[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-11-30  Michael Saboff  <msaboff@apple.com>

        Allow JSC command line tool to accept UTF8
        https://bugs.webkit.org/show_bug.cgi?id=180205

        Reviewed by Keith Miller.

        This unifies the UTF8 handling of interactive mode with that of source files.

        * jsc.cpp:
        (runInteractive):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
        https://bugs.webkit.org/show_bug.cgi?id=180185

        Reviewed by Carlos Garcia Campos.

        After r225314, we start using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
        But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
        can accept nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
        And JSRopeString's allocator may not exist at this point if any JSRopeString is not allocated. But MakeRope
        DFG node can be emitted if we see untaken path includes String + String code.

        This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
        As a result, only one user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
        I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same to the
        original code used before r225314.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):

2017-11-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
        https://bugs.webkit.org/show_bug.cgi?id=180108

        Reviewed by Saam Barati.
        
        This was creating a vector of things to remove and then removing them. I think I remember writing
        this code, and I did that because at the time we did not have removeAllMatching, which is
        definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
        obvious improvement before I did more fundamental things to this code.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):

2017-11-29  Filip Pizlo  <fpizlo@apple.com>

        GC should support isoheaps
        https://bugs.webkit.org/show_bug.cgi?id=179288

        Reviewed by Saam Barati.
        
        This expands the power of the Subspace API in JSC:
        
        - Everything associated with describing the types of objects is now part of the HeapCellType class.
          We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
          HeapCellType; these are orthogonal things.
        
        - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
          any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
          special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
          pages but releases the physical pages as part of the respective allocator's scavenging policy
          (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
          IsoSubspace).
        
        So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
        for more things.
        
        This does not have any effect on JetStream (0.18% faster with p = 0.69).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/AlignedMemoryAllocator.cpp:
        (JSC::AlignedMemoryAllocator::registerAllocator):
        (JSC::AlignedMemoryAllocator::registerSubspace):
        * heap/AlignedMemoryAllocator.h:
        (JSC::AlignedMemoryAllocator::firstAllocator const):
        * heap/AllocationFailureMode.h: Added.
        * heap/CompleteSubspace.cpp: Added.
        (JSC::CompleteSubspace::CompleteSubspace):
        (JSC::CompleteSubspace::~CompleteSubspace):
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocate):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::allocateSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h: Added.
        (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/HeapCellType.cpp: Added.
        (JSC::HeapCellType::HeapCellType):
        (JSC::HeapCellType::~HeapCellType):
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * heap/HeapCellType.h: Added.
        (JSC::HeapCellType::attributes const):
        * heap/IsoAlignedMemoryAllocator.cpp: Added.
        (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::dump const):
        * heap/IsoAlignedMemoryAllocator.h: Added.
        * heap/IsoSubspace.cpp: Added.
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::~IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocatorForNonVirtual):
        (JSC::IsoSubspace::allocate):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h: Added.
        (JSC::IsoSubspace::size const):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::setSubspace):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addMarkedAllocator):
        * heap/MarkedSpace.h:
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::initialize):
        (JSC::Subspace::finishSweep):
        (JSC::Subspace::destroy):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        (): Deleted.
        (JSC::Subspace::allocate): Deleted.
        (JSC::Subspace::tryAllocate): Deleted.
        (JSC::Subspace::allocatorForSlow): Deleted.
        (JSC::Subspace::allocateSlow): Deleted.
        (JSC::Subspace::tryAllocateSlow): Deleted.
        (JSC::Subspace::didAllocate): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::heapCellType const):
        (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
        (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
        (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
        (JSC::Subspace::allocatorForSizeStep): Deleted.
        (JSC::Subspace::tryAllocatorFor): Deleted.
        (JSC::Subspace::allocatorFor): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        * runtime/DirectEvalExecutable.h:
        * runtime/EvalExecutable.h:
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::subspaceFor):
        * runtime/FunctionExecutable.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/IndirectEvalExecutable.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCell.h:
        (JSC::subspaceFor):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::subspaceFor):
        (JSC::tryAllocateCellHelper):
        (JSC::allocateCell):
        (JSC::tryAllocateCell):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::subspaceFor):
        * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
        (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
        * runtime/JSDestructibleObjectSubspace.cpp: Removed.
        * runtime/JSDestructibleObjectSubspace.h: Removed.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
        * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
        * runtime/JSString.h:
        (JSC::JSString::subspaceFor):
        * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        (JSC::JSStringHeapCellType::~JSStringHeapCellType):
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        (JSC::JSStringSubspace::JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::finishSweep): Deleted.
        (JSC::JSStringSubspace::destroy): Deleted.
        * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
        * runtime/JSStringSubspace.cpp: Removed.
        * runtime/JSStringSubspace.h: Removed.
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):

2017-11-29  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for double arrays
        https://bugs.webkit.org/show_bug.cgi?id=180163

        Reviewed by Mark Lam.

        This patch removes pointer caging from double arrays. Like
        my previous removals of pointer caging, this is a security vs
        performance tradeoff. We believe that butterflies being allocated
        in the cage and with a 32GB runway gives us enough security that
        pointer caging the butterfly just for double arrays does not add
        enough security benefit for the performance hit it incurs.
        
        This patch also removes the GetButterflyWithoutCaging node and
        the FixedButterflyAccessUncaging phase. The node is no longer needed
        because now all GetButterfly nodes are not caged. The phase is removed
        since we no longer have two nodes.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::pointer):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::caged): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):

2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * Sources.txt:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2017-11-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r225286.

        The source files within this patch have been marked as
        executable.

        Reverted changeset:

        "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
        https://bugs.webkit.org/show_bug.cgi?id=175447
        https://trac.webkit.org/changeset/225286

2017-11-29  Alex Christensen  <achristensen@webkit.org>

        Fix Mac CMake build.

        * PlatformMac.cmake:

2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * Sources.txt:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2017-11-28  JF Bastien  <jfbastien@apple.com>

        Strict and sloppy functions shouldn't share structure
        https://bugs.webkit.org/show_bug.cgi?id=180103
        <rdar://problem/35667847>

        Reviewed by Saam Barati.

        Sloppy and strict functions don't act the same when it comes to
        arguments, caller, and callee. Sharing a structure means that
        anything that is cached gets shared, and that's incorrect.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create): the second ::create is always strict
        because it applies to native functions.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::strictFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::nativeStdFunctionStructure const):
        (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
        (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.

2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
        https://bugs.webkit.org/show_bug.cgi?id=180070

        Reviewed by Saam Barati.

        This patch adds getEffectiveAddress in all JIT platforms.
        This is abstracted version of x86 lea.

        We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::getEffectiveAddress):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::getEffectiveAddress):
        (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::getEffectiveAddress):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::getEffectiveAddress):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::getEffectiveAddress):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::getEffectiveAddress):
        (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testGetEffectiveAddress):
        (JSC::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):

2017-11-29  Robin Morisset  <rmorisset@apple.com>

        The recursive tail call optimisation is wrong on closures
        https://bugs.webkit.org/show_bug.cgi?id=179835

        Reviewed by Saam Barati.

        The problem is that we only check the executable of the callee, not whatever variables might have been captured.
        As a stopgap measure this patch just does not do the optimisation for closures.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=180119

        Reviewed by Devin Rousso.

        * inspector/InjectedScriptManager.h:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:

2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>

        ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
        https://bugs.webkit.org/show_bug.cgi?id=179642
        <rdar://problem/35517704>

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Expose the NetworkAgent for a Service Worker inspector.

 2017-11-28  Brian Burg  <bburg@apple.com>

        [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
        https://bugs.webkit.org/show_bug.cgi?id=179696

        Reviewed by Timothy Hatcher.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_raw_name):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member.is):
        (ObjCGenerator.protocol_to_objc_expression_for_member):
        (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
        (ObjCGenerator.objc_setter_method_for_member_internal):
        (ObjCGenerator.objc_getter_method_for_member_internal):
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-27  JF Bastien  <jfbastien@apple.com>

        JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=180051
        <rdar://problem/35614371>

        Reviewed by Saam Barati.

        Checking for int32 isn't sufficient when uint32 is expected
        afterwards. While we're here, also use Checked<>.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Joseph Pecoraro.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/DeprecatedInspectorValues.cpp: Added.
        * inspector/DeprecatedInspectorValues.h: Added.
        Keep the old symbols around in JavaScriptCore so that builds with the
        public iOS SDK continue to work. These older SDKs include a version of
        WebInspector.framework that expects to find InspectorArray and other
        symbols in JavaScriptCore.framework.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::castToInteger):
        (Inspector::castToNumber):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        We need to keep around the sendResponse() variant with a parameter that
        has the InspectorObject type, as older WebInspector.framework versions
        expect this symbol to exist. Introduce a variant with arity 3 that can
        be used in TOT so as to avoid having two methods with the same name, arity, and
        different parameter types.

        When system WebInspector.framework is updated, we can remove the legacy
        method variant that uses the InspectorObject type. At that point, we can
        transition TOT to use the 2-arity variant, and delete the 3-arity variant
        when system WebInspector.framework is updated once more to use the 2-arity one.

        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
        * inspector/ScriptCallFrame.cpp:
        * inspector/ScriptCallStack.cpp:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_unchecked_setter_for_member):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generator.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-28  Robin Morisset  <rmorisset@apple.com>

        Support recursive tail call optimization for polymorphic calls
        https://bugs.webkit.org/show_bug.cgi?id=178390

        Reviewed by Saam Barati.

        Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
        eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.

        Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::handleCallVariant):
        (JSC::DFG::ByteCodeParser::handleVarargsInlining):
        (JSC::DFG::ByteCodeParser::getInliningBalance):
        (JSC::DFG::ByteCodeParser::handleInlining):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.

2017-11-27  Saam Barati  <sbarati@apple.com>

        Spread can escape when CreateRest does not
        https://bugs.webkit.org/show_bug.cgi?id=180057
        <rdar://problem/35676119>

        Reviewed by JF Bastien.

        We previously did not handle Spread(PhantomCreateRest) only because I did not
        think it was possible to generate this IR. I was wrong. We can generate
        such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
        This IR is rare to generate since we normally don't PutStack(Spread) because
        the SetLocal almost always gets eliminated because of how our bytecode generates
        op_spread. However, there exists a test case showing it is possible. Supporting
        this IR pattern in FTLLower is trivial. This patch implements it and rewrites
        the Validation rule for Spread.

        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGValidate.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::tryCreate):

2017-11-27  Don Olmstead  <don.olmstead@sony.com>

        [CMake][Win] Conditionally select DLL CRT or static CRT
        https://bugs.webkit.org/show_bug.cgi?id=170594

        Reviewed by Alex Christensen.

        * shell/PlatformWin.cmake:

2017-11-27  Saam Barati  <sbarati@apple.com>

        Having a bad time watchpoint firing during compilation revealed a racy assertion
        https://bugs.webkit.org/show_bug.cgi?id=180048
        <rdar://problem/35700009>

        Reviewed by Mark Lam.

        While a DFG compilation is watching the having a bad time watchpoint, it was
        asserting that the rest parameter structure has indexing type ArrayWithContiguous.
        However, if the having a bad time watchpoint fires during the compilation,
        this particular structure will no longer have ArrayWithContiguous indexing type.
        This patch fixes this racy assertion to be aware that the watchpoint may fire
        during compilation.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):

2017-11-27  Tim Horton  <timothy_horton@apple.com>

        One too many zeroes in macOS version number in FeatureDefines
        https://bugs.webkit.org/show_bug.cgi?id=180011

        Reviewed by Dan Bernstein.

        * Configurations/FeatureDefines.xcconfig:

2017-11-27  Robin Morisset  <rmorisset@apple.com>

        Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
        https://bugs.webkit.org/show_bug.cgi?id=179821

        Reviewed by Saam Barati.

        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add NormalizeMapKey DFG IR
        https://bugs.webkit.org/show_bug.cgi?id=179912

        Reviewed by Saam Barati.

        This patch introduces NormalizeMapKey DFG node. It executes what normalizeMapKey does in inlined manner.
        By separating this from MapHash and Map/Set related operations, we can perform CSE onto that, and we
        do not need to call normalizeMapKey conservatively in DFG operations.
        This can reduce slow path case in Untyped GetMapBucket since we can normalize keys in DFG/FTL.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
        (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        * runtime/HashMapImpl.h:

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Support DeleteById and DeleteByVal
        https://bugs.webkit.org/show_bug.cgi?id=180022

        Reviewed by Saam Barati.

        We should increase the coverage of FTL. Even if the code includes DeleteById,
        it does not mean that remaining part of the code should not be optimized in FTL.
        Right now, even CallEval and `with` scope are handled in FTL.

        This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
        code including them.

        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
        (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Introduce {Set,Map,WeakMap}Fields
        https://bugs.webkit.org/show_bug.cgi?id=179925

        Reviewed by Saam Barati.

        SetAdd and MapSet uses `write(MiscFields)`, but it is not correct. It accidentally
        writes readonly MiscFields which is used by various nodes and make optimization
        conservative.

        We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasBucketOwnerType):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove JSStringBuilder
        https://bugs.webkit.org/show_bug.cgi?id=180016

        Reviewed by Saam Barati.

        JSStringBuilder is replaced with WTF::StringBuilder.
        This patch removes remaning uses and drop JSStringBuilder.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayPrototype.cpp:
        * runtime/AsyncFunctionPrototype.cpp:
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GeneratorFunctionPrototype.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::globalFuncEscape):
        * runtime/JSStringBuilder.h: Removed.
        * runtime/JSStringInlines.h:
        (JSC::jsMakeNontrivialString):
        * runtime/RegExpPrototype.cpp:
        * runtime/StringPrototype.cpp:

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove GetLocalUnlinked
        https://bugs.webkit.org/show_bug.cgi?id=180017

        Reviewed by Saam Barati.

        Since DFGArgumentsSimplificationPhase is removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
        This patch just removes it.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
        (JSC::DFG::Node::convertToGetLocal): Deleted.
        (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
        (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
        (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGValidate.cpp:

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Make ArgList::data() private again when we can remove callWasmFunction().
        https://bugs.webkit.org/show_bug.cgi?id=168582

        Reviewed by JF Bastien.

        Make ArgList::data() private since we already removed callWasmFunction.

        * runtime/ArgList.h:

2016-08-05  Darin Adler  <darin@apple.com>

        Fix some minor problems in the StringImpl header
        https://bugs.webkit.org/show_bug.cgi?id=160630

        Reviewed by Brent Fulgham.

        * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
        Yarr namespacing since we use "using namespace" in this file.

2017-11-24  Mark Lam  <mark.lam@apple.com>

        Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
        https://bugs.webkit.org/show_bug.cgi?id=179936
        <rdar://problem/35623998>

        Reviewed by Saam Barati.

        This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
        See https://bugs.webkit.org/show_bug.cgi?id=179684.

        Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
        was allocating stack space to stash arguments (to be forwarded) and new frame
        info.  The location of this new stash space happens to lie beyond the top of frame
        of the tail call caller frame.  After stashing the arguments, the code proceeded
        to load the callee codeBlock.  This triggered an allocation, which in turn,
        triggered stack sanitization.  The CLoop stack sanitizer was relying on
        frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
        that turned out to be inadequate.  As a result, part of the stashed data was
        zeroed out, and subsequently led to a crash.

        This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
        1. JIT builds do stack sanitization in the LLInt code itself (different from the
           CLoop implementation), and the sanitizer there is aware of the true top of
           stack value (i.e. the stack pointer).
        2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
           parallel stack is one condition necessary for reproducing this issue.

        The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
        every time before it calls out to native C++ code.  This also brings the CLoop's
        behavior closer to hardware behavior where we can know where the stack pointer
        is after calling from JS back into native C++ code, which makes it easier to
        reason about correctness.       

        Also simplified the various stack boundary calculations (removed the +1 and -1
        adjustments).  The CLoopStack bounds are now:

            reservationTop(): the lowest reserved address that can be within stack bounds.
            m_commitTop: the lowest address within stack bounds that has been committed.
            lowAddress() aka m_end: the lowest stack address that JS code can use.
            m_lastStackPointer: cache of the last m_currentStackPointer value.
            m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
            highAddress(): the highest address just beyond the bounds of the stack.

        Also deleted some unneeded code.

        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):
        (JSC::CLoopStack::gatherConservativeRoots):
        (JSC::CLoopStack::sanitizeStack):
        (JSC::CLoopStack::setSoftReservedZoneSize):
        * interpreter/CLoopStack.h:
        (JSC::CLoopStack::setCurrentStackPointer):
        (JSC::CLoopStack::lowAddress const):

        (JSC::CLoopStack::baseOfStack const): Deleted.
        - Not needed after we simplified the code and removed all the +1/-1 adjustments.
          Now, it has the exact same value as highAddress() and can be removed.

        * interpreter/CLoopStackInlines.h:
        (JSC::CLoopStack::ensureCapacityFor):
        (JSC::CLoopStack::currentStackPointer):
        (JSC::CLoopStack::setCLoopStackLimit):

        (JSC::CLoopStack::topOfFrameFor): Deleted.
        - Not needed.

        (JSC::CLoopStack::topOfStack): Deleted.
        - Supplanted by currentStackPointer().

        (JSC::CLoopStack::shrink): Deleted.
        - This is unused.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
          upon exitting the interpreter loop.

        * offlineasm/cloop.rb:
        - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
          call from JS into C++ code.

        * tools/VMInspector.h:
        - Added some default argument values. These were being used while debugging this
          issue.

2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
        https://bugs.webkit.org/show_bug.cgi?id=179923

        Reviewed by Darin Adler.

        We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
        So we can use it as a marker of deleted bucket.

        This patch uses empty key as a deleted flag, and drop m_deleted field of HashMapBucket.
        It shrinks the size of HashMapBucket much.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBucket::createSentinel):
        We make sentinel bucket as (undefined, undefined) since DFG/FTL can load a value from sentinels.
        While the sentinel's deleted flag becomes false since key is set, it is not a problem since deleted
        flag of sentinel bucket is not used.

        (JSC::HashMapBucket::HashMapBucket):
        (JSC::HashMapBucket::deleted const):
        (JSC::HashMapBucket::makeDeleted):
        (JSC::HashMapImpl::remove):
        (JSC::HashMapImpl::clear):
        (JSC::HashMapImpl::setUpHeadAndTail):
        (JSC::HashMapImpl::addNormalizedInternal):
        (JSC::HashMapBucket::setDeleted): Deleted.
        (JSC::HashMapBucket::offsetOfDeleted): Deleted.
        (): Deleted.

2017-11-24  Mark Lam  <mark.lam@apple.com>

        Move unsafe jsc shell test functions to the $vm object.
        https://bugs.webkit.org/show_bug.cgi?id=179980

        Reviewed by Yusuke Suzuki.

        Also removed setElementRoot() which was not used.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (WTF::Element::Element): Deleted.
        (WTF::Element::root const): Deleted.
        (WTF::Element::setRoot): Deleted.
        (WTF::Element::create): Deleted.
        (WTF::Element::visitChildren): Deleted.
        (WTF::Element::createStructure): Deleted.
        (WTF::Root::Root): Deleted.
        (WTF::Root::element): Deleted.
        (WTF::Root::setElement): Deleted.
        (WTF::Root::create): Deleted.
        (WTF::Root::createStructure): Deleted.
        (WTF::Root::visitChildren): Deleted.
        (WTF::ImpureGetter::ImpureGetter): Deleted.
        (WTF::ImpureGetter::createStructure): Deleted.
        (WTF::ImpureGetter::create): Deleted.
        (WTF::ImpureGetter::finishCreation): Deleted.
        (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
        (WTF::ImpureGetter::visitChildren): Deleted.
        (WTF::ImpureGetter::setDelegate): Deleted.
        (WTF::CustomGetter::CustomGetter): Deleted.
        (WTF::CustomGetter::createStructure): Deleted.
        (WTF::CustomGetter::create): Deleted.
        (WTF::CustomGetter::getOwnPropertySlot): Deleted.
        (WTF::CustomGetter::customGetter): Deleted.
        (WTF::CustomGetter::customGetterAcessor): Deleted.
        (WTF::RuntimeArray::create): Deleted.
        (WTF::RuntimeArray::~RuntimeArray): Deleted.
        (WTF::RuntimeArray::destroy): Deleted.
        (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
        (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
        (WTF::RuntimeArray::put): Deleted.
        (WTF::RuntimeArray::deleteProperty): Deleted.
        (WTF::RuntimeArray::getLength const): Deleted.
        (WTF::RuntimeArray::createPrototype): Deleted.
        (WTF::RuntimeArray::createStructure): Deleted.
        (WTF::RuntimeArray::finishCreation): Deleted.
        (WTF::RuntimeArray::RuntimeArray): Deleted.
        (WTF::RuntimeArray::lengthGetter): Deleted.
        (WTF::SimpleObject::SimpleObject): Deleted.
        (WTF::SimpleObject::create): Deleted.
        (WTF::SimpleObject::visitChildren): Deleted.
        (WTF::SimpleObject::createStructure): Deleted.
        (WTF::SimpleObject::hiddenValue): Deleted.
        (WTF::SimpleObject::setHiddenValue): Deleted.
        (WTF::DOMJITNode::DOMJITNode): Deleted.
        (WTF::DOMJITNode::createStructure): Deleted.
        (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
        (WTF::DOMJITNode::create): Deleted.
        (WTF::DOMJITNode::value const): Deleted.
        (WTF::DOMJITNode::offsetOfValue): Deleted.
        (WTF::DOMJITGetter::DOMJITGetter): Deleted.
        (WTF::DOMJITGetter::createStructure): Deleted.
        (WTF::DOMJITGetter::create): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetter::customGetter): Deleted.
        (WTF::DOMJITGetter::finishCreation): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
        (WTF::DOMJITGetterComplex::createStructure): Deleted.
        (WTF::DOMJITGetterComplex::create): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
        (WTF::DOMJITGetterComplex::customGetter): Deleted.
        (WTF::DOMJITGetterComplex::finishCreation): Deleted.
        (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
        (WTF::DOMJITFunctionObject::createStructure): Deleted.
        (WTF::DOMJITFunctionObject::create): Deleted.
        (WTF::DOMJITFunctionObject::safeFunction): Deleted.
        (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
        (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
        (WTF::DOMJITFunctionObject::finishCreation): Deleted.
        (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
        (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
        (WTF::DOMJITCheckSubClassObject::create): Deleted.
        (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
        (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
        (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
        (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
        (WTF::DOMJITGetterBaseJSObject::create): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
        (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
        (WTF::Element::handleOwner): Deleted.
        (WTF::Element::finishCreation): Deleted.
        (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
        (JSTestCustomGetterSetter::create): Deleted.
        (JSTestCustomGetterSetter::createStructure): Deleted.
        (customGetAccessor): Deleted.
        (customGetValue): Deleted.
        (customSetAccessor): Deleted.
        (customSetValue): Deleted.
        (JSTestCustomGetterSetter::finishCreation): Deleted.
        (GlobalObject::addConstructableFunction): Deleted.
        (functionCreateRoot): Deleted.
        (functionCreateElement): Deleted.
        (functionGetElement): Deleted.
        (functionSetElementRoot): Deleted.
        (functionCreateSimpleObject): Deleted.
        (functionGetHiddenValue): Deleted.
        (functionSetHiddenValue): Deleted.
        (functionCreateProxy): Deleted.
        (functionCreateRuntimeArray): Deleted.
        (functionCreateImpureGetter): Deleted.
        (functionCreateCustomGetterObject): Deleted.
        (functionCreateDOMJITNodeObject): Deleted.
        (functionCreateDOMJITGetterObject): Deleted.
        (functionCreateDOMJITGetterComplexObject): Deleted.
        (functionCreateDOMJITFunctionObject): Deleted.
        (functionCreateDOMJITCheckSubClassObject): Deleted.
        (functionCreateDOMJITGetterBaseJSObject): Deleted.
        (functionSetImpureGetterDelegate): Deleted.
        (functionGetGetterSetter): Deleted.
        (functionShadowChickenFunctionsOnStack): Deleted.
        (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
        (functionGlobalObjectForObject): Deleted.
        (functionLoadGetterFromGetterSetter): Deleted.
        (functionCreateCustomTestGetterSetter): Deleted.
        (functionAbort): Deleted.
        (functionFindTypeForExpression): Deleted.
        (functionReturnTypeFor): Deleted.
        (functionDumpBasicBlockExecutionRanges): Deleted.
        (functionHasBasicBlockExecuted): Deleted.
        (functionBasicBlockExecutionCount): Deleted.
        (functionEnableExceptionFuzz): Deleted.
        (functionCreateBuiltin): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVM.cpp:
        (WTF::Element::Element):
        (WTF::Element::root const):
        (WTF::Element::setRoot):
        (WTF::Element::create):
        (WTF::Element::visitChildren):
        (WTF::Element::createStructure):
        (WTF::Root::Root):
        (WTF::Root::element):
        (WTF::Root::setElement):
        (WTF::Root::create):
        (WTF::Root::createStructure):
        (WTF::Root::visitChildren):
        (WTF::SimpleObject::SimpleObject):
        (WTF::SimpleObject::create):
        (WTF::SimpleObject::visitChildren):
        (WTF::SimpleObject::createStructure):
        (WTF::SimpleObject::hiddenValue):
        (WTF::SimpleObject::setHiddenValue):
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (WTF::CustomGetter::CustomGetter):
        (WTF::CustomGetter::createStructure):
        (WTF::CustomGetter::create):
        (WTF::CustomGetter::getOwnPropertySlot):
        (WTF::CustomGetter::customGetter):
        (WTF::CustomGetter::customGetterAcessor):
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::~RuntimeArray):
        (WTF::RuntimeArray::destroy):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::RuntimeArray::put):
        (WTF::RuntimeArray::deleteProperty):
        (WTF::RuntimeArray::getLength const):
        (WTF::RuntimeArray::createPrototype):
        (WTF::RuntimeArray::createStructure):
        (WTF::RuntimeArray::finishCreation):
        (WTF::RuntimeArray::RuntimeArray):
        (WTF::RuntimeArray::lengthGetter):
        (WTF::DOMJITNode::DOMJITNode):
        (WTF::DOMJITNode::createStructure):
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITNode::create):
        (WTF::DOMJITNode::value const):
        (WTF::DOMJITNode::offsetOfValue):
        (WTF::DOMJITGetter::DOMJITGetter):
        (WTF::DOMJITGetter::createStructure):
        (WTF::DOMJITGetter::create):
        (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetter::customGetter):
        (WTF::DOMJITGetter::finishCreation):
        (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
        (WTF::DOMJITGetterComplex::createStructure):
        (WTF::DOMJITGetterComplex::create):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetterComplex::functionEnableException):
        (WTF::DOMJITGetterComplex::customGetter):
        (WTF::DOMJITGetterComplex::finishCreation):
        (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
        (WTF::DOMJITFunctionObject::createStructure):
        (WTF::DOMJITFunctionObject::create):
        (WTF::DOMJITFunctionObject::safeFunction):
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::finishCreation):
        (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
        (WTF::DOMJITCheckSubClassObject::createStructure):
        (WTF::DOMJITCheckSubClassObject::create):
        (WTF::DOMJITCheckSubClassObject::safeFunction):
        (WTF::DOMJITCheckSubClassObject::unsafeFunction):
        (WTF::DOMJITCheckSubClassObject::finishCreation):
        (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (WTF::DOMJITGetterBaseJSObject::createStructure):
        (WTF::DOMJITGetterBaseJSObject::create):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetterBaseJSObject::customGetter):
        (WTF::DOMJITGetterBaseJSObject::finishCreation):
        (WTF::Message::releaseContents):
        (WTF::Message::index const):
        (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
        (WTF::JSTestCustomGetterSetter::create):
        (WTF::JSTestCustomGetterSetter::createStructure):
        (WTF::customGetAccessor):
        (WTF::customGetValue):
        (WTF::customSetAccessor):
        (WTF::customSetValue):
        (WTF::JSTestCustomGetterSetter::finishCreation):
        (WTF::Element::handleOwner):
        (WTF::Element::finishCreation):
        (JSC::functionCrash):
        (JSC::functionCreateProxy):
        (JSC::functionCreateRuntimeArray):
        (JSC::functionCreateImpureGetter):
        (JSC::functionCreateCustomGetterObject):
        (JSC::functionCreateDOMJITNodeObject):
        (JSC::functionCreateDOMJITGetterObject):
        (JSC::functionCreateDOMJITGetterComplexObject):
        (JSC::functionCreateDOMJITFunctionObject):
        (JSC::functionCreateDOMJITCheckSubClassObject):
        (JSC::functionCreateDOMJITGetterBaseJSObject):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateBuiltin):
        (JSC::functionCreateRoot):
        (JSC::functionCreateElement):
        (JSC::functionGetElement):
        (JSC::functionCreateSimpleObject):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionDumpBasicBlockExecutionRanges):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        (JSC::functionEnableExceptionFuzz):
        (JSC::functionGlobalObjectForObject):
        (JSC::functionGetGetterSetter):
        (JSC::functionLoadGetterFromGetterSetter):
        (JSC::functionCreateCustomTestGetterSetter):
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::create):

2017-11-23  Simon Fraser  <simon.fraser@apple.com>

        Minor ArrayBufferView cleanup
        https://bugs.webkit.org/show_bug.cgi?id=179966

        Reviewed by Darin Adler.
        
        Use void* for data pointers when we don't need to do offset math. Use const for
        source pointers.
        
        Prefer uint8_t* to char*.
        
        Add comments noting that the assertions should not be made release assertions
        as recommended by the style checker, since the point is to avoid the virtual byteLength()
        call in release.

        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::setImpl):
        (JSC::ArrayBufferView::setRangeImpl):
        (JSC::ArrayBufferView::getRangeImpl):
        (JSC::ArrayBufferView::zeroRangeImpl):

2017-11-23  Darin Adler  <darin@apple.com>

        Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
        https://bugs.webkit.org/show_bug.cgi?id=179907

        Reviewed by Sam Weinig.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
        defaults to that.

        * runtime/StringPrototype.cpp:
        (JSC::stringIncludesImpl): Use String::find since there is no overload of
        String::contains that takes a start offset now that we removed the one that took a
        caseSensitive boolean. We can add one later if we like, but this should do for now.

        * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
        the StringImpl.h header because it is only used here.

2017-11-22  Simon Fraser  <simon.fraser@apple.com>

        Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
        because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
        
        Also name the argument to zeroRange() to 'count' since it's an item count.

        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::zeroRange):
        (JSC::GenericTypedArrayView::getRange):

2017-11-21  Simon Fraser  <simon.fraser@apple.com>

        Allow for more efficient use of GenericTypedArrayView
        https://bugs.webkit.org/show_bug.cgi?id=179899

        Reviewed by Sam Weinig.
        
        Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
        under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
        in a length.

        Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
        byteLength() calls.
        
        Renamed 'dataLength' to 'count' in setRange() to be clearer.
        
        Added setNative() for callers who don't need clamping of doubles.

        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::setRangeImpl):
        (JSC::ArrayBufferView::getRangeImpl):
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::setRange):
        (JSC::GenericTypedArrayView::setNative const):
        (JSC::GenericTypedArrayView::getRange):
        (JSC::GenericTypedArrayView::checkInboundData const):
        (JSC::GenericTypedArrayView::internalByteLength const):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support MapSet / SetAdd intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=179858

        Reviewed by Saam Barati.

        Map.prototype.set and Set.prototype.add uses MapHash value anyway.
        By handling them as MapSet and SetAdd DFG nodes and decoupling
        MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
        remove duplicate MapHash calculation for the same key.

        One story is *set-if-not-exists*.

            if (!map.has(key))
                map.set(key, value);

        In the above code, both `has` and `set` require hash value for `key`.
        If we can change `set` to the series of DFG nodes:

            1: MapHash(key)
            2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)

        we can remove duplicate @1 produced by `has` operation.

        This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively,

                                         baseline                  patched

            map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
            map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster

        Microbenchmarks

            map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Allow poly proto for intrinsic getters
        https://bugs.webkit.org/show_bug.cgi?id=179550

        Reviewed by Saam Barati.

        This patch allows intrinsic getters to accept poly proto.
        We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
        poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
        code for poly proto case.

        * bytecode/IntrinsicGetterAccessCase.cpp:
        (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
        (JSC::IntrinsicGetterAccessCase::create):
        * bytecode/IntrinsicGetterAccessCase.h:
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2017-11-20  Don Olmstead  <don.olmstead@sony.com>

        Detect __declspec within JSBase.h
        https://bugs.webkit.org/show_bug.cgi?id=179892

        Reviewed by Darin Adler.

        * API/JSBase.h:

2017-11-19  Tim Horton  <timothy_horton@apple.com>

        Remove unused TOUCH_ICON_LOADING feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179873

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add CPU(UNKNOWN) to cover all the unknown CPU types
        https://bugs.webkit.org/show_bug.cgi?id=179243

        Reviewed by JF Bastien.

        * CMakeLists.txt:

2017-11-19  Tim Horton  <timothy_horton@apple.com>

        Remove unused LEGACY_VENDOR_PREFIXES feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179872

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2017-11-18  Tim Horton  <timothy_horton@apple.com>

        Fix typos in closing ENABLE() comments
        https://bugs.webkit.org/show_bug.cgi?id=179869

        Unreviewed.

        * wasm/WasmMemory.h:
        * wasm/WasmMemoryMode.h:

2017-11-17  JF Bastien  <jfbastien@apple.com>

        NFC update ClassInfo to C++14
        https://bugs.webkit.org/show_bug.cgi?id=179783

        Reviewed by Mark Lam.

        Forked from #179734, use `using` instead of `typedef`. It's easier
        to read.

        * runtime/ClassInfo.h:

2017-11-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: throw when a promise can't be created
        https://bugs.webkit.org/show_bug.cgi?id=179826
        <rdar://problem/35455813>

        Reviewed by Mark Lam.

        Failure *in* a promise causes rejection, but failure to create a
        promise (because of stack overflow) isn't really spec'd (as all
        stack things JS). This applies to WebAssembly.compile and
        WebAssembly.instantiate.

        Dan's current proposal says:

            https://littledan.github.io/spec/document/js-api/index.html#stack-overflow

            Whenever a stack overflow occurs in WebAssembly code, the same
            class of exception is thrown as for a stack overflow in
            JavaScript. The particular exception here is
            implementation-defined in both cases.

            Note: ECMAScript doesn’t specify any sort of behavior on stack
            overflow; implementations have been observed to throw RangeError,
            InternalError or Error. Any is valid here.

        This is for general stack overflow within WebAssembly, not
        specifically for promise creation within JavaScript, but it seems
        like a stack overflow in promise creation should follow the same
        rule instead of, say, swallowing the overflow and returning
        undefined.

        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::webAssemblyInstantiateFunc):

2017-11-16  Daniel Bates  <dabates@apple.com>

        Add feature define for alternative presentation button element
        https://bugs.webkit.org/show_bug.cgi?id=179692
        Part of <rdar://problem/34917108>

        Reviewed by Andy Estes.

        Only enabled on Cocoa platforms by default.

        * Configurations/FeatureDefines.xcconfig:

2017-11-16  Saam Barati  <sbarati@apple.com>

        Fix a bug with cpuid in the FTL.

        Rubber stamped by Mark Lam.

        Before uploading the previous patch, I tried to condense the code. I
        accidentally removed a crucial line saying that CPUID clobbers various
        registers.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):

2017-11-16  Saam Barati  <sbarati@apple.com>

        Add some X86 intrinsics to $vm to help with some perf testing
        https://bugs.webkit.org/show_bug.cgi?id=179693

        Reviewed by Mark Lam.

        I've been doing some local perf testing of various ideas and have
        had these come in handy. I'm going to land them to dollarVM to prevent
        having to add them to my local build every time I do perf testing.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::mfence):
        (JSC::MacroAssemblerX86Common::rdtsc):
        (JSC::MacroAssemblerX86Common::pause):
        (JSC::MacroAssemblerX86Common::cpuid):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::rdtsc):
        (JSC::X86Assembler::pause):
        (JSC::X86Assembler::cpuid):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::intrinsic):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::JSDollarVM::finishCreation):

2017-11-16  JF Bastien  <jfbastien@apple.com>

        It should be easier to reify lazy property names
        https://bugs.webkit.org/show_bug.cgi?id=179734
        <rdar://problem/35492521>

        Reviewed by Keith Miller.

        We reify lazy property names in a few different ways, each
        specific to the JSCell implementation, in put() instead of having
        a special function to do reification. Let's make that simpler.

        This patch makes it easier to reify property names in a uniform
        manner, and does so in JSFunction. As a follow up I'll use the
        same mechanics for:

        ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
        ErrorConstructor  stackTraceLimit
        ErrorInstance     line, column, sourceURL, stack
        GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
        GetterSetter      RELEASE_ASSERT_NOT_REACHED()
        JSArray           length
        RegExpObject      lastIndex
        StringObject      length

        * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp: `name` and `length` can be reified.
        (JSC::JSFunction::reifyPropertyNameIfNeeded):
        (JSC::JSFunction::put):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyNameIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSFunction.h:
        (JSC::JSFunction::isLazy):
        (JSC::JSFunction::isReified):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal): do the reification here.

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Provide a runtime option for disabling the optimization of recursive tail calls
        https://bugs.webkit.org/show_bug.cgi?id=179765

        Reviewed by Mark Lam.

        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        * runtime/Options.h:

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Fix null pointer dereference in bytecodeDumper
        https://bugs.webkit.org/show_bug.cgi?id=179764

        Reviewed by Mark Lam.

        The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
        https://bugs.webkit.org/show_bug.cgi?id=179763
        <rdar://problem/35550513>

        Reviewed by Keith Miller.

        Fix null pointer dereference caused by an eliminated tdz_check

        The problem was when doing an OSR entry in DFG while |this| was null
        (because super() had not yet been called in the constructor of this
        subclass), it would be marked as non-null, and the tdz_check eliminated.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):

2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r224863.

        Introduced LayoutTest crashes on iOS Simulator.

        Reverted changeset:

        "Move JSONValues to WTF and convert uses of InspectorValues.h
        to JSONValues.h"
        https://bugs.webkit.org/show_bug.cgi?id=173793
        https://trac.webkit.org/changeset/224863

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix after r224862.
        https://bugs.webkit.org/show_bug.cgi?id=179699

        Not reviewed..

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):

2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Brian Burg.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::castToInteger):
        (Inspector::castToNumber):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
        * inspector/ScriptCallFrame.cpp:
        * inspector/ScriptCallStack.cpp:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_unchecked_setter_for_member):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generator.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179699
        <rdar://problem/35462346>

        Reviewed by Michael Saboff.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        - Need to skip the callee saved registers

2017-11-14  Guillaume Emont  <guijemont@igalia.com>

        REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
        https://bugs.webkit.org/show_bug.cgi?id=179563

        Reviewed by Carlos Alberto Lopez Perez.

        When run with BranchIfTruncateSuccessful,
        branchTruncateDoubleToInt32() should set the destination register
        before branching.
        This change also removes branchTruncateDoubleToUInt32() as it is
        deprecated (see r160205), merges branchOnTruncateResult() into
        branchTruncateDoubleToInt32() and adds test cases in testmasm.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        Properly set dest before branching.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):
        (JSC::run):
        Add tests for branchTruncateDoubleToInt32().

2017-11-14  Daniel Bates  <dabates@apple.com>

        Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
        for feature defines

        Following r195498 and r201917 the Visual Studio property files for feature defines have
        moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
        Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
        files.

        * Configurations/FeatureDefines.xcconfig:

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Remove JSDollarVMPrototype.
        https://bugs.webkit.org/show_bug.cgi?id=179685

        Reviewed by Saam Barati.

        1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.

           This allows us to call these functions during lldb debugging sessions using
           VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
           VMInspector provides VM debugging utility methods.  It doesn't make sense to
           have a JSDollarVMPrototype object provide these methods.

           Plus, it's shorter to type VMInspector than JSDollarVMPrototype.

        2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.

           JSDollarVM is a special object used only for debugging purposes.  There's no
           gain in requiring its methods to be stored in a prototype object other than to
           conform to typical JS convention.  We can remove this complexity.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVM::addFunction):
        (JSC::functionCrash):
        (JSC::functionDFGTrue):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator() const):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionPrintSourceFor):
        (JSC::functionPrintBytecodeFor):
        (JSC::functionPrint):
        (JSC::functionPrintCallFrame):
        (JSC::functionPrintStack):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::JSDollarVM::finishCreation):
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::create):
        * tools/JSDollarVMPrototype.cpp: Removed.
        * tools/JSDollarVMPrototype.h: Removed.
        * tools/VMInspector.cpp:
        (JSC::VMInspector::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::VMInspector::gc):
        (JSC::VMInspector::edenGC):
        (JSC::VMInspector::isInHeap):
        (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
        (JSC::CellAddressCheckFunctor::operator() const):
        (JSC::VMInspector::isValidCell):
        (JSC::VMInspector::isValidCodeBlock):
        (JSC::VMInspector::codeBlockForFrame):
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator() const):
        (JSC::VMInspector::printCallFrame):
        (JSC::VMInspector::printStack):
        (JSC::VMInspector::printValue):
        * tools/VMInspector.h:

2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
        https://bugs.webkit.org/show_bug.cgi?id=179640
        <rdar://problem/35517361>

        Reviewed by Devin Rousso.

        * CMakeLists.txt:
        * DerivedSources.make:
        Gate the ServiceWorker domain on the ENABLE feature flag.

        * inspector/protocol/ServiceWorker.json: Added.
        New domain to be made available inside of a ServiceWorker target.

2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support Array::DirectArguments with OutOfBounds
        https://bugs.webkit.org/show_bug.cgi?id=179594

        Reviewed by Saam Barati.

        Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
        If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
        `arguments[i]` accesses if i is in bound, and (2) encourage arguments elimination phase
        to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
        PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.

        This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
        accept this type, and emit optimized code compared to Array::Generic case.

        We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) as OutOfBounds
        exit instead of ExoticObjectMode.

        This change significantly improves SixSpeed rest.es5 since it uses OOB access.
        Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.

            rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

2017-11-14  Saam Barati  <sbarati@apple.com>

        We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=179639
        <rdar://problem/35513018>

        Reviewed by JF Bastien.

        Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
        walk the stack for ShadowChicken (and maybe other things). We weren't updating
        topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
        use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
        this bug by giving Wasm::Instance a lambda that is called when we need to store
        the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
        Currently, JSWebAssemblyInstance passes in a lambda that stores to
        VM.topCallFrame.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::storeTopCallFrame):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):

2017-11-13  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
        https://bugs.webkit.org/show_bug.cgi?id=179203

        Reviewed by Yusuke Suzuki.

        This patch only removes the pointer caging for the described types in the title.
        These types still allocate out of the gigacage. This is a just a cost vs benefit
        tradeoff of performance vs security.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::storage):
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
        * runtime/HashMapImpl.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::variables):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::overflowStorage const):

2017-11-08  Keith Miller  <keith_miller@apple.com>

        Async iteration should only fetch the next method once and add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179451

        Reviewed by Geoffrey Garen.

        Add feature flag for Async iteration. Also, change async iteration to match
        the expected behavior of the proposal.

        * Configurations/FeatureDefines.xcconfig:
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetAsyncIterator):
        * runtime/Options.h:

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Add more overflow check book-keeping for MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=179634
        <rdar://problem/35492517>

        Reviewed by Saam Barati.

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):

2017-11-13  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
        https://bugs.webkit.org/show_bug.cgi?id=179542

        Reviewed by Alex Christensen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell loadGetterFromGetterSetter() function more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179619
        <rdar://problem/35492518>

        Reviewed by Saam Barati.

        * jsc.cpp:
        (functionLoadGetterFromGetterSetter):

2017-11-12  Darin Adler  <darin@apple.com>

        More is<> and downcast<>, less static_cast<>
        https://bugs.webkit.org/show_bug.cgi?id=179600

        Reviewed by Chris Dumez.

        * runtime/JSString.h:
        (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
        (JSC::jsSubstringOfResolved): Ditto.

2017-11-12  Mark Lam  <mark.lam@apple.com>

        We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
        https://bugs.webkit.org/show_bug.cgi?id=179562
        <rdar://problem/35467022>

        Reviewed by Saam Barati.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):

2017-11-11  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Canvas tab: show detailed status during canvas recording
        https://bugs.webkit.org/show_bug.cgi?id=178185
        <rdar://problem/34939862>

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add a `recordingProgress` event that is sent to the frontend that contains all the frame
        payloads since the last Canvas.recordingProgress event and the current buffer usage.

        * inspector/protocol/Recording.json:
        Remove the required `frames` parameter from the Recording protocol object, as they will be
        sent in batches via the Canvas.recordingProgress event.

2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Make http status codes be "integer" instead of "number" in protocol
        https://bugs.webkit.org/show_bug.cgi?id=179543

        Reviewed by Antoine Quint.

        * inspector/protocol/Network.json:
        Use a better type for the status code.

2017-11-10  Robin Morisset  <rmorisset@apple.com>

        The memory consumption of DFG::BasicBlock can be easily reduced a bit
        https://bugs.webkit.org/show_bug.cgi?id=179528

        Reviewed by Saam Barati.

        A few changes here:
        - Reordering some fields of DFG::BasicBlock to reduce padding
        - Making the enum fields that are glorified booleans fit into a u8
        - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
          This change works because we never increase the number of arguments after allocating an Operands object.
          It lets us avoid one extra capacity field and one extra pointer field per Operands,
          and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
          Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
          we have a chance to avoid an allocation.
        - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.

        * bytecode/Operands.h:
        (JSC::Operands::Operands):
        (JSC::Operands::numberOfArguments const):
        (JSC::Operands::numberOfLocals const):
        (JSC::Operands::argument):
        (JSC::Operands::argument const):
        (JSC::Operands::local):
        (JSC::Operands::local const):
        (JSC::Operands::ensureLocals):
        (JSC::Operands::setLocal):
        (JSC::Operands::getLocal):
        (JSC::Operands::setArgumentFirstTime):
        (JSC::Operands::setLocalFirstTime):
        (JSC::Operands::operand):
        (JSC::Operands::setOperand):
        (JSC::Operands::size const):
        (JSC::Operands::at const):
        (JSC::Operands::at):
        (JSC::Operands::isArgument const):
        (JSC::Operands::isVariable const):
        (JSC::Operands::virtualRegisterForIndex const):
        (JSC::Operands::fill):
        (JSC::Operands::operator== const):
        (JSC::Operands::argumentForIndex const): Deleted.
        (JSC::Operands::variableForIndex const): Deleted.
        (JSC::Operands::indexForOperand const): Deleted.
        * dfg/DFGBasicBlock.cpp:
        (JSC::DFG::BasicBlock::BasicBlock):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGBranchDirection.h:
        * dfg/DFGStructureClobberState.h:

2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Retry module fetching if previous request fails
        https://bugs.webkit.org/show_bug.cgi?id=178168

        Reviewed by Saam Barati.

        According to the latest spec, the failed fetching operation can be retried if it is requested again.
        For example,

            <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
            <script type="module" integrity="shaXXX-correct" src="./A.js"></script>

        When performing the first module fetching, integrity check fails, and the load of this module becomes failed.
        But when loading the second module, we do not use the cached failure result in the first module loading.
        We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
        This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.

        Interestingly, fetching result and instantiation result will be cached if they succeeds. This is because we would
        like to cache modules based on their URLs. As a result,

            <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
            <script type="module" integrity="shaXXX-bad" src="./A.js"></script>

        In the above case, the first loading succeeds. And the second loading also succeeds since the succeeded fetching and
        instantiation are cached in the module pipeline.

        This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
        failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
        if the previous one fails. As an overview of our change,

        1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
           be unified. But if currently executing one fails, other attempts should retry fetching.

        2. Instantiation should be cached if fetching succeeds.

        3. Satisfying should be cached if it succeeds.

        [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script

        * builtins/ModuleLoaderPrototype.js:
        (requestFetch):
        (requestInstantiate):
        (requestSatisfy):
        (link):
        (loadModule):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):

2017-11-09  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: support undo/redo of insertAdjacentHTML
        https://bugs.webkit.org/show_bug.cgi?id=179283

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/DOM.json:
        Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
        on the given node.

2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Make domain availability a list of types instead of a single type
        https://bugs.webkit.org/show_bug.cgi?id=179457

        Reviewed by Brian Burg.

        * inspector/scripts/codegen/generate_js_backend_commands.py:
        (JSBackendCommandsGenerator.generate_domain):
        Update output of `InspectorBackend.activateDomain` to include the list.

        * inspector/scripts/codegen/models.py:
        (Protocol.parse_domain):
        Parse `availability` as a list and include a new supported value of "service-worker".

        * inspector/protocol/ApplicationCache.json:
        * inspector/protocol/CSS.json:
        * inspector/protocol/Canvas.json:
        * inspector/protocol/DOM.json:
        * inspector/protocol/DOMDebugger.json:
        * inspector/protocol/DOMStorage.json:
        * inspector/protocol/Database.json:
        * inspector/protocol/IndexedDB.json:
        * inspector/protocol/LayerTree.json:
        * inspector/protocol/Memory.json:
        * inspector/protocol/Network.json:
        * inspector/protocol/Page.json:
        * inspector/protocol/Timeline.json:
        * inspector/protocol/Worker.json:
        Update `availability` to be a list.

        * inspector/scripts/tests/generic/domain-availability.json:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
        * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
        * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
        * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
        * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
        Update tests to include a test for the type and an invalid value.

2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC][JIT] Clean up SlowPathCall stubs
        https://bugs.webkit.org/show_bug.cgi?id=179247

        Reviewed by Saam Barati.

        We have bunch of duplicate functions that just call a slow path function.
        This patch cleans up the above duplication.

        * jit/JIT.cpp:
        (JSC::JIT::emitSlowCaseCall):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITArithmetic.cpp:
        (JSC::JIT::emitSlow_op_unsigned): Deleted.
        (JSC::JIT::emitSlow_op_inc): Deleted.
        (JSC::JIT::emitSlow_op_dec): Deleted.
        (JSC::JIT::emitSlow_op_bitand): Deleted.
        (JSC::JIT::emitSlow_op_bitor): Deleted.
        (JSC::JIT::emitSlow_op_bitxor): Deleted.
        (JSC::JIT::emitSlow_op_lshift): Deleted.
        (JSC::JIT::emitSlow_op_rshift): Deleted.
        (JSC::JIT::emitSlow_op_urshift): Deleted.
        (JSC::JIT::emitSlow_op_div): Deleted.
        * jit/JITArithmetic32_64.cpp:
        (JSC::JIT::emitSlow_op_unsigned): Deleted.
        (JSC::JIT::emitSlow_op_inc): Deleted.
        (JSC::JIT::emitSlow_op_dec): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitSlow_op_create_this): Deleted.
        (JSC::JIT::emitSlow_op_check_tdz): Deleted.
        (JSC::JIT::emitSlow_op_to_this): Deleted.
        (JSC::JIT::emitSlow_op_to_primitive): Deleted.
        (JSC::JIT::emitSlow_op_not): Deleted.
        (JSC::JIT::emitSlow_op_stricteq): Deleted.
        (JSC::JIT::emitSlow_op_nstricteq): Deleted.
        (JSC::JIT::emitSlow_op_to_number): Deleted.
        (JSC::JIT::emitSlow_op_to_string): Deleted.
        (JSC::JIT::emitSlow_op_to_object): Deleted.
        (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
        (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emitSlow_op_to_primitive): Deleted.
        (JSC::JIT::emitSlow_op_not): Deleted.
        (JSC::JIT::emitSlow_op_stricteq): Deleted.
        (JSC::JIT::emitSlow_op_nstricteq): Deleted.
        (JSC::JIT::emitSlow_op_to_number): Deleted.
        (JSC::JIT::emitSlow_op_to_string): Deleted.
        (JSC::JIT::emitSlow_op_to_object): Deleted.
        (JSC::JIT::emitSlow_op_create_this): Deleted.
        (JSC::JIT::emitSlow_op_to_this): Deleted.
        (JSC::JIT::emitSlow_op_check_tdz): Deleted.
        (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emit_op_resolve_scope):
        (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
        * jit/SlowPathCall.h:
        (JSC::JITSlowPathCall::JITSlowPathCall):
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2017-11-09  Guillaume Emont  <guijemont@igalia.com>

        [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
        https://bugs.webkit.org/show_bug.cgi?id=179446

        Reviewed by Žan Doberšek.

        The trunc.w.d mips instruction should give a 0x7fffffff result when
        the source value is Infinity, NaN, or rounds to an integer outside the
        range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
        branchTruncateDoubleToUInt32() have been relying on. It turns out that
        this assumption is not true on some CPUs, including on the ci20 on
        which we run the testbot (we get 0x80000000 instead). We should the
        invalid operation cause bit instead to check whether the source value
        could be properly truncated. This requires the addition of the cfc1
        instruction, as well as the special registers that can be used with it
        (control registers of CP1).

        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::firstSPRegister):
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        Added control registers of CP1.
        (JSC::MIPSAssembler::cfc1):
        Added.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
        Use fcsr to check if the value could be properly truncated.

2017-11-08  Jeremy Jones  <jeremyj@apple.com>

        HTMLMediaElement should not use element fullscreen on iOS
        https://bugs.webkit.org/show_bug.cgi?id=179418
        rdar://problem/35409277

        Reviewed by Eric Carlson.

        Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.

        * Configurations/FeatureDefines.xcconfig:

2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
        https://bugs.webkit.org/show_bug.cgi?id=179276

        Reviewed by Andy Estes.

        * inspector/InjectedScriptHost.h:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        Call through to virtual implementation so that WebCore can provide custom
        internal properties for Web / DOM objects.

2017-11-08  Saam Barati  <sbarati@apple.com>

        A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
        https://bugs.webkit.org/show_bug.cgi?id=177792

        Reviewed by Yusuke Suzuki.

        Before this patch, if a JSFunction's rare data initialized its allocation profile
        before its backing Executable's poly proto watchpoint was invalidated, that
        JSFunction would continue to allocate non-poly proto objects until its allocation
        profile was cleared (which essentially never happens in practice). This patch
        improves on this pathology. A JSFunction's rare data will now watch the poly
        proto watchpoint if it's still valid and clear its allocation profile when we
        detect that we should go poly proto.

        * bytecode/ObjectAllocationProfile.h:
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * runtime/FunctionRareData.cpp:
        (JSC::FunctionRareData::initializeObjectAllocationProfile):
        (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
        * runtime/FunctionRareData.h:
        (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
        (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
        (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):

2017-11-08  Keith Miller  <keith_miller@apple.com>

        Add super sampler begin and end bytecodes.
        https://bugs.webkit.org/show_bug.cgi?id=179376

        Reviewed by Filip Pizlo.

        This patch adds a way to measure a narrow range of bytecodes for
        performance. This is done using the same infrastructure as the
        super sampler. I also added a class that helps do the bytecode
        checking with RAII. One problem with the current way this is done
        is that we don't handle decrementing early exits, either from
        branches or exceptions. So, when using this API users need to
        ensure that there are no early exits or that those exits don't
        occur on the measure code.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitSuperSamplerBegin):
        (JSC::BytecodeGenerator::emitSuperSamplerEnd):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/SuperSamplerBytecodeScope.h: Added.
        (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
        (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGClobbersExitState.cpp:
        (JSC::DFG::clobbersExitState):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
        (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_super_sampler_begin):
        (JSC::JIT::emit_op_super_sampler_end):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:

2017-11-08  Robin Morisset  <rmorisset@apple.com>

        Turn recursive tail calls into loops
        https://bugs.webkit.org/show_bug.cgi?id=176601

        Reviewed by Saam Barati.

        Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.

        We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
        One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
        Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
        We do this part through modifying the computation of the jump targets.
        Importantly, we only do this splitting for functions that have tail calls.
        It is the only case where the optimisation is sound, and doing the splitting unconditionnaly destroys performance on Octane/raytrace.

        We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
        The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::hasTailCalls const):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargetsInternal):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::hasTailCalls const):
        (JSC::UnlinkedCodeBlock::setHasTailCalls):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        (JSC::BytecodeGenerator::emitCallInTailPosition):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
        (JSC::DFG::ByteCodeParser::makeBlockTargetable):
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parse):

2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused Page.ScriptIdentifier protocol type
        https://bugs.webkit.org/show_bug.cgi?id=179407

        Reviewed by Matt Baker.

        * inspector/protocol/Page.json:
        Remove unused protocol type.

2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>

        Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
        https://bugs.webkit.org/show_bug.cgi?id=173619

        Reviewed by Alex Christensen and Brian Burg.

        Eventually all classes used for our JSON-RPC message passing should be outside
        of the Inspector namespace since the protocol is used outside of Inspector code.
        This will also allow us to unify the primitive JSON types with parameteric types
        like Inspector::Protocol::Array<T> and other protocol-related types which don't
        need to be in the Inspector namespace.

        Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
        patches, other clients will move to use JSON::Value and friends. When all uses are
        changed, the actual implementation will be renamed. This patch just focuses on the typedef
        and making changes in generated protocol code.

        Original patch by Brian Burg, rebased and updated by me.

        * inspector/InspectorValues.cpp:
        * inspector/InspectorValues.h:
        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_protocol_type_for_type):
        (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
        (CppGenerator.cpp_type_for_type_with_name):
        (CppGenerator.cpp_type_for_stack_in_parameter):
        * inspector/scripts/codegen/cpp_generator_templates.py:
        (void):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_class_for_object_declaration):
        (_generate_forward_declarations_for_binding_traits):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
        (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-07  Maciej Stachowiak  <mjs@apple.com>

        Get rid of unsightly hex numbers from unified build object files
        https://bugs.webkit.org/show_bug.cgi?id=179410

        Reviewed by Saam Barati.

        * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.

2017-11-07  Saam Barati  <sbarati@apple.com>

        Only cage double butterfly accesses
        https://bugs.webkit.org/show_bug.cgi?id=179202

        Reviewed by Mark Lam.

        This patch removes caging from all butterfly accesses except double loads/stores.
        This is a performance vs security tradeoff. Double loads/stores are the only butterfly
        loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
        by caging. The other load/stores we are no longer caging to get back performance on
        various benchmarks.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        * llint/LowLevelInterpreter64.asm:
        * runtime/AuxiliaryBarrier.h:
        (JSC::AuxiliaryBarrier::operator-> const):
        * runtime/Butterfly.h:
        (JSC::Butterfly::caged):
        (JSC::Butterfly::contiguousDouble):
        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):

2017-11-07  Mark Lam  <mark.lam@apple.com>

        Introduce a default RegisterSet constructor so that we can use { } notation.
        https://bugs.webkit.org/show_bug.cgi?id=179389

        Reviewed by Saam Barati.

        I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
        does not add any code documentation value.

        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        * b3/air/AirCode.cpp:
        (JSC::B3::Air::Code::setRegsInPriorityOrder):
        * b3/air/AirPrintSpecial.cpp:
        (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
        (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
        * b3/air/testair.cpp:
        * bytecode/PolymorphicAccess.h:
        (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
        (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * ftl/FTLJITCode.cpp:
        (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * jit/JITCode.cpp:
        (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):
        (JSC::RegisterSet::runtimeRegisters):
        (JSC::RegisterSet::macroScratchRegisters):
        * jit/RegisterSet.h:
        (JSC::RegisterSet::RegisterSet):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::emitTierUpCheck):

2017-11-07  Mark Lam  <mark.lam@apple.com>

        AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
        https://bugs.webkit.org/show_bug.cgi?id=179355
        <rdar://problem/35263053>

        Reviewed by Saam Barati.

        In the Transition case in AccessCase::generateImpl(), we were restoring registers
        using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
        where we previously stashed the reallocated butterfly.  If the generated code is
        under heavy register pressure, scratchGPR could have been from the set of preserved
        registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
        As a result, the restoration would trash the butterfly result we stored there.
        This patch fixes the issue by excluding the scratchGPR in the restoration.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):

2017-11-06  Robin Morisset  <rmorisset@apple.com>

        CodeBlock::usesOpcode() is dead code
        https://bugs.webkit.org/show_bug.cgi?id=179316

        Reviewed by Yusuke Suzuki.

        Remove CodeBlock::usesOpcode which is dead code

        * bytecode/CodeBlock.cpp:
        * bytecode/CodeBlock.h:

2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
        https://bugs.webkit.org/show_bug.cgi?id=144458

        Reviewed by Saam Barati.

        Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
        InternalFunction calls are not cached and they always go to the slow path. This is not good because

        1. We need to query getCallData/getConstructData every time in the slow path.
        2. CallLinkInfo tells nothing in the higher tier JITs.

        This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
        to hold pointers to the functions for call and construct. We have new stubs that can call/construct
        InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism.

        This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
        for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
        case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
        nodes for these InternalFunctions since CallLinkInfo tells us nothing.

        Attached microbenchmarks show performance improvement.

                                                           baseline                  patched

        dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
        dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
        dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
        dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster

        [1]: https://bugs.webkit.org/show_bug.cgi?id=178064

        * API/JSCallbackFunction.cpp:
        (JSC::JSCallbackFunction::JSCallbackFunction):
        (JSC::JSCallbackFunction::getCallData): Deleted.
        * API/JSCallbackFunction.h:
        (JSC::JSCallbackFunction::createStructure):
        * API/ObjCCallbackFunction.h:
        (JSC::ObjCCallbackFunction::createStructure):
        * API/ObjCCallbackFunction.mm:
        (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
        (JSC::ObjCCallbackFunction::getCallData): Deleted.
        (JSC::ObjCCallbackFunction::getConstructData): Deleted.
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):
        * bytecode/BytecodeList.json:
        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::setCallee):
        (JSC::CallLinkInfo::callee):
        (JSC::CallLinkInfo::setLastSeenCallee):
        (JSC::CallLinkInfo::lastSeenCallee):
        (JSC::CallLinkInfo::visitWeak):
        * bytecode/CallLinkInfo.h:
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromCallLinkInfo):
        * bytecode/LLIntCallLinkInfo.h:
        * jit/JITOperations.cpp:
        * jit/JITThunks.cpp:
        (JSC::JITThunks::ctiInternalFunctionCall):
        (JSC::JITThunks::ctiInternalFunctionConstruct):
        * jit/JITThunks.h:
        * jit/Repatch.cpp:
        (JSC::linkFor):
        (JSC::linkPolymorphicCall):
        * jit/Repatch.h:
        * jit/ThunkGenerators.cpp:
        (JSC::virtualThunkFor):
        (JSC::nativeForGenerator):
        (JSC::nativeCallGenerator):
        (JSC::nativeTailCallGenerator):
        (JSC::nativeTailCallWithoutSavedTagsGenerator):
        (JSC::nativeConstructGenerator):
        (JSC::internalFunctionCallGenerator):
        (JSC::internalFunctionConstructGenerator):
        * jit/ThunkGenerators.h:
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::setUpCall):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayConstructor.cpp:
        (JSC::ArrayConstructor::ArrayConstructor):
        (JSC::ArrayConstructor::getConstructData): Deleted.
        (JSC::ArrayConstructor::getCallData): Deleted.
        * runtime/ArrayConstructor.h:
        (JSC::ArrayConstructor::createStructure):
        * runtime/AsyncFunctionConstructor.cpp:
        (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
        (JSC::AsyncFunctionConstructor::finishCreation):
        (JSC::AsyncFunctionConstructor::getCallData): Deleted.
        (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
        * runtime/AsyncFunctionConstructor.h:
        (JSC::AsyncFunctionConstructor::createStructure):
        * runtime/AsyncGeneratorFunctionConstructor.cpp:
        (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
        (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
        (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
        (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
        * runtime/AsyncGeneratorFunctionConstructor.h:
        (JSC::AsyncGeneratorFunctionConstructor::createStructure):
        * runtime/BooleanConstructor.cpp:
        (JSC::callBooleanConstructor):
        (JSC::BooleanConstructor::BooleanConstructor):
        (JSC::BooleanConstructor::finishCreation):
        (JSC::BooleanConstructor::getConstructData): Deleted.
        (JSC::BooleanConstructor::getCallData): Deleted.
        * runtime/BooleanConstructor.h:
        (JSC::BooleanConstructor::createStructure):
        * runtime/DateConstructor.cpp:
        (JSC::DateConstructor::DateConstructor):
        (JSC::DateConstructor::getConstructData): Deleted.
        (JSC::DateConstructor::getCallData): Deleted.
        * runtime/DateConstructor.h:
        (JSC::DateConstructor::createStructure):
        * runtime/Error.h:
        (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
        (JSC::StrictModeTypeErrorFunction::createStructure):
        (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
        (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
        * runtime/ErrorConstructor.cpp:
        (JSC::ErrorConstructor::ErrorConstructor):
        (JSC::ErrorConstructor::getConstructData): Deleted.
        (JSC::ErrorConstructor::getCallData): Deleted.
        * runtime/ErrorConstructor.h:
        (JSC::ErrorConstructor::createStructure):
        * runtime/FunctionConstructor.cpp:
        (JSC::FunctionConstructor::FunctionConstructor):
        (JSC::FunctionConstructor::finishCreation):
        (JSC::FunctionConstructor::getConstructData): Deleted.
        (JSC::FunctionConstructor::getCallData): Deleted.
        * runtime/FunctionConstructor.h:
        (JSC::FunctionConstructor::createStructure):
        * runtime/FunctionPrototype.cpp:
        (JSC::callFunctionPrototype):
        (JSC::FunctionPrototype::FunctionPrototype):
        (JSC::FunctionPrototype::getCallData): Deleted.
        * runtime/FunctionPrototype.h:
        (JSC::FunctionPrototype::createStructure):
        * runtime/GeneratorFunctionConstructor.cpp:
        (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
        (JSC::GeneratorFunctionConstructor::finishCreation):
        (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
        (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
        * runtime/GeneratorFunctionConstructor.h:
        (JSC::GeneratorFunctionConstructor::createStructure):
        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::InternalFunction):
        (JSC::InternalFunction::finishCreation):
        (JSC::InternalFunction::getCallData):
        (JSC::InternalFunction::getConstructData):
        * runtime/InternalFunction.h:
        (JSC::InternalFunction::createStructure):
        (JSC::InternalFunction::nativeFunctionFor):
        (JSC::InternalFunction::offsetOfNativeFunctionFor):
        * runtime/IntlCollatorConstructor.cpp:
        (JSC::IntlCollatorConstructor::createStructure):
        (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
        (JSC::IntlCollatorConstructor::getConstructData): Deleted.
        (JSC::IntlCollatorConstructor::getCallData): Deleted.
        * runtime/IntlCollatorConstructor.h:
        * runtime/IntlDateTimeFormatConstructor.cpp:
        (JSC::IntlDateTimeFormatConstructor::createStructure):
        (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
        (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
        (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
        * runtime/IntlDateTimeFormatConstructor.h:
        * runtime/IntlNumberFormatConstructor.cpp:
        (JSC::IntlNumberFormatConstructor::createStructure):
        (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
        (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
        (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
        * runtime/IntlNumberFormatConstructor.h:
        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
        (JSC::JSArrayBufferConstructor::createStructure):
        (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
        (JSC::JSArrayBufferConstructor::getCallData): Deleted.
        * runtime/JSArrayBufferConstructor.h:
        * runtime/JSGenericTypedArrayViewConstructor.h:
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
        (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
        * runtime/JSInternalPromiseConstructor.cpp:
        (JSC::JSInternalPromiseConstructor::createStructure):
        (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
        (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
        (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
        * runtime/JSInternalPromiseConstructor.h:
        * runtime/JSPromiseConstructor.cpp:
        (JSC::JSPromiseConstructor::createStructure):
        (JSC::JSPromiseConstructor::JSPromiseConstructor):
        (JSC::JSPromiseConstructor::getConstructData): Deleted.
        (JSC::JSPromiseConstructor::getCallData): Deleted.
        * runtime/JSPromiseConstructor.h:
        * runtime/JSType.h:
        * runtime/JSTypedArrayViewConstructor.cpp:
        (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
        (JSC::JSTypedArrayViewConstructor::createStructure):
        (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
        (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
        * runtime/JSTypedArrayViewConstructor.h:
        * runtime/MapConstructor.cpp:
        (JSC::MapConstructor::MapConstructor):
        (JSC::MapConstructor::getConstructData): Deleted.
        (JSC::MapConstructor::getCallData): Deleted.
        * runtime/MapConstructor.h:
        (JSC::MapConstructor::createStructure):
        (JSC::MapConstructor::MapConstructor): Deleted.
        * runtime/NativeErrorConstructor.cpp:
        (JSC::NativeErrorConstructor::NativeErrorConstructor):
        (JSC::NativeErrorConstructor::getConstructData): Deleted.
        (JSC::NativeErrorConstructor::getCallData): Deleted.
        * runtime/NativeErrorConstructor.h:
        (JSC::NativeErrorConstructor::createStructure):
        * runtime/NullGetterFunction.cpp:
        (JSC::NullGetterFunction::NullGetterFunction):
        (JSC::NullGetterFunction::getCallData): Deleted.
        (JSC::NullGetterFunction::getConstructData): Deleted.
        * runtime/NullGetterFunction.h:
        (JSC::NullGetterFunction::createStructure):
        (JSC::NullGetterFunction::NullGetterFunction): Deleted.
        * runtime/NullSetterFunction.cpp:
        (JSC::NullSetterFunction::NullSetterFunction):
        (JSC::NullSetterFunction::getCallData): Deleted.
        (JSC::NullSetterFunction::getConstructData): Deleted.
        * runtime/NullSetterFunction.h:
        (JSC::NullSetterFunction::createStructure):
        (JSC::NullSetterFunction::NullSetterFunction): Deleted.
        * runtime/NumberConstructor.cpp:
        (JSC::NumberConstructor::NumberConstructor):
        (JSC::constructNumberConstructor):
        (JSC::constructWithNumberConstructor): Deleted.
        (JSC::NumberConstructor::getConstructData): Deleted.
        (JSC::NumberConstructor::getCallData): Deleted.
        * runtime/NumberConstructor.h:
        (JSC::NumberConstructor::createStructure):
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::ObjectConstructor):
        (JSC::ObjectConstructor::getConstructData): Deleted.
        (JSC::ObjectConstructor::getCallData): Deleted.
        * runtime/ObjectConstructor.h:
        (JSC::ObjectConstructor::createStructure):
        * runtime/ProxyConstructor.cpp:
        (JSC::ProxyConstructor::ProxyConstructor):
        (JSC::ProxyConstructor::getConstructData): Deleted.
        (JSC::ProxyConstructor::getCallData): Deleted.
        * runtime/ProxyConstructor.h:
        (JSC::ProxyConstructor::createStructure):
        * runtime/ProxyRevoke.cpp:
        (JSC::ProxyRevoke::ProxyRevoke):
        (JSC::ProxyRevoke::getCallData): Deleted.
        * runtime/ProxyRevoke.h:
        (JSC::ProxyRevoke::createStructure):
        * runtime/RegExpConstructor.cpp:
        (JSC::RegExpConstructor::RegExpConstructor):
        (JSC::RegExpConstructor::getConstructData): Deleted.
        (JSC::RegExpConstructor::getCallData): Deleted.
        * runtime/RegExpConstructor.h:
        (JSC::RegExpConstructor::createStructure):
        * runtime/SetConstructor.cpp:
        (JSC::SetConstructor::SetConstructor):
        (JSC::SetConstructor::getConstructData): Deleted.
        (JSC::SetConstructor::getCallData): Deleted.
        * runtime/SetConstructor.h:
        (JSC::SetConstructor::createStructure):
        (JSC::SetConstructor::SetConstructor): Deleted.
        * runtime/StringConstructor.cpp:
        (JSC::StringConstructor::StringConstructor):
        (JSC::StringConstructor::getConstructData): Deleted.
        (JSC::StringConstructor::getCallData): Deleted.
        * runtime/StringConstructor.h:
        (JSC::StringConstructor::createStructure):
        * runtime/SymbolConstructor.cpp:
        (JSC::SymbolConstructor::SymbolConstructor):
        (JSC::SymbolConstructor::getConstructData): Deleted.
        (JSC::SymbolConstructor::getCallData): Deleted.
        * runtime/SymbolConstructor.h:
        (JSC::SymbolConstructor::createStructure):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::getCTIInternalFunctionTrampolineFor):
        * runtime/VM.h:
        * runtime/WeakMapConstructor.cpp:
        (JSC::WeakMapConstructor::WeakMapConstructor):
        (JSC::WeakMapConstructor::getConstructData): Deleted.
        (JSC::WeakMapConstructor::getCallData): Deleted.
        * runtime/WeakMapConstructor.h:
        (JSC::WeakMapConstructor::createStructure):
        (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
        * runtime/WeakSetConstructor.cpp:
        (JSC::WeakSetConstructor::WeakSetConstructor):
        (JSC::WeakSetConstructor::getConstructData): Deleted.
        (JSC::WeakSetConstructor::getCallData): Deleted.
        * runtime/WeakSetConstructor.h:
        (JSC::WeakSetConstructor::createStructure):
        (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::WebAssemblyCompileErrorConstructor::createStructure):
        (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
        (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyCompileErrorConstructor.h:
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::WebAssemblyInstanceConstructor::createStructure):
        (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
        (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyInstanceConstructor.h:
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::WebAssemblyLinkErrorConstructor::createStructure):
        (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
        (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyLinkErrorConstructor.h:
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::WebAssemblyMemoryConstructor::createStructure):
        (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
        (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyMemoryConstructor.h:
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::WebAssemblyModuleConstructor::createStructure):
        (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
        (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyModuleConstructor.h:
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
        (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
        (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::WebAssemblyTableConstructor::createStructure):
        (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
        (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
        (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
        * wasm/js/WebAssemblyTableConstructor.h:

2017-11-03  Michael Saboff  <msaboff@apple.com>

        The Abstract Interpreter needs to change similar to clobberize() in r224366
        https://bugs.webkit.org/show_bug.cgi?id=179267

        Reviewed by Saam Barati.

        Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
        cases in the abstract interpreter to match what was done for r224366.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2017-11-03  Keith Miller  <keith_miller@apple.com>

        PutProperytSlot should inform the IC about the property before effects.
        https://bugs.webkit.org/show_bug.cgi?id=179262

        Reviewed by Mark Lam.

        This patch fixes an issue where we choose to cache setters based on
        incorrect information. If we did so we might end up OSR exiting
        more than we would otherwise need to. The new model is that the
        PutPropertySlot should inform the IC of what the property looked
        like before any potential side effects might have occurred.

        * runtime/JSObject.cpp:
        (JSC::JSObject::putInlineSlow):
        * runtime/Lookup.h:
        (JSC::putEntry):

2017-11-03  Mark Lam  <mark.lam@apple.com>

        CachedCall (and its clients) needs overflow checks.
        https://bugs.webkit.org/show_bug.cgi?id=179185

        Reviewed by JF Bastien.

        * interpreter/CachedCall.h:
        (JSC::CachedCall::CachedCall):
        (JSC::CachedCall::hasOverflowedArguments):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::clear):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):

2017-11-03  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
        https://bugs.webkit.org/show_bug.cgi?id=178302
        <rdar://problem/33158849>

        Reviewed by Brian Burg.

        * inspector/protocol/Recording.json:
        Add `duration` to each Frame that represents the total time of all the recorded actions.

2017-11-02  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
        https://bugs.webkit.org/show_bug.cgi?id=179070
        <rdar://problem/35278276>

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add `extensionEnabled` event that is fired each time `getExtension` is called with a
        different string on a WebGL context.

2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>

        Make ServiceWorker a Remote Inspector debuggable target
        https://bugs.webkit.org/show_bug.cgi?id=179043
        <rdar://problem/34126008>

        Reviewed by Brian Burg.

        * inspector/remote/RemoteControllableTarget.h:
        * inspector/remote/RemoteInspectionTarget.h:
        * inspector/remote/RemoteInspectorConstants.h:
        Include a new ServiceWorker remote inspector target type.

        * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        Implement listing for a ServiceWorker to include a URL like a page.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        Bail for ServiceWorker support in glib. They will need to implement their support.

2017-11-02  Michael Saboff  <msaboff@apple.com>

        DFG needs to handle code motion of code in for..in loop bodies
        https://bugs.webkit.org/show_bug.cgi?id=179212

        Reviewed by Keith Miller.

        The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
        make calls with side effects.  Updated clobberize() for those nodes to take that into account.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>

        Inspector should display service worker served responses properly
        https://bugs.webkit.org/show_bug.cgi?id=178597
        <rdar://problem/35186111>

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Expose a new "service-worker" response source.

2017-11-02  Filip Pizlo  <fpizlo@apple.com>

        AI does not correctly model the clobber case of ArithClz32
        https://bugs.webkit.org/show_bug.cgi?id=179188

        Reviewed by Michael Saboff.

        The non-Int32 case clobbers the world because it may call valueOf.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):

2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, release throw scope
        https://bugs.webkit.org/show_bug.cgi?id=178726

        * dfg/DFGOperations.cpp:

2017-11-02  Frederic Wang  <fwang@igalia.com>

        Add references to bug 179167 in FIXME comments
        https://bugs.webkit.org/show_bug.cgi?id=179168

        Reviewed by Daniel Bates.

        * Configurations/FeatureDefines.xcconfig:

2017-11-01  Jeremy Jones  <jeremyj@apple.com>

        Implement WKFullscreenWindowController for iOS.
        https://bugs.webkit.org/show_bug.cgi?id=178924
        rdar://problem/34697120

        Reviewed by Simon Fraser.

        Enable ENABLE_FULLSCREEN_API for iOS.

        * Configurations/FeatureDefines.xcconfig:

2017-11-01  Mark Lam  <mark.lam@apple.com>

        Add support to throw OOM if MarkedArgumentBuffer may overflow.
        https://bugs.webkit.org/show_bug.cgi?id=179092
        <rdar://problem/35116160>

        Reviewed by Saam Barati.

        The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
        time, which renders it unsuitable for automated tests.  Instead, I've run a
        test manually to verify that an OutOfMemoryError will be thrown when an overflow
        occurs.

        The MarkedArgumentBuffer's destructor will now assert that the client has indeed
        checked for an overflow after invoking methods that may result in an overflow i.e.
        the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
        This is only done on debug builds.

        * API/JSObjectRef.cpp:
        (JSObjectMakeFunction):
        (JSObjectMakeArray):
        (JSObjectMakeDate):
        (JSObjectMakeRegExp):
        (JSObjectCallAsFunction):
        (JSObjectCallAsConstructor):
        * dfg/DFGOperations.cpp:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::createInjectedScript):
        * inspector/JSJavaScriptCallFrame.cpp:
        (Inspector::JSJavaScriptCallFrame::scopeChain const):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::executeProgram):
        * jsc.cpp:
        (functionDollarAgentReceiveBroadcast):
        * runtime/ArgList.cpp:
        (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
        (JSC::MarkedArgumentBuffer::expandCapacity):
        (JSC::MarkedArgumentBuffer::slowAppend):
        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
        (JSC::MarkedArgumentBuffer::appendWithAction):
        (JSC::MarkedArgumentBuffer::append):
        (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
        (JSC::MarkedArgumentBuffer::hasOverflowed):
        (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
        (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
        * runtime/ArrayPrototype.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/GetterSetter.cpp:
        (JSC::callSetter):
        * runtime/IteratorOperations.cpp:
        (JSC::iteratorNext):
        (JSC::iteratorClose):
        * runtime/JSBoundFunction.cpp:
        (JSC::boundThisNoArgsFunctionCall):
        (JSC::boundFunctionCall):
        (JSC::boundThisNoArgsFunctionConstruct):
        (JSC::boundFunctionConstruct):
        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewFromIterator):
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        (JSC::genericTypedArrayViewProtoFuncSlice):
        (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::haveABadTime):
        * runtime/JSInternalPromise.cpp:
        (JSC::JSInternalPromise::then):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/JSMapIterator.cpp:
        (JSC::JSMapIterator::createPair):
        * runtime/JSModuleLoader.cpp:
        (JSC::JSModuleLoader::provideFetch):
        (JSC::JSModuleLoader::loadAndEvaluateModule):
        (JSC::JSModuleLoader::loadModule):
        (JSC::JSModuleLoader::linkAndEvaluateModule):
        (JSC::JSModuleLoader::requestImportModule):
        * runtime/JSONObject.cpp:
        (JSC::Stringifier::toJSONImpl):
        (JSC::Stringifier::appendStringifiedValue):
        (JSC::Walker::callReviver):
        * runtime/JSObject.cpp:
        (JSC::ordinarySetSlow):
        (JSC::callToPrimitiveFunction):
        (JSC::JSObject::hasInstance):
        * runtime/JSPromise.cpp:
        (JSC::JSPromise::initialize):
        (JSC::JSPromise::resolve):
        * runtime/JSPromiseDeferred.cpp:
        (JSC::newPromiseCapability):
        (JSC::callFunction):
        * runtime/JSSetIterator.cpp:
        (JSC::JSSetIterator::createPair):
        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::parse):
        * runtime/MapConstructor.cpp:
        (JSC::constructMap):
        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::performProxyCall):
        (JSC::performProxyConstruct):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performPreventExtensions):
        (JSC::ProxyObject::performIsExtensible):
        (JSC::ProxyObject::performDefineOwnProperty):
        (JSC::ProxyObject::performGetOwnPropertyNames):
        (JSC::ProxyObject::performSetPrototype):
        (JSC::ProxyObject::performGetPrototype):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):
        * runtime/SetConstructor.cpp:
        (JSC::constructSet):
        * runtime/StringPrototype.cpp:
        (JSC::replaceUsingRegExpSearch):
        (JSC::replaceUsingStringSearch):
        * runtime/WeakMapConstructor.cpp:
        (JSC::constructWeakMap):
        * runtime/WeakSetConstructor.cpp:
        (JSC::constructWeakSet):
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJS):

2017-11-01  Michael Saboff  <msaboff@apple.com>

        Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
        https://bugs.webkit.org/show_bug.cgi?id=179140

        Reviewed by Saam Barati.

        Added overflow checks to computation of arg count plus this.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):

2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, use weakPointer instead of FTLOutput::weakPointer
        https://bugs.webkit.org/show_bug.cgi?id=178934

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):

2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce @toObject
        https://bugs.webkit.org/show_bug.cgi?id=178726

        Reviewed by Saam Barati.

        This patch introduces @toObject intrinsic. And we introduce op_to_object bytecode and DFG ToObject node.
        Previously we emulated @toObject behavior in builtin JS. But it consumes much bytecode size while @toObject
        is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
        ObjectConstructor in LLInt and Baseline.

        We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
        offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation

            if (this === @undefined || this === null)
                @throwTypeError("error message");
            var object = @Object(this);

        with

            var object = @toObject(this, "error message");

        And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
        ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
        In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.

        It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.

        * builtins/ArrayConstructor.js:
        (from):
        * builtins/ArrayPrototype.js:
        (values):
        (keys):
        (entries):
        (reduce):
        (reduceRight):
        (every):
        (forEach):
        (filter):
        (map):
        (some):
        (fill):
        (find):
        (findIndex):
        (includes):
        (sort):
        (globalPrivate.concatSlowPath):
        (copyWithin):
        * builtins/DatePrototype.js:
        (toLocaleString.toDateTimeOptionsAnyAll):
        (toLocaleString):
        (toLocaleDateString.toDateTimeOptionsDateDate):
        (toLocaleDateString):
        (toLocaleTimeString.toDateTimeOptionsTimeTime):
        (toLocaleTimeString):
        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataProperties):
        (globalPrivate.copyDataPropertiesNoExclusions):
        * builtins/ObjectConstructor.js:
        (entries):
        * builtins/StringConstructor.js:
        (raw):
        * builtins/TypedArrayConstructor.js:
        (from):
        * builtins/TypedArrayPrototype.js:
        (map):
        (filter):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitToObject):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToObject):
        (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCallObjectConstructor):
        (JSC::DFG::Node::convertToNewStringObject):
        (JSC::DFG::Node::convertToNewObject):
        (JSC::DFG::Node::hasIdentifier):
        (JSC::DFG::Node::hasHeapPrediction):
        (JSC::DFG::Node::hasCellOperand):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
        (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emitSlow_op_to_object):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_to_object):
        (JSC::JIT::emitSlow_op_to_object):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:

2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>

        Use LazyNeverDestroyed instead of DEFINE_GLOBAL
        https://bugs.webkit.org/show_bug.cgi?id=174979

        Reviewed by Yusuke Suzuki.

        * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.

2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Introduce StringSlice
        https://bugs.webkit.org/show_bug.cgi?id=178934

        Reviewed by Saam Barati.

        String.prototype.slice is one of the most frequently called function in ARES-6/Babylon.
        This patch introduces StringSlice DFG node to optimize it in DFG and FTL.

        This patch's StringSlice node optimizes the following things.

        1. Empty string generation is accelerated. It is fully executed inline.
        2. One char string generation is accelerated. `< 0x100` character is supported right now.
        It is the same to charAt acceleration.
        3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
        operation.

        We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
        And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
        in subsequent changes.

        This patch improves ARES-6/Babylon performance by 3% in steady state.

        Baseline:
            Running... Babylon ( 1  to go)
            firstIteration:     50.05 +- 13.68 ms
            averageWorstCase:   16.80 +- 1.27 ms
            steadyState:        7.53 +- 0.22 ms

        Patched:
            Running... Babylon ( 1  to go)
            firstIteration:     50.91 +- 13.41 ms
            averageWorstCase:   16.12 +- 0.99 ms
            steadyState:        7.30 +- 0.29 ms

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGBackwardsPropagationPhase.cpp:
        (JSC::DFG::BackwardsPropagationPhase::propagate):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileStringSlice):
        (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
        (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
        * jit/JITOperations.h:
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2017-10-31  JF Bastien  <jfbastien@apple.com>

        WebAssembly: Wasm::IndexOrName has a raw pointer to Name
        https://bugs.webkit.org/show_bug.cgi?id=176644

        Reviewed by Michael Saboff.

        IndexOrName now keeps a RefPtr to its original NameSection, which
        holds the Name (or references nullptr if Index). Holding onto the
        entire section seems like the better thing to do, since backtraces
        probably contain multiple names from the same Module.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * interpreter/Interpreter.cpp:
        (JSC::GetStackTraceFunctor::operator() const):
        * interpreter/StackVisitor.h: Frame is no longer POD because of the
        RefPtr.
        * runtime/StackFrame.cpp:
        (JSC::StackFrame::StackFrame):
        * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
        (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
        (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmCallee.cpp:
        (JSC::Wasm::Callee::Callee):
        * wasm/WasmCallee.h:
        (JSC::Wasm::Callee::create):
        * wasm/WasmFormat.h: Move NameSection to its own header.
        (JSC::Wasm::isValidNameType):
        (JSC::Wasm::NameSection::get): Deleted.
        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::IndexOrName::IndexOrName):
        (JSC::Wasm::makeString):
        * wasm/WasmIndexOrName.h:
        (JSC::Wasm::IndexOrName::IndexOrName):
        (JSC::Wasm::IndexOrName::isEmpty const):
        (JSC::Wasm::IndexOrName::isIndex const):
        * wasm/WasmModuleInformation.cpp:
        (JSC::Wasm::ModuleInformation::ModuleInformation):
        * wasm/WasmModuleInformation.h:
        (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
        * wasm/WasmNameSection.h:
        (JSC::W