[EME] Add basic implementation of HTMLMediaElement::setMediaKeys()
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-08-20  Mark Lam  <mark.lam@apple.com>
2
3         Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
4         https://bugs.webkit.org/show_bug.cgi?id=175688
5         <rdar://problem/33436870>
6
7         Reviewed by JF Bastien.
8
9         With this patch, the clients of the MacroAssembler::probe() can now change
10         stack values without having to worry about whether there is enough room in the
11         current stack frame for it or not.  This is done using the Probe::Context's stack
12         member like so:
13
14             jit.probe([] (Probe::Context& context) {
15                 auto cpu = context.cpu;
16                 auto stack = context.stack();
17                 uintptr_t* currentSP = cpu.sp<uintptr_t*>();
18
19                 // Get a value at the current stack pointer location.
20                 auto value = stack.get<uintptr_t>(currentSP);
21
22                 // Set a value above the current stack pointer (within current frame).
23                 stack.set<uintptr_t>(currentSP + 10, value);
24
25                 // Set a value below the current stack pointer (out of current frame).
26                 stack.set<uintptr_t>(currentSP - 10, value);
27
28                 // Set the new stack pointer.
29                 cpu.sp() = currentSP - 20;
30             });
31
32         What happens behind the scenes:
33
34         1. the generated JIT probe code will now call Probe::executeProbe(), and
35            Probe::executeProbe() will in turn call the client's probe function.
36
37            Probe::executeProbe() receives the Probe::State on the machine stack passed
38            to it by the probe trampoline.  Probe::executeProbe() will instantiate a
39            Probe::Context to be passed to the client's probe function.  The client will
40            no longer see the Probe::State directly.
41
42         2. The Probe::Context comes with a Probe::Stack which serves as a manager of
43            stack pages.  Currently, each page is 1K in size.
44            Probe::Context::stack() returns a reference to an instance of Probe::Stack.
45
46         3. Invoking get() or set() on Probe::Stack with an address will lead to the
47            following:
48
49            a. the address will be decoded to a baseAddress that points to the 1K page
50               that contains that address.
51
52            b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
53               If so, go to step (f).  Else, continue with step (c).
54
55            c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
56               for that specified baseAddress to this mirror page.
57
58            d. the mirror page will be added to the ProbeStack's m_pages HashMap,
59               keyed on the baseAddress.
60
61            e. the ProbeStack will also cache the last baseAddress and its corresponding
62               mirror page in use.  With memory accesses tending to be localized, this
63               will save us from having to look up the page in the HashMap.
64
65            f. get() will map the requested address to a physical address in the mirror
66               page, and return the value at that location.
67
68            g. set() will map the requested address to a physical address in the mirror
69               page, and set the value at that location in the mirror page.
70
71               set() will also set a dirty bit corresponding to the "cache line" that
72               was modified in the mirror page.
73
74         4. When the client's probe function returns, Probe::executeProbe() will check if
75            there are stack changes that need to be applied.  If stack changes are needed:
76
77            a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
78               space is available to flush the dirty stack pages.  It will also register a
79               flushStackDirtyPages callback function in the Probe::State.  Thereafter,
80               Probe::executeProbe() returns to the probe trampoline.
81
82            b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
83               a safe place if needed, and then calls the flushStackDirtyPages callback
84               if needed.
85
86            c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
87               HashMap and flush all dirty "cache lines" to the machine stack.
88               Thereafter, flushStackDirtyPages() returns to the probe trampoline.
89
90            d. lastly, the probe trampoline will restore all register values and return
91               to the pc set in the Probe::State.
92
93         To make this patch work, I also had to do the following work:
94
95         5. Refactor MacroAssembler::CPUState into Probe::CPUState.
96            Mainly, this means moving the code over to ProbeContext.h.
97            I also added some convenience accessor methods for spr registers. 
98
99            Moved Probe::Context over to its own file ProbeContext.h/cpp.
100
101         6. Fix all probe trampolines to pass the address of Probe::executeProbe in
102            addition to the client's probe function and arg.
103
104            I also took this opportunity to optimize the generated JIT probe code to
105            minimize the amount of memory stores needed. 
106
107         7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
108            either lr or pc (or neither), but not both in the same probe invocation.
109            The ARM64 probe trampoline used to have to check for this invariant in the
110            assembly trampoline code.  With the introduction of Probe::executeProbe(),
111            we can now do it there and simplify the trampoline.
112
113         8. Fix a bug in the old ARM64 probe trampoline for the case where the client
114            changes lr.  That code path never worked before, but has now been fixed.
115
116         9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
117            MacroAssemblerARMv7.
118
119            We can now use move() with TrustedImmPtr, and it does the same thing but in a
120            more generic way.
121
122        10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
123            the same semantics as movs (according to the Thumb spec).  This means these
124            instructions may trash the APSR flags before we have a chance to preserve them.
125
126            This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
127            early on.  This entails adding support for the mrs instruction in the
128            ARMv7Assembler.
129
130        11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
131            the easy way.
132
133            Also fixed testmasm tests which check flag registers to only compare the
134            portions that are modifiable by the client i.e. some masking is applied.
135
136         This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.
137
138         * CMakeLists.txt:
139         * JavaScriptCore.xcodeproj/project.pbxproj:
140         * assembler/ARMv7Assembler.h:
141         (JSC::ARMv7Assembler::mrs):
142         * assembler/AbstractMacroAssembler.h:
143         * assembler/MacroAssembler.cpp:
144         (JSC::stdFunctionCallback):
145         (JSC::MacroAssembler::probe):
146         * assembler/MacroAssembler.h:
147         (JSC::MacroAssembler::CPUState::gprName): Deleted.
148         (JSC::MacroAssembler::CPUState::sprName): Deleted.
149         (JSC::MacroAssembler::CPUState::fprName): Deleted.
150         (JSC::MacroAssembler::CPUState::gpr): Deleted.
151         (JSC::MacroAssembler::CPUState::spr): Deleted.
152         (JSC::MacroAssembler::CPUState::fpr): Deleted.
153         (JSC:: const): Deleted.
154         (JSC::MacroAssembler::CPUState::fpr const): Deleted.
155         (JSC::MacroAssembler::CPUState::pc): Deleted.
156         (JSC::MacroAssembler::CPUState::fp): Deleted.
157         (JSC::MacroAssembler::CPUState::sp): Deleted.
158         (JSC::MacroAssembler::CPUState::pc const): Deleted.
159         (JSC::MacroAssembler::CPUState::fp const): Deleted.
160         (JSC::MacroAssembler::CPUState::sp const): Deleted.
161         (JSC::Probe::State::gpr): Deleted.
162         (JSC::Probe::State::spr): Deleted.
163         (JSC::Probe::State::fpr): Deleted.
164         (JSC::Probe::State::gprName): Deleted.
165         (JSC::Probe::State::sprName): Deleted.
166         (JSC::Probe::State::fprName): Deleted.
167         (JSC::Probe::State::pc): Deleted.
168         (JSC::Probe::State::fp): Deleted.
169         (JSC::Probe::State::sp): Deleted.
170         * assembler/MacroAssemblerARM.cpp:
171         (JSC::MacroAssembler::probe):
172         * assembler/MacroAssemblerARM.h:
173         (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
174         * assembler/MacroAssemblerARM64.cpp:
175         (JSC::MacroAssembler::probe):
176         (JSC::arm64ProbeError): Deleted.
177         * assembler/MacroAssemblerARMv7.cpp:
178         (JSC::MacroAssembler::probe):
179         * assembler/MacroAssemblerARMv7.h:
180         (JSC::MacroAssemblerARMv7::armV7Condition):
181         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
182         * assembler/MacroAssemblerPrinter.cpp:
183         (JSC::Printer::printCallback):
184         * assembler/MacroAssemblerPrinter.h:
185         * assembler/MacroAssemblerX86Common.cpp:
186         (JSC::ctiMasmProbeTrampoline):
187         (JSC::MacroAssembler::probe):
188         * assembler/Printer.h:
189         (JSC::Printer::Context::Context):
190         * assembler/ProbeContext.cpp: Added.
191         (JSC::Probe::executeProbe):
192         (JSC::Probe::handleProbeStackInitialization):
193         (JSC::Probe::probeStateForContext):
194         * assembler/ProbeContext.h: Added.
195         (JSC::Probe::CPUState::gprName):
196         (JSC::Probe::CPUState::sprName):
197         (JSC::Probe::CPUState::fprName):
198         (JSC::Probe::CPUState::gpr):
199         (JSC::Probe::CPUState::spr):
200         (JSC::Probe::CPUState::fpr):
201         (JSC::Probe:: const):
202         (JSC::Probe::CPUState::fpr const):
203         (JSC::Probe::CPUState::pc):
204         (JSC::Probe::CPUState::fp):
205         (JSC::Probe::CPUState::sp):
206         (JSC::Probe::CPUState::pc const):
207         (JSC::Probe::CPUState::fp const):
208         (JSC::Probe::CPUState::sp const):
209         (JSC::Probe::Context::Context):
210         (JSC::Probe::Context::gpr):
211         (JSC::Probe::Context::spr):
212         (JSC::Probe::Context::fpr):
213         (JSC::Probe::Context::gprName):
214         (JSC::Probe::Context::sprName):
215         (JSC::Probe::Context::fprName):
216         (JSC::Probe::Context::pc):
217         (JSC::Probe::Context::fp):
218         (JSC::Probe::Context::sp):
219         (JSC::Probe::Context::stack):
220         (JSC::Probe::Context::hasWritesToFlush):
221         (JSC::Probe::Context::releaseStack):
222         * assembler/ProbeStack.cpp: Added.
223         (JSC::Probe::Page::Page):
224         (JSC::Probe::Page::flushWrites):
225         (JSC::Probe::Stack::Stack):
226         (JSC::Probe::Stack::hasWritesToFlush):
227         (JSC::Probe::Stack::flushWrites):
228         (JSC::Probe::Stack::ensurePageFor):
229         * assembler/ProbeStack.h: Added.
230         (JSC::Probe::Page::baseAddressFor):
231         (JSC::Probe::Page::chunkAddressFor):
232         (JSC::Probe::Page::baseAddress):
233         (JSC::Probe::Page::get):
234         (JSC::Probe::Page::set):
235         (JSC::Probe::Page::hasWritesToFlush const):
236         (JSC::Probe::Page::flushWritesIfNeeded):
237         (JSC::Probe::Page::dirtyBitFor):
238         (JSC::Probe::Page::physicalAddressFor):
239         (JSC::Probe::Stack::Stack):
240         (JSC::Probe::Stack::lowWatermark):
241         (JSC::Probe::Stack::get):
242         (JSC::Probe::Stack::set):
243         (JSC::Probe::Stack::newStackPointer const):
244         (JSC::Probe::Stack::setNewStackPointer):
245         (JSC::Probe::Stack::isValid):
246         (JSC::Probe::Stack::pageFor):
247         * assembler/testmasm.cpp:
248         (JSC::testProbeReadsArgumentRegisters):
249         (JSC::testProbeWritesArgumentRegisters):
250         (JSC::testProbePreservesGPRS):
251         (JSC::testProbeModifiesStackPointer):
252         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
253         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
254         (JSC::testProbeModifiesProgramCounter):
255         (JSC::testProbeModifiesStackValues):
256         (JSC::run):
257         (): Deleted.
258         (JSC::fillStack): Deleted.
259         (JSC::testProbeModifiesStackWithCallback): Deleted.
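
        A model of the mirror-page bookkeeping described in steps 3 and 4 above, added
        here as an illustration; it is not JavaScriptCore's ProbeStack.h/.cpp. The
        64-byte dirty-chunk granularity, the page-aligned 4K buffer standing in for the
        machine stack, and the demo addresses and values are assumptions made for this
        example. It shows the part the entry relies on for safety: writes never touch
        the real stack until flushWrites() runs, and only dirty chunks are copied back.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <unordered_map>

// Added model of the Probe::Stack scheme from the 2017-08-20 entry (not JSC's code).
namespace ProbeModel {

constexpr size_t pageSize = 1024;                      // "1K page" from the ChangeLog
constexpr size_t chunkSize = 64;                       // assumed dirty-bit ("cache line") granularity
constexpr size_t chunksPerPage = pageSize / chunkSize; // 16 -> one uint32_t bitmap per page

// One mirrored 1K stack page plus its dirty bitmap.
class Page {
public:
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(pageSize - 1); }

    explicit Page(uintptr_t baseAddress) : m_baseAddress(baseAddress)
    {
        // Step (c): copy the live 1K stack page so reads observe current values.
        std::memcpy(m_mirror, reinterpret_cast<const void*>(baseAddress), pageSize);
    }

    uintptr_t baseAddress() const { return m_baseAddress; }

    // Step (f): read from the mirror (memcpy avoids unaligned-access UB).
    template<typename T> T get(uintptr_t address) const
    {
        T value;
        std::memcpy(&value, m_mirror + offsetFor(address), sizeof(T));
        return value;
    }

    // Step (g): write into the mirror only, marking every chunk the value touches dirty.
    // A value straddling a page boundary is not handled by this simplified model.
    template<typename T> void set(uintptr_t address, T value)
    {
        std::memcpy(m_mirror + offsetFor(address), &value, sizeof(T));
        size_t first = offsetFor(address) / chunkSize;
        size_t last = (offsetFor(address) + sizeof(T) - 1) / chunkSize;
        for (size_t i = first; i <= last; ++i)
            m_dirtyBits |= uint32_t(1) << i;
    }

    unsigned dirtyChunkCount() const
    {
        unsigned n = 0;
        for (size_t i = 0; i < chunksPerPage; ++i)
            n += (m_dirtyBits >> i) & 1;
        return n;
    }

    // Step 4(c): copy only the dirty chunks back to the machine stack.
    void flushWrites()
    {
        for (size_t i = 0; i < chunksPerPage; ++i) {
            if (m_dirtyBits & (uint32_t(1) << i))
                std::memcpy(reinterpret_cast<void*>(m_baseAddress + i * chunkSize), m_mirror + i * chunkSize, chunkSize);
        }
        m_dirtyBits = 0;
    }

private:
    size_t offsetFor(uintptr_t address) const { return address - m_baseAddress; }

    uintptr_t m_baseAddress;
    uint32_t m_dirtyBits { 0 };
    uint8_t m_mirror[pageSize];
};

// Manager of mirrored pages keyed on base address, with a one-entry cache (step (e)).
class Stack {
public:
    template<typename T> T get(uintptr_t address) { return pageFor(address).get<T>(address); }
    template<typename T> void set(uintptr_t address, T value) { pageFor(address).set<T>(address, value); }

    size_t pageCount() const { return m_pages.size(); }
    unsigned dirtyChunkCount() const
    {
        unsigned n = 0;
        for (auto& entry : m_pages)
            n += entry.second->dirtyChunkCount();
        return n;
    }
    bool hasWritesToFlush() const { return dirtyChunkCount() != 0; }
    void flushWrites() { for (auto& entry : m_pages) entry.second->flushWrites(); }

private:
    Page& pageFor(uintptr_t address)
    {
        uintptr_t base = Page::baseAddressFor(address);                          // step (a)
        if (m_lastPage && m_lastPage->baseAddress() == base) return *m_lastPage; // step (e)
        auto it = m_pages.find(base);                                            // step (b)
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;      // steps (c), (d)
        m_lastPage = it->second.get();
        return *m_lastPage;
    }

    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage { nullptr };
};

// Stand-in for the machine stack: a page-aligned 4K buffer (assumption for the demo).
alignas(pageSize) uint8_t machineStack[4 * pageSize];

uint64_t readMachineWord(uintptr_t address)
{
    uint64_t v;
    std::memcpy(&v, reinterpret_cast<const void*>(address), sizeof v);
    return v;
}

struct DemoResult {
    uint64_t valueAtSP;          // what the probe read at sp
    size_t pagesMirrored;        // pages the probe touched (one above sp, one below)
    unsigned dirtyChunks;        // chunks marked dirty before the flush
    uint64_t aboveSPBeforeFlush; // machine word at sp+80 before flush: still the old bytes
    uint64_t aboveSPAfterFlush;  // same word after flush
    uint64_t belowSPAfterFlush;  // machine word at sp-80 after flush
    unsigned dirtyAfterFlush;
};

// Mirrors the probe snippet in the entry: read at sp, write above and below it, then flush.
DemoResult runDemo()
{
    std::memset(machineStack, 0xAB, sizeof machineStack);                       // constructed stack contents
    uintptr_t sp = reinterpret_cast<uintptr_t>(machineStack) + 2 * pageSize;    // pretend sp at start of page 2

    Stack stack;
    DemoResult r {};
    r.valueAtSP = stack.get<uint64_t>(sp);
    stack.set<uint64_t>(sp + 80, r.valueAtSP ^ 0xFF);    // within the current page
    stack.set<uint64_t>(sp - 80, 0x1122334455667788ull); // previous page, "out of current frame"
    r.pagesMirrored = stack.pageCount();
    r.dirtyChunks = stack.dirtyChunkCount();
    r.aboveSPBeforeFlush = readMachineWord(sp + 80);     // untouched: writes only hit the mirror
    stack.flushWrites();                                 // what flushStackDirtyPages does on exit
    r.aboveSPAfterFlush = readMachineWord(sp + 80);
    r.belowSPAfterFlush = readMachineWord(sp - 80);
    r.dirtyAfterFlush = stack.dirtyChunkCount();
    return r;
}

} // namespace ProbeModel

int main()
{
    ProbeModel::DemoResult r = ProbeModel::runDemo();
    std::printf("pages=%zu dirty=%u after=%u above=%016llx below=%016llx\n", r.pagesMirrored,
        r.dirtyChunks, r.dirtyAfterFlush, (unsigned long long)r.aboveSPAfterFlush,
        (unsigned long long)r.belowSPAfterFlush);
    return 0;
}
```

        The dirty bitmap is what keeps the exit path cheap: a probe that reads a
        whole page but writes eight bytes causes one 64-byte copy, not a 1K copy,
        and a page that was only read is never written back at all.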
260
261 2017-08-19  Andy Estes  <aestes@apple.com>
262
263         [Payment Request] Add interface stubs
264         https://bugs.webkit.org/show_bug.cgi?id=175730
265
266         Reviewed by Youenn Fablet.
267
268         * runtime/CommonIdentifiers.h:
269
270 2017-08-18  Per Arne Vollan  <pvollan@apple.com>
271
272         Implement 32-bit MacroAssembler::probe support for Windows.
273         https://bugs.webkit.org/show_bug.cgi?id=175449
274
275         Reviewed by Mark Lam.
276
277         This is needed to enable the DFG.
278
279         * assembler/MacroAssemblerX86Common.cpp:
280         * assembler/testmasm.cpp:
281         (JSC::run):
282         (dllLauncherEntryPoint):
283         * shell/CMakeLists.txt:
284         * shell/PlatformWin.cmake:
285
286 2017-08-18  Mark Lam  <mark.lam@apple.com>
287
288         Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
289         https://bugs.webkit.org/show_bug.cgi?id=175725
290         <rdar://problem/33965477>
291
292         Rubber-stamped by JF Bastien.
293
294         This is purely a refactoring patch (in preparation for the introduction of a
295         Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
296         later).  This patch does not change any semantics / behavior.
297
298         * assembler/AbstractMacroAssembler.h:
299         * assembler/MacroAssembler.cpp:
300         (JSC::stdFunctionCallback):
301         (JSC::MacroAssembler::probe):
302         * assembler/MacroAssembler.h:
303         (JSC::ProbeContext::gpr): Deleted.
304         (JSC::ProbeContext::spr): Deleted.
305         (JSC::ProbeContext::fpr): Deleted.
306         (JSC::ProbeContext::gprName): Deleted.
307         (JSC::ProbeContext::sprName): Deleted.
308         (JSC::ProbeContext::fprName): Deleted.
309         (JSC::ProbeContext::pc): Deleted.
310         (JSC::ProbeContext::fp): Deleted.
311         (JSC::ProbeContext::sp): Deleted.
312         * assembler/MacroAssemblerARM.cpp:
313         (JSC::MacroAssembler::probe):
314         * assembler/MacroAssemblerARM.h:
315         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
316         * assembler/MacroAssemblerARM64.cpp:
317         (JSC::arm64ProbeError):
318         (JSC::MacroAssembler::probe):
319         * assembler/MacroAssemblerARMv7.cpp:
320         (JSC::MacroAssembler::probe):
321         * assembler/MacroAssemblerARMv7.h:
322         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
323         * assembler/MacroAssemblerPrinter.cpp:
324         (JSC::Printer::printCallback):
325         * assembler/MacroAssemblerPrinter.h:
326         * assembler/MacroAssemblerX86Common.cpp:
327         (JSC::MacroAssembler::probe):
328         * assembler/Printer.h:
329         (JSC::Printer::Context::Context):
330         * assembler/testmasm.cpp:
331         (JSC::testProbeReadsArgumentRegisters):
332         (JSC::testProbeWritesArgumentRegisters):
333         (JSC::testProbePreservesGPRS):
334         (JSC::testProbeModifiesStackPointer):
335         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
336         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
337         (JSC::testProbeModifiesProgramCounter):
338         (JSC::fillStack):
339         (JSC::testProbeModifiesStackWithCallback):
340         (JSC::run):
341         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.
342
343 2017-08-17  JF Bastien  <jfbastien@apple.com>
344
345         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
346         https://bugs.webkit.org/show_bug.cgi?id=175693
347         <rdar://problem/33952443>
348
349         Reviewed by Saam Barati.
350
351         64-bit constants in an unreachable context were being decoded as
352         32-bit constants. This is pretty benign because unreachable code
353         shouldn't occur often. The effect is that 64-bit constants which
354         can't be encoded as 32-bit constants would cause the binary to be
355         rejected.
356
357         At the same time, 32-bit integer constants should be decoded as signed.
358
359         * wasm/WasmFunctionParser.h:
360         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
361
362 2017-08-17  Robin Morisset  <rmorisset@apple.com>
363
364         Teach DFGFixupPhase.cpp that the current scope is always a cell
365         https://bugs.webkit.org/show_bug.cgi?id=175610
366
367         Reviewed by Keith Miller.
368
369         Also teach it that the argument to with can usually be speculated to be an object,
370         since toObject() is called on it.
371
372         * dfg/DFGFixupPhase.cpp:
373         (JSC::DFG::FixupPhase::fixupNode):
374         * dfg/DFGSpeculativeJIT.cpp:
375         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
376         * dfg/DFGSpeculativeJIT.h:
377         (JSC::DFG::SpeculativeJIT::callOperation):
378         * ftl/FTLLowerDFGToB3.cpp:
379         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
380         * jit/JITOperations.cpp:
381         * jit/JITOperations.h:
382
383 2017-08-17  Matt Baker  <mattbaker@apple.com>
384
385         Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
386         https://bugs.webkit.org/show_bug.cgi?id=175644
387
388         Reviewed by Brian Burg.
389
390         * inspector/agents/InspectorScriptProfilerAgent.h:
391
392 2017-08-17  Mark Lam  <mark.lam@apple.com>
393
394         Only use 16 VFP registers if !CPU(ARM_NEON).
395         https://bugs.webkit.org/show_bug.cgi?id=175514
396
397         Reviewed by JF Bastien.
398
399         Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
400         says that there are only 16 128-bit NEON registers.  This change is merely to
401         correct the code documentation of these registers.  The FPQuadRegisterID are
402         currently unused.
403
404         * assembler/ARMAssembler.h:
405         (JSC::ARMAssembler::lastFPRegister):
406         (JSC::ARMAssembler::fprName):
407         * assembler/ARMv7Assembler.h:
408         (JSC::ARMv7Assembler::lastFPRegister):
409         (JSC::ARMv7Assembler::fprName):
410         * assembler/MacroAssemblerARM.cpp:
411         * assembler/MacroAssemblerARMv7.cpp:
412
413 2017-08-17  Andreas Kling  <akling@apple.com>
414
415         Disable CSS regions at compile time
416         https://bugs.webkit.org/show_bug.cgi?id=175630
417
418         Reviewed by Antti Koivisto.
419
420         * Configurations/FeatureDefines.xcconfig:
421
422 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
423
424         [WPE][GTK] Ensure proper casting of data in gvariants
425         https://bugs.webkit.org/show_bug.cgi?id=175667
426
427         Reviewed by Michael Catanzaro.
428
429         g_variant_new requires data to have the correct width for their types, using
430         casting if necessary. Some data of type `unsigned` were being saved to `guint64`
431         types without explicit casting, leading to undefined behavior on some platforms.
432
433         * inspector/remote/glib/RemoteInspectorGlib.cpp:
434         (Inspector::RemoteInspector::listingForInspectionTarget const):
435         (Inspector::RemoteInspector::listingForAutomationTarget const):
436         (Inspector::RemoteInspector::sendMessageToRemote):
437
438 2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
439
440         [JSC] Avoid code bloating for iteration if block does not have "break"
441         https://bugs.webkit.org/show_bug.cgi?id=173228
442
443         Reviewed by Keith Miller.
444
445         Currently, we always emit code for the break path when emitting for-of iteration.
446         But we can know whether this break path can be used when emitting the bytecode.
447
448         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
449         the break label may be bound. We emit a break path only when it returns
450         true. This reduces bytecode bloating when using for-of iteration.
451
452         * bytecompiler/BytecodeGenerator.cpp:
453         (JSC::Label::setLocation):
454         (JSC::BytecodeGenerator::newLabel):
455         (JSC::BytecodeGenerator::emitLabel):
456         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
457         (JSC::BytecodeGenerator::breakTarget):
458         (JSC::BytecodeGenerator::continueTarget):
459         (JSC::BytecodeGenerator::emitEnumeration):
460         * bytecompiler/BytecodeGenerator.h:
461         * bytecompiler/Label.h:
462         (JSC::Label::bind const):
463         (JSC::Label::hasOneRef const):
464         (JSC::Label::isBound const):
465         (JSC::Label::Label): Deleted.
466         * bytecompiler/LabelScope.h:
467         (JSC::LabelScope::hasOneRef const):
468         (JSC::LabelScope::breakTargetMayBeBound const):
469         * bytecompiler/NodesCodegen.cpp:
470         (JSC::ContinueNode::trivialTarget):
471         (JSC::ContinueNode::emitBytecode):
472         (JSC::BreakNode::trivialTarget):
473         (JSC::BreakNode::emitBytecode):
474
475 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
476
477         ARM build fix after r220807 and r220834.
478         https://bugs.webkit.org/show_bug.cgi?id=175617
479
480         Unreviewed typo fix.
481
482         * assembler/MacroAssemblerARM.cpp:
483
484 2017-08-17  Mark Lam  <mark.lam@apple.com>
485
486         Gardening: build fix for ARM_TRADITIONAL after r220807.
487         https://bugs.webkit.org/show_bug.cgi?id=175617
488
489         Not reviewed.
490
491         * assembler/MacroAssemblerARM.cpp:
492
493 2017-08-16  Mark Lam  <mark.lam@apple.com>
494
495         Add back the ability to disable MASM_PROBE from the build.
496         https://bugs.webkit.org/show_bug.cgi?id=175656
497         <rdar://problem/33933720>
498
499         Reviewed by Yusuke Suzuki.
500
501         This is needed for ports that the existing MASM_PROBE implementation doesn't work
502         well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
503         default if !ENABLE(MASM_PROBE).
504
505         * assembler/AbstractMacroAssembler.h:
506         * assembler/MacroAssembler.cpp:
507         * assembler/MacroAssembler.h:
508         * assembler/MacroAssemblerARM.cpp:
509         * assembler/MacroAssemblerARM64.cpp:
510         * assembler/MacroAssemblerARMv7.cpp:
511         * assembler/MacroAssemblerPrinter.cpp:
512         * assembler/MacroAssemblerPrinter.h:
513         * assembler/MacroAssemblerX86Common.cpp:
514         * assembler/testmasm.cpp:
515         (JSC::run):
516         * b3/B3LowerToAir.cpp:
517         * b3/air/AirPrintSpecial.cpp:
518         * b3/air/AirPrintSpecial.h:
519
520 2017-08-16  Dan Bernstein  <mitz@apple.com>
521
522         [Cocoa] Older-iOS install name symbols are being exported on other platforms
523         https://bugs.webkit.org/show_bug.cgi?id=175654
524
525         Reviewed by Tim Horton.
526
527         * API/JSBase.cpp: Define the symbols only when targeting iOS.
528
529 2017-08-16  Matt Baker  <mattbaker@apple.com>
530
531         Web Inspector: capture async stack trace when workers/main context posts a message
532         https://bugs.webkit.org/show_bug.cgi?id=167084
533         <rdar://problem/30033673>
534
535         Reviewed by Brian Burg.
536
537         * inspector/agents/InspectorDebuggerAgent.h:
538         Add `PostMessage` async call type.
539
540 2017-08-16  Mark Lam  <mark.lam@apple.com>
541
542         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
543         https://bugs.webkit.org/show_bug.cgi?id=175617
544         <rdar://problem/33912104>
545
546         Reviewed by JF Bastien.
547
548         This patch adds a new feature to MacroAssembler::probe() where the probe function
549         can provide a ProbeFunction callback to fill in stack values after the stack
550         pointer has been adjusted.  The probe function can use this feature as follows:
551
552         1. Set the new sp value in the ProbeContext's CPUState.
553
554         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
555            which will do the work of filling in the stack values after the probe
556            trampoline has adjusted the machine stack pointer.
557
558         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
559            to pass to the initializeStackFunction callback.
560
561         4. Return from the probe function.
562
563         Upon returning from the probe function, the probe trampoline will adjust the
564         stack pointer based on the sp value in CPUState.  If initializeStackFunction
565         is not set, the probe trampoline will restore registers and return to its caller.
566
567         If initializeStackFunction is set, the trampoline will move the ProbeContext
568         beyond the range of the stack pointer i.e. it will place the new ProbeContext at
569         an address lower than where CPUState.sp() points.  This ensures that the
570         ProbeContext will not be trashed by the initializeStackFunction when it writes to
571         the stack.  Then, the trampoline will call back to the initializeStackFunction
572         ProbeFunction to let it fill in the stack values as desired.  The
573         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
574         the new location.
575
576         initializeStackFunction may now write to the stack at addresses greater or
577         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
578         not allowed to change CPUState.sp().  If the initializeStackFunction does not
579         abide by these rules, then behavior is undefined, and bad things may happen.
580
581         For future reference, some implementation details that this patch needed to
582         be mindful of:
583
584         1. When the probe trampoline allocates stack space for the ProbeContext, it
585            should include OUT_SIZE as well.  This ensures that it doesn't have to move
586            the ProbeContext on exit if the probe function didn't change the sp.
587
588         2. If the trampoline has to move the ProbeContext, it needs to point the machine
589            sp to new ProbeContext first before copying over the ProbeContext data.  This
590            protects the new ProbeContext from possibly being trashed by interrupts.
591
592         3. When computing the new address of ProbeContext to move to, we need to make
593            sure that it is properly aligned in accordance with stack ABI requirements
594            (just like we did when we allocated the ProbeContext on entry to the
595            probe trampoline).
596
597         4. When copying the ProbeContext to its new location, the trampoline should
598            always copy words from low addresses to high addresses.  This is because if
599            we're moving the ProbeContext, we'll always be moving it to a lower address.
600
601         * assembler/MacroAssembler.h:
602         * assembler/MacroAssemblerARM.cpp:
603         * assembler/MacroAssemblerARM64.cpp:
604         * assembler/MacroAssemblerARMv7.cpp:
605         * assembler/MacroAssemblerX86Common.cpp:
606         * assembler/testmasm.cpp:
607         (JSC::testProbePreservesGPRS):
608         (JSC::testProbeModifiesStackPointer):
609         (JSC::fillStack):
610         (JSC::testProbeModifiesStackWithCallback):
611         (JSC::run):
612
613 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
614
615         Fix JSCOnly ARM buildbots after r220047 and r220184
616         https://bugs.webkit.org/show_bug.cgi?id=174993
617
618         Reviewed by Carlos Alberto Lopez Perez.
619
620         * CMakeLists.txt: Generate only one backend on Linux to save build time.
621
622 2017-08-16  Andy Estes  <aestes@apple.com>
623
624         [Payment Request] Add an ENABLE flag and an experimental feature preference
625         https://bugs.webkit.org/show_bug.cgi?id=175622
626
627         Reviewed by Tim Horton.
628
629         * Configurations/FeatureDefines.xcconfig:
630
631 2017-08-15  Robin Morisset  <rmorisset@apple.com>
632
633         We are too conservative about the effects of PushWithScope
634         https://bugs.webkit.org/show_bug.cgi?id=175584
635
636         Reviewed by Saam Barati.
637
638         PushWithScope converts its argument to an object (this can throw a type error,
639         but has no other observable effect), and allocates a new scope that it then
640         makes the new current scope. We were a bit too conservative in saying that it
641         clobbers the world.
642
643         * dfg/DFGAbstractInterpreterInlines.h:
644         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
645         * dfg/DFGClobberize.h:
646         (JSC::DFG::clobberize):
647         * dfg/DFGDoesGC.cpp:
648         (JSC::DFG::doesGC):
649
650 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
651
652         Make DataTransferItemList work with plain text entries
653         https://bugs.webkit.org/show_bug.cgi?id=175596
654
655         Reviewed by Wenson Hsieh.
656
657         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
658
659         * runtime/CommonIdentifiers.h:
660
661 2017-08-15  Robin Morisset  <rmorisset@apple.com>
662
663         Support the 'with' keyword in FTL
664         https://bugs.webkit.org/show_bug.cgi?id=175585
665
666         Reviewed by Saam Barati.
667
668         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
669         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
670         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
671         that takes its parentScope argument first.
672
673         * bytecompiler/BytecodeGenerator.cpp:
674         (JSC::BytecodeGenerator::emitPushWithScope):
675         * debugger/DebuggerCallFrame.cpp:
676         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
677         * dfg/DFGByteCodeParser.cpp:
678         (JSC::DFG::ByteCodeParser::parseBlock):
679         * dfg/DFGFixupPhase.cpp:
680         (JSC::DFG::FixupPhase::fixupNode):
681         * dfg/DFGSpeculativeJIT.cpp:
682         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
683         * ftl/FTLCapabilities.cpp:
684         (JSC::FTL::canCompile):
685         * ftl/FTLLowerDFGToB3.cpp:
686         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
687         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
688         * jit/JITOperations.cpp:
689         * runtime/CommonSlowPaths.cpp:
690         (JSC::SLOW_PATH_DECL):
691         * runtime/Completion.cpp:
692         (JSC::evaluateWithScopeExtension):
693         * runtime/JSWithScope.cpp:
694         (JSC::JSWithScope::create):
695         * runtime/JSWithScope.h:
696
697 2017-08-15  Saam Barati  <sbarati@apple.com>
698
699         Make VM::scratchBufferForSize thread safe
700         https://bugs.webkit.org/show_bug.cgi?id=175604
701
702         Reviewed by Geoffrey Garen and Mark Lam.
703
704         I want to use the VM::scratchBufferForSize in another patch I'm writing.
705         The use case for my other patch is to call it from the compiler thread.
706         When reading the code, I saw that this API was not thread safe. This patch
707         makes it thread safe. It actually turns out we were calling this API from
708         the compiler thread already when we created FTL::State for an FTL OSR entry
709         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
710         is now correct with this patch.
711
712         * runtime/VM.cpp:
713         (JSC::VM::VM):
714         (JSC::VM::~VM):
715         (JSC::VM::gatherConservativeRoots):
716         (JSC::VM::scratchBufferForSize):
717         * runtime/VM.h:
718         (JSC::VM::scratchBufferForSize): Deleted.
719
720 2017-08-15  Keith Miller  <keith_miller@apple.com>
721
722         JSC named bytecode offsets should use references rather than pointers
723         https://bugs.webkit.org/show_bug.cgi?id=175601
724
725         Reviewed by Saam Barati.
726
727         * dfg/DFGByteCodeParser.cpp:
728         (JSC::DFG::ByteCodeParser::parseBlock):
729         * jit/JITOpcodes.cpp:
730         (JSC::JIT::emit_op_overrides_has_instance):
731         (JSC::JIT::emit_op_instanceof):
732         (JSC::JIT::emitSlow_op_instanceof):
733         (JSC::JIT::emitSlow_op_instanceof_custom):
734         * jit/JITOpcodes32_64.cpp:
735         (JSC::JIT::emit_op_overrides_has_instance):
736         (JSC::JIT::emit_op_instanceof):
737         (JSC::JIT::emitSlow_op_instanceof):
738         (JSC::JIT::emitSlow_op_instanceof_custom):
739
740 2017-08-15  Keith Miller  <keith_miller@apple.com>
741
742         Enable named offsets into JSC bytecodes
743         https://bugs.webkit.org/show_bug.cgi?id=175561
744
745         Reviewed by Mark Lam.
746
747         This patch adds the ability to add named offsets into JSC's
748         bytecodes.  In the bytecode json file, instead of listing a
749         length, you can now list a set of names and their types. Each
750         opcode with an offsets property will have a struct named after the
751         opcode by in our C++ naming style. For example,
752         op_overrides_has_instance would become OpOverridesHasInstance. The
753         struct has the same memory layout as the instruction list has but
754         comes with handy named accessors.
755
756         As a first cut I converted the various instanceof bytecodes to use
757         named offsets.
758
759         As an example op_overrides_has_instance produces the following struct:
760
761         struct OpOverridesHasInstance {
762         public:
763             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
764             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
765             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
766             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
767             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
768             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
769             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
770             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
771
772         private:
773             friend class LLIntOffsetsExtractor;
774             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
775             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
776             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
777             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
778         };
779
780         * CMakeLists.txt:
781         * DerivedSources.make:
782         * JavaScriptCore.xcodeproj/project.pbxproj:
783         * bytecode/BytecodeList.json:
784         * dfg/DFGByteCodeParser.cpp:
785         (JSC::DFG::ByteCodeParser::parseBlock):
786         * generate-bytecode-files:
787         * jit/JITOpcodes.cpp:
788         (JSC::JIT::emit_op_overrides_has_instance):
789         (JSC::JIT::emit_op_instanceof):
790         (JSC::JIT::emitSlow_op_instanceof):
791         (JSC::JIT::emitSlow_op_instanceof_custom):
792         * jit/JITOpcodes32_64.cpp:
793         (JSC::JIT::emit_op_overrides_has_instance):
794         (JSC::JIT::emit_op_instanceof):
795         (JSC::JIT::emitSlow_op_instanceof):
796         (JSC::JIT::emitSlow_op_instanceof_custom):
797         * llint/LLIntOffsetsExtractor.cpp:
798         * llint/LowLevelInterpreter.asm:
799         * llint/LowLevelInterpreter32_64.asm:
800         * llint/LowLevelInterpreter64.asm:
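
        The following is an added example, not code from the entry above or from JavaScriptCore: it builds an overlay struct in the shape the entry shows for OpOverridesHasInstance and lays it over a constructed instruction stream. The `Instruction` union, the opcode value 7 and the sample operand values are assumptions made for this example; JSC's real definitions live in BytecodeList.json and the generated headers. The point a reviewer of such generated code wants checked is the layout property: the overlay must be exactly as wide and as aligned as the slots it claims, which the `static_assert`s pin down, and a decoder must confirm the whole overlay fits before dereferencing it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <type_traits>
#include <vector>

// Constructed stand-in for JSC's Instruction: one machine-word slot per operand
// (an assumption of this example, not JSC's real definition).
union Instruction {
    uintptr_t u;
    int i;
};

// Constructed opcode numbering; the real values come from BytecodeList.json.
enum Opcode : uintptr_t { op_overrides_has_instance = 7 };

// Overlay in the shape of the generated OpOverridesHasInstance shown above:
// one slot per operand, each padded out to an Instruction so the struct can be
// laid directly over the instruction stream, plus named accessors.
struct OpOverridesHasInstance {
    static constexpr size_t length = 4; // slots consumed in the stream

    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }

private:
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// The property the whole scheme rests on: if the overlay is not exactly as wide
// as the slots it claims, every access after it reads the wrong operand.
static_assert(sizeof(OpOverridesHasInstance) == OpOverridesHasInstance::length * sizeof(Instruction),
              "overlay layout does not match the instruction stream");
static_assert(alignof(OpOverridesHasInstance) == alignof(Instruction),
              "overlay alignment does not match the instruction stream");

struct Operands {
    int dst;
    int constructor;
    int hasInstanceValue;
};

// Decode the instruction at `pc`, checking first that the whole overlay fits in
// the stream and that the opcode is the expected one.
Operands decodeOverridesHasInstance(std::vector<Instruction>& stream, size_t pc)
{
    if (pc > stream.size() || stream.size() - pc < OpOverridesHasInstance::length)
        throw std::out_of_range("instruction runs past the end of the stream");
    auto& op = *reinterpret_cast<OpOverridesHasInstance*>(&stream[pc]);
    if (op.opcode() != op_overrides_has_instance)
        throw std::invalid_argument("not an op_overrides_has_instance instruction");
    return { op.dst(), op.constructor(), op.hasInstanceValue() };
}

// Constructed sample stream: a filler slot, one op_overrides_has_instance with
// operands dst=3, constructor=-5, hasInstanceValue=9, then a filler slot.
std::vector<Instruction> constructedStream()
{
    std::vector<Instruction> stream(6);
    stream[1].u = op_overrides_has_instance;
    stream[2].i = 3;
    stream[3].i = -5;
    stream[4].i = 9;
    return stream;
}

Operands decodeSample()
{
    auto stream = constructedStream();
    return decodeOverridesHasInstance(stream, 1);
}

// True when a truncated instruction is rejected instead of read past the end.
bool rejectsTruncatedInstruction()
{
    auto stream = constructedStream();
    stream.resize(4); // the opcode at pc 1 now has only three slots behind it
    try {
        decodeOverridesHasInstance(stream, 1);
    } catch (const std::out_of_range&) {
        return true;
    }
    return false;
}

// True when a slot that does not hold the expected opcode is rejected.
bool rejectsWrongOpcode()
{
    auto stream = constructedStream();
    try {
        decodeOverridesHasInstance(stream, 0);
    } catch (const std::invalid_argument&) {
        return true;
    }
    return false;
}

int main()
{
    Operands ops = decodeSample();
    std::printf("dst=%d constructor=%d hasInstanceValue=%d\n", ops.dst, ops.constructor, ops.hasInstanceValue);
    std::printf("truncated rejected: %d, wrong opcode rejected: %d\n",
                rejectsTruncatedInstruction(), rejectsWrongOpcode());
    return 0;
}
```

        In the real code base the `friend class LLIntOffsetsExtractor` line in the generated struct exists so the LLInt assembler can be handed the same member offsets, which is the assembly-side counterpart of the `static_assert`s here: both sides of the interpreter must agree on where each operand lives.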
801
802 2017-08-15  Mark Lam  <mark.lam@apple.com>
803
804         Update testmasm to use new CPUState APIs.
805         https://bugs.webkit.org/show_bug.cgi?id=175573
806
807         Reviewed by Keith Miller.
808
809         1. Applied convenience CPUState accessors to minimize casting.
810         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
811            messages.
812         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
813            casting is (mostly) no longer an issue.
814         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
815            to make it clear that we're comparing against the bit values of testWord64(id).
816         5. Added a "Completed N tests" message at the end of running all tests.
817            This makes it easy to tell at a glance that testmasm completed successfully
818            versus when it crashed midway in a test.  The number of tests also serves as
819            a quick checksum to confirm that we ran the number of tests we expected.
820
821         * assembler/testmasm.cpp:
822         (WTF::printInternal):
823         (JSC::testSimple):
824         (JSC::testProbeReadsArgumentRegisters):
825         (JSC::testProbeWritesArgumentRegisters):
826         (JSC::testProbePreservesGPRS):
827         (JSC::testProbeModifiesStackPointer):
828         (JSC::testProbeModifiesProgramCounter):
829         (JSC::run):
830
831 2017-08-14  Keith Miller  <keith_miller@apple.com>
832
833         Add testing tool to lie to the DFG about profiles
834         https://bugs.webkit.org/show_bug.cgi?id=175487
835
836         Reviewed by Saam Barati.
837
838         This patch adds a new bytecode identity_with_profile that lets
839         us lie to the DFG about what profiles it has seen as the input to
840         another bytecode. Previously, there was no reliable way to force
842         a given profile when we tiered up.
842
843         * bytecode/BytecodeDumper.cpp:
844         (JSC::BytecodeDumper<Block>::dumpBytecode):
845         * bytecode/BytecodeIntrinsicRegistry.h:
846         * bytecode/BytecodeList.json:
847         * bytecode/BytecodeUseDef.h:
848         (JSC::computeUsesForBytecodeOffset):
849         (JSC::computeDefsForBytecodeOffset):
850         * bytecode/SpeculatedType.cpp:
851         (JSC::speculationFromString):
852         * bytecode/SpeculatedType.h:
853         * bytecompiler/BytecodeGenerator.cpp:
854         (JSC::BytecodeGenerator::emitIdWithProfile):
855         * bytecompiler/BytecodeGenerator.h:
856         * bytecompiler/NodesCodegen.cpp:
857         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
858         * dfg/DFGAbstractInterpreterInlines.h:
859         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
860         * dfg/DFGByteCodeParser.cpp:
861         (JSC::DFG::ByteCodeParser::parseBlock):
862         * dfg/DFGCapabilities.cpp:
863         (JSC::DFG::capabilityLevel):
864         * dfg/DFGClobberize.h:
865         (JSC::DFG::clobberize):
866         * dfg/DFGDoesGC.cpp:
867         (JSC::DFG::doesGC):
868         * dfg/DFGFixupPhase.cpp:
869         (JSC::DFG::FixupPhase::fixupNode):
870         * dfg/DFGMayExit.cpp:
871         * dfg/DFGNode.h:
872         (JSC::DFG::Node::getForcedPrediction):
873         * dfg/DFGNodeType.h:
874         * dfg/DFGPredictionPropagationPhase.cpp:
875         * dfg/DFGSafeToExecute.h:
876         (JSC::DFG::safeToExecute):
877         * dfg/DFGSpeculativeJIT32_64.cpp:
878         (JSC::DFG::SpeculativeJIT::compile):
879         * dfg/DFGSpeculativeJIT64.cpp:
880         (JSC::DFG::SpeculativeJIT::compile):
881         * dfg/DFGValidate.cpp:
882         * jit/JIT.cpp:
883         (JSC::JIT::privateCompileMainPass):
884         * jit/JIT.h:
885         * jit/JITOpcodes.cpp:
886         (JSC::JIT::emit_op_identity_with_profile):
887         * jit/JITOpcodes32_64.cpp:
888         (JSC::JIT::emit_op_identity_with_profile):
889         * llint/LowLevelInterpreter.asm:
890
891 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
892
893         Remove Proximity Events and related code
894         https://bugs.webkit.org/show_bug.cgi?id=175545
895
896         Reviewed by Daniel Bates.
897
898         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
899         and other related code.
900
901         * Configurations/FeatureDefines.xcconfig:
902
903 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
904
905         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
906         https://bugs.webkit.org/show_bug.cgi?id=175504
907
908         Reviewed by Sam Weinig.
909
910         * Configurations/FeatureDefines.xcconfig:
911
912 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
913
914         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
915         https://bugs.webkit.org/show_bug.cgi?id=175557
916
917         Reviewed by Jon Lee.
918
919         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
920
921         * Configurations/FeatureDefines.xcconfig:
922
923 2017-08-14  Robin Morisset  <rmorisset@apple.com>
924
925         Support the 'with' keyword in DFG
926         https://bugs.webkit.org/show_bug.cgi?id=175470
927
928         Reviewed by Saam Barati.
929
930         Not particularly optimized at the moment, the goal is just to avoid
931         the DFG bailing out of any function with this keyword.
932
933         * dfg/DFGAbstractInterpreterInlines.h:
934         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
935         * dfg/DFGByteCodeParser.cpp:
936         (JSC::DFG::ByteCodeParser::parseBlock):
937         * dfg/DFGCapabilities.cpp:
938         (JSC::DFG::capabilityLevel):
939         * dfg/DFGClobberize.h:
940         (JSC::DFG::clobberize):
941         * dfg/DFGDoesGC.cpp:
942         (JSC::DFG::doesGC):
943         * dfg/DFGFixupPhase.cpp:
944         (JSC::DFG::FixupPhase::fixupNode):
945         * dfg/DFGNodeType.h:
946         * dfg/DFGPredictionPropagationPhase.cpp:
947         * dfg/DFGSafeToExecute.h:
948         (JSC::DFG::safeToExecute):
949         * dfg/DFGSpeculativeJIT.cpp:
950         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
951         * dfg/DFGSpeculativeJIT.h:
952         (JSC::DFG::SpeculativeJIT::callOperation):
953         * dfg/DFGSpeculativeJIT32_64.cpp:
954         (JSC::DFG::SpeculativeJIT::compile):
955         * dfg/DFGSpeculativeJIT64.cpp:
956         (JSC::DFG::SpeculativeJIT::compile):
957         * jit/JITOperations.cpp:
958         * jit/JITOperations.h:
959
960 2017-08-14  Mark Lam  <mark.lam@apple.com>
961
962         Add some convenience utility accessor methods to MacroAssembler::CPUState.
963         https://bugs.webkit.org/show_bug.cgi?id=175549
964         <rdar://problem/33884868>
965
966         Reviewed by Saam Barati.
967
968         Previously, in order to read ProbeContext CPUState registers, we used to need to
969         do it this way:
970
971             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
972             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
973             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
974             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
975
976         With this patch, we can now read them this way instead:
977         
978             ExecState* exec = cpu.fp<ExecState*>();
979             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
980             void* p = cpu.gpr<void*>(GPRInfo::regT1);
981             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
982
983         * assembler/MacroAssembler.h:
984         (JSC:: const):
985         (JSC::MacroAssembler::CPUState::fpr const):
986         (JSC::MacroAssembler::CPUState::pc const):
987         (JSC::MacroAssembler::CPUState::fp const):
988         (JSC::MacroAssembler::CPUState::sp const):
989         (JSC::ProbeContext::pc):
990         (JSC::ProbeContext::fp):
991         (JSC::ProbeContext::sp):
992
993 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
994
995         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
996         https://bugs.webkit.org/show_bug.cgi?id=174921
997
998         Reviewed by Mark Lam.
999         
1000         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1001
1002         * dfg/DFGSpeculativeJIT.cpp:
1003         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1004         * ftl/FTLLowerDFGToB3.cpp:
1005         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1006         * jit/JITPropertyAccess.cpp:
1007         (JSC::JIT::emitScopedArgumentsGetByVal):
1008         * runtime/ScopedArgumentsTable.cpp:
1009         (JSC::ScopedArgumentsTable::create):
1010         (JSC::ScopedArgumentsTable::setLength):
1011         * runtime/ScopedArgumentsTable.h:
1012
1013 2017-08-14  Mark Lam  <mark.lam@apple.com>
1014
1015         Gardening: fix Windows build.
1016         https://bugs.webkit.org/show_bug.cgi?id=175446
1017
1018         Not reviewed.
1019
1020         * assembler/MacroAssemblerX86Common.cpp:
1021         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1022         (JSC::ctiMasmProbeTrampoline):
1023
1024 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1025
1026         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1027         https://bugs.webkit.org/show_bug.cgi?id=175512
1028         <rdar://problem/33863584>
1029
1030         Reviewed by Mark Lam.
1031
1032         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1033         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1034
1035 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1036
1037         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1038         https://bugs.webkit.org/show_bug.cgi?id=175513
1039
1040         Reviewed by Mark Lam.
1041
1042         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1043
1044 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1045
1046         FTL's compileGetTypedArrayByteOffset needs to do caging
1047         https://bugs.webkit.org/show_bug.cgi?id=175366
1048
1049         Reviewed by Saam Barati.
1050         
1051         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1052         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1053
1054         * dfg/DFGSpeculativeJIT.cpp:
1055         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1056         * ftl/FTLLowerDFGToB3.cpp:
1057         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1058         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1059         * runtime/ArrayBuffer.h:
1060         * runtime/ArrayBufferView.h:
1061         * runtime/JSArrayBufferView.h:
1062
1063 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1064
1065         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1066         https://bugs.webkit.org/show_bug.cgi?id=175474
1067         <rdar://problem/33844628>
1068
1069         Reviewed by Wenson Hsieh.
1070
1071         * Configurations/FeatureDefines.xcconfig:
1072         * runtime/CommonIdentifiers.h:
1073
1074 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1075
1076         Caging shouldn't have to use a patchpoint for adding
1077         https://bugs.webkit.org/show_bug.cgi?id=175483
1078
1079         Reviewed by Mark Lam.
1080
1081         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1082         constants and associative operations dictate that you always want to sink constants. For example,
1083         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1084         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1085         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1086         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1087         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1088         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1089         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1090         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1091         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1092         hacks for just stopping B3's reassociation only in this specific case.
1093         
1094         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1095         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1096         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1097         that if we cage the same pointer in two places, both places will compute the same value.
1098         
1099         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1100         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1101         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1102         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1103         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1104         enough scale to warrant new opcodes.)
1105         
1106         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1107         makes the code a bit less ugly.
1108
1109         * b3/B3LowerToAir.cpp:
1110         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1111         (JSC::B3::Air::LowerToAir::lower):
1112         * b3/B3Opcode.cpp:
1113         (WTF::printInternal):
1114         * b3/B3Opcode.h:
1115         * b3/B3ReduceStrength.cpp:
1116         * b3/B3Validate.cpp:
1117         * b3/B3Value.cpp:
1118         (JSC::B3::Value::effects const):
1119         (JSC::B3::Value::key const):
1120         (JSC::B3::Value::isFree const):
1121         (JSC::B3::Value::typeFor):
1122         * b3/B3Value.h:
1123         * b3/B3ValueKey.cpp:
1124         (JSC::B3::ValueKey::materialize const):
1125         * ftl/FTLLowerDFGToB3.cpp:
1126         (JSC::FTL::DFG::LowerDFGToB3::caged):
1127         * ftl/FTLOutput.cpp:
1128         (JSC::FTL::Output::opaque):
1129         * ftl/FTLOutput.h:
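
        The following is an added example and not B3's code: a toy value IR with the single constant-sinking rule the entry describes, Add(Add(a, constant), b) -> Add(Add(a, b), constant), plus constant folding, an Opaque node that earlier phases treat as an unknown pure unary operation, and a `lower()` step that treats Opaque as Identity. The node names, the 2^32 "large constant" and the `idxA`/`idxB` inputs are constructed for the example. Running it shows the two things the entry argues: without Opaque the shared cage constant is pushed into every use (and folded into a fresh constant when the offset is itself constant), while with Opaque the `Add(ptr, Opaque(c))` subexpression stays intact and identical at both uses, so a key-based CSE would merge it.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <memory>
#include <set>
#include <string>

// Just enough of B3's shape to show the problem: constants, named inputs, Add,
// and the Opaque barrier.
enum class Op { Const, Var, Add, Opaque };

struct Value {
    Op op;
    int64_t imm = 0;              // Const payload
    std::string name;             // Var payload
    std::shared_ptr<Value> a, b;  // children: Add uses both, Opaque uses a
};
using V = std::shared_ptr<Value>;

V constant(int64_t imm) { auto v = std::make_shared<Value>(); v->op = Op::Const; v->imm = imm; return v; }
V var(const std::string& name) { auto v = std::make_shared<Value>(); v->op = Op::Var; v->name = name; return v; }
V add(V a, V b) { auto v = std::make_shared<Value>(); v->op = Op::Add; v->a = std::move(a); v->b = std::move(b); return v; }
V opaque(V a) { auto v = std::make_shared<Value>(); v->op = Op::Opaque; v->a = std::move(a); return v; }

bool isConst(const V& v) { return v->op == Op::Const; }

std::string print(const V& v)
{
    switch (v->op) {
    case Op::Const: return std::to_string(v->imm);
    case Op::Var: return v->name;
    case Op::Add: return "Add(" + print(v->a) + ", " + print(v->b) + ")";
    case Op::Opaque: return "Opaque(" + print(v->a) + ")";
    }
    return "?";
}

// One pass of the constant-sinking heuristic. Opaque(c) is deliberately not a
// constant as far as this phase can tell, so it blocks both rules below.
V reduceOnce(const V& v)
{
    if (v->op == Op::Opaque)
        return opaque(reduceOnce(v->a));
    if (v->op != Op::Add)
        return v;
    V a = reduceOnce(v->a);
    V b = reduceOnce(v->b);
    if (isConst(a) && isConst(b))
        return constant(a->imm + b->imm);
    if (a->op == Op::Add && isConst(a->b)) {
        if (isConst(b))                          // Add(Add(x, c1), c2) -> Add(x, c1 + c2)
            return add(a->a, constant(a->b->imm + b->imm));
        return add(add(a->a, b), a->b);          // Add(Add(x, c), y) -> Add(Add(x, y), c)
    }
    return add(a, b);
}

// Iterate to a (bounded) fixpoint, as a strength-reduction phase would.
V reduceStrength(V v)
{
    for (int i = 0; i < 32; ++i) {
        V next = reduceOnce(v);
        if (print(next) == print(v))
            return next;
        v = std::move(next);
    }
    return v;
}

// The LowerToAir view: Opaque is Identity, so it vanishes in the backend.
V lower(const V& v)
{
    switch (v->op) {
    case Op::Opaque: return lower(v->a);
    case Op::Add: return add(lower(v->a), lower(v->b));
    default: return v;
    }
}

// Count structurally distinct Add nodes across several roots: a stand-in for
// how much work survives CSE, since Adds with equal keys would be merged.
void collectAdds(const V& v, std::set<std::string>& keys)
{
    if (v->op == Op::Add) {
        keys.insert(print(v));
        collectAdds(v->a, keys);
        collectAdds(v->b, keys);
    } else if (v->op == Op::Opaque)
        collectAdds(v->a, keys);
}

size_t uniqueAdds(std::initializer_list<V> roots)
{
    std::set<std::string> keys;
    for (const V& root : roots)
        collectAdds(root, keys);
    return keys.size();
}

// The worked case: one pointer caged once (Add(ptr, largeConstant)) and then
// indexed at two places, with and without the Opaque barrier.
struct Demo { std::string first, second; size_t uniqueAdds; };

Demo cageAndIndex(bool useOpaque)
{
    const int64_t cageBase = int64_t(1) << 32; // constructed "large constant"
    V ptr = var("ptr");
    V caged = add(ptr, useOpaque ? opaque(constant(cageBase)) : constant(cageBase));
    V first = reduceStrength(add(caged, var("idxA")));
    V second = reduceStrength(add(caged, var("idxB")));
    return { print(first), print(second), uniqueAdds({first, second}) };
}

int main()
{
    for (bool useOpaque : { false, true }) {
        Demo d = cageAndIndex(useOpaque);
        std::printf("%s:\n  %s\n  %s\n  distinct Adds: %zu\n", useOpaque ? "with Opaque" : "plain Add",
                    d.first.c_str(), d.second.c_str(), d.uniqueAdds);
    }
    return 0;
}
```

        The `lower()` step is where the trick pays off: once Air sees the value, `Add(Add(ptr, Opaque(c)), idxA)` is just `Add(Add(ptr, c), idxA)` again, so nothing was lost except the reassociation B3 would otherwise have applied.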
1130
1131 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1132
1133         ScopedArguments overflow storage needs to be in the JSValue gigacage
1134         https://bugs.webkit.org/show_bug.cgi?id=174923
1135
1136         Reviewed by Saam Barati.
1137         
1138         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1139         object into the JSValue gigacage.
1140
1141         * dfg/DFGSpeculativeJIT.cpp:
1142         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1143         * ftl/FTLLowerDFGToB3.cpp:
1144         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1145         * jit/JITPropertyAccess.cpp:
1146         (JSC::JIT::emitScopedArgumentsGetByVal):
1147         * runtime/ScopedArguments.h:
1148         (JSC::ScopedArguments::subspaceFor):
1149         (JSC::ScopedArguments::overflowStorage const):
1150
1151 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1152
1153         JSLexicalEnvironment needs to be in the JSValue gigacage
1154         https://bugs.webkit.org/show_bug.cgi?id=174922
1155
1156         Reviewed by Michael Saboff.
1157         
1158         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1159         the only random accesses use pointer caging.
1160         
1161         We don't need to do anything to normal lexical environment accesses.
1162
1163         * dfg/DFGSpeculativeJIT.cpp:
1164         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1165         * ftl/FTLLowerDFGToB3.cpp:
1166         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1167         * runtime/JSEnvironmentRecord.h:
1168         (JSC::JSEnvironmentRecord::subspaceFor):
1169         (JSC::JSEnvironmentRecord::variables):
1170
1171 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1172
1173         DirectArguments should be in the JSValue gigacage
1174         https://bugs.webkit.org/show_bug.cgi?id=174920
1175
1176         Reviewed by Michael Saboff.
1177         
1178         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1179         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1180         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1181         required to use fixed offsets, and you can only store JSValues.
1182
1183         * dfg/DFGSpeculativeJIT.cpp:
1184         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1185         * ftl/FTLLowerDFGToB3.cpp:
1186         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1187         * jit/JITPropertyAccess.cpp:
1188         (JSC::JIT::emitDirectArgumentsGetByVal):
1189         * runtime/DirectArguments.h:
1190         (JSC::DirectArguments::subspaceFor):
1191         (JSC::DirectArguments::storage):
1192         * runtime/VM.cpp:
1193         (JSC::VM::VM):
1194         * runtime/VM.h:
1195
1196 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1197
1198         Unreviewed, add a FIXME.
1199
1200         * ftl/FTLLowerDFGToB3.cpp:
1201         (JSC::FTL::DFG::LowerDFGToB3::caged):
1202
1203 2017-08-10  Sam Weinig  <sam@webkit.org>
1204
1205         WTF::Function does not allow for reference / non-default constructible return types
1206         https://bugs.webkit.org/show_bug.cgi?id=175244
1207
1208         Reviewed by Chris Dumez.
1209
1210         * runtime/ArrayBuffer.cpp:
1211         (JSC::ArrayBufferContents::transferTo):
1212         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1213         destroy call needed to be a no-op anyway, since the data is being moved.
1214
1215 2017-08-11  Mark Lam  <mark.lam@apple.com>
1216
1217         Gardening: fix CLoop build.
1218         https://bugs.webkit.org/show_bug.cgi?id=175446
1219         <rdar://problem/33836545>
1220
1221         Not reviewed.
1222
1223         * assembler/MacroAssemblerPrinter.cpp:
1224
1225 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1226
1227         DFG should do caging
1228         https://bugs.webkit.org/show_bug.cgi?id=174918
1229
1230         Reviewed by Saam Barati.
1231         
1232         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1233         the conditional caging with a watchpoint.
1234         
1235         This might be a 1% SunSpider slow-down, but it's not clear.
1236
1237         * dfg/DFGSpeculativeJIT.cpp:
1238         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1239         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1240         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1241         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1242         (JSC::DFG::SpeculativeJIT::compileSpread):
1243         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1244         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1245         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1246         * dfg/DFGSpeculativeJIT.h:
1247         * dfg/DFGSpeculativeJIT64.cpp:
1248         (JSC::DFG::SpeculativeJIT::compile):
1249
1250 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1251
1252         Unreviewed, build fix for x86 GTK port
1253         https://bugs.webkit.org/show_bug.cgi?id=175446
1254
1255         Use pushfl/popfl instead of pushfd/popfd.
1256
1257         * assembler/MacroAssemblerX86Common.cpp:
1258
1259 2017-08-10  Mark Lam  <mark.lam@apple.com>
1260
1261         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1262         https://bugs.webkit.org/show_bug.cgi?id=175446
1263         <rdar://problem/33836545>
1264
1265         Reviewed by Saam Barati.
1266
1267         * assembler/AbstractMacroAssembler.h:
1268         * assembler/MacroAssembler.cpp:
1269         (JSC::MacroAssembler::probe):
1270         * assembler/MacroAssembler.h:
1271         * assembler/MacroAssemblerARM.cpp:
1272         (JSC::MacroAssembler::probe):
1273         * assembler/MacroAssemblerARM.h:
1274         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1275         * assembler/MacroAssemblerARM64.cpp:
1276         (JSC::MacroAssembler::probe):
1277         * assembler/MacroAssemblerARMv7.cpp:
1278         (JSC::MacroAssembler::probe):
1279         * assembler/MacroAssemblerARMv7.h:
1280         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1281         * assembler/MacroAssemblerPrinter.cpp:
1282         * assembler/MacroAssemblerPrinter.h:
1283         * assembler/MacroAssemblerX86Common.cpp:
1284         * assembler/testmasm.cpp:
1285         (JSC::isSpecialGPR):
1286         (JSC::testProbeModifiesProgramCounter):
1287         (JSC::run):
1288         * b3/B3LowerToAir.cpp:
1289         (JSC::B3::Air::LowerToAir::print):
1290         * b3/air/AirPrintSpecial.cpp:
1291         * b3/air/AirPrintSpecial.h:
1292
1293 2017-08-10  Mark Lam  <mark.lam@apple.com>
1294
1295         Apply the UNLIKELY macro to some unlikely things.
1296         https://bugs.webkit.org/show_bug.cgi?id=175440
1297         <rdar://problem/33834767>
1298
1299         Reviewed by Yusuke Suzuki.
1300
1301         * bytecode/CodeBlock.cpp:
1302         (JSC::CodeBlock::~CodeBlock):
1303         (JSC::CodeBlock::jettison):
1304         * dfg/DFGByteCodeParser.cpp:
1305         (JSC::DFG::ByteCodeParser::handleCall):
1306         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1307         (JSC::DFG::ByteCodeParser::handleGetById):
1308         (JSC::DFG::ByteCodeParser::handlePutById):
1309         (JSC::DFG::ByteCodeParser::parseBlock):
1310         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1311         * dfg/DFGJITCompiler.cpp:
1312         (JSC::DFG::JITCompiler::JITCompiler):
1313         (JSC::DFG::JITCompiler::linkOSRExits):
1314         (JSC::DFG::JITCompiler::link):
1315         (JSC::DFG::JITCompiler::disassemble):
1316         * dfg/DFGJITFinalizer.cpp:
1317         (JSC::DFG::JITFinalizer::finalizeCommon):
1318         * dfg/DFGOSRExit.cpp:
1319         (JSC::DFG::OSRExit::compileOSRExit):
1320         * dfg/DFGPlan.cpp:
1321         (JSC::DFG::Plan::Plan):
1322         * ftl/FTLJITFinalizer.cpp:
1323         (JSC::FTL::JITFinalizer::finalizeCommon):
1324         * ftl/FTLLink.cpp:
1325         (JSC::FTL::link):
1326         * ftl/FTLOSRExitCompiler.cpp:
1327         (JSC::FTL::compileStub):
1328         * jit/JIT.cpp:
1329         (JSC::JIT::privateCompileMainPass):
1330         (JSC::JIT::compileWithoutLinking):
1331         (JSC::JIT::link):
1332         * runtime/ScriptExecutable.cpp:
1333         (JSC::ScriptExecutable::installCode):
1334         * runtime/VM.cpp:
1335         (JSC::VM::VM):
1336
1337 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1338
1339         [WTF] ThreadSpecific should not introduce additional indirection
1340         https://bugs.webkit.org/show_bug.cgi?id=175187
1341
1342         Reviewed by Mark Lam.
1343
1344         * runtime/Identifier.cpp:
1345
1346 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1347
1348         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1349         https://bugs.webkit.org/show_bug.cgi?id=175436
1350         <rdar://problem/33667497>
1351
1352         Reviewed by Simon Fraser.
1353
1354         * interpreter/Interpreter.cpp:
1355         (JSC::Interpreter::Interpreter):
1356
1357 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1358
1359         Remove ENABLE_GAMEPAD_DEPRECATED
1360         https://bugs.webkit.org/show_bug.cgi?id=175361
1361
1362         Reviewed by Carlos Garcia Campos.
1363
1364         * Configurations/FeatureDefines.xcconfig:
1365
1366 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1367
1368         [JSC] Create JSSet constructor that accepts its size as parameter
1369         https://bugs.webkit.org/show_bug.cgi?id=173297
1370
1371         Reviewed by Saam Barati.
1372
1373         This patch is adding a new constructor to JSSet that gives its
1374         expected initial size. It is important to avoid re-hashing and multiple
1375         allocations when we know the final size of JSSet, such as in
1376         CodeBlock::setConstantIdentifierSetRegisters.
1377
1378         * bytecode/CodeBlock.cpp:
1379         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1380         * runtime/HashMapImpl.h:
1381         (JSC::HashMapImpl::HashMapImpl):
1382         * runtime/JSSet.h:
1383
1384 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1385
1386         Unreviewed, rolling out r220466, r220477, and r220487.
1387         https://bugs.webkit.org/show_bug.cgi?id=175411
1388
1389         This change broke existing API tests and follow up fixes did
1390         not resolve all the issues. (Requested by ryanhaddad on
1391         #webkit).
1392
1393         Reverted changesets:
1394
1395         https://bugs.webkit.org/show_bug.cgi?id=175244
1396         http://trac.webkit.org/changeset/220466
1397
1398         "WTF::Function does not allow for reference / non-default
1399         constructible return types"
1400         https://bugs.webkit.org/show_bug.cgi?id=175244
1401         http://trac.webkit.org/changeset/220477
1402
1403         https://bugs.webkit.org/show_bug.cgi?id=175244
1404         http://trac.webkit.org/changeset/220487
1405
1406 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1407
1408         Early error on ANY operator before new.target
1409         https://bugs.webkit.org/show_bug.cgi?id=157970
1410
1411         Reviewed by Saam Barati.
1412
1413         Instead of throwing if any unary operator precedes new.target, only
1414         throw if the unary operator updates the reference.
1415
1416         The following become legal in JSC:
1417
1418         ```
1419         !new.target
1420         ~new.target
1421         typeof new.target
1422         delete new.target
1423         void new.target
1424         ```
1425
1426         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
1427
1428         * parser/Parser.cpp:
1429         (JSC::Parser<LexerType>::parseUnaryExpression):
1430
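The parsing rule described in the entry above, exercised from script as an added example (this is not code from the WebKit ChangeLog or from JSC; it runs in any ES2015+ engine). The `probe` and `isEarlySyntaxError` helper names are the example's own. `probe` evaluates each of the listed unary forms once for a plain call and once for a construct call; `isEarlySyntaxError` parses a body with `new Function` without running it, which is enough to distinguish the still-forbidden update forms (`++new.target`) from the now-accepted ones.

```javascript
// Added example, not part of the WebKit ChangeLog or the JSC source tree.
// Demonstrates which unary operators may precede new.target, as the entry
// above describes: operators that only read the value are legal, operators
// that would update the reference (++/--) remain early SyntaxErrors.

// Returning an object from a function makes `new probe()` hand that object
// back too, so the same helper serves both the plain call and the construct
// call. new.target is undefined for a plain call and the constructor for `new`.
function probe() {
  return {
    not: !new.target,             // true when called, false when constructed
    tilde: ~new.target,           // ToInt32(NaN) is 0, so ~ gives -1 either way
    typeofResult: typeof new.target, // "undefined" vs "function"
    deleteResult: delete new.target, // deleting a non-reference yields true
    voidResult: void new.target,     // always undefined
  };
}

// Parse-only check: `new Function` compiles the body (new.target is allowed
// in a function body) but we never invoke the result. A true return means
// the engine rejected the form at parse time with a SyntaxError.
function isEarlySyntaxError(body) {
  try {
    new Function(body);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Summary of the behaviours the entry lists, for a quick manual run.
function summary() {
  return {
    plain: probe(),
    constructed: new probe(),
    legalForms: ["!new.target", "~new.target", "typeof new.target",
                 "delete new.target", "void new.target"]
      .map((form) => [form, isEarlySyntaxError(form)]),
    updateForms: ["++new.target", "--new.target", "new.target++", "new.target--"]
      .map((form) => [form, isEarlySyntaxError(form)]),
  };
}

console.log(JSON.stringify(summary(), null, 2));
```

Each entry of `legalForms` should pair with `false` (accepted by the parser) and each entry of `updateForms` with `true` (rejected), which is exactly the split the parser change makes.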
1431 2017-08-09  Sam Weinig  <sam@webkit.org>
1432
1433         WTF::Function does not allow for reference / non-default constructible return types
1434         https://bugs.webkit.org/show_bug.cgi?id=175244
1435
1436         Reviewed by Chris Dumez.
1437
1438         * runtime/ArrayBuffer.cpp:
1439         (JSC::ArrayBufferContents::transferTo):
1440         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1441         destroy call needed to be a no-op anyway, since the data is being moved.
1442
1443 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1444
1445         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1446         https://bugs.webkit.org/show_bug.cgi?id=175392
1447         <rdar://problem/33783207>
1448
1449         Reviewed by Tim Horton and Megan Gardner.
1450
1451         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1452
1453         * Configurations/FeatureDefines.xcconfig:
1454
1455 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1456
1457         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1458         https://bugs.webkit.org/show_bug.cgi?id=175358
1459
1460         Reviewed by Mark Lam.
1461
1462         * jit/JITOperations.cpp:
1463         * runtime/JSObjectInlines.h:
1464         (JSC::JSObject::putInlineForJSObject):
1465
1466 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1467
1468         Unreviewed, rolling out r220457.
1469
1470         This change introduced API test failures.
1471
1472         Reverted changeset:
1473
1474         "WTF::Function does not allow for reference / non-default
1475         constructible return types"
1476         https://bugs.webkit.org/show_bug.cgi?id=175244
1477         http://trac.webkit.org/changeset/220457
1478
1479 2017-08-09  Sam Weinig  <sam@webkit.org>
1480
1481         WTF::Function does not allow for reference / non-default constructible return types
1482         https://bugs.webkit.org/show_bug.cgi?id=175244
1483
1484         Reviewed by Chris Dumez.
1485
1486         * runtime/ArrayBuffer.cpp:
1487         (JSC::ArrayBufferContents::transferTo):
1488         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1489         destroy call needed to be a no-op anyway, since the data is being moved.
1490
1491 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1492
1493         REGRESSION: 2 test262/test/language/statements/async-function failures
1494         https://bugs.webkit.org/show_bug.cgi?id=175334
1495
1496         Reviewed by Yusuke Suzuki.
1497
1498         Switch off useAsyncIterator by default
1499
1500         * runtime/Options.h:
1501
1502 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1503
1504         ICs should do caging
1505         https://bugs.webkit.org/show_bug.cgi?id=175295
1506
1507         Reviewed by Saam Barati.
1508         
1509         Adds the appropriate cage() calls in our inline caches.
1510
1511         * bytecode/AccessCase.cpp:
1512         (JSC::AccessCase::generateImpl):
1513         * bytecode/InlineAccess.cpp:
1514         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1515         (JSC::InlineAccess::generateSelfPropertyAccess):
1516         (JSC::InlineAccess::generateSelfPropertyReplace):
1517         (JSC::InlineAccess::generateArrayLength):
1518
1519 2017-08-08  Devin Rousso  <drousso@apple.com>
1520
1521         Web Inspector: Canvas: support editing WebGL shaders
1522         https://bugs.webkit.org/show_bug.cgi?id=124211
1523         <rdar://problem/15448958>
1524
1525         Reviewed by Matt Baker.
1526
1527         * inspector/protocol/Canvas.json:
1528         Add `updateShader` command that will change the given shader's source to the provided string,
1529         recompile, and relink it to its associated program.
1530         Drive-by: add description to `requestShaderSource` command.
1531
1532 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1533
1534         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1535         https://bugs.webkit.org/show_bug.cgi?id=175347
1536
1537         Reviewed by Saam Barati.
1538
1539         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
1540         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1541         negligible considering how much more finishCreation does.
1542         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1543         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1544
1545         * bytecode/CodeBlock.cpp:
1546         (JSC::CodeBlock::finishCreation):
1547         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1548         (JSC::CodeBlock::setConstantRegisters):
1549         * bytecode/CodeBlock.h:
1550         * runtime/ScriptExecutable.cpp:
1551         (JSC::ScriptExecutable::newCodeBlockFor):
1552
1553 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1554
1555         Unreviewed, fix Ubuntu LTS build
1556         https://bugs.webkit.org/show_bug.cgi?id=174490
1557
1558         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1559         * inspector/remote/glib/RemoteInspectorServer.cpp:
1560
1561 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1562
1563         Baseline JIT should do caging
1564         https://bugs.webkit.org/show_bug.cgi?id=175037
1565
1566         Reviewed by Mark Lam.
1567         
1568         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1569         
1570         Also modifies FTL caging to be more defensive when caging is disabled.
1571         
1572         Relanded with fixed AssemblyHelpers::cageConditionally().
1573
1574         * bytecode/AccessCase.cpp:
1575         (JSC::AccessCase::generateImpl):
1576         * bytecode/InlineAccess.cpp:
1577         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1578         (JSC::InlineAccess::generateSelfPropertyAccess):
1579         (JSC::InlineAccess::generateSelfPropertyReplace):
1580         (JSC::InlineAccess::generateArrayLength):
1581         * ftl/FTLLowerDFGToB3.cpp:
1582         (JSC::FTL::DFG::LowerDFGToB3::caged):
1583         * jit/AssemblyHelpers.h:
1584         (JSC::AssemblyHelpers::cage):
1585         (JSC::AssemblyHelpers::cageConditionally):
1586         * jit/JITPropertyAccess.cpp:
1587         (JSC::JIT::emitDoubleLoad):
1588         (JSC::JIT::emitContiguousLoad):
1589         (JSC::JIT::emitArrayStorageLoad):
1590         (JSC::JIT::emitGenericContiguousPutByVal):
1591         (JSC::JIT::emitArrayStoragePutByVal):
1592         (JSC::JIT::emit_op_get_from_scope):
1593         (JSC::JIT::emit_op_put_to_scope):
1594         (JSC::JIT::emitIntTypedArrayGetByVal):
1595         (JSC::JIT::emitFloatTypedArrayGetByVal):
1596         (JSC::JIT::emitIntTypedArrayPutByVal):
1597         (JSC::JIT::emitFloatTypedArrayPutByVal):
1598         * jsc.cpp:
1599         (jscmain):
1600         (primitiveGigacageDisabled): Deleted.
1601
1602 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1603
1604         Unreviewed, rolling out r220368.
1605
1606         This change caused WK1 tests to exit early with crashes.
1607
1608         Reverted changeset:
1609
1610         "Baseline JIT should do caging"
1611         https://bugs.webkit.org/show_bug.cgi?id=175037
1612         http://trac.webkit.org/changeset/220368
1613
1614 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1615
1616         [CMake] Properly test if compiler supports compiler flags
1617         https://bugs.webkit.org/show_bug.cgi?id=174490
1618
1619         Reviewed by Konstantin Tokarev.
1620
1621         * API/tests/PingPongStackOverflowTest.cpp:
1622         (testPingPongStackOverflow):
1623         * API/tests/testapi.c:
1624         * b3/testb3.cpp:
1625         (JSC::B3::testPatchpointLotsOfLateAnys):
1626
1627 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1628
1629         [Linux] Clear WasmMemory with madvise instead of memset
1630         https://bugs.webkit.org/show_bug.cgi?id=175150
1631
1632         Reviewed by Filip Pizlo.
1633
1634         In Linux, zeroing pages with memset populates backing store.
1635         Instead, we should use madvise with MADV_DONTNEED. It discards
1636         pages. And if you access these pages, on-demand-zero-pages will
1637         be shown.
1638
1639         We also commit grown pages in all OSes.
1640
1641         * wasm/WasmMemory.cpp:
1642         (JSC::Wasm::commitZeroPages):
1643         (JSC::Wasm::Memory::create):
1644         (JSC::Wasm::Memory::grow):
1645
1646 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1647
1648         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1649         https://bugs.webkit.org/show_bug.cgi?id=175307
1650
1651         Reviewed by Saam Barati.
1652
1653         ```
1654         let a = new Uint8Array(10);
1655         let b = Object.getOwnPropertyDescriptor(a, 0);
1656         assert(b.configurable === false);
1657         ```
1658         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
1659         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
1660         that says that typed arrays are integer indexed exotic objects.
1661
1662         * runtime/JSGenericTypedArrayViewInlines.h:
1663         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1664
1665 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1666
1667         Baseline JIT should do caging
1668         https://bugs.webkit.org/show_bug.cgi?id=175037
1669
1670         Reviewed by Mark Lam.
1671         
1672         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1673         
1674         Also modifies FTL caging to be more defensive when caging is disabled.
1675
1676         * ftl/FTLLowerDFGToB3.cpp:
1677         (JSC::FTL::DFG::LowerDFGToB3::caged):
1678         * jit/AssemblyHelpers.h:
1679         (JSC::AssemblyHelpers::cage):
1680         (JSC::AssemblyHelpers::cageConditionally):
1681         * jit/JITPropertyAccess.cpp:
1682         (JSC::JIT::emitDoubleLoad):
1683         (JSC::JIT::emitContiguousLoad):
1684         (JSC::JIT::emitArrayStorageLoad):
1685         (JSC::JIT::emitGenericContiguousPutByVal):
1686         (JSC::JIT::emitArrayStoragePutByVal):
1687         (JSC::JIT::emit_op_get_from_scope):
1688         (JSC::JIT::emit_op_put_to_scope):
1689         (JSC::JIT::emitIntTypedArrayGetByVal):
1690         (JSC::JIT::emitFloatTypedArrayGetByVal):
1691         (JSC::JIT::emitIntTypedArrayPutByVal):
1692         (JSC::JIT::emitFloatTypedArrayPutByVal):
1693         * jsc.cpp:
1694         (jscmain):
1695         (primitiveGigacageDisabled): Deleted.
1696
1697 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1698
1699         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1700         https://bugs.webkit.org/show_bug.cgi?id=174919
1701
1702         Reviewed by Keith Miller.
1703         
1704         This adapts JSC to there being two gigacages.
1705         
1706         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1707         singletons. I don't think we were gaining anything by making them be singletons.
1708         
1709         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1710         gigacages. We'll have one of those allocators per cage.
1711         
1712         From there, this change teaches everyone who previously knew about cages that there are two cages.
1713         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1714         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1715         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1716         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1717         
1718         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1719         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1720
1721         * JavaScriptCore.xcodeproj/project.pbxproj:
1722         * bytecode/AccessCase.cpp:
1723         (JSC::AccessCase::generateImpl):
1724         * dfg/DFGSpeculativeJIT.cpp:
1725         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1726         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1727         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1728         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1729         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1730         * ftl/FTLLowerDFGToB3.cpp:
1731         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1732         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1733         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1734         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1735         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1736         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1737         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1738         (JSC::FTL::DFG::LowerDFGToB3::caged):
1739         * heap/FastMallocAlignedMemoryAllocator.cpp:
1740         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1741         * heap/FastMallocAlignedMemoryAllocator.h:
1742         * heap/GigacageAlignedMemoryAllocator.cpp:
1743         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1744         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1745         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1746         (JSC::GigacageAlignedMemoryAllocator::dump const):
1747         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1748         * heap/GigacageAlignedMemoryAllocator.h:
1749         * jsc.cpp:
1750         (primitiveGigacageDisabled):
1751         (jscmain):
1752         (gigacageDisabled): Deleted.
1753         * llint/LowLevelInterpreter64.asm:
1754         * runtime/ArrayBuffer.cpp:
1755         (JSC::ArrayBufferContents::tryAllocate):
1756         (JSC::ArrayBuffer::createAdopted):
1757         (JSC::ArrayBuffer::createFromBytes):
1758         * runtime/AuxiliaryBarrier.h:
1759         * runtime/ButterflyInlines.h:
1760         (JSC::Butterfly::createUninitialized):
1761         (JSC::Butterfly::tryCreate):
1762         (JSC::Butterfly::growArrayRight):
1763         * runtime/CagedBarrierPtr.h: Added.
1764         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1765         (JSC::CagedBarrierPtr::clear):
1766         (JSC::CagedBarrierPtr::set):
1767         (JSC::CagedBarrierPtr::get const):
1768         (JSC::CagedBarrierPtr::getMayBeNull const):
1769         (JSC::CagedBarrierPtr::operator== const):
1770         (JSC::CagedBarrierPtr::operator!= const):
1771         (JSC::CagedBarrierPtr::operator bool const):
1772         (JSC::CagedBarrierPtr::setWithoutBarrier):
1773         (JSC::CagedBarrierPtr::operator* const):
1774         (JSC::CagedBarrierPtr::operator-> const):
1775         (JSC::CagedBarrierPtr::operator[] const):
1776         * runtime/DirectArguments.cpp:
1777         (JSC::DirectArguments::overrideThings):
1778         (JSC::DirectArguments::unmapArgument):
1779         * runtime/DirectArguments.h:
1780         (JSC::DirectArguments::isMappedArgument const):
1781         * runtime/GenericArguments.h:
1782         * runtime/GenericArgumentsInlines.h:
1783         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1784         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1785         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1786         * runtime/HashMapImpl.cpp:
1787         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1788         * runtime/HashMapImpl.h:
1789         (JSC::HashMapBuffer::create):
1790         (JSC::HashMapImpl::buffer const):
1791         (JSC::HashMapImpl::rehash):
1792         * runtime/JSArray.cpp:
1793         (JSC::JSArray::tryCreateUninitializedRestricted):
1794         (JSC::JSArray::unshiftCountSlowCase):
1795         (JSC::JSArray::setLength):
1796         (JSC::JSArray::pop):
1797         (JSC::JSArray::push):
1798         (JSC::JSArray::fastSlice):
1799         (JSC::JSArray::shiftCountWithArrayStorage):
1800         (JSC::JSArray::shiftCountWithAnyIndexingType):
1801         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1802         (JSC::JSArray::fillArgList):
1803         (JSC::JSArray::copyToArguments):
1804         * runtime/JSArray.h:
1805         (JSC::JSArray::tryCreate):
1806         * runtime/JSArrayBufferView.cpp:
1807         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1808         (JSC::JSArrayBufferView::finalize):
1809         * runtime/JSLock.cpp:
1810         (JSC::JSLock::didAcquireLock):
1811         * runtime/JSObject.cpp:
1812         (JSC::JSObject::heapSnapshot):
1813         (JSC::JSObject::getOwnPropertySlotByIndex):
1814         (JSC::JSObject::putByIndex):
1815         (JSC::JSObject::enterDictionaryIndexingMode):
1816         (JSC::JSObject::createInitialIndexedStorage):
1817         (JSC::JSObject::createArrayStorage):
1818         (JSC::JSObject::convertUndecidedToInt32):
1819         (JSC::JSObject::convertUndecidedToDouble):
1820         (JSC::JSObject::convertUndecidedToContiguous):
1821         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1822         (JSC::JSObject::convertUndecidedToArrayStorage):
1823         (JSC::JSObject::convertInt32ToDouble):
1824         (JSC::JSObject::convertInt32ToContiguous):
1825         (JSC::JSObject::convertInt32ToArrayStorage):
1826         (JSC::JSObject::convertDoubleToContiguous):
1827         (JSC::JSObject::convertDoubleToArrayStorage):
1828         (JSC::JSObject::convertContiguousToArrayStorage):
1829         (JSC::JSObject::setIndexQuicklyToUndecided):
1830         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1831         (JSC::JSObject::deletePropertyByIndex):
1832         (JSC::JSObject::getOwnPropertyNames):
1833         (JSC::JSObject::putIndexedDescriptor):
1834         (JSC::JSObject::defineOwnIndexedProperty):
1835         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1836         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1837         (JSC::JSObject::getNewVectorLength):
1838         (JSC::JSObject::ensureLengthSlow):
1839         (JSC::JSObject::reallocateAndShrinkButterfly):
1840         (JSC::JSObject::allocateMoreOutOfLineStorage):
1841         (JSC::JSObject::getEnumerableLength):
1842         * runtime/JSObject.h:
1843         (JSC::JSObject::getArrayLength const):
1844         (JSC::JSObject::getVectorLength):
1845         (JSC::JSObject::putDirectIndex):
1846         (JSC::JSObject::canGetIndexQuickly):
1847         (JSC::JSObject::getIndexQuickly):
1848         (JSC::JSObject::tryGetIndexQuickly const):
1849         (JSC::JSObject::canSetIndexQuickly):
1850         (JSC::JSObject::setIndexQuickly):
1851         (JSC::JSObject::initializeIndex):
1852         (JSC::JSObject::initializeIndexWithoutBarrier):
1853         (JSC::JSObject::hasSparseMap):
1854         (JSC::JSObject::inSparseIndexingMode):
1855         (JSC::JSObject::butterfly const):
1856         (JSC::JSObject::butterfly):
1857         (JSC::JSObject::outOfLineStorage const):
1858         (JSC::JSObject::outOfLineStorage):
1859         (JSC::JSObject::ensureInt32):
1860         (JSC::JSObject::ensureDouble):
1861         (JSC::JSObject::ensureContiguous):
1862         (JSC::JSObject::ensureArrayStorage):
1863         (JSC::JSObject::arrayStorage):
1864         (JSC::JSObject::arrayStorageOrNull):
1865         (JSC::JSObject::ensureLength):
1866         * runtime/RegExpMatchesArray.h:
1867         (JSC::tryCreateUninitializedRegExpMatchesArray):
1868         * runtime/VM.cpp:
1869         (JSC::VM::VM):
1870         (JSC::VM::~VM):
1871         (JSC::VM::primitiveGigacageDisabledCallback):
1872         (JSC::VM::primitiveGigacageDisabled):
1873         (JSC::VM::gigacageDisabledCallback): Deleted.
1874         (JSC::VM::gigacageDisabled): Deleted.
1875         * runtime/VM.h:
1876         (JSC::VM::gigacageAuxiliarySpace):
1877         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1878         (JSC::VM::primitiveGigacageEnabled):
1879         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1880         (JSC::VM::gigacageEnabled): Deleted.
1881         * wasm/WasmMemory.cpp:
1882         (JSC::Wasm::Memory::create):
1883         (JSC::Wasm::Memory::~Memory):
1884         (JSC::Wasm::Memory::grow):
1885
1886 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1887
1888         Unreviewed, rolling out r220144.
1889         https://bugs.webkit.org/show_bug.cgi?id=175276
1890
1891         "It did not actually speed things up in the way I expected"
1892         (Requested by saamyjoon on #webkit).
1893
1894         Reverted changeset:
1895
1896         "On memory-constrained iOS devices, reduce the rate at which
1897         the JS heap grows before a GC to try to keep more memory
1898         available for the system"
1899         https://bugs.webkit.org/show_bug.cgi?id=175041
1900         http://trac.webkit.org/changeset/220144
1901
1902 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1903
1904         Unreviewed, rolling out r220299.
1905
1906         This change caused LayoutTest inspector/dom-debugger/dom-
1907         breakpoints.html to fail.
1908
1909         Reverted changeset:
1910
1911         "Web Inspector: capture async stack trace when workers/main
1912         context posts a message"
1913         https://bugs.webkit.org/show_bug.cgi?id=167084
1914         http://trac.webkit.org/changeset/220299
1915
1916 2017-08-07  Brian Burg  <bburg@apple.com>
1917
1918         Remove CANVAS_PATH compilation guard
1919         https://bugs.webkit.org/show_bug.cgi?id=175207
1920
1921         Reviewed by Sam Weinig.
1922
1923         * Configurations/FeatureDefines.xcconfig:
1924
1925 2017-08-07  Keith Miller  <keith_miller@apple.com>
1926
1927         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
1928         https://bugs.webkit.org/show_bug.cgi?id=175256
1929
1930         Reviewed by Saam Barati.
1931
1932         The check in createFromBytes just needed to check that the buffer was not null before
1933         calling isCaged.
1934
1935         * runtime/ArrayBuffer.cpp:
1936         (JSC::ArrayBuffer::createFromBytes):
1937
1938 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
1939
1940         [GTK][WPE] Add API to provide browser information required by automation
1941         https://bugs.webkit.org/show_bug.cgi?id=175130
1942
1943         Reviewed by Brian Burg.
1944
1945         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
1946         get them.
1947
1948         * inspector/remote/RemoteInspector.cpp:
1949         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
1950         * inspector/remote/RemoteInspector.h:
1951         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1952         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
1953         requested to ensure they are updated before StartAutomationSession reply is sent.
1954         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
1955         StartAutomationSession message.
1956
1957 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1958
1959         Promise resolve and reject function should have length = 1
1960         https://bugs.webkit.org/show_bug.cgi?id=175242
1961
1962         Reviewed by Saam Barati.
1963
1964         Previously we had a separate system for "length" and "name" for builtin functions.
1965         The builtin functions do not use the lazy reifying system. Instead, they have direct
1966         properties when instantiated. While the function created for properties (like
1967         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
1968         these builtin functions are just created by JSFunction::create(). Since it does
1969         not set any values for "length", these functions do not have a "length" property.
1970         So, the resolve and reject functions passed to Promise's executor do not have
1971         a "length" property.
1972
1973         This patch makes builtin functions use the standard lazy reifying system for "length".
1974         So, the "length" property of the builtin function just works as it does for normal
1975         functions.
1976
1977         * runtime/JSFunction.cpp:
1978         (JSC::JSFunction::createBuiltinFunction):
1979         (JSC::JSFunction::getOwnPropertySlot):
1980         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1981         (JSC::JSFunction::put):
1982         (JSC::JSFunction::deleteProperty):
1983         (JSC::JSFunction::defineOwnProperty):
1984         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1985         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
1986         (JSC::JSFunction::reifyLazyLengthIfNeeded):
1987         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1988         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
1989         * runtime/JSFunction.h:
1990
1991 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
1992
1993         [ESNext] Async iteration - Implement Async Generator - parser
1994         https://bugs.webkit.org/show_bug.cgi?id=175210
1995
1996         Reviewed by Yusuke Suzuki.
1997
1998         Current implementation is a draft version of Async Iteration.
1999         Link to spec: https://tc39.github.io/proposal-async-iteration/
2000
2001         Current patch implements only the parser part of the Async generator.
2002         Runtime part will be in next patches.
2003
2004         * parser/ASTBuilder.h:
2005         (JSC::ASTBuilder::createFunctionMetadata):
2006         * parser/Parser.cpp:
2007         (JSC::getAsynFunctionBodyParseMode):
2008         (JSC::Parser<LexerType>::parseInner):
2009         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2010         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2011         (JSC::stringArticleForFunctionMode):
2012         (JSC::stringForFunctionMode):
2013         (JSC::Parser<LexerType>::parseFunctionInfo):
2014         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2015         (JSC::Parser<LexerType>::parseClass):
2016         (JSC::Parser<LexerType>::parseProperty):
2017         (JSC::Parser<LexerType>::parsePropertyMethod):
2018         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2019         * parser/Parser.h:
2020         (JSC::Scope::setSourceParseMode):
2021         * parser/ParserModes.h:
2022         (JSC::isFunctionParseMode):
2023         (JSC::isAsyncFunctionParseMode):
2024         (JSC::isAsyncArrowFunctionParseMode):
2025         (JSC::isAsyncGeneratorFunctionParseMode):
2026         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2027         (JSC::isAsyncFunctionWrapperParseMode):
2028         (JSC::isAsyncFunctionBodyParseMode):
2029         (JSC::isGeneratorMethodParseMode):
2030         (JSC::isAsyncMethodParseMode):
2031         (JSC::isAsyncGeneratorMethodParseMode):
2032         (JSC::isMethodParseMode):
2033         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2034         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2035
2036 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2037
2038         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2039         https://bugs.webkit.org/show_bug.cgi?id=175083
2040
2041         Reviewed by Oliver Hunt.
2042         
2043         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2044         even if we are using the pop path.
2045         
2046         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2047         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2048         the world just because we changed it.
2049         
2050         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2051         easier to debug leaks.
2052
2053         * bytecode/AccessCase.cpp:
2054         * bytecode/PolymorphicAccess.cpp:
2055         * heap/HeapCell.cpp:
2056         (JSC::HeapCell::isLive):
2057         * heap/HeapCellInlines.h:
2058         (JSC::HeapCell::isLive): Deleted.
2059         * heap/MarkedAllocator.cpp:
2060         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2061         (JSC::MarkedAllocator::endMarking):
2062         * heap/MarkedBlockInlines.h:
2063         (JSC::MarkedBlock::Handle::specializedSweep):
2064         * jit/AssemblyHelpers.cpp:
2065         * jit/Repatch.cpp:
2066         * runtime/TestRunnerUtils.h:
2067         * runtime/VM.cpp:
2068         (JSC::waitForVMDestruction):
2069         (JSC::VM::~VM):
2070
2071 2017-08-05  Mark Lam  <mark.lam@apple.com>
2072
2073         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2074         https://bugs.webkit.org/show_bug.cgi?id=175228
2075         <rdar://problem/33735737>
2076
2077         Reviewed by Saam Barati.
2078
2079         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2080         delete OSRExit32_64.cpp.
2081
2082         * CMakeLists.txt:
2083         * JavaScriptCore.xcodeproj/project.pbxproj:
2084         * dfg/DFGOSRExit.cpp:
2085         (JSC::DFG::OSRExit::compileExit):
2086         * dfg/DFGOSRExit32_64.cpp: Removed.
2087         * jit/GPRInfo.h:
2088         (JSC::JSValueSource::payloadGPR const):
2089
2090 2017-08-04  Youenn Fablet  <youenn@apple.com>
2091
2092         [Cache API] Add Cache and CacheStorage IDL definitions
2093         https://bugs.webkit.org/show_bug.cgi?id=175201
2094
2095         Reviewed by Brady Eidson.
2096
2097         * runtime/CommonIdentifiers.h:
2098
2099 2017-08-04  Mark Lam  <mark.lam@apple.com>
2100
2101         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2102         https://bugs.webkit.org/show_bug.cgi?id=175230
2103         <rdar://problem/33735857>
2104
2105         Reviewed by Saam Barati.
2106
2107         * assembler/testmasm.cpp:
2108         (JSC::testProbeReadsArgumentRegisters):
2109         (JSC::testProbeWritesArgumentRegisters):
2110
2111 2017-08-04  Mark Lam  <mark.lam@apple.com>
2112
2113         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2114         https://bugs.webkit.org/show_bug.cgi?id=175214
2115         <rdar://problem/33733308>
2116
2117         Rubber-stamped by Michael Saboff.
2118
2119         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2120         DFGOSRExitCompiler files.
2121
2122         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2123
2124         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2125         used by compileOSRExit(), and will be changed to not be a DFG operation function
2126         when we use JIT probes for DFG OSR exits later in
2127         https://bugs.webkit.org/show_bug.cgi?id=175144.
2128
2129         * CMakeLists.txt:
2130         * JavaScriptCore.xcodeproj/project.pbxproj:
2131         * dfg/DFGJITCompiler.cpp:
2132         * dfg/DFGOSRExit.cpp:
2133         (JSC::DFG::OSRExit::emitRestoreArguments):
2134         (JSC::DFG::OSRExit::compileOSRExit):
2135         (JSC::DFG::OSRExit::compileExit):
2136         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2137         * dfg/DFGOSRExit.h:
2138         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2139         * dfg/DFGOSRExitCompiler.cpp: Removed.
2140         * dfg/DFGOSRExitCompiler.h: Removed.
2141         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2142         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2143         * dfg/DFGOperations.cpp:
2144         * dfg/DFGOperations.h:
2145         * dfg/DFGThunks.cpp:
2146
2147 2017-08-04  Matt Baker  <mattbaker@apple.com>
2148
2149         Web Inspector: capture async stack trace when workers/main context posts a message
2150         https://bugs.webkit.org/show_bug.cgi?id=167084
2151         <rdar://problem/30033673>
2152
2153         Reviewed by Brian Burg.
2154
2155         * inspector/agents/InspectorDebuggerAgent.h:
2156         Add `PostMessage` async call type.
2157
2158 2017-08-04  Mark Lam  <mark.lam@apple.com>
2159
2160         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2161         https://bugs.webkit.org/show_bug.cgi?id=175208
2162         <rdar://problem/33732402>
2163
2164         Reviewed by Saam Barati.
2165
2166         This will minimize the code diff and make it easier to review the patch for
2167         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2168         steps:
2169
2170         1. Do the code changes to move methods into OSRExit.
2171         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2172         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2173
2174         Splitting this refactoring into these 3 steps also makes it easier to review this
2175         patch and understand what is being changed.
2176
2177         * dfg/DFGOSRExit.h:
2178         * dfg/DFGOSRExitCompiler.cpp:
2179         (JSC::DFG::OSRExit::emitRestoreArguments):
2180         (JSC::DFG::OSRExit::compileOSRExit):
2181         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2182         (): Deleted.
2183         * dfg/DFGOSRExitCompiler.h:
2184         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2185         (): Deleted.
2186         * dfg/DFGOSRExitCompiler32_64.cpp:
2187         (JSC::DFG::OSRExit::compileExit):
2188         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2189         * dfg/DFGOSRExitCompiler64.cpp:
2190         (JSC::DFG::OSRExit::compileExit):
2191         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2192         * dfg/DFGThunks.cpp:
2193         (JSC::DFG::osrExitGenerationThunkGenerator):
2194
2195 2017-08-04  Devin Rousso  <drousso@apple.com>
2196
2197         Web Inspector: add source view for WebGL shader programs
2198         https://bugs.webkit.org/show_bug.cgi?id=138593
2199         <rdar://problem/18936194>
2200
2201         Reviewed by Matt Baker.
2202
2203         * inspector/protocol/Canvas.json:
2204          - Add `ShaderType` enum that contains "vertex" and "fragment".
2205          - Add `requestShaderSource` command that will return the original source code for a given
2206            shader program and shader type.
2207
2208 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2209
2210         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2211         https://bugs.webkit.org/show_bug.cgi?id=175141
2212
2213         Reviewed by Mark Lam.
2214         
2215         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2216         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2217         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2218         determined by the AlignedMemoryAllocator object.
2219         
2220         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2221         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2222         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2223         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2224         they use the same AlignedMemoryAllocator.
2225
2226         * CMakeLists.txt:
2227         * JavaScriptCore.xcodeproj/project.pbxproj:
2228         * heap/AlignedMemoryAllocator.cpp: Added.
2229         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2230         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2231         * heap/AlignedMemoryAllocator.h: Added.
2232         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2233         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2234         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2235         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2236         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2237         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2238         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2239         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2240         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2241         (JSC::GigacageAlignedMemoryAllocator::singleton):
2242         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2243         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2244         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2245         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2246         (JSC::GigacageAlignedMemoryAllocator::dump const):
2247         * heap/GigacageAlignedMemoryAllocator.h: Added.
2248         * heap/GigacageSubspace.cpp: Removed.
2249         * heap/GigacageSubspace.h: Removed.
2250         * heap/LargeAllocation.cpp:
2251         (JSC::LargeAllocation::tryCreate):
2252         (JSC::LargeAllocation::destroy):
2253         * heap/MarkedAllocator.cpp:
2254         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2255         * heap/MarkedBlock.cpp:
2256         (JSC::MarkedBlock::tryCreate):
2257         (JSC::MarkedBlock::Handle::Handle):
2258         (JSC::MarkedBlock::Handle::~Handle):
2259         (JSC::MarkedBlock::Handle::didAddToAllocator):
2260         (JSC::MarkedBlock::Handle::subspace const):
2261         * heap/MarkedBlock.h:
2262         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2263         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2264         * heap/Subspace.cpp:
2265         (JSC::Subspace::Subspace):
2266         (JSC::Subspace::findEmptyBlockToSteal):
2267         (JSC::Subspace::canTradeBlocksWith): Deleted.
2268         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2269         (JSC::Subspace::freeAlignedMemory): Deleted.
2270         * heap/Subspace.h:
2271         (JSC::Subspace::name const):
2272         (JSC::Subspace::alignedMemoryAllocator const):
2273         * runtime/JSDestructibleObjectSubspace.cpp:
2274         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2275         * runtime/JSDestructibleObjectSubspace.h:
2276         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2277         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2278         * runtime/JSSegmentedVariableObjectSubspace.h:
2279         * runtime/JSStringSubspace.cpp:
2280         (JSC::JSStringSubspace::JSStringSubspace):
2281         * runtime/JSStringSubspace.h:
2282         * runtime/VM.cpp:
2283         (JSC::VM::VM):
2284         * runtime/VM.h:
2285         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2286         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2287         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2288
2289 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2290
2291         [ESNext] Async iteration - update feature.json
2292         https://bugs.webkit.org/show_bug.cgi?id=175197
2293
2294         Reviewed by Yusuke Suzuki.
2295
2296         Update feature.json to add the status of Async Iteration
2297
2298         * features.json:
2299
2300 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2301
2302         Unreviewed, rolling out r220271.
2303
2304         Rolling out due to Layout Test failing on iOS Simulator.
2305
2306         Reverted changeset:
2307
2308         "Remove STREAMS_API compilation guard"
2309         https://bugs.webkit.org/show_bug.cgi?id=175165
2310         http://trac.webkit.org/changeset/220271
2311
2312 2017-08-04  Youenn Fablet  <youenn@apple.com>
2313
2314         Remove STREAMS_API compilation guard
2315         https://bugs.webkit.org/show_bug.cgi?id=175165
2316
2317         Reviewed by Darin Adler.
2318
2319         * Configurations/FeatureDefines.xcconfig:
2320
2321 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2322
2323         [EsNext] Async iteration - Add feature flag
2324         https://bugs.webkit.org/show_bug.cgi?id=166694
2325
2326         Reviewed by Yusuke Suzuki.
2327
2328         Add a feature flag to JSC to switch Async Iterator on/off
2329
2330         * runtime/Options.h:
2331
2332 2017-08-03  Brian Burg  <bburg@apple.com>
2333
2334         Remove ENABLE(WEB_SOCKET) guards
2335         https://bugs.webkit.org/show_bug.cgi?id=167044
2336
2337         Reviewed by Joseph Pecoraro.
2338
2339         * Configurations/FeatureDefines.xcconfig:
2340
2341 2017-08-03  Youenn Fablet  <youenn@apple.com>
2342
2343         Remove FETCH_API compilation guard
2344         https://bugs.webkit.org/show_bug.cgi?id=175154
2345
2346         Reviewed by Chris Dumez.
2347
2348         * Configurations/FeatureDefines.xcconfig:
2349
2350 2017-08-03  Matt Baker  <mattbaker@apple.com>
2351
2352         Web Inspector: Instrument WebGLProgram created/deleted
2353         https://bugs.webkit.org/show_bug.cgi?id=175059
2354
2355         Reviewed by Devin Rousso.
2356
2357         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2358
2359         * inspector/protocol/Canvas.json:
2360
2361 2017-08-03  Brady Eidson  <beidson@apple.com>
2362
2363         Add SW IDLs and stub out basic functionality.
2364         https://bugs.webkit.org/show_bug.cgi?id=175115
2365
2366         Reviewed by Chris Dumez.
2367
2368         * Configurations/FeatureDefines.xcconfig:
2369
2370         * runtime/CommonIdentifiers.h:
2371
2372 2017-08-03  Mark Lam  <mark.lam@apple.com>
2373
2374         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2375         https://bugs.webkit.org/show_bug.cgi?id=175142
2376         <rdar://problem/33704528>
2377
2378         Reviewed by Filip Pizlo.
2379
2380         The convention in the rest of JSC for such methods which return the address of
2381         a field is to name them "addressOf<field name>".  We'll rename
2382         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2383
2384         * dfg/DFGSpeculativeJIT.cpp:
2385         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2386         * dfg/DFGSpeculativeJIT32_64.cpp:
2387         (JSC::DFG::SpeculativeJIT::compile):
2388         * dfg/DFGSpeculativeJIT64.cpp:
2389         (JSC::DFG::SpeculativeJIT::compile):
2390         * dfg/DFGThunks.cpp:
2391         (JSC::DFG::osrExitGenerationThunkGenerator):
2392         * ftl/FTLLowerDFGToB3.cpp:
2393         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2394         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2395         * ftl/FTLThunks.cpp:
2396         (JSC::FTL::genericGenerationThunkGenerator):
2397         * jit/AssemblyHelpers.cpp:
2398         (JSC::AssemblyHelpers::debugCall):
2399         * jit/ScratchRegisterAllocator.cpp:
2400         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2401         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2402         * runtime/VM.h:
2403         (JSC::ScratchBuffer::addressOfActiveLength):
2404         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2405         * wasm/WasmBinding.cpp:
2406         (JSC::Wasm::wasmToJs):
2407
2408 2017-08-02  Devin Rousso  <drousso@apple.com>
2409
2410         Web Inspector: add stack trace information for each RecordingAction
2411         https://bugs.webkit.org/show_bug.cgi?id=174663
2412
2413         Reviewed by Joseph Pecoraro.
2414
2415         * inspector/ScriptCallFrame.h:
2416         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2417         with an existing value doesn't require a functor and can use existing code.
2418
2419         * interpreter/StackVisitor.h:
2420         * interpreter/StackVisitor.cpp:
2421         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2422
2423 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2424
2425         Merge WTFThreadData to Thread::current
2426         https://bugs.webkit.org/show_bug.cgi?id=174716
2427
2428         Reviewed by Mark Lam.
2429
2430         Use Thread::current() instead.
2431
2432         * API/JSContext.mm:
2433         (+[JSContext currentContext]):
2434         (+[JSContext currentThis]):
2435         (+[JSContext currentCallee]):
2436         (+[JSContext currentArguments]):
2437         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2438         (-[JSContext endCallbackWithData:]):
2439         * heap/Heap.cpp:
2440         (JSC::Heap::requestCollection):
2441         * runtime/Completion.cpp:
2442         (JSC::checkSyntax):
2443         (JSC::checkModuleSyntax):
2444         (JSC::evaluate):
2445         (JSC::loadAndEvaluateModule):
2446         (JSC::loadModule):
2447         (JSC::linkAndEvaluateModule):
2448         (JSC::importModule):
2449         * runtime/Identifier.cpp:
2450         (JSC::Identifier::checkCurrentAtomicStringTable):
2451         * runtime/InitializeThreading.cpp:
2452         (JSC::initializeThreading):
2453         * runtime/JSLock.cpp:
2454         (JSC::JSLock::didAcquireLock):
2455         (JSC::JSLock::willReleaseLock):
2456         (JSC::JSLock::dropAllLocks):
2457         (JSC::JSLock::grabAllLocks):
2458         * runtime/JSLock.h:
2459         * runtime/VM.cpp:
2460         (JSC::VM::VM):
2461         (JSC::VM::updateStackLimits):
2462         (JSC::VM::committedStackByteCount):
2463         * runtime/VM.h:
2464         (JSC::VM::isSafeToRecurse const):
2465         * runtime/VMEntryScope.cpp:
2466         (JSC::VMEntryScope::VMEntryScope):
2467         * runtime/VMInlines.h:
2468         (JSC::VM::ensureStackCapacityFor):
2469         * yarr/YarrPattern.cpp:
2470         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2471
2472 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2473
2474         LLInt should do pointer caging
2475         https://bugs.webkit.org/show_bug.cgi?id=175036
2476
2477         Reviewed by Keith Miller.
2478
2479         Implementing this in the LLInt was challenging because offlineasm did not previously know
2480         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2481         to be where the Gigacage is enabled right now.
2482
2483         * llint/LLIntOfflineAsmConfig.h:
2484         * llint/LowLevelInterpreter64.asm:
2485         * offlineasm/ast.rb:
2486         * offlineasm/x86.rb:
2487
2488 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2489
2490         Sweeping should only scribble when sweeping to free list
2491         https://bugs.webkit.org/show_bug.cgi?id=175105
2492
2493         Reviewed by Saam Barati.
2494         
2495         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2496         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2497         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2498         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2499         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2500         when it doesn't matter anyway because we're building a free list.
2501         
2502         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2503         zap.
2504
2505         * heap/MarkedBlockInlines.h:
2506         (JSC::MarkedBlock::Handle::specializedSweep):
2507
2508 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2509
2510         All C++ accesses to JSObject::m_butterfly should do caging
2511         https://bugs.webkit.org/show_bug.cgi?id=175039
2512
2513         Reviewed by Keith Miller.
2514         
2515         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2516         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2517         outside the gigacage.
2518
2519         * runtime/JSArray.cpp:
2520         (JSC::JSArray::setLength):
2521         (JSC::JSArray::pop):
2522         (JSC::JSArray::push):
2523         (JSC::JSArray::shiftCountWithAnyIndexingType):
2524         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2525         (JSC::JSArray::fillArgList):
2526         (JSC::JSArray::copyToArguments):
2527         * runtime/JSObject.cpp:
2528         (JSC::JSObject::heapSnapshot):
2529         (JSC::JSObject::createInitialIndexedStorage):
2530         (JSC::JSObject::createArrayStorage):
2531         (JSC::JSObject::convertUndecidedToInt32):
2532         (JSC::JSObject::convertUndecidedToDouble):
2533         (JSC::JSObject::convertUndecidedToContiguous):
2534         (JSC::JSObject::convertInt32ToDouble):
2535         (JSC::JSObject::convertInt32ToArrayStorage):
2536         (JSC::JSObject::convertDoubleToContiguous):
2537         (JSC::JSObject::convertDoubleToArrayStorage):
2538         (JSC::JSObject::convertContiguousToArrayStorage):
2539         (JSC::JSObject::defineOwnIndexedProperty):
2540         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2541         (JSC::JSObject::ensureLengthSlow):
2542         (JSC::JSObject::allocateMoreOutOfLineStorage):
2543         * runtime/JSObject.h:
2544         (JSC::JSObject::canGetIndexQuickly):
2545         (JSC::JSObject::getIndexQuickly):
2546         (JSC::JSObject::tryGetIndexQuickly const):
2547         (JSC::JSObject::canSetIndexQuickly):
2548         (JSC::JSObject::setIndexQuickly):
2549         (JSC::JSObject::initializeIndex):
2550         (JSC::JSObject::initializeIndexWithoutBarrier):
2551         (JSC::JSObject::butterfly const):
2552         (JSC::JSObject::butterfly):
2553
2554 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2555
2556         We should be OK with the gigacage being disabled on gmalloc
2557         https://bugs.webkit.org/show_bug.cgi?id=175082
2558
2559         Reviewed by Michael Saboff.
2560
2561         * jsc.cpp:
2562         (jscmain):
2563
2564 2017-08-02  Saam Barati  <sbarati@apple.com>
2565
2566         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2567         https://bugs.webkit.org/show_bug.cgi?id=175041
2568         <rdar://problem/33659370>
2569
2570         Reviewed by Filip Pizlo.
2571
2572         The testing I have done shows that this new function is a ~10%
2573         progression running JetStream on 1GB iOS devices. I've also tried
2574         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2575         or a regression. Right now, we'll just enable this for <= 1GB devices
2576         since it's a win. In the future, we might want to either look into
2577         tweaking these parameters or coming up with a new function for > 1GB
2578         devices.
2579
2580         * heap/Heap.cpp:
2581         * runtime/Options.h:
2582
2583 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2584
2585         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2586         https://bugs.webkit.org/show_bug.cgi?id=174727
2587
2588         Reviewed by Mark Lam.
2589         
2590         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2591         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2592         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2593         
2594         This is neutral on JetStream.
2595
2596         * CMakeLists.txt:
2597         * JavaScriptCore.xcodeproj/project.pbxproj:
2598         * b3/B3InsertionSet.cpp:
2599         (JSC::B3::InsertionSet::execute):
2600         * dfg/DFGAbstractInterpreterInlines.h:
2601         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2602         * dfg/DFGArgumentsEliminationPhase.cpp:
2603         * dfg/DFGClobberize.cpp:
2604         (JSC::DFG::readsOverlap):
2605         * dfg/DFGClobberize.h:
2606         (JSC::DFG::clobberize):
2607         * dfg/DFGDoesGC.cpp:
2608         (JSC::DFG::doesGC):
2609         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2610         (JSC::DFG::performFixedButterflyAccessUncaging):
2611         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2612         * dfg/DFGFixupPhase.cpp:
2613         (JSC::DFG::FixupPhase::fixupNode):
2614         * dfg/DFGHeapLocation.cpp:
2615         (WTF::printInternal):
2616         * dfg/DFGHeapLocation.h:
2617         * dfg/DFGNodeType.h:
2618         * dfg/DFGPlan.cpp:
2619         (JSC::DFG::Plan::compileInThreadImpl):
2620         * dfg/DFGPredictionPropagationPhase.cpp:
2621         * dfg/DFGSafeToExecute.h:
2622         (JSC::DFG::safeToExecute):
2623         * dfg/DFGSpeculativeJIT.cpp:
2624         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2625         * dfg/DFGSpeculativeJIT32_64.cpp:
2626         (JSC::DFG::SpeculativeJIT::compile):
2627         * dfg/DFGSpeculativeJIT64.cpp:
2628         (JSC::DFG::SpeculativeJIT::compile):
2629         * dfg/DFGTypeCheckHoistingPhase.cpp:
2630         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2631         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2632         * ftl/FTLCapabilities.cpp:
2633         (JSC::FTL::canCompile):
2634         * ftl/FTLLowerDFGToB3.cpp:
2635         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2636         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2637         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2638         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2639         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2640         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2641         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2642         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2643         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2644         (JSC::FTL::DFG::LowerDFGToB3::caged):
2645         * heap/GigacageSubspace.cpp: Added.
2646         (JSC::GigacageSubspace::GigacageSubspace):
2647         (JSC::GigacageSubspace::~GigacageSubspace):
2648         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2649         (JSC::GigacageSubspace::freeAlignedMemory):
2650         (JSC::GigacageSubspace::canTradeBlocksWith):
2651         * heap/GigacageSubspace.h: Added.
2652         * heap/Heap.cpp:
2653         (JSC::Heap::Heap):
2654         (JSC::Heap::lastChanceToFinalize):
2655         (JSC::Heap::finalize):
2656         (JSC::Heap::sweepInFinalize):
2657         (JSC::Heap::updateAllocationLimits):
2658         (JSC::Heap::shouldDoFullCollection):
2659         (JSC::Heap::collectIfNecessaryOrDefer):
2660         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2661         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2662         (JSC::Heap::sweepLargeAllocations): Deleted.
2663         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2664         * heap/Heap.h:
2665         * heap/LargeAllocation.cpp:
2666         (JSC::LargeAllocation::tryCreate):
2667         (JSC::LargeAllocation::destroy):
2668         * heap/MarkedAllocator.cpp:
2669         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2670         (JSC::MarkedAllocator::tryAllocateBlock):
2671         * heap/MarkedBlock.cpp:
2672         (JSC::MarkedBlock::tryCreate):
2673         (JSC::MarkedBlock::Handle::Handle):
2674         (JSC::MarkedBlock::Handle::~Handle):
2675         (JSC::MarkedBlock::Handle::didAddToAllocator):
2676         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2677         * heap/MarkedBlock.h:
2678         (JSC::MarkedBlock::Handle::subspace const):
2679         * heap/MarkedSpace.cpp:
2680         (JSC::MarkedSpace::~MarkedSpace):
2681         (JSC::MarkedSpace::freeMemory):
2682         (JSC::MarkedSpace::prepareForAllocation):
2683         (JSC::MarkedSpace::addMarkedAllocator):
2684         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2685         * heap/MarkedSpace.h:
2686         (JSC::MarkedSpace::firstAllocator const):
2687         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2688         * heap/Subspace.cpp:
2689         (JSC::Subspace::Subspace):
2690         (JSC::Subspace::canTradeBlocksWith):
2691         (JSC::Subspace::tryAllocateAlignedMemory):
2692         (JSC::Subspace::freeAlignedMemory):
2693         (JSC::Subspace::prepareForAllocation):
2694         (JSC::Subspace::findEmptyBlockToSteal):
2695         * heap/Subspace.h:
2696         (JSC::Subspace::didCreateFirstAllocator):
2697         * heap/SubspaceInlines.h:
2698         (JSC::Subspace::forEachAllocator):
2699         (JSC::Subspace::forEachMarkedBlock):
2700         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2701         * jit/JITPropertyAccess.cpp:
2702         (JSC::JIT::emitDoubleLoad):
2703         (JSC::JIT::emitContiguousLoad):
2704         (JSC::JIT::emitArrayStorageLoad):
2705         (JSC::JIT::emitGenericContiguousPutByVal):
2706         (JSC::JIT::emitArrayStoragePutByVal):
2707         (JSC::JIT::emit_op_get_from_scope):
2708         (JSC::JIT::emit_op_put_to_scope):
2709         (JSC::JIT::emitIntTypedArrayGetByVal):
2710         (JSC::JIT::emitFloatTypedArrayGetByVal):
2711         (JSC::JIT::emitIntTypedArrayPutByVal):
2712         (JSC::JIT::emitFloatTypedArrayPutByVal):
2713         * jsc.cpp:
2714         (fillBufferWithContentsOfFile):
2715         (functionReadFile):
2716         (gigacageDisabled):
2717         (jscmain):
2718         * llint/LowLevelInterpreter64.asm:
2719         * runtime/ArrayBuffer.cpp:
2720         (JSC::ArrayBufferContents::tryAllocate):
2721         (JSC::ArrayBuffer::createAdopted):
2722         (JSC::ArrayBuffer::createFromBytes):
2723         (JSC::ArrayBuffer::tryCreate):
2724         * runtime/IndexingHeader.h:
2725         * runtime/InitializeThreading.cpp:
2726         (JSC::initializeThreading):
2727         * runtime/JSArrayBuffer.cpp:
2728         * runtime/JSArrayBufferView.cpp:
2729         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2730         (JSC::JSArrayBufferView::finalize):
2731         * runtime/JSLock.cpp:
2732         (JSC::JSLock::didAcquireLock):
2733         * runtime/JSObject.h:
2734         * runtime/Options.cpp:
2735         (JSC::recomputeDependentOptions):
2736         * runtime/Options.h:
2737         * runtime/ScopedArgumentsTable.h:
2738         * runtime/VM.cpp:
2739         (JSC::VM::VM):
2740         (JSC::VM::~VM):
2741         (JSC::VM::gigacageDisabledCallback):
2742         (JSC::VM::gigacageDisabled):
2743         * runtime/VM.h:
2744         (JSC::VM::fireGigacageEnabledIfNecessary):
2745         (JSC::VM::gigacageEnabled):
2746         * wasm/WasmB3IRGenerator.cpp:
2747         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2748         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2749         * wasm/WasmCodeBlock.cpp:
2750         (JSC::Wasm::CodeBlock::isSafeToRun):
2751         * wasm/WasmMemory.cpp:
2752         (JSC::Wasm::makeString):
2753         (JSC::Wasm::Memory::create):
2754         (JSC::Wasm::Memory::~Memory):
2755         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2756         (JSC::Wasm::Memory::grow):
2757         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2758         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2759         * wasm/WasmMemory.h:
2760         * wasm/js/JSWebAssemblyInstance.cpp:
2761         (JSC::JSWebAssemblyInstance::create):
2762         * wasm/js/JSWebAssemblyMemory.cpp:
2763         (JSC::JSWebAssemblyMemory::grow):
2764         (JSC::JSWebAssemblyMemory::finishCreation):
2765         * wasm/js/JSWebAssemblyMemory.h:
2766         (JSC::JSWebAssemblyMemory::subspaceFor):
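
        The masking that the "All C++ accesses to JSObject::m_butterfly should do caging" and "Bmalloc and GC should put auxiliaries ... in a gigacage" entries above describe, as an added example (constructed here, not WebKit's or bmalloc's code): a toy cage whose base is assumed to be aligned to its power-of-two size, a caging step of base + (ptr & (size - 1)), and an accessor that cages a storage pointer before dereferencing it, so a pointer value that has drifted outside the cage can only ever reach memory inside it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not WebKit code: a toy model of pointer caging.
 * Assumption: the cage is a power-of-two sized region whose base is aligned
 * to its size (the real cage is a multi-GB VM reservation; here it is a small
 * aligned_alloc'd block). caged(p) keeps only the low bits of p and re-bases
 * them onto the cage, so whatever value p holds, the result lies inside
 * [base, base + size).
 */

typedef struct {
    uintptr_t base;  /* start of the cage, aligned to size */
    uintptr_t size;  /* power of two */
} Cage;

/* Allocate a stand-in cage. Returns 0 on success, -1 on failure. */
int cage_create(Cage* cage, size_t size)
{
    if (size == 0 || (size & (size - 1)) != 0)
        return -1;                      /* size must be a power of two */
    void* mem = aligned_alloc(size, size);
    if (!mem)
        return -1;
    memset(mem, 0, size);               /* deterministic contents for the demo */
    cage->base = (uintptr_t)mem;
    cage->size = size;
    return 0;
}

void cage_destroy(Cage* cage)
{
    free((void*)cage->base);
    cage->base = 0;
    cage->size = 0;
}

/* The caging mask keeps only the offset within the cage. */
static inline uintptr_t cage_mask(const Cage* cage)
{
    return cage->size - 1;
}

/* The caging step: base + (p & mask). Identity for pointers already inside. */
uintptr_t cage_caged(const Cage* cage, uintptr_t p)
{
    return cage->base + (p & cage_mask(cage));
}

int cage_contains(const Cage* cage, uintptr_t p)
{
    return p >= cage->base && p < cage->base + cage->size;
}

/* Model of an object holding a raw out-of-line storage pointer, like the
 * butterfly pointer in the entry above. The raw value may be corrupted. */
typedef struct {
    uintptr_t storage;
} CagedObject;

/* Read the first word of the storage, caging the pointer before the
 * dereference: even if `storage` points outside the cage, the access
 * is redirected to an address inside it. */
uint64_t caged_object_read(const Cage* cage, const CagedObject* obj)
{
    const uint64_t* p = (const uint64_t*)cage_caged(cage, obj->storage);
    return *p;
}
```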
2767
2768 2017-07-31  Mark Lam  <mark.lam@apple.com>
2769
2770         Added some UNLIKELYs to operationOptimize().
2771         https://bugs.webkit.org/show_bug.cgi?id=174976
2772
2773         Reviewed by JF Bastien.
2774
2775         * jit/JITOperations.cpp:
2776
2777 2017-07-31  Keith Miller  <keith_miller@apple.com>
2778
2779         Make more things LLInt constexprs
2780         https://bugs.webkit.org/show_bug.cgi?id=174994
2781
2782         Reviewed by Saam Barati.
2783
2784         This patch makes more of the const values in the LLInt constexprs.
2785         It also deletes all of the no longer necessary static_asserts in
2786         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2787
2788         * interpreter/ShadowChicken.h:
2789         (JSC::ShadowChicken::Packet::tailMarker):
2790         * llint/LLIntData.cpp:
2791         (JSC::LLInt::Data::performAssertions):
2792         * llint/LowLevelInterpreter.asm:
2793         * offlineasm/generate_offset_extractor.rb:
2794         * offlineasm/parser.rb:
2795
2796 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2797
2798         Unreviewed, rolling out r220060.
2799
2800         This broke our internal builds. Contact reviewer of patch for
2801         more information.
2802
2803         Reverted changeset:
2804
2805         "Merge WTFThreadData to Thread::current"
2806         https://bugs.webkit.org/show_bug.cgi?id=174716
2807         http://trac.webkit.org/changeset/220060
2808
2809 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2810
2811         [JSC] Support optional catch binding
2812         https://bugs.webkit.org/show_bug.cgi?id=174981
2813
2814         Reviewed by Saam Barati.
2815
2816         This patch implements optional catch binding proposal[1], which is now stage 3.
2817         This proposal adds a new `catch` brace with no error value binding.
2818
2819             ```
2820                 try {
2821                     ...
2822                 } catch {
2823                     ...
2824                 }
2825             ```
2826
2827         Sometimes we do not actually need the error value. For example, the function returns
2828         a boolean that indicates whether the function succeeds.
2829
2830             ```
2831             function parse(result) // -> bool
2832             {
2833                  try {
2834                      parseInner(result);
2835                  } catch {
2836                      return false;
2837                  }
2838                  return true;
2839             }
2840             ```
2841
2842         In the above case, we are not interested in the actual error value. Without this syntax,
2843         we always need to introduce a binding for an error value that is just ignored.
2844
2845         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2846
2847         * bytecompiler/NodesCodegen.cpp:
2848         (JSC::TryNode::emitBytecode):
2849         * parser/Parser.cpp:
2850         (JSC::Parser<LexerType>::parseTryStatement):
2851
2852 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2853
2854         Merge WTFThreadData to Thread::current
2855         https://bugs.webkit.org/show_bug.cgi?id=174716
2856
2857         Reviewed by Sam Weinig.
2858
2859         Use Thread::current() instead.
2860
2861         * API/JSContext.mm:
2862         (+[JSContext currentContext]):
2863         (+[JSContext currentThis]):
2864         (+[JSContext currentCallee]):
2865         (+[JSContext currentArguments]):
2866         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2867         (-[JSContext endCallbackWithData:]):
2868         * heap/Heap.cpp:
2869         (JSC::Heap::requestCollection):
2870         * runtime/Completion.cpp:
2871         (JSC::checkSyntax):
2872         (JSC::checkModuleSyntax):
2873         (JSC::evaluate):
2874         (JSC::loadAndEvaluateModule):
2875         (JSC::loadModule):
2876         (JSC::linkAndEvaluateModule):
2877         (JSC::importModule):
2878         * runtime/Identifier.cpp:
2879         (JSC::Identifier::checkCurrentAtomicStringTable):
2880         * runtime/InitializeThreading.cpp:
2881         (JSC::initializeThreading):
2882         * runtime/JSLock.cpp:
2883         (JSC::JSLock::didAcquireLock):
2884         (JSC::JSLock::willReleaseLock):
2885         (JSC::JSLock::dropAllLocks):
2886         (JSC::JSLock::grabAllLocks):
2887         * runtime/JSLock.h:
2888         * runtime/VM.cpp:
2889         (JSC::VM::VM):
2890         (JSC::VM::updateStackLimits):
2891         (JSC::VM::committedStackByteCount):
2892         * runtime/VM.h:
2893         (JSC::VM::isSafeToRecurse const):
2894         * runtime/VMEntryScope.cpp:
2895         (JSC::VMEntryScope::VMEntryScope):
2896         * runtime/VMInlines.h:
2897         (JSC::VM::ensureStackCapacityFor):
2898         * yarr/YarrPattern.cpp:
2899         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2900
2901 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2902
2903         [WTF] Introduce Private Symbols
2904         https://bugs.webkit.org/show_bug.cgi?id=174935
2905
2906         Reviewed by Darin Adler.
2907
2908         Use SymbolImpl::isPrivate().
2909
2910         * builtins/BuiltinNames.cpp:
2911         * builtins/BuiltinNames.h:
2912         (JSC::BuiltinNames::isPrivateName): Deleted.
2913         * builtins/BuiltinUtils.h:
2914         * bytecode/BytecodeIntrinsicRegistry.cpp:
2915         (JSC::BytecodeIntrinsicRegistry::lookup):
2916         * runtime/CommonIdentifiers.cpp:
2917         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2918         * runtime/CommonIdentifiers.h:
2919         * runtime/ExceptionHelpers.cpp:
2920         (JSC::createUndefinedVariableError):
2921         * runtime/Identifier.h:
2922         (JSC::Identifier::isPrivateName):
2923         * runtime/IdentifierInlines.h:
2924         (JSC::identifierToSafePublicJSValue):
2925         * runtime/ObjectConstructor.cpp:
2926         (JSC::objectConstructorAssign):
2927         (JSC::defineProperties):
2928         (JSC::setIntegrityLevel):
2929         (JSC::testIntegrityLevel):
2930         (JSC::ownPropertyKeys):
2931         * runtime/PrivateName.h:
2932         (JSC::PrivateName::PrivateName):
2933         * runtime/PropertyName.h:
2934         (JSC::PropertyName::isPrivateName):
2935         * runtime/ProxyObject.cpp:
2936         (JSC::performProxyGet):
2937         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2938         (JSC::ProxyObject::performHasProperty):
2939         (JSC::ProxyObject::performPut):
2940         (JSC::ProxyObject::performDelete):
2941         (JSC::ProxyObject::performDefineOwnProperty):
2942
2943 2017-07-29  Keith Miller  <keith_miller@apple.com>
2944
2945         LLInt offsets extractor should be able to handle C++ constexprs
2946         https://bugs.webkit.org/show_bug.cgi?id=174964
2947
2948         Reviewed by Saam Barati.
2949
2950         This patch adds new syntax to the offline asm language. The new keyword,
2951         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
2952         expression. Additionally, if the value is not an identifier you can wrap it in
2953         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
2954         which will get converted into:
2955         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
2956
2957         This patch also changes the data format the LLIntOffsetsExtractor
2958         binary produces.  Previously, it would produce unsigned values,
2959         after this patch every value is an int64_t.  Using an int64_t is
2960         useful because it means that we can represent any constant needed.
2961         int32_t masks are sign extended, then passed and converted to a
2962         negative literal string in the assembler so it will be the constant
2963         expected.
2964
2965         * llint/LLIntOffsetsExtractor.cpp:
2966         (JSC::LLIntOffsetsExtractor::dummy):
2967         * llint/LowLevelInterpreter.asm:
2968         * llint/LowLevelInterpreter64.asm:
2969         * offlineasm/asm.rb:
2970         * offlineasm/ast.rb:
2971         * offlineasm/generate_offset_extractor.rb:
2972         * offlineasm/offsets.rb:
2973         * offlineasm/parser.rb:
2974         * offlineasm/transform.rb:
2975
2976 2017-07-28  Matt Baker  <mattbaker@apple.com>
2977
2978         Web Inspector: capture an async stack trace when web content calls addEventListener
2979         https://bugs.webkit.org/show_bug.cgi?id=174739
2980         <rdar://problem/33468197>
2981
2982         Reviewed by Brian Burg.
2983
2984         Allow debugger agents to perform custom logic when asynchronous stack
2985         trace data is cleared. For example, the PageDebuggerAgent would clear
2986         its list of registered listeners for which call stacks have been recorded.
2987
2988         * inspector/agents/InspectorDebuggerAgent.cpp:
2989         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
2990         * inspector/agents/InspectorDebuggerAgent.h:
2991
2992 2017-07-28  Mark Lam  <mark.lam@apple.com>
2993
2994         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
2995         https://bugs.webkit.org/show_bug.cgi?id=174948
2996         <rdar://problem/33495680>
2997
2998         Reviewed by Filip Pizlo.
2999
3000         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3001         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3002         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3003         requests to fire this watchpoint.
3004
3005         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3006         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3007         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3008
3009         But since the watchpoint hasn't been destructed yet, it still remains on the
3010         WatchpointSet and needs to guard against being fired in this state.  The fix is
3011         to simply return early if its owner StructureRareData is not live.  This has the
3012         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3013         not firing as we would expect.
3014
3015         This patch also removes some cargo cult copying of watchpoint code which
3016         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3017         used.  This patch removes these unnecessary instantiations.
3018
3019         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3020         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3021         * runtime/StructureRareData.cpp:
3022         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3023         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3024
3025 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3026
3027         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3028         https://bugs.webkit.org/show_bug.cgi?id=174900
3029
3030         Reviewed by Saam Barati.
3031
3032         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
3033         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
3034         The problem is that even the transforming phase also checks these pseudo terminals.
3035
3036             BB1
3037             1: ForceOSRExit
3038             2: CreateDirectArguments
3039
3040             BB2
3041             3: GetButterfly(@2)
3042             4: ForceOSRExit
3043
3044         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
3045
3046         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
3047
3048         * dfg/DFGArgumentsEliminationPhase.cpp:
3049
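The candidate-collection bug above, modelled as an added example in JavaScript. This is not JSC's DFGArgumentsEliminationPhase; the node shapes, the third basic block (BB3, which is not in the entry's graph and is added here to show a candidate that does get converted), and the helper names `collectCandidates`, `transform` and `runPhase` are this example's own. The graph for BB1 and BB2 is the one quoted in the entry.

```javascript
// Added example (not JSC code): a toy model of the arguments-elimination
// candidate bug. Opcode names beyond those in the ChangeLog entry, the node
// shapes and every helper name here are assumptions of this example.

// Opcodes the phase treats as pseudo terminals: nothing after them in a
// block is reachable, so the phase must not reason about what follows.
const PSEUDO_TERMINALS = new Set(['ForceOSRExit']);

// Allocations that may be turned into their Phantom form.
const ALLOCATION_OPS = new Set(['CreateDirectArguments']);

// Candidate collection. With stopAtPseudoTerminals=false (the behaviour the
// entry describes as buggy) the scan keeps going past ForceOSRExit, so the
// unreachable @2 in BB1 becomes a candidate.
function collectCandidates(blocks, { stopAtPseudoTerminals }) {
  const candidates = new Set();
  for (const block of blocks) {
    for (const node of block) {
      if (stopAtPseudoTerminals && PSEUDO_TERMINALS.has(node.op)) break;
      if (ALLOCATION_OPS.has(node.op)) candidates.add(node.id);
    }
  }
  return candidates;
}

// Transform phase. This side always stopped at pseudo terminals, so it never
// converts @2; a later use of an unconverted candidate is the assertion
// quoted in the entry's title.
function transform(blocks, candidates) {
  const converted = new Map();
  for (const block of blocks) {
    for (const node of block) {
      if (PSEUDO_TERMINALS.has(node.op)) break;
      if (candidates.has(node.id)) {
        converted.set(node.id, 'PhantomDirectArguments');
        node.op = 'PhantomDirectArguments';
      }
      for (const use of node.uses || []) {
        if (candidates.has(use) && !converted.has(use)) {
          throw new Error(`ASSERTION FAILED: @${use} is a candidate but was never converted`);
        }
      }
    }
  }
  return converted;
}

// BB1 and BB2 are the graph from the entry; BB3 is added here so the fixed
// phase still has a legitimate candidate (@5) to convert.
function buildExampleGraph() {
  return [
    [{ id: 1, op: 'ForceOSRExit' }, { id: 2, op: 'CreateDirectArguments' }],
    [{ id: 3, op: 'GetButterfly', uses: [2] }, { id: 4, op: 'ForceOSRExit' }],
    [{ id: 5, op: 'CreateDirectArguments' }, { id: 6, op: 'GetButterfly', uses: [5] }],
  ];
}

// Run collection + transform under one policy and report what happened.
function runPhase(stopAtPseudoTerminals) {
  const blocks = buildExampleGraph();
  const candidates = collectCandidates(blocks, { stopAtPseudoTerminals });
  try {
    const converted = transform(blocks, candidates);
    return { outcome: 'ok', candidates: [...candidates], converted: [...converted.keys()] };
  } catch (e) {
    return { outcome: 'asserted', candidates: [...candidates], converted: [], error: e.message };
  }
}

console.log('before fix:', runPhase(false));
console.log('after fix: ', runPhase(true));
```

Running it shows the two policies side by side: without stopping at pseudo terminals, @2 is listed as a candidate and the use in @3 trips the assertion; with the fix, @2 is never a candidate, @3 is left alone, and only @5 is converted.
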
3050 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3051
3052         [ES] Add support finally to Promise
3053         https://bugs.webkit.org/show_bug.cgi?id=174503
3054
3055         Reviewed by Yusuke Suzuki.
3056
3057         Add support for the `finally` method to Promise according
3058         to https://bugs.webkit.org/show_bug.cgi?id=174503
3059         The current spec is at STAGE 3:
3060         https://github.com/tc39/proposal-promise-finally
3061
3062         * builtins/PromisePrototype.js:
3063         (finally):
3064         (const.valueThunk):
3065         (globalPrivate.getThenFinally):
3066         (const.thrower):
3067         (globalPrivate.getCatchFinally):
3068         * runtime/JSPromisePrototype.cpp:
3069
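The `finally` semantics from the proposal, as an added example in plain JavaScript. This is not JSC's builtin from PromisePrototype.js; it follows the same structure the entry's function list hints at (a value thunk, a thrower, a then-side and a catch-side handler), but the names `promiseFinally`, `makeThenFinally`, `makeCatchFinally` and `demoFinally` are this example's own.

```javascript
// Added example (not the JSC builtin): Promise.prototype.finally semantics
// per the tc39 proposal-promise-finally, written as a standalone function.
// Helper names are assumptions of this example.

// finally's own callback result is discarded; the original settlement
// (value or reason) is re-delivered by one of these two thunks.
function valueThunk(value) {
  return () => value;
}

function thrower(reason) {
  return () => { throw reason; };
}

// Fulfillment path: call onFinally with no arguments, wait for whatever it
// returns (so an async cleanup is honoured), then pass the value through.
function makeThenFinally(onFinally) {
  return (value) => Promise.resolve(onFinally()).then(valueThunk(value));
}

// Rejection path: same, but re-throw the original reason afterwards. If
// onFinally itself throws or returns a rejected promise, that reason wins.
function makeCatchFinally(onFinally) {
  return (reason) => Promise.resolve(onFinally()).then(thrower(reason));
}

function promiseFinally(promise, onFinally) {
  if (typeof onFinally !== 'function') {
    // Non-callable onFinally: the proposal passes it to then() as-is,
    // which behaves like then(undefined, undefined).
    return promise.then(onFinally, onFinally);
  }
  return promise.then(makeThenFinally(onFinally), makeCatchFinally(onFinally));
}

// Exercises the four behaviours callers rely on; resolves to a summary.
async function demoFinally() {
  const calls = [];
  const record = () => { calls.push('cleanup'); return 'ignored'; };

  // 1. Fulfilled value passes through untouched; onFinally's return is ignored.
  const passthrough = await promiseFinally(Promise.resolve(42), record);

  // 2. Rejection is re-thrown after cleanup ran.
  let rethrown;
  try {
    await promiseFinally(Promise.reject(new Error('boom')), record);
  } catch (e) {
    rethrown = e.message;
  }

  // 3. A throwing onFinally overrides the original settlement.
  let overriding;
  try {
    await promiseFinally(Promise.resolve(1), () => { throw new Error('cleanup failed'); });
  } catch (e) {
    overriding = e.message;
  }

  // 4. onFinally receives no argument, unlike then/catch callbacks.
  let argCount = -1;
  await promiseFinally(Promise.resolve('x'), function () { argCount = arguments.length; });

  return { passthrough, rethrown, overriding, argCount, calls };
}

demoFinally().then((r) => console.log(r));
```

The distinction worth remembering when reviewing cleanup code: `finally` cannot see or alter the value, but an exception escaping from it does replace the original outcome, so a failing cleanup can mask the error that triggered it.
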
3070 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3071
3072         Unreviewed, build fix for CLoop
3073         https://bugs.webkit.org/show_bug.cgi?id=171637
3074
3075         * domjit/DOMJITGetterSetter.h:
3076
3077 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3078
3079         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3080         https://bugs.webkit.org/show_bug.cgi?id=171637
3081
3082         Reviewed by Darin Adler.
3083
3084         Each DOM attribute getter has code to perform the ClassInfo check. But it is largely duplicated and causes code bloat.
3085         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
3086
3087         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
3088         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
3089
3090         In IC, we drop CheckSubClass completely since the IC's Structure check subsumes it. We do not enable this optimization for
3091         the op_get_by_id_with_this case yet.
3092         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
3093
3094         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
3095         ClassInfo check.
3096
3097         * CMakeLists.txt:
3098         * JavaScriptCore.xcodeproj/project.pbxproj:
3099         * bytecode/AccessCase.cpp:
3100         (JSC::AccessCase::generateImpl):
3101         * bytecode/GetByIdStatus.cpp:
3102         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3103         * bytecode/GetByIdVariant.cpp:
3104         (JSC::GetByIdVariant::GetByIdVariant):
3105         (JSC::GetByIdVariant::operator=):
3106         (JSC::GetByIdVariant::attemptToMerge):
3107         (JSC::GetByIdVariant::dumpInContext):
3108         * bytecode/GetByIdVariant.h:
3109         (JSC::GetByIdVariant::customAccessorGetter):
3110         (JSC::GetByIdVariant::domAttribute):
3111         (JSC::GetByIdVariant::domJIT): Deleted.
3112         * bytecode/GetterSetterAccessCase.cpp:
3113         (JSC::GetterSetterAccessCase::create):
3114         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3115         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3116         * bytecode/GetterSetterAccessCase.h:
3117         (JSC::GetterSetterAccessCase::domAttribute):
3118         (JSC::GetterSetterAccessCase::customAccessor):
3119         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3120         * bytecompiler/BytecodeGenerator.cpp:
3121         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3122         * create_hash_table:
3123         * dfg/DFGAbstractInterpreterInlines.h:
3124         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3125         * dfg/DFGByteCodeParser.cpp:
3126         (JSC::DFG::blessCallDOMGetter):
3127         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3128         (JSC::DFG::ByteCodeParser::handleGetById):
3129         * dfg/DFGClobberize.h:
3130         (JSC::DFG::clobberize):
3131         * dfg/DFGFixupPhase.cpp:
3132         (JSC::DFG::FixupPhase::fixupNode):
3133         * dfg/DFGNode.h:
3134         * dfg/DFGSpeculativeJIT.cpp:
3135         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3136         * dfg/DFGSpeculativeJIT.h:
3137         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3138         * domjit/DOMJITGetterSetter.h:
3139         (JSC::DOMJIT::GetterSetter::GetterSetter):
3140         (JSC::DOMJIT::GetterSetter::getter):
3141         (JSC::DOMJIT::GetterSetter::compiler):
3142         (JSC::DOMJIT::GetterSetter::resultType):
3143         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3144         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3145         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3146         * ftl/FTLLowerDFGToB3.cpp:
3147         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3148         * jit/Repatch.cpp:
3149         (JSC::tryCacheGetByID):
3150         * jsc.cpp:
3151         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3152         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3153         (WTF::DOMJITGetter::customGetter):
3154         (WTF::DOMJITGetter::finishCreation):
3155         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3156         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3157         (WTF::DOMJITGetterComplex::customGetter):
3158         (WTF::DOMJITGetterComplex::finishCreation):
3159         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3160         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3161         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3162         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3163         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3164         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3165         * runtime/CustomGetterSetter.h:
3166         (JSC::CustomGetterSetter::create):
3167         (JSC::CustomGetterSetter::setter):
3168         (JSC::CustomGetterSetter::CustomGetterSetter):
3169         (): Deleted.
3170         * runtime/DOMAnnotation.h: Added.
3171         (JSC::operator==):
3172         (JSC::operator!=):
3173         * runtime/DOMAttributeGetterSetter.cpp: Added.
3174         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3175         (JSC::isDOMAttributeGetterSetter):
3176         * runtime/Error.cpp:
3177         (JSC::throwDOMAttributeGetterTypeError):
3178         * runtime/Error.h:
3179         (JSC::throwVMDOMAttributeGetterTypeError):
3180         * runtime/JSCustomGetterSetterFunction.cpp:
3181         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3182         * runtime/JSObject.cpp:
3183         (JSC::JSObject::putInlineSlow):
3184         (JSC::JSObject::deleteProperty):
3185         (JSC::JSObject::getOwnStaticPropertySlot):
3186         (JSC::JSObject::reifyAllStaticProperties):
3187         (JSC::JSObject::fillGetterPropertySlot):
3188         (JSC::JSObject::findPropertyHashEntry): Deleted.
3189         * runtime/JSObject.h:
3190         (JSC::JSObject::getOwnNonIndexPropertySlot):
3191         (JSC::JSObject::fillCustomGetterPropertySlot):
3192         * runtime/Lookup.cpp:
3193         (JSC::setUpStaticFunctionSlot):
3194         * runtime/Lookup.h:
3195         (JSC::HashTableValue::domJIT):
3196         (JSC::getStaticPropertySlotFromTable):
3197         (JSC::putEntry):
3198         (JSC::lookupPut):
3199         (JSC::reifyStaticProperty):
3200         (JSC::reifyStaticProperties):
3201         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
3202         this static property table require.
3203
3204         * runtime/ProgramExecutable.cpp:
3205         (JSC::ProgramExecutable::initializeGlobalProperties):
3206         * runtime/PropertyName.h:
3207         * runtime/PropertySlot.cpp:
3208         (JSC::PropertySlot::customGetter):
3209         (JSC::PropertySlot::customAccessorGetter):
3210         * runtime/PropertySlot.h:
3211         (JSC::PropertySlot::domAttribute):
3212         (JSC::PropertySlot::setCustom):
3213         (JSC::PropertySlot::setCacheableCustom):
3214         (JSC::PropertySlot::getValue):
3215         (JSC::PropertySlot::domJIT): Deleted.
3216         * runtime/VM.cpp:
3217         (JSC::VM::VM):
3218         * runtime/VM.h:
3219
3220 2017-07-26  Devin Rousso  <drousso@apple.com>
3221
3222         Web Inspector: create protocol for recording Canvas contexts
3223         https://bugs.webkit.org/show_bug.cgi?id=174481
3224
3225         Reviewed by Joseph Pecoraro.
3226
3227         * inspector/protocol/Canvas.json:
3228          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3229          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3230          - Add `recordingFinished` event that is fired once a recording is finished.
3231
3232         * CMakeLists.txt:
3233         * DerivedSources.make:
3234         * inspector/protocol/Recording.json: Added.
3235          - Add `Type` enum that lists the types of recordings
3236          - Add `InitialState` type that contains information about the canvas context at the
3237            beginning of the recording.
3238          - Add `Frame` type that holds a list of actions that were recorded.
3239          - Add `Recording` type as the container object of recording data.
3240
3241         * inspector/scripts/codegen/generate_js_backend_commands.py:
3242         (JSBackendCommandsGenerator.generate_domain):
3243         Create an agent for domains with no events or commands.
3244
3245         * inspector/InspectorValues.h:
3246         Make Array `get` public so that values can be retrieved if needed.
3247
3248 2017-07-26  Brian Burg  <bburg@apple.com>
3249
3250         Remove WEB_TIMING feature flag
3251         https://bugs.webkit.org/show_bug.cgi?id=174795
3252
3253         Reviewed by Alex Christensen.
3254
3255         * Configurations/FeatureDefines.xcconfig:
3256
3257 2017-07-26  Mark Lam  <mark.lam@apple.com>
3258
3259         Add the ability to change sp and pc to the ARM64 JIT probe.
3260         https://bugs.webkit.org/show_bug.cgi?id=174697
3261         <rdar://problem/33436965>
3262
3263         Reviewed by JF Bastien.
3264
3265         This patch implements the following:
3266
3267         1. The ARM64 probe now supports modifying the pc and sp.
3268
3269            However, lr is not preserved when modifying the pc because it is used as the
3270            scratch register for the indirect jump. Hence, the probe handler function
3271            may not modify both lr and pc in the same probe invocation.
3272
3273         2. Fix probe tests to use bitwise comparison when comparing double register
3274            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
3275
3276         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
3277            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
3278            instructions which require 16 byte alignment for their memory access.
3279
3280         * assembler/MacroAssemblerARM64.cpp:
3281         (JSC::arm64ProbeError):
3282         (JSC::MacroAssembler::probe):
3283         (JSC::arm64ProbeTrampoline): Deleted.
3284         * assembler/testmasm.cpp:
3285         (JSC::isSpecialGPR):
3286         (JSC::testProbeReadsArgumentRegisters):
3287         (JSC::testProbeWritesArgumentRegisters):
3288         (JSC::testProbePreservesGPRS):
3289         (JSC::testProbeModifiesStackPointer):
3290         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3291         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3292
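Item 2 above (bitwise comparison of double register values) is a test-correctness point that is easy to get wrong anywhere, so here is an added example in JavaScript showing why: IEEE 754 `===` says NaN is unequal to itself and that 0 and -0 are equal, so it cannot tell whether a register round-tripped through the probe unchanged. This is not code from the WebKit patch or from testmasm.cpp; the helper names `doubleBits`, `doubleBitsEqual` and `changedRegisters` are this example's own.

```javascript
// Added example (not WebKit test code): comparing doubles by their 64-bit
// encoding instead of by IEEE equality. Helper names are assumptions.

const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer); // same bytes, viewed as uint64

// Raw 64-bit encoding of a double, as a BigInt.
function doubleBits(x) {
  f64[0] = x;
  return u64[0];
}

// Bitwise equality: the comparison a register-preservation test needs.
// NaN compares equal to NaN, and 0 compares unequal to -0.
function doubleBitsEqual(a, b) {
  return doubleBits(a) === doubleBits(b);
}

// Side-by-side view of the three notions of equality for one pair.
function compareDoubles(a, b) {
  return {
    ieee: a === b,              // NaN !== NaN, 0 === -0
    sameValue: Object.is(a, b), // NaN is NaN, 0 is not -0 (but ignores NaN payload)
    bitwise: doubleBitsEqual(a, b),
  };
}

// Compare two snapshots of FPR values (arrays of doubles, constructed by the
// caller) and report the register indices whose encoding changed. Using
// `===` here would report every NaN-holding register as clobbered and miss
// a register that flipped from 0 to -0.
function changedRegisters(before, after) {
  if (before.length !== after.length) throw new Error('snapshot size mismatch');
  const changed = [];
  for (let i = 0; i < before.length; i++) {
    if (!doubleBitsEqual(before[i], after[i])) changed.push(i);
  }
  return changed;
}

// Constructed sample: register 1 really changed (0 became -0), register 0
// holds NaN before and after and must not be flagged.
console.log(compareDoubles(NaN, NaN));
console.log(changedRegisters([NaN, 0, 1.5], [NaN, -0, 1.5]));
```

The same reasoning applies to any snapshot-and-compare test of saved state (signal frames, context switches, crash dumps): compare the bytes, not the interpreted values.
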
3293 2017-07-25  JF Bastien  <jfbastien@apple.com>
3294
3295         WebAssembly: generate smaller binaries
3296         https://bugs.webkit.org/show_bug.cgi?id=174818
3297
3298         Reviewed by Filip Pizlo.
3299
3300         This patch reduces generated code size for WebAssembly in 2 ways:
3301
3302         1. Use the ZR register when storing zero on ARM64.
3303         2. Synthesize wasm context lazily.
3304
3305         This leads to a modest size reduction on both x86-64 and ARM64 for
3306         large WebAssembly games, without any performance loss on WasmBench
3307         and TitzerBench.
3308
3309         The reason this works is that these games, using Emscripten,
3310         generate 100k+ tiny functions, and our JIT allocation granule
3311         rounds all allocations up to 32 bytes. There are plenty of other
3312         simple gains to be had; I've filed a follow-up bug at
3313         webkit.org/b/174819.
3314
3315         We should further avoid the per-function cost of tiering, which
3316         represents the bulk of code generated for small functions.
3317
3318         * assembler/MacroAssemblerARM64.h:
3319         (JSC::MacroAssemblerARM64::storeZero64):
3320         * assembler/MacroAssemblerX86_64.h:
3321         (JSC::MacroAssemblerX86_64::storeZero64):
3322         * b3/B3LowerToAir.cpp:
3323         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
3324         for x86 because it constrains register reuse and codegen in a way
3325         that doesn't affect ARM64 because it has a dedicated zero
3326         register.
3327         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
3328         * wasm/WasmB3IRGenerator.cpp:
3329         (JSC::Wasm::B3IRGenerator::instanceValue):
3330         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
3331         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3332         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
3333
3334 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
3335
3336         B3 should do LICM
3337         https://bugs.webkit.org/show_bug.cgi?id=174750
3338
3339         Reviewed by Keith Miller and Saam Barati.
3340         
3341         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
3342         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
3343         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
3344         change templatizes DFG::NaturalLoops so that we can just use it.
3345         
3346         The LICM phase itself is really simple. We are decently precise with our handling of everything except
3347         the relationship between control dependence and side exits.
3348         
3349         Also added a bunch of tests.
3350         
3351         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
3352         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
3353         so it doesn't hurt to have it.
3354         
3355         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
3356         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
3357         it's good to have it because LICM is one of those core compiler phases; every compiler has it
3358         eventually.
3359
3360         * CMakeLists.txt:
3361         * JavaScriptCore.xcodeproj/project.pbxproj:
3362         * b3/B3BackwardsCFG.h: Added.
3363         (JSC::B3::BackwardsCFG::BackwardsCFG):
3364         * b3/B3BackwardsDominators.h: Added.
3365         (JSC::B3::BackwardsDominators::BackwardsDominators):
3366         * b3/B3BasicBlock.cpp:
3367         (JSC::B3::BasicBlock::appendNonTerminal):
3368         * b3/B3Effects.h:
3369         * b3/B3EnsureLoopPreHeaders.cpp: Added.
3370         (JSC::B3::ensureLoopPreHeaders):
3371         * b3/B3EnsureLoopPreHeaders.h: Added.
3372         * b3/B3Generate.cpp:
3373         (JSC::B3::generateToAir):
3374         * b3/B3HoistLoopInvariantValues.cpp: Added.
3375         (JSC::B3::hoistLoopInvariantValues):
3376         * b3/B3HoistLoopInvariantValues.h: Added.
3377         * b3/B3NaturalLoops.h: Added.
3378         (JSC::B3::NaturalLoops::NaturalLoops):
3379         * b3/B3Procedure.cpp:
3380         (JSC::B3::Procedure::invalidateCFG):
3381         (JSC::B3::Procedure::naturalLoops):
3382         (JSC::B3::Procedure::backwardsCFG):
3383         (JSC::B3::Procedure::backwardsDominators):
3384         * b3/B3Procedure.h:
3385         * b3/testb3.cpp:
3386         (JSC::B3::generateLoop):
3387         (JSC::B3::makeArrayForLoops):
3388         (JSC::B3::generateLoopNotBackwardsDominant):
3389         (JSC::B3::oneFunction):
3390         (JSC::B3::noOpFunction):
3391         (JSC::B3::testLICMPure):
3392         (JSC::B3::testLICMPureSideExits):
3393         (JSC::B3::testLICMPureWritesPinned):