da8bc014b3746f58a9fc3a9585601525ee0a3743
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-12-05  Filip Pizlo  <fpizlo@apple.com>

        IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
        https://bugs.webkit.org/show_bug.cgi?id=180425

        Reviewed by Saam Barati.

        Failure to do so causes leaks after starting workers.

        * heap/IsoAlignedMemoryAllocator.cpp:
        (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
        (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):

2017-12-05  Per Arne Vollan  <pvollan@apple.com>

        [Win64] Compile error in testmasm.cpp.
        https://bugs.webkit.org/show_bug.cgi?id=180436

        Reviewed by Mark Lam.

        Fix MSVC warning (32-bit shift implicitly converted to 64 bits).

        * assembler/testmasm.cpp:
        (JSC::testGetEffectiveAddress):

2017-12-01  Filip Pizlo  <fpizlo@apple.com>

        GC constraint solving should be parallel
        https://bugs.webkit.org/show_bug.cgi?id=179934

        Reviewed by JF Bastien.

        This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
        speed-up. It's more than 1% on trunk-Speedometer.

        The constraint solver supports running constraints in parallel in two different ways:

        - Run multiple constraints in parallel to each other. This only works for constraints that can
          tolerate other constraints running concurrently to them (constraint.concurrency() ==
          ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
          constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
          could probably make them concurrent, but I'm playing it safe for now.

        - A constraint can create parallel work for itself, which the constraint solver will interleave
          with other stuff. A constraint can report that it has parallel work by returning
          ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
          constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
          for as long as that function wants to run.

        It's not possible to have a non-concurrent constraint that creates parallel work.

        The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
        most natural for two reasons:

        - No need to start any other threads.

        - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
          access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
          create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
          thread, that thread will have work it can start doing immediately. Before this change, we had to
          contribute the work found by the constraint solver to the global worklist so that it could be
          distributed to the marker threads by load balancing. This change probably helps to avoid that
          load balancing step.

        A lot of this change is about making it easy to iterate GC data structures in parallel. This
        change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
        the parallel work API. That constraint iterates the marked cells in two subspaces. This change
        makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
        The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
        iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
        RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
        when it returns a falsish version of ... (in the current code, that's always a pointer type, so
        done is indicated by null).

        * API/JSMarkingConstraintPrivate.cpp:
        (JSContextGroupAddMarkingConstraint):
        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::propagateTransitions const):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::shouldJettisonDueToOldAge):
        (JSC::shouldMarkTransition):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::determineLiveness):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/ConstraintParallelism.h: Added.
        (WTF::printInternal):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::runFixpointPhase):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::resumeThePeriphery):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::setBonusVisitorTask):
        (JSC::Heap::runTaskInParallel):
        (JSC::Heap::forEachSlotVisitor): Deleted.
        * heap/Heap.h:
        (JSC::Heap::worldIsRunning const):
        (JSC::Heap::runFunctionInParallel):
        * heap/HeapInlines.h:
        (JSC::Heap::worldIsStopped const):
        (JSC::Heap::isMarked):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
        (JSC::Heap::isMarkedConcurrently): Deleted.
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::appendNode):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::isMarked):
        (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
        * heap/LockDuringMarking.h:
        (JSC::lockDuringMarking):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
        * heap/MarkedAllocator.h:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::aboutToMark):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
        (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::activeWeakSetsBegin):
        (JSC::MarkedSpace::activeWeakSetsEnd):
        (JSC::MarkedSpace::newActiveWeakSetsBegin):
        (JSC::MarkedSpace::newActiveWeakSetsEnd):
        * heap/MarkingConstraint.cpp:
        (JSC::MarkingConstraint::MarkingConstraint):
        (JSC::MarkingConstraint::execute):
        (JSC::MarkingConstraint::quickWorkEstimate):
        (JSC::MarkingConstraint::workEstimate):
        (JSC::MarkingConstraint::doParallelWork):
        (JSC::MarkingConstraint::finishParallelWork):
        (JSC::MarkingConstraint::doParallelWorkImpl):
        (JSC::MarkingConstraint::finishParallelWorkImpl):
        * heap/MarkingConstraint.h:
        (JSC::MarkingConstraint::lastExecuteParallelism const):
        (JSC::MarkingConstraint::parallelism const):
        (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
        (JSC::MarkingConstraint::workEstimate): Deleted.
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::MarkingConstraintSet):
        (JSC::MarkingConstraintSet::add):
        (JSC::MarkingConstraintSet::executeConvergence):
        (JSC::MarkingConstraintSet::executeConvergenceImpl):
        (JSC::MarkingConstraintSet::executeAll):
        (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
        (): Deleted.
        * heap/MarkingConstraintSet.h:
        * heap/MarkingConstraintSolver.cpp: Added.
        (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
        (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
        (JSC::MarkingConstraintSolver::didVisitSomething const):
        (JSC::MarkingConstraintSolver::execute):
        (JSC::MarkingConstraintSolver::drain):
        (JSC::MarkingConstraintSolver::converge):
        (JSC::MarkingConstraintSolver::runExecutionThread):
        (JSC::MarkingConstraintSolver::didExecute):
        * heap/MarkingConstraintSolver.h: Added.
        * heap/OpaqueRootSet.h: Removed.
        * heap/ParallelSourceAdapter.h: Added.
        (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
        (JSC::createParallelSourceAdapter):
        * heap/SimpleMarkingConstraint.cpp: Added.
        (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::quickWorkEstimate):
        (JSC::SimpleMarkingConstraint::executeImpl):
        * heap/SimpleMarkingConstraint.h: Added.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::updateMutatorIsStopped):
        (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::performIncrementOfDraining):
        (JSC::SlotVisitor::didReachTermination):
        (JSC::SlotVisitor::hasWork):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively):
        (JSC::SlotVisitor::waitForTermination):
        (JSC::SlotVisitor::addOpaqueRoot): Deleted.
        (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
        (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
        (JSC::SlotVisitor::mergeIfNecessary): Deleted.
        (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
        (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::addOpaqueRoot):
        (JSC::SlotVisitor::containsOpaqueRoot const):
        (JSC::SlotVisitor::vm):
        (JSC::SlotVisitor::vm const):
        * heap/Subspace.cpp:
        (JSC::Subspace::parallelAllocatorSource):
        (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
        * heap/Subspace.h:
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachMarkedCellInParallel):
        * heap/VisitCounter.h: Added.
        (JSC::VisitCounter::VisitCounter):
        (JSC::VisitCounter::visitCount const):
        * heap/VisitingTimeout.h: Removed.
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::specializedVisit):
        * runtime/Structure.cpp:
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::markIfCheap):
226
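Added example, not part of this ChangeLog and not JSC's code: a stand-alone C++ model of the parallel-iterator composition the entry above describes. A source hands out items through an atomic next() and signals exhaustion with null; an adapter turns a source of allocators into a source of blocks, and that into a source of cells, so a set of worker threads can visit the marked cells of a subspace without a separate load-balancing step. The heap types, std::function standing in for RefPtr<SharedTask<...()>>, and the constructed sample heap are all assumptions made for this example.

```cpp
#include <atomic>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Hypothetical heap shapes, simplified for this example (not JSC's real types).
struct Cell { bool marked = false; std::atomic<int> visits{0}; };
struct Block { std::vector<std::unique_ptr<Cell>> cells; };
struct Allocator { std::vector<std::unique_ptr<Block>> blocks; };
struct Subspace { std::vector<std::unique_ptr<Allocator>> allocators; };

// A parallel source: next() is cheap and atomic, and null means "done".
// std::function stands in for JSC's RefPtr<SharedTask<T*()>> (an assumption).
template<typename T> using ParallelSource = std::function<T*()>;

// Leaf source over a vector: one fetch_add claims the next element.
template<typename T>
ParallelSource<T> parallelVectorSource(const std::vector<std::unique_ptr<T>>& items)
{
    auto cursor = std::make_shared<std::atomic<size_t>>(0);
    return [&items, cursor]() -> T* {
        size_t i = cursor->fetch_add(1, std::memory_order_relaxed);
        return i < items.size() ? items[i].get() : nullptr;
    };
}

// Adapter: expand each Outer item into its own Inner source. Draining an inner
// source stays lock-free; only the switch to the next Outer item takes the lock.
template<typename Outer, typename Inner>
ParallelSource<Inner> createParallelSourceAdapter(ParallelSource<Outer> outer, std::function<ParallelSource<Inner>(Outer*)> makeInner)
{
    struct State { std::mutex lock; std::shared_ptr<ParallelSource<Inner>> inner; };
    auto state = std::make_shared<State>();
    return [outer, makeInner, state]() -> Inner* {
        for (;;) {
            std::shared_ptr<ParallelSource<Inner>> current;
            {
                std::lock_guard<std::mutex> guard(state->lock);
                if (!state->inner) {
                    Outer* next = outer(); // sources are monotone: once null, always null
                    if (!next) return nullptr;
                    state->inner = std::make_shared<ParallelSource<Inner>>(makeInner(next));
                }
                current = state->inner;
            }
            if (Inner* item = (*current)()) return item;
            // `current` ran dry and stays dry: retire it unless another thread already did.
            std::lock_guard<std::mutex> guard(state->lock);
            if (state->inner == current) state->inner.reset();
        }
    };
}

// Subspace -> allocators -> blocks -> cells, composed from the two pieces above.
inline ParallelSource<Cell> parallelCellSource(Subspace& subspace)
{
    ParallelSource<Block> blocks = createParallelSourceAdapter<Allocator, Block>(
        parallelVectorSource<Allocator>(subspace.allocators),
        [](Allocator* a) { return parallelVectorSource<Block>(a->blocks); });
    return createParallelSourceAdapter<Block, Cell>(blocks, [](Block* b) { return parallelVectorSource<Cell>(b->cells); });
}

// Workers pull cells straight from the shared source, so no separate load-balancing
// step is needed: each thread leaves with work it claimed for itself.
inline void forEachMarkedCellInParallel(Subspace& subspace, unsigned threadCount, const std::function<void(Cell&)>& func)
{
    ParallelSource<Cell> cells = parallelCellSource(subspace);
    std::vector<std::thread> workers;
    for (unsigned i = 0; i < threadCount; ++i)
        workers.emplace_back([&cells, &func] {
            while (Cell* cell = cells())
                if (cell->marked) func(*cell);
        });
    for (std::thread& worker : workers) worker.join();
}

// Constructed sample heap (3 allocators x 4 blocks x 10 cells, every third cell marked):
// visit the marked cells with `threadCount` workers and check each was seen exactly once.
struct VisitReport { size_t visited = 0, expected = 0; bool duplicateOrStray = false; };
inline VisitReport runDemo(unsigned threadCount)
{
    Subspace subspace;
    VisitReport report;
    for (int a = 0, serial = 0; a < 3; ++a) {
        subspace.allocators.push_back(std::make_unique<Allocator>());
        for (int b = 0; b < 4; ++b) {
            subspace.allocators.back()->blocks.push_back(std::make_unique<Block>());
            for (int c = 0; c < 10; ++c, ++serial) {
                auto cell = std::make_unique<Cell>();
                cell->marked = serial % 3 == 0;
                report.expected += cell->marked;
                subspace.allocators.back()->blocks.back()->cells.push_back(std::move(cell));
            }
        }
    }
    forEachMarkedCellInParallel(subspace, threadCount, [](Cell& cell) { cell.visits.fetch_add(1); });
    for (auto& allocator : subspace.allocators)
        for (auto& block : allocator->blocks)
            for (auto& cell : block->cells) {
                report.visited += cell->visits;
                if (cell->visits != (cell->marked ? 1 : 0)) report.duplicateOrStray = true;
            }
    return report;
}
```

The property the adapter relies on is that a drained source stays drained: a worker that gets null from an inner source can retire it after a single pointer comparison under the lock, and a worker that arrives later simply moves on to the next outer item. Calling runDemo(4) on the constructed heap visits all 40 marked cells exactly once; runDemo(1) gives the same result from a single worker, which is a cheap way to check that the concurrency is not what makes the count come out right.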
2017-12-04  JF Bastien  <jfbastien@apple.com>

        Math: don't redundantly check for exceptions, just release scope
        https://bugs.webkit.org/show_bug.cgi?id=180395

        Rubber-stamped by Mark Lam.

        Two of the exceptions checks could just have been exception scope
        releases before the return, which is ever-so-slightly more
        efficient. The same technically applies where we have loops over
        parameters, but doing the scope release there isn't really more
        efficient and is way harder to read.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncPow):

2017-12-04  David Quesada  <david_quesada@apple.com>

        Add a class for parsing application manifests
        https://bugs.webkit.org/show_bug.cgi?id=177973
        rdar://problem/34747949

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.

2017-12-04  JF Bastien  <jfbastien@apple.com>

        Update std::expected to match libc++ coding style
        https://bugs.webkit.org/show_bug.cgi?id=180264

        Reviewed by Alex Christensen.

        Update various uses of Expected.

        * wasm/WasmModule.h:
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseImport):
        (JSC::Wasm::ModuleParser::parseTableHelper):
        (JSC::Wasm::ModuleParser::parseTable):
        (JSC::Wasm::ModuleParser::parseMemoryHelper):
        * wasm/WasmParser.h:
        * wasm/generateWasmValidateInlinesHeader.py:
        (loadMacro):
        (storeMacro):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/JSWebAssemblyModule.h:

2017-12-04  Saam Barati  <sbarati@apple.com>

        We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
        https://bugs.webkit.org/show_bug.cgi?id=180366
        <rdar://problem/35685877>

        Reviewed by Michael Saboff.

        On the TailCall slow path, the CallFrameShuffler will build the frame with
        respect to SP instead of FP. However, this may overwrite slots on the stack
        that are needed if the slow path C call does a stack walk. The slow path
        C call does a stack walk when it throws an exception. This patch fixes
        this bug by ensuring that the top of the stack in the FTL always has enough
        space to allow CallFrameShuffler to build a frame without overwriting any
        items on the stack that are needed when doing a stack walk.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):

2017-12-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=175166
        <rdar://problem/34040740>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        Add optional `name` that will be used by the frontend for uniquely identifying the Recording.

        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::record):
        (Inspector::JSGlobalObjectConsoleClient::recordEnd):

        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        (JSC::consoleProtoFuncRecord):
        (JSC::consoleProtoFuncRecordEnd):

2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF shouldn't have both Thread and ThreadIdentifier
        https://bugs.webkit.org/show_bug.cgi?id=180308

        Reviewed by Darin Adler.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/JSLock.h:
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::throwingThread const):
        (JSC::VM::clearException):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::printVerificationHeader):

2017-12-03  Caio Lima  <ticaiolima@gmail.com>

        Rename DestroyFunc to avoid redefinition on unified build
        https://bugs.webkit.org/show_bug.cgi?id=180335

        Reviewed by Filip Pizlo.

        Changing DestroyFunc structures to more specific names to avoid
        conflicts on unified builds.

        * heap/HeapCellType.cpp:
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: missing exception checks in Math functions that take more than one argument
        https://bugs.webkit.org/show_bug.cgi?id=180297
        <rdar://problem/35745556>

        Reviewed by Mark Lam.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        (JSC::mathProtoFuncPow):

2017-12-01  Mark Lam  <mark.lam@apple.com>

        Let's scramble ClassInfo pointers in cells.
        https://bugs.webkit.org/show_bug.cgi?id=180291
        <rdar://problem/35807620>

        Reviewed by JF Bastien.

        * API/JSCallbackObject.h:
        * API/JSObjectRef.cpp:
        (classInfoPrivate):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtr::initialize): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::hash const):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCScrambledPtr.cpp: Added.
        (JSC::initializeScrambledPtrKeys):
        * runtime/JSCScrambledPtr.h: Added.
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::classInfo const):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::classInfo const):
        * runtime/Structure.h:
        * runtime/VM.h:

2017-12-01  Brian Burg  <bburg@apple.com>

        Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
        https://bugs.webkit.org/show_bug.cgi?id=173662

        Reviewed by Joseph Pecoraro.

        Adopt new type names. Fix protocol generator to use correct type names.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        Improve naming and use 'auto' when the type is obvious and repeated.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::wrapCallFrames const):
        * inspector/InjectedScript.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
        (Inspector::Protocol::Array::Array): Deleted.
        (Inspector::Protocol::Array::openAccessors): Deleted.
        (Inspector::Protocol::Array::addItem): Deleted.
        (Inspector::Protocol::Array::create): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
        Move the implementation out of this file.

        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray const):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomain):
        (Inspector::InspectorAgent::activateExtraDomains):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::getLoggingChannels):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::buildSamples):
        Use more 'auto' and rename a variable.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_protocol_type_for_type):
        Adopt new type names. This exposed a latent bug where we should have been
        unwrapping an AliasedType prior to generating a C++ type for it. The aliased
        type may be an array, in which case we would have generated the wrong type.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_typedefs_for_domain.JSON):
        (_generate_typedefs_for_domain.Inspector): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_type):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        Rebaseline.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations const):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2017-12-01  Saam Barati  <sbarati@apple.com>

        Having a bad time needs to handle ArrayClass indexing type as well
        https://bugs.webkit.org/show_bug.cgi?id=180274
        <rdar://problem/35667869>

        Reviewed by Keith Miller and Mark Lam.

        We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
        Otherwise, we'll end up with the wrong Structure, which will lead us to not
        adhere to the spec. The bug was that we were not considering ArrayClass inside
        hasBrokenIndexing. This patch rewrites that function to automatically opt
        in non-empty indexing types as broken, instead of having to opt out all
        non-empty indexing types besides SlowPutArrayStorage.

        * runtime/IndexingType.h:
        (JSC::hasSlowPutArrayStorage):
        (JSC::shouldUseSlowPut):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::switchToSlowPutArrayStorage):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: stack trace improvement follow-ups
        https://bugs.webkit.org/show_bug.cgi?id=180273

        Reviewed by Saam Barati.

        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmIndexOrName.h:
        (JSC::Wasm::IndexOrName::nameSection const):
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::get):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: restore cached stack limit after out-call
        https://bugs.webkit.org/show_bug.cgi?id=179106
        <rdar://problem/35337525>

        Reviewed by Saam Barati.

        We cache the stack limit on the Instance so that we can do fast
        stack checks where required. In regular usage the stack limit
        never changes because we always run on the same thread, but in
        rare cases an API user can totally migrate which thread (and
        therefore stack) is used for execution between WebAssembly
        traces. For that reason we set the cached stack limit to
        UINTPTR_MAX on the outgoing Instance when transitioning back into
        a different Instance. We usually restore the cached stack limit in
        Context::store, but this wasn't called on all code paths. We had a
        bug where an Instance calling into itself indirectly would
        therefore fail to restore its cached stack limit properly.

        This patch therefore restores the cached stack limit after direct
        calls which could be to imports (both wasm->wasm and
        wasm->embedder). We have to do all of them because we have no way
        of knowing what imports will do (they're known at instantiation
        time, not compilation time, and different instances can have
        different imports). To make this efficient we also add a pointer
        to the canonical location of the stack limit (i.e. the extra
        indirection we're trying to save by caching the stack limit on the
        Instance in the first place). This is potentially a small perf hit
        on imported direct calls.

        It's hard to say what the performance cost will be because we
        haven't seen much code in the wild which does this. We're adding
        two dependent loads and a store of the loaded value, which is
        unlikely to get used soon after. It's more code, but on an
        out-of-order processor it doesn't contribute to the critical path.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
        (JSC::Wasm::Instance::cachedStackLimit const):
        (JSC::Wasm::Instance::setCachedStackLimit):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use JSFixedArray for op_new_array_buffer
        https://bugs.webkit.org/show_bug.cgi?id=180084

        Reviewed by Saam Barati.

        For op_new_array_buffer, we have a special constant buffer in CodeBlock.
        But using JSFixedArray is better because,

        1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
           If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.

        2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
           has JSFixedArray, we can just emit a held JSFixedArray.

        3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.

        4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.

        5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
           DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
           will be introduced in [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=179762

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
        (JSC::CodeBlock::addConstantBuffer): Deleted.
        (JSC::CodeBlock::constantBufferAsVector): Deleted.
        (JSC::CodeBlock::constantBuffer): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
        (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
        (JSC::DFG::ConstantBufferKey::hash const): Deleted.
        (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
        (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
        (JSC::DFG::ConstantBufferKey::index const): Deleted.
        (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
        (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNewArrayBufferData):
        (JSC::DFG::Node::newArrayBufferData):
        (JSC::DFG::Node::hasVectorLengthHint):
        (JSC::DFG::Node::vectorLengthHint):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::OpInfoWrapper::operator=):
        (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
        (JSC::DFG::Node::hasConstantBuffer): Deleted.
        (JSC::DFG::Node::startConstant): Deleted.
        (JSC::DFG::Node::numConstants): Deleted.
677         * dfg/DFGOperations.cpp:
678         * dfg/DFGOperations.h:
679         * dfg/DFGSpeculativeJIT.h:
680         (JSC::DFG::SpeculativeJIT::callOperation):
681         * dfg/DFGSpeculativeJIT32_64.cpp:
682         (JSC::DFG::SpeculativeJIT::compile):
683         * dfg/DFGSpeculativeJIT64.cpp:
684         (JSC::DFG::SpeculativeJIT::compile):
685         * ftl/FTLLowerDFGToB3.cpp:
686         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
687         * jit/JIT.cpp:
688         (JSC::JIT::privateCompileMainPass):
689         * jit/JIT.h:
690         * jit/JITOpcodes.cpp:
691         (JSC::JIT::emit_op_new_array_buffer): Deleted.
692         * jit/JITOperations.cpp:
693         * jit/JITOperations.h:
694         * llint/LLIntSlowPaths.cpp:
695         * llint/LLIntSlowPaths.h:
696         * llint/LowLevelInterpreter.asm:
697         * runtime/CommonSlowPaths.cpp:
698         (JSC::SLOW_PATH_DECL):
699         * runtime/CommonSlowPaths.h:
700         * runtime/JSFixedArray.cpp:
701         (JSC::JSFixedArray::dumpToStream):
702         * runtime/JSFixedArray.h:
703         (JSC::JSFixedArray::create):
704         (JSC::JSFixedArray::get const):
705         (JSC::JSFixedArray::set):
706         (JSC::JSFixedArray::buffer const):
707         (JSC::JSFixedArray::values const):
708         (JSC::JSFixedArray::length const):
709         (JSC::JSFixedArray::get): Deleted.
710
711 2017-11-30  JF Bastien  <jfbastien@apple.com>
712
713         WebAssembly: improve stack trace
714         https://bugs.webkit.org/show_bug.cgi?id=179343
715
716         Reviewed by Saam Barati.
717
718         Stack traces now include:
719
720           - Module name, if provided by the name section.
721           - Module SHA1 hash if no name was provided
722           - Stub identification, to differentiate from user code
723           - Slightly different naming to match design from:
724               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
725
726         * interpreter/StackVisitor.cpp:
727         (JSC::StackVisitor::Frame::functionName const):
728         * runtime/StackFrame.cpp:
729         (JSC::StackFrame::functionName const):
730         (JSC::StackFrame::visitChildren):
731         * wasm/WasmIndexOrName.cpp:
732         (JSC::Wasm::IndexOrName::IndexOrName):
733         (JSC::Wasm::makeString):
734         * wasm/WasmIndexOrName.h:
735         (JSC::Wasm::IndexOrName::nameSection const):
736         * wasm/WasmModuleInformation.cpp:
737         (JSC::Wasm::ModuleInformation::ModuleInformation):
738         * wasm/WasmModuleInformation.h:
739         * wasm/WasmNameSection.h:
740         (JSC::Wasm::NameSection::NameSection):
741         (JSC::Wasm::NameSection::get):
742         * wasm/WasmNameSectionParser.cpp:
743         (JSC::Wasm::NameSectionParser::parse):
744
745 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
746
747         Make LegacyCustomProtocolManager optional for network process
748         https://bugs.webkit.org/show_bug.cgi?id=176230
749
750         Reviewed by Alex Christensen.
751
752         * Configurations/FeatureDefines.xcconfig:
753
754 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
755
756         [JSC] Remove easy toRemove & map.remove() use in OAS phase
757         https://bugs.webkit.org/show_bug.cgi?id=180208
758
759         Reviewed by Mark Lam.
760
761         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
762         to optimize this common pattern. This patch only modifies apparent ones.
763         But we can apply this refactoring further to the OAS phase in the future.
764
765         One thing we should take care of is that the predicate of removeIf should not touch the
766         set it is removing from. In this patch, we apply this change to (1) apparently
767         correct ones and (2) things in the DFG OAS phase since it is very slow.
768
769         * b3/B3MoveConstants.cpp:
770         * dfg/DFGObjectAllocationSinkingPhase.cpp:
771
772 2017-11-30  Commit Queue  <commit-queue@webkit.org>
773
774         Unreviewed, rolling out r225362.
775         https://bugs.webkit.org/show_bug.cgi?id=180225
776
777         removeIf predicate function can touch remove target set
778         (Requested by yusukesuzuki on #webkit).
779
780         Reverted changeset:
781
782         "[JSC] Remove easy toRemove & map.remove() use"
783         https://bugs.webkit.org/show_bug.cgi?id=180208
784         https://trac.webkit.org/changeset/225362
785
786 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
787
788         [JSC] Use AllocatorIfExists for MaterializeNewObject
789         https://bugs.webkit.org/show_bug.cgi?id=180189
790
791         Reviewed by Filip Pizlo.
792
793         I don't think anyone guarantees this allocator exists at this phase.
794         And a nullptr allocator just works here. We change AllocatorForMode
795         to AllocatorIfExists to accept nullptr for the allocator.
796
797         * ftl/FTLLowerDFGToB3.cpp:
798         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
799
800 2017-11-30  Mark Lam  <mark.lam@apple.com>
801
802         Let's scramble MacroAssemblerCodePtr values.
803         https://bugs.webkit.org/show_bug.cgi?id=180169
804         <rdar://problem/35758340>
805
806         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
807
808         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
809
810         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
811            template argument type that will be used to cast the result.  This makes the
812            client code that uses these functions a little less verbose.
813
814         3. Change the code base in general to minimize passing void* code pointers around.
815            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
816            at the last moment when we need the underlying code pointer.
817
818         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
819            default.  I'm leaving them in because they are instrumental in finding bugs
820            where not all MacroAssemblerCodePtr values were scrambled as expected.
821            I expect them to be useful in the near future as we add more scrambling.
822
823         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
824            explicit casts to a boolean).  This ensures that clients will always explicitly
825            use scrambledBits() or executableAddress() to get a value based on which value
826            they actually need.
827
828         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
829            This was helpful when debugging tests that ran multiple VMs concurrently on
830            different threads.
831
832         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
833         CLoop).  It is not yet supported in 32-bit and Windows because we don't
834         currently have a way to read a global variable from their LLInt code.
835
836         * assembler/AbstractMacroAssembler.h:
837         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
838         (JSC::AbstractMacroAssembler::linkPointer):
839         * assembler/CodeLocation.h:
840         (JSC::CodeLocationCommon::instructionAtOffset):
841         (JSC::CodeLocationCommon::labelAtOffset):
842         (JSC::CodeLocationCommon::jumpAtOffset):
843         (JSC::CodeLocationCommon::callAtOffset):
844         (JSC::CodeLocationCommon::nearCallAtOffset):
845         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
846         (JSC::CodeLocationCommon::dataLabel32AtOffset):
847         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
848         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
849         * assembler/LinkBuffer.cpp:
850         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
851         * assembler/LinkBuffer.h:
852         (JSC::LinkBuffer::link):
853         (JSC::LinkBuffer::patch):
854         * assembler/MacroAssemblerCodeRef.cpp:
855         (JSC::MacroAssemblerCodePtr::initialize):
856         * assembler/MacroAssemblerCodeRef.h:
857         (JSC::FunctionPtr::FunctionPtr):
858         (JSC::FunctionPtr::value const):
859         (JSC::FunctionPtr::executableAddress const):
860         (JSC::ReturnAddressPtr::ReturnAddressPtr):
861         (JSC::ReturnAddressPtr::value const):
862         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
863         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
864         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
865         (JSC::MacroAssemblerCodePtr:: const):
866         (JSC::MacroAssemblerCodePtr::operator! const):
867         (JSC::MacroAssemblerCodePtr::operator bool const):
868         (JSC::MacroAssemblerCodePtr::operator== const):
869         (JSC::MacroAssemblerCodePtr::hash const):
870         (JSC::MacroAssemblerCodePtr::emptyValue):
871         (JSC::MacroAssemblerCodePtr::deletedValue):
872         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
873         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
874         * b3/B3LowerMacros.cpp:
875         * b3/testb3.cpp:
876         (JSC::B3::testInterpreter):
877         * dfg/DFGDisassembler.cpp:
878         (JSC::DFG::Disassembler::dumpDisassembly):
879         * dfg/DFGJITCompiler.cpp:
880         (JSC::DFG::JITCompiler::link):
881         (JSC::DFG::JITCompiler::compileFunction):
882         * dfg/DFGOperations.cpp:
883         * dfg/DFGSpeculativeJIT.cpp:
884         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
885         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
886         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
887         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
888         * dfg/DFGSpeculativeJIT.h:
889         * disassembler/Disassembler.cpp:
890         (JSC::disassemble):
891         * disassembler/UDis86Disassembler.cpp:
892         (JSC::tryToDisassembleWithUDis86):
893         * ftl/FTLCompile.cpp:
894         (JSC::FTL::compile):
895         * ftl/FTLJITCode.cpp:
896         (JSC::FTL::JITCode::executableAddressAtOffset):
897         * ftl/FTLLink.cpp:
898         (JSC::FTL::link):
899         * ftl/FTLLowerDFGToB3.cpp:
900         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
901         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
902         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
903         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
904         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
905         * interpreter/InterpreterInlines.h:
906         (JSC::Interpreter::getOpcodeID):
907         * jit/JITArithmetic.cpp:
908         (JSC::JIT::emitMathICFast):
909         (JSC::JIT::emitMathICSlow):
910         * jit/JITCode.cpp:
911         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
912         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
913         (JSC::JITCodeWithCodeRef::offsetOf):
914         * jit/JITDisassembler.cpp:
915         (JSC::JITDisassembler::dumpDisassembly):
916         * jit/PCToCodeOriginMap.cpp:
917         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
918         * jit/Repatch.cpp:
919         (JSC::ftlThunkAwareRepatchCall):
920         * jit/ThunkGenerators.cpp:
921         (JSC::virtualThunkFor):
922         (JSC::boundThisNoArgsFunctionCallGenerator):
923         * llint/LLIntSlowPaths.cpp:
924         (JSC::LLInt::llint_trace_operand):
925         (JSC::LLInt::llint_trace_value):
926         (JSC::LLInt::handleHostCall):
927         (JSC::LLInt::setUpCall):
928         * llint/LowLevelInterpreter64.asm:
929         * offlineasm/cloop.rb:
930         * runtime/InitializeThreading.cpp:
931         (JSC::initializeThreading):
932         * wasm/WasmBBQPlan.cpp:
933         (JSC::Wasm::BBQPlan::complete):
934         * wasm/WasmCallee.h:
935         (JSC::Wasm::Callee::entrypoint const):
936         * wasm/WasmCodeBlock.cpp:
937         (JSC::Wasm::CodeBlock::CodeBlock):
938         * wasm/WasmOMGPlan.cpp:
939         (JSC::Wasm::OMGPlan::work):
940         * wasm/js/WasmToJS.cpp:
941         (JSC::Wasm::wasmToJS):
942         * wasm/js/WebAssemblyFunction.cpp:
943         (JSC::callWebAssemblyFunction):
944         * wasm/js/WebAssemblyFunction.h:
945         * wasm/js/WebAssemblyWrapperFunction.cpp:
946         (JSC::WebAssemblyWrapperFunction::create):
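
        The scrambling scheme described in this entry, shown as an added example rather than
        JSC's own MacroAssemblerCodePtr code: the wrapper stores the code address XOR-ed with a
        process-wide secret, exposes only scrambledBits() and a typed executableAddress<T>(), and
        allows no implicit conversion other than an explicit boolean test. The class name
        ScrambledCodePtr, the secretKey() helper, the "null is stored as 0" convention and the
        sampleThunk function are this example's own assumptions, not details of the project.

```cpp
// Added example, not JSC's MacroAssemblerCodePtr: a code-pointer wrapper that
// keeps its value XOR-scrambled with a process-wide secret and descrambles it
// only through an explicit, typed accessor. ScrambledCodePtr, scrambledBits()
// and executableAddress<T>() follow the names in the ChangeLog entry but are
// this example's own definitions.
#include <cstdint>
#include <random>

namespace scrambled_example {

// Process-wide secret chosen once, lazily, before the first pointer is stored.
// The low bit is forced on so the key is never zero (a zero key would leave
// every pointer unscrambled).
inline uintptr_t secretKey()
{
    static const uintptr_t key = [] {
        std::mt19937_64 gen{std::random_device{}()};
        return static_cast<uintptr_t>(gen()) | 1u;
    }();
    return key;
}

class ScrambledCodePtr {
public:
    ScrambledCodePtr() = default;   // empty value: a null pointer is stored as 0 (assumption)

    static ScrambledCodePtr createFromExecutableAddress(const void* ptr)
    {
        ScrambledCodePtr result;
        if (ptr)
            result.m_bits = reinterpret_cast<uintptr_t>(ptr) ^ secretKey();
        return result;
    }

    // The raw stored value: safe to log, hash or compare, never dereferenceable.
    uintptr_t scrambledBits() const { return m_bits; }

    // The only way to recover the real address; the template argument performs
    // the cast so callers do not sprinkle reinterpret_cast at every use site.
    template<typename T = void*>
    T executableAddress() const
    {
        if (!m_bits)
            return nullptr;
        return reinterpret_cast<T>(m_bits ^ secretKey());
    }

    // Only an explicit boolean conversion; no implicit conversion to void* or an
    // integer, so client code must say which representation it actually wants.
    explicit operator bool() const { return m_bits != 0; }
    bool operator!() const { return !m_bits; }
    bool operator==(const ScrambledCodePtr& other) const { return m_bits == other.m_bits; }

private:
    uintptr_t m_bits = 0;
};

// Constructed stand-in for a JIT thunk: an ordinary function whose address we
// round-trip through the scrambled wrapper and then call.
inline int sampleThunk() { return 42; }

using ThunkPtr = int (*)();

// Scrambles the thunk's address, checks that the stored bits differ from the
// raw address, and calls through the descrambled pointer. Returns the thunk's
// result (42) on success and -1 if the scrambled bits equal the raw address.
inline int roundTripThroughScrambledPointer()
{
    ThunkPtr raw = &sampleThunk;
    ScrambledCodePtr scrambled = ScrambledCodePtr::createFromExecutableAddress(
        reinterpret_cast<const void*>(raw));
    if (scrambled.scrambledBits() == reinterpret_cast<uintptr_t>(raw))
        return -1;
    return scrambled.executableAddress<ThunkPtr>()();
}

// Same round trip for a data pointer: the typed accessor must give back the
// original address, and two wrappers of the same address must compare equal.
inline bool dataPointerRoundTrips()
{
    static int cell = 0;
    ScrambledCodePtr a = ScrambledCodePtr::createFromExecutableAddress(&cell);
    ScrambledCodePtr b = ScrambledCodePtr::createFromExecutableAddress(&cell);
    return a.executableAddress<int*>() == &cell
        && a.scrambledBits() != reinterpret_cast<uintptr_t>(&cell)
        && a == b;
}

} // namespace scrambled_example
```

        The value of the scheme is that a memory disclosure of a structure holding such a pointer
        yields only the scrambled bits; turning them back into a usable address also requires the
        secret, which lives in one place and is read only at the final descramble.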
947
948 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
949
950         [JSC] Remove easy toRemove & map.remove() use
951         https://bugs.webkit.org/show_bug.cgi?id=180208
952
953         Reviewed by Mark Lam.
954
955         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
956         to optimize this common pattern. This patch only modifies apparent ones.
957         But we can apply this refactoring further to the OAS phase in the future.
958
959         * b3/B3MoveConstants.cpp:
960         * dfg/DFGArgumentsEliminationPhase.cpp:
961         * dfg/DFGObjectAllocationSinkingPhase.cpp:
962         * wasm/WasmSignature.cpp:
963         (JSC::Wasm::SignatureInformation::tryCleanup):
964
965 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
966
967         [JSC] Use getEffectiveAddress more in JSC
968         https://bugs.webkit.org/show_bug.cgi?id=180154
969
970         Reviewed by Mark Lam.
971
972         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
973         And we also add a MacroAssembler::negPtr(src, dest) variation.
974
975         * assembler/MacroAssembler.h:
976         (JSC::MacroAssembler::negPtr):
977         * assembler/MacroAssemblerARM.h:
978         (JSC::MacroAssemblerARM::neg32):
979         * assembler/MacroAssemblerARM64.h:
980         (JSC::MacroAssemblerARM64::neg32):
981         (JSC::MacroAssemblerARM64::neg64):
982         * assembler/MacroAssemblerARMv7.h:
983         (JSC::MacroAssemblerARMv7::neg32):
984         * assembler/MacroAssemblerMIPS.h:
985         (JSC::MacroAssemblerMIPS::neg32):
986         * assembler/MacroAssemblerX86Common.h:
987         (JSC::MacroAssemblerX86Common::neg32):
988         * assembler/MacroAssemblerX86_64.h:
989         (JSC::MacroAssemblerX86_64::neg64):
990         * dfg/DFGThunks.cpp:
991         (JSC::DFG::osrEntryThunkGenerator):
992         * ftl/FTLLowerDFGToB3.cpp:
993         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
994         * jit/SetupVarargsFrame.cpp:
995         (JSC::emitSetVarargsFrame):
996
997 2017-11-30  Mark Lam  <mark.lam@apple.com>
998
999         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
1000         https://bugs.webkit.org/show_bug.cgi?id=180219
1001         <rdar://problem/35696536>
1002
1003         Reviewed by Filip Pizlo.
1004
1005         * jsc.cpp:
1006         (functionFlashHeapAccess):
1007
1008 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1009
1010         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
1011         https://bugs.webkit.org/show_bug.cgi?id=180190
1012
1013         Reviewed by Mark Lam.
1014
1015         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
1016         path by calling operationHasIndexedProperty. The problem is that
1017         operationHasIndexedProperty does not account for a negative index. The negative index
1018         was used as a uint32 array index.
1019
1020         In this patch we add a path for a negative index in operationHasIndexedProperty,
1021         and rename it to operationHasIndexedPropertyByInt to make the intention clear.
1022         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
1023         since it is only used in the DFG and FTL.
1024
1025         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
1026         This causes repeated OSR exits and significantly regresses performance. We opened
1027         a bug to track this issue [1].
1028
1029         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
1030
1031         * dfg/DFGOperations.cpp:
1032         * dfg/DFGOperations.h:
1033         * dfg/DFGSpeculativeJIT32_64.cpp:
1034         (JSC::DFG::SpeculativeJIT::compile):
1035         * dfg/DFGSpeculativeJIT64.cpp:
1036         (JSC::DFG::SpeculativeJIT::compile):
1037         * ftl/FTLLowerDFGToB3.cpp:
1038         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
1039         * jit/JITOperations.cpp:
1040         * jit/JITOperations.h:
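
        The signed-to-unsigned index mistake this entry fixes, as an added example that is not
        JSC's code: a "has indexed property" helper that casts an int32 index to uint32 before the
        bounds check turns -1 into 4294967295, reports it as out of bounds, and never consults the
        named property "-1" that the object may actually have. The ToyObject type, the string-key
        fallback for negative indices and the sample data are this example's own assumptions.

```cpp
// Added example (not JSC code): why a signed index must not be reinterpreted
// as an unsigned array index on a "has indexed property" fast path.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a JS object: dense indexed storage plus named
// properties. This is not JSC's JSObject.
struct ToyObject {
    std::vector<bool> indexed;          // indexed[i] == true means property i exists
    std::map<std::string, bool> named;  // named properties, e.g. "-1"
};

// The buggy shape described in the ChangeLog entry: the int32 index is
// converted to uint32 before the bounds check, so -1 becomes 4294967295,
// which is simply "out of bounds", and the named-property lookup that
// JavaScript semantics require for obj[-1] never happens.
bool hasIndexedPropertyBuggy(const ToyObject& obj, int32_t index)
{
    uint32_t i = static_cast<uint32_t>(index);
    return i < obj.indexed.size() && obj.indexed[i];
}

// The fixed shape: a negative index is not an array index at all, so it takes
// its own path (here, assumed for the example: convert it to its decimal
// string and look it up as a named property). Non-negative indices keep the
// dense path, where the uint32 conversion is now exact.
bool hasIndexedPropertyByInt(const ToyObject& obj, int32_t index)
{
    if (index < 0) {
        auto it = obj.named.find(std::to_string(index));
        return it != obj.named.end() && it->second;
    }
    uint32_t i = static_cast<uint32_t>(index);
    return i < obj.indexed.size() && obj.indexed[i];
}

// Constructed sample: properties 0 and 2 exist in dense storage, and the
// object also carries a named property "-1".
ToyObject makeSampleObject()
{
    ToyObject obj;
    obj.indexed = {true, false, true};
    obj.named["-1"] = true;
    return obj;
}
```

        The buggy version answers the in-bounds cases correctly and only diverges on a negative
        index, which is exactly why such a defect survives ordinary testing: the wrong answer is a
        quiet false rather than a crash, and in a JIT that result then feeds speculation.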
1041
1042 2017-11-30  Michael Saboff  <msaboff@apple.com>
1043
1044         Allow JSC command line tool to accept UTF8
1045         https://bugs.webkit.org/show_bug.cgi?id=180205
1046
1047         Reviewed by Keith Miller.
1048
1049         This unifies the UTF8 handling of interactive mode with that of source files.
1050
1051         * jsc.cpp:
1052         (runInteractive):
1053
1054 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1055
1056         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
1057         https://bugs.webkit.org/show_bug.cgi?id=180185
1058
1059         Reviewed by Carlos Garcia Campos.
1060
1061         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
1062         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
1063         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
1064         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
1065         DFG node can be emitted if we see an untaken path that includes String + String code.
1066
1067         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
1068         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
1069         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
1070         original code used before r225314.
1071
1072         * dfg/DFGSpeculativeJIT.cpp:
1073         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1074         * ftl/FTLLowerDFGToB3.cpp:
1075         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1076
1077 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
1078
1079         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
1080         https://bugs.webkit.org/show_bug.cgi?id=180108
1081
1082         Reviewed by Saam Barati.
1083         
1084         This was creating a vector of things to remove and then removing them. I think I remember writing
1085         this code, and I did that because at the time we did not have removeAllMatching, which is
1086         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
1087         obvious improvement before I did more fundamental things to this code.
1088
1089         * heap/CodeBlockSet.cpp:
1090         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1091
1092 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
1093
1094         GC should support isoheaps
1095         https://bugs.webkit.org/show_bug.cgi?id=179288
1096
1097         Reviewed by Saam Barati.
1098         
1099         This expands the power of the Subspace API in JSC:
1100         
1101         - Everything associated with describing the types of objects is now part of the HeapCellType class.
1102           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
1103           HeapCellType; these are orthogonal things.
1104         
1105         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
1106           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
1107           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
1108           pages but releases the physical pages as part of the respective allocator's scavenging policy
1109           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
1110           IsoSubspace).
1111         
1112         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
1113         for more things.
1114         
1115         This does not have any effect on JetStream (0.18% faster with p = 0.69).
1116
1117         * JavaScriptCore.xcodeproj/project.pbxproj:
1118         * Sources.txt:
1119         * bytecode/AccessCase.cpp:
1120         (JSC::AccessCase::generateImpl):
1121         * bytecode/ObjectAllocationProfileInlines.h:
1122         (JSC::ObjectAllocationProfile::initializeProfile):
1123         * dfg/DFGSpeculativeJIT.cpp:
1124         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1125         (JSC::DFG::SpeculativeJIT::compileMakeRope):
1126         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1127         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1128         * dfg/DFGSpeculativeJIT64.cpp:
1129         (JSC::DFG::SpeculativeJIT::compile):
1130         * ftl/FTLAbstractHeapRepository.h:
1131         * ftl/FTLLowerDFGToB3.cpp:
1132         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
1133         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1134         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1135         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1136         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
1137         * heap/AlignedMemoryAllocator.cpp:
1138         (JSC::AlignedMemoryAllocator::registerAllocator):
1139         (JSC::AlignedMemoryAllocator::registerSubspace):
1140         * heap/AlignedMemoryAllocator.h:
1141         (JSC::AlignedMemoryAllocator::firstAllocator const):
1142         * heap/AllocationFailureMode.h: Added.
1143         * heap/CompleteSubspace.cpp: Added.
1144         (JSC::CompleteSubspace::CompleteSubspace):
1145         (JSC::CompleteSubspace::~CompleteSubspace):
1146         (JSC::CompleteSubspace::allocatorFor):
1147         (JSC::CompleteSubspace::allocate):
1148         (JSC::CompleteSubspace::allocateNonVirtual):
1149         (JSC::CompleteSubspace::allocatorForSlow):
1150         (JSC::CompleteSubspace::allocateSlow):
1151         (JSC::CompleteSubspace::tryAllocateSlow):
1152         * heap/CompleteSubspace.h: Added.
1153         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
1154         (JSC::CompleteSubspace::allocatorForSizeStep):
1155         (JSC::CompleteSubspace::allocatorForNonVirtual):
1156         * heap/HeapCellType.cpp: Added.
1157         (JSC::HeapCellType::HeapCellType):
1158         (JSC::HeapCellType::~HeapCellType):
1159         (JSC::HeapCellType::finishSweep):
1160         (JSC::HeapCellType::destroy):
1161         * heap/HeapCellType.h: Added.
1162         (JSC::HeapCellType::attributes const):
1163         * heap/IsoAlignedMemoryAllocator.cpp: Added.
1164         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
1165         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1166         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1167         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
1168         (JSC::IsoAlignedMemoryAllocator::dump const):
1169         * heap/IsoAlignedMemoryAllocator.h: Added.
1170         * heap/IsoSubspace.cpp: Added.
1171         (JSC::IsoSubspace::IsoSubspace):
1172         (JSC::IsoSubspace::~IsoSubspace):
1173         (JSC::IsoSubspace::allocatorFor):
1174         (JSC::IsoSubspace::allocatorForNonVirtual):
1175         (JSC::IsoSubspace::allocate):
1176         (JSC::IsoSubspace::allocateNonVirtual):
1177         * heap/IsoSubspace.h: Added.
1178         (JSC::IsoSubspace::size const):
1179         * heap/MarkedAllocator.cpp:
1180         (JSC::MarkedAllocator::MarkedAllocator):
1181         (JSC::MarkedAllocator::setSubspace):
1182         (JSC::MarkedAllocator::allocateSlowCase):
1183         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
1184         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
1185         * heap/MarkedAllocator.h:
1186         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
1187         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
1188         * heap/MarkedAllocatorInlines.h:
1189         (JSC::MarkedAllocator::allocate):
1190         (JSC::MarkedAllocator::tryAllocate): Deleted.
1191         * heap/MarkedBlock.h:
1192         * heap/MarkedBlockInlines.h:
1193         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
1194         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
1195         * heap/MarkedSpace.cpp:
1196         (JSC::MarkedSpace::addMarkedAllocator):
1197         * heap/MarkedSpace.h:
1198         * heap/Subspace.cpp:
1199         (JSC::Subspace::Subspace):
1200         (JSC::Subspace::initialize):
1201         (JSC::Subspace::finishSweep):
1202         (JSC::Subspace::destroy):
1203         (JSC::Subspace::prepareForAllocation):
1204         (JSC::Subspace::findEmptyBlockToSteal):
1205         (): Deleted.
1206         (JSC::Subspace::allocate): Deleted.
1207         (JSC::Subspace::tryAllocate): Deleted.
1208         (JSC::Subspace::allocatorForSlow): Deleted.
1209         (JSC::Subspace::allocateSlow): Deleted.
1210         (JSC::Subspace::tryAllocateSlow): Deleted.
1211         (JSC::Subspace::didAllocate): Deleted.
1212         * heap/Subspace.h:
1213         (JSC::Subspace::heapCellType const):
1214         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
1215         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
1216         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
1217         (JSC::Subspace::allocatorForSizeStep): Deleted.
1218         (JSC::Subspace::tryAllocatorFor): Deleted.
1219         (JSC::Subspace::allocatorFor): Deleted.
1220         * jit/AssemblyHelpers.h:
1221         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1222         (JSC::AssemblyHelpers::emitAllocateVariableSized):
1223         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
1224         * jit/JITOpcodes.cpp:
1225         (JSC::JIT::emit_op_new_object):
1226         * runtime/ButterflyInlines.h:
1227         (JSC::Butterfly::createUninitialized):
1228         (JSC::Butterfly::tryCreate):
1229         (JSC::Butterfly::growArrayRight):
1230         * runtime/DirectArguments.cpp:
1231         (JSC::DirectArguments::overrideThings):
1232         * runtime/DirectArguments.h:
1233         (JSC::DirectArguments::subspaceFor):
1234         * runtime/DirectEvalExecutable.h:
1235         * runtime/EvalExecutable.h:
1236         * runtime/ExecutableBase.h:
1237         (JSC::ExecutableBase::subspaceFor):
1238         * runtime/FunctionExecutable.h:
1239         * runtime/GenericArgumentsInlines.h:
1240         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1241         * runtime/HashMapImpl.h:
1242         (JSC::HashMapBuffer::create):
1243         * runtime/IndirectEvalExecutable.h:
1244         * runtime/JSArray.cpp:
1245         (JSC::JSArray::tryCreateUninitializedRestricted):
1246         (JSC::JSArray::unshiftCountSlowCase):
1247         * runtime/JSArray.h:
1248         (JSC::JSArray::tryCreate):
1249         * runtime/JSArrayBufferView.cpp:
1250         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1251         * runtime/JSCell.h:
1252         (JSC::subspaceFor):
1253         * runtime/JSCellInlines.h:
1254         (JSC::JSCell::subspaceFor):
1255         (JSC::tryAllocateCellHelper):
1256         (JSC::allocateCell):
1257         (JSC::tryAllocateCell):
1258         * runtime/JSDestructibleObject.h:
1259         (JSC::JSDestructibleObject::subspaceFor):
1260         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
1261         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
1262         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
1263         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
1264         (JSC::JSDestructibleObjectHeapCellType::destroy):
1265         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
1266         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
1267         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
1268         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
1269         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
1270         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
1271         * runtime/JSDestructibleObjectSubspace.h: Removed.
1272         * runtime/JSLexicalEnvironment.h:
1273         (JSC::JSLexicalEnvironment::subspaceFor):
1274         * runtime/JSSegmentedVariableObject.h:
1275         (JSC::JSSegmentedVariableObject::subspaceFor):
1276         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
1277         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
1278         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
1279         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
1280         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
1281         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
1282         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
1283         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
1284         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
1285         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
1286         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
1287         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
1288         * runtime/JSString.h:
1289         (JSC::JSString::subspaceFor):
1290         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
1291         (JSC::JSStringHeapCellType::JSStringHeapCellType):
1292         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
1293         (JSC::JSStringHeapCellType::finishSweep):
1294         (JSC::JSStringHeapCellType::destroy):
1295         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
1296         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
1297         (JSC::JSStringSubspace::finishSweep): Deleted.
1298         (JSC::JSStringSubspace::destroy): Deleted.
1299         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
1300         * runtime/JSStringSubspace.cpp: Removed.
1301         * runtime/JSStringSubspace.h: Removed.
1302         * runtime/ModuleProgramExecutable.h:
1303         * runtime/NativeExecutable.h:
1304         * runtime/ProgramExecutable.h:
1305         * runtime/RegExpMatchesArray.h:
1306         (JSC::tryCreateUninitializedRegExpMatchesArray):
1307         * runtime/ScopedArguments.h:
1308         (JSC::ScopedArguments::subspaceFor):
1309         * runtime/VM.cpp:
1310         (JSC::VM::VM):
1311         * runtime/VM.h:
1312         (JSC::VM::gigacageAuxiliarySpace):
1313         * wasm/js/JSWebAssemblyCodeBlock.h:
1314         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
1315         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
1316         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
1317         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
1318         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
1319         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
1320         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
1321         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
1322         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
1323         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
1324         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
1325         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
1326         * wasm/js/JSWebAssemblyMemory.h:
1327         (JSC::JSWebAssemblyMemory::subspaceFor):
1328
1329 2017-11-29  Saam Barati  <sbarati@apple.com>
1330
1331         Remove pointer caging for double arrays
1332         https://bugs.webkit.org/show_bug.cgi?id=180163
1333
1334         Reviewed by Mark Lam.
1335
1336         This patch removes pointer caging from double arrays. Like
1337         my previous removals of pointer caging, this is a security vs
1338         performance tradeoff. We believe that butterflies being allocated
1339         in the cage and with a 32GB runway gives us enough security that
1340         pointer caging the butterfly just for double arrays does not add
1341         enough security benefit for the performance hit it incurs.
1342         
1343         This patch also removes the GetButterflyWithoutCaging node and
1344         the FixedButterflyAccessUncaging phase. The node is no longer needed
1345         because now all GetButterfly nodes are not caged. The phase is removed
1346         since we no longer have two nodes.
1347
1348         * dfg/DFGAbstractInterpreterInlines.h:
1349         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1350         * dfg/DFGArgumentsEliminationPhase.cpp:
1351         * dfg/DFGClobberize.h:
1352         (JSC::DFG::clobberize):
1353         * dfg/DFGDoesGC.cpp:
1354         (JSC::DFG::doesGC):
1355         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
1356         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
1357         * dfg/DFGFixupPhase.cpp:
1358         (JSC::DFG::FixupPhase::fixupNode):
1359         * dfg/DFGHeapLocation.cpp:
1360         (WTF::printInternal):
1361         * dfg/DFGHeapLocation.h:
1362         * dfg/DFGNodeType.h:
1363         * dfg/DFGPlan.cpp:
1364         (JSC::DFG::Plan::compileInThreadImpl):
1365         * dfg/DFGPredictionPropagationPhase.cpp:
1366         * dfg/DFGSafeToExecute.h:
1367         (JSC::DFG::safeToExecute):
1368         * dfg/DFGSpeculativeJIT.cpp:
1369         (JSC::DFG::SpeculativeJIT::compileSpread):
1370         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1371         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1372         * dfg/DFGSpeculativeJIT32_64.cpp:
1373         (JSC::DFG::SpeculativeJIT::compile):
1374         * dfg/DFGSpeculativeJIT64.cpp:
1375         (JSC::DFG::SpeculativeJIT::compile):
1376         * dfg/DFGTypeCheckHoistingPhase.cpp:
1377         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1378         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1379         * ftl/FTLCapabilities.cpp:
1380         (JSC::FTL::canCompile):
1381         * ftl/FTLLowerDFGToB3.cpp:
1382         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1383         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1384         * jit/JITPropertyAccess.cpp:
1385         (JSC::JIT::emitDoubleLoad):
1386         (JSC::JIT::emitGenericContiguousPutByVal):
1387         * runtime/Butterfly.h:
1388         (JSC::Butterfly::pointer):
1389         (JSC::Butterfly::contiguousDouble):
1390         (JSC::Butterfly::caged): Deleted.
1391         * runtime/ButterflyInlines.h:
1392         (JSC::Butterfly::createOrGrowPropertyStorage):
1393         * runtime/JSObject.cpp:
1394         (JSC::JSObject::ensureLengthSlow):
1395         (JSC::JSObject::reallocateAndShrinkButterfly):
1396
1397 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1398
1399         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1400         https://bugs.webkit.org/show_bug.cgi?id=175447
1401
1402         Reviewed by Carlos Alberto Lopez Perez.
1403
1404         This patch allows the DFG JIT to be enabled on MIPS platforms.
1405
1406         * Sources.txt:
1407         * assembler/MIPSAssembler.h:
1408         (JSC::MIPSAssembler::lastSPRegister):
1409         (JSC::MIPSAssembler::numberOfSPRegisters):
1410         (JSC::MIPSAssembler::sprName):
1411         * assembler/MacroAssemblerMIPS.cpp: Added.
1412         (JSC::MacroAssembler::probe):
1413         * assembler/ProbeContext.cpp:
1414         (JSC::Probe::executeProbe):
1415         * assembler/ProbeContext.h:
1416         (JSC::Probe::CPUState::pc):
1417         * assembler/testmasm.cpp:
1418         (JSC::isSpecialGPR):
1419         (JSC::testProbePreservesGPRS):
1420         (JSC::testProbeModifiesStackPointer):
1421         (JSC::testProbeModifiesStackValues):
1422
1423 2017-11-29  Matt Lewis  <jlewis3@apple.com>
1424
1425         Unreviewed, rolling out r225286.
1426
1427         The source files within this patch have been marked as
1428         executable.
1429
1430         Reverted changeset:
1431
1432         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
1433         https://bugs.webkit.org/show_bug.cgi?id=175447
1434         https://trac.webkit.org/changeset/225286
1435
1436 2017-11-29  Alex Christensen  <achristensen@webkit.org>
1437
1438         Fix Mac CMake build.
1439
1440         * PlatformMac.cmake:
1441
1442 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
1443
1444         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
1445         https://bugs.webkit.org/show_bug.cgi?id=175447
1446
1447         Reviewed by Carlos Alberto Lopez Perez.
1448
1449         This patch allows the DFG JIT to be enabled on MIPS platforms.
1450
1451         * Sources.txt:
1452         * assembler/MIPSAssembler.h:
1453         (JSC::MIPSAssembler::lastSPRegister):
1454         (JSC::MIPSAssembler::numberOfSPRegisters):
1455         (JSC::MIPSAssembler::sprName):
1456         * assembler/MacroAssemblerMIPS.cpp: Added.
1457         (JSC::MacroAssembler::probe):
1458         * assembler/ProbeContext.cpp:
1459         (JSC::Probe::executeProbe):
1460         * assembler/ProbeContext.h:
1461         (JSC::Probe::CPUState::pc):
1462         * assembler/testmasm.cpp:
1463         (JSC::isSpecialGPR):
1464         (JSC::testProbePreservesGPRS):
1465         (JSC::testProbeModifiesStackPointer):
1466         (JSC::testProbeModifiesStackValues):
1467
1468 2017-11-28  JF Bastien  <jfbastien@apple.com>
1469
1470         Strict and sloppy functions shouldn't share structure
1471         https://bugs.webkit.org/show_bug.cgi?id=180103
1472         <rdar://problem/35667847>
1473
1474         Reviewed by Saam Barati.
1475
1476         Sloppy and strict functions don't act the same when it comes to
1477         arguments, caller, and callee. Sharing a structure means that
1478         anything that is cached gets shared, and that's incorrect.
1479
1480         * dfg/DFGAbstractInterpreterInlines.h:
1481         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1482         * dfg/DFGSpeculativeJIT.cpp:
1483         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1484         * ftl/FTLLowerDFGToB3.cpp:
1485         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1486         * runtime/FunctionConstructor.cpp:
1487         (JSC::constructFunctionSkippingEvalEnabledCheck):
1488         * runtime/JSFunction.cpp:
1489         (JSC::JSFunction::create): the second ::create is always strict
1490         because it applies to native functions.
1491         * runtime/JSFunctionInlines.h:
1492         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1493         * runtime/JSGlobalObject.cpp:
1494         (JSC::JSGlobalObject::init):
1495         (JSC::JSGlobalObject::visitChildren):
1496         * runtime/JSGlobalObject.h:
1497         (JSC::JSGlobalObject::strictFunctionStructure const):
1498         (JSC::JSGlobalObject::sloppyFunctionStructure const):
1499         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
1500         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
1501         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
1502
1503 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
1504
1505         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
1506         https://bugs.webkit.org/show_bug.cgi?id=180070
1507
1508         Reviewed by Saam Barati.
1509
1510         This patch adds getEffectiveAddress in all JIT platforms.
1511         This is an abstracted version of x86 lea.
1512
1513         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
1514
1515         * assembler/MacroAssemblerARM.h:
1516         (JSC::MacroAssemblerARM::getEffectiveAddress):
1517         * assembler/MacroAssemblerARM64.h:
1518         (JSC::MacroAssemblerARM64::getEffectiveAddress):
1519         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
1520         * assembler/MacroAssemblerARMv7.h:
1521         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
1522         * assembler/MacroAssemblerMIPS.h:
1523         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
1524         * assembler/MacroAssemblerX86.h:
1525         (JSC::MacroAssemblerX86::getEffectiveAddress):
1526         * assembler/MacroAssemblerX86_64.h:
1527         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
1528         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
1529         * assembler/testmasm.cpp:
1530         (JSC::testGetEffectiveAddress):
1531         (JSC::run):
1532         * dfg/DFGSpeculativeJIT.cpp:
1533         (JSC::DFG::SpeculativeJIT::compileArrayPush):
1534         * yarr/YarrJIT.cpp:
1535         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1536         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1537
1538 2017-11-29  Robin Morisset  <rmorisset@apple.com>
1539
1540         The recursive tail call optimisation is wrong on closures
1541         https://bugs.webkit.org/show_bug.cgi?id=179835
1542
1543         Reviewed by Saam Barati.
1544
1545         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
1546         As a stopgap measure this patch just does not do the optimisation for closures.
1547
1548         * dfg/DFGByteCodeParser.cpp:
1549         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1550
1551 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1552
1553         Web Inspector: Cleanup Inspector classes to be more consistent about using fast malloc / noncopyable
1554         https://bugs.webkit.org/show_bug.cgi?id=180119
1555
1556         Reviewed by Devin Rousso.
1557
1558         * inspector/InjectedScriptManager.h:
1559         * inspector/JSGlobalObjectScriptDebugServer.h:
1560         * inspector/agents/InspectorHeapAgent.h:
1561         * inspector/agents/InspectorRuntimeAgent.h:
1562         * inspector/agents/InspectorScriptProfilerAgent.h:
1563         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
1564
1565 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
1566
1567         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
1568         https://bugs.webkit.org/show_bug.cgi?id=179642
1569         <rdar://problem/35517704>
1570
1571         Reviewed by Brian Burg.
1572
1573         * inspector/protocol/Network.json:
1574         Expose the NetworkAgent for a Service Worker inspector.
1575
1576 2017-11-28  Brian Burg  <bburg@apple.com>
1577
1578         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
1579         https://bugs.webkit.org/show_bug.cgi?id=179696
1580
1581         Reviewed by Timothy Hatcher.
1582
1583         * inspector/scripts/codegen/generate_objc_header.py:
1584         (ObjCHeaderGenerator._generate_type_interface):
1585         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1586         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
1587         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
1588         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
1589         * inspector/scripts/codegen/objc_generator.py:
1590         (ObjCGenerator.protocol_type_for_raw_name):
1591         (ObjCGenerator.objc_protocol_export_expression_for_variable):
1592         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
1593         (ObjCGenerator.objc_protocol_import_expression_for_variable):
1594         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
1595         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
1596         (ObjCGenerator.objc_to_protocol_expression_for_member):
1597         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
1598         (ObjCGenerator.protocol_to_objc_expression_for_member):
1599         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
1600         (ObjCGenerator.objc_setter_method_for_member_internal):
1601         (ObjCGenerator.objc_getter_method_for_member_internal):
1602         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1603         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1604         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1605         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1606         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1607         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1608         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1609         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1610         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1611         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1612
1613 2017-11-27  JF Bastien  <jfbastien@apple.com>
1614
1615         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
1616         https://bugs.webkit.org/show_bug.cgi?id=180051
1617         <rdar://problem/35614371>
1618
1619         Reviewed by Saam Barati.
1620
1621         Checking for int32 isn't sufficient when uint32 is expected
1622         afterwards. While we're here, also use Checked<>.
1623
1624         * dfg/DFGAbstractInterpreterInlines.h:
1625         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
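
The int32-versus-uint32 check described in this entry, as an added illustration that is not JSC's code and does not reproduce the actual DFG abstract-interpreter change: a hypothetical, simplified rest-length computation in which a "fits in int32" check lets a negative argument count through, after which the value is consumed as an unsigned quantity, beside a version that requires a non-negative uint32 and uses overflow-checked subtraction (standing in here for WTF::Checked<>, on which the example does not depend). The function names, the int64_t input type and the rest-length model are assumptions of the example.

```cpp
// Added illustration, not JavaScriptCore's code. Models the bug class named in the
// entry: validating that a value is an int32 does not make it safe to use as a uint32.
#include <cstdint>
#include <limits>
#include <optional>

// Hypothetical simplified model: a rest array holds the arguments that follow the
// first `numParametersToSkip` parameters. argumentCount arrives as an int64_t so the
// range checks below are observable.

// Buggy version: only checks that the count fits in an int32, then reinterprets it
// as unsigned. A negative count passes the check and becomes a huge length.
std::optional<uint32_t> restLengthUnchecked(int64_t argumentCount, uint32_t numParametersToSkip)
{
    if (argumentCount < std::numeric_limits<int32_t>::min()
        || argumentCount > std::numeric_limits<int32_t>::max())
        return std::nullopt; // "not an int32" is the only rejection

    // -1 survives the check above and turns into 0xFFFFFFFF here.
    uint32_t count = static_cast<uint32_t>(static_cast<int32_t>(argumentCount));
    return count > numParametersToSkip ? count - numParametersToSkip : 0u;
}

// Hardened version: the check matches the type the value is consumed as (a
// non-negative uint32), and the arithmetic is overflow-checked rather than trusted.
std::optional<uint32_t> restLengthChecked(int64_t argumentCount, uint32_t numParametersToSkip)
{
    if (argumentCount < 0 || argumentCount > std::numeric_limits<uint32_t>::max())
        return std::nullopt; // reject instead of silently wrapping

    uint32_t count = static_cast<uint32_t>(argumentCount);
    if (count <= numParametersToSkip)
        return 0u; // nothing left over for the rest array

    uint32_t result;
    // __builtin_sub_overflow (GCC/Clang) stands in for a Checked<> subtraction; it
    // cannot trip after the comparison above, but keeps the arithmetic checked if the
    // surrounding logic is ever changed.
    if (__builtin_sub_overflow(count, numParametersToSkip, &result))
        return std::nullopt;
    return result;
}
```

With an argument count of -1 and nothing to skip, the unchecked version reports a rest length of 4294967295, while the checked version rejects the input; both agree on ordinary inputs such as a count of 5 with 2 parameters skipped (length 3).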
1626
1627 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1628
1629         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1630         https://bugs.webkit.org/show_bug.cgi?id=173793
1631
1632         Reviewed by Joseph Pecoraro.
1633
1634         Based on patch by Brian Burg.
1635
1636         * JavaScriptCore.xcodeproj/project.pbxproj:
1637         * Sources.txt:
1638         * bindings/ScriptValue.cpp:
1639         (Inspector::jsToInspectorValue):
1640         (Inspector::toInspectorValue):
1641         (Deprecated::ScriptValue::toInspectorValue const):
1642         * bindings/ScriptValue.h:
1643         * inspector/AsyncStackTrace.cpp:
1644         * inspector/ConsoleMessage.cpp:
1645         * inspector/ContentSearchUtilities.cpp:
1646         * inspector/DeprecatedInspectorValues.cpp: Added.
1647         * inspector/DeprecatedInspectorValues.h: Added.
1648         Keep the old symbols around in JavaScriptCore so that builds with the
1649         public iOS SDK continue to work. These older SDKs include a version of
1650         WebInspector.framework that expects to find InspectorArray and other
1651         symbols in JavaScriptCore.framework.
1652
1653         * inspector/InjectedScript.cpp:
1654         (Inspector::InjectedScript::getFunctionDetails):
1655         (Inspector::InjectedScript::functionDetails):
1656         (Inspector::InjectedScript::getPreview):
1657         (Inspector::InjectedScript::getProperties):
1658         (Inspector::InjectedScript::getDisplayableProperties):
1659         (Inspector::InjectedScript::getInternalProperties):
1660         (Inspector::InjectedScript::getCollectionEntries):
1661         (Inspector::InjectedScript::saveResult):
1662         (Inspector::InjectedScript::wrapCallFrames const):
1663         (Inspector::InjectedScript::wrapObject const):
1664         (Inspector::InjectedScript::wrapTable const):
1665         (Inspector::InjectedScript::previewValue const):
1666         (Inspector::InjectedScript::setExceptionValue):
1667         (Inspector::InjectedScript::clearExceptionValue):
1668         (Inspector::InjectedScript::inspectObject):
1669         (Inspector::InjectedScript::releaseObject):
1670         * inspector/InjectedScriptBase.cpp:
1671         (Inspector::InjectedScriptBase::makeCall):
1672         (Inspector::InjectedScriptBase::makeEvalCall):
1673         * inspector/InjectedScriptBase.h:
1674         * inspector/InjectedScriptManager.cpp:
1675         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1676         * inspector/InspectorBackendDispatcher.cpp:
1677         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1678         (Inspector::BackendDispatcher::dispatch):
1679         (Inspector::BackendDispatcher::sendResponse):
1680         (Inspector::BackendDispatcher::sendPendingErrors):
1681         (Inspector::BackendDispatcher::getPropertyValue):
1682         (Inspector::castToInteger):
1683         (Inspector::castToNumber):
1684         (Inspector::BackendDispatcher::getInteger):
1685         (Inspector::BackendDispatcher::getDouble):
1686         (Inspector::BackendDispatcher::getString):
1687         (Inspector::BackendDispatcher::getBoolean):
1688         (Inspector::BackendDispatcher::getObject):
1689         (Inspector::BackendDispatcher::getArray):
1690         (Inspector::BackendDispatcher::getValue):
1691         * inspector/InspectorBackendDispatcher.h:
1692         We need to keep around the sendResponse() variant with a parameter that
1693         has the InspectorObject type, as older WebInspector.framework versions
1694         expect this symbol to exist. Introduce a variant with arity 3 that can
1695         be used in TOT so as to avoid having two methods with the same name, arity, and
1696         different parameter types.
1697
1698         When system WebInspector.framework is updated, we can remove the legacy
1699         method variant that uses the InspectorObject type. At that point, we can
1700         transition TOT to use the 2-arity variant, and delete the 3-arity variant
1701         when system WebInspector.framework is updated once more to use the 2-arity one.
1702
1703         * inspector/InspectorProtocolTypes.h:
1704         (Inspector::Protocol::Array::openAccessors):
1705         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1706         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1707         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1708         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1709         * inspector/ScriptCallFrame.cpp:
1710         * inspector/ScriptCallStack.cpp:
1711         * inspector/agents/InspectorAgent.cpp:
1712         (Inspector::InspectorAgent::inspect):
1713         * inspector/agents/InspectorAgent.h:
1714         * inspector/agents/InspectorDebuggerAgent.cpp:
1715         (Inspector::buildAssertPauseReason):
1716         (Inspector::buildCSPViolationPauseReason):
1717         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1718         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1719         (Inspector::buildObjectForBreakpointCookie):
1720         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1721         (Inspector::parseLocation):
1722         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1723         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1724         (Inspector::InspectorDebuggerAgent::continueToLocation):
1725         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1726         (Inspector::InspectorDebuggerAgent::didParseSource):
1727         (Inspector::InspectorDebuggerAgent::breakProgram):
1728         * inspector/agents/InspectorDebuggerAgent.h:
1729         * inspector/agents/InspectorRuntimeAgent.cpp:
1730         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1731         (Inspector::InspectorRuntimeAgent::saveResult):
1732         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1733         * inspector/agents/InspectorRuntimeAgent.h:
1734         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1735         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1736         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1737         (CppBackendDispatcherImplementationGenerator.generate_output):
1738         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1739         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1740         (CppFrontendDispatcherHeaderGenerator.generate_output):
1741         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1742         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1743         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1744         (_generate_unchecked_setter_for_member):
1745         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1746         (CppProtocolTypesImplementationGenerator):
1747         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1748         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1749         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1750         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1751         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1752         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1753         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1754         * inspector/scripts/codegen/generate_objc_internal_header.py:
1755         (ObjCInternalHeaderGenerator.generate_output):
1756         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1757         (ObjCProtocolTypesImplementationGenerator.generate_output):
1758         * inspector/scripts/codegen/generator.py:
1759         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1760         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1761         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1762         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1763         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1764         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1765         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1766         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1767         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1768         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1769         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1770         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1771         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1772         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1773         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1774         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1775         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1776         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1777         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1778         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1779
1780 2017-11-28  Robin Morisset  <rmorisset@apple.com>
1781
1782         Support recursive tail call optimization for polymorphic calls
1783         https://bugs.webkit.org/show_bug.cgi?id=178390
1784
1785         Reviewed by Saam Barati.
1786
1787         Comes with a large but fairly simple refactoring: the inlining path for varargs and non-varargs calls now converge a lot later,
1788         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
1789
1790         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
1791
1792         * dfg/DFGByteCodeParser.cpp:
1793         (JSC::DFG::ByteCodeParser::handleCall):
1794         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1795         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1796         (JSC::DFG::ByteCodeParser::inlineCall):
1797         (JSC::DFG::ByteCodeParser::handleCallVariant):
1798         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
1799         (JSC::DFG::ByteCodeParser::getInliningBalance):
1800         (JSC::DFG::ByteCodeParser::handleInlining):
1801         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
1802
1803 2017-11-27  Saam Barati  <sbarati@apple.com>
1804
1805         Spread can escape when CreateRest does not
1806         https://bugs.webkit.org/show_bug.cgi?id=180057
1807         <rdar://problem/35676119>
1808
1809         Reviewed by JF Bastien.
1810
1811         We previously did not handle Spread(PhantomCreateRest) only because I did not
1812         think it was possible to generate this IR. I was wrong. We can generate
1813         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
1814         This IR is rare to generate since we normally don't PutStack(Spread) because
1815         the SetLocal almost always gets eliminated because of how our bytecode generates
1816         op_spread. However, there exists a test case showing it is possible. Supporting
1817         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
1818         the Validation rule for Spread.
1819
1820         * dfg/DFGOperations.cpp:
1821         * dfg/DFGOperations.h:
1822         * dfg/DFGValidate.cpp:
1823         * ftl/FTLLowerDFGToB3.cpp:
1824         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
1825         * runtime/JSFixedArray.h:
1826         (JSC::JSFixedArray::tryCreate):
1827
1828 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
1829
1830         [CMake][Win] Conditionally select DLL CRT or static CRT
1831         https://bugs.webkit.org/show_bug.cgi?id=170594
1832
1833         Reviewed by Alex Christensen.
1834
1835         * shell/PlatformWin.cmake:
1836
1837 2017-11-27  Saam Barati  <sbarati@apple.com>
1838
1839         Having a bad time watchpoint firing during compilation revealed a racy assertion
1840         https://bugs.webkit.org/show_bug.cgi?id=180048
1841         <rdar://problem/35700009>
1842
1843         Reviewed by Mark Lam.
1844
1845         While a DFG compilation is watching the having a bad time watchpoint, it was
1846         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
1847         However, if the having a bad time watchpoint fires during the compilation,
1848         this particular structure will no longer have ArrayWithContiguous indexing type.
1849         This patch fixes this racy assertion to be aware that the watchpoint may fire
1850         during compilation.
1851
1852         * dfg/DFGSpeculativeJIT.cpp:
1853         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1854         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1855
1856 2017-11-27  Tim Horton  <timothy_horton@apple.com>
1857
1858         One too many zeroes in macOS version number in FeatureDefines
1859         https://bugs.webkit.org/show_bug.cgi?id=180011
1860
1861         Reviewed by Dan Bernstein.
1862
1863         * Configurations/FeatureDefines.xcconfig:
1864
1865 2017-11-27  Robin Morisset  <rmorisset@apple.com>
1866
1867         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
1868         https://bugs.webkit.org/show_bug.cgi?id=179821
1869
1870         Reviewed by Saam Barati.
1871
1872         * dfg/DFGSafeToExecute.h:
1873         (JSC::DFG::safeToExecute):
1874
1875 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1876
1877         [DFG] Add NormalizeMapKey DFG IR
1878         https://bugs.webkit.org/show_bug.cgi?id=179912
1879
1880         Reviewed by Saam Barati.
1881
1882         This patch introduces the NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
1883         By separating this from MapHash and Map/Set related operations, we can perform CSE on it, and we
1884         do not need to call normalizeMapKey conservatively in DFG operations.
1885         This can reduce the slow path cases in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
1886
1887         * dfg/DFGAbstractInterpreterInlines.h:
1888         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1889         * dfg/DFGByteCodeParser.cpp:
1890         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1891         * dfg/DFGClobberize.h:
1892         (JSC::DFG::clobberize):
1893         * dfg/DFGDoesGC.cpp:
1894         (JSC::DFG::doesGC):
1895         * dfg/DFGFixupPhase.cpp:
1896         (JSC::DFG::FixupPhase::fixupNode):
1897         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
1898         * dfg/DFGNodeType.h:
1899         * dfg/DFGOperations.cpp:
1900         * dfg/DFGPredictionPropagationPhase.cpp:
1901         * dfg/DFGSafeToExecute.h:
1902         (JSC::DFG::safeToExecute):
1903         * dfg/DFGSpeculativeJIT.cpp:
1904         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
1905         * dfg/DFGSpeculativeJIT.h:
1906         * dfg/DFGSpeculativeJIT32_64.cpp:
1907         (JSC::DFG::SpeculativeJIT::compile):
1908         * dfg/DFGSpeculativeJIT64.cpp:
1909         (JSC::DFG::SpeculativeJIT::compile):
1910         * ftl/FTLCapabilities.cpp:
1911         (JSC::FTL::canCompile):
1912         * ftl/FTLLowerDFGToB3.cpp:
1913         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1914         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
1915         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
1916         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1917         * runtime/HashMapImpl.h:
1918
1919 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1920
1921         [FTL] Support DeleteById and DeleteByVal
1922         https://bugs.webkit.org/show_bug.cgi?id=180022
1923
1924         Reviewed by Saam Barati.
1925
1926         We should increase the coverage of FTL. Even if the code includes DeleteById,
1927         it does not mean that the remaining part of the code should not be optimized in FTL.
1928         Right now, even CallEval and `with` scope are handled in FTL.
1929
1930         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
1931         code including them.
1932
1933         * ftl/FTLCapabilities.cpp:
1934         (JSC::FTL::canCompile):
1935         * ftl/FTLLowerDFGToB3.cpp:
1936         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1937         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
1938         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
1939
1940 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1941
1942         [DFG] Introduce {Set,Map,WeakMap}Fields
1943         https://bugs.webkit.org/show_bug.cgi?id=179925
1944
1945         Reviewed by Saam Barati.
1946
1947         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
1948         writes readonly MiscFields, which are used by various nodes, and makes optimization
1949         conservative.
1950
1951         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
1952
1953         * dfg/DFGAbstractHeap.h:
1954         * dfg/DFGByteCodeParser.cpp:
1955         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1956         * dfg/DFGClobberize.h:
1957         (JSC::DFG::clobberize):
1958         * dfg/DFGHeapLocation.cpp:
1959         (WTF::printInternal):
1960         * dfg/DFGHeapLocation.h:
1961         * dfg/DFGNode.h:
1962         (JSC::DFG::Node::hasBucketOwnerType):
1963
1964 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1965
1966         [JSC] Remove JSStringBuilder
1967         https://bugs.webkit.org/show_bug.cgi?id=180016
1968
1969         Reviewed by Saam Barati.
1970
1971         JSStringBuilder is replaced with WTF::StringBuilder.
1972         This patch removes the remaining uses and drops JSStringBuilder.
1973
1974         * JavaScriptCore.xcodeproj/project.pbxproj:
1975         * runtime/ArrayPrototype.cpp:
1976         * runtime/AsyncFunctionPrototype.cpp:
1977         * runtime/AsyncGeneratorFunctionPrototype.cpp:
1978         * runtime/ErrorPrototype.cpp:
1979         * runtime/FunctionPrototype.cpp:
1980         * runtime/GeneratorFunctionPrototype.cpp:
1981         * runtime/JSGlobalObjectFunctions.cpp:
1982         (JSC::decode):
1983         (JSC::globalFuncEscape):
1984         * runtime/JSStringBuilder.h: Removed.
1985         * runtime/JSStringInlines.h:
1986         (JSC::jsMakeNontrivialString):
1987         * runtime/RegExpPrototype.cpp:
1988         * runtime/StringPrototype.cpp:
1989
1990 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1991
1992         [DFG] Remove GetLocalUnlinked
1993         https://bugs.webkit.org/show_bug.cgi?id=180017
1994
1995         Reviewed by Saam Barati.
1996
1997         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
1998         This patch just removes it.
1999
2000         * dfg/DFGAbstractInterpreterInlines.h:
2001         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2002         * dfg/DFGClobberize.h:
2003         (JSC::DFG::clobberize):
2004         * dfg/DFGCommon.h:
2005         * dfg/DFGDoesGC.cpp:
2006         (JSC::DFG::doesGC):
2007         * dfg/DFGFixupPhase.cpp:
2008         (JSC::DFG::FixupPhase::fixupNode):
2009         * dfg/DFGGraph.cpp:
2010         (JSC::DFG::Graph::dump):
2011         * dfg/DFGNode.h:
2012         (JSC::DFG::Node::hasUnlinkedLocal):
2013         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
2014         (JSC::DFG::Node::convertToGetLocal): Deleted.
2015         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
2016         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
2017         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
2018         * dfg/DFGNodeType.h:
2019         * dfg/DFGPredictionPropagationPhase.cpp:
2020         * dfg/DFGSafeToExecute.h:
2021         (JSC::DFG::safeToExecute):
2022         * dfg/DFGSpeculativeJIT32_64.cpp:
2023         (JSC::DFG::SpeculativeJIT::compile):
2024         * dfg/DFGSpeculativeJIT64.cpp:
2025         (JSC::DFG::SpeculativeJIT::compile):
2026         * dfg/DFGStackLayoutPhase.cpp:
2027         (JSC::DFG::StackLayoutPhase::run):
2028         * dfg/DFGValidate.cpp:
2029
2030 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2031
2032         Make ArgList::data() private again when we can remove callWasmFunction().
2033         https://bugs.webkit.org/show_bug.cgi?id=168582
2034
2035         Reviewed by JF Bastien.
2036
2037         Make ArgList::data() private since we already removed callWasmFunction.
2038
2039         * runtime/ArgList.h:
2040
2041 2016-08-05  Darin Adler  <darin@apple.com>
2042
2043         Fix some minor problems in the StringImpl header
2044         https://bugs.webkit.org/show_bug.cgi?id=160630
2045
2046         Reviewed by Brent Fulgham.
2047
2048         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
2049         Yarr namespacing since we use "using namespace" in this file.
2050
2051 2017-11-24  Mark Lam  <mark.lam@apple.com>
2052
2053         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
2054         https://bugs.webkit.org/show_bug.cgi?id=179936
2055         <rdar://problem/35623998>
2056
2057         Reviewed by Saam Barati.
2058
2059         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
2060         See https://bugs.webkit.org/show_bug.cgi?id=179684.
2061
2062         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
2063         was allocating stack space to stash arguments (to be forwarded) and new frame
2064         info.  The location of this new stash space happens to lie beyond the top of frame
2065         of the tail call caller frame.  After stashing the arguments, the code proceeded
2066         to load the callee codeBlock.  This triggered an allocation, which in turn,
2067         triggered stack sanitization.  The CLoop stack sanitizer was relying on
2068         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
2069         that turned out to be inadequate.  As a result, part of the stashed data was
2070         zeroed out, and subsequently led to a crash.
2071
2072         This bug does not affect JIT builds (i.e. the ASM LLInt) for 2 reasons:
2073         1. JIT builds do stack sanitization in the LLInt code itself (different from the
2074            CLoop implementation), and the sanitizer there is aware of the true top of
2075            stack value (i.e. the stack pointer).
2076         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
2077            parallel stack is one condition necessary for reproducing this issue.
2078
2079         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
2080         every time before it calls out to native C++ code.  This also brings the CLoop's
2081         behavior closer to hardware behavior where we can know where the stack pointer
2082         is after calling from JS back into native C++ code, which makes it easier to
2083         reason about correctness.
2084
2085         Also simplified the various stack boundary calculations (removed the +1 and -1
2086         adjustments).  The CLoopStack bounds are now:
2087
2088             reservationTop(): the lowest reserved address that can be within stack bounds.
2089             m_commitTop: the lowest address within stack bounds that has been committed.
2090             lowAddress() aka m_end: the lowest stack address that JS code can use.
2091             m_lastStackPointer: cache of the last m_currentStackPointer value.
2092             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
2093             highAddress(): the highest address just beyond the bounds of the stack.
2094
2095         Also deleted some unneeded code.
2096
2097         * interpreter/CLoopStack.cpp:
2098         (JSC::CLoopStack::CLoopStack):
2099         (JSC::CLoopStack::gatherConservativeRoots):
2100         (JSC::CLoopStack::sanitizeStack):
2101         (JSC::CLoopStack::setSoftReservedZoneSize):
2102         * interpreter/CLoopStack.h:
2103         (JSC::CLoopStack::setCurrentStackPointer):
2104         (JSC::CLoopStack::lowAddress const):
2105
2106         (JSC::CLoopStack::baseOfStack const): Deleted.
2107         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
2108           Now, it has the exact same value as highAddress() and can be removed.
2109
2110         * interpreter/CLoopStackInlines.h:
2111         (JSC::CLoopStack::ensureCapacityFor):
2112         (JSC::CLoopStack::currentStackPointer):
2113         (JSC::CLoopStack::setCLoopStackLimit):
2114
2115         (JSC::CLoopStack::topOfFrameFor): Deleted.
2116         - Not needed.
2117
2118         (JSC::CLoopStack::topOfStack): Deleted.
2119         - Supplanted by currentStackPointer().
2120
2121         (JSC::CLoopStack::shrink): Deleted.
2122         - This is unused.
2123
2124         * llint/LowLevelInterpreter.cpp:
2125         (JSC::CLoop::execute):
2126         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
2127           upon exiting the interpreter loop.
2128
2129         * offlineasm/cloop.rb:
2130         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
2131           call from JS into C++ code.
2132
2133         * tools/VMInspector.h:
2134         - Added some default argument values. These were being used while debugging this
2135           issue.
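
Added example, not WebKit code: a toy model of the CLoop's parallel stack that reproduces the hazard described in this entry. ParallelStack, Frame, the 64-slot layout and the sanitizer functions are constructed stand-ins; the point is that a sanitizer bounded by topOfFrame wipes data stashed below the frame, while one bounded by a stack pointer recorded at the call boundary (the fix) leaves it intact.

```cpp
// Added illustration, not JSC code. The interpreter stashes forwarded
// arguments below the caller's topOfFrame, then calls into native code,
// which triggers stack sanitization. Two sanitizers are compared: one
// bounded by topOfFrame (the old behaviour) and one bounded by the stack
// pointer recorded before the call (the fixed behaviour).
#include <algorithm>
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// The stack grows downward. Slots are indexed rather than addressed:
// lowAddress() is the lowest slot JS code may use, highAddress() is one
// past the last slot, and currentStackPointer is what the fixed CLoop
// records every time it calls out to C++. (Constructed layout.)
struct ParallelStack {
    std::vector<int64_t> slots;
    size_t currentStackPointer;

    explicit ParallelStack(size_t size) : slots(size, 0), currentStackPointer(size) {}
    size_t lowAddress() const { return 0; }
    size_t highAddress() const { return slots.size(); }
};

struct Frame {
    size_t topOfFrame; // lowest slot occupied by the frame's own locals
};

// Old sanitizer: trusts the frame's notion of "top of used stack".
void sanitizeUsingTopOfFrame(ParallelStack& s, const Frame& f) {
    assert(f.topOfFrame <= s.highAddress());
    std::fill(s.slots.begin() + s.lowAddress(), s.slots.begin() + f.topOfFrame, 0);
}

// Fixed sanitizer: zeroes only below the recorded stack pointer.
void sanitizeUsingStackPointer(ParallelStack& s) {
    assert(s.currentStackPointer >= s.lowAddress());
    std::fill(s.slots.begin() + s.lowAddress(), s.slots.begin() + s.currentStackPointer, 0);
}

// Models op_tail_call_forward_arguments: stash `args` just below the
// caller frame, record the stack pointer, then call out to native code
// (here: the sanitizer itself). Returns the stash as it looks afterwards.
std::vector<int64_t> forwardArgumentsThenCallOut(const std::vector<int64_t>& args, bool recordStackPointer) {
    ParallelStack stack(64);
    Frame caller{48};
    assert(args.size() <= caller.topOfFrame);
    size_t stash = caller.topOfFrame - args.size();
    std::copy(args.begin(), args.end(), stack.slots.begin() + stash);

    // With the fix, the boundary code updates the stack pointer before the
    // call; without it, the sanitizer only has topOfFrame to go on.
    stack.currentStackPointer = stash;
    if (recordStackPointer)
        sanitizeUsingStackPointer(stack);
    else
        sanitizeUsingTopOfFrame(stack, caller);

    return std::vector<int64_t>(stack.slots.begin() + stash, stack.slots.begin() + stash + args.size());
}
```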
2136
2137 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2138
2139         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
2140         https://bugs.webkit.org/show_bug.cgi?id=179923
2141
2142         Reviewed by Darin Adler.
2143
2144         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
2145         So we can use it as a marker of a deleted bucket.
2146
2147         This patch uses the empty key as a deleted flag, and drops the m_deleted field of HashMapBucket.
2148         It shrinks the size of HashMapBucket considerably.
2149
2150         * dfg/DFGSpeculativeJIT.cpp:
2151         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
2152         * ftl/FTLAbstractHeapRepository.h:
2153         * ftl/FTLLowerDFGToB3.cpp:
2154         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
2155         * runtime/HashMapImpl.h:
2156         (JSC::HashMapBucket::createSentinel):
2157         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
2158         While the sentinel's deleted flag becomes false since the key is set, it is not a problem since the deleted
2159         flag of the sentinel bucket is not used.
2160
2161         (JSC::HashMapBucket::HashMapBucket):
2162         (JSC::HashMapBucket::deleted const):
2163         (JSC::HashMapBucket::makeDeleted):
2164         (JSC::HashMapImpl::remove):
2165         (JSC::HashMapImpl::clear):
2166         (JSC::HashMapImpl::setUpHeadAndTail):
2167         (JSC::HashMapImpl::addNormalizedInternal):
2168         (JSC::HashMapBucket::setDeleted): Deleted.
2169         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
2170         (): Deleted.
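
Added example, not JSC code: an insertion-ordered map built from a doubly linked chain of buckets, in the shape this entry describes. The "empty" key, which user code can never install as a Map key, doubles as the deleted marker, so the bucket carries no m_deleted field; the sentinels hold (undefined, undefined). Value, Bucket, OrderedMap and nextLive are constructed stand-ins (a linear scan replaces the real hash table).

```cpp
// Added illustration, not JSC code: the deleted state of a bucket is
// derived from its key being "empty" instead of being stored in a field.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for JSValue with an explicit "empty" encoding.
struct Value {
    enum class Tag : uint8_t { Empty, Undefined, Int };
    Tag tag = Tag::Empty;
    int64_t payload = 0;

    static Value empty() { return Value{}; }
    static Value undefined() { return Value{Tag::Undefined, 0}; }
    static Value integer(int64_t i) { return Value{Tag::Int, i}; }

    bool isEmpty() const { return tag == Tag::Empty; }
    bool operator==(const Value& o) const { return tag == o.tag && payload == o.payload; }
};

struct Bucket {
    Value key;
    Value value;
    Bucket* prev = nullptr;
    Bucket* next = nullptr;

    // No m_deleted: a bucket is deleted exactly when its key is empty.
    bool deleted() const { return key.isEmpty(); }
    void makeDeleted() { key = Value::empty(); value = Value::empty(); }
};

class OrderedMap {
public:
    OrderedMap() {
        // Sentinels are (undefined, undefined): a value load from them is
        // well formed, and their deleted() result is never consulted.
        m_head = new Bucket{Value::undefined(), Value::undefined()};
        m_tail = new Bucket{Value::undefined(), Value::undefined()};
        m_head->next = m_tail;
        m_tail->prev = m_head;
    }
    ~OrderedMap() {
        for (Bucket* b = m_head; b;) { Bucket* n = b->next; delete b; b = n; }
    }
    OrderedMap(const OrderedMap&) = delete;
    OrderedMap& operator=(const OrderedMap&) = delete;

    void set(Value key, Value value) {
        assert(!key.isEmpty() && "empty is reserved as the deleted marker");
        if (Bucket* b = find(key)) { b->value = value; return; }
        Bucket* b = new Bucket{key, value, m_tail->prev, m_tail};
        m_tail->prev->next = b;
        m_tail->prev = b;
        ++m_size;
    }

    bool has(Value key) const { return find(key) != nullptr; }

    // Deletion only blanks the key: the bucket stays linked so that an
    // iterator already positioned on it can still advance safely.
    bool remove(Value key) {
        Bucket* b = find(key);
        if (!b) return false;
        b->makeDeleted();
        --m_size;
        return true;
    }

    // Mirrors a bucket-next operation: skip every bucket whose key is
    // empty, stopping at the tail sentinel (whose next is null).
    static Bucket* nextLive(Bucket* b) {
        do { b = b->next; } while (b->next && b->deleted());
        return b;
    }

    Bucket* head() const { return m_head; }
    Bucket* tail() const { return m_tail; }
    size_t size() const { return m_size; }

    std::vector<int64_t> liveIntKeys() const {
        std::vector<int64_t> out;
        for (Bucket* b = nextLive(m_head); b != m_tail; b = nextLive(b))
            out.push_back(b->key.payload);
        return out;
    }

private:
    Bucket* find(Value key) const {
        for (Bucket* b = m_head->next; b != m_tail; b = b->next)
            if (!b->deleted() && b->key == key) return b;
        return nullptr;
    }
    Bucket* m_head;
    Bucket* m_tail;
    size_t m_size = 0;
};

// Scenario: delete keys while an iterator is parked on one of their buckets,
// then keep iterating; the empty key makes the stale buckets skip themselves.
std::vector<int64_t> iterateAcrossDeletion() {
    OrderedMap map;
    for (int64_t i = 1; i <= 4; ++i) map.set(Value::integer(i), Value::integer(i * 10));
    Bucket* it = OrderedMap::nextLive(map.head()); // parked on key 1
    std::vector<int64_t> seen;
    seen.push_back(it->key.payload);
    map.remove(Value::integer(2));
    map.remove(Value::integer(1)); // the bucket `it` points at is now deleted
    for (it = OrderedMap::nextLive(it); it != map.tail(); it = OrderedMap::nextLive(it))
        seen.push_back(it->key.payload);
    return seen; // 1, 3, 4
}
```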
2171
2172 2017-11-24  Mark Lam  <mark.lam@apple.com>
2173
2174         Move unsafe jsc shell test functions to the $vm object.
2175         https://bugs.webkit.org/show_bug.cgi?id=179980
2176
2177         Reviewed by Yusuke Suzuki.
2178
2179         Also removed setElementRoot() which was not used.
2180
2181         * jsc.cpp:
2182         (GlobalObject::finishCreation):
2183         (WTF::Element::Element): Deleted.
2184         (WTF::Element::root const): Deleted.
2185         (WTF::Element::setRoot): Deleted.
2186         (WTF::Element::create): Deleted.
2187         (WTF::Element::visitChildren): Deleted.
2188         (WTF::Element::createStructure): Deleted.
2189         (WTF::Root::Root): Deleted.
2190         (WTF::Root::element): Deleted.
2191         (WTF::Root::setElement): Deleted.
2192         (WTF::Root::create): Deleted.
2193         (WTF::Root::createStructure): Deleted.
2194         (WTF::Root::visitChildren): Deleted.
2195         (WTF::ImpureGetter::ImpureGetter): Deleted.
2196         (WTF::ImpureGetter::createStructure): Deleted.
2197         (WTF::ImpureGetter::create): Deleted.
2198         (WTF::ImpureGetter::finishCreation): Deleted.
2199         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
2200         (WTF::ImpureGetter::visitChildren): Deleted.
2201         (WTF::ImpureGetter::setDelegate): Deleted.
2202         (WTF::CustomGetter::CustomGetter): Deleted.
2203         (WTF::CustomGetter::createStructure): Deleted.
2204         (WTF::CustomGetter::create): Deleted.
2205         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
2206         (WTF::CustomGetter::customGetter): Deleted.
2207         (WTF::CustomGetter::customGetterAcessor): Deleted.
2208         (WTF::RuntimeArray::create): Deleted.
2209         (WTF::RuntimeArray::~RuntimeArray): Deleted.
2210         (WTF::RuntimeArray::destroy): Deleted.
2211         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
2212         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
2213         (WTF::RuntimeArray::put): Deleted.
2214         (WTF::RuntimeArray::deleteProperty): Deleted.
2215         (WTF::RuntimeArray::getLength const): Deleted.
2216         (WTF::RuntimeArray::createPrototype): Deleted.
2217         (WTF::RuntimeArray::createStructure): Deleted.
2218         (WTF::RuntimeArray::finishCreation): Deleted.
2219         (WTF::RuntimeArray::RuntimeArray): Deleted.
2220         (WTF::RuntimeArray::lengthGetter): Deleted.
2221         (WTF::SimpleObject::SimpleObject): Deleted.
2222         (WTF::SimpleObject::create): Deleted.
2223         (WTF::SimpleObject::visitChildren): Deleted.
2224         (WTF::SimpleObject::createStructure): Deleted.
2225         (WTF::SimpleObject::hiddenValue): Deleted.
2226         (WTF::SimpleObject::setHiddenValue): Deleted.
2227         (WTF::DOMJITNode::DOMJITNode): Deleted.
2228         (WTF::DOMJITNode::createStructure): Deleted.
2229         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
2230         (WTF::DOMJITNode::create): Deleted.
2231         (WTF::DOMJITNode::value const): Deleted.
2232         (WTF::DOMJITNode::offsetOfValue): Deleted.
2233         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
2234         (WTF::DOMJITGetter::createStructure): Deleted.
2235         (WTF::DOMJITGetter::create): Deleted.
2236         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
2237         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
2238         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
2239         (WTF::DOMJITGetter::customGetter): Deleted.
2240         (WTF::DOMJITGetter::finishCreation): Deleted.
2241         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
2242         (WTF::DOMJITGetterComplex::createStructure): Deleted.
2243         (WTF::DOMJITGetterComplex::create): Deleted.
2244         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
2245         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
2246         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
2247         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
2248         (WTF::DOMJITGetterComplex::customGetter): Deleted.
2249         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
2250         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
2251         (WTF::DOMJITFunctionObject::createStructure): Deleted.
2252         (WTF::DOMJITFunctionObject::create): Deleted.
2253         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
2254         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
2255         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
2256         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
2257         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
2258         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
2259         (WTF::DOMJITCheckSubClassObject::create): Deleted.
2260         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
2261         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
2262         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
2263         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
2264         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
2265         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
2266         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
2267         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
2268         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
2269         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
2270         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
2271         (WTF::Element::handleOwner): Deleted.
2272         (WTF::Element::finishCreation): Deleted.
2273         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
2274         (JSTestCustomGetterSetter::create): Deleted.
2275         (JSTestCustomGetterSetter::createStructure): Deleted.
2276         (customGetAccessor): Deleted.
2277         (customGetValue): Deleted.
2278         (customSetAccessor): Deleted.
2279         (customSetValue): Deleted.
2280         (JSTestCustomGetterSetter::finishCreation): Deleted.
2281         (GlobalObject::addConstructableFunction): Deleted.
2282         (functionCreateRoot): Deleted.
2283         (functionCreateElement): Deleted.
2284         (functionGetElement): Deleted.
2285         (functionSetElementRoot): Deleted.
2286         (functionCreateSimpleObject): Deleted.
2287         (functionGetHiddenValue): Deleted.
2288         (functionSetHiddenValue): Deleted.
2289         (functionCreateProxy): Deleted.
2290         (functionCreateRuntimeArray): Deleted.
2291         (functionCreateImpureGetter): Deleted.
2292         (functionCreateCustomGetterObject): Deleted.
2293         (functionCreateDOMJITNodeObject): Deleted.
2294         (functionCreateDOMJITGetterObject): Deleted.
2295         (functionCreateDOMJITGetterComplexObject): Deleted.
2296         (functionCreateDOMJITFunctionObject): Deleted.
2297         (functionCreateDOMJITCheckSubClassObject): Deleted.
2298         (functionCreateDOMJITGetterBaseJSObject): Deleted.
2299         (functionSetImpureGetterDelegate): Deleted.
2300         (functionGetGetterSetter): Deleted.
2301         (functionShadowChickenFunctionsOnStack): Deleted.
2302         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
2303         (functionGlobalObjectForObject): Deleted.
2304         (functionLoadGetterFromGetterSetter): Deleted.
2305         (functionCreateCustomTestGetterSetter): Deleted.
2306         (functionAbort): Deleted.
2307         (functionFindTypeForExpression): Deleted.
2308         (functionReturnTypeFor): Deleted.
2309         (functionDumpBasicBlockExecutionRanges): Deleted.
2310         (functionHasBasicBlockExecuted): Deleted.
2311         (functionBasicBlockExecutionCount): Deleted.
2312         (functionEnableExceptionFuzz): Deleted.
2313         (functionCreateBuiltin): Deleted.
2314         * runtime/JSGlobalObject.cpp:
2315         (JSC::JSGlobalObject::init):
2316         * tools/JSDollarVM.cpp:
2317         (WTF::Element::Element):
2318         (WTF::Element::root const):
2319         (WTF::Element::setRoot):
2320         (WTF::Element::create):
2321         (WTF::Element::visitChildren):
2322         (WTF::Element::createStructure):
2323         (WTF::Root::Root):
2324         (WTF::Root::element):
2325         (WTF::Root::setElement):
2326         (WTF::Root::create):
2327         (WTF::Root::createStructure):
2328         (WTF::Root::visitChildren):
2329         (WTF::SimpleObject::SimpleObject):
2330         (WTF::SimpleObject::create):
2331         (WTF::SimpleObject::visitChildren):
2332         (WTF::SimpleObject::createStructure):
2333         (WTF::SimpleObject::hiddenValue):
2334         (WTF::SimpleObject::setHiddenValue):
2335         (WTF::ImpureGetter::ImpureGetter):
2336         (WTF::ImpureGetter::createStructure):
2337         (WTF::ImpureGetter::create):
2338         (WTF::ImpureGetter::finishCreation):
2339         (WTF::ImpureGetter::getOwnPropertySlot):
2340         (WTF::ImpureGetter::visitChildren):
2341         (WTF::ImpureGetter::setDelegate):
2342         (WTF::CustomGetter::CustomGetter):
2343         (WTF::CustomGetter::createStructure):
2344         (WTF::CustomGetter::create):
2345         (WTF::CustomGetter::getOwnPropertySlot):
2346         (WTF::CustomGetter::customGetter):
2347         (WTF::CustomGetter::customGetterAcessor):
2348         (WTF::RuntimeArray::create):
2349         (WTF::RuntimeArray::~RuntimeArray):
2350         (WTF::RuntimeArray::destroy):
2351         (WTF::RuntimeArray::getOwnPropertySlot):
2352         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
2353         (WTF::RuntimeArray::put):
2354         (WTF::RuntimeArray::deleteProperty):
2355         (WTF::RuntimeArray::getLength const):
2356         (WTF::RuntimeArray::createPrototype):
2357         (WTF::RuntimeArray::createStructure):
2358         (WTF::RuntimeArray::finishCreation):
2359         (WTF::RuntimeArray::RuntimeArray):
2360         (WTF::RuntimeArray::lengthGetter):
2361         (WTF::DOMJITNode::DOMJITNode):
2362         (WTF::DOMJITNode::createStructure):
2363         (WTF::DOMJITNode::checkSubClassSnippet):
2364         (WTF::DOMJITNode::create):
2365         (WTF::DOMJITNode::value const):
2366         (WTF::DOMJITNode::offsetOfValue):
2367         (WTF::DOMJITGetter::DOMJITGetter):
2368         (WTF::DOMJITGetter::createStructure):
2369         (WTF::DOMJITGetter::create):
2370         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2371         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
2372         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2373         (WTF::DOMJITGetter::customGetter):
2374         (WTF::DOMJITGetter::finishCreation):
2375         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
2376         (WTF::DOMJITGetterComplex::createStructure):
2377         (WTF::DOMJITGetterComplex::create):
2378         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2379         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
2380         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2381         (WTF::DOMJITGetterComplex::functionEnableException):
2382         (WTF::DOMJITGetterComplex::customGetter):
2383         (WTF::DOMJITGetterComplex::finishCreation):
2384         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
2385         (WTF::DOMJITFunctionObject::createStructure):
2386         (WTF::DOMJITFunctionObject::create):
2387         (WTF::DOMJITFunctionObject::safeFunction):
2388         (WTF::DOMJITFunctionObject::unsafeFunction):
2389         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2390         (WTF::DOMJITFunctionObject::finishCreation):
2391         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
2392         (WTF::DOMJITCheckSubClassObject::createStructure):
2393         (WTF::DOMJITCheckSubClassObject::create):
2394         (WTF::DOMJITCheckSubClassObject::safeFunction):
2395         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
2396         (WTF::DOMJITCheckSubClassObject::finishCreation):
2397         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
2398         (WTF::DOMJITGetterBaseJSObject::createStructure):
2399         (WTF::DOMJITGetterBaseJSObject::create):
2400         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
2401         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2402         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
2403         (WTF::DOMJITGetterBaseJSObject::customGetter):
2404         (WTF::DOMJITGetterBaseJSObject::finishCreation):
2405         (WTF::Message::releaseContents):
2406         (WTF::Message::index const):
2407         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
2408         (WTF::JSTestCustomGetterSetter::create):
2409         (WTF::JSTestCustomGetterSetter::createStructure):
2410         (WTF::customGetAccessor):
2411         (WTF::customGetValue):
2412         (WTF::customSetAccessor):
2413         (WTF::customSetValue):
2414         (WTF::JSTestCustomGetterSetter::finishCreation):
2415         (WTF::Element::handleOwner):
2416         (WTF::Element::finishCreation):
2417         (JSC::functionCrash):
2418         (JSC::functionCreateProxy):
2419         (JSC::functionCreateRuntimeArray):
2420         (JSC::functionCreateImpureGetter):
2421         (JSC::functionCreateCustomGetterObject):
2422         (JSC::functionCreateDOMJITNodeObject):
2423         (JSC::functionCreateDOMJITGetterObject):
2424         (JSC::functionCreateDOMJITGetterComplexObject):
2425         (JSC::functionCreateDOMJITFunctionObject):
2426         (JSC::functionCreateDOMJITCheckSubClassObject):
2427         (JSC::functionCreateDOMJITGetterBaseJSObject):
2428         (JSC::functionSetImpureGetterDelegate):
2429         (JSC::functionCreateBuiltin):
2430         (JSC::functionCreateRoot):
2431         (JSC::functionCreateElement):
2432         (JSC::functionGetElement):
2433         (JSC::functionCreateSimpleObject):
2434         (JSC::functionGetHiddenValue):
2435         (JSC::functionSetHiddenValue):
2436         (JSC::functionShadowChickenFunctionsOnStack):
2437         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
2438         (JSC::functionFindTypeForExpression):
2439         (JSC::functionReturnTypeFor):
2440         (JSC::functionDumpBasicBlockExecutionRanges):
2441         (JSC::functionHasBasicBlockExecuted):
2442         (JSC::functionBasicBlockExecutionCount):
2443         (JSC::functionEnableExceptionFuzz):
2444         (JSC::functionGlobalObjectForObject):
2445         (JSC::functionGetGetterSetter):
2446         (JSC::functionLoadGetterFromGetterSetter):
2447         (JSC::functionCreateCustomTestGetterSetter):
2448         (JSC::JSDollarVM::finishCreation):
2449         (JSC::JSDollarVM::addFunction):
2450         (JSC::JSDollarVM::addConstructibleFunction):
2451         * tools/JSDollarVM.h:
2452         (JSC::JSDollarVM::create):
2453
2454 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
2455
2456         Minor ArrayBufferView cleanup
2457         https://bugs.webkit.org/show_bug.cgi?id=179966
2458
2459         Reviewed by Darin Adler.
2460         
2461         Use void* for data pointers when we don't need to do offset math. Use const for
2462         source pointers.
2463         
2464         Prefer uint8_t* to char*.
2465         
2466         Add comments noting that the assertions should not be made release assertions
2467         as recommended by the style checker, since the point is to avoid the virtual byteLength()
2468         call in release.
2469
2470         * runtime/ArrayBufferView.h:
2471         (JSC::ArrayBufferView::setImpl):
2472         (JSC::ArrayBufferView::setRangeImpl):
2473         (JSC::ArrayBufferView::getRangeImpl):
2474         (JSC::ArrayBufferView::zeroRangeImpl):
2475
2476 2017-11-23  Darin Adler  <darin@apple.com>
2477
2478         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
2479         https://bugs.webkit.org/show_bug.cgi?id=179907
2480
2481         Reviewed by Sam Weinig.
2482
2483         * inspector/agents/InspectorDebuggerAgent.cpp:
2484         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
2485         defaults to that.
2486
2487         * runtime/StringPrototype.cpp:
2488         (JSC::stringIncludesImpl): Use String::find since there is no overload of
2489         String::contains that takes a start offset now that we removed the one that took a
2490         caseSensitive boolean. We can add one later if we like, but this should do for now.
2491
2492         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
2493         the StringImpl.h header because it is only used here.
2494
2495 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
2496
2497         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
2498         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
2499         
2500         Also name the argument to zeroRange() to 'count' since it's an item count.
2501
2502         * runtime/GenericTypedArrayView.h:
2503         (JSC::GenericTypedArrayView::zeroRange):
2504         (JSC::GenericTypedArrayView::getRange):
2505
2506 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
2507
2508         Allow for more efficient use of GenericTypedArrayView
2509         https://bugs.webkit.org/show_bug.cgi?id=179899
2510
2511         Reviewed by Sam Weinig.
2512         
2513         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
2514         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
2515         in a length.
2516
2517         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
2518         byteLength() calls.
2519         
2520         Renamed 'dataLength' to 'count' in setRange() to be clearer.
2521         
2522         Added setNative() for callers who don't need clamping of doubles.
2523
2524         * runtime/ArrayBufferView.h:
2525         (JSC::ArrayBufferView::setRangeImpl):
2526         (JSC::ArrayBufferView::getRangeImpl):
2527         * runtime/GenericTypedArrayView.h:
2528         (JSC::GenericTypedArrayView::setRange):
2529         (JSC::GenericTypedArrayView::setNative const):
2530         (JSC::GenericTypedArrayView::getRange):
2531         (JSC::GenericTypedArrayView::checkInboundData const):
2532         (JSC::GenericTypedArrayView::internalByteLength const):
2533
2534 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2535
2536         [DFG][FTL] Support MapSet / SetAdd intrinsics
2537         https://bugs.webkit.org/show_bug.cgi?id=179858
2538
2539         Reviewed by Saam Barati.
2540
2541         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
2542         By handling them as MapSet and SetAdd DFG nodes and decoupling
2543         MapSet and SetAdd nodes from the MapHash DFG node, we have a chance to
2544         remove the duplicate MapHash calculation for the same key.
2545
2546         One story is *set-if-not-exists*.
2547
2548             if (!map.has(key))
2549                 map.set(key, value);
2550
2551         In the above code, both `has` and `set` require the hash value for `key`.
2552         If we can change `set` to the series of DFG nodes:
2553
2554             1: MapHash(key)
2555             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
2556
2557         we can remove the duplicate @1 produced by the `has` operation.
2558
2559         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively:
2560
2561                                          baseline                  patched
2562
2563             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
2564             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
2565
2566         Microbenchmarks
2567
2568             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
2569
2570         * dfg/DFGAbstractInterpreterInlines.h:
2571         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2572         * dfg/DFGByteCodeParser.cpp:
2573         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2574         * dfg/DFGClobberize.h:
2575         (JSC::DFG::clobberize):
2576         * dfg/DFGDoesGC.cpp:
2577         (JSC::DFG::doesGC):
2578         * dfg/DFGFixupPhase.cpp:
2579         (JSC::DFG::FixupPhase::fixupNode):
2580         * dfg/DFGNodeType.h:
2581         * dfg/DFGOperations.cpp:
2582         * dfg/DFGOperations.h:
2583         * dfg/DFGPredictionPropagationPhase.cpp:
2584         * dfg/DFGSafeToExecute.h:
2585         (JSC::DFG::safeToExecute):
2586         * dfg/DFGSpeculativeJIT.cpp:
2587         (JSC::DFG::SpeculativeJIT::compileSetAdd):
2588         (JSC::DFG::SpeculativeJIT::compileMapSet):
2589         * dfg/DFGSpeculativeJIT.h:
2590         (JSC::DFG::SpeculativeJIT::callOperation):
2591         * dfg/DFGSpeculativeJIT32_64.cpp:
2592         (JSC::DFG::SpeculativeJIT::compile):
2593         * dfg/DFGSpeculativeJIT64.cpp:
2594         (JSC::DFG::SpeculativeJIT::compile):
2595         * ftl/FTLCapabilities.cpp:
2596         (JSC::FTL::canCompile):
2597         * ftl/FTLLowerDFGToB3.cpp:
2598         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2599         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
2600         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
2601         * jit/JITOperations.h:
2602         * runtime/HashMapImpl.h:
2603         (JSC::HashMapImpl::addNormalized):
2604         (JSC::HashMapImpl::addNormalizedInternal):
2605         * runtime/Intrinsic.cpp:
2606         (JSC::intrinsicName):
2607         * runtime/Intrinsic.h:
2608         * runtime/MapPrototype.cpp:
2609         (JSC::MapPrototype::finishCreation):
2610         * runtime/SetPrototype.cpp:
2611         (JSC::SetPrototype::finishCreation):
2612
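The set-if-not-exists idiom from the entry above, as an added example (not code from the WebKit change or its tests): a setIfAbsent/addIfAbsent pair that returns whether an insertion happened, and a report of how Map and Set compare keys. Removing the second MapHash computation is only sound because has() and set() agree on key equality, which is SameValueZero: NaN finds NaN, and -0 is stored as +0. I assume from the name that the addNormalized functions listed in the entry are where JSC applies that normalization. Function names are mine.

```javascript
// Set-if-not-exists, the idiom from the ChangeLog entry. Map.prototype.set
// returns the map, so callers cannot tell "inserted" from "already there";
// this wrapper returns that bit. Both has() and set() hash `key`.
function setIfAbsent(map, key, value) {
  if (map.has(key)) return false;
  map.set(key, value);
  return true;
}

// Same idiom for Set: add only if absent, report whether it was added.
function addIfAbsent(set, value) {
  if (set.has(value)) return false;
  set.add(value);
  return true;
}

// Map/Set key equality is SameValueZero (ECMA-262): like === except that
// NaN equals NaN and -0 equals +0. A Map stores the key -0 as +0, which is
// the key normalization assumed to live behind HashMapImpl::addNormalized.
function keyEqualityReport() {
  const m = new Map();
  const r = {};
  r.firstNaN = setIfAbsent(m, NaN, 'nan');          // true: inserted
  r.secondNaN = setIfAbsent(m, NaN, 'again');       // false: NaN found NaN
  r.negZero = setIfAbsent(m, -0, 'zero');           // true: inserted
  r.posZero = setIfAbsent(m, 0, 'again');           // false: -0 and +0 collide
  r.storedZeroIsPositive = [...m.keys()].some(k => Object.is(k, 0));   // true
  r.storedNegZeroPresent = [...m.keys()].some(k => Object.is(k, -0));  // false
  r.stringVsNumber = setIfAbsent(m, '0', 'string'); // true: no coercion, '0' is a new key
  r.size = m.size;                                  // 3: NaN, 0, '0'

  // Objects compare by identity: two structurally equal objects are two keys.
  const s = new Set();
  r.firstObject = addIfAbsent(s, { id: 1 });        // true
  r.secondObject = addIfAbsent(s, { id: 1 });       // true: different identity
  const shared = { id: 2 };
  r.sharedOnce = addIfAbsent(s, shared);            // true
  r.sharedTwice = addIfAbsent(s, shared);           // false: same identity
  return r;
}
```

Anything that dedupes on Map/Set membership (allow-lists, seen-sets in a parser, rate-limit buckets) inherits these rules: numeric keys do not coerce from strings, and object keys are identity, not content.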
2613 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2614
2615         [JSC] Allow poly proto for intrinsic getters
2616         https://bugs.webkit.org/show_bug.cgi?id=179550
2617
2618         Reviewed by Saam Barati.
2619
2620         This patch allows intrinsic getters to accept poly proto.
2621         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
2622         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
2623         code for poly proto case.
2624
2625         * bytecode/IntrinsicGetterAccessCase.cpp:
2626         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
2627         (JSC::IntrinsicGetterAccessCase::create):
2628         * bytecode/IntrinsicGetterAccessCase.h:
2629         * jit/IntrinsicEmitter.cpp:
2630         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
2631         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
2632         * jit/Repatch.cpp:
2633         (JSC::tryCacheGetByID):
2634
2635 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
2636
2637         Detect __declspec within JSBase.h
2638         https://bugs.webkit.org/show_bug.cgi?id=179892
2639
2640         Reviewed by Darin Adler.
2641
2642         * API/JSBase.h:
2643
2644 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2645
2646         Remove unused TOUCH_ICON_LOADING feature flag
2647         https://bugs.webkit.org/show_bug.cgi?id=179873
2648
2649         Reviewed by Simon Fraser.
2650
2651         * Configurations/FeatureDefines.xcconfig:
2652
2653 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2654
2655         Add CPU(UNKNOWN) to cover all the unknown CPU types
2656         https://bugs.webkit.org/show_bug.cgi?id=179243
2657
2658         Reviewed by JF Bastien.
2659
2660         * CMakeLists.txt:
2661
2662 2017-11-19  Tim Horton  <timothy_horton@apple.com>
2663
2664         Remove unused LEGACY_VENDOR_PREFIXES feature flag
2665         https://bugs.webkit.org/show_bug.cgi?id=179872
2666
2667         Reviewed by Darin Adler.
2668
2669         * Configurations/FeatureDefines.xcconfig:
2670
2671 2017-11-18  Tim Horton  <timothy_horton@apple.com>
2672
2673         Fix typos in closing ENABLE() comments
2674         https://bugs.webkit.org/show_bug.cgi?id=179869
2675
2676         Unreviewed.
2677
2678         * wasm/WasmMemory.h:
2679         * wasm/WasmMemoryMode.h:
2680
2681 2017-11-17  JF Bastien  <jfbastien@apple.com>
2682
2683         NFC update ClassInfo to C++14
2684         https://bugs.webkit.org/show_bug.cgi?id=179783
2685
2686         Reviewed by Mark Lam.
2687
2688         Forked from #179734, use `using` instead of `typedef`. It's easier
2689         to read.
2690
2691         * runtime/ClassInfo.h:
2692
2693 2017-11-17  JF Bastien  <jfbastien@apple.com>
2694
2695         WebAssembly JS API: throw when a promise can't be created
2696         https://bugs.webkit.org/show_bug.cgi?id=179826
2697         <rdar://problem/35455813>
2698
2699         Reviewed by Mark Lam.
2700
2701         Failure *in* a promise causes rejection, but failure to create a
2702         promise (because of stack overflow) isn't really spec'd (as with all
2703         stack-related things in JS). This applies to WebAssembly.compile and
2704         WebAssembly.instantiate.
2705
2706         Dan's current proposal says:
2707
2708             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
2709
2710             Whenever a stack overflow occurs in WebAssembly code, the same
2711             class of exception is thrown as for a stack overflow in
2712             JavaScript. The particular exception here is
2713             implementation-defined in both cases.
2714
2715             Note: ECMAScript doesn’t specify any sort of behavior on stack
2716             overflow; implementations have been observed to throw RangeError,
2717             InternalError or Error. Any is valid here.
2718
2719         This is for general stack overflow within WebAssembly, not
2720         specifically for promise creation within JavaScript, but it seems
2721         like a stack overflow in promise creation should follow the same
2722         rule instead of, say, swallowing the overflow and returning
2723         undefined.
2724
2725         * wasm/js/WebAssemblyPrototype.cpp:
2726         (JSC::webAssemblyCompileFunc):
2727         (JSC::webAssemblyInstantiateFunc):
2728
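A way to check the rule the entry argues for, as an added example that is not part of the WebKit patch or its tests and is written as engine-independent JavaScript for Node.js (so its result says nothing about JSC in particular): recurse until the engine's stack limit, call the promise-returning API in every frame, and classify each call as returned-a-promise, threw, or returned-something-else. The argued-for rule is that the last bucket stays empty: an API that cannot create its promise must throw, never hand back undefined. probeWebAssemblyCompile applies the probe to WebAssembly.compile with the 8-byte empty module; EMPTY_MODULE and the function names are assumptions of this example.

```javascript
// Drive the stack to its limit and call `makePromise` in every frame,
// recording what happened. A return value that is neither a thenable nor
// an exception (e.g. undefined) is a "swallowed" failure: the caller would
// carry on with a non-promise and fail later, somewhere unrelated.
function probeUnderStackPressure(makePromise) {
  const tally = { promise: 0, threw: 0, swallowed: 0, depth: 0 };

  function classify() {
    let result;
    try {
      result = makePromise();
    } catch (e) {
      tally.threw++;            // overflow (or anything else) surfaced as a throw
      return;
    }
    if (result !== null && typeof result === 'object' && typeof result.then === 'function') {
      tally.promise++;
      result.then(undefined, () => {});  // keep a rejection from going unhandled
    } else {
      tally.swallowed++;        // the failure mode the ChangeLog entry rejects
    }
  }

  function descend(depth) {
    tally.depth = depth;
    classify();
    descend(depth + 1);         // recurse until the engine throws RangeError here
  }

  try {
    descend(1);
  } catch (e) {
    if (!(e instanceof RangeError)) throw e;  // only the stack-limit error ends the probe
  }
  return tally;
}

// Empty WebAssembly module (constructed inline: magic "\0asm" + version 1),
// so the probe runs offline. WebAssembly.compile of it resolves to a Module.
const EMPTY_MODULE = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Hypothetical entry point for the case the entry discusses.
function probeWebAssemblyCompile() {
  return probeUnderStackPressure(() => WebAssembly.compile(EMPTY_MODULE));
}
```

The same probe works for any promise-returning entry point (fetch wrappers, crypto.subtle calls, module loaders): `tally.swallowed` must be 0, and `tally.threw` is allowed to be non-zero because throwing at the limit is exactly the behaviour the entry asks for.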
2729 2017-11-16  Daniel Bates  <dabates@apple.com>
2730
2731         Add feature define for alternative presentation button element
2732         https://bugs.webkit.org/show_bug.cgi?id=179692
2733         Part of <rdar://problem/34917108>
2734
2735         Reviewed by Andy Estes.
2736
2737         Only enabled on Cocoa platforms by default.
2738
2739         * Configurations/FeatureDefines.xcconfig:
2740
2741 2017-11-16  Saam Barati  <sbarati@apple.com>
2742
2743         Fix a bug with cpuid in the FTL.
2744
2745         Rubber stamped by Mark Lam.
2746
2747         Before uploading the previous patch, I tried to condense the code. I
2748         accidentally removed a crucial line saying that CPUID clobbers various
2749         registers.
2750
2751         * ftl/FTLLowerDFGToB3.cpp:
2752         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2753
2754 2017-11-16  Saam Barati  <sbarati@apple.com>
2755
2756         Add some X86 intrinsics to $vm to help with some perf testing
2757         https://bugs.webkit.org/show_bug.cgi?id=179693
2758
2759         Reviewed by Mark Lam.
2760
2761         I've been doing some local perf testing of various ideas and have
2762         had these come in handy. I'm going to land them to dollarVM to prevent
2763         having to add them to my local build every time I do perf testing.
2764
2765         * assembler/MacroAssemblerX86Common.h:
2766         (JSC::MacroAssemblerX86Common::mfence):
2767         (JSC::MacroAssemblerX86Common::rdtsc):
2768         (JSC::MacroAssemblerX86Common::pause):
2769         (JSC::MacroAssemblerX86Common::cpuid):
2770         * assembler/X86Assembler.h:
2771         (JSC::X86Assembler::rdtsc):
2772         (JSC::X86Assembler::pause):
2773         (JSC::X86Assembler::cpuid):
2774         * dfg/DFGAbstractInterpreterInlines.h:
2775         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2776         * dfg/DFGByteCodeParser.cpp:
2777         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2778         * dfg/DFGClobberize.h:
2779         (JSC::DFG::clobberize):
2780         * dfg/DFGDoesGC.cpp:
2781         (JSC::DFG::doesGC):
2782         * dfg/DFGFixupPhase.cpp:
2783         (JSC::DFG::FixupPhase::fixupNode):
2784         * dfg/DFGGraph.cpp:
2785         (JSC::DFG::Graph::dump):
2786         * dfg/DFGNode.h:
2787         (JSC::DFG::Node::intrinsic):
2788         * dfg/DFGNodeType.h:
2789         * dfg/DFGPredictionPropagationPhase.cpp:
2790         * dfg/DFGSafeToExecute.h:
2791         (JSC::DFG::safeToExecute):
2792         * dfg/DFGSpeculativeJIT32_64.cpp:
2793         (JSC::DFG::SpeculativeJIT::compile):
2794         * dfg/DFGSpeculativeJIT64.cpp:
2795         (JSC::DFG::SpeculativeJIT::compile):
2796         * dfg/DFGValidate.cpp:
2797         * ftl/FTLCapabilities.cpp:
2798         (JSC::FTL::canCompile):
2799         * ftl/FTLLowerDFGToB3.cpp:
2800         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2801         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
2802         * runtime/Intrinsic.cpp:
2803         (JSC::intrinsicName):
2804         * runtime/Intrinsic.h:
2805         * tools/JSDollarVM.cpp:
2806         (JSC::functionCpuMfence):
2807         (JSC::functionCpuRdtsc):
2808         (JSC::functionCpuCpuid):
2809         (JSC::functionCpuPause):
2810         (JSC::functionCpuClflush):
2811         (JSC::JSDollarVM::finishCreation):
2812
2813 2017-11-16  JF Bastien  <jfbastien@apple.com>
2814
2815         It should be easier to reify lazy property names
2816         https://bugs.webkit.org/show_bug.cgi?id=179734
2817         <rdar://problem/35492521>
2818
2819         Reviewed by Keith Miller.
2820
2821         We reify lazy property names in a few different ways, each
2822         specific to the JSCell implementation, in put() instead of having
2823         a special function to do reification. Let's make that simpler.
2824
2825         This patch makes it easier to reify property names in a uniform
2826         manner, and does so in JSFunction. As a follow up I'll use the
2827         same mechanics for:
2828
2829         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
2830         ErrorConstructor  stackTraceLimit
2831         ErrorInstance     line, column, sourceURL, stack
2832         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
2833         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
2834         JSArray           length
2835         RegExpObject      lastIndex
2836         StringObject      length
2837
2838         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
2839         * runtime/JSCell.cpp:
2840         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
2841         * runtime/JSCell.h:
2842         * runtime/JSFunction.cpp: `name` and `length` can be reified.
2843         (JSC::JSFunction::reifyPropertyNameIfNeeded):
2844         (JSC::JSFunction::put):
2845         (JSC::JSFunction::reifyLength):
2846         (JSC::JSFunction::reifyName):
2847         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2848         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2849         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2850         (JSC::JSFunction::reifyLazyNameIfNeeded):
2851         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2852         * runtime/JSFunction.h:
2853         (JSC::JSFunction::isLazy):
2854         (JSC::JSFunction::isReified):
2855         * runtime/JSObjectInlines.h:
2856         (JSC::JSObject::putDirectInternal): do the reification here.
2857
2858 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2859
2860         Provide a runtime option for disabling the optimization of recursive tail calls
2861         https://bugs.webkit.org/show_bug.cgi?id=179765
2862
2863         Reviewed by Mark Lam.
2864
2865         * bytecode/PreciseJumpTargets.cpp:
2866         (JSC::getJumpTargetsForBytecodeOffset):
2867         * bytecompiler/BytecodeGenerator.cpp:
2868         (JSC::BytecodeGenerator::emitEnter):
2869         * dfg/DFGByteCodeParser.cpp:
2870         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2871         * runtime/Options.h:
2872
2873 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2874
2875         Fix null pointer dereference in bytecodeDumper
2876         https://bugs.webkit.org/show_bug.cgi?id=179764
2877
2878         Reviewed by Mark Lam.
2879
2880         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
2881
2882         * bytecode/BytecodeDumper.cpp:
2883         (JSC::BytecodeDumper<Block>::printCallOp):
2884
2885 2017-11-16  Robin Morisset  <rmorisset@apple.com>
2886
2887         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
2888         https://bugs.webkit.org/show_bug.cgi?id=179763
2889         <rdar://problem/35550513>
2890
2891         Reviewed by Keith Miller.
2892
2893         Fix null pointer dereference caused by an eliminated tdz_check.
2894
2895         The problem was when doing an OSR entry in DFG while |this| was null
2896         (because super() had not yet been called in the constructor of this
2897         subclass), it would be marked as non-null, and the tdz_check eliminated.
2898
2899         * dfg/DFGInPlaceAbstractState.cpp:
2900         (JSC::DFG::InPlaceAbstractState::initialize):
2901
2902 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
2903
2904         Unreviewed, rolling out r224863.
2905
2906         Introduced LayoutTest crashes on iOS Simulator.
2907
2908         Reverted changeset:
2909
2910         "Move JSONValues to WTF and convert uses of InspectorValues.h
2911         to JSONValues.h"
2912         https://bugs.webkit.org/show_bug.cgi?id=173793
2913         https://trac.webkit.org/changeset/224863
2914
2915 2017-11-14  Mark Lam  <mark.lam@apple.com>
2916
2917         Gardening: CLoop build fix after r224862.
2918         https://bugs.webkit.org/show_bug.cgi?id=179699
2919
2920         Not reviewed.
2921
2922         * bytecode/CodeBlock.h:
2923         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
2924
2925 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
2926
2927         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
2928         https://bugs.webkit.org/show_bug.cgi?id=173793
2929
2930         Reviewed by Brian Burg.
2931
2932         Based on patch by Brian Burg.
2933
2934         * JavaScriptCore.xcodeproj/project.pbxproj:
2935         * Sources.txt:
2936         * bindings/ScriptValue.cpp:
2937         (Inspector::jsToInspectorValue):
2938         (Inspector::toInspectorValue):
2939         (Deprecated::ScriptValue::toInspectorValue const):
2940         * bindings/ScriptValue.h:
2941         * inspector/AsyncStackTrace.cpp:
2942         * inspector/ConsoleMessage.cpp:
2943         * inspector/ContentSearchUtilities.cpp:
2944         * inspector/InjectedScript.cpp:
2945         (Inspector::InjectedScript::getFunctionDetails):
2946         (Inspector::InjectedScript::functionDetails):
2947         (Inspector::InjectedScript::getPreview):
2948         (Inspector::InjectedScript::getProperties):
2949         (Inspector::InjectedScript::getDisplayableProperties):
2950         (Inspector::InjectedScript::getInternalProperties):
2951         (Inspector::InjectedScript::getCollectionEntries):
2952         (Inspector::InjectedScript::saveResult):
2953         (Inspector::InjectedScript::wrapCallFrames const):
2954         (Inspector::InjectedScript::wrapObject const):
2955         (Inspector::InjectedScript::wrapTable const):
2956         (Inspector::InjectedScript::previewValue const):
2957         (Inspector::InjectedScript::setExceptionValue):
2958         (Inspector::InjectedScript::clearExceptionValue):
2959         (Inspector::InjectedScript::inspectObject):
2960         (Inspector::InjectedScript::releaseObject):
2961         * inspector/InjectedScriptBase.cpp:
2962         (Inspector::InjectedScriptBase::makeCall):
2963         (Inspector::InjectedScriptBase::makeEvalCall):
2964         * inspector/InjectedScriptBase.h:
2965         * inspector/InjectedScriptManager.cpp:
2966         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
2967         * inspector/InspectorBackendDispatcher.cpp:
2968         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
2969         (Inspector::BackendDispatcher::dispatch):
2970         (Inspector::BackendDispatcher::sendResponse):
2971         (Inspector::BackendDispatcher::sendPendingErrors):
2972         (Inspector::BackendDispatcher::getPropertyValue):
2973         (Inspector::castToInteger):
2974         (Inspector::castToNumber):
2975         (Inspector::BackendDispatcher::getInteger):
2976         (Inspector::BackendDispatcher::getDouble):
2977         (Inspector::BackendDispatcher::getString):
2978         (Inspector::BackendDispatcher::getBoolean):
2979         (Inspector::BackendDispatcher::getObject):
2980         (Inspector::BackendDispatcher::getArray):
2981         (Inspector::BackendDispatcher::getValue):
2982         * inspector/InspectorBackendDispatcher.h:
2983         * inspector/InspectorProtocolTypes.h:
2984         (Inspector::Protocol::Array::openAccessors):
2985         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
2986         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
2987         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
2988         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
2989         * inspector/ScriptCallFrame.cpp:
2990         * inspector/ScriptCallStack.cpp:
2991         * inspector/agents/InspectorAgent.cpp:
2992         (Inspector::InspectorAgent::inspect):
2993         * inspector/agents/InspectorAgent.h:
2994         * inspector/agents/InspectorDebuggerAgent.cpp:
2995         (Inspector::buildAssertPauseReason):
2996         (Inspector::buildCSPViolationPauseReason):
2997         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
2998         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
2999         (Inspector::buildObjectForBreakpointCookie):
3000         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3001         (Inspector::parseLocation):
3002         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3003         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3004         (Inspector::InspectorDebuggerAgent::continueToLocation):
3005         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3006         (Inspector::InspectorDebuggerAgent::didParseSource):
3007         (Inspector::InspectorDebuggerAgent::breakProgram):
3008         * inspector/agents/InspectorDebuggerAgent.h:
3009         * inspector/agents/InspectorRuntimeAgent.cpp:
3010         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3011         (Inspector::InspectorRuntimeAgent::saveResult):
3012         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3013         * inspector/agents/InspectorRuntimeAgent.h:
3014         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3015         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
3016         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3017         (CppBackendDispatcherImplementationGenerator.generate_output):
3018         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3019         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3020         (CppFrontendDispatcherHeaderGenerator.generate_output):
3021         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3022         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3023         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3024         (_generate_unchecked_setter_for_member):
3025         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3026         (CppProtocolTypesImplementationGenerator):
3027         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3028         (ObjCBackendDispatcherImplementationGenerator.generate_output):
3029         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3030         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3031         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
3032         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3033         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3034         * inspector/scripts/codegen/generate_objc_internal_header.py:
3035         (ObjCInternalHeaderGenerator.generate_output):
3036         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3037         (ObjCProtocolTypesImplementationGenerator.generate_output):
3038         * inspector/scripts/codegen/generator.py:
3039         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3040         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3041         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3042         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3043         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3044         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3045         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3046         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3047         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3048         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3049         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3050         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3051         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3052         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3053         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3054         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3055         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3056         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3057         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3058         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3059
3060 2017-11-14  Mark Lam  <mark.lam@apple.com>
3061
3062         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
3063         https://bugs.webkit.org/show_bug.cgi?id=179699
3064         <rdar://problem/35462346>
3065
3066         Reviewed by Michael Saboff.
3067
3068         * interpreter/Interpreter.cpp:
3069         (JSC::Interpreter::dumpRegisters):
3070         - Need to skip the callee-saved registers.
3071
3072 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
3073
3074         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
3075         https://bugs.webkit.org/show_bug.cgi?id=179563
3076
3077         Reviewed by Carlos Alberto Lopez Perez.
3078
3079         When run with BranchIfTruncateSuccessful,
3080         branchTruncateDoubleToInt32() should set the destination register
3081         before branching.
3082         This change also removes branchTruncateDoubleToUInt32() as it is
3083         deprecated (see r160205), merges branchOnTruncateResult() into
3084         branchTruncateDoubleToInt32() and adds test cases in testmasm.
3085
3086         * assembler/MacroAssemblerMIPS.h:
3087         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
3088         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
3089         Properly set dest before branching.
3090         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
3091         * assembler/testmasm.cpp:
3092         (JSC::testBranchTruncateDoubleToInt32):
3093         (JSC::run):
3094         Add tests for branchTruncateDoubleToInt32().
3095
3096 2017-11-14  Daniel Bates  <dabates@apple.com>
3097
3098         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
3099         for feature defines
3100
3101         Following r195498 and r201917 the Visual Studio property files for feature defines have
3102         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
3103         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
3104         files.
3105
3106         * Configurations/FeatureDefines.xcconfig:
3107
3108 2017-11-14  Mark Lam  <mark.lam@apple.com>
3109
3110         Remove JSDollarVMPrototype.
3111         https://bugs.webkit.org/show_bug.cgi?id=179685
3112
3113         Reviewed by Saam Barati.
3114
3115         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
3116
3117            This allows us to call these functions during lldb debugging sessions using
3118            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
3119            VMInspector provides VM debugging utility methods.  It doesn't make sense to
3120            have a JSDollarVMPrototype object provide these methods.
3121
3122            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
3123
3124         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
3125
3126            JSDollarVM is a special object used only for debugging purposes.  There's no
3127            gain in requiring its methods to be stored in a prototype object other than to
3128            conform to typical JS convention.  We can remove this complexity.
3129
3130         * JavaScriptCore.xcodeproj/project.pbxproj:
3131         * Sources.txt:
3132         * runtime/JSGlobalObject.cpp:
3133         (JSC::JSGlobalObject::init):
3134         * tools/JSDollarVM.cpp:
3135         (JSC::JSDollarVM::addFunction):
3136         (JSC::functionCrash):
3137         (JSC::functionDFGTrue):
3138         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
3139         (JSC::CallerFrameJITTypeFunctor::operator() const):
3140         (JSC::CallerFrameJITTypeFunctor::jitType):
3141         (JSC::functionLLintTrue):
3142         (JSC::functionJITTrue):
3143         (JSC::functionGC):
3144         (JSC::functionEdenGC):
3145         (JSC::functionCodeBlockForFrame):
3146         (JSC::codeBlockFromArg):
3147         (JSC::functionCodeBlockFor):
3148         (JSC::functionPrintSourceFor):
3149         (JSC::functionPrintBytecodeFor):
3150         (JSC::functionPrint):
3151         (JSC::functionPrintCallFrame):
3152         (JSC::functionPrintStack):
3153         (JSC::functionValue):
3154         (JSC::functionGetPID):
3155         (JSC::JSDollarVM::finishCreation):
3156         * tools/JSDollarVM.h:
3157         (JSC::JSDollarVM::create):
3158         * tools/JSDollarVMPrototype.cpp: Removed.
3159         * tools/JSDollarVMPrototype.h: Removed.
3160         * tools/VMInspector.cpp:
3161         (JSC::VMInspector::currentThreadOwnsJSLock):
3162         (JSC::ensureCurrentThreadOwnsJSLock):
3163         (JSC::VMInspector::gc):
3164         (JSC::VMInspector::edenGC):
3165         (JSC::VMInspector::isInHeap):
3166         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
3167         (JSC::CellAddressCheckFunctor::operator() const):
3168         (JSC::VMInspector::isValidCell):
3169         (JSC::VMInspector::isValidCodeBlock):
3170         (JSC::VMInspector::codeBlockForFrame):
3171         (JSC::PrintFrameFunctor::PrintFrameFunctor):
3172         (JSC::PrintFrameFunctor::operator() const):
3173         (JSC::VMInspector::printCallFrame):
3174         (JSC::VMInspector::printStack):
3175         (JSC::VMInspector::printValue):
3176         * tools/VMInspector.h:
3177
3178 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
3179
3180         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
3181         https://bugs.webkit.org/show_bug.cgi?id=179640
3182         <rdar://problem/35517361>
3183
3184         Reviewed by Devin Rousso.
3185
3186         * CMakeLists.txt:
3187         * DerivedSources.make:
3188         Gate the ServiceWorker domain on the ENABLE feature flag.
3189
3190         * inspector/protocol/ServiceWorker.json: Added.
3191         New domain to be made available inside of a ServiceWorker target.
3192
3193 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3194
3195         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
3196         https://bugs.webkit.org/show_bug.cgi?id=179594
3197
3198         Reviewed by Saam Barati.
3199
3200         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
3201         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
3202         `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
3203         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
3204         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
3205
3206         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
3207         accept this type, and emit optimized code compared to Array::Generic case.
3208
3209         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) as OutOfBounds
3210         exit instead of ExoticObjectMode.
3211
3212         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
3213         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
3214
3215             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
3216
3217         * dfg/DFGArgumentsEliminationPhase.cpp:
3218         * dfg/DFGArrayMode.cpp:
3219         (JSC::DFG::ArrayMode::refine const):
3220         * dfg/DFGClobberize.h:
3221         (JSC::DFG::clobberize):
3222         * dfg/DFGSpeculativeJIT.cpp:
3223         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3224         * ftl/FTLLowerDFGToB3.cpp:
3225         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3226         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
3227
3228 2017-11-14  Saam Barati  <sbarati@apple.com>
3229
3230         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
3231         https://bugs.webkit.org/show_bug.cgi?id=179639
3232         <rdar://problem/35513018>
3233
3234         Reviewed by JF Bastien.
3235
3236         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
3237         walk the stack for ShadowChicken (and maybe other things). We weren't updating
3238         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
3239         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
3240         this bug by giving Wasm::Instance a lambda that is called when we need to store
3241         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
3242         Currently, JSWebAssemblyInstance passes in a lambda that stores to
3243         VM.topCallFrame.
3244
3245         * wasm/WasmB3IRGenerator.cpp:
3246         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3247         * wasm/WasmInstance.cpp:
3248         (JSC::Wasm::Instance::Instance):
3249         (JSC::Wasm::Instance::create):
3250         * wasm/WasmInstance.h:
3251         (JSC::Wasm::Instance::storeTopCallFrame):
3252         * wasm/js/JSWebAssemblyInstance.cpp:
3253         (JSC::JSWebAssemblyInstance::create):
3254         * wasm/js/JSWebAssemblyInstance.h:
3255         * wasm/js/WasmToJS.cpp:
3256         (JSC::Wasm::wasmToJSException):
3257         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3258         (JSC::constructJSWebAssemblyInstance):
3259         * wasm/js/WebAssemblyPrototype.cpp:
3260         (JSC::instantiate):
3261
3262 2017-11-13  Saam Barati  <sbarati@apple.com>
3263
3264         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
3265         https://bugs.webkit.org/show_bug.cgi?id=179203
3266
3267         Reviewed by Yusuke Suzuki.
3268
3269         This patch only removes the pointer caging for the described types in the title.
3270         These types still allocate out of the gigacage. This is just a cost vs benefit
3271         tradeoff of performance vs security.
3272
3273         * dfg/DFGSpeculativeJIT.cpp:
3274         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3275         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3276         * ftl/FTLLowerDFGToB3.cpp:
3277         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3278         * jit/JITPropertyAccess.cpp:
3279         (JSC::JIT::emitDirectArgumentsGetByVal):
3280         (JSC::JIT::emitScopedArgumentsGetByVal):
3281         * runtime/DirectArguments.h:
3282         (JSC::DirectArguments::storage):
3283         * runtime/HashMapImpl.cpp:
3284         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3285         * runtime/HashMapImpl.h:
3286         * runtime/JSLexicalEnvironment.h:
3287         (JSC::JSLexicalEnvironment::variables):
3288         * runtime/ScopedArguments.h:
3289         (JSC::ScopedArguments::overflowStorage const):
3290
3291 2017-11-08  Keith Miller  <keith_miller@apple.com>
3292
3293         Async iteration should only fetch the next method once and add feature flag
3294         https://bugs.webkit.org/show_bug.cgi?id=179451
3295
3296         Reviewed by Geoffrey Garen.
3297
3298         Add feature flag for Async iteration. Also, change async iteration to match
3299         the expected behavior of the proposal.
3300
3301         * Configurations/FeatureDefines.xcconfig:
3302         * builtins/AsyncFromSyncIteratorPrototype.js:
3303         (globalPrivate.createAsyncFromSyncIterator):
3304         (globalPrivate.AsyncFromSyncIteratorConstructor):
3305         * builtins/BuiltinNames.h:
3306         * bytecompiler/BytecodeGenerator.cpp:
3307         (JSC::BytecodeGenerator::emitGetAsyncIterator):
3308         * runtime/Options.h:
3309
3310 2017-11-13  Mark Lam  <mark.lam@apple.com>
3311
3312         Add more overflow check book-keeping for MarkedArgumentBuffer.
3313         https://bugs.webkit.org/show_bug.cgi?id=179634
3314         <rdar://problem/35492517>
3315
3316         Reviewed by Saam Barati.
3317
3318         * runtime/ArgList.h:
3319         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
3320         * runtime/JSJob.cpp:
3321         (JSC::JSJobMicrotask::run):
3322         * runtime/ObjectConstructor.cpp:
3323         (JSC::defineProperties):
3324         * runtime/ReflectObject.cpp:
3325         (JSC::reflectObjectConstruct):
3326
3327 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
3328
3329         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
3330         https://bugs.webkit.org/show_bug.cgi?id=179542
3331
3332         Reviewed by Alex Christensen.
3333
3334         * assembler/MacroAssemblerARM.h:
3335         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
3336
3337 2017-11-13  Mark Lam  <mark.lam@apple.com>
3338
3339         Make the jsc shell loadGetterFromGetterSetter() function more robust.
3340         https://bugs.webkit.org/show_bug.cgi?id=179619
3341         <rdar://problem/35492518>
3342
3343         Reviewed by Saam Barati.
3344
3345         * jsc.cpp:
3346         (functionLoadGetterFromGetterSetter):
3347
3348 2017-11-12  Darin Adler  <darin@apple.com>
3349
3350         More is<> and downcast<>, less static_cast<>
3351         https://bugs.webkit.org/show_bug.cgi?id=179600
3352
3353         Reviewed by Chris Dumez.
3354
3355         * runtime/JSString.h:
3356         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
3357         (JSC::jsSubstringOfResolved): Ditto.
3358
3359 2017-11-12  Mark Lam  <mark.lam@apple.com>
3360
3361         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
3362         https://bugs.webkit.org/show_bug.cgi?id=179562
3363         <rdar://problem/35467022>
3364
3365         Reviewed by Saam Barati.
3366
3367         * dfg/DFGFixupPhase.cpp:
3368         (JSC::DFG::FixupPhase::fixupNode):
3369         * dfg/DFGOperations.cpp:
3370         * dfg/DFGSafeToExecute.h:
3371         (JSC::DFG::SafeToExecuteEdge::operator()):
3372         * dfg/DFGSpeculativeJIT.cpp:
3373         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
3374         (JSC::DFG::SpeculativeJIT::speculate):
3375         * dfg/DFGSpeculativeJIT.h:
3376         * dfg/DFGUseKind.cpp:
3377         (WTF::printInternal):
3378         * dfg/DFGUseKind.h:
3379         (JSC::DFG::typeFilterFor):
3380         * ftl/FTLCapabilities.cpp:
3381         (JSC::FTL::canCompile):
3382         * ftl/FTLLowerDFGToB3.cpp:
3383         (JSC::FTL::DFG::LowerDFGToB3::speculate):
3384         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
3385
3386 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
3387
3388         Web Inspector: Canvas tab: show detailed status during canvas recording
3389         https://bugs.webkit.org/show_bug.cgi?id=178185
3390         <rdar://problem/34939862>
3391
3392         Reviewed by Brian Burg.
3393
3394         * inspector/protocol/Canvas.json:
3395         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
3396         payloads since the last Canvas.recordingProgress event and the current buffer usage.
3397
3398         * inspector/protocol/Recording.json:
3399         Remove the required `frames` parameter from the Recording protocol object, as they will be
3400         sent in batches via the Canvas.recordingProgress event.
3401
3402 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
3403
3404         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
3405         https://bugs.webkit.org/show_bug.cgi?id=179543
3406
3407         Reviewed by Antoine Quint.
3408
3409         * inspector/protocol/Network.json:
3410         Use a better type for the status code.
3411
3412 2017-11-10  Robin Morisset  <rmorisset@apple.com>
3413
3414         The memory consumption of DFG::BasicBlock can be easily reduced a bit
3415         https://bugs.webkit.org/show_bug.cgi?id=179528
3416
3417         Reviewed by Saam Barati.
3418
3419         A few changes here:
3420         - Reordering some fields of DFG::BasicBlock to reduce padding
3421         - Making the enum fields that are glorified booleans fit into a u8
3422         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
3423           This change works because we never increase the number of arguments after allocating an Operands object.
3424           It lets us avoid one extra capacity field and one extra pointer field per Operands,
3425           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
3426           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
3427           we have a chance to avoid an allocation.
3428         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
3429
3430         * bytecode/Operands.h:
3431         (JSC::Operands::Operands):
3432         (JSC::Operands::numberOfArguments const):
3433         (JSC::Operands::numberOfLocals const):
3434         (JSC::Operands::argument):
3435         (JSC::Operands::argument const):
3436         (JSC::Operands::local):
3437         (JSC::Operands::local const):
3438         (JSC::Operands::ensureLocals):
3439         (JSC::Operands::setLocal):
3440         (JSC::Operands::getLocal):
3441         (JSC::Operands::setArgumentFirstTime):
3442         (JSC::Operands::setLocalFirstTime):
3443         (JSC::Operands::operand):
3444         (JSC::Operands::setOperand):
3445         (JSC::Operands::size const):
3446         (JSC::Operands::at const):
3447         (JSC::Operands::at):
3448         (JSC::Operands::isArgument const):
3449         (JSC::Operands::isVariable const):
3450         (JSC::Operands::virtualRegisterForIndex const):
3451         (JSC::Operands::fill):
3452         (JSC::Operands::operator== const):
3453         (JSC::Operands::argumentForIndex const): Deleted.
3454         (JSC::Operands::variableForIndex const): Deleted.
3455         (JSC::Operands::indexForOperand const): Deleted.
3456         * dfg/DFGBasicBlock.cpp:
3457         (JSC::DFG::BasicBlock::BasicBlock):
3458         * dfg/DFGBasicBlock.h:
3459         * dfg/DFGBranchDirection.h:
3460         * dfg/DFGStructureClobberState.h:
3461
3462 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3463
3464         [JSC] Retry module fetching if previous request fails
3465         https://bugs.webkit.org/show_bug.cgi?id=178168
3466
3467         Reviewed by Saam Barati.
3468
3469         According to the latest spec, the failed fetching operation can be retried if it is requested again.
3470         For example,
3471
3472             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
3473             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
3474
3475         When performing the first module fetch, the integrity check fails, and the load of this module fails.
3476         But when loading the second module, we do not use the cached failure result in the first module loading.
3477         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
3478         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
3479
3480         Interestingly, the fetching result and instantiation result will be cached if they succeed. This is because we would
3481         like to cache modules based on their URLs. As a result,
3482
3483             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
3484             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
3485
3486         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
3487         instantiation are cached in the module pipeline.
3488
3489         This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
3490         failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
3491         if the previous one fails. As an overview of our change,
3492
3493         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
3494            be unified. But if currently executing one fails, other attempts should retry fetching.
3495
3496         2. Instantiation should be cached if fetching succeeds.
3497
3498         3. Satisfying should be cached if it succeeds.
3499
3500         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
3501
3502         * builtins/ModuleLoaderPrototype.js:
3503         (requestFetch):
3504         (requestInstantiate):
3505         (requestSatisfy):
3506         (link):
3507         (loadModule):
3508         * runtime/JSGlobalObject.cpp:
3509         (JSC::JSGlobalObject::init):
3510
3511 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
3512
3513         Web Inspector: support undo/redo of insertAdjacentHTML
3514         https://bugs.webkit.org/show_bug.cgi?id=179283
3515
3516         Reviewed by Joseph Pecoraro.
3517
3518         * inspector/protocol/DOM.json:
3519         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
3520         on the given node.
3521
3522 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
3523
3524         Web Inspector: Make domain availability a list of types instead of a single type
3525         https://bugs.webkit.org/show_bug.cgi?id=179457
3526
3527         Reviewed by Brian Burg.
3528
3529         * inspector/scripts/codegen/generate_js_backend_commands.py:
3530         (JSBackendCommandsGenerator.generate_domain):
3531         Update output of `InspectorBackend.activateDomain` to include the list.
3532
3533         * inspector/scripts/codegen/models.py:
3534         (Protocol.parse_domain):
3535         Parse `availability` as a list and include a new supported value of "service-worker".
3536
3537         * inspector/protocol/ApplicationCache.json:
3538         * inspector/protocol/CSS.json:
3539         * inspector/protocol/Canvas.json:
3540         * inspector/protocol/DOM.json:
3541         * inspector/protocol/DOMDebugger.json:
3542         * inspector/protocol/DOMStorage.json:
3543         * inspector/protocol/Database.json:
3544         * inspector/protocol/IndexedDB.json:
3545         * inspector/protocol/LayerTree.json:
3546         * inspector/protocol/Memory.json:
3547         * inspector/protocol/Network.json:
3548         * inspector/protocol/Page.json:
3549         * inspector/protocol/Timeline.json:
3550         * inspector/protocol/Worker.json:
3551         Update `availability` to be a list.
3552
3553         * inspector/scripts/tests/generic/domain-availability.json:
3554         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3555         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
3556         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
3557         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
3558         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
3559         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
3560         Update tests to include a test for the type and an invalid value.
3561
3562 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3563
3564         [JSC][JIT] Clean up SlowPathCall stubs
3565         https://bugs.webkit.org/show_bug.cgi?id=179247
3566
3567         Reviewed by Saam Barati.
3568
3569         We have a bunch of duplicate functions that just call a slow path function.
3570         This patch cleans up the above duplication.
3571
3572         * jit/JIT.cpp:
3573         (JSC::JIT::emitSlowCaseCall):
3574         (JSC::JIT::privateCompileSlowCases):
3575         * jit/JIT.h:
3576         * jit/JITArithmetic.cpp:
3577         (JSC::JIT::emitSlow_op_unsigned): Deleted.
3578         (JSC::JIT::emitSlow_op_inc): Deleted.
3579         (JSC::JIT::emitSlow_op_dec): Deleted.
3580         (JSC::JIT::emitSlow_op_bitand): Deleted.
3581         (JSC::JIT::emitSlow_op_bitor): Deleted.
3582         (JSC::JIT::emitSlow_op_bitxor): Deleted.
3583         (JSC::JIT::emitSlow_op_lshift): Deleted.
3584         (JSC::JIT::emitSlow_op_rshift): Deleted.
3585         (JSC::JIT::emitSlow_op_urshift): Deleted.
3586         (JSC::JIT::emitSlow_op_div): Deleted.
3587         * jit/JITArithmetic32_64.cpp:
3588         (JSC::JIT::emitSlow_op_unsigned): Deleted.
3589         (JSC::JIT::emitSlow_op_inc): Deleted.
3590         (JSC::JIT::emitSlow_op_dec): Deleted.
3591         * jit/JITOpcodes.cpp:
3592         (JSC::JIT::emitSlow_op_create_this): Deleted.
3593         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
3594         (JSC::JIT::emitSlow_op_to_this): Deleted.
3595         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
3596         (JSC::JIT::emitSlow_op_not): Deleted.
3597         (JSC::JIT::emitSlow_op_stricteq): Deleted.
3598         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
3599         (JSC::JIT::emitSlow_op_to_number): Deleted.
3600         (JSC::JIT::emitSlow_op_to_string): Deleted.
3601         (JSC::JIT::emitSlow_op_to_object): Deleted.
3602         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
3603         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
3604         * jit/JITOpcodes32_64.cpp:
3605         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
3606         (JSC::JIT::emitSlow_op_not): Deleted.
3607         (JSC::JIT::emitSlow_op_stricteq): Deleted.
3608         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
3609         (JSC::JIT::emitSlow_op_to_number): Deleted.
3610         (JSC::JIT::emitSlow_op_to_string): Deleted.
3611         (JSC::JIT::emitSlow_op_to_object): Deleted.
3612         (JSC::JIT::emitSlow_op_create_this): Deleted.
3613         (JSC::JIT::emitSlow_op_to_this): Deleted.
3614         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
3615         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
3616         * jit/JITPropertyAccess.cpp:
3617         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
3618         * jit/JITPropertyAccess32_64.cpp:
3619         (JSC::JIT::emit_op_resolve_scope):
3620         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
3621         * jit/SlowPathCall.h:
3622         (JSC::JITSlowPathCall::JITSlowPathCall):
3623         * runtime/CommonSlowPaths.cpp:
3624         (JSC::SLOW_PATH_DECL):
3625         * runtime/CommonSlowPaths.h:
3626
3627 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
3628
3629         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
3630         https://bugs.webkit.org/show_bug.cgi?id=179446
3631
3632         Reviewed by Žan Doberšek.
3633
3634         The trunc.w.d MIPS instruction should give a 0x7fffffff result when
3635         the source value is Infinity, NaN, or rounds to an integer outside the
3636         range -2^31 to 2^31 - 1. This is what branchTruncateDoubleToInt32() and
3637         branchTruncateDoubleToUInt32() have been relying on. It turns out that
3638         this assumption is not true on some CPUs, including on the ci20 on
3639         which we run the testbot (we get 0x80000000 instead). We should use the
3640         invalid operation cause bit instead to check whether the source value
3641         could be properly truncated. This requires the addition of the cfc1
3642         instruction, as well as the special registers that can be used with it
3643         (control registers of CP1).
3644
3645         * assembler/MIPSAssembler.h:
3646         (JSC::MIPSAssembler::firstSPRegister):
3647         (JSC::MIPSAssembler::lastSPRegister):
3648         (JSC::MIPSAssembler::numberOfSPRegisters):
3649         (JSC::MIPSAssembler::sprName):
3650         Added control registers of CP1.
3651         (JSC::MIPSAssembler::cfc1):
3652         Added.
3653         * assembler/MacroAssemblerMIPS.h:
3654         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
3655         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
3656         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
3657         Use fcsr to check if the value could be properly truncated.
3658
3659 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
3660
3661         HTMLMediaElement should not use element fullscreen on iOS
3662         https://bugs.webkit.org/show_bug.cgi?id=179418
3663         rdar://problem/35409277
3664
3665         Reviewed by Eric Carlson.
3666
3667         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
3668
3669         * Configurations/FeatureDefines.xcconfig:
3670
3671 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
3672
3673         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
3674         https://bugs.webkit.org/show_bug.cgi?id=179276
3675
3676         Reviewed by Andy Estes.
3677
3678         * inspector/InjectedScriptHost.h:
3679         * inspector/JSInjectedScriptHost.cpp:
3680         (Inspector::JSInjectedScriptHost::getInternalProperties):
3681         Call through to virtual implementation so that WebCore can provide custom
3682         internal properties for Web / DOM objects.
3683
3684 2017-11-08  Saam Barati  <sbarati@apple.com>
3685
3686         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
3687         https://bugs.webkit.org/show_bug.cgi?id=177792
3688
3689         Reviewed by Yusuke Suzuki.
3690
3691         Before this patch, if a JSFunction's rare data initialized its allocation profile
3692         before its backing Executable's poly proto watchpoint was invalidated, that
3693         JSFunction would continue to allocate non-poly proto objects until its allocation
3694         profile was cleared (which essentially never happens in practice). This patch
3695         improves on this pathology. A JSFunction's rare data will now watch the poly
3696         proto watchpoint if it's still valid and clear its allocation profile when we
3697         detect that we should go poly proto.
3698
3699         * bytecode/ObjectAllocationProfile.h:
3700         * bytecode/ObjectAllocationProfileInlines.h:
3701         (JSC::ObjectAllocationProfile::initializeProfile):
3702         * runtime/FunctionRareData.cpp:
3703         (JSC::FunctionRareData::initializeObjectAllocationProfile):
3704         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
3705         * runtime/FunctionRareData.h:
3706         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
3707         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
3708         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
3709
3710 2017-11-08  Keith Miller  <keith_miller@apple.com>
3711
3712         Add super sampler begin and end bytecodes.
3713         https://bugs.webkit.org/show_bug.cgi?id=179376
3714
3715         Reviewed by Filip Pizlo.
3716
3717         This patch adds a way to measure a narrow range of bytecodes for
3718         performance. This is done using the same infrastructure as the
3719         super sampler. I also added a class that helps do the bytecode
3720         checking with RAII. One problem with the current way this is done
3721         is that we don't handle decrementing early exits, either from
3722         branches or exceptions. So, when using this API users need to
3723         ensure that there are no early exits or that those exits don't
3724         occur on the measure code.
3725
3726         * JavaScriptCore.xcodeproj/project.pbxproj:
3727         * bytecode/BytecodeDumper.cpp:
3728         (JSC::BytecodeDumper<Block>::dumpBytecode):
3729         * bytecode/BytecodeList.json:
3730         * bytecode/BytecodeUseDef.h:
3731         (JSC::computeUsesForBytecodeOffset):
3732         (JSC::computeDefsForBytecodeOffset):
3733         * bytecompiler/BytecodeGenerator.cpp:
3734         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
3735         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
3736         * bytecompiler/BytecodeGenerator.h:
3737         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
3738         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
3739         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
3740         * dfg/DFGAbstractInterpreterInlines.h:
3741         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3742         * dfg/DFGByteCodeParser.cpp:
3743         (JSC::DFG::ByteCodeParser::parseBlock):
3744         * dfg/DFGClobberize.h:
3745         (JSC::DFG::clobberize):
3746         * dfg/DFGClobbersExitState.cpp:
3747         (JSC::DFG::clobbersExitState):
3748         * dfg/DFGDoesGC.cpp:
3749         (JSC::DFG::doesGC):
3750         * dfg/DFGFixupPhase.cpp:
3751         (JSC::DFG::FixupPhase::fixupNode):
3752         * dfg/DFGMayExit.cpp:
3753         * dfg/DFGNodeType.h:
3754         * dfg/DFGPredictionPropagationPhase.cpp:
3755         * dfg/DFGSafeToExecute.h:
3756         (JSC::DFG::safeToExecute):
3757         * dfg/DFGSpeculativeJIT.cpp:
3758         * dfg/DFGSpeculativeJIT32_64.cpp:
3759         (JSC::DFG::SpeculativeJIT::compile):
3760         * dfg/DFGSpeculativeJIT64.cpp:
3761         (JSC::DFG::SpeculativeJIT::compile):
3762         * ftl/FTLCapabilities.cpp:
3763         (JSC::FTL::canCompile):
3764         * ftl/FTLLowerDFGToB3.cpp:
3765         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3766         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
3767         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
3768         * jit/JIT.cpp:
3769         (JSC::JIT::privateCompileMainPass):
3770         * jit/JIT.h:
3771         * jit/JITOpcodes.cpp:
3772         (JSC::JIT::emit_op_super_sampler_begin):
3773         (JSC::JIT::emit_op_super_sampler_end):
3774         * llint/LLIntSlowPaths.cpp:
3775         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3776         * llint/LLIntSlowPaths.h:
3777         * llint/LowLevelInterpreter.asm:
3778
3779 2017-11-08  Robin Morisset  <rmorisset@apple.com>
3780
3781         Turn recursive tail calls into loops
3782         https://bugs.webkit.org/show_bug.cgi?id=176601
3783
3784         Reviewed by Saam Barati.
3785
3786         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
3787
3788         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
3789         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
3790         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
3791         We do this part through modifying the computation of the jump targets.
3792         Importantly, we only do this splitting for functions that have tail calls.
3793         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
3794
3795         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
3796         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
3797
3798         * bytecode/CodeBlock.h:
3799         (JSC::CodeBlock::hasTailCalls const):
3800         * bytecode/PreciseJumpTargets.cpp:
3801         (JSC::getJumpTargetsForBytecodeOffset):
3802         (JSC::computePreciseJumpTargetsInternal):
3803         * bytecode/UnlinkedCodeBlock.cpp:
3804         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
3805         * bytecode/UnlinkedCodeBlock.h:
3806         (JSC::UnlinkedCodeBlock::hasTailCalls const):
3807         (JSC::UnlinkedCodeBlock::setHasTailCalls):
3808         * bytecompiler/BytecodeGenerator.cpp:
3809         (JSC::BytecodeGenerator::emitEnter):
3810         (JSC::BytecodeGenerator::emitCallInTailPosition):
3811         * dfg/DFGByteCodeParser.cpp:
3812         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
3813         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
3814         (JSC::DFG::ByteCodeParser::handleCall):
3815         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3816         (JSC::DFG::ByteCodeParser::parseBlock):
3817         (JSC::DFG::ByteCodeParser::parse):
3818
3819 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
3820
3821         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
3822         https://bugs.webkit.org/show_bug.cgi?id=179407
3823
3824         Reviewed by Matt Baker.
3825
3826         * inspector/protocol/Page.json:
3827         Remove unused protocol type.
3828
3829 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
3830
3831         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
3832         https://bugs.webkit.org/show_bug.cgi?id=173619
3833
3834         Reviewed by Alex Christensen and Brian Burg.
3835
3836         Eventually all classes used for our JSON-RPC message passing should be outside
3837         of the Inspector namespace since the protocol is used outside of Inspector code.
3838         This will also allow us to unify the primitive JSON types with parametric types
3839         like Inspector::Protocol::Array<T> and other protocol-related types which don't
3840         need to be in the Inspector namespace.
3841
3842         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
3843         patches, other clients will move to use JSON::Value and friends. When all uses are
3844         changed, the actual implementation will be renamed. This patch just focuses on the typedef
3845         and making changes in generated protocol code.
3846
3847         Original patch by Brian Burg, rebased and updated by me.
3848
3849         * inspector/InspectorValues.cpp:
3850         * inspector/InspectorValues.h:
3851         * inspector/scripts/codegen/cpp_generator.py:
3852         (CppGenerator.cpp_protocol_type_for_type):
3853         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
3854         (CppGenerator.cpp_type_for_type_with_name):
3855         (CppGenerator.cpp_type_for_stack_in_parameter):
3856         * inspector/scripts/codegen/cpp_generator_templates.py:
3857         (void):
3858         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3859         (_generate_class_for_object_declaration):
3860         (_generate_forward_declarations_for_binding_traits):
3861         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3862         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
3863         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
3864         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3865         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3866         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3867         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3868         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3869         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3870         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3871         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3872         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3873         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3874         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3875         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3876         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3877         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3878
3879 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
3880
3881         Get rid of unsightly hex numbers from unified build object files
3882         https://bugs.webkit.org/show_bug.cgi?id=179410
3883
3884         Reviewed by Saam Barati.
3885
3886         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
3887
3888 2017-11-07  Saam Barati  <sbarati@apple.com>
3889
3890         Only cage double butterfly accesses
3891         https://bugs.webkit.org/show_bug.cgi?id=179202
3892
3893         Reviewed by Mark Lam.
3894
3895         This patch removes caging from all butterfly accesses except double loads/stores.
3896         This is a performance vs security tradeoff. Double loads/stores are the only butterfly