[CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>

        [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
        https://bugs.webkit.org/show_bug.cgi?id=174557

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt:

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use std::unique_ptr for StackTrace
        https://bugs.webkit.org/show_bug.cgi?id=174495

        Reviewed by Alex Christensen.

        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/VM.cpp:
        (JSC::VM::throwException):

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
        https://bugs.webkit.org/show_bug.cgi?id=174423

        Reviewed by Saam Barati.

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneHeap):
        (JSC::DFG::AvailabilityMap::pruneByLiveness):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Fix compiler warnings when building with GCC 7
        https://bugs.webkit.org/show_bug.cgi?id=174463

        Reviewed by Darin Adler.

        * disassembler/udis86/udis86_decode.c:
        (decode_operand):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Incorrect assertion in JSC::CallLinkInfo::callTypeFor
        https://bugs.webkit.org/show_bug.cgi?id=174467

        Reviewed by Saam Barati.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callTypeFor):

2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused and untested Page domain commands
        https://bugs.webkit.org/show_bug.cgi?id=174429

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Page.json:

2017-07-13  Saam Barati  <sbarati@apple.com>

        Missing exception check in JSObject::hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=174455
        <rdar://problem/31384608>

        Reviewed by Mark Lam.

        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):

2017-07-13  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Spread
        https://bugs.webkit.org/show_bug.cgi?id=167963

        Reviewed by Saam Barati.

        This patch implements the ECMA262 stage 3 Object Spread proposal [1].
        It's implemented using CopyDataPropertiesNoExclusions to copy
        all enumerable keys from the object being spread. The implementation of
        CopyDataPropertiesNoExclusions follows the CopyDataProperties
        implementation; however, we don't receive excludedNames as a parameter.

        [1] - https://github.com/tc39/proposal-object-rest-spread

        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataPropertiesNoExclusions):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createObjectSpreadExpression):
        (JSC::ASTBuilder::createProperty):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ObjectSpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createObjectSpreadExpression):
        (JSC::SyntaxChecker::createProperty):

2017-07-12  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix after r219434.
        https://bugs.webkit.org/show_bug.cgi?id=174441

        Not reviewed.

        Make public some MacroAssembler functions that are needed by the probe implementation.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::linkCall):

2017-07-12  Mark Lam  <mark.lam@apple.com>

        Move Probe code from AbstractMacroAssembler to MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=174441

        Reviewed by Saam Barati.

        This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
        to MacroAssembler.  There is no code behavior change.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
        (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
        (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName):
        (JSC::MacroAssembler::CPUState::fprName):
        (JSC::MacroAssembler::CPUState::gpr):
        (JSC::MacroAssembler::CPUState::fpr):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARM::probe): Deleted.
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARM64::probe): Deleted.
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARMv7::probe): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerX86Common::probe): Deleted.
        * assembler/MacroAssemblerX86Common.h:

2017-07-12  Saam Barati  <sbarati@apple.com>

        GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
        https://bugs.webkit.org/show_bug.cgi?id=174411
        <rdar://problem/31696186>

        Reviewed by Mark Lam.

        The code for deleting an argument was incorrectly referencing state
        when it decided if it should unmap or mark a property as having its
        descriptor modified. This patch fixes the bug where if we delete a
        property, we would sometimes not unmap an argument when deleting it.

        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):

2017-07-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r219176.
        https://bugs.webkit.org/show_bug.cgi?id=174436

        "Can cause infinite recursion on iOS" (Requested by mlam on
        #webkit).

        Reverted changeset:

        "WTF::Thread should have the threads stack bounds."
        https://bugs.webkit.org/show_bug.cgi?id=173975
        http://trac.webkit.org/changeset/219176

2017-07-12  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r219401.

        This revision rolled out the previous patch, but after talking
        with the reviewer, a rebaseline is what was needed. Rolling back in
        before rebaseline.

        Reverted changeset:

        "Unreviewed, rolling out r219379."
        https://bugs.webkit.org/show_bug.cgi?id=174400
        http://trac.webkit.org/changeset/219401

2017-07-12  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r219379.

        This revision caused a consistent failure in the test
        fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.

        Reverted changeset:

        "Remove NAVIGATOR_HWCONCURRENCY"
        https://bugs.webkit.org/show_bug.cgi?id=174400
        http://trac.webkit.org/changeset/219379

2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>

        Wrong radix used in Unicode Escape in invalid character error message
        https://bugs.webkit.org/show_bug.cgi?id=174419

        Reviewed by Alex Christensen.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage):

2017-07-11  Dean Jackson  <dino@apple.com>

        Remove NAVIGATOR_HWCONCURRENCY
        https://bugs.webkit.org/show_bug.cgi?id=174400

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Dean Jackson  <dino@apple.com>

        Rolling out r219372.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Dean Jackson  <dino@apple.com>

        Remove NAVIGATOR_HWCONCURRENCY
        https://bugs.webkit.org/show_bug.cgi?id=174400

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Saam Barati  <sbarati@apple.com>

        remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
        https://bugs.webkit.org/show_bug.cgi?id=174397

        Rubber stamped by David Kilzer.

        * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
        * wasm/js/WebAssemblyFunctionCell.h: Removed.

2017-07-10  Saam Barati  <sbarati@apple.com>

        Allocation sinking phase should consider a CheckStructure that would fail as an escape
        https://bugs.webkit.org/show_bug.cgi?id=174321
        <rdar://problem/32604963>

        Reviewed by Filip Pizlo.

        When the allocation sinking phase was generating stores to materialize
        objects in a cycle with each other, it would assume that each materialized
        object had a valid, non-empty set of structures. This is an OK assumption for
        the phase to make because how do you materialize an object with no structure?

        The abstract interpretation part of the phase will model what's in the heap.
        However, it would sometimes model that a CheckStructure would fail. The phase
        did nothing special for this; it just stored the empty set of structures for
        its representation of a particular allocation. However, what the phase proved
        in such a scenario is that, had the CheckStructure executed, it would have exited.

        This patch treats such CheckStructures and MultiGetByOffsets as escape points.
        This will cause the allocation in question to be materialized just before
        the CheckStructure, and then at execution time, the CheckStructure will exit.

        I wasn't able to write a test case for this. However, I was able to reproduce
        this crash by manually editing the IR. I've opened a separate bug to help us
        create a testing framework for writing tests for hard-to-reproduce bugs like this:
        https://bugs.webkit.org/show_bug.cgi?id=174322

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
        https://bugs.webkit.org/show_bug.cgi?id=174279

        Reviewed by Matt Baker.

        * inspector/protocol/DOM.json:
        Add `highlightNodeList` command that will highlight each node in the given list.

2017-07-03  Brian Burg  <bburg@apple.com>

        Web Replay: remove some unused code
        https://bugs.webkit.org/show_bug.cgi?id=173903

        Rubber-stamped by Joseph Pecoraro.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/protocol/Replay.json: Removed.
        * replay/EmptyInputCursor.h: Removed.
        * replay/EncodedValue.cpp: Removed.
        * replay/EncodedValue.h: Removed.
        * replay/InputCursor.h: Removed.
        * replay/JSInputs.json: Removed.
        * replay/NondeterministicInput.h: Removed.
        * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
        * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
        * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
        * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
        * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
        * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
        * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
        * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
        * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
        * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
        * replay/scripts/tests/generate-enum-with-guard.json: Removed.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
        * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
        * replay/scripts/tests/generate-input-with-guard.json: Removed.
        * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
        * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
        * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::dateNow):
        (JSC::deterministicCurrentTime): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::setInputCursor): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inputCursor): Deleted.

2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move make-js-file-arrays.py from WebCore to JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=174024

        Reviewed by Michael Catanzaro.

        It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
        specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
        Added a command line option to pass the namespace to use instead of using WebCore.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
        (main):

2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
        https://bugs.webkit.org/show_bug.cgi?id=174296

        Reviewed by Mark Lam.

        Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
        It caused a problem in scanning template literals. While template literals normalize
        <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
        To handle it correctly, LineNumberAdder was introduced.

        As of r219263, <LF><CR> is counted as two line terminators, so we do not need to have
        LineNumberAdder. Let's just use shiftLineTerminator() instead.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseTemplateLiteral):
        (JSC::LineNumberAdder::LineNumberAdder): Deleted.
        (JSC::LineNumberAdder::clear): Deleted.
        (JSC::LineNumberAdder::add): Deleted.

2017-07-09  Dan Bernstein  <mitz@apple.com>

        [Xcode] ICU headers aren’t treated as system headers after r219155
        https://bugs.webkit.org/show_bug.cgi?id=174299

        Reviewed by Sam Weinig.

        * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
          C++ compilers.
        * runtime/IntlCollator.cpp: Removed documentation warning suppression.
        * runtime/IntlDateTimeFormat.cpp: Ditto.
        * runtime/JSGlobalObject.cpp: Ditto.
        * runtime/StringPrototype.cpp: Ditto.

2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use fastMalloc / fastFree for STL containers
        https://bugs.webkit.org/show_bug.cgi?id=174297

        Reviewed by Sam Weinig.

        In some places, we intentionally use STL containers over WTF containers.
        For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
        because we do not have effective empty / deleted representations in the key's value space.
        But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).

        We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
        We specify this allocator as the STL containers' template parameter to allocate memory from fastMalloc.

        This WTF::FastAllocator gives us a chance to use STL containers when necessary
        without compromising memory allocation throughput.

        * dfg/DFGGraph.h:
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
        * runtime/FunctionHasExecutedCache.h:
        * runtime/TypeLocationCache.h:

2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Drop NOSNIFF compile flag
        https://bugs.webkit.org/show_bug.cgi?id=174289

        Reviewed by Michael Catanzaro.

        * Configurations/FeatureDefines.xcconfig:

2017-07-07  AJ Ringer  <aringer@apple.com>

        Lower the max_protection for the separated heap
        https://bugs.webkit.org/show_bug.cgi?id=174281

        Reviewed by Oliver Hunt.

        Switch to vm_protect so we can set maximum page protection.

        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::ExecutableAllocator::allocate):

2017-07-07  Devin Rousso  <drousso@apple.com>

        Web Inspector: Show all elements currently using a given CSS Canvas
        https://bugs.webkit.org/show_bug.cgi?id=173965

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
         - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
           canvas via -webkit-canvas.
         - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
           added/removed from the list of -webkit-canvas clients.

2017-07-07  Mark Lam  <mark.lam@apple.com>

        \n\r is not the same as \r\n.
        https://bugs.webkit.org/show_bug.cgi?id=173053

        Reviewed by Keith Miller.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::shiftLineTerminator):
        (JSC::LineNumberAdder::add):

2017-07-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r219238, r219239, and r219241.
        https://bugs.webkit.org/show_bug.cgi?id=174265

        "fast/workers/dedicated-worker-lifecycle.html is flaky"
        (Requested by yusukesuzuki on #webkit).

        Reverted changesets:

        "[WTF] Implement WTF::ThreadGroup"
        https://bugs.webkit.org/show_bug.cgi?id=174081
        http://trac.webkit.org/changeset/219238

        "Unreviewed, build fix after r219238"
        https://bugs.webkit.org/show_bug.cgi?id=174081
        http://trac.webkit.org/changeset/219239

        "Unreviewed, CLoop build fix after r219238"
        https://bugs.webkit.org/show_bug.cgi?id=174081
        http://trac.webkit.org/changeset/219241

2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, CLoop build fix after r219238
        https://bugs.webkit.org/show_bug.cgi?id=174081

        * heap/MachineStackMarker.cpp:

2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Implement WTF::ThreadGroup
        https://bugs.webkit.org/show_bug.cgi?id=174081

        Reviewed by Mark Lam.

        A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
        and SamplingProfiler and others interact with WTF::Thread directly.

        * API/tests/ExecutionTimeLimitTest.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
        (JSC::ActiveMachineThreadsManager::add): Deleted.
        (JSC::ActiveMachineThreadsManager::remove): Deleted.
        (JSC::ActiveMachineThreadsManager::contains): Deleted.
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
        (JSC::activeMachineThreadsManager): Deleted.
        (JSC::MachineThreads::~MachineThreads): Deleted.
        (JSC::MachineThreads::addCurrentThread): Deleted.
        (): Deleted.
        (JSC::MachineThreads::removeThread): Deleted.
        (JSC::MachineThreads::removeThreadIfFound): Deleted.
        (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
        (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
        (JSC::MachineThreads::MachineThread::captureStack): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threads):
        (JSC::MachineThreads::MachineThread::suspend): Deleted.
        (JSC::MachineThreads::MachineThread::resume): Deleted.
        (JSC::MachineThreads::MachineThread::threadID): Deleted.
        (JSC::MachineThreads::MachineThread::stackBase): Deleted.
        (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
        (JSC::MachineThreads::threadsListHead): Deleted.
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        * runtime/SamplingProfiler.h:
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-07-06  Saam Barati  <sbarati@apple.com>

        We are missing places where we invalidate the for-in context
        https://bugs.webkit.org/show_bug.cgi?id=174184

        Reviewed by Geoffrey Garen.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::invalidateForInContextForLocal):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue):

2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress warnings in GCC environment

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * runtime/IntlCollator.cpp:
        * runtime/IntlDateTimeFormat.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/StringPrototype.cpp:

2017-07-05  Saam Barati  <sbarati@apple.com>

        NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
        https://bugs.webkit.org/show_bug.cgi?id=174188
        <rdar://problem/30581423>

        Reviewed by Mark Lam.

        We were calling lowJSValue(edge) when we were speculating the
        edge as double. This isn't allowed. We should have been using
        lowDouble.

        This patch also adds a new option, called useArrayAllocationProfiling,
        which defaults to true. When false, it will make the array allocation
        profile not actually sample seen arrays. It'll force the allocation
        profile's predicted indexing type to be ArrayWithUndecided. Adding
        this option made it trivial to write a test for this bug.

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateIndexingType):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        * runtime/Options.h:

2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF::Thread should have the threads stack bounds.
        https://bugs.webkit.org/show_bug.cgi?id=173975

        Reviewed by Keith Miller.

        There is a site in JSC that tries to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData, which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We work around this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
        information is tightly coupled with Thread. Thus putting it in WTF::Thread
        is the natural choice.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::captureStack):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * runtime/VMTraps.cpp:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):

2017-07-05  Keith Miller  <keith_miller@apple.com>

        Crashing with information should have an abort reason
        https://bugs.webkit.org/show_bug.cgi?id=174185

        Reviewed by Saam Barati.

        Add crash information for the abstract interpreter and add an enum
        value for object allocation sinking.

        * assembler/AbortReason.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::logDFGAssertionFailure):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>

        Remove copy of ICU headers from WebKit
        https://bugs.webkit.org/show_bug.cgi?id=116407

        Reviewed by Alex Christensen.

        Use WTF's copy of ICU headers.

        * Configurations/Base.xcconfig:
        * icu/unicode/localpointer.h: Removed.
        * icu/unicode/parseerr.h: Removed.
        * icu/unicode/platform.h: Removed.
        * icu/unicode/ptypes.h: Removed.
        * icu/unicode/putil.h: Removed.
        * icu/unicode/uchar.h: Removed.
        * icu/unicode/ucnv.h: Removed.
        * icu/unicode/ucnv_err.h: Removed.
        * icu/unicode/ucol.h: Removed.
        * icu/unicode/uconfig.h: Removed.
        * icu/unicode/ucurr.h: Removed.
        * icu/unicode/uenum.h: Removed.
        * icu/unicode/uiter.h: Removed.
        * icu/unicode/uloc.h: Removed.
        * icu/unicode/umachine.h: Removed.
        * icu/unicode/unorm.h: Removed.
        * icu/unicode/unorm2.h: Removed.
        * icu/unicode/urename.h: Removed.
        * icu/unicode/uscript.h: Removed.
        * icu/unicode/uset.h: Removed.
        * icu/unicode/ustring.h: Removed.
        * icu/unicode/utf.h: Removed.
        * icu/unicode/utf16.h: Removed.
        * icu/unicode/utf8.h: Removed.
        * icu/unicode/utf_old.h: Removed.
        * icu/unicode/utypes.h: Removed.
736         * icu/unicode/uvernum.h: Removed.
737         * icu/unicode/uversion.h: Removed.
738         * runtime/IntlCollator.cpp:
739         * runtime/IntlDateTimeFormat.cpp:
740         (JSC::IntlDateTimeFormat::partTypeString):
741         * runtime/JSGlobalObject.cpp:
742         * runtime/StringPrototype.cpp:
743         (JSC::normalize):
744         (JSC::stringProtoFuncNormalize):
745
746 2017-07-05  Devin Rousso  <drousso@apple.com>
747
748         Web Inspector: Allow users to log any tracked canvas context
749         https://bugs.webkit.org/show_bug.cgi?id=173397
750         <rdar://problem/33111581>
751
752         Reviewed by Joseph Pecoraro.
753
754         * inspector/protocol/Canvas.json:
755         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
756
757 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
758
759         Add WebKitPrivateFrameworkStubs for iOS 11
760         https://bugs.webkit.org/show_bug.cgi?id=173988
761
762         Reviewed by David Kilzer.
763
764         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
765         same directory for private framework stubs.
766
767 2017-07-05  JF Bastien  <jfbastien@apple.com>
768
769         WebAssembly: implement name section's module name, skip unknown sections
770         https://bugs.webkit.org/show_bug.cgi?id=172008
771
772         Reviewed by Keith Miller.
773
774         Parse the WebAssembly module name properly, and skip unknown
775         sections. This is useful because as toolchains support new types
776         of names we want to keep displaying the information we know about
777         and simply ignore new information. That capability was designed
778         into WebAssembly's name section.
779
780         Failure to commit this patch would mean that WebKit won't display
781         stack trace information, which would make developers sad.
782
783         Module names were added here: https://github.com/WebAssembly/design/pull/1055
784
785         Note that this patch doesn't do anything with the parsed name! Two
786         reasons for this: module names aren't supported in binaryen yet,
787         so I can't write a simple binary test; and using the name is a
788         slightly riskier change because it requires changing StackVisitor
789         + StackFrame (where they print "[wasm code]") which requires
790         figuring out the frame's Module. The latter bit isn't trivial
791         because we only know wasm frames from their tag bits, and
792         CodeBlocks are always nullptr.
793
794         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
795
796         I filed #174098 to use the module name.
797
798         * wasm/WasmFormat.h:
799         (JSC::Wasm::isValidNameType):
800         * wasm/WasmNameSectionParser.cpp:
801
802 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
803
804         Cleanup some StringBuilder use
805         https://bugs.webkit.org/show_bug.cgi?id=174118
806
807         Reviewed by Andreas Kling.
808
809         * runtime/FunctionConstructor.cpp:
810         (JSC::constructFunctionSkippingEvalEnabledCheck):
811         * tools/FunctionOverrides.cpp:
812         (JSC::parseClause):
813         * wasm/WasmOMGPlan.cpp:
814         * wasm/WasmPlan.cpp:
815         * wasm/WasmValidate.cpp:
816
817 2017-07-03  Saam Barati  <sbarati@apple.com>
818
819         LayoutTest workers/bomb.html is a Crash
820         https://bugs.webkit.org/show_bug.cgi?id=167757
821         <rdar://problem/33086462>
822
823         Reviewed by Keith Miller.
824
825         VMTraps::SignalSender was accessing VM fields even after
826         the VM was destroyed. This happened when the SignalSender
827         thread was in the middle of its work() function while VMTraps
828         was notified that the VM was shutting down. The VM would proceed
829         to run its destructor even after the SignalSender thread finished
830         doing its work. This means that the SignalSender thread was accessing
831         VM fields even after the VM was destructed (including itself, since it is
832         transitively owned by the VM). The VM must wait for the SignalSender
833         thread to shutdown before it can continue to destruct itself.
834
835         * runtime/VMTraps.cpp:
836         (JSC::VMTraps::willDestroyVM):
837
838 2017-07-03  Saam Barati  <sbarati@apple.com>
839
840         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
841         https://bugs.webkit.org/show_bug.cgi?id=174110
842
843         Reviewed by Michael Saboff.
844
845         * dfg/DFGByteCodeParser.cpp:
846         (JSC::DFG::ByteCodeParser::parseBlock):
847
848 2017-07-03  Saam Barati  <sbarati@apple.com>
849
850         Add a new assertion to object allocation sinking phase
851         https://bugs.webkit.org/show_bug.cgi?id=174107
852
853         Rubber stamped by Filip Pizlo.
854
855         * dfg/DFGObjectAllocationSinkingPhase.cpp:
856
857 2017-07-03  Commit Queue  <commit-queue@webkit.org>
858
859         Unreviewed, rolling out r219060.
860         https://bugs.webkit.org/show_bug.cgi?id=174108
861
862         crashing constantly when initializing UIWebView (Requested by
863         thorton on #webkit).
864
865         Reverted changeset:
866
867         "WTF::Thread should have the threads stack bounds."
868         https://bugs.webkit.org/show_bug.cgi?id=173975
869         http://trac.webkit.org/changeset/219060
870
871 2017-07-03  Matt Lewis  <jlewis3@apple.com>
872
873         Unreviewed, rolling out r219103.
874
875         Caused multiple build failures.
876
877         Reverted changeset:
878
879         "Remove copy of ICU headers from WebKit"
880         https://bugs.webkit.org/show_bug.cgi?id=116407
881         http://trac.webkit.org/changeset/219103
882
883 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
884
885         Remove copy of ICU headers from WebKit
886         https://bugs.webkit.org/show_bug.cgi?id=116407
887
888         Reviewed by Alex Christensen.
889
890         Use WTF's copy of ICU headers.
891
892         * Configurations/Base.xcconfig:
893         * icu/unicode/localpointer.h: Removed.
894         * icu/unicode/parseerr.h: Removed.
895         * icu/unicode/platform.h: Removed.
896         * icu/unicode/ptypes.h: Removed.
897         * icu/unicode/putil.h: Removed.
898         * icu/unicode/uchar.h: Removed.
899         * icu/unicode/ucnv.h: Removed.
900         * icu/unicode/ucnv_err.h: Removed.
901         * icu/unicode/ucol.h: Removed.
902         * icu/unicode/uconfig.h: Removed.
903         * icu/unicode/ucurr.h: Removed.
904         * icu/unicode/uenum.h: Removed.
905         * icu/unicode/uiter.h: Removed.
906         * icu/unicode/uloc.h: Removed.
907         * icu/unicode/umachine.h: Removed.
908         * icu/unicode/unorm.h: Removed.
909         * icu/unicode/unorm2.h: Removed.
910         * icu/unicode/urename.h: Removed.
911         * icu/unicode/uscript.h: Removed.
912         * icu/unicode/uset.h: Removed.
913         * icu/unicode/ustring.h: Removed.
914         * icu/unicode/utf.h: Removed.
915         * icu/unicode/utf16.h: Removed.
916         * icu/unicode/utf8.h: Removed.
917         * icu/unicode/utf_old.h: Removed.
918         * icu/unicode/utypes.h: Removed.
919         * icu/unicode/uvernum.h: Removed.
920         * icu/unicode/uversion.h: Removed.
921         * runtime/IntlCollator.cpp:
922         * runtime/IntlDateTimeFormat.cpp:
923         * runtime/JSGlobalObject.cpp:
924         * runtime/StringPrototype.cpp:
925
926 2017-07-03  Saam Barati  <sbarati@apple.com>
927
928         Add better crash logging for allocation sinking phase
929         https://bugs.webkit.org/show_bug.cgi?id=174102
930         <rdar://problem/33112092>
931
932         Rubber stamped by Filip Pizlo.
933
934         I'm trying to gather better information from crashlogs about why
935         we're crashing in the allocation sinking phase. I'm adding an allocation
936         sinking specific RELEASE_ASSERT as well as marking a few functions as
937         NEVER_INLINE to have the stack traces in the crash trace contain more
938         actionable information.
939
940         * dfg/DFGObjectAllocationSinkingPhase.cpp:
941
942 2017-07-03  Sam Weinig  <sam@webkit.org>
943
944         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
945         https://bugs.webkit.org/show_bug.cgi?id=174083
946
947         Reviewed by Alex Christensen.
948
949         * Configurations/FeatureDefines.xcconfig:
950         Add ENABLE_NAVIGATOR_STANDALONE.
951
952 2017-07-03  Andy Estes  <aestes@apple.com>
953
954         [Xcode] Add an experimental setting to build with ccache
955         https://bugs.webkit.org/show_bug.cgi?id=173875
956
957         Reviewed by Tim Horton.
958
959         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
960
961 2017-07-03  Devin Rousso  <drousso@apple.com>
962
963         Web Inspector: Support listing WebGL2 and WebGPU contexts
964         https://bugs.webkit.org/show_bug.cgi?id=173396
965
966         Reviewed by Joseph Pecoraro.
967
968         * inspector/protocol/Canvas.json:
969         * inspector/scripts/codegen/generator.py:
970         (Generator.stylized_name_for_enum_value):
971         Add cases for handling new Canvas.ContextType protocol enumerations:
972          - "webgl2" maps to `WebGL2`
973          - "webgpu" maps to `WebGPU`
974
975 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
976
977         WTF::Thread should have the threads stack bounds.
978         https://bugs.webkit.org/show_bug.cgi?id=173975
979
980         Reviewed by Mark Lam.
981
982         There is a site in JSC that tries to walk another thread's stack.
983         Currently, stack bounds are stored in WTFThreadData which is located
984         in TLS. Thus, only the thread itself can access its own WTFThreadData.
985         We work around this situation by holding StackBounds in MachineThread in JSC,
986         but StackBounds should be put in WTF::Thread instead.
987
988         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
989         information is tightly coupled with Thread. Thus putting it in WTF::Thread
990         is a natural choice.
991
992         * heap/MachineStackMarker.cpp:
993         (JSC::MachineThreads::MachineThread::MachineThread):
994         (JSC::MachineThreads::MachineThread::captureStack):
995         * heap/MachineStackMarker.h:
996         (JSC::MachineThreads::MachineThread::stackBase):
997         (JSC::MachineThreads::MachineThread::stackEnd):
998         * runtime/InitializeThreading.cpp:
999         (JSC::initializeThreading):
1000         * runtime/VM.cpp:
1001         (JSC::VM::VM):
1002         (JSC::VM::updateStackLimits):
1003         (JSC::VM::committedStackByteCount):
1004         * runtime/VM.h:
1005         (JSC::VM::isSafeToRecurse):
1006         * runtime/VMEntryScope.cpp:
1007         (JSC::VMEntryScope::VMEntryScope):
1008         * runtime/VMInlines.h:
1009         (JSC::VM::ensureStackCapacityFor):
1010         * runtime/VMTraps.cpp:
1011         * yarr/YarrPattern.cpp:
1012         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1013
1014 2017-07-01  Dan Bernstein  <mitz@apple.com>
1015
1016         [iOS] Remove code only needed when building for iOS 9.x
1017         https://bugs.webkit.org/show_bug.cgi?id=174068
1018
1019         Reviewed by Tim Horton.
1020
1021         * Configurations/FeatureDefines.xcconfig:
1022         * jit/ExecutableAllocator.cpp:
1023         * runtime/Options.cpp:
1024         (JSC::recomputeDependentOptions):
1025
1026 2017-07-01  Dan Bernstein  <mitz@apple.com>
1027
1028         [macOS] Remove code only needed when building for OS X Yosemite
1029         https://bugs.webkit.org/show_bug.cgi?id=174067
1030
1031         Reviewed by Tim Horton.
1032
1033         * API/WebKitAvailability.h:
1034         * Configurations/Base.xcconfig:
1035         * Configurations/DebugRelease.xcconfig:
1036         * Configurations/FeatureDefines.xcconfig:
1037         * Configurations/Version.xcconfig:
1038
1039 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1040
1041         Unreviewed, build fix for GCC
1042         https://bugs.webkit.org/show_bug.cgi?id=174034
1043
1044         * b3/testb3.cpp:
1045         (JSC::B3::testDoubleLiteralComparison):
1046
1047 2017-06-30  Keith Miller  <keith_miller@apple.com>
1048
1049         Force crashWithInfo to be out of line.
1050         https://bugs.webkit.org/show_bug.cgi?id=174028
1051
1052         Reviewed by Filip Pizlo.
1053
1054         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
1055
1056         * dfg/DFGGraph.cpp:
1057         (JSC::DFG::logDFGAssertionFailure):
1058         (JSC::DFG::Graph::logAssertionFailure):
1059         (JSC::DFG::crash): Deleted.
1060         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1061         * dfg/DFGGraph.h:
1062
1063 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1064
1065         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
1066         https://bugs.webkit.org/show_bug.cgi?id=174053
1067
1068         Reviewed by Geoffrey Garen.
1069
1070         We already have AbstractMacroAssembler::random() function. Use it instead.
1071
1072         * jit/JIT.cpp:
1073         (JSC::JIT::JIT):
1074         (JSC::JIT::compileWithoutLinking):
1075         * jit/JIT.h:
1076
1077 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1078
1079         [WTF] Drop SymbolRegistry::keyForSymbol
1080         https://bugs.webkit.org/show_bug.cgi?id=174052
1081
1082         Reviewed by Sam Weinig.
1083
1084         * runtime/SymbolConstructor.cpp:
1085         (JSC::symbolConstructorKeyFor):
1086
1087 2017-06-30  Saam Barati  <sbarati@apple.com>
1088
1089         B3ReduceStrength should reduce EqualOrUnordered over const float input
1090         https://bugs.webkit.org/show_bug.cgi?id=174039
1091
1092         Reviewed by Michael Saboff.
1093
1094         We perform this folding for ConstDoubleValue. It is simply
1095         an oversight that we didn't do it for ConstFloatValue.
1096
1097         * b3/B3ConstFloatValue.cpp:
1098         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
1099         * b3/B3ConstFloatValue.h:
1100         * b3/testb3.cpp:
1101         (JSC::B3::testFloatEqualOrUnorderedFolding):
1102         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
1103         (JSC::B3::testFloatEqualOrUnorderedDontFold):
1104         (JSC::B3::run):
1105
1106 2017-06-30  Matt Baker  <mattbaker@apple.com>
1107
1108         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
1109         https://bugs.webkit.org/show_bug.cgi?id=173840
1110         <rdar://problem/30840820>
1111
1112         Reviewed by Joseph Pecoraro.
1113
1114         When truncating an asynchronous stack trace, the parent chain is traversed
1115         until a locked node is found. The path from this node to the root is shared
1116         by more than one stack trace, and cannot be safely modified. Starting at
1117         the first locked node, the path is cloned and becomes a new stack trace tree.
1118
1119         However, the clone operation initialized each new AsyncStackTrace node with
1120         the original node's parent. This would increment the child count of the original
1121         node. When cloning nodes, new nodes should not have their parent set until the
1122         next node up the parent chain is cloned.
1123
1124         * inspector/AsyncStackTrace.cpp:
1125         (Inspector::AsyncStackTrace::truncate):
1126
1127 2017-06-30  Michael Saboff  <msaboff@apple.com>
1128
1129         RegExps anchored with .* with the \g flag can return wrong match start for strings with multiple matches
1130         https://bugs.webkit.org/show_bug.cgi?id=174044
1131
1132         Reviewed by Oliver Hunt.
1133
1134         The .* enclosure optimization didn't respect that we can start matching from a non-zero
1135         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
1136         then finding the extent of the match by going back to the beginning of the line and going
1137         forward to the end of the line.  The code that went back to the beginning of the line
1138         checked for an index of 0 instead of comparing the index to the start position.  This start
1139         position is passed as the initial index.
1140
1141         Added another temporary register to the YARR JIT to contain the start position for
1142         platforms that have spare registers.
1143
1144         * yarr/Yarr.h:
1145         * yarr/YarrInterpreter.cpp:
1146         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1147         (JSC::Yarr::Interpreter::Interpreter):
1148         * yarr/YarrJIT.cpp:
1149         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1150         (JSC::Yarr::YarrGenerator::compile):
1151         * yarr/YarrPattern.cpp:
1152         (JSC::Yarr::YarrPattern::YarrPattern):
1153         * yarr/YarrPattern.h:
1154         (JSC::Yarr::YarrPattern::reset):
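
        The following is an added example, not JSC's Yarr code: a small model of the
        .* enclosure fast path described above, with the backward walk bounded either
        by the start position (the fix) or by index 0 (the bug). The sample subject
        strings and the literal term are constructed for the example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Added example (not JSC's Yarr code): a model of the ".* enclosure" fast
// path for a pattern of the form /.*<term>.*/ without the m or s flags,
// so '.' never crosses a line terminator.

struct MatchRange {
    std::size_t start;
    std::size_t end; // one past the last matched character
    bool matched;
};

static bool isLineTerminator(char c) {
    return c == '\n' || c == '\r';
}

// Walk back from `from` toward the start of the line, never below `lowerBound`.
// The fixed code bounds the walk by the match start position; the buggy code
// only stopped at index 0.
static std::size_t walkBackToLineStart(const std::string& s, std::size_t from, std::size_t lowerBound) {
    std::size_t i = from;
    while (i > lowerBound && !isLineTerminator(s[i - 1]))
        --i;
    return i;
}

// Greedy trailing .*: extend forward to the end of the line (or of the subject).
static std::size_t walkForwardToLineEnd(const std::string& s, std::size_t from) {
    std::size_t i = from;
    while (i < s.size() && !isLineTerminator(s[i]))
        ++i;
    return i;
}

// Match /.*<term>.*/ against `subject` starting at `startIndex` (what the g
// flag's lastIndex supplies). respectStartIndex == false reproduces the bug.
static MatchRange matchDotStarEnclosure(const std::string& subject, const std::string& term,
                                        std::size_t startIndex, bool respectStartIndex) {
    MatchRange none { 0, 0, false };
    if (startIndex > subject.size() || term.empty())
        return none;
    // Step 1: find the literal term at or after the start position.
    std::size_t pos = subject.find(term, startIndex);
    if (pos == std::string::npos)
        return none;
    // Step 2: extend backward to the line start, bounded by startIndex (fixed) or 0 (buggy).
    std::size_t start = walkBackToLineStart(subject, pos, respectStartIndex ? startIndex : 0);
    // Step 3: extend forward to the line end.
    std::size_t end = walkForwardToLineEnd(subject, pos + term.size());
    return MatchRange { start, end, true };
}

// Drive the matcher the way a /g exec loop does: each search resumes at the
// previous match's end, so later matches start at a non-zero index.
static std::vector<MatchRange> matchAll(const std::string& subject, const std::string& term, bool respectStartIndex) {
    std::vector<MatchRange> out;
    std::size_t lastIndex = 0;
    while (lastIndex <= subject.size()) {
        MatchRange m = matchDotStarEnclosure(subject, term, lastIndex, respectStartIndex);
        if (!m.matched)
            break;
        out.push_back(m);
        lastIndex = m.end > m.start ? m.end : m.end + 1; // never loop on an empty match
    }
    return out;
}

// Constructed sample: resuming at index 2 (as lastIndex = 2 would), the correct
// match is "oo yfoo" (2..9); the buggy walk-back reports the match at 0..9.
static bool bugReproduces() {
    const std::string sample = "xfoo yfoo";
    MatchRange fixed = matchDotStarEnclosure(sample, "foo", 2, true);
    MatchRange buggy = matchDotStarEnclosure(sample, "foo", 2, false);
    return fixed.matched && buggy.matched
        && fixed.start == 2 && fixed.end == 9
        && buggy.start == 0 && buggy.end == 9;
}
```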
1155
1156 2017-06-30  Saam Barati  <sbarati@apple.com>
1157
1158         B3MoveConstants floatZero() returns the wrong ValueKey
1159         https://bugs.webkit.org/show_bug.cgi?id=174040
1160
1161         Reviewed by Filip Pizlo.
1162
1163         It had a typo where the ValueKey for floatZero() produces a Double
1164         instead of a Float.
1165
1166         * b3/B3MoveConstants.cpp:
1167
1168 2017-06-30  Saam Barati  <sbarati@apple.com>
1169
1170         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
1171         https://bugs.webkit.org/show_bug.cgi?id=174034
1172         <rdar://problem/30793007>
1173
1174         Reviewed by Filip Pizlo.
1175
1176         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
1177         reduce binary operations over double constants into the same binary
1178         operation over the double constants casted to floats. This is clearly
1179         incorrect as these two things will produce different values. For example:
1180         
1181         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
1182         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
1183         c = EqualOrUnordered(@a, @b) // produces 0
1184         
1185         into:
1186         
1187         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
1188         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
1189         c = EqualOrUnordered(@a, @b) // produces 1
1190         
1191         Which produces a different value for @c.
1192
1193         * b3/B3ReduceDoubleToFloat.cpp:
1194         * b3/testb3.cpp:
1195         (JSC::B3::doubleEq):
1196         (JSC::B3::doubleNeq):
1197         (JSC::B3::doubleGt):
1198         (JSC::B3::doubleGte):
1199         (JSC::B3::doubleLt):
1200         (JSC::B3::doubleLte):
1201         (JSC::B3::testDoubleLiteralComparison):
1202         (JSC::B3::run):
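
        The following is an added example, not JSC's B3 code: it reproduces the
        numeric case quoted above with the two bit patterns from the entry, contrasts
        the sound fold (compare as doubles) with the buggy one (narrow to float, then
        compare), and adds a round-trip precondition a narrowing pass could check before
        folding. EqualOrUnordered is modelled as "equal, or either side is NaN".

```cpp
#include <cfloat>
#include <cmath>
#include <cstdint>
#include <cstring>

// Added example (not JSC's B3 code): why folding EqualOrUnordered over double
// constants after narrowing them to float is unsound.

// The two constants from the ChangeLog entry: a negative denormal and +0.0.
static const uint64_t kNegativeDenormalBits = 0x8000000000000001ull;
static const uint64_t kPositiveZeroBits = 0x0000000000000000ull;

// Equivalent of bitwise_cast<double>(uint64_t): reinterpret the bit pattern.
static double doubleFromBits(uint64_t bits) {
    static_assert(sizeof(double) == sizeof(uint64_t), "width mismatch");
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// B3 EqualOrUnordered semantics: true if a == b or either operand is NaN.
template <typename T>
static bool equalOrUnordered(T a, T b) {
    return a == b || std::isnan(a) || std::isnan(b);
}

// Sound fold: compare the double constants as doubles.
static bool foldAsDouble(uint64_t aBits, uint64_t bBits) {
    return equalOrUnordered(doubleFromBits(aBits), doubleFromBits(bBits));
}

// The reduction the entry describes as buggy: narrow each constant to float
// first, then fold the comparison over the narrowed values. The denormal
// rounds to -0.0f, which compares equal to +0.0f.
static bool foldAfterNarrowing(uint64_t aBits, uint64_t bBits) {
    return equalOrUnordered(static_cast<float>(doubleFromBits(aBits)),
                            static_cast<float>(doubleFromBits(bBits)));
}

// True when the two folds disagree, i.e. narrowing changed program meaning.
static bool narrowingChangesResult(uint64_t aBits, uint64_t bBits) {
    return foldAsDouble(aBits, bBits) != foldAfterNarrowing(aBits, bBits);
}

// A double is exactly representable as float if it survives the round trip.
// NaN and infinities are preserved by the conversion; values beyond FLT_MAX
// are rejected without casting (that conversion is undefined in C++).
static bool roundTripsThroughFloat(double d) {
    if (std::isnan(d) || std::isinf(d))
        return true;
    if (std::fabs(d) > FLT_MAX)
        return false;
    return static_cast<double>(static_cast<float>(d)) == d;
}

// Precondition a narrowing pass could check: if both constants are exactly
// float-representable, comparing them as floats gives the same answer.
static bool canSafelyNarrow(uint64_t aBits, uint64_t bBits) {
    return roundTripsThroughFloat(doubleFromBits(aBits))
        && roundTripsThroughFloat(doubleFromBits(bBits));
}
```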
1203
1204 2017-06-29  Jer Noble  <jer.noble@apple.com>
1205
1206         Make Legacy EME API controlled by RuntimeEnabled setting.
1207         https://bugs.webkit.org/show_bug.cgi?id=173994
1208
1209         Reviewed by Sam Weinig.
1210
1211         * Configurations/FeatureDefines.xcconfig:
1212         * runtime/CommonIdentifiers.h:
1213
1214 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
1215
1216         Ran sort-Xcode-project-file.
1217
1218         * JavaScriptCore.xcodeproj/project.pbxproj:
1219
1220 2017-06-30  Matt Lewis  <jlewis3@apple.com>
1221
1222         Unreviewed, rolling out r218992.
1223
1224         The patch broke the iOS device builds.
1225
1226         Reverted changeset:
1227
1228         "DFG_ASSERT should allow stuffing registers before trapping."
1229         https://bugs.webkit.org/show_bug.cgi?id=174005
1230         http://trac.webkit.org/changeset/218992
1231
1232 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
1233
1234         RegExpCachedResult::setInput should reify left and right contexts
1235         https://bugs.webkit.org/show_bug.cgi?id=173818
1236
1237         Reviewed by Keith Miller.
1238         
1239         If you don't reify them in setInput, then when you later try to reify them, you'll end up
1240         using indices into an old input string to create a substring of a new input string. That
1241         never goes well.
1242
1243         * runtime/RegExpCachedResult.cpp:
1244         (JSC::RegExpCachedResult::setInput):
1245
1246 2017-06-30  Keith Miller  <keith_miller@apple.com>
1247
1248         DFG_ASSERT should allow stuffing registers before trapping.
1249         https://bugs.webkit.org/show_bug.cgi?id=174005
1250
1251         Reviewed by Mark Lam.
1252
1253         DFG_ASSERT currently prints error data to stderr before crashing,
1254         which is nice for local development. In the wild, however, we
1255         can't see this information in crash logs. This patch enables
1256         stuffing some of the most useful information from DFG_ASSERTS into
1257         up to five registers right before crashing. The values stuffed
1258         should not impact any logging during local development.
1259
1260         * assembler/AbortReason.h:
1261         * dfg/DFGAbstractInterpreterInlines.h:
1262         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1263         * dfg/DFGGraph.cpp:
1264         (JSC::DFG::logForCrash):
1265         (JSC::DFG::Graph::logAssertionFailure):
1266         (JSC::DFG::crash): Deleted.
1267         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1268         * dfg/DFGGraph.h:
1269
1270 2017-06-29  Saam Barati  <sbarati@apple.com>
1271
1272         Calculating postCapacity in unshiftCountSlowCase is wrong
1273         https://bugs.webkit.org/show_bug.cgi?id=173992
1274         <rdar://problem/32283199>
1275
1276         Reviewed by Keith Miller.
1277
1278         This patch fixes a bug inside unshiftCountSlowCase where we would use
1279         more memory than we allocated. The bug was when deciding how much extra
1280         space we have after the vector we've allocated. This area is called the
1281         postCapacity. The largest legal postCapacity value we could use is the
1282         space we allocated minus the space we need:
1283         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
1284         However, the code was calculating the postCapacity as:
1285         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
1286         
1287         where count is how many elements we're appending. Depending on the inputs,
1288         count could be larger than (newStorageCapacity - requiredVectorLength). This
1289         would cause us to use more memory than we actually allocated.
1290
1291         * runtime/JSArray.cpp:
1292         (JSC::JSArray::unshiftCountSlowCase):
1293
1294 2017-06-29  Commit Queue  <commit-queue@webkit.org>
1295
1296         Unreviewed, rolling out r218512.
1297         https://bugs.webkit.org/show_bug.cgi?id=173981
1298
1299         "It changes the behavior of the JS API's JSEvaluateScript
1300         which breaks TurboTax" (Requested by saamyjoon on #webkit).
1301
1302         Reverted changeset:
1303
1304         "test262: Completion values for control flow do not match the
1305         spec"
1306         https://bugs.webkit.org/show_bug.cgi?id=171265
1307         http://trac.webkit.org/changeset/218512
1308
1309 2017-06-29  JF Bastien  <jfbastien@apple.com>
1310
1311         WebAssembly: disable some APIs under CSP
1312         https://bugs.webkit.org/show_bug.cgi?id=173892
1313         <rdar://problem/32914613>
1314
1315         Reviewed by Daniel Bates.
1316
1317         We should disable parts of WebAssembly under Content Security
1318         Policy as discussed here:
1319
1320         https://github.com/WebAssembly/design/issues/1092
1321
1322         Exactly what should be disabled isn't super clear, so we may as
1323         well be conservative and disable many things if developers already
1324         opted into CSP. It's easy to loosen what we disable later.
1325
1326         This patch disables:
1327         - WebAssembly.Instance
1328         - WebAssembly.instantiate
1329         - WebAssembly.Memory
1330         - WebAssembly.Table
1331
1332         And leaves:
1333         - WebAssembly on the global object
1334         - WebAssembly.Module
1335         - WebAssembly.compile
1336         - WebAssembly.CompileError
1337         - WebAssembly.LinkError
1338
1339         Nothing because currently unimplemented:
1340         - WebAssembly.compileStreaming
1341         - WebAssembly.instantiateStreaming
1342
1343         That way it won't be possible to call WebAssembly-compiled code,
1344         or create memories (which use fancy 4GiB allocations
1345         sometimes). Table isn't really useful on its own, and eventually
1346         we may make them shareable so without more details it seems benign
1347         to disable them (and useless if we don't).
1348
1349         I haven't done anything with postMessage, so you can still
1350         postMessage a WebAssembly.Module cross-CSP, but you can't
1351         instantiate it so it's useless. Because of this I elected to leave
1352         WebAssembly.Module and friends available.
1353
1354         I haven't added any new directives. It's still unsafe-eval. We can
1355         add something else later, but it seems odd to add a WebAssembly as
1356         a new capability and tell developers "you should have been using
1357         this directive which we just implemented if you wanted to disable
1358         WebAssembly which didn't exist when you adopted CSP". So IMO we
1359         should keep unsafe-eval as it currently is, add WebAssembly to
1360         what it disables, and later consider having two new directives
1361         which do each individually or something.
1362
1363         In all cases I throw an EvalError *before* other WebAssembly
1364         errors would be produced.
1365
1366         Note that, as for eval, reporting doesn't work and is tracked by
1367         https://webkit.org/b/111869
1368
1369         * runtime/JSGlobalObject.cpp:
1370         (JSC::JSGlobalObject::JSGlobalObject):
1371         * runtime/JSGlobalObject.h:
1372         (JSC::JSGlobalObject::webAssemblyEnabled):
1373         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
1374         (JSC::JSGlobalObject::setWebAssemblyEnabled):
1375         * wasm/js/JSWebAssemblyInstance.cpp:
1376         (JSC::JSWebAssemblyInstance::create):
1377         * wasm/js/JSWebAssemblyMemory.cpp:
1378         (JSC::JSWebAssemblyMemory::create):
1379         * wasm/js/JSWebAssemblyMemory.h:
1380         * wasm/js/JSWebAssemblyTable.cpp:
1381         (JSC::JSWebAssemblyTable::create):
1382         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1383         (JSC::constructJSWebAssemblyMemory):
1384
1385 2017-06-28  Keith Miller  <keith_miller@apple.com>
1386
1387         VMTraps has some races
1388         https://bugs.webkit.org/show_bug.cgi?id=173941
1389
1390         Reviewed by Michael Saboff.
1391
1392         This patch refactors much of the VMTraps API.
1393
1394         On the message sending side:
1395
1396         1) No longer uses the Yarr JIT check to determine if we are in
1397         RegExp code. That was unsound because RegExp JIT code can be run
1398         on compilation threads.  Instead it looks at the current frame's
1399         code block slot and checks if it is valid, which is the same as
1400         what it did for JIT code previously.
1401
1402         2) Only have one signal sender thread. Previously, there could be
1403         many at once, which caused some data races. Additionally, the
1404         signal sender thread is an automatic thread so it will deallocate
1405         itself when not in use.
1406
1407         On the VMTraps breakpoint side:
1408
1409         1) We now have a true mapping of if we hit a breakpoint instead of
1410         a JIT assertion. So the exception handler won't eat JIT assertions
1411         anymore.
1412
1413         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
1414         them instead of every CodeBlock on the stack. This both prevents
1415         us from hitting stale VMTraps breakpoints and also doesn't OSR
1416         codeblocks that otherwise don't need to be jettisoned.
1417
1418         3) The old exception handler could theoretically fail for a couple
1419         of reasons then resume execution with a clobbered instruction
1420         set. This patch will kill the program if the exception handler
1421         would fail.
1422
1423         This patch also refactors some of the jsc.cpp functions to take the
1424         CommandLine options object instead of individual options. Also, there
1425         is a new command line option that makes exceptions due to watchdog
1426         timeouts an acceptable result.
1427
1428         * API/tests/testapi.c:
1429         (main):
1430         * bytecode/CodeBlock.cpp:
1431         (JSC::CodeBlock::installVMTrapBreakpoints):
1432         * dfg/DFGCommonData.cpp:
1433         (JSC::DFG::pcCodeBlockMap):
1434         (JSC::DFG::CommonData::invalidate):
1435         (JSC::DFG::CommonData::~CommonData):
1436         (JSC::DFG::CommonData::installVMTrapBreakpoints):
1437         (JSC::DFG::codeBlockForVMTrapPC):
1438         * dfg/DFGCommonData.h:
1439         * jsc.cpp:
1440         (functionDollarAgentStart):
1441         (checkUncaughtException):
1442         (checkException):
1443         (runWithOptions):
1444         (printUsageStatement):
1445         (CommandLine::parseArguments):
1446         (jscmain):
1447         (runWithScripts): Deleted.
1448         * runtime/JSLock.cpp:
1449         (JSC::JSLock::didAcquireLock):
1450         * runtime/VMTraps.cpp:
1451         (JSC::sanitizedTopCallFrame):
1452         (JSC::VMTraps::tryInstallTrapBreakpoints):
1453         (JSC::VMTraps::willDestroyVM):
1454         (JSC::VMTraps::fireTrap):
1455         (JSC::VMTraps::handleTraps):
1456         (JSC::VMTraps::VMTraps):
1457         (JSC::VMTraps::~VMTraps):
1458         (JSC::findActiveVMAndStackBounds): Deleted.
1459         (JSC::installSignalHandler): Deleted.
1460         (JSC::VMTraps::addSignalSender): Deleted.
1461         (JSC::VMTraps::removeSignalSender): Deleted.
1462         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
1463         (JSC::VMTraps::SignalSender::send): Deleted.
1464         * runtime/VMTraps.h:
1465         (JSC::VMTraps::~VMTraps): Deleted.
1466         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
1467
1468 2017-06-28  Devin Rousso  <drousso@apple.com>
1469
1470         Web Inspector: Instrument active pixel memory used by canvases
1471         https://bugs.webkit.org/show_bug.cgi?id=173087
1472         <rdar://problem/32719261>
1473
1474         Reviewed by Joseph Pecoraro.
1475
1476         * inspector/protocol/Canvas.json:
1477          - Add optional `memoryCost` attribute to the `Canvas` type.
1478          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
1479
1480 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
1481
1482         Web Inspector: Cleanup Protocol JSON files
1483         https://bugs.webkit.org/show_bug.cgi?id=173934
1484
1485         Reviewed by Matt Baker.
1486
1487         * inspector/protocol/ApplicationCache.json:
1488         * inspector/protocol/CSS.json:
1489         * inspector/protocol/Console.json:
1490         * inspector/protocol/DOM.json:
1491         * inspector/protocol/DOMDebugger.json:
1492         * inspector/protocol/Debugger.json:
1493         * inspector/protocol/LayerTree.json:
1494         * inspector/protocol/Network.json:
1495         * inspector/protocol/Page.json:
1496         * inspector/protocol/Runtime.json:
1497         Be more consistent about placement of `description` property.
1498
1499 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
1500
1501         Web Inspector: Remove unused Inspector domain events
1502         https://bugs.webkit.org/show_bug.cgi?id=173905
1503
1504         Reviewed by Matt Baker.
1505
1506         * inspector/protocol/Inspector.json:
1507
1508 2017-06-28  JF Bastien  <jfbastien@apple.com>
1509
1510         Ensure that computed new stack pointer values do not underflow.
1511         https://bugs.webkit.org/show_bug.cgi?id=173700
1512         <rdar://problem/32926032>
1513
1514         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
1515
1516         Patch by Mark Lam, with the following fix:
1517
1518         Re-apply this patch, it originally broke the ARM build because the llint code
1519         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
1520         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
1521         and operands to emit valid code (because the second operand can be SP).
1522
1523         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
1524            m_numCalleeLocals is sane.
1525
1526         2. Added underflow checks in LLInt code and VarargsFrame code.
1527
1528         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
1529            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
1530            Ensure that Options::softReservedZoneSize() exceeds Options::reservedZoneSize()
1531            by at least minimumReservedZoneSize.
1532
1533         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
1534            and only if the max size of the frame is greater than Options::reservedZoneSize().
1535
1536            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
1537            of memory at the bottom (end) of the stack.  This means that, at any time, the
1538            frame pointer must be at least Options::reservedZoneSize() bytes away from the
1539            end of the stack.  Hence, if the max frame size is less than
1540            Options::reservedZoneSize(), there's no way that frame pointer - max
1541            frame size can underflow, and we can elide the underflow check.
1542
1543            Note that we use Options::reservedZoneSize() instead of
1544            Options::softReservedZoneSize() to determine if we need an underflow check.
1545            This is because the softStackLimit that is used for stack checks can be set
1546            based on Options::reservedZoneSize() during error handling (e.g. when creating
1547            strings for instantiating the Error object).  Hence, the guaranteed minimum
1548            distance between the frame pointer and the end of the stack is
1549            Options::reservedZoneSize() and not Options::softReservedZoneSize().
1550
1551            Note also that we ensure that Options::reservedZoneSize() is at least
1552            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
1553            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
1554            instead of minimumReservedZoneSize gives us more chances to elide underflow
1555            checks.
1556
1557         * JavaScriptCore.xcodeproj/project.pbxproj:
1558         * bytecompiler/BytecodeGenerator.cpp:
1559         (JSC::BytecodeGenerator::generate):
1560         * dfg/DFGGraph.cpp:
1561         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
1562         * dfg/DFGJITCompiler.cpp:
1563         (JSC::DFG::emitStackOverflowCheck):
1564         (JSC::DFG::JITCompiler::compile):
1565         (JSC::DFG::JITCompiler::compileFunction):
1566         * ftl/FTLLowerDFGToB3.cpp:
1567         (JSC::FTL::DFG::LowerDFGToB3::lower):
1568         * jit/JIT.cpp:
1569         (JSC::JIT::compileWithoutLinking):
1570         * jit/SetupVarargsFrame.cpp:
1571         (JSC::emitSetupVarargsFrameFastCase):
1572         * llint/LLIntSlowPaths.cpp:
1573         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1574         * llint/LowLevelInterpreter.asm:
1575         * llint/LowLevelInterpreter32_64.asm:
1576         * llint/LowLevelInterpreter64.asm:
1577         * runtime/MinimumReservedZoneSize.h: Added.
1578         * runtime/Options.cpp:
1579         (JSC::recomputeDependentOptions):
1580         * runtime/VM.cpp:
1581         (JSC::VM::updateStackLimits):
1582         * wasm/WasmB3IRGenerator.cpp:
1583         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1584         * wasm/js/WebAssemblyFunction.cpp:
1585         (JSC::callWebAssemblyFunction):
1586
1587 2017-06-28  Chris Dumez  <cdumez@apple.com>
1588
1589         Unreviewed, rolling out r218869.
1590
1591         Broke the iOS build
1592
1593         Reverted changeset:
1594
1595         "Ensure that computed new stack pointer values do not
1596         underflow."
1597         https://bugs.webkit.org/show_bug.cgi?id=173700
1598         http://trac.webkit.org/changeset/218869
1599
1600 2017-06-28  Chris Dumez  <cdumez@apple.com>
1601
1602         Unreviewed, rolling out r218873.
1603
1604         Broke the iOS build
1605
1606         Reverted changeset:
1607
1608         "Gardening: CLoop build fix."
1609         https://bugs.webkit.org/show_bug.cgi?id=173700
1610         http://trac.webkit.org/changeset/218873
1611
1612 2017-06-28  Mark Lam  <mark.lam@apple.com>
1613
1614         Gardening: CLoop build fix.
1615         https://bugs.webkit.org/show_bug.cgi?id=173700
1616         <rdar://problem/32926032>
1617
1618         Not reviewed.
1619
1620         * llint/LLIntSlowPaths.cpp:
1621         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1622
1623 2017-06-28  Mark Lam  <mark.lam@apple.com>
1624
1625         Ensure that computed new stack pointer values do not underflow.
1626         https://bugs.webkit.org/show_bug.cgi?id=173700
1627         <rdar://problem/32926032>
1628
1629         Reviewed by Filip Pizlo and Saam Barati.
1630
1631         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
1632            m_numCalleeLocals is sane.
1633
1634         2. Added underflow checks in LLInt code and VarargsFrame code.
1635
1636         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
1637            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
1638            Ensure that Options::softReservedZoneSize() exceeds Options::reservedZoneSize()
1639            by at least minimumReservedZoneSize.
1640
1641         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
1642            and only if the max size of the frame is greater than Options::reservedZoneSize().
1643
1644            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
1645            of memory at the bottom (end) of the stack.  This means that, at any time, the
1646            frame pointer must be at least Options::reservedZoneSize() bytes away from the
1647            end of the stack.  Hence, if the max frame size is less than
1648            Options::reservedZoneSize(), there's no way that frame pointer - max
1649            frame size can underflow, and we can elide the underflow check.
1650
1651            Note that we use Options::reservedZoneSize() instead of
1652            Options::softReservedZoneSize() to determine if we need an underflow check.
1653            This is because the softStackLimit that is used for stack checks can be set
1654            based on Options::reservedZoneSize() during error handling (e.g. when creating
1655            strings for instantiating the Error object).  Hence, the guaranteed minimum
1656            distance between the frame pointer and the end of the stack is
1657            Options::reservedZoneSize() and not Options::softReservedZoneSize().
1658
1659            Note also that we ensure that Options::reservedZoneSize() is at least
1660            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
1661            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
1662            instead of minimumReservedZoneSize gives us more chances to elide underflow
1663            checks.
1664
1665         * JavaScriptCore.xcodeproj/project.pbxproj:
1666         * bytecompiler/BytecodeGenerator.cpp:
1667         (JSC::BytecodeGenerator::generate):
1668         * dfg/DFGGraph.cpp:
1669         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
1670         * dfg/DFGJITCompiler.cpp:
1671         (JSC::DFG::JITCompiler::compile):
1672         (JSC::DFG::JITCompiler::compileFunction):
1673         * ftl/FTLLowerDFGToB3.cpp:
1674         (JSC::FTL::DFG::LowerDFGToB3::lower):
1675         * jit/JIT.cpp:
1676         (JSC::JIT::compileWithoutLinking):
1677         * jit/SetupVarargsFrame.cpp:
1678         (JSC::emitSetupVarargsFrameFastCase):
1679         * llint/LLIntSlowPaths.cpp:
1680         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1681         * llint/LowLevelInterpreter.asm:
1682         * llint/LowLevelInterpreter32_64.asm:
1683         * llint/LowLevelInterpreter64.asm:
1684         * runtime/MinimumReservedZoneSize.h: Added.
1685         * runtime/Options.cpp:
1686         (JSC::recomputeDependentOptions):
1687         * runtime/VM.cpp:
1688         (JSC::VM::updateStackLimits):
1689         * wasm/WasmB3IRGenerator.cpp:
1690         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1691         * wasm/js/WebAssemblyFunction.cpp:
1692         (JSC::callWebAssemblyFunction):
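
The underflow reasoning in items 3 and 4 of this entry (and of the identical re-applied entry of 2017-06-28 by JF Bastien above), as an added model that is not JSC code: addresses are BigInt values masked to 64 bits so that the wrap an unsigned subtraction produces is visible, `stackCheck` keeps the underflow guard only when `needsUnderflowCheck` says the frame can be larger than the reserved zone, and `naiveStackCheck` shows what the bare subtraction does. The option names are the entry's; `fp`, `stackEnd` and the helper names are assumptions of the example, and the addresses used in it are constructed, not real.

```javascript
// Added example, not JSC code: a model of the stack-check reasoning in the
// "computed new stack pointer values do not underflow" entry. Addresses are
// unsigned 64-bit values modelled with BigInt so that wrap-around is visible.
const MASK64 = (1n << 64n) - 1n;
const MINIMUM_RESERVED_ZONE_SIZE = 16n * 1024n; // minimumReservedZoneSize: 16K

// Item 3 of the entry: clamp the options so that reservedZoneSize is at least
// the minimum and softReservedZoneSize exceeds it by at least the minimum.
function recomputeDependentOptions(options) {
  const reservedZoneSize = options.reservedZoneSize < MINIMUM_RESERVED_ZONE_SIZE
    ? MINIMUM_RESERVED_ZONE_SIZE
    : options.reservedZoneSize;
  const minimumSoft = reservedZoneSize + MINIMUM_RESERVED_ZONE_SIZE;
  const softReservedZoneSize = options.softReservedZoneSize < minimumSoft
    ? minimumSoft
    : options.softReservedZoneSize;
  return { reservedZoneSize, softReservedZoneSize };
}

// Item 4: by construction fp >= stackEnd + reservedZoneSize, so fp - maxFrameSize
// can only wrap when maxFrameSize is larger than reservedZoneSize.
function needsUnderflowCheck(maxFrameSize, reservedZoneSize) {
  return maxFrameSize > reservedZoneSize;
}

// Unsigned subtraction as the machine performs it.
function wrappingSub(a, b) {
  return (a - b) & MASK64;
}

// The stack check without an underflow guard: a wrapped result is a huge
// address, which is "above" the soft limit, so the comparison reports "ok".
function naiveStackCheck(fp, maxFrameSize, stackEnd, options) {
  const { softReservedZoneSize } = recomputeDependentOptions(options);
  const softStackLimit = stackEnd + softReservedZoneSize;
  const newSP = wrappingSub(fp, maxFrameSize);
  return newSP < softStackLimit ? "overflow" : "ok";
}

// The check with the guard elided exactly when the invariant makes it
// redundant. `fp` is the current frame pointer and `stackEnd` the lowest
// address of the stack (constructed values, assumptions of this model).
function stackCheck(fp, maxFrameSize, stackEnd, options) {
  const { reservedZoneSize, softReservedZoneSize } = recomputeDependentOptions(options);
  if (needsUnderflowCheck(maxFrameSize, reservedZoneSize) && maxFrameSize > fp)
    return "underflow";
  const softStackLimit = stackEnd + softReservedZoneSize;
  const newSP = wrappingSub(fp, maxFrameSize);
  return newSP < softStackLimit ? "overflow" : "ok";
}
```

With a 64K stack end and a frame pointer at 128K, a 4K frame passes without any guard, a 40K frame is a plain overflow, and a 256K frame is an underflow that `naiveStackCheck` misreports as "ok" because the wrapped stack pointer compares above the soft limit.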
1693
1694 2017-06-27  JF Bastien  <jfbastien@apple.com>
1695
1696         WebAssembly: running out of executable memory should throw OoM
1697         https://bugs.webkit.org/show_bug.cgi?id=171537
1698         <rdar://problem/32963338>
1699
1700         Reviewed by Saam Barati.
1701
1702         Both on first compile with BBQ as well as on tier-up with OMG,
1703         running out of X memory shouldn't cause the entire program to
1704         terminate. An exception will do when compiling initial code (since
1705         we don't have any other fallback at the moment), and refusal to
1706         tier up will do as well (it'll just be slower).
1707
1708         This is useful because programs which generate huge amounts of
1709         code simply look like crashes, which developers report to
1710         us. Getting a JavaScript exception instead is much clearer.
1711
1712         * jit/ExecutableAllocator.cpp:
1713         (JSC::ExecutableAllocator::allocate):
1714         * llint/LLIntSlowPaths.cpp:
1715         (JSC::LLInt::shouldJIT):
1716         * runtime/Options.h:
1717         * wasm/WasmBBQPlan.cpp:
1718         (JSC::Wasm::BBQPlan::prepare):
1719         (JSC::Wasm::BBQPlan::complete):
1720         * wasm/WasmBinding.cpp:
1721         (JSC::Wasm::wasmToJs):
1722         (JSC::Wasm::wasmToWasm):
1723         * wasm/WasmBinding.h:
1724         * wasm/WasmOMGPlan.cpp:
1725         (JSC::Wasm::OMGPlan::work):
1726         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1727         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1728         * wasm/js/JSWebAssemblyCodeBlock.h:
1729         * wasm/js/JSWebAssemblyInstance.cpp:
1730         (JSC::JSWebAssemblyInstance::finalizeCreation):
1731
1732 2017-06-27  Saam Barati  <sbarati@apple.com>
1733
1734         JITStubRoutine::passesFilter should use isJITPC
1735         https://bugs.webkit.org/show_bug.cgi?id=173906
1736
1737         Reviewed by JF Bastien.
1738
1739         This patch makes JITStubRoutine use the isJITPC abstraction defined
1740         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
1741         hardcoded platform size constant. This means it'd do the wrong thing
1742         if Options::jitMemoryReservationSize() was larger than the defined
1743         constant for that platform. This patch also removes a bunch of
1744         dead code in that file.
1745
1746         * jit/ExecutableAllocator.cpp:
1747         * jit/ExecutableAllocator.h:
1748         * jit/JITStubRoutine.h:
1749         (JSC::JITStubRoutine::passesFilter):
1750         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1751         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1752         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1753
1754 2017-06-27  Saam Barati  <sbarati@apple.com>
1755
1756         Fix some stale comments in Wasm code base
1757         https://bugs.webkit.org/show_bug.cgi?id=173814
1758
1759         Reviewed by Mark Lam.
1760
1761         * wasm/WasmBinding.cpp:
1762         (JSC::Wasm::wasmToJs):
1763         * wasm/WasmOMGPlan.cpp:
1764         (JSC::Wasm::runOMGPlanForIndex):
1765
1766 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
1767
1768         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
1769         https://bugs.webkit.org/show_bug.cgi?id=167962
1770
1771         Reviewed by Saam Barati.
1772
1773         The Object Rest/Spread Destructuring proposal is in stage 3[1] and this
1774         patch is a prototype implementation of it. A simple change over the
1775         parser was necessary to support the new '...' token on the Object Pattern
1776         destructuring rule. On the bytecode generator side, we changed the
1777         bytecode generated on ObjectPatternNode::bindValue to store in a
1778         set the identifiers of already destructured properties, following spec draft
1779         section[2], and then pass it as excludedNames to CopyDataProperties.
1780         The rest destructuring calls copyDataProperties to perform the
1781         copy of rest properties in rhs.
1782
1783         We also implemented CopyDataProperties as a private JS global operation
1784         in builtins/GlobalOperations.js following its specification in [3].
1785         It is implemented using a Set object to verify if a property is in
1786         excludedNames, to keep this algorithm at O(n + m) complexity, where n
1787         = number of source's own properties and m = excludedNames.length.
1788
1789         In this implementation we aren't using excludeList as a constant if the
1790         destructuring pattern contains a computed property, i.e. we can
1791         just determine the key to be excluded at runtime. If we can define all
1792         identifiers in the pattern at compile time, we then create a
1793         constant JSSet. This approach gives a good performance improvement,
1794         since we allocate the excludeSet just once, reducing GC pressure.
1795
1796         [1] - https://github.com/tc39/proposal-object-rest-spread
1797         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
1798         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
1799
1800         * builtins/BuiltinNames.h:
1801         * builtins/GlobalOperations.js:
1802         (globalPrivate.copyDataProperties):
1803         * bytecode/CodeBlock.cpp:
1804         (JSC::CodeBlock::finishCreation):
1805         * bytecompiler/NodesCodegen.cpp:
1806         (JSC::ObjectPatternNode::bindValue):
1807         * parser/ASTBuilder.h:
1808         (JSC::ASTBuilder::appendObjectPatternEntry):
1809         (JSC::ASTBuilder::appendObjectPatternRestEntry):
1810         (JSC::ASTBuilder::setContainsObjectRestElement):
1811         * parser/Nodes.h:
1812         (JSC::ObjectPatternNode::appendEntry):
1813         (JSC::ObjectPatternNode::setContainsRestElement):
1814         * parser/Parser.cpp:
1815         (JSC::Parser<LexerType>::parseDestructuringPattern):
1816         (JSC::Parser<LexerType>::parseProperty):
1817         * parser/SyntaxChecker.h:
1818         (JSC::SyntaxChecker::operatorStackPop):
1819         * runtime/JSGlobalObject.cpp:
1820         (JSC::JSGlobalObject::init):
1821         * runtime/JSGlobalObject.h:
1822         (JSC::JSGlobalObject::asyncFunctionStructure):
1823         (JSC::JSGlobalObject::setStructure): Deleted.
1824         * runtime/JSGlobalObjectFunctions.cpp:
1825         (JSC::privateToObject):
1826         * runtime/JSGlobalObjectFunctions.h:
1827         * runtime/ObjectConstructor.cpp:
1828         (JSC::ObjectConstructor::finishCreation):
1829         * runtime/SetPrototype.cpp:
1830         (JSC::SetPrototype::finishCreation):
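
CopyDataProperties with an excluded-name Set, and the two ways the rest element's excluded set is built (constant when every name is known at compile time, per evaluation when the pattern has a computed key), as an added example written for this entry: it is not the project's builtins/GlobalOperations.js, and `staticRest`, `computedRest` and `toPropertyKey` are names assumed by the example.

```javascript
// Added example, not JSC's builtins/GlobalOperations.js: CopyDataProperties as
// the proposal specifies it. `excludedNames` is held in a Set, so the work is
// O(n + m) for n own properties of `source` and m excluded names.
function copyDataProperties(target, source, excludedNames) {
  if (source === undefined || source === null)
    return target;
  const from = Object(source);
  const excluded = excludedNames instanceof Set ? excludedNames : new Set(excludedNames);
  // Reflect.ownKeys lists own string keys, then own symbol keys. The list is
  // walked by index, not for-of, so user code cannot observe or alter the walk.
  const keys = Reflect.ownKeys(from);
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (excluded.has(key))
      continue;
    // Only enumerable own properties are copied: inherited and
    // non-enumerable ones never reach the target.
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc !== undefined && desc.enumerable)
      target[key] = from[key];
  }
  return target;
}

// ToPropertyKey: a computed key stays a symbol or becomes a string.
function toPropertyKey(key) {
  return typeof key === "symbol" ? key : String(key);
}

// What `const { a, b, ...rest } = source` lowers to: the names bound before
// the rest element form the excluded set, built once because all of them are
// known at compile time.
const STATIC_EXCLUDED = new Set(["a", "b"]);
function staticRest(source) {
  return copyDataProperties({}, source, STATIC_EXCLUDED);
}

// `const { [key]: x, ...rest } = source`: the excluded key is only known at
// runtime, so the set is built on every evaluation.
function computedRest(source, key) {
  return copyDataProperties({}, source, new Set([toPropertyKey(key)]));
}
```

`staticRest` produces the same object as the engine's own `const { a, b, ...rest } = source`, which is what the test checks, and the inherited, non-enumerable and symbol-keyed cases show which properties the operation leaves out.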
1831
1832 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1833
1834         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
1835         https://bugs.webkit.org/show_bug.cgi?id=173888
1836
1837         Reviewed by Saam Barati.
1838
1839         After notifying Plan::Ready and releasing the Worklist lock, the VM can be destroyed.
1840         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
1841         This causes occasional SEGV / assertion failures in the workers/bomb test.
1842
1843         * dfg/DFGWorklist.cpp:
1844
1845 2017-06-27  Saam Barati  <sbarati@apple.com>
1846
1847         Remove an inaccurate comment inside DFGClobberize.h
1848         https://bugs.webkit.org/show_bug.cgi?id=163874
1849
1850         Reviewed by Filip Pizlo.
1851
1852         The comment said that Clobberize may or may not be sound if run prior to
1853         doing type inference. This is not correct, though. Clobberize *must* be sound
1854         prior to doing type inference since we use it inside the BytecodeParser, which
1855         is the very first thing the DFG does.
1856
1857         * dfg/DFGClobberize.h:
1858         (JSC::DFG::clobberize):
1859
1860 2017-06-27  Saam Barati  <sbarati@apple.com>
1861
1862         Function constructor needs to follow the spec and validate parameters and body independently
1863         https://bugs.webkit.org/show_bug.cgi?id=173303
1864         <rdar://problem/32732526>
1865
1866         Reviewed by Keith Miller.
1867
1868         The Function constructor must check the arguments and body strings
1869         independently for syntax errors. People rely on this specified behavior
1870         to verify that a particular string is a valid function body. We used
1871         to check these strings concatenated together, instead of
1872         independently. For example, this used to be valid: `Function("/*", "*/){")`.
1873         However, we should throw a syntax error here since "(/*)" is not a valid
1874         parameter list, and "*/){" is not a valid body.
1875         
1876         To implement the specified behavior, we check the syntax independently of
1877         both the body and the parameter list. To check that the parameter list has
1878         valid syntax, we check that it is valid if in a function with an empty body.
1879         To check that the body has valid syntax, we check it is valid in a function
1880         with an empty parameter list.
1881
1882         * runtime/FunctionConstructor.cpp:
1883         (JSC::constructFunctionSkippingEvalEnabledCheck):
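
The two validation strategies this entry contrasts, as an added example that is not the project's FunctionConstructor.cpp: `acceptsByConcatenation` parses the assembled source once, as the old code did, and `acceptsIndependently` first parses the parameter list inside a function with an empty body and the body inside a function with an empty parameter list. Both use `new Function(text)` only as a parse-without-execute step (the result is never called); the helper names are assumptions of the example.

```javascript
// Added example, not JSC's FunctionConstructor.cpp: the two ways of validating
// the arguments of Function(parameters, body). Each returns true when the pair
// is accepted and false when parsing raises a SyntaxError.

// `new Function(text)` parses `text` as a function body without running it;
// the result is never invoked, so this is a parse-only check of a piece of
// source text.
function parsesWithoutRunning(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError)
      return false;
    throw e;
  }
}

// The source-text shape the constructor assembles from its two arguments.
function assemble(parameters, body) {
  return "(function anonymous(" + parameters + "\n) {\n" + body + "\n})";
}

// The old behaviour: parse the concatenation once. Delimiters split across
// the two strings cancel out, so "/*" and "*/){" together read as "(){".
function acceptsByConcatenation(parameters, body) {
  return parsesWithoutRunning(assemble(parameters, body));
}

// The specified behaviour: the parameter list must parse with an empty body,
// the body must parse with an empty parameter list, and only then is the
// assembled function parsed (which can still fail, e.g. when a `let` in the
// body redeclares a parameter).
function acceptsIndependently(parameters, body) {
  return parsesWithoutRunning(assemble(parameters, ""))
      && parsesWithoutRunning(assemble("", body))
      && parsesWithoutRunning(assemble(parameters, body));
}
```

The entry's own pair `"/*"` and `"*/){"` is accepted by the concatenating check and rejected by the independent one; a well-formed pair is accepted by both, and the final combined parse still catches conflicts that neither piece shows on its own.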
1884
1885 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
1886
1887         Add missing includes to fix compilation error on FreeBSD
1888         https://bugs.webkit.org/show_bug.cgi?id=172919
1889
1890         Reviewed by Mark Lam.
1891
1892         * API/JSRemoteInspector.h:
1893         * API/tests/GlobalContextWithFinalizerTest.cpp:
1894         * API/tests/TypedArrayCTest.cpp:
1895
1896 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
1897
1898         Web Inspector: Crash generating object preview for ArrayIterator
1899         https://bugs.webkit.org/show_bug.cgi?id=173754
1900         <rdar://problem/32859012>
1901
1902         Reviewed by Saam Barati.
1903
1904         When Inspector generated an object preview for an ArrayIterator instance it made
1905         a "clone" of the original ArrayIterator instance by constructing a new object with
1906         the instance's structure. However, user code could have modified that instance's
1907         structure, such as adding / removing properties. The `return` property had special
1908         meaning, and our clone did not fill that slot. This approach is brittle in that
1909         we weren't satisfying the expectations of an object with a particular Structure,
1910         and the original goal of having Web Inspector peek values of built-in Iterators
1911         was to avoid observable behavior.
1912
1913         This tightens Web Inspector's Iterator preview to only peek values if the
1914         Iterators would actually be non-observable. It also builds an ArrayIterator
1915         clone like a regular object construction.
1916
1917         * inspector/JSInjectedScriptHost.cpp:
1918         (Inspector::cloneArrayIteratorObject):
1919         Build up the Object from scratch with a new ArrayIterator prototype.
1920
1921         (Inspector::JSInjectedScriptHost::iteratorEntries):
1922         Only clone and peek iterators if it would not be observable.
1923         Also update iteration to be more in line with IterationOperations, such as when
1924         we call iteratorClose.
1925
1926         * runtime/JSGlobalObject.cpp:
1927         (JSC::JSGlobalObject::JSGlobalObject):
1928         (JSC::JSGlobalObject::init):
1929         * runtime/JSGlobalObject.h:
1930         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
1931         * runtime/JSGlobalObjectInlines.h:
1932         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
1933         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
1934
1935         * runtime/JSMap.cpp:
1936         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1937         (JSC::JSMap::canCloneFastAndNonObservable):
1938         * runtime/JSMap.h:
1939         * runtime/JSSet.cpp:
1940         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1941         (JSC::JSSet::canCloneFastAndNonObservable):
1942         * runtime/JSSet.h:
1943         Promote isIteratorProtocolFastAndNonObservable to a method.
1944
1945         * runtime/JSObject.cpp:
1946         (JSC::canDoFastPutDirectIndex):
1947         * runtime/JSTypeInfo.h:
1948         (JSC::TypeInfo::isArgumentsType):
1949         Helper to detect if an Object is an Arguments type.
1950
1951 2017-06-26  Saam Barati  <sbarati@apple.com>
1952
1953         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
1954         https://bugs.webkit.org/show_bug.cgi?id=173740
1955
1956         Reviewed by Mark Lam.
1957
1958         The builtin was using for-of iteration to iterate over an internal
1959         list in its algorithm. For-of iteration is observable via user code
1960         in the global object, so this approach was wrong as it would break if
1961         a user changed the Array iteration protocol in some way.
1962
1963         * builtins/RegExpPrototype.js:
1964         (replace):
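
Why for-of over an internal list is observable, as an added example that is not the project's builtins/RegExpPrototype.js and that also illustrates the non-observability condition in the Web Inspector entry above: `replaceWithForOf` has the shape of the bug (the collected match list is walked with for-of), `replaceWithIndexLoop` is the unobservable form, and `isArrayIterationPristine` is a hypothetical stand-in for the engine-side watchpoint that decides whether peeking is safe. The replace algorithm here is a simplified model, and all helper names are assumptions of the example.

```javascript
// Added example, not JSC's builtins/RegExpPrototype.js: why a builtin must not
// walk its own internal lists with for-of. Names and the simplified replace
// algorithm are assumptions of this example.

const arrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
const originalArrayIterator = Array.prototype[Symbol.iterator];
const originalArrayIteratorNext = arrayIteratorPrototype.next;

// True while user code has not replaced the pieces for-of over an Array uses
// (a stand-in for the iterator-protocol watchpoint the engine keeps).
function isArrayIterationPristine() {
  return Array.prototype[Symbol.iterator] === originalArrayIterator
      && arrayIteratorPrototype.next === originalArrayIteratorNext;
}

// The internal list: every match of `re` in `str`, collected without for-of.
function collectMatches(str, re) {
  const flags = re.flags.includes("g") ? re.flags : re.flags + "g";
  const global = new RegExp(re.source, flags);
  const results = [];
  let m;
  while ((m = global.exec(str)) !== null) {
    results.push(m);
    if (m[0].length === 0)
      global.lastIndex++; // do not spin on an empty match
  }
  return results;
}

// Walks the internal list with for-of: whatever user code installed as
// Array.prototype[Symbol.iterator] decides which matches this builtin sees.
function replaceWithForOf(str, re, replacement) {
  let out = "";
  let pos = 0;
  for (const m of collectMatches(str, re)) {
    out += str.slice(pos, m.index) + replacement;
    pos = m.index + m[0].length;
  }
  return out + str.slice(pos);
}

// Walks the same list by index: no user-visible hook is involved.
function replaceWithIndexLoop(str, re, replacement) {
  const results = collectMatches(str, re);
  let out = "";
  let pos = 0;
  for (let i = 0; i < results.length; i++) {
    const m = results[i];
    out += str.slice(pos, m.index) + replacement;
    pos = m.index + m[0].length;
  }
  return out + str.slice(pos);
}

// Runs `fn` while Array iteration is patched the way page script could patch
// it (the iterator skips every other element), then restores the original.
function withTamperedArrayIteration(fn) {
  Array.prototype[Symbol.iterator] = function* () {
    for (let i = 0; i < this.length; i += 2)
      yield this[i];
  };
  try {
    return fn();
  } finally {
    Array.prototype[Symbol.iterator] = originalArrayIterator;
  }
}
```

With the default iterator both forms give the same result; once the iterator is patched, the for-of form silently drops matches while the index loop is unchanged, and `isArrayIterationPristine` is exactly the signal that tells the two situations apart.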
1965
1966 2017-06-26  Mark Lam  <mark.lam@apple.com>
1967
1968         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
1969         https://bugs.webkit.org/show_bug.cgi?id=173848
1970
1971         Reviewed by JF Bastien.
1972
1973         This functor only dumps the return VirtualPC.
1974
1975         * interpreter/Interpreter.cpp:
1976         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
1977         (JSC::Interpreter::dumpRegisters):
1978         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
1979         (JSC::DumpRegisterFunctor::operator()): Deleted.
1980
1981 2017-06-26  Saam Barati  <sbarati@apple.com>
1982
1983         Crash in JSC::Lexer<unsigned char>::setCode
1984         https://bugs.webkit.org/show_bug.cgi?id=172754
1985
1986         Reviewed by Mark Lam.
1987
1988         The lexer was asking one of its buffers to reserve initial space that
1989         was O(text size in bytes). For large sources, this would end up causing
1990         the vector to overflow and crash. This patch changes this code to be like
1991         the Lexer's other buffers and to only reserve a small starting buffer.
1992
1993         * parser/Lexer.cpp:
1994         (JSC::Lexer<T>::setCode):
1995
1996 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1997
1998         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
1999         https://bugs.webkit.org/show_bug.cgi?id=173825
2000
2001         Reviewed by Saam Barati.
2002
2003         * jsc.cpp:
2004         (startTimeoutThreadIfNeeded):
2005         (timeoutThreadMain): Deleted.
2006
2007 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2008
2009         Unreviewed, add missing header for CLoop
2010
2011         * runtime/SymbolTable.cpp:
2012
2013 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2014
2015         Unreviewed, add missing header includes
2016
2017         * parser/Lexer.h:
2018
2019 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
2020
2021         Remove excessive headers from JavaScriptCore
2022         https://bugs.webkit.org/show_bug.cgi?id=173812
2023
2024         Reviewed by Darin Adler.
2025
2026         * API/APIUtils.h:
2027         * assembler/LinkBuffer.cpp:
2028         * assembler/MacroAssemblerCodeRef.cpp:
2029         * b3/air/AirLiveness.h:
2030         * b3/air/AirLowerAfterRegAlloc.cpp:
2031         * bindings/ScriptValue.cpp:
2032         * bindings/ScriptValue.h:
2033         * bytecode/AccessCase.cpp:
2034         * bytecode/AccessCase.h:
2035         * bytecode/ArrayProfile.h:
2036         * bytecode/BytecodeDumper.h:
2037         * bytecode/BytecodeIntrinsicRegistry.cpp:
2038         * bytecode/BytecodeKills.h:
2039         * bytecode/BytecodeLivenessAnalysis.h:
2040         * bytecode/BytecodeUseDef.h:
2041         * bytecode/CallLinkStatus.h:
2042         * bytecode/CodeBlock.h:
2043         * bytecode/CodeOrigin.h:
2044         * bytecode/ComplexGetStatus.h:
2045         * bytecode/GetByIdStatus.h:
2046         * bytecode/GetByIdVariant.h:
2047         * bytecode/InlineCallFrame.h:
2048         * bytecode/InlineCallFrameSet.h:
2049         * bytecode/Instruction.h:
2050         * bytecode/InternalFunctionAllocationProfile.h:
2051         * bytecode/JumpTable.h:
2052         * bytecode/MethodOfGettingAValueProfile.h:
2053         * bytecode/ObjectPropertyConditionSet.h:
2054         * bytecode/Operands.h:
2055         * bytecode/PolymorphicAccess.h:
2056         * bytecode/PutByIdStatus.h:
2057         * bytecode/SpeculatedType.cpp:
2058         * bytecode/StructureSet.h:
2059         * bytecode/StructureStubInfo.h:
2060         * bytecode/UnlinkedCodeBlock.h:
2061         * bytecode/UnlinkedFunctionExecutable.h:
2062         * bytecode/ValueProfile.h:
2063         * bytecompiler/BytecodeGenerator.cpp:
2064         * bytecompiler/BytecodeGenerator.h:
2065         * bytecompiler/Label.h:
2066         * bytecompiler/StaticPropertyAnalysis.h:
2067         * debugger/DebuggerCallFrame.cpp:
2068         * dfg/DFGAbstractInterpreter.h:
2069         * dfg/DFGAdjacencyList.h:
2070         * dfg/DFGArgumentsUtilities.h:
2071         * dfg/DFGArrayMode.h:
2072         * dfg/DFGArrayifySlowPathGenerator.h:
2073         * dfg/DFGBackwardsPropagationPhase.h:
2074         * dfg/DFGBasicBlock.h:
2075         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2076         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2077         * dfg/DFGCapabilities.h:
2078         * dfg/DFGCommon.h:
2079         * dfg/DFGCommonData.h:
2080         * dfg/DFGDesiredIdentifiers.h:
2081         * dfg/DFGDesiredWatchpoints.h:
2082         * dfg/DFGDisassembler.cpp:
2083         * dfg/DFGDominators.h:
2084         * dfg/DFGDriver.cpp:
2085         * dfg/DFGDriver.h:
2086         * dfg/DFGEdgeDominates.h:
2087         * dfg/DFGFinalizer.h:
2088         * dfg/DFGGenerationInfo.h:
2089         * dfg/DFGJITCompiler.cpp:
2090         * dfg/DFGJITCompiler.h:
2091         * dfg/DFGJITFinalizer.h:
2092         * dfg/DFGLivenessAnalysisPhase.h:
2093         * dfg/DFGMinifiedNode.h:
2094         * dfg/DFGMultiGetByOffsetData.h:
2095         * dfg/DFGNaturalLoops.cpp:
2096         * dfg/DFGNaturalLoops.h:
2097         * dfg/DFGNode.h:
2098         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2099         * dfg/DFGOSRExit.h:
2100         * dfg/DFGOSRExitCompilationInfo.h:
2101         * dfg/DFGOSRExitCompiler.cpp:
2102         * dfg/DFGOSRExitCompiler.h:
2103         * dfg/DFGOSRExitJumpPlaceholder.h:
2104         * dfg/DFGOperations.cpp:
2105         * dfg/DFGOperations.h:
2106         * dfg/DFGPlan.h:
2107         * dfg/DFGPreciseLocalClobberize.h:
2108         * dfg/DFGPromotedHeapLocation.h:
2109         * dfg/DFGRegisteredStructure.h:
2110         * dfg/DFGRegisteredStructureSet.h:
2111         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2112         * dfg/DFGSlowPathGenerator.h:
2113         * dfg/DFGSnippetParams.h:
2114         * dfg/DFGSpeculativeJIT.h:
2115         * dfg/DFGToFTLDeferredCompilationCallback.h:
2116         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2117         * dfg/DFGValidate.h:
2118         * dfg/DFGValueSource.h:
2119         * dfg/DFGVariableEvent.h:
2120         * dfg/DFGVariableEventStream.h:
2121         * dfg/DFGWorklist.h:
2122         * domjit/DOMJITCallDOMGetterSnippet.h:
2123         * domjit/DOMJITEffect.h:
2124         * ftl/FTLLink.cpp:
2125         * ftl/FTLLowerDFGToB3.cpp:
2126         * ftl/FTLPatchpointExceptionHandle.h:
2127         * heap/AllocatorAttributes.h:
2128         * heap/CodeBlockSet.h:
2129         * heap/DeferGC.h:
2130         * heap/GCSegmentedArray.h:
2131         * heap/Heap.cpp:
2132         * heap/Heap.h:
2133         * heap/IncrementalSweeper.h:
2134         * heap/ListableHandler.h:
2135         * heap/MachineStackMarker.h:
2136         * heap/MarkedAllocator.h:
2137         * heap/MarkedBlock.cpp:
2138         * heap/MarkedBlock.h:
2139         * heap/MarkingConstraint.h:
2140         * heap/SlotVisitor.cpp:
2141         * heap/SlotVisitor.h:
2142         * inspector/ConsoleMessage.cpp:
2143         * inspector/ConsoleMessage.h:
2144         * inspector/InjectedScript.h:
2145         * inspector/InjectedScriptHost.h:
2146         * inspector/InjectedScriptManager.cpp:
2147         * inspector/JSGlobalObjectInspectorController.cpp:
2148         * inspector/JavaScriptCallFrame.h:
2149         * inspector/ScriptCallStack.h:
2150         * inspector/ScriptCallStackFactory.cpp:
2151         * inspector/ScriptDebugServer.h:
2152         * inspector/agents/InspectorConsoleAgent.h:
2153         * inspector/agents/InspectorDebuggerAgent.cpp:
2154         * inspector/agents/InspectorDebuggerAgent.h:
2155         * inspector/agents/InspectorHeapAgent.cpp:
2156         * inspector/agents/InspectorHeapAgent.h:
2157         * inspector/agents/InspectorRuntimeAgent.h:
2158         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2159         * inspector/agents/InspectorScriptProfilerAgent.h:
2160         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2161         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2162         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2163         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2164         * inspector/augmentable/AlternateDispatchableAgent.h:
2165         * interpreter/CLoopStack.h:
2166         * interpreter/CachedCall.h:
2167         * interpreter/CallFrame.h:
2168         * interpreter/Interpreter.cpp:
2169         * interpreter/Interpreter.h:
2170         * jit/AssemblyHelpers.cpp:
2171         * jit/AssemblyHelpers.h:
2172         * jit/CCallHelpers.h:
2173         * jit/CallFrameShuffler.h:
2174         * jit/ExecutableAllocator.h:
2175         * jit/GCAwareJITStubRoutine.h:
2176         * jit/HostCallReturnValue.h:
2177         * jit/ICStats.h:
2178         * jit/JIT.cpp:
2179         * jit/JIT.h:
2180         * jit/JITAddGenerator.h:
2181         * jit/JITCall32_64.cpp:
2182         * jit/JITCode.h:
2183         * jit/JITDisassembler.cpp:
2184         * jit/JITExceptions.cpp:
2185         * jit/JITMathIC.h:
2186         * jit/JITOpcodes.cpp:
2187         * jit/JITOperations.cpp:
2188         * jit/JITOperations.h:
2189         * jit/JITThunks.cpp:
2190         * jit/JITThunks.h:
2191         * jit/JSInterfaceJIT.h:
2192         * jit/PCToCodeOriginMap.h:
2193         * jit/PolymorphicCallStubRoutine.h:
2194         * jit/RegisterSet.h:
2195         * jit/Repatch.h:
2196         * jit/SetupVarargsFrame.h:
2197         * jit/Snippet.h:
2198         * jit/SnippetParams.h:
2199         * jit/ThunkGenerators.h:
2200         * jsc.cpp:
2201         * llint/LLIntCLoop.h:
2202         * llint/LLIntEntrypoint.h:
2203         * llint/LLIntExceptions.h:
2204         * llint/LLIntOfflineAsmConfig.h:
2205         * llint/LLIntSlowPaths.cpp:
2206         * parser/NodeConstructors.h:
2207         * parser/Nodes.cpp:
2208         * parser/Nodes.h:
2209         * parser/Parser.cpp:
2210         * parser/Parser.h:
2211         * parser/ParserTokens.h:
2212         * parser/SourceProviderCacheItem.h:
2213         * profiler/ProfilerBytecodeSequence.h:
2214         * profiler/ProfilerDatabase.cpp:
2215         * profiler/ProfilerDatabase.h:
2216         * profiler/ProfilerOrigin.h:
2217         * profiler/ProfilerOriginStack.h:
2218         * profiler/ProfilerProfiledBytecodes.h:
2219         * profiler/ProfilerUID.h:
2220         * runtime/AbstractModuleRecord.h:
2221         * runtime/ArrayConstructor.h:
2222         * runtime/ArrayConventions.h:
2223         * runtime/ArrayIteratorPrototype.h:
2224         * runtime/ArrayPrototype.h:
2225         * runtime/BasicBlockLocation.h:
2226         * runtime/Butterfly.h:
2227         * runtime/CallData.cpp:
2228         * runtime/CodeCache.h:
2229         * runtime/CommonSlowPaths.cpp:
2230         * runtime/CommonSlowPaths.h:
2231         * runtime/CommonSlowPathsExceptions.cpp:
2232         * runtime/Completion.cpp:
2233         * runtime/ControlFlowProfiler.h:
2234         * runtime/DateInstanceCache.h:
2235         * runtime/ErrorConstructor.h:
2236         * runtime/ErrorInstance.h:
2237         * runtime/ExceptionHelpers.cpp:
2238         * runtime/ExceptionHelpers.h:
2239         * runtime/ExecutableBase.h:
2240         * runtime/FunctionExecutable.h:
2241         * runtime/HasOwnPropertyCache.h:
2242         * runtime/Identifier.h:
2243         * runtime/InternalFunction.h:
2244         * runtime/IntlCollator.cpp:
2245         * runtime/IntlCollatorPrototype.h:
2246         * runtime/IntlDateTimeFormatPrototype.h:
2247         * runtime/IntlNumberFormat.cpp:
2248         * runtime/IntlNumberFormatPrototype.h:
2249         * runtime/IteratorOperations.cpp:
2250         * runtime/JSArray.h:
2251         * runtime/JSArrayBufferPrototype.h:
2252         * runtime/JSCJSValue.h:
2253         * runtime/JSCJSValueInlines.h:
2254         * runtime/JSCell.h:
2255         * runtime/JSFunction.cpp:
2256         * runtime/JSFunction.h:
2257         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2258         * runtime/JSGlobalObject.cpp:
2259         * runtime/JSGlobalObject.h:
2260         * runtime/JSGlobalObjectDebuggable.cpp:
2261         * runtime/JSGlobalObjectDebuggable.h:
2262         * runtime/JSGlobalObjectFunctions.cpp:
2263         * runtime/JSGlobalObjectFunctions.h:
2264         * runtime/JSJob.cpp:
2265         * runtime/JSLock.h:
2266         * runtime/JSModuleLoader.cpp:
2267         * runtime/JSModuleNamespaceObject.h:
2268         * runtime/JSModuleRecord.h:
2269         * runtime/JSObject.cpp:
2270         * runtime/JSObject.h:
2271         * runtime/JSRunLoopTimer.h:
2272         * runtime/JSTemplateRegistryKey.h:
2273         * runtime/JSTypedArrayPrototypes.cpp:
2274         * runtime/JSTypedArrayPrototypes.h:
2275         * runtime/JSTypedArrays.h:
2276         * runtime/LiteralParser.h:
2277         * runtime/MatchResult.h:
2278         * runtime/MemoryStatistics.h:
2279         * runtime/PrivateName.h:
2280         * runtime/PromiseDeferredTimer.h:
2281         * runtime/ProxyObject.h:
2282         * runtime/RegExp.h:
2283         * runtime/SamplingProfiler.cpp:
2284         * runtime/SmallStrings.h:
2285         * runtime/StringPrototype.cpp:
2286         * runtime/StringRecursionChecker.h:
2287         * runtime/Structure.h:
2288         * runtime/SymbolConstructor.h:
2289         * runtime/SymbolPrototype.cpp:
2290         * runtime/SymbolPrototype.h:
2291         * runtime/TypeProfiler.h:
2292         * runtime/TypeProfilerLog.h:
2293         * runtime/TypedArrayType.h:
2294         * runtime/VM.cpp:
2295         * runtime/VM.h:
2296         * runtime/VMEntryScope.h:
2297         * runtime/WeakMapData.h:
2298         * runtime/WriteBarrier.h:
2299         * tools/FunctionOverrides.cpp:
2300         * tools/FunctionOverrides.h:
2301         * wasm/WasmBinding.cpp:
2302         * wasm/js/JSWebAssemblyCodeBlock.h:
2303         * wasm/js/WebAssemblyPrototype.cpp:
2304         * yarr/Yarr.h:
2305         * yarr/YarrJIT.cpp:
2306         * yarr/YarrJIT.h:
2307         * yarr/YarrParser.h:
2308
2309 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2310
2311         [JSC] Clean up Object.entries implementation
2312         https://bugs.webkit.org/show_bug.cgi?id=173759
2313
2314         Reviewed by Sam Weinig.
2315
2316         This patch cleans up the Object.entries implementation.
2317         We drop unused private functions. And we merge the
2318         implementation into Object.entries.
2319
2320         It slightly speeds up Object.entries.
2321
2322                                      baseline                  patched
2323
2324             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
2325
2326
2327         * builtins/BuiltinNames.h:
2328         * builtins/ObjectConstructor.js:
2329         (entries):
2330         (globalPrivate.enumerableOwnProperties): Deleted.
2331         * runtime/JSGlobalObject.cpp:
2332         (JSC::JSGlobalObject::init):
2333         * runtime/ObjectConstructor.cpp:
2334         (JSC::ownEnumerablePropertyKeys): Deleted.
2335         * runtime/ObjectConstructor.h:
2336
2337 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
2338
2339         Remove Reflect.enumerate
2340         https://bugs.webkit.org/show_bug.cgi?id=173806
2341
2342         Reviewed by Yusuke Suzuki.
2343
2344         * CMakeLists.txt:
2345         * JavaScriptCore.xcodeproj/project.pbxproj:
2346         * inspector/JSInjectedScriptHost.cpp:
2347         (Inspector::JSInjectedScriptHost::subtype):
2348         (Inspector::JSInjectedScriptHost::getInternalProperties):
2349         (Inspector::JSInjectedScriptHost::iteratorEntries):
2350         * runtime/JSGlobalObject.cpp:
2351         (JSC::JSGlobalObject::init):
2352         (JSC::JSGlobalObject::visitChildren):
2353         * runtime/JSPropertyNameIterator.cpp: Removed.
2354         * runtime/JSPropertyNameIterator.h: Removed.
2355         * runtime/ReflectObject.cpp:
2356         (JSC::reflectObjectEnumerate): Deleted.
2357
2358 2017-06-23  Keith Miller  <keith_miller@apple.com>
2359
2360         Switch VMTraps to use halt instructions rather than breakpoint instructions
2361         https://bugs.webkit.org/show_bug.cgi?id=173677
2362         <rdar://problem/32178892>
2363
2364         Reviewed by JF Bastien.
2365
2366         Using the breakpoint instruction for VMTraps caused issues with lldb.
2367         Since we only need some way to stop execution we can, in theory, use
2368         any exceptioning instruction we want. I went with the halt instruction
2369         on X86 since that is the only one-byte instruction that does not
2370         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
2371         On ARM we use the data cache clearing instruction with the zero register,
2372         which triggers a segmentation fault.
2373
2374         Also, update the platform code to only use signaling VMTraps
2375         where we have an appropriate instruction (x86 and ARM64).
2376
2377         * API/tests/ExecutionTimeLimitTest.cpp:
2378         (testExecutionTimeLimit):
2379         * assembler/ARM64Assembler.h:
2380         (JSC::ARM64Assembler::replaceWithVMHalt):
2381         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
2382         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
2383         * assembler/ARMAssembler.h:
2384         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
2385         * assembler/ARMv7Assembler.h:
2386         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
2387         * assembler/MIPSAssembler.h:
2388         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
2389         * assembler/MacroAssemblerARM.h:
2390         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
2391         * assembler/MacroAssemblerARM64.h:
2392         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
2393         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
2394         * assembler/MacroAssemblerARMv7.h:
2395         (JSC::MacroAssemblerARMv7::storeFence):
2396         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
2397         * assembler/MacroAssemblerMIPS.h:
2398         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
2399         * assembler/MacroAssemblerX86Common.h:
2400         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
2401         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
2402         * assembler/X86Assembler.h:
2403         (JSC::X86Assembler::replaceWithHlt):
2404         (JSC::X86Assembler::replaceWithInt3): Deleted.
2405         * dfg/DFGJumpReplacement.cpp:
2406         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
2407         * runtime/VMTraps.cpp:
2408         (JSC::SignalContext::SignalContext):
2409         (JSC::installSignalHandler):
2410         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
2411         * wasm/WasmFaultSignalHandler.cpp:
2412         (JSC::Wasm::enableFastMemory):
2413
2414 2017-06-22  Saam Barati  <sbarati@apple.com>
2415
2416         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
2417         https://bugs.webkit.org/show_bug.cgi?id=173743
2418         <rdar://problem/32932536>
2419
2420         Reviewed by Mark Lam.
2421
2422         The code always manually speculates; however, we weren't specifying
2423         ManualOperandSpeculation when creating a JSValueOperand. This would
2424         fire an assertion in JSValueOperand construction for a node like:
2425         Identity(String:@otherNode)
2426         
2427         I spent about 45 minutes trying to craft a test and came up
2428         empty. However, this fixes a debug assertion on an internal
2429         Apple website.
2430
2431         * dfg/DFGSpeculativeJIT32_64.cpp:
2432         (JSC::DFG::SpeculativeJIT::compile):
2433         * dfg/DFGSpeculativeJIT64.cpp:
2434         (JSC::DFG::SpeculativeJIT::compile):
2435
2436 2017-06-22  Saam Barati  <sbarati@apple.com>
2437
2438         ValueRep(DoubleRep(@v)) can not simply convert to @v
2439         https://bugs.webkit.org/show_bug.cgi?id=173687
2440         <rdar://problem/32855563>
2441
2442         Reviewed by Mark Lam.
2443
2444         Consider this IR:
2445          block#x
2446           p: Phi() // int32 and double flows into this phi from various control flow
2447           d: DoubleRep(@p)
2448           some uses of @d here
2449           v: ValueRep(DoubleRepUse:@d)
2450           a: NewArrayWithSize(Int32:@v)
2451           some more nodes here ...
2452         
2453         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
2454         AI proves that the Int32 check will fail. Constant folding phase removes
2455         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
2456         
2457         The IR then looks like this:
2458         block#x
2459           p: Phi() // int32 and double flows into this phi from various control flow
2460           d: DoubleRep(@p)
2461           some uses of @d here
2462           v: ValueRep(DoubleRepUse:@d)
2463           a: NewArrayWithSize(Int32:@v)
2464           Unreachable
2465         
2466         However, there was a strength reduction rule that tries to eliminate redundant
2467         conversions. It used to convert the program to:
2468         block#x
2469           p: Phi() // int32 and double flows into this phi from various control flow
2470           d: DoubleRep(@p)
2471           some uses of @d here
2472           a: NewArrayWithSize(Int32:@p)
2473           Unreachable
2474         
2475         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
2476         and we'll crash. This patch removes this strength reduction rule since it
2477         does not maintain what would have happened if we executed the program before
2478         the rule.
2479         
2480         This rule is also wrong for other types of programs (I'm not sure we'd
2481         actually emit this code, but if such IR were generated, we would previously
2482         optimize it incorrectly):
2483         @a: Constant(JSTrue)
2484         @b: DoubleRep(@a)
2485         @c: ValueRep(@b)
2486         @d: use(@c)
2487         
2488         However, the strength reduction rule would've transformed this into:
2489         @a: Constant(JSTrue)
2490         @d: use(@a)
2491         
2492         And this would be wrong because node @c before the transformation would
2493         have produced the JSValue jsNumber(1.0).
2494         
2495         This patch was neutral in the benchmark run I did.
2496
2497         * dfg/DFGStrengthReductionPhase.cpp:
2498         (JSC::DFG::StrengthReductionPhase::handleNode):
2499
2500 2017-06-22  JF Bastien  <jfbastien@apple.com>
2501
2502         ARM64: doubled executable memory limit from 32MiB to 64MiB
2503         https://bugs.webkit.org/show_bug.cgi?id=173734
2504         <rdar://problem/32932407>
2505
2506         Reviewed by Oliver Hunt.
2507
2508         Some WebAssembly programs stress the amount of memory we have
2509         available, especially when we consider tiering (BBQ never dies,
2510         and is bigger than OMG). Tiering to OMG just piles on more memory,
2511         and we're also competing with JavaScript.
2512
2513         * jit/ExecutableAllocator.h:
2514
2515 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
2516
2517         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
2518         https://bugs.webkit.org/show_bug.cgi?id=173698
2519
2520         Reviewed by Matt Baker.
2521
2522         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
2523         when preparing Inspector pause information is spent generating object previews for
2524         the `thisObject` of each of the call frames. In some cases, this could be more
2525         than 95% of the time generating pause information. In the common case, only one of
2526         these (the top frame) will ever be seen by users. This change avoids eagerly
2527         generating object previews up front and lets the frontend request previews if they
2528         are needed.
2529
2530         This introduces the `Runtime.getPreview` protocol command. This can be used to:
2531
2532             - Get a preview for a RemoteObject that did not have a preview but could.
2533             - Update a preview for a RemoteObject that had a preview.
2534
2535         This patch only uses it for the first case, but the second is valid and may be
2536         something we want to do in the future.
2537
2538         * inspector/protocol/Runtime.json:
2539         A new command to get an up to date preview for an object.
2540
2541         * inspector/InjectedScript.h:
2542         * inspector/InjectedScript.cpp:
2543         (Inspector::InjectedScript::getPreview):
2544         * inspector/agents/InspectorRuntimeAgent.cpp:
2545         (Inspector::InspectorRuntimeAgent::getPreview):
2546         * inspector/agents/InspectorRuntimeAgent.h:
2547         Plumbing for the new command.
2548
2549         * inspector/InjectedScriptSource.js:
2550         (InjectedScript.prototype.getPreview):
2551         Implementation just uses the existing helper.
2552
2553         (InjectedScript.CallFrameProxy):
2554         Do not generate a preview for the this object as it may not be shown.
2555         Let the frontend request a preview if it wants or needs one.
2556
2557 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
2558
2559         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
2560         https://bugs.webkit.org/show_bug.cgi?id=173686
2561
2562         Reviewed by Mark Lam.
2563
2564         * inspector/InjectedScript.cpp:
2565         (Inspector::InjectedScript::functionDetails):
2566         * inspector/InjectedScriptSource.js:
2567         (InjectedScript.prototype.functionDetails):
2568         * inspector/JSInjectedScriptHost.cpp:
2569         (Inspector::JSInjectedScriptHost::functionDetails):
2570
2571 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2572
2573         [JSC] Object.values should be implemented in C++
2574         https://bugs.webkit.org/show_bug.cgi?id=173703
2575
2576         Reviewed by Sam Weinig.
2577
2578         As with Object.assign, Object.values() is also inherently polymorphic.
2579         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
2580         result is costly.
2581
2582         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
2583         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
2584         non-observable JSObject::get() calls.
2585
2586         This improves performance by 2.49x. And also now Object.values() beats
2587         Object.keys(object).map(key => object[key]) implementation.
2588
2589                                              baseline                  patched
2590
2591             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
2592             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
2593
2594         * builtins/ObjectConstructor.js:
2595         (values): Deleted.
2596         * runtime/ObjectConstructor.cpp:
2597         (JSC::objectConstructorValues):
2598
2599 2017-06-21  Saam Barati  <sbarati@apple.com>
2600
2601         ArrayPrototype.map builtin declares a var it does not use
2602         https://bugs.webkit.org/show_bug.cgi?id=173685
2603
2604         Reviewed by Keith Miller.
2605
2606         * builtins/ArrayPrototype.js:
2607         (map):
2608
2609 2017-06-21  Saam Barati  <sbarati@apple.com>
2610
2611         eval virtual call is incorrect in the baseline JIT
2612         https://bugs.webkit.org/show_bug.cgi?id=173587
2613         <rdar://problem/32867897>
2614
2615         Reviewed by Michael Saboff.
2616
2617         When making a virtual call for call_eval, e.g., when the thing
2618         we're calling isn't actually eval, we end up calling the caller
2619         instead of the callee. This is clearly wrong. The code ends up
2620         issuing a load for the Callee in the callers frame instead of
2621         the callee we're calling. The fix is simple, we just need to
2622         load the real callee. Only the 32-bit baseline JIT had this bug.
2623
2624         * jit/JITCall32_64.cpp:
2625         (JSC::JIT::compileCallEvalSlowCase):
2626
2627 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
2628
2629         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
2630         https://bugs.webkit.org/show_bug.cgi?id=172432
2631         <rdar://problem/29870873>
2632
2633         Reviewed by Saam Barati.
2634
2635         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
2636         We will proceed to improve debugging of these cases in the follow-up bugs.
2637
2638         * debugger/Debugger.cpp:
2639         (JSC::Debugger::exception):
2640         Ignore pausing on these errors.
2641
2642         * runtime/ErrorInstance.h:
2643         (JSC::ErrorInstance::setStackOverflowError):
2644         (JSC::ErrorInstance::isStackOverflowError):
2645         (JSC::ErrorInstance::setOutOfMemoryError):
2646         (JSC::ErrorInstance::isOutOfMemoryError):
2647         * runtime/ExceptionHelpers.cpp:
2648         (JSC::createStackOverflowError):
2649         * runtime/Error.cpp:
2650         (JSC::createOutOfMemoryError):
2651         Mark these kinds of errors.
2652
2653 2017-06-21  Saam Barati  <sbarati@apple.com>
2654
2655         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
2656         https://bugs.webkit.org/show_bug.cgi?id=173609
2657
2658         Reviewed by Keith Miller.
2659
2660         This patch makes many of the IC generating functions require a locker as
2661         a parameter. We do this in other places in JSC to indicate that
2662         a particular API is only valid while a particular lock is held.
2663         This is the case when generating ICs. This patch just makes it
2664         explicit in the IC generating interface.
2665
2666         * bytecode/PolymorphicAccess.cpp:
2667         (JSC::PolymorphicAccess::addCases):
2668         (JSC::PolymorphicAccess::addCase):
2669         (JSC::PolymorphicAccess::commit):
2670         (JSC::PolymorphicAccess::regenerate):
2671         * bytecode/PolymorphicAccess.h:
2672         * bytecode/StructureStubInfo.cpp:
2673         (JSC::StructureStubInfo::addAccessCase):
2674         (JSC::StructureStubInfo::initStub): Deleted.
2675         * bytecode/StructureStubInfo.h:
2676         * jit/Repatch.cpp:
2677         (JSC::tryCacheGetByID):
2678         (JSC::repatchGetByID):
2679         (JSC::tryCachePutByID):
2680         (JSC::repatchPutByID):
2681         (JSC::tryRepatchIn):
2682         (JSC::repatchIn):
2683
2684 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
2685
2686         Disable font variations on macOS Sierra and iOS 10
2687         https://bugs.webkit.org/show_bug.cgi?id=173618
2688         <rdar://problem/32879164>
2689
2690         Reviewed by Jon Lee.
2691
2692         * Configurations/FeatureDefines.xcconfig:
2693
2694 2017-06-20  Keith Miller  <keith_miller@apple.com>
2695
2696         Fix leak of ModuleInformations in BBQPlan constructors.
2697         https://bugs.webkit.org/show_bug.cgi?id=173577
2698
2699         Reviewed by Saam Barati.
2700
2701         This patch fixes a leak in the BBQPlan constructors. Previously,
2702         the plans were calling makeRef on the newly constructed objects.
2703         This patch fixes the issue and uses adoptRef instead. Additionally,
2704         an old, incorrect, attempt to fix the leak is removed.
2705
2706         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
2707         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2708         * jit/JITWorklist.cpp:
2709         (JSC::JITWorklist::Thread::Thread):
2710         * runtime/PromiseDeferredTimer.cpp:
2711         (JSC::PromiseDeferredTimer::addPendingPromise):
2712         * runtime/VM.cpp:
2713         (JSC::VM::VM):
2714         * wasm/WasmBBQPlan.cpp:
2715         (JSC::Wasm::BBQPlan::BBQPlan):
2716         * wasm/WasmPlan.cpp:
2717         (JSC::Wasm::Plan::Plan):
2718
2719 2017-06-20  Devin Rousso  <drousso@apple.com>
2720
2721         Web Inspector: Send context attributes for tracked canvases
2722         https://bugs.webkit.org/show_bug.cgi?id=173327
2723
2724         Reviewed by Joseph Pecoraro.
2725
2726         * inspector/protocol/Canvas.json:
2727         Add ContextAttributes object type that is optionally used for WebGL canvases.
2728
2729 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
2730
2731         Remove excessive include directives from WTF
2732         https://bugs.webkit.org/show_bug.cgi?id=173553
2733
2734         Reviewed by Saam Barati.
2735
2736         * profiler/ProfilerDatabase.cpp: Added missing include directive.
2737         * runtime/SamplingProfiler.cpp: Ditto.
2738
2739 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
2740
2741         Revert changes in bug#160417 about extending `null` not being a derived class
2742         https://bugs.webkit.org/show_bug.cgi?id=169293
2743
2744         Reviewed by Saam Barati.
2745
2746         Reverted changes in bug#160417 about extending `null` not being a derived class
2747         according to changes in the spec:
2748         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
2749
2750         * builtins/BuiltinNames.h:
2751         * bytecompiler/BytecodeGenerator.cpp:
2752         (JSC::BytecodeGenerator::BytecodeGenerator):
2753         (JSC::BytecodeGenerator::emitReturn):
2754         * bytecompiler/NodesCodegen.cpp:
2755         (JSC::ClassExprNode::emitBytecode):
2756
2757 2017-06-20  Saam Barati  <sbarati@apple.com>
2758
2759         repatchIn needs to lock the CodeBlock's lock
2760         https://bugs.webkit.org/show_bug.cgi?id=173573
2761
2762         Reviewed by Yusuke Suzuki.
2763
2764         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
2765         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
2766         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
2767         with the marking thread. repatchIn was not grabbing the lock. I haven't been
2768         able to get it to crash, but this is needed for the same reasons that get and put IC
2769         regeneration grab the lock.
2770
2771         * jit/Repatch.cpp:
2772         (JSC::repatchIn):
2773
2774 2017-06-19  Devin Rousso  <drousso@apple.com>
2775
2776         Web Inspector: create canvas content view and details sidebar panel
2777         https://bugs.webkit.org/show_bug.cgi?id=138941
2778         <rdar://problem/19051672>
2779
2780         Reviewed by Joseph Pecoraro.
2781
2782         * inspector/protocol/Canvas.json:
2783          - Add an optional `nodeId` attribute to the `Canvas` type.
2784          - Add `requestNode` command for getting the node id of the backing canvas element.
2785          - Add `requestContent` command for getting the current image content of the canvas.
2786
2787 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2788
2789         Unreviewed, build fix for ARM
2790
2791         * assembler/MacroAssemblerARM.h:
2792         (JSC::MacroAssemblerARM::internalCompare32):
2793
2794 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2795
2796         [DFG] More ArrayIndexOf fixups for various types
2797         https://bugs.webkit.org/show_bug.cgi?id=173176
2798
2799         Reviewed by Saam Barati.
2800
2801         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
2802
2803         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
2804         never contains the given search value.
2805
2806         2. We support Symbol and Other specialization additionally. Other is especially
2807         useful because null/undefined can be used as a sentinel value.
2808
2809         One interesting thing is that Array.prototype.indexOf does not consider holes as
2810         undefineds. Thus,
2811
2812             var array = [,,,,,,,];
2813             array.indexOf(undefined); // => -1
2814
2815         This can be trivially achieved in JSC because Empty and Undefined are different values.
2816
2817         * dfg/DFGFixupPhase.cpp:
2818         (JSC::DFG::FixupPhase::fixupNode):
2819         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
2820         * dfg/DFGSpeculativeJIT.cpp:
2821         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2822         (JSC::DFG::SpeculativeJIT::speculateOther):
2823         * dfg/DFGSpeculativeJIT.h:
2824         * ftl/FTLLowerDFGToB3.cpp:
2825         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2826
2827 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
2828
2829         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
2830         https://bugs.webkit.org/show_bug.cgi?id=172972
2831
2832         Reviewed by Mark Lam.
2833
2834         We are changing the internalCompare32 implementation in the ARM
2835         MacroAssembler to emit "cmp" when the "right.value" is 0.
2836         It is generating wrong comparison cases, since the
2837         semantics of cmn are the opposite of cmp [1]. One case that it's breaking is
2838         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
2839         resulting in the following assembly code:
2840
2841         ```
2842         cmn $r0, #0
2843         bhi <address>
2844         ```
2845
2846         However, as cmn is similar to "adds", it will never take the branch
2847         when $r0 > 0. In that case, the correct opcode is "cmp". With this
2848         patch we will fix the currently broken tests that use
2849         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
2850         such as ForwardVarargs, Spread and GetRestLength.
2851
2852         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
2853
2854         * assembler/MacroAssemblerARM.h:
2855         (JSC::MacroAssemblerARM::internalCompare32):
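The cmn/cmp flag behaviour this entry relies on, modelled as an added C++ example (not code from the WebKit patch; every function name here is hypothetical, and the NZCV computation follows the ARM architecture's rules for flag-setting add/subtract). It also goes one step beyond the entry by showing why cmn is the right choice for a negative immediate and only goes wrong when that immediate is 0.

```cpp
#include <cstdint>
#include <cstdio>

// ARM32 NZCV flags produced by a flag-setting ALU operation (adds/subs, cmn/cmp).
struct Flags {
    bool n, z, c, v;
};

static bool sameFlags(Flags a, Flags b)
{
    return a.n == b.n && a.z == b.z && a.c == b.c && a.v == b.v;
}

// Flags of the 32-bit addition a + b + carryIn, computed the way the ARM ALU does:
// C is the carry out of bit 31, V is signed overflow. The sum itself is discarded,
// which is exactly what cmn (and cmp, which adds the complement) do.
static Flags flagsOfAdd(uint32_t a, uint32_t b, uint32_t carryIn)
{
    uint64_t wide = (uint64_t)a + b + carryIn;
    uint32_t r = (uint32_t)wide;
    Flags f;
    f.n = (r >> 31) & 1;
    f.z = (r == 0);
    f.c = (wide >> 32) & 1;
    f.v = ((~(a ^ b) & (a ^ r)) >> 31) & 1;
    return f;
}

// cmn Rn, #imm : flags of Rn + imm.
static Flags cmn(uint32_t rn, uint32_t imm) { return flagsOfAdd(rn, imm, 0); }

// cmp Rn, #imm : flags of Rn - imm, which the ALU forms as Rn + NOT(imm) + 1,
// so C means "no borrow" (Rn >= imm, unsigned).
static Flags cmp(uint32_t rn, uint32_t imm) { return flagsOfAdd(rn, ~imm, 1); }

// The HI ("unsigned higher") condition tested by bhi: C set and Z clear.
static bool conditionHI(Flags f) { return f.c && !f.z; }

// branch32(MacroAssembler::Above, gpr, TrustedImm32(0)) lowered with the buggy
// "cmn gpr, #0 ; bhi" sequence described in the entry: Rn + 0 never carries,
// so the branch is never taken.
static bool branchAboveZeroWithCmn(uint32_t gpr) { return conditionHI(cmn(gpr, 0)); }

// The same branch lowered with "cmp gpr, #0 ; bhi", the sequence the patch emits:
// Rn - 0 never borrows (C=1), so the branch is taken exactly when gpr != 0.
static bool branchAboveZeroWithCmp(uint32_t gpr) { return conditionHI(cmp(gpr, 0)); }

// Why the assembler reaches for cmn at all: cmn Rn, #-imm sets the same flags as
// cmp Rn, #imm for every imm except 0 (and INT32_MIN, where only V differs).
// For imm == 0 the negation is still 0, the addition produces no carry, and the
// subtraction always does, so C (and therefore HI) disagree.
static bool cmnOfNegatedMatchesCmp(uint32_t rn, int32_t imm)
{
    uint32_t negated = 0u - (uint32_t)imm; // two's-complement negation without UB
    return sameFlags(cmn(rn, negated), cmp(rn, (uint32_t)imm));
}

int main()
{
    const uint32_t samples[] = { 0, 1, 7, 0x7fffffffu, 0x80000000u, 0xffffffffu };
    for (uint32_t gpr : samples) {
        printf("gpr=0x%08x  cmn/bhi taken=%d  cmp/bhi taken=%d  expected(gpr > 0)=%d\n",
               gpr, branchAboveZeroWithCmn(gpr), branchAboveZeroWithCmp(gpr), gpr > 0);
    }
    printf("cmn #3 vs cmp #-3 agree: %d, cmn #0 vs cmp #0 agree: %d\n",
           cmnOfNegatedMatchesCmp(5, -3), cmnOfNegatedMatchesCmp(7, 0));
    return 0;
}
```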
2856
2857 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
2858
2859         test262: Completion values for control flow do not match the spec
2860         https://bugs.webkit.org/show_bug.cgi?id=171265
2861
2862         Reviewed by Saam Barati.
2863
2864         * bytecompiler/BytecodeGenerator.h:
2865         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
2866         When we care about having proper completion values (global code
2867         in programs, modules, and eval) insert undefined results for
2868         control flow statements.
2869
2870         * bytecompiler/NodesCodegen.cpp:
2871         (JSC::SourceElements::emitBytecode):
2872         Reduce writing a default `undefined` value to the completion result to
2873         only once before the last statement we know will produce a value.
2874
2875         (JSC::IfElseNode::emitBytecode):
2876         (JSC::WithNode::emitBytecode):
2877         (JSC::WhileNode::emitBytecode):
2878         (JSC::ForNode::emitBytecode):
2879         (JSC::ForInNode::emitBytecode):
2880         (JSC::ForOfNode::emitBytecode):
2881         (JSC::SwitchNode::emitBytecode):
2882         Insert an undefined to handle cases where code may break out of an
2883         if/else or with statement (break/continue).
2884
2885         (JSC::TryNode::emitBytecode):
2886         Same handling for break cases. Also, finally block statement completion
2887         values are always ignored for the try statement result.
2888
2889         (JSC::ClassDeclNode::emitBytecode):
2890         Class declarations, like function declarations, produce an empty result.
2891
2892         * parser/Nodes.cpp:
2893         (JSC::SourceElements::lastStatement):
2894         (JSC::SourceElements::hasCompletionValue):
2895         (JSC::SourceElements::hasEarlyBreakOrContinue):
2896         (JSC::BlockNode::lastStatement):
2897         (JSC::BlockNode::singleStatement):
2898         (JSC::BlockNode::hasCompletionValue):
2899         (JSC::BlockNode::hasEarlyBreakOrContinue):
2900         (JSC::ScopeNode::singleStatement):
2901         (JSC::ScopeNode::hasCompletionValue):
2902         (JSC::ScopeNode::hasEarlyBreakOrContinue):
2903         The only non-trivial cases need to loop through their list of statements
2904         to determine if this has a completion value or not. Likewise for
2905         determining if there is an early break / continue, meaning a break or
2906         continue statement with no preceding statement that has a completion value.
2907
2908         * parser/Nodes.h:
2909         (JSC::StatementNode::next):
2910         (JSC::StatementNode::hasCompletionValue):
2911         Helper to check if a statement node produces a completion value or not.
2912
2913 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
2914
2915         Missing <functional> includes make builds fail with GCC 7.x
2916         https://bugs.webkit.org/show_bug.cgi?id=173544
2917
2918         Unreviewed gardening.
2919
2920         Fix compilation with GCC 7.
2921
2922         * API/tests/CompareAndSwapTest.cpp:
2923         * runtime/VMEntryScope.h:
2924
2925 2017-06-17  Keith Miller  <keith_miller@apple.com>
2926
2927         ArrayBuffer constructor needs to create subclass structures before its buffer
2928         https://bugs.webkit.org/show_bug.cgi?id=173510
2929
2930         Reviewed by Yusuke Suzuki.
2931
2932         * runtime/JSArrayBufferConstructor.cpp:
2933         (JSC::constructArrayBuffer):
2934
2935 2017-06-17  Keith Miller  <keith_miller@apple.com>
2936
2937         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
2938         https://bugs.webkit.org/show_bug.cgi?id=173506
2939
2940         Reviewed by Ryosuke Niwa.
2941
2942         This patch changes the result of unshift if old length +
2943         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
2944         the getLength function, which was always incorrect to use, has
2945         been removed. Additionally, some cases where we were using a
2946         constant for (2 ** 53) - 1 have been replaced with
2947         maxSafeInteger().
2948
2949         * interpreter/Interpreter.cpp:
2950         (JSC::sizeOfVarargs):
2951         * runtime/ArrayPrototype.cpp:
2952         (JSC::arrayProtoFuncToLocaleString):
2953         (JSC::arrayProtoFuncPop):
2954         (JSC::arrayProtoFuncPush):
2955         (JSC::arrayProtoFuncReverse):
2956         (JSC::arrayProtoFuncShift):
2957         (JSC::arrayProtoFuncSlice):
2958         (JSC::arrayProtoFuncSplice):
2959         (JSC::arrayProtoFuncUnShift):
2960         (JSC::arrayProtoFuncIndexOf):
2961         (JSC::arrayProtoFuncLastIndexOf):
2962         * runtime/JSArrayInlines.h:
2963         (JSC::getLength): Deleted.
2964         * runtime/JSCJSValue.cpp:
2965         (JSC::JSValue::toLength):
2966         * runtime/NumberConstructor.cpp:
2967         (JSC::numberConstructorFuncIsSafeInteger):
2968
2969 2017-06-16  Matt Baker  <mattbaker@apple.com>
2970
2971         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
2972         https://bugs.webkit.org/show_bug.cgi?id=172623
2973         <rdar://problem/32415986>
2974
2975         Reviewed by Devin Rousso and Joseph Pecoraro.
2976
2977         This patch adds a basic Canvas protocol. It includes Canvas and related
2978         types and events for monitoring the lifetime of canvases in the page.
2979
2980         * CMakeLists.txt:
2981         * DerivedSources.make:
2982         * inspector/protocol/Canvas.json: Added.
2983
2984         * inspector/scripts/codegen/generator.py:
2985         (Generator.stylized_name_for_enum_value):
2986         Add special handling for Canvas.ContextType protocol enumeration,
2987         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
2988
2989 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
2990
2991         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
2992         https://bugs.webkit.org/show_bug.cgi?id=173366
2993         <rdar://problem/32767014>
2994
2995         Reviewed by Tim Horton.
2996
2997         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
2998
2999         * Configurations/FeatureDefines.xcconfig:
3000
3001 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3002
3003         [JSC] Add fast path for Object.assign
3004         https://bugs.webkit.org/show_bug.cgi?id=173416
3005
3006         Reviewed by Mark Lam.
3007
3008         In the Object.assign implementation, we need to ensure that the given key is still an enumerable own key.
3009         This seems to be a duplicate lookup, and we want to avoid it. However, we still need to perform this
3010         check in the face of Proxy. Proxy can observe that this check is done correctly.
3011
3012         In almost all the cases, the above check duplicates the subsequent [[Get]] operation.
3013         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
3014         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
3015         value by calling `slot.getValue()`.
3016
3017         This further improves performance of Object.assign.
3018
3019                                         baseline                  patched
3020
3021             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
3022
3023         * runtime/ObjectConstructor.cpp:
3024         (JSC::objectConstructorAssign):
3025
3026 2017-06-16  Michael Saboff  <msaboff@apple.com>
3027
3028         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
3029         https://bugs.webkit.org/show_bug.cgi?id=173488
3030
3031         Reviewed by Filip Pizlo.
3032
3033         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
3034         code to initialize its butterfly.  This means that these lazily set properties can have
3035         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
3036         to create the butterfly as it clears out-of-line properties.
3037
3038         * runtime/ClonedArguments.cpp:
3039         (JSC::ClonedArguments::createEmpty):
3040
3041 2017-06-16  Mark Lam  <mark.lam@apple.com>
3042
3043         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
3044         https://bugs.webkit.org/show_bug.cgi?id=173491
3045
3046         Reviewed by Keith Miller.
3047
3048         The implementations are based on static data. There's no need to get the
3049         interpreter instance. Hence, we can make these methods static and avoid doing
3050         unnecessary work to compute the interpreter this pointer.
3051
3052         Also removed the unused isCallBytecode method.
3053
3054         * bytecode/BytecodeBasicBlock.cpp:
3055         (JSC::BytecodeBasicBlock::computeImpl):
3056         * bytecode/BytecodeDumper.cpp:
3057         (JSC::BytecodeDumper<Block>::printGetByIdOp):
3058         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
3059         (JSC::BytecodeDumper<Block>::dumpBytecode):
3060         (JSC::BytecodeDumper<Block>::dumpBlock):
3061         * bytecode/BytecodeLivenessAnalysis.cpp:
3062         (JSC::BytecodeLivenessAnalysis::dumpResults):
3063         * bytecode/BytecodeLivenessAnalysisInlines.h:
3064         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
3065         * bytecode/BytecodeRewriter.cpp:
3066         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3067         * bytecode/CallLinkStatus.cpp:
3068         (JSC::CallLinkStatus::computeFromLLInt):
3069         * bytecode/CodeBlock.cpp:
3070         (JSC::CodeBlock::finishCreation):
3071         (JSC::CodeBlock::propagateTransitions):
3072         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3073         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
3074         (JSC::CodeBlock::usesOpcode):
3075         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3076         (JSC::CodeBlock::arithProfileForPC):
3077         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3078         * bytecode/PreciseJumpTargets.cpp:
3079         (JSC::getJumpTargetsForBytecodeOffset):
3080         (JSC::computePreciseJumpTargetsInternal):
3081         (JSC::findJumpTargetsForBytecodeOffset):
3082         * bytecode/PreciseJumpTargetsInlines.h:
3083         (JSC::extractStoredJumpTargetsForBytecodeOffset):
3084         * bytecode/UnlinkedCodeBlock.cpp:
3085         (JSC::UnlinkedCodeBlock::applyModification):
3086         * dfg/DFGByteCodeParser.cpp:
3087         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3088         (JSC::DFG::ByteCodeParser::parseBlock):
3089         * dfg/DFGCapabilities.cpp:
3090         (JSC::DFG::capabilityLevel):
3091         * interpreter/Interpreter.cpp:
3092         (JSC::Interpreter::Interpreter):
3093         (JSC::Interpreter::isOpcode):
3094         (): Deleted.
3095         * interpreter/Interpreter.h:
3096         (JSC::Interpreter::getOpcode): Deleted.
3097         (JSC::Interpreter::getOpcodeID): Deleted.
3098         (JSC::Interpreter::isCallBytecode): Deleted.
3099         * interpreter/InterpreterInlines.h:
3100         (JSC::Interpreter::getOpcode):
3101         (JSC::Interpreter::getOpcodeID):
3102         * jit/JIT.cpp:
3103         (JSC::JIT::privateCompileMainPass):
3104         (JSC::JIT::privateCompileSlowCases):
3105         * jit/JITOpcodes.cpp:
3106         (JSC::JIT::emitNewFuncCommon):
3107         (JSC::JIT::emitNewFuncExprCommon):
3108         * jit/JITPropertyAccess.cpp:
3109         (JSC::JIT::emitSlow_op_put_by_val):
3110         (JSC::JIT::privateCompilePutByVal):
3111         * jit/JITPropertyAccess32_64.cpp:
3112         (JSC::JIT::emitSlow_op_put_by_val):
3113         * llint/LLIntSlowPaths.cpp:
3114         (JSC::LLInt::llint_trace_operand):
3115         (JSC::LLInt::llint_trace_value):
3116         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3117         * profiler/ProfilerBytecodeSequence.cpp:
3118         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3119
3120 2017-06-16  Matt Lewis  <jlewis3@apple.com>
3121
3122         Unreviewed, rolling out r218376.
3123
3124         The patch causes multiple Layout Test crashes.
3125
3126         Reverted changeset:
3127
3128         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
3129         backend"
3130         https://bugs.webkit.org/show_bug.cgi?id=172623
3131         http://trac.webkit.org/changeset/218376
3132
3133 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
3134
3135         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
3136         https://bugs.webkit.org/show_bug.cgi?id=173470
3137
3138         Reviewed by Joseph Pecoraro.
3139
3140         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
3141         const char* overload of StringBuilder::append() that assumes Latin1
3142         encoding, not UTF8.
3143
3144         * runtime/ConsoleClient.cpp:
3145         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3146
3147 2017-06-15  Mark Lam  <mark.lam@apple.com>
3148
3149         Add a JSRunLoopTimer registry in VM.
3150         https://bugs.webkit.org/show_bug.cgi?id=173429
3151         <rdar://problem/31287961>
3152
3153         Reviewed by Filip Pizlo.
3154
3155         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
3156         need to change their run loop (e.g. when setting to the WebThread's run loop).
3157
3158         * heap/Heap.cpp:
3159         (JSC::Heap::Heap):
3160         (JSC::Heap::setRunLoop): Deleted.
3161         * heap/Heap.h:
3162         (JSC::Heap::runLoop): Deleted.
3163         * runtime/JSRunLoopTimer.cpp:
3164         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3165         (JSC::JSRunLoopTimer::setRunLoop):
3166         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
3167         * runtime/VM.cpp:
3168         (JSC::VM::VM):
3169         (JSC::VM::registerRunLoopTimer):
3170         (JSC::VM::unregisterRunLoopTimer):
3171         (JSC::VM::setRunLoop):
3172         * runtime/VM.h:
3173         (JSC::VM::runLoop):
3174
3175 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
3176
3177         [Cocoa] Modernize some internal initializers to use instancetype instead of id
3178         https://bugs.webkit.org/show_bug.cgi?id=173112
3179
3180         Reviewed by Wenson Hsieh.
3181
3182         * API/JSContextInternal.h:
3183         * API/JSWrapperMap.h:
3184         * API/JSWrapperMap.mm:
3185         (-[JSObjCClassInfo initForClass:]):
3186         (-[JSWrapperMap initWithGlobalContextRef:]):
3187
3188 2017-06-15  Matt Baker  <mattbaker@apple.com>
3189
3190         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
3191         https://bugs.webkit.org/show_bug.cgi?id=172623
3192         <rdar://problem/32415986>
3193
3194         Reviewed by Devin Rousso.
3195
3196         This patch adds a basic Canvas protocol. It includes Canvas and related
3197         types and events for monitoring the lifetime of canvases in the page.
3198
3199         * CMakeLists.txt:
3200         * DerivedSources.make:
3201         * inspector/protocol/Canvas.json: Added.
3202
3203         * inspector/scripts/codegen/generator.py:
3204         (Generator.stylized_name_for_enum_value):
3205         Add special handling for Canvas.ContextType protocol enumeration,
3206         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
3207
3208 2017-06-15  Keith Miller  <keith_miller@apple.com>
3209
3210         Add logging to MachineStackMarker to try to diagnose crashes in the wild
3211         https://bugs.webkit.org/show_bug.cgi?id=173427
3212
3213         Reviewed by Mark Lam.
3214
3215         This patch adds some logging to the MachineStackMarker constructor
3216         to help figure out where we are seeing crashes. Since macOS does
3217         not support os_log_info my hope is that if we set all the callee
3218         save registers before making any calls in the C++ code we can
3219         figure out which call is the source of the crash. We also set
3220         all the caller save registers before returning in case some
3221         weirdness is happening in the Heap constructor.
3222
3223         This logging should not matter from a performance perspective. We
3224         only create MachineStackMarkers when we are creating a new VM,
3225         which is already expensive.
3226
3227         * heap/MachineStackMarker.cpp:
3228         (JSC::MachineThreads::MachineThreads):
3229
3230 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3231
3232         [JSC] Implement Object.assign in C++
3233         https://bugs.webkit.org/show_bug.cgi?id=173414
3234
3235         Reviewed by Saam Barati.
3236
3237         Implementing Object.assign in JS is not so good compared to C++ version because,
3238
3239         1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key.
3240         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
3241
3242         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
3243         So JS's type profile doesn't help well.
3244
3245         3. We have a chance to introduce various fast paths for Object.assign in C++.
3246
3247         This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
3248
3249         We can see 1.65x improvement in SixSpeed object-assign.es6.
3250
3251                                     baseline                  patched
3252
3253         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
3254
3255         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
3256
3257         * builtins/ObjectConstructor.js:
3258         (entries):
3259         (assign): Deleted.
3260         * runtime/JSCJSValueInlines.h:
3261         (JSC::JSValue::putInline):
3262         * runtime/JSCell.h:
3263         * runtime/JSCellInlines.h:
3264         (JSC::JSCell::putInline):
3265         * runtime/JSObject.cpp:
3266         (JSC::JSObject::put):
3267         * runtime/JSObject.h:
3268         * runtime/JSObjectInlines.h:
3269         (JSC::JSObject::putInlineForJSObject):
3270         (JSC::JSObject::putInline): Deleted.
3271         * runtime/ObjectConstructor.cpp:
3272         (JSC::objectConstructorAssign):
3273
3274 2017-06-14  Dan Bernstein  <mitz@apple.com>
3275
3276         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
3277         https://bugs.webkit.org/show_bug.cgi?id=168578
3278
3279         Reviewed by Geoff Garen.
3280
3281         * API/JSWrapperMap.mm:
3282         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
3283         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
3284         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
3285           it defines conformance to a JSExport-derived protocol and if so, avoid using the
3286           superclass as a substitute as we’d normally do.
3287
3288         * API/ObjcRuntimeExtras.h:
3289         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
3290           bail out.
3291
3292         * API/tests/JSExportTests.mm:
3293         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
3294         (runJSExportTests): Run new test.
3295
3296 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3297
3298         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
3299         https://bugs.webkit.org/show_bug.cgi?id=172421
3300
3301         * dfg/DFGSpeculativeJIT.cpp:
3302         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
3303
3304 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
3305
3306         REGRESSION: 15 new jsc failures in WPE and GTK+
3307         https://bugs.webkit.org/show_bug.cgi?id=173349
3308
3309         Reviewed by JF Bastien.
3310
3311         Recent changes to generateWasm.py are not accounted for from
3312         CMake, which leads to WasmOps.h not being regenerated in partial
3313         builds. Make generateWasm.py an additional dependency.

3314         * CMakeLists.txt:
3315
3316 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
3317
3318         Debugger has unexpected effect on program correctness
3319         https://bugs.webkit.org/show_bug.cgi?id=172683
3320
3321         Reviewed by Saam Barati.
3322
3323         * inspector/InjectedScriptSource.js:
3324         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3325         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
3326         (BasicCommandLineAPI):
3327         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
3328         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
3329
3330 2017-06-13  JF Bastien  <jfbastien@apple.com>
3331
3332         WebAssembly: fix erroneous signature comment
3333         https://bugs.webkit.org/show_bug.cgi?id=173334
3334
3335         Reviewed by Keith Miller.
3336
3337         * wasm/WasmSignature.h:
3338
3339 2017-06-13  Michael Saboff  <msaboff@apple.com>
3340
3341         Refactor AbsenceOfSetter to AbsenceOfSetEffects
3342         https://bugs.webkit.org/show_bug.cgi?id=173322
3343
3344         Reviewed by Filip Pizlo.
3345
3346         * bytecode/ObjectPropertyCondition.h:
3347         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
3348         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
3349         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
3350         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
3351         * bytecode/ObjectPropertyConditionSet.cpp:
3352         (JSC::generateConditionsForPropertySetterMiss):
3353         (JSC::generateConditionsForPropertySetterMissConcurrently):
3354         * bytecode/PropertyCondition.cpp:
3355         (JSC::PropertyCondition::dumpInContext):
3356         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
3357         (JSC::PropertyCondition::isStillValid):
3358         (WTF::printInternal):
3359         * bytecode/PropertyCondition.h:
3360         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
3361         (JSC::PropertyCondition::absenceOfSetEffect):
3362         (JSC::PropertyCondition::hasPrototype):
3363         (JSC::PropertyCondition::hash):
3364         (JSC::PropertyCondition::operator==):
3365         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
3366         (JSC::PropertyCondition::absenceOfSetter): Deleted.
3367
3368 2017-06-13  JF Bastien  <jfbastien@apple.com>
3369
3370         WebAssembly: import updated spec tests
3371         https://bugs.webkit.org/show_bug.cgi?id=173287
3372         <rdar://problem/32725975>
3373
3374         Reviewed by Saam Barati.
3375
3376         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
3377         with a few modifications so things work.
3378
3379         Fix a bunch of bugs found through this process, and punt a few tests (which I
3380         marked as blocked by this bug).
3381
3382         Fixes:
3383
3384         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
3385         instead of byte alignment. It was also missing memory-alignment.js despite it
3386         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
3387         pass.
3388
3389         Tables can be imported or in a section. There can be only one, but sections can
3390         be empty. An Elements section can exist if there's no Table, as long as it is
3391         also empty.
3392
3393         Memories can be imported or in a section. There can be only one, but sections
3394         can be empty. A Data section can exist if there's no Memory, as long as it is
3395         also empty.
3396
3397         Prototypes: stringify without .prototype. in the string.
3398
3399         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
3400         not a final size, and throws a RangeError on failure, not a TypeError.
3401
3402         Fix compile / instantiate so they reject the promise if given an argument of the
3403         wrong type (instead of failing instantly).
3404
3405         Fix async on neuter test.
3406
3407         Element section shouldn't affect any Table if any of the elements are out of
3408         bounds. We need to process it in two passes.
3409
3410         Segment section shouldn't affect any Data if any of the segments are out of