de20c35519bb6d548ab68551d2ddfae6fbe0c0bb
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [WTF] Use std::unique_ptr for StackTrace
4         https://bugs.webkit.org/show_bug.cgi?id=174495
5
6         Reviewed by Alex Christensen.
7
8         * runtime/ExceptionScope.cpp:
9         (JSC::ExceptionScope::unexpectedExceptionMessage):
10         * runtime/VM.cpp:
11         (JSC::VM::throwException):
12
13 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
14
15         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
16         https://bugs.webkit.org/show_bug.cgi?id=174423
17
18         Reviewed by Saam Barati.
19
20         * dfg/DFGAvailabilityMap.cpp:
21         (JSC::DFG::AvailabilityMap::pruneHeap):
22         (JSC::DFG::AvailabilityMap::pruneByLiveness):
23
24 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
25
26         Fix compiler warnings when building with GCC 7
27         https://bugs.webkit.org/show_bug.cgi?id=174463
28
29         Reviewed by Darin Adler.
30
31         * disassembler/udis86/udis86_decode.c:
32         (decode_operand):
33
34 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
35
36         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
37         https://bugs.webkit.org/show_bug.cgi?id=174467
38
39         Reviewed by Saam Barati.
40
41         * bytecode/CallLinkInfo.cpp:
42         (JSC::CallLinkInfo::callTypeFor):
43
44 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
45
46         Web Inspector: Remove unused and untested Page domain commands
47         https://bugs.webkit.org/show_bug.cgi?id=174429
48
49         Reviewed by Timothy Hatcher.
50
51         * inspector/protocol/Page.json:
52
53 2017-07-13  Saam Barati  <sbarati@apple.com>
54
55         Missing exception check in JSObject::hasInstance
56         https://bugs.webkit.org/show_bug.cgi?id=174455
57         <rdar://problem/31384608>
58
59         Reviewed by Mark Lam.
60
61         * runtime/JSObject.cpp:
62         (JSC::JSObject::hasInstance):
63
64 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
65
66         [ESnext] Implement Object Spread
67         https://bugs.webkit.org/show_bug.cgi?id=167963
68
69         Reviewed by Saam Barati.
70
71         This patch implements ECMA262 stage 3 Object Spread proposal [1].
72         It's implemented using CopyDataPropertiesNoExclusions to copy
73         all enumerable keys from the object being spread. The implementation of
74         CopyDataPropertiesNoExclusions follows the CopyDataProperties
75         implementation, however we don't receive excludedNames as a parameter.
76
77         [1] - https://github.com/tc39/proposal-object-rest-spread
78
79         * builtins/GlobalOperations.js:
80         (globalPrivate.copyDataPropertiesNoExclusions):
81         * bytecompiler/BytecodeGenerator.cpp:
82         (JSC::BytecodeGenerator::emitLoad):
83         * bytecompiler/NodesCodegen.cpp:
84         (JSC::PropertyListNode::emitBytecode):
85         (JSC::ObjectSpreadExpressionNode::emitBytecode):
86         * parser/ASTBuilder.h:
87         (JSC::ASTBuilder::createObjectSpreadExpression):
88         (JSC::ASTBuilder::createProperty):
89         * parser/NodeConstructors.h:
90         (JSC::PropertyNode::PropertyNode):
91         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
92         * parser/Nodes.h:
93         (JSC::ObjectSpreadExpressionNode::expression):
94         * parser/Parser.cpp:
95         (JSC::Parser<LexerType>::parseProperty):
96         * parser/SyntaxChecker.h:
97         (JSC::SyntaxChecker::createObjectSpreadExpression):
98         (JSC::SyntaxChecker::createProperty):
99
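The CopyDataPropertiesNoExclusions builtin mentioned in the entry above has the same observable contract as the spec's CopyDataProperties with an empty excluded-names list. The block below is an added example in plain JavaScript, not JavaScriptCore code; the function names, the `sample` object and the `tag` symbol are constructed for illustration. It cross-checks a spec-style reference copy against the engine's own `{ ...obj }` on an object that has inherited, non-enumerable, symbol-keyed and accessor properties, which are exactly the cases where "copy all enumerable own keys" is easy to get wrong.

```javascript
// Added example (not JavaScriptCore code): a spec-style CopyDataProperties in
// plain JavaScript, with and without an excluded-names list, compared against
// the engine's own object spread.

// Reference implementation of ECMA-262 CopyDataProperties(target, source, excludedItems).
function copyDataProperties(target, source, excludedItems = []) {
  if (source === undefined || source === null) return target; // spreading null/undefined is a no-op
  const from = Object(source);                                  // primitives are boxed: "ab" spreads its indices
  const excluded = new Set(excludedItems);
  for (const key of Reflect.ownKeys(from)) {                    // own string AND symbol keys, in spec order
    if (excluded.has(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc && desc.enumerable) {
      target[key] = from[key];                                  // [[Get]] runs getters; result is a data property
    }
  }
  return target;
}

// Object spread has no excluded-names parameter: every own enumerable key is copied.
function copyDataPropertiesNoExclusions(target, source) {
  return copyDataProperties(target, source, []);
}

// Constructed sample input: an inherited key, a non-enumerable key, a symbol key and a getter.
const tag = Symbol('tag');
const proto = { inherited: 'not copied' };
const sample = Object.create(proto, {
  hidden: { value: 'non-enumerable', enumerable: false },
  visible: { value: 1, enumerable: true },
  [tag]: { value: 'sym', enumerable: true },
  computed: { get() { return 'from getter'; }, enumerable: true },
});

function spreadViaEngine() { return { ...sample }; }
function spreadViaReference() { return copyDataPropertiesNoExclusions({}, sample); }

// True when both results have the same own keys, in the same order, with the same values.
function sameShape(a, b) {
  const ka = Reflect.ownKeys(a), kb = Reflect.ownKeys(b);
  return ka.length === kb.length && ka.every((k, i) => k === kb[i] && a[k] === b[k]);
}
```

`sameShape(spreadViaEngine(), spreadViaReference())` returning true means the reference and the engine agree on which keys were copied and in which order; the getter is evaluated once at copy time and lands in the target as a plain data property. Passing a non-empty excluded list to `copyDataProperties` is the object-rest counterpart.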
100 2017-07-12  Mark Lam  <mark.lam@apple.com>
101
102         Gardening: build fix after r219434.
103         https://bugs.webkit.org/show_bug.cgi?id=174441
104
105         Not reviewed.
106
107         Make public some MacroAssembler functions that are needed by the probe implementation.
108
109         * assembler/MacroAssemblerARM.h:
110         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
111         * assembler/MacroAssemblerARMv7.h:
112         (JSC::MacroAssemblerARMv7::linkCall):
113
114 2017-07-12  Mark Lam  <mark.lam@apple.com>
115
116         Move Probe code from AbstractMacroAssembler to MacroAssembler.
117         https://bugs.webkit.org/show_bug.cgi?id=174441
118
119         Reviewed by Saam Barati.
120
121         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
122         to MacroAssembler.  There is no code behavior change.
123
124         * assembler/AbstractMacroAssembler.h:
125         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
126         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
127         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
128         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
129         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
130         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
131         * assembler/MacroAssembler.h:
132         (JSC::MacroAssembler::CPUState::gprName):
133         (JSC::MacroAssembler::CPUState::fprName):
134         (JSC::MacroAssembler::CPUState::gpr):
135         (JSC::MacroAssembler::CPUState::fpr):
136         * assembler/MacroAssemblerARM.cpp:
137         (JSC::MacroAssembler::probe):
138         (JSC::MacroAssemblerARM::probe): Deleted.
139         * assembler/MacroAssemblerARM.h:
140         * assembler/MacroAssemblerARM64.cpp:
141         (JSC::MacroAssembler::probe):
142         (JSC::MacroAssemblerARM64::probe): Deleted.
143         * assembler/MacroAssemblerARM64.h:
144         * assembler/MacroAssemblerARMv7.cpp:
145         (JSC::MacroAssembler::probe):
146         (JSC::MacroAssemblerARMv7::probe): Deleted.
147         * assembler/MacroAssemblerARMv7.h:
148         * assembler/MacroAssemblerMIPS.h:
149         * assembler/MacroAssemblerX86Common.cpp:
150         (JSC::MacroAssembler::probe):
151         (JSC::MacroAssemblerX86Common::probe): Deleted.
152         * assembler/MacroAssemblerX86Common.h:
153
154 2017-07-12  Saam Barati  <sbarati@apple.com>
155
156         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
157         https://bugs.webkit.org/show_bug.cgi?id=174411
158         <rdar://problem/31696186>
159
160         Reviewed by Mark Lam.
161
162         The code for deleting an argument was incorrectly referencing state
163         when it decided if it should unmap or mark a property as having its
164         descriptor modified. This patch fixes the bug where if we delete a
165         property, we would sometimes not unmap an argument when deleting it.
166
167         * runtime/GenericArgumentsInlines.h:
168         (JSC::GenericArguments<Type>::getOwnPropertySlot):
169         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
170         (JSC::GenericArguments<Type>::deleteProperty):
171         (JSC::GenericArguments<Type>::deletePropertyByIndex):
172
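What "unmap" means in the entry above is observable from script: while an index of a sloppy-mode arguments object is mapped, it and the corresponding formal alias one slot, and delete or a descriptor redefinition has to break that alias. The block below is an added example in plain JavaScript, not JavaScriptCore code; the function names and the call values are constructed for illustration. Each function returns a record instead of printing so the expected behaviour can be asserted.

```javascript
// Added example (not JavaScriptCore code): observable behaviour of sloppy-mode
// mapped arguments objects. The bodies are created with Function() so they are
// sloppy-mode even if this file is loaded as a strict ES module; a strict
// function never gets a mapped arguments object at all.

// While mapped, arguments[0] and the formal `a` alias the same slot in both directions.
const aliasedWhileMapped = Function('a', `
  arguments[0] = 'via arguments';
  const seenByFormal = a;
  a = 'via formal';
  return { seenByFormal, seenByArguments: arguments[0] };
`);
// aliasedWhileMapped('original') → { seenByFormal: 'via arguments', seenByArguments: 'via formal' }

// delete must unmap index 0: a later write to arguments[0] no longer reaches `a`,
// even though the index exists again as an ordinary property.
const deleteUnmaps = Function('a', `
  delete arguments[0];
  arguments[0] = 'reassigned after delete';
  return { formal: a, argument: arguments[0], stillHasIndex: 0 in arguments };
`);
// deleteUnmaps('original') → { formal: 'original', argument: 'reassigned after delete', stillHasIndex: true }

// Redefining the descriptor with writable: false also unmaps: the new value is
// pushed through to the formal once, after which the two diverge.
const definePropertyUnmaps = Function('a', `
  Object.defineProperty(arguments, '0', { value: 'frozen', writable: false });
  const formalRightAfterDefine = a;
  a = 'formal changed later';
  return { formalRightAfterDefine, formal: a, argument: arguments[0] };
`);
// definePropertyUnmaps('original') → { formalRightAfterDefine: 'frozen', formal: 'formal changed later', argument: 'frozen' }

// Strict functions never map: the arguments object is a plain snapshot of the call.
const strictNeverMaps = Function('a', `
  'use strict';
  arguments[0] = 'changed';
  return { formal: a, argument: arguments[0] };
`);
// strictNeverMaps('original') → { formal: 'original', argument: 'changed' }
```

The `deleteUnmaps` case is the one the entry describes: once the index is deleted, the engine must stop routing `arguments[0]` through the formal, whatever state it consulted before.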
173 2017-07-12  Commit Queue  <commit-queue@webkit.org>
174
175         Unreviewed, rolling out r219176.
176         https://bugs.webkit.org/show_bug.cgi?id=174436
177
178         "Can cause infinite recursion on iOS" (Requested by mlam on
179         #webkit).
180
181         Reverted changeset:
182
183         "WTF::Thread should have the threads stack bounds."
184         https://bugs.webkit.org/show_bug.cgi?id=173975
185         http://trac.webkit.org/changeset/219176
186
187 2017-07-12  Matt Lewis  <jlewis3@apple.com>
188
189         Unreviewed, rolling out r219401.
190
191         This revision rolled out the previous patch, but after talking
192         with the reviewer, a rebaseline is what was needed. Rolling back in
193         before rebaseline.
194
195         Reverted changeset:
196
197         "Unreviewed, rolling out r219379."
198         https://bugs.webkit.org/show_bug.cgi?id=174400
199         http://trac.webkit.org/changeset/219401
200
201 2017-07-12  Matt Lewis  <jlewis3@apple.com>
202
203         Unreviewed, rolling out r219379.
204
205         This revision caused a consistent failure in the test
206         fast/dom/Window/property-access-on-cached-window-after-frame-
207         removed.html.
208
209         Reverted changeset:
210
211         "Remove NAVIGATOR_HWCONCURRENCY"
212         https://bugs.webkit.org/show_bug.cgi?id=174400
213         http://trac.webkit.org/changeset/219379
214
215 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
216
217         Wrong radix used in Unicode Escape in invalid character error message
218         https://bugs.webkit.org/show_bug.cgi?id=174419
219
220         Reviewed by Alex Christensen.
221
222         * parser/Lexer.cpp:
223         (JSC::Lexer<T>::invalidCharacterMessage):
224
225 2017-07-11  Dean Jackson  <dino@apple.com>
226
227         Remove NAVIGATOR_HWCONCURRENCY
228         https://bugs.webkit.org/show_bug.cgi?id=174400
229
230         Reviewed by Sam Weinig.
231
232         * Configurations/FeatureDefines.xcconfig:
233
234 2017-07-11  Dean Jackson  <dino@apple.com>
235
236         Rolling out r219372.
237
238         * Configurations/FeatureDefines.xcconfig:
239
240 2017-07-11  Dean Jackson  <dino@apple.com>
241
242         Remove NAVIGATOR_HWCONCURRENCY
243         https://bugs.webkit.org/show_bug.cgi?id=174400
244
245         Reviewed by Sam Weinig.
246
247         * Configurations/FeatureDefines.xcconfig:
248
249 2017-07-11  Saam Barati  <sbarati@apple.com>
250
251         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
252         https://bugs.webkit.org/show_bug.cgi?id=174397
253
254         Rubber stamped by David Kilzer.
255
256         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
257         * wasm/js/WebAssemblyFunctionCell.h: Removed.
258
259 2017-07-10  Saam Barati  <sbarati@apple.com>
260
261         Allocation sinking phase should consider a CheckStructure that would fail as an escape
262         https://bugs.webkit.org/show_bug.cgi?id=174321
263         <rdar://problem/32604963>
264
265         Reviewed by Filip Pizlo.
266
267         When the allocation sinking phase was generating stores to materialize
268         objects in a cycle with each other, it would assume that each materialized
269         object had a valid, non empty, set of structures. This is an OK assumption for
270         the phase to make because how do you materialize an object with no structure?
271         
272         The abstract interpretation part of the phase will model what's in the heap.
273         However, it would sometimes model that a CheckStructure would fail. The phase
274         did nothing special for this; it just stored the empty set of structures for
275         its representation of a particular allocation. However, what the phase proved
276         in such a scenario is that, had the CheckStructure executed, it would have exited.
277         
278         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
279         This will cause the allocation in question to be materialized just before
280         the CheckStructure, and then at execution time, the CheckStructure will exit.
281         
282         I wasn't able to write a test case for this. However, I was able to reproduce
283         this crash by manually editing the IR. I've opened a separate bug to help us
284         create a testing framework for writing tests for hard to reproduce bugs like this:
285         https://bugs.webkit.org/show_bug.cgi?id=174322
286
287         * dfg/DFGObjectAllocationSinkingPhase.cpp:
288
289 2017-07-10  Devin Rousso  <drousso@apple.com>
290
291         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
292         https://bugs.webkit.org/show_bug.cgi?id=174279
293
294         Reviewed by Matt Baker.
295
296         * inspector/protocol/DOM.json:
297         Add `highlightNodeList` command that will highlight each node in the given list.
298
299 2017-07-03  Brian Burg  <bburg@apple.com>
300
301         Web Replay: remove some unused code
302         https://bugs.webkit.org/show_bug.cgi?id=173903
303
304         Rubber-stamped by Joseph Pecoraro.
305
306         * CMakeLists.txt:
307         * Configurations/FeatureDefines.xcconfig:
308         * DerivedSources.make:
309         * JavaScriptCore.xcodeproj/project.pbxproj:
310         * inspector/protocol/Replay.json: Removed.
311         * replay/EmptyInputCursor.h: Removed.
312         * replay/EncodedValue.cpp: Removed.
313         * replay/EncodedValue.h: Removed.
314         * replay/InputCursor.h: Removed.
315         * replay/JSInputs.json: Removed.
316         * replay/NondeterministicInput.h: Removed.
317         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
318         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
319         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
320         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
321         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
322         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
323         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
324         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
325         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
326         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
327         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
328         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
329         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
330         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
331         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
332         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
333         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
334         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
335         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
336         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
337         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
338         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
339         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
340         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
341         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
342         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
343         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
344         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
345         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
346         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
347         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
348         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
349         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
350         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
351         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
352         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
353         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
354         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
355         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
356         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
357         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
358         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
359         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
360         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
361         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
362         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
363         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
364         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
365         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
366         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
367         * replay/scripts/tests/generate-input-with-guard.json: Removed.
368         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
369         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
370         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
371         * runtime/DateConstructor.cpp:
372         (JSC::constructDate):
373         (JSC::dateNow):
374         (JSC::deterministicCurrentTime): Deleted.
375         * runtime/JSGlobalObject.cpp:
376         (JSC::JSGlobalObject::JSGlobalObject):
377         (JSC::JSGlobalObject::setInputCursor): Deleted.
378         * runtime/JSGlobalObject.h:
379         (JSC::JSGlobalObject::inputCursor): Deleted.
380
381 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
382
383         Move make-js-file-arrays.py from WebCore to JavaScriptCore
384         https://bugs.webkit.org/show_bug.cgi?id=174024
385
386         Reviewed by Michael Catanzaro.
387
388         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
389         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
390         Added a command line option to pass the namespace to use instead of using WebCore.
391
392         * JavaScriptCore.xcodeproj/project.pbxproj:
393         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
394         (main):
395
396 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
397
398         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
399         https://bugs.webkit.org/show_bug.cgi?id=174296
400
401         Reviewed by Mark Lam.
402
403         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
404         It caused a problem in scanning template literals. While template literals normalize
405         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
406         To handle it correctly, LineNumberAdder was introduced.
407
408         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
409         LineNumberAdder. Let's just use shiftLineTerminator() instead.
410
411         * parser/Lexer.cpp:
412         (JSC::Lexer<T>::parseTemplateLiteral):
413         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
414         (JSC::LineNumberAdder::clear): Deleted.
415         (JSC::LineNumberAdder::add): Deleted.
416
417 2017-07-09  Dan Bernstein  <mitz@apple.com>
418
419         [Xcode] ICU headers aren’t treated as system headers after r219155
420         https://bugs.webkit.org/show_bug.cgi?id=174299
421
422         Reviewed by Sam Weinig.
423
424         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
425           C++ compilers.
426
427         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
428         * runtime/IntlDateTimeFormat.cpp: Ditto.
429         * runtime/JSGlobalObject.cpp: Ditto.
430         * runtime/StringPrototype.cpp: Ditto.
431
432 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
433
434         [JSC] Use fastMalloc / fastFree for STL containers
435         https://bugs.webkit.org/show_bug.cgi?id=174297
436
437         Reviewed by Sam Weinig.
438
439         In some places, we intentionally use STL containers over WTF containers.
440         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
441         because we do not have effective empty / deleted representations in the space of key's value.
442         But just using STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
443
444         We introduce WTF::FastAllocator. This is C++ allocator implementation using fastMalloc and fastFree.
445         We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc.
446
447         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
448         without compromising memory allocation throughput.
449
450         * dfg/DFGGraph.h:
451         * dfg/DFGIntegerCheckCombiningPhase.cpp:
452         * ftl/FTLLowerDFGToB3.cpp:
453         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
454         * runtime/FunctionHasExecutedCache.h:
455         * runtime/TypeLocationCache.h:
456
457 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
458
459         Drop NOSNIFF compile flag
460         https://bugs.webkit.org/show_bug.cgi?id=174289
461
462         Reviewed by Michael Catanzaro.
463
464         * Configurations/FeatureDefines.xcconfig:
465
466 2017-07-07  AJ Ringer  <aringer@apple.com>
467
468         Lower the max_protection for the separated heap
469         https://bugs.webkit.org/show_bug.cgi?id=174281
470
471         Reviewed by Oliver Hunt.
472
473         Switch to vm_protect so we can set maximum page protection.
474
475         * jit/ExecutableAllocator.cpp:
476         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
477         (JSC::ExecutableAllocator::allocate):
478
479 2017-07-07  Devin Rousso  <drousso@apple.com>
480
481         Web Inspector: Show all elements currently using a given CSS Canvas
482         https://bugs.webkit.org/show_bug.cgi?id=173965
483
484         Reviewed by Joseph Pecoraro.
485
486         * inspector/protocol/Canvas.json:
487          - Add `requestCSSCanvasClientNodes` command for getting the node IDs all nodes using this
488            canvas via -webkit-canvas.
489          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
490            added/removed from the list of -webkit-canvas clients.
491
492 2017-07-07  Mark Lam  <mark.lam@apple.com>
493
494         \n\r is not the same as \r\n.
495         https://bugs.webkit.org/show_bug.cgi?id=173053
496
497         Reviewed by Keith Miller.
498
499         * parser/Lexer.cpp:
500         (JSC::Lexer<T>::shiftLineTerminator):
501         (JSC::LineNumberAdder::add):
502
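This entry and the 2017-07-09 "Drop LineNumberAdder" entry above rest on one rule: <CR><LF> is a single line terminator, <LF><CR> is two, and template literals normalize <CR><LF> and a lone <CR> to <LF>. The block below is an added example in plain JavaScript, not JavaScriptCore's lexer; `countLines`, `normalizeTemplateText`, `engineTemplateValue` and the `SAMPLES` table are constructed for illustration. It cross-checks a small scanner against what the host engine itself produces for template literals that contain raw terminators.

```javascript
// Added example (not JavaScriptCore code): line-terminator counting and
// template-literal normalization in plain JavaScript, checked against the
// host engine by evaluating template literals that contain raw terminators.

const CR = '\r', LF = '\n', LS = '\u2028', PS = '\u2029';

// Number of source lines in `src` (1 + number of line terminators).
// Mirrors a shiftLineTerminator()-style loop: step past the terminator, and
// past a following LF only when the current character is CR.
function countLines(src) {
  let line = 1;
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === CR) {
      if (src[i + 1] === LF) i++;      // <CR><LF> is a single terminator
      line++;
    } else if (c === LF || c === LS || c === PS) {
      line++;                          // <LF><CR>: LF counts here, CR on the next pass, so two terminators
    }
  }
  return line;
}

// Template Value normalization from ECMA-262: <CR><LF> and <CR> become <LF>;
// <LF><CR> is two terminators and therefore yields <LF><LF>.
function normalizeTemplateText(raw) {
  return raw.replace(/\r\n?/g, LF);
}

// Ask the engine itself: build a template literal with the raw terminators inside it.
function engineTemplateValue(raw) {
  return Function('return `' + raw + '`')();
}

// Constructed samples: each terminator sequence with the line count and template value it must produce.
const SAMPLES = [
  { src: 'a\r\nb',   lines: 2, tv: 'a\nb' },
  { src: 'a\n\rb',   lines: 3, tv: 'a\n\nb' },
  { src: 'a\rb',     lines: 2, tv: 'a\nb' },
  { src: 'a\nb',     lines: 2, tv: 'a\nb' },
  { src: 'a\u2028b', lines: 2, tv: 'a\u2028b' },
];

// True when the scanner agrees with the table and with the engine for every sample.
function allSamplesAgree() {
  return SAMPLES.every(({ src, lines, tv }) =>
    countLines(src) === lines &&
    normalizeTemplateText(src) === tv &&
    engineTemplateValue(src) === tv);
}
```

The `'a\n\rb'` row is the case both entries are about: two terminators, so the scanner reports line 3, and the template value is `'a\n\nb'`, which is why a single-increment LineNumberAdder was no longer needed once the lexer counted <LF><CR> as two.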
503 2017-07-07  Commit Queue  <commit-queue@webkit.org>
504
505         Unreviewed, rolling out r219238, r219239, and r219241.
506         https://bugs.webkit.org/show_bug.cgi?id=174265
507
508         "fast/workers/dedicated-worker-lifecycle.html is flaky"
509         (Requested by yusukesuzuki on #webkit).
510
511         Reverted changesets:
512
513         "[WTF] Implement WTF::ThreadGroup"
514         https://bugs.webkit.org/show_bug.cgi?id=174081
515         http://trac.webkit.org/changeset/219238
516
517         "Unreviewed, build fix after r219238"
518         https://bugs.webkit.org/show_bug.cgi?id=174081
519         http://trac.webkit.org/changeset/219239
520
521         "Unreviewed, CLoop build fix after r219238"
522         https://bugs.webkit.org/show_bug.cgi?id=174081
523         http://trac.webkit.org/changeset/219241
524
525 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
526
527         Unreviewed, CLoop build fix after r219238
528         https://bugs.webkit.org/show_bug.cgi?id=174081
529
530         * heap/MachineStackMarker.cpp:
531
532 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
533
534         [WTF] Implement WTF::ThreadGroup
535         https://bugs.webkit.org/show_bug.cgi?id=174081
536
537         Reviewed by Mark Lam.
538
539         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
540         SamplingProfiler and others interact with WTF::Thread directly.
541
542         * API/tests/ExecutionTimeLimitTest.cpp:
543         * heap/MachineStackMarker.cpp:
544         (JSC::MachineThreads::MachineThreads):
545         (JSC::captureStack):
546         (JSC::MachineThreads::tryCopyOtherThreadStack):
547         (JSC::MachineThreads::tryCopyOtherThreadStacks):
548         (JSC::MachineThreads::gatherConservativeRoots):
549         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
550         (JSC::ActiveMachineThreadsManager::add): Deleted.
551         (JSC::ActiveMachineThreadsManager::remove): Deleted.
552         (JSC::ActiveMachineThreadsManager::contains): Deleted.
553         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
554         (JSC::activeMachineThreadsManager): Deleted.
555         (JSC::MachineThreads::~MachineThreads): Deleted.
556         (JSC::MachineThreads::addCurrentThread): Deleted.
557         (): Deleted.
558         (JSC::MachineThreads::removeThread): Deleted.
559         (JSC::MachineThreads::removeThreadIfFound): Deleted.
560         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
561         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
562         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
563         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
564         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
565         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
566         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
567         * heap/MachineStackMarker.h:
568         (JSC::MachineThreads::addCurrentThread):
569         (JSC::MachineThreads::getLock):
570         (JSC::MachineThreads::threads):
571         (JSC::MachineThreads::MachineThread::suspend): Deleted.
572         (JSC::MachineThreads::MachineThread::resume): Deleted.
573         (JSC::MachineThreads::MachineThread::threadID): Deleted.
574         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
575         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
576         (JSC::MachineThreads::threadsListHead): Deleted.
577         * runtime/SamplingProfiler.cpp:
578         (JSC::FrameWalker::isValidFramePointer):
579         (JSC::SamplingProfiler::SamplingProfiler):
580         (JSC::SamplingProfiler::takeSample):
581         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
582         * runtime/SamplingProfiler.h:
583         * wasm/WasmMachineThreads.cpp:
584         (JSC::Wasm::resetInstructionCacheOnAllThreads):
585
586 2017-07-06  Saam Barati  <sbarati@apple.com>
587
588         We are missing places where we invalidate the for-in context
589         https://bugs.webkit.org/show_bug.cgi?id=174184
590
591         Reviewed by Geoffrey Garen.
592
593         * bytecompiler/BytecodeGenerator.cpp:
594         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
595         * bytecompiler/NodesCodegen.cpp:
596         (JSC::EmptyLetExpression::emitBytecode):
597         (JSC::ForInNode::emitLoopHeader):
598         (JSC::ForOfNode::emitBytecode):
599         (JSC::BindingNode::bindValue):
600
601 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
602
603         Unreviewed, suppress warnings in GCC environment
604
605         * dfg/DFGObjectAllocationSinkingPhase.cpp:
606         * runtime/IntlCollator.cpp:
607         * runtime/IntlDateTimeFormat.cpp:
608         * runtime/JSGlobalObject.cpp:
609         * runtime/StringPrototype.cpp:
610
611 2017-07-05  Saam Barati  <sbarati@apple.com>
612
613         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
614         https://bugs.webkit.org/show_bug.cgi?id=174188
615         <rdar://problem/30581423>
616
617         Reviewed by Mark Lam.
618
619         We were calling lowJSValue(edge) when we were speculating the
620         edge as double. This isn't allowed. We should have been using
621         lowDouble.
622         
623         This patch also adds a new option, called useArrayAllocationProfiling,
624         which defaults to true. When false, it will make the array allocation
625         profile not actually sample seen arrays. It'll force the allocation
626         profile's predicted indexing type to be ArrayWithUndecided. Adding
627         this option made it trivial to write a test for this bug.
628
629         * bytecode/ArrayAllocationProfile.cpp:
630         (JSC::ArrayAllocationProfile::updateIndexingType):
631         * ftl/FTLLowerDFGToB3.cpp:
632         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
633         * runtime/Options.h:
634
635 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
636
637         WTF::Thread should have the threads stack bounds.
638         https://bugs.webkit.org/show_bug.cgi?id=173975
639
640         Reviewed by Keith Miller.
641
642         There is a site in JSC that tries to walk another thread's stack.
643         Currently, stack bounds are stored in WTFThreadData, which is located
644         in TLS. Thus, only the thread itself can access its own WTFThreadData.
645         We work around this situation by holding StackBounds in MachineThread in JSC,
646         but StackBounds should be put in WTF::Thread instead.
647
648         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
649         information is tightly coupled with Thread. Thus putting it in WTF::Thread
650         is a natural choice.
651
652         * heap/MachineStackMarker.cpp:
653         (JSC::MachineThreads::MachineThread::MachineThread):
654         (JSC::MachineThreads::MachineThread::captureStack):
655         * heap/MachineStackMarker.h:
656         (JSC::MachineThreads::MachineThread::stackBase):
657         (JSC::MachineThreads::MachineThread::stackEnd):
658         * runtime/InitializeThreading.cpp:
659         (JSC::initializeThreading):
660         * runtime/VM.cpp:
661         (JSC::VM::VM):
662         (JSC::VM::updateStackLimits):
663         (JSC::VM::committedStackByteCount):
664         * runtime/VM.h:
665         (JSC::VM::isSafeToRecurse):
666         * runtime/VMEntryScope.cpp:
667         (JSC::VMEntryScope::VMEntryScope):
668         * runtime/VMInlines.h:
669         (JSC::VM::ensureStackCapacityFor):
670         * runtime/VMTraps.cpp:
671         * yarr/YarrPattern.cpp:
672         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
673
674 2017-07-05  Keith Miller  <keith_miller@apple.com>
675
676         Crashing with information should have an abort reason
677         https://bugs.webkit.org/show_bug.cgi?id=174185
678
679         Reviewed by Saam Barati.
680
681         Add crash information for the abstract interpreter and add an enum
682         value for object allocation sinking.
683
684         * assembler/AbortReason.h:
685         * dfg/DFGAbstractInterpreterInlines.h:
686         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
687         * dfg/DFGGraph.cpp:
688         (JSC::DFG::logDFGAssertionFailure):
689         * dfg/DFGObjectAllocationSinkingPhase.cpp:
690
691 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
692
693         Remove copy of ICU headers from WebKit
694         https://bugs.webkit.org/show_bug.cgi?id=116407
695
696         Reviewed by Alex Christensen.
697
698         Use WTF's copy of ICU headers.
699
700         * Configurations/Base.xcconfig:
701         * icu/unicode/localpointer.h: Removed.
702         * icu/unicode/parseerr.h: Removed.
703         * icu/unicode/platform.h: Removed.
704         * icu/unicode/ptypes.h: Removed.
705         * icu/unicode/putil.h: Removed.
706         * icu/unicode/uchar.h: Removed.
707         * icu/unicode/ucnv.h: Removed.
708         * icu/unicode/ucnv_err.h: Removed.
709         * icu/unicode/ucol.h: Removed.
710         * icu/unicode/uconfig.h: Removed.
711         * icu/unicode/ucurr.h: Removed.
712         * icu/unicode/uenum.h: Removed.
713         * icu/unicode/uiter.h: Removed.
714         * icu/unicode/uloc.h: Removed.
715         * icu/unicode/umachine.h: Removed.
716         * icu/unicode/unorm.h: Removed.
717         * icu/unicode/unorm2.h: Removed.
718         * icu/unicode/urename.h: Removed.
719         * icu/unicode/uscript.h: Removed.
720         * icu/unicode/uset.h: Removed.
721         * icu/unicode/ustring.h: Removed.
722         * icu/unicode/utf.h: Removed.
723         * icu/unicode/utf16.h: Removed.
724         * icu/unicode/utf8.h: Removed.
725         * icu/unicode/utf_old.h: Removed.
726         * icu/unicode/utypes.h: Removed.
727         * icu/unicode/uvernum.h: Removed.
728         * icu/unicode/uversion.h: Removed.
729         * runtime/IntlCollator.cpp:
730         * runtime/IntlDateTimeFormat.cpp:
731         (JSC::IntlDateTimeFormat::partTypeString):
732         * runtime/JSGlobalObject.cpp:
733         * runtime/StringPrototype.cpp:
734         (JSC::normalize):
735         (JSC::stringProtoFuncNormalize):
736
737 2017-07-05  Devin Rousso  <drousso@apple.com>
738
739         Web Inspector: Allow users to log any tracked canvas context
740         https://bugs.webkit.org/show_bug.cgi?id=173397
741         <rdar://problem/33111581>
742
743         Reviewed by Joseph Pecoraro.
744
745         * inspector/protocol/Canvas.json:
746         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
747
748 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
749
750         Add WebKitPrivateFrameworkStubs for iOS 11
751         https://bugs.webkit.org/show_bug.cgi?id=173988
752
753         Reviewed by David Kilzer.
754
755         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
756         same directory for private framework stubs.
757
758 2017-07-05  JF Bastien  <jfbastien@apple.com>
759
760         WebAssembly: implement name section's module name, skip unknown sections
761         https://bugs.webkit.org/show_bug.cgi?id=172008
762
763         Reviewed by Keith Miller.
764
765         Parse the WebAssembly module name properly, and skip unknown
766         sections. This is useful because as toolchains support new types
767         of names we want to keep displaying the information we know about
768         and simply ignore new information. That capability was designed
769         into WebAssembly's name section.
770
771         Failure to commit this patch would mean that WebKit won't display
772         stack trace information, which would make developers sad.
773
774         Module names were added here: https://github.com/WebAssembly/design/pull/1055
775
776         Note that this patch doesn't do anything with the parsed name! Two
777         reasons for this: module names aren't supported in binaryen yet,
778         so I can't write a simple binary test; and using the name is a
779         slightly riskier change because it requires changing StackVisitor
780         + StackFrame (where they print "[wasm code]") which requires
781         figuring out the frame's Module. The latter bit isn't trivial
782         because we only know wasm frames from their tag bits, and
783         CodeBlocks are always nullptr.
784
785         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
786
787         I filed #174098 to use the module name.
788
789         * wasm/WasmFormat.h:
790         (JSC::Wasm::isValidNameType):
791         * wasm/WasmNameSectionParser.cpp:
792
793 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
794
795         Cleanup some StringBuilder use
796         https://bugs.webkit.org/show_bug.cgi?id=174118
797
798         Reviewed by Andreas Kling.
799
800         * runtime/FunctionConstructor.cpp:
801         (JSC::constructFunctionSkippingEvalEnabledCheck):
802         * tools/FunctionOverrides.cpp:
803         (JSC::parseClause):
804         * wasm/WasmOMGPlan.cpp:
805         * wasm/WasmPlan.cpp:
806         * wasm/WasmValidate.cpp:
807
808 2017-07-03  Saam Barati  <sbarati@apple.com>
809
810         LayoutTest workers/bomb.html is a Crash
811         https://bugs.webkit.org/show_bug.cgi?id=167757
812         <rdar://problem/33086462>
813
814         Reviewed by Keith Miller.
815
816         VMTraps::SignalSender was accessing VM fields even after
817         the VM was destroyed. This happened when the SignalSender
818         thread was in the middle of its work() function while VMTraps
819         was notified that the VM was shutting down. The VM would proceed
820         to run its destructor even after the SignalSender thread finished
821         doing its work. This means that the SignalSender thread was accessing
822         VM fields even after the VM was destructed (including itself, since it is
823         transitively owned by the VM). The VM must wait for the SignalSender
824         thread to shutdown before it can continue to destruct itself.
825
826         * runtime/VMTraps.cpp:
827         (JSC::VMTraps::willDestroyVM):
828
829 2017-07-03  Saam Barati  <sbarati@apple.com>
830
831         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
832         https://bugs.webkit.org/show_bug.cgi?id=174110
833
834         Reviewed by Michael Saboff.
835
836         * dfg/DFGByteCodeParser.cpp:
837         (JSC::DFG::ByteCodeParser::parseBlock):
838
839 2017-07-03  Saam Barati  <sbarati@apple.com>
840
841         Add a new assertion to object allocation sinking phase
842         https://bugs.webkit.org/show_bug.cgi?id=174107
843
844         Rubber stamped by Filip Pizlo.
845
846         * dfg/DFGObjectAllocationSinkingPhase.cpp:
847
848 2017-07-03  Commit Queue  <commit-queue@webkit.org>
849
850         Unreviewed, rolling out r219060.
851         https://bugs.webkit.org/show_bug.cgi?id=174108
852
853         crashing constantly when initializing UIWebView (Requested by
854         thorton on #webkit).
855
856         Reverted changeset:
857
858         "WTF::Thread should have the threads stack bounds."
859         https://bugs.webkit.org/show_bug.cgi?id=173975
860         http://trac.webkit.org/changeset/219060
861
862 2017-07-03  Matt Lewis  <jlewis3@apple.com>
863
864         Unreviewed, rolling out r219103.
865
866         Caused multiple build failures.
867
868         Reverted changeset:
869
870         "Remove copy of ICU headers from WebKit"
871         https://bugs.webkit.org/show_bug.cgi?id=116407
872         http://trac.webkit.org/changeset/219103
873
874 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
875
876         Remove copy of ICU headers from WebKit
877         https://bugs.webkit.org/show_bug.cgi?id=116407
878
879         Reviewed by Alex Christensen.
880
881         Use WTF's copy of ICU headers.
882
883         * Configurations/Base.xcconfig:
884         * icu/unicode/localpointer.h: Removed.
885         * icu/unicode/parseerr.h: Removed.
886         * icu/unicode/platform.h: Removed.
887         * icu/unicode/ptypes.h: Removed.
888         * icu/unicode/putil.h: Removed.
889         * icu/unicode/uchar.h: Removed.
890         * icu/unicode/ucnv.h: Removed.
891         * icu/unicode/ucnv_err.h: Removed.
892         * icu/unicode/ucol.h: Removed.
893         * icu/unicode/uconfig.h: Removed.
894         * icu/unicode/ucurr.h: Removed.
895         * icu/unicode/uenum.h: Removed.
896         * icu/unicode/uiter.h: Removed.
897         * icu/unicode/uloc.h: Removed.
898         * icu/unicode/umachine.h: Removed.
899         * icu/unicode/unorm.h: Removed.
900         * icu/unicode/unorm2.h: Removed.
901         * icu/unicode/urename.h: Removed.
902         * icu/unicode/uscript.h: Removed.
903         * icu/unicode/uset.h: Removed.
904         * icu/unicode/ustring.h: Removed.
905         * icu/unicode/utf.h: Removed.
906         * icu/unicode/utf16.h: Removed.
907         * icu/unicode/utf8.h: Removed.
908         * icu/unicode/utf_old.h: Removed.
909         * icu/unicode/utypes.h: Removed.
910         * icu/unicode/uvernum.h: Removed.
911         * icu/unicode/uversion.h: Removed.
912         * runtime/IntlCollator.cpp:
913         * runtime/IntlDateTimeFormat.cpp:
914         * runtime/JSGlobalObject.cpp:
915         * runtime/StringPrototype.cpp:
916
917 2017-07-03  Saam Barati  <sbarati@apple.com>
918
919         Add better crash logging for allocation sinking phase
920         https://bugs.webkit.org/show_bug.cgi?id=174102
921         <rdar://problem/33112092>
922
923         Rubber stamped by Filip Pizlo.
924
925         I'm trying to gather better information from crashlogs about why
926         we're crashing in the allocation sinking phase. I'm adding an allocation
927         sinking specific RELEASE_ASSERT as well as marking a few functions as
928         NEVER_INLINE to have the stack traces in the crash trace contain more
929         actionable information.
930
931         * dfg/DFGObjectAllocationSinkingPhase.cpp:
932
933 2017-07-03  Sam Weinig  <sam@webkit.org>
934
935         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
936         https://bugs.webkit.org/show_bug.cgi?id=174083
937
938         Reviewed by Alex Christensen.
939
940         * Configurations/FeatureDefines.xcconfig:
941         Add ENABLE_NAVIGATOR_STANDALONE.
942
943 2017-07-03  Andy Estes  <aestes@apple.com>
944
945         [Xcode] Add an experimental setting to build with ccache
946         https://bugs.webkit.org/show_bug.cgi?id=173875
947
948         Reviewed by Tim Horton.
949
950         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
951
952 2017-07-03  Devin Rousso  <drousso@apple.com>
953
954         Web Inspector: Support listing WebGL2 and WebGPU contexts
955         https://bugs.webkit.org/show_bug.cgi?id=173396
956
957         Reviewed by Joseph Pecoraro.
958
959         * inspector/protocol/Canvas.json:
960         * inspector/scripts/codegen/generator.py:
961         (Generator.stylized_name_for_enum_value):
962         Add cases for handling new Canvas.ContextType protocol enumerations:
963          - "webgl2" maps to `WebGL2`
964          - "webgpu" maps to `WebGPU`
965
966 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
967
968         WTF::Thread should have the threads stack bounds.
969         https://bugs.webkit.org/show_bug.cgi?id=173975
970
971         Reviewed by Mark Lam.
972
973         There is a site in JSC that tries to walk another thread's stack.
974         Currently, stack bounds are stored in WTFThreadData which is located
975         in TLS. Thus, only the thread itself can access its own WTFThreadData.
976         We work around this situation by holding StackBounds in MachineThread in JSC,
977         but StackBounds should be put in WTF::Thread instead.
978
979         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
980         information is tightly coupled with Thread. Thus putting it in WTF::Thread
981         is a natural choice.
982
983         * heap/MachineStackMarker.cpp:
984         (JSC::MachineThreads::MachineThread::MachineThread):
985         (JSC::MachineThreads::MachineThread::captureStack):
986         * heap/MachineStackMarker.h:
987         (JSC::MachineThreads::MachineThread::stackBase):
988         (JSC::MachineThreads::MachineThread::stackEnd):
989         * runtime/InitializeThreading.cpp:
990         (JSC::initializeThreading):
991         * runtime/VM.cpp:
992         (JSC::VM::VM):
993         (JSC::VM::updateStackLimits):
994         (JSC::VM::committedStackByteCount):
995         * runtime/VM.h:
996         (JSC::VM::isSafeToRecurse):
997         * runtime/VMEntryScope.cpp:
998         (JSC::VMEntryScope::VMEntryScope):
999         * runtime/VMInlines.h:
1000         (JSC::VM::ensureStackCapacityFor):
1001         * runtime/VMTraps.cpp:
1002         * yarr/YarrPattern.cpp:
1003         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1004
1005 2017-07-01  Dan Bernstein  <mitz@apple.com>
1006
1007         [iOS] Remove code only needed when building for iOS 9.x
1008         https://bugs.webkit.org/show_bug.cgi?id=174068
1009
1010         Reviewed by Tim Horton.
1011
1012         * Configurations/FeatureDefines.xcconfig:
1013         * jit/ExecutableAllocator.cpp:
1014         * runtime/Options.cpp:
1015         (JSC::recomputeDependentOptions):
1016
1017 2017-07-01  Dan Bernstein  <mitz@apple.com>
1018
1019         [macOS] Remove code only needed when building for OS X Yosemite
1020         https://bugs.webkit.org/show_bug.cgi?id=174067
1021
1022         Reviewed by Tim Horton.
1023
1024         * API/WebKitAvailability.h:
1025         * Configurations/Base.xcconfig:
1026         * Configurations/DebugRelease.xcconfig:
1027         * Configurations/FeatureDefines.xcconfig:
1028         * Configurations/Version.xcconfig:
1029
1030 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1031
1032         Unreviewed, build fix for GCC
1033         https://bugs.webkit.org/show_bug.cgi?id=174034
1034
1035         * b3/testb3.cpp:
1036         (JSC::B3::testDoubleLiteralComparison):
1037
1038 2017-06-30  Keith Miller  <keith_miller@apple.com>
1039
1040         Force crashWithInfo to be out of line.
1041         https://bugs.webkit.org/show_bug.cgi?id=174028
1042
1043         Reviewed by Filip Pizlo.
1044
1045         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
1046
1047         * dfg/DFGGraph.cpp:
1048         (JSC::DFG::logDFGAssertionFailure):
1049         (JSC::DFG::Graph::logAssertionFailure):
1050         (JSC::DFG::crash): Deleted.
1051         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1052         * dfg/DFGGraph.h:
1053
1054 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1055
1056         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
1057         https://bugs.webkit.org/show_bug.cgi?id=174053
1058
1059         Reviewed by Geoffrey Garen.
1060
1061         We already have AbstractMacroAssembler::random() function. Use it instead.
1062
1063         * jit/JIT.cpp:
1064         (JSC::JIT::JIT):
1065         (JSC::JIT::compileWithoutLinking):
1066         * jit/JIT.h:
1067
1068 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1069
1070         [WTF] Drop SymbolRegistry::keyForSymbol
1071         https://bugs.webkit.org/show_bug.cgi?id=174052
1072
1073         Reviewed by Sam Weinig.
1074
1075         * runtime/SymbolConstructor.cpp:
1076         (JSC::symbolConstructorKeyFor):
1077
1078 2017-06-30  Saam Barati  <sbarati@apple.com>
1079
1080         B3ReduceStrength should reduce EqualOrUnordered over const float input
1081         https://bugs.webkit.org/show_bug.cgi?id=174039
1082
1083         Reviewed by Michael Saboff.
1084
1085         We perform this folding for ConstDoubleValue. It is simply
1086         an oversight that we didn't do it for ConstFloatValue.
1087
1088         * b3/B3ConstFloatValue.cpp:
1089         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
1090         * b3/B3ConstFloatValue.h:
1091         * b3/testb3.cpp:
1092         (JSC::B3::testFloatEqualOrUnorderedFolding):
1093         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
1094         (JSC::B3::testFloatEqualOrUnorderedDontFold):
1095         (JSC::B3::run):
1096
1097 2017-06-30  Matt Baker  <mattbaker@apple.com>
1098
1099         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
1100         https://bugs.webkit.org/show_bug.cgi?id=173840
1101         <rdar://problem/30840820>
1102
1103         Reviewed by Joseph Pecoraro.
1104
1105         When truncating an asynchronous stack trace, the parent chain is traversed
1106         until a locked node is found. The path from this node to the root is shared
1107         by more than one stack trace, and cannot be safely modified. Starting at
1108         the first locked node, the path is cloned and becomes a new stack trace tree.
1109
1110         However, the clone operation initialized each new AsyncStackTrace node with
1111         the original node's parent. This would increment the child count of the original
1112         node. When cloning nodes, new nodes should not have their parent set until the
1113         next node up the parent chain is cloned.
1114
1115         * inspector/AsyncStackTrace.cpp:
1116         (Inspector::AsyncStackTrace::truncate):
1117
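To make the child-count drift described in the entry above concrete, here is a small model added for this page; it is not code from WebKit's inspector/AsyncStackTrace.cpp. TraceNode, adoptParent, clonePathToRoot and phantomChildReferences are names constructed for the illustration, and the root -> a -> b chain is constructed input. The model keeps the one property the entry hinges on: a node registers itself with whichever parent it is constructed with, and nothing later takes that registration back.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal model of an async stack trace node: a parent link plus the count
// of children referencing it, which is what marks a path as shared.
struct TraceNode {
    std::string label;
    TraceNode* parent = nullptr;
    unsigned childCount = 0;
    bool locked = false;

    TraceNode(std::string l, TraceNode* p)
        : label(std::move(l))
    {
        adoptParent(p);
    }

    // Point at a parent and register this node as one of its children.
    // Nothing here ever decrements a count, matching the situation the entry
    // describes: a stray increment taken during cloning is never undone.
    void adoptParent(TraceNode* p)
    {
        parent = p;
        if (parent)
            ++parent->childCount;
    }
};

// Clone the path from `from` (the first locked node) up to the root. With
// reproduceDefect, each clone is constructed with the original node's parent,
// so every original on the path gains a phantom child reference. Otherwise
// clones start unparented and are linked only once the next node up is cloned.
static std::vector<std::unique_ptr<TraceNode>> clonePathToRoot(TraceNode* from, bool reproduceDefect)
{
    std::vector<std::unique_ptr<TraceNode>> clones;
    TraceNode* previousClone = nullptr;
    for (TraceNode* node = from; node; node = node->parent) {
        auto clone = std::make_unique<TraceNode>(node->label, reproduceDefect ? node->parent : nullptr);
        if (previousClone)
            previousClone->adoptParent(clone.get());
        previousClone = clone.get();
        clones.push_back(std::move(clone));
    }
    return clones;
}

// Builds the constructed chain root -> a -> b (b locked, i.e. shared), clones
// the path from b, and returns how many extra child references the originals
// picked up; -1 if the cloned chain itself is not linked properly.
static int phantomChildReferences(bool reproduceDefect)
{
    TraceNode root("root", nullptr);
    TraceNode a("a", &root);
    TraceNode b("b", &a);
    b.locked = true;

    unsigned before = root.childCount + a.childCount + b.childCount;
    auto clones = clonePathToRoot(&b, reproduceDefect);
    unsigned after = root.childCount + a.childCount + b.childCount;

    // Clones are stored bottom-up: clones[0] is b', clones[2] is root'.
    if (clones.size() != 3 || clones[0]->parent != clones[1].get()
        || clones[1]->parent != clones[2].get() || clones[2]->parent != nullptr)
        return -1;
    return static_cast<int>(after - before);
}

int main()
{
    std::printf("defect: %d phantom references, fixed: %d\n",
                phantomChildReferences(true), phantomChildReferences(false));
    return 0;
}
```

With the defect reproduced, both originals above the locked node end up with one child more than they actually have, so the shared path can never be released; with clones linked only to each other, the originals are untouched.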
1118 2017-06-30  Michael Saboff  <msaboff@apple.com>
1119
1120         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
1121         https://bugs.webkit.org/show_bug.cgi?id=174044
1122
1123         Reviewed by Oliver Hunt.
1124
1125         The .* enclosure optimization didn't respect that we can start matching from a non-zero
1126         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
1127         then finding the extent of the match by going back to the beginning of the line and going
1128         forward to the end of the line.  The code that went back to the beginning of the line
1129         checked for an index of 0 instead of comparing the index to the start position.  This start
1130         position is passed as the initial index.
1131
1132         Added another temporary register to the YARR JIT to contain the start position for
1133         platforms that have spare registers.
1134
1135         * yarr/Yarr.h:
1136         * yarr/YarrInterpreter.cpp:
1137         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1138         (JSC::Yarr::Interpreter::Interpreter):
1139         * yarr/YarrJIT.cpp:
1140         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1141         (JSC::Yarr::YarrGenerator::compile):
1142         * yarr/YarrPattern.cpp:
1143         (JSC::Yarr::YarrPattern::YarrPattern):
1144         * yarr/YarrPattern.h:
1145         (JSC::Yarr::YarrPattern::reset):
1146
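The following is an added illustration of the start-position check the entry above describes, not code from YARR: the enclosed terms are reduced to a literal substring search (a deliberate simplification of the real matcher), and matchDotStarEnclosure, allMatchStarts and the input string are all constructed for this example. The honorStartPosition flag switches between widening the match back to the start position (the fix) and widening it back to index 0 (the defect).

```cpp
#include <cstddef>
#include <cstdio>
#include <initializer_list>
#include <string>
#include <vector>

static bool isLineTerminator(char c)
{
    return c == '\n' || c == '\r';
}

struct MatchSpan {
    bool matched;
    std::size_t start;
    std::size_t end;
};

// Simplified model of the /.*<some-terms>.*/ enclosure optimization, with
// <some-terms> reduced to a literal substring. The terms are located at or
// after startPosition, then the match is widened backwards to the beginning
// of the line and forwards to the end of the line. honorStartPosition selects
// the fixed behaviour (never widen before the start position) versus the
// defect (widen back until index 0).
static MatchSpan matchDotStarEnclosure(const std::string& input, const std::string& terms,
                                       std::size_t startPosition, bool honorStartPosition)
{
    std::size_t termPos = input.find(terms, startPosition);
    if (terms.empty() || termPos == std::string::npos)
        return { false, 0, 0 };

    std::size_t lowerBound = honorStartPosition ? startPosition : 0;
    std::size_t start = termPos;
    while (start > lowerBound && !isLineTerminator(input[start - 1]))
        --start;

    std::size_t end = termPos + terms.size();
    while (end < input.size() && !isLineTerminator(input[end]))
        ++end;

    return { true, start, end };
}

// Start offset of every match when searching the way a global (/g) RegExp
// does: begin at lastIndex and resume each search at the previous match's end.
static std::vector<std::size_t> allMatchStarts(const std::string& input, const std::string& terms,
                                               std::size_t lastIndex, bool honorStartPosition)
{
    std::vector<std::size_t> starts;
    for (std::size_t position = lastIndex; position <= input.size();) {
        MatchSpan span = matchDotStarEnclosure(input, terms, position, honorStartPosition);
        if (!span.matched)
            break;
        starts.push_back(span.start);
        position = span.end; // non-empty terms guarantee progress
    }
    return starts;
}

int main()
{
    // Constructed input: a second line exists so the global search produces
    // two matches; lastIndex = 2 models a search resumed mid-line, as when
    // RegExp.lastIndex has been set before exec().
    const std::string input = "xxfooxx\nfoo";
    for (bool fixed : { false, true }) {
        std::printf("%s:", fixed ? "fixed " : "defect");
        for (std::size_t start : allMatchStarts(input, "foo", 2, fixed))
            std::printf(" %zu", start);
        std::printf("\n");
    }
    return 0;
}
```

The second match is unaffected either way because the line terminator stops the backward scan; the first one is where comparing against 0 instead of the start position reports a match beginning before the position the search was asked to start from.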
1147 2017-06-30  Saam Barati  <sbarati@apple.com>
1148
1149         B3MoveConstants floatZero() returns the wrong ValueKey
1150         https://bugs.webkit.org/show_bug.cgi?id=174040
1151
1152         Reviewed by Filip Pizlo.
1153
1154         It had a typo where the ValueKey for floatZero() produces a Double
1155         instead of a Float.
1156
1157         * b3/B3MoveConstants.cpp:
1158
1159 2017-06-30  Saam Barati  <sbarati@apple.com>
1160
1161         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
1162         https://bugs.webkit.org/show_bug.cgi?id=174034
1163         <rdar://problem/30793007>
1164
1165         Reviewed by Filip Pizlo.
1166
1167         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
1168         reduce binary operations over double constants into the same binary
1169         operation over the double constants cast to floats. This is clearly
1170         incorrect as these two things will produce different values. For example:
1171         
1172         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
1173         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
1174         c = EqualOrUnordered(@a, @b) // produces 0
1175         
1176         into:
1177         
1178         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
1179         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
1180         c = EqualOrUnordered(@a, @b) // produces 1
1181         
1182         Which produces a different value for @c.
1183
1184         * b3/B3ReduceDoubleToFloat.cpp:
1185         * b3/testb3.cpp:
1186         (JSC::B3::doubleEq):
1187         (JSC::B3::doubleNeq):
1188         (JSC::B3::doubleGt):
1189         (JSC::B3::doubleGte):
1190         (JSC::B3::doubleLt):
1191         (JSC::B3::doubleLte):
1192         (JSC::B3::testDoubleLiteralComparison):
1193         (JSC::B3::run):
1194
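The two constants in the entry above can be checked directly. The block below is an added example written for this page, not B3's own reduction code: doubleFromBits, equalOrUnordered, foldAtDoublePrecision, foldAfterNarrowingToFloat and tryFoldAsFloat are constructed names. It reproduces the wrong answer from narrowing first, and adds the guard a reduction of this kind needs: a double constant may be folded at float precision only when it is exactly representable as a float.

```cpp
#include <cfloat>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret a 64-bit pattern as a double, as bitwise_cast<double> does.
static double doubleFromBits(std::uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof(d));
    return d;
}

// B3's EqualOrUnordered: true when a == b or either operand is NaN.
template<typename T>
static bool equalOrUnordered(T a, T b)
{
    return a == b || std::isnan(a) || std::isnan(b);
}

// Correct folding: evaluate the comparison at the operands' own precision.
static bool foldAtDoublePrecision(double a, double b)
{
    return equalOrUnordered(a, b);
}

// The defect described above: narrow both constants to float first, then
// compare. Doubles that differ can collapse to the same float (here -0.0f).
static bool foldAfterNarrowingToFloat(double a, double b)
{
    return equalOrUnordered(static_cast<float>(a), static_cast<float>(b));
}

// A double constant may stand in for a float only if it survives the round
// trip unchanged. Values beyond the float range are rejected before the
// narrowing (out-of-range conversion is undefined), and NaN fails x == x, so
// NaN constants are conservatively kept as doubles.
static bool roundTripsThroughFloat(double d)
{
    if (std::fabs(d) > FLT_MAX)
        return false;
    return static_cast<double>(static_cast<float>(d)) == d;
}

// Guarded reduction: 1 or 0 is the folded result when both operands are
// exactly representable as float; -1 means the reduction must not fire.
static int tryFoldAsFloat(double a, double b)
{
    if (!roundTripsThroughFloat(a) || !roundTripsThroughFloat(b))
        return -1;
    return foldAfterNarrowingToFloat(a, b) ? 1 : 0;
}

int main()
{
    // The two constants from the entry above: the smallest negative subnormal
    // double and positive zero.
    double a = doubleFromBits(0x8000000000000001ull);
    double b = doubleFromBits(0x0000000000000000ull);
    std::printf("double: %d  narrowed: %d  guarded: %d\n",
                foldAtDoublePrecision(a, b), foldAfterNarrowingToFloat(a, b), tryFoldAsFloat(a, b));
    return 0;
}
```

The smallest subnormal double is far below the smallest subnormal float, so static_cast<float> rounds it to -0.0f, which compares equal to +0.0f; at double precision the two values are distinct. The round-trip guard rejects exactly those constants, while values such as 1.5 or 2.5 still fold.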
1195 2017-06-29  Jer Noble  <jer.noble@apple.com>
1196
1197         Make Legacy EME API controlled by RuntimeEnabled setting.
1198         https://bugs.webkit.org/show_bug.cgi?id=173994
1199
1200         Reviewed by Sam Weinig.
1201
1202         * Configurations/FeatureDefines.xcconfig:
1203         * runtime/CommonIdentifiers.h:
1204
1205 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
1206
1207         Ran sort-Xcode-project-file.
1208
1209         * JavaScriptCore.xcodeproj/project.pbxproj:
1210
1211 2017-06-30  Matt Lewis  <jlewis3@apple.com>
1212
1213         Unreviewed, rolling out r218992.
1214
1215         The patch broke the iOS device builds.
1216
1217         Reverted changeset:
1218
1219         "DFG_ASSERT should allow stuffing registers before trapping."
1220         https://bugs.webkit.org/show_bug.cgi?id=174005
1221         http://trac.webkit.org/changeset/218992
1222
1223 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
1224
1225         RegExpCachedResult::setInput should reify left and right contexts
1226         https://bugs.webkit.org/show_bug.cgi?id=173818
1227
1228         Reviewed by Keith Miller.
1229         
1230         If you don't reify them in setInput, then when you later try to reify them, you'll end up
1231         using indices into an old input string to create a substring of a new input string. That
1232         never goes well.
1233
1234         * runtime/RegExpCachedResult.cpp:
1235         (JSC::RegExpCachedResult::setInput):
1236
1237 2017-06-30  Keith Miller  <keith_miller@apple.com>
1238
1239         DFG_ASSERT should allow stuffing registers before trapping.
1240         https://bugs.webkit.org/show_bug.cgi?id=174005
1241
1242         Reviewed by Mark Lam.
1243
1244         DFG_ASSERT currently prints error data to stderr before crashing,
1245         which is nice for local development. In the wild, however, we
1246         can't see this information in crash logs. This patch enables
1247         stuffing some of the most useful information from DFG_ASSERTS into
1248         up to five registers right before crashing. The values stuffed
1249         should not impact any logging during local development.
1250
1251         * assembler/AbortReason.h:
1252         * dfg/DFGAbstractInterpreterInlines.h:
1253         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1254         * dfg/DFGGraph.cpp:
1255         (JSC::DFG::logForCrash):
1256         (JSC::DFG::Graph::logAssertionFailure):
1257         (JSC::DFG::crash): Deleted.
1258         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1259         * dfg/DFGGraph.h:
1260
1261 2017-06-29  Saam Barati  <sbarati@apple.com>
1262
1263         Calculating postCapacity in unshiftCountSlowCase is wrong
1264         https://bugs.webkit.org/show_bug.cgi?id=173992
1265         <rdar://problem/32283199>
1266
1267         Reviewed by Keith Miller.
1268
1269         This patch fixes a bug inside unshiftCountSlowCase where we would use
1270         more memory than we allocated. The bug was when deciding how much extra
1271         space we have after the vector we've allocated. This area is called the
1272         postCapacity. The largest legal postCapacity value we could use is the
1273         space we allocated minus the space we need:
1274         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
1275         However, the code was calculating the postCapacity as:
1276         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
1277         
1278         where count is how many elements we're appending. Depending on the inputs,
1279         count could be larger than (newStorageCapacity - requiredVectorLength). This
1280         would cause us to use more memory than we actually allocated.
1281
1282         * runtime/JSArray.cpp:
1283         (JSC::JSArray::unshiftCountSlowCase):
1284
1285 2017-06-29  Commit Queue  <commit-queue@webkit.org>
1286
1287         Unreviewed, rolling out r218512.
1288         https://bugs.webkit.org/show_bug.cgi?id=173981
1289
1290         "It changes the behavior of the JS API's JSEvaluateScript
1291         which breaks TurboTax" (Requested by saamyjoon on #webkit).
1292
1293         Reverted changeset:
1294
1295         "test262: Completion values for control flow do not match the
1296         spec"
1297         https://bugs.webkit.org/show_bug.cgi?id=171265
1298         http://trac.webkit.org/changeset/218512
1299
1300 2017-06-29  JF Bastien  <jfbastien@apple.com>
1301
1302         WebAssembly: disable some APIs under CSP
1303         https://bugs.webkit.org/show_bug.cgi?id=173892
1304         <rdar://problem/32914613>
1305
1306         Reviewed by Daniel Bates.
1307
1308         We should disable parts of WebAssembly under Content Security
1309         Policy as discussed here:
1310
1311         https://github.com/WebAssembly/design/issues/1092
1312
1313         Exactly what should be disabled isn't super clear, so we may as
1314         well be conservative and disable many things if developers already
1315         opted into CSP. It's easy to loosen what we disable later.
1316
1317         This patch disables:
1318         - WebAssembly.Instance
1319         - WebAssembly.instantiate
1320         - WebAssembly.Memory
1321         - WebAssembly.Table
1322
1323         And leaves:
1324         - WebAssembly on the global object
1325         - WebAssembly.Module
1326         - WebAssembly.compile
1327         - WebAssembly.CompileError
1328         - WebAssembly.LinkError
1329
1330         Nothing because currently unimplemented:
1331         - WebAssembly.compileStreaming
1332         - WebAssembly.instantiateStreaming
1333
1334         That way it won't be possible to call WebAssembly-compiled code,
1335         or create memories (which use fancy 4GiB allocations
1336         sometimes). Table isn't really useful on its own, and eventually
1337         we may make them shareable so without more details it seems benign
1338         to disable them (and useless if we don't).
1339
1340         I haven't done anything with postMessage, so you can still
1341         postMessage a WebAssembly.Module cross-CSP, but you can't
1342         instantiate it so it's useless. Because of this I elected to leave
1343         WebAssembly.Module and friends available.
1344
1345         I haven't added any new directives. It's still unsafe-eval. We can
1346         add something else later, but it seems odd to add a WebAssembly as
1347         a new capability and tell developers "you should have been using
1348         this directive which we just implemented if you wanted to disable
1349         WebAssembly which didn't exist when you adopted CSP". So IMO we
1350         should keep unsafe-eval as it currently is, add WebAssembly to
1351         what it disables, and later consider having two new directives
1352         which do each individually or something.
1353
1354         In all cases I throw an EvalError *before* other WebAssembly
1355         errors would be produced.
1356
1357         Note that, as for eval, reporting doesn't work and is tracked by
1358         https://webkit.org/b/111869
1359
1360         * runtime/JSGlobalObject.cpp:
1361         (JSC::JSGlobalObject::JSGlobalObject):
1362         * runtime/JSGlobalObject.h:
1363         (JSC::JSGlobalObject::webAssemblyEnabled):
1364         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
1365         (JSC::JSGlobalObject::setWebAssemblyEnabled):
1366         * wasm/js/JSWebAssemblyInstance.cpp:
1367         (JSC::JSWebAssemblyInstance::create):
1368         * wasm/js/JSWebAssemblyMemory.cpp:
1369         (JSC::JSWebAssemblyMemory::create):
1370         * wasm/js/JSWebAssemblyMemory.h:
1371         * wasm/js/JSWebAssemblyTable.cpp:
1372         (JSC::JSWebAssemblyTable::create):
1373         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1374         (JSC::constructJSWebAssemblyMemory):
1375
1376 2017-06-28  Keith Miller  <keith_miller@apple.com>
1377
1378         VMTraps has some races
1379         https://bugs.webkit.org/show_bug.cgi?id=173941
1380
1381         Reviewed by Michael Saboff.
1382
1383         This patch refactors much of the VMTraps API.
1384
1385         On the message sending side:
1386
1387         1) No longer uses the Yarr JIT check to determine if we are in
1388         RegExp code. That was unsound because RegExp JIT code can be run
1389         on compilation threads.  Instead it looks at the current frame's
1390         code block slot and checks if it is valid, which is the same as
1391         what it did for JIT code previously.
1392
1393         2) Only have one signal sender thread; previously, there could be
1394         many at once, which caused some data races. Additionally, the
1395         signal sender thread is an automatic thread so it will deallocate
1396         itself when not in use.
1397
1398         On the VMTraps breakpoint side:
1399
1400         1) We now have a true mapping of if we hit a breakpoint instead of
1401         a JIT assertion. So the exception handler won't eat JIT assertions
1402         anymore.
1403
1404         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
1405         them instead of every CodeBlock on the stack. This both prevents
1406         us from hitting stale VMTraps breakpoints and also doesn't OSR
1407         codeblocks that otherwise don't need to be jettisoned.
1408
1409         3) The old exception handler could theoretically fail for a couple
1410         of reasons then resume execution with a clobbered instruction
1411         set. This patch will kill the program if the exception handler
1412         would fail.
1413
1414         This patch also refactors some of the jsc.cpp functions to take the
1415         CommandLine options object instead of individual options. Also, there
1416         is a new command line option that makes exceptions due to watchdog
1417         timeouts an acceptable result.
1418
1419         * API/tests/testapi.c:
1420         (main):
1421         * bytecode/CodeBlock.cpp:
1422         (JSC::CodeBlock::installVMTrapBreakpoints):
1423         * dfg/DFGCommonData.cpp:
1424         (JSC::DFG::pcCodeBlockMap):
1425         (JSC::DFG::CommonData::invalidate):
1426         (JSC::DFG::CommonData::~CommonData):
1427         (JSC::DFG::CommonData::installVMTrapBreakpoints):
1428         (JSC::DFG::codeBlockForVMTrapPC):
1429         * dfg/DFGCommonData.h:
1430         * jsc.cpp:
1431         (functionDollarAgentStart):
1432         (checkUncaughtException):
1433         (checkException):
1434         (runWithOptions):
1435         (printUsageStatement):
1436         (CommandLine::parseArguments):
1437         (jscmain):
1438         (runWithScripts): Deleted.
1439         * runtime/JSLock.cpp:
1440         (JSC::JSLock::didAcquireLock):
1441         * runtime/VMTraps.cpp:
1442         (JSC::sanitizedTopCallFrame):
1443         (JSC::VMTraps::tryInstallTrapBreakpoints):
1444         (JSC::VMTraps::willDestroyVM):
1445         (JSC::VMTraps::fireTrap):
1446         (JSC::VMTraps::handleTraps):
1447         (JSC::VMTraps::VMTraps):
1448         (JSC::VMTraps::~VMTraps):
1449         (JSC::findActiveVMAndStackBounds): Deleted.
1450         (JSC::installSignalHandler): Deleted.
1451         (JSC::VMTraps::addSignalSender): Deleted.
1452         (JSC::VMTraps::removeSignalSender): Deleted.
1453         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
1454         (JSC::VMTraps::SignalSender::send): Deleted.
1455         * runtime/VMTraps.h:
1456         (JSC::VMTraps::~VMTraps): Deleted.
1457         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
1458
1459 2017-06-28  Devin Rousso  <drousso@apple.com>
1460
1461         Web Inspector: Instrument active pixel memory used by canvases
1462         https://bugs.webkit.org/show_bug.cgi?id=173087
1463         <rdar://problem/32719261>
1464
1465         Reviewed by Joseph Pecoraro.
1466
1467         * inspector/protocol/Canvas.json:
1468          - Add optional `memoryCost` attribute to the `Canvas` type.
1469          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
1470
1471 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
1472
1473         Web Inspector: Cleanup Protocol JSON files
1474         https://bugs.webkit.org/show_bug.cgi?id=173934
1475
1476         Reviewed by Matt Baker.
1477
1478         * inspector/protocol/ApplicationCache.json:
1479         * inspector/protocol/CSS.json:
1480         * inspector/protocol/Console.json:
1481         * inspector/protocol/DOM.json:
1482         * inspector/protocol/DOMDebugger.json:
1483         * inspector/protocol/Debugger.json:
1484         * inspector/protocol/LayerTree.json:
1485         * inspector/protocol/Network.json:
1486         * inspector/protocol/Page.json:
1487         * inspector/protocol/Runtime.json:
1488         Be more consistent about placement of `description` property.
1489
1490 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
1491
1492         Web Inspector: Remove unused Inspector domain events
1493         https://bugs.webkit.org/show_bug.cgi?id=173905
1494
1495         Reviewed by Matt Baker.
1496
1497         * inspector/protocol/Inspector.json:
1498
1499 2017-06-28  JF Bastien  <jfbastien@apple.com>
1500
1501         Ensure that computed new stack pointer values do not underflow.
1502         https://bugs.webkit.org/show_bug.cgi?id=173700
1503         <rdar://problem/32926032>
1504
1505         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
1506
1507         Patch by Mark Lam, with the following fix:
1508
1509         Re-apply this patch, it originally broke the ARM build because the llint code
1510         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
1511         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
1512         and operands to emit valid code (because the second operand can be SP).
1513
1514         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
1515            m_numCalleeLocals is sane.
1516
1517         2. Added underflow checks in LLInt code and VarargsFrame code.
1518
1519         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
1520            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
1521            Ensure that Options::softReservedZoneSize() is at least greater than
1522            Options::reservedZoneSize() by minimumReservedZoneSize.
1523
1524         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
1525            and only if the max size of the frame is greater than Options::reservedZoneSize().
1526
1527            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
1528            of memory at the bottom (end) of the stack.  This means that, at any time, the
1529            frame pointer must be at least Options::reservedZoneSize() bytes away from the
1530            end of the stack.  Hence, if the max frame size is less than
1531            Options::reservedZoneSize(), there's no way that frame pointer - max
1532            frame size can underflow, and we can elide the underflow check.
1533
1534            Note that we use Options::reservedZoneSize() instead of
1535            Options::softReservedZoneSize() to determine if we need an underflow check.
1536            This is because the softStackLimit that is used for stack checks can be set
1537            based on Options::reservedZoneSize() during error handling (e.g. when creating
1538            strings for instantiating the Error object).  Hence, the guaranteed minimum of
1539            distance between the frame pointer and the end of the stack is
1540            Options::reservedZoneSize() and not Options::softReservedZoneSize().
1541
1542            Note also that we ensure that Options::reservedZoneSize() is at least
1543            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
1544            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
1545            instead of minimumReservedZoneSize gives us more chances to elide underflow
1546            checks.
1547
1548         * JavaScriptCore.xcodeproj/project.pbxproj:
1549         * bytecompiler/BytecodeGenerator.cpp:
1550         (JSC::BytecodeGenerator::generate):
1551         * dfg/DFGGraph.cpp:
1552         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
1553         * dfg/DFGJITCompiler.cpp:
1554         (JSC::DFG::emitStackOverflowCheck):
1555         (JSC::DFG::JITCompiler::compile):
1556         (JSC::DFG::JITCompiler::compileFunction):
1557         * ftl/FTLLowerDFGToB3.cpp:
1558         (JSC::FTL::DFG::LowerDFGToB3::lower):
1559         * jit/JIT.cpp:
1560         (JSC::JIT::compileWithoutLinking):
1561         * jit/SetupVarargsFrame.cpp:
1562         (JSC::emitSetupVarargsFrameFastCase):
1563         * llint/LLIntSlowPaths.cpp:
1564         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1565         * llint/LowLevelInterpreter.asm:
1566         * llint/LowLevelInterpreter32_64.asm:
1567         * llint/LowLevelInterpreter64.asm:
1568         * runtime/MinimumReservedZoneSize.h: Added.
1569         * runtime/Options.cpp:
1570         (JSC::recomputeDependentOptions):
1571         * runtime/VM.cpp:
1572         (JSC::VM::updateStackLimits):
1573         * wasm/WasmB3IRGenerator.cpp:
1574         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1575         * wasm/js/WebAssemblyFunction.cpp:
1576         (JSC::callWebAssemblyFunction):
1577
1578 2017-06-28  Chris Dumez  <cdumez@apple.com>
1579
1580         Unreviewed, rolling out r218869.
1581
1582         Broke the iOS build
1583
1584         Reverted changeset:
1585
1586         "Ensure that computed new stack pointer values do not
1587         underflow."
1588         https://bugs.webkit.org/show_bug.cgi?id=173700
1589         http://trac.webkit.org/changeset/218869
1590
1591 2017-06-28  Chris Dumez  <cdumez@apple.com>
1592
1593         Unreviewed, rolling out r218873.
1594
1595         Broke the iOS build
1596
1597         Reverted changeset:
1598
1599         "Gardening: CLoop build fix."
1600         https://bugs.webkit.org/show_bug.cgi?id=173700
1601         http://trac.webkit.org/changeset/218873
1602
1603 2017-06-28  Mark Lam  <mark.lam@apple.com>
1604
1605         Gardening: CLoop build fix.
1606         https://bugs.webkit.org/show_bug.cgi?id=173700
1607         <rdar://problem/32926032>
1608
1609         Not reviewed.
1610
1611         * llint/LLIntSlowPaths.cpp:
1612         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1613
1614 2017-06-28  Mark Lam  <mark.lam@apple.com>
1615
1616         Ensure that computed new stack pointer values do not underflow.
1617         https://bugs.webkit.org/show_bug.cgi?id=173700
1618         <rdar://problem/32926032>
1619
1620         Reviewed by Filip Pizlo and Saam Barati.
1621
1622         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
1623            m_numCalleeLocals is sane.
1624
1625         2. Added underflow checks in LLInt code and VarargsFrame code.
1626
1627         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
1628            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
1629            Ensure that Options::softReservedZoneSize() is at least greater than
1630            Options::reservedZoneSize() by minimumReservedZoneSize.
1631
1632         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
1633            and only if the max size of the frame is greater than Options::reservedZoneSize().
1634
1635            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
1636            of memory at the bottom (end) of the stack.  This means that, at any time, the
1637            frame pointer must be at least Options::reservedZoneSize() bytes away from the
1638            end of the stack.  Hence, if the max frame size is less than
1639            Options::reservedZoneSize(), there's no way that frame pointer - max
1640            frame size can underflow, and we can elide the underflow check.
1641
1642            Note that we use Options::reservedZoneSize() instead of
1643            Options::softReservedZoneSize() to determine if we need an underflow check.
1644            This is because the softStackLimit that is used for stack checks can be set
1645            based on Options::reservedZoneSize() during error handling (e.g. when creating
1646            strings for instantiating the Error object).  Hence, the guaranteed minimum of
1647            distance between the frame pointer and the end of the stack is
1648            Options::reservedZoneSize() and not Options::softReservedZoneSize().
1649
1650            Note also that we ensure that Options::reservedZoneSize() is at least
1651            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
1652            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
1653            instead of minimumReservedZoneSize gives us more chances to elide underflow
1654            checks.
1655
1656         * JavaScriptCore.xcodeproj/project.pbxproj:
1657         * bytecompiler/BytecodeGenerator.cpp:
1658         (JSC::BytecodeGenerator::generate):
1659         * dfg/DFGGraph.cpp:
1660         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
1661         * dfg/DFGJITCompiler.cpp:
1662         (JSC::DFG::JITCompiler::compile):
1663         (JSC::DFG::JITCompiler::compileFunction):
1664         * ftl/FTLLowerDFGToB3.cpp:
1665         (JSC::FTL::DFG::LowerDFGToB3::lower):
1666         * jit/JIT.cpp:
1667         (JSC::JIT::compileWithoutLinking):
1668         * jit/SetupVarargsFrame.cpp:
1669         (JSC::emitSetupVarargsFrameFastCase):
1670         * llint/LLIntSlowPaths.cpp:
1671         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1672         * llint/LowLevelInterpreter.asm:
1673         * llint/LowLevelInterpreter32_64.asm:
1674         * llint/LowLevelInterpreter64.asm:
1675         * runtime/MinimumReservedZoneSize.h: Added.
1676         * runtime/Options.cpp:
1677         (JSC::recomputeDependentOptions):
1678         * runtime/VM.cpp:
1679         (JSC::VM::updateStackLimits):
1680         * wasm/WasmB3IRGenerator.cpp:
1681         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1682         * wasm/js/WebAssemblyFunction.cpp:
1683         (JSC::callWebAssemblyFunction):
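
The underflow rule in the two "Ensure that computed new stack pointer values do not underflow" entries above (the original landing and the re-applied one with the ARM64 fix), worked through as an added example. This is not JSC code: StackLayout, naiveStackCheckPasses, hardenedStackCheckPasses, zoneSizesAreSane, exampleLayout and the hex addresses are constructions of this example, standing in for the JIT-emitted checks, Options::reservedZoneSize() and Options::softReservedZoneSize(). It shows why a frame larger than the frame pointer's own address slips past a subtract-then-compare check, and why the extra compare is only needed when the frame exceeds the reserved zone.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed model of the stack-limit check discussed in the two
// "computed new stack pointer values do not underflow" entries (bug 173700).
// Nothing here is JSC code; names and numbers are this example's own.
// The stack grows down, so the "end" of the stack is its lowest address.

// Stand-in for the hardcoded 16K minimumReservedZoneSize named in the entry.
constexpr size_t kMinimumReservedZoneSize = 16 * 1024;

struct StackLayout {
    uintptr_t stackEnd;        // lowest address of the stack
    size_t reservedZoneSize;   // bytes guaranteed free above stackEnd (hard zone)
    uintptr_t softStackLimit;  // frames whose new SP falls below this are refused
};

// Sanity rule from the entry: the hard zone is at least the minimum, and the
// soft zone exceeds the hard zone by at least the minimum.
bool zoneSizesAreSane(size_t reservedZoneSize, size_t softReservedZoneSize)
{
    if (reservedZoneSize < kMinimumReservedZoneSize)
        return false;
    if (reservedZoneSize > SIZE_MAX - kMinimumReservedZoneSize)
        return false; // the sum below would overflow
    return softReservedZoneSize >= reservedZoneSize + kMinimumReservedZoneSize;
}

// Elision rule: fp is always at least reservedZoneSize above stackEnd, so
// fp - maxFrameSize cannot underflow unless maxFrameSize > reservedZoneSize.
bool needsUnderflowCheck(size_t maxFrameSize, size_t reservedZoneSize)
{
    return maxFrameSize > reservedZoneSize;
}

// Pre-fix shape: subtract first, compare second. When maxFrameSize > fp the
// unsigned subtraction wraps to a huge address that sits "above" the soft
// limit, and the check passes for a frame that would run off the stack.
bool naiveStackCheckPasses(uintptr_t fp, size_t maxFrameSize, const StackLayout& layout)
{
    uintptr_t newSP = fp - maxFrameSize; // wraps on underflow
    return newSP >= layout.softStackLimit;
}

// Hardened shape: refuse before subtracting whenever the subtraction could
// underflow; the extra compare is emitted only for frames large enough to
// make that possible.
bool hardenedStackCheckPasses(uintptr_t fp, size_t maxFrameSize, const StackLayout& layout)
{
    if (needsUnderflowCheck(maxFrameSize, layout.reservedZoneSize) && maxFrameSize > fp)
        return false; // fp - maxFrameSize would underflow
    uintptr_t newSP = fp - maxFrameSize;
    return newSP >= layout.softStackLimit;
}

// Constructed layout: 64K stack end, 16K hard zone, 32K soft zone, so the
// soft limit is stackEnd + 32K. fp sits at 128K in the scenarios below.
StackLayout exampleLayout()
{
    return StackLayout{ 0x10000, 0x4000, 0x10000 + 0x8000 };
}

int main()
{
    const StackLayout layout = exampleLayout();
    const uintptr_t fp = 0x20000;
    // A 192K frame is larger than fp itself: the naive check wraps and passes,
    // the hardened check refuses it.
    const size_t hugeFrame = 0x30000;
    std::printf("huge frame: naive=%d hardened=%d\n",
                naiveStackCheckPasses(fp, hugeFrame, layout),
                hardenedStackCheckPasses(fp, hugeFrame, layout));
    // A 4K frame is within the hard zone, so no underflow check is needed
    // and both forms agree.
    const size_t smallFrame = 0x1000;
    std::printf("small frame: naive=%d hardened=%d needsCheck=%d\n",
                naiveStackCheckPasses(fp, smallFrame, layout),
                hardenedStackCheckPasses(fp, smallFrame, layout),
                needsUnderflowCheck(smallFrame, layout.reservedZoneSize));
    return 0;
}
```

The hardened form compares against the hard zone (reservedZoneSize), not the soft one, for the same reason the entry gives: the soft limit can be lowered toward the hard limit during error handling, so only the hard zone is a guaranteed minimum distance from the end of the stack.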
1684
1685 2017-06-27  JF Bastien  <jfbastien@apple.com>
1686
1687         WebAssembly: running out of executable memory should throw OoM
1688         https://bugs.webkit.org/show_bug.cgi?id=171537
1689         <rdar://problem/32963338>
1690
1691         Reviewed by Saam Barati.
1692
1693         Both on first compile with BBQ as well as on tier-up with OMG,
1694         running out of X memory shouldn't cause the entire program to
1695         terminate. An exception will do when compiling initial code (since
1696         we don't have any other fallback at the moment), and refusal to
1697         tier up will do as well (it'll just be slower).
1698
1699         This is useful because programs which generate huge amounts of
1700         code simply look like crashes, which developers report to
1701         us. Getting a JavaScript exception instead is much clearer.
1702
1703         * jit/ExecutableAllocator.cpp:
1704         (JSC::ExecutableAllocator::allocate):
1705         * llint/LLIntSlowPaths.cpp:
1706         (JSC::LLInt::shouldJIT):
1707         * runtime/Options.h:
1708         * wasm/WasmBBQPlan.cpp:
1709         (JSC::Wasm::BBQPlan::prepare):
1710         (JSC::Wasm::BBQPlan::complete):
1711         * wasm/WasmBinding.cpp:
1712         (JSC::Wasm::wasmToJs):
1713         (JSC::Wasm::wasmToWasm):
1714         * wasm/WasmBinding.h:
1715         * wasm/WasmOMGPlan.cpp:
1716         (JSC::Wasm::OMGPlan::work):
1717         * wasm/js/JSWebAssemblyCodeBlock.cpp:
1718         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
1719         * wasm/js/JSWebAssemblyCodeBlock.h:
1720         * wasm/js/JSWebAssemblyInstance.cpp:
1721         (JSC::JSWebAssemblyInstance::finalizeCreation):
1722
1723 2017-06-27  Saam Barati  <sbarati@apple.com>
1724
1725         JITStubRoutine::passesFilter should use isJITPC
1726         https://bugs.webkit.org/show_bug.cgi?id=173906
1727
1728         Reviewed by JF Bastien.
1729
1730         This patch makes JITStubRoutine use the isJITPC abstraction defined
1731         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
1732         hardcoded platform size constant. This means it'd do the wrong thing
1733         if Options::jitMemoryReservationSize() was larger than the defined
1734         constant for that platform. This patch also removes a bunch of
1735         dead code in that file.
1736
1737         * jit/ExecutableAllocator.cpp:
1738         * jit/ExecutableAllocator.h:
1739         * jit/JITStubRoutine.h:
1740         (JSC::JITStubRoutine::passesFilter):
1741         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
1742         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
1743         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
1744
1745 2017-06-27  Saam Barati  <sbarati@apple.com>
1746
1747         Fix some stale comments in Wasm code base
1748         https://bugs.webkit.org/show_bug.cgi?id=173814
1749
1750         Reviewed by Mark Lam.
1751
1752         * wasm/WasmBinding.cpp:
1753         (JSC::Wasm::wasmToJs):
1754         * wasm/WasmOMGPlan.cpp:
1755         (JSC::Wasm::runOMGPlanForIndex):
1756
1757 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
1758
1759         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
1760         https://bugs.webkit.org/show_bug.cgi?id=167962
1761
1762         Reviewed by Saam Barati.
1763
1764         Object Rest/Spread Destructuring proposal is in stage 3[1] and this
1765         patch is a prototype implementation of it. A simple change over the
1766         parser was necessary to support the new '...' token on Object Pattern
1767         destructuring rule. On the bytecode generator side, we changed the
1768         bytecode generated on ObjectPatternNode::bindValue to store in a
1769         set the identifiers of already destructured properties, following spec draft
1770         section[2], and then pass it as excludedNames to CopyDataProperties.
1771         The rest destructuring calls copyDataProperties to perform the
1772         copy of rest properties in rhs.
1773
1774         We also implemented CopyDataProperties as private JS global operation
1775         on builtins/GlobalOperations.js following its specification on [3].
1776         It is implemented using Set object to verify if a property is on
1777         excludedNames to keep this algorithm with O(n + m) complexity, where n
1778         = number of source's own properties and m = excludedNames.length.
1779
1780         In this implementation we aren't using excludeList as a constant if the
1781         destructuring pattern contains a computed property, i.e. we can
1782         just determine the key to be excluded at runtime. If we can define all
1783         identifiers in the pattern at compile time, we then create a
1784         constant JSSet. This approach gives a good performance improvement,
1785         since we allocate the excludeSet just once, reducing GC pressure.
1786
1787         [1] - https://github.com/tc39/proposal-object-rest-spread
1788         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
1789         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
1790
1791         * builtins/BuiltinNames.h:
1792         * builtins/GlobalOperations.js:
1793         (globalPrivate.copyDataProperties):
1794         * bytecode/CodeBlock.cpp:
1795         (JSC::CodeBlock::finishCreation):
1796         * bytecompiler/NodesCodegen.cpp:
1797         (JSC::ObjectPatternNode::bindValue):
1798         * parser/ASTBuilder.h:
1799         (JSC::ASTBuilder::appendObjectPatternEntry):
1800         (JSC::ASTBuilder::appendObjectPatternRestEntry):
1801         (JSC::ASTBuilder::setContainsObjectRestElement):
1802         * parser/Nodes.h:
1803         (JSC::ObjectPatternNode::appendEntry):
1804         (JSC::ObjectPatternNode::setContainsRestElement):
1805         * parser/Parser.cpp:
1806         (JSC::Parser<LexerType>::parseDestructuringPattern):
1807         (JSC::Parser<LexerType>::parseProperty):
1808         * parser/SyntaxChecker.h:
1809         (JSC::SyntaxChecker::operatorStackPop):
1810         * runtime/JSGlobalObject.cpp:
1811         (JSC::JSGlobalObject::init):
1812         * runtime/JSGlobalObject.h:
1813         (JSC::JSGlobalObject::asyncFunctionStructure):
1814         (JSC::JSGlobalObject::setStructure): Deleted.
1815         * runtime/JSGlobalObjectFunctions.cpp:
1816         (JSC::privateToObject):
1817         * runtime/JSGlobalObjectFunctions.h:
1818         * runtime/ObjectConstructor.cpp:
1819         (JSC::ObjectConstructor::finishCreation):
1820         * runtime/SetPrototype.cpp:
1821         (JSC::SetPrototype::finishCreation):
1822
1823 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1824
1825         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
1826         https://bugs.webkit.org/show_bug.cgi?id=173888
1827
1828         Reviewed by Saam Barati.
1829
1830         After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
1831         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
1832         This causes occasional SEGV / assertion failures in workers/bomb test.
1833
1834         * dfg/DFGWorklist.cpp:
1835
1836 2017-06-27  Saam Barati  <sbarati@apple.com>
1837
1838         Remove an inaccurate comment inside DFGClobberize.h
1839         https://bugs.webkit.org/show_bug.cgi?id=163874
1840
1841         Reviewed by Filip Pizlo.
1842
1843         The comment said that Clobberize may or may not be sound if run prior to
1844         doing type inference. This is not correct, though. Clobberize *must* be sound
1845         prior to doing type inference since we use it inside the BytecodeParser, which
1846         is the very first thing the DFG does.
1847
1848         * dfg/DFGClobberize.h:
1849         (JSC::DFG::clobberize):
1850
1851 2017-06-27  Saam Barati  <sbarati@apple.com>
1852
1853         Function constructor needs to follow the spec and validate parameters and body independently
1854         https://bugs.webkit.org/show_bug.cgi?id=173303
1855         <rdar://problem/32732526>
1856
1857         Reviewed by Keith Miller.
1858
1859         The Function constructor must check the arguments and body strings
1860         independently for syntax errors. People rely on this specified behavior
1861         to verify that a particular string is a valid function body. We used
1862         to check these strings concatenated together, instead of
1863         independently. For example, this used to be valid: `Function("/*", "*/){")`.
1864         However, we should throw a syntax error here since "(/*)" is not a valid
1865         parameter list, and "*/){" is not a valid body.
1866         
1867         To implement the specified behavior, we check the syntax independently of
1868         both the body and the parameter list. To check that the parameter list has
1869         valid syntax, we check that it is valid if in a function with an empty body.
1870         To check that the body has valid syntax, we check it is valid in a function
1871         with an empty parameter list.
1872
1873         * runtime/FunctionConstructor.cpp:
1874         (JSC::constructFunctionSkippingEvalEnabledCheck):
1875
1876 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
1877
1878         Add missing includes to fix compilation error on FreeBSD
1879         https://bugs.webkit.org/show_bug.cgi?id=172919
1880
1881         Reviewed by Mark Lam.
1882
1883         * API/JSRemoteInspector.h:
1884         * API/tests/GlobalContextWithFinalizerTest.cpp:
1885         * API/tests/TypedArrayCTest.cpp:
1886
1887 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
1888
1889         Web Inspector: Crash generating object preview for ArrayIterator
1890         https://bugs.webkit.org/show_bug.cgi?id=173754
1891         <rdar://problem/32859012>
1892
1893         Reviewed by Saam Barati.
1894
1895         When Inspector generates an object preview for an ArrayIterator instance it made
1896         a "clone" of the original ArrayIterator instance by constructing a new object with
1897         the instance's structure. However, user code could have modified that instance's
1898         structure, such as adding / removing properties. The `return` property had special
1899         meaning, and our clone did not fill that slot. This approach is brittle in that
1900         we weren't satisfying the expectations of an object with a particular Structure,
1901         and the original goal of having Web Inspector peek values of built-in Iterators
1902         was to avoid observable behavior.
1903
1904         This tightens Web Inspector's Iterator preview to only peek values if the
1905         Iterators would actually be non-observable. It also builds an ArrayIterator
1906         clone like a regular object construction.
1907
1908         * inspector/JSInjectedScriptHost.cpp:
1909         (Inspector::cloneArrayIteratorObject):
1910         Build up the Object from scratch with a new ArrayIterator prototype.
1911
1912         (Inspector::JSInjectedScriptHost::iteratorEntries):
1913         Only clone and peek iterators if it would not be observable.
1914         Also update iteration to be more in line with IterationOperations, such as when
1915         we call iteratorClose.
1916
1917         * runtime/JSGlobalObject.cpp:
1918         (JSC::JSGlobalObject::JSGlobalObject):
1919         (JSC::JSGlobalObject::init):
1920         * runtime/JSGlobalObject.h:
1921         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
1922         * runtime/JSGlobalObjectInlines.h:
1923         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
1924         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
1925
1926         * runtime/JSMap.cpp:
1927         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
1928         (JSC::JSMap::canCloneFastAndNonObservable):
1929         * runtime/JSMap.h:
1930         * runtime/JSSet.cpp:
1931         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
1932         (JSC::JSSet::canCloneFastAndNonObservable):
1933         * runtime/JSSet.h:
1934         Promote isIteratorProtocolFastAndNonObservable to a method.
1935
1936         * runtime/JSObject.cpp:
1937         (JSC::canDoFastPutDirectIndex):
1938         * runtime/JSTypeInfo.h:
1939         (JSC::TypeInfo::isArgumentsType):
1940         Helper to detect if an Object is an Arguments type.
1941
1942 2017-06-26  Saam Barati  <sbarati@apple.com>
1943
1944         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
1945         https://bugs.webkit.org/show_bug.cgi?id=173740
1946
1947         Reviewed by Mark Lam.
1948
1949         The builtin was using for-of iteration to iterate over an internal
1950         list in its algorithm. For-of iteration is observable via user code
1951         in the global object, so this approach was wrong as it would break if
1952         a user changed the Array iteration protocol in some way.
1953
1954         * builtins/RegExpPrototype.js:
1955         (replace):
1956
1957 2017-06-26  Mark Lam  <mark.lam@apple.com>
1958
1959         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
1960         https://bugs.webkit.org/show_bug.cgi?id=173848
1961
1962         Reviewed by JF Bastien.
1963
1964         This functor only dumps the return VirtualPC.
1965
1966         * interpreter/Interpreter.cpp:
1967         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
1968         (JSC::Interpreter::dumpRegisters):
1969         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
1970         (JSC::DumpRegisterFunctor::operator()): Deleted.
1971
1972 2017-06-26  Saam Barati  <sbarati@apple.com>
1973
1974         Crash in JSC::Lexer<unsigned char>::setCode
1975         https://bugs.webkit.org/show_bug.cgi?id=172754
1976
1977         Reviewed by Mark Lam.
1978
1979         The lexer was asking one of its buffers to reserve initial space that
1980         was O(text size in bytes). For large sources, this would end up causing
1981         the vector to overflow and crash. This patch changes this code to be like
1982         the Lexer's other buffers and to only reserve a small starting buffer.
1983
1984         * parser/Lexer.cpp:
1985         (JSC::Lexer<T>::setCode):
1986
1987 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
1988
1989         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
1990         https://bugs.webkit.org/show_bug.cgi?id=173825
1991
1992         Reviewed by Saam Barati.
1993
1994         * jsc.cpp:
1995         (startTimeoutThreadIfNeeded):
1996         (timeoutThreadMain): Deleted.
1997
1998 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
1999
2000         Unreviewed, add missing header for CLoop
2001
2002         * runtime/SymbolTable.cpp:
2003
2004 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2005
2006         Unreviewed, add missing header includes
2007
2008         * parser/Lexer.h:
2009
2010 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
2011
2012         Remove excessive headers from JavaScriptCore
2013         https://bugs.webkit.org/show_bug.cgi?id=173812
2014
2015         Reviewed by Darin Adler.
2016
2017         * API/APIUtils.h:
2018         * assembler/LinkBuffer.cpp:
2019         * assembler/MacroAssemblerCodeRef.cpp:
2020         * b3/air/AirLiveness.h:
2021         * b3/air/AirLowerAfterRegAlloc.cpp:
2022         * bindings/ScriptValue.cpp:
2023         * bindings/ScriptValue.h:
2024         * bytecode/AccessCase.cpp:
2025         * bytecode/AccessCase.h:
2026         * bytecode/ArrayProfile.h:
2027         * bytecode/BytecodeDumper.h:
2028         * bytecode/BytecodeIntrinsicRegistry.cpp:
2029         * bytecode/BytecodeKills.h:
2030         * bytecode/BytecodeLivenessAnalysis.h:
2031         * bytecode/BytecodeUseDef.h:
2032         * bytecode/CallLinkStatus.h:
2033         * bytecode/CodeBlock.h:
2034         * bytecode/CodeOrigin.h:
2035         * bytecode/ComplexGetStatus.h:
2036         * bytecode/GetByIdStatus.h:
2037         * bytecode/GetByIdVariant.h:
2038         * bytecode/InlineCallFrame.h:
2039         * bytecode/InlineCallFrameSet.h:
2040         * bytecode/Instruction.h:
2041         * bytecode/InternalFunctionAllocationProfile.h:
2042         * bytecode/JumpTable.h:
2043         * bytecode/MethodOfGettingAValueProfile.h:
2044         * bytecode/ObjectPropertyConditionSet.h:
2045         * bytecode/Operands.h:
2046         * bytecode/PolymorphicAccess.h:
2047         * bytecode/PutByIdStatus.h:
2048         * bytecode/SpeculatedType.cpp:
2049         * bytecode/StructureSet.h:
2050         * bytecode/StructureStubInfo.h:
2051         * bytecode/UnlinkedCodeBlock.h:
2052         * bytecode/UnlinkedFunctionExecutable.h:
2053         * bytecode/ValueProfile.h:
2054         * bytecompiler/BytecodeGenerator.cpp:
2055         * bytecompiler/BytecodeGenerator.h:
2056         * bytecompiler/Label.h:
2057         * bytecompiler/StaticPropertyAnalysis.h:
2058         * debugger/DebuggerCallFrame.cpp:
2059         * dfg/DFGAbstractInterpreter.h:
2060         * dfg/DFGAdjacencyList.h:
2061         * dfg/DFGArgumentsUtilities.h:
2062         * dfg/DFGArrayMode.h:
2063         * dfg/DFGArrayifySlowPathGenerator.h:
2064         * dfg/DFGBackwardsPropagationPhase.h:
2065         * dfg/DFGBasicBlock.h:
2066         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2067         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2068         * dfg/DFGCapabilities.h:
2069         * dfg/DFGCommon.h:
2070         * dfg/DFGCommonData.h:
2071         * dfg/DFGDesiredIdentifiers.h:
2072         * dfg/DFGDesiredWatchpoints.h:
2073         * dfg/DFGDisassembler.cpp:
2074         * dfg/DFGDominators.h:
2075         * dfg/DFGDriver.cpp:
2076         * dfg/DFGDriver.h:
2077         * dfg/DFGEdgeDominates.h:
2078         * dfg/DFGFinalizer.h:
2079         * dfg/DFGGenerationInfo.h:
2080         * dfg/DFGJITCompiler.cpp:
2081         * dfg/DFGJITCompiler.h:
2082         * dfg/DFGJITFinalizer.h:
2083         * dfg/DFGLivenessAnalysisPhase.h:
2084         * dfg/DFGMinifiedNode.h:
2085         * dfg/DFGMultiGetByOffsetData.h:
2086         * dfg/DFGNaturalLoops.cpp:
2087         * dfg/DFGNaturalLoops.h:
2088         * dfg/DFGNode.h:
2089         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2090         * dfg/DFGOSRExit.h:
2091         * dfg/DFGOSRExitCompilationInfo.h:
2092         * dfg/DFGOSRExitCompiler.cpp:
2093         * dfg/DFGOSRExitCompiler.h:
2094         * dfg/DFGOSRExitJumpPlaceholder.h:
2095         * dfg/DFGOperations.cpp:
2096         * dfg/DFGOperations.h:
2097         * dfg/DFGPlan.h:
2098         * dfg/DFGPreciseLocalClobberize.h:
2099         * dfg/DFGPromotedHeapLocation.h:
2100         * dfg/DFGRegisteredStructure.h:
2101         * dfg/DFGRegisteredStructureSet.h:
2102         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2103         * dfg/DFGSlowPathGenerator.h:
2104         * dfg/DFGSnippetParams.h:
2105         * dfg/DFGSpeculativeJIT.h:
2106         * dfg/DFGToFTLDeferredCompilationCallback.h:
2107         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2108         * dfg/DFGValidate.h:
2109         * dfg/DFGValueSource.h:
2110         * dfg/DFGVariableEvent.h:
2111         * dfg/DFGVariableEventStream.h:
2112         * dfg/DFGWorklist.h:
2113         * domjit/DOMJITCallDOMGetterSnippet.h:
2114         * domjit/DOMJITEffect.h:
2115         * ftl/FTLLink.cpp:
2116         * ftl/FTLLowerDFGToB3.cpp:
2117         * ftl/FTLPatchpointExceptionHandle.h:
2118         * heap/AllocatorAttributes.h:
2119         * heap/CodeBlockSet.h:
2120         * heap/DeferGC.h:
2121         * heap/GCSegmentedArray.h:
2122         * heap/Heap.cpp:
2123         * heap/Heap.h:
2124         * heap/IncrementalSweeper.h:
2125         * heap/ListableHandler.h:
2126         * heap/MachineStackMarker.h:
2127         * heap/MarkedAllocator.h:
2128         * heap/MarkedBlock.cpp:
2129         * heap/MarkedBlock.h:
2130         * heap/MarkingConstraint.h:
2131         * heap/SlotVisitor.cpp:
2132         * heap/SlotVisitor.h:
2133         * inspector/ConsoleMessage.cpp:
2134         * inspector/ConsoleMessage.h:
2135         * inspector/InjectedScript.h:
2136         * inspector/InjectedScriptHost.h:
2137         * inspector/InjectedScriptManager.cpp:
2138         * inspector/JSGlobalObjectInspectorController.cpp:
2139         * inspector/JavaScriptCallFrame.h:
2140         * inspector/ScriptCallStack.h:
2141         * inspector/ScriptCallStackFactory.cpp:
2142         * inspector/ScriptDebugServer.h:
2143         * inspector/agents/InspectorConsoleAgent.h:
2144         * inspector/agents/InspectorDebuggerAgent.cpp:
2145         * inspector/agents/InspectorDebuggerAgent.h:
2146         * inspector/agents/InspectorHeapAgent.cpp:
2147         * inspector/agents/InspectorHeapAgent.h:
2148         * inspector/agents/InspectorRuntimeAgent.h:
2149         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2150         * inspector/agents/InspectorScriptProfilerAgent.h:
2151         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2152         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2153         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2154         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2155         * inspector/augmentable/AlternateDispatchableAgent.h:
2156         * interpreter/CLoopStack.h:
2157         * interpreter/CachedCall.h:
2158         * interpreter/CallFrame.h:
2159         * interpreter/Interpreter.cpp:
2160         * interpreter/Interpreter.h:
2161         * jit/AssemblyHelpers.cpp:
2162         * jit/AssemblyHelpers.h:
2163         * jit/CCallHelpers.h:
2164         * jit/CallFrameShuffler.h:
2165         * jit/ExecutableAllocator.h:
2166         * jit/GCAwareJITStubRoutine.h:
2167         * jit/HostCallReturnValue.h:
2168         * jit/ICStats.h:
2169         * jit/JIT.cpp:
2170         * jit/JIT.h:
2171         * jit/JITAddGenerator.h:
2172         * jit/JITCall32_64.cpp:
2173         * jit/JITCode.h:
2174         * jit/JITDisassembler.cpp:
2175         * jit/JITExceptions.cpp:
2176         * jit/JITMathIC.h:
2177         * jit/JITOpcodes.cpp:
2178         * jit/JITOperations.cpp:
2179         * jit/JITOperations.h:
2180         * jit/JITThunks.cpp:
2181         * jit/JITThunks.h:
2182         * jit/JSInterfaceJIT.h:
2183         * jit/PCToCodeOriginMap.h:
2184         * jit/PolymorphicCallStubRoutine.h:
2185         * jit/RegisterSet.h:
2186         * jit/Repatch.h:
2187         * jit/SetupVarargsFrame.h:
2188         * jit/Snippet.h:
2189         * jit/SnippetParams.h:
2190         * jit/ThunkGenerators.h:
2191         * jsc.cpp:
2192         * llint/LLIntCLoop.h:
2193         * llint/LLIntEntrypoint.h:
2194         * llint/LLIntExceptions.h:
2195         * llint/LLIntOfflineAsmConfig.h:
2196         * llint/LLIntSlowPaths.cpp:
2197         * parser/NodeConstructors.h:
2198         * parser/Nodes.cpp:
2199         * parser/Nodes.h:
2200         * parser/Parser.cpp:
2201         * parser/Parser.h:
2202         * parser/ParserTokens.h:
2203         * parser/SourceProviderCacheItem.h:
2204         * profiler/ProfilerBytecodeSequence.h:
2205         * profiler/ProfilerDatabase.cpp:
2206         * profiler/ProfilerDatabase.h:
2207         * profiler/ProfilerOrigin.h:
2208         * profiler/ProfilerOriginStack.h:
2209         * profiler/ProfilerProfiledBytecodes.h:
2210         * profiler/ProfilerUID.h:
2211         * runtime/AbstractModuleRecord.h:
2212         * runtime/ArrayConstructor.h:
2213         * runtime/ArrayConventions.h:
2214         * runtime/ArrayIteratorPrototype.h:
2215         * runtime/ArrayPrototype.h:
2216         * runtime/BasicBlockLocation.h:
2217         * runtime/Butterfly.h:
2218         * runtime/CallData.cpp:
2219         * runtime/CodeCache.h:
2220         * runtime/CommonSlowPaths.cpp:
2221         * runtime/CommonSlowPaths.h:
2222         * runtime/CommonSlowPathsExceptions.cpp:
2223         * runtime/Completion.cpp:
2224         * runtime/ControlFlowProfiler.h:
2225         * runtime/DateInstanceCache.h:
2226         * runtime/ErrorConstructor.h:
2227         * runtime/ErrorInstance.h:
2228         * runtime/ExceptionHelpers.cpp:
2229         * runtime/ExceptionHelpers.h:
2230         * runtime/ExecutableBase.h:
2231         * runtime/FunctionExecutable.h:
2232         * runtime/HasOwnPropertyCache.h:
2233         * runtime/Identifier.h:
2234         * runtime/InternalFunction.h:
2235         * runtime/IntlCollator.cpp:
2236         * runtime/IntlCollatorPrototype.h:
2237         * runtime/IntlDateTimeFormatPrototype.h:
2238         * runtime/IntlNumberFormat.cpp:
2239         * runtime/IntlNumberFormatPrototype.h:
2240         * runtime/IteratorOperations.cpp:
2241         * runtime/JSArray.h:
2242         * runtime/JSArrayBufferPrototype.h:
2243         * runtime/JSCJSValue.h:
2244         * runtime/JSCJSValueInlines.h:
2245         * runtime/JSCell.h:
2246         * runtime/JSFunction.cpp:
2247         * runtime/JSFunction.h:
2248         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2249         * runtime/JSGlobalObject.cpp:
2250         * runtime/JSGlobalObject.h:
2251         * runtime/JSGlobalObjectDebuggable.cpp:
2252         * runtime/JSGlobalObjectDebuggable.h:
2253         * runtime/JSGlobalObjectFunctions.cpp:
2254         * runtime/JSGlobalObjectFunctions.h:
2255         * runtime/JSJob.cpp:
2256         * runtime/JSLock.h:
2257         * runtime/JSModuleLoader.cpp:
2258         * runtime/JSModuleNamespaceObject.h:
2259         * runtime/JSModuleRecord.h:
2260         * runtime/JSObject.cpp:
2261         * runtime/JSObject.h:
2262         * runtime/JSRunLoopTimer.h:
2263         * runtime/JSTemplateRegistryKey.h:
2264         * runtime/JSTypedArrayPrototypes.cpp:
2265         * runtime/JSTypedArrayPrototypes.h:
2266         * runtime/JSTypedArrays.h:
2267         * runtime/LiteralParser.h:
2268         * runtime/MatchResult.h:
2269         * runtime/MemoryStatistics.h:
2270         * runtime/PrivateName.h:
2271         * runtime/PromiseDeferredTimer.h:
2272         * runtime/ProxyObject.h:
2273         * runtime/RegExp.h:
2274         * runtime/SamplingProfiler.cpp:
2275         * runtime/SmallStrings.h:
2276         * runtime/StringPrototype.cpp:
2277         * runtime/StringRecursionChecker.h:
2278         * runtime/Structure.h:
2279         * runtime/SymbolConstructor.h:
2280         * runtime/SymbolPrototype.cpp:
2281         * runtime/SymbolPrototype.h:
2282         * runtime/TypeProfiler.h:
2283         * runtime/TypeProfilerLog.h:
2284         * runtime/TypedArrayType.h:
2285         * runtime/VM.cpp:
2286         * runtime/VM.h:
2287         * runtime/VMEntryScope.h:
2288         * runtime/WeakMapData.h:
2289         * runtime/WriteBarrier.h:
2290         * tools/FunctionOverrides.cpp:
2291         * tools/FunctionOverrides.h:
2292         * wasm/WasmBinding.cpp:
2293         * wasm/js/JSWebAssemblyCodeBlock.h:
2294         * wasm/js/WebAssemblyPrototype.cpp:
2295         * yarr/Yarr.h:
2296         * yarr/YarrJIT.cpp:
2297         * yarr/YarrJIT.h:
2298         * yarr/YarrParser.h:
2299
2300 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2301
2302         [JSC] Clean up Object.entries implementation
2303         https://bugs.webkit.org/show_bug.cgi?id=173759
2304
2305         Reviewed by Sam Weinig.
2306
2307         This patch cleans up Object.entries implementation.
2308         We drop unused private functions. And we merge the
2309         implementation into Object.entries.
2310
2311         It slightly speeds up Object.entries.
2312
2313                                      baseline                  patched
2314
2315             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
2316
2317
2318         * builtins/BuiltinNames.h:
2319         * builtins/ObjectConstructor.js:
2320         (entries):
2321         (globalPrivate.enumerableOwnProperties): Deleted.
2322         * runtime/JSGlobalObject.cpp:
2323         (JSC::JSGlobalObject::init):
2324         * runtime/ObjectConstructor.cpp:
2325         (JSC::ownEnumerablePropertyKeys): Deleted.
2326         * runtime/ObjectConstructor.h:
2327
2328 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
2329
2330         Remove Reflect.enumerate
2331         https://bugs.webkit.org/show_bug.cgi?id=173806
2332
2333         Reviewed by Yusuke Suzuki.
2334
2335         * CMakeLists.txt:
2336         * JavaScriptCore.xcodeproj/project.pbxproj:
2337         * inspector/JSInjectedScriptHost.cpp:
2338         (Inspector::JSInjectedScriptHost::subtype):
2339         (Inspector::JSInjectedScriptHost::getInternalProperties):
2340         (Inspector::JSInjectedScriptHost::iteratorEntries):
2341         * runtime/JSGlobalObject.cpp:
2342         (JSC::JSGlobalObject::init):
2343         (JSC::JSGlobalObject::visitChildren):
2344         * runtime/JSPropertyNameIterator.cpp: Removed.
2345         * runtime/JSPropertyNameIterator.h: Removed.
2346         * runtime/ReflectObject.cpp:
2347         (JSC::reflectObjectEnumerate): Deleted.
2348
2349 2017-06-23  Keith Miller  <keith_miller@apple.com>
2350
2351         Switch VMTraps to use halt instructions rather than breakpoint instructions
2352         https://bugs.webkit.org/show_bug.cgi?id=173677
2353         <rdar://problem/32178892>
2354
2355         Reviewed by JF Bastien.
2356
2357         Using the breakpoint instruction for VMTraps caused issues with lldb.
2358         Since we only need some way to stop execution we can, in theory, use
2359         any exceptioning instruction we want. I went with the halt instruction
2360         on X86 since that is the only one byte instruction that does not
2361         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
2362         On ARM we use the data cache clearing instruction with the zero register,
2363         which triggers a segmentation fault.
2364
2365         Also, update the platform code to only use signaling VMTraps
2366         where we have an appropriate instruction (x86 and ARM64).
2367
2368         * API/tests/ExecutionTimeLimitTest.cpp:
2369         (testExecutionTimeLimit):
2370         * assembler/ARM64Assembler.h:
2371         (JSC::ARM64Assembler::replaceWithVMHalt):
2372         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
2373         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
2374         * assembler/ARMAssembler.h:
2375         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
2376         * assembler/ARMv7Assembler.h:
2377         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
2378         * assembler/MIPSAssembler.h:
2379         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
2380         * assembler/MacroAssemblerARM.h:
2381         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
2382         * assembler/MacroAssemblerARM64.h:
2383         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
2384         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
2385         * assembler/MacroAssemblerARMv7.h:
2386         (JSC::MacroAssemblerARMv7::storeFence):
2387         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
2388         * assembler/MacroAssemblerMIPS.h:
2389         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
2390         * assembler/MacroAssemblerX86Common.h:
2391         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
2392         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
2393         * assembler/X86Assembler.h:
2394         (JSC::X86Assembler::replaceWithHlt):
2395         (JSC::X86Assembler::replaceWithInt3): Deleted.
2396         * dfg/DFGJumpReplacement.cpp:
2397         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
2398         * runtime/VMTraps.cpp:
2399         (JSC::SignalContext::SignalContext):
2400         (JSC::installSignalHandler):
2401         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
2402         * wasm/WasmFaultSignalHandler.cpp:
2403         (JSC::Wasm::enableFastMemory):
2404
2405 2017-06-22  Saam Barati  <sbarati@apple.com>
2406
2407         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
2408         https://bugs.webkit.org/show_bug.cgi?id=173743
2409         <rdar://problem/32932536>
2410
2411         Reviewed by Mark Lam.
2412
2413         The code always manually speculates, however, we weren't specifying
2414         ManualOperandSpeculation when creating a JSValueOperand. This would
2415         fire an assertion in JSValueOperand construction for a node like:
2416         Identity(String:@otherNode)
2417         
2418         I spent about 45 minutes trying to craft a test and came up
2419         empty. However, this fixes a debug assertion on an internal
2420         Apple website.
2421
2422         * dfg/DFGSpeculativeJIT32_64.cpp:
2423         (JSC::DFG::SpeculativeJIT::compile):
2424         * dfg/DFGSpeculativeJIT64.cpp:
2425         (JSC::DFG::SpeculativeJIT::compile):
2426
2427 2017-06-22  Saam Barati  <sbarati@apple.com>
2428
2429         ValueRep(DoubleRep(@v)) can not simply convert to @v
2430         https://bugs.webkit.org/show_bug.cgi?id=173687
2431         <rdar://problem/32855563>
2432
2433         Reviewed by Mark Lam.
2434
2435         Consider this IR:
2436          block#x
2437           p: Phi() // int32 and double flows into this phi from various control flow
2438           d: DoubleRep(@p)
2439           some uses of @d here
2440           v: ValueRep(DoubleRepUse:@d)
2441           a: NewArrayWithSize(Int32:@v)
2442           some more nodes here ...
2443         
2444         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
2445         AI proves that the Int32 check will fail. Constant folding phase removes
2446         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
2447         
2448         The IR then looks like this:
2449         block#x
2450           p: Phi() // int32 and double flows into this phi from various control flow
2451           d: DoubleRep(@p)
2452           some uses of @d here
2453           v: ValueRep(DoubleRepUse:@d)
2454           a: NewArrayWithSize(Int32:@v)
2455           Unreachable
2456         
2457         However, there was a strength reduction rule that tries to eliminate
2458         redundant conversions. It used to convert the program to:
2459         block#x
2460           p: Phi() // int32 and double flows into this phi from various control flow
2461           d: DoubleRep(@p)
2462           some uses of @d here
2463           a: NewArrayWithSize(Int32:@p)
2464           Unreachable
2465         
2466         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
2467         and we'll crash. This patch removes this strength reduction rule since it
2468         does not maintain what would have happened if we executed the program before
2469         the rule.
2470         
2471         This rule is also wrong for other types of programs (I'm not sure we'd
2472         actually emit this code, but if such IR were generated, we would previously
2473         optimize it incorrectly):
2474         @a: Constant(JSTrue)
2475         @b: DoubleRep(@a)
2476         @c: ValueRep(@b)
2477         @d: use(@c)
2478         
2479         However, the strength reduction rule would've transformed this into:
2480         @a: Constant(JSTrue)
2481         @d: use(@a)
2482         
2483         And this would be wrong because node @c before the transformation would
2484         have produced the JSValue jsNumber(1.0).
2485         
2486         This patch was neutral in the benchmark run I did.
2487
2488         * dfg/DFGStrengthReductionPhase.cpp:
2489         (JSC::DFG::StrengthReductionPhase::handleNode):
2490
2491 2017-06-22  JF Bastien  <jfbastien@apple.com>
2492
2493         ARM64: doubled executable memory limit from 32MiB to 64MiB
2494         https://bugs.webkit.org/show_bug.cgi?id=173734
2495         <rdar://problem/32932407>
2496
2497         Reviewed by Oliver Hunt.
2498
2499         Some WebAssembly programs stress the amount of memory we have
2500         available, especially when we consider tiering (BBQ never dies,
2501         and is bigger than OMG). Tiering to OMG just piles on more memory,
2502         and we're also competing with JavaScript.
2503
2504         * jit/ExecutableAllocator.h:
2505
2506 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
2507
2508         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
2509         https://bugs.webkit.org/show_bug.cgi?id=173698
2510
2511         Reviewed by Matt Baker.
2512
2513         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
2514         when preparing Inspector pause information is spent generating object previews for
2515         the `thisObject` of each of the call frames. In some cases, this could be more
2516         than 95% of the time generating pause information. In the common case, only one of
2517         these (the top frame) will ever be seen by users. This change avoids eagerly
2518         generating object previews up front and lets the frontend request previews if they
2519         are needed.
2520
2521         This introduces the `Runtime.getPreview` protocol command. This can be used to:
2522
2523             - Get a preview for a RemoteObject that did not have a preview but could.
2524             - Update a preview for a RemoteObject that had a preview.
2525
2526         This patch only uses it for the first case, but the second is valid and may be
2527         something we want to do in the future.
2528
2529         * inspector/protocol/Runtime.json:
2530         A new command to get an up to date preview for an object.
2531
2532         * inspector/InjectedScript.h:
2533         * inspector/InjectedScript.cpp:
2534         (Inspector::InjectedScript::getPreview):
2535         * inspector/agents/InspectorRuntimeAgent.cpp:
2536         (Inspector::InspectorRuntimeAgent::getPreview):
2537         * inspector/agents/InspectorRuntimeAgent.h:
2538         Plumbing for the new command.
2539
2540         * inspector/InjectedScriptSource.js:
2541         (InjectedScript.prototype.getPreview):
2542         Implementation just uses the existing helper.
2543
2544         (InjectedScript.CallFrameProxy):
2545         Do not generate a preview for the this object as it may not be shown.
2546         Let the frontend request a preview if it wants or needs one.
2547
2548 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
2549
2550         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
2551         https://bugs.webkit.org/show_bug.cgi?id=173686
2552
2553         Reviewed by Mark Lam.
2554
2555         * inspector/InjectedScript.cpp:
2556         (Inspector::InjectedScript::functionDetails):
2557         * inspector/InjectedScriptSource.js:
2558         (InjectedScript.prototype.functionDetails):
2559         * inspector/JSInjectedScriptHost.cpp:
2560         (Inspector::JSInjectedScriptHost::functionDetails):
2561
2562 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2563
2564         [JSC] Object.values should be implemented in C++
2565         https://bugs.webkit.org/show_bug.cgi?id=173703
2566
2567         Reviewed by Sam Weinig.
2568
2569         Like Object.assign, Object.values() is also inherently polymorphic.
2570         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
2571         result is costly.
2572
2573         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
2574         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
2575         non-observable JSObject::get() calls.
2576
2577         This improves performance by 2.49x. And also now Object.values() beats
2578         Object.keys(object).map(key => object[key]) implementation.
2579
2580                                              baseline                  patched
2581
2582             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
2583             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
2584
2585         * builtins/ObjectConstructor.js:
2586         (values): Deleted.
2587         * runtime/ObjectConstructor.cpp:
2588         (JSC::objectConstructorValues):
2589
2590 2017-06-21  Saam Barati  <sbarati@apple.com>
2591
2592         ArrayPrototype.map builtin declares a var it does not use
2593         https://bugs.webkit.org/show_bug.cgi?id=173685
2594
2595         Reviewed by Keith Miller.
2596
2597         * builtins/ArrayPrototype.js:
2598         (map):
2599
2600 2017-06-21  Saam Barati  <sbarati@apple.com>
2601
2602         eval virtual call is incorrect in the baseline JIT
2603         https://bugs.webkit.org/show_bug.cgi?id=173587
2604         <rdar://problem/32867897>
2605
2606         Reviewed by Michael Saboff.
2607
2608         When making a virtual call for call_eval, e.g., when the thing
2609         we're calling isn't actually eval, we end up calling the caller
2610         instead of the callee. This is clearly wrong. The code ends up
2611         issuing a load for the Callee in the callers frame instead of
2612         the callee we're calling. The fix is simple, we just need to
2613         load the real callee. Only the 32-bit baseline JIT had this bug.
2614
2615         * jit/JITCall32_64.cpp:
2616         (JSC::JIT::compileCallEvalSlowCase):
2617
2618 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
2619
2620         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
2621         https://bugs.webkit.org/show_bug.cgi?id=172432
2622         <rdar://problem/29870873>
2623
2624         Reviewed by Saam Barati.
2625
2626         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
2627         We will proceed to improve debugging of these cases in the follow-up bugs.
2628
2629         * debugger/Debugger.cpp:
2630         (JSC::Debugger::exception):
2631         Ignore pausing on these errors.
2632
2633         * runtime/ErrorInstance.h:
2634         (JSC::ErrorInstance::setStackOverflowError):
2635         (JSC::ErrorInstance::isStackOverflowError):
2636         (JSC::ErrorInstance::setOutOfMemoryError):
2637         (JSC::ErrorInstance::isOutOfMemoryError):
2638         * runtime/ExceptionHelpers.cpp:
2639         (JSC::createStackOverflowError):
2640         * runtime/Error.cpp:
2641         (JSC::createOutOfMemoryError):
2642         Mark these kinds of errors.
2643
2644 2017-06-21  Saam Barati  <sbarati@apple.com>
2645
2646         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
2647         https://bugs.webkit.org/show_bug.cgi?id=173609
2648
2649         Reviewed by Keith Miller.
2650
2651         This patch makes many of the IC generating functions require a locker as
2652         a parameter. We do this in other places in JSC to indicate that
2653         a particular API is only valid while a particular lock is held.
2654         This is the case when generating ICs. This patch just makes it
2655         explicit in the IC generating interface.
2656
2657         * bytecode/PolymorphicAccess.cpp:
2658         (JSC::PolymorphicAccess::addCases):
2659         (JSC::PolymorphicAccess::addCase):
2660         (JSC::PolymorphicAccess::commit):
2661         (JSC::PolymorphicAccess::regenerate):
2662         * bytecode/PolymorphicAccess.h:
2663         * bytecode/StructureStubInfo.cpp:
2664         (JSC::StructureStubInfo::addAccessCase):
2665         (JSC::StructureStubInfo::initStub): Deleted.
2666         * bytecode/StructureStubInfo.h:
2667         * jit/Repatch.cpp:
2668         (JSC::tryCacheGetByID):
2669         (JSC::repatchGetByID):
2670         (JSC::tryCachePutByID):
2671         (JSC::repatchPutByID):
2672         (JSC::tryRepatchIn):
2673         (JSC::repatchIn):
2674
2675 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
2676
2677         Disable font variations on macOS Sierra and iOS 10
2678         https://bugs.webkit.org/show_bug.cgi?id=173618
2679         <rdar://problem/32879164>
2680
2681         Reviewed by Jon Lee.
2682
2683         * Configurations/FeatureDefines.xcconfig:
2684
2685 2017-06-20  Keith Miller  <keith_miller@apple.com>
2686
2687         Fix leak of ModuleInformations in BBQPlan constructors.
2688         https://bugs.webkit.org/show_bug.cgi?id=173577
2689
2690         Reviewed by Saam Barati.
2691
2692         This patch fixes a leak in the BBQPlan constructors. Previously,
2693         the plans were calling makeRef on the newly constructed objects.
2694         This patch fixes the issue and uses adoptRef instead. Additionally,
2695         an old, incorrect, attempt to fix the leak is removed.
2696
2697         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
2698         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
2699         * jit/JITWorklist.cpp:
2700         (JSC::JITWorklist::Thread::Thread):
2701         * runtime/PromiseDeferredTimer.cpp:
2702         (JSC::PromiseDeferredTimer::addPendingPromise):
2703         * runtime/VM.cpp:
2704         (JSC::VM::VM):
2705         * wasm/WasmBBQPlan.cpp:
2706         (JSC::Wasm::BBQPlan::BBQPlan):
2707         * wasm/WasmPlan.cpp:
2708         (JSC::Wasm::Plan::Plan):
2709
2710 2017-06-20  Devin Rousso  <drousso@apple.com>
2711
2712         Web Inspector: Send context attributes for tracked canvases
2713         https://bugs.webkit.org/show_bug.cgi?id=173327
2714
2715         Reviewed by Joseph Pecoraro.
2716
2717         * inspector/protocol/Canvas.json:
2718         Add ContextAttributes object type that is optionally used for WebGL canvases.
2719
2720 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
2721
2722         Remove excessive include directives from WTF
2723         https://bugs.webkit.org/show_bug.cgi?id=173553
2724
2725         Reviewed by Saam Barati.
2726
2727         * profiler/ProfilerDatabase.cpp: Added missing include directive.
2728         * runtime/SamplingProfiler.cpp: Ditto.
2729
2730 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
2731
2732         Revert changes in bug#160417 about extending `null` not being a derived class
2733         https://bugs.webkit.org/show_bug.cgi?id=169293
2734
2735         Reviewed by Saam Barati.
2736
2737         Reverted changes in bug#160417 about extending `null` not being a derived class 
2738         according to changes in spec:
2739         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
2740
2741         * builtins/BuiltinNames.h:
2742         * bytecompiler/BytecodeGenerator.cpp:
2743         (JSC::BytecodeGenerator::BytecodeGenerator):
2744         (JSC::BytecodeGenerator::emitReturn):
2745         * bytecompiler/NodesCodegen.cpp:
2746         (JSC::ClassExprNode::emitBytecode):
2747
2748 2017-06-20  Saam Barati  <sbarati@apple.com>
2749
2750         repatchIn needs to lock the CodeBlock's lock
2751         https://bugs.webkit.org/show_bug.cgi?id=173573
2752
2753         Reviewed by Yusuke Suzuki.
2754
2755         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
2756         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
2757         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
2758         with the marking thread. repatchIn was not grabbing the lock. I haven't been
2759         able to get it to crash, but this is needed for the same reasons that get and put IC
2760         regeneration grab the lock.
2761
2762         * jit/Repatch.cpp:
2763         (JSC::repatchIn):
2764
2765 2017-06-19  Devin Rousso  <drousso@apple.com>
2766
2767         Web Inspector: create canvas content view and details sidebar panel
2768         https://bugs.webkit.org/show_bug.cgi?id=138941
2769         <rdar://problem/19051672>
2770
2771         Reviewed by Joseph Pecoraro.
2772
2773         * inspector/protocol/Canvas.json:
2774          - Add an optional `nodeId` attribute to the `Canvas` type.
2775          - Add `requestNode` command for getting the node id of the backing canvas element.
2776          - Add `requestContent` command for getting the current image content of the canvas.
2777
2778 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2779
2780         Unreviewed, build fix for ARM
2781
2782         * assembler/MacroAssemblerARM.h:
2783         (JSC::MacroAssemblerARM::internalCompare32):
2784
2785 2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>
2786
2787         [DFG] More ArrayIndexOf fixups for various types
2788         https://bugs.webkit.org/show_bug.cgi?id=173176
2789
2790         Reviewed by Saam Barati.
2791
2792         This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.
2793
2794         1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
2795         never contains the given search value.
2796
2797         2. We support Symbol and Other specialization additionally. Especially, Other is
2798         useful because null/undefined can be used as a sentinel value.
2799
2800         One interesting thing is that Array.prototype.indexOf does not consider holes as
2801         undefineds. Thus,
2802
2803             var array = [,,,,,,,];
2804             array.indexOf(undefined); // => -1
2805
2806         This can be trivially achieved in JSC because Empty and Undefined are different values.
2807
2808         * dfg/DFGFixupPhase.cpp:
2809         (JSC::DFG::FixupPhase::fixupNode):
2810         (JSC::DFG::FixupPhase::fixupArrayIndexOf):
2811         * dfg/DFGSpeculativeJIT.cpp:
2812         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2813         (JSC::DFG::SpeculativeJIT::speculateOther):
2814         * dfg/DFGSpeculativeJIT.h:
2815         * ftl/FTLLowerDFGToB3.cpp:
2816         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
2817
2818 2017-06-19  Caio Lima  <ticaiolima@gmail.com>
2819
2820         [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
2821         https://bugs.webkit.org/show_bug.cgi?id=172972
2822
2823         Reviewed by Mark Lam.
2824
2825         We are changing the internalCompare32 implementation in the ARM
2826         MacroAssembler to emit "cmp" when the "right.value" is 0.
2827         It is generating wrong comparison cases, since the
2828         semantics of cmn are the opposite of cmp [1]. One case that it's breaking is
2829         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends up
2830         resulting in the following assembly code:
2831
2832         ```
2833         cmn $r0, #0
2834         bhi <address>
2835         ```
2836
2837         However, as cmn is similar to "adds", it will never take the branch
2838         when $r0 > 0. In that case, the correct opcode is "cmp". With this
2839         patch we will fix current broken tests that use
2840         "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
2841         such as ForwardVarargs, Spread and GetRestLength.
2842
2843         [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html
2844
2845         * assembler/MacroAssemblerARM.h:
2846         (JSC::MacroAssemblerARM::internalCompare32):
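
        As an added illustration (not part of this patch or of WebKit's code): the C model
        below computes the ARM NZCV flags left by "cmp" and "cmn", shows why the
        "cmn gpr, #0 ; bhi" sequence can never take the branch, and, going beyond the
        entry, checks when "cmn a, #-b" is a valid stand-in for "cmp a, #b" at all.
        All function names and the sample operand values are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ARM NZCV condition flags left behind by a flag-setting compare. */
typedef struct { bool n, z, c, v; } Flags;

/* Flags after "cmp a, b": computes a - b and discards the result.
   C means "no borrow", i.e. a >= b as unsigned integers. */
static Flags cmp_flags(uint32_t a, uint32_t b)
{
    uint32_t r = a - b;
    Flags f;
    f.n = (r >> 31) & 1;
    f.z = (r == 0);
    f.c = (a >= b);
    f.v = ((a ^ b) & (a ^ r)) >> 31;   /* signed overflow of the subtraction */
    return f;
}

/* Flags after "cmn a, b": computes a + b and discards the result.
   C is the carry out of bit 31, which adding 0 can never produce. */
static Flags cmn_flags(uint32_t a, uint32_t b)
{
    uint64_t wide = (uint64_t)a + (uint64_t)b;
    uint32_t r = (uint32_t)wide;
    Flags f;
    f.n = (r >> 31) & 1;
    f.z = (r == 0);
    f.c = (wide >> 32) & 1;
    f.v = (~(a ^ b) & (a ^ r)) >> 31;  /* signed overflow of the addition */
    return f;
}

/* Condition code HI ("unsigned higher"), tested by "bhi": C set and Z clear. */
static bool cond_hi(Flags f) { return f.c && !f.z; }

/* branch32(Above, gpr, TrustedImm32(0)) as the entry describes it:
   the broken sequence "cmn gpr, #0 ; bhi" versus the fixed "cmp gpr, #0 ; bhi". */
static bool above_zero_via_cmn(uint32_t gpr) { return cond_hi(cmn_flags(gpr, 0)); }
static bool above_zero_via_cmp(uint32_t gpr) { return cond_hi(cmp_flags(gpr, 0)); }

/* Generalisation (constructed check): "cmn a, #-b" may replace "cmp a, #b" only
   when every flag agrees.  a + (-b) and a - b give the same 32-bit result, so N
   and Z always match; C differs when b == 0 (adding 0 never carries, subtracting
   0 never borrows) and V differs when b == 0x80000000 (then -b == b). */
static bool cmn_can_replace_cmp(uint32_t a, uint32_t b)
{
    Flags p = cmp_flags(a, b);
    Flags q = cmn_flags(a, (uint32_t)0u - b);
    return p.n == q.n && p.z == q.z && p.c == q.c && p.v == q.v;
}

/* Counts constructed sample operands for which the cmn-based "above zero" test
   disagrees with the intended meaning, unsigned gpr > 0. */
static int cmn_mismatches_above_zero(void)
{
    static const uint32_t samples[] = { 0u, 1u, 2u, 7u, 0x7fffffffu, 0x80000000u, 0xffffffffu };
    int mismatches = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (above_zero_via_cmn(samples[i]) != (samples[i] > 0))
            mismatches++;
    return mismatches;
}

int main(void)
{
    printf("cmn-based branch32(Above, r, #0) is wrong for %d of 7 sample values\n",
           cmn_mismatches_above_zero());
    printf("cmp-based branch32(Above, 5, #0): %s\n",
           above_zero_via_cmp(5) ? "taken" : "not taken");
    return 0;
}
```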
2847
2848 2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>
2849
2850         test262: Completion values for control flow do not match the spec
2851         https://bugs.webkit.org/show_bug.cgi?id=171265
2852
2853         Reviewed by Saam Barati.
2854
2855         * bytecompiler/BytecodeGenerator.h:
2856         (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
2857         When we care about having proper completion values (global code
2858         in programs, modules, and eval) insert undefined results for
2859         control flow statements.
2860
2861         * bytecompiler/NodesCodegen.cpp:
2862         (JSC::SourceElements::emitBytecode):
2863         Reduce writing a default `undefined` value to the completion result to
2864         only once before the last statement we know will produce a value.
2865
2866         (JSC::IfElseNode::emitBytecode):
2867         (JSC::WithNode::emitBytecode):
2868         (JSC::WhileNode::emitBytecode):
2869         (JSC::ForNode::emitBytecode):
2870         (JSC::ForInNode::emitBytecode):
2871         (JSC::ForOfNode::emitBytecode):
2872         (JSC::SwitchNode::emitBytecode):
2873         Insert an undefined to handle cases where code may break out of an
2874         if/else or with statement (break/continue).
2875
2876         (JSC::TryNode::emitBytecode):
2877         Same handling for break cases. Also, finally block statement completion
2878         values are always ignored for the try statement result.
2879
2880         (JSC::ClassDeclNode::emitBytecode):
2881         Class declarations, like function declarations, produce an empty result.
2882
2883         * parser/Nodes.cpp:
2884         (JSC::SourceElements::lastStatement):
2885         (JSC::SourceElements::hasCompletionValue):
2886         (JSC::SourceElements::hasEarlyBreakOrContinue):
2887         (JSC::BlockNode::lastStatement):
2888         (JSC::BlockNode::singleStatement):
2889         (JSC::BlockNode::hasCompletionValue):
2890         (JSC::BlockNode::hasEarlyBreakOrContinue):
2891         (JSC::ScopeNode::singleStatement):
2892         (JSC::ScopeNode::hasCompletionValue):
2893         (JSC::ScopeNode::hasEarlyBreakOrContinue):
2894         The only non-trivial cases need to loop through their list of statements
2895         to determine if this has a completion value or not. Likewise for
2896         determining if there is an early break / continue, meaning a break or
2897         continue statement with no preceding statement that has a completion value.
2898
2899         * parser/Nodes.h:
2900         (JSC::StatementNode::next):
2901         (JSC::StatementNode::hasCompletionValue):
2902         Helper to check if a statement node produces a completion value or not.
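
The completion-value rules this entry implements (an if/loop/try statement that produces no value overwrites the program's completion value with undefined, while declarations leave it untouched and a finally block's value is ignored) can be observed from script through indirect eval, which returns the completion value of the program it evaluates. The following is an added example, not WebKit code and not part of the ChangeLog entry; it assumes a spec-compliant engine such as a current Node.js, and the list of programs is constructed for illustration.

```javascript
// Added example (not WebKit code): observe statement completion values through
// indirect eval, which evaluates in global scope and returns the completion
// value of the evaluated program.
const indirectEval = (0, eval);

function completionValue(source) {
  return indirectEval(source);
}

// Constructed cases: each program is paired with the completion value the spec
// requires. The leading "1;" makes it visible when a control-flow statement
// replaces the completion value with undefined instead of leaving it empty.
const cases = [
  // if with no else and an empty block: UpdateEmpty(empty, undefined) -> undefined
  ["1; if (true) {}", undefined],
  // if whose taken branch produces a value keeps that value
  ["1; if (true) 2;", 2],
  // if whose branch is not taken still yields undefined, not the earlier 1
  ["1; if (false) 2;", undefined],
  // a loop that never runs its body yields undefined
  ["1; while (false) {}", undefined],
  // break carries the last value produced inside the loop body
  ["1; do { 2; break; } while (false)", 2],
  // the finally block's completion value is ignored; the try block's is kept
  ["1; try { 2; } finally { 3; }", 2],
  // declarations produce an empty completion, so the earlier value survives
  ["1; function f() {}", 1],
  ["1; var x = 5;", 1],
];

// Returns the cases whose observed completion value differs from the spec.
function checkAll() {
  const failures = [];
  for (const [source, expected] of cases) {
    const actual = completionValue(source);
    if (actual !== expected) failures.push({ source, expected, actual });
  }
  return failures;
}
```

An engine with the pre-patch behaviour described above would report the `if`, `while` and `try` cases as failures, since it would return 1 where the spec requires undefined or the inner value.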
2903
2904 2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>
2905
2906         Missing <functional> includes make builds fail with GCC 7.x
2907         https://bugs.webkit.org/show_bug.cgi?id=173544
2908
2909         Unreviewed gardening.
2910
2911         Fix compilation with GCC 7.
2912
2913         * API/tests/CompareAndSwapTest.cpp:
2914         * runtime/VMEntryScope.h:
2915
2916 2017-06-17  Keith Miller  <keith_miller@apple.com>
2917
2918         ArrayBuffer constructor needs to create subclass structures before its buffer
2919         https://bugs.webkit.org/show_bug.cgi?id=173510
2920
2921         Reviewed by Yusuke Suzuki.
2922
2923         * runtime/JSArrayBufferConstructor.cpp:
2924         (JSC::constructArrayBuffer):
2925
2926 2017-06-17  Keith Miller  <keith_miller@apple.com>
2927
2928         ArrayPrototype methods should use JSValue::toLength for non-Arrays.
2929         https://bugs.webkit.org/show_bug.cgi?id=173506
2930
2931         Reviewed by Ryosuke Niwa.
2932
2933         This patch changes the result of unshift if old length +
2934         unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
2935         the getLength function, which was always incorrect to use, has
2936         been removed. Additionally, some cases where we were using a
2937         constant for (2 ** 53) - 1 have been replaced with
2938         maxSafeInteger()
2939
2940         * interpreter/Interpreter.cpp:
2941         (JSC::sizeOfVarargs):
2942         * runtime/ArrayPrototype.cpp:
2943         (JSC::arrayProtoFuncToLocaleString):
2944         (JSC::arrayProtoFuncPop):
2945         (JSC::arrayProtoFuncPush):
2946         (JSC::arrayProtoFuncReverse):
2947         (JSC::arrayProtoFuncShift):
2948         (JSC::arrayProtoFuncSlice):
2949         (JSC::arrayProtoFuncSplice):
2950         (JSC::arrayProtoFuncUnShift):
2951         (JSC::arrayProtoFuncIndexOf):
2952         (JSC::arrayProtoFuncLastIndexOf):
2953         * runtime/JSArrayInlines.h:
2954         (JSC::getLength): Deleted.
2955         * runtime/JSCJSValue.cpp:
2956         (JSC::JSValue::toLength):
2957         * runtime/NumberConstructor.cpp:
2958         (JSC::numberConstructorFuncIsSafeInteger):
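
To make the length handling in this entry concrete, here is an added example (not WebKit code and not part of the ChangeLog entry) that writes out the spec's ToLength conversion in JavaScript and checks the observable behaviour it produces on the Array.prototype built-ins when the receiver is a plain array-like object. It assumes a spec-compliant engine such as a current Node.js; the array-like objects are constructed for illustration.

```javascript
// Added example (not WebKit code): the spec's ToLength conversion, which the
// Array.prototype methods apply to the "length" of non-Array receivers, next
// to the behaviour it produces on the built-ins themselves.
const MAX_SAFE = Number.MAX_SAFE_INTEGER; // 2 ** 53 - 1

function toLength(value) {
  const n = Math.trunc(Number(value));     // ToIntegerOrInfinity; NaN stays NaN
  if (Number.isNaN(n) || n <= 0) return 0; // NaN, negatives and -0 clamp to 0
  return Math.min(n, MAX_SAFE);            // +Infinity and larger clamp to 2**53 - 1
}

// push on a receiver with a negative length: ToLength(-5) is 0, so the element
// lands at index 0 and the new length is 1.
function pushOntoNegativeLength() {
  const obj = { length: -5 };
  const newLength = Array.prototype.push.call(obj, "a");
  return { newLength, first: obj[0] };     // { newLength: 1, first: "a" }
}

// indexOf reads "length" through ToLength, so a string "2" is converted to 2
// and index 2 is never inspected.
function indexOfWithStringLength() {
  const obj = { length: "2", 0: "x", 1: "y", 2: "z" };
  return Array.prototype.indexOf.call(obj, "z"); // -1
}

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// unshift must refuse to grow an array-like past 2**53 - 1 with a TypeError
// instead of producing a bogus length.
function unshiftPastSafeLength() {
  return throwsTypeError(() => Array.prototype.unshift.call({ length: MAX_SAFE }, 1));
}

// ToLength(Infinity) is 2**53 - 1, so pushing even one element overflows.
function pushWithInfiniteLength() {
  return throwsTypeError(() => Array.prototype.push.call({ length: Infinity }, 1));
}
```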
2959
2960 2017-06-16  Matt Baker  <mattbaker@apple.com>
2961
2962         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
2963         https://bugs.webkit.org/show_bug.cgi?id=172623
2964         <rdar://problem/32415986>
2965
2966         Reviewed by Devin Rousso and Joseph Pecoraro.
2967
2968         This patch adds a basic Canvas protocol. It includes Canvas and related
2969         types and events for monitoring the lifetime of canvases in the page.
2970
2971         * CMakeLists.txt:
2972         * DerivedSources.make:
2973         * inspector/protocol/Canvas.json: Added.
2974
2975         * inspector/scripts/codegen/generator.py:
2976         (Generator.stylized_name_for_enum_value):
2977         Add special handling for Canvas.ContextType protocol enumeration,
2978         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
2979
2980 2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>
2981
2982         [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
2983         https://bugs.webkit.org/show_bug.cgi?id=173366
2984         <rdar://problem/32767014>
2985
2986         Reviewed by Tim Horton.
2987
2988         Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.
2989
2990         * Configurations/FeatureDefines.xcconfig:
2991
2992 2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>
2993
2994         [JSC] Add fast path for Object.assign
2995         https://bugs.webkit.org/show_bug.cgi?id=173416
2996
2997         Reviewed by Mark Lam.
2998
2999         In the Object.assign implementation, we need to ensure that the given key is still an enumerable own key.
3000         This seems to be a duplicate lookup, and we want to avoid it. However, we still need to perform this
3001         check in the face of Proxy. Proxy can observe whether this check is done correctly.
3002
3003         In almost all cases, the above check duplicates the subsequent [[Get]] operation.
3004         In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
3005         If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
3006         value by calling `slot.getValue()`.
3007
3008         This further improves performance of Object.assign.
3009
3010                                         baseline                  patched
3011
3012             object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster
3013
3014         * runtime/ObjectConstructor.cpp:
3015         (JSC::objectConstructorAssign):
3016
3017 2017-06-16  Michael Saboff  <msaboff@apple.com>
3018
3019         Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
3020         https://bugs.webkit.org/show_bug.cgi?id=173488
3021
3022         Reviewed by Filip Pizlo.
3023
3024         ClonedArguments lazily sets its callee and iterator properties and it used its own inline
3025         code to initialize its butterfly.  This means that these lazily set properties can have
3026         bogus values in those slots.  Instead, let's use the standard Butterfly::tryCreate() method
3027         to create the butterfly as it clears out-of-line properties.
3028
3029         * runtime/ClonedArguments.cpp:
3030         (JSC::ClonedArguments::createEmpty):
3031
3032 2017-06-16  Mark Lam  <mark.lam@apple.com>
3033
3034         Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
3035         https://bugs.webkit.org/show_bug.cgi?id=173491
3036
3037         Reviewed by Keith Miller.
3038
3039         The implementations are based on static data. There's no need to get the
3040         interpreter instance. Hence, we can make these methods static and avoid doing
3041         unnecessary work to compute the interpreter this pointer.
3042
3043         Also removed the unused isCallBytecode method.
3044
3045         * bytecode/BytecodeBasicBlock.cpp:
3046         (JSC::BytecodeBasicBlock::computeImpl):
3047         * bytecode/BytecodeDumper.cpp:
3048         (JSC::BytecodeDumper<Block>::printGetByIdOp):
3049         (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
3050         (JSC::BytecodeDumper<Block>::dumpBytecode):
3051         (JSC::BytecodeDumper<Block>::dumpBlock):
3052         * bytecode/BytecodeLivenessAnalysis.cpp:
3053         (JSC::BytecodeLivenessAnalysis::dumpResults):
3054         * bytecode/BytecodeLivenessAnalysisInlines.h:
3055         (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
3056         * bytecode/BytecodeRewriter.cpp:
3057         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3058         * bytecode/CallLinkStatus.cpp:
3059         (JSC::CallLinkStatus::computeFromLLInt):
3060         * bytecode/CodeBlock.cpp:
3061         (JSC::CodeBlock::finishCreation):
3062         (JSC::CodeBlock::propagateTransitions):
3063         (JSC::CodeBlock::finalizeLLIntInlineCaches):
3064         (JSC::CodeBlock::hasOpDebugForLineAndColumn):
3065         (JSC::CodeBlock::usesOpcode):
3066         (JSC::CodeBlock::valueProfileForBytecodeOffset):
3067         (JSC::CodeBlock::arithProfileForPC):
3068         (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
3069         * bytecode/PreciseJumpTargets.cpp:
3070         (JSC::getJumpTargetsForBytecodeOffset):
3071         (JSC::computePreciseJumpTargetsInternal):
3072         (JSC::findJumpTargetsForBytecodeOffset):
3073         * bytecode/PreciseJumpTargetsInlines.h:
3074         (JSC::extractStoredJumpTargetsForBytecodeOffset):
3075         * bytecode/UnlinkedCodeBlock.cpp:
3076         (JSC::UnlinkedCodeBlock::applyModification):
3077         * dfg/DFGByteCodeParser.cpp:
3078         (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
3079         (JSC::DFG::ByteCodeParser::parseBlock):
3080         * dfg/DFGCapabilities.cpp:
3081         (JSC::DFG::capabilityLevel):
3082         * interpreter/Interpreter.cpp:
3083         (JSC::Interpreter::Interpreter):
3084         (JSC::Interpreter::isOpcode):
3085         (): Deleted.
3086         * interpreter/Interpreter.h:
3087         (JSC::Interpreter::getOpcode): Deleted.
3088         (JSC::Interpreter::getOpcodeID): Deleted.
3089         (JSC::Interpreter::isCallBytecode): Deleted.
3090         * interpreter/InterpreterInlines.h:
3091         (JSC::Interpreter::getOpcode):
3092         (JSC::Interpreter::getOpcodeID):
3093         * jit/JIT.cpp:
3094         (JSC::JIT::privateCompileMainPass):
3095         (JSC::JIT::privateCompileSlowCases):
3096         * jit/JITOpcodes.cpp:
3097         (JSC::JIT::emitNewFuncCommon):
3098         (JSC::JIT::emitNewFuncExprCommon):
3099         * jit/JITPropertyAccess.cpp:
3100         (JSC::JIT::emitSlow_op_put_by_val):
3101         (JSC::JIT::privateCompilePutByVal):
3102         * jit/JITPropertyAccess32_64.cpp:
3103         (JSC::JIT::emitSlow_op_put_by_val):
3104         * llint/LLIntSlowPaths.cpp:
3105         (JSC::LLInt::llint_trace_operand):
3106         (JSC::LLInt::llint_trace_value):
3107         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3108         * profiler/ProfilerBytecodeSequence.cpp:
3109         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
3110
3111 2017-06-16  Matt Lewis  <jlewis3@apple.com>
3112
3113         Unreviewed, rolling out r218376.
3114
3115         The patch caused multiple Layout Test crashes.
3116
3117         Reverted changeset:
3118
3119         "Web Inspector: Instrument 2D/WebGL canvas contexts in the
3120         backend"
3121         https://bugs.webkit.org/show_bug.cgi?id=172623
3122         http://trac.webkit.org/changeset/218376
3123
3124 2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>
3125
3126         REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
3127         https://bugs.webkit.org/show_bug.cgi?id=173470
3128
3129         Reviewed by Joseph Pecoraro.
3130
3131         ConsoleClient::printConsoleMessageWithArguments() incorrectly uses the
3132         const char* overload of StringBuilder::append(), which assumes Latin1
3133         encoding, not UTF8.
3134
3135         * runtime/ConsoleClient.cpp:
3136         (JSC::ConsoleClient::printConsoleMessageWithArguments):
3137
3138 2017-06-15  Mark Lam  <mark.lam@apple.com>
3139
3140         Add a JSRunLoopTimer registry in VM.
3141         https://bugs.webkit.org/show_bug.cgi?id=173429
3142         <rdar://problem/31287961>
3143
3144         Reviewed by Filip Pizlo.
3145
3146         This way, we can be sure we've got every JSRunLoopTimer instance covered if we
3147         need to change their run loop (e.g. when setting to the WebThread's run loop).
3148
3149         * heap/Heap.cpp:
3150         (JSC::Heap::Heap):
3151         (JSC::Heap::setRunLoop): Deleted.
3152         * heap/Heap.h:
3153         (JSC::Heap::runLoop): Deleted.
3154         * runtime/JSRunLoopTimer.cpp:
3155         (JSC::JSRunLoopTimer::JSRunLoopTimer):
3156         (JSC::JSRunLoopTimer::setRunLoop):
3157         (JSC::JSRunLoopTimer::~JSRunLoopTimer):
3158         * runtime/VM.cpp:
3159         (JSC::VM::VM):
3160         (JSC::VM::registerRunLoopTimer):
3161         (JSC::VM::unregisterRunLoopTimer):
3162         (JSC::VM::setRunLoop):
3163         * runtime/VM.h:
3164         (JSC::VM::runLoop):
3165
3166 2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>
3167
3168         [Cocoa] Modernize some internal initializers to use instancetype instead of id
3169         https://bugs.webkit.org/show_bug.cgi?id=173112
3170
3171         Reviewed by Wenson Hsieh.
3172
3173         * API/JSContextInternal.h:
3174         * API/JSWrapperMap.h:
3175         * API/JSWrapperMap.mm:
3176         (-[JSObjCClassInfo initForClass:]):
3177         (-[JSWrapperMap initWithGlobalContextRef:]):
3178
3179 2017-06-15  Matt Baker  <mattbaker@apple.com>
3180
3181         Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
3182         https://bugs.webkit.org/show_bug.cgi?id=172623
3183         <rdar://problem/32415986>
3184
3185         Reviewed by Devin Rousso.
3186
3187         This patch adds a basic Canvas protocol. It includes Canvas and related
3188         types and events for monitoring the lifetime of canvases in the page.
3189
3190         * CMakeLists.txt:
3191         * DerivedSources.make:
3192         * inspector/protocol/Canvas.json: Added.
3193
3194         * inspector/scripts/codegen/generator.py:
3195         (Generator.stylized_name_for_enum_value):
3196         Add special handling for Canvas.ContextType protocol enumeration,
3197         so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.
3198
3199 2017-06-15  Keith Miller  <keith_miller@apple.com>
3200
3201         Add logging to MachineStackMarker to try to diagnose crashes in the wild
3202         https://bugs.webkit.org/show_bug.cgi?id=173427
3203
3204         Reviewed by Mark Lam.
3205
3206         This patch adds some logging to the MachineStackMarker constructor
3207         to help figure out where we are seeing crashes. Since macOS does
3208         not support os_log_info, my hope is that if we set all the callee
3209         save registers before making any calls in the C++ code we can
3210         figure out which call is the source of the crash. We also set
3211         all the caller save registers before returning in case some
3212         weirdness is happening in the Heap constructor.
3213
3214         This logging should not matter from a performance perspective. We
3215         only create MachineStackMarkers when we are creating a new VM,
3216         which is already expensive.
3217
3218         * heap/MachineStackMarker.cpp:
3219         (JSC::MachineThreads::MachineThreads):
3220
3221 2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3222
3223         [JSC] Implement Object.assign in C++
3224         https://bugs.webkit.org/show_bug.cgi?id=173414
3225
3226         Reviewed by Saam Barati.
3227
3228         Implementing Object.assign in JS is not so good compared to the C++ version because:
3229
3230         1. The JS version allocates a JS array for the object's own keys. And we allocate a JSString / Symbol for each key.
3231         But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.
3232
3233         2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
3234         So JS's type profile doesn't help much.
3235
3236         3. We have a chance to introduce various fast paths for Object.assign in C++.
3237
3238         This patch moves the implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].
3239
3240         We can see 1.65x improvement in SixSpeed object-assign.es6.
3241
3242                                     baseline                  patched
3243
3244         object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster
3245
3246         [1]: https://bugs.webkit.org/show_bug.cgi?id=173416
3247
3248         * builtins/ObjectConstructor.js:
3249         (entries):
3250         (assign): Deleted.
3251         * runtime/JSCJSValueInlines.h:
3252         (JSC::JSValue::putInline):
3253         * runtime/JSCell.h:
3254         * runtime/JSCellInlines.h:
3255         (JSC::JSCell::putInline):
3256         * runtime/JSObject.cpp:
3257         (JSC::JSObject::put):
3258         * runtime/JSObject.h:
3259         * runtime/JSObjectInlines.h:
3260         (JSC::JSObject::putInlineForJSObject):
3261         (JSC::JSObject::putInline): Deleted.
3262         * runtime/ObjectConstructor.cpp:
3263         (JSC::objectConstructorAssign):
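
The two Object.assign entries above (173414, moving the implementation to C++, and 173416, adding a fast path that skips the duplicate own-property check only when the source is not tainted by an opaque object) both rest on the fact that the per-key [[GetOwnProperty]] and [[Get]] operations are observable from script. The following added example (not WebKit code and not part of either ChangeLog entry) makes that visible: a Proxy source records the internal-method calls Object.assign performs, and a getter on an ordinary source deletes a later key to show why the ownership check cannot simply be dropped. It assumes a spec-compliant engine such as a current Node.js; the source objects are constructed for illustration.

```javascript
// Added example (not WebKit code): the internal operations Object.assign
// performs per key are observable through Proxy traps and getters, which is
// why an engine may skip the GetOwnProperty/Get pair only when the source
// cannot be tainted by an opaque object.

// Record the order of internal-method calls Object.assign makes on a Proxy source.
function traceAssign(sourceTarget) {
  const log = [];
  const proxy = new Proxy(sourceTarget, {
    ownKeys(t) {
      log.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });
  const result = Object.assign({}, proxy);
  return { log, result };
}

// A getter on the source deletes a later key while the copy is in progress.
// The per-key ownership check must see the deletion, so "b" is not copied
// even though it was listed by [[OwnPropertyKeys]].
function assignWithDeletingGetter() {
  const source = {
    get a() { delete this.b; return 1; },
    b: 2,
  };
  return Object.assign({}, source); // { a: 1 }
}

// Non-enumerable own properties are listed by ownKeys and inspected with
// getOwnPropertyDescriptor, but never read with get.
function assignSkipsNonEnumerable() {
  const target = Object.defineProperty({ visible: 1 }, "hidden", {
    value: 2,
    enumerable: false,
  });
  return traceAssign(target);
}
```

The expected trace for a two-key source is ownKeys once, then for each key a getOwnPropertyDescriptor call followed by a get call; a fast path is only valid when the engine can prove none of those steps is observable, which is what the `isTaintedByOpaqueObject()` check in 173416 establishes.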
3264
3265 2017-06-14  Dan Bernstein  <mitz@apple.com>
3266
3267         [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
3268         https://bugs.webkit.org/show_bug.cgi?id=168578
3269
3270         Reviewed by Geoff Garen.
3271
3272         * API/JSWrapperMap.mm:
3273         (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
3274         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
3275         (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
3276           it defines conformance to a JSExport-derived protocol and if so, avoid using the
3277           superclass as a substitute as we’d normally do.
3278
3279         * API/ObjcRuntimeExtras.h:
3280         (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
3281           bail out.
3282
3283         * API/tests/JSExportTests.mm:
3284         (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
3285         (runJSExportTests): Run new test.
3286
3287 2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3288
3289         Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
3290         https://bugs.webkit.org/show_bug.cgi?id=172421
3291
3292         * dfg/DFGSpeculativeJIT.cpp:
3293         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
3294
3295 2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>
3296
3297         REGRESSION: 15 new jsc failures in WPE and GTK+
3298         https://bugs.webkit.org/show_bug.cgi?id=173349
3299
3300         Reviewed by JF Bastien.
3301
3302         Recent changes to generateWasm.py are not accounted for from
3303         CMake, which leads to WasmOps.h not being regenerated in partial
3304         builds. Make generateWasm.py an additional dependency.
3305         * CMakeLists.txt:
3306
3307 2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>
3308
3309         Debugger has unexpected effect on program correctness
3310         https://bugs.webkit.org/show_bug.cgi?id=172683
3311
3312         Reviewed by Saam Barati.
3313
3314         * inspector/InjectedScriptSource.js:
3315         (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
3316         (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
3317         (BasicCommandLineAPI):
3318         Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
3319         We still use it for Set / Map iteration which we can eliminate when moving to builtins.
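
The observability this entry removes is easy to reproduce: for..of on an Array goes through Array.prototype[Symbol.iterator], which page script can replace, so any privileged script running in the page's realm (such as an inspector's injected script) that uses for..of ends up executing page-controlled code and seeing page-controlled values, while an index loop does not. The following is an added example, not WebKit code and not part of the ChangeLog entry; it assumes any ES2015 engine such as Node.js, and the hostile-page behaviour and sample array are constructed for illustration.

```javascript
// Added example (not WebKit code): why for..of over an Array is observable
// and tamperable by page script while an index loop is not.

function sumWithForOf(values) {
  let total = 0;
  for (const v of values) total += v; // calls values[Symbol.iterator]()
  return total;
}

function sumWithIndexLoop(values) {
  let total = 0;
  for (let i = 0; i < values.length; i++) total += values[i]; // no iterator protocol
  return total;
}

// Simulated hostile page (constructed): replace Array iteration, record that
// it ran, and tamper with the yielded values. The original property is
// restored afterwards so the rest of the program is unaffected.
function withHijackedArrayIterator(fn) {
  const original = Object.getOwnPropertyDescriptor(Array.prototype, Symbol.iterator);
  const seen = [];
  Array.prototype[Symbol.iterator] = function* () {
    seen.push("iterator invoked");
    for (let i = 0; i < this.length; i++) yield this[i] * 100; // tampered values
  };
  try {
    return { result: fn(), seen };
  } finally {
    Object.defineProperty(Array.prototype, Symbol.iterator, original);
  }
}
```

Under the hijack, sumWithForOf([1, 2, 3]) runs the page's generator and returns 600, whereas sumWithIndexLoop([1, 2, 3]) never touches the iterator and still returns 6; that difference is what the entry refers to as being "observable".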
3320
3321 2017-06-13  JF Bastien  <jfbastien@apple.com>
3322
3323         WebAssembly: fix erroneous signature comment
3324         https://bugs.webkit.org/show_bug.cgi?id=173334
3325
3326         Reviewed by Keith Miller.
3327
3328         * wasm/WasmSignature.h:
3329
3330 2017-06-13  Michael Saboff  <msaboff@apple.com>
3331
3332         Refactor AbsenceOfSetter to AbsenceOfSetEffects
3333         https://bugs.webkit.org/show_bug.cgi?id=173322
3334
3335         Reviewed by Filip Pizlo.
3336
3337         * bytecode/ObjectPropertyCondition.h:
3338         (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
3339         (JSC::ObjectPropertyCondition::absenceOfSetEffect):
3340         (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
3341         (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
3342         * bytecode/ObjectPropertyConditionSet.cpp:
3343         (JSC::generateConditionsForPropertySetterMiss):
3344         (JSC::generateConditionsForPropertySetterMissConcurrently):
3345         * bytecode/PropertyCondition.cpp:
3346         (JSC::PropertyCondition::dumpInContext):
3347         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
3348         (JSC::PropertyCondition::isStillValid):
3349         (WTF::printInternal):
3350         * bytecode/PropertyCondition.h:
3351         (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
3352         (JSC::PropertyCondition::absenceOfSetEffect):
3353         (JSC::PropertyCondition::hasPrototype):
3354         (JSC::PropertyCondition::hash):
3355         (JSC::PropertyCondition::operator==):
3356         (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
3357         (JSC::PropertyCondition::absenceOfSetter): Deleted.
3358
3359 2017-06-13  JF Bastien  <jfbastien@apple.com>
3360
3361         WebAssembly: import updated spec tests
3362         https://bugs.webkit.org/show_bug.cgi?id=173287
3363         <rdar://problem/32725975>
3364
3365         Reviewed by Saam Barati.
3366
3367         Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
3368         with a few modifications so things work.
3369
3370         Fix a bunch of bugs found through this process, and punt a few tests (which I
3371         marked as blocked by this bug).
3372
3373         Fixes:
3374
3375         Fix load / store alignment: r216908 erroneously implemented it as bit alignment
3376         instead of byte alignment. It was also missing memory-alignment.js despite it
3377         being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
3378         pass.
3379
3380         Tables can be imported or in a section. There can be only one, but sections can
3381         be empty. An Elements section can exist if there's no Table, as long as it is
3382         also empty.
3383
3384         Memories can be imported or in a section. There can be only one, but sections
3385         can be empty. A Data section can exist if there's no Memory, as long as it is
3386         also empty.
3387
3388         Prototypes: stringify without .prototype. in the string.
3389
3390         WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
3391         not a final size, and throws a RangeError on failure, not a TypeError.
3392
3393         Fix compile / instantiate so they reject the promise if given an argument of the
3394         wrong type (instead of failing instantly).
3395
3396         Fix async on neuter test.
3397
3398         Element section shouldn't affect any Table if any of the elements are out of
3399         bounds. We need to process it in two passes.
3400
3401         Segment section shouldn't affect any Data if any of the segments are out of
3402         bounds. We need to process it in two passes.
3403
3404         Empty data segments are valid, but only when there is no memory. Their index
3405         still gets validated, and has to be zero.
3406
3407         Punts:
3408
3409         Error messages with context, the test seems overly restrictive but this is
3410         minor.
3411
3412         compile/instantiate/validate property descriptors.
3413
3414         UTF-8 bugs.
3415
3416         Temporarily disable NaN tests. We need to go back and implement the following
3417         semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
3418         much as getting all the other tests passing.
3419
3420         Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
3421         no_fold_promote_demote (an interesting corner case which we get wrong). mul by
3422         one is (assert_return (invoke \"f64.no_fold_mul_one\" (i64.const
3423         0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
3424         to qNaN, and promote/demote is (assert_return (invoke \"no_fold_promote_demote\"
3425         (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
3426         why they're not allowed.
3427
3428         * wasm/WasmB3IRGenerator.cpp:
3429         * wasm/WasmFunctionParser.h:
3430         * wasm/WasmModuleParser.cpp:
3431         * wasm/WasmModuleParser.h:
3432         * wasm/WasmParser.h:
3433         (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
3434         * wasm/generateWasm.py:
3435         (memoryLog2Alignment):
3436         * wasm/js/JSWebAssemblyTable.cpp:
3437         (JSC::JSWebAssemblyTable::grow):
3438         * wasm/js/JSWebAssemblyTable.h:
3439         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
3440         * wasm/js/WebAssemblyInstancePrototype.cpp:
3441         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
3442         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3443         * wasm/js/WebAssemblyModulePrototype.cpp:
3444         * wasm/js/WebAssemblyModuleRecord.cpp:
3445         (JSC::WebAssemblyModuleRecord::evaluate):
3446         * wasm/js/WebAssemblyPrototype.cpp:
3447         (JSC::webAssemblyCompileFunc):
3448         (JSC::resolve):
3449         (JSC::instantiate):
3450         (JSC::compileAndInstantiate):
3451         (JSC::webAssemblyInstantiateFunc):
3452         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
3453         * wasm/js/WebAssemblyTablePrototype.cpp:
3454         (JSC::webAssemblyTableProtoFuncGrow):
3455
3456 2017-06-13  Michael Saboff  <msaboff@apple.com>
3457
3458         DFG doesn't properly handle a property that is changed to read-only in a prototype
3459         https://bugs.webkit.org/show_bug.cgi?id=173321
3460
3461         Reviewed by Filip Pizlo.
3462
3463         We need to check for ReadOnly as well as for not being a Setter when checking
3464         an AbsenceOfSetter.
3465
3466         * bytecode/PropertyCondition.cpp:
3467         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
3468
3469 2017-06-13  Daniel Bates  <dabates@apple.com>
3470
3471         Implement W3C Secure Contexts Draft Specification
3472         https://bugs.webkit.org/show_bug.cgi?id=158121
3473         <rdar://problem/26012994>
3474
3475         Reviewed by Brent Fulgham.
3476
3477         Part 4
3478
3479         Adds isSecureContext to the list of common identifiers as needed to support
3480         toggling its exposure from a runtime enabled feature flag.
3481
3482         * runtime/CommonIdentifiers.h:
3483
3484 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
3485
3486         [JSC] Remove redundant includes in config.h
3487         https://bugs.webkit.org/show_bug.cgi?id=173294
3488
3489         Reviewed by Alex Christensen.
3490
3491         * config.h:
3492
3493 2017-06-12  Saam Barati  <sbarati@apple.com>
3494
3495         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
3496         https://bugs.webkit.org/show_bug.cgi?id=172957
3497         <rdar://problem/32602704>
3498
3499         Reviewed by Filip Pizlo.
3500
3501         Consider this program:
3502         ```
3503         block#1:
3504         n: GetClosureVar(..., |this|) // this will load empty JSValue()
3505         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
3506         Branch(#2, #3)
3507         
3508         Block#3:
3509         x: GetLocal(locFoo)
3510         y: CheckNotEmpty(@x)
3511         ```
3512         
3513         If we claim that a cell check filters out the empty value, we will
3514         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
3515         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
3516         
3517         On 64 bit platforms:
3518         - Cell use kind *now allows* the empty value to pass through.
3519         - CellOrOther use kind *now allows* for the empty value to pass through
3520         - NotCell use kind *no longer allows* the empty value to pass through.
3521
3522         * assembler/CPU.h:
3523         (JSC::isARMv7IDIVSupported):
3524         (JSC::isARM64):
3525         (JSC::isX86):
3526         (JSC::isX86_64):
3527         (JSC::is64Bit):
3528         (JSC::is32Bit):
3529         (JSC::isMIPS):
3530         Make these functions constexpr so we can use them in static variable assignment.
3531
3532         * bytecode/SpeculatedType.h:
3533         * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileValueToInt32):
        (JSC::DFG::SpeculativeJIT::compileDoubleRep):
        (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
        (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
        (JSC::DFG::SpeculativeJIT::speculateCell):
        (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
        (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
        (JSC::DFG::SpeculativeJIT::speculateString):
        (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
        (JSC::DFG::SpeculativeJIT::speculateSymbol):
        (JSC::DFG::SpeculativeJIT::speculateNotCell):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
        (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
        (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
        (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
        * dfg/DFGUseKind.h:
        (JSC::DFG::typeFilterFor):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
        (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
        (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
        (JSC::FTL::DFG::LowerDFGToB3::boolify):
        (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
        (JSC::FTL::DFG::LowerDFGToB3::lowCell):
        (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
        (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
        (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
        (JSC::FTL::DFG::LowerDFGToB3::isCell):
        (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateString):
        (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
        (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):

2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress invalid register allocation validation assertion in 32 bit
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):

2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>

        We incorrectly allow escaped characters in keyword tokens
        https://bugs.webkit.org/show_bug.cgi?id=171310

        Reviewed by Yusuke Suzuki.

        According to the spec, it is not allowed to use escaped characters in
        keywords. https://tc39.github.io/ecma262/#sec-reserved-words
        The current patch implements this requirement.

        * parser/Lexer.cpp:
        (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::printUnexpectedTokenText):
        * parser/ParserTokens.h:

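An added example (not WebKit's lexer code) of the reserved-word rule the entry above implements: it decodes the Unicode escapes of an IdentifierName token and rejects a token whose decoded text is a reserved word, then cross-checks the host engine with `new Function`. The RESERVED_WORDS set is the spec's ReservedWord production; the function names are assumptions of this example.

```javascript
// Added example, not WebKit code. Rule under test: an IdentifierName may contain
// \uXXXX or \u{...} escapes, but a token whose *decoded* form is a ReservedWord
// must not contain any escape (https://tc39.github.io/ecma262/#sec-reserved-words).

// ReservedWord production of the spec (assumed complete for this example).
const RESERVED_WORDS = new Set([
  "await", "break", "case", "catch", "class", "const", "continue", "debugger",
  "default", "delete", "do", "else", "enum", "export", "extends", "false",
  "finally", "for", "function", "if", "import", "in", "instanceof", "new",
  "null", "return", "super", "switch", "this", "throw", "true", "try",
  "typeof", "var", "void", "while", "with", "yield",
]);

// Decode the escape sequences of an IdentifierName token.
// Returns { text, hadEscape }; throws SyntaxError on a malformed escape.
function decodeIdentifierName(token) {
  let text = "";
  let hadEscape = false;
  // Sticky regex: \uXXXX (group 1) or \u{X..XXXXXX} (group 2), matched at lastIndex.
  const escape = /\\u(?:([0-9a-fA-F]{4})|\{([0-9a-fA-F]{1,6})\})/y;
  for (let i = 0; i < token.length;) {
    if (token[i] !== "\\") { text += token[i++]; continue; }
    escape.lastIndex = i;
    const m = escape.exec(token);
    if (!m) throw new SyntaxError(`malformed escape at offset ${i}`);
    const codePoint = parseInt(m[1] !== undefined ? m[1] : m[2], 16);
    if (codePoint > 0x10ffff) throw new SyntaxError("code point out of range");
    text += String.fromCodePoint(codePoint);
    hadEscape = true;
    i += m[0].length;
  }
  return { text, hadEscape };
}

// Classify a token the way a lexer following the entry above would:
//   "keyword"    - plain reserved word, no escapes
//   "identifier" - decoded text is not reserved (escapes are fine here)
//   "error"      - escaped spelling of a reserved word, rejected as a SyntaxError
function classifyIdentifierToken(token) {
  const { text, hadEscape } = decodeIdentifierName(token);
  if (!RESERVED_WORDS.has(text)) return "identifier";
  return hadEscape ? "error" : "keyword";
}

// Cross-check: does the host engine reject the source with a SyntaxError?
function engineRejects(source) {
  try { new Function(source); return false; }
  catch (e) { return e instanceof SyntaxError; }
}

// Constructed samples: "\\u0069f" is the escaped spelling of the keyword "if".
console.log(classifyIdentifierToken("\\u0069f"));      // error
console.log(classifyIdentifierToken("\\u0061bc"));     // identifier
console.log(engineRejects("\\u0069f (1);"));           // true in spec-conforming engines
```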
2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::branch64):
        (JSC::MacroAssemblerARM64::branchPtr):

2017-06-12  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r218093.
        https://bugs.webkit.org/show_bug.cgi?id=173259

        Break builds (Requested by yusukesuzuki on #webkit).

        Reverted changeset:

        "Unreviewed, build fix for ARM64"
        https://bugs.webkit.org/show_bug.cgi?id=172421
        http://trac.webkit.org/changeset/218093

2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for ARM64
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add ArrayIndexOf intrinsic
        https://bugs.webkit.org/show_bug.cgi?id=172421

        Reviewed by Saam Barati.

        This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
        We emit array check and go fast path if the array is Array::Int32, Array::Double
        or Array::Contiguous. In addition, for Array::Int32 and Array::Double case,
        we have inlined fast paths.

        With updated ARES-6 Babylon,

        Before
            firstIteration:     45.76 +- 3.87 ms
            averageWorstCase:   24.41 +- 2.17 ms
            steadyState:        8.01 +- 0.22 ms
        After
            firstIteration:     45.64 +- 4.23 ms
            averageWorstCase:   23.03 +- 3.34 ms
            steadyState:        7.33 +- 0.34 ms

        In SixSpeed:
                                         baseline                  patched

            map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
            map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
            map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasArrayMode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
        (JSC::DFG::SpeculativeJIT::speculateObject):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::speculateInt32):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
        * jit/JITOperations.h:
        * runtime/ArrayPrototype.cpp:
        (JSC::ArrayPrototype::finishCreation):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:

2017-06-11  Keith Miller  <keith_miller@apple.com>

        TypedArray constructor with string shouldn't throw
        https://bugs.webkit.org/show_bug.cgi?id=173181

        Reviewed by JF Bastien.

        We should be coercing primitive arguments to numbers in the various
        TypedArray constructors.

        * runtime/JSGenericTypedArrayViewConstructorInlines.h:
        (JSC::constructGenericTypedArrayViewWithArguments):

2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Make ThreadMessage portable
        https://bugs.webkit.org/show_bug.cgi?id=172073

        Reviewed by Keith Miller.

        * runtime/MachineContext.h:
        (JSC::MachineContext::stackPointer):
        * tools/CodeProfiling.cpp:
        (JSC::profilingTimer):

2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Shrink Structure size
        https://bugs.webkit.org/show_bug.cgi?id=173239

        Reviewed by Mark Lam.

        We find that the size of our Structure is slightly enlarged due to padding.
        By changing the order of members, we can reduce the size from 120 to 112.
        This is good because 120 and 112 are categorized into different size classes.
        For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
        We now save 16 bytes per Structure for free.

        * runtime/ConcurrentJSLock.h:
        * runtime/Structure.cpp:
        (JSC::Structure::Structure):
        * runtime/Structure.h:

2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>

        Unreviewed, attempt to fix JSC tests on Win after r217771

        * jsc.cpp:
        (currentWorkingDirectory): buffer is not NULL-terminated

2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add RegisteredSymbolImpl
        https://bugs.webkit.org/show_bug.cgi?id=173230

        Reviewed by Mark Lam.

        * runtime/SymbolConstructor.cpp:
        (JSC::symbolConstructorKeyFor):

2017-06-10  Dan Bernstein  <mitz@apple.com>

        Reverted r218056 because it made the IDE reindex constantly.

        * Configurations/DebugRelease.xcconfig:

2017-06-10  Dan Bernstein  <mitz@apple.com>

        [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
        https://bugs.webkit.org/show_bug.cgi?id=173223

        Reviewed by Sam Weinig.

        The rebuilds were happening due to a difference in the compiler options that the IDE and
        xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
        xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
        specify an appropriate path in CLANG_INDEX_STORE_PATH.

        * Configurations/DebugRelease.xcconfig:

2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Update RegExp.prototype[@@search] implementation according to the latest spec
        https://bugs.webkit.org/show_bug.cgi?id=173227

        Reviewed by Mark Lam.

        The latest spec introduces a slight change to RegExp.prototype[@@search].
        This patch applies this change. Basically, this change is done in the slow path of
        RegExp.prototype[@@search].
        https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search

        * builtins/RegExpPrototype.js:
        (search):

2017-06-09  Chris Dumez  <cdumez@apple.com>

        Update Thread::create() to take in a WTF::Function instead of a std::function
        https://bugs.webkit.org/show_bug.cgi?id=173175

        Reviewed by Mark Lam.

        * API/tests/CompareAndSwapTest.cpp:
        (testCompareAndSwap):

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add verboseDFGOSRExit
        https://bugs.webkit.org/show_bug.cgi?id=173156

        Reviewed by Saam Barati.

        This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.

        * dfg/DFGOSRExitCompiler.cpp:
        * runtime/Options.h:

2017-06-09  Guillaume Emont  <guijemont@igalia.com>

        [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
        https://bugs.webkit.org/show_bug.cgi?id=173170

        Reviewed by Yusuke Suzuki.

        MIPS does not build since r217711 because it is missing this
        implementation. This patch fixes the build.

        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::xor32):

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] FTL does not require dlfcn
        https://bugs.webkit.org/show_bug.cgi?id=173143

        Reviewed by Darin Adler.

        We no longer use the LLVM library. Thus, dlfcn.h is not necessary.
        Also, ProcessID is not used in FTLLowerDFGToB3.cpp.

        * ftl/FTLLowerDFGToB3.cpp:

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add --verboseDFGFailure
        https://bugs.webkit.org/show_bug.cgi?id=173155

        Reviewed by Sam Weinig.

        Similar to verboseFTLFailure, JSC should have a verboseDFGFailure flag to show DFG failures quickly.

        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::verboseCapabilities):
        (JSC::DFG::debugFail):
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:

2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
        https://bugs.webkit.org/show_bug.cgi?id=173147

        Reviewed by JF Bastien.

        This value becomes -1 in non-Darwin environments.
        Thus, we do not need to use OS(DARWIN) here.

        * wasm/WasmMemory.cpp:

2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>

        Reduce compiler warnings
        https://bugs.webkit.org/show_bug.cgi?id=172078

        Reviewed by Yusuke Suzuki.

        * runtime/IntlDateTimeFormat.h:

2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>

        [Cocoa] JSWrapperMap leaks for all JSContexts
        https://bugs.webkit.org/show_bug.cgi?id=173110
        <rdar://problem/32602198>

        Reviewed by Geoffrey Garen.

        * API/JSContext.mm:
        (-[JSContext ensureWrapperMap]):
        Ensure this allocation gets released.

2017-06-08  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
        https://bugs.webkit.org/show_bug.cgi?id=161156

        Reviewed by Saam Barati.

        Since LLInt does not register impure property watchpoints for self property accesses, it
        shouldn't try to cache accesses that require a watchpoint.


        This manifested as a flaky failure because the test would fire the watchpoint after we had
        usually already tiered up. Without concurrent JIT, we would have always tiered up before
        getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
        also adds a test that deterministically failed in LLInt without this change; it does so by just
        running a lot shorter.

        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):

2017-06-08  Keith Miller  <keith_miller@apple.com>

        WebAssembly: We should only create wrappers for functions that can be exported
        https://bugs.webkit.org/show_bug.cgi?id=173088

        Reviewed by Saam Barati.

        This patch makes it so we only create wrappers for WebAssembly functions that
        can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.

        This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
        Most of the tests were duplicates of ones in the spec-tests directory. The others I
        have converted to use the normal API.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (valueWithTypeOfWasmValue): Deleted.
        (box): Deleted.
        (callWasmFunction): Deleted.
        (functionTestWasmModuleFunctions): Deleted.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::createJSToWasmWrapper):
        (JSC::Wasm::parseAndCompile):
        * wasm/WasmB3IRGenerator.h:
        * wasm/WasmBBQPlan.cpp:
        (JSC::Wasm::BBQPlan::prepare):
        (JSC::Wasm::BBQPlan::compileFunctions):
        (JSC::Wasm::BBQPlan::complete):
        * wasm/WasmBBQPlan.h:
        * wasm/WasmBBQPlanInlines.h:
        (JSC::Wasm::BBQPlan::initializeCallees):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::CodeBlock):
        * wasm/WasmCodeBlock.h:
        (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
        * wasm/WasmFormat.h:
        * wasm/WasmOMGPlan.cpp:
        (JSC::Wasm::OMGPlan::work):

2017-06-07  JF Bastien  <jfbastien@apple.com>

        WebAssembly: test imports and exports with 16-bit characters
        https://bugs.webkit.org/show_bug.cgi?id=165977
        <rdar://problem/29760130>

        Reviewed by Saam Barati.

        Add the missing UTF-8 conversions. Improve import failure error
        messages, otherwise it's hard to figure out which import is wrong.

        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::finishCreation):
        (JSC::WebAssemblyModuleRecord::link):

2017-06-07  Devin Rousso  <drousso@apple.com>

        Web Inspector: Add ContextMenu item to log WebSocket object to console
        https://bugs.webkit.org/show_bug.cgi?id=172878

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Network.json:
        Add resolveWebSocket command.

2017-06-07  Jon Davis  <jond@apple.com>

        Update feature status for features Supported In Preview
        https://bugs.webkit.org/show_bug.cgi?id=173071

        Reviewed by Darin Adler.

        Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
        User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.

        * features.json:

2017-06-07  Saam Barati  <sbarati@apple.com>

        Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
        https://bugs.webkit.org/show_bug.cgi?id=172673
        <rdar://problem/32250144>

        Reviewed by Mark Lam.

        This patch simply removes this assertion. It's faulty because it
        races with the main thread when doing concurrent compilation.

        Consider a program with:
        - a FrozenValu