DFG_ASSERT should allow stuffing registers before trapping.
Source/JavaScriptCore/ChangeLog (WebKit-https.git)
2017-06-30  Keith Miller  <keith_miller@apple.com>

        DFG_ASSERT should allow stuffing registers before trapping.
        https://bugs.webkit.org/show_bug.cgi?id=174005

        Reviewed by Mark Lam.

        DFG_ASSERT currently prints error data to stderr before crashing,
        which is nice for local development. In the wild, however, we
        can't see this information in crash logs. This patch enables
        stuffing some of the most useful information from DFG_ASSERTS into
        up to five registers right before crashing. The values stuffed
        should not impact any logging during local development.

        * assembler/AbortReason.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::logForCrash):
        (JSC::DFG::Graph::logAssertionFailure):
        (JSC::DFG::crash): Deleted.
        (JSC::DFG::Graph::handleAssertionFailure): Deleted.
        * dfg/DFGGraph.h:

2017-06-29  Saam Barati  <sbarati@apple.com>

        Calculating postCapacity in unshiftCountSlowCase is wrong
        https://bugs.webkit.org/show_bug.cgi?id=173992
        <rdar://problem/32283199>

        Reviewed by Keith Miller.

        This patch fixes a bug inside unshiftCountSlowCase where we would use
        more memory than we allocated. The bug was when deciding how much extra
        space we have after the vector we've allocated. This area is called the
        postCapacity. The largest legal postCapacity value we could use is the
        space we allocated minus the space we need:
        largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
        However, the code was calculating the postCapacity as:
        postCapacity = max(newStorageCapacity - requiredVectorLength, count);

        where count is how many elements we're appending. Depending on the inputs,
        count could be larger than (newStorageCapacity - requiredVectorLength). This
        would cause us to use more memory than we actually allocated.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):

2017-06-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r218512.
        https://bugs.webkit.org/show_bug.cgi?id=173981

        "It changes the behavior of the JS API's JSEvaluateScript
        which breaks TurboTax" (Requested by saamyjoon on #webkit).

        Reverted changeset:

        "test262: Completion values for control flow do not match the
        spec"
        https://bugs.webkit.org/show_bug.cgi?id=171265
        http://trac.webkit.org/changeset/218512

2017-06-29  JF Bastien  <jfbastien@apple.com>

        WebAssembly: disable some APIs under CSP
        https://bugs.webkit.org/show_bug.cgi?id=173892
        <rdar://problem/32914613>

        Reviewed by Daniel Bates.

        We should disable parts of WebAssembly under Content Security
        Policy as discussed here:

        https://github.com/WebAssembly/design/issues/1092

        Exactly what should be disabled isn't super clear, so we may as
        well be conservative and disable many things if developers already
        opted into CSP. It's easy to loosen what we disable later.

        This patch disables:
        - WebAssembly.Instance
        - WebAssembly.instantiate
        - WebAssembly.Memory
        - WebAssembly.Table

        And leaves:
        - WebAssembly on the global object
        - WebAssembly.Module
        - WebAssembly.compile
        - WebAssembly.CompileError
        - WebAssembly.LinkError

        Nothing because currently unimplemented:
        - WebAssembly.compileStreaming
        - WebAssembly.instantiateStreaming

        That way it won't be possible to call WebAssembly-compiled code,
        or create memories (which use fancy 4GiB allocations
        sometimes). Table isn't really useful on its own, and eventually
        we may make them shareable so without more details it seems benign
        to disable them (and useless if we don't).

        I haven't done anything with postMessage, so you can still
        postMessage a WebAssembly.Module cross-CSP, but you can't
        instantiate it so it's useless. Because of this I elected to leave
        WebAssembly.Module and friends available.

        I haven't added any new directives. It's still unsafe-eval. We can
        add something else later, but it seems odd to add WebAssembly as
        a new capability and tell developers "you should have been using
        this directive which we just implemented if you wanted to disable
        WebAssembly which didn't exist when you adopted CSP". So IMO we
        should keep unsafe-eval as it currently is, add WebAssembly to
        what it disables, and later consider having two new directives
        which do each individually or something.

        In all cases I throw an EvalError *before* other WebAssembly
        errors would be produced.

        Note that, as for eval, reporting doesn't work and is tracked by
        https://webkit.org/b/111869

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::webAssemblyEnabled):
        (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
        (JSC::JSGlobalObject::setWebAssemblyEnabled):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::create):
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::create):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):

2017-06-28  Keith Miller  <keith_miller@apple.com>

        VMTraps has some races
        https://bugs.webkit.org/show_bug.cgi?id=173941

        Reviewed by Michael Saboff.

        This patch refactors much of the VMTraps API.

        On the message sending side:

        1) No longer uses the Yarr JIT check to determine if we are in
        RegExp code. That was unsound because RegExp JIT code can be run
        on compilation threads.  Instead it looks at the current frame's
        code block slot and checks if it is valid, which is the same as
        what it did for JIT code previously.

        2) Only have one signal sender thread; previously, there could be
        many at once, which caused some data races. Additionally, the
        signal sender thread is an automatic thread so it will deallocate
        itself when not in use.

        On the VMTraps breakpoint side:

        1) We now have a true mapping of whether we hit a breakpoint instead of
        a JIT assertion. So the exception handler won't eat JIT assertions
        anymore.

        2) It jettisons all CodeBlocks that have VMTraps breakpoints on
        them instead of every CodeBlock on the stack. This both prevents
        us from hitting stale VMTraps breakpoints and also doesn't OSR
        codeblocks that otherwise don't need to be jettisoned.

        3) The old exception handler could theoretically fail for a couple
        of reasons then resume execution with a clobbered instruction
        set. This patch will kill the program if the exception handler
        would fail.

        This patch also refactors some of the jsc.cpp functions to take the
        CommandLine options object instead of individual options. Also, there
        is a new command line option that makes exceptions due to watchdog
        timeouts an acceptable result.

        * API/tests/testapi.c:
        (main):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::installVMTrapBreakpoints):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::pcCodeBlockMap):
        (JSC::DFG::CommonData::invalidate):
        (JSC::DFG::CommonData::~CommonData):
        (JSC::DFG::CommonData::installVMTrapBreakpoints):
        (JSC::DFG::codeBlockForVMTrapPC):
        * dfg/DFGCommonData.h:
        * jsc.cpp:
        (functionDollarAgentStart):
        (checkUncaughtException):
        (checkException):
        (runWithOptions):
        (printUsageStatement):
        (CommandLine::parseArguments):
        (jscmain):
        (runWithScripts): Deleted.
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/VMTraps.cpp:
        (JSC::sanitizedTopCallFrame):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        (JSC::VMTraps::willDestroyVM):
        (JSC::VMTraps::fireTrap):
        (JSC::VMTraps::handleTraps):
        (JSC::VMTraps::VMTraps):
        (JSC::VMTraps::~VMTraps):
        (JSC::findActiveVMAndStackBounds): Deleted.
        (JSC::installSignalHandler): Deleted.
        (JSC::VMTraps::addSignalSender): Deleted.
        (JSC::VMTraps::removeSignalSender): Deleted.
        (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
        (JSC::VMTraps::SignalSender::send): Deleted.
        * runtime/VMTraps.h:
        (JSC::VMTraps::~VMTraps): Deleted.
        (JSC::VMTraps::SignalSender::SignalSender): Deleted.

2017-06-28  Devin Rousso  <drousso@apple.com>

        Web Inspector: Instrument active pixel memory used by canvases
        https://bugs.webkit.org/show_bug.cgi?id=173087
        <rdar://problem/32719261>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
         - Add optional `memoryCost` attribute to the `Canvas` type.
         - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.

2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup Protocol JSON files
        https://bugs.webkit.org/show_bug.cgi?id=173934

        Reviewed by Matt Baker.

        * inspector/protocol/ApplicationCache.json:
        * inspector/protocol/CSS.json:
        * inspector/protocol/Console.json:
        * inspector/protocol/DOM.json:
        * inspector/protocol/DOMDebugger.json:
        * inspector/protocol/Debugger.json:
        * inspector/protocol/LayerTree.json:
        * inspector/protocol/Network.json:
        * inspector/protocol/Page.json:
        * inspector/protocol/Runtime.json:
        Be more consistent about placement of `description` property.

2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused Inspector domain events
        https://bugs.webkit.org/show_bug.cgi?id=173905

        Reviewed by Matt Baker.

        * inspector/protocol/Inspector.json:

2017-06-28  JF Bastien  <jfbastien@apple.com>

        Ensure that computed new stack pointer values do not underflow.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.

        Patch by Mark Lam, with the following fix:

        Re-apply this patch, it originally broke the ARM build because the llint code
        generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
        be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
        and operands to emit valid code (because the second operand can be SP).

        1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
           m_numCalleeLocals is sane.

        2. Added underflow checks in LLInt code and VarargsFrame code.

        3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
           Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
           Ensure that Options::softReservedZoneSize() is at least greater than
           Options::reservedZoneSize() by minimumReservedZoneSize.

        4. Ensure that stack checks emitted by JIT tiers include an underflow check if
           and only if the max size of the frame is greater than Options::reservedZoneSize().

           By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
           of memory at the bottom (end) of the stack.  This means that, at any time, the
           frame pointer must be at least Options::reservedZoneSize() bytes away from the
           end of the stack.  Hence, if the max frame size is less than
           Options::reservedZoneSize(), there's no way that frame pointer - max
           frame size can underflow, and we can elide the underflow check.

           Note that we use Options::reservedZoneSize() instead of
           Options::softReservedZoneSize() for determining if we need an underflow check.
           This is because the softStackLimit that is used for stack checks can be set
           based on Options::reservedZoneSize() during error handling (e.g. when creating
           strings for instantiating the Error object).  Hence, the guaranteed minimum
           distance between the frame pointer and the end of the stack is
           Options::reservedZoneSize() and not Options::softReservedZoneSize().

           Note also that we ensure that Options::reservedZoneSize() is at least
           minimumReservedZoneSize (i.e. 16K).  In typical deployments,
           Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
           instead of minimumReservedZoneSize gives us more chances to elide underflow
           checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::emitStackOverflowCheck):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/MinimumReservedZoneSize.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimits):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-06-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r218869.

        Broke the iOS build

        Reverted changeset:

        "Ensure that computed new stack pointer values do not
        underflow."
        https://bugs.webkit.org/show_bug.cgi?id=173700
        http://trac.webkit.org/changeset/218869

2017-06-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r218873.

        Broke the iOS build

        Reverted changeset:

        "Gardening: CLoop build fix."
        https://bugs.webkit.org/show_bug.cgi?id=173700
        http://trac.webkit.org/changeset/218873

2017-06-28  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Not reviewed.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2017-06-28  Mark Lam  <mark.lam@apple.com>

        Ensure that computed new stack pointer values do not underflow.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
           m_numCalleeLocals is sane.

        2. Added underflow checks in LLInt code and VarargsFrame code.

        3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
           Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
           Ensure that Options::softReservedZoneSize() is at least greater than
           Options::reservedZoneSize() by minimumReservedZoneSize.

        4. Ensure that stack checks emitted by JIT tiers include an underflow check if
           and only if the max size of the frame is greater than Options::reservedZoneSize().

           By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
           of memory at the bottom (end) of the stack.  This means that, at any time, the
           frame pointer must be at least Options::reservedZoneSize() bytes away from the
           end of the stack.  Hence, if the max frame size is less than
           Options::reservedZoneSize(), there's no way that frame pointer - max
           frame size can underflow, and we can elide the underflow check.

           Note that we use Options::reservedZoneSize() instead of
           Options::softReservedZoneSize() for determining if we need an underflow check.
           This is because the softStackLimit that is used for stack checks can be set
           based on Options::reservedZoneSize() during error handling (e.g. when creating
           strings for instantiating the Error object).  Hence, the guaranteed minimum
           distance between the frame pointer and the end of the stack is
           Options::reservedZoneSize() and not Options::softReservedZoneSize().

           Note also that we ensure that Options::reservedZoneSize() is at least
           minimumReservedZoneSize (i.e. 16K).  In typical deployments,
           Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
           instead of minimumReservedZoneSize gives us more chances to elide underflow
           checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/MinimumReservedZoneSize.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimits):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

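The reasoning in the two "Ensure that computed new stack pointer values do not underflow" entries above (Mark Lam's original and JF Bastien's re-apply), as an added example that is not WebKit's code: a JavaScript model in which addresses are unsigned 64-bit BigInts, so that `fp - maxFrameSize` wraps exactly as the machine subtraction does, showing why an unguarded stack check is fooled by a huge frame and why the guard can be elided whenever the frame is no larger than the reserved zone. The stack layout values and the names `naiveStackCheck`, `guardedStackCheck`, `needsUnderflowCheck` and `elisionIsSafe` are this example's own; the real limits come from Options::reservedZoneSize() and Options::softReservedZoneSize().

```javascript
// Added example, not WebKit code: a model of the stack-check reasoning in the
// two "computed new stack pointer values do not underflow" entries above.
// Addresses are unsigned 64-bit BigInts so that fp - maxFrameSize wraps
// exactly as the machine subtraction would. The layout values and function
// names are this example's own.

const MASK64 = (1n << 64n) - 1n;
const sub64 = (a, b) => (a - b) & MASK64; // wraps below zero like a CPU would

// Constructed stack layout: the stack grows down towards stackEnd.
const layout = {
  stackEnd: 0x1000n,
  reservedZoneSize: 16n * 1024n,      // minimumReservedZoneSize (16K) from item 3
  softReservedZoneSize: 32n * 1024n,  // exceeds reservedZoneSize by at least 16K
};
layout.softStackLimit = layout.stackEnd + layout.softReservedZoneSize;
// Invariant from item 4: the frame pointer never drops below this address.
layout.lowestLegalFramePointer = layout.stackEnd + layout.reservedZoneSize;

// The check as emitted without an underflow guard: "does the new SP stay
// above the soft limit?" If fp - maxFrameSize wraps, the new SP is enormous
// and the comparison wrongly succeeds.
function naiveStackCheck(fp, maxFrameSize) {
  const newSP = sub64(fp, maxFrameSize);
  return newSP >= layout.softStackLimit;
}

// Item 4: the guard is needed only when the frame could reach below the
// reserved zone, i.e. maxFrameSize > reservedZoneSize. The soft size is not
// used because the soft limit may be lowered towards reservedZoneSize during
// error handling.
function needsUnderflowCheck(maxFrameSize) {
  return maxFrameSize > layout.reservedZoneSize;
}

// The guarded form: refuse any frame whose subtraction would wrap, then
// compare against the soft limit as before.
function guardedStackCheck(fp, maxFrameSize) {
  if (needsUnderflowCheck(maxFrameSize) && maxFrameSize > fp) return false;
  return sub64(fp, maxFrameSize) >= layout.softStackLimit;
}

// Why elision is safe: for every frame pointer that respects the invariant
// and every frame no larger than the reserved zone, the subtraction cannot
// wrap, so the naive and guarded checks agree. Sampled, not proved.
function elisionIsSafe(samples = 64) {
  const step = 0x1000n;
  for (let i = 0n; i < BigInt(samples); i++) {
    const fp = layout.lowestLegalFramePointer + i * step;
    for (const size of [1n, 0x100n, layout.reservedZoneSize]) {
      if (naiveStackCheck(fp, size) !== guardedStackCheck(fp, size)) return false;
      if (sub64(fp, size) > fp) return false; // a wrap would make the result larger
    }
  }
  return true;
}
```

With `fp = 0x100000n`, a 1 GiB frame passes `naiveStackCheck` because the wrapped new SP is far above the soft limit, while `guardedStackCheck` rejects it; a 2 KiB frame at `fp = 0xA000n` fails both checks in the ordinary way, since the new SP lands below the soft limit without wrapping.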
2017-06-27  JF Bastien  <jfbastien@apple.com>

        WebAssembly: running out of executable memory should throw OoM
        https://bugs.webkit.org/show_bug.cgi?id=171537
        <rdar://problem/32963338>

        Reviewed by Saam Barati.

        Both on first compile with BBQ as well as on tier-up with OMG,
        running out of X memory shouldn't cause the entire program to
        terminate. An exception will do when compiling initial code (since
        we don't have any other fallback at the moment), and refusal to
        tier up will do as well (it'll just be slower).

        This is useful because programs which generate huge amounts of
        code simply look like crashes, which developers report to
        us. Getting a JavaScript exception instead is much clearer.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::allocate):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        * runtime/Options.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):

2017-06-27  Saam Barati  <sbarati@apple.com>

        JITStubRoutine::passesFilter should use isJITPC
        https://bugs.webkit.org/show_bug.cgi?id=173906

        Reviewed by JF Bastien.

        This patch makes JITStubRoutine use the isJITPC abstraction defined
        inside ExecutableAllocator.h. Before, JITStubRoutine was using a
        hardcoded platform size constant. This means it'd do the wrong thing
        if Options::jitMemoryReservationSize() was larger than the defined
        constant for that platform. This patch also removes a bunch of
        dead code in that file.

        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::passesFilter):
        (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
        (JSC::JITStubRoutine::filteringStartAddress): Deleted.
        (JSC::JITStubRoutine::filteringExtentSize): Deleted.

2017-06-27  Saam Barati  <sbarati@apple.com>

        Fix some stale comments in Wasm code base
        https://bugs.webkit.org/show_bug.cgi?id=173814

        Reviewed by Mark Lam.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::runOMGPlanForIndex):

2017-06-27  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
        https://bugs.webkit.org/show_bug.cgi?id=167962

        Reviewed by Saam Barati.

        Object Rest/Spread Destructuring proposal is in stage 3[1] and this
        patch is a prototype implementation of it. A simple change over the
        parser was necessary to support the new '...' token on Object Pattern
        destructuring rule. In the bytecode generator side, we changed the
        bytecode generated on ObjectPatternNode::bindValue to store in a
        set the identifiers of already destructured properties, following spec draft
        section[2], and then pass it as excludedNames to CopyDataProperties.
        The rest destructuring calls copyDataProperties to perform the
        copy of rest properties in rhs.

        We also implemented CopyDataProperties as private JS global operation
        on builtins/GlobalOperations.js following its specification on [3].
        It is implemented using Set object to verify if a property is on
        excludedNames to keep this algorithm with O(n + m) complexity, where n
        = number of source's own properties and m = excludedNames.length.

        In this implementation we aren't using excludeList as constant if
        destructuring pattern contains computed property, i.e. we can
        just determine the key to be excluded at runtime. If we can define all
        identifiers in the pattern at compile time, we then create a
        constant JSSet. This approach gives a good performance improvement,
        since we allocate the excludeSet just once, reducing GC pressure.

        [1] - https://github.com/tc39/proposal-object-rest-spread
        [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
        [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties

        * builtins/BuiltinNames.h:
        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataProperties):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::bindValue):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::appendObjectPatternEntry):
        (JSC::ASTBuilder::appendObjectPatternRestEntry):
        (JSC::ASTBuilder::setContainsObjectRestElement):
        * parser/Nodes.h:
        (JSC::ObjectPatternNode::appendEntry):
        (JSC::ObjectPatternNode::setContainsRestElement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncFunctionStructure):
        (JSC::JSGlobalObject::setStructure): Deleted.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::privateToObject):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

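The CopyDataProperties operation the entry above implements, as an added example that is not JavaScriptCore's builtin: a plain-JavaScript rendering of CopyDataProperties(target, source, excludedNames) with a Set for the excluded names, plus the desugaring of an object rest pattern onto it. The names `copyDataProperties` (as a standalone function) and `objectRest` are this example's own; the sample objects are constructed.

```javascript
// Added example, not JavaScriptCore's builtins/GlobalOperations.js: the
// CopyDataProperties(target, source, excludedNames) abstract operation from
// the proposal the entry cites, using a Set for excludedNames so that each
// own key of the source costs one lookup (O(n + m) overall, as the entry says).
function copyDataProperties(target, source, excludedNames = new Set()) {
  // If source is undefined or null, return target unchanged.
  if (source === undefined || source === null) return target;
  const from = Object(source);
  // Own string keys then own symbol keys, in [[OwnPropertyKeys]] order.
  const keys = [
    ...Object.getOwnPropertyNames(from),
    ...Object.getOwnPropertySymbols(from),
  ];
  for (const key of keys) {
    if (excludedNames.has(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    // Only enumerable own properties are copied, as data properties on target.
    if (desc && desc.enumerable) {
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// `const { a, b, ...rest } = src` desugars to
// copyDataProperties({}, src, new Set(["a", "b"])). When the pattern contains
// a computed key the excluded set can only be built at run time, which is the
// case the entry keeps non-constant.
function objectRest(src, ...excluded) {
  return copyDataProperties({}, src, new Set(excluded));
}
```

`objectRest(src, "a")` yields the same own enumerable properties as the native `const { a, ...rest } = src`, including symbol-keyed ones, and skips non-enumerable properties; passing `null` as the source returns the target untouched rather than throwing.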
2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not touch VM after notifying Ready in DFG::Worklist
        https://bugs.webkit.org/show_bug.cgi?id=173888

        Reviewed by Saam Barati.

        After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
        Thus, Plan::vm() can return a destroyed VM. Do not touch it.
        This causes occasional SEGV / assertion failures in workers/bomb test.

        * dfg/DFGWorklist.cpp:

2017-06-27  Saam Barati  <sbarati@apple.com>

        Remove an inaccurate comment inside DFGClobberize.h
        https://bugs.webkit.org/show_bug.cgi?id=163874

        Reviewed by Filip Pizlo.

        The comment said that Clobberize may or may not be sound if run prior to
        doing type inference. This is not correct, though. Clobberize *must* be sound
        prior to doing type inference since we use it inside the BytecodeParser, which
        is the very first thing the DFG does.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2017-06-27  Saam Barati  <sbarati@apple.com>

        Function constructor needs to follow the spec and validate parameters and body independently
        https://bugs.webkit.org/show_bug.cgi?id=173303
        <rdar://problem/32732526>

        Reviewed by Keith Miller.

        The Function constructor must check the arguments and body strings
        independently for syntax errors. People rely on this specified behavior
        to verify that a particular string is a valid function body. We used
        to check these strings concatenated together, instead of
        independently. For example, this used to be valid: `Function("/*", "*/){")`.
        However, we should throw a syntax error here since "(/*)" is not a valid
        parameter list, and "*/){" is not a valid body.

        To implement the specified behavior, we check the syntax independently of
        both the body and the parameter list. To check that the parameter list has
        valid syntax, we check that it is valid if in a function with an empty body.
        To check that the body has valid syntax, we check it is valid in a function
        with an empty parameter list.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

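The independent validation the entry above describes, as an added example that is not JavaScriptCore's code: the pre-fix concatenate-then-parse check reproduced in plain JavaScript beside a checker that validates the parameter list inside a function with an empty body and the body inside a function with an empty parameter list. The names `concatenatedSourceParses` and `validateFunctionParts` are this example's own.

```javascript
// Added example, not JavaScriptCore code: checking the parameter list and the
// body of a dynamically built function independently, as the entry above
// describes, next to the concatenate-then-parse check it replaced.

// The pre-fix approach, reproduced for comparison: glue the parts into one
// source text and ask the parser whether the whole thing parses. A comment
// opened in the parameters and closed in the body lets "/*" and "*/){" pass,
// because the parser only ever sees "(function anonymous(){})".
function concatenatedSourceParses(parameters, body) {
  const source = "(function anonymous(" + parameters + "\n) {\n" + body + "\n})";
  try { new Function(source); return true; } catch (e) { return false; }
}

// The spec-shaped approach: each part must parse on its own. The parameter
// list is checked inside a function with an empty body, the body inside a
// function with an empty parameter list. Returns the list of failing parts
// (empty when both are valid).
function validateFunctionParts(parameters, body) {
  const problems = [];
  try { new Function(parameters, ""); }
  catch (e) { problems.push({ part: "parameters", error: e.name }); }
  try { new Function("", body); }
  catch (e) { problems.push({ part: "body", error: e.name }); }
  return problems;
}
```

`concatenatedSourceParses("/*", "*/){")` returns true in any engine, which is exactly the hole the entry closes, while `validateFunctionParts("/*", "*/){")` reports a SyntaxError for both parts; a well-formed pair such as `("a, b", "return a + b")` yields no problems.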
2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>

        Add missing includes to fix compilation error on FreeBSD
        https://bugs.webkit.org/show_bug.cgi?id=172919

        Reviewed by Mark Lam.

        * API/JSRemoteInspector.h:
        * API/tests/GlobalContextWithFinalizerTest.cpp:
        * API/tests/TypedArrayCTest.cpp:

2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Crash generating object preview for ArrayIterator
        https://bugs.webkit.org/show_bug.cgi?id=173754
        <rdar://problem/32859012>

        Reviewed by Saam Barati.

        When Inspector generates an object preview for an ArrayIterator instance it made
        a "clone" of the original ArrayIterator instance by constructing a new object with
        the instance's structure. However, user code could have modified that instance's
        structure, such as adding / removing properties. The `return` property had special
        meaning, and our clone did not fill that slot. This approach is brittle in that
        we weren't satisfying the expectations of an object with a particular Structure,
        and the original goal of having Web Inspector peek values of built-in Iterators
        was to avoid observable behavior.

        This tightens Web Inspector's Iterator preview to only peek values if the
        Iterators would actually be non-observable. It also builds an ArrayIterator
        clone like a regular object construction.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::cloneArrayIteratorObject):
        Build up the Object from scratch with a new ArrayIterator prototype.

        (Inspector::JSInjectedScriptHost::iteratorEntries):
        Only clone and peek iterators if it would not be observable.
        Also update iteration to be more in line with IterationOperations, such as when
        we call iteratorClose.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
        Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.

        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        (JSC::JSMap::canCloneFastAndNonObservable):
        * runtime/JSMap.h:
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        (JSC::JSSet::canCloneFastAndNonObservable):
        * runtime/JSSet.h:
        Promote isIteratorProtocolFastAndNonObservable to a method.

        * runtime/JSObject.cpp:
        (JSC::canDoFastPutDirectIndex):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isArgumentsType):
        Helper to detect if an Object is an Arguments type.

706 2017-06-26  Saam Barati  <sbarati@apple.com>
707
708         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
709         https://bugs.webkit.org/show_bug.cgi?id=173740
710
711         Reviewed by Mark Lam.
712
713         The builtin was using for-of iteration to iterate over an internal
714         list in its algorithm. For-of iteration is observable via user code
715         in the global object, so this approach was wrong as it would break if
716         a user changed the Array iteration protocol in some way.
717
718         * builtins/RegExpPrototype.js:
719         (replace):
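
The two entries above (the ArrayIterator preview clone and the for-of loop in RegExpPrototype.js) hinge on the same point: a builtin that drives the Array iteration protocol runs user code if Array.prototype[Symbol.iterator] or %ArrayIteratorPrototype%.next has been replaced. The Node.js script below is an added illustration, not WebKit code; its function names, the "pristine snapshot" guard standing in for JSC's iterator-protocol watchpoints, and the sample array are all constructed for this example.

```javascript
"use strict";
// Added example (not WebKit code). Shows that a builtin which walks an internal
// list with for-of, or which peeks an ArrayIterator's values, executes user code
// once the iteration protocol has been tampered with, and shows the two
// non-observable shapes: an index loop, and a "peek only if pristine" guard.

// Snapshot of the pristine protocol, taken before any user code runs
// (stands in for JSC's array iterator protocol watchpoints).
const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
const pristine = {
  arrayIterator: Array.prototype[Symbol.iterator],
  iteratorNext: ArrayIteratorPrototype.next,
};

// True only while neither hook has been replaced.
function isArrayIteratorProtocolNonObservable() {
  return Array.prototype[Symbol.iterator] === pristine.arrayIterator
    && ArrayIteratorPrototype.next === pristine.iteratorNext;
}

// Stand-in for a builtin that walks an internal list with for-of: the loop looks
// up Symbol.iterator on the list and calls next() on whatever it returns.
function collectWithForOf(internalList) {
  const out = [];
  for (const item of internalList) out.push(item);
  return out;
}

// Corrected shape: an index loop reads elements without any protocol lookup.
function collectWithIndexLoop(internalList) {
  const out = [];
  for (let i = 0; i < internalList.length; i++) out.push(internalList[i]);
  return out;
}

// Stand-in for the old Inspector preview: drain a fresh iterator unconditionally.
function previewArrayIteratorUnchecked(array) {
  const iter = array[Symbol.iterator]();
  const values = [];
  for (let r = iter.next(); !r.done; r = iter.next()) values.push(r.value);
  return values;
}

// Corrected shape: peek only when doing so cannot run user code; otherwise
// report "no preview" (null) rather than executing possibly hostile hooks.
function previewArrayIteratorGuarded(array) {
  if (!isArrayIteratorProtocolNonObservable()) return null;
  return previewArrayIteratorUnchecked(array);
}

// Run fn with one protocol hook replaced by user code that records each call.
// mode "iterator" replaces Array.prototype[Symbol.iterator] with an iterator
// that yields elements in reverse; mode "next" wraps %ArrayIteratorPrototype%.next.
// The originals are always restored.
function withTamperedProtocol(mode, fn) {
  const calls = [];
  if (mode === "iterator") {
    Array.prototype[Symbol.iterator] = function () {
      calls.push("Symbol.iterator");
      const arr = this;
      let i = arr.length;
      return {
        next() {
          calls.push("next");
          return i > 0 ? { value: arr[--i], done: false }
                       : { value: undefined, done: true };
        },
      };
    };
  } else if (mode === "next") {
    ArrayIteratorPrototype.next = function () {
      calls.push("next");
      return pristine.iteratorNext.call(this);
    };
  } else {
    throw new Error("unknown mode: " + mode);
  }
  try {
    return { result: fn(), calls };
  } finally {
    Array.prototype[Symbol.iterator] = pristine.arrayIterator;
    ArrayIteratorPrototype.next = pristine.iteratorNext;
  }
}

// Demonstration on a constructed sample input.
const sample = [1, 2, 3];
console.log("for-of under tampered iterator:",
  JSON.stringify(withTamperedProtocol("iterator", () => collectWithForOf(sample))));
console.log("index loop under tampered iterator:",
  JSON.stringify(withTamperedProtocol("iterator", () => collectWithIndexLoop(sample))));
console.log("unchecked preview under tampered next:",
  JSON.stringify(withTamperedProtocol("next", () => previewArrayIteratorUnchecked(sample))));
console.log("guarded preview under tampered next:",
  JSON.stringify(withTamperedProtocol("next", () => previewArrayIteratorGuarded(sample))));
```

The for-of builtin returns the reversed list and the unchecked preview invokes the user's next() four times, while the index loop and the guarded preview never call into user code.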
720
721 2017-06-26  Mark Lam  <mark.lam@apple.com>
722
723         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
724         https://bugs.webkit.org/show_bug.cgi?id=173848
725
726         Reviewed by JF Bastien.
727
728         This functor only dumps the return VirtualPC.
729
730         * interpreter/Interpreter.cpp:
731         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
732         (JSC::Interpreter::dumpRegisters):
733         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
734         (JSC::DumpRegisterFunctor::operator()): Deleted.
735
736 2017-06-26  Saam Barati  <sbarati@apple.com>
737
738         Crash in JSC::Lexer<unsigned char>::setCode
739         https://bugs.webkit.org/show_bug.cgi?id=172754
740
741         Reviewed by Mark Lam.
742
743         The lexer was asking one of its buffers to reserve initial space that
744         was O(text size in bytes). For large sources, this would end up causing
745         the vector to overflow and crash. This patch changes this code to be like
746         the Lexer's other buffers and to only reserve a small starting buffer.
747
748         * parser/Lexer.cpp:
749         (JSC::Lexer<T>::setCode):
750
751 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
752
753         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
754         https://bugs.webkit.org/show_bug.cgi?id=173825
755
756         Reviewed by Saam Barati.
757
758         * jsc.cpp:
759         (startTimeoutThreadIfNeeded):
760         (timeoutThreadMain): Deleted.
761
762 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
763
764         Unreviewed, add missing header for CLoop
765
766         * runtime/SymbolTable.cpp:
767
768 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
769
770         Unreviewed, add missing header includes
771
772         * parser/Lexer.h:
773
774 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
775
776         Remove excessive headers from JavaScriptCore
777         https://bugs.webkit.org/show_bug.cgi?id=173812
778
779         Reviewed by Darin Adler.
780
781         * API/APIUtils.h:
782         * assembler/LinkBuffer.cpp:
783         * assembler/MacroAssemblerCodeRef.cpp:
784         * b3/air/AirLiveness.h:
785         * b3/air/AirLowerAfterRegAlloc.cpp:
786         * bindings/ScriptValue.cpp:
787         * bindings/ScriptValue.h:
788         * bytecode/AccessCase.cpp:
789         * bytecode/AccessCase.h:
790         * bytecode/ArrayProfile.h:
791         * bytecode/BytecodeDumper.h:
792         * bytecode/BytecodeIntrinsicRegistry.cpp:
793         * bytecode/BytecodeKills.h:
794         * bytecode/BytecodeLivenessAnalysis.h:
795         * bytecode/BytecodeUseDef.h:
796         * bytecode/CallLinkStatus.h:
797         * bytecode/CodeBlock.h:
798         * bytecode/CodeOrigin.h:
799         * bytecode/ComplexGetStatus.h:
800         * bytecode/GetByIdStatus.h:
801         * bytecode/GetByIdVariant.h:
802         * bytecode/InlineCallFrame.h:
803         * bytecode/InlineCallFrameSet.h:
804         * bytecode/Instruction.h:
805         * bytecode/InternalFunctionAllocationProfile.h:
806         * bytecode/JumpTable.h:
807         * bytecode/MethodOfGettingAValueProfile.h:
808         * bytecode/ObjectPropertyConditionSet.h:
809         * bytecode/Operands.h:
810         * bytecode/PolymorphicAccess.h:
811         * bytecode/PutByIdStatus.h:
812         * bytecode/SpeculatedType.cpp:
813         * bytecode/StructureSet.h:
814         * bytecode/StructureStubInfo.h:
815         * bytecode/UnlinkedCodeBlock.h:
816         * bytecode/UnlinkedFunctionExecutable.h:
817         * bytecode/ValueProfile.h:
818         * bytecompiler/BytecodeGenerator.cpp:
819         * bytecompiler/BytecodeGenerator.h:
820         * bytecompiler/Label.h:
821         * bytecompiler/StaticPropertyAnalysis.h:
822         * debugger/DebuggerCallFrame.cpp:
823         * dfg/DFGAbstractInterpreter.h:
824         * dfg/DFGAdjacencyList.h:
825         * dfg/DFGArgumentsUtilities.h:
826         * dfg/DFGArrayMode.h:
827         * dfg/DFGArrayifySlowPathGenerator.h:
828         * dfg/DFGBackwardsPropagationPhase.h:
829         * dfg/DFGBasicBlock.h:
830         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
831         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
832         * dfg/DFGCapabilities.h:
833         * dfg/DFGCommon.h:
834         * dfg/DFGCommonData.h:
835         * dfg/DFGDesiredIdentifiers.h:
836         * dfg/DFGDesiredWatchpoints.h:
837         * dfg/DFGDisassembler.cpp:
838         * dfg/DFGDominators.h:
839         * dfg/DFGDriver.cpp:
840         * dfg/DFGDriver.h:
841         * dfg/DFGEdgeDominates.h:
842         * dfg/DFGFinalizer.h:
843         * dfg/DFGGenerationInfo.h:
844         * dfg/DFGJITCompiler.cpp:
845         * dfg/DFGJITCompiler.h:
846         * dfg/DFGJITFinalizer.h:
847         * dfg/DFGLivenessAnalysisPhase.h:
848         * dfg/DFGMinifiedNode.h:
849         * dfg/DFGMultiGetByOffsetData.h:
850         * dfg/DFGNaturalLoops.cpp:
851         * dfg/DFGNaturalLoops.h:
852         * dfg/DFGNode.h:
853         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
854         * dfg/DFGOSRExit.h:
855         * dfg/DFGOSRExitCompilationInfo.h:
856         * dfg/DFGOSRExitCompiler.cpp:
857         * dfg/DFGOSRExitCompiler.h:
858         * dfg/DFGOSRExitJumpPlaceholder.h:
859         * dfg/DFGOperations.cpp:
860         * dfg/DFGOperations.h:
861         * dfg/DFGPlan.h:
862         * dfg/DFGPreciseLocalClobberize.h:
863         * dfg/DFGPromotedHeapLocation.h:
864         * dfg/DFGRegisteredStructure.h:
865         * dfg/DFGRegisteredStructureSet.h:
866         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
867         * dfg/DFGSlowPathGenerator.h:
868         * dfg/DFGSnippetParams.h:
869         * dfg/DFGSpeculativeJIT.h:
870         * dfg/DFGToFTLDeferredCompilationCallback.h:
871         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
872         * dfg/DFGValidate.h:
873         * dfg/DFGValueSource.h:
874         * dfg/DFGVariableEvent.h:
875         * dfg/DFGVariableEventStream.h:
876         * dfg/DFGWorklist.h:
877         * domjit/DOMJITCallDOMGetterSnippet.h:
878         * domjit/DOMJITEffect.h:
879         * ftl/FTLLink.cpp:
880         * ftl/FTLLowerDFGToB3.cpp:
881         * ftl/FTLPatchpointExceptionHandle.h:
882         * heap/AllocatorAttributes.h:
883         * heap/CodeBlockSet.h:
884         * heap/DeferGC.h:
885         * heap/GCSegmentedArray.h:
886         * heap/Heap.cpp:
887         * heap/Heap.h:
888         * heap/IncrementalSweeper.h:
889         * heap/ListableHandler.h:
890         * heap/MachineStackMarker.h:
891         * heap/MarkedAllocator.h:
892         * heap/MarkedBlock.cpp:
893         * heap/MarkedBlock.h:
894         * heap/MarkingConstraint.h:
895         * heap/SlotVisitor.cpp:
896         * heap/SlotVisitor.h:
897         * inspector/ConsoleMessage.cpp:
898         * inspector/ConsoleMessage.h:
899         * inspector/InjectedScript.h:
900         * inspector/InjectedScriptHost.h:
901         * inspector/InjectedScriptManager.cpp:
902         * inspector/JSGlobalObjectInspectorController.cpp:
903         * inspector/JavaScriptCallFrame.h:
904         * inspector/ScriptCallStack.h:
905         * inspector/ScriptCallStackFactory.cpp:
906         * inspector/ScriptDebugServer.h:
907         * inspector/agents/InspectorConsoleAgent.h:
908         * inspector/agents/InspectorDebuggerAgent.cpp:
909         * inspector/agents/InspectorDebuggerAgent.h:
910         * inspector/agents/InspectorHeapAgent.cpp:
911         * inspector/agents/InspectorHeapAgent.h:
912         * inspector/agents/InspectorRuntimeAgent.h:
913         * inspector/agents/InspectorScriptProfilerAgent.cpp:
914         * inspector/agents/InspectorScriptProfilerAgent.h:
915         * inspector/agents/JSGlobalObjectConsoleAgent.h:
916         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
917         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
918         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
919         * inspector/augmentable/AlternateDispatchableAgent.h:
920         * interpreter/CLoopStack.h:
921         * interpreter/CachedCall.h:
922         * interpreter/CallFrame.h:
923         * interpreter/Interpreter.cpp:
924         * interpreter/Interpreter.h:
925         * jit/AssemblyHelpers.cpp:
926         * jit/AssemblyHelpers.h:
927         * jit/CCallHelpers.h:
928         * jit/CallFrameShuffler.h:
929         * jit/ExecutableAllocator.h:
930         * jit/GCAwareJITStubRoutine.h:
931         * jit/HostCallReturnValue.h:
932         * jit/ICStats.h:
933         * jit/JIT.cpp:
934         * jit/JIT.h:
935         * jit/JITAddGenerator.h:
936         * jit/JITCall32_64.cpp:
937         * jit/JITCode.h:
938         * jit/JITDisassembler.cpp:
939         * jit/JITExceptions.cpp:
940         * jit/JITMathIC.h:
941         * jit/JITOpcodes.cpp:
942         * jit/JITOperations.cpp:
943         * jit/JITOperations.h:
944         * jit/JITThunks.cpp:
945         * jit/JITThunks.h:
946         * jit/JSInterfaceJIT.h:
947         * jit/PCToCodeOriginMap.h:
948         * jit/PolymorphicCallStubRoutine.h:
949         * jit/RegisterSet.h:
950         * jit/Repatch.h:
951         * jit/SetupVarargsFrame.h:
952         * jit/Snippet.h:
953         * jit/SnippetParams.h:
954         * jit/ThunkGenerators.h:
955         * jsc.cpp:
956         * llint/LLIntCLoop.h:
957         * llint/LLIntEntrypoint.h:
958         * llint/LLIntExceptions.h:
959         * llint/LLIntOfflineAsmConfig.h:
960         * llint/LLIntSlowPaths.cpp:
961         * parser/NodeConstructors.h:
962         * parser/Nodes.cpp:
963         * parser/Nodes.h:
964         * parser/Parser.cpp:
965         * parser/Parser.h:
966         * parser/ParserTokens.h:
967         * parser/SourceProviderCacheItem.h:
968         * profiler/ProfilerBytecodeSequence.h:
969         * profiler/ProfilerDatabase.cpp:
970         * profiler/ProfilerDatabase.h:
971         * profiler/ProfilerOrigin.h:
972         * profiler/ProfilerOriginStack.h:
973         * profiler/ProfilerProfiledBytecodes.h:
974         * profiler/ProfilerUID.h:
975         * runtime/AbstractModuleRecord.h:
976         * runtime/ArrayConstructor.h:
977         * runtime/ArrayConventions.h:
978         * runtime/ArrayIteratorPrototype.h:
979         * runtime/ArrayPrototype.h:
980         * runtime/BasicBlockLocation.h:
981         * runtime/Butterfly.h:
982         * runtime/CallData.cpp:
983         * runtime/CodeCache.h:
984         * runtime/CommonSlowPaths.cpp:
985         * runtime/CommonSlowPaths.h:
986         * runtime/CommonSlowPathsExceptions.cpp:
987         * runtime/Completion.cpp:
988         * runtime/ControlFlowProfiler.h:
989         * runtime/DateInstanceCache.h:
990         * runtime/ErrorConstructor.h:
991         * runtime/ErrorInstance.h:
992         * runtime/ExceptionHelpers.cpp:
993         * runtime/ExceptionHelpers.h:
994         * runtime/ExecutableBase.h:
995         * runtime/FunctionExecutable.h:
996         * runtime/HasOwnPropertyCache.h:
997         * runtime/Identifier.h:
998         * runtime/InternalFunction.h:
999         * runtime/IntlCollator.cpp:
1000         * runtime/IntlCollatorPrototype.h:
1001         * runtime/IntlDateTimeFormatPrototype.h:
1002         * runtime/IntlNumberFormat.cpp:
1003         * runtime/IntlNumberFormatPrototype.h:
1004         * runtime/IteratorOperations.cpp:
1005         * runtime/JSArray.h:
1006         * runtime/JSArrayBufferPrototype.h:
1007         * runtime/JSCJSValue.h:
1008         * runtime/JSCJSValueInlines.h:
1009         * runtime/JSCell.h:
1010         * runtime/JSFunction.cpp:
1011         * runtime/JSFunction.h:
1012         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1013         * runtime/JSGlobalObject.cpp:
1014         * runtime/JSGlobalObject.h:
1015         * runtime/JSGlobalObjectDebuggable.cpp:
1016         * runtime/JSGlobalObjectDebuggable.h:
1017         * runtime/JSGlobalObjectFunctions.cpp:
1018         * runtime/JSGlobalObjectFunctions.h:
1019         * runtime/JSJob.cpp:
1020         * runtime/JSLock.h:
1021         * runtime/JSModuleLoader.cpp:
1022         * runtime/JSModuleNamespaceObject.h:
1023         * runtime/JSModuleRecord.h:
1024         * runtime/JSObject.cpp:
1025         * runtime/JSObject.h:
1026         * runtime/JSRunLoopTimer.h:
1027         * runtime/JSTemplateRegistryKey.h:
1028         * runtime/JSTypedArrayPrototypes.cpp:
1029         * runtime/JSTypedArrayPrototypes.h:
1030         * runtime/JSTypedArrays.h:
1031         * runtime/LiteralParser.h:
1032         * runtime/MatchResult.h:
1033         * runtime/MemoryStatistics.h:
1034         * runtime/PrivateName.h:
1035         * runtime/PromiseDeferredTimer.h:
1036         * runtime/ProxyObject.h:
1037         * runtime/RegExp.h:
1038         * runtime/SamplingProfiler.cpp:
1039         * runtime/SmallStrings.h:
1040         * runtime/StringPrototype.cpp:
1041         * runtime/StringRecursionChecker.h:
1042         * runtime/Structure.h:
1043         * runtime/SymbolConstructor.h:
1044         * runtime/SymbolPrototype.cpp:
1045         * runtime/SymbolPrototype.h:
1046         * runtime/TypeProfiler.h:
1047         * runtime/TypeProfilerLog.h:
1048         * runtime/TypedArrayType.h:
1049         * runtime/VM.cpp:
1050         * runtime/VM.h:
1051         * runtime/VMEntryScope.h:
1052         * runtime/WeakMapData.h:
1053         * runtime/WriteBarrier.h:
1054         * tools/FunctionOverrides.cpp:
1055         * tools/FunctionOverrides.h:
1056         * wasm/WasmBinding.cpp:
1057         * wasm/js/JSWebAssemblyCodeBlock.h:
1058         * wasm/js/WebAssemblyPrototype.cpp:
1059         * yarr/Yarr.h:
1060         * yarr/YarrJIT.cpp:
1061         * yarr/YarrJIT.h:
1062         * yarr/YarrParser.h:
1063
1064 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1065
1066         [JSC] Clean up Object.entries implementation
1067         https://bugs.webkit.org/show_bug.cgi?id=173759
1068
1069         Reviewed by Sam Weinig.
1070
1071         This patch cleans up Object.entries implementation.
1072         We drop unused private functions. And we merge the
1073         implementation into Object.entries.
1074
1075         It slightly speeds up Object.entries speed.
1076
1077                                      baseline                  patched
1078
1079             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
1080
1081
1082         * builtins/BuiltinNames.h:
1083         * builtins/ObjectConstructor.js:
1084         (entries):
1085         (globalPrivate.enumerableOwnProperties): Deleted.
1086         * runtime/JSGlobalObject.cpp:
1087         (JSC::JSGlobalObject::init):
1088         * runtime/ObjectConstructor.cpp:
1089         (JSC::ownEnumerablePropertyKeys): Deleted.
1090         * runtime/ObjectConstructor.h:
1091
1092 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
1093
1094         Remove Reflect.enumerate
1095         https://bugs.webkit.org/show_bug.cgi?id=173806
1096
1097         Reviewed by Yusuke Suzuki.
1098
1099         * CMakeLists.txt:
1100         * JavaScriptCore.xcodeproj/project.pbxproj:
1101         * inspector/JSInjectedScriptHost.cpp:
1102         (Inspector::JSInjectedScriptHost::subtype):
1103         (Inspector::JSInjectedScriptHost::getInternalProperties):
1104         (Inspector::JSInjectedScriptHost::iteratorEntries):
1105         * runtime/JSGlobalObject.cpp:
1106         (JSC::JSGlobalObject::init):
1107         (JSC::JSGlobalObject::visitChildren):
1108         * runtime/JSPropertyNameIterator.cpp: Removed.
1109         * runtime/JSPropertyNameIterator.h: Removed.
1110         * runtime/ReflectObject.cpp:
1111         (JSC::reflectObjectEnumerate): Deleted.
1112
1113 2017-06-23  Keith Miller  <keith_miller@apple.com>
1114
1115         Switch VMTraps to use halt instructions rather than breakpoint instructions
1116         https://bugs.webkit.org/show_bug.cgi?id=173677
1117         <rdar://problem/32178892>
1118
1119         Reviewed by JF Bastien.
1120
1121         Using the breakpoint instruction for VMTraps caused issues with lldb.
1122         Since we only need some way to stop execution we can, in theory, use
1123         any exceptioning instruction we want. I went with the halt instruction
1124         on X86 since that is the only one byte instruction that does not
1125         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
1126         On ARM we use the data cache clearing instruction with the zero register,
1127         which triggers a segmentation fault.
1128
1129         Also, update the platform code to only use signaling VMTraps
1130         where we have an appropriate instruction (x86 and ARM64).
1131
1132         * API/tests/ExecutionTimeLimitTest.cpp:
1133         (testExecutionTimeLimit):
1134         * assembler/ARM64Assembler.h:
1135         (JSC::ARM64Assembler::replaceWithVMHalt):
1136         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
1137         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
1138         * assembler/ARMAssembler.h:
1139         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
1140         * assembler/ARMv7Assembler.h:
1141         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
1142         * assembler/MIPSAssembler.h:
1143         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
1144         * assembler/MacroAssemblerARM.h:
1145         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
1146         * assembler/MacroAssemblerARM64.h:
1147         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
1148         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
1149         * assembler/MacroAssemblerARMv7.h:
1150         (JSC::MacroAssemblerARMv7::storeFence):
1151         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
1152         * assembler/MacroAssemblerMIPS.h:
1153         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
1154         * assembler/MacroAssemblerX86Common.h:
1155         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
1156         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
1157         * assembler/X86Assembler.h:
1158         (JSC::X86Assembler::replaceWithHlt):
1159         (JSC::X86Assembler::replaceWithInt3): Deleted.
1160         * dfg/DFGJumpReplacement.cpp:
1161         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
1162         * runtime/VMTraps.cpp:
1163         (JSC::SignalContext::SignalContext):
1164         (JSC::installSignalHandler):
1165         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
1166         * wasm/WasmFaultSignalHandler.cpp:
1167         (JSC::Wasm::enableFastMemory):
1168
1169 2017-06-22  Saam Barati  <sbarati@apple.com>
1170
1171         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
1172         https://bugs.webkit.org/show_bug.cgi?id=173743
1173         <rdar://problem/32932536>
1174
1175         Reviewed by Mark Lam.
1176
1177         The code always manually speculates, however, we weren't specifying
1178         ManualOperandSpeculation when creating a JSValueOperand. This would
1179         fire an assertion in JSValueOperand construction for a node like:
1180         Identity(String:@otherNode)
1181         
1182         I spent about 45 minutes trying to craft a test and came up
1183         empty. However, this fixes a debug assertion on an internal
1184         Apple website.
1185
1186         * dfg/DFGSpeculativeJIT32_64.cpp:
1187         (JSC::DFG::SpeculativeJIT::compile):
1188         * dfg/DFGSpeculativeJIT64.cpp:
1189         (JSC::DFG::SpeculativeJIT::compile):
1190
1191 2017-06-22  Saam Barati  <sbarati@apple.com>
1192
1193         ValueRep(DoubleRep(@v)) can not simply convert to @v
1194         https://bugs.webkit.org/show_bug.cgi?id=173687
1195         <rdar://problem/32855563>
1196
1197         Reviewed by Mark Lam.
1198
1199         Consider this IR:
1200          block#x
1201           p: Phi() // int32 and double flows into this phi from various control flow
1202           d: DoubleRep(@p)
1203           some uses of @d here
1204           v: ValueRep(DoubleRepUse:@d)
1205           a: NewArrayWithSize(Int32:@v)
1206           some more nodes here ...
1207         
1208         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
1209         AI proves that the Int32 check will fail. Constant folding phase removes
1210         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
1211         
1212         The IR then looks like this:
1213         block#x
1214           p: Phi() // int32 and double flows into this phi from various control flow
1215           d: DoubleRep(@p)
1216           some uses of @d here
1217           v: ValueRep(DoubleRepUse:@d)
1218           a: NewArrayWithSize(Int32:@v)
1219           Unreachable
1220         
1221         However, there was a strength reduction rule that tries to eliminate
1222         redundant conversions. It used to convert the program to:
1223         block#x
1224           p: Phi() // int32 and double flows into this phi from various control flow
1225           d: DoubleRep(@p)
1226           some uses of @d here
1227           a: NewArrayWithSize(Int32:@p)
1228           Unreachable
1229         
1230         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
1231         and we'll crash. This patch removes this strength reduction rule since it
1232         does not maintain what would have happened if we executed the program before
1233         the rule.
1234         
1235         This rule is also wrong for other types of programs (I'm not sure we'd
1236         actually emit this code, but if such IR were generated, we would previously
1237         optimize it incorrectly):
1238         @a: Constant(JSTrue)
1239         @b: DoubleRep(@a)
1240         @c: ValueRep(@b)
1241         @d: use(@c)
1242         
1243         However, the strength reduction rule would've transformed this into:
1244         @a: Constant(JSTrue)
1245         @d: use(@a)
1246         
1247         And this would be wrong because node @c before the transformation would
1248         have produced the JSValue jsNumber(1.0).
1249         
1250         This patch was neutral in the benchmark run I did.
1251
1252         * dfg/DFGStrengthReductionPhase.cpp:
1253         (JSC::DFG::StrengthReductionPhase::handleNode):
1254
1255 2017-06-22  JF Bastien  <jfbastien@apple.com>
1256
1257         ARM64: doubled executable memory limit from 32MiB to 64MiB
1258         https://bugs.webkit.org/show_bug.cgi?id=173734
1259         <rdar://problem/32932407>
1260
1261         Reviewed by Oliver Hunt.
1262
1263         Some WebAssembly programs stress the amount of memory we have
1264         available, especially when we consider tiering (BBQ never dies,
1265         and is bigger than OMG). Tiering to OMG just piles on more memory,
1266         and we're also competing with JavaScript.
1267
1268         * jit/ExecutableAllocator.h:
1269
1270 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1271
1272         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
1273         https://bugs.webkit.org/show_bug.cgi?id=173698
1274
1275         Reviewed by Matt Baker.
1276
1277         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
1278         when preparing Inspector pause information is spent generating object previews for
1279         the `thisObject` of each of the call frames. In some cases, this could be more
1280         than 95% of the time generating pause information. In the common case, only one of
1281         these (the top frame) will ever be seen by users. This change avoids eagerly
1282         generating object previews up front and lets the frontend request previews if they
1283         are needed.
1284
1285         This introduces the `Runtime.getPreview` protocol command. This can be used to:
1286
1287             - Get a preview for a RemoteObject that did not have a preview but could.
1288             - Update a preview for a RemoteObject that had a preview.
1289
1290         This patch only uses it for the first case, but the second is valid and may be
1291         something we want to do in the future.
1292
1293         * inspector/protocol/Runtime.json:
1294         A new command to get an up to date preview for an object.
1295
1296         * inspector/InjectedScript.h:
1297         * inspector/InjectedScript.cpp:
1298         (Inspector::InjectedScript::getPreview):
1299         * inspector/agents/InspectorRuntimeAgent.cpp:
1300         (Inspector::InspectorRuntimeAgent::getPreview):
1301         * inspector/agents/InspectorRuntimeAgent.h:
1302         Plumbing for the new command.
1303
1304         * inspector/InjectedScriptSource.js:
1305         (InjectedScript.prototype.getPreview):
1306         Implementation just uses the existing helper.
1307
1308         (InjectedScript.CallFrameProxy):
1309         Do not generate a preview for the this object as it may not be shown.
1310         Let the frontend request a preview if it wants or needs one.
1311
1312 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
1313
1314         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
1315         https://bugs.webkit.org/show_bug.cgi?id=173686
1316
1317         Reviewed by Mark Lam.
1318
1319         * inspector/InjectedScript.cpp:
1320         (Inspector::InjectedScript::functionDetails):
1321         * inspector/InjectedScriptSource.js:
1322         (InjectedScript.prototype.functionDetails):
1323         * inspector/JSInjectedScriptHost.cpp:
1324         (Inspector::JSInjectedScriptHost::functionDetails):
1325
1326 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1327
1328         [JSC] Object.values should be implemented in C++
1329         https://bugs.webkit.org/show_bug.cgi?id=173703
1330
1331         Reviewed by Sam Weinig.
1332
1333         As with Object.assign, Object.values() is also inherently polymorphic.
1334         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
1335         result is costly.
1336
1337         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
1338         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
1339         non-observable JSObject::get() calls.
1340
1341         This improves performance by 2.49x. Object.values() now also beats the
1342         Object.keys(object).map(key => object[key]) implementation.
1343
1344                                              baseline                  patched
1345
1346             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
1347             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
1348
1349         * builtins/ObjectConstructor.js:
1350         (values): Deleted.
1351         * runtime/ObjectConstructor.cpp:
1352         (JSC::objectConstructorValues):
1353
1354 2017-06-21  Saam Barati  <sbarati@apple.com>
1355
1356         ArrayPrototype.map builtin declares a var it does not use
1357         https://bugs.webkit.org/show_bug.cgi?id=173685
1358
1359         Reviewed by Keith Miller.
1360
1361         * builtins/ArrayPrototype.js:
1362         (map):
1363
1364 2017-06-21  Saam Barati  <sbarati@apple.com>
1365
1366         eval virtual call is incorrect in the baseline JIT
1367         https://bugs.webkit.org/show_bug.cgi?id=173587
1368         <rdar://problem/32867897>
1369
1370         Reviewed by Michael Saboff.
1371
1372         When making a virtual call for call_eval, e.g., when the thing
1373         we're calling isn't actually eval, we end up calling the caller
1374         instead of the callee. This is clearly wrong. The code ends up
1375         issuing a load for the Callee in the callers frame instead of
1376         the callee we're calling. The fix is simple, we just need to
1377         load the real callee. Only the 32-bit baseline JIT had this bug.
1378
1379         * jit/JITCall32_64.cpp:
1380         (JSC::JIT::compileCallEvalSlowCase):
1381
1382 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
1383
1384         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
1385         https://bugs.webkit.org/show_bug.cgi?id=172432
1386         <rdar://problem/29870873>
1387
1388         Reviewed by Saam Barati.
1389
1390         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
1391         We will proceed to improve debugging of these cases in the follow-up bugs.
1392
1393         * debugger/Debugger.cpp:
1394         (JSC::Debugger::exception):
1395         Ignore pausing on these errors.
1396
1397         * runtime/ErrorInstance.h:
1398         (JSC::ErrorInstance::setStackOverflowError):
1399         (JSC::ErrorInstance::isStackOverflowError):
1400         (JSC::ErrorInstance::setOutOfMemoryError):
1401         (JSC::ErrorInstance::isOutOfMemoryError):
1402         * runtime/ExceptionHelpers.cpp:
1403         (JSC::createStackOverflowError):
1404         * runtime/Error.cpp:
1405         (JSC::createOutOfMemoryError):
1406         Mark these kinds of errors.
1407
1408 2017-06-21  Saam Barati  <sbarati@apple.com>
1409
1410         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
1411         https://bugs.webkit.org/show_bug.cgi?id=173609
1412
1413         Reviewed by Keith Miller.
1414
1415         This patch makes many of the IC generating functions require a locker as
1416         a parameter. We do this in other places in JSC to indicate that
1417         a particular API is only valid while a particular lock is held.
1418         This is the case when generating ICs. This patch just makes it
1419         explicit in the IC generating interface.
1420
1421         * bytecode/PolymorphicAccess.cpp:
1422         (JSC::PolymorphicAccess::addCases):
1423         (JSC::PolymorphicAccess::addCase):
1424         (JSC::PolymorphicAccess::commit):
1425         (JSC::PolymorphicAccess::regenerate):
1426         * bytecode/PolymorphicAccess.h:
1427         * bytecode/StructureStubInfo.cpp:
1428         (JSC::StructureStubInfo::addAccessCase):
1429         (JSC::StructureStubInfo::initStub): Deleted.
1430         * bytecode/StructureStubInfo.h:
1431         * jit/Repatch.cpp:
1432         (JSC::tryCacheGetByID):
1433         (JSC::repatchGetByID):
1434         (JSC::tryCachePutByID):
1435         (JSC::repatchPutByID):
1436         (JSC::tryRepatchIn):
1437         (JSC::repatchIn):
1438
1439 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
1440
1441         Disable font variations on macOS Sierra and iOS 10
1442         https://bugs.webkit.org/show_bug.cgi?id=173618
1443         <rdar://problem/32879164>
1444
1445         Reviewed by Jon Lee.
1446
1447         * Configurations/FeatureDefines.xcconfig:
1448
1449 2017-06-20  Keith Miller  <keith_miller@apple.com>
1450
1451         Fix leak of ModuleInformations in BBQPlan constructors.
1452         https://bugs.webkit.org/show_bug.cgi?id=173577
1453
1454         Reviewed by Saam Barati.
1455
1456         This patch fixes a leak in the BBQPlan constructors. Previously,
1457         the plans were calling makeRef on the newly constructed objects.
1458         This patch fixes the issue and uses adoptRef instead. Additionally,
1459         an old, incorrect, attempt to fix the leak is removed.
1460
1461         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
1462         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
1463         * jit/JITWorklist.cpp:
1464         (JSC::JITWorklist::Thread::Thread):
1465         * runtime/PromiseDeferredTimer.cpp:
1466         (JSC::PromiseDeferredTimer::addPendingPromise):
1467         * runtime/VM.cpp:
1468         (JSC::VM::VM):
1469         * wasm/WasmBBQPlan.cpp:
1470         (JSC::Wasm::BBQPlan::BBQPlan):
1471         * wasm/WasmPlan.cpp:
1472         (JSC::Wasm::Plan::Plan):
1473
1474 2017-06-20  Devin Rousso  <drousso@apple.com>
1475
1476         Web Inspector: Send context attributes for tracked canvases
1477         https://bugs.webkit.org/show_bug.cgi?id=173327
1478
1479         Reviewed by Joseph Pecoraro.
1480
1481         * inspector/protocol/Canvas.json:
1482         Add ContextAttributes object type that is optionally used for WebGL canvases.
1483
1484 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
1485
1486         Remove excessive include directives from WTF
1487         https://bugs.webkit.org/show_bug.cgi?id=173553
1488
1489         Reviewed by Saam Barati.
1490
1491         * profiler/ProfilerDatabase.cpp: Added missing include directive.
1492         * runtime/SamplingProfiler.cpp: Ditto.
1493
1494 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
1495
1496         Revert changes in bug#160417 about extending `null` not being a derived class
1497         https://bugs.webkit.org/show_bug.cgi?id=169293
1498
1499         Reviewed by Saam Barati.
1500
1501         Reverted changes in bug#160417 about extending `null` not being a derived class
1502         according to changes in spec:
1503         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
1504
1505         * builtins/BuiltinNames.h:
1506         * bytecompiler/BytecodeGenerator.cpp:
1507         (JSC::BytecodeGenerator::BytecodeGenerator):
1508         (JSC::BytecodeGenerator::emitReturn):
1509         * bytecompiler/NodesCodegen.cpp:
1510         (JSC::ClassExprNode::emitBytecode):
1511
1512 2017-06-20  Saam Barati  <sbarati@apple.com>
1513
1514         repatchIn needs to lock the CodeBlock's lock
1515         https://bugs.webkit.org/show_bug.cgi?id=173573
1516
1517         Reviewed by Yusuke Suzuki.
1518
1519         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
1520         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
1521         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
1522         with the marking thread. repatchIn was not grabbing the lock. I haven't been
1523         able to get it to crash, but this is needed for the same reasons that get and put IC
1524         regeneration grab the lock.
1525
1526         * jit/Repatch.cpp:
1527         (JSC::repatchIn):
1528
1529 2017-06-19  Devin Rousso  <drousso@apple.com>
1530
1531         Web Inspector: create canvas content view and details sidebar panel
1532         https://bugs.webkit.org/show_bug.cgi?id=138941
1533         <rdar://problem/19051672>
1534
1535         Reviewed by Joseph Pecoraro.
1536
1537         * inspector/protocol/Canvas.json:
1538          - Add an optional `nodeId` attribute to the `Canvas` type.
1539          - Add `requestNode` command for getting the node id of the backing canvas element.
1540          - Add `requestContent` command for getting the current image content of the canvas.
1541
1542 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1543
1544         Unreviewed, build fix for ARM
1545
1546         * assembler/MacroAssemblerARM.h:
1547         (JSC::MacroAssemblerARM::internalCompare32):
1548
1549 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1550
1551         [DFG] More ArrayIndexOf fixups for various types
1552         https://bugs.webkit.org/show_bug.cgi?id=173176
1553
1554         Reviewed by Saam Barati.
1555
1556         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
1557
1558         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
1559         never contains the given search value.
1560
1561         2. We support Symbol and Other specialization additionally. Especially, Other is
1562         useful because null/undefined can be used as a sentinel value.
1563
1564         One interesting thing is that Array.prototype.indexOf does not consider holes as
1565         undefineds. Thus,
1566
1567             var array = [,,,,,,,];
1568             array.indexOf(undefined); // => -1
1569
1570         This can be trivially achieved in JSC because Empty and Undefined are different values.
1571
1572         * dfg/DFGFixupPhase.cpp:
1573         (JSC::DFG::FixupPhase::fixupNode):
1574         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
1575         * dfg/DFGSpeculativeJIT.cpp:
1576         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
1577         (JSC::DFG::SpeculativeJIT::speculateOther):
1578         * dfg/DFGSpeculativeJIT.h:
1579         * ftl/FTLLowerDFGToB3.cpp:
1580         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
1581
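The hole-versus-undefined distinction described in the entry above, shown as an added example that is not part of this ChangeLog entry or of JavaScriptCore. The helper names are my own and the sparse input array is constructed inline; the example goes one step beyond the entry by contrasting indexOf with includes, which reads holes back as undefined.

```javascript
// Added example (not JavaScriptCore code): how Array.prototype.indexOf treats
// holes versus an explicit undefined, and why null/undefined work as sentinels.

// Builds a constructed sparse array of the given length containing only holes.
function holesOnly(length) {
  return new Array(length);
}

// indexOf skips holes entirely (it checks HasProperty before comparing), so a
// search for undefined finds nothing in an all-holes array.
function indexOfUndefinedInHoles(length) {
  return holesOnly(length).indexOf(undefined);
}

// includes, by contrast, reads every index with Get, so a hole reads back as
// undefined and is reported as present.
function includesUndefinedInHoles(length) {
  return holesOnly(length).includes(undefined);
}

// Once an index is explicitly assigned undefined it is no longer a hole, and
// indexOf does find it.
function indexOfExplicitUndefined(length, at) {
  const array = holesOnly(length);
  array[at] = undefined;
  return array.indexOf(undefined);
}

// Using null as a sentinel: indexOf compares with strict equality, so null is
// never confused with undefined, holes, 0 or "".
function findSentinel(values) {
  return values.indexOf(null);
}

console.log(
  indexOfUndefinedInHoles(7),            // -1
  includesUndefinedInHoles(7),           // true
  indexOfExplicitUndefined(7, 3),        // 3
  findSentinel([0, "", null, undefined]) // 2
);
```
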
1582 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
1583
1584         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
1585         https://bugs.webkit.org/show_bug.cgi?id=172972
1586
1587         Reviewed by Mark Lam.
1588
1589         We are changing internalCompare32 implementation in ARM
1590         MacroAssembler to emit "cmp" when the "right.value" is 0.
1591         It is generating wrong comparison cases, since the
1592         semantics of cmn is opposite of cmp[1]. One case that it's breaking is
1593         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
1594         resulting in the following assembly code:
1595
1596         ```
1597         cmn $r0, #0
1598         bhi <address>
1599         ```
1600
1601         However, as cmn is similar to "adds", it will never take the branch
1602         when $r0 > 0. In that case, the correct opcode is "cmp". With this
1603         patch we will fix current broken tests that use
1604         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
1605         such as ForwardVarargs, Spread and GetRestLength.
1606
1607         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
1608
1609         * assembler/MacroAssemblerARM.h:
1610         (JSC::MacroAssemblerARM::internalCompare32):
1611
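The flag semantics behind the cmn/cmp mix-up above, as an added example that is not part of this ChangeLog entry or of the JavaScriptCore assembler. It models the ARM condition flags for a 32-bit compare in plain JavaScript (function names and the 32-bit register model are my own) and evaluates the Above (HI) condition for both encodings of "compare gpr with 0".

```javascript
// Added example (not JavaScriptCore code): a model of the ARM flag-setting
// compares, showing why "cmn rN, #0" cannot stand in for "cmp rN, #0" under
// the unsigned Above (HI) condition. Register values are 32-bit unsigned.

const MASK32 = 0xffffffff;

function flagsFrom(result, carry, overflow) {
  return {
    n: (result & 0x80000000) !== 0, // negative (bit 31 of the result)
    z: result === 0,                // zero
    c: carry,                       // carry / not-borrow
    v: overflow,                    // signed overflow
  };
}

// cmp computes lhs - rhs like SUBS: C is set when there is no unsigned borrow
// (lhs >= rhs), V when the signed subtraction overflows.
function cmp(lhs, rhs) {
  const l = lhs >>> 0, r = rhs >>> 0;
  const result = (l - r) >>> 0;
  const overflow = ((l ^ r) & (l ^ result) & 0x80000000) !== 0;
  return flagsFrom(result, l >= r, overflow);
}

// cmn computes lhs + rhs like ADDS: C is set only on a carry out of bit 31.
function cmn(lhs, rhs) {
  const l = lhs >>> 0, r = rhs >>> 0;
  const sum = l + r; // exact in double precision
  const result = sum >>> 0;
  const overflow = (~(l ^ r) & (l ^ result) & 0x80000000) !== 0;
  return flagsFrom(result, sum > MASK32, overflow);
}

// Above (HI) is taken when C is set and Z is clear.
function above(flags) {
  return flags.c && !flags.z;
}

// branch32(Above, gpr, TrustedImm32(0)) as it should be emitted: cmp gpr, #0 ; bhi
function branchAboveZeroWithCmp(gpr) {
  return above(cmp(gpr, 0));
}

// The buggy emission: cmn gpr, #0 ; bhi. Adding zero never carries, so C is
// always clear and the branch is never taken, whatever gpr holds.
function branchAboveZeroWithCmn(gpr) {
  return above(cmn(gpr, 0));
}

for (const value of [0, 1, 0x7fffffff, 0x80000000, 0xffffffff]) {
  console.log(
    value.toString(16).padStart(8, "0"),
    "cmp+bhi:", branchAboveZeroWithCmp(value),
    "cmn+bhi:", branchAboveZeroWithCmn(value)
  );
}
```

The two encodings agree on N and Z for a zero immediate (both results equal the register value); they differ only in the carry flag, which is exactly the bit HI consumes.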
1612 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
1613
1614         test262: Completion values for control flow do not match the spec
1615         https://bugs.webkit.org/show_bug.cgi?id=171265
1616
1617         Reviewed by Saam Barati.
1618
1619         * bytecompiler/BytecodeGenerator.h:
1620         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
1621         When we care about having proper completion values (global code
1622         in programs, modules, and eval) insert undefined results for
1623         control flow statements.
1624
1625         * bytecompiler/NodesCodegen.cpp:
1626         (JSC::SourceElements::emitBytecode):
1627         Reduce writing a default `undefined` value to the completion result to
1628         only once before the last statement we know will produce a value.
1629
1630         (JSC::IfElseNode::emitBytecode):
1631         (JSC::WithNode::emitBytecode):
1632         (JSC::WhileNode::emitBytecode):
1633         (JSC::ForNode::emitBytecode):
1634         (JSC::ForInNode::emitBytecode):
1635         (JSC::ForOfNode::emitBytecode):
1636         (JSC::SwitchNode::emitBytecode):
1637         Insert an undefined to handle cases where code may break out of an
1638         if/else or with statement (break/continue).
1639
1640         (JSC::TryNode::emitBytecode):
1641         Same handling for break cases. Also, finally block statement completion
1642         values are always ignored for the try statement result.
1643
1644         (JSC::ClassDeclNode::emitBytecode):
1645         Class declarations, like function declarations, produce an empty result.
1646
1647         * parser/Nodes.cpp:
1648         (JSC::SourceElements::lastStatement):
1649         (JSC::SourceElements::hasCompletionValue):
1650         (JSC::SourceElements::hasEarlyBreakOrContinue):
1651         (JSC::BlockNode::lastStatement):
1652         (JSC::BlockNode::singleStatement):
1653         (JSC::BlockNode::hasCompletionValue):
1654         (JSC::BlockNode::hasEarlyBreakOrContinue):
1655         (JSC::ScopeNode::singleStatement):
1656         (JSC::ScopeNode::hasCompletionValue):
1657         (JSC::ScopeNode::hasEarlyBreakOrContinue):
1658         The only non-trivial cases need to loop through their list of statements
1659         to determine if this has a completion value or not. Likewise for
1660         determining if there is an early break / continue, meaning a break or
1661         continue statement with no preceding statement that has a completion value.
1662
1663         * parser/Nodes.h:
1664         (JSC::StatementNode::next):
1665         (JSC::StatementNode::hasCompletionValue):
1666         Helper to check if a statement nodes produces a completion value or not.
1667
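The completion-value rules the entry above implements, observed from script as an added example that is not part of this ChangeLog entry or of JavaScriptCore. Indirect eval returns the completion value of the code it runs, which is the standard way to see these values; the helper names are my own and every snippet is constructed inline.

```javascript
// Added example (not JavaScriptCore code): the completion values the spec
// assigns to declarations and control-flow statements, observed through
// indirect eval, which yields the completion value of the evaluated code.
const indirectEval = eval; // indirect call: runs in global scope

function completionOf(source) {
  return indirectEval(source);
}

// Declarations produce an empty completion, so the earlier value survives.
// (The class is wrapped in a block only to scope its binding; a block whose
// sole statement is a declaration is itself empty.)
function declarationsAreEmpty() {
  return [
    completionOf("1; var x = 2;"),
    completionOf("1; function f() {}"),
    completionOf("1; { class C {} }"),
  ];
}

// Control-flow statements replace an empty body completion with undefined,
// so the earlier 1 does not leak through as the program's result.
function controlFlowYieldsUndefined() {
  return [
    completionOf("1; if (true) {}"),
    completionOf("1; while (false) {}"),
    completionOf("1; for (var i = 0; i < 0; i++) {}"),
    completionOf("1; switch (0) { case 0: }"),
    completionOf("1; try {} finally { 2; }"),
  ];
}

// A body that does produce a value passes it on; the finally block's own
// completion value is never the try statement's result.
function bodyValuesPropagate() {
  return [
    completionOf("1; if (true) { 3; }"),
    completionOf("1; do { 4; } while (false);"),
    completionOf("1; try { 5; } finally { 6; }"),
  ];
}

console.log(declarationsAreEmpty());      // [1, 1, 1]
console.log(controlFlowYieldsUndefined()); // [undefined x 5]
console.log(bodyValuesPropagate());        // [3, 4, 5]
```
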
1668 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
1669
1670         Missing <functional> includes make builds fail with GCC 7.x
1671         https://bugs.webkit.org/show_bug.cgi?id=173544
1672
1673         Unreviewed gardening.
1674
1675         Fix compilation with GCC 7.
1676
1677         * API/tests/CompareAndSwapTest.cpp:
1678         * runtime/VMEntryScope.h:
1679
1680 2017-06-17  Keith Miller  <keith_miller@apple.com>
1681
1682         ArrayBuffer constructor needs to create subclass structures before its buffer
1683         https://bugs.webkit.org/show_bug.cgi?id=173510
1684
1685         Reviewed by Yusuke Suzuki.
1686
1687         * runtime/JSArrayBufferConstructor.cpp:
1688         (JSC::constructArrayBuffer):
1689
1690 2017-06-17  Keith Miller  <keith_miller@apple.com>
1691
1692         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
1693         https://bugs.webkit.org/show_bug.cgi?id=173506
1694
1695         Reviewed by Ryosuke Niwa.
1696
1697         This patch changes the result of unshift if old length +
1698         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
1699         the getLength function, which was always incorrect to use, has
1700         been removed. Additionally, some cases where we were using a
1701         constant for (2 ** 53) - 1 have been replaced with
1702         maxSafeInteger().
1703
1704         * interpreter/Interpreter.cpp:
1705         (JSC::sizeOfVarargs):
1706         * runtime/ArrayPrototype.cpp:
1707         (JSC::arrayProtoFuncToLocaleString):
1708         (JSC::arrayProtoFuncPop):
1709         (JSC::arrayProtoFuncPush):
1710         (JSC::arrayProtoFuncReverse):
1711         (JSC::arrayProtoFuncShift):
1712         (JSC::arrayProtoFuncSlice):
1713         (JSC::arrayProtoFuncSplice):
1714         (JSC::arrayProtoFuncUnShift):
1715         (JSC::arrayProtoFuncIndexOf):
1716         (JSC::arrayProtoFuncLastIndexOf):
1717         * runtime/JSArrayInlines.h:
1718         (JSC::getLength): Deleted.
1719         * runtime/JSCJSValue.cpp:
1720         (JSC::JSValue::toLength):
1721         * runtime/NumberConstructor.cpp:
1722         (JSC::numberConstructorFuncIsSafeInteger):
1723
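The ToLength clamping and the unshift overflow rule from the entry above, as an added example that is not part of this ChangeLog entry or of JavaScriptCore. The toLength helper is my own transcription of the spec operation, and the array-like receivers are constructed inline; the example generalises slightly by also showing pop on a negative length.

```javascript
// Added example (not JavaScriptCore code): the ToLength clamping that the
// generic Array.prototype methods apply to non-array receivers, and the
// TypeError unshift throws once the new length would exceed 2^53 - 1.
const MAX_SAFE_INTEGER = Number.MAX_SAFE_INTEGER; // 2^53 - 1

// ToLength as specified: NaN and negatives become 0, fractions are truncated,
// and anything at or above 2^53 - 1 is clamped to 2^53 - 1.
function toLength(value) {
  const len = Math.trunc(Number(value));
  if (Number.isNaN(len) || len <= 0) return 0;
  return Math.min(len, MAX_SAFE_INTEGER);
}

// pop on a negative-length array-like: ToLength gives 0, so nothing is popped
// and the length is written back as 0 (the stray "0" property is untouched).
function popNegativeLength() {
  const arrayLike = { length: -3, 0: "a" }; // constructed receiver
  const popped = Array.prototype.pop.call(arrayLike);
  return { popped, length: arrayLike.length, kept: arrayLike[0] };
}

// unshift on an array-like already at the maximum length: adding even one
// element would leave the safe-integer range, so the spec requires a TypeError
// instead of silently wrapping or truncating the length.
function unshiftAtMaxLength() {
  const arrayLike = { length: MAX_SAFE_INTEGER }; // constructed receiver
  try {
    Array.prototype.unshift.call(arrayLike, "x");
    return "no error";
  } catch (e) {
    return e.constructor.name;
  }
}

console.log(toLength(-1), toLength("12.9"), toLength(2 ** 60) === MAX_SAFE_INTEGER);
console.log(popNegativeLength());  // { popped: undefined, length: 0, kept: 'a' }
console.log(unshiftAtMaxLength()); // TypeError
```
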
1724 2017-06-16  Matt Baker  <mattbaker@apple.com>
1725
1726         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
1727         https://bugs.webkit.org/show_bug.cgi?id=172623
1728         <rdar://problem/32415986>
1729
1730         Reviewed by Devin Rousso and Joseph Pecoraro.
1731
1732         This patch adds a basic Canvas protocol. It includes Canvas and related
1733         types and events for monitoring the lifetime of canvases in the page.
1734
1735         * CMakeLists.txt:
1736         * DerivedSources.make:
1737         * inspector/protocol/Canvas.json: Added.
1738
1739         * inspector/scripts/codegen/generator.py:
1740         (Generator.stylized_name_for_enum_value):
1741         Add special handling for Canvas.ContextType protocol enumeration,
1742         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
1743
1744 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
1745
1746         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
1747         https://bugs.webkit.org/show_bug.cgi?id=173366
1748         <rdar://problem/32767014>
1749
1750         Reviewed by Tim Horton.
1751
1752         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
1753
1754         * Configurations/FeatureDefines.xcconfig:
1755
1756 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
1757
1758         [JSC] Add fast path for Object.assign
1759         https://bugs.webkit.org/show_bug.cgi?id=173416
1760
1761         Reviewed by Mark Lam.
1762
1763         In Object.assign implementation, we need to ensure that given key is still enumerable own key.
1764         This seems like a duplicate lookup, and we want to avoid it. However, we still need to perform this
1765         check in the face of Proxy. Proxy can observe that this check is done correctly.
1766
1767         In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation.
1768         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
1769         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
1770         value by calling `slot.getValue()`.
1771
1772         This further improves performance of Object.assign.
1773
1774                                         baseline                  patched
1775
1776             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
1777
1778         * runtime/ObjectConstructor.cpp:
1779         (JSC::objectConstructorAssign):
1780
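Why the own-enumerable check in the entry above cannot simply be dropped: a Proxy source sees every internal-method call Object.assign makes. The following is an added example, not part of this ChangeLog entry or of JavaScriptCore; the recording handler and the sample source object are constructed here.

```javascript
// Added example (not JavaScriptCore code): Object.assign's per-key check is
// observable. A Proxy source records every trap the algorithm invokes, so an
// engine fast path that skipped the own-enumerable check would be detectable.
function recordAssignTraps(sourceTarget) {
  const traps = [];
  const handler = {
    ownKeys(target) {
      traps.push("ownKeys");
      return Reflect.ownKeys(target);
    },
    getOwnPropertyDescriptor(target, key) {
      traps.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(target, key);
    },
    get(target, key, receiver) {
      traps.push(`get:${String(key)}`);
      return Reflect.get(target, key, receiver);
    },
  };
  const result = Object.assign({}, new Proxy(sourceTarget, handler));
  return { traps, result };
}

// Constructed sample source: "a" is enumerable, "hidden" is not. The spec
// order is one [[OwnPropertyKeys]] call, then for every key a
// [[GetOwnProperty]] check and, only for enumerable own keys, a [[Get]].
function demo() {
  const source = { a: 1 };
  Object.defineProperty(source, "hidden", { value: 2, enumerable: false });
  return recordAssignTraps(source);
}

console.log(demo());
// traps: ownKeys, getOwnPropertyDescriptor:a, get:a, getOwnPropertyDescriptor:hidden
// result: { a: 1 }
```

For a plain object the engine can prove that no trap exists, which is the situation the entry's `isTaintedByOpaqueObject()` check identifies before taking the fast path.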
1781 2017-06-16  Michael Saboff  <msaboff@apple.com>
1782
1783         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
1784         https://bugs.webkit.org/show_bug.cgi?id=173488
1785
1786         Reviewed by Filip Pizlo.
1787
1788         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
1789         code to initialize its butterfly.  This means that these lazily set properties can have
1790         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
1791         to create the butterfly as it clears out of line properties.
1792
1793         * runtime/ClonedArguments.cpp:
1794         (JSC::ClonedArguments::createEmpty):
1795
1796 2017-06-16  Mark Lam  <mark.lam@apple.com>
1797
1798         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
1799         https://bugs.webkit.org/show_bug.cgi?id=173491
1800
1801         Reviewed by Keith Miller.
1802
1803         The implementations are based on static data. There's no need to get the
1804         interpreter instance. Hence, we can make these methods static and avoid doing
1805         unnecessary work to compute the interpreter this pointer.
1806
1807         Also removed the unused isCallBytecode method.
1808
1809         * bytecode/BytecodeBasicBlock.cpp:
1810         (JSC::BytecodeBasicBlock::computeImpl):
1811         * bytecode/BytecodeDumper.cpp:
1812         (JSC::BytecodeDumper<Block>::printGetByIdOp):
1813         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
1814         (JSC::BytecodeDumper<Block>::dumpBytecode):
1815         (JSC::BytecodeDumper<Block>::dumpBlock):
1816         * bytecode/BytecodeLivenessAnalysis.cpp:
1817         (JSC::BytecodeLivenessAnalysis::dumpResults):
1818         * bytecode/BytecodeLivenessAnalysisInlines.h:
1819         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
1820         * bytecode/BytecodeRewriter.cpp:
1821         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1822         * bytecode/CallLinkStatus.cpp:
1823         (JSC::CallLinkStatus::computeFromLLInt):
1824         * bytecode/CodeBlock.cpp:
1825         (JSC::CodeBlock::finishCreation):
1826         (JSC::CodeBlock::propagateTransitions):
1827         (JSC::CodeBlock::finalizeLLIntInlineCaches):
1828         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
1829         (JSC::CodeBlock::usesOpcode):
1830         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1831         (JSC::CodeBlock::arithProfileForPC):
1832         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
1833         * bytecode/PreciseJumpTargets.cpp:
1834         (JSC::getJumpTargetsForBytecodeOffset):
1835         (JSC::computePreciseJumpTargetsInternal):
1836         (JSC::findJumpTargetsForBytecodeOffset):
1837         * bytecode/PreciseJumpTargetsInlines.h:
1838         (JSC::extractStoredJumpTargetsForBytecodeOffset):
1839         * bytecode/UnlinkedCodeBlock.cpp:
1840         (JSC::UnlinkedCodeBlock::applyModification):
1841         * dfg/DFGByteCodeParser.cpp:
1842         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
1843         (JSC::DFG::ByteCodeParser::parseBlock):
1844         * dfg/DFGCapabilities.cpp:
1845         (JSC::DFG::capabilityLevel):
1846         * interpreter/Interpreter.cpp:
1847         (JSC::Interpreter::Interpreter):
1848         (JSC::Interpreter::isOpcode):
1849         (): Deleted.
1850         * interpreter/Interpreter.h:
1851         (JSC::Interpreter::getOpcode): Deleted.
1852         (JSC::Interpreter::getOpcodeID): Deleted.
1853         (JSC::Interpreter::isCallBytecode): Deleted.
1854         * interpreter/InterpreterInlines.h:
1855         (JSC::Interpreter::getOpcode):
1856         (JSC::Interpreter::getOpcodeID):
1857         * jit/JIT.cpp:
1858         (JSC::JIT::privateCompileMainPass):
1859         (JSC::JIT::privateCompileSlowCases):
1860         * jit/JITOpcodes.cpp:
1861         (JSC::JIT::emitNewFuncCommon):
1862         (JSC::JIT::emitNewFuncExprCommon):
1863         * jit/JITPropertyAccess.cpp:
1864         (JSC::JIT::emitSlow_op_put_by_val):
1865         (JSC::JIT::privateCompilePutByVal):
1866         * jit/JITPropertyAccess32_64.cpp:
1867         (JSC::JIT::emitSlow_op_put_by_val):
1868         * llint/LLIntSlowPaths.cpp:
1869         (JSC::LLInt::llint_trace_operand):
1870         (JSC::LLInt::llint_trace_value):
1871         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1872         * profiler/ProfilerBytecodeSequence.cpp:
1873         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1874
1875 2017-06-16  Matt Lewis  <jlewis3@apple.com>
1876
1877         Unreviewed, rolling out r218376.
1878
1879         The patch caused multiple Layout Test crashes.
1880
1881         Reverted changeset:
1882
1883         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
1884         backend"
1885         https://bugs.webkit.org/show_bug.cgi?id=172623
1886         http://trac.webkit.org/changeset/218376
1887
1888 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
1889
1890         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
1891         https://bugs.webkit.org/show_bug.cgi?id=173470
1892
1893         Reviewed by Joseph Pecoraro.
1894
1895         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
1896         const char* overload of StringBuilder::append() that assumes Latin1
1897         encoding, not UTF8.
1898
1899         * runtime/ConsoleClient.cpp:
1900         (JSC::ConsoleClient::printConsoleMessageWithArguments):
1901
1902 2017-06-15  Mark Lam  <mark.lam@apple.com>
1903
1904         Add a JSRunLoopTimer registry in VM.
1905         https://bugs.webkit.org/show_bug.cgi?id=173429
1906         <rdar://problem/31287961>
1907
1908         Reviewed by Filip Pizlo.
1909
1910         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
1911         need to change their run loop (e.g. when setting to the WebThread's run loop).
1912
1913         * heap/Heap.cpp:
1914         (JSC::Heap::Heap):
1915         (JSC::Heap::setRunLoop): Deleted.
1916         * heap/Heap.h:
1917         (JSC::Heap::runLoop): Deleted.
1918         * runtime/JSRunLoopTimer.cpp:
1919         (JSC::JSRunLoopTimer::JSRunLoopTimer):
1920         (JSC::JSRunLoopTimer::setRunLoop):
1921         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
1922         * runtime/VM.cpp:
1923         (JSC::VM::VM):
1924         (JSC::VM::registerRunLoopTimer):
1925         (JSC::VM::unregisterRunLoopTimer):
1926         (JSC::VM::setRunLoop):
1927         * runtime/VM.h:
1928         (JSC::VM::runLoop):
1929
1930 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
1931
1932         [Cocoa] Modernize some internal initializers to use instancetype instead of id
1933         https://bugs.webkit.org/show_bug.cgi?id=173112
1934
1935         Reviewed by Wenson Hsieh.
1936
1937         * API/JSContextInternal.h:
1938         * API/JSWrapperMap.h:
1939         * API/JSWrapperMap.mm:
1940         (-[JSObjCClassInfo initForClass:]):
1941         (-[JSWrapperMap initWithGlobalContextRef:]):
1942
1943 2017-06-15  Matt Baker  <mattbaker@apple.com>
1944
1945         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
1946         https://bugs.webkit.org/show_bug.cgi?id=172623
1947         <rdar://problem/32415986>
1948
1949         Reviewed by Devin Rousso.
1950
1951         This patch adds a basic Canvas protocol. It includes Canvas and related
1952         types and events for monitoring the lifetime of canvases in the page.
1953
1954         * CMakeLists.txt:
1955         * DerivedSources.make:
1956         * inspector/protocol/Canvas.json: Added.
1957
1958         * inspector/scripts/codegen/generator.py:
1959         (Generator.stylized_name_for_enum_value):
1960         Add special handling for Canvas.ContextType protocol enumeration,
1961         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
1962
1963 2017-06-15  Keith Miller  <keith_miller@apple.com>
1964
1965         Add logging to MachineStackMarker to try to diagnose crashes in the wild
1966         https://bugs.webkit.org/show_bug.cgi?id=173427
1967
1968         Reviewed by Mark Lam.
1969
1970         This patch adds some logging to the MachineStackMarker constructor
1971         to help figure out where we are seeing crashes. Since macOS does
1972         not support os_log_info, my hope is that if we set all the callee
1973         save registers before making any calls in the C++ code we can
1974         figure out which call is the source of the crash. We also set
1975         all the caller save registers before returning in case some
1976         weirdness is happening in the Heap constructor.
1977
1978         This logging should not matter from a performance perspective. We
1979         only create MachineStackMarkers when we are creating a new VM,
1980         which is already expensive.
1981
1982         * heap/MachineStackMarker.cpp:
1983         (JSC::MachineThreads::MachineThreads):
1984
1985 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1986
1987         [JSC] Implement Object.assign in C++
1988         https://bugs.webkit.org/show_bug.cgi?id=173414
1989
1990         Reviewed by Saam Barati.
1991
1992         Implementing Object.assign in JS is not so good compared to the C++ version because:
1993
1994         1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key.
1995         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
1996
1997         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
1998         So JS's type profile doesn't help well.
1999
2000         3. We have a chance to introduce various fast path for Object.assign in C++.
2001
2002         This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
2003
2004         We can see 1.65x improvement in SixSpeed object-assign.es6.
2005
2006                                     baseline                  patched
2007
2008         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
2009
2010         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
2011
2012         * builtins/ObjectConstructor.js:
2013         (entries):
2014         (assign): Deleted.
2015         * runtime/JSCJSValueInlines.h:
2016         (JSC::JSValue::putInline):
2017         * runtime/JSCell.h:
2018         * runtime/JSCellInlines.h:
2019         (JSC::JSCell::putInline):
2020         * runtime/JSObject.cpp:
2021         (JSC::JSObject::put):
2022         * runtime/JSObject.h:
2023         * runtime/JSObjectInlines.h:
2024         (JSC::JSObject::putInlineForJSObject):
2025         (JSC::JSObject::putInline): Deleted.
2026         * runtime/ObjectConstructor.cpp:
2027         (JSC::objectConstructorAssign):
2028
2029 2017-06-14  Dan Bernstein  <mitz@apple.com>
2030
2031         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
2032         https://bugs.webkit.org/show_bug.cgi?id=168578
2033
2034         Reviewed by Geoff Garen.
2035
2036         * API/JSWrapperMap.mm:
2037         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
2038         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
2039         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
2040           it defines conformance to a JSExport-derived protocol and if so, avoid using the
2041           superclass as a substitute as we’d normally do.
2042
2043         * API/ObjcRuntimeExtras.h:
2044         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
2045           bail out.
2046
2047         * API/tests/JSExportTests.mm:
2048         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
2049         (runJSExportTests): Run new test.
2050
2051 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2052
2053         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
2054         https://bugs.webkit.org/show_bug.cgi?id=172421
2055
2056         * dfg/DFGSpeculativeJIT.cpp:
2057         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2058
2059 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
2060
2061         REGRESSION: 15 new jsc failures in WPE and GTK+
2062         https://bugs.webkit.org/show_bug.cgi?id=173349
2063
2064         Reviewed by JF Bastien.
2065
2066         Recent changes to generateWasm.py are not accounted for from
2067         CMake, which leads to WasmOps.h not being regenerated in partial
2068         builds. Make generateWasm.py an additional dependency.
2069         * CMakeLists.txt:
2070
2071 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
2072
2073         Debugger has unexpected effect on program correctness
2074         https://bugs.webkit.org/show_bug.cgi?id=172683
2075
2076         Reviewed by Saam Barati.
2077
2078         * inspector/InjectedScriptSource.js:
2079         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
2080         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
2081         (BasicCommandLineAPI):
2082         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
2083         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
2084
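What "observable" means in the entry above: a for..of loop over an Array goes through `Array.prototype[Symbol.iterator]`, which page script can replace, whereas an indexed loop reads only `length` and the elements. The following is an added example, not part of this ChangeLog entry or of the Web Inspector's injected script; the hook and the sample array are constructed here, and the helper name is my own.

```javascript
// Added example (not WebKit inspector code): iterating an Array with for..of
// is observable by page code because it calls Array.prototype[Symbol.iterator]
// and the iterator's next(); an indexed loop touches neither. Any privileged
// script that must not be influenced by the page should avoid the former.
function countIteratorHooks(values, useForOf) {
  let hookCalls = 0;
  const original = Array.prototype[Symbol.iterator];
  // Constructed stand-in for what page code could install: a wrapper that
  // counts (and could alter) every array iteration.
  Array.prototype[Symbol.iterator] = function hookedIterator() {
    hookCalls++;
    return original.call(this);
  };
  let sum = 0;
  try {
    if (useForOf) {
      for (const v of values) sum += v;            // hook fires
    } else {
      for (let i = 0; i < values.length; i++) sum += values[i]; // hook does not
    }
  } finally {
    Array.prototype[Symbol.iterator] = original;  // restore the prototype
  }
  return { sum, hookCalls };
}

console.log(countIteratorHooks([1, 2, 3], true));  // { sum: 6, hookCalls: 1 }
console.log(countIteratorHooks([1, 2, 3], false)); // { sum: 6, hookCalls: 0 }
```
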
2085 2017-06-13  JF Bastien  <jfbastien@apple.com>
2086
2087         WebAssembly: fix erroneous signature comment
2088         https://bugs.webkit.org/show_bug.cgi?id=173334
2089
2090         Reviewed by Keith Miller.
2091
2092         * wasm/WasmSignature.h:
2093
2094 2017-06-13  Michael Saboff  <msaboff@apple.com>
2095
2096         Refactor AbsenceOfSetter to AbsenceOfSetEffects
2097         https://bugs.webkit.org/show_bug.cgi?id=173322
2098
2099         Reviewed by Filip Pizlo.
2100
2101         * bytecode/ObjectPropertyCondition.h:
2102         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
2103         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
2104         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
2105         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
2106         * bytecode/ObjectPropertyConditionSet.cpp:
2107         (JSC::generateConditionsForPropertySetterMiss):
2108         (JSC::generateConditionsForPropertySetterMissConcurrently):
2109         * bytecode/PropertyCondition.cpp:
2110         (JSC::PropertyCondition::dumpInContext):
2111         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2112         (JSC::PropertyCondition::isStillValid):
2113         (WTF::printInternal):
2114         * bytecode/PropertyCondition.h:
2115         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
2116         (JSC::PropertyCondition::absenceOfSetEffect):
2117         (JSC::PropertyCondition::hasPrototype):
2118         (JSC::PropertyCondition::hash):
2119         (JSC::PropertyCondition::operator==):
2120         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
2121         (JSC::PropertyCondition::absenceOfSetter): Deleted.
2122
2123 2017-06-13  JF Bastien  <jfbastien@apple.com>
2124
2125         WebAssembly: import updated spec tests
2126         https://bugs.webkit.org/show_bug.cgi?id=173287
2127         <rdar://problem/32725975>
2128
2129         Reviewed by Saam Barati.
2130
2131         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
2132         with a few modifications so things work.
2133
2134         Fix a bunch of bugs found through this process, and punt a few tests (which I
2135         marked as blocked by this bug).
2136
2137         Fixes:
2138
2139         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
2140         instead of byte alignment. It was also missing memory-alignment.js despite it
2141         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
2142         pass.
2143
2144         Tables can be imported or in a section. There can be only one, but sections can
2145         be empty. An Elements section can exist if there's no Table, as long as it is
2146         also empty.
2147
2148         Memories can be imported or in a section. There can be only one, but sections
2149         can be empty. A Data section can exist if there's no Memory, as long as it is
2150         also empty.
2151
2152         Prototypes: stringify without .prototype. in the string.
2153
2154         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
2155         not a final size, and throws a RangeError on failure, not a TypeError.
2156
2157         Fix compile / instantiate so they reject the promise if given an argument of the
2158         wrong type (instead of failing instantly).
2159
2160         Fix async on neuter test.
2161
2162         Element section shouldn't affect any Table if any of the elements are out of
2163         bounds. We need to process it in two passes.
2164
2165         Segment section shouldn't affect any Data if any of the segments are out of
2166         bounds. We need to process it in two passes.
2167
2168         Empty data segments are valid, but only when there is no memory. Their index
2169         still gets validated, and has to be zero.
2170
2171         Punts:
2172
2173         Error messages with context: the test seems overly restrictive, but this is
2174         minor.
2175
2176         compile/instantiate/validate property descriptors.
2177
2178         UTF-8 bugs.
2179
2180         Temporarily disable NaN tests. We need to go back and implement the following
2181         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
2182         much as getting all the other tests passing.
2183
2184         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
2185         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
2186         one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
2187         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
2188         to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
2189         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
2190         why they're not allowed.
2191
2192         * wasm/WasmB3IRGenerator.cpp:
2193         * wasm/WasmFunctionParser.h:
2194         * wasm/WasmModuleParser.cpp:
2195         * wasm/WasmModuleParser.h:
2196         * wasm/WasmParser.h:
2197         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
2198         * wasm/generateWasm.py:
2199         (memoryLog2Alignment):
2200         * wasm/js/JSWebAssemblyTable.cpp:
2201         (JSC::JSWebAssemblyTable::grow):
2202         * wasm/js/JSWebAssemblyTable.h:
2203         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
2204         * wasm/js/WebAssemblyInstancePrototype.cpp:
2205         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
2206         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2207         * wasm/js/WebAssemblyModulePrototype.cpp:
2208         * wasm/js/WebAssemblyModuleRecord.cpp:
2209         (JSC::WebAssemblyModuleRecord::evaluate):
2210         * wasm/js/WebAssemblyPrototype.cpp:
2211         (JSC::webAssemblyCompileFunc):
2212         (JSC::resolve):
2213         (JSC::instantiate):
2214         (JSC::compileAndInstantiate):
2215         (JSC::webAssemblyInstantiateFunc):
2216         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
2217         * wasm/js/WebAssemblyTablePrototype.cpp:
2218         (JSC::webAssemblyTableProtoFuncGrow):
2219
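The two-pass rule for Element and Data segments described in this entry, as an added example modelled in plain JavaScript (not WebKit's code; the segment shape `{ index, offset, items }` and the Array / Uint8Array stand-ins for a WebAssembly Table / Memory are assumptions of the example):

```javascript
// Added example, not JavaScriptCore code. Models the entry's rule that an
// Element (or Data) section must not touch the Table (or Memory) at all when
// any segment is out of bounds, and that a section may exist without a
// target only if every segment is empty and its index validates to 0.
// The segment shape { index, offset, items } and the plain Array / Uint8Array
// stand-ins for a WebAssembly Table / Memory are assumptions of this example.

function segmentInBounds(seg, target) {
  // Check both ends as safe integers so offset + length cannot wrap around.
  if (!Number.isSafeInteger(seg.offset) || seg.offset < 0) return false;
  const end = seg.offset + seg.items.length;
  return Number.isSafeInteger(end) && end <= target.length;
}

// Buggy single pass: earlier segments are already written when a later one
// turns out to be out of bounds, leaving the target partially initialized.
function applySegmentsOnePass(target, segments) {
  for (const seg of segments) {
    if (!segmentInBounds(seg, target)) return false;
    for (let i = 0; i < seg.items.length; i++) target[seg.offset + i] = seg.items[i];
  }
  return true;
}

// Two passes: validate every segment first, and only then write. On failure
// the target is untouched, so a rejected module cannot leave a half-filled
// table or memory behind.
function applySegmentsTwoPass(target, segments) {
  for (const seg of segments) {
    if (!segmentInBounds(seg, target)) return false;
  }
  for (const seg of segments) {
    for (let i = 0; i < seg.items.length; i++) target[seg.offset + i] = seg.items[i];
  }
  return true;
}

// Section-level rule: there is at most one table / memory, so the index must
// be 0; with no target defined or imported, every segment must also be empty.
function validateSection(segments, hasTarget) {
  for (const seg of segments) {
    if (seg.index !== 0) return false;
    if (!hasTarget && seg.items.length !== 0) return false;
  }
  return true;
}

// Constructed sample: a 4-slot table and two element segments; the second one
// ends at slot 5 and so must be rejected. Strings stand in for function refs.
const SAMPLE_SEGMENTS = [
  { index: 0, offset: 0, items: ['fA', 'fB'] },
  { index: 0, offset: 3, items: ['fC', 'fD'] },
];

function demo() {
  const onePass = new Array(4).fill(null);
  const twoPass = new Array(4).fill(null);
  const onePassOk = applySegmentsOnePass(onePass, SAMPLE_SEGMENTS);
  const twoPassOk = applySegmentsTwoPass(twoPass, SAMPLE_SEGMENTS);
  // onePass is left as ['fA', 'fB', null, null]; twoPass stays all null.
  return { onePassOk, onePass, twoPassOk, twoPass };
}

console.log(demo());
```

The same two functions serve a Memory stand-in (a Uint8Array) for Data segments, since only `.length` and indexed stores are used.
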
2220 2017-06-13  Michael Saboff  <msaboff@apple.com>
2221
2222         DFG doesn't properly handle a property that is changed to read only in a prototype
2223         https://bugs.webkit.org/show_bug.cgi?id=173321
2224
2225         Reviewed by Filip Pizlo.
2226
2227         We need to check for ReadOnly as well as not being a Setter when checking
2228         an AbsenceOfSetter.
2229
2230         * bytecode/PropertyCondition.cpp:
2231         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
2232
2233 2017-06-13  Daniel Bates  <dabates@apple.com>
2234
2235         Implement W3C Secure Contexts Draft Specification
2236         https://bugs.webkit.org/show_bug.cgi?id=158121
2237         <rdar://problem/26012994>
2238
2239         Reviewed by Brent Fulgham.
2240
2241         Part 4
2242
2243         Adds isSecureContext to the list of common identifiers as needed to support
2244         toggling its exposure from a runtime enabled feature flag.
2245
2246         * runtime/CommonIdentifiers.h:
2247
2248 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
2249
2250         [JSC] Remove redundant includes in config.h
2251         https://bugs.webkit.org/show_bug.cgi?id=173294
2252
2253         Reviewed by Alex Christensen.
2254
2255         * config.h:
2256
2257 2017-06-12  Saam Barati  <sbarati@apple.com>
2258
2259         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
2260         https://bugs.webkit.org/show_bug.cgi?id=172957
2261         <rdar://problem/32602704>
2262
2263         Reviewed by Filip Pizlo.
2264
2265         Consider this program:
2266         ```
2267         block#1:
2268         n: GetClosureVar(..., |this|) // this will load empty JSValue()
2269         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
2270         Branch(#2, #3)
2271         
2272         Block#3:
2273         x: GetLocal(locFoo)
2274         y: CheckNotEmpty(@x)
2275         ```
2276         
2277         If we claim that a cell check filters out the empty value, we will
2278         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
2279         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
2280         
2281         On 64 bit platforms:
2282         - Cell use kind *now allows* the empty value to pass through.
2283         - CellOrOther use kind *now allows* for the empty value to pass through
2284         - NotCell use kind *no longer allows* the empty value to pass through.
2285
2286         * assembler/CPU.h:
2287         (JSC::isARMv7IDIVSupported):
2288         (JSC::isARM64):
2289         (JSC::isX86):
2290         (JSC::isX86_64):
2291         (JSC::is64Bit):
2292         (JSC::is32Bit):
2293         (JSC::isMIPS):
2294         Make these functions constexpr so we can use them in static variable assignment.
2295
2296         * bytecode/SpeculatedType.h:
2297         * dfg/DFGSpeculativeJIT.cpp:
2298         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
2299         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
2300         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
2301         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
2302         (JSC::DFG::SpeculativeJIT::speculateCell):
2303         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
2304         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
2305         (JSC::DFG::SpeculativeJIT::speculateString):
2306         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
2307         (JSC::DFG::SpeculativeJIT::speculateSymbol):
2308         (JSC::DFG::SpeculativeJIT::speculateNotCell):
2309         * dfg/DFGSpeculativeJIT32_64.cpp:
2310         * dfg/DFGSpeculativeJIT64.cpp:
2311         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
2312         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
2313         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
2314         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
2315         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
2316         * dfg/DFGUseKind.h:
2317         (JSC::DFG::typeFilterFor):
2318         * ftl/FTLLowerDFGToB3.cpp:
2319         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
2320         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
2321         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
2322         (JSC::FTL::DFG::LowerDFGToB3::boolify):
2323         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
2324         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
2325         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
2326         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
2327         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
2328         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
2329         (JSC::FTL::DFG::LowerDFGToB3::isCell):
2330         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
2331         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
2332         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
2333         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
2334         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
2335
2336 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2337
2338         Unreviewed, suppress invalid register allocation validation assertion in 32 bit
2339         https://bugs.webkit.org/show_bug.cgi?id=172421
2340
2341         * dfg/DFGSpeculativeJIT.cpp:
2342         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2343
2344 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
2345
2346         We incorrectly allow escaped characters in keyword tokens
2347         https://bugs.webkit.org/show_bug.cgi?id=171310
2348
2349         Reviewed by Yusuke Suzuki.
2350
2351         According to the spec it is not allowed to use escaped characters in
2352         keywords. https://tc39.github.io/ecma262/#sec-reserved-words
2353         The current patch implements this requirement.
2354
2356         * parser/Lexer.cpp:
2357         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
2358         * parser/Parser.cpp:
2359         (JSC::Parser<LexerType>::printUnexpectedTokenText):
2360         * parser/ParserTokens.h:
2361
2362 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2363
2364         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
2365         https://bugs.webkit.org/show_bug.cgi?id=172421
2366
2367         * assembler/MacroAssemblerARM64.h:
2368         (JSC::MacroAssemblerARM64::branch64):
2369         (JSC::MacroAssemblerARM64::branchPtr):
2370
2371 2017-06-12  Commit Queue  <commit-queue@webkit.org>
2372
2373         Unreviewed, rolling out r218093.
2374         https://bugs.webkit.org/show_bug.cgi?id=173259
2375
2376         Break builds (Requested by yusukesuzuki on #webkit).
2377
2378         Reverted changeset:
2379
2380         "Unreviewed, build fix for ARM64"
2381         https://bugs.webkit.org/show_bug.cgi?id=172421
2382         http://trac.webkit.org/changeset/218093
2383
2384 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2385
2386         Unreviewed, build fix for ARM64
2387         https://bugs.webkit.org/show_bug.cgi?id=172421
2388
2389         * dfg/DFGSpeculativeJIT.cpp:
2390         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2391
2392 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2393
2394         [DFG] Add ArrayIndexOf intrinsic
2395         https://bugs.webkit.org/show_bug.cgi?id=172421
2396
2397         Reviewed by Saam Barati.
2398
2399         This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
2400         We emit an array check and take the fast path if the array is Array::Int32, Array::Double
2401         or Array::Contiguous. In addition, for the Array::Int32 and Array::Double cases,
2402         we have inlined fast paths.
2403
2404         With updated ARES-6 Babylon,
2405
2406         Before
2407             firstIteration:     45.76 +- 3.87 ms
2408             averageWorstCase:   24.41 +- 2.17 ms
2409             steadyState:        8.01 +- 0.22 ms
2410         After
2411             firstIteration:     45.64 +- 4.23 ms
2412             averageWorstCase:   23.03 +- 3.34 ms
2413             steadyState:        7.33 +- 0.34 ms
2414
2415         In SixSpeed:
2416                                          baseline                  patched
2417
2418             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
2419             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
2420             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
2421
2422         * dfg/DFGAbstractInterpreterInlines.h:
2423         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2424         * dfg/DFGByteCodeParser.cpp:
2425         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2426         * dfg/DFGClobberize.h:
2427         (JSC::DFG::clobberize):
2428         * dfg/DFGDoesGC.cpp:
2429         (JSC::DFG::doesGC):
2430         * dfg/DFGFixupPhase.cpp:
2431         (JSC::DFG::FixupPhase::fixupNode):
2432         * dfg/DFGNode.h:
2433         (JSC::DFG::Node::hasArrayMode):
2434         * dfg/DFGNodeType.h:
2435         * dfg/DFGOperations.cpp:
2436         * dfg/DFGOperations.h:
2437         * dfg/DFGPredictionPropagationPhase.cpp:
2438         * dfg/DFGSafeToExecute.h:
2439         (JSC::DFG::safeToExecute):
2440         * dfg/DFGSpeculativeJIT.cpp:
2441         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2442         (JSC::DFG::SpeculativeJIT::speculateObject):
2443         * dfg/DFGSpeculativeJIT.h:
2444         (JSC::DFG::SpeculativeJIT::callOperation):
2445         * dfg/DFGSpeculativeJIT32_64.cpp:
2446         (JSC::DFG::SpeculativeJIT::compile):
2447         * dfg/DFGSpeculativeJIT64.cpp:
2448         (JSC::DFG::SpeculativeJIT::compile):
2449         (JSC::DFG::SpeculativeJIT::speculateInt32):
2450         * ftl/FTLCapabilities.cpp:
2451         (JSC::FTL::canCompile):
2452         * ftl/FTLLowerDFGToB3.cpp:
2453         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2454         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2455         * jit/JITOperations.h:
2456         * runtime/ArrayPrototype.cpp:
2457         (JSC::ArrayPrototype::finishCreation):
2458         * runtime/Intrinsic.cpp:
2459         (JSC::intrinsicName):
2460         * runtime/Intrinsic.h:
2461
2462 2017-06-11  Keith Miller  <keith_miller@apple.com>
2463
2464         TypedArray constructor with string shouldn't throw
2465         https://bugs.webkit.org/show_bug.cgi?id=173181
2466
2467         Reviewed by JF Bastien.
2468
2469         We should be coercing primitive arguments to numbers in the various
2470         TypedArray constructors.
2471
2472         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2473         (JSC::constructGenericTypedArrayViewWithArguments):
2474
2475 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2476
2477         [WTF] Make ThreadMessage portable
2478         https://bugs.webkit.org/show_bug.cgi?id=172073
2479
2480         Reviewed by Keith Miller.
2481
2482         * runtime/MachineContext.h:
2483         (JSC::MachineContext::stackPointer):
2484         * tools/CodeProfiling.cpp:
2485         (JSC::profilingTimer):
2486
2487 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
2488
2489         [JSC] Shrink Structure size
2490         https://bugs.webkit.org/show_bug.cgi?id=173239
2491
2492         Reviewed by Mark Lam.
2493
2494         We find that the size of our Structure is slightly enlarged due to padding.
2495         By changing the order of members, we can reduce the size from 120 to 112.
2496         This is good because 120 and 112 are categorized into different size classes.
2497         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
2498         We now save 16 bytes per Structure for free.
2499
2500         * runtime/ConcurrentJSLock.h:
2501         * runtime/Structure.cpp:
2502         (JSC::Structure::Structure):
2503         * runtime/Structure.h:
2504
2505 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
2506
2507         Unreviewed, attempt to fix JSC tests on Win after r217771
2508
2509         * jsc.cpp:
2510         (currentWorkingDirectory): buffer is not NULL-terminated
2511
2512 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2513
2514         [WTF] Add RegisteredSymbolImpl
2515         https://bugs.webkit.org/show_bug.cgi?id=173230
2516
2517         Reviewed by Mark Lam.
2518
2519         * runtime/SymbolConstructor.cpp:
2520         (JSC::symbolConstructorKeyFor):
2521
2522 2017-06-10  Dan Bernstein  <mitz@apple.com>
2523
2524         Reverted r218056 because it made the IDE reindex constantly.
2525
2526         * Configurations/DebugRelease.xcconfig:
2527
2528 2017-06-10  Dan Bernstein  <mitz@apple.com>
2529
2530         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
2531         https://bugs.webkit.org/show_bug.cgi?id=173223
2532
2533         Reviewed by Sam Weinig.
2534
2535         The rebuilds were happening due to a difference in the compiler options that the IDE and
2536         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
2537         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
2538         specify an appropriate path in CLANG_INDEX_STORE_PATH.
2539
2540         * Configurations/DebugRelease.xcconfig:
2541
2542 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
2543
2544         [JSC] Update RegExp.prototype.[@@search] implementation according to the latest spec
2545         https://bugs.webkit.org/show_bug.cgi?id=173227
2546
2547         Reviewed by Mark Lam.
2548
2549         The latest spec introduces a slight change to RegExp.prototype.[@@search].
2550         This patch applies this change. Basically, this change is done in the slow path of
2551         the RegExp.prototype[@@search].
2552         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
2553
2554         * builtins/RegExpPrototype.js:
2555         (search):
2556
2557 2017-06-09  Chris Dumez  <cdumez@apple.com>
2558
2559         Update Thread::create() to take in a WTF::Function instead of a std::function
2560         https://bugs.webkit.org/show_bug.cgi?id=173175
2561
2562         Reviewed by Mark Lam.
2563
2564         * API/tests/CompareAndSwapTest.cpp:
2565         (testCompareAndSwap):
2566
2567 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2568
2569         [DFG] Add verboseDFGOSRExit
2570         https://bugs.webkit.org/show_bug.cgi?id=173156
2571
2572         Reviewed by Saam Barati.
2573
2574         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
2575
2576         * dfg/DFGOSRExitCompiler.cpp:
2577         * runtime/Options.h:
2578
2579 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
2580
2581         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
2582         https://bugs.webkit.org/show_bug.cgi?id=173170
2583
2584         Reviewed by Yusuke Suzuki.
2585
2586         MIPS does not build since r217711 because it is missing this
2587         implementation. This patch fixes the build.
2588
2589         * assembler/MacroAssemblerMIPS.h:
2590         (JSC::MacroAssemblerMIPS::xor32):
2591
2592 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2593
2594         [JSC] FTL does not require dlfcn
2595         https://bugs.webkit.org/show_bug.cgi?id=173143
2596
2597         Reviewed by Darin Adler.
2598
2599         We no longer use the LLVM library. Thus, dlfcn.h is not necessary.
2600         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
2601
2602         * ftl/FTLLowerDFGToB3.cpp:
2603
2604 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2605
2606         [DFG] Add --verboseDFGFailure
2607         https://bugs.webkit.org/show_bug.cgi?id=173155
2608
2609         Reviewed by Sam Weinig.
2610
2611         Similar to verboseFTLFailure, JSC should have a verboseDFGFailure flag to show DFG failures quickly.
2612
2613         * dfg/DFGCapabilities.cpp:
2614         (JSC::DFG::verboseCapabilities):
2615         (JSC::DFG::debugFail):
2616         * runtime/Options.cpp:
2617         (JSC::recomputeDependentOptions):
2618         * runtime/Options.h:
2619
2620 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2621
2622         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
2623         https://bugs.webkit.org/show_bug.cgi?id=173147
2624
2625         Reviewed by JF Bastien.
2626
2627         Because this value becomes -1 in non-Darwin environments.
2628         Thus, we do not need to use OS(DARWIN) here.
2629
2630         * wasm/WasmMemory.cpp:
2631
2632 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
2633
2634         Reduce compiler warnings
2635         https://bugs.webkit.org/show_bug.cgi?id=172078
2636
2637         Reviewed by Yusuke Suzuki.
2638
2639         * runtime/IntlDateTimeFormat.h:
2640
2641 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
2642
2643         [Cocoa] JSWrapperMap leaks for all JSContexts
2644         https://bugs.webkit.org/show_bug.cgi?id=173110
2645         <rdar://problem/32602198>
2646
2647         Reviewed by Geoffrey Garen.
2648
2649         * API/JSContext.mm:
2650         (-[JSContext ensureWrapperMap]):
2651         Ensure this allocation gets released.
2652
2653 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
2654
2655         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
2656         https://bugs.webkit.org/show_bug.cgi?id=161156
2657
2658         Reviewed by Saam Barati.
2659         
2660         Since LLInt does not register impure property watchpoints for self property accesses, it
2661         shouldn't try to cache accesses that require a watchpoint.
2662         
2663         This manifested as a flaky failure because the test would fire the watchpoint after we had
2664         usually already tiered up. Without concurrent JIT, we would have always tiered up before
2665         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
2666         also adds a test that deterministically failed in LLInt without this change; it does so by just
2667         running a lot shorter.
2668
2669         * llint/LLIntSlowPaths.cpp:
2670         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2671
2672 2017-06-08  Keith Miller  <keith_miller@apple.com>
2673
2674         WebAssembly: We should only create wrappers for functions that can be exported
2675         https://bugs.webkit.org/show_bug.cgi?id=173088
2676
2677         Reviewed by Saam Barati.
2678
2679         This patch makes it so we only create wrappers for WebAssembly functions that
2680         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
2681
2682         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
2683         Most of the tests were duplicates of ones in the spec-tests directory. The others I
2684         have converted to use the normal API.
2685
2686         * jsc.cpp:
2687         (GlobalObject::finishCreation):
2688         (valueWithTypeOfWasmValue): Deleted.
2689         (box): Deleted.
2690         (callWasmFunction): Deleted.
2691         (functionTestWasmModuleFunctions): Deleted.
2692         * wasm/WasmB3IRGenerator.cpp:
2693         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2694         (JSC::Wasm::createJSToWasmWrapper):
2695         (JSC::Wasm::parseAndCompile):
2696         * wasm/WasmB3IRGenerator.h:
2697         * wasm/WasmBBQPlan.cpp:
2698         (JSC::Wasm::BBQPlan::prepare):
2699         (JSC::Wasm::BBQPlan::compileFunctions):
2700         (JSC::Wasm::BBQPlan::complete):
2701         * wasm/WasmBBQPlan.h:
2702         * wasm/WasmBBQPlanInlines.h:
2703         (JSC::Wasm::BBQPlan::initializeCallees):
2704         * wasm/WasmCodeBlock.cpp:
2705         (JSC::Wasm::CodeBlock::CodeBlock):
2706         * wasm/WasmCodeBlock.h:
2707         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2708         * wasm/WasmFormat.h:
2709         * wasm/WasmOMGPlan.cpp:
2710         (JSC::Wasm::OMGPlan::work):
2711
2712 2017-06-07  JF Bastien  <jfbastien@apple.com>
2713
2714         WebAssembly: test imports and exports with 16-bit characters
2715         https://bugs.webkit.org/show_bug.cgi?id=165977
2716         <rdar://problem/29760130>
2717
2718         Reviewed by Saam Barati.
2719
2720         Add the missing UTF-8 conversions. Improve import failure error
2721         messages, otherwise it's hard to figure out which import is wrong.
2722
2723         * wasm/js/JSWebAssemblyInstance.cpp:
2724         (JSC::JSWebAssemblyInstance::create):
2725         * wasm/js/WebAssemblyModuleRecord.cpp:
2726         (JSC::WebAssemblyModuleRecord::finishCreation):
2727         (JSC::WebAssemblyModuleRecord::link):
2728
2729 2017-06-07  Devin Rousso  <drousso@apple.com>
2730
2731         Web Inspector: Add ContextMenu item to log WebSocket object to console
2732         https://bugs.webkit.org/show_bug.cgi?id=172878
2733
2734         Reviewed by Joseph Pecoraro.
2735
2736         * inspector/protocol/Network.json:
2737         Add resolveWebSocket command.
2738
2739 2017-06-07  Jon Davis  <jond@apple.com>
2740
2741         Update feature status for features Supported In Preview
2742         https://bugs.webkit.org/show_bug.cgi?id=173071
2743
2744         Reviewed by Darin Adler.
2745
2746         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
2747         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
2748
2749         * features.json:
2750
2751 2017-06-07  Saam Barati  <sbarati@apple.com>
2752
2753         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
2754         https://bugs.webkit.org/show_bug.cgi?id=172673
2755         <rdar://problem/32250144>
2756
2757         Reviewed by Mark Lam.
2758
2759         This patch simply removes this assertion. It's faulty because it
2760         races with the main thread when doing concurrent compilation.
2761         
2762         Consider a program with:
2763         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
2764         - Structure S2
2765         
2766         The DFG IR is like so:
2767           a: JSConstant(O) // FrozenValue {O, S1}
2768           b: CheckStructure(@a, S2)
2769           c: ToThis(@a)
2770           d: CheckEq(@c, nullConstant)
2771           Branch(@d)
2772         
2773         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
2774         When running AI, we'll notice that node @b will OSR exit, so nodes after
2775         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
2776         Now, when running AI, @a will have Top for its structure set. No longer will
2777         we think @b exits.
2778         
2779         The DFG backend asserts that under such a situation, we should have simplified
2780         the CheckEq to false. However, this is a racy thing to assert, since the
2781         transition from dfgWatchable() to !dfgWatchable() can happen right before we
2782         enter the backend. Hence, this assertion is not valid.
2783         
2784         (Note, the generated code for the above program will never actually execute.
2785         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
2786         S1 not transitioning. S1 transitions, so we won't actually run the code that
2787         gets compiled.)
2788
2789         * dfg/DFGSpeculativeJIT64.cpp:
2790         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
2791
2792 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
2793
2794         [JSC] has_generic_property never accepts non-String
2795         https://bugs.webkit.org/show_bug.cgi?id=173057
2796
2797         Reviewed by Darin Adler.
2798
2799         We never pass non-String value to has_generic_property bytecode.
2800
2801         * runtime/CommonSlowPaths.cpp:
2802         (JSC::SLOW_PATH_DECL):
2803
2804 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
2805
2806         [Win][x86-64] Some callee saved registers aren't preserved
2807         https://bugs.webkit.org/show_bug.cgi?id=171266
2808
2809         Reviewed by Saam Barati.
2810
2811         * jit/RegisterSet.cpp:
2812         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
2813
2814 2017-06-06  Mark Lam  <mark.lam@apple.com>
2815
2816         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
2817         https://bugs.webkit.org/show_bug.cgi?id=173035
2818         <rdar://problem/32554593>
2819
2820         Reviewed by Geoffrey Garen and Filip Pizlo.
2821
2822         Also added and fixed up some assertions.
2823
2824         * runtime/ArrayConventions.h:
2825         * runtime/JSArray.cpp:
2826         (JSC::JSArray::setLength):
2827         * runtime/JSObject.cpp:
2828         (JSC::JSObject::createInitialIndexedStorage):
2829         (JSC::JSObject::ensureLengthSlow):
2830         (JSC::JSObject::reallocateAndShrinkButterfly):
2831         * runtime/JSObject.h:
2832         (JSC::JSObject::ensureLength):
2833         * runtime/RegExpObject.cpp:
2834         (JSC::collectMatches):
2835         * runtime/RegExpPrototype.cpp:
2836         (JSC::regExpProtoFuncSplitFast):
2837
2838 2017-06-06  Saam Barati  <sbarati@apple.com>
2839
2840         Make sure we restore SP when doing calls that could be to JS
2841         https://bugs.webkit.org/show_bug.cgi?id=172946
2842         <rdar://problem/32579026>
2843
2844         Reviewed by JF Bastien.
2845
2846         I was worried that there was a bug where we'd call JS, JS would tail call,
2847         and we'd end up with a bogus SP. However, this bug does not exist since wasm
2848         always calls to JS through a stub, and the stub treats SP as a callee save.
2849         
2850         I wrote a test for this, and also made a note that this is the needed ABI.
2851
2852         * wasm/WasmBinding.cpp:
2853         (JSC::Wasm::wasmToJs):
2854
2855 2017-06-06  Keith Miller  <keith_miller@apple.com>
2856
2857         OMG tier up checks should be a patchpoint
2858         https://bugs.webkit.org/show_bug.cgi?id=172944
2859
2860         Reviewed by Saam Barati.
2861
2862         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
2863         in order to reduce code generated out of line in each function. We generate a single stub
2864         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
2865
2866         * wasm/WasmB3IRGenerator.cpp:
2867         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2868         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2869         (JSC::Wasm::B3IRGenerator::addLoop):
2870         * wasm/WasmThunks.cpp:
2871         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2872         * wasm/WasmThunks.h:
2873
2874 2017-06-06  Darin Adler  <darin@apple.com>
2875
2876         Cut down use of WTF_ARRAY_LENGTH
2877         https://bugs.webkit.org/show_bug.cgi?id=172997
2878
2879         Reviewed by Chris Dumez.
2880
2881         * parser/Lexer.cpp:
2882         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
2883
2884         * runtime/NumberPrototype.cpp:
2885         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
2886
2887 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
2888
2889         Add missing <functional> includes
2890         https://bugs.webkit.org/show_bug.cgi?id=173017
2891
2892         Patch by Thiago Macieira <thiago.macieira@intel.com>
2893         Reviewed by Yusuke Suzuki.
2894
2895         This patch fixes compilation with GCC 7.
2896
2897         * inspector/InspectorBackendDispatcher.h:
2898
2899 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
2900
2901         Unreviewed, fix 32-bit build.
2902
2903         * jit/JITOpcodes.cpp:
2904         (JSC::JIT::emit_op_unreachable):
2905
2906 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
2907
2908         Unreviewed rollout r217807. Caused a test to crash.
2909
2910         * heap/HeapSnapshotBuilder.cpp:
2911         (JSC::HeapSnapshotBuilder::buildSnapshot):
2912         (JSC::HeapSnapshotBuilder::json):
2913         (): Deleted.
2914         * heap/HeapSnapshotBuilder.h:
2915         * runtime/JSObject.cpp:
2916         (JSC::JSObject::calculatedClassName):
2917
2918 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
2919
2920         index out of bound in bytecodebasicblock
2921         https://bugs.webkit.org/show_bug.cgi?id=172963
2922
2923         Reviewed by Saam Barati and Mark Lam.
2924         
2925         We were leaving an unterminated basic block when generating CodeForCall for a class
2926         constructor. This was mostly benign since that unterminated block was not reachable, but it
2927         does cause an ASSERT.
2928         
2929         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
2930         this really is the cleanest and most idiomatic way to solve this problem, so even though it
2931         makes the change bigger, it's probably worth it.
2932
2933         * bytecode/BytecodeDumper.cpp:
2934         (JSC::BytecodeDumper<Block>::dumpBytecode):
2935         * bytecode/BytecodeList.json:
2936         * bytecode/BytecodeUseDef.h:
2937         (JSC::computeUsesForBytecodeOffset):
2938         (JSC::computeDefsForBytecodeOffset):
2939         * bytecode/Opcode.h:
2940         (JSC::isTerminal):
2941         * bytecompiler/BytecodeGenerator.cpp:
2942         (JSC::BytecodeGenerator::generate):
2943         (JSC::BytecodeGenerator::emitUnreachable):
2944         * bytecompiler/BytecodeGenerator.h:
2945         * dfg/DFGByteCodeParser.cpp:
2946         (JSC::DFG::ByteCodeParser::parseBlock):
2947         * dfg/DFGCapabilities.cpp:
2948         (JSC::DFG::capabilityLevel):
2949         * ftl/FTLLowerDFGToB3.cpp:
2950         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
2951         * jit/JIT.cpp:
2952         (JSC::JIT::privateCompileMainPass):
2953         * jit/JIT.h:
2954         * jit/JITOpcodes.cpp:
2955         (JSC::JIT::emit_op_unreachable):
2956         * llint/LowLevelInterpreter.asm:
2957         * runtime/CommonSlowPaths.cpp:
2958         (JSC::SLOW_PATH_DECL):
2959         * runtime/CommonSlowPaths.h:
2960
2961 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
2962
2963         Unreviewed, rolling out r217812.
2964
2965         This change caused test failures on arm64.
2966
2967         Reverted changeset:
2968
2969         "OMG tier up checks should be a patchpoint"
2970         https://bugs.webkit.org/show_bug.cgi?id=172944
2971         http://trac.webkit.org/changeset/217812
2972
2973 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2974
2975         [WPE] Enable remote inspector
2976         https://bugs.webkit.org/show_bug.cgi?id=172971
2977
2978         Reviewed by Žan Doberšek.
2979
2980         We can just build the current glib remote inspector, without adding a frontend implementation and using a
2981         WebKitGTK+ browser as frontend for now.
2982
2983         * PlatformWPE.cmake: Add remote inspector files to compilation.
2984         * inspector/remote/glib/RemoteInspectorUtils.cpp:
2985         (Inspector::backendCommands): Load the inspector resources library.
2986
2987 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
2988
2989         [GLIB] Make remote inspector DBus protocol common to all glib based ports
2990         https://bugs.webkit.org/show_bug.cgi?id=172970
2991
2992         Reviewed by Žan Doberšek.
2993
2994         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
2995         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
2996         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
2997         debug WPE, without having to implement the frontend part in WPE yet.
2998
2999         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
3000         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
3001
3002 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
3003
3004         [GTK] Web Process deadlock when closing the remote inspector frontend
3005         https://bugs.webkit.org/show_bug.cgi?id=172973
3006
3007         Reviewed by Žan Doberšek.
3008
3009         We are taking the remote inspector mutex twice. First close message is received, and receivedCloseMessage()
3010         takes the mutex. Then RemoteConnectionToTarget::close() is called that, when connected, calls
3011         PageDebuggable::disconnect() that ends up calling RemoteInspector::updateTarget() that also takes the remote
3012         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
3013
3014         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3015         (Inspector::RemoteInspector::receivedCloseMessage):
3016
3017 2017-06-05  Saam Barati  <sbarati@apple.com>
3018
3019         Try to fix features.json by adding an ESNext section.
3020
3021         Unreviewed.
3022
3023         * features.json:
3024
3025 2017-06-05  David Kilzer  <ddkilzer@apple.com>
3026
3027         Follow-up: Update JSC's features.json
3028         https://bugs.webkit.org/show_bug.cgi?id=172942
3029
3030         Rubber-stamped by Jon Davis.
3031
3032         * features.json: Change "Supported in preview" to
3033         "Supported" to try to fix <https://webkit.org/status/>.
3034
3035 2017-06-05  Saam Barati  <sbarati@apple.com>
3036
3037         We don't properly parse init_expr when the opcode is an unexpected opcode
3038         https://bugs.webkit.org/show_bug.cgi?id=172945
3039
3040         Reviewed by JF Bastien.
3041
3042         The bug is a simple typo. It should use the constant
3043         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
3044         macro. This failure is already caught by spec tests that fail
3045         on arm64 devices.
3046
3047         * wasm/WasmModuleParser.cpp:
3048
3049 2017-06-05  Keith Miller  <keith_miller@apple.com>
3050
3051         OMG tier up checks should be a patchpoint
3052         https://bugs.webkit.org/show_bug.cgi?id=172944
3053
3054         Reviewed by Saam Barati.
3055
3056         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
3057         in order to reduce code generated out of line in each function. We generate a single stub
3058         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
3059
3060         * wasm/WasmB3IRGenerator.cpp:
3061         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3062         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
3063         (JSC::Wasm::B3IRGenerator::addLoop):
3064         * wasm/WasmThunks.cpp:
3065         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3066         * wasm/WasmThunks.h:
3067
3068 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
3069
3070         Remove unused VM members
3071         https://bugs.webkit.org/show_bug.cgi?id=172941
3072
3073         Reviewed by Mark Lam.
3074
3075         * runtime/HashMapImpl.h:
3076         (JSC::HashMapImpl::selectStructure): Deleted.
3077         * runtime/VM.cpp:
3078         (JSC::VM::VM):
3079         * runtime/VM.h:
3080
3081 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
3082
3083         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
3084         https://bugs.webkit.org/show_bug.cgi?id=172848
3085         <rdar://problem/25709212>
3086
3087         Reviewed by Saam Barati.
3088
3089         * heap/HeapSnapshotBuilder.h:
3090         * heap/HeapSnapshotBuilder.cpp:
3091         Update the snapshot version. Change the node's 0 | 1 internal value
3092         to be a 32-bit bit flag. This is nice in that it is both compatible
3093         with the previous snapshot version and the same size. We can use more
3094         flags in the future.
3095
3096         (JSC::HeapSnapshotBuilder::json):
3097         In cases where the classInfo gives us "Object" check for a better
3098         class name by checking (o).__proto__.constructor.name. We avoid this
3099         check in cases where (o).hasOwnProperty("constructor") which is the
3100         case for most Foo.prototype objects. Otherwise this would get the
3101         name of the Foo superclass for the Foo.prototype object.
3102
3103         * runtime/JSObject.cpp:
3104         (JSC::JSObject::calculatedClassName):
3105         Handle some possible edge cases that were not handled before, such
3106         as a JSObject without a GlobalObject, and an object which doesn't
3107         have a default getPrototype. Try to make the code a little clearer.
3108
3109 2017-06-05  Saam Barati  <sbarati@apple.com>
3110
3111         Update JSC's features.json
3112         https://bugs.webkit.org/show_bug.cgi?id=172942
3113
3114         Rubber stamped by Mark Lam.
3115
3116         * features.json:
3117
3118 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
3119
3120         Fix build of Windows-specific code with ICU 59.1
3121         https://bugs.webkit.org/show_bug.cgi?id=172729
3122
3123         Reviewed by Darin Adler.
3124
3125         Fix conversions from WTF::String to wchar_t* and vice versa.
3126
3127         * jsc.cpp:
3128         (currentWorkingDirectory):
3129         (fetchModuleFromLocalFileSystem):
3130         * runtime/DateConversion.cpp:
3131         (JSC::formatDateTime):
3132
3133 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3134
3135         [JSC] Drop unnecessary USE(CF) guard for getenv
3136         https://bugs.webkit.org/show_bug.cgi?id=172903
3137
3138         Reviewed by Sam Weinig.
3139
3140         getenv is not related to USE(CF) and OS(UNIX). It seems that this
3141         ifdef only hits in WinCairo, but WinCairo can use getenv.
3142         Moreover, in VM::VM, we already use getenv without any ifdef guard.
3143
3144         This patch just drops it.
3145
3146         * runtime/VM.cpp:
3147         (JSC::enableAssembler):
3148
3149 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
3150
3151         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
3152         https://bugs.webkit.org/show_bug.cgi?id=172904
3153
3154         Reviewed by Sam Weinig.
3155
3156         In a non-Darwin environment, uintptr_t may have the same type
3157         as uint64_t. We avoided the compile error by using OS(DARWIN).
3158         But, since it depends on the cstdint implementation rather than the OS, it is flaky.
3159         Instead, we just use template parameter IntegralType.
3160         And we describe the type constraint in a SFINAE manner.
3161
3162         * dfg/DFGOpInfo.h:
3163         (JSC::DFG::OpInfo::OpInfo):
3164
3165 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
3166
3167         [ARM] Unreviewed buildfix after r217711.
3168
3169         * assembler/MacroAssemblerARM.h:
3170         (JSC::MacroAssemblerARM::xor32):
3171
3172 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3173
3174         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
3175         https://bugs.webkit.org/show_bug.cgi?id=168844
3176
3177         Reviewed by Saam Barati.
3178
3179         As with the exported function declaration, we should set statementDepth = 1 for exported async function declaration.
3180
3181         * parser/Parser.cpp:
3182         (JSC::DepthManager::DepthManager):
3183         (JSC::Parser<LexerType>::parseExportDeclaration):
3184         * parser/Parser.h:
3185         (JSC::Parser::DepthManager::DepthManager): Deleted.
3186         (JSC::Parser::DepthManager::~DepthManager): Deleted.
3187
3188 2017-06-02  Keith Miller  <keith_miller@apple.com>
3189
3190         Defer installing mach breakpoint handler until watchdog is actually called
3191         https://bugs.webkit.org/show_bug.cgi?id=172885
3192
3193         Reviewed by Saam Barati.
3194
3195         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
3196         This hides the issue, so it won't occur as often.
3197
3198         * runtime/VMTraps.cpp:
3199         (JSC::VMTraps::SignalSender::send):
3200         (JSC::VMTraps::VMTraps): Deleted.
3201         * runtime/VMTraps.h:
3202
3203 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
3204
3205         Atomics.load and Atomics.store need to be fully fenced
3206         https://bugs.webkit.org/show_bug.cgi?id=172844
3207
3208         Reviewed by Keith Miller.
3209         
3210         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
3211         AtomicXchg(value, ptr) for the store.
3212         
3213         DFG needed no changes because it implements all atomics using a CAS loop.
3214         
3215         AtomicsObject.cpp now uses the new Atomic<> API for fully fenced loads and stores.
3216         
3217         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
3218         is not correct according to my current understanding of the SAB memory model, which requires
3219         that atomic operations are SC with respect to everything not just other atomics.
3220
3221         * ftl/FTLLowerDFGToB3.cpp:
3222         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
3223         * ftl/FTLOutput.cpp:
3224         (JSC::FTL::Output::atomicWeakCAS):
3225         * ftl/FTLOutput.h:
3226         * runtime/AtomicsObject.cpp:
3227
3228 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
3229
3230         Unreviewed, attempt to fix the iOS build after r217711.
3231
3232         * assembler/MacroAssemblerARM64.h:
3233         (JSC::MacroAssemblerARM64::xor32):
3234         (JSC::MacroAssemblerARM64::xor64):
3235
3236 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
3237
3238         GC should use scrambled free-lists
3239         https://bugs.webkit.org/show_bug.cgi?id=172793
3240
3241         Reviewed by Mark Lam.
3242         
3243         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
3244         The linked-list would be threaded through free memory, as is the usual convention.
3245         
3246         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
3247         this leads to a more natural fast-path structure and saves one register on ARM64.
3248         
3249         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
3250         every time they do a sweep-to-pop.
3251         
3252         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
3253         quite a bit. Previously, there were four copies of the allocator fast path: two in
3254         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
3255         was obviously different-looking, but the other three were almost identical. This moves all of
3256         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
3257         AssemblyHelpers.h.
3258         
3259         This appears to be just as fast as our previous allocator.
3260
3261         * JavaScriptCore.xcodeproj/project.pbxproj:
3262         * heap/FreeList.cpp:
3263         (JSC::FreeList::FreeList):
3264         (JSC::FreeList::~FreeList):
3265         (JSC::FreeList::clear):
3266         (JSC::FreeList::initializeList):
3267         (JSC::FreeList::initializeBump):
3268         (JSC::FreeList::contains):
3269         (JSC::FreeList::dump):
3270         * heap/FreeList.h:
3271         (JSC::FreeList::allocationWillFail):
3272         (JSC::FreeList::originalSize):
3273         (JSC::FreeList::addressOfList):
3274         (JSC::FreeList::offsetOfBlock):
3275         (JSC::FreeList::offsetOfList):
3276         (JSC::FreeList::offsetOfIndex):
3277         (JSC::FreeList::offsetOfPayloadEnd):
3278         (JSC::FreeList::offsetOfRemaining):
3279         (JSC::FreeList::offsetOfOriginalSize):
3280         (JSC::FreeList::FreeList): Deleted.
3281         (JSC::FreeList::list): Deleted.
3282         (JSC::FreeList::bump): Deleted.
3283         (JSC::FreeList::operator==): Deleted.
3284         (JSC::FreeList::operator!=): Deleted.
3285         (JSC::FreeList::operator bool): Deleted.
3286         * heap/FreeListInlines.h: Added.
3287         (JSC::FreeList::addFreeCell):
3288         (JSC::FreeList::allocate):
3289         (JSC::FreeList::forEach):
3290         (JSC::FreeList::toOffset):
3291         (JSC::FreeList::fromOffset):
3292         * heap/IncrementalSweeper.cpp:
3293         (JSC::IncrementalSweeper::sweepNextBlock):
3294         * heap/MarkedAllocator.cpp:
3295         (JSC::MarkedAllocator::MarkedAllocator):
3296         (JSC::MarkedAllocator::didConsumeFreeList):
3297         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3298         (JSC::MarkedAllocator::tryAllocateIn):
3299         (JSC::MarkedAllocator::allocateSlowCaseImpl):
3300         (JSC::MarkedAllocator::stopAllocating):
3301         (JSC::MarkedAllocator::prepareForAllocation):
3302         (JSC::MarkedAllocator::resumeAllocating):
3303         (JSC::MarkedAllocator::sweep):
3304         (JSC::MarkedAllocator::setFreeList): Deleted.
3305         * heap/MarkedAllocator.h:
3306         (JSC::MarkedAllocator::freeList):
3307         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
3308         * heap/MarkedAllocatorInlines.h:
3309         (JSC::MarkedAllocator::isFreeListedCell):
3310         (JSC::MarkedAllocator::tryAllocate):
3311         (JSC::MarkedAllocator::allocate):
3312         * heap/MarkedBlock.cpp:
3313         (JSC::MarkedBlock::Handle::stopAllocating):
3314         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3315         (JSC::MarkedBlock::Handle::resumeAllocating):
3316         (JSC::MarkedBlock::Handle::zap):
3317         (JSC::MarkedBlock::Handle::sweep):
3318         (JSC::MarkedBlock::Handle::isFreeListedCell):
3319         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
3320         * heap/MarkedBlock.h:
3321         * heap/MarkedBlockInlines.h:
3322         (JSC::MarkedBlock::Handle::specializedSweep):
3323         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
3324         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
3325         * heap/Subspace.cpp:
3326         (JSC::Subspace::finishSweep):
3327         * heap/Subspace.h:
3328         * jit/AssemblyHelpers.h:
3329         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
3330         * runtime/JSDestructibleObjectSubspace.cpp:
3331         (JSC::JSDestructibleObjectSubspace::finishSweep):
3332         * runtime/JSDestructibleObjectSubspace.h:
3333         * runtime/JSSegmentedVariableObjectSubspace.cpp:
3334         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
3335         * runtime/JSSegmentedVariableObjectSubspace.h:
3336         * runtime/JSStringSubspace.cpp:
3337         (JSC::JSStringSubspace::finishSweep):
3338         * runtime/JSStringSubspace.h:
3339         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
3340         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
3341         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
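
        The scrambled free-list described in this entry, as an added illustration in C that is not
        WebKit's FreeList code: head and next pointers are stored XORed with a per-allocator secret,
        and the secret is rotated on every sweep-to-pop. The cell layout, the 8-cell block, the
        deterministic secret source and the function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A free cell holds its next pointer XORed with the allocator's secret. */
typedef struct FreeCell { uintptr_t scrambledNext; } FreeCell;

/* The head is scrambled as well, so head and next are handled identically on the fast
 * path and a raw pointer written into free memory does not descramble to a usable address. */
typedef struct FreeList { uintptr_t scrambledHead; uintptr_t secret; } FreeList;

/* Constructed, deterministic secret source (a real allocator would use a CSPRNG).
 * xorshift64 never yields 0 from a non-zero seed, and consecutive outputs always differ. */
static uintptr_t freshSecret(void)
{
    static uint64_t s = 0x9E3779B97F4A7C15ull;
    s ^= s << 13; s ^= s >> 7; s ^= s << 17;
    return (uintptr_t)s;
}

static uintptr_t scramble(const FreeList* fl, const FreeCell* p) { return (uintptr_t)p ^ fl->secret; }
static FreeCell* descramble(const FreeList* fl, uintptr_t v) { return (FreeCell*)(v ^ fl->secret); }

/* Sweep-to-pop: pick a fresh secret, then thread the free cells of `block` into
 * the list. Pushing in reverse makes pops come out in ascending address order. */
static void freeListInitialize(FreeList* fl, unsigned char* block, size_t cellSize,
                               const int* isFree, size_t numCells)
{
    fl->secret = freshSecret();
    fl->scrambledHead = scramble(fl, NULL);         /* empty list */
    for (size_t i = numCells; i-- > 0;) {
        if (!isFree[i]) continue;
        FreeCell* cell = (FreeCell*)(block + i * cellSize);
        cell->scrambledNext = fl->scrambledHead;    /* head is already scrambled */
        fl->scrambledHead = scramble(fl, cell);
    }
}

/* Pop fast path: descramble the head, bail out when empty, advance to the stored scrambled next. */
static void* freeListAllocate(FreeList* fl)
{
    FreeCell* head = descramble(fl, fl->scrambledHead);
    if (!head) return NULL;
    fl->scrambledHead = head->scrambledNext;
    return head;
}

/* Constructed scenario: 8 cells of 32 bytes, cells 1, 3 and 6 still live. Returns the pop
 * count before the list ran dry and reports whether pops were in address order, whether the
 * head cell's stored value differs from its raw next pointer, and whether a second sweep rotated the secret. */
int scrambledFreeListDemo(int* popsInOrder, int* storedDiffersFromRaw, int* secretChanged)
{
    static _Alignas(uintptr_t) unsigned char block[8 * 32];  /* keeps cells aligned */
    const int isFree[8] = { 1, 0, 1, 0, 1, 1, 0, 1 };
    FreeList fl;
    memset(block, 0, sizeof block);
    freeListInitialize(&fl, block, 32, isFree, 8);
    FreeCell* head = (FreeCell*)block;                      /* cell 0 is free: the head */
    *storedDiffersFromRaw = head->scrambledNext != (uintptr_t)(block + 2 * 32);
    uintptr_t firstSecret = fl.secret;
    int pops = 0; void* prev = NULL; *popsInOrder = 1;
    for (void* p; (p = freeListAllocate(&fl)) != NULL; prev = p, pops++)
        if (prev && p <= prev) *popsInOrder = 0;
    freeListInitialize(&fl, block, 32, isFree, 8);          /* next sweep: new secret */
    *secretChanged = fl.secret != firstSecret;
    return pops;
}

int main(void)
{
    int inOrder, differs, rotated;
    int pops = scrambledFreeListDemo(&inOrder, &differs, &rotated);
    printf("pops=%d inOrder=%d storedScrambled=%d secretRotated=%d\n", pops, inOrder, differs, rotated);
    return 0;
}
```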
3342
3343 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3344
3345         [JSC] Use @globalPrivate for concatSlowPath
3346         https://bugs.webkit.org/show_bug.cgi?id=172802
3347
3348         Reviewed by Darin Adler.
3349
3350         Use @globalPrivate instead of manually putting it to JSGlobalObject.
3351
3352         * builtins/ArrayPrototype.js:
3353         (concatSlowPath): Deleted.
3354         * runtime/JSGlobalObject.cpp:
3355         (JSC::JSGlobalObject::init):
3356
3357 2017-06-01  Andy Estes  <aestes@apple.com>
3358
3359         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
3360         https://bugs.webkit.org/show_bug.cgi?id=172828
3361
3362         Reviewed by Beth Dakin.
3363
3364         * Configurations/FeatureDefines.xcconfig:
3365
3366 2017-06-01  Keith Miller  <keith_miller@apple.com>
3367
3368         Undo rollout in r217638 with bug fix
3369         https://bugs.webkit.org/show_bug.cgi?id=172824
3370
3371         Unreviewed, reland patch with unused set_state code removed.
3372
3373         * API/tests/ExecutionTimeLimitTest.cpp:
3374         (dispatchTermitateCallback):
3375         (testExecutionTimeLimit):
3376         * runtime/JSLock.cpp:
3377         (JSC::JSLock::didAcquireLock):
3378         * runtime/Options.cpp:
3379         (JSC::overrideDefaults):
3380         (JSC::Options::initialize):
3381         * runtime/Options.h:
3382         * runtime/VMTraps.cpp:
3383         (JSC::SignalContext::SignalContext):
3384         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
3385         (JSC::installSignalHandler):
3386         (JSC::VMTraps::SignalSender::send):
3387         * tools/SigillCrashAnalyzer.cpp:
3388         (JSC::SignalContext::SignalContext):
3389         (JSC::SignalContext::dump):
3390         (JSC::installCrashHandler):
3391         * wasm/WasmBBQPlan.cpp:
3392         (JSC::Wasm::BBQPlan::compileFunctions):
3393         * wasm/WasmFaultSignalHandler.cpp:
3394         (JSC::Wasm::trapHandler):
3395         (JSC::Wasm::enableFastMemory):
3396         * wasm/WasmMachineThreads.cpp:
3397         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3398
3399 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
3400
3401         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
3402         https://bugs.webkit.org/show_bug.cgi?id=172800
3403
3404         Reviewed by Saam Barati.
3405
3406         This fixes a static_cast<uint64_t> by making it a cast to int64_t
3407         instead, which looks like the original intent. This fixes the
3408         sampling-profiler tests in JSTests/stress.
3409
3410         * runtime/SamplingProfiler.cpp:
3411         (JSC::SamplingProfiler::timerLoop):
3412