eb8cfd53f4555a390e5f63e331a76e8adfa0f08f
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - Implement async iteration statement: for-await-of
        https://bugs.webkit.org/show_bug.cgi?id=166698

        Reviewed by Yusuke Suzuki.

        Implementation of the for-await-of statement.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEnumeration):
        (JSC::BytecodeGenerator::emitIteratorNext):
        * bytecompiler/BytecodeGenerator.h:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createForOfLoop):
        * parser/NodeConstructors.h:
        (JSC::ForOfNode::ForOfNode):
        * parser/Nodes.h:
        (JSC::ForOfNode::isForAwait const):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseForStatement):
        * parser/Parser.h:
        (JSC::Scope::setSourceParseMode):
        (JSC::Scope::setIsFunction):
        (JSC::Scope::setIsAsyncGeneratorFunction):
        (JSC::Scope::setIsAsyncGeneratorFunctionBody):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createForOfLoop):

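The entry above records the parser and bytecode-generator work for for-await-of but says nothing about the language-level behaviour being implemented. The following is an added example, not code from the WebKit tree, showing the three behaviours a for-await-of loop has to get right: it awaits each element (so a sync iterable of promises works as well as an async generator), `break` closes the iterator so the producer's `finally` runs, and a rejection inside the sequence surfaces as an ordinary exception at the loop. All function names here are the example's own.

```javascript
// Added example (not JavaScriptCore code): what a for-await-of loop does at the
// language level, the feature the ChangeLog entry above implements.

// An async generator: the usual producer consumed by for-await-of.
async function* countdown(from) {
  for (let i = from; i > 0; i--) {
    await new Promise((resolve) => setTimeout(resolve, 0)); // simulated async work
    yield i;
  }
}

// An async producer that fails part-way through the sequence.
async function* failing() {
  yield 1;
  throw new Error("boom");
}

// Collects every value a for-await-of loop observes. Works for async iterables
// (Symbol.asyncIterator) and for sync iterables whose elements may be promises:
// for-await-of awaits each element before binding it to the loop variable.
async function collect(iterable) {
  const out = [];
  for await (const value of iterable) {
    out.push(value);
  }
  return out;
}

// Early exit: `break` inside for-await-of calls the iterator's return() method,
// so the generator's finally block runs before the loop statement completes.
async function takeUntil(iterable, limit) {
  const out = [];
  let cleanedUp = false;
  async function* tracked() {
    try {
      for await (const v of iterable) yield v;
    } finally {
      cleanedUp = true; // reached when the consumer breaks out of the loop
    }
  }
  for await (const value of tracked()) {
    out.push(value);
    if (out.length >= limit) break;
  }
  return { values: out, cleanedUp };
}

// Rejection: a throw (or rejected promise) in the sequence is rethrown at the
// loop, so a plain try/catch around it is enough to handle the failure.
async function collectOrError(iterable) {
  try {
    return { ok: true, values: await collect(iterable) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

async function main() {
  console.log(await collect(countdown(3)));                 // [3, 2, 1]
  console.log(await collect([Promise.resolve("a"), "b"])); // ["a", "b"]
  console.log(await takeUntil(countdown(5), 2));            // { values: [5, 4], cleanedUp: true }
  console.log(await collectOrError(failing()));             // { ok: false, error: "boom" }
}

main();
```

The `takeUntil` case is the one worth remembering when reviewing code that iterates over network or file streams: leaving the loop early still runs the producer's cleanup, so resources held inside the generator are released.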
2017-08-29  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r221317.
        https://bugs.webkit.org/show_bug.cgi?id=176090

        "It broke a testing mode because we will never FTL compile a
        function that repeatedly throws" (Requested by saamyjoon on
        #webkit).

        Reverted changeset:

        "Throwing an exception in the DFG/FTL should not be a
        jettison-able OSR exit"
        https://bugs.webkit.org/show_bug.cgi?id=176060
        http://trac.webkit.org/changeset/221317

2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
        https://bugs.webkit.org/show_bug.cgi?id=175895

        Reviewed by Saam Barati.

        We have `bucket === @sentinelMapBucket` code in builtin. Since @sentinelMapBucket and bucket
        are MapBucket cell (SpecCellOther), we do not have any good fixup for CompareStrictEq.
        But rather than introducing a special fixup edge (like, NonStringCellUse), converting
        CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
        In constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyped)
        if one side of the children is constant non String cell.

        This slightly optimizes map/set iteration.

        set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
        large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
        set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
        map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
        map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::convertToCompareEqPtr):

2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use reifying system for "name" property of builtin JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=175260

        Reviewed by Saam Barati.

        Currently builtin JSFunction uses direct property for "name", which is different
        from usual JSFunction. Usual JSFunction uses reifying system for "name". We would like
        to apply this reifying mechanism to builtin JSFunction to simplify code and drop
        JSFunction::createBuiltinFunction.

        We would like to store the "correct" name in FunctionExecutable. For example,
        we would like to store the name like "get [Symbol.species]" to FunctionExecutable
        instead of specifying name when creating JSFunction. To do so, we add new
        annotations, @getter and @overriddenName. When @getter is specified, the name of
        the function becomes "get xxx". And when @overriddenName="xxx" is specified,
        the name of the function becomes "xxx".

        * Scripts/builtins/builtins_generate_combined_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        * builtins/BuiltinExecutables.h:
        * builtins/FunctionPrototype.js:
        (symbolHasInstance): Deleted.
        * builtins/GlobalOperations.js:
        (globalPrivate.speciesGetter): Deleted.
        * builtins/IteratorPrototype.js:
        (symbolIteratorGetter): Deleted.
        * builtins/RegExpPrototype.js:
        (match): Deleted.
        (replace): Deleted.
        (search): Deleted.
        (split): Deleted.
        * jsc.cpp:
        (functionCreateBuiltin):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::createBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):

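The entry above describes an engine-internal change (where the "name" string of a builtin lives), but the observable contract it has to preserve is the spec-mandated naming of built-in functions: accessors are named "get xxx" / "set xxx", symbol-keyed functions are named "[Symbol.xxx]", and some builtins carry an overridden name because they are the same function object as another property (Map.prototype[Symbol.iterator] is Map.prototype.entries). The following is an added example, not WebKit code, that reads those names through ordinary property descriptors and reports any engine that disagrees; the helper names are the example's own, and the expected strings are the ones the ECMAScript specification requires.

```javascript
// Added example (not JavaScriptCore code): the observable naming rules for
// built-in functions that the "name" reifying change above must preserve.

// Returns the name of the function stored at `key` on `target`. For accessor
// properties, `which` selects "get" or "set"; for data properties it is "value".
function builtinName(target, key, which = "value") {
  const desc = Object.getOwnPropertyDescriptor(target, key);
  if (!desc) throw new Error(`no own property ${String(key)}`);
  const fn = desc[which];
  if (typeof fn !== "function") throw new Error(`${String(key)} has no ${which} function`);
  return fn.name;
}

// Checks a small table of spec-mandated names and returns the mismatches, so an
// empty array means the engine agrees with the specification on every case.
function checkBuiltinNames() {
  const cases = [
    // target,          key,              which,   expected name
    [Array,             Symbol.species,   "get",   "get [Symbol.species]"],
    [Map.prototype,     "size",           "get",   "get size"],
    [RegExp.prototype,  Symbol.match,     "value", "[Symbol.match]"],
    [Map.prototype,     Symbol.iterator,  "value", "entries"], // same object as Map.prototype.entries
    [Array.prototype,   Symbol.iterator,  "value", "values"],  // same object as Array.prototype.values
    [Set.prototype,     Symbol.iterator,  "value", "values"],  // same object as Set.prototype.values
  ];
  const mismatches = [];
  for (const [target, key, which, expected] of cases) {
    const actual = builtinName(target, key, which);
    if (actual !== expected) mismatches.push({ key: String(key), expected, actual });
  }
  return mismatches;
}

// User-defined accessors and symbol-keyed methods follow the same rules, which
// is why a lazily reified builtin name must match what SetFunctionName produces.
function userDefinedNames() {
  const obj = {
    get size() { return 0; },
    [Symbol.iterator]() { return [][Symbol.iterator](); },
  };
  return {
    getter: builtinName(obj, "size", "get"),         // "get size"
    symbolMethod: builtinName(obj, Symbol.iterator), // "[Symbol.iterator]"
  };
}

console.log(checkBuiltinNames()); // [] on a conforming engine
console.log(userDefinedNames());
```

Run under any engine (jsc, node) to compare: a non-empty result from `checkBuiltinNames()` pinpoints exactly which builtin's name the engine reports differently from the specification.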
162 2017-08-29  Saam Barati  <sbarati@apple.com>
163
164         Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit
165         https://bugs.webkit.org/show_bug.cgi?id=176060
166
167         Reviewed by Michael Saboff.
168
169         OSR exitting when we throw an exception is expected behavior. We should
170         not count these exits towards our jettison OSR exit threshold.
171
172         * bytecode/ExitKind.cpp:
173         (JSC::exitKindToString):
174         (JSC::exitKindMayJettison):
175         * bytecode/ExitKind.h:
176         * dfg/DFGSpeculativeJIT32_64.cpp:
177         (JSC::DFG::SpeculativeJIT::compile):
178         * dfg/DFGSpeculativeJIT64.cpp:
179         (JSC::DFG::SpeculativeJIT::compile):
180         * ftl/FTLLowerDFGToB3.cpp:
181         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
182
183 2017-08-29  Chris Dumez  <cdumez@apple.com>
184
185         Add initial support for dataTransferItem.webkitGetAsEntry()
186         https://bugs.webkit.org/show_bug.cgi?id=176038
187         <rdar://problem/34121095>
188
189         Reviewed by Wenson Hsieh.
190
191         Add CommonIdentifier needed by [EnabledAtRuntime].
192
193         * runtime/CommonIdentifiers.h:
194
195 2017-08-27  Devin Rousso  <webkit@devinrousso.com>
196
197         Web Inspector: Record actions performed on WebGLRenderingContext
198         https://bugs.webkit.org/show_bug.cgi?id=174483
199         <rdar://problem/34040722>
200
201         Reviewed by Matt Baker.
202
203         * inspector/protocol/Recording.json:
204         * inspector/scripts/codegen/generator.py:
205         Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL
206
207 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
208
209         Unreviewed, suppress warnings in GTK port
210
211         The "block" variable hides the argument variable.
212
213         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
214         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
215
216 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
217
218         Merge WeakMapData into JSWeakMap and JSWeakSet
219         https://bugs.webkit.org/show_bug.cgi?id=143919
220
221         Reviewed by Darin Adler.
222
223         This patch changes WeakMapData from JSCell to JSDestructibleObject,
224         renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
225         it instead of separately allocating WeakMapData. This reduces memory
226         consumption and allocation times.
227
228         Also this patch a bit optimizes sizeof(DeadKeyCleaner) by dropping m_target
229         field. Since this class is always embedded in WeakMapBase, we can calculate
230         WeakMapBase address from the address of DeadKeyCleaner.
231
232         This patch does not include the optimization changing WeakMapData to Set
233         for JSWeakSet.
234
235         * CMakeLists.txt:
236         * JavaScriptCore.xcodeproj/project.pbxproj:
237         * inspector/JSInjectedScriptHost.cpp:
238         (Inspector::JSInjectedScriptHost::weakMapSize):
239         (Inspector::JSInjectedScriptHost::weakMapEntries):
240         (Inspector::JSInjectedScriptHost::weakSetSize):
241         (Inspector::JSInjectedScriptHost::weakSetEntries):
242         * runtime/JSWeakMap.cpp:
243         (JSC::JSWeakMap::finishCreation): Deleted.
244         (JSC::JSWeakMap::visitChildren): Deleted.
245         * runtime/JSWeakMap.h:
246         (JSC::JSWeakMap::createStructure): Deleted.
247         (JSC::JSWeakMap::create): Deleted.
248         (JSC::JSWeakMap::weakMapData): Deleted.
249         (JSC::JSWeakMap::JSWeakMap): Deleted.
250         * runtime/JSWeakSet.cpp:
251         (JSC::JSWeakSet::finishCreation): Deleted.
252         (JSC::JSWeakSet::visitChildren): Deleted.
253         * runtime/JSWeakSet.h:
254         (JSC::JSWeakSet::createStructure): Deleted.
255         (JSC::JSWeakSet::create): Deleted.
256         (JSC::JSWeakSet::weakMapData): Deleted.
257         (JSC::JSWeakSet::JSWeakSet): Deleted.
258         * runtime/VM.cpp:
259         (JSC::VM::VM):
260         * runtime/VM.h:
261         * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
262         (JSC::WeakMapBase::WeakMapBase):
263         (JSC::WeakMapBase::destroy):
264         (JSC::WeakMapBase::estimatedSize):
265         (JSC::WeakMapBase::visitChildren):
266         (JSC::WeakMapBase::set):
267         (JSC::WeakMapBase::get):
268         (JSC::WeakMapBase::remove):
269         (JSC::WeakMapBase::contains):
270         (JSC::WeakMapBase::clear):
271         (JSC::WeakMapBase::DeadKeyCleaner::target):
272         (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
273         (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
274         * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
275         (JSC::WeakMapBase::size const):
276         * runtime/WeakMapPrototype.cpp:
277         (JSC::getWeakMap):
278         (JSC::protoFuncWeakMapDelete):
279         (JSC::protoFuncWeakMapGet):
280         (JSC::protoFuncWeakMapHas):
281         (JSC::protoFuncWeakMapSet):
282         (JSC::getWeakMapData): Deleted.
283         * runtime/WeakSetPrototype.cpp:
284         (JSC::getWeakSet):
285         (JSC::protoFuncWeakSetDelete):
286         (JSC::protoFuncWeakSetHas):
287         (JSC::protoFuncWeakSetAdd):
288         (JSC::getWeakMapData): Deleted.
289
290 2017-08-25  Daniel Bates  <dabates@apple.com>
291
292         Demarcate code added due to lack of NSDMI for aggregates
293         https://bugs.webkit.org/show_bug.cgi?id=175990
294
295         Reviewed by Andy Estes.
296
297         * domjit/DOMJITEffect.h:
298         (JSC::DOMJIT::Effect::Effect):
299         (JSC::DOMJIT::Effect::forWrite):
300         (JSC::DOMJIT::Effect::forRead):
301         (JSC::DOMJIT::Effect::forReadWrite):
302         (JSC::DOMJIT::Effect::forPure):
303         (JSC::DOMJIT::Effect::forDef):
304         * runtime/HasOwnPropertyCache.h:
305         (JSC::HasOwnPropertyCache::Entry::Entry):
306         (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
307         * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
308         make some comments read well.
309         (JSC::Wasm::CallableFunction::CallableFunction):
310         * wasm/js/WebAssemblyFunction.cpp:
311         (JSC::WebAssemblyFunction::WebAssemblyFunction):
312         * wasm/js/WebAssemblyWrapperFunction.cpp:
313         (JSC::WebAssemblyWrapperFunction::create):
314
315 2017-08-25  Saam Barati  <sbarati@apple.com>
316
317         Unreviewed. Fix 32-bit after r221196
318
319         * jit/JITOpcodes32_64.cpp:
320         (JSC::JIT::emit_op_catch):
321
322 2017-08-25  Chris Dumez  <cdumez@apple.com>
323
324         Land stubs for File and Directory Entries API interfaces
325         https://bugs.webkit.org/show_bug.cgi?id=175993
326         <rdar://problem/34087477>
327
328         Reviewed by Ryosuke Niwa.
329
330         Add CommonIdentifiers needed for [EnabledAtRuntime].
331
332         * runtime/CommonIdentifiers.h:
333
334 2017-08-25  Brian Burg  <bburg@apple.com>
335
336         Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
337         https://bugs.webkit.org/show_bug.cgi?id=175563
338         <rdar://problem/33734492>
339
340         Reviewed by Joseph Pecoraro.
341
342         Add macros for new capability protocol string names. Let's use a reverse
343         domain name notification for these capabilities so we know whether they are
344         intended for a particular client/port or any WebKit client, and what feature they
345         are related to (i.e., webrtc).
346
347         * inspector/remote/RemoteInspectorConstants.h:
348
349 2017-08-24  Brian Burg  <bburg@apple.com>
350
351         Web Automation: use automation session configurations to propagate per-session settings
352         https://bugs.webkit.org/show_bug.cgi?id=175562
353         <rdar://problem/30853362>
354
355         Reviewed by Joseph Pecoraro.
356
357         Add a Cocoa-specific code path to forward capabilities when requesting
358         a new session from the remote inspector (i.e., automation) client.
359
360         If other ports want to use this, then we can convert Cocoa types to WebKit types later.
361
362         * inspector/remote/RemoteInspector.h:
363         * inspector/remote/RemoteInspectorConstants.h:
364         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
365         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
366
367 2017-08-25  Saam Barati  <sbarati@apple.com>
368
369         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
370         https://bugs.webkit.org/show_bug.cgi?id=175893
371
372         Reviewed by Mark Lam.
373
374         * dfg/DFGJITCode.cpp:
375         (JSC::DFG::JITCode::finalizeOSREntrypoints):
376         * dfg/DFGJITCode.h:
377         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
378         * dfg/DFGSpeculativeJIT.cpp:
379         (JSC::DFG::SpeculativeJIT::linkOSREntries):
380
381 2017-08-25  Saam Barati  <sbarati@apple.com>
382
383         Support compiling catch in the DFG
384         https://bugs.webkit.org/show_bug.cgi?id=174590
385         <rdar://problem/34047845>
386
387         Reviewed by Filip Pizlo.
388
389         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
390         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
391         
392         To implement catch in the DFG, this patch introduces the concept of multiple
393         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
394         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
395         patch contains many straight forward changes generalizing the code to handle more than
396         one entrypoint.
397         
398         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
399         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
400         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
401         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
402         and SSANaturalLoops vs CPSNaturalLoops.
403         
404         The way we compile the catch entrypoint is by bootstrapping the state
405         of the program by loading all live bytecode locals from a buffer. The OSR
406         entry code will store all live values into that buffer before jumping to
407         the entrypoint. The OSR entry code is also responsible for performing type
408         proofs of the arguments before doing an OSR entry. If there is a type
409         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
410         each catch entrypoint knows the argument type proofs it must perform to enter
411         into the DFG. Currently, all entrypoints' arguments flush format are unified
412         via ArgumentPosition, but this is just an implementation detail. The code is
413         written more generally to assume that each entrypoint may perform its own distinct
414         proof.
415         
416         op_catch now performs value profiling for all live bytecode locals in the
417         LLInt and baseline JIT. This information is then fed into the DFG via the
418         ExtractCatchLocal node in the prediction propagation phase.
419         
420         This patch also changes how we generate op_catch in bytecode. All op_catches
421         are now split out at the end of the program in bytecode. This ensures that
422         no op_catch is inside a try block. This is needed to ensure correctness in
423         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
424         before SetLocals inside a try block. If an op_catch were in a try block, this
425         would cause the phase to insert a Flush before one of the state bootstrapping
426         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
427         its own at the end of a bytecode stream seemed like the most elegant solution since
428         it better represents that we treat op_catch as an entrypoint. This is true
429         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
430         via normal control flow. Because op_catch cannot throw, this will not break
431         any previous semantics of op_catch. Logically, it'd be valid to split try
432         blocks around any non-throwing bytecode operation.
433
434         * CMakeLists.txt:
435         * JavaScriptCore.xcodeproj/project.pbxproj:
436         * bytecode/BytecodeDumper.cpp:
437         (JSC::BytecodeDumper<Block>::dumpBytecode):
438         * bytecode/BytecodeList.json:
439         * bytecode/BytecodeUseDef.h:
440         (JSC::computeUsesForBytecodeOffset):
441         * bytecode/CodeBlock.cpp:
442         (JSC::CodeBlock::finishCreation):
443         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
444         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
445         (JSC::CodeBlock::validate):
446         * bytecode/CodeBlock.h:
447         * bytecode/ValueProfile.h:
448         (JSC::ValueProfile::ValueProfile):
449         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
450         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
451         (JSC::ValueProfileAndOperandBuffer::forEach):
452         * bytecompiler/BytecodeGenerator.cpp:
453         (JSC::BytecodeGenerator::generate):
454         (JSC::BytecodeGenerator::BytecodeGenerator):
455         (JSC::BytecodeGenerator::emitCatch):
456         (JSC::BytecodeGenerator::emitEnumeration):
457         * bytecompiler/BytecodeGenerator.h:
458         * bytecompiler/NodesCodegen.cpp:
459         (JSC::TryNode::emitBytecode):
460         * dfg/DFGAbstractInterpreterInlines.h:
461         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
462         * dfg/DFGBackwardsCFG.h:
463         (JSC::DFG::BackwardsCFG::BackwardsCFG):
464         * dfg/DFGBasicBlock.cpp:
465         (JSC::DFG::BasicBlock::BasicBlock):
466         * dfg/DFGBasicBlock.h:
467         (JSC::DFG::BasicBlock::findTerminal const):
468         * dfg/DFGByteCodeParser.cpp:
469         (JSC::DFG::ByteCodeParser::setDirect):
470         (JSC::DFG::ByteCodeParser::flush):
471         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
472         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
473         (JSC::DFG::ByteCodeParser::parseBlock):
474         (JSC::DFG::ByteCodeParser::parseCodeBlock):
475         (JSC::DFG::ByteCodeParser::parse):
476         * dfg/DFGCFG.h:
477         (JSC::DFG::CFG::root):
478         (JSC::DFG::CFG::roots):
479         (JSC::DFG::CPSCFG::CPSCFG):
480         (JSC::DFG::selectCFG):
481         * dfg/DFGCPSRethreadingPhase.cpp:
482         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
483         * dfg/DFGCSEPhase.cpp:
484         * dfg/DFGClobberize.h:
485         (JSC::DFG::clobberize):
486         * dfg/DFGControlEquivalenceAnalysis.h:
487         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
488         * dfg/DFGDCEPhase.cpp:
489         (JSC::DFG::DCEPhase::run):
490         * dfg/DFGDisassembler.cpp:
491         (JSC::DFG::Disassembler::createDumpList):
492         * dfg/DFGDoesGC.cpp:
493         (JSC::DFG::doesGC):
494         * dfg/DFGDominators.h:
495         (JSC::DFG::Dominators::Dominators):
496         (JSC::DFG::ensureDominatorsForCFG):
497         * dfg/DFGEdgeDominates.h:
498         (JSC::DFG::EdgeDominates::EdgeDominates):
499         (JSC::DFG::EdgeDominates::operator()):
500         * dfg/DFGFixupPhase.cpp:
501         (JSC::DFG::FixupPhase::fixupNode):
502         (JSC::DFG::FixupPhase::fixupChecksInBlock):
503         * dfg/DFGFlushFormat.h:
504         * dfg/DFGGraph.cpp:
505         (JSC::DFG::Graph::Graph):
506         (JSC::DFG::unboxLoopNode):
507         (JSC::DFG::Graph::dumpBlockHeader):
508         (JSC::DFG::Graph::dump):
509         (JSC::DFG::Graph::determineReachability):
510         (JSC::DFG::Graph::invalidateCFG):
511         (JSC::DFG::Graph::blocksInPreOrder):
512         (JSC::DFG::Graph::blocksInPostOrder):
513         (JSC::DFG::Graph::ensureCPSDominators):
514         (JSC::DFG::Graph::ensureSSADominators):
515         (JSC::DFG::Graph::ensureCPSNaturalLoops):
516         (JSC::DFG::Graph::ensureSSANaturalLoops):
517         (JSC::DFG::Graph::ensureBackwardsCFG):
518         (JSC::DFG::Graph::ensureBackwardsDominators):
519         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
520         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
521         (JSC::DFG::Graph::clearCPSCFGData):
522         (JSC::DFG::Graph::ensureDominators): Deleted.
523         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
524         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
525         * dfg/DFGGraph.h:
526         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
527         (JSC::DFG::Graph::isEntrypoint const):
528         * dfg/DFGInPlaceAbstractState.cpp:
529         (JSC::DFG::InPlaceAbstractState::initialize):
530         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
531         * dfg/DFGJITCode.cpp:
532         (JSC::DFG::JITCode::shrinkToFit):
533         * dfg/DFGJITCode.h:
534         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
535         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
536         (JSC::DFG::JITCode::appendCatchEntrypoint):
537         * dfg/DFGJITCompiler.cpp:
538         (JSC::DFG::JITCompiler::compile):
539         (JSC::DFG::JITCompiler::compileFunction):
540         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
541         (JSC::DFG::JITCompiler::noticeOSREntry):
542         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
543         * dfg/DFGJITCompiler.h:
544         * dfg/DFGLICMPhase.cpp:
545         (JSC::DFG::LICMPhase::run):
546         (JSC::DFG::LICMPhase::attemptHoist):
547         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
548         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
549         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
550         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
551         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
552         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
553         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
554         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
555         (JSC::DFG::createPreHeader):
556         (JSC::DFG::LoopPreHeaderCreationPhase::run):
557         * dfg/DFGMaximalFlushInsertionPhase.cpp:
558         (JSC::DFG::MaximalFlushInsertionPhase::run):
559         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
560         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
561         * dfg/DFGMayExit.cpp:
562         * dfg/DFGNaturalLoops.h:
563         (JSC::DFG::NaturalLoops::NaturalLoops):
564         * dfg/DFGNode.h:
565         (JSC::DFG::Node::isSwitch const):
566         (JSC::DFG::Node::successor):
567         (JSC::DFG::Node::catchOSREntryIndex const):
568         (JSC::DFG::Node::catchLocalPrediction):
569         (JSC::DFG::Node::isSwitch): Deleted.
570         * dfg/DFGNodeType.h:
571         * dfg/DFGOSREntry.cpp:
572         (JSC::DFG::prepareCatchOSREntry):
573         * dfg/DFGOSREntry.h:
574         * dfg/DFGOSREntrypointCreationPhase.cpp:
575         (JSC::DFG::OSREntrypointCreationPhase::run):
576         * dfg/DFGOSRExitCompilerCommon.cpp:
577         (JSC::DFG::handleExitCounts):
578         * dfg/DFGObjectAllocationSinkingPhase.cpp:
579         * dfg/DFGPlan.cpp:
580         (JSC::DFG::Plan::compileInThreadImpl):
581         * dfg/DFGPrePostNumbering.cpp:
582         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
583         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
584         (WTF::printInternal): Deleted.
585         * dfg/DFGPrePostNumbering.h:
586         (): Deleted.
587         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
588         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
589         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
590         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
591         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
592         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
593         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
594         * dfg/DFGPredictionInjectionPhase.cpp:
595         (JSC::DFG::PredictionInjectionPhase::run):
596         * dfg/DFGPredictionPropagationPhase.cpp:
597         * dfg/DFGPutStackSinkingPhase.cpp:
598         * dfg/DFGSSACalculator.cpp:
599         (JSC::DFG::SSACalculator::nonLocalReachingDef):
600         (JSC::DFG::SSACalculator::reachingDefAtTail):
601         * dfg/DFGSSACalculator.h:
602         (JSC::DFG::SSACalculator::computePhis):
603         * dfg/DFGSSAConversionPhase.cpp:
604         (JSC::DFG::SSAConversionPhase::run):
605         (JSC::DFG::performSSAConversion):
606         * dfg/DFGSafeToExecute.h:
607         (JSC::DFG::safeToExecute):
608         * dfg/DFGSpeculativeJIT.cpp:
609         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
610         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
611         (JSC::DFG::SpeculativeJIT::createOSREntries):
612         (JSC::DFG::SpeculativeJIT::linkOSREntries):
613         * dfg/DFGSpeculativeJIT32_64.cpp:
614         (JSC::DFG::SpeculativeJIT::compile):
615         * dfg/DFGSpeculativeJIT64.cpp:
616         (JSC::DFG::SpeculativeJIT::compile):
617         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
618         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
619         * dfg/DFGStrengthReductionPhase.cpp:
620         (JSC::DFG::StrengthReductionPhase::handleNode):
621         * dfg/DFGTierUpCheckInjectionPhase.cpp:
622         (JSC::DFG::TierUpCheckInjectionPhase::run):
623         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
624         * dfg/DFGTypeCheckHoistingPhase.cpp:
625         (JSC::DFG::TypeCheckHoistingPhase::run):
626         * dfg/DFGValidate.cpp:
627         * ftl/FTLLink.cpp:
628         (JSC::FTL::link):
629         * ftl/FTLLowerDFGToB3.cpp:
630         (JSC::FTL::DFG::LowerDFGToB3::lower):
631         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
632         (JSC::FTL::DFG::LowerDFGToB3::isValid):
633         * jit/JIT.h:
634         * jit/JITInlines.h:
635         (JSC::JIT::callOperation):
636         * jit/JITOpcodes.cpp:
637         (JSC::JIT::emit_op_catch):
638         * jit/JITOpcodes32_64.cpp:
639         (JSC::JIT::emit_op_catch):
640         * jit/JITOperations.cpp:
641         * jit/JITOperations.h:
642         * llint/LLIntSlowPaths.cpp:
643         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
644         * llint/LLIntSlowPaths.h:
645         * llint/LowLevelInterpreter32_64.asm:
646         * llint/LowLevelInterpreter64.asm:
647
648 2017-08-25  Keith Miller  <keith_miller@apple.com>
649
650         Explore increasing max JSString::m_length to UINT_MAX.
651         https://bugs.webkit.org/show_bug.cgi?id=163955
652         <rdar://problem/32001499>
653
654         Reviewed by JF Bastien.
655
656         This can cause us to release assert on some code paths. I don't
657         see a reason to maintain this restriction.
658
659         * runtime/JSString.h:
660         (JSC::JSString::length const):
661         (JSC::JSString::setLength):
662         (JSC::JSString::isValidLength): Deleted.
663         * runtime/JSStringBuilder.h:
664         (JSC::jsMakeNontrivialString):
665
666 2017-08-24  Commit Queue  <commit-queue@webkit.org>
667
668         Unreviewed, rolling out r221119, r221124, and r221143.
669         https://bugs.webkit.org/show_bug.cgi?id=175973
670
671         "I think it regressed JSBench by 20%" (Requested by saamyjoon
672         on #webkit).
673
674         Reverted changesets:
675
676         "Support compiling catch in the DFG"
677         https://bugs.webkit.org/show_bug.cgi?id=174590
678         http://trac.webkit.org/changeset/221119
679
680         "Unreviewed, build fix in GTK port"
681         https://bugs.webkit.org/show_bug.cgi?id=174590
682         http://trac.webkit.org/changeset/221124
683
684         "DFG::JITCode::osrEntry should get sorted since we perform a
685         binary search on it"
686         https://bugs.webkit.org/show_bug.cgi?id=175893
687         http://trac.webkit.org/changeset/221143
688
689 2017-08-24  Michael Saboff  <msaboff@apple.com>
690
691         Enable moving fixed character class terms after fixed character terms for BMP only character classes
692         https://bugs.webkit.org/show_bug.cgi?id=175958
693
694         Reviewed by Saam Barati.
695
696         Currently we don't perform the reordering optimization of fixed character terms that
697         follow fixed character class terms for Unicode patterns.
698
699         This change allows that reordering when the character class contains only BMP
700         characters.
701
702         This fix is covered by existing tests.
703
704         * yarr/YarrJIT.cpp:
705         (JSC::Yarr::YarrGenerator::optimizeAlternative):
706
707 2017-08-24  Michael Saboff  <msaboff@apple.com>
708
709         Add support for RegExp "dotAll" flag
710         https://bugs.webkit.org/show_bug.cgi?id=175924
711
712         Reviewed by Keith Miller.
713
714         The dotAll RegExp flag, 's', changes . to match any character including line terminators.
715         Added the "dotAll" identifier as well as a RegExp.prototype.dotAll getter.
716         Added a new any character CharacterClass that is used to match . terms in a dotAll flagged
717         RegExp.  In the YARR pattern and parsing code, changed the NewlineClassID, which was only
718         used for '.' processing, to DotClassID.  The selection of which builtin character class
719         that DotClassID resolves to when generating the pattern is conditional on the dotAll flag.
720         This NewlineClassID to DotClassID refactoring includes the atomBuiltInCharacterClass() in
721         the WebCore content extensions code in the PatternParser class.
722
723         As an optimization, the Yarr JIT actually doesn't perform match checks against the builtin
724         any character CharacterClass, it merely reads the character.  There is another optimization
725         in our DotStart enclosure processing where a non-capturing regular expression in the form
726         of .*<expression.*, with options beginning ^ and/or trailing $, match the contained
727         expression and then look for the extents of the surrounding .*'s.  When used with the
728         dotAll flag, that processing always results in the beginning of the string and the end
729         of the string.  Therefore we short circuit finding the beginning and end of the line
730         or string with dotAll patterns.
731
732         * bytecode/BytecodeDumper.cpp:
733         (JSC::regexpToSourceString):
734         * runtime/CommonIdentifiers.h:
735         * runtime/RegExp.cpp:
736         (JSC::regExpFlags):
737         (JSC::RegExpFunctionalTestCollector::outputOneTest):
738         * runtime/RegExp.h:
739         * runtime/RegExpKey.h:
740         * runtime/RegExpPrototype.cpp:
741         (JSC::RegExpPrototype::finishCreation):
742         (JSC::flagsString):
743         (JSC::regExpProtoGetterDotAll):
744         * yarr/YarrInterpreter.cpp:
745         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
746         * yarr/YarrInterpreter.h:
747         (JSC::Yarr::BytecodePattern::dotAll const):
748         * yarr/YarrJIT.cpp:
749         (JSC::Yarr::YarrGenerator::optimizeAlternative):
750         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
751         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
752         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
753         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
754         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
755         * yarr/YarrParser.h:
756         (JSC::Yarr::Parser::parseTokens):
757         * yarr/YarrPattern.cpp:
758         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
759         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
760         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
761         (JSC::Yarr::YarrPattern::YarrPattern):
762         (JSC::Yarr::PatternTerm::dump):
763         (JSC::Yarr::anycharCreate):
764         * yarr/YarrPattern.h:
765         (JSC::Yarr::YarrPattern::reset):
766         (JSC::Yarr::YarrPattern::anyCharacterClass):
767         (JSC::Yarr::YarrPattern::dotAll const):
768
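The following is an added example, not code from the WebKit ChangeLog or the JavaScriptCore sources. It exercises the observable behaviour the entry above describes: which characters a bare `.` matches with and without the `s` flag, the `RegExp.prototype.dotAll` getter, and the consequence for an anchored whole-string check of the kind used in input validation. The function names and the sample inputs are constructed for this illustration.

```javascript
// Added example; not code from the WebKit ChangeLog or JavaScriptCore sources.
// It exercises the RegExp "dotAll" ('s') flag behaviour the entry above describes.
"use strict";

// The four ECMAScript LineTerminator code points. Without the 's' flag, '.'
// matches any character except these; with 's', it matches them as well.
const LINE_TERMINATORS = ["\n", "\r", "\u2028", "\u2029"];

// Returns the line terminators that a bare '.' matches for the given flag state.
function dotMatchedLineTerminators(dotAll) {
  const re = new RegExp(".", dotAll ? "s" : "");
  return LINE_TERMINATORS.filter((ch) => re.test(ch));
}

// A whole-string check of the kind used for input validation. Without 's'
// (and without 'm'), ^.*$ cannot cross a line terminator, so multi-line input
// is rejected; with 's' the same pattern accepts it. Validation code should
// choose the flag deliberately rather than assume '.' means "anything".
function acceptsWholeString(input, dotAll) {
  const re = new RegExp("^.*$", dotAll ? "s" : "");
  return re.test(input);
}

// The introspection this change adds: the dotAll getter, and 's' in flags.
function describeFlags(re) {
  return { dotAll: re.dotAll, flags: re.flags };
}
```

`acceptsWholeString("line1\nline2", false)` is false and the same call with `true` is true; `describeFlags(/x/gs)` reports `dotAll: true` and `flags: "gs"`.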
769 2017-08-23  Filip Pizlo  <fpizlo@apple.com>
770
771         Reduce Gigacage sizes
772         https://bugs.webkit.org/show_bug.cgi?id=175920
773
774         Reviewed by Mark Lam.
775
776         Teach all of the code generators to use the right gigacage masks.
777
778         Also teach Wasm that it has much less memory for signaling memories. With 32GB, we have room for 7 signaling memories. But if
779         we actually did that, then we'd have no memory left for anything else. So, this caps us at 4 signaling memories.
780
781         * ftl/FTLLowerDFGToB3.cpp:
782         (JSC::FTL::DFG::LowerDFGToB3::caged):
783         * jit/AssemblyHelpers.h:
784         (JSC::AssemblyHelpers::cage):
785         (JSC::AssemblyHelpers::cageConditionally):
786         * llint/LowLevelInterpreter64.asm:
787         * runtime/Options.h:
788
789 2017-08-24  Saam Barati  <sbarati@apple.com>
790
791         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
792         https://bugs.webkit.org/show_bug.cgi?id=175893
793
794         Reviewed by Mark Lam.
795
796         * dfg/DFGJITCode.cpp:
797         (JSC::DFG::JITCode::finalizeOSREntrypoints):
798         * dfg/DFGJITCode.h:
799         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
800         * dfg/DFGSpeculativeJIT.cpp:
801         (JSC::DFG::SpeculativeJIT::linkOSREntries):
802
803 2017-08-23  Keith Miller  <keith_miller@apple.com>
804
805         Fix Titzer bench on iOS.
806         https://bugs.webkit.org/show_bug.cgi?id=175917
807
808         Reviewed by Ryosuke Niwa.
809
810         Currently, Titzer bench doesn't run on iOS since the benchmark
811         allocates lots of physical pages that it never actually writes
812         to. We limited the total number of wasm physical pages to the RAM
813         size of the phone, which caused us to fail a memory
814         allocation. This patch changes it so we will allocate up to 3x ram
815         size, which seems to fix the problem.
816
817         * wasm/WasmMemory.cpp:
818
819 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
820
821         Unreviewed, fix for test262
822         https://bugs.webkit.org/show_bug.cgi?id=175915
823
824         * runtime/MapPrototype.cpp:
825         (JSC::MapPrototype::finishCreation):
826         * runtime/SetPrototype.cpp:
827         (JSC::SetPrototype::finishCreation):
828
829 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
830
831         Unreviewed, build fix in GTK port
832         https://bugs.webkit.org/show_bug.cgi?id=174590
833
834         * bytecompiler/BytecodeGenerator.cpp:
835         (JSC::BytecodeGenerator::emitCatch):
836         * bytecompiler/BytecodeGenerator.h:
837
838 2017-08-23  Saam Barati  <sbarati@apple.com>
839
840         Support compiling catch in the DFG
841         https://bugs.webkit.org/show_bug.cgi?id=174590
842
843         Reviewed by Filip Pizlo.
844
845         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
846         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
847         
848         To implement catch in the DFG, this patch introduces the concept of multiple
849         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
850         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
851         patch contains many straightforward changes generalizing the code to handle more than
852         one entrypoint.
853         
854         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
855         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
856         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
857         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
858         and SSANaturalLoops vs CPSNaturalLoops.
859         
860         The way we compile the catch entrypoint is by bootstrapping the state
861         of the program by loading all live bytecode locals from a buffer. The OSR
862         entry code will store all live values into that buffer before jumping to
863         the entrypoint. The OSR entry code is also responsible for performing type
864         proofs of the arguments before doing an OSR entry. If there is a type
865         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
866         each catch entrypoint knows the argument type proofs it must perform to enter
867         into the DFG. Currently, all entrypoints' argument flush formats are unified
868         via ArgumentPosition, but this is just an implementation detail. The code is
869         written more generally to assume that each entrypoint may perform its own distinct
870         proof.
871         
872         op_catch now performs value profiling for all live bytecode locals in the
873         LLInt and baseline JIT. This information is then fed into the DFG via the
874         ExtractCatchLocal node in the prediction propagation phase.
875         
876         This patch also changes how we generate op_catch in bytecode. All op_catches
877         are now split out at the end of the program in bytecode. This ensures that
878         no op_catch is inside a try block. This is needed to ensure correctness in
879         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
880         before SetLocals inside a try block. If an op_catch were in a try block, this
881         would cause the phase to insert a Flush before one of the state bootstrapping
882         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
883         its own at the end of a bytecode stream seemed like the most elegant solution since
884         it better represents that we treat op_catch as an entrypoint. This is true
885         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
886         via normal control flow. Because op_catch cannot throw, this will not break
887         any previous semantics of op_catch. Logically, it'd be valid to split try
888         blocks around any non-throwing bytecode operation.
889
890         * CMakeLists.txt:
891         * JavaScriptCore.xcodeproj/project.pbxproj:
892         * bytecode/BytecodeDumper.cpp:
893         (JSC::BytecodeDumper<Block>::dumpBytecode):
894         * bytecode/BytecodeList.json:
895         * bytecode/BytecodeUseDef.h:
896         (JSC::computeUsesForBytecodeOffset):
897         * bytecode/CodeBlock.cpp:
898         (JSC::CodeBlock::finishCreation):
899         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
900         (JSC::CodeBlock::validate):
901         * bytecode/CodeBlock.h:
902         * bytecode/ValueProfile.h:
903         (JSC::ValueProfile::ValueProfile):
904         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
905         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
906         (JSC::ValueProfileAndOperandBuffer::forEach):
907         * bytecompiler/BytecodeGenerator.cpp:
908         (JSC::BytecodeGenerator::generate):
909         (JSC::BytecodeGenerator::BytecodeGenerator):
910         (JSC::BytecodeGenerator::emitCatch):
911         (JSC::BytecodeGenerator::emitEnumeration):
912         * bytecompiler/BytecodeGenerator.h:
913         * bytecompiler/NodesCodegen.cpp:
914         (JSC::TryNode::emitBytecode):
915         * dfg/DFGAbstractInterpreterInlines.h:
916         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
917         * dfg/DFGBackwardsCFG.h:
918         (JSC::DFG::BackwardsCFG::BackwardsCFG):
919         * dfg/DFGBasicBlock.cpp:
920         (JSC::DFG::BasicBlock::BasicBlock):
921         * dfg/DFGBasicBlock.h:
922         (JSC::DFG::BasicBlock::findTerminal const):
923         * dfg/DFGByteCodeParser.cpp:
924         (JSC::DFG::ByteCodeParser::setDirect):
925         (JSC::DFG::ByteCodeParser::flush):
926         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
927         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
928         (JSC::DFG::ByteCodeParser::parseBlock):
929         (JSC::DFG::ByteCodeParser::parseCodeBlock):
930         (JSC::DFG::ByteCodeParser::parse):
931         * dfg/DFGCFG.h:
932         (JSC::DFG::CFG::root):
933         (JSC::DFG::CFG::roots):
934         (JSC::DFG::CPSCFG::CPSCFG):
935         (JSC::DFG::selectCFG):
936         * dfg/DFGCPSRethreadingPhase.cpp:
937         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
938         * dfg/DFGCSEPhase.cpp:
939         * dfg/DFGClobberize.h:
940         (JSC::DFG::clobberize):
941         * dfg/DFGControlEquivalenceAnalysis.h:
942         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
943         * dfg/DFGDCEPhase.cpp:
944         (JSC::DFG::DCEPhase::run):
945         * dfg/DFGDisassembler.cpp:
946         (JSC::DFG::Disassembler::createDumpList):
947         * dfg/DFGDoesGC.cpp:
948         (JSC::DFG::doesGC):
949         * dfg/DFGDominators.h:
950         (JSC::DFG::Dominators::Dominators):
951         (JSC::DFG::ensureDominatorsForCFG):
952         * dfg/DFGEdgeDominates.h:
953         (JSC::DFG::EdgeDominates::EdgeDominates):
954         (JSC::DFG::EdgeDominates::operator()):
955         * dfg/DFGFixupPhase.cpp:
956         (JSC::DFG::FixupPhase::fixupNode):
957         (JSC::DFG::FixupPhase::fixupChecksInBlock):
958         * dfg/DFGFlushFormat.h:
959         * dfg/DFGGraph.cpp:
960         (JSC::DFG::Graph::Graph):
961         (JSC::DFG::unboxLoopNode):
962         (JSC::DFG::Graph::dumpBlockHeader):
963         (JSC::DFG::Graph::dump):
964         (JSC::DFG::Graph::determineReachability):
965         (JSC::DFG::Graph::invalidateCFG):
966         (JSC::DFG::Graph::blocksInPreOrder):
967         (JSC::DFG::Graph::blocksInPostOrder):
968         (JSC::DFG::Graph::ensureCPSDominators):
969         (JSC::DFG::Graph::ensureSSADominators):
970         (JSC::DFG::Graph::ensureCPSNaturalLoops):
971         (JSC::DFG::Graph::ensureSSANaturalLoops):
972         (JSC::DFG::Graph::ensureBackwardsCFG):
973         (JSC::DFG::Graph::ensureBackwardsDominators):
974         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
975         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
976         (JSC::DFG::Graph::clearCPSCFGData):
977         (JSC::DFG::Graph::ensureDominators): Deleted.
978         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
979         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
980         * dfg/DFGGraph.h:
981         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
982         (JSC::DFG::Graph::isEntrypoint const):
983         * dfg/DFGInPlaceAbstractState.cpp:
984         (JSC::DFG::InPlaceAbstractState::initialize):
985         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
986         * dfg/DFGJITCode.cpp:
987         (JSC::DFG::JITCode::shrinkToFit):
988         * dfg/DFGJITCode.h:
989         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
990         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
991         (JSC::DFG::JITCode::appendCatchEntrypoint):
992         * dfg/DFGJITCompiler.cpp:
993         (JSC::DFG::JITCompiler::compile):
994         (JSC::DFG::JITCompiler::compileFunction):
995         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
996         (JSC::DFG::JITCompiler::noticeOSREntry):
997         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
998         * dfg/DFGJITCompiler.h:
999         * dfg/DFGLICMPhase.cpp:
1000         (JSC::DFG::LICMPhase::run):
1001         (JSC::DFG::LICMPhase::attemptHoist):
1002         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1003         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
1004         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
1005         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1006         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
1007         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
1008         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
1009         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1010         (JSC::DFG::createPreHeader):
1011         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1012         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1013         (JSC::DFG::MaximalFlushInsertionPhase::run):
1014         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1015         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1016         * dfg/DFGMayExit.cpp:
1017         * dfg/DFGNaturalLoops.h:
1018         (JSC::DFG::NaturalLoops::NaturalLoops):
1019         * dfg/DFGNode.h:
1020         (JSC::DFG::Node::isSwitch const):
1021         (JSC::DFG::Node::successor):
1022         (JSC::DFG::Node::catchOSREntryIndex const):
1023         (JSC::DFG::Node::catchLocalPrediction):
1024         (JSC::DFG::Node::isSwitch): Deleted.
1025         * dfg/DFGNodeType.h:
1026         * dfg/DFGOSREntry.cpp:
1027         (JSC::DFG::prepareCatchOSREntry):
1028         * dfg/DFGOSREntry.h:
1029         * dfg/DFGOSREntrypointCreationPhase.cpp:
1030         (JSC::DFG::OSREntrypointCreationPhase::run):
1031         * dfg/DFGOSRExitCompilerCommon.cpp:
1032         (JSC::DFG::handleExitCounts):
1033         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1034         * dfg/DFGPlan.cpp:
1035         (JSC::DFG::Plan::compileInThreadImpl):
1036         * dfg/DFGPrePostNumbering.cpp:
1037         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
1038         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
1039         (WTF::printInternal): Deleted.
1040         * dfg/DFGPrePostNumbering.h:
1041         (): Deleted.
1042         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
1043         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
1044         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
1045         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
1046         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
1047         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
1048         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
1049         * dfg/DFGPredictionInjectionPhase.cpp:
1050         (JSC::DFG::PredictionInjectionPhase::run):
1051         * dfg/DFGPredictionPropagationPhase.cpp:
1052         * dfg/DFGPutStackSinkingPhase.cpp:
1053         * dfg/DFGSSACalculator.cpp:
1054         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1055         (JSC::DFG::SSACalculator::reachingDefAtTail):
1056         * dfg/DFGSSACalculator.h:
1057         (JSC::DFG::SSACalculator::computePhis):
1058         * dfg/DFGSSAConversionPhase.cpp:
1059         (JSC::DFG::SSAConversionPhase::run):
1060         (JSC::DFG::performSSAConversion):
1061         * dfg/DFGSafeToExecute.h:
1062         (JSC::DFG::safeToExecute):
1063         * dfg/DFGSpeculativeJIT.cpp:
1064         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1065         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1066         (JSC::DFG::SpeculativeJIT::createOSREntries):
1067         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1068         * dfg/DFGSpeculativeJIT32_64.cpp:
1069         (JSC::DFG::SpeculativeJIT::compile):
1070         * dfg/DFGSpeculativeJIT64.cpp:
1071         (JSC::DFG::SpeculativeJIT::compile):
1072         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1073         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1074         * dfg/DFGStrengthReductionPhase.cpp:
1075         (JSC::DFG::StrengthReductionPhase::handleNode):
1076         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1077         (JSC::DFG::TierUpCheckInjectionPhase::run):
1078         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
1079         * dfg/DFGTypeCheckHoistingPhase.cpp:
1080         (JSC::DFG::TypeCheckHoistingPhase::run):
1081         * dfg/DFGValidate.cpp:
1082         * ftl/FTLLink.cpp:
1083         (JSC::FTL::link):
1084         * ftl/FTLLowerDFGToB3.cpp:
1085         (JSC::FTL::DFG::LowerDFGToB3::lower):
1086         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
1087         (JSC::FTL::DFG::LowerDFGToB3::isValid):
1088         * jit/JIT.h:
1089         * jit/JITInlines.h:
1090         (JSC::JIT::callOperation):
1091         * jit/JITOpcodes.cpp:
1092         (JSC::JIT::emit_op_catch):
1093         * jit/JITOpcodes32_64.cpp:
1094         (JSC::JIT::emit_op_catch):
1095         * jit/JITOperations.cpp:
1096         * jit/JITOperations.h:
1097         * llint/LLIntSlowPaths.cpp:
1098         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1099         * llint/LLIntSlowPaths.h:
1100         * llint/LowLevelInterpreter32_64.asm:
1101         * llint/LowLevelInterpreter64.asm:
1102
1103 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1104
1105         Unreviewed, debug build fix
1106         https://bugs.webkit.org/show_bug.cgi?id=174355
1107
1108         * ftl/FTLLowerDFGToB3.cpp:
1109         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1110
1111 2017-08-23  Michael Saboff  <msaboff@apple.com>
1112
1113         REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
1114         https://bugs.webkit.org/show_bug.cgi?id=175903
1115
1116         Reviewed by Saam Barati.
1117
1118         In generateCharacterClassGreedy we were incrementing the "count" register before checking
1119         for the end of the input string.  The at-end-of-input check is the final check before
1120         knowing that the current character matched.  In this case, the end of input check
1121         indicates that we ran out of prechecked characters and therefore should fail the match of
1122         the current character.  The backtracking code uses the value in the "count" register as
1123         the number of characters that successfully matched, which shouldn't include the current
1124         character.  Therefore we need to move the incrementing of "count" to after the
1125         at-end-of-input check.
1126
1127         Through code inspection of the expectations of other backtracking code, I determined that
1128         the non-greedy character class matching code had a similar issue.  I fixed that as well
1129         and added a new test case.
1130
1131         * yarr/YarrJIT.cpp:
1132         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1133         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1134
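The following is an added example, not WebKit's code. It is a small model of a Yarr-style greedy character-class term followed by a literal, with backtracking, built to show why the "count" register must be incremented only after the at-end-of-input check. The model reproduces only the defect the entry describes (the end-of-input path); the class-mismatch path is modelled as correct in both versions. The pattern shape (literal prefix, greedy class, single-character suffix), the function names and the sample inputs are constructed for this illustration, not taken from the Yarr sources or the regression test.

```javascript
// Added example; not WebKit code. A model of a Yarr-style greedy character
// class followed by a literal, with backtracking, showing what goes wrong when
// "count" is incremented before the at-end-of-input check.
"use strict";

// Fixed order: end-of-input check, class check, and only then count++.
// `index` is the input position; `count` is how many characters the term consumed.
function greedyClassFixed(input, index, inClass) {
  let count = 0;
  for (;;) {
    if (index >= input.length) break;   // out of prechecked input: current char did NOT match
    if (!inClass(input[index])) break;  // character outside the class: stop here
    index++;
    count++;                            // this character has now matched
  }
  return { count, index };
}

// r221052 order: count++ before the end-of-input check. When the loop exits
// because input ran out, count is one larger than the characters consumed,
// so count and index are out of sync. (Mismatch path modelled as correct.)
function greedyClassBuggy(input, index, inClass) {
  let count = 0;
  for (;;) {
    count++;                            // counted before we know it matched
    if (index >= input.length) break;   // exits with count == consumed + 1
    if (!inClass(input[index])) { count--; break; }
    index++;
  }
  return { count, index };
}

// Matches `prefix`, then greedy `inClass`*, then the single character `suffix`,
// anchored at offset 0. Backtracking gives up one greedy character at a time by
// decrementing both count and index. With count one too high, the backtracker
// steps index below the term's own start and reads memory it never matched;
// in a JIT that is an out-of-bounds read, and here it yields a false match.
function matchPrefixClassSuffix(input, prefix, inClass, suffix, greedy) {
  if (!input.startsWith(prefix)) return { matched: false, readBeforeTermStart: false };
  const termStart = prefix.length;
  let { count, index } = greedy(input, termStart, inClass);
  let lowestRead = Infinity;          // lowest index the suffix term inspected
  for (;;) {
    if (index < input.length) {
      lowestRead = Math.min(lowestRead, index);
      if (input[index] === suffix) {
        return { matched: true, readBeforeTermStart: lowestRead < termStart };
      }
    }
    if (count === 0) return { matched: false, readBeforeTermStart: lowestRead < termStart };
    count--;                          // backtrack one character of the greedy term
    index--;
  }
}

const isA = (ch) => ch === "a";

// Equivalent of /^ba*b/ run over constructed inputs with both loop orders.
function demo() {
  return {
    fixedNoMatch: matchPrefixClassSuffix("baa", "b", isA, "b", greedyClassFixed),
    buggyFalseMatch: matchPrefixClassSuffix("baa", "b", isA, "b", greedyClassBuggy),
    fixedMatch: matchPrefixClassSuffix("baab", "b", isA, "b", greedyClassFixed),
  };
}
```

With the fixed order, `"baa"` is correctly rejected and `"baab"` accepted, matching what `/^ba*b/` does in a real engine. With the r221052 order, the greedy loop reports three matched characters for `"baa"` although only two were consumed, the backtracker walks `index` down to 0, reads the leading `b` that belongs to the prefix term, and reports a match. The extra read is the part to remember: in interpreted JavaScript it is merely a wrong answer, in JIT-generated native code it is a read outside the region the term was allowed to touch.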
1135 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1136
1137         [JSC] Optimize Map iteration with intrinsic
1138         https://bugs.webkit.org/show_bug.cgi?id=174355
1139
1140         Reviewed by Saam Barati.
1141
1142         This patch optimizes Map/Set iteration by taking an approach similar to Array iteration.
1143         We create a simple iterator object instead of JSMapIterator and JSSetIterator. And we
1144         directly handle Map/Set buckets in JS builtins. We carefully create mapIteratorNext and
1145         setIteratorNext functions which should be inlined. This leads to a significant performance boost
1146         when they are inlined in for-of iteration.
1147
1148         This patch changes how DFG and FTL handle MapBucket if the bucket is not found.
1149         Previously, we used nullptr for that, and DFG and FTL specially handled this nullptr as a bucket.
1150         Instead, this patch introduces sentinel buckets. They are marked as deleted, and not linked
1151         to any hash maps. And their key and value fields are filled with Undefined. By returning this
1152         sentinel bucket instead of returning nullptr, we simplify DFG and FTL's LoadXXXFromMapBucket
1153         code.
1154
1155         We still keep JSMapIterator and JSSetIterator because they are useful to serialize Map and Set
1156         in WebCore. So they are not used in user-observable JS. We change them from JS objects to JS cells.
1157
1158         Existing microbenchmarks show performance improvements.
1159
1160         large-map-iteration                           164.1622+-4.1618     ^     56.6284+-1.5355        ^ definitely 2.8989x faster
1161         set-for-of                                     15.4369+-1.0631     ^      9.2955+-0.5979        ^ definitely 1.6607x faster
1162         map-for-each                                    7.5889+-0.5792     ^      6.3011+-0.4816        ^ definitely 1.2044x faster
1163         map-for-of                                     32.3904+-1.3003     ^     12.6907+-0.6118        ^ definitely 2.5523x faster
1164         map-rehash                                     13.9275+-0.9187     ^     11.5367+-0.6430        ^ definitely 1.2072x faster
1165
1166         * CMakeLists.txt:
1167         * DerivedSources.make:
1168         * builtins/ArrayPrototype.js:
1169         (globalPrivate.createArrayIterator):
1170         * builtins/BuiltinNames.h:
1171         * builtins/MapIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1172         (globalPrivate.mapIteratorNext):
1173         (next):
1174         * builtins/MapPrototype.js:
1175         (globalPrivate.createMapIterator):
1176         (values):
1177         (keys):
1178         (entries):
1179         (forEach):
1180         * builtins/SetIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1181         (globalPrivate.setIteratorNext):
1182         (next):
1183         * builtins/SetPrototype.js:
1184         (globalPrivate.createSetIterator):
1185         (values):
1186         (entries):
1187         (forEach):
1188         * bytecode/BytecodeIntrinsicRegistry.cpp:
1189         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1190         * bytecode/BytecodeIntrinsicRegistry.h:
1191         * bytecode/SpeculatedType.h:
1192         * dfg/DFGAbstractInterpreterInlines.h:
1193         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1194         * dfg/DFGByteCodeParser.cpp:
1195         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1196         * dfg/DFGClobberize.h:
1197         (JSC::DFG::clobberize):
1198         * dfg/DFGDoesGC.cpp:
1199         (JSC::DFG::doesGC):
1200         * dfg/DFGFixupPhase.cpp:
1201         (JSC::DFG::FixupPhase::fixupNode):
1202         * dfg/DFGHeapLocation.cpp:
1203         (WTF::printInternal):
1204         * dfg/DFGHeapLocation.h:
1205         * dfg/DFGNode.h:
1206         (JSC::DFG::Node::hasHeapPrediction):
1207         (JSC::DFG::Node::hasBucketOwnerType):
1208         (JSC::DFG::Node::bucketOwnerType):
1209         (JSC::DFG::Node::OpInfoWrapper::as const):
1210         * dfg/DFGNodeType.h:
1211         * dfg/DFGOperations.cpp:
1212         * dfg/DFGPredictionPropagationPhase.cpp:
1213         * dfg/DFGSafeToExecute.h:
1214         (JSC::DFG::safeToExecute):
1215         * dfg/DFGSpeculativeJIT.cpp:
1216         (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead):
1217         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1218         (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket):
1219         (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket):
1220         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr): Deleted.
1221         * dfg/DFGSpeculativeJIT.h:
1222         * dfg/DFGSpeculativeJIT32_64.cpp:
1223         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1224         (JSC::DFG::SpeculativeJIT::compile):
1225         * dfg/DFGSpeculativeJIT64.cpp:
1226         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1227         (JSC::DFG::SpeculativeJIT::compile):
1228         * ftl/FTLAbstractHeapRepository.h:
1229         * ftl/FTLCapabilities.cpp:
1230         (JSC::FTL::canCompile):
1231         * ftl/FTLLowerDFGToB3.cpp:
1232         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1233         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1234         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketHead):
1235         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1236         (JSC::FTL::DFG::LowerDFGToB3::compileLoadValueFromMapBucket):
1237         (JSC::FTL::DFG::LowerDFGToB3::compileLoadKeyFromMapBucket):
1238         (JSC::FTL::DFG::LowerDFGToB3::setStorage):
1239         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket): Deleted.
1240         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket): Deleted.
1241         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket): Deleted.
1242         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket): Deleted.
1243         * inspector/JSInjectedScriptHost.cpp:
1244         (Inspector::JSInjectedScriptHost::subtype):
1245         (Inspector::JSInjectedScriptHost::getInternalProperties):
1246         (Inspector::cloneMapIteratorObject):
1247         (Inspector::cloneSetIteratorObject):
1248         (Inspector::JSInjectedScriptHost::iteratorEntries):
1249         * runtime/HashMapImpl.h:
1250         (JSC::HashMapBucket::createSentinel):
1251         (JSC::HashMapBucket::offsetOfNext):
1252         (JSC::HashMapBucket::offsetOfDeleted):
1253         (JSC::HashMapImpl::offsetOfHead):
1254         * runtime/Intrinsic.cpp:
1255         (JSC::intrinsicName):
1256         * runtime/Intrinsic.h:
1257         * runtime/JSGlobalObject.cpp:
1258         (JSC::JSGlobalObject::init):
1259         * runtime/JSGlobalObject.h:
1260         * runtime/JSMap.h:
1261         * runtime/JSMapIterator.cpp:
1262         (JSC::JSMapIterator::clone): Deleted.
1263         * runtime/JSMapIterator.h:
1264         (JSC::JSMapIterator::iteratedValue const):
1265         * runtime/JSSet.h:
1266         * runtime/JSSetIterator.cpp:
1267         (JSC::JSSetIterator::clone): Deleted.
1268         * runtime/JSSetIterator.h:
1269         (JSC::JSSetIterator::iteratedValue const):
1270         * runtime/MapConstructor.cpp:
1271         (JSC::mapPrivateFuncMapBucketHead):
1272         (JSC::mapPrivateFuncMapBucketNext):
1273         (JSC::mapPrivateFuncMapBucketKey):
1274         (JSC::mapPrivateFuncMapBucketValue):
1275         * runtime/MapConstructor.h:
1276         * runtime/MapIteratorPrototype.cpp:
1277         (JSC::MapIteratorPrototype::finishCreation):
1278         (JSC::MapIteratorPrototypeFuncNext): Deleted.
1279         * runtime/MapPrototype.cpp:
1280         (JSC::MapPrototype::finishCreation):
1281         (JSC::mapProtoFuncValues): Deleted.
1282         (JSC::mapProtoFuncEntries): Deleted.
1283         (JSC::mapProtoFuncKeys): Deleted.
1284         (JSC::privateFuncMapIterator): Deleted.
1285         (JSC::privateFuncMapIteratorNext): Deleted.
1286         * runtime/MapPrototype.h:
1287         * runtime/SetConstructor.cpp:
1288         (JSC::setPrivateFuncSetBucketHead):
1289         (JSC::setPrivateFuncSetBucketNext):
1290         (JSC::setPrivateFuncSetBucketKey):
1291         * runtime/SetConstructor.h:
1292         * runtime/SetIteratorPrototype.cpp:
1293         (JSC::SetIteratorPrototype::finishCreation):
1294         (JSC::SetIteratorPrototypeFuncNext): Deleted.
1295         * runtime/SetPrototype.cpp:
1296         (JSC::SetPrototype::finishCreation):
1297         (JSC::setProtoFuncSize):
1298         (JSC::setProtoFuncValues): Deleted.
1299         (JSC::setProtoFuncEntries): Deleted.
1300         (JSC::privateFuncSetIterator): Deleted.
1301         (JSC::privateFuncSetIteratorNext): Deleted.
1302         * runtime/SetPrototype.h:
1303         * runtime/VM.cpp:
1304         (JSC::VM::VM):
1305         * runtime/VM.h:
1306
1307 2017-08-23  David Kilzer  <ddkilzer@apple.com>
1308
1309         Fix -Wcast-qual warnings in JavaScriptCore with new clang compiler
1310         <https://webkit.org/b/175889>
1311         <rdar://problem/33667497>
1312
1313         Reviewed by Mark Lam.
1314
1315         * API/ObjCCallbackFunction.mm:
1316         (JSC::objCCallbackFunctionCallAsConstructor): Use
1317         const_cast<JSObjectRef>() since JSValueRef is const while
1318         JSObjectRef is not.
1319         * API/tests/CurrentThisInsideBlockGetterTest.mm:
1320         (+[JSValue valueWithConstructorDescriptor:inContext:]): Use
1321         const_cast<void*>() since JSObjectMake() takes a void*, but
1322         CFBridgingRetain() returns const void*.
1323
1324 2017-08-23  Robin Morisset  <rmorisset@apple.com>
1325
1326         Make GetDynamicVar propagate heap predictions instead of saying HeapTop
1327         https://bugs.webkit.org/show_bug.cgi?id=175738
1328
1329         Reviewed by Saam Barati.
1330
1331         The heap prediction always ends up in m_opInfo2. But GetDynamicVar was already storing getPutInfo in there.
1332         So we move that one into m_opInfo. We can do this because it is 32-bit, and the already present identifierNumber
1333         is also 32-bit, so we can pack both in m_opInfo (which is 64 bits).
1334
1335         * dfg/DFGByteCodeParser.cpp:
1336         (JSC::DFG::makeDynamicVarOpInfo):
1337         (JSC::DFG::ByteCodeParser::parseBlock):
1338         * dfg/DFGNode.h:
1339         (JSC::DFG::Node::getPutInfo):
1340         (JSC::DFG::Node::hasHeapPrediction):
1341         * dfg/DFGPredictionPropagationPhase.cpp:
1342
1343 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
1344
1345         [ESNext] Async iteration - Implement Async Generator - runtime
1346         https://bugs.webkit.org/show_bug.cgi?id=175240
1347
1348         Reviewed by Yusuke Suzuki.
1349
1350         The current implementation is a draft version of Async Iteration.
1351         Link to the spec: https://tc39.github.io/proposal-async-iteration/
1352
1353         To implement the async generator, new states were added that show the reason why the async generator was suspended:
1354         # yield - return a promise with the result
1355         # await - wait until the promise is resolved and then continue
1356
1357         The main difference between an async function and an async generator is that
1358         an async function returns a promise, but an async generator returns an
1359         object with methods (next, throw and return) that return a promise that
1360         can be resolved with a pair of properties, value and done.
1361         Async generator functions are similar to generator functions, with the following differences:
1362         # When called, async generator functions return an object, an async generator,
1363         whose methods (next, throw, and return) return promises for { value, done },
1364         instead of directly returning { value, done }.
1365         This automatically makes the returned async generator objects async iterators.
1366         # await expressions and for-await-of statements are allowed.
1367         # The behavior of yield* is modified to support
1368           delegation to sync and async iterables.
1369
1370         * CMakeLists.txt:
1371         * DerivedSources.make:
1372         * JavaScriptCore.xcodeproj/project.pbxproj:
1373         * builtins/AsyncFromSyncIteratorPrototype.js: Added.
1374         (next.try):
1375         (next):
1376         (return.try):
1377         (return):
1378         (throw.try):
1379         (throw):
1380         (globalPrivate.createAsyncFromSyncIterator):
1381         (globalPrivate.AsyncFromSyncIteratorConstructor):
1382         * builtins/AsyncGeneratorPrototype.js: Added.
1383         (globalPrivate.createAsyncGeneratorQueue):
1384         (globalPrivate.asyncGeneratorQueueIsEmpty):
1385         (globalPrivate.asyncGeneratorQueueCreateItem):
1386         (globalPrivate.asyncGeneratorQueueEnqueue):
1387         (globalPrivate.asyncGeneratorQueueDequeue):
1388         (globalPrivate.asyncGeneratorQueueGetFirstValue):
1389         (globalPrivate.asyncGeneratorDequeue):
1390         (globalPrivate.isExecutionState):
1391         (globalPrivate.isSuspendYieldState):
1392         (globalPrivate.asyncGeneratorReject):
1393         (globalPrivate.asyncGeneratorResolve):
1394         (asyncGeneratorYieldAwaited):
1395         (globalPrivate.asyncGeneratorYield):
1396         (const.onRejected):
1397         (globalPrivate.awaitValue):
1398         (const.onFulfilled):
1399         (globalPrivate.doAsyncGeneratorBodyCall):
1400         (globalPrivate.asyncGeneratorResumeNext.):
1401         (globalPrivate.asyncGeneratorResumeNext):
1402         (globalPrivate.asyncGeneratorEnqueue):
1403         (next):
1404         (return):
1405         (throw):
1406         * builtins/AsyncIteratorPrototype.js: Added.
1407         (symbolAsyncIteratorGetter):
1408         * builtins/BuiltinNames.h:
1409         * bytecode/BytecodeDumper.cpp:
1410         (JSC::BytecodeDumper<Block>::dumpBytecode):
1411         * bytecode/BytecodeIntrinsicRegistry.cpp:
1412         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1413         * bytecode/BytecodeIntrinsicRegistry.h:
1414         * bytecode/BytecodeList.json:
1415         * bytecode/BytecodeUseDef.h:
1416         (JSC::computeUsesForBytecodeOffset):
1417         (JSC::computeDefsForBytecodeOffset):
1418         * bytecompiler/BytecodeGenerator.cpp:
1419         (JSC::BytecodeGenerator::BytecodeGenerator):
1420         (JSC::BytecodeGenerator::emitCreateAsyncGeneratorQueue):
1421         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1422         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1423         (JSC::BytecodeGenerator::emitNewFunction):
1424         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
1425         (JSC::BytecodeGenerator::emitIteratorClose):
1426         (JSC::BytecodeGenerator::emitYieldPoint):
1427         (JSC::BytecodeGenerator::emitYield):
1428         (JSC::BytecodeGenerator::emitCallIterator):
1429         (JSC::BytecodeGenerator::emitAwait):
1430         (JSC::BytecodeGenerator::emitGetIterator):
1431         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1432         (JSC::BytecodeGenerator::emitDelegateYield):
1433         * bytecompiler/BytecodeGenerator.h:
1434         * bytecompiler/NodesCodegen.cpp:
1435         (JSC::ReturnNode::emitBytecode):
1436         (JSC::FunctionNode::emitBytecode):
1437         (JSC::YieldExprNode::emitBytecode):
1438         (JSC::AwaitExprNode::emitBytecode):
1439         * dfg/DFGAbstractInterpreterInlines.h:
1440         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1441         * dfg/DFGByteCodeParser.cpp:
1442         (JSC::DFG::ByteCodeParser::parseBlock):
1443         * dfg/DFGCapabilities.cpp:
1444         (JSC::DFG::capabilityLevel):
1445         * dfg/DFGClobberize.h:
1446         (JSC::DFG::clobberize):
1447         * dfg/DFGClobbersExitState.cpp:
1448         (JSC::DFG::clobbersExitState):
1449         * dfg/DFGDoesGC.cpp:
1450         (JSC::DFG::doesGC):
1451         * dfg/DFGFixupPhase.cpp:
1452         (JSC::DFG::FixupPhase::fixupNode):
1453         * dfg/DFGMayExit.cpp:
1454         * dfg/DFGNode.h:
1455         (JSC::DFG::Node::convertToPhantomNewFunction):
1456         (JSC::DFG::Node::convertToPhantomNewAsyncGeneratorFunction):
1457         (JSC::DFG::Node::hasCellOperand):
1458         (JSC::DFG::Node::isFunctionAllocation):
1459         (JSC::DFG::Node::isPhantomFunctionAllocation):
1460         (JSC::DFG::Node::isPhantomAllocation):
1461         * dfg/DFGNodeType.h:
1462         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1463         * dfg/DFGPredictionPropagationPhase.cpp:
1464         * dfg/DFGSafeToExecute.h:
1465         (JSC::DFG::safeToExecute):
1466         * dfg/DFGSpeculativeJIT.cpp:
1467         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1468         * dfg/DFGSpeculativeJIT32_64.cpp:
1469         (JSC::DFG::SpeculativeJIT::compile):
1470         * dfg/DFGSpeculativeJIT64.cpp:
1471         (JSC::DFG::SpeculativeJIT::compile):
1472         * dfg/DFGStoreBarrierInsertionPhase.cpp:
1473         * dfg/DFGValidate.cpp:
1474         * ftl/FTLCapabilities.cpp:
1475         (JSC::FTL::canCompile):
1476         * ftl/FTLLowerDFGToB3.cpp:
1477         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1478         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1479         * ftl/FTLOperations.cpp:
1480         (JSC::FTL::operationPopulateObjectInOSR):
1481         (JSC::FTL::operationMaterializeObjectInOSR):
1482         * jit/JIT.cpp:
1483         (JSC::JIT::privateCompileMainPass):
1484         * jit/JIT.h:
1485         * jit/JITOpcodes.cpp:
1486         (JSC::JIT::emitNewFuncCommon):
1487         (JSC::JIT::emit_op_new_async_generator_func):
1488         (JSC::JIT::emit_op_new_async_func):
1489         (JSC::JIT::emitNewFuncExprCommon):
1490         (JSC::JIT::emit_op_new_async_generator_func_exp):
1491         * jit/JITOperations.cpp:
1492         * jit/JITOperations.h:
1493         * llint/LLIntSlowPaths.cpp:
1494         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1495         * llint/LLIntSlowPaths.h:
1496         * llint/LowLevelInterpreter.asm:
1497         * parser/ASTBuilder.h:
1498         (JSC::ASTBuilder::createFunctionMetadata):
1499         * runtime/AsyncFromSyncIteratorPrototype.cpp: Added.
1500         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
1501         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
1502         (JSC::AsyncFromSyncIteratorPrototype::create):
1503         * runtime/AsyncFromSyncIteratorPrototype.h: Added.
1504         (JSC::AsyncFromSyncIteratorPrototype::createStructure):
1505         * runtime/AsyncGeneratorFunctionConstructor.cpp: Added.
1506         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
1507         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
1508         (JSC::callAsyncGeneratorFunctionConstructor):
1509         (JSC::constructAsyncGeneratorFunctionConstructor):
1510         (JSC::AsyncGeneratorFunctionConstructor::getCallData):
1511         (JSC::AsyncGeneratorFunctionConstructor::getConstructData):
1512         * runtime/AsyncGeneratorFunctionConstructor.h: Added.
1513         (JSC::AsyncGeneratorFunctionConstructor::create):
1514         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
1515         * runtime/AsyncGeneratorFunctionPrototype.cpp: Added.
1516         (JSC::AsyncGeneratorFunctionPrototype::AsyncGeneratorFunctionPrototype):
1517         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
1518         * runtime/AsyncGeneratorFunctionPrototype.h: Added.
1519         (JSC::AsyncGeneratorFunctionPrototype::create):
1520         (JSC::AsyncGeneratorFunctionPrototype::createStructure):
1521         * runtime/AsyncGeneratorPrototype.cpp: Added.
1522         (JSC::AsyncGeneratorPrototype::finishCreation):
1523         * runtime/AsyncGeneratorPrototype.h: Added.
1524         (JSC::AsyncGeneratorPrototype::create):
1525         (JSC::AsyncGeneratorPrototype::createStructure):
1526         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype):
1527         * runtime/AsyncIteratorPrototype.cpp: Added.
1528         (JSC::AsyncIteratorPrototype::finishCreation):
1529         * runtime/AsyncIteratorPrototype.h: Added.
1530         (JSC::AsyncIteratorPrototype::create):
1531         (JSC::AsyncIteratorPrototype::createStructure):
1532         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype):
1533         * runtime/CommonIdentifiers.h:
1534         * runtime/FunctionConstructor.cpp:
1535         (JSC::constructFunctionSkippingEvalEnabledCheck):
1536         * runtime/FunctionConstructor.h:
1537         * runtime/FunctionExecutable.h:
1538         * runtime/JSAsyncGeneratorFunction.cpp: Added.
1539         (JSC::JSAsyncGeneratorFunction::JSAsyncGeneratorFunction):
1540         (JSC::JSAsyncGeneratorFunction::createImpl):
1541         (JSC::JSAsyncGeneratorFunction::create):
1542         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
1543         * runtime/JSAsyncGeneratorFunction.h: Added.
1544         (JSC::JSAsyncGeneratorFunction::allocationSize):
1545         (JSC::JSAsyncGeneratorFunction::createStructure):
1546         * runtime/JSFunction.cpp:
1547         (JSC::JSFunction::getOwnPropertySlot):
1548         * runtime/JSGlobalObject.cpp:
1549         (JSC::JSGlobalObject::init):
1550         (JSC::JSGlobalObject::visitChildren):
1551         * runtime/JSGlobalObject.h:
1552         (JSC::JSGlobalObject::asyncIteratorPrototype const):
1553         (JSC::JSGlobalObject::asyncGeneratorPrototype const):
1554         (JSC::JSGlobalObject::asyncGeneratorFunctionPrototype const):
1555         (JSC::JSGlobalObject::asyncGeneratorFunctionStructure const):
1556         * runtime/Options.h:
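
An added example, not JavaScriptCore's own code, that exercises the three differences the entry above lists (promises for { value, done }, await inside the body, yield* delegation to sync and async iterables) from the JavaScript side; the helpers mixed, describeGeneratorObject, collect, earlyReturn and injectedThrow are my own names.

```javascript
// Added example, not JavaScriptCore code: exercises the differences the entry
// lists between generator functions and async generator functions.

// Two sources to delegate to with yield*: a sync iterable and an async iterable.
function* syncSource() {
  yield 1;
  yield 2;
}
async function* asyncSource() {
  yield 3;
  yield 4;
}

async function* mixed() {
  // await expressions are allowed in the body of an async generator.
  const first = await Promise.resolve(0);
  yield first;
  // yield* delegates to a sync iterable (the engine wraps it in an
  // async-from-sync iterator) ...
  yield* syncSource();
  // ... and to an async iterable.
  yield* asyncSource();
}

// Calling the async generator function does not run the body; it returns an
// async generator object that is its own async iterator and whose next()
// returns a promise rather than a { value, done } record.
function describeGeneratorObject() {
  const gen = mixed();
  return {
    isOwnAsyncIterator: gen[Symbol.asyncIterator]() === gen,
    nextReturnsPromise: gen.next() instanceof Promise,
  };
}

// Drain an async iterable with for-await-of and resolve to the collected values.
async function collect(iterable) {
  const out = [];
  for await (const v of iterable) out.push(v);
  return out;
}

// return() likewise resolves to { value, done }; it closes the generator, so a
// later next() reports done: true with an undefined value.
async function earlyReturn() {
  const gen = mixed();
  await gen.next();                       // { value: 0, done: false }
  const stopped = await gen.return('stop');
  const after = await gen.next();
  return { stopped, after };
}

// throw() on a suspended generator rejects with the injected error (the body
// has no try/catch), and the generator is then done.
async function injectedThrow() {
  const gen = mixed();
  await gen.next();
  let caught;
  try {
    await gen.throw(new Error('injected'));
  } catch (e) {
    caught = e.message;
  }
  const after = await gen.next();
  return { caught, afterDone: after.done };
}
```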
1557
1558 2017-08-22  Michael Saboff  <msaboff@apple.com>
1559
1560         Implement Unicode RegExp support in the YARR JIT
1561         https://bugs.webkit.org/show_bug.cgi?id=174646
1562
1563         Reviewed by Filip Pizlo.
1564
1565         This support is only implemented for 64 bit platforms.  It wouldn't be too hard to add support
1566         for 32 bit platforms with a reasonable number of spare registers.  This code slightly refactors
1567         register usage to reduce the number of callee save registers used for non-Unicode expressions.
1568         For Unicode expressions, there are several more registers used to store constant values for
1569         processing surrogate pairs as well as discerning whether a character belongs to the Basic
1570         Multilingual Plane (BMP) or one of the Supplemental Planes.
1571
1572         This implements JIT support for Unicode expressions very similar to how the interpreter works.
1573         Just like in the interpreter, backtracking code uses more space on the stack to save positions.
1574         Moved the BackTrackInfo* structs to YarrPattern as separate functions.  Added xxxIndex()
1575         functions to each of these to simplify how the JIT code reads and writes the structure fields.
1576
1577         Given that reading surrogate pairs and transforming them into a single code point takes a
1578         little processing, the code that implements reading a Unicode character is implemented as a
1579         leaf function added to the end of the JIT'ed code.  The calling convention for
1580         "tryReadUnicodeCharacterHelper()" is non-standard given that the rest of the code assumes
1581         that argument values stay in argument registers for most of the generated code.
1582         That helper takes the starting character address in one register, regUnicodeInputAndTrail,
1583         and uses another dedicated temporary register, regUnicodeTemp.  The result is typically
1584         returned in regT0.  If another return register is requested, we'll create an inline copy of
1585         that function.
1586
1587         Added a new flag to CharacterClass to signify if a class has non-BMP characters.  This flag
1588         is used in optimizeAlternative() where we swap the order of a fixed character class term with
1589         a fixed character term that immediately follows it.  Since the non-BMP character class may
1590         increment "index" when matching, that must be done first before trying to match a fixed
1591         character term later in the string.
1592
1593         Given the usefulness of the LEA instruction on X86 to create a single pointer value from a
1594         base with index and offset, which the YARR JIT uses heavily, I added a new macroAssembler
1595         function, getEffectiveAddress64(), with an ARM64 implementation.  It just calls x86Lea64()
1596         on X86-64.  Also added an ImplicitAddress version of load16Unaligned().
1597
1598         (JSC::MacroAssemblerARM64::load16Unaligned):
1599         (JSC::MacroAssemblerARM64::getEffectiveAddress64):
1600         * assembler/MacroAssemblerX86Common.h:
1601         (JSC::MacroAssemblerX86Common::load16Unaligned):
1602         (JSC::MacroAssemblerX86Common::load16):
1603         * assembler/MacroAssemblerX86_64.h:
1604         (JSC::MacroAssemblerX86_64::getEffectiveAddress64):
1605         * create_regex_tables:
1606         * runtime/RegExp.cpp:
1607         (JSC::RegExp::compile):
1608         * yarr/YarrInterpreter.cpp:
1609         * yarr/YarrJIT.cpp:
1610         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1611         (JSC::Yarr::YarrGenerator::matchCharacterClass):
1612         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1613         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
1614         (JSC::Yarr::YarrGenerator::readCharacter):
1615         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
1616         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
1617         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
1618         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
1619         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
1620         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
1621         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):
1622         (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy):
1623         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
1624         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1625         (JSC::Yarr::YarrGenerator::backtrackCharacterClassOnce):
1626         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1627         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1628         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
1629         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
1630         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1631         (JSC::Yarr::YarrGenerator::generate):
1632         (JSC::Yarr::YarrGenerator::backtrack):
1633         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
1634         (JSC::Yarr::YarrGenerator::generateEnter):
1635         (JSC::Yarr::YarrGenerator::generateReturn):
1636         (JSC::Yarr::YarrGenerator::YarrGenerator):
1637         (JSC::Yarr::YarrGenerator::compile):
1638         * yarr/YarrJIT.h:
1639         * yarr/YarrPattern.cpp:
1640         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1641         (JSC::Yarr::CharacterClassConstructor::reset):
1642         (JSC::Yarr::CharacterClassConstructor::charClass):
1643         (JSC::Yarr::CharacterClassConstructor::addSorted):
1644         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1645         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
1646         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
1647         * yarr/YarrPattern.h:
1648         (JSC::Yarr::CharacterClass::CharacterClass):
1649         (JSC::Yarr::BackTrackInfoPatternCharacter::beginIndex):
1650         (JSC::Yarr::BackTrackInfoPatternCharacter::matchAmountIndex):
1651         (JSC::Yarr::BackTrackInfoCharacterClass::beginIndex):
1652         (JSC::Yarr::BackTrackInfoCharacterClass::matchAmountIndex):
1653         (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
1654         (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
1655         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1656         (JSC::Yarr::BackTrackInfoParentheticalAssertion::beginIndex):
1657         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1658         (JSC::Yarr::BackTrackInfoParenthesesTerminal::beginIndex):
1659
1660 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
1661
1662         Implement 64-bit MacroAssembler::probe support for Windows.
1663         https://bugs.webkit.org/show_bug.cgi?id=175724
1664
1665         Reviewed by Mark Lam.
1666
1667         This is needed to enable the DFG. MSVC no longer supports inline assembly
1668         for 64-bit, which means we have to put the code in an asm file.
1669
1670         * assembler/MacroAssemblerX86Common.cpp:
1671         (JSC::booleanTrueForAvoidingNoReturnDeclaration): Deleted.
1672         * jit/JITStubsMSVC64.asm:
1673
1674 2017-08-22  Devin Rousso  <webkit@devinrousso.com>
1675
1676         Web Inspector: provide way for ShaderPrograms to be enabled/disabled
1677         https://bugs.webkit.org/show_bug.cgi?id=175400
1678
1679         Reviewed by Matt Baker.
1680
1681         * inspector/protocol/Canvas.json:
1682         Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader
1683         program to the supplied boolean value. If this value is true, calls to `drawArrays` and
1684         `drawElements` when that program is in use will have no effect.
1685
1686 2017-08-22  Keith Miller  <keith_miller@apple.com>
1687
1688         Unreviewed, fix windows build... for realz.
1689
1690         * CMakeLists.txt:
1691
1692 2017-08-22  Saam Barati  <sbarati@apple.com>
1693
1694         We are using valueProfileForBytecodeOffset when there may not be a value profile
1695         https://bugs.webkit.org/show_bug.cgi?id=175812
1696
1697         Reviewed by Michael Saboff.
1698
1699         This patch uses the type system to aid the code around CodeBlock's ValueProfile
1700         accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
1701         so there were callers of this that thought it could return nullptr when there
1702         was no such ValueProfile. This was not the case, it always returned a non-null
1703         pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
1704         and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
1705         and does the right thing if there is no such ValueProfile.
1706
1707         This patch also changes the other ValueProfile accessors on CodeBlock to
1708         return ValueProfile& instead of ValueProfile*. Some callers handled the null
1709         case unnecessarily, and using the type system to specify the result can't be
1710         null removes these useless branches.
1711
1712         * bytecode/CodeBlock.cpp:
1713         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1714         (JSC::CodeBlock::dumpValueProfiles):
1715         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
1716         (JSC::CodeBlock::valueProfileForBytecodeOffset):
1717         (JSC::CodeBlock::validate):
1718         * bytecode/CodeBlock.h:
1719         (JSC::CodeBlock::valueProfileForArgument):
1720         (JSC::CodeBlock::valueProfile):
1721         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
1722         (JSC::CodeBlock::getFromAllValueProfiles):
1723         * dfg/DFGByteCodeParser.cpp:
1724         (JSC::DFG::ByteCodeParser::handleInlining):
1725         * dfg/DFGGraph.cpp:
1726         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1727         * dfg/DFGPredictionInjectionPhase.cpp:
1728         (JSC::DFG::PredictionInjectionPhase::run):
1729         * jit/JIT.h:
1730         * jit/JITInlines.h:
1731         (JSC::JIT::emitValueProfilingSite):
1732         * profiler/ProfilerBytecodeSequence.cpp:
1733         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
1734         * tools/HeapVerifier.cpp:
1735         (JSC::HeapVerifier::validateJSCell):
1736
1737 2017-08-22  Keith Miller  <keith_miller@apple.com>
1738
1739         Unreviewed, fix windows build... maybe.
1740
1741         * CMakeLists.txt:
1742
1743 2017-08-22  Keith Miller  <keith_miller@apple.com>
1744
1745         Unreviewed, fix cloop build.
1746
1747         * JavaScriptCore.xcodeproj/project.pbxproj:
1748
1749 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
1750
1751         [Win][Release] Crash when running testmasm executable.
1752         https://bugs.webkit.org/show_bug.cgi?id=175772
1753
1754         Reviewed by Mark Lam.
1755
1756         We need to save and restore the modified registers in case one or more registers are callee saved
1757         on the relevant platforms.
1758
1759         * assembler/testmasm.cpp:
1760         (JSC::testProbeReadsArgumentRegisters):
1761         (JSC::testProbeWritesArgumentRegisters):
1762
1763 2017-08-21  Mark Lam  <mark.lam@apple.com>
1764
1765         Change probe code to use static_assert instead of COMPILE_ASSERT.
1766         https://bugs.webkit.org/show_bug.cgi?id=175762
1767
1768         Reviewed by JF Bastien.
1769
1770         * assembler/MacroAssemblerARM.cpp:
1771         * assembler/MacroAssemblerARM64.cpp:
1772         (JSC::MacroAssembler::probe): Deleted.
1773         * assembler/MacroAssemblerARMv7.cpp:
1774         * assembler/MacroAssemblerX86Common.cpp:
1775
1776 2017-08-21  Keith Miller  <keith_miller@apple.com>
1777
1778         Make generate_offset_extractor.rb architectures argument more robust
1779         https://bugs.webkit.org/show_bug.cgi?id=175809
1780
1781         Reviewed by Joseph Pecoraro.
1782
1783         It turns out that some of our builders pass their architectures as
1784         space separated lists.  I decided to just make the splitting of
1785         our list robust to any reasonable combination of spaces and
1786         commas.
1787
1788         * offlineasm/generate_offset_extractor.rb:
1789
1790 2017-08-21  Keith Miller  <keith_miller@apple.com>
1791
1792         Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
1793         https://bugs.webkit.org/show_bug.cgi?id=175690
1794
1795         Reviewed by Michael Saboff.
1796
1797         This should reduce some of the time we spend building offline asm
1798         in our builds (except for linux since they already did this).
1799
1800         * CMakeLists.txt:
1801         * JavaScriptCore.xcodeproj/project.pbxproj:
1802         * offlineasm/backends.rb:
1803         * offlineasm/generate_offset_extractor.rb:
1804
1805 2017-08-20  Mark Lam  <mark.lam@apple.com>
1806
1807         Gardening: fix CLoop build.
1808         https://bugs.webkit.org/show_bug.cgi?id=175688
1809         <rdar://problem/33436870>
1810
1811         Not reviewed.
1812
1813         Make these files dependent on ENABLE(MASM_PROBE).
1814
1815         * assembler/ProbeContext.cpp:
1816         * assembler/ProbeContext.h:
1817         * assembler/ProbeStack.cpp:
1818         * assembler/ProbeStack.h:
1819
1820 2017-08-20  Mark Lam  <mark.lam@apple.com>
1821
1822         Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
1823         https://bugs.webkit.org/show_bug.cgi?id=175688
1824         <rdar://problem/33436870>
1825
1826         Reviewed by JF Bastien.
1827
1828         With this patch, the clients of the MacroAssembler::probe() can now change
1829         stack values without having to worry about whether there is enough room in the
1830         current stack frame for it or not.  This is done using the Probe::Context's stack
1831         member like so:
1832
1833             jit.probe([] (Probe::Context& context) {
1834                 auto cpu = context.cpu;
1835                 auto stack = context.stack();
1836                 uintptr_t* currentSP = cpu.sp<uintptr_t*>();
1837
1838                 // Get a value at the current stack pointer location.
1839                 auto value = stack.get<uintptr_t>(currentSP);
1840
1841                 // Set a value above the current stack pointer (within current frame).
1842                 stack.set<uintptr_t>(currentSP + 10, value);
1843
1844                 // Set a value below the current stack pointer (out of current frame).
1845                 stack.set<uintptr_t>(currentSP - 10, value);
1846
1847                 // Set the new stack pointer.
1848                 cpu.sp() = currentSP - 20;
1849             });
1850
1851         What happens behind the scene:
1852
1853         1. the generated JIT probe code will now call Probe::executeProbe(), and
1854            Probe::executeProbe() will in turn call the client's probe function.
1855
1856            Probe::executeProbe() receives the Probe::State on the machine stack passed
1857            to it by the probe trampoline.  Probe::executeProbe() will instantiate a
1858            Probe::Context to be passed to the client's probe function.  The client will
1859            no longer see the Probe::State directly.
1860
1861         2. The Probe::Context comes with a Probe::Stack which serves as a manager of
1862            stack pages.  Currently, each page is 1K in size.
1863            Probe::Context::stack() returns a reference to an instance of Probe::Stack.
1864
1865         3. Invoking get() or set() on Probe::Stack with an address will lead to the
1866            following:
1867
1868            a. the address will be decoded to a baseAddress that points to the 1K page
1869               that contains that address.
1870
1871            b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
1872               If so, go to step (f).  Else, continue with step (c).
1873
1874            c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
1875               for that specified baseAddress to this mirror page.
1876
1877            d. the mirror page will be added to the ProbeStack's m_pages HashMap,
1878               keyed on the baseAddress.
1879
1880            e. the ProbeStack will also cache the last baseAddress and its corresponding
1881               mirror page in use.  With memory accesses tending to be localized, this
1882               will save us from having to look up the page in the HashMap.
1883
1884            f. get() will map the requested address to a physical address in the mirror
1885               page, and return the value at that location.
1886
1887            g. set() will map the requested address to a physical address in the mirror
1888               page, and set the value at that location in the mirror page.
1889
1890               set() will also set a dirty bit corresponding to the "cache line" that
1891               was modified in the mirror page.
1892
1893         4. When the client's probe function returns, Probe::executeProbe() will check if
1894            there are stack changes that need to be applied.  If stack changes are needed:
1895
1896            a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
1897               space is available to flush the dirty stack pages.  It will also register a
1898               flushStackDirtyPages callback function in the Probe::State.  Thereafter,
1899               Probe::executeProbe() returns to the probe trampoline.
1900
1901            b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
1902               a safe place if needed, and then calls the flushStackDirtyPages callback
1903               if needed.
1904
1905            c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
1906               HashMap and flushes all dirty "cache lines" to the machine stack.
1907               Thereafter, flushStackDirtyPages() returns to the probe trampoline.
1908
1909            d. lastly, the probe trampoline will restore all register values and return
1910               to the pc set in the Probe::State.
1911
1912         To make this patch work, I also had to do the following work:
1913
1914         5. Refactor MacroAssembler::CPUState into Probe::CPUState.
1915            Mainly, this means moving the code over to ProbeContext.h.
1916            I also added some convenience accessor methods for spr registers.
1917
1918            Moved Probe::Context over to its own file ProbeContext.h/cpp.
1919
1920         6. Fix all probe trampolines to pass the address of Probe::executeProbe in
1921            addition to the client's probe function and arg.
1922
1923            I also took this opportunity to optimize the generated JIT probe code to
1924            minimize the number of memory stores needed.
1925
1926         7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
1927            either lr or pc (or neither), but not both in the same probe invocation.
1928            The ARM64 probe trampoline used to have to check for this invariant in the
1929            assembly trampoline code.  With the introduction of Probe::executeProbe(),
1930            we can now do it there and simplify the trampoline.
1931
1932         8. Fix a bug in the old ARM64 probe trampoline for the case where the client
1933            changes lr.  That code path never worked before, but has now been fixed.
1934
1935         9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
1936            MacroAssemblerARMv7.
1937
1938            We can now use move() with TrustedImmPtr, and it does the same thing but in a
1939            more generic way.
1940
1941        10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
1942            the same semantics as movs (according to the Thumb spec).  This means these
1943            instructions may trash the APSR flags before we have a chance to preserve them.
1944
1945            This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
1946            early on.  This entails adding support for the mrs instruction in the
1947            ARMv7Assembler.
1948
1949        11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
1950            the easy way.
1951
1952            Also fixed testmasm tests which check flag registers to only compare the
1953            portions that are modifiable by the client i.e. some masking is applied.
1954
1955         This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.
1956
1957         * CMakeLists.txt:
1958         * JavaScriptCore.xcodeproj/project.pbxproj:
1959         * assembler/ARMv7Assembler.h:
1960         (JSC::ARMv7Assembler::mrs):
1961         * assembler/AbstractMacroAssembler.h:
1962         * assembler/MacroAssembler.cpp:
1963         (JSC::stdFunctionCallback):
1964         (JSC::MacroAssembler::probe):
1965         * assembler/MacroAssembler.h:
1966         (JSC::MacroAssembler::CPUState::gprName): Deleted.
1967         (JSC::MacroAssembler::CPUState::sprName): Deleted.
1968         (JSC::MacroAssembler::CPUState::fprName): Deleted.
1969         (JSC::MacroAssembler::CPUState::gpr): Deleted.
1970         (JSC::MacroAssembler::CPUState::spr): Deleted.
1971         (JSC::MacroAssembler::CPUState::fpr): Deleted.
1972         (JSC:: const): Deleted.
1973         (JSC::MacroAssembler::CPUState::fpr const): Deleted.
1974         (JSC::MacroAssembler::CPUState::pc): Deleted.
1975         (JSC::MacroAssembler::CPUState::fp): Deleted.
1976         (JSC::MacroAssembler::CPUState::sp): Deleted.
1977         (JSC::MacroAssembler::CPUState::pc const): Deleted.
1978         (JSC::MacroAssembler::CPUState::fp const): Deleted.
1979         (JSC::MacroAssembler::CPUState::sp const): Deleted.
1980         (JSC::Probe::State::gpr): Deleted.
1981         (JSC::Probe::State::spr): Deleted.
1982         (JSC::Probe::State::fpr): Deleted.
1983         (JSC::Probe::State::gprName): Deleted.
1984         (JSC::Probe::State::sprName): Deleted.
1985         (JSC::Probe::State::fprName): Deleted.
1986         (JSC::Probe::State::pc): Deleted.
1987         (JSC::Probe::State::fp): Deleted.
1988         (JSC::Probe::State::sp): Deleted.
1989         * assembler/MacroAssemblerARM.cpp:
1990         (JSC::MacroAssembler::probe):
1991         * assembler/MacroAssemblerARM.h:
1992         (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
1993         * assembler/MacroAssemblerARM64.cpp:
1994         (JSC::MacroAssembler::probe):
1995         (JSC::arm64ProbeError): Deleted.
1996         * assembler/MacroAssemblerARMv7.cpp:
1997         (JSC::MacroAssembler::probe):
1998         * assembler/MacroAssemblerARMv7.h:
1999         (JSC::MacroAssemblerARMv7::armV7Condition):
2000         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
2001         * assembler/MacroAssemblerPrinter.cpp:
2002         (JSC::Printer::printCallback):
2003         * assembler/MacroAssemblerPrinter.h:
2004         * assembler/MacroAssemblerX86Common.cpp:
2005         (JSC::ctiMasmProbeTrampoline):
2006         (JSC::MacroAssembler::probe):
2007         * assembler/Printer.h:
2008         (JSC::Printer::Context::Context):
2009         * assembler/ProbeContext.cpp: Added.
2010         (JSC::Probe::executeProbe):
2011         (JSC::Probe::handleProbeStackInitialization):
2012         (JSC::Probe::probeStateForContext):
2013         * assembler/ProbeContext.h: Added.
2014         (JSC::Probe::CPUState::gprName):
2015         (JSC::Probe::CPUState::sprName):
2016         (JSC::Probe::CPUState::fprName):
2017         (JSC::Probe::CPUState::gpr):
2018         (JSC::Probe::CPUState::spr):
2019         (JSC::Probe::CPUState::fpr):
2020         (JSC::Probe:: const):
2021         (JSC::Probe::CPUState::fpr const):
2022         (JSC::Probe::CPUState::pc):
2023         (JSC::Probe::CPUState::fp):
2024         (JSC::Probe::CPUState::sp):
2025         (JSC::Probe::CPUState::pc const):
2026         (JSC::Probe::CPUState::fp const):
2027         (JSC::Probe::CPUState::sp const):
2028         (JSC::Probe::Context::Context):
2029         (JSC::Probe::Context::gpr):
2030         (JSC::Probe::Context::spr):
2031         (JSC::Probe::Context::fpr):
2032         (JSC::Probe::Context::gprName):
2033         (JSC::Probe::Context::sprName):
2034         (JSC::Probe::Context::fprName):
2035         (JSC::Probe::Context::pc):
2036         (JSC::Probe::Context::fp):
2037         (JSC::Probe::Context::sp):
2038         (JSC::Probe::Context::stack):
2039         (JSC::Probe::Context::hasWritesToFlush):
2040         (JSC::Probe::Context::releaseStack):
2041         * assembler/ProbeStack.cpp: Added.
2042         (JSC::Probe::Page::Page):
2043         (JSC::Probe::Page::flushWrites):
2044         (JSC::Probe::Stack::Stack):
2045         (JSC::Probe::Stack::hasWritesToFlush):
2046         (JSC::Probe::Stack::flushWrites):
2047         (JSC::Probe::Stack::ensurePageFor):
2048         * assembler/ProbeStack.h: Added.
2049         (JSC::Probe::Page::baseAddressFor):
2050         (JSC::Probe::Page::chunkAddressFor):
2051         (JSC::Probe::Page::baseAddress):
2052         (JSC::Probe::Page::get):
2053         (JSC::Probe::Page::set):
2054         (JSC::Probe::Page::hasWritesToFlush const):
2055         (JSC::Probe::Page::flushWritesIfNeeded):
2056         (JSC::Probe::Page::dirtyBitFor):
2057         (JSC::Probe::Page::physicalAddressFor):
2058         (JSC::Probe::Stack::Stack):
2059         (JSC::Probe::Stack::lowWatermark):
2060         (JSC::Probe::Stack::get):
2061         (JSC::Probe::Stack::set):
2062         (JSC::Probe::Stack::newStackPointer const):
2063         (JSC::Probe::Stack::setNewStackPointer):
2064         (JSC::Probe::Stack::isValid):
2065         (JSC::Probe::Stack::pageFor):
2066         * assembler/testmasm.cpp:
2067         (JSC::testProbeReadsArgumentRegisters):
2068         (JSC::testProbeWritesArgumentRegisters):
2069         (JSC::testProbePreservesGPRS):
2070         (JSC::testProbeModifiesStackPointer):
2071         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2072         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2073         (JSC::testProbeModifiesProgramCounter):
2074         (JSC::testProbeModifiesStackValues):
2075         (JSC::run):
2076         (): Deleted.
2077         (JSC::fillStack): Deleted.
2078         (JSC::testProbeModifiesStackWithCallback): Deleted.
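
        Added example, not part of this ChangeLog or of WebKit's code: a compact C++ model
        of the Probe::Stack mirror-page scheme described in steps 2 through 4 above.
        Everything under the ProbeModel namespace, including the fakeStack buffer, is an
        assumption made for illustration; it follows the ChangeLog's 1K pages, per-"cache
        line" dirty bits, last-page lookaside and flush-on-return, not WebKit's actual API.

```cpp
// Added example, not WebKit code: a small model of the Probe::Stack mirror-page
// cache in steps 2-4 above. The ProbeModel names are assumptions for illustration;
// only the 1K page / per-chunk dirty bit / flush-on-return scheme follows the ChangeLog.
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>
#include <vector>

namespace ProbeModel {
constexpr size_t pageSize = 1024;                // 1K pages, as in the ChangeLog
constexpr size_t chunkSize = sizeof(uintptr_t);  // one "cache line" (dirty bit) per word
constexpr size_t chunksPerPage = pageSize / chunkSize;

// Mirror of one 1K machine-stack page plus a dirty bit per chunk.
class Page {
public:
    static uintptr_t baseAddressFor(const void* p) { return reinterpret_cast<uintptr_t>(p) & ~uintptr_t(pageSize - 1); } // step 3(a)
    explicit Page(const void* p) : m_base(baseAddressFor(p)), m_dirty(chunksPerPage, false)
    {
        memcpy(m_mirror, reinterpret_cast<const void*>(m_base), pageSize);   // step 3(c)
    }
    uintptr_t baseAddress() const { return m_base; }
    // Steps 3(f) and 3(g): reads and writes go to the mirror; a write marks its chunk dirty.
    template<typename T> T get(const void* p) { return *reinterpret_cast<T*>(mirrorAddress(p)); }
    template<typename T> void set(const void* p, T value)
    {
        *reinterpret_cast<T*>(mirrorAddress(p)) = value;
        m_dirty[(reinterpret_cast<uintptr_t>(p) - m_base) / chunkSize] = true;
    }

    // Step 4(c): write back only the dirty chunks; returns how many were flushed.
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (size_t i = 0; i < chunksPerPage; ++i) {
            if (!m_dirty[i])
                continue;
            memcpy(reinterpret_cast<void*>(m_base + i * chunkSize), m_mirror + i * chunkSize, chunkSize);
            m_dirty[i] = false;
            ++flushed;
        }
        return flushed;
    }

private:
    uint8_t* mirrorAddress(const void* p) { return m_mirror + (reinterpret_cast<uintptr_t>(p) - m_base); }
    uintptr_t m_base;
    alignas(chunkSize) uint8_t m_mirror[pageSize];
    std::vector<bool> m_dirty;
};
// Manager of mirror pages keyed on base address, with a one-entry lookaside (step 3(e)).
class Stack {
public:
    template<typename T> T get(const void* p) { return pageFor(p)->get<T>(p); }
    template<typename T> void set(const void* p, T value) { pageFor(p)->set<T>(p, value); }
    size_t pageCount() const { return m_pages.size(); }
    size_t flushWrites()   // step 4(c), over every mirrored page
    {
        size_t flushed = 0;
        for (auto& entry : m_pages)
            flushed += entry.second->flushWrites();
        return flushed;
    }

private:
    Page* pageFor(const void* p)
    {
        uintptr_t base = Page::baseAddressFor(p);
        if (m_lastPage && m_lastPage->baseAddress() == base)
            return m_lastPage;
        auto it = m_pages.find(base);                                     // step 3(b)
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(p)).first;  // steps 3(c)-(d)
        m_lastPage = it->second.get();
        return m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage { nullptr };
};

// Demo on a constructed, page-aligned buffer standing in for the machine stack.
alignas(pageSize) uint8_t fakeStack[2 * pageSize];
struct DemoResult { uintptr_t mirrorRead, stackBeforeFlush, stackAfterFlush; size_t pages, flushedChunks; };
DemoResult runDemo()
{
    memset(fakeStack, 0, sizeof fakeStack);
    uintptr_t* slotA = reinterpret_cast<uintptr_t*>(fakeStack + 16);
    uintptr_t* slotB = reinterpret_cast<uintptr_t*>(fakeStack + pageSize + 32);
    *slotA = 0x11;
    Stack stack;
    stack.set<uintptr_t>(slotA, 0xAA);   // staged in the mirror, not yet on the "stack"
    stack.set<uintptr_t>(slotB, 0xBB);   // lands in a second mirror page
    DemoResult r;
    r.mirrorRead = stack.get<uintptr_t>(slotA);   // 0xAA: reads see the staged write
    r.stackBeforeFlush = *slotA;                  // 0x11: machine stack untouched so far
    r.pages = stack.pageCount();                  // 2
    r.flushedChunks = stack.flushWrites();        // 2: one dirty chunk per page
    r.stackAfterFlush = *slotA;                   // 0xAA
    return r;
}
} // namespace ProbeModel
```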
2079
2080 2017-08-19  Andy Estes  <aestes@apple.com>
2081
2082         [Payment Request] Add interface stubs
2083         https://bugs.webkit.org/show_bug.cgi?id=175730
2084
2085         Reviewed by Youenn Fablet.
2086
2087         * runtime/CommonIdentifiers.h:
2088
2089 2017-08-18  Per Arne Vollan  <pvollan@apple.com>
2090
2091         Implement 32-bit MacroAssembler::probe support for Windows.
2092         https://bugs.webkit.org/show_bug.cgi?id=175449
2093
2094         Reviewed by Mark Lam.
2095
2096         This is needed to enable the DFG.
2097
2098         * assembler/MacroAssemblerX86Common.cpp:
2099         * assembler/testmasm.cpp:
2100         (JSC::run):
2101         (dllLauncherEntryPoint):
2102         * shell/CMakeLists.txt:
2103         * shell/PlatformWin.cmake:
2104
2105 2017-08-18  Mark Lam  <mark.lam@apple.com>
2106
2107         Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
2108         https://bugs.webkit.org/show_bug.cgi?id=175725
2109         <rdar://problem/33965477>
2110
2111         Rubber-stamped by JF Bastien.
2112
2113         This is purely a refactoring patch (in preparation for the introduction of a
2114         Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
2115         later).  This patch does not change any semantics / behavior.
2116
2117         * assembler/AbstractMacroAssembler.h:
2118         * assembler/MacroAssembler.cpp:
2119         (JSC::stdFunctionCallback):
2120         (JSC::MacroAssembler::probe):
2121         * assembler/MacroAssembler.h:
2122         (JSC::ProbeContext::gpr): Deleted.
2123         (JSC::ProbeContext::spr): Deleted.
2124         (JSC::ProbeContext::fpr): Deleted.
2125         (JSC::ProbeContext::gprName): Deleted.
2126         (JSC::ProbeContext::sprName): Deleted.
2127         (JSC::ProbeContext::fprName): Deleted.
2128         (JSC::ProbeContext::pc): Deleted.
2129         (JSC::ProbeContext::fp): Deleted.
2130         (JSC::ProbeContext::sp): Deleted.
2131         * assembler/MacroAssemblerARM.cpp:
2132         (JSC::MacroAssembler::probe):
2133         * assembler/MacroAssemblerARM.h:
2134         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2135         * assembler/MacroAssemblerARM64.cpp:
2136         (JSC::arm64ProbeError):
2137         (JSC::MacroAssembler::probe):
2138         * assembler/MacroAssemblerARMv7.cpp:
2139         (JSC::MacroAssembler::probe):
2140         * assembler/MacroAssemblerARMv7.h:
2141         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
2142         * assembler/MacroAssemblerPrinter.cpp:
2143         (JSC::Printer::printCallback):
2144         * assembler/MacroAssemblerPrinter.h:
2145         * assembler/MacroAssemblerX86Common.cpp:
2146         (JSC::MacroAssembler::probe):
2147         * assembler/Printer.h:
2148         (JSC::Printer::Context::Context):
2149         * assembler/testmasm.cpp:
2150         (JSC::testProbeReadsArgumentRegisters):
2151         (JSC::testProbeWritesArgumentRegisters):
2152         (JSC::testProbePreservesGPRS):
2153         (JSC::testProbeModifiesStackPointer):
2154         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2155         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2156         (JSC::testProbeModifiesProgramCounter):
2157         (JSC::fillStack):
2158         (JSC::testProbeModifiesStackWithCallback):
2159         (JSC::run):
2160         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.
2161
2162 2017-08-17  JF Bastien  <jfbastien@apple.com>
2163
2164         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
2165         https://bugs.webkit.org/show_bug.cgi?id=175693
2166         <rdar://problem/33952443>
2167
2168         Reviewed by Saam Barati.
2169
2170         64-bit constants in an unreachable context were being decoded as
2171         32-bit constants. This is pretty benign because unreachable code
2172         shouldn't occur often. The effect is that 64-bit constants which
2173         can't be encoded as 32-bit constants would cause the binary to be
2174         rejected.
2175
2176         At the same time, 32-bit integer constants should be decoded as signed.
2177
2178         * wasm/WasmFunctionParser.h:
2179         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
2180
2181 2017-08-17  Robin Morisset  <rmorisset@apple.com>
2182
2183         Teach DFGFixupPhase.cpp that the current scope is always a cell
2184         https://bugs.webkit.org/show_bug.cgi?id=175610
2185
2186         Reviewed by Keith Miller.
2187
2188         Also teach it that the argument to with can usually be speculated to be an object,
2189         since toObject() is called on it.
2190
2191         * dfg/DFGFixupPhase.cpp:
2192         (JSC::DFG::FixupPhase::fixupNode):
2193         * dfg/DFGSpeculativeJIT.cpp:
2194         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2195         * dfg/DFGSpeculativeJIT.h:
2196         (JSC::DFG::SpeculativeJIT::callOperation):
2197         * ftl/FTLLowerDFGToB3.cpp:
2198         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2199         * jit/JITOperations.cpp:
2200         * jit/JITOperations.h:
2201
2202 2017-08-17  Matt Baker  <mattbaker@apple.com>
2203
2204         Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
2205         https://bugs.webkit.org/show_bug.cgi?id=175644
2206
2207         Reviewed by Brian Burg.
2208
2209         * inspector/agents/InspectorScriptProfilerAgent.h:
2210
2211 2017-08-17  Mark Lam  <mark.lam@apple.com>
2212
2213         Only use 16 VFP registers if !CPU(ARM_NEON).
2214         https://bugs.webkit.org/show_bug.cgi?id=175514
2215
2216         Reviewed by JF Bastien.
2217
2218         Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
2219         says that there are only 16 128-bit NEON registers.  This change is merely to
2220         correct the code documentation of these registers.  The FPQuadRegisterID enums are
2221         currently unused.
2222
2223         * assembler/ARMAssembler.h:
2224         (JSC::ARMAssembler::lastFPRegister):
2225         (JSC::ARMAssembler::fprName):
2226         * assembler/ARMv7Assembler.h:
2227         (JSC::ARMv7Assembler::lastFPRegister):
2228         (JSC::ARMv7Assembler::fprName):
2229         * assembler/MacroAssemblerARM.cpp:
2230         * assembler/MacroAssemblerARMv7.cpp:
2231
2232 2017-08-17  Andreas Kling  <akling@apple.com>
2233
2234         Disable CSS regions at compile time
2235         https://bugs.webkit.org/show_bug.cgi?id=175630
2236
2237         Reviewed by Antti Koivisto.
2238
2239         * Configurations/FeatureDefines.xcconfig:
2240
2241 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
2242
2243         [WPE][GTK] Ensure proper casting of data in gvariants
2244         https://bugs.webkit.org/show_bug.cgi?id=175667
2245
2246         Reviewed by Michael Catanzaro.
2247
2248         g_variant_new requires data to have the correct width for their types, using
2249         casting if necessary. Some data of type `unsigned` were being saved to `guint64`
2250         types without explicit casting, leading to undefined behavior on some platforms.
2251
2252         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2253         (Inspector::RemoteInspector::listingForInspectionTarget const):
2254         (Inspector::RemoteInspector::listingForAutomationTarget const):
2255         (Inspector::RemoteInspector::sendMessageToRemote):
2256
2257 2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2258
2259         [JSC] Avoid code bloating for iteration if block does not have "break"
2260         https://bugs.webkit.org/show_bug.cgi?id=173228
2261
2262         Reviewed by Keith Miller.
2263
2264         Currently, we always emit code for the break path when emitting for-of iteration.
2265         But we can know whether this break path can be used when emitting the bytecode.
2266
2267         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
2268         the break label may be bound. We emit a break path only when it returns
2269         true. This reduces bytecode bloating when using for-of iteration.
2270
2271         * bytecompiler/BytecodeGenerator.cpp:
2272         (JSC::Label::setLocation):
2273         (JSC::BytecodeGenerator::newLabel):
2274         (JSC::BytecodeGenerator::emitLabel):
2275         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2276         (JSC::BytecodeGenerator::breakTarget):
2277         (JSC::BytecodeGenerator::continueTarget):
2278         (JSC::BytecodeGenerator::emitEnumeration):
2279         * bytecompiler/BytecodeGenerator.h:
2280         * bytecompiler/Label.h:
2281         (JSC::Label::bind const):
2282         (JSC::Label::hasOneRef const):
2283         (JSC::Label::isBound const):
2284         (JSC::Label::Label): Deleted.
2285         * bytecompiler/LabelScope.h:
2286         (JSC::LabelScope::hasOneRef const):
2287         (JSC::LabelScope::breakTargetMayBeBound const):
2288         * bytecompiler/NodesCodegen.cpp:
2289         (JSC::ContinueNode::trivialTarget):
2290         (JSC::ContinueNode::emitBytecode):
2291         (JSC::BreakNode::trivialTarget):
2292         (JSC::BreakNode::emitBytecode):
2293
2294 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
2295
2296         ARM build fix after r220807 and r220834.
2297         https://bugs.webkit.org/show_bug.cgi?id=175617
2298
2299         Unreviewed typo fix.
2300
2301         * assembler/MacroAssemblerARM.cpp:
2302
2303 2017-08-17  Mark Lam  <mark.lam@apple.com>
2304
2305         Gardening: build fix for ARM_TRADITIONAL after r220807.
2306         https://bugs.webkit.org/show_bug.cgi?id=175617
2307
2308         Not reviewed.
2309
2310         * assembler/MacroAssemblerARM.cpp:
2311
2312 2017-08-16  Mark Lam  <mark.lam@apple.com>
2313
2314         Add back the ability to disable MASM_PROBE from the build.
2315         https://bugs.webkit.org/show_bug.cgi?id=175656
2316         <rdar://problem/33933720>
2317
2318         Reviewed by Yusuke Suzuki.
2319
2320         This is needed for ports that the existing MASM_PROBE implementation doesn't work
2321         well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
2322         default if !ENABLE(MASM_PROBE).
2323
2324         * assembler/AbstractMacroAssembler.h:
2325         * assembler/MacroAssembler.cpp:
2326         * assembler/MacroAssembler.h:
2327         * assembler/MacroAssemblerARM.cpp:
2328         * assembler/MacroAssemblerARM64.cpp:
2329         * assembler/MacroAssemblerARMv7.cpp:
2330         * assembler/MacroAssemblerPrinter.cpp:
2331         * assembler/MacroAssemblerPrinter.h:
2332         * assembler/MacroAssemblerX86Common.cpp:
2333         * assembler/testmasm.cpp:
2334         (JSC::run):
2335         * b3/B3LowerToAir.cpp:
2336         * b3/air/AirPrintSpecial.cpp:
2337         * b3/air/AirPrintSpecial.h:
2338
2339 2017-08-16  Dan Bernstein  <mitz@apple.com>
2340
2341         [Cocoa] Older-iOS install name symbols are being exported on other platforms
2342         https://bugs.webkit.org/show_bug.cgi?id=175654
2343
2344         Reviewed by Tim Horton.
2345
2346         * API/JSBase.cpp: Define the symbols only when targeting iOS.
2347
2348 2017-08-16  Matt Baker  <mattbaker@apple.com>
2349
2350         Web Inspector: capture async stack trace when workers/main context posts a message
2351         https://bugs.webkit.org/show_bug.cgi?id=167084
2352         <rdar://problem/30033673>
2353
2354         Reviewed by Brian Burg.
2355
2356         * inspector/agents/InspectorDebuggerAgent.h:
2357         Add `PostMessage` async call type.
2358
2359 2017-08-16  Mark Lam  <mark.lam@apple.com>
2360
2361         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
2362         https://bugs.webkit.org/show_bug.cgi?id=175617
2363         <rdar://problem/33912104>
2364
2365         Reviewed by JF Bastien.
2366
2367         This patch adds a new feature to MacroAssembler::probe() where the probe function
2368         can provide a ProbeFunction callback to fill in stack values after the stack
2369         pointer has been adjusted.  The probe function can use this feature as follows:
2370
2371         1. Set the new sp value in the ProbeContext's CPUState.
2372
2373         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
2374            which will do the work of filling in the stack values after the probe
2375            trampoline has adjusted the machine stack pointer.
2376
2377         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
2378            to pass to the initializeStackFunction callback.
2379
2380         4. Return from the probe function.
2381
2382         Upon returning from the probe function, the probe trampoline will adjust the
2383         stack pointer based on the sp value in CPUState.  If initializeStackFunction
2384         is not set, the probe trampoline will restore registers and return to its caller.
2385
2386         If initializeStackFunction is set, the trampoline will move the ProbeContext
2387         beyond the range of the stack pointer i.e. it will place the new ProbeContext at
2388         an address lower than where CPUState.sp() points.  This ensures that the
2389         ProbeContext will not be trashed by the initializeStackFunction when it writes to
2390         the stack.  Then, the trampoline will call back to the initializeStackFunction
2391         ProbeFunction to let it fill in the stack values as desired.  The
2392         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
2393         the new location.
2394
2395         initializeStackFunction may now write to the stack at addresses greater or
2396         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
2397         not allowed to change CPUState.sp().  If the initializeStackFunction does not
2398         abide by these rules, then behavior is undefined, and bad things may happen.
2399
2400         For future reference, some implementation details that this patch needed to
2401         be mindful of:
2402
2403         1. When the probe trampoline allocates stack space for the ProbeContext, it
2404            should include OUT_SIZE as well.  This ensures that it doesn't have to move
2405            the ProbeContext on exit if the probe function didn't change the sp.
2406
2407         2. If the trampoline has to move the ProbeContext, it needs to point the machine
2408            sp to new ProbeContext first before copying over the ProbeContext data.  This
2409            protects the new ProbeContext from possibly being trashed by interrupts.
2410
2411         3. When computing the new address of ProbeContext to move to, we need to make
2412            sure that it is properly aligned in accordance with stack ABI requirements
2413            (just like we did when we allocated the ProbeContext on entry to the
2414            probe trampoline).
2415
2416         4. When copying the ProbeContext to its new location, the trampoline should
2417            always copy words from low addresses to high addresses.  This is because if
2418            we're moving the ProbeContext, we'll always be moving it to a lower address.
2419
2420         * assembler/MacroAssembler.h:
2421         * assembler/MacroAssemblerARM.cpp:
2422         * assembler/MacroAssemblerARM64.cpp:
2423         * assembler/MacroAssemblerARMv7.cpp:
2424         * assembler/MacroAssemblerX86Common.cpp:
2425         * assembler/testmasm.cpp:
2426         (JSC::testProbePreservesGPRS):
2427         (JSC::testProbeModifiesStackPointer):
2428         (JSC::fillStack):
2429         (JSC::testProbeModifiesStackWithCallback):
2430         (JSC::run):
2431
2432 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
2433
2434         Fix JSCOnly ARM buildbots after r220047 and r220184
2435         https://bugs.webkit.org/show_bug.cgi?id=174993
2436
2437         Reviewed by Carlos Alberto Lopez Perez.
2438
2439         * CMakeLists.txt: Generate only one backend on Linux to save build time.
2440
2441 2017-08-16  Andy Estes  <aestes@apple.com>
2442
2443         [Payment Request] Add an ENABLE flag and an experimental feature preference
2444         https://bugs.webkit.org/show_bug.cgi?id=175622
2445
2446         Reviewed by Tim Horton.
2447
2448         * Configurations/FeatureDefines.xcconfig:
2449
2450 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2451
2452         We are too conservative about the effects of PushWithScope
2453         https://bugs.webkit.org/show_bug.cgi?id=175584
2454
2455         Reviewed by Saam Barati.
2456
2457         PushWithScope converts its argument to an object (this can throw a type error,
2458         but has no other observable effect), and allocates a new scope that it then
2459         makes the new current scope. We were a bit too conservative in saying that it
2460         clobbers the world.
2461
2462         * dfg/DFGAbstractInterpreterInlines.h:
2463         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2464         * dfg/DFGClobberize.h:
2465         (JSC::DFG::clobberize):
2466         * dfg/DFGDoesGC.cpp:
2467         (JSC::DFG::doesGC):
2468
2469 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
2470
2471         Make DataTransferItemList work with plain text entries
2472         https://bugs.webkit.org/show_bug.cgi?id=175596
2473
2474         Reviewed by Wenson Hsieh.
2475
2476         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
2477
2478         * runtime/CommonIdentifiers.h:
2479
2480 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2481
2482         Support the 'with' keyword in FTL
2483         https://bugs.webkit.org/show_bug.cgi?id=175585
2484
2485         Reviewed by Saam Barati.
2486
2487         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
2488         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
2489         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
2490         that takes its parentScope argument first.
2491
2492         * bytecompiler/BytecodeGenerator.cpp:
2493         (JSC::BytecodeGenerator::emitPushWithScope):
2494         * debugger/DebuggerCallFrame.cpp:
2495         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
2496         * dfg/DFGByteCodeParser.cpp:
2497         (JSC::DFG::ByteCodeParser::parseBlock):
2498         * dfg/DFGFixupPhase.cpp:
2499         (JSC::DFG::FixupPhase::fixupNode):
2500         * dfg/DFGSpeculativeJIT.cpp:
2501         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2502         * ftl/FTLCapabilities.cpp:
2503         (JSC::FTL::canCompile):
2504         * ftl/FTLLowerDFGToB3.cpp:
2505         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2506         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2507         * jit/JITOperations.cpp:
2508         * runtime/CommonSlowPaths.cpp:
2509         (JSC::SLOW_PATH_DECL):
2510         * runtime/Completion.cpp:
2511         (JSC::evaluateWithScopeExtension):
2512         * runtime/JSWithScope.cpp:
2513         (JSC::JSWithScope::create):
2514         * runtime/JSWithScope.h:
2515
2516 2017-08-15  Saam Barati  <sbarati@apple.com>
2517
2518         Make VM::scratchBufferForSize thread safe
2519         https://bugs.webkit.org/show_bug.cgi?id=175604
2520
2521         Reviewed by Geoffrey Garen and Mark Lam.
2522
2523         I want to use the VM::scratchBufferForSize in another patch I'm writing.
2524         The use case for my other patch is to call it from the compiler thread.
2525         When reading the code, I saw that this API was not thread safe. This patch
2526         makes it thread safe. It actually turns out we were calling this API from
2527         the compiler thread already when we created FTL::State for an FTL OSR entry
2528         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
2529         is now correct with this patch.
2530
2531         * runtime/VM.cpp:
2532         (JSC::VM::VM):
2533         (JSC::VM::~VM):
2534         (JSC::VM::gatherConservativeRoots):
2535         (JSC::VM::scratchBufferForSize):
2536         * runtime/VM.h:
2537         (JSC::VM::scratchBufferForSize): Deleted.
2538
2539 2017-08-15  Keith Miller  <keith_miller@apple.com>
2540
2541         JSC named bytecode offsets should use references rather than pointers
2542         https://bugs.webkit.org/show_bug.cgi?id=175601
2543
2544         Reviewed by Saam Barati.
2545
2546         * dfg/DFGByteCodeParser.cpp:
2547         (JSC::DFG::ByteCodeParser::parseBlock):
2548         * jit/JITOpcodes.cpp:
2549         (JSC::JIT::emit_op_overrides_has_instance):
2550         (JSC::JIT::emit_op_instanceof):
2551         (JSC::JIT::emitSlow_op_instanceof):
2552         (JSC::JIT::emitSlow_op_instanceof_custom):
2553         * jit/JITOpcodes32_64.cpp:
2554         (JSC::JIT::emit_op_overrides_has_instance):
2555         (JSC::JIT::emit_op_instanceof):
2556         (JSC::JIT::emitSlow_op_instanceof):
2557         (JSC::JIT::emitSlow_op_instanceof_custom):
2558
2559 2017-08-15  Keith Miller  <keith_miller@apple.com>
2560
2561         Enable named offsets into JSC bytecodes
2562         https://bugs.webkit.org/show_bug.cgi?id=175561
2563
2564         Reviewed by Mark Lam.
2565
2566         This patch adds the ability to add named offsets into JSC's
2567         bytecodes.  In the bytecode json file, instead of listing a
2568         length, you can now list a set of names and their types. Each
2569         opcode with an offsets property will have a struct named after the
2570         opcode in our C++ naming style. For example,
2571         op_overrides_has_instance would become OpOverridesHasInstance. The
2572         struct has the same memory layout as the instruction list but
2573         comes with handy named accessors.
2574
2575         As a first cut I converted the various instanceof bytecodes to use
2576         named offsets.
2577
2578         As an example op_overrides_has_instance produces the following struct:
2579
2580         struct OpOverridesHasInstance {
2581         public:
2582             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
2583             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
2584             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
2585             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
2586             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
2587             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
2588             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
2589             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
2590
2591         private:
2592             friend class LLIntOffsetsExtractor;
2593             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
2594             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
2595             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
2596             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
2597         };
2598
2599         * CMakeLists.txt:
2600         * DerivedSources.make:
2601         * JavaScriptCore.xcodeproj/project.pbxproj:
2602         * bytecode/BytecodeList.json:
2603         * dfg/DFGByteCodeParser.cpp:
2604         (JSC::DFG::ByteCodeParser::parseBlock):
2605         * generate-bytecode-files:
2606         * jit/JITOpcodes.cpp:
2607         (JSC::JIT::emit_op_overrides_has_instance):
2608         (JSC::JIT::emit_op_instanceof):
2609         (JSC::JIT::emitSlow_op_instanceof):
2610         (JSC::JIT::emitSlow_op_instanceof_custom):
2611         * jit/JITOpcodes32_64.cpp:
2612         (JSC::JIT::emit_op_overrides_has_instance):
2613         (JSC::JIT::emit_op_instanceof):
2614         (JSC::JIT::emitSlow_op_instanceof):
2615         (JSC::JIT::emitSlow_op_instanceof_custom):
2616         * llint/LLIntOffsetsExtractor.cpp:
2617         * llint/LowLevelInterpreter.asm:
2618         * llint/LowLevelInterpreter32_64.asm:
2619         * llint/LowLevelInterpreter64.asm:
2620
2621 2017-08-15  Mark Lam  <mark.lam@apple.com>
2622
2623         Update testmasm to use new CPUState APIs.
2624         https://bugs.webkit.org/show_bug.cgi?id=175573
2625
2626         Reviewed by Keith Miller.
2627
2628         1. Applied convenience CPUState accessors to minimize casting.
2629         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
2630            messages.
2631         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
2632            casting is (mostly) no longer an issue.
2633         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
2634            to make it clear that we're comparing against the bit values of testWord64(id).
2635         5. Added a "Completed N tests" message at the end of running all tests.
2636            This makes it easy to tell at a glance that testmasm completed successfully
2637            versus when it crashed midway in a test.  The number of tests also serves as
2638            a quick checksum to confirm that we ran the number of tests we expected.
2639
2640         * assembler/testmasm.cpp:
2641         (WTF::printInternal):
2642         (JSC::testSimple):
2643         (JSC::testProbeReadsArgumentRegisters):
2644         (JSC::testProbeWritesArgumentRegisters):
2645         (JSC::testProbePreservesGPRS):
2646         (JSC::testProbeModifiesStackPointer):
2647         (JSC::testProbeModifiesProgramCounter):
2648         (JSC::run):
2649
2650 2017-08-14  Keith Miller  <keith_miller@apple.com>
2651
2652         Add testing tool to lie to the DFG about profiles
2653         https://bugs.webkit.org/show_bug.cgi?id=175487
2654
2655         Reviewed by Saam Barati.
2656
2657         This patch adds a new bytecode identity_with_profile that lets
2658         us lie to the DFG about what profiles it has seen as the input to
2659         another bytecode. Previously, there was no reliable way to force
2660         a given profile when we tiered up.
2661
2662         * bytecode/BytecodeDumper.cpp:
2663         (JSC::BytecodeDumper<Block>::dumpBytecode):
2664         * bytecode/BytecodeIntrinsicRegistry.h:
2665         * bytecode/BytecodeList.json:
2666         * bytecode/BytecodeUseDef.h:
2667         (JSC::computeUsesForBytecodeOffset):
2668         (JSC::computeDefsForBytecodeOffset):
2669         * bytecode/SpeculatedType.cpp:
2670         (JSC::speculationFromString):
2671         * bytecode/SpeculatedType.h:
2672         * bytecompiler/BytecodeGenerator.cpp:
2673         (JSC::BytecodeGenerator::emitIdWithProfile):
2674         * bytecompiler/BytecodeGenerator.h:
2675         * bytecompiler/NodesCodegen.cpp:
2676         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
2677         * dfg/DFGAbstractInterpreterInlines.h:
2678         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2679         * dfg/DFGByteCodeParser.cpp:
2680         (JSC::DFG::ByteCodeParser::parseBlock):
2681         * dfg/DFGCapabilities.cpp:
2682         (JSC::DFG::capabilityLevel):
2683         * dfg/DFGClobberize.h:
2684         (JSC::DFG::clobberize):
2685         * dfg/DFGDoesGC.cpp:
2686         (JSC::DFG::doesGC):
2687         * dfg/DFGFixupPhase.cpp:
2688         (JSC::DFG::FixupPhase::fixupNode):
2689         * dfg/DFGMayExit.cpp:
2690         * dfg/DFGNode.h:
2691         (JSC::DFG::Node::getForcedPrediction):
2692         * dfg/DFGNodeType.h:
2693         * dfg/DFGPredictionPropagationPhase.cpp:
2694         * dfg/DFGSafeToExecute.h:
2695         (JSC::DFG::safeToExecute):
2696         * dfg/DFGSpeculativeJIT32_64.cpp:
2697         (JSC::DFG::SpeculativeJIT::compile):
2698         * dfg/DFGSpeculativeJIT64.cpp:
2699         (JSC::DFG::SpeculativeJIT::compile):
2700         * dfg/DFGValidate.cpp:
2701         * jit/JIT.cpp:
2702         (JSC::JIT::privateCompileMainPass):
2703         * jit/JIT.h:
2704         * jit/JITOpcodes.cpp:
2705         (JSC::JIT::emit_op_identity_with_profile):
2706         * jit/JITOpcodes32_64.cpp:
2707         (JSC::JIT::emit_op_identity_with_profile):
2708         * llint/LowLevelInterpreter.asm:
2709
2710 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2711
2712         Remove Proximity Events and related code
2713         https://bugs.webkit.org/show_bug.cgi?id=175545
2714
2715         Reviewed by Daniel Bates.
2716
2717         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
2718         and other related code.
2719
2720         * Configurations/FeatureDefines.xcconfig:
2721
2722 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2723
2724         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
2725         https://bugs.webkit.org/show_bug.cgi?id=175504
2726
2727         Reviewed by Sam Weinig.
2728
2729         * Configurations/FeatureDefines.xcconfig:
2730
2731 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
2732
2733         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
2734         https://bugs.webkit.org/show_bug.cgi?id=175557
2735
2736         Reviewed by Jon Lee.
2737
2738         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
2739
2740         * Configurations/FeatureDefines.xcconfig:
2741
2742 2017-08-14  Robin Morisset  <rmorisset@apple.com>
2743
2744         Support the 'with' keyword in DFG
2745         https://bugs.webkit.org/show_bug.cgi?id=175470
2746
2747         Reviewed by Saam Barati.
2748
2749         Not particularly optimized at the moment, the goal is just to avoid
2750         the DFG bailing out of any function with this keyword.
2751
2752         * dfg/DFGAbstractInterpreterInlines.h:
2753         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2754         * dfg/DFGByteCodeParser.cpp:
2755         (JSC::DFG::ByteCodeParser::parseBlock):
2756         * dfg/DFGCapabilities.cpp:
2757         (JSC::DFG::capabilityLevel):
2758         * dfg/DFGClobberize.h:
2759         (JSC::DFG::clobberize):
2760         * dfg/DFGDoesGC.cpp:
2761         (JSC::DFG::doesGC):
2762         * dfg/DFGFixupPhase.cpp:
2763         (JSC::DFG::FixupPhase::fixupNode):
2764         * dfg/DFGNodeType.h:
2765         * dfg/DFGPredictionPropagationPhase.cpp:
2766         * dfg/DFGSafeToExecute.h:
2767         (JSC::DFG::safeToExecute):
2768         * dfg/DFGSpeculativeJIT.cpp:
2769         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2770         * dfg/DFGSpeculativeJIT.h:
2771         (JSC::DFG::SpeculativeJIT::callOperation):
2772         * dfg/DFGSpeculativeJIT32_64.cpp:
2773         (JSC::DFG::SpeculativeJIT::compile):
2774         * dfg/DFGSpeculativeJIT64.cpp:
2775         (JSC::DFG::SpeculativeJIT::compile):
2776         * jit/JITOperations.cpp:
2777         * jit/JITOperations.h:
2778
2779 2017-08-14  Mark Lam  <mark.lam@apple.com>
2780
2781         Add some convenience utility accessor methods to MacroAssembler::CPUState.
2782         https://bugs.webkit.org/show_bug.cgi?id=175549
2783         <rdar://problem/33884868>
2784
2785         Reviewed by Saam Barati.
2786
2787         Previously, in order to read ProbeContext CPUState registers, we used to need to
2788         do it this way:
2789
2790             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
2791             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
2792             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
2793             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
2794
2795         With this patch, we can now read them this way instead:
2796         
2797             ExecState* exec = cpu.fp<ExecState*>();
2798             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
2799             void* p = cpu.gpr<void*>(GPRInfo::regT1);
2800             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
2801
2802         * assembler/MacroAssembler.h:
2803         (JSC:: const):
2804         (JSC::MacroAssembler::CPUState::fpr const):
2805         (JSC::MacroAssembler::CPUState::pc const):
2806         (JSC::MacroAssembler::CPUState::fp const):
2807         (JSC::MacroAssembler::CPUState::sp const):
2808         (JSC::ProbeContext::pc):
2809         (JSC::ProbeContext::fp):
2810         (JSC::ProbeContext::sp):
2811
2812 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
2813
2814         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
2815         https://bugs.webkit.org/show_bug.cgi?id=174921
2816
2817         Reviewed by Mark Lam.
2818         
2819         Uses CagedUniquePtr<> to cage the ScopeOffset array.
2820
2821         * dfg/DFGSpeculativeJIT.cpp:
2822         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2823         * ftl/FTLLowerDFGToB3.cpp:
2824         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2825         * jit/JITPropertyAccess.cpp:
2826         (JSC::JIT::emitScopedArgumentsGetByVal):
2827         * runtime/ScopedArgumentsTable.cpp:
2828         (JSC::ScopedArgumentsTable::create):
2829         (JSC::ScopedArgumentsTable::setLength):
2830         * runtime/ScopedArgumentsTable.h:
2831
2832 2017-08-14  Mark Lam  <mark.lam@apple.com>
2833
2834         Gardening: fix Windows build.
2835         https://bugs.webkit.org/show_bug.cgi?id=175446
2836
2837         Not reviewed.
2838
2839         * assembler/MacroAssemblerX86Common.cpp:
2840         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
2841         (JSC::ctiMasmProbeTrampoline):
2842
2843 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
2844
2845         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
2846         https://bugs.webkit.org/show_bug.cgi?id=175512
2847         <rdar://problem/33863584>
2848
2849         Reviewed by Mark Lam.
2850
2851         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
2852         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
2853
2854 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
2855
2856         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
2857         https://bugs.webkit.org/show_bug.cgi?id=175513
2858
2859         Reviewed by Mark Lam.
2860
2861         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
2862
2863 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
2864
2865         FTL's compileGetTypedArrayByteOffset needs to do caging
2866         https://bugs.webkit.org/show_bug.cgi?id=175366
2867
2868         Reviewed by Saam Barati.
2869         
2870         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
2871         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
2872
2873         * dfg/DFGSpeculativeJIT.cpp:
2874         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
2875         * ftl/FTLLowerDFGToB3.cpp:
2876         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
2877         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
2878         * runtime/ArrayBuffer.h:
2879         * runtime/ArrayBufferView.h:
2880         * runtime/JSArrayBufferView.h:
2881
2882 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
2883
2884         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
2885         https://bugs.webkit.org/show_bug.cgi?id=175474
2886         <rdar://problem/33844628>
2887
2888         Reviewed by Wenson Hsieh.
2889
2890         * Configurations/FeatureDefines.xcconfig:
2891         * runtime/CommonIdentifiers.h:
2892
2893 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2894
2895         Caging shouldn't have to use a patchpoint for adding
2896         https://bugs.webkit.org/show_bug.cgi?id=175483
2897
2898         Reviewed by Mark Lam.
2899
2900         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
2901         constants and associative operations dictate that you always want to sink constants. For example,
2902         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
2903         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
2904         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
2905         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
2906         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
2907         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
2908         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
2909         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
2910         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
2911         hacks for just stopping B3's reassociation only in this specific case.
2912         
2913         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
2914         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
2915         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
2916         that if we cage the same pointer in two places, both places will compute the same value.
2917         
2918         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
2919         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
2920         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
2921         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
2922         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
2923         enough scale to warrant new opcodes.)
2924         
2925         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
2926         makes the code a bit less ugly.
2927
2928         * b3/B3LowerToAir.cpp:
2929         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
2930         (JSC::B3::Air::LowerToAir::lower):
2931         * b3/B3Opcode.cpp:
2932         (WTF::printInternal):
2933         * b3/B3Opcode.h:
2934         * b3/B3ReduceStrength.cpp:
2935         * b3/B3Validate.cpp:
2936         * b3/B3Value.cpp:
2937         (JSC::B3::Value::effects const):
2938         (JSC::B3::Value::key const):
2939         (JSC::B3::Value::isFree const):
2940         (JSC::B3::Value::typeFor):
2941         * b3/B3Value.h:
2942         * b3/B3ValueKey.cpp:
2943         (JSC::B3::ValueKey::materialize const):
2944         * ftl/FTLLowerDFGToB3.cpp:
2945         (JSC::FTL::DFG::LowerDFGToB3::caged):
2946         * ftl/FTLOutput.cpp:
2947         (JSC::FTL::Output::opaque):
2948         * ftl/FTLOutput.h:
2949
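        The caging operation the entry above reasons about, as an added illustration that is not
        JavaScriptCore's own code (the real Gigacage helper, its region sizes and its mask values
        differ): a cage is a power-of-two region aligned to its own size, and caging a pointer
        computes base + (ptr & mask), where the add of the shared base is the large constant the
        entry wants hoisted rather than reassociated. A pointer that already lies inside the region
        maps to itself; a corrupted one is folded back inside instead of reaching memory outside the
        cage, and a null must stay null (the entry's cagedMayBeNull case). The mask step before the
        add, and the names Cage, makeCage, cage, cageMayBeNull and isInside, are assumptions of this
        example; the in-cage buffer and the "corrupted" pointer are constructed inputs.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <iostream>

// Assumed cage layout for this example: one power-of-two region aligned to its
// own size, so that (base & mask) == 0. The sizes here are small only so the
// demo runs inside an ordinary process.
struct Cage {
    uintptr_t base;  // aligned start of the region
    uintptr_t mask;  // size - 1: selects the in-cage offset bits of a pointer
    void* raw;       // underlying allocation, kept so it can be freed
};

Cage makeCage(size_t size) {
    // Over-allocate and round up so base is aligned to size; this avoids the
    // platform-specific constraints of aligned_alloc.
    void* raw = std::malloc(2 * size);
    uintptr_t r = reinterpret_cast<uintptr_t>(raw);
    uintptr_t base = (r + size - 1) & ~static_cast<uintptr_t>(size - 1);
    return Cage{ base, size - 1, raw };
}

void destroyCage(Cage& c) {
    std::free(c.raw);
    c.raw = nullptr;
}

// The caging operation: base + (ptr & mask). For a pointer already inside the
// cage, (ptr & mask) is exactly its offset, so the result is the same pointer.
// Any other value is reduced to an offset and re-based inside the region, so a
// corrupted pointer can no longer address memory outside the cage.
inline void* cage(const Cage& c, void* ptr) {
    uintptr_t p = reinterpret_cast<uintptr_t>(ptr);
    return reinterpret_cast<void*>(c.base + (p & c.mask));
}

// Fields that may legitimately be null must not be turned into a valid in-cage
// pointer by the add, so null is passed through unchanged.
inline void* cageMayBeNull(const Cage& c, void* ptr) {
    return ptr ? cage(c, ptr) : nullptr;
}

bool isInside(const Cage& c, const void* ptr) {
    uintptr_t p = reinterpret_cast<uintptr_t>(ptr);
    return p >= c.base && p <= c.base + c.mask;
}

int main() {
    Cage c = makeCage(static_cast<size_t>(1u) << 20);

    // A legitimate buffer living inside the cage (constructed input).
    char* buf = reinterpret_cast<char*>(c.base) + 4096;
    std::memset(buf, 'A', 16);

    // Constructed corruption: the storage pointer now points at a stack buffer
    // outside the cage.
    char secret[32] = "outside the cage";
    char* corrupted = secret;

    std::cout << "in-cage pointer unchanged: " << (cage(c, buf) == buf) << "\n";
    std::cout << "corrupted pointer forced inside: "
              << isInside(c, cage(c, corrupted)) << "\n";
    std::cout << "caged pointer no longer aliases secret: "
              << (cage(c, corrupted) != static_cast<void*>(secret)) << "\n";
    std::cout << "null stays null: " << (cageMayBeNull(c, nullptr) == nullptr) << "\n";

    destroyCage(c);
    return 0;
}
```

        Caging only bounds where a load or store can land; it does not detect that the pointer was
        corrupted, which is why the entries on this page add cage() calls on every path that indexes
        into caged storage (ICs, DFG, FTL) rather than on one of them.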
2950 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2951
2952         ScopedArguments overflow storage needs to be in the JSValue gigacage
2953         https://bugs.webkit.org/show_bug.cgi?id=174923
2954
2955         Reviewed by Saam Barati.
2956         
2957         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
2958         object into the JSValue gigacage.
2959
2960         * dfg/DFGSpeculativeJIT.cpp:
2961         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2962         * ftl/FTLLowerDFGToB3.cpp:
2963         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2964         * jit/JITPropertyAccess.cpp:
2965         (JSC::JIT::emitScopedArgumentsGetByVal):
2966         * runtime/ScopedArguments.h:
2967         (JSC::ScopedArguments::subspaceFor):
2968         (JSC::ScopedArguments::overflowStorage const):
2969
2970 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2971
2972         JSLexicalEnvironment needs to be in the JSValue gigacage
2973         https://bugs.webkit.org/show_bug.cgi?id=174922
2974
2975         Reviewed by Michael Saboff.
2976         
2977         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
2978         the only random accesses use pointer caging.
2979         
2980         We don't need to do anything to normal lexical environment accesses.
2981
2982         * dfg/DFGSpeculativeJIT.cpp:
2983         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
2984         * ftl/FTLLowerDFGToB3.cpp:
2985         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2986         * runtime/JSEnvironmentRecord.h:
2987         (JSC::JSEnvironmentRecord::subspaceFor):
2988         (JSC::JSEnvironmentRecord::variables):
2989
2990 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
2991
2992         DirectArguments should be in the JSValue gigacage
2993         https://bugs.webkit.org/show_bug.cgi?id=174920
2994
2995         Reviewed by Michael Saboff.
2996         
2997         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
2998         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
2999         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
3000         required to use fixed offsets, and you can only store JSValues.
3001
3002         * dfg/DFGSpeculativeJIT.cpp:
3003         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3004         * ftl/FTLLowerDFGToB3.cpp:
3005         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3006         * jit/JITPropertyAccess.cpp:
3007         (JSC::JIT::emitDirectArgumentsGetByVal):
3008         * runtime/DirectArguments.h:
3009         (JSC::DirectArguments::subspaceFor):
3010         (JSC::DirectArguments::storage):
3011         * runtime/VM.cpp:
3012         (JSC::VM::VM):
3013         * runtime/VM.h:
3014
3015 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3016
3017         Unreviewed, add a FIXME.
3018
3019         * ftl/FTLLowerDFGToB3.cpp:
3020         (JSC::FTL::DFG::LowerDFGToB3::caged):
3021
3022 2017-08-10  Sam Weinig  <sam@webkit.org>
3023
3024         WTF::Function does not allow for reference / non-default constructible return types
3025         https://bugs.webkit.org/show_bug.cgi?id=175244
3026
3027         Reviewed by Chris Dumez.
3028
3029         * runtime/ArrayBuffer.cpp:
3030         (JSC::ArrayBufferContents::transferTo):
3031         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3032         destroy call needed to be a no-op anyway, since the data is being moved.
3033
3034 2017-08-11  Mark Lam  <mark.lam@apple.com>
3035
3036         Gardening: fix CLoop build.
3037         https://bugs.webkit.org/show_bug.cgi?id=175446
3038         <rdar://problem/33836545>
3039
3040         Not reviewed.
3041
3042         * assembler/MacroAssemblerPrinter.cpp:
3043
3044 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3045
3046         DFG should do caging
3047         https://bugs.webkit.org/show_bug.cgi?id=174918
3048
3049         Reviewed by Saam Barati.
3050         
3051         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
3052         the conditional caging with a watchpoint.
3053         
3054         This might be a 1% SunSpider slow-down, but it's not clear.
3055
3056         * dfg/DFGSpeculativeJIT.cpp:
3057         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3058         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3059         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3060         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3061         (JSC::DFG::SpeculativeJIT::compileSpread):
3062         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3063         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3064         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3065         * dfg/DFGSpeculativeJIT.h:
3066         * dfg/DFGSpeculativeJIT64.cpp:
3067         (JSC::DFG::SpeculativeJIT::compile):
3068
3069 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3070
3071         Unreviewed, build fix for x86 GTK port
3072         https://bugs.webkit.org/show_bug.cgi?id=175446
3073
3074         Use pushfl/popfl instead of pushfd/popfd.
3075
3076         * assembler/MacroAssemblerX86Common.cpp:
3077
3078 2017-08-10  Mark Lam  <mark.lam@apple.com>
3079
3080         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
3081         https://bugs.webkit.org/show_bug.cgi?id=175446
3082         <rdar://problem/33836545>
3083
3084         Reviewed by Saam Barati.
3085
3086         * assembler/AbstractMacroAssembler.h:
3087         * assembler/MacroAssembler.cpp:
3088         (JSC::MacroAssembler::probe):
3089         * assembler/MacroAssembler.h:
3090         * assembler/MacroAssemblerARM.cpp:
3091         (JSC::MacroAssembler::probe):
3092         * assembler/MacroAssemblerARM.h:
3093         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
3094         * assembler/MacroAssemblerARM64.cpp:
3095         (JSC::MacroAssembler::probe):
3096         * assembler/MacroAssemblerARMv7.cpp:
3097         (JSC::MacroAssembler::probe):
3098         * assembler/MacroAssemblerARMv7.h:
3099         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
3100         * assembler/MacroAssemblerPrinter.cpp:
3101         * assembler/MacroAssemblerPrinter.h:
3102         * assembler/MacroAssemblerX86Common.cpp:
3103         * assembler/testmasm.cpp:
3104         (JSC::isSpecialGPR):
3105         (JSC::testProbeModifiesProgramCounter):
3106         (JSC::run):
3107         * b3/B3LowerToAir.cpp:
3108         (JSC::B3::Air::LowerToAir::print):
3109         * b3/air/AirPrintSpecial.cpp:
3110         * b3/air/AirPrintSpecial.h:
3111
3112 2017-08-10  Mark Lam  <mark.lam@apple.com>
3113
3114         Apply the UNLIKELY macro to some unlikely things.
3115         https://bugs.webkit.org/show_bug.cgi?id=175440
3116         <rdar://problem/33834767>
3117
3118         Reviewed by Yusuke Suzuki.
3119
3120         * bytecode/CodeBlock.cpp:
3121         (JSC::CodeBlock::~CodeBlock):
3122         (JSC::CodeBlock::jettison):
3123         * dfg/DFGByteCodeParser.cpp:
3124         (JSC::DFG::ByteCodeParser::handleCall):
3125         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3126         (JSC::DFG::ByteCodeParser::handleGetById):
3127         (JSC::DFG::ByteCodeParser::handlePutById):
3128         (JSC::DFG::ByteCodeParser::parseBlock):
3129         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3130         * dfg/DFGJITCompiler.cpp:
3131         (JSC::DFG::JITCompiler::JITCompiler):
3132         (JSC::DFG::JITCompiler::linkOSRExits):
3133         (JSC::DFG::JITCompiler::link):
3134         (JSC::DFG::JITCompiler::disassemble):
3135         * dfg/DFGJITFinalizer.cpp:
3136         (JSC::DFG::JITFinalizer::finalizeCommon):
3137         * dfg/DFGOSRExit.cpp:
3138         (JSC::DFG::OSRExit::compileOSRExit):
3139         * dfg/DFGPlan.cpp:
3140         (JSC::DFG::Plan::Plan):
3141         * ftl/FTLJITFinalizer.cpp:
3142         (JSC::FTL::JITFinalizer::finalizeCommon):
3143         * ftl/FTLLink.cpp:
3144         (JSC::FTL::link):
3145         * ftl/FTLOSRExitCompiler.cpp:
3146         (JSC::FTL::compileStub):
3147         * jit/JIT.cpp:
3148         (JSC::JIT::privateCompileMainPass):
3149         (JSC::JIT::compileWithoutLinking):
3150         (JSC::JIT::link):
3151         * runtime/ScriptExecutable.cpp:
3152         (JSC::ScriptExecutable::installCode):
3153         * runtime/VM.cpp:
3154         (JSC::VM::VM):
3155
3156 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3157
3158         [WTF] ThreadSpecific should not introduce additional indirection
3159         https://bugs.webkit.org/show_bug.cgi?id=175187
3160
3161         Reviewed by Mark Lam.
3162
3163         * runtime/Identifier.cpp:
3164
3165 2017-08-10  Tim Horton  <timothy_horton@apple.com>
3166
3167         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
3168         https://bugs.webkit.org/show_bug.cgi?id=175436
3169         <rdar://problem/33667497>
3170
3171         Reviewed by Simon Fraser.
3172
3173         * interpreter/Interpreter.cpp:
3174         (JSC::Interpreter::Interpreter):
3175
3176 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
3177
3178         Remove ENABLE_GAMEPAD_DEPRECATED
3179         https://bugs.webkit.org/show_bug.cgi?id=175361
3180
3181         Reviewed by Carlos Garcia Campos.
3182
3183         * Configurations/FeatureDefines.xcconfig:
3184
3185 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
3186
3187         [JSC] Create JSSet constructor that accepts its size as parameter
3188         https://bugs.webkit.org/show_bug.cgi?id=173297
3189
3190         Reviewed by Saam Barati.
3191
3192         This patch is adding a new constructor to JSSet that gives its
3193         expected initial size. It is important to avoid re-hashing and multiple
3194         allocations when we know the final size of JSSet, such as in
3195         CodeBlock::setConstantIdentifierSetRegisters.
3196
3197         * bytecode/CodeBlock.cpp:
3198         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3199         * runtime/HashMapImpl.h:
3200         (JSC::HashMapImpl::HashMapImpl):
3201         * runtime/JSSet.h:
3202
3203 2017-08-09  Commit Queue  <commit-queue@webkit.org>
3204
3205         Unreviewed, rolling out r220466, r220477, and r220487.
3206         https://bugs.webkit.org/show_bug.cgi?id=175411
3207
3208         This change broke existing API tests and follow up fixes did
3209         not resolve all the issues. (Requested by ryanhaddad on
3210         #webkit).
3211
3212         Reverted changesets:
3213
3214         https://bugs.webkit.org/show_bug.cgi?id=175244
3215         http://trac.webkit.org/changeset/220466
3216
3217         "WTF::Function does not allow for reference / non-default
3218         constructible return types"
3219         https://bugs.webkit.org/show_bug.cgi?id=175244
3220         http://trac.webkit.org/changeset/220477
3221
3222         https://bugs.webkit.org/show_bug.cgi?id=175244
3223         http://trac.webkit.org/changeset/220487
3224
3225 2017-08-09  Caitlin Potter  <caitp@igalia.com>
3226
3227         Early error on ANY operator before new.target
3228         https://bugs.webkit.org/show_bug.cgi?id=157970
3229
3230         Reviewed by Saam Barati.
3231
3232         Instead of throwing if any unary operator precedes new.target, only
3233         throw if the unary operator updates the reference.
3234
3235         The following become legal in JSC:
3236
3237         ```
3238         !new.target
3239         ~new.target
3240         typeof new.target
3241         delete new.target
3242         void new.target
3243         ```
3244
3245         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
3246
3247         * parser/Parser.cpp:
3248         (JSC::Parser<LexerType>::parseUnaryExpression):
3249
3250 2017-08-09  Sam Weinig  <sam@webkit.org>
3251
3252         WTF::Function does not allow for reference / non-default constructible return types
3253         https://bugs.webkit.org/show_bug.cgi?id=175244
3254
3255         Reviewed by Chris Dumez.
3256
3257         * runtime/ArrayBuffer.cpp:
3258         (JSC::ArrayBufferContents::transferTo):
3259         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3260         destroy call needed to be a no-op anyway, since the data is being moved.
3261
3262 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
3263
3264         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
3265         https://bugs.webkit.org/show_bug.cgi?id=175392
3266         <rdar://problem/33783207>
3267
3268         Reviewed by Tim Horton and Megan Gardner.
3269
3270         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
3271
3272         * Configurations/FeatureDefines.xcconfig:
3273
3274 2017-08-09  Robin Morisset  <rmorisset@apple.com>
3275
3276         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
3277         https://bugs.webkit.org/show_bug.cgi?id=175358
3278
3279         Reviewed by Mark Lam.
3280
3281         * jit/JITOperations.cpp:
3282         * runtime/JSObjectInlines.h:
3283         (JSC::JSObject::putInlineForJSObject):
3284
3285 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
3286
3287         Unreviewed, rolling out r220457.
3288
3289         This change introduced API test failures.
3290
3291         Reverted changeset:
3292
3293         "WTF::Function does not allow for reference / non-default
3294         constructible return types"
3295         https://bugs.webkit.org/show_bug.cgi?id=175244
3296         http://trac.webkit.org/changeset/220457
3297
3298 2017-08-09  Sam Weinig  <sam@webkit.org>
3299
3300         WTF::Function does not allow for reference / non-default constructible return types
3301         https://bugs.webkit.org/show_bug.cgi?id=175244
3302
3303         Reviewed by Chris Dumez.
3304
3305         * runtime/ArrayBuffer.cpp:
3306         (JSC::ArrayBufferContents::transferTo):
3307         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3308         destroy call needed to be a no-op anyway, since the data is being moved.
3309
3310 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3311
3312         REGRESSION: 2 test262/test/language/statements/async-function failures
3313         https://bugs.webkit.org/show_bug.cgi?id=175334
3314
3315         Reviewed by Yusuke Suzuki.
3316
3317         Switch off useAsyncIterator by default
3318
3319         * runtime/Options.h:
3320
3321 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3322
3323         ICs should do caging
3324         https://bugs.webkit.org/show_bug.cgi?id=175295
3325
3326         Reviewed by Saam Barati.
3327         
3328         Adds the appropriate cage() calls in our inline caches.
3329
3330         * bytecode/AccessCase.cpp:
3331         (JSC::AccessCase::generateImpl):
3332         * bytecode/InlineAccess.cpp:
3333         (JSC::InlineAccess::dumpCacheSizesAndCrash):
3334         (JSC::InlineAccess::generateSelfPropertyAccess):
3335         (JSC::InlineAccess::generateSelfPropertyReplace):
3336         (JSC::InlineAccess::generateArrayLength):
3337
3338 2017-08-08  Devin Rousso  <drousso@apple.com>
3339
3340         Web Inspector: Canvas: support editing WebGL shaders
3341         https://bugs.webkit.org/show_bug.cgi?id=124211
3342         <rdar://problem/15448958>
3343
3344         Reviewed by Matt Baker.
3345
3346         * inspector/protocol/Canvas.json:
3347         Add `updateShader` command that will change the given shader's source to the provided string,
3348         recompile, and relink it to its associated program.
3349         Drive-by: add description to `requestShaderSource` command.
3350
3351 2017-08-08  Robin Morisset  <rmorisset@apple.com>
3352
3353         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
3354         https://bugs.webkit.org/show_bug.cgi?id=175347
3355
3356         Reviewed by Saam Barati.
3357
3358         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
3359         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
3360         negligible considering how much more finishCreation does.
3361         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
3362         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
3363
3364         * bytecode/CodeBlock.cpp:
3365         (JSC::CodeBlock::finishCreation):
3366         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3367         (JSC::CodeBlock::setConstantRegisters):
3368         * bytecode/CodeBlock.h:
3369         * runtime/ScriptExecutable.cpp:
3370         (JSC::ScriptExecutable::newCodeBlockFor):
3371
3372 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
3373
3374         Unreviewed, fix Ubuntu LTS build
3375         https://bugs.webkit.org/show_bug.cgi?id=174490
3376
3377         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3378         * inspector/remote/glib/RemoteInspectorServer.cpp:
3379
3380 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3381
3382         Baseline JIT should do caging
3383         https://bugs.webkit.org/show_bug.cgi?id=175037
3384
3385         Reviewed by Mark Lam.
3386         
3387         Adds AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
3388         
3389         Also modifies FTL caging to be more defensive when caging is disabled.
3390         
3391         Relanded with fixed AssemblyHelpers::cageConditionally().
3392
3393         * bytecode/AccessCase.cpp:
3394         (JSC::AccessCase::generateImpl):
3395         * bytecode/InlineAccess.cpp:
3396         (JSC::InlineAccess::dumpCacheSizesAndCrash):
3397         (JSC::InlineAccess::generateSelfPropertyAccess):
3398         (JSC::InlineAccess::generateSelfPropertyReplace):
3399         (JSC::InlineAccess::generateArrayLength):
3400         * ftl/FTLLowerDFGToB3.cpp:
3401         (JSC::FTL::DFG::LowerDFGToB3::caged):
3402         * jit/AssemblyHelpers.h:
3403         (JSC::AssemblyHelpers::cage):
3404         (JSC::AssemblyHelpers::cageConditionally):
3405         * jit/JITPropertyAccess.cpp:
3406         (JSC::JIT::emitDoubleLoad):
3407         (JSC::JIT::emitContiguousLoad):
3408         (JSC::JIT::emitArrayStorageLoad):
3409         (JSC::JIT::emitGenericContiguousPutByVal):
3410         (JSC::JIT::emitArrayStoragePutByVal):
3411         (JSC::JIT::emit_op_get_from_scope):
3412         (JSC::JIT::emit_op_put_to_scope):
3413         (JSC::JIT::emitIntTypedArrayGetByVal):
3414         (JSC::JIT::emitFloatTypedArrayGetByVal):
3415         (JSC::JIT::emitIntTypedArrayPutByVal):
3416         (JSC::JIT::emitFloatTypedArrayPutByVal):
3417         * jsc.cpp:
3418         (jscmain):
3419         (primitiveGigacageDisabled): Deleted.
3420
3421 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
3422
3423         Unreviewed, rolling out r220368.
3424
3425         This change caused WK1 tests to exit early with crashes.
3426
3427         Reverted changeset:
3428
3429         "Baseline JIT should do caging"
3430         https://bugs.webkit.org/show_bug.cgi?id=175037
3431         http://trac.webkit.org/changeset/220368
3432
3433 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
3434
3435         [CMake] Properly test if compiler supports compiler flags
3436         https://bugs.webkit.org/show_bug.cgi?id=174490
3437
3438         Reviewed by Konstantin Tokarev.
3439
3440         * API/tests/PingPongStackOverflowTest.cpp:
3441         (testPingPongStackOverflow):
3442         * API/tests/testapi.c:
3443         * b3/testb3.cpp:
3444         (JSC::B3::testPatchpointLotsOfLateAnys):
3445
3446 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3447
3448         [Linux] Clear WasmMemory with madvise instead of memset
3449         https://bugs.webkit.org/show_bug.cgi?id=175150
3450
3451         Reviewed by Filip Pizlo.
3452
3453         On Linux, zeroing pages with memset populates the backing store.
3454         Instead, we should use madvise with MADV_DONTNEED. It discards the
3455         pages, and if you access these pages again, on-demand zero pages
3456         will be shown.
3457
3458         We also commit grown pages in all OSes.
3459
3460         * wasm/WasmMemory.cpp:
3461         (JSC::Wasm::commitZeroPages):
3462         (JSC::Wasm::Memory::create):
3463         (JSC::Wasm::Memory::grow):
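
As an added example (not JSC's WasmMemory.cpp code), the strategy this entry describes on a constructed toy linear memory: a PROT_NONE reservation, mprotect to commit grown pages, and madvise(MADV_DONTNEED) on Linux (memset elsewhere) to zero committed pages without populating them. The LinearMemory type and the zeroPages, growMemory and demoZeroPages helpers are hypothetical names for this example.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Toy wasm-style linear memory (constructed for this example, not JSC's
 * Wasm::Memory): a large PROT_NONE reservation of which only the first
 * committedBytes are readable and writable. */
typedef struct {
    uint8_t* base;
    size_t reservedBytes;
    size_t committedBytes;
} LinearMemory;

static size_t pageSize(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Zero a committed, page-aligned range. On Linux MADV_DONTNEED drops the
 * physical pages, so resident memory shrinks and the next touch faults in a
 * fresh zero page on demand; memset would instead write to (and populate)
 * every page. Returns 1 when madvise did the work, 0 after the memset fallback. */
static int zeroPages(void* addr, size_t size)
{
#if defined(__linux__)
    /* The "reads back as zero" guarantee holds for private anonymous mappings,
     * which is exactly what reserveMemory() creates below. */
    if (madvise(addr, size, MADV_DONTNEED) == 0)
        return 1;
#endif
    memset(addr, 0, size);
    return 0;
}

/* Reserve address space without committing any of it. Returns 0 on success. */
static int reserveMemory(LinearMemory* mem, size_t reservedBytes)
{
    void* p = mmap(NULL, reservedBytes, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    mem->base = p;
    mem->reservedBytes = reservedBytes;
    mem->committedBytes = 0;
    return 0;
}

/* Grow by deltaBytes: commit the new tail (mprotect to RW) on every OS, then
 * zero it so the caller never observes stale contents. Returns 0 on success. */
static int growMemory(LinearMemory* mem, size_t deltaBytes)
{
    if (deltaBytes > mem->reservedBytes - mem->committedBytes)
        return -1;
    uint8_t* tail = mem->base + mem->committedBytes;
    if (mprotect(tail, deltaBytes, PROT_READ | PROT_WRITE) != 0)
        return -1;
    zeroPages(tail, deltaBytes);
    mem->committedBytes += deltaBytes;
    return 0;
}

static void releaseMemory(LinearMemory* mem) { munmap(mem->base, mem->reservedBytes); }

/* Demonstration: commit pageCount pages, dirty every page, zero them with
 * zeroPages(), then grow into the rest of the reservation. Returns 1 if every
 * byte of both regions reads back as zero, 0 if any byte did not, and -1 on
 * an allocation failure. */
int demoZeroPages(size_t pageCount)
{
    LinearMemory mem;
    size_t size = pageSize() * pageCount;
    if (reserveMemory(&mem, size * 2) != 0)      /* reserve twice, commit half */
        return -1;
    if (growMemory(&mem, size) != 0) {
        releaseMemory(&mem);
        return -1;
    }
    for (size_t i = 0; i < size; i += 64)
        mem.base[i] = 0xAB;                       /* populate every page with non-zero data */
    zeroPages(mem.base, size);
    int result = 1;
    for (size_t i = 0; i < size && result == 1; ++i)
        if (mem.base[i])
            result = 0;
    /* Growing into the untouched remainder must also yield zeroed pages. */
    if (result == 1) {
        if (growMemory(&mem, size) != 0)
            result = -1;
        for (size_t i = size; i < 2 * size && result == 1; ++i)
            if (mem.base[i])
                result = 0;
    }
    releaseMemory(&mem);
    return result;
}
```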
3464
3465 2017-08-07  Robin Morisset  <rmorisset@apple.com>
3466
3467         GetOwnProperty of TypedArray indexed fields is wrongly configurable
3468         https://bugs.webkit.org/show_bug.cgi?id=175307
3469
3470         Reviewed by Saam Barati.
3471
3472         ```
3473         let a = new Uint8Array(10);
3474         let b = Object.getOwnPropertyDescriptor(a, 0);
3475         assert(b.configurable === false);
3476         ```
3477         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
3478         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
3479         that says that typed arrays are integer indexed exotic objects.
3480
3481         * runtime/JSGenericTypedArrayViewInlines.h:
3482         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
3483
3484 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
3485
3486         Baseline JIT should do caging
3487         https://bugs.webkit.org/show_bug.cgi?id=175037
3488
3489         Reviewed by Mark Lam.
3490         
3491         Adds AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
3492         
3493         Also modifies FTL caging to be more defensive when caging is disabled.
3494
3495         * ftl/FTLLowerDFGToB3.cpp:
3496         (JSC::FTL::DFG::LowerDFGToB3::caged):
3497         * jit/AssemblyHelpers.h:
3498         (JSC::AssemblyHelpers::cage):
3499         (JSC::AssemblyHelpers::cageConditionally):
3500         * jit/JITPropertyAccess.cpp:
3501         (JSC::JIT::emitDoubleLoad):
3502         (JSC::JIT::emitContiguousLoad):
3503         (JSC::JIT::emitArrayStorageLoad):
3504         (JSC::JIT::emitGenericContiguousPutByVal):
3505         (JSC::JIT::emitArrayStoragePutByVal):
3506         (JSC::JIT::emit_op_get_from_scope):
3507         (JSC::JIT::emit_op_put_to_scope):
3508         (JSC::JIT::emitIntTypedArrayGetByVal):
3509         (JSC::JIT::emitFloatTypedArrayGetByVal):
3510         (JSC::JIT::emitIntTypedArrayPutByVal):
3511         (JSC::JIT::emitFloatTypedArrayPutByVal):
3512         * jsc.cpp:
3513         (jscmain):
3514         (primitiveGigacageDisabled): Deleted.
3515
3516 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
3517
3518         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
3519         https://bugs.webkit.org/show_bug.cgi?id=174919
3520
3521         Reviewed by Keith Miller.
3522         
3523         This adapts JSC to there being two gigacages.
3524         
3525         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
3526         singletons. I don't think we were gaining anything by making them be singletons.
3527         
3528         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
3529         gigacages. We'll have one of those allocators per cage.
3530         
3531         From there, this change teaches everyone who previously knew about cages that there are two cages.
3532         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
3533         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
3534         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
3535         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
3536         
3537         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
3538         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
3539
3540         * JavaScriptCore.xcodeproj/project.pbxproj:
3541         * bytecode/AccessCase.cpp:
3542         (JSC::AccessCase::generateImpl):
3543         * dfg/DFGSpeculativeJIT.cpp:
3544         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3545         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3546         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3547         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
3548         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
3549         * ftl/FTLLowerDFGToB3.cpp:
3550         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
3551         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
3552         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
3553         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
3554         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3555         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3556         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
3557         (JSC::FTL::DFG::LowerDFGToB3::caged):
3558         * heap/FastMallocAlignedMemoryAllocator.cpp:
3559         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
3560         * heap/FastMallocAlignedMemoryAllocator.h:
3561         * heap/GigacageAlignedMemoryAllocator.cpp:
3562         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
3563         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
3564         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
3565         (JSC::GigacageAlignedMemoryAllocator::dump const):
3566         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
3567         * heap/GigacageAlignedMemoryAllocator.h:
3568         * jsc.cpp:
3569         (primitiveGigacageDisabled):
3570         (jscmain):
3571         (gigacageDisabled): Deleted.
3572         * llint/LowLevelInterpreter64.asm:
3573         * runtime/ArrayBuffer.cpp:
3574         (JSC::ArrayBufferContents::tryAllocate):
3575         (JSC::ArrayBuffer::createAdopted):
3576         (JSC::ArrayBuffer::createFromBytes):
3577         * runtime/AuxiliaryBarrier.h:
3578         * runtime/ButterflyInlines.h:
3579         (JSC::Butterfly::createUninitialized):
3580         (JSC::Butterfly::tryCreate):
3581         (JSC::Butterfly::growArrayRight):
3582         * runtime/CagedBarrierPtr.h: Added.
3583         (JSC::CagedBarrierPtr::CagedBarrierPtr):
3584         (JSC::CagedBarrierPtr::clear):
3585         (JSC::CagedBarrierPtr::set):
3586         (JSC::CagedBarrierPtr::get const):
3587         (JSC::CagedBarrierPtr::getMayBeNull const):
3588         (JSC::CagedBarrierPtr::operator== const):
3589         (JSC::CagedBarrierPtr::operator!= const):
3590         (JSC::CagedBarrierPtr::operator bool const):
3591         (JSC::CagedBarrierPtr::setWithoutBarrier):
3592         (JSC::CagedBarrierPtr::operator* const):
3593         (JSC::CagedBarrierPtr::operator-> const):
3594         (JSC::CagedBarrierPtr::operator[] const):
3595         * runtime/DirectArguments.cpp:
3596         (JSC::DirectArguments::overrideThings):
3597         (JSC::DirectArguments::unmapArgument):
3598         * runtime/DirectArguments.h:
3599         (JSC::DirectArguments::isMappedArgument const):
3600         * runtime/GenericArguments.h:
3601         * runtime/GenericArgumentsInlines.h:
3602         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3603         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
3604         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
3605         * runtime/HashMapImpl.cpp:
3606         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
3607         * runtime/HashMapImpl.h:
3608         (JSC::HashMapBuffer::create):
3609         (JSC::HashMapImpl::buffer const):
3610         (JSC::HashMapImpl::rehash):
3611         * runtime/JSArray.cpp:
3612         (JSC::JSArray::tryCreateUninitializedRestricted):
3613         (JSC::JSArray::unshiftCountSlowCase):
3614         (JSC::JSArray::setLength):
3615         (JSC::JSArray::pop):
3616         (JSC::JSArray::push):
3617         (JSC::JSArray::fastSlice):
3618         (JSC::JSArray::shiftCountWithArrayStorage):
3619         (JSC::JSArray::shiftCountWithAnyIndexingType):
3620         (JSC::JSArray::unshiftCountWithAnyIndexingType):
3621         (JSC::JSArray::fillArgList):
3622         (JSC::JSArray::copyToArguments):
3623         * runtime/JSArray.h:
3624         (JSC::JSArray::tryCreate):
3625         * runtime/JSArrayBufferView.cpp:
3626         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3627         (JSC::JSArrayBufferView::finalize):
3628         * runtime/JSLock.cpp:
3629         (JSC::JSLock::didAcquireLock):
3630         * runtime/JSObject.cpp:
3631         (JSC::JSObject::heapSnapshot):
3632         (JSC::JSObject::getOwnPropertySlotByIndex):
3633         (JSC::JSObject::putByIndex):
3634         (JSC::JSObject::enterDictionaryIndexingMode):
3635         (JSC::JSObject::createInitialIndexedStorage):
3636         (JSC::JSObject::createArrayStorage):
3637         (JSC::JSObject::convertUndecidedToInt32):
3638         (JSC::JSObject::convertUndecidedToDouble):
3639         (JSC::JSObject::convertUndecidedToContiguous):
3640         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
3641         (JSC::JSObject::convertUndecidedToArrayStorage):
3642         (JSC::JSObject::convertInt32ToDouble):
3643         (JSC::JSObject::convertInt32ToContiguous):
3644         (JSC::JSObject::convertInt32ToArrayStorage):
3645         (JSC::JSObject::convertDoubleToContiguous):
3646         (JSC::JSObject::convertDoubleToArrayStorage):
3647         (JSC::JSObject::convertContiguousToArrayStorage):
3648         (JSC::JSObject::setIndexQuicklyToUndecided):
3649         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
3650         (JSC::JSObject::deletePropertyByIndex):
3651         (JSC::JSObject::getOwnPropertyNames):
3652         (JSC::JSObject::putIndexedDescriptor):
3653         (JSC::JSObject::defineOwnIndexedProperty):
3654         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
3655         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
3656         (JSC::JSObject::getNewVectorLength):
3657         (JSC::JSObject::ensureLengthSlow):
3658         (JSC::JSObject::reallocateAndShrinkButterfly):
3659         (JSC::JSObject::allocateMoreOutOfLineStorage):
3660         (JSC::JSObject::getEnumerableLength):
3661         * runtime/JSObject.h:
3662         (JSC::JSObject::getArrayLength const):
3663         (JSC::JSObject::getVectorLength):
3664         (JSC::JSObject::putDirectIndex):
3665         (JSC::JSObject::canGetIndexQuickly):
3666         (JSC::JSObject::getIndexQuickly):
3667         (JSC::JSObject::tryGetIndexQuickly const):
3668         (JSC::JSObject::canSetIndexQuickly):
3669         (JSC::JSObject::setIndexQuickly):
3670         (JSC::JSObject::initializeIndex):
3671         (JSC::JSObject::initializeIndexWithoutBarrier):
3672         (JSC::JSObject::hasSparseMap):
3673         (JSC::JSObject::inSparseIndexingMode):
3674         (JSC::JSObject::butterfly const):
3675         (JSC::JSObject::butterfly):
3676         (JSC::JSObject::outOfLineStorage const):
3677         (JSC::JSObject::outOfLineStorage):
3678         (JSC::JSObject::ensureInt32):
3679         (JSC::JSObject::ensureDouble):
3680         (JSC::JSObject::ensureContiguous):
3681         (JSC::JSObject::ensureArrayStorage):
3682         (JSC::JSObject::arrayStorage):
3683         (JSC::JSObject::arrayStorageOrNull):
3684         (JSC::JSObject::ensureLength):
3685         * runtime/RegExpMatchesArray.h:
3686         (JSC::tryCreateUninitializedRegExpMatchesArray):
3687         * runtime/VM.cpp:
3688         (JSC::VM::VM):
3689         (JSC::VM::~VM):
3690         (JSC::VM::primitiveGigacageDisabledCallback):
3691         (JSC::VM::primitiveGigacageDisabled):
3692         (JSC::VM::gigacageDisabledCallback): Deleted.
3693         (JSC::VM::gigacageDisabled): Deleted.
3694         * runtime/VM.h:
3695         (JSC::VM::gigacageAuxiliarySpace):
3696         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
3697         (JSC::VM::primitiveGigacageEnabled):
3698         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
3699         (JSC::VM::gigacageEnabled): Deleted.
3700         * wasm/WasmMemory.cpp:
3701         (JSC::Wasm::Memory::create):
3702         (JSC::Wasm::Memory::~Memory):
3703         (JSC::Wasm::Memory::grow):
3704
3705 2017-08-07  Commit Queue  <commit-queue@webkit.org>
3706
3707         Unreviewed, rolling out r220144.
3708         https://bugs.webkit.org/show_bug.cgi?id=175276
3709
3710         "It did not actually speed things up in the way I expected"
3711         (Requested by saamyjoon on #webkit).
3712
3713         Reverted changeset:
3714
3715         "On memory-constrained iOS devices, reduce the rate at which
3716         the JS heap grows before a GC to try to keep more memory
3717         available for the system"
3718         https://bugs.webkit.org/show_bug.cgi?id=175041
3719         http://trac.webkit.org/changeset/220144
3720
3721 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
3722
3723         Unreviewed, rolling out r220299.
3724
3725         This change caused LayoutTest inspector/dom-debugger/dom-
3726         breakpoints.html to fail.
3727
3728         Reverted changeset:
3729
3730         "Web Inspector: capture async stack trace when workers/main
3731         context posts a message"
3732         https://bugs.webkit.org/show_bug.cgi?id=167084
3733         http://trac.webkit.org/changeset/220299
3734
3735 2017-08-07  Brian Burg  <bburg@apple.com>
3736
3737         Remove CANVAS_PATH compilation guard
3738         https://bugs.webkit.org/show_bug.cgi?id=175207
3739
3740         Reviewed by Sam Weinig.
3741
3742         * Configurations/FeatureDefines.xcconfig:
3743
3744 2017-08-07  Keith Miller  <keith_miller@apple.com>
3745
3746         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
3747         https://bugs.webkit.org/show_bug.cgi?id=175256
3748
3749         Reviewed by Saam Barati.
3750
3751         The check in createFromBytes just needed to check that the buffer was not null before
3752         calling isCaged.
3753
3754         * runtime/ArrayBuffer.cpp:
3755         (JSC::ArrayBuffer::createFromBytes):
3756
3757 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
3758
3759         [GTK][WPE] Add API to provide browser information required by automation
3760         https://bugs.webkit.org/show_bug.cgi?id=175130
3761
3762         Reviewed by Brian Burg.
3763
3764         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
3765         get them.
3766
3767         * inspector/remote/RemoteInspector.cpp:
3768         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
3769         * inspector/remote/RemoteInspector.h:
3770         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3771         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
3772         requested to ensure they are updated before StartAutomationSession reply is sent.
3773         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
3774         StartAutomationSession message.
3775
3776 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3777
3778         Promise resolve and reject function should have length = 1
3779         https://bugs.webkit.org/show_bug.cgi?id=175242
3780
3781         Reviewed by Saam Barati.
3782
3783         Previously we had a separate system for "length" and "name" for builtin functions.
3784         The builtin functions do not use the lazy reifying system. Instead, they have direct
3785         properties set when they are instantiated. While a function created for a property (like
3786         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
3787         these builtin functions are just created by JSFunction::create(). Since that does
3788         not set any value for "length", these functions do not have a "length" property.
3789         So the resolve and reject functions passed to Promise's executor do not have a
3790         "length" property.
3791
3792         This patch makes builtin functions use the standard lazy reifying system for "length".
3793         So the "length" property of a builtin function just works as it does for normal
3794         functions.
3795
3796         * runtime/JSFunction.cpp:
3797         (JSC::JSFunction::createBuiltinFunction):
3798         (JSC::JSFunction::getOwnPropertySlot):
3799         (JSC::JSFunction::getOwnNonIndexPropertyNames):
3800         (JSC::JSFunction::put):
3801         (JSC::JSFunction::deleteProperty):
3802         (JSC::JSFunction::defineOwnProperty):
3803         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
3804         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
3805         (JSC::JSFunction::reifyLazyLengthIfNeeded):
3806         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
3807         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
3808         * runtime/JSFunction.h:
3809
3810 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
3811
3812         [ESNext] Async iteration - Implement Async Generator - parser
3813         https://bugs.webkit.org/show_bug.cgi?id=175210
3814
3815         Reviewed by Yusuke Suzuki.
3816
3817         The current implementation is a draft version of Async Iteration.
3818         Link to spec: https://tc39.github.io/proposal-async-iteration/
3819
3820         The current patch implements only the parser part of the Async generator.
3821         The runtime part will be in the next patches.
3822
3823         * parser/ASTBuilder.h:
3824         (JSC::ASTBuilder::createFunctionMetadata):
3825         * parser/Parser.cpp:
3826         (JSC::getAsynFunctionBodyParseMode):
3827         (JSC::Parser<LexerType>::parseInner):
3828         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
3829         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
3830         (JSC::stringArticleForFunctionMode):
3831         (JSC::stringForFunctionMode):
3832         (JSC::Parser<LexerType>::parseFunctionInfo):
3833         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
3834         (JSC::Parser<LexerType>::parseClass):
3835         (JSC::Parser<LexerType>::parseProperty):
3836         (JSC::Parser<LexerType>::parsePropertyMethod):
3837         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
3838         * parser/Parser.h:
3839         (JSC::Scope::setSourceParseMode):
3840         * parser/ParserModes.h:
3841         (JSC::isFunctionParseMode):
3842         (JSC::isAsyncFunctionParseMode):
3843         (JSC::isAsyncArrowFunctionParseMode):
3844         (JSC::isAsyncGeneratorFunctionParseMode):
3845         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
3846         (JSC::isAsyncFunctionWrapperParseMode):
3847         (JSC::isAsyncFunctionBodyParseMode):
3848         (JSC::isGeneratorMethodParseMode):
3849         (JSC::isAsyncMethodParseMode):
3850         (JSC::isAsyncGeneratorMethodParseMode):
3851         (JSC::isMethodParseMode):
3852         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
3853         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
3854
3855 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
3856
3857         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
3858         https://bugs.webkit.org/show_bug.cgi?id=175083
3859
3860         Reviewed by Oliver Hunt.
3861         
3862         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
3863         even if we are using the pop path.
3864         
3865         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
3866         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
3867         the world just because we changed it.
3868         
3869         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
3870         easier to debug leaks.
3871
3872         * bytecode/AccessCase.cpp:
3873         * bytecode/PolymorphicAccess.cpp:
3874         * heap/HeapCell.cpp:
3875         (JSC::HeapCell::isLive):
3876         * heap/HeapCellInlines.h:
3877         (JSC::HeapCell::isLive): Deleted.
3878         * heap/MarkedAllocator.cpp:
3879         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3880         (JSC::MarkedAllocator::endMarking):
3881         * heap/MarkedBlockInlines.h:
3882         (JSC::MarkedBlock::Handle::specializedSweep):
3883         * jit/AssemblyHelpers.cpp:
3884         * jit/Repatch.cpp:
3885         * runtime/TestRunnerUtils.h:
3886         * runtime/VM.cpp:
3887         (JSC::waitForVMDestruction):
3888         (JSC::VM::~VM):
3889
3890 2017-08-05  Mark Lam  <mark.lam@apple.com>
3891
3892         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
3893         https://bugs.webkit.org/show_bug.cgi?id=175228
3894         <rdar://problem/33735737>
3895
3896         Reviewed by Saam Barati.
3897
3898         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
3899         delete OSRExit32_64.cpp.
3900
3901         * CMakeLists.txt:
3902         * JavaScriptCore.xcodeproj/project.pbxproj:
3903         * dfg/DFGOSRExit.cpp:
3904         (JSC::DFG::OSRExit::compileExit):
3905         * dfg/DFGOSRExit32_64.cpp: Removed.
3906         * jit/GPRInfo.h:
3907         (JSC::JSValueSource::payloadGPR const):
3908
3909 2017-08-04  Youenn Fablet  <youenn@apple.com>
3910