8bf08107b556c30c93bf6e4363163b9f9c6a9a72
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-12-06  Saam Barati  <sbarati@apple.com>

        ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
        https://bugs.webkit.org/show_bug.cgi?id=180438
        <rdar://problem/35862342>

        Reviewed by Yusuke Suzuki.

        A couple inspector methods that take stacktraces need
        to grab the JSLock.

        * inspector/ScriptCallStackFactory.cpp:
        (Inspector::createScriptCallStack):
        (Inspector::createScriptCallStackForConsole):

2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>

        Switch Windows build to Visual Studio 2017
        https://bugs.webkit.org/show_bug.cgi?id=172412

        Reviewed by Per Arne Vollan.

        * JavaScriptCore.vcxproj/JavaScriptCore.proj:

2017-12-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: don't eagerly checksum
        https://bugs.webkit.org/show_bug.cgi?id=180441
        <rdar://problem/35156628>

        Reviewed by Saam Barati.

        Make checksumming of module optional for now. The bots think the
        checksum hurt compile-time. I'd measured it and couldn't see a
        difference, and still can't at this point in time, but we'll see
        if disabling it fixes the bots. If so then I can make it lazy upon
        first backtrace construction, or I can try out MD5 instead of
        SHA1.

        * runtime/Options.h:
        * wasm/WasmModuleInformation.cpp:
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleInformation.h:
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):

2017-12-05  Filip Pizlo  <fpizlo@apple.com>

        IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
        https://bugs.webkit.org/show_bug.cgi?id=180425

        Reviewed by Saam Barati.

        Failure to do so causes leaks after starting workers.

        * heap/IsoAlignedMemoryAllocator.cpp:
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):

2017-12-05  Per Arne Vollan  <pvollan@apple.com>

        [Win64] Compile error in testmasm.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=180436

        Reviewed by Mark Lam.

        Fix MSVC warning (32-bit shift implicitly converted to 64 bits).

        * assembler/testmasm.cpp:
        (JSC::testGetEffectiveAddress):

2017-12-01  Filip Pizlo  <fpizlo@apple.com>

        GC constraint solving should be parallel
        https://bugs.webkit.org/show_bug.cgi?id=179934

        Reviewed by JF Bastien.

        This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
        speed-up. It's more than 1% on trunk-Speedometer.

        The constraint solver supports running constraints in parallel in two different ways:

        - Run multiple constraints in parallel to each other. This only works for constraints that can
          tolerate other constraints running concurrently to them (constraint.concurrency() ==
          ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
          constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
          could probably make them concurrent, but I'm playing it safe for now.

        - A constraint can create parallel work for itself, which the constraint solver will interleave
          with other stuff. A constraint can report that it has parallel work by returning
          ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
          constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
          for as long as that function wants to run.

        It's not possible to have a non-concurrent constraint that creates parallel work.

        The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
        most natural for two reasons:

        - No need to start any other threads.

        - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
          access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
          create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
          thread, that thread will have work it can start doing immediately. Before this change, we had to
          contribute the work found by the constraint solver to the global worklist so that it could be
          distributed to the marker threads by load balancing. This change probably helps to avoid that
          load balancing step.

        A lot of this change is about making it easy to iterate GC data structures in parallel. This
        change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
        the parallel work API. That constraint iterates the marked cells in two subspaces. This change
        makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
        The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
        iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
        RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
        when it returns a falsish version of ... (in the current code, that's always a pointer type, so
        done is indicated by null).

        * API/JSMarkingConstraintPrivate.cpp:
        (JSContextGroupAddMarkingConstraint):
        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::propagateTransitions const):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::shouldJettisonDueToOldAge):
        (JSC::shouldMarkTransition):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::determineLiveness):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/ConstraintParallelism.h: Added.
        (WTF::printInternal):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::runFixpointPhase):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::resumeThePeriphery):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::setBonusVisitorTask):
        (JSC::Heap::runTaskInParallel):
        (JSC::Heap::forEachSlotVisitor): Deleted.
        * heap/Heap.h:
        (JSC::Heap::worldIsRunning const):
        (JSC::Heap::runFunctionInParallel):
        * heap/HeapInlines.h:
        (JSC::Heap::worldIsStopped const):
        (JSC::Heap::isMarked):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
        (JSC::Heap::isMarkedConcurrently): Deleted.
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::appendNode):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::isMarked):
        (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
        * heap/LockDuringMarking.h:
        (JSC::lockDuringMarking):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
        * heap/MarkedAllocator.h:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::aboutToMark):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
        (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::activeWeakSetsBegin):
        (JSC::MarkedSpace::activeWeakSetsEnd):
        (JSC::MarkedSpace::newActiveWeakSetsBegin):
        (JSC::MarkedSpace::newActiveWeakSetsEnd):
        * heap/MarkingConstraint.cpp:
        (JSC::MarkingConstraint::MarkingConstraint):
        (JSC::MarkingConstraint::execute):
        (JSC::MarkingConstraint::quickWorkEstimate):
        (JSC::MarkingConstraint::workEstimate):
        (JSC::MarkingConstraint::doParallelWork):
        (JSC::MarkingConstraint::finishParallelWork):
        (JSC::MarkingConstraint::doParallelWorkImpl):
        (JSC::MarkingConstraint::finishParallelWorkImpl):
        * heap/MarkingConstraint.h:
        (JSC::MarkingConstraint::lastExecuteParallelism const):
        (JSC::MarkingConstraint::parallelism const):
        (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
        (JSC::MarkingConstraint::workEstimate): Deleted.
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::MarkingConstraintSet):
        (JSC::MarkingConstraintSet::add):
        (JSC::MarkingConstraintSet::executeConvergence):
        (JSC::MarkingConstraintSet::executeConvergenceImpl):
        (JSC::MarkingConstraintSet::executeAll):
        (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
        (): Deleted.
        * heap/MarkingConstraintSet.h:
        * heap/MarkingConstraintSolver.cpp: Added.
        (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
        (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
        (JSC::MarkingConstraintSolver::didVisitSomething const):
        (JSC::MarkingConstraintSolver::execute):
        (JSC::MarkingConstraintSolver::drain):
        (JSC::MarkingConstraintSolver::converge):
        (JSC::MarkingConstraintSolver::runExecutionThread):
        (JSC::MarkingConstraintSolver::didExecute):
        * heap/MarkingConstraintSolver.h: Added.
        * heap/OpaqueRootSet.h: Removed.
        * heap/ParallelSourceAdapter.h: Added.
        (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
        (JSC::createParallelSourceAdapter):
        * heap/SimpleMarkingConstraint.cpp: Added.
        (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::quickWorkEstimate):
        (JSC::SimpleMarkingConstraint::executeImpl):
        * heap/SimpleMarkingConstraint.h: Added.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::updateMutatorIsStopped):
        (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::performIncrementOfDraining):
        (JSC::SlotVisitor::didReachTermination):
        (JSC::SlotVisitor::hasWork):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively):
        (JSC::SlotVisitor::waitForTermination):
        (JSC::SlotVisitor::addOpaqueRoot): Deleted.
        (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
        (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
        (JSC::SlotVisitor::mergeIfNecessary): Deleted.
        (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
        (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::addOpaqueRoot):
        (JSC::SlotVisitor::containsOpaqueRoot const):
        (JSC::SlotVisitor::vm):
        (JSC::SlotVisitor::vm const):
        * heap/Subspace.cpp:
        (JSC::Subspace::parallelAllocatorSource):
        (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
        * heap/Subspace.h:
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachMarkedCellInParallel):
        * heap/VisitCounter.h: Added.
        (JSC::VisitCounter::VisitCounter):
        (JSC::VisitCounter::visitCount const):
        * heap/VisitingTimeout.h: Removed.
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::specializedVisit):
        * runtime/Structure.cpp:
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::markIfCheap):
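
        The parallel iterator idea from the entry above (an atomic next() that returns null when exhausted, with a block iterator composed into a cell iterator), shown as an added illustration rather than code from the WebKit patch: `ParallelSource`, `parallelVectorSource`, `Cell`, `Block` and `sumCellsInParallel` are assumed stand-ins for JSC's `RefPtr<SharedTask<...()>>`, `ParallelSourceAdapter` and marked-cell iteration, and the blocks and cells are constructed sample data.

```cpp
#include <atomic>
#include <cstddef>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Stand-in for WebKit's RefPtr<SharedTask<T()>> (assumption): a shared callable that
// any marker thread may invoke; a falsish result, here nullptr, means "exhausted".
template<typename T>
using ParallelSource = std::shared_ptr<std::function<T()>>;

struct Cell { int value { 0 }; std::atomic<int> visits { 0 }; };
struct Block { std::vector<Cell> cells; };

// Leaf source over a vector: one atomic fetch_add is the whole of next(), so any
// number of threads can pull from it without taking a lock.
template<typename T>
ParallelSource<T*> parallelVectorSource(std::vector<T>& items)
{
    auto index = std::make_shared<std::atomic<size_t>>(0);
    return std::make_shared<std::function<T*()>>([&items, index]() -> T* {
        size_t i = index->fetch_add(1, std::memory_order_relaxed);
        return i < items.size() ? &items[i] : nullptr;
    });
}

// Composes an outer source with a per-item inner source into one flat source
// (blocks -> cells here). Only the hand-over from an exhausted inner source to
// the next one is serialised; the hot path is the inner source's lock-free next().
template<typename Outer, typename Inner>
ParallelSource<Inner> createParallelSourceAdapter(
    ParallelSource<Outer> outer, std::function<ParallelSource<Inner>(Outer)> makeInner)
{
    struct State {
        std::mutex lock;
        ParallelSource<Inner> current;
        bool outerDone { false };
    };
    auto state = std::make_shared<State>();
    return std::make_shared<std::function<Inner()>>([outer, makeInner, state]() -> Inner {
        for (;;) {
            ParallelSource<Inner> inner;
            {
                std::lock_guard<std::mutex> guard(state->lock);
                if (!state->current) {
                    if (state->outerDone)
                        return Inner();
                    Outer item = (*outer)();
                    if (!item) {
                        state->outerDone = true;
                        return Inner();
                    }
                    state->current = makeInner(item);
                }
                inner = state->current;
            }
            if (Inner result = (*inner)())
                return result;
            // This inner source is drained; retire it unless another thread already did.
            std::lock_guard<std::mutex> guard(state->lock);
            if (state->current == inner)
                state->current = nullptr;
        }
    });
}

// Drains the composed cell source on threadCount threads (the entry's marker threads)
// and returns the sum of cell values, or -1 if any cell was not handed out exactly once.
inline long sumCellsInParallel(size_t blockCount, size_t cellsPerBlock, unsigned threadCount)
{
    // Constructed sample heap: blockCount blocks of cellsPerBlock cells, values 1..n.
    std::vector<Block> blocks(blockCount);
    int next = 1;
    for (Block& block : blocks) {
        block.cells = std::vector<Cell>(cellsPerBlock);
        for (Cell& cell : block.cells)
            cell.value = next++;
    }
    ParallelSource<Cell*> cells = createParallelSourceAdapter<Block*, Cell*>(
        parallelVectorSource(blocks), [](Block* block) { return parallelVectorSource(block->cells); });
    std::atomic<long> total { 0 };
    std::vector<std::thread> threads;
    for (unsigned t = 0; t < threadCount; ++t) {
        threads.emplace_back([cells, &total] {
            while (Cell* cell = (*cells)()) {
                cell->visits.fetch_add(1, std::memory_order_relaxed);
                total.fetch_add(cell->value, std::memory_order_relaxed);
            }
        });
    }
    for (std::thread& thread : threads)
        thread.join();
    for (const Block& block : blocks)
        for (const Cell& cell : block.cells)
            if (cell.visits.load() != 1)
                return -1;
    return total.load();
}
```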

2017-12-04  JF Bastien  <jfbastien@apple.com>

        Math: don't redundantly check for exceptions, just release scope
        https://bugs.webkit.org/show_bug.cgi?id=180395

        Rubber stamped by Mark Lam.

        Two of the exceptions checks could just have been exception scope
        releases before the return, which is ever-so-slightly more
        efficient. The same technically applies where we have loops over
        parameters, but doing the scope release there isn't really more
        efficient and is way harder to read.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncPow):

2017-12-04  David Quesada  <david_quesada@apple.com>

        Add a class for parsing application manifests
        https://bugs.webkit.org/show_bug.cgi?id=177973
        rdar://problem/34747949

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.

2017-12-04  JF Bastien  <jfbastien@apple.com>

        Update std::expected to match libc++ coding style
        https://bugs.webkit.org/show_bug.cgi?id=180264

        Reviewed by Alex Christensen.

        Update various uses of Expected.

        * wasm/WasmModule.h:
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseImport):
        (JSC::Wasm::ModuleParser::parseTableHelper):
        (JSC::Wasm::ModuleParser::parseTable):
        (JSC::Wasm::ModuleParser::parseMemoryHelper):
        * wasm/WasmParser.h:
        * wasm/generateWasmValidateInlinesHeader.py:
        (loadMacro):
        (storeMacro):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/JSWebAssemblyModule.h:

2017-12-04  Saam Barati  <sbarati@apple.com>

        We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
        https://bugs.webkit.org/show_bug.cgi?id=180366
        <rdar://problem/35685877>

        Reviewed by Michael Saboff.

        On the TailCall slow path, the CallFrameShuffler will build the frame with
        respect to SP instead of FP. However, this may overwrite slots on the stack
        that are needed if the slow path C call does a stack walk. The slow path
        C call does a stack walk when it throws an exception. This patch fixes
        this bug by ensuring that the top of the stack in the FTL always has enough
        space to allow CallFrameShuffler to build a frame without overwriting any
        items on the stack that are needed when doing a stack walk.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):

2017-12-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=175166
        <rdar://problem/34040740>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        Add optional `name` that will be used by the frontend for uniquely identifying the Recording.

        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::record):
        (Inspector::JSGlobalObjectConsoleClient::recordEnd):

        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        (JSC::consoleProtoFuncRecord):
        (JSC::consoleProtoFuncRecordEnd):

2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF shouldn't have both Thread and ThreadIdentifier
        https://bugs.webkit.org/show_bug.cgi?id=180308

        Reviewed by Darin Adler.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/JSLock.h:
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::throwingThread const):
        (JSC::VM::clearException):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::printVerificationHeader):

2017-12-03  Caio Lima  <ticaiolima@gmail.com>

        Rename DestroyFunc to avoid redefinition on unified build
        https://bugs.webkit.org/show_bug.cgi?id=180335

        Reviewed by Filip Pizlo.

        Changing DestroyFunc structures to more specific names to avoid
        conflicts on unified builds.

        * heap/HeapCellType.cpp:
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: missing exception checks in Math functions that take more than one argument
        https://bugs.webkit.org/show_bug.cgi?id=180297
        <rdar://problem/35745556>

        Reviewed by Mark Lam.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        (JSC::mathProtoFuncPow):

2017-12-01  Mark Lam  <mark.lam@apple.com>

        Let's scramble ClassInfo pointers in cells.
        https://bugs.webkit.org/show_bug.cgi?id=180291
        <rdar://problem/35807620>

        Reviewed by JF Bastien.

        * API/JSCallbackObject.h:
        * API/JSObjectRef.cpp:
        (classInfoPrivate):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtr::initialize): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::hash const):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCScrambledPtr.cpp: Added.
        (JSC::initializeScrambledPtrKeys):
        * runtime/JSCScrambledPtr.h: Added.
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::classInfo const):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::classInfo const):
        * runtime/Structure.h:
        * runtime/VM.h:

2017-12-01  Brian Burg  <bburg@apple.com>

        Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
        https://bugs.webkit.org/show_bug.cgi?id=173662

        Reviewed by Joseph Pecoraro.

        Adopt new type names. Fix protocol generator to use correct type names.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        Improve naming and use 'auto' when the type is obvious and repeated.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::wrapCallFrames const):
        * inspector/InjectedScript.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
        (Inspector::Protocol::Array::Array): Deleted.
        (Inspector::Protocol::Array::openAccessors): Deleted.
        (Inspector::Protocol::Array::addItem): Deleted.
        (Inspector::Protocol::Array::create): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
        Move the implementation out of this file.

        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray const):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomain):
        (Inspector::InspectorAgent::activateExtraDomains):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::getLoggingChannels):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::buildSamples):
        Use more 'auto' and rename a variable.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_protocol_type_for_type):
        Adopt new type names. This exposed a latent bug where we should have been
        unwrapping an AliasedType prior to generating a C++ type for it. The aliased
        type may be an array, in which case we would have generated the wrong type.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_typedefs_for_domain.JSON):
        (_generate_typedefs_for_domain.Inspector): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_type):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        Rebaseline.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations const):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2017-12-01  Saam Barati  <sbarati@apple.com>

        Having a bad time needs to handle ArrayClass indexing type as well
        https://bugs.webkit.org/show_bug.cgi?id=180274
        <rdar://problem/35667869>

        Reviewed by Keith Miller and Mark Lam.

        We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
        Otherwise, we'll end up with the wrong Structure, which will lead us to not
        adhere to the spec. The bug was that we were not considering ArrayClass inside
        hasBrokenIndexing. This patch rewrites that function to automatically opt
        in non-empty indexing types as broken, instead of having to opt out all
        non-empty indexing types besides SlowPutArrayStorage.

        * runtime/IndexingType.h:
        (JSC::hasSlowPutArrayStorage):
        (JSC::shouldUseSlowPut):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::switchToSlowPutArrayStorage):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: stack trace improvement follow-ups
        https://bugs.webkit.org/show_bug.cgi?id=180273

        Reviewed by Saam Barati.

        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmIndexOrName.h:
        (JSC::Wasm::IndexOrName::nameSection const):
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::get):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: restore cached stack limit after out-call
        https://bugs.webkit.org/show_bug.cgi?id=179106
        <rdar://problem/35337525>

        Reviewed by Saam Barati.

        We cache the stack limit on the Instance so that we can do fast
        stack checks where required. In regular usage the stack limit
        never changes because we always run on the same thread, but in
        rare cases an API user can totally migrate which thread (and
        therefore stack) is used for execution between WebAssembly
        traces. For that reason we set the cached stack limit to
        UINTPTR_MAX on the outgoing Instance when transitioning back into
        a different Instance. We usually restore the cached stack limit in
        Context::store, but this wasn't called on all code paths. We had a
        bug where an Instance calling into itself indirectly would
        therefore fail to restore its cached stack limit properly.

        This patch therefore restores the cached stack limit after direct
        calls which could be to imports (both wasm->wasm and
        wasm->embedder). We have to do all of them because we have no way
        of knowing what imports will do (they're known at instantiation
        time, not compilation time, and different instances can have
        different imports). To make this efficient we also add a pointer
        to the canonical location of the stack limit (i.e. the extra
        indirection we're trying to save by caching the stack limit on the
        Instance in the first place). This is potentially a small perf hit
        on imported direct calls.

        It's hard to say what the performance cost will be because we
        haven't seen much code in the wild which does this. We're adding
        two dependent loads and a store of the loaded value, which is
        unlikely to get used soon after. It's more code, but on an
        out-of-order processor it doesn't contribute to the critical path.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
        (JSC::Wasm::Instance::cachedStackLimit const):
        (JSC::Wasm::Instance::setCachedStackLimit):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use JSFixedArray for op_new_array_buffer
        https://bugs.webkit.org/show_bug.cgi?id=180084

        Reviewed by Saam Barati.

651         Reviewed by Saam Barati.
652
653         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
654         But using JSFixedArray is better because:
655
656         1. In DFG, we have a special hashing mechanism to avoid duplicating the constant buffer from the same CodeBlock.
657            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.
658
659         2. In a subsequent patch [1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
660            has a JSFixedArray, we can just emit the held JSFixedArray.
661
662         3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.
663
664         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
665
666         5. We do not need to look up the constant buffer from the CodeBlock if the buffer data is necessary. Our NewArrayBuffer
667            DFG node has a JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
668            will be introduced in [1].
669
670         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
671
672         * bytecode/BytecodeDumper.cpp:
673         (JSC::BytecodeDumper<Block>::dumpBytecode):
674         * bytecode/BytecodeList.json:
675         * bytecode/BytecodeUseDef.h:
676         (JSC::computeUsesForBytecodeOffset):
677         * bytecode/CodeBlock.cpp:
678         (JSC::CodeBlock::finishCreation):
679         * bytecode/CodeBlock.h:
680         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
681         (JSC::CodeBlock::addConstantBuffer): Deleted.
682         (JSC::CodeBlock::constantBufferAsVector): Deleted.
683         (JSC::CodeBlock::constantBuffer): Deleted.
684         * bytecode/UnlinkedCodeBlock.cpp:
685         (JSC::UnlinkedCodeBlock::shrinkToFit):
686         * bytecode/UnlinkedCodeBlock.h:
687         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
688         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
689         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
690         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
691         * bytecompiler/BytecodeGenerator.cpp:
692         (JSC::BytecodeGenerator::emitNewArray):
693         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
694         * bytecompiler/BytecodeGenerator.h:
695         * dfg/DFGByteCodeParser.cpp:
696         (JSC::DFG::ByteCodeParser::parseBlock):
697         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
698         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
699         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
700         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
701         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
702         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
703         (JSC::DFG::ConstantBufferKey::index const): Deleted.
704         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
705         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
706         * dfg/DFGClobberize.h:
707         (JSC::DFG::clobberize):
708         * dfg/DFGGraph.cpp:
709         (JSC::DFG::Graph::dump):
710         * dfg/DFGGraph.h:
711         * dfg/DFGNode.h:
712         (JSC::DFG::Node::hasNewArrayBufferData):
713         (JSC::DFG::Node::newArrayBufferData):
714         (JSC::DFG::Node::hasVectorLengthHint):
715         (JSC::DFG::Node::vectorLengthHint):
716         (JSC::DFG::Node::indexingType):
717         (JSC::DFG::Node::hasCellOperand):
718         (JSC::DFG::Node::OpInfoWrapper::operator=):
719         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
720         (JSC::DFG::Node::hasConstantBuffer): Deleted.
721         (JSC::DFG::Node::startConstant): Deleted.
722         (JSC::DFG::Node::numConstants): Deleted.
723         * dfg/DFGOperations.cpp:
724         * dfg/DFGOperations.h:
725         * dfg/DFGSpeculativeJIT.h:
726         (JSC::DFG::SpeculativeJIT::callOperation):
727         * dfg/DFGSpeculativeJIT32_64.cpp:
728         (JSC::DFG::SpeculativeJIT::compile):
729         * dfg/DFGSpeculativeJIT64.cpp:
730         (JSC::DFG::SpeculativeJIT::compile):
731         * ftl/FTLLowerDFGToB3.cpp:
732         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
733         * jit/JIT.cpp:
734         (JSC::JIT::privateCompileMainPass):
735         * jit/JIT.h:
736         * jit/JITOpcodes.cpp:
737         (JSC::JIT::emit_op_new_array_buffer): Deleted.
738         * jit/JITOperations.cpp:
739         * jit/JITOperations.h:
740         * llint/LLIntSlowPaths.cpp:
741         * llint/LLIntSlowPaths.h:
742         * llint/LowLevelInterpreter.asm:
743         * runtime/CommonSlowPaths.cpp:
744         (JSC::SLOW_PATH_DECL):
745         * runtime/CommonSlowPaths.h:
746         * runtime/JSFixedArray.cpp:
747         (JSC::JSFixedArray::dumpToStream):
748         * runtime/JSFixedArray.h:
749         (JSC::JSFixedArray::create):
750         (JSC::JSFixedArray::get const):
751         (JSC::JSFixedArray::set):
752         (JSC::JSFixedArray::buffer const):
753         (JSC::JSFixedArray::values const):
754         (JSC::JSFixedArray::length const):
755         (JSC::JSFixedArray::get): Deleted.
756
757 2017-11-30  JF Bastien  <jfbastien@apple.com>
758
759         WebAssembly: improve stack trace
760         https://bugs.webkit.org/show_bug.cgi?id=179343
761
762         Reviewed by Saam Barati.
763
764         Stack traces now include:
765
766           - Module name, if provided by the name section.
767           - Module SHA1 hash, if no name was provided.
768           - Stub identification, to differentiate from user code.
769           - Slightly different naming to match the design from:
770               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
771
772         * interpreter/StackVisitor.cpp:
773         (JSC::StackVisitor::Frame::functionName const):
774         * runtime/StackFrame.cpp:
775         (JSC::StackFrame::functionName const):
776         (JSC::StackFrame::visitChildren):
777         * wasm/WasmIndexOrName.cpp:
778         (JSC::Wasm::IndexOrName::IndexOrName):
779         (JSC::Wasm::makeString):
780         * wasm/WasmIndexOrName.h:
781         (JSC::Wasm::IndexOrName::nameSection const):
782         * wasm/WasmModuleInformation.cpp:
783         (JSC::Wasm::ModuleInformation::ModuleInformation):
784         * wasm/WasmModuleInformation.h:
785         * wasm/WasmNameSection.h:
786         (JSC::Wasm::NameSection::NameSection):
787         (JSC::Wasm::NameSection::get):
788         * wasm/WasmNameSectionParser.cpp:
789         (JSC::Wasm::NameSectionParser::parse):
790
791 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
792
793         Make LegacyCustomProtocolManager optional for network process
794         https://bugs.webkit.org/show_bug.cgi?id=176230
795
796         Reviewed by Alex Christensen.
797
798         * Configurations/FeatureDefines.xcconfig:
799
800 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
801
802         [JSC] Remove easy toRemove & map.remove() use in OAS phase
803         https://bugs.webkit.org/show_bug.cgi?id=180208
804
805         Reviewed by Mark Lam.
806
807         In this patch, we replace the Vector<> toRemove & map.remove() loop with removeIf,
808         to optimize this common pattern. This patch only modifies the apparent ones.
809         But we can apply this refactoring further to the OAS phase in the future.
810
811         One thing we should take care of is that the predicate of removeIf should not touch the
812         set it is removing from. In this patch, we apply this change to (1) the apparently
813         correct ones and (2) things in the DFG OAS phase, since it is very slow.
814
815         * b3/B3MoveConstants.cpp:
816         * dfg/DFGObjectAllocationSinkingPhase.cpp:
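Added example (my own constructed model, not WebKit or WTF code) of the caveat in this entry and the reason given for the earlier rollout: a predicate that reads the map it is being applied to gives a different answer under an in-place removeIf than under the two-pass toRemove pattern, because earlier removals are already visible to it. The removeIf helper here is a stand-in for WTF::HashMap::removeIf, and the allocation map is invented for the illustration.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <vector>

// Constructed model: allocation id -> ids it references. Keys 1..3 form a
// chain 3 -> 2 -> 1 -> 0, and 0 is deliberately absent from the map.
using AllocationMap = std::map<int, std::vector<int>>;

AllocationMap sampleAllocations()
{
    return { { 1, { 0 } }, { 2, { 1 } }, { 3, { 2 } } };
}

std::set<int> keysOf(const AllocationMap& map)
{
    std::set<int> keys;
    for (const auto& entry : map)
        keys.insert(entry.first);
    return keys;
}

// A predicate that reads the map it is being applied to: its answer changes
// as earlier entries disappear, which is exactly the hazard described above.
bool referencesMissingAllocation(const AllocationMap& map, const std::vector<int>& refs)
{
    for (int id : refs) {
        if (!map.count(id))
            return true;
    }
    return false;
}

// Stand-in for WTF::HashMap::removeIf (not WTF's code): erase while iterating,
// so entries vanish before later entries are examined.
template<typename Map, typename Pred>
void removeIf(Map& map, Pred pred)
{
    for (auto it = map.begin(); it != map.end();) {
        if (pred(*it))
            it = map.erase(it);
        else
            ++it;
    }
}

// Original two-pass pattern: decide on a snapshot, then remove. Only 1 goes.
std::set<int> pruneTwoPass(AllocationMap map)
{
    std::vector<int> toRemove;
    for (const auto& entry : map) {
        if (referencesMissingAllocation(map, entry.second))
            toRemove.push_back(entry.first);
    }
    for (int key : toRemove)
        map.erase(key);
    return keysOf(map);
}

// Same predicate under removeIf: removing 1 makes 2 look dangling, removing 2
// makes 3 look dangling, and the whole chain is wrongly discarded.
std::set<int> pruneInPlace(AllocationMap map)
{
    removeIf(map, [&map](const AllocationMap::value_type& entry) {
        return referencesMissingAllocation(map, entry.second);
    });
    return keysOf(map);
}

// A predicate that only inspects its own entry is safe under removeIf and
// reaches the same decision as the snapshot-based version.
std::set<int> pruneSelfContained(AllocationMap map)
{
    removeIf(map, [](const AllocationMap::value_type& entry) {
        for (int id : entry.second) {
            if (id == 0) // the known-missing allocation
                return true;
        }
        return false;
    });
    return keysOf(map);
}

int main()
{
    for (int key : pruneTwoPass(sampleAllocations()))
        std::printf("two-pass keeps %d\n", key); // 2, 3
    std::printf("in-place keeps %zu entries\n", pruneInPlace(sampleAllocations()).size()); // 0
    return 0;
}
```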
817
818 2017-11-30  Commit Queue  <commit-queue@webkit.org>
819
820         Unreviewed, rolling out r225362.
821         https://bugs.webkit.org/show_bug.cgi?id=180225
822
823         removeIf predicate function can touch remove target set
824         (Requested by yusukesuzuki on #webkit).
825
826         Reverted changeset:
827
828         "[JSC] Remove easy toRemove & map.remove() use"
829         https://bugs.webkit.org/show_bug.cgi?id=180208
830         https://trac.webkit.org/changeset/225362
831
832 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
833
834         [JSC] Use AllocatorIfExists for MaterializeNewObject
835         https://bugs.webkit.org/show_bug.cgi?id=180189
836
837         Reviewed by Filip Pizlo.
838
839         I don't think anyone guarantees this allocator exists at this phase.
840         And nullptr allocator just works here. We change AllocatorForMode
841         to AllocatorIfExists to accept nullptr for allocator.
842
843         * ftl/FTLLowerDFGToB3.cpp:
844         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
845
846 2017-11-30  Mark Lam  <mark.lam@apple.com>
847
848         Let's scramble MacroAssemblerCodePtr values.
849         https://bugs.webkit.org/show_bug.cgi?id=180169
850         <rdar://problem/35758340>
851
852         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
853
854         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
855
856         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
857            template argument type that will be used to cast the result.  This makes the
858            client code that uses these functions a little less verbose.
859
860         3. Change the code base in general to minimize passing void* code pointers around.
861            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
862            at the last moment when we need the underlying code pointer.
863
864         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
865            default.  I'm leaving them in because they are instrumental in finding bugs
866            where not all MacroAssemblerCodePtr values were scrambled as expected.
867            I expect them to be useful in the near future as we add more scrambling.
868
869         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
870            explicit casts to a boolean).  This ensures that clients will always explicitly
871            use scrambledBits() or executableAddress() to get a value based on which value
872            they actually need.
873
874         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
875            This was helpful when debugging tests that ran multiple VMs concurrently on
876            different threads.
877
878         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
879         CLoop).  It is not yet supported in 32-bit and Windows because we don't
880         currently have a way to read a global variable from their LLInt code.
881
882         * assembler/AbstractMacroAssembler.h:
883         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
884         (JSC::AbstractMacroAssembler::linkPointer):
885         * assembler/CodeLocation.h:
886         (JSC::CodeLocationCommon::instructionAtOffset):
887         (JSC::CodeLocationCommon::labelAtOffset):
888         (JSC::CodeLocationCommon::jumpAtOffset):
889         (JSC::CodeLocationCommon::callAtOffset):
890         (JSC::CodeLocationCommon::nearCallAtOffset):
891         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
892         (JSC::CodeLocationCommon::dataLabel32AtOffset):
893         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
894         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
895         * assembler/LinkBuffer.cpp:
896         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
897         * assembler/LinkBuffer.h:
898         (JSC::LinkBuffer::link):
899         (JSC::LinkBuffer::patch):
900         * assembler/MacroAssemblerCodeRef.cpp:
901         (JSC::MacroAssemblerCodePtr::initialize):
902         * assembler/MacroAssemblerCodeRef.h:
903         (JSC::FunctionPtr::FunctionPtr):
904         (JSC::FunctionPtr::value const):
905         (JSC::FunctionPtr::executableAddress const):
906         (JSC::ReturnAddressPtr::ReturnAddressPtr):
907         (JSC::ReturnAddressPtr::value const):
908         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
909         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
910         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
911         (JSC::MacroAssemblerCodePtr:: const):
912         (JSC::MacroAssemblerCodePtr::operator! const):
913         (JSC::MacroAssemblerCodePtr::operator bool const):
914         (JSC::MacroAssemblerCodePtr::operator== const):
915         (JSC::MacroAssemblerCodePtr::hash const):
916         (JSC::MacroAssemblerCodePtr::emptyValue):
917         (JSC::MacroAssemblerCodePtr::deletedValue):
918         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
919         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
920         * b3/B3LowerMacros.cpp:
921         * b3/testb3.cpp:
922         (JSC::B3::testInterpreter):
923         * dfg/DFGDisassembler.cpp:
924         (JSC::DFG::Disassembler::dumpDisassembly):
925         * dfg/DFGJITCompiler.cpp:
926         (JSC::DFG::JITCompiler::link):
927         (JSC::DFG::JITCompiler::compileFunction):
928         * dfg/DFGOperations.cpp:
929         * dfg/DFGSpeculativeJIT.cpp:
930         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
931         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
932         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
933         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
934         * dfg/DFGSpeculativeJIT.h:
935         * disassembler/Disassembler.cpp:
936         (JSC::disassemble):
937         * disassembler/UDis86Disassembler.cpp:
938         (JSC::tryToDisassembleWithUDis86):
939         * ftl/FTLCompile.cpp:
940         (JSC::FTL::compile):
941         * ftl/FTLJITCode.cpp:
942         (JSC::FTL::JITCode::executableAddressAtOffset):
943         * ftl/FTLLink.cpp:
944         (JSC::FTL::link):
945         * ftl/FTLLowerDFGToB3.cpp:
946         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
947         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
948         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
949         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
950         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
951         * interpreter/InterpreterInlines.h:
952         (JSC::Interpreter::getOpcodeID):
953         * jit/JITArithmetic.cpp:
954         (JSC::JIT::emitMathICFast):
955         (JSC::JIT::emitMathICSlow):
956         * jit/JITCode.cpp:
957         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
958         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
959         (JSC::JITCodeWithCodeRef::offsetOf):
960         * jit/JITDisassembler.cpp:
961         (JSC::JITDisassembler::dumpDisassembly):
962         * jit/PCToCodeOriginMap.cpp:
963         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
964         * jit/Repatch.cpp:
965         (JSC::ftlThunkAwareRepatchCall):
966         * jit/ThunkGenerators.cpp:
967         (JSC::virtualThunkFor):
968         (JSC::boundThisNoArgsFunctionCallGenerator):
969         * llint/LLIntSlowPaths.cpp:
970         (JSC::LLInt::llint_trace_operand):
971         (JSC::LLInt::llint_trace_value):
972         (JSC::LLInt::handleHostCall):
973         (JSC::LLInt::setUpCall):
974         * llint/LowLevelInterpreter64.asm:
975         * offlineasm/cloop.rb:
976         * runtime/InitializeThreading.cpp:
977         (JSC::initializeThreading):
978         * wasm/WasmBBQPlan.cpp:
979         (JSC::Wasm::BBQPlan::complete):
980         * wasm/WasmCallee.h:
981         (JSC::Wasm::Callee::entrypoint const):
982         * wasm/WasmCodeBlock.cpp:
983         (JSC::Wasm::CodeBlock::CodeBlock):
984         * wasm/WasmOMGPlan.cpp:
985         (JSC::Wasm::OMGPlan::work):
986         * wasm/js/WasmToJS.cpp:
987         (JSC::Wasm::wasmToJS):
988         * wasm/js/WebAssemblyFunction.cpp:
989         (JSC::callWebAssemblyFunction):
990         * wasm/js/WebAssemblyFunction.h:
991         * wasm/js/WebAssemblyWrapperFunction.cpp:
992         (JSC::WebAssemblyWrapperFunction::create):
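Added example (my own simplified model, not JSC's MacroAssemblerCodePtr or WTF's ScrambledPtr) of the API discipline points 1, 2 and 5 above describe: the stored word is never the raw code address, the only way out is an explicit executableAddress<T>() with a caller-chosen type, and there is no implicit conversion apart from an explicit bool test. The XOR key, the class name and the addInts stand-in are assumptions made for the illustration; JSC's real key derivation and scrambling are not reproduced.

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <type_traits>

// Constructed example: a process-wide secret. JSC derives its key at startup;
// a fixed constant is used here so the example is deterministic.
static const uintptr_t kScrambleKey = static_cast<uintptr_t>(0x5A5A1234ABCDEF01ull);

class ScrambledCodePtr {
public:
    ScrambledCodePtr() = default;

    static ScrambledCodePtr createFromExecutableAddress(void* address)
    {
        ScrambledCodePtr result;
        result.m_value = scramble(reinterpret_cast<uintptr_t>(address));
        return result;
    }

    // Descramble only at the point of use, and make the caller name the type.
    template<typename T = void*>
    T executableAddress() const { return reinterpret_cast<T>(descramble(m_value)); }

    // The scrambled representation itself, for hashing, comparison and logging.
    uintptr_t scrambledBits() const { return m_value; }

    // No implicit conversion to a raw pointer: only an explicit bool test is allowed.
    explicit operator bool() const { return m_value != 0; }
    bool operator!() const { return !m_value; }
    bool operator==(const ScrambledCodePtr& other) const { return m_value == other.m_value; }
    size_t hash() const { return std::hash<uintptr_t>()(m_value); }

private:
    // Null stays null so a default-constructed value is falsy; every other
    // value is XORed with the key and never stored in the clear.
    static uintptr_t scramble(uintptr_t raw) { return raw ? raw ^ kScrambleKey : 0; }
    static uintptr_t descramble(uintptr_t scrambled) { return scrambled ? scrambled ^ kScrambleKey : 0; }

    uintptr_t m_value = 0;
};

// The absence of a conversion operator is what forces explicit descrambling.
static_assert(!std::is_convertible<ScrambledCodePtr, void*>::value,
    "ScrambledCodePtr must not convert implicitly to a raw pointer");

// A stand-in for a JIT entry point.
int addInts(int a, int b) { return a + b; }
using BinaryOp = int (*)(int, int);

ScrambledCodePtr scrambledAddInts()
{
    return ScrambledCodePtr::createFromExecutableAddress(reinterpret_cast<void*>(&addInts));
}

// Callers go through executableAddress<T>() with the exact function type.
int callThroughScrambledPtr(int a, int b)
{
    return scrambledAddInts().executableAddress<BinaryOp>()(a, b);
}

// What sits in memory is not the code address.
bool storedBitsDifferFromRawAddress()
{
    return scrambledAddInts().scrambledBits() != reinterpret_cast<uintptr_t>(&addInts);
}
```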
993
994 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
995
996         [JSC] Remove easy toRemove & map.remove() use
997         https://bugs.webkit.org/show_bug.cgi?id=180208
998
999         Reviewed by Mark Lam.
1000
1001         In this patch, we replace the Vector<> toRemove & map.remove() loop with removeIf,
1002         to optimize this common pattern. This patch only modifies the apparent ones.
1003         But we can apply this refactoring further to the OAS phase in the future.
1004
1005         * b3/B3MoveConstants.cpp:
1006         * dfg/DFGArgumentsEliminationPhase.cpp:
1007         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1008         * wasm/WasmSignature.cpp:
1009         (JSC::Wasm::SignatureInformation::tryCleanup):
1010
1011 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1012
1013         [JSC] Use getEffectiveAddress more in JSC
1014         https://bugs.webkit.org/show_bug.cgi?id=180154
1015
1016         Reviewed by Mark Lam.
1017
1018         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
1019         And we also add a MacroAssembler::negPtr(src, dest) variation.
1020
1021         * assembler/MacroAssembler.h:
1022         (JSC::MacroAssembler::negPtr):
1023         * assembler/MacroAssemblerARM.h:
1024         (JSC::MacroAssemblerARM::neg32):
1025         * assembler/MacroAssemblerARM64.h:
1026         (JSC::MacroAssemblerARM64::neg32):
1027         (JSC::MacroAssemblerARM64::neg64):
1028         * assembler/MacroAssemblerARMv7.h:
1029         (JSC::MacroAssemblerARMv7::neg32):
1030         * assembler/MacroAssemblerMIPS.h:
1031         (JSC::MacroAssemblerMIPS::neg32):
1032         * assembler/MacroAssemblerX86Common.h:
1033         (JSC::MacroAssemblerX86Common::neg32):
1034         * assembler/MacroAssemblerX86_64.h:
1035         (JSC::MacroAssemblerX86_64::neg64):
1036         * dfg/DFGThunks.cpp:
1037         (JSC::DFG::osrEntryThunkGenerator):
1038         * ftl/FTLLowerDFGToB3.cpp:
1039         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1040         * jit/SetupVarargsFrame.cpp:
1041         (JSC::emitSetVarargsFrame):
1042
1043 2017-11-30  Mark Lam  <mark.lam@apple.com>
1044
1045         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1046         https://bugs.webkit.org/show_bug.cgi?id=180219
1047         <rdar://problem/35696536>
1048
1049         Reviewed by Filip Pizlo.
1050
1051         * jsc.cpp:
1052         (functionFlashHeapAccess):
1053
1054 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1055
1056         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1057         https://bugs.webkit.org/show_bug.cgi?id=180190
1058
1059         Reviewed by Mark Lam.
1060
1061         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
1062         path by calling operationHasIndexedProperty. The problem is that
1063         operationHasIndexedProperty does not account for a negative index. The negative index
1064         was used as a uint32 array index.
1065
1066         In this patch we add a path for negative indices in operationHasIndexedProperty.
1067         And rename it to operationHasIndexedPropertyByInt to make the intention clear.
1068         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
1069         since it is only used in DFG and FTL.
1070
1071         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
1072         This causes repeated OSR exits and significantly regresses performance. We opened
1073         a bug to track this issue [1].
1074
1075         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
1076
1077         * dfg/DFGOperations.cpp:
1078         * dfg/DFGOperations.h:
1079         * dfg/DFGSpeculativeJIT32_64.cpp:
1080         (JSC::DFG::SpeculativeJIT::compile):
1081         * dfg/DFGSpeculativeJIT64.cpp:
1082         (JSC::DFG::SpeculativeJIT::compile):
1083         * ftl/FTLLowerDFGToB3.cpp:
1084         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1085         * jit/JITOperations.cpp:
1086         * jit/JITOperations.h:
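Added illustration (a constructed stand-in, not JSC's code) of the bug this entry fixes: an int32 index handed to a uint32 parameter turns -1 into 4294967295, so the property is never found, while the corrected entry point gives negative indices their own path. That the negative path falls back to a named-property lookup under the index's string form is my assumption about the fix's intent; the ChangeLog only says a path for negative indices was added.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a JS object: dense indexed storage plus named
// properties. In JS, obj[-1] is the named property "-1", never an array index.
struct ToyObject {
    std::vector<int> indexed;          // butterfly-like dense storage
    std::map<std::string, int> named;  // property "-1" lives here
};

bool hasIndexedProperty(const ToyObject& obj, uint32_t index)
{
    return index < obj.indexed.size();
}

bool hasNamedProperty(const ToyObject& obj, const std::string& name)
{
    return obj.named.count(name) != 0;
}

// The conversion at the heart of the bug, exposed so it can be checked.
uint32_t asUnsignedIndex(int32_t index)
{
    return static_cast<uint32_t>(index);
}

// Before: the int32 index goes straight into the uint32 fast path. -1 becomes
// 4294967295, which is never in bounds, so "-1" is reported as absent.
bool hasIndexedPropertyBuggy(const ToyObject& obj, int32_t index)
{
    return hasIndexedProperty(obj, asUnsignedIndex(index));
}

// After: negative indices leave the indexed fast path and are looked up as a
// named property (assumed fallback; see the lead-in).
bool hasIndexedPropertyByInt(const ToyObject& obj, int32_t index)
{
    if (index < 0)
        return hasNamedProperty(obj, std::to_string(index));
    return hasIndexedProperty(obj, asUnsignedIndex(index));
}

// Sample object: `obj = [10, 20, 30]; obj[-1] = 42;` in JS terms.
ToyObject sampleObject()
{
    ToyObject obj;
    obj.indexed = { 10, 20, 30 };
    obj.named["-1"] = 42;
    return obj;
}
```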
1087
1088 2017-11-30  Michael Saboff  <msaboff@apple.com>
1089
1090         Allow JSC command line tool to accept UTF8
1091         https://bugs.webkit.org/show_bug.cgi?id=180205
1092
1093         Reviewed by Keith Miller.
1094
1095         This unifies the UTF8 handling of interactive mode with that of source files.
1096
1097         * jsc.cpp:
1098         (runInteractive):
1099
1100 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1101
1102         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
1103         https://bugs.webkit.org/show_bug.cgi?id=180185
1104
1105         Reviewed by Carlos Garcia Campos.
1106
1107         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
1108         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
1109         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
1110         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But a MakeRope
1111         DFG node can be emitted if we see that an untaken path includes String + String code.
1112
1113         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
1114         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
1115         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
1116         original code used before r225314.
1117
1118         * dfg/DFGSpeculativeJIT.cpp:
1119         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1120         * ftl/FTLLowerDFGToB3.cpp:
1121         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1122
1123 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
1124
1125         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
1126         https://bugs.webkit.org/show_bug.cgi?id=180108
1127
1128         Reviewed by Saam Barati.
1129         
1130         This was creating a vector of things to remove and then removing them. I think I remember writing
1131         this code, and I did that because at the time we did not have removeAllMatching, which is
1132         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
1133         obvious improvement before I did more fundamental things to this code.
1134
1135         * heap/CodeBlockSet.cpp:
1136         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1137
1138 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
1139
1140         GC should support isoheaps
1141         https://bugs.webkit.org/show_bug.cgi?id=179288
1142
1143         Reviewed by Saam Barati.
1144         
1145         This expands the power of the Subspace API in JSC:
1146         
1147         - Everything associated with describing the types of objects is now part of the HeapCellType class.
1148           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
1149           HeapCellType; these are orthogonal things.
1150         
1151         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
1152           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
1153           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
1154           pages but releases the physical pages as part of the respective allocator's scavenging policy
1155           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
1156           IsoSubspace).
1157         
1158         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
1159         for more things.
1160         
1161         This does not have any effect on JetStream (0.18% faster with p = 0.69).
1162
1163         * JavaScriptCore.xcodeproj/project.pbxproj:
1164         * Sources.txt:
1165         * bytecode/AccessCase.cpp:
1166         (JSC::AccessCase::generateImpl):
1167         * bytecode/ObjectAllocationProfileInlines.h:
1168         (JSC::ObjectAllocationProfile::initializeProfile):
1169         * dfg/DFGSpeculativeJIT.cpp:
1170         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1171         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1172         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1173         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1174         * dfg/DFGSpeculativeJIT64.cpp:
1175         (JSC::DFG::SpeculativeJIT::compile):
1176         * ftl/FTLAbstractHeapRepository.h:
1177         * ftl/FTLLowerDFGToB3.cpp:
1178         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1179         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1180         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1181         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1182         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1183         * heap/AlignedMemoryAllocator.cpp:
1184         (JSC::AlignedMemoryAllocator::registerAllocator):
1185         (JSC::AlignedMemoryAllocator::registerSubspace):
1186         * heap/AlignedMemoryAllocator.h:
1187         (JSC::AlignedMemoryAllocator::firstAllocator const):
1188         * heap/AllocationFailureMode.h: Added.
1189         * heap/CompleteSubspace.cpp: Added.
1190         (JSC::CompleteSubspace::CompleteSubspace):
1191         (JSC::CompleteSubspace::~CompleteSubspace):
1192         (JSC::CompleteSubspace::allocatorFor):
1193         (JSC::CompleteSubspace::allocate):
1194         (JSC::CompleteSubspace::allocateNonVirtual):
1195         (JSC::CompleteSubspace::allocatorForSlow):
1196         (JSC::CompleteSubspace::allocateSlow):
1197         (JSC::CompleteSubspace::tryAllocateSlow):
1198         * heap/CompleteSubspace.h: Added.
1199         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
1200         (JSC::CompleteSubspace::allocatorForSizeStep):
1201         (JSC::CompleteSubspace::allocatorForNonVirtual):
1202         * heap/HeapCellType.cpp: Added.
1203         (JSC::HeapCellType::HeapCellType):
1204         (JSC::HeapCellType::~HeapCellType):
1205         (JSC::HeapCellType::finishSweep):
1206         (JSC::HeapCellType::destroy):
1207         * heap/HeapCellType.h: Added.
1208         (JSC::HeapCellType::attributes const):
1209         * heap/IsoAlignedMemoryAllocator.cpp: Added.
1210         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
1211         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1212         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1213         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
1214         (JSC::IsoAlignedMemoryAllocator::dump const):
1215         * heap/IsoAlignedMemoryAllocator.h: Added.
1216         * heap/IsoSubspace.cpp: Added.
1217         (JSC::IsoSubspace::IsoSubspace):
1218         (JSC::IsoSubspace::~IsoSubspace):
1219         (JSC::IsoSubspace::allocatorFor):
1220         (JSC::IsoSubspace::allocatorForNonVirtual):
1221         (JSC::IsoSubspace::allocate):
1222         (JSC::IsoSubspace::allocateNonVirtual):
1223         * heap/IsoSubspace.h: Added.
1224         (JSC::IsoSubspace::size const):
1225         * heap/MarkedAllocator.cpp:
1226         (JSC::MarkedAllocator::MarkedAllocator):
1227         (JSC::MarkedAllocator::setSubspace):
1228         (JSC::MarkedAllocator::allocateSlowCase):
1229         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
1230         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
1231         * heap/MarkedAllocator.h:
1232         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
1233         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
1234         * heap/MarkedAllocatorInlines.h:
1235         (JSC::MarkedAllocator::allocate):
1236         (JSC::MarkedAllocator::tryAllocate): Deleted.
1237         * heap/MarkedBlock.h:
1238         * heap/MarkedBlockInlines.h:
1239         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
1240         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
1241         * heap/MarkedSpace.cpp:
1242         (JSC::MarkedSpace::addMarkedAllocator):
1243         * heap/MarkedSpace.h:
1244         * heap/Subspace.cpp:
1245         (JSC::Subspace::Subspace):
1246         (JSC::Subspace::initialize):
1247         (JSC::Subspace::finishSweep):
1248         (JSC::Subspace::destroy):
1249         (JSC::Subspace::prepareForAllocation):
1250         (JSC::Subspace::findEmptyBlockToSteal):
1251         (): Deleted.
1252         (JSC::Subspace::allocate): Deleted.
1253         (JSC::Subspace::tryAllocate): Deleted.
1254         (JSC::Subspace::allocatorForSlow): Deleted.
1255         (JSC::Subspace::allocateSlow): Deleted.
1256         (JSC::Subspace::tryAllocateSlow): Deleted.
1257         (JSC::Subspace::didAllocate): Deleted.
1258         * heap/Subspace.h:
1259         (JSC::Subspace::heapCellType const):
1260         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
1261         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
1262         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
1263         (JSC::Subspace::allocatorForSizeStep): Deleted.
1264         (JSC::Subspace::tryAllocatorFor): Deleted.
1265         (JSC::Subspace::allocatorFor): Deleted.
1266         * jit/AssemblyHelpers.h:
1267         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1268         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1269         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1270         * jit/JITOpcodes.cpp:
1271         (JSC::JIT::emit_op_new_object):
1272         * runtime/ButterflyInlines.h:
1273         (JSC::Butterfly::createUninitialized):
1274         (JSC::Butterfly::tryCreate):
1275         (JSC::Butterfly::growArrayRight):
1276         * runtime/DirectArguments.cpp:
1277         (JSC::DirectArguments::overrideThings):
1278         * runtime/DirectArguments.h:
1279         (JSC::DirectArguments::subspaceFor):
1280         * runtime/DirectEvalExecutable.h:
1281         * runtime/EvalExecutable.h:
1282         * runtime/ExecutableBase.h:
1283         (JSC::ExecutableBase::subspaceFor):
1284         * runtime/FunctionExecutable.h:
1285         * runtime/GenericArgumentsInlines.h:
1286         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1287         * runtime/HashMapImpl.h:
1288         (JSC::HashMapBuffer::create):
1289         * runtime/IndirectEvalExecutable.h:
1290         * runtime/JSArray.cpp:
1291         (JSC::JSArray::tryCreateUninitializedRestricted):
1292         (JSC::JSArray::unshiftCountSlowCase):
1293         * runtime/JSArray.h:
1294         (JSC::JSArray::tryCreate):
1295         * runtime/JSArrayBufferView.cpp:
1296         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1297         * runtime/JSCell.h:
1298         (JSC::subspaceFor):
1299         * runtime/JSCellInlines.h:
1300         (JSC::JSCell::subspaceFor):
1301         (JSC::tryAllocateCellHelper):
1302         (JSC::allocateCell):
1303         (JSC::tryAllocateCell):
1304         * runtime/JSDestructibleObject.h:
1305         (JSC::JSDestructibleObject::subspaceFor):
1306         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
1307         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
1308         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
1309         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
1310         (JSC::JSDestructibleObjectHeapCellType::destroy):
1311         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
1312         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
1313         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
1314         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
1315         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
1316         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
1317         * runtime/JSDestructibleObjectSubspace.h: Removed.
1318         * runtime/JSLexicalEnvironment.h:
1319         (JSC::JSLexicalEnvironment::subspaceFor):
1320         * runtime/JSSegmentedVariableObject.h:
1321         (JSC::JSSegmentedVariableObject::subspaceFor):
1322         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
1323         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
1324         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
1325         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
1326         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
1327         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
1328         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
1329         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
1330         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
1331         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
1332         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
1333         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
1334         * runtime/JSString.h:
1335         (JSC::JSString::subspaceFor):
1336         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
1337         (JSC::JSStringHeapCellType::JSStringHeapCellType):
1338         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
1339         (JSC::JSStringHeapCellType::finishSweep):
1340         (JSC::JSStringHeapCellType::destroy):
1341         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
1342         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
1343         (JSC::JSStringSubspace::finishSweep): Deleted.
1344         (JSC::JSStringSubspace::destroy): Deleted.
1345         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
1346         * runtime/JSStringSubspace.cpp: Removed.
1347         * runtime/JSStringSubspace.h: Removed.
1348         * runtime/ModuleProgramExecutable.h:
1349         * runtime/NativeExecutable.h:
1350         * runtime/ProgramExecutable.h:
1351         * runtime/RegExpMatchesArray.h:
1352         (JSC::tryCreateUninitializedRegExpMatchesArray):
1353         * runtime/ScopedArguments.h:
1354         (JSC::ScopedArguments::subspaceFor):
1355         * runtime/VM.cpp:
1356         (JSC::VM::VM):
1357         * runtime/VM.h:
1358         (JSC::VM::gigacageAuxiliarySpace):
1359         * wasm/js/JSWebAssemblyCodeBlock.h:
1360         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
1361         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
1362         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
1363         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
1364         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
1365         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
1366         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
1367         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
1368         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
1369         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
1370         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
1371         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
1372         * wasm/js/JSWebAssemblyMemory.h:
1373         (JSC::JSWebAssemblyMemory::subspaceFor):
1374
1375 2017-11-29  Saam Barati  <sbarati@apple.com>
1376
1377         Remove pointer caging for double arrays
1378         https://bugs.webkit.org/show_bug.cgi?id=180163
1379
1380         Reviewed by Mark Lam.
1381
1382         This patch removes pointer caging from double arrays. Like
1383         my previous removals of pointer caging, this is a security vs
1384         performance tradeoff. We believe that butterflies being allocated
1385         in the cage and with a 32GB runway gives us enough security that
1386         pointer caging the butterfly just for double arrays does not add
1387         enough security benefit for the performance hit it incurs.
1388         
1389         This patch also removes the GetButterflyWithoutCaging node and
1390         the FixedButterflyAccessUncaging phase. The node is no longer needed
1391         because now all GetButterfly nodes are not caged. The phase is removed
1392         since we no longer have two nodes.
1393
1394         * dfg/DFGAbstractInterpreterInlines.h:
1395         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1396         * dfg/DFGArgumentsEliminationPhase.cpp:
1397         * dfg/DFGClobberize.h:
1398         (JSC::DFG::clobberize):
1399         * dfg/DFGDoesGC.cpp:
1400         (JSC::DFG::doesGC):
1401         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
1402         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
1403         * dfg/DFGFixupPhase.cpp:
1404         (JSC::DFG::FixupPhase::fixupNode):
1405         * dfg/DFGHeapLocation.cpp:
1406         (WTF::printInternal):
1407         * dfg/DFGHeapLocation.h:
1408         * dfg/DFGNodeType.h:
1409         * dfg/DFGPlan.cpp:
1410         (JSC::DFG::Plan::compileInThreadImpl):
1411         * dfg/DFGPredictionPropagationPhase.cpp:
1412         * dfg/DFGSafeToExecute.h:
1413         (JSC::DFG::safeToExecute):
1414         * dfg/DFGSpeculativeJIT.cpp:
1415         (JSC::DFG::SpeculativeJIT::compileSpread):
1416         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1417         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1418         * dfg/DFGSpeculativeJIT32_64.cpp:
1419         (JSC::DFG::SpeculativeJIT::compile):
1420         * dfg/DFGSpeculativeJIT64.cpp:
1421         (JSC::DFG::SpeculativeJIT::compile):
1422         * dfg/DFGTypeCheckHoistingPhase.cpp:
1423         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1424         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1425         * ftl/FTLCapabilities.cpp:
1426         (JSC::FTL::canCompile):
1427         * ftl/FTLLowerDFGToB3.cpp:
1428         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1429         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1430         * jit/JITPropertyAccess.cpp:
1431         (JSC::JIT::emitDoubleLoad):
1432         (JSC::JIT::emitGenericContiguousPutByVal):
1433         * runtime/Butterfly.h:
1434         (JSC::Butterfly::pointer):
1435         (JSC::Butterfly::contiguousDouble):
1436         (JSC::Butterfly::caged): Deleted.
1437         * runtime/ButterflyInlines.h:
1438         (JSC::Butterfly::createOrGrowPropertyStorage):
1439         * runtime/JSObject.cpp:
1440         (JSC::JSObject::ensureLengthSlow):
1441         (JSC::JSObject::reallocateAndShrinkButterfly):
1442
1443 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1444
1445         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1446         https://bugs.webkit.org/show_bug.cgi?id=175447
1447
1448         Reviewed by Carlos Alberto Lopez Perez.
1449
1450         This patch allows DFG JIT to be enabled on MIPS platforms.
1451
1452         * Sources.txt:
1453         * assembler/MIPSAssembler.h:
1454         (JSC::MIPSAssembler::lastSPRegister):
1455         (JSC::MIPSAssembler::numberOfSPRegisters):
1456         (JSC::MIPSAssembler::sprName):
1457         * assembler/MacroAssemblerMIPS.cpp: Added.
1458         (JSC::MacroAssembler::probe):
1459         * assembler/ProbeContext.cpp:
1460         (JSC::Probe::executeProbe):
1461         * assembler/ProbeContext.h:
1462         (JSC::Probe::CPUState::pc):
1463         * assembler/testmasm.cpp:
1464         (JSC::isSpecialGPR):
1465         (JSC::testProbePreservesGPRS):
1466         (JSC::testProbeModifiesStackPointer):
1467         (JSC::testProbeModifiesStackValues):
1468
1469 2017-11-29  Matt Lewis  <jlewis3@apple.com>
1470
1471         Unreviewed, rolling out r225286.
1472
1473         The source files within this patch have been marked as
1474         executable.
1475
1476         Reverted changeset:
1477
1478         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
1479         https://bugs.webkit.org/show_bug.cgi?id=175447
1480         https://trac.webkit.org/changeset/225286
1481
1482 2017-11-29  Alex Christensen  <achristensen@webkit.org>
1483
1484         Fix Mac CMake build.
1485
1486         * PlatformMac.cmake:
1487
1488 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1489
1490         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1491         https://bugs.webkit.org/show_bug.cgi?id=175447
1492
1493         Reviewed by Carlos Alberto Lopez Perez.
1494
1495         This patch allows DFG JIT to be enabled on MIPS platforms.
1496
1497         * Sources.txt:
1498         * assembler/MIPSAssembler.h:
1499         (JSC::MIPSAssembler::lastSPRegister):
1500         (JSC::MIPSAssembler::numberOfSPRegisters):
1501         (JSC::MIPSAssembler::sprName):
1502         * assembler/MacroAssemblerMIPS.cpp: Added.
1503         (JSC::MacroAssembler::probe):
1504         * assembler/ProbeContext.cpp:
1505         (JSC::Probe::executeProbe):
1506         * assembler/ProbeContext.h:
1507         (JSC::Probe::CPUState::pc):
1508         * assembler/testmasm.cpp:
1509         (JSC::isSpecialGPR):
1510         (JSC::testProbePreservesGPRS):
1511         (JSC::testProbeModifiesStackPointer):
1512         (JSC::testProbeModifiesStackValues):
1513
1514 2017-11-28  JF Bastien  <jfbastien@apple.com>
1515
1516         Strict and sloppy functions shouldn't share structure
1517         https://bugs.webkit.org/show_bug.cgi?id=180103
1518         <rdar://problem/35667847>
1519
1520         Reviewed by Saam Barati.
1521
1522         Sloppy and strict functions don't act the same when it comes to
1523         arguments, caller, and callee. Sharing a structure means that
1524         anything that is cached gets shared, and that's incorrect.
1525
1526         * dfg/DFGAbstractInterpreterInlines.h:
1527         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1528         * dfg/DFGSpeculativeJIT.cpp:
1529         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1530         * ftl/FTLLowerDFGToB3.cpp:
1531         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1532         * runtime/FunctionConstructor.cpp:
1533         (JSC::constructFunctionSkippingEvalEnabledCheck):
1534         * runtime/JSFunction.cpp:
1535         (JSC::JSFunction::create): the second ::create is always strict
1536         because it applies to native functions.
1537         * runtime/JSFunctionInlines.h:
1538         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1539         * runtime/JSGlobalObject.cpp:
1540         (JSC::JSGlobalObject::init):
1541         (JSC::JSGlobalObject::visitChildren):
1542         * runtime/JSGlobalObject.h:
1543         (JSC::JSGlobalObject::strictFunctionStructure const):
1544         (JSC::JSGlobalObject::sloppyFunctionStructure const):
1545         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
1546         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
1547         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
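
Added example, not WebKit code, illustrating the arguments/caller/callee differences the entry above cites as the reason strict and sloppy functions cannot share a Structure. The probe functions are built with the Function constructor (the probeBody, probe and compareModes names are mine) so the sloppy variant stays sloppy even when this file itself is strict.

```javascript
// Added example, not WebKit code: observable differences between a sloppy
// and a strict function of identical source. Anything a Structure caches
// about "arguments", "caller" or "callee" would be wrong for one of the
// two, which is why they must not share a Structure.

// Body shared by both probes. It reports whether arguments[0] aliases the
// parameter `a`, and whether reading arguments.callee throws.
const probeBody = `
  a = 42;
  let calleeThrows = false;
  try { void arguments.callee; } catch (e) { calleeThrows = e instanceof TypeError; }
  return { aliased: arguments[0] === 42, calleeThrows };
`;

// The Function constructor always yields a sloppy function unless the body
// opts in, so the sloppy probe stays sloppy even inside a strict module.
const sloppyProbe = new Function('a', probeBody);
const strictProbe = new Function('a', "'use strict';\n" + probeBody);

// Run one probe and also read the function's own `caller` property, which
// strict functions expose only through a throwing accessor.
function probe(fn) {
  const inner = fn(1);
  let callerThrows = false;
  try {
    void fn.caller;
  } catch (e) {
    callerThrows = e instanceof TypeError;
  }
  return { aliased: inner.aliased, calleeThrows: inner.calleeThrows, callerThrows };
}

// Same source text, two different behaviours: a cache keyed on a shared
// Structure could only be right for one of them.
function compareModes() {
  return { sloppy: probe(sloppyProbe), strict: probe(strictProbe) };
}

// Expected: sloppy -> aliased true,  calleeThrows false, callerThrows false
//           strict -> aliased false, calleeThrows true,  callerThrows true
```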
1548
1549 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1550
1551         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
1552         https://bugs.webkit.org/show_bug.cgi?id=180070
1553
1554         Reviewed by Saam Barati.
1555
1556         This patch adds getEffectiveAddress in all JIT platforms.
1557         This is an abstracted version of x86 lea.
1558
1559         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
1560
1561         * assembler/MacroAssemblerARM.h:
1562         (JSC::MacroAssemblerARM::getEffectiveAddress):
1563         * assembler/MacroAssemblerARM64.h:
1564         (JSC::MacroAssemblerARM64::getEffectiveAddress):
1565         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
1566         * assembler/MacroAssemblerARMv7.h:
1567         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
1568         * assembler/MacroAssemblerMIPS.h:
1569         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1570         * assembler/MacroAssemblerX86.h:
1571         (JSC::MacroAssemblerX86::getEffectiveAddress):
1572         * assembler/MacroAssemblerX86_64.h:
1573         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
1574         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
1575         * assembler/testmasm.cpp:
1576         (JSC::testGetEffectiveAddress):
1577         (JSC::run):
1578         * dfg/DFGSpeculativeJIT.cpp:
1579         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1580         * yarr/YarrJIT.cpp:
1581         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1582         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1583
1584 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1585
1586         The recursive tail call optimisation is wrong on closures
1587         https://bugs.webkit.org/show_bug.cgi?id=179835
1588
1589         Reviewed by Saam Barati.
1590
1591         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
1592         As a stopgap measure this patch just does not do the optimisation for closures.
1593
1594         * dfg/DFGByteCodeParser.cpp:
1595         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
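
Added example, not WebKit code, showing why checking only the callee's executable is insufficient: two closures of one function expression have identical source but different captured variables, so a tail call between them is not self-recursion. The makeStepper, alternatingSum and looksLikeSameFunction names are mine.

```javascript
// Added example, not WebKit code: two closures produced by the same
// function expression share one executable (identical source) but capture
// different variables. A tail call from one closure to the other is not a
// self-recursive call, so an optimisation keyed on the executable alone
// would re-enter the wrong captured scope.

function makeStepper(step) {
  // `step` and `link.next` are the captured variables; the executable of
  // `run` is the same for every closure makeStepper returns.
  const link = { next: null };
  const run = function (n, acc) {
    if (n === 0) return acc;
    return link.next(n - 1, acc + step); // tail call to a sibling closure
  };
  run.setNext = (fn) => { link.next = fn; };
  return run;
}

// Alternates between a +1 closure and a +10 closure for n steps.
function alternatingSum(n) {
  const plusOne = makeStepper(1);
  const plusTen = makeStepper(10);
  plusOne.setNext(plusTen);
  plusTen.setNext(plusOne);
  return plusOne(n, 0);
}

// What an executable-only comparison sees: the same source text, even
// though the closures are distinct objects with different captured state.
function looksLikeSameFunction() {
  const plusOne = makeStepper(1);
  const plusTen = makeStepper(10);
  return {
    sameSource: plusOne.toString() === plusTen.toString(),
    sameObject: plusOne === plusTen,
  };
}

// alternatingSum(4) -> 22 (1 + 10 + 1 + 10). If each tail call were
// treated as a jump back into the current closure, `step` would never
// change and the result would be 4 or 40 depending on the entry closure.
```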
1596
1597 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1598
1599         Web Inspector: Clean up Inspector classes to be more consistent about using fast malloc / noncopyable
1600         https://bugs.webkit.org/show_bug.cgi?id=180119
1601
1602         Reviewed by Devin Rousso.
1603
1604         * inspector/InjectedScriptManager.h:
1605         * inspector/JSGlobalObjectScriptDebugServer.h:
1606         * inspector/agents/InspectorHeapAgent.h:
1607         * inspector/agents/InspectorRuntimeAgent.h:
1608         * inspector/agents/InspectorScriptProfilerAgent.h:
1609         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1610
1611 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1612
1613         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
1614         https://bugs.webkit.org/show_bug.cgi?id=179642
1615         <rdar://problem/35517704>
1616
1617         Reviewed by Brian Burg.
1618
1619         * inspector/protocol/Network.json:
1620         Expose the NetworkAgent for a Service Worker inspector.
1621
1622 2017-11-28  Brian Burg  <bburg@apple.com>
1623
1624         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
1625         https://bugs.webkit.org/show_bug.cgi?id=179696
1626
1627         Reviewed by Timothy Hatcher.
1628
1629         * inspector/scripts/codegen/generate_objc_header.py:
1630         (ObjCHeaderGenerator._generate_type_interface):
1631         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1632         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1633         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
1634         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
1635         * inspector/scripts/codegen/objc_generator.py:
1636         (ObjCGenerator.protocol_type_for_raw_name):
1637         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1638         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
1639         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1640         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
1641         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
1642         (ObjCGenerator.objc_to_protocol_expression_for_member):
1643         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
1644         (ObjCGenerator.protocol_to_objc_expression_for_member):
1645         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
1646         (ObjCGenerator.objc_setter_method_for_member_internal):
1647         (ObjCGenerator.objc_getter_method_for_member_internal):
1648         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1649         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1650         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1651         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1652         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1653         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1654         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1655         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1656         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1657         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1658
1659 2017-11-27  JF Bastien  <jfbastien@apple.com>
1660
1661         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1662         https://bugs.webkit.org/show_bug.cgi?id=180051
1663         <rdar://problem/35614371>
1664
1665         Reviewed by Saam Barati.
1666
1667         Checking for int32 isn't sufficient when uint32 is expected
1668         afterwards. While we're here, also use Checked<>.
1669
1670         * dfg/DFGAbstractInterpreterInlines.h:
1671         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1672
1673 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1674
1675         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1676         https://bugs.webkit.org/show_bug.cgi?id=173793
1677
1678         Reviewed by Joseph Pecoraro.
1679
1680         Based on patch by Brian Burg.
1681
1682         * JavaScriptCore.xcodeproj/project.pbxproj:
1683         * Sources.txt:
1684         * bindings/ScriptValue.cpp:
1685         (Inspector::jsToInspectorValue):
1686         (Inspector::toInspectorValue):
1687         (Deprecated::ScriptValue::toInspectorValue const):
1688         * bindings/ScriptValue.h:
1689         * inspector/AsyncStackTrace.cpp:
1690         * inspector/ConsoleMessage.cpp:
1691         * inspector/ContentSearchUtilities.cpp:
1692         * inspector/DeprecatedInspectorValues.cpp: Added.
1693         * inspector/DeprecatedInspectorValues.h: Added.
1694         Keep the old symbols around in JavaScriptCore so that builds with the
1695         public iOS SDK continue to work. These older SDKs include a version of
1696         WebInspector.framework that expects to find InspectorArray and other
1697         symbols in JavaScriptCore.framework.
1698
1699         * inspector/InjectedScript.cpp:
1700         (Inspector::InjectedScript::getFunctionDetails):
1701         (Inspector::InjectedScript::functionDetails):
1702         (Inspector::InjectedScript::getPreview):
1703         (Inspector::InjectedScript::getProperties):
1704         (Inspector::InjectedScript::getDisplayableProperties):
1705         (Inspector::InjectedScript::getInternalProperties):
1706         (Inspector::InjectedScript::getCollectionEntries):
1707         (Inspector::InjectedScript::saveResult):
1708         (Inspector::InjectedScript::wrapCallFrames const):
1709         (Inspector::InjectedScript::wrapObject const):
1710         (Inspector::InjectedScript::wrapTable const):
1711         (Inspector::InjectedScript::previewValue const):
1712         (Inspector::InjectedScript::setExceptionValue):
1713         (Inspector::InjectedScript::clearExceptionValue):
1714         (Inspector::InjectedScript::inspectObject):
1715         (Inspector::InjectedScript::releaseObject):
1716         * inspector/InjectedScriptBase.cpp:
1717         (Inspector::InjectedScriptBase::makeCall):
1718         (Inspector::InjectedScriptBase::makeEvalCall):
1719         * inspector/InjectedScriptBase.h:
1720         * inspector/InjectedScriptManager.cpp:
1721         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1722         * inspector/InspectorBackendDispatcher.cpp:
1723         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1724         (Inspector::BackendDispatcher::dispatch):
1725         (Inspector::BackendDispatcher::sendResponse):
1726         (Inspector::BackendDispatcher::sendPendingErrors):
1727         (Inspector::BackendDispatcher::getPropertyValue):
1728         (Inspector::castToInteger):
1729         (Inspector::castToNumber):
1730         (Inspector::BackendDispatcher::getInteger):
1731         (Inspector::BackendDispatcher::getDouble):
1732         (Inspector::BackendDispatcher::getString):
1733         (Inspector::BackendDispatcher::getBoolean):
1734         (Inspector::BackendDispatcher::getObject):
1735         (Inspector::BackendDispatcher::getArray):
1736         (Inspector::BackendDispatcher::getValue):
1737         * inspector/InspectorBackendDispatcher.h:
1738         We need to keep around the sendResponse() variant with a parameter that
1739         has the InspectorObject type, as older WebInspector.framework versions
1740         expect this symbol to exist. Introduce a variant with arity 3 that can
1741         be used in TOT so as to avoid having two methods with the same name, arity, and
1742         different parameter types.
1743
1744         When system WebInspector.framework is updated, we can remove the legacy
1745         method variant that uses the InspectorObject type. At that point, we can
1746         transition TOT to use the 2-arity variant, and delete the 3-arity variant
1747         when system WebInspector.framework is updated once more to use the 2-arity one.
1748
1749         * inspector/InspectorProtocolTypes.h:
1750         (Inspector::Protocol::Array::openAccessors):
1751         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1752         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1753         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1754         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1755         * inspector/ScriptCallFrame.cpp:
1756         * inspector/ScriptCallStack.cpp:
1757         * inspector/agents/InspectorAgent.cpp:
1758         (Inspector::InspectorAgent::inspect):
1759         * inspector/agents/InspectorAgent.h:
1760         * inspector/agents/InspectorDebuggerAgent.cpp:
1761         (Inspector::buildAssertPauseReason):
1762         (Inspector::buildCSPViolationPauseReason):
1763         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1764         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1765         (Inspector::buildObjectForBreakpointCookie):
1766         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1767         (Inspector::parseLocation):
1768         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1769         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1770         (Inspector::InspectorDebuggerAgent::continueToLocation):
1771         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1772         (Inspector::InspectorDebuggerAgent::didParseSource):
1773         (Inspector::InspectorDebuggerAgent::breakProgram):
1774         * inspector/agents/InspectorDebuggerAgent.h:
1775         * inspector/agents/InspectorRuntimeAgent.cpp:
1776         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1777         (Inspector::InspectorRuntimeAgent::saveResult):
1778         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1779         * inspector/agents/InspectorRuntimeAgent.h:
1780         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1781         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1782         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1783         (CppBackendDispatcherImplementationGenerator.generate_output):
1784         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1785         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1786         (CppFrontendDispatcherHeaderGenerator.generate_output):
1787         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1788         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1789         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1790         (_generate_unchecked_setter_for_member):
1791         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1792         (CppProtocolTypesImplementationGenerator):
1793         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1794         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1795         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1796         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1797         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1798         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1799         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1800         * inspector/scripts/codegen/generate_objc_internal_header.py:
1801         (ObjCInternalHeaderGenerator.generate_output):
1802         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1803         (ObjCProtocolTypesImplementationGenerator.generate_output):
1804         * inspector/scripts/codegen/generator.py:
1805         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1806         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1807         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1808         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1809         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1810         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1811         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1812         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1813         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1814         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1815         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1816         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1817         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1818         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1819         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1820         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1821         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1822         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1823         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1824         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1825
1826 2017-11-28  Robin Morisset  <rmorisset@apple.com>
1827
1828         Support recursive tail call optimization for polymorphic calls
1829         https://bugs.webkit.org/show_bug.cgi?id=178390
1830
1831         Reviewed by Saam Barati.
1832
1833         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
1834         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
1835
1836         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
1837
1838         * dfg/DFGByteCodeParser.cpp:
1839         (JSC::DFG::ByteCodeParser::handleCall):
1840         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1841         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1842         (JSC::DFG::ByteCodeParser::inlineCall):
1843         (JSC::DFG::ByteCodeParser::handleCallVariant):
1844         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1845         (JSC::DFG::ByteCodeParser::getInliningBalance):
1846         (JSC::DFG::ByteCodeParser::handleInlining):
1847         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
1848
1849 2017-11-27  Saam Barati  <sbarati@apple.com>
1850
1851         Spread can escape when CreateRest does not
1852         https://bugs.webkit.org/show_bug.cgi?id=180057
1853         <rdar://problem/35676119>
1854
1855         Reviewed by JF Bastien.
1856
1857         We previously did not handle Spread(PhantomCreateRest) only because I did not
1858         think it was possible to generate this IR. I was wrong. We can generate
1859         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
1860         This IR is rare to generate since we normally don't PutStack(Spread) because
1861         the SetLocal almost always gets eliminated because of how our bytecode generates
1862         op_spread. However, there exists a test case showing it is possible. Supporting
1863         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
1864         the Validation rule for Spread.
1865
1866         * dfg/DFGOperations.cpp:
1867         * dfg/DFGOperations.h:
1868         * dfg/DFGValidate.cpp:
1869         * ftl/FTLLowerDFGToB3.cpp:
1870         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1871         * runtime/JSFixedArray.h:
1872         (JSC::JSFixedArray::tryCreate):
1873
1874 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
1875
1876         [CMake][Win] Conditionally select DLL CRT or static CRT
1877         https://bugs.webkit.org/show_bug.cgi?id=170594
1878
1879         Reviewed by Alex Christensen.
1880
1881         * shell/PlatformWin.cmake:
1882
1883 2017-11-27  Saam Barati  <sbarati@apple.com>
1884
1885         Having a bad time watchpoint firing during compilation revealed a racy assertion
1886         https://bugs.webkit.org/show_bug.cgi?id=180048
1887         <rdar://problem/35700009>
1888
1889         Reviewed by Mark Lam.
1890
1891         While a DFG compilation is watching the having a bad time watchpoint, it was
1892         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
1893         However, if the having a bad time watchpoint fires during the compilation,
1894         this particular structure will no longer have ArrayWithContiguous indexing type.
1895         This patch fixes this racy assertion to be aware that the watchpoint may fire
1896         during compilation.
1897
1898         * dfg/DFGSpeculativeJIT.cpp:
1899         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1900         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1901
1902 2017-11-27  Tim Horton  <timothy_horton@apple.com>
1903
1904         One too many zeroes in macOS version number in FeatureDefines
1905         https://bugs.webkit.org/show_bug.cgi?id=180011
1906
1907         Reviewed by Dan Bernstein.
1908
1909         * Configurations/FeatureDefines.xcconfig:
1910
1911 2017-11-27  Robin Morisset  <rmorisset@apple.com>
1912
1913         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
1914         https://bugs.webkit.org/show_bug.cgi?id=179821
1915
1916         Reviewed by Saam Barati.
1917
1918         * dfg/DFGSafeToExecute.h:
1919         (JSC::DFG::safeToExecute):
1920
1921 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1922
1923         [DFG] Add NormalizeMapKey DFG IR
1924         https://bugs.webkit.org/show_bug.cgi?id=179912
1925
1926         Reviewed by Saam Barati.
1927
        This patch introduces NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
        By separating this from MapHash and Map/Set related operations, we can perform CSE on it, and we
        do not need to call normalizeMapKey conservatively in DFG operations.
        This can reduce the slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
1932
1933         * dfg/DFGAbstractInterpreterInlines.h:
1934         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1935         * dfg/DFGByteCodeParser.cpp:
1936         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1937         * dfg/DFGClobberize.h:
1938         (JSC::DFG::clobberize):
1939         * dfg/DFGDoesGC.cpp:
1940         (JSC::DFG::doesGC):
1941         * dfg/DFGFixupPhase.cpp:
1942         (JSC::DFG::FixupPhase::fixupNode):
1943         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
1944         * dfg/DFGNodeType.h:
1945         * dfg/DFGOperations.cpp:
1946         * dfg/DFGPredictionPropagationPhase.cpp:
1947         * dfg/DFGSafeToExecute.h:
1948         (JSC::DFG::safeToExecute):
1949         * dfg/DFGSpeculativeJIT.cpp:
1950         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1951         * dfg/DFGSpeculativeJIT.h:
1952         * dfg/DFGSpeculativeJIT32_64.cpp:
1953         (JSC::DFG::SpeculativeJIT::compile):
1954         * dfg/DFGSpeculativeJIT64.cpp:
1955         (JSC::DFG::SpeculativeJIT::compile):
1956         * ftl/FTLCapabilities.cpp:
1957         (JSC::FTL::canCompile):
1958         * ftl/FTLLowerDFGToB3.cpp:
1959         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1960         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1961         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
1962         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1963         * runtime/HashMapImpl.h:
1964
1965 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1966
1967         [FTL] Support DeleteById and DeleteByVal
1968         https://bugs.webkit.org/show_bug.cgi?id=180022
1969
1970         Reviewed by Saam Barati.
1971
        We should increase the coverage of FTL. Even if the code includes DeleteById,
        it does not mean that the remaining part of the code should not be optimized in FTL.
        Right now, even CallEval and `with` scope are handled in FTL.
1975
1976         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
1977         code including them.
1978
1979         * ftl/FTLCapabilities.cpp:
1980         (JSC::FTL::canCompile):
1981         * ftl/FTLLowerDFGToB3.cpp:
1982         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1983         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
1984         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
1985
1986 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1987
1988         [DFG] Introduce {Set,Map,WeakMap}Fields
1989         https://bugs.webkit.org/show_bug.cgi?id=179925
1990
1991         Reviewed by Saam Barati.
1992
        SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
        writes readonly MiscFields, which are used by various nodes, and makes optimization
        conservative.
1996
1997         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
1998
1999         * dfg/DFGAbstractHeap.h:
2000         * dfg/DFGByteCodeParser.cpp:
2001         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2002         * dfg/DFGClobberize.h:
2003         (JSC::DFG::clobberize):
2004         * dfg/DFGHeapLocation.cpp:
2005         (WTF::printInternal):
2006         * dfg/DFGHeapLocation.h:
2007         * dfg/DFGNode.h:
2008         (JSC::DFG::Node::hasBucketOwnerType):
2009
2010 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2011
2012         [JSC] Remove JSStringBuilder
2013         https://bugs.webkit.org/show_bug.cgi?id=180016
2014
2015         Reviewed by Saam Barati.
2016
        JSStringBuilder is replaced with WTF::StringBuilder.
        This patch removes the remaining uses and drops JSStringBuilder.
2019
2020         * JavaScriptCore.xcodeproj/project.pbxproj:
2021         * runtime/ArrayPrototype.cpp:
2022         * runtime/AsyncFunctionPrototype.cpp:
2023         * runtime/AsyncGeneratorFunctionPrototype.cpp:
2024         * runtime/ErrorPrototype.cpp:
2025         * runtime/FunctionPrototype.cpp:
2026         * runtime/GeneratorFunctionPrototype.cpp:
2027         * runtime/JSGlobalObjectFunctions.cpp:
2028         (JSC::decode):
2029         (JSC::globalFuncEscape):
2030         * runtime/JSStringBuilder.h: Removed.
2031         * runtime/JSStringInlines.h:
2032         (JSC::jsMakeNontrivialString):
2033         * runtime/RegExpPrototype.cpp:
2034         * runtime/StringPrototype.cpp:
2035
2036 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2037
2038         [DFG] Remove GetLocalUnlinked
2039         https://bugs.webkit.org/show_bug.cgi?id=180017
2040
2041         Reviewed by Saam Barati.
2042
        Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
        This patch just removes it.
2045
2046         * dfg/DFGAbstractInterpreterInlines.h:
2047         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2048         * dfg/DFGClobberize.h:
2049         (JSC::DFG::clobberize):
2050         * dfg/DFGCommon.h:
2051         * dfg/DFGDoesGC.cpp:
2052         (JSC::DFG::doesGC):
2053         * dfg/DFGFixupPhase.cpp:
2054         (JSC::DFG::FixupPhase::fixupNode):
2055         * dfg/DFGGraph.cpp:
2056         (JSC::DFG::Graph::dump):
2057         * dfg/DFGNode.h:
2058         (JSC::DFG::Node::hasUnlinkedLocal):
2059         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
2060         (JSC::DFG::Node::convertToGetLocal): Deleted.
2061         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
2062         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
2063         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
2064         * dfg/DFGNodeType.h:
2065         * dfg/DFGPredictionPropagationPhase.cpp:
2066         * dfg/DFGSafeToExecute.h:
2067         (JSC::DFG::safeToExecute):
2068         * dfg/DFGSpeculativeJIT32_64.cpp:
2069         (JSC::DFG::SpeculativeJIT::compile):
2070         * dfg/DFGSpeculativeJIT64.cpp:
2071         (JSC::DFG::SpeculativeJIT::compile):
2072         * dfg/DFGStackLayoutPhase.cpp:
2073         (JSC::DFG::StackLayoutPhase::run):
2074         * dfg/DFGValidate.cpp:
2075
2076 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2077
2078         Make ArgList::data() private again when we can remove callWasmFunction().
2079         https://bugs.webkit.org/show_bug.cgi?id=168582
2080
2081         Reviewed by JF Bastien.
2082
2083         Make ArgList::data() private since we already removed callWasmFunction.
2084
2085         * runtime/ArgList.h:
2086
2087 2016-08-05  Darin Adler  <darin@apple.com>
2088
2089         Fix some minor problems in the StringImpl header
2090         https://bugs.webkit.org/show_bug.cgi?id=160630
2091
2092         Reviewed by Brent Fulgham.
2093
2094         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
2095         Yarr namespacing since we use "using namespace" in this file.
2096
2097 2017-11-24  Mark Lam  <mark.lam@apple.com>
2098
2099         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
2100         https://bugs.webkit.org/show_bug.cgi?id=179936
2101         <rdar://problem/35623998>
2102
2103         Reviewed by Saam Barati.
2104
2105         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
2106         See https://bugs.webkit.org/show_bug.cgi?id=179684.
2107
2108         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
2109         was allocating stack space to stash arguments (to be forwarded) and new frame
2110         info.  The location of this new stash space happens to lie beyond the top of frame
2111         of the tail call caller frame.  After stashing the arguments, the code proceeded
2112         to load the callee codeBlock.  This triggered an allocation, which in turn,
2113         triggered stack sanitization.  The CLoop stack sanitizer was relying on
2114         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
2115         that turned out to be inadequate.  As a result, part of the stashed data was
2116         zeroed out, and subsequently led to a crash.
2117
2118         This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
2119         1. JIT builds do stack sanitization in the LLInt code itself (different from the
2120            CLoop implementation), and the sanitizer there is aware of the true top of
2121            stack value (i.e. the stack pointer).
2122         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
2123            parallel stack is one condition necessary for reproducing this issue.
2124
2125         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
2126         every time before it calls out to native C++ code.  This also brings the CLoop's
2127         behavior closer to hardware behavior where we can know where the stack pointer
        is after calling from JS back into native C++ code, which makes it easier to
        reason about correctness.
2130
2131         Also simplified the various stack boundary calculations (removed the +1 and -1
2132         adjustments).  The CLoopStack bounds are now:
2133
2134             reservationTop(): the lowest reserved address that can be within stack bounds.
2135             m_commitTop: the lowest address within stack bounds that has been committed.
2136             lowAddress() aka m_end: the lowest stack address that JS code can use.
2137             m_lastStackPointer: cache of the last m_currentStackPointer value.
2138             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
2139             highAddress(): the highest address just beyond the bounds of the stack.
2140
2141         Also deleted some unneeded code.
2142
2143         * interpreter/CLoopStack.cpp:
2144         (JSC::CLoopStack::CLoopStack):
2145         (JSC::CLoopStack::gatherConservativeRoots):
2146         (JSC::CLoopStack::sanitizeStack):
2147         (JSC::CLoopStack::setSoftReservedZoneSize):
2148         * interpreter/CLoopStack.h:
2149         (JSC::CLoopStack::setCurrentStackPointer):
2150         (JSC::CLoopStack::lowAddress const):
2151
2152         (JSC::CLoopStack::baseOfStack const): Deleted.
2153         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
2154           Now, it has the exact same value as highAddress() and can be removed.
2155
2156         * interpreter/CLoopStackInlines.h:
2157         (JSC::CLoopStack::ensureCapacityFor):
2158         (JSC::CLoopStack::currentStackPointer):
2159         (JSC::CLoopStack::setCLoopStackLimit):
2160
2161         (JSC::CLoopStack::topOfFrameFor): Deleted.
2162         - Not needed.
2163
2164         (JSC::CLoopStack::topOfStack): Deleted.
2165         - Supplanted by currentStackPointer().
2166
2167         (JSC::CLoopStack::shrink): Deleted.
2168         - This is unused.
2169
2170         * llint/LowLevelInterpreter.cpp:
2171         (JSC::CLoop::execute):
        - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
          upon exiting the interpreter loop.
2174
2175         * offlineasm/cloop.rb:
2176         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
2177           call from JS into C++ code.
2178
2179         * tools/VMInspector.h:
2180         - Added some default argument values. These were being used while debugging this
2181           issue.
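
        The failure mode this entry describes, as an added model that is not JSC code: a
        downward-growing parallel stack whose sanitizer zeroes everything between its last
        low-water mark and what it believes is the top of the used stack. Slot indices, the
        frame layout, the stash size and every helper name are constructed for the illustration;
        only the two choices of "top" (frame->topOfFrame() versus a recorded stack pointer) follow
        the entry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a CLoop-style parallel stack. Not JSC code: lower slot
 * index means deeper in the stack, slots[STACK_SLOTS] plays highAddress(). */
#define STACK_SLOTS 64
#define STASH_SLOTS 8                          /* arguments stashed by the tail-call path */
#define STASH_MAGIC 0x5A5A5A5A5A5A5A5Aull      /* recognisable payload for the stash */

typedef struct {
    uint64_t slots[STACK_SLOTS];
    size_t lastStackPointer;     /* low-water mark already sanitized to (m_lastStackPointer) */
    size_t currentStackPointer;  /* recorded before calling into C++ (m_currentStackPointer) */
} ModelStack;

typedef struct {
    size_t topOfFrame;           /* lowest slot the frame itself accounts for */
} Frame;

static void modelStackInit(ModelStack* s) {
    memset(s, 0, sizeof *s);
    s->lastStackPointer = STACK_SLOTS;
    s->currentStackPointer = STACK_SLOTS;
}

/* Zero the region between the old low-water mark and `top`, then move the mark to `top`. */
static void zeroBelow(ModelStack* s, size_t top) {
    if (s->lastStackPointer < top)
        memset(&s->slots[s->lastStackPointer], 0, (top - s->lastStackPointer) * sizeof(uint64_t));
    s->lastStackPointer = top;
}

/* Pre-fix behaviour: trust frame->topOfFrame() as the top of the used stack. */
static void sanitizeUsingTopOfFrame(ModelStack* s, const Frame* frame) {
    zeroBelow(s, frame->topOfFrame);
}

/* Post-fix behaviour: trust the stack pointer recorded on the way out to native code. */
static void sanitizeUsingStackPointer(ModelStack* s) {
    zeroBelow(s, s->currentStackPointer);
}

/* Models op_tail_call_forward_arguments: stash arguments below the caller's top of frame,
 * then "load the callee codeBlock", whose allocation triggers stack sanitization.
 * Returns true if every stashed slot is still intact afterwards. */
bool stashSurvivesSanitize(bool recordStackPointer) {
    ModelStack stack;
    modelStackInit(&stack);

    /* An earlier, deeper call already pushed the low-water mark down to slot 16. */
    stack.lastStackPointer = 16;

    Frame caller = { .topOfFrame = 40 };                 /* caller frame owns slots 40..63 */
    size_t stashBase = caller.topOfFrame - STASH_SLOTS;  /* slots 32..39, beyond topOfFrame */
    for (size_t i = 0; i < STASH_SLOTS; i++)
        stack.slots[stashBase + i] = STASH_MAGIC;

    /* The fix: record the real stack pointer before calling out to C++. */
    if (recordStackPointer) {
        stack.currentStackPointer = stashBase;
        sanitizeUsingStackPointer(&stack);            /* zeroes slots 16..31 only */
    } else {
        sanitizeUsingTopOfFrame(&stack, &caller);     /* zeroes slots 16..39, stash included */
    }

    for (size_t i = 0; i < STASH_SLOTS; i++)
        if (stack.slots[stashBase + i] != STASH_MAGIC)
            return false;
    return true;
}

int main(void) {
    printf("sanitize via topOfFrame():          stash intact = %d\n", stashSurvivesSanitize(false));
    printf("sanitize via recorded stack pointer: stash intact = %d\n", stashSurvivesSanitize(true));
    return 0;
}
```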
2182
2183 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2184
2185         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
2186         https://bugs.webkit.org/show_bug.cgi?id=179923
2187
2188         Reviewed by Darin Adler.
2189
        We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
        So we can use it as a marker of a deleted bucket.

        This patch uses the empty key as the deleted flag, and drops the m_deleted field of HashMapBucket.
        It shrinks the size of HashMapBucket significantly.
2195
2196         * dfg/DFGSpeculativeJIT.cpp:
2197         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
2198         * ftl/FTLAbstractHeapRepository.h:
2199         * ftl/FTLLowerDFGToB3.cpp:
2200         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
2201         * runtime/HashMapImpl.h:
2202         (JSC::HashMapBucket::createSentinel):
        We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
        While the sentinel's deleted flag becomes false since the key is set, it is not a problem since the deleted
        flag of the sentinel bucket is not used.
2206
2207         (JSC::HashMapBucket::HashMapBucket):
2208         (JSC::HashMapBucket::deleted const):
2209         (JSC::HashMapBucket::makeDeleted):
2210         (JSC::HashMapImpl::remove):
2211         (JSC::HashMapImpl::clear):
2212         (JSC::HashMapImpl::setUpHeadAndTail):
2213         (JSC::HashMapImpl::addNormalizedInternal):
2214         (JSC::HashMapBucket::setDeleted): Deleted.
2215         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
2216         (): Deleted.
2217
2218 2017-11-24  Mark Lam  <mark.lam@apple.com>
2219
2220         Move unsafe jsc shell test functions to the $vm object.
2221         https://bugs.webkit.org/show_bug.cgi?id=179980
2222
2223         Reviewed by Yusuke Suzuki.
2224
2225         Also removed setElementRoot() which was not used.
2226
2227         * jsc.cpp:
2228         (GlobalObject::finishCreation):
2229         (WTF::Element::Element): Deleted.
2230         (WTF::Element::root const): Deleted.
2231         (WTF::Element::setRoot): Deleted.
2232         (WTF::Element::create): Deleted.
2233         (WTF::Element::visitChildren): Deleted.
2234         (WTF::Element::createStructure): Deleted.
2235         (WTF::Root::Root): Deleted.
2236         (WTF::Root::element): Deleted.
2237         (WTF::Root::setElement): Deleted.
2238         (WTF::Root::create): Deleted.
2239         (WTF::Root::createStructure): Deleted.
2240         (WTF::Root::visitChildren): Deleted.
2241         (WTF::ImpureGetter::ImpureGetter): Deleted.
2242         (WTF::ImpureGetter::createStructure): Deleted.
2243         (WTF::ImpureGetter::create): Deleted.
2244         (WTF::ImpureGetter::finishCreation): Deleted.
2245         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
2246         (WTF::ImpureGetter::visitChildren): Deleted.
2247         (WTF::ImpureGetter::setDelegate): Deleted.
2248         (WTF::CustomGetter::CustomGetter): Deleted.
2249         (WTF::CustomGetter::createStructure): Deleted.
2250         (WTF::CustomGetter::create): Deleted.
2251         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
2252         (WTF::CustomGetter::customGetter): Deleted.
2253         (WTF::CustomGetter::customGetterAcessor): Deleted.
2254         (WTF::RuntimeArray::create): Deleted.
2255         (WTF::RuntimeArray::~RuntimeArray): Deleted.
2256         (WTF::RuntimeArray::destroy): Deleted.
2257         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
2258         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
2259         (WTF::RuntimeArray::put): Deleted.
2260         (WTF::RuntimeArray::deleteProperty): Deleted.
2261         (WTF::RuntimeArray::getLength const): Deleted.
2262         (WTF::RuntimeArray::createPrototype): Deleted.
2263         (WTF::RuntimeArray::createStructure): Deleted.
2264         (WTF::RuntimeArray::finishCreation): Deleted.
2265         (WTF::RuntimeArray::RuntimeArray): Deleted.
2266         (WTF::RuntimeArray::lengthGetter): Deleted.
2267         (WTF::SimpleObject::SimpleObject): Deleted.
2268         (WTF::SimpleObject::create): Deleted.
2269         (WTF::SimpleObject::visitChildren): Deleted.
2270         (WTF::SimpleObject::createStructure): Deleted.
2271         (WTF::SimpleObject::hiddenValue): Deleted.
2272         (WTF::SimpleObject::setHiddenValue): Deleted.
2273         (WTF::DOMJITNode::DOMJITNode): Deleted.
2274         (WTF::DOMJITNode::createStructure): Deleted.
2275         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
2276         (WTF::DOMJITNode::create): Deleted.
2277         (WTF::DOMJITNode::value const): Deleted.
2278         (WTF::DOMJITNode::offsetOfValue): Deleted.
2279         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
2280         (WTF::DOMJITGetter::createStructure): Deleted.
2281         (WTF::DOMJITGetter::create): Deleted.
2282         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
2283         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
2284         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
2285         (WTF::DOMJITGetter::customGetter): Deleted.
2286         (WTF::DOMJITGetter::finishCreation): Deleted.
2287         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
2288         (WTF::DOMJITGetterComplex::createStructure): Deleted.
2289         (WTF::DOMJITGetterComplex::create): Deleted.
2290         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
2291         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
2292         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
2293         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
2294         (WTF::DOMJITGetterComplex::customGetter): Deleted.
2295         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
2296         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
2297         (WTF::DOMJITFunctionObject::createStructure): Deleted.
2298         (WTF::DOMJITFunctionObject::create): Deleted.
2299         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
2300         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
2301         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
2302         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
2303         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
2304         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
2305         (WTF::DOMJITCheckSubClassObject::create): Deleted.
2306         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
2307         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
2308         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
2309         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
2310         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
2311         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
2312         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
2313         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
2314         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
2315         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
2316         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
2317         (WTF::Element::handleOwner): Deleted.
2318         (WTF::Element::finishCreation): Deleted.
2319         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
2320         (JSTestCustomGetterSetter::create): Deleted.
2321         (JSTestCustomGetterSetter::createStructure): Deleted.
2322         (customGetAccessor): Deleted.
2323         (customGetValue): Deleted.
2324         (customSetAccessor): Deleted.
2325         (customSetValue): Deleted.
2326         (JSTestCustomGetterSetter::finishCreation): Deleted.
2327         (GlobalObject::addConstructableFunction): Deleted.
2328         (functionCreateRoot): Deleted.
2329         (functionCreateElement): Deleted.
2330         (functionGetElement): Deleted.
2331         (functionSetElementRoot): Deleted.
2332         (functionCreateSimpleObject): Deleted.
2333         (functionGetHiddenValue): Deleted.
2334         (functionSetHiddenValue): Deleted.
2335         (functionCreateProxy): Deleted.
2336         (functionCreateRuntimeArray): Deleted.
2337         (functionCreateImpureGetter): Deleted.
2338         (functionCreateCustomGetterObject): Deleted.
2339         (functionCreateDOMJITNodeObject): Deleted.
2340         (functionCreateDOMJITGetterObject): Deleted.
2341         (functionCreateDOMJITGetterComplexObject): Deleted.
2342         (functionCreateDOMJITFunctionObject): Deleted.
2343         (functionCreateDOMJITCheckSubClassObject): Deleted.
2344         (functionCreateDOMJITGetterBaseJSObject): Deleted.
2345         (functionSetImpureGetterDelegate): Deleted.
2346         (functionGetGetterSetter): Deleted.
2347         (functionShadowChickenFunctionsOnStack): Deleted.
2348         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
2349         (functionGlobalObjectForObject): Deleted.
2350         (functionLoadGetterFromGetterSetter): Deleted.
2351         (functionCreateCustomTestGetterSetter): Deleted.
2352         (functionAbort): Deleted.
2353         (functionFindTypeForExpression): Deleted.
2354         (functionReturnTypeFor): Deleted.
2355         (functionDumpBasicBlockExecutionRanges): Deleted.
2356         (functionHasBasicBlockExecuted): Deleted.
2357         (functionBasicBlockExecutionCount): Deleted.
2358         (functionEnableExceptionFuzz): Deleted.
2359         (functionCreateBuiltin): Deleted.
2360         * runtime/JSGlobalObject.cpp:
2361         (JSC::JSGlobalObject::init):
2362         * tools/JSDollarVM.cpp:
2363         (WTF::Element::Element):
2364         (WTF::Element::root const):
2365         (WTF::Element::setRoot):
2366         (WTF::Element::create):
2367         (WTF::Element::visitChildren):
2368         (WTF::Element::createStructure):
2369         (WTF::Root::Root):
2370         (WTF::Root::element):
2371         (WTF::Root::setElement):
2372         (WTF::Root::create):
2373         (WTF::Root::createStructure):
2374         (WTF::Root::visitChildren):
2375         (WTF::SimpleObject::SimpleObject):
2376         (WTF::SimpleObject::create):
2377         (WTF::SimpleObject::visitChildren):
2378         (WTF::SimpleObject::createStructure):
2379         (WTF::SimpleObject::hiddenValue):
2380         (WTF::SimpleObject::setHiddenValue):
2381         (WTF::ImpureGetter::ImpureGetter):
2382         (WTF::ImpureGetter::createStructure):
2383         (WTF::ImpureGetter::create):
2384         (WTF::ImpureGetter::finishCreation):
2385         (WTF::ImpureGetter::getOwnPropertySlot):
2386         (WTF::ImpureGetter::visitChildren):
2387         (WTF::ImpureGetter::setDelegate):
2388         (WTF::CustomGetter::CustomGetter):
2389         (WTF::CustomGetter::createStructure):
2390         (WTF::CustomGetter::create):
2391         (WTF::CustomGetter::getOwnPropertySlot):
2392         (WTF::CustomGetter::customGetter):
2393         (WTF::CustomGetter::customGetterAcessor):
2394         (WTF::RuntimeArray::create):
2395         (WTF::RuntimeArray::~RuntimeArray):
2396         (WTF::RuntimeArray::destroy):
2397         (WTF::RuntimeArray::getOwnPropertySlot):
2398         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
2399         (WTF::RuntimeArray::put):
2400         (WTF::RuntimeArray::deleteProperty):
2401         (WTF::RuntimeArray::getLength const):
2402         (WTF::RuntimeArray::createPrototype):
2403         (WTF::RuntimeArray::createStructure):
2404         (WTF::RuntimeArray::finishCreation):
2405         (WTF::RuntimeArray::RuntimeArray):
2406         (WTF::RuntimeArray::lengthGetter):
2407         (WTF::DOMJITNode::DOMJITNode):
2408         (WTF::DOMJITNode::createStructure):
2409         (WTF::DOMJITNode::checkSubClassSnippet):
2410         (WTF::DOMJITNode::create):
2411         (WTF::DOMJITNode::value const):
2412         (WTF::DOMJITNode::offsetOfValue):
2413         (WTF::DOMJITGetter::DOMJITGetter):
2414         (WTF::DOMJITGetter::createStructure):
2415         (WTF::DOMJITGetter::create):
2416         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2417         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2418         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2419         (WTF::DOMJITGetter::customGetter):
2420         (WTF::DOMJITGetter::finishCreation):
2421         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
2422         (WTF::DOMJITGetterComplex::createStructure):
2423         (WTF::DOMJITGetterComplex::create):
2424         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2425         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2426         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2427         (WTF::DOMJITGetterComplex::functionEnableException):
2428         (WTF::DOMJITGetterComplex::customGetter):
2429         (WTF::DOMJITGetterComplex::finishCreation):
2430         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
2431         (WTF::DOMJITFunctionObject::createStructure):
2432         (WTF::DOMJITFunctionObject::create):
2433         (WTF::DOMJITFunctionObject::safeFunction):
2434         (WTF::DOMJITFunctionObject::unsafeFunction):
2435         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2436         (WTF::DOMJITFunctionObject::finishCreation):
2437         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2438         (WTF::DOMJITCheckSubClassObject::createStructure):
2439         (WTF::DOMJITCheckSubClassObject::create):
2440         (WTF::DOMJITCheckSubClassObject::safeFunction):
2441         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2442         (WTF::DOMJITCheckSubClassObject::finishCreation):
2443         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2444         (WTF::DOMJITGetterBaseJSObject::createStructure):
2445         (WTF::DOMJITGetterBaseJSObject::create):
2446         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
2447         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2448         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2449         (WTF::DOMJITGetterBaseJSObject::customGetter):
2450         (WTF::DOMJITGetterBaseJSObject::finishCreation):
2451         (WTF::Message::releaseContents):
2452         (WTF::Message::index const):
2453         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2454         (WTF::JSTestCustomGetterSetter::create):
2455         (WTF::JSTestCustomGetterSetter::createStructure):
2456         (WTF::customGetAccessor):
2457         (WTF::customGetValue):
2458         (WTF::customSetAccessor):
2459         (WTF::customSetValue):
2460         (WTF::JSTestCustomGetterSetter::finishCreation):
2461         (WTF::Element::handleOwner):
2462         (WTF::Element::finishCreation):
2463         (JSC::functionCrash):
2464         (JSC::functionCreateProxy):
2465         (JSC::functionCreateRuntimeArray):
2466         (JSC::functionCreateImpureGetter):
2467         (JSC::functionCreateCustomGetterObject):
2468         (JSC::functionCreateDOMJITNodeObject):
2469         (JSC::functionCreateDOMJITGetterObject):
2470         (JSC::functionCreateDOMJITGetterComplexObject):
2471         (JSC::functionCreateDOMJITFunctionObject):
2472         (JSC::functionCreateDOMJITCheckSubClassObject):
2473         (JSC::functionCreateDOMJITGetterBaseJSObject):
2474         (JSC::functionSetImpureGetterDelegate):
2475         (JSC::functionCreateBuiltin):
2476         (JSC::functionCreateRoot):
2477         (JSC::functionCreateElement):
2478         (JSC::functionGetElement):
2479         (JSC::functionCreateSimpleObject):
2480         (JSC::functionGetHiddenValue):
2481         (JSC::functionSetHiddenValue):
2482         (JSC::functionShadowChickenFunctionsOnStack):
2483         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2484         (JSC::functionFindTypeForExpression):
2485         (JSC::functionReturnTypeFor):
2486         (JSC::functionDumpBasicBlockExecutionRanges):
2487         (JSC::functionHasBasicBlockExecuted):
2488         (JSC::functionBasicBlockExecutionCount):
2489         (JSC::functionEnableExceptionFuzz):
2490         (JSC::functionGlobalObjectForObject):
2491         (JSC::functionGetGetterSetter):
2492         (JSC::functionLoadGetterFromGetterSetter):
2493         (JSC::functionCreateCustomTestGetterSetter):
2494         (JSC::JSDollarVM::finishCreation):
2495         (JSC::JSDollarVM::addFunction):
2496         (JSC::JSDollarVM::addConstructibleFunction):
2497         * tools/JSDollarVM.h:
2498         (JSC::JSDollarVM::create):
2499
2500 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
2501
2502         Minor ArrayBufferView cleanup
2503         https://bugs.webkit.org/show_bug.cgi?id=179966
2504
2505         Reviewed by Darin Adler.

        Use void* for data pointers when we don't need to do offset math. Use const for
        source pointers.

        Prefer uint8_t* to char*.

        Add comments noting that the assertions should not be made release assertions
2513         as recommended by the style checker, since the point is to avoid the virtual byteLength()
2514         call in release.
2515
2516         * runtime/ArrayBufferView.h:
2517         (JSC::ArrayBufferView::setImpl):
2518         (JSC::ArrayBufferView::setRangeImpl):
2519         (JSC::ArrayBufferView::getRangeImpl):
2520         (JSC::ArrayBufferView::zeroRangeImpl):
2521
2522 2017-11-23  Darin Adler  <darin@apple.com>
2523
2524         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
2525         https://bugs.webkit.org/show_bug.cgi?id=179907
2526
2527         Reviewed by Sam Weinig.
2528
2529         * inspector/agents/InspectorDebuggerAgent.cpp:
2530         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
2531         defaults to that.
2532
2533         * runtime/StringPrototype.cpp:
2534         (JSC::stringIncludesImpl): Use String::find since there is no overload of
2535         String::contains that takes a start offset now that we removed the one that took a
2536         caseSensitive boolean. We can add one later if we like, but this should do for now.
2537
2538         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
2539         the StringImpl.h header because it is only used here.
2540
2541 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
2542
2543         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
2544         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
2545         
2546         Also name the argument to zeroRange() to 'count' since it's an item count.
2547
2548         * runtime/GenericTypedArrayView.h:
2549         (JSC::GenericTypedArrayView::zeroRange):
2550         (JSC::GenericTypedArrayView::getRange):
2551
2552 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
2553
2554         Allow for more efficient use of GenericTypedArrayView
2555         https://bugs.webkit.org/show_bug.cgi?id=179899
2556
2557         Reviewed by Sam Weinig.
2558         
2559         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
2560         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
2561         in a length.
2562
2563         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
2564         byteLength() calls.
2565         
2566         Renamed 'dataLength' to 'count' in setRange() to be clearer.
2567         
2568         Added setNative() for callers who don't need clamping of doubles.
2569
2570         * runtime/ArrayBufferView.h:
2571         (JSC::ArrayBufferView::setRangeImpl):
2572         (JSC::ArrayBufferView::getRangeImpl):
2573         * runtime/GenericTypedArrayView.h:
2574         (JSC::GenericTypedArrayView::setRange):
2575         (JSC::GenericTypedArrayView::setNative const):
2576         (JSC::GenericTypedArrayView::getRange):
2577         (JSC::GenericTypedArrayView::checkInboundData const):
2578         (JSC::GenericTypedArrayView::internalByteLength const):
2579
2580 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2581
2582         [DFG][FTL] Support MapSet / SetAdd intrinsics
2583         https://bugs.webkit.org/show_bug.cgi?id=179858
2584
2585         Reviewed by Saam Barati.
2586
2587         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
2588         By handling them as MapSet and SetAdd DFG nodes and decoupling
2589         MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
2590         remove duplicate MapHash calculation for the same key.
2591
2592         One story is *set-if-not-exists*.
2593
2594             if (!map.has(key))
2595                 map.set(key, value);
2596
2597         In the above code, both `has` and `set` require hash value for `key`.
2598         If we can change `set` to the series of DFG nodes:
2599
2600             1: MapHash(key)
2601             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
2602
2603         we can remove duplicate @1 produced by `has` operation.
2604
2605         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively.
2606
2607                                          baseline                  patched
2608
2609             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
2610             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
2611
2612         Microbenchmarks
2613
2614             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
2615
2616         * dfg/DFGAbstractInterpreterInlines.h:
2617         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2618         * dfg/DFGByteCodeParser.cpp:
2619         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2620         * dfg/DFGClobberize.h:
2621         (JSC::DFG::clobberize):
2622         * dfg/DFGDoesGC.cpp:
2623         (JSC::DFG::doesGC):
2624         * dfg/DFGFixupPhase.cpp:
2625         (JSC::DFG::FixupPhase::fixupNode):
2626         * dfg/DFGNodeType.h:
2627         * dfg/DFGOperations.cpp:
2628         * dfg/DFGOperations.h:
2629         * dfg/DFGPredictionPropagationPhase.cpp:
2630         * dfg/DFGSafeToExecute.h:
2631         (JSC::DFG::safeToExecute):
2632         * dfg/DFGSpeculativeJIT.cpp:
2633         (JSC::DFG::SpeculativeJIT::compileSetAdd):
2634         (JSC::DFG::SpeculativeJIT::compileMapSet):
2635         * dfg/DFGSpeculativeJIT.h:
2636         (JSC::DFG::SpeculativeJIT::callOperation):
2637         * dfg/DFGSpeculativeJIT32_64.cpp:
2638         (JSC::DFG::SpeculativeJIT::compile):
2639         * dfg/DFGSpeculativeJIT64.cpp:
2640         (JSC::DFG::SpeculativeJIT::compile):
2641         * ftl/FTLCapabilities.cpp:
2642         (JSC::FTL::canCompile):
2643         * ftl/FTLLowerDFGToB3.cpp:
2644         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2645         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2646         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2647         * jit/JITOperations.h:
2648         * runtime/HashMapImpl.h:
2649         (JSC::HashMapImpl::addNormalized):
2650         (JSC::HashMapImpl::addNormalizedInternal):
2651         * runtime/Intrinsic.cpp:
2652         (JSC::intrinsicName):
2653         * runtime/Intrinsic.h:
2654         * runtime/MapPrototype.cpp:
2655         (JSC::MapPrototype::finishCreation):
2656         * runtime/SetPrototype.cpp:
2657         (JSC::SetPrototype::finishCreation):
2658
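The entry above describes hoisting the hash computation out of `has`/`set` so one MapHash feeds both. The following is an added example, not JavaScriptCore code: a toy chained hash table with a "normalized" API (the `hasNormalized`/`addNormalized` names mirror the spirit of HashMapImpl::addNormalized but are assumptions, as is the FNV-1a key hash) whose hash counter makes the saving of the fused *set-if-not-exists* visible at the data-structure level.

```javascript
// Added example (not JSC code). Keys are compared with SameValueZero
// semantics (Object.is after folding -0 to 0); the "type:value" hash input
// keeps the number 1 and the string "1" distinct, as Map does.
class ToyMap {
  constructor() {
    this.buckets = new Map(); // hash -> array of [key, value] (chaining)
    this.hashCount = 0;       // number of times hash() ran
  }

  // Key normalization: -0 and 0 are the same key.
  normalizeKey(key) {
    return Object.is(key, -0) ? 0 : key;
  }

  // FNV-1a over "type:value"; instrumented so reuse can be measured.
  hash(key) {
    this.hashCount++;
    const s = typeof key + ':' + String(key);
    let h = 0x811c9dc5;
    for (let i = 0; i < s.length; i++) {
      h ^= s.charCodeAt(i);
      h = Math.imul(h, 0x01000193) >>> 0;
    }
    return h;
  }

  // "Normalized" operations take an already-normalized key and its hash.
  hasNormalized(key, hash) {
    const chain = this.buckets.get(hash);
    return chain !== undefined && chain.some(([k]) => Object.is(k, key));
  }

  getNormalized(key, hash) {
    const chain = this.buckets.get(hash);
    const entry = chain && chain.find(([k]) => Object.is(k, key));
    return entry ? entry[1] : undefined;
  }

  addNormalized(key, value, hash) {
    let chain = this.buckets.get(hash);
    if (chain === undefined) { chain = []; this.buckets.set(hash, chain); }
    const entry = chain.find(([k]) => Object.is(k, key));
    if (entry) entry[1] = value; else chain.push([key, value]);
  }

  // Public API: each call hashes the key once.
  has(key) { key = this.normalizeKey(key); return this.hasNormalized(key, this.hash(key)); }
  get(key) { key = this.normalizeKey(key); return this.getNormalized(key, this.hash(key)); }
  set(key, value) { key = this.normalizeKey(key); this.addNormalized(key, value, this.hash(key)); }

  // Naive set-if-not-exists: the key is hashed by has() and again by set().
  setIfAbsentNaive(key, value) {
    if (!this.has(key)) this.set(key, value);
  }

  // Fused form: hash once and feed both the lookup and the insert, which is
  // what splitting MapSet/SetAdd from MapHash lets the DFG do automatically.
  setIfAbsentFused(key, value) {
    key = this.normalizeKey(key);
    const h = this.hash(key);
    if (!this.hasNormalized(key, h)) this.addNormalized(key, value, h);
  }
}

// Runs one strategy over a constructed key sequence and reports hash() calls.
function countHashes(method, keys) {
  const m = new ToyMap();
  for (const k of keys) m[method](k, 1);
  return m.hashCount;
}

const sampleKeys = ['a', 'b', 'a', 1, '1', -0, 0]; // constructed input
console.log('naive:', countHashes('setIfAbsentNaive', sampleKeys),
            'fused:', countHashes('setIfAbsentFused', sampleKeys));
```

With the constructed sequence the naive loop hashes 12 times and the fused one 7 (one per key), the same duplicate work the DFG removes when `@1` from `has` is reused by `MapSet`.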
2659 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2660
2661         [JSC] Allow poly proto for intrinsic getters
2662         https://bugs.webkit.org/show_bug.cgi?id=179550
2663
2664         Reviewed by Saam Barati.
2665
2666         This patch allows intrinsic getters to accept poly proto.
2667         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
2668         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
2669         code for the poly proto case.
2670
2671         * bytecode/IntrinsicGetterAccessCase.cpp:
2672         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
2673         (JSC::IntrinsicGetterAccessCase::create):
2674         * bytecode/IntrinsicGetterAccessCase.h:
2675         * jit/IntrinsicEmitter.cpp:
2676         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
2677         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2678         * jit/Repatch.cpp:
2679         (JSC::tryCacheGetByID):
2680
2681 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
2682
2683         Detect __declspec within JSBase.h
2684         https://bugs.webkit.org/show_bug.cgi?id=179892
2685
2686         Reviewed by Darin Adler.
2687
2688         * API/JSBase.h:
2689
2690 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2691
2692         Remove unused TOUCH_ICON_LOADING feature flag
2693         https://bugs.webkit.org/show_bug.cgi?id=179873
2694
2695         Reviewed by Simon Fraser.
2696
2697         * Configurations/FeatureDefines.xcconfig:
2698
2699 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2700
2701         Add CPU(UNKNOWN) to cover all the unknown CPU types
2702         https://bugs.webkit.org/show_bug.cgi?id=179243
2703
2704         Reviewed by JF Bastien.
2705
2706         * CMakeLists.txt:
2707
2708 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2709
2710         Remove unused LEGACY_VENDOR_PREFIXES feature flag
2711         https://bugs.webkit.org/show_bug.cgi?id=179872
2712
2713         Reviewed by Darin Adler.
2714
2715         * Configurations/FeatureDefines.xcconfig:
2716
2717 2017-11-18  Tim Horton  <timothy_horton@apple.com>
2718
2719         Fix typos in closing ENABLE() comments
2720         https://bugs.webkit.org/show_bug.cgi?id=179869
2721
2722         Unreviewed.
2723
2724         * wasm/WasmMemory.h:
2725         * wasm/WasmMemoryMode.h:
2726
2727 2017-11-17  JF Bastien  <jfbastien@apple.com>
2728
2729         NFC update ClassInfo to C++14
2730         https://bugs.webkit.org/show_bug.cgi?id=179783
2731
2732         Reviewed by Mark Lam.
2733
2734         Forked from #179734, use `using` instead of `typedef`. It's easier
2735         to read.
2736
2737         * runtime/ClassInfo.h:
2738
2739 2017-11-17  JF Bastien  <jfbastien@apple.com>
2740
2741         WebAssembly JS API: throw when a promise can't be created
2742         https://bugs.webkit.org/show_bug.cgi?id=179826
2743         <rdar://problem/35455813>
2744
2745         Reviewed by Mark Lam.
2746
2747         Failure *in* a promise causes rejection, but failure to create a
2748         promise (because of stack overflow) isn't really spec'd (as with all
2749         stack-related things in JS). This applies to WebAssembly.compile and
2750         WebAssembly.instantiate.
2751
2752         Dan's current proposal says:
2753
2754             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
2755
2756             Whenever a stack overflow occurs in WebAssembly code, the same
2757             class of exception is thrown as for a stack overflow in
2758             JavaScript. The particular exception here is
2759             implementation-defined in both cases.
2760
2761             Note: ECMAScript doesn’t specify any sort of behavior on stack
2762             overflow; implementations have been observed to throw RangeError,
2763             InternalError or Error. Any is valid here.
2764
2765         This is for general stack overflow within WebAssembly, not
2766         specifically for promise creation within JavaScript, but it seems
2767         like a stack overflow in promise creation should follow the same
2768         rule instead of, say, swallowing the overflow and returning
2769         undefined.
2770
2771         * wasm/js/WebAssemblyPrototype.cpp:
2772         (JSC::webAssemblyCompileFunc):
2773         (JSC::webAssemblyInstantiateFunc):
2774
2775 2017-11-16  Daniel Bates  <dabates@apple.com>
2776
2777         Add feature define for alternative presentation button element
2778         https://bugs.webkit.org/show_bug.cgi?id=179692
2779         Part of <rdar://problem/34917108>
2780
2781         Reviewed by Andy Estes.
2782
2783         Only enabled on Cocoa platforms by default.
2784
2785         * Configurations/FeatureDefines.xcconfig:
2786
2787 2017-11-16  Saam Barati  <sbarati@apple.com>
2788
2789         Fix a bug with cpuid in the FTL.
2790
2791         Rubber stamped by Mark Lam.
2792
2793         Before uploading the previous patch, I tried to condense the code. I
2794         accidentally removed a crucial line saying that CPUID clobbers various
2795         registers.
2796
2797         * ftl/FTLLowerDFGToB3.cpp:
2798         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2799
2800 2017-11-16  Saam Barati  <sbarati@apple.com>
2801
2802         Add some X86 intrinsics to $vm to help with some perf testing
2803         https://bugs.webkit.org/show_bug.cgi?id=179693
2804
2805         Reviewed by Mark Lam.
2806
2807         I've been doing some local perf testing of various ideas and have
2808         had these come in handy. I'm going to land them in dollarVM to prevent
2809         having to add them to my local build every time I do perf testing.
2810
2811         * assembler/MacroAssemblerX86Common.h:
2812         (JSC::MacroAssemblerX86Common::mfence):
2813         (JSC::MacroAssemblerX86Common::rdtsc):
2814         (JSC::MacroAssemblerX86Common::pause):
2815         (JSC::MacroAssemblerX86Common::cpuid):
2816         * assembler/X86Assembler.h:
2817         (JSC::X86Assembler::rdtsc):
2818         (JSC::X86Assembler::pause):
2819         (JSC::X86Assembler::cpuid):
2820         * dfg/DFGAbstractInterpreterInlines.h:
2821         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2822         * dfg/DFGByteCodeParser.cpp:
2823         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2824         * dfg/DFGClobberize.h:
2825         (JSC::DFG::clobberize):
2826         * dfg/DFGDoesGC.cpp:
2827         (JSC::DFG::doesGC):
2828         * dfg/DFGFixupPhase.cpp:
2829         (JSC::DFG::FixupPhase::fixupNode):
2830         * dfg/DFGGraph.cpp:
2831         (JSC::DFG::Graph::dump):
2832         * dfg/DFGNode.h:
2833         (JSC::DFG::Node::intrinsic):
2834         * dfg/DFGNodeType.h:
2835         * dfg/DFGPredictionPropagationPhase.cpp:
2836         * dfg/DFGSafeToExecute.h:
2837         (JSC::DFG::safeToExecute):
2838         * dfg/DFGSpeculativeJIT32_64.cpp:
2839         (JSC::DFG::SpeculativeJIT::compile):
2840         * dfg/DFGSpeculativeJIT64.cpp:
2841         (JSC::DFG::SpeculativeJIT::compile):
2842         * dfg/DFGValidate.cpp:
2843         * ftl/FTLCapabilities.cpp:
2844         (JSC::FTL::canCompile):
2845         * ftl/FTLLowerDFGToB3.cpp:
2846         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2847         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2848         * runtime/Intrinsic.cpp:
2849         (JSC::intrinsicName):
2850         * runtime/Intrinsic.h:
2851         * tools/JSDollarVM.cpp:
2852         (JSC::functionCpuMfence):
2853         (JSC::functionCpuRdtsc):
2854         (JSC::functionCpuCpuid):
2855         (JSC::functionCpuPause):
2856         (JSC::functionCpuClflush):
2857         (JSC::JSDollarVM::finishCreation):
2858
2859 2017-11-16  JF Bastien  <jfbastien@apple.com>
2860
2861         It should be easier to reify lazy property names
2862         https://bugs.webkit.org/show_bug.cgi?id=179734
2863         <rdar://problem/35492521>
2864
2865         Reviewed by Keith Miller.
2866
2867         We reify lazy property names in a few different ways, each
2868         specific to the JSCell implementation, in put() instead of having
2869         a special function to do reification. Let's make that simpler.
2870
2871         This patch makes it easier to reify property names in a uniform
2872         manner, and does so in JSFunction. As a follow up I'll use the
2873         same mechanics for:
2874
2875         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
2876         ErrorConstructor  stackTraceLimit
2877         ErrorInstance     line, column, sourceURL, stack
2878         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
2879         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
2880         JSArray           length
2881         RegExpObject      lastIndex
2882         StringObject      length
2883
2884         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
2885         * runtime/JSCell.cpp:
2886         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
2887         * runtime/JSCell.h:
2888         * runtime/JSFunction.cpp: `name` and `length` can be reified.
2889         (JSC::JSFunction::reifyPropertyNameIfNeeded):
2890         (JSC::JSFunction::put):
2891         (JSC::JSFunction::reifyLength):
2892         (JSC::JSFunction::reifyName):
2893         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2894         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2895         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2896         (JSC::JSFunction::reifyLazyNameIfNeeded):
2897         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2898         * runtime/JSFunction.h:
2899         (JSC::JSFunction::isLazy):
2900         (JSC::JSFunction::isReified):
2901         * runtime/JSObjectInlines.h:
2902         (JSC::JSObject::putDirectInternal): do the reification here.
2903
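The entry above moves reification of the lazy `name` and `length` of JSFunction behind one method-table hook. Whatever the engine does internally, the script-visible contract is fixed by the language: the added probe below (example code, not part of JavaScriptCore or its test suite) exercises the parts of that contract a reification path has to get right: attribute triples, strict-mode assignment failing, `defineProperty` replacing the value, `delete` removing it for good, and bound functions deriving their own values.

```javascript
// Added example (not JSC code): observable invariants of lazy `name`/`length`.
function probeFunction(f) {
  'use strict'; // so a failed assignment throws instead of being ignored
  const ownBefore = Object.getOwnPropertyNames(f);
  const lengthDesc = Object.getOwnPropertyDescriptor(f, 'length');
  const nameDesc = Object.getOwnPropertyDescriptor(f, 'name');

  // Both properties are non-writable, non-enumerable, configurable.
  // A plain strict-mode assignment must therefore throw a TypeError.
  let assignThrew = false;
  try { f.name = 'changed'; } catch (e) { assignThrew = e instanceof TypeError; }

  // defineProperty is the sanctioned way to replace them; this is the path
  // where a lazy slot has to be materialised before the new value lands.
  Object.defineProperty(f, 'name', { value: 'renamed' });
  Object.defineProperty(f, 'length', { value: 42 });
  const lengthAfterDefine = f.length;

  // They are configurable, so delete must remove them for real: the engine
  // may not quietly regenerate the value from its lazy source afterwards.
  delete f.length;

  return {
    ownBefore,
    lengthWas: lengthDesc.value,
    nameWas: nameDesc.value,
    attrs: [lengthDesc.writable, lengthDesc.enumerable, lengthDesc.configurable,
            nameDesc.writable, nameDesc.enumerable, nameDesc.configurable],
    assignThrew,
    nameNow: f.name,
    lengthAfterDefine,
    hasOwnLengthAfterDelete: Object.prototype.hasOwnProperty.call(f, 'length'),
    lengthFromProto: f.length, // falls through to Function.prototype.length (0)
  };
}

// Bound functions expose derived lazy values: "bound <name>" and
// max(0, target.length - boundArgs).
function probeBound() {
  function sample(a, b, c) { return a + b + c; }
  return probeFunction(sample.bind(null, 1));
}

console.log(JSON.stringify(probeFunction(function demo(p, q) {})));
```

Running the probe on a fresh function should report `lengthWas: 2`, `nameWas: "g"` (for `function g(x, y) {}`), attributes `[false,false,true,false,false,true]`, a thrown assignment, `nameNow: "renamed"`, and `lengthFromProto: 0` once the own property is deleted; the bound variant reports `"bound sample"` and length 2.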
2904 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2905
2906         Provide a runtime option for disabling the optimization of recursive tail calls
2907         https://bugs.webkit.org/show_bug.cgi?id=179765
2908
2909         Reviewed by Mark Lam.
2910
2911         * bytecode/PreciseJumpTargets.cpp:
2912         (JSC::getJumpTargetsForBytecodeOffset):
2913         * bytecompiler/BytecodeGenerator.cpp:
2914         (JSC::BytecodeGenerator::emitEnter):
2915         * dfg/DFGByteCodeParser.cpp:
2916         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2917         * runtime/Options.h:
2918
2919 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2920
2921         Fix null pointer dereference in bytecodeDumper
2922         https://bugs.webkit.org/show_bug.cgi?id=179764
2923
2924         Reviewed by Mark Lam.
2925
2926         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
2927
2928         * bytecode/BytecodeDumper.cpp:
2929         (JSC::BytecodeDumper<Block>::printCallOp):
2930
2931 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2932
2933         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2934         https://bugs.webkit.org/show_bug.cgi?id=179763
2935         <rdar://problem/35550513>
2936
2937         Reviewed by Keith Miller.
2938
2939         Fix null pointer dereference caused by an eliminated tdz_check.
2940
2941         The problem was when doing an OSR entry in DFG while |this| was null
2942         (because super() had not yet been called in the constructor of this
2943         subclass), it would be marked as non-null, and the tdz_check eliminated.
2944
2945         * dfg/DFGInPlaceAbstractState.cpp:
2946         (JSC::DFG::InPlaceAbstractState::initialize):
2947
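The bug above is the kind that only shows up once a hot loop inside a derived constructor triggers OSR entry while `this` is still in its temporal dead zone. The script below is an added regression-style probe (example code, not the oss-fuzz reproducer and not part of JavaScriptCore's tests; the iteration count and class shapes are assumptions): it spins a loop before `super()` and checks that touching `this` there raises a ReferenceError and that the constructor completes normally when it does not.

```javascript
// Added example (not JSC code): TDZ of |this| in a derived constructor
// must survive OSR entry into the pre-super() loop.
class Base { constructor() { this.ready = true; } }

function makeDerived(iterations, touchThisBeforeSuper) {
  return class Derived extends Base {
    constructor() {
      let acc = 0;
      for (let i = 0; i < iterations; i++) {     // hot loop: OSR entry candidate
        acc = (acc + i) | 0;
        if (touchThisBeforeSuper && i === iterations - 1)
          acc += this.ready ? 1 : 0;             // TDZ violation: must throw
      }
      super();
      this.acc = acc;                            // legal: super() has run
    }
  };
}

// Returns what each variant observed so the outcome can be asserted on.
function probe(iterations) {
  const result = { beforeSuper: null, afterSuper: null };
  try {
    new (makeDerived(iterations, true))();
    result.beforeSuper = 'no error';             // would be the bug's symptom
  } catch (e) {
    result.beforeSuper = e.constructor.name;     // expected: 'ReferenceError'
  }
  const ok = new (makeDerived(iterations, false))();
  result.afterSuper = ok.ready === true && typeof ok.acc === 'number' ? 'ok' : 'bad';
  return result;
}

console.log(probe(200000));
```

A large iteration count matters: with a handful of iterations the constructor never leaves the interpreter and the eliminated check is never exercised, which is why a fuzzer found this rather than the existing TDZ tests.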
2948 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
2949
2950         Unreviewed, rolling out r224863.
2951
2952         Introduced LayoutTest crashes on iOS Simulator.
2953
2954         Reverted changeset:
2955
2956         "Move JSONValues to WTF and convert uses of InspectorValues.h
2957         to JSONValues.h"
2958         https://bugs.webkit.org/show_bug.cgi?id=173793
2959         https://trac.webkit.org/changeset/224863
2960
2961 2017-11-14  Mark Lam  <mark.lam@apple.com>
2962
2963         Gardening: CLoop build fix after r224862.
2964         https://bugs.webkit.org/show_bug.cgi?id=179699
2965
2966         Not reviewed.
2967
2968         * bytecode/CodeBlock.h:
2969         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2970
2971 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2972
2973         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
2974         https://bugs.webkit.org/show_bug.cgi?id=173793
2975
2976         Reviewed by Brian Burg.
2977
2978         Based on patch by Brian Burg.
2979
2980         * JavaScriptCore.xcodeproj/project.pbxproj:
2981         * Sources.txt:
2982         * bindings/ScriptValue.cpp:
2983         (Inspector::jsToInspectorValue):
2984         (Inspector::toInspectorValue):
2985         (Deprecated::ScriptValue::toInspectorValue const):
2986         * bindings/ScriptValue.h:
2987         * inspector/AsyncStackTrace.cpp:
2988         * inspector/ConsoleMessage.cpp:
2989         * inspector/ContentSearchUtilities.cpp:
2990         * inspector/InjectedScript.cpp:
2991         (Inspector::InjectedScript::getFunctionDetails):
2992         (Inspector::InjectedScript::functionDetails):
2993         (Inspector::InjectedScript::getPreview):
2994         (Inspector::InjectedScript::getProperties):
2995         (Inspector::InjectedScript::getDisplayableProperties):
2996         (Inspector::InjectedScript::getInternalProperties):
2997         (Inspector::InjectedScript::getCollectionEntries):
2998         (Inspector::InjectedScript::saveResult):
2999         (Inspector::InjectedScript::wrapCallFrames const):
3000         (Inspector::InjectedScript::wrapObject const):
3001         (Inspector::InjectedScript::wrapTable const):
3002         (Inspector::InjectedScript::previewValue const):
3003         (Inspector::InjectedScript::setExceptionValue):
3004         (Inspector::InjectedScript::clearExceptionValue):
3005         (Inspector::InjectedScript::inspectObject):
3006         (Inspector::InjectedScript::releaseObject):
3007         * inspector/InjectedScriptBase.cpp:
3008         (Inspector::InjectedScriptBase::makeCall):
3009         (Inspector::InjectedScriptBase::makeEvalCall):
3010         * inspector/InjectedScriptBase.h:
3011         * inspector/InjectedScriptManager.cpp:
3012         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3013         * inspector/InspectorBackendDispatcher.cpp:
3014         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
3015         (Inspector::BackendDispatcher::dispatch):
3016         (Inspector::BackendDispatcher::sendResponse):
3017         (Inspector::BackendDispatcher::sendPendingErrors):
3018         (Inspector::BackendDispatcher::getPropertyValue):
3019         (Inspector::castToInteger):
3020         (Inspector::castToNumber):
3021         (Inspector::BackendDispatcher::getInteger):
3022         (Inspector::BackendDispatcher::getDouble):
3023         (Inspector::BackendDispatcher::getString):
3024         (Inspector::BackendDispatcher::getBoolean):
3025         (Inspector::BackendDispatcher::getObject):
3026         (Inspector::BackendDispatcher::getArray):
3027         (Inspector::BackendDispatcher::getValue):
3028         * inspector/InspectorBackendDispatcher.h:
3029         * inspector/InspectorProtocolTypes.h:
3030         (Inspector::Protocol::Array::openAccessors):
3031         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
3032         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
3033         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
3034         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
3035         * inspector/ScriptCallFrame.cpp:
3036         * inspector/ScriptCallStack.cpp:
3037         * inspector/agents/InspectorAgent.cpp:
3038         (Inspector::InspectorAgent::inspect):
3039         * inspector/agents/InspectorAgent.h:
3040         * inspector/agents/InspectorDebuggerAgent.cpp:
3041         (Inspector::buildAssertPauseReason):
3042         (Inspector::buildCSPViolationPauseReason):
3043         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3044         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3045         (Inspector::buildObjectForBreakpointCookie):
3046         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3047         (Inspector::parseLocation):
3048         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3049         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3050         (Inspector::InspectorDebuggerAgent::continueToLocation):
3051         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3052         (Inspector::InspectorDebuggerAgent::didParseSource):
3053         (Inspector::InspectorDebuggerAgent::breakProgram):
3054         * inspector/agents/InspectorDebuggerAgent.h:
3055         * inspector/agents/InspectorRuntimeAgent.cpp:
3056         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3057         (Inspector::InspectorRuntimeAgent::saveResult):
3058         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3059         * inspector/agents/InspectorRuntimeAgent.h:
3060         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3061         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
3062         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3063         (CppBackendDispatcherImplementationGenerator.generate_output):
3064         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3065         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3066         (CppFrontendDispatcherHeaderGenerator.generate_output):
3067         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3068         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3069         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3070         (_generate_unchecked_setter_for_member):
3071         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3072         (CppProtocolTypesImplementationGenerator):
3073         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3074         (ObjCBackendDispatcherImplementationGenerator.generate_output):
3075         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3076         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3077         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
3078         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3079         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3080         * inspector/scripts/codegen/generate_objc_internal_header.py:
3081         (ObjCInternalHeaderGenerator.generate_output):
3082         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3083         (ObjCProtocolTypesImplementationGenerator.generate_output):
3084         * inspector/scripts/codegen/generator.py:
3085         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3086         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3087         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3088         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3089         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3090         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3091         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3092         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3093         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3094         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3095         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3096         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3097         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3098         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3099         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3100         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3101         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3102         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3103         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3104         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3105
3106 2017-11-14  Mark Lam  <mark.lam@apple.com>
3107
3108         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
3109         https://bugs.webkit.org/show_bug.cgi?id=179699
3110         <rdar://problem/35462346>
3111
3112         Reviewed by Michael Saboff.
3113
3114         * interpreter/Interpreter.cpp:
3115         (JSC::Interpreter::dumpRegisters):
3116         - Need to skip the callee-saved registers.
3117
3118 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
3119
3120         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
3121         https://bugs.webkit.org/show_bug.cgi?id=179563
3122
3123         Reviewed by Carlos Alberto Lopez Perez.
3124
3125         When run with BranchIfTruncateSuccessful,
3126         branchTruncateDoubleToInt32() should set the destination register
3127         before branching.
3128         This change also removes branchTruncateDoubleToUInt32() as it is
3129         deprecated (see r160205), merges branchOnTruncateResult() into
3130         branchTruncateDoubleToInt32() and adds test cases in testmasm.
3131
3132         * assembler/MacroAssemblerMIPS.h:
3133         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
3134         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
3135         Properly set dest before branching.
3136         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
3137         * assembler/testmasm.cpp:
3138         (JSC::testBranchTruncateDoubleToInt32):
3139         (JSC::run):
3140         Add tests for branchTruncateDoubleToInt32().
3141
3142 2017-11-14  Daniel Bates  <dabates@apple.com>
3143
3144         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
3145         for feature defines
3146
3147         Following r195498 and r201917 the Visual Studio property files for feature defines have
3148         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
3149         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
3150         files.
3151
3152         * Configurations/FeatureDefines.xcconfig:
3153
3154 2017-11-14  Mark Lam  <mark.lam@apple.com>
3155
3156         Remove JSDollarVMPrototype.
3157         https://bugs.webkit.org/show_bug.cgi?id=179685
3158
3159         Reviewed by Saam Barati.
3160
3161         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
3162
3163            This allows us to call these functions during lldb debugging sessions using
3164            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
3165            VMInspector provides VM debugging utility methods.  It doesn't make sense to
3166            have a JSDollarVMPrototype object provide these methods.
3167
3168            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
3169
3170         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
3171
3172            JSDollarVM is a special object used only for debugging purposes.  There's no
3173            gain in requiring its methods to be stored in a prototype object other than to
3174            conform to typical JS convention.  We can remove this complexity.
3175
3176         * JavaScriptCore.xcodeproj/project.pbxproj:
3177         * Sources.txt:
3178         * runtime/JSGlobalObject.cpp:
3179         (JSC::JSGlobalObject::init):
3180         * tools/JSDollarVM.cpp:
3181         (JSC::JSDollarVM::addFunction):
3182         (JSC::functionCrash):
3183         (JSC::functionDFGTrue):
3184         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
3185         (JSC::CallerFrameJITTypeFunctor::operator() const):
3186         (JSC::CallerFrameJITTypeFunctor::jitType):
3187         (JSC::functionLLintTrue):
3188         (JSC::functionJITTrue):
3189         (JSC::functionGC):
3190         (JSC::functionEdenGC):
3191         (JSC::functionCodeBlockForFrame):
3192         (JSC::codeBlockFromArg):
3193         (JSC::functionCodeBlockFor):
3194         (JSC::functionPrintSourceFor):
3195         (JSC::functionPrintBytecodeFor):
3196         (JSC::functionPrint):
3197         (JSC::functionPrintCallFrame):
3198         (JSC::functionPrintStack):
3199         (JSC::functionValue):
3200         (JSC::functionGetPID):
3201         (JSC::JSDollarVM::finishCreation):
3202         * tools/JSDollarVM.h:
3203         (JSC::JSDollarVM::create):
3204         * tools/JSDollarVMPrototype.cpp: Removed.
3205         * tools/JSDollarVMPrototype.h: Removed.
3206         * tools/VMInspector.cpp:
3207         (JSC::VMInspector::currentThreadOwnsJSLock):
3208         (JSC::ensureCurrentThreadOwnsJSLock):
3209         (JSC::VMInspector::gc):
3210         (JSC::VMInspector::edenGC):
3211         (JSC::VMInspector::isInHeap):
3212         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
3213         (JSC::CellAddressCheckFunctor::operator() const):
3214         (JSC::VMInspector::isValidCell):
3215         (JSC::VMInspector::isValidCodeBlock):
3216         (JSC::VMInspector::codeBlockForFrame):
3217         (JSC::PrintFrameFunctor::PrintFrameFunctor):
3218         (JSC::PrintFrameFunctor::operator() const):
3219         (JSC::VMInspector::printCallFrame):
3220         (JSC::VMInspector::printStack):
3221         (JSC::VMInspector::printValue):
3222         * tools/VMInspector.h:
3223
3224 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
3225
3226         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
3227         https://bugs.webkit.org/show_bug.cgi?id=179640
3228         <rdar://problem/35517361>
3229
3230         Reviewed by Devin Rousso.
3231
3232         * CMakeLists.txt:
3233         * DerivedSources.make:
3234         Gate the ServiceWorker domain on the ENABLE feature flag.
3235
3236         * inspector/protocol/ServiceWorker.json: Added.
3237         New domain to be made available inside of a ServiceWorker target.
3238
3239 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3240
3241         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3242         https://bugs.webkit.org/show_bug.cgi?id=179594
3243
3244         Reviewed by Saam Barati.
3245
3246         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
3247         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
3248         `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
3249         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
3250         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
3251
3252         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
3253         accept this type, and emit optimized code compared to Array::Generic case.
3254
3255         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) an OutOfBounds
3256         exit instead of ExoticObjectMode.
3257
3258         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
3259         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
3260
3261             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
3262
3263         * dfg/DFGArgumentsEliminationPhase.cpp:
3264         * dfg/DFGArrayMode.cpp:
3265         (JSC::DFG::ArrayMode::refine const):
3266         * dfg/DFGClobberize.h:
3267         (JSC::DFG::clobberize):
3268         * dfg/DFGSpeculativeJIT.cpp:
3269         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3270         * ftl/FTLLowerDFGToB3.cpp:
3271         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3272         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3273
3274 2017-11-14  Saam Barati  <sbarati@apple.com>
3275
3276         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3277         https://bugs.webkit.org/show_bug.cgi?id=179639
3278         <rdar://problem/35513018>
3279
3280         Reviewed by JF Bastien.
3281
3282         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
3283         walk the stack for ShadowChicken (and maybe other things). We weren't updating
3284         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
3285         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
3286         this bug by giving Wasm::Instance a lambda that is called when we need to store
3287         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
3288         Currently, JSWebAssemblyInstance passes in a lambda that stores to
3289         VM.topCallFrame.
3290
3291         * wasm/WasmB3IRGenerator.cpp:
3292         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3293         * wasm/WasmInstance.cpp:
3294         (JSC::Wasm::Instance::Instance):
3295         (JSC::Wasm::Instance::create):
3296         * wasm/WasmInstance.h:
3297         (JSC::Wasm::Instance::storeTopCallFrame):
3298         * wasm/js/JSWebAssemblyInstance.cpp:
3299         (JSC::JSWebAssemblyInstance::create):
3300         * wasm/js/JSWebAssemblyInstance.h:
3301         * wasm/js/WasmToJS.cpp:
3302         (JSC::Wasm::wasmToJSException):
3303         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3304         (JSC::constructJSWebAssemblyInstance):
3305         * wasm/js/WebAssemblyPrototype.cpp:
3306         (JSC::instantiate):
3307
3308 2017-11-13  Saam Barati  <sbarati@apple.com>
3309
3310         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
3311         https://bugs.webkit.org/show_bug.cgi?id=179203
3312
3313         Reviewed by Yusuke Suzuki.
3314
3315         This patch only removes the pointer caging for the described types in the title.
3316         These types still allocate out of the gigacage. This is just a cost vs benefit
3317         tradeoff of performance vs security.
3318
3319         * dfg/DFGSpeculativeJIT.cpp:
3320         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3321         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3322         * ftl/FTLLowerDFGToB3.cpp:
3323         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3324         * jit/JITPropertyAccess.cpp:
3325         (JSC::JIT::emitDirectArgumentsGetByVal):
3326         (JSC::JIT::emitScopedArgumentsGetByVal):
3327         * runtime/DirectArguments.h:
3328         (JSC::DirectArguments::storage):
3329         * runtime/HashMapImpl.cpp:
3330         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3331         * runtime/HashMapImpl.h:
3332         * runtime/JSLexicalEnvironment.h:
3333         (JSC::JSLexicalEnvironment::variables):
3334         * runtime/ScopedArguments.h:
3335         (JSC::ScopedArguments::overflowStorage const):
3336
3337 2017-11-08  Keith Miller  <keith_miller@apple.com>
3338
3339         Async iteration should only fetch the next method once and add feature flag
3340         https://bugs.webkit.org/show_bug.cgi?id=179451
3341
3342         Reviewed by Geoffrey Garen.
3343
3344         Add feature flag for Async iteration. Also, change async iteration to match
3345         the expected behavior of the proposal.
3346
3347         * Configurations/FeatureDefines.xcconfig:
3348         * builtins/AsyncFromSyncIteratorPrototype.js:
3349         (globalPrivate.createAsyncFromSyncIterator):
3350         (globalPrivate.AsyncFromSyncIteratorConstructor):
3351         * builtins/BuiltinNames.h:
3352         * bytecompiler/BytecodeGenerator.cpp:
3353         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3354         * runtime/Options.h:
3355
3356 2017-11-13  Mark Lam  <mark.lam@apple.com>
3357
3358         Add more overflow check book-keeping for MarkedArgumentBuffer.
3359         https://bugs.webkit.org/show_bug.cgi?id=179634
3360         <rdar://problem/35492517>
3361
3362         Reviewed by Saam Barati.
3363
3364         * runtime/ArgList.h:
3365         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
3366         * runtime/JSJob.cpp:
3367         (JSC::JSJobMicrotask::run):
3368         * runtime/ObjectConstructor.cpp:
3369         (JSC::defineProperties):
3370         * runtime/ReflectObject.cpp:
3371         (JSC::reflectObjectConstruct):
3372
3373 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
3374
3375         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
3376         https://bugs.webkit.org/show_bug.cgi?id=179542
3377
3378         Reviewed by Alex Christensen.
3379
3380         * assembler/MacroAssemblerARM.h:
3381         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
3382
3383 2017-11-13  Mark Lam  <mark.lam@apple.com>
3384
3385         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3386         https://bugs.webkit.org/show_bug.cgi?id=179619
3387         <rdar://problem/35492518>
3388
3389         Reviewed by Saam Barati.
3390
3391         * jsc.cpp:
3392         (functionLoadGetterFromGetterSetter):
3393
3394 2017-11-12  Darin Adler  <darin@apple.com>
3395
3396         More is<> and downcast<>, less static_cast<>
3397         https://bugs.webkit.org/show_bug.cgi?id=179600
3398
3399         Reviewed by Chris Dumez.
3400
3401         * runtime/JSString.h:
3402         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
3403         (JSC::jsSubstringOfResolved): Ditto.
3404
3405 2017-11-12  Mark Lam  <mark.lam@apple.com>
3406
3407         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3408         https://bugs.webkit.org/show_bug.cgi?id=179562
3409         <rdar://problem/35467022>
3410
3411         Reviewed by Saam Barati.
3412
3413         * dfg/DFGFixupPhase.cpp:
3414         (JSC::DFG::FixupPhase::fixupNode):
3415         * dfg/DFGOperations.cpp:
3416         * dfg/DFGSafeToExecute.h:
3417         (JSC::DFG::SafeToExecuteEdge::operator()):
3418         * dfg/DFGSpeculativeJIT.cpp:
3419         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
3420         (JSC::DFG::SpeculativeJIT::speculate):
3421         * dfg/DFGSpeculativeJIT.h:
3422         * dfg/DFGUseKind.cpp:
3423         (WTF::printInternal):
3424         * dfg/DFGUseKind.h:
3425         (JSC::DFG::typeFilterFor):
3426         * ftl/FTLCapabilities.cpp:
3427         (JSC::FTL::canCompile):
3428         * ftl/FTLLowerDFGToB3.cpp:
3429         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3430         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
3431
3432 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
3433
3434         Web Inspector: Canvas tab: show detailed status during canvas recording
3435         https://bugs.webkit.org/show_bug.cgi?id=178185
3436         <rdar://problem/34939862>
3437
3438         Reviewed by Brian Burg.
3439
3440         * inspector/protocol/Canvas.json:
3441         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
3442         payloads since the last Canvas.recordingProgress event and the current buffer usage.
3443
3444         * inspector/protocol/Recording.json:
3445         Remove the required `frames` parameter from the Recording protocol object, as they will be
3446         sent in batches via the Canvas.recordingProgress event.
3447
3448 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
3449
3450         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
3451         https://bugs.webkit.org/show_bug.cgi?id=179543
3452
3453         Reviewed by Antoine Quint.
3454
3455         * inspector/protocol/Network.json:
3456         Use a better type for the status code.
3457
3458 2017-11-10  Robin Morisset  <rmorisset@apple.com>
3459
3460         The memory consumption of DFG::BasicBlock can be easily reduced a bit
3461         https://bugs.webkit.org/show_bug.cgi?id=179528
3462
3463         Reviewed by Saam Barati.
3464
3465         A few changes here:
3466         - Reordering some fields of DFG::BasicBlock to reduce padding
3467         - Making the enum fields that are glorified booleans fit into a u8
3468         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
3469           This change works because we never increase the number of arguments after allocating an Operands object.
3470           It lets us avoid one extra capacity field and one extra pointer field per Operands,
3471           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
3472           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
3473           we have a chance to avoid an allocation.
3474         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
3475
3476         * bytecode/Operands.h:
3477         (JSC::Operands::Operands):
3478         (JSC::Operands::numberOfArguments const):
3479         (JSC::Operands::numberOfLocals const):
3480         (JSC::Operands::argument):
3481         (JSC::Operands::argument const):
3482         (JSC::Operands::local):
3483         (JSC::Operands::local const):
3484         (JSC::Operands::ensureLocals):
3485         (JSC::Operands::setLocal):
3486         (JSC::Operands::getLocal):
3487         (JSC::Operands::setArgumentFirstTime):
3488         (JSC::Operands::setLocalFirstTime):
3489         (JSC::Operands::operand):
3490         (JSC::Operands::setOperand):
3491         (JSC::Operands::size const):
3492         (JSC::Operands::at const):
3493         (JSC::Operands::at):
3494         (JSC::Operands::isArgument const):
3495         (JSC::Operands::isVariable const):
3496         (JSC::Operands::virtualRegisterForIndex const):
3497         (JSC::Operands::fill):
3498         (JSC::Operands::operator== const):
3499         (JSC::Operands::argumentForIndex const): Deleted.
3500         (JSC::Operands::variableForIndex const): Deleted.
3501         (JSC::Operands::indexForOperand const): Deleted.
3502         * dfg/DFGBasicBlock.cpp:
3503         (JSC::DFG::BasicBlock::BasicBlock):
3504         * dfg/DFGBasicBlock.h:
3505         * dfg/DFGBranchDirection.h:
3506         * dfg/DFGStructureClobberState.h:
3507
3508 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3509
3510         [JSC] Retry module fetching if previous request fails
3511         https://bugs.webkit.org/show_bug.cgi?id=178168
3512
3513         Reviewed by Saam Barati.
3514
3515         According to the latest spec, the failed fetching operation can be retried if it is requested again.
3516         For example,
3517
3518             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
3519             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
3520
3521         When performing the first module fetching, the integrity check fails, and the load of this module fails.
3522         But when loading the second module, we do not use the cached failure result in the first module loading.
3523         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
3524         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
3525
3526         Interestingly, the fetching result and instantiation result will be cached if they succeed. This is because we would
3527         like to cache modules based on their URLs. As a result,
3528
3529             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
3530             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
3531
3532         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
3533         instantiation are cached in the module pipeline.
3534
3535         This patch implements the above semantics. Previously, our module pipeline always cached the result. If the fetching
3536         failed, all subsequent fetches for the same URL failed even if we had different integrity values. We now retry fetching
3537         if the previous one fails. As an overview of our change,
3538
3539         1. The fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URL should
3540            be unified. But if the currently executing one fails, other attempts should retry fetching.
3541
3542         2. Instantiation should be cached if fetching succeeds.
3543
3544         3. Satisfying should be cached if it succeeds.
3545
3546         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
3547
3548         * builtins/ModuleLoaderPrototype.js:
3549         (requestFetch):
3550         (requestInstantiate):
3551         (requestSatisfy):
3552         (link):
3553         (loadModule):
3554         * runtime/JSGlobalObject.cpp:
3555         (JSC::JSGlobalObject::init):
3556
3557 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
3558
3559         Web Inspector: support undo/redo of insertAdjacentHTML
3560         https://bugs.webkit.org/show_bug.cgi?id=179283
3561
3562         Reviewed by Joseph Pecoraro.
3563
3564         * inspector/protocol/DOM.json:
3565         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
3566         on the given node.
3567
3568 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
3569
3570         Web Inspector: Make domain availability a list of types instead of a single type
3571         https://bugs.webkit.org/show_bug.cgi?id=179457
3572
3573         Reviewed by Brian Burg.
3574
3575         * inspector/scripts/codegen/generate_js_backend_commands.py:
3576         (JSBackendCommandsGenerator.generate_domain):
3577         Update output of `InspectorBackend.activateDomain` to include the list.
3578
3579         * inspector/scripts/codegen/models.py:
3580         (Protocol.parse_domain):
3581         Parse `availability` as a list and include a new supported value of "service-worker".
3582
3583         * inspector/protocol/ApplicationCache.json:
3584         * inspector/protocol/CSS.json:
3585         * inspector/protocol/Canvas.json:
3586         * inspector/protocol/DOM.json:
3587         * inspector/protocol/DOMDebugger.json:
3588         * inspector/protocol/DOMStorage.json:
3589         * inspector/protocol/Database.json:
3590         * inspector/protocol/IndexedDB.json:
3591         * inspector/protocol/LayerTree.json:
3592         * inspector/protocol/Memory.json:
3593         * inspector/protocol/Network.json:
3594         * inspector/protocol/Page.json:
3595         * inspector/protocol/Timeline.json:
3596         * inspector/protocol/Worker.json:
3597         Update `availability` to be a list.
3598
3599         * inspector/scripts/tests/generic/domain-availability.json:
3600         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3601         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
3602         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
3603         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
3604         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
3605         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
3606         Update tests to include a test for the type and an invalid value.
3607
3608 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3609
3610         [JSC][JIT] Clean up SlowPathCall stubs
3611         https://bugs.webkit.org/show_bug.cgi?id=179247
3612
3613         Reviewed by Saam Barati.
3614
3615         We have a bunch of duplicate functions that just call a slow path function.
3616         This patch cleans up the above duplication.
3617
3618         * jit/JIT.cpp:
3619         (JSC::JIT::emitSlowCaseCall):
3620         (JSC::JIT::privateCompileSlowCases):
3621         * jit/JIT.h:
3622         * jit/JITArithmetic.cpp:
3623         (JSC::JIT::emitSlow_op_unsigned): Deleted.
3624         (JSC::JIT::emitSlow_op_inc): Deleted.
3625         (JSC::JIT::emitSlow_op_dec): Deleted.
3626         (JSC::JIT::emitSlow_op_bitand): Deleted.
3627         (JSC::JIT::emitSlow_op_bitor): Deleted.
3628         (JSC::JIT::emitSlow_op_bitxor): Deleted.
3629         (JSC::JIT::emitSlow_op_lshift): Deleted.
3630         (JSC::JIT::emitSlow_op_rshift): Deleted.
3631         (JSC::JIT::emitSlow_op_urshift): Deleted.
3632         (JSC::JIT::emitSlow_op_div): Deleted.
3633         * jit/JITArithmetic32_64.cpp:
3634         (JSC::JIT::emitSlow_op_unsigned): Deleted.
3635         (JSC::JIT::emitSlow_op_inc): Deleted.
3636         (JSC::JIT::emitSlow_op_dec): Deleted.
3637         * jit/JITOpcodes.cpp:
3638         (JSC::JIT::emitSlow_op_create_this): Deleted.
3639         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
3640         (JSC::JIT::emitSlow_op_to_this): Deleted.
3641         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
3642         (JSC::JIT::emitSlow_op_not): Deleted.
3643         (JSC::JIT::emitSlow_op_stricteq): Deleted.
3644         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
3645         (JSC::JIT::emitSlow_op_to_number): Deleted.
3646         (JSC::JIT::emitSlow_op_to_string): Deleted.
3647         (JSC::JIT::emitSlow_op_to_object): Deleted.
3648         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
3649         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
3650         * jit/JITOpcodes32_64.cpp:
3651         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
3652         (JSC::JIT::emitSlow_op_not): Deleted.
3653         (JSC::JIT::emitSlow_op_stricteq): Deleted.
3654         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
3655         (JSC::JIT::emitSlow_op_to_number): Deleted.
3656         (JSC::JIT::emitSlow_op_to_string): Deleted.
3657         (JSC::JIT::emitSlow_op_to_object): Deleted.
3658         (JSC::JIT::emitSlow_op_create_this): Deleted.
3659         (JSC::JIT::emitSlow_op_to_this): Deleted.
3660         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
3661         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
3662         * jit/JITPropertyAccess.cpp:
3663         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
3664         * jit/JITPropertyAccess32_64.cpp:
3665         (JSC::JIT::emit_op_resolve_scope):
3666         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
3667         * jit/SlowPathCall.h:
3668         (JSC::JITSlowPathCall::JITSlowPathCall):
3669         * runtime/CommonSlowPaths.cpp:
3670         (JSC::SLOW_PATH_DECL):
3671         * runtime/CommonSlowPaths.h:
3672
3673 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
3674
3675         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
3676         https://bugs.webkit.org/show_bug.cgi?id=179446
3677
3678         Reviewed by Žan Doberšek.
3679
3680         The trunc.w.d mips instruction should give a 0x7fffffff result when
3681         the source value is Infinity, NaN, or rounds to an integer outside the
3682         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
3683         branchTruncateDoubleToUInt32() have been relying on. It turns out that
3684         this assumption is not true on some CPUs, including on the ci20 on
3685         which we run the testbot (we get 0x80000000 instead). We should use the
3686         invalid operation cause bit instead to check whether the source value
3687         could be properly truncated. This requires the addition of the cfc1
3688         instruction, as well as the special registers that can be used with it
3689         (control registers of CP1).
3690
3691         * assembler/MIPSAssembler.h:
3692         (JSC::MIPSAssembler::firstSPRegister):
3693         (JSC::MIPSAssembler::lastSPRegister):
3694         (JSC::MIPSAssembler::numberOfSPRegisters):
3695         (JSC::MIPSAssembler::sprName):
3696         Added control registers of CP1.
3697         (JSC::MIPSAssembler::cfc1):
3698         Added.
3699         * assembler/MacroAssemblerMIPS.h:
3700         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
3701         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
3702         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
3703         Use fcsr to check if the value could be properly truncated.
3704
3705 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
3706
3707         HTMLMediaElement should not use element fullscreen on iOS
3708         https://bugs.webkit.org/show_bug.cgi?id=179418
3709         rdar://problem/35409277
3710
3711         Reviewed by Eric Carlson.
3712
3713         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
3714
3715         * Configurations/FeatureDefines.xcconfig:
3716
3717 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
3718
3719         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
3720         https://bugs.webkit.org/show_bug.cgi?id=179276
3721
3722         Reviewed by Andy Estes.
3723
3724         * inspector/InjectedScriptHost.h:
3725         * inspector/JSInjectedScriptHost.cpp:
3726         (Inspector::JSInjectedScriptHost::getInternalProperties):
3727         Call through to virtual implementation so that WebCore can provide custom
3728         internal properties for Web / DOM objects.
3729
3730 2017-11-08  Saam Barati  <sbarati@apple.com>
3731
3732         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3733         https://bugs.webkit.org/show_bug.cgi?id=177792
3734
3735         Reviewed by Yusuke Suzuki.
3736
3737         Before this patch, if a JSFunction's rare data initialized its allocation profile
3738         before its backing Executable's poly proto watchpoint was invalidated, that
3739         JSFunction would continue to allocate non-poly proto objects until its allocation
3740         profile was cleared (which essentially never happens in practice). This patch
3741         improves on this pathology. A JSFunction's rare data will now watch the poly
3742         proto watchpoint if it's still valid and clear its allocation profile when we
3743         detect that we should go poly proto.
3744
3745         * bytecode/ObjectAllocationProfile.h:
3746         * bytecode/ObjectAllocationProfileInlines.h:
3747         (JSC::ObjectAllocationProfile::initializeProfile):
3748         * runtime/FunctionRareData.cpp:
3749         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3750         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
3751         * runtime/FunctionRareData.h:
3752         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
3753         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
3754         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
3755
3756 2017-11-08  Keith Miller  <keith_miller@apple.com>
3757
3758         Add super sampler begin and end bytecodes.
3759         https://bugs.webkit.org/show_bug.cgi?id=179376
3760
3761         Reviewed by Filip Pizlo.
3762
3763         This patch adds a way to measure a narrow range of bytecodes for
3764         performance. This is done using the same infrastructure as the
3765         super sampler. I also added a class that helps do the bytecode
3766         checking with RAII. One problem with the current way this is done
3767         is that we don't handle decrementing early exits, either from
3768         branches or exceptions. So, when using this API users need to
3769         ensure that there are no early exits or that those exits don't
3770         occur on the measure code.
3771
3772         * JavaScriptCore.xcodeproj/project.pbxproj:
3773         * bytecode/BytecodeDumper.cpp:
3774         (JSC::BytecodeDumper<Block>::dumpBytecode):
3775         * bytecode/BytecodeList.json:
3776         * bytecode/BytecodeUseDef.h:
3777         (JSC::computeUsesForBytecodeOffset):
3778         (JSC::computeDefsForBytecodeOffset):
3779         * bytecompiler/BytecodeGenerator.cpp:
3780         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
3781         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
3782         * bytecompiler/BytecodeGenerator.h:
3783         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
3784         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
3785         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
3786         * dfg/DFGAbstractInterpreterInlines.h:
3787         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3788         * dfg/DFGByteCodeParser.cpp:
3789         (JSC::DFG::ByteCodeParser::parseBlock):
3790         * dfg/DFGClobberize.h:
3791         (JSC::DFG::clobberize):
3792         * dfg/DFGClobbersExitState.cpp:
3793         (JSC::DFG::clobbersExitState):
3794         * dfg/DFGDoesGC.cpp:
3795         (JSC::DFG::doesGC):
3796         * dfg/DFGFixupPhase.cpp:
3797         (JSC::DFG::FixupPhase::fixupNode):
3798         * dfg/DFGMayExit.cpp:
3799         * dfg/DFGNodeType.h:
3800         * dfg/DFGPredictionPropagationPhase.cpp:
3801         * dfg/DFGSafeToExecute.h:
3802         (JSC::DFG::safeToExecute):
3803         * dfg/DFGSpeculativeJIT.cpp:
3804         * dfg/DFGSpeculativeJIT32_64.cpp:
3805         (JSC::DFG::SpeculativeJIT::compile):
3806         * dfg/DFGSpeculativeJIT64.cpp:
3807         (JSC::DFG::SpeculativeJIT::compile):
3808         * ftl/FTLCapabilities.cpp:
3809         (JSC::FTL::canCompile):
3810         * ftl/FTLLowerDFGToB3.cpp:
3811         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3812         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
3813         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
3814         * jit/JIT.cpp:
3815         (JSC::JIT::privateCompileMainPass):
3816         * jit/JIT.h:
3817         * jit/JITOpcodes.cpp:
3818         (JSC::JIT::emit_op_super_sampler_begin):
3819         (JSC::JIT::emit_op_super_sampler_end):
3820         * llint/LLIntSlowPaths.cpp:
3821         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3822         * llint/LLIntSlowPaths.h:
3823         * llint/LowLevelInterpreter.asm:
3824
3825 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3826
3827         Turn recursive tail calls into loops
3828         https://bugs.webkit.org/show_bug.cgi?id=176601
3829
3830         Reviewed by Saam Barati.
3831
3832         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3833
3834         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
3835         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
3836         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
3837         We do this part through modifying the computation of the jump targets.
3838         Importantly, we only do this splitting for functions that have tail calls.
3839         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
3840
3841         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
3842         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
3843
3844         * bytecode/CodeBlock.h:
3845         (JSC::CodeBlock::hasTailCalls const):
3846         * bytecode/PreciseJumpTargets.cpp:
3847         (JSC::getJumpTargetsForBytecodeOffset):
3848         (JSC::computePreciseJumpTargetsInternal):
3849         * bytecode/UnlinkedCodeBlock.cpp:
3850         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3851         * bytecode/UnlinkedCodeBlock.h:
3852         (JSC::UnlinkedCodeBlock::hasTailCalls const):
3853         (JSC::UnlinkedCodeBlock::setHasTailCalls):
3854         * bytecompiler/BytecodeGenerator.cpp:
3855         (JSC::BytecodeGenerator::emitEnter):
3856         (JSC::BytecodeGenerator::emitCallInTailPosition):
3857         * dfg/DFGByteCodeParser.cpp:
3858         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
3859         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
3860         (JSC::DFG::ByteCodeParser::handleCall):
3861         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3862         (JSC::DFG::ByteCodeParser::parseBlock):
3863         (JSC::DFG::ByteCodeParser::parse):
3864
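The rewrite the entry above describes, shown at JavaScript source level as an added example (this is illustrative code, not JSC's implementation and not part of this ChangeLog; the function names are made up). The recursive tail call becomes a jump back to the function's entry with fresh arguments, which at source level is a `while (true)` loop; the non-tail variant is included to show why the entry restricts the rewrite to functions that actually have tail calls.

```javascript
// Added example, not JSC code: source-level view of turning a recursive
// tail call into a loop, as the DFGByteCodeParser change for bug 176601
// does on bytecode.

// Recursive tail call: the call is the last thing the function does,
// so nothing in this frame is needed after it returns.
function sumTail(n, acc = 0) {
  if (n === 0) return acc;
  return sumTail(n - 1, acc + n); // tail position
}

// The same function after the transformation: the call is replaced by a
// jump back to (a split copy of) the entry block with the arguments
// re-assigned. Here that jump is a loop; no new frame is created.
function sumLoop(n, acc = 0) {
  while (true) {
    if (n === 0) return acc;
    [n, acc] = [n - 1, acc + n]; // "jump" to the entry with new arguments
  }
}

// Not a tail call: the addition happens after the callee returns, so the
// frame must stay alive and this shape cannot be rewritten as the loop
// above. This is why the rewrite is only sound for real tail calls.
function sumNonTail(n) {
  if (n === 0) return 0;
  return n + sumNonTail(n - 1);
}

// Runs f(n) and classifies the outcome. Without the optimisation each
// recursive call consumes a stack frame, so very deep recursion ends in a
// RangeError on engines without proper tail calls; the loop form runs in
// constant stack space regardless of n.
function depthCheck(f, n) {
  try {
    f(n);
    return 'ok';
  } catch (e) {
    return e instanceof RangeError ? 'stack-overflow' : 'error';
  }
}
```

All three functions agree on small inputs; only `sumLoop` is guaranteed to survive `depthCheck(sumLoop, 1000000)`, which is the practical effect of the transformation: the recursion depth no longer depends on the machine stack.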
2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused Page.ScriptIdentifier protocol type
        https://bugs.webkit.org/show_bug.cgi?id=179407

        Reviewed by Matt Baker.

        * inspector/protocol/Page.json:
        Remove unused protocol type.

2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>

        Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
        https://bugs.webkit.org/show_bug.cgi?id=173619

        Reviewed by Alex Christensen and Brian Burg.

        Eventually all classes used for our JSON-RPC message passing should be outside
        of the Inspector namespace since the protocol is used outside of Inspector code.
        This will also allow us to unify the primitive JSON types with parametric types
        like Inspector::Protocol::Array<T> and other protocol-related types which don't
        need to be in the Inspector namespace.

        Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
        patches, other clients will move to use JSON::Value and friends. When all uses are
        changed, the actual implementation will be renamed. This patch just focuses on the typedef
        and making changes in generated protocol code.

        Original patch by Brian Burg, rebased and updated by me.

        * inspector/InspectorValues.cpp:
        * inspector/InspectorValues.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_protocol_type_for_type):
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
        (CppGenerator.cpp_type_for_type_with_name):
        (CppGenerator.cpp_type_for_stack_in_parameter):