[WebKit-https.git] / Source / JavaScriptCore / ChangeLog

2017-07-21  Mark Lam  <mark.lam@apple.com>

        Refactor MASM probe CPUState to use arrays for register storage.
        https://bugs.webkit.org/show_bug.cgi?id=174694

        Reviewed by Keith Miller.

        Using arrays for register storage in CPUState allows us to do away with the
        huge switch statements to decode each register id.  We can now simply index into
        the arrays.

        With this patch, we now:

        1. Remove the need for macros for defining the list of CPU registers.
           We can go back to simple enums.  This makes the code easier to read.

        2. Make the assembler the authority on register names.
           Most of this code is moved into the assembler from GPRInfo and FPRInfo.
           GPRInfo and FPRInfo now forwards to the assembler.

        3. Make the assembler the authority on the number of registers of each type.

        4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
           This is inconsistent with how every other CPU architecture implements
           lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
           updates RegisterSet::reservedHardwareRegisters() to exclude those registers.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::numberOfRegisters):
        (JSC::ARM64Assembler::firstSPRegister):
        (JSC::ARM64Assembler::lastSPRegister):
        (JSC::ARM64Assembler::numberOfSPRegisters):
        (JSC::ARM64Assembler::numberOfFPRegisters):
        (JSC::ARM64Assembler::gprName):
        (JSC::ARM64Assembler::sprName):
        (JSC::ARM64Assembler::fprName):
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::numberOfRegisters):
        (JSC::ARMAssembler::firstSPRegister):
        (JSC::ARMAssembler::lastSPRegister):
        (JSC::ARMAssembler::numberOfSPRegisters):
        (JSC::ARMAssembler::numberOfFPRegisters):
        (JSC::ARMAssembler::gprName):
        (JSC::ARMAssembler::sprName):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastRegister):
        (JSC::ARMv7Assembler::numberOfRegisters):
        (JSC::ARMv7Assembler::firstSPRegister):
        (JSC::ARMv7Assembler::lastSPRegister):
        (JSC::ARMv7Assembler::numberOfSPRegisters):
        (JSC::ARMv7Assembler::numberOfFPRegisters):
        (JSC::ARMv7Assembler::gprName):
        (JSC::ARMv7Assembler::sprName):
        (JSC::ARMv7Assembler::fprName):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::numberOfRegisters):
        (JSC::AbstractMacroAssembler::gprName):
        (JSC::AbstractMacroAssembler::firstSPRegister):
        (JSC::AbstractMacroAssembler::lastSPRegister):
        (JSC::AbstractMacroAssembler::numberOfSPRegisters):
        (JSC::AbstractMacroAssembler::sprName):
        (JSC::AbstractMacroAssembler::numberOfFPRegisters):
        (JSC::AbstractMacroAssembler::fprName):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::numberOfRegisters):
        (JSC::MIPSAssembler::firstSPRegister):
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::numberOfFPRegisters):
        (JSC::MIPSAssembler::gprName):
        (JSC::MIPSAssembler::sprName):
        (JSC::MIPSAssembler::fprName):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName):
        (JSC::MacroAssembler::CPUState::sprName):
        (JSC::MacroAssembler::CPUState::fprName):
        (JSC::MacroAssembler::CPUState::gpr):
        (JSC::MacroAssembler::CPUState::spr):
        (JSC::MacroAssembler::CPUState::fpr):
        (JSC::MacroAssembler::CPUState::pc):
        (JSC::MacroAssembler::CPUState::fp):
        (JSC::MacroAssembler::CPUState::sp):
        (JSC::ProbeContext::gpr):
        (JSC::ProbeContext::spr):
        (JSC::ProbeContext::fpr):
        (JSC::ProbeContext::gprName):
        (JSC::ProbeContext::sprName):
        (JSC::ProbeContext::fprName):
        (JSC::MacroAssembler::numberOfRegisters): Deleted.
        (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeTrampoline):
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::nextID):
        (JSC::Printer::printAllRegisters):
        (JSC::Printer::printPCRegister):
        (JSC::Printer::printRegisterID):
        (JSC::Printer::printAddress):
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::numberOfRegisters):
        (JSC::X86Assembler::firstSPRegister):
        (JSC::X86Assembler::lastSPRegister):
        (JSC::X86Assembler::numberOfSPRegisters):
        (JSC::X86Assembler::numberOfFPRegisters):
        (JSC::X86Assembler::gprName):
        (JSC::X86Assembler::sprName):
        (JSC::X86Assembler::fprName):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::debugName):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::debugName):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):

2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce static symbols
        https://bugs.webkit.org/show_bug.cgi?id=158863

        Reviewed by Darin Adler.

        We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
        As a result, we can share the same Symbol values between VMs and threads.
        And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.cpp: Added.
        Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.

        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinUtils.h:

2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Arguments elimination is suppressed by unreachable blocks
        https://bugs.webkit.org/show_bug.cgi?id=174352

        Reviewed by Filip Pizlo.

        If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
        The problem is that arguments elimination phase checks escaping even when ForceOSRExit preceeds.
        Since GetById without information can escape arguments if it is specified, non-executed code including
        op_get_by_id with arguments can escape arguments.

        For example,

            function test(flag)
            {
                if (flag) {
                    // This is not executed, but emits GetById with arguments.
                    // It prevents us from eliminating materialization.
                    return arguments.length;
                }
                return arguments.length;
            }
            noInline(test);
            while (true)
                test(false);

        We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
        So this GetById exists and escapes arguments.

        To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
        If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
        lightweight. But it catches much of typical cases we failed to perform arguments elimination.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isPseudoTerminal):
        * dfg/DFGValidate.cpp:

2017-07-20  Chris Dumez  <cdumez@apple.com>

        Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
        https://bugs.webkit.org/show_bug.cgi?id=174660

        Reviewed by Geoffrey Garen.

        Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
        This essentially replaces a branch to figure out if the new size is less or greater than the
        current size by an assertion.

        * b3/B3BasicBlockUtils.h:
        (JSC::B3::clearPredecessors):
        * b3/B3InferSwitches.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
        * b3/B3ReduceStrength.cpp:
        * b3/B3SparseCollection.h:
        (JSC::B3::SparseCollection::packIndices):
        * b3/B3UseCounts.cpp:
        (JSC::B3::UseCounts::UseCounts):
        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirOptimizeBlockOrder.cpp:
        (JSC::B3::Air::optimizeBlockOrder):
        * bytecode/Operands.h:
        (JSC::Operands::ensureLocals):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargetsInternal):
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::execute):
        * dfg/DFGBlockMapInlines.h:
        (JSC::DFG::BlockMap<T>::BlockMap):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processSetLocalQueue):
        (JSC::DFG::ByteCodeParser::clearCaches):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        * dfg/DFGFlowIndexing.cpp:
        (JSC::DFG::FlowIndexing::recompute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerFrozenValues):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::setLiveValues):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGNaturalLoops.cpp:
        (JSC::DFG::NaturalLoops::NaturalLoops):
        * dfg/DFGStoreBarrierClusteringPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweepLargeAllocations):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::shrinkOperandStackBy):
        * parser/Lexer.h:
        (JSC::Lexer::setOffset):
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::genericSplit):
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::match):

2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
        https://bugs.webkit.org/show_bug.cgi?id=174678

        Reviewed by Mark Lam.

        Use Thread& instead.

        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Implement WTF::ThreadGroup
        https://bugs.webkit.org/show_bug.cgi?id=174081

        Reviewed by Mark Lam.

        Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup.
        And SamplingProfiler and others interact with WTF::Thread directly.

        * API/tests/ExecutionTimeLimitTest.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
        (JSC::ActiveMachineThreadsManager::add): Deleted.
        (JSC::ActiveMachineThreadsManager::remove): Deleted.
        (JSC::ActiveMachineThreadsManager::contains): Deleted.
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
        (JSC::activeMachineThreadsManager): Deleted.
        (JSC::MachineThreads::~MachineThreads): Deleted.
        (JSC::MachineThreads::addCurrentThread): Deleted.
        (): Deleted.
        (JSC::MachineThreads::removeThread): Deleted.
        (JSC::MachineThreads::removeThreadIfFound): Deleted.
        (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
        (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
        (JSC::MachineThreads::MachineThread::captureStack): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threads):
        (JSC::MachineThreads::MachineThread::suspend): Deleted.
        (JSC::MachineThreads::MachineThread::resume): Deleted.
        (JSC::MachineThreads::MachineThread::threadID): Deleted.
        (JSC::MachineThreads::MachineThread::stackBase): Deleted.
        (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
        (JSC::MachineThreads::threadsListHead): Deleted.
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        * runtime/SamplingProfiler.h:
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:
        * b3/B3FoldPathConstants.cpp:
        * b3/B3LowerMacros.cpp:
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::check):
        (JSC::DFG::ByteCodeParser::planLoad):

2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF::Thread should have the threads stack bounds.
        https://bugs.webkit.org/show_bug.cgi?id=173975

        Reviewed by Mark Lam.

        There is a site in JSC that try to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We workaround this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
        coupled with Thread. Thus putting it in WTF::Thread is natural choice.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::captureStack):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        * runtime/VMTraps.cpp:

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig:

2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Modernize InjectedScriptSource
        https://bugs.webkit.org/show_bug.cgi?id=173890

        Reviewed by Brian Burg.

        * inspector/InjectedScript.h:
        Reorder functions to be slightly better.

        * inspector/InjectedScriptSource.js:
        - Convert to classes named InjectedScript and RemoteObject
        - Align InjectedScript's API with the wrapper C++ interfaces
        - Move some code to RemoteObject where appropriate (subtype, describe)
        - Move some code to helper functions (isPrimitiveValue, isDefined)
        - Refactor for readability and modern features
        - Remove some unused / unnecessary code

2017-07-18  Mark Lam  <mark.lam@apple.com>

        Butterfly storage need not be initialized for indexing type Undecided.
        https://bugs.webkit.org/show_bug.cgi?id=174516

        Reviewed by Saam Barati.

        While it's not incorrect to initialize the butterfly storage when the
        indexingType is Undecided, it is inefficient as we'll end up initializing
        it again later when we convert the storage to a different indexingType.
        Some of our code already skips initializing Undecided butterflies.
        This patch makes it the consistent behavior everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

2017-07-18  Saam Barati  <sbarati@apple.com>

        AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
        https://bugs.webkit.org/show_bug.cgi?id=174515
        <rdar://problem/33358092>

        Reviewed by Filip Pizlo.

        AirLowerAfterRegAlloc was computing the set of available scratch
        registers incorrectly. It was always excluding callee save registers
        from the set of live registers. It did not guarantee that live callee save
        registers were not in the set of scratch registers that could
        get clobbered. That's incorrect as the shuffling code is free
        to overwrite whatever is in the scratch register it gets passed.

        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/testb3.cpp:
        (JSC::B3::functionNineArgs):
        (JSC::B3::testShuffleDoesntTrashCalleeSaves):
        (JSC::B3::run):
        * jit/RegisterSet.h:

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2017-07-18  Devin Rousso  <drousso@apple.com>

        Web Inspector: Add memoryCost to Inspector Protocol objects
        https://bugs.webkit.org/show_bug.cgi?id=174478

        Reviewed by Joseph Pecoraro.

        For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
        plus the memoryCost of the data if it is a string.

        For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.

        For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
        key plus the memoryCost of the InspectorValue for each entry.

        Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp

        * inspector/InspectorValues.h:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::memoryCost):
        (Inspector::InspectorObjectBase::memoryCost):
        (Inspector::InspectorArrayBase::memoryCost):

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2017-07-18  Michael Saboff  <msaboff@apple.com>

        [JSC] There should be a debug option to dump a compiled RegExp Pattern
        https://bugs.webkit.org/show_bug.cgi?id=174601

        Reviewed by Alex Christensen.

        Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
        objects after a regular expression has been compiled.

        * runtime/Options.h:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::PatternAlternative::dump):
        (JSC::Yarr::PatternTerm::dumpQuantifier):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::PatternDisjunction::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::global):

2017-07-17  Darin Adler  <darin@apple.com>

        Improve use of NeverDestroyed
        https://bugs.webkit.org/show_bug.cgi?id=174348

        Reviewed by Sam Weinig.

        * heap/MachineStackMarker.cpp:
        * wasm/WasmMemory.cpp:
        Removed unneeded includes of NeverDestroyed.h in files that do not make use
        of NeverDestroyed.

2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>

        [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
        https://bugs.webkit.org/show_bug.cgi?id=174547

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2017-07-17  Saam Barati  <sbarati@apple.com>

        Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
        https://bugs.webkit.org/show_bug.cgi?id=174584

        Rubber stamped by Keith Miller.

        I used it to diagnose a bug. The bug is now fixed. This custom
        RELEASE_ASSERT is no longer needed.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>

        -Wformat-truncation warning in ConfigFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=174506

        Reviewed by Darin Adler.

        Check if the JSC config filename would be truncated due to exceeding max path length. If so,
        return ParseError.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>

        [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
        https://bugs.webkit.org/show_bug.cgi?id=174557

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt:

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use std::unique_ptr for StackTrace
        https://bugs.webkit.org/show_bug.cgi?id=174495

        Reviewed by Alex Christensen.

        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/VM.cpp:
        (JSC::VM::throwException):

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
        https://bugs.webkit.org/show_bug.cgi?id=174423

        Reviewed by Saam Barati.

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneHeap):
        (JSC::DFG::AvailabilityMap::pruneByLiveness):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Fix compiler warnings when building with GCC 7
        https://bugs.webkit.org/show_bug.cgi?id=174463

        Reviewed by Darin Adler.

        * disassembler/udis86/udis86_decode.c:
        (decode_operand):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Incorrect assertion in JSC::CallLinkInfo::callTypeFor
        https://bugs.webkit.org/show_bug.cgi?id=174467

        Reviewed by Saam Barati.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callTypeFor):

2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused and untested Page domain commands
        https://bugs.webkit.org/show_bug.cgi?id=174429

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Page.json:

2017-07-13  Saam Barati  <sbarati@apple.com>

        Missing exception check in JSObject::hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=174455
        <rdar://problem/31384608>

        Reviewed by Mark Lam.

        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):

2017-07-13  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Spread
        https://bugs.webkit.org/show_bug.cgi?id=167963

        Reviewed by Saam Barati.

        This patch implements ECMA262 stage 3 Object Spread proposal [1].
        It's implemented using CopyDataPropertiesNoExclusions to copy
        all enumerable keys from object being spreaded. The implementation of
        CopyDataPropertiesNoExclusions follows the CopyDataProperties
        implementation, however we don't receive excludedNames as parameter.

        [1] - https://github.com/tc39/proposal-object-rest-spread

        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataPropertiesNoExclusions):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createObjectSpreadExpression):
        (JSC::ASTBuilder::createProperty):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ObjectSpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createObjectSpreadExpression):
        (JSC::SyntaxChecker::createProperty):

2017-07-12  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix after r219434.
        https://bugs.webkit.org/show_bug.cgi?id=174441

        Not reviewed.

        Make public some MacroAssembler functions that are needed by the probe implementationq.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::linkCall):

2017-07-12  Mark Lam  <mark.lam@apple.com>

        Move Probe code from AbstractMacroAssembler to MacroAssembler.
        https://bugs.webkit.org/show_bug.cgi?id=174441

        Reviewed by Saam Barati.

        This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
        to MacroAssembler.  There is no code behavior change.

        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
        (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
        (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
        (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName):
        (JSC::MacroAssembler::CPUState::fprName):
        (JSC::MacroAssembler::CPUState::gpr):
        (JSC::MacroAssembler::CPUState::fpr):
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARM::probe): Deleted.
        * assembler/MacroAssemblerARM.h:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARM64::probe): Deleted.
        * assembler/MacroAssemblerARM64.h:
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerARMv7::probe): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        * assembler/MacroAssemblerMIPS.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::MacroAssemblerX86Common::probe): Deleted.
        * assembler/MacroAssemblerX86Common.h:

2017-07-12  Saam Barati  <sbarati@apple.com>

        GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
        https://bugs.webkit.org/show_bug.cgi?id=174411
        <rdar://problem/31696186>

        Reviewed by Mark Lam.

        The code for deleting an argument was incorrectly referencing state
        when it decided if it should unmap or mark a property as having its
        descriptor modified. This patch fixes the bug where if we delete a
        property, we would sometimes not unmap an argument when deleting it.

        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::getOwnPropertySlot):
        (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
        (JSC::GenericArguments<Type>::deleteProperty):
        (JSC::GenericArguments<Type>::deletePropertyByIndex):

2017-07-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r219176.
        https://bugs.webkit.org/show_bug.cgi?id=174436

        "Can cause infinite recursion on iOS" (Requested by mlam on
        #webkit).

        Reverted changeset:

        "WTF::Thread should have the threads stack bounds."
        https://bugs.webkit.org/show_bug.cgi?id=173975
        http://trac.webkit.org/changeset/219176

2017-07-12  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r219401.

        This revision rolled out the previous patch, but after talking
        with reviewer, a rebaseline is what was needed.Rolling back in
        before rebaseline.

        Reverted changeset:

        "Unreviewed, rolling out r219379."
        https://bugs.webkit.org/show_bug.cgi?id=174400
        http://trac.webkit.org/changeset/219401

2017-07-12  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r219379.

        This revision caused a consistent failure in the test
        fast/dom/Window/property-access-on-cached-window-after-frame-
        removed.html.

        Reverted changeset:

        "Remove NAVIGATOR_HWCONCURRENCY"
        https://bugs.webkit.org/show_bug.cgi?id=174400
        http://trac.webkit.org/changeset/219379

2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>

        Wrong radix used in Unicode Escape in invalid character error message
        https://bugs.webkit.org/show_bug.cgi?id=174419

        Reviewed by Alex Christensen.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::invalidCharacterMessage):

2017-07-11  Dean Jackson  <dino@apple.com>

        Remove NAVIGATOR_HWCONCURRENCY
        https://bugs.webkit.org/show_bug.cgi?id=174400

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Dean Jackson  <dino@apple.com>

        Rolling out r219372.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Dean Jackson  <dino@apple.com>

        Remove NAVIGATOR_HWCONCURRENCY
        https://bugs.webkit.org/show_bug.cgi?id=174400

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-07-11  Saam Barati  <sbarati@apple.com>

        remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
        https://bugs.webkit.org/show_bug.cgi?id=174397

        Rubber stamped by David Kilzer.

        * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
        * wasm/js/WebAssemblyFunctionCell.h: Removed.

2017-07-10  Saam Barati  <sbarati@apple.com>

        Allocation sinking phase should consider a CheckStructure that would fail as an escape
        https://bugs.webkit.org/show_bug.cgi?id=174321
        <rdar://problem/32604963>

        Reviewed by Filip Pizlo.

        When the allocation sinking phase was generating stores to materialize
        objects in a cycle with each other, it would assume that each materialized
        object had a valid, non empty, set of structures. This is an OK assumption for
        the phase to make because how do you materialize an object with no structure?
        
        The abstract interpretation part of the phase will model what's in the heap.
        However, it would sometimes model that a CheckStructure would fail. The phase
        did nothing special for this; it just stored the empty set of structures for
        its representation of a particular allocation. However, what the phase proved
        in such a scenario is that, had the CheckStructure executed, it would have exited.
        
        This patch treats such CheckStructures and MultiGetByOffsets as escape points.
        This will cause the allocation in question to be materialized just before
        the CheckStructure, and then at execution time, the CheckStructure will exit.
        
        I wasn't able to write a test case for this. However, I was able to reproduce
        this crash by manually editing the IR. I've opened a separate bug to help us
        create a testing framework for writing tests for hard to reproduce bugs like this:
        https://bugs.webkit.org/show_bug.cgi?id=174322

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-10  Devin Rousso  <drousso@apple.com>

        Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
        https://bugs.webkit.org/show_bug.cgi?id=174279

        Reviewed by Matt Baker.

        * inspector/protocol/DOM.json:
        Add `highlightNodeList` command that will highlight each node in the given list.

2017-07-03  Brian Burg  <bburg@apple.com>

        Web Replay: remove some unused code
        https://bugs.webkit.org/show_bug.cgi?id=173903

        Rubber-stamped by Joseph Pecoraro.

        * CMakeLists.txt:
        * Configurations/FeatureDefines.xcconfig:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/protocol/Replay.json: Removed.
        * replay/EmptyInputCursor.h: Removed.
        * replay/EncodedValue.cpp: Removed.
        * replay/EncodedValue.h: Removed.
        * replay/InputCursor.h: Removed.
        * replay/JSInputs.json: Removed.
        * replay/NondeterministicInput.h: Removed.
        * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
        * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
        * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
        * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
        * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
        * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
        * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
        * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
        * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
        * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
        * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
        * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
        * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
        * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
        * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
        * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
        * replay/scripts/tests/generate-enum-with-guard.json: Removed.
        * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
        * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
        * replay/scripts/tests/generate-input-with-guard.json: Removed.
        * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
        * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
        * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
        * runtime/DateConstructor.cpp:
        (JSC::constructDate):
        (JSC::dateNow):
        (JSC::deterministicCurrentTime): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::setInputCursor): Deleted.
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::inputCursor): Deleted.

2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move make-js-file-arrays.py from WebCore to JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=174024

        Reviewed by Michael Catanzaro.

        It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
        specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
        Added command line option to pass the namespace to use instead of using WebCore.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
        (main):

2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
        https://bugs.webkit.org/show_bug.cgi?id=174296

        Reviewed by Mark Lam.

        Previously, we treat <LF><CR> as one line terminator. So we increase line number by one.
        It caused a problem in scanning template literals. While template literals normalize
        <LF><CR> to <LF><LF>, we still needed to increase line number by only one.
        To handle it correctly, LineNumberAdder is introduced.

        As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
        LineNumberAdder. Let's just use shiftLineTerminator() instead.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseTemplateLiteral):
        (JSC::LineNumberAdder::LineNumberAdder): Deleted.
        (JSC::LineNumberAdder::clear): Deleted.
        (JSC::LineNumberAdder::add): Deleted.

2017-07-09  Dan Bernstein  <mitz@apple.com>

        [Xcode] ICU headers aren’t treated as system headers after r219155
        https://bugs.webkit.org/show_bug.cgi?id=174299

        Reviewed by Sam Weinig.

        * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
          C++ compilers.

* runtime/IntlCollator.cpp: Removed documentation warning suppression.
        * runtime/IntlDateTimeFormat.cpp: Ditto.
        * runtime/JSGlobalObject.cpp: Ditto.
        * runtime/StringPrototype.cpp: Ditto.

2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use fastMalloc / fastFree for STL containers
        https://bugs.webkit.org/show_bug.cgi?id=174297

        Reviewed by Sam Weinig.

        In some places, we intentionally use STL containers over WTF containers.
        For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
        because we do not have effective empty / deleted representations in the space of key's value.
        But just using STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).

        We introduce WTF::FastAllocator. This is C++ allocator implementation using fastMalloc and fastFree.
        We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc.

        This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
        without compromising memory allocation throughput.

        * dfg/DFGGraph.h:
        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
        * runtime/FunctionHasExecutedCache.h:
        * runtime/TypeLocationCache.h:

2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>

        Drop NOSNIFF compile flag
        https://bugs.webkit.org/show_bug.cgi?id=174289

        Reviewed by Michael Catanzaro.

        * Configurations/FeatureDefines.xcconfig:

2017-07-07  AJ Ringer  <aringer@apple.com>

        Lower the max_protection for the separated heap
        https://bugs.webkit.org/show_bug.cgi?id=174281

        Reviewed by Oliver Hunt.

        Switch to vm_protect so we can set maximum page protection.

        * jit/ExecutableAllocator.cpp:
        (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
        (JSC::ExecutableAllocator::allocate):

2017-07-07  Devin Rousso  <drousso@apple.com>

        Web Inspector: Show all elements currently using a given CSS Canvas
        https://bugs.webkit.org/show_bug.cgi?id=173965

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
         - Add `requestCSSCanvasClientNodes` command for getting the node IDs all nodes using this
           canvas via -webkit-canvas.
         - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
           added/removed from the list of -webkit-canvas clients.

2017-07-07  Mark Lam  <mark.lam@apple.com>

        \n\r is not the same as \r\n.
        https://bugs.webkit.org/show_bug.cgi?id=173053

        Reviewed by Keith Miller.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::shiftLineTerminator):
        (JSC::LineNumberAdder::add):

2017-07-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r219238, r219239, and r219241.
        https://bugs.webkit.org/show_bug.cgi?id=174265

        "fast/workers/dedicated-worker-lifecycle.html is flaky"
        (Requested by yusukesuzuki on #webkit).

        Reverted changesets:

        "[WTF] Implement WTF::ThreadGroup"
        https://bugs.webkit.org/show_bug.cgi?id=174081
        http://trac.webkit.org/changeset/219238

        "Unreviewed, build fix after r219238"
        https://bugs.webkit.org/show_bug.cgi?id=174081
        http://trac.webkit.org/changeset/219239

        "Unreviewed, CLoop build fix after r219238"
        https://bugs.webkit.org/show_bug.cgi?id=174081
        http://trac.webkit.org/changeset/219241

2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, CLoop build fix after r219238
        https://bugs.webkit.org/show_bug.cgi?id=174081

        * heap/MachineStackMarker.cpp:

2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Implement WTF::ThreadGroup
        https://bugs.webkit.org/show_bug.cgi?id=174081

        Reviewed by Mark Lam.

        Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup.
        And SamplingProfiler and others interact with WTF::Thread directly.

        * API/tests/ExecutionTimeLimitTest.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
        (JSC::ActiveMachineThreadsManager::add): Deleted.
        (JSC::ActiveMachineThreadsManager::remove): Deleted.
        (JSC::ActiveMachineThreadsManager::contains): Deleted.
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
        (JSC::activeMachineThreadsManager): Deleted.
        (JSC::MachineThreads::~MachineThreads): Deleted.
        (JSC::MachineThreads::addCurrentThread): Deleted.
        (): Deleted.
        (JSC::MachineThreads::removeThread): Deleted.
        (JSC::MachineThreads::removeThreadIfFound): Deleted.
        (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
        (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
        (JSC::MachineThreads::MachineThread::captureStack): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threads):
        (JSC::MachineThreads::MachineThread::suspend): Deleted.
        (JSC::MachineThreads::MachineThread::resume): Deleted.
        (JSC::MachineThreads::MachineThread::threadID): Deleted.
        (JSC::MachineThreads::MachineThread::stackBase): Deleted.
        (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
        (JSC::MachineThreads::threadsListHead): Deleted.
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        * runtime/SamplingProfiler.h:
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-07-06  Saam Barati  <sbarati@apple.com>

        We are missing places where we invalidate the for-in context
        https://bugs.webkit.org/show_bug.cgi?id=174184

        Reviewed by Geoffrey Garen.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::invalidateForInContextForLocal):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::EmptyLetExpression::emitBytecode):
        (JSC::ForInNode::emitLoopHeader):
        (JSC::ForOfNode::emitBytecode):
        (JSC::BindingNode::bindValue):

2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress warnings in GCC environment

        * dfg/DFGObjectAllocationSinkingPhase.cpp:
        * runtime/IntlCollator.cpp:
        * runtime/IntlDateTimeFormat.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/StringPrototype.cpp:

2017-07-05  Saam Barati  <sbarati@apple.com>

        NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
        https://bugs.webkit.org/show_bug.cgi?id=174188
        <rdar://problem/30581423>

        Reviewed by Mark Lam.

        We were calling lowJSValue(edge) when we were speculating the
        edge as double. This isn't allowed. We should have been using
        lowDouble.
        
        This patch also adds a new option, called useArrayAllocationProfiling,
        which defaults to true. When false, it will make the array allocation
        profile not actually sample seen arrays. It'll force the allocation
        profile's predicted indexing type to be ArrayWithUndecided. Adding
        this option made it trivial to write a test for this bug.

        * bytecode/ArrayAllocationProfile.cpp:
        (JSC::ArrayAllocationProfile::updateIndexingType):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        * runtime/Options.h:

2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF::Thread should have the threads stack bounds.
        https://bugs.webkit.org/show_bug.cgi?id=173975

        Reviewed by Keith Miller.

        There is a site in JSC that try to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We workaround this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
        information is tightly coupled with Thread. Thus putting it in WTF::Thread
        is natural choice.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::captureStack):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * runtime/VMTraps.cpp:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):

2017-07-05  Keith Miller  <keith_miller@apple.com>

        Crashing with information should have an abort reason
        https://bugs.webkit.org/show_bug.cgi?id=174185

        Reviewed by Saam Barati.

        Add crash information for the abstract interpreter and add an enum
        value for object allocation sinking.

        * assembler/AbortReason.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::logDFGAssertionFailure):
        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>

        Remove copy of ICU headers from WebKit
        https://bugs.webkit.org/show_bug.cgi?id=116407

        Reviewed by Alex Christensen.

        Use WTF's copy of ICU headers.

        * Configurations/Base.xcconfig:
        * icu/unicode/localpointer.h: Removed.
        * icu/unicode/parseerr.h: Removed.
        * icu/unicode/platform.h: Removed.
        * icu/unicode/ptypes.h: Removed.
        * icu/unicode/putil.h: Removed.
        * icu/unicode/uchar.h: Removed.
        * icu/unicode/ucnv.h: Removed.
        * icu/unicode/ucnv_err.h: Removed.
        * icu/unicode/ucol.h: Removed.
        * icu/unicode/uconfig.h: Removed.
        * icu/unicode/ucurr.h: Removed.
        * icu/unicode/uenum.h: Removed.
        * icu/unicode/uiter.h: Removed.
        * icu/unicode/uloc.h: Removed.
        * icu/unicode/umachine.h: Removed.
        * icu/unicode/unorm.h: Removed.
        * icu/unicode/unorm2.h: Removed.
        * icu/unicode/urename.h: Removed.
        * icu/unicode/uscript.h: Removed.
        * icu/unicode/uset.h: Removed.
        * icu/unicode/ustring.h: Removed.
        * icu/unicode/utf.h: Removed.
        * icu/unicode/utf16.h: Removed.
        * icu/unicode/utf8.h: Removed.
        * icu/unicode/utf_old.h: Removed.
        * icu/unicode/utypes.h: Removed.
        * icu/unicode/uvernum.h: Removed.
        * icu/unicode/uversion.h: Removed.
        * runtime/IntlCollator.cpp:
        * runtime/IntlDateTimeFormat.cpp:
        (JSC::IntlDateTimeFormat::partTypeString):
        * runtime/JSGlobalObject.cpp:
        * runtime/StringPrototype.cpp:
        (JSC::normalize):
        (JSC::stringProtoFuncNormalize):

2017-07-05  Devin Rousso  <drousso@apple.com>

        Web Inspector: Allow users to log any tracked canvas context
        https://bugs.webkit.org/show_bug.cgi?id=173397
        <rdar://problem/33111581>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.

2017-07-05  Jonathan Bedard  <jbedard@apple.com>

        Add WebKitPrivateFrameworkStubs for iOS 11
        https://bugs.webkit.org/show_bug.cgi?id=173988

        Reviewed by David Kilzer.

        * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
        same directory for private framework stubs.

2017-07-05  JF Bastien  <jfbastien@apple.com>

        WebAssembly: implement name section's module name, skip unknown sections
        https://bugs.webkit.org/show_bug.cgi?id=172008

        Reviewed by Keith Miller.

        Parse the WebAssembly module name properly, and skip unknown
        sections. This is useful because as toolchains support new types
        of names we want to keep displaying the information we know about
        and simply ignore new information. That capability was designed
        into WebAssembly's name section.

        Failure to commit this patch would mean that WebKit won't display
        stack trace information, which would make developers sad.

        Module names were added here: https://github.com/WebAssembly/design/pull/1055

        Note that this patch doesn't do anything with the parsed name! Two
        reasons for this: module names aren't supported in binaryen yet,
        so I can't write a simple binary test; and using the name is a
        slightly riskier change because it requires changing StackVisitor
        + StackFrame (where they print "[wasm code]") which requires
        figuring out the frame's Module. The latter bit isn't trivial
        because we only know wasm frames from their tag bits, and
        CodeBlocks are always nullptr.

        Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010

        I filed #174098 to use the module name.

        * wasm/WasmFormat.h:
        (JSC::Wasm::isValidNameType):
        * wasm/WasmNameSectionParser.cpp:

2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>

        Cleanup some StringBuilder use
        https://bugs.webkit.org/show_bug.cgi?id=174118

        Reviewed by Andreas Kling.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * tools/FunctionOverrides.cpp:
        (JSC::parseClause):
        * wasm/WasmOMGPlan.cpp:
        * wasm/WasmPlan.cpp:
        * wasm/WasmValidate.cpp:

2017-07-03  Saam Barati  <sbarati@apple.com>

        LayoutTest workers/bomb.html is a Crash
        https://bugs.webkit.org/show_bug.cgi?id=167757
        <rdar://problem/33086462>

        Reviewed by Keith Miller.

        VMTraps::SignalSender was accessing VM fields even after
        the VM was destroyed. This happened when the SignalSender
        thread was in the middle of its work() function while VMTraps
        was notified that the VM was shutting down. The VM would proceed
        to run its destructor even after the SignalSender thread finished
        doing its work. This means that the SignalSender thread was accessing
        VM field eve after VM was destructed (including itself, since it is
        transitively owned by the VM). The VM must wait for the SignalSender
        thread to shutdown before it can continue to destruct itself.

        * runtime/VMTraps.cpp:
        (JSC::VMTraps::willDestroyVM):

2017-07-03  Saam Barati  <sbarati@apple.com>

        DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
        https://bugs.webkit.org/show_bug.cgi?id=174110

        Reviewed by Michael Saboff.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):

2017-07-03  Saam Barati  <sbarati@apple.com>

        Add a new assertion to object allocation sinking phase
        https://bugs.webkit.org/show_bug.cgi?id=174107

        Rubber stamped by Filip Pizlo.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-03  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r219060.
        https://bugs.webkit.org/show_bug.cgi?id=174108

        crashing constantly when initializing UIWebView (Requested by
        thorton on #webkit).

        Reverted changeset:

        "WTF::Thread should have the threads stack bounds."
        https://bugs.webkit.org/show_bug.cgi?id=173975
        http://trac.webkit.org/changeset/219060

2017-07-03  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r219103.

        Caused multiple build failures.

        Reverted changeset:

        "Remove copy of ICU headers from WebKit"
        https://bugs.webkit.org/show_bug.cgi?id=116407
        http://trac.webkit.org/changeset/219103

2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>

        Remove copy of ICU headers from WebKit
        https://bugs.webkit.org/show_bug.cgi?id=116407

        Reviewed by Alex Christensen.

        Use WTF's copy of ICU headers.

        * Configurations/Base.xcconfig:
        * icu/unicode/localpointer.h: Removed.
        * icu/unicode/parseerr.h: Removed.
        * icu/unicode/platform.h: Removed.
        * icu/unicode/ptypes.h: Removed.
        * icu/unicode/putil.h: Removed.
        * icu/unicode/uchar.h: Removed.
        * icu/unicode/ucnv.h: Removed.
        * icu/unicode/ucnv_err.h: Removed.
        * icu/unicode/ucol.h: Removed.
        * icu/unicode/uconfig.h: Removed.
        * icu/unicode/ucurr.h: Removed.
        * icu/unicode/uenum.h: Removed.
        * icu/unicode/uiter.h: Removed.
        * icu/unicode/uloc.h: Removed.
        * icu/unicode/umachine.h: Removed.
        * icu/unicode/unorm.h: Removed.
        * icu/unicode/unorm2.h: Removed.
        * icu/unicode/urename.h: Removed.
        * icu/unicode/uscript.h: Removed.
        * icu/unicode/uset.h: Removed.
        * icu/unicode/ustring.h: Removed.
        * icu/unicode/utf.h: Removed.
        * icu/unicode/utf16.h: Removed.
        * icu/unicode/utf8.h: Removed.
        * icu/unicode/utf_old.h: Removed.
        * icu/unicode/utypes.h: Removed.
        * icu/unicode/uvernum.h: Removed.
        * icu/unicode/uversion.h: Removed.
        * runtime/IntlCollator.cpp:
        * runtime/IntlDateTimeFormat.cpp:
        * runtime/JSGlobalObject.cpp:
        * runtime/StringPrototype.cpp:

2017-07-03  Saam Barati  <sbarati@apple.com>

        Add better crash logging for allocation sinking phase
        https://bugs.webkit.org/show_bug.cgi?id=174102
        <rdar://problem/33112092>

        Rubber stamped by Filip Pizlo.

        I'm trying to gather better information from crashlogs about why
        we're crashing in the allocation sinking phase. I'm adding a allocation
        sinking specific RELEASE_ASSERT as well as marking a few functions as
        NEVER_INLINE to have the stack traces in the crash trace contain more
        actionable information.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-03  Sam Weinig  <sam@webkit.org>

        [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
        https://bugs.webkit.org/show_bug.cgi?id=174083

        Reviewed by Alex Christensen.

        * Configurations/FeatureDefines.xcconfig:
        Add ENABLE_NAVIGATOR_STANDALONE.

2017-07-03  Andy Estes  <aestes@apple.com>

        [Xcode] Add an experimental setting to build with ccache
        https://bugs.webkit.org/show_bug.cgi?id=173875

        Reviewed by Tim Horton.

        * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.

2017-07-03  Devin Rousso  <drousso@apple.com>

        Web Inspector: Support listing WebGL2 and WebGPU contexts
        https://bugs.webkit.org/show_bug.cgi?id=173396

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Add cases for handling new Canvas.ContextType protocol enumerations:
         - "webgl2" maps to `WebGL2`
         - "webgpu" maps to `WebGPU`

2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF::Thread should have the threads stack bounds.
        https://bugs.webkit.org/show_bug.cgi?id=173975

        Reviewed by Mark Lam.

        There is a site in JSC that try to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We workaround this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
        information is tightly coupled with Thread. Thus putting it in WTF::Thread
        is natural choice.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::captureStack):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * runtime/VMTraps.cpp:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):

2017-07-01  Dan Bernstein  <mitz@apple.com>

        [iOS] Remove code only needed when building for iOS 9.x
        https://bugs.webkit.org/show_bug.cgi?id=174068

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:
        * jit/ExecutableAllocator.cpp:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2017-07-01  Dan Bernstein  <mitz@apple.com>

        [macOS] Remove code only needed when building for OS X Yosemite
        https://bugs.webkit.org/show_bug.cgi?id=174067

        Reviewed by Tim Horton.

        * API/WebKitAvailability.h:
        * Configurations/Base.xcconfig:
        * Configurations/DebugRelease.xcconfig:
        * Configurations/FeatureDefines.xcconfig:
        * Configurations/Version.xcconfig:

2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for GCC
        https://bugs.webkit.org/show_bug.cgi?id=174034

        * b3/testb3.cpp:
        (JSC::B3::testDoubleLiteralComparison):

2017-06-30  Keith Miller  <keith_miller@apple.com>

        Force crashWithInfo to be out of line.
        https://bugs.webkit.org/show_bug.cgi?id=174028

        Reviewed by Filip Pizlo.

        Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.

        * dfg/DFGGraph.cpp:
        (JSC::DFG::logDFGAssertionFailure):
        (JSC::DFG::Graph::logAssertionFailure):
        (JSC::DFG::crash): Deleted.
        (JSC::DFG::Graph::handleAssertionFailure): Deleted.
        * dfg/DFGGraph.h:

2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
        https://bugs.webkit.org/show_bug.cgi?id=174053

        Reviewed by Geoffrey Garen.

        We already have AbstractMacroAssembler::random() function. Use it instead.

        * jit/JIT.cpp:
        (JSC::JIT::JIT):
        (JSC::JIT::compileWithoutLinking):
        * jit/JIT.h:

2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Drop SymbolRegistry::keyForSymbol
        https://bugs.webkit.org/show_bug.cgi?id=174052

        Reviewed by Sam Weinig.

        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):

2017-06-30  Saam Barati  <sbarati@apple.com>

        B3ReduceStrength should reduce EqualOrUnordered over const float input
        https://bugs.webkit.org/show_bug.cgi?id=174039

        Reviewed by Michael Saboff.

        We perform this folding for ConstDoubleValue. It is simply
        an oversight that we didn't do it for ConstFloatValue.

        * b3/B3ConstFloatValue.cpp:
        (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
        * b3/B3ConstFloatValue.h:
        * b3/testb3.cpp:
        (JSC::B3::testFloatEqualOrUnorderedFolding):
        (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
        (JSC::B3::testFloatEqualOrUnorderedDontFold):
        (JSC::B3::run):

2017-06-30  Matt Baker  <mattbaker@apple.com>

        Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
        https://bugs.webkit.org/show_bug.cgi?id=173840
        <rdar://problem/30840820>

        Reviewed by Joseph Pecoraro.

        When truncating an asynchronous stack trace, the parent chain is traversed
        until a locked node is found. The path from this node to the root is shared
        by more than one stack trace, and cannot be safely modified. Starting at
        the first locked node, the path is cloned and becomes a new stack trace tree.

        However, the clone operation initialized each new AsyncStackTrace node with
        the original node's parent. This would increment the child count of the original
        node. When cloning nodes, new nodes should not have their parent set until the
        next node up the parent chain is cloned.

        * inspector/AsyncStackTrace.cpp:
        (Inspector::AsyncStackTrace::truncate):

2017-06-30  Michael Saboff  <msaboff@apple.com>

        RegExp's  anchored with .* with \g flag can return wrong match start for strings with multiple matches
        https://bugs.webkit.org/show_bug.cgi?id=174044

        Reviewed by Oliver Hunt.

        The .* enclosure optimization didn't respect that we can start matching from a non-zero
        index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
        then finding the extent of the match by going back to the beginning of the line and going
        forward to the end of the line.  The code that went back to the beginning of the line
        checked for an index of 0 instead of comparing the index to the start position.  This start
        position is passed as the initial index.

        Added another temporary register to the YARR JIT to contain the start position for
        platforms that have spare registers.

        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::Interpreter::matchDotStarEnclosure):
        (JSC::Yarr::Interpreter::Interpreter):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::YarrPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::reset):

2017-06-30  Saam Barati  <sbarati@apple.com>

        B3MoveConstants floatZero() returns the wrong ValueKey
        https://bugs.webkit.org/show_bug.cgi?id=174040

        Reviewed by Filip Pizlo.

        It had a typo where the ValueKey for floatZero() produces a Double
        instead of a Float.

        * b3/B3MoveConstants.cpp:

2017-06-30  Saam Barati  <sbarati@apple.com>

        B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
        https://bugs.webkit.org/show_bug.cgi?id=174034
        <rdar://problem/30793007>

        Reviewed by Filip Pizlo.

        B3ReduceDoubleToFloat had a bug in it where it would incorrectly
        reduce binary operations over double constants into the same binary
        operation over the double constants casted to floats. This is clearly
        incorrect as these two things will produce different values. For example:
        
        a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
        b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
        c = EqualOrUnordered(@a, @b) // produces 0
        
        into:
        
        a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
        b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
        c = EqualOrUnordered(@a, @b) // produces 1
        
        Which produces a different value for @c.

        * b3/B3ReduceDoubleToFloat.cpp:
        * b3/testb3.cpp:
        (JSC::B3::doubleEq):
        (JSC::B3::doubleNeq):
        (JSC::B3::doubleGt):
        (JSC::B3::doubleGte):
        (JSC::B3::doubleLt):
        (JSC::B3::doubleLte):
        (JSC::B3::testDoubleLiteralComparison):
        (JSC::B3::run):

2017-06-29  Jer Noble  <jer.noble@apple.com>

        Make Legacy EME API controlled by RuntimeEnabled setting.
        https://bugs.webkit.org/show_bug.cgi?id=173994

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/CommonIdentifiers.h:

2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>

        Ran sort-Xcode-project-file.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-06-30  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r218992.

        The patch broke the iOS device builds.

        Reverted changeset:

        "DFG_ASSERT should allow stuffing registers before trapping."
        https://bugs.webkit.org/show_bug.cgi?id=174005
        http://trac.webkit.org/changeset/218992

2017-06-30  Filip Pizlo  <fpizlo@apple.com>

        RegExpCachedResult::setInput should reify left and right contexts
        https://bugs.webkit.org/show_bug.cgi?id=173818

        Reviewed by Keith Miller.
        
        If you don't reify them in setInput, then when you later try to reify them, you'll end up
        using indices into an old input string to create a substring of a new input string. That
        never goes well.

        * runtime/RegExpCachedResult.cpp:
        (JSC::RegExpCachedResult::setInput):

2017-06-30  Keith Miller  <keith_miller@apple.com>

        DFG_ASSERT should allow stuffing registers before trapping.
        https://bugs.webkit.org/show_bug.cgi?id=174005

        Reviewed by Mark Lam.

        DFG_ASSERT currently prints error data to stderr before crashing,
        which is nice for local development. In the wild, however, we
        can't see this information in crash logs. This patch enables
        stuffing some of the most useful information from DFG_ASSERTS into
        up to five registers right before crashing. The values stuffed
        should not impact any logging during local development.

        * assembler/AbortReason.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::logForCrash):
        (JSC::DFG::Graph::logAssertionFailure):
        (JSC::DFG::crash): Deleted.
        (JSC::DFG::Graph::handleAssertionFailure): Deleted.
        * dfg/DFGGraph.h:

2017-06-29  Saam Barati  <sbarati@apple.com>

        Calculating postCapacity in unshiftCountSlowCase is wrong
        https://bugs.webkit.org/show_bug.cgi?id=173992
        <rdar://problem/32283199>

        Reviewed by Keith Miller.

        This patch fixes a bug inside unshiftCountSlowCase where we would use
        more memory than we allocated. The bug was when deciding how much extra
        space we have after the vector we've allocated. This area is called the
        postCapacity. The largest legal postCapacity value we could use is the
        space we allocated minus the space we need:
        largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
        However, the code was calculating the postCapacity as:
        postCapacity = max(newStorageCapacity - requiredVectorLength, count);
        
        where count is how many elements we're appending. Depending on the inputs,
        count could be larger than (newStorageCapacity - requiredVectorLength). This
        would cause us to use more memory than we actually allocated.

        * runtime/JSArray.cpp:
        (JSC::JSArray::unshiftCountSlowCase):

2017-06-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r218512.
        https://bugs.webkit.org/show_bug.cgi?id=173981

        "It changes the behavior of the JS API's JSEvaluateScript
        which breaks TurboTax" (Requested by saamyjoon on #webkit).

        Reverted changeset:

        "test262: Completion values for control flow do not match the
        spec"
        https://bugs.webkit.org/show_bug.cgi?id=171265
        http://trac.webkit.org/changeset/218512

2017-06-29  JF Bastien  <jfbastien@apple.com>

        WebAssembly: disable some APIs under CSP
        https://bugs.webkit.org/show_bug.cgi?id=173892
        <rdar://problem/32914613>

        Reviewed by Daniel Bates.

        We should disable parts of WebAssembly under Content Security
        Policy as discussed here:

        https://github.com/WebAssembly/design/issues/1092

        Exactly what should be disabled isn't super clear, so we may as
        well be conservative and disable many things if developers already
        opted into CSP. It's easy to loosen what we disable later.

        This patch disables:
        - WebAssembly.Instance
        - WebAssembly.instantiate
        - WebAssembly.Memory
        - WebAssembly.Table

        And leaves:
        - WebAssembly on the global object
        - WebAssembly.Module
        - WebAssembly.compile
        - WebAssembly.CompileError
        - WebAssembly.LinkError

        Nothing because currently unimplmented:
        - WebAssembly.compileStreaming
        - WebAssembly.instantiateStreaming

        That way it won't be possible to call WebAssembly-compiled code,
        or create memories (which use fancy 4GiB allocations
        sometimes). Table isn't really useful on its own, and eventually
        we may make them shareable so without more details it seems benign
        to disable them (and useless if we don't).

        I haven't done anything with postMessage, so you can still
        postMessage a WebAssembly.Module cross-CSP, but you can't
        instantiate it so it's useless. Because of this I elected to leave
        WebAssembly.Module and friends available.

        I haven't added any new directives. It's still unsafe-eval. We can
        add something else later, but it seems odd to add a WebAssembly as
        a new capability and tell developers "you should have been using
        this directive which we just implemented if you wanted to disable
        WebAssembly which didn't exist when you adopted CSP". So IMO we
        should keep unsafe-eval as it currently is, add WebAssembly to
        what it disables, and later consider having two new directives
        which do each individually or something.

        In all cases I throw an EvalError *before* other WebAssembly
        errors would be produced.

        Note that, as for eval, reporting doesn't work and is tracked by
        https://webkit.org/b/111869

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::webAssemblyEnabled):
        (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
        (JSC::JSGlobalObject::setWebAssemblyEnabled):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::create):
        * wasm/js/JSWebAssemblyMemory.h:
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::create):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::constructJSWebAssemblyMemory):

2017-06-28  Keith Miller  <keith_miller@apple.com>

        VMTraps has some races
        https://bugs.webkit.org/show_bug.cgi?id=173941

        Reviewed by Michael Saboff.

        This patch refactors much of the VMTraps API.

        On the message sending side:

        1) No longer uses the Yarr JIT check to determine if we are in
        RegExp code. That was unsound because RegExp JIT code can be run
        on compilation threads.  Instead it looks at the current frame's
        code block slot and checks if it is valid, which is the same as
        what it did for JIT code previously.

        2) Only have one signal sender thread, previously, there could be
        many at once, which caused some data races. Additionally, the
        signal sender thread is an automatic thread so it will deallocate
        itself when not in use.

        On the VMTraps breakpoint side:

        1) We now have a true mapping of if we hit a breakpoint instead of
        a JIT assertion. So the exception handler won't eat JIT assertions
        anymore.

        2) It jettisons all CodeBlocks that have VMTraps breakpoints on
        them instead of every CodeBlock on the stack. This both prevents
        us from hitting stale VMTraps breakpoints and also doesn't OSR
        codeblocks that otherwise don't need to be jettisoned.

        3) The old exception handler could theoretically fail for a couple
        of reasons then resume execution with a clobbered instruction
        set. This patch will kill the program if the exception handler
        would fail.

        This patch also refactors some of the jsc.cpp functions to take the
        CommandLine options object instead of individual options. Also, there
        is a new command line option that makes exceptions due to watchdog
        timeouts an acceptable result.

        * API/tests/testapi.c:
        (main):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::installVMTrapBreakpoints):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::pcCodeBlockMap):
        (JSC::DFG::CommonData::invalidate):
        (JSC::DFG::CommonData::~CommonData):
        (JSC::DFG::CommonData::installVMTrapBreakpoints):
        (JSC::DFG::codeBlockForVMTrapPC):
        * dfg/DFGCommonData.h:
        * jsc.cpp:
        (functionDollarAgentStart):
        (checkUncaughtException):
        (checkException):
        (runWithOptions):
        (printUsageStatement):
        (CommandLine::parseArguments):
        (jscmain):
        (runWithScripts): Deleted.
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/VMTraps.cpp:
        (JSC::sanitizedTopCallFrame):
        (JSC::VMTraps::tryInstallTrapBreakpoints):
        (JSC::VMTraps::willDestroyVM):
        (JSC::VMTraps::fireTrap):
        (JSC::VMTraps::handleTraps):
        (JSC::VMTraps::VMTraps):
        (JSC::VMTraps::~VMTraps):
        (JSC::findActiveVMAndStackBounds): Deleted.
        (JSC::installSignalHandler): Deleted.
        (JSC::VMTraps::addSignalSender): Deleted.
        (JSC::VMTraps::removeSignalSender): Deleted.
        (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
        (JSC::VMTraps::SignalSender::send): Deleted.
        * runtime/VMTraps.h:
        (JSC::VMTraps::~VMTraps): Deleted.
        (JSC::VMTraps::SignalSender::SignalSender): Deleted.

2017-06-28  Devin Rousso  <drousso@apple.com>

        Web Inspector: Instrument active pixel memory used by canvases
        https://bugs.webkit.org/show_bug.cgi?id=173087
        <rdar://problem/32719261>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
         - Add optional `memoryCost` attribute to the `Canvas` type.
         - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.

2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Cleanup Protocol JSON files
        https://bugs.webkit.org/show_bug.cgi?id=173934

        Reviewed by Matt Baker.

        * inspector/protocol/ApplicationCache.json:
        * inspector/protocol/CSS.json:
        * inspector/protocol/Console.json:
        * inspector/protocol/DOM.json:
        * inspector/protocol/DOMDebugger.json:
        * inspector/protocol/Debugger.json:
        * inspector/protocol/LayerTree.json:
        * inspector/protocol/Network.json:
        * inspector/protocol/Page.json:
        * inspector/protocol/Runtime.json:
        Be more consistent about placement of `description` property.

2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused Inspector domain events
        https://bugs.webkit.org/show_bug.cgi?id=173905

        Reviewed by Matt Baker.

        * inspector/protocol/Inspector.json:

2017-06-28  JF Bastien  <jfbastien@apple.com>

        Ensure that computed new stack pointer values do not underflow.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.

        Patch by Mark Lam, with the following fix:

        Re-apply this patch, it originally broke the ARM build because the llint code
        generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
        be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
        and operands to emit valid code (because the second operand can be SP).

        1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
           m_numCalleeLocals is sane.

        2. Added underflow checks in LLInt code and VarargsFrame code.

        3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
           Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
           Ensure that Options::softReservedZoneSize() is at least greater than
           Options::reservedZoneSize() by minimumReservedZoneSize.

        4. Ensure that stack checks emitted by JIT tiers include an underflow check if
           and only if the max size of the frame is greater than Options::reservedZoneSize().

           By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
           of memory at the bottom (end) of the stack.  This means that, at any time, the
           frame pointer must be at least Options::reservedZoneSize() bytes away from the
           end of the stack.  Hence, if the max frame size is less than
           Options::reservedZoneSize(), there's no way that frame pointer - max
           frame size can underflow, and we can elide the underflow check.

           Note that we use Options::reservedZoneSize() instead of
           Options::softReservedZoneSize() for determine if we need an underflow check.
           This is because the softStackLimit that is used for stack checks can be set
           based on Options::reservedZoneSize() during error handling (e.g. when creating
           strings for instantiating the Error object).  Hence, the guaranteed minimum of
           distance between the frame pointer and the end of the stack is
           Options::reservedZoneSize() and nor Options::softReservedZoneSize().

           Note also that we ensure that Options::reservedZoneSize() is at least
           minimumReservedZoneSize (i.e. 16K).  In typical deployments,
           Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
           instead of minimumReservedZoneSize gives us more chances to elide underflow
           checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::emitStackOverflowCheck):
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/MinimumReservedZoneSize.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimits):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-06-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r218869.

        Broke the iOS build

        Reverted changeset:

        "Ensure that computed new stack pointer values do not
        underflow."
        https://bugs.webkit.org/show_bug.cgi?id=173700
        http://trac.webkit.org/changeset/218869

2017-06-28  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r218873.

        Broke the iOS build

        Reverted changeset:

        "Gardening: CLoop build fix."
        https://bugs.webkit.org/show_bug.cgi?id=173700
        http://trac.webkit.org/changeset/218873

2017-06-28  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Not reviewed.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2017-06-28  Mark Lam  <mark.lam@apple.com>

        Ensure that computed new stack pointer values do not underflow.
        https://bugs.webkit.org/show_bug.cgi?id=173700
        <rdar://problem/32926032>

        Reviewed by Filip Pizlo and Saam Barati.

        1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
           m_numCalleeLocals is sane.

        2. Added underflow checks in LLInt code and VarargsFrame code.

        3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
           Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
           Ensure that Options::softReservedZoneSize() is at least greater than
           Options::reservedZoneSize() by minimumReservedZoneSize.

        4. Ensure that stack checks emitted by JIT tiers include an underflow check if
           and only if the max size of the frame is greater than Options::reservedZoneSize().

           By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
           of memory at the bottom (end) of the stack.  This means that, at any time, the
           frame pointer must be at least Options::reservedZoneSize() bytes away from the
           end of the stack.  Hence, if the max frame size is less than
           Options::reservedZoneSize(), there's no way that frame pointer - max
           frame size can underflow, and we can elide the underflow check.

           Note that we use Options::reservedZoneSize() instead of
           Options::softReservedZoneSize() for determine if we need an underflow check.
           This is because the softStackLimit that is used for stack checks can be set
           based on Options::reservedZoneSize() during error handling (e.g. when creating
           strings for instantiating the Error object).  Hence, the guaranteed minimum of
           distance between the frame pointer and the end of the stack is
           Options::reservedZoneSize() and nor Options::softReservedZoneSize().

           Note also that we ensure that Options::reservedZoneSize() is at least
           minimumReservedZoneSize (i.e. 16K).  In typical deployments,
           Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
           instead of minimumReservedZoneSize gives us more chances to elide underflow
           checks.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::generate):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::compile):
        (JSC::DFG::JITCompiler::compileFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower):
        * jit/JIT.cpp:
        (JSC::JIT::compileWithoutLinking):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/MinimumReservedZoneSize.h: Added.
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/VM.cpp:
        (JSC::VM::updateStackLimits):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-06-27  JF Bastien  <jfbastien@apple.com>

        WebAssembly: running out of executable memory should throw OoM
        https://bugs.webkit.org/show_bug.cgi?id=171537
        <rdar://problem/32963338>

        Reviewed by Saam Barati.

        Both on first compile with BBQ as well as on tier-up with OMG,
        running out of X memory shouldn't cause the entire program to
        terminate. An exception will do when compiling initial code (since
        we don't have any other fallback at the moment), and refusal to
        tier up will do as well (it'll just be slower).

        This is useful because programs which generate huge amounts of
        code simply look like crashes, which developers report to
        us. Getting a JavaScript exception instead is much clearer.

        * jit/ExecutableAllocator.cpp:
        (JSC::ExecutableAllocator::allocate):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::shouldJIT):
        * runtime/Options.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        (JSC::Wasm::wasmToWasm):
        * wasm/WasmBinding.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):
        * wasm/js/JSWebAssemblyCodeBlock.cpp:
        (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::finalizeCreation):

2017-06-27  Saam Barati  <sbarati@apple.com>

        JITStubRoutine::passesFilter should use isJITPC
        https://bugs.webkit.org/show_bug.cgi?id=173906

        Reviewed by JF Bastien.

        This patch makes JITStubRoutine use the isJITPC abstraction defined
        inside ExecutableAllocator.h. Before, JITStubRoutine was using a
        hardcoded platform size constant. This means it'd do the wrong thing
        if Options::jitMemoryReservationSize() was larger than the defined
        constant for that platform. This patch also removes a bunch of
        dead code in that file.

        * jit/ExecutableAllocator.cpp:
        * jit/ExecutableAllocator.h:
        * jit/JITStubRoutine.h:
        (JSC::JITStubRoutine::passesFilter):
        (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
        (JSC::JITStubRoutine::filteringStartAddress): Deleted.
        (JSC::JITStubRoutine::filteringExtentSize): Deleted.

2017-06-27  Saam Barati  <sbarati@apple.com>

        Fix some stale comments in Wasm code base
        https://bugs.webkit.org/show_bug.cgi?id=173814

        Reviewed by Mark Lam.

        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::runOMGPlanForIndex):

2017-06-27  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
        https://bugs.webkit.org/show_bug.cgi?id=167962

        Reviewed by Saam Barati.

        Object Rest/Spread Destructing proposal is in stage 3[1] and this
        Patch is a prototype implementation of it. A simple change over the
        parser was necessary to support the new '...' token on Object Pattern
        destruction rule. In the bytecode generator side, We changed the
        bytecode generated on ObjectPatternNode::bindValue to store in an
        set the identifiers of already destructured properties, following spec draft
        section[2], and then pass it as excludedNames to CopyDataProperties.
        The rest destructuring calls copyDataProperties to perform the
        copy of rest properties in rhs.

        We also implemented CopyDataProperties as private JS global operation
        on builtins/GlobalOperations.js following it's specification on [3].
        It is implemented using Set object to verify if a property is on
        excludedNames to keep this algorithm with O(n + m) complexity, where n
        = number of source's own properties and m = excludedNames.length.

        In this implementation we aren't using excludeList as constant if
        destructuring pattern contains computed property, i.e. we can
        just determine the key to be excluded at runtime. If we can define all
        identifiers in the pattern in compile time, we then create a
        constant JSSet. This approach gives a good performance improvement,
        since we allocate the excludeSet just once, reducing GC pressure.

        [1] - https://github.com/tc39/proposal-object-rest-spread
        [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
        [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties

        * builtins/BuiltinNames.h:
        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataProperties):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ObjectPatternNode::bindValue):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::appendObjectPatternEntry):
        (JSC::ASTBuilder::appendObjectPatternRestEntry):
        (JSC::ASTBuilder::setContainsObjectRestElement):
        * parser/Nodes.h:
        (JSC::ObjectPatternNode::appendEntry):
        (JSC::ObjectPatternNode::setContainsRestElement):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseDestructuringPattern):
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::operatorStackPop):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::asyncFunctionStructure):
        (JSC::JSGlobalObject::setStructure): Deleted.
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::privateToObject):
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/ObjectConstructor.cpp:
        (JSC::ObjectConstructor::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Do not touch VM after notifying Ready in DFG::Worklist
        https://bugs.webkit.org/show_bug.cgi?id=173888

        Reviewed by Saam Barati.

        After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
        Thus, Plan::vm() can return a destroyed VM. Do not touch it.
        This causes occasional SEGV / assertion failures in workers/bomb test.

        * dfg/DFGWorklist.cpp:

2017-06-27  Saam Barati  <sbarati@apple.com>

        Remove an inaccurate comment inside DFGClobberize.h
        https://bugs.webkit.org/show_bug.cgi?id=163874

        Reviewed by Filip Pizlo.

        The comment said that Clobberize may or may not be sound if run prior to
        doing type inference. This is not correct, though. Clobberize *must* be sound
        prior do doing type inference since we use it inside the BytecodeParser, which
        is the very first thing the DFG does.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):

2017-06-27  Saam Barati  <sbarati@apple.com>

        Function constructor needs to follow the spec and validate parameters and body independently
        https://bugs.webkit.org/show_bug.cgi?id=173303
        <rdar://problem/32732526>

        Reviewed by Keith Miller.

        The Function constructor must check the arguments and body strings
        independently for syntax errors. People rely on this specified behavior
        to verify that a particular string is a valid function body. We used
        to check these things strings concatenated together, instead of
        independently. For example, this used to be valid: `Function("/*", "*/){")`.
        However, we should throw a syntax error here since "(/*)" is not a valid
        parameter list, and "*/){" is not a valid body.
        
        To implement the specified behavior, we check the syntax independently of
        both the body and the parameter list. To check that the parameter list has
        valid syntax, we check that it is valid if in a function with an empty body.
        To check that the body has valid syntax, we check it is valid in a function
        with an empty parameter list.

        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):

2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>

        Add missing includes to fix compilation error on FreeBSD
        https://bugs.webkit.org/show_bug.cgi?id=172919

        Reviewed by Mark Lam.

        * API/JSRemoteInspector.h:
        * API/tests/GlobalContextWithFinalizerTest.cpp:
        * API/tests/TypedArrayCTest.cpp:

2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Crash generating object preview for ArrayIterator
        https://bugs.webkit.org/show_bug.cgi?id=173754
        <rdar://problem/32859012>

        Reviewed by Saam Barati.

        When Inspector generates an object preview for an ArrayIterator instance it made
        a "clone" of the original ArrayIterator instance by constructing a new object with
        the instance's structure. However, user code could have modified that instance's
        structure, such as adding / removing properties. The `return` property had special
        meaning, and our clone did not fill that slot. This approach is brittle in that
        we weren't satisfying the expectations of an object with a particular Structure,
        and the original goal of having Web Inspector peek values of built-in Iterators
        was to avoid observable behavior.

        This tightens Web Inspector's Iterator preview to only peek values if the
        Iterators would actually be non-observable. It also builds an ArrayIterator
        clone like a regular object construction.

        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::cloneArrayIteratorObject):
        Build up the Object from scratch with a new ArrayIterator prototype.

        (Inspector::JSInjectedScriptHost::iteratorEntries):
        Only clone and peek iterators if it would not be observable.
        Also update iteration to be more in line with IterationOperations, such as when
        we call iteratorClose.

        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::JSGlobalObject):
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
        * runtime/JSGlobalObjectInlines.h:
        (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
        Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.

        * runtime/JSMap.cpp:
        (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
        (JSC::JSMap::canCloneFastAndNonObservable):
        * runtime/JSMap.h:
        * runtime/JSSet.cpp:
        (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
        (JSC::JSSet::canCloneFastAndNonObservable):
        * runtime/JSSet.h:
        Promote isIteratorProtocolFastAndNonObservable to a method.

        * runtime/JSObject.cpp:
        (JSC::canDoFastPutDirectIndex):
        * runtime/JSTypeInfo.h:
        (JSC::TypeInfo::isArgumentsType):
        Helper to detect if an Object is an Arguments type.

2017-06-26  Saam Barati  <sbarati@apple.com>

        RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
        https://bugs.webkit.org/show_bug.cgi?id=173740

        Reviewed by Mark Lam.

        The builtin was using for-of iteration to iterate over an internal
        list in its algorithm. For-of iteration is observable via user code
        in the global object, so this approach was wrong as it would break if
        a user changed the Array iteration protocol in some way.

        * builtins/RegExpPrototype.js:
        (replace):

2017-06-26  Mark Lam  <mark.lam@apple.com>

        Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
        https://bugs.webkit.org/show_bug.cgi?id=173848

        Reviewed by JF Bastien.

        This functor only dumps the return VirtualPC.

        * interpreter/Interpreter.cpp:
        (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
        (JSC::Interpreter::dumpRegisters):
        (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
        (JSC::DumpRegisterFunctor::operator()): Deleted.

2017-06-26  Saam Barati  <sbarati@apple.com>

        Crash in JSC::Lexer<unsigned char>::setCode
        https://bugs.webkit.org/show_bug.cgi?id=172754

        Reviewed by Mark Lam.

        The lexer was asking one of its buffers to reserve initial space that
        was O(text size in bytes). For large sources, this would end up causing
        the vector to overflow and crash. This patch changes this code be like
        the Lexer's other buffers and to only reserve a small starting buffer.

        * parser/Lexer.cpp:
        (JSC::Lexer<T>::setCode):

2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Drop Thread::create(obsolete things) API since we can use lambda
        https://bugs.webkit.org/show_bug.cgi?id=173825

        Reviewed by Saam Barati.

        * jsc.cpp:
        (startTimeoutThreadIfNeeded):
        (timeoutThreadMain): Deleted.

2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, add missing header for CLoop

        * runtime/SymbolTable.cpp:

2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, add missing header icncludes

        * parser/Lexer.h:

2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>

        Remove excessive headers from JavaScriptCore
        https://bugs.webkit.org/show_bug.cgi?id=173812

        Reviewed by Darin Adler.

        * API/APIUtils.h:
        * assembler/LinkBuffer.cpp:
        * assembler/MacroAssemblerCodeRef.cpp:
        * b3/air/AirLiveness.h:
        * b3/air/AirLowerAfterRegAlloc.cpp:
        * bindings/ScriptValue.cpp:
        * bindings/ScriptValue.h:
        * bytecode/AccessCase.cpp:
        * bytecode/AccessCase.h:
        * bytecode/ArrayProfile.h:
        * bytecode/BytecodeDumper.h:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        * bytecode/BytecodeKills.h:
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeUseDef.h:
        * bytecode/CallLinkStatus.h:
        * bytecode/CodeBlock.h:
        * bytecode/CodeOrigin.h:
        * bytecode/ComplexGetStatus.h:
        * bytecode/GetByIdStatus.h:
        * bytecode/GetByIdVariant.h:
        * bytecode/InlineCallFrame.h:
        * bytecode/InlineCallFrameSet.h:
        * bytecode/Instruction.h:
        * bytecode/InternalFunctionAllocationProfile.h:
        * bytecode/JumpTable.h:
        * bytecode/MethodOfGettingAValueProfile.h:
        * bytecode/ObjectPropertyConditionSet.h:
        * bytecode/Operands.h:
        * bytecode/PolymorphicAccess.h:
        * bytecode/PutByIdStatus.h:
        * bytecode/SpeculatedType.cpp:
        * bytecode/StructureSet.h:
        * bytecode/StructureStubInfo.h:
        * bytecode/UnlinkedCodeBlock.h:
        * bytecode/UnlinkedFunctionExecutable.h:
        * bytecode/ValueProfile.h:
        * bytecompiler/BytecodeGenerator.cpp:
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        * bytecompiler/StaticPropertyAnalysis.h:
        * debugger/DebuggerCallFrame.cpp:
        * dfg/DFGAbstractInterpreter.h:
        * dfg/DFGAdjacencyList.h:
        * dfg/DFGArgumentsUtilities.h:
        * dfg/DFGArrayMode.h:
        * dfg/DFGArrayifySlowPathGenerator.h:
        * dfg/DFGBackwardsPropagationPhase.h:
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
        * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
        * dfg/DFGCapabilities.h:
        * dfg/DFGCommon.h:
        * dfg/DFGCommonData.h:
        * dfg/DFGDesiredIdentifiers.h:
        * dfg/DFGDesiredWatchpoints.h:
        * dfg/DFGDisassembler.cpp:
        * dfg/DFGDominators.h:
        * dfg/DFGDriver.cpp:
        * dfg/DFGDriver.h:
        * dfg/DFGEdgeDominates.h:
        * dfg/DFGFinalizer.h:
        * dfg/DFGGenerationInfo.h:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGJITCompiler.h:
        * dfg/DFGJITFinalizer.h:
        * dfg/DFGLivenessAnalysisPhase.h:
        * dfg/DFGMinifiedNode.h:
        * dfg/DFGMultiGetByOffsetData.h:
        * dfg/DFGNaturalLoops.cpp:
        * dfg/DFGNaturalLoops.h:
        * dfg/DFGNode.h:
        * dfg/DFGOSRAvailabilityAnalysisPhase.h:
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompilationInfo.h:
        * dfg/DFGOSRExitCompiler.cpp:
        * dfg/DFGOSRExitCompiler.h:
        * dfg/DFGOSRExitJumpPlaceholder.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPlan.h:
        * dfg/DFGPreciseLocalClobberize.h:
        * dfg/DFGPromotedHeapLocation.h:
        * dfg/DFGRegisteredStructure.h:
        * dfg/DFGRegisteredStructureSet.h:
        * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
        * dfg/DFGSlowPathGenerator.h:
        * dfg/DFGSnippetParams.h:
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGToFTLDeferredCompilationCallback.h:
        * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
        * dfg/DFGValidate.h:
        * dfg/DFGValueSource.h:
        * dfg/DFGVariableEvent.h:
        * dfg/DFGVariableEventStream.h:
        * dfg/DFGWorklist.h:
        * domjit/DOMJITCallDOMGetterSnippet.h:
        * domjit/DOMJITEffect.h:
        * ftl/FTLLink.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        * ftl/FTLPatchpointExceptionHandle.h:
        * heap/AllocatorAttributes.h:
        * heap/CodeBlockSet.h:
        * heap/DeferGC.h:
        * heap/GCSegmentedArray.h:
        * heap/Heap.cpp:
        * heap/Heap.h:
        * heap/IncrementalSweeper.h:
        * heap/ListableHandler.h:
        * heap/MachineStackMarker.h:
        * heap/MarkedAllocator.h:
        * heap/MarkedBlock.cpp:
        * heap/MarkedBlock.h:
        * heap/MarkingConstraint.h:
        * heap/SlotVisitor.cpp:
        * heap/SlotVisitor.h:
        * inspector/ConsoleMessage.cpp:
        * inspector/ConsoleMessage.h:
        * inspector/InjectedScript.h:
        * inspector/InjectedScriptHost.h:
        * inspector/InjectedScriptManager.cpp:
        * inspector/JSGlobalObjectInspectorController.cpp:
        * inspector/JavaScriptCallFrame.h:
        * inspector/ScriptCallStack.h:
        * inspector/ScriptCallStackFactory.cpp:
        * inspector/ScriptDebugServer.h:
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorHeapAgent.cpp:
        * inspector/agents/InspectorHeapAgent.h:
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        * inspector/agents/InspectorScriptProfilerAgent.h:
        * inspector/agents/JSGlobalObjectConsoleAgent.h:
        * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
        * inspector/agents/JSGlobalObjectDebuggerAgent.h:
        * inspector/agents/JSGlobalObjectRuntimeAgent.h:
        * inspector/augmentable/AlternateDispatchableAgent.h:
        * interpreter/CLoopStack.h:
        * interpreter/CachedCall.h:
        * interpreter/CallFrame.h:
        * interpreter/Interpreter.cpp:
        * interpreter/Interpreter.h:
        * jit/AssemblyHelpers.cpp:
        * jit/AssemblyHelpers.h:
        * jit/CCallHelpers.h:
        * jit/CallFrameShuffler.h:
        * jit/ExecutableAllocator.h:
        * jit/GCAwareJITStubRoutine.h:
        * jit/HostCallReturnValue.h:
        * jit/ICStats.h:
        * jit/JIT.cpp:
        * jit/JIT.h:
        * jit/JITAddGenerator.h:
        * jit/JITCall32_64.cpp:
        * jit/JITCode.h:
        * jit/JITDisassembler.cpp:
        * jit/JITExceptions.cpp:
        * jit/JITMathIC.h:
        * jit/JITOpcodes.cpp:
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * jit/JITThunks.cpp:
        * jit/JITThunks.h:
        * jit/JSInterfaceJIT.h:
        * jit/PCToCodeOriginMap.h:
        * jit/PolymorphicCallStubRoutine.h:
        * jit/RegisterSet.h:
        * jit/Repatch.h:
        * jit/SetupVarargsFrame.h:
        * jit/Snippet.h:
        * jit/SnippetParams.h:
        * jit/ThunkGenerators.h:
        * jsc.cpp:
        * llint/LLIntCLoop.h:
        * llint/LLIntEntrypoint.h:
        * llint/LLIntExceptions.h:
        * llint/LLIntOfflineAsmConfig.h:
        * llint/LLIntSlowPaths.cpp:
        * parser/NodeConstructors.h:
        * parser/Nodes.cpp:
        * parser/Nodes.h:
        * parser/Parser.cpp:
        * parser/Parser.h:
        * parser/ParserTokens.h:
        * parser/SourceProviderCacheItem.h:
        * profiler/ProfilerBytecodeSequence.h:
        * profiler/ProfilerDatabase.cpp:
        * profiler/ProfilerDatabase.h:
        * profiler/ProfilerOrigin.h:
        * profiler/ProfilerOriginStack.h:
        * profiler/ProfilerProfiledBytecodes.h:
        * profiler/ProfilerUID.h:
        * runtime/AbstractModuleRecord.h:
        * runtime/ArrayConstructor.h:
        * runtime/ArrayConventions.h:
        * runtime/ArrayIteratorPrototype.h:
        * runtime/ArrayPrototype.h:
        * runtime/BasicBlockLocation.h:
        * runtime/Butterfly.h:
        * runtime/CallData.cpp:
        * runtime/CodeCache.h:
        * runtime/CommonSlowPaths.cpp:
        * runtime/CommonSlowPaths.h:
        * runtime/CommonSlowPathsExceptions.cpp:
        * runtime/Completion.cpp:
        * runtime/ControlFlowProfiler.h:
        * runtime/DateInstanceCache.h:
        * runtime/ErrorConstructor.h:
        * runtime/ErrorInstance.h:
        * runtime/ExceptionHelpers.cpp:
        * runtime/ExceptionHelpers.h:
        * runtime/ExecutableBase.h:
        * runtime/FunctionExecutable.h:
        * runtime/HasOwnPropertyCache.h:
        * runtime/Identifier.h:
        * runtime/InternalFunction.h:
        * runtime/IntlCollator.cpp:
        * runtime/IntlCollatorPrototype.h:
        * runtime/IntlDateTimeFormatPrototype.h:
        * runtime/IntlNumberFormat.cpp:
        * runtime/IntlNumberFormatPrototype.h:
        * runtime/IteratorOperations.cpp:
        * runtime/JSArray.h:
        * runtime/JSArrayBufferPrototype.h:
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp:
        * runtime/JSFunction.h:
        * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
        * runtime/JSGlobalObject.cpp:
        * runtime/JSGlobalObject.h:
        * runtime/JSGlobalObjectDebuggable.cpp:
        * runtime/JSGlobalObjectDebuggable.h:
        * runtime/JSGlobalObjectFunctions.cpp:
        * runtime/JSGlobalObjectFunctions.h:
        * runtime/JSJob.cpp:
        * runtime/JSLock.h:
        * runtime/JSModuleLoader.cpp:
        * runtime/JSModuleNamespaceObject.h:
        * runtime/JSModuleRecord.h:
        * runtime/JSObject.cpp:
        * runtime/JSObject.h:
        * runtime/JSRunLoopTimer.h:
        * runtime/JSTemplateRegistryKey.h:
        * runtime/JSTypedArrayPrototypes.cpp:
        * runtime/JSTypedArrayPrototypes.h:
        * runtime/JSTypedArrays.h:
        * runtime/LiteralParser.h:
        * runtime/MatchResult.h:
        * runtime/MemoryStatistics.h:
        * runtime/PrivateName.h:
        * runtime/PromiseDeferredTimer.h:
        * runtime/ProxyObject.h:
        * runtime/RegExp.h:
        * runtime/SamplingProfiler.cpp:
        * runtime/SmallStrings.h:
        * runtime/StringPrototype.cpp:
        * runtime/StringRecursionChecker.h:
        * runtime/Structure.h:
        * runtime/SymbolConstructor.h:
        * runtime/SymbolPrototype.cpp:
        * runtime/SymbolPrototype.h:
        * runtime/TypeProfiler.h:
        * runtime/TypeProfilerLog.h:
        * runtime/TypedArrayType.h:
        * runtime/VM.cpp:
        * runtime/VM.h:
        * runtime/VMEntryScope.h:
        * runtime/WeakMapData.h:
        * runtime/WriteBarrier.h:
        * tools/FunctionOverrides.cpp:
        * tools/FunctionOverrides.h:
        * wasm/WasmBinding.cpp:
        * wasm/js/JSWebAssemblyCodeBlock.h:
        * wasm/js/WebAssemblyPrototype.cpp:
        * yarr/Yarr.h:
        * yarr/YarrJIT.cpp:
        * yarr/YarrJIT.h:
        * yarr/YarrParser.h:

2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up Object.entries implementation
        https://bugs.webkit.org/show_bug.cgi?id=173759

        Reviewed by Sam Weinig.

        This patch cleans up Object.entries implementation.
        We drop unused private functions. And we merge the
        implementation into Object.entries.

        It slightly speeds up Object.entries speed.

                                     baseline                  patched

            object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster


        * builtins/BuiltinNames.h:
        * builtins/ObjectConstructor.js:
        (entries):
        (globalPrivate.enumerableOwnProperties): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/ObjectConstructor.cpp:
        (JSC::ownEnumerablePropertyKeys): Deleted.
        * runtime/ObjectConstructor.h:

2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>

        Remove Reflect.enumerate
        https://bugs.webkit.org/show_bug.cgi?id=173806

        Reviewed by Yusuke Suzuki.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::subtype):
        (Inspector::JSInjectedScriptHost::getInternalProperties):
        (Inspector::JSInjectedScriptHost::iteratorEntries):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSPropertyNameIterator.cpp: Removed.
        * runtime/JSPropertyNameIterator.h: Removed.
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectEnumerate): Deleted.

2017-06-23  Keith Miller  <keith_miller@apple.com>

        Switch VMTraps to use halt instructions rather than breakpoint instructions
        https://bugs.webkit.org/show_bug.cgi?id=173677
        <rdar://problem/32178892>

        Reviewed by JF Bastien.

        Using the breakpoint instruction for VMTraps caused issues with lldb.
        Since we only need some way to stop execution we can, in theory, use
        any exceptioning instruction we want. I went with the halt instruction
        on X86 since that is the only one byte instruction that does not
        breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
        On ARM we use the data cache clearing instruction with the zero register,
        which triggers a segmentation fault.

        Also, update the platform code to only use signaling VMTraps
        on where we have an appropriate instruction (x86 and ARM64).

        * API/tests/ExecutionTimeLimitTest.cpp:
        (testExecutionTimeLimit):
        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::replaceWithVMHalt):
        (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
        (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::replaceWithBkpt): Deleted.
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::replaceWithVMHalt):
        (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::storeFence):
        (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
        (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::replaceWithHlt):
        (JSC::X86Assembler::replaceWithInt3): Deleted.
        * dfg/DFGJumpReplacement.cpp:
        (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
        * runtime/VMTraps.cpp:
        (JSC::SignalContext::SignalContext):
        (JSC::installSignalHandler):
        (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
        * wasm/WasmFaultSignalHandler.cpp:
        (JSC::Wasm::enableFastMemory):

2017-06-22  Saam Barati  <sbarati@apple.com>

        The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
        https://bugs.webkit.org/show_bug.cgi?id=173743
        <rdar://problem/32932536>

        Reviewed by Mark Lam.

        The code always manually speculates, however, we weren't specifying
        ManualOperandSpeculation when creating a JSValueOperand. This would
        fire an assertion in JSValueOperand construction for a node like:
        Identity(String:@otherNode)
        
        I spent about 45 minutes trying to craft a test and came up
        empty. However, this fixes a debug assertion on an internal
        Apple website.

        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2017-06-22  Saam Barati  <sbarati@apple.com>

        ValueRep(DoubleRep(@v)) can not simply convert to @v
        https://bugs.webkit.org/show_bug.cgi?id=173687
        <rdar://problem/32855563>

        Reviewed by Mark Lam.

        Consider this IR:
         block#x
          p: Phi() // int32 and double flows into this phi from various control flow
          d: DoubleRep(@p)
          some uses of @d here
          v: ValueRep(DoubleRepUse:@d)
          a: NewArrayWithSize(Int32:@v)
          some more nodes here ...
        
        Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
        AI proves that the Int32 check will fail. Constant folding phase removes
        all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
        
        The IR then looks like this:
        block#x
          p: Phi() // int32 and double flows into this phi from various control flow
          d: DoubleRep(@p)
          some uses of @d here
          v: ValueRep(DoubleRepUse:@d)
          a: NewArrayWithSize(Int32:@v)
          Unreachable
        
        However, there was a strength reduction rule that tries eliminate redundant
        conversions. It used to convert the program to:
        block#x
          p: Phi() // int32 and double flows into this phi from various control flow
          d: DoubleRep(@p)
          some uses of @d here
          a: NewArrayWithSize(Int32:@p)
          Unreachable
        
        However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
        and we'll crash. This patch removes this strength reduction rule since it
        does not maintain what would have happened if we executed the program before
        the rule.
        
        This rule is also wrong for other types of programs (I'm not sure we'd
        actually emit this code, but if such IR were generated, we would previously
        optimize it incorrectly):
        @a: Constant(JSTrue)
        @b: DoubleRep(@a)
        @c: ValueRep(@b)
        @d: use(@c)
        
        However, the strength reduction rule would've transformed this into:
        @a: Constant(JSTrue)
        @d: use(@a)
        
        And this would be wrong because node @c before the transformation would
        have produced the JSValue jsNumber(1.0).
        
        This patch was neutral in the benchmark run I did.

        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):

2017-06-22  JF Bastien  <jfbastien@apple.com>

        ARM64: doubled executable memory limit from 32MiB to 64MiB
        https://bugs.webkit.org/show_bug.cgi?id=173734
        <rdar://problem/32932407>

        Reviewed by Oliver Hunt.

        Some WebAssembly programs stress the amount of memory we have
        available, especially when we consider tiering (BBQ never dies,
        and is bigger that OMG). Tiering to OMG just piles on more memory,
        and we're also competing with JavaScript.

        * jit/ExecutableAllocator.h:

2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
        https://bugs.webkit.org/show_bug.cgi?id=173698

        Reviewed by Matt Baker.

        When pausing in a deep call stack the majority of the time spent in JavaScriptCore
        when preparing Inspector pause information is spent generating object previews for
        the `thisObject` of each of the call frames. In some cases, this could be more
        than 95% of the time generating pause information. In the common case, only one of
        these (the top frame) will ever be seen by users. This change avoids eagerly
        generating object previews up front and let the frontend request previews if they
        are needed.

        This introduces the `Runtime.getPreview` protocol command. This can be used to:

            - Get a preview for a RemoteObject that did not have a preview but could.
            - Update a preview for a RemoteObject that had a preview.

        This patch only uses it for the first case, but the second is valid and may be
        something we want to do in the future.

        * inspector/protocol/Runtime.json:
        A new command to get an up to date preview for an object.

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getPreview):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getPreview):
        * inspector/agents/InspectorRuntimeAgent.h:
        Plumbing for the new command.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.getPreview):
        Implementation just uses the existing helper.

        (InjectedScript.CallFrameProxy):
        Do not generate a preview for the this object as it may not be shown.
        Let the frontend request a preview if it wants or needs one.

2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
        https://bugs.webkit.org/show_bug.cgi?id=173686

        Reviewed by Mark Lam.

        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::functionDetails):
        * inspector/InjectedScriptSource.js:
        (InjectedScript.prototype.functionDetails):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::functionDetails):

2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Object.values should be implemented in C++
        https://bugs.webkit.org/show_bug.cgi?id=173703

        Reviewed by Sam Weinig.

        As the same to Object.assign, Object.values() is also inherently polymorphic.
        And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
        result is costly.

        In this patch, we implement Object.values() in C++. It can avoid above allocations.
        Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
        non-observable JSObject::get() calls.

        This improves performance by 2.49x. And also now Object.values() beats
        Object.keys(object).map(key => object[key]) implementation.

                                             baseline                  patched

            object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
            object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?

        * builtins/ObjectConstructor.js:
        (values): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorValues):

2017-06-21  Saam Barati  <sbarati@apple.com>

        ArrayPrototype.map builtin declares a var it does not use
        https://bugs.webkit.org/show_bug.cgi?id=173685

        Reviewed by Keith Miller.

        * builtins/ArrayPrototype.js:
        (map):

2017-06-21  Saam Barati  <sbarati@apple.com>

        eval virtual call is incorrect in the baseline JIT
        https://bugs.webkit.org/show_bug.cgi?id=173587
        <rdar://problem/32867897>

        Reviewed by Michael Saboff.

        When making a virtual call for call_eval, e.g, when the thing
        we're calling isn't actually eval, we end up calling the caller
        instead of the callee. This is clearly wrong. The code ends up
        issuing a load for the Callee in the callers frame instead of
        the callee we're calling. The fix is simple, we just need to
        load the real callee. Only the 32-bit baseline JIT had this bug.

        * jit/JITCall32_64.cpp:
        (JSC::JIT::compileCallEvalSlowCase):

2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
        https://bugs.webkit.org/show_bug.cgi?id=172432
        <rdar://problem/29870873>

        Reviewed by Saam Barati.

        Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
        We will proceed to improve debugging of these cases in the follow-up bugs.

        * debugger/Debugger.cpp:
        (JSC::Debugger::exception):
        Ignore pausing on these errors.

        * runtime/ErrorInstance.h:
        (JSC::ErrorInstance::setStackOverflowError):
        (JSC::ErrorInstance::isStackOverflowError):
        (JSC::ErrorInstance::setOutOfMemoryError):
        (JSC::ErrorInstance::isOutOfMemoryError):
        * runtime/ExceptionHelpers.cpp:
        (JSC::createStackOverflowError):
        * runtime/Error.cpp:
        (JSC::createOutOfMemoryError):
        Mark these kinds of errors.

2017-06-21  Saam Barati  <sbarati@apple.com>

        Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
        https://bugs.webkit.org/show_bug.cgi?id=173609

        Reviewed by Keith Miller.

        This patch makes many of the IC generating functions require a locker as
        a parameter. We do this in other places in JSC to indicate that
        a particular API is only valid while a particular lock is held.
        This is the case when generating ICs. This patch just makes it
        explicit in the IC generating interface.

        * bytecode/PolymorphicAccess.cpp:
        (JSC::PolymorphicAccess::addCases):
        (JSC::PolymorphicAccess::addCase):
        (JSC::PolymorphicAccess::commit):
        (JSC::PolymorphicAccess::regenerate):
        * bytecode/PolymorphicAccess.h:
        * bytecode/StructureStubInfo.cpp:
        (JSC::StructureStubInfo::addAccessCase):
        (JSC::StructureStubInfo::initStub): Deleted.
        * bytecode/StructureStubInfo.h:
        * jit/Repatch.cpp:
        (JSC::tryCacheGetByID):
        (JSC::repatchGetByID):
        (JSC::tryCachePutByID):
        (JSC::repatchPutByID):
        (JSC::tryRepatchIn):
        (JSC::repatchIn):

2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>

        Disable font variations on macOS Sierra and iOS 10
        https://bugs.webkit.org/show_bug.cgi?id=173618
        <rdar://problem/32879164>

        Reviewed by Jon Lee.

        * Configurations/FeatureDefines.xcconfig:

2017-06-20  Keith Miller  <keith_miller@apple.com>

        Fix leak of ModuleInformations in BBQPlan constructors.
        https://bugs.webkit.org/show_bug.cgi?id=173577

        Reviewed by Saam Barati.

        This patch fixes a leak in the BBQPlan constructiors. Previously,
        the plans were calling makeRef on the newly constructed objects.
        This patch fixes the issue and uses adoptRef instead. Additionally,
        an old, incorrect, attempt to fix the leak is removed.

        * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
        (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
        * jit/JITWorklist.cpp:
        (JSC::JITWorklist::Thread::Thread):
        * runtime/PromiseDeferredTimer.cpp:
        (JSC::PromiseDeferredTimer::addPendingPromise):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::BBQPlan):
        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::Plan):

2017-06-20  Devin Rousso  <drousso@apple.com>

        Web Inspector: Send context attributes for tracked canvases
        https://bugs.webkit.org/show_bug.cgi?id=173327

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        Add ContextAttributes object type that is optionally used for WebGL canvases.

2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>

        Remove excessive include directives from WTF
        https://bugs.webkit.org/show_bug.cgi?id=173553

        Reviewed by Saam Barati.

        * profiler/ProfilerDatabase.cpp: Added missing include directive.
        * runtime/SamplingProfiler.cpp: Ditto.

2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>

        Revert changes in bug#160417 about extending `null` not being a derived class
        https://bugs.webkit.org/show_bug.cgi?id=169293

        Reviewed by Saam Barati.

        Reverted changes in bug#160417 about extending `null` not being a derived class 
        according to changes in spec:
        https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2

        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):

2017-06-20  Saam Barati  <sbarati@apple.com>

        repatchIn needs to lock the CodeBlock's lock
        https://bugs.webkit.org/show_bug.cgi?id=173573

        Reviewed by Yusuke Suzuki.

        CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
        lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
        an IC, we must hold the CodeBlock's to prevent the executing thread from racing
        with the marking thread. repatchIn was not grabbing the lock. I haven't been
        able to get it to crash, but this is needed for the same reasons that get and put IC
        regeneration grab the lock.

        * jit/Repatch.cpp:
        (JSC::repatchIn):

2017-06-19  Devin Rousso  <drousso@apple.com>

        Web Inspector: create canvas content view and details sidebar panel
        https://bugs.webkit.org/show_bug.cgi?id=138941
        <rdar://problem/19051672>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
         - Add an optional `nodeId` attribute to the `Canvas` type.
         - Add `requestNode` command for getting the node id of the backing canvas element.
         - Add `requestContent` command for getting the current image content of the canvas.

2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for ARM

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::internalCompare32):

2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] More ArrayIndexOf fixups for various types
        https://bugs.webkit.org/show_bug.cgi?id=173176

        Reviewed by Saam Barati.

        This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.

        1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
        never contains the given search value.

        2. We support Symbol and Other specialization additionally. Especially, Other is
        useful because null/undefined can be used as a sentinel value.

        One interesting thing is that Array.prototype.indexOf does not consider holes as
        undefineds. Thus,

            var array = [,,,,,,,];
            array.indexOf(undefined); // => -1

        This can be trivially achieved in JSC because Empty and Undefined are different values.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupArrayIndexOf):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
        (JSC::DFG::SpeculativeJIT::speculateOther):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):

2017-06-19  Caio Lima  <ticaiolima@gmail.com>

        [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
        https://bugs.webkit.org/show_bug.cgi?id=172972

        Reviewed by Mark Lam.

        We are changing internalCompare32 implementation in ARM
        MacroAssembler to emit "cmp" when the "right.value" is 0.
        It is generating wrong comparison cases, since the
        semantics of cmn is opposite of cmp[1]. One case that it's breaking is
        "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", where ends
        resulting in following assembly code:

        ```
        cmn $r0, #0
        bhi <address>
        ```

        However, as cmn is similar to "adds", it will never take the branch
        when $r0 > 0. In that case, the correct opcode is "cmp". With this
        patch we will fix current broken tests that uses
        "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
        such as ForwardVarargs, Spread and GetRestLength.

        [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::internalCompare32):

2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>

        test262: Completion values for control flow do not match the spec
        https://bugs.webkit.org/show_bug.cgi?id=171265

        Reviewed by Saam Barati.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
        When we care about having proper completion values (global code
        in programs, modules, and eval) insert undefined results for
        control flow statements.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::SourceElements::emitBytecode):
        Reduce writing a default `undefined` value to the completion result to
        only once before the last statement we know will produce a value.

        (JSC::IfElseNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        Insert an undefined to handle cases where code may break out of an
        if/else or with statement (break/continue).

        (JSC::TryNode::emitBytecode):
        Same handling for break cases. Also, finally block statement completion
        values are always ignored for the try statement result.

        (JSC::ClassDeclNode::emitBytecode):
        Class declarations, like function declarations, produce an empty result.

        * parser/Nodes.cpp:
        (JSC::SourceElements::lastStatement):
        (JSC::SourceElements::hasCompletionValue):
        (JSC::SourceElements::hasEarlyBreakOrContinue):
        (JSC::BlockNode::lastStatement):
        (JSC::BlockNode::singleStatement):
        (JSC::BlockNode::hasCompletionValue):
        (JSC::BlockNode::hasEarlyBreakOrContinue):
        (JSC::ScopeNode::singleStatement):
        (JSC::ScopeNode::hasCompletionValue):
        (JSC::ScopeNode::hasEarlyBreakOrContinue):
        The only non-trivial cases need to loop through their list of statements
        to determine if this has a completion value or not. Likewise for
        determining if there is an early break / continue, meaning a break or
        continue statement with no preceding statement that has a completion value.

        * parser/Nodes.h:
        (JSC::StatementNode::next):
        (JSC::StatementNode::hasCompletionValue):
        Helper to check if a statement nodes produces a completion value or not.

2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>

        Missing <functional> includes make builds fail with GCC 7.x
        https://bugs.webkit.org/show_bug.cgi?id=173544

        Unreviewed gardening.

        Fix compilation with GCC 7.

        * API/tests/CompareAndSwapTest.cpp:
        * runtime/VMEntryScope.h:

2017-06-17  Keith Miller  <keith_miller@apple.com>

        ArrayBuffer constructor needs to create subclass structures before its buffer
        https://bugs.webkit.org/show_bug.cgi?id=173510

        Reviewed by Yusuke Suzuki.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):

2017-06-17  Keith Miller  <keith_miller@apple.com>

        ArrayPrototype methods should use JSValue::toLength for non-Arrays.
        https://bugs.webkit.org/show_bug.cgi?id=173506

        Reviewed by Ryosuke Niwa.

        This patch changes the result of unshift if old length +
        unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
        the getLength function, which was always incorrect to use, has
        been removed. Additionally, some cases where we were using a
        constant for (2 ** 53) - 1 have been replaced with
        maxSafeInteger()

        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/JSArrayInlines.h:
        (JSC::getLength): Deleted.
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toLength):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorFuncIsSafeInteger):

2017-06-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
        https://bugs.webkit.org/show_bug.cgi?id=172623
        <rdar://problem/32415986>

        Reviewed by Devin Rousso and Joseph Pecoraro.

        This patch adds a basic Canvas protocol. It includes Canvas and related
        types and events for monitoring the lifetime of canvases in the page.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Add special handling for Canvas.ContextType protocol enumeration,
        so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.

2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>

        [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
        https://bugs.webkit.org/show_bug.cgi?id=173366
        <rdar://problem/32767014>

        Reviewed by Tim Horton.

        Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.

        * Configurations/FeatureDefines.xcconfig:

2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add fast path for Object.assign
        https://bugs.webkit.org/show_bug.cgi?id=173416

        Reviewed by Mark Lam.

        In Object.assign implementation, we need to ensure that given key is still enumerable own key.
        This seems duplicate look up. And we want to avoid this. However, we still need to perform this
        check in the face of Proxy. Proxy can observe that this check is done correctly.

        In almost all the cases, the above check is duplicate to the subsequent [[Get]] operation.
        In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
        If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
        value by calling `slot.getValue()`.

        This further improves performance of Object.assign.

                                        baseline                  patched

            object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2017-06-16  Michael Saboff  <msaboff@apple.com>

        Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
        https://bugs.webkit.org/show_bug.cgi?id=173488

        Reviewed by Filip Pizlo.

        ClonedArguments lazily sets its callee and interator properties and it used its own inline
        code to initialize its butterfly.  This means that these lazily set properties can have
        bogus values in those slots.  Instead, let's use the standard BUtterfly:tryCreate() method
        to create the butterfly as it clears out of line properties.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):

2017-06-16  Mark Lam  <mark.lam@apple.com>

        Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
        https://bugs.webkit.org/show_bug.cgi?id=173491

        Reviewed by Keith Miller.

        The implementation are based on static data. There's no need to get the
        interpreter instance. Hence, we can make these methods static and avoid doing
        unnecessary work to compute the interpreter this pointer.

        Also removed the unused isCallBytecode method.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::BytecodeBasicBlock::computeImpl):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdOp):
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
        * bytecode/BytecodeRewriter.cpp:
        (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        (JSC::CodeBlock::usesOpcode):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::arithProfileForPC):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargetsInternal):
        (JSC::findJumpTargetsForBytecodeOffset):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::applyModification):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::isOpcode):
        (): Deleted.
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode): Deleted.
        (JSC::Interpreter::getOpcodeID): Deleted.
        (JSC::Interpreter::isCallBytecode): Deleted.
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitNewFuncCommon):
        (JSC::JIT::emitNewFuncExprCommon):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):

2017-06-16  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r218376.

        The patch cause multiple Layout Test Crashes.

        Reverted changeset:

        "Web Inspector: Instrument 2D/WebGL canvas contexts in the
        backend"
        https://bugs.webkit.org/show_bug.cgi?id=172623
        http://trac.webkit.org/changeset/218376

2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>

        REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
        https://bugs.webkit.org/show_bug.cgi?id=173470

        Reviewed by Joseph Pecoraro.

        ConsoleClient::printConsoleMessageWithArguments() incorrectly uses
        const char* overload of StringBuilder::append() that assummes Latin1
        encoding, not UTF8.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):

2017-06-15  Mark Lam  <mark.lam@apple.com>

        Add a JSRunLoopTimer registry in VM.
        https://bugs.webkit.org/show_bug.cgi?id=173429
        <rdar://problem/31287961>

        Reviewed by Filip Pizlo.

        This way, we can be sure we've got every JSRunLoopTimer instance covered if we
        need to change their run loop (e.g. when setting to the WebThread's run loop).

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::setRunLoop): Deleted.
        * heap/Heap.h:
        (JSC::Heap::runLoop): Deleted.
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::JSRunLoopTimer):
        (JSC::JSRunLoopTimer::setRunLoop):
        (JSC::JSRunLoopTimer::~JSRunLoopTimer):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::registerRunLoopTimer):
        (JSC::VM::unregisterRunLoopTimer):
        (JSC::VM::setRunLoop):
        * runtime/VM.h:
        (JSC::VM::runLoop):

2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>

        [Cocoa] Modernize some internal initializers to use instancetype instead of id
        https://bugs.webkit.org/show_bug.cgi?id=173112

        Reviewed by Wenson Hsieh.

        * API/JSContextInternal.h:
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initForClass:]):
        (-[JSWrapperMap initWithGlobalContextRef:]):

2017-06-15  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
        https://bugs.webkit.org/show_bug.cgi?id=172623
        <rdar://problem/32415986>

        Reviewed by Devin Rousso.

        This patch adds a basic Canvas protocol. It includes Canvas and related
        types and events for monitoring the lifetime of canvases in the page.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Add special handling for Canvas.ContextType protocol enumeration,
        so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.

2017-06-15  Keith Miller  <keith_miller@apple.com>

        Add logging to MachineStackMarker to try to diagnose crashes in the wild
        https://bugs.webkit.org/show_bug.cgi?id=173427

        Reviewed by Mark Lam.

        This patch adds some logging to the MachineStackMarker constructor
        to help figure out where we are seeing crashes. Since macOS does
        not support os_log_info my hope is that if we set all the callee
        save registers before making any calls in the C++ code we can
        figure out which calls is the source of the crash. We also, set
        all the caller save registers before returning in case some
        weirdness is happening in the Heap constructor.

        This logging should not matter from a performance perspective. We
        only create MachineStackMarkers when we are creating a new VM,
        which is already expensive.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):

2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement Object.assign in C++
        https://bugs.webkit.org/show_bug.cgi?id=173414

        Reviewed by Saam Barati.

        Implementing Object.assign in JS is not so good compared to C++ version because,

        1. JS version allocates JS array for object own keys. And we allocate JSString / Symbol for each key.
        But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells are wasteful.

        2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
        So JS's type profile doesn't help well.

        3. We have a chance to introduce various fast path for Object.assign in C++.

        This patch moves implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].

        We can see 1.65x improvement in SixSpeed object-assign.es6.

                                    baseline                  patched

        object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster

        [1]: https://bugs.webkit.org/show_bug.cgi?id=173416

        * builtins/ObjectConstructor.js:
        (entries):
        (assign): Deleted.
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::putInline):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::putInline):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInlineForJSObject):
        (JSC::JSObject::putInline): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2017-06-14  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=168578

        Reviewed by Geoff Garen.

        * API/JSWrapperMap.mm:
        (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
        (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
        (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
          it defines conformance to a JSExport-derived protocol and if so, avoid using the
          superclass as a substitute as we’d normally do.

        * API/ObjcRuntimeExtras.h:
        (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
          bail out.

        * API/tests/JSExportTests.mm:
        (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
        (runJSExportTests): Run new test.

2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress invalid register alloation validation assertion in 32 bit part 2
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):

2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>

        REGRESSION: 15 new jsc failures in WPE and GTK+
        https://bugs.webkit.org/show_bug.cgi?id=173349

        Reviewed by JF Bastien.

        Recent changes to generateWasm.py are not accounted for from
        CMake, which leads to WasmOps.h not being regenerated in partial
        builds. Make generateWasm.py an additional dependency.
        * CMakeLists.txt:

2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>

        Debugger has unexpected effect on program correctness
        https://bugs.webkit.org/show_bug.cgi?id=172683

        Reviewed by Saam Barati.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
        (BasicCommandLineAPI):
        Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
        We still use it for Set / Map iteration which we can eliminate when moving to builtins.

2017-06-13  JF Bastien  <jfbastien@apple.com>

        WebAssembly: fix erroneous signature comment
        https://bugs.webkit.org/show_bug.cgi?id=173334

        Reviewed by Keith Miller.

        * wasm/WasmSignature.h:

2017-06-13  Michael Saboff  <msaboff@apple.com>

        Refactor AbsenceOfSetter to AbsenceOfSetEffects
        https://bugs.webkit.org/show_bug.cgi?id=173322

        Reviewed by Filip Pizlo.

        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::ObjectPropertyCondition::absenceOfSetEffect):
        (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
        (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
        (JSC::PropertyCondition::isStillValid):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffect):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hash):
        (JSC::PropertyCondition::operator==):
        (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
        (JSC::PropertyCondition::absenceOfSetter): Deleted.

2017-06-13  JF Bastien  <jfbastien@apple.com>

        WebAssembly: import updated spec tests
        https://bugs.webkit.org/show_bug.cgi?id=173287
        <rdar://problem/32725975>

        Reviewed by Saam Barati.

        Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
        with a few modifications so things work.

        Fix a bunch of bugs found through this process, and punt a few tests (which I
        marked as blocked by this bug).

        Fixes:

        Fix load / store alignment: r216908 erroneously implemented it as bit alignment
        instead of byte alignment. It was also missing memory-alignment.js despite it
        being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
        pass.

        Tables can be imported or in a section. There can be only one, but sections can
        be empty. An Elements section can exist if there's no Table, as long as it is
        also empty.

        Memories can be imported or in a section. There can be only one, but sections
        can be empty. A Data section can exist if there's no Memory, as long as it is
        also empty.

        Prototypes: stringify without .prototype. in the string.

        WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
        not a final size, and throws a RangeError on failure, not a TypeError.

        Fix compile / instantiate so the reject the promise if given an argument of the
        wrong type (instead of failing instantly).

        Fix async on neuter test.

        Element section shouldn't affect any Table if any of the elements are out of
        bounds. We need to process it in two passes.

        Segment section shouldn't affect any Data if any of the segments are out of
        bounds. We need to process it in two passes.

        Empty data segments are valid, but only when there is no memory. Their index
        still gets validated, and has to be zero.

        Punts:

        Error messages with context, the test seems overly restrictive but this is
        minor.

        compile/instantiate/validate property descriptors.

        UTF-8 bugs.

        Temporarily disable NaN tests. We need to go back and implement the following
        semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
        much as getting all the other tests passing.

        Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
        no_fold_promote_demote (an interesting corner case which we get wrong). mul by
        one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
        0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
        to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
        (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
        why they're not allowed.

        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFunctionParser.h:
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
        * wasm/generateWasm.py:
        (memoryLog2Alignment):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::grow):
        * wasm/js/JSWebAssemblyTable.h:
     &n