b4633bb4110740be46ef5429c8d93218226ddccc
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-07-21  Mark Lam  <mark.lam@apple.com>

        Refactor MASM probe CPUState to use arrays for register storage.
        https://bugs.webkit.org/show_bug.cgi?id=174694

        Reviewed by Keith Miller.

        Using arrays for register storage in CPUState allows us to do away with the
        huge switch statements to decode each register id.  We can now simply index into
        the arrays.

        With this patch, we now:

        1. Remove the need for macros for defining the list of CPU registers.
           We can go back to simple enums.  This makes the code easier to read.

        2. Make the assembler the authority on register names.
           Most of this code is moved into the assembler from GPRInfo and FPRInfo.
           GPRInfo and FPRInfo now forward to the assembler.

        3. Make the assembler the authority on the number of registers of each type.

        4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
           This is inconsistent with how every other CPU architecture implements
           lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
           updates RegisterSet::reservedHardwareRegisters() to exclude those registers.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::numberOfRegisters):
        (JSC::ARM64Assembler::firstSPRegister):
        (JSC::ARM64Assembler::lastSPRegister):
        (JSC::ARM64Assembler::numberOfSPRegisters):
        (JSC::ARM64Assembler::numberOfFPRegisters):
        (JSC::ARM64Assembler::gprName):
        (JSC::ARM64Assembler::sprName):
        (JSC::ARM64Assembler::fprName):
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::numberOfRegisters):
        (JSC::ARMAssembler::firstSPRegister):
        (JSC::ARMAssembler::lastSPRegister):
        (JSC::ARMAssembler::numberOfSPRegisters):
        (JSC::ARMAssembler::numberOfFPRegisters):
        (JSC::ARMAssembler::gprName):
        (JSC::ARMAssembler::sprName):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastRegister):
        (JSC::ARMv7Assembler::numberOfRegisters):
        (JSC::ARMv7Assembler::firstSPRegister):
        (JSC::ARMv7Assembler::lastSPRegister):
        (JSC::ARMv7Assembler::numberOfSPRegisters):
        (JSC::ARMv7Assembler::numberOfFPRegisters):
        (JSC::ARMv7Assembler::gprName):
        (JSC::ARMv7Assembler::sprName):
        (JSC::ARMv7Assembler::fprName):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::numberOfRegisters):
        (JSC::AbstractMacroAssembler::gprName):
        (JSC::AbstractMacroAssembler::firstSPRegister):
        (JSC::AbstractMacroAssembler::lastSPRegister):
        (JSC::AbstractMacroAssembler::numberOfSPRegisters):
        (JSC::AbstractMacroAssembler::sprName):
        (JSC::AbstractMacroAssembler::numberOfFPRegisters):
        (JSC::AbstractMacroAssembler::fprName):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::numberOfRegisters):
        (JSC::MIPSAssembler::firstSPRegister):
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::numberOfFPRegisters):
        (JSC::MIPSAssembler::gprName):
        (JSC::MIPSAssembler::sprName):
        (JSC::MIPSAssembler::fprName):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName):
        (JSC::MacroAssembler::CPUState::sprName):
        (JSC::MacroAssembler::CPUState::fprName):
        (JSC::MacroAssembler::CPUState::gpr):
        (JSC::MacroAssembler::CPUState::spr):
        (JSC::MacroAssembler::CPUState::fpr):
        (JSC::MacroAssembler::CPUState::pc):
        (JSC::MacroAssembler::CPUState::fp):
        (JSC::MacroAssembler::CPUState::sp):
        (JSC::ProbeContext::gpr):
        (JSC::ProbeContext::spr):
        (JSC::ProbeContext::fpr):
        (JSC::ProbeContext::gprName):
        (JSC::ProbeContext::sprName):
        (JSC::ProbeContext::fprName):
        (JSC::MacroAssembler::numberOfRegisters): Deleted.
        (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeTrampoline):
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::nextID):
        (JSC::Printer::printAllRegisters):
        (JSC::Printer::printPCRegister):
        (JSC::Printer::printRegisterID):
        (JSC::Printer::printAddress):
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::numberOfRegisters):
        (JSC::X86Assembler::firstSPRegister):
        (JSC::X86Assembler::lastSPRegister):
        (JSC::X86Assembler::numberOfSPRegisters):
        (JSC::X86Assembler::numberOfFPRegisters):
        (JSC::X86Assembler::gprName):
        (JSC::X86Assembler::sprName):
        (JSC::X86Assembler::fprName):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::debugName):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::debugName):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):

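The array-indexed CPUState described in the entry above, as an added illustration that is not JavaScriptCore's code: a plain enum whose enumerators run contiguously from zero doubles as the array index and as the register count, so gpr(id) becomes an index plus a bounds assertion instead of a switch over every register. The register set (r0..r4, sp, lr, pc), the FPR set, and every name below are assumptions chosen for the example; JSC's real enums live in the per-architecture assemblers.

```cpp
// Added illustration, not JavaScriptCore code. All names are hypothetical.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

namespace probe_demo {

// Hypothetical GPR set. Enumerators are contiguous from 0, so the trailing
// enumerator is also the element count ("the assembler is the authority").
enum RegisterID : uint8_t { r0, r1, r2, r3, r4, sp, lr, pc, numberOfRegisters };
enum FPRegisterID : uint8_t { d0, d1, d2, d3, numberOfFPRegisters };

constexpr RegisterID firstRegister = r0;
constexpr RegisterID lastRegister = pc; // the true last GPR, as in the ARMv7 fix above

// Registers the JIT must never allocate. Reported by a separate predicate rather
// than by shortening lastRegister(), mirroring reservedHardwareRegisters().
constexpr bool isReservedHardwareRegister(RegisterID id)
{
    return id == sp || id == lr || id == pc;
}

// Name tables are indexed by the same ids; no per-register switch is needed.
constexpr const char* gprNames[numberOfRegisters] = { "r0", "r1", "r2", "r3", "r4", "sp", "lr", "pc" };
constexpr const char* fprNames[numberOfFPRegisters] = { "d0", "d1", "d2", "d3" };

inline const char* gprName(RegisterID id)
{
    assert(id >= firstRegister && id <= lastRegister);
    return gprNames[id];
}

inline const char* fprName(FPRegisterID id)
{
    assert(id < numberOfFPRegisters);
    return fprNames[id];
}

struct CPUState {
    uintptr_t gprs[numberOfRegisters] = {};
    double fprs[numberOfFPRegisters] = {};

    // The id is the array index; the asserts are the only "decoding" left.
    uintptr_t& gpr(RegisterID id)
    {
        assert(id >= firstRegister && id <= lastRegister);
        return gprs[id];
    }
    double& fpr(FPRegisterID id)
    {
        assert(id < numberOfFPRegisters);
        return fprs[id];
    }

    // Named accessors stay thin wrappers over the indexed form.
    uintptr_t& stackPointer() { return gpr(sp); }
    uintptr_t& linkRegister() { return gpr(lr); }
    uintptr_t& programCounter() { return gpr(pc); }
};

// Registers an allocator may hand out: every GPR minus the reserved ones.
inline size_t allocatableRegisterCount()
{
    size_t count = 0;
    for (int id = firstRegister; id <= lastRegister; ++id) {
        if (!isReservedHardwareRegister(static_cast<RegisterID>(id)))
            ++count;
    }
    return count;
}

// Fill each GPR with a value derived from its id and check that indexed access,
// the named accessor and the name table agree. Returns the number of GPRs touched.
inline size_t fillAndVerify(CPUState& state)
{
    for (int id = firstRegister; id <= lastRegister; ++id)
        state.gpr(static_cast<RegisterID>(id)) = 0x1000u + static_cast<uintptr_t>(id);
    assert(state.programCounter() == 0x1000u + static_cast<uintptr_t>(pc));
    assert(std::strcmp(gprName(lastRegister), "pc") == 0);
    return static_cast<size_t>(lastRegister - firstRegister + 1);
}

inline size_t runDemo()
{
    CPUState state;
    return fillAndVerify(state);
}

} // namespace probe_demo

int main()
{
    std::printf("checked %zu GPRs, %zu allocatable\n", probe_demo::runDemo(), probe_demo::allocatableRegisterCount());
    return 0;
}
```

The split between lastRegister() and isReservedHardwareRegister() is the point of item 4 above: the range of ids stays complete so that array sizes and name tables cover every register, while the policy about which of them an allocator may use lives in one predicate.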
2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce static symbols
        https://bugs.webkit.org/show_bug.cgi?id=158863

        Reviewed by Darin Adler.

        We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
        As a result, we can share the same Symbol values between VMs and threads.
        And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.cpp: Added.
        Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.

        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinUtils.h:

2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Arguments elimination is suppressed by unreachable blocks
        https://bugs.webkit.org/show_bug.cgi?id=174352

        Reviewed by Filip Pizlo.

        If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
        The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
        Since GetById without information can escape arguments if it is specified, non-executed code including
        op_get_by_id with arguments can escape arguments.

        For example,

            function test(flag)
            {
                if (flag) {
                    // This is not executed, but emits GetById with arguments.
                    // It prevents us from eliminating materialization.
                    return arguments.length;
                }
                return arguments.length;
            }
            noInline(test);
            while (true)
                test(false);

        We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
        So this GetById exists and escapes arguments.

        To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
        If one is found, the following GetById does not escape arguments. Compared to performing AI, it is
        lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isPseudoTerminal):
        * dfg/DFGValidate.cpp:

2017-07-20  Chris Dumez  <cdumez@apple.com>

        Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
        https://bugs.webkit.org/show_bug.cgi?id=174660

        Reviewed by Geoffrey Garen.

        Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
        This essentially replaces a branch to figure out if the new size is less or greater than the
        current size with an assertion.

        * b3/B3BasicBlockUtils.h:
        (JSC::B3::clearPredecessors):
        * b3/B3InferSwitches.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
        * b3/B3ReduceStrength.cpp:
        * b3/B3SparseCollection.h:
        (JSC::B3::SparseCollection::packIndices):
        * b3/B3UseCounts.cpp:
        (JSC::B3::UseCounts::UseCounts):
        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirOptimizeBlockOrder.cpp:
        (JSC::B3::Air::optimizeBlockOrder):
        * bytecode/Operands.h:
        (JSC::Operands::ensureLocals):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargetsInternal):
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::execute):
        * dfg/DFGBlockMapInlines.h:
        (JSC::DFG::BlockMap<T>::BlockMap):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processSetLocalQueue):
        (JSC::DFG::ByteCodeParser::clearCaches):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        * dfg/DFGFlowIndexing.cpp:
        (JSC::DFG::FlowIndexing::recompute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerFrozenValues):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::setLiveValues):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGNaturalLoops.cpp:
        (JSC::DFG::NaturalLoops::NaturalLoops):
        * dfg/DFGStoreBarrierClusteringPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweepLargeAllocations):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::shrinkOperandStackBy):
        * parser/Lexer.h:
        (JSC::Lexer::setOffset):
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::genericSplit):
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::match):

2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
        https://bugs.webkit.org/show_bug.cgi?id=174678

        Reviewed by Mark Lam.

        Use Thread& instead.

        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Implement WTF::ThreadGroup
        https://bugs.webkit.org/show_bug.cgi?id=174081

        Reviewed by Mark Lam.

        A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
        And SamplingProfiler and others interact with WTF::Thread directly.

        * API/tests/ExecutionTimeLimitTest.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
        (JSC::ActiveMachineThreadsManager::add): Deleted.
        (JSC::ActiveMachineThreadsManager::remove): Deleted.
        (JSC::ActiveMachineThreadsManager::contains): Deleted.
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
        (JSC::activeMachineThreadsManager): Deleted.
        (JSC::MachineThreads::~MachineThreads): Deleted.
        (JSC::MachineThreads::addCurrentThread): Deleted.
        (): Deleted.
        (JSC::MachineThreads::removeThread): Deleted.
        (JSC::MachineThreads::removeThreadIfFound): Deleted.
        (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
        (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
        (JSC::MachineThreads::MachineThread::captureStack): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threads):
        (JSC::MachineThreads::MachineThread::suspend): Deleted.
        (JSC::MachineThreads::MachineThread::resume): Deleted.
        (JSC::MachineThreads::MachineThread::threadID): Deleted.
        (JSC::MachineThreads::MachineThread::stackBase): Deleted.
        (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
        (JSC::MachineThreads::threadsListHead): Deleted.
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        * runtime/SamplingProfiler.h:
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:
        * b3/B3FoldPathConstants.cpp:
        * b3/B3LowerMacros.cpp:
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::check):
        (JSC::DFG::ByteCodeParser::planLoad):

2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF::Thread should have the threads stack bounds.
        https://bugs.webkit.org/show_bug.cgi?id=173975

        Reviewed by Mark Lam.

        There is a site in JSC that tries to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We work around this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
        coupled with Thread. Thus putting it in WTF::Thread is a natural choice.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::captureStack):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        * runtime/VMTraps.cpp:

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig:

2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Modernize InjectedScriptSource
        https://bugs.webkit.org/show_bug.cgi?id=173890

        Reviewed by Brian Burg.

        * inspector/InjectedScript.h:
        Reorder functions to be slightly better.

        * inspector/InjectedScriptSource.js:
        - Convert to classes named InjectedScript and RemoteObject
        - Align InjectedScript's API with the wrapper C++ interfaces
        - Move some code to RemoteObject where appropriate (subtype, describe)
        - Move some code to helper functions (isPrimitiveValue, isDefined)
        - Refactor for readability and modern features
        - Remove some unused / unnecessary code

2017-07-18  Mark Lam  <mark.lam@apple.com>

        Butterfly storage need not be initialized for indexing type Undecided.
        https://bugs.webkit.org/show_bug.cgi?id=174516

        Reviewed by Saam Barati.

        While it's not incorrect to initialize the butterfly storage when the
        indexingType is Undecided, it is inefficient as we'll end up initializing
        it again later when we convert the storage to a different indexingType.
        Some of our code already skips initializing Undecided butterflies.
        This patch makes it the consistent behavior everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

2017-07-18  Saam Barati  <sbarati@apple.com>

        AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
        https://bugs.webkit.org/show_bug.cgi?id=174515
        <rdar://problem/33358092>

        Reviewed by Filip Pizlo.

        AirLowerAfterRegAlloc was computing the set of available scratch
        registers incorrectly. It was always excluding callee save registers
        from the set of live registers. It did not guarantee that live callee save
        registers were not in the set of scratch registers that could
        get clobbered. That's incorrect as the shuffling code is free
        to overwrite whatever is in the scratch register it gets passed.

        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/testb3.cpp:
        (JSC::B3::functionNineArgs):
        (JSC::B3::testShuffleDoesntTrashCalleeSaves):
        (JSC::B3::run):
        * jit/RegisterSet.h:

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2017-07-18  Devin Rousso  <drousso@apple.com>

        Web Inspector: Add memoryCost to Inspector Protocol objects
        https://bugs.webkit.org/show_bug.cgi?id=174478

        Reviewed by Joseph Pecoraro.

        For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
        plus the memoryCost of the data if it is a string.

        For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.

        For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
        key plus the memoryCost of the InspectorValue for each entry.

        Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp

        * inspector/InspectorValues.h:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::memoryCost):
        (Inspector::InspectorObjectBase::memoryCost):
        (Inspector::InspectorArrayBase::memoryCost):

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2017-07-18  Michael Saboff  <msaboff@apple.com>

        [JSC] There should be a debug option to dump a compiled RegExp Pattern
        https://bugs.webkit.org/show_bug.cgi?id=174601

        Reviewed by Alex Christensen.

        Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
        objects after a regular expression has been compiled.

        * runtime/Options.h:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::PatternAlternative::dump):
        (JSC::Yarr::PatternTerm::dumpQuantifier):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::PatternDisjunction::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::global):

2017-07-17  Darin Adler  <darin@apple.com>

        Improve use of NeverDestroyed
        https://bugs.webkit.org/show_bug.cgi?id=174348

        Reviewed by Sam Weinig.

        * heap/MachineStackMarker.cpp:
        * wasm/WasmMemory.cpp:
        Removed unneeded includes of NeverDestroyed.h in files that do not make use
        of NeverDestroyed.

2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>

        [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
        https://bugs.webkit.org/show_bug.cgi?id=174547

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2017-07-17  Saam Barati  <sbarati@apple.com>

        Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
        https://bugs.webkit.org/show_bug.cgi?id=174584

        Rubber stamped by Keith Miller.

        I used it to diagnose a bug. The bug is now fixed. This custom
        RELEASE_ASSERT is no longer needed.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>

        -Wformat-truncation warning in ConfigFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=174506

        Reviewed by Darin Adler.

        Check if the JSC config filename would be truncated due to exceeding max path length. If so,
        return ParseError.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>

        [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
        https://bugs.webkit.org/show_bug.cgi?id=174557

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt:

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use std::unique_ptr for StackTrace
        https://bugs.webkit.org/show_bug.cgi?id=174495

        Reviewed by Alex Christensen.

        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/VM.cpp:
        (JSC::VM::throwException):

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
        https://bugs.webkit.org/show_bug.cgi?id=174423

        Reviewed by Saam Barati.

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneHeap):
        (JSC::DFG::AvailabilityMap::pruneByLiveness):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Fix compiler warnings when building with GCC 7
        https://bugs.webkit.org/show_bug.cgi?id=174463

        Reviewed by Darin Adler.

        * disassembler/udis86/udis86_decode.c:
        (decode_operand):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Incorrect assertion in JSC::CallLinkInfo::callTypeFor
        https://bugs.webkit.org/show_bug.cgi?id=174467

        Reviewed by Saam Barati.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callTypeFor):

2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused and untested Page domain commands
        https://bugs.webkit.org/show_bug.cgi?id=174429

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Page.json:

2017-07-13  Saam Barati  <sbarati@apple.com>

        Missing exception check in JSObject::hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=174455
        <rdar://problem/31384608>

        Reviewed by Mark Lam.

        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):

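The three memoryCost rules in the entry above, carried through on a small JSON-like value type as an added example (not WebKit's InspectorValue code): a scalar costs the object itself plus its character data if it is a string, an array costs the sum of its items, and an object costs, per entry, the key's string cost plus the value's cost. The value type, the per-character string cost (one byte per 8-bit character) and the sample tree are assumptions made for the example.

```cpp
// Added illustration, not WebKit code. The value type and cost figures are assumptions.
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

namespace cost_demo {

struct Value;
using ValuePtr = std::shared_ptr<Value>;

struct Value {
    enum class Type { Null, Boolean, Number, String, Array, Object };

    Type type = Type::Null;
    std::string string;                                    // payload when type == String
    std::vector<ValuePtr> items;                           // payload when type == Array
    std::vector<std::pair<std::string, ValuePtr>> entries; // payload when type == Object

    static ValuePtr number()
    {
        auto v = std::make_shared<Value>();
        v->type = Type::Number;
        return v;
    }
    static ValuePtr str(std::string s)
    {
        auto v = std::make_shared<Value>();
        v->type = Type::String;
        v->string = std::move(s);
        return v;
    }
    static ValuePtr array(std::vector<ValuePtr> v)
    {
        auto value = std::make_shared<Value>();
        value->type = Type::Array;
        value->items = std::move(v);
        return value;
    }
    static ValuePtr object(std::vector<std::pair<std::string, ValuePtr>> e)
    {
        auto value = std::make_shared<Value>();
        value->type = Type::Object;
        value->entries = std::move(e);
        return value;
    }
};

// Assumed cost of a string's character data: one byte per 8-bit character.
inline size_t stringMemoryCost(const std::string& s) { return s.size(); }

inline size_t memoryCost(const Value& v)
{
    switch (v.type) {
    case Value::Type::Array: {
        // Array rule: the sum of the items' costs.
        size_t total = 0;
        for (const auto& item : v.items)
            total += memoryCost(*item);
        return total;
    }
    case Value::Type::Object: {
        // Object rule: for each entry, the key's string cost plus the value's cost.
        size_t total = 0;
        for (const auto& entry : v.entries)
            total += stringMemoryCost(entry.first) + memoryCost(*entry.second);
        return total;
    }
    default:
        // Scalar rule: the object itself, plus the character data if it is a string.
        return sizeof(Value) + (v.type == Value::Type::String ? stringMemoryCost(v.string) : 0);
    }
}

// Builds the constructed sample {"id": 7, "tags": ["a", "bb"], "name": "x"} and returns its cost:
// keys 2 + 4 + 4, string data 1 + 2 + 1, and four scalar values of sizeof(Value) each.
inline size_t sampleCost()
{
    ValuePtr root = Value::object({
        { "id", Value::number() },
        { "tags", Value::array({ Value::str("a"), Value::str("bb") }) },
        { "name", Value::str("x") },
    });
    return memoryCost(*root);
}

// Edge case of the rules as stated: a container with no contents reports zero.
inline size_t emptyArrayCost() { return memoryCost(*Value::array({})); }

} // namespace cost_demo
```

Because the container rules count only contents, an empty array or object reports a cost of zero under this formulation; a deployment that uses the figure to bound inspector memory would want a per-container base cost added, which is outside what the entry describes.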
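The truncation check described in the entry above, as an added example that is not JSC's ConfigFile code: the path is formatted into a fixed-size buffer and a result that would not fit is turned into ParseError instead of being used, since a silently shortened path would name a different file. The buffer size (kept tiny so the boundary is visible), the directory and file names, and the function names are assumptions for the example.

```cpp
// Added illustration, not JavaScriptCore code. Buffer size and names are assumptions.
#include <cstddef>
#include <cstdio>
#include <string>

namespace config_demo {

enum class ParseResult { Ok, ParseError };

// Deliberately small so the example can show the boundary; a real limit would be PATH_MAX-like.
constexpr size_t maxPathLength = 32;

// snprintf returns the length the complete string would have had (excluding the NUL).
// A value >= the buffer size means the output was cut short; a negative value is an
// encoding error. Both are refused rather than passed on as a path.
inline ParseResult buildConfigPath(const std::string& directory, const std::string& filename, char (&out)[maxPathLength])
{
    int needed = std::snprintf(out, sizeof(out), "%s/%s", directory.c_str(), filename.c_str());
    if (needed < 0 || static_cast<size_t>(needed) >= sizeof(out))
        return ParseResult::ParseError;
    return ParseResult::Ok;
}

// Result-only form for callers that just need the verdict.
inline ParseResult checkConfigPath(const std::string& directory, const std::string& filename)
{
    char buffer[maxPathLength];
    return buildConfigPath(directory, filename, buffer);
}

// Returns the built path, or an empty string when it would have been truncated.
inline std::string configPathOrEmpty(const std::string& directory, const std::string& filename)
{
    char buffer[maxPathLength];
    if (buildConfigPath(directory, filename, buffer) != ParseResult::Ok)
        return std::string();
    return std::string(buffer);
}

} // namespace config_demo
```

The comparison is `>=`, not `>`: a path of exactly maxPathLength characters needs one more byte for the terminator, so it is already a truncation.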
2017-07-13  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Spread
        https://bugs.webkit.org/show_bug.cgi?id=167963

        Reviewed by Saam Barati.

        This patch implements ECMA262 stage 3 Object Spread proposal [1].
        It's implemented using CopyDataPropertiesNoExclusions to copy
        all enumerable keys from the object being spread. The implementation of
        CopyDataPropertiesNoExclusions follows the CopyDataProperties
        implementation, however we don't receive excludedNames as parameter.

        [1] - https://github.com/tc39/proposal-object-rest-spread

        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataPropertiesNoExclusions):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createObjectSpreadExpression):
        (JSC::ASTBuilder::createProperty):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ObjectSpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createObjectSpreadExpression):
        (JSC::SyntaxChecker::createProperty):

2017-07-12  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix after r219434.
        https://bugs.webkit.org/show_bug.cgi?id=174441

        Not reviewed.

        Make public some MacroAssembler functions that are needed by the probe implementation.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::linkCall):

662 2017-07-12  Mark Lam  <mark.lam@apple.com>
663
664         Move Probe code from AbstractMacroAssembler to MacroAssembler.
665         https://bugs.webkit.org/show_bug.cgi?id=174441
666
667         Reviewed by Saam Barati.
668
669         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
670         to MacroAssembler.  There is no code behavior change.
671
672         * assembler/AbstractMacroAssembler.h:
673         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
674         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
675         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
676         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
677         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
678         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
679         * assembler/MacroAssembler.h:
680         (JSC::MacroAssembler::CPUState::gprName):
681         (JSC::MacroAssembler::CPUState::fprName):
682         (JSC::MacroAssembler::CPUState::gpr):
683         (JSC::MacroAssembler::CPUState::fpr):
684         * assembler/MacroAssemblerARM.cpp:
685         (JSC::MacroAssembler::probe):
686         (JSC::MacroAssemblerARM::probe): Deleted.
687         * assembler/MacroAssemblerARM.h:
688         * assembler/MacroAssemblerARM64.cpp:
689         (JSC::MacroAssembler::probe):
690         (JSC::MacroAssemblerARM64::probe): Deleted.
691         * assembler/MacroAssemblerARM64.h:
692         * assembler/MacroAssemblerARMv7.cpp:
693         (JSC::MacroAssembler::probe):
694         (JSC::MacroAssemblerARMv7::probe): Deleted.
695         * assembler/MacroAssemblerARMv7.h:
696         * assembler/MacroAssemblerMIPS.h:
697         * assembler/MacroAssemblerX86Common.cpp:
698         (JSC::MacroAssembler::probe):
699         (JSC::MacroAssemblerX86Common::probe): Deleted.
700         * assembler/MacroAssemblerX86Common.h:
701
702 2017-07-12  Saam Barati  <sbarati@apple.com>
703
704         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
705         https://bugs.webkit.org/show_bug.cgi?id=174411
706         <rdar://problem/31696186>
707
708         Reviewed by Mark Lam.
709
710         The code for deleting an argument was incorrectly referencing state
711         when it decided if it should unmap or mark a property as having its
712         descriptor modified. This patch fixes the bug where if we delete a
713         property, we would sometimes not unmap an argument when deleting it.
714
715         * runtime/GenericArgumentsInlines.h:
716         (JSC::GenericArguments<Type>::getOwnPropertySlot):
717         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
718         (JSC::GenericArguments<Type>::deleteProperty):
719         (JSC::GenericArguments<Type>::deletePropertyByIndex):
720
721 2017-07-12  Commit Queue  <commit-queue@webkit.org>
722
723         Unreviewed, rolling out r219176.
724         https://bugs.webkit.org/show_bug.cgi?id=174436
725
726         "Can cause infinite recursion on iOS" (Requested by mlam on
727         #webkit).
728
729         Reverted changeset:
730
731         "WTF::Thread should have the threads stack bounds."
732         https://bugs.webkit.org/show_bug.cgi?id=173975
733         http://trac.webkit.org/changeset/219176
734
735 2017-07-12  Matt Lewis  <jlewis3@apple.com>
736
737         Unreviewed, rolling out r219401.
738
739         This revision rolled out the previous patch, but after talking
740         with the reviewer, a rebaseline is what was needed. Rolling back in
741         before rebaseline.
742
743         Reverted changeset:
744
745         "Unreviewed, rolling out r219379."
746         https://bugs.webkit.org/show_bug.cgi?id=174400
747         http://trac.webkit.org/changeset/219401
748
749 2017-07-12  Matt Lewis  <jlewis3@apple.com>
750
751         Unreviewed, rolling out r219379.
752
753         This revision caused a consistent failure in the test
754         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
756
757         Reverted changeset:
758
759         "Remove NAVIGATOR_HWCONCURRENCY"
760         https://bugs.webkit.org/show_bug.cgi?id=174400
761         http://trac.webkit.org/changeset/219379
762
763 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
764
765         Wrong radix used in Unicode Escape in invalid character error message
766         https://bugs.webkit.org/show_bug.cgi?id=174419
767
768         Reviewed by Alex Christensen.
769
770         * parser/Lexer.cpp:
771         (JSC::Lexer<T>::invalidCharacterMessage):
772
773 2017-07-11  Dean Jackson  <dino@apple.com>
774
775         Remove NAVIGATOR_HWCONCURRENCY
776         https://bugs.webkit.org/show_bug.cgi?id=174400
777
778         Reviewed by Sam Weinig.
779
780         * Configurations/FeatureDefines.xcconfig:
781
782 2017-07-11  Dean Jackson  <dino@apple.com>
783
784         Rolling out r219372.
785
786         * Configurations/FeatureDefines.xcconfig:
787
788 2017-07-11  Dean Jackson  <dino@apple.com>
789
790         Remove NAVIGATOR_HWCONCURRENCY
791         https://bugs.webkit.org/show_bug.cgi?id=174400
792
793         Reviewed by Sam Weinig.
794
795         * Configurations/FeatureDefines.xcconfig:
796
797 2017-07-11  Saam Barati  <sbarati@apple.com>
798
799         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
800         https://bugs.webkit.org/show_bug.cgi?id=174397
801
802         Rubber stamped by David Kilzer.
803
804         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
805         * wasm/js/WebAssemblyFunctionCell.h: Removed.
806
807 2017-07-10  Saam Barati  <sbarati@apple.com>
808
809         Allocation sinking phase should consider a CheckStructure that would fail as an escape
810         https://bugs.webkit.org/show_bug.cgi?id=174321
811         <rdar://problem/32604963>
812
813         Reviewed by Filip Pizlo.
814
815         When the allocation sinking phase was generating stores to materialize
816         objects in a cycle with each other, it would assume that each materialized
817         object had a valid, non-empty set of structures. This is an OK assumption for
818         the phase to make because how do you materialize an object with no structure?
819         
820         The abstract interpretation part of the phase will model what's in the heap.
821         However, it would sometimes model that a CheckStructure would fail. The phase
822         did nothing special for this; it just stored the empty set of structures for
823         its representation of a particular allocation. However, what the phase proved
824         in such a scenario is that, had the CheckStructure executed, it would have exited.
825         
826         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
827         This will cause the allocation in question to be materialized just before
828         the CheckStructure, and then at execution time, the CheckStructure will exit.
829         
830         I wasn't able to write a test case for this. However, I was able to reproduce
831         this crash by manually editing the IR. I've opened a separate bug to help us
832         create a testing framework for writing tests for hard to reproduce bugs like this:
833         https://bugs.webkit.org/show_bug.cgi?id=174322
834
835         * dfg/DFGObjectAllocationSinkingPhase.cpp:
836
837 2017-07-10  Devin Rousso  <drousso@apple.com>
838
839         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
840         https://bugs.webkit.org/show_bug.cgi?id=174279
841
842         Reviewed by Matt Baker.
843
844         * inspector/protocol/DOM.json:
845         Add `highlightNodeList` command that will highlight each node in the given list.
846
847 2017-07-03  Brian Burg  <bburg@apple.com>
848
849         Web Replay: remove some unused code
850         https://bugs.webkit.org/show_bug.cgi?id=173903
851
852         Rubber-stamped by Joseph Pecoraro.
853
854         * CMakeLists.txt:
855         * Configurations/FeatureDefines.xcconfig:
856         * DerivedSources.make:
857         * JavaScriptCore.xcodeproj/project.pbxproj:
858         * inspector/protocol/Replay.json: Removed.
859         * replay/EmptyInputCursor.h: Removed.
860         * replay/EncodedValue.cpp: Removed.
861         * replay/EncodedValue.h: Removed.
862         * replay/InputCursor.h: Removed.
863         * replay/JSInputs.json: Removed.
864         * replay/NondeterministicInput.h: Removed.
865         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
866         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
867         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
868         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
869         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
870         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
871         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
872         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
873         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
874         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
875         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
876         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
877         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
878         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
879         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
880         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
881         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
882         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
883         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
884         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
885         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
886         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
887         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
888         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
889         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
890         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
891         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
892         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
893         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
894         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
895         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
896         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
897         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
898         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
899         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
900         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
901         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
902         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
903         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
904         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
905         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
906         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
907         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
908         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
909         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
910         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
911         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
912         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
913         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
914         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
915         * replay/scripts/tests/generate-input-with-guard.json: Removed.
916         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
917         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
918         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
919         * runtime/DateConstructor.cpp:
920         (JSC::constructDate):
921         (JSC::dateNow):
922         (JSC::deterministicCurrentTime): Deleted.
923         * runtime/JSGlobalObject.cpp:
924         (JSC::JSGlobalObject::JSGlobalObject):
925         (JSC::JSGlobalObject::setInputCursor): Deleted.
926         * runtime/JSGlobalObject.h:
927         (JSC::JSGlobalObject::inputCursor): Deleted.
928
929 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
930
931         Move make-js-file-arrays.py from WebCore to JavaScriptCore
932         https://bugs.webkit.org/show_bug.cgi?id=174024
933
934         Reviewed by Michael Catanzaro.
935
936         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
937         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
938         Added a command line option to pass the namespace to use instead of always using WebCore.
939
940         * JavaScriptCore.xcodeproj/project.pbxproj:
941         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
942         (main):
943
944 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
945
946         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
947         https://bugs.webkit.org/show_bug.cgi?id=174296
948
949         Reviewed by Mark Lam.
950
951         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
952         It caused a problem in scanning template literals: while template literals normalize
953         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
954         To handle it correctly, LineNumberAdder was introduced.
955
956         As of r219263, <LF><CR> is counted as two line terminators, so we no longer need
957         LineNumberAdder. Let's just use shiftLineTerminator() instead.
958
959         * parser/Lexer.cpp:
960         (JSC::Lexer<T>::parseTemplateLiteral):
961         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
962         (JSC::LineNumberAdder::clear): Deleted.
963         (JSC::LineNumberAdder::add): Deleted.
964
965 2017-07-09  Dan Bernstein  <mitz@apple.com>
966
967         [Xcode] ICU headers aren’t treated as system headers after r219155
968         https://bugs.webkit.org/show_bug.cgi?id=174299
969
970         Reviewed by Sam Weinig.
971
972         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
973           C++ compilers.
974
975         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
976         * runtime/IntlDateTimeFormat.cpp: Ditto.
977         * runtime/JSGlobalObject.cpp: Ditto.
978         * runtime/StringPrototype.cpp: Ditto.
979
980 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
981
982         [JSC] Use fastMalloc / fastFree for STL containers
983         https://bugs.webkit.org/show_bug.cgi?id=174297
984
985         Reviewed by Sam Weinig.
986
987         In some places, we intentionally use STL containers over WTF containers.
988         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
989         because we do not have effective empty / deleted representations in the space of the key's values.
990         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
991
992         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
993         We specify this allocator as the STL containers' allocator template parameter to allocate memory from fastMalloc.
994
995         This WTF::FastAllocator gives us a chance to use STL containers when necessary
996         without compromising memory allocation throughput.
997
998         * dfg/DFGGraph.h:
999         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1000         * ftl/FTLLowerDFGToB3.cpp:
1001         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
1002         * runtime/FunctionHasExecutedCache.h:
1003         * runtime/TypeLocationCache.h:
1004
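As an added illustration of the allocator pattern this entry describes (example code, not WTF's FastAllocator or any WebKit code): a minimal C++11 allocator that routes std::unordered_set/std::unordered_map storage through a malloc/free pair standing in for fastMalloc/fastFree. The names demo::fastMalloc, demo::fastFree, FastAllocator, FastUnorderedSet and FastUnorderedMap are assumptions of this example; the stand-ins count calls so that the routing is observable.

```cpp
// Added example, not WebKit code: an allocator in the spirit of WTF::FastAllocator.
// demo::fastMalloc / demo::fastFree are stand-ins (assumption) for WTF's fastMalloc /
// fastFree; they count calls so that we can observe that STL containers really
// allocate through them instead of through libc malloc.
#include <cstddef>
#include <cstdio>
#include <cstdlib>
#include <new>
#include <string>
#include <unordered_map>
#include <unordered_set>

namespace demo {

// Counters exposed through functions so the block has no globals with
// initialization-order issues.
inline std::size_t& liveAllocations() { static std::size_t n = 0; return n; }
inline std::size_t& totalAllocations() { static std::size_t n = 0; return n; }

inline void* fastMalloc(std::size_t size) {
    void* p = std::malloc(size ? size : 1);
    if (!p)
        throw std::bad_alloc();
    ++liveAllocations();
    ++totalAllocations();
    return p;
}

inline void fastFree(void* p) {
    if (!p)
        return;
    --liveAllocations();
    std::free(p);
}

// Minimal C++11 allocator. It carries no state, so every instance can free
// memory obtained from any other instance (hence operator== is always true).
template <typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() noexcept = default;
    template <typename U>
    FastAllocator(const FastAllocator<U>&) noexcept {}

    T* allocate(std::size_t n) {
        if (n > static_cast<std::size_t>(-1) / sizeof(T))
            throw std::bad_alloc();           // refuse overflowing byte counts
        return static_cast<T*>(fastMalloc(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t) noexcept { fastFree(p); }
};

template <typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return true; }
template <typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return false; }

// Spelling an STL container on the fast allocator: the allocator is the last
// template parameter, after the hash and key-equality functors.
template <typename Key>
using FastUnorderedSet =
    std::unordered_set<Key, std::hash<Key>, std::equal_to<Key>, FastAllocator<Key>>;

template <typename Key, typename Value>
using FastUnorderedMap =
    std::unordered_map<Key, Value, std::hash<Key>, std::equal_to<Key>,
                       FastAllocator<std::pair<const Key, Value>>>;

struct AllocationReport {
    std::size_t total;      // fastMalloc calls made while the containers lived
    std::size_t liveAfter;  // allocations still outstanding once they are gone (expect 0)
    std::size_t setSize;    // distinct keys held by the set
};

// Builds a set and a map on the fast allocator and reports what went through it.
inline AllocationReport exerciseFastContainers() {
    const std::size_t totalBefore = totalAllocations();
    const std::size_t liveBefore = liveAllocations();
    std::size_t setSize = 0;
    {
        FastUnorderedSet<int> seen;
        for (int i = 0; i < 100; ++i)
            seen.insert(i % 17);              // 17 distinct keys -> at least 17 node allocations
        setSize = seen.size();

        FastUnorderedMap<int, std::string> names;
        names[1] = "one";
        names[2] = "two";
        names[1] = "uno";                     // overwrite: no new node
    }   // both containers release every node and bucket array via fastFree
    return { totalAllocations() - totalBefore, liveAllocations() - liveBefore, setSize };
}

} // namespace demo

int main() {
    demo::AllocationReport r = demo::exerciseFastContainers();
    std::printf("fastMalloc calls: %zu, live after teardown: %zu, set size: %zu\n",
                r.total, r.liveAfter, r.setSize);
    return r.liveAfter == 0 ? 0 : 1;
}
```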
1005 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1006
1007         Drop NOSNIFF compile flag
1008         https://bugs.webkit.org/show_bug.cgi?id=174289
1009
1010         Reviewed by Michael Catanzaro.
1011
1012         * Configurations/FeatureDefines.xcconfig:
1013
1014 2017-07-07  AJ Ringer  <aringer@apple.com>
1015
1016         Lower the max_protection for the separated heap
1017         https://bugs.webkit.org/show_bug.cgi?id=174281
1018
1019         Reviewed by Oliver Hunt.
1020
1021         Switch to vm_protect so we can set maximum page protection.
1022
1023         * jit/ExecutableAllocator.cpp:
1024         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1025         (JSC::ExecutableAllocator::allocate):
1026
1027 2017-07-07  Devin Rousso  <drousso@apple.com>
1028
1029         Web Inspector: Show all elements currently using a given CSS Canvas
1030         https://bugs.webkit.org/show_bug.cgi?id=173965
1031
1032         Reviewed by Joseph Pecoraro.
1033
1034         * inspector/protocol/Canvas.json:
1035          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
1036            canvas via -webkit-canvas.
1037          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
1038            added/removed from the list of -webkit-canvas clients.
1039
1040 2017-07-07  Mark Lam  <mark.lam@apple.com>
1041
1042         \n\r is not the same as \r\n.
1043         https://bugs.webkit.org/show_bug.cgi?id=173053
1044
1045         Reviewed by Keith Miller.
1046
1047         * parser/Lexer.cpp:
1048         (JSC::Lexer<T>::shiftLineTerminator):
1049         (JSC::LineNumberAdder::add):
1050
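The line-terminator rule behind this entry and the LineNumberAdder removal above (bug 174296), as an added example that is not WebKit's lexer code: a small scanner over UTF-16 source in which <CR><LF> is one terminator, <LF><CR> is two, and template-literal text is cooked so that its line count stays in step. The names demo::shiftLineTerminator, lastLineNumber and scanTemplateText are this example's own.

```cpp
// Added example, not WebKit code: the line-terminator rule described in the
// ChangeLog, written as a small scanner over UTF-16 source text. <CR><LF> is one
// terminator; <LF><CR> is two; lone <CR>, lone <LF>, U+2028 and U+2029 are one each.
#include <cstddef>
#include <string>

namespace demo {

constexpr char16_t kLineSeparator = u'\u2028';
constexpr char16_t kParagraphSeparator = u'\u2029';

inline bool isLineTerminator(char16_t c) {
    return c == u'\n' || c == u'\r' || c == kLineSeparator || c == kParagraphSeparator;
}

// Consume one line terminator starting at index i, bump the line number once,
// and return the index of the next code unit. Only a <CR> immediately followed
// by <LF> is merged; a <LF> followed by <CR> is left for the next iteration,
// which is what makes <LF><CR> count as two lines.
inline std::size_t shiftLineTerminator(const std::u16string& src, std::size_t i,
                                       std::size_t& lineNumber) {
    ++lineNumber;
    if (src[i] == u'\r' && i + 1 < src.size() && src[i + 1] == u'\n')
        return i + 2;   // <CR><LF>: a single terminator
    return i + 1;
}

// 1-based line number on which the source ends.
inline std::size_t lastLineNumber(const std::u16string& src) {
    std::size_t line = 1;
    for (std::size_t i = 0; i < src.size();)
        i = isLineTerminator(src[i]) ? shiftLineTerminator(src, i, line) : i + 1;
    return line;
}

struct TemplateScan {
    std::u16string cooked;  // text after template-literal line-terminator normalization
    std::size_t lines;      // line number reached at the end of the text
};

// Template literal text normalizes <CR><LF> and lone <CR> to <LF>; line
// counting uses the same shift as ordinary source, so the count stays in
// step with the cooked string (<LF><CR> cooks to <LF><LF> and counts two lines).
inline TemplateScan scanTemplateText(const std::u16string& src) {
    TemplateScan out{ std::u16string(), 1 };
    for (std::size_t i = 0; i < src.size();) {
        char16_t c = src[i];
        if (!isLineTerminator(c)) {
            out.cooked += c;
            ++i;
            continue;
        }
        out.cooked += (c == u'\r') ? u'\n' : c;
        i = shiftLineTerminator(src, i, out.lines);
    }
    return out;
}

} // namespace demo
```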
1051 2017-07-07  Commit Queue  <commit-queue@webkit.org>
1052
1053         Unreviewed, rolling out r219238, r219239, and r219241.
1054         https://bugs.webkit.org/show_bug.cgi?id=174265
1055
1056         "fast/workers/dedicated-worker-lifecycle.html is flaky"
1057         (Requested by yusukesuzuki on #webkit).
1058
1059         Reverted changesets:
1060
1061         "[WTF] Implement WTF::ThreadGroup"
1062         https://bugs.webkit.org/show_bug.cgi?id=174081
1063         http://trac.webkit.org/changeset/219238
1064
1065         "Unreviewed, build fix after r219238"
1066         https://bugs.webkit.org/show_bug.cgi?id=174081
1067         http://trac.webkit.org/changeset/219239
1068
1069         "Unreviewed, CLoop build fix after r219238"
1070         https://bugs.webkit.org/show_bug.cgi?id=174081
1071         http://trac.webkit.org/changeset/219241
1072
1073 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1074
1075         Unreviewed, CLoop build fix after r219238
1076         https://bugs.webkit.org/show_bug.cgi?id=174081
1077
1078         * heap/MachineStackMarker.cpp:
1079
1080 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1081
1082         [WTF] Implement WTF::ThreadGroup
1083         https://bugs.webkit.org/show_bug.cgi?id=174081
1084
1085         Reviewed by Mark Lam.
1086
1087         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
1088         and SamplingProfiler and others interact with WTF::Thread directly.
1089
1090         * API/tests/ExecutionTimeLimitTest.cpp:
1091         * heap/MachineStackMarker.cpp:
1092         (JSC::MachineThreads::MachineThreads):
1093         (JSC::captureStack):
1094         (JSC::MachineThreads::tryCopyOtherThreadStack):
1095         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1096         (JSC::MachineThreads::gatherConservativeRoots):
1097         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1098         (JSC::ActiveMachineThreadsManager::add): Deleted.
1099         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1100         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1101         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1102         (JSC::activeMachineThreadsManager): Deleted.
1103         (JSC::MachineThreads::~MachineThreads): Deleted.
1104         (JSC::MachineThreads::addCurrentThread): Deleted.
1105         (): Deleted.
1106         (JSC::MachineThreads::removeThread): Deleted.
1107         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1108         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1109         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1110         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1111         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1112         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1113         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1114         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1115         * heap/MachineStackMarker.h:
1116         (JSC::MachineThreads::addCurrentThread):
1117         (JSC::MachineThreads::getLock):
1118         (JSC::MachineThreads::threads):
1119         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1120         (JSC::MachineThreads::MachineThread::resume): Deleted.
1121         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1122         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1123         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1124         (JSC::MachineThreads::threadsListHead): Deleted.
1125         * runtime/SamplingProfiler.cpp:
1126         (JSC::FrameWalker::isValidFramePointer):
1127         (JSC::SamplingProfiler::SamplingProfiler):
1128         (JSC::SamplingProfiler::takeSample):
1129         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1130         * runtime/SamplingProfiler.h:
1131         * wasm/WasmMachineThreads.cpp:
1132         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1133
1134 2017-07-06  Saam Barati  <sbarati@apple.com>
1135
1136         We are missing places where we invalidate the for-in context
1137         https://bugs.webkit.org/show_bug.cgi?id=174184
1138
1139         Reviewed by Geoffrey Garen.
1140
1141         * bytecompiler/BytecodeGenerator.cpp:
1142         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
1143         * bytecompiler/NodesCodegen.cpp:
1144         (JSC::EmptyLetExpression::emitBytecode):
1145         (JSC::ForInNode::emitLoopHeader):
1146         (JSC::ForOfNode::emitBytecode):
1147         (JSC::BindingNode::bindValue):
1148
1149 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1150
1151         Unreviewed, suppress warnings in GCC environment
1152
1153         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1154         * runtime/IntlCollator.cpp:
1155         * runtime/IntlDateTimeFormat.cpp:
1156         * runtime/JSGlobalObject.cpp:
1157         * runtime/StringPrototype.cpp:
1158
1159 2017-07-05  Saam Barati  <sbarati@apple.com>
1160
1161         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
1162         https://bugs.webkit.org/show_bug.cgi?id=174188
1163         <rdar://problem/30581423>
1164
1165         Reviewed by Mark Lam.
1166
1167         We were calling lowJSValue(edge) when we were speculating the
1168         edge as double. This isn't allowed. We should have been using
1169         lowDouble.
1170         
1171         This patch also adds a new option, called useArrayAllocationProfiling,
1172         which defaults to true. When false, it will make the array allocation
1173         profile not actually sample seen arrays. It'll force the allocation
1174         profile's predicted indexing type to be ArrayWithUndecided. Adding
1175         this option made it trivial to write a test for this bug.
1176
1177         * bytecode/ArrayAllocationProfile.cpp:
1178         (JSC::ArrayAllocationProfile::updateIndexingType):
1179         * ftl/FTLLowerDFGToB3.cpp:
1180         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1181         * runtime/Options.h:
1182
1183 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1184
1185         WTF::Thread should have the threads stack bounds.
1186         https://bugs.webkit.org/show_bug.cgi?id=173975
1187
1188         Reviewed by Keith Miller.
1189
1190         There is a site in JSC that tries to walk another thread's stack.
1191         Currently, stack bounds are stored in WTFThreadData, which is located
1192         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1193         We work around this situation by holding StackBounds in MachineThread in JSC,
1194         but StackBounds should be put in WTF::Thread instead.
1195
1196         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
1197         information is tightly coupled with Thread. Thus putting it in WTF::Thread
1198         is a natural choice.
1199
1200         * heap/MachineStackMarker.cpp:
1201         (JSC::MachineThreads::MachineThread::MachineThread):
1202         (JSC::MachineThreads::MachineThread::captureStack):
1203         * heap/MachineStackMarker.h:
1204         (JSC::MachineThreads::MachineThread::stackBase):
1205         (JSC::MachineThreads::MachineThread::stackEnd):
1206         * runtime/InitializeThreading.cpp:
1207         (JSC::initializeThreading):
1208         * runtime/VM.cpp:
1209         (JSC::VM::VM):
1210         (JSC::VM::updateStackLimits):
1211         (JSC::VM::committedStackByteCount):
1212         * runtime/VM.h:
1213         (JSC::VM::isSafeToRecurse):
1214         * runtime/VMEntryScope.cpp:
1215         (JSC::VMEntryScope::VMEntryScope):
1216         * runtime/VMInlines.h:
1217         (JSC::VM::ensureStackCapacityFor):
1218         * runtime/VMTraps.cpp:
1219         * yarr/YarrPattern.cpp:
1220         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1221
1222 2017-07-05  Keith Miller  <keith_miller@apple.com>
1223
1224         Crashing with information should have an abort reason
1225         https://bugs.webkit.org/show_bug.cgi?id=174185
1226
1227         Reviewed by Saam Barati.
1228
1229         Add crash information for the abstract interpreter and add an enum
1230         value for object allocation sinking.
1231
1232         * assembler/AbortReason.h:
1233         * dfg/DFGAbstractInterpreterInlines.h:
1234         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1235         * dfg/DFGGraph.cpp:
1236         (JSC::DFG::logDFGAssertionFailure):
1237         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1238
1239 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1240
1241         Remove copy of ICU headers from WebKit
1242         https://bugs.webkit.org/show_bug.cgi?id=116407
1243
1244         Reviewed by Alex Christensen.
1245
1246         Use WTF's copy of ICU headers.
1247
1248         * Configurations/Base.xcconfig:
1249         * icu/unicode/localpointer.h: Removed.
1250         * icu/unicode/parseerr.h: Removed.
1251         * icu/unicode/platform.h: Removed.
1252         * icu/unicode/ptypes.h: Removed.
1253         * icu/unicode/putil.h: Removed.
1254         * icu/unicode/uchar.h: Removed.
1255         * icu/unicode/ucnv.h: Removed.
1256         * icu/unicode/ucnv_err.h: Removed.
1257         * icu/unicode/ucol.h: Removed.
1258         * icu/unicode/uconfig.h: Removed.
1259         * icu/unicode/ucurr.h: Removed.
1260         * icu/unicode/uenum.h: Removed.
1261         * icu/unicode/uiter.h: Removed.
1262         * icu/unicode/uloc.h: Removed.
1263         * icu/unicode/umachine.h: Removed.
1264         * icu/unicode/unorm.h: Removed.
1265         * icu/unicode/unorm2.h: Removed.
1266         * icu/unicode/urename.h: Removed.
1267         * icu/unicode/uscript.h: Removed.
1268         * icu/unicode/uset.h: Removed.
1269         * icu/unicode/ustring.h: Removed.
1270         * icu/unicode/utf.h: Removed.
1271         * icu/unicode/utf16.h: Removed.
1272         * icu/unicode/utf8.h: Removed.
1273         * icu/unicode/utf_old.h: Removed.
1274         * icu/unicode/utypes.h: Removed.
1275         * icu/unicode/uvernum.h: Removed.
1276         * icu/unicode/uversion.h: Removed.
1277         * runtime/IntlCollator.cpp:
1278         * runtime/IntlDateTimeFormat.cpp:
1279         (JSC::IntlDateTimeFormat::partTypeString):
1280         * runtime/JSGlobalObject.cpp:
1281         * runtime/StringPrototype.cpp:
1282         (JSC::normalize):
1283         (JSC::stringProtoFuncNormalize):
1284
1285 2017-07-05  Devin Rousso  <drousso@apple.com>
1286
1287         Web Inspector: Allow users to log any tracked canvas context
1288         https://bugs.webkit.org/show_bug.cgi?id=173397
1289         <rdar://problem/33111581>
1290
1291         Reviewed by Joseph Pecoraro.
1292
1293         * inspector/protocol/Canvas.json:
1294         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
1295
1296 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
1297
1298         Add WebKitPrivateFrameworkStubs for iOS 11
1299         https://bugs.webkit.org/show_bug.cgi?id=173988
1300
1301         Reviewed by David Kilzer.
1302
1303         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
1304         same directory for private framework stubs.
1305
1306 2017-07-05  JF Bastien  <jfbastien@apple.com>
1307
1308         WebAssembly: implement name section's module name, skip unknown sections
1309         https://bugs.webkit.org/show_bug.cgi?id=172008
1310
1311         Reviewed by Keith Miller.
1312
1313         Parse the WebAssembly module name properly, and skip unknown
1314         sections. This is useful because as toolchains support new types
1315         of names we want to keep displaying the information we know about
1316         and simply ignore new information. That capability was designed
1317         into WebAssembly's name section.
1318
1319         Failure to commit this patch would mean that WebKit won't display
1320         stack trace information, which would make developers sad.
1321
1322         Module names were added here: https://github.com/WebAssembly/design/pull/1055
1323
1324         Note that this patch doesn't do anything with the parsed name! Two
1325         reasons for this: module names aren't supported in binaryen yet,
1326         so I can't write a simple binary test; and using the name is a
1327         slightly riskier change because it requires changing StackVisitor
1328         + StackFrame (where they print "[wasm code]") which requires
1329         figuring out the frame's Module. The latter bit isn't trivial
1330         because we only know wasm frames from their tag bits, and
1331         CodeBlocks are always nullptr.
1332
1333         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
1334
1335         I filed #174098 to use the module name.
1336
1337         * wasm/WasmFormat.h:
1338         (JSC::Wasm::isValidNameType):
1339         * wasm/WasmNameSectionParser.cpp:
1340
1341 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
1342
1343         Cleanup some StringBuilder use
1344         https://bugs.webkit.org/show_bug.cgi?id=174118
1345
1346         Reviewed by Andreas Kling.
1347
1348         * runtime/FunctionConstructor.cpp:
1349         (JSC::constructFunctionSkippingEvalEnabledCheck):
1350         * tools/FunctionOverrides.cpp:
1351         (JSC::parseClause):
1352         * wasm/WasmOMGPlan.cpp:
1353         * wasm/WasmPlan.cpp:
1354         * wasm/WasmValidate.cpp:
1355
1356 2017-07-03  Saam Barati  <sbarati@apple.com>
1357
1358         LayoutTest workers/bomb.html is a Crash
1359         https://bugs.webkit.org/show_bug.cgi?id=167757
1360         <rdar://problem/33086462>
1361
1362         Reviewed by Keith Miller.
1363
1364         VMTraps::SignalSender was accessing VM fields even after
1365         the VM was destroyed. This happened when the SignalSender
1366         thread was in the middle of its work() function while VMTraps
1367         was notified that the VM was shutting down. The VM would proceed
1368         to run its destructor even after the SignalSender thread finished
1369         doing its work. This means that the SignalSender thread was accessing
1370         VM fields even after the VM was destructed (including itself, since it is
1371         transitively owned by the VM). The VM must wait for the SignalSender
1372         thread to shut down before it can continue to destruct itself.
1373
1374         * runtime/VMTraps.cpp:
1375         (JSC::VMTraps::willDestroyVM):
1376
1377 2017-07-03  Saam Barati  <sbarati@apple.com>
1378
1379         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
1380         https://bugs.webkit.org/show_bug.cgi?id=174110
1381
1382         Reviewed by Michael Saboff.
1383
1384         * dfg/DFGByteCodeParser.cpp:
1385         (JSC::DFG::ByteCodeParser::parseBlock):
1386
1387 2017-07-03  Saam Barati  <sbarati@apple.com>
1388
1389         Add a new assertion to object allocation sinking phase
1390         https://bugs.webkit.org/show_bug.cgi?id=174107
1391
1392         Rubber stamped by Filip Pizlo.
1393
1394         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1395
1396 2017-07-03  Commit Queue  <commit-queue@webkit.org>
1397
1398         Unreviewed, rolling out r219060.
1399         https://bugs.webkit.org/show_bug.cgi?id=174108
1400
1401         crashing constantly when initializing UIWebView (Requested by
1402         thorton on #webkit).
1403
1404         Reverted changeset:
1405
1406         "WTF::Thread should have the threads stack bounds."
1407         https://bugs.webkit.org/show_bug.cgi?id=173975
1408         http://trac.webkit.org/changeset/219060
1409
1410 2017-07-03  Matt Lewis  <jlewis3@apple.com>
1411
1412         Unreviewed, rolling out r219103.
1413
1414         Caused multiple build failures.
1415
1416         Reverted changeset:
1417
1418         "Remove copy of ICU headers from WebKit"
1419         https://bugs.webkit.org/show_bug.cgi?id=116407
1420         http://trac.webkit.org/changeset/219103
1421
1422 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1423
1424         Remove copy of ICU headers from WebKit
1425         https://bugs.webkit.org/show_bug.cgi?id=116407
1426
1427         Reviewed by Alex Christensen.
1428
1429         Use WTF's copy of ICU headers.
1430
1431         * Configurations/Base.xcconfig:
1432         * icu/unicode/localpointer.h: Removed.
1433         * icu/unicode/parseerr.h: Removed.
1434         * icu/unicode/platform.h: Removed.
1435         * icu/unicode/ptypes.h: Removed.
1436         * icu/unicode/putil.h: Removed.
1437         * icu/unicode/uchar.h: Removed.
1438         * icu/unicode/ucnv.h: Removed.
1439         * icu/unicode/ucnv_err.h: Removed.
1440         * icu/unicode/ucol.h: Removed.
1441         * icu/unicode/uconfig.h: Removed.
1442         * icu/unicode/ucurr.h: Removed.
1443         * icu/unicode/uenum.h: Removed.
1444         * icu/unicode/uiter.h: Removed.
1445         * icu/unicode/uloc.h: Removed.
1446         * icu/unicode/umachine.h: Removed.
1447         * icu/unicode/unorm.h: Removed.
1448         * icu/unicode/unorm2.h: Removed.
1449         * icu/unicode/urename.h: Removed.
1450         * icu/unicode/uscript.h: Removed.
1451         * icu/unicode/uset.h: Removed.
1452         * icu/unicode/ustring.h: Removed.
1453         * icu/unicode/utf.h: Removed.
1454         * icu/unicode/utf16.h: Removed.
1455         * icu/unicode/utf8.h: Removed.
1456         * icu/unicode/utf_old.h: Removed.
1457         * icu/unicode/utypes.h: Removed.
1458         * icu/unicode/uvernum.h: Removed.
1459         * icu/unicode/uversion.h: Removed.
1460         * runtime/IntlCollator.cpp:
1461         * runtime/IntlDateTimeFormat.cpp:
1462         * runtime/JSGlobalObject.cpp:
1463         * runtime/StringPrototype.cpp:
1464
1465 2017-07-03  Saam Barati  <sbarati@apple.com>
1466
1467         Add better crash logging for allocation sinking phase
1468         https://bugs.webkit.org/show_bug.cgi?id=174102
1469         <rdar://problem/33112092>
1470
1471         Rubber stamped by Filip Pizlo.
1472
1473         I'm trying to gather better information from crashlogs about why
1474         we're crashing in the allocation sinking phase. I'm adding an allocation-
1475         sinking-specific RELEASE_ASSERT as well as marking a few functions as
1476         NEVER_INLINE to have the stack traces in the crash trace contain more
1477         actionable information.
1478
1479         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1480
1481 2017-07-03  Sam Weinig  <sam@webkit.org>
1482
1483         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
1484         https://bugs.webkit.org/show_bug.cgi?id=174083
1485
1486         Reviewed by Alex Christensen.
1487
1488         * Configurations/FeatureDefines.xcconfig:
1489         Add ENABLE_NAVIGATOR_STANDALONE.
1490
1491 2017-07-03  Andy Estes  <aestes@apple.com>
1492
1493         [Xcode] Add an experimental setting to build with ccache
1494         https://bugs.webkit.org/show_bug.cgi?id=173875
1495
1496         Reviewed by Tim Horton.
1497
1498         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
1499
1500 2017-07-03  Devin Rousso  <drousso@apple.com>
1501
1502         Web Inspector: Support listing WebGL2 and WebGPU contexts
1503         https://bugs.webkit.org/show_bug.cgi?id=173396
1504
1505         Reviewed by Joseph Pecoraro.
1506
1507         * inspector/protocol/Canvas.json:
1508         * inspector/scripts/codegen/generator.py:
1509         (Generator.stylized_name_for_enum_value):
1510         Add cases for handling new Canvas.ContextType protocol enumerations:
1511          - "webgl2" maps to `WebGL2`
1512          - "webgpu" maps to `WebGPU`
1513
1514 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1515
1516         WTF::Thread should have the threads stack bounds.
1517         https://bugs.webkit.org/show_bug.cgi?id=173975
1518
1519         Reviewed by Mark Lam.
1520
1521         There is a site in JSC that tries to walk another thread's stack.
1522         Currently, stack bounds are stored in WTFThreadData which is located
1523         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1524         We work around this situation by holding StackBounds in MachineThread in JSC,
1525         but StackBounds should be put in WTF::Thread instead.
1526
1527         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
1528         information is tightly coupled with Thread. Thus putting it in WTF::Thread
1529         is a natural choice.
1530
1531         * heap/MachineStackMarker.cpp:
1532         (JSC::MachineThreads::MachineThread::MachineThread):
1533         (JSC::MachineThreads::MachineThread::captureStack):
1534         * heap/MachineStackMarker.h:
1535         (JSC::MachineThreads::MachineThread::stackBase):
1536         (JSC::MachineThreads::MachineThread::stackEnd):
1537         * runtime/InitializeThreading.cpp:
1538         (JSC::initializeThreading):
1539         * runtime/VM.cpp:
1540         (JSC::VM::VM):
1541         (JSC::VM::updateStackLimits):
1542         (JSC::VM::committedStackByteCount):
1543         * runtime/VM.h:
1544         (JSC::VM::isSafeToRecurse):
1545         * runtime/VMEntryScope.cpp:
1546         (JSC::VMEntryScope::VMEntryScope):
1547         * runtime/VMInlines.h:
1548         (JSC::VM::ensureStackCapacityFor):
1549         * runtime/VMTraps.cpp:
1550         * yarr/YarrPattern.cpp:
1551         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1552
1553 2017-07-01  Dan Bernstein  <mitz@apple.com>
1554
1555         [iOS] Remove code only needed when building for iOS 9.x
1556         https://bugs.webkit.org/show_bug.cgi?id=174068
1557
1558         Reviewed by Tim Horton.
1559
1560         * Configurations/FeatureDefines.xcconfig:
1561         * jit/ExecutableAllocator.cpp:
1562         * runtime/Options.cpp:
1563         (JSC::recomputeDependentOptions):
1564
1565 2017-07-01  Dan Bernstein  <mitz@apple.com>
1566
1567         [macOS] Remove code only needed when building for OS X Yosemite
1568         https://bugs.webkit.org/show_bug.cgi?id=174067
1569
1570         Reviewed by Tim Horton.
1571
1572         * API/WebKitAvailability.h:
1573         * Configurations/Base.xcconfig:
1574         * Configurations/DebugRelease.xcconfig:
1575         * Configurations/FeatureDefines.xcconfig:
1576         * Configurations/Version.xcconfig:
1577
1578 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1579
1580         Unreviewed, build fix for GCC
1581         https://bugs.webkit.org/show_bug.cgi?id=174034
1582
1583         * b3/testb3.cpp:
1584         (JSC::B3::testDoubleLiteralComparison):
1585
1586 2017-06-30  Keith Miller  <keith_miller@apple.com>
1587
1588         Force crashWithInfo to be out of line.
1589         https://bugs.webkit.org/show_bug.cgi?id=174028
1590
1591         Reviewed by Filip Pizlo.
1592
1593         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
1594
1595         * dfg/DFGGraph.cpp:
1596         (JSC::DFG::logDFGAssertionFailure):
1597         (JSC::DFG::Graph::logAssertionFailure):
1598         (JSC::DFG::crash): Deleted.
1599         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1600         * dfg/DFGGraph.h:
1601
1602 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1603
1604         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
1605         https://bugs.webkit.org/show_bug.cgi?id=174053
1606
1607         Reviewed by Geoffrey Garen.
1608
1609         We already have AbstractMacroAssembler::random() function. Use it instead.
1610
1611         * jit/JIT.cpp:
1612         (JSC::JIT::JIT):
1613         (JSC::JIT::compileWithoutLinking):
1614         * jit/JIT.h:
1615
1616 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1617
1618         [WTF] Drop SymbolRegistry::keyForSymbol
1619         https://bugs.webkit.org/show_bug.cgi?id=174052
1620
1621         Reviewed by Sam Weinig.
1622
1623         * runtime/SymbolConstructor.cpp:
1624         (JSC::symbolConstructorKeyFor):
1625
1626 2017-06-30  Saam Barati  <sbarati@apple.com>
1627
1628         B3ReduceStrength should reduce EqualOrUnordered over const float input
1629         https://bugs.webkit.org/show_bug.cgi?id=174039
1630
1631         Reviewed by Michael Saboff.
1632
1633         We perform this folding for ConstDoubleValue. It is simply
1634         an oversight that we didn't do it for ConstFloatValue.
1635
1636         * b3/B3ConstFloatValue.cpp:
1637         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
1638         * b3/B3ConstFloatValue.h:
1639         * b3/testb3.cpp:
1640         (JSC::B3::testFloatEqualOrUnorderedFolding):
1641         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
1642         (JSC::B3::testFloatEqualOrUnorderedDontFold):
1643         (JSC::B3::run):
1644
1645 2017-06-30  Matt Baker  <mattbaker@apple.com>
1646
1647         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
1648         https://bugs.webkit.org/show_bug.cgi?id=173840
1649         <rdar://problem/30840820>
1650
1651         Reviewed by Joseph Pecoraro.
1652
1653         When truncating an asynchronous stack trace, the parent chain is traversed
1654         until a locked node is found. The path from this node to the root is shared
1655         by more than one stack trace, and cannot be safely modified. Starting at
1656         the first locked node, the path is cloned and becomes a new stack trace tree.
1657
1658         However, the clone operation initialized each new AsyncStackTrace node with
1659         the original node's parent. This would increment the child count of the original
1660         node. When cloning nodes, new nodes should not have their parent set until the
1661         next node up the parent chain is cloned.
1662
1663         * inspector/AsyncStackTrace.cpp:
1664         (Inspector::AsyncStackTrace::truncate):
1665
1666 2017-06-30  Michael Saboff  <msaboff@apple.com>
1667
1668         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
1669         https://bugs.webkit.org/show_bug.cgi?id=174044
1670
1671         Reviewed by Oliver Hunt.
1672
1673         The .* enclosure optimization didn't respect that we can start matching from a non-zero
1674         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
1675         then finding the extent of the match by going back to the beginning of the line and going
1676         forward to the end of the line.  The code that went back to the beginning of the line
1677         checked for an index of 0 instead of comparing the index to the start position.  This start
1678         position is passed as the initial index.
1679
1680         Added another temporary register to the YARR JIT to contain the start position for
1681         platforms that have spare registers.
1682
1683         * yarr/Yarr.h:
1684         * yarr/YarrInterpreter.cpp:
1685         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1686         (JSC::Yarr::Interpreter::Interpreter):
1687         * yarr/YarrJIT.cpp:
1688         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1689         (JSC::Yarr::YarrGenerator::compile):
1690         * yarr/YarrPattern.cpp:
1691         (JSC::Yarr::YarrPattern::YarrPattern):
1692         * yarr/YarrPattern.h:
1693         (JSC::Yarr::YarrPattern::reset):
1694
1695 2017-06-30  Saam Barati  <sbarati@apple.com>
1696
1697         B3MoveConstants floatZero() returns the wrong ValueKey
1698         https://bugs.webkit.org/show_bug.cgi?id=174040
1699
1700         Reviewed by Filip Pizlo.
1701
1702         It had a typo where the ValueKey for floatZero() produces a Double
1703         instead of a Float.
1704
1705         * b3/B3MoveConstants.cpp:
1706
1707 2017-06-30  Saam Barati  <sbarati@apple.com>
1708
1709         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
1710         https://bugs.webkit.org/show_bug.cgi?id=174034
1711         <rdar://problem/30793007>
1712
1713         Reviewed by Filip Pizlo.
1714
1715         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
1716         reduce binary operations over double constants into the same binary
1717         operation over the double constants cast to floats. This is clearly
1718         incorrect as these two things will produce different values. For example:
1719         
1720         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
1721         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
1722         c = EqualOrUnordered(@a, @b) // produces 0
1723         
1724         into:
1725         
1726         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
1727         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
1728         c = EqualOrUnordered(@a, @b) // produces 1
1729         
1730         Which produces a different value for @c.
1731
1732         * b3/B3ReduceDoubleToFloat.cpp:
1733         * b3/testb3.cpp:
1734         (JSC::B3::doubleEq):
1735         (JSC::B3::doubleNeq):
1736         (JSC::B3::doubleGt):
1737         (JSC::B3::doubleGte):
1738         (JSC::B3::doubleLt):
1739         (JSC::B3::doubleLte):
1740         (JSC::B3::testDoubleLiteralComparison):
1741         (JSC::B3::run):
1742
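The unsound rewrite described in the entry above, as an added stand-alone example (not code from the ChangeLog or from JSC's B3): it evaluates EqualOrUnordered over the two double constants, then over the same constants narrowed to float, and shows the answers differ. The helper names (doubleFromBits, compareAsDoubles, compareAsNarrowedFloats, reductionIsSound) and the round-trip soundness test are this example's own assumptions, not B3's API.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret 64 raw bits as a double, i.e. what bitwise_cast<double>() does
// in the entry above.
static double doubleFromBits(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// B3's EqualOrUnordered semantics: true when the operands compare equal or
// when either one is NaN (NaN is the only value that is not equal to itself).
static bool equalOrUnordered(double a, double b)
{
    return a == b || a != a || b != b;
}

static bool equalOrUnorderedFloat(float a, float b)
{
    return a == b || a != a || b != b;
}

// The comparison as written in the IR: over the two double constants.
static bool compareAsDoubles(uint64_t aBits, uint64_t bBits)
{
    return equalOrUnordered(doubleFromBits(aBits), doubleFromBits(bBits));
}

// The rewrite the entry describes as wrong: narrow both constants to float
// and compare the narrowed values.
static bool compareAsNarrowedFloats(uint64_t aBits, uint64_t bBits)
{
    float a = static_cast<float>(doubleFromBits(aBits));
    float b = static_cast<float>(doubleFromBits(bBits));
    return equalOrUnorderedFloat(a, b);
}

// A double can be narrowed without changing the comparison only if the value
// survives the float round trip unchanged (NaN is fine: it stays unordered).
// This is a sufficient condition assumed by this example, not a JSC rule.
static bool narrowsExactly(double d)
{
    if (d != d)
        return true;
    return static_cast<double>(static_cast<float>(d)) == d;
}

static bool reductionIsSound(uint64_t aBits, uint64_t bBits)
{
    return narrowsExactly(doubleFromBits(aBits)) && narrowsExactly(doubleFromBits(bBits));
}

int main()
{
    const uint64_t a = 0x8000000000000001ull; // smallest negative subnormal double
    const uint64_t b = 0x0000000000000000ull; // +0.0
    std::printf("over doubles: %d, over narrowed floats: %d, sound to reduce: %d\n",
                compareAsDoubles(a, b), compareAsNarrowedFloats(a, b), reductionIsSound(a, b));
    return 0;
}
```

The subnormal double narrows to -0.0f, which compares equal to +0.0f, so the folded result flips from 0 to 1; the round-trip test rejects exactly that case while still allowing constants such as 1.0 and 2.0 that float represents exactly.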
1743 2017-06-29  Jer Noble  <jer.noble@apple.com>
1744
1745         Make Legacy EME API controlled by RuntimeEnabled setting.
1746         https://bugs.webkit.org/show_bug.cgi?id=173994
1747
1748         Reviewed by Sam Weinig.
1749
1750         * Configurations/FeatureDefines.xcconfig:
1751         * runtime/CommonIdentifiers.h:
1752
1753 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
1754
1755         Ran sort-Xcode-project-file.
1756
1757         * JavaScriptCore.xcodeproj/project.pbxproj:
1758
1759 2017-06-30  Matt Lewis  <jlewis3@apple.com>
1760
1761         Unreviewed, rolling out r218992.
1762
1763         The patch broke the iOS device builds.
1764
1765         Reverted changeset:
1766
1767         "DFG_ASSERT should allow stuffing registers before trapping."
1768         https://bugs.webkit.org/show_bug.cgi?id=174005
1769         http://trac.webkit.org/changeset/218992
1770
1771 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
1772
1773         RegExpCachedResult::setInput should reify left and right contexts
1774         https://bugs.webkit.org/show_bug.cgi?id=173818
1775
1776         Reviewed by Keith Miller.
1777         
1778         If you don't reify them in setInput, then when you later try to reify them, you'll end up
1779         using indices into an old input string to create a substring of a new input string. That
1780         never goes well.
1781
1782         * runtime/RegExpCachedResult.cpp:
1783         (JSC::RegExpCachedResult::setInput):
1784
1785 2017-06-30  Keith Miller  <keith_miller@apple.com>
1786
1787         DFG_ASSERT should allow stuffing registers before trapping.
1788         https://bugs.webkit.org/show_bug.cgi?id=174005
1789
1790         Reviewed by Mark Lam.
1791
1792         DFG_ASSERT currently prints error data to stderr before crashing,
1793         which is nice for local development. In the wild, however, we
1794         can't see this information in crash logs. This patch enables
1795         stuffing some of the most useful information from DFG_ASSERTS into
1796         up to five registers right before crashing. The values stuffed
1797         should not impact any logging during local development.
1798
1799         * assembler/AbortReason.h:
1800         * dfg/DFGAbstractInterpreterInlines.h:
1801         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1802         * dfg/DFGGraph.cpp:
1803         (JSC::DFG::logForCrash):
1804         (JSC::DFG::Graph::logAssertionFailure):
1805         (JSC::DFG::crash): Deleted.
1806         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1807         * dfg/DFGGraph.h:
1808
1809 2017-06-29  Saam Barati  <sbarati@apple.com>
1810
1811         Calculating postCapacity in unshiftCountSlowCase is wrong
1812         https://bugs.webkit.org/show_bug.cgi?id=173992
1813         <rdar://problem/32283199>
1814
1815         Reviewed by Keith Miller.
1816
1817         This patch fixes a bug inside unshiftCountSlowCase where we would use
1818         more memory than we allocated. The bug was when deciding how much extra
1819         space we have after the vector we've allocated. This area is called the
1820         postCapacity. The largest legal postCapacity value we could use is the
1821         space we allocated minus the space we need:
1822         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
1823         However, the code was calculating the postCapacity as:
1824         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
1825         
1826         where count is how many elements we're appending. Depending on the inputs,
1827         count could be larger than (newStorageCapacity - requiredVectorLength). This
1828         would cause us to use more memory than we actually allocated.
1829
1830         * runtime/JSArray.cpp:
1831         (JSC::JSArray::unshiftCountSlowCase):
1832
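The capacity arithmetic from the entry above, as an added example that is not JSC's JSArray code: it models the buggy max() formula beside the bound the entry states as the largest legal postCapacity, and checks each plan against the number of slots actually allocated. Struct and function names (Layout, buggyPlan, fixedPlan, planLayout) and the sample sizes are constructed for this example; the precondition that newStorageCapacity is at least length + count is assumed.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>

// Constructed model of the capacity bookkeeping described in the entry above
// (example code, not JSC's JSArray implementation). All sizes are in slots.
struct Layout {
    unsigned requiredVectorLength; // slots the array needs after the unshift
    unsigned postCapacity;         // spare slots reserved after the vector
    unsigned slotsUsed;            // requiredVectorLength + postCapacity
    bool fitsInAllocation;         // slotsUsed <= newStorageCapacity
};

// The bound stated in the entry: the most post-capacity that can legally
// follow the vector inside the allocation.
// Precondition (assumed): newStorageCapacity >= requiredVectorLength.
static unsigned largestPossiblePostCapacity(unsigned newStorageCapacity, unsigned requiredVectorLength)
{
    return newStorageCapacity - requiredVectorLength;
}

// Shared bookkeeping: given a chosen postCapacity, does the plan stay inside
// the newStorageCapacity slots that were actually allocated?
static Layout planLayout(unsigned length, unsigned count, unsigned newStorageCapacity, unsigned postCapacity)
{
    Layout layout;
    layout.requiredVectorLength = length + count;
    layout.postCapacity = postCapacity;
    layout.slotsUsed = layout.requiredVectorLength + postCapacity;
    layout.fitsInAllocation = layout.slotsUsed <= newStorageCapacity;
    return layout;
}

// The computation the entry describes as wrong: max() lets `count` push the
// post-capacity beyond what was allocated whenever count exceeds the slack.
static Layout buggyPlan(unsigned length, unsigned count, unsigned newStorageCapacity)
{
    unsigned requiredVectorLength = length + count;
    unsigned postCapacity = std::max(newStorageCapacity - requiredVectorLength, count);
    return planLayout(length, count, newStorageCapacity, postCapacity);
}

// Corrected computation: use exactly the largest legal post-capacity from the
// entry, so the plan can never exceed the allocation.
static Layout fixedPlan(unsigned length, unsigned count, unsigned newStorageCapacity)
{
    unsigned requiredVectorLength = length + count;
    unsigned postCapacity = largestPossiblePostCapacity(newStorageCapacity, requiredVectorLength);
    return planLayout(length, count, newStorageCapacity, postCapacity);
}

int main()
{
    // Constructed inputs: 8 existing elements, appending 12 more, 24 slots allocated.
    Layout bad = buggyPlan(8, 12, 24);
    Layout good = fixedPlan(8, 12, 24);
    std::printf("buggy: uses %u of 24 slots (fits: %d)\n", bad.slotsUsed, bad.fitsInAllocation);
    std::printf("fixed: uses %u of 24 slots (fits: %d)\n", good.slotsUsed, good.fitsInAllocation);
    return 0;
}
```

With 4 slots of slack and count = 12, the buggy plan reserves 12 post-capacity slots and would touch 32 of the 24 allocated slots; when count is smaller than the slack, max() happens to be harmless, which is why the bug depends on the inputs.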
1833 2017-06-29  Commit Queue  <commit-queue@webkit.org>
1834
1835         Unreviewed, rolling out r218512.
1836         https://bugs.webkit.org/show_bug.cgi?id=173981
1837
1838         "It changes the behavior of the JS API's JSEvaluateScript
1839         which breaks TurboTax" (Requested by saamyjoon on #webkit).
1840
1841         Reverted changeset:
1842
1843         "test262: Completion values for control flow do not match the
1844         spec"
1845         https://bugs.webkit.org/show_bug.cgi?id=171265
1846         http://trac.webkit.org/changeset/218512
1847
1848 2017-06-29  JF Bastien  <jfbastien@apple.com>
1849
1850         WebAssembly: disable some APIs under CSP
1851         https://bugs.webkit.org/show_bug.cgi?id=173892
1852         <rdar://problem/32914613>
1853
1854         Reviewed by Daniel Bates.
1855
1856         We should disable parts of WebAssembly under Content Security
1857         Policy as discussed here:
1858
1859         https://github.com/WebAssembly/design/issues/1092
1860
1861         Exactly what should be disabled isn't super clear, so we may as
1862         well be conservative and disable many things if developers already
1863         opted into CSP. It's easy to loosen what we disable later.
1864
1865         This patch disables:
1866         - WebAssembly.Instance
1867         - WebAssembly.instantiate
1868         - WebAssembly.Memory
1869         - WebAssembly.Table
1870
1871         And leaves:
1872         - WebAssembly on the global object
1873         - WebAssembly.Module
1874         - WebAssembly.compile
1875         - WebAssembly.CompileError
1876         - WebAssembly.LinkError
1877
1878         Nothing because currently unimplemented:
1879         - WebAssembly.compileStreaming
1880         - WebAssembly.instantiateStreaming
1881
1882         That way it won't be possible to call WebAssembly-compiled code,
1883         or create memories (which use fancy 4GiB allocations
1884         sometimes). Table isn't really useful on its own, and eventually
1885         we may make them shareable so without more details it seems benign
1886         to disable them (and useless if we don't).
1887
1888         I haven't done anything with postMessage, so you can still
1889         postMessage a WebAssembly.Module cross-CSP, but you can't
1890         instantiate it so it's useless. Because of this I elected to leave
1891         WebAssembly.Module and friends available.
1892
1893         I haven't added any new directives. It's still unsafe-eval. We can
1894         add something else later, but it seems odd to add WebAssembly as
1895         a new capability and tell developers "you should have been using
1896         this directive which we just implemented if you wanted to disable
1897         WebAssembly which didn't exist when you adopted CSP". So IMO we
1898         should keep unsafe-eval as it currently is, add WebAssembly to
1899         what it disables, and later consider having two new directives
1900         which do each individually or something.
1901
1902         In all cases I throw an EvalError *before* other WebAssembly
1903         errors would be produced.
1904
1905         Note that, as for eval, reporting doesn't work and is tracked by
1906         https://webkit.org/b/111869
1907
1908         * runtime/JSGlobalObject.cpp:
1909         (JSC::JSGlobalObject::JSGlobalObject):
1910         * runtime/JSGlobalObject.h:
1911         (JSC::JSGlobalObject::webAssemblyEnabled):
1912         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
1913         (JSC::JSGlobalObject::setWebAssemblyEnabled):
1914         * wasm/js/JSWebAssemblyInstance.cpp:
1915         (JSC::JSWebAssemblyInstance::create):
1916         * wasm/js/JSWebAssemblyMemory.cpp:
1917         (JSC::JSWebAssemblyMemory::create):
1918         * wasm/js/JSWebAssemblyMemory.h:
1919         * wasm/js/JSWebAssemblyTable.cpp:
1920         (JSC::JSWebAssemblyTable::create):
1921         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1922         (JSC::constructJSWebAssemblyMemory):
1923
1924 2017-06-28  Keith Miller  <keith_miller@apple.com>
1925
1926         VMTraps has some races
1927         https://bugs.webkit.org/show_bug.cgi?id=173941
1928
1929         Reviewed by Michael Saboff.
1930
1931         This patch refactors much of the VMTraps API.
1932
1933         On the message sending side:
1934
1935         1) No longer uses the Yarr JIT check to determine if we are in
1936         RegExp code. That was unsound because RegExp JIT code can be run
1937         on compilation threads.  Instead it looks at the current frame's
1938         code block slot and checks if it is valid, which is the same as
1939         what it did for JIT code previously.
1940
1941         2) Only have one signal sender thread. Previously, there could be
1942         many at once, which caused some data races. Additionally, the
1943         signal sender thread is an automatic thread so it will deallocate
1944         itself when not in use.
1945
1946         On the VMTraps breakpoint side:
1947
1948         1) We now have a true mapping of whether we hit a breakpoint instead of
1949         a JIT assertion. So the exception handler won't eat JIT assertions
1950         anymore.
1951
1952         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
1953         them instead of every CodeBlock on the stack. This both prevents
1954         us from hitting stale VMTraps breakpoints and also doesn't OSR
1955         codeblocks that otherwise don't need to be jettisoned.
1956
1957         3) The old exception handler could theoretically fail for a couple
1958         of reasons then resume execution with a clobbered instruction
1959         set. This patch will kill the program if the exception handler
1960         would fail.
1961
1962         This patch also refactors some of the jsc.cpp functions to take the
1963         CommandLine options object instead of individual options. Also, there
1964         is a new command line option that makes exceptions due to watchdog
1965         timeouts an acceptable result.
1966
1967         * API/tests/testapi.c:
1968         (main):
1969         * bytecode/CodeBlock.cpp:
1970         (JSC::CodeBlock::installVMTrapBreakpoints):
1971         * dfg/DFGCommonData.cpp:
1972         (JSC::DFG::pcCodeBlockMap):
1973         (JSC::DFG::CommonData::invalidate):
1974         (JSC::DFG::CommonData::~CommonData):
1975         (JSC::DFG::CommonData::installVMTrapBreakpoints):
1976         (JSC::DFG::codeBlockForVMTrapPC):
1977         * dfg/DFGCommonData.h:
1978         * jsc.cpp:
1979         (functionDollarAgentStart):
1980         (checkUncaughtException):
1981         (checkException):
1982         (runWithOptions):
1983         (printUsageStatement):
1984         (CommandLine::parseArguments):
1985         (jscmain):
1986         (runWithScripts): Deleted.
1987         * runtime/JSLock.cpp:
1988         (JSC::JSLock::didAcquireLock):
1989         * runtime/VMTraps.cpp:
1990         (JSC::sanitizedTopCallFrame):
1991         (JSC::VMTraps::tryInstallTrapBreakpoints):
1992         (JSC::VMTraps::willDestroyVM):
1993         (JSC::VMTraps::fireTrap):
1994         (JSC::VMTraps::handleTraps):
1995         (JSC::VMTraps::VMTraps):
1996         (JSC::VMTraps::~VMTraps):
1997         (JSC::findActiveVMAndStackBounds): Deleted.
1998         (JSC::installSignalHandler): Deleted.
1999         (JSC::VMTraps::addSignalSender): Deleted.
2000         (JSC::VMTraps::removeSignalSender): Deleted.
2001         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
2002         (JSC::VMTraps::SignalSender::send): Deleted.
2003         * runtime/VMTraps.h:
2004         (JSC::VMTraps::~VMTraps): Deleted.
2005         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
2006
2007 2017-06-28  Devin Rousso  <drousso@apple.com>
2008
2009         Web Inspector: Instrument active pixel memory used by canvases
2010         https://bugs.webkit.org/show_bug.cgi?id=173087
2011         <rdar://problem/32719261>
2012
2013         Reviewed by Joseph Pecoraro.
2014
2015         * inspector/protocol/Canvas.json:
2016          - Add optional `memoryCost` attribute to the `Canvas` type.
2017          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
2018
2019 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
2020
2021         Web Inspector: Cleanup Protocol JSON files
2022         https://bugs.webkit.org/show_bug.cgi?id=173934
2023
2024         Reviewed by Matt Baker.
2025
2026         * inspector/protocol/ApplicationCache.json:
2027         * inspector/protocol/CSS.json:
2028         * inspector/protocol/Console.json:
2029         * inspector/protocol/DOM.json:
2030         * inspector/protocol/DOMDebugger.json:
2031         * inspector/protocol/Debugger.json:
2032         * inspector/protocol/LayerTree.json:
2033         * inspector/protocol/Network.json:
2034         * inspector/protocol/Page.json:
2035         * inspector/protocol/Runtime.json:
2036         Be more consistent about placement of `description` property.
2037
2038 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2039
2040         Web Inspector: Remove unused Inspector domain events
2041         https://bugs.webkit.org/show_bug.cgi?id=173905
2042
2043         Reviewed by Matt Baker.
2044
2045         * inspector/protocol/Inspector.json:
2046
2047 2017-06-28  JF Bastien  <jfbastien@apple.com>
2048
2049         Ensure that computed new stack pointer values do not underflow.
2050         https://bugs.webkit.org/show_bug.cgi?id=173700
2051         <rdar://problem/32926032>
2052
2053         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
2054
2055         Patch by Mark Lam, with the following fix:
2056
2057         Re-apply this patch, it originally broke the ARM build because the llint code
2058         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
2059         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
2060         and operands to emit valid code (because the second operand can be SP).
2061
2062         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2063            m_numCalleeLocals is sane.
2064
2065         2. Added underflow checks in LLInt code and VarargsFrame code.
2066
2067         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2068            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2069            Ensure that Options::softReservedZoneSize() is at least greater than
2070            Options::reservedZoneSize() by minimumReservedZoneSize.
2071
2072         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2073            and only if the max size of the frame is greater than Options::reservedZoneSize().
2074
2075            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2076            of memory at the bottom (end) of the stack.  This means that, at any time, the
2077            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2078            end of the stack.  Hence, if the max frame size is less than
2079            Options::reservedZoneSize(), there's no way that frame pointer - max
2080            frame size can underflow, and we can elide the underflow check.
2081
2082            Note that we use Options::reservedZoneSize() instead of
2083            Options::softReservedZoneSize() for determining whether we need an underflow check.
2084            This is because the softStackLimit that is used for stack checks can be set
2085            based on Options::reservedZoneSize() during error handling (e.g. when creating
2086            strings for instantiating the Error object).  Hence, the guaranteed minimum
2087            distance between the frame pointer and the end of the stack is
2088            Options::reservedZoneSize() and not Options::softReservedZoneSize().
2089
2090            Note also that we ensure that Options::reservedZoneSize() is at least
2091            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
2092            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
2093            instead of minimumReservedZoneSize gives us more chances to elide underflow
2094            checks.
2095
2096         * JavaScriptCore.xcodeproj/project.pbxproj:
2097         * bytecompiler/BytecodeGenerator.cpp:
2098         (JSC::BytecodeGenerator::generate):
2099         * dfg/DFGGraph.cpp:
2100         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
2101         * dfg/DFGJITCompiler.cpp:
2102         (JSC::DFG::emitStackOverflowCheck):
2103         (JSC::DFG::JITCompiler::compile):
2104         (JSC::DFG::JITCompiler::compileFunction):
2105         * ftl/FTLLowerDFGToB3.cpp:
2106         (JSC::FTL::DFG::LowerDFGToB3::lower):
2107         * jit/JIT.cpp:
2108         (JSC::JIT::compileWithoutLinking):
2109         * jit/SetupVarargsFrame.cpp:
2110         (JSC::emitSetupVarargsFrameFastCase):
2111         * llint/LLIntSlowPaths.cpp:
2112         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2113         * llint/LowLevelInterpreter.asm:
2114         * llint/LowLevelInterpreter32_64.asm:
2115         * llint/LowLevelInterpreter64.asm:
2116         * runtime/MinimumReservedZoneSize.h: Added.
2117         * runtime/Options.cpp:
2118         (JSC::recomputeDependentOptions):
2119         * runtime/VM.cpp:
2120         (JSC::VM::updateStackLimits):
2121         * wasm/WasmB3IRGenerator.cpp:
2122         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2123         * wasm/js/WebAssemblyFunction.cpp:
2124         (JSC::callWebAssemblyFunction):
2125
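The underflow reasoning in the entry above (and in the original landing of the same change further down this log), as an added example that is not JSC's JIT or LLInt code: it contrasts a stack check that subtracts before comparing, which wraps around for oversized frames, with a guarded check, and encodes the entry's rule for when the guard can be elided. StackModel, the function names and the constructed addresses are this example's assumptions; reservedZoneSize stands in for Options::reservedZoneSize(), and the stack limit is assumed to sit reservedZoneSize above the end of the stack.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed model of the downward-growing stack described in the entry
// above (example code, not JSC's own). Addresses are plain integers so the
// arithmetic can be exercised without touching a real stack.
struct StackModel {
    uintptr_t stackEnd;         // lowest address of the stack (the "bottom")
    uintptr_t reservedZoneSize; // stands in for Options::reservedZoneSize()
};

// The entry's elision rule: the frame pointer is always at least
// reservedZoneSize above stackEnd, so fp - maxFrameSize cannot wrap below
// zero unless maxFrameSize is larger than that guaranteed distance.
static bool needsUnderflowCheck(const StackModel& stack, uintptr_t maxFrameSize)
{
    return maxFrameSize > stack.reservedZoneSize;
}

// The unsafe pattern: subtract first, compare second. If the subtraction
// wraps, the "new stack pointer" is a huge value that passes the limit check.
static bool naiveStackCheck(uintptr_t framePointer, uintptr_t maxFrameSize, uintptr_t stackLimit)
{
    uintptr_t newStackPointer = framePointer - maxFrameSize; // may wrap around
    return newStackPointer >= stackLimit;
}

// Stack check with the underflow guard the entry adds: reject frames whose
// size exceeds the frame pointer itself before computing the difference.
static bool guardedStackCheck(uintptr_t framePointer, uintptr_t maxFrameSize, uintptr_t stackLimit)
{
    if (maxFrameSize > framePointer)
        return false; // the subtraction would underflow
    return framePointer - maxFrameSize >= stackLimit;
}

// Full decision: elide the guard only when the entry's invariant makes it
// redundant, otherwise use the guarded form.
static bool stackCheck(const StackModel& stack, uintptr_t framePointer, uintptr_t maxFrameSize, uintptr_t stackLimit)
{
    if (needsUnderflowCheck(stack, maxFrameSize))
        return guardedStackCheck(framePointer, maxFrameSize, stackLimit);
    // Invariant assumed here: framePointer >= stack.stackEnd + stack.reservedZoneSize
    // and maxFrameSize <= stack.reservedZoneSize, so no wrap is possible.
    return naiveStackCheck(framePointer, maxFrameSize, stackLimit);
}

int main()
{
    // Constructed: stack ends at 0x1000 with a 16K reserved zone, as in the entry,
    // so the stack limit used for checks is 0x5000 and a valid frame pointer is above it.
    StackModel stack = { 0x1000, 16 * 1024 };
    uintptr_t fp = 0x6000;
    uintptr_t limit = 0x5000;
    std::printf("32K frame, naive check:   %d (wraps and wrongly passes)\n", naiveStackCheck(fp, 0x8000, limit));
    std::printf("32K frame, guarded check: %d\n", guardedStackCheck(fp, 0x8000, limit));
    std::printf("needs guard: 8K frame %d, 32K frame %d\n",
                needsUnderflowCheck(stack, 8 * 1024), needsUnderflowCheck(stack, 32 * 1024));
    std::printf("2K frame fits: %d, 8K frame fits: %d\n",
                stackCheck(stack, fp, 0x800, limit), stackCheck(stack, fp, 0x2000, limit));
    return 0;
}
```

The 8K frame is rejected by the unguarded path purely on the limit comparison, which is the point of the elision: below reservedZoneSize the subtraction is known not to wrap, so the cheaper check is still correct.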
2126 2017-06-28  Chris Dumez  <cdumez@apple.com>
2127
2128         Unreviewed, rolling out r218869.
2129
2130         Broke the iOS build
2131
2132         Reverted changeset:
2133
2134         "Ensure that computed new stack pointer values do not
2135         underflow."
2136         https://bugs.webkit.org/show_bug.cgi?id=173700
2137         http://trac.webkit.org/changeset/218869
2138
2139 2017-06-28  Chris Dumez  <cdumez@apple.com>
2140
2141         Unreviewed, rolling out r218873.
2142
2143         Broke the iOS build
2144
2145         Reverted changeset:
2146
2147         "Gardening: CLoop build fix."
2148         https://bugs.webkit.org/show_bug.cgi?id=173700
2149         http://trac.webkit.org/changeset/218873
2150
2151 2017-06-28  Mark Lam  <mark.lam@apple.com>
2152
2153         Gardening: CLoop build fix.
2154         https://bugs.webkit.org/show_bug.cgi?id=173700
2155         <rdar://problem/32926032>
2156
2157         Not reviewed.
2158
2159         * llint/LLIntSlowPaths.cpp:
2160         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2161
2162 2017-06-28  Mark Lam  <mark.lam@apple.com>
2163
2164         Ensure that computed new stack pointer values do not underflow.
2165         https://bugs.webkit.org/show_bug.cgi?id=173700
2166         <rdar://problem/32926032>
2167
2168         Reviewed by Filip Pizlo and Saam Barati.
2169
2170         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2171            m_numCalleeLocals is sane.
2172
2173         2. Added underflow checks in LLInt code and VarargsFrame code.
2174
2175         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2176            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2177            Ensure that Options::softReservedZoneSize() is at least greater than
2178            Options::reservedZoneSize() by minimumReservedZoneSize.
2179
2180         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2181            and only if the max size of the frame is greater than Options::reservedZoneSize().
2182
2183            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2184            of memory at the bottom (end) of the stack.  This means that, at any time, the
2185            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2186            end of the stack.  Hence, if the max frame size is less than
2187            Options::reservedZoneSize(), there's no way that frame pointer - max
2188            frame size can underflow, and we can elide the underflow check.
2189
2190            Note that we use Options::reservedZoneSize() instead of
2191         Options::softReservedZoneSize() for determining if we need an underflow check.
2192            This is because the softStackLimit that is used for stack checks can be set
2193            based on Options::reservedZoneSize() during error handling (e.g. when creating
2194         strings for instantiating the Error object).  Hence, the guaranteed minimum
2195         distance between the frame pointer and the end of the stack is
2196         Options::reservedZoneSize() and not Options::softReservedZoneSize().
2197
2198            Note also that we ensure that Options::reservedZoneSize() is at least
2199            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
2200            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
2201            instead of minimumReservedZoneSize gives us more chances to elide underflow
2202            checks.
2203
2204         * JavaScriptCore.xcodeproj/project.pbxproj:
2205         * bytecompiler/BytecodeGenerator.cpp:
2206         (JSC::BytecodeGenerator::generate):
2207         * dfg/DFGGraph.cpp:
2208         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
2209         * dfg/DFGJITCompiler.cpp:
2210         (JSC::DFG::JITCompiler::compile):
2211         (JSC::DFG::JITCompiler::compileFunction):
2212         * ftl/FTLLowerDFGToB3.cpp:
2213         (JSC::FTL::DFG::LowerDFGToB3::lower):
2214         * jit/JIT.cpp:
2215         (JSC::JIT::compileWithoutLinking):
2216         * jit/SetupVarargsFrame.cpp:
2217         (JSC::emitSetupVarargsFrameFastCase):
2218         * llint/LLIntSlowPaths.cpp:
2219         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2220         * llint/LowLevelInterpreter.asm:
2221         * llint/LowLevelInterpreter32_64.asm:
2222         * llint/LowLevelInterpreter64.asm:
2223         * runtime/MinimumReservedZoneSize.h: Added.
2224         * runtime/Options.cpp:
2225         (JSC::recomputeDependentOptions):
2226         * runtime/VM.cpp:
2227         (JSC::VM::updateStackLimits):
2228         * wasm/WasmB3IRGenerator.cpp:
2229         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2230         * wasm/js/WebAssemblyFunction.cpp:
2231         (JSC::callWebAssemblyFunction):
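
        The policy in steps 3 and 4 above, as an added C++ model that is not JSC's code: all names are hypothetical, the frame pointer and soft stack limit are constructed values, and the unguarded check that wraps is shown beside the guarded one.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>

// Hypothetical model (not JSC's code) of the stack-check policy described above.
// The machine stack grows downward: usable addresses are [stackEnd, stackOrigin),
// and a reserved zone of at least reservedZoneSize bytes sits at stackEnd.
constexpr std::size_t kMinimumReservedZoneSize = 16 * 1024;  // the 16K minimum

struct ZoneOptions {
    std::size_t reservedZoneSize;
    std::size_t softReservedZoneSize;
};

// Step 3: clamp the options so reservedZoneSize >= 16K and
// softReservedZoneSize >= reservedZoneSize + 16K.
ZoneOptions recomputeZoneOptions(ZoneOptions o) {
    if (o.reservedZoneSize < kMinimumReservedZoneSize)
        o.reservedZoneSize = kMinimumReservedZoneSize;
    if (o.softReservedZoneSize < o.reservedZoneSize + kMinimumReservedZoneSize)
        o.softReservedZoneSize = o.reservedZoneSize + kMinimumReservedZoneSize;
    return o;
}

// Step 4: an underflow check is needed iff the frame could be larger than the
// distance the frame pointer is guaranteed to keep from the end of the stack.
bool needsUnderflowCheck(std::size_t maxFrameSize, const ZoneOptions& o) {
    return maxFrameSize > o.reservedZoneSize;
}

enum class StackCheck { Ok, Overflow };

// The unguarded form: only "fp - maxFrameSize < softStackLimit". When the
// subtraction wraps, the wrapped value is huge and the check wrongly passes.
StackCheck unguardedStackCheck(std::uintptr_t fp, std::size_t maxFrameSize,
                               std::uintptr_t softStackLimit) {
    std::uintptr_t newSP = fp - maxFrameSize;  // unsigned arithmetic: may wrap around
    return newSP < softStackLimit ? StackCheck::Overflow : StackCheck::Ok;
}

// The guarded form, emitted only when needsUnderflowCheck() is true; otherwise the
// invariant fp >= stackEnd + reservedZoneSize >= maxFrameSize rules out wrapping.
StackCheck guardedStackCheck(std::uintptr_t fp, std::size_t maxFrameSize,
                             std::uintptr_t softStackLimit, const ZoneOptions& o) {
    if (needsUnderflowCheck(maxFrameSize, o) && fp < maxFrameSize)
        return StackCheck::Overflow;  // would underflow: report it as a stack overflow
    return unguardedStackCheck(fp, maxFrameSize, softStackLimit);
}

int main() {
    // Constructed scenario with small addresses so an oversized frame visibly wraps.
    const ZoneOptions opts = recomputeZoneOptions({4096, 8192});  // clamps to 16K / 32K
    const std::uintptr_t fp = 0x10000, softStackLimit = 0x9000;
    const std::size_t hugeFrame = 0x20000;  // larger than fp itself
    std::cout << "unguarded check passes: "
              << (unguardedStackCheck(fp, hugeFrame, softStackLimit) == StackCheck::Ok)
              << ", guarded check reports overflow: "
              << (guardedStackCheck(fp, hugeFrame, softStackLimit, opts) == StackCheck::Overflow)
              << '\n';
    return 0;
}
```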
2232
2233 2017-06-27  JF Bastien  <jfbastien@apple.com>
2234
2235         WebAssembly: running out of executable memory should throw OoM
2236         https://bugs.webkit.org/show_bug.cgi?id=171537
2237         <rdar://problem/32963338>
2238
2239         Reviewed by Saam Barati.
2240
2241         Both on first compile with BBQ as well as on tier-up with OMG,
2242         running out of X memory shouldn't cause the entire program to
2243         terminate. An exception will do when compiling initial code (since
2244         we don't have any other fallback at the moment), and refusal to
2245         tier up will do as well (it'll just be slower).
2246
2247         This is useful because programs which generate huge amounts of
2248         code simply look like crashes, which developers report to
2249         us. Getting a JavaScript exception instead is much clearer.
2250
2251         * jit/ExecutableAllocator.cpp:
2252         (JSC::ExecutableAllocator::allocate):
2253         * llint/LLIntSlowPaths.cpp:
2254         (JSC::LLInt::shouldJIT):
2255         * runtime/Options.h:
2256         * wasm/WasmBBQPlan.cpp:
2257         (JSC::Wasm::BBQPlan::prepare):
2258         (JSC::Wasm::BBQPlan::complete):
2259         * wasm/WasmBinding.cpp:
2260         (JSC::Wasm::wasmToJs):
2261         (JSC::Wasm::wasmToWasm):
2262         * wasm/WasmBinding.h:
2263         * wasm/WasmOMGPlan.cpp:
2264         (JSC::Wasm::OMGPlan::work):
2265         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2266         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2267         * wasm/js/JSWebAssemblyCodeBlock.h:
2268         * wasm/js/JSWebAssemblyInstance.cpp:
2269         (JSC::JSWebAssemblyInstance::finalizeCreation):
2270
2271 2017-06-27  Saam Barati  <sbarati@apple.com>
2272
2273         JITStubRoutine::passesFilter should use isJITPC
2274         https://bugs.webkit.org/show_bug.cgi?id=173906
2275
2276         Reviewed by JF Bastien.
2277
2278         This patch makes JITStubRoutine use the isJITPC abstraction defined
2279         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
2280         hardcoded platform size constant. This means it'd do the wrong thing
2281         if Options::jitMemoryReservationSize() was larger than the defined
2282         constant for that platform. This patch also removes a bunch of
2283         dead code in that file.
2284
2285         * jit/ExecutableAllocator.cpp:
2286         * jit/ExecutableAllocator.h:
2287         * jit/JITStubRoutine.h:
2288         (JSC::JITStubRoutine::passesFilter):
2289         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
2290         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
2291         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
2292
2293 2017-06-27  Saam Barati  <sbarati@apple.com>
2294
2295         Fix some stale comments in Wasm code base
2296         https://bugs.webkit.org/show_bug.cgi?id=173814
2297
2298         Reviewed by Mark Lam.
2299
2300         * wasm/WasmBinding.cpp:
2301         (JSC::Wasm::wasmToJs):
2302         * wasm/WasmOMGPlan.cpp:
2303         (JSC::Wasm::runOMGPlanForIndex):
2304
2305 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
2306
2307         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
2308         https://bugs.webkit.org/show_bug.cgi?id=167962
2309
2310         Reviewed by Saam Barati.
2311
2312         Object Rest/Spread Destructuring proposal is in stage 3[1] and this
2313         patch is a prototype implementation of it. A simple change over the
2314         parser was necessary to support the new '...' token on the Object Pattern
2315         destructuring rule. On the bytecode generator side, we changed the
2316         bytecode generated on ObjectPatternNode::bindValue to store in a
2317         set the identifiers of already destructured properties, following spec draft
2318         section[2], and then pass it as excludedNames to CopyDataProperties.
2319         The rest destructuring calls copyDataProperties to perform the
2320         copy of rest properties in rhs.
2321
2322         We also implemented CopyDataProperties as a private JS global operation
2323         in builtins/GlobalOperations.js following its specification in [3].
2324         It is implemented using a Set object to verify if a property is in
2325         excludedNames to keep this algorithm at O(n + m) complexity, where n
2326         = number of source's own properties and m = excludedNames.length.
2327
2328         In this implementation we aren't using excludeList as a constant if the
2329         destructuring pattern contains a computed property, i.e. we can
2330         just determine the key to be excluded at runtime. If we can define all
2331         identifiers in the pattern at compile time, we then create a
2332         constant JSSet. This approach gives a good performance improvement,
2333         since we allocate the excludeSet just once, reducing GC pressure.
2334
2335         [1] - https://github.com/tc39/proposal-object-rest-spread
2336         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
2337         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
2338
2339         * builtins/BuiltinNames.h:
2340         * builtins/GlobalOperations.js:
2341         (globalPrivate.copyDataProperties):
2342         * bytecode/CodeBlock.cpp:
2343         (JSC::CodeBlock::finishCreation):
2344         * bytecompiler/NodesCodegen.cpp:
2345         (JSC::ObjectPatternNode::bindValue):
2346         * parser/ASTBuilder.h:
2347         (JSC::ASTBuilder::appendObjectPatternEntry):
2348         (JSC::ASTBuilder::appendObjectPatternRestEntry):
2349         (JSC::ASTBuilder::setContainsObjectRestElement):
2350         * parser/Nodes.h:
2351         (JSC::ObjectPatternNode::appendEntry):
2352         (JSC::ObjectPatternNode::setContainsRestElement):
2353         * parser/Parser.cpp:
2354         (JSC::Parser<LexerType>::parseDestructuringPattern):
2355         (JSC::Parser<LexerType>::parseProperty):
2356         * parser/SyntaxChecker.h:
2357         (JSC::SyntaxChecker::operatorStackPop):
2358         * runtime/JSGlobalObject.cpp:
2359         (JSC::JSGlobalObject::init):
2360         * runtime/JSGlobalObject.h:
2361         (JSC::JSGlobalObject::asyncFunctionStructure):
2362         (JSC::JSGlobalObject::setStructure): Deleted.
2363         * runtime/JSGlobalObjectFunctions.cpp:
2364         (JSC::privateToObject):
2365         * runtime/JSGlobalObjectFunctions.h:
2366         * runtime/ObjectConstructor.cpp:
2367         (JSC::ObjectConstructor::finishCreation):
2368         * runtime/SetPrototype.cpp:
2369         (JSC::SetPrototype::finishCreation):
2370
2371 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2372
2373         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
2374         https://bugs.webkit.org/show_bug.cgi?id=173888
2375
2376         Reviewed by Saam Barati.
2377
2378         After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
2379         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
2380         This causes occasional SEGV / assertion failures in workers/bomb test.
2381
2382         * dfg/DFGWorklist.cpp:
2383
2384 2017-06-27  Saam Barati  <sbarati@apple.com>
2385
2386         Remove an inaccurate comment inside DFGClobberize.h
2387         https://bugs.webkit.org/show_bug.cgi?id=163874
2388
2389         Reviewed by Filip Pizlo.
2390
2391         The comment said that Clobberize may or may not be sound if run prior to
2392         doing type inference. This is not correct, though. Clobberize *must* be sound
2393         prior to doing type inference since we use it inside the BytecodeParser, which
2394         is the very first thing the DFG does.
2395
2396         * dfg/DFGClobberize.h:
2397         (JSC::DFG::clobberize):
2398
2399 2017-06-27  Saam Barati  <sbarati@apple.com>
2400
2401         Function constructor needs to follow the spec and validate parameters and body independently
2402         https://bugs.webkit.org/show_bug.cgi?id=173303
2403         <rdar://problem/32732526>
2404
2405         Reviewed by Keith Miller.
2406
2407         The Function constructor must check the arguments and body strings
2408         independently for syntax errors. People rely on this specified behavior
2409         to verify that a particular string is a valid function body. We used
2410         to check these strings concatenated together, instead of
2411         independently. For example, this used to be valid: `Function("/*", "*/){")`.
2412         However, we should throw a syntax error here since "(/*)" is not a valid
2413         parameter list, and "*/){" is not a valid body.
2414         
2415         To implement the specified behavior, we check the syntax independently of
2416         both the body and the parameter list. To check that the parameter list has
2417         valid syntax, we check that it is valid if in a function with an empty body.
2418         To check that the body has valid syntax, we check it is valid in a function
2419         with an empty parameter list.
2420
2421         * runtime/FunctionConstructor.cpp:
2422         (JSC::constructFunctionSkippingEvalEnabledCheck):
2423
2424 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
2425
2426         Add missing includes to fix compilation error on FreeBSD
2427         https://bugs.webkit.org/show_bug.cgi?id=172919
2428
2429         Reviewed by Mark Lam.
2430
2431         * API/JSRemoteInspector.h:
2432         * API/tests/GlobalContextWithFinalizerTest.cpp:
2433         * API/tests/TypedArrayCTest.cpp:
2434
2435 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2436
2437         Web Inspector: Crash generating object preview for ArrayIterator
2438         https://bugs.webkit.org/show_bug.cgi?id=173754
2439         <rdar://problem/32859012>
2440
2441         Reviewed by Saam Barati.
2442
2443         When Inspector generates an object preview for an ArrayIterator instance it made
2444         a "clone" of the original ArrayIterator instance by constructing a new object with
2445         the instance's structure. However, user code could have modified that instance's
2446         structure, such as adding / removing properties. The `return` property had special
2447         meaning, and our clone did not fill that slot. This approach is brittle in that
2448         we weren't satisfying the expectations of an object with a particular Structure,
2449         and the original goal of having Web Inspector peek values of built-in Iterators
2450         was to avoid observable behavior.
2451
2452         This tightens Web Inspector's Iterator preview to only peek values if the
2453         Iterators would actually be non-observable. It also builds an ArrayIterator
2454         clone like a regular object construction.
2455
2456         * inspector/JSInjectedScriptHost.cpp:
2457         (Inspector::cloneArrayIteratorObject):
2458         Build up the Object from scratch with a new ArrayIterator prototype.
2459
2460         (Inspector::JSInjectedScriptHost::iteratorEntries):
2461         Only clone and peek iterators if it would not be observable.
2462         Also update iteration to be more in line with IterationOperations, such as when
2463         we call iteratorClose.
2464
2465         * runtime/JSGlobalObject.cpp:
2466         (JSC::JSGlobalObject::JSGlobalObject):
2467         (JSC::JSGlobalObject::init):
2468         * runtime/JSGlobalObject.h:
2469         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
2470         * runtime/JSGlobalObjectInlines.h:
2471         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
2472         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
2473
2474         * runtime/JSMap.cpp:
2475         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2476         (JSC::JSMap::canCloneFastAndNonObservable):
2477         * runtime/JSMap.h:
2478         * runtime/JSSet.cpp:
2479         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2480         (JSC::JSSet::canCloneFastAndNonObservable):
2481         * runtime/JSSet.h:
2482         Promote isIteratorProtocolFastAndNonObservable to a method.
2483
2484         * runtime/JSObject.cpp:
2485         (JSC::canDoFastPutDirectIndex):
2486         * runtime/JSTypeInfo.h:
2487         (JSC::TypeInfo::isArgumentsType):
2488         Helper to detect if an Object is an Arguments type.
2489
2490 2017-06-26  Saam Barati  <sbarati@apple.com>
2491
2492         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
2493         https://bugs.webkit.org/show_bug.cgi?id=173740
2494
2495         Reviewed by Mark Lam.
2496
2497         The builtin was using for-of iteration to iterate over an internal
2498         list in its algorithm. For-of iteration is observable via user code
2499         in the global object, so this approach was wrong as it would break if
2500         a user changed the Array iteration protocol in some way.
2501
2502         * builtins/RegExpPrototype.js:
2503         (replace):
2504
2505 2017-06-26  Mark Lam  <mark.lam@apple.com>
2506
2507         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
2508         https://bugs.webkit.org/show_bug.cgi?id=173848
2509
2510         Reviewed by JF Bastien.
2511
2512         This functor only dumps the return VirtualPC.
2513
2514         * interpreter/Interpreter.cpp:
2515         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
2516         (JSC::Interpreter::dumpRegisters):
2517         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
2518         (JSC::DumpRegisterFunctor::operator()): Deleted.
2519
2520 2017-06-26  Saam Barati  <sbarati@apple.com>
2521
2522         Crash in JSC::Lexer<unsigned char>::setCode
2523         https://bugs.webkit.org/show_bug.cgi?id=172754
2524
2525         Reviewed by Mark Lam.
2526
2527         The lexer was asking one of its buffers to reserve initial space that
2528         was O(text size in bytes). For large sources, this would end up causing
2529         the vector to overflow and crash. This patch changes this code to be like
2530         the Lexer's other buffers and to only reserve a small starting buffer.
2531
2532         * parser/Lexer.cpp:
2533         (JSC::Lexer<T>::setCode):
2534
2535 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2536
2537         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
2538         https://bugs.webkit.org/show_bug.cgi?id=173825
2539
2540         Reviewed by Saam Barati.
2541
2542         * jsc.cpp:
2543         (startTimeoutThreadIfNeeded):
2544         (timeoutThreadMain): Deleted.
2545
2546 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2547
2548         Unreviewed, add missing header for CLoop
2549
2550         * runtime/SymbolTable.cpp:
2551
2552 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2553
2554         Unreviewed, add missing header includes
2555
2556         * parser/Lexer.h:
2557
2558 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
2559
2560         Remove excessive headers from JavaScriptCore
2561         https://bugs.webkit.org/show_bug.cgi?id=173812
2562
2563         Reviewed by Darin Adler.
2564
2565         * API/APIUtils.h:
2566         * assembler/LinkBuffer.cpp:
2567         * assembler/MacroAssemblerCodeRef.cpp:
2568         * b3/air/AirLiveness.h:
2569         * b3/air/AirLowerAfterRegAlloc.cpp:
2570         * bindings/ScriptValue.cpp:
2571         * bindings/ScriptValue.h:
2572         * bytecode/AccessCase.cpp:
2573         * bytecode/AccessCase.h:
2574         * bytecode/ArrayProfile.h:
2575         * bytecode/BytecodeDumper.h:
2576         * bytecode/BytecodeIntrinsicRegistry.cpp:
2577         * bytecode/BytecodeKills.h:
2578         * bytecode/BytecodeLivenessAnalysis.h:
2579         * bytecode/BytecodeUseDef.h:
2580         * bytecode/CallLinkStatus.h:
2581         * bytecode/CodeBlock.h:
2582         * bytecode/CodeOrigin.h:
2583         * bytecode/ComplexGetStatus.h:
2584         * bytecode/GetByIdStatus.h:
2585         * bytecode/GetByIdVariant.h:
2586         * bytecode/InlineCallFrame.h:
2587         * bytecode/InlineCallFrameSet.h:
2588         * bytecode/Instruction.h:
2589         * bytecode/InternalFunctionAllocationProfile.h:
2590         * bytecode/JumpTable.h:
2591         * bytecode/MethodOfGettingAValueProfile.h:
2592         * bytecode/ObjectPropertyConditionSet.h:
2593         * bytecode/Operands.h:
2594         * bytecode/PolymorphicAccess.h:
2595         * bytecode/PutByIdStatus.h:
2596         * bytecode/SpeculatedType.cpp:
2597         * bytecode/StructureSet.h:
2598         * bytecode/StructureStubInfo.h:
2599         * bytecode/UnlinkedCodeBlock.h:
2600         * bytecode/UnlinkedFunctionExecutable.h:
2601         * bytecode/ValueProfile.h:
2602         * bytecompiler/BytecodeGenerator.cpp:
2603         * bytecompiler/BytecodeGenerator.h:
2604         * bytecompiler/Label.h:
2605         * bytecompiler/StaticPropertyAnalysis.h:
2606         * debugger/DebuggerCallFrame.cpp:
2607         * dfg/DFGAbstractInterpreter.h:
2608         * dfg/DFGAdjacencyList.h:
2609         * dfg/DFGArgumentsUtilities.h:
2610         * dfg/DFGArrayMode.h:
2611         * dfg/DFGArrayifySlowPathGenerator.h:
2612         * dfg/DFGBackwardsPropagationPhase.h:
2613         * dfg/DFGBasicBlock.h:
2614         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2615         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2616         * dfg/DFGCapabilities.h:
2617         * dfg/DFGCommon.h:
2618         * dfg/DFGCommonData.h:
2619         * dfg/DFGDesiredIdentifiers.h:
2620         * dfg/DFGDesiredWatchpoints.h:
2621         * dfg/DFGDisassembler.cpp:
2622         * dfg/DFGDominators.h:
2623         * dfg/DFGDriver.cpp:
2624         * dfg/DFGDriver.h:
2625         * dfg/DFGEdgeDominates.h:
2626         * dfg/DFGFinalizer.h:
2627         * dfg/DFGGenerationInfo.h:
2628         * dfg/DFGJITCompiler.cpp:
2629         * dfg/DFGJITCompiler.h:
2630         * dfg/DFGJITFinalizer.h:
2631         * dfg/DFGLivenessAnalysisPhase.h:
2632         * dfg/DFGMinifiedNode.h:
2633         * dfg/DFGMultiGetByOffsetData.h:
2634         * dfg/DFGNaturalLoops.cpp:
2635         * dfg/DFGNaturalLoops.h:
2636         * dfg/DFGNode.h:
2637         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2638         * dfg/DFGOSRExit.h:
2639         * dfg/DFGOSRExitCompilationInfo.h:
2640         * dfg/DFGOSRExitCompiler.cpp:
2641         * dfg/DFGOSRExitCompiler.h:
2642         * dfg/DFGOSRExitJumpPlaceholder.h:
2643         * dfg/DFGOperations.cpp:
2644         * dfg/DFGOperations.h:
2645         * dfg/DFGPlan.h:
2646         * dfg/DFGPreciseLocalClobberize.h:
2647         * dfg/DFGPromotedHeapLocation.h:
2648         * dfg/DFGRegisteredStructure.h:
2649         * dfg/DFGRegisteredStructureSet.h:
2650         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2651         * dfg/DFGSlowPathGenerator.h:
2652         * dfg/DFGSnippetParams.h:
2653         * dfg/DFGSpeculativeJIT.h:
2654         * dfg/DFGToFTLDeferredCompilationCallback.h:
2655         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2656         * dfg/DFGValidate.h:
2657         * dfg/DFGValueSource.h:
2658         * dfg/DFGVariableEvent.h:
2659         * dfg/DFGVariableEventStream.h:
2660         * dfg/DFGWorklist.h:
2661         * domjit/DOMJITCallDOMGetterSnippet.h:
2662         * domjit/DOMJITEffect.h:
2663         * ftl/FTLLink.cpp:
2664         * ftl/FTLLowerDFGToB3.cpp:
2665         * ftl/FTLPatchpointExceptionHandle.h:
2666         * heap/AllocatorAttributes.h:
2667         * heap/CodeBlockSet.h:
2668         * heap/DeferGC.h:
2669         * heap/GCSegmentedArray.h:
2670         * heap/Heap.cpp:
2671         * heap/Heap.h:
2672         * heap/IncrementalSweeper.h:
2673         * heap/ListableHandler.h:
2674         * heap/MachineStackMarker.h:
2675         * heap/MarkedAllocator.h:
2676         * heap/MarkedBlock.cpp:
2677         * heap/MarkedBlock.h:
2678         * heap/MarkingConstraint.h:
2679         * heap/SlotVisitor.cpp:
2680         * heap/SlotVisitor.h:
2681         * inspector/ConsoleMessage.cpp:
2682         * inspector/ConsoleMessage.h:
2683         * inspector/InjectedScript.h:
2684         * inspector/InjectedScriptHost.h:
2685         * inspector/InjectedScriptManager.cpp:
2686         * inspector/JSGlobalObjectInspectorController.cpp:
2687         * inspector/JavaScriptCallFrame.h:
2688         * inspector/ScriptCallStack.h:
2689         * inspector/ScriptCallStackFactory.cpp:
2690         * inspector/ScriptDebugServer.h:
2691         * inspector/agents/InspectorConsoleAgent.h:
2692         * inspector/agents/InspectorDebuggerAgent.cpp:
2693         * inspector/agents/InspectorDebuggerAgent.h:
2694         * inspector/agents/InspectorHeapAgent.cpp:
2695         * inspector/agents/InspectorHeapAgent.h:
2696         * inspector/agents/InspectorRuntimeAgent.h:
2697         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2698         * inspector/agents/InspectorScriptProfilerAgent.h:
2699         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2700         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2701         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2702         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2703         * inspector/augmentable/AlternateDispatchableAgent.h:
2704         * interpreter/CLoopStack.h:
2705         * interpreter/CachedCall.h:
2706         * interpreter/CallFrame.h:
2707         * interpreter/Interpreter.cpp:
2708         * interpreter/Interpreter.h:
2709         * jit/AssemblyHelpers.cpp:
2710         * jit/AssemblyHelpers.h:
2711         * jit/CCallHelpers.h:
2712         * jit/CallFrameShuffler.h:
2713         * jit/ExecutableAllocator.h:
2714         * jit/GCAwareJITStubRoutine.h:
2715         * jit/HostCallReturnValue.h:
2716         * jit/ICStats.h:
2717         * jit/JIT.cpp:
2718         * jit/JIT.h:
2719         * jit/JITAddGenerator.h:
2720         * jit/JITCall32_64.cpp:
2721         * jit/JITCode.h:
2722         * jit/JITDisassembler.cpp:
2723         * jit/JITExceptions.cpp:
2724         * jit/JITMathIC.h:
2725         * jit/JITOpcodes.cpp:
2726         * jit/JITOperations.cpp:
2727         * jit/JITOperations.h:
2728         * jit/JITThunks.cpp:
2729         * jit/JITThunks.h:
2730         * jit/JSInterfaceJIT.h:
2731         * jit/PCToCodeOriginMap.h:
2732         * jit/PolymorphicCallStubRoutine.h:
2733         * jit/RegisterSet.h:
2734         * jit/Repatch.h:
2735         * jit/SetupVarargsFrame.h:
2736         * jit/Snippet.h:
2737         * jit/SnippetParams.h:
2738         * jit/ThunkGenerators.h:
2739         * jsc.cpp:
2740         * llint/LLIntCLoop.h:
2741         * llint/LLIntEntrypoint.h:
2742         * llint/LLIntExceptions.h:
2743         * llint/LLIntOfflineAsmConfig.h:
2744         * llint/LLIntSlowPaths.cpp:
2745         * parser/NodeConstructors.h:
2746         * parser/Nodes.cpp:
2747         * parser/Nodes.h:
2748         * parser/Parser.cpp:
2749         * parser/Parser.h:
2750         * parser/ParserTokens.h:
2751         * parser/SourceProviderCacheItem.h:
2752         * profiler/ProfilerBytecodeSequence.h:
2753         * profiler/ProfilerDatabase.cpp:
2754         * profiler/ProfilerDatabase.h:
2755         * profiler/ProfilerOrigin.h:
2756         * profiler/ProfilerOriginStack.h:
2757         * profiler/ProfilerProfiledBytecodes.h:
2758         * profiler/ProfilerUID.h:
2759         * runtime/AbstractModuleRecord.h:
2760         * runtime/ArrayConstructor.h:
2761         * runtime/ArrayConventions.h:
2762         * runtime/ArrayIteratorPrototype.h:
2763         * runtime/ArrayPrototype.h:
2764         * runtime/BasicBlockLocation.h:
2765         * runtime/Butterfly.h:
2766         * runtime/CallData.cpp:
2767         * runtime/CodeCache.h:
2768         * runtime/CommonSlowPaths.cpp:
2769         * runtime/CommonSlowPaths.h:
2770         * runtime/CommonSlowPathsExceptions.cpp:
2771         * runtime/Completion.cpp:
2772         * runtime/ControlFlowProfiler.h:
2773         * runtime/DateInstanceCache.h:
2774         * runtime/ErrorConstructor.h:
2775         * runtime/ErrorInstance.h:
2776         * runtime/ExceptionHelpers.cpp:
2777         * runtime/ExceptionHelpers.h:
2778         * runtime/ExecutableBase.h:
2779         * runtime/FunctionExecutable.h:
2780         * runtime/HasOwnPropertyCache.h:
2781         * runtime/Identifier.h:
2782         * runtime/InternalFunction.h:
2783         * runtime/IntlCollator.cpp:
2784         * runtime/IntlCollatorPrototype.h:
2785         * runtime/IntlDateTimeFormatPrototype.h:
2786         * runtime/IntlNumberFormat.cpp:
2787         * runtime/IntlNumberFormatPrototype.h:
2788         * runtime/IteratorOperations.cpp:
2789         * runtime/JSArray.h:
2790         * runtime/JSArrayBufferPrototype.h:
2791         * runtime/JSCJSValue.h:
2792         * runtime/JSCJSValueInlines.h:
2793         * runtime/JSCell.h:
2794         * runtime/JSFunction.cpp:
2795         * runtime/JSFunction.h:
2796         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2797         * runtime/JSGlobalObject.cpp:
2798         * runtime/JSGlobalObject.h:
2799         * runtime/JSGlobalObjectDebuggable.cpp:
2800         * runtime/JSGlobalObjectDebuggable.h:
2801         * runtime/JSGlobalObjectFunctions.cpp:
2802         * runtime/JSGlobalObjectFunctions.h:
2803         * runtime/JSJob.cpp:
2804         * runtime/JSLock.h:
2805         * runtime/JSModuleLoader.cpp:
2806         * runtime/JSModuleNamespaceObject.h:
2807         * runtime/JSModuleRecord.h:
2808         * runtime/JSObject.cpp:
2809         * runtime/JSObject.h:
2810         * runtime/JSRunLoopTimer.h:
2811         * runtime/JSTemplateRegistryKey.h:
2812         * runtime/JSTypedArrayPrototypes.cpp:
2813         * runtime/JSTypedArrayPrototypes.h:
2814         * runtime/JSTypedArrays.h:
2815         * runtime/LiteralParser.h:
2816         * runtime/MatchResult.h:
2817         * runtime/MemoryStatistics.h:
2818         * runtime/PrivateName.h:
2819         * runtime/PromiseDeferredTimer.h:
2820         * runtime/ProxyObject.h:
2821         * runtime/RegExp.h:
2822         * runtime/SamplingProfiler.cpp:
2823         * runtime/SmallStrings.h:
2824         * runtime/StringPrototype.cpp:
2825         * runtime/StringRecursionChecker.h:
2826         * runtime/Structure.h:
2827         * runtime/SymbolConstructor.h:
2828         * runtime/SymbolPrototype.cpp:
2829         * runtime/SymbolPrototype.h:
2830         * runtime/TypeProfiler.h:
2831         * runtime/TypeProfilerLog.h:
2832         * runtime/TypedArrayType.h:
2833         * runtime/VM.cpp:
2834         * runtime/VM.h:
2835         * runtime/VMEntryScope.h:
2836         * runtime/WeakMapData.h:
2837         * runtime/WriteBarrier.h:
2838         * tools/FunctionOverrides.cpp:
2839         * tools/FunctionOverrides.h:
2840         * wasm/WasmBinding.cpp:
2841         * wasm/js/JSWebAssemblyCodeBlock.h:
2842         * wasm/js/WebAssemblyPrototype.cpp:
2843         * yarr/Yarr.h:
2844         * yarr/YarrJIT.cpp:
2845         * yarr/YarrJIT.h:
2846         * yarr/YarrParser.h:
2847
2848 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2849
2850         [JSC] Clean up Object.entries implementation
2851         https://bugs.webkit.org/show_bug.cgi?id=173759
2852
2853         Reviewed by Sam Weinig.
2854
2855         This patch cleans up Object.entries implementation.
2856         We drop unused private functions. And we merge the
2857         implementation into Object.entries.
2858
2859         It slightly speeds up Object.entries speed.
2860
2861                                      baseline                  patched
2862
2863             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
2864
2865
2866         * builtins/BuiltinNames.h:
2867         * builtins/ObjectConstructor.js:
2868         (entries):
2869         (globalPrivate.enumerableOwnProperties): Deleted.
2870         * runtime/JSGlobalObject.cpp:
2871         (JSC::JSGlobalObject::init):
2872         * runtime/ObjectConstructor.cpp:
2873         (JSC::ownEnumerablePropertyKeys): Deleted.
2874         * runtime/ObjectConstructor.h:
2875
2876 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
2877
2878         Remove Reflect.enumerate
2879         https://bugs.webkit.org/show_bug.cgi?id=173806
2880
2881         Reviewed by Yusuke Suzuki.
2882
2883         * CMakeLists.txt:
2884         * JavaScriptCore.xcodeproj/project.pbxproj:
2885         * inspector/JSInjectedScriptHost.cpp:
2886         (Inspector::JSInjectedScriptHost::subtype):
2887         (Inspector::JSInjectedScriptHost::getInternalProperties):
2888         (Inspector::JSInjectedScriptHost::iteratorEntries):
2889         * runtime/JSGlobalObject.cpp:
2890         (JSC::JSGlobalObject::init):
2891         (JSC::JSGlobalObject::visitChildren):
2892         * runtime/JSPropertyNameIterator.cpp: Removed.
2893         * runtime/JSPropertyNameIterator.h: Removed.
2894         * runtime/ReflectObject.cpp:
2895         (JSC::reflectObjectEnumerate): Deleted.
2896
2897 2017-06-23  Keith Miller  <keith_miller@apple.com>
2898
2899         Switch VMTraps to use halt instructions rather than breakpoint instructions
2900         https://bugs.webkit.org/show_bug.cgi?id=173677
2901         <rdar://problem/32178892>
2902
2903         Reviewed by JF Bastien.
2904
2905         Using the breakpoint instruction for VMTraps caused issues with lldb.
2906         Since we only need some way to stop execution we can, in theory, use
2907         any exceptioning instruction we want. I went with the halt instruction
2908         on X86 since that is the only one byte instruction that does not
2909         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
2910         On ARM we use the data cache clearing instruction with the zero register,
2911         which triggers a segmentation fault.
2912
2913         Also, update the platform code to only use signaling VMTraps
2914         where we have an appropriate instruction (x86 and ARM64).
2915
2916         * API/tests/ExecutionTimeLimitTest.cpp:
2917         (testExecutionTimeLimit):
2918         * assembler/ARM64Assembler.h:
2919         (JSC::ARM64Assembler::replaceWithVMHalt):
2920         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
2921         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
2922         * assembler/ARMAssembler.h:
2923         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
2924         * assembler/ARMv7Assembler.h:
2925         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
2926         * assembler/MIPSAssembler.h:
2927         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
2928         * assembler/MacroAssemblerARM.h:
2929         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
2930         * assembler/MacroAssemblerARM64.h:
2931         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
2932         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
2933         * assembler/MacroAssemblerARMv7.h:
2934         (JSC::MacroAssemblerARMv7::storeFence):
2935         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
2936         * assembler/MacroAssemblerMIPS.h:
2937         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
2938         * assembler/MacroAssemblerX86Common.h:
2939         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
2940         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
2941         * assembler/X86Assembler.h:
2942         (JSC::X86Assembler::replaceWithHlt):
2943         (JSC::X86Assembler::replaceWithInt3): Deleted.
2944         * dfg/DFGJumpReplacement.cpp:
2945         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
2946         * runtime/VMTraps.cpp:
2947         (JSC::SignalContext::SignalContext):
2948         (JSC::installSignalHandler):
2949         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
2950         * wasm/WasmFaultSignalHandler.cpp:
2951         (JSC::Wasm::enableFastMemory):
2952
2953 2017-06-22  Saam Barati  <sbarati@apple.com>
2954
2955         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
2956         https://bugs.webkit.org/show_bug.cgi?id=173743
2957         <rdar://problem/32932536>
2958
2959         Reviewed by Mark Lam.
2960
2961         The code always manually speculates, however, we weren't specifying
2962         ManualOperandSpeculation when creating a JSValueOperand. This would
2963         fire an assertion in JSValueOperand construction for a node like:
2964         Identity(String:@otherNode)
2965         
2966         I spent about 45 minutes trying to craft a test and came up
2967         empty. However, this fixes a debug assertion on an internal
2968         Apple website.
2969
2970         * dfg/DFGSpeculativeJIT32_64.cpp:
2971         (JSC::DFG::SpeculativeJIT::compile):
2972         * dfg/DFGSpeculativeJIT64.cpp:
2973         (JSC::DFG::SpeculativeJIT::compile):
2974
2975 2017-06-22  Saam Barati  <sbarati@apple.com>
2976
2977         ValueRep(DoubleRep(@v)) can not simply convert to @v
2978         https://bugs.webkit.org/show_bug.cgi?id=173687
2979         <rdar://problem/32855563>
2980
2981         Reviewed by Mark Lam.
2982
2983         Consider this IR:
2984          block#x
2985           p: Phi() // int32 and double flows into this phi from various control flow
2986           d: DoubleRep(@p)
2987           some uses of @d here
2988           v: ValueRep(DoubleRepUse:@d)
2989           a: NewArrayWithSize(Int32:@v)
2990           some more nodes here ...
2991         
2992         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
2993         AI proves that the Int32 check will fail. Constant folding phase removes
2994         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
2995         
2996         The IR then looks like this:
2997         block#x
2998           p: Phi() // int32 and double flows into this phi from various control flow
2999           d: DoubleRep(@p)
3000           some uses of @d here
3001           v: ValueRep(DoubleRepUse:@d)
3002           a: NewArrayWithSize(Int32:@v)
3003           Unreachable
3004         
3005         However, there was a strength reduction rule that tries to eliminate redundant
3006         conversions. It used to convert the program to:
3007         block#x
3008           p: Phi() // int32 and double flows into this phi from various control flow
3009           d: DoubleRep(@p)
3010           some uses of @d here
3011           a: NewArrayWithSize(Int32:@p)
3012           Unreachable
3013         
3014         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
3015         and we'll crash. This patch removes this strength reduction rule since it
3016         does not maintain what would have happened if we executed the program before
3017         the rule.
3018         
3019         This rule is also wrong for other types of programs (I'm not sure we'd
3020         actually emit this code, but if such IR were generated, we would previously
3021         optimize it incorrectly):
3022         @a: Constant(JSTrue)
3023         @b: DoubleRep(@a)
3024         @c: ValueRep(@b)
3025         @d: use(@c)
3026         
3027         However, the strength reduction rule would've transformed this into:
3028         @a: Constant(JSTrue)
3029         @d: use(@a)
3030         
3031         And this would be wrong because node @c before the transformation would
3032         have produced the JSValue jsNumber(1.0).
3033         
3034         This patch was neutral in the benchmark run I did.
3035
3036         * dfg/DFGStrengthReductionPhase.cpp:
3037         (JSC::DFG::StrengthReductionPhase::handleNode):
3038
3039 2017-06-22  JF Bastien  <jfbastien@apple.com>
3040
3041         ARM64: doubled executable memory limit from 32MiB to 64MiB
3042         https://bugs.webkit.org/show_bug.cgi?id=173734
3043         <rdar://problem/32932407>
3044
3045         Reviewed by Oliver Hunt.
3046
3047         Some WebAssembly programs stress the amount of memory we have
3048         available, especially when we consider tiering (BBQ never dies,
3049         and is bigger than OMG). Tiering to OMG just piles on more memory,
3050         and we're also competing with JavaScript.
3051
3052         * jit/ExecutableAllocator.h:
3053
3054 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
3055
3056         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
3057         https://bugs.webkit.org/show_bug.cgi?id=173698
3058
3059         Reviewed by Matt Baker.
3060
3061         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
3062         when preparing Inspector pause information is spent generating object previews for
3063         the `thisObject` of each of the call frames. In some cases, this could be more
3064         than 95% of the time generating pause information. In the common case, only one of
3065         these (the top frame) will ever be seen by users. This change avoids eagerly
3066         generating object previews up front and lets the frontend request previews if they
3067         are needed.
3068
3069         This introduces the `Runtime.getPreview` protocol command. This can be used to:
3070
3071             - Get a preview for a RemoteObject that did not have a preview but could.
3072             - Update a preview for a RemoteObject that had a preview.
3073
3074         This patch only uses it for the first case, but the second is valid and may be
3075         something we want to do in the future.
3076
3077         * inspector/protocol/Runtime.json:
3078         A new command to get an up to date preview for an object.
3079
3080         * inspector/InjectedScript.h:
3081         * inspector/InjectedScript.cpp:
3082         (Inspector::InjectedScript::getPreview):
3083         * inspector/agents/InspectorRuntimeAgent.cpp:
3084         (Inspector::InspectorRuntimeAgent::getPreview):
3085         * inspector/agents/InspectorRuntimeAgent.h:
3086         Plumbing for the new command.
3087
3088         * inspector/InjectedScriptSource.js:
3089         (InjectedScript.prototype.getPreview):
3090         Implementation just uses the existing helper.
3091
3092         (InjectedScript.CallFrameProxy):
3093         Do not generate a preview for the this object as it may not be shown.
3094         Let the frontend request a preview if it wants or needs one.
3095
3096 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
3097
3098         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
3099         https://bugs.webkit.org/show_bug.cgi?id=173686
3100
3101         Reviewed by Mark Lam.
3102
3103         * inspector/InjectedScript.cpp:
3104         (Inspector::InjectedScript::functionDetails):
3105         * inspector/InjectedScriptSource.js:
3106         (InjectedScript.prototype.functionDetails):
3107         * inspector/JSInjectedScriptHost.cpp:
3108         (Inspector::JSInjectedScriptHost::functionDetails):
3109
3110 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3111
3112         [JSC] Object.values should be implemented in C++
3113         https://bugs.webkit.org/show_bug.cgi?id=173703
3114
3115         Reviewed by Sam Weinig.
3116
3117         Just as with Object.assign, Object.values() is also inherently polymorphic.
3118         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
3119         result is costly.
3120
3121         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
3122         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
3123         non-observable JSObject::get() calls.
3124
3125         This improves performance by 2.49x. And also now Object.values() beats
3126         Object.keys(object).map(key => object[key]) implementation.
3127
3128                                              baseline                  patched
3129
3130             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
3131             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
3132
3133         * builtins/ObjectConstructor.js:
3134         (values): Deleted.
3135         * runtime/ObjectConstructor.cpp:
3136         (JSC::objectConstructorValues):
3137
3138 2017-06-21  Saam Barati  <sbarati@apple.com>
3139
3140         ArrayPrototype.map builtin declares a var it does not use
3141         https://bugs.webkit.org/show_bug.cgi?id=173685
3142
3143         Reviewed by Keith Miller.
3144
3145         * builtins/ArrayPrototype.js:
3146         (map):
3147
3148 2017-06-21  Saam Barati  <sbarati@apple.com>
3149
3150         eval virtual call is incorrect in the baseline JIT
3151         https://bugs.webkit.org/show_bug.cgi?id=173587
3152         <rdar://problem/32867897>
3153
3154         Reviewed by Michael Saboff.
3155
3156         When making a virtual call for call_eval, e.g., when the thing
3157         we're calling isn't actually eval, we end up calling the caller
3158         instead of the callee. This is clearly wrong. The code ends up
3159         issuing a load for the Callee in the callers frame instead of
3160         the callee we're calling. The fix is simple, we just need to
3161         load the real callee. Only the 32-bit baseline JIT had this bug.
3162
3163         * jit/JITCall32_64.cpp:
3164         (JSC::JIT::compileCallEvalSlowCase):
3165
3166 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
3167
3168         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
3169         https://bugs.webkit.org/show_bug.cgi?id=172432
3170         <rdar://problem/29870873>
3171
3172         Reviewed by Saam Barati.
3173
3174         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
3175         We will proceed to improve debugging of these cases in the follow-up bugs.
3176
3177         * debugger/Debugger.cpp:
3178         (JSC::Debugger::exception):
3179         Ignore pausing on these errors.
3180
3181         * runtime/ErrorInstance.h:
3182         (JSC::ErrorInstance::setStackOverflowError):
3183         (JSC::ErrorInstance::isStackOverflowError):
3184         (JSC::ErrorInstance::setOutOfMemoryError):
3185         (JSC::ErrorInstance::isOutOfMemoryError):
3186         * runtime/ExceptionHelpers.cpp:
3187         (JSC::createStackOverflowError):
3188         * runtime/Error.cpp:
3189         (JSC::createOutOfMemoryError):
3190         Mark these kinds of errors.
3191
3192 2017-06-21  Saam Barati  <sbarati@apple.com>
3193
3194         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
3195         https://bugs.webkit.org/show_bug.cgi?id=173609
3196
3197         Reviewed by Keith Miller.
3198
3199         This patch makes many of the IC generating functions require a locker as
3200         a parameter. We do this in other places in JSC to indicate that
3201         a particular API is only valid while a particular lock is held.
3202         This is the case when generating ICs. This patch just makes it
3203         explicit in the IC generating interface.
3204
3205         * bytecode/PolymorphicAccess.cpp:
3206         (JSC::PolymorphicAccess::addCases):
3207         (JSC::PolymorphicAccess::addCase):
3208         (JSC::PolymorphicAccess::commit):
3209         (JSC::PolymorphicAccess::regenerate):
3210         * bytecode/PolymorphicAccess.h:
3211         * bytecode/StructureStubInfo.cpp:
3212         (JSC::StructureStubInfo::addAccessCase):
3213         (JSC::StructureStubInfo::initStub): Deleted.
3214         * bytecode/StructureStubInfo.h:
3215         * jit/Repatch.cpp:
3216         (JSC::tryCacheGetByID):
3217         (JSC::repatchGetByID):
3218         (JSC::tryCachePutByID):
3219         (JSC::repatchPutByID):
3220         (JSC::tryRepatchIn):
3221         (JSC::repatchIn):
3222
3223 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
3224
3225         Disable font variations on macOS Sierra and iOS 10
3226         https://bugs.webkit.org/show_bug.cgi?id=173618
3227         <rdar://problem/32879164>
3228
3229         Reviewed by Jon Lee.
3230
3231         * Configurations/FeatureDefines.xcconfig:
3232
3233 2017-06-20  Keith Miller  <keith_miller@apple.com>
3234
3235         Fix leak of ModuleInformations in BBQPlan constructors.
3236         https://bugs.webkit.org/show_bug.cgi?id=173577
3237
3238         Reviewed by Saam Barati.
3239
3240         This patch fixes a leak in the BBQPlan constructors. Previously,
3241         the plans were calling makeRef on the newly constructed objects.
3242         This patch fixes the issue and uses adoptRef instead. Additionally,
3243         an old, incorrect, attempt to fix the leak is removed.
3244
3245         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3246         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3247         * jit/JITWorklist.cpp:
3248         (JSC::JITWorklist::Thread::Thread):
3249         * runtime/PromiseDeferredTimer.cpp:
3250         (JSC::PromiseDeferredTimer::addPendingPromise):
3251         * runtime/VM.cpp:
3252         (JSC::VM::VM):
3253         * wasm/WasmBBQPlan.cpp:
3254         (JSC::Wasm::BBQPlan::BBQPlan):
3255         * wasm/WasmPlan.cpp:
3256         (JSC::Wasm::Plan::Plan):
3257
3258 2017-06-20  Devin Rousso  <drousso@apple.com>
3259
3260         Web Inspector: Send context attributes for tracked canvases
3261         https://bugs.webkit.org/show_bug.cgi?id=173327
3262
3263         Reviewed by Joseph Pecoraro.
3264
3265         * inspector/protocol/Canvas.json:
3266         Add ContextAttributes object type that is optionally used for WebGL canvases.
3267
3268 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
3269
3270         Remove excessive include directives from WTF
3271         https://bugs.webkit.org/show_bug.cgi?id=173553
3272
3273         Reviewed by Saam Barati.
3274
3275         * profiler/ProfilerDatabase.cpp: Added missing include directive.
3276         * runtime/SamplingProfiler.cpp: Ditto.
3277
3278 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
3279
3280         Revert changes in bug#160417 about extending `null` not being a derived class
3281         https://bugs.webkit.org/show_bug.cgi?id=169293
3282
3283         Reviewed by Saam Barati.
3284
3285         Reverted changes in bug#160417 about extending `null` not being a derived class 
3286         according to changes in spec:
3287         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
3288
3289         * builtins/BuiltinNames.h:
3290         * bytecompiler/BytecodeGenerator.cpp:
3291         (JSC::BytecodeGenerator::BytecodeGenerator):
3292         (JSC::BytecodeGenerator::emitReturn):
3293         * bytecompiler/NodesCodegen.cpp:
3294         (JSC::ClassExprNode::emitBytecode):
3295
3296 2017-06-20  Saam Barati  <sbarati@apple.com>
3297
3298         repatchIn needs to lock the CodeBlock's lock
3299         https://bugs.webkit.org/show_bug.cgi?id=173573
3300
3301         Reviewed by Yusuke Suzuki.
3302
3303         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
3304         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
3305         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
3306         with the marking thread. repatchIn was not grabbing the lock. I haven't been
3307         able to get it to crash, but this is needed for the same reasons that get and put IC
3308         regeneration grab the lock.
3309
3310         * jit/Repatch.cpp:
3311         (JSC::repatchIn):
3312
3313 2017-06-19  Devin Rousso  <drousso@apple.com>
3314
3315         Web Inspector: create canvas content view and details sidebar panel
3316         https://bugs.webkit.org/show_bug.cgi?id=138941
3317         <rdar://problem/19051672>
3318
3319         Reviewed by Joseph Pecoraro.
3320
3321         * inspector/protocol/Canvas.json:
3322          - Add an optional `nodeId` attribute to the `Canvas` type.
3323          - Add `requestNode` command for getting the node id of the backing canvas element.
3324          - Add `requestContent` command for getting the current image content of the canvas.
3325
3326 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3327
3328         Unreviewed, build fix for ARM
3329
3330         * assembler/MacroAssemblerARM.h:
3331         (JSC::MacroAssemblerARM::internalCompare32):
3332
3333 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
3334
3335         [DFG] More ArrayIndexOf fixups for various types
3336         https://bugs.webkit.org/show_bug.cgi?id=173176
3337
3338         Reviewed by Saam Barati.
3339
3340         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
3341
3342         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
3343         never contains the given search value.
3344
3345         2. We support Symbol and Other specialization additionally. Especially, Other is
3346         useful because null/undefined can be used as a sentinel value.
3347
3348         One interesting thing is that Array.prototype.indexOf does not consider holes as
3349         undefineds. Thus,
3350
3351             var array = [,,,,,,,];
3352             array.indexOf(undefined); // => -1
3353
3354         This can be trivially achieved in JSC because Empty and Undefined are different values.
3355
3356         * dfg/DFGFixupPhase.cpp:
3357         (JSC::DFG::FixupPhase::fixupNode):
3358         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
3359         * dfg/DFGSpeculativeJIT.cpp:
3360         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
3361         (JSC::DFG::SpeculativeJIT::speculateOther):
3362         * dfg/DFGSpeculativeJIT.h:
3363         * ftl/FTLLowerDFGToB3.cpp:
3364         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
3365
3366 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
3367
3368         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
3369         https://bugs.webkit.org/show_bug.cgi?id=172972
3370
3371         Reviewed by Mark Lam.
3372
3373         We are changing internalCompare32 implementation in ARM
3374         MacroAssembler to emit "cmp" when the "right.value" is 0.
3375         It is generating wrong comparison cases, since the
3376         semantics of cmn is opposite of cmp[1]. One case that it's breaking is
3377         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
3378         resulting in the following assembly code:
3379
3380         ```
3381         cmn $r0, #0
3382         bhi <address>
3383         ```
3384
3385         However, as cmn is similar to "adds", it will never take the branch
3386         when $r0 > 0. In that case, the correct opcode is "cmp". With this
3387         patch we will fix current broken tests that use
3388         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
3389         such as ForwardVarargs, Spread and GetRestLength.
3390
3391         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
3392
3393         * assembler/MacroAssemblerARM.h:
3394         (JSC::MacroAssemblerARM::internalCompare32):
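To see why the immediate 0 case is special, here is an added model (not JSC code) of the ARM32 CMP/CMN flag semantics and of the HI condition that `MacroAssembler::Above` maps to; the immediate-compare selector in it is a simplified assumption, not the real internalCompare32.

```javascript
// Added example, not JSC code: a model of ARM32 CMP/CMN flag setting, used to
// show why "cmn r0, #0; bhi" never branches while "cmp r0, #0; bhi" does.
const u32 = (x) => x >>> 0;   // view a value as unsigned 32-bit
const s32 = (x) => x | 0;     // view a value as signed 32-bit

// CMP Rn, #imm: flags of Rn - imm. C is set when there is no unsigned borrow.
function cmp(rn, imm) {
  const a = u32(rn), b = u32(imm);
  const result = u32(a - b);
  return {
    n: (result >>> 31) === 1,
    z: result === 0,
    c: a >= b,
    // signed overflow: operands of different sign and result sign differs from a
    v: ((s32(a) ^ s32(b)) & (s32(a) ^ s32(result))) < 0,
  };
}

// CMN Rn, #imm: flags of Rn + imm (like ADDS). C is the carry out of bit 31.
function cmn(rn, imm) {
  const a = u32(rn), b = u32(imm);
  const sum = a + b;            // exact as a double (below 2^33)
  const result = u32(sum);
  return {
    n: (result >>> 31) === 1,
    z: result === 0,
    c: sum > 0xFFFFFFFF,
    // signed overflow: operands of the same sign and result sign differs from a
    v: (~(s32(a) ^ s32(b)) & (s32(a) ^ s32(result))) < 0,
  };
}

// ARM condition codes. MacroAssemblerARM maps Above to HI, AboveOrEqual to HS,
// Below to LO and BelowOrEqual to LS (unsigned); GreaterThan to GT, etc. (signed).
const COND = {
  EQ: (f) => f.z,
  NE: (f) => !f.z,
  HS: (f) => f.c,
  LO: (f) => !f.c,
  HI: (f) => f.c && !f.z,
  LS: (f) => !f.c || f.z,
  GE: (f) => f.n === f.v,
  LT: (f) => f.n !== f.v,
  GT: (f) => !f.z && f.n === f.v,
  LE: (f) => f.z || f.n !== f.v,
};

// Simplified model (an assumption, not the real internalCompare32) of the
// immediate-compare selection: "cmp r, #imm" may be encoded as "cmn r, #-imm".
// The broken selector did that for imm == 0 as well; the fixed one emits cmp there.
function compareImmediate(rn, imm, { fixed = true } = {}) {
  if (imm === 0)
    return fixed ? { op: 'cmp', flags: cmp(rn, 0) } : { op: 'cmn', flags: cmn(rn, 0) };
  if (imm < 0 && imm !== -0x80000000)   // INT_MIN has no 32-bit negation
    return { op: 'cmn', flags: cmn(rn, -imm) };
  return { op: 'cmp', flags: cmp(rn, imm) };
}

// branch32(cond, rn, TrustedImm32(imm)): is the branch taken for this rn value?
function branchTaken(cond, rn, imm, opts) {
  return COND[cond](compareImmediate(rn, imm, opts).flags);
}

// cmp a,#b and cmn a,#-b produce the same NZCV for every b except 0 (a + 0 has
// no carry out, but a - 0 has no borrow, so C differs) and 0x80000000.
function sameFlags(f, g) {
  return f.n === g.n && f.z === g.z && f.c === g.c && f.v === g.v;
}

// Summarize branch32(Above, r0, #0) for a few r0 values under both selectors.
function aboveZeroTable(values) {
  return values.map((r0) => ({
    r0: '0x' + u32(r0).toString(16),
    buggy: branchTaken('HI', r0, 0, { fixed: false }),
    fixed: branchTaken('HI', r0, 0),
  }));
}

console.log(aboveZeroTable([0, 1, 7, 0x7fffffff, 0x80000000, 0xffffffff]));
```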
3395
3396 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
3397
3398         test262: Completion values for control flow do not match the spec
3399         https://bugs.webkit.org/show_bug.cgi?id=171265
3400
3401         Reviewed by Saam Barati.
3402
3403         * bytecompiler/BytecodeGenerator.h:
3404         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
3405         When we care about having proper completion values (global code
3406         in programs, modules, and eval) insert undefined results for
3407         control flow statements.
3408
3409         * bytecompiler/NodesCodegen.cpp:
3410         (JSC::SourceElements::emitBytecode):
3411         Reduce writing a default `undefined` value to the completion result to
3412         only once before the last statement we know will produce a value.
3413
3414         (JSC::IfElseNode::emitBytecode):
3415         (JSC::WithNode::emitBytecode):
3416         (JSC::WhileNode::emitBytecode):
3417         (JSC::ForNode::emitBytecode):
3418         (JSC::ForInNode::emitBytecode):
3419         (JSC::ForOfNode::emitBytecode):
3420         (JSC::SwitchNode::emitBytecode):
3421         Insert an undefined to handle cases where code may break out of an
3422         if/else or with statement (break/continue).
3423
3424         (JSC::TryNode::emitBytecode):
3425         Same handling for break cases. Also, finally block statement completion
3426         values are always ignored for the try statement result.
3427
3428         (JSC::ClassDeclNode::emitBytecode):
3429         Class declarations, like function declarations, produce an empty result.
3430
3431         * parser/Nodes.cpp:
3432         (JSC::SourceElements::lastStatement):
3433         (JSC::SourceElements::hasCompletionValue):
3434         (JSC::SourceElements::hasEarlyBreakOrContinue):
3435         (JSC::BlockNode::lastStatement):
3436         (JSC::BlockNode::singleStatement):
3437         (JSC::BlockNode::hasCompletionValue):
3438         (JSC::BlockNode::hasEarlyBreakOrContinue):
3439         (JSC::ScopeNode::singleStatement):
3440         (JSC::ScopeNode::hasCompletionValue):
3441         (JSC::ScopeNode::hasEarlyBreakOrContinue):
3442         The only non-trivial cases need to loop through their list of statements
3443         to determine if this has a completion value or not. Likewise for
3444         determining if there is an early break / continue, meaning a break or
3445         continue statement with no preceding statement that has a completion value.
3446
3447         * parser/Nodes.h:
3448         (JSC::StatementNode::next):
3449         (JSC::StatementNode::hasCompletionValue):
3450         Helper to check if a statement node produces a completion value or not.
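The completion-value rules described above, exercised through indirect eval as an added example (not JSC code or tests); each case pairs a source snippet with the value the specification assigns to it.

```javascript
// Added example, not JSC code: global-code completion values as observed
// through indirect eval, illustrating the rules the patch implements.
const globalEval = eval;   // indirect call: the source runs as sloppy global code

// Each entry: [label, source, expected completion value].
const CASES = [
  ['expression statement',         '1; 2;',                               2],
  ['if with taken branch',         '1; if (true) { 2; }',                 2],
  ['if with untaken branch',       '1; if (false) { 2; }',                undefined],
  ['if with empty taken branch',   '1; if (true) { }',                    undefined],
  ['while that never runs',        '1; while (false) { 2; }',             undefined],
  ['for-of over empty iterable',   '1; for (const x of []) { 2; }',       undefined],
  ['early break, empty value',     '1; do { break; } while (false);',     undefined],
  ['break after a value',          '1; do { 2; break; } while (false);',  2],
  ['with statement, empty body',   '1; with ({}) { }',                    undefined],
  ['switch with matched case',     '1; switch (2) { case 2: 3; }',        3],
  ['switch with empty case',       '1; switch (2) { case 2: }',           undefined],
  ['try value, finally ignored',   '1; try { 2; } finally { 3; }',        2],
  ['empty try, finally ignored',   '1; try { } finally { 3; }',           undefined],
  ['class declaration is empty',   '1; class C { }',                      1],
  ['function declaration is empty','1; function f() { }',                 1],
  ['empty block keeps prior value','1; { }',                              1],
];

// Completion value of a piece of global code.
function completionValue(source) {
  return globalEval(source);
}

// Runs every case and reports mismatches; returns [] when all agree with the spec.
function checkCompletionValues(cases = CASES) {
  const failures = [];
  for (const [label, source, expected] of cases) {
    const actual = completionValue(source);
    if (!Object.is(actual, expected))
      failures.push({ label, source, expected, actual });
  }
  return failures;
}

console.log(checkCompletionValues());
```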
3451
3452 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
3453
3454         Missing <functional> includes make builds fail with GCC 7.x
3455         https://bugs.webkit.org/show_bug.cgi?id=173544
3456
3457         Unreviewed gardening.
3458
3459         Fix compilation with GCC 7.
3460
3461         * API/tests/CompareAndSwapTest.cpp:
3462         * runtime/VMEntryScope.h:
3463
3464 2017-06-17  Keith Miller  <keith_miller@apple.com>
3465
3466         ArrayBuffer constructor needs to create subclass structures before its buffer
3467         https://bugs.webkit.org/show_bug.cgi?id=173510
3468
3469         Reviewed by Yusuke Suzuki.
3470
3471         * runtime/JSArrayBufferConstructor.cpp:
3472         (JSC::constructArrayBuffer):
3473
3474 2017-06-17  Keith Miller  <keith_miller@apple.com>
3475
3476         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
3477         https://bugs.webkit.org/show_bug.cgi?id=173506
3478
3479         Reviewed by Ryosuke Niwa.
3480
3481         This patch changes the result of unshift if old length +
3482         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
3483         the getLength function, which was always incorrect to use, has
3484         been removed. Additionally, some cases where we were using a
3485         constant for (2 ** 53) - 1 have been replaced with
3486         maxSafeInteger()
3487
3488         * interpreter/Interpreter.cpp:
3489         (JSC::sizeOfVarargs):
3490         * runtime/ArrayPrototype.cpp:
3491         (JSC::arrayProtoFuncToLocaleString):
3492         (JSC::arrayProtoFuncPop):
3493         (JSC::arrayProtoFuncPush):
3494         (JSC::arrayProtoFuncReverse):
3495         (JSC::arrayProtoFuncShift):
3496         (JSC::arrayProtoFuncSlice):
3497         (JSC::arrayProtoFuncSplice):
3498         (JSC::arrayProtoFuncUnShift):
3499         (JSC::arrayProtoFuncIndexOf):
3500         (JSC::arrayProtoFuncLastIndexOf):
3501         * runtime/JSArrayInlines.h:
3502         (JSC::getLength): Deleted.
3503         * runtime/JSCJSValue.cpp:
3504         (JSC::JSValue::toLength):
3505         * runtime/NumberConstructor.cpp:
3506         (JSC::numberConstructorFuncIsSafeInteger):
3507
3508 2017-06-16  Matt Baker  <mattbaker@apple.com>
3509
3510         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
3511         https://bugs.webkit.org/show_bug.cgi?id=172623
3512         <rdar://problem/32415986>
3513
3514         Reviewed by Devin Rousso and Joseph Pecoraro.
3515
3516         This patch adds a basic Canvas protocol. It includes Canvas and related
3517         types and events for monitoring the lifetime of canvases in the page.
3518
3519         * CMakeLists.txt:
3520         * DerivedSources.make:
3521         * inspector/protocol/Canvas.json: Added.
3522
3523         * inspector/scripts/codegen/generator.py:
3524         (Generator.stylized_name_for_enum_value):
3525         Add special handling for Canvas.ContextType protocol enumeration,
3526         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
3527
3528 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
3529
3530         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
3531         https://bugs.webkit.org/show_bug.cgi?id=173366
3532         <rdar://problem/32767014>
3533
3534         Reviewed by Tim Horton.
3535
3536         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
3537
3538         * Configurations/FeatureDefines.xcconfig:
3539
3540 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
3541
3542         [JSC] Add fast path for Object.assign
3543         https://bugs.webkit.org/show_bug.cgi?id=173416
3544
3545         Reviewed by Mark Lam.
3546
3547         In Object.assign implementation, we need to ensure that given key is still enumerable own key.
3548         This seems like a duplicate lookup. And we want to avoid this. However, we still need to perform this
3549         check in the face of Proxy. Proxy can observe that this check is done correctly.
3550
3551         In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation.
3552         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
3553         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
3554         value by calling `slot.getValue()`.
3555
3556         This further improves performance of Object.assign.
3557
3558                                         baseline                  patched
3559
3560             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
3561
3562         * runtime/ObjectConstructor.cpp:
3563         (JSC::objectConstructorAssign):
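Why the re-check must stay observable, as an added example (not JSC code) serving both this Object.assign entry and the Object.values entry above: a Proxy records the [[OwnPropertyKeys]], [[GetOwnProperty]] and [[Get]] calls both functions make, and can change what the descriptor check reports.

```javascript
// Added example, not JSC code: a Proxy records the internal-method calls that
// Object.assign and Object.values make, which is why an engine may only take the
// "just read the slot value" shortcut when no opaque object is involved.
function makeObservedSource(target, log) {
  return new Proxy(target, {
    ownKeys(t) {
      log.push('ownKeys');
      return Reflect.ownKeys(t);
    },
    // [[GetOwnProperty]]: the "is this key still an enumerable own property" check.
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    // [[Get]]: the subsequent value read.
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
}

// Returns the trap sequence observed during Object.assign({}, source).
function traceAssign(source) {
  const log = [];
  Object.assign({}, makeObservedSource(source, log));
  return log;
}

// Returns the trap sequence observed during Object.values(source).
function traceValues(source) {
  const log = [];
  Object.values(makeObservedSource(source, log));
  return log;
}

// A source whose descriptor check lies: 'b' is reported as non-enumerable, so the
// check (which therefore must still happen) makes both functions skip the read of 'b'.
function hideKeyB(target) {
  return new Proxy(target, {
    getOwnPropertyDescriptor(t, key) {
      const desc = Reflect.getOwnPropertyDescriptor(t, key);
      if (key === 'b' && desc) desc.enumerable = false;   // allowed: 'b' is configurable
      return desc;
    },
  });
}

function assignHidingB(source) {
  return Object.assign({}, hideKeyB(source));
}

function valuesHidingB(source) {
  return Object.values(hideKeyB(source));
}

// A plain object, by contrast, involves no opaque object: nothing can observe
// whether the check and the read were one slot lookup or two.
const SAMPLE = { a: 1, b: 2 };   // constructed sample input
console.log(traceAssign(SAMPLE));
console.log(traceValues(SAMPLE));
console.log(assignHidingB(SAMPLE), valuesHidingB(SAMPLE));
```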
3564
3565 2017-06-16  Michael Saboff  <msaboff@apple.com>
3566
3567         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
3568         https://bugs.webkit.org/show_bug.cgi?id=173488
3569
3570         Reviewed by Filip Pizlo.
3571
3572         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
3573         code to initialize its butterfly.  This means that these lazily set properties can have
3574         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
3575         to create the butterfly, as it clears out-of-line properties.
3576
3577         * runtime/ClonedArguments.cpp:
3578         (JSC::ClonedArguments::createEmpty):
3579
3580 2017-06-16  Mark Lam  <mark.lam@apple.com>
3581
3582         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
3583         https://bugs.webkit.org/show_bug.cgi?id=173491
3584
3585         Reviewed by Keith Miller.
3586
3587         The implementation is based on static data. There's no need to get the
3588         interpreter instance. Hence, we can make these methods static and avoid doing
3589         unnecessary work to compute the interpreter's this pointer.
3590
3591         Also removed the unused isCallBytecode method.
3592
3593         * bytecode/BytecodeBasicBlock.cpp:
3594         (JSC::BytecodeBasicBlock::computeImpl):
3595         * bytecode/BytecodeDumper.cpp:
3596         (JSC::BytecodeDumper<Block>::printGetByIdOp):
3597         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
3598         (JSC::BytecodeDumper<Block>::dumpBytecode):
3599         (JSC::BytecodeDumper<Block>::dumpBlock):
3600         * bytecode/BytecodeLivenessAnalysis.cpp:
3601         (JSC::BytecodeLivenessAnalysis::dumpResults):
3602         * bytecode/BytecodeLivenessAnalysisInlines.h:
3603         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
3604         * bytecode/BytecodeRewriter.cpp:
3605         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3606         * bytecode/CallLinkStatus.cpp:
3607         (JSC::CallLinkStatus::computeFromLLInt):
3608         * bytecode/CodeBlock.cpp:
3609         (JSC::CodeBlock::finishCreation):
3610         (JSC::CodeBlock::propagateTransitions):
3611         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3612         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
3613         (JSC::CodeBlock::usesOpcode):
3614         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3615         (JSC::CodeBlock::arithProfileForPC):
3616         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3617         * bytecode/PreciseJumpTargets.cpp:
3618         (JSC::getJumpTargetsForBytecodeOffset):
3619         (JSC::computePreciseJumpTargetsInternal):
3620         (JSC::findJumpTargetsForBytecodeOffset):
3621         * bytecode/PreciseJumpTargetsInlines.h:
3622         (JSC::extractStoredJumpTargetsForBytecodeOffset):
3623         * bytecode/UnlinkedCodeBlock.cpp:
3624         (JSC::UnlinkedCodeBlock::applyModification):
3625         * dfg/DFGByteCodeParser.cpp:
3626         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3627         (JSC::DFG::ByteCodeParser::parseBlock):
3628         * dfg/DFGCapabilities.cpp:
3629         (JSC::DFG::capabilityLevel):
3630         * interpreter/Interpreter.cpp:
3631         (JSC::Interpreter::Interpreter):
3632         (JSC::Interpreter::isOpcode):
3633         (): Deleted.
3634         * interpreter/Interpreter.h:
3635         (JSC::Interpreter::getOpcode): Deleted.
3636         (JSC::Interpreter::getOpcodeID): Deleted.
3637         (JSC::Interpreter::isCallBytecode): Deleted.
3638         * interpreter/InterpreterInlines.h:
3639         (JSC::Interpreter::getOpcode):
3640         (JSC::Interpreter::getOpcodeID):
3641         * jit/JIT.cpp:
3642         (JSC::JIT::privateCompileMainPass):
3643         (JSC::JIT::privateCompileSlowCases):
3644         * jit/JITOpcodes.cpp:
3645         (JSC::JIT::emitNewFuncCommon):
3646         (JSC::JIT::emitNewFuncExprCommon):
3647         * jit/JITPropertyAccess.cpp:
3648         (JSC::JIT::emitSlow_op_put_by_val):
3649         (JSC::JIT::privateCompilePutByVal):
3650         * jit/JITPropertyAccess32_64.cpp:
3651         (JSC::JIT::emitSlow_op_put_by_val):
3652         * llint/LLIntSlowPaths.cpp:
3653         (JSC::LLInt::llint_trace_operand):
3654         (JSC::LLInt::llint_trace_value):
3655         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3656         * profiler/ProfilerBytecodeSequence.cpp:
3657         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3658
3659 2017-06-16  Matt Lewis  <jlewis3@apple.com>
3660
3661         Unreviewed, rolling out r218376.
3662
3663         The patch caused multiple Layout Test crashes.
3664
3665         Reverted changeset:
3666
3667         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
3668         backend"
3669         https://bugs.webkit.org/show_bug.cgi?id=172623
3670         http://trac.webkit.org/changeset/218376
3671
3672 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
3673
3674         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
3675         https://bugs.webkit.org/show_bug.cgi?id=173470
3676
3677         Reviewed by Joseph Pecoraro.
3678
3679         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses the
3680         const char* overload of StringBuilder::append(), which assumes Latin-1
3681         encoding, not UTF-8.
3682
3683         * runtime/ConsoleClient.cpp:
3684         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3685
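Added example, not part of this ChangeLog and not WebKit's code: what the Latin-1 append path in the entry above does to UTF-8 input. The function names are chosen here; the script assumes the TextEncoder/TextDecoder globals (Node or a browser).

```javascript
// Added example (not WebKit code): the effect of pushing UTF-8 bytes through an
// append path that assumes Latin-1. Every byte becomes one UTF-16 code unit, so
// any non-ASCII character turns into mojibake while ASCII survives untouched.

const utf8Decoder = new TextDecoder('utf-8', { fatal: true });

// Mimics the Latin-1 overload: byte value N becomes code unit U+00NN.
function appendAsLatin1(bytes) {
  return String.fromCharCode(...bytes);
}

// Correct handling of the same bytes as UTF-8; throws on malformed input
// instead of silently substituting replacement characters.
function appendAsUtf8(bytes) {
  return utf8Decoder.decode(bytes);
}

// Encodes a message as UTF-8 and shows what each append path would produce.
// `corrupted` is true exactly when the message contains non-ASCII characters.
function compareAppends(message) {
  const bytes = new TextEncoder().encode(message);
  const latin1 = appendAsLatin1(bytes);
  const utf8 = appendAsUtf8(bytes);
  return { latin1, utf8, corrupted: latin1 !== utf8 };
}
```

For `compareAppends('caf\u00E9')` the Latin-1 path returns `cafÃ©` (bytes C3 A9 read as two characters), which is the corruption the bug report describes; plain ASCII input is unaffected, which is why the regression was easy to miss.
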
3686 2017-06-15  Mark Lam  <mark.lam@apple.com>
3687
3688         Add a JSRunLoopTimer registry in VM.
3689         https://bugs.webkit.org/show_bug.cgi?id=173429
3690         <rdar://problem/31287961>
3691
3692         Reviewed by Filip Pizlo.
3693
3694         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
3695         need to change their run loop (e.g. when setting to the WebThread's run loop).
3696
3697         * heap/Heap.cpp:
3698         (JSC::Heap::Heap):
3699         (JSC::Heap::setRunLoop): Deleted.
3700         * heap/Heap.h:
3701         (JSC::Heap::runLoop): Deleted.
3702         * runtime/JSRunLoopTimer.cpp:
3703         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3704         (JSC::JSRunLoopTimer::setRunLoop):
3705         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
3706         * runtime/VM.cpp:
3707         (JSC::VM::VM):
3708         (JSC::VM::registerRunLoopTimer):
3709         (JSC::VM::unregisterRunLoopTimer):
3710         (JSC::VM::setRunLoop):
3711         * runtime/VM.h:
3712         (JSC::VM::runLoop):
3713
3714 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
3715
3716         [Cocoa] Modernize some internal initializers to use instancetype instead of id
3717         https://bugs.webkit.org/show_bug.cgi?id=173112
3718
3719         Reviewed by Wenson Hsieh.
3720
3721         * API/JSContextInternal.h:
3722         * API/JSWrapperMap.h:
3723         * API/JSWrapperMap.mm:
3724         (-[JSObjCClassInfo initForClass:]):
3725         (-[JSWrapperMap initWithGlobalContextRef:]):
3726
3727 2017-06-15  Matt Baker  <mattbaker@apple.com>
3728
3729         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
3730         https://bugs.webkit.org/show_bug.cgi?id=172623
3731         <rdar://problem/32415986>
3732
3733         Reviewed by Devin Rousso.
3734
3735         This patch adds a basic Canvas protocol. It includes Canvas and related
3736         types and events for monitoring the lifetime of canvases in the page.
3737
3738         * CMakeLists.txt:
3739         * DerivedSources.make:
3740         * inspector/protocol/Canvas.json: Added.
3741
3742         * inspector/scripts/codegen/generator.py:
3743         (Generator.stylized_name_for_enum_value):
3744         Add special handling for Canvas.ContextType protocol enumeration,
3745         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
3746
3747 2017-06-15  Keith Miller  <keith_miller@apple.com>
3748
3749         Add logging to MachineStackMarker to try to diagnose crashes in the wild
3750         https://bugs.webkit.org/show_bug.cgi?id=173427
3751
3752         Reviewed by Mark Lam.
3753
3754         This patch adds some logging to the MachineStackMarker constructor
3755         to help figure out where we are seeing crashes. Since macOS does
3756         not support os_log_info, my hope is that if we set all the callee
3757         save registers before making any calls in the C++ code we can
3758         figure out which call is the source of the crash. We also set
3759         all the caller save registers before returning in case some
3760         weirdness is happening in the Heap constructor.
3761
3762         This logging should not matter from a performance perspective. We
3763         only create MachineStackMarkers when we are creating a new VM,
3764         which is already expensive.
3765
3766         * heap/MachineStackMarker.cpp:
3767         (JSC::MachineThreads::MachineThreads):
3768
3769 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3770
3771         [JSC] Implement Object.assign in C++
3772         https://bugs.webkit.org/show_bug.cgi?id=173414
3773
3774         Reviewed by Saam Barati.
3775
3776         Implementing Object.assign in JS is not so good compared to the C++ version because:
3777
3778         1. The JS version allocates a JS array for the object's own keys, and we allocate a JSString / Symbol for each key.
3779         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
3780
3781         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic,
3782         so JS's type profile doesn't help much.
3783
3784         3. We have a chance to introduce various fast paths for Object.assign in C++.
3785
3786         This patch moves the implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
3787
3788         We can see 1.65x improvement in SixSpeed object-assign.es6.
3789
3790                                     baseline                  patched
3791
3792         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
3793
3794         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
3795
3796         * builtins/ObjectConstructor.js:
3797         (entries):
3798         (assign): Deleted.
3799         * runtime/JSCJSValueInlines.h:
3800         (JSC::JSValue::putInline):
3801         * runtime/JSCell.h:
3802         * runtime/JSCellInlines.h:
3803         (JSC::JSCell::putInline):
3804         * runtime/JSObject.cpp:
3805         (JSC::JSObject::put):
3806         * runtime/JSObject.h:
3807         * runtime/JSObjectInlines.h:
3808         (JSC::JSObject::putInlineForJSObject):
3809         (JSC::JSObject::putInline): Deleted.
3810         * runtime/ObjectConstructor.cpp:
3811         (JSC::objectConstructorAssign):
3812
3813 2017-06-14  Dan Bernstein  <mitz@apple.com>
3814
3815         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
3816         https://bugs.webkit.org/show_bug.cgi?id=168578
3817
3818         Reviewed by Geoff Garen.
3819
3820         * API/JSWrapperMap.mm:
3821         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
3822         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
3823         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
3824           it defines conformance to a JSExport-derived protocol and if so, avoid using the
3825           superclass as a substitute as we’d normally do.
3826
3827         * API/ObjcRuntimeExtras.h:
3828         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
3829           bail out.
3830
3831         * API/tests/JSExportTests.mm:
3832         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
3833         (runJSExportTests): Run new test.
3834
3835 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3836
3837         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
3838         https://bugs.webkit.org/show_bug.cgi?id=172421
3839
3840         * dfg/DFGSpeculativeJIT.cpp:
3841         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
3842
3843 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
3844
3845         REGRESSION: 15 new jsc failures in WPE and GTK+
3846         https://bugs.webkit.org/show_bug.cgi?id=173349
3847
3848         Reviewed by JF Bastien.
3849
3850         Recent changes to generateWasm.py are not accounted for from
3851         CMake, which leads to WasmOps.h not being regenerated in partial
3852         builds. Make generateWasm.py an additional dependency.

3853         * CMakeLists.txt:
3854
3855 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
3856
3857         Debugger has unexpected effect on program correctness
3858         https://bugs.webkit.org/show_bug.cgi?id=172683
3859
3860         Reviewed by Saam Barati.
3861
3862         * inspector/InjectedScriptSource.js:
3863         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3864         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
3865         (BasicCommandLineAPI):
3866         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
3867         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
3868
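Added example, not part of this ChangeLog and not the inspector's code: why iterating an Array with for..of is observable from the page, which is the reason the entry above removes it from InjectedScriptSource. The function names are chosen here; the script assumes any ES2015 engine.

```javascript
// Added example (not WebKit code). for..of on an Array calls
// Array.prototype[Symbol.iterator], which page script can replace; code that
// must not run page-controlled code (such as the inspector's injected script)
// should iterate by index instead.

function sumWithForOf(arr) {
  let total = 0;
  for (const x of arr) total += x;
  return total;
}

function sumWithIndexLoop(arr) {
  let total = 0;
  for (let i = 0; i < arr.length; i++) total += arr[i];
  return total;
}

// Runs fn(arr) while Array.prototype[Symbol.iterator] is replaced, the way a
// page could replace it, then restores it. Reports fn's result and how many
// times the replacement ran, i.e. whether fn's iteration was observable.
function runWithReplacedIterator(fn, arr) {
  const original = Array.prototype[Symbol.iterator];
  let replacementCalls = 0;
  Array.prototype[Symbol.iterator] = function* () {
    replacementCalls++; // the caller's loop is now visible to page code
    // yields nothing, so the caller's loop sees an empty sequence
  };
  try {
    const result = fn(arr);
    return { result, replacementCalls };
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}
```

With the iterator replaced, `sumWithForOf([1, 2, 3])` both reveals itself (the replacement runs once) and returns the wrong answer 0, while `sumWithIndexLoop` is neither observed nor affected.
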
3869 2017-06-13  JF Bastien  <jfbastien@apple.com>
3870
3871         WebAssembly: fix erroneous signature comment
3872         https://bugs.webkit.org/show_bug.cgi?id=173334
3873
3874         Reviewed by Keith Miller.
3875
3876         * wasm/WasmSignature.h:
3877
3878 2017-06-13  Michael Saboff  <msaboff@apple.com>
3879
3880         Refactor AbsenceOfSetter to AbsenceOfSetEffects
3881         https://bugs.webkit.org/show_bug.cgi?id=173322
3882
3883         Reviewed by Filip Pizlo.
3884
3885         * bytecode/ObjectPropertyCondition.h:
3886         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
3887         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
3888         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
3889         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
3890         * bytecode/ObjectPropertyConditionSet.cpp:
3891         (JSC::generateConditionsForPropertySetterMiss):
3892         (JSC::generateConditionsForPropertySetterMissConcurrently):
3893         * bytecode/PropertyCondition.cpp:
3894         (JSC::PropertyCondition::dumpInContext):
3895         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
3896         (JSC::PropertyCondition::isStillValid):
3897         (WTF::printInternal):
3898         * bytecode/PropertyCondition.h:
3899         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
3900         (JSC::PropertyCondition::absenceOfSetEffect):
3901         (JSC::PropertyCondition::hasPrototype):
3902         (JSC::PropertyCondition::hash):
3903         (JSC::PropertyCondition::operator==):
3904         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
3905         (JSC::PropertyCondition::absenceOfSetter): Deleted.
3906
3907 2017-06-13  JF Bastien  <jfbastien@apple.com>
3908
3909         WebAssembly: import updated spec tests
3910         https://bugs.webkit.org/show_bug.cgi?id=173287
3911         <rdar://problem/32725975>
3912
3913         Reviewed by Saam Barati.
3914
3915         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
3916         with a few modifications so things work.
3917
3918         Fix a bunch of bugs found through this process, and punt a few tests (which I
3919         marked as blocked by this bug).
3920
3921         Fixes:
3922
3923         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
3924         instead of byte alignment. It was also missing memory-alignment.js despite it
3925         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
3926         pass.
3927
3928         Tables can be imported or in a section. There can be only one, but sections can
3929         be empty. An Elements section can exist if there's no Table, as long as it is
3930         also empty.
3931
3932         Memories can be imported or in a section. There can be only one, but sections
3933         can be empty. A Data section can exist if there's no Memory, as long as it is
3934         also empty.
3935
3936         Prototypes: stringify without .prototype. in the string.
3937
3938         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
3939         not a final size, and throws a RangeError on failure, not a TypeError.
3940
3941         Fix compile / instantiate so they reject the promise if given an argument of the
3942         wrong type (instead of failing instantly).
3943
3944         Fix async on neuter test.
3945
3946         Element section shouldn't affect any Table if any of the elements are out of
3947         bounds. We need to process it in two passes.
3948
3949         Segment section shouldn't affect any Data if any of the segments are out of
3950         bounds. We need to process it in two passes.
3951
3952         Empty data segments are valid, but only when there is no memory. Their index
3953         still gets validated, and has to be zero.
3954
3955         Punts:
3956
3957         Error messages with context, the test seems overly restrictive but this is
3958         minor.
3959
3960         compile/instantiate/validate property descriptors.
3961
3962         UTF-8 bugs.
3963
3964         Temporarily disable NaN tests. We need to go back and implement the following
3965         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
3966         much as getting all the other tests passing.
3967
3968         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
3969         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
3970         one is (assert_return (invoke "f64.no_fold_mul_one" (i64.const
3971         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
3972         to qNaN, and promote/demote is (assert_return (invoke "no_fold_promote_demote"
3973         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
3974         why they're not allowed.
3975
3976         * wasm/WasmB3IRGenerator.cpp:
3977         * wasm/WasmFunctionParser.h:
3978         * wasm/WasmModuleParser.cpp:
3979         * wasm/WasmModuleParser.h:
3980         * wasm/WasmParser.h:
3981         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
3982         * wasm/generateWasm.py:
3983         (memoryLog2Alignment):
3984         * wasm/js/JSWebAssemblyTable.cpp:
3985         (JSC::JSWebAssemblyTable::grow):
3986         * wasm/js/JSWebAssemblyTable.h:
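
Added example, not part of this ChangeLog and not JavaScriptCore's code: the JS-visible semantics of WebAssembly.Table.prototype.grow and of prototype stringification that the fixes in the entry above describe. The function names are chosen here; the script assumes a current engine with the WebAssembly JS API (Node or jsc).

```javascript
// Added example (not WebKit code). WebAssembly.Table.prototype.grow takes a
// delta (not a final size), returns the previous length, and throws a
// RangeError rather than a TypeError when the maximum would be exceeded.

// Grows `table` by `delta` and reports the outcome without throwing, keeping
// the error class so a bounds failure (RangeError) stays distinguishable from
// misuse such as a bad receiver (TypeError).
function growTable(table, delta) {
  try {
    const previousLength = table.grow(delta);
    return { ok: true, previousLength, length: table.length };
  } catch (e) {
    return { ok: false, error: e.constructor.name, length: table.length };
  }
}

// Walks a table with maximum 2 from length 1: the first grow succeeds and
// returns the old length 1; the second would exceed the maximum and fails,
// leaving the length unchanged at 2.
function demoTableGrow() {
  const table = new WebAssembly.Table({ element: 'anyfunc', initial: 1, maximum: 2 });
  const first = growTable(table, 1);
  const second = growTable(table, 1);
  return { first, second, finalLength: table.length };
}

// The prototype-stringification fix: the tag names the class, with no
// ".prototype" in it.
function tableProtoTag() {
  return Object.prototype.toString.call(WebAssembly.Table.prototype);
}
```

A caller that treated the argument as a final size would read `grow(1)` on a one-entry table as a no-op, and one that caught TypeError would let the RangeError escape; both are exactly the mismatches the entry corrects.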