Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-12-02  Darin Adler  <darin@apple.com>
2
3         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
4         https://bugs.webkit.org/show_bug.cgi?id=180009
5
6         Reviewed by Alex Christensen.
7
8         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
9         * bytecode/CodeBlock.cpp: Ditto.
10         * bytecode/ExecutionCounter.cpp: Ditto.
11         * runtime/ConfigFile.cpp: Ditto.
12         * runtime/DatePrototype.cpp: Ditto.
13         * runtime/IndexingType.cpp: Ditto.
14         * runtime/JSCJSValue.cpp: Ditto.
15         * runtime/JSDateMath.cpp: Ditto.
16         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
17         * runtime/Options.cpp: Ditto.
18         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
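
        As an added illustration of the replacement named in the JSC::parse line above (example code written for this page, not WTF's implementation): an ASCII-only, length-checked comparison against a lowercase literal. Unlike strcasecmp, whose folding follows the process's LC_CTYPE locale, it folds only the 26 ASCII letters, so its answer is the same on every machine and for every locale. The precondition check and the parseBoolOption wrapper are this example's own names; they model the kind of option-string parsing the entry refers to, not JSC's parser.

```cpp
#include <cstddef>
#include <cstring>
#include <optional>

// True only if the literal is made of lowercase ASCII letters. The folding
// trick below is exact only under that precondition: '[' | 0x20 == '{', so a
// literal "{" would also accept "[", and a digit has no case to fold.
static bool isLowercaseAsciiLetters(const char* literal)
{
    for (; *literal; ++literal) {
        if (*literal < 'a' || *literal > 'z')
            return false;
    }
    return true;
}

// ASCII-only, locale-independent, length-checked case-insensitive equality.
// For any byte b, (b | 0x20) lands in 'a'..'z' exactly when b is an ASCII
// letter, so a non-ASCII byte (say the UTF-8 lead byte 0xC3 of "ü") can never
// compare equal to a letter of the literal.
static bool equalLettersIgnoringASCIICase(const char* input, size_t length, const char* lowercaseLetters)
{
    if (!isLowercaseAsciiLetters(lowercaseLetters))
        return false; // precondition violated; a debug assertion is the usual choice, this example just refuses
    if (length != std::strlen(lowercaseLetters))
        return false;
    for (size_t i = 0; i < length; ++i) {
        unsigned char folded = static_cast<unsigned char>(input[i]) | 0x20;
        if (folded != static_cast<unsigned char>(lowercaseLetters[i]))
            return false;
    }
    return true;
}

// How an option parser uses it: accept "true"/"false" in any ASCII casing and
// reject everything else, including "true1", "tr\xC3\xBC" and "".
static std::optional<bool> parseBoolOption(const char* text)
{
    size_t length = std::strlen(text);
    if (equalLettersIgnoringASCIICase(text, length, "true"))
        return true;
    if (equalLettersIgnoringASCIICase(text, length, "false"))
        return false;
    return std::nullopt;
}
```

        The length check matters as much as the folding: a caller that passes a NUL-free buffer with an explicit length never walks past it, which strcasecmp on an unterminated buffer would.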
19
20 2017-12-06  Saam Barati  <sbarati@apple.com>
21
22         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
23         https://bugs.webkit.org/show_bug.cgi?id=180438
24         <rdar://problem/35862342>
25
26         Reviewed by Yusuke Suzuki.
27
28         A couple of inspector methods that take stack traces need
29         to grab the JSLock.
30
31         * inspector/ScriptCallStackFactory.cpp:
32         (Inspector::createScriptCallStack):
33         (Inspector::createScriptCallStackForConsole):
34
35 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
36
37         Switch windows build to Visual Studio 2017
38         https://bugs.webkit.org/show_bug.cgi?id=172412
39
40         Reviewed by Per Arne Vollan.
41
42         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
43
44 2017-12-05  JF Bastien  <jfbastien@apple.com>
45
46         WebAssembly: don't eagerly checksum
47         https://bugs.webkit.org/show_bug.cgi?id=180441
48         <rdar://problem/35156628>
49
50         Reviewed by Saam Barati.
51
52         Make checksumming of module optional for now. The bots think the
53         checksum hurt compile-time. I'd measured it and couldn't see a
54         difference, and still can't at this point in time, but we'll see
55         if disabling it fixes the bots. If so then I can make it lazy upon
56         first backtrace construction, or I can try out MD5 instead of
57         SHA1.
58
59         * runtime/Options.h:
60         * wasm/WasmModuleInformation.cpp:
61         (JSC::Wasm::ModuleInformation::ModuleInformation):
62         * wasm/WasmModuleInformation.h:
63         * wasm/WasmNameSection.h:
64         (JSC::Wasm::NameSection::NameSection):
65
66 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
67
68         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
69         https://bugs.webkit.org/show_bug.cgi?id=180425
70
71         Reviewed by Saam Barati.
72         
73         Failure to do so causes leaks after starting workers.
74
75         * heap/IsoAlignedMemoryAllocator.cpp:
76         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
77         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
78
79 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
80
81         [Win64] Compile error in testmasm.cpp.
82         https://bugs.webkit.org/show_bug.cgi?id=180436
83
84         Reviewed by Mark Lam.
85
86         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
87         
88         * assembler/testmasm.cpp:
89         (JSC::testGetEffectiveAddress):
90
91 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
92
93         GC constraint solving should be parallel
94         https://bugs.webkit.org/show_bug.cgi?id=179934
95
96         Reviewed by JF Bastien.
97         
98         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
99         speed-up. It's more than 1% on trunk-Speedometer.
100         
101         The constraint solver supports running constraints in parallel in two different ways:
102         
103         - Run multiple constraints in parallel to each other. This only works for constraints that can
104           tolerate other constraints running concurrently to them (constraint.concurrency() ==
105           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
106           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
107           could probably make them concurrent, but I'm playing it safe for now.
108         
109         - A constraint can create parallel work for itself, which the constraint solver will interleave
110           with other stuff. A constraint can report that it has parallel work by returning
111           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
112           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
113           for as long as that function wants to run.
114         
115         It's not possible to have a non-concurrent constraint that creates parallel work.
116         
117         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
118         most natural for two reasons:
119         
120         - No need to start any other threads.
121         
122         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
123           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
124           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
125           thread, that thread will have work it can start doing immediately. Before this change, we had to
126           contribute the work found by the constraint solver to the global worklist so that it could be
127           distributed to the marker threads by load balancing. This change probably helps to avoid that
128           load balancing step.
129         
130         A lot of this change is about making it easy to iterate GC data structures in parallel. This
131         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
132         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
133         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
134         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
135         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
136         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
137         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
138         done is indicated by null).
139         
140         * API/JSMarkingConstraintPrivate.cpp:
141         (JSContextGroupAddMarkingConstraint):
142         * API/JSVirtualMachine.mm:
143         (scanExternalObjectGraph):
144         (scanExternalRememberedSet):
145         * JavaScriptCore.xcodeproj/project.pbxproj:
146         * Sources.txt:
147         * bytecode/AccessCase.cpp:
148         (JSC::AccessCase::propagateTransitions const):
149         * bytecode/CodeBlock.cpp:
150         (JSC::CodeBlock::visitWeakly):
151         (JSC::CodeBlock::shouldJettisonDueToOldAge):
152         (JSC::shouldMarkTransition):
153         (JSC::CodeBlock::propagateTransitions):
154         (JSC::CodeBlock::determineLiveness):
155         * dfg/DFGWorklist.cpp:
156         * ftl/FTLCompile.cpp:
157         (JSC::FTL::compile):
158         * heap/ConstraintParallelism.h: Added.
159         (WTF::printInternal):
160         * heap/Heap.cpp:
161         (JSC::Heap::Heap):
162         (JSC::Heap::addToRememberedSet):
163         (JSC::Heap::runFixpointPhase):
164         (JSC::Heap::stopThePeriphery):
165         (JSC::Heap::resumeThePeriphery):
166         (JSC::Heap::addCoreConstraints):
167         (JSC::Heap::setBonusVisitorTask):
168         (JSC::Heap::runTaskInParallel):
169         (JSC::Heap::forEachSlotVisitor): Deleted.
170         * heap/Heap.h:
171         (JSC::Heap::worldIsRunning const):
172         (JSC::Heap::runFunctionInParallel):
173         * heap/HeapInlines.h:
174         (JSC::Heap::worldIsStopped const):
175         (JSC::Heap::isMarked):
176         (JSC::Heap::incrementDeferralDepth):
177         (JSC::Heap::decrementDeferralDepth):
178         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
179         (JSC::Heap::forEachSlotVisitor):
180         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
181         (JSC::Heap::isMarkedConcurrently): Deleted.
182         * heap/HeapSnapshotBuilder.cpp:
183         (JSC::HeapSnapshotBuilder::appendNode):
184         * heap/LargeAllocation.h:
185         (JSC::LargeAllocation::isMarked):
186         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
187         * heap/LockDuringMarking.h:
188         (JSC::lockDuringMarking):
189         * heap/MarkedAllocator.cpp:
190         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
191         * heap/MarkedAllocator.h:
192         * heap/MarkedBlock.h:
193         (JSC::MarkedBlock::aboutToMark):
194         (JSC::MarkedBlock::isMarked):
195         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
196         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
197         * heap/MarkedSpace.h:
198         (JSC::MarkedSpace::activeWeakSetsBegin):
199         (JSC::MarkedSpace::activeWeakSetsEnd):
200         (JSC::MarkedSpace::newActiveWeakSetsBegin):
201         (JSC::MarkedSpace::newActiveWeakSetsEnd):
202         * heap/MarkingConstraint.cpp:
203         (JSC::MarkingConstraint::MarkingConstraint):
204         (JSC::MarkingConstraint::execute):
205         (JSC::MarkingConstraint::quickWorkEstimate):
206         (JSC::MarkingConstraint::workEstimate):
207         (JSC::MarkingConstraint::doParallelWork):
208         (JSC::MarkingConstraint::finishParallelWork):
209         (JSC::MarkingConstraint::doParallelWorkImpl):
210         (JSC::MarkingConstraint::finishParallelWorkImpl):
211         * heap/MarkingConstraint.h:
212         (JSC::MarkingConstraint::lastExecuteParallelism const):
213         (JSC::MarkingConstraint::parallelism const):
214         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
215         (JSC::MarkingConstraint::workEstimate): Deleted.
216         * heap/MarkingConstraintSet.cpp:
217         (JSC::MarkingConstraintSet::MarkingConstraintSet):
218         (JSC::MarkingConstraintSet::add):
219         (JSC::MarkingConstraintSet::executeConvergence):
220         (JSC::MarkingConstraintSet::executeConvergenceImpl):
221         (JSC::MarkingConstraintSet::executeAll):
222         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
223         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
224         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
225         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
226         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
227         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
228         (): Deleted.
229         * heap/MarkingConstraintSet.h:
230         * heap/MarkingConstraintSolver.cpp: Added.
231         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
232         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
233         (JSC::MarkingConstraintSolver::didVisitSomething const):
234         (JSC::MarkingConstraintSolver::execute):
235         (JSC::MarkingConstraintSolver::drain):
236         (JSC::MarkingConstraintSolver::converge):
237         (JSC::MarkingConstraintSolver::runExecutionThread):
238         (JSC::MarkingConstraintSolver::didExecute):
239         * heap/MarkingConstraintSolver.h: Added.
240         * heap/OpaqueRootSet.h: Removed.
241         * heap/ParallelSourceAdapter.h: Added.
242         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
243         (JSC::createParallelSourceAdapter):
244         * heap/SimpleMarkingConstraint.cpp: Added.
245         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
246         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
247         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
248         (JSC::SimpleMarkingConstraint::executeImpl):
249         * heap/SimpleMarkingConstraint.h: Added.
250         * heap/SlotVisitor.cpp:
251         (JSC::SlotVisitor::didStartMarking):
252         (JSC::SlotVisitor::reset):
253         (JSC::SlotVisitor::appendToMarkStack):
254         (JSC::SlotVisitor::visitChildren):
255         (JSC::SlotVisitor::updateMutatorIsStopped):
256         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
257         (JSC::SlotVisitor::drain):
258         (JSC::SlotVisitor::performIncrementOfDraining):
259         (JSC::SlotVisitor::didReachTermination):
260         (JSC::SlotVisitor::hasWork):
261         (JSC::SlotVisitor::drainFromShared):
262         (JSC::SlotVisitor::drainInParallelPassively):
263         (JSC::SlotVisitor::waitForTermination):
264         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
265         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
266         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
267         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
268         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
269         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
270         * heap/SlotVisitor.h:
271         * heap/SlotVisitorInlines.h:
272         (JSC::SlotVisitor::addOpaqueRoot):
273         (JSC::SlotVisitor::containsOpaqueRoot const):
274         (JSC::SlotVisitor::vm):
275         (JSC::SlotVisitor::vm const):
276         * heap/Subspace.cpp:
277         (JSC::Subspace::parallelAllocatorSource):
278         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
279         * heap/Subspace.h:
280         * heap/SubspaceInlines.h:
281         (JSC::Subspace::forEachMarkedCellInParallel):
282         * heap/VisitCounter.h: Added.
283         (JSC::VisitCounter::VisitCounter):
284         (JSC::VisitCounter::visitCount const):
285         * heap/VisitingTimeout.h: Removed.
286         * heap/WeakBlock.cpp:
287         (JSC::WeakBlock::specializedVisit):
288         * runtime/Structure.cpp:
289         (JSC::Structure::isCheapDuringGC):
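
        The parallel-iterator design this entry describes (an atomic next(), a falsish result meaning done, an outer source of blocks composed with an inner source of cells), as an added example written for this page rather than code from JSC. std::function stands in for RefPtr<SharedTask<...()>>, Block and Cell are constructed stand-ins for MarkedBlock and heap cells, and adaptParallelSource is this example's analogue of the ParallelSourceAdapter named in the file list, not its source. Worker threads play the role of the marker threads the solver hands parallel work to.

```cpp
#include <atomic>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// A parallel source: a callable whose next() is atomic and which returns a
// falsish value (nullptr here) once exhausted. std::function stands in for
// RefPtr<SharedTask<T()>>.
template<typename T>
using ParallelSource = std::function<T()>;

struct Cell { unsigned id; bool marked; };   // constructed stand-in for a heap cell
struct Block { std::vector<Cell> cells; };   // constructed stand-in for a MarkedBlock

// Outer source: hands out blocks through one atomic counter, no lock needed.
static ParallelSource<Block*> makeBlockSource(std::vector<Block>& blocks)
{
    auto next = std::make_shared<std::atomic<size_t>>(0);
    return [&blocks, next]() -> Block* {
        size_t i = next->fetch_add(1);
        return i < blocks.size() ? &blocks[i] : nullptr;
    };
}

// Inner source: the marked cells of one block, again via an atomic cursor.
static ParallelSource<Cell*> makeMarkedCellSource(Block* block)
{
    auto cursor = std::make_shared<std::atomic<size_t>>(0);
    return [block, cursor]() -> Cell* {
        for (;;) {
            size_t i = cursor->fetch_add(1);
            if (i >= block->cells.size())
                return nullptr;
            if (block->cells[i].marked)
                return &block->cells[i];
        }
    };
}

// Composes an outer source with a per-item inner source into one source of
// inner items. The lock serialises only the fetch; the work on each item is
// done by the caller, outside the lock, on whichever thread asked for it.
template<typename Outer, typename Inner>
static ParallelSource<Inner> adaptParallelSource(ParallelSource<Outer> outerSource,
    std::function<ParallelSource<Inner>(Outer)> outerToInner)
{
    struct State { std::mutex lock; ParallelSource<Inner> inner; };
    auto state = std::make_shared<State>();
    return [state, outerSource, outerToInner]() -> Inner {
        std::lock_guard<std::mutex> guard(state->lock);
        for (;;) {
            if (state->inner) {
                if (Inner item = state->inner())
                    return item;
                state->inner = nullptr;   // this block is drained; move on
            }
            Outer outer = outerSource();
            if (!outer)
                return Inner();           // falsish: every block is done
            state->inner = outerToInner(outer);
        }
    };
}

// Drains the composite source from threadCount workers. Returns the number
// of cells visited and records per-cell visit counts in `visits`.
static size_t visitMarkedCellsInParallel(std::vector<Block>& blocks, unsigned threadCount,
    std::vector<std::atomic<unsigned>>& visits)
{
    ParallelSource<Cell*> cells = adaptParallelSource<Block*, Cell*>(
        makeBlockSource(blocks), makeMarkedCellSource);
    std::atomic<size_t> visited(0);
    std::vector<std::thread> workers;
    for (unsigned t = 0; t < threadCount; ++t) {
        workers.emplace_back([&] {
            while (Cell* cell = cells()) {
                visits[cell->id].fetch_add(1);   // the per-cell "work"
                visited.fetch_add(1);
            }
        });
    }
    for (std::thread& worker : workers)
        worker.join();
    return visited.load();
}

// Constructed sample heap: blockCount blocks of cellsPerBlock cells, every third
// cell marked. True when each marked cell was visited exactly once and no
// unmarked cell was visited at all, whatever the thread count.
static bool checkSampleHeap(unsigned blockCount, unsigned cellsPerBlock, unsigned threadCount)
{
    std::vector<Block> blocks(blockCount);
    unsigned id = 0;
    for (Block& block : blocks) {
        for (unsigned i = 0; i < cellsPerBlock; ++i, ++id)
            block.cells.push_back(Cell { id, id % 3 == 0 });
    }
    std::vector<std::atomic<unsigned>> visits(id);
    size_t visited = visitMarkedCellsInParallel(blocks, threadCount, visits);
    size_t expected = 0;
    for (unsigned cell = 0; cell < id; ++cell) {
        unsigned want = cell % 3 == 0 ? 1 : 0;
        expected += want;
        if (visits[cell].load() != want)
            return false;
    }
    return visited == expected;
}

int main() { return checkSampleHeap(8, 100, 4) ? 0 : 1; }
```

        The property worth checking in any such iterator is the one checkSampleHeap asserts: every item is handed out exactly once no matter how many threads pull from it, which is what lets the solver let go of a marker thread and trust that nothing is visited twice or skipped.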
290         (JSC::Structure::markIfCheap):
291
292 2017-12-04  JF Bastien  <jfbastien@apple.com>
293
294         Math: don't redundantly check for exceptions, just release scope
295         https://bugs.webkit.org/show_bug.cgi?id=180395
296
297         Rubber stamped by Mark Lam.
298
299         Two of the exceptions checks could just have been exception scope
300         releases before the return, which is ever-so-slightly more
301         efficient. The same technically applies where we have loops over
302         parameters, but doing the scope release there isn't really more
303         efficient and is way harder to read.
304
305         * runtime/MathObject.cpp:
306         (JSC::mathProtoFuncATan2):
307         (JSC::mathProtoFuncPow):
308
309 2017-12-04  David Quesada  <david_quesada@apple.com>
310
311         Add a class for parsing application manifests
312         https://bugs.webkit.org/show_bug.cgi?id=177973
313         rdar://problem/34747949
314
315         Reviewed by Geoffrey Garen.
316
317         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
318
319 2017-12-04  JF Bastien  <jfbastien@apple.com>
320
321         Update std::expected to match libc++ coding style
322         https://bugs.webkit.org/show_bug.cgi?id=180264
323
324         Reviewed by Alex Christensen.
325
326         Update various uses of Expected.
327
328         * wasm/WasmModule.h:
329         * wasm/WasmModuleParser.cpp:
330         (JSC::Wasm::ModuleParser::parseImport):
331         (JSC::Wasm::ModuleParser::parseTableHelper):
332         (JSC::Wasm::ModuleParser::parseTable):
333         (JSC::Wasm::ModuleParser::parseMemoryHelper):
334         * wasm/WasmParser.h:
335         * wasm/generateWasmValidateInlinesHeader.py:
336         (loadMacro):
337         (storeMacro):
338         * wasm/js/JSWebAssemblyModule.cpp:
339         (JSC::JSWebAssemblyModule::createStub):
340         * wasm/js/JSWebAssemblyModule.h:
341
342 2017-12-04  Saam Barati  <sbarati@apple.com>
343
344         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
345         https://bugs.webkit.org/show_bug.cgi?id=180366
346         <rdar://problem/35685877>
347
348         Reviewed by Michael Saboff.
349
350         On the TailCall slow path, the CallFrameShuffler will build the frame with
351         respect to SP instead of FP. However, this may overwrite slots on the stack
352         that are needed if the slow path C call does a stack walk. The slow path
353         C call does a stack walk when it throws an exception. This patch fixes
354         this bug by ensuring that the top of the stack in the FTL always has enough
355         space to allow CallFrameShuffler to build a frame without overwriting any
356         items on the stack that are needed when doing a stack walk.
357
358         * ftl/FTLLowerDFGToB3.cpp:
359         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
360
361 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
362
363         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
364         https://bugs.webkit.org/show_bug.cgi?id=175166
365         <rdar://problem/34040740>
366
367         Reviewed by Joseph Pecoraro.
368
369         * inspector/protocol/Recording.json:
370         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
371
372         * inspector/JSGlobalObjectConsoleClient.h:
373         * inspector/JSGlobalObjectConsoleClient.cpp:
374         (Inspector::JSGlobalObjectConsoleClient::record):
375         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
376
377         * runtime/ConsoleClient.h:
378         * runtime/ConsoleObject.cpp:
379         (JSC::ConsoleObject::finishCreation):
380         (JSC::consoleProtoFuncRecord):
381         (JSC::consoleProtoFuncRecordEnd):
382
383 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
384
385         WTF shouldn't have both Thread and ThreadIdentifier
386         https://bugs.webkit.org/show_bug.cgi?id=180308
387
388         Reviewed by Darin Adler.
389
390         * heap/MachineStackMarker.cpp:
391         (JSC::MachineThreads::tryCopyOtherThreadStacks):
392         * llint/LLIntSlowPaths.cpp:
393         (JSC::LLInt::llint_trace_operand):
394         (JSC::LLInt::llint_trace_value):
395         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
396         (JSC::LLInt::traceFunctionPrologue):
397         * runtime/ExceptionScope.cpp:
398         (JSC::ExceptionScope::unexpectedExceptionMessage):
399         * runtime/JSLock.h:
400         (JSC::JSLock::currentThreadIsHoldingLock):
401         * runtime/VM.cpp:
402         (JSC::VM::throwException):
403         * runtime/VM.h:
404         (JSC::VM::throwingThread const):
405         (JSC::VM::clearException):
406         * tools/HeapVerifier.cpp:
407         (JSC::HeapVerifier::printVerificationHeader):
408
409 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
410
411         Rename DestroyFunc to avoid redefinition on unified build
412         https://bugs.webkit.org/show_bug.cgi?id=180335
413
414         Reviewed by Filip Pizlo.
415
416         Changing DestroyFunc structures to more specific names to avoid
417         conflicts on unified builds.
418
419         * heap/HeapCellType.cpp:
420         (JSC::HeapCellType::finishSweep):
421         (JSC::HeapCellType::destroy):
422         * runtime/JSDestructibleObjectHeapCellType.cpp:
423         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
424         (JSC::JSDestructibleObjectHeapCellType::destroy):
425         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
426         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
427         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
428         * runtime/JSStringHeapCellType.cpp:
429         (JSC::JSStringHeapCellType::finishSweep):
430         (JSC::JSStringHeapCellType::destroy):
431         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
432         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
433         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
434
435 2017-12-01  JF Bastien  <jfbastien@apple.com>
436
437         JavaScriptCore: missing exception checks in Math functions that take more than one argument
438         https://bugs.webkit.org/show_bug.cgi?id=180297
439         <rdar://problem/35745556>
440
441         Reviewed by Mark Lam.
442
443         * runtime/MathObject.cpp:
444         (JSC::mathProtoFuncATan2):
445         (JSC::mathProtoFuncMax):
446         (JSC::mathProtoFuncMin):
447         (JSC::mathProtoFuncPow):
448
449 2017-12-01  Mark Lam  <mark.lam@apple.com>
450
451         Let's scramble ClassInfo pointers in cells.
452         https://bugs.webkit.org/show_bug.cgi?id=180291
453         <rdar://problem/35807620>
454
455         Reviewed by JF Bastien.
456
457         * API/JSCallbackObject.h:
458         * API/JSObjectRef.cpp:
459         (classInfoPrivate):
460         * JavaScriptCore.xcodeproj/project.pbxproj:
461         * Sources.txt:
462         * assembler/MacroAssemblerCodeRef.cpp:
463         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
464         * assembler/MacroAssemblerCodeRef.h:
465         (JSC::MacroAssemblerCodePtr:: const):
466         (JSC::MacroAssemblerCodePtr::hash const):
467         * dfg/DFGSpeculativeJIT.cpp:
468         (JSC::DFG::SpeculativeJIT::checkArray):
469         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
470         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
471         * ftl/FTLLowerDFGToB3.cpp:
472         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
473         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
474         * jit/AssemblyHelpers.h:
475         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
476         * jit/SpecializedThunkJIT.h:
477         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
478         * runtime/InitializeThreading.cpp:
479         (JSC::initializeThreading):
480         * runtime/JSCScrambledPtr.cpp: Added.
481         (JSC::initializeScrambledPtrKeys):
482         * runtime/JSCScrambledPtr.h: Added.
483         * runtime/JSDestructibleObject.h:
484         (JSC::JSDestructibleObject::classInfo const):
485         * runtime/JSSegmentedVariableObject.h:
486         (JSC::JSSegmentedVariableObject::classInfo const):
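
        This entry carries only its file list, so as an added example (not JSC's JSCScrambledPtr code) here is the general mechanism that scrambling a type-identifying pointer is meant to provide. The stored bits are the pointer XORed with a per-process secret chosen at startup; that XOR mechanism is an assumption of this example, not something the entry states. The point it demonstrates is the attacker model: someone who can overwrite the field but does not know the key cannot make it decode to a fake ClassInfo. ScrambledPtr, overwriteBits, genuineInfo and forgedInfo are this example's own names.

```cpp
#include <cstdint>
#include <random>

// Process-wide secret chosen once at startup. Zero is excluded because XOR
// with zero would leave the pointer stored in the clear.
static uintptr_t makeScrambleKey()
{
    std::mt19937_64 generator{std::random_device{}()};
    uintptr_t key = 0;
    while (!key)
        key = static_cast<uintptr_t>(generator());
    return key;
}

struct ClassInfo {
    const char* className;
};

// A cell field that holds its pointer XORed with the key. Reading the field
// back with the key restores the pointer; reading it any other way does not.
template<typename T>
class ScrambledPtr {
public:
    ScrambledPtr(T* pointer, uintptr_t key)
        : m_bits(reinterpret_cast<uintptr_t>(pointer) ^ key) { }
    T* unscramble(uintptr_t key) const { return reinterpret_cast<T*>(m_bits ^ key); }
    // Models an attacker's arbitrary-write primitive landing on this field.
    void overwriteBits(uintptr_t bits) { m_bits = bits; }
private:
    uintptr_t m_bits;
};

static ClassInfo genuineInfo { "Array" };
static ClassInfo forgedInfo { "Forged" };

// Legitimate path: store with the key, read with the key.
static bool roundTrips(uintptr_t key)
{
    ScrambledPtr<ClassInfo> field(&genuineInfo, key);
    return field.unscramble(key) == &genuineInfo;
}

// Attacker path: write the raw address of a fake ClassInfo into the field
// without knowing the key. With a nonzero key the decoded value is
// &forgedInfo ^ key, not &forgedInfo, so the fake is never used as written.
static bool forgedPointerDecodes(uintptr_t key)
{
    ScrambledPtr<ClassInfo> field(&genuineInfo, key);
    field.overwriteBits(reinterpret_cast<uintptr_t>(&forgedInfo));
    return field.unscramble(key) == &forgedInfo;
}
```

        The mitigation only holds while the key stays secret: a read primitive that leaks both a scrambled field and the matching real pointer recovers the key with one XOR, so what scrambling buys is protection against write-only and partial-overwrite primitives, not against a full read/write.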
487         * runtime/Structure.h:
488         * runtime/VM.h:
489
490 2017-12-01  Brian Burg  <bburg@apple.com>
491
492         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
493         https://bugs.webkit.org/show_bug.cgi?id=173662
494
495         Reviewed by Joseph Pecoraro.
496
497         Adopt new type names. Fix protocol generator to use correct type names.
498
499         * inspector/ConsoleMessage.cpp:
500         (Inspector::ConsoleMessage::addToFrontend):
501         Improve namings and use 'auto' when the type is obvious and repeated.
502
503         * inspector/ContentSearchUtilities.cpp:
504         (Inspector::ContentSearchUtilities::searchInTextByLines):
505         * inspector/ContentSearchUtilities.h:
506         * inspector/InjectedScript.cpp:
507         (Inspector::InjectedScript::getProperties):
508         (Inspector::InjectedScript::getDisplayableProperties):
509         (Inspector::InjectedScript::getInternalProperties):
510         (Inspector::InjectedScript::getCollectionEntries):
511         (Inspector::InjectedScript::wrapCallFrames const):
512         * inspector/InjectedScript.h:
513         * inspector/InspectorProtocolTypes.h:
514         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
515         (Inspector::Protocol::Array::Array): Deleted.
516         (Inspector::Protocol::Array::openAccessors): Deleted.
517         (Inspector::Protocol::Array::addItem): Deleted.
518         (Inspector::Protocol::Array::create): Deleted.
519         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
520         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
521         Move the implementation out of this file.
522
523         * inspector/ScriptCallStack.cpp:
524         (Inspector::ScriptCallStack::buildInspectorArray const):
525         * inspector/ScriptCallStack.h:
526         * inspector/agents/InspectorAgent.cpp:
527         (Inspector::InspectorAgent::activateExtraDomain):
528         (Inspector::InspectorAgent::activateExtraDomains):
529         * inspector/agents/InspectorAgent.h:
530         * inspector/agents/InspectorConsoleAgent.cpp:
531         (Inspector::InspectorConsoleAgent::getLoggingChannels):
532         * inspector/agents/InspectorConsoleAgent.h:
533         * inspector/agents/InspectorDebuggerAgent.cpp:
534         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
535         (Inspector::InspectorDebuggerAgent::searchInContent):
536         (Inspector::InspectorDebuggerAgent::currentCallFrames):
537         * inspector/agents/InspectorDebuggerAgent.h:
538         * inspector/agents/InspectorRuntimeAgent.cpp:
539         (Inspector::InspectorRuntimeAgent::getProperties):
540         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
541         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
542         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
543         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
544         * inspector/agents/InspectorRuntimeAgent.h:
545         * inspector/agents/InspectorScriptProfilerAgent.cpp:
546         (Inspector::buildSamples):
547         Use more 'auto' and rename a variable.
548
549         * inspector/scripts/codegen/cpp_generator.py:
550         (CppGenerator.cpp_protocol_type_for_type):
551         Adopt new type names. This exposed a latent bug where we should have been
552         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
553         type may be an array, in which case we would have generated the wrong type.
554
555         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
556         (_generate_typedefs_for_domain.JSON):
557         (_generate_typedefs_for_domain.Inspector): Deleted.
558         * inspector/scripts/codegen/objc_generator.py:
559         (ObjCGenerator.protocol_type_for_type):
560         (ObjCGenerator.objc_protocol_export_expression_for_variable):
561         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
562         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
563         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
564         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
565         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
566         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
567         Rebaseline.
568
569         * runtime/TypeSet.cpp:
570         (JSC::TypeSet::allStructureRepresentations const):
571         (JSC::StructureShape::inspectorRepresentation):
572         * runtime/TypeSet.h:
573
574 2017-12-01  Saam Barati  <sbarati@apple.com>
575
576         Having a bad time needs to handle ArrayClass indexing type as well
577         https://bugs.webkit.org/show_bug.cgi?id=180274
578         <rdar://problem/35667869>
579
580         Reviewed by Keith Miller and Mark Lam.
581
582         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
583         Otherwise, we'll end up with the wrong Structure, which will lead us to not
584         adhere to the spec. The bug was that we were not considering ArrayClass inside 
585         hasBrokenIndexing. This patch rewrites that function to automatically opt
586         in non-empty indexing types as broken, instead of having to opt out all
587         non-empty indexing types besides SlowPutArrayStorage.
588
589         * runtime/IndexingType.h:
590         (JSC::hasSlowPutArrayStorage):
591         (JSC::shouldUseSlowPut):
592         * runtime/JSGlobalObject.cpp:
593         * runtime/JSObject.cpp:
594         (JSC::JSObject::switchToSlowPutArrayStorage):
595
596 2017-12-01  JF Bastien  <jfbastien@apple.com>
597
598         WebAssembly: stack trace improvement follow-ups
599         https://bugs.webkit.org/show_bug.cgi?id=180273
600
601         Reviewed by Saam Barati.
602
603         * wasm/WasmIndexOrName.cpp:
604         (JSC::Wasm::makeString):
605         * wasm/WasmIndexOrName.h:
606         (JSC::Wasm::IndexOrName::nameSection const):
607         * wasm/WasmNameSection.h:
608         (JSC::Wasm::NameSection::NameSection):
609         (JSC::Wasm::NameSection::get):
610
611 2017-12-01  JF Bastien  <jfbastien@apple.com>
612
613         WebAssembly: restore cached stack limit after out-call
614         https://bugs.webkit.org/show_bug.cgi?id=179106
615         <rdar://problem/35337525>
616
617         Reviewed by Saam Barati.
618
619         We cache the stack limit on the Instance so that we can do fast
620         stack checks where required. In regular usage the stack limit
621         never changes because we always run on the same thread, but in
622         rare cases an API user can totally migrate which thread (and
623         therefore stack) is used for execution between WebAssembly
624         traces. For that reason we set the cached stack limit to
625         UINTPTR_MAX on the outgoing Instance when transitioning back into
626         a different Instance. We usually restore the cached stack limit in
627         Context::store, but this wasn't called on all code paths. We had a
628         bug where an Instance calling into itself indirectly would
629         therefore fail to restore its cached stack limit properly.
630
631         This patch therefore restores the cached stack limit after direct
632         calls which could be to imports (both wasm->wasm and
633         wasm->embedder). We have to do all of them because we have no way
634         of knowing what imports will do (they're known at instantiation
635         time, not compilation time, and different instances can have
636         different imports). To make this efficient we also add a pointer
637         to the canonical location of the stack limit (i.e. the extra
638         indirection we're trying to save by caching the stack limit on the
639         Instance in the first place). This is potentially a small perf hit
640         on imported direct calls.
641
642         It's hard to say what the performance cost will be because we
643         haven't seen much code in the wild which does this. We're adding
644         two dependent loads and a store of the loaded value, which is
645         unlikely to get used soon after. It's more code, but on an
646         out-of-order processor it doesn't contribute to the critical path.
647
648         * wasm/WasmB3IRGenerator.cpp:
649         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
650         (JSC::Wasm::B3IRGenerator::addGrowMemory):
651         (JSC::Wasm::B3IRGenerator::addCall):
652         (JSC::Wasm::B3IRGenerator::addCallIndirect):
653         * wasm/WasmInstance.cpp:
654         (JSC::Wasm::Instance::Instance):
655         (JSC::Wasm::Instance::create):
656         * wasm/WasmInstance.h:
657         (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
658         (JSC::Wasm::Instance::cachedStackLimit const):
659         (JSC::Wasm::Instance::setCachedStackLimit):
660         * wasm/js/JSWebAssemblyInstance.cpp:
661         (JSC::JSWebAssemblyInstance::create):
662         * wasm/js/WebAssemblyFunction.cpp:
663         (JSC::callWebAssemblyFunction):
664
665 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
666
667         [JSC] Use JSFixedArray for op_new_array_buffer
668         https://bugs.webkit.org/show_bug.cgi?id=180084
669
670         Reviewed by Saam Barati.
671
672         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
673         But using JSFixedArray is better because,
674
675         1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
676            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as JS constant.
677
678         2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
679            has JSFixedArray, we can just emit a held JSFixedArray.
680
681         3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.
682
683         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
684
685         5. We do not need to look up the constant buffer from CodeBlock when the buffer data is necessary. Our NewArrayBuffer
686            DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
687            will be introduced in [1].
688
689         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
690
691         * bytecode/BytecodeDumper.cpp:
692         (JSC::BytecodeDumper<Block>::dumpBytecode):
693         * bytecode/BytecodeList.json:
694         * bytecode/BytecodeUseDef.h:
695         (JSC::computeUsesForBytecodeOffset):
696         * bytecode/CodeBlock.cpp:
697         (JSC::CodeBlock::finishCreation):
698         * bytecode/CodeBlock.h:
699         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
700         (JSC::CodeBlock::addConstantBuffer): Deleted.
701         (JSC::CodeBlock::constantBufferAsVector): Deleted.
702         (JSC::CodeBlock::constantBuffer): Deleted.
703         * bytecode/UnlinkedCodeBlock.cpp:
704         (JSC::UnlinkedCodeBlock::shrinkToFit):
705         * bytecode/UnlinkedCodeBlock.h:
706         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
707         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
708         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
709         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
710         * bytecompiler/BytecodeGenerator.cpp:
711         (JSC::BytecodeGenerator::emitNewArray):
712         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
713         * bytecompiler/BytecodeGenerator.h:
714         * dfg/DFGByteCodeParser.cpp:
715         (JSC::DFG::ByteCodeParser::parseBlock):
716         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
717         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
718         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
719         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
720         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
721         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
722         (JSC::DFG::ConstantBufferKey::index const): Deleted.
723         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
724         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
725         * dfg/DFGClobberize.h:
726         (JSC::DFG::clobberize):
727         * dfg/DFGGraph.cpp:
728         (JSC::DFG::Graph::dump):
729         * dfg/DFGGraph.h:
730         * dfg/DFGNode.h:
731         (JSC::DFG::Node::hasNewArrayBufferData):
732         (JSC::DFG::Node::newArrayBufferData):
733         (JSC::DFG::Node::hasVectorLengthHint):
734         (JSC::DFG::Node::vectorLengthHint):
735         (JSC::DFG::Node::indexingType):
736         (JSC::DFG::Node::hasCellOperand):
737         (JSC::DFG::Node::OpInfoWrapper::operator=):
738         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
739         (JSC::DFG::Node::hasConstantBuffer): Deleted.
740         (JSC::DFG::Node::startConstant): Deleted.
741         (JSC::DFG::Node::numConstants): Deleted.
742         * dfg/DFGOperations.cpp:
743         * dfg/DFGOperations.h:
744         * dfg/DFGSpeculativeJIT.h:
745         (JSC::DFG::SpeculativeJIT::callOperation):
746         * dfg/DFGSpeculativeJIT32_64.cpp:
747         (JSC::DFG::SpeculativeJIT::compile):
748         * dfg/DFGSpeculativeJIT64.cpp:
749         (JSC::DFG::SpeculativeJIT::compile):
750         * ftl/FTLLowerDFGToB3.cpp:
751         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
752         * jit/JIT.cpp:
753         (JSC::JIT::privateCompileMainPass):
754         * jit/JIT.h:
755         * jit/JITOpcodes.cpp:
756         (JSC::JIT::emit_op_new_array_buffer): Deleted.
757         * jit/JITOperations.cpp:
758         * jit/JITOperations.h:
759         * llint/LLIntSlowPaths.cpp:
760         * llint/LLIntSlowPaths.h:
761         * llint/LowLevelInterpreter.asm:
762         * runtime/CommonSlowPaths.cpp:
763         (JSC::SLOW_PATH_DECL):
764         * runtime/CommonSlowPaths.h:
765         * runtime/JSFixedArray.cpp:
766         (JSC::JSFixedArray::dumpToStream):
767         * runtime/JSFixedArray.h:
768         (JSC::JSFixedArray::create):
769         (JSC::JSFixedArray::get const):
770         (JSC::JSFixedArray::set):
771         (JSC::JSFixedArray::buffer const):
772         (JSC::JSFixedArray::values const):
773         (JSC::JSFixedArray::length const):
774         (JSC::JSFixedArray::get): Deleted.
775
776 2017-11-30  JF Bastien  <jfbastien@apple.com>
777
778         WebAssembly: improve stack trace
779         https://bugs.webkit.org/show_bug.cgi?id=179343
780
781         Reviewed by Saam Barati.
782
783         Stack traces now include:
784
785           - Module name, if provided by the name section.
786           - Module SHA1 hash if no name was provided
787           - Stub identification, to differentiate from user code
788           - Slightly different naming to match design from:
789               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
790
791         * interpreter/StackVisitor.cpp:
792         (JSC::StackVisitor::Frame::functionName const):
793         * runtime/StackFrame.cpp:
794         (JSC::StackFrame::functionName const):
795         (JSC::StackFrame::visitChildren):
796         * wasm/WasmIndexOrName.cpp:
797         (JSC::Wasm::IndexOrName::IndexOrName):
798         (JSC::Wasm::makeString):
799         * wasm/WasmIndexOrName.h:
800         (JSC::Wasm::IndexOrName::nameSection const):
801         * wasm/WasmModuleInformation.cpp:
802         (JSC::Wasm::ModuleInformation::ModuleInformation):
803         * wasm/WasmModuleInformation.h:
804         * wasm/WasmNameSection.h:
805         (JSC::Wasm::NameSection::NameSection):
806         (JSC::Wasm::NameSection::get):
807         * wasm/WasmNameSectionParser.cpp:
808         (JSC::Wasm::NameSectionParser::parse):
809
810 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
811
812         Make LegacyCustomProtocolManager optional for network process
813         https://bugs.webkit.org/show_bug.cgi?id=176230
814
815         Reviewed by Alex Christensen.
816
817         * Configurations/FeatureDefines.xcconfig:
818
819 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
820
821         [JSC] Remove easy toRemove & map.remove() use in OAS phase
822         https://bugs.webkit.org/show_bug.cgi?id=180208
823
824         Reviewed by Mark Lam.
825
826         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
827         to optimize this common pattern. This patch only modifies the apparent ones.
828         But we can apply this refactoring further to the OAS phase in the future.
829
830         One thing we should be careful about is that the predicate of removeIf should not
831         touch the set it is removing from. In this patch, we apply this change to (1) the
832         apparently correct ones and (2) things in the DFG OAS phase since it is very slow.
833
834         * b3/B3MoveConstants.cpp:
835         * dfg/DFGObjectAllocationSinkingPhase.cpp:
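
As an added illustration of the caveat in this entry (example code written for this page, not WebKit's WTF::removeIf or the OAS phase itself): a single-pass removal whose predicate reads the container being pruned evaluates later elements against an already-mutated set, so the answer depends on iteration order, whereas the two-phase toRemove pattern and a removeIf whose predicate reads only a snapshot agree. The toy use graph, the survival rule and the removeIfInPlace helper are constructed for the example.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <vector>

// Constructed toy of an allocation-sinking style candidate set: node ids, and
// for each node the id of the single node that uses it. Node 3 is "escaped"
// (never a candidate), node 2 is used by 3, node 1 is used by 2.
using Users = std::map<uint32_t, uint32_t>;

static bool contains(const std::vector<uint32_t>& v, uint32_t id)
{
    return std::find(v.begin(), v.end(), id) != v.end();
}

// Generic single-pass removal loop in the spirit of a removeIf: the predicate
// is evaluated against the container while it is being mutated.
template<typename Pred>
static void removeIfInPlace(std::vector<uint32_t>& v, Pred pred)
{
    for (size_t i = 0; i < v.size();) {
        if (pred(v[i]))
            v.erase(v.begin() + i);
        else
            ++i;
    }
}

// Rule for one pass: a candidate survives only if its user is also a candidate.

// Two-phase form (the pattern the patch replaces): every predicate runs against
// the set as it was before any removal, so the result is order-independent.
static std::vector<uint32_t> pruneTwoPhase(std::vector<uint32_t> candidates, const Users& users)
{
    std::vector<uint32_t> toRemove;
    for (uint32_t id : candidates) {
        if (!contains(candidates, users.at(id)))
            toRemove.push_back(id);
    }
    for (uint32_t id : toRemove)
        candidates.erase(std::find(candidates.begin(), candidates.end(), id));
    return candidates;
}

// removeIf form whose predicate touches the set being pruned: a node removed
// earlier in the same pass is already invisible to later predicates, so the
// outcome depends on iteration order. This is the hazard behind the rollout.
static std::vector<uint32_t> pruneRemoveIfTouchingSet(std::vector<uint32_t> candidates, const Users& users)
{
    removeIfInPlace(candidates, [&](uint32_t id) {
        return !contains(candidates, users.at(id));
    });
    return candidates;
}

// removeIf form that is safe: the predicate consults only a copy taken before
// the loop, which makes it equivalent to the two-phase version.
static std::vector<uint32_t> pruneRemoveIfSafe(std::vector<uint32_t> candidates, const Users& users)
{
    const std::vector<uint32_t> snapshot = candidates;
    removeIfInPlace(candidates, [&](uint32_t id) {
        return !contains(snapshot, users.at(id));
    });
    return candidates;
}
```

With users {1 -> 2, 2 -> 3}, a pass over [1, 2] keeps node 1 in all three forms, but a pass over [2, 1] with the set-touching predicate removes node 2 first and then, seeing it gone, also removes node 1. Inside a fixpoint loop the two forms may converge to the same answer, which is why the discrepancy is easy to miss in testing.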
836
837 2017-11-30  Commit Queue  <commit-queue@webkit.org>
838
839         Unreviewed, rolling out r225362.
840         https://bugs.webkit.org/show_bug.cgi?id=180225
841
842         removeIf predicate function can touch remove target set
843         (Requested by yusukesuzuki on #webkit).
844
845         Reverted changeset:
846
847         "[JSC] Remove easy toRemove & map.remove() use"
848         https://bugs.webkit.org/show_bug.cgi?id=180208
849         https://trac.webkit.org/changeset/225362
850
851 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
852
853         [JSC] Use AllocatorIfExists for MaterializeNewObject
854         https://bugs.webkit.org/show_bug.cgi?id=180189
855
856         Reviewed by Filip Pizlo.
857
858         I don't think anyone guarantees this allocator exists at this phase.
859         And a nullptr allocator just works here. We change AllocatorForMode
860         to AllocatorIfExists to accept nullptr for the allocator.
861
862         * ftl/FTLLowerDFGToB3.cpp:
863         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
864
865 2017-11-30  Mark Lam  <mark.lam@apple.com>
866
867         Let's scramble MacroAssemblerCodePtr values.
868         https://bugs.webkit.org/show_bug.cgi?id=180169
869         <rdar://problem/35758340>
870
871         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
872
873         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
874
875         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
876            template argument type that will be used to cast the result.  This makes the
877            client code that uses these functions a little less verbose.
878
879         3. Change the code base in general to minimize passing void* code pointers around.
880            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
881            at the last moment when we need the underlying code pointer.
882
883         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
884            default.  I'm leaving them in because they are instrumental in finding bugs
885            where not all MacroAssemblerCodePtr values were scrambled as expected.
886            I expect them to be useful in the near future as we add more scrambling.
887
888         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
889            explicit casts to a boolean).  This ensures that clients will always explicitly
890            use scrambledBits() or executableAddress() to get a value based on which value
891            they actually need.
892
893         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
894            This was helpful when debugging tests that ran multiple VMs concurrently on
895            different threads.
896
897         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
898         CLoop).  It is not yet supported in 32-bit and Windows because we don't
899         currently have a way to read a global variable from their LLInt code.
900
901         * assembler/AbstractMacroAssembler.h:
902         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
903         (JSC::AbstractMacroAssembler::linkPointer):
904         * assembler/CodeLocation.h:
905         (JSC::CodeLocationCommon::instructionAtOffset):
906         (JSC::CodeLocationCommon::labelAtOffset):
907         (JSC::CodeLocationCommon::jumpAtOffset):
908         (JSC::CodeLocationCommon::callAtOffset):
909         (JSC::CodeLocationCommon::nearCallAtOffset):
910         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
911         (JSC::CodeLocationCommon::dataLabel32AtOffset):
912         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
913         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
914         * assembler/LinkBuffer.cpp:
915         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
916         * assembler/LinkBuffer.h:
917         (JSC::LinkBuffer::link):
918         (JSC::LinkBuffer::patch):
919         * assembler/MacroAssemblerCodeRef.cpp:
920         (JSC::MacroAssemblerCodePtr::initialize):
921         * assembler/MacroAssemblerCodeRef.h:
922         (JSC::FunctionPtr::FunctionPtr):
923         (JSC::FunctionPtr::value const):
924         (JSC::FunctionPtr::executableAddress const):
925         (JSC::ReturnAddressPtr::ReturnAddressPtr):
926         (JSC::ReturnAddressPtr::value const):
927         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
928         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
929         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
930         (JSC::MacroAssemblerCodePtr:: const):
931         (JSC::MacroAssemblerCodePtr::operator! const):
932         (JSC::MacroAssemblerCodePtr::operator bool const):
933         (JSC::MacroAssemblerCodePtr::operator== const):
934         (JSC::MacroAssemblerCodePtr::hash const):
935         (JSC::MacroAssemblerCodePtr::emptyValue):
936         (JSC::MacroAssemblerCodePtr::deletedValue):
937         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
938         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
939         * b3/B3LowerMacros.cpp:
940         * b3/testb3.cpp:
941         (JSC::B3::testInterpreter):
942         * dfg/DFGDisassembler.cpp:
943         (JSC::DFG::Disassembler::dumpDisassembly):
944         * dfg/DFGJITCompiler.cpp:
945         (JSC::DFG::JITCompiler::link):
946         (JSC::DFG::JITCompiler::compileFunction):
947         * dfg/DFGOperations.cpp:
948         * dfg/DFGSpeculativeJIT.cpp:
949         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
950         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
951         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
952         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
953         * dfg/DFGSpeculativeJIT.h:
954         * disassembler/Disassembler.cpp:
955         (JSC::disassemble):
956         * disassembler/UDis86Disassembler.cpp:
957         (JSC::tryToDisassembleWithUDis86):
958         * ftl/FTLCompile.cpp:
959         (JSC::FTL::compile):
960         * ftl/FTLJITCode.cpp:
961         (JSC::FTL::JITCode::executableAddressAtOffset):
962         * ftl/FTLLink.cpp:
963         (JSC::FTL::link):
964         * ftl/FTLLowerDFGToB3.cpp:
965         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
966         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
967         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
968         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
969         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
970         * interpreter/InterpreterInlines.h:
971         (JSC::Interpreter::getOpcodeID):
972         * jit/JITArithmetic.cpp:
973         (JSC::JIT::emitMathICFast):
974         (JSC::JIT::emitMathICSlow):
975         * jit/JITCode.cpp:
976         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
977         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
978         (JSC::JITCodeWithCodeRef::offsetOf):
979         * jit/JITDisassembler.cpp:
980         (JSC::JITDisassembler::dumpDisassembly):
981         * jit/PCToCodeOriginMap.cpp:
982         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
983         * jit/Repatch.cpp:
984         (JSC::ftlThunkAwareRepatchCall):
985         * jit/ThunkGenerators.cpp:
986         (JSC::virtualThunkFor):
987         (JSC::boundThisNoArgsFunctionCallGenerator):
988         * llint/LLIntSlowPaths.cpp:
989         (JSC::LLInt::llint_trace_operand):
990         (JSC::LLInt::llint_trace_value):
991         (JSC::LLInt::handleHostCall):
992         (JSC::LLInt::setUpCall):
993         * llint/LowLevelInterpreter64.asm:
994         * offlineasm/cloop.rb:
995         * runtime/InitializeThreading.cpp:
996         (JSC::initializeThreading):
997         * wasm/WasmBBQPlan.cpp:
998         (JSC::Wasm::BBQPlan::complete):
999         * wasm/WasmCallee.h:
1000         (JSC::Wasm::Callee::entrypoint const):
1001         * wasm/WasmCodeBlock.cpp:
1002         (JSC::Wasm::CodeBlock::CodeBlock):
1003         * wasm/WasmOMGPlan.cpp:
1004         (JSC::Wasm::OMGPlan::work):
1005         * wasm/js/WasmToJS.cpp:
1006         (JSC::Wasm::wasmToJS):
1007         * wasm/js/WebAssemblyFunction.cpp:
1008         (JSC::callWebAssemblyFunction):
1009         * wasm/js/WebAssemblyFunction.h:
1010         * wasm/js/WebAssemblyWrapperFunction.cpp:
1011         (JSC::WebAssemblyWrapperFunction::create):
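
An added sketch of what storing only a scrambled code pointer looks like (example code written for this page, not WebKit's ScrambledPtr or MacroAssemblerCodePtr): the raw executable address is combined with a process-wide secret at construction and descrambled only at the last moment through executableAddress<T>(), with no implicit conversion back to a raw pointer. XOR with a random key, the key generation, the looksScrambled paranoid check and the sampleEntrypoint stand-in are this example's own assumptions; the entry above does not describe the real scheme.

```cpp
#include <cstdint>
#include <random>
#include <type_traits>

// Process-wide secret used to scramble code pointers, generated once on first
// use. Assumption for this example: scrambling is XOR with this key.
static uintptr_t scrambleKey()
{
    static const uintptr_t key = [] {
        std::random_device seed;
        std::mt19937_64 generator(seed());
        uintptr_t k = static_cast<uintptr_t>(generator());
        return k ? k : static_cast<uintptr_t>(1); // a zero key would leave pointers in the clear
    }();
    return key;
}

// Model of a code pointer that stores only scrambled bits, so the raw
// executable address is not sitting in memory in the clear.
class ScrambledCodePtr {
public:
    ScrambledCodePtr() : m_bits(0) { } // null is stored as 0 so bool tests stay cheap

    template<typename T>
    static ScrambledCodePtr createFromExecutableAddress(T raw)
    {
        static_assert(std::is_pointer<T>::value, "expects a raw pointer");
        ScrambledCodePtr result;
        if (raw)
            result.m_bits = reinterpret_cast<uintptr_t>(raw) ^ scrambleKey();
        return result;
    }

    // Descramble only at the last moment, casting to the type the caller needs.
    template<typename T = void*>
    T executableAddress() const
    {
        static_assert(std::is_pointer<T>::value, "cast target must be a pointer type");
        if (!m_bits)
            return nullptr;
        return reinterpret_cast<T>(m_bits ^ scrambleKey());
    }

    uintptr_t scrambledBits() const { return m_bits; }

    // Only an explicit boolean conversion exists; callers must choose between
    // scrambledBits() and executableAddress() for anything else.
    explicit operator bool() const { return m_bits != 0; }
    bool operator==(const ScrambledCodePtr& other) const { return m_bits == other.m_bits; }

    // Paranoid check: a non-null value whose bits equal the raw address was
    // never scrambled (an example of the kind of assert described above).
    template<typename T>
    static bool looksScrambled(const ScrambledCodePtr& ptr, T raw)
    {
        return !ptr || ptr.scrambledBits() != reinterpret_cast<uintptr_t>(raw);
    }

private:
    uintptr_t m_bits;
};

// Constructed stand-in for a JIT entrypoint.
static int sampleEntrypoint() { return 42; }

using EntrypointFn = int (*)();

// Round-trip: scramble, descramble to the function pointer type, call.
static int callThroughScrambledPtr()
{
    ScrambledCodePtr ptr = ScrambledCodePtr::createFromExecutableAddress(&sampleEntrypoint);
    return ptr.executableAddress<EntrypointFn>()();
}

static bool scrambledBitsDifferFromRaw()
{
    ScrambledCodePtr ptr = ScrambledCodePtr::createFromExecutableAddress(&sampleEntrypoint);
    return ScrambledCodePtr::looksScrambled(ptr, &sampleEntrypoint);
}
```

The design choice worth copying is the removed implicit conversion: with only explicit bool and the two named accessors, a grep for executableAddress< finds every place where a raw code address is materialised, which is exactly where a reviewer wants to look.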
1012
1013 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1014
1015         [JSC] Remove easy toRemove & map.remove() use
1016         https://bugs.webkit.org/show_bug.cgi?id=180208
1017
1018         Reviewed by Mark Lam.
1019
1020         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
1021         to optimize this common pattern. This patch only modifies the apparent ones.
1022         But we can apply this refactoring further to the OAS phase in the future.
1023
1024         * b3/B3MoveConstants.cpp:
1025         * dfg/DFGArgumentsEliminationPhase.cpp:
1026         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1027         * wasm/WasmSignature.cpp:
1028         (JSC::Wasm::SignatureInformation::tryCleanup):
1029
1030 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1031
1032         [JSC] Use getEffectiveAddress more in JSC
1033         https://bugs.webkit.org/show_bug.cgi?id=180154
1034
1035         Reviewed by Mark Lam.
1036
1037         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
1038         And we also add a MacroAssembler::negPtr(src, dest) variation.
1039
1040         * assembler/MacroAssembler.h:
1041         (JSC::MacroAssembler::negPtr):
1042         * assembler/MacroAssemblerARM.h:
1043         (JSC::MacroAssemblerARM::neg32):
1044         * assembler/MacroAssemblerARM64.h:
1045         (JSC::MacroAssemblerARM64::neg32):
1046         (JSC::MacroAssemblerARM64::neg64):
1047         * assembler/MacroAssemblerARMv7.h:
1048         (JSC::MacroAssemblerARMv7::neg32):
1049         * assembler/MacroAssemblerMIPS.h:
1050         (JSC::MacroAssemblerMIPS::neg32):
1051         * assembler/MacroAssemblerX86Common.h:
1052         (JSC::MacroAssemblerX86Common::neg32):
1053         * assembler/MacroAssemblerX86_64.h:
1054         (JSC::MacroAssemblerX86_64::neg64):
1055         * dfg/DFGThunks.cpp:
1056         (JSC::DFG::osrEntryThunkGenerator):
1057         * ftl/FTLLowerDFGToB3.cpp:
1058         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
1059         * jit/SetupVarargsFrame.cpp:
1060         (JSC::emitSetVarargsFrame):
1061
1062 2017-11-30  Mark Lam  <mark.lam@apple.com>
1063
1064         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1065         https://bugs.webkit.org/show_bug.cgi?id=180219
1066         <rdar://problem/35696536>
1067
1068         Reviewed by Filip Pizlo.
1069
1070         * jsc.cpp:
1071         (functionFlashHeapAccess):
1072
1073 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1074
1075         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1076         https://bugs.webkit.org/show_bug.cgi?id=180190
1077
1078         Reviewed by Mark Lam.
1079
1080         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
1081         path by calling operationHasIndexedProperty. The problem is that
1082         operationHasIndexedProperty does not account for a negative index. The negative
1083         index was used as a uint32 array index.
1084
1085         In this patch we add a path for negative indices in operationHasIndexedProperty.
1086         And rename it to operationHasIndexedPropertyByInt to make the intention clear.
1087         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
1088         since it is only used in DFG and FTL.
1089
1090         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
1091         This causes repeated OSR exit and significantly regresses the performance. We opened
1092         a bug to track this issue[1].
1093
1094         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
1095
1096         * dfg/DFGOperations.cpp:
1097         * dfg/DFGOperations.h:
1098         * dfg/DFGSpeculativeJIT32_64.cpp:
1099         (JSC::DFG::SpeculativeJIT::compile):
1100         * dfg/DFGSpeculativeJIT64.cpp:
1101         (JSC::DFG::SpeculativeJIT::compile):
1102         * ftl/FTLLowerDFGToB3.cpp:
1103         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1104         * jit/JITOperations.cpp:
1105         * jit/JITOperations.h:
1106
1107 2017-11-30  Michael Saboff  <msaboff@apple.com>
1108
1109         Allow JSC command line tool to accept UTF8
1110         https://bugs.webkit.org/show_bug.cgi?id=180205
1111
1112         Reviewed by Keith Miller.
1113
1114         This unifies the UTF8 handling of interactive mode with that of source files.
1115
1116         * jsc.cpp:
1117         (runInteractive):
1118
1119 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1120
1121         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
1122         https://bugs.webkit.org/show_bug.cgi?id=180185
1123
1124         Reviewed by Carlos Garcia Campos.
1125
1126         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
1127         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
1128         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
1129         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated yet. But a MakeRope
1130         DFG node can be emitted if we see that an untaken path includes String + String code.
1131
1132         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
1133         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
1134         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
1135         original code used before r225314.
1136
1137         * dfg/DFGSpeculativeJIT.cpp:
1138         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1139         * ftl/FTLLowerDFGToB3.cpp:
1140         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1141
1142 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
1143
1144         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
1145         https://bugs.webkit.org/show_bug.cgi?id=180108
1146
1147         Reviewed by Saam Barati.
1148         
1149         This was creating a vector of things to remove and then removing them. I think I remember writing
1150         this code, and I did that because at the time we did not have removeAllMatching, which is
1151         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
1152         obvious improvement before I did more fundamental things to this code.
1153
1154         * heap/CodeBlockSet.cpp:
1155         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1156
1157 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
1158
1159         GC should support isoheaps
1160         https://bugs.webkit.org/show_bug.cgi?id=179288
1161
1162         Reviewed by Saam Barati.
1163         
1164         This expands the power of the Subspace API in JSC:
1165         
1166         - Everything associated with describing the types of objects is now part of the HeapCellType class.
1167           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
1168           HeapCellType; these are orthogonal things.
1169         
1170         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
1171           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
1172           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
1173           pages but releases the physical pages as part of the respective allocator's scavenging policy
1174           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
1175           IsoSubspace).
1176         
1177         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
1178         for more things.
1179         
1180         This does not have any effect on JetStream (0.18% faster with p = 0.69).
1181
1182         * JavaScriptCore.xcodeproj/project.pbxproj:
1183         * Sources.txt:
1184         * bytecode/AccessCase.cpp:
1185         (JSC::AccessCase::generateImpl):
1186         * bytecode/ObjectAllocationProfileInlines.h:
1187         (JSC::ObjectAllocationProfile::initializeProfile):
1188         * dfg/DFGSpeculativeJIT.cpp:
1189         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1190         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1191         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1192         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1193         * dfg/DFGSpeculativeJIT64.cpp:
1194         (JSC::DFG::SpeculativeJIT::compile):
1195         * ftl/FTLAbstractHeapRepository.h:
1196         * ftl/FTLLowerDFGToB3.cpp:
1197         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1198         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1199         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1200         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1201         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1202         * heap/AlignedMemoryAllocator.cpp:
1203         (JSC::AlignedMemoryAllocator::registerAllocator):
1204         (JSC::AlignedMemoryAllocator::registerSubspace):
1205         * heap/AlignedMemoryAllocator.h:
1206         (JSC::AlignedMemoryAllocator::firstAllocator const):
1207         * heap/AllocationFailureMode.h: Added.
1208         * heap/CompleteSubspace.cpp: Added.
1209         (JSC::CompleteSubspace::CompleteSubspace):
1210         (JSC::CompleteSubspace::~CompleteSubspace):
1211         (JSC::CompleteSubspace::allocatorFor):
1212         (JSC::CompleteSubspace::allocate):
1213         (JSC::CompleteSubspace::allocateNonVirtual):
1214         (JSC::CompleteSubspace::allocatorForSlow):
1215         (JSC::CompleteSubspace::allocateSlow):
1216         (JSC::CompleteSubspace::tryAllocateSlow):
1217         * heap/CompleteSubspace.h: Added.
1218         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
1219         (JSC::CompleteSubspace::allocatorForSizeStep):
1220         (JSC::CompleteSubspace::allocatorForNonVirtual):
1221         * heap/HeapCellType.cpp: Added.
1222         (JSC::HeapCellType::HeapCellType):
1223         (JSC::HeapCellType::~HeapCellType):
1224         (JSC::HeapCellType::finishSweep):
1225         (JSC::HeapCellType::destroy):
1226         * heap/HeapCellType.h: Added.
1227         (JSC::HeapCellType::attributes const):
1228         * heap/IsoAlignedMemoryAllocator.cpp: Added.
1229         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
1230         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1231         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1232         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
1233         (JSC::IsoAlignedMemoryAllocator::dump const):
1234         * heap/IsoAlignedMemoryAllocator.h: Added.
1235         * heap/IsoSubspace.cpp: Added.
1236         (JSC::IsoSubspace::IsoSubspace):
1237         (JSC::IsoSubspace::~IsoSubspace):
1238         (JSC::IsoSubspace::allocatorFor):
1239         (JSC::IsoSubspace::allocatorForNonVirtual):
1240         (JSC::IsoSubspace::allocate):
1241         (JSC::IsoSubspace::allocateNonVirtual):
1242         * heap/IsoSubspace.h: Added.
1243         (JSC::IsoSubspace::size const):
1244         * heap/MarkedAllocator.cpp:
1245         (JSC::MarkedAllocator::MarkedAllocator):
1246         (JSC::MarkedAllocator::setSubspace):
1247         (JSC::MarkedAllocator::allocateSlowCase):
1248         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
1249         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
1250         * heap/MarkedAllocator.h:
1251         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
1252         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
1253         * heap/MarkedAllocatorInlines.h:
1254         (JSC::MarkedAllocator::allocate):
1255         (JSC::MarkedAllocator::tryAllocate): Deleted.
1256         * heap/MarkedBlock.h:
1257         * heap/MarkedBlockInlines.h:
1258         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
1259         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
1260         * heap/MarkedSpace.cpp:
1261         (JSC::MarkedSpace::addMarkedAllocator):
1262         * heap/MarkedSpace.h:
1263         * heap/Subspace.cpp:
1264         (JSC::Subspace::Subspace):
1265         (JSC::Subspace::initialize):
1266         (JSC::Subspace::finishSweep):
1267         (JSC::Subspace::destroy):
1268         (JSC::Subspace::prepareForAllocation):
1269         (JSC::Subspace::findEmptyBlockToSteal):
1270         (): Deleted.
1271         (JSC::Subspace::allocate): Deleted.
1272         (JSC::Subspace::tryAllocate): Deleted.
1273         (JSC::Subspace::allocatorForSlow): Deleted.
1274         (JSC::Subspace::allocateSlow): Deleted.
1275         (JSC::Subspace::tryAllocateSlow): Deleted.
1276         (JSC::Subspace::didAllocate): Deleted.
1277         * heap/Subspace.h:
1278         (JSC::Subspace::heapCellType const):
1279         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
1280         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
1281         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
1282         (JSC::Subspace::allocatorForSizeStep): Deleted.
1283         (JSC::Subspace::tryAllocatorFor): Deleted.
1284         (JSC::Subspace::allocatorFor): Deleted.
1285         * jit/AssemblyHelpers.h:
1286         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1287         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1288         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1289         * jit/JITOpcodes.cpp:
1290         (JSC::JIT::emit_op_new_object):
1291         * runtime/ButterflyInlines.h:
1292         (JSC::Butterfly::createUninitialized):
1293         (JSC::Butterfly::tryCreate):
1294         (JSC::Butterfly::growArrayRight):
1295         * runtime/DirectArguments.cpp:
1296         (JSC::DirectArguments::overrideThings):
1297         * runtime/DirectArguments.h:
1298         (JSC::DirectArguments::subspaceFor):
1299         * runtime/DirectEvalExecutable.h:
1300         * runtime/EvalExecutable.h:
1301         * runtime/ExecutableBase.h:
1302         (JSC::ExecutableBase::subspaceFor):
1303         * runtime/FunctionExecutable.h:
1304         * runtime/GenericArgumentsInlines.h:
1305         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1306         * runtime/HashMapImpl.h:
1307         (JSC::HashMapBuffer::create):
1308         * runtime/IndirectEvalExecutable.h:
1309         * runtime/JSArray.cpp:
1310         (JSC::JSArray::tryCreateUninitializedRestricted):
1311         (JSC::JSArray::unshiftCountSlowCase):
1312         * runtime/JSArray.h:
1313         (JSC::JSArray::tryCreate):
1314         * runtime/JSArrayBufferView.cpp:
1315         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1316         * runtime/JSCell.h:
1317         (JSC::subspaceFor):
1318         * runtime/JSCellInlines.h:
1319         (JSC::JSCell::subspaceFor):
1320         (JSC::tryAllocateCellHelper):
1321         (JSC::allocateCell):
1322         (JSC::tryAllocateCell):
1323         * runtime/JSDestructibleObject.h:
1324         (JSC::JSDestructibleObject::subspaceFor):
1325         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
1326         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
1327         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
1328         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
1329         (JSC::JSDestructibleObjectHeapCellType::destroy):
1330         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
1331         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
1332         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
1333         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
1334         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
1335         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
1336         * runtime/JSDestructibleObjectSubspace.h: Removed.
1337         * runtime/JSLexicalEnvironment.h:
1338         (JSC::JSLexicalEnvironment::subspaceFor):
1339         * runtime/JSSegmentedVariableObject.h:
1340         (JSC::JSSegmentedVariableObject::subspaceFor):
1341         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
1342         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
1343         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
1344         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
1345         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
1346         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
1347         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
1348         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
1349         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
1350         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
1351         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
1352         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
1353         * runtime/JSString.h:
1354         (JSC::JSString::subspaceFor):
1355         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
1356         (JSC::JSStringHeapCellType::JSStringHeapCellType):
1357         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
1358         (JSC::JSStringHeapCellType::finishSweep):
1359         (JSC::JSStringHeapCellType::destroy):
1360         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
1361         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
1362         (JSC::JSStringSubspace::finishSweep): Deleted.
1363         (JSC::JSStringSubspace::destroy): Deleted.
1364         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
1365         * runtime/JSStringSubspace.cpp: Removed.
1366         * runtime/JSStringSubspace.h: Removed.
1367         * runtime/ModuleProgramExecutable.h:
1368         * runtime/NativeExecutable.h:
1369         * runtime/ProgramExecutable.h:
1370         * runtime/RegExpMatchesArray.h:
1371         (JSC::tryCreateUninitializedRegExpMatchesArray):
1372         * runtime/ScopedArguments.h:
1373         (JSC::ScopedArguments::subspaceFor):
1374         * runtime/VM.cpp:
1375         (JSC::VM::VM):
1376         * runtime/VM.h:
1377         (JSC::VM::gigacageAuxiliarySpace):
1378         * wasm/js/JSWebAssemblyCodeBlock.h:
1379         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
1380         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
1381         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
1382         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
1383         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
1384         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
1385         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
1386         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
1387         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
1388         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
1389         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
1390         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
1391         * wasm/js/JSWebAssemblyMemory.h:
1392         (JSC::JSWebAssemblyMemory::subspaceFor):
1393
1394 2017-11-29  Saam Barati  <sbarati@apple.com>
1395
1396         Remove pointer caging for double arrays
1397         https://bugs.webkit.org/show_bug.cgi?id=180163
1398
1399         Reviewed by Mark Lam.
1400
1401         This patch removes pointer caging from double arrays. Like
1402         my previous removals of pointer caging, this is a security vs
1403         performance tradeoff. We believe that butterflies being allocated
1404         in the cage and with a 32GB runway gives us enough security that
1405         pointer caging the butterfly just for double arrays does not add
1406         enough security benefit for the performance hit it incurs.
1407
1408         This patch also removes the GetButterflyWithoutCaging node and
1409         the FixedButterflyAccessUncaging phase. The node is no longer needed
1410         because now all GetButterfly nodes are not caged. The phase is removed
1411         since we no longer have two nodes.
1412
1413         * dfg/DFGAbstractInterpreterInlines.h:
1414         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1415         * dfg/DFGArgumentsEliminationPhase.cpp:
1416         * dfg/DFGClobberize.h:
1417         (JSC::DFG::clobberize):
1418         * dfg/DFGDoesGC.cpp:
1419         (JSC::DFG::doesGC):
1420         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
1421         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
1422         * dfg/DFGFixupPhase.cpp:
1423         (JSC::DFG::FixupPhase::fixupNode):
1424         * dfg/DFGHeapLocation.cpp:
1425         (WTF::printInternal):
1426         * dfg/DFGHeapLocation.h:
1427         * dfg/DFGNodeType.h:
1428         * dfg/DFGPlan.cpp:
1429         (JSC::DFG::Plan::compileInThreadImpl):
1430         * dfg/DFGPredictionPropagationPhase.cpp:
1431         * dfg/DFGSafeToExecute.h:
1432         (JSC::DFG::safeToExecute):
1433         * dfg/DFGSpeculativeJIT.cpp:
1434         (JSC::DFG::SpeculativeJIT::compileSpread):
1435         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1436         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1437         * dfg/DFGSpeculativeJIT32_64.cpp:
1438         (JSC::DFG::SpeculativeJIT::compile):
1439         * dfg/DFGSpeculativeJIT64.cpp:
1440         (JSC::DFG::SpeculativeJIT::compile):
1441         * dfg/DFGTypeCheckHoistingPhase.cpp:
1442         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1443         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1444         * ftl/FTLCapabilities.cpp:
1445         (JSC::FTL::canCompile):
1446         * ftl/FTLLowerDFGToB3.cpp:
1447         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1448         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1449         * jit/JITPropertyAccess.cpp:
1450         (JSC::JIT::emitDoubleLoad):
1451         (JSC::JIT::emitGenericContiguousPutByVal):
1452         * runtime/Butterfly.h:
1453         (JSC::Butterfly::pointer):
1454         (JSC::Butterfly::contiguousDouble):
1455         (JSC::Butterfly::caged): Deleted.
1456         * runtime/ButterflyInlines.h:
1457         (JSC::Butterfly::createOrGrowPropertyStorage):
1458         * runtime/JSObject.cpp:
1459         (JSC::JSObject::ensureLengthSlow):
1460         (JSC::JSObject::reallocateAndShrinkButterfly):
1461
1462 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1463
1464         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1465         https://bugs.webkit.org/show_bug.cgi?id=175447
1466
1467         Reviewed by Carlos Alberto Lopez Perez.
1468
1469         This patch allows DFG JIT to be enabled on MIPS platforms.
1470
1471         * Sources.txt:
1472         * assembler/MIPSAssembler.h:
1473         (JSC::MIPSAssembler::lastSPRegister):
1474         (JSC::MIPSAssembler::numberOfSPRegisters):
1475         (JSC::MIPSAssembler::sprName):
1476         * assembler/MacroAssemblerMIPS.cpp: Added.
1477         (JSC::MacroAssembler::probe):
1478         * assembler/ProbeContext.cpp:
1479         (JSC::Probe::executeProbe):
1480         * assembler/ProbeContext.h:
1481         (JSC::Probe::CPUState::pc):
1482         * assembler/testmasm.cpp:
1483         (JSC::isSpecialGPR):
1484         (JSC::testProbePreservesGPRS):
1485         (JSC::testProbeModifiesStackPointer):
1486         (JSC::testProbeModifiesStackValues):
1487
1488 2017-11-29  Matt Lewis  <jlewis3@apple.com>
1489
1490         Unreviewed, rolling out r225286.
1491
1492         The source files within this patch have been marked as
1493         executable.
1494
1495         Reverted changeset:
1496
1497         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
1498         https://bugs.webkit.org/show_bug.cgi?id=175447
1499         https://trac.webkit.org/changeset/225286
1500
1501 2017-11-29  Alex Christensen  <achristensen@webkit.org>
1502
1503         Fix Mac CMake build.
1504
1505         * PlatformMac.cmake:
1506
1507 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1508
1509         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1510         https://bugs.webkit.org/show_bug.cgi?id=175447
1511
1512         Reviewed by Carlos Alberto Lopez Perez.
1513
1514         This patch allows DFG JIT to be enabled on MIPS platforms.
1515
1516         * Sources.txt:
1517         * assembler/MIPSAssembler.h:
1518         (JSC::MIPSAssembler::lastSPRegister):
1519         (JSC::MIPSAssembler::numberOfSPRegisters):
1520         (JSC::MIPSAssembler::sprName):
1521         * assembler/MacroAssemblerMIPS.cpp: Added.
1522         (JSC::MacroAssembler::probe):
1523         * assembler/ProbeContext.cpp:
1524         (JSC::Probe::executeProbe):
1525         * assembler/ProbeContext.h:
1526         (JSC::Probe::CPUState::pc):
1527         * assembler/testmasm.cpp:
1528         (JSC::isSpecialGPR):
1529         (JSC::testProbePreservesGPRS):
1530         (JSC::testProbeModifiesStackPointer):
1531         (JSC::testProbeModifiesStackValues):
1532
1533 2017-11-28  JF Bastien  <jfbastien@apple.com>
1534
1535         Strict and sloppy functions shouldn't share structure
1536         https://bugs.webkit.org/show_bug.cgi?id=180103
1537         <rdar://problem/35667847>
1538
1539         Reviewed by Saam Barati.
1540
1541         Sloppy and strict functions don't act the same when it comes to
1542         arguments, caller, and callee. Sharing a structure means that
1543         anything that is cached gets shared, and that's incorrect.
1544
1545         * dfg/DFGAbstractInterpreterInlines.h:
1546         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1547         * dfg/DFGSpeculativeJIT.cpp:
1548         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1549         * ftl/FTLLowerDFGToB3.cpp:
1550         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1551         * runtime/FunctionConstructor.cpp:
1552         (JSC::constructFunctionSkippingEvalEnabledCheck):
1553         * runtime/JSFunction.cpp:
1554         (JSC::JSFunction::create): the second ::create is always strict
1555         because it applies to native functions.
1556         * runtime/JSFunctionInlines.h:
1557         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1558         * runtime/JSGlobalObject.cpp:
1559         (JSC::JSGlobalObject::init):
1560         (JSC::JSGlobalObject::visitChildren):
1561         * runtime/JSGlobalObject.h:
1562         (JSC::JSGlobalObject::strictFunctionStructure const):
1563         (JSC::JSGlobalObject::sloppyFunctionStructure const):
1564         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
1565         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
1566         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
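
        Added illustration (example code, not part of the WebKit patch or the JSC sources): the
        observable differences between sloppy and strict functions that the entry above refers to.
        Both functions in each pair are built by the Function constructor, differing only in the
        "use strict" directive, so the comparison holds whether or not the surrounding file is
        itself strict. Helper names such as probe and describeCaller are mine; the own-property
        results reflect the engine the script runs on (Node.js/V8 here).

```javascript
// Added example (not WebKit code). Each pair is created through the Function
// constructor, so the only difference between the two is the strict directive.
const sloppyAliasing = new Function('a', 'a = 2; return arguments[0];');
const strictAliasing = new Function('a', '"use strict"; a = 2; return arguments[0];');

const sloppyCallee = new Function('return typeof arguments.callee;');
const strictCallee = new Function(
  '"use strict"; try { return typeof arguments.callee; } catch (e) { return e.name; }'
);

const sloppyFn = new Function('');
const strictFn = new Function('"use strict";');

// fn.caller is an own data property on a sloppy function (null while fn is not
// on the stack) but a throwing accessor on a strict function.
function describeCaller(fn) {
  try {
    return fn.caller === null ? 'null' : typeof fn.caller;
  } catch (e) {
    return e.name;
  }
}

function ownsCaller(fn) {
  return Object.prototype.hasOwnProperty.call(fn, 'caller');
}

// Collects every behaviour a cache keyed on a shared function Structure would
// have to answer identically for both kinds of function.
function probe() {
  return {
    sloppyAliasing: sloppyAliasing(1), // mapped arguments: write to `a` is visible
    strictAliasing: strictAliasing(1), // unmapped arguments: original value kept
    sloppyCallee: sloppyCallee(),      // "function"
    strictCallee: strictCallee(),      // "TypeError"
    sloppyCaller: describeCaller(sloppyFn),
    strictCaller: describeCaller(strictFn),
    sloppyOwnsCaller: ownsCaller(sloppyFn),
    strictOwnsCaller: ownsCaller(strictFn),
  };
}

console.log(probe());
```

        Every field in the object returned by probe() differs between the two columns, which is why a
        cached property lookup made for one kind of function cannot be reused for the other.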
1567
1568 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1569
1570         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
1571         https://bugs.webkit.org/show_bug.cgi?id=180070
1572
1573         Reviewed by Saam Barati.
1574
1575         This patch adds getEffectiveAddress in all JIT platforms.
1576         This is an abstracted version of x86 lea.
1577
1578         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
1579
1580         * assembler/MacroAssemblerARM.h:
1581         (JSC::MacroAssemblerARM::getEffectiveAddress):
1582         * assembler/MacroAssemblerARM64.h:
1583         (JSC::MacroAssemblerARM64::getEffectiveAddress):
1584         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
1585         * assembler/MacroAssemblerARMv7.h:
1586         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
1587         * assembler/MacroAssemblerMIPS.h:
1588         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1589         * assembler/MacroAssemblerX86.h:
1590         (JSC::MacroAssemblerX86::getEffectiveAddress):
1591         * assembler/MacroAssemblerX86_64.h:
1592         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
1593         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
1594         * assembler/testmasm.cpp:
1595         (JSC::testGetEffectiveAddress):
1596         (JSC::run):
1597         * dfg/DFGSpeculativeJIT.cpp:
1598         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1599         * yarr/YarrJIT.cpp:
1600         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1601         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1602
1603 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1604
1605         The recursive tail call optimisation is wrong on closures
1606         https://bugs.webkit.org/show_bug.cgi?id=179835
1607
1608         Reviewed by Saam Barati.
1609
1610         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
1611         As a stopgap measure this patch just does not do the optimisation for closures.
1612
1613         * dfg/DFGByteCodeParser.cpp:
1614         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
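
        Added illustration (example code, not part of the WebKit patch): two closures created from
        the same function executable but with different captured variables, tail-calling each other.
        Checking only the callee's executable would treat the call as a self-recursion. The names
        are mine, and unsoundModel is my model of what that rewrite would compute for this input,
        not code from JSC.

```javascript
// Added example (not WebKit code): closures from one executable are not
// interchangeable, because each captures its own variables.

function makeAlternator(label, peer) {
  // Each call returns a new closure from the same executable (`step`), but the
  // closure captures this call's own `label` and `peer`.
  return function step(n, trail) {
    if (n === 0) return trail;
    return peer()(n - 1, trail + label); // tail call into a closure that shares
  };                                      // step's executable, not its scope
}

function buildPair() {
  let a, b;
  a = makeAlternator('A', () => b);
  b = makeAlternator('B', () => a);
  return { a, b };
}

// Same source text (same executable) but distinct function objects.
function shareExecutable() {
  const { a, b } = buildPair();
  return a !== b && String(a) === String(b);
}

// What the language requires: each call uses the callee's captured variables,
// so the labels alternate.
function correctResult(n) {
  return buildPair().a(n, '');
}

// Model of the unsound rewrite: a tail call to a callee with the same
// executable becomes a jump to the top of the current frame, so the current
// closure's captured `label` is used on every iteration.
function unsoundModel(n) {
  const label = 'A'; // captured by the closure we entered first; never swapped
  let trail = '';
  for (; n > 0; n -= 1) trail += label;
  return trail;
}

console.log(correctResult(4), unsoundModel(4));
```

        The two results differ as soon as more than one closure from the executable is involved,
        which is the case the stopgap above excludes from the optimisation.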
1615
1616 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1617
1618         Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable
1619         https://bugs.webkit.org/show_bug.cgi?id=180119
1620
1621         Reviewed by Devin Rousso.
1622
1623         * inspector/InjectedScriptManager.h:
1624         * inspector/JSGlobalObjectScriptDebugServer.h:
1625         * inspector/agents/InspectorHeapAgent.h:
1626         * inspector/agents/InspectorRuntimeAgent.h:
1627         * inspector/agents/InspectorScriptProfilerAgent.h:
1628         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1629
1630 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1631
1632         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
1633         https://bugs.webkit.org/show_bug.cgi?id=179642
1634         <rdar://problem/35517704>
1635
1636         Reviewed by Brian Burg.
1637
1638         * inspector/protocol/Network.json:
1639         Expose the NetworkAgent for a Service Worker inspector.
1640
1641 2017-11-28  Brian Burg  <bburg@apple.com>
1642
1643         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
1644         https://bugs.webkit.org/show_bug.cgi?id=179696
1645
1646         Reviewed by Timothy Hatcher.
1647
1648         * inspector/scripts/codegen/generate_objc_header.py:
1649         (ObjCHeaderGenerator._generate_type_interface):
1650         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1651         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1652         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
1653         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
1654         * inspector/scripts/codegen/objc_generator.py:
1655         (ObjCGenerator.protocol_type_for_raw_name):
1656         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1657         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
1658         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1659         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
1660         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
1661         (ObjCGenerator.objc_to_protocol_expression_for_member):
1662         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
1663         (ObjCGenerator.protocol_to_objc_expression_for_member):
1664         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
1665         (ObjCGenerator.objc_setter_method_for_member_internal):
1666         (ObjCGenerator.objc_getter_method_for_member_internal):
1667         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1668         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1669         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1670         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1671         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1672         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1673         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1674         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1675         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1676         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1677
1678 2017-11-27  JF Bastien  <jfbastien@apple.com>
1679
1680         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1681         https://bugs.webkit.org/show_bug.cgi?id=180051
1682         <rdar://problem/35614371>
1683
1684         Reviewed by Saam Barati.
1685
1686         Checking for int32 isn't sufficient when uint32 is expected
1687         afterwards. While we're here, also use Checked<>.
1688
1689         * dfg/DFGAbstractInterpreterInlines.h:
1690         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1691
1692 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1693
1694         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1695         https://bugs.webkit.org/show_bug.cgi?id=173793
1696
1697         Reviewed by Joseph Pecoraro.
1698
1699         Based on patch by Brian Burg.
1700
1701         * JavaScriptCore.xcodeproj/project.pbxproj:
1702         * Sources.txt:
1703         * bindings/ScriptValue.cpp:
1704         (Inspector::jsToInspectorValue):
1705         (Inspector::toInspectorValue):
1706         (Deprecated::ScriptValue::toInspectorValue const):
1707         * bindings/ScriptValue.h:
1708         * inspector/AsyncStackTrace.cpp:
1709         * inspector/ConsoleMessage.cpp:
1710         * inspector/ContentSearchUtilities.cpp:
1711         * inspector/DeprecatedInspectorValues.cpp: Added.
1712         * inspector/DeprecatedInspectorValues.h: Added.
1713         Keep the old symbols around in JavaScriptCore so that builds with the
1714         public iOS SDK continue to work. These older SDKs include a version of
1715         WebInspector.framework that expects to find InspectorArray and other
1716         symbols in JavaScriptCore.framework.
1717
1718         * inspector/InjectedScript.cpp:
1719         (Inspector::InjectedScript::getFunctionDetails):
1720         (Inspector::InjectedScript::functionDetails):
1721         (Inspector::InjectedScript::getPreview):
1722         (Inspector::InjectedScript::getProperties):
1723         (Inspector::InjectedScript::getDisplayableProperties):
1724         (Inspector::InjectedScript::getInternalProperties):
1725         (Inspector::InjectedScript::getCollectionEntries):
1726         (Inspector::InjectedScript::saveResult):
1727         (Inspector::InjectedScript::wrapCallFrames const):
1728         (Inspector::InjectedScript::wrapObject const):
1729         (Inspector::InjectedScript::wrapTable const):
1730         (Inspector::InjectedScript::previewValue const):
1731         (Inspector::InjectedScript::setExceptionValue):
1732         (Inspector::InjectedScript::clearExceptionValue):
1733         (Inspector::InjectedScript::inspectObject):
1734         (Inspector::InjectedScript::releaseObject):
1735         * inspector/InjectedScriptBase.cpp:
1736         (Inspector::InjectedScriptBase::makeCall):
1737         (Inspector::InjectedScriptBase::makeEvalCall):
1738         * inspector/InjectedScriptBase.h:
1739         * inspector/InjectedScriptManager.cpp:
1740         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1741         * inspector/InspectorBackendDispatcher.cpp:
1742         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1743         (Inspector::BackendDispatcher::dispatch):
1744         (Inspector::BackendDispatcher::sendResponse):
1745         (Inspector::BackendDispatcher::sendPendingErrors):
1746         (Inspector::BackendDispatcher::getPropertyValue):
1747         (Inspector::castToInteger):
1748         (Inspector::castToNumber):
1749         (Inspector::BackendDispatcher::getInteger):
1750         (Inspector::BackendDispatcher::getDouble):
1751         (Inspector::BackendDispatcher::getString):
1752         (Inspector::BackendDispatcher::getBoolean):
1753         (Inspector::BackendDispatcher::getObject):
1754         (Inspector::BackendDispatcher::getArray):
1755         (Inspector::BackendDispatcher::getValue):
1756         * inspector/InspectorBackendDispatcher.h:
1757         We need to keep around the sendResponse() variant with a parameter that
1758         has the InspectorObject type, as older WebInspector.framework versions
1759         expect this symbol to exist. Introduce a variant with arity 3 that can
1760         be used in TOT so as to avoid having two methods with the same name, arity, and
1761         different parameter types.
1762
1763         When system WebInspector.framework is updated, we can remove the legacy
1764         method variant that uses the InspectorObject type. At that point, we can
1765         transition TOT to use the 2-arity variant, and delete the 3-arity variant
1766         when system WebInspector.framework is updated once more to use the 2-arity one.
1767
1768         * inspector/InspectorProtocolTypes.h:
1769         (Inspector::Protocol::Array::openAccessors):
1770         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1771         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1772         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1773         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1774         * inspector/ScriptCallFrame.cpp:
1775         * inspector/ScriptCallStack.cpp:
1776         * inspector/agents/InspectorAgent.cpp:
1777         (Inspector::InspectorAgent::inspect):
1778         * inspector/agents/InspectorAgent.h:
1779         * inspector/agents/InspectorDebuggerAgent.cpp:
1780         (Inspector::buildAssertPauseReason):
1781         (Inspector::buildCSPViolationPauseReason):
1782         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1783         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1784         (Inspector::buildObjectForBreakpointCookie):
1785         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1786         (Inspector::parseLocation):
1787         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1788         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1789         (Inspector::InspectorDebuggerAgent::continueToLocation):
1790         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1791         (Inspector::InspectorDebuggerAgent::didParseSource):
1792         (Inspector::InspectorDebuggerAgent::breakProgram):
1793         * inspector/agents/InspectorDebuggerAgent.h:
1794         * inspector/agents/InspectorRuntimeAgent.cpp:
1795         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1796         (Inspector::InspectorRuntimeAgent::saveResult):
1797         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1798         * inspector/agents/InspectorRuntimeAgent.h:
1799         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1800         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1801         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1802         (CppBackendDispatcherImplementationGenerator.generate_output):
1803         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1804         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1805         (CppFrontendDispatcherHeaderGenerator.generate_output):
1806         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1807         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1808         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1809         (_generate_unchecked_setter_for_member):
1810         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1811         (CppProtocolTypesImplementationGenerator):
1812         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1813         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1814         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1815         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1816         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1817         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1818         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1819         * inspector/scripts/codegen/generate_objc_internal_header.py:
1820         (ObjCInternalHeaderGenerator.generate_output):
1821         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1822         (ObjCProtocolTypesImplementationGenerator.generate_output):
1823         * inspector/scripts/codegen/generator.py:
1824         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1825         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1826         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1827         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1828         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1829         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1830         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1831         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1832         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1833         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1834         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1835         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1836         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1837         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1838         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1839         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1840         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1841         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1842         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1843         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1844
1845 2017-11-28  Robin Morisset  <rmorisset@apple.com>
1846
1847         Support recursive tail call optimization for polymorphic calls
1848         https://bugs.webkit.org/show_bug.cgi?id=178390
1849
1850         Reviewed by Saam Barati.
1851
1852         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
1853         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
1854
1855         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
1856
1857         * dfg/DFGByteCodeParser.cpp:
1858         (JSC::DFG::ByteCodeParser::handleCall):
1859         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1860         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1861         (JSC::DFG::ByteCodeParser::inlineCall):
1862         (JSC::DFG::ByteCodeParser::handleCallVariant):
1863         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1864         (JSC::DFG::ByteCodeParser::getInliningBalance):
1865         (JSC::DFG::ByteCodeParser::handleInlining):
1866         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
1867
1868 2017-11-27  Saam Barati  <sbarati@apple.com>
1869
1870         Spread can escape when CreateRest does not
1871         https://bugs.webkit.org/show_bug.cgi?id=180057
1872         <rdar://problem/35676119>
1873
1874         Reviewed by JF Bastien.
1875
1876         We previously did not handle Spread(PhantomCreateRest) only because I did not
1877         think it was possible to generate this IR. I was wrong. We can generate
1878         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
1879         This IR is rare to generate since we normally don't PutStack(Spread) because
1880         the SetLocal almost always gets eliminated because of how our bytecode generates
1881         op_spread. However, there exists a test case showing it is possible. Supporting
1882         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
1883         the Validation rule for Spread.
1884
1885         * dfg/DFGOperations.cpp:
1886         * dfg/DFGOperations.h:
1887         * dfg/DFGValidate.cpp:
1888         * ftl/FTLLowerDFGToB3.cpp:
1889         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1890         * runtime/JSFixedArray.h:
1891         (JSC::JSFixedArray::tryCreate):
1892
1893 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
1894
1895         [CMake][Win] Conditionally select DLL CRT or static CRT
1896         https://bugs.webkit.org/show_bug.cgi?id=170594
1897
1898         Reviewed by Alex Christensen.
1899
1900         * shell/PlatformWin.cmake:
1901
1902 2017-11-27  Saam Barati  <sbarati@apple.com>
1903
1904         Having a bad time watchpoint firing during compilation revealed a racy assertion
1905         https://bugs.webkit.org/show_bug.cgi?id=180048
1906         <rdar://problem/35700009>
1907
1908         Reviewed by Mark Lam.
1909
1910         While a DFG compilation is watching the having a bad time watchpoint, it was
1911         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
1912         However, if the having a bad time watchpoint fires during the compilation,
1913         this particular structure will no longer have ArrayWithContiguous indexing type.
1914         This patch fixes this racy assertion to be aware that the watchpoint may fire
1915         during compilation.
1916
1917         * dfg/DFGSpeculativeJIT.cpp:
1918         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1919         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1920
1921 2017-11-27  Tim Horton  <timothy_horton@apple.com>
1922
1923         One too many zeroes in macOS version number in FeatureDefines
1924         https://bugs.webkit.org/show_bug.cgi?id=180011
1925
1926         Reviewed by Dan Bernstein.
1927
1928         * Configurations/FeatureDefines.xcconfig:
1929
1930 2017-11-27  Robin Morisset  <rmorisset@apple.com>
1931
1932         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
1933         https://bugs.webkit.org/show_bug.cgi?id=179821
1934
1935         Reviewed by Saam Barati.
1936
1937         * dfg/DFGSafeToExecute.h:
1938         (JSC::DFG::safeToExecute):
1939
1940 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1941
1942         [DFG] Add NormalizeMapKey DFG IR
1943         https://bugs.webkit.org/show_bug.cgi?id=179912
1944
1945         Reviewed by Saam Barati.
1946
1947         This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
1948         By separating this from MapHash and Map/Set related operations, we can perform CSE onto that, and we
1949         do not need to call normalizeMapKey conservatively in DFG operations.
1950         This can reduce the slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
1951
1952         * dfg/DFGAbstractInterpreterInlines.h:
1953         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1954         * dfg/DFGByteCodeParser.cpp:
1955         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1956         * dfg/DFGClobberize.h:
1957         (JSC::DFG::clobberize):
1958         * dfg/DFGDoesGC.cpp:
1959         (JSC::DFG::doesGC):
1960         * dfg/DFGFixupPhase.cpp:
1961         (JSC::DFG::FixupPhase::fixupNode):
1962         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
1963         * dfg/DFGNodeType.h:
1964         * dfg/DFGOperations.cpp:
1965         * dfg/DFGPredictionPropagationPhase.cpp:
1966         * dfg/DFGSafeToExecute.h:
1967         (JSC::DFG::safeToExecute):
1968         * dfg/DFGSpeculativeJIT.cpp:
1969         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1970         * dfg/DFGSpeculativeJIT.h:
1971         * dfg/DFGSpeculativeJIT32_64.cpp:
1972         (JSC::DFG::SpeculativeJIT::compile):
1973         * dfg/DFGSpeculativeJIT64.cpp:
1974         (JSC::DFG::SpeculativeJIT::compile):
1975         * ftl/FTLCapabilities.cpp:
1976         (JSC::FTL::canCompile):
1977         * ftl/FTLLowerDFGToB3.cpp:
1978         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1979         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1980         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
1981         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1982         * runtime/HashMapImpl.h:
1983
1984 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1985
1986         [FTL] Support DeleteById and DeleteByVal
1987         https://bugs.webkit.org/show_bug.cgi?id=180022
1988
1989         Reviewed by Saam Barati.
1990
1991         We should increase the coverage of FTL. Even if the code includes DeleteById,
1992         it does not mean that the remaining part of the code should not be optimized in FTL.
1993         Right now, even CallEval and `with` scope are handled in FTL.
1994
1995         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
1996         code including them.
1997
1998         * ftl/FTLCapabilities.cpp:
1999         (JSC::FTL::canCompile):
2000         * ftl/FTLLowerDFGToB3.cpp:
2001         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2002         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
2003         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
2004
2005 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2006
2007         [DFG] Introduce {Set,Map,WeakMap}Fields
2008         https://bugs.webkit.org/show_bug.cgi?id=179925
2009
2010         Reviewed by Saam Barati.
2011
2012         SetAdd and MapSet use `write(MiscFields)`, but that is not correct. It accidentally
2013         writes the read-only MiscFields, which is used by various nodes, and makes optimization
2014         conservative.
2015
2016         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
2017
2018         * dfg/DFGAbstractHeap.h:
2019         * dfg/DFGByteCodeParser.cpp:
2020         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2021         * dfg/DFGClobberize.h:
2022         (JSC::DFG::clobberize):
2023         * dfg/DFGHeapLocation.cpp:
2024         (WTF::printInternal):
2025         * dfg/DFGHeapLocation.h:
2026         * dfg/DFGNode.h:
2027         (JSC::DFG::Node::hasBucketOwnerType):
2028
2029 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2030
2031         [JSC] Remove JSStringBuilder
2032         https://bugs.webkit.org/show_bug.cgi?id=180016
2033
2034         Reviewed by Saam Barati.
2035
2036         JSStringBuilder is replaced with WTF::StringBuilder.
2037         This patch removes the remaining uses and drops JSStringBuilder.
2038
2039         * JavaScriptCore.xcodeproj/project.pbxproj:
2040         * runtime/ArrayPrototype.cpp:
2041         * runtime/AsyncFunctionPrototype.cpp:
2042         * runtime/AsyncGeneratorFunctionPrototype.cpp:
2043         * runtime/ErrorPrototype.cpp:
2044         * runtime/FunctionPrototype.cpp:
2045         * runtime/GeneratorFunctionPrototype.cpp:
2046         * runtime/JSGlobalObjectFunctions.cpp:
2047         (JSC::decode):
2048         (JSC::globalFuncEscape):
2049         * runtime/JSStringBuilder.h: Removed.
2050         * runtime/JSStringInlines.h:
2051         (JSC::jsMakeNontrivialString):
2052         * runtime/RegExpPrototype.cpp:
2053         * runtime/StringPrototype.cpp:
2054
2055 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2056
2057         [DFG] Remove GetLocalUnlinked
2058         https://bugs.webkit.org/show_bug.cgi?id=180017
2059
2060         Reviewed by Saam Barati.
2061
2062         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
2063         This patch just removes it.
2064
2065         * dfg/DFGAbstractInterpreterInlines.h:
2066         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2067         * dfg/DFGClobberize.h:
2068         (JSC::DFG::clobberize):
2069         * dfg/DFGCommon.h:
2070         * dfg/DFGDoesGC.cpp:
2071         (JSC::DFG::doesGC):
2072         * dfg/DFGFixupPhase.cpp:
2073         (JSC::DFG::FixupPhase::fixupNode):
2074         * dfg/DFGGraph.cpp:
2075         (JSC::DFG::Graph::dump):
2076         * dfg/DFGNode.h:
2077         (JSC::DFG::Node::hasUnlinkedLocal):
2078         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
2079         (JSC::DFG::Node::convertToGetLocal): Deleted.
2080         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
2081         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
2082         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
2083         * dfg/DFGNodeType.h:
2084         * dfg/DFGPredictionPropagationPhase.cpp:
2085         * dfg/DFGSafeToExecute.h:
2086         (JSC::DFG::safeToExecute):
2087         * dfg/DFGSpeculativeJIT32_64.cpp:
2088         (JSC::DFG::SpeculativeJIT::compile):
2089         * dfg/DFGSpeculativeJIT64.cpp:
2090         (JSC::DFG::SpeculativeJIT::compile):
2091         * dfg/DFGStackLayoutPhase.cpp:
2092         (JSC::DFG::StackLayoutPhase::run):
2093         * dfg/DFGValidate.cpp:
2094
2095 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2096
2097         Make ArgList::data() private again when we can remove callWasmFunction().
2098         https://bugs.webkit.org/show_bug.cgi?id=168582
2099
2100         Reviewed by JF Bastien.
2101
2102         Make ArgList::data() private since we already removed callWasmFunction.
2103
2104         * runtime/ArgList.h:
2105
2106 2016-08-05  Darin Adler  <darin@apple.com>
2107
2108         Fix some minor problems in the StringImpl header
2109         https://bugs.webkit.org/show_bug.cgi?id=160630
2110
2111         Reviewed by Brent Fulgham.
2112
2113         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
2114         Yarr namespacing since we use "using namespace" in this file.
2115
2116 2017-11-24  Mark Lam  <mark.lam@apple.com>
2117
2118         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
2119         https://bugs.webkit.org/show_bug.cgi?id=179936
2120         <rdar://problem/35623998>
2121
2122         Reviewed by Saam Barati.
2123
2124         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
2125         See https://bugs.webkit.org/show_bug.cgi?id=179684.
2126
2127         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
2128         was allocating stack space to stash arguments (to be forwarded) and new frame
2129         info.  The location of this new stash space happens to lie beyond the top of frame
2130         of the tail call caller frame.  After stashing the arguments, the code proceeded
2131         to load the callee codeBlock.  This triggered an allocation, which in turn,
2132         triggered stack sanitization.  The CLoop stack sanitizer was relying on
2133         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
2134         that turned out to be inadequate.  As a result, part of the stashed data was
2135         zeroed out, and subsequently led to a crash.
2136
2137         This bug does not affect JIT builds (i.e. the ASM LLInt) for 2 reasons:
2138         1. JIT builds do stack sanitization in the LLInt code itself (different from the
2139            CLoop implementation), and the sanitizer there is aware of the true top of
2140            stack value (i.e. the stack pointer).
2141         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
2142            parallel stack is one condition necessary for reproducing this issue.
2143
2144         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
2145         every time before it calls out to native C++ code.  This also brings the CLoop's
2146         behavior closer to hardware behavior where we can know where the stack pointer
2147         is after calling from JS back into native C++ code, which makes it easier to
2148         reason about correctness.       
2149
2150         Also simplified the various stack boundary calculations (removed the +1 and -1
2151         adjustments).  The CLoopStack bounds are now:
2152
2153             reservationTop(): the lowest reserved address that can be within stack bounds.
2154             m_commitTop: the lowest address within stack bounds that has been committed.
2155             lowAddress() aka m_end: the lowest stack address that JS code can use.
2156             m_lastStackPointer: cache of the last m_currentStackPointer value.
2157             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
2158             highAddress(): the highest address just beyond the bounds of the stack.
2159
2160         Also deleted some unneeded code.
2161
2162         * interpreter/CLoopStack.cpp:
2163         (JSC::CLoopStack::CLoopStack):
2164         (JSC::CLoopStack::gatherConservativeRoots):
2165         (JSC::CLoopStack::sanitizeStack):
2166         (JSC::CLoopStack::setSoftReservedZoneSize):
2167         * interpreter/CLoopStack.h:
2168         (JSC::CLoopStack::setCurrentStackPointer):
2169         (JSC::CLoopStack::lowAddress const):
2170
2171         (JSC::CLoopStack::baseOfStack const): Deleted.
2172         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
2173           Now, it has the exact same value as highAddress() and can be removed.
2174
2175         * interpreter/CLoopStackInlines.h:
2176         (JSC::CLoopStack::ensureCapacityFor):
2177         (JSC::CLoopStack::currentStackPointer):
2178         (JSC::CLoopStack::setCLoopStackLimit):
2179
2180         (JSC::CLoopStack::topOfFrameFor): Deleted.
2181         - Not needed.
2182
2183         (JSC::CLoopStack::topOfStack): Deleted.
2184         - Supplanted by currentStackPointer().
2185
2186         (JSC::CLoopStack::shrink): Deleted.
2187         - This is unused.
2188
2189         * llint/LowLevelInterpreter.cpp:
2190         (JSC::CLoop::execute):
2191         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
2192           upon exiting the interpreter loop.
2193
2194         * offlineasm/cloop.rb:
2195         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
2196           call from JS into C++ code.
2197
2198         * tools/VMInspector.h:
2199         - Added some default argument values. These were being used while debugging this
2200           issue.
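
The sequence this entry describes, as an added illustration that is not JavaScriptCore code: a small model of a downward-growing parallel stack in which the caller stashes the arguments it is forwarding beyond its own top of frame and then calls into native C++, which sanitizes the stack. Run with the old boundary (topOfFrame) the stash is zeroed; run with the stack pointer recorded before the call it survives, while the unused region below it is still scrubbed. The names ModelStack, runTailCallForwardScenario, Boundary and the slot counts are hypothetical and chosen for the example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical model (not JSC code) of a CLoop-style parallel JS stack that
// grows downward: slots[0] is lowAddress(), kStackSlots is highAddress().
constexpr size_t kStackSlots = 64;

struct ModelStack {
    uint64_t slots[kStackSlots];
    size_t topOfFrame;           // top of the current frame: what the old sanitizer trusted
    size_t currentStackPointer;  // stack pointer recorded before calling into C++: the fix

    ModelStack() : topOfFrame(kStackSlots), currentStackPointer(kStackSlots) {
        for (uint64_t& s : slots)
            s = 0xDEADBEEFu; // stale data that a sanitizer exists to scrub
    }

    // Zero the unused part of the stack, i.e. every slot below `boundary`.
    void sanitize(size_t boundary) { std::memset(slots, 0, boundary * sizeof(uint64_t)); }
};

enum class Boundary { TopOfFrame, StackPointer };

struct Outcome {
    bool stashIntact;   // forwarded arguments survived sanitization
    bool unusedZeroed;  // everything below the true stack pointer was scrubbed
};

// Replays the failing sequence: the caller frame stashes the arguments it is
// about to forward beyond its own top of frame, then calls into C++ to load the
// callee code block; that call allocates and so triggers stack sanitization.
Outcome runTailCallForwardScenario(Boundary mode) {
    ModelStack stack;
    const size_t frameSlots = 8;
    stack.topOfFrame = kStackSlots - frameSlots;
    for (size_t i = stack.topOfFrame; i < kStackSlots; ++i)
        stack.slots[i] = 0x1111; // live caller frame contents

    const uint64_t forwarded[3] = { 0xA1, 0xB2, 0xC3 };
    const size_t sp = stack.topOfFrame - 3; // stash lies beyond (below) the caller's top of frame
    for (size_t i = 0; i < 3; ++i)
        stack.slots[sp + i] = forwarded[i];

    // Boundary point before native C++ runs: the fix records the real stack pointer here.
    stack.currentStackPointer = sp;
    const size_t boundary = (mode == Boundary::TopOfFrame) ? stack.topOfFrame
                                                           : stack.currentStackPointer;
    stack.sanitize(boundary);

    Outcome out { true, true };
    for (size_t i = 0; i < 3; ++i)
        if (stack.slots[sp + i] != forwarded[i]) out.stashIntact = false;
    for (size_t i = 0; i < sp; ++i)
        if (stack.slots[i] != 0) out.unusedZeroed = false;
    return out;
}

int main() {
    Outcome old = runTailCallForwardScenario(Boundary::TopOfFrame);
    Outcome fixed = runTailCallForwardScenario(Boundary::StackPointer);
    assert(!old.stashIntact);                        // the bug: the stash is zeroed
    assert(fixed.stashIntact && fixed.unusedZeroed); // the fix: stash kept, rest scrubbed
    return 0;
}
```

The model keeps the invariant the fix relies on: C++ code that runs after the boundary point may treat only memory below currentStackPointer as unused, so the value has to be recorded before the call rather than derived afterwards from frame metadata such as topOfFrame.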
2201
2202 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2203
2204         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
2205         https://bugs.webkit.org/show_bug.cgi?id=179923
2206
2207         Reviewed by Darin Adler.
2208
2209         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
2210         So we can use it as a marker of a deleted bucket.
2211
2212         This patch uses the empty key as the deleted flag, and drops the m_deleted field of HashMapBucket.
2213         This shrinks the size of HashMapBucket considerably.
2214
2215         * dfg/DFGSpeculativeJIT.cpp:
2216         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
2217         * ftl/FTLAbstractHeapRepository.h:
2218         * ftl/FTLLowerDFGToB3.cpp:
2219         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
2220         * runtime/HashMapImpl.h:
2221         (JSC::HashMapBucket::createSentinel):
2222         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
2223         While the sentinel's deleted flag becomes false since its key is set, that is not a problem since the deleted
2224         flag of the sentinel bucket is not used.
2225
2226         (JSC::HashMapBucket::HashMapBucket):
2227         (JSC::HashMapBucket::deleted const):
2228         (JSC::HashMapBucket::makeDeleted):
2229         (JSC::HashMapImpl::remove):
2230         (JSC::HashMapImpl::clear):
2231         (JSC::HashMapImpl::setUpHeadAndTail):
2232         (JSC::HashMapImpl::addNormalizedInternal):
2233         (JSC::HashMapBucket::setDeleted): Deleted.
2234         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
2235         (): Deleted.
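
An added example of the bucket-layout idea in this entry, written for illustration and not taken from JSC's HashMapImpl: an open-addressed map whose public API refuses one reserved key value, so that a bucket carrying that key is by definition deleted and no separate deleted flag is needed. The class name SentinelTombstoneMap, the reserved value kEmptyKey and the fixed-capacity table are assumptions of the example.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <stdexcept>
#include <vector>

// Added illustration, not JSC's HashMapImpl: a bucket holds a key and a value
// and nothing else. There is no deleted flag; a bucket whose key equals the
// reserved kEmptyKey is the deleted ("tombstone") state.
struct Bucket {
    int64_t key;
    int64_t value;
};

class SentinelTombstoneMap {
public:
    // Hypothetical reserved key. set() rejects it and find() never returns it,
    // which is what makes it safe to reuse as the deleted marker.
    static constexpr int64_t kEmptyKey = INT64_MIN;

    explicit SentinelTombstoneMap(size_t capacity) : m_table(capacity, nullptr) {}

    // Returns true if a new entry was added, false if an existing key was updated.
    bool set(int64_t key, int64_t value) {
        if (key == kEmptyKey)
            throw std::invalid_argument("kEmptyKey is reserved as the deleted marker");
        const size_t n = m_table.size();
        size_t firstTombstone = n; // n means "no tombstone seen on this probe chain"
        size_t idx = slot(key);
        for (size_t i = 0; i < n; ++i, idx = (idx + 1) % n) {
            Bucket* b = m_table[idx];
            if (!b)
                break; // never-used slot: the probe chain ends here
            if (b->key == key) {
                b->value = value;
                return false;
            }
            if (b->key == kEmptyKey && firstTombstone == n)
                firstTombstone = idx; // remember a deleted bucket we can recycle
        }
        Bucket* target;
        if (firstTombstone != n)
            target = m_table[firstTombstone];
        else if (!m_table[idx]) {
            m_storage.push_back(std::make_unique<Bucket>());
            target = m_table[idx] = m_storage.back().get();
        } else
            throw std::length_error("table is full");
        target->key = key;
        target->value = value;
        ++m_size;
        return true;
    }

    // A tombstone's key is kEmptyKey, which no caller can ask for, so probing
    // walks past deleted buckets until the chain ends at a null slot.
    const Bucket* find(int64_t key) const {
        if (key == kEmptyKey)
            return nullptr;
        const size_t n = m_table.size();
        size_t idx = slot(key);
        for (size_t i = 0; i < n; ++i, idx = (idx + 1) % n) {
            const Bucket* b = m_table[idx];
            if (!b)
                return nullptr;
            if (b->key == key)
                return b;
        }
        return nullptr;
    }

    // Deleting is a single store of the reserved key; the bucket stays in the
    // table so later probes still pass through it.
    bool remove(int64_t key) {
        Bucket* b = const_cast<Bucket*>(find(key));
        if (!b)
            return false;
        b->key = kEmptyKey;
        b->value = 0;
        --m_size;
        return true;
    }

    size_t size() const { return m_size; }

    size_t tombstones() const {
        size_t count = 0;
        for (const Bucket* b : m_table)
            if (b && b->key == kEmptyKey)
                ++count;
        return count;
    }

private:
    size_t slot(int64_t key) const { return std::hash<int64_t>{}(key) % m_table.size(); }

    std::vector<Bucket*> m_table;                   // nullptr = never used
    std::vector<std::unique_ptr<Bucket>> m_storage; // owns the buckets
    size_t m_size = 0;
};

int main() {
    SentinelTombstoneMap m(8);
    m.set(1, 10);
    m.set(2, 20);
    m.remove(1);
    assert(!m.find(1) && m.find(2)->value == 20 && m.tombstones() == 1);
    return 0;
}
```

The property that makes this safe is the one the entry states for JSMap / JSSet: the reserved key must be unreachable from the public API (set() throws on it and find() returns nothing for it), and a tombstone must never match a real lookup, which find() guarantees by comparing keys only.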
2236
2237 2017-11-24  Mark Lam  <mark.lam@apple.com>
2238
2239         Move unsafe jsc shell test functions to the $vm object.
2240         https://bugs.webkit.org/show_bug.cgi?id=179980
2241
2242         Reviewed by Yusuke Suzuki.
2243
2244         Also removed setElementRoot() which was not used.
2245
2246         * jsc.cpp:
2247         (GlobalObject::finishCreation):
2248         (WTF::Element::Element): Deleted.
2249         (WTF::Element::root const): Deleted.
2250         (WTF::Element::setRoot): Deleted.
2251         (WTF::Element::create): Deleted.
2252         (WTF::Element::visitChildren): Deleted.
2253         (WTF::Element::createStructure): Deleted.
2254         (WTF::Root::Root): Deleted.
2255         (WTF::Root::element): Deleted.
2256         (WTF::Root::setElement): Deleted.
2257         (WTF::Root::create): Deleted.
2258         (WTF::Root::createStructure): Deleted.
2259         (WTF::Root::visitChildren): Deleted.
2260         (WTF::ImpureGetter::ImpureGetter): Deleted.
2261         (WTF::ImpureGetter::createStructure): Deleted.
2262         (WTF::ImpureGetter::create): Deleted.
2263         (WTF::ImpureGetter::finishCreation): Deleted.
2264         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
2265         (WTF::ImpureGetter::visitChildren): Deleted.
2266         (WTF::ImpureGetter::setDelegate): Deleted.
2267         (WTF::CustomGetter::CustomGetter): Deleted.
2268         (WTF::CustomGetter::createStructure): Deleted.
2269         (WTF::CustomGetter::create): Deleted.
2270         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
2271         (WTF::CustomGetter::customGetter): Deleted.
2272         (WTF::CustomGetter::customGetterAcessor): Deleted.
2273         (WTF::RuntimeArray::create): Deleted.
2274         (WTF::RuntimeArray::~RuntimeArray): Deleted.
2275         (WTF::RuntimeArray::destroy): Deleted.
2276         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
2277         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
2278         (WTF::RuntimeArray::put): Deleted.
2279         (WTF::RuntimeArray::deleteProperty): Deleted.
2280         (WTF::RuntimeArray::getLength const): Deleted.
2281         (WTF::RuntimeArray::createPrototype): Deleted.
2282         (WTF::RuntimeArray::createStructure): Deleted.
2283         (WTF::RuntimeArray::finishCreation): Deleted.
2284         (WTF::RuntimeArray::RuntimeArray): Deleted.
2285         (WTF::RuntimeArray::lengthGetter): Deleted.
2286         (WTF::SimpleObject::SimpleObject): Deleted.
2287         (WTF::SimpleObject::create): Deleted.
2288         (WTF::SimpleObject::visitChildren): Deleted.
2289         (WTF::SimpleObject::createStructure): Deleted.
2290         (WTF::SimpleObject::hiddenValue): Deleted.
2291         (WTF::SimpleObject::setHiddenValue): Deleted.
2292         (WTF::DOMJITNode::DOMJITNode): Deleted.
2293         (WTF::DOMJITNode::createStructure): Deleted.
2294         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
2295         (WTF::DOMJITNode::create): Deleted.
2296         (WTF::DOMJITNode::value const): Deleted.
2297         (WTF::DOMJITNode::offsetOfValue): Deleted.
2298         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
2299         (WTF::DOMJITGetter::createStructure): Deleted.
2300         (WTF::DOMJITGetter::create): Deleted.
2301         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
2302         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
2303         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
2304         (WTF::DOMJITGetter::customGetter): Deleted.
2305         (WTF::DOMJITGetter::finishCreation): Deleted.
2306         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
2307         (WTF::DOMJITGetterComplex::createStructure): Deleted.
2308         (WTF::DOMJITGetterComplex::create): Deleted.
2309         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
2310         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
2311         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
2312         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
2313         (WTF::DOMJITGetterComplex::customGetter): Deleted.
2314         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
2315         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
2316         (WTF::DOMJITFunctionObject::createStructure): Deleted.
2317         (WTF::DOMJITFunctionObject::create): Deleted.
2318         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
2319         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
2320         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
2321         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
2322         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
2323         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
2324         (WTF::DOMJITCheckSubClassObject::create): Deleted.
2325         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
2326         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
2327         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
2328         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
2329         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
2330         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
2331         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
2332         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
2333         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
2334         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
2335         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
2336         (WTF::Element::handleOwner): Deleted.
2337         (WTF::Element::finishCreation): Deleted.
2338         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
2339         (JSTestCustomGetterSetter::create): Deleted.
2340         (JSTestCustomGetterSetter::createStructure): Deleted.
2341         (customGetAccessor): Deleted.
2342         (customGetValue): Deleted.
2343         (customSetAccessor): Deleted.
2344         (customSetValue): Deleted.
2345         (JSTestCustomGetterSetter::finishCreation): Deleted.
2346         (GlobalObject::addConstructableFunction): Deleted.
2347         (functionCreateRoot): Deleted.
2348         (functionCreateElement): Deleted.
2349         (functionGetElement): Deleted.
2350         (functionSetElementRoot): Deleted.
2351         (functionCreateSimpleObject): Deleted.
2352         (functionGetHiddenValue): Deleted.
2353         (functionSetHiddenValue): Deleted.
2354         (functionCreateProxy): Deleted.
2355         (functionCreateRuntimeArray): Deleted.
2356         (functionCreateImpureGetter): Deleted.
2357         (functionCreateCustomGetterObject): Deleted.
2358         (functionCreateDOMJITNodeObject): Deleted.
2359         (functionCreateDOMJITGetterObject): Deleted.
2360         (functionCreateDOMJITGetterComplexObject): Deleted.
2361         (functionCreateDOMJITFunctionObject): Deleted.
2362         (functionCreateDOMJITCheckSubClassObject): Deleted.
2363         (functionCreateDOMJITGetterBaseJSObject): Deleted.
2364         (functionSetImpureGetterDelegate): Deleted.
2365         (functionGetGetterSetter): Deleted.
2366         (functionShadowChickenFunctionsOnStack): Deleted.
2367         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
2368         (functionGlobalObjectForObject): Deleted.
2369         (functionLoadGetterFromGetterSetter): Deleted.
2370         (functionCreateCustomTestGetterSetter): Deleted.
2371         (functionAbort): Deleted.
2372         (functionFindTypeForExpression): Deleted.
2373         (functionReturnTypeFor): Deleted.
2374         (functionDumpBasicBlockExecutionRanges): Deleted.
2375         (functionHasBasicBlockExecuted): Deleted.
2376         (functionBasicBlockExecutionCount): Deleted.
2377         (functionEnableExceptionFuzz): Deleted.
2378         (functionCreateBuiltin): Deleted.
2379         * runtime/JSGlobalObject.cpp:
2380         (JSC::JSGlobalObject::init):
2381         * tools/JSDollarVM.cpp:
2382         (WTF::Element::Element):
2383         (WTF::Element::root const):
2384         (WTF::Element::setRoot):
2385         (WTF::Element::create):
2386         (WTF::Element::visitChildren):
2387         (WTF::Element::createStructure):
2388         (WTF::Root::Root):
2389         (WTF::Root::element):
2390         (WTF::Root::setElement):
2391         (WTF::Root::create):
2392         (WTF::Root::createStructure):
2393         (WTF::Root::visitChildren):
2394         (WTF::SimpleObject::SimpleObject):
2395         (WTF::SimpleObject::create):
2396         (WTF::SimpleObject::visitChildren):
2397         (WTF::SimpleObject::createStructure):
2398         (WTF::SimpleObject::hiddenValue):
2399         (WTF::SimpleObject::setHiddenValue):
2400         (WTF::ImpureGetter::ImpureGetter):
2401         (WTF::ImpureGetter::createStructure):
2402         (WTF::ImpureGetter::create):
2403         (WTF::ImpureGetter::finishCreation):
2404         (WTF::ImpureGetter::getOwnPropertySlot):
2405         (WTF::ImpureGetter::visitChildren):
2406         (WTF::ImpureGetter::setDelegate):
2407         (WTF::CustomGetter::CustomGetter):
2408         (WTF::CustomGetter::createStructure):
2409         (WTF::CustomGetter::create):
2410         (WTF::CustomGetter::getOwnPropertySlot):
2411         (WTF::CustomGetter::customGetter):
2412         (WTF::CustomGetter::customGetterAcessor):
2413         (WTF::RuntimeArray::create):
2414         (WTF::RuntimeArray::~RuntimeArray):
2415         (WTF::RuntimeArray::destroy):
2416         (WTF::RuntimeArray::getOwnPropertySlot):
2417         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
2418         (WTF::RuntimeArray::put):
2419         (WTF::RuntimeArray::deleteProperty):
2420         (WTF::RuntimeArray::getLength const):
2421         (WTF::RuntimeArray::createPrototype):
2422         (WTF::RuntimeArray::createStructure):
2423         (WTF::RuntimeArray::finishCreation):
2424         (WTF::RuntimeArray::RuntimeArray):
2425         (WTF::RuntimeArray::lengthGetter):
2426         (WTF::DOMJITNode::DOMJITNode):
2427         (WTF::DOMJITNode::createStructure):
2428         (WTF::DOMJITNode::checkSubClassSnippet):
2429         (WTF::DOMJITNode::create):
2430         (WTF::DOMJITNode::value const):
2431         (WTF::DOMJITNode::offsetOfValue):
2432         (WTF::DOMJITGetter::DOMJITGetter):
2433         (WTF::DOMJITGetter::createStructure):
2434         (WTF::DOMJITGetter::create):
2435         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2436         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2437         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2438         (WTF::DOMJITGetter::customGetter):
2439         (WTF::DOMJITGetter::finishCreation):
2440         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
2441         (WTF::DOMJITGetterComplex::createStructure):
2442         (WTF::DOMJITGetterComplex::create):
2443         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2444         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2445         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2446         (WTF::DOMJITGetterComplex::functionEnableException):
2447         (WTF::DOMJITGetterComplex::customGetter):
2448         (WTF::DOMJITGetterComplex::finishCreation):
2449         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
2450         (WTF::DOMJITFunctionObject::createStructure):
2451         (WTF::DOMJITFunctionObject::create):
2452         (WTF::DOMJITFunctionObject::safeFunction):
2453         (WTF::DOMJITFunctionObject::unsafeFunction):
2454         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2455         (WTF::DOMJITFunctionObject::finishCreation):
2456         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2457         (WTF::DOMJITCheckSubClassObject::createStructure):
2458         (WTF::DOMJITCheckSubClassObject::create):
2459         (WTF::DOMJITCheckSubClassObject::safeFunction):
2460         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2461         (WTF::DOMJITCheckSubClassObject::finishCreation):
2462         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2463         (WTF::DOMJITGetterBaseJSObject::createStructure):
2464         (WTF::DOMJITGetterBaseJSObject::create):
2465         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
2466         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2467         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2468         (WTF::DOMJITGetterBaseJSObject::customGetter):
2469         (WTF::DOMJITGetterBaseJSObject::finishCreation):
2470         (WTF::Message::releaseContents):
2471         (WTF::Message::index const):
2472         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2473         (WTF::JSTestCustomGetterSetter::create):
2474         (WTF::JSTestCustomGetterSetter::createStructure):
2475         (WTF::customGetAccessor):
2476         (WTF::customGetValue):
2477         (WTF::customSetAccessor):
2478         (WTF::customSetValue):
2479         (WTF::JSTestCustomGetterSetter::finishCreation):
2480         (WTF::Element::handleOwner):
2481         (WTF::Element::finishCreation):
2482         (JSC::functionCrash):
2483         (JSC::functionCreateProxy):
2484         (JSC::functionCreateRuntimeArray):
2485         (JSC::functionCreateImpureGetter):
2486         (JSC::functionCreateCustomGetterObject):
2487         (JSC::functionCreateDOMJITNodeObject):
2488         (JSC::functionCreateDOMJITGetterObject):
2489         (JSC::functionCreateDOMJITGetterComplexObject):
2490         (JSC::functionCreateDOMJITFunctionObject):
2491         (JSC::functionCreateDOMJITCheckSubClassObject):
2492         (JSC::functionCreateDOMJITGetterBaseJSObject):
2493         (JSC::functionSetImpureGetterDelegate):
2494         (JSC::functionCreateBuiltin):
2495         (JSC::functionCreateRoot):
2496         (JSC::functionCreateElement):
2497         (JSC::functionGetElement):
2498         (JSC::functionCreateSimpleObject):
2499         (JSC::functionGetHiddenValue):
2500         (JSC::functionSetHiddenValue):
2501         (JSC::functionShadowChickenFunctionsOnStack):
2502         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2503         (JSC::functionFindTypeForExpression):
2504         (JSC::functionReturnTypeFor):
2505         (JSC::functionDumpBasicBlockExecutionRanges):
2506         (JSC::functionHasBasicBlockExecuted):
2507         (JSC::functionBasicBlockExecutionCount):
2508         (JSC::functionEnableExceptionFuzz):
2509         (JSC::functionGlobalObjectForObject):
2510         (JSC::functionGetGetterSetter):
2511         (JSC::functionLoadGetterFromGetterSetter):
2512         (JSC::functionCreateCustomTestGetterSetter):
2513         (JSC::JSDollarVM::finishCreation):
2514         (JSC::JSDollarVM::addFunction):
2515         (JSC::JSDollarVM::addConstructibleFunction):
2516         * tools/JSDollarVM.h:
2517         (JSC::JSDollarVM::create):
2518
2519 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
2520
2521         Minor ArrayBufferView cleanup
2522         https://bugs.webkit.org/show_bug.cgi?id=179966
2523
2524         Reviewed by Darin Adler.
2525         
2526         Use void* for data pointers when we don't need to do offset math. Use const for
2527         source pointers.
2528         
2529         Prefer uint8_t* to char*.
2530         
2531         Add comments noting that the assertions should not be made release assertions
2532         as recommended by the style checker, since the point is to avoid the virtual byteLength()
2533         call in release.
2534
2535         * runtime/ArrayBufferView.h:
2536         (JSC::ArrayBufferView::setImpl):
2537         (JSC::ArrayBufferView::setRangeImpl):
2538         (JSC::ArrayBufferView::getRangeImpl):
2539         (JSC::ArrayBufferView::zeroRangeImpl):
2540
2541 2017-11-23  Darin Adler  <darin@apple.com>
2542
2543         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
2544         https://bugs.webkit.org/show_bug.cgi?id=179907
2545
2546         Reviewed by Sam Weinig.
2547
2548         * inspector/agents/InspectorDebuggerAgent.cpp:
2549         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
2550         defaults to that.
2551
2552         * runtime/StringPrototype.cpp:
2553         (JSC::stringIncludesImpl): Use String::find since there is no overload of
2554         String::contains that takes a start offset now that we removed the one that took a
2555         caseSensitive boolean. We can add one later if we like, but this should do for now.
2556
2557         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
2558         the StringImpl.h header because it is only used here.
2559
2560 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
2561
2562         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
2563         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
2564         
2565         Also name the argument to zeroRange() to 'count' since it's an item count.
2566
2567         * runtime/GenericTypedArrayView.h:
2568         (JSC::GenericTypedArrayView::zeroRange):
2569         (JSC::GenericTypedArrayView::getRange):
2570
2571 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
2572
2573         Allow for more efficient use of GenericTypedArrayView
2574         https://bugs.webkit.org/show_bug.cgi?id=179899
2575
2576         Reviewed by Sam Weinig.
2577         
2578         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
2579         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
2580         in a length.
2581
2582         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
2583         byteLength() calls.
2584         
2585         Renamed 'dataLength' to 'count' in setRange() to be clearer.
2586         
2587         Added setNative() for callers who don't need clamping of doubles.
2588
2589         * runtime/ArrayBufferView.h:
2590         (JSC::ArrayBufferView::setRangeImpl):
2591         (JSC::ArrayBufferView::getRangeImpl):
2592         * runtime/GenericTypedArrayView.h:
2593         (JSC::GenericTypedArrayView::setRange):
2594         (JSC::GenericTypedArrayView::setNative const):
2595         (JSC::GenericTypedArrayView::getRange):
2596         (JSC::GenericTypedArrayView::checkInboundData const):
2597         (JSC::GenericTypedArrayView::internalByteLength const):
2598
2599 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2600
2601         [DFG][FTL] Support MapSet / SetAdd intrinsics
2602         https://bugs.webkit.org/show_bug.cgi?id=179858
2603
2604         Reviewed by Saam Barati.
2605
2606         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
2607         By handling them as MapSet and SetAdd DFG nodes and decoupling
2608         MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
2609         remove duplicate MapHash calculation for the same key.
2610
2611         One story is *set-if-not-exists*.
2612
2613             if (!map.has(key))
2614                 map.set(key, value);
2615
2616         In the above code, both `has` and `set` require hash value for `key`.
2617         If we can change `set` to the series of DFG nodes:
2618
2619             1: MapHash(key)
2620             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
2621
2622         we can remove duplicate @1 produced by `has` operation.
2623
2624         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively:
2625
2626                                          baseline                  patched
2627
2628             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
2629             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
2630
2631         Microbenchmarks
2632
2633             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
2634
2635         * dfg/DFGAbstractInterpreterInlines.h:
2636         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2637         * dfg/DFGByteCodeParser.cpp:
2638         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2639         * dfg/DFGClobberize.h:
2640         (JSC::DFG::clobberize):
2641         * dfg/DFGDoesGC.cpp:
2642         (JSC::DFG::doesGC):
2643         * dfg/DFGFixupPhase.cpp:
2644         (JSC::DFG::FixupPhase::fixupNode):
2645         * dfg/DFGNodeType.h:
2646         * dfg/DFGOperations.cpp:
2647         * dfg/DFGOperations.h:
2648         * dfg/DFGPredictionPropagationPhase.cpp:
2649         * dfg/DFGSafeToExecute.h:
2650         (JSC::DFG::safeToExecute):
2651         * dfg/DFGSpeculativeJIT.cpp:
2652         (JSC::DFG::SpeculativeJIT::compileSetAdd):
2653         (JSC::DFG::SpeculativeJIT::compileMapSet):
2654         * dfg/DFGSpeculativeJIT.h:
2655         (JSC::DFG::SpeculativeJIT::callOperation):
2656         * dfg/DFGSpeculativeJIT32_64.cpp:
2657         (JSC::DFG::SpeculativeJIT::compile):
2658         * dfg/DFGSpeculativeJIT64.cpp:
2659         (JSC::DFG::SpeculativeJIT::compile):
2660         * ftl/FTLCapabilities.cpp:
2661         (JSC::FTL::canCompile):
2662         * ftl/FTLLowerDFGToB3.cpp:
2663         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2664         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2665         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2666         * jit/JITOperations.h:
2667         * runtime/HashMapImpl.h:
2668         (JSC::HashMapImpl::addNormalized):
2669         (JSC::HashMapImpl::addNormalizedInternal):
2670         * runtime/Intrinsic.cpp:
2671         (JSC::intrinsicName):
2672         * runtime/Intrinsic.h:
2673         * runtime/MapPrototype.cpp:
2674         (JSC::MapPrototype::finishCreation):
2675         * runtime/SetPrototype.cpp:
2676         (JSC::SetPrototype::finishCreation):
2677
2678 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2679
2680         [JSC] Allow poly proto for intrinsic getters
2681         https://bugs.webkit.org/show_bug.cgi?id=179550
2682
2683         Reviewed by Saam Barati.
2684
2685         This patch allows intrinsic getters to accept poly proto.
2686         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
2687         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
2688         code for poly proto case.
2689
2690         * bytecode/IntrinsicGetterAccessCase.cpp:
2691         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
2692         (JSC::IntrinsicGetterAccessCase::create):
2693         * bytecode/IntrinsicGetterAccessCase.h:
2694         * jit/IntrinsicEmitter.cpp:
2695         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
2696         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2697         * jit/Repatch.cpp:
2698         (JSC::tryCacheGetByID):
2699
2700 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
2701
2702         Detect __declspec within JSBase.h
2703         https://bugs.webkit.org/show_bug.cgi?id=179892
2704
2705         Reviewed by Darin Adler.
2706
2707         * API/JSBase.h:
2708
2709 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2710
2711         Remove unused TOUCH_ICON_LOADING feature flag
2712         https://bugs.webkit.org/show_bug.cgi?id=179873
2713
2714         Reviewed by Simon Fraser.
2715
2716         * Configurations/FeatureDefines.xcconfig:
2717
2718 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2719
2720         Add CPU(UNKNOWN) to cover all the unknown CPU types
2721         https://bugs.webkit.org/show_bug.cgi?id=179243
2722
2723         Reviewed by JF Bastien.
2724
2725         * CMakeLists.txt:
2726
2727 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2728
2729         Remove unused LEGACY_VENDOR_PREFIXES feature flag
2730         https://bugs.webkit.org/show_bug.cgi?id=179872
2731
2732         Reviewed by Darin Adler.
2733
2734         * Configurations/FeatureDefines.xcconfig:
2735
2736 2017-11-18  Tim Horton  <timothy_horton@apple.com>
2737
2738         Fix typos in closing ENABLE() comments
2739         https://bugs.webkit.org/show_bug.cgi?id=179869
2740
2741         Unreviewed.
2742
2743         * wasm/WasmMemory.h:
2744         * wasm/WasmMemoryMode.h:
2745
2746 2017-11-17  JF Bastien  <jfbastien@apple.com>
2747
2748         NFC update ClassInfo to C++14
2749         https://bugs.webkit.org/show_bug.cgi?id=179783
2750
2751         Reviewed by Mark Lam.
2752
2753         Forked from #179734, use `using` instead of `typedef`. It's easier
2754         to read.
2755
2756         * runtime/ClassInfo.h:
2757
2758 2017-11-17  JF Bastien  <jfbastien@apple.com>
2759
2760         WebAssembly JS API: throw when a promise can't be created
2761         https://bugs.webkit.org/show_bug.cgi?id=179826
2762         <rdar://problem/35455813>
2763
2764         Reviewed by Mark Lam.
2765
2766         Failure *in* a promise causes rejection, but failure to create a
2767         promise (because of stack overflow) isn't really spec'd (as are all
2768         stack things JS). This applies to WebAssembly.compile and
2769         WebAssembly.instantiate.
2770
2771         Dan's current proposal says:
2772
2773             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
2774
2775             Whenever a stack overflow occurs in WebAssembly code, the same
2776             class of exception is thrown as for a stack overflow in
2777             JavaScript. The particular exception here is
2778             implementation-defined in both cases.
2779
2780             Note: ECMAScript doesn’t specify any sort of behavior on stack
2781             overflow; implementations have been observed to throw RangeError,
2782             InternalError or Error. Any is valid here.
2783
2784         This is for general stack overflow within WebAssembly, not
2785         specifically for promise creation within JavaScript, but it seems
2786         like a stack overflow in promise creation should follow the same
2787         rule instead of, say, swallowing the overflow and returning
2788         undefined.
2789
2790         * wasm/js/WebAssemblyPrototype.cpp:
2791         (JSC::webAssemblyCompileFunc):
2792         (JSC::webAssemblyInstantiateFunc):
2793
2794 2017-11-16  Daniel Bates  <dabates@apple.com>
2795
2796         Add feature define for alternative presentation button element
2797         https://bugs.webkit.org/show_bug.cgi?id=179692
2798         Part of <rdar://problem/34917108>
2799
2800         Reviewed by Andy Estes.
2801
2802         Only enabled on Cocoa platforms by default.
2803
2804         * Configurations/FeatureDefines.xcconfig:
2805
2806 2017-11-16  Saam Barati  <sbarati@apple.com>
2807
2808         Fix a bug with cpuid in the FTL.
2809
2810         Rubber stamped by Mark Lam.
2811
2812         Before uploading the previous patch, I tried to condense the code. I
2813         accidentally removed a crucial line saying that CPUID clobbers various
2814         registers.
2815
2816         * ftl/FTLLowerDFGToB3.cpp:
2817         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2818
2819 2017-11-16  Saam Barati  <sbarati@apple.com>
2820
2821         Add some X86 intrinsics to $vm to help with some perf testing
2822         https://bugs.webkit.org/show_bug.cgi?id=179693
2823
2824         Reviewed by Mark Lam.
2825
2826         I've been doing some local perf testing of various ideas and have
2827         had these come in handy. I'm going to land them to dollarVM to prevent
2828         having to add them to my local build every time I do perf testing.
2829
2830         * assembler/MacroAssemblerX86Common.h:
2831         (JSC::MacroAssemblerX86Common::mfence):
2832         (JSC::MacroAssemblerX86Common::rdtsc):
2833         (JSC::MacroAssemblerX86Common::pause):
2834         (JSC::MacroAssemblerX86Common::cpuid):
2835         * assembler/X86Assembler.h:
2836         (JSC::X86Assembler::rdtsc):
2837         (JSC::X86Assembler::pause):
2838         (JSC::X86Assembler::cpuid):
2839         * dfg/DFGAbstractInterpreterInlines.h:
2840         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2841         * dfg/DFGByteCodeParser.cpp:
2842         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2843         * dfg/DFGClobberize.h:
2844         (JSC::DFG::clobberize):
2845         * dfg/DFGDoesGC.cpp:
2846         (JSC::DFG::doesGC):
2847         * dfg/DFGFixupPhase.cpp:
2848         (JSC::DFG::FixupPhase::fixupNode):
2849         * dfg/DFGGraph.cpp:
2850         (JSC::DFG::Graph::dump):
2851         * dfg/DFGNode.h:
2852         (JSC::DFG::Node::intrinsic):
2853         * dfg/DFGNodeType.h:
2854         * dfg/DFGPredictionPropagationPhase.cpp:
2855         * dfg/DFGSafeToExecute.h:
2856         (JSC::DFG::safeToExecute):
2857         * dfg/DFGSpeculativeJIT32_64.cpp:
2858         (JSC::DFG::SpeculativeJIT::compile):
2859         * dfg/DFGSpeculativeJIT64.cpp:
2860         (JSC::DFG::SpeculativeJIT::compile):
2861         * dfg/DFGValidate.cpp:
2862         * ftl/FTLCapabilities.cpp:
2863         (JSC::FTL::canCompile):
2864         * ftl/FTLLowerDFGToB3.cpp:
2865         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2866         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2867         * runtime/Intrinsic.cpp:
2868         (JSC::intrinsicName):
2869         * runtime/Intrinsic.h:
2870         * tools/JSDollarVM.cpp:
2871         (JSC::functionCpuMfence):
2872         (JSC::functionCpuRdtsc):
2873         (JSC::functionCpuCpuid):
2874         (JSC::functionCpuPause):
2875         (JSC::functionCpuClflush):
2876         (JSC::JSDollarVM::finishCreation):
2877
2878 2017-11-16  JF Bastien  <jfbastien@apple.com>
2879
2880         It should be easier to reify lazy property names
2881         https://bugs.webkit.org/show_bug.cgi?id=179734
2882         <rdar://problem/35492521>
2883
2884         Reviewed by Keith Miller.
2885
2886         We reify lazy property names in a few different ways, each
2887         specific to the JSCell implementation, in put() instead of having
2888         a special function to do reification. Let's make that simpler.
2889
2890         This patch makes it easier to reify property names in a uniform
2891         manner, and does so in JSFunction. As a follow up I'll use the
2892         same mechanics for:
2893
2894         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
2895         ErrorConstructor  stackTraceLimit
2896         ErrorInstance     line, column, sourceURL, stack
2897         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
2898         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
2899         JSArray           length
2900         RegExpObject      lastIndex
2901         StringObject      length
2902
2903         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
2904         * runtime/JSCell.cpp:
2905         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
2906         * runtime/JSCell.h:
2907         * runtime/JSFunction.cpp: `name` and `length` can be reified.
2908         (JSC::JSFunction::reifyPropertyNameIfNeeded):
2909         (JSC::JSFunction::put):
2910         (JSC::JSFunction::reifyLength):
2911         (JSC::JSFunction::reifyName):
2912         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2913         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2914         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2915         (JSC::JSFunction::reifyLazyNameIfNeeded):
2916         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2917         * runtime/JSFunction.h:
2918         (JSC::JSFunction::isLazy):
2919         (JSC::JSFunction::isReified):
2920         * runtime/JSObjectInlines.h:
2921         (JSC::JSObject::putDirectInternal): do the reification here.
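
        The observable contract that lazily reified function properties have to satisfy, as an added example that is not WebKit code and not part of this entry: whatever the engine does internally, `name` and `length` on a function must behave from script like ordinary own properties with the attributes the spec gives them (non-writable, non-enumerable, configurable). The checks below would flag a reification path that, say, left a stale value behind after a redefine or a delete. The helper names are this example's own.

```javascript
// Added example (not WebKit code): script-visible behaviour of the lazily
// reified `name` and `length` properties of an ordinary function.

// Reads the property descriptors for `name` and `length` without writing, so
// an engine may still serve them lazily at this point.
function describeLazyProps(fn) {
  const out = {};
  for (const key of ["name", "length"]) {
    const d = Object.getOwnPropertyDescriptor(fn, key);
    out[key] = {
      value: d.value,
      writable: d.writable,
      enumerable: d.enumerable,
      configurable: d.configurable,
    };
  }
  return out;
}

// Plain assignment hits a non-writable property: in strict code this throws a
// TypeError and must leave the value untouched.
function assignName(fn, newName) {
  "use strict";
  try {
    fn.name = newName;
    return { threw: false, name: fn.name };
  } catch (e) {
    return { threw: e instanceof TypeError, name: fn.name };
  }
}

// Object.defineProperty is allowed because the property is configurable; a
// lazy implementation has to materialize a real slot here so the new value
// is the one later reads observe.
function redefineName(fn, newName) {
  Object.defineProperty(fn, "name", { value: newName });
  return fn.name;
}

// delete removes the own property, so lookup must fall through to
// Function.prototype.name (the empty string) rather than a cached value.
function deleteName(fn) {
  const deleted = delete fn.name;
  return {
    deleted,
    ownAfter: Object.prototype.hasOwnProperty.call(fn, "name"),
    name: fn.name,
  };
}

// Runs the whole sequence on a constructed sample function and returns the
// observations; the expected values are the spec-mandated ones.
function demo() {
  function sample(a, b, c) { return a + b + c; }
  return {
    before: describeLazyProps(sample),
    assign: assignName(sample, "other"),
    redefine: redefineName(sample, "renamed"),
    del: deleteName(sample),
  };
}
```

        Running demo() should report name "sample" and length 3 up front, a TypeError on the strict-mode assignment with the name unchanged, "renamed" after defineProperty, and an empty string with no own property after delete.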
2922
2923 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2924
2925         Provide a runtime option for disabling the optimization of recursive tail calls
2926         https://bugs.webkit.org/show_bug.cgi?id=179765
2927
2928         Reviewed by Mark Lam.
2929
2930         * bytecode/PreciseJumpTargets.cpp:
2931         (JSC::getJumpTargetsForBytecodeOffset):
2932         * bytecompiler/BytecodeGenerator.cpp:
2933         (JSC::BytecodeGenerator::emitEnter):
2934         * dfg/DFGByteCodeParser.cpp:
2935         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2936         * runtime/Options.h:
2937
2938 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2939
2940         Fix null pointer dereference in bytecodeDumper
2941         https://bugs.webkit.org/show_bug.cgi?id=179764
2942
2943         Reviewed by Mark Lam.
2944
2945         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
2946
2947         * bytecode/BytecodeDumper.cpp:
2948         (JSC::BytecodeDumper<Block>::printCallOp):
2949
2950 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2951
2952         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2953         https://bugs.webkit.org/show_bug.cgi?id=179763
2954         <rdar://problem/35550513>
2955
2956         Reviewed by Keith Miller.
2957
2958         Fix null pointer dereference caused by an eliminated tdz_check.
2959
2960         The problem was when doing an OSR entry in DFG while |this| was null
2961         (because super() had not yet been called in the constructor of this
2962         subclass), it would be marked as non-null, and the tdz_check eliminated.
2963
2964         * dfg/DFGInPlaceAbstractState.cpp:
2965         (JSC::DFG::InPlaceAbstractState::initialize):
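
        A regression-style check for the bug class in this entry, as an added example that is not WebKit code and not part of the entry: in a derived-class constructor, `this` is in its temporal dead zone until super() returns, so reading it before then has exactly one correct outcome, a ReferenceError. The warm-up loop before the access is there so an optimizing tier may enter the function mid-execution (OSR entry) while `this` is still uninitialized, which is the situation the entry describes; a null dereference or a silently successful construction would both be failures. The helper names are this example's own.

```javascript
// Added example (not WebKit code): `this` must stay in its TDZ before super()
// even when the constructor is entered through an optimizing tier.
class Base {
  constructor() { this.initialized = true; }
}

// Builds a derived class whose constructor touches `this` before super().
// `iterations` controls how long the warm-up loop runs before the access.
function makeDerived(iterations) {
  return class Derived extends Base {
    constructor() {
      let acc = 0;
      for (let i = 0; i < iterations; i++)
        acc += i;                      // hot loop: OSR-entry candidate
      // Access before super(): `this` is in its TDZ here and must throw.
      acc += this.initialized ? 1 : 0;
      super();
      this.acc = acc;
    }
  };
}

// Returns the constructor name of the error thrown while constructing, or
// "none" if construction unexpectedly succeeded.
function probeThisTdz(iterations) {
  const Derived = makeDerived(iterations);
  try {
    new Derived();
    return "none";
  } catch (e) {
    return e.constructor.name;
  }
}

// Exercises the constructor repeatedly with growing loop lengths so the engine
// has a chance to tier it up; returns the distinct outcomes observed, which
// should be exactly ["ReferenceError"].
function runTdzRegression(rounds) {
  const results = new Set();
  for (let r = 0; r < rounds; r++)
    results.add(probeThisTdz(1000 * (r + 1)));
  return [...results];
}
```

        runTdzRegression(5) should return a single-element array containing "ReferenceError"; any other outcome, or a process crash, is the kind of result the oss-fuzz report above was about.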
2966
2967 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
2968
2969         Unreviewed, rolling out r224863.
2970
2971         Introduced LayoutTest crashes on iOS Simulator.
2972
2973         Reverted changeset:
2974
2975         "Move JSONValues to WTF and convert uses of InspectorValues.h
2976         to JSONValues.h"
2977         https://bugs.webkit.org/show_bug.cgi?id=173793
2978         https://trac.webkit.org/changeset/224863
2979
2980 2017-11-14  Mark Lam  <mark.lam@apple.com>
2981
2982         Gardening: CLoop build fix after r224862.
2983         https://bugs.webkit.org/show_bug.cgi?id=179699
2984
2985         Not reviewed.
2986
2987         * bytecode/CodeBlock.h:
2988         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2989
2990 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2991
2992         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
2993         https://bugs.webkit.org/show_bug.cgi?id=173793
2994
2995         Reviewed by Brian Burg.
2996
2997         Based on patch by Brian Burg.
2998
2999         * JavaScriptCore.xcodeproj/project.pbxproj:
3000         * Sources.txt:
3001         * bindings/ScriptValue.cpp:
3002         (Inspector::jsToInspectorValue):
3003         (Inspector::toInspectorValue):
3004         (Deprecated::ScriptValue::toInspectorValue const):
3005         * bindings/ScriptValue.h:
3006         * inspector/AsyncStackTrace.cpp:
3007         * inspector/ConsoleMessage.cpp:
3008         * inspector/ContentSearchUtilities.cpp:
3009         * inspector/InjectedScript.cpp:
3010         (Inspector::InjectedScript::getFunctionDetails):
3011         (Inspector::InjectedScript::functionDetails):
3012         (Inspector::InjectedScript::getPreview):
3013         (Inspector::InjectedScript::getProperties):
3014         (Inspector::InjectedScript::getDisplayableProperties):
3015         (Inspector::InjectedScript::getInternalProperties):
3016         (Inspector::InjectedScript::getCollectionEntries):
3017         (Inspector::InjectedScript::saveResult):
3018         (Inspector::InjectedScript::wrapCallFrames const):
3019         (Inspector::InjectedScript::wrapObject const):
3020         (Inspector::InjectedScript::wrapTable const):
3021         (Inspector::InjectedScript::previewValue const):
3022         (Inspector::InjectedScript::setExceptionValue):
3023         (Inspector::InjectedScript::clearExceptionValue):
3024         (Inspector::InjectedScript::inspectObject):
3025         (Inspector::InjectedScript::releaseObject):
3026         * inspector/InjectedScriptBase.cpp:
3027         (Inspector::InjectedScriptBase::makeCall):
3028         (Inspector::InjectedScriptBase::makeEvalCall):
3029         * inspector/InjectedScriptBase.h:
3030         * inspector/InjectedScriptManager.cpp:
3031         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3032         * inspector/InspectorBackendDispatcher.cpp:
3033         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
3034         (Inspector::BackendDispatcher::dispatch):
3035         (Inspector::BackendDispatcher::sendResponse):
3036         (Inspector::BackendDispatcher::sendPendingErrors):
3037         (Inspector::BackendDispatcher::getPropertyValue):
3038         (Inspector::castToInteger):
3039         (Inspector::castToNumber):
3040         (Inspector::BackendDispatcher::getInteger):
3041         (Inspector::BackendDispatcher::getDouble):
3042         (Inspector::BackendDispatcher::getString):
3043         (Inspector::BackendDispatcher::getBoolean):
3044         (Inspector::BackendDispatcher::getObject):
3045         (Inspector::BackendDispatcher::getArray):
3046         (Inspector::BackendDispatcher::getValue):
3047         * inspector/InspectorBackendDispatcher.h:
3048         * inspector/InspectorProtocolTypes.h:
3049         (Inspector::Protocol::Array::openAccessors):
3050         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
3051         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
3052         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
3053         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
3054         * inspector/ScriptCallFrame.cpp:
3055         * inspector/ScriptCallStack.cpp:
3056         * inspector/agents/InspectorAgent.cpp:
3057         (Inspector::InspectorAgent::inspect):
3058         * inspector/agents/InspectorAgent.h:
3059         * inspector/agents/InspectorDebuggerAgent.cpp:
3060         (Inspector::buildAssertPauseReason):
3061         (Inspector::buildCSPViolationPauseReason):
3062         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3063         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3064         (Inspector::buildObjectForBreakpointCookie):
3065         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3066         (Inspector::parseLocation):
3067         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3068         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3069         (Inspector::InspectorDebuggerAgent::continueToLocation):
3070         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3071         (Inspector::InspectorDebuggerAgent::didParseSource):
3072         (Inspector::InspectorDebuggerAgent::breakProgram):
3073         * inspector/agents/InspectorDebuggerAgent.h:
3074         * inspector/agents/InspectorRuntimeAgent.cpp:
3075         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3076         (Inspector::InspectorRuntimeAgent::saveResult):
3077         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3078         * inspector/agents/InspectorRuntimeAgent.h:
3079         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3080         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
3081         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3082         (CppBackendDispatcherImplementationGenerator.generate_output):
3083         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3084         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3085         (CppFrontendDispatcherHeaderGenerator.generate_output):
3086         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3087         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3088         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3089         (_generate_unchecked_setter_for_member):
3090         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3091         (CppProtocolTypesImplementationGenerator):
3092         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3093         (ObjCBackendDispatcherImplementationGenerator.generate_output):
3094         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3095         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3096         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
3097         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3098         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3099         * inspector/scripts/codegen/generate_objc_internal_header.py:
3100         (ObjCInternalHeaderGenerator.generate_output):
3101         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3102         (ObjCProtocolTypesImplementationGenerator.generate_output):
3103         * inspector/scripts/codegen/generator.py:
3104         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3105         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3106         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3107         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3108         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3109         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3110         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3111         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3112         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3113         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3114         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3115         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3116         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3117         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3118         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3119         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3120         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3121         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3122         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3123         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3124
3125 2017-11-14  Mark Lam  <mark.lam@apple.com>
3126
3127         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
3128         https://bugs.webkit.org/show_bug.cgi?id=179699
3129         <rdar://problem/35462346>
3130
3131         Reviewed by Michael Saboff.
3132
3133         * interpreter/Interpreter.cpp:
3134         (JSC::Interpreter::dumpRegisters):
3135         - Need to skip the callee saved registers
3136
3137 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
3138
3139         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
3140         https://bugs.webkit.org/show_bug.cgi?id=179563
3141
3142         Reviewed by Carlos Alberto Lopez Perez.
3143
3144         When run with BranchIfTruncateSuccessful,
3145         branchTruncateDoubleToInt32() should set the destination register
3146         before branching.
3147         This change also removes branchTruncateDoubleToUInt32() as it is
3148         deprecated (see r160205), merges branchOnTruncateResult() into
3149         branchTruncateDoubleToInt32() and adds test cases in testmasm.
3150
3151         * assembler/MacroAssemblerMIPS.h:
3152         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
3153         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
3154         Properly set dest before branching.
3155         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
3156         * assembler/testmasm.cpp:
3157         (JSC::testBranchTruncateDoubleToInt32):
3158         (JSC::run):
3159         Add tests for branchTruncateDoubleToInt32().
3160
3161 2017-11-14  Daniel Bates  <dabates@apple.com>
3162
3163         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
3164         for feature defines
3165
3166         Following r195498 and r201917 the Visual Studio property files for feature defines have
3167         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
3168         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
3169         files.
3170
3171         * Configurations/FeatureDefines.xcconfig:
3172
3173 2017-11-14  Mark Lam  <mark.lam@apple.com>
3174
3175         Remove JSDollarVMPrototype.
3176         https://bugs.webkit.org/show_bug.cgi?id=179685
3177
3178         Reviewed by Saam Barati.
3179
3180         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
3181
3182            This allows us to call these functions during lldb debugging sessions using
3183            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
3184            VMInspector provides VM debugging utility methods.  It doesn't make sense to
3185            have a JSDollarVMPrototype object provide these methods.
3186
3187            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
3188
3189         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
3190
3191            JSDollarVM is a special object used only for debugging purposes.  There's no
3192            gain in requiring its methods to be stored in a prototype object other than to
3193            conform to typical JS convention.  We can remove this complexity.
3194
3195         * JavaScriptCore.xcodeproj/project.pbxproj:
3196         * Sources.txt:
3197         * runtime/JSGlobalObject.cpp:
3198         (JSC::JSGlobalObject::init):
3199         * tools/JSDollarVM.cpp:
3200         (JSC::JSDollarVM::addFunction):
3201         (JSC::functionCrash):
3202         (JSC::functionDFGTrue):
3203         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
3204         (JSC::CallerFrameJITTypeFunctor::operator() const):
3205         (JSC::CallerFrameJITTypeFunctor::jitType):
3206         (JSC::functionLLintTrue):
3207         (JSC::functionJITTrue):
3208         (JSC::functionGC):
3209         (JSC::functionEdenGC):
3210         (JSC::functionCodeBlockForFrame):
3211         (JSC::codeBlockFromArg):
3212         (JSC::functionCodeBlockFor):
3213         (JSC::functionPrintSourceFor):
3214         (JSC::functionPrintBytecodeFor):
3215         (JSC::functionPrint):
3216         (JSC::functionPrintCallFrame):
3217         (JSC::functionPrintStack):
3218         (JSC::functionValue):
3219         (JSC::functionGetPID):
3220         (JSC::JSDollarVM::finishCreation):
3221         * tools/JSDollarVM.h:
3222         (JSC::JSDollarVM::create):
3223         * tools/JSDollarVMPrototype.cpp: Removed.
3224         * tools/JSDollarVMPrototype.h: Removed.
3225         * tools/VMInspector.cpp:
3226         (JSC::VMInspector::currentThreadOwnsJSLock):
3227         (JSC::ensureCurrentThreadOwnsJSLock):
3228         (JSC::VMInspector::gc):
3229         (JSC::VMInspector::edenGC):
3230         (JSC::VMInspector::isInHeap):
3231         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
3232         (JSC::CellAddressCheckFunctor::operator() const):
3233         (JSC::VMInspector::isValidCell):
3234         (JSC::VMInspector::isValidCodeBlock):
3235         (JSC::VMInspector::codeBlockForFrame):
3236         (JSC::PrintFrameFunctor::PrintFrameFunctor):
3237         (JSC::PrintFrameFunctor::operator() const):
3238         (JSC::VMInspector::printCallFrame):
3239         (JSC::VMInspector::printStack):
3240         (JSC::VMInspector::printValue):
3241         * tools/VMInspector.h:
3242
3243 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
3244
3245         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
3246         https://bugs.webkit.org/show_bug.cgi?id=179640
3247         <rdar://problem/35517361>
3248
3249         Reviewed by Devin Rousso.
3250
3251         * CMakeLists.txt:
3252         * DerivedSources.make:
3253         Gate the ServiceWorker domain on the ENABLE feature flag.
3254
3255         * inspector/protocol/ServiceWorker.json: Added.
3256         New domain to be made available inside of a ServiceWorker target.
3257
3258 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3259
3260         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3261         https://bugs.webkit.org/show_bug.cgi?id=179594
3262
3263         Reviewed by Saam Barati.
3264
3265         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
3266         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
3267         `arguments[i]` accesses if i is in bounds, and (2) encourage arguments elimination phase
3268         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
3269         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
3270
3271         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
3272         accept this type, and emit optimized code compared to Array::Generic case.
3273
3274         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) an OutOfBounds
3275         exit instead of ExoticObjectMode.
3276
3277         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
3278         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
3279
3280             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
3281
3282         * dfg/DFGArgumentsEliminationPhase.cpp:
3283         * dfg/DFGArrayMode.cpp:
3284         (JSC::DFG::ArrayMode::refine const):
3285         * dfg/DFGClobberize.h:
3286         (JSC::DFG::clobberize):
3287         * dfg/DFGSpeculativeJIT.cpp:
3288         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3289         * ftl/FTLLowerDFGToB3.cpp:
3290         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3291         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3292
3293 2017-11-14  Saam Barati  <sbarati@apple.com>
3294
3295         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3296         https://bugs.webkit.org/show_bug.cgi?id=179639
3297         <rdar://problem/35513018>
3298
3299         Reviewed by JF Bastien.
3300
3301         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
3302         walk the stack for ShadowChicken (and maybe other things). We weren't updating
3303         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
3304         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
3305         this bug by giving Wasm::Instance a lambda that is called when we need to store
3306         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
3307         Currently, JSWebAssemblyInstance passes in a lambda that stores to
3308         VM.topCallFrame.
3309
3310         * wasm/WasmB3IRGenerator.cpp:
3311         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3312         * wasm/WasmInstance.cpp:
3313         (JSC::Wasm::Instance::Instance):
3314         (JSC::Wasm::Instance::create):
3315         * wasm/WasmInstance.h:
3316         (JSC::Wasm::Instance::storeTopCallFrame):
3317         * wasm/js/JSWebAssemblyInstance.cpp:
3318         (JSC::JSWebAssemblyInstance::create):
3319         * wasm/js/JSWebAssemblyInstance.h:
3320         * wasm/js/WasmToJS.cpp:
3321         (JSC::Wasm::wasmToJSException):
3322         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3323         (JSC::constructJSWebAssemblyInstance):
3324         * wasm/js/WebAssemblyPrototype.cpp:
3325         (JSC::instantiate):
3326
3327 2017-11-13  Saam Barati  <sbarati@apple.com>
3328
3329         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
3330         https://bugs.webkit.org/show_bug.cgi?id=179203
3331
3332         Reviewed by Yusuke Suzuki.
3333
3334         This patch only removes the pointer caging for the described types in the title.
3335         These types still allocate out of the gigacage. This is just a cost vs. benefit
3336         tradeoff of performance vs. security.
3337
3338         * dfg/DFGSpeculativeJIT.cpp:
3339         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3340         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3341         * ftl/FTLLowerDFGToB3.cpp:
3342         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3343         * jit/JITPropertyAccess.cpp:
3344         (JSC::JIT::emitDirectArgumentsGetByVal):
3345         (JSC::JIT::emitScopedArgumentsGetByVal):
3346         * runtime/DirectArguments.h:
3347         (JSC::DirectArguments::storage):
3348         * runtime/HashMapImpl.cpp:
3349         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3350         * runtime/Hash