Web Inspector: provide way for ShaderPrograms to be enabled/disabled
2017-08-22  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: provide way for ShaderPrograms to be enabled/disabled
        https://bugs.webkit.org/show_bug.cgi?id=175400

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
        Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader
        program to the supplied boolean value. If this value is true, calls to `drawArrays` and
        `drawElements` when that program is in use will have no effect.

2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix windows build... for realz.

        * CMakeLists.txt:

2017-08-22  Saam Barati  <sbarati@apple.com>

        We are using valueProfileForBytecodeOffset when there may not be a value profile
        https://bugs.webkit.org/show_bug.cgi?id=175812

        Reviewed by Michael Saboff.

        This patch uses the type system to aid the code around CodeBlock's ValueProfile
        accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
        so there were callers of this that thought it could return nullptr when there
        was no such ValueProfile. This was not the case; it always returned a non-null
        pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
        and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
        and does the right thing if there is no such ValueProfile.

        This patch also changes the other ValueProfile accessors on CodeBlock to
        return ValueProfile& instead of ValueProfile*. Some callers handled the null
        case unnecessarily, and using the type system to specify the result can't be
        null removes these useless branches.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
        (JSC::CodeBlock::dumpValueProfiles):
        (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::validate):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::valueProfileForArgument):
        (JSC::CodeBlock::valueProfile):
        (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
        (JSC::CodeBlock::getFromAllValueProfiles):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleInlining):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
        * dfg/DFGPredictionInjectionPhase.cpp:
        (JSC::DFG::PredictionInjectionPhase::run):
        * jit/JIT.h:
        * jit/JITInlines.h:
        (JSC::JIT::emitValueProfilingSite):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::validateJSCell):

2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix windows build... maybe.

        * CMakeLists.txt:

2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix cloop build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-08-22  Per Arne Vollan  <pvollan@apple.com>

        [Win][Release] Crash when running testmasm executable.
        https://bugs.webkit.org/show_bug.cgi?id=175772

        Reviewed by Mark Lam.

        We need to save and restore the modified registers in case one or more registers are callee saved
        on the relevant platforms.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-21  Mark Lam  <mark.lam@apple.com>

        Change probe code to use static_assert instead of COMPILE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=175762

        Reviewed by JF Bastien.

        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Make generate_offset_extractor.rb architectures argument more robust
        https://bugs.webkit.org/show_bug.cgi?id=175809

        Reviewed by Joseph Pecoraro.

        It turns out that some of our builders pass their architectures as
        space separated lists.  I decided to just make the splitting of
        our list robust to any reasonable combination of spaces and
        commas.

        * offlineasm/generate_offset_extractor.rb:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
        https://bugs.webkit.org/show_bug.cgi?id=175690

        Reviewed by Michael Saboff.

        This should reduce some of the time we spend building offline asm
        in our builds (except for linux since they already did this).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * offlineasm/backends.rb:
        * offlineasm/generate_offset_extractor.rb:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Not reviewed.

        Make these files dependent on ENABLE(MASM_PROBE).

        * assembler/ProbeContext.cpp:
        * assembler/ProbeContext.h:
        * assembler/ProbeStack.cpp:
        * assembler/ProbeStack.h:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Reviewed by JF Bastien.

        With this patch, the clients of the MacroAssembler::probe() can now change
        stack values without having to worry about whether there is enough room in the
        current stack frame for it or not.  This is done using the Probe::Context's stack
        member like so:

            jit.probe([] (Probe::Context& context) {
                auto cpu = context.cpu;
                auto stack = context.stack();
                uintptr_t* currentSP = cpu.sp<uintptr_t*>();

                // Get a value at the current stack pointer location.
                auto value = stack.get<uintptr_t>(currentSP);

                // Set a value above the current stack pointer (within current frame).
                stack.set<uintptr_t>(currentSP + 10, value);

                // Set a value below the current stack pointer (out of current frame).
                stack.set<uintptr_t>(currentSP - 10, value);

                // Set the new stack pointer.
                cpu.sp() = currentSP - 20;
            });

        What happens behind the scene:

        1. the generated JIT probe code will now call Probe::executeProbe(), and
           Probe::executeProbe() will in turn call the client's probe function.

           Probe::executeProbe() receives the Probe::State on the machine stack passed
           to it by the probe trampoline.  Probe::executeProbe() will instantiate a
           Probe::Context to be passed to the client's probe function.  The client will
           no longer see the Probe::State directly.

        2. The Probe::Context comes with a Probe::Stack which serves as a manager of
           stack pages.  Currently, each page is 1K in size.
           Probe::Context::stack() returns a reference to an instance of Probe::Stack.

        3. Invoking get() or set() on Probe::Stack with an address will lead to the
           following:

           a. the address will be decoded to a baseAddress that points to the 1K page
              that contains that address.

           b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
              If so, go to step (f).  Else, continue with step (c).

           c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
              for that specified baseAddress to this mirror page.

           d. the mirror page will be added to the ProbeStack's m_pages HashMap,
              keyed on the baseAddress.

           e. the ProbeStack will also cache the last baseAddress and its corresponding
              mirror page in use.  With memory accesses tending to be localized, this
              will save us from having to look up the page in the HashMap.

           f. get() will map the requested address to a physical address in the mirror
              page, and return the value at that location.

           g. set() will map the requested address to a physical address in the mirror
              page, and set the value at that location in the mirror page.

              set() will also set a dirty bit corresponding to the "cache line" that
              was modified in the mirror page.

        4. When the client's probe function returns, Probe::executeProbe() will check if
           there are stack changes that need to be applied.  If stack changes are needed:

           a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
              space is available to flush the dirty stack pages.  It will also register a
              flushStackDirtyPages callback function in the Probe::State.  Thereafter,
              Probe::executeProbe() returns to the probe trampoline.

           b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
              a safe place if needed, and then calls the flushStackDirtyPages callback
              if needed.

           c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
              HashMap and flushes all dirty "cache lines" to the machine stack.
              Thereafter, flushStackDirtyPages() returns to the probe trampoline.

           d. lastly, the probe trampoline will restore all register values and return
              to the pc set in the Probe::State.

        To make this patch work, I also had to do the following work:

        5. Refactor MacroAssembler::CPUState into Probe::CPUState.
           Mainly, this means moving the code over to ProbeContext.h.
           I also added some convenience accessor methods for spr registers.

           Moved Probe::Context over to its own file ProbeContext.h/cpp.

        6. Fix all probe trampolines to pass the address of Probe::executeProbe in
           addition to the client's probe function and arg.

           I also took this opportunity to optimize the generated JIT probe code to
           minimize the amount of memory stores needed.

        7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
           either lr or pc (or neither), but not both in the same probe invocation.
           The ARM64 probe trampoline used to have to check for this invariant in the
           assembly trampoline code.  With the introduction of Probe::executeProbe(),
           we can now do it there and simplify the trampoline.

        8. Fix a bug in the old ARM64 probe trampoline for the case where the client
           changes lr.  That code path never worked before, but has now been fixed.

        9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
           MacroAssemblerARMv7.

           We can now use move() with TrustedImmPtr, and it does the same thing but in a
           more generic way.

       10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
           the same semantics as movs (according to the Thumb spec).  This means these
           instructions may trash the APSR flags before we have a chance to preserve them.

           This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
           early on.  This entails adding support for the mrs instruction in the
           ARMv7Assembler.

       11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
           the easy way.

           Also fixed testmasm tests which check flag registers to only compare the
           portions that are modifiable by the client i.e. some masking is applied.

        This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::mrs):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName): Deleted.
        (JSC::MacroAssembler::CPUState::sprName): Deleted.
        (JSC::MacroAssembler::CPUState::fprName): Deleted.
        (JSC::MacroAssembler::CPUState::gpr): Deleted.
        (JSC::MacroAssembler::CPUState::spr): Deleted.
        (JSC::MacroAssembler::CPUState::fpr): Deleted.
        (JSC:: const): Deleted.
        (JSC::MacroAssembler::CPUState::fpr const): Deleted.
        (JSC::MacroAssembler::CPUState::pc): Deleted.
        (JSC::MacroAssembler::CPUState::fp): Deleted.
        (JSC::MacroAssembler::CPUState::sp): Deleted.
        (JSC::MacroAssembler::CPUState::pc const): Deleted.
        (JSC::MacroAssembler::CPUState::fp const): Deleted.
        (JSC::MacroAssembler::CPUState::sp const): Deleted.
        (JSC::Probe::State::gpr): Deleted.
        (JSC::Probe::State::spr): Deleted.
        (JSC::Probe::State::fpr): Deleted.
        (JSC::Probe::State::gprName): Deleted.
        (JSC::Probe::State::sprName): Deleted.
        (JSC::Probe::State::fprName): Deleted.
        (JSC::Probe::State::pc): Deleted.
        (JSC::Probe::State::fp): Deleted.
        (JSC::Probe::State::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::arm64ProbeError): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::armV7Condition):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::ctiMasmProbeTrampoline):
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/ProbeContext.cpp: Added.
        (JSC::Probe::executeProbe):
        (JSC::Probe::handleProbeStackInitialization):
        (JSC::Probe::probeStateForContext):
        * assembler/ProbeContext.h: Added.
        (JSC::Probe::CPUState::gprName):
        (JSC::Probe::CPUState::sprName):
        (JSC::Probe::CPUState::fprName):
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::CPUState::fpr):
        (JSC::Probe:: const):
        (JSC::Probe::CPUState::fpr const):
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        (JSC::Probe::CPUState::pc const):
        (JSC::Probe::CPUState::fp const):
        (JSC::Probe::CPUState::sp const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::Context::stack):
        (JSC::Probe::Context::hasWritesToFlush):
        (JSC::Probe::Context::releaseStack):
        * assembler/ProbeStack.cpp: Added.
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::hasWritesToFlush):
        (JSC::Probe::Stack::flushWrites):
        (JSC::Probe::Stack::ensurePageFor):
        * assembler/ProbeStack.h: Added.
        (JSC::Probe::Page::baseAddressFor):
        (JSC::Probe::Page::chunkAddressFor):
        (JSC::Probe::Page::baseAddress):
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::hasWritesToFlush const):
        (JSC::Probe::Page::flushWritesIfNeeded):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::newStackPointer const):
        (JSC::Probe::Stack::setNewStackPointer):
        (JSC::Probe::Stack::isValid):
        (JSC::Probe::Stack::pageFor):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::run):
        (): Deleted.
        (JSC::fillStack): Deleted.
        (JSC::testProbeModifiesStackWithCallback): Deleted.

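The page-mirroring scheme in steps 3 and 4 of the entry above, as an added example that is not part of the ChangeLog or of JSC's own ProbeStack code: a compact C++ model of a mirror-page stack with per-chunk dirty bits and a write-back step. The class names, the 64-byte chunk size, and the static buffer that stands in for the machine stack are constructed for this illustration (the real Probe::Stack mirrors the live thread stack). Reads and writes go to the mirror only; the demo checks that nothing reaches the "machine stack" until flushWrites() runs, and that a write below the current sp lands in a second mirrored page.

```cpp
// Added example (not JSC code): a simplified mirror-page stack in the spirit of
// the Probe::Stack described above. The class names, the 64-byte chunk size and
// the static buffer standing in for the machine stack are this example's own.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>

namespace example {

constexpr size_t kPageSize = 1024;                         // 1K pages, as in the entry
constexpr size_t kChunkSize = 64;                          // dirty-bit ("cache line") granularity
constexpr size_t kChunksPerPage = kPageSize / kChunkSize;  // 16 dirty bits per page

class Page {
public:
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(kPageSize - 1); }
    // Step (c): mirror the live 1K page so reads see the current stack contents.
    explicit Page(uintptr_t base) : m_baseAddress(base) { std::memcpy(m_buffer, reinterpret_cast<const void*>(base), kPageSize); }
    uintptr_t baseAddress() const { return m_baseAddress; }

    // Steps (f) and (g): reads and writes touch the mirror, never the real stack;
    // set() also marks the containing chunk dirty.
    template<typename T> T get(uintptr_t address) const {
        T value;
        std::memcpy(&value, m_buffer + (address - m_baseAddress), sizeof value);
        return value;
    }
    template<typename T> void set(uintptr_t address, T value) {
        std::memcpy(m_buffer + (address - m_baseAddress), &value, sizeof value);
        m_dirtyBits |= uint64_t(1) << ((address - m_baseAddress) / kChunkSize);
    }

    // Step 4(c): copy only the dirty chunks back to the machine stack.
    size_t flushWrites() {
        size_t flushed = 0;
        for (size_t i = 0; i < kChunksPerPage; ++i) {
            if (!(m_dirtyBits & (uint64_t(1) << i)))
                continue;
            std::memcpy(reinterpret_cast<void*>(m_baseAddress + i * kChunkSize), m_buffer + i * kChunkSize, kChunkSize);
            ++flushed;
        }
        m_dirtyBits = 0;
        return flushed;
    }

private:
    uintptr_t m_baseAddress;
    uint64_t m_dirtyBits = 0;
    alignas(16) uint8_t m_buffer[kPageSize];
};

class Stack {
public:
    template<typename T> T get(uintptr_t address) { return pageFor(address).get<T>(address); }
    template<typename T> void set(uintptr_t address, T value) { pageFor(address).set<T>(address, value); }
    size_t pageCount() const { return m_pages.size(); }
    size_t flushWrites() { size_t n = 0; for (auto& e : m_pages) n += e.second->flushWrites(); return n; }

private:
    // Steps (a), (b), (d), (e): decode to a base address, try the one-entry cache,
    // then the map, mirroring the page on first touch.
    Page& pageFor(uintptr_t address) {
        uintptr_t base = Page::baseAddressFor(address);
        if (m_lastPage && m_lastPage->baseAddress() == base)
            return *m_lastPage;
        auto it = m_pages.find(base);
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;
        m_lastPage = it->second.get();
        return *m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage = nullptr;
};

// Constructed stand-in for the machine stack: four page-aligned 1K pages.
alignas(kPageSize) static uint8_t g_fakeStack[4 * kPageSize];

struct DemoResult {
    uint64_t realBeforeFlush;   // "machine stack" below sp before flushing (still 0)
    uint64_t aboveSP, belowSP;  // what the "machine stack" holds after flushing
    size_t pagesMirrored, chunksFlushed;
};

// Same sequence as the probe snippet in the entry: read at sp, write above and
// below sp, then flush. Slots are 8 bytes, so +/-10 slots is +/-80 bytes.
DemoResult runDemo() {
    std::memset(g_fakeStack, 0, sizeof g_fakeStack);
    const uintptr_t sp = reinterpret_cast<uintptr_t>(g_fakeStack) + 2 * kPageSize;
    const uintptr_t above = sp + 10 * sizeof(uint64_t), below = sp - 10 * sizeof(uint64_t);
    const uint64_t sentinel = 0x1122334455667788ULL;  // constructed value sitting at sp
    std::memcpy(reinterpret_cast<void*>(sp), &sentinel, sizeof sentinel);
    Stack stack;
    uint64_t value = stack.get<uint64_t>(sp);
    stack.set<uint64_t>(above, value);  // same page as sp: served by the cached page
    stack.set<uint64_t>(below, value);  // previous page: a second mirror is created
    DemoResult r {};
    std::memcpy(&r.realBeforeFlush, reinterpret_cast<void*>(below), sizeof(uint64_t));
    r.chunksFlushed = stack.flushWrites();
    r.pagesMirrored = stack.pageCount();
    std::memcpy(&r.aboveSP, reinterpret_cast<void*>(above), sizeof(uint64_t));
    std::memcpy(&r.belowSP, reinterpret_cast<void*>(below), sizeof(uint64_t));
    return r;
}

} // namespace example
```

runDemo() returns both mirrored pages' effect: two pages end up in the map, two chunks (one per page) are flushed, and the slot below sp still reads zero from the fake machine stack until the flush happens. The one-entry cache in pageFor() is what step (e) describes; a write that crosses into the neighbouring page bypasses it and goes through the map.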
2017-08-19  Andy Estes  <aestes@apple.com>

        [Payment Request] Add interface stubs
        https://bugs.webkit.org/show_bug.cgi?id=175730

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-08-18  Per Arne Vollan  <pvollan@apple.com>

        Implement 32-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175449

        Reviewed by Mark Lam.

        This is needed to enable the DFG.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        (dllLauncherEntryPoint):
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2017-08-18  Mark Lam  <mark.lam@apple.com>

        Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
        https://bugs.webkit.org/show_bug.cgi?id=175725
        <rdar://problem/33965477>

        Rubber-stamped by JF Bastien.

        This is purely a refactoring patch (in preparation for the introduction of a
        Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
        later).  This patch does not change any semantics / behavior.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr): Deleted.
        (JSC::ProbeContext::spr): Deleted.
        (JSC::ProbeContext::fpr): Deleted.
        (JSC::ProbeContext::gprName): Deleted.
        (JSC::ProbeContext::sprName): Deleted.
        (JSC::ProbeContext::fprName): Deleted.
        (JSC::ProbeContext::pc): Deleted.
        (JSC::ProbeContext::fp): Deleted.
        (JSC::ProbeContext::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeError):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):
        (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.

2017-08-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
        https://bugs.webkit.org/show_bug.cgi?id=175693
        <rdar://problem/33952443>

        Reviewed by Saam Barati.

        64-bit constants in an unreachable context were being decoded as
        32-bit constants. This is pretty benign because unreachable code
        shouldn't occur often. The effect is that 64-bit constants which
        can't be encoded as 32-bit constants would cause the binary to be
        rejected.

        At the same time, 32-bit integer constants should be decoded as signed.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

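The decoding problem this entry describes, as an added example that is not part of the ChangeLog or of WebKit's WasmFunctionParser: a signed LEB128 decoder that enforces the byte-count and value-range limits of the requested width, plus a small i32.const / i64.const parser that can be run either with the old behaviour (an i64 immediate decoded as if it were 32-bit) or the fixed one. The opcode values 0x41 and 0x42 are the real WebAssembly opcodes for i32.const and i64.const; the function names and the sample byte strings are constructed here.

```cpp
// Added example (not WebKit code): a signed LEB128 decoder with the width check
// the entry describes, plus a tiny parser for i32.const / i64.const that can be
// run with the old behaviour (i64 immediates decoded as if 32-bit) or the fixed
// one. The opcode values 0x41 and 0x42 are the WebAssembly ones; everything else
// (names, the sample byte strings) is constructed here.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace example {

struct Decoded {
    bool ok;
    int64_t value;
    size_t bytesRead;
};

// Decodes a signed LEB128 integer that must fit in `bits` (32 or 64) bits.
// Rejects encodings longer than the width allows and values outside its range.
Decoded decodeSignedLEB128(const std::vector<uint8_t>& bytes, size_t offset, unsigned bits) {
    const size_t maxBytes = (bits + 6) / 7;  // 5 for i32, 10 for i64
    uint64_t result = 0;
    unsigned shift = 0;
    for (size_t i = offset;;) {
        if (i >= bytes.size() || i - offset >= maxBytes)
            return { false, 0, 0 };
        const uint8_t byte = bytes[i++];
        // The tenth byte of an i64 carries only bit 63: it must be 0x00 or 0x7f.
        if (shift == 63 && (byte & 0x7f) != 0 && (byte & 0x7f) != 0x7f)
            return { false, 0, 0 };
        result |= uint64_t(byte & 0x7f) << shift;
        shift += 7;
        if (byte & 0x80)
            continue;  // continuation bit set: more payload follows
        if (shift < 64 && (byte & 0x40))
            result |= ~uint64_t(0) << shift;  // sign-extend from the last payload bit
        const int64_t signedValue = static_cast<int64_t>(result);
        if (bits < 64) {
            const int64_t lo = -(int64_t(1) << (bits - 1));
            const int64_t hi = (int64_t(1) << (bits - 1)) - 1;
            if (signedValue < lo || signedValue > hi)
                return { false, 0, 0 };
        }
        return { true, signedValue, i - offset };
    }
}

constexpr uint8_t kI32Const = 0x41;  // WebAssembly opcode
constexpr uint8_t kI64Const = 0x42;  // WebAssembly opcode

struct Parsed {
    bool ok;
    int64_t value;
};

// Parses "<opcode> <immediate>" and requires the whole input to be consumed.
// decodeI64AsI32 == true reproduces the bug the entry describes.
Parsed parseConst(const std::vector<uint8_t>& code, bool decodeI64AsI32) {
    if (code.empty())
        return { false, 0 };
    unsigned bits;
    if (code[0] == kI32Const)
        bits = 32;
    else if (code[0] == kI64Const)
        bits = decodeI64AsI32 ? 32 : 64;
    else
        return { false, 0 };
    const Decoded d = decodeSignedLEB128(code, 1, bits);
    const bool ok = d.ok && 1 + d.bytesRead == code.size();
    return { ok, ok ? d.value : 0 };
}

// Constructed sample instructions.
const std::vector<uint8_t> kI32MinusOne { kI32Const, 0x7f };                           // i32.const -1 (signed, not 127)
const std::vector<uint8_t> kI32Min { kI32Const, 0x80, 0x80, 0x80, 0x80, 0x78 };        // i32.const -2^31
const std::vector<uint8_t> kI32TooWide { kI32Const, 0x80, 0x80, 0x80, 0x80, 0x10 };    // 2^32 does not fit an i32
const std::vector<uint8_t> kI64Big { kI64Const, 0x80, 0x80, 0x80, 0x80, 0x80, 0x20 };  // i64.const 2^40 (6 bytes)

} // namespace example
```

With the old path (decodeI64AsI32 == true) the six-byte immediate of kI64Big exceeds the five bytes an i32 may use and the instruction is rejected, which is the spurious "invalid binary" the entry reports; with the fixed path it decodes to 2^40. The single byte 0x7f decodes to -1 rather than 127, the signedness point made in the last sentence of the entry.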
2017-08-17  Robin Morisset  <rmorisset@apple.com>

        Teach DFGFixupPhase.cpp that the current scope is always a cell
        https://bugs.webkit.org/show_bug.cgi?id=175610

        Reviewed by Keith Miller.

        Also teach it that the argument to with can usually be speculated to be an object,
        since toObject() is called on it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
        https://bugs.webkit.org/show_bug.cgi?id=175644

        Reviewed by Brian Burg.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Only use 16 VFP registers if !CPU(ARM_NEON).
        https://bugs.webkit.org/show_bug.cgi?id=175514

        Reviewed by JF Bastien.

        Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
        says that there are only 16 128-bit NEON registers.  This change is merely to
        correct the code documentation of these registers.  The FPQuadRegisterID are
        currently unused.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::lastFPRegister):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastFPRegister):
        (JSC::ARMv7Assembler::fprName):
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARMv7.cpp:

2017-08-17  Andreas Kling  <akling@apple.com>

        Disable CSS regions at compile time
        https://bugs.webkit.org/show_bug.cgi?id=175630

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>

        [WPE][GTK] Ensure proper casting of data in gvariants
        https://bugs.webkit.org/show_bug.cgi?id=175667

        Reviewed by Michael Catanzaro.

        g_variant_new requires data to have the correct width for their types, using
        casting if necessary. Some data of type `unsigned` were being saved to `guint64`
        types without explicit casting, leading to undefined behavior on some platforms.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        (Inspector::RemoteInspector::listingForAutomationTarget const):
        (Inspector::RemoteInspector::sendMessageToRemote):

2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid code bloating for iteration if block does not have "break"
        https://bugs.webkit.org/show_bug.cgi?id=173228

        Reviewed by Keith Miller.

        Currently, we always emit code for the break path when emitting for-of iteration.
        But we can know whether this break path can be used when emitting the bytecode.

        This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
        the break label may be bound. We emit a break path only when it returns
        true. This reduces bytecode bloating when using for-of iteration.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        (JSC::BytecodeGenerator::emitLabel):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC::Label::bind const):
        (JSC::Label::hasOneRef const):
        (JSC::Label::isBound const):
        (JSC::Label::Label): Deleted.
        * bytecompiler/LabelScope.h:
        (JSC::LabelScope::hasOneRef const):
        (JSC::LabelScope::breakTargetMayBeBound const):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>

        ARM build fix after r220807 and r220834.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Unreviewed typo fix.

        * assembler/MacroAssemblerARM.cpp:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for ARM_TRADITIONAL after r220807.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Not reviewed.

        * assembler/MacroAssemblerARM.cpp:

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Add back the ability to disable MASM_PROBE from the build.
        https://bugs.webkit.org/show_bug.cgi?id=175656
        <rdar://problem/33933720>

        Reviewed by Yusuke Suzuki.

        This is needed for ports that the existing MASM_PROBE implementation doesn't work
        well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
        default if !ENABLE(MASM_PROBE).

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-16  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Older-iOS install name symbols are being exported on other platforms
        https://bugs.webkit.org/show_bug.cgi?id=175654

        Reviewed by Tim Horton.

        * API/JSBase.cpp: Define the symbols only when targeting iOS.

2017-08-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
        https://bugs.webkit.org/show_bug.cgi?id=175617
        <rdar://problem/33912104>

        Reviewed by JF Bastien.

        This patch adds a new feature to MacroAssembler::probe() where the probe function
        can provide a ProbeFunction callback to fill in stack values after the stack
        pointer has been adjusted.  The probe function can use this feature as follows:

        1. Set the new sp value in the ProbeContext's CPUState.

        2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
           which will do the work of filling in the stack values after the probe
           trampoline has adjusted the machine stack pointer.

        3. Set the ProbeContext's initializeStackArgs to any value that the client wants
           to pass to the initializeStackFunction callback.

        4. Return from the probe function.

        Upon returning from the probe function, the probe trampoline will adjust the
        stack pointer based on the sp value in CPUState.  If initializeStackFunction
        is not set, the probe trampoline will restore registers and return to its caller.

        If initializeStackFunction is set, the trampoline will move the ProbeContext
        beyond the range of the stack pointer i.e. it will place the new ProbeContext at
        an address lower than where CPUState.sp() points.  This ensures that the
        ProbeContext will not be trashed by the initializeStackFunction when it writes to
        the stack.  Then, the trampoline will call back to the initializeStackFunction
        ProbeFunction to let it fill in the stack values as desired.  The
        initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
        the new location.

        initializeStackFunction may now write to the stack at addresses greater or
        equal to CPUState.sp(), but not below that.  initializeStackFunction is also
        not allowed to change CPUState.sp().  If the initializeStackFunction does not
        abide by these rules, then behavior is undefined, and bad things may happen.

        For future reference, some implementation details that this patch needed to
        be mindful of:

        1. When the probe trampoline allocates stack space for the ProbeContext, it
           should include OUT_SIZE as well.  This ensures that it doesn't have to move
           the ProbeContext on exit if the probe function didn't change the sp.

        2. If the trampoline has to move the ProbeContext, it needs to point the machine
           sp to the new ProbeContext first before copying over the ProbeContext data.  This
           protects the new ProbeContext from possibly being trashed by interrupts.

        3. When computing the new address of ProbeContext to move to, we need to make
           sure that it is properly aligned in accordance with stack ABI requirements
           (just like we did when we allocated the ProbeContext on entry to the
           probe trampoline).

        4. When copying the ProbeContext to its new location, the trampoline should
744            always copy words from low addresses to high addresses.  This is because if
745            we're moving the ProbeContext, we'll always be moving it to a lower address.
746
747         * assembler/MacroAssembler.h:
748         * assembler/MacroAssemblerARM.cpp:
749         * assembler/MacroAssemblerARM64.cpp:
750         * assembler/MacroAssemblerARMv7.cpp:
751         * assembler/MacroAssemblerX86Common.cpp:
752         * assembler/testmasm.cpp:
753         (JSC::testProbePreservesGPRS):
754         (JSC::testProbeModifiesStackPointer):
755         (JSC::fillStack):
756         (JSC::testProbeModifiesStackWithCallback):
757         (JSC::run):
758
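The four-step protocol and the four implementation details above, as an added example (not JavaScriptCore's code) in a self-contained C++ model: a word-addressed stack array stands in for the machine stack, kAlignWords and kOutSizeWords for the ABI alignment and OUT_SIZE, and the stackBase field is model-only so the callback can address the simulated stack. The real trampolines are hand-written per architecture; this only reproduces the ordering rules the entry spells out.

```cpp
// Added example, not JavaScriptCore's code: a self-contained model of the
// MacroAssembler::probe() initializeStackFunction protocol described in the
// entry above. The machine stack is an array of 64-bit words addressed by
// index (lower index == lower address). kAlignWords, kOutSizeWords and the
// stackBase field are stand-ins for the real trampoline's ABI alignment,
// OUT_SIZE and machine addressing; all names are illustrative.
#include <cstddef>
#include <cstdint>
#include <new>

namespace probe_model {

constexpr size_t kStackWords = 64;
constexpr size_t kAlignWords = 2;   // stands in for the ABI stack alignment (16 bytes on real targets)
constexpr size_t kOutSizeWords = 2; // stands in for OUT_SIZE: scratch reserved together with the context

struct CPUState {
    uint64_t gpr[4] = {};
    size_t sp = 0; // word index of the lowest live stack word
};

struct ProbeContext;
using ProbeFunction = void (*)(ProbeContext*);

struct ProbeContext {
    CPUState cpu;
    ProbeFunction initializeStackFunction = nullptr;
    void* initializeStackArgs = nullptr;
    uint64_t* stackBase = nullptr; // model-only: lets callbacks address the simulated stack
};

constexpr size_t kContextWords = (sizeof(ProbeContext) + 7) / 8;

struct Machine {
    uint64_t stack[kStackWords] = {};
    CPUState regs; // live register file; regs.sp is the machine sp
    Machine() { regs.sp = kStackWords; } // empty stack: sp is one past the top word
};

inline size_t alignDown(size_t idx) { return idx - idx % kAlignWords; }

struct ProbeResult {
    size_t ctxLo, ctxHi;  // final [lo, hi) home of the ProbeContext
    bool callbackMovedSp; // true if initializeStackFunction broke the "don't touch sp" rule
};

// Models ctiMasmProbeTrampoline: run `probe` on a ProbeContext that lives on the
// machine stack, then apply the sp / initializeStackFunction protocol on the way out.
inline ProbeResult runProbe(Machine& m, ProbeFunction probe) {
    const size_t entrySp = m.regs.sp;

    // Entry: reserve context + OUT_SIZE below sp (aligned) and snapshot the registers.
    size_t ctxAddr = alignDown(entrySp - kContextWords - kOutSizeWords);
    m.regs.sp = ctxAddr;
    ProbeContext* ctx = new (&m.stack[ctxAddr]) ProbeContext;
    ctx->cpu = m.regs;
    ctx->cpu.sp = entrySp; // the probe sees the sp it had before the trampoline ran
    ctx->stackBase = m.stack;

    probe(ctx); // steps 1-4 of the protocol happen in here

    bool callbackMovedSp = false;
    if (ctx->initializeStackFunction) {
        // Move the context below the new sp so the callback's stack writes cannot trash it.
        // Because OUT_SIZE was reserved on entry, a probe that left sp alone needs no move.
        const size_t newAddr = alignDown(ctx->cpu.sp - kContextWords);
        if (newAddr < ctxAddr) {
            m.regs.sp = newAddr; // point sp at the new home before copying (interrupt safety)
            for (size_t i = 0; i < kContextWords; ++i)      // copy low -> high: the only safe
                m.stack[newAddr + i] = m.stack[ctxAddr + i]; // direction when dest < src
            ctxAddr = newAddr;
            ctx = reinterpret_cast<ProbeContext*>(&m.stack[ctxAddr]);
        }
        const size_t spBefore = ctx->cpu.sp;
        ctx->initializeStackFunction(ctx); // receives the moved context
        callbackMovedSp = ctx->cpu.sp != spBefore;
    }

    // Exit: restore registers from the context and hand the machine the probe's sp.
    m.regs = ctx->cpu;
    return {ctxAddr, ctxAddr + kContextWords, callbackMovedSp};
}

// A probe that reserves kReserved words and asks the trampoline to fill them.
constexpr size_t kReserved = 3;
static uint64_t gSeed = 0x1000;

inline void fillStack(ProbeContext* ctx) {
    // Rules from the entry: write only at addresses >= cpu.sp, and never change cpu.sp.
    const uint64_t seed = *static_cast<uint64_t*>(ctx->initializeStackArgs);
    for (size_t i = 0; i < kReserved; ++i)
        ctx->stackBase[ctx->cpu.sp + i] = seed + i;
}

inline void reserveAndFill(ProbeContext* ctx) {
    ctx->cpu.gpr[0] = 0xABCD;                 // register edits are restored on exit
    ctx->cpu.sp -= kReserved;                 // 1. new sp
    ctx->initializeStackFunction = fillStack; // 2. callback
    ctx->initializeStackArgs = &gSeed;        // 3. args
}                                             // 4. return

// Runs one probe on `m`; true if every invariant the entry describes held.
inline bool demo(Machine& m) {
    const ProbeResult r = runProbe(m, reserveAndFill);
    const size_t sp = m.regs.sp;
    bool filled = true;
    for (size_t i = 0; i < kReserved; ++i)
        filled = filled && m.stack[sp + i] == gSeed + i;
    return r.ctxHi <= sp // context ended up below the region the callback wrote
        && !r.callbackMovedSp
        && filled
        && m.regs.gpr[0] == 0xABCD
        && sp == kStackWords - kReserved;
}

} // namespace probe_model
```

With the constants above the context is placed at words [54, 62) on entry; the probe lowers sp from 64 to 61, so the trampoline moves the context down to [52, 60) before calling fillStack, which then writes words 61 to 63.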
759 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
760
761         Fix JSCOnly ARM buildbots after r220047 and r220184
762         https://bugs.webkit.org/show_bug.cgi?id=174993
763
764         Reviewed by Carlos Alberto Lopez Perez.
765
766         * CMakeLists.txt: Generate only one backend on Linux to save build time.
767
768 2017-08-16  Andy Estes  <aestes@apple.com>
769
770         [Payment Request] Add an ENABLE flag and an experimental feature preference
771         https://bugs.webkit.org/show_bug.cgi?id=175622
772
773         Reviewed by Tim Horton.
774
775         * Configurations/FeatureDefines.xcconfig:
776
777 2017-08-15  Robin Morisset  <rmorisset@apple.com>
778
779         We are too conservative about the effects of PushWithScope
780         https://bugs.webkit.org/show_bug.cgi?id=175584
781
782         Reviewed by Saam Barati.
783
784         PushWithScope converts its argument to an object (this can throw a type error,
785         but has no other observable effect), and allocates a new scope, that it then
786         makes the new current scope. We were a bit too
787         conservative in saying that it clobbers the world.
788
789         * dfg/DFGAbstractInterpreterInlines.h:
790         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
791         * dfg/DFGClobberize.h:
792         (JSC::DFG::clobberize):
793         * dfg/DFGDoesGC.cpp:
794         (JSC::DFG::doesGC):
795
796 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
797
798         Make DataTransferItemList work with plain text entries
799         https://bugs.webkit.org/show_bug.cgi?id=175596
800
801         Reviewed by Wenson Hsieh.
802
803         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
804
805         * runtime/CommonIdentifiers.h:
806
807 2017-08-15  Robin Morisset  <rmorisset@apple.com>
808
809         Support the 'with' keyword in FTL
810         https://bugs.webkit.org/show_bug.cgi?id=175585
811
812         Reviewed by Saam Barati.
813
814         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
815         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
816         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
817         that takes its parentScope argument first.
818
819         * bytecompiler/BytecodeGenerator.cpp:
820         (JSC::BytecodeGenerator::emitPushWithScope):
821         * debugger/DebuggerCallFrame.cpp:
822         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
823         * dfg/DFGByteCodeParser.cpp:
824         (JSC::DFG::ByteCodeParser::parseBlock):
825         * dfg/DFGFixupPhase.cpp:
826         (JSC::DFG::FixupPhase::fixupNode):
827         * dfg/DFGSpeculativeJIT.cpp:
828         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
829         * ftl/FTLCapabilities.cpp:
830         (JSC::FTL::canCompile):
831         * ftl/FTLLowerDFGToB3.cpp:
832         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
833         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
834         * jit/JITOperations.cpp:
835         * runtime/CommonSlowPaths.cpp:
836         (JSC::SLOW_PATH_DECL):
837         * runtime/Completion.cpp:
838         (JSC::evaluateWithScopeExtension):
839         * runtime/JSWithScope.cpp:
840         (JSC::JSWithScope::create):
841         * runtime/JSWithScope.h:
842
843 2017-08-15  Saam Barati  <sbarati@apple.com>
844
845         Make VM::scratchBufferForSize thread safe
846         https://bugs.webkit.org/show_bug.cgi?id=175604
847
848         Reviewed by Geoffrey Garen and Mark Lam.
849
850         I want to use the VM::scratchBufferForSize in another patch I'm writing.
851         The use case for my other patch is to call it from the compiler thread.
852         When reading the code, I saw that this API was not thread safe. This patch
853         makes it thread safe. It actually turns out we were calling this API from
854         the compiler thread already when we created FTL::State for an FTL OSR entry
855         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
856         is now correct with this patch.
857
858         * runtime/VM.cpp:
859         (JSC::VM::VM):
860         (JSC::VM::~VM):
861         (JSC::VM::gatherConservativeRoots):
862         (JSC::VM::scratchBufferForSize):
863         * runtime/VM.h:
864         (JSC::VM::scratchBufferForSize): Deleted.
865
866 2017-08-15  Keith Miller  <keith_miller@apple.com>
867
868         JSC named bytecode offsets should use references rather than pointers
869         https://bugs.webkit.org/show_bug.cgi?id=175601
870
871         Reviewed by Saam Barati.
872
873         * dfg/DFGByteCodeParser.cpp:
874         (JSC::DFG::ByteCodeParser::parseBlock):
875         * jit/JITOpcodes.cpp:
876         (JSC::JIT::emit_op_overrides_has_instance):
877         (JSC::JIT::emit_op_instanceof):
878         (JSC::JIT::emitSlow_op_instanceof):
879         (JSC::JIT::emitSlow_op_instanceof_custom):
880         * jit/JITOpcodes32_64.cpp:
881         (JSC::JIT::emit_op_overrides_has_instance):
882         (JSC::JIT::emit_op_instanceof):
883         (JSC::JIT::emitSlow_op_instanceof):
884         (JSC::JIT::emitSlow_op_instanceof_custom):
885
886 2017-08-15  Keith Miller  <keith_miller@apple.com>
887
888         Enable named offsets into JSC bytecodes
889         https://bugs.webkit.org/show_bug.cgi?id=175561
890
891         Reviewed by Mark Lam.
892
893         This patch adds the ability to add named offsets into JSC's
894         bytecodes.  In the bytecode json file, instead of listing a
895         length, you can now list a set of names and their types. Each
896         opcode with an offsets property will have a struct named after the
897         opcode in our C++ naming style. For example,
898         op_overrides_has_instance would become OpOverridesHasInstance. The
899         struct has the same memory layout as the instruction list has but
900         comes with handy named accessors.
901
902         As a first cut I converted the various instanceof bytecodes to use
903         named offsets.
904
905         As an example op_overrides_has_instance produces the following struct:
906
907         struct OpOverridesHasInstance {
908         public:
909             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
910             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
911             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
912             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
913             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
914             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
915             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
916             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
917
918         private:
919             friend class LLIntOffsetsExtractor;
920             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
921             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
922             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
923             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
924         };
925
926         * CMakeLists.txt:
927         * DerivedSources.make:
928         * JavaScriptCore.xcodeproj/project.pbxproj:
929         * bytecode/BytecodeList.json:
930         * dfg/DFGByteCodeParser.cpp:
931         (JSC::DFG::ByteCodeParser::parseBlock):
932         * generate-bytecode-files:
933         * jit/JITOpcodes.cpp:
934         (JSC::JIT::emit_op_overrides_has_instance):
935         (JSC::JIT::emit_op_instanceof):
936         (JSC::JIT::emitSlow_op_instanceof):
937         (JSC::JIT::emitSlow_op_instanceof_custom):
938         * jit/JITOpcodes32_64.cpp:
939         (JSC::JIT::emit_op_overrides_has_instance):
940         (JSC::JIT::emit_op_instanceof):
941         (JSC::JIT::emitSlow_op_instanceof):
942         (JSC::JIT::emitSlow_op_instanceof_custom):
943         * llint/LLIntOffsetsExtractor.cpp:
944         * llint/LowLevelInterpreter.asm:
945         * llint/LowLevelInterpreter32_64.asm:
946         * llint/LowLevelInterpreter64.asm:
947
948 2017-08-15  Mark Lam  <mark.lam@apple.com>
949
950         Update testmasm to use new CPUState APIs.
951         https://bugs.webkit.org/show_bug.cgi?id=175573
952
953         Reviewed by Keith Miller.
954
955         1. Applied convenience CPUState accessors to minimize casting.
956         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
957            messages.
958         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
959            casting is (mostly) no longer an issue.
960         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
961            to make it clear that we're comparing against the bit values of testWord64(id).
962         5. Added a "Completed N tests" message at the end of running all tests.
963            This makes it easy to tell at a glance that testmasm completed successfully
964            versus when it crashed midway in a test.  The number of tests also serves as
965            a quick checksum to confirm that we ran the number of tests we expected.
966
967         * assembler/testmasm.cpp:
968         (WTF::printInternal):
969         (JSC::testSimple):
970         (JSC::testProbeReadsArgumentRegisters):
971         (JSC::testProbeWritesArgumentRegisters):
972         (JSC::testProbePreservesGPRS):
973         (JSC::testProbeModifiesStackPointer):
974         (JSC::testProbeModifiesProgramCounter):
975         (JSC::run):
976
977 2017-08-14  Keith Miller  <keith_miller@apple.com>
978
979         Add testing tool to lie to the DFG about profiles
980         https://bugs.webkit.org/show_bug.cgi?id=175487
981
982         Reviewed by Saam Barati.
983
984         This patch adds a new bytecode identity_with_profile that lets
985         us lie to the DFG about what profiles it has seen as the input to
986         another bytecode. Previously, there was no reliable way to force
987         a given profile when we tiered up.
988
989         * bytecode/BytecodeDumper.cpp:
990         (JSC::BytecodeDumper<Block>::dumpBytecode):
991         * bytecode/BytecodeIntrinsicRegistry.h:
992         * bytecode/BytecodeList.json:
993         * bytecode/BytecodeUseDef.h:
994         (JSC::computeUsesForBytecodeOffset):
995         (JSC::computeDefsForBytecodeOffset):
996         * bytecode/SpeculatedType.cpp:
997         (JSC::speculationFromString):
998         * bytecode/SpeculatedType.h:
999         * bytecompiler/BytecodeGenerator.cpp:
1000         (JSC::BytecodeGenerator::emitIdWithProfile):
1001         * bytecompiler/BytecodeGenerator.h:
1002         * bytecompiler/NodesCodegen.cpp:
1003         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
1004         * dfg/DFGAbstractInterpreterInlines.h:
1005         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1006         * dfg/DFGByteCodeParser.cpp:
1007         (JSC::DFG::ByteCodeParser::parseBlock):
1008         * dfg/DFGCapabilities.cpp:
1009         (JSC::DFG::capabilityLevel):
1010         * dfg/DFGClobberize.h:
1011         (JSC::DFG::clobberize):
1012         * dfg/DFGDoesGC.cpp:
1013         (JSC::DFG::doesGC):
1014         * dfg/DFGFixupPhase.cpp:
1015         (JSC::DFG::FixupPhase::fixupNode):
1016         * dfg/DFGMayExit.cpp:
1017         * dfg/DFGNode.h:
1018         (JSC::DFG::Node::getForcedPrediction):
1019         * dfg/DFGNodeType.h:
1020         * dfg/DFGPredictionPropagationPhase.cpp:
1021         * dfg/DFGSafeToExecute.h:
1022         (JSC::DFG::safeToExecute):
1023         * dfg/DFGSpeculativeJIT32_64.cpp:
1024         (JSC::DFG::SpeculativeJIT::compile):
1025         * dfg/DFGSpeculativeJIT64.cpp:
1026         (JSC::DFG::SpeculativeJIT::compile):
1027         * dfg/DFGValidate.cpp:
1028         * jit/JIT.cpp:
1029         (JSC::JIT::privateCompileMainPass):
1030         * jit/JIT.h:
1031         * jit/JITOpcodes.cpp:
1032         (JSC::JIT::emit_op_identity_with_profile):
1033         * jit/JITOpcodes32_64.cpp:
1034         (JSC::JIT::emit_op_identity_with_profile):
1035         * llint/LowLevelInterpreter.asm:
1036
1037 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1038
1039         Remove Proximity Events and related code
1040         https://bugs.webkit.org/show_bug.cgi?id=175545
1041
1042         Reviewed by Daniel Bates.
1043
1044         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
1045         and other related code.
1046
1047         * Configurations/FeatureDefines.xcconfig:
1048
1049 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1050
1051         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
1052         https://bugs.webkit.org/show_bug.cgi?id=175504
1053
1054         Reviewed by Sam Weinig.
1055
1056         * Configurations/FeatureDefines.xcconfig:
1057
1058 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
1059
1060         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
1061         https://bugs.webkit.org/show_bug.cgi?id=175557
1062
1063         Reviewed by Jon Lee.
1064
1065         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
1066
1067         * Configurations/FeatureDefines.xcconfig:
1068
1069 2017-08-14  Robin Morisset  <rmorisset@apple.com>
1070
1071         Support the 'with' keyword in DFG
1072         https://bugs.webkit.org/show_bug.cgi?id=175470
1073
1074         Reviewed by Saam Barati.
1075
1076         Not particularly optimized at the moment, the goal is just to avoid
1077         the DFG bailing out of any function with this keyword.
1078
1079         * dfg/DFGAbstractInterpreterInlines.h:
1080         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1081         * dfg/DFGByteCodeParser.cpp:
1082         (JSC::DFG::ByteCodeParser::parseBlock):
1083         * dfg/DFGCapabilities.cpp:
1084         (JSC::DFG::capabilityLevel):
1085         * dfg/DFGClobberize.h:
1086         (JSC::DFG::clobberize):
1087         * dfg/DFGDoesGC.cpp:
1088         (JSC::DFG::doesGC):
1089         * dfg/DFGFixupPhase.cpp:
1090         (JSC::DFG::FixupPhase::fixupNode):
1091         * dfg/DFGNodeType.h:
1092         * dfg/DFGPredictionPropagationPhase.cpp:
1093         * dfg/DFGSafeToExecute.h:
1094         (JSC::DFG::safeToExecute):
1095         * dfg/DFGSpeculativeJIT.cpp:
1096         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
1097         * dfg/DFGSpeculativeJIT.h:
1098         (JSC::DFG::SpeculativeJIT::callOperation):
1099         * dfg/DFGSpeculativeJIT32_64.cpp:
1100         (JSC::DFG::SpeculativeJIT::compile):
1101         * dfg/DFGSpeculativeJIT64.cpp:
1102         (JSC::DFG::SpeculativeJIT::compile):
1103         * jit/JITOperations.cpp:
1104         * jit/JITOperations.h:
1105
1106 2017-08-14  Mark Lam  <mark.lam@apple.com>
1107
1108         Add some convenience utility accessor methods to MacroAssembler::CPUState.
1109         https://bugs.webkit.org/show_bug.cgi?id=175549
1110         <rdar://problem/33884868>
1111
1112         Reviewed by Saam Barati.
1113
1114         Previously, in order to read ProbeContext CPUState registers, we used to need to
1115         do it this way:
1116
1117             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
1118             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
1119             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
1120             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
1121
1122         With this patch, we can now read them this way instead:
1123         
1124             ExecState* exec = cpu.fp<ExecState*>();
1125             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
1126             void* p = cpu.gpr<void*>(GPRInfo::regT1);
1127             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
1128
1129         * assembler/MacroAssembler.h:
1130         (JSC:: const):
1131         (JSC::MacroAssembler::CPUState::fpr const):
1132         (JSC::MacroAssembler::CPUState::pc const):
1133         (JSC::MacroAssembler::CPUState::fp const):
1134         (JSC::MacroAssembler::CPUState::sp const):
1135         (JSC::ProbeContext::pc):
1136         (JSC::ProbeContext::fp):
1137         (JSC::ProbeContext::sp):
1138
1139 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1140
1141         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1142         https://bugs.webkit.org/show_bug.cgi?id=174921
1143
1144         Reviewed by Mark Lam.
1145         
1146         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1147
1148         * dfg/DFGSpeculativeJIT.cpp:
1149         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1150         * ftl/FTLLowerDFGToB3.cpp:
1151         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1152         * jit/JITPropertyAccess.cpp:
1153         (JSC::JIT::emitScopedArgumentsGetByVal):
1154         * runtime/ScopedArgumentsTable.cpp:
1155         (JSC::ScopedArgumentsTable::create):
1156         (JSC::ScopedArgumentsTable::setLength):
1157         * runtime/ScopedArgumentsTable.h:
1158
1159 2017-08-14  Mark Lam  <mark.lam@apple.com>
1160
1161         Gardening: fix Windows build.
1162         https://bugs.webkit.org/show_bug.cgi?id=175446
1163
1164         Not reviewed.
1165
1166         * assembler/MacroAssemblerX86Common.cpp:
1167         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1168         (JSC::ctiMasmProbeTrampoline):
1169
1170 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1171
1172         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1173         https://bugs.webkit.org/show_bug.cgi?id=175512
1174         <rdar://problem/33863584>
1175
1176         Reviewed by Mark Lam.
1177
1178         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1179         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1180
1181 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1182
1183         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1184         https://bugs.webkit.org/show_bug.cgi?id=175513
1185
1186         Reviewed by Mark Lam.
1187
1188         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1189
1190 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1191
1192         FTL's compileGetTypedArrayByteOffset needs to do caging
1193         https://bugs.webkit.org/show_bug.cgi?id=175366
1194
1195         Reviewed by Saam Barati.
1196         
1197         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1198         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1199
1200         * dfg/DFGSpeculativeJIT.cpp:
1201         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1202         * ftl/FTLLowerDFGToB3.cpp:
1203         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1204         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1205         * runtime/ArrayBuffer.h:
1206         * runtime/ArrayBufferView.h:
1207         * runtime/JSArrayBufferView.h:
1208
1209 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1210
1211         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1212         https://bugs.webkit.org/show_bug.cgi?id=175474
1213         <rdar://problem/33844628>
1214
1215         Reviewed by Wenson Hsieh.
1216
1217         * Configurations/FeatureDefines.xcconfig:
1218         * runtime/CommonIdentifiers.h:
1219
1220 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1221
1222         Caging shouldn't have to use a patchpoint for adding
1223         https://bugs.webkit.org/show_bug.cgi?id=175483
1224
1225         Reviewed by Mark Lam.
1226
1227         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1228         constants and associative operations dictate that you always want to sink constants. For example,
1229         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1230         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1231         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1232         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1233         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1234         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1235         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1236         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1237         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1238         hacks for just stopping B3's reassociation only in this specific case.
1239         
1240         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1241         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1242         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1243         that if we cage the same pointer in two places, both places will compute the same value.
1244         
1245         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1246         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1247         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1248         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1249         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1250         enough scale to warrant new opcodes.)
1251         
1252         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1253         makes the code a bit less ugly.
1254
1255         * b3/B3LowerToAir.cpp:
1256         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1257         (JSC::B3::Air::LowerToAir::lower):
1258         * b3/B3Opcode.cpp:
1259         (WTF::printInternal):
1260         * b3/B3Opcode.h:
1261         * b3/B3ReduceStrength.cpp:
1262         * b3/B3Validate.cpp:
1263         * b3/B3Value.cpp:
1264         (JSC::B3::Value::effects const):
1265         (JSC::B3::Value::key const):
1266         (JSC::B3::Value::isFree const):
1267         (JSC::B3::Value::typeFor):
1268         * b3/B3Value.h:
1269         * b3/B3ValueKey.cpp:
1270         (JSC::B3::ValueKey::materialize const):
1271         * ftl/FTLLowerDFGToB3.cpp:
1272         (JSC::FTL::DFG::LowerDFGToB3::caged):
1273         * ftl/FTLOutput.cpp:
1274         (JSC::FTL::Output::opaque):
1275         * ftl/FTLOutput.h:
1276
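As an added example (not B3's code), a toy IR in C++ showing why the Opaque opcode is needed: the constant-sinking rewrite from the entry, the structural key a CSE pass would use, and a lowerToAir() that is the only phase treating Opaque as Identity. kCageBase, the helper names and the single reassociation rule are assumptions for illustration; B3ReduceStrength has many more rules.

```cpp
// Added example, not B3's code: a toy expression IR with just the two behaviours
// the entry above depends on. reduceStrength() sinks constants the way the entry
// describes, Add(Add(a, C), b) -> Add(Add(a, b), C); Opaque is a pure, idempotent
// unary op to every phase except lowerToAir(), which treats it as Identity.
// kCageBase is a stand-in for the shared cage base constant.
#include <cstdint>
#include <memory>
#include <set>
#include <string>
#include <vector>

namespace toy_b3 {

struct Value;
using V = std::shared_ptr<const Value>;

enum class Op { Const, Arg, Add, Opaque };

struct Value {
    Op op;
    int64_t constant; // Op::Const
    std::string name; // Op::Arg
    V a, b;           // children (Opaque uses only a)
};

inline V cst(int64_t c) { return std::make_shared<Value>(Value{Op::Const, c, "", nullptr, nullptr}); }
inline V arg(const std::string& n) { return std::make_shared<Value>(Value{Op::Arg, 0, n, nullptr, nullptr}); }
inline V add(const V& a, const V& b) { return std::make_shared<Value>(Value{Op::Add, 0, "", a, b}); }
inline V opaque(const V& a) { return std::make_shared<Value>(Value{Op::Opaque, 0, "", a, nullptr}); }

// Structural key, as CSE would use it: equal keys mean "same value". Two Opaque(x)
// nodes key equal, so CSE can share a caged pointer, but no phase can see through
// Opaque to the Add underneath.
inline std::string key(const V& v) {
    switch (v->op) {
    case Op::Const:  return std::to_string(v->constant);
    case Op::Arg:    return v->name;
    case Op::Add:    return "Add(" + key(v->a) + "," + key(v->b) + ")";
    case Op::Opaque: return "Opaque(" + key(v->a) + ")";
    }
    return "?";
}

// The reassociation heuristic: always sink constants outward.
inline V reduceStrength(const V& v) {
    if (v->op == Op::Opaque) {
        V inner = reduceStrength(v->a);
        return inner->op == Op::Opaque ? inner : opaque(inner); // Opaque(Opaque(x)) == Opaque(x)
    }
    if (v->op != Op::Add)
        return v;
    V a = reduceStrength(v->a);
    V b = reduceStrength(v->b);
    if (a->op == Op::Add && a->b->op == Op::Const && b->op != Op::Const)
        return add(add(a->a, b), a->b); // Add(Add(x, C), y) -> Add(Add(x, y), C)
    return add(a, b);
}

// lowerToAir is the one place that looks through Opaque.
inline V lowerToAir(const V& v) {
    if (v->op == Op::Opaque) return lowerToAir(v->a);
    if (v->op == Op::Add) return add(lowerToAir(v->a), lowerToAir(v->b));
    return v;
}

constexpr int64_t kCageBase = int64_t(1) << 32; // stand-in for the shared cage base

// caged(ptr) = Add(ptr, kCageBase), optionally wrapped in Opaque; then index it.
inline V cagedAccess(const V& ptr, const V& index, bool useOpaque) {
    V caged = add(ptr, cst(kCageBase));
    if (useOpaque) caged = opaque(caged);
    return add(caged, index);
}

// Two accesses through the same caged pointer, each a separate root, after reduceStrength.
inline std::vector<V> twoAccesses(bool useOpaque) {
    V p = arg("p");
    return { reduceStrength(cagedAccess(p, arg("i"), useOpaque)),
             reduceStrength(cagedAccess(p, arg("j"), useOpaque)) };
}

// How many distinct "Add(_, kCageBase)" values survive: 1 means the cage add is
// still a single shareable (hoistable) value, 2 means reassociation split it.
inline void collectCageAdds(const V& v, std::set<std::string>& out) {
    if (v->op == Op::Add && v->b->op == Op::Const && v->b->constant == kCageBase)
        out.insert(key(v));
    if (v->a) collectCageAdds(v->a, out);
    if (v->b) collectCageAdds(v->b, out);
}

inline size_t distinctCageAdds(const std::vector<V>& roots) {
    std::set<std::string> seen;
    for (const V& r : roots) collectCageAdds(r, seen);
    return seen.size();
}

} // namespace toy_b3
```

With Opaque the two accesses keep one shared Add(p, kCageBase) value, which CSE can merge and a later phase can hoist; without it the constant is sunk into each access and that value no longer exists anywhere in the graph, which is the regression the entry describes.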
1277 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1278
1279         ScopedArguments overflow storage needs to be in the JSValue gigacage
1280         https://bugs.webkit.org/show_bug.cgi?id=174923
1281
1282         Reviewed by Saam Barati.
1283         
1284         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1285         object into the JSValue gigacage.
1286
1287         * dfg/DFGSpeculativeJIT.cpp:
1288         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1289         * ftl/FTLLowerDFGToB3.cpp:
1290         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1291         * jit/JITPropertyAccess.cpp:
1292         (JSC::JIT::emitScopedArgumentsGetByVal):
1293         * runtime/ScopedArguments.h:
1294         (JSC::ScopedArguments::subspaceFor):
1295         (JSC::ScopedArguments::overflowStorage const):
1296
1297 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1298
1299         JSLexicalEnvironment needs to be in the JSValue gigacage
1300         https://bugs.webkit.org/show_bug.cgi?id=174922
1301
1302         Reviewed by Michael Saboff.
1303         
1304         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1305         the only random accesses use pointer caging.
1306         
1307         We don't need to do anything to normal lexical environment accesses.
1308
1309         * dfg/DFGSpeculativeJIT.cpp:
1310         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1311         * ftl/FTLLowerDFGToB3.cpp:
1312         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1313         * runtime/JSEnvironmentRecord.h:
1314         (JSC::JSEnvironmentRecord::subspaceFor):
1315         (JSC::JSEnvironmentRecord::variables):
1316
1317 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1318
1319         DirectArguments should be in the JSValue gigacage
1320         https://bugs.webkit.org/show_bug.cgi?id=174920
1321
1322         Reviewed by Michael Saboff.
1323         
1324         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1325         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1326         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1327         required to use fixed offsets, and you can only store JSValues.
1328
1329         * dfg/DFGSpeculativeJIT.cpp:
1330         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1331         * ftl/FTLLowerDFGToB3.cpp:
1332         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1333         * jit/JITPropertyAccess.cpp:
1334         (JSC::JIT::emitDirectArgumentsGetByVal):
1335         * runtime/DirectArguments.h:
1336         (JSC::DirectArguments::subspaceFor):
1337         (JSC::DirectArguments::storage):
1338         * runtime/VM.cpp:
1339         (JSC::VM::VM):
1340         * runtime/VM.h:
1341
1342 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1343
1344         Unreviewed, add a FIXME.
1345
1346         * ftl/FTLLowerDFGToB3.cpp:
1347         (JSC::FTL::DFG::LowerDFGToB3::caged):
1348
1349 2017-08-10  Sam Weinig  <sam@webkit.org>
1350
1351         WTF::Function does not allow for reference / non-default constructible return types
1352         https://bugs.webkit.org/show_bug.cgi?id=175244
1353
1354         Reviewed by Chris Dumez.
1355
1356         * runtime/ArrayBuffer.cpp:
1357         (JSC::ArrayBufferContents::transferTo):
1358         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1359         destroy call needed to be a no-op anyway, since the data is being moved.
1360
1361 2017-08-11  Mark Lam  <mark.lam@apple.com>
1362
1363         Gardening: fix CLoop build.
1364         https://bugs.webkit.org/show_bug.cgi?id=175446
1365         <rdar://problem/33836545>
1366
1367         Not reviewed.
1368
1369         * assembler/MacroAssemblerPrinter.cpp:
1370
1371 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1372
1373         DFG should do caging
1374         https://bugs.webkit.org/show_bug.cgi?id=174918
1375
1376         Reviewed by Saam Barati.
1377         
1378         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1379         the conditional caging with a watchpoint.
1380         
1381         This might be a 1% SunSpider slow-down, but it's not clear.
1382
1383         * dfg/DFGSpeculativeJIT.cpp:
1384         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1385         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1386         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1387         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1388         (JSC::DFG::SpeculativeJIT::compileSpread):
1389         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1390         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1391         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1392         * dfg/DFGSpeculativeJIT.h:
1393         * dfg/DFGSpeculativeJIT64.cpp:
1394         (JSC::DFG::SpeculativeJIT::compile):
1395
1396 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1397
1398         Unreviewed, build fix for x86 GTK port
1399         https://bugs.webkit.org/show_bug.cgi?id=175446
1400
1401         Use pushfl/popfl instead of pushfd/popfd.
1402
1403         * assembler/MacroAssemblerX86Common.cpp:
1404
1405 2017-08-10  Mark Lam  <mark.lam@apple.com>
1406
1407         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1408         https://bugs.webkit.org/show_bug.cgi?id=175446
1409         <rdar://problem/33836545>
1410
1411         Reviewed by Saam Barati.
1412
1413         * assembler/AbstractMacroAssembler.h:
1414         * assembler/MacroAssembler.cpp:
1415         (JSC::MacroAssembler::probe):
1416         * assembler/MacroAssembler.h:
1417         * assembler/MacroAssemblerARM.cpp:
1418         (JSC::MacroAssembler::probe):
1419         * assembler/MacroAssemblerARM.h:
1420         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1421         * assembler/MacroAssemblerARM64.cpp:
1422         (JSC::MacroAssembler::probe):
1423         * assembler/MacroAssemblerARMv7.cpp:
1424         (JSC::MacroAssembler::probe):
1425         * assembler/MacroAssemblerARMv7.h:
1426         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1427         * assembler/MacroAssemblerPrinter.cpp:
1428         * assembler/MacroAssemblerPrinter.h:
1429         * assembler/MacroAssemblerX86Common.cpp:
1430         * assembler/testmasm.cpp:
1431         (JSC::isSpecialGPR):
1432         (JSC::testProbeModifiesProgramCounter):
1433         (JSC::run):
1434         * b3/B3LowerToAir.cpp:
1435         (JSC::B3::Air::LowerToAir::print):
1436         * b3/air/AirPrintSpecial.cpp:
1437         * b3/air/AirPrintSpecial.h:
1438
1439 2017-08-10  Mark Lam  <mark.lam@apple.com>
1440
1441         Apply the UNLIKELY macro to some unlikely things.
1442         https://bugs.webkit.org/show_bug.cgi?id=175440
1443         <rdar://problem/33834767>
1444
1445         Reviewed by Yusuke Suzuki.
1446
1447         * bytecode/CodeBlock.cpp:
1448         (JSC::CodeBlock::~CodeBlock):
1449         (JSC::CodeBlock::jettison):
1450         * dfg/DFGByteCodeParser.cpp:
1451         (JSC::DFG::ByteCodeParser::handleCall):
1452         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1453         (JSC::DFG::ByteCodeParser::handleGetById):
1454         (JSC::DFG::ByteCodeParser::handlePutById):
1455         (JSC::DFG::ByteCodeParser::parseBlock):
1456         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1457         * dfg/DFGJITCompiler.cpp:
1458         (JSC::DFG::JITCompiler::JITCompiler):
1459         (JSC::DFG::JITCompiler::linkOSRExits):
1460         (JSC::DFG::JITCompiler::link):
1461         (JSC::DFG::JITCompiler::disassemble):
1462         * dfg/DFGJITFinalizer.cpp:
1463         (JSC::DFG::JITFinalizer::finalizeCommon):
1464         * dfg/DFGOSRExit.cpp:
1465         (JSC::DFG::OSRExit::compileOSRExit):
1466         * dfg/DFGPlan.cpp:
1467         (JSC::DFG::Plan::Plan):
1468         * ftl/FTLJITFinalizer.cpp:
1469         (JSC::FTL::JITFinalizer::finalizeCommon):
1470         * ftl/FTLLink.cpp:
1471         (JSC::FTL::link):
1472         * ftl/FTLOSRExitCompiler.cpp:
1473         (JSC::FTL::compileStub):
1474         * jit/JIT.cpp:
1475         (JSC::JIT::privateCompileMainPass):
1476         (JSC::JIT::compileWithoutLinking):
1477         (JSC::JIT::link):
1478         * runtime/ScriptExecutable.cpp:
1479         (JSC::ScriptExecutable::installCode):
1480         * runtime/VM.cpp:
1481         (JSC::VM::VM):
1482
1483 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1484
1485         [WTF] ThreadSpecific should not introduce additional indirection
1486         https://bugs.webkit.org/show_bug.cgi?id=175187
1487
1488         Reviewed by Mark Lam.
1489
1490         * runtime/Identifier.cpp:
1491
1492 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1493
1494         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1495         https://bugs.webkit.org/show_bug.cgi?id=175436
1496         <rdar://problem/33667497>
1497
1498         Reviewed by Simon Fraser.
1499
1500         * interpreter/Interpreter.cpp:
1501         (JSC::Interpreter::Interpreter):
1502
1503 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1504
1505         Remove ENABLE_GAMEPAD_DEPRECATED
1506         https://bugs.webkit.org/show_bug.cgi?id=175361
1507
1508         Reviewed by Carlos Garcia Campos.
1509
1510         * Configurations/FeatureDefines.xcconfig:
1511
1512 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1513
1514         [JSC] Create JSSet constructor that accepts its size as parameter
1515         https://bugs.webkit.org/show_bug.cgi?id=173297
1516
1517         Reviewed by Saam Barati.
1518
1519         This patch is adding a new constructor to JSSet that gives its
1520         expected initial size. It is important to avoid re-hashing and multiple
1521         allocations when we know the final size of JSSet, such as in
1522         CodeBlock::setConstantIdentifierSetRegisters.
1523
1524         * bytecode/CodeBlock.cpp:
1525         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1526         * runtime/HashMapImpl.h:
1527         (JSC::HashMapImpl::HashMapImpl):
1528         * runtime/JSSet.h:
1529
1530 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1531
1532         Unreviewed, rolling out r220466, r220477, and r220487.
1533         https://bugs.webkit.org/show_bug.cgi?id=175411
1534
1535         This change broke existing API tests and follow up fixes did
1536         not resolve all the issues. (Requested by ryanhaddad on
1537         #webkit).
1538
1539         Reverted changesets:
1540
1541         https://bugs.webkit.org/show_bug.cgi?id=175244
1542         http://trac.webkit.org/changeset/220466
1543
1544         "WTF::Function does not allow for reference / non-default
1545         constructible return types"
1546         https://bugs.webkit.org/show_bug.cgi?id=175244
1547         http://trac.webkit.org/changeset/220477
1548
1549         https://bugs.webkit.org/show_bug.cgi?id=175244
1550         http://trac.webkit.org/changeset/220487
1551
1552 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1553
1554         Early error on ANY operator before new.target
1555         https://bugs.webkit.org/show_bug.cgi?id=157970
1556
1557         Reviewed by Saam Barati.
1558
1559         Instead of throwing if any unary operator precedes new.target, only
1560         throw if the unary operator updates the reference.
1561
1562         The following become legal in JSC:
1563
1564         ```
1565         !new.target
1566         ~new.target
1567         typeof new.target
1568         delete new.target
1569         void new.target
1570         ```
1571
1572         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
1573
1574         * parser/Parser.cpp:
1575         (JSC::Parser<LexerType>::parseUnaryExpression):
1576
1577 2017-08-09  Sam Weinig  <sam@webkit.org>
1578
1579         WTF::Function does not allow for reference / non-default constructible return types
1580         https://bugs.webkit.org/show_bug.cgi?id=175244
1581
1582         Reviewed by Chris Dumez.
1583
1584         * runtime/ArrayBuffer.cpp:
1585         (JSC::ArrayBufferContents::transferTo):
1586         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1587         destroy call needed to be a no-op anyway, since the data is being moved.
1588
1589 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1590
1591         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1592         https://bugs.webkit.org/show_bug.cgi?id=175392
1593         <rdar://problem/33783207>
1594
1595         Reviewed by Tim Horton and Megan Gardner.
1596
1597         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1598
1599         * Configurations/FeatureDefines.xcconfig:
1600
1601 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1602
1603         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1604         https://bugs.webkit.org/show_bug.cgi?id=175358
1605
1606         Reviewed by Mark Lam.
1607
1608         * jit/JITOperations.cpp:
1609         * runtime/JSObjectInlines.h:
1610         (JSC::JSObject::putInlineForJSObject):
1611
1612 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1613
1614         Unreviewed, rolling out r220457.
1615
1616         This change introduced API test failures.
1617
1618         Reverted changeset:
1619
1620         "WTF::Function does not allow for reference / non-default
1621         constructible return types"
1622         https://bugs.webkit.org/show_bug.cgi?id=175244
1623         http://trac.webkit.org/changeset/220457
1624
1625 2017-08-09  Sam Weinig  <sam@webkit.org>
1626
1627         WTF::Function does not allow for reference / non-default constructible return types
1628         https://bugs.webkit.org/show_bug.cgi?id=175244
1629
1630         Reviewed by Chris Dumez.
1631
1632         * runtime/ArrayBuffer.cpp:
1633         (JSC::ArrayBufferContents::transferTo):
1634         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1635         destroy call needed to be a no-op anyway, since the data is being moved.
1636
1637 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1638
1639         REGRESSION: 2 test262/test/language/statements/async-function failures
1640         https://bugs.webkit.org/show_bug.cgi?id=175334
1641
1642         Reviewed by Yusuke Suzuki.
1643
1644         Switch off useAsyncIterator by default
1645
1646         * runtime/Options.h:
1647
1648 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1649
1650         ICs should do caging
1651         https://bugs.webkit.org/show_bug.cgi?id=175295
1652
1653         Reviewed by Saam Barati.
1654         
1655         Adds the appropriate cage() calls in our inline caches.
1656
1657         * bytecode/AccessCase.cpp:
1658         (JSC::AccessCase::generateImpl):
1659         * bytecode/InlineAccess.cpp:
1660         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1661         (JSC::InlineAccess::generateSelfPropertyAccess):
1662         (JSC::InlineAccess::generateSelfPropertyReplace):
1663         (JSC::InlineAccess::generateArrayLength):
1664
1665 2017-08-08  Devin Rousso  <drousso@apple.com>
1666
1667         Web Inspector: Canvas: support editing WebGL shaders
1668         https://bugs.webkit.org/show_bug.cgi?id=124211
1669         <rdar://problem/15448958>
1670
1671         Reviewed by Matt Baker.
1672
1673         * inspector/protocol/Canvas.json:
1674         Add `updateShader` command that will change the given shader's source to the provided string,
1675         recompile, and relink it to its associated program.
1676         Drive-by: add description to `requestShaderSource` command.
1677
1678 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1679
1680         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1681         https://bugs.webkit.org/show_bug.cgi?id=175347
1682
1683         Reviewed by Saam Barati.
1684
1685         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
1686         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1687         negligible considering how much more finishCreation does.
1688         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1689         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1690
1691         * bytecode/CodeBlock.cpp:
1692         (JSC::CodeBlock::finishCreation):
1693         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1694         (JSC::CodeBlock::setConstantRegisters):
1695         * bytecode/CodeBlock.h:
1696         * runtime/ScriptExecutable.cpp:
1697         (JSC::ScriptExecutable::newCodeBlockFor):
1698
1699 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1700
1701         Unreviewed, fix Ubuntu LTS build
1702         https://bugs.webkit.org/show_bug.cgi?id=174490
1703
1704         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1705         * inspector/remote/glib/RemoteInspectorServer.cpp:
1706
1707 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1708
1709         Baseline JIT should do caging
1710         https://bugs.webkit.org/show_bug.cgi?id=175037
1711
1712         Reviewed by Mark Lam.
1713         
1714         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1715         
1716         Also modifies FTL caging to be more defensive when caging is disabled.
1717         
1718         Relanded with fixed AssemblyHelpers::cageConditionally().
1719
1720         * bytecode/AccessCase.cpp:
1721         (JSC::AccessCase::generateImpl):
1722         * bytecode/InlineAccess.cpp:
1723         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1724         (JSC::InlineAccess::generateSelfPropertyAccess):
1725         (JSC::InlineAccess::generateSelfPropertyReplace):
1726         (JSC::InlineAccess::generateArrayLength):
1727         * ftl/FTLLowerDFGToB3.cpp:
1728         (JSC::FTL::DFG::LowerDFGToB3::caged):
1729         * jit/AssemblyHelpers.h:
1730         (JSC::AssemblyHelpers::cage):
1731         (JSC::AssemblyHelpers::cageConditionally):
1732         * jit/JITPropertyAccess.cpp:
1733         (JSC::JIT::emitDoubleLoad):
1734         (JSC::JIT::emitContiguousLoad):
1735         (JSC::JIT::emitArrayStorageLoad):
1736         (JSC::JIT::emitGenericContiguousPutByVal):
1737         (JSC::JIT::emitArrayStoragePutByVal):
1738         (JSC::JIT::emit_op_get_from_scope):
1739         (JSC::JIT::emit_op_put_to_scope):
1740         (JSC::JIT::emitIntTypedArrayGetByVal):
1741         (JSC::JIT::emitFloatTypedArrayGetByVal):
1742         (JSC::JIT::emitIntTypedArrayPutByVal):
1743         (JSC::JIT::emitFloatTypedArrayPutByVal):
1744         * jsc.cpp:
1745         (jscmain):
1746         (primitiveGigacageDisabled): Deleted.
1747
1748 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1749
1750         Unreviewed, rolling out r220368.
1751
1752         This change caused WK1 tests to exit early with crashes.
1753
1754         Reverted changeset:
1755
1756         "Baseline JIT should do caging"
1757         https://bugs.webkit.org/show_bug.cgi?id=175037
1758         http://trac.webkit.org/changeset/220368
1759
1760 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1761
1762         [CMake] Properly test if compiler supports compiler flags
1763         https://bugs.webkit.org/show_bug.cgi?id=174490
1764
1765         Reviewed by Konstantin Tokarev.
1766
1767         * API/tests/PingPongStackOverflowTest.cpp:
1768         (testPingPongStackOverflow):
1769         * API/tests/testapi.c:
1770         * b3/testb3.cpp:
1771         (JSC::B3::testPatchpointLotsOfLateAnys):
1772
1773 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1774
1775         [Linux] Clear WasmMemory with madvise instead of memset
1776         https://bugs.webkit.org/show_bug.cgi?id=175150
1777
1778         Reviewed by Filip Pizlo.
1779
1780         On Linux, zeroing pages with memset populates the backing store.
1781         Instead, we should use madvise with MADV_DONTNEED. It discards the
1782         pages, and if you access these pages again, on-demand zero pages will
1783         be shown.
1784
1785         We also commit grown pages in all OSes.
1786
1787         * wasm/WasmMemory.cpp:
1788         (JSC::Wasm::commitZeroPages):
1789         (JSC::Wasm::Memory::create):
1790         (JSC::Wasm::Memory::grow):
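
        The discard-instead-of-zero pattern described above, shown as an added example that is not part of WebKit's WasmMemory code: a private anonymous mapping is filled (which is what populates backing store), discarded with madvise(MADV_DONTNEED), and then read back. It assumes Linux semantics, where the discarded pages leave the resident set and the next touch maps fresh zero-fill pages; the /proc/self/statm reader is only informative and returns -1 where that file does not exist. The function names and the 64-page size are this example's own.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Resident page count of this process, read from /proc/self/statm (Linux);
 * returns -1 where that file is unavailable. */
long resident_pages(void)
{
    FILE *f = fopen("/proc/self/statm", "r");
    if (!f)
        return -1;
    long size = 0, resident = -1;
    if (fscanf(f, "%ld %ld", &size, &resident) != 2)
        resident = -1;
    fclose(f);
    return resident;
}

/* Fills a private anonymous mapping (which faults in and populates every page),
 * then discards it with madvise(MADV_DONTNEED) instead of memset(0).
 * On Linux the discarded pages are dropped from the resident set and come back
 * as zero-fill pages on the next touch. Returns 1 if every byte reads as zero
 * afterwards, 0 if not, -1 on a system-call failure. rss_before / rss_after
 * receive the resident page counts around the madvise call (informative only). */
int zero_by_discard(size_t npages, long *rss_before, long *rss_after)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = npages * page;
    unsigned char *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    memset(mem, 0xAB, len);          /* "old" contents; this is what populates backing store */
    *rss_before = resident_pages();

    if (madvise(mem, len, MADV_DONTNEED) != 0) {
        munmap(mem, len);
        return -1;
    }
    *rss_after = resident_pages();   /* the npages just discarded are no longer resident */

    /* Touching the range again maps fresh zero pages; no memset was needed. */
    int all_zero = 1;
    for (size_t i = 0; i < len; i++) {
        if (mem[i] != 0) {
            all_zero = 0;
            break;
        }
    }
    munmap(mem, len);
    return all_zero;
}

int main(void)
{
    long before = 0, after = 0;
    int ok = zero_by_discard(64, &before, &after);
    printf("zeroed by discard: %s (resident pages before %ld, after %ld)\n",
           ok == 1 ? "yes" : "no", before, after);
    return ok == 1 ? 0 : 1;
}
```

The point for a sandboxed engine is that the memory is still guaranteed to read as zero (no stale Wasm heap contents survive), while the kernel rather than a memset loop does the work and the pages stop counting against the process until they are touched again.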
1791
1792 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1793
1794         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1795         https://bugs.webkit.org/show_bug.cgi?id=175307
1796
1797         Reviewed by Saam Barati.
1798
1799         ```
1800         let a = new Uint8Array(10);
1801         let b = Object.getOwnPropertyDescriptor(a, 0);
1802         assert(b.configurable === false);
1803         ```
1804         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
1805         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
1806         that says that typed arrays are integer indexed exotic objects.
1807
1808         * runtime/JSGenericTypedArrayViewInlines.h:
1809         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1810
1811 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1812
1813         Baseline JIT should do caging
1814         https://bugs.webkit.org/show_bug.cgi?id=175037
1815
1816         Reviewed by Mark Lam.
1817         
1818         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1819         
1820         Also modifies FTL caging to be more defensive when caging is disabled.
1821
1822         * ftl/FTLLowerDFGToB3.cpp:
1823         (JSC::FTL::DFG::LowerDFGToB3::caged):
1824         * jit/AssemblyHelpers.h:
1825         (JSC::AssemblyHelpers::cage):
1826         (JSC::AssemblyHelpers::cageConditionally):
1827         * jit/JITPropertyAccess.cpp:
1828         (JSC::JIT::emitDoubleLoad):
1829         (JSC::JIT::emitContiguousLoad):
1830         (JSC::JIT::emitArrayStorageLoad):
1831         (JSC::JIT::emitGenericContiguousPutByVal):
1832         (JSC::JIT::emitArrayStoragePutByVal):
1833         (JSC::JIT::emit_op_get_from_scope):
1834         (JSC::JIT::emit_op_put_to_scope):
1835         (JSC::JIT::emitIntTypedArrayGetByVal):
1836         (JSC::JIT::emitFloatTypedArrayGetByVal):
1837         (JSC::JIT::emitIntTypedArrayPutByVal):
1838         (JSC::JIT::emitFloatTypedArrayPutByVal):
1839         * jsc.cpp:
1840         (jscmain):
1841         (primitiveGigacageDisabled): Deleted.
1842
1843 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1844
1845         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1846         https://bugs.webkit.org/show_bug.cgi?id=174919
1847
1848         Reviewed by Keith Miller.
1849         
1850         This adapts JSC to there being two gigacages.
1851         
1852         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1853         singletons. I don't think we were gaining anything by making them be singletons.
1854         
1855         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1856         gigacages. We'll have one of those allocators per cage.
1857         
1858         From there, this change teaches everyone who previously knew about cages that there are two cages.
1859         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1860         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1861         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1862         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1863         
1864         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1865         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1866
1867         * JavaScriptCore.xcodeproj/project.pbxproj:
1868         * bytecode/AccessCase.cpp:
1869         (JSC::AccessCase::generateImpl):
1870         * dfg/DFGSpeculativeJIT.cpp:
1871         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1872         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1873         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1874         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1875         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1876         * ftl/FTLLowerDFGToB3.cpp:
1877         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1878         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1879         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1880         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1881         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1882         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1883         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1884         (JSC::FTL::DFG::LowerDFGToB3::caged):
1885         * heap/FastMallocAlignedMemoryAllocator.cpp:
1886         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1887         * heap/FastMallocAlignedMemoryAllocator.h:
1888         * heap/GigacageAlignedMemoryAllocator.cpp:
1889         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1890         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1891         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1892         (JSC::GigacageAlignedMemoryAllocator::dump const):
1893         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1894         * heap/GigacageAlignedMemoryAllocator.h:
1895         * jsc.cpp:
1896         (primitiveGigacageDisabled):
1897         (jscmain):
1898         (gigacageDisabled): Deleted.
1899         * llint/LowLevelInterpreter64.asm:
1900         * runtime/ArrayBuffer.cpp:
1901         (JSC::ArrayBufferContents::tryAllocate):
1902         (JSC::ArrayBuffer::createAdopted):
1903         (JSC::ArrayBuffer::createFromBytes):
1904         * runtime/AuxiliaryBarrier.h:
1905         * runtime/ButterflyInlines.h:
1906         (JSC::Butterfly::createUninitialized):
1907         (JSC::Butterfly::tryCreate):
1908         (JSC::Butterfly::growArrayRight):
1909         * runtime/CagedBarrierPtr.h: Added.
1910         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1911         (JSC::CagedBarrierPtr::clear):
1912         (JSC::CagedBarrierPtr::set):
1913         (JSC::CagedBarrierPtr::get const):
1914         (JSC::CagedBarrierPtr::getMayBeNull const):
1915         (JSC::CagedBarrierPtr::operator== const):
1916         (JSC::CagedBarrierPtr::operator!= const):
1917         (JSC::CagedBarrierPtr::operator bool const):
1918         (JSC::CagedBarrierPtr::setWithoutBarrier):
1919         (JSC::CagedBarrierPtr::operator* const):
1920         (JSC::CagedBarrierPtr::operator-> const):
1921         (JSC::CagedBarrierPtr::operator[] const):
1922         * runtime/DirectArguments.cpp:
1923         (JSC::DirectArguments::overrideThings):
1924         (JSC::DirectArguments::unmapArgument):
1925         * runtime/DirectArguments.h:
1926         (JSC::DirectArguments::isMappedArgument const):
1927         * runtime/GenericArguments.h:
1928         * runtime/GenericArgumentsInlines.h:
1929         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1930         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1931         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1932         * runtime/HashMapImpl.cpp:
1933         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1934         * runtime/HashMapImpl.h:
1935         (JSC::HashMapBuffer::create):
1936         (JSC::HashMapImpl::buffer const):
1937         (JSC::HashMapImpl::rehash):
1938         * runtime/JSArray.cpp:
1939         (JSC::JSArray::tryCreateUninitializedRestricted):
1940         (JSC::JSArray::unshiftCountSlowCase):
1941         (JSC::JSArray::setLength):
1942         (JSC::JSArray::pop):
1943         (JSC::JSArray::push):
1944         (JSC::JSArray::fastSlice):
1945         (JSC::JSArray::shiftCountWithArrayStorage):
1946         (JSC::JSArray::shiftCountWithAnyIndexingType):
1947         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1948         (JSC::JSArray::fillArgList):
1949         (JSC::JSArray::copyToArguments):
1950         * runtime/JSArray.h:
1951         (JSC::JSArray::tryCreate):
1952         * runtime/JSArrayBufferView.cpp:
1953         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1954         (JSC::JSArrayBufferView::finalize):
1955         * runtime/JSLock.cpp:
1956         (JSC::JSLock::didAcquireLock):
1957         * runtime/JSObject.cpp:
1958         (JSC::JSObject::heapSnapshot):
1959         (JSC::JSObject::getOwnPropertySlotByIndex):
1960         (JSC::JSObject::putByIndex):
1961         (JSC::JSObject::enterDictionaryIndexingMode):
1962         (JSC::JSObject::createInitialIndexedStorage):
1963         (JSC::JSObject::createArrayStorage):
1964         (JSC::JSObject::convertUndecidedToInt32):
1965         (JSC::JSObject::convertUndecidedToDouble):
1966         (JSC::JSObject::convertUndecidedToContiguous):
1967         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1968         (JSC::JSObject::convertUndecidedToArrayStorage):
1969         (JSC::JSObject::convertInt32ToDouble):
1970         (JSC::JSObject::convertInt32ToContiguous):
1971         (JSC::JSObject::convertInt32ToArrayStorage):
1972         (JSC::JSObject::convertDoubleToContiguous):
1973         (JSC::JSObject::convertDoubleToArrayStorage):
1974         (JSC::JSObject::convertContiguousToArrayStorage):
1975         (JSC::JSObject::setIndexQuicklyToUndecided):
1976         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1977         (JSC::JSObject::deletePropertyByIndex):
1978         (JSC::JSObject::getOwnPropertyNames):
1979         (JSC::JSObject::putIndexedDescriptor):
1980         (JSC::JSObject::defineOwnIndexedProperty):
1981         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1982         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1983         (JSC::JSObject::getNewVectorLength):
1984         (JSC::JSObject::ensureLengthSlow):
1985         (JSC::JSObject::reallocateAndShrinkButterfly):
1986         (JSC::JSObject::allocateMoreOutOfLineStorage):
1987         (JSC::JSObject::getEnumerableLength):
1988         * runtime/JSObject.h:
1989         (JSC::JSObject::getArrayLength const):
1990         (JSC::JSObject::getVectorLength):
1991         (JSC::JSObject::putDirectIndex):
1992         (JSC::JSObject::canGetIndexQuickly):
1993         (JSC::JSObject::getIndexQuickly):
1994         (JSC::JSObject::tryGetIndexQuickly const):
1995         (JSC::JSObject::canSetIndexQuickly):
1996         (JSC::JSObject::setIndexQuickly):
1997         (JSC::JSObject::initializeIndex):
1998         (JSC::JSObject::initializeIndexWithoutBarrier):
1999         (JSC::JSObject::hasSparseMap):
2000         (JSC::JSObject::inSparseIndexingMode):
2001         (JSC::JSObject::butterfly const):
2002         (JSC::JSObject::butterfly):
2003         (JSC::JSObject::outOfLineStorage const):
2004         (JSC::JSObject::outOfLineStorage):
2005         (JSC::JSObject::ensureInt32):
2006         (JSC::JSObject::ensureDouble):
2007         (JSC::JSObject::ensureContiguous):
2008         (JSC::JSObject::ensureArrayStorage):
2009         (JSC::JSObject::arrayStorage):
2010         (JSC::JSObject::arrayStorageOrNull):
2011         (JSC::JSObject::ensureLength):
2012         * runtime/RegExpMatchesArray.h:
2013         (JSC::tryCreateUninitializedRegExpMatchesArray):
2014         * runtime/VM.cpp:
2015         (JSC::VM::VM):
2016         (JSC::VM::~VM):
2017         (JSC::VM::primitiveGigacageDisabledCallback):
2018         (JSC::VM::primitiveGigacageDisabled):
2019         (JSC::VM::gigacageDisabledCallback): Deleted.
2020         (JSC::VM::gigacageDisabled): Deleted.
2021         * runtime/VM.h:
2022         (JSC::VM::gigacageAuxiliarySpace):
2023         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
2024         (JSC::VM::primitiveGigacageEnabled):
2025         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
2026         (JSC::VM::gigacageEnabled): Deleted.
2027         * wasm/WasmMemory.cpp:
2028         (JSC::Wasm::Memory::create):
2029         (JSC::Wasm::Memory::~Memory):
2030         (JSC::Wasm::Memory::grow):
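
        Caging, as used by the two gigacage entries above and by the AssemblyHelpers::cage / cageConditionally entries earlier on this page, is a hardening measure: a cage is a power-of-two, size-aligned virtual region, and caging a pointer means computing base + (ptr & mask), so that whatever value the pointer holds, the result can only address memory inside the region. The following is an added illustration in plain C, not WebKit's Gigacage code: cage_init, cage, cage_contains, cage_demo and the 1 MiB CAGE_SIZE are this example's own constructed names and size, and the pass-through when no cage exists stands in for the "conditional" form used when caging is disabled.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <sys/mman.h>

/* Toy cage: a power-of-two region, aligned to its own size, so that the cage is
 * fully described by a base pointer and a mask. The real gigacages are gigabytes;
 * 1 MiB is enough to show the mechanism (size constructed for this example). */
#define CAGE_SIZE ((size_t)1 << 20)
#define CAGE_MASK (CAGE_SIZE - 1)

static uint8_t *cage_base; /* NULL until cage_init(): caging disabled, pointers pass through */

/* Reserve a CAGE_SIZE region aligned to CAGE_SIZE by over-mapping and trimming. */
int cage_init(void)
{
    if (cage_base)
        return 0;
    size_t span = CAGE_SIZE * 2;
    uint8_t *raw = mmap(NULL, span, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (raw == MAP_FAILED)
        return -1;
    uint8_t *aligned = (uint8_t *)(((uintptr_t)raw + CAGE_MASK) & ~(uintptr_t)CAGE_MASK);
    uint8_t *end = aligned + CAGE_SIZE;
    if (aligned > raw)
        munmap(raw, (size_t)(aligned - raw));          /* slack before the window */
    if (raw + span > end)
        munmap(end, (size_t)((raw + span) - end));     /* slack after the window */
    cage_base = aligned;
    return 0;
}

/* cage(): base + (ptr & mask). Whatever value ptr holds, the result addresses the
 * cage, so a corrupted pointer to typed-array storage or a butterfly cannot be
 * used to reach memory outside it. With no cage the pointer passes through,
 * mirroring the conditional form used when caging is disabled. */
void *cage(void *ptr)
{
    if (!cage_base)
        return ptr;
    return cage_base + ((uintptr_t)ptr & CAGE_MASK);
}

int cage_contains(const void *p)
{
    const uint8_t *b = p;
    return cage_base && b >= cage_base && b < cage_base + CAGE_SIZE;
}

/* Demonstration: a legitimate in-cage pointer is unchanged by caging, while a
 * pointer outside the cage (standing in for a corrupted one) is forced inside. */
int cage_demo(int *in_cage_unchanged, int *outside_forced_in)
{
    if (cage_init() != 0)
        return -1;
    uint8_t *legit = cage_base + 0x1234;
    *in_cage_unchanged = (cage(legit) == legit);

    static uint8_t elsewhere[64];   /* static storage, never inside the mmap'd cage */
    void *caged = cage(elsewhere);
    *outside_forced_in = !cage_contains(elsewhere) && cage_contains(caged);
    return 0;
}

int main(void)
{
    int unchanged = 0, forced = 0;
    if (cage_demo(&unchanged, &forced) != 0)
        return 1;
    printf("in-cage pointer unchanged: %d, out-of-cage pointer forced into cage: %d\n",
           unchanged, forced);
    return (unchanged && forced) ? 0 : 1;
}
```

Two properties matter for the mitigation and both are visible here: legitimate pointers are untouched (the mask is the identity on in-cage addresses, so no extra cost beyond the masking itself), and the operation is unconditional arithmetic rather than a bounds check, so there is no branch that a corrupted pointer could be steered around. Keeping separate cages for primitive data and for JSValue-holding storage, as the entry above does, additionally stops a corrupted primitive pointer from being aimed at memory that holds object references.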
2031
2032 2017-08-07  Commit Queue  <commit-queue@webkit.org>
2033
2034         Unreviewed, rolling out r220144.
2035         https://bugs.webkit.org/show_bug.cgi?id=175276
2036
2037         "It did not actually speed things up in the way I expected"
2038         (Requested by saamyjoon on #webkit).
2039
2040         Reverted changeset:
2041
2042         "On memory-constrained iOS devices, reduce the rate at which
2043         the JS heap grows before a GC to try to keep more memory
2044         available for the system"
2045         https://bugs.webkit.org/show_bug.cgi?id=175041
2046         http://trac.webkit.org/changeset/220144
2047
2048 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
2049
2050         Unreviewed, rolling out r220299.
2051
2052         This change caused LayoutTest inspector/dom-debugger/dom-
2053         breakpoints.html to fail.
2054
2055         Reverted changeset:
2056
2057         "Web Inspector: capture async stack trace when workers/main
2058         context posts a message"
2059         https://bugs.webkit.org/show_bug.cgi?id=167084
2060         http://trac.webkit.org/changeset/220299
2061
2062 2017-08-07  Brian Burg  <bburg@apple.com>
2063
2064         Remove CANVAS_PATH compilation guard
2065         https://bugs.webkit.org/show_bug.cgi?id=175207
2066
2067         Reviewed by Sam Weinig.
2068
2069         * Configurations/FeatureDefines.xcconfig:
2070
2071 2017-08-07  Keith Miller  <keith_miller@apple.com>
2072
2073         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
2074         https://bugs.webkit.org/show_bug.cgi?id=175256
2075
2076         Reviewed by Saam Barati.
2077
2078         The check in createFromBytes just needed to check that the buffer was not null before
2079         calling isCaged.
2080
2081         * runtime/ArrayBuffer.cpp:
2082         (JSC::ArrayBuffer::createFromBytes):
2083
2084 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
2085
2086         [GTK][WPE] Add API to provide browser information required by automation
2087         https://bugs.webkit.org/show_bug.cgi?id=175130
2088
2089         Reviewed by Brian Burg.
2090
2091         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
2092         get them.
2093
2094         * inspector/remote/RemoteInspector.cpp:
2095         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
2096         * inspector/remote/RemoteInspector.h:
2097         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2098         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
2099         requested to ensure they are updated before StartAutomationSession reply is sent.
2100         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
2101         StartAutomationSession message.
2102
2103 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2104
2105         Promise resolve and reject function should have length = 1
2106         https://bugs.webkit.org/show_bug.cgi?id=175242
2107
2108         Reviewed by Saam Barati.
2109
2110         Previously we had a separate system for "length" and "name" for builtin functions.
2111         The builtin functions do not use the lazy reifying system. Instead, they have direct
2112         properties set when they are instantiated. While the function created for properties (like
2113         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
2114         these builtin functions are just created by JSFunction::create(). Since it does
2115         not set any values for "length", these functions do not have a "length" property.
2116         So, the resolve and reject functions passed to Promise's executor do not have a
2117         "length" property.
2118
2119         This patch makes builtin functions use the standard lazy reifying system for "length".
2120         So, the "length" property of a builtin function just works as it does for normal
2121         functions.
2122
2123         * runtime/JSFunction.cpp:
2124         (JSC::JSFunction::createBuiltinFunction):
2125         (JSC::JSFunction::getOwnPropertySlot):
2126         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2127         (JSC::JSFunction::put):
2128         (JSC::JSFunction::deleteProperty):
2129         (JSC::JSFunction::defineOwnProperty):
2130         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2131         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2132         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2133         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2134         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2135         * runtime/JSFunction.h:
2136
2137 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2138
2139         [ESNext] Async iteration - Implement Async Generator - parser
2140         https://bugs.webkit.org/show_bug.cgi?id=175210
2141
2142         Reviewed by Yusuke Suzuki.
2143
2144         The current implementation is a draft version of Async Iteration.
2145         Link to spec: https://tc39.github.io/proposal-async-iteration/
2146
2147         The current patch implements only the parser part of the Async generator.
2148         The runtime part will be in the next patches.
2149
2150         * parser/ASTBuilder.h:
2151         (JSC::ASTBuilder::createFunctionMetadata):
2152         * parser/Parser.cpp:
2153         (JSC::getAsynFunctionBodyParseMode):
2154         (JSC::Parser<LexerType>::parseInner):
2155         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2156         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2157         (JSC::stringArticleForFunctionMode):
2158         (JSC::stringForFunctionMode):
2159         (JSC::Parser<LexerType>::parseFunctionInfo):
2160         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2161         (JSC::Parser<LexerType>::parseClass):
2162         (JSC::Parser<LexerType>::parseProperty):
2163         (JSC::Parser<LexerType>::parsePropertyMethod):
2164         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2165         * parser/Parser.h:
2166         (JSC::Scope::setSourceParseMode):
2167         * parser/ParserModes.h:
2168         (JSC::isFunctionParseMode):
2169         (JSC::isAsyncFunctionParseMode):
2170         (JSC::isAsyncArrowFunctionParseMode):
2171         (JSC::isAsyncGeneratorFunctionParseMode):
2172         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2173         (JSC::isAsyncFunctionWrapperParseMode):
2174         (JSC::isAsyncFunctionBodyParseMode):
2175         (JSC::isGeneratorMethodParseMode):
2176         (JSC::isAsyncMethodParseMode):
2177         (JSC::isAsyncGeneratorMethodParseMode):
2178         (JSC::isMethodParseMode):
2179         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2180         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2181
2182 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2183
2184         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2185         https://bugs.webkit.org/show_bug.cgi?id=175083
2186
2187         Reviewed by Oliver Hunt.
2188         
2189         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2190         even if we are using the pop path.
2191         
2192         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2193         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2194         the world just because we changed it.
2195         
2196         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2197         easier to debug leaks.
2198
2199         * bytecode/AccessCase.cpp:
2200         * bytecode/PolymorphicAccess.cpp:
2201         * heap/HeapCell.cpp:
2202         (JSC::HeapCell::isLive):
2203         * heap/HeapCellInlines.h:
2204         (JSC::HeapCell::isLive): Deleted.
2205         * heap/MarkedAllocator.cpp:
2206         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2207         (JSC::MarkedAllocator::endMarking):
2208         * heap/MarkedBlockInlines.h:
2209         (JSC::MarkedBlock::Handle::specializedSweep):
2210         * jit/AssemblyHelpers.cpp:
2211         * jit/Repatch.cpp:
2212         * runtime/TestRunnerUtils.h:
2213         * runtime/VM.cpp:
2214         (JSC::waitForVMDestruction):
2215         (JSC::VM::~VM):
2216
2217 2017-08-05  Mark Lam  <mark.lam@apple.com>
2218
2219         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2220         https://bugs.webkit.org/show_bug.cgi?id=175228
2221         <rdar://problem/33735737>
2222
2223         Reviewed by Saam Barati.
2224
2225         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2226         delete OSRExit32_64.cpp.
2227
2228         * CMakeLists.txt:
2229         * JavaScriptCore.xcodeproj/project.pbxproj:
2230         * dfg/DFGOSRExit.cpp:
2231         (JSC::DFG::OSRExit::compileExit):
2232         * dfg/DFGOSRExit32_64.cpp: Removed.
2233         * jit/GPRInfo.h:
2234         (JSC::JSValueSource::payloadGPR const):
2235
2236 2017-08-04  Youenn Fablet  <youenn@apple.com>
2237
2238         [Cache API] Add Cache and CacheStorage IDL definitions
2239         https://bugs.webkit.org/show_bug.cgi?id=175201
2240
2241         Reviewed by Brady Eidson.
2242
2243         * runtime/CommonIdentifiers.h:
2244
2245 2017-08-04  Mark Lam  <mark.lam@apple.com>
2246
2247         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2248         https://bugs.webkit.org/show_bug.cgi?id=175230
2249         <rdar://problem/33735857>
2250
2251         Reviewed by Saam Barati.
2252
2253         * assembler/testmasm.cpp:
2254         (JSC::testProbeReadsArgumentRegisters):
2255         (JSC::testProbeWritesArgumentRegisters):
2256
2257 2017-08-04  Mark Lam  <mark.lam@apple.com>
2258
2259         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2260         https://bugs.webkit.org/show_bug.cgi?id=175214
2261         <rdar://problem/33733308>
2262
2263         Rubber-stamped by Michael Saboff.
2264
2265         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2266         DFGOSRExitCompiler files.
2267
2268         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2269
2270         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2271         used by compileOSRExit(), and will be changed to not be a DFG operation function
2272         when we use JIT probes for DFG OSR exits later in
2273         https://bugs.webkit.org/show_bug.cgi?id=175144.
2274
2275         * CMakeLists.txt:
2276         * JavaScriptCore.xcodeproj/project.pbxproj:
2277         * dfg/DFGJITCompiler.cpp:
2278         * dfg/DFGOSRExit.cpp:
2279         (JSC::DFG::OSRExit::emitRestoreArguments):
2280         (JSC::DFG::OSRExit::compileOSRExit):
2281         (JSC::DFG::OSRExit::compileExit):
2282         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2283         * dfg/DFGOSRExit.h:
2284         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2285         * dfg/DFGOSRExitCompiler.cpp: Removed.
2286         * dfg/DFGOSRExitCompiler.h: Removed.
2287         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2288         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2289         * dfg/DFGOperations.cpp:
2290         * dfg/DFGOperations.h:
2291         * dfg/DFGThunks.cpp:
2292
2293 2017-08-04  Matt Baker  <mattbaker@apple.com>
2294
2295         Web Inspector: capture async stack trace when workers/main context posts a message
2296         https://bugs.webkit.org/show_bug.cgi?id=167084
2297         <rdar://problem/30033673>
2298
2299         Reviewed by Brian Burg.
2300
2301         * inspector/agents/InspectorDebuggerAgent.h:
2302         Add `PostMessage` async call type.
2303
2304 2017-08-04  Mark Lam  <mark.lam@apple.com>
2305
2306         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2307         https://bugs.webkit.org/show_bug.cgi?id=175208
2308         <rdar://problem/33732402>
2309
2310         Reviewed by Saam Barati.
2311
2312         This will minimize the code diff and make it easier to review the patch for
2313         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2314         steps:
2315
2316         1. Do the code changes to move methods into OSRExit.
2317         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2318         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2319
2320         Splitting this refactoring into these 3 steps also makes it easier to review this
2321         patch and understand what is being changed.
2322
2323         * dfg/DFGOSRExit.h:
2324         * dfg/DFGOSRExitCompiler.cpp:
2325         (JSC::DFG::OSRExit::emitRestoreArguments):
2326         (JSC::DFG::OSRExit::compileOSRExit):
2327         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2328         (): Deleted.
2329         * dfg/DFGOSRExitCompiler.h:
2330         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2331         (): Deleted.
2332         * dfg/DFGOSRExitCompiler32_64.cpp:
2333         (JSC::DFG::OSRExit::compileExit):
2334         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2335         * dfg/DFGOSRExitCompiler64.cpp:
2336         (JSC::DFG::OSRExit::compileExit):
2337         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2338         * dfg/DFGThunks.cpp:
2339         (JSC::DFG::osrExitGenerationThunkGenerator):
2340
2341 2017-08-04  Devin Rousso  <drousso@apple.com>
2342
2343         Web Inspector: add source view for WebGL shader programs
2344         https://bugs.webkit.org/show_bug.cgi?id=138593
2345         <rdar://problem/18936194>
2346
2347         Reviewed by Matt Baker.
2348
2349         * inspector/protocol/Canvas.json:
2350          - Add `ShaderType` enum that contains "vertex" and "fragment".
2351          - Add `requestShaderSource` command that will return the original source code for a given
2352            shader program and shader type.
2353
2354 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2355
2356         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2357         https://bugs.webkit.org/show_bug.cgi?id=175141
2358
2359         Reviewed by Mark Lam.
2360         
2361         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2362         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2363         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2364         determined by the AlignedMemoryAllocator object.
2365         
2366         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2367         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2368         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2369         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2370         they use the same AlignedMemoryAllocator.
2371
2372         * CMakeLists.txt:
2373         * JavaScriptCore.xcodeproj/project.pbxproj:
2374         * heap/AlignedMemoryAllocator.cpp: Added.
2375         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2376         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2377         * heap/AlignedMemoryAllocator.h: Added.
2378         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2379         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2380         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2381         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2382         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2383         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2384         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2385         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2386         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2387         (JSC::GigacageAlignedMemoryAllocator::singleton):
2388         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2389         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2390         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2391         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2392         (JSC::GigacageAlignedMemoryAllocator::dump const):
2393         * heap/GigacageAlignedMemoryAllocator.h: Added.
2394         * heap/GigacageSubspace.cpp: Removed.
2395         * heap/GigacageSubspace.h: Removed.
2396         * heap/LargeAllocation.cpp:
2397         (JSC::LargeAllocation::tryCreate):
2398         (JSC::LargeAllocation::destroy):
2399         * heap/MarkedAllocator.cpp:
2400         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2401         * heap/MarkedBlock.cpp:
2402         (JSC::MarkedBlock::tryCreate):
2403         (JSC::MarkedBlock::Handle::Handle):
2404         (JSC::MarkedBlock::Handle::~Handle):
2405         (JSC::MarkedBlock::Handle::didAddToAllocator):
2406         (JSC::MarkedBlock::Handle::subspace const):
2407         * heap/MarkedBlock.h:
2408         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2409         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2410         * heap/Subspace.cpp:
2411         (JSC::Subspace::Subspace):
2412         (JSC::Subspace::findEmptyBlockToSteal):
2413         (JSC::Subspace::canTradeBlocksWith): Deleted.
2414         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2415         (JSC::Subspace::freeAlignedMemory): Deleted.
2416         * heap/Subspace.h:
2417         (JSC::Subspace::name const):
2418         (JSC::Subspace::alignedMemoryAllocator const):
2419         * runtime/JSDestructibleObjectSubspace.cpp:
2420         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2421         * runtime/JSDestructibleObjectSubspace.h:
2422         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2423         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2424         * runtime/JSSegmentedVariableObjectSubspace.h:
2425         * runtime/JSStringSubspace.cpp:
2426         (JSC::JSStringSubspace::JSStringSubspace):
2427         * runtime/JSStringSubspace.h:
2428         * runtime/VM.cpp:
2429         (JSC::VM::VM):
2430         * runtime/VM.h:
2431         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2432         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2433         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2434
2435 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2436
2437         [ESNext] Async iteration - update feature.json
2438         https://bugs.webkit.org/show_bug.cgi?id=175197
2439
2440         Reviewed by Yusuke Suzuki.
2441
2442         Update feature.json to add the status of Async Iteration.
2443
2444         * features.json:
2445
2446 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2447
2448         Unreviewed, rolling out r220271.
2449
2450         Rolling out due to Layout Test failing on iOS Simulator.
2451
2452         Reverted changeset:
2453
2454         "Remove STREAMS_API compilation guard"
2455         https://bugs.webkit.org/show_bug.cgi?id=175165
2456         http://trac.webkit.org/changeset/220271
2457
2458 2017-08-04  Youenn Fablet  <youenn@apple.com>
2459
2460         Remove STREAMS_API compilation guard
2461         https://bugs.webkit.org/show_bug.cgi?id=175165
2462
2463         Reviewed by Darin Adler.
2464
2465         * Configurations/FeatureDefines.xcconfig:
2466
2467 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2468
2469         [EsNext] Async iteration - Add feature flag
2470         https://bugs.webkit.org/show_bug.cgi?id=166694
2471
2472         Reviewed by Yusuke Suzuki.
2473
2474         Add a feature flag to JSC to switch Async Iterator on/off.
2475
2476         * runtime/Options.h:
2477
2478 2017-08-03  Brian Burg  <bburg@apple.com>
2479
2480         Remove ENABLE(WEB_SOCKET) guards
2481         https://bugs.webkit.org/show_bug.cgi?id=167044
2482
2483         Reviewed by Joseph Pecoraro.
2484
2485         * Configurations/FeatureDefines.xcconfig:
2486
2487 2017-08-03  Youenn Fablet  <youenn@apple.com>
2488
2489         Remove FETCH_API compilation guard
2490         https://bugs.webkit.org/show_bug.cgi?id=175154
2491
2492         Reviewed by Chris Dumez.
2493
2494         * Configurations/FeatureDefines.xcconfig:
2495
2496 2017-08-03  Matt Baker  <mattbaker@apple.com>
2497
2498         Web Inspector: Instrument WebGLProgram created/deleted
2499         https://bugs.webkit.org/show_bug.cgi?id=175059
2500
2501         Reviewed by Devin Rousso.
2502
2503         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2504
2505         * inspector/protocol/Canvas.json:
2506
2507 2017-08-03  Brady Eidson  <beidson@apple.com>
2508
2509         Add SW IDLs and stub out basic functionality.
2510         https://bugs.webkit.org/show_bug.cgi?id=175115
2511
2512         Reviewed by Chris Dumez.
2513
2514         * Configurations/FeatureDefines.xcconfig:
2515
2516         * runtime/CommonIdentifiers.h:
2517
2518 2017-08-03  Mark Lam  <mark.lam@apple.com>
2519
2520         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2521         https://bugs.webkit.org/show_bug.cgi?id=175142
2522         <rdar://problem/33704528>
2523
2524         Reviewed by Filip Pizlo.
2525
2526         The convention in the rest of JSC for such methods which return the address of
2527         a field is to name them "addressOf<field name>".  We'll rename
2528         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2529
2530         * dfg/DFGSpeculativeJIT.cpp:
2531         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2532         * dfg/DFGSpeculativeJIT32_64.cpp:
2533         (JSC::DFG::SpeculativeJIT::compile):
2534         * dfg/DFGSpeculativeJIT64.cpp:
2535         (JSC::DFG::SpeculativeJIT::compile):
2536         * dfg/DFGThunks.cpp:
2537         (JSC::DFG::osrExitGenerationThunkGenerator):
2538         * ftl/FTLLowerDFGToB3.cpp:
2539         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2540         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2541         * ftl/FTLThunks.cpp:
2542         (JSC::FTL::genericGenerationThunkGenerator):
2543         * jit/AssemblyHelpers.cpp:
2544         (JSC::AssemblyHelpers::debugCall):
2545         * jit/ScratchRegisterAllocator.cpp:
2546         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2547         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2548         * runtime/VM.h:
2549         (JSC::ScratchBuffer::addressOfActiveLength):
2550         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2551         * wasm/WasmBinding.cpp:
2552         (JSC::Wasm::wasmToJs):
2553
2554 2017-08-02  Devin Rousso  <drousso@apple.com>
2555
2556         Web Inspector: add stack trace information for each RecordingAction
2557         https://bugs.webkit.org/show_bug.cgi?id=174663
2558
2559         Reviewed by Joseph Pecoraro.
2560
2561         * inspector/ScriptCallFrame.h:
2562         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2563         with an existing value doesn't require a functor and can use existing code.
2564
2565         * interpreter/StackVisitor.h:
2566         * interpreter/StackVisitor.cpp:
2567         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2568
2569 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2570
2571         Merge WTFThreadData to Thread::current
2572         https://bugs.webkit.org/show_bug.cgi?id=174716
2573
2574         Reviewed by Mark Lam.
2575
2576         Use Thread::current() instead.
2577
2578         * API/JSContext.mm:
2579         (+[JSContext currentContext]):
2580         (+[JSContext currentThis]):
2581         (+[JSContext currentCallee]):
2582         (+[JSContext currentArguments]):
2583         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2584         (-[JSContext endCallbackWithData:]):
2585         * heap/Heap.cpp:
2586         (JSC::Heap::requestCollection):
2587         * runtime/Completion.cpp:
2588         (JSC::checkSyntax):
2589         (JSC::checkModuleSyntax):
2590         (JSC::evaluate):
2591         (JSC::loadAndEvaluateModule):
2592         (JSC::loadModule):
2593         (JSC::linkAndEvaluateModule):
2594         (JSC::importModule):
2595         * runtime/Identifier.cpp:
2596         (JSC::Identifier::checkCurrentAtomicStringTable):
2597         * runtime/InitializeThreading.cpp:
2598         (JSC::initializeThreading):
2599         * runtime/JSLock.cpp:
2600         (JSC::JSLock::didAcquireLock):
2601         (JSC::JSLock::willReleaseLock):
2602         (JSC::JSLock::dropAllLocks):
2603         (JSC::JSLock::grabAllLocks):
2604         * runtime/JSLock.h:
2605         * runtime/VM.cpp:
2606         (JSC::VM::VM):
2607         (JSC::VM::updateStackLimits):
2608         (JSC::VM::committedStackByteCount):
2609         * runtime/VM.h:
2610         (JSC::VM::isSafeToRecurse const):
2611         * runtime/VMEntryScope.cpp:
2612         (JSC::VMEntryScope::VMEntryScope):
2613         * runtime/VMInlines.h:
2614         (JSC::VM::ensureStackCapacityFor):
2615         * yarr/YarrPattern.cpp:
2616         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2617
2618 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2619
2620         LLInt should do pointer caging
2621         https://bugs.webkit.org/show_bug.cgi?id=175036
2622
2623         Reviewed by Keith Miller.
2624
2625         Implementing this in the LLInt was challenging because offlineasm did not previously know
2626         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2627         to be where the Gigacage is enabled right now.
2628
2629         * llint/LLIntOfflineAsmConfig.h:
2630         * llint/LowLevelInterpreter64.asm:
2631         * offlineasm/ast.rb:
2632         * offlineasm/x86.rb:
2633
2634 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2635
2636         Sweeping should only scribble when sweeping to free list
2637         https://bugs.webkit.org/show_bug.cgi?id=175105
2638
2639         Reviewed by Saam Barati.
2640         
2641         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2642         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2643         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2644         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2645         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2646         when it doesn't matter anyway because we're building a free list.
2647         
2648         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2649         zap.
2650
2651         * heap/MarkedBlockInlines.h:
2652         (JSC::MarkedBlock::Handle::specializedSweep):
2653
2654 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2655
2656         All C++ accesses to JSObject::m_butterfly should do caging
2657         https://bugs.webkit.org/show_bug.cgi?id=175039
2658
2659         Reviewed by Keith Miller.
2660         
2661         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2662         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2663         outside the gigacage.
2664
2665         * runtime/JSArray.cpp:
2666         (JSC::JSArray::setLength):
2667         (JSC::JSArray::pop):
2668         (JSC::JSArray::push):
2669         (JSC::JSArray::shiftCountWithAnyIndexingType):
2670         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2671         (JSC::JSArray::fillArgList):
2672         (JSC::JSArray::copyToArguments):
2673         * runtime/JSObject.cpp:
2674         (JSC::JSObject::heapSnapshot):
2675         (JSC::JSObject::createInitialIndexedStorage):
2676         (JSC::JSObject::createArrayStorage):
2677         (JSC::JSObject::convertUndecidedToInt32):
2678         (JSC::JSObject::convertUndecidedToDouble):
2679         (JSC::JSObject::convertUndecidedToContiguous):
2680         (JSC::JSObject::convertInt32ToDouble):
2681         (JSC::JSObject::convertInt32ToArrayStorage):
2682         (JSC::JSObject::convertDoubleToContiguous):
2683         (JSC::JSObject::convertDoubleToArrayStorage):
2684         (JSC::JSObject::convertContiguousToArrayStorage):
2685         (JSC::JSObject::defineOwnIndexedProperty):
2686         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2687         (JSC::JSObject::ensureLengthSlow):
2688         (JSC::JSObject::allocateMoreOutOfLineStorage):
2689         * runtime/JSObject.h:
2690         (JSC::JSObject::canGetIndexQuickly):
2691         (JSC::JSObject::getIndexQuickly):
2692         (JSC::JSObject::tryGetIndexQuickly const):
2693         (JSC::JSObject::canSetIndexQuickly):
2694         (JSC::JSObject::setIndexQuickly):
2695         (JSC::JSObject::initializeIndex):
2696         (JSC::JSObject::initializeIndexWithoutBarrier):
2697         (JSC::JSObject::butterfly const):
2698         (JSC::JSObject::butterfly):
2699
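        The caging step referred to in this entry (CagedPtr<> on m_butterfly, bug 175039) and in the
        Gigacage entry for bug 174727 below ("we do masking to ensure that the pointer points into the
        gigacage"), shown as a constructed C demo added here; it is not WebKit's or bmalloc's code. The
        64 KiB cage size, the Cage struct, DemoObject and demo_load_byte are assumptions made for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Constructed demo of pointer caging (hypothetical code, not WebKit's).
 * The cage is a power-of-two-sized region whose base is aligned to its
 * size, so "ptr & CAGE_MASK" is ptr's offset inside the cage and
 * "base + offset" always lands inside it. A real Gigacage is multi-GB;
 * 64 KiB is enough to show the arithmetic.
 */
#define CAGE_SIZE ((uintptr_t)1 << 16)
#define CAGE_MASK (CAGE_SIZE - 1)

typedef struct {
    void *raw;      /* underlying allocation (over-sized so we can align) */
    uintptr_t base; /* CAGE_SIZE-aligned start of the cage */
} Cage;

/* Reserve a zeroed region and round its base up to a CAGE_SIZE boundary. */
bool cage_create(Cage *cage)
{
    cage->raw = calloc(1, 2 * CAGE_SIZE);
    if (!cage->raw)
        return false;
    cage->base = ((uintptr_t)cage->raw + CAGE_MASK) & ~CAGE_MASK;
    return true;
}

void cage_destroy(Cage *cage)
{
    free(cage->raw);
    cage->raw = NULL;
    cage->base = 0;
}

/* True if ptr lies inside [base, base + CAGE_SIZE). */
bool cage_contains(const Cage *cage, const void *ptr)
{
    uintptr_t p = (uintptr_t)ptr;
    return p >= cage->base && p - cage->base < CAGE_SIZE;
}

/*
 * The caging step: keep only the in-cage offset bits of ptr and rebase
 * them onto the cage. An in-cage pointer comes back unchanged; any other
 * pointer is remapped to some address inside the cage, so a dereference
 * through the result cannot reach memory outside it.
 */
void *caged(const Cage *cage, void *ptr)
{
    return (void *)(cage->base + ((uintptr_t)ptr & CAGE_MASK));
}

/* Stand-in for an object holding a butterfly pointer (m_butterfly). */
typedef struct {
    void *m_butterfly;
} DemoObject;

/* Every access goes through caged() first, as CagedPtr<> forces in C++. */
uint8_t demo_load_byte(const Cage *cage, const DemoObject *obj, size_t index)
{
    uint8_t *storage = (uint8_t *)caged(cage, obj->m_butterfly);
    return storage[index];
}

/*
 * Returns true when an in-cage butterfly reads normally and a butterfly
 * pointer that has been redirected outside the cage is pulled back inside
 * before the load, so the outside bytes are never read.
 */
bool demo_run(void)
{
    Cage cage;
    if (!cage_create(&cage))
        return false;

    uint8_t *butterfly = (uint8_t *)(cage.base + 256); /* in-cage storage */
    butterfly[0] = 0x11;
    butterfly[1] = 0x22;

    uint8_t outside[2] = { 0xAA, 0xBB }; /* constructed bytes off the cage */

    DemoObject good = { butterfly };
    DemoObject bad = { outside }; /* pointer no longer points into the cage */

    bool ok = demo_load_byte(&cage, &good, 1) == 0x22;
    ok = ok && !cage_contains(&cage, outside);
    ok = ok && cage_contains(&cage, caged(&cage, bad.m_butterfly));
    ok = ok && demo_load_byte(&cage, &bad, 0) != 0xAA; /* cage holds 0/0x11/0x22 */

    cage_destroy(&cage);
    return ok;
}

int main(void)
{
    printf("caging demo %s\n", demo_run() ? "ok" : "FAILED");
    return 0;
}
```
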
2700 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2701
2702         We should be OK with the gigacage being disabled on gmalloc
2703         https://bugs.webkit.org/show_bug.cgi?id=175082
2704
2705         Reviewed by Michael Saboff.
2706
2707         * jsc.cpp:
2708         (jscmain):
2709
2710 2017-08-02  Saam Barati  <sbarati@apple.com>
2711
2712         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2713         https://bugs.webkit.org/show_bug.cgi?id=175041
2714         <rdar://problem/33659370>
2715
2716         Reviewed by Filip Pizlo.
2717
2718         The testing I have done shows that this new function is a ~10%
2719         progression running JetStream on 1GB iOS devices. I've also tried
2720         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2721         or a regression. Right now, we'll just enable this for <= 1GB devices
2722         since it's a win. In the future, we might want to either look into
2723         tweaking these parameters or coming up with a new function for > 1GB
2724         devices.
2725
2726         * heap/Heap.cpp:
2727         * runtime/Options.h:
2728
2729 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2730
2731         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2732         https://bugs.webkit.org/show_bug.cgi?id=174727
2733
2734         Reviewed by Mark Lam.
2735         
2736         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2737         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2738         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2739         
2740         This is neutral on JetStream.
2741
2742         * CMakeLists.txt:
2743         * JavaScriptCore.xcodeproj/project.pbxproj:
2744         * b3/B3InsertionSet.cpp:
2745         (JSC::B3::InsertionSet::execute):
2746         * dfg/DFGAbstractInterpreterInlines.h:
2747         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2748         * dfg/DFGArgumentsEliminationPhase.cpp:
2749         * dfg/DFGClobberize.cpp:
2750         (JSC::DFG::readsOverlap):
2751         * dfg/DFGClobberize.h:
2752         (JSC::DFG::clobberize):
2753         * dfg/DFGDoesGC.cpp:
2754         (JSC::DFG::doesGC):
2755         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2756         (JSC::DFG::performFixedButterflyAccessUncaging):
2757         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2758         * dfg/DFGFixupPhase.cpp:
2759         (JSC::DFG::FixupPhase::fixupNode):
2760         * dfg/DFGHeapLocation.cpp:
2761         (WTF::printInternal):
2762         * dfg/DFGHeapLocation.h:
2763         * dfg/DFGNodeType.h:
2764         * dfg/DFGPlan.cpp:
2765         (JSC::DFG::Plan::compileInThreadImpl):
2766         * dfg/DFGPredictionPropagationPhase.cpp:
2767         * dfg/DFGSafeToExecute.h:
2768         (JSC::DFG::safeToExecute):
2769         * dfg/DFGSpeculativeJIT.cpp:
2770         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2771         * dfg/DFGSpeculativeJIT32_64.cpp:
2772         (JSC::DFG::SpeculativeJIT::compile):
2773         * dfg/DFGSpeculativeJIT64.cpp:
2774         (JSC::DFG::SpeculativeJIT::compile):
2775         * dfg/DFGTypeCheckHoistingPhase.cpp:
2776         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2777         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2778         * ftl/FTLCapabilities.cpp:
2779         (JSC::FTL::canCompile):
2780         * ftl/FTLLowerDFGToB3.cpp:
2781         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2782         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2783         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2784         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2785         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2786         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2787         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2788         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2789         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2790         (JSC::FTL::DFG::LowerDFGToB3::caged):
2791         * heap/GigacageSubspace.cpp: Added.
2792         (JSC::GigacageSubspace::GigacageSubspace):
2793         (JSC::GigacageSubspace::~GigacageSubspace):
2794         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2795         (JSC::GigacageSubspace::freeAlignedMemory):
2796         (JSC::GigacageSubspace::canTradeBlocksWith):
2797         * heap/GigacageSubspace.h: Added.
2798         * heap/Heap.cpp:
2799         (JSC::Heap::Heap):
2800         (JSC::Heap::lastChanceToFinalize):
2801         (JSC::Heap::finalize):
2802         (JSC::Heap::sweepInFinalize):
2803         (JSC::Heap::updateAllocationLimits):
2804         (JSC::Heap::shouldDoFullCollection):
2805         (JSC::Heap::collectIfNecessaryOrDefer):
2806         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2807         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2808         (JSC::Heap::sweepLargeAllocations): Deleted.
2809         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2810         * heap/Heap.h:
2811         * heap/LargeAllocation.cpp:
2812         (JSC::LargeAllocation::tryCreate):
2813         (JSC::LargeAllocation::destroy):
2814         * heap/MarkedAllocator.cpp:
2815         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2816         (JSC::MarkedAllocator::tryAllocateBlock):
2817         * heap/MarkedBlock.cpp:
2818         (JSC::MarkedBlock::tryCreate):
2819         (JSC::MarkedBlock::Handle::Handle):
2820         (JSC::MarkedBlock::Handle::~Handle):
2821         (JSC::MarkedBlock::Handle::didAddToAllocator):
2822         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2823         * heap/MarkedBlock.h:
2824         (JSC::MarkedBlock::Handle::subspace const):
2825         * heap/MarkedSpace.cpp:
2826         (JSC::MarkedSpace::~MarkedSpace):
2827         (JSC::MarkedSpace::freeMemory):
2828         (JSC::MarkedSpace::prepareForAllocation):
2829         (JSC::MarkedSpace::addMarkedAllocator):
2830         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2831         * heap/MarkedSpace.h:
2832         (JSC::MarkedSpace::firstAllocator const):
2833         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2834         * heap/Subspace.cpp:
2835         (JSC::Subspace::Subspace):
2836         (JSC::Subspace::canTradeBlocksWith):
2837         (JSC::Subspace::tryAllocateAlignedMemory):
2838         (JSC::Subspace::freeAlignedMemory):
2839         (JSC::Subspace::prepareForAllocation):
2840         (JSC::Subspace::findEmptyBlockToSteal):
2841         * heap/Subspace.h:
2842         (JSC::Subspace::didCreateFirstAllocator):
2843         * heap/SubspaceInlines.h:
2844         (JSC::Subspace::forEachAllocator):
2845         (JSC::Subspace::forEachMarkedBlock):
2846         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2847         * jit/JITPropertyAccess.cpp:
2848         (JSC::JIT::emitDoubleLoad):
2849         (JSC::JIT::emitContiguousLoad):
2850         (JSC::JIT::emitArrayStorageLoad):
2851         (JSC::JIT::emitGenericContiguousPutByVal):
2852         (JSC::JIT::emitArrayStoragePutByVal):
2853         (JSC::JIT::emit_op_get_from_scope):
2854         (JSC::JIT::emit_op_put_to_scope):
2855         (JSC::JIT::emitIntTypedArrayGetByVal):
2856         (JSC::JIT::emitFloatTypedArrayGetByVal):
2857         (JSC::JIT::emitIntTypedArrayPutByVal):
2858         (JSC::JIT::emitFloatTypedArrayPutByVal):
2859         * jsc.cpp:
2860         (fillBufferWithContentsOfFile):
2861         (functionReadFile):
2862         (gigacageDisabled):
2863         (jscmain):
2864         * llint/LowLevelInterpreter64.asm:
2865         * runtime/ArrayBuffer.cpp:
2866         (JSC::ArrayBufferContents::tryAllocate):
2867         (JSC::ArrayBuffer::createAdopted):
2868         (JSC::ArrayBuffer::createFromBytes):
2869         (JSC::ArrayBuffer::tryCreate):
2870         * runtime/IndexingHeader.h:
2871         * runtime/InitializeThreading.cpp:
2872         (JSC::initializeThreading):
2873         * runtime/JSArrayBuffer.cpp:
2874         * runtime/JSArrayBufferView.cpp:
2875         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2876         (JSC::JSArrayBufferView::finalize):
2877         * runtime/JSLock.cpp:
2878         (JSC::JSLock::didAcquireLock):
2879         * runtime/JSObject.h:
2880         * runtime/Options.cpp:
2881         (JSC::recomputeDependentOptions):
2882         * runtime/Options.h:
2883         * runtime/ScopedArgumentsTable.h:
2884         * runtime/VM.cpp:
2885         (JSC::VM::VM):
2886         (JSC::VM::~VM):
2887         (JSC::VM::gigacageDisabledCallback):
2888         (JSC::VM::gigacageDisabled):
2889         * runtime/VM.h:
2890         (JSC::VM::fireGigacageEnabledIfNecessary):
2891         (JSC::VM::gigacageEnabled):
2892         * wasm/WasmB3IRGenerator.cpp:
2893         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2894         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2895         * wasm/WasmCodeBlock.cpp:
2896         (JSC::Wasm::CodeBlock::isSafeToRun):
2897         * wasm/WasmMemory.cpp:
2898         (JSC::Wasm::makeString):
2899         (JSC::Wasm::Memory::create):
2900         (JSC::Wasm::Memory::~Memory):
2901         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2902         (JSC::Wasm::Memory::grow):
2903         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2904         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2905         * wasm/WasmMemory.h:
2906         * wasm/js/JSWebAssemblyInstance.cpp:
2907         (JSC::JSWebAssemblyInstance::create):
2908         * wasm/js/JSWebAssemblyMemory.cpp:
2909         (JSC::JSWebAssemblyMemory::grow):
2910         (JSC::JSWebAssemblyMemory::finishCreation):
2911         * wasm/js/JSWebAssemblyMemory.h:
2912         (JSC::JSWebAssemblyMemory::subspaceFor):
2913
2914 2017-07-31  Mark Lam  <mark.lam@apple.com>
2915
2916         Added some UNLIKELYs to operationOptimize().
2917         https://bugs.webkit.org/show_bug.cgi?id=174976
2918
2919         Reviewed by JF Bastien.
2920
2921         * jit/JITOperations.cpp:
2922
2923 2017-07-31  Keith Miller  <keith_miller@apple.com>
2924
2925         Make more things LLInt constexprs
2926         https://bugs.webkit.org/show_bug.cgi?id=174994
2927
2928         Reviewed by Saam Barati.
2929
2930         This patch makes more const values in the LLInt constexprs.
2931         It also deletes all of the no longer necessary static_asserts in
2932         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2933
2934         * interpreter/ShadowChicken.h:
2935         (JSC::ShadowChicken::Packet::tailMarker):
2936         * llint/LLIntData.cpp:
2937         (JSC::LLInt::Data::performAssertions):
2938         * llint/LowLevelInterpreter.asm:
2939         * offlineasm/generate_offset_extractor.rb:
2940         * offlineasm/parser.rb:
2941
2942 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2943
2944         Unreviewed, rolling out r220060.
2945
2946         This broke our internal builds. Contact reviewer of patch for
2947         more information.
2948
2949         Reverted changeset:
2950
2951         "Merge WTFThreadData to Thread::current"
2952         https://bugs.webkit.org/show_bug.cgi?id=174716
2953         http://trac.webkit.org/changeset/220060
2954
2955 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2956
2957         [JSC] Support optional catch binding
2958         https://bugs.webkit.org/show_bug.cgi?id=174981
2959
2960         Reviewed by Saam Barati.
2961
2962         This patch implements the optional catch binding proposal[1], which is now stage 3.
2963         This proposal adds a new `catch` brace with no error value binding.
2964
2965             ```
2966                 try {
2967                     ...
2968                 } catch {
2969                     ...
2970                 }
2971             ```
2972
2973         Sometimes we do not actually need the error value. For example, a function may return a
2974         boolean that indicates whether it succeeded.
2975
2976             ```
2977             function parse(result) // -> bool
2978             {
2979                  try {
2980                      parseInner(result);
2981                  } catch {
2982                      return false;
2983                  }
2984                  return true;
2985             }
2986             ```
2987
2988         In the above case, we are not interested in the actual error value. Without this syntax,
2989         we always need to introduce a binding for an error value that is just ignored.
2990
2991         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2992
2993         * bytecompiler/NodesCodegen.cpp:
2994         (JSC::TryNode::emitBytecode):
2995         * parser/Parser.cpp:
2996         (JSC::Parser<LexerType>::parseTryStatement):
2997
2998 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2999
3000         Merge WTFThreadData to Thread::current
3001         https://bugs.webkit.org/show_bug.cgi?id=174716
3002
3003         Reviewed by Sam Weinig.
3004
3005         Use Thread::current() instead.
3006
3007         * API/JSContext.mm:
3008         (+[JSContext currentContext]):
3009         (+[JSContext currentThis]):
3010         (+[JSContext currentCallee]):
3011         (+[JSContext currentArguments]):
3012         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
3013         (-[JSContext endCallbackWithData:]):
3014         * heap/Heap.cpp:
3015         (JSC::Heap::requestCollection):
3016         * runtime/Completion.cpp:
3017         (JSC::checkSyntax):
3018         (JSC::checkModuleSyntax):
3019         (JSC::evaluate):
3020         (JSC::loadAndEvaluateModule):
3021         (JSC::loadModule):
3022         (JSC::linkAndEvaluateModule):
3023         (JSC::importModule):
3024         * runtime/Identifier.cpp:
3025         (JSC::Identifier::checkCurrentAtomicStringTable):
3026         * runtime/InitializeThreading.cpp:
3027         (JSC::initializeThreading):
3028         * runtime/JSLock.cpp:
3029         (JSC::JSLock::didAcquireLock):
3030         (JSC::JSLock::willReleaseLock):
3031         (JSC::JSLock::dropAllLocks):
3032         (JSC::JSLock::grabAllLocks):
3033         * runtime/JSLock.h:
3034         * runtime/VM.cpp:
3035         (JSC::VM::VM):
3036         (JSC::VM::updateStackLimits):
3037         (JSC::VM::committedStackByteCount):
3038         * runtime/VM.h:
3039         (JSC::VM::isSafeToRecurse const):
3040         * runtime/VMEntryScope.cpp:
3041         (JSC::VMEntryScope::VMEntryScope):
3042         * runtime/VMInlines.h:
3043         (JSC::VM::ensureStackCapacityFor):
3044         * yarr/YarrPattern.cpp:
3045         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
3046
3047 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3048
3049         [WTF] Introduce Private Symbols
3050         https://bugs.webkit.org/show_bug.cgi?id=174935
3051
3052         Reviewed by Darin Adler.
3053
3054         Use SymbolImpl::isPrivate().
3055
3056         * builtins/BuiltinNames.cpp:
3057         * builtins/BuiltinNames.h:
3058         (JSC::BuiltinNames::isPrivateName): Deleted.
3059         * builtins/BuiltinUtils.h:
3060         * bytecode/BytecodeIntrinsicRegistry.cpp:
3061         (JSC::BytecodeIntrinsicRegistry::lookup):
3062         * runtime/CommonIdentifiers.cpp:
3063         (JSC::CommonIdentifiers::isPrivateName): Deleted.
3064         * runtime/CommonIdentifiers.h:
3065         * runtime/ExceptionHelpers.cpp:
3066         (JSC::createUndefinedVariableError):
3067         * runtime/Identifier.h:
3068         (JSC::Identifier::isPrivateName):
3069         * runtime/IdentifierInlines.h:
3070         (JSC::identifierToSafePublicJSValue):
3071         * runtime/ObjectConstructor.cpp:
3072         (JSC::objectConstructorAssign):
3073         (JSC::defineProperties):
3074         (JSC::setIntegrityLevel):
3075         (JSC::testIntegrityLevel):
3076         (JSC::ownPropertyKeys):
3077         * runtime/PrivateName.h:
3078         (JSC::PrivateName::PrivateName):
3079         * runtime/PropertyName.h:
3080         (JSC::PropertyName::isPrivateName):
3081         * runtime/ProxyObject.cpp:
3082         (JSC::performProxyGet):
3083         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3084         (JSC::ProxyObject::performHasProperty):
3085         (JSC::ProxyObject::performPut):
3086         (JSC::ProxyObject::performDelete):
3087         (JSC::ProxyObject::performDefineOwnProperty):
3088
3089 2017-07-29  Keith Miller  <keith_miller@apple.com>
3090
3091         LLInt offsets extractor should be able to handle C++ constexprs
3092         https://bugs.webkit.org/show_bug.cgi?id=174964
3093
3094         Reviewed by Saam Barati.
3095
3096         This patch adds new syntax to the offline asm language. The new keyword,
3097         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
3098         expression. Additionally, if the value is not an identifier, you can wrap it in
3099         parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
3100         which will get converted into:
3101         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
3102
3103         This patch also changes the data format the LLIntOffsetsExtractor
3104         binary produces.  Previously, it would produce unsigned values;
3105         after this patch every value is an int64_t.  Using an int64_t is
3106         useful because it means that we can represent any constant needed.
3107         int32_t masks are sign extended, then passed and converted to a
3108         negative literal string in the assembler so it will be the constant
3109         expected.
3110
3111         * llint/LLIntOffsetsExtractor.cpp:
3112         (JSC::LLIntOffsetsExtractor::dummy):
3113         * llint/LowLevelInterpreter.asm:
3114         * llint/LowLevelInterpreter64.asm:
3115         * offlineasm/asm.rb:
3116         * offlineasm/ast.rb:
3117         * offlineasm/generate_offset_extractor.rb:
3118         * offlineasm/offsets.rb:
3119         * offlineasm/parser.rb:
3120         * offlineasm/transform.rb:
3121
3122 2017-07-28  Matt Baker  <mattbaker@apple.com>
3123
3124         Web Inspector: capture an async stack trace when web content calls addEventListener
3125         https://bugs.webkit.org/show_bug.cgi?id=174739
3126         <rdar://problem/33468197>
3127
3128         Reviewed by Brian Burg.
3129
3130         Allow debugger agents to perform custom logic when asynchronous stack
3131         trace data is cleared. For example, the PageDebuggerAgent would clear
3132         its list of registered listeners for which call stacks have been recorded.
3133
3134         * inspector/agents/InspectorDebuggerAgent.cpp:
3135         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3136         * inspector/agents/InspectorDebuggerAgent.h:
3137
3138 2017-07-28  Mark Lam  <mark.lam@apple.com>
3139
3140         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3141         https://bugs.webkit.org/show_bug.cgi?id=174948
3142         <rdar://problem/33495680>
3143
3144         Reviewed by Filip Pizlo.
3145
3146         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3147         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3148         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3149         requests to fire this watchpoint.
3150
3151         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3152         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3153         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3154
3155         But since the watchpoint hasn't been destructed yet, it still remains on the
3156         WatchpointSet and needs to guard against being fired in this state.  The fix is
3157         to simply return early if its owner StructureRareData is not live.  This has the
3158         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3159         not firing as we would expect.
3160
3161         This patch also removes some cargo cult copying of watchpoint code which
3162         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3163         used.  This patch removes these unnecessary instantiations.
3164
3165         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3166         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3167         * runtime/StructureRareData.cpp:
3168         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3169         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3170
3171 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3172
3173         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3174         https://bugs.webkit.org/show_bug.cgi?id=174900
3175
3176         Reviewed by Saam Barati.
3177
3178         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
3179         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
3180         The problem is that even the transforming phase also checks these pseudo terminals.
3181
3182             BB1
3183             1: ForceOSRExit
3184             2: CreateDirectArguments
3185
3186             BB2
3187             3: GetButterfly(@2)
3188             4: ForceOSRExit
3189
3190         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
3191
3192         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
3193
3194         * dfg/DFGArgumentsEliminationPhase.cpp:
3195
3196 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3197
3198         [ES] Add support finally to Promise
3199         https://bugs.webkit.org/show_bug.cgi?id=174503
3200
3201         Reviewed by Yusuke Suzuki.
3202
3203         Add support for the `finally` method to Promise according to
3204         https://bugs.webkit.org/show_bug.cgi?id=174503
3205         Current spec on stage 3:
3206         https://github.com/tc39/proposal-promise-finally
3207
3208         * builtins/PromisePrototype.js:
3209         (finally):
3210         (const.valueThunk):
3211         (globalPrivate.getThenFinally):
3212         (const.thrower):
3213         (globalPrivate.getCatchFinally):
3214         * runtime/JSPromisePrototype.cpp:
3215
3216 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3217
3218         Unreviewed, build fix for CLoop
3219         https://bugs.webkit.org/show_bug.cgi?id=171637
3220
3221         * domjit/DOMJITGetterSetter.h:
3222
3223 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3224
3225         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3226         https://bugs.webkit.org/show_bug.cgi?id=171637
3227
3228         Reviewed by Darin Adler.
3229
3230         Each DOM attribute getter has code to perform the ClassInfo check. But it is largely duplicated and causes code bloat.
3231         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
3232
3233         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
3234         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
3235
3236         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for the
3237         op_get_by_id_with_this case yet.
3238         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to CheckSubClass.
3239
3240         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
3241         ClassInfo check.
3242
3243         * CMakeLists.txt:
3244         * JavaScriptCore.xcodeproj/project.pbxproj:
3245         * bytecode/AccessCase.cpp:
3246         (JSC::AccessCase::generateImpl):
3247         * bytecode/GetByIdStatus.cpp:
3248         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3249         * bytecode/GetByIdVariant.cpp:
3250         (JSC::GetByIdVariant::GetByIdVariant):
3251         (JSC::GetByIdVariant::operator=):
3252         (JSC::GetByIdVariant::attemptToMerge):
3253         (JSC::GetByIdVariant::dumpInContext):
3254         * bytecode/GetByIdVariant.h:
3255         (JSC::GetByIdVariant::customAccessorGetter):
3256         (JSC::GetByIdVariant::domAttribute):
3257         (JSC::GetByIdVariant::domJIT): Deleted.
3258         * bytecode/GetterSetterAccessCase.cpp:
3259         (JSC::GetterSetterAccessCase::create):
3260         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3261         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3262         * bytecode/GetterSetterAccessCase.h:
3263         (JSC::GetterSetterAccessCase::domAttribute):
3264         (JSC::GetterSetterAccessCase::customAccessor):
3265         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3266         * bytecompiler/BytecodeGenerator.cpp:
3267         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3268         * create_hash_table:
3269         * dfg/DFGAbstractInterpreterInlines.h:
3270         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3271         * dfg/DFGByteCodeParser.cpp:
3272         (JSC::DFG::blessCallDOMGetter):
3273         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3274         (JSC::DFG::ByteCodeParser::handleGetById):
3275         * dfg/DFGClobberize.h:
3276         (JSC::DFG::clobberize):
3277         * dfg/DFGFixupPhase.cpp:
3278         (JSC::DFG::FixupPhase::fixupNode):
3279         * dfg/DFGNode.h:
3280         * dfg/DFGSpeculativeJIT.cpp:
3281         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3282         * dfg/DFGSpeculativeJIT.h:
3283         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3284         * domjit/DOMJITGetterSetter.h:
3285         (JSC::DOMJIT::GetterSetter::GetterSetter):
3286         (JSC::DOMJIT::GetterSetter::getter):
3287         (JSC::DOMJIT::GetterSetter::compiler):
3288         (JSC::DOMJIT::GetterSetter::resultType):
3289         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3290         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3291         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3292         * ftl/FTLLowerDFGToB3.cpp:
3293         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3294         * jit/Repatch.cpp:
3295         (JSC::tryCacheGetByID):
3296         * jsc.cpp:
3297         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3298         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3299         (WTF::DOMJITGetter::customGetter):
3300         (WTF::DOMJITGetter::finishCreation):
3301         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3302         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3303         (WTF::DOMJITGetterComplex::customGetter):
3304         (WTF::DOMJITGetterComplex::finishCreation):
3305         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3306         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3307         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3308         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3309         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3310         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3311         * runtime/CustomGetterSetter.h:
3312         (JSC::CustomGetterSetter::create):
3313         (JSC::CustomGetterSetter::setter):
3314         (JSC::CustomGetterSetter::CustomGetterSetter):
3315         (): Deleted.
3316         * runtime/DOMAnnotation.h: Added.
3317         (JSC::operator==):
3318         (JSC::operator!=):
3319         * runtime/DOMAttributeGetterSetter.cpp: Added.
3320         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3321         (JSC::isDOMAttributeGetterSetter):
3322         * runtime/Error.cpp:
3323         (JSC::throwDOMAttributeGetterTypeError):
3324         * runtime/Error.h:
3325         (JSC::throwVMDOMAttributeGetterTypeError):
3326         * runtime/JSCustomGetterSetterFunction.cpp:
3327         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3328         * runtime/JSObject.cpp:
3329         (JSC::JSObject::putInlineSlow):
3330         (JSC::JSObject::deleteProperty):
3331         (JSC::JSObject::getOwnStaticPropertySlot):
3332         (JSC::JSObject::reifyAllStaticProperties):
3333         (JSC::JSObject::fillGetterPropertySlot):
3334         (JSC::JSObject::findPropertyHashEntry): Deleted.
3335         * runtime/JSObject.h:
3336         (JSC::JSObject::getOwnNonIndexPropertySlot):
3337         (JSC::JSObject::fillCustomGetterPropertySlot):
3338         * runtime/Lookup.cpp:
3339         (JSC::setUpStaticFunctionSlot):
3340         * runtime/Lookup.h:
3341         (JSC::HashTableValue::domJIT):
3342         (JSC::getStaticPropertySlotFromTable):
3343         (JSC::putEntry):
3344         (JSC::lookupPut):
3345         (JSC::reifyStaticProperty):
3346         (JSC::reifyStaticProperties):
3347         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
3348         this static property table require.
3349
3350         * runtime/ProgramExecutable.cpp:
3351         (JSC::ProgramExecutable::initializeGlobalProperties):
3352         * runtime/PropertyName.h:
3353         * runtime/PropertySlot.cpp:
3354         (JSC::PropertySlot::customGetter):
3355         (JSC::PropertySlot::customAccessorGetter):
3356         * runtime/PropertySlot.h:
3357         (JSC::PropertySlot::domAttribute):
3358         (JSC::PropertySlot::setCustom):
3359         (JSC::PropertySlot::setCacheableCustom):
3360         (JSC::PropertySlot::getValue):
3361         (JSC::PropertySlot::domJIT): Deleted.
3362         * runtime/VM.cpp:
3363         (JSC::VM::VM):
3364         * runtime/VM.h:
3365
3366 2017-07-26  Devin Rousso  <drousso@apple.com>
3367
3368         Web Inspector: create protocol for recording Canvas contexts
3369         https://bugs.webkit.org/show_bug.cgi?id=174481
3370
3371         Reviewed by Joseph Pecoraro.
3372
3373         * inspector/protocol/Canvas.json:
3374          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3375          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3376          - Add `recordingFinished` event that is fired once a recording is finished.
3377
3378         * CMakeLists.txt:
3379         * DerivedSources.make:
3380         * inspector/protocol/Recording.json: Added.
3381          - Add `Type` enum that lists the types of recordings
3382          - Add `InitialState` type that contains information about the canvas context at the
3383            beginning of the recording.
3384          - Add `Frame` type that holds a list of actions that were recorded.
3385          - Add `Recording` type as the container object of recording data.
3386
3387         * inspector/scripts/codegen/generate_js_backend_commands.py:
3388         (JSBackendCommandsGenerator.generate_domain):
3389         Create an agent for domains with no events or commands.
3390
3391         * inspector/InspectorValues.h:
3392         Make Array `get` public so that values can be retrieved if needed.
3393
3394 2017-07-26  Brian Burg  <bburg@apple.com>
3395
3396         Remove WEB_TIMING feature flag
3397         https://bugs.webkit.org/show_bug.cgi?id=174795
3398
3399         Reviewed by Alex Christensen.
3400
3401         * Configurations/FeatureDefines.xcconfig:
3402