Source/JavaScriptCore/ChangeLog (WebKit-https.git, commit 96e0ce0fc538cb309450130ec741d41a086b989b)
2017-11-30  Michael Saboff  <msaboff@apple.com>

        Allow JSC command line tool to accept UTF8
        https://bugs.webkit.org/show_bug.cgi?id=180205

        Reviewed by Keith Miller.

        This unifies the UTF8 handling of interactive mode with that of source files.

        * jsc.cpp:
        (runInteractive):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
        https://bugs.webkit.org/show_bug.cgi?id=180185

        Reviewed by Carlos Garcia Campos.

        After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
        But this is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
        can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
        And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But a MakeRope
        DFG node can be emitted if we see that an untaken path includes String + String code.

        This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
        As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in the FTL.
        I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
        original code used before r225314.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):

2017-11-28  Filip Pizlo  <fpizlo@apple.com>

        CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
        https://bugs.webkit.org/show_bug.cgi?id=180108

        Reviewed by Saam Barati.

        This was creating a vector of things to remove and then removing them. I think I remember writing
        this code, and I did that because at the time we did not have removeAllMatching, which is
        definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
        obvious improvement before I did more fundamental things to this code.

        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):

2017-11-29  Filip Pizlo  <fpizlo@apple.com>

        GC should support isoheaps
        https://bugs.webkit.org/show_bug.cgi?id=179288

        Reviewed by Saam Barati.

        This expands the power of the Subspace API in JSC:

        - Everything associated with describing the types of objects is now part of the HeapCellType class.
          We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
          HeapCellType; these are orthogonal things.

        - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
          any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
          special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
          pages but releases the physical pages as part of the respective allocator's scavenging policy
          (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
          IsoSubspace).

        So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
        for more things.

        This does not have any effect on JetStream (0.18% faster with p = 0.69).

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/ObjectAllocationProfileInlines.h:
        (JSC::ObjectAllocationProfile::initializeProfile):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileMakeRope):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
        * heap/AlignedMemoryAllocator.cpp:
        (JSC::AlignedMemoryAllocator::registerAllocator):
        (JSC::AlignedMemoryAllocator::registerSubspace):
        * heap/AlignedMemoryAllocator.h:
        (JSC::AlignedMemoryAllocator::firstAllocator const):
        * heap/AllocationFailureMode.h: Added.
        * heap/CompleteSubspace.cpp: Added.
        (JSC::CompleteSubspace::CompleteSubspace):
        (JSC::CompleteSubspace::~CompleteSubspace):
        (JSC::CompleteSubspace::allocatorFor):
        (JSC::CompleteSubspace::allocate):
        (JSC::CompleteSubspace::allocateNonVirtual):
        (JSC::CompleteSubspace::allocatorForSlow):
        (JSC::CompleteSubspace::allocateSlow):
        (JSC::CompleteSubspace::tryAllocateSlow):
        * heap/CompleteSubspace.h: Added.
        (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForSizeStep):
        (JSC::CompleteSubspace::allocatorForNonVirtual):
        * heap/HeapCellType.cpp: Added.
        (JSC::HeapCellType::HeapCellType):
        (JSC::HeapCellType::~HeapCellType):
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * heap/HeapCellType.h: Added.
        (JSC::HeapCellType::attributes const):
        * heap/IsoAlignedMemoryAllocator.cpp: Added.
        (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::IsoAlignedMemoryAllocator::dump const):
        * heap/IsoAlignedMemoryAllocator.h: Added.
        * heap/IsoSubspace.cpp: Added.
        (JSC::IsoSubspace::IsoSubspace):
        (JSC::IsoSubspace::~IsoSubspace):
        (JSC::IsoSubspace::allocatorFor):
        (JSC::IsoSubspace::allocatorForNonVirtual):
        (JSC::IsoSubspace::allocate):
        (JSC::IsoSubspace::allocateNonVirtual):
        * heap/IsoSubspace.h: Added.
        (JSC::IsoSubspace::size const):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::MarkedAllocator):
        (JSC::MarkedAllocator::setSubspace):
        (JSC::MarkedAllocator::allocateSlowCase):
        (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
        (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
        * heap/MarkedAllocator.h:
        (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
        (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
        * heap/MarkedAllocatorInlines.h:
        (JSC::MarkedAllocator::allocate):
        (JSC::MarkedAllocator::tryAllocate): Deleted.
        * heap/MarkedBlock.h:
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
        (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::addMarkedAllocator):
        * heap/MarkedSpace.h:
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::initialize):
        (JSC::Subspace::finishSweep):
        (JSC::Subspace::destroy):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        (): Deleted.
        (JSC::Subspace::allocate): Deleted.
        (JSC::Subspace::tryAllocate): Deleted.
        (JSC::Subspace::allocatorForSlow): Deleted.
        (JSC::Subspace::allocateSlow): Deleted.
        (JSC::Subspace::tryAllocateSlow): Deleted.
        (JSC::Subspace::didAllocate): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::heapCellType const):
        (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
        (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
        (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
        (JSC::Subspace::allocatorForSizeStep): Deleted.
        (JSC::Subspace::tryAllocatorFor): Deleted.
        (JSC::Subspace::allocatorFor): Deleted.
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSized):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        * runtime/DirectEvalExecutable.h:
        * runtime/EvalExecutable.h:
        * runtime/ExecutableBase.h:
        (JSC::ExecutableBase::subspaceFor):
        * runtime/FunctionExecutable.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        * runtime/IndirectEvalExecutable.h:
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSCell.h:
        (JSC::subspaceFor):
        * runtime/JSCellInlines.h:
        (JSC::JSCell::subspaceFor):
        (JSC::tryAllocateCellHelper):
        (JSC::allocateCell):
        (JSC::tryAllocateCell):
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::subspaceFor):
        * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
        (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
        (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
        (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
        * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
        * runtime/JSDestructibleObjectSubspace.cpp: Removed.
        * runtime/JSDestructibleObjectSubspace.h: Removed.
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::subspaceFor):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::subspaceFor):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
        (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
        (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
        * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
        * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
        * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
        * runtime/JSString.h:
        (JSC::JSString::subspaceFor):
        * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
        (JSC::JSStringHeapCellType::JSStringHeapCellType):
        (JSC::JSStringHeapCellType::~JSStringHeapCellType):
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        (JSC::JSStringSubspace::JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
        (JSC::JSStringSubspace::finishSweep): Deleted.
        (JSC::JSStringSubspace::destroy): Deleted.
        * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
        * runtime/JSStringSubspace.cpp: Removed.
        * runtime/JSStringSubspace.h: Removed.
        * runtime/ModuleProgramExecutable.h:
        * runtime/NativeExecutable.h:
        * runtime/ProgramExecutable.h:
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
        (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
        (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):

2017-11-29  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for double arrays
        https://bugs.webkit.org/show_bug.cgi?id=180163

        Reviewed by Mark Lam.

        This patch removes pointer caging from double arrays. Like
        my previous removals of pointer caging, this is a security vs
        performance tradeoff. We believe that butterflies being allocated
        in the cage and with a 32GB runway gives us enough security that
        pointer caging the butterfly just for double arrays does not add
        enough security benefit for the performance hit it incurs.

        This patch also removes the GetButterflyWithoutCaging node and
        the FixedButterflyAccessUncaging phase. The node is no longer needed
        because now all GetButterfly nodes are not caged. The phase is removed
        since we no longer have two nodes.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        * runtime/Butterfly.h:
        (JSC::Butterfly::pointer):
        (JSC::Butterfly::contiguousDouble):
        (JSC::Butterfly::caged): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createOrGrowPropertyStorage):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):

2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * Sources.txt:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2017-11-29  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r225286.

        The source files within this patch have been marked as
        executable.

        Reverted changeset:

        "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
        https://bugs.webkit.org/show_bug.cgi?id=175447
        https://trac.webkit.org/changeset/225286

2017-11-29  Alex Christensen  <achristensen@webkit.org>

        Fix Mac CMake build.

        * PlatformMac.cmake:

2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>

        [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=175447

        Reviewed by Carlos Alberto Lopez Perez.

        This patch allows DFG JIT to be enabled on MIPS platforms.

        * Sources.txt:
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::sprName):
        * assembler/MacroAssemblerMIPS.cpp: Added.
        (JSC::MacroAssembler::probe):
        * assembler/ProbeContext.cpp:
        (JSC::Probe::executeProbe):
        * assembler/ProbeContext.h:
        (JSC::Probe::CPUState::pc):
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackValues):

2017-11-28  JF Bastien  <jfbastien@apple.com>

        Strict and sloppy functions shouldn't share structure
        https://bugs.webkit.org/show_bug.cgi?id=180103
        <rdar://problem/35667847>

        Reviewed by Saam Barati.

        Sloppy and strict functions don't act the same when it comes to
        arguments, caller, and callee. Sharing a structure means that
        anything that is cached gets shared, and that's incorrect.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::create): the second ::create is always strict
        because it applies to native functions.
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::strictFunctionStructure const):
        (JSC::JSGlobalObject::sloppyFunctionStructure const):
        (JSC::JSGlobalObject::nativeStdFunctionStructure const):
        (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
        (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.

2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
        https://bugs.webkit.org/show_bug.cgi?id=180070

        Reviewed by Saam Barati.

        This patch adds getEffectiveAddress in all JIT platforms.
        This is an abstracted version of x86 lea.

        We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::getEffectiveAddress):
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::getEffectiveAddress):
        (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::getEffectiveAddress):
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::getEffectiveAddress):
        * assembler/MacroAssemblerX86.h:
        (JSC::MacroAssemblerX86::getEffectiveAddress):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::getEffectiveAddress):
        (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testGetEffectiveAddress):
        (JSC::run):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayPush):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):

2017-11-29  Robin Morisset  <rmorisset@apple.com>

        The recursive tail call optimisation is wrong on closures
        https://bugs.webkit.org/show_bug.cgi?id=179835

        Reviewed by Saam Barati.

        The problem is that we only check the executable of the callee, not whatever variables might have been captured.
        As a stopgap measure this patch just does not do the optimisation for closures.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):

2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable
        https://bugs.webkit.org/show_bug.cgi?id=180119

        Reviewed by Devin Rousso.

        * inspector/InjectedScriptManager.h:
        * inspector/JSGlobalObjectScriptDebugServer.h:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:

2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>

        ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
        https://bugs.webkit.org/show_bug.cgi?id=179642
        <rdar://problem/35517704>

        Reviewed by Brian Burg.

        * inspector/protocol/Network.json:
        Expose the NetworkAgent for a Service Worker inspector.

2017-11-28  Brian Burg  <bburg@apple.com>

        [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
        https://bugs.webkit.org/show_bug.cgi?id=179696

        Reviewed by Timothy Hatcher.

        * inspector/scripts/codegen/generate_objc_header.py:
        (ObjCHeaderGenerator._generate_type_interface):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
        (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_raw_name):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
        (ObjCGenerator.objc_protocol_import_expression_for_variable):
        (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member.is):
        (ObjCGenerator.objc_to_protocol_expression_for_member):
        (ObjCGenerator.protocol_to_objc_expression_for_member.is):
        (ObjCGenerator.protocol_to_objc_expression_for_member):
        (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
        (ObjCGenerator.objc_setter_method_for_member_internal):
        (ObjCGenerator.objc_getter_method_for_member_internal):
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-27  JF Bastien  <jfbastien@apple.com>

        JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
        https://bugs.webkit.org/show_bug.cgi?id=180051
        <rdar://problem/35614371>

        Reviewed by Saam Barati.

        Checking for int32 isn't sufficient when uint32 is expected
        afterwards. While we're here, also use Checked<>.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
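
        The int32-versus-uint32 point in the entry above, as an added illustration that is not JSC's code: a hypothetical rest-parameter length computation (argumentCount minus numberOfArgumentsToSkip, consumed as a uint32_t array size) guarded first by only a fits-in-int32 check and then by WTF::Checked<>-style overflow detection plus a range check against the consumer's type.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>
#include <optional>

// Constructed model (not JSC's code): a rest parameter's length is
// argumentCount - numberOfArgumentsToSkip, and whoever consumes that length
// expects a non-negative uint32_t array size.

// Weak variant: it only asks "does the subtraction fit in an int32?". A
// negative difference passes that check, and the conversion to the uint32
// the consumer expects turns it into an enormous length.
uint32_t restLengthInt32Check(int32_t argumentCount, int32_t numberOfArgumentsToSkip)
{
    int64_t diff = int64_t(argumentCount) - int64_t(numberOfArgumentsToSkip);
    if (diff < std::numeric_limits<int32_t>::min() || diff > std::numeric_limits<int32_t>::max())
        return 0; // does not fit in int32: give up
    return static_cast<uint32_t>(static_cast<int32_t>(diff)); // 2 - 5 becomes 4294967293
}

// Hardened variant in the spirit of WTF::Checked<>: detect overflow of the
// arithmetic itself, then range-check against the *consumer's* type before
// converting. std::nullopt means "no safe value; take the slow path instead".
std::optional<uint32_t> restLengthChecked(int32_t argumentCount, int32_t numberOfArgumentsToSkip)
{
    int32_t diff;
    if (__builtin_sub_overflow(argumentCount, numberOfArgumentsToSkip, &diff))
        return std::nullopt; // int32 arithmetic overflowed
    if (diff < 0)
        return uint32_t(0); // fewer arguments than skipped: the rest array is empty
    return static_cast<uint32_t>(diff); // provably within uint32 range now
}

int main()
{
    std::printf("int32-only check: %u\n", restLengthInt32Check(2, 5));
    std::optional<uint32_t> checked = restLengthChecked(2, 5);
    std::printf("checked: %u\n", checked ? *checked : 0u);
    return 0;
}
```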

2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Joseph Pecoraro.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/DeprecatedInspectorValues.cpp: Added.
        * inspector/DeprecatedInspectorValues.h: Added.
        Keep the old symbols around in JavaScriptCore so that builds with the
        public iOS SDK continue to work. These older SDKs include a version of
        WebInspector.framework that expects to find InspectorArray and other
        symbols in JavaScriptCore.framework.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::castToInteger):
        (Inspector::castToNumber):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        We need to keep around the sendResponse() variant with a parameter that
        has the InspectorObject type, as older WebInspector.framework versions
        expect this symbol to exist. Introduce a variant with arity 3 that can
        be used in TOT so as to avoid having two methods with the same name, arity, and
        different parameter types.

        When system WebInspector.framework is updated, we can remove the legacy
        method variant that uses the InspectorObject type. At that point, we can
659         transition TOT to use the 2-arity variant, and delete the 3-arity variant
660         when system WebInspector.framework is updated once more to use the 2-arity one.
661
662         * inspector/InspectorProtocolTypes.h:
663         (Inspector::Protocol::Array::openAccessors):
664         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
665         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
666         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
667         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
668         * inspector/ScriptCallFrame.cpp:
669         * inspector/ScriptCallStack.cpp:
670         * inspector/agents/InspectorAgent.cpp:
671         (Inspector::InspectorAgent::inspect):
672         * inspector/agents/InspectorAgent.h:
673         * inspector/agents/InspectorDebuggerAgent.cpp:
674         (Inspector::buildAssertPauseReason):
675         (Inspector::buildCSPViolationPauseReason):
676         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
677         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
678         (Inspector::buildObjectForBreakpointCookie):
679         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
680         (Inspector::parseLocation):
681         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
682         (Inspector::InspectorDebuggerAgent::setBreakpoint):
683         (Inspector::InspectorDebuggerAgent::continueToLocation):
684         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
685         (Inspector::InspectorDebuggerAgent::didParseSource):
686         (Inspector::InspectorDebuggerAgent::breakProgram):
687         * inspector/agents/InspectorDebuggerAgent.h:
688         * inspector/agents/InspectorRuntimeAgent.cpp:
689         (Inspector::InspectorRuntimeAgent::callFunctionOn):
690         (Inspector::InspectorRuntimeAgent::saveResult):
691         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
692         * inspector/agents/InspectorRuntimeAgent.h:
693         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
694         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
695         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
696         (CppBackendDispatcherImplementationGenerator.generate_output):
697         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
698         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
699         (CppFrontendDispatcherHeaderGenerator.generate_output):
700         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
701         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
702         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
703         (_generate_unchecked_setter_for_member):
704         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
705         (CppProtocolTypesImplementationGenerator):
706         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
707         (ObjCBackendDispatcherImplementationGenerator.generate_output):
708         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
709         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
710         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
711         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
712         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
713         * inspector/scripts/codegen/generate_objc_internal_header.py:
714         (ObjCInternalHeaderGenerator.generate_output):
715         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
716         (ObjCProtocolTypesImplementationGenerator.generate_output):
717         * inspector/scripts/codegen/generator.py:
718         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
719         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
720         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
721         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
722         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
723         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
724         * inspector/scripts/tests/generic/expected/enum-values.json-result:
725         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
726         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
727         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
728         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
729         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
730         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
731         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
732         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
733         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
734         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
735         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
736         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
737         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
738
739 2017-11-28  Robin Morisset  <rmorisset@apple.com>
740
741         Support recursive tail call optimization for polymorphic calls
742         https://bugs.webkit.org/show_bug.cgi?id=178390
743
744         Reviewed by Saam Barati.
745
746         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
747         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
748
749         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
750
751         * dfg/DFGByteCodeParser.cpp:
752         (JSC::DFG::ByteCodeParser::handleCall):
753         (JSC::DFG::ByteCodeParser::handleVarargsCall):
754         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
755         (JSC::DFG::ByteCodeParser::inlineCall):
756         (JSC::DFG::ByteCodeParser::handleCallVariant):
757         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
758         (JSC::DFG::ByteCodeParser::getInliningBalance):
759         (JSC::DFG::ByteCodeParser::handleInlining):
760         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
761
762 2017-11-27  Saam Barati  <sbarati@apple.com>
763
764         Spread can escape when CreateRest does not
765         https://bugs.webkit.org/show_bug.cgi?id=180057
766         <rdar://problem/35676119>
767
768         Reviewed by JF Bastien.
769
770         We previously did not handle Spread(PhantomCreateRest) only because I did not
771         think it was possible to generate this IR. I was wrong. We can generate
772         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
773         This IR is rare to generate since we normally don't PutStack(Spread) because
774         the SetLocal almost always gets eliminated because of how our bytecode generates
775         op_spread. However, there exists a test case showing it is possible. Supporting
776         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
777         the Validation rule for Spread.
778
779         * dfg/DFGOperations.cpp:
780         * dfg/DFGOperations.h:
781         * dfg/DFGValidate.cpp:
782         * ftl/FTLLowerDFGToB3.cpp:
783         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
784         * runtime/JSFixedArray.h:
785         (JSC::JSFixedArray::tryCreate):
786
787 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
788
789         [CMake][Win] Conditionally select DLL CRT or static CRT
790         https://bugs.webkit.org/show_bug.cgi?id=170594
791
792         Reviewed by Alex Christensen.
793
794         * shell/PlatformWin.cmake:
795
796 2017-11-27  Saam Barati  <sbarati@apple.com>
797
798         Having a bad time watchpoint firing during compilation revealed a racy assertion
799         https://bugs.webkit.org/show_bug.cgi?id=180048
800         <rdar://problem/35700009>
801
802         Reviewed by Mark Lam.
803
804         While a DFG compilation is watching the having a bad time watchpoint, it was
805         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
806         However, if the having a bad time watchpoint fires during the compilation,
807         this particular structure will no longer have ArrayWithContiguous indexing type.
808         This patch fixes this racy assertion to be aware that the watchpoint may fire
809         during compilation.
810
811         * dfg/DFGSpeculativeJIT.cpp:
812         (JSC::DFG::SpeculativeJIT::compileCreateRest):
813         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
814
815 2017-11-27  Tim Horton  <timothy_horton@apple.com>
816
817         One too many zeroes in macOS version number in FeatureDefines
818         https://bugs.webkit.org/show_bug.cgi?id=180011
819
820         Reviewed by Dan Bernstein.
821
822         * Configurations/FeatureDefines.xcconfig:
823
824 2017-11-27  Robin Morisset  <rmorisset@apple.com>
825
826         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
827         https://bugs.webkit.org/show_bug.cgi?id=179821
828
829         Reviewed by Saam Barati.
830
831         * dfg/DFGSafeToExecute.h:
832         (JSC::DFG::safeToExecute):
833
834 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
835
836         [DFG] Add NormalizeMapKey DFG IR
837         https://bugs.webkit.org/show_bug.cgi?id=179912
838
839         Reviewed by Saam Barati.
840
841         This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
842         By separating this from MapHash and Map/Set related operations, we can perform CSE on that, and we
843         do not need to call normalizeMapKey conservatively in DFG operations.
844         This can reduce the slow path case in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
845
846         * dfg/DFGAbstractInterpreterInlines.h:
847         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
848         * dfg/DFGByteCodeParser.cpp:
849         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
850         * dfg/DFGClobberize.h:
851         (JSC::DFG::clobberize):
852         * dfg/DFGDoesGC.cpp:
853         (JSC::DFG::doesGC):
854         * dfg/DFGFixupPhase.cpp:
855         (JSC::DFG::FixupPhase::fixupNode):
856         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
857         * dfg/DFGNodeType.h:
858         * dfg/DFGOperations.cpp:
859         * dfg/DFGPredictionPropagationPhase.cpp:
860         * dfg/DFGSafeToExecute.h:
861         (JSC::DFG::safeToExecute):
862         * dfg/DFGSpeculativeJIT.cpp:
863         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
864         * dfg/DFGSpeculativeJIT.h:
865         * dfg/DFGSpeculativeJIT32_64.cpp:
866         (JSC::DFG::SpeculativeJIT::compile):
867         * dfg/DFGSpeculativeJIT64.cpp:
868         (JSC::DFG::SpeculativeJIT::compile):
869         * ftl/FTLCapabilities.cpp:
870         (JSC::FTL::canCompile):
871         * ftl/FTLLowerDFGToB3.cpp:
872         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
873         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
874         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
875         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
876         * runtime/HashMapImpl.h:
877
878 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
879
880         [FTL] Support DeleteById and DeleteByVal
881         https://bugs.webkit.org/show_bug.cgi?id=180022
882
883         Reviewed by Saam Barati.
884
885         We should increase the coverage of FTL. Even if the code includes DeleteById,
886         it does not mean that the remaining part of the code should not be optimized in FTL.
887         Right now, even CallEval and `with` scope are handled in FTL.
888
889         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
890         code including them.
891
892         * ftl/FTLCapabilities.cpp:
893         (JSC::FTL::canCompile):
894         * ftl/FTLLowerDFGToB3.cpp:
895         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
896         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
897         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
898
899 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
900
901         [DFG] Introduce {Set,Map,WeakMap}Fields
902         https://bugs.webkit.org/show_bug.cgi?id=179925
903
904         Reviewed by Saam Barati.
905
906         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
907         writes readonly MiscFields which is used by various nodes and makes optimization
908         conservative.
909
910         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
911
912         * dfg/DFGAbstractHeap.h:
913         * dfg/DFGByteCodeParser.cpp:
914         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
915         * dfg/DFGClobberize.h:
916         (JSC::DFG::clobberize):
917         * dfg/DFGHeapLocation.cpp:
918         (WTF::printInternal):
919         * dfg/DFGHeapLocation.h:
920         * dfg/DFGNode.h:
921         (JSC::DFG::Node::hasBucketOwnerType):
922
923 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
924
925         [JSC] Remove JSStringBuilder
926         https://bugs.webkit.org/show_bug.cgi?id=180016
927
928         Reviewed by Saam Barati.
929
930         JSStringBuilder is replaced with WTF::StringBuilder.
931         This patch removes the remaining uses and drops JSStringBuilder.
932
933         * JavaScriptCore.xcodeproj/project.pbxproj:
934         * runtime/ArrayPrototype.cpp:
935         * runtime/AsyncFunctionPrototype.cpp:
936         * runtime/AsyncGeneratorFunctionPrototype.cpp:
937         * runtime/ErrorPrototype.cpp:
938         * runtime/FunctionPrototype.cpp:
939         * runtime/GeneratorFunctionPrototype.cpp:
940         * runtime/JSGlobalObjectFunctions.cpp:
941         (JSC::decode):
942         (JSC::globalFuncEscape):
943         * runtime/JSStringBuilder.h: Removed.
944         * runtime/JSStringInlines.h:
945         (JSC::jsMakeNontrivialString):
946         * runtime/RegExpPrototype.cpp:
947         * runtime/StringPrototype.cpp:
948
949 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
950
951         [DFG] Remove GetLocalUnlinked
952         https://bugs.webkit.org/show_bug.cgi?id=180017
953
954         Reviewed by Saam Barati.
955
956         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
957         This patch just removes it.
958
959         * dfg/DFGAbstractInterpreterInlines.h:
960         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
961         * dfg/DFGClobberize.h:
962         (JSC::DFG::clobberize):
963         * dfg/DFGCommon.h:
964         * dfg/DFGDoesGC.cpp:
965         (JSC::DFG::doesGC):
966         * dfg/DFGFixupPhase.cpp:
967         (JSC::DFG::FixupPhase::fixupNode):
968         * dfg/DFGGraph.cpp:
969         (JSC::DFG::Graph::dump):
970         * dfg/DFGNode.h:
971         (JSC::DFG::Node::hasUnlinkedLocal):
972         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
973         (JSC::DFG::Node::convertToGetLocal): Deleted.
974         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
975         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
976         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
977         * dfg/DFGNodeType.h:
978         * dfg/DFGPredictionPropagationPhase.cpp:
979         * dfg/DFGSafeToExecute.h:
980         (JSC::DFG::safeToExecute):
981         * dfg/DFGSpeculativeJIT32_64.cpp:
982         (JSC::DFG::SpeculativeJIT::compile):
983         * dfg/DFGSpeculativeJIT64.cpp:
984         (JSC::DFG::SpeculativeJIT::compile):
985         * dfg/DFGStackLayoutPhase.cpp:
986         (JSC::DFG::StackLayoutPhase::run):
987         * dfg/DFGValidate.cpp:
988
989 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
990
991         Make ArgList::data() private again when we can remove callWasmFunction().
992         https://bugs.webkit.org/show_bug.cgi?id=168582
993
994         Reviewed by JF Bastien.
995
996         Make ArgList::data() private since we already removed callWasmFunction.
997
998         * runtime/ArgList.h:
999
1000 2016-08-05  Darin Adler  <darin@apple.com>
1001
1002         Fix some minor problems in the StringImpl header
1003         https://bugs.webkit.org/show_bug.cgi?id=160630
1004
1005         Reviewed by Brent Fulgham.
1006
1007         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
1008         Yarr namespacing since we use "using namespace" in this file.
1009
1010 2017-11-24  Mark Lam  <mark.lam@apple.com>
1011
1012         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
1013         https://bugs.webkit.org/show_bug.cgi?id=179936
1014         <rdar://problem/35623998>
1015
1016         Reviewed by Saam Barati.
1017
1018         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
1019         See https://bugs.webkit.org/show_bug.cgi?id=179684.
1020
1021         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
1022         was allocating stack space to stash arguments (to be forwarded) and new frame
1023         info.  The location of this new stash space happens to lie beyond the top of frame
1024         of the tail call caller frame.  After stashing the arguments, the code proceeded
1025         to load the callee codeBlock.  This triggered an allocation, which in turn,
1026         triggered stack sanitization.  The CLoop stack sanitizer was relying on
1027         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
1028         that turned out to be inadequate.  As a result, part of the stashed data was
1029         zeroed out, and subsequently led to a crash.
1030
1031         This bug does not affect JIT builds (i.e. the ASM LLInt) for 2 reasons:
1032         1. JIT builds do stack sanitization in the LLInt code itself (different from the
1033            CLoop implementation), and the sanitizer there is aware of the true top of
1034            stack value (i.e. the stack pointer).
1035         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
1036            parallel stack is one condition necessary for reproducing this issue.
1037
1038         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
1039         every time before it calls out to native C++ code.  This also brings the CLoop's
1040         behavior closer to hardware behavior where we can know where the stack pointer
1041         is after calling from JS back into native C++ code, which makes it easier to
1042         reason about correctness.
1043
1044         Also simplified the various stack boundary calculations (removed the +1 and -1
1045         adjustments).  The CLoopStack bounds are now:
1046
1047             reservationTop(): the lowest reserved address that can be within stack bounds.
1048             m_commitTop: the lowest address within stack bounds that has been committed.
1049             lowAddress() aka m_end: the lowest stack address that JS code can use.
1050             m_lastStackPointer: cache of the last m_currentStackPointer value.
1051             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
1052             highAddress(): the highest address just beyond the bounds of the stack.
1053
1054         Also deleted some unneeded code.
1055
1056         * interpreter/CLoopStack.cpp:
1057         (JSC::CLoopStack::CLoopStack):
1058         (JSC::CLoopStack::gatherConservativeRoots):
1059         (JSC::CLoopStack::sanitizeStack):
1060         (JSC::CLoopStack::setSoftReservedZoneSize):
1061         * interpreter/CLoopStack.h:
1062         (JSC::CLoopStack::setCurrentStackPointer):
1063         (JSC::CLoopStack::lowAddress const):
1064
1065         (JSC::CLoopStack::baseOfStack const): Deleted.
1066         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
1067           Now, it has the exact same value as highAddress() and can be removed.
1068
1069         * interpreter/CLoopStackInlines.h:
1070         (JSC::CLoopStack::ensureCapacityFor):
1071         (JSC::CLoopStack::currentStackPointer):
1072         (JSC::CLoopStack::setCLoopStackLimit):
1073
1074         (JSC::CLoopStack::topOfFrameFor): Deleted.
1075         - Not needed.
1076
1077         (JSC::CLoopStack::topOfStack): Deleted.
1078         - Supplanted by currentStackPointer().
1079
1080         (JSC::CLoopStack::shrink): Deleted.
1081         - This is unused.
1082
1083         * llint/LowLevelInterpreter.cpp:
1084         (JSC::CLoop::execute):
1085         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
1086           upon exiting the interpreter loop.
1087
1088         * offlineasm/cloop.rb:
1089         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
1090           call from JS into C++ code.
1091
1092         * tools/VMInspector.h:
1093         - Added some default argument values. These were being used while debugging this
1094           issue.
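
        The failure mode described in this entry (a sanitizer that trusts frame->topOfFrame while
        data has already been stashed below it) is easy to reproduce on a toy stack. The following
        C++ is an added, constructed model, not JSC's CLoopStack or any code from this patch: it
        simulates a downward-growing interpreter stack, a caller frame, an argument stash placed
        below that frame, and a sanitizer that zeroes the stale region below whatever boundary it
        is given. `useFrameTop` selects the pre-fix boundary (frame top) or the post-fix boundary
        (the stack pointer recorded before calling out to native code). Names such as SimStack,
        Frame and forwardArgumentsSurvive are the model's own.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>

// Constructed model of a downward-growing interpreter stack (not JSC's
// CLoopStack): index 0 is the low address, kSlots plays highAddress().
constexpr size_t kSlots = 64;

struct SimStack {
    std::array<uint64_t, kSlots> slots{};
    size_t lastStackPointer = kSlots;     // lowest index reached so far (cache of the last recorded sp)
    size_t currentStackPointer = kSlots;  // sp recorded at the JS -> C++ boundary

    // Zero the region below the live stack: from the lowest point previously
    // reached up to (but excluding) `liveBottom`, then remember the new low mark.
    void sanitize(size_t liveBottom) {
        if (lastStackPointer < liveBottom)
            std::fill(slots.begin() + lastStackPointer, slots.begin() + liveBottom, uint64_t{0});
        lastStackPointer = liveBottom;
    }
};

struct Frame { size_t topOfFrame; };  // lowest index owned by the frame's register file

// Simulates forwarding arguments for a tail call: stash them just below the
// caller's frame, then call out to native code that triggers sanitization.
// Returns true if the stashed arguments are still intact afterwards.
inline bool forwardArgumentsSurvive(bool useFrameTop) {
    SimStack stack;
    Frame caller{kSlots - 8};            // caller frame occupies slots [56, 64)

    // A deeper call earlier reached slot 40 and returned; the stale region
    // [40, 56) holds garbage the sanitizer is supposed to clear.
    stack.lastStackPointer = 40;
    for (size_t i = 40; i < 56; ++i) stack.slots[i] = 0xDEADBEEFull;

    // Stash 4 forwarded arguments below the caller's frame: slots [52, 56).
    const size_t stashBase = caller.topOfFrame - 4;
    for (size_t i = 0; i < 4; ++i) stack.slots[stashBase + i] = 100 + i;
    stack.currentStackPointer = stashBase;  // the fix: record sp before calling into C++

    // Native call (e.g. loading the callee CodeBlock) allocates -> sanitizeStack.
    stack.sanitize(useFrameTop ? caller.topOfFrame : stack.currentStackPointer);

    for (size_t i = 0; i < 4; ++i)
        if (stack.slots[stashBase + i] != 100 + i) return false;
    return true;
}

// Whether the stale region below the recorded stack pointer was actually cleared,
// i.e. the fix does not merely skip sanitization.
inline bool staleRegionCleared() {
    SimStack stack;
    stack.lastStackPointer = 40;
    for (size_t i = 40; i < 56; ++i) stack.slots[i] = 0xDEADBEEFull;
    stack.sanitize(52);
    for (size_t i = 40; i < 52; ++i)
        if (stack.slots[i] != 0) return false;
    return stack.lastStackPointer == 52;
}
```

        With the frame top as the boundary the stash at [52, 56) is inside the region the
        sanitizer considers dead and is zeroed, which is the crash this entry describes; with the
        recorded stack pointer the sanitizer stops at 52 and the arguments survive while the
        genuinely stale slots [40, 52) are still cleared.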
1095
1096 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1097
1098         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
1099         https://bugs.webkit.org/show_bug.cgi?id=179923
1100
1101         Reviewed by Darin Adler.
1102
1103         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
1104         So we can use it as a marker of deleted bucket.
1105
1106         This patch uses the empty key as a deleted flag, and drops the m_deleted field of HashMapBucket.
1107         It shrinks the size of HashMapBucket considerably.
1108
1109         * dfg/DFGSpeculativeJIT.cpp:
1110         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1111         * ftl/FTLAbstractHeapRepository.h:
1112         * ftl/FTLLowerDFGToB3.cpp:
1113         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1114         * runtime/HashMapImpl.h:
1115         (JSC::HashMapBucket::createSentinel):
1116         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
1117         While the sentinel's deleted flag becomes false since the key is set, it is not a problem since the deleted
1118         flag of the sentinel bucket is not used.
1119
1120         (JSC::HashMapBucket::HashMapBucket):
1121         (JSC::HashMapBucket::deleted const):
1122         (JSC::HashMapBucket::makeDeleted):
1123         (JSC::HashMapImpl::remove):
1124         (JSC::HashMapImpl::clear):
1125         (JSC::HashMapImpl::setUpHeadAndTail):
1126         (JSC::HashMapImpl::addNormalizedInternal):
1127         (JSC::HashMapBucket::setDeleted): Deleted.
1128         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
1129         (): Deleted.
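
        The technique in this entry, reusing a key value that user code can never produce as the
        tombstone mark, rests on one invariant: the reserved value must be rejected at the API
        boundary, otherwise a caller could forge a "deleted" bucket. The C++ below is an added,
        constructed illustration of that invariant and of the sentinel-bucket point above; it is
        not JSC's HashMapImpl or code from this patch. Value, Bucket, BucketWithFlag, MiniMap and
        makeSentinel are the illustration's own names, and the tagged-word encoding is invented for it.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// Constructed model of a JS-like value: a 64-bit tagged word. The all-zero
// encoding is "empty", an engine-internal value never handed out as a user key.
struct Value {
    uint64_t bits = 0;
    static Value empty() { return Value{0}; }            // never a user-visible key
    static Value undefined() { return Value{0xA}; }      // a legal user key
    static Value number(uint32_t n) { return Value{(uint64_t{1} << 48) | n}; }
    bool isEmpty() const { return bits == 0; }
    bool operator==(const Value& o) const { return bits == o.bits; }
};

// Bucket carrying an explicit deleted flag: the layout the patch removes.
struct BucketWithFlag { Value key; Value value; bool deleted; };

// Bucket after the change: the empty key *is* the deleted mark.
struct Bucket {
    Value key;
    Value value;
    bool deleted() const { return key.isEmpty(); }
    void makeDeleted() { key = Value::empty(); value = Value::empty(); }
};

static_assert(sizeof(Bucket) < sizeof(BucketWithFlag), "dropping the flag shrinks the bucket");

// A tiny insertion-ordered map; a linear scan over the buckets is enough to
// show the tombstone logic without modelling the hash table itself.
class MiniMap {
public:
    // Rejects the reserved empty key: it would be indistinguishable from a
    // tombstone, so it is refused at the boundary rather than assumed absent.
    bool add(Value key, Value value) {
        if (key.isEmpty()) return false;
        for (auto& b : m_buckets)
            if (!b.deleted() && b.key == key) { b.value = value; return true; }
        m_buckets.push_back(Bucket{key, value});
        return true;
    }
    std::optional<Value> get(Value key) const {
        if (key.isEmpty()) return std::nullopt;   // tombstones never match a lookup
        for (const auto& b : m_buckets)
            if (!b.deleted() && b.key == key) return b.value;
        return std::nullopt;
    }
    bool remove(Value key) {
        for (auto& b : m_buckets)
            if (!b.deleted() && b.key == key) { b.makeDeleted(); return true; }
        return false;
    }
    size_t liveCount() const {
        size_t n = 0;
        for (const auto& b : m_buckets) n += !b.deleted();
        return n;
    }
    size_t bucketCount() const { return m_buckets.size(); }
private:
    std::vector<Bucket> m_buckets;
};

// Sentinel head/tail bucket: (undefined, undefined) rather than (empty, empty),
// so an optimizing tier that loads through the sentinel sees a real JS value.
// Its deleted() answer is false, but nothing consults it.
inline Bucket makeSentinel() { return Bucket{Value::undefined(), Value::undefined()}; }

// Exercises the model; returns true when every expectation holds.
inline bool demo() {
    MiniMap m;
    if (!m.add(Value::number(1), Value::number(10))) return false;
    if (!m.add(Value::undefined(), Value::number(20))) return false;  // undefined is a legal key
    if (m.add(Value::empty(), Value::number(30))) return false;       // reserved key refused
    if (!m.remove(Value::number(1))) return false;
    if (m.get(Value::number(1))) return false;                         // tombstoned
    if (m.get(Value::empty())) return false;                           // cannot read a tombstone
    if (m.liveCount() != 1 || m.bucketCount() != 2) return false;
    return !makeSentinel().deleted();
}
```

        The model keeps `deleted()` as a pure function of the key, so there is no separate flag
        that could drift out of sync with it, and the single `isEmpty()` check in `add` is the
        whole trust boundary.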
1130
1131 2017-11-24  Mark Lam  <mark.lam@apple.com>
1132
1133         Move unsafe jsc shell test functions to the $vm object.
1134         https://bugs.webkit.org/show_bug.cgi?id=179980
1135
1136         Reviewed by Yusuke Suzuki.
1137
1138         Also removed setElementRoot() which was not used.
1139
1140         * jsc.cpp:
1141         (GlobalObject::finishCreation):
1142         (WTF::Element::Element): Deleted.
1143         (WTF::Element::root const): Deleted.
1144         (WTF::Element::setRoot): Deleted.
1145         (WTF::Element::create): Deleted.
1146         (WTF::Element::visitChildren): Deleted.
1147         (WTF::Element::createStructure): Deleted.
1148         (WTF::Root::Root): Deleted.
1149         (WTF::Root::element): Deleted.
1150         (WTF::Root::setElement): Deleted.
1151         (WTF::Root::create): Deleted.
1152         (WTF::Root::createStructure): Deleted.
1153         (WTF::Root::visitChildren): Deleted.
1154         (WTF::ImpureGetter::ImpureGetter): Deleted.
1155         (WTF::ImpureGetter::createStructure): Deleted.
1156         (WTF::ImpureGetter::create): Deleted.
1157         (WTF::ImpureGetter::finishCreation): Deleted.
1158         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
1159         (WTF::ImpureGetter::visitChildren): Deleted.
1160         (WTF::ImpureGetter::setDelegate): Deleted.
1161         (WTF::CustomGetter::CustomGetter): Deleted.
1162         (WTF::CustomGetter::createStructure): Deleted.
1163         (WTF::CustomGetter::create): Deleted.
1164         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
1165         (WTF::CustomGetter::customGetter): Deleted.
1166         (WTF::CustomGetter::customGetterAcessor): Deleted.
1167         (WTF::RuntimeArray::create): Deleted.
1168         (WTF::RuntimeArray::~RuntimeArray): Deleted.
1169         (WTF::RuntimeArray::destroy): Deleted.
1170         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
1171         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
1172         (WTF::RuntimeArray::put): Deleted.
1173         (WTF::RuntimeArray::deleteProperty): Deleted.
1174         (WTF::RuntimeArray::getLength const): Deleted.
1175         (WTF::RuntimeArray::createPrototype): Deleted.
1176         (WTF::RuntimeArray::createStructure): Deleted.
1177         (WTF::RuntimeArray::finishCreation): Deleted.
1178         (WTF::RuntimeArray::RuntimeArray): Deleted.
1179         (WTF::RuntimeArray::lengthGetter): Deleted.
1180         (WTF::SimpleObject::SimpleObject): Deleted.
1181         (WTF::SimpleObject::create): Deleted.
1182         (WTF::SimpleObject::visitChildren): Deleted.
1183         (WTF::SimpleObject::createStructure): Deleted.
1184         (WTF::SimpleObject::hiddenValue): Deleted.
1185         (WTF::SimpleObject::setHiddenValue): Deleted.
1186         (WTF::DOMJITNode::DOMJITNode): Deleted.
1187         (WTF::DOMJITNode::createStructure): Deleted.
1188         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
1189         (WTF::DOMJITNode::create): Deleted.
1190         (WTF::DOMJITNode::value const): Deleted.
1191         (WTF::DOMJITNode::offsetOfValue): Deleted.
1192         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
1193         (WTF::DOMJITGetter::createStructure): Deleted.
1194         (WTF::DOMJITGetter::create): Deleted.
1195         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
1196         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
1197         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
1198         (WTF::DOMJITGetter::customGetter): Deleted.
1199         (WTF::DOMJITGetter::finishCreation): Deleted.
1200         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
1201         (WTF::DOMJITGetterComplex::createStructure): Deleted.
1202         (WTF::DOMJITGetterComplex::create): Deleted.
1203         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
1204         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
1205         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
1206         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
1207         (WTF::DOMJITGetterComplex::customGetter): Deleted.
1208         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
1209         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
1210         (WTF::DOMJITFunctionObject::createStructure): Deleted.
1211         (WTF::DOMJITFunctionObject::create): Deleted.
1212         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
1213         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
1214         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
1215         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
1216         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
1217         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
1218         (WTF::DOMJITCheckSubClassObject::create): Deleted.
1219         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
1220         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
1221         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
1222         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
1223         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
1224         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
1225         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
1226         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
1227         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
1228         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
1229         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
1230         (WTF::Element::handleOwner): Deleted.
1231         (WTF::Element::finishCreation): Deleted.
1232         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
1233         (JSTestCustomGetterSetter::create): Deleted.
1234         (JSTestCustomGetterSetter::createStructure): Deleted.
1235         (customGetAccessor): Deleted.
1236         (customGetValue): Deleted.
1237         (customSetAccessor): Deleted.
1238         (customSetValue): Deleted.
1239         (JSTestCustomGetterSetter::finishCreation): Deleted.
1240         (GlobalObject::addConstructableFunction): Deleted.
1241         (functionCreateRoot): Deleted.
1242         (functionCreateElement): Deleted.
1243         (functionGetElement): Deleted.
1244         (functionSetElementRoot): Deleted.
1245         (functionCreateSimpleObject): Deleted.
1246         (functionGetHiddenValue): Deleted.
1247         (functionSetHiddenValue): Deleted.
1248         (functionCreateProxy): Deleted.
1249         (functionCreateRuntimeArray): Deleted.
1250         (functionCreateImpureGetter): Deleted.
1251         (functionCreateCustomGetterObject): Deleted.
1252         (functionCreateDOMJITNodeObject): Deleted.
1253         (functionCreateDOMJITGetterObject): Deleted.
1254         (functionCreateDOMJITGetterComplexObject): Deleted.
1255         (functionCreateDOMJITFunctionObject): Deleted.
1256         (functionCreateDOMJITCheckSubClassObject): Deleted.
1257         (functionCreateDOMJITGetterBaseJSObject): Deleted.
1258         (functionSetImpureGetterDelegate): Deleted.
1259         (functionGetGetterSetter): Deleted.
1260         (functionShadowChickenFunctionsOnStack): Deleted.
1261         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
1262         (functionGlobalObjectForObject): Deleted.
1263         (functionLoadGetterFromGetterSetter): Deleted.
1264         (functionCreateCustomTestGetterSetter): Deleted.
1265         (functionAbort): Deleted.
1266         (functionFindTypeForExpression): Deleted.
1267         (functionReturnTypeFor): Deleted.
1268         (functionDumpBasicBlockExecutionRanges): Deleted.
1269         (functionHasBasicBlockExecuted): Deleted.
1270         (functionBasicBlockExecutionCount): Deleted.
1271         (functionEnableExceptionFuzz): Deleted.
1272         (functionCreateBuiltin): Deleted.
1273         * runtime/JSGlobalObject.cpp:
1274         (JSC::JSGlobalObject::init):
1275         * tools/JSDollarVM.cpp:
1276         (WTF::Element::Element):
1277         (WTF::Element::root const):
1278         (WTF::Element::setRoot):
1279         (WTF::Element::create):
1280         (WTF::Element::visitChildren):
1281         (WTF::Element::createStructure):
1282         (WTF::Root::Root):
1283         (WTF::Root::element):
1284         (WTF::Root::setElement):
1285         (WTF::Root::create):
1286         (WTF::Root::createStructure):
1287         (WTF::Root::visitChildren):
1288         (WTF::SimpleObject::SimpleObject):
1289         (WTF::SimpleObject::create):
1290         (WTF::SimpleObject::visitChildren):
1291         (WTF::SimpleObject::createStructure):
1292         (WTF::SimpleObject::hiddenValue):
1293         (WTF::SimpleObject::setHiddenValue):
1294         (WTF::ImpureGetter::ImpureGetter):
1295         (WTF::ImpureGetter::createStructure):
1296         (WTF::ImpureGetter::create):
1297         (WTF::ImpureGetter::finishCreation):
1298         (WTF::ImpureGetter::getOwnPropertySlot):
1299         (WTF::ImpureGetter::visitChildren):
1300         (WTF::ImpureGetter::setDelegate):
1301         (WTF::CustomGetter::CustomGetter):
1302         (WTF::CustomGetter::createStructure):
1303         (WTF::CustomGetter::create):
1304         (WTF::CustomGetter::getOwnPropertySlot):
1305         (WTF::CustomGetter::customGetter):
1306         (WTF::CustomGetter::customGetterAcessor):
1307         (WTF::RuntimeArray::create):
1308         (WTF::RuntimeArray::~RuntimeArray):
1309         (WTF::RuntimeArray::destroy):
1310         (WTF::RuntimeArray::getOwnPropertySlot):
1311         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
1312         (WTF::RuntimeArray::put):
1313         (WTF::RuntimeArray::deleteProperty):
1314         (WTF::RuntimeArray::getLength const):
1315         (WTF::RuntimeArray::createPrototype):
1316         (WTF::RuntimeArray::createStructure):
1317         (WTF::RuntimeArray::finishCreation):
1318         (WTF::RuntimeArray::RuntimeArray):
1319         (WTF::RuntimeArray::lengthGetter):
1320         (WTF::DOMJITNode::DOMJITNode):
1321         (WTF::DOMJITNode::createStructure):
1322         (WTF::DOMJITNode::checkSubClassSnippet):
1323         (WTF::DOMJITNode::create):
1324         (WTF::DOMJITNode::value const):
1325         (WTF::DOMJITNode::offsetOfValue):
1326         (WTF::DOMJITGetter::DOMJITGetter):
1327         (WTF::DOMJITGetter::createStructure):
1328         (WTF::DOMJITGetter::create):
1329         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1330         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
1331         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1332         (WTF::DOMJITGetter::customGetter):
1333         (WTF::DOMJITGetter::finishCreation):
1334         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
1335         (WTF::DOMJITGetterComplex::createStructure):
1336         (WTF::DOMJITGetterComplex::create):
1337         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1338         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
1339         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1340         (WTF::DOMJITGetterComplex::functionEnableException):
1341         (WTF::DOMJITGetterComplex::customGetter):
1342         (WTF::DOMJITGetterComplex::finishCreation):
1343         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
1344         (WTF::DOMJITFunctionObject::createStructure):
1345         (WTF::DOMJITFunctionObject::create):
1346         (WTF::DOMJITFunctionObject::safeFunction):
1347         (WTF::DOMJITFunctionObject::unsafeFunction):
1348         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
1349         (WTF::DOMJITFunctionObject::finishCreation):
1350         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
1351         (WTF::DOMJITCheckSubClassObject::createStructure):
1352         (WTF::DOMJITCheckSubClassObject::create):
1353         (WTF::DOMJITCheckSubClassObject::safeFunction):
1354         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
1355         (WTF::DOMJITCheckSubClassObject::finishCreation):
1356         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
1357         (WTF::DOMJITGetterBaseJSObject::createStructure):
1358         (WTF::DOMJITGetterBaseJSObject::create):
1359         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
1360         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
1361         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
1362         (WTF::DOMJITGetterBaseJSObject::customGetter):
1363         (WTF::DOMJITGetterBaseJSObject::finishCreation):
1364         (WTF::Message::releaseContents):
1365         (WTF::Message::index const):
1366         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
1367         (WTF::JSTestCustomGetterSetter::create):
1368         (WTF::JSTestCustomGetterSetter::createStructure):
1369         (WTF::customGetAccessor):
1370         (WTF::customGetValue):
1371         (WTF::customSetAccessor):
1372         (WTF::customSetValue):
1373         (WTF::JSTestCustomGetterSetter::finishCreation):
1374         (WTF::Element::handleOwner):
1375         (WTF::Element::finishCreation):
1376         (JSC::functionCrash):
1377         (JSC::functionCreateProxy):
1378         (JSC::functionCreateRuntimeArray):
1379         (JSC::functionCreateImpureGetter):
1380         (JSC::functionCreateCustomGetterObject):
1381         (JSC::functionCreateDOMJITNodeObject):
1382         (JSC::functionCreateDOMJITGetterObject):
1383         (JSC::functionCreateDOMJITGetterComplexObject):
1384         (JSC::functionCreateDOMJITFunctionObject):
1385         (JSC::functionCreateDOMJITCheckSubClassObject):
1386         (JSC::functionCreateDOMJITGetterBaseJSObject):
1387         (JSC::functionSetImpureGetterDelegate):
1388         (JSC::functionCreateBuiltin):
1389         (JSC::functionCreateRoot):
1390         (JSC::functionCreateElement):
1391         (JSC::functionGetElement):
1392         (JSC::functionCreateSimpleObject):
1393         (JSC::functionGetHiddenValue):
1394         (JSC::functionSetHiddenValue):
1395         (JSC::functionShadowChickenFunctionsOnStack):
1396         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
1397         (JSC::functionFindTypeForExpression):
1398         (JSC::functionReturnTypeFor):
1399         (JSC::functionDumpBasicBlockExecutionRanges):
1400         (JSC::functionHasBasicBlockExecuted):
1401         (JSC::functionBasicBlockExecutionCount):
1402         (JSC::functionEnableExceptionFuzz):
1403         (JSC::functionGlobalObjectForObject):
1404         (JSC::functionGetGetterSetter):
1405         (JSC::functionLoadGetterFromGetterSetter):
1406         (JSC::functionCreateCustomTestGetterSetter):
1407         (JSC::JSDollarVM::finishCreation):
1408         (JSC::JSDollarVM::addFunction):
1409         (JSC::JSDollarVM::addConstructibleFunction):
1410         * tools/JSDollarVM.h:
1411         (JSC::JSDollarVM::create):
1412
1413 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
1414
1415         Minor ArrayBufferView cleanup
1416         https://bugs.webkit.org/show_bug.cgi?id=179966
1417
1418         Reviewed by Darin Adler.
1419         
1420         Use void* for data pointers when we don't need to do offset math. Use const for
1421         source pointers.
1422         
1423         Prefer uint8_t* to char*.
1424         
1425         Add comments noting that the assertions should not be made release assertions
1426         as recommended by the style checker, since the point is to avoid the virtual byteLength()
1427         call in release.
1428
1429         * runtime/ArrayBufferView.h:
1430         (JSC::ArrayBufferView::setImpl):
1431         (JSC::ArrayBufferView::setRangeImpl):
1432         (JSC::ArrayBufferView::getRangeImpl):
1433         (JSC::ArrayBufferView::zeroRangeImpl):
1434
1435 2017-11-23  Darin Adler  <darin@apple.com>
1436
1437         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
1438         https://bugs.webkit.org/show_bug.cgi?id=179907
1439
1440         Reviewed by Sam Weinig.
1441
1442         * inspector/agents/InspectorDebuggerAgent.cpp:
1443         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
1444         defaults to that.
1445
1446         * runtime/StringPrototype.cpp:
1447         (JSC::stringIncludesImpl): Use String::find since there is no overload of
1448         String::contains that takes a start offset now that we removed the one that took a
1449         caseSensitive boolean. We can add one later if we like, but this should do for now.
1450
1451         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
1452         the StringImpl.h header because it is only used here.
1453
1454 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
1455
1456         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
1457         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
1458         
1459         Also name the argument to zeroRange() to 'count' since it's an item count.
1460
1461         * runtime/GenericTypedArrayView.h:
1462         (JSC::GenericTypedArrayView::zeroRange):
1463         (JSC::GenericTypedArrayView::getRange):
1464
1465 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
1466
1467         Allow for more efficient use of GenericTypedArrayView
1468         https://bugs.webkit.org/show_bug.cgi?id=179899
1469
1470         Reviewed by Sam Weinig.
1471         
1472         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
1473         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
1474         in a length.
1475
1476         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
1477         byteLength() calls.
1478         
1479         Renamed 'dataLength' to 'count' in setRange() to be clearer.
1480         
1481         Added setNative() for callers who don't need clamping of doubles.
1482
1483         * runtime/ArrayBufferView.h:
1484         (JSC::ArrayBufferView::setRangeImpl):
1485         (JSC::ArrayBufferView::getRangeImpl):
1486         * runtime/GenericTypedArrayView.h:
1487         (JSC::GenericTypedArrayView::setRange):
1488         (JSC::GenericTypedArrayView::setNative const):
1489         (JSC::GenericTypedArrayView::getRange):
1490         (JSC::GenericTypedArrayView::checkInboundData const):
1491         (JSC::GenericTypedArrayView::internalByteLength const):
1492
1493 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1494
1495         [DFG][FTL] Support MapSet / SetAdd intrinsics
1496         https://bugs.webkit.org/show_bug.cgi?id=179858
1497
1498         Reviewed by Saam Barati.
1499
1500         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
1501         By handling them as MapSet and SetAdd DFG nodes and decoupling
1502         MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
1503         remove duplicate MapHash calculation for the same key.
1504
1505         One story is *set-if-not-exists*.
1506
1507             if (!map.has(key))
1508                 map.set(key, value);
1509
1510         In the above code, both `has` and `set` require a hash value for `key`.
1511         If we can change `set` to the series of DFG nodes:
1512
1513             1: MapHash(key)
1514             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
1515
1516         we can remove the duplicate @1 produced by the `has` operation.
1517
1518         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively:
1519
1520                                          baseline                  patched
1521
1522             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
1523             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
1524
1525         Microbenchmarks
1526
1527             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
1528
1529         * dfg/DFGAbstractInterpreterInlines.h:
1530         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1531         * dfg/DFGByteCodeParser.cpp:
1532         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1533         * dfg/DFGClobberize.h:
1534         (JSC::DFG::clobberize):
1535         * dfg/DFGDoesGC.cpp:
1536         (JSC::DFG::doesGC):
1537         * dfg/DFGFixupPhase.cpp:
1538         (JSC::DFG::FixupPhase::fixupNode):
1539         * dfg/DFGNodeType.h:
1540         * dfg/DFGOperations.cpp:
1541         * dfg/DFGOperations.h:
1542         * dfg/DFGPredictionPropagationPhase.cpp:
1543         * dfg/DFGSafeToExecute.h:
1544         (JSC::DFG::safeToExecute):
1545         * dfg/DFGSpeculativeJIT.cpp:
1546         (JSC::DFG::SpeculativeJIT::compileSetAdd):
1547         (JSC::DFG::SpeculativeJIT::compileMapSet):
1548         * dfg/DFGSpeculativeJIT.h:
1549         (JSC::DFG::SpeculativeJIT::callOperation):
1550         * dfg/DFGSpeculativeJIT32_64.cpp:
1551         (JSC::DFG::SpeculativeJIT::compile):
1552         * dfg/DFGSpeculativeJIT64.cpp:
1553         (JSC::DFG::SpeculativeJIT::compile):
1554         * ftl/FTLCapabilities.cpp:
1555         (JSC::FTL::canCompile):
1556         * ftl/FTLLowerDFGToB3.cpp:
1557         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1558         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
1559         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
1560         * jit/JITOperations.h:
1561         * runtime/HashMapImpl.h:
1562         (JSC::HashMapImpl::addNormalized):
1563         (JSC::HashMapImpl::addNormalizedInternal):
1564         * runtime/Intrinsic.cpp:
1565         (JSC::intrinsicName):
1566         * runtime/Intrinsic.h:
1567         * runtime/MapPrototype.cpp:
1568         (JSC::MapPrototype::finishCreation):
1569         * runtime/SetPrototype.cpp:
1570         (JSC::SetPrototype::finishCreation):
1571
1572 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1573
1574         [JSC] Allow poly proto for intrinsic getters
1575         https://bugs.webkit.org/show_bug.cgi?id=179550
1576
1577         Reviewed by Saam Barati.
1578
1579         This patch allows intrinsic getters to accept poly proto.
1580         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
1581         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
1582         code for poly proto case.
1583
1584         * bytecode/IntrinsicGetterAccessCase.cpp:
1585         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
1586         (JSC::IntrinsicGetterAccessCase::create):
1587         * bytecode/IntrinsicGetterAccessCase.h:
1588         * jit/IntrinsicEmitter.cpp:
1589         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
1590         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
1591         * jit/Repatch.cpp:
1592         (JSC::tryCacheGetByID):
1593
1594 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
1595
1596         Detect __declspec within JSBase.h
1597         https://bugs.webkit.org/show_bug.cgi?id=179892
1598
1599         Reviewed by Darin Adler.
1600
1601         * API/JSBase.h:
1602
1603 2017-11-19  Tim Horton  <timothy_horton@apple.com>
1604
1605         Remove unused TOUCH_ICON_LOADING feature flag
1606         https://bugs.webkit.org/show_bug.cgi?id=179873
1607
1608         Reviewed by Simon Fraser.
1609
1610         * Configurations/FeatureDefines.xcconfig:
1611
1612 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1613
1614         Add CPU(UNKNOWN) to cover all the unknown CPU types
1615         https://bugs.webkit.org/show_bug.cgi?id=179243
1616
1617         Reviewed by JF Bastien.
1618
1619         * CMakeLists.txt:
1620
1621 2017-11-19  Tim Horton  <timothy_horton@apple.com>
1622
1623         Remove unused LEGACY_VENDOR_PREFIXES feature flag
1624         https://bugs.webkit.org/show_bug.cgi?id=179872
1625
1626         Reviewed by Darin Adler.
1627
1628         * Configurations/FeatureDefines.xcconfig:
1629
1630 2017-11-18  Tim Horton  <timothy_horton@apple.com>
1631
1632         Fix typos in closing ENABLE() comments
1633         https://bugs.webkit.org/show_bug.cgi?id=179869
1634
1635         Unreviewed.
1636
1637         * wasm/WasmMemory.h:
1638         * wasm/WasmMemoryMode.h:
1639
1640 2017-11-17  JF Bastien  <jfbastien@apple.com>
1641
1642         NFC update ClassInfo to C++14
1643         https://bugs.webkit.org/show_bug.cgi?id=179783
1644
1645         Reviewed by Mark Lam.
1646
1647         Forked from #179734, use `using` instead of `typedef`. It's easier
1648         to read.
1649
1650         * runtime/ClassInfo.h:
1651
1652 2017-11-17  JF Bastien  <jfbastien@apple.com>
1653
1654         WebAssembly JS API: throw when a promise can't be created
1655         https://bugs.webkit.org/show_bug.cgi?id=179826
1656         <rdar://problem/35455813>
1657
1658         Reviewed by Mark Lam.
1659
1660         Failure *in* a promise causes rejection, but failure to create a
1661         promise (because of stack overflow) isn't really spec'd (as all
1662         stack things JS). This applies to WebAssembly.compile and
1663         WebAssembly.instantiate.
1664
1665         Dan's current proposal says:
1666
1667             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
1668
1669             Whenever a stack overflow occurs in WebAssembly code, the same
1670             class of exception is thrown as for a stack overflow in
1671             JavaScript. The particular exception here is
1672             implementation-defined in both cases.
1673
1674             Note: ECMAScript doesn’t specify any sort of behavior on stack
1675             overflow; implementations have been observed to throw RangeError,
1676             InternalError or Error. Any is valid here.
1677
1678         This is for general stack overflow within WebAssembly, not
1679         specifically for promise creation within JavaScript, but it seems
1680         like a stack overflow in promise creation should follow the same
1681         rule instead of, say, swallowing the overflow and returning
1682         undefined.
1683
1684         * wasm/js/WebAssemblyPrototype.cpp:
1685         (JSC::webAssemblyCompileFunc):
1686         (JSC::webAssemblyInstantiateFunc):
1687
1688 2017-11-16  Daniel Bates  <dabates@apple.com>
1689
1690         Add feature define for alternative presentation button element
1691         https://bugs.webkit.org/show_bug.cgi?id=179692
1692         Part of <rdar://problem/34917108>
1693
1694         Reviewed by Andy Estes.
1695
1696         Only enabled on Cocoa platforms by default.
1697
1698         * Configurations/FeatureDefines.xcconfig:
1699
1700 2017-11-16  Saam Barati  <sbarati@apple.com>
1701
1702         Fix a bug with cpuid in the FTL.
1703
1704         Rubber stamped by Mark Lam.
1705
1706         Before uploading the previous patch, I tried to condense the code. I
1707         accidentally removed a crucial line saying that CPUID clobbers various
1708         registers.
1709
1710         * ftl/FTLLowerDFGToB3.cpp:
1711         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
1712
1713 2017-11-16  Saam Barati  <sbarati@apple.com>
1714
1715         Add some X86 intrinsics to $vm to help with some perf testing
1716         https://bugs.webkit.org/show_bug.cgi?id=179693
1717
1718         Reviewed by Mark Lam.
1719
1720         I've been doing some local perf testing of various ideas and have
1721         had these come in handy. I'm going to land them to dollarVM to prevent
1722         having to add them to my local build every time I do perf testing.
1723
1724         * assembler/MacroAssemblerX86Common.h:
1725         (JSC::MacroAssemblerX86Common::mfence):
1726         (JSC::MacroAssemblerX86Common::rdtsc):
1727         (JSC::MacroAssemblerX86Common::pause):
1728         (JSC::MacroAssemblerX86Common::cpuid):
1729         * assembler/X86Assembler.h:
1730         (JSC::X86Assembler::rdtsc):
1731         (JSC::X86Assembler::pause):
1732         (JSC::X86Assembler::cpuid):
1733         * dfg/DFGAbstractInterpreterInlines.h:
1734         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1735         * dfg/DFGByteCodeParser.cpp:
1736         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1737         * dfg/DFGClobberize.h:
1738         (JSC::DFG::clobberize):
1739         * dfg/DFGDoesGC.cpp:
1740         (JSC::DFG::doesGC):
1741         * dfg/DFGFixupPhase.cpp:
1742         (JSC::DFG::FixupPhase::fixupNode):
1743         * dfg/DFGGraph.cpp:
1744         (JSC::DFG::Graph::dump):
1745         * dfg/DFGNode.h:
1746         (JSC::DFG::Node::intrinsic):
1747         * dfg/DFGNodeType.h:
1748         * dfg/DFGPredictionPropagationPhase.cpp:
1749         * dfg/DFGSafeToExecute.h:
1750         (JSC::DFG::safeToExecute):
1751         * dfg/DFGSpeculativeJIT32_64.cpp:
1752         (JSC::DFG::SpeculativeJIT::compile):
1753         * dfg/DFGSpeculativeJIT64.cpp:
1754         (JSC::DFG::SpeculativeJIT::compile):
1755         * dfg/DFGValidate.cpp:
1756         * ftl/FTLCapabilities.cpp:
1757         (JSC::FTL::canCompile):
1758         * ftl/FTLLowerDFGToB3.cpp:
1759         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1760         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
1761         * runtime/Intrinsic.cpp:
1762         (JSC::intrinsicName):
1763         * runtime/Intrinsic.h:
1764         * tools/JSDollarVM.cpp:
1765         (JSC::functionCpuMfence):
1766         (JSC::functionCpuRdtsc):
1767         (JSC::functionCpuCpuid):
1768         (JSC::functionCpuPause):
1769         (JSC::functionCpuClflush):
1770         (JSC::JSDollarVM::finishCreation):
1771
1772 2017-11-16  JF Bastien  <jfbastien@apple.com>
1773
1774         It should be easier to reify lazy property names
1775         https://bugs.webkit.org/show_bug.cgi?id=179734
1776         <rdar://problem/35492521>
1777
1778         Reviewed by Keith Miller.
1779
1780         We reify lazy property names in a few different ways, each
1781         specific to the JSCell implementation, in put() instead of having
1782         a special function to do reification. Let's make that simpler.
1783
1784         This patch makes it easier to reify property names in a uniform
1785         manner, and does so in JSFunction. As a follow up I'll use the
1786         same mechanics for:
1787
1788         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
1789         ErrorConstructor  stackTraceLimit
1790         ErrorInstance     line, column, sourceURL, stack
1791         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
1792         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
1793         JSArray           length
1794         RegExpObject      lastIndex
1795         StringObject      length
1796
1797         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
1798         * runtime/JSCell.cpp:
1799         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
1800         * runtime/JSCell.h:
1801         * runtime/JSFunction.cpp: `name` and `length` can be reified.
1802         (JSC::JSFunction::reifyPropertyNameIfNeeded):
1803         (JSC::JSFunction::put):
1804         (JSC::JSFunction::reifyLength):
1805         (JSC::JSFunction::reifyName):
1806         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1807         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
1808         (JSC::JSFunction::reifyLazyLengthIfNeeded):
1809         (JSC::JSFunction::reifyLazyNameIfNeeded):
1810         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1811         * runtime/JSFunction.h:
1812         (JSC::JSFunction::isLazy):
1813         (JSC::JSFunction::isReified):
1814         * runtime/JSObjectInlines.h:
1815         (JSC::JSObject::putDirectInternal): do the reification here.
1816
1817 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1818
1819         Provide a runtime option for disabling the optimization of recursive tail calls
1820         https://bugs.webkit.org/show_bug.cgi?id=179765
1821
1822         Reviewed by Mark Lam.
1823
1824         * bytecode/PreciseJumpTargets.cpp:
1825         (JSC::getJumpTargetsForBytecodeOffset):
1826         * bytecompiler/BytecodeGenerator.cpp:
1827         (JSC::BytecodeGenerator::emitEnter):
1828         * dfg/DFGByteCodeParser.cpp:
1829         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1830         * runtime/Options.h:
1831
1832 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1833
1834         Fix null pointer dereference in bytecodeDumper
1835         https://bugs.webkit.org/show_bug.cgi?id=179764
1836
1837         Reviewed by Mark Lam.
1838
1839         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
1840
1841         * bytecode/BytecodeDumper.cpp:
1842         (JSC::BytecodeDumper<Block>::printCallOp):
1843
1844 2017-11-16  Robin Morisset  <rmorisset@apple.com>
1845
1846         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
1847         https://bugs.webkit.org/show_bug.cgi?id=179763
1848         <rdar://problem/35550513>
1849
1850         Reviewed by Keith Miller.
1851
1852         Fix null pointer dereference caused by an eliminated tdz_check.
1853
1854         The problem was when doing an OSR entry in DFG while |this| was null
1855         (because super() had not yet been called in the constructor of this
1856         subclass), it would be marked as non-null, and the tdz_check eliminated.
1857
1858         * dfg/DFGInPlaceAbstractState.cpp:
1859         (JSC::DFG::InPlaceAbstractState::initialize):
1860
1861 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
1862
1863         Unreviewed, rolling out r224863.
1864
1865         Introduced LayoutTest crashes on iOS Simulator.
1866
1867         Reverted changeset:
1868
1869         "Move JSONValues to WTF and convert uses of InspectorValues.h
1870         to JSONValues.h"
1871         https://bugs.webkit.org/show_bug.cgi?id=173793
1872         https://trac.webkit.org/changeset/224863
1873
1874 2017-11-14  Mark Lam  <mark.lam@apple.com>
1875
1876         Gardening: CLoop build fix after r224862.
1877         https://bugs.webkit.org/show_bug.cgi?id=179699
1878
1879         Not reviewed.
1880
1881         * bytecode/CodeBlock.h:
1882         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1883
1884 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1885
1886         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1887         https://bugs.webkit.org/show_bug.cgi?id=173793
1888
1889         Reviewed by Brian Burg.
1890
1891         Based on patch by Brian Burg.
1892
1893         * JavaScriptCore.xcodeproj/project.pbxproj:
1894         * Sources.txt:
1895         * bindings/ScriptValue.cpp:
1896         (Inspector::jsToInspectorValue):
1897         (Inspector::toInspectorValue):
1898         (Deprecated::ScriptValue::toInspectorValue const):
1899         * bindings/ScriptValue.h:
1900         * inspector/AsyncStackTrace.cpp:
1901         * inspector/ConsoleMessage.cpp:
1902         * inspector/ContentSearchUtilities.cpp:
1903         * inspector/InjectedScript.cpp:
1904         (Inspector::InjectedScript::getFunctionDetails):
1905         (Inspector::InjectedScript::functionDetails):
1906         (Inspector::InjectedScript::getPreview):
1907         (Inspector::InjectedScript::getProperties):
1908         (Inspector::InjectedScript::getDisplayableProperties):
1909         (Inspector::InjectedScript::getInternalProperties):
1910         (Inspector::InjectedScript::getCollectionEntries):
1911         (Inspector::InjectedScript::saveResult):
1912         (Inspector::InjectedScript::wrapCallFrames const):
1913         (Inspector::InjectedScript::wrapObject const):
1914         (Inspector::InjectedScript::wrapTable const):
1915         (Inspector::InjectedScript::previewValue const):
1916         (Inspector::InjectedScript::setExceptionValue):
1917         (Inspector::InjectedScript::clearExceptionValue):
1918         (Inspector::InjectedScript::inspectObject):
1919         (Inspector::InjectedScript::releaseObject):
1920         * inspector/InjectedScriptBase.cpp:
1921         (Inspector::InjectedScriptBase::makeCall):
1922         (Inspector::InjectedScriptBase::makeEvalCall):
1923         * inspector/InjectedScriptBase.h:
1924         * inspector/InjectedScriptManager.cpp:
1925         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1926         * inspector/InspectorBackendDispatcher.cpp:
1927         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1928         (Inspector::BackendDispatcher::dispatch):
1929         (Inspector::BackendDispatcher::sendResponse):
1930         (Inspector::BackendDispatcher::sendPendingErrors):
1931         (Inspector::BackendDispatcher::getPropertyValue):
1932         (Inspector::castToInteger):
1933         (Inspector::castToNumber):
1934         (Inspector::BackendDispatcher::getInteger):
1935         (Inspector::BackendDispatcher::getDouble):
1936         (Inspector::BackendDispatcher::getString):
1937         (Inspector::BackendDispatcher::getBoolean):
1938         (Inspector::BackendDispatcher::getObject):
1939         (Inspector::BackendDispatcher::getArray):
1940         (Inspector::BackendDispatcher::getValue):
1941         * inspector/InspectorBackendDispatcher.h:
1942         * inspector/InspectorProtocolTypes.h:
1943         (Inspector::Protocol::Array::openAccessors):
1944         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1945         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1946         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1947         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1948         * inspector/ScriptCallFrame.cpp:
1949         * inspector/ScriptCallStack.cpp:
1950         * inspector/agents/InspectorAgent.cpp:
1951         (Inspector::InspectorAgent::inspect):
1952         * inspector/agents/InspectorAgent.h:
1953         * inspector/agents/InspectorDebuggerAgent.cpp:
1954         (Inspector::buildAssertPauseReason):
1955         (Inspector::buildCSPViolationPauseReason):
1956         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1957         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1958         (Inspector::buildObjectForBreakpointCookie):
1959         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1960         (Inspector::parseLocation):
1961         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1962         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1963         (Inspector::InspectorDebuggerAgent::continueToLocation):
1964         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1965         (Inspector::InspectorDebuggerAgent::didParseSource):
1966         (Inspector::InspectorDebuggerAgent::breakProgram):
1967         * inspector/agents/InspectorDebuggerAgent.h:
1968         * inspector/agents/InspectorRuntimeAgent.cpp:
1969         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1970         (Inspector::InspectorRuntimeAgent::saveResult):
1971         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1972         * inspector/agents/InspectorRuntimeAgent.h:
1973         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1974         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1975         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1976         (CppBackendDispatcherImplementationGenerator.generate_output):
1977         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1978         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1979         (CppFrontendDispatcherHeaderGenerator.generate_output):
1980         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1981         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1982         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1983         (_generate_unchecked_setter_for_member):
1984         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1985         (CppProtocolTypesImplementationGenerator):
1986         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1987         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1988         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1989         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1990         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1991         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1992         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1993         * inspector/scripts/codegen/generate_objc_internal_header.py:
1994         (ObjCInternalHeaderGenerator.generate_output):
1995         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1996         (ObjCProtocolTypesImplementationGenerator.generate_output):
1997         * inspector/scripts/codegen/generator.py:
1998         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1999         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2000         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2001         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2002         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2003         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2004         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2005         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2006         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2007         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2008         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2009         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2010         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2011         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2012         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2013         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2014         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2015         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2016         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2017         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2018
2019 2017-11-14  Mark Lam  <mark.lam@apple.com>
2020
2021         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
2022         https://bugs.webkit.org/show_bug.cgi?id=179699
2023         <rdar://problem/35462346>
2024
2025         Reviewed by Michael Saboff.
2026
2027         * interpreter/Interpreter.cpp:
2028         (JSC::Interpreter::dumpRegisters):
2029         - Need to skip the callee saved registers
2030
2031 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
2032
2033         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
2034         https://bugs.webkit.org/show_bug.cgi?id=179563
2035
2036         Reviewed by Carlos Alberto Lopez Perez.
2037
2038         When run with BranchIfTruncateSuccessful,
2039         branchTruncateDoubleToInt32() should set the destination register
2040         before branching.
2041         This change also removes branchTruncateDoubleToUInt32() as it is
2042         deprecated (see r160205), merges branchOnTruncateResult() into
2043         branchTruncateDoubleToInt32() and adds test cases in testmasm.
2044
2045         * assembler/MacroAssemblerMIPS.h:
2046         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
2047         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2048         Properly set dest before branching.
2049         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
2050         * assembler/testmasm.cpp:
2051         (JSC::testBranchTruncateDoubleToInt32):
2052         (JSC::run):
2053         Add tests for branchTruncateDoubleToInt32().
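As an added illustration (not JSC's MacroAssemblerMIPS code) of the invariant this entry restores, and of the trunc.w.d behaviour described in the later "[JSC][MIPS] Use fcsr" entry, the following C++ models branchTruncateDoubleToInt32(): the destination is always written before the branch decision is made, in both branch modes, and the hardware's 0x7fffffff result for NaN, infinity and out-of-range inputs is treated as a failed truncation. The names TruncateMode, hardwareTruncate and truncateDoubleToInt32 are hypothetical.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>

// Hypothetical names; this is an added model, not JSC code.
enum class TruncateMode { BranchIfTruncateFailed, BranchIfTruncateSuccessful };

// MIPS trunc.w.d yields 0x7fffffff when the source is NaN, +/-Infinity, or
// truncates to a value that does not fit a signed 32-bit integer.
constexpr int32_t kTruncateSentinel = 0x7fffffff;

int32_t hardwareTruncate(double src) {
    if (std::isnan(src) || std::isinf(src))
        return kTruncateSentinel;
    double t = std::trunc(src);
    if (t > 2147483647.0 || t < -2147483648.0)
        return kTruncateSentinel;
    return static_cast<int32_t>(t);
}

// Returns true when the branch would be taken for `mode`.  `dest` is written
// before the decision in BOTH modes: a caller that takes the "successful"
// branch must find the truncated value in the destination register, which is
// exactly what the r224623 regression broke.
bool truncateDoubleToInt32(double src, int32_t& dest, TruncateMode mode) {
    dest = hardwareTruncate(src);
    // Comparing against the sentinel is conservative: 2147483647.0 truncates
    // to 0x7fffffff legitimately and is therefore also reported as a failure,
    // which sends it to the slow path rather than producing a wrong int.
    bool succeeded = dest != kTruncateSentinel;
    return mode == TruncateMode::BranchIfTruncateSuccessful ? succeeded : !succeeded;
}

int main() {
    int32_t dest;
    const double samples[] = { 3.9, -2147483648.0, 2147483647.0, 1e10,
                               std::numeric_limits<double>::quiet_NaN() };
    for (double s : samples) {
        bool taken = truncateDoubleToInt32(s, dest, TruncateMode::BranchIfTruncateSuccessful);
        std::printf("%g -> dest=%d, successful-branch taken=%d\n", s, dest, taken);
    }
    return 0;
}
```

The test cases mirror the testmasm coverage this entry mentions: an in-range value, INT32_MIN (the lowest value that still succeeds), NaN, and a value far outside the range.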
2054
2055 2017-11-14  Daniel Bates  <dabates@apple.com>
2056
2057         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
2058         for feature defines
2059
2060         Following r195498 and r201917 the Visual Studio property files for feature defines have
2061         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
2062         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
2063         files.
2064
2065         * Configurations/FeatureDefines.xcconfig:
2066
2067 2017-11-14  Mark Lam  <mark.lam@apple.com>
2068
2069         Remove JSDollarVMPrototype.
2070         https://bugs.webkit.org/show_bug.cgi?id=179685
2071
2072         Reviewed by Saam Barati.
2073
2074         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
2075
2076            This allows us to call these functions during lldb debugging sessions using
2077            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
2078            VMInspector provides VM debugging utility methods.  It doesn't make sense to
2079            have a JSDollarVMPrototype object provide these methods.
2080
2081            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
2082
2083         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
2084
2085            JSDollarVM is a special object used only for debugging purposes.  There's no
2086            gain in requiring its methods to be stored in a prototype object other than to
2087            conform to typical JS convention.  We can remove this complexity.
2088
2089         * JavaScriptCore.xcodeproj/project.pbxproj:
2090         * Sources.txt:
2091         * runtime/JSGlobalObject.cpp:
2092         (JSC::JSGlobalObject::init):
2093         * tools/JSDollarVM.cpp:
2094         (JSC::JSDollarVM::addFunction):
2095         (JSC::functionCrash):
2096         (JSC::functionDFGTrue):
2097         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
2098         (JSC::CallerFrameJITTypeFunctor::operator() const):
2099         (JSC::CallerFrameJITTypeFunctor::jitType):
2100         (JSC::functionLLintTrue):
2101         (JSC::functionJITTrue):
2102         (JSC::functionGC):
2103         (JSC::functionEdenGC):
2104         (JSC::functionCodeBlockForFrame):
2105         (JSC::codeBlockFromArg):
2106         (JSC::functionCodeBlockFor):
2107         (JSC::functionPrintSourceFor):
2108         (JSC::functionPrintBytecodeFor):
2109         (JSC::functionPrint):
2110         (JSC::functionPrintCallFrame):
2111         (JSC::functionPrintStack):
2112         (JSC::functionValue):
2113         (JSC::functionGetPID):
2114         (JSC::JSDollarVM::finishCreation):
2115         * tools/JSDollarVM.h:
2116         (JSC::JSDollarVM::create):
2117         * tools/JSDollarVMPrototype.cpp: Removed.
2118         * tools/JSDollarVMPrototype.h: Removed.
2119         * tools/VMInspector.cpp:
2120         (JSC::VMInspector::currentThreadOwnsJSLock):
2121         (JSC::ensureCurrentThreadOwnsJSLock):
2122         (JSC::VMInspector::gc):
2123         (JSC::VMInspector::edenGC):
2124         (JSC::VMInspector::isInHeap):
2125         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
2126         (JSC::CellAddressCheckFunctor::operator() const):
2127         (JSC::VMInspector::isValidCell):
2128         (JSC::VMInspector::isValidCodeBlock):
2129         (JSC::VMInspector::codeBlockForFrame):
2130         (JSC::PrintFrameFunctor::PrintFrameFunctor):
2131         (JSC::PrintFrameFunctor::operator() const):
2132         (JSC::VMInspector::printCallFrame):
2133         (JSC::VMInspector::printStack):
2134         (JSC::VMInspector::printValue):
2135         * tools/VMInspector.h:
2136
2137 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
2138
2139         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
2140         https://bugs.webkit.org/show_bug.cgi?id=179640
2141         <rdar://problem/35517361>
2142
2143         Reviewed by Devin Rousso.
2144
2145         * CMakeLists.txt:
2146         * DerivedSources.make:
2147         Gate the ServiceWorker domain on the ENABLE feature flag.
2148
2149         * inspector/protocol/ServiceWorker.json: Added.
2150         New domain to be made available inside of a ServiceWorker target.
2151
2152 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2153
2154         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
2155         https://bugs.webkit.org/show_bug.cgi?id=179594
2156
2157         Reviewed by Saam Barati.
2158
2159         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
2160         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
2161         `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
2162         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
2163         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
2164
2165         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
2166         accept this type, and emit optimized code compared to Array::Generic case.
2167
2168         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) exit as OutOfBounds
2169         instead of ExoticObjectMode.
2170
2171         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
2172         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
2173
2174             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
2175
2176         * dfg/DFGArgumentsEliminationPhase.cpp:
2177         * dfg/DFGArrayMode.cpp:
2178         (JSC::DFG::ArrayMode::refine const):
2179         * dfg/DFGClobberize.h:
2180         (JSC::DFG::clobberize):
2181         * dfg/DFGSpeculativeJIT.cpp:
2182         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2183         * ftl/FTLLowerDFGToB3.cpp:
2184         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2185         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
2186
2187 2017-11-14  Saam Barati  <sbarati@apple.com>
2188
2189         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
2190         https://bugs.webkit.org/show_bug.cgi?id=179639
2191         <rdar://problem/35513018>
2192
2193         Reviewed by JF Bastien.
2194
2195         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
2196         walk the stack for ShadowChicken (and maybe other things). We weren't updating
2197         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
2198         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
2199         this bug by giving Wasm::Instance a lambda that is called when we need to store
2200         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
2201         Currently, JSWebAssemblyInstance passes in a lambda that stores to
2202         VM.topCallFrame.
2203
2204         * wasm/WasmB3IRGenerator.cpp:
2205         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2206         * wasm/WasmInstance.cpp:
2207         (JSC::Wasm::Instance::Instance):
2208         (JSC::Wasm::Instance::create):
2209         * wasm/WasmInstance.h:
2210         (JSC::Wasm::Instance::storeTopCallFrame):
2211         * wasm/js/JSWebAssemblyInstance.cpp:
2212         (JSC::JSWebAssemblyInstance::create):
2213         * wasm/js/JSWebAssemblyInstance.h:
2214         * wasm/js/WasmToJS.cpp:
2215         (JSC::Wasm::wasmToJSException):
2216         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2217         (JSC::constructJSWebAssemblyInstance):
2218         * wasm/js/WebAssemblyPrototype.cpp:
2219         (JSC::instantiate):
2220
2221 2017-11-13  Saam Barati  <sbarati@apple.com>
2222
2223         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
2224         https://bugs.webkit.org/show_bug.cgi?id=179203
2225
2226         Reviewed by Yusuke Suzuki.
2227
2228         This patch only removes the pointer caging for the described types in the title.
2229         These types still allocate out of the gigacage. This is just a cost vs. benefit
2230         tradeoff of performance vs security.
2231
2232         * dfg/DFGSpeculativeJIT.cpp:
2233         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
2234         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2235         * ftl/FTLLowerDFGToB3.cpp:
2236         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2237         * jit/JITPropertyAccess.cpp:
2238         (JSC::JIT::emitDirectArgumentsGetByVal):
2239         (JSC::JIT::emitScopedArgumentsGetByVal):
2240         * runtime/DirectArguments.h:
2241         (JSC::DirectArguments::storage):
2242         * runtime/HashMapImpl.cpp:
2243         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
2244         * runtime/HashMapImpl.h:
2245         * runtime/JSLexicalEnvironment.h:
2246         (JSC::JSLexicalEnvironment::variables):
2247         * runtime/ScopedArguments.h:
2248         (JSC::ScopedArguments::overflowStorage const):
2249
2250 2017-11-08  Keith Miller  <keith_miller@apple.com>
2251
2252         Async iteration should only fetch the next method once and add feature flag
2253         https://bugs.webkit.org/show_bug.cgi?id=179451
2254
2255         Reviewed by Geoffrey Garen.
2256
2257         Add feature flag for Async iteration. Also, change async iteration to match
2258         the expected behavior of the proposal.
2259
2260         * Configurations/FeatureDefines.xcconfig:
2261         * builtins/AsyncFromSyncIteratorPrototype.js:
2262         (globalPrivate.createAsyncFromSyncIterator):
2263         (globalPrivate.AsyncFromSyncIteratorConstructor):
2264         * builtins/BuiltinNames.h:
2265         * bytecompiler/BytecodeGenerator.cpp:
2266         (JSC::BytecodeGenerator::emitGetAsyncIterator):
2267         * runtime/Options.h:
2268
2269 2017-11-13  Mark Lam  <mark.lam@apple.com>
2270
2271         Add more overflow check book-keeping for MarkedArgumentBuffer.
2272         https://bugs.webkit.org/show_bug.cgi?id=179634
2273         <rdar://problem/35492517>
2274
2275         Reviewed by Saam Barati.
2276
2277         * runtime/ArgList.h:
2278         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
2279         * runtime/JSJob.cpp:
2280         (JSC::JSJobMicrotask::run):
2281         * runtime/ObjectConstructor.cpp:
2282         (JSC::defineProperties):
2283         * runtime/ReflectObject.cpp:
2284         (JSC::reflectObjectConstruct):
2285
2286 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
2287
2288         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
2289         https://bugs.webkit.org/show_bug.cgi?id=179542
2290
2291         Reviewed by Alex Christensen.
2292
2293         * assembler/MacroAssemblerARM.h:
2294         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
2295
2296 2017-11-13  Mark Lam  <mark.lam@apple.com>
2297
2298         Make the jsc shell loadGetterFromGetterSetter() function more robust.
2299         https://bugs.webkit.org/show_bug.cgi?id=179619
2300         <rdar://problem/35492518>
2301
2302         Reviewed by Saam Barati.
2303
2304         * jsc.cpp:
2305         (functionLoadGetterFromGetterSetter):
2306
2307 2017-11-12  Darin Adler  <darin@apple.com>
2308
2309         More is<> and downcast<>, less static_cast<>
2310         https://bugs.webkit.org/show_bug.cgi?id=179600
2311
2312         Reviewed by Chris Dumez.
2313
2314         * runtime/JSString.h:
2315         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
2316         (JSC::jsSubstringOfResolved): Ditto.
2317
2318 2017-11-12  Mark Lam  <mark.lam@apple.com>
2319
2320         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
2321         https://bugs.webkit.org/show_bug.cgi?id=179562
2322         <rdar://problem/35467022>
2323
2324         Reviewed by Saam Barati.
2325
2326         * dfg/DFGFixupPhase.cpp:
2327         (JSC::DFG::FixupPhase::fixupNode):
2328         * dfg/DFGOperations.cpp:
2329         * dfg/DFGSafeToExecute.h:
2330         (JSC::DFG::SafeToExecuteEdge::operator()):
2331         * dfg/DFGSpeculativeJIT.cpp:
2332         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
2333         (JSC::DFG::SpeculativeJIT::speculate):
2334         * dfg/DFGSpeculativeJIT.h:
2335         * dfg/DFGUseKind.cpp:
2336         (WTF::printInternal):
2337         * dfg/DFGUseKind.h:
2338         (JSC::DFG::typeFilterFor):
2339         * ftl/FTLCapabilities.cpp:
2340         (JSC::FTL::canCompile):
2341         * ftl/FTLLowerDFGToB3.cpp:
2342         (JSC::FTL::DFG::LowerDFGToB3::speculate):
2343         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
2344
2345 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
2346
2347         Web Inspector: Canvas tab: show detailed status during canvas recording
2348         https://bugs.webkit.org/show_bug.cgi?id=178185
2349         <rdar://problem/34939862>
2350
2351         Reviewed by Brian Burg.
2352
2353         * inspector/protocol/Canvas.json:
2354         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
2355         payloads since the last Canvas.recordingProgress event and the current buffer usage.
2356
2357         * inspector/protocol/Recording.json:
2358         Remove the required `frames` parameter from the Recording protocol object, as they will be
2359         sent in batches via the Canvas.recordingProgress event.
2360
2361 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
2362
2363         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
2364         https://bugs.webkit.org/show_bug.cgi?id=179543
2365
2366         Reviewed by Antoine Quint.
2367
2368         * inspector/protocol/Network.json:
2369         Use a better type for the status code.
2370
2371 2017-11-10  Robin Morisset  <rmorisset@apple.com>
2372
2373         The memory consumption of DFG::BasicBlock can be easily reduced a bit
2374         https://bugs.webkit.org/show_bug.cgi?id=179528
2375
2376         Reviewed by Saam Barati.
2377
2378         A few changes here:
2379         - Reordering some fields of DFG::BasicBlock to reduce padding
2380         - Making the enum fields that are glorified booleans fit into a u8
2381         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
2382           This change works because we never increase the number of arguments after allocating an Operands object.
2383           It lets us avoid one extra capacity field and one extra pointer field per Operands,
2384           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
2385           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
2386           we have a chance to avoid an allocation.
2387         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
2388
2389         * bytecode/Operands.h:
2390         (JSC::Operands::Operands):
2391         (JSC::Operands::numberOfArguments const):
2392         (JSC::Operands::numberOfLocals const):
2393         (JSC::Operands::argument):
2394         (JSC::Operands::argument const):
2395         (JSC::Operands::local):
2396         (JSC::Operands::local const):
2397         (JSC::Operands::ensureLocals):
2398         (JSC::Operands::setLocal):
2399         (JSC::Operands::getLocal):
2400         (JSC::Operands::setArgumentFirstTime):
2401         (JSC::Operands::setLocalFirstTime):
2402         (JSC::Operands::operand):
2403         (JSC::Operands::setOperand):
2404         (JSC::Operands::size const):
2405         (JSC::Operands::at const):
2406         (JSC::Operands::at):
2407         (JSC::Operands::isArgument const):
2408         (JSC::Operands::isVariable const):
2409         (JSC::Operands::virtualRegisterForIndex const):
2410         (JSC::Operands::fill):
2411         (JSC::Operands::operator== const):
2412         (JSC::Operands::argumentForIndex const): Deleted.
2413         (JSC::Operands::variableForIndex const): Deleted.
2414         (JSC::Operands::indexForOperand const): Deleted.
2415         * dfg/DFGBasicBlock.cpp:
2416         (JSC::DFG::BasicBlock::BasicBlock):
2417         * dfg/DFGBasicBlock.h:
2418         * dfg/DFGBranchDirection.h:
2419         * dfg/DFGStructureClobberState.h:
2420
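As an added example (not JSC's bytecode/Operands.h) of the single-vector layout the entry above describes, the following C++ keeps all arguments followed by all locals in one std::vector. The point it makes concrete is the invariant the entry relies on: the argument count is fixed at construction, so growing the locals never moves the split point, and one vector (one capacity field, one pointer, at most one allocation) is enough. Names such as Operands, ensureLocals and probeLayout are hypothetical, and bounds checking via at() is this example's choice.

```cpp
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Added model, not JSC code: one vector, arguments first, then locals.
template<typename T>
class Operands {
public:
    Operands(size_t numArguments, size_t numLocals, const T& fill = T())
        : m_numArguments(numArguments), m_values(numArguments + numLocals, fill) {}

    size_t numberOfArguments() const { return m_numArguments; }
    size_t numberOfLocals() const { return m_values.size() - m_numArguments; }
    size_t size() const { return m_values.size(); }

    // Layout: [arg0 .. arg(n-1) | local0 .. local(m-1)].  Indices are
    // bounds-checked, so a bad index throws instead of reading a neighbour.
    T& argument(size_t i) {
        if (i >= m_numArguments) throw std::out_of_range("argument index");
        return m_values.at(i);
    }
    T& local(size_t i) { return m_values.at(m_numArguments + i); }

    // Flat-index helpers: the split point is m_numArguments.
    bool isArgument(size_t flatIndex) const { return flatIndex < m_numArguments; }
    bool isLocal(size_t flatIndex) const { return flatIndex >= m_numArguments && flatIndex < size(); }
    T& at(size_t flatIndex) { return m_values.at(flatIndex); }

    // Only the local region may grow.  Because the argument count never
    // changes after construction, resizing the single vector keeps every
    // existing argument and local at its index.
    void ensureLocals(size_t count, const T& fill = T()) {
        if (count > numberOfLocals())
            m_values.resize(m_numArguments + count, fill);
    }

private:
    size_t m_numArguments;
    std::vector<T> m_values;
};

// Deterministic probe of the behaviour above (hypothetical helper).
struct LayoutProbe {
    size_t sizeAfterGrow;
    size_t localsAfterGrow;
    int firstLocal;        // value preserved across ensureLocals
    int newLocal;          // value of a freshly added local (the fill)
    bool flat1IsArgument;
    bool flat2IsLocal;
    bool badLocalThrows;
};

LayoutProbe probeLayout() {
    Operands<int> ops(2, 1, 0);          // 2 arguments, 1 local
    ops.argument(0) = 10;
    ops.argument(1) = 20;
    ops.local(0) = 30;
    ops.ensureLocals(3, -1);             // grow locals from 1 to 3, fill -1
    bool threw = false;
    try { ops.local(3); } catch (const std::out_of_range&) { threw = true; }
    return { ops.size(), ops.numberOfLocals(), ops.local(0), ops.local(2),
             ops.isArgument(1), ops.isLocal(2), threw };
}

int main() {
    LayoutProbe p = probeLayout();
    std::printf("size=%zu locals=%zu local0=%d local2=%d oobThrows=%d\n",
                p.sizeAfterGrow, p.localsAfterGrow, p.firstLocal, p.newLocal, p.badLocalThrows);
    return 0;
}
```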
2421 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2422
2423         [JSC] Retry module fetching if previous request fails
2424         https://bugs.webkit.org/show_bug.cgi?id=178168
2425
2426         Reviewed by Saam Barati.
2427
2428         According to the latest spec, the failed fetching operation can be retried if it is requested again.
2429         For example,
2430
2431             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2432             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2433
2434         When performing the first module fetching, the integrity check fails, and the load of this module fails.
2435         But when loading the second module, we do not use the cached failure result from the first module loading.
2436         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
2437         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
2438
2439         Interestingly, the fetching result and instantiation result will be cached if they succeed. This is because we would
2440         like to cache modules based on their URLs. As a result,
2441
2442             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
2443             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
2444
2445         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
2446         instantiation are cached in the module pipeline.
2447
2448         This patch implements the above semantics. Previously, our module pipeline always cached the result. If the fetching
2449         failed, all subsequent fetching for the same URL failed even if we had different integrity values. We now retry fetching
2450         if the previous one fails. As an overview of our change,
2451
2452         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URL should
2453            be unified. But if the currently executing one fails, other attempts should retry fetching.
2454
2455         2. Instantiation should be cached if fetching succeeds.
2456
2457         3. Satisfying should be cached if it succeeds.
2458
2459         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
2460
2461         * builtins/ModuleLoaderPrototype.js:
2462         (requestFetch):
2463         (requestInstantiate):
2464         (requestSatisfy):
2465         (link):
2466         (loadModule):
2467         * runtime/JSGlobalObject.cpp:
2468         (JSC::JSGlobalObject::init):
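As an added example (not JSC's ModuleLoaderPrototype.js) of the fetch-stage semantics described in the entry above, the following C++ models a URL-keyed fetch registry with the three properties the entry spells out: in-flight requests for the same URL are unified, a failed fetch is never cached so the next request retries, and a successful fetch is cached regardless of the integrity a later request supplies. The network is simulated by completeNext(), the digest is a constructed FNV-1a stand-in for an SRI hash, and the names FetchRegistry, Waiter, digestOf and runScenario are hypothetical.

```cpp
#include <cstdint>
#include <functional>
#include <map>
#include <memory>
#include <string>
#include <vector>
#include <cstdio>

// Constructed stand-in for an SRI digest (FNV-1a over the body); not a real
// cryptographic hash, just enough to make "correct" vs "bad" integrity concrete.
std::string digestOf(const std::string& body) {
    uint64_t h = 1469598103934665603ull;
    for (unsigned char c : body) { h ^= c; h *= 1099511628211ull; }
    return "fnv-" + std::to_string(h);
}

class FetchRegistry {
public:
    struct Waiter { std::string integrity; std::function<void(bool)> onDone; };
    struct Entry {
        bool fetched = false;         // only ever true for a successful fetch
        std::string source;
        std::vector<Waiter> waiters;  // requests joined while the fetch is in flight
    };

    int fetchesStarted = 0;           // how many real fetches were issued

    // Request `url` with the caller's `integrity`; `onDone` receives the outcome.
    void request(const std::string& url, const std::string& integrity,
                 std::function<void(bool)> onDone) {
        auto it = m_entries.find(url);
        if (it != m_entries.end()) {
            if (it->second->fetched) { onDone(true); return; }               // cached success
            it->second->waiters.push_back({integrity, std::move(onDone)});   // unify in-flight
            return;
        }
        auto entry = std::make_shared<Entry>();
        entry->waiters.push_back({integrity, std::move(onDone)});
        m_entries[url] = entry;
        ++fetchesStarted;
        m_inFlight.push_back(url);
    }

    // Simulated network: deliver `body` for the oldest in-flight URL.  The
    // integrity checked is the one supplied by the request that started the fetch.
    void completeNext(const std::string& body) {
        std::string url = m_inFlight.front();
        m_inFlight.erase(m_inFlight.begin());
        auto entry = m_entries.at(url);
        std::vector<Waiter> waiters = std::move(entry->waiters);
        if (digestOf(body) == waiters.front().integrity) {
            entry->fetched = true;            // success is cached by URL
            entry->source = body;
            for (auto& w : waiters) w.onDone(true);
            return;
        }
        m_entries.erase(url);                 // failure is NOT cached
        waiters.front().onDone(false);        // the initiating request fails...
        for (size_t i = 1; i < waiters.size(); ++i)   // ...the others retry with their own integrity
            request(url, waiters[i].integrity, std::move(waiters[i].onDone));
    }

    bool isCached(const std::string& url) const {
        auto it = m_entries.find(url);
        return it != m_entries.end() && it->second->fetched;
    }

private:
    std::map<std::string, std::shared_ptr<Entry>> m_entries;
    std::vector<std::string> m_inFlight;
};

// The entry's two scenarios back to back: bad integrity first, correct second,
// then a later bad-integrity request that is served from the cached success.
struct ScenarioResult { int fetches; bool first; bool second; bool third; bool cached; };
ScenarioResult runScenario() {
    FetchRegistry reg;
    const std::string body = "export default 42;";   // constructed module body
    bool first = false, second = false, third = false;
    reg.request("./A.js", "shaXXX-bad", [&](bool ok) { first = ok; });
    reg.request("./A.js", digestOf(body), [&](bool ok) { second = ok; });  // unified with the first
    reg.completeNext(body);   // bad integrity -> fails, not cached; second waiter retries
    reg.completeNext(body);   // retry with the correct integrity -> succeeds, cached
    reg.request("./A.js", "shaXXX-bad", [&](bool ok) { third = ok; });     // cache hit
    return { reg.fetchesStarted, first, second, third, reg.isCached("./A.js") };
}

int main() {
    ScenarioResult r = runScenario();
    std::printf("fetches=%d first=%d second=%d third=%d cached=%d\n",
                r.fetches, r.first, r.second, r.third, r.cached);
    return 0;
}
```

Two fetches are issued in total: the unified first attempt, and one retry after its failure; the third request never touches the network because the successful result is keyed by URL alone, which is the behaviour the entry calls out as "interesting".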
2469
2470 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
2471
2472         Web Inspector: support undo/redo of insertAdjacentHTML
2473         https://bugs.webkit.org/show_bug.cgi?id=179283
2474
2475         Reviewed by Joseph Pecoraro.
2476
2477         * inspector/protocol/DOM.json:
2478         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
2479         on the given node.
2480
2481 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
2482
2483         Web Inspector: Make domain availability a list of types instead of a single type
2484         https://bugs.webkit.org/show_bug.cgi?id=179457
2485
2486         Reviewed by Brian Burg.
2487
2488         * inspector/scripts/codegen/generate_js_backend_commands.py:
2489         (JSBackendCommandsGenerator.generate_domain):
2490         Update output of `InspectorBackend.activateDomain` to include the list.
2491
2492         * inspector/scripts/codegen/models.py:
2493         (Protocol.parse_domain):
2494         Parse `availability` as a list and include a new supported value of "service-worker".
2495
2496         * inspector/protocol/ApplicationCache.json:
2497         * inspector/protocol/CSS.json:
2498         * inspector/protocol/Canvas.json:
2499         * inspector/protocol/DOM.json:
2500         * inspector/protocol/DOMDebugger.json:
2501         * inspector/protocol/DOMStorage.json:
2502         * inspector/protocol/Database.json:
2503         * inspector/protocol/IndexedDB.json:
2504         * inspector/protocol/LayerTree.json:
2505         * inspector/protocol/Memory.json:
2506         * inspector/protocol/Network.json:
2507         * inspector/protocol/Page.json:
2508         * inspector/protocol/Timeline.json:
2509         * inspector/protocol/Worker.json:
2510         Update `availability` to be a list.
2511
2512         * inspector/scripts/tests/generic/domain-availability.json:
2513         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2514         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
2515         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
2516         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
2517         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2518         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
2519         Update tests to include a test for the type and an invalid value.
2520
2521 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2522
2523         [JSC][JIT] Clean up SlowPathCall stubs
2524         https://bugs.webkit.org/show_bug.cgi?id=179247
2525
2526         Reviewed by Saam Barati.
2527
2528         We have a bunch of duplicate functions that just call a slow path function.
2529         This patch cleans up the above duplication.
2530
2531         * jit/JIT.cpp:
2532         (JSC::JIT::emitSlowCaseCall):
2533         (JSC::JIT::privateCompileSlowCases):
2534         * jit/JIT.h:
2535         * jit/JITArithmetic.cpp:
2536         (JSC::JIT::emitSlow_op_unsigned): Deleted.
2537         (JSC::JIT::emitSlow_op_inc): Deleted.
2538         (JSC::JIT::emitSlow_op_dec): Deleted.
2539         (JSC::JIT::emitSlow_op_bitand): Deleted.
2540         (JSC::JIT::emitSlow_op_bitor): Deleted.
2541         (JSC::JIT::emitSlow_op_bitxor): Deleted.
2542         (JSC::JIT::emitSlow_op_lshift): Deleted.
2543         (JSC::JIT::emitSlow_op_rshift): Deleted.
2544         (JSC::JIT::emitSlow_op_urshift): Deleted.
2545         (JSC::JIT::emitSlow_op_div): Deleted.
2546         * jit/JITArithmetic32_64.cpp:
2547         (JSC::JIT::emitSlow_op_unsigned): Deleted.
2548         (JSC::JIT::emitSlow_op_inc): Deleted.
2549         (JSC::JIT::emitSlow_op_dec): Deleted.
2550         * jit/JITOpcodes.cpp:
2551         (JSC::JIT::emitSlow_op_create_this): Deleted.
2552         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2553         (JSC::JIT::emitSlow_op_to_this): Deleted.
2554         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2555         (JSC::JIT::emitSlow_op_not): Deleted.
2556         (JSC::JIT::emitSlow_op_stricteq): Deleted.
2557         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2558         (JSC::JIT::emitSlow_op_to_number): Deleted.
2559         (JSC::JIT::emitSlow_op_to_string): Deleted.
2560         (JSC::JIT::emitSlow_op_to_object): Deleted.
2561         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2562         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
2563         * jit/JITOpcodes32_64.cpp:
2564         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
2565         (JSC::JIT::emitSlow_op_not): Deleted.
2566         (JSC::JIT::emitSlow_op_stricteq): Deleted.
2567         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
2568         (JSC::JIT::emitSlow_op_to_number): Deleted.
2569         (JSC::JIT::emitSlow_op_to_string): Deleted.
2570         (JSC::JIT::emitSlow_op_to_object): Deleted.
2571         (JSC::JIT::emitSlow_op_create_this): Deleted.
2572         (JSC::JIT::emitSlow_op_to_this): Deleted.
2573         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
2574         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
2575         * jit/JITPropertyAccess.cpp:
2576         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2577         * jit/JITPropertyAccess32_64.cpp:
2578         (JSC::JIT::emit_op_resolve_scope):
2579         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
2580         * jit/SlowPathCall.h:
2581         (JSC::JITSlowPathCall::JITSlowPathCall):
2582         * runtime/CommonSlowPaths.cpp:
2583         (JSC::SLOW_PATH_DECL):
2584         * runtime/CommonSlowPaths.h:
2585
2586 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
2587
2588         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
2589         https://bugs.webkit.org/show_bug.cgi?id=179446
2590
2591         Reviewed by Žan Doberšek.
2592
2593         The trunc.w.d mips instruction should give a 0x7fffffff result when
2594         the source value is Infinity, NaN, or rounds to an integer outside the
2595         range -2^31 to 2^31 - 1. This is what branchTruncateDoubleToInt32() and
2596         branchTruncateDoubleToUInt32() have been relying on. It turns out that
2597         this assumption is not true on some CPUs, including on the ci20 on
2598         which we run the testbot (we get 0x80000000 instead). We should use the
2599         invalid operation cause bit instead to check whether the source value
2600         could be properly truncated. This requires the addition of the cfc1
2601         instruction, as well as the special registers that can be used with it
2602         (control registers of CP1).
2603
2604         * assembler/MIPSAssembler.h:
2605         (JSC::MIPSAssembler::firstSPRegister):
2606         (JSC::MIPSAssembler::lastSPRegister):
2607         (JSC::MIPSAssembler::numberOfSPRegisters):
2608         (JSC::MIPSAssembler::sprName):
2609         Added control registers of CP1.
2610         (JSC::MIPSAssembler::cfc1):
2611         Added.
2612         * assembler/MacroAssemblerMIPS.h:
2613         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
2614         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
2615         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
2616         Use fcsr to check if the value could be properly truncated.
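The truncation contract this entry describes, as an added example rather than WebKit code: a portable C model of the int32/uint32 truncation check that reports validity explicitly (the role the fcsr invalid-operation cause bit plays in the patch) instead of trusting a sentinel result value. The function and helper names are this example's own.

```c
#include <math.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not JavaScriptCore code.  Models what
 * branchTruncateDoubleToInt32()/branchTruncateDoubleToUInt32() need from
 * trunc.w.d: a reliable "was the input representable?" answer.  The entry
 * explains that the sentinel 0x7fffffff is not produced on every CPU (the
 * ci20 yields 0x80000000), so we report validity as a separate flag, which
 * is what reading the invalid-operation cause bit from fcsr achieves. */

/* Truncate toward zero into int32.  Returns false for NaN, +/-Infinity and
 * any value whose truncation falls outside [-2^31, 2^31 - 1]; *out is left
 * untouched in that case so a caller cannot mistake it for a valid result. */
bool truncate_double_to_int32(double value, int32_t *out)
{
    /* NaN fails both comparisons.  The open interval (-2^31 - 1, 2^31) is
     * exactly the set of doubles whose truncation fits in int32, e.g.
     * -2147483648.5 -> INT32_MIN and 2147483647.9 -> INT32_MAX both fit. */
    if (!(value > -2147483649.0 && value < 2147483648.0))
        return false;
    *out = (int32_t)value; /* defined behaviour: the integral part fits */
    return true;
}

/* Same contract for the unsigned variant: the valid range after truncation
 * is [0, 2^32 - 1], so -0.5 (integral part 0) is accepted, -1.0 is not. */
bool truncate_double_to_uint32(double value, uint32_t *out)
{
    if (!(value > -1.0 && value < 4294967296.0))
        return false;
    *out = (uint32_t)value;
    return true;
}

/* Why a sentinel-only check is fragile: 2147483647.0 is a legitimate input
 * whose correct result equals the sentinel 0x7fffffff.  A "result == sentinel
 * means invalid" rule cannot tell the two apart and must conservatively take
 * the slow path, whereas the explicit flag classifies it as valid. */
bool sentinel_is_ambiguous_for_int32_max(void)
{
    int32_t out = 0;
    bool valid = truncate_double_to_int32(2147483647.0, &out);
    bool sentinel_would_reject = (out == INT32_MAX);
    return valid && sentinel_would_reject;
}

/* Self-check helpers: true when the outcome matches the expectation
 * (validity flag, and the produced value whenever the input is valid). */
bool int32_case_matches(double value, bool expect_ok, int32_t expect_value)
{
    int32_t out = 0;
    bool ok = truncate_double_to_int32(value, &out);
    return ok == expect_ok && (!ok || out == expect_value);
}

bool uint32_case_matches(double value, bool expect_ok, uint32_t expect_value)
{
    uint32_t out = 0;
    bool ok = truncate_double_to_uint32(value, &out);
    return ok == expect_ok && (!ok || out == expect_value);
}

int main(void)
{
    /* Constructed sample inputs covering the edge cases the entry lists:
     * in-range values, both range boundaries, Infinity and NaN. */
    const double samples[] = { 42.9, -0.5, 2147483647.9, 2147483648.0,
                               -2147483648.5, -2147483649.0,
                               4294967295.5, INFINITY, -INFINITY, NAN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t s = 0;
        uint32_t u = 0;
        bool s_ok = truncate_double_to_int32(samples[i], &s);
        bool u_ok = truncate_double_to_uint32(samples[i], &u);
        printf("%20.3f  int32: %s %11d   uint32: %s %10u\n", samples[i],
               s_ok ? "ok     " : "invalid", s_ok ? s : 0,
               u_ok ? "ok     " : "invalid", u_ok ? u : 0u);
    }
    return 0;
}
```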
2617
2618 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
2619
2620         HTMLMediaElement should not use element fullscreen on iOS
2621         https://bugs.webkit.org/show_bug.cgi?id=179418
2622         rdar://problem/35409277
2623
2624         Reviewed by Eric Carlson.
2625
2626         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
2627
2628         * Configurations/FeatureDefines.xcconfig:
2629
2630 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2631
2632         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
2633         https://bugs.webkit.org/show_bug.cgi?id=179276
2634
2635         Reviewed by Andy Estes.
2636
2637         * inspector/InjectedScriptHost.h:
2638         * inspector/JSInjectedScriptHost.cpp:
2639         (Inspector::JSInjectedScriptHost::getInternalProperties):
2640         Call through to virtual implementation so that WebCore can provide custom
2641         internal properties for Web / DOM objects.
2642
2643 2017-11-08  Saam Barati  <sbarati@apple.com>
2644
2645         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
2646         https://bugs.webkit.org/show_bug.cgi?id=177792
2647
2648         Reviewed by Yusuke Suzuki.
2649
2650         Before this patch, if a JSFunction's rare data initialized its allocation profile
2651         before its backing Executable's poly proto watchpoint was invalidated, that
2652         JSFunction would continue to allocate non-poly proto objects until its allocation
2653         profile was cleared (which essentially never happens in practice). This patch
2654         improves on this pathology. A JSFunction's rare data will now watch the poly
2655         proto watchpoint if it's still valid and clear its allocation profile when we
2656         detect that we should go poly proto.
2657
2658         * bytecode/ObjectAllocationProfile.h:
2659         * bytecode/ObjectAllocationProfileInlines.h:
2660         (JSC::ObjectAllocationProfile::initializeProfile):
2661         * runtime/FunctionRareData.cpp:
2662         (JSC::FunctionRareData::initializeObjectAllocationProfile):
2663         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
2664         * runtime/FunctionRareData.h:
2665         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
2666         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
2667         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
2668
2669 2017-11-08  Keith Miller  <keith_miller@apple.com>
2670
2671         Add super sampler begin and end bytecodes.
2672         https://bugs.webkit.org/show_bug.cgi?id=179376
2673
2674         Reviewed by Filip Pizlo.
2675
2676         This patch adds a way to measure a narrow range of bytecodes for
2677         performance. This is done using the same infrastructure as the
2678         super sampler. I also added a class that helps do the bytecode
2679         checking with RAII. One problem with the current way this is done
2680         is that we don't handle decrementing early exits, either from
2681         branches or exceptions. So, when using this API users need to
2682         ensure that there are no early exits or that those exits don't
2683         occur on the measure code.
2684
2685         * JavaScriptCore.xcodeproj/project.pbxproj:
2686         * bytecode/BytecodeDumper.cpp:
2687         (JSC::BytecodeDumper<Block>::dumpBytecode):
2688         * bytecode/BytecodeList.json:
2689         * bytecode/BytecodeUseDef.h:
2690         (JSC::computeUsesForBytecodeOffset):
2691         (JSC::computeDefsForBytecodeOffset):
2692         * bytecompiler/BytecodeGenerator.cpp:
2693         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
2694         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
2695         * bytecompiler/BytecodeGenerator.h:
2696         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
2697         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
2698         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
2699         * dfg/DFGAbstractInterpreterInlines.h:
2700         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2701         * dfg/DFGByteCodeParser.cpp:
2702         (JSC::DFG::ByteCodeParser::parseBlock):
2703         * dfg/DFGClobberize.h:
2704         (JSC::DFG::clobberize):
2705         * dfg/DFGClobbersExitState.cpp:
2706         (JSC::DFG::clobbersExitState):
2707         * dfg/DFGDoesGC.cpp:
2708         (JSC::DFG::doesGC):
2709         * dfg/DFGFixupPhase.cpp:
2710         (JSC::DFG::FixupPhase::fixupNode):
2711         * dfg/DFGMayExit.cpp:
2712         * dfg/DFGNodeType.h:
2713         * dfg/DFGPredictionPropagationPhase.cpp:
2714         * dfg/DFGSafeToExecute.h:
2715         (JSC::DFG::safeToExecute):
2716         * dfg/DFGSpeculativeJIT.cpp:
2717         * dfg/DFGSpeculativeJIT32_64.cpp:
2718         (JSC::DFG::SpeculativeJIT::compile):
2719         * dfg/DFGSpeculativeJIT64.cpp:
2720         (JSC::DFG::SpeculativeJIT::compile):
2721         * ftl/FTLCapabilities.cpp:
2722         (JSC::FTL::canCompile):
2723         * ftl/FTLLowerDFGToB3.cpp:
2724         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2725         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
2726         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
2727         * jit/JIT.cpp:
2728         (JSC::JIT::privateCompileMainPass):
2729         * jit/JIT.h:
2730         * jit/JITOpcodes.cpp:
2731         (JSC::JIT::emit_op_super_sampler_begin):
2732         (JSC::JIT::emit_op_super_sampler_end):
2733         * llint/LLIntSlowPaths.cpp:
2734         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2735         * llint/LLIntSlowPaths.h:
2736         * llint/LowLevelInterpreter.asm:
2737
2738 2017-11-08  Robin Morisset  <rmorisset@apple.com>
2739
2740         Turn recursive tail calls into loops
2741         https://bugs.webkit.org/show_bug.cgi?id=176601
2742
2743         Reviewed by Saam Barati.
2744
2745         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
2746
2747         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
2748         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
2749         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
2750         We do this part through modifying the computation of the jump targets.
2751         Importantly, we only do this splitting for functions that have tail calls.
2752         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
2753
2754         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
2755         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
2756
2757         * bytecode/CodeBlock.h:
2758         (JSC::CodeBlock::hasTailCalls const):
2759         * bytecode/PreciseJumpTargets.cpp:
2760         (JSC::getJumpTargetsForBytecodeOffset):
2761         (JSC::computePreciseJumpTargetsInternal):
2762         * bytecode/UnlinkedCodeBlock.cpp:
2763         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2764         * bytecode/UnlinkedCodeBlock.h:
2765         (JSC::UnlinkedCodeBlock::hasTailCalls const):
2766         (JSC::UnlinkedCodeBlock::setHasTailCalls):
2767         * bytecompiler/BytecodeGenerator.cpp:
2768         (JSC::BytecodeGenerator::emitEnter):
2769         (JSC::BytecodeGenerator::emitCallInTailPosition):
2770         * dfg/DFGByteCodeParser.cpp:
2771         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2772         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
2773         (JSC::DFG::ByteCodeParser::handleCall):
2774         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2775         (JSC::DFG::ByteCodeParser::parseBlock):
2776         (JSC::DFG::ByteCodeParser::parse):
2777
2778 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
2779
2780         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
2781         https://bugs.webkit.org/show_bug.cgi?id=179407
2782
2783         Reviewed by Matt Baker.
2784
2785         * inspector/protocol/Page.json:
2786         Remove unused protocol type.
2787
2788 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
2789
2790         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
2791         https://bugs.webkit.org/show_bug.cgi?id=173619
2792
2793         Reviewed by Alex Christensen and Brian Burg.
2794
2795         Eventually all classes used for our JSON-RPC message passing should be outside
2796         of the Inspector namespace since the protocol is used outside of Inspector code.
2797         This will also allow us to unify the primitive JSON types with parametric types
2798         like Inspector::Protocol::Array<T> and other protocol-related types which don't
2799         need to be in the Inspector namespace.
2800
2801         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
2802         patches, other clients will move to use JSON::Value and friends. When all uses are
2803         changed, the actual implementation will be renamed. This patch just focuses on the typedef
2804         and making changes in generated protocol code.
2805
2806         Original patch by Brian Burg, rebased and updated by me.
2807
2808         * inspector/InspectorValues.cpp:
2809         * inspector/InspectorValues.h:
2810         * inspector/scripts/codegen/cpp_generator.py:
2811         (CppGenerator.cpp_protocol_type_for_type):
2812         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
2813         (CppGenerator.cpp_type_for_type_with_name):
2814         (CppGenerator.cpp_type_for_stack_in_parameter):
2815         * inspector/scripts/codegen/cpp_generator_templates.py:
2816         (void):
2817         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2818         (_generate_class_for_object_declaration):
2819         (_generate_forward_declarations_for_binding_traits):
2820         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2821         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
2822         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
2823         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2824         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2825         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2826         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2827         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2828         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2829         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2830         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2831         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2832         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2833         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2834         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2835         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2836         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2837
2838 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
2839
2840         Get rid of unsightly hex numbers from unified build object files
2841         https://bugs.webkit.org/show_bug.cgi?id=179410
2842
2843         Reviewed by Saam Barati.
2844
2845         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
2846
2847 2017-11-07  Saam Barati  <sbarati@apple.com>
2848
2849         Only cage double butterfly accesses
2850         https://bugs.webkit.org/show_bug.cgi?id=179202
2851
2852         Reviewed by Mark Lam.
2853
2854         This patch removes caging from all butterfly accesses except double loads/stores.
2855         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
2856         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
2857         by caging. The other load/stores we are no longer caging to get back performance on
2858         various benchmarks.
2859
2860         * bytecode/AccessCase.cpp:
2861         (JSC::AccessCase::generateImpl):
2862         * bytecode/InlineAccess.cpp:
2863         (JSC::InlineAccess::dumpCacheSizesAndCrash):
2864         (JSC::InlineAccess::generateSelfPropertyAccess):
2865         (JSC::InlineAccess::generateSelfPropertyReplace):
2866         (JSC::InlineAccess::generateArrayLength):
2867         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
2868         * dfg/DFGSpeculativeJIT.cpp:
2869         (JSC::DFG::SpeculativeJIT::compileCreateRest):
2870         (JSC::DFG::SpeculativeJIT::compileSpread):
2871         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2872         * dfg/DFGSpeculativeJIT64.cpp:
2873         (JSC::DFG::SpeculativeJIT::compile):
2874         * ftl/FTLLowerDFGToB3.cpp:
2875         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2876         * jit/JITPropertyAccess.cpp:
2877         (JSC::JIT::emitContiguousLoad):
2878         (JSC::JIT::emitArrayStorageLoad):
2879         (JSC::JIT::emitGenericContiguousPutByVal):
2880         (JSC::JIT::emitArrayStoragePutByVal):
2881         (JSC::JIT::emit_op_get_from_scope):
2882         (JSC::JIT::emit_op_put_to_scope):
2883         * llint/LowLevelInterpreter64.asm:
2884         * runtime/AuxiliaryBarrier.h:
2885         (JSC::AuxiliaryBarrier::operator-> const):
2886         * runtime/Butterfly.h:
2887         (JSC::Butterfly::caged):
2888         (JSC::Butterfly::contiguousDouble):
2889         * runtime/JSArray.cpp:
2890         (JSC::JSArray::setLength):
2891         (JSC::JSArray::pop):
2892         (JSC::JSArray::shiftCountWithAnyIndexingType):
2893         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2894         (JSC::JSArray::fillArgList):
2895         (JSC::JSArray::copyToArguments):
2896         * runtime/JSArrayInlines.h:
2897         (JSC::JSArray::pushInline):
2898         * runtime/JSObject.cpp:
2899         (JSC::JSObject::heapSnapshot):
2900         (JSC::JSObject::createInitialIndexedStorage):
2901         (JSC::JSObject::createArrayStorage):
2902         (JSC::JSObject::convertUndecidedToInt32):
2903         (JSC::JSObject::ensureLengthSlow):
2904         (JSC::JSObject::reallocateAndShrinkButterfly):
2905         (JSC::JSObject::allocateMoreOutOfLineStorage):
2906         * runtime/JSObject.h:
2907         (JSC::JSObject::canGetIndexQuickly):
2908         (JSC::JSObject::getIndexQuickly):
2909         (JSC::JSObject::tryGetIndexQuickly const):
2910         (JSC::JSObject::canSetIndexQuickly):
2911         (JSC::JSObject::butterfly const):
2912         (JSC::JSObject::butterfly):
2913
2914 2017-11-07  Mark Lam  <mark.lam@apple.com>
2915
2916         Introduce a default RegisterSet constructor so that we can use { } notation.
2917         https://bugs.webkit.org/show_bug.cgi?id=179389
2918
2919         Reviewed by Saam Barati.
2920
2921         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
2922         does not add any code documentation value.
2923
2924         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2925         * b3/air/AirCode.cpp:
2926         (JSC::B3::Air::Code::setRegsInPriorityOrder):
2927         * b3/air/AirPrintSpecial.cpp:
2928         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
2929         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
2930         * b3/air/testair.cpp:
2931         * bytecode/PolymorphicAccess.h:
2932         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2933         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
2934         * dfg/DFGJITCode.cpp:
2935         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2936         * ftl/FTLJITCode.cpp:
2937         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2938         * jit/JITCode.cpp:
2939         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2940         * jit/RegisterSet.cpp:
2941         (JSC::RegisterSet::reservedHardwareRegisters):
2942         (JSC::RegisterSet::runtimeRegisters):
2943         (JSC::RegisterSet::macroScratchRegisters):
2944         * jit/RegisterSet.h:
2945         (JSC::RegisterSet::RegisterSet):
2946         * wasm/WasmB3IRGenerator.cpp:
2947         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2948
2949 2017-11-07  Mark Lam  <mark.lam@apple.com>
2950
2951         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2952         https://bugs.webkit.org/show_bug.cgi?id=179355
2953         <rdar://problem/35263053>
2954
2955         Reviewed by Saam Barati.
2956
2957         In the Transition case in AccessCase::generateImpl(), we were restoring registers
2958         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
2959         where we previously stashed the reallocated butterfly.  If the generated code is
2960         under heavy register pressure, scratchGPR could have been from the set of preserved
2961         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
2962         As a result, the restoration would trash the butterfly result we stored there.
2963         This patch fixes the issue by excluding the scratchGPR in the restoration.
2964
2965         * bytecode/AccessCase.cpp:
2966         (JSC::AccessCase::generateImpl):
2967
2968 2017-11-06  Robin Morisset  <rmorisset@apple.com>
2969
2970         CodeBlock::usesOpcode() is dead code
2971         https://bugs.webkit.org/show_bug.cgi?id=179316
2972
2973         Reviewed by Yusuke Suzuki.
2974
2975         Remove CodeBlock::usesOpcode, which is dead code.
2976
2977         * bytecode/CodeBlock.cpp:
2978         * bytecode/CodeBlock.h:
2979
2980 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2981
2982         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2983         https://bugs.webkit.org/show_bug.cgi?id=144458
2984
2985         Reviewed by Saam Barati.
2986
2987         Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
2988         InternalFunction calls are not cached and they always go to the slow path. This is not good because
2989
2990         1. We need to query getCallData/getConstructData every time in the slow path.
2991         2. CallLinkInfo tells nothing in the higher tier JITs.
2992
2993         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
2994         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
2995         InternalFunction. And we return this code pointer as a result of the setup call to use the CallLinkInfo mechanism.
2996
2997         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
2998         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
2999         case that DFGByteCodeParser figures out an InternalFunction constant, we cannot attempt to emit DFG
3000         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
3001
3002         Attached microbenchmarks show performance improvement.
3003
3004                                                            baseline                  patched
3005
3006         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
3007         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
3008         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
3009         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
3010
3011         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3012
3013         * API/JSCallbackFunction.cpp:
3014         (JSC::JSCallbackFunction::JSCallbackFunction):
3015         (JSC::JSCallbackFunction::getCallData): Deleted.
3016         * API/JSCallbackFunction.h:
3017         (JSC::JSCallbackFunction::createStructure):
3018         * API/ObjCCallbackFunction.h:
3019         (JSC::ObjCCallbackFunction::createStructure):
3020         * API/ObjCCallbackFunction.mm:
3021         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
3022         (JSC::ObjCCallbackFunction::getCallData): Deleted.
3023         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
3024         * bytecode/BytecodeDumper.cpp:
3025         (JSC::BytecodeDumper<Block>::printCallOp):
3026         * bytecode/BytecodeList.json:
3027         * bytecode/CallLinkInfo.cpp:
3028         (JSC::CallLinkInfo::setCallee):
3029         (JSC::CallLinkInfo::callee):
3030         (JSC::CallLinkInfo::setLastSeenCallee):
3031         (JSC::CallLinkInfo::lastSeenCallee):
3032         (JSC::CallLinkInfo::visitWeak):
3033         * bytecode/CallLinkInfo.h:
3034         * bytecode/CallLinkStatus.cpp:
3035         (JSC::CallLinkStatus::computeFromCallLinkInfo):
3036         * bytecode/LLIntCallLinkInfo.h:
3037         * jit/JITOperations.cpp:
3038         * jit/JITThunks.cpp:
3039         (JSC::JITThunks::ctiInternalFunctionCall):
3040         (JSC::JITThunks::ctiInternalFunctionConstruct):
3041         * jit/JITThunks.h:
3042         * jit/Repatch.cpp:
3043         (JSC::linkFor):
3044         (JSC::linkPolymorphicCall):
3045         * jit/Repatch.h:
3046         * jit/ThunkGenerators.cpp:
3047         (JSC::virtualThunkFor):
3048         (JSC::nativeForGenerator):
3049         (JSC::nativeCallGenerator):
3050         (JSC::nativeTailCallGenerator):
3051         (JSC::nativeTailCallWithoutSavedTagsGenerator):
3052         (JSC::nativeConstructGenerator):
3053         (JSC::internalFunctionCallGenerator):
3054         (JSC::internalFunctionConstructGenerator):
3055         * jit/ThunkGenerators.h:
3056         * llint/LLIntSlowPaths.cpp:
3057         (JSC::LLInt::setUpCall):
3058         * llint/LowLevelInterpreter.asm:
3059         * llint/LowLevelInterpreter32_64.asm:
3060         * llint/LowLevelInterpreter64.asm:
3061         * runtime/ArrayConstructor.cpp:
3062         (JSC::ArrayConstructor::ArrayConstructor):
3063         (JSC::ArrayConstructor::getConstructData): Deleted.
3064         (JSC::ArrayConstructor::getCallData): Deleted.
3065         * runtime/ArrayConstructor.h:
3066         (JSC::ArrayConstructor::createStructure):
3067         * runtime/AsyncFunctionConstructor.cpp:
3068         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
3069         (JSC::AsyncFunctionConstructor::finishCreation):
3070         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
3071         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
3072         * runtime/AsyncFunctionConstructor.h:
3073         (JSC::AsyncFunctionConstructor::createStructure):
3074         * runtime/AsyncGeneratorFunctionConstructor.cpp:
3075         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
3076         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
3077         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
3078         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
3079         * runtime/AsyncGeneratorFunctionConstructor.h:
3080         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
3081         * runtime/BooleanConstructor.cpp:
3082         (JSC::callBooleanConstructor):
3083         (JSC::BooleanConstructor::BooleanConstructor):
3084         (JSC::BooleanConstructor::finishCreation):
3085         (JSC::BooleanConstructor::getConstructData): Deleted.
3086         (JSC::BooleanConstructor::getCallData): Deleted.
3087         * runtime/BooleanConstructor.h:
3088         (JSC::BooleanConstructor::createStructure):
3089         * runtime/DateConstructor.cpp:
3090         (JSC::DateConstructor::DateConstructor):
3091         (JSC::DateConstructor::getConstructData): Deleted.
3092         (JSC::DateConstructor::getCallData): Deleted.
3093         * runtime/DateConstructor.h:
3094         (JSC::DateConstructor::createStructure):
3095         * runtime/Error.h:
3096         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
3097         (JSC::StrictModeTypeErrorFunction::createStructure):
3098         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
3099         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
3100         * runtime/ErrorConstructor.cpp:
3101         (JSC::ErrorConstructor::ErrorConstructor):
3102         (JSC::ErrorConstructor::getConstructData): Deleted.
3103         (JSC::ErrorConstructor::getCallData): Deleted.
3104         * runtime/ErrorConstructor.h:
3105         (JSC::ErrorConstructor::createStructure):
3106         * runtime/FunctionConstructor.cpp:
3107         (JSC::FunctionConstructor::FunctionConstructor):
3108         (JSC::FunctionConstructor::finishCreation):
3109         (JSC::FunctionConstructor::getConstructData): Deleted.
3110         (JSC::FunctionConstructor::getCallData): Deleted.
3111         * runtime/FunctionConstructor.h:
3112         (JSC::FunctionConstructor::createStructure):
3113         * runtime/FunctionPrototype.cpp:
3114         (JSC::callFunctionPrototype):
3115         (JSC::FunctionPrototype::FunctionPrototype):
3116         (JSC::FunctionPrototype::getCallData): Deleted.
3117         * runtime/FunctionPrototype.h:
3118         (JSC::FunctionPrototype::createStructure):
3119         * runtime/GeneratorFunctionConstructor.cpp:
3120         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
3121         (JSC::GeneratorFunctionConstructor::finishCreation):
3122         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
3123         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
3124         * runtime/GeneratorFunctionConstructor.h:
3125         (JSC::GeneratorFunctionConstructor::createStructure):
3126         * runtime/InternalFunction.cpp:
3127         (JSC::InternalFunction::InternalFunction):
3128         (JSC::InternalFunction::finishCreation):
3129         (JSC::InternalFunction::getCallData):
3130         (JSC::InternalFunction::getConstructData):
3131         * runtime/InternalFunction.h:
3132         (JSC::InternalFunction::createStructure):
3133         (JSC::InternalFunction::nativeFunctionFor):
3134         (JSC::InternalFunction::offsetOfNativeFunctionFor):
3135         * runtime/IntlCollatorConstructor.cpp:
3136         (JSC::IntlCollatorConstructor::createStructure):
3137         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
3138         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
3139         (JSC::IntlCollatorConstructor::getCallData): Deleted.
3140         * runtime/IntlCollatorConstructor.h:
3141         * runtime/IntlDateTimeFormatConstructor.cpp:
3142         (JSC::IntlDateTimeFormatConstructor::createStructure):
3143         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
3144         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
3145         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
3146         * runtime/IntlDateTimeFormatConstructor.h:
3147         * runtime/IntlNumberFormatConstructor.cpp:
3148         (JSC::IntlNumberFormatConstructor::createStructure):
3149         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
3150         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
3151         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
3152         * runtime/IntlNumberFormatConstructor.h:
3153         * runtime/JSArrayBufferConstructor.cpp:
3154         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
3155         (JSC::JSArrayBufferConstructor::createStructure):
3156         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
3157         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
3158         * runtime/JSArrayBufferConstructor.h:
3159         * runtime/JSGenericTypedArrayViewConstructor.h:
3160         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3161         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
3162         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
3163         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
3164         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
3165         * runtime/JSInternalPromiseConstructor.cpp:
3166         (JSC::JSInternalPromiseConstructor::createStructure):
3167         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
3168         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
3169         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
3170         * runtime/JSInternalPromiseConstructor.h:
3171         * runtime/JSPromiseConstructor.cpp:
3172         (JSC::JSPromiseConstructor::createStructure):
3173         (JSC::JSPromiseConstructor::JSPromiseConstructor):
3174         (JSC::JSPromiseConstructor::getConstructData): Deleted.
3175         (JSC::JSPromiseConstructor::getCallData): Deleted.
3176         * runtime/JSPromiseConstructor.h:
3177         * runtime/JSType.h:
3178         * runtime/JSTypedArrayViewConstructor.cpp:
3179         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
3180         (JSC::JSTypedArrayViewConstructor::createStructure):
3181         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
3182         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
3183         * runtime/JSTypedArrayViewConstructor.h:
3184         * runtime/MapConstructor.cpp:
3185         (JSC::MapConstructor::MapConstructor):
3186         (JSC::MapConstructor::getConstructData): Deleted.
3187         (JSC::MapConstructor::getCallData): Deleted.
3188         * runtime/MapConstructor.h:
3189         (JSC::MapConstructor::createStructure):
3190         (JSC::MapConstructor::MapConstructor): Deleted.
3191         * runtime/NativeErrorConstructor.cpp:
3192         (JSC::NativeErrorConstructor::NativeErrorConstructor):
3193         (JSC::NativeErrorConstructor::getConstructData): Deleted.
3194         (JSC::NativeErrorConstructor::getCallData): Deleted.
3195         * runtime/NativeErrorConstructor.h:
3196         (JSC::NativeErrorConstructor::createStructure):
3197         * runtime/NullGetterFunction.cpp:
3198         (JSC::NullGetterFunction::NullGetterFunction):
3199         (JSC::NullGetterFunction::getCallData): Deleted.
3200         (JSC::NullGetterFunction::getConstructData): Deleted.
3201         * runtime/NullGetterFunction.h:
3202         (JSC::NullGetterFunction::createStructure):
3203         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
3204         * runtime/NullSetterFunction.cpp:
3205         (JSC::NullSetterFunction::NullSetterFunction):
3206         (JSC::NullSetterFunction::getCallData): Deleted.
3207         (JSC::NullSetterFunction::getConstructData): Deleted.
3208         * runtime/NullSetterFunction.h:
3209         (JSC::NullSetterFunction::createStructure):
3210         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
3211         * runtime/NumberConstructor.cpp:
3212         (JSC::NumberConstructor::NumberConstructor):
3213         (JSC::constructNumberConstructor):
3214         (JSC::constructWithNumberConstructor): Deleted.
3215         (JSC::NumberConstructor::getConstructData): Deleted.
3216         (JSC::NumberConstructor::getCallData): Deleted.
3217         * runtime/NumberConstructor.h:
3218         (JSC::NumberConstructor::createStructure):
3219         * runtime/ObjectConstructor.cpp:
3220         (JSC::ObjectConstructor::ObjectConstructor):
3221         (JSC::ObjectConstructor::getConstructData): Deleted.
3222         (JSC::ObjectConstructor::getCallData): Deleted.
3223         * runtime/ObjectConstructor.h:
3224         (JSC::ObjectConstructor::createStructure):
3225         * runtime/ProxyConstructor.cpp:
3226         (JSC::ProxyConstructor::ProxyConstructor):
3227         (JSC::ProxyConstructor::getConstructData): Deleted.
3228         (JSC::ProxyConstructor::getCallData): Deleted.
3229         * runtime/ProxyConstructor.h:
3230         (JSC::ProxyConstructor::createStructure):
3231         * runtime/ProxyRevoke.cpp:
3232         (JSC::ProxyRevoke::ProxyRevoke):
3233         (JSC::ProxyRevoke::getCallData): Deleted.
3234         * runtime/ProxyRevoke.h:
3235         (JSC::ProxyRevoke::createStructure):
3236         * runtime/RegExpConstructor.cpp:
3237         (JSC::RegExpConstructor::RegExpConstructor):
3238         (JSC::RegExpConstructor::getConstructData): Deleted.
3239         (JSC::RegExpConstructor::getCallData): Deleted.
3240         * runtime/RegExpConstructor.h:
3241         (JSC::RegExpConstructor::createStructure):
3242         * runtime/SetConstructor.cpp:
3243         (JSC::SetConstructor::SetConstructor):
3244         (JSC::SetConstructor::getConstructData): Deleted.
3245         (JSC::SetConstructor::getCallData): Deleted.
3246         * runtime/SetConstructor.h:
3247         (JSC::SetConstructor::createStructure):
3248         (JSC::SetConstructor::SetConstructor): Deleted.
3249         * runtime/StringConstructor.cpp:
3250         (JSC::StringConstructor::StringConstructor):
3251         (JSC::StringConstructor::getConstructData): Deleted.
3252         (JSC::StringConstructor::getCallData): Deleted.
3253         * runtime/StringConstructor.h:
3254         (JSC::StringConstructor::createStructure):
3255         * runtime/SymbolConstructor.cpp:
3256         (JSC::SymbolConstructor::SymbolConstructor):
3257         (JSC::SymbolConstructor::getConstructData): Deleted.
3258         (JSC::SymbolConstructor::getCallData): Deleted.
3259         * runtime/SymbolConstructor.h:
3260         (JSC::SymbolConstructor::createStructure):
3261         * runtime/VM.cpp:
3262         (JSC::VM::VM):
3263         (JSC::VM::getCTIInternalFunctionTrampolineFor):
3264         * runtime/VM.h:
3265         * runtime/WeakMapConstructor.cpp:
3266         (JSC::WeakMapConstructor::WeakMapConstructor):
3267         (JSC::WeakMapConstructor::getConstructData): Deleted.
3268         (JSC::WeakMapConstructor::getCallData): Deleted.
3269         * runtime/WeakMapConstructor.h:
3270         (JSC::WeakMapConstructor::createStructure):
3271         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
3272         * runtime/WeakSetConstructor.cpp:
3273         (JSC::WeakSetConstructor::WeakSetConstructor):
3274         (JSC::WeakSetConstructor::getConstructData): Deleted.
3275         (JSC::WeakSetConstructor::getCallData): Deleted.
3276         * runtime/WeakSetConstructor.h:
3277         (JSC::WeakSetConstructor::createStructure):
3278         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
3279         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3280         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
3281         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
3282         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
3283         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
3284         * wasm/js/WebAssemblyCompileErrorConstructor.h:
3285         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3286         (JSC::WebAssemblyInstanceConstructor::createStructure):
3287         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
3288         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
3289         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
3290         * wasm/js/WebAssemblyInstanceConstructor.h:
3291         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3292         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
3293         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
3294         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
3295         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
3296         * wasm/js/WebAssemblyLinkErrorConstructor.h:
3297         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3298         (JSC::WebAssemblyMemoryConstructor::createStructure):
3299         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
3300         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
3301         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
3302         * wasm/js/WebAssemblyMemoryConstructor.h:
3303         * wasm/js/WebAssemblyModuleConstructor.cpp:
3304         (JSC::WebAssemblyModuleConstructor::createStructure):
3305         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
3306         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
3307         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
3308         * wasm/js/WebAssemblyModuleConstructor.h:
3309         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3310         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
3311         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
3312         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
3313         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
3314         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
3315         * wasm/js/WebAssemblyTableConstructor.cpp:
3316         (JSC::WebAssemblyTableConstructor::createStructure):
3317         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
3318         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
3319         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
3320         * wasm/js/WebAssemblyTableConstructor.h:
3321
3322 2017-11-03  Michael Saboff  <msaboff@apple.com>
3323
3324         The Abstract Interpreter needs to change similar to clobberize() in r224366
3325         https://bugs.webkit.org/show_bug.cgi?id=179267
3326
3327         Reviewed by Saam Barati.
3328
3329         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
3330         cases in the abstract interpreter to match what was done for r224366.
3331
3332         * dfg/DFGAbstractInterpreterInlines.h:
3333         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3334
3335 2017-11-03  Keith Miller  <keith_miller@apple.com>
3336
3337         PutPropertySlot should inform the IC about the property before effects.
3338         https://bugs.webkit.org/show_bug.cgi?id=179262
3339
3340         Reviewed by Mark Lam.
3341
3342         This patch fixes an issue where we choose to cache setters based on
3343         incorrect information. If we did so we might end up OSR exiting
3344         more than we would otherwise need to. The new model is that the
3345         PutPropertySlot should inform the IC of what the property looked
3346         like before any potential side effects might have occurred.
3347
3348         * runtime/JSObject.cpp:
3349         (JSC::JSObject::putInlineSlow):
3350         * runtime/Lookup.h:
3351         (JSC::putEntry):
3352
3353 2017-11-03  Mark Lam  <mark.lam@apple.com>
3354
3355         CachedCall (and its clients) needs overflow checks.
3356         https://bugs.webkit.org/show_bug.cgi?id=179185
3357
3358         Reviewed by JF Bastien.
3359
3360         * interpreter/CachedCall.h:
3361         (JSC::CachedCall::CachedCall):
3362         (JSC::CachedCall::hasOverflowedArguments):
3363         * runtime/ArgList.h:
3364         (JSC::MarkedArgumentBuffer::clear):
3365         * runtime/StringPrototype.cpp:
3366         (JSC::replaceUsingRegExpSearch):
3367
3368 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
3369
3370         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
3371         https://bugs.webkit.org/show_bug.cgi?id=178302
3372         <rdar://problem/33158849>
3373
3374         Reviewed by Brian Burg.
3375
3376         * inspector/protocol/Recording.json:
3377         Add `duration` to each Frame that represents the total time of all the recorded actions.
3378
3379 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
3380
3381         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
3382         https://bugs.webkit.org/show_bug.cgi?id=179070
3383         <rdar://problem/35278276>
3384
3385         Reviewed by Brian Burg.
3386
3387         * inspector/protocol/Canvas.json:
3388         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
3389         different string on a WebGL context.
3390
3391 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
3392
3393         Make ServiceWorker a Remote Inspector debuggable target
3394         https://bugs.webkit.org/show_bug.cgi?id=179043
3395         <rdar://problem/34126008>
3396
3397         Reviewed by Brian Burg.
3398
3399         * inspector/remote/RemoteControllableTarget.h:
3400         * inspector/remote/RemoteInspectionTarget.h:
3401         * inspector/remote/RemoteInspectorConstants.h:
3402         Include a new ServiceWorker remote inspector target type.
3403
3404         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3405         (Inspector::RemoteInspector::listingForInspectionTarget const):
3406         Implement listing for a ServiceWorker to include a URL like a page.
3407
3408         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3409         (Inspector::RemoteInspector::listingForInspectionTarget const):
3410         Bail for ServiceWorker support in glib. They will need to implement their support.
3411
3412 2017-11-02  Michael Saboff  <msaboff@apple.com>
3413
3414         DFG needs to handle code motion of code in for..in loop bodies
3415         https://bugs.webkit.org/show_bug.cgi?id=179212
3416
3417         Reviewed by Keith Miller.
3418
3419         The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
3420         make calls with side effects.  Updated clobberize() for those nodes to take that into account.
3421
3422         * dfg/DFGClobberize.h:
3423         (JSC::DFG::clobberize):
3424
3425 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
3426
3427         Inspector should display service worker served responses properly
3428         https://bugs.webkit.org/show_bug.cgi?id=178597
3429         <rdar://problem/35186111>
3430
3431         Reviewed by Brian Burg.
3432
3433         * inspector/protocol/Network.json:
3434         Expose a new "service-worker" response source.
3435
3436 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
3437
3438         AI does not correctly model the clobber case of ArithClz32
3439         https://bugs.webkit.org/show_bug.cgi?id=179188
3440
3441         Reviewed by Michael Saboff.
3442
3443         The non-Int32 case clobbers the world because it may call valueOf.
3444
3445         * dfg/DFGAbstractInterpreterInlines.h:
3446         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3447
3448 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3449
3450         Unreviewed, release throw scope
3451         https://bugs.webkit.org/show_bug.cgi?id=178726
3452
3453         * dfg/DFGOperations.cpp:
3454
3455 2017-11-02  Frederic Wang  <fwang@igalia.com>
3456
3457         Add references to bug 179167 in FIXME comments
3458         https://bugs.webkit.org/show_bug.cgi?id=179168
3459
3460         Reviewed by Daniel Bates.
3461
3462         * Configurations/FeatureDefines.xcconfig:
3463
3464 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
3465
3466         Implement WKFullscreenWindowController for iOS.
3467         https://bugs.webkit.org/show_bug.cgi?id=178924
3468         rdar://problem/34697120
3469
3470         Reviewed by Simon Fraser.
3471
3472         Enable ENABLE_FULLSCREEN_API for iOS.
3473
3474         * Configurations/FeatureDefines.xcconfig:
3475
3476 2017-11-01  Mark Lam  <mark.lam@apple.com>
3477
3478         Add support to throw OOM if MarkedArgumentBuffer may overflow.
3479         https://bugs.webkit.org/show_bug.cgi?id=179092
3480         <rdar://problem/35116160>
3481
3482         Reviewed by Saam Barati.
3483
3484         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
3485         time, which renders it unsuitable for automated tests.  Instead, I've run a
3486         test manually to verify that an OutOfMemoryError will be thrown when an overflow
3487         occurs.
3488
3489         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
3490         checked for an overflow after invoking methods that may result in an overflow, i.e.
3491         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
3492         This is only done on debug builds.
3493
3494         * API/JSObjectRef.cpp:
3495         (JSObjectMakeFunction):
3496         (JSObjectMakeArray):
3497         (JSObjectMakeDate):
3498         (JSObjectMakeRegExp):
3499         (JSObjectCallAsFunction):
3500         (JSObjectCallAsConstructor):
3501         * dfg/DFGOperations.cpp:
3502         * inspector/InjectedScriptManager.cpp:
3503         (Inspector::InjectedScriptManager::createInjectedScript):
3504         * inspector/JSJavaScriptCallFrame.cpp:
3505         (Inspector::JSJavaScriptCallFrame::scopeChain const):
3506         * interpreter/Interpreter.cpp:
3507         (JSC::Interpreter::executeProgram):
3508         * jsc.cpp:
3509         (functionDollarAgentReceiveBroadcast):
3510         * runtime/ArgList.cpp:
3511         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
3512         (JSC::MarkedArgumentBuffer::expandCapacity):
3513         (JSC::MarkedArgumentBuffer::slowAppend):
3514         * runtime/ArgList.h:
3515         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
3516         (JSC::MarkedArgumentBuffer::appendWithAction):
3517         (JSC::MarkedArgumentBuffer::append):
3518         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
3519         (JSC::MarkedArgumentBuffer::hasOverflowed):
3520         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
3521         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
3522         * runtime/ArrayPrototype.cpp:
3523         * runtime/CommonSlowPaths.cpp:
3524         (JSC::SLOW_PATH_DECL):
3525         * runtime/GetterSetter.cpp:
3526         (JSC::callSetter):
3527         * runtime/IteratorOperations.cpp:
3528         (JSC::iteratorNext):
3529         (JSC::iteratorClose):
3530         * runtime/JSBoundFunction.cpp:
3531         (JSC::boundThisNoArgsFunctionCall):
3532         (JSC::boundFunctionCall):
3533         (JSC::boundThisNoArgsFunctionConstruct):
3534         (JSC::boundFunctionConstruct):
3535         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
3536         (JSC::constructGenericTypedArrayViewFromIterator):
3537         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3538         (JSC::genericTypedArrayViewProtoFuncSlice):
3539         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
3540         * runtime/JSGlobalObject.cpp:
3541         (JSC::JSGlobalObject::haveABadTime):
3542         * runtime/JSInternalPromise.cpp:
3543         (JSC::JSInternalPromise::then):
3544         * runtime/JSJob.cpp:
3545         (JSC::JSJobMicrotask::run):
3546         * runtime/JSMapIterator.cpp:
3547         (JSC::JSMapIterator::createPair):
3548         * runtime/JSModuleLoader.cpp:
3549         (JSC::JSModuleLoader::provideFetch):
3550         (JSC::JSModuleLoader::loadAndEvaluateModule):
3551         (JSC::JSModuleLoader::loadModule):
3552         (JSC::JSModuleLoader::linkAndEvaluateModule):
3553         (JSC::JSModuleLoader::requestImportModule):
3554         * runtime/JSONObject.cpp:
3555         (JSC::Stringifier::toJSONImpl):
3556         (JSC::Stringifier::appendStringifiedValue):
3557         (JSC::Walker::callReviver):
3558         * runtime/JSObject.cpp:
3559         (JSC::ordinarySetSlow):
3560         (JSC::callToPrimitiveFunction):
3561         (JSC::JSObject::hasInstance):
3562         * runtime/JSPromise.cpp:
3563         (JSC::JSPromise::initialize):
3564         (JSC::JSPromise::resolve):
3565         * runtime/JSPromiseDeferred.cpp:
3566         (JSC::newPromiseCapability):
3567         (JSC::callFunction):
3568         * runtime/JSSetIterator.cpp:
3569         (JSC::JSSetIterator::createPair):
3570         * runtime/LiteralParser.cpp:
3571         (JSC::LiteralParser<CharType>::parse):
3572         * runtime/MapConstructor.cpp:
3573         (JSC::constructMap):
3574         * runtime/ObjectConstructor.cpp:
3575         (JSC::defineProperties):
3576         * runtime/ProxyObject.cpp:
3577         (JSC::performProxyGet):
3578         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3579         (JSC::ProxyObject::performHasProperty):
3580         (JSC::ProxyObject::performPut):
3581         (JSC::performProxyCall):
3582         (JSC::performProxyConstruct):
3583         (JSC::ProxyObject::performDelete):
3584         (JSC::ProxyObject::performPreventExtensions):
3585         (JSC::ProxyObject::performIsExtensible):
3586         (JSC::ProxyObject::performDefineOwnProperty):
3587         (JSC::ProxyObject::performGetOwnPropertyNames):
3588         (JSC::ProxyObject::performSetPrototype):
3589         (JSC::ProxyObject::performGetPrototype):
3590         * runtime/ReflectObject.cpp:
3591         (JSC::reflectObjectConstruct):
3592         * runtime/SetConstructor.cpp:
3593         (JSC::constructSet):
3594         * runtime/StringPrototype.cpp:
3595         (JSC::replaceUsingRegExpSearch):
3596         (JSC::replaceUsingStringSearch):
3597         * runtime/WeakMapConstructor.cpp:
3598         (JSC::constructWeakMap):
3599         * runtime/WeakSetConstructor.cpp:
3600         (JSC::constructWeakSet):
3601         * wasm/js/WasmToJS.cpp:
3602         (JSC::Wasm::wasmToJS):
3603
3604 2017-11-01  Michael Saboff  <msaboff@apple.com>
3605
3606         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
3607         https://bugs.webkit.org/show_bug.cgi?id=179140
3608
3609         Reviewed by Saam Barati.
3610
3611         Added overflow checks to computation of arg count plus this.
3612
3613         * dfg/DFGSpeculativeJIT32_64.cpp:
3614         (JSC::DFG::SpeculativeJIT::compile):
3615         * dfg/DFGSpeculativeJIT64.cpp:
3616         (JSC::DFG::SpeculativeJIT::compile):
3617         * ftl/FTLLowerDFGToB3.cpp:
3618         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
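
        As an added illustration (not JavaScriptCore's own code), the overflow contract described in the MarkedArgumentBuffer entry above, together with the checked "argument count plus this" computation from this LoadVarargs entry, modelled on a minimal buffer; ArgumentBuffer, kMaxSize, appendArguments and argumentCountIncludingThis are hypothetical names, and the real capacity limit is not stated on this page.

```cpp
// Added illustration, not JavaScriptCore code: a minimal argument buffer that
// models the overflow contract described in the MarkedArgumentBuffer entry
// (append may overflow; the owner must consult hasOverflowed() before the
// buffer dies), plus the checked "argument count plus this" computation from
// the LoadVarargs entry. All names here are hypothetical.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <vector>

class ArgumentBuffer {
public:
    // Hypothetical cap on stored arguments; the real limit is not on this page.
    static constexpr size_t kMaxSize = static_cast<size_t>(1) << 16;

    ArgumentBuffer() = default;

    ~ArgumentBuffer()
    {
        // Debug-only contract check: once an overflow-capable method ran, the
        // owner must have called hasOverflowed() before destruction. In a
        // release build (NDEBUG) this compiles away, as the entry describes.
        assert(!m_needsOverflowCheck && "client never checked hasOverflowed()");
    }

    // Appends one value. On overflow the buffer is left unchanged and a sticky
    // overflow state is recorded instead of silently dropping or wrapping.
    void append(uint64_t value)
    {
        m_needsOverflowCheck = true;
        if (m_overflowed)
            return;
        if (m_values.size() >= kMaxSize) {
            m_overflowed = true;
            return;
        }
        m_values.push_back(value);
    }

    // Reports overflow and records that the client performed the check.
    bool hasOverflowed()
    {
        m_needsOverflowCheck = false;
        return m_overflowed;
    }

    size_t size() const { return m_values.size(); }

private:
    std::vector<uint64_t> m_values;
    bool m_overflowed = false;
    bool m_needsOverflowCheck = false;
};

// Models a client: appends `count` arguments, then checks for overflow before
// using the buffer. Returns the stored count, or -1 where the real code would
// throw OutOfMemoryError.
long appendArguments(size_t count)
{
    ArgumentBuffer args;
    for (size_t i = 0; i < count; ++i)
        args.append(static_cast<uint64_t>(i));
    if (args.hasOverflowed())
        return -1;
    return static_cast<long>(args.size());
}

// Checked "argument count plus this" for a 32-bit count: returns false
// instead of wrapping to a negative value when the increment overflows.
bool argumentCountIncludingThis(int32_t argumentCount, int32_t& result)
{
    if (argumentCount < 0 || argumentCount == std::numeric_limits<int32_t>::max())
        return false;
    result = argumentCount + 1;
    return true;
}

int main()
{
    std::printf("10 args -> %ld\n", appendArguments(10));
    std::printf("overflowing -> %ld\n", appendArguments(ArgumentBuffer::kMaxSize + 1));
    int32_t count = 0;
    bool ok = argumentCountIncludingThis(std::numeric_limits<int32_t>::max(), count);
    std::printf("INT32_MAX + this -> %s\n", ok ? "ok" : "overflow rejected");
    return 0;
}
```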
3619
3620 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3621
3622         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
3623         https://bugs.webkit.org/show_bug.cgi?id=178934
3624
3625         * ftl/FTLLowerDFGToB3.cpp:
3626         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
3627
3628 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3629
3630         [JSC] Introduce @toObject
3631         https://bugs.webkit.org/show_bug.cgi?id=178726
3632
3633         Reviewed by Saam Barati.
3634
3635         This patch introduces the @toObject intrinsic, along with an op_to_object bytecode and a DFG ToObject node.
3636         Previously we emulated @toObject behavior in builtin JS. But it consumes much bytecode size while @toObject
3637         is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
3638         ObjectConstructor in LLInt and Baseline.
3639
3640         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
3641         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
3642
3643             if (this === @undefined || this === null)
3644                 @throwTypeError("error message");
3645             var object = @Object(this);
3646
3647         with
3648
3649             var object = @toObject(this, "error message");
3650
3651         And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
3652         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
3653         In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
3654
3655         It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.
3656
3657         * builtins/ArrayConstructor.js:
3658         (from):
3659         * builtins/ArrayPrototype.js:
3660         (values):
3661         (keys):
3662         (entries):
3663         (reduce):
3664         (reduceRight):
3665         (every):
3666         (forEach):
3667         (filter):
3668         (map):
3669         (some):
3670         (fill):
3671         (find):
3672         (findIndex):
3673         (includes):
3674         (sort):
3675         (globalPrivate.concatSlowPath):
3676         (copyWithin):
3677         * builtins/DatePrototype.js:
3678         (toLocaleString.toDateTimeOptionsAnyAll):
3679         (toLocaleString):
3680         (toLocaleDateString.toDateTimeOptionsDateDate):
3681         (toLocaleDateString):
3682         (toLocaleTimeString.toDateTimeOptionsTimeTime):
3683         (toLocaleTimeString):
3684         * builtins/GlobalOperations.js:
3685         (globalPrivate.copyDataProperties):
3686         (globalPrivate.copyDataPropertiesNoExclusions):
3687         * builtins/ObjectConstructor.js:
3688         (entries):
3689         * builtins/StringConstructor.js:
3690         (raw):
3691         * builtins/TypedArrayConstructor.js:
3692         (from):
3693         * builtins/TypedArrayPrototype.js:
3694         (map):
3695         (filter):
3696         * bytecode/BytecodeDumper.cpp:
3697         (JSC::BytecodeDumper<Block>::dumpBytecode):
3698         * bytecode/BytecodeIntrinsicRegistry.h:
3699         * bytecode/BytecodeList.json:
3700         * bytecode/BytecodeUseDef.h:
3701         (JSC::computeUsesForBytecodeOffset):
3702         (JSC::computeDefsForBytecodeOffset):
3703         * bytecode/CodeBlock.cpp:
3704         (JSC::CodeBlock::finishCreation):
3705         * bytecompiler/BytecodeGenerator.cpp:
3706         (JSC::BytecodeGenerator::emitToObject):
3707         * bytecompiler/BytecodeGenerator.h:
3708         * bytecompiler/NodesCodegen.cpp:
3709         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
3710         * dfg/DFGAbstractInterpreterInlines.h:
3711         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3712         * dfg/DFGByteCodeParser.cpp:
3713         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
3714         (JSC::DFG::ByteCodeParser::parseBlock):
3715         * dfg/DFGCapabilities.cpp:
3716         (JSC::DFG::capabilityLevel):
3717         * dfg/DFGClobberize.h:
3718         (JSC::DFG::clobberize):
3719         * dfg/DFGDoesGC.cpp:
3720         (JSC::DFG::doesGC):
3721         * dfg/DFGFixupPhase.cpp:
3722         (JSC::DFG::FixupPhase::fixupNode):
3723         (JSC::DFG::FixupPhase::fixupToObject):
3724         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
3725         * dfg/DFGNode.h:
3726         (JSC::DFG::Node::convertToCallObjectConstructor):
3727         (JSC::DFG::Node::convertToNewStringObject):
3728         (JSC::DFG::Node::convertToNewObject):
3729         (JSC::DFG::Node::hasIdentifier):
3730         (JSC::DFG::Node::hasHeapPrediction):
3731         (JSC::DFG::Node::hasCellOperand):
3732         * dfg/DFGNodeType.h:
3733         * dfg/DFGOperations.cpp:
3734         * dfg/DFGOperations.h:
3735         * dfg/DFGPredictionPropagationPhase.cpp:
3736         * dfg/DFGSafeToExecute.h:
3737         (JSC::DFG::safeToExecute):
3738         * dfg/DFGSpeculativeJIT.cpp:
3739         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
3740         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
3741         * dfg/DFGSpeculativeJIT.h:
3742         (JSC::DFG::SpeculativeJIT::callOperation):
3743         * dfg/DFGSpeculativeJIT32_64.cpp:
3744         (JSC::DFG::SpeculativeJIT::compile):
3745         * dfg/DFGSpeculativeJIT64.cpp:
3746         (JSC::DFG::SpeculativeJIT::compile):
3747         * ftl/FTLCapabilities.cpp:
3748         (JSC::FTL::canCompile):
3749         * ftl/FTLLowerDFGToB3.cpp:
3750         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3751         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
3752         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
3753         * jit/JIT.cpp:
3754         (JSC::JIT::privateCompileMainPass):
3755         (JSC::JIT::privateCompileSlowCases):
3756         * jit/JIT.h:
3757         * jit/JITOpcodes.cpp:
3758         (JSC::JIT::emit_op_to_object):
3759         (JSC::JIT::emitSlow_op_to_object):
3760         * jit/JITOpcodes32_64.cpp:
3761         (JSC::JIT::emit_op_to_object):
3762         (JSC::JIT::emitSlow_op_to_object):
3763         * jit/JITOperations.cpp:
3764         * jit/JITOperations.h:
3765         * llint/LowLevelInterpreter32_64.asm:
3766         * llint/LowLevelInterpreter64.asm:
3767         * runtime/CommonSlowPaths.cpp:
3768         (JSC::SLOW_PATH_DECL):
3769         * runtime/CommonSlowPaths.h:
3770
3771 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
3772
3773         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
3774         https://bugs.webkit.org/show_bug.cgi?id=174979
3775
3776         Reviewed by Yusuke Suzuki.
3777
3778         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
3779
3780 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3781
3782         [DFG][FTL] Introduce StringSlice
3783         https://bugs.webkit.org/show_bug.cgi?id=178934
3784
3785         Reviewed by Saam Barati.
3786
3787         String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
3788         This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
3789
3790         This patch's StringSlice node optimizes the following things.
3791
3792         1. Empty string generation is accelerated. It is fully executed inline.
3793         2. One char string generation is accelerated. Only `< 0x100` characters are supported right now.
3794         This is the same as the charAt acceleration.
3795         3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
3796         operation.
3797
3798         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
3799         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
3800         in subsequent changes.
3801
3802         This patch improves ARES-6/Babylon performance by 3% in steady state.
3803
3804         Baseline:
3805             Running... Babylon ( 1  to go)
3806             firstIteration:     50.05 +- 13.68 ms
3807             averageWorstCase:   16.80 +- 1.27 ms
3808             steadyState:        7.53 +- 0.22 ms
3809
3810         Patched:
3811             Running... Babylon ( 1  to go)
3812             firstIteration:     50.91 +- 13.41 ms
3813             averageWorstCase:   16.12 +- 0.99 ms
3814             steadyState:        7.30 +- 0.29 ms
3815
3816         * dfg/DFGAbstractInterpreterInlines.h:
3817         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3818         * dfg/DFGBackwardsPropagationPhase.cpp:
3819         (JSC::DFG::BackwardsPropagationPhase::propagate):
3820         * dfg/DFGByteCodeParser.cpp:
3821         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3822         * dfg/DFGClobberize.h:
3823         (JSC::DFG::clobberize):
3824         * dfg/DFGDoesGC.cpp:
3825         (JSC::DFG::doesGC):
3826         * dfg/DFGFixupPhase.cpp:
3827         (JSC::DFG::FixupPhase::fixupNode):
3828         * dfg/DFGNodeType.h:
3829         * dfg/DFGOperations.cpp:
3830         * dfg/DFGOperations.h:
3831         * dfg/DFGPredictionPropagationPhase.cpp:
3832         * dfg/DFGSafeToExecute.h:
3833         (JSC::DFG::safeToExecute):
3834         * dfg/DFGSpeculativeJIT.cpp:
3835         (JSC::DFG::SpeculativeJIT::compileStringSlice):
3836         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
3837         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3838         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
3839         * dfg/DFGSpeculativeJIT.h:
3840         (JSC::DFG::SpeculativeJIT::callOperation):
3841         * dfg/DFGSpeculativeJIT32_64.cpp:
3842         (JSC::DFG::SpeculativeJIT::compile):
3843         * dfg/DFGSpeculativeJIT64.cpp:
3844         (JSC::DFG::SpeculativeJIT::compile):
3845         * ftl/FTLCapabilities.cpp:
3846         (JSC::FTL::canCompile):
3847         * ftl/FTLLowerDFGToB3.cpp:
3848         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3849         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
3850         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
3851         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
3852         * jit/JITOperations.h:
3853         * runtime/Intrinsic.cpp:
3854         (JSC::intrinsicName):
3855         * runtime/Intrinsic.h:
3856         * runtime/StringPrototype.cpp:
3857         (JSC::StringPrototype::finishCreation):
3858
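The StringSlice entry above relies on the start/end indices being normalized the way String.prototype.slice specifies (NaN to 0, negative offsets counted from the end, everything clamped into [0, length]) before any fast path touches the string's characters; that clamping is what keeps an inlined empty-string or single-character path from ever indexing outside the backing buffer. The following is an added example, not JavaScriptCore code: a plain-JavaScript reference implementation of that normalization plus a classifier for the three paths the entry describes (empty result, single character below 0x100, general slice). The function names `toIntegerOrInfinity`, `sliceRange`, `classifySlice` and `referenceSlice` are this example's own, and the results can be checked against the engine's native `slice`.

```javascript
// Added example (not JSC code): String.prototype.slice index handling.

// ToIntegerOrInfinity (ECMA-262 7.1.5): NaN and +/-0 become 0, +/-Infinity
// is kept, any other number is truncated toward zero.
function toIntegerOrInfinity(value) {
  const n = Number(value);
  if (Number.isNaN(n) || n === 0) return 0;
  if (!Number.isFinite(n)) return n;
  return Math.trunc(n);
}

// Clamp one relative index into [0, len] the way slice() does:
// negative values count back from the end but never go below 0,
// positive values never exceed len.
function clampSliceIndex(relative, len) {
  if (relative === -Infinity) return 0;
  if (relative < 0) return Math.max(len + relative, 0);
  return Math.min(relative, len);
}

// Compute the half-open [from, to) range that slice(start, end) reads.
// An undefined end means "to the end of the string".
function sliceRange(len, start, end) {
  const from = clampSliceIndex(toIntegerOrInfinity(start), len);
  const to = end === undefined ? len : clampSliceIndex(toIntegerOrInfinity(end), len);
  return { from, to };
}

// Which of the three cases from the ChangeLog entry a given slice hits:
//   "empty"       -> from >= to, result is the empty string
//   "single-char" -> exactly one character and its code is < 0x100
//   "general"     -> anything else (needs a real substring allocation)
function classifySlice(str, start, end) {
  const { from, to } = sliceRange(str.length, start, end);
  if (from >= to) return "empty";
  if (to - from === 1 && str.charCodeAt(from) < 0x100) return "single-char";
  return "general";
}

// Reference slice built on the normalized range; must agree with native slice.
function referenceSlice(str, start, end) {
  const { from, to } = sliceRange(str.length, start, end);
  return from >= to ? "" : str.substring(from, to);
}

// Constructed sample inputs exercising negative, NaN, infinite and
// out-of-range indices; each must match the engine's own slice().
function agreesWithNative() {
  const cases = [
    ["hello", 1, 3], ["hello", -3, undefined], ["hello", 3, 1],
    ["hello", NaN, Infinity], ["hello", 2, -1], ["hello", -100, 100],
    ["hello", "1", "4.9"], ["", 0, 1], ["h\u3042", 1, 2],
  ];
  return cases.every(([s, a, b]) => referenceSlice(s, a, b) === s.slice(a, b));
}
```

`agreesWithNative()` returning true is the check to keep: any fast path that short-circuits the general case must still produce the same result as the fully clamped slice for negative, NaN, infinite and out-of-range indices.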
3859 2017-10-31  JF Bastien  <jfbastien@apple.com>
3860
3861         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
3862         https://bugs.webkit.org/show_bug.cgi?id=176644
3863
3864         Reviewed by Michael Saboff.
3865
3866         IndexOrName now keeps a RefPtr to its original NameSection, which
3867         holds the Name (or references nullptr if Index). Holding onto the
3868         entire section seems like the better thing to do, since backtraces
3869         probably contain multiple names from the same Module.
3870
3871         * JavaScriptCore.xcodeproj/project.pbxproj:
3872         * interpreter/Interpreter.cpp:
3873         (JSC::GetStackTraceFunctor::operator() const):
3874         * interpreter/StackVisitor.h: Frame is no longer POD because of the
3875         RefPtr.
3876         * runtime/StackFrame.cpp:
3877         (JSC::StackFrame::StackFrame):
3878         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
3879         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
3880         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
3881         * wasm/WasmBBQPlanInlines.h:
3882         (JSC::Wasm::BBQPlan::initializeCallees):
3883         * wasm/WasmCallee.cpp:
3884         (JSC::Wasm::Callee::Callee):
3885         * wasm/WasmCallee.h:
3886         (JSC::Wasm::Callee::create):
3887         * wasm/WasmFormat.h: Move NameSection to its own header.
3888         (JSC::Wasm::isValidNameType):
3889         (JSC::Wasm::NameSection::get): Deleted.
3890         * wasm/WasmIndexOrName.cpp:
3891         (JSC::Wasm::IndexOrName::IndexOrName):
3892         (JSC::Wasm::makeString):
3893         * wasm/WasmIndexOrName.h:
3894         (JSC::Wasm::IndexOrName::IndexOrName):
3895         (JSC::Wasm::IndexOrName::isEmpty const):
3896         (JSC::Wasm::IndexOrName::isIndex const):
3897         * wasm/WasmModuleInformation.cpp:
3898         (JSC::Wasm::ModuleInformation::ModuleInformation):
3899         * wasm/WasmModuleInformation.h:
3900         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
3901         * wasm/WasmNameSection.h:
3902         (JSC::W