7634e19039ec2b2684c55618db95041c006199ec
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix windows build... for realz.

        * CMakeLists.txt:

2017-08-22  Saam Barati  <sbarati@apple.com>

        We are using valueProfileForBytecodeOffset when there may not be a value profile
        https://bugs.webkit.org/show_bug.cgi?id=175812

        Reviewed by Michael Saboff.

        This patch uses the type system to aid the code around CodeBlock's ValueProfile
        accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
        so there were callers of this that thought it could return nullptr when there
        was no such ValueProfile. This was not the case; it always returned a non-null
        pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
        and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
        and does the right thing if there is no such ValueProfile.

        This patch also changes the other ValueProfile accessors on CodeBlock to
        return ValueProfile& instead of ValueProfile*. Some callers handled the null
        case unnecessarily, and using the type system to specify the result can't be
        null removes these useless branches.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::dumpValueProfiles):
        (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::validate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForArgument):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::getFromAllValueProfiles):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitValueProfilingSite):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateJSCell):

2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix windows build... maybe.

        * CMakeLists.txt:

2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix cloop build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-08-22  Per Arne Vollan  <pvollan@apple.com>

        [Win][Release] Crash when running testmasm executable.
        https://bugs.webkit.org/show_bug.cgi?id=175772

        Reviewed by Mark Lam.

        We need to save and restore the modified registers in case one or more registers are callee saved
        on the relevant platforms.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-21  Mark Lam  <mark.lam@apple.com>

        Change probe code to use static_assert instead of COMPILE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=175762

        Reviewed by JF Bastien.

        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Make generate_offset_extractor.rb architectures argument more robust
        https://bugs.webkit.org/show_bug.cgi?id=175809

        Reviewed by Joseph Pecoraro.

        It turns out that some of our builders pass their architectures as
        space separated lists.  I decided to just make the splitting of
        our list robust to any reasonable combination of spaces and
        commas.

        * offlineasm/generate_offset_extractor.rb:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
        https://bugs.webkit.org/show_bug.cgi?id=175690

        Reviewed by Michael Saboff.

        This should reduce some of the time we spend building offline asm
        in our builds (except for linux since they already did this).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * offlineasm/backends.rb:
        * offlineasm/generate_offset_extractor.rb:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Not reviewed.

        Make these files dependent on ENABLE(MASM_PROBE).

        * assembler/ProbeContext.cpp:
        * assembler/ProbeContext.h:
        * assembler/ProbeStack.cpp:
        * assembler/ProbeStack.h:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Reviewed by JF Bastien.

        With this patch, the clients of the MacroAssembler::probe() can now change
        stack values without having to worry about whether there is enough room in the
        current stack frame for it or not.  This is done using the Probe::Context's stack
        member like so:

            jit.probe([] (Probe::Context& context) {
                auto cpu = context.cpu;
                auto stack = context.stack();
                uintptr_t* currentSP = cpu.sp<uintptr_t*>();

                // Get a value at the current stack pointer location.
                auto value = stack.get<uintptr_t>(currentSP);

                // Set a value above the current stack pointer (within current frame).
                stack.set<uintptr_t>(currentSP + 10, value);

                // Set a value below the current stack pointer (out of current frame).
                stack.set<uintptr_t>(currentSP - 10, value);

                // Set the new stack pointer.
                cpu.sp() = currentSP - 20;
            });

        What happens behind the scene:

        1. the generated JIT probe code will now call Probe::executeProbe(), and
           Probe::executeProbe() will in turn call the client's probe function.

           Probe::executeProbe() receives the Probe::State on the machine stack passed
           to it by the probe trampoline.  Probe::executeProbe() will instantiate a
           Probe::Context to be passed to the client's probe function.  The client will
           no longer see the Probe::State directly.

        2. The Probe::Context comes with a Probe::Stack which serves as a manager of
           stack pages.  Currently, each page is 1K in size.
           Probe::Context::stack() returns a reference to an instance of Probe::Stack.

        3. Invoking get() or set() on Probe::Stack with an address will lead to the
           following:

           a. the address will be decoded to a baseAddress that points to the 1K page
              that contains that address.

           b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
              If so, go to step (f).  Else, continue with step (c).

           c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
              for that specified baseAddress to this mirror page.

           d. the mirror page will be added to the ProbeStack's m_pages HashMap,
              keyed on the baseAddress.

           e. the ProbeStack will also cache the last baseAddress and its corresponding
              mirror page in use.  With memory accesses tending to be localized, this
              will save us from having to look up the page in the HashMap.

           f. get() will map the requested address to a physical address in the mirror
              page, and return the value at that location.

           g. set() will map the requested address to a physical address in the mirror
              page, and set the value at that location in the mirror page.

              set() will also set a dirty bit corresponding to the "cache line" that
              was modified in the mirror page.

        4. When the client's probe function returns, Probe::executeProbe() will check if
           there are stack changes that need to be applied.  If stack changes are needed:

           a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
              space is available to flush the dirty stack pages.  It will also register a
              flushStackDirtyPages callback function in the Probe::State.  Thereafter,
              Probe::executeProbe() returns to the probe trampoline.

           b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
              a safe place if needed, and then calls the flushStackDirtyPages callback
              if needed.

           c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
              HashMap and flushes all dirty "cache lines" to the machine stack.
              Thereafter, flushStackDirtyPages() returns to the probe trampoline.

           d. lastly, the probe trampoline will restore all register values and return
              to the pc set in the Probe::State.

        To make this patch work, I also had to do the following work:

        5. Refactor MacroAssembler::CPUState into Probe::CPUState.
           Mainly, this means moving the code over to ProbeContext.h.
           I also added some convenience accessor methods for spr registers.

           Moved Probe::Context over to its own file ProbeContext.h/cpp.

        6. Fix all probe trampolines to pass the address of Probe::executeProbe in
           addition to the client's probe function and arg.

           I also took this opportunity to optimize the generated JIT probe code to
           minimize the amount of memory stores needed.

        7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
           either lr or pc (or neither), but not both in the same probe invocation.
           The ARM64 probe trampoline used to have to check for this invariant in the
           assembly trampoline code.  With the introduction of Probe::executeProbe(),
           we can now do it there and simplify the trampoline.

        8. Fix a bug in the old ARM64 probe trampoline for the case where the client
           changes lr.  That code path never worked before, but has now been fixed.

        9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
           MacroAssemblerARMv7.

           We can now use move() with TrustedImmPtr, and it does the same thing but in a
           more generic way.

       10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
           the same semantics as movs (according to the Thumb spec).  This means these
           instructions may trash the APSR flags before we have a chance to preserve them.

           This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
           early on.  This entails adding support for the mrs instruction in the
           ARMv7Assembler.

       11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
           the easy way.

           Also fixed testmasm tests which check flag registers to only compare the
           portions that are modifiable by the client i.e. some masking is applied.

        This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::mrs):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName): Deleted.
        (JSC::MacroAssembler::CPUState::sprName): Deleted.
        (JSC::MacroAssembler::CPUState::fprName): Deleted.
        (JSC::MacroAssembler::CPUState::gpr): Deleted.
        (JSC::MacroAssembler::CPUState::spr): Deleted.
        (JSC::MacroAssembler::CPUState::fpr): Deleted.
        (JSC:: const): Deleted.
        (JSC::MacroAssembler::CPUState::fpr const): Deleted.
        (JSC::MacroAssembler::CPUState::pc): Deleted.
        (JSC::MacroAssembler::CPUState::fp): Deleted.
        (JSC::MacroAssembler::CPUState::sp): Deleted.
        (JSC::MacroAssembler::CPUState::pc const): Deleted.
        (JSC::MacroAssembler::CPUState::fp const): Deleted.
        (JSC::MacroAssembler::CPUState::sp const): Deleted.
        (JSC::Probe::State::gpr): Deleted.
        (JSC::Probe::State::spr): Deleted.
        (JSC::Probe::State::fpr): Deleted.
        (JSC::Probe::State::gprName): Deleted.
        (JSC::Probe::State::sprName): Deleted.
        (JSC::Probe::State::fprName): Deleted.
        (JSC::Probe::State::pc): Deleted.
        (JSC::Probe::State::fp): Deleted.
        (JSC::Probe::State::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::arm64ProbeError): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::armV7Condition):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::ctiMasmProbeTrampoline):
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/ProbeContext.cpp: Added.
        (JSC::Probe::executeProbe):
        (JSC::Probe::handleProbeStackInitialization):
        (JSC::Probe::probeStateForContext):
        * assembler/ProbeContext.h: Added.
        (JSC::Probe::CPUState::gprName):
        (JSC::Probe::CPUState::sprName):
        (JSC::Probe::CPUState::fprName):
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::CPUState::fpr):
        (JSC::Probe:: const):
        (JSC::Probe::CPUState::fpr const):
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        (JSC::Probe::CPUState::pc const):
        (JSC::Probe::CPUState::fp const):
        (JSC::Probe::CPUState::sp const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::Context::stack):
        (JSC::Probe::Context::hasWritesToFlush):
        (JSC::Probe::Context::releaseStack):
        * assembler/ProbeStack.cpp: Added.
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::hasWritesToFlush):
        (JSC::Probe::Stack::flushWrites):
        (JSC::Probe::Stack::ensurePageFor):
        * assembler/ProbeStack.h: Added.
        (JSC::Probe::Page::baseAddressFor):
        (JSC::Probe::Page::chunkAddressFor):
        (JSC::Probe::Page::baseAddress):
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::hasWritesToFlush const):
        (JSC::Probe::Page::flushWritesIfNeeded):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::newStackPointer const):
        (JSC::Probe::Stack::setNewStackPointer):
        (JSC::Probe::Stack::isValid):
        (JSC::Probe::Stack::pageFor):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::run):
        (): Deleted.
        (JSC::fillStack): Deleted.
        (JSC::testProbeModifiesStackWithCallback): Deleted.

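The mirror-page mechanism described in steps 3 and 4 of the entry above, as an added example that is not WebKit's code: a simplified C++ model in which MirrorStack, Page, Result and runProbeScenario are hypothetical names (the real implementation lives in ProbeStack.h/cpp and ProbeContext.cpp), the "machine stack" is a constructed, page-aligned buffer, and the probe body replays the snippet quoted in the entry. It keeps the three properties the design relies on: a page is copied once on first touch, writes stay in the mirror until the flush, and the flush writes back only dirty chunks.

```cpp
#include <bitset>
#include <cassert>
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>

constexpr size_t kPageSize = 1024;                        // 1K pages, as in the ChangeLog
constexpr size_t kChunkSize = 16;                         // dirty-bit ("cache line") granularity
constexpr size_t kChunksPerPage = kPageSize / kChunkSize;

// Lazily mirrors 1K pages of a target stack; writes go to the mirrors and are flushed chunk-wise.
class MirrorStack {
public:
    template<typename T> T get(uintptr_t address)
    {
        T value;
        std::memcpy(&value, pageFor(address).bytes + offsetFor<T>(address), sizeof(T));
        return value;
    }
    // Step (g): the write lands in the mirror only; every chunk it touches is marked dirty.
    template<typename T> void set(uintptr_t address, T value)
    {
        Page& page = pageFor(address);
        size_t offset = offsetFor<T>(address);
        std::memcpy(page.bytes + offset, &value, sizeof(T));
        for (size_t c = offset / kChunkSize; c <= (offset + sizeof(T) - 1) / kChunkSize; ++c)
            page.dirty.set(c);
    }
    size_t pageCount() const { return m_pages.size(); }
    // Step 4(c): copy only the dirty chunks back to the real stack; returns how many were written.
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (auto& entry : m_pages) {
            Page& page = *entry.second;
            for (size_t c = 0; c < kChunksPerPage; ++c) {
                if (!page.dirty.test(c))
                    continue;
                std::memcpy(reinterpret_cast<void*>(entry.first + c * kChunkSize), page.bytes + c * kChunkSize, kChunkSize);
                ++flushed;
            }
            page.dirty.reset();
        }
        return flushed;
    }

private:
    struct Page {
        alignas(16) uint8_t bytes[kPageSize];
        std::bitset<kChunksPerPage> dirty;
    };
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(kPageSize - 1); }
    // Pages are keyed on base address (like the real m_pages HashMap), so an access may not straddle two pages.
    template<typename T> static size_t offsetFor(uintptr_t a) { assert(baseAddressFor(a + sizeof(T) - 1) == baseAddressFor(a)); return a - baseAddressFor(a); }
    // Steps (a)-(e): locate the mirror page, creating and copying it on first touch, with a last-used fast path.
    Page& pageFor(uintptr_t address)
    {
        uintptr_t base = baseAddressFor(address);
        if (!m_lastPage || m_lastBase != base) {
            auto it = m_pages.find(base);
            if (it == m_pages.end()) {
                it = m_pages.emplace(base, std::unique_ptr<Page>(new Page)).first;
                std::memcpy(it->second->bytes, reinterpret_cast<const void*>(base), kPageSize); // step (c)
            }
            m_lastBase = base;
            m_lastPage = it->second.get();
        }
        return *m_lastPage;
    }

    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    uintptr_t m_lastBase { 0 };
    Page* m_lastPage { nullptr };
};

// Constructed stand-in for the machine stack: four page-aligned 1K pages of 8-byte slots, each holding its index.
constexpr size_t kSlots = 4 * kPageSize / sizeof(uint64_t);
alignas(kPageSize) static uint64_t g_machineStack[kSlots];

struct Result {
    size_t pagesMirrored, chunksFlushed;        // pages the probe body touched; chunks written back by the flush
    uint64_t aboveBeforeFlush, aboveAfterFlush; // real slot at currentSP + 10 before / after the flush
    uint64_t belowAfterFlush;                   // real slot at currentSP - 10 after the flush
};

// Replays the probe body quoted in the ChangeLog against the model, then flushes as executeProbe would.
Result runProbeScenario()
{
    for (size_t i = 0; i < kSlots; ++i)
        g_machineStack[i] = i;
    MirrorStack stack;
    // currentSP sits 5 slots into page 1, so "+10" stays in page 1 while "-10" lands in page 0.
    uint64_t* currentSP = g_machineStack + kPageSize / sizeof(uint64_t) + 5;
    uint64_t value = stack.get<uint64_t>(uintptr_t(currentSP));
    stack.set<uint64_t>(uintptr_t(currentSP + 10), value); // within the current frame
    stack.set<uint64_t>(uintptr_t(currentSP - 10), value); // below the current frame
    Result r;
    r.pagesMirrored = stack.pageCount();
    r.aboveBeforeFlush = currentSP[10]; // the real stack is untouched until the flush
    r.chunksFlushed = stack.flushWrites();
    r.aboveAfterFlush = currentSP[10];
    r.belowAfterFlush = *(currentSP - 10);
    return r;
}
```

With the slot layout above, the two writes land in two different pages and two different chunks, so the flush writes exactly 32 bytes back while the slot between them keeps its original value.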
2017-08-19  Andy Estes  <aestes@apple.com>

        [Payment Request] Add interface stubs
        https://bugs.webkit.org/show_bug.cgi?id=175730

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-08-18  Per Arne Vollan  <pvollan@apple.com>

        Implement 32-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175449

        Reviewed by Mark Lam.

        This is needed to enable the DFG.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        (dllLauncherEntryPoint):
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2017-08-18  Mark Lam  <mark.lam@apple.com>

        Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
        https://bugs.webkit.org/show_bug.cgi?id=175725
        <rdar://problem/33965477>

        Rubber-stamped by JF Bastien.

        This is purely a refactoring patch (in preparation for the introduction of a
        Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
        later).  This patch does not change any semantics / behavior.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr): Deleted.
        (JSC::ProbeContext::spr): Deleted.
        (JSC::ProbeContext::fpr): Deleted.
        (JSC::ProbeContext::gprName): Deleted.
        (JSC::ProbeContext::sprName): Deleted.
        (JSC::ProbeContext::fprName): Deleted.
        (JSC::ProbeContext::pc): Deleted.
        (JSC::ProbeContext::fp): Deleted.
        (JSC::ProbeContext::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeError):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):
        (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.

2017-08-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
        https://bugs.webkit.org/show_bug.cgi?id=175693
        <rdar://problem/33952443>

        Reviewed by Saam Barati.

        64-bit constants in an unreachable context were being decoded as
        32-bit constants. This is pretty benign because unreachable code
        shouldn't occur often. The effect is that 64-bit constants which
        can't be encoded as 32-bit constants would cause the binary to be
        rejected.

        At the same time, 32-bit integer constants should be decoded as signed.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

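The decoding mismatch described in the entry above, as an added example that is not WebKit's code: a signed LEB128 decoder parameterised on the immediate width, with the instruction opcode deciding whether the i32 or the i64 decoder runs, so an i64.const immediate that needs more than five bytes is no longer rejected. Decoded, decodeSigned, encodeSigned and decodeConstImmediate are hypothetical names; 0x41 and 0x42 are the wasm i32.const and i64.const opcodes, and the byte strings are constructed inputs.

```cpp
#include <cstddef>
#include <cstdint>
#include <type_traits>
#include <vector>

struct Decoded {
    bool ok;       // false: truncated, over-long, or not representable in the requested width
    int64_t value; // valid only when ok
};

// Signed LEB128 decoder for an Int-wide immediate (int32_t for i32.const, int64_t for i64.const).
// Reading an i64 immediate through decodeSigned<int32_t> is the bug the entry describes: a value
// that needs more than five bytes is reported as malformed.
template<typename Int>
Decoded decodeSigned(const std::vector<uint8_t>& bytes, size_t& offset)
{
    using UInt = typename std::make_unsigned<Int>::type;
    constexpr unsigned bits = sizeof(Int) * 8;
    constexpr size_t maxBytes = (bits + 6) / 7; // 5 for i32, 10 for i64
    UInt result = 0;
    for (size_t i = 0; i < maxBytes; ++i) {
        if (offset >= bytes.size())
            return { false, 0 };
        uint8_t byte = bytes[offset++];
        unsigned shift = 7 * i;
        result |= UInt(byte & 0x7f) << shift;
        if (byte & 0x80)
            continue;
        if (shift + 7 > bits) {
            // Final byte overruns the width: its unused high bits must sign-extend the value's top bit
            // (the spec's range rule for the last byte), otherwise the value does not fit in Int.
            unsigned kept = bits - shift;
            unsigned top = (byte & 0x7f) >> (kept - 1);
            if (top != 0 && top != (0x7fu >> (kept - 1)))
                return { false, 0 };
        } else if (byte & 0x40)
            result |= ~UInt(0) << (shift + 7); // sign-extend: 0x7f alone is -1, not 127
        return { true, static_cast<Int>(result) };
    }
    return { false, 0 }; // continuation bit still set after maxBytes
}

// Signed LEB128 encoder, used here only to build the constructed test inputs.
std::vector<uint8_t> encodeSigned(int64_t value)
{
    std::vector<uint8_t> out;
    while (true) {
        uint8_t byte = value & 0x7f;
        value >>= 7; // arithmetic shift keeps the sign
        bool done = (value == 0 && !(byte & 0x40)) || (value == -1 && (byte & 0x40));
        out.push_back(done ? byte : uint8_t(byte | 0x80));
        if (done)
            return out;
    }
}

constexpr uint8_t kI32Const = 0x41; // wasm opcodes
constexpr uint8_t kI64Const = 0x42;

// Decodes a const instruction's immediate with the width the opcode implies (the fix), and
// requires the immediate to consume the whole operand.
Decoded decodeConstImmediate(uint8_t opcode, const std::vector<uint8_t>& operand)
{
    size_t offset = 0;
    Decoded d;
    if (opcode == kI32Const)
        d = decodeSigned<int32_t>(operand, offset);
    else if (opcode == kI64Const)
        d = decodeSigned<int64_t>(operand, offset);
    else
        return { false, 0 };
    if (d.ok && offset != operand.size())
        return { false, 0 }; // trailing bytes
    return d;
}

int main()
{
    std::vector<uint8_t> big = encodeSigned(int64_t(1) << 40); // six bytes: only an i64 decoder accepts it
    bool fixed = decodeConstImmediate(kI64Const, big).ok && !decodeConstImmediate(kI32Const, big).ok;
    return fixed ? 0 : 1;
}
```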
2017-08-17  Robin Morisset  <rmorisset@apple.com>

        Teach DFGFixupPhase.cpp that the current scope is always a cell
        https://bugs.webkit.org/show_bug.cgi?id=175610

        Reviewed by Keith Miller.

        Also teach it that the argument to with can usually be speculated to be an object,
        since toObject() is called on it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
        https://bugs.webkit.org/show_bug.cgi?id=175644

        Reviewed by Brian Burg.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Only use 16 VFP registers if !CPU(ARM_NEON).
        https://bugs.webkit.org/show_bug.cgi?id=175514

        Reviewed by JF Bastien.

        Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
        says that there are only 16 128-bit NEON registers.  This change is merely to
        correct the code documentation of these registers.  The FPQuadRegisterID are
        currently unused.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::lastFPRegister):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastFPRegister):
        (JSC::ARMv7Assembler::fprName):
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARMv7.cpp:

2017-08-17  Andreas Kling  <akling@apple.com>

        Disable CSS regions at compile time
        https://bugs.webkit.org/show_bug.cgi?id=175630

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>

        [WPE][GTK] Ensure proper casting of data in gvariants
        https://bugs.webkit.org/show_bug.cgi?id=175667

        Reviewed by Michael Catanzaro.

        g_variant_new requires data to have the correct width for their types, using
        casting if necessary. Some data of type `unsigned` were being saved to `guint64`
        types without explicit casting, leading to undefined behavior in some platforms.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        (Inspector::RemoteInspector::listingForAutomationTarget const):
        (Inspector::RemoteInspector::sendMessageToRemote):

2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid code bloating for iteration if block does not have "break"
        https://bugs.webkit.org/show_bug.cgi?id=173228

        Reviewed by Keith Miller.

        Currently, we always emit code for the break path when emitting for-of iteration.
        But we can know that this break path can be used when emitting the bytecode.

        This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
        the break label may be bound. We emit a break path only when it returns
        true. This reduces bytecode bloating when using for-of iteration.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        (JSC::BytecodeGenerator::emitLabel):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC::Label::bind const):
        (JSC::Label::hasOneRef const):
        (JSC::Label::isBound const):
        (JSC::Label::Label): Deleted.
        * bytecompiler/LabelScope.h:
        (JSC::LabelScope::hasOneRef const):
        (JSC::LabelScope::breakTargetMayBeBound const):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>

        ARM build fix after r220807 and r220834.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Unreviewed typo fix.

        * assembler/MacroAssemblerARM.cpp:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for ARM_TRADITIONAL after r220807.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Not reviewed.

        * assembler/MacroAssemblerARM.cpp:

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Add back the ability to disable MASM_PROBE from the build.
        https://bugs.webkit.org/show_bug.cgi?id=175656
        <rdar://problem/33933720>

        Reviewed by Yusuke Suzuki.

        This is needed for ports that the existing MASM_PROBE implementation doesn't work
        well with e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
        default if !ENABLE(MASM_PROBE).

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-16  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Older-iOS install name symbols are being exported on other platforms
        https://bugs.webkit.org/show_bug.cgi?id=175654

        Reviewed by Tim Horton.

        * API/JSBase.cpp: Define the symbols only when targeting iOS.

2017-08-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
        https://bugs.webkit.org/show_bug.cgi?id=175617
        <rdar://problem/33912104>

        Reviewed by JF Bastien.

        This patch adds a new feature to MacroAssembler::probe() where the probe function
        can provide a ProbeFunction callback to fill in stack values after the stack
        pointer has been adjusted.  The probe function can use this feature as follows:

        1. Set the new sp value in the ProbeContext's CPUState.

        2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
           which will do the work of filling in the stack values after the probe
           trampoline has adjusted the machine stack pointer.

        3. Set the ProbeContext's initializeStackArgs to any value that the client wants
           to pass to the initializeStackFunction callback.

        4. Return from the probe function.

        Upon returning from the probe function, the probe trampoline will adjust the
        stack pointer based on the sp value in CPUState.  If initializeStackFunction
        is not set, the probe trampoline will restore registers and return to its caller.

        If initializeStackFunction is set, the trampoline will move the ProbeContext
        beyond the range of the stack pointer i.e. it will place the new ProbeContext at
        an address lower than where CPUState.sp() points.  This ensures that the
        ProbeContext will not be trashed by the initializeStackFunction when it writes to
        the stack.  Then, the trampoline will call back to the initializeStackFunction
        ProbeFunction to let it fill in the stack values as desired.  The
        initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
        the new location.

        initializeStackFunction may now write to the stack at addresses greater or
        equal to CPUState.sp(), but not below that.  initializeStackFunction is also
        not allowed to change CPUState.sp().  If the initializeStackFunction does not
        abide by these rules, then behavior is undefined, and bad things may happen.

        For future reference, some implementation details that this patch needed to
        be mindful of:

        1. When the probe trampoline allocates stack space for the ProbeContext, it
           should include OUT_SIZE as well.  This ensures that it doesn't have to move
           the ProbeContext on exit if the probe function didn't change the sp.

        2. If the trampoline has to move the ProbeContext, it needs to point the machine
           sp to new ProbeContext first before copying over the ProbeContext data.  This
           protects the new ProbeContext from possibly being trashed by interrupts.

        3. When computing the new address of ProbeContext to move to, we need to make
           sure that it is properly aligned in accordance with stack ABI requirements
           (just like we did when we allocated the ProbeContext on entry to the
           probe trampoline).

        4. When copying the ProbeContext to its new location, the trampoline should
           always copy words from low addresses to high addresses.  This is because if
           we're moving the ProbeContext, we'll always be moving it to a lower address.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
743         (JSC::fillStack):
744         (JSC::testProbeModifiesStackWithCallback):
745         (JSC::run):
746
747 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
748
749         Fix JSCOnly ARM buildbots after r220047 and r220184
750         https://bugs.webkit.org/show_bug.cgi?id=174993
751
752         Reviewed by Carlos Alberto Lopez Perez.
753
754         * CMakeLists.txt: Generate only one backend on Linux to save build time.
755
756 2017-08-16  Andy Estes  <aestes@apple.com>
757
758         [Payment Request] Add an ENABLE flag and an experimental feature preference
759         https://bugs.webkit.org/show_bug.cgi?id=175622
760
761         Reviewed by Tim Horton.
762
763         * Configurations/FeatureDefines.xcconfig:
764
765 2017-08-15  Robin Morisset  <rmorisset@apple.com>
766
767         We are too conservative about the effects of PushWithScope
768         https://bugs.webkit.org/show_bug.cgi?id=175584
769
770         Reviewed by Saam Barati.
771
772         PushWithScope converts its argument to an object (this can throw a type error,
773         but has no other observable effect), and allocates a new scope, that it then
774         makes the new current scope. We were a bit too
775         conservative in saying that it clobbers the world.
776
777         * dfg/DFGAbstractInterpreterInlines.h:
778         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
779         * dfg/DFGClobberize.h:
780         (JSC::DFG::clobberize):
781         * dfg/DFGDoesGC.cpp:
782         (JSC::DFG::doesGC):
783
784 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
785
786         Make DataTransferItemList work with plain text entries
787         https://bugs.webkit.org/show_bug.cgi?id=175596
788
789         Reviewed by Wenson Hsieh.
790
791         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
792
793         * runtime/CommonIdentifiers.h:
794
795 2017-08-15  Robin Morisset  <rmorisset@apple.com>
796
797         Support the 'with' keyword in FTL
798         https://bugs.webkit.org/show_bug.cgi?id=175585
799
800         Reviewed by Saam Barati.
801
802         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
803         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
804         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
805         that takes its parentScope argument first.
806
807         * bytecompiler/BytecodeGenerator.cpp:
808         (JSC::BytecodeGenerator::emitPushWithScope):
809         * debugger/DebuggerCallFrame.cpp:
810         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
811         * dfg/DFGByteCodeParser.cpp:
812         (JSC::DFG::ByteCodeParser::parseBlock):
813         * dfg/DFGFixupPhase.cpp:
814         (JSC::DFG::FixupPhase::fixupNode):
815         * dfg/DFGSpeculativeJIT.cpp:
816         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
817         * ftl/FTLCapabilities.cpp:
818         (JSC::FTL::canCompile):
819         * ftl/FTLLowerDFGToB3.cpp:
820         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
821         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
822         * jit/JITOperations.cpp:
823         * runtime/CommonSlowPaths.cpp:
824         (JSC::SLOW_PATH_DECL):
825         * runtime/Completion.cpp:
826         (JSC::evaluateWithScopeExtension):
827         * runtime/JSWithScope.cpp:
828         (JSC::JSWithScope::create):
829         * runtime/JSWithScope.h:
830
831 2017-08-15  Saam Barati  <sbarati@apple.com>
832
833         Make VM::scratchBufferForSize thread safe
834         https://bugs.webkit.org/show_bug.cgi?id=175604
835
836         Reviewed by Geoffrey Garen and Mark Lam.
837
838         I want to use the VM::scratchBufferForSize in another patch I'm writing.
839         The use case for my other patch is to call it from the compiler thread.
840         When reading the code, I saw that this API was not thread safe. This patch
841         makes it thread safe. It actually turns out we were calling this API from
842         the compiler thread already when we created FTL::State for an FTL OSR entry
843         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
844         is now correct with this patch.
845
846         * runtime/VM.cpp:
847         (JSC::VM::VM):
848         (JSC::VM::~VM):
849         (JSC::VM::gatherConservativeRoots):
850         (JSC::VM::scratchBufferForSize):
851         * runtime/VM.h:
852         (JSC::VM::scratchBufferForSize): Deleted.
853
854 2017-08-15  Keith Miller  <keith_miller@apple.com>
855
856         JSC named bytecode offsets should use references rather than pointers
857         https://bugs.webkit.org/show_bug.cgi?id=175601
858
859         Reviewed by Saam Barati.
860
861         * dfg/DFGByteCodeParser.cpp:
862         (JSC::DFG::ByteCodeParser::parseBlock):
863         * jit/JITOpcodes.cpp:
864         (JSC::JIT::emit_op_overrides_has_instance):
865         (JSC::JIT::emit_op_instanceof):
866         (JSC::JIT::emitSlow_op_instanceof):
867         (JSC::JIT::emitSlow_op_instanceof_custom):
868         * jit/JITOpcodes32_64.cpp:
869         (JSC::JIT::emit_op_overrides_has_instance):
870         (JSC::JIT::emit_op_instanceof):
871         (JSC::JIT::emitSlow_op_instanceof):
872         (JSC::JIT::emitSlow_op_instanceof_custom):
873
874 2017-08-15  Keith Miller  <keith_miller@apple.com>
875
876         Enable named offsets into JSC bytecodes
877         https://bugs.webkit.org/show_bug.cgi?id=175561
878
879         Reviewed by Mark Lam.
880
881         This patch adds the ability to add named offsets into JSC's
882         bytecodes.  In the bytecode json file, instead of listing a
883         length, you can now list a set of names and their types. Each
884         opcode with an offsets property will have a struct named after the
885         opcode in our C++ naming style. For example,
886         op_overrides_has_instance would become OpOverridesHasInstance. The
887         struct has the same memory layout as the instruction list has but
888         comes with handy named accessors.
889
890         As a first cut I converted the various instanceof bytecodes to use
891         named offsets.
892
893         As an example op_overrides_has_instance produces the following struct:
894
895         struct OpOverridesHasInstance {
896         public:
897             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
898             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
899             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
900             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
901             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
902             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
903             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
904             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
905
906         private:
907             friend class LLIntOffsetsExtractor;
908             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
909             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
910             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
911             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
912         };
913
914         * CMakeLists.txt:
915         * DerivedSources.make:
916         * JavaScriptCore.xcodeproj/project.pbxproj:
917         * bytecode/BytecodeList.json:
918         * dfg/DFGByteCodeParser.cpp:
919         (JSC::DFG::ByteCodeParser::parseBlock):
920         * generate-bytecode-files:
921         * jit/JITOpcodes.cpp:
922         (JSC::JIT::emit_op_overrides_has_instance):
923         (JSC::JIT::emit_op_instanceof):
924         (JSC::JIT::emitSlow_op_instanceof):
925         (JSC::JIT::emitSlow_op_instanceof_custom):
926         * jit/JITOpcodes32_64.cpp:
927         (JSC::JIT::emit_op_overrides_has_instance):
928         (JSC::JIT::emit_op_instanceof):
929         (JSC::JIT::emitSlow_op_instanceof):
930         (JSC::JIT::emitSlow_op_instanceof_custom):
931         * llint/LLIntOffsetsExtractor.cpp:
932         * llint/LowLevelInterpreter.asm:
933         * llint/LowLevelInterpreter32_64.asm:
934         * llint/LowLevelInterpreter64.asm:
935
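        As an added example (not code from the WebKit tree), the generated struct above overlaid on a constructed instruction stream, with a bounds check done before the overlay since the accessors themselves perform none. The `Instruction` and `Opcode` stand-ins, the emit/view helpers and the sample operand values are assumptions made for this example:

```cpp
#include <cstddef>
#include <stdexcept>
#include <type_traits>
#include <vector>

// Constructed stand-ins for the JSC types the generated struct is laid over
// (assumptions for this example): an Instruction slot is a union that holds
// either an Opcode or an int operand, and an Opcode is a pointer-sized word.
using Opcode = const void*;
union Instruction {
    Opcode opcode;
    int operand;
};
class LLIntOffsetsExtractor;

// The generated struct, as shown in the ChangeLog entry above.
struct OpOverridesHasInstance {
public:
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    friend class LLIntOffsetsExtractor;
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// Every field is padded to one Instruction slot, so the struct spans exactly
// the four slots of op_overrides_has_instance in the instruction stream.
constexpr size_t kOverridesHasInstanceSlots = 4;
static_assert(sizeof(OpOverridesHasInstance) == kOverridesHasInstanceSlots * sizeof(Instruction),
    "struct must match the instruction list layout");

// Constructed opcode value standing in for the real op_overrides_has_instance opcode.
static const char kOpOverridesHasInstanceLabel[] = "op_overrides_has_instance";
const Opcode kOpOverridesHasInstance = kOpOverridesHasInstanceLabel;

// Append op_overrides_has_instance to `stream`, writing operands through the
// named accessors instead of pushing raw slots.
void emitOverridesHasInstance(std::vector<Instruction>& stream, Opcode opcode,
    int dst, int constructor, int hasInstanceValue)
{
    size_t offset = stream.size();
    stream.resize(offset + kOverridesHasInstanceSlots);
    auto& op = *reinterpret_cast<OpOverridesHasInstance*>(&stream[offset]);
    op.opcode() = opcode;
    op.dst() = dst;
    op.constructor() = constructor;
    op.hasInstanceValue() = hasInstanceValue;
}

// Overlay the struct at `offset`, refusing to read past the end of the stream:
// the generated accessors do no bounds checking of their own, so the caller must.
const OpOverridesHasInstance& viewOverridesHasInstance(const std::vector<Instruction>& stream, size_t offset)
{
    if (offset > stream.size() || stream.size() - offset < kOverridesHasInstanceSlots)
        throw std::out_of_range("op_overrides_has_instance would read past the end of the bytecode stream");
    return *reinterpret_cast<const OpOverridesHasInstance*>(&stream[offset]);
}

// Named accessors and the raw slots must agree; that is the "same memory layout" claim.
bool roundTripsOperands()
{
    std::vector<Instruction> stream;
    emitOverridesHasInstance(stream, kOpOverridesHasInstance, 3, 7, 9);
    const OpOverridesHasInstance& op = viewOverridesHasInstance(stream, 0);
    return stream.size() == kOverridesHasInstanceSlots
        && op.opcode() == kOpOverridesHasInstance
        && op.dst() == 3 && stream[1].operand == 3
        && op.constructor() == 7 && stream[2].operand == 7
        && op.hasInstanceValue() == 9 && stream[3].operand == 9;
}

// A stream that ends mid-instruction must be rejected rather than read past its end.
bool rejectsTruncatedStream()
{
    std::vector<Instruction> stream;
    emitOverridesHasInstance(stream, kOpOverridesHasInstance, 3, 7, 9);
    stream.pop_back(); // drop the hasInstanceValue slot
    try {
        viewOverridesHasInstance(stream, 0);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() { return roundTripsOperands() && rejectsTruncatedStream() ? 0 : 1; }
```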
936 2017-08-15  Mark Lam  <mark.lam@apple.com>
937
938         Update testmasm to use new CPUState APIs.
939         https://bugs.webkit.org/show_bug.cgi?id=175573
940
941         Reviewed by Keith Miller.
942
943         1. Applied convenience CPUState accessors to minimize casting.
944         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
945            messages.
946         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
947            casting is (mostly) no longer an issue.
948         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
949            to make it clear that we're comparing against the bit values of testWord64(id).
950         5. Added a "Completed N tests" message at the end of running all tests.
951            This makes it easy to tell at a glance that testmasm completed successfully
952            versus when it crashed midway in a test.  The number of tests also serves as
953            a quick checksum to confirm that we ran the number of tests we expected.
954
955         * assembler/testmasm.cpp:
956         (WTF::printInternal):
957         (JSC::testSimple):
958         (JSC::testProbeReadsArgumentRegisters):
959         (JSC::testProbeWritesArgumentRegisters):
960         (JSC::testProbePreservesGPRS):
961         (JSC::testProbeModifiesStackPointer):
962         (JSC::testProbeModifiesProgramCounter):
963         (JSC::run):
964
965 2017-08-14  Keith Miller  <keith_miller@apple.com>
966
967         Add testing tool to lie to the DFG about profiles
968         https://bugs.webkit.org/show_bug.cgi?id=175487
969
970         Reviewed by Saam Barati.
971
972         This patch adds a new bytecode identity_with_profile that lets
973         us lie to the DFG about what profiles it has seen as the input to
974         another bytecode. Previously, there was no reliable way to force
975         a given profile when we tiered up.
976
977         * bytecode/BytecodeDumper.cpp:
978         (JSC::BytecodeDumper<Block>::dumpBytecode):
979         * bytecode/BytecodeIntrinsicRegistry.h:
980         * bytecode/BytecodeList.json:
981         * bytecode/BytecodeUseDef.h:
982         (JSC::computeUsesForBytecodeOffset):
983         (JSC::computeDefsForBytecodeOffset):
984         * bytecode/SpeculatedType.cpp:
985         (JSC::speculationFromString):
986         * bytecode/SpeculatedType.h:
987         * bytecompiler/BytecodeGenerator.cpp:
988         (JSC::BytecodeGenerator::emitIdWithProfile):
989         * bytecompiler/BytecodeGenerator.h:
990         * bytecompiler/NodesCodegen.cpp:
991         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
992         * dfg/DFGAbstractInterpreterInlines.h:
993         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
994         * dfg/DFGByteCodeParser.cpp:
995         (JSC::DFG::ByteCodeParser::parseBlock):
996         * dfg/DFGCapabilities.cpp:
997         (JSC::DFG::capabilityLevel):
998         * dfg/DFGClobberize.h:
999         (JSC::DFG::clobberize):
1000         * dfg/DFGDoesGC.cpp:
1001         (JSC::DFG::doesGC):
1002         * dfg/DFGFixupPhase.cpp:
1003         (JSC::DFG::FixupPhase::fixupNode):
1004         * dfg/DFGMayExit.cpp:
1005         * dfg/DFGNode.h:
1006         (JSC::DFG::Node::getForcedPrediction):
1007         * dfg/DFGNodeType.h:
1008         * dfg/DFGPredictionPropagationPhase.cpp:
1009         * dfg/DFGSafeToExecute.h:
1010         (JSC::DFG::safeToExecute):
1011         * dfg/DFGSpeculativeJIT32_64.cpp:
1012         (JSC::DFG::SpeculativeJIT::compile):
1013         * dfg/DFGSpeculativeJIT64.cpp:
1014         (JSC::DFG::SpeculativeJIT::compile):
1015         * dfg/DFGValidate.cpp:
1016         * jit/JIT.cpp:
1017         (JSC::JIT::privateCompileMainPass):
1018         * jit/JIT.h:
1019         * jit/JITOpcodes.cpp:
1020         (JSC::JIT::emit_op_identity_with_profile):
1021         * jit/JITOpcodes32_64.cpp:
1022         (JSC::JIT::emit_op_identity_with_profile):
1023         * llint/LowLevelInterpreter.asm:
1024
1025 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1026
1027         Remove Proximity Events and related code
1028         https://bugs.webkit.org/show_bug.cgi?id=175545
1029
1030         Reviewed by Daniel Bates.
1031
1032         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
1033         and other related code.
1034
1035         * Configurations/FeatureDefines.xcconfig:
1036
1037 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1038
1039         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
1040         https://bugs.webkit.org/show_bug.cgi?id=175504
1041
1042         Reviewed by Sam Weinig.
1043
1044         * Configurations/FeatureDefines.xcconfig:
1045
1046 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1047
1048         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
1049         https://bugs.webkit.org/show_bug.cgi?id=175557
1050
1051         Reviewed by Jon Lee.
1052
1053         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
1054
1055         * Configurations/FeatureDefines.xcconfig:
1056
1057 2017-08-14  Robin Morisset  <rmorisset@apple.com>
1058
1059         Support the 'with' keyword in DFG
1060         https://bugs.webkit.org/show_bug.cgi?id=175470
1061
1062         Reviewed by Saam Barati.
1063
1064         Not particularly optimized at the moment, the goal is just to avoid
1065         the DFG bailing out of any function with this keyword.
1066
1067         * dfg/DFGAbstractInterpreterInlines.h:
1068         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1069         * dfg/DFGByteCodeParser.cpp:
1070         (JSC::DFG::ByteCodeParser::parseBlock):
1071         * dfg/DFGCapabilities.cpp:
1072         (JSC::DFG::capabilityLevel):
1073         * dfg/DFGClobberize.h:
1074         (JSC::DFG::clobberize):
1075         * dfg/DFGDoesGC.cpp:
1076         (JSC::DFG::doesGC):
1077         * dfg/DFGFixupPhase.cpp:
1078         (JSC::DFG::FixupPhase::fixupNode):
1079         * dfg/DFGNodeType.h:
1080         * dfg/DFGPredictionPropagationPhase.cpp:
1081         * dfg/DFGSafeToExecute.h:
1082         (JSC::DFG::safeToExecute):
1083         * dfg/DFGSpeculativeJIT.cpp:
1084         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
1085         * dfg/DFGSpeculativeJIT.h:
1086         (JSC::DFG::SpeculativeJIT::callOperation):
1087         * dfg/DFGSpeculativeJIT32_64.cpp:
1088         (JSC::DFG::SpeculativeJIT::compile):
1089         * dfg/DFGSpeculativeJIT64.cpp:
1090         (JSC::DFG::SpeculativeJIT::compile):
1091         * jit/JITOperations.cpp:
1092         * jit/JITOperations.h:
1093
1094 2017-08-14  Mark Lam  <mark.lam@apple.com>
1095
1096         Add some convenience utility accessor methods to MacroAssembler::CPUState.
1097         https://bugs.webkit.org/show_bug.cgi?id=175549
1098         <rdar://problem/33884868>
1099
1100         Reviewed by Saam Barati.
1101
1102         Previously, in order to read ProbeContext CPUState registers, we used to need to
1103         do it this way:
1104
1105             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
1106             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
1107             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
1108             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
1109
1110         With this patch, we can now read them this way instead:
1111         
1112             ExecState* exec = cpu.fp<ExecState*>();
1113             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
1114             void* p = cpu.gpr<void*>(GPRInfo::regT1);
1115             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
1116
1117         * assembler/MacroAssembler.h:
1118         (JSC:: const):
1119         (JSC::MacroAssembler::CPUState::fpr const):
1120         (JSC::MacroAssembler::CPUState::pc const):
1121         (JSC::MacroAssembler::CPUState::fp const):
1122         (JSC::MacroAssembler::CPUState::sp const):
1123         (JSC::ProbeContext::pc):
1124         (JSC::ProbeContext::fp):
1125         (JSC::ProbeContext::sp):
1126
1127 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1128
1129         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1130         https://bugs.webkit.org/show_bug.cgi?id=174921
1131
1132         Reviewed by Mark Lam.
1133         
1134         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1135
1136         * dfg/DFGSpeculativeJIT.cpp:
1137         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1138         * ftl/FTLLowerDFGToB3.cpp:
1139         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1140         * jit/JITPropertyAccess.cpp:
1141         (JSC::JIT::emitScopedArgumentsGetByVal):
1142         * runtime/ScopedArgumentsTable.cpp:
1143         (JSC::ScopedArgumentsTable::create):
1144         (JSC::ScopedArgumentsTable::setLength):
1145         * runtime/ScopedArgumentsTable.h:
1146
1147 2017-08-14  Mark Lam  <mark.lam@apple.com>
1148
1149         Gardening: fix Windows build.
1150         https://bugs.webkit.org/show_bug.cgi?id=175446
1151
1152         Not reviewed.
1153
1154         * assembler/MacroAssemblerX86Common.cpp:
1155         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1156         (JSC::ctiMasmProbeTrampoline):
1157
1158 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1159
1160         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1161         https://bugs.webkit.org/show_bug.cgi?id=175512
1162         <rdar://problem/33863584>
1163
1164         Reviewed by Mark Lam.
1165
1166         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1167         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1168
1169 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1170
1171         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1172         https://bugs.webkit.org/show_bug.cgi?id=175513
1173
1174         Reviewed by Mark Lam.
1175
1176         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1177
1178 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1179
1180         FTL's compileGetTypedArrayByteOffset needs to do caging
1181         https://bugs.webkit.org/show_bug.cgi?id=175366
1182
1183         Reviewed by Saam Barati.
1184         
1185         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1186         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1187
1188         * dfg/DFGSpeculativeJIT.cpp:
1189         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1190         * ftl/FTLLowerDFGToB3.cpp:
1191         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1192         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1193         * runtime/ArrayBuffer.h:
1194         * runtime/ArrayBufferView.h:
1195         * runtime/JSArrayBufferView.h:
1196
1197 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1198
1199         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1200         https://bugs.webkit.org/show_bug.cgi?id=175474
1201         <rdar://problem/33844628>
1202
1203         Reviewed by Wenson Hsieh.
1204
1205         * Configurations/FeatureDefines.xcconfig:
1206         * runtime/CommonIdentifiers.h:
1207
1208 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1209
1210         Caging shouldn't have to use a patchpoint for adding
1211         https://bugs.webkit.org/show_bug.cgi?id=175483
1212
1213         Reviewed by Mark Lam.
1214
1215         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1216         constants and associative operations dictate that you always want to sink constants. For example,
1217         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1218         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1219         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1220         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1221         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1222         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1223         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1224         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1225         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1226         hacks for just stopping B3's reassociation only in this specific case.
1227         
1228         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1229         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1230         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1231         that if we cage the same pointer in two places, both places will compute the same value.
1232         
1233         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1234         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1235         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1236         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1237         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1238         enough scale to warrant new opcodes.)
1239         
1240         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1241         makes the code a bit less ugly.
1242
1243         * b3/B3LowerToAir.cpp:
1244         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1245         (JSC::B3::Air::LowerToAir::lower):
1246         * b3/B3Opcode.cpp:
1247         (WTF::printInternal):
1248         * b3/B3Opcode.h:
1249         * b3/B3ReduceStrength.cpp:
1250         * b3/B3Validate.cpp:
1251         * b3/B3Value.cpp:
1252         (JSC::B3::Value::effects const):
1253         (JSC::B3::Value::key const):
1254         (JSC::B3::Value::isFree const):
1255         (JSC::B3::Value::typeFor):
1256         * b3/B3Value.h:
1257         * b3/B3ValueKey.cpp:
1258         (JSC::B3::ValueKey::materialize const):
1259         * ftl/FTLLowerDFGToB3.cpp:
1260         (JSC::FTL::DFG::LowerDFGToB3::caged):
1261         * ftl/FTLOutput.cpp:
1262         (JSC::FTL::Output::opaque):
1263         * ftl/FTLOutput.h:
1264
1265 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1266
1267         ScopedArguments overflow storage needs to be in the JSValue gigacage
1268         https://bugs.webkit.org/show_bug.cgi?id=174923
1269
1270         Reviewed by Saam Barati.
1271         
1272         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1273         object into the JSValue gigacage.
1274
1275         * dfg/DFGSpeculativeJIT.cpp:
1276         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1277         * ftl/FTLLowerDFGToB3.cpp:
1278         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1279         * jit/JITPropertyAccess.cpp:
1280         (JSC::JIT::emitScopedArgumentsGetByVal):
1281         * runtime/ScopedArguments.h:
1282         (JSC::ScopedArguments::subspaceFor):
1283         (JSC::ScopedArguments::overflowStorage const):
1284
1285 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1286
1287         JSLexicalEnvironment needs to be in the JSValue gigacage
1288         https://bugs.webkit.org/show_bug.cgi?id=174922
1289
1290         Reviewed by Michael Saboff.
1291         
1292         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1293         the only random accesses use pointer caging.
1294         
1295         We don't need to do anything to normal lexical environment accesses.
1296
1297         * dfg/DFGSpeculativeJIT.cpp:
1298         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1299         * ftl/FTLLowerDFGToB3.cpp:
1300         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1301         * runtime/JSEnvironmentRecord.h:
1302         (JSC::JSEnvironmentRecord::subspaceFor):
1303         (JSC::JSEnvironmentRecord::variables):
1304
1305 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1306
1307         DirectArguments should be in the JSValue gigacage
1308         https://bugs.webkit.org/show_bug.cgi?id=174920
1309
1310         Reviewed by Michael Saboff.
1311         
1312         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1313         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1314         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1315         required to use fixed offsets, and you can only store JSValues.
1316
1317         * dfg/DFGSpeculativeJIT.cpp:
1318         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1319         * ftl/FTLLowerDFGToB3.cpp:
1320         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1321         * jit/JITPropertyAccess.cpp:
1322         (JSC::JIT::emitDirectArgumentsGetByVal):
1323         * runtime/DirectArguments.h:
1324         (JSC::DirectArguments::subspaceFor):
1325         (JSC::DirectArguments::storage):
1326         * runtime/VM.cpp:
1327         (JSC::VM::VM):
1328         * runtime/VM.h:
1329
1330 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1331
1332         Unreviewed, add a FIXME.
1333
1334         * ftl/FTLLowerDFGToB3.cpp:
1335         (JSC::FTL::DFG::LowerDFGToB3::caged):
1336
1337 2017-08-10  Sam Weinig  <sam@webkit.org>
1338
1339         WTF::Function does not allow for reference / non-default constructible return types
1340         https://bugs.webkit.org/show_bug.cgi?id=175244
1341
1342         Reviewed by Chris Dumez.
1343
1344         * runtime/ArrayBuffer.cpp:
1345         (JSC::ArrayBufferContents::transferTo):
1346         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1347         destroy call needed to be a no-op anyway, since the data is being moved.
1348
1349 2017-08-11  Mark Lam  <mark.lam@apple.com>
1350
1351         Gardening: fix CLoop build.
1352         https://bugs.webkit.org/show_bug.cgi?id=175446
1353         <rdar://problem/33836545>
1354
1355         Not reviewed.
1356
1357         * assembler/MacroAssemblerPrinter.cpp:
1358
1359 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1360
1361         DFG should do caging
1362         https://bugs.webkit.org/show_bug.cgi?id=174918
1363
1364         Reviewed by Saam Barati.
1365         
1366         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1367         the conditional caging with a watchpoint.
1368         
1369         This might be a 1% SunSpider slow-down, but it's not clear.
1370
1371         * dfg/DFGSpeculativeJIT.cpp:
1372         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1373         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1374         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1375         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1376         (JSC::DFG::SpeculativeJIT::compileSpread):
1377         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1378         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1379         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1380         * dfg/DFGSpeculativeJIT.h:
1381         * dfg/DFGSpeculativeJIT64.cpp:
1382         (JSC::DFG::SpeculativeJIT::compile):
1383
1384 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1385
1386         Unreviewed, build fix for x86 GTK port
1387         https://bugs.webkit.org/show_bug.cgi?id=175446
1388
1389         Use pushfl/popfl instead of pushfd/popfd.
1390
1391         * assembler/MacroAssemblerX86Common.cpp:
1392
1393 2017-08-10  Mark Lam  <mark.lam@apple.com>
1394
1395         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1396         https://bugs.webkit.org/show_bug.cgi?id=175446
1397         <rdar://problem/33836545>
1398
1399         Reviewed by Saam Barati.
1400
1401         * assembler/AbstractMacroAssembler.h:
1402         * assembler/MacroAssembler.cpp:
1403         (JSC::MacroAssembler::probe):
1404         * assembler/MacroAssembler.h:
1405         * assembler/MacroAssemblerARM.cpp:
1406         (JSC::MacroAssembler::probe):
1407         * assembler/MacroAssemblerARM.h:
1408         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1409         * assembler/MacroAssemblerARM64.cpp:
1410         (JSC::MacroAssembler::probe):
1411         * assembler/MacroAssemblerARMv7.cpp:
1412         (JSC::MacroAssembler::probe):
1413         * assembler/MacroAssemblerARMv7.h:
1414         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1415         * assembler/MacroAssemblerPrinter.cpp:
1416         * assembler/MacroAssemblerPrinter.h:
1417         * assembler/MacroAssemblerX86Common.cpp:
1418         * assembler/testmasm.cpp:
1419         (JSC::isSpecialGPR):
1420         (JSC::testProbeModifiesProgramCounter):
1421         (JSC::run):
1422         * b3/B3LowerToAir.cpp:
1423         (JSC::B3::Air::LowerToAir::print):
1424         * b3/air/AirPrintSpecial.cpp:
1425         * b3/air/AirPrintSpecial.h:
1426
1427 2017-08-10  Mark Lam  <mark.lam@apple.com>
1428
1429         Apply the UNLIKELY macro to some unlikely things.
1430         https://bugs.webkit.org/show_bug.cgi?id=175440
1431         <rdar://problem/33834767>
1432
1433         Reviewed by Yusuke Suzuki.
1434
1435         * bytecode/CodeBlock.cpp:
1436         (JSC::CodeBlock::~CodeBlock):
1437         (JSC::CodeBlock::jettison):
1438         * dfg/DFGByteCodeParser.cpp:
1439         (JSC::DFG::ByteCodeParser::handleCall):
1440         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1441         (JSC::DFG::ByteCodeParser::handleGetById):
1442         (JSC::DFG::ByteCodeParser::handlePutById):
1443         (JSC::DFG::ByteCodeParser::parseBlock):
1444         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1445         * dfg/DFGJITCompiler.cpp:
1446         (JSC::DFG::JITCompiler::JITCompiler):
1447         (JSC::DFG::JITCompiler::linkOSRExits):
1448         (JSC::DFG::JITCompiler::link):
1449         (JSC::DFG::JITCompiler::disassemble):
1450         * dfg/DFGJITFinalizer.cpp:
1451         (JSC::DFG::JITFinalizer::finalizeCommon):
1452         * dfg/DFGOSRExit.cpp:
1453         (JSC::DFG::OSRExit::compileOSRExit):
1454         * dfg/DFGPlan.cpp:
1455         (JSC::DFG::Plan::Plan):
1456         * ftl/FTLJITFinalizer.cpp:
1457         (JSC::FTL::JITFinalizer::finalizeCommon):
1458         * ftl/FTLLink.cpp:
1459         (JSC::FTL::link):
1460         * ftl/FTLOSRExitCompiler.cpp:
1461         (JSC::FTL::compileStub):
1462         * jit/JIT.cpp:
1463         (JSC::JIT::privateCompileMainPass):
1464         (JSC::JIT::compileWithoutLinking):
1465         (JSC::JIT::link):
1466         * runtime/ScriptExecutable.cpp:
1467         (JSC::ScriptExecutable::installCode):
1468         * runtime/VM.cpp:
1469         (JSC::VM::VM):
1470
1471 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1472
1473         [WTF] ThreadSpecific should not introduce additional indirection
1474         https://bugs.webkit.org/show_bug.cgi?id=175187
1475
1476         Reviewed by Mark Lam.
1477
1478         * runtime/Identifier.cpp:
1479
1480 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1481
1482         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1483         https://bugs.webkit.org/show_bug.cgi?id=175436
1484         <rdar://problem/33667497>
1485
1486         Reviewed by Simon Fraser.
1487
1488         * interpreter/Interpreter.cpp:
1489         (JSC::Interpreter::Interpreter):
1490
1491 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1492
1493         Remove ENABLE_GAMEPAD_DEPRECATED
1494         https://bugs.webkit.org/show_bug.cgi?id=175361
1495
1496         Reviewed by Carlos Garcia Campos.
1497
1498         * Configurations/FeatureDefines.xcconfig:
1499
1500 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1501
1502         [JSC] Create JSSet constructor that accepts its size as parameter
1503         https://bugs.webkit.org/show_bug.cgi?id=173297
1504
1505         Reviewed by Saam Barati.
1506
1507         This patch adds a new constructor to JSSet that gives its
1508         expected initial size. It is important to avoid re-hashing and multiple
1509         allocations when we know the final size of JSSet, such as in
1510         CodeBlock::setConstantIdentifierSetRegisters.
1511
1512         * bytecode/CodeBlock.cpp:
1513         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1514         * runtime/HashMapImpl.h:
1515         (JSC::HashMapImpl::HashMapImpl):
1516         * runtime/JSSet.h:
1517
1518 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1519
1520         Unreviewed, rolling out r220466, r220477, and r220487.
1521         https://bugs.webkit.org/show_bug.cgi?id=175411
1522
1523         This change broke existing API tests and follow up fixes did
1524         not resolve all the issues. (Requested by ryanhaddad on
1525         #webkit).
1526
1527         Reverted changesets:
1528
1529         https://bugs.webkit.org/show_bug.cgi?id=175244
1530         http://trac.webkit.org/changeset/220466
1531
1532         "WTF::Function does not allow for reference / non-default
1533         constructible return types"
1534         https://bugs.webkit.org/show_bug.cgi?id=175244
1535         http://trac.webkit.org/changeset/220477
1536
1537         https://bugs.webkit.org/show_bug.cgi?id=175244
1538         http://trac.webkit.org/changeset/220487
1539
1540 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1541
1542         Early error on ANY operator before new.target
1543         https://bugs.webkit.org/show_bug.cgi?id=157970
1544
1545         Reviewed by Saam Barati.
1546
1547         Instead of throwing if any unary operator precedes new.target, only
1548         throw if the unary operator updates the reference.
1549
1550         The following become legal in JSC:
1551
1552         ```
1553         !new.target
1554         ~new.target
1555         typeof new.target
1556         delete new.target
1557         void new.target
1558         ```
1559
1560         All of these are legal in v8 and SpiderMonkey in both strict and sloppy mode.
1561
1562         * parser/Parser.cpp:
1563         (JSC::Parser<LexerType>::parseUnaryExpression):
1564
1565 2017-08-09  Sam Weinig  <sam@webkit.org>
1566
1567         WTF::Function does not allow for reference / non-default constructible return types
1568         https://bugs.webkit.org/show_bug.cgi?id=175244
1569
1570         Reviewed by Chris Dumez.
1571
1572         * runtime/ArrayBuffer.cpp:
1573         (JSC::ArrayBufferContents::transferTo):
1574         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1575         destroy call needed to be a no-op anyway, since the data is being moved.
1576
1577 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1578
1579         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1580         https://bugs.webkit.org/show_bug.cgi?id=175392
1581         <rdar://problem/33783207>
1582
1583         Reviewed by Tim Horton and Megan Gardner.
1584
1585         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1586
1587         * Configurations/FeatureDefines.xcconfig:
1588
1589 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1590
1591         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1592         https://bugs.webkit.org/show_bug.cgi?id=175358
1593
1594         Reviewed by Mark Lam.
1595
1596         * jit/JITOperations.cpp:
1597         * runtime/JSObjectInlines.h:
1598         (JSC::JSObject::putInlineForJSObject):
1599
1600 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1601
1602         Unreviewed, rolling out r220457.
1603
1604         This change introduced API test failures.
1605
1606         Reverted changeset:
1607
1608         "WTF::Function does not allow for reference / non-default
1609         constructible return types"
1610         https://bugs.webkit.org/show_bug.cgi?id=175244
1611         http://trac.webkit.org/changeset/220457
1612
1613 2017-08-09  Sam Weinig  <sam@webkit.org>
1614
1615         WTF::Function does not allow for reference / non-default constructible return types
1616         https://bugs.webkit.org/show_bug.cgi?id=175244
1617
1618         Reviewed by Chris Dumez.
1619
1620         * runtime/ArrayBuffer.cpp:
1621         (JSC::ArrayBufferContents::transferTo):
1622         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1623         destroy call needed to be a no-op anyway, since the data is being moved.
1624
1625 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1626
1627         REGRESSION: 2 test262/test/language/statements/async-function failures
1628         https://bugs.webkit.org/show_bug.cgi?id=175334
1629
1630         Reviewed by Yusuke Suzuki.
1631
1632         Switch off useAsyncIterator by default
1633
1634         * runtime/Options.h:
1635
1636 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1637
1638         ICs should do caging
1639         https://bugs.webkit.org/show_bug.cgi?id=175295
1640
1641         Reviewed by Saam Barati.
1642         
1643         Adds the appropriate cage() calls in our inline caches.
1644
1645         * bytecode/AccessCase.cpp:
1646         (JSC::AccessCase::generateImpl):
1647         * bytecode/InlineAccess.cpp:
1648         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1649         (JSC::InlineAccess::generateSelfPropertyAccess):
1650         (JSC::InlineAccess::generateSelfPropertyReplace):
1651         (JSC::InlineAccess::generateArrayLength):
1652
1653 2017-08-08  Devin Rousso  <drousso@apple.com>
1654
1655         Web Inspector: Canvas: support editing WebGL shaders
1656         https://bugs.webkit.org/show_bug.cgi?id=124211
1657         <rdar://problem/15448958>
1658
1659         Reviewed by Matt Baker.
1660
1661         * inspector/protocol/Canvas.json:
1662         Add `updateShader` command that will change the given shader's source to the provided string,
1663         recompile, and relink it to its associated program.
1664         Drive-by: add description to `requestShaderSource` command.
1665
1666 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1667
1668         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1669         https://bugs.webkit.org/show_bug.cgi?id=175347
1670
1671         Reviewed by Saam Barati.
1672
1673         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
1674         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1675         negligible considering how much more finishCreation does.
1676         This fix then exposed another issue, since it was now clear that finishCreation can throw. Because it is called by ProgramCodeBlock::create(),
1677         FunctionCodeBlock::create() and friends, which are in turn called by ScriptExecutable::newCodeBlockFor, that last function also required a few tweaks.
1678
1679         * bytecode/CodeBlock.cpp:
1680         (JSC::CodeBlock::finishCreation):
1681         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1682         (JSC::CodeBlock::setConstantRegisters):
1683         * bytecode/CodeBlock.h:
1684         * runtime/ScriptExecutable.cpp:
1685         (JSC::ScriptExecutable::newCodeBlockFor):
1686
1687 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1688
1689         Unreviewed, fix Ubuntu LTS build
1690         https://bugs.webkit.org/show_bug.cgi?id=174490
1691
1692         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1693         * inspector/remote/glib/RemoteInspectorServer.cpp:
1694
1695 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1696
1697         Baseline JIT should do caging
1698         https://bugs.webkit.org/show_bug.cgi?id=175037
1699
1700         Reviewed by Mark Lam.
1701         
1702         Adds AssemblyHelpers::cage and cageConditionally and uses them in the baseline JIT.
1703         
1704         Also modifies FTL caging to be more defensive when caging is disabled.
1705         
1706         Relanded with fixed AssemblyHelpers::cageConditionally().
1707
1708         * bytecode/AccessCase.cpp:
1709         (JSC::AccessCase::generateImpl):
1710         * bytecode/InlineAccess.cpp:
1711         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1712         (JSC::InlineAccess::generateSelfPropertyAccess):
1713         (JSC::InlineAccess::generateSelfPropertyReplace):
1714         (JSC::InlineAccess::generateArrayLength):
1715         * ftl/FTLLowerDFGToB3.cpp:
1716         (JSC::FTL::DFG::LowerDFGToB3::caged):
1717         * jit/AssemblyHelpers.h:
1718         (JSC::AssemblyHelpers::cage):
1719         (JSC::AssemblyHelpers::cageConditionally):
1720         * jit/JITPropertyAccess.cpp:
1721         (JSC::JIT::emitDoubleLoad):
1722         (JSC::JIT::emitContiguousLoad):
1723         (JSC::JIT::emitArrayStorageLoad):
1724         (JSC::JIT::emitGenericContiguousPutByVal):
1725         (JSC::JIT::emitArrayStoragePutByVal):
1726         (JSC::JIT::emit_op_get_from_scope):
1727         (JSC::JIT::emit_op_put_to_scope):
1728         (JSC::JIT::emitIntTypedArrayGetByVal):
1729         (JSC::JIT::emitFloatTypedArrayGetByVal):
1730         (JSC::JIT::emitIntTypedArrayPutByVal):
1731         (JSC::JIT::emitFloatTypedArrayPutByVal):
1732         * jsc.cpp:
1733         (jscmain):
1734         (primitiveGigacageDisabled): Deleted.
1735
1736 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1737
1738         Unreviewed, rolling out r220368.
1739
1740         This change caused WK1 tests to exit early with crashes.
1741
1742         Reverted changeset:
1743
1744         "Baseline JIT should do caging"
1745         https://bugs.webkit.org/show_bug.cgi?id=175037
1746         http://trac.webkit.org/changeset/220368
1747
1748 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1749
1750         [CMake] Properly test if compiler supports compiler flags
1751         https://bugs.webkit.org/show_bug.cgi?id=174490
1752
1753         Reviewed by Konstantin Tokarev.
1754
1755         * API/tests/PingPongStackOverflowTest.cpp:
1756         (testPingPongStackOverflow):
1757         * API/tests/testapi.c:
1758         * b3/testb3.cpp:
1759         (JSC::B3::testPatchpointLotsOfLateAnys):
1760
1761 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1762
1763         [Linux] Clear WasmMemory with madvise instead of memset
1764         https://bugs.webkit.org/show_bug.cgi?id=175150
1765
1766         Reviewed by Filip Pizlo.
1767
1768         On Linux, zeroing pages with memset populates the backing store.
1769         Instead, we should use madvise with MADV_DONTNEED, which discards the
1770         pages. If you access these pages afterwards, on-demand zero pages
1771         will be provided.
1772
1773         We also commit grown pages in all OSes.
1774
1775         * wasm/WasmMemory.cpp:
1776         (JSC::Wasm::commitZeroPages):
1777         (JSC::Wasm::Memory::create):
1778         (JSC::Wasm::Memory::grow):
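
The memset-versus-madvise behaviour described in this entry, as an added example that is not part of the WebKit change: it fills an anonymous mapping with a non-zero pattern, discards it with MADV_DONTNEED, and checks with mincore() that the pages are no longer resident and read back as zeros. The function names, return codes and the 64-page size are this example's own, and it is Linux-specific.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Count how many pages of [addr, addr+len) are currently resident, using
 * mincore() so the measurement is not disturbed by unrelated allocations. */
static long residentPagesIn(void *addr, size_t len, size_t pageSize)
{
    size_t n = len / pageSize;
    unsigned char *vec = malloc(n);
    if (!vec)
        return -1;
    if (mincore(addr, len, vec) != 0) {
        free(vec);
        return -1;
    }
    long count = 0;
    for (size_t i = 0; i < n; i++)
        count += vec[i] & 1;   /* bit 0: page is resident */
    free(vec);
    return count;
}

static int allZero(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (p[i])
            return 0;
    }
    return 1;
}

/*
 * Fill `npages` of a fresh anonymous mapping with a non-zero pattern (what a
 * memset-based clear leaves resident), discard them with madvise(MADV_DONTNEED),
 * and check that (a) the pages are no longer resident and (b) reading them
 * afterwards yields zeros rather than the old contents.
 *
 * Returns 0 on success; -1 mmap failed, -2 mincore failed, -3 the fill did not
 * make every page resident, -4 madvise failed, -5 pages were still resident
 * after the discard, -6 discarded pages did not read back as zero.
 * On success *droppedPages is the number of resident pages the discard freed.
 */
int discardPagesAndVerify(size_t npages, long *droppedPages)
{
    size_t pageSize = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = npages * pageSize;
    long afterTouch = -1, afterDiscard = -1;
    int rc = 0;

    unsigned char *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    /* Writing every page populates the backing store: this is the memset cost. */
    memset(mem, 0xAB, len);
    afterTouch = residentPagesIn(mem, len, pageSize);
    if (afterTouch < 0) { rc = -2; goto out; }
    if (afterTouch < (long)npages) { rc = -3; goto out; }

    /* MADV_DONTNEED drops the private pages immediately; the next access
     * faults in a zero page instead of the previous contents. */
    if (madvise(mem, len, MADV_DONTNEED) != 0) { rc = -4; goto out; }
    afterDiscard = residentPagesIn(mem, len, pageSize);
    if (afterDiscard < 0) { rc = -2; goto out; }
    if (afterDiscard != 0) { rc = -5; goto out; }
    *droppedPages = afterTouch - afterDiscard;

    /* The old 0xAB pattern must be gone: every byte reads as zero. */
    if (!allZero(mem, len))
        rc = -6;
out:
    munmap(mem, len);
    return rc;
}

int main(void)
{
    long dropped = 0;
    int rc = discardPagesAndVerify(64, &dropped);
    printf("rc=%d dropped=%ld pages\n", rc, dropped);
    return rc == 0 ? 0 : 1;
}
```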
1779
1780 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1781
1782         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1783         https://bugs.webkit.org/show_bug.cgi?id=175307
1784
1785         Reviewed by Saam Barati.
1786
1787         ```
1788         let a = new Uint8Array(10);
1789         let b = Object.getOwnPropertyDescriptor(a, 0);
1790         assert(b.configurable === false);
1791         ```
1792         should not fail, by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p),
1793         which applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances),
1794         which says that typed arrays are integer indexed exotic objects.
1795
1796         * runtime/JSGenericTypedArrayViewInlines.h:
1797         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1798
1799 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1800
1801         Baseline JIT should do caging
1802         https://bugs.webkit.org/show_bug.cgi?id=175037
1803
1804         Reviewed by Mark Lam.
1805         
1806         Adds AssemblyHelpers::cage and cageConditionally and uses them in the baseline JIT.
1807         
1808         Also modifies FTL caging to be more defensive when caging is disabled.
1809
1810         * ftl/FTLLowerDFGToB3.cpp:
1811         (JSC::FTL::DFG::LowerDFGToB3::caged):
1812         * jit/AssemblyHelpers.h:
1813         (JSC::AssemblyHelpers::cage):
1814         (JSC::AssemblyHelpers::cageConditionally):
1815         * jit/JITPropertyAccess.cpp:
1816         (JSC::JIT::emitDoubleLoad):
1817         (JSC::JIT::emitContiguousLoad):
1818         (JSC::JIT::emitArrayStorageLoad):
1819         (JSC::JIT::emitGenericContiguousPutByVal):
1820         (JSC::JIT::emitArrayStoragePutByVal):
1821         (JSC::JIT::emit_op_get_from_scope):
1822         (JSC::JIT::emit_op_put_to_scope):
1823         (JSC::JIT::emitIntTypedArrayGetByVal):
1824         (JSC::JIT::emitFloatTypedArrayGetByVal):
1825         (JSC::JIT::emitIntTypedArrayPutByVal):
1826         (JSC::JIT::emitFloatTypedArrayPutByVal):
1827         * jsc.cpp:
1828         (jscmain):
1829         (primitiveGigacageDisabled): Deleted.
1830
1831 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1832
1833         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1834         https://bugs.webkit.org/show_bug.cgi?id=174919
1835
1836         Reviewed by Keith Miller.
1837         
1838         This adapts JSC to there being two gigacages.
1839         
1840         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1841         singletons. I don't think we were gaining anything by making them be singletons.
1842         
1843         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1844         gigacages. We'll have one of those allocators per cage.
1845         
1846         From there, this change teaches everyone who previously knew about cages that there are two cages.
1847         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1848         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1849         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1850         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1851         
1852         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1853         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1854
1855         * JavaScriptCore.xcodeproj/project.pbxproj:
1856         * bytecode/AccessCase.cpp:
1857         (JSC::AccessCase::generateImpl):
1858         * dfg/DFGSpeculativeJIT.cpp:
1859         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1860         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1861         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1862         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1863         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1864         * ftl/FTLLowerDFGToB3.cpp:
1865         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1866         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1867         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1868         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1869         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1870         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1871         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1872         (JSC::FTL::DFG::LowerDFGToB3::caged):
1873         * heap/FastMallocAlignedMemoryAllocator.cpp:
1874         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1875         * heap/FastMallocAlignedMemoryAllocator.h:
1876         * heap/GigacageAlignedMemoryAllocator.cpp:
1877         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1878         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1879         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1880         (JSC::GigacageAlignedMemoryAllocator::dump const):
1881         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1882         * heap/GigacageAlignedMemoryAllocator.h:
1883         * jsc.cpp:
1884         (primitiveGigacageDisabled):
1885         (jscmain):
1886         (gigacageDisabled): Deleted.
1887         * llint/LowLevelInterpreter64.asm:
1888         * runtime/ArrayBuffer.cpp:
1889         (JSC::ArrayBufferContents::tryAllocate):
1890         (JSC::ArrayBuffer::createAdopted):
1891         (JSC::ArrayBuffer::createFromBytes):
1892         * runtime/AuxiliaryBarrier.h:
1893         * runtime/ButterflyInlines.h:
1894         (JSC::Butterfly::createUninitialized):
1895         (JSC::Butterfly::tryCreate):
1896         (JSC::Butterfly::growArrayRight):
1897         * runtime/CagedBarrierPtr.h: Added.
1898         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1899         (JSC::CagedBarrierPtr::clear):
1900         (JSC::CagedBarrierPtr::set):
1901         (JSC::CagedBarrierPtr::get const):
1902         (JSC::CagedBarrierPtr::getMayBeNull const):
1903         (JSC::CagedBarrierPtr::operator== const):
1904         (JSC::CagedBarrierPtr::operator!= const):
1905         (JSC::CagedBarrierPtr::operator bool const):
1906         (JSC::CagedBarrierPtr::setWithoutBarrier):
1907         (JSC::CagedBarrierPtr::operator* const):
1908         (JSC::CagedBarrierPtr::operator-> const):
1909         (JSC::CagedBarrierPtr::operator[] const):
1910         * runtime/DirectArguments.cpp:
1911         (JSC::DirectArguments::overrideThings):
1912         (JSC::DirectArguments::unmapArgument):
1913         * runtime/DirectArguments.h:
1914         (JSC::DirectArguments::isMappedArgument const):
1915         * runtime/GenericArguments.h:
1916         * runtime/GenericArgumentsInlines.h:
1917         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1918         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1919         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1920         * runtime/HashMapImpl.cpp:
1921         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1922         * runtime/HashMapImpl.h:
1923         (JSC::HashMapBuffer::create):
1924         (JSC::HashMapImpl::buffer const):
1925         (JSC::HashMapImpl::rehash):
1926         * runtime/JSArray.cpp:
1927         (JSC::JSArray::tryCreateUninitializedRestricted):
1928         (JSC::JSArray::unshiftCountSlowCase):
1929         (JSC::JSArray::setLength):
1930         (JSC::JSArray::pop):
1931         (JSC::JSArray::push):
1932         (JSC::JSArray::fastSlice):
1933         (JSC::JSArray::shiftCountWithArrayStorage):
1934         (JSC::JSArray::shiftCountWithAnyIndexingType):
1935         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1936         (JSC::JSArray::fillArgList):
1937         (JSC::JSArray::copyToArguments):
1938         * runtime/JSArray.h:
1939         (JSC::JSArray::tryCreate):
1940         * runtime/JSArrayBufferView.cpp:
1941         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1942         (JSC::JSArrayBufferView::finalize):
1943         * runtime/JSLock.cpp:
1944         (JSC::JSLock::didAcquireLock):
1945         * runtime/JSObject.cpp:
1946         (JSC::JSObject::heapSnapshot):
1947         (JSC::JSObject::getOwnPropertySlotByIndex):
1948         (JSC::JSObject::putByIndex):
1949         (JSC::JSObject::enterDictionaryIndexingMode):
1950         (JSC::JSObject::createInitialIndexedStorage):
1951         (JSC::JSObject::createArrayStorage):
1952         (JSC::JSObject::convertUndecidedToInt32):
1953         (JSC::JSObject::convertUndecidedToDouble):
1954         (JSC::JSObject::convertUndecidedToContiguous):
1955         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1956         (JSC::JSObject::convertUndecidedToArrayStorage):
1957         (JSC::JSObject::convertInt32ToDouble):
1958         (JSC::JSObject::convertInt32ToContiguous):
1959         (JSC::JSObject::convertInt32ToArrayStorage):
1960         (JSC::JSObject::convertDoubleToContiguous):
1961         (JSC::JSObject::convertDoubleToArrayStorage):
1962         (JSC::JSObject::convertContiguousToArrayStorage):
1963         (JSC::JSObject::setIndexQuicklyToUndecided):
1964         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1965         (JSC::JSObject::deletePropertyByIndex):
1966         (JSC::JSObject::getOwnPropertyNames):
1967         (JSC::JSObject::putIndexedDescriptor):
1968         (JSC::JSObject::defineOwnIndexedProperty):
1969         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1970         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1971         (JSC::JSObject::getNewVectorLength):
1972         (JSC::JSObject::ensureLengthSlow):
1973         (JSC::JSObject::reallocateAndShrinkButterfly):
1974         (JSC::JSObject::allocateMoreOutOfLineStorage):
1975         (JSC::JSObject::getEnumerableLength):
1976         * runtime/JSObject.h:
1977         (JSC::JSObject::getArrayLength const):
1978         (JSC::JSObject::getVectorLength):
1979         (JSC::JSObject::putDirectIndex):
1980         (JSC::JSObject::canGetIndexQuickly):
1981         (JSC::JSObject::getIndexQuickly):
1982         (JSC::JSObject::tryGetIndexQuickly const):
1983         (JSC::JSObject::canSetIndexQuickly):
1984         (JSC::JSObject::setIndexQuickly):
1985         (JSC::JSObject::initializeIndex):
1986         (JSC::JSObject::initializeIndexWithoutBarrier):
1987         (JSC::JSObject::hasSparseMap):
1988         (JSC::JSObject::inSparseIndexingMode):
1989         (JSC::JSObject::butterfly const):
1990         (JSC::JSObject::butterfly):
1991         (JSC::JSObject::outOfLineStorage const):
1992         (JSC::JSObject::outOfLineStorage):
1993         (JSC::JSObject::ensureInt32):
1994         (JSC::JSObject::ensureDouble):
1995         (JSC::JSObject::ensureContiguous):
1996         (JSC::JSObject::ensureArrayStorage):
1997         (JSC::JSObject::arrayStorage):
1998         (JSC::JSObject::arrayStorageOrNull):
1999         (JSC::JSObject::ensureLength):
2000         * runtime/RegExpMatchesArray.h:
2001         (JSC::tryCreateUninitializedRegExpMatchesArray):
2002         * runtime/VM.cpp:
2003         (JSC::VM::VM):
2004         (JSC::VM::~VM):
2005         (JSC::VM::primitiveGigacageDisabledCallback):
2006         (JSC::VM::primitiveGigacageDisabled):
2007         (JSC::VM::gigacageDisabledCallback): Deleted.
2008         (JSC::VM::gigacageDisabled): Deleted.
2009         * runtime/VM.h:
2010         (JSC::VM::gigacageAuxiliarySpace):
2011         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
2012         (JSC::VM::primitiveGigacageEnabled):
2013         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
2014         (JSC::VM::gigacageEnabled): Deleted.
2015         * wasm/WasmMemory.cpp:
2016         (JSC::Wasm::Memory::create):
2017         (JSC::Wasm::Memory::~Memory):
2018         (JSC::Wasm::Memory::grow):
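
A simplified model of the cage()/cageConditionally() helpers named in the caging entries above (the DFG cageTypedArrayStorage entry, "Baseline JIT should do caging", "ICs should do caging", and this two-cage change), as an added example that is not JSC's own code. The base + (ptr & mask) arithmetic, the constructed cage bases and size, and the `enabled` flag standing in for the watchpoint are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of a gigacage (added example, not JSC's own code). Real addresses are
 * replaced by constructed 64-bit values, and the cage is assumed to be a
 * power-of-two sized region whose base is aligned to its size.
 */
typedef struct {
    uint64_t base;   /* first address of the cage (assumed size-aligned) */
    uint64_t size;   /* power of two */
    bool enabled;    /* stands in for the "cage disabled" watchpoint */
} Cage;

typedef enum { CagePrimitive = 0, CageJSValue = 1 } CageKind;

/* cage(): unconditionally force a pointer into the cage. A pointer already
 * inside comes back unchanged; one that points elsewhere (for example because
 * an out-of-bounds write corrupted it) is rewritten to the same offset inside
 * the cage, so the access stays within memory the cage owns instead of
 * reaching an arbitrary address. Null stays null. */
static inline uint64_t cage(const Cage *c, uint64_t ptr)
{
    if (!ptr)
        return 0;
    return c->base + (ptr & (c->size - 1));
}

/* cageConditionally(): once a cage has been disabled (the entries above
 * mention a primitiveGigacageDisabled callback), pointers must be used as-is,
 * because masking would redirect them to the wrong memory. In JIT code that
 * decision is made by a watchpoint; here it is a plain flag (assumption). */
static inline uint64_t cageConditionally(const Cage *c, uint64_t ptr)
{
    return c->enabled ? cage(c, ptr) : ptr;
}

static inline bool inCage(const Cage *c, uint64_t ptr)
{
    return ptr >= c->base && ptr - c->base < c->size;
}

/* Two cages, as after the "separate gigacages" change: typed-array storage
 * lives in the Primitive cage, butterflies in the JSValue cage. Constructed
 * bases of 16 TiB and 32 TiB, each aligned to a constructed 64 GiB size. */
static const uint64_t kCageSize = 64ULL << 30;

Cage makeCage(CageKind kind, bool enabled)
{
    Cage c;
    c.base = (kind == CagePrimitive) ? (16ULL << 40) : (32ULL << 40);
    c.size = kCageSize;
    c.enabled = enabled;
    return c;
}

/* Returns true if a typed-array storage pointer that was corrupted to aim
 * into the JSValue cage ends up back inside the Primitive cage after caging,
 * i.e. the two cages really do keep primitive bytes and JSValues apart. */
bool corruptedPrimitivePointerIsContained(void)
{
    Cage prim = makeCage(CagePrimitive, true);
    Cage jsv = makeCage(CageJSValue, true);
    uint64_t forged = jsv.base + 0x1234;   /* constructed: points at JSValues */
    uint64_t caged = cage(&prim, forged);
    return inCage(&prim, caged) && !inCage(&jsv, caged);
}

int main(void)
{
    Cage prim = makeCage(CagePrimitive, true);
    uint64_t good = prim.base + 0x10000;
    printf("in-cage pointer unchanged: %s\n",
           cage(&prim, good) == good ? "yes" : "no");
    printf("corrupted pointer contained: %s\n",
           corruptedPrimitivePointerIsContained() ? "yes" : "no");
    Cage off = makeCage(CagePrimitive, false);
    printf("disabled cage leaves pointer alone: %s\n",
           cageConditionally(&off, 0x7000) == 0x7000 ? "yes" : "no");
    return 0;
}
```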
2019
2020 2017-08-07  Commit Queue  <commit-queue@webkit.org>
2021
2022         Unreviewed, rolling out r220144.
2023         https://bugs.webkit.org/show_bug.cgi?id=175276
2024
2025         "It did not actually speed things up in the way I expected"
2026         (Requested by saamyjoon on #webkit).
2027
2028         Reverted changeset:
2029
2030         "On memory-constrained iOS devices, reduce the rate at which
2031         the JS heap grows before a GC to try to keep more memory
2032         available for the system"
2033         https://bugs.webkit.org/show_bug.cgi?id=175041
2034         http://trac.webkit.org/changeset/220144
2035
2036 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
2037
2038         Unreviewed, rolling out r220299.
2039
2040         This change caused LayoutTest inspector/dom-debugger/dom-
2041         breakpoints.html to fail.
2042
2043         Reverted changeset:
2044
2045         "Web Inspector: capture async stack trace when workers/main
2046         context posts a message"
2047         https://bugs.webkit.org/show_bug.cgi?id=167084
2048         http://trac.webkit.org/changeset/220299
2049
2050 2017-08-07  Brian Burg  <bburg@apple.com>
2051
2052         Remove CANVAS_PATH compilation guard
2053         https://bugs.webkit.org/show_bug.cgi?id=175207
2054
2055         Reviewed by Sam Weinig.
2056
2057         * Configurations/FeatureDefines.xcconfig:
2058
2059 2017-08-07  Keith Miller  <keith_miller@apple.com>
2060
2061         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
2062         https://bugs.webkit.org/show_bug.cgi?id=175256
2063
2064         Reviewed by Saam Barati.
2065
2066         The check in createFromBytes just needed to check that the buffer was not null before
2067         calling isCaged.
2068
2069         * runtime/ArrayBuffer.cpp:
2070         (JSC::ArrayBuffer::createFromBytes):
2071
2072 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
2073
2074         [GTK][WPE] Add API to provide browser information required by automation
2075         https://bugs.webkit.org/show_bug.cgi?id=175130
2076
2077         Reviewed by Brian Burg.
2078
2079         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
2080         get them.
2081
2082         * inspector/remote/RemoteInspector.cpp:
2083         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
2084         * inspector/remote/RemoteInspector.h:
2085         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2086         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
2087         requested to ensure they are updated before StartAutomationSession reply is sent.
2088         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
2089         StartAutomationSession message.
2090
2091 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2092
2093         Promise resolve and reject function should have length = 1
2094         https://bugs.webkit.org/show_bug.cgi?id=175242
2095
2096         Reviewed by Saam Barati.
2097
2098         Previously we had a separate system for "length" and "name" for builtin functions.
2099         The builtin functions do not use the lazy reifying system. Instead, they are given direct
2100         properties when instantiated. While a function created for a property (like
2101         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
2102         these builtin functions are just created by JSFunction::create(). Since that does
2103         not set any value for "length", these functions do not have a "length" property.
2104         So the resolve and reject functions passed to Promise's executor do not have a
2105         "length" property.
2106
2107         This patch makes builtin functions use the standard lazy reifying system for "length".
2108         So the "length" property of a builtin function works just as it does for normal
2109         functions.
2110
2111         * runtime/JSFunction.cpp:
2112         (JSC::JSFunction::createBuiltinFunction):
2113         (JSC::JSFunction::getOwnPropertySlot):
2114         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2115         (JSC::JSFunction::put):
2116         (JSC::JSFunction::deleteProperty):
2117         (JSC::JSFunction::defineOwnProperty):
2118         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2119         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2120         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2121         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2122         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2123         * runtime/JSFunction.h:
2124
2125 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2126
2127         [ESNext] Async iteration - Implement Async Generator - parser
2128         https://bugs.webkit.org/show_bug.cgi?id=175210
2129
2130         Reviewed by Yusuke Suzuki.
2131
2132         The current implementation is a draft version of Async Iteration.
2133         Link to spec: https://tc39.github.io/proposal-async-iteration/
2134
2135         The current patch implements only the parser part of the Async generator.
2136         The runtime part will be in the next patches.
2137
2138         * parser/ASTBuilder.h:
2139         (JSC::ASTBuilder::createFunctionMetadata):
2140         * parser/Parser.cpp:
2141         (JSC::getAsynFunctionBodyParseMode):
2142         (JSC::Parser<LexerType>::parseInner):
2143         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2144         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2145         (JSC::stringArticleForFunctionMode):
2146         (JSC::stringForFunctionMode):
2147         (JSC::Parser<LexerType>::parseFunctionInfo):
2148         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2149         (JSC::Parser<LexerType>::parseClass):
2150         (JSC::Parser<LexerType>::parseProperty):
2151         (JSC::Parser<LexerType>::parsePropertyMethod):
2152         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2153         * parser/Parser.h:
2154         (JSC::Scope::setSourceParseMode):
2155         * parser/ParserModes.h:
2156         (JSC::isFunctionParseMode):
2157         (JSC::isAsyncFunctionParseMode):
2158         (JSC::isAsyncArrowFunctionParseMode):
2159         (JSC::isAsyncGeneratorFunctionParseMode):
2160         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2161         (JSC::isAsyncFunctionWrapperParseMode):
2162         (JSC::isAsyncFunctionBodyParseMode):
2163         (JSC::isGeneratorMethodParseMode):
2164         (JSC::isAsyncMethodParseMode):
2165         (JSC::isAsyncGeneratorMethodParseMode):
2166         (JSC::isMethodParseMode):
2167         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2168         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2169
2170 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2171
2172         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2173         https://bugs.webkit.org/show_bug.cgi?id=175083
2174
2175         Reviewed by Oliver Hunt.
2176         
2177         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2178         even if we are using the pop path.
2179         
2180         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2181         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2182         the world just because we changed it.
2183         
2184         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2185         easier to debug leaks.
2186
2187         * bytecode/AccessCase.cpp:
2188         * bytecode/PolymorphicAccess.cpp:
2189         * heap/HeapCell.cpp:
2190         (JSC::HeapCell::isLive):
2191         * heap/HeapCellInlines.h:
2192         (JSC::HeapCell::isLive): Deleted.
2193         * heap/MarkedAllocator.cpp:
2194         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2195         (JSC::MarkedAllocator::endMarking):
2196         * heap/MarkedBlockInlines.h:
2197         (JSC::MarkedBlock::Handle::specializedSweep):
2198         * jit/AssemblyHelpers.cpp:
2199         * jit/Repatch.cpp:
2200         * runtime/TestRunnerUtils.h:
2201         * runtime/VM.cpp:
2202         (JSC::waitForVMDestruction):
2203         (JSC::VM::~VM):
2204
2205 2017-08-05  Mark Lam  <mark.lam@apple.com>
2206
2207         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2208         https://bugs.webkit.org/show_bug.cgi?id=175228
2209         <rdar://problem/33735737>
2210
2211         Reviewed by Saam Barati.
2212
2213         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2214         delete OSRExit32_64.cpp.
2215
2216         * CMakeLists.txt:
2217         * JavaScriptCore.xcodeproj/project.pbxproj:
2218         * dfg/DFGOSRExit.cpp:
2219         (JSC::DFG::OSRExit::compileExit):
2220         * dfg/DFGOSRExit32_64.cpp: Removed.
2221         * jit/GPRInfo.h:
2222         (JSC::JSValueSource::payloadGPR const):
2223
2224 2017-08-04  Youenn Fablet  <youenn@apple.com>
2225
2226         [Cache API] Add Cache and CacheStorage IDL definitions
2227         https://bugs.webkit.org/show_bug.cgi?id=175201
2228
2229         Reviewed by Brady Eidson.
2230
2231         * runtime/CommonIdentifiers.h:
2232
2233 2017-08-04  Mark Lam  <mark.lam@apple.com>
2234
2235         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2236         https://bugs.webkit.org/show_bug.cgi?id=175230
2237         <rdar://problem/33735857>
2238
2239         Reviewed by Saam Barati.
2240
2241         * assembler/testmasm.cpp:
2242         (JSC::testProbeReadsArgumentRegisters):
2243         (JSC::testProbeWritesArgumentRegisters):
2244
2245 2017-08-04  Mark Lam  <mark.lam@apple.com>
2246
2247         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2248         https://bugs.webkit.org/show_bug.cgi?id=175214
2249         <rdar://problem/33733308>
2250
2251         Rubber-stamped by Michael Saboff.
2252
2253         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2254         DFGOSRExitCompiler files.
2255
2256         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2257
2258         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2259         used by compileOSRExit(), and will be changed to not be a DFG operation function
2260         when we use JIT probes for DFG OSR exits later in
2261         https://bugs.webkit.org/show_bug.cgi?id=175144.
2262
2263         * CMakeLists.txt:
2264         * JavaScriptCore.xcodeproj/project.pbxproj:
2265         * dfg/DFGJITCompiler.cpp:
2266         * dfg/DFGOSRExit.cpp:
2267         (JSC::DFG::OSRExit::emitRestoreArguments):
2268         (JSC::DFG::OSRExit::compileOSRExit):
2269         (JSC::DFG::OSRExit::compileExit):
2270         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2271         * dfg/DFGOSRExit.h:
2272         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2273         * dfg/DFGOSRExitCompiler.cpp: Removed.
2274         * dfg/DFGOSRExitCompiler.h: Removed.
2275         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2276         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2277         * dfg/DFGOperations.cpp:
2278         * dfg/DFGOperations.h:
2279         * dfg/DFGThunks.cpp:
2280
2281 2017-08-04  Matt Baker  <mattbaker@apple.com>
2282
2283         Web Inspector: capture async stack trace when workers/main context posts a message
2284         https://bugs.webkit.org/show_bug.cgi?id=167084
2285         <rdar://problem/30033673>
2286
2287         Reviewed by Brian Burg.
2288
2289         * inspector/agents/InspectorDebuggerAgent.h:
2290         Add `PostMessage` async call type.
2291
2292 2017-08-04  Mark Lam  <mark.lam@apple.com>
2293
2294         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2295         https://bugs.webkit.org/show_bug.cgi?id=175208
2296         <rdar://problem/33732402>
2297
2298         Reviewed by Saam Barati.
2299
2300         This will minimize the code diff and make it easier to review the patch for
2301         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2302         steps:
2303
2304         1. Do the code changes to move methods into OSRExit.
2305         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2306         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2307
2308         Splitting this refactoring into these 3 steps also makes it easier to review this
2309         patch and understand what is being changed.
2310
2311         * dfg/DFGOSRExit.h:
2312         * dfg/DFGOSRExitCompiler.cpp:
2313         (JSC::DFG::OSRExit::emitRestoreArguments):
2314         (JSC::DFG::OSRExit::compileOSRExit):
2315         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2316         (): Deleted.
2317         * dfg/DFGOSRExitCompiler.h:
2318         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2319         (): Deleted.
2320         * dfg/DFGOSRExitCompiler32_64.cpp:
2321         (JSC::DFG::OSRExit::compileExit):
2322         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2323         * dfg/DFGOSRExitCompiler64.cpp:
2324         (JSC::DFG::OSRExit::compileExit):
2325         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2326         * dfg/DFGThunks.cpp:
2327         (JSC::DFG::osrExitGenerationThunkGenerator):
2328
2329 2017-08-04  Devin Rousso  <drousso@apple.com>
2330
2331         Web Inspector: add source view for WebGL shader programs
2332         https://bugs.webkit.org/show_bug.cgi?id=138593
2333         <rdar://problem/18936194>
2334
2335         Reviewed by Matt Baker.
2336
2337         * inspector/protocol/Canvas.json:
2338          - Add `ShaderType` enum that contains "vertex" and "fragment".
2339          - Add `requestShaderSource` command that will return the original source code for a given
2340            shader program and shader type.
2341
2342 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2343
2344         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2345         https://bugs.webkit.org/show_bug.cgi?id=175141
2346
2347         Reviewed by Mark Lam.
2348         
2349         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2350         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2351         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2352         determined by the AlignedMemoryAllocator object.
2353         
2354         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2355         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2356         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2357         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2358         they use the same AlignedMemoryAllocator.
2359
2360         * CMakeLists.txt:
2361         * JavaScriptCore.xcodeproj/project.pbxproj:
2362         * heap/AlignedMemoryAllocator.cpp: Added.
2363         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2364         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2365         * heap/AlignedMemoryAllocator.h: Added.
2366         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2367         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2368         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2369         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2370         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2371         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2372         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2373         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2374         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2375         (JSC::GigacageAlignedMemoryAllocator::singleton):
2376         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2377         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2378         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2379         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2380         (JSC::GigacageAlignedMemoryAllocator::dump const):
2381         * heap/GigacageAlignedMemoryAllocator.h: Added.
2382         * heap/GigacageSubspace.cpp: Removed.
2383         * heap/GigacageSubspace.h: Removed.
2384         * heap/LargeAllocation.cpp:
2385         (JSC::LargeAllocation::tryCreate):
2386         (JSC::LargeAllocation::destroy):
2387         * heap/MarkedAllocator.cpp:
2388         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2389         * heap/MarkedBlock.cpp:
2390         (JSC::MarkedBlock::tryCreate):
2391         (JSC::MarkedBlock::Handle::Handle):
2392         (JSC::MarkedBlock::Handle::~Handle):
2393         (JSC::MarkedBlock::Handle::didAddToAllocator):
2394         (JSC::MarkedBlock::Handle::subspace const):
2395         * heap/MarkedBlock.h:
2396         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2397         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2398         * heap/Subspace.cpp:
2399         (JSC::Subspace::Subspace):
2400         (JSC::Subspace::findEmptyBlockToSteal):
2401         (JSC::Subspace::canTradeBlocksWith): Deleted.
2402         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2403         (JSC::Subspace::freeAlignedMemory): Deleted.
2404         * heap/Subspace.h:
2405         (JSC::Subspace::name const):
2406         (JSC::Subspace::alignedMemoryAllocator const):
2407         * runtime/JSDestructibleObjectSubspace.cpp:
2408         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2409         * runtime/JSDestructibleObjectSubspace.h:
2410         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2411         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2412         * runtime/JSSegmentedVariableObjectSubspace.h:
2413         * runtime/JSStringSubspace.cpp:
2414         (JSC::JSStringSubspace::JSStringSubspace):
2415         * runtime/JSStringSubspace.h:
2416         * runtime/VM.cpp:
2417         (JSC::VM::VM):
2418         * runtime/VM.h:
2419         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2420         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2421         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2422
2423 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2424
2425         [ESNext] Async iteration - update feature.json
2426         https://bugs.webkit.org/show_bug.cgi?id=175197
2427
2428         Reviewed by Yusuke Suzuki.
2429
2430         Update feature.json to add the status of Async Iteration.
2431
2432         * features.json:
2433
2434 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2435
2436         Unreviewed, rolling out r220271.
2437
2438         Rolling out due to Layout Test failing on iOS Simulator.
2439
2440         Reverted changeset:
2441
2442         "Remove STREAMS_API compilation guard"
2443         https://bugs.webkit.org/show_bug.cgi?id=175165
2444         http://trac.webkit.org/changeset/220271
2445
2446 2017-08-04  Youenn Fablet  <youenn@apple.com>
2447
2448         Remove STREAMS_API compilation guard
2449         https://bugs.webkit.org/show_bug.cgi?id=175165
2450
2451         Reviewed by Darin Adler.
2452
2453         * Configurations/FeatureDefines.xcconfig:
2454
2455 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2456
2457         [EsNext] Async iteration - Add feature flag
2458         https://bugs.webkit.org/show_bug.cgi?id=166694
2459
2460         Reviewed by Yusuke Suzuki.
2461
2462         Add a feature flag to JSC to switch Async Iterator on/off.
2463
2464         * runtime/Options.h:
2465
2466 2017-08-03  Brian Burg  <bburg@apple.com>
2467
2468         Remove ENABLE(WEB_SOCKET) guards
2469         https://bugs.webkit.org/show_bug.cgi?id=167044
2470
2471         Reviewed by Joseph Pecoraro.
2472
2473         * Configurations/FeatureDefines.xcconfig:
2474
2475 2017-08-03  Youenn Fablet  <youenn@apple.com>
2476
2477         Remove FETCH_API compilation guard
2478         https://bugs.webkit.org/show_bug.cgi?id=175154
2479
2480         Reviewed by Chris Dumez.
2481
2482         * Configurations/FeatureDefines.xcconfig:
2483
2484 2017-08-03  Matt Baker  <mattbaker@apple.com>
2485
2486         Web Inspector: Instrument WebGLProgram created/deleted
2487         https://bugs.webkit.org/show_bug.cgi?id=175059
2488
2489         Reviewed by Devin Rousso.
2490
2491         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2492
2493         * inspector/protocol/Canvas.json:
2494
2495 2017-08-03  Brady Eidson  <beidson@apple.com>
2496
2497         Add SW IDLs and stub out basic functionality.
2498         https://bugs.webkit.org/show_bug.cgi?id=175115
2499
2500         Reviewed by Chris Dumez.
2501
2502         * Configurations/FeatureDefines.xcconfig:
2503
2504         * runtime/CommonIdentifiers.h:
2505
2506 2017-08-03  Mark Lam  <mark.lam@apple.com>
2507
2508         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2509         https://bugs.webkit.org/show_bug.cgi?id=175142
2510         <rdar://problem/33704528>
2511
2512         Reviewed by Filip Pizlo.
2513
2514         The convention in the rest of JSC for such methods which return the address of
2515         a field is to name them "addressOf<field name>".  We'll rename
2516         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2517
2518         * dfg/DFGSpeculativeJIT.cpp:
2519         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2520         * dfg/DFGSpeculativeJIT32_64.cpp:
2521         (JSC::DFG::SpeculativeJIT::compile):
2522         * dfg/DFGSpeculativeJIT64.cpp:
2523         (JSC::DFG::SpeculativeJIT::compile):
2524         * dfg/DFGThunks.cpp:
2525         (JSC::DFG::osrExitGenerationThunkGenerator):
2526         * ftl/FTLLowerDFGToB3.cpp:
2527         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2528         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2529         * ftl/FTLThunks.cpp:
2530         (JSC::FTL::genericGenerationThunkGenerator):
2531         * jit/AssemblyHelpers.cpp:
2532         (JSC::AssemblyHelpers::debugCall):
2533         * jit/ScratchRegisterAllocator.cpp:
2534         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2535         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2536         * runtime/VM.h:
2537         (JSC::ScratchBuffer::addressOfActiveLength):
2538         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2539         * wasm/WasmBinding.cpp:
2540         (JSC::Wasm::wasmToJs):
2541
2542 2017-08-02  Devin Rousso  <drousso@apple.com>
2543
2544         Web Inspector: add stack trace information for each RecordingAction
2545         https://bugs.webkit.org/show_bug.cgi?id=174663
2546
2547         Reviewed by Joseph Pecoraro.
2548
2549         * inspector/ScriptCallFrame.h:
2550         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2551         with an existing value doesn't require a functor and can use existing code.
2552
2553         * interpreter/StackVisitor.h:
2554         * interpreter/StackVisitor.cpp:
2555         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2556
2557 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2558
2559         Merge WTFThreadData to Thread::current
2560         https://bugs.webkit.org/show_bug.cgi?id=174716
2561
2562         Reviewed by Mark Lam.
2563
2564         Use Thread::current() instead.
2565
2566         * API/JSContext.mm:
2567         (+[JSContext currentContext]):
2568         (+[JSContext currentThis]):
2569         (+[JSContext currentCallee]):
2570         (+[JSContext currentArguments]):
2571         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2572         (-[JSContext endCallbackWithData:]):
2573         * heap/Heap.cpp:
2574         (JSC::Heap::requestCollection):
2575         * runtime/Completion.cpp:
2576         (JSC::checkSyntax):
2577         (JSC::checkModuleSyntax):
2578         (JSC::evaluate):
2579         (JSC::loadAndEvaluateModule):
2580         (JSC::loadModule):
2581         (JSC::linkAndEvaluateModule):
2582         (JSC::importModule):
2583         * runtime/Identifier.cpp:
2584         (JSC::Identifier::checkCurrentAtomicStringTable):
2585         * runtime/InitializeThreading.cpp:
2586         (JSC::initializeThreading):
2587         * runtime/JSLock.cpp:
2588         (JSC::JSLock::didAcquireLock):
2589         (JSC::JSLock::willReleaseLock):
2590         (JSC::JSLock::dropAllLocks):
2591         (JSC::JSLock::grabAllLocks):
2592         * runtime/JSLock.h:
2593         * runtime/VM.cpp:
2594         (JSC::VM::VM):
2595         (JSC::VM::updateStackLimits):
2596         (JSC::VM::committedStackByteCount):
2597         * runtime/VM.h:
2598         (JSC::VM::isSafeToRecurse const):
2599         * runtime/VMEntryScope.cpp:
2600         (JSC::VMEntryScope::VMEntryScope):
2601         * runtime/VMInlines.h:
2602         (JSC::VM::ensureStackCapacityFor):
2603         * yarr/YarrPattern.cpp:
2604         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2605
2606 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2607
2608         LLInt should do pointer caging
2609         https://bugs.webkit.org/show_bug.cgi?id=175036
2610
2611         Reviewed by Keith Miller.
2612
2613         Implementing this in the LLInt was challenging because offlineasm did not previously know
2614         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2615         to be where the Gigacage is enabled right now.
2616
2617         * llint/LLIntOfflineAsmConfig.h:
2618         * llint/LowLevelInterpreter64.asm:
2619         * offlineasm/ast.rb:
2620         * offlineasm/x86.rb:
2621
2622 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2623
2624         Sweeping should only scribble when sweeping to free list
2625         https://bugs.webkit.org/show_bug.cgi?id=175105
2626
2627         Reviewed by Saam Barati.
2628         
2629         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2630         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2631         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2632         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2633         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2634         when it doesn't matter anyway because we're building a free list.
2635         
2636         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2637         zap.
2638
2639         * heap/MarkedBlockInlines.h:
2640         (JSC::MarkedBlock::Handle::specializedSweep):
2641
2642 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2643
2644         All C++ accesses to JSObject::m_butterfly should do caging
2645         https://bugs.webkit.org/show_bug.cgi?id=175039
2646
2647         Reviewed by Keith Miller.
2648         
2649         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2650         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2651         outside the gigacage.
2652
2653         * runtime/JSArray.cpp:
2654         (JSC::JSArray::setLength):
2655         (JSC::JSArray::pop):
2656         (JSC::JSArray::push):
2657         (JSC::JSArray::shiftCountWithAnyIndexingType):
2658         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2659         (JSC::JSArray::fillArgList):
2660         (JSC::JSArray::copyToArguments):
2661         * runtime/JSObject.cpp:
2662         (JSC::JSObject::heapSnapshot):
2663         (JSC::JSObject::createInitialIndexedStorage):
2664         (JSC::JSObject::createArrayStorage):
2665         (JSC::JSObject::convertUndecidedToInt32):
2666         (JSC::JSObject::convertUndecidedToDouble):
2667         (JSC::JSObject::convertUndecidedToContiguous):
2668         (JSC::JSObject::convertInt32ToDouble):
2669         (JSC::JSObject::convertInt32ToArrayStorage):
2670         (JSC::JSObject::convertDoubleToContiguous):
2671         (JSC::JSObject::convertDoubleToArrayStorage):
2672         (JSC::JSObject::convertContiguousToArrayStorage):
2673         (JSC::JSObject::defineOwnIndexedProperty):
2674         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2675         (JSC::JSObject::ensureLengthSlow):
2676         (JSC::JSObject::allocateMoreOutOfLineStorage):
2677         * runtime/JSObject.h:
2678         (JSC::JSObject::canGetIndexQuickly):
2679         (JSC::JSObject::getIndexQuickly):
2680         (JSC::JSObject::tryGetIndexQuickly const):
2681         (JSC::JSObject::canSetIndexQuickly):
2682         (JSC::JSObject::setIndexQuickly):
2683         (JSC::JSObject::initializeIndex):
2684         (JSC::JSObject::initializeIndexWithoutBarrier):
2685         (JSC::JSObject::butterfly const):
2686         (JSC::JSObject::butterfly):
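
        The masking that the CagedPtr<> API performs, as an added example that is not JSC's or bmalloc's own
        code: a toy cage whose base is aligned to its size, so that base + (ptr & mask) leaves in-cage pointers
        unchanged and forces any other bit pattern back inside the region. The 1 MiB cage size, the Cage struct,
        ObjectWithStorage and the helper functions are all constructed for this illustration.

```cpp
// Added example (not JSC's own code): a toy cage illustrating the masking that
// CagedPtr<> applies to JSObject::m_butterfly. Cage size, the Cage struct and
// the helper functions below are constructed for this illustration.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <iostream>

namespace toy_cage {

// Real Gigacage regions are multi-GB; 1 MiB keeps the demo cheap. The base is
// aligned to kCageSize, which is what makes "base + (ptr & mask)" valid.
constexpr std::size_t kCageSize = std::size_t(1) << 20;
constexpr std::uintptr_t kCageMask = kCageSize - 1;

struct Cage {
    void* base = nullptr; // start of the region, aligned to kCageSize
    std::size_t used = 0; // bump-allocation cursor

    Cage()
    {
        if (posix_memalign(&base, kCageSize, kCageSize) != 0)
            base = nullptr;
        assert(base && (reinterpret_cast<std::uintptr_t>(base) & kCageMask) == 0);
    }
    ~Cage() { std::free(base); }
    Cage(const Cage&) = delete;
    Cage& operator=(const Cage&) = delete;

    // Hands out storage inside the cage, the way auxiliary (butterfly) memory
    // is carved out of the gigacage.
    void* allocate(std::size_t bytes)
    {
        assert(used + bytes <= kCageSize);
        void* p = static_cast<char*>(base) + used;
        used += bytes;
        return p;
    }
};

// The caging step: keep only the in-cage offset bits of ptr and rebase them.
// An in-cage pointer maps to itself; any other bit pattern lands inside the
// cage rather than wherever it pointed.
template<typename T>
T* caged(const Cage& cage, T* ptr)
{
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(cage.base);
    std::uintptr_t offset = reinterpret_cast<std::uintptr_t>(ptr) & kCageMask;
    return reinterpret_cast<T*>(base + offset);
}

// Mirrors the shape of JSObject::m_butterfly after this change: the field holds
// raw bits, and every C++ access goes through the caged accessor.
struct ObjectWithStorage {
    const Cage* cage;
    std::uint64_t* rawStorage;
    std::uint64_t* storage() const { return caged(*cage, rawStorage); }
};

// True when a pointer allocated inside the cage is returned unchanged.
bool inCagePointerIsUnchanged()
{
    Cage cage;
    auto* p = static_cast<std::uint64_t*>(cage.allocate(64));
    ObjectWithStorage object { &cage, p };
    return object.storage() == p;
}

// Offset (from the cage base) that a field holding base + delta is redirected
// to. For delta within the cage this is delta itself; for a corrupted value
// pointing past the region it is delta mod kCageSize.
std::size_t cagedOffsetOfCorruptedPointer(std::uintptr_t delta)
{
    Cage cage;
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(cage.base);
    ObjectWithStorage object { &cage, reinterpret_cast<std::uint64_t*>(base + delta) };
    return reinterpret_cast<std::uintptr_t>(object.storage()) - base;
}

// True when a pointer outside the cage is redirected to land inside it.
bool outOfCagePointerIsContained()
{
    std::size_t offset = cagedOffsetOfCorruptedPointer(kCageSize + 0x40);
    return offset < kCageSize;
}

} // namespace toy_cage

int main()
{
    std::cout << "in-cage pointer unchanged: " << toy_cage::inCagePointerIsUnchanged() << '\n'
              << "offset for base + cage + 0x40: 0x" << std::hex
              << toy_cage::cagedOffsetOfCorruptedPointer(toy_cage::kCageSize + 0x40) << '\n';
    return 0;
}
```

        The masking does not detect corruption; it only bounds where a corrupted field can point, which is the
        property the entry above relies on.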
2687
2688 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2689
2690         We should be OK with the gigacage being disabled on gmalloc
2691         https://bugs.webkit.org/show_bug.cgi?id=175082
2692
2693         Reviewed by Michael Saboff.
2694
2695         * jsc.cpp:
2696         (jscmain):
2697
2698 2017-08-02  Saam Barati  <sbarati@apple.com>
2699
2700         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2701         https://bugs.webkit.org/show_bug.cgi?id=175041
2702         <rdar://problem/33659370>
2703
2704         Reviewed by Filip Pizlo.
2705
2706         The testing I have done shows that this new function is a ~10%
2707         progression running JetStream on 1GB iOS devices. I've also tried
2708         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2709         or a regression. Right now, we'll just enable this for <= 1GB devices
2710         since it's a win. In the future, we might want to either look into
2711         tweaking these parameters or coming up with a new function for > 1GB
2712         devices.
2713
2714         * heap/Heap.cpp:
2715         * runtime/Options.h:
2716
2717 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2718
2719         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2720         https://bugs.webkit.org/show_bug.cgi?id=174727
2721
2722         Reviewed by Mark Lam.
2723         
2724         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2725         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2726         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2727         
2728         This is neutral on JetStream.
2729
2730         * CMakeLists.txt:
2731         * JavaScriptCore.xcodeproj/project.pbxproj:
2732         * b3/B3InsertionSet.cpp:
2733         (JSC::B3::InsertionSet::execute):
2734         * dfg/DFGAbstractInterpreterInlines.h:
2735         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2736         * dfg/DFGArgumentsEliminationPhase.cpp:
2737         * dfg/DFGClobberize.cpp:
2738         (JSC::DFG::readsOverlap):
2739         * dfg/DFGClobberize.h:
2740         (JSC::DFG::clobberize):
2741         * dfg/DFGDoesGC.cpp:
2742         (JSC::DFG::doesGC):
2743         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2744         (JSC::DFG::performFixedButterflyAccessUncaging):
2745         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2746         * dfg/DFGFixupPhase.cpp:
2747         (JSC::DFG::FixupPhase::fixupNode):
2748         * dfg/DFGHeapLocation.cpp:
2749         (WTF::printInternal):
2750         * dfg/DFGHeapLocation.h:
2751         * dfg/DFGNodeType.h:
2752         * dfg/DFGPlan.cpp:
2753         (JSC::DFG::Plan::compileInThreadImpl):
2754         * dfg/DFGPredictionPropagationPhase.cpp:
2755         * dfg/DFGSafeToExecute.h:
2756         (JSC::DFG::safeToExecute):
2757         * dfg/DFGSpeculativeJIT.cpp:
2758         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2759         * dfg/DFGSpeculativeJIT32_64.cpp:
2760         (JSC::DFG::SpeculativeJIT::compile):
2761         * dfg/DFGSpeculativeJIT64.cpp:
2762         (JSC::DFG::SpeculativeJIT::compile):
2763         * dfg/DFGTypeCheckHoistingPhase.cpp:
2764         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2765         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2766         * ftl/FTLCapabilities.cpp:
2767         (JSC::FTL::canCompile):
2768         * ftl/FTLLowerDFGToB3.cpp:
2769         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2770         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2771         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2772         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2773         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2774         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2775         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2776         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2777         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2778         (JSC::FTL::DFG::LowerDFGToB3::caged):
2779         * heap/GigacageSubspace.cpp: Added.
2780         (JSC::GigacageSubspace::GigacageSubspace):
2781         (JSC::GigacageSubspace::~GigacageSubspace):
2782         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2783         (JSC::GigacageSubspace::freeAlignedMemory):
2784         (JSC::GigacageSubspace::canTradeBlocksWith):
2785         * heap/GigacageSubspace.h: Added.
2786         * heap/Heap.cpp:
2787         (JSC::Heap::Heap):
2788         (JSC::Heap::lastChanceToFinalize):
2789         (JSC::Heap::finalize):
2790         (JSC::Heap::sweepInFinalize):
2791         (JSC::Heap::updateAllocationLimits):
2792         (JSC::Heap::shouldDoFullCollection):
2793         (JSC::Heap::collectIfNecessaryOrDefer):
2794         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2795         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2796         (JSC::Heap::sweepLargeAllocations): Deleted.
2797         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2798         * heap/Heap.h:
2799         * heap/LargeAllocation.cpp:
2800         (JSC::LargeAllocation::tryCreate):
2801         (JSC::LargeAllocation::destroy):
2802         * heap/MarkedAllocator.cpp:
2803         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2804         (JSC::MarkedAllocator::tryAllocateBlock):
2805         * heap/MarkedBlock.cpp:
2806         (JSC::MarkedBlock::tryCreate):
2807         (JSC::MarkedBlock::Handle::Handle):
2808         (JSC::MarkedBlock::Handle::~Handle):
2809         (JSC::MarkedBlock::Handle::didAddToAllocator):
2810         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2811         * heap/MarkedBlock.h:
2812         (JSC::MarkedBlock::Handle::subspace const):
2813         * heap/MarkedSpace.cpp:
2814         (JSC::MarkedSpace::~MarkedSpace):
2815         (JSC::MarkedSpace::freeMemory):
2816         (JSC::MarkedSpace::prepareForAllocation):
2817         (JSC::MarkedSpace::addMarkedAllocator):
2818         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2819         * heap/MarkedSpace.h:
2820         (JSC::MarkedSpace::firstAllocator const):
2821         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2822         * heap/Subspace.cpp:
2823         (JSC::Subspace::Subspace):
2824         (JSC::Subspace::canTradeBlocksWith):
2825         (JSC::Subspace::tryAllocateAlignedMemory):
2826         (JSC::Subspace::freeAlignedMemory):
2827         (JSC::Subspace::prepareForAllocation):
2828         (JSC::Subspace::findEmptyBlockToSteal):
2829         * heap/Subspace.h:
2830         (JSC::Subspace::didCreateFirstAllocator):
2831         * heap/SubspaceInlines.h:
2832         (JSC::Subspace::forEachAllocator):
2833         (JSC::Subspace::forEachMarkedBlock):
2834         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2835         * jit/JITPropertyAccess.cpp:
2836         (JSC::JIT::emitDoubleLoad):
2837         (JSC::JIT::emitContiguousLoad):
2838         (JSC::JIT::emitArrayStorageLoad):
2839         (JSC::JIT::emitGenericContiguousPutByVal):
2840         (JSC::JIT::emitArrayStoragePutByVal):
2841         (JSC::JIT::emit_op_get_from_scope):
2842         (JSC::JIT::emit_op_put_to_scope):
2843         (JSC::JIT::emitIntTypedArrayGetByVal):
2844         (JSC::JIT::emitFloatTypedArrayGetByVal):
2845         (JSC::JIT::emitIntTypedArrayPutByVal):
2846         (JSC::JIT::emitFloatTypedArrayPutByVal):
2847         * jsc.cpp:
2848         (fillBufferWithContentsOfFile):
2849         (functionReadFile):
2850         (gigacageDisabled):
2851         (jscmain):
2852         * llint/LowLevelInterpreter64.asm:
2853         * runtime/ArrayBuffer.cpp:
2854         (JSC::ArrayBufferContents::tryAllocate):
2855         (JSC::ArrayBuffer::createAdopted):
2856         (JSC::ArrayBuffer::createFromBytes):
2857         (JSC::ArrayBuffer::tryCreate):
2858         * runtime/IndexingHeader.h:
2859         * runtime/InitializeThreading.cpp:
2860         (JSC::initializeThreading):
2861         * runtime/JSArrayBuffer.cpp:
2862         * runtime/JSArrayBufferView.cpp:
2863         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2864         (JSC::JSArrayBufferView::finalize):
2865         * runtime/JSLock.cpp:
2866         (JSC::JSLock::didAcquireLock):
2867         * runtime/JSObject.h:
2868         * runtime/Options.cpp:
2869         (JSC::recomputeDependentOptions):
2870         * runtime/Options.h:
2871         * runtime/ScopedArgumentsTable.h:
2872         * runtime/VM.cpp:
2873         (JSC::VM::VM):
2874         (JSC::VM::~VM):
2875         (JSC::VM::gigacageDisabledCallback):
2876         (JSC::VM::gigacageDisabled):
2877         * runtime/VM.h:
2878         (JSC::VM::fireGigacageEnabledIfNecessary):
2879         (JSC::VM::gigacageEnabled):
2880         * wasm/WasmB3IRGenerator.cpp:
2881         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2882         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2883         * wasm/WasmCodeBlock.cpp:
2884         (JSC::Wasm::CodeBlock::isSafeToRun):
2885         * wasm/WasmMemory.cpp:
2886         (JSC::Wasm::makeString):
2887         (JSC::Wasm::Memory::create):
2888         (JSC::Wasm::Memory::~Memory):
2889         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2890         (JSC::Wasm::Memory::grow):
2891         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2892         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2893         * wasm/WasmMemory.h:
2894         * wasm/js/JSWebAssemblyInstance.cpp:
2895         (JSC::JSWebAssemblyInstance::create):
2896         * wasm/js/JSWebAssemblyMemory.cpp:
2897         (JSC::JSWebAssemblyMemory::grow):
2898         (JSC::JSWebAssemblyMemory::finishCreation):
2899         * wasm/js/JSWebAssemblyMemory.h:
2900         (JSC::JSWebAssemblyMemory::subspaceFor):
2901
2902 2017-07-31  Mark Lam  <mark.lam@apple.com>
2903
2904         Added some UNLIKELYs to operationOptimize().
2905         https://bugs.webkit.org/show_bug.cgi?id=174976
2906
2907         Reviewed by JF Bastien.
2908
2909         * jit/JITOperations.cpp:
2910
2911 2017-07-31  Keith Miller  <keith_miller@apple.com>
2912
2913         Make more things LLInt constexprs
2914         https://bugs.webkit.org/show_bug.cgi?id=174994
2915
2916         Reviewed by Saam Barati.
2917
2918         This patch makes more const values in the LLInt constexprs.
2919         It also deletes all of the no longer necessary static_asserts in
2920         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2921
2922         * interpreter/ShadowChicken.h:
2923         (JSC::ShadowChicken::Packet::tailMarker):
2924         * llint/LLIntData.cpp:
2925         (JSC::LLInt::Data::performAssertions):
2926         * llint/LowLevelInterpreter.asm:
2927         * offlineasm/generate_offset_extractor.rb:
2928         * offlineasm/parser.rb:
2929
2930 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2931
2932         Unreviewed, rolling out r220060.
2933
2934         This broke our internal builds. Contact reviewer of patch for
2935         more information.
2936
2937         Reverted changeset:
2938
2939         "Merge WTFThreadData to Thread::current"
2940         https://bugs.webkit.org/show_bug.cgi?id=174716
2941         http://trac.webkit.org/changeset/220060
2942
2943 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2944
2945         [JSC] Support optional catch binding
2946         https://bugs.webkit.org/show_bug.cgi?id=174981
2947
2948         Reviewed by Saam Barati.
2949
2950         This patch implements the optional catch binding proposal [1], which is now at stage 3.
2951         This proposal adds a new `catch` brace with no error value binding.
2952
2953             ```
2954                 try {
2955                     ...
2956                 } catch {
2957                     ...
2958                 }
2959             ```
2960
2961         Sometimes we do not actually need to get the error value. For example, a function may
2962         return a boolean that indicates whether it succeeded.
2963
2964             ```
2965             function parse(result) // -> bool
2966             {
2967                  try {
2968                      parseInner(result);
2969                  } catch {
2970                      return false;
2971                  }
2972                  return true;
2973             }
2974             ```
2975
2976         In the above case, we are not interested in the actual error value. Without this syntax,
2977         we always need to introduce a binding for an error value that is just ignored.
2978
2979         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2980
2981         * bytecompiler/NodesCodegen.cpp:
2982         (JSC::TryNode::emitBytecode):
2983         * parser/Parser.cpp:
2984         (JSC::Parser<LexerType>::parseTryStatement):
2985
2986 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2987
2988         Merge WTFThreadData to Thread::current
2989         https://bugs.webkit.org/show_bug.cgi?id=174716
2990
2991         Reviewed by Sam Weinig.
2992
2993         Use Thread::current() instead.
2994
2995         * API/JSContext.mm:
2996         (+[JSContext currentContext]):
2997         (+[JSContext currentThis]):
2998         (+[JSContext currentCallee]):
2999         (+[JSContext currentArguments]):
3000         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
3001         (-[JSContext endCallbackWithData:]):
3002         * heap/Heap.cpp:
3003         (JSC::Heap::requestCollection):
3004         * runtime/Completion.cpp:
3005         (JSC::checkSyntax):
3006         (JSC::checkModuleSyntax):
3007         (JSC::evaluate):
3008         (JSC::loadAndEvaluateModule):
3009         (JSC::loadModule):
3010         (JSC::linkAndEvaluateModule):
3011         (JSC::importModule):
3012         * runtime/Identifier.cpp:
3013         (JSC::Identifier::checkCurrentAtomicStringTable):
3014         * runtime/InitializeThreading.cpp:
3015         (JSC::initializeThreading):
3016         * runtime/JSLock.cpp:
3017         (JSC::JSLock::didAcquireLock):
3018         (JSC::JSLock::willReleaseLock):
3019         (JSC::JSLock::dropAllLocks):
3020         (JSC::JSLock::grabAllLocks):
3021         * runtime/JSLock.h:
3022         * runtime/VM.cpp:
3023         (JSC::VM::VM):
3024         (JSC::VM::updateStackLimits):
3025         (JSC::VM::committedStackByteCount):
3026         * runtime/VM.h:
3027         (JSC::VM::isSafeToRecurse const):
3028         * runtime/VMEntryScope.cpp:
3029         (JSC::VMEntryScope::VMEntryScope):
3030         * runtime/VMInlines.h:
3031         (JSC::VM::ensureStackCapacityFor):
3032         * yarr/YarrPattern.cpp:
3033         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
3034
3035 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3036
3037         [WTF] Introduce Private Symbols
3038         https://bugs.webkit.org/show_bug.cgi?id=174935
3039
3040         Reviewed by Darin Adler.
3041
3042         Use SymbolImpl::isPrivate().
3043
3044         * builtins/BuiltinNames.cpp:
3045         * builtins/BuiltinNames.h:
3046         (JSC::BuiltinNames::isPrivateName): Deleted.
3047         * builtins/BuiltinUtils.h:
3048         * bytecode/BytecodeIntrinsicRegistry.cpp:
3049         (JSC::BytecodeIntrinsicRegistry::lookup):
3050         * runtime/CommonIdentifiers.cpp:
3051         (JSC::CommonIdentifiers::isPrivateName): Deleted.
3052         * runtime/CommonIdentifiers.h:
3053         * runtime/ExceptionHelpers.cpp:
3054         (JSC::createUndefinedVariableError):
3055         * runtime/Identifier.h:
3056         (JSC::Identifier::isPrivateName):
3057         * runtime/IdentifierInlines.h:
3058         (JSC::identifierToSafePublicJSValue):
3059         * runtime/ObjectConstructor.cpp:
3060         (JSC::objectConstructorAssign):
3061         (JSC::defineProperties):
3062         (JSC::setIntegrityLevel):
3063         (JSC::testIntegrityLevel):
3064         (JSC::ownPropertyKeys):
3065         * runtime/PrivateName.h:
3066         (JSC::PrivateName::PrivateName):
3067         * runtime/PropertyName.h:
3068         (JSC::PropertyName::isPrivateName):
3069         * runtime/ProxyObject.cpp:
3070         (JSC::performProxyGet):
3071         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3072         (JSC::ProxyObject::performHasProperty):
3073         (JSC::ProxyObject::performPut):
3074         (JSC::ProxyObject::performDelete):
3075         (JSC::ProxyObject::performDefineOwnProperty):
3076
3077 2017-07-29  Keith Miller  <keith_miller@apple.com>
3078
3079         LLInt offsets extractor should be able to handle C++ constexprs
3080         https://bugs.webkit.org/show_bug.cgi?id=174964
3081
3082         Reviewed by Saam Barati.
3083
3084         This patch adds new syntax to the offline asm language. The new keyword,
3085         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
3086         expression. Additionally, if the value is not an identifier you can wrap it in
3087         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
3088         which will get converted into:
3089         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
3090
3091         This patch also changes the data format the LLIntOffsetsExtractor
3092         binary produces.  Previously, it would produce unsigned values;
3093         after this patch every value is an int64_t.  Using an int64_t is
3094         useful because it means that we can represent any constant needed.
3095         int32_t masks are sign extended, then passed and converted to a
3096         negative literal string in the assembler so they will be the constant
3097         expected.
3098
3099         * llint/LLIntOffsetsExtractor.cpp:
3100         (JSC::LLIntOffsetsExtractor::dummy):
3101         * llint/LowLevelInterpreter.asm:
3102         * llint/LowLevelInterpreter64.asm:
3103         * offlineasm/asm.rb:
3104         * offlineasm/ast.rb:
3105         * offlineasm/generate_offset_extractor.rb:
3106         * offlineasm/offsets.rb:
3107         * offlineasm/parser.rb:
3108         * offlineasm/transform.rb:
3109
3110 2017-07-28  Matt Baker  <mattbaker@apple.com>
3111
3112         Web Inspector: capture an async stack trace when web content calls addEventListener
3113         https://bugs.webkit.org/show_bug.cgi?id=174739
3114         <rdar://problem/33468197>
3115
3116         Reviewed by Brian Burg.
3117
3118         Allow debugger agents to perform custom logic when asynchronous stack
3119         trace data is cleared. For example, the PageDebuggerAgent would clear
3120         its list of registered listeners for which call stacks have been recorded.
3121
3122         * inspector/agents/InspectorDebuggerAgent.cpp:
3123         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3124         * inspector/agents/InspectorDebuggerAgent.h:
3125
3126 2017-07-28  Mark Lam  <mark.lam@apple.com>
3127
3128         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3129         https://bugs.webkit.org/show_bug.cgi?id=174948
3130         <rdar://problem/33495680>
3131
3132         Reviewed by Filip Pizlo.
3133
3134         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3135         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3136         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3137         requests to fire this watchpoint.
3138
3139         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3140         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3141         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3142
3143         But since the watchpoint hasn't been destructed yet, it still remains on the
3144         WatchpointSet and needs to guard against being fired in this state.  The fix is
3145         to simply return early if its owner StructureRareData is not live.  This has the
3146         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3147         not firing as we would expect.
3148
3149         This patch also removes some cargo cult copying of watchpoint code which
3150         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3151         used.  This patch removes these unnecessary instantiations.
3152
3153         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3154         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3155         * runtime/StructureRareData.cpp:
3156         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3157         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3158
3159 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3160
3161         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3162         https://bugs.webkit.org/show_bug.cgi?id=174900
3163
3164         Reviewed by Saam Barati.
3165
3166         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
3167         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
3168         The problem is that the transforming phase also checks these pseudo terminals.
3169
3170             BB1
3171             1: ForceOSRExit
3172             2: CreateDirectArguments
3173
3174             BB2
3175             3: GetButterfly(@2)
3176             4: ForceOSRExit
3177
3178         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
3179
3180         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
3181
3182         * dfg/DFGArgumentsEliminationPhase.cpp:
3183
3184 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3185
3186         [ES] Add support finally to Promise
3187         https://bugs.webkit.org/show_bug.cgi?id=174503
3188
3189         Reviewed by Yusuke Suzuki.
3190
3191         Add support for the `finally` method to Promise, according to
3192         https://bugs.webkit.org/show_bug.cgi?id=174503
3193         Current spec, at stage 3:
3194         https://github.com/tc39/proposal-promise-finally
3195
3196         * builtins/PromisePrototype.js:
3197         (finally):
3198         (const.valueThunk):
3199         (globalPrivate.getThenFinally):
3200         (const.thrower):
3201         (globalPrivate.getCatchFinally):
3202         * runtime/JSPromisePrototype.cpp:
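
        The shape of the `finally` builtin listed above (valueThunk, thrower, getThenFinally,
        getCatchFinally), written out as a plain-JavaScript added example for illustration. This is
        not JavaScriptCore's PromisePrototype.js; the function and helper names, and the use of the
        global Promise in place of the spec's species constructor, are assumptions of this example.

```javascript
// Added example: Promise.prototype.finally implemented with the helper roles
// the proposal describes. Not JavaScriptCore's builtin; names are assumptions.

// Returns a function that ignores its argument and yields the saved value.
function valueThunk(value) {
  return () => value;
}

// Returns a function that ignores its argument and rethrows the saved reason.
function thrower(reason) {
  return () => { throw reason; };
}

// Fulfilment handler: run onFinally with no argument, wait for whatever it
// returns, then pass the original fulfilment value through unchanged.
function getThenFinally(onFinally, C) {
  return (value) => {
    const result = onFinally();
    return C.resolve(result).then(valueThunk(value));
  };
}

// Rejection handler: run onFinally, wait for its result, then rethrow the
// original reason so the rejection is preserved.
function getCatchFinally(onFinally, C) {
  return (reason) => {
    const result = onFinally();
    return C.resolve(result).then(thrower(reason));
  };
}

// finally(onFinally): a non-callable onFinally is passed straight to then(),
// exactly like then(undefined, undefined). C is assumed to be the global
// Promise here; the spec uses SpeciesConstructor(promise, %Promise%).
function promiseFinally(promise, onFinally) {
  const C = Promise;
  if (typeof onFinally !== 'function')
    return promise.then(onFinally, onFinally);
  return promise.then(getThenFinally(onFinally, C), getCatchFinally(onFinally, C));
}

// Usage: the value 42 passes through, and onFinally observes no argument.
const demo = promiseFinally(Promise.resolve(42), () => { /* cleanup */ });
demo.then((v) => console.log('fulfilled with', v));
```

        Note that onFinally's return value is awaited but otherwise discarded: only a throw (or a
        rejected promise) from onFinally can replace the original outcome.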
3203
3204 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3205
3206         Unreviewed, build fix for CLoop
3207         https://bugs.webkit.org/show_bug.cgi?id=171637
3208
3209         * domjit/DOMJITGetterSetter.h:
3210
3211 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3212
3213         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3214         https://bugs.webkit.org/show_bug.cgi?id=171637
3215
3216         Reviewed by Darin Adler.
3217
3218         Each DOM attribute getter has code to perform the ClassInfo check. But it is largely duplicated and causes code bloat.
3219         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
3220
3221         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
3222         DOMJIT::GetterSetter is nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
3223
3224         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
3225         the op_get_by_id_with_this case yet.
3226         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
3227
3228         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds the DOMAnnotation and performs the
3229         ClassInfo check.
3230
3231         * CMakeLists.txt:
3232         * JavaScriptCore.xcodeproj/project.pbxproj:
3233         * bytecode/AccessCase.cpp:
3234         (JSC::AccessCase::generateImpl):
3235         * bytecode/GetByIdStatus.cpp:
3236         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3237         * bytecode/GetByIdVariant.cpp:
3238         (JSC::GetByIdVariant::GetByIdVariant):
3239         (JSC::GetByIdVariant::operator=):
3240         (JSC::GetByIdVariant::attemptToMerge):
3241         (JSC::GetByIdVariant::dumpInContext):
3242         * bytecode/GetByIdVariant.h:
3243         (JSC::GetByIdVariant::customAccessorGetter):
3244         (JSC::GetByIdVariant::domAttribute):
3245         (JSC::GetByIdVariant::domJIT): Deleted.
3246         * bytecode/GetterSetterAccessCase.cpp:
3247         (JSC::GetterSetterAccessCase::create):
3248         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3249         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3250         * bytecode/GetterSetterAccessCase.h:
3251         (JSC::GetterSetterAccessCase::domAttribute):
3252         (JSC::GetterSetterAccessCase::customAccessor):
3253         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3254         * bytecompiler/BytecodeGenerator.cpp:
3255         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3256         * create_hash_table:
3257         * dfg/DFGAbstractInterpreterInlines.h:
3258         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3259         * dfg/DFGByteCodeParser.cpp:
3260         (JSC::DFG::blessCallDOMGetter):
3261         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3262         (JSC::DFG::ByteCodeParser::handleGetById):
3263         * dfg/DFGClobberize.h:
3264         (JSC::DFG::clobberize):
3265         * dfg/DFGFixupPhase.cpp:
3266         (JSC::DFG::FixupPhase::fixupNode):
3267         * dfg/DFGNode.h:
3268         * dfg/DFGSpeculativeJIT.cpp:
3269         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3270         * dfg/DFGSpeculativeJIT.h:
3271         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3272         * domjit/DOMJITGetterSetter.h:
3273         (JSC::DOMJIT::GetterSetter::GetterSetter):
3274         (JSC::DOMJIT::GetterSetter::getter):
3275         (JSC::DOMJIT::GetterSetter::compiler):
3276         (JSC::DOMJIT::GetterSetter::resultType):
3277         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3278         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3279         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3280         * ftl/FTLLowerDFGToB3.cpp:
3281         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3282         * jit/Repatch.cpp:
3283         (JSC::tryCacheGetByID):
3284         * jsc.cpp:
3285         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3286         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3287         (WTF::DOMJITGetter::customGetter):
3288         (WTF::DOMJITGetter::finishCreation):
3289         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3290         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3291         (WTF::DOMJITGetterComplex::customGetter):
3292         (WTF::DOMJITGetterComplex::finishCreation):
3293         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3294         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3295         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3296         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3297         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3298         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3299         * runtime/CustomGetterSetter.h:
3300         (JSC::CustomGetterSetter::create):
3301         (JSC::CustomGetterSetter::setter):
3302         (JSC::CustomGetterSetter::CustomGetterSetter):
3303         (): Deleted.
3304         * runtime/DOMAnnotation.h: Added.
3305         (JSC::operator==):
3306         (JSC::operator!=):
3307         * runtime/DOMAttributeGetterSetter.cpp: Added.
3308         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3309         (JSC::isDOMAttributeGetterSetter):
3310         * runtime/Error.cpp:
3311         (JSC::throwDOMAttributeGetterTypeError):
3312         * runtime/Error.h:
3313         (JSC::throwVMDOMAttributeGetterTypeError):
3314         * runtime/JSCustomGetterSetterFunction.cpp:
3315         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3316         * runtime/JSObject.cpp:
3317         (JSC::JSObject::putInlineSlow):
3318         (JSC::JSObject::deleteProperty):
3319         (JSC::JSObject::getOwnStaticPropertySlot):
3320         (JSC::JSObject::reifyAllStaticProperties):
3321         (JSC::JSObject::fillGetterPropertySlot):
3322         (JSC::JSObject::findPropertyHashEntry): Deleted.
3323         * runtime/JSObject.h:
3324         (JSC::JSObject::getOwnNonIndexPropertySlot):
3325         (JSC::JSObject::fillCustomGetterPropertySlot):
3326         * runtime/Lookup.cpp:
3327         (JSC::setUpStaticFunctionSlot):
3328         * runtime/Lookup.h:
3329         (JSC::HashTableValue::domJIT):
3330         (JSC::getStaticPropertySlotFromTable):
3331         (JSC::putEntry):
3332         (JSC::lookupPut):
3333         (JSC::reifyStaticProperty):
3334         (JSC::reifyStaticProperties):
3335         Each static property table has a new field ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
3336         this static property table require.
3337
3338         * runtime/ProgramExecutable.cpp:
3339         (JSC::ProgramExecutable::initializeGlobalProperties):
3340         * runtime/PropertyName.h:
3341         * runtime/PropertySlot.cpp:
3342         (JSC::PropertySlot::customGetter):
3343         (JSC::PropertySlot::customAccessorGetter):
3344         * runtime/PropertySlot.h:
3345         (JSC::PropertySlot::domAttribute):
3346         (JSC::PropertySlot::setCustom):
3347         (JSC::PropertySlot::setCacheableCustom):
3348         (JSC::PropertySlot::getValue):
3349         (JSC::PropertySlot::domJIT): Deleted.
3350         * runtime/VM.cpp:
3351         (JSC::VM::VM):
3352         * runtime/VM.h:
3353
3354 2017-07-26  Devin Rousso  <drousso@apple.com>
3355
3356         Web Inspector: create protocol for recording Canvas contexts
3357         https://bugs.webkit.org/show_bug.cgi?id=174481
3358
3359         Reviewed by Joseph Pecoraro.
3360
3361         * inspector/protocol/Canvas.json:
3362          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3363          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3364          - Add `recordingFinished` event that is fired once a recording is finished.
3365
3366         * CMakeLists.txt:
3367         * DerivedSources.make:
3368         * inspector/protocol/Recording.json: Added.
3369          - Add `Type` enum that lists the types of recordings
3370          - Add `InitialState` type that contains information about the canvas context at the
3371            beginning of the recording.
3372          - Add `Frame` type that holds a list of actions that were recorded.
3373          - Add `Recording` type as the container object of recording data.
3374
3375         * inspector/scripts/codegen/generate_js_backend_commands.py:
3376         (JSBackendCommandsGenerator.generate_domain):
3377         Create an agent for domains with no events or commands.
3378
3379         * inspector/InspectorValues.h:
3380         Make Array `get` public so that values can be retrieved if needed.
3381
3382 2017-07-26  Brian Burg  <bburg@apple.com>
3383
3384         Remove WEB_TIMING feature flag
3385         https://bugs.webkit.org/show_bug.cgi?id=174795
3386
3387         Reviewed by Alex Christensen.
3388
3389         * Configurations/FeatureDefines.xcconfig:
3390
3391 2017-07-26  Mark Lam  <mark.lam@apple.com>
3392
3393         Add the ability to change sp and pc to the ARM64 JIT probe.
3394         https://bugs.webkit.org/show_bug.cgi?id=174697
3395         <rdar://problem/33436965>
3396
3397         Reviewed by JF Bastien.
3398
3399         This patch implements the following:
3400
3401         1. The ARM64 probe now supports modifying the pc and sp.
3402
3403            However, lr is not preserved when modifying the pc because it is used as the
3404            scratch register for the indirect jump. Hence, the probe handler function
3405            may not modify both lr and pc in the same probe invocation.
3406
3407         2. Fix probe tests to use bitwise comparison when comparing double register
3408            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
3409
3410         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
3411            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
3412            instructions which require 16 byte alignment for their memory access.
3413
3414         * assembler/MacroAssemblerARM64.cpp:
3415         (JSC::arm64ProbeError):
3416         (JSC::MacroAssembler::probe):
3417         (JSC::arm64ProbeTrampoline): Deleted.
3418         * assembler/testmasm.cpp:
3419         (JSC::isSpecialGPR):
3420         (JSC::testProbeReadsArgumentRegisters):
3421         (JSC::testProbeWritesArgumentRegisters):
3422         (JSC::testProbePreservesGPRS):
3423         (JSC::testProbeModifiesStackPointer):
3424         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3425         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3426
3427 2017-07-25  JF Bastien  <jfbastien@apple.com>
3428
3429         WebAssembly: generate smaller binaries
3430         https://bugs.webkit.org/show_bug.cgi?id=174818
3431
3432         Reviewed by Filip Pizlo.
3433
3434         This patch reduces generated code size for WebAssembly in 2 ways:
3435
3436         1. Use the ZR register when storing zero on ARM64.
3437         2. Synthesize wasm context lazily.
3438
3439         This leads to a modest size reduction on both x86-64 and ARM64 for
3440         large WebAssembly games, without any performance loss on WasmBench
3441         and TitzerBench.
3442
3443         The reason this works is that these games, using Emscripten,
3444         generate 100k+ tiny functions, and our JIT allocation granule
3445         rounds all allocations up to 32 bytes. There are plenty of other
3446         simple gains to be had, I've filed a follow-up bug at
3447         webkit.org/b/174819
3448
3449         We should further avoid the per-function cost of tiering, which
3450         represents the bulk of code generated for small functions.
3451
3452         * assembler/MacroAssemblerARM64.h:
3453         (JSC::MacroAssemblerARM64::storeZero64):
3454         * assembler/MacroAssemblerX86_64.h:
3455         (JSC::MacroAssemblerX86_64::storeZero64):
3456         * b3/B3LowerToAir.cpp:
3457         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
3458         for x86 because it constrains register reuse and codegen in a way
3459         that doesn't affect ARM64 because it has a dedicated zero
3460         register.
3461         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
3462         * wasm/WasmB3IRGenerator.cpp:
3463         (JSC::Wasm::B3IRGenerator::instanceValue):
3464         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
3465         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3466         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
3467
3468 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
3469
3470         B3 should do LICM
3471         https://bugs.webkit.org/show_bug.cgi?id=174750
3472
3473         Reviewed by Keith Miller and Saam Barati.
3474         
3475         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
3476         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
3477         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
3478         change templatizes DFG::NaturalLoops so that we can just use it.
3479         
3480         The LICM phase itself is really simple. We are decently precise with our handling of everything except
3481         the relationship between control dependence and side exits.
3482         
3483         Also added a bunch of tests.
3484         
3485         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
3486         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
3487         so it doesn't hurt to have it.
3488         
3489         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
3490         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
3491         it's good to have it because LICM is one of those core compiler phases; every compiler has it
3492         eventually.
3493
3494         * CMakeLists.txt:
3495         * JavaScriptCore.xcodeproj/project.pbxproj:
3496         * b3/B3BackwardsCFG.h: Added.
3497         (JSC::B3::BackwardsCFG::BackwardsCFG):
3498         * b3/B3BackwardsDominators.h: Added.
3499         (JSC::B3::BackwardsDominators::BackwardsDominators):
3500         * b3/B3BasicBlock.cpp:
3501         (JSC::B3::BasicBlock::appendNonTerminal):
3502         * b3/B3Effects.h:
3503         * b3/B3EnsureLoopPreHeaders.cpp: Added.
3504         (JSC::B3::ensureLoopPreHeaders):
3505         * b3/B3EnsureLoopPreHeaders.h: Added.
3506         * b3/B3Generate.cpp:
3507         (JSC::B3::generateToAir):
3508         * b3/B3HoistLoopInvariantValues.cpp: Added.
3509         (JSC::B3::hoistLoopInvariantValues):
3510         * b3/B3HoistLoopInvariantValues.h: Added.
3511         * b3/B3NaturalLoops.h: Added.
3512         (JSC::B3::NaturalLoops::NaturalLoops):
3513         * b3/B3Procedure.cpp:
3514         (JSC::B3::Procedure::invalidateCFG):
3515         (JSC::B3::Procedure::naturalLoops):
3516         (JSC::B3::Procedure::backwardsCFG):
3517         (JSC::B3::Procedure::backwardsDominators):
3518         * b3/B3Procedure.h:
3519         * b3/testb3.cpp:
3520         (JSC::B3::generateLoop):
3521         (JSC::B3::makeArrayForLoops):
3522         (JSC::B3::generateLoopNotBackwardsDominant):
3523         (JSC::B3::oneFunction):
3524         (JSC::B3::noOpFunction):
3525         (JSC::B3::testLICMPure):
3526         (JSC::B3::testLICMPureSideExits):
3527         (JSC::B3::testLICMPureWritesPinned):
3528         (JSC::B3::testLICMPureWrites):
3529         (JSC::B3::testLICMReadsLocalState):
3530         (JSC::B3::testLICMReadsPinned):
3531         (JSC::B3::testLICMReads):
3532         (JSC::B3::testLICMPureNotBackwardsDominant):
3533         (JSC::B3::testLICMPureFoiledByChild):
3534         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
3535         (JSC::B3::testLICMExitsSideways):
3536         (JSC::B3::testLICMWritesLocalState):
3537         (JSC::B3::testLICMWrites):
3538         (JSC::B3::testLICMFence):
3539         (JSC::B3::testLICMWritesPinned):
3540         (JSC::B3::testLICMControlDependent):
3541         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
3542         (JSC::B3::testLICMControlDependentSideExits):
3543         (JSC::B3::testLICMReadsPinnedWritesPinned):
3544         (JSC::B3::testLICMReadsWritesDifferentHeaps):
3545         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
3546         (JSC::B3::testLICMDefaultCall):
3547         (JSC::B3::run):
3548         * dfg/DFGBasicBlock.h:
3549         * dfg/DFGCFG.h:
3550         * dfg/DFGNaturalLoops.cpp: Removed.
3551         * dfg/DFGNaturalLoops.h:
3552         (JSC::DFG::NaturalLoops::NaturalLoops):
3553         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
3554         (JSC::DFG::NaturalLoop::header): Deleted.
3555         (JSC::DFG::NaturalLoop::size): Deleted.
3556         (JSC::DFG::NaturalLoop::at): Deleted.
3557         (JSC::DFG::NaturalLoop::operator[]): Deleted.
3558         (JSC::DFG::NaturalLoop::contains): Deleted.
3559         (JSC::DFG::NaturalLoop::index): Deleted.
3560         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
3561         (JSC::DFG::NaturalLoop::addBlock): Deleted.
3562         (JSC::DFG::NaturalLoops::numLoops): Deleted.
3563         (JSC::DFG::NaturalLoops::loop): Deleted.
3564         (JSC::DFG::NaturalLoops::headerOf): Deleted.
3565         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
3566         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
3567         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
3568         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
3569
3570 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
3571
3572         GC should be fine with trading blocks between destructor and non-destructor blocks
3573         https://bugs.webkit.org/show_bug.cgi?id=174811
3574
3575         Reviewed by Mark Lam.
3576         
3577         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
3578         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
3579         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
3580         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
3581         set.
3582         
3583         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
3584         is empty if:
3585         
3586         A) It has no live objects and it's a non-destructor block, or
3587         B) We just allocated it (so it has no destructors even if it's a destructor block), or
3588         C) We just stole it from another allocator (so it also has no destructors), or
3589         D) We just swept the block and ran all destructors.
3590         
3591         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
3592         block that could be stolen.
3593
3594         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
3595         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
3596         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
3597         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
3598         
3599         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
3600         
3601         If we tried to enable trading of blocks between allocators without making any changes to how
3602         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
3603         live objects in order for those bits to be candidates for trading. But if we do that, then our
3604         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
3605         our destructors won't run and we'll leak memory.
3606         
3607         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
3608         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
3609         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
3610         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
3611         are (empty & ~destructible).
3612         
3613         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
3614         remove destructor-oriented special-casing of block trading.
3615
3616         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
3617         so this change is more about clean-up than perf. But, this could reduce memory usage in some
3618         pathological cases.
3619         
3620         * heap/MarkedAllocator.cpp:
3621         (JSC::MarkedAllocator::findEmptyBlockToSteal):
3622         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3623         (JSC::MarkedAllocator::endMarking):
3624         (JSC::MarkedAllocator::shrink):
3625         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
3626         * heap/MarkedAllocator.h:
3627         * heap/MarkedBlock.cpp:
3628         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3629         (JSC::MarkedBlock::Handle::sweep):
3630         * heap/MarkedBlockInlines.h:
3631         (JSC::MarkedBlock::Handle::specializedSweep):
3632         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
3633         (JSC::MarkedBlock::Handle::emptyMode):
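
A minimal model of the `empty` / `destructible` bookkeeping described above, added here as an illustration (it is not JavaScriptCore's MarkedBlock code; the Block struct and all helper names are assumptions). It shows why flagging dead destructor blocks as `empty` under the old single-bit rule would skip their destructors, and how the separate `destructible` bit keeps trading, sweeping and shrinking consistent.

```cpp
// Added illustration, not JavaScriptCore's MarkedBlock code: a minimal model of the
// `empty` and `destructible` bits described above. Block and all helper names are
// assumptions made for this example.
#include <cstddef>

struct Block {
    bool isDestructorBlock;     // belongs to a Subspace whose cells have destructors
    size_t liveObjects;         // live cells found by marking
    size_t pendingDestructors;  // dead cells whose destructors have not run yet
    bool empty;                 // "no live objects"
    bool destructible;          // new bit: "destructors may still need to run"
};

// Old rule: `empty` was only set for non-destructor blocks with no live objects
// (case A), and a sweep of an empty block ran no destructors.
void endMarkingOld(Block& b) { b.empty = b.liveObjects == 0 && !b.isDestructorBlock; }

// Old rule with trading bolted on: also flag dead destructor blocks as empty so
// other allocators can steal them. This is the broken variant the entry describes.
void endMarkingOldWithTrading(Block& b) { b.empty = b.liveObjects == 0; }

size_t sweepOld(Block& b) {          // returns number of destructors run
    if (b.empty) return 0;
    size_t ran = b.pendingDestructors;
    b.pendingDestructors = 0;
    return ran;
}

// New rule: `empty` answers "live objects?", `destructible` answers "destructors?".
// The GC marks every live block destructible at the end of marking.
void endMarkingNew(Block& b) {
    b.empty = b.liveObjects == 0;
    b.destructible = true;
}

// Cases B and C: a freshly allocated or freshly stolen block has nothing to destruct.
Block freshBlock(bool isDestructorBlock) {
    return Block { isDestructorBlock, 0, 0, /*empty*/ true, /*destructible*/ false };
}

size_t sweepNew(Block& b) {          // returns number of destructors run
    if (!b.destructible) return 0;
    size_t ran = b.pendingDestructors;
    b.pendingDestructors = 0;
    b.destructible = false;          // case D: all destructors have now run
    return ran;
}

// Trading (case A) only needs "no live objects"; shrink (case D) needs
// "no live objects and nothing left to destruct", i.e. empty & ~destructible.
bool canBeStolen(const Block& b) { return b.empty; }
bool canBeFreedOnShrink(const Block& b) { return b.empty && !b.destructible; }

// A dead destructor block with three destructors still pending, swept under each rule.
// Returns the number of destructors that never ran (the leak).
size_t leakedUnderOldTrading() {
    Block b { true, 0, 3, false, false };
    endMarkingOldWithTrading(b);     // now empty, so stealable...
    sweepOld(b);                     // ...but the sweep skips all three destructors
    return b.pendingDestructors;     // 3
}
size_t leakedUnderNew() {
    Block b { true, 0, 3, false, false };
    endMarkingNew(b);                // empty and destructible
    sweepNew(b);                     // runs all three, then clears destructible
    return b.pendingDestructors;     // 0
}
// Under the plain old rule the same block is swept correctly but can never be traded.
bool stealableUnderOld() {
    Block b { true, 0, 3, false, false };
    endMarkingOld(b);
    return canBeStolen(b);           // false
}
```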
3634
3635 2017-07-25  Keith Miller  <keith_miller@apple.com>
3636
3637         Remove Broken CompareEq constant folding phase.
3638         https://bugs.webkit.org/show_bug.cgi?id=174846
3639         <rdar://problem/32978808>
3640
3641         Reviewed by Saam Barati.
3642
3643         This bug happened when we would get code like the following:
3644
3645         a: JSConst(Undefined)
3646         b: GetLocal(SomeObjectOrUndefined)
3647         ...
3648         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
3649
3650         constant folding will turn this into:
3651
3652         a: JSConst(Undefined)
3653         b: GetLocal(SomeObjectOrUndefined)
3654         ...
3655         c: CompareEq(Check:ObjectOrOther:b, Other:a)
3656
3657         But the SpeculativeJIT/FTL lowering will fail to check b
3658         properly which leads to an assertion failure in the AI.
3659
3660         I'll follow up with a more robust fix later. For now, I'll remove the
3661         case that generates the code. Removing the code appears to be perf
3662         neutral.
3663
3664         * dfg/DFGConstantFoldingPhase.cpp:
3665         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3666
3667 2017-07-25  Matt Baker  <mattbaker@apple.com>
3668
3669         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
3670         https://bugs.webkit.org/show_bug.cgi?id=174738
3671
3672         Reviewed by Brian Burg.
3673
3674         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
3675         stack traces. This preserves the call type in JSC, makes the range of
3676         possible call types explicit, and is safer than passing ints.
3677
3678         * inspector/agents/InspectorDebuggerAgent.cpp:
3679         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
3680         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
3681         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
3682         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
3683         * inspector/agents/InspectorDebuggerAgent.h:
3684
3685 2017-07-25  Mark Lam  <mark.lam@apple.com>
3686
3687         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
3688         https://bugs.webkit.org/show_bug.cgi?id=174809
3689         <rdar://problem/33504759>
3690
3691         Reviewed by Filip Pizlo.
3692
3693         1. When the probe handler function changes the sp register to point to the
3694            region of stack in the middle of the ProbeContext on the stack, there is a
3695            bug where the ProbeContext's register values to be restored can be over-written
3696            before they can be restored.  This is now fixed.
3697
3698         2. Added more robust probe tests for changing the sp register.
3699
3700         3. Made existing probe tests ensure that probe handlers were actually called.
3701
3702         4. Added some verification to testProbePreservesGPRS().
3703
3704         5. Changed all the probe tests to fail early on discovering an error instead of
3705            batching till the end of the test.  This helps point a finger to the failing
3706            issue earlier.
3707
3708         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
3709         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
3710
3711         * assembler/MacroAssemblerARM.cpp:
3712         * assembler/MacroAssemblerARMv7.cpp:
3713         * assembler/MacroAssemblerX86Common.cpp:
3714         * assembler/testmasm.cpp:
3715         (JSC::testProbeReadsArgumentRegisters):
3716         (JSC::testProbeWritesArgumentRegisters):
3717         (JSC::testProbePreservesGPRS):
3718         (JSC::testProbeModifiesStackPointer):
3719         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3720         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3721         (JSC::testProbeModifiesProgramCounter):
3722         (JSC::run):
3723
3724 2017-07-25  Brian Burg  <bburg@apple.com>
3725
3726         Web Automation: add support for uploading files
3727         https://bugs.webkit.org/show_bug.cgi?id=174797
3728         <rdar://problem/28485063>
3729
3730         Reviewed by Joseph Pecoraro.
3731
3732         * inspector/scripts/generate-inspector-protocol-bindings.py:
3733         (generate_from_specification):
3734         Start generating frontend dispatcher code if the target framework is 'WebKit'.
3735
3736         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3737         (CppFrontendDispatcherImplementationGenerator.generate_output):
3738         Use a framework include for InspectorFrontendRouter.h since this generated code
3739         will be compiled outside of WebCore.framework.
3740
3741         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3742         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3743         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3744         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3745         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3746         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3747         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3748         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3749         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3750         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3751         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3752         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3753         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3754         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3755         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3756         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3757         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3758         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3759         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3760         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3761         Rebaseline code generator tests.
3762
3763 2017-07-24  Mark Lam  <mark.lam@apple.com>
3764
3765         Gardening: fixed C Loop build after r219790.
3766         https://bugs.webkit.org/show_bug.cgi?id=174696
3767
3768         Not reviewed.
3769
3770         * assembler/testmasm.cpp:
3771
3772 2017-07-23  Mark Lam  <mark.lam@apple.com>
3773
3774         Create regression tests for the JIT probe.
3775         https://bugs.webkit.org/show_bug.cgi?id=174696
3776         <rdar://problem/33436922>
3777
3778         Reviewed by Saam Barati.
3779
3780         The new testmasm will test the following:
3781         1. the probe is able to read the value of CPU registers.
3782         2. the probe is able to write the value of CPU registers.
3783         3. the probe is able to preserve all CPU registers.
3784         4. special case of (2): the probe is able to change the value of the stack pointer.
3785         5. special case of (2): the probe is able to change the value of the program counter
3786            i.e. the probe can change where the code continues executing upon returning from
3787            the probe.
3788
3789         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
3790         because it does not support changing the sp and pc yet.  The ARM64 probe
3791         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
3792         later.
3793
3794         * Configurations/ToolExecutable.xcconfig:
3795         * JavaScriptCore.xcodeproj/project.pbxproj:
3796         * assembler/MacroAssembler.h:
3797         (JSC::MacroAssembler::CPUState::pc):
3798         (JSC::MacroAssembler::CPUState::fp):
3799         (JSC::MacroAssembler::CPUState::sp):
3800         (JSC::ProbeContext::pc):
3801         (JSC::ProbeContext::fp):
3802         (JSC::ProbeContext::sp):
3803         * assembler/MacroAssemblerARM64.cpp:
3804         (JSC::arm64ProbeTrampoline):
3805         * assembler/MacroAssemblerPrinter.cpp:
3806         (JSC::Printer::printPCRegister):
3807         * assembler/testmasm.cpp: Added.
3808         (hiddenTruthBecauseNoReturnIsStupid):
3809         (usage):
3810         (JSC::nextID):
3811         (JSC::isPC):
3812         (JSC::isSP):
3813         (JSC::isFP):
3814         (JSC::compile):
3815         (JSC::invoke):
3816         (JSC::compileAndRun):
3817         (JSC::testSimple):
3818         (JSC::testProbeReadsArgumentRegisters):
3819         (JSC::testProbeWritesArgumentRegisters):
3820         (JSC::testFunctionToTrashRegisters):
3821         (JSC::testProbePreservesGPRS):
3822         (JSC::testProbeModifiesStackPointer):
3823         (JSC::testProbeModifiesProgramCounter):
3824         (JSC::run):
3825         (run):
3826         (main):
3827         * b3/air/testair.cpp:
3828         (usage):
3829         * shell/CMakeLists.txt:
3830
3831 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
3832
3833         It should be easy to decide how WebKit yields
3834         https://bugs.webkit.org/show_bug.cgi?id=174298
3835
3836         Reviewed by Saam Barati.
3837         
3838         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
3839
3840         * heap/Heap.cpp:
3841         (JSC::Heap::resumeThePeriphery):
3842         * heap/VisitingTimeout.h:
3843         * runtime/JSCell.cpp:
3844         (JSC::JSCell::lockSlow):
3845         (JSC::JSCell::unlockSlow):
3846         * runtime/JSCell.h:
3847         * runtime/JSCellInlines.h:
3848         (JSC::JSCell::lock):
3849         (JSC::JSCell::unlock):
3850         * runtime/JSLock.cpp:
3851         (JSC::JSLock::grabAllLocks):
3852         * runtime/SamplingProfiler.cpp:
3853
3854 2017-07-21  Mark Lam  <mark.lam@apple.com>
3855
3856         Refactor MASM probe CPUState to use arrays for register storage.
3857         https://bugs.webkit.org/show_bug.cgi?id=174694
3858
3859         Reviewed by Keith Miller.
3860
3861         Using arrays for register storage in CPUState allows us to do away with the
3862         huge switch statements to decode each register id.  We can now simply index into
3863         the arrays.
3864
3865         With this patch, we now:
3866
3867         1. Remove the need for macros for defining the list of CPU registers.
3868            We can go back to simple enums.  This makes the code easier to read.
3869
3870         2. Make the assembler the authority on register names.
3871            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
3872            GPRInfo and FPRInfo now forward to the assembler.
3873
3874         3. Make the assembler the authority on the number of registers of each type.
3875
3876         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
3877            This is inconsistent with how every other CPU architecture implements
3878            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
3879            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
3880
3881         * assembler/ARM64Assembler.h:
3882         (JSC::ARM64Assembler::numberOfRegisters):
3883         (JSC::ARM64Assembler::firstSPRegister):
3884         (JSC::ARM64Assembler::lastSPRegister):
3885         (JSC::ARM64Assembler::numberOfSPRegisters):
3886         (JSC::ARM64Assembler::numberOfFPRegisters):
3887         (JSC::ARM64Assembler::gprName):
3888         (JSC::ARM64Assembler::sprName):
3889         (JSC::ARM64Assembler::fprName):
3890         * assembler/ARMAssembler.h:
3891         (JSC::ARMAssembler::numberOfRegisters):
3892         (JSC::ARMAssembler::firstSPRegister):
3893         (JSC::ARMAssembler::lastSPRegister):
3894         (JSC::ARMAssembler::numberOfSPRegisters):
3895         (JSC::ARMAssembler::numberOfFPRegisters):
3896         (JSC::ARMAssembler::gprName):
3897         (JSC::ARMAssembler::sprName):
3898         (JSC::ARMAssembler::fprName):
3899         * assembler/ARMv7Assembler.h:
3900         (JSC::ARMv7Assembler::lastRegister):
3901         (JSC::ARMv7Assembler::numberOfRegisters):
3902         (JSC::ARMv7Assembler::firstSPRegister):
3903         (JSC::ARMv7Assembler::lastSPRegister):
3904         (JSC::ARMv7Assembler::numberOfSPRegisters):
3905         (JSC::ARMv7Assembler::numberOfFPRegisters):
3906         (JSC::ARMv7Assembler::gprName):
3907         (JSC::ARMv7Assembler::sprName):
3908         (JSC::ARMv7Assembler::fprName):
3909         * assembler/AbstractMacroAssembler.h:
3910         (JSC::AbstractMacroAssembler::numberOfRegisters):
3911         (JSC::AbstractMacroAssembler::gprName):
3912         (JSC::AbstractMacroAssembler::firstSPRegister):
3913         (JSC::AbstractMacroAssembler::lastSPRegister):
3914         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
3915         (JSC::AbstractMacroAssembler::sprName):
3916         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
3917         (JSC::AbstractMacroAssembler::fprName):
3918         * assembler/MIPSAssembler.h:
3919         (JSC::MIPSAssembler::numberOfRegisters):
3920         (JSC::MIPSAssembler::firstSPRegister):
3921         (JSC::MIPSAssembler::lastSPRegister):
3922         (JSC::MIPSAssembler::numberOfSPRegisters):
3923         (JSC::MIPSAssembler::numberOfFPRegisters):
3924         (JSC::MIPSAssembler::gprName):
3925         (JSC::MIPSAssembler::sprName):
3926         (JSC::MIPSAssembler::fprName):
3927         * assembler/MacroAssembler.h:
3928         (JSC::MacroAssembler::CPUState::gprName):
3929         (JSC::MacroAssembler::CPUState::sprName):
3930         (JSC::MacroAssembler::CPUState::fprName):
3931         (JSC::MacroAssembler::CPUState::gpr):
3932         (JSC::MacroAssembler::CPUState::spr):
3933         (JSC::MacroAssembler::CPUState::fpr):
3934         (JSC::MacroAssembler::CPUState::pc):
3935         (JSC::MacroAssembler::CPUState::fp):
3936         (JSC::MacroAssembler::CPUState::sp):
3937         (JSC::ProbeContext::gpr):
3938         (JSC::ProbeContext::spr):
3939         (JSC::ProbeContext::fpr):
3940         (JSC::ProbeContext::gprName):
3941         (JSC::ProbeContext::sprName):
3942         (JSC::ProbeContext::fprName):
3943         (JSC::MacroAssembler::numberOfRegisters): Deleted.
3944         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
3945         * assembler/MacroAssemblerARM.cpp:
3946         * assembler/MacroAssemblerARM64.cpp:
3947         (JSC::arm64ProbeTrampoline):
3948         * assembler/MacroAssemblerARMv7.cpp:
3949         * assembler/MacroAssemblerPrinter.cpp:
3950         (JSC::Printer::nextID):
3951         (JSC::Printer::printAllRegisters):
3952         (JSC::Printer::printPCRegister):
3953         (JSC::Printer::printRegisterID):