Fix a bug with cpuid in the FTL.
2017-11-16  Saam Barati  <sbarati@apple.com>

        Fix a bug with cpuid in the FTL.

        Rubber stamped by Mark Lam.

        Before uploading the previous patch, I tried to condense the code. I
        accidentally removed a crucial line saying that CPUID clobbers various
        registers.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):

2017-11-16  Saam Barati  <sbarati@apple.com>

        Add some X86 intrinsics to $vm to help with some perf testing
        https://bugs.webkit.org/show_bug.cgi?id=179693

        Reviewed by Mark Lam.

        I've been doing some local perf testing of various ideas and have
        had these come in handy. I'm going to land them to dollarVM to prevent
        having to add them to my local build every time I do perf testing.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::mfence):
        (JSC::MacroAssemblerX86Common::rdtsc):
        (JSC::MacroAssemblerX86Common::pause):
        (JSC::MacroAssemblerX86Common::cpuid):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::rdtsc):
        (JSC::X86Assembler::pause):
        (JSC::X86Assembler::cpuid):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::intrinsic):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::JSDollarVM::finishCreation):

2017-11-16  JF Bastien  <jfbastien@apple.com>

        It should be easier to reify lazy property names
        https://bugs.webkit.org/show_bug.cgi?id=179734
        <rdar://problem/35492521>

        Reviewed by Keith Miller.

        We reify lazy property names in a few different ways, each
        specific to the JSCell implementation, in put() instead of having
        a special function to do reification. Let's make that simpler.

        This patch makes it easier to reify property names in a uniform
        manner, and does so in JSFunction. As a follow up I'll use the
        same mechanics for:

        ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
        ErrorConstructor  stackTraceLimit
        ErrorInstance     line, column, sourceURL, stack
        GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
        GetterSetter      RELEASE_ASSERT_NOT_REACHED()
        JSArray           length
        RegExpObject      lastIndex
        StringObject      length

        * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp: `name` and `length` can be reified.
        (JSC::JSFunction::reifyPropertyNameIfNeeded):
        (JSC::JSFunction::put):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyNameIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSFunction.h:
        (JSC::JSFunction::isLazy):
        (JSC::JSFunction::isReified):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal): do the reification here.

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Provide a runtime option for disabling the optimization of recursive tail calls
        https://bugs.webkit.org/show_bug.cgi?id=179765

        Reviewed by Mark Lam.

        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        * runtime/Options.h:

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Fix null pointer dereference in bytecodeDumper
        https://bugs.webkit.org/show_bug.cgi?id=179764

        Reviewed by Mark Lam.

        The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
        https://bugs.webkit.org/show_bug.cgi?id=179763
        <rdar://problem/35550513>

        Reviewed by Keith Miller.

        Fix null pointer dereference caused by an eliminated tdz_check

        The problem was when doing an OSR entry in DFG while |this| was null
        (because super() had not yet been called in the constructor of this
        subclass), it would be marked as non-null, and the tdz_check eliminated.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):

2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r224863.

        Introduced LayoutTest crashes on iOS Simulator.

        Reverted changeset:

        "Move JSONValues to WTF and convert uses of InspectorValues.h
        to JSONValues.h"
        https://bugs.webkit.org/show_bug.cgi?id=173793
        https://trac.webkit.org/changeset/224863

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix after r224862.
        https://bugs.webkit.org/show_bug.cgi?id=179699

        Not reviewed.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):

2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Brian Burg.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::castToInteger):
        (Inspector::castToNumber):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
        * inspector/ScriptCallFrame.cpp:
        * inspector/ScriptCallStack.cpp:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_unchecked_setter_for_member):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generator.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179699
        <rdar://problem/35462346>

        Reviewed by Michael Saboff.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        - Need to skip the callee saved registers

2017-11-14  Guillaume Emont  <guijemont@igalia.com>

        REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
        https://bugs.webkit.org/show_bug.cgi?id=179563

        Reviewed by Carlos Alberto Lopez Perez.

        When run with BranchIfTruncateSuccessful,
        branchTruncateDoubleToInt32() should set the destination register
        before branching.
        This change also removes branchTruncateDoubleToUInt32() as it is
        deprecated (see r160205), merges branchOnTruncateResult() into
        branchTruncateDoubleToInt32() and adds test cases in testmasm.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        Properly set dest before branching.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):
        (JSC::run):
        Add tests for branchTruncateDoubleToInt32().

2017-11-14  Daniel Bates  <dabates@apple.com>

        Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
        for feature defines

        Following r195498 and r201917 the Visual Studio property files for feature defines have
        moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
        Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
        files.

        * Configurations/FeatureDefines.xcconfig:

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Remove JSDollarVMPrototype.
        https://bugs.webkit.org/show_bug.cgi?id=179685

        Reviewed by Saam Barati.

        1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.

           This allows us to call these functions during lldb debugging sessions using
           VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
           VMInspector provides VM debugging utility methods.  It doesn't make sense to
           have a JSDollarVMPrototype object provide these methods.

           Plus, it's shorter to type VMInspector than JSDollarVMPrototype.

        2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.

           JSDollarVM is a special object used only for debugging purposes.  There's no
           gain in requiring its methods to be stored in a prototype object other than to
           conform to typical JS convention.  We can remove this complexity.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVM::addFunction):
        (JSC::functionCrash):
        (JSC::functionDFGTrue):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator() const):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionPrintSourceFor):
        (JSC::functionPrintBytecodeFor):
        (JSC::functionPrint):
        (JSC::functionPrintCallFrame):
        (JSC::functionPrintStack):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::JSDollarVM::finishCreation):
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::create):
        * tools/JSDollarVMPrototype.cpp: Removed.
        * tools/JSDollarVMPrototype.h: Removed.
        * tools/VMInspector.cpp:
        (JSC::VMInspector::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::VMInspector::gc):
        (JSC::VMInspector::edenGC):
        (JSC::VMInspector::isInHeap):
        (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
        (JSC::CellAddressCheckFunctor::operator() const):
        (JSC::VMInspector::isValidCell):
        (JSC::VMInspector::isValidCodeBlock):
        (JSC::VMInspector::codeBlockForFrame):
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator() const):
        (JSC::VMInspector::printCallFrame):
        (JSC::VMInspector::printStack):
        (JSC::VMInspector::printValue):
        * tools/VMInspector.h:

2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
        https://bugs.webkit.org/show_bug.cgi?id=179640
        <rdar://problem/35517361>

        Reviewed by Devin Rousso.

        * CMakeLists.txt:
        * DerivedSources.make:
        Gate the ServiceWorker domain on the ENABLE feature flag.

        * inspector/protocol/ServiceWorker.json: Added.
        New domain to be made available inside of a ServiceWorker target.

2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support Array::DirectArguments with OutOfBounds
        https://bugs.webkit.org/show_bug.cgi?id=179594

        Reviewed by Saam Barati.

        Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
        If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
        `arguments[i]` accesses if i is in bounds, and (2) encourage arguments elimination phase
        to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
        PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.

        This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
        accept this type, and emit optimized code compared to Array::Generic case.

        We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) as OutOfBounds
        exit instead of ExoticObjectMode.

        This change significantly improves SixSpeed rest.es5 since it uses OOB access.
        Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.

            rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

2017-11-14  Saam Barati  <sbarati@apple.com>

        We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=179639
        <rdar://problem/35513018>

        Reviewed by JF Bastien.

        Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
        walk the stack for ShadowChicken (and maybe other things). We weren't updating
        topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
        use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
        this bug by giving Wasm::Instance a lambda that is called when we need to store
        the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
        Currently, JSWebAssemblyInstance passes in a lambda that stores to
        VM.topCallFrame.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::storeTopCallFrame):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):

2017-11-13  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
        https://bugs.webkit.org/show_bug.cgi?id=179203

        Reviewed by Yusuke Suzuki.

        This patch only removes the pointer caging for the described types in the title.
        These types still allocate out of the gigacage. This is just a cost vs. benefit
        tradeoff of performance vs. security.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::storage):
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
        * runtime/HashMapImpl.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::variables):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::overflowStorage const):

2017-11-08  Keith Miller  <keith_miller@apple.com>

        Async iteration should only fetch the next method once and add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179451

        Reviewed by Geoffrey Garen.

        Add feature flag for Async iteration. Also, change async iteration to match
        the expected behavior of the proposal.

        * Configurations/FeatureDefines.xcconfig:
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetAsyncIterator):
        * runtime/Options.h:

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Add more overflow check book-keeping for MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=179634
        <rdar://problem/35492517>

        Reviewed by Saam Barati.

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):

2017-11-13  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
        https://bugs.webkit.org/show_bug.cgi?id=179542

        Reviewed by Alex Christensen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell loadGetterFromGetterSetter() function more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179619
        <rdar://problem/35492518>

        Reviewed by Saam Barati.

        * jsc.cpp:
        (functionLoadGetterFromGetterSetter):

2017-11-12  Darin Adler  <darin@apple.com>

        More is<> and downcast<>, less static_cast<>
        https://bugs.webkit.org/show_bug.cgi?id=179600

        Reviewed by Chris Dumez.

        * runtime/JSString.h:
        (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
        (JSC::jsSubstringOfResolved): Ditto.

2017-11-12  Mark Lam  <mark.lam@apple.com>

        We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
        https://bugs.webkit.org/show_bug.cgi?id=179562
        <rdar://problem/35467022>

        Reviewed by Saam Barati.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):

2017-11-11  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Canvas tab: show detailed status during canvas recording
        https://bugs.webkit.org/show_bug.cgi?id=178185
        <rdar://problem/34939862>

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add a `recordingProgress` event that is sent to the frontend that contains all the frame
        payloads since the last Canvas.recordingProgress event and the current buffer usage.

        * inspector/protocol/Recording.json:
        Remove the required `frames` parameter from the Recording protocol object, as they will be
        sent in batches via the Canvas.recordingProgress event.

2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Make http status codes be "integer" instead of "number" in protocol
        https://bugs.webkit.org/show_bug.cgi?id=179543

        Reviewed by Antoine Quint.

        * inspector/protocol/Network.json:
        Use a better type for the status code.

2017-11-10  Robin Morisset  <rmorisset@apple.com>

        The memory consumption of DFG::BasicBlock can be easily reduced a bit
        https://bugs.webkit.org/show_bug.cgi?id=179528

        Reviewed by Saam Barati.

        A few changes here:
        - Reordering some fields of DFG::BasicBlock to reduce padding
        - Making the enum fields that are glorified booleans fit into a u8
        - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
          This change works because we never increase the number of arguments after allocating an Operands object.
          It lets us avoid one extra capacity field and one extra pointer field per Operands,
          and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
          Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
          we have a chance to avoid an allocation.
        - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.

        * bytecode/Operands.h:
        (JSC::Operands::Operands):
        (JSC::Operands::numberOfArguments const):
        (JSC::Operands::numberOfLocals const):
        (JSC::Operands::argument):
        (JSC::Operands::argument const):
        (JSC::Operands::local):
        (JSC::Operands::local const):
        (JSC::Operands::ensureLocals):
        (JSC::Operands::setLocal):
        (JSC::Operands::getLocal):
        (JSC::Operands::setArgumentFirstTime):
        (JSC::Operands::setLocalFirstTime):
        (JSC::Operands::operand):
        (JSC::Operands::setOperand):
        (JSC::Operands::size const):
        (JSC::Operands::at const):
707         (JSC::Operands::at):
708         (JSC::Operands::isArgument const):
709         (JSC::Operands::isVariable const):
710         (JSC::Operands::virtualRegisterForIndex const):
711         (JSC::Operands::fill):
712         (JSC::Operands::operator== const):
713         (JSC::Operands::argumentForIndex const): Deleted.
714         (JSC::Operands::variableForIndex const): Deleted.
715         (JSC::Operands::indexForOperand const): Deleted.
716         * dfg/DFGBasicBlock.cpp:
717         (JSC::DFG::BasicBlock::BasicBlock):
718         * dfg/DFGBasicBlock.h:
719         * dfg/DFGBranchDirection.h:
720         * dfg/DFGStructureClobberState.h:
721
722 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
723
724         [JSC] Retry module fetching if previous request fails
725         https://bugs.webkit.org/show_bug.cgi?id=178168
726
727         Reviewed by Saam Barati.
728
729         According to the latest spec, the failed fetching operation can be retried if it is requested again.
730         For example,
731
732             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
733             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
734
735         When performing the first module fetching, the integrity check fails, and the load of this module fails.
736         But when loading the second module, we do not use the cached failure result from the first module loading.
737         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
738         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
739
740         Interestingly, the fetching result and instantiation result will be cached if they succeed. This is because we would
741         like to cache modules based on their URLs. As a result,
742
743             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
744             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
745
746         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
747         instantiation are cached in the module pipeline.
748
749         This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
750         failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
751         if the previous one fails. As an overview of our change,
752
753         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
754            be unified. But if the currently executing one fails, the other attempts should retry fetching.
755
756         2. Instantiation should be cached if fetching succeeds.
757
758         3. Satisfying should be cached if it succeeds.
759
760         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
761
762         * builtins/ModuleLoaderPrototype.js:
763         (requestFetch):
764         (requestInstantiate):
765         (requestSatisfy):
766         (link):
767         (loadModule):
768         * runtime/JSGlobalObject.cpp:
769         (JSC::JSGlobalObject::init):
770
771 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
772
773         Web Inspector: support undo/redo of insertAdjacentHTML
774         https://bugs.webkit.org/show_bug.cgi?id=179283
775
776         Reviewed by Joseph Pecoraro.
777
778         * inspector/protocol/DOM.json:
779         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
780         on the given node.
781
782 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
783
784         Web Inspector: Make domain availability a list of types instead of a single type
785         https://bugs.webkit.org/show_bug.cgi?id=179457
786
787         Reviewed by Brian Burg.
788
789         * inspector/scripts/codegen/generate_js_backend_commands.py:
790         (JSBackendCommandsGenerator.generate_domain):
791         Update output of `InspectorBackend.activateDomain` to include the list.
792
793         * inspector/scripts/codegen/models.py:
794         (Protocol.parse_domain):
795         Parse `availability` as a list and include a new supported value of "service-worker".
796
797         * inspector/protocol/ApplicationCache.json:
798         * inspector/protocol/CSS.json:
799         * inspector/protocol/Canvas.json:
800         * inspector/protocol/DOM.json:
801         * inspector/protocol/DOMDebugger.json:
802         * inspector/protocol/DOMStorage.json:
803         * inspector/protocol/Database.json:
804         * inspector/protocol/IndexedDB.json:
805         * inspector/protocol/LayerTree.json:
806         * inspector/protocol/Memory.json:
807         * inspector/protocol/Network.json:
808         * inspector/protocol/Page.json:
809         * inspector/protocol/Timeline.json:
810         * inspector/protocol/Worker.json:
811         Update `availability` to be a list.
812
813         * inspector/scripts/tests/generic/domain-availability.json:
814         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
815         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
816         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
817         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
818         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
819         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
820         Update tests to include a test for the type and an invalid value.
821
822 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
823
824         [JSC][JIT] Clean up SlowPathCall stubs
825         https://bugs.webkit.org/show_bug.cgi?id=179247
826
827         Reviewed by Saam Barati.
828
829         We have a bunch of duplicate functions that just call a slow path function.
830         This patch cleans up the above duplication.
831
832         * jit/JIT.cpp:
833         (JSC::JIT::emitSlowCaseCall):
834         (JSC::JIT::privateCompileSlowCases):
835         * jit/JIT.h:
836         * jit/JITArithmetic.cpp:
837         (JSC::JIT::emitSlow_op_unsigned): Deleted.
838         (JSC::JIT::emitSlow_op_inc): Deleted.
839         (JSC::JIT::emitSlow_op_dec): Deleted.
840         (JSC::JIT::emitSlow_op_bitand): Deleted.
841         (JSC::JIT::emitSlow_op_bitor): Deleted.
842         (JSC::JIT::emitSlow_op_bitxor): Deleted.
843         (JSC::JIT::emitSlow_op_lshift): Deleted.
844         (JSC::JIT::emitSlow_op_rshift): Deleted.
845         (JSC::JIT::emitSlow_op_urshift): Deleted.
846         (JSC::JIT::emitSlow_op_div): Deleted.
847         * jit/JITArithmetic32_64.cpp:
848         (JSC::JIT::emitSlow_op_unsigned): Deleted.
849         (JSC::JIT::emitSlow_op_inc): Deleted.
850         (JSC::JIT::emitSlow_op_dec): Deleted.
851         * jit/JITOpcodes.cpp:
852         (JSC::JIT::emitSlow_op_create_this): Deleted.
853         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
854         (JSC::JIT::emitSlow_op_to_this): Deleted.
855         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
856         (JSC::JIT::emitSlow_op_not): Deleted.
857         (JSC::JIT::emitSlow_op_stricteq): Deleted.
858         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
859         (JSC::JIT::emitSlow_op_to_number): Deleted.
860         (JSC::JIT::emitSlow_op_to_string): Deleted.
861         (JSC::JIT::emitSlow_op_to_object): Deleted.
862         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
863         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
864         * jit/JITOpcodes32_64.cpp:
865         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
866         (JSC::JIT::emitSlow_op_not): Deleted.
867         (JSC::JIT::emitSlow_op_stricteq): Deleted.
868         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
869         (JSC::JIT::emitSlow_op_to_number): Deleted.
870         (JSC::JIT::emitSlow_op_to_string): Deleted.
871         (JSC::JIT::emitSlow_op_to_object): Deleted.
872         (JSC::JIT::emitSlow_op_create_this): Deleted.
873         (JSC::JIT::emitSlow_op_to_this): Deleted.
874         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
875         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
876         * jit/JITPropertyAccess.cpp:
877         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
878         * jit/JITPropertyAccess32_64.cpp:
879         (JSC::JIT::emit_op_resolve_scope):
880         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
881         * jit/SlowPathCall.h:
882         (JSC::JITSlowPathCall::JITSlowPathCall):
883         * runtime/CommonSlowPaths.cpp:
884         (JSC::SLOW_PATH_DECL):
885         * runtime/CommonSlowPaths.h:
886
887 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
888
889         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
890         https://bugs.webkit.org/show_bug.cgi?id=179446
891
892         Reviewed by Žan Doberšek.
893
894         The trunc.w.d mips instruction should give a 0x7fffffff result when
895         the source value is Infinity, NaN, or rounds to an integer outside the
896         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
897         branchTruncateDoubleToUInt32() have been relying on. It turns out that
898         this assumption is not true on some CPUs, including on the ci20 on
899         which we run the testbot (we get 0x80000000 instead). We should use the
900         invalid operation cause bit instead to check whether the source value
901         could be properly truncated. This requires the addition of the cfc1
902         instruction, as well as the special registers that can be used with it
903         (control registers of CP1).
904
905         * assembler/MIPSAssembler.h:
906         (JSC::MIPSAssembler::firstSPRegister):
907         (JSC::MIPSAssembler::lastSPRegister):
908         (JSC::MIPSAssembler::numberOfSPRegisters):
909         (JSC::MIPSAssembler::sprName):
910         Added control registers of CP1.
911         (JSC::MIPSAssembler::cfc1):
912         Added.
913         * assembler/MacroAssemblerMIPS.h:
914         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
915         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
916         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
917         Use fcsr to check if the value could be properly truncated.
918
919 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
920
921         HTMLMediaElement should not use element fullscreen on iOS
922         https://bugs.webkit.org/show_bug.cgi?id=179418
923         rdar://problem/35409277
924
925         Reviewed by Eric Carlson.
926
927         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
928
929         * Configurations/FeatureDefines.xcconfig:
930
931 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
932
933         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
934         https://bugs.webkit.org/show_bug.cgi?id=179276
935
936         Reviewed by Andy Estes.
937
938         * inspector/InjectedScriptHost.h:
939         * inspector/JSInjectedScriptHost.cpp:
940         (Inspector::JSInjectedScriptHost::getInternalProperties):
941         Call through to virtual implementation so that WebCore can provide custom
942         internal properties for Web / DOM objects.
943
944 2017-11-08  Saam Barati  <sbarati@apple.com>
945
946         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
947         https://bugs.webkit.org/show_bug.cgi?id=177792
948
949         Reviewed by Yusuke Suzuki.
950
951         Before this patch, if a JSFunction's rare data initialized its allocation profile
952         before its backing Executable's poly proto watchpoint was invalidated, that
953         JSFunction would continue to allocate non-poly proto objects until its allocation
954         profile was cleared (which essentially never happens in practice). This patch
955         improves on this pathology. A JSFunction's rare data will now watch the poly
956         proto watchpoint if it's still valid and clear its allocation profile when we
957         detect that we should go poly proto.
958
959         * bytecode/ObjectAllocationProfile.h:
960         * bytecode/ObjectAllocationProfileInlines.h:
961         (JSC::ObjectAllocationProfile::initializeProfile):
962         * runtime/FunctionRareData.cpp:
963         (JSC::FunctionRareData::initializeObjectAllocationProfile):
964         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
965         * runtime/FunctionRareData.h:
966         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
967         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
968         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
969
970 2017-11-08  Keith Miller  <keith_miller@apple.com>
971
972         Add super sampler begin and end bytecodes.
973         https://bugs.webkit.org/show_bug.cgi?id=179376
974
975         Reviewed by Filip Pizlo.
976
977         This patch adds a way to measure a narrow range of bytecodes for
978         performance. This is done using the same infrastructure as the
979         super sampler. I also added a class that helps do the bytecode
980         checking with RAII. One problem with the current way this is done
981         is that we don't handle decrementing early exits, either from
982         branches or exceptions. So, when using this API users need to
983         ensure that there are no early exits or that those exits don't
984         occur on the measure code.
985
986         * JavaScriptCore.xcodeproj/project.pbxproj:
987         * bytecode/BytecodeDumper.cpp:
988         (JSC::BytecodeDumper<Block>::dumpBytecode):
989         * bytecode/BytecodeList.json:
990         * bytecode/BytecodeUseDef.h:
991         (JSC::computeUsesForBytecodeOffset):
992         (JSC::computeDefsForBytecodeOffset):
993         * bytecompiler/BytecodeGenerator.cpp:
994         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
995         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
996         * bytecompiler/BytecodeGenerator.h:
997         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
998         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
999         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
1000         * dfg/DFGAbstractInterpreterInlines.h:
1001         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1002         * dfg/DFGByteCodeParser.cpp:
1003         (JSC::DFG::ByteCodeParser::parseBlock):
1004         * dfg/DFGClobberize.h:
1005         (JSC::DFG::clobberize):
1006         * dfg/DFGClobbersExitState.cpp:
1007         (JSC::DFG::clobbersExitState):
1008         * dfg/DFGDoesGC.cpp:
1009         (JSC::DFG::doesGC):
1010         * dfg/DFGFixupPhase.cpp:
1011         (JSC::DFG::FixupPhase::fixupNode):
1012         * dfg/DFGMayExit.cpp:
1013         * dfg/DFGNodeType.h:
1014         * dfg/DFGPredictionPropagationPhase.cpp:
1015         * dfg/DFGSafeToExecute.h:
1016         (JSC::DFG::safeToExecute):
1017         * dfg/DFGSpeculativeJIT.cpp:
1018         * dfg/DFGSpeculativeJIT32_64.cpp:
1019         (JSC::DFG::SpeculativeJIT::compile):
1020         * dfg/DFGSpeculativeJIT64.cpp:
1021         (JSC::DFG::SpeculativeJIT::compile):
1022         * ftl/FTLCapabilities.cpp:
1023         (JSC::FTL::canCompile):
1024         * ftl/FTLLowerDFGToB3.cpp:
1025         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1026         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
1027         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
1028         * jit/JIT.cpp:
1029         (JSC::JIT::privateCompileMainPass):
1030         * jit/JIT.h:
1031         * jit/JITOpcodes.cpp:
1032         (JSC::JIT::emit_op_super_sampler_begin):
1033         (JSC::JIT::emit_op_super_sampler_end):
1034         * llint/LLIntSlowPaths.cpp:
1035         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1036         * llint/LLIntSlowPaths.h:
1037         * llint/LowLevelInterpreter.asm:
1038
1039 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1040
1041         Turn recursive tail calls into loops
1042         https://bugs.webkit.org/show_bug.cgi?id=176601
1043
1044         Reviewed by Saam Barati.
1045
1046         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1047
1048         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
1049         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
1050         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
1051         We do this part through modifying the computation of the jump targets.
1052         Importantly, we only do this splitting for functions that have tail calls.
1053         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
1054
1055         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
1056         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
1057
1058         * bytecode/CodeBlock.h:
1059         (JSC::CodeBlock::hasTailCalls const):
1060         * bytecode/PreciseJumpTargets.cpp:
1061         (JSC::getJumpTargetsForBytecodeOffset):
1062         (JSC::computePreciseJumpTargetsInternal):
1063         * bytecode/UnlinkedCodeBlock.cpp:
1064         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1065         * bytecode/UnlinkedCodeBlock.h:
1066         (JSC::UnlinkedCodeBlock::hasTailCalls const):
1067         (JSC::UnlinkedCodeBlock::setHasTailCalls):
1068         * bytecompiler/BytecodeGenerator.cpp:
1069         (JSC::BytecodeGenerator::emitEnter):
1070         (JSC::BytecodeGenerator::emitCallInTailPosition):
1071         * dfg/DFGByteCodeParser.cpp:
1072         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1073         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
1074         (JSC::DFG::ByteCodeParser::handleCall):
1075         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1076         (JSC::DFG::ByteCodeParser::parseBlock):
1077         (JSC::DFG::ByteCodeParser::parse):
1078
1079 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1080
1081         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
1082         https://bugs.webkit.org/show_bug.cgi?id=179407
1083
1084         Reviewed by Matt Baker.
1085
1086         * inspector/protocol/Page.json:
1087         Remove unused protocol type.
1088
1089 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
1090
1091         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
1092         https://bugs.webkit.org/show_bug.cgi?id=173619
1093
1094         Reviewed by Alex Christensen and Brian Burg.
1095
1096         Eventually all classes used for our JSON-RPC message passing should be outside
1097         of the Inspector namespace since the protocol is used outside of Inspector code.
1098         This will also allow us to unify the primitive JSON types with parametric types
1099         like Inspector::Protocol::Array<T> and other protocol-related types which don't
1100         need to be in the Inspector namespace.
1101
1102         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
1103         patches, other clients will move to use JSON::Value and friends. When all uses are
1104         changed, the actual implementation will be renamed. This patch just focuses on the typedef
1105         and making changes in generated protocol code.
1106
1107         Original patch by Brian Burg, rebased and updated by me.
1108
1109         * inspector/InspectorValues.cpp:
1110         * inspector/InspectorValues.h:
1111         * inspector/scripts/codegen/cpp_generator.py:
1112         (CppGenerator.cpp_protocol_type_for_type):
1113         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
1114         (CppGenerator.cpp_type_for_type_with_name):
1115         (CppGenerator.cpp_type_for_stack_in_parameter):
1116         * inspector/scripts/codegen/cpp_generator_templates.py:
1117         (void):
1118         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1119         (_generate_class_for_object_declaration):
1120         (_generate_forward_declarations_for_binding_traits):
1121         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1122         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
1123         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1124         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1125         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1126         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1127         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1128         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1129         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1130         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1131         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1132         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1133         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1134         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1135         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1136         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1137         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1138
1139 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
1140
1141         Get rid of unsightly hex numbers from unified build object files
1142         https://bugs.webkit.org/show_bug.cgi?id=179410
1143
1144         Reviewed by Saam Barati.
1145
1146         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
1147
1148 2017-11-07  Saam Barati  <sbarati@apple.com>
1149
1150         Only cage double butterfly accesses
1151         https://bugs.webkit.org/show_bug.cgi?id=179202
1152
1153         Reviewed by Mark Lam.
1154
1155         This patch removes caging from all butterfly accesses except double loads/stores.
1156         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
1157         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
1158         by caging. The other load/stores we are no longer caging to get back performance on
1159         various benchmarks.
1160
1161         * bytecode/AccessCase.cpp:
1162         (JSC::AccessCase::generateImpl):
1163         * bytecode/InlineAccess.cpp:
1164         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1165         (JSC::InlineAccess::generateSelfPropertyAccess):
1166         (JSC::InlineAccess::generateSelfPropertyReplace):
1167         (JSC::InlineAccess::generateArrayLength):
1168         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
1169         * dfg/DFGSpeculativeJIT.cpp:
1170         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1171         (JSC::DFG::SpeculativeJIT::compileSpread):
1172         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1173         * dfg/DFGSpeculativeJIT64.cpp:
1174         (JSC::DFG::SpeculativeJIT::compile):
1175         * ftl/FTLLowerDFGToB3.cpp:
1176         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1177         * jit/JITPropertyAccess.cpp:
1178         (JSC::JIT::emitContiguousLoad):
1179         (JSC::JIT::emitArrayStorageLoad):
1180         (JSC::JIT::emitGenericContiguousPutByVal):
1181         (JSC::JIT::emitArrayStoragePutByVal):
1182         (JSC::JIT::emit_op_get_from_scope):
1183         (JSC::JIT::emit_op_put_to_scope):
1184         * llint/LowLevelInterpreter64.asm:
1185         * runtime/AuxiliaryBarrier.h:
1186         (JSC::AuxiliaryBarrier::operator-> const):
1187         * runtime/Butterfly.h:
1188         (JSC::Butterfly::caged):
1189         (JSC::Butterfly::contiguousDouble):
1190         * runtime/JSArray.cpp:
1191         (JSC::JSArray::setLength):
1192         (JSC::JSArray::pop):
1193         (JSC::JSArray::shiftCountWithAnyIndexingType):
1194         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1195         (JSC::JSArray::fillArgList):
1196         (JSC::JSArray::copyToArguments):
1197         * runtime/JSArrayInlines.h:
1198         (JSC::JSArray::pushInline):
1199         * runtime/JSObject.cpp:
1200         (JSC::JSObject::heapSnapshot):
1201         (JSC::JSObject::createInitialIndexedStorage):
1202         (JSC::JSObject::createArrayStorage):
1203         (JSC::JSObject::convertUndecidedToInt32):
1204         (JSC::JSObject::ensureLengthSlow):
1205         (JSC::JSObject::reallocateAndShrinkButterfly):
1206         (JSC::JSObject::allocateMoreOutOfLineStorage):
1207         * runtime/JSObject.h:
1208         (JSC::JSObject::canGetIndexQuickly):
1209         (JSC::JSObject::getIndexQuickly):
1210         (JSC::JSObject::tryGetIndexQuickly const):
1211         (JSC::JSObject::canSetIndexQuickly):
1212         (JSC::JSObject::butterfly const):
1213         (JSC::JSObject::butterfly):
1214
1215 2017-11-07  Mark Lam  <mark.lam@apple.com>
1216
1217         Introduce a default RegisterSet constructor so that we can use { } notation.
1218         https://bugs.webkit.org/show_bug.cgi?id=179389
1219
1220         Reviewed by Saam Barati.
1221
1222         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
1223         does not add any code documentation value.
1224
1225         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1226         * b3/air/AirCode.cpp:
1227         (JSC::B3::Air::Code::setRegsInPriorityOrder):
1228         * b3/air/AirPrintSpecial.cpp:
1229         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
1230         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
1231         * b3/air/testair.cpp:
1232         * bytecode/PolymorphicAccess.h:
1233         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
1234         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
1235         * dfg/DFGJITCode.cpp:
1236         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1237         * ftl/FTLJITCode.cpp:
1238         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1239         * jit/JITCode.cpp:
1240         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1241         * jit/RegisterSet.cpp:
1242         (JSC::RegisterSet::reservedHardwareRegisters):
1243         (JSC::RegisterSet::runtimeRegisters):
1244         (JSC::RegisterSet::macroScratchRegisters):
1245         * jit/RegisterSet.h:
1246         (JSC::RegisterSet::RegisterSet):
1247         * wasm/WasmB3IRGenerator.cpp:
1248         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1249
1250 2017-11-07  Mark Lam  <mark.lam@apple.com>
1251
1252         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1253         https://bugs.webkit.org/show_bug.cgi?id=179355
1254         <rdar://problem/35263053>
1255
1256         Reviewed by Saam Barati.
1257
1258         In the Transition case in AccessCase::generateImpl(), we were restoring registers
1259         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
1260         where we previously stashed the reallocated butterfly.  If the generated code is
1261         under heavy register pressure, scratchGPR could have been from the set of preserved
1262         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
1263         As a result, the restoration would trash the butterfly result we stored there.
1264         This patch fixes the issue by excluding the scratchGPR in the restoration.
1265
1266         * bytecode/AccessCase.cpp:
1267         (JSC::AccessCase::generateImpl):
1268
1269 2017-11-06  Robin Morisset  <rmorisset@apple.com>
1270
1271         CodeBlock::usesOpcode() is dead code
1272         https://bugs.webkit.org/show_bug.cgi?id=179316
1273
1274         Reviewed by Yusuke Suzuki.
1275
1276         Remove CodeBlock::usesOpcode which is dead code
1277
1278         * bytecode/CodeBlock.cpp:
1279         * bytecode/CodeBlock.h:
1280
1281 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1282
1283         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1284         https://bugs.webkit.org/show_bug.cgi?id=144458
1285
1286         Reviewed by Saam Barati.
1287
1288         Previously, only JSFunction was handled by CallLinkInfo's caching mechanism. This means that
1289         InternalFunction calls were not cached and always went to the slow path. This is not good because
1290
1291         1. We need to query getCallData/getConstructData every time in the slow path.
1292         2. CallLinkInfo tells nothing in the higher tier JITs.
1293
1294         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
1295         to hold pointers to the functions for call and construct. We have new stubs that can call/construct an
1296         InternalFunction, and we return this code pointer as the result of the setup call so that the CallLinkInfo mechanism is used.
1297
1298         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
1299         for InternalFunction. Previously we did not record any information in CallLinkInfo. Except for the
1300         case where DFGByteCodeParser figures out the InternalFunction constant, we cannot attempt to emit DFG
1301         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
1302
1303         Attached microbenchmarks show a performance improvement.
1304
1305                                                            baseline                  patched
1306
1307         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
1308         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
1309         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
1310         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
1311
1312         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
1313
1314         * API/JSCallbackFunction.cpp:
1315         (JSC::JSCallbackFunction::JSCallbackFunction):
1316         (JSC::JSCallbackFunction::getCallData): Deleted.
1317         * API/JSCallbackFunction.h:
1318         (JSC::JSCallbackFunction::createStructure):
1319         * API/ObjCCallbackFunction.h:
1320         (JSC::ObjCCallbackFunction::createStructure):
1321         * API/ObjCCallbackFunction.mm:
1322         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
1323         (JSC::ObjCCallbackFunction::getCallData): Deleted.
1324         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
1325         * bytecode/BytecodeDumper.cpp:
1326         (JSC::BytecodeDumper<Block>::printCallOp):
1327         * bytecode/BytecodeList.json:
1328         * bytecode/CallLinkInfo.cpp:
1329         (JSC::CallLinkInfo::setCallee):
1330         (JSC::CallLinkInfo::callee):
1331         (JSC::CallLinkInfo::setLastSeenCallee):
1332         (JSC::CallLinkInfo::lastSeenCallee):
1333         (JSC::CallLinkInfo::visitWeak):
1334         * bytecode/CallLinkInfo.h:
1335         * bytecode/CallLinkStatus.cpp:
1336         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1337         * bytecode/LLIntCallLinkInfo.h:
1338         * jit/JITOperations.cpp:
1339         * jit/JITThunks.cpp:
1340         (JSC::JITThunks::ctiInternalFunctionCall):
1341         (JSC::JITThunks::ctiInternalFunctionConstruct):
1342         * jit/JITThunks.h:
1343         * jit/Repatch.cpp:
1344         (JSC::linkFor):
1345         (JSC::linkPolymorphicCall):
1346         * jit/Repatch.h:
1347         * jit/ThunkGenerators.cpp:
1348         (JSC::virtualThunkFor):
1349         (JSC::nativeForGenerator):
1350         (JSC::nativeCallGenerator):
1351         (JSC::nativeTailCallGenerator):
1352         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1353         (JSC::nativeConstructGenerator):
1354         (JSC::internalFunctionCallGenerator):
1355         (JSC::internalFunctionConstructGenerator):
1356         * jit/ThunkGenerators.h:
1357         * llint/LLIntSlowPaths.cpp:
1358         (JSC::LLInt::setUpCall):
1359         * llint/LowLevelInterpreter.asm:
1360         * llint/LowLevelInterpreter32_64.asm:
1361         * llint/LowLevelInterpreter64.asm:
1362         * runtime/ArrayConstructor.cpp:
1363         (JSC::ArrayConstructor::ArrayConstructor):
1364         (JSC::ArrayConstructor::getConstructData): Deleted.
1365         (JSC::ArrayConstructor::getCallData): Deleted.
1366         * runtime/ArrayConstructor.h:
1367         (JSC::ArrayConstructor::createStructure):
1368         * runtime/AsyncFunctionConstructor.cpp:
1369         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
1370         (JSC::AsyncFunctionConstructor::finishCreation):
1371         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
1372         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
1373         * runtime/AsyncFunctionConstructor.h:
1374         (JSC::AsyncFunctionConstructor::createStructure):
1375         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1376         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
1377         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1378         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
1379         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
1380         * runtime/AsyncGeneratorFunctionConstructor.h:
1381         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
1382         * runtime/BooleanConstructor.cpp:
1383         (JSC::callBooleanConstructor):
1384         (JSC::BooleanConstructor::BooleanConstructor):
1385         (JSC::BooleanConstructor::finishCreation):
1386         (JSC::BooleanConstructor::getConstructData): Deleted.
1387         (JSC::BooleanConstructor::getCallData): Deleted.
1388         * runtime/BooleanConstructor.h:
1389         (JSC::BooleanConstructor::createStructure):
1390         * runtime/DateConstructor.cpp:
1391         (JSC::DateConstructor::DateConstructor):
1392         (JSC::DateConstructor::getConstructData): Deleted.
1393         (JSC::DateConstructor::getCallData): Deleted.
1394         * runtime/DateConstructor.h:
1395         (JSC::DateConstructor::createStructure):
1396         * runtime/Error.h:
1397         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
1398         (JSC::StrictModeTypeErrorFunction::createStructure):
1399         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
1400         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
1401         * runtime/ErrorConstructor.cpp:
1402         (JSC::ErrorConstructor::ErrorConstructor):
1403         (JSC::ErrorConstructor::getConstructData): Deleted.
1404         (JSC::ErrorConstructor::getCallData): Deleted.
1405         * runtime/ErrorConstructor.h:
1406         (JSC::ErrorConstructor::createStructure):
1407         * runtime/FunctionConstructor.cpp:
1408         (JSC::FunctionConstructor::FunctionConstructor):
1409         (JSC::FunctionConstructor::finishCreation):
1410         (JSC::FunctionConstructor::getConstructData): Deleted.
1411         (JSC::FunctionConstructor::getCallData): Deleted.
1412         * runtime/FunctionConstructor.h:
1413         (JSC::FunctionConstructor::createStructure):
1414         * runtime/FunctionPrototype.cpp:
1415         (JSC::callFunctionPrototype):
1416         (JSC::FunctionPrototype::FunctionPrototype):
1417         (JSC::FunctionPrototype::getCallData): Deleted.
1418         * runtime/FunctionPrototype.h:
1419         (JSC::FunctionPrototype::createStructure):
1420         * runtime/GeneratorFunctionConstructor.cpp:
1421         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
1422         (JSC::GeneratorFunctionConstructor::finishCreation):
1423         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
1424         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
1425         * runtime/GeneratorFunctionConstructor.h:
1426         (JSC::GeneratorFunctionConstructor::createStructure):
1427         * runtime/InternalFunction.cpp:
1428         (JSC::InternalFunction::InternalFunction):
1429         (JSC::InternalFunction::finishCreation):
1430         (JSC::InternalFunction::getCallData):
1431         (JSC::InternalFunction::getConstructData):
1432         * runtime/InternalFunction.h:
1433         (JSC::InternalFunction::createStructure):
1434         (JSC::InternalFunction::nativeFunctionFor):
1435         (JSC::InternalFunction::offsetOfNativeFunctionFor):
1436         * runtime/IntlCollatorConstructor.cpp:
1437         (JSC::IntlCollatorConstructor::createStructure):
1438         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
1439         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
1440         (JSC::IntlCollatorConstructor::getCallData): Deleted.
1441         * runtime/IntlCollatorConstructor.h:
1442         * runtime/IntlDateTimeFormatConstructor.cpp:
1443         (JSC::IntlDateTimeFormatConstructor::createStructure):
1444         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
1445         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
1446         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
1447         * runtime/IntlDateTimeFormatConstructor.h:
1448         * runtime/IntlNumberFormatConstructor.cpp:
1449         (JSC::IntlNumberFormatConstructor::createStructure):
1450         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
1451         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
1452         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
1453         * runtime/IntlNumberFormatConstructor.h:
1454         * runtime/JSArrayBufferConstructor.cpp:
1455         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1456         (JSC::JSArrayBufferConstructor::createStructure):
1457         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
1458         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
1459         * runtime/JSArrayBufferConstructor.h:
1460         * runtime/JSGenericTypedArrayViewConstructor.h:
1461         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1462         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
1463         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
1464         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
1465         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
1466         * runtime/JSInternalPromiseConstructor.cpp:
1467         (JSC::JSInternalPromiseConstructor::createStructure):
1468         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1469         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
1470         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
1471         * runtime/JSInternalPromiseConstructor.h:
1472         * runtime/JSPromiseConstructor.cpp:
1473         (JSC::JSPromiseConstructor::createStructure):
1474         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1475         (JSC::JSPromiseConstructor::getConstructData): Deleted.
1476         (JSC::JSPromiseConstructor::getCallData): Deleted.
1477         * runtime/JSPromiseConstructor.h:
1478         * runtime/JSType.h:
1479         * runtime/JSTypedArrayViewConstructor.cpp:
1480         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
1481         (JSC::JSTypedArrayViewConstructor::createStructure):
1482         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
1483         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
1484         * runtime/JSTypedArrayViewConstructor.h:
1485         * runtime/MapConstructor.cpp:
1486         (JSC::MapConstructor::MapConstructor):
1487         (JSC::MapConstructor::getConstructData): Deleted.
1488         (JSC::MapConstructor::getCallData): Deleted.
1489         * runtime/MapConstructor.h:
1490         (JSC::MapConstructor::createStructure):
1491         (JSC::MapConstructor::MapConstructor): Deleted.
1492         * runtime/NativeErrorConstructor.cpp:
1493         (JSC::NativeErrorConstructor::NativeErrorConstructor):
1494         (JSC::NativeErrorConstructor::getConstructData): Deleted.
1495         (JSC::NativeErrorConstructor::getCallData): Deleted.
1496         * runtime/NativeErrorConstructor.h:
1497         (JSC::NativeErrorConstructor::createStructure):
1498         * runtime/NullGetterFunction.cpp:
1499         (JSC::NullGetterFunction::NullGetterFunction):
1500         (JSC::NullGetterFunction::getCallData): Deleted.
1501         (JSC::NullGetterFunction::getConstructData): Deleted.
1502         * runtime/NullGetterFunction.h:
1503         (JSC::NullGetterFunction::createStructure):
1504         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
1505         * runtime/NullSetterFunction.cpp:
1506         (JSC::NullSetterFunction::NullSetterFunction):
1507         (JSC::NullSetterFunction::getCallData): Deleted.
1508         (JSC::NullSetterFunction::getConstructData): Deleted.
1509         * runtime/NullSetterFunction.h:
1510         (JSC::NullSetterFunction::createStructure):
1511         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
1512         * runtime/NumberConstructor.cpp:
1513         (JSC::NumberConstructor::NumberConstructor):
1514         (JSC::constructNumberConstructor):
1515         (JSC::constructWithNumberConstructor): Deleted.
1516         (JSC::NumberConstructor::getConstructData): Deleted.
1517         (JSC::NumberConstructor::getCallData): Deleted.
1518         * runtime/NumberConstructor.h:
1519         (JSC::NumberConstructor::createStructure):
1520         * runtime/ObjectConstructor.cpp:
1521         (JSC::ObjectConstructor::ObjectConstructor):
1522         (JSC::ObjectConstructor::getConstructData): Deleted.
1523         (JSC::ObjectConstructor::getCallData): Deleted.
1524         * runtime/ObjectConstructor.h:
1525         (JSC::ObjectConstructor::createStructure):
1526         * runtime/ProxyConstructor.cpp:
1527         (JSC::ProxyConstructor::ProxyConstructor):
1528         (JSC::ProxyConstructor::getConstructData): Deleted.
1529         (JSC::ProxyConstructor::getCallData): Deleted.
1530         * runtime/ProxyConstructor.h:
1531         (JSC::ProxyConstructor::createStructure):
1532         * runtime/ProxyRevoke.cpp:
1533         (JSC::ProxyRevoke::ProxyRevoke):
1534         (JSC::ProxyRevoke::getCallData): Deleted.
1535         * runtime/ProxyRevoke.h:
1536         (JSC::ProxyRevoke::createStructure):
1537         * runtime/RegExpConstructor.cpp:
1538         (JSC::RegExpConstructor::RegExpConstructor):
1539         (JSC::RegExpConstructor::getConstructData): Deleted.
1540         (JSC::RegExpConstructor::getCallData): Deleted.
1541         * runtime/RegExpConstructor.h:
1542         (JSC::RegExpConstructor::createStructure):
1543         * runtime/SetConstructor.cpp:
1544         (JSC::SetConstructor::SetConstructor):
1545         (JSC::SetConstructor::getConstructData): Deleted.
1546         (JSC::SetConstructor::getCallData): Deleted.
1547         * runtime/SetConstructor.h:
1548         (JSC::SetConstructor::createStructure):
1549         (JSC::SetConstructor::SetConstructor): Deleted.
1550         * runtime/StringConstructor.cpp:
1551         (JSC::StringConstructor::StringConstructor):
1552         (JSC::StringConstructor::getConstructData): Deleted.
1553         (JSC::StringConstructor::getCallData): Deleted.
1554         * runtime/StringConstructor.h:
1555         (JSC::StringConstructor::createStructure):
1556         * runtime/SymbolConstructor.cpp:
1557         (JSC::SymbolConstructor::SymbolConstructor):
1558         (JSC::SymbolConstructor::getConstructData): Deleted.
1559         (JSC::SymbolConstructor::getCallData): Deleted.
1560         * runtime/SymbolConstructor.h:
1561         (JSC::SymbolConstructor::createStructure):
1562         * runtime/VM.cpp:
1563         (JSC::VM::VM):
1564         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1565         * runtime/VM.h:
1566         * runtime/WeakMapConstructor.cpp:
1567         (JSC::WeakMapConstructor::WeakMapConstructor):
1568         (JSC::WeakMapConstructor::getConstructData): Deleted.
1569         (JSC::WeakMapConstructor::getCallData): Deleted.
1570         * runtime/WeakMapConstructor.h:
1571         (JSC::WeakMapConstructor::createStructure):
1572         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
1573         * runtime/WeakSetConstructor.cpp:
1574         (JSC::WeakSetConstructor::WeakSetConstructor):
1575         (JSC::WeakSetConstructor::getConstructData): Deleted.
1576         (JSC::WeakSetConstructor::getCallData): Deleted.
1577         * runtime/WeakSetConstructor.h:
1578         (JSC::WeakSetConstructor::createStructure):
1579         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
1580         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1581         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
1582         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
1583         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
1584         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
1585         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1586         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1587         (JSC::WebAssemblyInstanceConstructor::createStructure):
1588         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
1589         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
1590         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
1591         * wasm/js/WebAssemblyInstanceConstructor.h:
1592         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1593         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
1594         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
1595         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
1596         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
1597         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1598         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1599         (JSC::WebAssemblyMemoryConstructor::createStructure):
1600         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
1601         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
1602         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
1603         * wasm/js/WebAssemblyMemoryConstructor.h:
1604         * wasm/js/WebAssemblyModuleConstructor.cpp:
1605         (JSC::WebAssemblyModuleConstructor::createStructure):
1606         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
1607         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
1608         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
1609         * wasm/js/WebAssemblyModuleConstructor.h:
1610         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1611         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
1612         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
1613         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
1614         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
1615         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1616         * wasm/js/WebAssemblyTableConstructor.cpp:
1617         (JSC::WebAssemblyTableConstructor::createStructure):
1618         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
1619         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
1620         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
1621         * wasm/js/WebAssemblyTableConstructor.h:
1622
1623 2017-11-03  Michael Saboff  <msaboff@apple.com>
1624
1625         The Abstract Interpreter needs to change similar to clobberize() in r224366
1626         https://bugs.webkit.org/show_bug.cgi?id=179267
1627
1628         Reviewed by Saam Barati.
1629
1630         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
1631         cases in the abstract interpreter to match what was done for r224366.
1632
1633         * dfg/DFGAbstractInterpreterInlines.h:
1634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1635
1636 2017-11-03  Keith Miller  <keith_miller@apple.com>
1637
1638         PutPropertySlot should inform the IC about the property before effects.
1639         https://bugs.webkit.org/show_bug.cgi?id=179262
1640
1641         Reviewed by Mark Lam.
1642
1643         This patch fixes an issue where we chose to cache setters based on
1644         incorrect information. If we did so, we might end up OSR exiting
1645         more than we would otherwise need to. The new model is that the
1646         PutPropertySlot should inform the IC of what the property looked
1647         like before any potential side effects might have occurred.
1648
1649         * runtime/JSObject.cpp:
1650         (JSC::JSObject::putInlineSlow):
1651         * runtime/Lookup.h:
1652         (JSC::putEntry):
1653
1654 2017-11-03  Mark Lam  <mark.lam@apple.com>
1655
1656         CachedCall (and its clients) needs overflow checks.
1657         https://bugs.webkit.org/show_bug.cgi?id=179185
1658
1659         Reviewed by JF Bastien.
1660
1661         * interpreter/CachedCall.h:
1662         (JSC::CachedCall::CachedCall):
1663         (JSC::CachedCall::hasOverflowedArguments):
1664         * runtime/ArgList.h:
1665         (JSC::MarkedArgumentBuffer::clear):
1666         * runtime/StringPrototype.cpp:
1667         (JSC::replaceUsingRegExpSearch):
1668
1669 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
1670
1671         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
1672         https://bugs.webkit.org/show_bug.cgi?id=178302
1673         <rdar://problem/33158849>
1674
1675         Reviewed by Brian Burg.
1676
1677         * inspector/protocol/Recording.json:
1678         Add `duration` to each Frame that represents the total time of all the recorded actions.
1679
1680 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
1681
1682         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
1683         https://bugs.webkit.org/show_bug.cgi?id=179070
1684         <rdar://problem/35278276>
1685
1686         Reviewed by Brian Burg.
1687
1688         * inspector/protocol/Canvas.json:
1689         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
1690         different string on a WebGL context.
1691
1692 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
1693
1694         Make ServiceWorker a Remote Inspector debuggable target
1695         https://bugs.webkit.org/show_bug.cgi?id=179043
1696         <rdar://problem/34126008>
1697
1698         Reviewed by Brian Burg.
1699
1700         * inspector/remote/RemoteControllableTarget.h:
1701         * inspector/remote/RemoteInspectionTarget.h:
1702         * inspector/remote/RemoteInspectorConstants.h:
1703         Include a new ServiceWorker remote inspector target type.
1704
1705         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1706         (Inspector::RemoteInspector::listingForInspectionTarget const):
1707         Implement listing for a ServiceWorker to include a URL like a page.
1708
1709         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1710         (Inspector::RemoteInspector::listingForInspectionTarget const):
1711         Bail for ServiceWorker support in glib. They will need to implement their support.
1712
1713 2017-11-02  Michael Saboff  <msaboff@apple.com>
1714
1715         DFG needs to handle code motion of code in for..in loop bodies
1716         https://bugs.webkit.org/show_bug.cgi?id=179212
1717
1718         Reviewed by Keith Miller.
1719
1720         The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
1721         makes calls with side effects.  Updated clobberize() for those nodes to take that into account.
1722
1723         * dfg/DFGClobberize.h:
1724         (JSC::DFG::clobberize):
1725
1726 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
1727
1728         Inspector should display service worker served responses properly
1729         https://bugs.webkit.org/show_bug.cgi?id=178597
1730         <rdar://problem/35186111>
1731
1732         Reviewed by Brian Burg.
1733
1734         * inspector/protocol/Network.json:
1735         Expose a new "service-worker" response source.
1736
1737 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1738
1739         AI does not correctly model the clobber case of ArithClz32
1740         https://bugs.webkit.org/show_bug.cgi?id=179188
1741
1742         Reviewed by Michael Saboff.
1743
1744         The non-Int32 case clobbers the world because it may call valueOf.
1745
1746         * dfg/DFGAbstractInterpreterInlines.h:
1747         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1748
1749 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1750
1751         Unreviewed, release throw scope
1752         https://bugs.webkit.org/show_bug.cgi?id=178726
1753
1754         * dfg/DFGOperations.cpp:
1755
1756 2017-11-02  Frederic Wang  <fwang@igalia.com>
1757
1758         Add references to bug 179167 in FIXME comments
1759         https://bugs.webkit.org/show_bug.cgi?id=179168
1760
1761         Reviewed by Daniel Bates.
1762
1763         * Configurations/FeatureDefines.xcconfig:
1764
1765 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
1766
1767         Implement WKFullscreenWindowController for iOS.
1768         https://bugs.webkit.org/show_bug.cgi?id=178924
1769         rdar://problem/34697120
1770
1771         Reviewed by Simon Fraser.
1772
1773         Enable ENABLE_FULLSCREEN_API for iOS.
1774
1775         * Configurations/FeatureDefines.xcconfig:
1776
1777 2017-11-01  Mark Lam  <mark.lam@apple.com>
1778
1779         Add support to throw OOM if MarkedArgumentBuffer may overflow.
1780         https://bugs.webkit.org/show_bug.cgi?id=179092
1781         <rdar://problem/35116160>
1782
1783         Reviewed by Saam Barati.
1784
1785         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
1786         time, which renders it unsuitable for automated tests.  Instead, I've run a
1787         test manually to verify that an OutOfMemoryError will be thrown when an overflow
1788         occurs.
1789
1790         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
1791         checked for an overflow after invoking methods that may result in an overflow, i.e.
1792         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
1793         This is only done on debug builds.
1794
1795         * API/JSObjectRef.cpp:
1796         (JSObjectMakeFunction):
1797         (JSObjectMakeArray):
1798         (JSObjectMakeDate):
1799         (JSObjectMakeRegExp):
1800         (JSObjectCallAsFunction):
1801         (JSObjectCallAsConstructor):
1802         * dfg/DFGOperations.cpp:
1803         * inspector/InjectedScriptManager.cpp:
1804         (Inspector::InjectedScriptManager::createInjectedScript):
1805         * inspector/JSJavaScriptCallFrame.cpp:
1806         (Inspector::JSJavaScriptCallFrame::scopeChain const):
1807         * interpreter/Interpreter.cpp:
1808         (JSC::Interpreter::executeProgram):
1809         * jsc.cpp:
1810         (functionDollarAgentReceiveBroadcast):
1811         * runtime/ArgList.cpp:
1812         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
1813         (JSC::MarkedArgumentBuffer::expandCapacity):
1814         (JSC::MarkedArgumentBuffer::slowAppend):
1815         * runtime/ArgList.h:
1816         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
1817         (JSC::MarkedArgumentBuffer::appendWithAction):
1818         (JSC::MarkedArgumentBuffer::append):
1819         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
1820         (JSC::MarkedArgumentBuffer::hasOverflowed):
1821         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
1822         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
1823         * runtime/ArrayPrototype.cpp:
1824         * runtime/CommonSlowPaths.cpp:
1825         (JSC::SLOW_PATH_DECL):
1826         * runtime/GetterSetter.cpp:
1827         (JSC::callSetter):
1828         * runtime/IteratorOperations.cpp:
1829         (JSC::iteratorNext):
1830         (JSC::iteratorClose):
1831         * runtime/JSBoundFunction.cpp:
1832         (JSC::boundThisNoArgsFunctionCall):
1833         (JSC::boundFunctionCall):
1834         (JSC::boundThisNoArgsFunctionConstruct):
1835         (JSC::boundFunctionConstruct):
1836         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1837         (JSC::constructGenericTypedArrayViewFromIterator):
1838         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1839         (JSC::genericTypedArrayViewProtoFuncSlice):
1840         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1841         * runtime/JSGlobalObject.cpp:
1842         (JSC::JSGlobalObject::haveABadTime):
1843         * runtime/JSInternalPromise.cpp:
1844         (JSC::JSInternalPromise::then):
1845         * runtime/JSJob.cpp:
1846         (JSC::JSJobMicrotask::run):
1847         * runtime/JSMapIterator.cpp:
1848         (JSC::JSMapIterator::createPair):
1849         * runtime/JSModuleLoader.cpp:
1850         (JSC::JSModuleLoader::provideFetch):
1851         (JSC::JSModuleLoader::loadAndEvaluateModule):
1852         (JSC::JSModuleLoader::loadModule):
1853         (JSC::JSModuleLoader::linkAndEvaluateModule):
1854         (JSC::JSModuleLoader::requestImportModule):
1855         * runtime/JSONObject.cpp:
1856         (JSC::Stringifier::toJSONImpl):
1857         (JSC::Stringifier::appendStringifiedValue):
1858         (JSC::Walker::callReviver):
1859         * runtime/JSObject.cpp:
1860         (JSC::ordinarySetSlow):
1861         (JSC::callToPrimitiveFunction):
1862         (JSC::JSObject::hasInstance):
1863         * runtime/JSPromise.cpp:
1864         (JSC::JSPromise::initialize):
1865         (JSC::JSPromise::resolve):
1866         * runtime/JSPromiseDeferred.cpp:
1867         (JSC::newPromiseCapability):
1868         (JSC::callFunction):
1869         * runtime/JSSetIterator.cpp:
1870         (JSC::JSSetIterator::createPair):
1871         * runtime/LiteralParser.cpp:
1872         (JSC::LiteralParser<CharType>::parse):
1873         * runtime/MapConstructor.cpp:
1874         (JSC::constructMap):
1875         * runtime/ObjectConstructor.cpp:
1876         (JSC::defineProperties):
1877         * runtime/ProxyObject.cpp:
1878         (JSC::performProxyGet):
1879         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1880         (JSC::ProxyObject::performHasProperty):
1881         (JSC::ProxyObject::performPut):
1882         (JSC::performProxyCall):
1883         (JSC::performProxyConstruct):
1884         (JSC::ProxyObject::performDelete):
1885         (JSC::ProxyObject::performPreventExtensions):
1886         (JSC::ProxyObject::performIsExtensible):
1887         (JSC::ProxyObject::performDefineOwnProperty):
1888         (JSC::ProxyObject::performGetOwnPropertyNames):
1889         (JSC::ProxyObject::performSetPrototype):
1890         (JSC::ProxyObject::performGetPrototype):
1891         * runtime/ReflectObject.cpp:
1892         (JSC::reflectObjectConstruct):
1893         * runtime/SetConstructor.cpp:
1894         (JSC::constructSet):
1895         * runtime/StringPrototype.cpp:
1896         (JSC::replaceUsingRegExpSearch):
1897         (JSC::replaceUsingStringSearch):
1898         * runtime/WeakMapConstructor.cpp:
1899         (JSC::constructWeakMap):
1900         * runtime/WeakSetConstructor.cpp:
1901         (JSC::constructWeakSet):
1902         * wasm/js/WasmToJS.cpp:
1903         (JSC::Wasm::wasmToJS):
1904
1905 2017-11-01  Michael Saboff  <msaboff@apple.com>
1906
1907         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1908         https://bugs.webkit.org/show_bug.cgi?id=179140
1909
1910         Reviewed by Saam Barati.
1911
1912         Added overflow checks to computation of arg count plus this.
1913
1914         * dfg/DFGSpeculativeJIT32_64.cpp:
1915         (JSC::DFG::SpeculativeJIT::compile):
1916         * dfg/DFGSpeculativeJIT64.cpp:
1917         (JSC::DFG::SpeculativeJIT::compile):
1918         * ftl/FTLLowerDFGToB3.cpp:
1919         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
1920
1921 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1922
1923         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
1924         https://bugs.webkit.org/show_bug.cgi?id=178934
1925
1926         * ftl/FTLLowerDFGToB3.cpp:
1927         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1928
1929 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1930
1931         [JSC] Introduce @toObject
1932         https://bugs.webkit.org/show_bug.cgi?id=178726
1933
1934         Reviewed by Saam Barati.
1935
1936         This patch introduces the @toObject intrinsic, along with the op_to_object bytecode and the DFG ToObject node.
1937         Previously we emulated @toObject behavior in builtin JS. But it consumes a lot of bytecode size, while @toObject
1938         is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
1939         ObjectConstructor in LLInt and Baseline.
1940
1941         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
1942         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
1943
1944             if (this === @undefined || this === null)
1945                 @throwTypeError("error message");
1946             var object = @Object(this);
1947
1948         with
1949
1950             var object = @toObject(this, "error message");
1951
1952         And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
1953         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
1954         In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
1955
1956         It also fixes a bug where the CallObjectConstructor DFG node uses the Node's semantic GlobalObject instead of the function's.
1957
1958         * builtins/ArrayConstructor.js:
1959         (from):
1960         * builtins/ArrayPrototype.js:
1961         (values):
1962         (keys):
1963         (entries):
1964         (reduce):
1965         (reduceRight):
1966         (every):
1967         (forEach):
1968         (filter):
1969         (map):
1970         (some):
1971         (fill):
1972         (find):
1973         (findIndex):
1974         (includes):
1975         (sort):
1976         (globalPrivate.concatSlowPath):
1977         (copyWithin):
1978         * builtins/DatePrototype.js:
1979         (toLocaleString.toDateTimeOptionsAnyAll):
1980         (toLocaleString):
1981         (toLocaleDateString.toDateTimeOptionsDateDate):
1982         (toLocaleDateString):
1983         (toLocaleTimeString.toDateTimeOptionsTimeTime):
1984         (toLocaleTimeString):
1985         * builtins/GlobalOperations.js:
1986         (globalPrivate.copyDataProperties):
1987         (globalPrivate.copyDataPropertiesNoExclusions):
1988         * builtins/ObjectConstructor.js:
1989         (entries):
1990         * builtins/StringConstructor.js:
1991         (raw):
1992         * builtins/TypedArrayConstructor.js:
1993         (from):
1994         * builtins/TypedArrayPrototype.js:
1995         (map):
1996         (filter):
1997         * bytecode/BytecodeDumper.cpp:
1998         (JSC::BytecodeDumper<Block>::dumpBytecode):
1999         * bytecode/BytecodeIntrinsicRegistry.h:
2000         * bytecode/BytecodeList.json:
2001         * bytecode/BytecodeUseDef.h:
2002         (JSC::computeUsesForBytecodeOffset):
2003         (JSC::computeDefsForBytecodeOffset):
2004         * bytecode/CodeBlock.cpp:
2005         (JSC::CodeBlock::finishCreation):
2006         * bytecompiler/BytecodeGenerator.cpp:
2007         (JSC::BytecodeGenerator::emitToObject):
2008         * bytecompiler/BytecodeGenerator.h:
2009         * bytecompiler/NodesCodegen.cpp:
2010         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2011         * dfg/DFGAbstractInterpreterInlines.h:
2012         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2013         * dfg/DFGByteCodeParser.cpp:
2014         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2015         (JSC::DFG::ByteCodeParser::parseBlock):
2016         * dfg/DFGCapabilities.cpp:
2017         (JSC::DFG::capabilityLevel):
2018         * dfg/DFGClobberize.h:
2019         (JSC::DFG::clobberize):
2020         * dfg/DFGDoesGC.cpp:
2021         (JSC::DFG::doesGC):
2022         * dfg/DFGFixupPhase.cpp:
2023         (JSC::DFG::FixupPhase::fixupNode):
2024         (JSC::DFG::FixupPhase::fixupToObject):
2025         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
2026         * dfg/DFGNode.h:
2027         (JSC::DFG::Node::convertToCallObjectConstructor):
2028         (JSC::DFG::Node::convertToNewStringObject):
2029         (JSC::DFG::Node::convertToNewObject):
2030         (JSC::DFG::Node::hasIdentifier):
2031         (JSC::DFG::Node::hasHeapPrediction):
2032         (JSC::DFG::Node::hasCellOperand):
2033         * dfg/DFGNodeType.h:
2034         * dfg/DFGOperations.cpp:
2035         * dfg/DFGOperations.h:
2036         * dfg/DFGPredictionPropagationPhase.cpp:
2037         * dfg/DFGSafeToExecute.h:
2038         (JSC::DFG::safeToExecute):
2039         * dfg/DFGSpeculativeJIT.cpp:
2040         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2041         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
2042         * dfg/DFGSpeculativeJIT.h:
2043         (JSC::DFG::SpeculativeJIT::callOperation):
2044         * dfg/DFGSpeculativeJIT32_64.cpp:
2045         (JSC::DFG::SpeculativeJIT::compile):
2046         * dfg/DFGSpeculativeJIT64.cpp:
2047         (JSC::DFG::SpeculativeJIT::compile):
2048         * ftl/FTLCapabilities.cpp:
2049         (JSC::FTL::canCompile):
2050         * ftl/FTLLowerDFGToB3.cpp:
2051         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2052         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
2053         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
2054         * jit/JIT.cpp:
2055         (JSC::JIT::privateCompileMainPass):
2056         (JSC::JIT::privateCompileSlowCases):
2057         * jit/JIT.h:
2058         * jit/JITOpcodes.cpp:
2059         (JSC::JIT::emit_op_to_object):
2060         (JSC::JIT::emitSlow_op_to_object):
2061         * jit/JITOpcodes32_64.cpp:
2062         (JSC::JIT::emit_op_to_object):
2063         (JSC::JIT::emitSlow_op_to_object):
2064         * jit/JITOperations.cpp:
2065         * jit/JITOperations.h:
2066         * llint/LowLevelInterpreter32_64.asm:
2067         * llint/LowLevelInterpreter64.asm:
2068         * runtime/CommonSlowPaths.cpp:
2069         (JSC::SLOW_PATH_DECL):
2070         * runtime/CommonSlowPaths.h:
2071
2072 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2073
2074         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
2075         https://bugs.webkit.org/show_bug.cgi?id=174979
2076
2077         Reviewed by Yusuke Suzuki.
2078
2079         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
2080
2081 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2082
2083         [DFG][FTL] Introduce StringSlice
2084         https://bugs.webkit.org/show_bug.cgi?id=178934
2085
2086         Reviewed by Saam Barati.
2087
2088         String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
2089         This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
2090
2091         This patch's StringSlice node optimizes the following things.
2092
2093         1. Empty string generation is accelerated. It is fully executed inline.
2094         2. One char string generation is accelerated. Only characters `< 0x100` are supported right now.
2095         This is the same as the charAt acceleration.
2096         3. We calculate the start and end index in DFG/FTL with Int32Use information and call an optimized
2097         operation.
2098
2099         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
2100         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
2101         in subsequent changes.
2102
2103         This patch improves ARES-6/Babylon performance by 3% in steady state.
2104
2105         Baseline:
2106             Running... Babylon ( 1  to go)
2107             firstIteration:     50.05 +- 13.68 ms
2108             averageWorstCase:   16.80 +- 1.27 ms
2109             steadyState:        7.53 +- 0.22 ms
2110
2111         Patched:
2112             Running... Babylon ( 1  to go)
2113             firstIteration:     50.91 +- 13.41 ms
2114             averageWorstCase:   16.12 +- 0.99 ms
2115             steadyState:        7.30 +- 0.29 ms
2116
2117         * dfg/DFGAbstractInterpreterInlines.h:
2118         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2119         * dfg/DFGBackwardsPropagationPhase.cpp:
2120         (JSC::DFG::BackwardsPropagationPhase::propagate):
2121         * dfg/DFGByteCodeParser.cpp:
2122         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2123         * dfg/DFGClobberize.h:
2124         (JSC::DFG::clobberize):
2125         * dfg/DFGDoesGC.cpp:
2126         (JSC::DFG::doesGC):
2127         * dfg/DFGFixupPhase.cpp:
2128         (JSC::DFG::FixupPhase::fixupNode):
2129         * dfg/DFGNodeType.h:
2130         * dfg/DFGOperations.cpp:
2131         * dfg/DFGOperations.h:
2132         * dfg/DFGPredictionPropagationPhase.cpp:
2133         * dfg/DFGSafeToExecute.h:
2134         (JSC::DFG::safeToExecute):
2135         * dfg/DFGSpeculativeJIT.cpp:
2136         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2137         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
2138         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2139         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2140         * dfg/DFGSpeculativeJIT.h:
2141         (JSC::DFG::SpeculativeJIT::callOperation):
2142         * dfg/DFGSpeculativeJIT32_64.cpp:
2143         (JSC::DFG::SpeculativeJIT::compile):
2144         * dfg/DFGSpeculativeJIT64.cpp:
2145         (JSC::DFG::SpeculativeJIT::compile):
2146         * ftl/FTLCapabilities.cpp:
2147         (JSC::FTL::canCompile):
2148         * ftl/FTLLowerDFGToB3.cpp:
2149         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2150         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
2151         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2152         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2153         * jit/JITOperations.h:
2154         * runtime/Intrinsic.cpp:
2155         (JSC::intrinsicName):
2156         * runtime/Intrinsic.h:
2157         * runtime/StringPrototype.cpp:
2158         (JSC::StringPrototype::finishCreation):
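
The index resolution and the three paths described in this entry, as an added example that is not JSC's code (the real logic lives in populateSliceRange / emitPopulateSliceIndex, which are not reproduced here). It follows the ECMAScript String.prototype.slice semantics for explicit integer start/end arguments: negative indices count from the end, both are clamped to [0, length], and the arithmetic is widened to 64 bits so `length + start` cannot overflow an int32. The `< 0x100` restriction on the single-character path is modelled on a 16-bit code unit string; the "undefined end means length" default and the actual allocation operation are not modelled.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>

struct SliceRange {
    uint32_t start;
    uint32_t end;
};

// Resolve (start, end) as the spec does: a negative index counts back from
// the end of the string, and both indices are clamped into [0, length].
// Intermediate values are int64_t so length + INT32_MIN cannot wrap.
SliceRange resolveSliceRange(uint32_t length, int32_t start, int32_t end)
{
    auto resolve = [length](int32_t index) -> uint32_t {
        int64_t value = index;
        if (value < 0)
            value = std::max<int64_t>(static_cast<int64_t>(length) + value, 0);
        else
            value = std::min<int64_t>(value, length);
        return static_cast<uint32_t>(value);
    };
    return { resolve(start), resolve(end) };
}

// The three outcomes the entry lists: empty string (inline), one-character
// string for code units below 0x100 (inline, like charAt), or the general
// substring operation for everything else.
enum class SlicePath { EmptyString, SingleChar, SubstringOperation };

SlicePath classifySlice(const std::u16string& s, int32_t start, int32_t end)
{
    SliceRange r = resolveSliceRange(static_cast<uint32_t>(s.size()), start, end);
    if (r.end <= r.start)
        return SlicePath::EmptyString;
    if (r.end - r.start == 1 && s[r.start] < 0x100)
        return SlicePath::SingleChar;
    return SlicePath::SubstringOperation;
}

// Reference slice built on the resolved range; because the range is clamped,
// substr() can never be asked for bytes outside the string.
std::u16string stringSlice(const std::u16string& s, int32_t start, int32_t end)
{
    SliceRange r = resolveSliceRange(static_cast<uint32_t>(s.size()), start, end);
    if (r.end <= r.start)
        return std::u16string();
    return s.substr(r.start, r.end - r.start);
}
```

The clamping step is what makes the inline fast paths safe: once start and end are known to lie within [0, length], the single-character read `s[r.start]` and the substring copy cannot go out of bounds even for adversarial index arguments.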
2159
2160 2017-10-31  JF Bastien  <jfbastien@apple.com>
2161
2162         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
2163         https://bugs.webkit.org/show_bug.cgi?id=176644
2164
2165         Reviewed by Michael Saboff.
2166
2167         IndexOrName now keeps a RefPtr to its original NameSection, which
2168         holds the Name (or references nullptr if Index). Holding onto the
2169         entire section seems like the better thing to do, since backtraces
2170         probably contain multiple names from the same Module.
2171
2172         * JavaScriptCore.xcodeproj/project.pbxproj:
2173         * interpreter/Interpreter.cpp:
2174         (JSC::GetStackTraceFunctor::operator() const):
2175         * interpreter/StackVisitor.h: Frame is no longer POD because of the
2176         RefPtr.
2177         * runtime/StackFrame.cpp:
2178         (JSC::StackFrame::StackFrame):
2179         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
2180         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
2181         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
2182         * wasm/WasmBBQPlanInlines.h:
2183         (JSC::Wasm::BBQPlan::initializeCallees):
2184         * wasm/WasmCallee.cpp:
2185         (JSC::Wasm::Callee::Callee):
2186         * wasm/WasmCallee.h:
2187         (JSC::Wasm::Callee::create):
2188         * wasm/WasmFormat.h: Move NameSection to its own header.
2189         (JSC::Wasm::isValidNameType):
2190         (JSC::Wasm::NameSection::get): Deleted.
2191         * wasm/WasmIndexOrName.cpp:
2192         (JSC::Wasm::IndexOrName::IndexOrName):
2193         (JSC::Wasm::makeString):
2194         * wasm/WasmIndexOrName.h:
2195         (JSC::Wasm::IndexOrName::IndexOrName):
2196         (JSC::Wasm::IndexOrName::isEmpty const):
2197         (JSC::Wasm::IndexOrName::isIndex const):
2198         * wasm/WasmModuleInformation.cpp:
2199         (JSC::Wasm::ModuleInformation::ModuleInformation):
2200         * wasm/WasmModuleInformation.h:
2201         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
2202         * wasm/WasmNameSection.h:
2203         (JSC::Wasm::NameSection::get):
2204         (JSC::Wasm::NameSection::create): Deleted.
2205         * wasm/WasmNameSectionParser.cpp:
2206         (JSC::Wasm::NameSectionParser::parse):
2207         * wasm/WasmNameSectionParser.h:
2208         * wasm/WasmOMGPlan.cpp:
2209         (JSC::Wasm::OMGPlan::work):
2210
2211 2017-10-31  Tim Horton  <timothy_horton@apple.com>
2212
2213         Clean up some drag and drop feature flags
2214         https://bugs.webkit.org/show_bug.cgi?id=179082
2215
2216         Reviewed by Simon Fraser.
2217
2218         * Configurations/FeatureDefines.xcconfig:
2219
2220 2017-10-31  Commit Queue  <commit-queue@webkit.org>
2221
2222         Unreviewed, rolling out r224243, r224246, and r224248.
2223         https://bugs.webkit.org/show_bug.cgi?id=179083
2224
2225         The patch and fix broke the Windows build. (Requested by
2226         mlewis13 on #webkit).
2227
2228         Reverted changesets:
2229
2230         "StructureStubInfo should have GPRReg members not int8_ts"
2231         https://bugs.webkit.org/show_bug.cgi?id=179071
2232         https://trac.webkit.org/changeset/224243
2233
2234         "Make all register enums be backed by uint8_t."
2235         https://bugs.webkit.org/show_bug.cgi?id=179074
2236         https://trac.webkit.org/changeset/224246
2237
2238         "Unreviewed, windows build fix."
2239         https://trac.webkit.org/changeset/224248
2240
2241 2017-10-31  Tim Horton  <timothy_horton@apple.com>
2242
2243         Fix up some content filtering feature flags
2244         https://bugs.webkit.org/show_bug.cgi?id=179079
2245
2246         Reviewed by Simon Fraser.
2247
2248         * Configurations/FeatureDefines.xcconfig:
2249
2250 2017-10-31  Keith Miller  <keith_miller@apple.com>
2251
2252         Unreviewed, windows build fix.
2253
2254         * assembler/X86Assembler.h:
2255         (JSC::X86Assembler::numberOfRegisters):
2256         (JSC::X86Assembler::numberOfSPRegisters):
2257         (JSC::X86Assembler::numberOfFPRegisters):
2258
2259 2017-10-31  Keith Miller  <keith_miller@apple.com>
2260
2261         Make all register enums be backed by uint8_t.
2262         https://bugs.webkit.org/show_bug.cgi?id=179074
2263
2264         Reviewed by Mark Lam.
2265
2266         * assembler/ARM64Assembler.h:
2267         * assembler/ARMAssembler.h:
2268         * assembler/ARMv7Assembler.h:
2269         * assembler/MIPSAssembler.h:
2270         * assembler/MacroAssembler.h:
2271         * assembler/X86Assembler.h:
2272
2273 2017-10-31  Keith Miller  <keith_miller@apple.com>
2274
2275         StructureStubInfo should have GPRReg members not int8_ts
2276         https://bugs.webkit.org/show_bug.cgi?id=179071
2277
2278         Reviewed by Michael Saboff.
2279
2280         This patch makes the various RegisterID enums be backed by
2281         uint8_t. This means that we can remove the old int8_t members in
2282         StructureStubInfo and replace them with the correct enum types.
2283
2284         Also, this fixes an indentation issue in ARMv7Assembler.h.
2285
2286         * assembler/ARM64Assembler.h:
2287         * assembler/ARMAssembler.h:
2288         * assembler/ARMv7Assembler.h:
2289         (JSC::ARMRegisters::asSingle):
2290         (JSC::ARMRegisters::asDouble):
2291         * assembler/MIPSAssembler.h:
2292         * assembler/X86Assembler.h:
2293         * bytecode/InlineAccess.cpp:
2294         (JSC::InlineAccess::generateSelfPropertyAccess):
2295         (JSC::getScratchRegister):
2296         * bytecode/PolymorphicAccess.cpp:
2297         (JSC::PolymorphicAccess::regenerate):
2298         * bytecode/StructureStubInfo.h:
2299         (JSC::StructureStubInfo::valueRegs const):
2300         * dfg/DFGSpeculativeJIT.cpp:
2301         (JSC::DFG::SpeculativeJIT::compileIn):
2302         * ftl/FTLLowerDFGToB3.cpp:
2303         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2304         * jit/JITInlineCacheGenerator.cpp:
2305         (JSC::JITByIdGenerator::JITByIdGenerator):
2306         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
2307
2308 2017-10-31  Devin Rousso  <webkit@devinrousso.com>
2309
2310         Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
2311         https://bugs.webkit.org/show_bug.cgi?id=179048
2312
2313         Reviewed by Mark Lam.
2314
2315         * inspector/ScriptCallStackFactory.h:
2316         * inspector/ScriptCallStackFactory.cpp:
2317         (createScriptCallStack):
2318         (createScriptCallStackForConsole):
2319         (createScriptCallStackFromException):
2320
2321         * inspector/ConsoleMessage.cpp:
2322         (Inspector::ConsoleMessage::autogenerateMetadata):
2323         * inspector/JSGlobalObjectInspectorController.cpp:
2324         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2325         * inspector/agents/InspectorConsoleAgent.cpp:
2326         (Inspector::InspectorConsoleAgent::count):
2327         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2328         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2329
2330 2017-10-31  Carlos Garcia Campos  <cgarcia@igalia.com>
2331
2332         Unreviewed. Fix GTK+ make distcheck.
2333
2334         Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
2335
2336         * CMakeLists.txt:
2337
2338 2017-10-30  Saam Barati  <sbarati@apple.com>
2339
2340         We need a storeStoreFence before storing to the instruction stream's live variable catch data
2341         https://bugs.webkit.org/show_bug.cgi?id=178649
2342
2343         Reviewed by Keith Miller.
2344
2345         * bytecode/CodeBlock.cpp:
2346         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2347
2348 2017-10-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2349
2350         [WPE] Fix build warnings
2351         https://bugs.webkit.org/show_bug.cgi?id=178899
2352
2353         Reviewed by Carlos Alberto Lopez Perez.
2354
2355         * PlatformWPE.cmake:
2356
2357 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
2358
2359         [ARMv7] Fix initial start register support in YarrJIT
2360         https://bugs.webkit.org/show_bug.cgi?id=178641
2361
2362         Reviewed by Saam Barati.
2363
2364         * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
2365         YarrGenerator class. r6 should be avoided since it's already used inside
2366         MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
2367         can be used as the frame pointer register when targeting ARM Thumb2.
2368
2369 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
2370
2371         [ARM64][Linux] Re-enable Gigacage
2372         https://bugs.webkit.org/show_bug.cgi?id=178130
2373
2374         Reviewed by Michael Catanzaro.
2375
2376         Guard the current globaladdr opcode implementation for ARM64 with
2377         OS(DARWIN) as it's only usable for Mach-O.
2378
2379         For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
2380         have to be used. The .loh directive can't be used as it's not supported
2381         in GCC or the ld linker.
2382
2383         On every other OS target, a compilation error is thrown.
2384
2385         * offlineasm/arm64.rb:
2386
2387 2017-10-27  Devin Rousso  <webkit@devinrousso.com>
2388
2389         Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
2390         https://bugs.webkit.org/show_bug.cgi?id=178799
2391         <rdar://problem/35175805>
2392
2393         Reviewed by Brian Burg.
2394
2395         * inspector/protocol/Canvas.json:
2396         Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
2397
2398 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2399
2400         [JSC] Tweak ES6 generator function to allow inlining
2401         https://bugs.webkit.org/show_bug.cgi?id=178935
2402
2403         Reviewed by Saam Barati.
2404
2405         We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
2406         This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
2407         them to be inlined in DFG.
2408
2409                                        baseline                  patched
2410
2411         spread-generator.es6      301.2637+-11.1011    ^    260.5905+-14.2258       ^ definitely 1.1561x faster
2412         generator.es6             269.6030+-13.2435    ^    148.8840+-6.7614        ^ definitely 1.8108x faster
2413
2414         * builtins/GeneratorPrototype.js:
2415         (globalPrivate.generatorResume):
2416         (next):
2417         (return):
2418         (throw):
2419
2420 2017-10-27  Saam Barati  <sbarati@apple.com>
2421
2422         Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
2423         https://bugs.webkit.org/show_bug.cgi?id=178949
2424
2425         Reviewed by Keith Miller.
2426
2427         This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
2428         so that we don't need to recompute liveness for the same UnlinkedCodeBlock
2429         more than once. To do this, this patch solidifies the invariant that CodeBlock
2430         linking can't do anything that would change the result of liveness. For example,
2431         it can't introduce new locals. This invariant was met by JSC before, because we
2432         didn't do anything in bytecode linking that would change liveness. However, it is
2433         now a correctness requirement that we don't do anything that would change the
2434         result of running liveness. To support this change, I've refactored BytecodeGraph
2435         to not be tied to a CodeBlockType*. Things that perform liveness will pass in
2436         CodeBlockType* and the instruction stream as needed. This means that we may
2437         compute liveness with one CodeBlock*'s instruction stream, and then perform
2438         queries on that analysis with a different CodeBlock*'s instruction stream.
2439
2440         This seems to be a 2% JSBench progression.
2441
2442         * bytecode/BytecodeGeneratorification.cpp:
2443         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2444         (JSC::BytecodeGeneratorification::graph):
2445         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2446         (JSC::GeneratorLivenessAnalysis::run):
2447         (JSC::BytecodeGeneratorification::run):
2448         * bytecode/BytecodeGraph.h:
2449         (JSC::BytecodeGraph::BytecodeGraph):
2450         (JSC::BytecodeGraph::codeBlock const): Deleted.
2451         (JSC::BytecodeGraph::instructions): Deleted.
2452         (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
2453         * bytecode/BytecodeLivenessAnalysis.cpp:
2454         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
2455         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2456         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2457         (JSC::BytecodeLivenessAnalysis::computeKills):
2458         (JSC::BytecodeLivenessAnalysis::dumpResults):
2459         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
2460         (JSC::BytecodeLivenessAnalysis::compute): Deleted.
2461         * bytecode/BytecodeLivenessAnalysis.h:
2462         * bytecode/BytecodeLivenessAnalysisInlines.h:
2463         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2464         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
2465         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
2466         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
2467         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
2468         * bytecode/BytecodeRewriter.cpp:
2469         (JSC::BytecodeRewriter::applyModification):
2470         (JSC::BytecodeRewriter::execute):
2471         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
2472         * bytecode/BytecodeRewriter.h:
2473         (JSC::BytecodeRewriter::BytecodeRewriter):
2474         (JSC::BytecodeRewriter::removeBytecode):
2475         (JSC::BytecodeRewriter::graph):
2476         * bytecode/CodeBlock.cpp:
2477         (JSC::CodeBlock::finishCreation):
2478         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2479         (JSC::CodeBlock::validate):
2480         (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
2481         * bytecode/CodeBlock.h:
2482         (JSC::CodeBlock::livenessAnalysis):
2483         * bytecode/UnlinkedCodeBlock.cpp:
2484         (JSC::UnlinkedCodeBlock::applyModification):
2485         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
2486         * bytecode/UnlinkedCodeBlock.h:
2487         (JSC::UnlinkedCodeBlock::livenessAnalysis):
2488         * dfg/DFGGraph.cpp:
2489         (JSC::DFG::Graph::livenessFor):
2490         (JSC::DFG::Graph::killsFor):
2491         * dfg/DFGPlan.cpp:
2492         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2493         * jit/JIT.cpp:
2494         (JSC::JIT::privateCompileMainPass):
2495
2496 2017-10-27  Keith Miller  <keith_miller@apple.com>
2497
2498         Add unified source list files and build scripts to Xcode project navigator
2499         https://bugs.webkit.org/show_bug.cgi?id=178959
2500
2501         Reviewed by Andy Estes.
2502
2503         Also, add some extra source files so that new .cpp/.mm files don't cause the build
2504         to fail right away. We already do this in WebCore.
2505
2506         * JavaScriptCore.xcodeproj/project.pbxproj:
2507         * PlatformMac.cmake:
2508         * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
2509
2510 2017-10-27  JF Bastien  <jfbastien@apple.com>
2511
2512         WebAssembly: update arbitrary limits to what browsers use
2513         https://bugs.webkit.org/show_bug.cgi?id=178946
2514         <rdar://problem/34257412>
2515         <rdar://problem/34501154>
2516
2517         Reviewed by Saam Barati.
2518
2519         https://github.com/WebAssembly/design/issues/1138 discusses the
2520         arbitrary function size limit, which it turns out Chrome and
2521         Firefox didn't enforce. We didn't use it because it was
2522         ridiculously low and actual programs ran into that limit (bummer
2523         for Edge which just shipped it...). Now that we agree on a high
2524         arbitrary program limit, let's update it! While I'm doing this
2525         there are a few other spots that I polished to use Checked or
2526         better check limits overall.
2527
2528         * wasm/WasmB3IRGenerator.cpp:
2529         (JSC::Wasm::B3IRGenerator::addLocal):
2530         * wasm/WasmFormat.cpp:
2531         (JSC::Wasm::Segment::create):
2532         * wasm/WasmFunctionParser.h:
2533         (JSC::Wasm::FunctionParser<Context>::parse):
2534         * wasm/WasmInstance.cpp:
2535         * wasm/WasmLimits.h:
2536         * wasm/WasmModuleParser.cpp:
2537         (JSC::Wasm::ModuleParser::parseGlobal):
2538         (JSC::Wasm::ModuleParser::parseCode):
2539         (JSC::Wasm::ModuleParser::parseData):
2540         * wasm/WasmSignature.h:
2541         (JSC::Wasm::Signature::allocatedSize):
2542         * wasm/WasmTable.cpp:
2543         (JSC::Wasm::Table::Table):
2544         * wasm/js/JSWebAssemblyTable.cpp:
2545         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2546         (JSC::JSWebAssemblyTable::grow):
2547
2548 2017-10-26  Michael Saboff  <msaboff@apple.com>
2549
2550         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2551         https://bugs.webkit.org/show_bug.cgi?id=178890
2552
2553         Reviewed by Keith Miller.
2554
2555         We need to let a contained subpattern backtrack before declaring that the containing
2556         parenthesis doesn't match.  If the subpattern fails to match backtracking, then we
2557         can check to see if we are trying to backtrack below the minimum match count.
2558         
2559         * yarr/YarrInterpreter.cpp:
2560         (JSC::Yarr::Interpreter::backtrackParentheses):
2561
2562 2017-10-26  Mark Lam  <mark.lam@apple.com>
2563
2564         JSRopeString::RopeBuilder::append() should check for overflows.
2565         https://bugs.webkit.org/show_bug.cgi?id=178385
2566         <rdar://problem/35027468>
2567
2568         Reviewed by Saam Barati.
2569
2570         1. Made RopeString check for overflow like the Checked class does.
2571         2. Added a missing overflow check in objectProtoFuncToString().
2572
2573         * runtime/JSString.cpp:
2574         (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
2575         (JSC::JSRopeString::RopeBuilder::expand): Deleted.
2576         * runtime/JSString.h:
2577         * runtime/ObjectPrototype.cpp:
2578         (JSC::objectProtoFuncToString):
2579         * runtime/Operations.h:
2580         (JSC::jsStringFromRegisterArray):
2581         (JSC::jsStringFromArguments):
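
The overflow checks these entries describe (the LoadVarargs "argument count plus this" fix above, the RopeBuilder length accounting in this entry, and the Checked-style limit checks in the WebAssembly limits entry), as an added example that is not JSC's or WTF's code. It shows an unchecked accumulation beside a checked one that records overflow the way the entry says the Checked class does. The 0x7fffffff string-length bound is a constructed value for the example, not a constant quoted on this page.

```cpp
#include <cstdint>
#include <limits>

// Constructed upper bound for the example; the page does not quote JSC's real limit.
static const uint32_t kMaxStringLength = 0x7fffffffu;

// Overflow-checked unsigned addition in the spirit of WTF::Checked.
// Returns false and leaves `out` untouched when a + b would wrap.
bool checkedAddU32(uint32_t a, uint32_t b, uint32_t& out)
{
    if (a > std::numeric_limits<uint32_t>::max() - b)
        return false;
    out = a + b;
    return true;
}

// "Arg count plus this": the count comes from the spread source, so nothing
// guarantees there is room for the +1 without a check.
bool argumentCountIncludingThis(uint32_t argumentCount, uint32_t& out)
{
    return checkedAddU32(argumentCount, 1, out);
}

// The accumulation the entry guards against: a plain add wraps modulo 2^32,
// so a rope could end up with a tiny recorded length over a huge payload.
uint32_t uncheckedRopeLength(uint32_t a, uint32_t b)
{
    return a + b;
}

// A rope length builder that records overflow like the Checked class does:
// once any append would exceed the bound, the builder stays poisoned and
// every further append fails, so the caller cannot miss the condition.
class RopeLengthBuilder {
public:
    bool append(uint32_t fiberLength)
    {
        if (m_overflowed)
            return false;
        uint32_t sum = 0;
        if (!checkedAddU32(m_length, fiberLength, sum) || sum > kMaxStringLength) {
            m_overflowed = true;
            return false;
        }
        m_length = sum;
        return true;
    }
    bool hasOverflowed() const { return m_overflowed; }
    uint32_t length() const { return m_length; }

private:
    uint32_t m_length = 0;
    bool m_overflowed = false;
};
```

The sticky overflow flag is the important design point: a builder that merely returned false once could be appended to again and produce a consistent-looking but wrong length, whereas a poisoned builder forces the caller down the failure path.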
2582
2583 2017-10-26  JF Bastien  <jfbastien@apple.com>
2584
2585         WebAssembly: no VM / JS version of our implementation
2586         https://bugs.webkit.org/show_bug.cgi?id=177472
2587
2588         Reviewed by Michael Saboff.
2589
2590         This patch removes all appearances of "JS" and "VM" in the wasm
2591         directory. These now only appear in the wasm/js directory, which
2592         is only used in a JS embedding of wasm. It should therefore now be
2593         possible to create non-JS embeddings of wasm through JSC, though
2594         it'll still require:
2595
2596           - Mild codegen for wasm<->embedder calls;
2597           - A strategy for trap handling (no need for full unwind! Could kill).
2598           - Creation of the Wasm::* objects.
2599           - Calling convention handling to call the embedder.
2600           - Handling of multiple embedders (see #177475, this is optional).
2601
2602         Most of the patch consists of renaming JSWebAssemblyInstance to
2603         Instance, and removing temporary copies which I'd added to make
2604         this specific patch very simple.
2605
2606         * interpreter/CallFrame.cpp:
2607         (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place
2608         which needs to know about who "owns" the Wasm::Instance. In a JS
2609         embedding it's the JSWebAssemblyInstance.
2610         * wasm/WasmB3IRGenerator.cpp:
2611         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2612         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2613         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2614         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2615         (JSC::Wasm::B3IRGenerator::getGlobal):
2616         (JSC::Wasm::B3IRGenerator::setGlobal):
2617         (JSC::Wasm::B3IRGenerator::addCall):
2618         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2619         * wasm/WasmBinding.cpp:
2620         (JSC::Wasm::wasmToWasm):
2621         * wasm/WasmContext.cpp:
2622         (JSC::Wasm::Context::load const):
2623         (JSC::Wasm::Context::store):
2624         * wasm/WasmContext.h:
2625         * wasm/WasmEmbedder.h:
2626         * wasm/WasmInstance.cpp:
2627         (JSC::Wasm::Instance::Instance):
2628         (JSC::Wasm::Instance::create):
2629         (JSC::Wasm::Instance::extraMemoryAllocated const):
2630         * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
2631         "tail" import information from JSWebAssemblyInstance over to here.
2632         (JSC::Wasm::Instance::finalizeCreation):
2633         (JSC::Wasm::Instance::owner const):
2634         (JSC::Wasm::Instance::offsetOfOwner):
2635         (JSC::Wasm::Instance::context const):
2636         (JSC::Wasm::Instance::setMemory):
2637         (JSC::Wasm::Instance::setTable):
2638         (JSC::Wasm::Instance::offsetOfMemory):
2639         (JSC::Wasm::Instance::offsetOfGlobals):
2640         (JSC::Wasm::Instance::offsetOfTable):
2641         (JSC::Wasm::Instance::offsetOfTail):
2642         (JSC::Wasm::Instance::numImportFunctions const):
2643         (JSC::Wasm::Instance::importFunctionInfo):
2644         (JSC::Wasm::Instance::offsetOfTargetInstance):
2645         (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
2646         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
2647         (JSC::Wasm::Instance::offsetOfImportFunction):
2648         (JSC::Wasm::Instance::importFunction):
2649         (JSC::Wasm::Instance::allocationSize):
2650         (JSC::Wasm::Instance::create): Deleted.
2651         * wasm/WasmOMGPlan.cpp:
2652         (JSC::Wasm::OMGPlan::runForIndex):
2653         * wasm/WasmOMGPlan.h:
2654         * wasm/WasmTable.cpp:
2655         (JSC::Wasm::Table::Table):
2656         (JSC::Wasm::Table::setFunction):
2657         * wasm/WasmTable.h:
2658         * wasm/WasmThunks.cpp:
2659         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2660         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2661         * wasm/js/JSToWasm.cpp:
2662         (JSC::Wasm::createJSToWasmWrapper):
2663         * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
2664         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
2665         decides what the import function is. Here we must properly
2666         placement-new it to what we've elected (and initialize it later).
2667         (JSC::JSWebAssemblyInstance::visitChildren):
2668         (JSC::JSWebAssemblyInstance::finalizeCreation):
2669         (JSC::JSWebAssemblyInstance::create):
2670         * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
2671         (JSC::JSWebAssemblyInstance::instance):
2672         (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
2673         (JSC::JSWebAssemblyInstance::setMemory):
2674         (JSC::JSWebAssemblyInstance::table):
2675         (JSC::JSWebAssemblyInstance::setTable):
2676         (JSC::JSWebAssemblyInstance::offsetOfInstance):
2677         (JSC::JSWebAssemblyInstance::offsetOfCallee):
2678         (JSC::JSWebAssemblyInstance::context const): Deleted.
2679         (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
2680         (): Deleted.
2681         (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
2682         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
2683         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
2684         (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
2685         (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
2686         (JSC::JSWebAssemblyInstance::importFunction): Deleted.
2687         (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
2688         (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
2689         (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
2690         (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
2691         (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
2692         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
2693         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
2694         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
2695         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
2696         (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
2697         (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
2698         (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
2699         (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
2700         (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
2701         * wasm/js/JSWebAssemblyTable.cpp:
2702         (JSC::JSWebAssemblyTable::setFunction):
2703         * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
2704         (JSC::Wasm::materializeImportJSCell):
2705         (JSC::Wasm::handleBadI64Use):
2706         (JSC::Wasm::wasmToJS):
2707         (JSC::Wasm::wasmToJSException):
2708         * wasm/js/WasmToJS.h:
2709         * wasm/js/WebAssemblyFunction.cpp:
2710         (JSC::callWebAssemblyFunction):
2711         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2712         (JSC::constructJSWebAssemblyInstance):
2713         * wasm/js/WebAssemblyModuleRecord.cpp:
2714         (JSC::WebAssemblyModuleRecord::link):
2715         (JSC::WebAssemblyModuleRecord::evaluate):
2716         * wasm/js/WebAssemblyPrototype.cpp:
2717         (JSC::instantiate):
2718         * wasm/js/WebAssemblyWrapperFunction.cpp:
2719         (JSC::WebAssemblyWrapperFunction::create):
2720
2721 2017-10-25  Devin Rousso  <webkit@devinrousso.com>
2722
2723         Web Inspector: provide a way to enable/disable event listeners
2724         https://bugs.webkit.org/show_bug.cgi?id=177451
2725         <rdar://problem/34994925>
2726
2727         Reviewed by Joseph Pecoraro.
2728
2729         * inspector/protocol/DOM.json:
2730         Add `setEventListenerDisabled` command that enables/disables a specific event listener
2731         during event dispatch. When a disabled event listener is fired, the listener's callback will
2732         not be called.
2733
2734 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2735
2736         Unreviewed, rolling out r223691 and r223729.
2737         https://bugs.webkit.org/show_bug.cgi?id=178834
2738
2739         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2740         by rniwa on #webkit).
2741
2742         Reverted changesets:
2743
2744         "Turn recursive tail calls into loops"
2745         https://bugs.webkit.org/show_bug.cgi?id=176601
2746         https://trac.webkit.org/changeset/223691
2747
2748         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2749         comparison is always false due to limited range of data type
2750         [-Wtype-limits]"
2751         https://bugs.webkit.org/show_bug.cgi?id=178543
2752         https://trac.webkit.org/changeset/223729
2753
2754 2017-10-25  Michael Saboff  <msaboff@apple.com>
2755
2756         REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
2757         https://bugs.webkit.org/show_bug.cgi?id=178825
2758
2759         Reviewed by Mark Lam.
2760
2761         Enable ARC for ARM64_32.  This eliminates the need for setting CLANG_ENABLE_OBJC_WEAK.
2762
2763         * Configurations/ToolExecutable.xcconfig:
2764
2765 2017-10-25  Keith Miller  <keith_miller@apple.com>
2766
2767         Fix implicit cast of enum, which seems to break the windows build of unified sources.
2768         https://bugs.webkit.org/show_bug.cgi?id=178822
2769
2770         Reviewed by Saam Barati.
2771
2772         * bytecode/DFGExitProfile.h:
2773         (JSC::DFG::FrequentExitSite::hash const):
2774
2775 2017-10-24  Michael Saboff  <msaboff@apple.com>
2776
2777         Allow ObjC Weak References when building TestAPI
2778         https://bugs.webkit.org/show_bug.cgi?id=178748
2779
2780         Reviewed by Dan Bernstein.
2781
2782         Set TestAPI build flag Weak References in Manual Retain Release to true.
2783
2784         * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
2785         * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
2786
2787 2017-10-24  Eric Carlson  <eric.carlson@apple.com>
2788
2789         Web Inspector: Enable WebKit logging configuration and display
2790         https://bugs.webkit.org/show_bug.cgi?id=177027
2791         <rdar://problem/33964767>
2792
2793         Reviewed by Joseph Pecoraro.
2794
2795         * inspector/ConsoleMessage.cpp:
2796         (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage -> 
2797             Inspector::Protocol::Console::ChannelSource.
2798         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
2799         (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
2800             specific to a JSContext yet, so return an empty channel array.
2801         (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
2802         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2803
2804         * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
2805             and setLoggingChannelLevel.
2806
2807         * inspector/scripts/codegen/generator.py: Special case "webrtc" -> "WebRTC".
2808         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2809         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2810         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2811         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2812         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2813
2814         * runtime/ConsoleTypes.h: Add Media and WebRTC.
2815
2816 2017-10-24  Michael Saboff  <msaboff@apple.com>
2817
2818         Allow ObjC Weak References when building TestAPI
2819         https://bugs.webkit.org/show_bug.cgi?id=178748
2820
2821         Reviewed by Saam Barati.
2822
2823         Set TestAPI build flag Weak References in Manual Retain Release to true.
2824
2825         * JavaScriptCore.xcodeproj/project.pbxproj:
2826
2827 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2828
2829         [FTL] Support NewStringObject
2830         https://bugs.webkit.org/show_bug.cgi?id=178737
2831
2832         Reviewed by Saam Barati.
2833
2834         FTL should support NewStringObject and encourage use of NewStringObject in the DFG pipeline.
2835         After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
2836
2837         * ftl/FTLAbstractHeapRepository.h:
2838         * ftl/FTLCapabilities.cpp:
2839         (JSC::FTL::canCompile):
2840         * ftl/FTLLowerDFGToB3.cpp:
2841         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2842         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2843
2844 2017-10-24  Guillaume Emont  <guijemont@igalia.com>
2845
2846         [mips] fix offsets of branches that have to go over a jump
2847         https://bugs.webkit.org/show_bug.cgi?id=153464
2848
2849         The jump() function creates 8 instructions, but the offsets of branches
2850         meant to go over them only account for 6. In most cases, this is not an
2851         issue as the last two instructions of jump() would be nops, but in the
2852         rarer case where the jump destination is in a different 256 MB segment,
2853         MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
2854         the last 4 instructions would be a 2 instruction load (lui/ori) into
2855         $t9, a "j $t9" and then a nop. The wrong offset will mean that the
2856         previous branches meant to go over the whole jump will branch to the
2857         "j $t9" instruction, which would jump to whatever is currently in $t9
2858         (since lui/ori would not be executed).
2859
2860         Reviewed by Michael Catanzaro.
2861
2862         * assembler/MacroAssemblerMIPS.h:
2863         (JSC::MacroAssemblerMIPS::branchAdd32):
2864         (JSC::MacroAssemblerMIPS::branchMul32):
2865         (JSC::MacroAssemblerMIPS::branchSub32):
2866         Fix the offsets of branches meant to go over code generated by jump().
2867
2868 2017-10-24  JF Bastien  <jfbastien@apple.com>
2869
2870         WebAssembly: NFC renames of things that aren't JS-specific
2871         https://bugs.webkit.org/show_bug.cgi?id=178738
2872
2873         Reviewed by Saam Barati.
2874
2875         * wasm/WasmB3IRGenerator.cpp:
2876         (JSC::Wasm::parseAndCompile):
2877         * wasm/WasmB3IRGenerator.h:
2878         * wasm/WasmBBQPlan.cpp:
2879         (JSC::Wasm::BBQPlan::complete):
2880         * wasm/WasmCodeBlock.cpp:
2881         (JSC::Wasm::CodeBlock::CodeBlock):
2882         * wasm/WasmCodeBlock.h:
2883         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
2884         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
2885         * wasm/WasmFormat.h:
2886         * wasm/js/JSToWasm.cpp:
2887         (JSC::Wasm::createJSToWasmWrapper):
2888         * wasm/js/WebAssemblyModuleRecord.cpp:
2889         (JSC::WebAssemblyModuleRecord::link):
2890         (JSC::WebAssemblyModuleRecord::evaluate):
2891
2892 2017-10-24  Stephan Szabo  <stephan.szabo@sony.com>
2893
2894         [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
2895         https://bugs.webkit.org/show_bug.cgi?id=177279
2896
2897         Reviewed by Yusuke Suzuki.
2898
2899         * shell/PlatformJSCOnly.cmake: Added.
2900
2901 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2902
2903         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2904         https://bugs.webkit.org/show_bug.cgi?id=178308
2905
2906         Reviewed by Mark Lam.
2907
2908         With the change of the spec [1], we no longer need to remember star resolution modules.
2909         We reflect this change in our implementation. Since this change is covered by test262,
2910         this patch improves the score of test262.
2911
2912         We also add logging to ResolveExport to debug it easily.
2913
2914         [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
2915
2916         * runtime/AbstractModuleRecord.cpp:
2917         (JSC::AbstractModuleRecord::ResolveQuery::dump const):
2918         (JSC::AbstractModuleRecord::resolveExportImpl):
2919
2920 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2921
2922         [JSC] Use emitDumbVirtualCall in 32bit JIT
2923         https://bugs.webkit.org/show_bug.cgi?id=178644
2924
2925         Reviewed by Mark Lam.
2926
2927         This patch aligns the 32bit JIT op_call_eval slow case with the 64bit version by using emitDumbVirtualCall.
2928
2929         * jit/JITCall32_64.cpp:
2930         (JSC::JIT::compileCallEvalSlowCase):
2931
2932 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2933
2934         [JSC] Drop ArityCheckData
2935         https://bugs.webkit.org/show_bug.cgi?id=178648
2936
2937         Reviewed by Mark Lam.
2938
2939         ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
2940         However, use of `thunkToCall` was removed in the 64bit environment in r189575.
2941
2942         We remove `thunkToCall` and align the 32bit implementation with the 64bit implementation.
2943         Since we no longer need to have the above pair, we can remove ArityCheckData too.
2944
2945         * llint/LowLevelInterpreter32_64.asm:
2946         * llint/LowLevelInterpreter64.asm:
2947         * runtime/CommonSlowPaths.cpp:
2948         (JSC::SLOW_PATH_DECL):
2949         (JSC::setupArityCheckData): Deleted.
2950         * runtime/CommonSlowPaths.h:
2951         * runtime/VM.cpp:
2952         (JSC::VM::VM):
2953         * runtime/VM.h:
2954
2955 2017-10-23  Keith Miller  <keith_miller@apple.com>
2956
2957         Unreviewed, reland r223866
2958
2959         Didn't break the windows build...
2960
2961         Restored changeset:
2962
2963         "WebAssembly: topEntryFrame on Wasm::Instance"
2964         https://bugs.webkit.org/show_bug.cgi?id=178690
2965         https://trac.webkit.org/changeset/223866
2966
2967
2968 2017-10-23  Commit Queue  <commit-queue@webkit.org>
2969
2970         Unreviewed, rolling out r223866.
2971         https://bugs.webkit.org/show_bug.cgi?id=178699
2972
2973         Probably broke the windows build (Requested by keith_miller on
2974         #webkit).
2975
2976         Reverted changeset:
2977
2978         "WebAssembly: topEntryFrame on Wasm::Instance"
2979         https://bugs.webkit.org/show_bug.cgi?id=178690
2980         https://trac.webkit.org/changeset/223866
2981
2982 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
2983
2984         Web Inspector: Remove unused Console.setMonitoringXHREnabled
2985         https://bugs.webkit.org/show_bug.cgi?id=178617
2986
2987         Reviewed by Sam Weinig.
2988
2989         * JavaScriptCore.xcodeproj/project.pbxproj:
2990         * Sources.txt:
2991         * inspector/agents/InspectorConsoleAgent.h:
2992         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
2993         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
2994         * inspector/protocol/Console.json:
2995         Removed files and method.
2996
2997         * inspector/JSGlobalObjectInspectorController.cpp:
2998         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2999         This can use the base ConsoleAgent now.
3000
3001 2017-10-23  JF Bastien  <jfbastien@apple.com>
3002
3003         WebAssembly: topEntryFrame on Wasm::Instance
3004         https://bugs.webkit.org/show_bug.cgi?id=178690
3005
3006         Reviewed by Saam Barati.
3007
3008         topEntryFrame is usually on VM, but for a no-VM WebAssembly we
3009         need to hold topEntryFrame elsewhere, and generated code cannot
3010         hard-code where topEntryFrame lives. Do this at creation time of
3011         Wasm::Instance, and then generated code will just load from
3012         wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
3013         embedding this is still from VM, so all of the unwinding machinery
3014         stays the same.
3015
3016         * dfg/DFGOSREntry.cpp:
3017         (JSC::DFG::prepareOSREntry):
3018         * dfg/DFGOSRExit.cpp:
3019         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3020         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3021         * ftl/FTLOSRExitCompiler.cpp:
3022         (JSC::FTL::compileStub):
3023         * interpreter/Interpreter.cpp:
3024         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3025         * jit/AssemblyHelpers.cpp:
3026         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
3027         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
3028         * jit/AssemblyHelpers.h:
3029         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
3030         The default parameter was never non-defaulted from any of the
3031         callers. The new version calls the impl directly because it
3032         doesn't have VM and doesn't hard-code the address of
3033         topEntryFrame.
3034         * jit/RegisterSet.cpp:
3035         (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
3036         VM because it's not really VM-specific.
3037         * jit/RegisterSet.h:
3038         * runtime/VM.cpp:
3039         (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
3040         * runtime/VM.h:
3041         (JSC::VM::getCTIStub):
3042         * wasm/WasmB3IRGenerator.cpp:
3043         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3044         (JSC::Wasm::B3IRGenerator::addCall):
3045         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3046         * wasm/WasmInstance.cpp:
3047         (JSC::Wasm::Instance::Instance):
3048         * wasm/WasmInstance.h: topEntryFramePointer will eventually live
3049         here for real. Right now it's mirrored in JSWebAssemblyInstance
3050         because that's the acting Context.
3051         (JSC::Wasm::Instance::create):
3052         (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
3053         * wasm/WasmThunks.cpp:
3054         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3055         * wasm/js/JSWebAssemblyInstance.cpp:
3056         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
3057         * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
3058         (JSC::JSWebAssemblyInstance::offsetOfCallee):
3059         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
3060         (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
3061         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3062         (JSC::constructJSWebAssemblyInstance):
3063         * wasm/js/WebAssemblyPrototype.cpp:
3064         (JSC::instantiate):
3065
3066 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
3067
3068         Web Inspector: Please support HAR Export for network traffic
3069         https://bugs.webkit.org/show_bug.cgi?id=146692
3070         <rdar://problem/7463672>
3071
3072         Reviewed by Brian Burg.
3073
3074         * inspector/protocol/Network.json:
3075         Add a walltime to each send request.
3076
3077 2017-10-23  Matt Lewis  <jlewis3@apple.com>
3078
3079         Unreviewed, rolling out r223820.
3080
3081         This caused a build break on Windows.
3082
3083         Reverted changeset:
3084
3085         "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
3086         https://bugs.webkit.org/show_bug.cgi?id=178617
3087         https://trac.webkit.org/changeset/223820
3088
3089 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3090
3091         [JSC] Use fastJoin in Array#toString
3092         https://bugs.webkit.org/show_bug.cgi?id=178062
3093
3094         Reviewed by Darin Adler.
3095
3096         Array#toString()'s fast path uses the original join operation.
3097         But this should use fastJoin if possible.
3098         This patch adds a fast path using fastJoin in Array#toString.
3099         And we also extend fastJoin to perform fast joining for int32
3100         arrays.
3101
3102                                              baseline                  patched
3103
3104         double-array-to-string          126.6157+-5.8625     ^    103.7343+-4.4968        ^ definitely 1.2206x faster
3105         int32-array-to-string            64.7792+-2.6524           61.2390+-2.1749          might be 1.0578x faster
3106         contiguous-array-to-string       62.6224+-2.6388     ^     56.9899+-2.0852        ^ definitely 1.0988x faster
3107
3108
3109         * runtime/ArrayPrototype.cpp:
3110         (JSC::fastJoin):
3111         (JSC::arrayProtoFuncToString):
3112         (JSC::arrayProtoFuncToLocaleString):
3113         * runtime/JSStringJoiner.h:
3114         (JSC::JSStringJoiner::appendWithoutSideEffects):
3115         (JSC::JSStringJoiner::appendInt32):
3116         (JSC::JSStringJoiner::appendDouble):
3117
3118 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3119
3120         [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
3121         https://bugs.webkit.org/show_bug.cgi?id=178452
3122
3123         Reviewed by Yusuke Suzuki.
3124
3125         * heap/RegisterState.h: Re-enable the custom RegisterState and
3126         ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
3127         cause any crashes nowadays.
3128
3129 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3130
3131         [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
3132         https://bugs.webkit.org/show_bug.cgi?id=178647
3133
3134         Reviewed by Saam Barati.
3135
3136         There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone
3137         since the number of slow cases depends on the values of the instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
3138         which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function,
3139         this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.
3140
3141         * jit/JIT.h:
3142         (JSC::JIT::linkAllSlowCases):
3143         * jit/JITArithmetic.cpp:
3144         (JSC::JIT::emitSlow_op_unsigned):
3145         (JSC::JIT::emit_compareAndJump):
3146         (JSC::JIT::emit_compareAndJumpSlow):
3147         (JSC::JIT::emitSlow_op_inc):
3148         (JSC::JIT::emitSlow_op_dec):
3149         (JSC::JIT::emitSlow_op_mod):
3150         (JSC::JIT::emitSlow_op_negate):
3151         (JSC::JIT::emitSlow_op_bitand):
3152         (JSC::JIT::emitSlow_op_bitor):
3153         (JSC::JIT::emitSlow_op_bitxor):
3154         (JSC::JIT::emitSlow_op_lshift):
3155         (JSC::JIT::emitSlow_op_rshift):
3156         (JSC::JIT::emitSlow_op_urshift):
3157         (JSC::JIT::emitSlow_op_add):
3158         (JSC::JIT::emitSlow_op_div):
3159         (JSC::JIT::emitSlow_op_mul):
3160         (JSC::JIT::emitSlow_op_sub):
3161         * jit/JITArithmetic32_64.cpp:
3162         (JSC::JIT::emit_compareAndJumpSlow):
3163         (JSC::JIT::emitSlow_op_unsigned):
3164         (JSC::JIT::emitSlow_op_inc):
3165         (JSC::JIT::emitSlow_op_dec):
3166         (JSC::JIT::emitSlow_op_mod):
3167         * jit/JITCall.cpp:
3168         (JSC::JIT::compileCallEvalSlowCase):
3169         (JSC::JIT::compileOpCallSlowCase):
3170         * jit/JITCall32_64.cpp:
3171         (JSC::JIT::compileCallEvalSlowCase):
3172         (JSC::JIT::compileOpCallSlowCase):
3173         * jit/JITInlines.h:
3174         (JSC::JIT::linkAllSlowCasesForBytecodeOffset):
3175         * jit/JITOpcodes.cpp:
3176         (JSC::JIT::emitSlow_op_new_object):
3177         (JSC::JIT::emitSlow_op_create_this):
3178         (JSC::JIT::emitSlow_op_check_tdz):
3179         (JSC::JIT::emitSlow_op_to_this):
3180         (JSC::JIT::emitSlow_op_to_primitive):
3181         (JSC::JIT::emitSlow_op_not):
3182         (JSC::JIT::emitSlow_op_eq):
3183         (JSC::JIT::emitSlow_op_neq):
3184         (JSC::JIT::emitSlow_op_stricteq):
3185         (JSC::JIT::emitSlow_op_nstricteq):
3186         (JSC::JIT::emitSlow_op_instanceof):
3187         (JSC::JIT::emitSlow_op_instanceof_custom):
3188         (JSC::JIT::emitSlow_op_to_number):
3189         (JSC::JIT::emitSlow_op_to_string):
3190         (JSC::JIT::emitSlow_op_loop_hint):
3191         (JSC::JIT::emitSlow_op_check_traps):
3192         (JSC::JIT::emitSlow_op_has_indexed_property):
3193         (JSC::JIT::emitSlow_op_get_direct_pname):
3194         (JSC::JIT::emitSlow_op_has_structure_property):
3195         * jit/JITOpcodes32_64.cpp:
3196         (JSC::JIT::emitSlow_op_new_object):
3197         (JSC::JIT::emitSlow_op_instanceof):
3198         (JSC::JIT::emitSlow_op_instanceof_custom):
3199         (JSC::JIT::emitSlow_op_to_primitive):
3200         (JSC::JIT::emitSlow_op_not):
3201         (JSC::JIT::emitSlow_op_stricteq):
3202         (JSC::JIT::emitSlow_op_nstricteq):
3203         (JSC::JIT::emitSlow_op_to_number):
3204         (JSC::JIT::emitSlow_op_to_string):
3205         (JSC::JIT::emitSlow_op_create_this):
3206         (JSC::JIT::emitSlow_op_to_this):
3207         (JSC::JIT::emitSlow_op_check_tdz):
3208         (JSC::JIT::emitSlow_op_has_indexed_property):
3209         (JSC::JIT::emitSlow_op_get_direct_pname):
3210         * jit/JITPropertyAccess.cpp:
3211         (JSC::JIT::emitSlow_op_try_get_by_id):
3212         (JSC::JIT::emitSlow_op_get_by_id):
3213         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3214         (JSC::JIT::emitSlow_op_put_by_id):
3215         (JSC::JIT::emitSlow_op_resolve_scope):
3216         (JSC::JIT::emitSlow_op_get_from_scope):
3217         (JSC::JIT::emitSlow_op_put_to_scope):
3218         * jit/JITPropertyAccess32_64.cpp:
3219         (JSC::JIT::emitSlow_op_try_get_by_id):
3220         (JSC::JIT::emitSlow_op_get_by_id):
3221         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3222         (JSC::JIT::emitSlow_op_put_by_id):
3223         (JSC::JIT::emitSlow_op_resolve_scope):
3224         (JSC::JIT::emitSlow_op_get_from_scope):
3225         (JSC::JIT::emitSlow_op_put_to_scope):
3226
3227 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3228
3229         [JSC] Clean up baseline slow path
3230         https://bugs.webkit.org/show_bug.cgi?id=178646
3231
3232         Reviewed by Saam Barati.
3233
3234         If the given op is just calling a slow path function, we should use DEFINE_SLOW_OP instead.
3235         It is good since (1) we can reduce the manually emitted code and (2) it can clarify which
3236         function is implemented as a slow path call. This patch is an attempt to reduce 32bit specific
3237         code in the baseline JIT.
3238
3239         * jit/JIT.cpp:
3240         (JSC::JIT::privateCompileMainPass):
3241         * jit/JIT.h:
3242         * jit/JITArithmetic.cpp:
3243         (JSC::JIT::emit_op_pow): Deleted.
3244         * jit/JITArithmetic32_64.cpp:
3245         (JSC::JIT::emitSlow_op_mod):
3246         * jit/JITOpcodes.cpp:
3247         (JSC::JIT::emit_op_strcat): Deleted.
3248         (JSC::JIT::emit_op_push_with_scope): Deleted.
3249         (JSC::JIT::emit_op_assert): Deleted.
3250         (JSC::JIT::emit_op_create_lexical_environment): Deleted.
3251         (JSC::JIT::emit_op_throw_static_error): Deleted.
3252         (JSC::JIT::emit_op_new_array_with_spread): Deleted.
3253         (JSC::JIT::emit_op_spread): Deleted.
3254         (JSC::JIT::emit_op_get_enumerable_length): Deleted.
3255         (JSC::JIT::emit_op_has_generic_property): Deleted.
3256         (JSC::JIT::emit_op_get_property_enumerator): Deleted.
3257         (JSC::JIT::emit_op_to_index_string): Deleted.
3258         (JSC::JIT::emit_op_create_direct_arguments): Deleted.
3259         (JSC::JIT::emit_op_create_scoped_arguments): Deleted.
3260         (JSC::JIT::emit_op_create_cloned_arguments): Deleted.
3261         (JSC::JIT::emit_op_create_rest): Deleted.
3262         (JSC::JIT::emit_op_unreachable): Deleted.
3263         * jit/JITOpcodes32_64.cpp:
3264         (JSC::JIT::emit_op_strcat): Deleted.
3265         (JSC::JIT::emit_op_push_with_scope): Deleted.
3266         (JSC::JIT::emit_op_assert): Deleted.
3267         (JSC::JIT::emit_op_create_lexical_environment): Deleted.
3268         * jit/JITPropertyAccess.cpp:
3269         (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
3270         (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
3271         (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
3272         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
3273         (JSC::JIT::emit_op_define_data_property): Deleted.
3274         (JSC::JIT::emit_op_define_accessor_property): Deleted.
3275         * jit/JITPropertyAccess32_64.cpp:
3276         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
3277         (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
3278         (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
3279         (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
3280
3281 2017-10-21  Joseph Pecoraro  <pecoraro@apple.com>
3282
3283         Web Inspector: Remove unused Console.setMonitoringXHREnabled
3284         https://bugs.webkit.org/show_bug.cgi?id=178617
3285
3286         Reviewed by Sam Weinig.
3287
3288         * JavaScriptCore.xcodeproj/project.pbxproj:
3289         * Sources.txt:
3290         * inspector/agents/InspectorConsoleAgent.h:
3291         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
3292         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
3293         * inspector/protocol/Console.json:
3294         Removed files and method.
3295
3296         * inspector/JSGlobalObjectInspectorController.cpp:
3297         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3298         This can use the base ConsoleAgent now.
3299
3300 2017-10-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3301
3302         [JSC] Remove per-host-function CTI stub in 32bit environment
3303         https://bugs.webkit.org/show_bug.cgi?id=178581
3304
3305         Reviewed by Saam Barati.
3306
3307         JIT::privateCompileCTINativeCall only exists in the 32bit environment and it is almost the same as the native call CTI stub.
3308         The only difference is that it embeds the address of the host function directly in the generated stub. This means
3309         that we have a per-host-function CTI stub only in the 32bit environment.
3310
3311         This patch just removes it and uses one CTI stub instead. This design is the same as the current 64bit implementation.
3312
3313         * jit/JIT.cpp:
3314         (JSC::JIT::compileCTINativeCall): Deleted.
3315         * jit/JIT.h:
3316         * jit/JITOpcodes.cpp:
3317         (JSC::JIT::privateCompileCTINativeCall): Deleted.
3318         * jit/JITOpcodes32_64.cpp:
3319         (JSC::JIT::privateCompileCTINativeCall): Deleted.
3320         * jit/JITThunks.cpp:
3321         (JSC::JITThunks::hostFunctionStub):
3322
3323 2017-10-20  Antoine Quint  <graouts@apple.com>
3324
3325         [Web Animations] Provide basic timeline and animation interfaces
3326         https://bugs.webkit.org/show_bug.cgi?id=178526
3327
3328         Reviewed by Dean Jackson.
3329
3330         Remove the WEB_ANIMATIONS compile-time flag.
3331
3332         * Configurations/FeatureDefines.xcconfig:
3333
3334 2017-10-20  Commit Queue  <commit-queue@webkit.org>
3335
3336         Unreviewed, rolling out r223744, r223750, and r223751.
3337         https://bugs.webkit.org/show_bug.cgi?id=178594
3338
3339         These caused consistent failures in tests that existed and were
3340         added in the patches. (Requested by mlewis13 on #webkit).
3341
3342         Reverted changesets:
3343
3344         "[JSC] ScriptFetcher should be notified directly from module
3345         pipeline"
3346         https://bugs.webkit.org/show_bug.cgi?id=178340
3347         https://trac.webkit.org/changeset/223744
3348
3349         "Unreviewed, fix changed line number in test expect files"
3350         https://bugs.webkit.org/show_bug.cgi?id=178340
3351         https://trac.webkit.org/changeset/223750
3352
3353         "Unreviewed, follow up to reflect comments"
3354         https://bugs.webkit.org/show_bug.cgi?id=178340
3355         https://trac.webkit.org/changeset/223751
3356
3357 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3358
3359         Unreviewed, follow up to reflect comments
3360         https://bugs.webkit.org/show_bug.cgi?id=178340
3361
3362         * runtime/JSModuleLoader.cpp:
3363         (JSC::JSModuleLoader::notifyCompleted):
3364
3365 2017-10-20  Saam Barati  <sbarati@apple.com>
3366
3367         Optimize accesses to how we get the direct prototype
3368         https://bugs.webkit.org/show_bug.cgi?id=178548
3369
3370         Reviewed by Yusuke Suzuki.