Unreviewed, rolling out r221327.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221327.

        This change caused test262 failures.

        Reverted changeset:

        "[JSC] Use reifying system for "name" property of builtin
        JSFunction"
        https://bugs.webkit.org/show_bug.cgi?id=175260
        http://trac.webkit.org/changeset/221327

2017-08-30  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r221384.

        This patch caused multiple 32-bit JSC test failures.

        Reverted changeset:

        "Strings need to be in some kind of gigacage"
        https://bugs.webkit.org/show_bug.cgi?id=174924
        http://trac.webkit.org/changeset/221384

2017-08-30  Saam Barati  <sbarati@apple.com>

        semicolon is being interpreted as an = in the LiteralParser
        https://bugs.webkit.org/show_bug.cgi?id=176114

        Reviewed by Oliver Hunt.

        When lexing a semicolon in the LiteralParser, we were properly
        setting the TokenType on the current token, however, we were
        *returning* the wrong TokenType. The lex function both returns
        the TokenType and sets it on the current token. Semicolon was
        setting the TokenType to semicolon, but returning the TokenType
        for '='. This caused programs like `x;123` to be interpreted as
        `x=123`.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::next):
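
The lexer contract described in the entry above (lex() both stores the TokenType on the current token and returns it), as an added example that is not JSC's LiteralParser code. The token names, the Lexer class and the `buggy` switch are this example's own; the buggy mode reproduces the defect the entry describes (';' stores TokSemi but returns TokAssign), and returnMatchesStoredType() is the unit-test style check that would have caught it:

```cpp
#include <cctype>
#include <string>
#include <utility>
#include <vector>

// Token kinds for the toy lexer. Names are this example's own, not JSC's.
enum TokenType { TokIdentifier, TokNumber, TokAssign, TokSemi, TokEnd, TokError };

struct Token {
    TokenType type = TokError;
    std::string text;
};

class Lexer {
public:
    // 'buggy' reproduces the defect from the ChangeLog entry: ';' stores
    // TokSemi on the current token but returns TokAssign.
    Lexer(std::string source, bool buggy)
        : m_source(std::move(source)), m_buggy(buggy) { }

    // Contract: lex() records the token on currentToken() AND returns its type.
    TokenType lex()
    {
        while (m_pos < m_source.size() && std::isspace(static_cast<unsigned char>(m_source[m_pos])))
            ++m_pos;
        m_current = Token();
        if (m_pos >= m_source.size())
            return m_current.type = TokEnd;

        char c = m_source[m_pos];
        if (std::isalpha(static_cast<unsigned char>(c))) {
            size_t start = m_pos;
            while (m_pos < m_source.size() && std::isalnum(static_cast<unsigned char>(m_source[m_pos])))
                ++m_pos;
            m_current.text = m_source.substr(start, m_pos - start);
            return m_current.type = TokIdentifier;
        }
        if (std::isdigit(static_cast<unsigned char>(c))) {
            size_t start = m_pos;
            while (m_pos < m_source.size() && std::isdigit(static_cast<unsigned char>(m_source[m_pos])))
                ++m_pos;
            m_current.text = m_source.substr(start, m_pos - start);
            return m_current.type = TokNumber;
        }
        ++m_pos;
        switch (c) {
        case '=':
            return m_current.type = TokAssign;
        case ';':
            m_current.type = TokSemi;
            // The defect: the stored type says semicolon, but a consumer that
            // trusts the return value sees '=' and reads `x;123` as `x=123`.
            return m_buggy ? TokAssign : TokSemi;
        default:
            return m_current.type = TokError;
        }
    }

    const Token& currentToken() const { return m_current; }

private:
    std::string m_source;
    size_t m_pos = 0;
    bool m_buggy;
    Token m_current;
};

// What a consumer driven by lex()'s return value sees for the whole input.
std::vector<TokenType> returnedTypes(const std::string& source, bool buggy)
{
    Lexer lexer(source, buggy);
    std::vector<TokenType> out;
    for (TokenType t = lexer.lex(); t != TokEnd && t != TokError; t = lexer.lex())
        out.push_back(t);
    return out;
}

// The check that catches this class of bug: for every token, the returned
// type must equal the type stored on the current token.
bool returnMatchesStoredType(const std::string& source, bool buggy)
{
    Lexer lexer(source, buggy);
    for (;;) {
        TokenType returned = lexer.lex();
        if (returned != lexer.currentToken().type)
            return false;
        if (returned == TokEnd || returned == TokError)
            return true;
    }
}
```

A lexer with a dual contract (return value plus stored state) is easy to drift; asserting the two agree on every token, as returnMatchesStoredType() does, is cheap and makes a mismatch like this one fail on the first test input that contains the affected token.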

2017-08-22  Filip Pizlo  <fpizlo@apple.com>

        Strings need to be in some kind of gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174924

        Reviewed by Oliver Hunt.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        * runtime/JSStringBuilder.h:
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):

2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - Implement async iteration statement: for-await-of
        https://bugs.webkit.org/show_bug.cgi?id=166698

        Reviewed by Yusuke Suzuki.

        Implementation of the for-await-of statement.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        * bytecompiler/BytecodeGenerator.h:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createForOfLoop):
        * parser/NodeConstructors.h:
        (JSC::ForOfNode::ForOfNode):
        * parser/Nodes.h:
        (JSC::ForOfNode::isForAwait const):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/Parser.h:
        (JSC::Scope::setSourceParseMode):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsAsyncGeneratorFunction):
        (JSC::Scope::setIsAsyncGeneratorFunctionBody):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForOfLoop):

2017-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r221317.
        https://bugs.webkit.org/show_bug.cgi?id=176090

        "It broke a testing mode because we will never FTL compile a
        function that repeatedly throws" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "Throwing an exception in the DFG/FTL should not be a
        jettison-able OSR exit"
        https://bugs.webkit.org/show_bug.cgi?id=176060
        http://trac.webkit.org/changeset/221317

2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
        https://bugs.webkit.org/show_bug.cgi?id=175895

        Reviewed by Saam Barati.

        We have `bucket === @sentinelMapBucket` code in builtin. Since @sentinelMapBucket and bucket
        are MapBucket cell (SpecCellOther), we do not have any good fixup for CompareStrictEq.
        But rather than introducing a special fixup edge (like, NonStringCellUse), converting
        CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
        In constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
        if one side of the children is constant non String cell.

        This slightly optimizes map/set iteration.

        set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
        large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
        set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
        map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
        map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCompareEqPtr):
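
Why the folding rule in the entry above is sound, as an added example that is not DFG code: a small value model in which strict equality on string cells compares contents while on any other cell it is identity, so `===` against a constant non-string cell can be answered by a pointer comparison, but `===` against a constant string cell cannot. The Kind/Cell/Value types and the helper names are this example's own assumptions:

```cpp
#include <string>
#include <vector>

// Value model for this example only (not JSC's JSValue or SpeculatedType).
enum class Kind { Number, StringCell, OtherCell }; // OtherCell: e.g. a MapBucket

struct Cell {
    Kind kind;
    std::string contents; // meaningful for StringCell only
};

struct Value {
    Kind kind;
    double number;
    const Cell* cell;
};

Value numberValue(double n) { return Value { Kind::Number, n, nullptr }; }
Value cellValue(const Cell* c) { return Value { c->kind, 0, c }; }

// CompareStrictEq semantics (===): strings compare by contents, other cells by identity.
bool compareStrictEq(const Value& a, const Value& b)
{
    if (a.kind != b.kind)
        return false;
    switch (a.kind) {
    case Kind::Number:
        return a.number == b.number;
    case Kind::StringCell:
        return a.cell->contents == b.cell->contents;
    case Kind::OtherCell:
        return a.cell == b.cell;
    }
    return false;
}

// CompareEqPtr semantics: is the operand exactly this cell?
bool compareEqPtr(const Value& operand, const Cell* constant)
{
    return operand.kind != Kind::Number && operand.cell == constant;
}

// The folding rule from the entry: CompareStrictEq(Untyped, Untyped) becomes
// CompareEqPtr only when the constant side is a cell that is not a string.
bool canFoldToCompareEqPtr(const Cell* constant)
{
    return constant->kind != Kind::StringCell;
}

// Soundness check over a set of operands: the rewrite must agree with === everywhere.
bool foldAgreesWithStrictEq(const Cell* constant, const std::vector<Value>& operands)
{
    for (const Value& v : operands) {
        if (compareStrictEq(v, cellValue(constant)) != compareEqPtr(v, constant))
            return false;
    }
    return true;
}
```

The string case is the one a practitioner should keep in mind when reviewing such a fold: two distinct string cells with equal contents are `===`, so a pointer comparison against a string constant would silently change program results.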

2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use reifying system for "name" property of builtin JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=175260

        Reviewed by Saam Barati.

        Currently builtin JSFunction uses direct property for "name", which is different
        from usual JSFunction. Usual JSFunction uses reifying system for "name". We would like
        to apply this reifying mechanism to builtin JSFunction to simplify code and drop
        JSFunction::createBuiltinFunction.

        We would like to store the "correct" name in FunctionExecutable. For example,
        we would like to store the name like "get [Symbol.species]" to FunctionExecutable
        instead of specifying name when creating JSFunction. To do so, we add new
        annotations, @getter and @overriddenName. When @getter is specified, the name of
        the function becomes "get xxx". And when @overriddenName="xxx" is specified,
        the name of the function becomes "xxx".

        * Scripts/builtins/builtins_generate_combined_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        * builtins/BuiltinExecutables.h:
        * builtins/FunctionPrototype.js:
        (symbolHasInstance): Deleted.
        * builtins/GlobalOperations.js:
        (globalPrivate.speciesGetter): Deleted.
        * builtins/IteratorPrototype.js:
        (symbolIteratorGetter): Deleted.
        * builtins/RegExpPrototype.js:
        (match): Deleted.
        (replace): Deleted.
        (search): Deleted.
        (split): Deleted.
        * jsc.cpp:
        (functionCreateBuiltin):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::createBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):

2017-08-29  Saam Barati  <sbarati@apple.com>

        Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit
        https://bugs.webkit.org/show_bug.cgi?id=176060

        Reviewed by Michael Saboff.

        OSR exiting when we throw an exception is expected behavior. We should
        not count these exits towards our jettison OSR exit threshold.

        * bytecode/ExitKind.cpp:
        (JSC::exitKindToString):
        (JSC::exitKindMayJettison):
        * bytecode/ExitKind.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileThrow):

2017-08-29  Chris Dumez  <cdumez@apple.com>

        Add initial support for dataTransferItem.webkitGetAsEntry()
        https://bugs.webkit.org/show_bug.cgi?id=176038
        <rdar://problem/34121095>

        Reviewed by Wenson Hsieh.

        Add CommonIdentifier needed by [EnabledAtRuntime].

        * runtime/CommonIdentifiers.h:

2017-08-27  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Record actions performed on WebGLRenderingContext
        https://bugs.webkit.org/show_bug.cgi?id=174483
        <rdar://problem/34040722>

        Reviewed by Matt Baker.

        * inspector/protocol/Recording.json:
        * inspector/scripts/codegen/generator.py:
        Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL

2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress warnings in GTK port

        The "block" variable hides the argument variable.

        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):

2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WeakMapData into JSWeakMap and JSWeakSet
        https://bugs.webkit.org/show_bug.cgi?id=143919

        Reviewed by Darin Adler.

        This patch changes WeakMapData from JSCell to JSDestructibleObject,
        renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
        it instead of separately allocating WeakMapData. This reduces memory
        consumption and allocation times.

        Also this patch optimizes sizeof(DeadKeyCleaner) a bit by dropping the m_target
        field. Since this class is always embedded in WeakMapBase, we can calculate
        the WeakMapBase address from the address of DeadKeyCleaner.

        This patch does not include the optimization changing WeakMapData to Set
        for JSWeakSet.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::weakMapSize):
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetSize):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        * runtime/JSWeakMap.cpp:
        (JSC::JSWeakMap::finishCreation): Deleted.
        (JSC::JSWeakMap::visitChildren): Deleted.
        * runtime/JSWeakMap.h:
        (JSC::JSWeakMap::createStructure): Deleted.
        (JSC::JSWeakMap::create): Deleted.
        (JSC::JSWeakMap::weakMapData): Deleted.
        (JSC::JSWeakMap::JSWeakMap): Deleted.
        * runtime/JSWeakSet.cpp:
        (JSC::JSWeakSet::finishCreation): Deleted.
        (JSC::JSWeakSet::visitChildren): Deleted.
        * runtime/JSWeakSet.h:
        (JSC::JSWeakSet::createStructure): Deleted.
        (JSC::JSWeakSet::create): Deleted.
        (JSC::JSWeakSet::weakMapData): Deleted.
        (JSC::JSWeakSet::JSWeakSet): Deleted.
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
        (JSC::WeakMapBase::WeakMapBase):
        (JSC::WeakMapBase::destroy):
        (JSC::WeakMapBase::estimatedSize):
        (JSC::WeakMapBase::visitChildren):
        (JSC::WeakMapBase::set):
        (JSC::WeakMapBase::get):
        (JSC::WeakMapBase::remove):
        (JSC::WeakMapBase::contains):
        (JSC::WeakMapBase::clear):
        (JSC::WeakMapBase::DeadKeyCleaner::target):
        (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
        (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
        * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
        (JSC::WeakMapBase::size const):
        * runtime/WeakMapPrototype.cpp:
        (JSC::getWeakMap):
        (JSC::protoFuncWeakMapDelete):
        (JSC::protoFuncWeakMapGet):
        (JSC::protoFuncWeakMapHas):
        (JSC::protoFuncWeakMapSet):
        (JSC::getWeakMapData): Deleted.
        * runtime/WeakSetPrototype.cpp:
        (JSC::getWeakSet):
        (JSC::protoFuncWeakSetDelete):
        (JSC::protoFuncWeakSetHas):
        (JSC::protoFuncWeakSetAdd):
        (JSC::getWeakMapData): Deleted.
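
The back-pointer elimination described in the entry above (DeadKeyCleaner recovering the owning WeakMapBase from its own address instead of storing m_target), as an added example that is not JSC's WeakMapBase code. The struct layouts and member names below are this example's own assumptions:

```cpp
#include <cstddef>

struct WeakMapBase;

// Embedded helper with no back-pointer: it recomputes its owner from layout.
struct DeadKeyCleaner {
    WeakMapBase* target();
    unsigned liveKeysSeen = 0; // stand-in for the cleaner's own state
};

struct WeakMapBase {
    unsigned keyCount = 0;
    DeadKeyCleaner m_deadKeyCleaner;
    unsigned capacity = 0;
};

// Valid only because every DeadKeyCleaner is embedded in a WeakMapBase at this
// member: a free-standing DeadKeyCleaner would yield a wild pointer. WeakMapBase
// is standard-layout, so offsetof on it is well defined.
inline WeakMapBase* DeadKeyCleaner::target()
{
    char* self = reinterpret_cast<char*>(this);
    return reinterpret_cast<WeakMapBase*>(self - offsetof(WeakMapBase, m_deadKeyCleaner));
}

// The owner reached through the embedded member is the object it lives in.
bool targetRecoversOwner()
{
    WeakMapBase map;
    return map.m_deadKeyCleaner.target() == &map;
}

// The saving the entry describes: the helper carries no pointer-sized field.
bool cleanerCarriesNoPointer()
{
    return sizeof(DeadKeyCleaner) == sizeof(unsigned);
}
```

The invariant to protect when using this pattern is the embedding itself: target() is only meaningful on a DeadKeyCleaner that is the m_deadKeyCleaner member of a live WeakMapBase, so the type should not be constructible or handed out on its own.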

2017-08-25  Daniel Bates  <dabates@apple.com>

        Demarcate code added due to lack of NSDMI for aggregates
        https://bugs.webkit.org/show_bug.cgi?id=175990

        Reviewed by Andy Estes.

        * domjit/DOMJITEffect.h:
        (JSC::DOMJIT::Effect::Effect):
        (JSC::DOMJIT::Effect::forWrite):
        (JSC::DOMJIT::Effect::forRead):
        (JSC::DOMJIT::Effect::forReadWrite):
        (JSC::DOMJIT::Effect::forPure):
        (JSC::DOMJIT::Effect::forDef):
        * runtime/HasOwnPropertyCache.h:
        (JSC::HasOwnPropertyCache::Entry::Entry):
        (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
        * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
        make some comments read well.
        (JSC::Wasm::CallableFunction::CallableFunction):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::WebAssemblyFunction::WebAssemblyFunction):
        * wasm/js/WebAssemblyWrapperFunction.cpp:
        (JSC::WebAssemblyWrapperFunction::create):

2017-08-25  Saam Barati  <sbarati@apple.com>

        Unreviewed. Fix 32-bit after r221196

        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_catch):

2017-08-25  Chris Dumez  <cdumez@apple.com>

        Land stubs for File and Directory Entries API interfaces
        https://bugs.webkit.org/show_bug.cgi?id=175993
        <rdar://problem/34087477>

        Reviewed by Ryosuke Niwa.

        Add CommonIdentifiers needed for [EnabledAtRuntime].

        * runtime/CommonIdentifiers.h:

2017-08-25  Brian Burg  <bburg@apple.com>

        Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
        https://bugs.webkit.org/show_bug.cgi?id=175563
        <rdar://problem/33734492>

        Reviewed by Joseph Pecoraro.

        Add macros for new capability protocol string names. Let's use a reverse
        domain name notification for these capabilities so we know whether they are
        intended for a particular client/port or any WebKit client, and what feature they
        are related to (i.e., webrtc).

        * inspector/remote/RemoteInspectorConstants.h:

2017-08-24  Brian Burg  <bburg@apple.com>

        Web Automation: use automation session configurations to propagate per-session settings
        https://bugs.webkit.org/show_bug.cgi?id=175562
        <rdar://problem/30853362>

        Reviewed by Joseph Pecoraro.

        Add a Cocoa-specific code path to forward capabilities when requesting
        a new session from the remote inspector (i.e., automation) client.

        If other ports want to use this, then we can convert Cocoa types to WebKit types later.

        * inspector/remote/RemoteInspector.h:
        * inspector/remote/RemoteInspectorConstants.h:
        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):

2017-08-25  Saam Barati  <sbarati@apple.com>

        DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
        https://bugs.webkit.org/show_bug.cgi?id=175893

        Reviewed by Mark Lam.

        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::finalizeOSREntrypoints):
        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::linkOSREntries):

2017-08-25  Saam Barati  <sbarati@apple.com>

        Support compiling catch in the DFG
        https://bugs.webkit.org/show_bug.cgi?id=174590
        <rdar://problem/34047845>

        Reviewed by Filip Pizlo.

        This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
        into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396

        To implement catch in the DFG, this patch introduces the concept of multiple
        entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
        through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
        patch contains many straightforward changes generalizing the code to handle more than
        one entrypoint.

        A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
        is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
        that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
        to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
        and SSANaturalLoops vs CPSNaturalLoops.

        The way we compile the catch entrypoint is by bootstrapping the state
        of the program by loading all live bytecode locals from a buffer. The OSR
        entry code will store all live values into that buffer before jumping to
        the entrypoint. The OSR entry code is also responsible for performing type
        proofs of the arguments before doing an OSR entry. If there is a type
        mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
        each catch entrypoint knows the argument type proofs it must perform to enter
        into the DFG. Currently, all entrypoints' argument flush formats are unified
        via ArgumentPosition, but this is just an implementation detail. The code is
        written more generally to assume that each entrypoint may perform its own distinct
        proof.

        op_catch now performs value profiling for all live bytecode locals in the
        LLInt and baseline JIT. This information is then fed into the DFG via the
        ExtractCatchLocal node in the prediction propagation phase.

        This patch also changes how we generate op_catch in bytecode. All op_catches
        are now split out at the end of the program in bytecode. This ensures that
        no op_catch is inside a try block. This is needed to ensure correctness in
        the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
        before SetLocals inside a try block. If an op_catch were in a try block, this
        would cause the phase to insert a Flush before one of the state bootstrapping
        SetLocals, which would generate invalid IR. Moving op_catch to be generated on
        its own at the end of a bytecode stream seemed like the most elegant solution since
        it better represents that we treat op_catch as an entrypoint. This is true
        both in the DFG and in the baseline and LLInt: we don't reach an op_catch
        via normal control flow. Because op_catch cannot throw, this will not break
        any previous semantics of op_catch. Logically, it'd be valid to split try
        blocks around any non-throwing bytecode operation.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::validate):
        * bytecode/CodeBlock.h:
        * bytecode/ValueProfile.h:
        (JSC::ValueProfile::ValueProfile):
        (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
        (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
        (JSC::ValueProfileAndOperandBuffer::forEach):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitCatch):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsCFG.h:
        (JSC::DFG::BackwardsCFG::BackwardsCFG):
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        (JSC::DFG::BasicBlock::findTerminal const):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setDirect):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
        (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        (JSC::DFG::ByteCodeParser::parse):
        * dfg/DFGCFG.h:
        (JSC::DFG::CFG::root):
        (JSC::DFG::CFG::roots):
        (JSC::DFG::CPSCFG::CPSCFG):
        (JSC::DFG::selectCFG):
        * dfg/DFGCPSRethreadingPhase.cpp:
        (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
        * dfg/DFGCSEPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGControlEquivalenceAnalysis.h:
        (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
        * dfg/DFGDCEPhase.cpp:
        (JSC::DFG::DCEPhase::run):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::createDumpList):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGDominators.h:
        (JSC::DFG::Dominators::Dominators):
        (JSC::DFG::ensureDominatorsForCFG):
        * dfg/DFGEdgeDominates.h:
        (JSC::DFG::EdgeDominates::EdgeDominates):
        (JSC::DFG::EdgeDominates::operator()):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupChecksInBlock):
        * dfg/DFGFlushFormat.h:
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::Graph):
        (JSC::DFG::unboxLoopNode):
        (JSC::DFG::Graph::dumpBlockHeader):
        (JSC::DFG::Graph::dump):
        (JSC::DFG::Graph::determineReachability):
        (JSC::DFG::Graph::invalidateCFG):
        (JSC::DFG::Graph::blocksInPreOrder):
        (JSC::DFG::Graph::blocksInPostOrder):
        (JSC::DFG::Graph::ensureCPSDominators):
        (JSC::DFG::Graph::ensureSSADominators):
        (JSC::DFG::Graph::ensureCPSNaturalLoops):
        (JSC::DFG::Graph::ensureSSANaturalLoops):
        (JSC::DFG::Graph::ensureBackwardsCFG):
        (JSC::DFG::Graph::ensureBackwardsDominators):
        (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        (JSC::DFG::Graph::clearCPSCFGData):
        (JSC::DFG::Graph::ensureDominators): Deleted.
        (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
        (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
        (JSC::DFG::Graph::isEntrypoint const):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::shrinkToFit):
        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
        (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
        (JSC::DFG::JITCode::appendCatchEntrypoint):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
        (JSC::DFG::JITCompiler::noticeOSREntry):
        (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
        * dfg/DFGJITCompiler.h:
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        (JSC::DFG::LICMPhase::attemptHoist):
        * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
        (JSC::DFG::LiveCatchVariablePreservationPhase::run):
        (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
        (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
        (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
        (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
        * dfg/DFGLoopPreHeaderCreationPhase.cpp:
        (JSC::DFG::createPreHeader):
        (JSC::DFG::LoopPreHeaderCreationPhase::run):
        * dfg/DFGMaximalFlushInsertionPhase.cpp:
        (JSC::DFG::MaximalFlushInsertionPhase::run):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
        (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::NaturalLoops):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isSwitch const):
        (JSC::DFG::Node::successor):
        (JSC::DFG::Node::catchOSREntryIndex const):
        (JSC::DFG::Node::catchLocalPrediction):
        (JSC::DFG::Node::isSwitch): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGOSREntry.cpp:
        (JSC::DFG::prepareCatchOSREntry):
        * dfg/DFGOSREntry.h:
        * dfg/DFGOSREntrypointCreationPhase.cpp:
        (JSC::DFG::OSREntrypointCreationPhase::run):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::handleExitCounts):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPrePostNumbering.cpp:
        (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
        (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
        (WTF::printInternal): Deleted.
        * dfg/DFGPrePostNumbering.h:
        (): Deleted.
        (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
        (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
        (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
        (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
        (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
        (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
        (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGPutStackSinkingPhase.cpp:
        * dfg/DFGSSACalculator.cpp:
        (JSC::DFG::SSACalculator::nonLocalReachingDef):
        (JSC::DFG::SSACalculator::reachingDefAtTail):
        * dfg/DFGSSACalculator.h:
        (JSC::DFG::SSACalculator::computePhis):
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run):
        (JSC::DFG::performSSAConversion):
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
        (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
        (JSC::DFG::SpeculativeJIT::createOSREntries):
        (JSC::DFG::SpeculativeJIT::linkOSREntries):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
        (JSC::DFG::StaticExecutionCountEstimationPhase::run):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * dfg/DFGTierUpCheckInjectionPhase.cpp:
        (JSC::DFG::TierUpCheckInjectionPhase::run):
        (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):
        * dfg/DFGValidate.cpp:
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
        (JSC::FTL::DFG::LowerDFGToB3::isValid):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::callOperation):
        * jit/JITOpcodes.cpp:
698         (JSC::JIT::emit_op_catch):
699         * jit/JITOpcodes32_64.cpp:
700         (JSC::JIT::emit_op_catch):
701         * jit/JITOperations.cpp:
702         * jit/JITOperations.h:
703         * llint/LLIntSlowPaths.cpp:
704         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
705         * llint/LLIntSlowPaths.h:
706         * llint/LowLevelInterpreter32_64.asm:
707         * llint/LowLevelInterpreter64.asm:
708
709 2017-08-25  Keith Miller  <keith_miller@apple.com>
710
711         Explore increasing max JSString::m_length to UINT_MAX.
712         https://bugs.webkit.org/show_bug.cgi?id=163955
713         <rdar://problem/32001499>
714
715         Reviewed by JF Bastien.
716
717         This can cause us to release assert on some code paths. I don't
718         see a reason to maintain this restriction.
719
720         * runtime/JSString.h:
721         (JSC::JSString::length const):
722         (JSC::JSString::setLength):
723         (JSC::JSString::isValidLength): Deleted.
724         * runtime/JSStringBuilder.h:
725         (JSC::jsMakeNontrivialString):
726
727 2017-08-24  Commit Queue  <commit-queue@webkit.org>
728
729         Unreviewed, rolling out r221119, r221124, and r221143.
730         https://bugs.webkit.org/show_bug.cgi?id=175973
731
732         "I think it regressed JSBench by 20%" (Requested by saamyjoon
733         on #webkit).
734
735         Reverted changesets:
736
737         "Support compiling catch in the DFG"
738         https://bugs.webkit.org/show_bug.cgi?id=174590
739         http://trac.webkit.org/changeset/221119
740
741         "Unreviewed, build fix in GTK port"
742         https://bugs.webkit.org/show_bug.cgi?id=174590
743         http://trac.webkit.org/changeset/221124
744
745         "DFG::JITCode::osrEntry should get sorted since we perform a
746         binary search on it"
747         https://bugs.webkit.org/show_bug.cgi?id=175893
748         http://trac.webkit.org/changeset/221143
749
750 2017-08-24  Michael Saboff  <msaboff@apple.com>
751
752         Enable moving fixed character class terms after fixed character terms for BMP only character classes
753         https://bugs.webkit.org/show_bug.cgi?id=175958
754
755         Reviewed by Saam Barati.
756
757         Currently we don't perform the reordering optimization of fixed character terms that
758         follow fixed character class terms for Unicode patterns.
759
760         This change allows that reordering when the character class contains only BMP
761         characters.
762
763         This fix is covered by existing tests.
764
765         * yarr/YarrJIT.cpp:
766         (JSC::Yarr::YarrGenerator::optimizeAlternative):
767
768 2017-08-24  Michael Saboff  <msaboff@apple.com>
769
770         Add support for RegExp "dotAll" flag
771         https://bugs.webkit.org/show_bug.cgi?id=175924
772
773         Reviewed by Keith Miller.
774
775         The dotAll RegExp flag, 's', changes . to match any character including line terminators.
776         Added the "dotAll" identifier as well as the RegExp.prototype.dotAll getter.
777         Added a new any character CharacterClass that is used to match . terms in a RegExp with
778         the dotAll flag.  In the YARR pattern and parsing code, changed the NewlineClassID, which was only
779         used for '.' processing, to DotClassID.  The selection of which builtin character class
780         that DotClassID resolves to when generating the pattern is conditional on the dotAll flag.
781         This NewlineClassID to DotClassID refactoring includes the atomBuiltInCharacterClass() in
782         the WebCore content extensions code in the PatternParser class.
783
784         As an optimization, the Yarr JIT actually doesn't perform match checks against the builtin
785         any character CharacterClass, it merely reads the character.  There is another optimization
786         in our DotStart enclosure processing where a non-capturing regular expression in the form
787         of .*<expression.*, with options beginning ^ and/or trailing $, match the contained
788         expression and then look for the extents of the surrounding .*'s.  When used with the
789         dotAll flag, that processing always results in the beginning of the string and the end
790         of the string.  Therefore we short circuit finding the beginning and end of the line
791         or string with dotAll patterns.
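
The behaviour described in this entry, shown from the JavaScript side as an added example (this is not WebKit or JSC code; it only assumes an engine that implements the ES2018 dotAll flag). It checks which line terminators `.` matches with and without `s`, reads the `dotAll` getter and flags string, and shows why a `.*<expr>.*` enclosure under dotAll always spans the whole input, which is the short circuit the entry refers to. The pattern literal "needle" and the sample inputs are constructed.

```javascript
// Added example (not WebKit code): what the RegExp dotAll ("s") flag changes.
// Assumes a JavaScript engine that implements the dotAll flag (ES2018).

// The four ECMAScript line terminators: LF, CR, LINE SEPARATOR, PARAGRAPH SEPARATOR.
const LINE_TERMINATORS = ["\n", "\r", "\u2028", "\u2029"];

// Does "." match the single character `ch` under the given flags?
function dotMatches(ch, flags = "") {
  return new RegExp("^.$", flags).test(ch);
}

// Which line terminators "." matches: none by default, all of them with "s".
function terminatorsMatchedByDot(flags = "") {
  return LINE_TERMINATORS.filter((t) => dotMatches(t, flags));
}

// The RegExp.prototype.dotAll getter and its letter in the flags string.
function dotAllInfo(re) {
  return { dotAll: re.dotAll, flags: re.flags };
}

// A ".*<expr>.*" enclosure. Without "s" the surrounding .* stop at a line
// terminator, so the match is bounded by the current line; with "s" it always
// spans from the start of the input to its end, so the extents of the
// surrounding .* need not be searched for at all.
function enclosureSpan(input, flags = "") {
  const m = new RegExp(".*needle.*", flags).exec(input);
  return m ? { start: m.index, end: m.index + m[0].length } : null;
}
```

Calling `enclosureSpan("x\nneedle\ny")` returns a span covering only "needle" (start 2, end 8), while the same call with `"s"` returns the whole string (start 0, end 10).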
792
793         * bytecode/BytecodeDumper.cpp:
794         (JSC::regexpToSourceString):
795         * runtime/CommonIdentifiers.h:
796         * runtime/RegExp.cpp:
797         (JSC::regExpFlags):
798         (JSC::RegExpFunctionalTestCollector::outputOneTest):
799         * runtime/RegExp.h:
800         * runtime/RegExpKey.h:
801         * runtime/RegExpPrototype.cpp:
802         (JSC::RegExpPrototype::finishCreation):
803         (JSC::flagsString):
804         (JSC::regExpProtoGetterDotAll):
805         * yarr/YarrInterpreter.cpp:
806         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
807         * yarr/YarrInterpreter.h:
808         (JSC::Yarr::BytecodePattern::dotAll const):
809         * yarr/YarrJIT.cpp:
810         (JSC::Yarr::YarrGenerator::optimizeAlternative):
811         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
812         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
813         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
814         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
815         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
816         * yarr/YarrParser.h:
817         (JSC::Yarr::Parser::parseTokens):
818         * yarr/YarrPattern.cpp:
819         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
820         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
821         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
822         (JSC::Yarr::YarrPattern::YarrPattern):
823         (JSC::Yarr::PatternTerm::dump):
824         (JSC::Yarr::anycharCreate):
825         * yarr/YarrPattern.h:
826         (JSC::Yarr::YarrPattern::reset):
827         (JSC::Yarr::YarrPattern::anyCharacterClass):
828         (JSC::Yarr::YarrPattern::dotAll const):
829
830 2017-08-23  Filip Pizlo  <fpizlo@apple.com>
831
832         Reduce Gigacage sizes
833         https://bugs.webkit.org/show_bug.cgi?id=175920
834
835         Reviewed by Mark Lam.
836
837         Teach all of the code generators to use the right gigacage masks.
838
839         Also teach Wasm that it has much less memory for signaling memories. With 32GB, we have room for 7 signaling memories. But if
840         we actually did that, then we'd have no memory left for anything else. So, this caps us at 4 signaling memories.
841
842         * ftl/FTLLowerDFGToB3.cpp:
843         (JSC::FTL::DFG::LowerDFGToB3::caged):
844         * jit/AssemblyHelpers.h:
845         (JSC::AssemblyHelpers::cage):
846         (JSC::AssemblyHelpers::cageConditionally):
847         * llint/LowLevelInterpreter64.asm:
848         * runtime/Options.h:
849
850 2017-08-24  Saam Barati  <sbarati@apple.com>
851
852         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
853         https://bugs.webkit.org/show_bug.cgi?id=175893
854
855         Reviewed by Mark Lam.
856
857         * dfg/DFGJITCode.cpp:
858         (JSC::DFG::JITCode::finalizeOSREntrypoints):
859         * dfg/DFGJITCode.h:
860         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
861         * dfg/DFGSpeculativeJIT.cpp:
862         (JSC::DFG::SpeculativeJIT::linkOSREntries):
863
864 2017-08-23  Keith Miller  <keith_miller@apple.com>
865
866         Fix Titzer bench on iOS.
867         https://bugs.webkit.org/show_bug.cgi?id=175917
868
869         Reviewed by Ryosuke Niwa.
870
871         Currently, Titzer bench doesn't run on iOS since the benchmark
872         allocates lots of physical pages that it never actually writes
873         to. We limited the total number of wasm physical pages to the ram
874         size of the phone, which caused us to fail a memory
875         allocation. This patch changes it so we will allocate up to 3x ram
876         size, which seems to fix the problem.
877
878         * wasm/WasmMemory.cpp:
879
880 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
881
882         Unreviewed, fix for test262
883         https://bugs.webkit.org/show_bug.cgi?id=175915
884
885         * runtime/MapPrototype.cpp:
886         (JSC::MapPrototype::finishCreation):
887         * runtime/SetPrototype.cpp:
888         (JSC::SetPrototype::finishCreation):
889
890 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
891
892         Unreviewed, build fix in GTK port
893         https://bugs.webkit.org/show_bug.cgi?id=174590
894
895         * bytecompiler/BytecodeGenerator.cpp:
896         (JSC::BytecodeGenerator::emitCatch):
897         * bytecompiler/BytecodeGenerator.h:
898
899 2017-08-23  Saam Barati  <sbarati@apple.com>
900
901         Support compiling catch in the DFG
902         https://bugs.webkit.org/show_bug.cgi?id=174590
903
904         Reviewed by Filip Pizlo.
905
906         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
907         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
908         
909         To implement catch in the DFG, this patch introduces the concept of multiple
910         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
911         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
912         patch contains many straight forward changes generalizing the code to handle more than
913         one entrypoint.
914         
915         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
916         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
917         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
918         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
919         and SSANaturalLoops vs CPSNaturalLoops.
920         
921         The way we compile the catch entrypoint is by bootstrapping the state
922         of the program by loading all live bytecode locals from a buffer. The OSR
923         entry code will store all live values into that buffer before jumping to
924         the entrypoint. The OSR entry code is also responsible for performing type
925         proofs of the arguments before doing an OSR entry. If there is a type
926         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
927         each catch entrypoint knows the argument type proofs it must perform to enter
928         into the DFG. Currently, all entrypoints' arguments flush format are unified
929         via ArgumentPosition, but this is just an implementation detail. The code is
930         written more generally to assume that each entrypoint may perform its own distinct
931         proof.
932         
933         op_catch now performs value profiling for all live bytecode locals in the
934         LLInt and baseline JIT. This information is then fed into the DFG via the
935         ExtractCatchLocal node in the prediction propagation phase.
936         
937         This patch also changes how we generate op_catch in bytecode. All op_catches
938         are now split out at the end of the program in bytecode. This ensures that
939         no op_catch is inside a try block. This is needed to ensure correctness in
940         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
941         before SetLocals inside a try block. If an op_catch were in a try block, this
942         would cause the phase to insert a Flush before one of the state bootstrapping
943         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
944         its own at the end of a bytecode stream seemed like the most elegant solution since
945         it better represents that we treat op_catch as an entrypoint. This is true
946         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
947         via normal control flow. Because op_catch cannot throw, this will not break
948         any previous semantics of op_catch. Logically, it'd be valid to split try
949         blocks around any non-throwing bytecode operation.
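
The CPSCFG idea above (a fake root with an edge to every entrypoint, so that single-root graph algorithms Just Work) as an added example in JavaScript. This is not WebKit or DFG code: the block names, the `fakeRoot` name and the `makeCFG`/`dominators`/`withFakeRoot` helpers are constructed for the example. It runs a textbook iterative dominator computation once from block `entry` alone (the catch entrypoint is then simply missing from the result, and `exit` is wrongly reported as dominated by `entry`) and once from the synthetic root, where both entrypoints are handled without changing the algorithm.

```javascript
// Added example (not WebKit code): a synthetic root makes a multi-entrypoint
// CFG usable by an unchanged single-root dominator algorithm.

// A CFG: ordered block names, successor lists, and the entrypoints.
function makeCFG(blocks, edges, roots) {
  const succ = Object.fromEntries(blocks.map((b) => [b, []]));
  for (const [from, to] of edges) succ[from].push(to);
  return { blocks, succ, roots };
}

// Blocks reachable from the given roots by following successor edges.
function reachableFrom(cfg, roots) {
  const seen = new Set();
  const work = [...roots];
  while (work.length) {
    const b = work.pop();
    if (seen.has(b)) continue;
    seen.add(b);
    work.push(...cfg.succ[b]);
  }
  return seen;
}

function sameSet(a, b) {
  return a.size === b.size && [...a].every((x) => b.has(x));
}

// Classic iterative dominator data-flow from one root:
// Dom(root) = {root}; Dom(n) = {n} ∪ ⋂ Dom(p) over predecessors p of n.
// Blocks the root cannot reach get no entry at all, which is what goes wrong
// when a graph with a second entrypoint is analysed from block 0 alone.
// Returns { block: sortedDominatorNames } for every reachable block.
function dominators(cfg, root) {
  const reach = reachableFrom(cfg, [root]);
  const nodes = cfg.blocks.filter((b) => reach.has(b));
  const preds = Object.fromEntries(nodes.map((n) => [n, []]));
  for (const n of nodes) for (const s of cfg.succ[n]) preds[s].push(n);
  const dom = Object.fromEntries(nodes.map((n) => [n, new Set(n === root ? [root] : nodes)]));
  for (let changed = true; changed; ) {
    changed = false;
    for (const n of nodes) {
      if (n === root) continue;
      let cur = null;
      for (const p of preds[n]) {
        cur = cur === null ? new Set(dom[p]) : new Set([...cur].filter((x) => dom[p].has(x)));
      }
      cur = cur === null ? new Set() : cur;
      cur.add(n);
      if (!sameSet(cur, dom[n])) {
        dom[n] = cur;
        changed = true;
      }
    }
  }
  return Object.fromEntries(nodes.map((n) => [n, [...dom[n]].sort()]));
}

// CPSCFG-style wrapper: one synthetic root with an edge to every entrypoint.
function withFakeRoot(cfg, fakeRoot = "fakeRoot") {
  const edges = [];
  for (const b of cfg.blocks) for (const s of cfg.succ[b]) edges.push([b, s]);
  for (const r of cfg.roots) edges.push([fakeRoot, r]);
  return makeCFG([fakeRoot, ...cfg.blocks], edges, [fakeRoot]);
}

// Constructed sample: the normal entry flows entry -> body -> exit, and a catch
// block (a second entrypoint, reached by OSR entry rather than by a CFG edge)
// also flows to exit.
function sampleCFG() {
  return makeCFG(
    ["entry", "body", "exit", "catch"],
    [["entry", "body"], ["body", "exit"], ["catch", "exit"]],
    ["entry", "catch"]
  );
}
```

With `dominators(sampleCFG(), "entry")` the `catch` block has no entry and `exit` appears dominated by `body` and `entry`; with `dominators(withFakeRoot(sampleCFG()), "fakeRoot")` the only dominator of `exit` besides itself is the synthetic root, which is the correct answer for a block reachable from either entrypoint.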
950
951         * CMakeLists.txt:
952         * JavaScriptCore.xcodeproj/project.pbxproj:
953         * bytecode/BytecodeDumper.cpp:
954         (JSC::BytecodeDumper<Block>::dumpBytecode):
955         * bytecode/BytecodeList.json:
956         * bytecode/BytecodeUseDef.h:
957         (JSC::computeUsesForBytecodeOffset):
958         * bytecode/CodeBlock.cpp:
959         (JSC::CodeBlock::finishCreation):
960         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
961         (JSC::CodeBlock::validate):
962         * bytecode/CodeBlock.h:
963         * bytecode/ValueProfile.h:
964         (JSC::ValueProfile::ValueProfile):
965         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
966         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
967         (JSC::ValueProfileAndOperandBuffer::forEach):
968         * bytecompiler/BytecodeGenerator.cpp:
969         (JSC::BytecodeGenerator::generate):
970         (JSC::BytecodeGenerator::BytecodeGenerator):
971         (JSC::BytecodeGenerator::emitCatch):
972         (JSC::BytecodeGenerator::emitEnumeration):
973         * bytecompiler/BytecodeGenerator.h:
974         * bytecompiler/NodesCodegen.cpp:
975         (JSC::TryNode::emitBytecode):
976         * dfg/DFGAbstractInterpreterInlines.h:
977         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
978         * dfg/DFGBackwardsCFG.h:
979         (JSC::DFG::BackwardsCFG::BackwardsCFG):
980         * dfg/DFGBasicBlock.cpp:
981         (JSC::DFG::BasicBlock::BasicBlock):
982         * dfg/DFGBasicBlock.h:
983         (JSC::DFG::BasicBlock::findTerminal const):
984         * dfg/DFGByteCodeParser.cpp:
985         (JSC::DFG::ByteCodeParser::setDirect):
986         (JSC::DFG::ByteCodeParser::flush):
987         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
988         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
989         (JSC::DFG::ByteCodeParser::parseBlock):
990         (JSC::DFG::ByteCodeParser::parseCodeBlock):
991         (JSC::DFG::ByteCodeParser::parse):
992         * dfg/DFGCFG.h:
993         (JSC::DFG::CFG::root):
994         (JSC::DFG::CFG::roots):
995         (JSC::DFG::CPSCFG::CPSCFG):
996         (JSC::DFG::selectCFG):
997         * dfg/DFGCPSRethreadingPhase.cpp:
998         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
999         * dfg/DFGCSEPhase.cpp:
1000         * dfg/DFGClobberize.h:
1001         (JSC::DFG::clobberize):
1002         * dfg/DFGControlEquivalenceAnalysis.h:
1003         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
1004         * dfg/DFGDCEPhase.cpp:
1005         (JSC::DFG::DCEPhase::run):
1006         * dfg/DFGDisassembler.cpp:
1007         (JSC::DFG::Disassembler::createDumpList):
1008         * dfg/DFGDoesGC.cpp:
1009         (JSC::DFG::doesGC):
1010         * dfg/DFGDominators.h:
1011         (JSC::DFG::Dominators::Dominators):
1012         (JSC::DFG::ensureDominatorsForCFG):
1013         * dfg/DFGEdgeDominates.h:
1014         (JSC::DFG::EdgeDominates::EdgeDominates):
1015         (JSC::DFG::EdgeDominates::operator()):
1016         * dfg/DFGFixupPhase.cpp:
1017         (JSC::DFG::FixupPhase::fixupNode):
1018         (JSC::DFG::FixupPhase::fixupChecksInBlock):
1019         * dfg/DFGFlushFormat.h:
1020         * dfg/DFGGraph.cpp:
1021         (JSC::DFG::Graph::Graph):
1022         (JSC::DFG::unboxLoopNode):
1023         (JSC::DFG::Graph::dumpBlockHeader):
1024         (JSC::DFG::Graph::dump):
1025         (JSC::DFG::Graph::determineReachability):
1026         (JSC::DFG::Graph::invalidateCFG):
1027         (JSC::DFG::Graph::blocksInPreOrder):
1028         (JSC::DFG::Graph::blocksInPostOrder):
1029         (JSC::DFG::Graph::ensureCPSDominators):
1030         (JSC::DFG::Graph::ensureSSADominators):
1031         (JSC::DFG::Graph::ensureCPSNaturalLoops):
1032         (JSC::DFG::Graph::ensureSSANaturalLoops):
1033         (JSC::DFG::Graph::ensureBackwardsCFG):
1034         (JSC::DFG::Graph::ensureBackwardsDominators):
1035         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
1036         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1037         (JSC::DFG::Graph::clearCPSCFGData):
1038         (JSC::DFG::Graph::ensureDominators): Deleted.
1039         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
1040         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
1041         * dfg/DFGGraph.h:
1042         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
1043         (JSC::DFG::Graph::isEntrypoint const):
1044         * dfg/DFGInPlaceAbstractState.cpp:
1045         (JSC::DFG::InPlaceAbstractState::initialize):
1046         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1047         * dfg/DFGJITCode.cpp:
1048         (JSC::DFG::JITCode::shrinkToFit):
1049         * dfg/DFGJITCode.h:
1050         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
1051         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
1052         (JSC::DFG::JITCode::appendCatchEntrypoint):
1053         * dfg/DFGJITCompiler.cpp:
1054         (JSC::DFG::JITCompiler::compile):
1055         (JSC::DFG::JITCompiler::compileFunction):
1056         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1057         (JSC::DFG::JITCompiler::noticeOSREntry):
1058         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1059         * dfg/DFGJITCompiler.h:
1060         * dfg/DFGLICMPhase.cpp:
1061         (JSC::DFG::LICMPhase::run):
1062         (JSC::DFG::LICMPhase::attemptHoist):
1063         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1064         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
1065         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
1066         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1067         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
1068         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
1069         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
1070         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1071         (JSC::DFG::createPreHeader):
1072         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1073         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1074         (JSC::DFG::MaximalFlushInsertionPhase::run):
1075         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1076         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1077         * dfg/DFGMayExit.cpp:
1078         * dfg/DFGNaturalLoops.h:
1079         (JSC::DFG::NaturalLoops::NaturalLoops):
1080         * dfg/DFGNode.h:
1081         (JSC::DFG::Node::isSwitch const):
1082         (JSC::DFG::Node::successor):
1083         (JSC::DFG::Node::catchOSREntryIndex const):
1084         (JSC::DFG::Node::catchLocalPrediction):
1085         (JSC::DFG::Node::isSwitch): Deleted.
1086         * dfg/DFGNodeType.h:
1087         * dfg/DFGOSREntry.cpp:
1088         (JSC::DFG::prepareCatchOSREntry):
1089         * dfg/DFGOSREntry.h:
1090         * dfg/DFGOSREntrypointCreationPhase.cpp:
1091         (JSC::DFG::OSREntrypointCreationPhase::run):
1092         * dfg/DFGOSRExitCompilerCommon.cpp:
1093         (JSC::DFG::handleExitCounts):
1094         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1095         * dfg/DFGPlan.cpp:
1096         (JSC::DFG::Plan::compileInThreadImpl):
1097         * dfg/DFGPrePostNumbering.cpp:
1098         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
1099         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
1100         (WTF::printInternal): Deleted.
1101         * dfg/DFGPrePostNumbering.h:
1102         (): Deleted.
1103         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
1104         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
1105         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
1106         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
1107         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
1108         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
1109         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
1110         * dfg/DFGPredictionInjectionPhase.cpp:
1111         (JSC::DFG::PredictionInjectionPhase::run):
1112         * dfg/DFGPredictionPropagationPhase.cpp:
1113         * dfg/DFGPutStackSinkingPhase.cpp:
1114         * dfg/DFGSSACalculator.cpp:
1115         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1116         (JSC::DFG::SSACalculator::reachingDefAtTail):
1117         * dfg/DFGSSACalculator.h:
1118         (JSC::DFG::SSACalculator::computePhis):
1119         * dfg/DFGSSAConversionPhase.cpp:
1120         (JSC::DFG::SSAConversionPhase::run):
1121         (JSC::DFG::performSSAConversion):
1122         * dfg/DFGSafeToExecute.h:
1123         (JSC::DFG::safeToExecute):
1124         * dfg/DFGSpeculativeJIT.cpp:
1125         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1126         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1127         (JSC::DFG::SpeculativeJIT::createOSREntries):
1128         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1129         * dfg/DFGSpeculativeJIT32_64.cpp:
1130         (JSC::DFG::SpeculativeJIT::compile):
1131         * dfg/DFGSpeculativeJIT64.cpp:
1132         (JSC::DFG::SpeculativeJIT::compile):
1133         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1134         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1135         * dfg/DFGStrengthReductionPhase.cpp:
1136         (JSC::DFG::StrengthReductionPhase::handleNode):
1137         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1138         (JSC::DFG::TierUpCheckInjectionPhase::run):
1139         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
1140         * dfg/DFGTypeCheckHoistingPhase.cpp:
1141         (JSC::DFG::TypeCheckHoistingPhase::run):
1142         * dfg/DFGValidate.cpp:
1143         * ftl/FTLLink.cpp:
1144         (JSC::FTL::link):
1145         * ftl/FTLLowerDFGToB3.cpp:
1146         (JSC::FTL::DFG::LowerDFGToB3::lower):
1147         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
1148         (JSC::FTL::DFG::LowerDFGToB3::isValid):
1149         * jit/JIT.h:
1150         * jit/JITInlines.h:
1151         (JSC::JIT::callOperation):
1152         * jit/JITOpcodes.cpp:
1153         (JSC::JIT::emit_op_catch):
1154         * jit/JITOpcodes32_64.cpp:
1155         (JSC::JIT::emit_op_catch):
1156         * jit/JITOperations.cpp:
1157         * jit/JITOperations.h:
1158         * llint/LLIntSlowPaths.cpp:
1159         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1160         * llint/LLIntSlowPaths.h:
1161         * llint/LowLevelInterpreter32_64.asm:
1162         * llint/LowLevelInterpreter64.asm:
1163
1164 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1165
1166         Unreviewed, debug build fix
1167         https://bugs.webkit.org/show_bug.cgi?id=174355
1168
1169         * ftl/FTLLowerDFGToB3.cpp:
1170         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1171
1172 2017-08-23  Michael Saboff  <msaboff@apple.com>
1173
1174         REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
1175         https://bugs.webkit.org/show_bug.cgi?id=175903
1176
1177         Reviewed by Saam Barati.
1178
1179         In generateCharacterClassGreedy we were incrementing the "count" register before checking
1180         for the end of the input string.  The at-end-of-input check is the final check before
1181         knowing that the current character matched.  In this case, the end of input check
1182         indicates that we ran out of prechecked characters and therefore should fail the match of
1183         the current character.  The backtracking code uses the value in the "count" register as
1184         the number of characters that successfully matched, which shouldn't include the current
1185         character.  Therefore we need to move the incrementing of "count" to after the
1186         at end of input check.
1187
1188         Through code inspection of the expectations of other backtracking code, I determined that 
1189         the non greedy character class matching code had a similar issue.  I fixed that as well
1190         and added a new test case.
1191
1192         * yarr/YarrJIT.cpp:
1193         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1194         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1195
1196 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1197
1198         [JSC] Optimize Map iteration with intrinsic
1199         https://bugs.webkit.org/show_bug.cgi?id=174355
1200
1201         Reviewed by Saam Barati.
1202
1203         This patch optimizes Map/Set iteration by taking an approach similar to Array iteration.
1204         We create a simple iterator object instead of JSMapIterator and JSSetIterator. And we
1205         directly handle Map/Set buckets in JS builtins. We carefully create mapIteratorNext and
1206         setIteratorNext functions which should be inlined. This leads to a significant performance boost
1207         when they are inlined in for-of iteration.
1208
1209         This patch changes how DFG and FTL handle MapBucket if the bucket is not found.
1210         Previously, we used nullptr for that, and DFG and FTL specially handled this nullptr as a bucket.
1211         Instead, this patch introduces sentinel buckets. They are marked as deleted, and not linked
1212         to any hash maps. And its key and value fields are filled with Undefined. By returning this
1213         sentinel bucket instead of returning nullptr, we simplify DFG and FTL's LoadXXXFromMapBucket
1214         code.
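
The sentinel-bucket design described above, as an added example in JavaScript. This is a toy model and not JSC's HashMapImpl: `ToyMap`, `SENTINEL`, `nextLiveBucket`, `iteratorNext` and `collectEntries` are constructed names, and a plain `Map` stands in for the hash table itself. What it shows is the shape the entry describes: lookups and iteration never return null, deleted buckets stay linked in the chain with their key and value cleared so a live iterator can step over them, and the end of iteration is a frozen sentinel bucket that is flagged deleted and linked into no chain, so the iterator's key/value loads need no null check.

```javascript
// Added example (not WebKit code): a bucket-chained map whose "not found" and
// "end of iteration" results are a sentinel bucket rather than null.

function makeBucket(key, value) {
  return { key, value, deleted: false, next: null };
}

// The sentinel: flagged deleted, key/value undefined, linked into no chain.
const SENTINEL = Object.freeze({ key: undefined, value: undefined, deleted: true, next: null });

class ToyMap {
  constructor() {
    // Dummy head bucket: entries hang off head.next, like a map's bucket head.
    this.head = { key: undefined, value: undefined, deleted: true, next: null };
    this.tail = this.head;
    this.byKey = new Map(); // stands in for the hash table itself
  }

  set(key, value) {
    const found = this.byKey.get(key);
    if (found) {
      found.value = value;
      return this;
    }
    const bucket = makeBucket(key, value);
    this.tail.next = bucket;
    this.tail = bucket;
    this.byKey.set(key, bucket);
    return this;
  }

  // Deleted buckets stay in the chain so a live iterator can skip past them.
  delete(key) {
    const bucket = this.byKey.get(key);
    if (!bucket) return false;
    bucket.deleted = true;
    bucket.key = bucket.value = undefined;
    this.byKey.delete(key);
    return true;
  }

  // A lookup always yields a bucket: the real one or the sentinel, never null.
  getBucket(key) {
    return this.byKey.get(key) || SENTINEL;
  }

  bucketHead() {
    return this.head;
  }
}

// Advance to the next non-deleted bucket, or to the sentinel at the end of the chain.
function nextLiveBucket(bucket) {
  let b = bucket.next;
  while (b !== null && b.deleted) b = b.next;
  return b === null ? SENTINEL : b;
}

// Iterator "next": the sentinel's deleted flag signals completion, so the
// key/value loads below run against a bucket in every case.
function iteratorNext(state) {
  state.bucket = nextLiveBucket(state.bucket);
  if (state.bucket.deleted) return { done: true, value: undefined };
  return { done: false, value: [state.bucket.key, state.bucket.value] };
}

// Drain a map through the iterator protocol above.
function collectEntries(map) {
  const out = [];
  const state = { bucket: map.bucketHead() };
  for (let r = iteratorNext(state); !r.done; r = iteratorNext(state)) out.push(r.value);
  return out;
}
```

Deleting an entry while an iterator is parked before it is the interesting case: the iterator steps over the cleared bucket on its next call and then lands on the sentinel, and further calls keep returning the sentinel because its `next` is null.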
1215
1216         We still keep JSMapIterator and JSSetIterator because they are useful to serialize Map and Set
1217         in WebCore. So they are not used in user observable JS. We change them from JS objects to JS cells.
1218
1219         Existing microbenchmarks show performance improvements.
1220
1221         large-map-iteration                           164.1622+-4.1618     ^     56.6284+-1.5355        ^ definitely 2.8989x faster
1222         set-for-of                                     15.4369+-1.0631     ^      9.2955+-0.5979        ^ definitely 1.6607x faster
1223         map-for-each                                    7.5889+-0.5792     ^      6.3011+-0.4816        ^ definitely 1.2044x faster
1224         map-for-of                                     32.3904+-1.3003     ^     12.6907+-0.6118        ^ definitely 2.5523x faster
1225         map-rehash                                     13.9275+-0.9187     ^     11.5367+-0.6430        ^ definitely 1.2072x faster
1226
1227         * CMakeLists.txt:
1228         * DerivedSources.make:
1229         * builtins/ArrayPrototype.js:
1230         (globalPrivate.createArrayIterator):
1231         * builtins/BuiltinNames.h:
1232         * builtins/MapIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1233         (globalPrivate.mapIteratorNext):
1234         (next):
1235         * builtins/MapPrototype.js:
1236         (globalPrivate.createMapIterator):
1237         (values):
1238         (keys):
1239         (entries):
1240         (forEach):
1241         * builtins/SetIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1242         (globalPrivate.setIteratorNext):
1243         (next):
1244         * builtins/SetPrototype.js:
1245         (globalPrivate.createSetIterator):
1246         (values):
1247         (entries):
1248         (forEach):
1249         * bytecode/BytecodeIntrinsicRegistry.cpp:
1250         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1251         * bytecode/BytecodeIntrinsicRegistry.h:
1252         * bytecode/SpeculatedType.h:
1253         * dfg/DFGAbstractInterpreterInlines.h:
1254         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1255         * dfg/DFGByteCodeParser.cpp:
1256         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1257         * dfg/DFGClobberize.h:
1258         (JSC::DFG::clobberize):
1259         * dfg/DFGDoesGC.cpp:
1260         (JSC::DFG::doesGC):
1261         * dfg/DFGFixupPhase.cpp:
1262         (JSC::DFG::FixupPhase::fixupNode):
1263         * dfg/DFGHeapLocation.cpp:
1264         (WTF::printInternal):
1265         * dfg/DFGHeapLocation.h:
1266         * dfg/DFGNode.h:
1267         (JSC::DFG::Node::hasHeapPrediction):
1268         (JSC::DFG::Node::hasBucketOwnerType):
1269         (JSC::DFG::Node::bucketOwnerType):
1270         (JSC::DFG::Node::OpInfoWrapper::as const):
1271         * dfg/DFGNodeType.h:
1272         * dfg/DFGOperations.cpp:
1273         * dfg/DFGPredictionPropagationPhase.cpp:
1274         * dfg/DFGSafeToExecute.h:
1275         (JSC::DFG::safeToExecute):
1276         * dfg/DFGSpeculativeJIT.cpp:
1277         (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead):
1278         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1279         (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket):
1280         (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket):
1281         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr): Deleted.
1282         * dfg/DFGSpeculativeJIT.h:
1283         * dfg/DFGSpeculativeJIT32_64.cpp:
1284         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1285         (JSC::DFG::SpeculativeJIT::compile):
1286         * dfg/DFGSpeculativeJIT64.cpp:
1287         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1288         (JSC::DFG::SpeculativeJIT::compile):
1289         * ftl/FTLAbstractHeapRepository.h:
1290         * ftl/FTLCapabilities.cpp:
1291         (JSC::FTL::canCompile):
1292         * ftl/FTLLowerDFGToB3.cpp:
1293         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1294         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1295         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketHead):
1296         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1297         (JSC::FTL::DFG::LowerDFGToB3::compileLoadValueFromMapBucket):
1298         (JSC::FTL::DFG::LowerDFGToB3::compileLoadKeyFromMapBucket):
1299         (JSC::FTL::DFG::LowerDFGToB3::setStorage):
1300         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket): Deleted.
1301         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket): Deleted.
1302         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket): Deleted.
1303         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket): Deleted.
1304         * inspector/JSInjectedScriptHost.cpp:
1305         (Inspector::JSInjectedScriptHost::subtype):
1306         (Inspector::JSInjectedScriptHost::getInternalProperties):
1307         (Inspector::cloneMapIteratorObject):
1308         (Inspector::cloneSetIteratorObject):
1309         (Inspector::JSInjectedScriptHost::iteratorEntries):
1310         * runtime/HashMapImpl.h:
1311         (JSC::HashMapBucket::createSentinel):
1312         (JSC::HashMapBucket::offsetOfNext):
1313         (JSC::HashMapBucket::offsetOfDeleted):
1314         (JSC::HashMapImpl::offsetOfHead):
1315         * runtime/Intrinsic.cpp:
1316         (JSC::intrinsicName):
1317         * runtime/Intrinsic.h:
1318         * runtime/JSGlobalObject.cpp:
1319         (JSC::JSGlobalObject::init):
1320         * runtime/JSGlobalObject.h:
1321         * runtime/JSMap.h:
1322         * runtime/JSMapIterator.cpp:
1323         (JSC::JSMapIterator::clone): Deleted.
1324         * runtime/JSMapIterator.h:
1325         (JSC::JSMapIterator::iteratedValue const):
1326         * runtime/JSSet.h:
1327         * runtime/JSSetIterator.cpp:
1328         (JSC::JSSetIterator::clone): Deleted.
1329         * runtime/JSSetIterator.h:
1330         (JSC::JSSetIterator::iteratedValue const):
1331         * runtime/MapConstructor.cpp:
1332         (JSC::mapPrivateFuncMapBucketHead):
1333         (JSC::mapPrivateFuncMapBucketNext):
1334         (JSC::mapPrivateFuncMapBucketKey):
1335         (JSC::mapPrivateFuncMapBucketValue):
1336         * runtime/MapConstructor.h:
1337         * runtime/MapIteratorPrototype.cpp:
1338         (JSC::MapIteratorPrototype::finishCreation):
1339         (JSC::MapIteratorPrototypeFuncNext): Deleted.
1340         * runtime/MapPrototype.cpp:
1341         (JSC::MapPrototype::finishCreation):
1342         (JSC::mapProtoFuncValues): Deleted.
1343         (JSC::mapProtoFuncEntries): Deleted.
1344         (JSC::mapProtoFuncKeys): Deleted.
1345         (JSC::privateFuncMapIterator): Deleted.
1346         (JSC::privateFuncMapIteratorNext): Deleted.
1347         * runtime/MapPrototype.h:
1348         * runtime/SetConstructor.cpp:
1349         (JSC::setPrivateFuncSetBucketHead):
1350         (JSC::setPrivateFuncSetBucketNext):
1351         (JSC::setPrivateFuncSetBucketKey):
1352         * runtime/SetConstructor.h:
1353         * runtime/SetIteratorPrototype.cpp:
1354         (JSC::SetIteratorPrototype::finishCreation):
1355         (JSC::SetIteratorPrototypeFuncNext): Deleted.
1356         * runtime/SetPrototype.cpp:
1357         (JSC::SetPrototype::finishCreation):
1358         (JSC::setProtoFuncSize):
1359         (JSC::setProtoFuncValues): Deleted.
1360         (JSC::setProtoFuncEntries): Deleted.
1361         (JSC::privateFuncSetIterator): Deleted.
1362         (JSC::privateFuncSetIteratorNext): Deleted.
1363         * runtime/SetPrototype.h:
1364         * runtime/VM.cpp:
1365         (JSC::VM::VM):
1366         * runtime/VM.h:
1367
1368 2017-08-23  David Kilzer  <ddkilzer@apple.com>
1369
1370         Fix -Wcast-qual warnings in JavaScriptCore with new clang compiler
1371         <https://webkit.org/b/175889>
1372         <rdar://problem/33667497>
1373
1374         Reviewed by Mark Lam.
1375
1376         * API/ObjCCallbackFunction.mm:
1377         (JSC::objCCallbackFunctionCallAsConstructor): Use
1378         const_cast<JSObjectRef>() since JSValueRef is const while
1379         JSObjectRef is not.
1380         * API/tests/CurrentThisInsideBlockGetterTest.mm:
1381         (+[JSValue valueWithConstructorDescriptor:inContext:]): Use
1382         const_cast<void*>() since JSObjectMake() takes a void*, but
1383         CFBridgingRetain() returns const void*.
1384
1385 2017-08-23  Robin Morisset  <rmorisset@apple.com>
1386
1387         Make GetDynamicVar propagate heap predictions instead of saying HeapTop
1388         https://bugs.webkit.org/show_bug.cgi?id=175738
1389
1390         Reviewed by Saam Barati.
1391
1392         The heap prediction always ends up in m_opInfo2. But GetDynamicVar was already storing getPutInfo in there.
1393         So we move that one into m_opInfo. We can do this because it is 32-bit, and the already present identifierNumber
1394         is also 32-bit, so we can pack both in m_opInfo (which is 64 bits).
1395
1396         * dfg/DFGByteCodeParser.cpp:
1397         (JSC::DFG::makeDynamicVarOpInfo):
1398         (JSC::DFG::ByteCodeParser::parseBlock):
1399         * dfg/DFGNode.h:
1400         (JSC::DFG::Node::getPutInfo):
1401         (JSC::DFG::Node::hasHeapPrediction):
1402         * dfg/DFGPredictionPropagationPhase.cpp:
1403
1404 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
1405
1406         [ESNext] Async iteration - Implement Async Generator - runtime
1407         https://bugs.webkit.org/show_bug.cgi?id=175240
1408
1409         Reviewed by Yusuke Suzuki.
1410
1411         The current implementation is a draft version of Async Iteration.
1412         Link to spec: https://tc39.github.io/proposal-async-iteration/
1413
1414         To implement async generators, new states were added that show the reason why an async generator was suspended:
1415         # yield - return a promise with the result
1416         # await - wait until the promise is resolved and then continue
1417
1418         The main difference between an async function and an async generator is that
1419         an async function returns a promise, but an async generator returns an
1420         object with methods (next, throw and return) that return a promise that
1421         can be resolved with a pair of properties, value and done.
1422         Async generator functions are similar to generator functions, with the following differences:
1423         # When called, async generator functions return an object, an async generator,
1424         whose methods (next, throw, and return) return promises for { value, done },
1425         instead of directly returning { value, done }.
1426         This automatically makes the returned async generator objects async iterators.
1427         # await expressions and for-await-of statements are allowed.
1428         # The behavior of yield* is modified to support
1429           delegation to sync and async iterables
1430
1431         * CMakeLists.txt:
1432         * DerivedSources.make:
1433         * JavaScriptCore.xcodeproj/project.pbxproj:
1434         * builtins/AsyncFromSyncIteratorPrototype.js: Added.
1435         (next.try):
1436         (next):
1437         (return.try):
1438         (return):
1439         (throw.try):
1440         (throw):
1441         (globalPrivate.createAsyncFromSyncIterator):
1442         (globalPrivate.AsyncFromSyncIteratorConstructor):
1443         * builtins/AsyncGeneratorPrototype.js: Added.
1444         (globalPrivate.createAsyncGeneratorQueue):
1445         (globalPrivate.asyncGeneratorQueueIsEmpty):
1446         (globalPrivate.asyncGeneratorQueueCreateItem):
1447         (globalPrivate.asyncGeneratorQueueEnqueue):
1448         (globalPrivate.asyncGeneratorQueueDequeue):
1449         (globalPrivate.asyncGeneratorQueueGetFirstValue):
1450         (globalPrivate.asyncGeneratorDequeue):
1451         (globalPrivate.isExecutionState):
1452         (globalPrivate.isSuspendYieldState):
1453         (globalPrivate.asyncGeneratorReject):
1454         (globalPrivate.asyncGeneratorResolve):
1455         (asyncGeneratorYieldAwaited):
1456         (globalPrivate.asyncGeneratorYield):
1457         (const.onRejected):
1458         (globalPrivate.awaitValue):
1459         (const.onFulfilled):
1460         (globalPrivate.doAsyncGeneratorBodyCall):
1461         (globalPrivate.asyncGeneratorResumeNext.):
1462         (globalPrivate.asyncGeneratorResumeNext):
1463         (globalPrivate.asyncGeneratorEnqueue):
1464         (next):
1465         (return):
1466         (throw):
1467         * builtins/AsyncIteratorPrototype.js: Added.
1468         (symbolAsyncIteratorGetter):
1469         * builtins/BuiltinNames.h:
1470         * bytecode/BytecodeDumper.cpp:
1471         (JSC::BytecodeDumper<Block>::dumpBytecode):
1472         * bytecode/BytecodeIntrinsicRegistry.cpp:
1473         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1474         * bytecode/BytecodeIntrinsicRegistry.h:
1475         * bytecode/BytecodeList.json:
1476         * bytecode/BytecodeUseDef.h:
1477         (JSC::computeUsesForBytecodeOffset):
1478         (JSC::computeDefsForBytecodeOffset):
1479         * bytecompiler/BytecodeGenerator.cpp:
1480         (JSC::BytecodeGenerator::BytecodeGenerator):
1481         (JSC::BytecodeGenerator::emitCreateAsyncGeneratorQueue):
1482         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1483         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1484         (JSC::BytecodeGenerator::emitNewFunction):
1485         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
1486         (JSC::BytecodeGenerator::emitIteratorClose):
1487         (JSC::BytecodeGenerator::emitYieldPoint):
1488         (JSC::BytecodeGenerator::emitYield):
1489         (JSC::BytecodeGenerator::emitCallIterator):
1490         (JSC::BytecodeGenerator::emitAwait):
1491         (JSC::BytecodeGenerator::emitGetIterator):
1492         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1493         (JSC::BytecodeGenerator::emitDelegateYield):
1494         * bytecompiler/BytecodeGenerator.h:
1495         * bytecompiler/NodesCodegen.cpp:
1496         (JSC::ReturnNode::emitBytecode):
1497         (JSC::FunctionNode::emitBytecode):
1498         (JSC::YieldExprNode::emitBytecode):
1499         (JSC::AwaitExprNode::emitBytecode):
1500         * dfg/DFGAbstractInterpreterInlines.h:
1501         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1502         * dfg/DFGByteCodeParser.cpp:
1503         (JSC::DFG::ByteCodeParser::parseBlock):
1504         * dfg/DFGCapabilities.cpp:
1505         (JSC::DFG::capabilityLevel):
1506         * dfg/DFGClobberize.h:
1507         (JSC::DFG::clobberize):
1508         * dfg/DFGClobbersExitState.cpp:
1509         (JSC::DFG::clobbersExitState):
1510         * dfg/DFGDoesGC.cpp:
1511         (JSC::DFG::doesGC):
1512         * dfg/DFGFixupPhase.cpp:
1513         (JSC::DFG::FixupPhase::fixupNode):
1514         * dfg/DFGMayExit.cpp:
1515         * dfg/DFGNode.h:
1516         (JSC::DFG::Node::convertToPhantomNewFunction):
1517         (JSC::DFG::Node::convertToPhantomNewAsyncGeneratorFunction):
1518         (JSC::DFG::Node::hasCellOperand):
1519         (JSC::DFG::Node::isFunctionAllocation):
1520         (JSC::DFG::Node::isPhantomFunctionAllocation):
1521         (JSC::DFG::Node::isPhantomAllocation):
1522         * dfg/DFGNodeType.h:
1523         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1524         * dfg/DFGPredictionPropagationPhase.cpp:
1525         * dfg/DFGSafeToExecute.h:
1526         (JSC::DFG::safeToExecute):
1527         * dfg/DFGSpeculativeJIT.cpp:
1528         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1529         * dfg/DFGSpeculativeJIT32_64.cpp:
1530         (JSC::DFG::SpeculativeJIT::compile):
1531         * dfg/DFGSpeculativeJIT64.cpp:
1532         (JSC::DFG::SpeculativeJIT::compile):
1533         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1534         * dfg/DFGValidate.cpp:
1535         * ftl/FTLCapabilities.cpp:
1536         (JSC::FTL::canCompile):
1537         * ftl/FTLLowerDFGToB3.cpp:
1538         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1539         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1540         * ftl/FTLOperations.cpp:
1541         (JSC::FTL::operationPopulateObjectInOSR):
1542         (JSC::FTL::operationMaterializeObjectInOSR):
1543         * jit/JIT.cpp:
1544         (JSC::JIT::privateCompileMainPass):
1545         * jit/JIT.h:
1546         * jit/JITOpcodes.cpp:
1547         (JSC::JIT::emitNewFuncCommon):
1548         (JSC::JIT::emit_op_new_async_generator_func):
1549         (JSC::JIT::emit_op_new_async_func):
1550         (JSC::JIT::emitNewFuncExprCommon):
1551         (JSC::JIT::emit_op_new_async_generator_func_exp):
1552         * jit/JITOperations.cpp:
1553         * jit/JITOperations.h:
1554         * llint/LLIntSlowPaths.cpp:
1555         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1556         * llint/LLIntSlowPaths.h:
1557         * llint/LowLevelInterpreter.asm:
1558         * parser/ASTBuilder.h:
1559         (JSC::ASTBuilder::createFunctionMetadata):
1560         * runtime/AsyncFromSyncIteratorPrototype.cpp: Added.
1561         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
1562         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
1563         (JSC::AsyncFromSyncIteratorPrototype::create):
1564         * runtime/AsyncFromSyncIteratorPrototype.h: Added.
1565         (JSC::AsyncFromSyncIteratorPrototype::createStructure):
1566         * runtime/AsyncGeneratorFunctionConstructor.cpp: Added.
1567         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
1568         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1569         (JSC::callAsyncGeneratorFunctionConstructor):
1570         (JSC::constructAsyncGeneratorFunctionConstructor):
1571         (JSC::AsyncGeneratorFunctionConstructor::getCallData):
1572         (JSC::AsyncGeneratorFunctionConstructor::getConstructData):
1573         * runtime/AsyncGeneratorFunctionConstructor.h: Added.
1574         (JSC::AsyncGeneratorFunctionConstructor::create):
1575         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
1576         * runtime/AsyncGeneratorFunctionPrototype.cpp: Added.
1577         (JSC::AsyncGeneratorFunctionPrototype::AsyncGeneratorFunctionPrototype):
1578         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1579         * runtime/AsyncGeneratorFunctionPrototype.h: Added.
1580         (JSC::AsyncGeneratorFunctionPrototype::create):
1581         (JSC::AsyncGeneratorFunctionPrototype::createStructure):
1582         * runtime/AsyncGeneratorPrototype.cpp: Added.
1583         (JSC::AsyncGeneratorPrototype::finishCreation):
1584         * runtime/AsyncGeneratorPrototype.h: Added.
1585         (JSC::AsyncGeneratorPrototype::create):
1586         (JSC::AsyncGeneratorPrototype::createStructure):
1587         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype):
1588         * runtime/AsyncIteratorPrototype.cpp: Added.
1589         (JSC::AsyncIteratorPrototype::finishCreation):
1590         * runtime/AsyncIteratorPrototype.h: Added.
1591         (JSC::AsyncIteratorPrototype::create):
1592         (JSC::AsyncIteratorPrototype::createStructure):
1593         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype):
1594         * runtime/CommonIdentifiers.h:
1595         * runtime/FunctionConstructor.cpp:
1596         (JSC::constructFunctionSkippingEvalEnabledCheck):
1597         * runtime/FunctionConstructor.h:
1598         * runtime/FunctionExecutable.h:
1599         * runtime/JSAsyncGeneratorFunction.cpp: Added.
1600         (JSC::JSAsyncGeneratorFunction::JSAsyncGeneratorFunction):
1601         (JSC::JSAsyncGeneratorFunction::createImpl):
1602         (JSC::JSAsyncGeneratorFunction::create):
1603         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1604         * runtime/JSAsyncGeneratorFunction.h: Added.
1605         (JSC::JSAsyncGeneratorFunction::allocationSize):
1606         (JSC::JSAsyncGeneratorFunction::createStructure):
1607         * runtime/JSFunction.cpp:
1608         (JSC::JSFunction::getOwnPropertySlot):
1609         * runtime/JSGlobalObject.cpp:
1610         (JSC::JSGlobalObject::init):
1611         (JSC::JSGlobalObject::visitChildren):
1612         * runtime/JSGlobalObject.h:
1613         (JSC::JSGlobalObject::asyncIteratorPrototype const):
1614         (JSC::JSGlobalObject::asyncGeneratorPrototype const):
1615         (JSC::JSGlobalObject::asyncGeneratorFunctionPrototype const):
1616         (JSC::JSGlobalObject::asyncGeneratorFunctionStructure const):
1617         * runtime/Options.h:
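
The entry above describes the contract the async-generator runtime has to satisfy: next/throw/return each hand back a promise for { value, done }, the object is an async iterable, requests are queued, and yield* delegates to both sync and async iterables. The block below is an added example written for this page, not JavaScriptCore code; the functions countdown, delegate, collect and lifecycle are its own names, chosen to exercise each of those points from plain JavaScript.

```javascript
// Added example, not JavaScriptCore code: the observable contract the
// async-generator runtime described above has to satisfy, checked from JS.

// An async generator that hits both suspension reasons: "await" (wait for a
// promise, then continue) and "yield" (hand a value to the caller).
async function* countdown(n) {
  while (n > 0) {
    const value = await Promise.resolve(n); // await suspension
    yield value;                            // yield suspension
    n -= 1;
  }
  return 'done';
}

// next() hands back a promise synchronously, before the body has run at all.
function nextReturnsPromise() {
  const gen = countdown(1);
  return gen.next() instanceof Promise;
}

// The returned object is an async iterable: Symbol.asyncIterator is inherited
// through the async generator prototype chain.
function isAsyncIterable(obj) {
  return typeof obj[Symbol.asyncIterator] === 'function';
}

// Drain any async iterable with for-await-of.
async function collect(iterable) {
  const out = [];
  for await (const v of iterable) out.push(v);
  return out;
}

// yield* delegates to a sync iterable (wrapped by an async-from-sync
// iterator) and to another async iterable in the same body.
async function* delegate() {
  yield* [1, 2];
  yield* countdown(2);
}

// Requests are queued: two next() calls issued back to back, without
// awaiting the first, are served in order. return() and throw() also come
// back as promises for { value, done }; throw() on a finished generator
// rejects with the supplied error.
async function lifecycle() {
  const gen = countdown(3);
  const [first, second] = await Promise.all([gen.next(), gen.next()]);
  const ret = await gen.return('stopped');
  const after = await gen.next();
  let rejectedWith = null;
  try {
    await gen.throw(new Error('boom'));
  } catch (e) {
    rejectedWith = e.message;
  }
  return { first, second, ret, after, rejectedWith };
}
```

Running collect(delegate()) yields [1, 2, 2, 1]: the two values from the array first, then the two from the delegated async generator. lifecycle() shows the queueing and completion rules; once return() has completed the generator, every later next() resolves to { value: undefined, done: true } and throw() rejects.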
1618
1619 2017-08-22  Michael Saboff  <msaboff@apple.com>
1620
1621         Implement Unicode RegExp support in the YARR JIT
1622         https://bugs.webkit.org/show_bug.cgi?id=174646
1623
1624         Reviewed by Filip Pizlo.
1625
1626         This support is only implemented for 64 bit platforms.  It wouldn't be too hard to add support
1627         for 32 bit platforms with a reasonable number of spare registers.  This code slightly refactors
1628         register usage to reduce the number of callee save registers used for non-Unicode expressions.
1629         For Unicode expressions, there are several more registers used to store constants values for
1630         processing surrogate pairs as well as discerning whether a character belongs to the Basic
1631         Multilingual Plane (BMP) or one of the Supplemental Planes.
1632
1633         This implements JIT support for Unicode expressions very similar to how the interpreter works.
1634         Just like in the interpreter, backtracking code uses more space on the stack to save positions.
1635         Moved the BackTrackInfo* structs to YarrPattern as separate functions.  Added xxxIndex()
1636         functions to each of these to simplify how the JIT code reads and writes the structure fields.
1637
1638         Given that reading surrogate pairs and transforming them into a single code point takes a
1639         little processing, the code that implements reading a Unicode character is implemented as a
1640         leaf function added to the end of the JIT'ed code.  The calling convention for
1641         "tryReadUnicodeCharacterHelper()" is non-standard given that the rest of the code assumes
1642         that argument values stay in argument registers for most of the generated code.
1643         That helper takes the starting character address in one register, regUnicodeInputAndTrail,
1644         and uses another dedicated temporary register, regUnicodeTemp.  The result is typically
1645         returned in regT0.  If another return register is requested, we'll create an inline copy of
1646         that function.
1647
1648         Added a new flag to CharacterClass to signify if a class has non-BMP characters.  This flag
1649         is used in optimizeAlternative() where we swap the order of a fixed character class term with
1650         a fixed character term that immediately follows it.  Since the non-BMP character class may
1651         increment "index" when matching, that must be done first before trying to match a fixed
1652         character term later in the string.
1653
1654         Given the usefulness of the LEA instruction on X86 to create a single pointer value from a
1655         base with index and offset, which the YARR JIT uses heavily, I added a new macroAssembler
1656         function, getEffectiveAddress64(), with an ARM64 implementation.  It just calls x86Lea64()
1657         on X86-64.  Also added an ImplicitAddress version of load16Unaligned().
1658
1659         (JSC::MacroAssemblerARM64::load16Unaligned):
1660         (JSC::MacroAssemblerARM64::getEffectiveAddress64):
1661         * assembler/MacroAssemblerX86Common.h:
1662         (JSC::MacroAssemblerX86Common::load16Unaligned):
1663         (JSC::MacroAssemblerX86Common::load16):
1664         * assembler/MacroAssemblerX86_64.h:
1665         (JSC::MacroAssemblerX86_64::getEffectiveAddress64):
1666         * create_regex_tables:
1667         * runtime/RegExp.cpp:
1668         (JSC::RegExp::compile):
1669         * yarr/YarrInterpreter.cpp:
1670         * yarr/YarrJIT.cpp:
1671         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1672         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1673         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1674         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1675         (JSC::Yarr::YarrGenerator::readCharacter):
1676         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
1677         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
1678         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
1679         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1680         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
1681         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
1682         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):
1683         (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy):
1684         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
1685         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1686         (JSC::Yarr::YarrGenerator::backtrackCharacterClassOnce):
1687         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1688         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1689         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1690         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
1691         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1692         (JSC::Yarr::YarrGenerator::generate):
1693         (JSC::Yarr::YarrGenerator::backtrack):
1694         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
1695         (JSC::Yarr::YarrGenerator::generateEnter):
1696         (JSC::Yarr::YarrGenerator::generateReturn):
1697         (JSC::Yarr::YarrGenerator::YarrGenerator):
1698         (JSC::Yarr::YarrGenerator::compile):
1699         * yarr/YarrJIT.h:
1700         * yarr/YarrPattern.cpp:
1701         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1702         (JSC::Yarr::CharacterClassConstructor::reset):
1703         (JSC::Yarr::CharacterClassConstructor::charClass):
1704         (JSC::Yarr::CharacterClassConstructor::addSorted):
1705         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1706         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
1707         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
1708         * yarr/YarrPattern.h:
1709         (JSC::Yarr::CharacterClass::CharacterClass):
1710         (JSC::Yarr::BackTrackInfoPatternCharacter::beginIndex):
1711         (JSC::Yarr::BackTrackInfoPatternCharacter::matchAmountIndex):
1712         (JSC::Yarr::BackTrackInfoCharacterClass::beginIndex):
1713         (JSC::Yarr::BackTrackInfoCharacterClass::matchAmountIndex):
1714         (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
1715         (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
1716         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1717         (JSC::Yarr::BackTrackInfoParentheticalAssertion::beginIndex):
1718         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1719         (JSC::Yarr::BackTrackInfoParenthesesTerminal::beginIndex):
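
The entry above turns on two things in the JIT: reading a surrogate pair as one code point, and keeping the "index" bookkeeping right when a character class that can match a non-BMP character is followed by a fixed character. The block below is an added example written for this page, not YARR code; readUnicodeChar, codePoints, dotMatchesWholeString and matchClassThenChar are its own names, and it mirrors in JavaScript what the engine's tryReadUnicodeCharacterHelper and optimizeAlternative() have to get right, so the results can be compared with the engine's own /u regexes.

```javascript
// Added example, not JavaScriptCore code: what a Unicode-aware matcher
// must do to read one character from UTF-16 input, written in JS so the
// behaviour can be checked against the engine's own /u regexes.

const LEAD_MIN = 0xD800, LEAD_MAX = 0xDBFF;   // high (lead) surrogates
const TRAIL_MIN = 0xDC00, TRAIL_MAX = 0xDFFF; // low (trail) surrogates

// Read the code unit at `index`. If it is a lead surrogate immediately
// followed by a trail surrogate, combine the pair into one supplementary
// code point and report that two code units were consumed. Anything else,
// including a lone surrogate, is returned as a single BMP code unit.
function readUnicodeChar(str, index) {
  if (index < 0 || index >= str.length) return null;
  const lead = str.charCodeAt(index);
  if (lead >= LEAD_MIN && lead <= LEAD_MAX && index + 1 < str.length) {
    const trail = str.charCodeAt(index + 1);
    if (trail >= TRAIL_MIN && trail <= TRAIL_MAX) {
      const codePoint = 0x10000 + ((lead - LEAD_MIN) << 10) + (trail - TRAIL_MIN);
      return { codePoint, length: 2, isBMP: false };
    }
  }
  return { codePoint: lead, length: 1, isBMP: true };
}

// Walk a string one character at a time, advancing by 1 or 2 code units so
// the cursor never lands inside a pair.
function codePoints(str) {
  const out = [];
  for (let i = 0; i < str.length; ) {
    const ch = readUnicodeChar(str, i);
    out.push(ch.codePoint);
    i += ch.length;
  }
  return out;
}

// The same distinction as seen by the regex engine: without /u a pattern
// matches code units, with /u it matches code points.
function dotMatchesWholeString(str, unicode) {
  return new RegExp('^.$', unicode ? 'u' : '').test(str);
}

// The reordering hazard from the text: a character class that can match a
// non-BMP character may consume two code units, so a fixed character that
// follows it in the pattern must be looked for at index + 2, not index + 1.
// Returns the code-unit index at which `fixed` was found after the class
// match, or -1 if the class or the fixed character did not match.
function matchClassThenChar(str, classPredicate, fixed) {
  const ch = readUnicodeChar(str, 0);
  if (ch === null || !classPredicate(ch.codePoint)) return -1;
  const next = readUnicodeChar(str, ch.length);
  return next !== null && next.codePoint === fixed.codePointAt(0) ? ch.length : -1;
}
```

The input strings in the checks use explicit '\uD83D\uDE00' (U+1F600) escapes so the pair is visible; matchClassThenChar finds the trailing 'a' at code-unit index 2 after a non-BMP class match, which is why the class term has to run first.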
1720
1721 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
1722
1723         Implement 64-bit MacroAssembler::probe support for Windows.
1724         https://bugs.webkit.org/show_bug.cgi?id=175724
1725
1726         Reviewed by Mark Lam.
1727
1728         This is needed to enable the DFG. MSVC no longer supports inline assembly
1729         for 64-bit, which means we have to put the code in an asm file.
1730
1731         * assembler/MacroAssemblerX86Common.cpp:
1732         (JSC::booleanTrueForAvoidingNoReturnDeclaration): Deleted.
1733         * jit/JITStubsMSVC64.asm:
1734
1735 2017-08-22  Devin Rousso  <webkit@devinrousso.com>
1736
1737         Web Inspector: provide way for ShaderPrograms to be enabled/disabled
1738         https://bugs.webkit.org/show_bug.cgi?id=175400
1739
1740         Reviewed by Matt Baker.
1741
1742         * inspector/protocol/Canvas.json:
1743         Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader
1744         program to the supplied boolean value. If this value is true, calls to `drawArrays` and
1745         `drawElements` when that program is in use will have no effect.
1746
1747 2017-08-22  Keith Miller  <keith_miller@apple.com>
1748
1749         Unreviewed, fix windows build... for realz.
1750
1751         * CMakeLists.txt:
1752
1753 2017-08-22  Saam Barati  <sbarati@apple.com>
1754
1755         We are using valueProfileForBytecodeOffset when there may not be a value profile
1756         https://bugs.webkit.org/show_bug.cgi?id=175812
1757
1758         Reviewed by Michael Saboff.
1759
1760         This patch uses the type system to aid the code around CodeBlock's ValueProfile
1761         accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
1762         so there were callers of this that thought it could return nullptr when there
1763         was no such ValueProfile. This was not the case; it always returned a non-null
1764         pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
1765         and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
1766         and does the right thing if there is no such ValueProfile.
1767         
1768         This patch also changes the other ValueProfile accessors on CodeBlock to
1769         return ValueProfile& instead of ValueProfile*. Some callers handled the null
1770         case unnecessarily, and using the type system to specify the result can't be
1771         null removes these useless branches.
1772
1773         * bytecode/CodeBlock.cpp:
1774         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1775         (JSC::CodeBlock::dumpValueProfiles):
1776         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1777         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1778         (JSC::CodeBlock::validate):
1779         * bytecode/CodeBlock.h:
1780         (JSC::CodeBlock::valueProfileForArgument):
1781         (JSC::CodeBlock::valueProfile):
1782         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
1783         (JSC::CodeBlock::getFromAllValueProfiles):
1784         * dfg/DFGByteCodeParser.cpp:
1785         (JSC::DFG::ByteCodeParser::handleInlining):
1786         * dfg/DFGGraph.cpp:
1787         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1788         * dfg/DFGPredictionInjectionPhase.cpp:
1789         (JSC::DFG::PredictionInjectionPhase::run):
1790         * jit/JIT.h:
1791         * jit/JITInlines.h:
1792         (JSC::JIT::emitValueProfilingSite):
1793         * profiler/ProfilerBytecodeSequence.cpp:
1794         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1795         * tools/HeapVerifier.cpp:
1796         (JSC::HeapVerifier::validateJSCell):
1797
1798 2017-08-22  Keith Miller  <keith_miller@apple.com>
1799
1800         Unreviewed, fix windows build... maybe.
1801
1802         * CMakeLists.txt:
1803
1804 2017-08-22  Keith Miller  <keith_miller@apple.com>
1805
1806         Unreviewed, fix cloop build.
1807
1808         * JavaScriptCore.xcodeproj/project.pbxproj:
1809
1810 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
1811
1812         [Win][Release] Crash when running testmasm executable.
1813         https://bugs.webkit.org/show_bug.cgi?id=175772
1814
1815         Reviewed by Mark Lam.
1816
1817         We need to save and restore the modified registers in case one or more registers are callee saved
1818         on the relevant platforms.
1819
1820         * assembler/testmasm.cpp:
1821         (JSC::testProbeReadsArgumentRegisters):
1822         (JSC::testProbeWritesArgumentRegisters):
1823
1824 2017-08-21  Mark Lam  <mark.lam@apple.com>
1825
1826         Change probe code to use static_assert instead of COMPILE_ASSERT.
1827         https://bugs.webkit.org/show_bug.cgi?id=175762
1828
1829         Reviewed by JF Bastien.
1830
1831         * assembler/MacroAssemblerARM.cpp:
1832         * assembler/MacroAssemblerARM64.cpp:
1833         (JSC::MacroAssembler::probe): Deleted.
1834         * assembler/MacroAssemblerARMv7.cpp:
1835         * assembler/MacroAssemblerX86Common.cpp:
1836
1837 2017-08-21  Keith Miller  <keith_miller@apple.com>
1838
1839         Make generate_offset_extractor.rb architectures argument more robust
1840         https://bugs.webkit.org/show_bug.cgi?id=175809
1841
1842         Reviewed by Joseph Pecoraro.
1843
1844         It turns out that some of our builders pass their architectures as
1845         space separated lists.  I decided to just make the splitting of
1846         our list robust to any reasonable combination of spaces and
1847         commas.
1848
1849         * offlineasm/generate_offset_extractor.rb:
1850
1851 2017-08-21  Keith Miller  <keith_miller@apple.com>
1852
1853         Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
1854         https://bugs.webkit.org/show_bug.cgi?id=175690
1855
1856         Reviewed by Michael Saboff.
1857
1858         This should reduce some of the time we spend building offline asm
1859         in our builds (except for linux since they already did this).
1860
1861         * CMakeLists.txt:
1862         * JavaScriptCore.xcodeproj/project.pbxproj:
1863         * offlineasm/backends.rb:
1864         * offlineasm/generate_offset_extractor.rb:
1865
1866 2017-08-20  Mark Lam  <mark.lam@apple.com>
1867
1868         Gardening: fix CLoop build.
1869         https://bugs.webkit.org/show_bug.cgi?id=175688
1870         <rdar://problem/33436870>
1871
1872         Not reviewed.
1873
1874         Make these files dependent on ENABLE(MASM_PROBE).
1875
1876         * assembler/ProbeContext.cpp:
1877         * assembler/ProbeContext.h:
1878         * assembler/ProbeStack.cpp:
1879         * assembler/ProbeStack.h:
1880
1881 2017-08-20  Mark Lam  <mark.lam@apple.com>
1882
1883         Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
1884         https://bugs.webkit.org/show_bug.cgi?id=175688
1885         <rdar://problem/33436870>
1886
1887         Reviewed by JF Bastien.
1888
1889         With this patch, the clients of the MacroAssembler::probe() can now change
1890         stack values without having to worry about whether there is enough room in the
1891         current stack frame for it or not.  This is done using the Probe::Context's stack
1892         member like so:
1893
1894             jit.probe([] (Probe::Context& context) {
1895                 auto cpu = context.cpu;
1896                 auto stack = context.stack();
1897                 uintptr_t* currentSP = cpu.sp<uintptr_t*>();
1898
1899                 // Get a value at the current stack pointer location.
1900                 auto value = stack.get<uintptr_t>(currentSP);
1901
1902                 // Set a value above the current stack pointer (within current frame).
1903                 stack.set<uintptr_t>(currentSP + 10, value);
1904
1905                 // Set a value below the current stack pointer (out of current frame).
1906                 stack.set<uintptr_t>(currentSP - 10, value);
1907
1908                 // Set the new stack pointer.
1909                 cpu.sp() = currentSP - 20;
1910             });
1911
1912         What happens behind the scene:
1913
1914         1. the generated JIT probe code will now call Probe::executeProbe(), and
1915            Probe::executeProbe() will in turn call the client's probe function.
1916
1917            Probe::executeProbe() receives the Probe::State on the machine stack passed
1918            to it by the probe trampoline.  Probe::executeProbe() will instantiate a
1919            Probe::Context to be passed to the client's probe function.  The client will
1920            no longer see the Probe::State directly.
1921
1922         2. The Probe::Context comes with a Probe::Stack which serves as a manager of
1923            stack pages.  Currently, each page is 1K in size.
1924            Probe::Context::stack() returns a reference to an instance of Probe::Stack.
1925
1926         3. Invoking get() or set() on Probe::Stack with an address will lead to the
1927            following:
1928
1929            a. the address will be decoded to a baseAddress that points to the 1K page
1930               that contains that address.
1931
1932            b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
1933               If so, go to step (f).  Else, continue with step (c).
1934
1935            c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
1936               for that specified baseAddress to this mirror page.
1937
1938            d. the mirror page will be added to the ProbeStack's m_pages HashMap,
1939               keyed on the baseAddress.
1940
1941            e. the ProbeStack will also cache the last baseAddress and its corresponding
1942               mirror page in use.  With memory accesses tending to be localized, this
1943               will save us from having to look up the page in the HashMap.
1944
1945            f. get() will map the requested address to a physical address in the mirror
1946               page, and return the value at that location.
1947
1948            g. set() will map the requested address to a physical address in the mirror
1949               page, and set the value at that location in the mirror page.
1950
1951               set() will also set a dirty bit corresponding to the "cache line" that
1952               was modified in the mirror page.
1953
1954         4. When the client's probe function returns, Probe::executeProbe() will check if
1955            there are stack changes that need to be applied.  If stack changes are needed:
1956
1957            a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
1958               space is available to flush the dirty stack pages.  It will also register a
1959               flushStackDirtyPages callback function in the Probe::State.  Thereafter,
1960               Probe::executeProbe() returns to the probe trampoline.
1961
1962            b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
1963               a safe place if needed, and then calls the flushStackDirtyPages callback
1964               if needed.
1965
1966            c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
1967               HashMap and flushes all dirty "cache lines" to the machine stack.
1968               Thereafter, flushStackDirtyPages() returns to the probe trampoline.
1969
1970            d. lastly, the probe trampoline will restore all register values and return
1971               to the pc set in the Probe::State.
1972
1973         To make this patch work, I also had to do the following work:
1974
1975         5. Refactor MacroAssembler::CPUState into Probe::CPUState.
1976            Mainly, this means moving the code over to ProbeContext.h.
1977            I also added some convenience accessor methods for spr registers.
1978
1979            Moved Probe::Context over to its own file ProbeContext.h/cpp.
1980
1981         6. Fix all probe trampolines to pass the address of Probe::executeProbe in
1982            addition to the client's probe function and arg.
1983
1984            I also took this opportunity to optimize the generated JIT probe code to
1985            minimize the amount of memory stores needed.
1986
1987         7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
1988            either lr or pc (or neither), but not both in the same probe invocation.
1989            The ARM64 probe trampoline used to have to check for this invariant in the
1990            assembly trampoline code.  With the introduction of Probe::executeProbe(),
1991            we can now do it there and simplify the trampoline.
1992
1993         8. Fix a bug in the old ARM64 probe trampoline for the case where the client
1994            changes lr.  That code path never worked before, but has now been fixed.
1995
1996         9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
1997            MacroAssemblerARMv7.
1998
1999            We can now use move() with TrustedImmPtr, and it does the same thing but in a
2000            more generic way.
2001
2002        10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
2003            the same semantics as movs (according to the Thumb spec).  This means these
2004            instructions may trash the APSR flags before we have a chance to preserve them.
2005
2006            This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
2007            early on.  This entails adding support for the mrs instruction in the
2008            ARMv7Assembler.
2009
2010        11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
2011            the easy way.
2012
2013            Also fixed testmasm tests which check flag registers to only compare the
2014            portions that are modifiable by the client i.e. some masking is applied.
2015
2016         This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.
2017
2018         * CMakeLists.txt:
2019         * JavaScriptCore.xcodeproj/project.pbxproj:
2020         * assembler/ARMv7Assembler.h:
2021         (JSC::ARMv7Assembler::mrs):
2022         * assembler/AbstractMacroAssembler.h:
2023         * assembler/MacroAssembler.cpp:
2024         (JSC::stdFunctionCallback):
2025         (JSC::MacroAssembler::probe):
2026         * assembler/MacroAssembler.h:
2027         (JSC::MacroAssembler::CPUState::gprName): Deleted.
2028         (JSC::MacroAssembler::CPUState::sprName): Deleted.
2029         (JSC::MacroAssembler::CPUState::fprName): Deleted.
2030         (JSC::MacroAssembler::CPUState::gpr): Deleted.
2031         (JSC::MacroAssembler::CPUState::spr): Deleted.
2032         (JSC::MacroAssembler::CPUState::fpr): Deleted.
2033         (JSC:: const): Deleted.
2034         (JSC::MacroAssembler::CPUState::fpr const): Deleted.
2035         (JSC::MacroAssembler::CPUState::pc): Deleted.
2036         (JSC::MacroAssembler::CPUState::fp): Deleted.
2037         (JSC::MacroAssembler::CPUState::sp): Deleted.
2038         (JSC::MacroAssembler::CPUState::pc const): Deleted.
2039         (JSC::MacroAssembler::CPUState::fp const): Deleted.
2040         (JSC::MacroAssembler::CPUState::sp const): Deleted.
2041         (JSC::Probe::State::gpr): Deleted.
2042         (JSC::Probe::State::spr): Deleted.
2043         (JSC::Probe::State::fpr): Deleted.
2044         (JSC::Probe::State::gprName): Deleted.
2045         (JSC::Probe::State::sprName): Deleted.
2046         (JSC::Probe::State::fprName): Deleted.
2047         (JSC::Probe::State::pc): Deleted.
2048         (JSC::Probe::State::fp): Deleted.
2049         (JSC::Probe::State::sp): Deleted.
2050         * assembler/MacroAssemblerARM.cpp:
2051         (JSC::MacroAssembler::probe):
2052         * assembler/MacroAssemblerARM.h:
2053         (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
2054         * assembler/MacroAssemblerARM64.cpp:
2055         (JSC::MacroAssembler::probe):
2056         (JSC::arm64ProbeError): Deleted.
2057         * assembler/MacroAssemblerARMv7.cpp:
2058         (JSC::MacroAssembler::probe):
2059         * assembler/MacroAssemblerARMv7.h:
2060         (JSC::MacroAssemblerARMv7::armV7Condition):
2061         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
2062         * assembler/MacroAssemblerPrinter.cpp:
2063         (JSC::Printer::printCallback):
2064         * assembler/MacroAssemblerPrinter.h:
2065         * assembler/MacroAssemblerX86Common.cpp:
2066         (JSC::ctiMasmProbeTrampoline):
2067         (JSC::MacroAssembler::probe):
2068         * assembler/Printer.h:
2069         (JSC::Printer::Context::Context):
2070         * assembler/ProbeContext.cpp: Added.
2071         (JSC::Probe::executeProbe):
2072         (JSC::Probe::handleProbeStackInitialization):
2073         (JSC::Probe::probeStateForContext):
2074         * assembler/ProbeContext.h: Added.
2075         (JSC::Probe::CPUState::gprName):
2076         (JSC::Probe::CPUState::sprName):
2077         (JSC::Probe::CPUState::fprName):
2078         (JSC::Probe::CPUState::gpr):
2079         (JSC::Probe::CPUState::spr):
2080         (JSC::Probe::CPUState::fpr):
2081         (JSC::Probe:: const):
2082         (JSC::Probe::CPUState::fpr const):
2083         (JSC::Probe::CPUState::pc):
2084         (JSC::Probe::CPUState::fp):
2085         (JSC::Probe::CPUState::sp):
2086         (JSC::Probe::CPUState::pc const):
2087         (JSC::Probe::CPUState::fp const):
2088         (JSC::Probe::CPUState::sp const):
2089         (JSC::Probe::Context::Context):
2090         (JSC::Probe::Context::gpr):
2091         (JSC::Probe::Context::spr):
2092         (JSC::Probe::Context::fpr):
2093         (JSC::Probe::Context::gprName):
2094         (JSC::Probe::Context::sprName):
2095         (JSC::Probe::Context::fprName):
2096         (JSC::Probe::Context::pc):
2097         (JSC::Probe::Context::fp):
2098         (JSC::Probe::Context::sp):
2099         (JSC::Probe::Context::stack):
2100         (JSC::Probe::Context::hasWritesToFlush):
2101         (JSC::Probe::Context::releaseStack):
2102         * assembler/ProbeStack.cpp: Added.
2103         (JSC::Probe::Page::Page):
2104         (JSC::Probe::Page::flushWrites):
2105         (JSC::Probe::Stack::Stack):
2106         (JSC::Probe::Stack::hasWritesToFlush):
2107         (JSC::Probe::Stack::flushWrites):
2108         (JSC::Probe::Stack::ensurePageFor):
2109         * assembler/ProbeStack.h: Added.
2110         (JSC::Probe::Page::baseAddressFor):
2111         (JSC::Probe::Page::chunkAddressFor):
2112         (JSC::Probe::Page::baseAddress):
2113         (JSC::Probe::Page::get):
2114         (JSC::Probe::Page::set):
2115         (JSC::Probe::Page::hasWritesToFlush const):
2116         (JSC::Probe::Page::flushWritesIfNeeded):
2117         (JSC::Probe::Page::dirtyBitFor):
2118         (JSC::Probe::Page::physicalAddressFor):
2119         (JSC::Probe::Stack::Stack):
2120         (JSC::Probe::Stack::lowWatermark):
2121         (JSC::Probe::Stack::get):
2122         (JSC::Probe::Stack::set):
2123         (JSC::Probe::Stack::newStackPointer const):
2124         (JSC::Probe::Stack::setNewStackPointer):
2125         (JSC::Probe::Stack::isValid):
2126         (JSC::Probe::Stack::pageFor):
2127         * assembler/testmasm.cpp:
2128         (JSC::testProbeReadsArgumentRegisters):
2129         (JSC::testProbeWritesArgumentRegisters):
2130         (JSC::testProbePreservesGPRS):
2131         (JSC::testProbeModifiesStackPointer):
2132         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2133         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2134         (JSC::testProbeModifiesProgramCounter):
2135         (JSC::testProbeModifiesStackValues):
2136         (JSC::run):
2137         (): Deleted.
2138         (JSC::fillStack): Deleted.
2139         (JSC::testProbeModifiesStackWithCallback): Deleted.
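
The Probe::Stack scheme from steps 2 to 4 above, as an added C++ simulation that is not WebKit's own code: a static buffer stands in for the machine stack, addresses are passed as uintptr_t rather than pointers, and the 16-byte chunk ("cache line") size and the stack-pointer position are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <map>
#include <memory>
#include <vector>

namespace ProbeSim {

constexpr size_t pageSize = 1024;  // 1K pages, as in the entry
constexpr size_t chunkSize = 16;   // assumed dirty-bit ("cache line") granularity
constexpr size_t chunksPerPage = pageSize / chunkSize;  // 64, so the dirty bits fit a uint64_t
// Mirror of one 1K machine-stack page plus one dirty bit per chunk.
struct Page {
    uintptr_t baseAddress;
    std::vector<uint8_t> mirror;
    uint64_t dirtyBits = 0;
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(pageSize - 1); }
    uint8_t* physicalAddressFor(uintptr_t address) { return mirror.data() + (address - baseAddress); }
    uint64_t dirtyBitFor(uintptr_t address) const { return uint64_t(1) << ((address - baseAddress) / chunkSize); }
    // Step (c): copy the real stack page into the freshly allocated mirror page.
    explicit Page(uintptr_t address) : baseAddress(baseAddressFor(address)), mirror(pageSize)
    {
        std::memcpy(mirror.data(), reinterpret_cast<const void*>(baseAddress), pageSize);
    }
    // Step (f): reads are served from the mirror, never from the machine stack.
    template<typename T> T get(uintptr_t address) { T v; std::memcpy(&v, physicalAddressFor(address), sizeof v); return v; }
    // Step (g): write to the mirror and mark every chunk the value touches (assumed not to straddle a page).
    template<typename T> void set(uintptr_t address, T value)
    {
        std::memcpy(physicalAddressFor(address), &value, sizeof value);
        dirtyBits |= dirtyBitFor(address) | dirtyBitFor(address + sizeof value - 1);
    }
    // Step 4c: copy only the dirty chunks back to the machine stack.
    bool flushWrites()
    {
        bool hadWrites = dirtyBits != 0;
        for (size_t i = 0; i < chunksPerPage; ++i)
            if (dirtyBits & (uint64_t(1) << i))
                std::memcpy(reinterpret_cast<void*>(baseAddress + i * chunkSize), mirror.data() + i * chunkSize, chunkSize);
        dirtyBits = 0;
        return hadWrites;
    }
};
// Manager of mirror pages, keyed on baseAddress (steps (b), (d), (e)).
class Stack {
public:
    template<typename T> T get(uintptr_t address) { return pageFor(address).get<T>(address); }
    template<typename T> void set(uintptr_t address, T value) { pageFor(address).set<T>(address, value); }
    size_t pageCount() const { return m_pages.size(); }
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (auto& entry : m_pages)
            flushed += entry.second->flushWrites();
        return flushed;
    }
private:
    Page& pageFor(uintptr_t address)
    {
        uintptr_t base = Page::baseAddressFor(address);      // step (a)
        if (m_lastPage && m_lastPage->baseAddress == base)   // step (e): last-page cache
            return *m_lastPage;
        auto it = m_pages.find(base);                        // step (b)
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(address)).first;  // steps (c), (d)
        m_lastPage = it->second.get();
        return *m_lastPage;
    }
    std::map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage = nullptr;
};
// Constructed stand-in for the machine stack: four page-aligned 1K pages.
alignas(pageSize) static uint8_t machineStack[4 * pageSize];
// What the cache did, plus machine-stack words read back after the flush.
struct DemoResult { bool untouchedBeforeFlush; size_t pagesCreated, pagesFlushed; uint64_t above, below, bystander; };
// Replays the probe snippet from the entry: read at sp, write above and below
// sp (the latter lands in a second page), then flush the dirty chunks.
inline DemoResult runDemo()
{
    std::memset(machineStack, 0xAB, sizeof(machineStack));
    uintptr_t sp = reinterpret_cast<uintptr_t>(machineStack) + 2 * pageSize + 8;  // assumed current sp
    Stack stack;
    uint64_t value = stack.get<uint64_t>(sp);
    stack.set<uint64_t>(sp + 80, value + 1);   // 10 words above sp, same page
    stack.set<uint64_t>(sp - 80, value + 2);   // 10 words below sp, previous page
    DemoResult r{};
    r.untouchedBeforeFlush = std::memcmp(reinterpret_cast<void*>(sp + 80), &value, 8) == 0;
    // A word in a chunk the probe never wrote is changed behind the cache's back; the
    // chunk-granular flush must leave it alone.
    std::memset(reinterpret_cast<void*>(sp + 200), 0xCD, 8);
    r.pagesCreated = stack.pageCount();
    r.pagesFlushed = stack.flushWrites();
    std::memcpy(&r.above, reinterpret_cast<void*>(sp + 80), 8);
    std::memcpy(&r.below, reinterpret_cast<void*>(sp - 80), 8);
    std::memcpy(&r.bystander, reinterpret_cast<void*>(sp + 200), 8);
    return r;
}
}  // namespace ProbeSim
```

The bystander word shows the consequence of flushing at chunk granularity: anything in a chunk no set() touched is left exactly as the machine stack has it at flush time.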
2140
2141 2017-08-19  Andy Estes  <aestes@apple.com>
2142
2143         [Payment Request] Add interface stubs
2144         https://bugs.webkit.org/show_bug.cgi?id=175730
2145
2146         Reviewed by Youenn Fablet.
2147
2148         * runtime/CommonIdentifiers.h:
2149
2150 2017-08-18  Per Arne Vollan  <pvollan@apple.com>
2151
2152         Implement 32-bit MacroAssembler::probe support for Windows.
2153         https://bugs.webkit.org/show_bug.cgi?id=175449
2154
2155         Reviewed by Mark Lam.
2156
2157         This is needed to enable the DFG.
2158
2159         * assembler/MacroAssemblerX86Common.cpp:
2160         * assembler/testmasm.cpp:
2161         (JSC::run):
2162         (dllLauncherEntryPoint):
2163         * shell/CMakeLists.txt:
2164         * shell/PlatformWin.cmake:
2165
2166 2017-08-18  Mark Lam  <mark.lam@apple.com>
2167
2168         Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
2169         https://bugs.webkit.org/show_bug.cgi?id=175725
2170         <rdar://problem/33965477>
2171
2172         Rubber-stamped by JF Bastien.
2173
2174         This is purely a refactoring patch (in preparation for the introduction of a
2175         Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
2176         later).  This patch does not change any semantics / behavior.
2177
2178         * assembler/AbstractMacroAssembler.h:
2179         * assembler/MacroAssembler.cpp:
2180         (JSC::stdFunctionCallback):
2181         (JSC::MacroAssembler::probe):
2182         * assembler/MacroAssembler.h:
2183         (JSC::ProbeContext::gpr): Deleted.
2184         (JSC::ProbeContext::spr): Deleted.
2185         (JSC::ProbeContext::fpr): Deleted.
2186         (JSC::ProbeContext::gprName): Deleted.
2187         (JSC::ProbeContext::sprName): Deleted.
2188         (JSC::ProbeContext::fprName): Deleted.
2189         (JSC::ProbeContext::pc): Deleted.
2190         (JSC::ProbeContext::fp): Deleted.
2191         (JSC::ProbeContext::sp): Deleted.
2192         * assembler/MacroAssemblerARM.cpp:
2193         (JSC::MacroAssembler::probe):
2194         * assembler/MacroAssemblerARM.h:
2195         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2196         * assembler/MacroAssemblerARM64.cpp:
2197         (JSC::arm64ProbeError):
2198         (JSC::MacroAssembler::probe):
2199         * assembler/MacroAssemblerARMv7.cpp:
2200         (JSC::MacroAssembler::probe):
2201         * assembler/MacroAssemblerARMv7.h:
2202         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
2203         * assembler/MacroAssemblerPrinter.cpp:
2204         (JSC::Printer::printCallback):
2205         * assembler/MacroAssemblerPrinter.h:
2206         * assembler/MacroAssemblerX86Common.cpp:
2207         (JSC::MacroAssembler::probe):
2208         * assembler/Printer.h:
2209         (JSC::Printer::Context::Context):
2210         * assembler/testmasm.cpp:
2211         (JSC::testProbeReadsArgumentRegisters):
2212         (JSC::testProbeWritesArgumentRegisters):
2213         (JSC::testProbePreservesGPRS):
2214         (JSC::testProbeModifiesStackPointer):
2215         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2216         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2217         (JSC::testProbeModifiesProgramCounter):
2218         (JSC::fillStack):
2219         (JSC::testProbeModifiesStackWithCallback):
2220         (JSC::run):
2221         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.
2222
2223 2017-08-17  JF Bastien  <jfbastien@apple.com>
2224
2225         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
2226         https://bugs.webkit.org/show_bug.cgi?id=175693
2227         <rdar://problem/33952443>
2228
2229         Reviewed by Saam Barati.
2230
2231         64-bit constants in an unreachable context were being decoded as
2232         32-bit constants. This is pretty benign because unreachable code
2233         shouldn't occur often. The effect is that 64-bit constants which
2234         can't be encoded as 32-bit constants would cause the binary to be
2235         rejected.
2236
2237         At the same time, 32-bit integer constants should be decoded as signed.
2238
2239         * wasm/WasmFunctionParser.h:
2240         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
2241
2242 2017-08-17  Robin Morisset  <rmorisset@apple.com>
2243
2244         Teach DFGFixupPhase.cpp that the current scope is always a cell
2245         https://bugs.webkit.org/show_bug.cgi?id=175610
2246
2247         Reviewed by Keith Miller.
2248
2249         Also teach it that the argument to with can usually be speculated to be an object,
2250         since toObject() is called on it.
2251
2252         * dfg/DFGFixupPhase.cpp:
2253         (JSC::DFG::FixupPhase::fixupNode):
2254         * dfg/DFGSpeculativeJIT.cpp:
2255         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2256         * dfg/DFGSpeculativeJIT.h:
2257         (JSC::DFG::SpeculativeJIT::callOperation):
2258         * ftl/FTLLowerDFGToB3.cpp:
2259         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2260         * jit/JITOperations.cpp:
2261         * jit/JITOperations.h:
2262
2263 2017-08-17  Matt Baker  <mattbaker@apple.com>
2264
2265         Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
2266         https://bugs.webkit.org/show_bug.cgi?id=175644
2267
2268         Reviewed by Brian Burg.
2269
2270         * inspector/agents/InspectorScriptProfilerAgent.h:
2271
2272 2017-08-17  Mark Lam  <mark.lam@apple.com>
2273
2274         Only use 16 VFP registers if !CPU(ARM_NEON).
2275         https://bugs.webkit.org/show_bug.cgi?id=175514
2276
2277         Reviewed by JF Bastien.
2278
2279         Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
2280         says that there are only 16 128-bit NEON registers.  This change is merely to
2281         correct the code documentation of these registers.  The FPQuadRegisterIDs are
2282         currently unused.
2283
2284         * assembler/ARMAssembler.h:
2285         (JSC::ARMAssembler::lastFPRegister):
2286         (JSC::ARMAssembler::fprName):
2287         * assembler/ARMv7Assembler.h:
2288         (JSC::ARMv7Assembler::lastFPRegister):
2289         (JSC::ARMv7Assembler::fprName):
2290         * assembler/MacroAssemblerARM.cpp:
2291         * assembler/MacroAssemblerARMv7.cpp:
2292
2293 2017-08-17  Andreas Kling  <akling@apple.com>
2294
2295         Disable CSS regions at compile time
2296         https://bugs.webkit.org/show_bug.cgi?id=175630
2297
2298         Reviewed by Antti Koivisto.
2299
2300         * Configurations/FeatureDefines.xcconfig:
2301
2302 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
2303
2304         [WPE][GTK] Ensure proper casting of data in gvariants
2305         https://bugs.webkit.org/show_bug.cgi?id=175667
2306
2307         Reviewed by Michael Catanzaro.
2308
2309         g_variant_new requires data to have the correct width for their types, using
2310         casting if necessary. Some data of type `unsigned` were being saved to `guint64`
2311         types without explicit casting, leading to undefined behavior in some platforms.
2312
2313         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2314         (Inspector::RemoteInspector::listingForInspectionTarget const):
2315         (Inspector::RemoteInspector::listingForAutomationTarget const):
2316         (Inspector::RemoteInspector::sendMessageToRemote):
2317
2318 2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2319
2320         [JSC] Avoid code bloating for iteration if block does not have "break"
2321         https://bugs.webkit.org/show_bug.cgi?id=173228
2322
2323         Reviewed by Keith Miller.
2324
2325         Currently, we always emit code for the break path when emitting for-of iteration.
2326         But we can know whether this break path can be used when emitting the bytecode.
2327
2328         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
2329         the break label may be bound. We emit a breaked path only when it returns
2330         true. This reduces bytecode bloating when using for-of iteration.
2331
2332         * bytecompiler/BytecodeGenerator.cpp:
2333         (JSC::Label::setLocation):
2334         (JSC::BytecodeGenerator::newLabel):
2335         (JSC::BytecodeGenerator::emitLabel):
2336         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2337         (JSC::BytecodeGenerator::breakTarget):
2338         (JSC::BytecodeGenerator::continueTarget):
2339         (JSC::BytecodeGenerator::emitEnumeration):
2340         * bytecompiler/BytecodeGenerator.h:
2341         * bytecompiler/Label.h:
2342         (JSC::Label::bind const):
2343         (JSC::Label::hasOneRef const):
2344         (JSC::Label::isBound const):
2345         (JSC::Label::Label): Deleted.
2346         * bytecompiler/LabelScope.h:
2347         (JSC::LabelScope::hasOneRef const):
2348         (JSC::LabelScope::breakTargetMayBeBound const):
2349         * bytecompiler/NodesCodegen.cpp:
2350         (JSC::ContinueNode::trivialTarget):
2351         (JSC::ContinueNode::emitBytecode):
2352         (JSC::BreakNode::trivialTarget):
2353         (JSC::BreakNode::emitBytecode):
2354
2355 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
2356
2357         ARM build fix after r220807 and r220834.
2358         https://bugs.webkit.org/show_bug.cgi?id=175617
2359
2360         Unreviewed typo fix.
2361
2362         * assembler/MacroAssemblerARM.cpp:
2363
2364 2017-08-17  Mark Lam  <mark.lam@apple.com>
2365
2366         Gardening: build fix for ARM_TRADITIONAL after r220807.
2367         https://bugs.webkit.org/show_bug.cgi?id=175617
2368
2369         Not reviewed.
2370
2371         * assembler/MacroAssemblerARM.cpp:
2372
2373 2017-08-16  Mark Lam  <mark.lam@apple.com>
2374
2375         Add back the ability to disable MASM_PROBE from the build.
2376         https://bugs.webkit.org/show_bug.cgi?id=175656
2377         <rdar://problem/33933720>
2378
2379         Reviewed by Yusuke Suzuki.
2380
2381         This is needed for ports that the existing MASM_PROBE implementation doesn't work
2382         well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
2383         default if !ENABLE(MASM_PROBE).
2384
2385         * assembler/AbstractMacroAssembler.h:
2386         * assembler/MacroAssembler.cpp:
2387         * assembler/MacroAssembler.h:
2388         * assembler/MacroAssemblerARM.cpp:
2389         * assembler/MacroAssemblerARM64.cpp:
2390         * assembler/MacroAssemblerARMv7.cpp:
2391         * assembler/MacroAssemblerPrinter.cpp:
2392         * assembler/MacroAssemblerPrinter.h:
2393         * assembler/MacroAssemblerX86Common.cpp:
2394         * assembler/testmasm.cpp:
2395         (JSC::run):
2396         * b3/B3LowerToAir.cpp:
2397         * b3/air/AirPrintSpecial.cpp:
2398         * b3/air/AirPrintSpecial.h:
2399
2400 2017-08-16  Dan Bernstein  <mitz@apple.com>
2401
2402         [Cocoa] Older-iOS install name symbols are being exported on other platforms
2403         https://bugs.webkit.org/show_bug.cgi?id=175654
2404
2405         Reviewed by Tim Horton.
2406
2407         * API/JSBase.cpp: Define the symbols only when targeting iOS.
2408
2409 2017-08-16  Matt Baker  <mattbaker@apple.com>
2410
2411         Web Inspector: capture async stack trace when workers/main context posts a message
2412         https://bugs.webkit.org/show_bug.cgi?id=167084
2413         <rdar://problem/30033673>
2414
2415         Reviewed by Brian Burg.
2416
2417         * inspector/agents/InspectorDebuggerAgent.h:
2418         Add `PostMessage` async call type.
2419
2420 2017-08-16  Mark Lam  <mark.lam@apple.com>
2421
2422         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
2423         https://bugs.webkit.org/show_bug.cgi?id=175617
2424         <rdar://problem/33912104>
2425
2426         Reviewed by JF Bastien.
2427
2428         This patch adds a new feature to MacroAssembler::probe() where the probe function
2429         can provide a ProbeFunction callback to fill in stack values after the stack
2430         pointer has been adjusted.  The probe function can use this feature as follows:
2431
2432         1. Set the new sp value in the ProbeContext's CPUState.
2433
2434         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
2435            which will do the work of filling in the stack values after the probe
2436            trampoline has adjusted the machine stack pointer.
2437
2438         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
2439            to pass to the initializeStackFunction callback.
2440
2441         4. Return from the probe function.
2442
2443         Upon returning from the probe function, the probe trampoline will adjust the
2444         stack pointer based on the sp value in CPUState.  If initializeStackFunction
2445         is not set, the probe trampoline will restore registers and return to its caller.
2446
2447         If initializeStackFunction is set, the trampoline will move the ProbeContext
2448         beyond the range of the stack pointer i.e. it will place the new ProbeContext at
2449         an address lower than where CPUState.sp() points.  This ensures that the
2450         ProbeContext will not be trashed by the initializeStackFunction when it writes to
2451         the stack.  Then, the trampoline will call back to the initializeStackFunction
2452         ProbeFunction to let it fill in the stack values as desired.  The
2453         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
2454         the new location.
2455
2456         initializeStackFunction may now write to the stack at addresses greater or
2457         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
2458         not allowed to change CPUState.sp().  If the initializeStackFunction does not
2459         abide by these rules, then behavior is undefined, and bad things may happen.
2460
2461         For future reference, some implementation details that this patch needed to
2462         be mindful of:
2463
2464         1. When the probe trampoline allocates stack space for the ProbeContext, it
2465            should include OUT_SIZE as well.  This ensures that it doesn't have to move
2466            the ProbeContext on exit if the probe function didn't change the sp.
2467
2468         2. If the trampoline has to move the ProbeContext, it needs to point the machine
2469            sp to new ProbeContext first before copying over the ProbeContext data.  This
2470            protects the new ProbeContext from possibly being trashed by interrupts.
2471
2472         3. When computing the new address of ProbeContext to move to, we need to make
2473            sure that it is properly aligned in accordance with stack ABI requirements
2474            (just like we did when we allocated the ProbeContext on entry to the
2475            probe trampoline).
2476
2477         4. When copying the ProbeContext to its new location, the trampoline should
2478            always copy words from low addresses to high addresses.  This is because if
2479            we're moving the ProbeContext, we'll always be moving it to a lower address.
2480
2481         * assembler/MacroAssembler.h:
2482         * assembler/MacroAssemblerARM.cpp:
2483         * assembler/MacroAssemblerARM64.cpp:
2484         * assembler/MacroAssemblerARMv7.cpp:
2485         * assembler/MacroAssemblerX86Common.cpp:
2486         * assembler/testmasm.cpp:
2487         (JSC::testProbePreservesGPRS):
2488         (JSC::testProbeModifiesStackPointer):
2489         (JSC::fillStack):
2490         (JSC::testProbeModifiesStackWithCallback):
2491         (JSC::run):
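
The ProbeContext relocation that implementation details 1 to 4 above describe, as an added C++ simulation that is not WebKit's own code: OUT_SIZE (32 bytes), the 16-byte stack alignment, the register set, the probe function and its initializeStackFunction callback are all constructed for the example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

namespace TrampolineSim {

constexpr size_t outSize = 32;            // assumed OUT_SIZE the trampoline reserves below the context
constexpr uintptr_t stackAlignment = 16;  // assumed ABI stack alignment

struct CPUState {
    uintptr_t sp;
    uintptr_t gpr[4];
};
struct ProbeContext;
using ProbeFunction = void (*)(ProbeContext*);
struct ProbeContext {
    CPUState cpu;
    ProbeFunction initializeStackFunction;
    void* initializeStackArgs;
};

constexpr uintptr_t alignDown(uintptr_t address) { return address & ~(stackAlignment - 1); }

// Detail 4: copy words from low to high addresses. The context only ever moves
// to a lower address (dst < src), so this stays correct when the old and new
// locations overlap; a high-to-low copy would read words it had already clobbered.
inline void copyWordsLowToHigh(uintptr_t* dst, const uintptr_t* src, size_t words)
{
    for (size_t i = 0; i < words; ++i)
        dst[i] = src[i];
}

// Constructed machine stack and stack pointer register.
alignas(stackAlignment) static uint8_t stackArea[512];
static uintptr_t machineSP = 0;

// Step 2's callback: fills the three words the probe function reserved. It only
// touches addresses >= cpu.sp and leaves cpu.sp alone, as the rules above require.
static void fillStack(ProbeContext* context)
{
    uintptr_t* slots = reinterpret_cast<uintptr_t*>(context->cpu.sp);
    uintptr_t seed = reinterpret_cast<uintptr_t>(context->initializeStackArgs);
    for (size_t i = 0; i < 3; ++i)
        slots[i] = seed + i;
}

// The client's probe function, steps 1-4: lower sp by three words and install the callback.
static void probeFunction(ProbeContext* context)
{
    context->cpu.sp -= 3 * sizeof(uintptr_t);
    context->initializeStackFunction = fillStack;
    context->initializeStackArgs = reinterpret_cast<void*>(0x1000);  // constructed argument
}

struct Result {
    uintptr_t entrySP, finalSP;
    uintptr_t slots[3];          // the words the callback wrote, read back at the final sp
    bool contextSurvivedMove;    // sentinel registers intact after the overlapping copy
    bool contextBelowNewSP;      // the moved context lies entirely below cpu.sp
};

// What the trampoline does around the probe function.
inline Result runTrampoline()
{
    std::memset(stackArea, 0, sizeof(stackArea));
    Result r{};
    r.entrySP = reinterpret_cast<uintptr_t>(stackArea) + sizeof(stackArea);
    // Entry: reserve the context plus OUT_SIZE (detail 1), ABI-aligned (detail 3).
    machineSP = alignDown(r.entrySP - sizeof(ProbeContext) - outSize);
    ProbeContext* context = new (reinterpret_cast<void*>(machineSP)) ProbeContext{};
    context->cpu.sp = r.entrySP;
    for (size_t i = 0; i < 4; ++i)
        context->cpu.gpr[i] = 0x1111 * (i + 1);   // sentinel register values

    probeFunction(context);

    if (context->initializeStackFunction) {
        // Relocate the context below the new sp, again aligned (detail 3).
        uintptr_t newAddress = alignDown(context->cpu.sp - sizeof(ProbeContext) - outSize);
        machineSP = newAddress;   // detail 2: move sp first so an interrupt cannot trash the copy
        ProbeContext* moved = reinterpret_cast<ProbeContext*>(newAddress);
        copyWordsLowToHigh(reinterpret_cast<uintptr_t*>(moved), reinterpret_cast<const uintptr_t*>(context), sizeof(ProbeContext) / sizeof(uintptr_t));
        context = moved;
        context->initializeStackFunction(context);
    }
    r.contextBelowNewSP = reinterpret_cast<uintptr_t>(context) + sizeof(ProbeContext) <= context->cpu.sp;
    r.contextSurvivedMove = true;
    for (size_t i = 0; i < 4; ++i)
        r.contextSurvivedMove = r.contextSurvivedMove && context->cpu.gpr[i] == 0x1111 * (i + 1);
    // Exit: restore registers and set the machine sp to what the client asked for.
    machineSP = context->cpu.sp;
    r.finalSP = machineSP;
    std::memcpy(r.slots, reinterpret_cast<void*>(machineSP), sizeof(r.slots));
    return r;
}

}  // namespace TrampolineSim
```

With these sizes the old and new context locations overlap, so reversing the loop in copyWordsLowToHigh corrupts the moved context (cpu.sp included), which is the failure detail 4 guards against.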
2492
2493 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
2494
2495         Fix JSCOnly ARM buildbots after r220047 and r220184
2496         https://bugs.webkit.org/show_bug.cgi?id=174993
2497
2498         Reviewed by Carlos Alberto Lopez Perez.
2499
2500         * CMakeLists.txt: Generate only one backend on Linux to save build time.
2501
2502 2017-08-16  Andy Estes  <aestes@apple.com>
2503
2504         [Payment Request] Add an ENABLE flag and an experimental feature preference
2505         https://bugs.webkit.org/show_bug.cgi?id=175622
2506
2507         Reviewed by Tim Horton.
2508
2509         * Configurations/FeatureDefines.xcconfig:
2510
2511 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2512
2513         We are too conservative about the effects of PushWithScope
2514         https://bugs.webkit.org/show_bug.cgi?id=175584
2515
2516         Reviewed by Saam Barati.
2517
2518         PushWithScope converts its argument to an object (this can throw a type error,
2519         but has no other observable effect), and allocates a new scope, that it then
2520         makes the new current scope. We were a bit too
2521         conservative in saying that it clobbers the world.
2522
2523         * dfg/DFGAbstractInterpreterInlines.h:
2524         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2525         * dfg/DFGClobberize.h:
2526         (JSC::DFG::clobberize):
2527         * dfg/DFGDoesGC.cpp:
2528         (JSC::DFG::doesGC):
2529
2530 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2531
2532         Make DataTransferItemList work with plain text entries
2533         https://bugs.webkit.org/show_bug.cgi?id=175596
2534
2535         Reviewed by Wenson Hsieh.
2536
2537         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
2538
2539         * runtime/CommonIdentifiers.h:
2540
2541 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2542
2543         Support the 'with' keyword in FTL
2544         https://bugs.webkit.org/show_bug.cgi?id=175585
2545
2546         Reviewed by Saam Barati.
2547
2548         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
2549         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
2550         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
2551         that takes its parentScope argument first.
2552
2553         * bytecompiler/BytecodeGenerator.cpp:
2554         (JSC::BytecodeGenerator::emitPushWithScope):
2555         * debugger/DebuggerCallFrame.cpp:
2556         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2557         * dfg/DFGByteCodeParser.cpp:
2558         (JSC::DFG::ByteCodeParser::parseBlock):
2559         * dfg/DFGFixupPhase.cpp:
2560         (JSC::DFG::FixupPhase::fixupNode):
2561         * dfg/DFGSpeculativeJIT.cpp:
2562         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2563         * ftl/FTLCapabilities.cpp:
2564         (JSC::FTL::canCompile):
2565         * ftl/FTLLowerDFGToB3.cpp:
2566         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2567         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2568         * jit/JITOperations.cpp:
2569         * runtime/CommonSlowPaths.cpp:
2570         (JSC::SLOW_PATH_DECL):
2571         * runtime/Completion.cpp:
2572         (JSC::evaluateWithScopeExtension):
2573         * runtime/JSWithScope.cpp:
2574         (JSC::JSWithScope::create):
2575         * runtime/JSWithScope.h:
2576
2577 2017-08-15  Saam Barati  <sbarati@apple.com>
2578
2579         Make VM::scratchBufferForSize thread safe
2580         https://bugs.webkit.org/show_bug.cgi?id=175604
2581
2582         Reviewed by Geoffrey Garen and Mark Lam.
2583
2584         I want to use the VM::scratchBufferForSize in another patch I'm writing.
2585         The use case for my other patch is to call it from the compiler thread.
2586         When reading the code, I saw that this API was not thread safe. This patch
2587         makes it thread safe. It actually turns out we were calling this API from
2588         the compiler thread already when we created FTL::State for an FTL OSR entry
2589         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
2590         is now correct with this patch.
2591
2592         * runtime/VM.cpp:
2593         (JSC::VM::VM):
2594         (JSC::VM::~VM):
2595         (JSC::VM::gatherConservativeRoots):
2596         (JSC::VM::scratchBufferForSize):
2597         * runtime/VM.h:
2598         (JSC::VM::scratchBufferForSize): Deleted.
2599
2600 2017-08-15  Keith Miller  <keith_miller@apple.com>
2601
2602         JSC named bytecode offsets should use references rather than pointers
2603         https://bugs.webkit.org/show_bug.cgi?id=175601
2604
2605         Reviewed by Saam Barati.
2606
2607         * dfg/DFGByteCodeParser.cpp:
2608         (JSC::DFG::ByteCodeParser::parseBlock):
2609         * jit/JITOpcodes.cpp:
2610         (JSC::JIT::emit_op_overrides_has_instance):
2611         (JSC::JIT::emit_op_instanceof):
2612         (JSC::JIT::emitSlow_op_instanceof):
2613         (JSC::JIT::emitSlow_op_instanceof_custom):
2614         * jit/JITOpcodes32_64.cpp:
2615         (JSC::JIT::emit_op_overrides_has_instance):
2616         (JSC::JIT::emit_op_instanceof):
2617         (JSC::JIT::emitSlow_op_instanceof):
2618         (JSC::JIT::emitSlow_op_instanceof_custom):
2619
2620 2017-08-15  Keith Miller  <keith_miller@apple.com>
2621
2622         Enable named offsets into JSC bytecodes
2623         https://bugs.webkit.org/show_bug.cgi?id=175561
2624
2625         Reviewed by Mark Lam.
2626
2627         This patch adds the ability to add named offsets into JSC's
2628         bytecodes.  In the bytecode json file, instead of listing a
2629         length, you can now list a set of names and their types. Each
2630         opcode with an offsets property will have a struct named after the
2631         opcode in our C++ naming style. For example,
2632         op_overrides_has_instance would become OpOverridesHasInstance. The
2633         struct has the same memory layout as the instruction list has but
2634         comes with handy named accessors.
2635
2636         As a first cut I converted the various instanceof bytecodes to use
2637         named offsets.
2638
2639         As an example op_overrides_has_instance produces the following struct:
2640
2641         struct OpOverridesHasInstance {
2642         public:
2643             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
2644             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
2645             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
2646             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
2647             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
2648             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
2649             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
2650             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
2651
2652         private:
2653             friend class LLIntOffsetsExtractor;
2654             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
2655             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
2656             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
2657             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
2658         };
2659
2660         * CMakeLists.txt:
2661         * DerivedSources.make:
2662         * JavaScriptCore.xcodeproj/project.pbxproj:
2663         * bytecode/BytecodeList.json:
2664         * dfg/DFGByteCodeParser.cpp:
2665         (JSC::DFG::ByteCodeParser::parseBlock):
2666         * generate-bytecode-files:
2667         * jit/JITOpcodes.cpp:
2668         (JSC::JIT::emit_op_overrides_has_instance):
2669         (JSC::JIT::emit_op_instanceof):
2670         (JSC::JIT::emitSlow_op_instanceof):
2671         (JSC::JIT::emitSlow_op_instanceof_custom):
2672         * jit/JITOpcodes32_64.cpp:
2673         (JSC::JIT::emit_op_overrides_has_instance):
2674         (JSC::JIT::emit_op_instanceof):
2675         (JSC::JIT::emitSlow_op_instanceof):
2676         (JSC::JIT::emitSlow_op_instanceof_custom):
2677         * llint/LLIntOffsetsExtractor.cpp:
2678         * llint/LowLevelInterpreter.asm:
2679         * llint/LowLevelInterpreter32_64.asm:
2680         * llint/LowLevelInterpreter64.asm:
2681
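The entry above claims the generated struct "has the same memory layout as the instruction list". The following is an added, stand-alone check of that claim; it is not JSC's generated code or part of generate-bytecode-files. It reproduces the struct with stand-in `Opcode` and `Instruction` types (an assumption: one machine-word slot per operand, an integer opcode id), `static_assert`s the size against the slot count, and decodes a constructed four-slot instruction stream both through the named accessors and through plain index arithmetic. If the JSON operand list and the struct ever diverge, the compile-time check is what catches it.

```cpp
#include <cstddef>
#include <cstdint>
#include <type_traits>

// Stand-ins for JSC's types, assumed for this example: an instruction slot is
// one machine word and an opcode is an integer identifier (in the LLInt it is
// really a label address; only its size matters here).
using Opcode = std::uintptr_t;
union Instruction {
    Opcode opcode;
    int operand;
};

// The generated struct from the entry above, trimmed to its non-const accessors.
// Each member is sized like its field but aligned to a whole instruction slot,
// so the struct overlays the instruction list one slot per operand.
struct OpOverridesHasInstance {
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    static constexpr std::size_t length = 4; // slots, opcode included
private:
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// Compile-time layout check: the struct must be exactly `length` slots wide
// and carry the same alignment as the instruction list it overlays.
static_assert(sizeof(OpOverridesHasInstance) == OpOverridesHasInstance::length * sizeof(Instruction),
    "named-offset struct must have the same layout as the instruction list");
static_assert(alignof(OpOverridesHasInstance) == alignof(Instruction),
    "named-offset struct must be overlayable on an Instruction array");

// Overlay the struct on a raw instruction stream and cross-check every named
// accessor against the old pc[n] index arithmetic. Values are constructed.
bool namedOffsetsMatchIndexedAccess()
{
    Instruction stream[OpOverridesHasInstance::length];
    stream[0].opcode = 42;  // constructed opcode id
    stream[1].operand = 10; // dst
    stream[2].operand = 11; // constructor
    stream[3].operand = 12; // hasInstanceValue
    auto& op = *reinterpret_cast<OpOverridesHasInstance*>(stream);
    return op.opcode() == stream[0].opcode
        && op.dst() == stream[1].operand
        && op.constructor() == stream[2].operand
        && op.hasInstanceValue() == stream[3].operand;
}

// Writing through a named accessor must land in the slot the index form uses.
int slotAfterNamedWrite()
{
    Instruction stream[OpOverridesHasInstance::length] = {};
    auto& op = *reinterpret_cast<OpOverridesHasInstance*>(stream);
    op.constructor() = 99;
    return stream[2].operand;
}
```

The `reinterpret_cast` overlay is the same trick the accessors themselves rely on; the point of the example is that the two `static_assert`s, not the accessors, are what guarantee the overlay is sound.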
2682 2017-08-15  Mark Lam  <mark.lam@apple.com>
2683
2684         Update testmasm to use new CPUState APIs.
2685         https://bugs.webkit.org/show_bug.cgi?id=175573
2686
2687         Reviewed by Keith Miller.
2688
2689         1. Applied convenience CPUState accessors to minimize casting.
2690         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
2691            messages.
2692         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
2693            casting is (mostly) no longer an issue.
2694         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
2695            to make it clear that we're comparing against the bit values of testWord64(id).
2696         5. Added a "Completed N tests" message at the end of running all tests.
2697            This makes it easy to tell at a glance that testmasm completed successfully
2698            versus when it crashed midway in a test.  The number of tests also serves as
2699            a quick checksum to confirm that we ran the number of tests we expected.
2700
2701         * assembler/testmasm.cpp:
2702         (WTF::printInternal):
2703         (JSC::testSimple):
2704         (JSC::testProbeReadsArgumentRegisters):
2705         (JSC::testProbeWritesArgumentRegisters):
2706         (JSC::testProbePreservesGPRS):
2707         (JSC::testProbeModifiesStackPointer):
2708         (JSC::testProbeModifiesProgramCounter):
2709         (JSC::run):
2710
2711 2017-08-14  Keith Miller  <keith_miller@apple.com>
2712
2713         Add testing tool to lie to the DFG about profiles
2714         https://bugs.webkit.org/show_bug.cgi?id=175487
2715
2716         Reviewed by Saam Barati.
2717
2718         This patch adds a new bytecode identity_with_profile that lets
2719         us lie to the DFG about what profiles it has seen as the input to
2720         another bytecode. Previously, there was no reliable way to force
2721         a given profile when we tier up.
2722
2723         * bytecode/BytecodeDumper.cpp:
2724         (JSC::BytecodeDumper<Block>::dumpBytecode):
2725         * bytecode/BytecodeIntrinsicRegistry.h:
2726         * bytecode/BytecodeList.json:
2727         * bytecode/BytecodeUseDef.h:
2728         (JSC::computeUsesForBytecodeOffset):
2729         (JSC::computeDefsForBytecodeOffset):
2730         * bytecode/SpeculatedType.cpp:
2731         (JSC::speculationFromString):
2732         * bytecode/SpeculatedType.h:
2733         * bytecompiler/BytecodeGenerator.cpp:
2734         (JSC::BytecodeGenerator::emitIdWithProfile):
2735         * bytecompiler/BytecodeGenerator.h:
2736         * bytecompiler/NodesCodegen.cpp:
2737         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
2738         * dfg/DFGAbstractInterpreterInlines.h:
2739         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2740         * dfg/DFGByteCodeParser.cpp:
2741         (JSC::DFG::ByteCodeParser::parseBlock):
2742         * dfg/DFGCapabilities.cpp:
2743         (JSC::DFG::capabilityLevel):
2744         * dfg/DFGClobberize.h:
2745         (JSC::DFG::clobberize):
2746         * dfg/DFGDoesGC.cpp:
2747         (JSC::DFG::doesGC):
2748         * dfg/DFGFixupPhase.cpp:
2749         (JSC::DFG::FixupPhase::fixupNode):
2750         * dfg/DFGMayExit.cpp:
2751         * dfg/DFGNode.h:
2752         (JSC::DFG::Node::getForcedPrediction):
2753         * dfg/DFGNodeType.h:
2754         * dfg/DFGPredictionPropagationPhase.cpp:
2755         * dfg/DFGSafeToExecute.h:
2756         (JSC::DFG::safeToExecute):
2757         * dfg/DFGSpeculativeJIT32_64.cpp:
2758         (JSC::DFG::SpeculativeJIT::compile):
2759         * dfg/DFGSpeculativeJIT64.cpp:
2760         (JSC::DFG::SpeculativeJIT::compile):
2761         * dfg/DFGValidate.cpp:
2762         * jit/JIT.cpp:
2763         (JSC::JIT::privateCompileMainPass):
2764         * jit/JIT.h:
2765         * jit/JITOpcodes.cpp:
2766         (JSC::JIT::emit_op_identity_with_profile):
2767         * jit/JITOpcodes32_64.cpp:
2768         (JSC::JIT::emit_op_identity_with_profile):
2769         * llint/LowLevelInterpreter.asm:
2770
2771 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2772
2773         Remove Proximity Events and related code
2774         https://bugs.webkit.org/show_bug.cgi?id=175545
2775
2776         Reviewed by Daniel Bates.
2777
2778         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
2779         and other related code.
2780
2781         * Configurations/FeatureDefines.xcconfig:
2782
2783 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2784
2785         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
2786         https://bugs.webkit.org/show_bug.cgi?id=175504
2787
2788         Reviewed by Sam Weinig.
2789
2790         * Configurations/FeatureDefines.xcconfig:
2791
2792 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2793
2794         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
2795         https://bugs.webkit.org/show_bug.cgi?id=175557
2796
2797         Reviewed by Jon Lee.
2798
2799         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
2800
2801         * Configurations/FeatureDefines.xcconfig:
2802
2803 2017-08-14  Robin Morisset  <rmorisset@apple.com>
2804
2805         Support the 'with' keyword in DFG
2806         https://bugs.webkit.org/show_bug.cgi?id=175470
2807
2808         Reviewed by Saam Barati.
2809
2810         Not particularly optimized at the moment, the goal is just to avoid
2811         the DFG bailing out of any function with this keyword.
2812
2813         * dfg/DFGAbstractInterpreterInlines.h:
2814         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2815         * dfg/DFGByteCodeParser.cpp:
2816         (JSC::DFG::ByteCodeParser::parseBlock):
2817         * dfg/DFGCapabilities.cpp:
2818         (JSC::DFG::capabilityLevel):
2819         * dfg/DFGClobberize.h:
2820         (JSC::DFG::clobberize):
2821         * dfg/DFGDoesGC.cpp:
2822         (JSC::DFG::doesGC):
2823         * dfg/DFGFixupPhase.cpp:
2824         (JSC::DFG::FixupPhase::fixupNode):
2825         * dfg/DFGNodeType.h:
2826         * dfg/DFGPredictionPropagationPhase.cpp:
2827         * dfg/DFGSafeToExecute.h:
2828         (JSC::DFG::safeToExecute):
2829         * dfg/DFGSpeculativeJIT.cpp:
2830         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2831         * dfg/DFGSpeculativeJIT.h:
2832         (JSC::DFG::SpeculativeJIT::callOperation):
2833         * dfg/DFGSpeculativeJIT32_64.cpp:
2834         (JSC::DFG::SpeculativeJIT::compile):
2835         * dfg/DFGSpeculativeJIT64.cpp:
2836         (JSC::DFG::SpeculativeJIT::compile):
2837         * jit/JITOperations.cpp:
2838         * jit/JITOperations.h:
2839
2840 2017-08-14  Mark Lam  <mark.lam@apple.com>
2841
2842         Add some convenience utility accessor methods to MacroAssembler::CPUState.
2843         https://bugs.webkit.org/show_bug.cgi?id=175549
2844         <rdar://problem/33884868>
2845
2846         Reviewed by Saam Barati.
2847
2848         Previously, in order to read ProbeContext CPUState registers, we used to need to
2849         do it this way:
2850
2851             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
2852             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
2853             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
2854             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
2855
2856         With this patch, we can now read them this way instead:
2857         
2858             ExecState* exec = cpu.fp<ExecState*>();
2859             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
2860             void* p = cpu.gpr<void*>(GPRInfo::regT1);
2861             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
2862
2863         * assembler/MacroAssembler.h:
2864         (JSC:: const):
2865         (JSC::MacroAssembler::CPUState::fpr const):
2866         (JSC::MacroAssembler::CPUState::pc const):
2867         (JSC::MacroAssembler::CPUState::fp const):
2868         (JSC::MacroAssembler::CPUState::sp const):
2869         (JSC::ProbeContext::pc):
2870         (JSC::ProbeContext::fp):
2871         (JSC::ProbeContext::sp):
2872
2873 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
2874
2875         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
2876         https://bugs.webkit.org/show_bug.cgi?id=174921
2877
2878         Reviewed by Mark Lam.
2879         
2880         Uses CagedUniquePtr<> to cage the ScopeOffset array.
2881
2882         * dfg/DFGSpeculativeJIT.cpp:
2883         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2884         * ftl/FTLLowerDFGToB3.cpp:
2885         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2886         * jit/JITPropertyAccess.cpp:
2887         (JSC::JIT::emitScopedArgumentsGetByVal):
2888         * runtime/ScopedArgumentsTable.cpp:
2889         (JSC::ScopedArgumentsTable::create):
2890         (JSC::ScopedArgumentsTable::setLength):
2891         * runtime/ScopedArgumentsTable.h:
2892
2893 2017-08-14  Mark Lam  <mark.lam@apple.com>
2894
2895         Gardening: fix Windows build.
2896         https://bugs.webkit.org/show_bug.cgi?id=175446
2897
2898         Not reviewed.
2899
2900         * assembler/MacroAssemblerX86Common.cpp:
2901         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
2902         (JSC::ctiMasmProbeTrampoline):
2903
2904 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
2905
2906         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
2907         https://bugs.webkit.org/show_bug.cgi?id=175512
2908         <rdar://problem/33863584>
2909
2910         Reviewed by Mark Lam.
2911
2912         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
2913         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
2914
2915 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
2916
2917         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
2918         https://bugs.webkit.org/show_bug.cgi?id=175513
2919
2920         Reviewed by Mark Lam.
2921
2922         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
2923
2924 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
2925
2926         FTL's compileGetTypedArrayByteOffset needs to do caging
2927         https://bugs.webkit.org/show_bug.cgi?id=175366
2928
2929         Reviewed by Saam Barati.
2930         
2931         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
2932         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
2933
2934         * dfg/DFGSpeculativeJIT.cpp:
2935         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2936         * ftl/FTLLowerDFGToB3.cpp:
2937         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
2938         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
2939         * runtime/ArrayBuffer.h:
2940         * runtime/ArrayBufferView.h:
2941         * runtime/JSArrayBufferView.h:
2942
2943 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
2944
2945         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
2946         https://bugs.webkit.org/show_bug.cgi?id=175474
2947         <rdar://problem/33844628>
2948
2949         Reviewed by Wenson Hsieh.
2950
2951         * Configurations/FeatureDefines.xcconfig:
2952         * runtime/CommonIdentifiers.h:
2953
2954 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2955
2956         Caging shouldn't have to use a patchpoint for adding
2957         https://bugs.webkit.org/show_bug.cgi?id=175483
2958
2959         Reviewed by Mark Lam.
2960
2961         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
2962         constants and associative operations dictate that you always want to sink constants. For example,
2963         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
2964         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
2965         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
2966         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
2967         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
2968         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
2969         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
2970         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
2971         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
2972         hacks for just stopping B3's reassociation only in this specific case.
2973         
2974         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
2975         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
2976         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
2977         that if we cage the same pointer in two places, both places will compute the same value.
2978         
2979         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
2980         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
2981         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
2982         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
2983         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
2984         enough scale to warrant new opcodes.)
2985         
2986         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
2987         makes the code a bit less ugly.
2988
2989         * b3/B3LowerToAir.cpp:
2990         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
2991         (JSC::B3::Air::LowerToAir::lower):
2992         * b3/B3Opcode.cpp:
2993         (WTF::printInternal):
2994         * b3/B3Opcode.h:
2995         * b3/B3ReduceStrength.cpp:
2996         * b3/B3Validate.cpp:
2997         * b3/B3Value.cpp:
2998         (JSC::B3::Value::effects const):
2999         (JSC::B3::Value::key const):
3000         (JSC::B3::Value::isFree const):
3001         (JSC::B3::Value::typeFor):
3002         * b3/B3Value.h:
3003         * b3/B3ValueKey.cpp:
3004         (JSC::B3::ValueKey::materialize const):
3005         * ftl/FTLLowerDFGToB3.cpp:
3006         (JSC::FTL::DFG::LowerDFGToB3::caged):
3007         * ftl/FTLOutput.cpp:
3008         (JSC::FTL::Output::opaque):
3009         * ftl/FTLOutput.h:
3010
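The caging entries in this log ("DFG should do caging", "FTL's compileGetTypedArrayByteOffset needs to do caging", and the Opaque entry above, which reduces caging to an Add(ptr, largeConstant)) describe the arithmetic but never show it. The following is an added illustration, not WebKit's Gigacage code: it builds a toy 16 KiB cage (the sizes, names and the stand-in `ArrayLike` object are this example's assumptions), cages a pointer by masking it down to an in-cage offset and adding the cage base back, and then shows the property that matters for exploitation: a backing-store pointer that has been overwritten with an out-of-cage address is forced back inside the cage before it is dereferenced. Two caveats a practitioner would want: caging confines where a corrupted pointer can reach, it does not detect the corruption, and it only works because the cage is reserved as one region aligned to its own size.

```cpp
#include <cstddef>
#include <cstdint>

// Toy cage standing in for a gigacage. The real cage is tens of gigabytes of
// reserved virtual memory; this one is 16 KiB so the example runs anywhere.
// Sizes and names are this example's assumptions, not WebKit's constants.
constexpr std::size_t kCageSize = 1u << 14;
constexpr std::uintptr_t kCageMask = kCageSize - 1; // keeps only the in-cage offset

// The cage is aligned to its own size, so for any pointer into it
// (ptr & kCageMask) is exactly its offset from the cage base.
alignas(kCageSize) static unsigned char g_cageMemory[kCageSize];

struct Cage {
    std::uintptr_t base; // the "largeConstant" every caged access adds back
    unsigned char* memory;
};

Cage theCage()
{
    return Cage{ reinterpret_cast<std::uintptr_t>(g_cageMemory), g_cageMemory };
}

// Cage a pointer: throw away everything but the offset, then re-base it.
// This is the Add(ptr, largeConstant) the entries describe. Null passes
// through so "no storage allocated yet" checks keep working.
template<typename T>
T* caged(const Cage& cage, T* ptr)
{
    if (!ptr)
        return ptr;
    std::uintptr_t offset = reinterpret_cast<std::uintptr_t>(ptr) & kCageMask;
    return reinterpret_cast<T*>(cage.base + offset);
}

bool inCage(const Cage& cage, const void* p)
{
    std::uintptr_t u = reinterpret_cast<std::uintptr_t>(p);
    return u >= cage.base && u < cage.base + kCageSize;
}

// A typed-array-like object whose backing-store pointer is the classic target
// of a memory-corruption exploit: overwrite it and every indexed access
// becomes an arbitrary read/write. (Constructed for this example.)
struct ArrayLike {
    unsigned char* vector;
    std::size_t length;
};

static unsigned char g_secret[16] = { 'S', 'E', 'C', 'R', 'E', 'T' }; // lives outside the cage

// Simulated corruption: the vector pointer is redirected at memory outside the
// cage. After caging, the effective pointer is back inside the cage, so the
// attacker's read lands in caged memory instead of on the secret.
bool corruptedPointerStaysInCage()
{
    Cage cage = theCage();
    ArrayLike a{ cage.memory + 0x100, 16 };
    a.vector = g_secret;
    unsigned char* effective = caged(cage, a.vector);
    return !inCage(cage, a.vector) && inCage(cage, effective) && effective != g_secret;
}

// Legitimate pointers round-trip unchanged: caging costs one AND and one ADD.
bool legitimatePointerUnchanged()
{
    Cage cage = theCage();
    unsigned char* p = cage.memory + 0x2a;
    return caged(cage, p) == p;
}

// Caging is idempotent: re-caging an already caged pointer changes nothing,
// and null stays null.
bool cagingIsIdempotent()
{
    Cage cage = theCage();
    unsigned char* once = caged(cage, g_secret);
    return caged(cage, once) == once && caged<unsigned char>(cage, nullptr) == nullptr;
}
```

Because the offset is computed by masking rather than by a bounds check, the cost model is exactly the one the Opaque entry argues about: the AND is per access, while the base add is the shared constant that B3 must be prevented from sinking into each use.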
3011 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3012
3013         ScopedArguments overflow storage needs to be in the JSValue gigacage
3014         https://bugs.webkit.org/show_bug.cgi?id=174923
3015
3016         Reviewed by Saam Barati.
3017         
3018         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
3019         object into the JSValue gigacage.
3020
3021         * dfg/DFGSpeculativeJIT.cpp:
3022         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3023         * ftl/FTLLowerDFGToB3.cpp:
3024         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3025         * jit/JITPropertyAccess.cpp:
3026         (JSC::JIT::emitScopedArgumentsGetByVal):
3027         * runtime/ScopedArguments.h:
3028         (JSC::ScopedArguments::subspaceFor):
3029         (JSC::ScopedArguments::overflowStorage const):
3030
3031 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3032
3033         JSLexicalEnvironment needs to be in the JSValue gigacage
3034         https://bugs.webkit.org/show_bug.cgi?id=174922
3035
3036         Reviewed by Michael Saboff.
3037         
3038         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
3039         the only random accesses use pointer caging.
3040         
3041         We don't need to do anything to normal lexical environment accesses.
3042
3043         * dfg/DFGSpeculativeJIT.cpp:
3044         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3045         * ftl/FTLLowerDFGToB3.cpp:
3046         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3047         * runtime/JSEnvironmentRecord.h:
3048         (JSC::JSEnvironmentRecord::subspaceFor):
3049         (JSC::JSEnvironmentRecord::variables):
3050
3051 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3052
3053         DirectArguments should be in the JSValue gigacage
3054         https://bugs.webkit.org/show_bug.cgi?id=174920
3055
3056         Reviewed by Michael Saboff.
3057         
3058         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
3059         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
3060         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
3061         required to use fixed offsets, and you can only store JSValues.
3062
3063         * dfg/DFGSpeculativeJIT.cpp:
3064         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3065         * ftl/FTLLowerDFGToB3.cpp:
3066         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3067         * jit/JITPropertyAccess.cpp:
3068         (JSC::JIT::emitDirectArgumentsGetByVal):
3069         * runtime/DirectArguments.h:
3070         (JSC::DirectArguments::subspaceFor):
3071         (JSC::DirectArguments::storage):
3072         * runtime/VM.cpp:
3073         (JSC::VM::VM):
3074         * runtime/VM.h:
3075
3076 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3077
3078         Unreviewed, add a FIXME.
3079
3080         * ftl/FTLLowerDFGToB3.cpp:
3081         (JSC::FTL::DFG::LowerDFGToB3::caged):
3082
3083 2017-08-10  Sam Weinig  <sam@webkit.org>
3084
3085         WTF::Function does not allow for reference / non-default constructible return types
3086         https://bugs.webkit.org/show_bug.cgi?id=175244
3087
3088         Reviewed by Chris Dumez.
3089
3090         * runtime/ArrayBuffer.cpp:
3091         (JSC::ArrayBufferContents::transferTo):
3092         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3093         destroy call needed to be a no-op anyway, since the data is being moved.
3094
3095 2017-08-11  Mark Lam  <mark.lam@apple.com>
3096
3097         Gardening: fix CLoop build.
3098         https://bugs.webkit.org/show_bug.cgi?id=175446
3099         <rdar://problem/33836545>
3100
3101         Not reviewed.
3102
3103         * assembler/MacroAssemblerPrinter.cpp:
3104
3105 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3106
3107         DFG should do caging
3108         https://bugs.webkit.org/show_bug.cgi?id=174918
3109
3110         Reviewed by Saam Barati.
3111         
3112         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
3113         the conditional caging with a watchpoint.
3114         
3115         This might be a 1% SunSpider slow-down, but it's not clear.
3116
3117         * dfg/DFGSpeculativeJIT.cpp:
3118         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3119         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3120         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3121         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3122         (JSC::DFG::SpeculativeJIT::compileSpread):
3123         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3124         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3125         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3126         * dfg/DFGSpeculativeJIT.h:
3127         * dfg/DFGSpeculativeJIT64.cpp:
3128         (JSC::DFG::SpeculativeJIT::compile):
3129
3130 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3131
3132         Unreviewed, build fix for x86 GTK port
3133         https://bugs.webkit.org/show_bug.cgi?id=175446
3134
3135         Use pushfl/popfl instead of pushfd/popfd.
3136
3137         * assembler/MacroAssemblerX86Common.cpp:
3138
3139 2017-08-10  Mark Lam  <mark.lam@apple.com>
3140
3141         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
3142         https://bugs.webkit.org/show_bug.cgi?id=175446
3143         <rdar://problem/33836545>
3144
3145         Reviewed by Saam Barati.
3146
3147         * assembler/AbstractMacroAssembler.h:
3148         * assembler/MacroAssembler.cpp:
3149         (JSC::MacroAssembler::probe):
3150         * assembler/MacroAssembler.h:
3151         * assembler/MacroAssemblerARM.cpp:
3152         (JSC::MacroAssembler::probe):
3153         * assembler/MacroAssemblerARM.h:
3154         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
3155         * assembler/MacroAssemblerARM64.cpp:
3156         (JSC::MacroAssembler::probe):
3157         * assembler/MacroAssemblerARMv7.cpp:
3158         (JSC::MacroAssembler::probe):
3159         * assembler/MacroAssemblerARMv7.h:
3160         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
3161         * assembler/MacroAssemblerPrinter.cpp:
3162         * assembler/MacroAssemblerPrinter.h:
3163         * assembler/MacroAssemblerX86Common.cpp:
3164         * assembler/testmasm.cpp:
3165         (JSC::isSpecialGPR):
3166         (JSC::testProbeModifiesProgramCounter):
3167         (JSC::run):
3168         * b3/B3LowerToAir.cpp:
3169         (JSC::B3::Air::LowerToAir::print):
3170         * b3/air/AirPrintSpecial.cpp:
3171         * b3/air/AirPrintSpecial.h:
3172
3173 2017-08-10  Mark Lam  <mark.lam@apple.com>
3174
3175         Apply the UNLIKELY macro to some unlikely things.
3176         https://bugs.webkit.org/show_bug.cgi?id=175440
3177         <rdar://problem/33834767>
3178
3179         Reviewed by Yusuke Suzuki.
3180
3181         * bytecode/CodeBlock.cpp:
3182         (JSC::CodeBlock::~CodeBlock):
3183         (JSC::CodeBlock::jettison):
3184         * dfg/DFGByteCodeParser.cpp:
3185         (JSC::DFG::ByteCodeParser::handleCall):
3186         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3187         (JSC::DFG::ByteCodeParser::handleGetById):
3188         (JSC::DFG::ByteCodeParser::handlePutById):
3189         (JSC::DFG::ByteCodeParser::parseBlock):
3190         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3191         * dfg/DFGJITCompiler.cpp:
3192         (JSC::DFG::JITCompiler::JITCompiler):
3193         (JSC::DFG::JITCompiler::linkOSRExits):
3194         (JSC::DFG::JITCompiler::link):
3195         (JSC::DFG::JITCompiler::disassemble):
3196         * dfg/DFGJITFinalizer.cpp:
3197         (JSC::DFG::JITFinalizer::finalizeCommon):
3198         * dfg/DFGOSRExit.cpp:
3199         (JSC::DFG::OSRExit::compileOSRExit):
3200         * dfg/DFGPlan.cpp:
3201         (JSC::DFG::Plan::Plan):
3202         * ftl/FTLJITFinalizer.cpp:
3203         (JSC::FTL::JITFinalizer::finalizeCommon):
3204         * ftl/FTLLink.cpp:
3205         (JSC::FTL::link):
3206         * ftl/FTLOSRExitCompiler.cpp:
3207         (JSC::FTL::compileStub):
3208         * jit/JIT.cpp:
3209         (JSC::JIT::privateCompileMainPass):
3210         (JSC::JIT::compileWithoutLinking):
3211         (JSC::JIT::link):
3212         * runtime/ScriptExecutable.cpp:
3213         (JSC::ScriptExecutable::installCode):
3214         * runtime/VM.cpp:
3215         (JSC::VM::VM):
3216
3217 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3218
3219         [WTF] ThreadSpecific should not introduce additional indirection
3220         https://bugs.webkit.org/show_bug.cgi?id=175187
3221
3222         Reviewed by Mark Lam.
3223
3224         * runtime/Identifier.cpp:
3225
3226 2017-08-10  Tim Horton  <timothy_horton@apple.com>
3227
3228         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
3229         https://bugs.webkit.org/show_bug.cgi?id=175436
3230         <rdar://problem/33667497>
3231
3232         Reviewed by Simon Fraser.
3233
3234         * interpreter/Interpreter.cpp:
3235         (JSC::Interpreter::Interpreter):
3236
3237 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
3238
3239         Remove ENABLE_GAMEPAD_DEPRECATED
3240         https://bugs.webkit.org/show_bug.cgi?id=175361
3241
3242         Reviewed by Carlos Garcia Campos.
3243
3244         * Configurations/FeatureDefines.xcconfig:
3245
3246 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
3247
3248         [JSC] Create JSSet constructor that accepts its size as parameter
3249         https://bugs.webkit.org/show_bug.cgi?id=173297
3250
3251         Reviewed by Saam Barati.
3252
3253         This patch is adding a new constructor to JSSet that gives its
3254         expected initial size. It is important to avoid re-hashing and multiple
3255         allocations when we know the final size of JSSet, such as in
3256         CodeBlock::setConstantIdentifierSetRegisters.
3257
3258         * bytecode/CodeBlock.cpp:
3259         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3260         * runtime/HashMapImpl.h:
3261         (JSC::HashMapImpl::HashMapImpl):
3262         * runtime/JSSet.h:
3263
3264 2017-08-09  Commit Queue  <commit-queue@webkit.org>
3265
3266         Unreviewed, rolling out r220466, r220477, and r220487.
3267         https://bugs.webkit.org/show_bug.cgi?id=175411
3268
3269         This change broke existing API tests and follow up fixes did
3270         not resolve all the issues. (Requested by ryanhaddad on
3271         #webkit).
3272
3273         Reverted changesets:
3274
3275         https://bugs.webkit.org/show_bug.cgi?id=175244
3276         http://trac.webkit.org/changeset/220466
3277
3278         "WTF::Function does not allow for reference / non-default
3279         constructible return types"
3280         https://bugs.webkit.org/show_bug.cgi?id=175244
3281         http://trac.webkit.org/changeset/220477
3282
3283         https://bugs.webkit.org/show_bug.cgi?id=175244
3284         http://trac.webkit.org/changeset/220487
3285
3286 2017-08-09  Caitlin Potter  <caitp@igalia.com>
3287
3288         Early error on ANY operator before new.target
3289         https://bugs.webkit.org/show_bug.cgi?id=157970
3290
3291         Reviewed by Saam Barati.
3292
3293         Instead of throwing if any unary operator precedes new.target, only
3294         throw if the unary operator updates the reference.
3295
3296         The following become legal in JSC:
3297
3298         ```
3299         !new.target
3300         ~new.target
3301         typeof new.target
3302         delete new.target
3303         void new.target
3304         ```
3305
3306         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
3307
3308         * parser/Parser.cpp:
3309         (JSC::Parser<LexerType>::parseUnaryExpression):
3310
3311 2017-08-09  Sam Weinig  <sam@webkit.org>
3312
3313         WTF::Function does not allow for reference / non-default constructible return types
3314         https://bugs.webkit.org/show_bug.cgi?id=175244
3315
3316         Reviewed by Chris Dumez.
3317
3318         * runtime/ArrayBuffer.cpp:
3319         (JSC::ArrayBufferContents::transferTo):
3320         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3321         destroy call needed to be a no-op anyway, since the data is being moved.
3322
3323 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
3324
3325         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
3326         https://bugs.webkit.org/show_bug.cgi?id=175392
3327         <rdar://problem/33783207>
3328
3329         Reviewed by Tim Horton and Megan Gardner.
3330
3331         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
3332
3333         * Configurations/FeatureDefines.xcconfig:
3334
3335 2017-08-09  Robin Morisset  <rmorisset@apple.com>
3336
3337         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
3338         https://bugs.webkit.org/show_bug.cgi?id=175358
3339
3340         Reviewed by Mark Lam.
3341
3342         * jit/JITOperations.cpp:
3343         * runtime/JSObjectInlines.h:
3344         (JSC::JSObject::putInlineForJSObject):
3345
3346 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
3347
3348         Unreviewed, rolling out r220457.