d67b28b39e58750da11eed80ae65672a946f697d
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-11-16  Daniel Bates  <dabates@apple.com>

        Add feature define for alternative presentation button element
        https://bugs.webkit.org/show_bug.cgi?id=179692
        Part of <rdar://problem/34917108>

        Reviewed by Andy Estes.

        Only enabled on Cocoa platforms by default.

        * Configurations/FeatureDefines.xcconfig:

2017-11-16  Saam Barati  <sbarati@apple.com>

        Fix a bug with cpuid in the FTL.

        Rubber stamped by Mark Lam.

        Before uploading the previous patch, I tried to condense the code. I
        accidentally removed a crucial line saying that CPUID clobbers various
        registers.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):

2017-11-16  Saam Barati  <sbarati@apple.com>

        Add some X86 intrinsics to $vm to help with some perf testing
        https://bugs.webkit.org/show_bug.cgi?id=179693

        Reviewed by Mark Lam.

        I've been doing some local perf testing of various ideas and have
        had these come in handy. I'm going to land them to dollarVM to prevent
        having to add them to my local build every time I do perf testing.

        * assembler/MacroAssemblerX86Common.h:
        (JSC::MacroAssemblerX86Common::mfence):
        (JSC::MacroAssemblerX86Common::rdtsc):
        (JSC::MacroAssemblerX86Common::pause):
        (JSC::MacroAssemblerX86Common::cpuid):
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::rdtsc):
        (JSC::X86Assembler::pause):
        (JSC::X86Assembler::cpuid):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::intrinsic):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * tools/JSDollarVM.cpp:
        (JSC::functionCpuMfence):
        (JSC::functionCpuRdtsc):
        (JSC::functionCpuCpuid):
        (JSC::functionCpuPause):
        (JSC::functionCpuClflush):
        (JSC::JSDollarVM::finishCreation):

2017-11-16  JF Bastien  <jfbastien@apple.com>

        It should be easier to reify lazy property names
        https://bugs.webkit.org/show_bug.cgi?id=179734
        <rdar://problem/35492521>

        Reviewed by Keith Miller.

        We reify lazy property names in a few different ways, each
        specific to the JSCell implementation, in put() instead of having
        a special function to do reification. Let's make that simpler.

        This patch makes it easier to reify property names in a uniform
        manner, and does so in JSFunction. As a follow up I'll use the
        same mechanics for:

        ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
        ErrorConstructor  stackTraceLimit
        ErrorInstance     line, column, sourceURL, stack
        GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
        GetterSetter      RELEASE_ASSERT_NOT_REACHED()
        JSArray           length
        RegExpObject      lastIndex
        StringObject      length

        * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
        * runtime/JSCell.cpp:
        (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
        * runtime/JSCell.h:
        * runtime/JSFunction.cpp: `name` and `length` can be reified.
        (JSC::JSFunction::reifyPropertyNameIfNeeded):
        (JSC::JSFunction::put):
        (JSC::JSFunction::reifyLength):
        (JSC::JSFunction::reifyName):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyNameIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        * runtime/JSFunction.h:
        (JSC::JSFunction::isLazy):
        (JSC::JSFunction::isReified):
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putDirectInternal): do the reification here.

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Provide a runtime option for disabling the optimization of recursive tail calls
        https://bugs.webkit.org/show_bug.cgi?id=179765

        Reviewed by Mark Lam.

        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnter):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
        * runtime/Options.h:

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        Fix null pointer dereference in bytecodeDumper
        https://bugs.webkit.org/show_bug.cgi?id=179764

        Reviewed by Mark Lam.

        The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printCallOp):

2017-11-16  Robin Morisset  <rmorisset@apple.com>

        REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
        https://bugs.webkit.org/show_bug.cgi?id=179763
        <rdar://problem/35550513>

        Reviewed by Keith Miller.

        Fix null pointer dereference caused by an eliminated tdz_check.

        The problem was when doing an OSR entry in DFG while |this| was null
        (because super() had not yet been called in the constructor of this
        subclass), it would be marked as non-null, and the tdz_check eliminated.

        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::initialize):

2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r224863.

        Introduced LayoutTest crashes on iOS Simulator.

        Reverted changeset:

        "Move JSONValues to WTF and convert uses of InspectorValues.h
        to JSONValues.h"
        https://bugs.webkit.org/show_bug.cgi?id=173793
        https://trac.webkit.org/changeset/224863

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Gardening: CLoop build fix after r224862.
        https://bugs.webkit.org/show_bug.cgi?id=179699

        Not reviewed.

        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):

2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>

        Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
        https://bugs.webkit.org/show_bug.cgi?id=173793

        Reviewed by Brian Burg.

        Based on patch by Brian Burg.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bindings/ScriptValue.cpp:
        (Inspector::jsToInspectorValue):
        (Inspector::toInspectorValue):
        (Deprecated::ScriptValue::toInspectorValue const):
        * bindings/ScriptValue.h:
        * inspector/AsyncStackTrace.cpp:
        * inspector/ConsoleMessage.cpp:
        * inspector/ContentSearchUtilities.cpp:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::wrapCallFrames const):
        (Inspector::InjectedScript::wrapObject const):
        (Inspector::InjectedScript::wrapTable const):
        (Inspector::InjectedScript::previewValue const):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptManager.cpp:
        (Inspector::InjectedScriptManager::injectedScriptForObjectId):
        * inspector/InspectorBackendDispatcher.cpp:
        (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
        (Inspector::BackendDispatcher::dispatch):
        (Inspector::BackendDispatcher::sendResponse):
        (Inspector::BackendDispatcher::sendPendingErrors):
        (Inspector::BackendDispatcher::getPropertyValue):
        (Inspector::castToInteger):
        (Inspector::castToNumber):
        (Inspector::BackendDispatcher::getInteger):
        (Inspector::BackendDispatcher::getDouble):
        (Inspector::BackendDispatcher::getString):
        (Inspector::BackendDispatcher::getBoolean):
        (Inspector::BackendDispatcher::getObject):
        (Inspector::BackendDispatcher::getArray):
        (Inspector::BackendDispatcher::getValue):
        * inspector/InspectorBackendDispatcher.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::Array::openAccessors):
        (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
        (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
        * inspector/ScriptCallFrame.cpp:
        * inspector/ScriptCallStack.cpp:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::inspect):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::buildAssertPauseReason):
        (Inspector::buildCSPViolationPauseReason):
        (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
        (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
        (Inspector::buildObjectForBreakpointCookie):
        (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
        (Inspector::parseLocation):
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::setBreakpoint):
        (Inspector::InspectorDebuggerAgent::continueToLocation):
        (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
        (Inspector::InspectorDebuggerAgent::didParseSource):
        (Inspector::InspectorDebuggerAgent::breakProgram):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::saveResult):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
        (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
        * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
        (CppBackendDispatcherImplementationGenerator.generate_output):
        (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
        (CppFrontendDispatcherHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
        (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_unchecked_setter_for_member):
        * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
        (CppProtocolTypesImplementationGenerator):
        * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
        (ObjCBackendDispatcherImplementationGenerator.generate_output):
        (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
        * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
        (ObjCFrontendDispatcherImplementationGenerator.generate_output):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event):
        (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
        * inspector/scripts/codegen/generate_objc_internal_header.py:
        (ObjCInternalHeaderGenerator.generate_output):
        * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
        (ObjCProtocolTypesImplementationGenerator.generate_output):
        * inspector/scripts/codegen/generator.py:
        * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/generic/expected/domain-availability.json-result:
        * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
        * inspector/scripts/tests/generic/expected/enum-values.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
        * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
        * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
        * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
        * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
        * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179699
        <rdar://problem/35462346>

        Reviewed by Michael Saboff.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::dumpRegisters):
        - Need to skip the callee-saved registers.

2017-11-14  Guillaume Emont  <guijemont@igalia.com>

        REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
        https://bugs.webkit.org/show_bug.cgi?id=179563

        Reviewed by Carlos Alberto Lopez Perez.

        When run with BranchIfTruncateSuccessful,
        branchTruncateDoubleToInt32() should set the destination register
        before branching.
        This change also removes branchTruncateDoubleToUInt32() as it is
        deprecated (see r160205), merges branchOnTruncateResult() into
        branchTruncateDoubleToInt32() and adds test cases in testmasm.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
        Properly set dest before branching.
        (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
        * assembler/testmasm.cpp:
        (JSC::testBranchTruncateDoubleToInt32):
        (JSC::run):
        Add tests for branchTruncateDoubleToInt32().

2017-11-14  Daniel Bates  <dabates@apple.com>

        Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
        for feature defines

        Following r195498 and r201917 the Visual Studio property files for feature defines have
        moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
        Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
        files.

        * Configurations/FeatureDefines.xcconfig:

2017-11-14  Mark Lam  <mark.lam@apple.com>

        Remove JSDollarVMPrototype.
        https://bugs.webkit.org/show_bug.cgi?id=179685

        Reviewed by Saam Barati.

        1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.

           This allows us to call these functions during lldb debugging sessions using
           VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
           VMInspector provides VM debugging utility methods.  It doesn't make sense to
           have a JSDollarVMPrototype object provide these methods.

           Plus, it's shorter to type VMInspector than JSDollarVMPrototype.

        2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.

           JSDollarVM is a special object used only for debugging purposes.  There's no
           gain in requiring its methods to be stored in a prototype object other than to
           conform to typical JS convention.  We can remove this complexity.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVM.cpp:
        (JSC::JSDollarVM::addFunction):
        (JSC::functionCrash):
        (JSC::functionDFGTrue):
        (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
        (JSC::CallerFrameJITTypeFunctor::operator() const):
        (JSC::CallerFrameJITTypeFunctor::jitType):
        (JSC::functionLLintTrue):
        (JSC::functionJITTrue):
        (JSC::functionGC):
        (JSC::functionEdenGC):
        (JSC::functionCodeBlockForFrame):
        (JSC::codeBlockFromArg):
        (JSC::functionCodeBlockFor):
        (JSC::functionPrintSourceFor):
        (JSC::functionPrintBytecodeFor):
        (JSC::functionPrint):
        (JSC::functionPrintCallFrame):
        (JSC::functionPrintStack):
        (JSC::functionValue):
        (JSC::functionGetPID):
        (JSC::JSDollarVM::finishCreation):
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::create):
        * tools/JSDollarVMPrototype.cpp: Removed.
        * tools/JSDollarVMPrototype.h: Removed.
        * tools/VMInspector.cpp:
        (JSC::VMInspector::currentThreadOwnsJSLock):
        (JSC::ensureCurrentThreadOwnsJSLock):
        (JSC::VMInspector::gc):
        (JSC::VMInspector::edenGC):
        (JSC::VMInspector::isInHeap):
        (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
        (JSC::CellAddressCheckFunctor::operator() const):
        (JSC::VMInspector::isValidCell):
        (JSC::VMInspector::isValidCodeBlock):
        (JSC::VMInspector::codeBlockForFrame):
        (JSC::PrintFrameFunctor::PrintFrameFunctor):
        (JSC::PrintFrameFunctor::operator() const):
        (JSC::VMInspector::printCallFrame):
        (JSC::VMInspector::printStack):
        (JSC::VMInspector::printValue):
        * tools/VMInspector.h:

2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
        https://bugs.webkit.org/show_bug.cgi?id=179640
        <rdar://problem/35517361>

        Reviewed by Devin Rousso.

        * CMakeLists.txt:
        * DerivedSources.make:
        Gate the ServiceWorker domain on the ENABLE feature flag.

        * inspector/protocol/ServiceWorker.json: Added.
        New domain to be made available inside of a ServiceWorker target.

2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support Array::DirectArguments with OutOfBounds
        https://bugs.webkit.org/show_bug.cgi?id=179594

        Reviewed by Saam Barati.

        Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
        If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
        `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
        to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
        PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.

        This patch introduces the Array::DirectArguments+OutOfBounds array mode. GetByVal can
        accept this type, and emit optimized code compared to the Array::Generic case.

        We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) exit as OutOfBounds
        instead of ExoticObjectMode.

        This change significantly improves SixSpeed rest.es5 since it uses OOB access.
        Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.

            rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArrayMode.cpp:
        (JSC::DFG::ArrayMode::refine const):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):

2017-11-14  Saam Barati  <sbarati@apple.com>

        We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
        https://bugs.webkit.org/show_bug.cgi?id=179639
        <rdar://problem/35513018>

        Reviewed by JF Bastien.

        Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
        walk the stack for ShadowChicken (and maybe other things). We weren't updating
        topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
        use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
        this bug by giving Wasm::Instance a lambda that is called when we need to store
        the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
        Currently, JSWebAssemblyInstance passes in a lambda that stores to
        VM.topCallFrame.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::storeTopCallFrame):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyInstance.h:
        * wasm/js/WasmToJS.cpp:
        (JSC::Wasm::wasmToJSException):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::constructJSWebAssemblyInstance):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::instantiate):

2017-11-13  Saam Barati  <sbarati@apple.com>

        Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
        https://bugs.webkit.org/show_bug.cgi?id=179203

        Reviewed by Yusuke Suzuki.

        This patch only removes the pointer caging for the described types in the title.
        These types still allocate out of the gigacage. This is just a cost vs. benefit
        tradeoff of performance vs. security.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::storage):
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
        * runtime/HashMapImpl.h:
        * runtime/JSLexicalEnvironment.h:
        (JSC::JSLexicalEnvironment::variables):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::overflowStorage const):

2017-11-08  Keith Miller  <keith_miller@apple.com>

        Async iteration should only fetch the next method once and add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=179451

        Reviewed by Geoffrey Garen.

        Add feature flag for Async iteration. Also, change async iteration to match
        the expected behavior of the proposal.

        * Configurations/FeatureDefines.xcconfig:
        * builtins/AsyncFromSyncIteratorPrototype.js:
        (globalPrivate.createAsyncFromSyncIterator):
        (globalPrivate.AsyncFromSyncIteratorConstructor):
        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitGetAsyncIterator):
        * runtime/Options.h:

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Add more overflow check book-keeping for MarkedArgumentBuffer.
        https://bugs.webkit.org/show_bug.cgi?id=179634
        <rdar://problem/35492517>

        Reviewed by Saam Barati.

        * runtime/ArgList.h:
        (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
        * runtime/JSJob.cpp:
        (JSC::JSJobMicrotask::run):
        * runtime/ObjectConstructor.cpp:
        (JSC::defineProperties):
        * runtime/ReflectObject.cpp:
        (JSC::reflectObjectConstruct):

2017-11-13  Guillaume Emont  <guijemont@igalia.com>

        [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
        https://bugs.webkit.org/show_bug.cgi?id=179542

        Reviewed by Alex Christensen.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.

2017-11-13  Mark Lam  <mark.lam@apple.com>

        Make the jsc shell loadGetterFromGetterSetter() function more robust.
        https://bugs.webkit.org/show_bug.cgi?id=179619
        <rdar://problem/35492518>

        Reviewed by Saam Barati.

        * jsc.cpp:
        (functionLoadGetterFromGetterSetter):

2017-11-12  Darin Adler  <darin@apple.com>

        More is<> and downcast<>, less static_cast<>
        https://bugs.webkit.org/show_bug.cgi?id=179600

        Reviewed by Chris Dumez.

        * runtime/JSString.h:
        (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
        (JSC::jsSubstringOfResolved): Ditto.

2017-11-12  Mark Lam  <mark.lam@apple.com>

        We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
        https://bugs.webkit.org/show_bug.cgi?id=179562
        <rdar://problem/35467022>

        Reviewed by Saam Barati.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGOperations.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::SafeToExecuteEdge::operator()):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
        (JSC::DFG::SpeculativeJIT::speculate):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGUseKind.cpp:
        (WTF::printInternal):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::speculate):
        (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):

2017-11-11  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: Canvas tab: show detailed status during canvas recording
        https://bugs.webkit.org/show_bug.cgi?id=178185
        <rdar://problem/34939862>

        Reviewed by Brian Burg.

        * inspector/protocol/Canvas.json:
        Add a `recordingProgress` event that is sent to the frontend that contains all the frame
        payloads since the last Canvas.recordingProgress event and the current buffer usage.

        * inspector/protocol/Recording.json:
        Remove the required `frames` parameter from the Recording protocol object, as they will be
        sent in batches via the Canvas.recordingProgress event.

674 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
675
676         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
677         https://bugs.webkit.org/show_bug.cgi?id=179543
678
679         Reviewed by Antoine Quint.
680
681         * inspector/protocol/Network.json:
682         Use a better type for the status code.
683
684 2017-11-10  Robin Morisset  <rmorisset@apple.com>
685
686         The memory consumption of DFG::BasicBlock can be easily reduced a bit
687         https://bugs.webkit.org/show_bug.cgi?id=179528
688
689         Reviewed by Saam Barati.
690
691         A few changes here:
692         - Reordering some fields of DFG::BasicBlock to reduce padding
693         - Making the enum fields that are glorified booleans fit into a u8
694         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
695           This change works because we never increase the number of arguments after allocating an Operands object.
696           It lets us avoid one extra capacity field and one extra pointer field per Operands,
697           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
698           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
699           we have a chance to avoid an allocation.
700         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
701
702         * bytecode/Operands.h:
703         (JSC::Operands::Operands):
704         (JSC::Operands::numberOfArguments const):
705         (JSC::Operands::numberOfLocals const):
706         (JSC::Operands::argument):
707         (JSC::Operands::argument const):
708         (JSC::Operands::local):
709         (JSC::Operands::local const):
710         (JSC::Operands::ensureLocals):
711         (JSC::Operands::setLocal):
712         (JSC::Operands::getLocal):
713         (JSC::Operands::setArgumentFirstTime):
714         (JSC::Operands::setLocalFirstTime):
715         (JSC::Operands::operand):
716         (JSC::Operands::setOperand):
717         (JSC::Operands::size const):
718         (JSC::Operands::at const):
719         (JSC::Operands::at):
720         (JSC::Operands::isArgument const):
721         (JSC::Operands::isVariable const):
722         (JSC::Operands::virtualRegisterForIndex const):
723         (JSC::Operands::fill):
724         (JSC::Operands::operator== const):
725         (JSC::Operands::argumentForIndex const): Deleted.
726         (JSC::Operands::variableForIndex const): Deleted.
727         (JSC::Operands::indexForOperand const): Deleted.
728         * dfg/DFGBasicBlock.cpp:
729         (JSC::DFG::BasicBlock::BasicBlock):
730         * dfg/DFGBasicBlock.h:
731         * dfg/DFGBranchDirection.h:
732         * dfg/DFGStructureClobberState.h:
733
734 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
735
736         [JSC] Retry module fetching if previous request fails
737         https://bugs.webkit.org/show_bug.cgi?id=178168
738
739         Reviewed by Saam Barati.
740
741         According to the latest spec, the failed fetching operation can be retried if it is requested again.
742         For example,
743
744             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
745             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
746
747         When performing the first module fetching, the integrity check fails, and the load of this module fails.
748         But when loading the second module, we do not use the cached failure result from the first module loading.
749         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
750         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
751
752         Interestingly, fetching result and instantiation result will be cached if they succeed. This is because we would
753         like to cache modules based on their URLs. As a result,
754
755             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
756             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
757
758         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
759         instantiation are cached in the module pipeline.
760
761         This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
762         failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
763         if the previous one fails. As an overview of our change,
764
765         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
766            be unified. But if the currently executing one fails, other attempts should retry fetching.
767
768         2. Instantiation should be cached if fetching succeeds.
769
770         3. Satisfying should be cached if it succeeds.
771
772         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
773
774         * builtins/ModuleLoaderPrototype.js:
775         (requestFetch):
776         (requestInstantiate):
777         (requestSatisfy):
778         (link):
779         (loadModule):
780         * runtime/JSGlobalObject.cpp:
781         (JSC::JSGlobalObject::init):
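
The retry semantics described in this entry, as an added example that is not part of the WebKit patch or of this ChangeLog: a small JavaScript module-pipeline cache implementing points 1 and 2 above for the fetch stage (cache a fetch only on success, unify concurrent requests for one URL, let a waiter retry with its own integrity value when the shared in-flight fetch fails, and keep a successful result for every later request regardless of its integrity value). The `ModulePipeline` class, the in-memory "network", the text of `./A.js` and the `fnv1a-` integrity strings are constructed for this example; real subresource integrity uses sha256/sha384/sha512 digests, the FNV-1a stand-in only keeps the example free of a crypto dependency.

```javascript
// Added example, not WebKit code: a module-pipeline cache with the retry
// semantics from the ChangeLog entry above (fetch stage only).
//
// Constructed stand-ins (not from the page): the "network" below, the module
// text of ./A.js, and an FNV-1a digest used in place of the SRI
// sha256/sha384/sha512 digests so the example runs without a crypto module.

const NETWORK = { './A.js': 'export const a = 1;' };

// Stand-in for an SRI digest: "fnv1a-<hex>" over the source text.
function integrityOf(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return 'fnv1a-' + h.toString(16).padStart(8, '0');
}

class ModulePipeline {
  constructor(fetchImpl) {
    this.fetchImpl = fetchImpl;   // (url) => Promise<string>
    this.inflight = new Map();    // url -> promise of a fetched record; only successes stay
    this.fetchCount = new Map();  // url -> number of fetches actually issued
  }

  // Issue one real fetch and check this request's integrity metadata against it.
  startFetch(url, integrity) {
    this.fetchCount.set(url, (this.fetchCount.get(url) || 0) + 1);
    const promise = (async () => {
      const source = await this.fetchImpl(url);
      if (integrity !== integrityOf(source))
        throw new Error(`integrity mismatch for ${url}`);
      return { url, source };
    })();
    this.inflight.set(url, promise);
    return promise;
  }

  // Point 1 of the entry: concurrent requests for one URL share the in-flight
  // fetch; a failure is dropped from the cache and a waiter retries with its
  // own integrity value; a success stays cached for every later request.
  async requestFetch(url, integrity) {
    let mine = false;
    for (;;) {
      let entry = this.inflight.get(url);
      if (!entry) { entry = this.startFetch(url, integrity); mine = true; }
      try {
        return await entry;
      } catch (err) {
        if (this.inflight.get(url) === entry) this.inflight.delete(url);
        if (mine) throw err;      // our own fetch failed: report it, do not loop
      }
    }
  }
}

const GOOD = integrityOf(NETWORK['./A.js']);
const BAD = 'fnv1a-deadbeef';                       // constructed wrong digest
const outcome = (p) => p.then(() => 'ok', () => 'failed');

// <script type="module" integrity="bad"> then <script type="module" integrity="correct">
async function badThenGood() {
  const pipeline = new ModulePipeline(async (url) => NETWORK[url]);
  const first = await outcome(pipeline.requestFetch('./A.js', BAD));
  const second = await outcome(pipeline.requestFetch('./A.js', GOOD));
  return { first, second, fetches: pipeline.fetchCount.get('./A.js') };
}

// correct first, then bad: the cached success is reused, the bad value is never checked
async function goodThenBad() {
  const pipeline = new ModulePipeline(async (url) => NETWORK[url]);
  const first = await outcome(pipeline.requestFetch('./A.js', GOOD));
  const second = await outcome(pipeline.requestFetch('./A.js', BAD));
  return { first, second, fetches: pipeline.fetchCount.get('./A.js') };
}

// both tags issued before either fetch completes: the second waits on the
// first's in-flight fetch, sees it fail, and retries with its own digest
async function concurrentBadThenGood() {
  const pipeline = new ModulePipeline(async (url) => NETWORK[url]);
  const [first, second] = await Promise.all([
    outcome(pipeline.requestFetch('./A.js', BAD)),
    outcome(pipeline.requestFetch('./A.js', GOOD)),
  ]);
  return { first, second, fetches: pipeline.fetchCount.get('./A.js') };
}

Promise.all([badThenGood(), goodThenBad(), concurrentBadThenGood()])
  .then((results) => console.log(JSON.stringify(results)));
```

The asymmetry the entry points out is visible in the second scenario: once a fetch has succeeded under one integrity value, a later tag naming the same URL with a different value gets the cached module without any check, because the cache is keyed by URL alone.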
782
783 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
784
785         Web Inspector: support undo/redo of insertAdjacentHTML
786         https://bugs.webkit.org/show_bug.cgi?id=179283
787
788         Reviewed by Joseph Pecoraro.
789
790         * inspector/protocol/DOM.json:
791         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
792         on the given node.
793
794 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
795
796         Web Inspector: Make domain availability a list of types instead of a single type
797         https://bugs.webkit.org/show_bug.cgi?id=179457
798
799         Reviewed by Brian Burg.
800
801         * inspector/scripts/codegen/generate_js_backend_commands.py:
802         (JSBackendCommandsGenerator.generate_domain):
803         Update output of `InspectorBackend.activateDomain` to include the list.
804
805         * inspector/scripts/codegen/models.py:
806         (Protocol.parse_domain):
807         Parse `availability` as a list and include a new supported value of "service-worker".
808
809         * inspector/protocol/ApplicationCache.json:
810         * inspector/protocol/CSS.json:
811         * inspector/protocol/Canvas.json:
812         * inspector/protocol/DOM.json:
813         * inspector/protocol/DOMDebugger.json:
814         * inspector/protocol/DOMStorage.json:
815         * inspector/protocol/Database.json:
816         * inspector/protocol/IndexedDB.json:
817         * inspector/protocol/LayerTree.json:
818         * inspector/protocol/Memory.json:
819         * inspector/protocol/Network.json:
820         * inspector/protocol/Page.json:
821         * inspector/protocol/Timeline.json:
822         * inspector/protocol/Worker.json:
823         Update `availability` to be a list.
824
825         * inspector/scripts/tests/generic/domain-availability.json:
826         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
827         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
828         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
829         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
830         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
831         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
832         Update tests to include a test for the type and an invalid value.
833
834 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
835
836         [JSC][JIT] Clean up SlowPathCall stubs
837         https://bugs.webkit.org/show_bug.cgi?id=179247
838
839         Reviewed by Saam Barati.
840
841         We have a bunch of duplicate functions that just call a slow path function.
842         This patch cleans up the above duplication.
843
844         * jit/JIT.cpp:
845         (JSC::JIT::emitSlowCaseCall):
846         (JSC::JIT::privateCompileSlowCases):
847         * jit/JIT.h:
848         * jit/JITArithmetic.cpp:
849         (JSC::JIT::emitSlow_op_unsigned): Deleted.
850         (JSC::JIT::emitSlow_op_inc): Deleted.
851         (JSC::JIT::emitSlow_op_dec): Deleted.
852         (JSC::JIT::emitSlow_op_bitand): Deleted.
853         (JSC::JIT::emitSlow_op_bitor): Deleted.
854         (JSC::JIT::emitSlow_op_bitxor): Deleted.
855         (JSC::JIT::emitSlow_op_lshift): Deleted.
856         (JSC::JIT::emitSlow_op_rshift): Deleted.
857         (JSC::JIT::emitSlow_op_urshift): Deleted.
858         (JSC::JIT::emitSlow_op_div): Deleted.
859         * jit/JITArithmetic32_64.cpp:
860         (JSC::JIT::emitSlow_op_unsigned): Deleted.
861         (JSC::JIT::emitSlow_op_inc): Deleted.
862         (JSC::JIT::emitSlow_op_dec): Deleted.
863         * jit/JITOpcodes.cpp:
864         (JSC::JIT::emitSlow_op_create_this): Deleted.
865         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
866         (JSC::JIT::emitSlow_op_to_this): Deleted.
867         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
868         (JSC::JIT::emitSlow_op_not): Deleted.
869         (JSC::JIT::emitSlow_op_stricteq): Deleted.
870         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
871         (JSC::JIT::emitSlow_op_to_number): Deleted.
872         (JSC::JIT::emitSlow_op_to_string): Deleted.
873         (JSC::JIT::emitSlow_op_to_object): Deleted.
874         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
875         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
876         * jit/JITOpcodes32_64.cpp:
877         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
878         (JSC::JIT::emitSlow_op_not): Deleted.
879         (JSC::JIT::emitSlow_op_stricteq): Deleted.
880         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
881         (JSC::JIT::emitSlow_op_to_number): Deleted.
882         (JSC::JIT::emitSlow_op_to_string): Deleted.
883         (JSC::JIT::emitSlow_op_to_object): Deleted.
884         (JSC::JIT::emitSlow_op_create_this): Deleted.
885         (JSC::JIT::emitSlow_op_to_this): Deleted.
886         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
887         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
888         * jit/JITPropertyAccess.cpp:
889         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
890         * jit/JITPropertyAccess32_64.cpp:
891         (JSC::JIT::emit_op_resolve_scope):
892         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
893         * jit/SlowPathCall.h:
894         (JSC::JITSlowPathCall::JITSlowPathCall):
895         * runtime/CommonSlowPaths.cpp:
896         (JSC::SLOW_PATH_DECL):
897         * runtime/CommonSlowPaths.h:
898
899 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
900
901         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
902         https://bugs.webkit.org/show_bug.cgi?id=179446
903
904         Reviewed by Žan Doberšek.
905
906         The trunc.w.d mips instruction should give a 0x7fffffff result when
907         the source value is Infinity, NaN, or rounds to an integer outside the
908         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
909         branchTruncateDoubleToUInt32() have been relying on. It turns out that
910         this assumption is not true on some CPUs, including on the ci20 on
911         which we run the testbot (we get 0x80000000 instead). We should use the
912         invalid operation cause bit instead to check whether the source value
913         could be properly truncated. This requires the addition of the cfc1
914         instruction, as well as the special registers that can be used with it
915         (control registers of CP1).
916
917         * assembler/MIPSAssembler.h:
918         (JSC::MIPSAssembler::firstSPRegister):
919         (JSC::MIPSAssembler::lastSPRegister):
920         (JSC::MIPSAssembler::numberOfSPRegisters):
921         (JSC::MIPSAssembler::sprName):
922         Added control registers of CP1.
923         (JSC::MIPSAssembler::cfc1):
924         Added.
925         * assembler/MacroAssemblerMIPS.h:
926         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
927         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
928         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
929         Use fcsr to check if the value could be properly truncated.
930
931 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
932
933         HTMLMediaElement should not use element fullscreen on iOS
934         https://bugs.webkit.org/show_bug.cgi?id=179418
935         rdar://problem/35409277
936
937         Reviewed by Eric Carlson.
938
939         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
940
941         * Configurations/FeatureDefines.xcconfig:
942
943 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
944
945         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
946         https://bugs.webkit.org/show_bug.cgi?id=179276
947
948         Reviewed by Andy Estes.
949
950         * inspector/InjectedScriptHost.h:
951         * inspector/JSInjectedScriptHost.cpp:
952         (Inspector::JSInjectedScriptHost::getInternalProperties):
953         Call through to virtual implementation so that WebCore can provide custom
954         internal properties for Web / DOM objects.
955
956 2017-11-08  Saam Barati  <sbarati@apple.com>
957
958         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
959         https://bugs.webkit.org/show_bug.cgi?id=177792
960
961         Reviewed by Yusuke Suzuki.
962
963         Before this patch, if a JSFunction's rare data initialized its allocation profile
964         before its backing Executable's poly proto watchpoint was invalidated, that
965         JSFunction would continue to allocate non-poly proto objects until its allocation
966         profile was cleared (which essentially never happens in practice). This patch
967         improves on this pathology. A JSFunction's rare data will now watch the poly
968         proto watchpoint if it's still valid and clear its allocation profile when we
969         detect that we should go poly proto.
970
971         * bytecode/ObjectAllocationProfile.h:
972         * bytecode/ObjectAllocationProfileInlines.h:
973         (JSC::ObjectAllocationProfile::initializeProfile):
974         * runtime/FunctionRareData.cpp:
975         (JSC::FunctionRareData::initializeObjectAllocationProfile):
976         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
977         * runtime/FunctionRareData.h:
978         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
979         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
980         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
981
982 2017-11-08  Keith Miller  <keith_miller@apple.com>
983
984         Add super sampler begin and end bytecodes.
985         https://bugs.webkit.org/show_bug.cgi?id=179376
986
987         Reviewed by Filip Pizlo.
988
989         This patch adds a way to measure a narrow range of bytecodes for
990         performance. This is done using the same infrastructure as the
991         super sampler. I also added a class that helps do the bytecode
992         checking with RAII. One problem with the current way this is done
993         is that we don't handle decrementing early exits, either from
994         branches or exceptions. So, when using this API users need to
995         ensure that there are no early exits or that those exits don't
996         occur in the measured code.
997
998         * JavaScriptCore.xcodeproj/project.pbxproj:
999         * bytecode/BytecodeDumper.cpp:
1000         (JSC::BytecodeDumper<Block>::dumpBytecode):
1001         * bytecode/BytecodeList.json:
1002         * bytecode/BytecodeUseDef.h:
1003         (JSC::computeUsesForBytecodeOffset):
1004         (JSC::computeDefsForBytecodeOffset):
1005         * bytecompiler/BytecodeGenerator.cpp:
1006         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
1007         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
1008         * bytecompiler/BytecodeGenerator.h:
1009         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
1010         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
1011         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
1012         * dfg/DFGAbstractInterpreterInlines.h:
1013         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1014         * dfg/DFGByteCodeParser.cpp:
1015         (JSC::DFG::ByteCodeParser::parseBlock):
1016         * dfg/DFGClobberize.h:
1017         (JSC::DFG::clobberize):
1018         * dfg/DFGClobbersExitState.cpp:
1019         (JSC::DFG::clobbersExitState):
1020         * dfg/DFGDoesGC.cpp:
1021         (JSC::DFG::doesGC):
1022         * dfg/DFGFixupPhase.cpp:
1023         (JSC::DFG::FixupPhase::fixupNode):
1024         * dfg/DFGMayExit.cpp:
1025         * dfg/DFGNodeType.h:
1026         * dfg/DFGPredictionPropagationPhase.cpp:
1027         * dfg/DFGSafeToExecute.h:
1028         (JSC::DFG::safeToExecute):
1029         * dfg/DFGSpeculativeJIT.cpp:
1030         * dfg/DFGSpeculativeJIT32_64.cpp:
1031         (JSC::DFG::SpeculativeJIT::compile):
1032         * dfg/DFGSpeculativeJIT64.cpp:
1033         (JSC::DFG::SpeculativeJIT::compile):
1034         * ftl/FTLCapabilities.cpp:
1035         (JSC::FTL::canCompile):
1036         * ftl/FTLLowerDFGToB3.cpp:
1037         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1038         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
1039         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
1040         * jit/JIT.cpp:
1041         (JSC::JIT::privateCompileMainPass):
1042         * jit/JIT.h:
1043         * jit/JITOpcodes.cpp:
1044         (JSC::JIT::emit_op_super_sampler_begin):
1045         (JSC::JIT::emit_op_super_sampler_end):
1046         * llint/LLIntSlowPaths.cpp:
1047         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1048         * llint/LLIntSlowPaths.h:
1049         * llint/LowLevelInterpreter.asm:
1050
1051 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1052
1053         Turn recursive tail calls into loops
1054         https://bugs.webkit.org/show_bug.cgi?id=176601
1055
1056         Reviewed by Saam Barati.
1057
1058         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1059
1060         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
1061         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
1062         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
1063         We do this part through modifying the computation of the jump targets.
1064         Importantly, we only do this splitting for functions that have tail calls.
1065         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
1066
1067         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
1068         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
1069
1070         * bytecode/CodeBlock.h:
1071         (JSC::CodeBlock::hasTailCalls const):
1072         * bytecode/PreciseJumpTargets.cpp:
1073         (JSC::getJumpTargetsForBytecodeOffset):
1074         (JSC::computePreciseJumpTargetsInternal):
1075         * bytecode/UnlinkedCodeBlock.cpp:
1076         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1077         * bytecode/UnlinkedCodeBlock.h:
1078         (JSC::UnlinkedCodeBlock::hasTailCalls const):
1079         (JSC::UnlinkedCodeBlock::setHasTailCalls):
1080         * bytecompiler/BytecodeGenerator.cpp:
1081         (JSC::BytecodeGenerator::emitEnter):
1082         (JSC::BytecodeGenerator::emitCallInTailPosition):
1083         * dfg/DFGByteCodeParser.cpp:
1084         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1085         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
1086         (JSC::DFG::ByteCodeParser::handleCall):
1087         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1088         (JSC::DFG::ByteCodeParser::parseBlock):
1089         (JSC::DFG::ByteCodeParser::parse):
1090
1091 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1092
1093         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
1094         https://bugs.webkit.org/show_bug.cgi?id=179407
1095
1096         Reviewed by Matt Baker.
1097
1098         * inspector/protocol/Page.json:
1099         Remove unused protocol type.
1100
1101 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
1102
1103         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
1104         https://bugs.webkit.org/show_bug.cgi?id=173619
1105
1106         Reviewed by Alex Christensen and Brian Burg.
1107
1108         Eventually all classes used for our JSON-RPC message passing should be outside
1109         of the Inspector namespace since the protocol is used outside of Inspector code.
1110         This will also allow us to unify the primitive JSON types with parametric types
1111         like Inspector::Protocol::Array<T> and other protocol-related types which don't
1112         need to be in the Inspector namespace.
1113
1114         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
1115         patches, other clients will move to use JSON::Value and friends. When all uses are
1116         changed, the actual implementation will be renamed. This patch just focuses on the typedef
1117         and making changes in generated protocol code.
1118
1119         Original patch by Brian Burg, rebased and updated by me.
1120
1121         * inspector/InspectorValues.cpp:
1122         * inspector/InspectorValues.h:
1123         * inspector/scripts/codegen/cpp_generator.py:
1124         (CppGenerator.cpp_protocol_type_for_type):
1125         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
1126         (CppGenerator.cpp_type_for_type_with_name):
1127         (CppGenerator.cpp_type_for_stack_in_parameter):
1128         * inspector/scripts/codegen/cpp_generator_templates.py:
1129         (void):
1130         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1131         (_generate_class_for_object_declaration):
1132         (_generate_forward_declarations_for_binding_traits):
1133         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1134         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
1135         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1136         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1137         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1138         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1139         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1140         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1141         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1142         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1143         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1144         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1145         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1146         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1147         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1148         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1149         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1150
1151 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
1152
1153         Get rid of unsightly hex numbers from unified build object files
1154         https://bugs.webkit.org/show_bug.cgi?id=179410
1155
1156         Reviewed by Saam Barati.
1157
1158         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
1159
1160 2017-11-07  Saam Barati  <sbarati@apple.com>
1161
1162         Only cage double butterfly accesses
1163         https://bugs.webkit.org/show_bug.cgi?id=179202
1164
1165         Reviewed by Mark Lam.
1166
1167         This patch removes caging from all butterfly accesses except double loads/stores.
1168         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
1169         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
1170         by caging. The other load/stores we are no longer caging to get back performance on
1171         various benchmarks.
1172
1173         * bytecode/AccessCase.cpp:
1174         (JSC::AccessCase::generateImpl):
1175         * bytecode/InlineAccess.cpp:
1176         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1177         (JSC::InlineAccess::generateSelfPropertyAccess):
1178         (JSC::InlineAccess::generateSelfPropertyReplace):
1179         (JSC::InlineAccess::generateArrayLength):
1180         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
1181         * dfg/DFGSpeculativeJIT.cpp:
1182         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1183         (JSC::DFG::SpeculativeJIT::compileSpread):
1184         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1185         * dfg/DFGSpeculativeJIT64.cpp:
1186         (JSC::DFG::SpeculativeJIT::compile):
1187         * ftl/FTLLowerDFGToB3.cpp:
1188         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1189         * jit/JITPropertyAccess.cpp:
1190         (JSC::JIT::emitContiguousLoad):
1191         (JSC::JIT::emitArrayStorageLoad):
1192         (JSC::JIT::emitGenericContiguousPutByVal):
1193         (JSC::JIT::emitArrayStoragePutByVal):
1194         (JSC::JIT::emit_op_get_from_scope):
1195         (JSC::JIT::emit_op_put_to_scope):
1196         * llint/LowLevelInterpreter64.asm:
1197         * runtime/AuxiliaryBarrier.h:
1198         (JSC::AuxiliaryBarrier::operator-> const):
1199         * runtime/Butterfly.h:
1200         (JSC::Butterfly::caged):
1201         (JSC::Butterfly::contiguousDouble):
1202         * runtime/JSArray.cpp:
1203         (JSC::JSArray::setLength):
1204         (JSC::JSArray::pop):
1205         (JSC::JSArray::shiftCountWithAnyIndexingType):
1206         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1207         (JSC::JSArray::fillArgList):
1208         (JSC::JSArray::copyToArguments):
1209         * runtime/JSArrayInlines.h:
1210         (JSC::JSArray::pushInline):
1211         * runtime/JSObject.cpp:
1212         (JSC::JSObject::heapSnapshot):
1213         (JSC::JSObject::createInitialIndexedStorage):
1214         (JSC::JSObject::createArrayStorage):
1215         (JSC::JSObject::convertUndecidedToInt32):
1216         (JSC::JSObject::ensureLengthSlow):
1217         (JSC::JSObject::reallocateAndShrinkButterfly):
1218         (JSC::JSObject::allocateMoreOutOfLineStorage):
1219         * runtime/JSObject.h:
1220         (JSC::JSObject::canGetIndexQuickly):
1221         (JSC::JSObject::getIndexQuickly):
1222         (JSC::JSObject::tryGetIndexQuickly const):
1223         (JSC::JSObject::canSetIndexQuickly):
1224         (JSC::JSObject::butterfly const):
1225         (JSC::JSObject::butterfly):
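
The reasoning behind caging only the double accesses, as an added JavaScript example that is not part of the WebKit patch or of this ChangeLog: it shows that a raw IEEE double slot preserves any 64-bit pattern (so a type-confused read of a contiguous-double butterfly yields an attacker-chosen pointer), that the same value boxed as a JSValue can never be pointer-shaped, and how a base-plus-masked-offset cage forces a forged address back inside the cage. The cage size and base, the forged address and all helper names are constructed; the 2^49 double-encode offset and the zero-top-16-bits pointer shape follow JSC's 64-bit JSValue scheme, which this entry does not spell out, and the cage arithmetic keeps Gigacage's shape but not its real geometry.

```javascript
// Added example, not WebKit code: why a butterfly of doubles is the one
// store that can plant an arbitrary 64-bit pattern, and what caging the
// load does with it. The cage geometry below is constructed; it keeps the
// shape of a base-plus-masked-offset cage but not Gigacage's real sizes.

// Reinterpret the 8 bytes of a double as an unsigned 64-bit integer and back.
function bitsOfDouble(d) {
  const buf = new ArrayBuffer(8);
  new Float64Array(buf)[0] = d;
  return new BigUint64Array(buf)[0];
}
function doubleFromBits(bits) {
  const buf = new ArrayBuffer(8);
  new BigUint64Array(buf)[0] = BigInt.asUintN(64, bits);
  return new Float64Array(buf)[0];
}

// JSC's 64-bit JSValue encoding (NaN-boxing): a pointer is a word whose top
// 16 bits are zero; a double is stored as its bits plus 2^49, so no double
// can produce a pointer-shaped word once it is boxed. A contiguous-double
// butterfly stores the raw bits instead, which is the case the entry cages.
const DOUBLE_ENCODE_OFFSET = 1n << 49n;
function boxDouble(bits) { return BigInt.asUintN(64, bits + DOUBLE_ENCODE_OFFSET); }
function looksLikePointer(word) { return word !== 0n && (word >> 48n) === 0n; }

// Constructed cage: 4 GiB at a base aligned to its size; caged(p) keeps only
// the offset inside the cage, so any forged address lands back inside it.
const CAGE_SIZE = 1n << 32n;
const CAGE_BASE = 1n << 33n;
const CAGE_MASK = CAGE_SIZE - 1n;
function caged(ptr) { return CAGE_BASE + (BigInt.asUintN(64, ptr) & CAGE_MASK); }
function inCage(ptr) { return ptr >= CAGE_BASE && ptr < CAGE_BASE + CAGE_SIZE; }

// An attacker who controls a double store and can then read the same slot as
// a pointer: the forged address survives the double round trip exactly
// (the chosen pattern is a subnormal, not a NaN, so no canonicalisation).
function forgedPointerDemo() {
  const forged = 0x00007f5a2b3c4d58n;          // constructed: a plausible user-space address
  const recovered = bitsOfDouble(doubleFromBits(forged));
  return {
    roundTripExact: recovered === forged,       // raw double slot: the pattern is preserved
    rawWordIsPointer: looksLikePointer(recovered),
    boxedWordIsPointer: looksLikePointer(boxDouble(recovered)), // JSValue slot: never
    forgedInCage: inCage(recovered),            // the forged target lies outside the cage
    cagedInCage: inCage(caged(recovered)),      // after caging the load stays inside it
    cagedOffset: caged(recovered) - CAGE_BASE,  // only the low 32 bits of the address survive
    legitUnchanged: caged(CAGE_BASE + 0x1000n) === CAGE_BASE + 0x1000n,
  };
}

console.log(forgedPointerDemo());
```

Caging does not make the double load correct, it only bounds where it can read or write: a forged pointer still dereferences something, but that something is inside the cage rather than an arbitrary address. That is the tradeoff the entry accepts for the other butterfly accesses, whose boxed contents cannot carry a pointer-shaped word in the first place.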
1226
1227 2017-11-07  Mark Lam  <mark.lam@apple.com>
1228
1229         Introduce a default RegisterSet constructor so that we can use { } notation.
1230         https://bugs.webkit.org/show_bug.cgi?id=179389
1231
1232         Reviewed by Saam Barati.
1233
1234         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
1235         does not add any code documentation value.
1236
1237         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1238         * b3/air/AirCode.cpp:
1239         (JSC::B3::Air::Code::setRegsInPriorityOrder):
1240         * b3/air/AirPrintSpecial.cpp:
1241         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
1242         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
1243         * b3/air/testair.cpp:
1244         * bytecode/PolymorphicAccess.h:
1245         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
1246         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
1247         * dfg/DFGJITCode.cpp:
1248         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1249         * ftl/FTLJITCode.cpp:
1250         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1251         * jit/JITCode.cpp:
1252         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
1253         * jit/RegisterSet.cpp:
1254         (JSC::RegisterSet::reservedHardwareRegisters):
1255         (JSC::RegisterSet::runtimeRegisters):
1256         (JSC::RegisterSet::macroScratchRegisters):
1257         * jit/RegisterSet.h:
1258         (JSC::RegisterSet::RegisterSet):
1259         * wasm/WasmB3IRGenerator.cpp:
1260         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1261
1262 2017-11-07  Mark Lam  <mark.lam@apple.com>
1263
1264         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
1265         https://bugs.webkit.org/show_bug.cgi?id=179355
1266         <rdar://problem/35263053>
1267
1268         Reviewed by Saam Barati.
1269
1270         In the Transition case in AccessCase::generateImpl(), we were restoring registers
1271         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
1272         where we previously stashed the reallocated butterfly.  If the generated code is
1273         under heavy register pressure, scratchGPR could have been from the set of preserved
1274         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
1275         As a result, the restoration would trash the butterfly result we stored there.
1276         This patch fixes the issue by excluding the scratchGPR in the restoration.
1277
1278         * bytecode/AccessCase.cpp:
1279         (JSC::AccessCase::generateImpl):
1280
1281 2017-11-06  Robin Morisset  <rmorisset@apple.com>
1282
1283         CodeBlock::usesOpcode() is dead code
1284         https://bugs.webkit.org/show_bug.cgi?id=179316
1285
1286         Reviewed by Yusuke Suzuki.
1287
1288         Remove CodeBlock::usesOpcode which is dead code
1289
1290         * bytecode/CodeBlock.cpp:
1291         * bytecode/CodeBlock.h:
1292
1293 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1294
1295         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
1296         https://bugs.webkit.org/show_bug.cgi?id=144458
1297
1298         Reviewed by Saam Barati.
1299
1300         Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
1301         InternalFunction calls are not cached and they always go to the slow path. This is not good because
1302
1303         1. We need to query getCallData/getConstructData every time in the slow path.
1304         2. CallLinkInfo tells nothing in the higher tier JITs.
1305
1306         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
1307         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
1308         InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism.
1309
1310         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
1311         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
1312         case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
1313         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
1314
1315         Attached microbenchmarks show performance improvement.
1316
1317                                                            baseline                  patched
1318
1319         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
1320         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
1321         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
1322         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
1323
1324         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
1325
1326         * API/JSCallbackFunction.cpp:
1327         (JSC::JSCallbackFunction::JSCallbackFunction):
1328         (JSC::JSCallbackFunction::getCallData): Deleted.
1329         * API/JSCallbackFunction.h:
1330         (JSC::JSCallbackFunction::createStructure):
1331         * API/ObjCCallbackFunction.h:
1332         (JSC::ObjCCallbackFunction::createStructure):
1333         * API/ObjCCallbackFunction.mm:
1334         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
1335         (JSC::ObjCCallbackFunction::getCallData): Deleted.
1336         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
1337         * bytecode/BytecodeDumper.cpp:
1338         (JSC::BytecodeDumper<Block>::printCallOp):
1339         * bytecode/BytecodeList.json:
1340         * bytecode/CallLinkInfo.cpp:
1341         (JSC::CallLinkInfo::setCallee):
1342         (JSC::CallLinkInfo::callee):
1343         (JSC::CallLinkInfo::setLastSeenCallee):
1344         (JSC::CallLinkInfo::lastSeenCallee):
1345         (JSC::CallLinkInfo::visitWeak):
1346         * bytecode/CallLinkInfo.h:
1347         * bytecode/CallLinkStatus.cpp:
1348         (JSC::CallLinkStatus::computeFromCallLinkInfo):
1349         * bytecode/LLIntCallLinkInfo.h:
1350         * jit/JITOperations.cpp:
1351         * jit/JITThunks.cpp:
1352         (JSC::JITThunks::ctiInternalFunctionCall):
1353         (JSC::JITThunks::ctiInternalFunctionConstruct):
1354         * jit/JITThunks.h:
1355         * jit/Repatch.cpp:
1356         (JSC::linkFor):
1357         (JSC::linkPolymorphicCall):
1358         * jit/Repatch.h:
1359         * jit/ThunkGenerators.cpp:
1360         (JSC::virtualThunkFor):
1361         (JSC::nativeForGenerator):
1362         (JSC::nativeCallGenerator):
1363         (JSC::nativeTailCallGenerator):
1364         (JSC::nativeTailCallWithoutSavedTagsGenerator):
1365         (JSC::nativeConstructGenerator):
1366         (JSC::internalFunctionCallGenerator):
1367         (JSC::internalFunctionConstructGenerator):
1368         * jit/ThunkGenerators.h:
1369         * llint/LLIntSlowPaths.cpp:
1370         (JSC::LLInt::setUpCall):
1371         * llint/LowLevelInterpreter.asm:
1372         * llint/LowLevelInterpreter32_64.asm:
1373         * llint/LowLevelInterpreter64.asm:
1374         * runtime/ArrayConstructor.cpp:
1375         (JSC::ArrayConstructor::ArrayConstructor):
1376         (JSC::ArrayConstructor::getConstructData): Deleted.
1377         (JSC::ArrayConstructor::getCallData): Deleted.
1378         * runtime/ArrayConstructor.h:
1379         (JSC::ArrayConstructor::createStructure):
1380         * runtime/AsyncFunctionConstructor.cpp:
1381         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
1382         (JSC::AsyncFunctionConstructor::finishCreation):
1383         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
1384         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
1385         * runtime/AsyncFunctionConstructor.h:
1386         (JSC::AsyncFunctionConstructor::createStructure):
1387         * runtime/AsyncGeneratorFunctionConstructor.cpp:
1388         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
1389         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1390         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
1391         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
1392         * runtime/AsyncGeneratorFunctionConstructor.h:
1393         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
1394         * runtime/BooleanConstructor.cpp:
1395         (JSC::callBooleanConstructor):
1396         (JSC::BooleanConstructor::BooleanConstructor):
1397         (JSC::BooleanConstructor::finishCreation):
1398         (JSC::BooleanConstructor::getConstructData): Deleted.
1399         (JSC::BooleanConstructor::getCallData): Deleted.
1400         * runtime/BooleanConstructor.h:
1401         (JSC::BooleanConstructor::createStructure):
1402         * runtime/DateConstructor.cpp:
1403         (JSC::DateConstructor::DateConstructor):
1404         (JSC::DateConstructor::getConstructData): Deleted.
1405         (JSC::DateConstructor::getCallData): Deleted.
1406         * runtime/DateConstructor.h:
1407         (JSC::DateConstructor::createStructure):
1408         * runtime/Error.h:
1409         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
1410         (JSC::StrictModeTypeErrorFunction::createStructure):
1411         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
1412         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
1413         * runtime/ErrorConstructor.cpp:
1414         (JSC::ErrorConstructor::ErrorConstructor):
1415         (JSC::ErrorConstructor::getConstructData): Deleted.
1416         (JSC::ErrorConstructor::getCallData): Deleted.
1417         * runtime/ErrorConstructor.h:
1418         (JSC::ErrorConstructor::createStructure):
1419         * runtime/FunctionConstructor.cpp:
1420         (JSC::FunctionConstructor::FunctionConstructor):
1421         (JSC::FunctionConstructor::finishCreation):
1422         (JSC::FunctionConstructor::getConstructData): Deleted.
1423         (JSC::FunctionConstructor::getCallData): Deleted.
1424         * runtime/FunctionConstructor.h:
1425         (JSC::FunctionConstructor::createStructure):
1426         * runtime/FunctionPrototype.cpp:
1427         (JSC::callFunctionPrototype):
1428         (JSC::FunctionPrototype::FunctionPrototype):
1429         (JSC::FunctionPrototype::getCallData): Deleted.
1430         * runtime/FunctionPrototype.h:
1431         (JSC::FunctionPrototype::createStructure):
1432         * runtime/GeneratorFunctionConstructor.cpp:
1433         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
1434         (JSC::GeneratorFunctionConstructor::finishCreation):
1435         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
1436         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
1437         * runtime/GeneratorFunctionConstructor.h:
1438         (JSC::GeneratorFunctionConstructor::createStructure):
1439         * runtime/InternalFunction.cpp:
1440         (JSC::InternalFunction::InternalFunction):
1441         (JSC::InternalFunction::finishCreation):
1442         (JSC::InternalFunction::getCallData):
1443         (JSC::InternalFunction::getConstructData):
1444         * runtime/InternalFunction.h:
1445         (JSC::InternalFunction::createStructure):
1446         (JSC::InternalFunction::nativeFunctionFor):
1447         (JSC::InternalFunction::offsetOfNativeFunctionFor):
1448         * runtime/IntlCollatorConstructor.cpp:
1449         (JSC::IntlCollatorConstructor::createStructure):
1450         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
1451         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
1452         (JSC::IntlCollatorConstructor::getCallData): Deleted.
1453         * runtime/IntlCollatorConstructor.h:
1454         * runtime/IntlDateTimeFormatConstructor.cpp:
1455         (JSC::IntlDateTimeFormatConstructor::createStructure):
1456         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
1457         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
1458         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
1459         * runtime/IntlDateTimeFormatConstructor.h:
1460         * runtime/IntlNumberFormatConstructor.cpp:
1461         (JSC::IntlNumberFormatConstructor::createStructure):
1462         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
1463         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
1464         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
1465         * runtime/IntlNumberFormatConstructor.h:
1466         * runtime/JSArrayBufferConstructor.cpp:
1467         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
1468         (JSC::JSArrayBufferConstructor::createStructure):
1469         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
1470         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
1471         * runtime/JSArrayBufferConstructor.h:
1472         * runtime/JSGenericTypedArrayViewConstructor.h:
1473         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1474         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
1475         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
1476         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
1477         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
1478         * runtime/JSInternalPromiseConstructor.cpp:
1479         (JSC::JSInternalPromiseConstructor::createStructure):
1480         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
1481         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
1482         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
1483         * runtime/JSInternalPromiseConstructor.h:
1484         * runtime/JSPromiseConstructor.cpp:
1485         (JSC::JSPromiseConstructor::createStructure):
1486         (JSC::JSPromiseConstructor::JSPromiseConstructor):
1487         (JSC::JSPromiseConstructor::getConstructData): Deleted.
1488         (JSC::JSPromiseConstructor::getCallData): Deleted.
1489         * runtime/JSPromiseConstructor.h:
1490         * runtime/JSType.h:
1491         * runtime/JSTypedArrayViewConstructor.cpp:
1492         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
1493         (JSC::JSTypedArrayViewConstructor::createStructure):
1494         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
1495         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
1496         * runtime/JSTypedArrayViewConstructor.h:
1497         * runtime/MapConstructor.cpp:
1498         (JSC::MapConstructor::MapConstructor):
1499         (JSC::MapConstructor::getConstructData): Deleted.
1500         (JSC::MapConstructor::getCallData): Deleted.
1501         * runtime/MapConstructor.h:
1502         (JSC::MapConstructor::createStructure):
1503         (JSC::MapConstructor::MapConstructor): Deleted.
1504         * runtime/NativeErrorConstructor.cpp:
1505         (JSC::NativeErrorConstructor::NativeErrorConstructor):
1506         (JSC::NativeErrorConstructor::getConstructData): Deleted.
1507         (JSC::NativeErrorConstructor::getCallData): Deleted.
1508         * runtime/NativeErrorConstructor.h:
1509         (JSC::NativeErrorConstructor::createStructure):
1510         * runtime/NullGetterFunction.cpp:
1511         (JSC::NullGetterFunction::NullGetterFunction):
1512         (JSC::NullGetterFunction::getCallData): Deleted.
1513         (JSC::NullGetterFunction::getConstructData): Deleted.
1514         * runtime/NullGetterFunction.h:
1515         (JSC::NullGetterFunction::createStructure):
1516         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
1517         * runtime/NullSetterFunction.cpp:
1518         (JSC::NullSetterFunction::NullSetterFunction):
1519         (JSC::NullSetterFunction::getCallData): Deleted.
1520         (JSC::NullSetterFunction::getConstructData): Deleted.
1521         * runtime/NullSetterFunction.h:
1522         (JSC::NullSetterFunction::createStructure):
1523         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
1524         * runtime/NumberConstructor.cpp:
1525         (JSC::NumberConstructor::NumberConstructor):
1526         (JSC::constructNumberConstructor):
1527         (JSC::constructWithNumberConstructor): Deleted.
1528         (JSC::NumberConstructor::getConstructData): Deleted.
1529         (JSC::NumberConstructor::getCallData): Deleted.
1530         * runtime/NumberConstructor.h:
1531         (JSC::NumberConstructor::createStructure):
1532         * runtime/ObjectConstructor.cpp:
1533         (JSC::ObjectConstructor::ObjectConstructor):
1534         (JSC::ObjectConstructor::getConstructData): Deleted.
1535         (JSC::ObjectConstructor::getCallData): Deleted.
1536         * runtime/ObjectConstructor.h:
1537         (JSC::ObjectConstructor::createStructure):
1538         * runtime/ProxyConstructor.cpp:
1539         (JSC::ProxyConstructor::ProxyConstructor):
1540         (JSC::ProxyConstructor::getConstructData): Deleted.
1541         (JSC::ProxyConstructor::getCallData): Deleted.
1542         * runtime/ProxyConstructor.h:
1543         (JSC::ProxyConstructor::createStructure):
1544         * runtime/ProxyRevoke.cpp:
1545         (JSC::ProxyRevoke::ProxyRevoke):
1546         (JSC::ProxyRevoke::getCallData): Deleted.
1547         * runtime/ProxyRevoke.h:
1548         (JSC::ProxyRevoke::createStructure):
1549         * runtime/RegExpConstructor.cpp:
1550         (JSC::RegExpConstructor::RegExpConstructor):
1551         (JSC::RegExpConstructor::getConstructData): Deleted.
1552         (JSC::RegExpConstructor::getCallData): Deleted.
1553         * runtime/RegExpConstructor.h:
1554         (JSC::RegExpConstructor::createStructure):
1555         * runtime/SetConstructor.cpp:
1556         (JSC::SetConstructor::SetConstructor):
1557         (JSC::SetConstructor::getConstructData): Deleted.
1558         (JSC::SetConstructor::getCallData): Deleted.
1559         * runtime/SetConstructor.h:
1560         (JSC::SetConstructor::createStructure):
1561         (JSC::SetConstructor::SetConstructor): Deleted.
1562         * runtime/StringConstructor.cpp:
1563         (JSC::StringConstructor::StringConstructor):
1564         (JSC::StringConstructor::getConstructData): Deleted.
1565         (JSC::StringConstructor::getCallData): Deleted.
1566         * runtime/StringConstructor.h:
1567         (JSC::StringConstructor::createStructure):
1568         * runtime/SymbolConstructor.cpp:
1569         (JSC::SymbolConstructor::SymbolConstructor):
1570         (JSC::SymbolConstructor::getConstructData): Deleted.
1571         (JSC::SymbolConstructor::getCallData): Deleted.
1572         * runtime/SymbolConstructor.h:
1573         (JSC::SymbolConstructor::createStructure):
1574         * runtime/VM.cpp:
1575         (JSC::VM::VM):
1576         (JSC::VM::getCTIInternalFunctionTrampolineFor):
1577         * runtime/VM.h:
1578         * runtime/WeakMapConstructor.cpp:
1579         (JSC::WeakMapConstructor::WeakMapConstructor):
1580         (JSC::WeakMapConstructor::getConstructData): Deleted.
1581         (JSC::WeakMapConstructor::getCallData): Deleted.
1582         * runtime/WeakMapConstructor.h:
1583         (JSC::WeakMapConstructor::createStructure):
1584         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
1585         * runtime/WeakSetConstructor.cpp:
1586         (JSC::WeakSetConstructor::WeakSetConstructor):
1587         (JSC::WeakSetConstructor::getConstructData): Deleted.
1588         (JSC::WeakSetConstructor::getCallData): Deleted.
1589         * runtime/WeakSetConstructor.h:
1590         (JSC::WeakSetConstructor::createStructure):
1591         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
1592         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
1593         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
1594         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
1595         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
1596         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
1597         * wasm/js/WebAssemblyCompileErrorConstructor.h:
1598         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1599         (JSC::WebAssemblyInstanceConstructor::createStructure):
1600         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
1601         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
1602         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
1603         * wasm/js/WebAssemblyInstanceConstructor.h:
1604         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
1605         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
1606         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
1607         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
1608         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
1609         * wasm/js/WebAssemblyLinkErrorConstructor.h:
1610         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1611         (JSC::WebAssemblyMemoryConstructor::createStructure):
1612         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
1613         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
1614         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
1615         * wasm/js/WebAssemblyMemoryConstructor.h:
1616         * wasm/js/WebAssemblyModuleConstructor.cpp:
1617         (JSC::WebAssemblyModuleConstructor::createStructure):
1618         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
1619         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
1620         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
1621         * wasm/js/WebAssemblyModuleConstructor.h:
1622         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
1623         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
1624         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
1625         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
1626         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
1627         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
1628         * wasm/js/WebAssemblyTableConstructor.cpp:
1629         (JSC::WebAssemblyTableConstructor::createStructure):
1630         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
1631         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
1632         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
1633         * wasm/js/WebAssemblyTableConstructor.h:
1634
1635 2017-11-03  Michael Saboff  <msaboff@apple.com>
1636
1637         The Abstract Interpreter needs to change similar to clobberize() in r224366
1638         https://bugs.webkit.org/show_bug.cgi?id=179267
1639
1640         Reviewed by Saam Barati.
1641
1642         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
1643         cases in the abstract interpreter to match what was done for r224366.
1644
1645         * dfg/DFGAbstractInterpreterInlines.h:
1646         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1647
1648 2017-11-03  Keith Miller  <keith_miller@apple.com>
1649
1650         PutPropertySlot should inform the IC about the property before effects.
1651         https://bugs.webkit.org/show_bug.cgi?id=179262
1652
1653         Reviewed by Mark Lam.
1654
1655         This patch fixes an issue where we choose to cache setters based on
1656         incorrect information. If we did so we might end up OSR exiting
1657         more than we would otherwise need to. The new model is that the
1658         PutPropertySlot should inform the IC of what the property looked
1659         like before any potential side effects might have occurred.
1660
1661         * runtime/JSObject.cpp:
1662         (JSC::JSObject::putInlineSlow):
1663         * runtime/Lookup.h:
1664         (JSC::putEntry):
1665
1666 2017-11-03  Mark Lam  <mark.lam@apple.com>
1667
1668         CachedCall (and its clients) needs overflow checks.
1669         https://bugs.webkit.org/show_bug.cgi?id=179185
1670
1671         Reviewed by JF Bastien.
1672
1673         * interpreter/CachedCall.h:
1674         (JSC::CachedCall::CachedCall):
1675         (JSC::CachedCall::hasOverflowedArguments):
1676         * runtime/ArgList.h:
1677         (JSC::MarkedArgumentBuffer::clear):
1678         * runtime/StringPrototype.cpp:
1679         (JSC::replaceUsingRegExpSearch):
1680
1681 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
1682
1683         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
1684         https://bugs.webkit.org/show_bug.cgi?id=178302
1685         <rdar://problem/33158849>
1686
1687         Reviewed by Brian Burg.
1688
1689         * inspector/protocol/Recording.json:
1690         Add `duration` to each Frame that represents the total time of all the recorded actions.
1691
1692 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
1693
1694         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
1695         https://bugs.webkit.org/show_bug.cgi?id=179070
1696         <rdar://problem/35278276>
1697
1698         Reviewed by Brian Burg.
1699
1700         * inspector/protocol/Canvas.json:
1701         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
1702         different string on a WebGL context.
1703
1704 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
1705
1706         Make ServiceWorker a Remote Inspector debuggable target
1707         https://bugs.webkit.org/show_bug.cgi?id=179043
1708         <rdar://problem/34126008>
1709
1710         Reviewed by Brian Burg.
1711
1712         * inspector/remote/RemoteControllableTarget.h:
1713         * inspector/remote/RemoteInspectionTarget.h:
1714         * inspector/remote/RemoteInspectorConstants.h:
1715         Include a new ServiceWorker remote inspector target type.
1716
1717         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
1718         (Inspector::RemoteInspector::listingForInspectionTarget const):
1719         Implement listing for a ServiceWorker to include a URL like a page.
1720
1721         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1722         (Inspector::RemoteInspector::listingForInspectionTarget const):
1723         Bail for ServiceWorker support in glib. They will need to implement their support.
1724
1725 2017-11-02  Michael Saboff  <msaboff@apple.com>
1726
1727         DFG needs to handle code motion of code in for..in loop bodies
1728         https://bugs.webkit.org/show_bug.cgi?id=179212
1729
1730         Reviewed by Keith Miller.
1731
1732         The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
1733         makes calls with side effects.  Updated clobberize() for those nodes to take that into account.
1734
1735         * dfg/DFGClobberize.h:
1736         (JSC::DFG::clobberize):
1737
1738 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
1739
1740         Inspector should display service worker served responses properly
1741         https://bugs.webkit.org/show_bug.cgi?id=178597
1742         <rdar://problem/35186111>
1743
1744         Reviewed by Brian Burg.
1745
1746         * inspector/protocol/Network.json:
1747         Expose a new "service-worker" response source.
1748
1749 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
1750
1751         AI does not correctly model the clobber case of ArithClz32
1752         https://bugs.webkit.org/show_bug.cgi?id=179188
1753
1754         Reviewed by Michael Saboff.
1755
1756         The non-Int32 case clobbers the world because it may call valueOf.
1757
1758         * dfg/DFGAbstractInterpreterInlines.h:
1759         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1760
1761 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1762
1763         Unreviewed, release throw scope
1764         https://bugs.webkit.org/show_bug.cgi?id=178726
1765
1766         * dfg/DFGOperations.cpp:
1767
1768 2017-11-02  Frederic Wang  <fwang@igalia.com>
1769
1770         Add references to bug 179167 in FIXME comments
1771         https://bugs.webkit.org/show_bug.cgi?id=179168
1772
1773         Reviewed by Daniel Bates.
1774
1775         * Configurations/FeatureDefines.xcconfig:
1776
1777 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
1778
1779         Implement WKFullscreenWindowController for iOS.
1780         https://bugs.webkit.org/show_bug.cgi?id=178924
1781         rdar://problem/34697120
1782
1783         Reviewed by Simon Fraser.
1784
1785         Enable ENABLE_FULLSCREEN_API for iOS.
1786
1787         * Configurations/FeatureDefines.xcconfig:
1788
1789 2017-11-01  Mark Lam  <mark.lam@apple.com>
1790
1791         Add support to throw OOM if MarkedArgumentBuffer may overflow.
1792         https://bugs.webkit.org/show_bug.cgi?id=179092
1793         <rdar://problem/35116160>
1794
1795         Reviewed by Saam Barati.
1796
1797         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
1798         time, which renders it unsuitable for automated tests.  Instead, I've run a
1799         test manually to verify that an OutOfMemoryError will be thrown when an overflow
1800         occurs.
1801
1802         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
1803         checked for an overflow after invoking methods that may result in an overflow i.e.
1804         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
1805         This is only done on debug builds.
1806
1807         * API/JSObjectRef.cpp:
1808         (JSObjectMakeFunction):
1809         (JSObjectMakeArray):
1810         (JSObjectMakeDate):
1811         (JSObjectMakeRegExp):
1812         (JSObjectCallAsFunction):
1813         (JSObjectCallAsConstructor):
1814         * dfg/DFGOperations.cpp:
1815         * inspector/InjectedScriptManager.cpp:
1816         (Inspector::InjectedScriptManager::createInjectedScript):
1817         * inspector/JSJavaScriptCallFrame.cpp:
1818         (Inspector::JSJavaScriptCallFrame::scopeChain const):
1819         * interpreter/Interpreter.cpp:
1820         (JSC::Interpreter::executeProgram):
1821         * jsc.cpp:
1822         (functionDollarAgentReceiveBroadcast):
1823         * runtime/ArgList.cpp:
1824         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
1825         (JSC::MarkedArgumentBuffer::expandCapacity):
1826         (JSC::MarkedArgumentBuffer::slowAppend):
1827         * runtime/ArgList.h:
1828         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
1829         (JSC::MarkedArgumentBuffer::appendWithAction):
1830         (JSC::MarkedArgumentBuffer::append):
1831         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
1832         (JSC::MarkedArgumentBuffer::hasOverflowed):
1833         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
1834         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
1835         * runtime/ArrayPrototype.cpp:
1836         * runtime/CommonSlowPaths.cpp:
1837         (JSC::SLOW_PATH_DECL):
1838         * runtime/GetterSetter.cpp:
1839         (JSC::callSetter):
1840         * runtime/IteratorOperations.cpp:
1841         (JSC::iteratorNext):
1842         (JSC::iteratorClose):
1843         * runtime/JSBoundFunction.cpp:
1844         (JSC::boundThisNoArgsFunctionCall):
1845         (JSC::boundFunctionCall):
1846         (JSC::boundThisNoArgsFunctionConstruct):
1847         (JSC::boundFunctionConstruct):
1848         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
1849         (JSC::constructGenericTypedArrayViewFromIterator):
1850         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
1851         (JSC::genericTypedArrayViewProtoFuncSlice):
1852         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
1853         * runtime/JSGlobalObject.cpp:
1854         (JSC::JSGlobalObject::haveABadTime):
1855         * runtime/JSInternalPromise.cpp:
1856         (JSC::JSInternalPromise::then):
1857         * runtime/JSJob.cpp:
1858         (JSC::JSJobMicrotask::run):
1859         * runtime/JSMapIterator.cpp:
1860         (JSC::JSMapIterator::createPair):
1861         * runtime/JSModuleLoader.cpp:
1862         (JSC::JSModuleLoader::provideFetch):
1863         (JSC::JSModuleLoader::loadAndEvaluateModule):
1864         (JSC::JSModuleLoader::loadModule):
1865         (JSC::JSModuleLoader::linkAndEvaluateModule):
1866         (JSC::JSModuleLoader::requestImportModule):
1867         * runtime/JSONObject.cpp:
1868         (JSC::Stringifier::toJSONImpl):
1869         (JSC::Stringifier::appendStringifiedValue):
1870         (JSC::Walker::callReviver):
1871         * runtime/JSObject.cpp:
1872         (JSC::ordinarySetSlow):
1873         (JSC::callToPrimitiveFunction):
1874         (JSC::JSObject::hasInstance):
1875         * runtime/JSPromise.cpp:
1876         (JSC::JSPromise::initialize):
1877         (JSC::JSPromise::resolve):
1878         * runtime/JSPromiseDeferred.cpp:
1879         (JSC::newPromiseCapability):
1880         (JSC::callFunction):
1881         * runtime/JSSetIterator.cpp:
1882         (JSC::JSSetIterator::createPair):
1883         * runtime/LiteralParser.cpp:
1884         (JSC::LiteralParser<CharType>::parse):
1885         * runtime/MapConstructor.cpp:
1886         (JSC::constructMap):
1887         * runtime/ObjectConstructor.cpp:
1888         (JSC::defineProperties):
1889         * runtime/ProxyObject.cpp:
1890         (JSC::performProxyGet):
1891         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1892         (JSC::ProxyObject::performHasProperty):
1893         (JSC::ProxyObject::performPut):
1894         (JSC::performProxyCall):
1895         (JSC::performProxyConstruct):
1896         (JSC::ProxyObject::performDelete):
1897         (JSC::ProxyObject::performPreventExtensions):
1898         (JSC::ProxyObject::performIsExtensible):
1899         (JSC::ProxyObject::performDefineOwnProperty):
1900         (JSC::ProxyObject::performGetOwnPropertyNames):
1901         (JSC::ProxyObject::performSetPrototype):
1902         (JSC::ProxyObject::performGetPrototype):
1903         * runtime/ReflectObject.cpp:
1904         (JSC::reflectObjectConstruct):
1905         * runtime/SetConstructor.cpp:
1906         (JSC::constructSet):
1907         * runtime/StringPrototype.cpp:
1908         (JSC::replaceUsingRegExpSearch):
1909         (JSC::replaceUsingStringSearch):
1910         * runtime/WeakMapConstructor.cpp:
1911         (JSC::constructWeakMap):
1912         * runtime/WeakSetConstructor.cpp:
1913         (JSC::constructWeakSet):
1914         * wasm/js/WasmToJS.cpp:
1915         (JSC::Wasm::wasmToJS):
1916
1917 2017-11-01  Michael Saboff  <msaboff@apple.com>
1918
1919         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
1920         https://bugs.webkit.org/show_bug.cgi?id=179140
1921
1922         Reviewed by Saam Barati.
1923
1924         Added overflow checks to computation of arg count plus this.
1925
1926         * dfg/DFGSpeculativeJIT32_64.cpp:
1927         (JSC::DFG::SpeculativeJIT::compile):
1928         * dfg/DFGSpeculativeJIT64.cpp:
1929         (JSC::DFG::SpeculativeJIT::compile):
1930         * ftl/FTLLowerDFGToB3.cpp:
1931         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
1932
1933 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1934
1935         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
1936         https://bugs.webkit.org/show_bug.cgi?id=178934
1937
1938         * ftl/FTLLowerDFGToB3.cpp:
1939         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1940
1941 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1942
1943         [JSC] Introduce @toObject
1944         https://bugs.webkit.org/show_bug.cgi?id=178726
1945
1946         Reviewed by Saam Barati.
1947
1948         This patch introduces the @toObject intrinsic, along with an op_to_object bytecode and a DFG ToObject node.
1949         Previously we emulated @toObject behavior in builtin JS. But it consumes much bytecode size while @toObject
1950         is frequently seen and clearly defined in the spec. Furthermore, the emulated @toObject always calls
1951         ObjectConstructor in LLInt and Baseline.
1952
1953         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
1954         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
1955
1956             if (this === @undefined || this === null)
1957                 @throwTypeError("error message");
1958             var object = @Object(this);
1959
1960         with
1961
1962             var object = @toObject(this, "error message");
1963
1964         And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
1965         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
1966         In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
1967
1968         It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.
1969
1970         * builtins/ArrayConstructor.js:
1971         (from):
1972         * builtins/ArrayPrototype.js:
1973         (values):
1974         (keys):
1975         (entries):
1976         (reduce):
1977         (reduceRight):
1978         (every):
1979         (forEach):
1980         (filter):
1981         (map):
1982         (some):
1983         (fill):
1984         (find):
1985         (findIndex):
1986         (includes):
1987         (sort):
1988         (globalPrivate.concatSlowPath):
1989         (copyWithin):
1990         * builtins/DatePrototype.js:
1991         (toLocaleString.toDateTimeOptionsAnyAll):
1992         (toLocaleString):
1993         (toLocaleDateString.toDateTimeOptionsDateDate):
1994         (toLocaleDateString):
1995         (toLocaleTimeString.toDateTimeOptionsTimeTime):
1996         (toLocaleTimeString):
1997         * builtins/GlobalOperations.js:
1998         (globalPrivate.copyDataProperties):
1999         (globalPrivate.copyDataPropertiesNoExclusions):
2000         * builtins/ObjectConstructor.js:
2001         (entries):
2002         * builtins/StringConstructor.js:
2003         (raw):
2004         * builtins/TypedArrayConstructor.js:
2005         (from):
2006         * builtins/TypedArrayPrototype.js:
2007         (map):
2008         (filter):
2009         * bytecode/BytecodeDumper.cpp:
2010         (JSC::BytecodeDumper<Block>::dumpBytecode):
2011         * bytecode/BytecodeIntrinsicRegistry.h:
2012         * bytecode/BytecodeList.json:
2013         * bytecode/BytecodeUseDef.h:
2014         (JSC::computeUsesForBytecodeOffset):
2015         (JSC::computeDefsForBytecodeOffset):
2016         * bytecode/CodeBlock.cpp:
2017         (JSC::CodeBlock::finishCreation):
2018         * bytecompiler/BytecodeGenerator.cpp:
2019         (JSC::BytecodeGenerator::emitToObject):
2020         * bytecompiler/BytecodeGenerator.h:
2021         * bytecompiler/NodesCodegen.cpp:
2022         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2023         * dfg/DFGAbstractInterpreterInlines.h:
2024         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2025         * dfg/DFGByteCodeParser.cpp:
2026         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2027         (JSC::DFG::ByteCodeParser::parseBlock):
2028         * dfg/DFGCapabilities.cpp:
2029         (JSC::DFG::capabilityLevel):
2030         * dfg/DFGClobberize.h:
2031         (JSC::DFG::clobberize):
2032         * dfg/DFGDoesGC.cpp:
2033         (JSC::DFG::doesGC):
2034         * dfg/DFGFixupPhase.cpp:
2035         (JSC::DFG::FixupPhase::fixupNode):
2036         (JSC::DFG::FixupPhase::fixupToObject):
2037         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
2038         * dfg/DFGNode.h:
2039         (JSC::DFG::Node::convertToCallObjectConstructor):
2040         (JSC::DFG::Node::convertToNewStringObject):
2041         (JSC::DFG::Node::convertToNewObject):
2042         (JSC::DFG::Node::hasIdentifier):
2043         (JSC::DFG::Node::hasHeapPrediction):
2044         (JSC::DFG::Node::hasCellOperand):
2045         * dfg/DFGNodeType.h:
2046         * dfg/DFGOperations.cpp:
2047         * dfg/DFGOperations.h:
2048         * dfg/DFGPredictionPropagationPhase.cpp:
2049         * dfg/DFGSafeToExecute.h:
2050         (JSC::DFG::safeToExecute):
2051         * dfg/DFGSpeculativeJIT.cpp:
2052         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2053         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
2054         * dfg/DFGSpeculativeJIT.h:
2055         (JSC::DFG::SpeculativeJIT::callOperation):
2056         * dfg/DFGSpeculativeJIT32_64.cpp:
2057         (JSC::DFG::SpeculativeJIT::compile):
2058         * dfg/DFGSpeculativeJIT64.cpp:
2059         (JSC::DFG::SpeculativeJIT::compile):
2060         * ftl/FTLCapabilities.cpp:
2061         (JSC::FTL::canCompile):
2062         * ftl/FTLLowerDFGToB3.cpp:
2063         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2064         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
2065         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
2066         * jit/JIT.cpp:
2067         (JSC::JIT::privateCompileMainPass):
2068         (JSC::JIT::privateCompileSlowCases):
2069         * jit/JIT.h:
2070         * jit/JITOpcodes.cpp:
2071         (JSC::JIT::emit_op_to_object):
2072         (JSC::JIT::emitSlow_op_to_object):
2073         * jit/JITOpcodes32_64.cpp:
2074         (JSC::JIT::emit_op_to_object):
2075         (JSC::JIT::emitSlow_op_to_object):
2076         * jit/JITOperations.cpp:
2077         * jit/JITOperations.h:
2078         * llint/LowLevelInterpreter32_64.asm:
2079         * llint/LowLevelInterpreter64.asm:
2080         * runtime/CommonSlowPaths.cpp:
2081         (JSC::SLOW_PATH_DECL):
2082         * runtime/CommonSlowPaths.h:
2083
2084 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2085
2086         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
2087         https://bugs.webkit.org/show_bug.cgi?id=174979
2088
2089         Reviewed by Yusuke Suzuki.
2090
2091         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
2092
2093 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2094
2095         [DFG][FTL] Introduce StringSlice
2096         https://bugs.webkit.org/show_bug.cgi?id=178934
2097
2098         Reviewed by Saam Barati.
2099
2100         String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
2101         This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
2102
2103         This patch's StringSlice node optimizes the following things.
2104
2105         1. Empty string generation is accelerated. It is fully executed inline.
2106         2. One char string generation is accelerated. Characters `< 0x100` are supported right now.
2107         This is the same as the charAt acceleration.
2108         3. We calculate the start and end indices in DFG/FTL with Int32Use information and call an optimized
2109         operation.
2110
2111         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
2112         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
2113         in subsequent changes.
2114
2115         This patch improves ARES-6/Babylon performance by 3% in steady state.
2116
2117         Baseline:
2118             Running... Babylon ( 1  to go)
2119             firstIteration:     50.05 +- 13.68 ms
2120             averageWorstCase:   16.80 +- 1.27 ms
2121             steadyState:        7.53 +- 0.22 ms
2122
2123         Patched:
2124             Running... Babylon ( 1  to go)
2125             firstIteration:     50.91 +- 13.41 ms
2126             averageWorstCase:   16.12 +- 0.99 ms
2127             steadyState:        7.30 +- 0.29 ms
2128
2129         * dfg/DFGAbstractInterpreterInlines.h:
2130         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2131         * dfg/DFGBackwardsPropagationPhase.cpp:
2132         (JSC::DFG::BackwardsPropagationPhase::propagate):
2133         * dfg/DFGByteCodeParser.cpp:
2134         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2135         * dfg/DFGClobberize.h:
2136         (JSC::DFG::clobberize):
2137         * dfg/DFGDoesGC.cpp:
2138         (JSC::DFG::doesGC):
2139         * dfg/DFGFixupPhase.cpp:
2140         (JSC::DFG::FixupPhase::fixupNode):
2141         * dfg/DFGNodeType.h:
2142         * dfg/DFGOperations.cpp:
2143         * dfg/DFGOperations.h:
2144         * dfg/DFGPredictionPropagationPhase.cpp:
2145         * dfg/DFGSafeToExecute.h:
2146         (JSC::DFG::safeToExecute):
2147         * dfg/DFGSpeculativeJIT.cpp:
2148         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2149         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
2150         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2151         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2152         * dfg/DFGSpeculativeJIT.h:
2153         (JSC::DFG::SpeculativeJIT::callOperation):
2154         * dfg/DFGSpeculativeJIT32_64.cpp:
2155         (JSC::DFG::SpeculativeJIT::compile):
2156         * dfg/DFGSpeculativeJIT64.cpp:
2157         (JSC::DFG::SpeculativeJIT::compile):
2158         * ftl/FTLCapabilities.cpp:
2159         (JSC::FTL::canCompile):
2160         * ftl/FTLLowerDFGToB3.cpp:
2161         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2162         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
2163         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2164         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2165         * jit/JITOperations.h:
2166         * runtime/Intrinsic.cpp:
2167         (JSC::intrinsicName):
2168         * runtime/Intrinsic.h:
2169         * runtime/StringPrototype.cpp:
2170         (JSC::StringPrototype::finishCreation):
2171
2172 2017-10-31  JF Bastien  <jfbastien@apple.com>
2173
2174         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
2175         https://bugs.webkit.org/show_bug.cgi?id=176644
2176
2177         Reviewed by Michael Saboff.
2178
2179         IndexOrName now keeps a RefPtr to its original NameSection, which
2180         holds the Name (or references nullptr if Index). Holding onto the
2181         entire section seems like the better thing to do, since backtraces
2182         probably contain multiple names from the same Module.
2183
2184         * JavaScriptCore.xcodeproj/project.pbxproj:
2185         * interpreter/Interpreter.cpp:
2186         (JSC::GetStackTraceFunctor::operator() const):
2187         * interpreter/StackVisitor.h: Frame is no longer POD because of the
2188         RefPtr.
2189         * runtime/StackFrame.cpp:
2190         (JSC::StackFrame::StackFrame):
2191         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
2192         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
2193         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
2194         * wasm/WasmBBQPlanInlines.h:
2195         (JSC::Wasm::BBQPlan::initializeCallees):
2196         * wasm/WasmCallee.cpp:
2197         (JSC::Wasm::Callee::Callee):
2198         * wasm/WasmCallee.h:
2199         (JSC::Wasm::Callee::create):
2200         * wasm/WasmFormat.h: Move NameSection to its own header.
2201         (JSC::Wasm::isValidNameType):
2202         (JSC::Wasm::NameSection::get): Deleted.
2203         * wasm/WasmIndexOrName.cpp:
2204         (JSC::Wasm::IndexOrName::IndexOrName):
2205         (JSC::Wasm::makeString):
2206         * wasm/WasmIndexOrName.h:
2207         (JSC::Wasm::IndexOrName::IndexOrName):
2208         (JSC::Wasm::IndexOrName::isEmpty const):
2209         (JSC::Wasm::IndexOrName::isIndex const):
2210         * wasm/WasmModuleInformation.cpp:
2211         (JSC::Wasm::ModuleInformation::ModuleInformation):
2212         * wasm/WasmModuleInformation.h:
2213         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
2214         * wasm/WasmNameSection.h:
2215         (JSC::Wasm::NameSection::get):
2216         (JSC::Wasm::NameSection::create): Deleted.
2217         * wasm/WasmNameSectionParser.cpp:
2218         (JSC::Wasm::NameSectionParser::parse):
2219         * wasm/WasmNameSectionParser.h:
2220         * wasm/WasmOMGPlan.cpp:
2221         (JSC::Wasm::OMGPlan::work):
2222
2223 2017-10-31  Tim Horton  <timothy_horton@apple.com>
2224
2225         Clean up some drag and drop feature flags
2226         https://bugs.webkit.org/show_bug.cgi?id=179082
2227
2228         Reviewed by Simon Fraser.
2229
2230         * Configurations/FeatureDefines.xcconfig:
2231
2232 2017-10-31  Commit Queue  <commit-queue@webkit.org>
2233
2234         Unreviewed, rolling out r224243, r224246, and r224248.
2235         https://bugs.webkit.org/show_bug.cgi?id=179083
2236
2237         The patch and fix broke the Windows build. (Requested by
2238         mlewis13 on #webkit).
2239
2240         Reverted changesets:
2241
2242         "StructureStubInfo should have GPRReg members not int8_ts"
2243         https://bugs.webkit.org/show_bug.cgi?id=179071
2244         https://trac.webkit.org/changeset/224243
2245
2246         "Make all register enums be backed by uint8_t."
2247         https://bugs.webkit.org/show_bug.cgi?id=179074
2248         https://trac.webkit.org/changeset/224246
2249
2250         "Unreviewed, windows build fix."
2251         https://trac.webkit.org/changeset/224248
2252
2253 2017-10-31  Tim Horton  <timothy_horton@apple.com>
2254
2255         Fix up some content filtering feature flags
2256         https://bugs.webkit.org/show_bug.cgi?id=179079
2257
2258         Reviewed by Simon Fraser.
2259
2260         * Configurations/FeatureDefines.xcconfig:
2261
2262 2017-10-31  Keith Miller  <keith_miller@apple.com>
2263
2264         Unreviewed, windows build fix.
2265
2266         * assembler/X86Assembler.h:
2267         (JSC::X86Assembler::numberOfRegisters):
2268         (JSC::X86Assembler::numberOfSPRegisters):
2269         (JSC::X86Assembler::numberOfFPRegisters):
2270
2271 2017-10-31  Keith Miller  <keith_miller@apple.com>
2272
2273         Make all register enums be backed by uint8_t.
2274         https://bugs.webkit.org/show_bug.cgi?id=179074
2275
2276         Reviewed by Mark Lam.
2277
2278         * assembler/ARM64Assembler.h:
2279         * assembler/ARMAssembler.h:
2280         * assembler/ARMv7Assembler.h:
2281         * assembler/MIPSAssembler.h:
2282         * assembler/MacroAssembler.h:
2283         * assembler/X86Assembler.h:
2284
2285 2017-10-31  Keith Miller  <keith_miller@apple.com>
2286
2287         StructureStubInfo should have GPRReg members not int8_ts
2288         https://bugs.webkit.org/show_bug.cgi?id=179071
2289
2290         Reviewed by Michael Saboff.
2291
2292         This patch makes the various RegisterID enums be backed by
2293         uint8_t. This means that we can remove the old int8_t members in
2294         StructureStubInfo and replace them with the correct enum types.
2295
2296         Also, this fixes an indentation issue in ARMv7Assembler.h.
2297
2298         * assembler/ARM64Assembler.h:
2299         * assembler/ARMAssembler.h:
2300         * assembler/ARMv7Assembler.h:
2301         (JSC::ARMRegisters::asSingle):
2302         (JSC::ARMRegisters::asDouble):
2303         * assembler/MIPSAssembler.h:
2304         * assembler/X86Assembler.h:
2305         * bytecode/InlineAccess.cpp:
2306         (JSC::InlineAccess::generateSelfPropertyAccess):
2307         (JSC::getScratchRegister):
2308         * bytecode/PolymorphicAccess.cpp:
2309         (JSC::PolymorphicAccess::regenerate):
2310         * bytecode/StructureStubInfo.h:
2311         (JSC::StructureStubInfo::valueRegs const):
2312         * dfg/DFGSpeculativeJIT.cpp:
2313         (JSC::DFG::SpeculativeJIT::compileIn):
2314         * ftl/FTLLowerDFGToB3.cpp:
2315         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2316         * jit/JITInlineCacheGenerator.cpp:
2317         (JSC::JITByIdGenerator::JITByIdGenerator):
2318         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
2319
2320 2017-10-31  Devin Rousso  <webkit@devinrousso.com>
2321
2322         Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
2323         https://bugs.webkit.org/show_bug.cgi?id=179048
2324
2325         Reviewed by Mark Lam.
2326
2327         * inspector/ScriptCallStackFactory.h:
2328         * inspector/ScriptCallStackFactory.cpp:
2329         (createScriptCallStack):
2330         (createScriptCallStackForConsole):
2331         (createScriptCallStackFromException):
2332
2333         * inspector/ConsoleMessage.cpp:
2334         (Inspector::ConsoleMessage::autogenerateMetadata):
2335         * inspector/JSGlobalObjectInspectorController.cpp:
2336         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
2337         * inspector/agents/InspectorConsoleAgent.cpp:
2338         (Inspector::InspectorConsoleAgent::count):
2339         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2340         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
2341
2342 2017-10-31  Carlos Garcia Campos  <cgarcia@igalia.com>
2343
2344         Unreviewed. Fix GTK+ make distcheck.
2345
2346         Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
2347
2348         * CMakeLists.txt:
2349
2350 2017-10-30  Saam Barati  <sbarati@apple.com>
2351
2352         We need a storeStoreFence before storing to the instruction stream's live variable catch data
2353         https://bugs.webkit.org/show_bug.cgi?id=178649
2354
2355         Reviewed by Keith Miller.
2356
2357         * bytecode/CodeBlock.cpp:
2358         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2359
2360 2017-10-30  Michael Catanzaro  <mcatanzaro@igalia.com>
2361
2362         [WPE] Fix build warnings
2363         https://bugs.webkit.org/show_bug.cgi?id=178899
2364
2365         Reviewed by Carlos Alberto Lopez Perez.
2366
2367         * PlatformWPE.cmake:
2368
2369 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
2370
2371         [ARMv7] Fix initial start register support in YarrJIT
2372         https://bugs.webkit.org/show_bug.cgi?id=178641
2373
2374         Reviewed by Saam Barati.
2375
2376         * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
2377         YarrGenerator class. r6 should be avoided since it's already used inside
2378         MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
2379         can be used as the frame pointer register when targeting ARM Thumb2.
2380
2381 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
2382
2383         [ARM64][Linux] Re-enable Gigacage
2384         https://bugs.webkit.org/show_bug.cgi?id=178130
2385
2386         Reviewed by Michael Catanzaro.
2387
2388         Guard the current globaladdr opcode implementation for ARM64 with
2389         OS(DARWIN) as it's only usable for Mach-O.
2390
2391         For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
2392         have to be used. The .loh directive can't be used as it's not supported
2393         in GCC or the ld linker.
2394
2395         On every other OS target, a compilation error is thrown.
2396
2397         * offlineasm/arm64.rb:
2398
2399 2017-10-27  Devin Rousso  <webkit@devinrousso.com>
2400
2401         Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
2402         https://bugs.webkit.org/show_bug.cgi?id=178799
2403         <rdar://problem/35175805>
2404
2405         Reviewed by Brian Burg.
2406
2407         * inspector/protocol/Canvas.json:
2408         Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
2409
2410 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2411
2412         [JSC] Tweak ES6 generator function to allow inlining
2413         https://bugs.webkit.org/show_bug.cgi?id=178935
2414
2415         Reviewed by Saam Barati.
2416
2417         We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
2418         This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
2419         them to be inlined in DFG.
2420
2421                                        baseline                  patched
2422
2423         spread-generator.es6      301.2637+-11.1011    ^    260.5905+-14.2258       ^ definitely 1.1561x faster
2424         generator.es6             269.6030+-13.2435    ^    148.8840+-6.7614        ^ definitely 1.8108x faster
2425
2426         * builtins/GeneratorPrototype.js:
2427         (globalPrivate.generatorResume):
2428         (next):
2429         (return):
2430         (throw):
2431
2432 2017-10-27  Saam Barati  <sbarati@apple.com>
2433
2434         Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
2435         https://bugs.webkit.org/show_bug.cgi?id=178949
2436
2437         Reviewed by Keith Miller.
2438
2439         This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
2440         so that we don't need to recompute liveness for the same UnlinkedCodeBlock
2441         more than once. To do this, this patch solidifies the invariant that CodeBlock
2442         linking can't do anything that would change the result of liveness. For example,
2443         it can't introduce new locals. This invariant was met by JSC before, because we
2444         didn't do anything in bytecode linking that would change liveness. However, it is
2445         now a correctness requirement that we don't do anything that would change the
2446         result of running liveness. To support this change, I've refactored BytecodeGraph
2447         to not be tied to a CodeBlockType*. Things that perform liveness will pass in
2448         CodeBlockType* and the instruction stream as needed. This means that we may
2449         compute liveness with one CodeBlock*'s instruction stream, and then perform
2450         queries on that analysis with a different CodeBlock*'s instruction stream.
2451
2452         This seems to be a 2% JSBench progression.
2453
2454         * bytecode/BytecodeGeneratorification.cpp:
2455         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
2456         (JSC::BytecodeGeneratorification::graph):
2457         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
2458         (JSC::GeneratorLivenessAnalysis::run):
2459         (JSC::BytecodeGeneratorification::run):
2460         * bytecode/BytecodeGraph.h:
2461         (JSC::BytecodeGraph::BytecodeGraph):
2462         (JSC::BytecodeGraph::codeBlock const): Deleted.
2463         (JSC::BytecodeGraph::instructions): Deleted.
2464         (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
2465         * bytecode/BytecodeLivenessAnalysis.cpp:
2466         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
2467         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
2468         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
2469         (JSC::BytecodeLivenessAnalysis::computeKills):
2470         (JSC::BytecodeLivenessAnalysis::dumpResults):
2471         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
2472         (JSC::BytecodeLivenessAnalysis::compute): Deleted.
2473         * bytecode/BytecodeLivenessAnalysis.h:
2474         * bytecode/BytecodeLivenessAnalysisInlines.h:
2475         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
2476         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
2477         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
2478         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
2479         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
2480         * bytecode/BytecodeRewriter.cpp:
2481         (JSC::BytecodeRewriter::applyModification):
2482         (JSC::BytecodeRewriter::execute):
2483         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
2484         * bytecode/BytecodeRewriter.h:
2485         (JSC::BytecodeRewriter::BytecodeRewriter):
2486         (JSC::BytecodeRewriter::removeBytecode):
2487         (JSC::BytecodeRewriter::graph):
2488         * bytecode/CodeBlock.cpp:
2489         (JSC::CodeBlock::finishCreation):
2490         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
2491         (JSC::CodeBlock::validate):
2492         (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
2493         * bytecode/CodeBlock.h:
2494         (JSC::CodeBlock::livenessAnalysis):
2495         * bytecode/UnlinkedCodeBlock.cpp:
2496         (JSC::UnlinkedCodeBlock::applyModification):
2497         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
2498         * bytecode/UnlinkedCodeBlock.h:
2499         (JSC::UnlinkedCodeBlock::livenessAnalysis):
2500         * dfg/DFGGraph.cpp:
2501         (JSC::DFG::Graph::livenessFor):
2502         (JSC::DFG::Graph::killsFor):
2503         * dfg/DFGPlan.cpp:
2504         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
2505         * jit/JIT.cpp:
2506         (JSC::JIT::privateCompileMainPass):
2507
2508 2017-10-27  Keith Miller  <keith_miller@apple.com>
2509
2510         Add unified source list files and build scripts to Xcode project navigator
2511         https://bugs.webkit.org/show_bug.cgi?id=178959
2512
2513         Reviewed by Andy Estes.
2514
2515         Also, add some extra source files so that new .cpp/.mm files don't cause the build
2516         to fail right away. We already do this in WebCore.
2517
2518         * JavaScriptCore.xcodeproj/project.pbxproj:
2519         * PlatformMac.cmake:
2520         * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
2521
2522 2017-10-27  JF Bastien  <jfbastien@apple.com>
2523
2524         WebAssembly: update arbitrary limits to what browsers use
2525         https://bugs.webkit.org/show_bug.cgi?id=178946
2526         <rdar://problem/34257412>
2527         <rdar://problem/34501154>
2528
2529         Reviewed by Saam Barati.
2530
2531         https://github.com/WebAssembly/design/issues/1138 discusses the
2532         arbitrary function size limit, which it turns out Chrome and
2533         Firefox didn't enforce. We didn't use it because it was
2534         ridiculously low and actual programs ran into that limit (bummer
2535         for Edge which just shipped it...). Now that we agree on a high
2536         arbitrary program limit, let's update it! While I'm doing this
2537         there are a few other spots that I polished to use Checked or
2538         better check limits overall.
2539
2540         * wasm/WasmB3IRGenerator.cpp:
2541         (JSC::Wasm::B3IRGenerator::addLocal):
2542         * wasm/WasmFormat.cpp:
2543         (JSC::Wasm::Segment::create):
2544         * wasm/WasmFunctionParser.h:
2545         (JSC::Wasm::FunctionParser<Context>::parse):
2546         * wasm/WasmInstance.cpp:
2547         * wasm/WasmLimits.h:
2548         * wasm/WasmModuleParser.cpp:
2549         (JSC::Wasm::ModuleParser::parseGlobal):
2550         (JSC::Wasm::ModuleParser::parseCode):
2551         (JSC::Wasm::ModuleParser::parseData):
2552         * wasm/WasmSignature.h:
2553         (JSC::Wasm::Signature::allocatedSize):
2554         * wasm/WasmTable.cpp:
2555         (JSC::Wasm::Table::Table):
2556         * wasm/js/JSWebAssemblyTable.cpp:
2557         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2558         (JSC::JSWebAssemblyTable::grow):
2559
2560 2017-10-26  Michael Saboff  <msaboff@apple.com>
2561
2562         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
2563         https://bugs.webkit.org/show_bug.cgi?id=178890
2564
2565         Reviewed by Keith Miller.
2566
2567         We need to let a contained subpattern backtrack before declaring that the containing
2568         parenthesis doesn't match.  If the subpattern fails to match backtracking, then we
2569         can check to see if we are trying to backtrack below the minimum match count.
2570         
2571         * yarr/YarrInterpreter.cpp:
2572         (JSC::Yarr::Interpreter::backtrackParentheses):
2573
2574 2017-10-26  Mark Lam  <mark.lam@apple.com>
2575
2576         JSRopeString::RopeBuilder::append() should check for overflows.
2577         https://bugs.webkit.org/show_bug.cgi?id=178385
2578         <rdar://problem/35027468>
2579
2580         Reviewed by Saam Barati.
2581
2582         1. Made RopeString check for overflow like the Checked class does.
2583         2. Added a missing overflow check in objectProtoFuncToString().
2584
2585         * runtime/JSString.cpp:
2586         (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
2587         (JSC::JSRopeString::RopeBuilder::expand): Deleted.
2588         * runtime/JSString.h:
2589         * runtime/ObjectPrototype.cpp:
2590         (JSC::objectProtoFuncToString):
2591         * runtime/Operations.h:
2592         (JSC::jsStringFromRegisterArray):
2593         (JSC::jsStringFromArguments):
2594
2595 2017-10-26  JF Bastien  <jfbastien@apple.com>
2596
2597         WebAssembly: no VM / JS version of our implementation
2598         https://bugs.webkit.org/show_bug.cgi?id=177472
2599
2600         Reviewed by Michael Saboff.
2601
2602         This patch removes all appearances of "JS" and "VM" in the wasm
2603         directory. These now only appear in the wasm/js directory, which
2604         is only used in a JS embedding of wasm. It should therefore now be
2605         possible to create non-JS embeddings of wasm through JSC, though
2606         it'll still require:
2607
2608           - Mild codegen for wasm<->embedder calls;
2609           - A strategy for trap handling (no need for full unwind! Could kill).
2610           - Creation of the Wasm::* objects.
2611           - Calling convention handling to call the embedder.
2612           - Handling of multiple embedders (see #177475, this is optional).
2613
2614         Most of the patch consists of renaming JSWebAssemblyInstance to
2615         Instance, and removing temporary copies which I'd added to make
2616         this specific patch very simple.
2617
2618         * interpreter/CallFrame.cpp:
2619         (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place
2620         which needs to know about who "owns" the Wasm::Instance. In a JS
2621         embedding it's the JSWebAssemblyInstance.
2622         * wasm/WasmB3IRGenerator.cpp:
2623         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2624         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2625         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2626         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2627         (JSC::Wasm::B3IRGenerator::getGlobal):
2628         (JSC::Wasm::B3IRGenerator::setGlobal):
2629         (JSC::Wasm::B3IRGenerator::addCall):
2630         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2631         * wasm/WasmBinding.cpp:
2632         (JSC::Wasm::wasmToWasm):
2633         * wasm/WasmContext.cpp:
2634         (JSC::Wasm::Context::load const):
2635         (JSC::Wasm::Context::store):
2636         * wasm/WasmContext.h:
2637         * wasm/WasmEmbedder.h:
2638         * wasm/WasmInstance.cpp:
2639         (JSC::Wasm::Instance::Instance):
2640         (JSC::Wasm::Instance::create):
2641         (JSC::Wasm::Instance::extraMemoryAllocated const):
2642         * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
2643         "tail" import information from JSWebAssemblyInstance over to here.
2644         (JSC::Wasm::Instance::finalizeCreation):
2645         (JSC::Wasm::Instance::owner const):
2646         (JSC::Wasm::Instance::offsetOfOwner):
2647         (JSC::Wasm::Instance::context const):
2648         (JSC::Wasm::Instance::setMemory):
2649         (JSC::Wasm::Instance::setTable):
2650         (JSC::Wasm::Instance::offsetOfMemory):
2651         (JSC::Wasm::Instance::offsetOfGlobals):
2652         (JSC::Wasm::Instance::offsetOfTable):
2653         (JSC::Wasm::Instance::offsetOfTail):
2654         (JSC::Wasm::Instance::numImportFunctions const):
2655         (JSC::Wasm::Instance::importFunctionInfo):
2656         (JSC::Wasm::Instance::offsetOfTargetInstance):
2657         (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
2658         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
2659         (JSC::Wasm::Instance::offsetOfImportFunction):
2660         (JSC::Wasm::Instance::importFunction):
2661         (JSC::Wasm::Instance::allocationSize):
2662         (JSC::Wasm::Instance::create): Deleted.
2663         * wasm/WasmOMGPlan.cpp:
2664         (JSC::Wasm::OMGPlan::runForIndex):
2665         * wasm/WasmOMGPlan.h:
2666         * wasm/WasmTable.cpp:
2667         (JSC::Wasm::Table::Table):
2668         (JSC::Wasm::Table::setFunction):
2669         * wasm/WasmTable.h:
2670         * wasm/WasmThunks.cpp:
2671         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2672         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2673         * wasm/js/JSToWasm.cpp:
2674         (JSC::Wasm::createJSToWasmWrapper):
2675         * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
2676         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
2677         decides what the import function is. Here we must properly
2678         placement-new it to what we've elected (and initialize it later).
2679         (JSC::JSWebAssemblyInstance::visitChildren):
2680         (JSC::JSWebAssemblyInstance::finalizeCreation):
2681         (JSC::JSWebAssemblyInstance::create):
2682         * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
2683         (JSC::JSWebAssemblyInstance::instance):
2684         (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
2685         (JSC::JSWebAssemblyInstance::setMemory):
2686         (JSC::JSWebAssemblyInstance::table):
2687         (JSC::JSWebAssemblyInstance::setTable):
2688         (JSC::JSWebAssemblyInstance::offsetOfInstance):
2689         (JSC::JSWebAssemblyInstance::offsetOfCallee):
2690         (JSC::JSWebAssemblyInstance::context const): Deleted.
2691         (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
2692         (): Deleted.
2693         (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
2694         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
2695         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
2696         (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
2697         (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
2698         (JSC::JSWebAssemblyInstance::importFunction): Deleted.
2699         (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
2700         (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
2701         (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
2702         (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
2703         (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
2704         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
2705         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
2706         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
2707         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
2708         (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
2709         (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
2710         (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
2711         (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
2712         (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
2713         * wasm/js/JSWebAssemblyTable.cpp:
2714         (JSC::JSWebAssemblyTable::setFunction):
2715         * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
2716         (JSC::Wasm::materializeImportJSCell):
2717         (JSC::Wasm::handleBadI64Use):
2718         (JSC::Wasm::wasmToJS):
2719         (JSC::Wasm::wasmToJSException):
2720         * wasm/js/WasmToJS.h:
2721         * wasm/js/WebAssemblyFunction.cpp:
2722         (JSC::callWebAssemblyFunction):
2723         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2724         (JSC::constructJSWebAssemblyInstance):
2725         * wasm/js/WebAssemblyModuleRecord.cpp:
2726         (JSC::WebAssemblyModuleRecord::link):
2727         (JSC::WebAssemblyModuleRecord::evaluate):
2728         * wasm/js/WebAssemblyPrototype.cpp:
2729         (JSC::instantiate):
2730         * wasm/js/WebAssemblyWrapperFunction.cpp:
2731         (JSC::WebAssemblyWrapperFunction::create):
2732
2733 2017-10-25  Devin Rousso  <webkit@devinrousso.com>
2734
2735         Web Inspector: provide a way to enable/disable event listeners
2736         https://bugs.webkit.org/show_bug.cgi?id=177451
2737         <rdar://problem/34994925>
2738
2739         Reviewed by Joseph Pecoraro.
2740
2741         * inspector/protocol/DOM.json:
2742         Add `setEventListenerDisabled` command that enables/disables a specific event listener
2743         during event dispatch. When a disabled event listener is fired, the listener's callback will
2744         not be called.
2745
2746 2017-10-25  Commit Queue  <commit-queue@webkit.org>
2747
2748         Unreviewed, rolling out r223691 and r223729.
2749         https://bugs.webkit.org/show_bug.cgi?id=178834
2750
2751         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
2752         by rniwa on #webkit).
2753
2754         Reverted changesets:
2755
2756         "Turn recursive tail calls into loops"
2757         https://bugs.webkit.org/show_bug.cgi?id=176601
2758         https://trac.webkit.org/changeset/223691
2759
2760         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
2761         comparison is always false due to limited range of data type
2762         [-Wtype-limits]"
2763         https://bugs.webkit.org/show_bug.cgi?id=178543
2764         https://trac.webkit.org/changeset/223729
2765
2766 2017-10-25  Michael Saboff  <msaboff@apple.com>
2767
2768         REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
2769         https://bugs.webkit.org/show_bug.cgi?id=178825
2770
2771         Reviewed by Mark Lam.
2772
2773         Enable ARC for ARM64_32.  This eliminates the need for setting CLANG_ENABLE_OBJC_WEAK.
2774
2775         * Configurations/ToolExecutable.xcconfig:
2776
2777 2017-10-25  Keith Miller  <keith_miller@apple.com>
2778
2779         Fix implicit cast of enum, which seems to break the windows build of unified sources.
2780         https://bugs.webkit.org/show_bug.cgi?id=178822
2781
2782         Reviewed by Saam Barati.
2783
2784         * bytecode/DFGExitProfile.h:
2785         (JSC::DFG::FrequentExitSite::hash const):
2786
2787 2017-10-24  Michael Saboff  <msaboff@apple.com>
2788
2789         Allow ObjC Weak References when building TestAPI
2790         https://bugs.webkit.org/show_bug.cgi?id=178748
2791
2792         Reviewed by Dan Bernstein.
2793
2794         Set TestAPI build flag Weak References in Manual Retain Release to true.
2795
2796         * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
2797         * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
2798
2799 2017-10-24  Eric Carlson  <eric.carlson@apple.com>
2800
2801         Web Inspector: Enable WebKit logging configuration and display
2802         https://bugs.webkit.org/show_bug.cgi?id=177027
2803         <rdar://problem/33964767>
2804
2805         Reviewed by Joseph Pecoraro.
2806
2807         * inspector/ConsoleMessage.cpp:
2808         (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage -> 
2809             Inspector::Protocol::Console::ChannelSource.
2810         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
2811         (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
2812             specific to a JSContext yet, so return an empty channel array.
2813         (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
2814         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2815
2816         * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
2817             and setLoggingChannelLevel.
2818
2819         * inspector/scripts/codegen/generator.py: Special case "webrtc"-> "WebRTC".
2820         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2821         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2822         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2823         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2824         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2825
2826         * runtime/ConsoleTypes.h: Add Media and WebRTC.
2827
2828 2017-10-24  Michael Saboff  <msaboff@apple.com>
2829
2830         Allow ObjC Weak References when building TestAPI
2831         https://bugs.webkit.org/show_bug.cgi?id=178748
2832
2833         Reviewed by Saam Barati.
2834
2835         Set TestAPI build flag Weak References in Manual Retain Release to true.
2836
2837         * JavaScriptCore.xcodeproj/project.pbxproj:
2838
2839 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2840
2841         [FTL] Support NewStringObject
2842         https://bugs.webkit.org/show_bug.cgi?id=178737
2843
2844         Reviewed by Saam Barati.
2845
2846         FTL should support NewStringObject and encourage use of NewStringObject in DFG pipeline.
2847         After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
2848
2849         * ftl/FTLAbstractHeapRepository.h:
2850         * ftl/FTLCapabilities.cpp:
2851         (JSC::FTL::canCompile):
2852         * ftl/FTLLowerDFGToB3.cpp:
2853         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2854         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2855
2856 2017-10-24  Guillaume Emont  <guijemont@igalia.com>
2857
2858         [mips] fix offsets of branches that have to go over a jump
2859         https://bugs.webkit.org/show_bug.cgi?id=153464
2860
2861         The jump() function creates 8 instructions, but the offsets of branches
2862         meant to go over them only account for 6. In most cases, this is not an
2863         issue as the last two instructions of jump() would be nops, but in the
2864         rarer case where the jump destination is in a different 256 MB segment,
2865         MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
2866         the last 4 instructions would be a 2 instruction load (lui/ori) into
2867         $t9, a "j $t9" and then a nop. The wrong offset will mean that the
2868         previous branches meant to go over the whole jump will branch to the
2869         "j $t9" instruction, which would jump to whatever is currently in $t9
2870         (since lui/ori would not be executed).
2871
2872         Reviewed by Michael Catanzaro.
2873
2874         * assembler/MacroAssemblerMIPS.h:
2875         (JSC::MacroAssemblerMIPS::branchAdd32):
2876         (JSC::MacroAssemblerMIPS::branchMul32):
2877         (JSC::MacroAssemblerMIPS::branchSub32):
2878         Fix the offsets of branches meant to go over code generated by jump().
2879
2880 2017-10-24  JF Bastien  <jfbastien@apple.com>
2881
2882         WebAssembly: NFC renames of things that aren't JS-specific
2883         https://bugs.webkit.org/show_bug.cgi?id=178738
2884
2885         Reviewed by Saam Barati.
2886
2887         * wasm/WasmB3IRGenerator.cpp:
2888         (JSC::Wasm::parseAndCompile):
2889         * wasm/WasmB3IRGenerator.h:
2890         * wasm/WasmBBQPlan.cpp:
2891         (JSC::Wasm::BBQPlan::complete):
2892         * wasm/WasmCodeBlock.cpp:
2893         (JSC::Wasm::CodeBlock::CodeBlock):
2894         * wasm/WasmCodeBlock.h:
2895         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
2896         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
2897         * wasm/WasmFormat.h:
2898         * wasm/js/JSToWasm.cpp:
2899         (JSC::Wasm::createJSToWasmWrapper):
2900         * wasm/js/WebAssemblyModuleRecord.cpp:
2901         (JSC::WebAssemblyModuleRecord::link):
2902         (JSC::WebAssemblyModuleRecord::evaluate):
2903
2904 2017-10-24  Stephan Szabo  <stephan.szabo@sony.com>
2905
2906         [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
2907         https://bugs.webkit.org/show_bug.cgi?id=177279
2908
2909         Reviewed by Yusuke Suzuki.
2910
2911         * shell/PlatformJSCOnly.cmake: Added.
2912
2913 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
2914
2915         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
2916         https://bugs.webkit.org/show_bug.cgi?id=178308
2917
2918         Reviewed by Mark Lam.
2919
2920         With the change of the spec[1], we now do not need to remember star resolution modules.
2921         We reflect this change to our implementation. Since this change is covered by test262,
2922         this patch improves the score of test262.
2923
2924         We also add logging to ResolveExport to debug it easily.
2925
2926         [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
2927
2928         * runtime/AbstractModuleRecord.cpp:
2929         (JSC::AbstractModuleRecord::ResolveQuery::dump const):
2930         (JSC::AbstractModuleRecord::resolveExportImpl):
2931
2932 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2933
2934         [JSC] Use emitDumbVirtualCall in 32bit JIT
2935         https://bugs.webkit.org/show_bug.cgi?id=178644
2936
2937         Reviewed by Mark Lam.
2938
2939         This patch aligns 32bit JIT op_call_eval slow case to 64bit version by using emitDumbVirtualCall.
2940
2941         * jit/JITCall32_64.cpp:
2942         (JSC::JIT::compileCallEvalSlowCase):
2943
2944 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2945
2946         [JSC] Drop ArityCheckData
2947         https://bugs.webkit.org/show_bug.cgi?id=178648
2948
2949         Reviewed by Mark Lam.
2950
2951         ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
2952         However, use of `thunkToCall` is removed in 64bit environment at r189575.
2953
2954         We remove `thunkToCall` and align 32bit implementation to 64bit implementation.
2955         Since we no longer need to have the above pair, we can remove ArityCheckData too.
2956
2957         * llint/LowLevelInterpreter32_64.asm:
2958         * llint/LowLevelInterpreter64.asm:
2959         * runtime/CommonSlowPaths.cpp:
2960         (JSC::SLOW_PATH_DECL):
2961         (JSC::setupArityCheckData): Deleted.
2962         * runtime/CommonSlowPaths.h:
2963         * runtime/VM.cpp:
2964         (JSC::VM::VM):
2965         * runtime/VM.h:
2966
2967 2017-10-23  Keith Miller  <keith_miller@apple.com>
2968
2969         Unreviewed, reland r223866
2970
2971         Didn't break the windows build...
2972
2973         Restored changeset:
2974
2975         "WebAssembly: topEntryFrame on Wasm::Instance"
2976         https://bugs.webkit.org/show_bug.cgi?id=178690
2977         https://trac.webkit.org/changeset/223866
2978
2979
2980 2017-10-23  Commit Queue  <commit-queue@webkit.org>
2981
2982         Unreviewed, rolling out r223866.
2983         https://bugs.webkit.org/show_bug.cgi?id=178699
2984
2985         Probably broke the windows build (Requested by keith_miller on
2986         #webkit).
2987
2988         Reverted changeset:
2989
2990         "WebAssembly: topEntryFrame on Wasm::Instance"
2991         https://bugs.webkit.org/show_bug.cgi?id=178690
2992         https://trac.webkit.org/changeset/223866
2993
2994 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
2995
2996         Web Inspector: Remove unused Console.setMonitoringXHREnabled
2997         https://bugs.webkit.org/show_bug.cgi?id=178617
2998
2999         Reviewed by Sam Weinig.
3000
3001         * JavaScriptCore.xcodeproj/project.pbxproj:
3002         * Sources.txt:
3003         * inspector/agents/InspectorConsoleAgent.h:
3004         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
3005         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
3006         * inspector/protocol/Console.json:
3007         Removed files and method.
3008
3009         * inspector/JSGlobalObjectInspectorController.cpp:
3010         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3011         This can use the base ConsoleAgent now.
3012
3013 2017-10-23  JF Bastien  <jfbastien@apple.com>
3014
3015         WebAssembly: topEntryFrame on Wasm::Instance
3016         https://bugs.webkit.org/show_bug.cgi?id=178690
3017
3018         Reviewed by Saam Barati.
3019
3020         topEntryFrame is usually on VM, but for a no-VM WebAssembly we
3021         need to hold topEntryFrame elsewhere, and generated code cannot
3022         hard-code where topEntryFrame lives. Do this at creation time of
3023         Wasm::Instance, and then generated code will just load from
3024         wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
3025         embedding this is still from VM, so all of the unwinding machinery
3026         stays the same.
3027
3028         * dfg/DFGOSREntry.cpp:
3029         (JSC::DFG::prepareOSREntry):
3030         * dfg/DFGOSRExit.cpp:
3031         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3032         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3033         * ftl/FTLOSRExitCompiler.cpp:
3034         (JSC::FTL::compileStub):
3035         * interpreter/Interpreter.cpp:
3036         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3037         * jit/AssemblyHelpers.cpp:
3038         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
3039         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
3040         * jit/AssemblyHelpers.h:
3041         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
3042         The default parameter was never non-defaulted from any of the
3043         callers. The new version calls the impl directly because it
3044         doesn't have VM and doesn't hard-code the address of
3045         topEntryFrame.
3046         * jit/RegisterSet.cpp:
3047         (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
3048         VM because it's not really VM-specific.
3049         * jit/RegisterSet.h:
3050         * runtime/VM.cpp:
3051         (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
3052         * runtime/VM.h:
3053         (JSC::VM::getCTIStub):
3054         * wasm/WasmB3IRGenerator.cpp:
3055         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3056         (JSC::Wasm::B3IRGenerator::addCall):
3057         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3058         * wasm/WasmInstance.cpp:
3059         (JSC::Wasm::Instance::Instance):
3060         * wasm/WasmInstance.h: topEntryFramePointer will eventually live
3061         here for real. Right now it's mirrored in JSWebAssemblyInstance
3062         because that's the acting Context.
3063         (JSC::Wasm::Instance::create):
3064         (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
3065         * wasm/WasmThunks.cpp:
3066         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3067         * wasm/js/JSWebAssemblyInstance.cpp:
3068         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
3069         * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
3070         (JSC::JSWebAssemblyInstance::offsetOfCallee):
3071         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
3072         (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
3073         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3074         (JSC::constructJSWebAssemblyInstance):
3075         * wasm/js/WebAssemblyPrototype.cpp:
3076         (JSC::instantiate):
3077
3078 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
3079
3080         Web Inspector: Please support HAR Export for network traffic
3081         https://bugs.webkit.org/show_bug.cgi?id=146692
3082         <rdar://problem/7463672>
3083
3084         Reviewed by Brian Burg.
3085
3086         * inspector/protocol/Network.json:
3087         Add a walltime to each send request.
3088
3089 2017-10-23  Matt Lewis  <jlewis3@apple.com>
3090
3091         Unreviewed, rolling out r223820.
3092
3093         This caused a build break on Windows.
3094
3095         Reverted changeset:
3096
3097         "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
3098         https://bugs.webkit.org/show_bug.cgi?id=178617
3099         https://trac.webkit.org/changeset/223820
3100
3101 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3102
3103         [JSC] Use fastJoin in Array#toString
3104         https://bugs.webkit.org/show_bug.cgi?id=178062
3105
3106         Reviewed by Darin Adler.
3107
3108         Array#toString()'s fast path uses the original join operation.
3109         But this should use fastJoin if possible.
3110         This patch adds a fast path using fastJoin in Array#toString.
3111         And we also extend fastJoin to perform fast joining for int32
3112         arrays.
3113
3114                                              baseline                  patched
3115
3116         double-array-to-string          126.6157+-5.8625     ^    103.7343+-4.4968        ^ definitely 1.2206x faster
3117         int32-array-to-string            64.7792+-2.6524           61.2390+-2.1749          might be 1.0578x faster
3118         contiguous-array-to-string       62.6224+-2.6388     ^     56.9899+-2.0852        ^ definitely 1.0988x faster
3119
3120
3121         * runtime/ArrayPrototype.cpp:
3122         (JSC::fastJoin):
3123         (JSC::arrayProtoFuncToString):
3124         (JSC::arrayProtoFuncToLocaleString):
3125         * runtime/JSStringJoiner.h:
3126         (JSC::JSStringJoiner::appendWithoutSideEffects):
3127         (JSC::JSStringJoiner::appendInt32):
3128         (JSC::JSStringJoiner::appendDouble):
3129
3130 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3131
3132         [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
3133         https://bugs.webkit.org/show_bug.cgi?id=178452
3134
3135         Reviewed by Yusuke Suzuki.
3136
3137         * heap/RegisterState.h: Re-enable the custom RegisterState and
3138         ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
3139         cause any crashes nowadays.
3140
3141 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3142
3143         [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
3144         https://bugs.webkit.org/show_bug.cgi?id=178647
3145
3146         Reviewed by Saam Barati.
3147
3148         There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone
3149         since the number of slow cases depends on values of instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
3150         which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function,
3151         this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.
3152
3153         * jit/JIT.h:
3154         (JSC::JIT::linkAllSlowCases):
3155         * jit/JITArithmetic.cpp:
3156         (JSC::JIT::emitSlow_op_unsigned):
3157         (JSC::JIT::emit_compareAndJump):
3158         (JSC::JIT::emit_compareAndJumpSlow):
3159         (JSC::JIT::emitSlow_op_inc):
3160         (JSC::JIT::emitSlow_op_dec):
3161         (JSC::JIT::emitSlow_op_mod):
3162         (JSC::JIT::emitSlow_op_negate):
3163         (JSC::JIT::emitSlow_op_bitand):
3164         (JSC::JIT::emitSlow_op_bitor):
3165         (JSC::JIT::emitSlow_op_bitxor):
3166         (JSC::JIT::emitSlow_op_lshift):
3167         (JSC::JIT::emitSlow_op_rshift):
3168         (JSC::JIT::emitSlow_op_urshift):
3169         (JSC::JIT::emitSlow_op_add):
3170         (JSC::JIT::emitSlow_op_div):
3171         (JSC::JIT::emitSlow_op_mul):
3172         (JSC::JIT::emitSlow_op_sub):
3173         * jit/JITArithmetic32_64.cpp:
3174         (JSC::JIT::emit_compareAndJumpSlow):
3175         (JSC::JIT::emitSlow_op_unsigned):
3176         (JSC::JIT::emitSlow_op_inc):
3177         (JSC::JIT::emitSlow_op_dec):
3178         (JSC::JIT::emitSlow_op_mod):
3179         * jit/JITCall.cpp:
3180         (JSC::JIT::compileCallEvalSlowCase):
3181         (JSC::JIT::compileOpCallSlowCase):
3182         * jit/JITCall32_64.cpp:
3183         (JSC::JIT::compileCallEvalSlowCase):
3184         (JSC::JIT::compileOpCallSlowCase):
3185         * jit/JITInlines.h:
3186         (JSC::JIT::linkAllSlowCasesForBytecodeOffset):
3187         * jit/JITOpcodes.cpp:
3188         (JSC::JIT::emitSlow_op_new_object):
3189         (JSC::JIT::emitSlow_op_create_this):
3190         (JSC::JIT::emitSlow_op_check_tdz):
3191         (JSC::JIT::emitSlow_op_to_this):
3192         (JSC::JIT::emitSlow_op_to_primitive):
3193         (JSC::JIT::emitSlow_op_not):
3194         (JSC::JIT::emitSlow_op_eq):
3195         (JSC::JIT::emitSlow_op_neq):
3196         (JSC::JIT::emitSlow_op_stricteq):
3197         (JSC::JIT::emitSlow_op_nstricteq):
3198         (JSC::JIT::emitSlow_op_instanceof):
3199         (JSC::JIT::emitSlow_op_instanceof_custom):
3200         (JSC::JIT::emitSlow_op_to_number):
3201         (JSC::JIT::emitSlow_op_to_string):
3202         (JSC::JIT::emitSlow_op_loop_hint):
3203         (JSC::JIT::emitSlow_op_check_traps):
3204         (JSC::JIT::emitSlow_op_has_indexed_property):
3205         (JSC::JIT::emitSlow_op_get_direct_pname):
3206         (JSC::JIT::emitSlow_op_has_structure_property):
3207         * jit/JITOpcodes32_64.cpp:
3208         (JSC::JIT::emitSlow_op_new_object):
3209         (JSC::JIT::emitSlow_op_instanceof):
3210         (JSC::JIT::emitSlow_op_instanceof_custom):
3211         (JSC::JIT::emitSlow_op_to_primitive):
3212         (JSC::JIT::emitSlow_op_not):
3213         (JSC::JIT::emitSlow_op_stricteq):
3214         (JSC::JIT::emitSlow_op_nstricteq):
3215         (JSC::JIT::emitSlow_op_to_number):
3216         (JSC::JIT::emitSlow_op_to_string):
3217         (JSC::JIT::emitSlow_op_create_this):
3218         (JSC::JIT::emitSlow_op_to_this):
3219         (JSC::JIT::emitSlow_op_check_tdz):
3220         (JSC::JIT::emitSlow_op_has_indexed_property):
3221         (JSC::JIT::emitSlow_op_get_direct_pname):
3222         * jit/JITPropertyAccess.cpp:
3223         (JSC::JIT::emitSlow_op_try_get_by_id):
3224         (JSC::JIT::emitSlow_op_get_by_id):
3225         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3226         (JSC::JIT::emitSlow_op_put_by_id):
3227         (JSC::JIT::emitSlow_op_resolve_scope):
3228         (JSC::JIT::emitSlow_op_get_from_scope):
3229         (JSC::JIT::emitSlow_op_put_to_scope):
3230         * jit/JITPropertyAccess32_64.cpp:
3231         (JSC::JIT::emitSlow_op_try_get_by_id):
3232         (JSC::JIT::emitSlow_op_get_by_id):
3233         (JSC::JIT::emitSlow_op_get_by_id_with_this):
3234         (JSC::JIT::emitSlow_op_put_by_id):
3235         (JSC::JIT::emitSlow_op_resolve_scope):
3236         (JSC::JIT::emitSlow_op_get_from_scope):
3237         (JSC::JIT::emitSlow_op_put_to_scope):
3238
3239 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3240
3241         [JSC] Clean up baseline slow path
3242         https://bugs.webkit.org/show_bug.cgi?id=178646
3243
3244         Reviewed by Saam Barati.
3245
3246         If the given op is just calling a slow path function, we should use DEFINE_SLOW_OP instead.
3247         It is good since (1) we can reduce the manual emitting code and (2) it can clarify which
3248         function is implemented as a slow path call. This patch is an attempt to reduce 32bit specific
3249         code in baseline JIT.
3250
3251         * jit/JIT.cpp:
3252         (JSC::JIT::privateCompileMainPass):
3253         * jit/JIT.h:
3254         * jit/JITArithmetic.cpp:
3255         (JSC::JIT::emit_op_pow): Deleted.
3256         * jit/JITArithmetic32_64.cpp:
3257         (JSC::JIT::emitSlow_op_mod):
3258         * jit/JITOpcodes.cpp:
3259         (JSC::JIT::emit_op_strcat): Deleted.
3260         (JSC::JIT::emit_op_push_with_scope): Deleted.
3261         (JSC::JIT::emit_op_assert): Deleted.
3262         (JSC::JIT::emit_op_create_lexical_environment): Deleted.
3263         (JSC::JIT::emit_op_throw_static_error): Deleted.
3264         (JSC::JIT::emit_op_new_array_with_spread): Deleted.
3265         (JSC::JIT::emit_op_spread): Deleted.
3266         (JSC::JIT::emit_op_get_enumerable_length): Deleted.
3267         (JSC::JIT::emit_op_has_generic_property): Deleted.
3268         (JSC::JIT::emit_op_get_property_enumerator): Deleted.
3269         (JSC::JIT::emit_op_to_index_string): Deleted.
3270         (JSC::JIT::emit_op_create_direct_arguments): Deleted.
3271         (JSC::JIT::emit_op_create_scoped_arguments): Deleted.
3272         (JSC::JIT::emit_op_create_cloned_arguments): Deleted.
3273         (JSC::JIT::emit_op_create_rest): Deleted.
3274         (JSC::JIT::emit_op_unreachable): Deleted.
3275         * jit/JITOpcodes32_64.cpp:
3276         (JSC::JIT::emit_op_strcat): Deleted.
3277         (JSC::JIT::emit_op_push_with_scope): Deleted.
3278         (JSC::JIT::emit_op_assert): Deleted.
3279         (JSC::JIT::emit_op_create_lexical_environment): Deleted.
3280         * jit/JITPropertyAccess.cpp:
3281         (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
3282         (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
3283         (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
3284         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
3285         (JSC::JIT::emit_op_define_data_property): Deleted.
3286         (JSC::JIT::emit_op_define_accessor_property): Deleted.
3287         * jit/JITPropertyAccess32_64.cpp:
3288         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
3289         (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
3290         (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
3291         (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
3292
3293 2017-10-21  Joseph Pecoraro  <pecoraro@apple.com>
3294
3295         Web Inspector: Remove unused Console.setMonitoringXHREnabled
3296         https://bugs.webkit.org/show_bug.cgi?id=178617
3297
3298         Reviewed by Sam Weinig.
3299
3300         * JavaScriptCore.xcodeproj/project.pbxproj:
3301         * Sources.txt:
3302         * inspector/agents/InspectorConsoleAgent.h:
3303         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
3304         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
3305         * inspector/protocol/Console.json:
3306         Removed files and method.
3307
3308         * inspector/JSGlobalObjectInspectorController.cpp:
3309         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3310         This can use the base ConsoleAgent now.
3311
3312 2017-10-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3313
3314         [JSC] Remove per-host-function CTI stub in 32bit environment
3315         https://bugs.webkit.org/show_bug.cgi?id=178581
3316
3317         Reviewed by Saam Barati.
3318
3319         JIT::privateCompileCTINativeCall only exists in the 32-bit environment and it is almost the same as the native call CTI stub.
3320         The only difference is that it embeds the address of the host function directly in the generated stub. This means
3321         that we have a per-host-function CTI stub only in the 32-bit environment.
3322
3323         This patch just removes it and uses one CTI stub instead. This design is the same as the current 64-bit implementation.
3324
3325         * jit/JIT.cpp:
3326         (JSC::JIT::compileCTINativeCall): Deleted.
3327         * jit/JIT.h:
3328         * jit/JITOpcodes.cpp:
3329         (JSC::JIT::privateCompileCTINativeCall): Deleted.
3330         * jit/JITOpcodes32_64.cpp:
3331         (JSC::JIT::privateCompileCTINativeCall): Deleted.
3332         * jit/JITThunks.cpp:
3333         (JSC::JITThunks::hostFunctionStub):
3334
3335 2017-10-20  Antoine Quint  <graouts@apple.com>
3336
3337         [Web Animations] Provide basic timeline and animation interfaces
3338         https://bugs.webkit.org/show_bug.cgi?id=178526
3339
3340         Reviewed by Dean Jackson.
3341
3342         Remove the WEB_ANIMATIONS compile-time flag.
3343
3344         * Configurations/FeatureDefines.xcconfig:
3345
3346 2017-10-20  Commit Queue  <commit-queue@webkit.org>
3347
3348         Unreviewed, rolling out r223744, r223750, and r223751.
3349         https://bugs.webkit.org/show_bug.cgi?id=178594
3350
3351         These caused consistent failures in tests that existed and were
3352         added in the patches. (Requested by mlewis13 on #webkit).
3353
3354         Reverted changesets:
3355
3356         "[JSC] ScriptFetcher should be notified directly from module
3357         pipeline"
3358         https://bugs.webkit.org/show_bug.cgi?id=178340
3359         https://trac.webkit.org/changeset/223744
3360
3361         "Unreviewed, fix changed line number in test expect files"
3362         https://bugs.webkit.org/show_bug.cgi?id=178340
3363         https://trac.webkit.org/changeset/223750
3364
3365         "Unreviewed, follow up to reflect comments"
3366         https://bugs.webkit.org/show_bug.cgi?id=178340
3367         https://trac.webkit.org/changeset/223751
3368
3369 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3370
3371         Unreviewed, follow up to reflect comments
3372         https://bugs.webkit.org/show_bug.cgi?id=178340
3373
3374         * runtime/JSModuleLoader.cpp:
3375         (JSC::JSModuleLoader::notifyCompleted):
3376
3377 2017-10-20  Saam Barati  <sbarati@apple.com>
3378
3379         Optimize accesses to how we get the direct prototype
3380         https://bugs.webkit.org/show_bug.cgi?id=178548
3381
3382         Reviewed by Yusuke Suzuki.
3383
3384         This patch makes JSObject::getPrototypeDirect take VM& as a parameter
3385         so it can use the faster version of the structure accessor function.
3386         The reason for making this change is that JSObject::getPrototypeDirect
3387         is called on the hot path in property lookup.
3388
3389         * API/JSObjectRef.cpp:
3390         (JSObjectGetPrototype):
3391         * jsc.cpp:
3392         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
3393         (WTF::DOMJITGetterBaseJSObject::customGetter):
3394         (functionCreateProxy):
3395         * runtime/ArrayPrototype.cpp:
3396         (JSC::speciesWatchpointIsValid):
3397         * runtime/ErrorInstance.cpp:
3398         (JSC::ErrorInstance::sanitizedToString):
3399         * runtime/JSArray.cpp:
3400         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
3401         * runtime/JSGlobalObject.cpp:
3402         (JSC::JSGlobalObject::init):
3403         (JSC::lastInPrototypeChain):
3404         (JSC::JSGlobalObject::resetPrototype):
3405         (JSC::JSGlobalObject::finishCreation):
3406         * runtime/JSGlobalObjectInlines.h:
3407         (JSC::JSGlobalObject::objectPrototypeIsSane):
3408         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
3409         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
3410         * runtime/JSLexicalEnvironment.cpp:
3411         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
3412         * runtime/JSMap.cpp:
3413         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
3414         * runtime/JSObject.cpp:
3415         (JSC::JSObject::calculatedClassName):
3416         (JSC::JSObject::setPrototypeWithCycleCheck):
3417         (JSC::JSObject::getPrototype):
3418         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
3419         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
3420         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
3421         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
3422         * runtime/JSObject.h:
3423         (JSC::JSObject::finishCreation):
3424         (JSC::JSObject::getPrototypeDirect const):
3425         (JSC::JSObject::getPrototype):
3426         * runtime/JSObjectInlines.h:
3427         (JSC::JSObject::canPerformFastPutInline):
3428         (JSC::JSObject::getPropertySlot):
3429         (JSC::JSObject::getNonIndexPropertySlot):
3430         * runtime/JSProxy.cpp:
3431         (JSC::JSProxy::setTarget):
3432         * runtime/JSSet.cpp:
3433         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
3434         * runtime/ProgramExecutable.cpp:
3435         (JSC::ProgramExecutable::initializeGlobalProperties):
3436         * runtime/StructureInlines.h:
3437         (JSC::Structure::isValid const):
3438
3439 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3440
3441         [ARM64] static_cast<int32_t>() in BinaryOpNode::emitBytecode() prevents op_unsigned emission
3442         https://bugs.webkit.org/show_bug.cgi?id=178379
3443
3444         Reviewed by Saam Barati.
3445
3446         We reuse jsNumber's checking mechanism here to precisely check that the generated number is within uint32_t
3447         in the bytecode compiler. This is reasonable since the NumberNode will generate exactly this JSValue.
3448
3449         * bytecompiler/NodesCodegen.cpp:
3450         (JSC::BinaryOpNode::emitBytecode):
3451
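The entry above hinges on checking a numeric literal's range without first narrowing it through int32_t. The following C++ is an added illustration and not JSC's code: fitsInInt32, fitsInUInt32, classify and NumberKind are hypothetical stand-ins for the jsNumber-based check. The comparisons are done in double precision so that no out-of-range double-to-int conversion (undefined behaviour in C++) is ever performed, and the [2^31, 2^32) band, where only an unsigned representation is exact, is reported separately.

```cpp
#include <cmath>
#include <cstdint>
#include <limits>

// Hypothetical stand-ins for the range check described in the ChangeLog entry;
// they are not JSC's jsNumber()/isUInt32() implementation.

// True when `value` is a finite integer in [-2^31, 2^31 - 1] and is not -0.
// Compare as doubles: converting an out-of-range double to int32_t is UB, and
// on ARM64 the hardware conversion saturates, so a cast-then-compare check
// silently misclassifies values at or above 2^31.
bool fitsInInt32(double value)
{
    if (!std::isfinite(value))
        return false;
    if (std::trunc(value) != value)
        return false; // fractional part present
    if (value == 0 && std::signbit(value))
        return false; // -0 must stay a double (JS distinguishes it from +0)
    return value >= static_cast<double>(std::numeric_limits<int32_t>::min())
        && value <= static_cast<double>(std::numeric_limits<int32_t>::max());
}

// True when `value` is a finite integer in [0, 2^32 - 1] and is not -0.
bool fitsInUInt32(double value)
{
    if (!std::isfinite(value))
        return false;
    if (std::trunc(value) != value)
        return false;
    if (value == 0 && std::signbit(value))
        return false;
    return value >= 0
        && value <= static_cast<double>(std::numeric_limits<uint32_t>::max());
}

enum class NumberKind { Int32, UInt32Only, Double };

// Decide which representation a literal operand should get: Int32 when the
// signed fast path applies, UInt32Only for [2^31, 2^32) where only an unsigned
// path is exact (the band the entry's op_unsigned emission is about), and
// Double for everything else (fractions, NaN, infinities, -0, out of range).
NumberKind classify(double value)
{
    if (fitsInInt32(value))
        return NumberKind::Int32;
    if (fitsInUInt32(value))
        return NumberKind::UInt32Only;
    return NumberKind::Double;
}

int main()
{
    // Constructed sample literals covering each band.
    const double samples[] = { 0.0, -1.0, 2147483647.0, 2147483648.0, 4294967295.0, 4294967296.0, -0.0, 1.5 };
    for (double v : samples)
        (void)classify(v);
    return 0;
}
```

The useful check for a reader is the 2147483648.0 case: it is rejected by fitsInInt32 and accepted by fitsInUInt32, which is exactly the value range a cast through int32_t would have hidden.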
3452 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3453
3454         [JSC] ScriptFetcher should be notified directly from module pipeline
3455         https://bugs.webkit.org/show_bug.cgi?id=178340
3456
3457         Reviewed by Sam Weinig.
3458
3459         Previously, we used JSStdFunction to let WebCore know the module pipeline results.
3460         We set up a JSStdFunction on the resulting promise of the module pipeline. It is super
3461         ad hoc since JSStdFunction's lambda needs extra care to make it non-cyclic-referenced.
3462         JSStdFunction's lambda can capture variables, but they are not able to be marked by GC.
3463
3464         But now, we have ScriptFetcher. It was introduced after we implemented the module pipeline
3465         notification mechanism by using JSStdFunction. But it is the appropriate one to receive notifications
3466         from the module pipeline in observer style.
3467
3468         This patch removes the above ad-hoc JSStdFunction use. And now ScriptFetcher receives
3469         completion/failure notifications from the module pipeline.
3470
3471         * builtins/ModuleLoaderPrototype.js:
3472         (loadModule):
3473         (loadAndEvaluateModule):
3474         * runtime/Completion.cpp:
3475         (JSC::loadModule):
3476         * runtime/Completion.h:
3477         * runtime/JSModuleLoader.cpp:
3478         (JSC::jsValueToModuleKey):
3479         (JSC::JSModuleLoader::notifyCompleted):
3480         (JSC::JSModuleLoader::notifyFailed):
3481         * runtime/JSModuleLoader.h:
3482         * runtime/ModuleLoaderPrototype.cpp:
3483         (JSC::moduleLoaderPrototypeNotifyCompleted):
3484         (JSC::moduleLoaderPrototypeNotifyFailed):
3485         * runtime/ScriptFetcher.h:
3486         (JSC::ScriptFetcher::notifyLoadCompleted):
3487         (JSC::ScriptFetcher::notifyLoadFailed):
3488
3489 2017-10-19  JF Bastien  <jfbastien@apple.com>
3490
3491         WebAssembly: no VM / JS version of everything but Instance
3492         https://bugs.webkit.org/show_bug.cgi?id=177473
3493
3494         Reviewed by Filip Pizlo, Saam Barati.
3495
3496         This change entails cleaning up and splitting a bunch of code which we had
3497         intertwined between C++ classes which represent JS objects, and pure C++
3498         implementation objects. This specific change goes most of the way towards
3499         allowing JSC's WebAssembly to work without VM / JS, up to but excluding
3500         JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
3501         yet). Because of this we still have a few FIXME identifying places that need to
3502         change. A follow-up change will go the rest of the way.
3503
3504         I went about this change in the simplest way possible: grep the
3505         JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
3506         sub-directory (which contains the JS implementation of WebAssembly).
3507
3508         None of this change removes the need for a JIT entitlement to be able to use
3509         WebAssembly. We don't have an interpreter, the process therefore still needs to
3510         be allowed to JIT to use these pure-C++ APIs.
3511
3512         Interesting things to note:
3513
3514           - Remove VM from Plan and associated places. It can just live as a capture in
3515             the callback lambda if it's needed.
3516           - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
3517             collect. We now instead pass two lambdas at construction time for this
3518             purpose: one to notify of memory pressure, and the other to ask for
3519             synchronous memory reclamation. This allows whoever creates the memory to
3520             dictate how to react to both these cases, and for a JS embedding that's to
3521             call the GC (async or sync, respectively).
3522           - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
3523             there, with an enum class for failure types.
3524           - Exceeding max on memory growth now returns a range error as per spec. This
3525             is a (very minor) breaking change: it used to throw OOM error. Update the
3526             corresponding test.
3527           - When generating the grow_memory opcode, no need to get the VM. Instead,
3528             reach directly for Wasm::Memory and grow it.
3529           - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
3530             ever called from JS (not from grow_memory as before).
3531           - Wasm::Memory now takes a callback for successful growth. This allows JS
3532             wrappers to register themselves when growth succeeds without Wasm::Memory
3533             knowing anything about JS. It'll also allow creating a list of callbacks
3534             for when we add thread support (we'll want to notify many wrappers, all
3535             under a lock).
3536           - Wasm::Memory is now back to being the source of truth about address / size,
3537             used directly by generated code instead of JSWebAssemblyMemory.
3538           - Move wasmToJS from the general WasmBinding header to its own header under
3539             wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
3540             and therefore isn't general WebAssembly.
3541           - Make Wasm::Context an actual type (just a struct holding a
3542             JSWebAssemblyInstance for now) instead of an alias for that. Notably this
3543             doesn't add anything to the Context and doesn't change what actually gets
3544             passed around in JIT code (fast TLS or registers) because these changes
3545             potentially impact performance. The entire purpose of this change is to
3546             allow passing Wasm::Context around without having to know about VM. Since VM
3547             contains a Wasm::Context the JS embedding is effectively the same, but with
3548             this setup a non-JS embedding is much better off.
3549           - Move JSWebAssembly into the JS folder.
3550           - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
3551           - wasm->JS stubs are now on the instance's tail as raw pointers, instead of
3552             being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
3553             stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
3554             called wasm->JS stub. This move means that the embedder must, after creating
3555             a Wasm::CodeBlock, somehow create the stubs to call back into the
3556             embedder. This removes an indirection in the generated code because
3557             the B3 IR generator now reaches into the instance instead of
3558             JSWebAssemblyCodeBlock.
3559           - Move more CodeBlock things. Compilation completion is now marked by its own
3560             atomic<bool> flag instead of a nullptr plan: that required using a lock, and
3561             was causing a deadlock in stack-trace.js because before my changes
3562             JSWebAssemblyCodeBlock did its own completion checking separately from
3563             Wasm::CodeBlock, without getting the lock. Now that everything points to
3564             Wasm::CodeBlock and there's no cached completion marker, the lock was being
3565             acquired in a sanity-check assertion.
3566           - Embedder -> Wasm wrappers are now generated through a function that's passed
3567             in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
3568           - WasmMemory doesn't need to know about fault handling thunks. Only the IR
3569             generator should know, and should make sure that the exception throwing
3570             thunk is generated if any memory is present (note: with signal handling not
3571             all of them generate an exception check).
3572           - Make exception throwing pluggable: instead of having a hard-coded
3573             JS-specific lambda we now have a regular C++ function being called from JIT
3574             code when a WebAssembly exception is thrown. This allows any embedder to get
3575             called as they wish. For now a process can only have a single of these
3576             functions (i.e. only one embedder per process) because the trap handler is a
3577             singleton. That can be fixed in #177475.
3578           - Create WasmEmbedder.h where all embedder plugging will live.
3579           - Split up JSWebAssemblyTable into Wasm::Table which is
3580             refcounted. JSWebAssemblyTable now only contains the JS functions in the
3581             table, and Wasm::Table is what's used by the JIT code to lookup where to
3582             call and do the instance check (for context switch). Note that this creates
3583             an extra allocation for all the instances in Wasm::Table, and in exchange
3584             removes an indirection in JIT code because the instance used to be obtained
3585             off of the JS function. Also note that it's the embedder that keeps the
3586             instances alive, not Wasm::Table (which holds a dumb pointer to the
3587             instance), because doing otherwise would cause reference cycles.
3588           - Add WasmInstance. It doesn't do much for now, owns globals.
3589           - JSWebAssembly instance now doesn't just contain the imported functions as
3590             JSObjects, it also has the corresponding import's instance and wasm
3591             entrypoint. This triples the space allocated per instance's imported
3592             function, but there shouldn't be that many imports. This has two upsides: it
3593             creates smaller and faster code, and makes it easier to disassociate
3594             embedder-specific things from embedder-neutral things. The small / faster
3595             win is in two places: B3 IR generator only needs offsetOfImportFunction for
3596             the call opcode (when the called index is an import) to know whether the
3597             import is wasm->wasm or wasm->embedder (this isn't known at compile-time
3598             because it's dependent on the import object), this is now done by seeing if
3599             that import function has an associated target instance (only wasm->wasm
3600             does); the other place is wasmBinding which uses offsetOfImportFunction to
3601             figure out the wasm->wasm target instance, and then gets
3602             WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
3603             call. The disassociation comes because the target instance can be
3604             Wasm::Instance once we change what the Context is, and
3605             WasmEntrypointLoadLocation is already embedder-independent. As a next step I
3606             can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
3607             and leave importFunction in as an opaque pointer which is embedder-specific,
3608             and in JS will remain WriteBarrier<JSObject>.
3609           - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
3610             around instead of VM. This is a first step in allowing entry frames which
3611             aren't stored on VM, but which are instead stored in an embedder-specific
3612             location. That change won't really affect JS except through code churn, but
3613             will allow WebAssembly to use some machinery in a generic manner without
3614             having a VM.
3615
3616         * JavaScriptCore.xcodeproj/project.pbxproj:
3617         * Sources.txt:
3618         * bytecode/PolymorphicAccess.cpp:
3619         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
3620         * debugger/Debugger.cpp:
3621         (JSC::Debugger::stepOutOfFunction):
3622         (JSC::Debugger::returnEvent):
3623         (JSC::Debugger::unwindEvent):
3624         (JSC::Debugger::didExecuteProgram):
3625         * dfg/DFGJITCompiler.cpp:
3626         (JSC::DFG::JITCompiler::compileExceptionHandlers):
3627         * dfg/DFGOSREntry.cpp:
3628         (JSC::DFG::prepareOSREntry):
3629         * dfg/DFGOSRExit.cpp:
3630         (JSC::DFG::OSRExit::compileOSRExit):
3631         (JSC::DFG::OSRExit::compileExit):
3632         * dfg/DFGThunks.cpp:
3633         (JSC::DFG::osrEntryThunkGenerator):
3634         * ftl/FTLCompile.cpp:
3635         (JSC::FTL::compile):
3636         * ftl/FTLLink.cpp:
3637         (JSC::FTL::link):
3638         * ftl/FTLLowerDFGToB3.cpp:
3639         (JSC::FTL::DFG::LowerDFGToB3::lower):
3640         * ftl/FTLOSRExitCompiler.cpp:
3641         (JSC::FTL::compileStub):
3642         * interpreter/CallFrame.cpp:
3643         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
3644         (JSC::CallFrame::callerFrame):
3645         (JSC::CallFrame::unsafeCallerFrame):
3646         * interpreter/CallFrame.h:
3647         (JSC::ExecState::callerFrame const):
3648         (JSC::ExecState::callerFrameOrEntryFrame const):
3649         (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
3650         * interpreter/FrameTracers.h:
3651         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
3652         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
3653         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
3654         * interpreter/Interpreter.cpp:
3655         (JSC::UnwindFunctor::operator() const):
3656         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3657         (JSC::Interpreter::unwind):
3658         * interpreter/StackVisitor.cpp:
3659         (JSC::StackVisitor::StackVisitor):
3660         (JSC::StackVisitor::gotoNextFrame):
3661         (JSC::StackVisitor::readNonInlinedFrame):
3662         (JSC::StackVisitor::Frame::dump const):
3663         * interpreter/StackVisitor.h:
3664         (JSC::StackVisitor::Frame::callerIsEntryFrame const):
3665         * interpreter/VMEntryRecord.h:
3666         (JSC::VMEntryRecord::prevTopEntryFrame):
3667         (JSC::VMEntryRecord::unsafePrevTopEntryFrame):
3668         (JSC::EntryFrame::vmEntryRecordOffset):
3669         * jit/AssemblyHelpers.cpp:
3670         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
3671         (JSC::AssemblyHelpers::loadWasmContextInstance):
3672         (JSC::AssemblyHelpers::storeWasmContextInstance):
3673         (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
3674         (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
3675         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
3676         * jit/AssemblyHelpers.h:
3677         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3678         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
3679         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
3680         * jit/JIT.cpp:
3681         (JSC::JIT::emitEnterOptimizationCheck):
3682         (JSC::JIT::privateCompileExceptionHandlers):
3683         * jit/JITExceptions.cpp:
3684         (JSC::genericUnwind):
3685         * jit/JITOpcodes.cpp:
3686         (JSC::JIT::emit_op_throw):
3687         (JSC::JIT::emit_op_catch):
3688         (JSC::JIT::emitSlow_op_loop_hint):
3689         * jit/JITOpcodes32_64.cpp:
3690         (JSC::JIT::emit_op_throw):
3691         (JSC::JIT::emit_op_catch):
3692         * jit/JITOperations.cpp:
3693         * jit/ThunkGenerators.cpp:
3694         (JSC::throwExceptionFromCallSlowPathGenerator):
3695         (JSC::nativeForGenerator):
3696         * jsc.cpp:
3697         (functionDumpCallFrame):
3698         * llint/LLIntSlowPaths.cpp:
3699         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3700         * llint/LLIntThunks.cpp:
3701         (JSC::vmEntryRecord):
3702         * llint/LowLevelInterpreter.asm:
3703         * llint/LowLevelInterpreter32_64.asm:
3704         * llint/LowLevelInterpreter64.asm:
3705         * runtime/Options.cpp:
3706         (JSC::recomputeDependentOptions):
3707         * runtime/Options.h:
3708         * runtime/SamplingProfiler.cpp:
3709         (JSC::FrameWalker::FrameWalker):
3710         (JSC::FrameWalker::advanceToParentFrame):
3711         (JSC::SamplingProfiler::processUnverifiedStackTraces):
3712         * runtime/ThrowScope.cpp:
3713         (JSC::ThrowScope::~ThrowScope):
3714         * runtime/VM.cpp:
3715         (JSC::VM::VM):
3716         (JSC::VM::~VM):
3717         * runtime/VM.h:
3718         (JSC::VM::topEntryFrameOffset):
3719         * runtime/VMTraps.cpp:
3720         (JSC::isSaneFrame):
3721         (JSC::VMTraps::tryInstallTrapBreakpoints):
3722         (JSC::VMTraps::invalidateCodeBlocksOnStack):
3723         * wasm/WasmB3IRGenerator.cpp:
3724         (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
3725         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3726         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3727         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3728         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
3729         (JSC::Wasm::B3IRGenerator::addCall):
3730         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3731         (JSC::Wasm::parseAndCompile):
3732         * wasm/WasmB3IRGenerator.h:
3733         * wasm/WasmBBQPlan.cpp:
3734         (JSC::Wasm::BBQPlan::BBQPlan):
3735         (JSC::Wasm::BBQPlan::compileFunctions):
3736         (JSC::Wasm::BBQPlan::complete):
3737         * wasm/WasmBBQPlan.h:
3738         * wasm/WasmBBQPlanInlines.h:
3739         (JSC::Wasm::BBQPlan::initializeCallees):
3740         * wasm/WasmBinding.cpp:
3741         (JSC::Wasm::wasmToWasm):
3742         * wasm/WasmBinding.h:
3743         * wasm/WasmCodeBlock.cpp:
3744         (JSC::Wasm::CodeBlock::create):
3745         (JSC::Wasm::CodeBlock::CodeBlock):
3746         (JSC::Wasm::CodeBlock::compileAsync):
3747         (JSC::Wasm::CodeBlock::setCompilationFinished):
3748         * wasm/WasmCodeBlock.h:
3749         (JSC::Wasm::CodeBlock::offsetOfImportStubs):
3750         (JSC::Wasm::CodeBlock::allocationSize):
3751         (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
3752         (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
3753         (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
3754         (JSC::Wasm::CodeBlock::compilationFinished):
3755         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
3756         (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
3757         * wasm/WasmContext.cpp:
3758         (JSC::Wasm::Context::useFastTLS):
3759         (JSC::Wasm::Context::load const):
3760         (JSC::Wasm::Context::store):
3761         * wasm/WasmContext.h:
3762         * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
3763         * wasm/WasmFaultSignalHandler.cpp:
3764         * wasm/WasmFaultSignalHandler.h:
3765         * wasm/WasmFormat.h:
3766         * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
3767         (JSC::Wasm::Instance::Instance):
3768         (JSC::Wasm::Instance::~Instance):
3769         (JSC::Wasm::Instance::extraMemoryAllocated const):
3770         * wasm/WasmInstance.h: Added.
3771         (JSC::Wasm::Instance::create):
3772         (JSC::Wasm::Instance::finalizeCreation):
3773         (JSC::Wasm::Instance::module):
3774         (JSC::Wasm::Instance::codeBlock):
3775         (JSC::Wasm::Instance::memory):
3776         (JSC::Wasm::Instance::table):
3777         (JSC::Wasm::Instance::loadI32Global const):
3778         (JSC::Wasm::Instance::loadI64Global const):
3779         (JSC::Wasm::Instance::loadF32Global const):
3780         (JSC::Wasm::Instance::loadF64Global const):
3781         (JSC::Wasm::Instance::setGlobal):
3782         (JSC::Wasm::Instance::offsetOfCachedStackLimit):
3783         (JSC::Wasm::Instance::cachedStackLimit const):
3784         (JSC::Wasm::Instance::setCachedStackLimit):
3785         * wasm/WasmMemory.cpp:
3786         (JSC::Wasm::Memory::Memory):
3787         (JSC::Wasm::Memory::create):
3788         (JSC::Wasm::Memory::~Memory):
3789         (JSC::Wasm::Memory::grow):
3790         * wasm/WasmMemory.h:
3791         (JSC::Wasm::Memory::offsetOfMemory):
3792         (JSC::Wasm::Memory::offsetOfSize):
3793         * wasm/WasmMemoryInformation.cpp:
3794         (JSC::Wasm::PinnedRegisterInfo::get):
3795         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
3796         * wasm/WasmMemoryInformation.h:
3797         (JSC::Wasm::PinnedRegisterInfo::toSave const):
3798         * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
3799         (JSC::Wasm::makeString):
3800         * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
3801         * wasm/WasmModule.cpp:
3802         (JSC::Wasm::makeValidationCallback):
3803         (JSC::Wasm::Module::validateSync):
3804         (JSC::Wasm::Module::validateAsync):
3805         (JSC::Wasm::Module::getOrCreateCodeBlock):
3806         (JSC::Wasm::Module::compileSync):
3807         (JSC::Wasm::Module::compileAsync):
3808         * wasm/WasmModule.h:
3809         * wasm/WasmModuleParser.cpp:
3810         (JSC::Wasm::ModuleParser::parseTableHelper):
3811         * wasm/WasmOMGPlan.cpp:
3812         (JSC::Wasm::OMGPlan::OMGPlan):
3813         (JSC::Wasm::OMGPlan::runForIndex):
3814         * wasm/WasmOMGPlan.h:
3815         * wasm/WasmPageCount.h:
3816         (JSC::Wasm::PageCount::isValid const):
3817         * wasm/WasmPlan.cpp:
3818         (JSC::Wasm::Plan::Plan):
3819         (JSC::Wasm::Plan::runCompletionTasks):
3820         (JSC::Wasm::Plan::addCompletionTask):
3821         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
3822         * wasm/WasmPlan.h:
3823         (JSC::Wasm::Plan::dontFinalize):
3824         * wasm/WasmSignature.cpp:
3825         * wasm/WasmSignature.h:
3826         * wasm/WasmTable.cpp: Added.
3827         (JSC::Wasm::Table::create):
3828         (JSC::Wasm::Table::~Table):
3829         (JSC::Wasm::Table::Table):
3830         (JSC::Wasm::Table::grow):
3831         (JSC::Wasm::Table::clearFunction):
3832         (JSC::Wasm::Table::setFunction):
3833         * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
3834         (JSC::Wasm::Table::maximum const):
3835         (JSC::Wasm::Table::size const):
3836         (JSC::Wasm::Table::offsetOfSize):
3837         (JSC::Wasm::Table::offsetOfFunctions):
3838         (JSC::Wasm::Table::offsetOfInstances):
3839         (JSC::Wasm::Table::isValidSize):
3840         * wasm/WasmThunks.cpp:
3841         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3842         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3843         (JSC::Wasm::Thunks::setThrowWasmException):
3844         (JSC::Wasm::Thunks::throwWasmException):
3845         * wasm/WasmThunks.h:
3846         * wasm/WasmWorklist.cpp:
3847         (JSC::Wasm::Worklist::stopAllPlansForContext):
3848         * wasm/WasmWorklist.h:
3849         * wasm/js/JSToWasm.cpp: Added.
3850         (JSC::Wasm::createJSToWasmWrapper):
3851         * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
3852         * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
3853         * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
3854         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3855         (JSC::JSWebAssemblyCodeBlock::create):
3856         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3857         * wasm/js/JSWebAssemblyCodeBlock.h:
3858         * wasm/js/JSWebAssemblyInstance.cpp:
3859         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
3860         (JSC::JSWebAssemblyInstance::finishCreation):
3861         (JSC::JSWebAssemblyInstance::visitChildren):
3862         (JSC::JSWebAssemblyInstance::finalizeCreation):
3863         (JSC::JSWebAssemblyInstance::create):
3864         * wasm/js/JSWebAssemblyInstance.h:
3865         (JSC::JSWebAssemblyInstance::instance):
3866         (JSC::JSWebAssemblyInstance::context const):
3867         (JSC::JSWebAssemblyInstance::table):
3868         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
3869         (JSC::JSWebAssemblyInstance::setMemory):
3870         (JSC::JSWebAssemblyInstance::offsetOfTail):
3871         (JSC::JSWebAssemblyInstance::importFunctionInfo):
3872         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
3873         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
3874         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
3875         (JSC::JSWebAssemblyInstance::importFunction):
3876         (JSC::JSWebAssemblyInstance::internalMemory):
3877         (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
3878         (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
3879         (JSC::JSWebAssemblyInstance::offsetOfCallee):
3880         (JSC::JSWebAssemblyInstance::offsetOfGlobals):
3881         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
3882         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
3883         (JSC::JSWebAssemblyInstance::cachedStackLimit const):
3884         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
3885         (JSC::JSWebAssemblyInstance::wasmMemory):
3886         (JSC::JSWebAssemblyInstance::wasmModule):
3887         (JSC::JSWebAssemblyInstance::allocationSize):
3888         (JSC::JSWebAssemblyInstance::module const):
3889         * wasm/js/JSWebAssemblyMemory.cpp:
3890         (JSC::JSWebAssemblyMemory::create):
3891         (JSC::JSWebAssemblyMemory::adopt):
3892