[DFG][FTL] Support MapSet / SetAdd intrinsics
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support MapSet / SetAdd intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=179858

        Reviewed by Saam Barati.

        Map.prototype.set and Set.prototype.add use the MapHash value anyway.
        By handling them as MapSet and SetAdd DFG nodes and decoupling the
        MapSet and SetAdd nodes from the MapHash DFG node, we have a chance to
        remove the duplicate MapHash calculation for the same key.

        One story is *set-if-not-exists*.

            if (!map.has(key))
                map.set(key, value);

        In the above code, both `has` and `set` require the hash value for `key`.
        If we can change `set` to the series of DFG nodes:

            1: MapHash(key)
            2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)

        we can remove the duplicate @1 produced by the `has` operation.

        This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively:

                                         baseline                  patched

            map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
            map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster

        Microbenchmarks

            map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

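The set-if-not-exists story in the entry above, as an added example that is not JavaScriptCore code: a toy local common-subexpression-elimination pass over a straight-line list of DFG-like nodes, showing why a MapSet node that takes the hash as an explicit operand lets the second MapHash of the same key be dropped, while an opaque runtime call hides it. The node record shape and the "Call" op are assumptions made for illustration; the MapHash, MapHas and MapSet names follow the ChangeLog entry.

```javascript
// Added example, not JavaScriptCore code. Node records { id, op, args } and
// the "Call" op are assumptions for illustration.

// Ops whose result is a pure function of their operands; only these are
// candidates for elimination. Effectful ops (MapSet, Call) never are.
const PURE_OPS = new Set(["MapHash"]);

// Lowering of `if (!map.has(key)) map.set(key, value);` once `set` is a
// MapSet node with an explicit hash operand. This is the taken path in
// order, so @1 dominates @3 as it would in the real control-flow graph.
function nodesAfterPatch() {
  return [
    { id: 1, op: "MapHash", args: ["key"] },
    { id: 2, op: "MapHas",  args: ["map", "key", "@1"] },
    { id: 3, op: "MapHash", args: ["key"] },                 // duplicate of @1
    { id: 4, op: "MapSet",  args: ["map", "key", "value", "@3"] },
  ];
}

// Same source when `set` is still an opaque runtime call: the hash it
// computes lives inside the callee, so no pass can match it against @1.
function nodesBeforePatch() {
  return [
    { id: 1, op: "MapHash", args: ["key"] },
    { id: 2, op: "MapHas",  args: ["map", "key", "@1"] },
    { id: 3, op: "Call",    args: ["Map.prototype.set", "map", "key", "value"] },
  ];
}

// Local CSE: walk the list, canonicalise each node's operands through the
// rename table, and drop a pure node whose (op, operands) key was already
// seen, redirecting later users to the earlier node.
function cse(nodes) {
  const available = new Map(); // "op(arg,...)" -> "@id" of the surviving node
  const renames = new Map();   // "@id" of an eliminated node -> surviving "@id"
  const out = [];
  for (const n of nodes) {
    const args = n.args.map((a) => (renames.has(a) ? renames.get(a) : a));
    if (PURE_OPS.has(n.op)) {
      const key = `${n.op}(${args.join(",")})`;
      const earlier = available.get(key);
      if (earlier !== undefined) {
        renames.set(`@${n.id}`, earlier); // reuse the earlier hash instead
        continue;
      }
      available.set(key, `@${n.id}`);
    }
    out.push({ id: n.id, op: n.op, args });
  }
  return out;
}

// Number of nodes of a given op that survive; the entry's point is that
// MapHash goes from 2 to 1 once MapSet exposes its hash operand.
function countOp(nodes, op) {
  return nodes.filter((n) => n.op === op).length;
}

const optimised = cse(nodesAfterPatch());
console.log("MapHash nodes:", countOp(nodesAfterPatch(), "MapHash"),
            "->", countOp(optimised, "MapHash"));
console.log(JSON.stringify(optimised));
console.log("opaque call, nothing removed:", cse(nodesBeforePatch()).length);
```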
2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Allow poly proto for intrinsic getters
        https://bugs.webkit.org/show_bug.cgi?id=179550

        Reviewed by Saam Barati.

        This patch allows intrinsic getters to accept poly proto.
        We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
        poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
        code for the poly proto case.

        * bytecode/IntrinsicGetterAccessCase.cpp:
        (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
        (JSC::IntrinsicGetterAccessCase::create):
        * bytecode/IntrinsicGetterAccessCase.h:
        * jit/IntrinsicEmitter.cpp:
        (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
        (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):

2017-11-20  Don Olmstead  <don.olmstead@sony.com>

        Detect __declspec within JSBase.h
        https://bugs.webkit.org/show_bug.cgi?id=179892

        Reviewed by Darin Adler.

        * API/JSBase.h:

2017-11-19  Tim Horton  <timothy_horton@apple.com>

        Remove unused TOUCH_ICON_LOADING feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179873

        Reviewed by Simon Fraser.

        * Configurations/FeatureDefines.xcconfig:

2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Add CPU(UNKNOWN) to cover all the unknown CPU types
        https://bugs.webkit.org/show_bug.cgi?id=179243

        Reviewed by JF Bastien.

        * CMakeLists.txt:

2017-11-19  Tim Horton  <timothy_horton@apple.com>

        Remove unused LEGACY_VENDOR_PREFIXES feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179872

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2017-11-18  Tim Horton  <timothy_horton@apple.com>

        Fix typos in closing ENABLE() comments
        https://bugs.webkit.org/show_bug.cgi?id=179869

        Unreviewed.

        * wasm/WasmMemory.h:
        * wasm/WasmMemoryMode.h:

2017-11-17  JF Bastien  <jfbastien@apple.com>

        NFC update ClassInfo to C++14
        https://bugs.webkit.org/show_bug.cgi?id=179783

        Reviewed by Mark Lam.

        Forked from #179734, use `using` instead of `typedef`. It's easier
        to read.

        * runtime/ClassInfo.h:

2017-11-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly JS API: throw when a promise can't be created
        https://bugs.webkit.org/show_bug.cgi?id=179826
        <rdar://problem/35455813>

        Reviewed by Mark Lam.

        Failure *in* a promise causes rejection, but failure to create a
        promise (because of stack overflow) isn't really spec'd (as with all
        stack things in JS). This applies to WebAssembly.compile and
        WebAssembly.instantiate.

        Dan's current proposal says:

            https://littledan.github.io/spec/document/js-api/index.html#stack-overflow

            Whenever a stack overflow occurs in WebAssembly code, the same
            class of exception is thrown as for a stack overflow in
            JavaScript. The particular exception here is
            implementation-defined in both cases.

            Note: ECMAScript doesn't specify any sort of behavior on stack
            overflow; implementations have been observed to throw RangeError,
            InternalError or Error. Any is valid here.

        This is for general stack overflow within WebAssembly, not
        specifically for promise creation within JavaScript, but it seems
        like a stack overflow in promise creation should follow the same
        rule instead of, say, swallowing the overflow and returning
        undefined.

        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::webAssemblyInstantiateFunc):

2017-11-16  Daniel Bates  <dabates@apple.com>

        Add feature define for alternative presentation button element
        https://bugs.webkit.org/show_bug.cgi?id=179692
        Part of <rdar://problem/34917108>

        Reviewed by Andy Estes.

        Only enabled on Cocoa platforms by default.

        * Configurations/FeatureDefines.xcconfig:

2017-11-16  Saam Barati  <sbarati@apple.com>

        Fix a bug with cpuid in the FTL.

        Rubber stamped by Mark Lam.

        Before uploading the previous patch, I tried to condense the code. I
        accidentally removed a crucial line saying that CPUID clobbers various
        registers.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):

2017-11-16  Saam Barati  <sbarati@apple.com>

        Add some X86 intrinsics to $vm to help with some perf testing
        https://bugs.webkit.org/show_bug.cgi?id=179693

        Reviewed by Mark Lam.

        I've been doing some local perf testing of various ideas and have
        had these come in handy. I'm going to land them in dollarVM to prevent
        having to add them to my local build every time I do perf testing.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::mfence):
        (JSC::MacroAssemblerX86Common::rdtsc):
        (JSC::MacroAssemblerX86Common::pause):
        (JSC::MacroAssemblerX86Common::cpuid):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::rdtsc):
        (JSC::X86Assembler::pause):
        (JSC::X86Assembler::cpuid):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::intrinsic):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::JSDollarVM::finishCreation):

2017-11-16  JF Bastien  <jfbastien@apple.com>

        It should be easier to reify lazy property names
        https://bugs.webkit.org/show_bug.cgi?id=179734
        <rdar://problem/35492521>

        Reviewed by Keith Miller.

        We reify lazy property names in a few different ways, each
        specific to the JSCell implementation, in put() instead of having
        a special function to do reification. Let's make that simpler.

        This patch makes it easier to reify property names in a uniform
        manner, and does so in JSFunction. As a follow up I'll use the
        same mechanics for:

        ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
        ErrorConstructor  stackTraceLimit
        ErrorInstance     line, column, sourceURL, stack
        GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
        GetterSetter      RELEASE_ASSERT_NOT_REACHED()
        JSArray           length
        RegExpObject      lastIndex
        StringObject      length

        * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp: `name` and `length` can be reified.
        (JSC::JSFunction::reifyPropertyNameIfNeeded):
        (JSC::JSFunction::put):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyNameIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSFunction.h:
        (JSC::JSFunction::isLazy):
        (JSC::JSFunction::isReified):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal): do the reification here.

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Provide a runtime option for disabling the optimization of recursive tail calls
        https://bugs.webkit.org/show_bug.cgi?id=179765

        Reviewed by Mark Lam.

        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        * runtime/Options.h:

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Fix null pointer dereference in bytecodeDumper
        https://bugs.webkit.org/show_bug.cgi?id=179764

        Reviewed by Mark Lam.

        The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
        https://bugs.webkit.org/show_bug.cgi?id=179763
        <rdar://problem/35550513>

        Reviewed by Keith Miller.

        Fix null pointer dereference caused by an eliminated tdz_check.

        The problem was when doing an OSR entry in DFG while |this| was null
        (because super() had not yet been called in the constructor of this
        subclass), it would be marked as non-null, and the tdz_check eliminated.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):

2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r224863.

        Introduced LayoutTest crashes on iOS Simulator.

        Reverted changeset:

        "Move JSONValues to WTF and convert uses of InspectorValues.h
        to JSONValues.h"
        https://bugs.webkit.org/show_bug.cgi?id=173793
        https://trac.webkit.org/changeset/224863

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix after r224862.
        https://bugs.webkit.org/show_bug.cgi?id=179699

        Not reviewed.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):

2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Brian Burg.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::castToInteger):
        (Inspector::castToNumber):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
        * inspector/ScriptCallFrame.cpp:
        * inspector/ScriptCallStack.cpp:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_unchecked_setter_for_member):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generator.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179699
        <rdar://problem/35462346>

        Reviewed by Michael Saboff.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        - Need to skip the callee-saved registers.

2017-11-14  Guillaume Emont  <guijemont@igalia.com>

        REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
        https://bugs.webkit.org/show_bug.cgi?id=179563

        Reviewed by Carlos Alberto Lopez Perez.

        When run with BranchIfTruncateSuccessful,
        branchTruncateDoubleToInt32() should set the destination register
        before branching.
        This change also removes branchTruncateDoubleToUInt32() as it is
        deprecated (see r160205), merges branchOnTruncateResult() into
        branchTruncateDoubleToInt32() and adds test cases in testmasm.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        Properly set dest before branching.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):
        (JSC::run):
        Add tests for branchTruncateDoubleToInt32().

2017-11-14  Daniel Bates  <dabates@apple.com>

        Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
        for feature defines

        Following r195498 and r201917 the Visual Studio property files for feature defines have
        moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
        Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
        files.

        * Configurations/FeatureDefines.xcconfig:

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Remove JSDollarVMPrototype.
        https://bugs.webkit.org/show_bug.cgi?id=179685

        Reviewed by Saam Barati.

        1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.

           This allows us to call these functions during lldb debugging sessions using
           VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
           VMInspector provides VM debugging utility methods.  It doesn't make sense to
           have a JSDollarVMPrototype object provide these methods.

           Plus, it's shorter to type VMInspector than JSDollarVMPrototype.

        2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.

           JSDollarVM is a special object used only for debugging purposes.  There's no
           gain in requiring its methods to be stored in a prototype object other than to
           conform to typical JS convention.  We can remove this complexity.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVM::addFunction):
        (JSC::functionCrash):
        (JSC::functionDFGTrue):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator() const):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionPrintSourceFor):
        (JSC::functionPrintBytecodeFor):
        (JSC::functionPrint):
        (JSC::functionPrintCallFrame):
        (JSC::functionPrintStack):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::JSDollarVM::finishCreation):
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::create):
        * tools/JSDollarVMPrototype.cpp: Removed.
        * tools/JSDollarVMPrototype.h: Removed.
        * tools/VMInspector.cpp:
        (JSC::VMInspector::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::VMInspector::gc):
        (JSC::VMInspector::edenGC):
        (JSC::VMInspector::isInHeap):
        (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
        (JSC::CellAddressCheckFunctor::operator() const):
        (JSC::VMInspector::isValidCell):
        (JSC::VMInspector::isValidCodeBlock):
        (JSC::VMInspector::codeBlockForFrame):
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator() const):
        (JSC::VMInspector::printCallFrame):
        (JSC::VMInspector::printStack):
        (JSC::VMInspector::printValue):
        * tools/VMInspector.h:

2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
        https://bugs.webkit.org/show_bug.cgi?id=179640
        <rdar://problem/35517361>

        Reviewed by Devin Rousso.

        * CMakeLists.txt:
        * DerivedSources.make:
        Gate the ServiceWorker domain on the ENABLE feature flag.

        * inspector/protocol/ServiceWorker.json: Added.
        New domain to be made available inside of a ServiceWorker target.

2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support Array::DirectArguments with OutOfBounds
        https://bugs.webkit.org/show_bug.cgi?id=179594

        Reviewed by Saam Barati.

        Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
        If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
        `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
        to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
        PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.

        This patch introduces the Array::DirectArguments+OutOfBounds array mode. GetByVal can
        accept this type, and emit optimized code compared to the Array::Generic case.

        We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) an OutOfBounds
        exit instead of ExoticObjectMode.

        This change significantly improves SixSpeed rest.es5 since it uses OOB access.
        Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.

            rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

2017-11-14  Saam Barati  <sbarati@apple.com>

        We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=179639
        <rdar://problem/35513018>

        Reviewed by JF Bastien.

        Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
        walk the stack for ShadowChicken (and maybe other things). We weren't updating
        topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
        use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
        this bug by giving Wasm::Instance a lambda that is called when we need to store
        the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
        Currently, JSWebAssemblyInstance passes in a lambda that stores to
        VM.topCallFrame.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::storeTopCallFrame):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyPrototype.cpp:
727         (JSC::instantiate):
728
729 2017-11-13  Saam Barati  <sbarati@apple.com>
730
731         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
732         https://bugs.webkit.org/show_bug.cgi?id=179203
733
734         Reviewed by Yusuke Suzuki.
735
736         This patch only removes the pointer caging for the described types in the title.
737         These types still allocate out of the gigacage. This is just a cost vs benefit
738         tradeoff of performance vs security.
739
740         * dfg/DFGSpeculativeJIT.cpp:
741         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
742         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
743         * ftl/FTLLowerDFGToB3.cpp:
744         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
745         * jit/JITPropertyAccess.cpp:
746         (JSC::JIT::emitDirectArgumentsGetByVal):
747         (JSC::JIT::emitScopedArgumentsGetByVal):
748         * runtime/DirectArguments.h:
749         (JSC::DirectArguments::storage):
750         * runtime/HashMapImpl.cpp:
751         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
752         * runtime/HashMapImpl.h:
753         * runtime/JSLexicalEnvironment.h:
754         (JSC::JSLexicalEnvironment::variables):
755         * runtime/ScopedArguments.h:
756         (JSC::ScopedArguments::overflowStorage const):
757
758 2017-11-08  Keith Miller  <keith_miller@apple.com>
759
760         Async iteration should only fetch the next method once and add feature flag
761         https://bugs.webkit.org/show_bug.cgi?id=179451
762
763         Reviewed by Geoffrey Garen.
764
765         Add feature flag for Async iteration. Also, change async iteration to match
766         the expected behavior of the proposal.
767
768         * Configurations/FeatureDefines.xcconfig:
769         * builtins/AsyncFromSyncIteratorPrototype.js:
770         (globalPrivate.createAsyncFromSyncIterator):
771         (globalPrivate.AsyncFromSyncIteratorConstructor):
772         * builtins/BuiltinNames.h:
773         * bytecompiler/BytecodeGenerator.cpp:
774         (JSC::BytecodeGenerator::emitGetAsyncIterator):
775         * runtime/Options.h:
776
777 2017-11-13  Mark Lam  <mark.lam@apple.com>
778
779         Add more overflow check book-keeping for MarkedArgumentBuffer.
780         https://bugs.webkit.org/show_bug.cgi?id=179634
781         <rdar://problem/35492517>
782
783         Reviewed by Saam Barati.
784
785         * runtime/ArgList.h:
786         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
787         * runtime/JSJob.cpp:
788         (JSC::JSJobMicrotask::run):
789         * runtime/ObjectConstructor.cpp:
790         (JSC::defineProperties):
791         * runtime/ReflectObject.cpp:
792         (JSC::reflectObjectConstruct):
793
794 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
795
796         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
797         https://bugs.webkit.org/show_bug.cgi?id=179542
798
799         Reviewed by Alex Christensen.
800
801         * assembler/MacroAssemblerARM.h:
802         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
803
804 2017-11-13  Mark Lam  <mark.lam@apple.com>
805
806         Make the jsc shell loadGetterFromGetterSetter() function more robust.
807         https://bugs.webkit.org/show_bug.cgi?id=179619
808         <rdar://problem/35492518>
809
810         Reviewed by Saam Barati.
811
812         * jsc.cpp:
813         (functionLoadGetterFromGetterSetter):
814
815 2017-11-12  Darin Adler  <darin@apple.com>
816
817         More is<> and downcast<>, less static_cast<>
818         https://bugs.webkit.org/show_bug.cgi?id=179600
819
820         Reviewed by Chris Dumez.
821
822         * runtime/JSString.h:
823         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
824         (JSC::jsSubstringOfResolved): Ditto.
825
826 2017-11-12  Mark Lam  <mark.lam@apple.com>
827
828         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
829         https://bugs.webkit.org/show_bug.cgi?id=179562
830         <rdar://problem/35467022>
831
832         Reviewed by Saam Barati.
833
834         * dfg/DFGFixupPhase.cpp:
835         (JSC::DFG::FixupPhase::fixupNode):
836         * dfg/DFGOperations.cpp:
837         * dfg/DFGSafeToExecute.h:
838         (JSC::DFG::SafeToExecuteEdge::operator()):
839         * dfg/DFGSpeculativeJIT.cpp:
840         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
841         (JSC::DFG::SpeculativeJIT::speculate):
842         * dfg/DFGSpeculativeJIT.h:
843         * dfg/DFGUseKind.cpp:
844         (WTF::printInternal):
845         * dfg/DFGUseKind.h:
846         (JSC::DFG::typeFilterFor):
847         * ftl/FTLCapabilities.cpp:
848         (JSC::FTL::canCompile):
849         * ftl/FTLLowerDFGToB3.cpp:
850         (JSC::FTL::DFG::LowerDFGToB3::speculate):
851         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
852
853 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
854
855         Web Inspector: Canvas tab: show detailed status during canvas recording
856         https://bugs.webkit.org/show_bug.cgi?id=178185
857         <rdar://problem/34939862>
858
859         Reviewed by Brian Burg.
860
861         * inspector/protocol/Canvas.json:
862         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
863         payloads since the last Canvas.recordingProgress event and the current buffer usage.
864
865         * inspector/protocol/Recording.json:
866         Remove the required `frames` parameter from the Recording protocol object, as they will be
867         sent in batches via the Canvas.recordingProgress event.
868
869 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
870
871         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
872         https://bugs.webkit.org/show_bug.cgi?id=179543
873
874         Reviewed by Antoine Quint.
875
876         * inspector/protocol/Network.json:
877         Use a better type for the status code.
878
879 2017-11-10  Robin Morisset  <rmorisset@apple.com>
880
881         The memory consumption of DFG::BasicBlock can be easily reduced a bit
882         https://bugs.webkit.org/show_bug.cgi?id=179528
883
884         Reviewed by Saam Barati.
885
886         A few changes here:
887         - Reordering some fields of DFG::BasicBlock to reduce padding
888         - Making the enum fields that are glorified booleans fit into a u8
889         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
890           This change works because we never increase the number of arguments after allocating an Operands object.
891           It lets us avoid one extra capacity field and one extra pointer field per Operands,
892           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
893           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
894           we have a chance to avoid an allocation.
895         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
896
897         * bytecode/Operands.h:
898         (JSC::Operands::Operands):
899         (JSC::Operands::numberOfArguments const):
900         (JSC::Operands::numberOfLocals const):
901         (JSC::Operands::argument):
902         (JSC::Operands::argument const):
903         (JSC::Operands::local):
904         (JSC::Operands::local const):
905         (JSC::Operands::ensureLocals):
906         (JSC::Operands::setLocal):
907         (JSC::Operands::getLocal):
908         (JSC::Operands::setArgumentFirstTime):
909         (JSC::Operands::setLocalFirstTime):
910         (JSC::Operands::operand):
911         (JSC::Operands::setOperand):
912         (JSC::Operands::size const):
913         (JSC::Operands::at const):
914         (JSC::Operands::at):
915         (JSC::Operands::isArgument const):
916         (JSC::Operands::isVariable const):
917         (JSC::Operands::virtualRegisterForIndex const):
918         (JSC::Operands::fill):
919         (JSC::Operands::operator== const):
920         (JSC::Operands::argumentForIndex const): Deleted.
921         (JSC::Operands::variableForIndex const): Deleted.
922         (JSC::Operands::indexForOperand const): Deleted.
923         * dfg/DFGBasicBlock.cpp:
924         (JSC::DFG::BasicBlock::BasicBlock):
925         * dfg/DFGBasicBlock.h:
926         * dfg/DFGBranchDirection.h:
927         * dfg/DFGStructureClobberState.h:
928
929 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
930
931         [JSC] Retry module fetching if previous request fails
932         https://bugs.webkit.org/show_bug.cgi?id=178168
933
934         Reviewed by Saam Barati.
935
936         According to the latest spec, the failed fetching operation can be retried if it is requested again.
937         For example,
938
939             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
940             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
941
942         When performing the first module fetch, the integrity check fails, and the load of this module fails.
943         But when loading the second module, we do not use the cached failure result from the first module load.
944         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
945         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
946
947         Interestingly, fetching result and instantiation result will be cached if they succeed. This is because we would
948         like to cache modules based on their URLs. As a result,
949
950             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
951             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
952
953         In the above case, the first loading succeeds. And the second loading also succeeds since the succeeded fetching and
954         instantiation are cached in the module pipeline.
955
956         This patch implements the above semantics. Previously, our module pipeline always cached the result. If the fetching
957         failed, all the subsequent fetching for the same URL failed even if we had different integrity values. We now retry fetching
958         if the previous one fails. As an overview of our change,
959
960         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
961            be unified. But if currently executing one fails, other attempts should retry fetching.
962
963         2. Instantiation should be cached if fetching succeeds.
964
965         3. Satisfying should be cached if it succeeds.
966
967         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
968
969         * builtins/ModuleLoaderPrototype.js:
970         (requestFetch):
971         (requestInstantiate):
972         (requestSatisfy):
973         (link):
974         (loadModule):
975         * runtime/JSGlobalObject.cpp:
976         (JSC::JSGlobalObject::init):
977
978 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
979
980         Web Inspector: support undo/redo of insertAdjacentHTML
981         https://bugs.webkit.org/show_bug.cgi?id=179283
982
983         Reviewed by Joseph Pecoraro.
984
985         * inspector/protocol/DOM.json:
986         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
987         on the given node.
988
989 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
990
991         Web Inspector: Make domain availability a list of types instead of a single type
992         https://bugs.webkit.org/show_bug.cgi?id=179457
993
994         Reviewed by Brian Burg.
995
996         * inspector/scripts/codegen/generate_js_backend_commands.py:
997         (JSBackendCommandsGenerator.generate_domain):
998         Update output of `InspectorBackend.activateDomain` to include the list.
999
1000         * inspector/scripts/codegen/models.py:
1001         (Protocol.parse_domain):
1002         Parse `availability` as a list and include a new supported value of "service-worker".
1003
1004         * inspector/protocol/ApplicationCache.json:
1005         * inspector/protocol/CSS.json:
1006         * inspector/protocol/Canvas.json:
1007         * inspector/protocol/DOM.json:
1008         * inspector/protocol/DOMDebugger.json:
1009         * inspector/protocol/DOMStorage.json:
1010         * inspector/protocol/Database.json:
1011         * inspector/protocol/IndexedDB.json:
1012         * inspector/protocol/LayerTree.json:
1013         * inspector/protocol/Memory.json:
1014         * inspector/protocol/Network.json:
1015         * inspector/protocol/Page.json:
1016         * inspector/protocol/Timeline.json:
1017         * inspector/protocol/Worker.json:
1018         Update `availability` to be a list.
1019
1020         * inspector/scripts/tests/generic/domain-availability.json:
1021         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1022         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
1023         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
1024         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
1025         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1026         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1027         Update tests to include a test for the type and an invalid value.
1028
1029 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1030
1031         [JSC][JIT] Clean up SlowPathCall stubs
1032         https://bugs.webkit.org/show_bug.cgi?id=179247
1033
1034         Reviewed by Saam Barati.
1035
1036         We have a bunch of duplicate functions that just call a slow path function.
1037         This patch cleans up the above duplication.
1038
1039         * jit/JIT.cpp:
1040         (JSC::JIT::emitSlowCaseCall):
1041         (JSC::JIT::privateCompileSlowCases):
1042         * jit/JIT.h:
1043         * jit/JITArithmetic.cpp:
1044         (JSC::JIT::emitSlow_op_unsigned): Deleted.
1045         (JSC::JIT::emitSlow_op_inc): Deleted.
1046         (JSC::JIT::emitSlow_op_dec): Deleted.
1047         (JSC::JIT::emitSlow_op_bitand): Deleted.
1048         (JSC::JIT::emitSlow_op_bitor): Deleted.
1049         (JSC::JIT::emitSlow_op_bitxor): Deleted.
1050         (JSC::JIT::emitSlow_op_lshift): Deleted.
1051         (JSC::JIT::emitSlow_op_rshift): Deleted.
1052         (JSC::JIT::emitSlow_op_urshift): Deleted.
1053         (JSC::JIT::emitSlow_op_div): Deleted.
1054         * jit/JITArithmetic32_64.cpp:
1055         (JSC::JIT::emitSlow_op_unsigned): Deleted.
1056         (JSC::JIT::emitSlow_op_inc): Deleted.
1057         (JSC::JIT::emitSlow_op_dec): Deleted.
1058         * jit/JITOpcodes.cpp:
1059         (JSC::JIT::emitSlow_op_create_this): Deleted.
1060         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1061         (JSC::JIT::emitSlow_op_to_this): Deleted.
1062         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1063         (JSC::JIT::emitSlow_op_not): Deleted.
1064         (JSC::JIT::emitSlow_op_stricteq): Deleted.
1065         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1066         (JSC::JIT::emitSlow_op_to_number): Deleted.
1067         (JSC::JIT::emitSlow_op_to_string): Deleted.
1068         (JSC::JIT::emitSlow_op_to_object): Deleted.
1069         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1070         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
1071         * jit/JITOpcodes32_64.cpp:
1072         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1073         (JSC::JIT::emitSlow_op_not): Deleted.
1074         (JSC::JIT::emitSlow_op_stricteq): Deleted.
1075         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1076         (JSC::JIT::emitSlow_op_to_number): Deleted.
1077         (JSC::JIT::emitSlow_op_to_string): Deleted.
1078         (JSC::JIT::emitSlow_op_to_object): Deleted.
1079         (JSC::JIT::emitSlow_op_create_this): Deleted.
1080         (JSC::JIT::emitSlow_op_to_this): Deleted.
1081         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1082         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1083         * jit/JITPropertyAccess.cpp:
1084         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1085         * jit/JITPropertyAccess32_64.cpp:
1086         (JSC::JIT::emit_op_resolve_scope):
1087         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1088         * jit/SlowPathCall.h:
1089         (JSC::JITSlowPathCall::JITSlowPathCall):
1090         * runtime/CommonSlowPaths.cpp:
1091         (JSC::SLOW_PATH_DECL):
1092         * runtime/CommonSlowPaths.h:
1093
1094 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
1095
1096         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
1097         https://bugs.webkit.org/show_bug.cgi?id=179446
1098
1099         Reviewed by Žan Doberšek.
1100
1101         The trunc.w.d mips instruction should give a 0x7fffffff result when
1102         the source value is Infinity, NaN, or rounds to an integer outside the
1103         range -2^31 to 2^31 - 1. This is what branchTruncateDoubleToInt32() and
1104         branchTruncateDoubleToUInt32() have been relying on. It turns out that
1105         this assumption is not true on some CPUs, including on the ci20 on
1106         which we run the testbot (we get 0x80000000 instead). We should use the
1107         invalid operation cause bit instead to check whether the source value
1108         could be properly truncated. This requires the addition of the cfc1
1109         instruction, as well as the special registers that can be used with it
1110         (control registers of CP1).
1111
1112         * assembler/MIPSAssembler.h:
1113         (JSC::MIPSAssembler::firstSPRegister):
1114         (JSC::MIPSAssembler::lastSPRegister):
1115         (JSC::MIPSAssembler::numberOfSPRegisters):
1116         (JSC::MIPSAssembler::sprName):
1117         Added control registers of CP1.
1118         (JSC::MIPSAssembler::cfc1):
1119         Added.
1120         * assembler/MacroAssemblerMIPS.h:
1121         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
1122         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
1123         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
1124         Use fcsr to check if the value could be properly truncated.
1125
1126 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
1127
1128         HTMLMediaElement should not use element fullscreen on iOS
1129         https://bugs.webkit.org/show_bug.cgi?id=179418
1130         rdar://problem/35409277
1131
1132         Reviewed by Eric Carlson.
1133
1134         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
1135
1136         * Configurations/FeatureDefines.xcconfig:
1137
1138 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1139
1140         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
1141         https://bugs.webkit.org/show_bug.cgi?id=179276
1142
1143         Reviewed by Andy Estes.
1144
1145         * inspector/InjectedScriptHost.h:
1146         * inspector/JSInjectedScriptHost.cpp:
1147         (Inspector::JSInjectedScriptHost::getInternalProperties):
1148         Call through to virtual implementation so that WebCore can provide custom
1149         internal properties for Web / DOM objects.
1150
1151 2017-11-08  Saam Barati  <sbarati@apple.com>
1152
1153         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1154         https://bugs.webkit.org/show_bug.cgi?id=177792
1155
1156         Reviewed by Yusuke Suzuki.
1157
1158         Before this patch, if a JSFunction's rare data initialized its allocation profile
1159         before its backing Executable's poly proto watchpoint was invalidated, that
1160         JSFunction would continue to allocate non-poly proto objects until its allocation
1161         profile was cleared (which essentially never happens in practice). This patch
1162         improves on this pathology. A JSFunction's rare data will now watch the poly
1163         proto watchpoint if it's still valid and clear its allocation profile when we
1164         detect that we should go poly proto.
1165
1166         * bytecode/ObjectAllocationProfile.h:
1167         * bytecode/ObjectAllocationProfileInlines.h:
1168         (JSC::ObjectAllocationProfile::initializeProfile):
1169         * runtime/FunctionRareData.cpp:
1170         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1171         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1172         * runtime/FunctionRareData.h:
1173         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
1174         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
1175         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
1176
1177 2017-11-08  Keith Miller  <keith_miller@apple.com>
1178
1179         Add super sampler begin and end bytecodes.
1180         https://bugs.webkit.org/show_bug.cgi?id=179376
1181
1182         Reviewed by Filip Pizlo.
1183
1184         This patch adds a way to measure a narrow range of bytecodes for
1185         performance. This is done using the same infrastructure as the
1186         super sampler. I also added a class that helps do the bytecode
1187         checking with RAII. One problem with the current way this is done
1188         is that we don't handle decrementing early exits, either from
1189         branches or exceptions. So, when using this API users need to
1190         ensure that there are no early exits or that those exits don't
1191         occur on the measured code.
1192
1193         * JavaScriptCore.xcodeproj/project.pbxproj:
1194         * bytecode/BytecodeDumper.cpp:
1195         (JSC::BytecodeDumper<Block>::dumpBytecode):
1196         * bytecode/BytecodeList.json:
1197         * bytecode/BytecodeUseDef.h:
1198         (JSC::computeUsesForBytecodeOffset):
1199         (JSC::computeDefsForBytecodeOffset):
1200         * bytecompiler/BytecodeGenerator.cpp:
1201         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
1202         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
1203         * bytecompiler/BytecodeGenerator.h:
1204         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
1205         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
1206         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
1207         * dfg/DFGAbstractInterpreterInlines.h:
1208         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1209         * dfg/DFGByteCodeParser.cpp:
1210         (JSC::DFG::ByteCodeParser::parseBlock):
1211         * dfg/DFGClobberize.h:
1212         (JSC::DFG::clobberize):
1213         * dfg/DFGClobbersExitState.cpp:
1214         (JSC::DFG::clobbersExitState):
1215         * dfg/DFGDoesGC.cpp:
1216         (JSC::DFG::doesGC):
1217         * dfg/DFGFixupPhase.cpp:
1218         (JSC::DFG::FixupPhase::fixupNode):
1219         * dfg/DFGMayExit.cpp:
1220         * dfg/DFGNodeType.h:
1221         * dfg/DFGPredictionPropagationPhase.cpp:
1222         * dfg/DFGSafeToExecute.h:
1223         (JSC::DFG::safeToExecute):
1224         * dfg/DFGSpeculativeJIT.cpp:
1225         * dfg/DFGSpeculativeJIT32_64.cpp:
1226         (JSC::DFG::SpeculativeJIT::compile):
1227         * dfg/DFGSpeculativeJIT64.cpp:
1228         (JSC::DFG::SpeculativeJIT::compile):
1229         * ftl/FTLCapabilities.cpp:
1230         (JSC::FTL::canCompile):
1231         * ftl/FTLLowerDFGToB3.cpp:
1232         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1233         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
1234         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
1235         * jit/JIT.cpp:
1236         (JSC::JIT::privateCompileMainPass):
1237         * jit/JIT.h:
1238         * jit/JITOpcodes.cpp:
1239         (JSC::JIT::emit_op_super_sampler_begin):
1240         (JSC::JIT::emit_op_super_sampler_end):
1241         * llint/LLIntSlowPaths.cpp:
1242         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1243         * llint/LLIntSlowPaths.h:
1244         * llint/LowLevelInterpreter.asm:
1245
1246 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1247
1248         Turn recursive tail calls into loops
1249         https://bugs.webkit.org/show_bug.cgi?id=176601
1250
1251         Reviewed by Saam Barati.
1252
1253         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1254
1255         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
1256         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
1257         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
1258         We do this part through modifying the computation of the jump targets.
1259         Importantly, we only do this splitting for functions that have tail calls.
1260         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
1261
1262         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
1263         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
1264
1265         * bytecode/CodeBlock.h:
1266         (JSC::CodeBlock::hasTailCalls const):
1267         * bytecode/PreciseJumpTargets.cpp:
1268         (JSC::getJumpTargetsForBytecodeOffset):
1269         (JSC::computePreciseJumpTargetsInternal):
1270         * bytecode/UnlinkedCodeBlock.cpp:
1271         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1272         * bytecode/UnlinkedCodeBlock.h:
1273         (JSC::UnlinkedCodeBlock::hasTailCalls const):
1274         (JSC::UnlinkedCodeBlock::setHasTailCalls):
1275         * bytecompiler/BytecodeGenerator.cpp:
1276         (JSC::BytecodeGenerator::emitEnter):
1277         (JSC::BytecodeGenerator::emitCallInTailPosition):
1278         * dfg/DFGByteCodeParser.cpp:
1279         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1280         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
1281         (JSC::DFG::ByteCodeParser::handleCall):
1282         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1283         (JSC::DFG::ByteCodeParser::parseBlock):
1284         (JSC::DFG::ByteCodeParser::parse):
1285
1286 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1287
1288         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
1289         https://bugs.webkit.org/show_bug.cgi?id=179407
1290
1291         Reviewed by Matt Baker.
1292
1293         * inspector/protocol/Page.json:
1294         Remove unused protocol type.
1295
1296 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
1297
1298         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
1299         https://bugs.webkit.org/show_bug.cgi?id=173619
1300
1301         Reviewed by Alex Christensen and Brian Burg.
1302
1303         Eventually all classes used for our JSON-RPC message passing should be outside
1304         of the Inspector namespace since the protocol is used outside of Inspector code.
1305         This will also allow us to unify the primitive JSON types with parametric types
1306         like Inspector::Protocol::Array<T> and other protocol-related types which don't
1307         need to be in the Inspector namespace.
1308
1309         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
1310         patches, other clients will move to use JSON::Value and friends. When all uses are
1311         changed, the actual implementation will be renamed. This patch just focuses on the typedef
1312         and making changes in generated protocol code.
1313
1314         Original patch by Brian Burg, rebased and updated by me.
1315
1316         * inspector/InspectorValues.cpp:
1317         * inspector/InspectorValues.h:
1318         * inspector/scripts/codegen/cpp_generator.py:
1319         (CppGenerator.cpp_protocol_type_for_type):
1320         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
1321         (CppGenerator.cpp_type_for_type_with_name):
1322         (CppGenerator.cpp_type_for_stack_in_parameter):
1323         * inspector/scripts/codegen/cpp_generator_templates.py:
1324         (void):
1325         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1326         (_generate_class_for_object_declaration):
1327         (_generate_forward_declarations_for_binding_traits):
1328         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1329         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
1330         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1331         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1332         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1333         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1334         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1335         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1336         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1337         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1338         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1339         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1340         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1341         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1342         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1343         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1344         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1345
1346 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
1347
1348         Get rid of unsightly hex numbers from unified build object files
1349         https://bugs.webkit.org/show_bug.cgi?id=179410
1350
1351         Reviewed by Saam Barati.
1352
1353         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
1354
1355 2017-11-07  Saam Barati  <sbarati@apple.com>
1356
1357         Only cage double butterfly accesses
1358         https://bugs.webkit.org/show_bug.cgi?id=179202
1359
1360         Reviewed by Mark Lam.
1361
1362         This patch removes caging from all butterfly accesses except double loads/stores.
1363         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
1364         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
1365         by caging. The other load/stores we are no longer caging to get back performance on
1366         various benchmarks.
1367
1368         * bytecode/AccessCase.cpp:
1369         (JSC::AccessCase::generateImpl):
1370         * bytecode/InlineAccess.cpp:
1371         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1372         (JSC::InlineAccess::generateSelfPropertyAccess):
1373         (JSC::InlineAccess::generateSelfPropertyReplace):
1374         (JSC::InlineAccess::generateArrayLength):
1375         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
1376         * dfg/DFGSpeculativeJIT.cpp:
1377         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1378         (JSC::DFG::SpeculativeJIT::compileSpread):
1379         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1380         * dfg/DFGSpeculativeJIT64.cpp:
1381         (JSC::DFG::SpeculativeJIT::compile):
1382         * ftl/FTLLowerDFGToB3.cpp:
1383         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1384         * jit/JITPropertyAccess.cpp:
1385         (JSC::JIT::emitContiguousLoad):
1386         (JSC::JIT::emitArrayStorageLoad):
1387         (JSC::JIT::emitGenericContiguousPutByVal):
1388         (JSC::JIT::emitArrayStoragePutByVal):
1389         (JSC::JIT::emit_op_get_from_scope):
1390         (JSC::JIT::emit_op_put_to_scope):
1391         * llint/LowLevelInterpreter64.asm:
1392         * runtime/AuxiliaryBarrier.h:
1393         (JSC::AuxiliaryBarrier::operator-> const):
1394         * runtime/Butterfly.h:
1395         (JSC::Butterfly::caged):
1396         (JSC::Butterfly::contiguousDouble):
1397         * runtime/JSArray.cpp:
1398         (JSC::JSArray::setLength):
1399         (JSC::JSArray::pop):
1400         (JSC::JSArray::shiftCountWithAnyIndexingType):
1401         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1402         (JSC::JSArray::fillArgList):
1403         (JSC::JSArray::copyToArguments):
1404         * runtime/JSArrayInlines.h:
1405         (JSC::JSArray::pushInline):
1406         * runtime/JSObject.cpp:
1407         (JSC::JSObject::heapSnapshot):
1408         (JSC::JSObject::createInitialIndexedStorage):
1409         (JSC::JSObject::createArrayStorage):
1410         (JSC::JSObject::convertUndecidedToInt32):
1411         (JSC::JSObject::ensureLengthSlow):
1412         (JSC::JSObject::reallocateAndShrinkButterfly):
1413         (JSC::JSObject::allocateMoreOutOfLineStorage):
1414         * runtime/JSObject.h:
1415         (JSC::JSObject::canGetIndexQuickly):
1416         (JSC::JSObject::getIndexQuickly):
1417         (JSC::JSObject::tryGetIndexQuickly const):
1418         (JSC::JSObject::canSetIndexQuickly):
1419         (JSC::JSObject::butterfly const):
1420         (JSC::JSObject::butterfly):
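
        The tradeoff described in this entry, as an added illustration that is not WebKit's code: a toy
        cage modelled on the idea behind Gigacage (region size is an assumption) plus a NaN-boxing-style
        tag encoding loosely modelled on 64-bit JSC (also an assumption). It shows why a double store
        through a corrupted butterfly pointer is the dangerous case (arbitrary bits at an arbitrary
        address), how re-basing the pointer into the cage confines that write, and why a tagged int32
        JSValue store cannot by itself produce a pointer-shaped word:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative cage, not JSC's Gigacage: a 1 MiB region (size is an
 * assumption) that every butterfly pointer is re-based into before a
 * double load/store, so a corrupted butterfly pointer cannot reach
 * memory outside the region. */
#define CAGE_SIZE ((uintptr_t)1 << 20)
#define CAGE_MASK (CAGE_SIZE - 1)

typedef struct { uint64_t slots[8]; } Butterfly;   /* toy indexed storage */
typedef struct { Butterfly *butterfly; } Object;   /* the corruptible pointer */

/* Cage backing store, plus slack so a butterfly re-based to the last
 * caged offset still fits inside the array. */
static uint64_t g_cage_words[CAGE_SIZE / 8 + sizeof(Butterfly) / 8];
static uint8_t *const g_cage = (uint8_t *)g_cage_words;

/* Memory outside the cage that an attacker would like to overwrite. */
static union { uint64_t words[2]; uint8_t bytes[16]; } g_outside;

/* Keep the pointer's offset within the cage and discard the rest. */
static inline Butterfly *caged(Butterfly *p)
{
    uintptr_t base = (uintptr_t)g_cage;
    return (Butterfly *)(base + (((uintptr_t)p - base) & CAGE_MASK));
}

static int in_cage(const void *p)
{
    const uint8_t *q = (const uint8_t *)p;
    return q >= g_cage && q < g_cage + CAGE_SIZE;
}

/* A double store writes the raw 64 bits the script chose, with no tag. */
static void store_double_uncaged(Object *o, size_t i, double d)
{
    memcpy(&o->butterfly->slots[i], &d, sizeof d);
}

static void store_double_caged(Object *o, size_t i, double d)
{
    memcpy(&caged(o->butterfly)->slots[i], &d, sizeof d);
}

/* An int32 JSValue store under a NaN-boxing-style encoding (assumption,
 * loosely modelled on 64-bit JSC): the top 16 bits are forced to ones, so
 * the stored word can never look like a raw user-space pointer. */
static uint64_t encode_int32_jsvalue(int32_t v)
{
    return 0xFFFF000000000000ull | (uint32_t)v;
}

static double double_with_bits(uint64_t bits)
{
    double d;
    memcpy(&d, &bits, sizeof d);
    return d;
}

/* Scenario: an earlier bug let the attacker point the butterfly outside the cage. */
static Object corrupted_object(void)
{
    Object o;
    o.butterfly = (Butterfly *)&g_outside;
    return o;
}

static const uint64_t ATTACKER_BITS = 0x4141414141414141ull;

/* Returns 1 when an uncaged double store lands on g_outside:
 * an arbitrary write of arbitrary bits. */
int uncaged_double_store_escapes(void)
{
    memcpy(g_outside.bytes, "SECRET", 7);
    Object o = corrupted_object();
    store_double_uncaged(&o, 0, double_with_bits(ATTACKER_BITS));
    return g_outside.words[0] == ATTACKER_BITS;
}

/* Returns 1 when the caged store leaves g_outside intact and the attacker's
 * bits end up inside the cage instead. */
int caged_double_store_is_confined(void)
{
    memcpy(g_outside.bytes, "SECRET", 7);
    memset(g_cage_words, 0, sizeof g_cage_words);
    Object o = corrupted_object();
    store_double_caged(&o, 0, double_with_bits(ATTACKER_BITS));
    Butterfly *where = caged(o.butterfly);
    return memcmp(g_outside.bytes, "SECRET", 7) == 0
        && in_cage(where)
        && where->slots[0] == ATTACKER_BITS;
}

/* Returns 1: a tagged int32 store cannot produce a pointer-shaped word. */
int int32_store_cannot_forge_pointer(void)
{
    return (encode_int32_jsvalue(0x41414141) >> 48) == 0xFFFF;
}

int main(void)
{
    printf("uncaged double store escapes cage: %d\n", uncaged_double_store_escapes());
    printf("caged double store confined:       %d\n", caged_double_store_is_confined());
    printf("int32 store cannot forge pointer:  %d\n", int32_store_cannot_forge_pointer());
    return 0;
}
```

        The caged store still lets a corrupted pointer write somewhere, but only inside the cage, which
        is what turns an arbitrary write into a bounded one; the uncaged JSValue paths are the ones
        this patch trades away for performance, on the argument that their stores are tag-constrained.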
1421
1422 2017-11-07  Mark Lam  <mark.lam@apple.com>
1423
1424         Introduce a default RegisterSet constructor so that we can use { } notation.
1425         https://bugs.webkit.org/show_bug.cgi?id=179389
1426
1427         Reviewed by Saam Barati.
1428
1429         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
1430         does not add any code documentation value.
1431
1432         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1433         * b3/air/AirCode.cpp:
1434         (JSC::B3::Air::Code::setRegsInPriorityOrder):
1435         * b3/air/AirPrintSpecial.cpp:
1436         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
1437         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
1438         * b3/air/testair.cpp:
1439         * bytecode/PolymorphicAccess.h:
1440         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
1441         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
1442         * dfg/DFGJITCode.cpp:
1443         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1444         * ftl/FTLJITCode.cpp:
1445         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1446         * jit/JITCode.cpp:
1447         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1448         * jit/RegisterSet.cpp:
1449         (JSC::RegisterSet::reservedHardwareRegisters):
1450         (JSC::RegisterSet::runtimeRegisters):
1451         (JSC::RegisterSet::macroScratchRegisters):
1452         * jit/RegisterSet.h:
1453         (JSC::RegisterSet::RegisterSet):
1454         * wasm/WasmB3IRGenerator.cpp:
1455         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1456
1457 2017-11-07  Mark Lam  <mark.lam@apple.com>
1458
1459         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1460         https://bugs.webkit.org/show_bug.cgi?id=179355
1461         <rdar://problem/35263053>
1462
1463         Reviewed by Saam Barati.
1464
1465         In the Transition case in AccessCase::generateImpl(), we were restoring registers
1466         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
1467         where we previously stashed the reallocated butterfly.  If the generated code is
1468         under heavy register pressure, scratchGPR could have been from the set of preserved
1469         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
1470         As a result, the restoration would trash the butterfly result we stored there.
1471         This patch fixes the issue by excluding the scratchGPR in the restoration.
1472
1473         * bytecode/AccessCase.cpp:
1474         (JSC::AccessCase::generateImpl):
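
        The failure mode this entry describes, as an added model that is not JSC's AccessCase or
        RegisterSet code (register count, numbering and the values used are assumptions): preserve the
        live set, make the call, stash the result in scratchGPR, then restore. When scratchGPR is itself
        part of the preserved set and is not excluded, the restore overwrites the new butterfly with the
        stale pre-call value; under lower register pressure the same sequence happens to work, which is
        why the bug hides:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of preserve/restore around the slow-path call in the Transition
 * case. Register count, numbering and values are assumptions. */
enum { NUM_GPRS = 8 };
typedef uint32_t RegisterSet;                 /* bit i set  <=>  GPR i is in the set */
#define REG(i) ((RegisterSet)1u << (i))

typedef struct {
    uint64_t gpr[NUM_GPRS];                   /* register file */
    uint64_t spill[NUM_GPRS];                 /* stack slots written by preserve */
} Machine;

static void preserve_live_registers_to_stack_for_call(Machine *m, RegisterSet live)
{
    for (int i = 0; i < NUM_GPRS; i++)
        if (live & REG(i))
            m->spill[i] = m->gpr[i];
}

/* `exclude` is the fix: a register holding the call's result must not be restored. */
static void restore_live_registers_from_stack_for_call(Machine *m, RegisterSet live, RegisterSet exclude)
{
    RegisterSet to_restore = live & ~exclude;
    for (int i = 0; i < NUM_GPRS; i++)
        if (to_restore & REG(i))
            m->gpr[i] = m->spill[i];
}

#define NEW_BUTTERFLY 0x2000u
#define CLOBBER_MARK  0xDEADu

/* The runtime call that reallocates the butterfly: clobbers every register
 * the way a C call would, then hands back the new butterfly. */
static uint64_t call_reallocate_butterfly(Machine *m)
{
    for (int i = 0; i < NUM_GPRS; i++)
        m->gpr[i] = CLOBBER_MARK;
    return NEW_BUTTERFLY;
}

/* Emulates the Transition case and returns what scratchGPR holds after the
 * restore, i.e. the butterfly pointer the following code will dereference. */
uint64_t butterfly_after_restore(int scratchGPR, RegisterSet live, int exclude_scratch)
{
    Machine m;
    memset(&m, 0, sizeof m);
    for (int i = 0; i < NUM_GPRS; i++)
        m.gpr[i] = 0x1000u + (uint64_t)i;     /* pre-call contents */

    preserve_live_registers_to_stack_for_call(&m, live);
    m.gpr[scratchGPR] = call_reallocate_butterfly(&m);   /* stash the result */
    restore_live_registers_from_stack_for_call(&m, live, exclude_scratch ? REG(scratchGPR) : 0);
    return m.gpr[scratchGPR];
}

int main(void)
{
    RegisterSet heavy_pressure = REG(3) | REG(5);   /* scratchGPR 3 is itself a preserved register */
    printf("no exclusion:   butterfly = 0x%llx (expected 0x2000)\n",
           (unsigned long long)butterfly_after_restore(3, heavy_pressure, 0));
    printf("with exclusion: butterfly = 0x%llx\n",
           (unsigned long long)butterfly_after_restore(3, heavy_pressure, 1));
    return 0;
}
```

        A trashed butterfly pointer here is not a benign wrong answer: the code that follows treats the
        restored stale value as the reallocated storage, so the check to keep in review is that every
        register written after the call is excluded from the restore set.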
1475
1476 2017-11-06  Robin Morisset  <rmorisset@apple.com>
1477
1478         CodeBlock::usesOpcode() is dead code
1479         https://bugs.webkit.org/show_bug.cgi?id=179316
1480
1481         Reviewed by Yusuke Suzuki.
1482
1483         Remove CodeBlock::usesOpcode which is dead code
1484
1485         * bytecode/CodeBlock.cpp:
1486         * bytecode/CodeBlock.h:
1487
1488 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1489
1490         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1491         https://bugs.webkit.org/show_bug.cgi?id=144458
1492
1493         Reviewed by Saam Barati.
1494
1495         Previously only JSFunction was handled by CallLinkInfo's caching mechanism. This means that
1496         InternalFunction calls are not cached and they always go to the slow path. This is not good because
1497
1498         1. We need to query getCallData/getConstructData every time in the slow path.
1499         2. CallLinkInfo tells nothing in the higher tier JITs.
1500
1501         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
1502         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
1503         InternalFunction. And we return this code pointer as the result of the setup call to use the CallLinkInfo mechanism.
1504
1505         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
1506         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
1507         case where DFGByteCodeParser figures out an InternalFunction constant, we could not attempt to emit DFG
1508         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
1509
1510         Attached microbenchmarks show performance improvement.
1511
1512                                                            baseline                  patched
1513
1514         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
1515         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
1516         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
1517         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
1518
1519         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
1520
1521         * API/JSCallbackFunction.cpp:
1522         (JSC::JSCallbackFunction::JSCallbackFunction):
1523         (JSC::JSCallbackFunction::getCallData): Deleted.
1524         * API/JSCallbackFunction.h:
1525         (JSC::JSCallbackFunction::createStructure):
1526         * API/ObjCCallbackFunction.h:
1527         (JSC::ObjCCallbackFunction::createStructure):
1528         * API/ObjCCallbackFunction.mm:
1529         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
1530         (JSC::ObjCCallbackFunction::getCallData): Deleted.
1531         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
1532         * bytecode/BytecodeDumper.cpp:
1533         (JSC::BytecodeDumper<Block>::printCallOp):
1534         * bytecode/BytecodeList.json:
1535         * bytecode/CallLinkInfo.cpp:
1536         (JSC::CallLinkInfo::setCallee):
1537         (JSC::CallLinkInfo::callee):
1538         (JSC::CallLinkInfo::setLastSeenCallee):
1539         (JSC::CallLinkInfo::lastSeenCallee):
1540         (JSC::CallLinkInfo::visitWeak):
1541         * bytecode/CallLinkInfo.h:
1542         * bytecode/CallLinkStatus.cpp:
1543         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1544         * bytecode/LLIntCallLinkInfo.h:
1545         * jit/JITOperations.cpp:
1546         * jit/JITThunks.cpp:
1547         (JSC::JITThunks::ctiInternalFunctionCall):
1548         (JSC::JITThunks::ctiInternalFunctionConstruct):
1549         * jit/JITThunks.h:
1550         * jit/Repatch.cpp:
1551         (JSC::linkFor):
1552         (JSC::linkPolymorphicCall):
1553         * jit/Repatch.h:
1554         * jit/ThunkGenerators.cpp:
1555         (JSC::virtualThunkFor):
1556         (JSC::nativeForGenerator):
1557         (JSC::nativeCallGenerator):
1558         (JSC::nativeTailCallGenerator):
1559         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1560         (JSC::nativeConstructGenerator):
1561         (JSC::internalFunctionCallGenerator):
1562         (JSC::internalFunctionConstructGenerator):
1563         * jit/ThunkGenerators.h:
1564         * llint/LLIntSlowPaths.cpp:
1565         (JSC::LLInt::setUpCall):
1566         * llint/LowLevelInterpreter.asm:
1567         * llint/LowLevelInterpreter32_64.asm:
1568         * llint/LowLevelInterpreter64.asm:
1569         * runtime/ArrayConstructor.cpp:
1570         (JSC::ArrayConstructor::ArrayConstructor):
1571         (JSC::ArrayConstructor::getConstructData): Deleted.
1572         (JSC::ArrayConstructor::getCallData): Deleted.
1573         * runtime/ArrayConstructor.h:
1574         (JSC::ArrayConstructor::createStructure):
1575         * runtime/AsyncFunctionConstructor.cpp:
1576         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
1577         (JSC::AsyncFunctionConstructor::finishCreation):
1578         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
1579         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
1580         * runtime/AsyncFunctionConstructor.h:
1581         (JSC::AsyncFunctionConstructor::createStructure):
1582         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1583         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
1584         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1585         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
1586         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
1587         * runtime/AsyncGeneratorFunctionConstructor.h:
1588         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
1589         * runtime/BooleanConstructor.cpp:
1590         (JSC::callBooleanConstructor):
1591         (JSC::BooleanConstructor::BooleanConstructor):
1592         (JSC::BooleanConstructor::finishCreation):
1593         (JSC::BooleanConstructor::getConstructData): Deleted.
1594         (JSC::BooleanConstructor::getCallData): Deleted.
1595         * runtime/BooleanConstructor.h:
1596         (JSC::BooleanConstructor::createStructure):
1597         * runtime/DateConstructor.cpp:
1598         (JSC::DateConstructor::DateConstructor):
1599         (JSC::DateConstructor::getConstructData): Deleted.
1600         (JSC::DateConstructor::getCallData): Deleted.
1601         * runtime/DateConstructor.h:
1602         (JSC::DateConstructor::createStructure):
1603         * runtime/Error.h:
1604         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
1605         (JSC::StrictModeTypeErrorFunction::createStructure):
1606         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
1607         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
1608         * runtime/ErrorConstructor.cpp:
1609         (JSC::ErrorConstructor::ErrorConstructor):
1610         (JSC::ErrorConstructor::getConstructData): Deleted.
1611         (JSC::ErrorConstructor::getCallData): Deleted.
1612         * runtime/ErrorConstructor.h:
1613         (JSC::ErrorConstructor::createStructure):
1614         * runtime/FunctionConstructor.cpp:
1615         (JSC::FunctionConstructor::FunctionConstructor):
1616         (JSC::FunctionConstructor::finishCreation):
1617         (JSC::FunctionConstructor::getConstructData): Deleted.
1618         (JSC::FunctionConstructor::getCallData): Deleted.
1619         * runtime/FunctionConstructor.h:
1620         (JSC::FunctionConstructor::createStructure):
1621         * runtime/FunctionPrototype.cpp:
1622         (JSC::callFunctionPrototype):
1623         (JSC::FunctionPrototype::FunctionPrototype):
1624         (JSC::FunctionPrototype::getCallData): Deleted.
1625         * runtime/FunctionPrototype.h:
1626         (JSC::FunctionPrototype::createStructure):
1627         * runtime/GeneratorFunctionConstructor.cpp:
1628         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
1629         (JSC::GeneratorFunctionConstructor::finishCreation):
1630         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
1631         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
1632         * runtime/GeneratorFunctionConstructor.h:
1633         (JSC::GeneratorFunctionConstructor::createStructure):
1634         * runtime/InternalFunction.cpp:
1635         (JSC::InternalFunction::InternalFunction):
1636         (JSC::InternalFunction::finishCreation):
1637         (JSC::InternalFunction::getCallData):
1638         (JSC::InternalFunction::getConstructData):
1639         * runtime/InternalFunction.h:
1640         (JSC::InternalFunction::createStructure):
1641         (JSC::InternalFunction::nativeFunctionFor):
1642         (JSC::InternalFunction::offsetOfNativeFunctionFor):
1643         * runtime/IntlCollatorConstructor.cpp:
1644         (JSC::IntlCollatorConstructor::createStructure):
1645         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
1646         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
1647         (JSC::IntlCollatorConstructor::getCallData): Deleted.
1648         * runtime/IntlCollatorConstructor.h:
1649         * runtime/IntlDateTimeFormatConstructor.cpp:
1650         (JSC::IntlDateTimeFormatConstructor::createStructure):
1651         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
1652         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
1653         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
1654         * runtime/IntlDateTimeFormatConstructor.h:
1655         * runtime/IntlNumberFormatConstructor.cpp:
1656         (JSC::IntlNumberFormatConstructor::createStructure):
1657         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
1658         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
1659         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
1660         * runtime/IntlNumberFormatConstructor.h:
1661         * runtime/JSArrayBufferConstructor.cpp:
1662         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1663         (JSC::JSArrayBufferConstructor::createStructure):
1664         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
1665         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
1666         * runtime/JSArrayBufferConstructor.h:
1667         * runtime/JSGenericTypedArrayViewConstructor.h:
1668         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1669         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
1670         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
1671         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
1672         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
1673         * runtime/JSInternalPromiseConstructor.cpp:
1674         (JSC::JSInternalPromiseConstructor::createStructure):
1675         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1676         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
1677         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
1678         * runtime/JSInternalPromiseConstructor.h:
1679         * runtime/JSPromiseConstructor.cpp:
1680         (JSC::JSPromiseConstructor::createStructure):
1681         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1682         (JSC::JSPromiseConstructor::getConstructData): Deleted.
1683         (JSC::JSPromiseConstructor::getCallData): Deleted.
1684         * runtime/JSPromiseConstructor.h:
1685         * runtime/JSType.h:
1686         * runtime/JSTypedArrayViewConstructor.cpp:
1687         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
1688         (JSC::JSTypedArrayViewConstructor::createStructure):
1689         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
1690         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
1691         * runtime/JSTypedArrayViewConstructor.h:
1692         * runtime/MapConstructor.cpp:
1693         (JSC::MapConstructor::MapConstructor):
1694         (JSC::MapConstructor::getConstructData): Deleted.
1695         (JSC::MapConstructor::getCallData): Deleted.
1696         * runtime/MapConstructor.h:
1697         (JSC::MapConstructor::createStructure):
1698         (JSC::MapConstructor::MapConstructor): Deleted.
1699         * runtime/NativeErrorConstructor.cpp:
1700         (JSC::NativeErrorConstructor::NativeErrorConstructor):
1701         (JSC::NativeErrorConstructor::getConstructData): Deleted.
1702         (JSC::NativeErrorConstructor::getCallData): Deleted.
1703         * runtime/NativeErrorConstructor.h:
1704         (JSC::NativeErrorConstructor::createStructure):
1705         * runtime/NullGetterFunction.cpp:
1706         (JSC::NullGetterFunction::NullGetterFunction):
1707         (JSC::NullGetterFunction::getCallData): Deleted.
1708         (JSC::NullGetterFunction::getConstructData): Deleted.
1709         * runtime/NullGetterFunction.h:
1710         (JSC::NullGetterFunction::createStructure):
1711         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
1712         * runtime/NullSetterFunction.cpp:
1713         (JSC::NullSetterFunction::NullSetterFunction):
1714         (JSC::NullSetterFunction::getCallData): Deleted.
1715         (JSC::NullSetterFunction::getConstructData): Deleted.
1716         * runtime/NullSetterFunction.h:
1717         (JSC::NullSetterFunction::createStructure):
1718         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
1719         * runtime/NumberConstructor.cpp:
1720         (JSC::NumberConstructor::NumberConstructor):
1721         (JSC::constructNumberConstructor):
1722         (JSC::constructWithNumberConstructor): Deleted.
1723         (JSC::NumberConstructor::getConstructData): Deleted.
1724         (JSC::NumberConstructor::getCallData): Deleted.
1725         * runtime/NumberConstructor.h:
1726         (JSC::NumberConstructor::createStructure):
1727         * runtime/ObjectConstructor.cpp:
1728         (JSC::ObjectConstructor::ObjectConstructor):
1729         (JSC::ObjectConstructor::getConstructData): Deleted.
1730         (JSC::ObjectConstructor::getCallData): Deleted.
1731         * runtime/ObjectConstructor.h:
1732         (JSC::ObjectConstructor::createStructure):
1733         * runtime/ProxyConstructor.cpp:
1734         (JSC::ProxyConstructor::ProxyConstructor):
1735         (JSC::ProxyConstructor::getConstructData): Deleted.
1736         (JSC::ProxyConstructor::getCallData): Deleted.
1737         * runtime/ProxyConstructor.h:
1738         (JSC::ProxyConstructor::createStructure):
1739         * runtime/ProxyRevoke.cpp:
1740         (JSC::ProxyRevoke::ProxyRevoke):
1741         (JSC::ProxyRevoke::getCallData): Deleted.
1742         * runtime/ProxyRevoke.h:
1743         (JSC::ProxyRevoke::createStructure):
1744         * runtime/RegExpConstructor.cpp:
1745         (JSC::RegExpConstructor::RegExpConstructor):
1746         (JSC::RegExpConstructor::getConstructData): Deleted.
1747         (JSC::RegExpConstructor::getCallData): Deleted.
1748         * runtime/RegExpConstructor.h:
1749         (JSC::RegExpConstructor::createStructure):
1750         * runtime/SetConstructor.cpp:
1751         (JSC::SetConstructor::SetConstructor):
1752         (JSC::SetConstructor::getConstructData): Deleted.
1753         (JSC::SetConstructor::getCallData): Deleted.
1754         * runtime/SetConstructor.h:
1755         (JSC::SetConstructor::createStructure):
1756         (JSC::SetConstructor::SetConstructor): Deleted.
1757         * runtime/StringConstructor.cpp:
1758         (JSC::StringConstructor::StringConstructor):
1759         (JSC::StringConstructor::getConstructData): Deleted.
1760         (JSC::StringConstructor::getCallData): Deleted.
1761         * runtime/StringConstructor.h:
1762         (JSC::StringConstructor::createStructure):
1763         * runtime/SymbolConstructor.cpp:
1764         (JSC::SymbolConstructor::SymbolConstructor):
1765         (JSC::SymbolConstructor::getConstructData): Deleted.
1766         (JSC::SymbolConstructor::getCallData): Deleted.
1767         * runtime/SymbolConstructor.h:
1768         (JSC::SymbolConstructor::createStructure):
1769         * runtime/VM.cpp:
1770         (JSC::VM::VM):
1771         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1772         * runtime/VM.h:
1773         * runtime/WeakMapConstructor.cpp:
1774         (JSC::WeakMapConstructor::WeakMapConstructor):
1775         (JSC::WeakMapConstructor::getConstructData): Deleted.
1776         (JSC::WeakMapConstructor::getCallData): Deleted.
1777         * runtime/WeakMapConstructor.h:
1778         (JSC::WeakMapConstructor::createStructure):
1779         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
1780         * runtime/WeakSetConstructor.cpp:
1781         (JSC::WeakSetConstructor::WeakSetConstructor):
1782         (JSC::WeakSetConstructor::getConstructData): Deleted.
1783         (JSC::WeakSetConstructor::getCallData): Deleted.
1784         * runtime/WeakSetConstructor.h:
1785         (JSC::WeakSetConstructor::createStructure):
1786         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
1787         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1788         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
1789         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
1790         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
1791         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
1792         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1793         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1794         (JSC::WebAssemblyInstanceConstructor::createStructure):
1795         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
1796         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
1797         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
1798         * wasm/js/WebAssemblyInstanceConstructor.h:
1799         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1800         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
1801         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
1802         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
1803         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
1804         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1805         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1806         (JSC::WebAssemblyMemoryConstructor::createStructure):
1807         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
1808         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
1809         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
1810         * wasm/js/WebAssemblyMemoryConstructor.h:
1811         * wasm/js/WebAssemblyModuleConstructor.cpp:
1812         (JSC::WebAssemblyModuleConstructor::createStructure):
1813         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
1814         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
1815         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
1816         * wasm/js/WebAssemblyModuleConstructor.h:
1817         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1818         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
1819         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
1820         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
1821         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
1822         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1823         * wasm/js/WebAssemblyTableConstructor.cpp:
1824         (JSC::WebAssemblyTableConstructor::createStructure):
1825         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
1826         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
1827         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
1828         * wasm/js/WebAssemblyTableConstructor.h:
1829
1830 2017-11-03  Michael Saboff  <msaboff@apple.com>
1831
1832         The Abstract Interpreter needs to change similarly to clobberize() in r224366
1833         https://bugs.webkit.org/show_bug.cgi?id=179267
1834
1835         Reviewed by Saam Barati.
1836
1837         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
1838         cases in the abstract interpreter to match what was done for r224366.
1839
1840         * dfg/DFGAbstractInterpreterInlines.h:
1841         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1842
1843 2017-11-03  Keith Miller  <keith_miller@apple.com>
1844
1845         PutPropertySlot should inform the IC about the property before effects.
1846         https://bugs.webkit.org/show_bug.cgi?id=179262
1847
1848         Reviewed by Mark Lam.
1849
1850         This patch fixes an issue where we choose to cache setters based on
1851         incorrect information. If we did so we might end up OSR exiting
1852         more than we would otherwise need to. The new model is that the
1853         PutPropertySlot should inform the IC of what the property looked
1854         like before any potential side effects might have occurred.
1855
1856         * runtime/JSObject.cpp:
1857         (JSC::JSObject::putInlineSlow):
1858         * runtime/Lookup.h:
1859         (JSC::putEntry):
1860
1861 2017-11-03  Mark Lam  <mark.lam@apple.com>
1862
1863         CachedCall (and its clients) needs overflow checks.
1864         https://bugs.webkit.org/show_bug.cgi?id=179185
1865
1866         Reviewed by JF Bastien.
1867
1868         * interpreter/CachedCall.h:
1869         (JSC::CachedCall::CachedCall):
1870         (JSC::CachedCall::hasOverflowedArguments):
1871         * runtime/ArgList.h:
1872         (JSC::MarkedArgumentBuffer::clear):
1873         * runtime/StringPrototype.cpp:
1874         (JSC::replaceUsingRegExpSearch):
1875
1876 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
1877
1878         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
1879         https://bugs.webkit.org/show_bug.cgi?id=178302
1880         <rdar://problem/33158849>
1881
1882         Reviewed by Brian Burg.
1883
1884         * inspector/protocol/Recording.json:
1885         Add `duration` to each Frame that represents the total time of all the recorded actions.
1886
1887 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
1888
1889         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
1890         https://bugs.webkit.org/show_bug.cgi?id=179070
1891         <rdar://problem/35278276>
1892
1893         Reviewed by Brian Burg.
1894
1895         * inspector/protocol/Canvas.json:
1896         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
1897         different string on a WebGL context.
1898
1899 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
1900
1901         Make ServiceWorker a Remote Inspector debuggable target
1902         https://bugs.webkit.org/show_bug.cgi?id=179043
1903         <rdar://problem/34126008>
1904
1905         Reviewed by Brian Burg.
1906
1907         * inspector/remote/RemoteControllableTarget.h:
1908         * inspector/remote/RemoteInspectionTarget.h:
1909         * inspector/remote/RemoteInspectorConstants.h:
1910         Include a new ServiceWorker remote inspector target type.
1911
1912         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1913         (Inspector::RemoteInspector::listingForInspectionTarget const):
1914         Implement listing for a ServiceWorker to include a URL like a page.
1915
1916         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1917         (Inspector::RemoteInspector::listingForInspectionTarget const):
1918         Bail for ServiceWorker support in glib. They will need to implement their support.
1919
1920 2017-11-02  Michael Saboff  <msaboff@apple.com>
1921
1922         DFG needs to handle code motion of code in for..in loop bodies
1923         https://bugs.webkit.org/show_bug.cgi?id=179212
1924
1925         Reviewed by Keith Miller.
1926
1927         The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
1928         makes calls with side effects.  Updated clobberize() for those nodes to take that into account.
1929
1930         * dfg/DFGClobberize.h:
1931         (JSC::DFG::clobberize):
1932
1933 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
1934
1935         Inspector should display service worker served responses properly
1936         https://bugs.webkit.org/show_bug.cgi?id=178597
1937         <rdar://problem/35186111>
1938
1939         Reviewed by Brian Burg.
1940
1941         * inspector/protocol/Network.json:
1942         Expose a new "service-worker" response source.
1943
1944 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1945
1946         AI does not correctly model the clobber case of ArithClz32
1947         https://bugs.webkit.org/show_bug.cgi?id=179188
1948
1949         Reviewed by Michael Saboff.
1950
1951         The non-Int32 case clobbers the world because it may call valueOf.
1952
1953         * dfg/DFGAbstractInterpreterInlines.h:
1954         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1955
1956 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1957
1958         Unreviewed, release throw scope
1959         https://bugs.webkit.org/show_bug.cgi?id=178726
1960
1961         * dfg/DFGOperations.cpp:
1962
1963 2017-11-02  Frederic Wang  <fwang@igalia.com>
1964
1965         Add references to bug 179167 in FIXME comments
1966         https://bugs.webkit.org/show_bug.cgi?id=179168
1967
1968         Reviewed by Daniel Bates.
1969
1970         * Configurations/FeatureDefines.xcconfig:
1971
1972 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
1973
1974         Implement WKFullscreenWindowController for iOS.
1975         https://bugs.webkit.org/show_bug.cgi?id=178924
1976         rdar://problem/34697120
1977
1978         Reviewed by Simon Fraser.
1979
1980         Enable ENABLE_FULLSCREEN_API for iOS.
1981
1982         * Configurations/FeatureDefines.xcconfig:
1983
1984 2017-11-01  Mark Lam  <mark.lam@apple.com>
1985
1986         Add support to throw OOM if MarkedArgumentBuffer may overflow.
1987         https://bugs.webkit.org/show_bug.cgi?id=179092
1988         <rdar://problem/35116160>
1989
1990         Reviewed by Saam Barati.
1991
1992         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
1993         time, which renders it unsuitable for automated tests.  Instead, I've run a
1994         test manually to verify that an OutOfMemoryError will be thrown when an overflow
1995         occurs.
1996
1997         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
1998         checked for an overflow after invoking methods that may result in an overflow, i.e.
1999         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
2000         This is only done on debug builds.
2001
2002         * API/JSObjectRef.cpp:
2003         (JSObjectMakeFunction):
2004         (JSObjectMakeArray):
2005         (JSObjectMakeDate):
2006         (JSObjectMakeRegExp):
2007         (JSObjectCallAsFunction):
2008         (JSObjectCallAsConstructor):
2009         * dfg/DFGOperations.cpp:
2010         * inspector/InjectedScriptManager.cpp:
2011         (Inspector::InjectedScriptManager::createInjectedScript):
2012         * inspector/JSJavaScriptCallFrame.cpp:
2013         (Inspector::JSJavaScriptCallFrame::scopeChain const):
2014         * interpreter/Interpreter.cpp:
2015         (JSC::Interpreter::executeProgram):
2016         * jsc.cpp:
2017         (functionDollarAgentReceiveBroadcast):
2018         * runtime/ArgList.cpp:
2019         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
2020         (JSC::MarkedArgumentBuffer::expandCapacity):
2021         (JSC::MarkedArgumentBuffer::slowAppend):
2022         * runtime/ArgList.h:
2023         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
2024         (JSC::MarkedArgumentBuffer::appendWithAction):
2025         (JSC::MarkedArgumentBuffer::append):
2026         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
2027         (JSC::MarkedArgumentBuffer::hasOverflowed):
2028         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
2029         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
2030         * runtime/ArrayPrototype.cpp:
2031         * runtime/CommonSlowPaths.cpp:
2032         (JSC::SLOW_PATH_DECL):
2033         * runtime/GetterSetter.cpp:
2034         (JSC::callSetter):
2035         * runtime/IteratorOperations.cpp:
2036         (JSC::iteratorNext):
2037         (JSC::iteratorClose):
2038         * runtime/JSBoundFunction.cpp:
2039         (JSC::boundThisNoArgsFunctionCall):
2040         (JSC::boundFunctionCall):
2041         (JSC::boundThisNoArgsFunctionConstruct):
2042         (JSC::boundFunctionConstruct):
2043         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2044         (JSC::constructGenericTypedArrayViewFromIterator):
2045         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2046         (JSC::genericTypedArrayViewProtoFuncSlice):
2047         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2048         * runtime/JSGlobalObject.cpp:
2049         (JSC::JSGlobalObject::haveABadTime):
2050         * runtime/JSInternalPromise.cpp:
2051         (JSC::JSInternalPromise::then):
2052         * runtime/JSJob.cpp:
2053         (JSC::JSJobMicrotask::run):
2054         * runtime/JSMapIterator.cpp:
2055         (JSC::JSMapIterator::createPair):
2056         * runtime/JSModuleLoader.cpp:
2057         (JSC::JSModuleLoader::provideFetch):
2058         (JSC::JSModuleLoader::loadAndEvaluateModule):
2059         (JSC::JSModuleLoader::loadModule):
2060         (JSC::JSModuleLoader::linkAndEvaluateModule):
2061         (JSC::JSModuleLoader::requestImportModule):
2062         * runtime/JSONObject.cpp:
2063         (JSC::Stringifier::toJSONImpl):
2064         (JSC::Stringifier::appendStringifiedValue):
2065         (JSC::Walker::callReviver):
2066         * runtime/JSObject.cpp:
2067         (JSC::ordinarySetSlow):
2068         (JSC::callToPrimitiveFunction):
2069         (JSC::JSObject::hasInstance):
2070         * runtime/JSPromise.cpp:
2071         (JSC::JSPromise::initialize):
2072         (JSC::JSPromise::resolve):
2073         * runtime/JSPromiseDeferred.cpp:
2074         (JSC::newPromiseCapability):
2075         (JSC::callFunction):
2076         * runtime/JSSetIterator.cpp:
2077         (JSC::JSSetIterator::createPair):
2078         * runtime/LiteralParser.cpp:
2079         (JSC::LiteralParser<CharType>::parse):
2080         * runtime/MapConstructor.cpp:
2081         (JSC::constructMap):
2082         * runtime/ObjectConstructor.cpp:
2083         (JSC::defineProperties):
2084         * runtime/ProxyObject.cpp:
2085         (JSC::performProxyGet):
2086         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2087         (JSC::ProxyObject::performHasProperty):
2088         (JSC::ProxyObject::performPut):
2089         (JSC::performProxyCall):
2090         (JSC::performProxyConstruct):
2091         (JSC::ProxyObject::performDelete):
2092         (JSC::ProxyObject::performPreventExtensions):
2093         (JSC::ProxyObject::performIsExtensible):
2094         (JSC::ProxyObject::performDefineOwnProperty):
2095         (JSC::ProxyObject::performGetOwnPropertyNames):
2096         (JSC::ProxyObject::performSetPrototype):
2097         (JSC::ProxyObject::performGetPrototype):
2098         * runtime/ReflectObject.cpp:
2099         (JSC::reflectObjectConstruct):
2100         * runtime/SetConstructor.cpp:
2101         (JSC::constructSet):
2102         * runtime/StringPrototype.cpp:
2103         (JSC::replaceUsingRegExpSearch):
2104         (JSC::replaceUsingStringSearch):
2105         * runtime/WeakMapConstructor.cpp:
2106         (JSC::constructWeakMap):
2107         * runtime/WeakSetConstructor.cpp:
2108         (JSC::constructWeakSet):
2109         * wasm/js/WasmToJS.cpp:
2110         (JSC::Wasm::wasmToJS):
2111
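An added illustration of the overflow-check discipline this entry describes (a constructed example, not JSC's MarkedArgumentBuffer): the buffer refuses to grow past a cap and flags the overflow instead, every append obliges the caller to ask hasOverflowed() before using the arguments, and where JSC asserts in the destructor on debug builds this version counts the forgotten check so that failure path can be exercised. CheckedArgumentBuffer, buildArguments, forgetfulCaller and the capacity limits are constructed names and values.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Constructed stand-in for the overflow-aware argument buffer described in
// the entry above; it is not JSC's MarkedArgumentBuffer.
class CheckedArgumentBuffer {
public:
    // Constructed limits; JSC's real inline capacity and maximum differ.
    static constexpr size_t inlineCapacity = 8;
    static constexpr size_t defaultMaxCapacity = 1 << 20;

    explicit CheckedArgumentBuffer(size_t maxCapacity = defaultMaxCapacity)
        : m_maxCapacity(maxCapacity)
    {
        m_storage.reserve(inlineCapacity);
    }

    ~CheckedArgumentBuffer()
    {
        // JSC asserts here on debug builds that hasOverflowed() was called.
        // This illustration counts the omission instead, so the forgetful
        // caller path can be exercised without aborting the process.
        if (m_needsOverflowCheck)
            ++s_uncheckedDestructions;
    }

    // Appends a value (uint64_t stands in for an encoded JSValue). The buffer
    // never grows past m_maxCapacity: on overflow the value is dropped and a
    // sticky flag is set. Every append obliges the caller to check that flag.
    void append(uint64_t value)
    {
        m_needsOverflowCheck = true;
        if (m_overflowed)
            return;
        if (m_storage.size() == m_capacity && !expandCapacity())
            return;
        m_storage.push_back(value);
    }

    // The mandatory check: reports whether any append overflowed and records
    // that the client asked (clearNeedsOverflowCheck in JSC's terms).
    bool hasOverflowed()
    {
        m_needsOverflowCheck = false;
        return m_overflowed;
    }

    size_t size() const { return m_storage.size(); }
    static size_t uncheckedDestructions() { return s_uncheckedDestructions; }

private:
    // Doubles the capacity, refusing both size_t wraparound and the hard cap.
    bool expandCapacity()
    {
        if (m_capacity > std::numeric_limits<size_t>::max() / 2
            || m_capacity * 2 > m_maxCapacity) {
            m_overflowed = true;
            return false;
        }
        m_capacity *= 2;
        m_storage.reserve(m_capacity);
        return true;
    }

    std::vector<uint64_t> m_storage;
    size_t m_capacity { inlineCapacity };
    size_t m_maxCapacity;
    bool m_overflowed { false };
    bool m_needsOverflowCheck { false };
    static size_t s_uncheckedDestructions;
};

size_t CheckedArgumentBuffer::s_uncheckedDestructions = 0;

// Mirrors the call-site discipline the entry adds to JSC callers: fill the
// buffer, then check before using it. Returns the argument count, or -1
// where JSC would throw an OutOfMemoryError.
long buildArguments(size_t count, size_t maxCapacity)
{
    CheckedArgumentBuffer args(maxCapacity);
    for (size_t i = 0; i < count; ++i)
        args.append(static_cast<uint64_t>(i));
    if (args.hasOverflowed())
        return -1;
    return static_cast<long>(args.size());
}

// A caller that forgets the check; the destructor records the omission
// (on a JSC debug build this is the assertion failure).
size_t forgetfulCaller(size_t count)
{
    CheckedArgumentBuffer args;
    for (size_t i = 0; i < count; ++i)
        args.append(static_cast<uint64_t>(i));
    return args.size();
}
```

With a cap of 1024 the 1025th append trips the flag, and buildArguments reports -1 instead of handing back a silently truncated argument list.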
2112 2017-11-01  Michael Saboff  <msaboff@apple.com>
2113
2114         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2115         https://bugs.webkit.org/show_bug.cgi?id=179140
2116
2117         Reviewed by Saam Barati.
2118
2119         Added overflow checks to computation of arg count plus this.
2120
2121         * dfg/DFGSpeculativeJIT32_64.cpp:
2122         (JSC::DFG::SpeculativeJIT::compile):
2123         * dfg/DFGSpeculativeJIT64.cpp:
2124         (JSC::DFG::SpeculativeJIT::compile):
2125         * ftl/FTLLowerDFGToB3.cpp:
2126         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2127
2128 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2129
2130         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
2131         https://bugs.webkit.org/show_bug.cgi?id=178934
2132
2133         * ftl/FTLLowerDFGToB3.cpp:
2134         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2135
2136 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2137
2138         [JSC] Introduce @toObject
2139         https://bugs.webkit.org/show_bug.cgi?id=178726
2140
2141         Reviewed by Saam Barati.
2142
2143         This patch introduces the @toObject intrinsic, along with the op_to_object bytecode and the DFG ToObject node.
2144         Previously we emulated @toObject behavior in builtin JS. But it consumes a lot of bytecode while @toObject
2145         is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
2146         ObjectConstructor in LLInt and Baseline.
2147
2148         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
2149         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
2150
2151             if (this === @undefined || this === null)
2152                 @throwTypeError("error message");
2153             var object = @Object(this);
2154
2155         with
2156
2157             var object = @toObject(this, "error message");
2158
2159         And we handle op_to_object in DFG as a ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
2160         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
2161         In the fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
2162
2163         It also fixes a bug where the CallObjectConstructor DFG node used the Node's semantic GlobalObject instead of the function's.
2164
2165         * builtins/ArrayConstructor.js:
2166         (from):
2167         * builtins/ArrayPrototype.js:
2168         (values):
2169         (keys):
2170         (entries):
2171         (reduce):
2172         (reduceRight):
2173         (every):
2174         (forEach):
2175         (filter):
2176         (map):
2177         (some):
2178         (fill):
2179         (find):
2180         (findIndex):
2181         (includes):
2182         (sort):
2183         (globalPrivate.concatSlowPath):
2184         (copyWithin):
2185         * builtins/DatePrototype.js:
2186         (toLocaleString.toDateTimeOptionsAnyAll):
2187         (toLocaleString):
2188         (toLocaleDateString.toDateTimeOptionsDateDate):
2189         (toLocaleDateString):
2190         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2191         (toLocaleTimeString):
2192         * builtins/GlobalOperations.js:
2193         (globalPrivate.copyDataProperties):
2194         (globalPrivate.copyDataPropertiesNoExclusions):
2195         * builtins/ObjectConstructor.js:
2196         (entries):
2197         * builtins/StringConstructor.js:
2198         (raw):
2199         * builtins/TypedArrayConstructor.js:
2200         (from):
2201         * builtins/TypedArrayPrototype.js:
2202         (map):
2203         (filter):
2204         * bytecode/BytecodeDumper.cpp:
2205         (JSC::BytecodeDumper<Block>::dumpBytecode):
2206         * bytecode/BytecodeIntrinsicRegistry.h:
2207         * bytecode/BytecodeList.json:
2208         * bytecode/BytecodeUseDef.h:
2209         (JSC::computeUsesForBytecodeOffset):
2210         (JSC::computeDefsForBytecodeOffset):
2211         * bytecode/CodeBlock.cpp:
2212         (JSC::CodeBlock::finishCreation):
2213         * bytecompiler/BytecodeGenerator.cpp:
2214         (JSC::BytecodeGenerator::emitToObject):
2215         * bytecompiler/BytecodeGenerator.h:
2216         * bytecompiler/NodesCodegen.cpp:
2217         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2218         * dfg/DFGAbstractInterpreterInlines.h:
2219         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2220         * dfg/DFGByteCodeParser.cpp:
2221         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2222         (JSC::DFG::ByteCodeParser::parseBlock):
2223         * dfg/DFGCapabilities.cpp:
2224         (JSC::DFG::capabilityLevel):
2225         * dfg/DFGClobberize.h:
2226         (JSC::DFG::clobberize):
2227         * dfg/DFGDoesGC.cpp:
2228         (JSC::DFG::doesGC):
2229         * dfg/DFGFixupPhase.cpp:
2230         (JSC::DFG::FixupPhase::fixupNode):
2231         (JSC::DFG::FixupPhase::fixupToObject):
2232         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
2233         * dfg/DFGNode.h:
2234         (JSC::DFG::Node::convertToCallObjectConstructor):
2235         (JSC::DFG::Node::convertToNewStringObject):
2236         (JSC::DFG::Node::convertToNewObject):
2237         (JSC::DFG::Node::hasIdentifier):
2238         (JSC::DFG::Node::hasHeapPrediction):
2239         (JSC::DFG::Node::hasCellOperand):
2240         * dfg/DFGNodeType.h:
2241         * dfg/DFGOperations.cpp:
2242         * dfg/DFGOperations.h:
2243         * dfg/DFGPredictionPropagationPhase.cpp:
2244         * dfg/DFGSafeToExecute.h:
2245         (JSC::DFG::safeToExecute):
2246         * dfg/DFGSpeculativeJIT.cpp:
2247         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2248         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
2249         * dfg/DFGSpeculativeJIT.h:
2250         (JSC::DFG::SpeculativeJIT::callOperation):
2251         * dfg/DFGSpeculativeJIT32_64.cpp:
2252         (JSC::DFG::SpeculativeJIT::compile):
2253         * dfg/DFGSpeculativeJIT64.cpp:
2254         (JSC::DFG::SpeculativeJIT::compile):
2255         * ftl/FTLCapabilities.cpp:
2256         (JSC::FTL::canCompile):
2257         * ftl/FTLLowerDFGToB3.cpp:
2258         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2259         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
2260         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
2261         * jit/JIT.cpp:
2262         (JSC::JIT::privateCompileMainPass):
2263         (JSC::JIT::privateCompileSlowCases):
2264         * jit/JIT.h:
2265         * jit/JITOpcodes.cpp:
2266         (JSC::JIT::emit_op_to_object):
2267         (JSC::JIT::emitSlow_op_to_object):
2268         * jit/JITOpcodes32_64.cpp:
2269         (JSC::JIT::emit_op_to_object):
2270         (JSC::JIT::emitSlow_op_to_object):
2271         * jit/JITOperations.cpp:
2272         * jit/JITOperations.h:
2273         * llint/LowLevelInterpreter32_64.asm:
2274         * llint/LowLevelInterpreter64.asm:
2275         * runtime/CommonSlowPaths.cpp:
2276         (JSC::SLOW_PATH_DECL):
2277         * runtime/CommonSlowPaths.h:
2278
2279 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2280
2281         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
2282         https://bugs.webkit.org/show_bug.cgi?id=174979
2283
2284         Reviewed by Yusuke Suzuki.
2285
2286         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
2287
2288 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2289
2290         [DFG][FTL] Introduce StringSlice
2291         https://bugs.webkit.org/show_bug.cgi?id=178934
2292
2293         Reviewed by Saam Barati.
2294
2295         String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
2296         This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
2297
2298         This patch's StringSlice node optimizes the following things.
2299
2300         1. Empty string generation is accelerated. It is fully executed inline.
2301         2. One char string generation is accelerated. Only characters `< 0x100` are supported right now.
2302         It is the same as the charAt acceleration.
2303         3. We calculate start and end index in DFG/FTL with Int32Use information and call an optimized
2304         operation.
2305
2306         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
2307         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
2308         in subsequent changes.
2309
2310         This patch improves ARES-6/Babylon performance by 3% in steady state.
2311
2312         Baseline:
2313             Running... Babylon ( 1  to go)
2314             firstIteration:     50.05 +- 13.68 ms
2315             averageWorstCase:   16.80 +- 1.27 ms
2316             steadyState:        7.53 +- 0.22 ms
2317
2318         Patched:
2319             Running... Babylon ( 1  to go)
2320             firstIteration:     50.91 +- 13.41 ms
2321             averageWorstCase:   16.12 +- 0.99 ms
2322             steadyState:        7.30 +- 0.29 ms
2323
2324         * dfg/DFGAbstractInterpreterInlines.h:
2325         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2326         * dfg/DFGBackwardsPropagationPhase.cpp:
2327         (JSC::DFG::BackwardsPropagationPhase::propagate):
2328         * dfg/DFGByteCodeParser.cpp:
2329         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2330         * dfg/DFGClobberize.h:
2331         (JSC::DFG::clobberize):
2332         * dfg/DFGDoesGC.cpp:
2333         (JSC::DFG::doesGC):
2334         * dfg/DFGFixupPhase.cpp:
2335         (JSC::DFG::FixupPhase::fixupNode):
2336         * dfg/DFGNodeType.h:
2337         * dfg/DFGOperations.cpp:
2338         * dfg/DFGOperations.h:
2339         * dfg/DFGPredictionPropagationPhase.cpp:
2340         * dfg/DFGSafeToExecute.h:
2341         (JSC::DFG::safeToExecute):
2342         * dfg/DFGSpeculativeJIT.cpp:
2343         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2344         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
2345         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2346         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2347         * dfg/DFGSpeculativeJIT.h:
2348         (JSC::DFG::SpeculativeJIT::callOperation):
2349         * dfg/DFGSpeculativeJIT32_64.cpp:
2350         (JSC::DFG::SpeculativeJIT::compile):
2351         * dfg/DFGSpeculativeJIT64.cpp:
2352         (JSC::DFG::SpeculativeJIT::compile):
2353         * ftl/FTLCapabilities.cpp:
2354         (JSC::FTL::canCompile):
2355         * ftl/FTLLowerDFGToB3.cpp:
2356         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2357         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
2358         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2359         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2360         * jit/JITOperations.h:
2361         * runtime/Intrinsic.cpp:
2362         (JSC::intrinsicName):
2363         * runtime/Intrinsic.h:
2364         * runtime/StringPrototype.cpp:
2365         (JSC::StringPrototype::finishCreation):
2366
2367 2017-10-31  JF Bastien  <jfbastien@apple.com>
2368
2369         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
2370         https://bugs.webkit.org/show_bug.cgi?id=176644
2371
2372         Reviewed by Michael Saboff.
2373
2374         IndexOrName now keeps a RefPtr to its original NameSection, which
2375         holds the Name (or references nullptr if Index). Holding onto the
2376         entire section seems like the better thing to do, since backtraces
2377         probably contain multiple names from the same Module.
2378
2379         * JavaScriptCore.xcodeproj/project.pbxproj:
2380         * interpreter/Interpreter.cpp:
2381         (JSC::GetStackTraceFunctor::operator() const):
2382         * interpreter/StackVisitor.h: Frame is no longer POD because of the
2383         RefPtr.
2384         * runtime/StackFrame.cpp:
2385         (JSC::StackFrame::StackFrame):
2386         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
2387         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
2388         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
2389         * wasm/WasmBBQPlanInlines.h:
2390         (JSC::Wasm::BBQPlan::initializeCallees):
2391         * wasm/WasmCallee.cpp:
2392         (JSC::Wasm::Callee::Callee):
2393         * wasm/WasmCallee.h:
2394         (JSC::Wasm::Callee::create):
2395         * wasm/WasmFormat.h: Move NameSection to its own header.
2396         (JSC::Wasm::isValidNameType):
2397         (JSC::Wasm::NameSection::get): Deleted.
2398         * wasm/WasmIndexOrName.cpp:
2399         (JSC::Wasm::IndexOrName::IndexOrName):
2400         (JSC::Wasm::makeString):
2401         * wasm/WasmIndexOrName.h:
2402         (JSC::Wasm::IndexOrName::IndexOrName):
2403         (JSC::Wasm::IndexOrName::isEmpty const):
2404         (JSC::Wasm::IndexOrName::isIndex const):
2405         * wasm/WasmModuleInformation.cpp:
2406         (JSC::Wasm::ModuleInformation::ModuleInformation):
2407         * wasm/WasmModuleInformation.h:
2408         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
2409         * wasm/WasmNameSection.h:
2410         (JSC::Wasm::NameSection::get):
2411         (JSC::Wasm::NameSection::create): Deleted.
2412         * wasm/WasmNameSectionParser.cpp:
2413         (JSC::Wasm::NameSectionParser::parse):
2414         * wasm/WasmNameSectionParser.h:
2415         * wasm/WasmOMGPlan.cpp:
2416         (JSC::Wasm::OMGPlan::work):
2417
2418 2017-10-31  Tim Horton  <timothy_horton@apple.com>
2419
2420         Clean up some drag and drop feature flags
2421         https://bugs.webkit.org/show_bug.cgi?id=179082
2422
2423         Reviewed by Simon Fraser.
2424
2425         * Configurations/FeatureDefines.xcconfig:
2426
2427 2017-10-31  Commit Queue  <commit-queue@webkit.org>
2428
2429         Unreviewed, rolling out r224243, r224246, and r224248.
2430         https://bugs.webkit.org/show_bug.cgi?id=179083
2431
2432         The patch and fix broke the Windows build. (Requested by
2433         mlewis13 on #webkit).
2434
2435         Reverted changesets:
2436
2437         "StructureStubInfo should have GPRReg members not int8_ts"
2438         https://bugs.webkit.org/show_bug.cgi?id=179071
2439         https://trac.webkit.org/changeset/224243
2440
2441         "Make all register enums be backed by uint8_t."
2442         https://bugs.webkit.org/show_bug.cgi?id=179074
2443         https://trac.webkit.org/changeset/224246
2444
2445         "Unreviewed, windows build fix."
2446         https://trac.webkit.org/changeset/224248
2447
2448 2017-10-31  Tim Horton  <timothy_horton@apple.com>
2449
2450         Fix up some content filtering feature flags
2451         https://bugs.webkit.org/show_bug.cgi?id=179079
2452
2453         Reviewed by Simon Fraser.
2454
2455         * Configurations/FeatureDefines.xcconfig:
2456
2457 2017-10-31  Keith Miller  <keith_miller@apple.com>
2458
2459         Unreviewed, windows build fix.
2460
2461         * assembler/X86Assembler.h:
2462         (JSC::X86Assembler::numberOfRegisters):
2463         (JSC::X86Assembler::numberOfSPRegisters):
2464         (JSC::X86Assembler::numberOfFPRegisters):
2465
2466 2017-10-31  Keith Miller  <keith_miller@apple.com>
2467
2468         Make all register enums be backed by uint8_t.
2469         https://bugs.webkit.org/show_bug.cgi?id=179074
2470
2471         Reviewed by Mark Lam.
2472
2473         * assembler/ARM64Assembler.h:
2474         * assembler/ARMAssembler.h:
2475         * assembler/ARMv7Assembler.h:
2476         * assembler/MIPSAssembler.h:
2477         * assembler/MacroAssembler.h:
2478         * assembler/X86Assembler.h:
2479
2480 2017-10-31  Keith Miller  <keith_miller@apple.com>
2481
2482         StructureStubInfo should have GPRReg members not int8_ts
2483         https://bugs.webkit.org/show_bug.cgi?id=179071
2484
2485         Reviewed by Michael Saboff.
2486
2487         This patch makes the various RegisterID enums be backed by
2488         uint8_t. This means that we can remove the old int8_t members in
2489         StructureStubInfo and replace them with the correct enum types.
2490
2491         Also, this fixes an indentation issue in ARMv7Assembler.h.
2492
2493         * assembler/ARM64Assembler.h:
2494         * assembler/ARMAssembler.h:
2495         * assembler/ARMv7Assembler.h:
2496         (JSC::ARMRegisters::asSingle):
2497         (JSC::ARMRegisters::asDouble):
2498         * assembler/MIPSAssembler.h:
2499         * assembler/X86Assembler.h:
2500         * bytecode/InlineAccess.cpp:
2501         (JSC::InlineAccess::generateSelfPropertyAccess):
2502         (JSC::getScratchRegister):
2503         * bytecode/PolymorphicAccess.cpp:
2504         (JSC::PolymorphicAccess::regenerate):
2505         * bytecode/StructureStubInfo.h:
2506         (JSC::StructureStubInfo::valueRegs const):
2507         * dfg/DFGSpeculativeJIT.cpp:
2508         (JSC::DFG::SpeculativeJIT::compileIn):
2509         * ftl/FTLLowerDFGToB3.cpp:
2510         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2511         * jit/JITInlineCacheGenerator.cpp:
2512         (JSC::JITByIdGenerator::JITByIdGenerator):
2513         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
2514
2515 2017-10-31  Devin Rousso  <webkit@devinrousso.com>
2516
2517         Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
2518         https://bugs.webkit.org/show_bug.cgi?id=179048
2519
2520         Reviewed by Mark Lam.
2521
2522         * inspector/ScriptCallStackFactory.h:
2523         * inspector/ScriptCallStackFactory.cpp:
2524         (createScriptCallStack):
2525         (createScriptCallStackForConsole):
2526         (createScriptCallStackFromException):
2527
2528         * inspector/ConsoleMessage.cpp:
2529         (Inspector::ConsoleMessage::autogenerateMetadata):
2530         * inspector/JSGlobalObjectInspectorController.cpp:
2531         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2532         * inspector/agents/InspectorConsoleAgent.cpp:
2533         (Inspector::InspectorConsoleAgent::count):
2534         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2535         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2536
2537 2017-10-31  Carlos Garcia Campos  <cgarcia@igalia.com>
2538
2539         Unreviewed. Fix GTK+ make distcheck.
2540
2541         Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
2542
2543         * CMakeLists.txt:
2544
2545 2017-10-30  Saam Barati  <sbarati@apple.com>
2546
2547         We need a storeStoreFence before storing to the instruction stream's live variable catch data
2548         https://bugs.webkit.org/show_bug.cgi?id=178649
2549
2550         Reviewed by Keith Miller.
2551
2552         * bytecode/CodeBlock.cpp:
2553         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2554
2555 2017-10-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2556
2557         [WPE] Fix build warnings
2558         https://bugs.webkit.org/show_bug.cgi?id=178899
2559
2560         Reviewed by Carlos Alberto Lopez Perez.
2561
2562         * PlatformWPE.cmake:
2563
2564 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
2565
2566         [ARMv7] Fix initial start register support in YarrJIT
2567         https://bugs.webkit.org/show_bug.cgi?id=178641
2568
2569         Reviewed by Saam Barati.
2570
2571         * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
2572         YarrGenerator class. r6 should be avoided since it's already used inside
2573         MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
2574         can be used as the frame pointer register when targeting ARM Thumb2.
2575
2576 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
2577
2578         [ARM64][Linux] Re-enable Gigacage
2579         https://bugs.webkit.org/show_bug.cgi?id=178130
2580
2581         Reviewed by Michael Catanzaro.
2582
2583         Guard the current globaladdr opcode implementation for ARM64 with
2584         OS(DARWIN) as it's only usable for Mach-O.
2585
2586         For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
2587         have to be used. The .loh directive can't be used as it's not supported
2588         in GCC or the ld linker.
2589
2590         On every other OS target, a compilation error is thrown.
2591
2592         * offlineasm/arm64.rb:
2593
2594 2017-10-27  Devin Rousso  <webkit@devinrousso.com>
2595
2596         Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
2597         https://bugs.webkit.org/show_bug.cgi?id=178799
2598         <rdar://problem/35175805>
2599
2600         Reviewed by Brian Burg.
2601
2602         * inspector/protocol/Canvas.json:
2603         Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
2604
2605 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2606
2607         [JSC] Tweak ES6 generator function to allow inlining
2608         https://bugs.webkit.org/show_bug.cgi?id=178935
2609
2610         Reviewed by Saam Barati.
2611
2612         We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
2613         This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
2614         them to be inlined in DFG.
2615
2616                                        baseline                  patched
2617
2618         spread-generator.es6      301.2637+-11.1011    ^    260.5905+-14.2258       ^ definitely 1.1561x faster
2619         generator.es6             269.6030+-13.2435    ^    148.8840+-6.7614        ^ definitely 1.8108x faster
2620
2621         * builtins/GeneratorPrototype.js:
2622         (globalPrivate.generatorResume):
2623         (next):
2624         (return):
2625         (throw):
2626
2627 2017-10-27  Saam Barati  <sbarati@apple.com>
2628
2629         Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
2630         https://bugs.webkit.org/show_bug.cgi?id=178949
2631
2632         Reviewed by Keith Miller.
2633
2634         This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
2635         so that we don't need to recompute liveness for the same UnlinkedCodeBlock
2636         more than once. To do this, this patch solidifies the invariant that CodeBlock
2637         linking can't do anything that would change the result of liveness. For example,
2638         it can't introduce new locals. This invariant was met by JSC before, because we
2639         didn't do anything in bytecode linking that would change liveness. However, it is
2640         now a correctness requirement that we don't do anything that would change the
2641         result of running liveness. To support this change, I've refactored BytecodeGraph
2642         to not be tied to a CodeBlockType*. Things that perform liveness will pass in
2643         CodeBlockType* and the instruction stream as needed. This means that we may
2644         compute liveness with one CodeBlock*'s instruction stream, and then perform
2645         queries on that analysis with a different CodeBlock*'s instruction stream.
2646
2647         This seems to be a 2% JSBench progression.
2648
2649         * bytecode/BytecodeGeneratorification.cpp:
2650         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2651         (JSC::BytecodeGeneratorification::graph):
2652         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2653         (JSC::GeneratorLivenessAnalysis::run):
2654         (JSC::BytecodeGeneratorification::run):
2655         * bytecode/BytecodeGraph.h:
2656         (JSC::BytecodeGraph::BytecodeGraph):
2657         (JSC::BytecodeGraph::codeBlock const): Deleted.
2658         (JSC::BytecodeGraph::instructions): Deleted.
2659         (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
2660         * bytecode/BytecodeLivenessAnalysis.cpp:
2661         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
2662         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2663         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2664         (JSC::BytecodeLivenessAnalysis::computeKills):
2665         (JSC::BytecodeLivenessAnalysis::dumpResults):
2666         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
2667         (JSC::BytecodeLivenessAnalysis::compute): Deleted.
2668         * bytecode/BytecodeLivenessAnalysis.h:
2669         * bytecode/BytecodeLivenessAnalysisInlines.h:
2670         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2671         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
2672         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
2673         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
2674         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
2675         * bytecode/BytecodeRewriter.cpp:
2676         (JSC::BytecodeRewriter::applyModification):
2677         (JSC::BytecodeRewriter::execute):
2678         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
2679         * bytecode/BytecodeRewriter.h:
2680         (JSC::BytecodeRewriter::BytecodeRewriter):
2681         (JSC::BytecodeRewriter::removeBytecode):
2682         (JSC::BytecodeRewriter::graph):
2683         * bytecode/CodeBlock.cpp:
2684         (JSC::CodeBlock::finishCreation):
2685         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2686         (JSC::CodeBlock::validate):
2687         (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
2688         * bytecode/CodeBlock.h:
2689         (JSC::CodeBlock::livenessAnalysis):
2690         * bytecode/UnlinkedCodeBlock.cpp:
2691         (JSC::UnlinkedCodeBlock::applyModification):
2692         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
2693         * bytecode/UnlinkedCodeBlock.h:
2694         (JSC::UnlinkedCodeBlock::livenessAnalysis):
2695         * dfg/DFGGraph.cpp:
2696         (JSC::DFG::Graph::livenessFor):
2697         (JSC::DFG::Graph::killsFor):
2698         * dfg/DFGPlan.cpp:
2699         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2700         * jit/JIT.cpp:
2701         (JSC::JIT::privateCompileMainPass):
2702
2703 2017-10-27  Keith Miller  <keith_miller@apple.com>
2704
2705         Add unified source list files and build scripts to Xcode project navigator
2706         https://bugs.webkit.org/show_bug.cgi?id=178959
2707
2708         Reviewed by Andy Estes.
2709
2710         Also, add some extra source files so new .cpp/.mm files don't cause the build
2711         to fail right away. We already do this in WebCore.
2712
2713         * JavaScriptCore.xcodeproj/project.pbxproj:
2714         * PlatformMac.cmake:
2715         * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
2716
2717 2017-10-27  JF Bastien  <jfbastien@apple.com>
2718
2719         WebAssembly: update arbitrary limits to what browsers use
2720         https://bugs.webkit.org/show_bug.cgi?id=178946
2721         <rdar://problem/34257412>
2722         <rdar://problem/34501154>
2723
2724         Reviewed by Saam Barati.
2725
2726         https://github.com/WebAssembly/design/issues/1138 discusses the
2727         arbitrary function size limit, which it turns out Chrome and
2728         Firefox didn't enforce. We didn't use it because it was
2729         ridiculously low and actual programs ran into that limit (bummer
2730         for Edge which just shipped it...). Now that we agree on a high
2731         arbitrary program limit, let's update it! While I'm doing this
2732         there are a few other spots that I polished to use Checked or
2733         better check limits overall.
2734
2735         * wasm/WasmB3IRGenerator.cpp:
2736         (JSC::Wasm::B3IRGenerator::addLocal):
2737         * wasm/WasmFormat.cpp:
2738         (JSC::Wasm::Segment::create):
2739         * wasm/WasmFunctionParser.h:
2740         (JSC::Wasm::FunctionParser<Context>::parse):
2741         * wasm/WasmInstance.cpp:
2742         * wasm/WasmLimits.h:
2743         * wasm/WasmModuleParser.cpp:
2744         (JSC::Wasm::ModuleParser::parseGlobal):
2745         (JSC::Wasm::ModuleParser::parseCode):
2746         (JSC::Wasm::ModuleParser::parseData):
2747         * wasm/WasmSignature.h:
2748         (JSC::Wasm::Signature::allocatedSize):
2749         * wasm/WasmTable.cpp:
2750         (JSC::Wasm::Table::Table):
2751         * wasm/js/JSWebAssemblyTable.cpp:
2752         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2753         (JSC::JSWebAssemblyTable::grow):
2754
2755 2017-10-26  Michael Saboff  <msaboff@apple.com>
2756
2757         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2758         https://bugs.webkit.org/show_bug.cgi?id=178890
2759
2760         Reviewed by Keith Miller.
2761
2762         We need to let a contained subpattern backtrack before declaring that the containing
2763         parenthesis doesn't match.  If the subpattern fails to match backtracking, then we
2764         can check to see if we are trying to backtrack below the minimum match count.
2765         
2766         * yarr/YarrInterpreter.cpp:
2767         (JSC::Yarr::Interpreter::backtrackParentheses):
2768
2769 2017-10-26  Mark Lam  <mark.lam@apple.com>
2770
2771         JSRopeString::RopeBuilder::append() should check for overflows.
2772         https://bugs.webkit.org/show_bug.cgi?id=178385
2773         <rdar://problem/35027468>
2774
2775         Reviewed by Saam Barati.
2776
2777         1. Made RopeString check for overflow like the Checked class does.
2778         2. Added a missing overflow check in objectProtoFuncToString().
2779
2780         * runtime/JSString.cpp:
2781         (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
2782         (JSC::JSRopeString::RopeBuilder::expand): Deleted.
2783         * runtime/JSString.h:
2784         * runtime/ObjectPrototype.cpp:
2785         (JSC::objectProtoFuncToString):
2786         * runtime/Operations.h:
2787         (JSC::jsStringFromRegisterArray):
2788         (JSC::jsStringFromArguments):
2789
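The two entries above (the WebAssembly limit clean-up using Checked, and the RopeBuilder
overflow check) both come down to the same pattern: a length or size derived from untrusted
input must be accumulated with overflow detection and then compared against an explicit
upper bound before any allocation happens. The block below is an added illustration of that
pattern, not JavaScriptCore or WTF code: the `CheckedUint32` class is a stand-in for the
idea behind WTF::Checked, and the two limit constants are assumed values chosen for the
example, not JSC's real limits.

```cpp
#include <cstddef>
#include <cstdint>
#include <limits>
#include <vector>

// Assumed limits for illustration only; JSC's actual values are not taken from this page.
constexpr uint32_t kMaxStringLength = std::numeric_limits<int32_t>::max();
constexpr size_t kMaxFunctionBodySize = 7654321;

// Minimal overflow-recording accumulator in the spirit of a "Checked" type
// (assumption: a stand-in, not WTF::Checked). Once any addition overflows,
// the value is poisoned and the flag stays set, so a caller cannot
// accidentally consume a wrapped-around length.
class CheckedUint32 {
public:
    CheckedUint32() = default;
    explicit CheckedUint32(uint32_t value) : m_value(value) {}

    CheckedUint32& operator+=(uint32_t rhs) {
        uint32_t result = 0;
        if (m_overflowed || __builtin_add_overflow(m_value, rhs, &result)) {
            m_overflowed = true;
            m_value = 0;
        } else
            m_value = result;
        return *this;
    }

    bool hasOverflowed() const { return m_overflowed; }
    uint32_t unsafeGet() const { return m_value; }

private:
    uint32_t m_value = 0;
    bool m_overflowed = false;
};

// Sum the lengths of the fibers that would make up a rope string.
// Returns false if the sum wraps around or exceeds the maximum string
// length; only on success is outLength written.
bool computeRopeLength(const std::vector<uint32_t>& fiberLengths, uint32_t& outLength) {
    CheckedUint32 total;
    for (uint32_t length : fiberLengths) {
        total += length;
        if (total.hasOverflowed())
            return false;
    }
    if (total.unsafeGet() > kMaxStringLength)
        return false;
    outLength = total.unsafeGet();
    return true;
}

// Bounds-check a parsed function body: the declared size must be below the
// arbitrary limit, and offset + size must not wrap and must stay inside the
// module bytes. offset and declaredSize are treated as untrusted input.
bool functionBodyFits(size_t moduleSize, size_t offset, size_t declaredSize) {
    if (declaredSize > kMaxFunctionBodySize)
        return false;
    size_t end = 0;
    if (__builtin_add_overflow(offset, declaredSize, &end))
        return false; // offset + declaredSize wrapped around
    return end <= moduleSize;
}
```

The order of the checks matters: the limit comparison happens on the checked total, never on
a raw sum, and the range check rejects a wrapped `offset + size` before it is compared with
the module size, which is exactly the class of bug a missing overflow check would let through.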
2790 2017-10-26  JF Bastien  <jfbastien@apple.com>
2791
2792         WebAssembly: no VM / JS version of our implementation
2793         https://bugs.webkit.org/show_bug.cgi?id=177472
2794
2795         Reviewed by Michael Saboff.
2796
2797         This patch removes all appearances of "JS" and "VM" in the wasm
2798         directory. These now only appear in the wasm/js directory, which
2799         is only used in a JS embedding of wasm. It should therefore now be
2800         possible to create non-JS embeddings of wasm through JSC, though
2801         it'll still require:
2802
2803           - Mild codegen for wasm<->embedder calls;
2804           - A strategy for trap handling (no need for full unwind! Could kill).
2805           - Creation of the Wasm::* objects.
2806           - Calling convention handling to call the embedder.
2807           - Handling of multiple embedders (see #177475, this is optional).
2808
2809         Most of the patch consists of renaming JSWebAssemblyInstance to
2810         Instance, and removing temporary copies which I'd added to make
2811         this specific patch very simple.
2812
2813         * interpreter/CallFrame.cpp:
2814         (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place
2815         which needs to know about who "owns" the Wasm::Instance. In a JS
2816         embedding it's the JSWebAssemblyInstance.
2817         * wasm/WasmB3IRGenerator.cpp:
2818         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2819         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2820         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2821         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2822         (JSC::Wasm::B3IRGenerator::getGlobal):
2823         (JSC::Wasm::B3IRGenerator::setGlobal):
2824         (JSC::Wasm::B3IRGenerator::addCall):
2825         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2826         * wasm/WasmBinding.cpp:
2827         (JSC::Wasm::wasmToWasm):
2828         * wasm/WasmContext.cpp:
2829         (JSC::Wasm::Context::load const):
2830         (JSC::Wasm::Context::store):
2831         * wasm/WasmContext.h:
2832         * wasm/WasmEmbedder.h:
2833         * wasm/WasmInstance.cpp:
2834         (JSC::Wasm::Instance::Instance):
2835         (JSC::Wasm::Instance::create):
2836         (JSC::Wasm::Instance::extraMemoryAllocated const):
2837         * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
2838         "tail" import information from JSWebAssemblyInstance over to here.
2839         (JSC::Wasm::Instance::finalizeCreation):
2840         (JSC::Wasm::Instance::owner const):
2841         (JSC::Wasm::Instance::offsetOfOwner):
2842         (JSC::Wasm::Instance::context const):
2843         (JSC::Wasm::Instance::setMemory):
2844         (JSC::Wasm::Instance::setTable):
2845         (JSC::Wasm::Instance::offsetOfMemory):
2846         (JSC::Wasm::Instance::offsetOfGlobals):
2847         (JSC::Wasm::Instance::offsetOfTable):
2848         (JSC::Wasm::Instance::offsetOfTail):
2849         (JSC::Wasm::Instance::numImportFunctions const):
2850         (JSC::Wasm::Instance::importFunctionInfo):
2851         (JSC::Wasm::Instance::offsetOfTargetInstance):
2852         (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
2853         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
2854         (JSC::Wasm::Instance::offsetOfImportFunction):
2855         (JSC::Wasm::Instance::importFunction):
2856         (JSC::Wasm::Instance::allocationSize):
2857         (JSC::Wasm::Instance::create): Deleted.
2858         * wasm/WasmOMGPlan.cpp:
2859         (JSC::Wasm::OMGPlan::runForIndex):
2860         * wasm/WasmOMGPlan.h:
2861         * wasm/WasmTable.cpp:
2862         (JSC::Wasm::Table::Table):
2863         (JSC::Wasm::Table::setFunction):
2864         * wasm/WasmTable.h:
2865         * wasm/WasmThunks.cpp:
2866         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2867         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2868         * wasm/js/JSToWasm.cpp:
2869         (JSC::Wasm::createJSToWasmWrapper):
2870         * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
2871         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
2872         decides what the import function is. Here we must properly
2873         placement-new it to what we've elected (and initialize it later).
2874         (JSC::JSWebAssemblyInstance::visitChildren):
2875         (JSC::JSWebAssemblyInstance::finalizeCreation):
2876         (JSC::JSWebAssemblyInstance::create):
2877         * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
2878         (JSC::JSWebAssemblyInstance::instance):
2879         (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
2880         (JSC::JSWebAssemblyInstance::setMemory):
2881         (JSC::JSWebAssemblyInstance::table):
2882         (JSC::JSWebAssemblyInstance::setTable):
2883         (JSC::JSWebAssemblyInstance::offsetOfInstance):
2884         (JSC::JSWebAssemblyInstance::offsetOfCallee):
2885         (JSC::JSWebAssemblyInstance::context const): Deleted.
2886         (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
2887         (): Deleted.
2888         (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
2889         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
2890         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
2891         (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
2892         (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
2893         (JSC::JSWebAssemblyInstance::importFunction): Deleted.
2894         (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
2895         (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
2896         (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
2897         (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
2898         (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
2899         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
2900         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
2901         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
2902         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
2903         (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
2904         (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
2905         (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
2906         (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
2907         (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
2908         * wasm/js/JSWebAssemblyTable.cpp:
2909         (JSC::JSWebAssemblyTable::setFunction):
2910         * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
2911         (JSC::Wasm::materializeImportJSCell):
2912         (JSC::Wasm::handleBadI64Use):
2913         (JSC::Wasm::wasmToJS):
2914         (JSC::Wasm::wasmToJSException):
2915         * wasm/js/WasmToJS.h:
2916         * wasm/js/WebAssemblyFunction.cpp:
2917         (JSC::callWebAssemblyFunction):
2918         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2919         (JSC::constructJSWebAssemblyInstance):
2920         * wasm/js/WebAssemblyModuleRecord.cpp:
2921         (JSC::WebAssemblyModuleRecord::link):
2922         (JSC::WebAssemblyModuleRecord::evaluate):
2923         * wasm/js/WebAssemblyPrototype.cpp:
2924         (JSC::instantiate):
2925         * wasm/js/WebAssemblyWrapperFunction.cpp:
2926         (JSC::WebAssemblyWrapperFunction::create):
2927
2928 2017-10-25  Devin Rousso  <webkit@devinrousso.com>
2929
2930         Web Inspector: provide a way to enable/disable event listeners
2931         https://bugs.webkit.org/show_bug.cgi?id=177451
2932         <rdar://problem/34994925>
2933
2934         Reviewed by Joseph Pecoraro.
2935
2936         * inspector/protocol/DOM.json:
2937         Add `setEventListenerDisabled` command that enables/disables a specific event listener
2938         during event dispatch. When a disabled event listener is fired, the listener's callback will
2939         not be called.
2940
2941 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2942
2943         Unreviewed, rolling out r223691 and r223729.
2944         https://bugs.webkit.org/show_bug.cgi?id=178834
2945
2946         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2947         by rniwa on #webkit).
2948
2949         Reverted changesets:
2950
2951         "Turn recursive tail calls into loops"
2952         https://bugs.webkit.org/show_bug.cgi?id=176601
2953         https://trac.webkit.org/changeset/223691
2954
2955         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2956         comparison is always false due to limited range of data type
2957         [-Wtype-limits]"
2958         https://bugs.webkit.org/show_bug.cgi?id=178543
2959         https://trac.webkit.org/changeset/223729
2960
2961 2017-10-25  Michael Saboff  <msaboff@apple.com>
2962
2963         REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
2964         https://bugs.webkit.org/show_bug.cgi?id=178825
2965
2966         Reviewed by Mark Lam.
2967
2968         Enable ARC for ARM64_32.  This eliminates the need for setting CLANG_ENABLE_OBJC_WEAK.
2969
2970         * Configurations/ToolExecutable.xcconfig:
2971
2972 2017-10-25  Keith Miller  <keith_miller@apple.com>
2973
2974         Fix implicit cast of enum, which seems to break the windows build of unified sources.
2975         https://bugs.webkit.org/show_bug.cgi?id=178822
2976
2977         Reviewed by Saam Barati.
2978
2979         * bytecode/DFGExitProfile.h:
2980         (JSC::DFG::FrequentExitSite::hash const):
2981
2982 2017-10-24  Michael Saboff  <msaboff@apple.com>
2983
2984         Allow ObjC Weak References when building TestAPI
2985         https://bugs.webkit.org/show_bug.cgi?id=178748
2986
2987         Reviewed by Dan Bernstein.
2988
2989         Set TestAPI build flag Weak References in Manual Retain Release to true.
2990
2991         * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
2992         * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
2993
2994 2017-10-24  Eric Carlson  <eric.carlson@apple.com>
2995
2996         Web Inspector: Enable WebKit logging configuration and display
2997         https://bugs.webkit.org/show_bug.cgi?id=177027
2998         <rdar://problem/33964767>
2999
3000         Reviewed by Joseph Pecoraro.
3001
3002         * inspector/ConsoleMessage.cpp:
3003         (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage -> 
3004             Inspector::Protocol::Console::ChannelSource.
3005         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
3006         (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
3007             specific to a JSContext yet, so return an empty channel array.
3008         (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
3009         * inspector/agents/JSGlobalObjectConsoleAgent.h:
3010
3011         * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
3012             and setLoggingChannelLevel.
3013
3014         * inspector/scripts/codegen/generator.py: Special case "webrtc"-> "WebRTC".
3015         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3016         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3017         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3018         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3019         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3020
3021         * runtime/ConsoleTypes.h: Add Media and WebRTC.
3022
3023 2017-10-24  Michael Saboff  <msaboff@apple.com>
3024
3025         Allow ObjC Weak References when building TestAPI
3026         https://bugs.webkit.org/show_bug.cgi?id=178748
3027
3028         Reviewed by Saam Barati.
3029
3030         Set TestAPI build flag Weak References in Manual Retain Release to true.
3031
3032         * JavaScriptCore.xcodeproj/project.pbxproj:
3033
3034 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3035
3036         [FTL] Support NewStringObject
3037         https://bugs.webkit.org/show_bug.cgi?id=178737
3038
3039         Reviewed by Saam Barati.
3040
3041         FTL should support NewStringObject and encourage use of NewStringObject in DFG pipeline.
3042         After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
3043
3044         * ftl/FTLAbstractHeapRepository.h:
3045         * ftl/FTLCapabilities.cpp:
3046         (JSC::FTL::canCompile):
3047         * ftl/FTLLowerDFGToB3.cpp:
3048         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3049         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
3050
3051 2017-10-24  Guillaume Emont  <guijemont@igalia.com>
3052
3053         [mips] fix offsets of branches that have to go over a jump
3054         https://bugs.webkit.org/show_bug.cgi?id=153464
3055
3056         The jump() function creates 8 instructions, but the offsets of branches
3057         meant to go over them only account for 6. In most cases, this is not an
3058         issue as the last two instructions of jump() would be nops, but in the
3059         rarer case where the jump destination is in a different 256 MB segment,
3060         MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
3061         the last 4 instructions would be a 2 instruction load (lui/ori) into
3062         $t9, a "j $t9" and then a nop. The wrong offset will mean that the
3063         previous branches meant to go over the whole jump will branch to the
3064         "j $t9" instruction, which would jump to whatever is currently in $t9
3065         (since lui/ori would not be executed).
3066
3067         Reviewed by Michael Catanzaro.
3068
3069         * assembler/MacroAssemblerMIPS.h:
3070         (JSC::MacroAssemblerMIPS::branchAdd32):
3071         (JSC::MacroAssemblerMIPS::branchMul32):
3072         (JSC::MacroAssemblerMIPS::branchSub32):
3073         Fix the offsets of branches meant to go over code generated by jump().
3074
3075 2017-10-24  JF Bastien  <jfbastien@apple.com>
3076
3077         WebAssembly: NFC renames of things that aren't JS-specific
3078         https://bugs.webkit.org/show_bug.cgi?id=178738
3079
3080         Reviewed by Saam Barati.
3081
3082         * wasm/WasmB3IRGenerator.cpp:
3083         (JSC::Wasm::parseAndCompile):
3084         * wasm/WasmB3IRGenerator.h:
3085         * wasm/WasmBBQPlan.cpp:
3086         (JSC::Wasm::BBQPlan::complete):
3087         * wasm/WasmCodeBlock.cpp:
3088         (JSC::Wasm::CodeBlock::CodeBlock):
3089         * wasm/WasmCodeBlock.h:
3090         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
3091         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
3092         * wasm/WasmFormat.h:
3093         * wasm/js/JSToWasm.cpp:
3094         (JSC::Wasm::createJSToWasmWrapper):
3095         * wasm/js/WebAssemblyModuleRecord.cpp:
3096         (JSC::WebAssemblyModuleRecord::link):
3097         (JSC::WebAssemblyModuleRecord::evaluate):
3098
3099 2017-10-24  Stephan Szabo  <stephan.szabo@sony.com>
3100
3101         [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
3102         https://bugs.webkit.org/show_bug.cgi?id=177279
3103
3104         Reviewed by Yusuke Suzuki.
3105
3106         * shell/PlatformJSCOnly.cmake: Added.
3107
3108 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3109
3110         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3111         https://bugs.webkit.org/show_bug.cgi?id=178308
3112
3113         Reviewed by Mark Lam.
3114
3115         With the change of the spec[1], we now do not need to remember star resolution modules.
3116         We reflect this change to our implementation. Since this change is covered by test262,
3117         this patch improves the score of test262.
3118
3119         We also add logging to ResolveExport to debug it easily.
3120
3121         [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
3122
3123         * runtime/AbstractModuleRecord.cpp:
3124         (JSC::AbstractModuleRecord::ResolveQuery::dump const):
3125         (JSC::AbstractModuleRecord::resolveExportImpl):
3126
3127 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3128
3129         [JSC] Use emitDumbVirtualCall in 32bit JIT
3130         https://bugs.webkit.org/show_bug.cgi?id=178644
3131
3132         Reviewed by Mark Lam.
3133
3134         This patch aligns 32bit JIT op_call_eval slow case to 64bit version by using emitDumbVirtualCall.
3135
3136         * jit/JITCall32_64.cpp:
3137         (JSC::JIT::compileCallEvalSlowCase):
3138
3139 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3140
3141         [JSC] Drop ArityCheckData
3142         https://bugs.webkit.org/show_bug.cgi?id=178648
3143
3144         Reviewed by Mark Lam.
3145
3146         ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
3147         However, use of `thunkToCall` is removed in 64bit environment at r189575.
3148
3149         We remove `thunkToCall` and align 32bit implementation to 64bit implementation.
3150         Since we no longer need to have the above pair, we can remove ArityCheckData too.
3151
3152         * llint/LowLevelInterpreter32_64.asm:
3153         * llint/LowLevelInterpreter64.asm:
3154         * runtime/CommonSlowPaths.cpp:
3155         (JSC::SLOW_PATH_DECL):
3156         (JSC::setupArityCheckData): Deleted.
3157         * runtime/CommonSlowPaths.h:
3158         * runtime/VM.cpp:
3159         (JSC::VM::VM):
3160         * runtime/VM.h:
3161
3162 2017-10-23  Keith Miller  <keith_miller@apple.com>
3163
3164         Unreviewed, reland r223866
3165
3166         Didn't break the windows build...
3167
3168         Restored changeset:
3169
3170         "WebAssembly: topEntryFrame on Wasm::Instance"
3171         https://bugs.webkit.org/show_bug.cgi?id=178690
3172         https://trac.webkit.org/changeset/223866
3173
3174
3175 2017-10-23  Commit Queue  <commit-queue@webkit.org>
3176
3177         Unreviewed, rolling out r223866.
3178         https://bugs.webkit.org/show_bug.cgi?id=178699
3179
3180         Probably broke the windows build (Requested by keith_miller on
3181         #webkit).
3182
3183         Reverted changeset:
3184
3185         "WebAssembly: topEntryFrame on Wasm::Instance"
3186         https://bugs.webkit.org/show_bug.cgi?id=178690
3187         https://trac.webkit.org/changeset/223866
3188
3189 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
3190
3191         Web Inspector: Remove unused Console.setMonitoringXHREnabled
3192         https://bugs.webkit.org/show_bug.cgi?id=178617
3193
3194         Reviewed by Sam Weinig.
3195
3196         * JavaScriptCore.xcodeproj/project.pbxproj:
3197         * Sources.txt:
3198         * inspector/agents/InspectorConsoleAgent.h:
3199         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
3200         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
3201         * inspector/protocol/Console.json:
3202         Removed files and method.
3203
3204         * inspector/JSGlobalObjectInspectorController.cpp:
3205         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3206         This can use the base ConsoleAgent now.
3207
3208 2017-10-23  JF Bastien  <jfbastien@apple.com>
3209
3210         WebAssembly: topEntryFrame on Wasm::Instance
3211         https://bugs.webkit.org/show_bug.cgi?id=178690
3212
3213         Reviewed by Saam Barati.
3214
3215         topEntryFrame is usually on VM, but for a no-VM WebAssembly we
3216         need to hold topEntryFrame elsewhere, and generated code cannot
3217         hard-code where topEntryFrame lives. Do this at creation time of
3218         Wasm::Instance, and then generated code will just load from
3219         wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
3220         embedding this is still from VM, so all of the unwinding machinery
3221         stays the same.
3222
3223         * dfg/DFGOSREntry.cpp:
3224         (JSC::DFG::prepareOSREntry):
3225         * dfg/DFGOSRExit.cpp:
3226         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3227         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3228         * ftl/FTLOSRExitCompiler.cpp:
3229         (JSC::FTL::compileStub):
3230         * interpreter/Interpreter.cpp:
3231         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3232         * jit/AssemblyHelpers.cpp:
3233         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
3234         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
3235         * jit/AssemblyHelpers.h:
3236         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
3237         The default parameter was never non-defaulted from any of the
3238         callers. The new version calls the impl directly because it
3239         doesn't have VM and doesn't hard-code the address of
3240         topEntryFrame.
3241         * jit/RegisterSet.cpp:
3242         (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
3243         VM because it's not really VM-specific.
3244         * jit/RegisterSet.h:
3245         * runtime/VM.cpp:
3246         (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
3247         * runtime/VM.h:
3248         (JSC::VM::getCTIStub):
3249         * wasm/WasmB3IRGenerator.cpp:
3250         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3251         (JSC::Wasm::B3IRGenerator::addCall):
3252         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3253         * wasm/WasmInstance.cpp:
3254         (JSC::Wasm::Instance::Instance):
3255         * wasm/WasmInstance.h: topEntryFramePointer will eventually live
3256         here for real. Right now it's mirrored in JSWebAssemblyInstance
3257         because that's the acting Context.
3258         (JSC::Wasm::Instance::create):
3259         (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
3260         * wasm/WasmThunks.cpp:
3261         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3262         * wasm/js/JSWebAssemblyInstance.cpp:
3263         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
3264         * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
3265         (JSC::JSWebAssemblyInstance::offsetOfCallee):
3266         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
3267         (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
3268         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3269         (JSC::constructJSWebAssemblyInstance):
3270         * wasm/js/WebAssemblyPrototype.cpp:
3271         (JSC::instantiate):
3272
3273 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
3274
3275         Web Inspector: Please support HAR Export for network traffic
3276         https://bugs.webkit.org/show_bug.cgi?id=146692
3277         <rdar://problem/7463672>
3278
3279         Reviewed by Brian Burg.
3280
3281         * inspector/protocol/Network.json:
3282         Add a walltime to each send request.
3283
3284 2017-10-23  Matt Lewis  <jlewis3@apple.com>
3285
3286         Unreviewed, rolling out r223820.
3287
3288         This caused a build break on Windows.
3289
3290         Reverted changeset:
3291
3292         "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
3293         https://bugs.webkit.org/show_bug.cgi?id=178617
3294         https://trac.webkit.org/changeset/223820
3295
3296 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3297
3298         [JSC] Use fastJoin in Array#toString
3299         https://bugs.webkit.org/show_bug.cgi?id=178062
3300
3301         Reviewed by Darin Adler.
3302
3303         Array#toString()'s fast path uses the original join operation.
3304         But this should use fastJoin if possible.
3305         This patch adds a fast path using fastJoin in Array#toString.
3306         And we also extend fastJoin to perform fast joining for int32
3307         arrays.
3308
3309                                              baseline                  patched
3310
3311         double-array-to-string          126.6157+-5.8625     ^    103.7343+-4.4968        ^ definitely 1.2206x faster
3312         int32-array-to-string            64.7792+-2.6524           61.2390+-2.1749          might be 1.0578x faster
3313         contiguous-array-to-string       62.6224+-2.6388     ^     56.9899+-2.0852        ^ definitely 1.0988x faster
3314
3315
3316         * runtime/ArrayPrototype.cpp:
3317         (JSC::fastJoin):
3318         (JSC::arrayProtoFuncToString):
3319         (JSC::arrayProtoFuncToLocaleString):
3320         * runtime/JSStringJoiner.h:
3321         (JSC::JSStringJoiner::appendWithoutSideEffects):
3322         (JSC::JSStringJoiner::appendInt32):
3323         (JSC::JSStringJoiner::appendDouble):
3324
3325 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3326
3327         [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
3328         https://bugs.webkit.org/show_bug.cgi?id=178452
3329
3330         Reviewed by Yusuke Suzuki.
3331
3332         * heap/RegisterState.h: Re-enable the custom RegisterState and
3333         ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
3334         cause any crashes nowadays.
3335
3336 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3337
3338         [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
3339         https://bugs.webkit.org/show_bug.cgi?id=178647
3340
3341         Reviewed by Saam Barati.
3342
3343         There is much code that counts slow cases in fast paths in order to call `linkSlowCase` carefully. This is really error-prone,
3344         since the number of slow cases depends on the values of the instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
3345         which drains all slow cases for a specified bytecode offset. In typical cases, like just calling a slow path function,
3346         this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.
3347
3348         * jit/JIT.h:
3349         (JSC::JIT::linkAllSlowCases):
3350         * jit/JITArithmetic.cpp:
3351         (JSC::JIT::emitSlow_op_unsigned):
3352         (JSC::JIT::emit_compareAndJump):
3353         (JSC::JIT::emit_compareAndJumpSlow):
3354         (JSC::JIT::emitSlow_op_inc):
3355         (JSC::JIT::emitSlow_op_dec):
3356         (JSC::JIT::emitSlow_op_mod):
3357         (JSC::JIT::emitSlow_op_negate):
3358         (JSC::JIT::emitSlow_op_bitand):
3359         (JSC::JIT::emitSlow_op_bitor):
3360         (JSC::JIT::emitSlow_op_bitxor):
3361         (JSC::JIT::emitSlow_op_lshift):
3362         (JSC::JIT::emitSlow_op_rshift):
3363         (JSC::JIT::emitSlow_op_urshift):
3364         (JSC::JIT::emitSlow_op_add):
3365         (JSC::JIT::emitSlow_op_div):
3366         (JSC::JIT::emitSlow_op_mul):
3367         (JSC::JIT::emitSlow_op_sub):
3368         * jit/JITArithmetic32_64.cpp:
3369         (JSC::JIT::emit_compareAndJumpSlow):
3370         (JSC::JIT::emitSlow_op_unsigned):
3371         (JSC::JIT::emitSlow_op_inc):
3372         (JSC::JIT::emitSlow_op_dec):
3373         (JSC::JIT::emitSlow_op_mod):
3374         * jit/JITCall.cpp: