Make generate_offset_extractor.rb architectures argument more robust
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-08-21  Keith Miller  <keith_miller@apple.com>
2
3         Make generate_offset_extractor.rb architectures argument more robust
4         https://bugs.webkit.org/show_bug.cgi?id=175809
5
6         Reviewed by Joseph Pecoraro.
7
8         It turns out that some of our builders pass their architectures as
9         space separated lists.  I decided to just make the splitting of
10         our list robust to any reasonable combination of spaces and
11         commas.
12
13         * offlineasm/generate_offset_extractor.rb:
14
15 2017-08-21  Keith Miller  <keith_miller@apple.com>
16
17         Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
18         https://bugs.webkit.org/show_bug.cgi?id=175690
19
20         Reviewed by Michael Saboff.
21
22         This should reduce some of the time we spend building offline asm
23         in our builds (except for Linux since they already did this).
24
25         * CMakeLists.txt:
26         * JavaScriptCore.xcodeproj/project.pbxproj:
27         * offlineasm/backends.rb:
28         * offlineasm/generate_offset_extractor.rb:
29
30 2017-08-20  Mark Lam  <mark.lam@apple.com>
31
32         Gardening: fix CLoop build.
33         https://bugs.webkit.org/show_bug.cgi?id=175688
34         <rdar://problem/33436870>
35
36         Not reviewed.
37
38         Make these files dependent on ENABLE(MASM_PROBE).
39
40         * assembler/ProbeContext.cpp:
41         * assembler/ProbeContext.h:
42         * assembler/ProbeStack.cpp:
43         * assembler/ProbeStack.h:
44
45 2017-08-20  Mark Lam  <mark.lam@apple.com>
46
47         Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
48         https://bugs.webkit.org/show_bug.cgi?id=175688
49         <rdar://problem/33436870>
50
51         Reviewed by JF Bastien.
52
53         With this patch, the clients of the MacroAssembler::probe() can now change
54         stack values without having to worry about whether there is enough room in the
55         current stack frame for it or not.  This is done using the Probe::Context's stack
56         member like so:
57
58             jit.probe([] (Probe::Context& context) {
59                 auto cpu = context.cpu;
60                 auto stack = context.stack();
61                 uintptr_t* currentSP = cpu.sp<uintptr_t*>();
62
63                 // Get a value at the current stack pointer location.
64                 auto value = stack.get<uintptr_t>(currentSP);
65
66                 // Set a value above the current stack pointer (within current frame).
67                 stack.set<uintptr_t>(currentSP + 10, value);
68
69                 // Set a value below the current stack pointer (out of current frame).
70                 stack.set<uintptr_t>(currentSP - 10, value);
71
72                 // Set the new stack pointer.
73                 cpu.sp() = currentSP - 20;
74             });
75
76         What happens behind the scene:
77
78         1. the generated JIT probe code will now call Probe::executeProbe(), and
79            Probe::executeProbe() will in turn call the client's probe function.
80
81            Probe::executeProbe() receives the Probe::State on the machine stack passed
82            to it by the probe trampoline.  Probe::executeProbe() will instantiate a
83            Probe::Context to be passed to the client's probe function.  The client will
84            no longer see the Probe::State directly.
85
86         2. The Probe::Context comes with a Probe::Stack which serves as a manager of
87            stack pages.  Currently, each page is 1K in size.
88            Probe::Context::stack() returns a reference to an instance of Probe::Stack.
89
90         3. Invoking get() or set() on Probe::Stack with an address will lead to the
91            following:
92
93            a. the address will be decoded to a baseAddress that points to the 1K page
94               that contains that address.
95
96            b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
97               If so, go to step (f).  Else, continue with step (c).
98
99            c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
100               for that specified baseAddress to this mirror page.
101
102            d. the mirror page will be added to the ProbeStack's m_pages HashMap,
103               keyed on the baseAddress.
104
105            e. the ProbeStack will also cache the last baseAddress and its corresponding
106               mirror page in use.  With memory accesses tending to be localized, this
107               will save us from having to look up the page in the HashMap.
108
109            f. get() will map the requested address to a physical address in the mirror
110               page, and return the value at that location.
111
112            g. set() will map the requested address to a physical address in the mirror
113               page, and set the value at that location in the mirror page.
114
115               set() will also set a dirty bit corresponding to the "cache line" that
116               was modified in the mirror page.
117
118         4. When the client's probe function returns, Probe::executeProbe() will check if
119            there are stack changes that need to be applied.  If stack changes are needed:
120
121            a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
122               space is available to flush the dirty stack pages.  It will also register a
123               flushStackDirtyPages callback function in the Probe::State.  Thereafter,
124               Probe::executeProbe() returns to the probe trampoline.
125
126            b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
127               a safe place if needed, and then calls the flushStackDirtyPages callback
128               if needed.
129
130            c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
131               HashMap and flushes all dirty "cache lines" to the machine stack.
132               Thereafter, flushStackDirtyPages() returns to the probe trampoline.
133
134            d. lastly, the probe trampoline will restore all register values and return
135               to the pc set in the Probe::State.
136
137         To make this patch work, I also had to do the following work:
138
139         5. Refactor MacroAssembler::CPUState into Probe::CPUState.
140            Mainly, this means moving the code over to ProbeContext.h.
141            I also added some convenience accessor methods for spr registers. 
142
143            Moved Probe::Context over to its own file ProbeContext.h/cpp.
144
145         6. Fix all probe trampolines to pass the address of Probe::executeProbe in
146            addition to the client's probe function and arg.
147
148            I also took this opportunity to optimize the generated JIT probe code to
149            minimize the amount of memory stores needed. 
150
151         7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
152            either lr or pc (or neither), but not both in the same probe invocation.
153            The ARM64 probe trampoline used to have to check for this invariant in the
154            assembly trampoline code.  With the introduction of Probe::executeProbe(),
155            we can now do it there and simplify the trampoline.
156
157         8. Fix a bug in the old ARM64 probe trampoline for the case where the client
158            changes lr.  That code path never worked before, but has now been fixed.
159
160         9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
161            MacroAssemblerARMv7.
162
163            We can now use move() with TrustedImmPtr, and it does the same thing but in a
164            more generic way.
165
166        10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
167            the same semantics as movs (according to the Thumb spec).  This means these
168            instructions may trash the APSR flags before we have a chance to preserve them.
169
170            This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
171            early on.  This entails adding support for the mrs instruction in the
172            ARMv7Assembler.
173
174        11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
175            the easy way.
176
177            Also fixed testmasm tests which check flag registers to only compare the
178            portions that are modifiable by the client i.e. some masking is applied.
179
180         This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.
181
182         * CMakeLists.txt:
183         * JavaScriptCore.xcodeproj/project.pbxproj:
184         * assembler/ARMv7Assembler.h:
185         (JSC::ARMv7Assembler::mrs):
186         * assembler/AbstractMacroAssembler.h:
187         * assembler/MacroAssembler.cpp:
188         (JSC::stdFunctionCallback):
189         (JSC::MacroAssembler::probe):
190         * assembler/MacroAssembler.h:
191         (JSC::MacroAssembler::CPUState::gprName): Deleted.
192         (JSC::MacroAssembler::CPUState::sprName): Deleted.
193         (JSC::MacroAssembler::CPUState::fprName): Deleted.
194         (JSC::MacroAssembler::CPUState::gpr): Deleted.
195         (JSC::MacroAssembler::CPUState::spr): Deleted.
196         (JSC::MacroAssembler::CPUState::fpr): Deleted.
197         (JSC:: const): Deleted.
198         (JSC::MacroAssembler::CPUState::fpr const): Deleted.
199         (JSC::MacroAssembler::CPUState::pc): Deleted.
200         (JSC::MacroAssembler::CPUState::fp): Deleted.
201         (JSC::MacroAssembler::CPUState::sp): Deleted.
202         (JSC::MacroAssembler::CPUState::pc const): Deleted.
203         (JSC::MacroAssembler::CPUState::fp const): Deleted.
204         (JSC::MacroAssembler::CPUState::sp const): Deleted.
205         (JSC::Probe::State::gpr): Deleted.
206         (JSC::Probe::State::spr): Deleted.
207         (JSC::Probe::State::fpr): Deleted.
208         (JSC::Probe::State::gprName): Deleted.
209         (JSC::Probe::State::sprName): Deleted.
210         (JSC::Probe::State::fprName): Deleted.
211         (JSC::Probe::State::pc): Deleted.
212         (JSC::Probe::State::fp): Deleted.
213         (JSC::Probe::State::sp): Deleted.
214         * assembler/MacroAssemblerARM.cpp:
215         (JSC::MacroAssembler::probe):
216         * assembler/MacroAssemblerARM.h:
217         (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
218         * assembler/MacroAssemblerARM64.cpp:
219         (JSC::MacroAssembler::probe):
220         (JSC::arm64ProbeError): Deleted.
221         * assembler/MacroAssemblerARMv7.cpp:
222         (JSC::MacroAssembler::probe):
223         * assembler/MacroAssemblerARMv7.h:
224         (JSC::MacroAssemblerARMv7::armV7Condition):
225         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
226         * assembler/MacroAssemblerPrinter.cpp:
227         (JSC::Printer::printCallback):
228         * assembler/MacroAssemblerPrinter.h:
229         * assembler/MacroAssemblerX86Common.cpp:
230         (JSC::ctiMasmProbeTrampoline):
231         (JSC::MacroAssembler::probe):
232         * assembler/Printer.h:
233         (JSC::Printer::Context::Context):
234         * assembler/ProbeContext.cpp: Added.
235         (JSC::Probe::executeProbe):
236         (JSC::Probe::handleProbeStackInitialization):
237         (JSC::Probe::probeStateForContext):
238         * assembler/ProbeContext.h: Added.
239         (JSC::Probe::CPUState::gprName):
240         (JSC::Probe::CPUState::sprName):
241         (JSC::Probe::CPUState::fprName):
242         (JSC::Probe::CPUState::gpr):
243         (JSC::Probe::CPUState::spr):
244         (JSC::Probe::CPUState::fpr):
245         (JSC::Probe:: const):
246         (JSC::Probe::CPUState::fpr const):
247         (JSC::Probe::CPUState::pc):
248         (JSC::Probe::CPUState::fp):
249         (JSC::Probe::CPUState::sp):
250         (JSC::Probe::CPUState::pc const):
251         (JSC::Probe::CPUState::fp const):
252         (JSC::Probe::CPUState::sp const):
253         (JSC::Probe::Context::Context):
254         (JSC::Probe::Context::gpr):
255         (JSC::Probe::Context::spr):
256         (JSC::Probe::Context::fpr):
257         (JSC::Probe::Context::gprName):
258         (JSC::Probe::Context::sprName):
259         (JSC::Probe::Context::fprName):
260         (JSC::Probe::Context::pc):
261         (JSC::Probe::Context::fp):
262         (JSC::Probe::Context::sp):
263         (JSC::Probe::Context::stack):
264         (JSC::Probe::Context::hasWritesToFlush):
265         (JSC::Probe::Context::releaseStack):
266         * assembler/ProbeStack.cpp: Added.
267         (JSC::Probe::Page::Page):
268         (JSC::Probe::Page::flushWrites):
269         (JSC::Probe::Stack::Stack):
270         (JSC::Probe::Stack::hasWritesToFlush):
271         (JSC::Probe::Stack::flushWrites):
272         (JSC::Probe::Stack::ensurePageFor):
273         * assembler/ProbeStack.h: Added.
274         (JSC::Probe::Page::baseAddressFor):
275         (JSC::Probe::Page::chunkAddressFor):
276         (JSC::Probe::Page::baseAddress):
277         (JSC::Probe::Page::get):
278         (JSC::Probe::Page::set):
279         (JSC::Probe::Page::hasWritesToFlush const):
280         (JSC::Probe::Page::flushWritesIfNeeded):
281         (JSC::Probe::Page::dirtyBitFor):
282         (JSC::Probe::Page::physicalAddressFor):
283         (JSC::Probe::Stack::Stack):
284         (JSC::Probe::Stack::lowWatermark):
285         (JSC::Probe::Stack::get):
286         (JSC::Probe::Stack::set):
287         (JSC::Probe::Stack::newStackPointer const):
288         (JSC::Probe::Stack::setNewStackPointer):
289         (JSC::Probe::Stack::isValid):
290         (JSC::Probe::Stack::pageFor):
291         * assembler/testmasm.cpp:
292         (JSC::testProbeReadsArgumentRegisters):
293         (JSC::testProbeWritesArgumentRegisters):
294         (JSC::testProbePreservesGPRS):
295         (JSC::testProbeModifiesStackPointer):
296         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
297         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
298         (JSC::testProbeModifiesProgramCounter):
299         (JSC::testProbeModifiesStackValues):
300         (JSC::run):
301         (): Deleted.
302         (JSC::fillStack): Deleted.
303         (JSC::testProbeModifiesStackWithCallback): Deleted.
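
        The mirror-page scheme of steps 2 through 4 above, as an added editorial example in C++.
        This is a model written for this page, not JSC's ProbeStack.h/cpp. The 1K page size follows
        the entry; the 64-byte chunk used as the "cache line" for the dirty bits, the one-entry
        last-page cache and the heap buffer standing in for the machine stack are assumptions of the
        model. It shows what the entry's get()/set() calls at and below sp amount to: nothing reaches
        the machine stack until the flush, and the flush writes back only the chunks that were set(),
        so a chunk that something else wrote after the snapshot was taken survives.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>
#include <vector>

namespace ProbeModel {
constexpr size_t pageSize = 1024;                       // "each page is 1K in size"
constexpr size_t chunkSize = 64;                        // assumed "cache line" granularity for the dirty bits
constexpr size_t chunksPerPage = pageSize / chunkSize;  // 16, so a uint16_t holds the dirty bitmap

// One mirror page: a private copy of a 1K-aligned slice of the machine stack, plus its dirty bits.
class Page {
public:
    explicit Page(uintptr_t baseAddress) : m_baseAddress(baseAddress) {
        std::memcpy(m_mirror, reinterpret_cast<const void*>(baseAddress), pageSize);  // step (c): snapshot
    }
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(pageSize - 1); }  // step (a)
    uintptr_t baseAddress() const { return m_baseAddress; }
    template<typename T> T get(uintptr_t address) const {  // step (f): read from the mirror, never the stack
        T value;
        std::memcpy(&value, m_mirror + (address - m_baseAddress), sizeof(T));
        return value;
    }
    template<typename T> void set(uintptr_t address, T value) {  // step (g): write the mirror, mark chunks dirty
        size_t offset = address - m_baseAddress;
        std::memcpy(m_mirror + offset, &value, sizeof(T));
        for (size_t chunk = offset / chunkSize; chunk <= (offset + sizeof(T) - 1) / chunkSize; ++chunk)
            m_dirtyBits |= uint16_t(1u << chunk);
    }
    size_t flushWrites() {  // step 4(c): write back only dirty chunks; clean chunks on the stack are untouched
        size_t flushed = 0;
        for (size_t chunk = 0; chunk < chunksPerPage; ++chunk) {
            if (!(m_dirtyBits & (1u << chunk)))
                continue;
            std::memcpy(reinterpret_cast<void*>(m_baseAddress + chunk * chunkSize), m_mirror + chunk * chunkSize, chunkSize);
            ++flushed;
        }
        m_dirtyBits = 0;
        return flushed;
    }
private:
    uintptr_t m_baseAddress;
    uint8_t m_mirror[pageSize];
    uint16_t m_dirtyBits = 0;
};

// The page manager: mirror pages keyed on base address (step (d)) plus the one-entry cache of step (e).
class Stack {
public:
    template<typename T> T get(uintptr_t address) { return pageFor(address, sizeof(T))->get<T>(address); }
    template<typename T> void set(uintptr_t address, T value) { pageFor(address, sizeof(T))->set<T>(address, value); }
    size_t pageCount() const { return m_pages.size(); }
    size_t flushWrites() { size_t n = 0; for (auto& entry : m_pages) n += entry.second->flushWrites(); return n; }
private:
    Page* pageFor(uintptr_t address, size_t size) {
        uintptr_t base = Page::baseAddressFor(address);
        assert(Page::baseAddressFor(address + size - 1) == base && "model does not split an access across pages");
        if (m_lastPage && m_lastPage->baseAddress() == base)
            return m_lastPage;
        auto it = m_pages.find(base);  // step (b)
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::unique_ptr<Page>(new Page(base))).first;
        m_lastPage = it->second.get();
        return m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage = nullptr;
};

struct DemoResult {
    size_t pagesMirrored, chunksFlushed;
    bool machineUntouchedBeforeFlush, cacheSeesWrite, foreignWritePreserved;
    uint64_t valueAtSP, valueBelowSP;
};

// Drives the model against a constructed stand-in for the machine stack (a heap buffer, not a real frame).
DemoResult runDemo() {
    std::vector<uint8_t> storage(3 * pageSize, 0xAA);
    uintptr_t base = (reinterpret_cast<uintptr_t>(storage.data()) + pageSize - 1) & ~uintptr_t(pageSize - 1);
    uint8_t* page1 = reinterpret_cast<uint8_t*>(base + pageSize);
    uintptr_t sp = base + pageSize + 512;  // the probe's "current sp" sits in page 1
    Stack stack;
    DemoResult r {};
    stack.set<uint64_t>(sp, 0x1122334455667788ull);        // within the current frame
    stack.set<uint64_t>(sp - 600, 0xCAFEF00DDEADBEEFull);  // below sp, in page 0: a second mirror page
    r.pagesMirrored = stack.pageCount();
    uint64_t before;
    std::memcpy(&before, reinterpret_cast<void*>(sp), sizeof before);
    r.machineUntouchedBeforeFlush = before == 0xAAAAAAAAAAAAAAAAull;  // nothing hits the stack before the flush
    r.cacheSeesWrite = stack.get<uint64_t>(sp) == 0x1122334455667788ull;
    std::memset(page1, 0x55, 8);  // another writer touches a clean chunk of page 1 after the snapshot
    r.chunksFlushed = stack.flushWrites();
    r.foreignWritePreserved = page1[0] == 0x55;  // a whole-page copy-back would have reverted this to 0xAA
    std::memcpy(&r.valueAtSP, reinterpret_cast<void*>(sp), sizeof r.valueAtSP);
    std::memcpy(&r.valueBelowSP, reinterpret_cast<void*>(sp - 600), sizeof r.valueBelowSP);
    return r;
}
}  // namespace ProbeModel
```

        runDemo() returns what a caller can check: two mirror pages (the write at sp - 600 bytes
        crosses into the page below), two dirty chunks flushed, and the foreign write to a clean
        chunk left intact. The assert in pageFor() is the model's stand-in for an access that
        straddles two pages, which the entry does not describe.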
304
305 2017-08-19  Andy Estes  <aestes@apple.com>
306
307         [Payment Request] Add interface stubs
308         https://bugs.webkit.org/show_bug.cgi?id=175730
309
310         Reviewed by Youenn Fablet.
311
312         * runtime/CommonIdentifiers.h:
313
314 2017-08-18  Per Arne Vollan  <pvollan@apple.com>
315
316         Implement 32-bit MacroAssembler::probe support for Windows.
317         https://bugs.webkit.org/show_bug.cgi?id=175449
318
319         Reviewed by Mark Lam.
320
321         This is needed to enable the DFG.
322
323         * assembler/MacroAssemblerX86Common.cpp:
324         * assembler/testmasm.cpp:
325         (JSC::run):
326         (dllLauncherEntryPoint):
327         * shell/CMakeLists.txt:
328         * shell/PlatformWin.cmake:
329
330 2017-08-18  Mark Lam  <mark.lam@apple.com>
331
332         Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
333         https://bugs.webkit.org/show_bug.cgi?id=175725
334         <rdar://problem/33965477>
335
336         Rubber-stamped by JF Bastien.
337
338         This is purely a refactoring patch (in preparation for the introduction of a
339         Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
340         later).  This patch does not change any semantics / behavior.
341
342         * assembler/AbstractMacroAssembler.h:
343         * assembler/MacroAssembler.cpp:
344         (JSC::stdFunctionCallback):
345         (JSC::MacroAssembler::probe):
346         * assembler/MacroAssembler.h:
347         (JSC::ProbeContext::gpr): Deleted.
348         (JSC::ProbeContext::spr): Deleted.
349         (JSC::ProbeContext::fpr): Deleted.
350         (JSC::ProbeContext::gprName): Deleted.
351         (JSC::ProbeContext::sprName): Deleted.
352         (JSC::ProbeContext::fprName): Deleted.
353         (JSC::ProbeContext::pc): Deleted.
354         (JSC::ProbeContext::fp): Deleted.
355         (JSC::ProbeContext::sp): Deleted.
356         * assembler/MacroAssemblerARM.cpp:
357         (JSC::MacroAssembler::probe):
358         * assembler/MacroAssemblerARM.h:
359         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
360         * assembler/MacroAssemblerARM64.cpp:
361         (JSC::arm64ProbeError):
362         (JSC::MacroAssembler::probe):
363         * assembler/MacroAssemblerARMv7.cpp:
364         (JSC::MacroAssembler::probe):
365         * assembler/MacroAssemblerARMv7.h:
366         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
367         * assembler/MacroAssemblerPrinter.cpp:
368         (JSC::Printer::printCallback):
369         * assembler/MacroAssemblerPrinter.h:
370         * assembler/MacroAssemblerX86Common.cpp:
371         (JSC::MacroAssembler::probe):
372         * assembler/Printer.h:
373         (JSC::Printer::Context::Context):
374         * assembler/testmasm.cpp:
375         (JSC::testProbeReadsArgumentRegisters):
376         (JSC::testProbeWritesArgumentRegisters):
377         (JSC::testProbePreservesGPRS):
378         (JSC::testProbeModifiesStackPointer):
379         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
380         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
381         (JSC::testProbeModifiesProgramCounter):
382         (JSC::fillStack):
383         (JSC::testProbeModifiesStackWithCallback):
384         (JSC::run):
385         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.
386
387 2017-08-17  JF Bastien  <jfbastien@apple.com>
388
389         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
390         https://bugs.webkit.org/show_bug.cgi?id=175693
391         <rdar://problem/33952443>
392
393         Reviewed by Saam Barati.
394
395         64-bit constants in an unreachable context were being decoded as
396         32-bit constants. This is pretty benign because unreachable code
397         shouldn't occur often. The effect is that 64-bit constants which
398         can't be encoded as 32-bit constants would cause the binary to be
399         rejected.
400
401         At the same time, 32-bit integer constants should be decoded as signed.
402
403         * wasm/WasmFunctionParser.h:
404         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
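
        The decoding difference described above, as an added editorial example in C++ (not JSC's
        WasmFunctionParser or WTF's LEB decoder). The varint rules used are the standard signed and
        unsigned LEB128 limits for 32- and 64-bit values, and the byte strings are constructed for
        the demo. Decoding sleb128(2^32) with the 32-bit decoder fails, which is the rejection the
        entry describes, while the same bytes decode with the 64-bit one; and the single byte 0x7f
        is -1 as a signed varint32 but 127 as an unsigned one, which is why the 32-bit immediate has
        to be decoded as signed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

namespace LebModel {

// Signed LEB128 of width Bits (32 or 64), the varint form wasm uses for const immediates: at most
// ceil(Bits/7) bytes, and the bits of the final byte that fall outside the width must all equal the
// sign bit. On success `out` is set, `offset` is advanced past the encoding, and true is returned.
template<unsigned Bits>
bool decodeSigned(const std::vector<uint8_t>& bytes, size_t& offset, int64_t& out) {
    static_assert(Bits == 32 || Bits == 64, "width must be 32 or 64");
    constexpr size_t maxBytes = (Bits + 6) / 7;  // 5 for varint32, 10 for varint64
    uint64_t result = 0;
    size_t cursor = offset;
    for (size_t i = 0; i < maxBytes; ++i) {
        if (cursor >= bytes.size())
            return false;  // truncated input
        uint8_t byte = bytes[cursor++];
        unsigned shift = 7 * i;
        uint64_t payload = byte & 0x7f;
        result |= payload << shift;
        if (byte & 0x80)
            continue;
        bool negative = (byte & 0x40) != 0;
        if (shift + 7 < Bits) {
            if (negative)
                result |= ~uint64_t(0) << (shift + 7);  // sign-extend the bits above this byte
        } else if (shift + 7 > Bits) {
            unsigned validBits = Bits - shift;  // payload bits that still fit in the width
            uint8_t overflow = uint8_t(payload >> validBits);  // the rest must be all 0 or all 1
            if (overflow != (negative ? uint8_t(0x7f >> validBits) : uint8_t(0)))
                return false;  // does not fit: the rejection the entry describes for a wide i64 read as i32
        }
        offset = cursor;
        out = Bits == 32 ? int64_t(int32_t(uint32_t(result))) : int64_t(result);
        return true;
    }
    return false;  // continuation bit still set after the byte limit
}

// Unsigned LEB128 of the same width, here only to show what reading a signed immediate as unsigned yields.
template<unsigned Bits>
bool decodeUnsigned(const std::vector<uint8_t>& bytes, size_t& offset, uint64_t& out) {
    constexpr size_t maxBytes = (Bits + 6) / 7;
    uint64_t result = 0;
    size_t cursor = offset;
    for (size_t i = 0; i < maxBytes; ++i) {
        if (cursor >= bytes.size())
            return false;
        uint8_t byte = bytes[cursor++];
        unsigned shift = 7 * i;
        uint64_t payload = byte & 0x7f;
        if (shift + 7 > Bits && (payload >> (Bits - shift)) != 0)
            return false;  // high bits set beyond the width
        result |= payload << shift;
        if (!(byte & 0x80)) {
            offset = cursor;
            out = result;
            return true;
        }
    }
    return false;
}

// Immediate of i32.const (opcode 0x41) or i64.const (0x42). The entry's bug amounts to calling this
// with widthIs64 == false for an i64.const that sits in unreachable code.
bool parseConstImmediate(bool widthIs64, const std::vector<uint8_t>& bytes, size_t& offset, int64_t& out) {
    return widthIs64 ? decodeSigned<64>(bytes, offset, out) : decodeSigned<32>(bytes, offset, out);
}

struct DemoResult {
    int64_t minusOneSigned;      // byte 0x7f read as a signed varint32
    uint64_t minusOneUnsigned;   // the same byte read as an unsigned varint32
    bool twoPow32AcceptedAs64;   // sleb128(2^32) decoded with the right width
    int64_t twoPow32Value;
    size_t twoPow32Length;       // bytes consumed by the 64-bit decode
    bool twoPow32AcceptedAs32;   // the same bytes decoded as a varint32 (the bug): rejected
    int64_t int32MinSigned;      // -2^31 needs the fifth byte's sign handling
};

DemoResult runDemo() {
    const std::vector<uint8_t> minusOne { 0x7f };                          // constructed: sleb128(-1)
    const std::vector<uint8_t> twoPow32 { 0x80, 0x80, 0x80, 0x80, 0x10 };  // constructed: sleb128(2^32)
    const std::vector<uint8_t> int32Min { 0x80, 0x80, 0x80, 0x80, 0x78 };  // constructed: sleb128(-2^31)
    DemoResult r {};
    int64_t scratch = 0;
    size_t offset = 0;
    decodeSigned<32>(minusOne, offset, r.minusOneSigned);
    offset = 0;
    decodeUnsigned<32>(minusOne, offset, r.minusOneUnsigned);
    offset = 0;
    r.twoPow32AcceptedAs64 = parseConstImmediate(true, twoPow32, offset, r.twoPow32Value);
    r.twoPow32Length = offset;
    offset = 0;
    r.twoPow32AcceptedAs32 = parseConstImmediate(false, twoPow32, offset, scratch);
    offset = 0;
    decodeSigned<32>(int32Min, offset, r.int32MinSigned);
    return r;
}

}  // namespace LebModel
```

        The width check lives in the final byte: a varint32 may use five bytes, but only four bits
        of the fifth are value bits, so sleb128(2^32) has a set bit there that is neither zero nor
        the sign bit and is refused, while sleb128(-2^31) passes because its spare bits all equal
        the sign.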
405
406 2017-08-17  Robin Morisset  <rmorisset@apple.com>
407
408         Teach DFGFixupPhase.cpp that the current scope is always a cell
409         https://bugs.webkit.org/show_bug.cgi?id=175610
410
411         Reviewed by Keith Miller.
412
413         Also teach it that the argument to with can usually be speculated to be an object,
414         since toObject() is called on it.
415
416         * dfg/DFGFixupPhase.cpp:
417         (JSC::DFG::FixupPhase::fixupNode):
418         * dfg/DFGSpeculativeJIT.cpp:
419         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
420         * dfg/DFGSpeculativeJIT.h:
421         (JSC::DFG::SpeculativeJIT::callOperation):
422         * ftl/FTLLowerDFGToB3.cpp:
423         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
424         * jit/JITOperations.cpp:
425         * jit/JITOperations.h:
426
427 2017-08-17  Matt Baker  <mattbaker@apple.com>
428
429         Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
430         https://bugs.webkit.org/show_bug.cgi?id=175644
431
432         Reviewed by Brian Burg.
433
434         * inspector/agents/InspectorScriptProfilerAgent.h:
435
436 2017-08-17  Mark Lam  <mark.lam@apple.com>
437
438         Only use 16 VFP registers if !CPU(ARM_NEON).
439         https://bugs.webkit.org/show_bug.cgi?id=175514
440
441         Reviewed by JF Bastien.
442
443         Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
444         says that there are only 16 128-bit NEON registers.  This change is merely to
445         correct the code documentation of these registers.  The FPQuadRegisterID are
446         currently unused.
447
448         * assembler/ARMAssembler.h:
449         (JSC::ARMAssembler::lastFPRegister):
450         (JSC::ARMAssembler::fprName):
451         * assembler/ARMv7Assembler.h:
452         (JSC::ARMv7Assembler::lastFPRegister):
453         (JSC::ARMv7Assembler::fprName):
454         * assembler/MacroAssemblerARM.cpp:
455         * assembler/MacroAssemblerARMv7.cpp:
456
457 2017-08-17  Andreas Kling  <akling@apple.com>
458
459         Disable CSS regions at compile time
460         https://bugs.webkit.org/show_bug.cgi?id=175630
461
462         Reviewed by Antti Koivisto.
463
464         * Configurations/FeatureDefines.xcconfig:
465
466 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
467
468         [WPE][GTK] Ensure proper casting of data in gvariants
469         https://bugs.webkit.org/show_bug.cgi?id=175667
470
471         Reviewed by Michael Catanzaro.
472
473         g_variant_new requires data to have the correct width for their types, using
474         casting if necessary. Some data of type `unsigned` were being saved to `guint64`
475         types without explicit casting, leading to undefined behavior on some platforms.
476
477         * inspector/remote/glib/RemoteInspectorGlib.cpp:
478         (Inspector::RemoteInspector::listingForInspectionTarget const):
479         (Inspector::RemoteInspector::listingForAutomationTarget const):
480         (Inspector::RemoteInspector::sendMessageToRemote):
481
482 2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
483
484         [JSC] Avoid code bloating for iteration if block does not have "break"
485         https://bugs.webkit.org/show_bug.cgi?id=173228
486
487         Reviewed by Keith Miller.
488
489         Currently, we always emit code for the break path when emitting for-of iteration.
490         But we can know whether this break path can be used when emitting the bytecode.
491
492         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
493         the break label may be bound. We emit a breaked path only when it returns
494         true. This reduces bytecode bloating when using for-of iteration.
495
496         * bytecompiler/BytecodeGenerator.cpp:
497         (JSC::Label::setLocation):
498         (JSC::BytecodeGenerator::newLabel):
499         (JSC::BytecodeGenerator::emitLabel):
500         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
501         (JSC::BytecodeGenerator::breakTarget):
502         (JSC::BytecodeGenerator::continueTarget):
503         (JSC::BytecodeGenerator::emitEnumeration):
504         * bytecompiler/BytecodeGenerator.h:
505         * bytecompiler/Label.h:
506         (JSC::Label::bind const):
507         (JSC::Label::hasOneRef const):
508         (JSC::Label::isBound const):
509         (JSC::Label::Label): Deleted.
510         * bytecompiler/LabelScope.h:
511         (JSC::LabelScope::hasOneRef const):
512         (JSC::LabelScope::breakTargetMayBeBound const):
513         * bytecompiler/NodesCodegen.cpp:
514         (JSC::ContinueNode::trivialTarget):
515         (JSC::ContinueNode::emitBytecode):
516         (JSC::BreakNode::trivialTarget):
517         (JSC::BreakNode::emitBytecode):
518
519 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
520
521         ARM build fix after r220807 and r220834.
522         https://bugs.webkit.org/show_bug.cgi?id=175617
523
524         Unreviewed typo fix.
525
526         * assembler/MacroAssemblerARM.cpp:
527
528 2017-08-17  Mark Lam  <mark.lam@apple.com>
529
530         Gardening: build fix for ARM_TRADITIONAL after r220807.
531         https://bugs.webkit.org/show_bug.cgi?id=175617
532
533         Not reviewed.
534
535         * assembler/MacroAssemblerARM.cpp:
536
537 2017-08-16  Mark Lam  <mark.lam@apple.com>
538
539         Add back the ability to disable MASM_PROBE from the build.
540         https://bugs.webkit.org/show_bug.cgi?id=175656
541         <rdar://problem/33933720>
542
543         Reviewed by Yusuke Suzuki.
544
545         This is needed for ports that the existing MASM_PROBE implementation doesn't work
546         well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
547         default if !ENABLE(MASM_PROBE).
548
549         * assembler/AbstractMacroAssembler.h:
550         * assembler/MacroAssembler.cpp:
551         * assembler/MacroAssembler.h:
552         * assembler/MacroAssemblerARM.cpp:
553         * assembler/MacroAssemblerARM64.cpp:
554         * assembler/MacroAssemblerARMv7.cpp:
555         * assembler/MacroAssemblerPrinter.cpp:
556         * assembler/MacroAssemblerPrinter.h:
557         * assembler/MacroAssemblerX86Common.cpp:
558         * assembler/testmasm.cpp:
559         (JSC::run):
560         * b3/B3LowerToAir.cpp:
561         * b3/air/AirPrintSpecial.cpp:
562         * b3/air/AirPrintSpecial.h:
563
564 2017-08-16  Dan Bernstein  <mitz@apple.com>
565
566         [Cocoa] Older-iOS install name symbols are being exported on other platforms
567         https://bugs.webkit.org/show_bug.cgi?id=175654
568
569         Reviewed by Tim Horton.
570
571         * API/JSBase.cpp: Define the symbols only when targeting iOS.
572
573 2017-08-16  Matt Baker  <mattbaker@apple.com>
574
575         Web Inspector: capture async stack trace when workers/main context posts a message
576         https://bugs.webkit.org/show_bug.cgi?id=167084
577         <rdar://problem/30033673>
578
579         Reviewed by Brian Burg.
580
581         * inspector/agents/InspectorDebuggerAgent.h:
582         Add `PostMessage` async call type.
583
584 2017-08-16  Mark Lam  <mark.lam@apple.com>
585
586         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
587         https://bugs.webkit.org/show_bug.cgi?id=175617
588         <rdar://problem/33912104>
589
590         Reviewed by JF Bastien.
591
592         This patch adds a new feature to MacroAssembler::probe() where the probe function
593         can provide a ProbeFunction callback to fill in stack values after the stack
594         pointer has been adjusted.  The probe function can use this feature as follows:
595
596         1. Set the new sp value in the ProbeContext's CPUState.
597
598         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
599            which will do the work of filling in the stack values after the probe
600            trampoline has adjusted the machine stack pointer.
601
602         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
603            to pass to the initializeStackFunction callback.
604
605         4. Return from the probe function.
606
607         Upon returning from the probe function, the probe trampoline will adjust the
608         stack pointer based on the sp value in CPUState.  If initializeStackFunction
609         is not set, the probe trampoline will restore registers and return to its caller.
610
611         If initializeStackFunction is set, the trampoline will move the ProbeContext
612         beyond the range of the stack pointer, i.e. it will place the new ProbeContext at
613         an address lower than where CPUState.sp() points.  This ensures that the
614         ProbeContext will not be trashed by the initializeStackFunction when it writes to
615         the stack.  Then, the trampoline will call back to the initializeStackFunction
616         ProbeFunction to let it fill in the stack values as desired.  The
617         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
618         the new location.
619
620         initializeStackFunction may now write to the stack at addresses greater or
621         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
622         not allowed to change CPUState.sp().  If the initializeStackFunction does not
623         abide by these rules, then behavior is undefined, and bad things may happen.
624
625         For future reference, some implementation details that this patch needed to
626         be mindful of:
627
628         1. When the probe trampoline allocates stack space for the ProbeContext, it
629            should include OUT_SIZE as well.  This ensures that it doesn't have to move
630            the ProbeContext on exit if the probe function didn't change the sp.
631
632         2. If the trampoline has to move the ProbeContext, it needs to point the machine
633            sp to new ProbeContext first before copying over the ProbeContext data.  This
634            protects the new ProbeContext from possibly being trashed by interrupts.
635
636         3. When computing the new address of ProbeContext to move to, we need to make
637            sure that it is properly aligned in accordance with stack ABI requirements
638            (just like we did when we allocated the ProbeContext on entry to the
639            probe trampoline).
640
641         4. When copying the ProbeContext to its new location, the trampoline should
642            always copy words from low addresses to high addresses.  This is because if
643            we're moving the ProbeContext, we'll always be moving it to a lower address.
644
645         * assembler/MacroAssembler.h:
646         * assembler/MacroAssemblerARM.cpp:
647         * assembler/MacroAssemblerARM64.cpp:
648         * assembler/MacroAssemblerARMv7.cpp:
649         * assembler/MacroAssemblerX86Common.cpp:
650         * assembler/testmasm.cpp:
651         (JSC::testProbePreservesGPRS):
652         (JSC::testProbeModifiesStackPointer):
653         (JSC::fillStack):
654         (JSC::testProbeModifiesStackWithCallback):
655         (JSC::run):
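
        Points 3 and 4 of the implementation notes above, as an added editorial example in C++.
        This is a model written for this page, not the trampoline code in
        MacroAssemblerX86Common.cpp or the ARM files. The 16-byte stack alignment, the 32-word
        ProbeContext and the buffer standing in for the machine stack are assumptions. The client
        sets sp to a point inside the old ProbeContext, which is what
        testProbeModifiesStackPointerToInsideProbeStateOnStack exercises, so the destination below
        the new sp overlaps the source; the low-to-high copy keeps every word intact, and the
        high-to-low copy, run on the same layout for contrast, corrupts the low words.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

namespace RelocateModel {

using Word = uintptr_t;
constexpr size_t stackAlignment = 16;  // assumed ABI stack alignment (point 3)

// Point 3: the highest address at or below newSp - contextSize that satisfies the alignment.
uintptr_t alignedContextAddressBelow(uintptr_t newSp, size_t contextSize) {
    return (newSp - contextSize) & ~uintptr_t(stackAlignment - 1);
}

// Point 4: copy low address to high address. Safe when dst < src even if the two ranges overlap,
// because each source word is read before any later word of the copy can land on top of it.
void copyContextForward(Word* dst, const Word* src, size_t words) {
    for (size_t i = 0; i < words; ++i)
        dst[i] = src[i];
}

// The opposite direction, kept only to show why it is wrong for a move to a lower address.
void copyContextBackward(Word* dst, const Word* src, size_t words) {
    for (size_t i = words; i-- > 0;)
        dst[i] = src[i];
}

// Constructed stack image: a 32-word ProbeContext at words 40..71 and a client that set sp to a
// point inside it (the case testProbeModifiesStackPointerToInsideProbeStateOnStack exercises).
// Returns true when the relocated copy is word-for-word the original context.
bool relocationPreservesContext(bool copyForward) {
    constexpr size_t contextWords = 32;
    std::vector<Word> storage(96);
    uintptr_t base = (reinterpret_cast<uintptr_t>(storage.data()) + stackAlignment - 1) & ~uintptr_t(stackAlignment - 1);
    Word* words = reinterpret_cast<Word*>(base);
    for (size_t i = 0; i < 80; ++i)
        words[i] = 0x1000 + i;  // distinct values so any misplaced word is visible

    Word* oldContext = words + 40;
    std::vector<Word> expected(oldContext, oldContext + contextWords);
    uintptr_t newSp = reinterpret_cast<uintptr_t>(words + 60);  // inside the old ProbeContext
    Word* newContext = reinterpret_cast<Word*>(alignedContextAddressBelow(newSp, contextWords * sizeof(Word)));
    // Point 2 would go here: the real trampoline points the machine sp at newContext *before* copying,
    // so an interrupt cannot land on the new copy. Nothing else runs in this model, so it stays a comment.
    if (copyForward)
        copyContextForward(newContext, oldContext, contextWords);
    else
        copyContextBackward(newContext, oldContext, contextWords);
    for (size_t i = 0; i < contextWords; ++i) {
        if (newContext[i] != expected[i])
            return false;
    }
    return true;
}

}  // namespace RelocateModel
```

        With the layout above the new ProbeContext lands at words 28..59, so the copy's destination
        covers the low half of its own source; the backward copy overwrites word 40 (the old
        context's first word) before it has been read, which the forward copy never does.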
656
657 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
658
659         Fix JSCOnly ARM buildbots after r220047 and r220184
660         https://bugs.webkit.org/show_bug.cgi?id=174993
661
662         Reviewed by Carlos Alberto Lopez Perez.
663
664         * CMakeLists.txt: Generate only one backend on Linux to save build time.
665
666 2017-08-16  Andy Estes  <aestes@apple.com>
667
668         [Payment Request] Add an ENABLE flag and an experimental feature preference
669         https://bugs.webkit.org/show_bug.cgi?id=175622
670
671         Reviewed by Tim Horton.
672
673         * Configurations/FeatureDefines.xcconfig:
674
675 2017-08-15  Robin Morisset  <rmorisset@apple.com>
676
677         We are too conservative about the effects of PushWithScope
678         https://bugs.webkit.org/show_bug.cgi?id=175584
679
680         Reviewed by Saam Barati.
681
682         PushWithScope converts its argument to an object (this can throw a type error,
683         but has no other observable effect), and allocates a new scope, that it then
684         makes the new current scope. We were a bit too conservative in saying that it
685         clobbers the world.
686
687         * dfg/DFGAbstractInterpreterInlines.h:
688         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
689         * dfg/DFGClobberize.h:
690         (JSC::DFG::clobberize):
691         * dfg/DFGDoesGC.cpp:
692         (JSC::DFG::doesGC):
693
694 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
695
696         Make DataTransferItemList work with plain text entries
697         https://bugs.webkit.org/show_bug.cgi?id=175596
698
699         Reviewed by Wenson Hsieh.
700
701         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
702
703         * runtime/CommonIdentifiers.h:
704
705 2017-08-15  Robin Morisset  <rmorisset@apple.com>
706
707         Support the 'with' keyword in FTL
708         https://bugs.webkit.org/show_bug.cgi?id=175585
709
710         Reviewed by Saam Barati.
711
712         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
713         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
714         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
715         that takes its parentScope argument first.
716
717         * bytecompiler/BytecodeGenerator.cpp:
718         (JSC::BytecodeGenerator::emitPushWithScope):
719         * debugger/DebuggerCallFrame.cpp:
720         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
721         * dfg/DFGByteCodeParser.cpp:
722         (JSC::DFG::ByteCodeParser::parseBlock):
723         * dfg/DFGFixupPhase.cpp:
724         (JSC::DFG::FixupPhase::fixupNode):
725         * dfg/DFGSpeculativeJIT.cpp:
726         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
727         * ftl/FTLCapabilities.cpp:
728         (JSC::FTL::canCompile):
729         * ftl/FTLLowerDFGToB3.cpp:
730         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
731         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
732         * jit/JITOperations.cpp:
733         * runtime/CommonSlowPaths.cpp:
734         (JSC::SLOW_PATH_DECL):
735         * runtime/Completion.cpp:
736         (JSC::evaluateWithScopeExtension):
737         * runtime/JSWithScope.cpp:
738         (JSC::JSWithScope::create):
739         * runtime/JSWithScope.h:
740
741 2017-08-15  Saam Barati  <sbarati@apple.com>
742
743         Make VM::scratchBufferForSize thread safe
744         https://bugs.webkit.org/show_bug.cgi?id=175604
745
746         Reviewed by Geoffrey Garen and Mark Lam.
747
748         I want to use the VM::scratchBufferForSize in another patch I'm writing.
749         The use case for my other patch is to call it from the compiler thread.
750         When reading the code, I saw that this API was not thread safe. This patch
751         makes it thread safe. It actually turns out we were calling this API from
752         the compiler thread already when we created FTL::State for an FTL OSR entry
753         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
754         is now correct with this patch.
755
756         * runtime/VM.cpp:
757         (JSC::VM::VM):
758         (JSC::VM::~VM):
759         (JSC::VM::gatherConservativeRoots):
760         (JSC::VM::scratchBufferForSize):
761         * runtime/VM.h:
762         (JSC::VM::scratchBufferForSize): Deleted.
763
764 2017-08-15  Keith Miller  <keith_miller@apple.com>
765
766         JSC named bytecode offsets should use references rather than pointers
767         https://bugs.webkit.org/show_bug.cgi?id=175601
768
769         Reviewed by Saam Barati.
770
771         * dfg/DFGByteCodeParser.cpp:
772         (JSC::DFG::ByteCodeParser::parseBlock):
773         * jit/JITOpcodes.cpp:
774         (JSC::JIT::emit_op_overrides_has_instance):
775         (JSC::JIT::emit_op_instanceof):
776         (JSC::JIT::emitSlow_op_instanceof):
777         (JSC::JIT::emitSlow_op_instanceof_custom):
778         * jit/JITOpcodes32_64.cpp:
779         (JSC::JIT::emit_op_overrides_has_instance):
780         (JSC::JIT::emit_op_instanceof):
781         (JSC::JIT::emitSlow_op_instanceof):
782         (JSC::JIT::emitSlow_op_instanceof_custom):
783
784 2017-08-15  Keith Miller  <keith_miller@apple.com>
785
786         Enable named offsets into JSC bytecodes
787         https://bugs.webkit.org/show_bug.cgi?id=175561
788
789         Reviewed by Mark Lam.
790
791         This patch adds the ability to add named offsets into JSC's
792         bytecodes.  In the bytecode json file, instead of listing a
793         length, you can now list a set of names and their types. Each
794         opcode with an offsets property will have a struct named after the
795         opcode in our C++ naming style. For example,
796         op_overrides_has_instance would become OpOverridesHasInstance. The
797         struct has the same memory layout as the instruction list has but
798         comes with handy named accessors.
799
800         As a first cut I converted the various instanceof bytecodes to use
801         named offsets.
802
803         As an example op_overrides_has_instance produces the following struct:
804
805         struct OpOverridesHasInstance {
806         public:
807             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
808             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
809             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
810             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
811             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
812             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
813             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
814             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
815
816         private:
817             friend class LLIntOffsetsExtractor;
818             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
819             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
820             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
821             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
822         };
823
824         * CMakeLists.txt:
825         * DerivedSources.make:
826         * JavaScriptCore.xcodeproj/project.pbxproj:
827         * bytecode/BytecodeList.json:
828         * dfg/DFGByteCodeParser.cpp:
829         (JSC::DFG::ByteCodeParser::parseBlock):
830         * generate-bytecode-files:
831         * jit/JITOpcodes.cpp:
832         (JSC::JIT::emit_op_overrides_has_instance):
833         (JSC::JIT::emit_op_instanceof):
834         (JSC::JIT::emitSlow_op_instanceof):
835         (JSC::JIT::emitSlow_op_instanceof_custom):
836         * jit/JITOpcodes32_64.cpp:
837         (JSC::JIT::emit_op_overrides_has_instance):
838         (JSC::JIT::emit_op_instanceof):
839         (JSC::JIT::emitSlow_op_instanceof):
840         (JSC::JIT::emitSlow_op_instanceof_custom):
841         * llint/LLIntOffsetsExtractor.cpp:
842         * llint/LowLevelInterpreter.asm:
843         * llint/LowLevelInterpreter32_64.asm:
844         * llint/LowLevelInterpreter64.asm:
845
846 2017-08-15  Mark Lam  <mark.lam@apple.com>
847
848         Update testmasm to use new CPUState APIs.
849         https://bugs.webkit.org/show_bug.cgi?id=175573
850
851         Reviewed by Keith Miller.
852
853         1. Applied convenience CPUState accessors to minimize casting.
854         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
855            messages.
856         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
857            casting is (mostly) no longer an issue.
858         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
859            to make it clear that we're comparing against the bit values of testWord64(id).
860         5. Added a "Completed N tests" message at the end of running all tests.
861            This makes it easy to tell at a glance that testmasm completed successfully
862            versus when it crashed midway in a test.  The number of tests also serves as
863            a quick checksum to confirm that we ran the number of tests we expected.
864
865         * assembler/testmasm.cpp:
866         (WTF::printInternal):
867         (JSC::testSimple):
868         (JSC::testProbeReadsArgumentRegisters):
869         (JSC::testProbeWritesArgumentRegisters):
870         (JSC::testProbePreservesGPRS):
871         (JSC::testProbeModifiesStackPointer):
872         (JSC::testProbeModifiesProgramCounter):
873         (JSC::run):
874
875 2017-08-14  Keith Miller  <keith_miller@apple.com>
876
877         Add testing tool to lie to the DFG about profiles
878         https://bugs.webkit.org/show_bug.cgi?id=175487
879
880         Reviewed by Saam Barati.
881
882         This patch adds a new bytecode identity_with_profile that lets
883         us lie to the DFG about what profiles it has seen as the input to
884         another bytecode. Previously, there was no reliable way to force
885         a given profile when we tiered up.
886
887         * bytecode/BytecodeDumper.cpp:
888         (JSC::BytecodeDumper<Block>::dumpBytecode):
889         * bytecode/BytecodeIntrinsicRegistry.h:
890         * bytecode/BytecodeList.json:
891         * bytecode/BytecodeUseDef.h:
892         (JSC::computeUsesForBytecodeOffset):
893         (JSC::computeDefsForBytecodeOffset):
894         * bytecode/SpeculatedType.cpp:
895         (JSC::speculationFromString):
896         * bytecode/SpeculatedType.h:
897         * bytecompiler/BytecodeGenerator.cpp:
898         (JSC::BytecodeGenerator::emitIdWithProfile):
899         * bytecompiler/BytecodeGenerator.h:
900         * bytecompiler/NodesCodegen.cpp:
901         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
902         * dfg/DFGAbstractInterpreterInlines.h:
903         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
904         * dfg/DFGByteCodeParser.cpp:
905         (JSC::DFG::ByteCodeParser::parseBlock):
906         * dfg/DFGCapabilities.cpp:
907         (JSC::DFG::capabilityLevel):
908         * dfg/DFGClobberize.h:
909         (JSC::DFG::clobberize):
910         * dfg/DFGDoesGC.cpp:
911         (JSC::DFG::doesGC):
912         * dfg/DFGFixupPhase.cpp:
913         (JSC::DFG::FixupPhase::fixupNode):
914         * dfg/DFGMayExit.cpp:
915         * dfg/DFGNode.h:
916         (JSC::DFG::Node::getForcedPrediction):
917         * dfg/DFGNodeType.h:
918         * dfg/DFGPredictionPropagationPhase.cpp:
919         * dfg/DFGSafeToExecute.h:
920         (JSC::DFG::safeToExecute):
921         * dfg/DFGSpeculativeJIT32_64.cpp:
922         (JSC::DFG::SpeculativeJIT::compile):
923         * dfg/DFGSpeculativeJIT64.cpp:
924         (JSC::DFG::SpeculativeJIT::compile):
925         * dfg/DFGValidate.cpp:
926         * jit/JIT.cpp:
927         (JSC::JIT::privateCompileMainPass):
928         * jit/JIT.h:
929         * jit/JITOpcodes.cpp:
930         (JSC::JIT::emit_op_identity_with_profile):
931         * jit/JITOpcodes32_64.cpp:
932         (JSC::JIT::emit_op_identity_with_profile):
933         * llint/LowLevelInterpreter.asm:
934
935 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
936
937         Remove Proximity Events and related code
938         https://bugs.webkit.org/show_bug.cgi?id=175545
939
940         Reviewed by Daniel Bates.
941
942         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
943         and other related code.
944
945         * Configurations/FeatureDefines.xcconfig:
946
947 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
948
949         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
950         https://bugs.webkit.org/show_bug.cgi?id=175504
951
952         Reviewed by Sam Weinig.
953
954         * Configurations/FeatureDefines.xcconfig:
955
956 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
957
958         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
959         https://bugs.webkit.org/show_bug.cgi?id=175557
960
961         Reviewed by Jon Lee.
962
963         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
964
965         * Configurations/FeatureDefines.xcconfig:
966
967 2017-08-14  Robin Morisset  <rmorisset@apple.com>
968
969         Support the 'with' keyword in DFG
970         https://bugs.webkit.org/show_bug.cgi?id=175470
971
972         Reviewed by Saam Barati.
973
974         Not particularly optimized at the moment, the goal is just to avoid
975         the DFG bailing out of any function with this keyword.
976
977         * dfg/DFGAbstractInterpreterInlines.h:
978         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
979         * dfg/DFGByteCodeParser.cpp:
980         (JSC::DFG::ByteCodeParser::parseBlock):
981         * dfg/DFGCapabilities.cpp:
982         (JSC::DFG::capabilityLevel):
983         * dfg/DFGClobberize.h:
984         (JSC::DFG::clobberize):
985         * dfg/DFGDoesGC.cpp:
986         (JSC::DFG::doesGC):
987         * dfg/DFGFixupPhase.cpp:
988         (JSC::DFG::FixupPhase::fixupNode):
989         * dfg/DFGNodeType.h:
990         * dfg/DFGPredictionPropagationPhase.cpp:
991         * dfg/DFGSafeToExecute.h:
992         (JSC::DFG::safeToExecute):
993         * dfg/DFGSpeculativeJIT.cpp:
994         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
995         * dfg/DFGSpeculativeJIT.h:
996         (JSC::DFG::SpeculativeJIT::callOperation):
997         * dfg/DFGSpeculativeJIT32_64.cpp:
998         (JSC::DFG::SpeculativeJIT::compile):
999         * dfg/DFGSpeculativeJIT64.cpp:
1000         (JSC::DFG::SpeculativeJIT::compile):
1001         * jit/JITOperations.cpp:
1002         * jit/JITOperations.h:
1003
1004 2017-08-14  Mark Lam  <mark.lam@apple.com>
1005
1006         Add some convenience utility accessor methods to MacroAssembler::CPUState.
1007         https://bugs.webkit.org/show_bug.cgi?id=175549
1008         <rdar://problem/33884868>
1009
1010         Reviewed by Saam Barati.
1011
1012         Previously, in order to read ProbeContext CPUState registers, we used to need to
1013         do it this way:
1014
1015             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
1016             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
1017             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
1018             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
1019
1020         With this patch, we can now read them this way instead:
1021         
1022             ExecState* exec = cpu.fp<ExecState*>();
1023             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
1024             void* p = cpu.gpr<void*>(GPRInfo::regT1);
1025             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
1026
1027         * assembler/MacroAssembler.h:
1028         (JSC:: const):
1029         (JSC::MacroAssembler::CPUState::fpr const):
1030         (JSC::MacroAssembler::CPUState::pc const):
1031         (JSC::MacroAssembler::CPUState::fp const):
1032         (JSC::MacroAssembler::CPUState::sp const):
1033         (JSC::ProbeContext::pc):
1034         (JSC::ProbeContext::fp):
1035         (JSC::ProbeContext::sp):
1036
1037 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1038
1039         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1040         https://bugs.webkit.org/show_bug.cgi?id=174921
1041
1042         Reviewed by Mark Lam.
1043         
1044         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1045
1046         * dfg/DFGSpeculativeJIT.cpp:
1047         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1048         * ftl/FTLLowerDFGToB3.cpp:
1049         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1050         * jit/JITPropertyAccess.cpp:
1051         (JSC::JIT::emitScopedArgumentsGetByVal):
1052         * runtime/ScopedArgumentsTable.cpp:
1053         (JSC::ScopedArgumentsTable::create):
1054         (JSC::ScopedArgumentsTable::setLength):
1055         * runtime/ScopedArgumentsTable.h:
1056
1057 2017-08-14  Mark Lam  <mark.lam@apple.com>
1058
1059         Gardening: fix Windows build.
1060         https://bugs.webkit.org/show_bug.cgi?id=175446
1061
1062         Not reviewed.
1063
1064         * assembler/MacroAssemblerX86Common.cpp:
1065         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1066         (JSC::ctiMasmProbeTrampoline):
1067
1068 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1069
1070         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1071         https://bugs.webkit.org/show_bug.cgi?id=175512
1072         <rdar://problem/33863584>
1073
1074         Reviewed by Mark Lam.
1075
1076         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1077         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1078
1079 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1080
1081         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1082         https://bugs.webkit.org/show_bug.cgi?id=175513
1083
1084         Reviewed by Mark Lam.
1085
1086         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1087
1088 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1089
1090         FTL's compileGetTypedArrayByteOffset needs to do caging
1091         https://bugs.webkit.org/show_bug.cgi?id=175366
1092
1093         Reviewed by Saam Barati.
1094         
1095         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1096         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1097
1098         * dfg/DFGSpeculativeJIT.cpp:
1099         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1100         * ftl/FTLLowerDFGToB3.cpp:
1101         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1102         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1103         * runtime/ArrayBuffer.h:
1104         * runtime/ArrayBufferView.h:
1105         * runtime/JSArrayBufferView.h:
1106
1107 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1108
1109         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1110         https://bugs.webkit.org/show_bug.cgi?id=175474
1111         <rdar://problem/33844628>
1112
1113         Reviewed by Wenson Hsieh.
1114
1115         * Configurations/FeatureDefines.xcconfig:
1116         * runtime/CommonIdentifiers.h:
1117
1118 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1119
1120         Caging shouldn't have to use a patchpoint for adding
1121         https://bugs.webkit.org/show_bug.cgi?id=175483
1122
1123         Reviewed by Mark Lam.
1124
1125         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1126         constants and associative operations dictate that you always want to sink constants. For example,
1127         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1128         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1129         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1130         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1131         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1132         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1133         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1134         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1135         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1136         hacks for just stopping B3's reassociation only in this specific case.
1137         
1138         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1139         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1140         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1141         that if we cage the same pointer in two places, both places will compute the same value.
1142         
1143         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1144         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1145         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1146         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1147         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1148         enough scale to warrant new opcodes.)
1149         
1150         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1151         makes the code a bit less ugly.
1152
1153         * b3/B3LowerToAir.cpp:
1154         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1155         (JSC::B3::Air::LowerToAir::lower):
1156         * b3/B3Opcode.cpp:
1157         (WTF::printInternal):
1158         * b3/B3Opcode.h:
1159         * b3/B3ReduceStrength.cpp:
1160         * b3/B3Validate.cpp:
1161         * b3/B3Value.cpp:
1162         (JSC::B3::Value::effects const):
1163         (JSC::B3::Value::key const):
1164         (JSC::B3::Value::isFree const):
1165         (JSC::B3::Value::typeFor):
1166         * b3/B3Value.h:
1167         * b3/B3ValueKey.cpp:
1168         (JSC::B3::ValueKey::materialize const):
1169         * ftl/FTLLowerDFGToB3.cpp:
1170         (JSC::FTL::DFG::LowerDFGToB3::caged):
1171         * ftl/FTLOutput.cpp:
1172         (JSC::FTL::Output::opaque):
1173         * ftl/FTLOutput.h:
1174
1175 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1176
1177         ScopedArguments overflow storage needs to be in the JSValue gigacage
1178         https://bugs.webkit.org/show_bug.cgi?id=174923
1179
1180         Reviewed by Saam Barati.
1181         
1182         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1183         object into the JSValue gigacage.
1184
1185         * dfg/DFGSpeculativeJIT.cpp:
1186         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1187         * ftl/FTLLowerDFGToB3.cpp:
1188         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1189         * jit/JITPropertyAccess.cpp:
1190         (JSC::JIT::emitScopedArgumentsGetByVal):
1191         * runtime/ScopedArguments.h:
1192         (JSC::ScopedArguments::subspaceFor):
1193         (JSC::ScopedArguments::overflowStorage const):
1194
1195 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1196
1197         JSLexicalEnvironment needs to be in the JSValue gigacage
1198         https://bugs.webkit.org/show_bug.cgi?id=174922
1199
1200         Reviewed by Michael Saboff.
1201         
1202         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1203         the only random accesses use pointer caging.
1204         
1205         We don't need to do anything to normal lexical environment accesses.
1206
1207         * dfg/DFGSpeculativeJIT.cpp:
1208         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1209         * ftl/FTLLowerDFGToB3.cpp:
1210         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1211         * runtime/JSEnvironmentRecord.h:
1212         (JSC::JSEnvironmentRecord::subspaceFor):
1213         (JSC::JSEnvironmentRecord::variables):
1214
1215 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1216
1217         DirectArguments should be in the JSValue gigacage
1218         https://bugs.webkit.org/show_bug.cgi?id=174920
1219
1220         Reviewed by Michael Saboff.
1221         
1222         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1223         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1224         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1225         required to use fixed offsets, and you can only store JSValues.
1226
1227         * dfg/DFGSpeculativeJIT.cpp:
1228         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1229         * ftl/FTLLowerDFGToB3.cpp:
1230         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1231         * jit/JITPropertyAccess.cpp:
1232         (JSC::JIT::emitDirectArgumentsGetByVal):
1233         * runtime/DirectArguments.h:
1234         (JSC::DirectArguments::subspaceFor):
1235         (JSC::DirectArguments::storage):
1236         * runtime/VM.cpp:
1237         (JSC::VM::VM):
1238         * runtime/VM.h:
1239
1240 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1241
1242         Unreviewed, add a FIXME.
1243
1244         * ftl/FTLLowerDFGToB3.cpp:
1245         (JSC::FTL::DFG::LowerDFGToB3::caged):
1246
1247 2017-08-10  Sam Weinig  <sam@webkit.org>
1248
1249         WTF::Function does not allow for reference / non-default constructible return types
1250         https://bugs.webkit.org/show_bug.cgi?id=175244
1251
1252         Reviewed by Chris Dumez.
1253
1254         * runtime/ArrayBuffer.cpp:
1255         (JSC::ArrayBufferContents::transferTo):
1256         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1257         destroy call needed to be a no-op anyway, since the data is being moved.
1258
1259 2017-08-11  Mark Lam  <mark.lam@apple.com>
1260
1261         Gardening: fix CLoop build.
1262         https://bugs.webkit.org/show_bug.cgi?id=175446
1263         <rdar://problem/33836545>
1264
1265         Not reviewed.
1266
1267         * assembler/MacroAssemblerPrinter.cpp:
1268
1269 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1270
1271         DFG should do caging
1272         https://bugs.webkit.org/show_bug.cgi?id=174918
1273
1274         Reviewed by Saam Barati.
1275         
1276         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1277         the conditional caging with a watchpoint.
1278         
1279         This might be a 1% SunSpider slow-down, but it's not clear.
1280
1281         * dfg/DFGSpeculativeJIT.cpp:
1282         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1283         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1284         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1285         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1286         (JSC::DFG::SpeculativeJIT::compileSpread):
1287         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1288         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1289         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1290         * dfg/DFGSpeculativeJIT.h:
1291         * dfg/DFGSpeculativeJIT64.cpp:
1292         (JSC::DFG::SpeculativeJIT::compile):
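
        The caging entries above (the Opaque opcode, the JSValue gigacage subspaces for
        DirectArguments/ScopedArguments/JSLexicalEnvironment, and this DFG caging entry)
        all rely on the same pointer-masking idea. The following is an added illustrative
        model written for this page, not JSC's Gigacage code: the toy cage size, the
        base alignment, and the helper names (cagedPointer, cagedMayBeNull, inCage) are
        assumptions. It shows why caging is idempotent (the property the Opaque opcode
        keeps visible to CSE), why a forged pointer cannot escape the cage, and how the
        null case is handled, mirroring the cagedMayBeNull helper named in the FTL entry.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Simplified model of pointer caging (illustrative only; not JSC's Gigacage).
// A cage is a power-of-two-sized region whose base is aligned to its size.
// caged(ptr) = (ptr & mask) + base. For a pointer already inside the cage this
// is the identity; for any other pointer it yields an address inside the cage,
// so a corrupted or attacker-controlled pointer cannot reach memory outside it.

constexpr std::size_t kCageSize = 4096;                 // assumed toy size
constexpr std::uintptr_t kCageMask = kCageSize - 1;     // low bits kept

// Base must be aligned to the cage size for in-cage pointers to be unchanged.
alignas(kCageSize) static std::uint8_t g_cage[kCageSize];

inline std::uintptr_t cageBase() {
    return reinterpret_cast<std::uintptr_t>(g_cage);
}

// The "largeConstant" the Opaque entry talks about is this base address:
// mask first, then add the base.
inline std::uint8_t* cagedPointer(const void* p) {
    std::uintptr_t raw = reinterpret_cast<std::uintptr_t>(p);
    return reinterpret_cast<std::uint8_t*>((raw & kCageMask) + cageBase());
}

// Null must stay null: masking and adding the base would otherwise turn a
// null pointer into a valid in-cage address and hide a missing-object bug.
inline std::uint8_t* cagedMayBeNull(const void* p) {
    if (!p)
        return nullptr;
    return cagedPointer(p);
}

inline bool inCage(const void* p) {
    std::uintptr_t raw = reinterpret_cast<std::uintptr_t>(p);
    return raw >= cageBase() && raw < cageBase() + kCageSize;
}

// Opaque(Opaque(x)) == Opaque(x): caging an already-caged pointer is a no-op.
bool cagingIsIdempotent(const void* p) {
    std::uint8_t* once = cagedPointer(p);
    return cagedPointer(once) == once;
}

// Constructed "secret" living outside the cage, standing in for memory an
// attacker would like to reach through a corrupted backing-store pointer.
static char g_secret[] = "outside-secret";

// A forged pointer aimed at the secret is redirected to somewhere in the cage.
bool forgedPointerIsContained() {
    std::memcpy(g_cage, "inside", 7);
    std::uint8_t* caged = cagedPointer(g_secret);
    return !inCage(g_secret) && inCage(caged);
}

int main() {
    std::printf("in-cage pointer unchanged: %d\n",
                cagedPointer(g_cage + 100) == g_cage + 100);
    std::printf("forged pointer contained:  %d\n", forgedPointerIsContained());
    std::printf("idempotent:                %d\n", cagingIsIdempotent(g_secret));
    std::printf("null stays null:           %d\n", cagedMayBeNull(nullptr) == nullptr);
    return 0;
}
```

        Note that the mask-then-add form only contains the access; it does not detect
        the corruption. A forged pointer still dereferences something, just something
        inside the cage, which is why the JSC entries pair caging with placing only
        JSValue-typed or type-checked storage in each cage.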
1293
1294 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1295
1296         Unreviewed, build fix for x86 GTK port
1297         https://bugs.webkit.org/show_bug.cgi?id=175446
1298
1299         Use pushfl/popfl instead of pushfd/popfd.
1300
1301         * assembler/MacroAssemblerX86Common.cpp:
1302
1303 2017-08-10  Mark Lam  <mark.lam@apple.com>
1304
1305         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1306         https://bugs.webkit.org/show_bug.cgi?id=175446
1307         <rdar://problem/33836545>
1308
1309         Reviewed by Saam Barati.
1310
1311         * assembler/AbstractMacroAssembler.h:
1312         * assembler/MacroAssembler.cpp:
1313         (JSC::MacroAssembler::probe):
1314         * assembler/MacroAssembler.h:
1315         * assembler/MacroAssemblerARM.cpp:
1316         (JSC::MacroAssembler::probe):
1317         * assembler/MacroAssemblerARM.h:
1318         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1319         * assembler/MacroAssemblerARM64.cpp:
1320         (JSC::MacroAssembler::probe):
1321         * assembler/MacroAssemblerARMv7.cpp:
1322         (JSC::MacroAssembler::probe):
1323         * assembler/MacroAssemblerARMv7.h:
1324         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1325         * assembler/MacroAssemblerPrinter.cpp:
1326         * assembler/MacroAssemblerPrinter.h:
1327         * assembler/MacroAssemblerX86Common.cpp:
1328         * assembler/testmasm.cpp:
1329         (JSC::isSpecialGPR):
1330         (JSC::testProbeModifiesProgramCounter):
1331         (JSC::run):
1332         * b3/B3LowerToAir.cpp:
1333         (JSC::B3::Air::LowerToAir::print):
1334         * b3/air/AirPrintSpecial.cpp:
1335         * b3/air/AirPrintSpecial.h:
1336
1337 2017-08-10  Mark Lam  <mark.lam@apple.com>
1338
1339         Apply the UNLIKELY macro to some unlikely things.
1340         https://bugs.webkit.org/show_bug.cgi?id=175440
1341         <rdar://problem/33834767>
1342
1343         Reviewed by Yusuke Suzuki.
1344
1345         * bytecode/CodeBlock.cpp:
1346         (JSC::CodeBlock::~CodeBlock):
1347         (JSC::CodeBlock::jettison):
1348         * dfg/DFGByteCodeParser.cpp:
1349         (JSC::DFG::ByteCodeParser::handleCall):
1350         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1351         (JSC::DFG::ByteCodeParser::handleGetById):
1352         (JSC::DFG::ByteCodeParser::handlePutById):
1353         (JSC::DFG::ByteCodeParser::parseBlock):
1354         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1355         * dfg/DFGJITCompiler.cpp:
1356         (JSC::DFG::JITCompiler::JITCompiler):
1357         (JSC::DFG::JITCompiler::linkOSRExits):
1358         (JSC::DFG::JITCompiler::link):
1359         (JSC::DFG::JITCompiler::disassemble):
1360         * dfg/DFGJITFinalizer.cpp:
1361         (JSC::DFG::JITFinalizer::finalizeCommon):
1362         * dfg/DFGOSRExit.cpp:
1363         (JSC::DFG::OSRExit::compileOSRExit):
1364         * dfg/DFGPlan.cpp:
1365         (JSC::DFG::Plan::Plan):
1366         * ftl/FTLJITFinalizer.cpp:
1367         (JSC::FTL::JITFinalizer::finalizeCommon):
1368         * ftl/FTLLink.cpp:
1369         (JSC::FTL::link):
1370         * ftl/FTLOSRExitCompiler.cpp:
1371         (JSC::FTL::compileStub):
1372         * jit/JIT.cpp:
1373         (JSC::JIT::privateCompileMainPass):
1374         (JSC::JIT::compileWithoutLinking):
1375         (JSC::JIT::link):
1376         * runtime/ScriptExecutable.cpp:
1377         (JSC::ScriptExecutable::installCode):
1378         * runtime/VM.cpp:
1379         (JSC::VM::VM):
1380
1381 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1382
1383         [WTF] ThreadSpecific should not introduce additional indirection
1384         https://bugs.webkit.org/show_bug.cgi?id=175187
1385
1386         Reviewed by Mark Lam.
1387
1388         * runtime/Identifier.cpp:
1389
1390 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1391
1392         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1393         https://bugs.webkit.org/show_bug.cgi?id=175436
1394         <rdar://problem/33667497>
1395
1396         Reviewed by Simon Fraser.
1397
1398         * interpreter/Interpreter.cpp:
1399         (JSC::Interpreter::Interpreter):
1400
1401 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1402
1403         Remove ENABLE_GAMEPAD_DEPRECATED
1404         https://bugs.webkit.org/show_bug.cgi?id=175361
1405
1406         Reviewed by Carlos Garcia Campos.
1407
1408         * Configurations/FeatureDefines.xcconfig:
1409
1410 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1411
1412         [JSC] Create JSSet constructor that accepts its size as parameter
1413         https://bugs.webkit.org/show_bug.cgi?id=173297
1414
1415         Reviewed by Saam Barati.
1416
1417         This patch is adding a new constructor to JSSet that gives its
1418         expected initial size. It is important to avoid re-hashing and multiple
1419         allocations when we know the final size of JSSet, such as in
1420         CodeBlock::setConstantIdentifierSetRegisters.
1421
1422         * bytecode/CodeBlock.cpp:
1423         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1424         * runtime/HashMapImpl.h:
1425         (JSC::HashMapImpl::HashMapImpl):
1426         * runtime/JSSet.h:
1427
1428 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1429
1430         Unreviewed, rolling out r220466, r220477, and r220487.
1431         https://bugs.webkit.org/show_bug.cgi?id=175411
1432
1433         This change broke existing API tests and follow up fixes did
1434         not resolve all the issues. (Requested by ryanhaddad on
1435         #webkit).
1436
1437         Reverted changesets:
1438
1439         https://bugs.webkit.org/show_bug.cgi?id=175244
1440         http://trac.webkit.org/changeset/220466
1441
1442         "WTF::Function does not allow for reference / non-default
1443         constructible return types"
1444         https://bugs.webkit.org/show_bug.cgi?id=175244
1445         http://trac.webkit.org/changeset/220477
1446
1447         https://bugs.webkit.org/show_bug.cgi?id=175244
1448         http://trac.webkit.org/changeset/220487
1449
1450 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1451
1452         Early error on ANY operator before new.target
1453         https://bugs.webkit.org/show_bug.cgi?id=157970
1454
1455         Reviewed by Saam Barati.
1456
1457         Instead of throwing if any unary operator precedes new.target, only
1458         throw if the unary operator updates the reference.
1459
1460         The following become legal in JSC:
1461
1462         ```
1463         !new.target
1464         ~new.target
1465         typeof new.target
1466         delete new.target
1467         void new.target
1468         ```
1469
1470         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
1471
1472         * parser/Parser.cpp:
1473         (JSC::Parser<LexerType>::parseUnaryExpression):
1474
1475 2017-08-09  Sam Weinig  <sam@webkit.org>
1476
1477         WTF::Function does not allow for reference / non-default constructible return types
1478         https://bugs.webkit.org/show_bug.cgi?id=175244
1479
1480         Reviewed by Chris Dumez.
1481
1482         * runtime/ArrayBuffer.cpp:
1483         (JSC::ArrayBufferContents::transferTo):
1484         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1485         destroy call needed to be a no-op anyway, since the data is being moved.
1486
1487 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1488
1489         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1490         https://bugs.webkit.org/show_bug.cgi?id=175392
1491         <rdar://problem/33783207>
1492
1493         Reviewed by Tim Horton and Megan Gardner.
1494
1495         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1496
1497         * Configurations/FeatureDefines.xcconfig:
1498
1499 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1500
1501         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1502         https://bugs.webkit.org/show_bug.cgi?id=175358
1503
1504         Reviewed by Mark Lam.
1505
1506         * jit/JITOperations.cpp:
1507         * runtime/JSObjectInlines.h:
1508         (JSC::JSObject::putInlineForJSObject):
1509
1510 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1511
1512         Unreviewed, rolling out r220457.
1513
1514         This change introduced API test failures.
1515
1516         Reverted changeset:
1517
1518         "WTF::Function does not allow for reference / non-default
1519         constructible return types"
1520         https://bugs.webkit.org/show_bug.cgi?id=175244
1521         http://trac.webkit.org/changeset/220457
1522
1523 2017-08-09  Sam Weinig  <sam@webkit.org>
1524
1525         WTF::Function does not allow for reference / non-default constructible return types
1526         https://bugs.webkit.org/show_bug.cgi?id=175244
1527
1528         Reviewed by Chris Dumez.
1529
1530         * runtime/ArrayBuffer.cpp:
1531         (JSC::ArrayBufferContents::transferTo):
1532         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1533         destroy call needed to be a no-op anyway, since the data is being moved.
1534
1535 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1536
1537         REGRESSION: 2 test262/test/language/statements/async-function failures
1538         https://bugs.webkit.org/show_bug.cgi?id=175334
1539
1540         Reviewed by Yusuke Suzuki.
1541
1542         Switch off useAsyncIterator by default
1543
1544         * runtime/Options.h:
1545
1546 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1547
1548         ICs should do caging
1549         https://bugs.webkit.org/show_bug.cgi?id=175295
1550
1551         Reviewed by Saam Barati.
1552         
1553         Adds the appropriate cage() calls in our inline caches.
1554
1555         * bytecode/AccessCase.cpp:
1556         (JSC::AccessCase::generateImpl):
1557         * bytecode/InlineAccess.cpp:
1558         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1559         (JSC::InlineAccess::generateSelfPropertyAccess):
1560         (JSC::InlineAccess::generateSelfPropertyReplace):
1561         (JSC::InlineAccess::generateArrayLength):
1562
1563 2017-08-08  Devin Rousso  <drousso@apple.com>
1564
1565         Web Inspector: Canvas: support editing WebGL shaders
1566         https://bugs.webkit.org/show_bug.cgi?id=124211
1567         <rdar://problem/15448958>
1568
1569         Reviewed by Matt Baker.
1570
1571         * inspector/protocol/Canvas.json:
1572         Add `updateShader` command that will change the given shader's source to the provided string,
1573         recompile, and relink it to its associated program.
1574         Drive-by: add description to `requestShaderSource` command.
1575
1576 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1577
1578         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1579         https://bugs.webkit.org/show_bug.cgi?id=175347
1580
1581         Reviewed by Saam Barati.
1582
1583         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
1584         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1585         negligible considering how much more finishCreation does.
1586         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1587         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1588
1589         * bytecode/CodeBlock.cpp:
1590         (JSC::CodeBlock::finishCreation):
1591         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1592         (JSC::CodeBlock::setConstantRegisters):
1593         * bytecode/CodeBlock.h:
1594         * runtime/ScriptExecutable.cpp:
1595         (JSC::ScriptExecutable::newCodeBlockFor):
1596
1597 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1598
1599         Unreviewed, fix Ubuntu LTS build
1600         https://bugs.webkit.org/show_bug.cgi?id=174490
1601
1602         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1603         * inspector/remote/glib/RemoteInspectorServer.cpp:
1604
1605 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1606
1607         Baseline JIT should do caging
1608         https://bugs.webkit.org/show_bug.cgi?id=175037
1609
1610         Reviewed by Mark Lam.
1611         
1612         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1613         
1614         Also modifies FTL caging to be more defensive when caging is disabled.
1615         
1616         Relanded with fixed AssemblyHelpers::cageConditionally().
1617
1618         * bytecode/AccessCase.cpp:
1619         (JSC::AccessCase::generateImpl):
1620         * bytecode/InlineAccess.cpp:
1621         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1622         (JSC::InlineAccess::generateSelfPropertyAccess):
1623         (JSC::InlineAccess::generateSelfPropertyReplace):
1624         (JSC::InlineAccess::generateArrayLength):
1625         * ftl/FTLLowerDFGToB3.cpp:
1626         (JSC::FTL::DFG::LowerDFGToB3::caged):
1627         * jit/AssemblyHelpers.h:
1628         (JSC::AssemblyHelpers::cage):
1629         (JSC::AssemblyHelpers::cageConditionally):
1630         * jit/JITPropertyAccess.cpp:
1631         (JSC::JIT::emitDoubleLoad):
1632         (JSC::JIT::emitContiguousLoad):
1633         (JSC::JIT::emitArrayStorageLoad):
1634         (JSC::JIT::emitGenericContiguousPutByVal):
1635         (JSC::JIT::emitArrayStoragePutByVal):
1636         (JSC::JIT::emit_op_get_from_scope):
1637         (JSC::JIT::emit_op_put_to_scope):
1638         (JSC::JIT::emitIntTypedArrayGetByVal):
1639         (JSC::JIT::emitFloatTypedArrayGetByVal):
1640         (JSC::JIT::emitIntTypedArrayPutByVal):
1641         (JSC::JIT::emitFloatTypedArrayPutByVal):
1642         * jsc.cpp:
1643         (jscmain):
1644         (primitiveGigacageDisabled): Deleted.
1645
1646 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1647
1648         Unreviewed, rolling out r220368.
1649
1650         This change caused WK1 tests to exit early with crashes.
1651
1652         Reverted changeset:
1653
1654         "Baseline JIT should do caging"
1655         https://bugs.webkit.org/show_bug.cgi?id=175037
1656         http://trac.webkit.org/changeset/220368
1657
1658 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1659
1660         [CMake] Properly test if compiler supports compiler flags
1661         https://bugs.webkit.org/show_bug.cgi?id=174490
1662
1663         Reviewed by Konstantin Tokarev.
1664
1665         * API/tests/PingPongStackOverflowTest.cpp:
1666         (testPingPongStackOverflow):
1667         * API/tests/testapi.c:
1668         * b3/testb3.cpp:
1669         (JSC::B3::testPatchpointLotsOfLateAnys):
1670
1671 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1672
1673         [Linux] Clear WasmMemory with madvise instead of memset
1674         https://bugs.webkit.org/show_bug.cgi?id=175150
1675
1676         Reviewed by Filip Pizlo.
1677
1678         On Linux, zeroing pages with memset populates the backing store.
1679         Instead, we should use madvise with MADV_DONTNEED. It discards the
1680         pages, and if you access these pages again, on-demand zero pages
1681         will be shown.
1682
1683         We also commit grown pages in all OSes.
1684
1685         * wasm/WasmMemory.cpp:
1686         (JSC::Wasm::commitZeroPages):
1687         (JSC::Wasm::Memory::create):
1688         (JSC::Wasm::Memory::grow):
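
The WasmMemory entry above relies on a Linux property that is worth checking rather than assuming: after madvise(MADV_DONTNEED) on a private anonymous mapping, the next access faults in fresh zero pages, whereas for a shared mapping the old contents are refetched. The following is an added example, not WebKit's code; the names discard_and_check and region_is_zero and the four-page region are this example's own.

```c
/* Added example (not WebKit code): models the memset -> madvise change above.
 * memset touches every page and so populates the backing store;
 * madvise(MADV_DONTNEED) drops the pages instead. The function returns
 *   1  when every byte reads back as zero after the discard
 *      (private anonymous mapping: zero-fill-on-demand),
 *   0  when stale data survived (shared anonymous mapping: MADV_DONTNEED
 *      refetches the still-backed contents, it does not zero them),
 *  -1  on a syscall failure,
 *  -2  when not built on Linux, where MADV_DONTNEED semantics differ. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

/* Returns 1 if all len bytes at p are zero, else 0. */
static int region_is_zero(const uint8_t* p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (p[i])
            return 0;
    }
    return 1;
}

/* flags: MAP_PRIVATE or MAP_SHARED; MAP_ANONYMOUS is added here. */
static int discard_and_check(int flags)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t len = (size_t)page * 4; /* constructed: a four-page region */

    uint8_t* mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                        flags | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    /* Constructed non-zero pattern so surviving stale data is detectable. */
    memset(mem, 0xA5, len);

    int rc;
#ifdef __linux__
    if (madvise(mem, len, MADV_DONTNEED) != 0) {
        munmap(mem, len);
        return -1;
    }
    /* Reading the range after the discard faults the pages back in. */
    rc = region_is_zero(mem, len);
#else
    rc = -2;
#endif
    munmap(mem, len);
    return rc;
}
```

Calling discard_and_check(MAP_PRIVATE) yields 1 on Linux, while discard_and_check(MAP_SHARED) yields 0 there: the zeroing the entry depends on holds only for private anonymous memory such as a Wasm memory reservation.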
1689
1690 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1691
1692         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1693         https://bugs.webkit.org/show_bug.cgi?id=175307
1694
1695         Reviewed by Saam Barati.
1696
1697         ```
1698         let a = new Uint8Array(10);
1699         let b = Object.getOwnPropertyDescriptor(a, 0);
1700         assert(b.configurable === false);
1701         ```
1702         should not fail, by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p),
1703         which applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances),
1704         which says that typed arrays are integer indexed exotic objects.
1705
1706         * runtime/JSGenericTypedArrayViewInlines.h:
1707         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1708
1709 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1710
1711         Baseline JIT should do caging
1712         https://bugs.webkit.org/show_bug.cgi?id=175037
1713
1714         Reviewed by Mark Lam.
1715         
1716         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1717         
1718         Also modifies FTL caging to be more defensive when caging is disabled.
1719
1720         * ftl/FTLLowerDFGToB3.cpp:
1721         (JSC::FTL::DFG::LowerDFGToB3::caged):
1722         * jit/AssemblyHelpers.h:
1723         (JSC::AssemblyHelpers::cage):
1724         (JSC::AssemblyHelpers::cageConditionally):
1725         * jit/JITPropertyAccess.cpp:
1726         (JSC::JIT::emitDoubleLoad):
1727         (JSC::JIT::emitContiguousLoad):
1728         (JSC::JIT::emitArrayStorageLoad):
1729         (JSC::JIT::emitGenericContiguousPutByVal):
1730         (JSC::JIT::emitArrayStoragePutByVal):
1731         (JSC::JIT::emit_op_get_from_scope):
1732         (JSC::JIT::emit_op_put_to_scope):
1733         (JSC::JIT::emitIntTypedArrayGetByVal):
1734         (JSC::JIT::emitFloatTypedArrayGetByVal):
1735         (JSC::JIT::emitIntTypedArrayPutByVal):
1736         (JSC::JIT::emitFloatTypedArrayPutByVal):
1737         * jsc.cpp:
1738         (jscmain):
1739         (primitiveGigacageDisabled): Deleted.
1740
1741 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1742
1743         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1744         https://bugs.webkit.org/show_bug.cgi?id=174919
1745
1746         Reviewed by Keith Miller.
1747         
1748         This adapts JSC to there being two gigacages.
1749         
1750         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1751         singletons. I don't think we were gaining anything by making them be singletons.
1752         
1753         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1754         gigacages. We'll have one of those allocators per cage.
1755         
1756         From there, this change teaches everyone who previously knew about cages that there are two cages.
1757         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1758         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1759         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1760         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1761         
1762         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1763         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1764
1765         * JavaScriptCore.xcodeproj/project.pbxproj:
1766         * bytecode/AccessCase.cpp:
1767         (JSC::AccessCase::generateImpl):
1768         * dfg/DFGSpeculativeJIT.cpp:
1769         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1770         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1771         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1772         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1773         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1774         * ftl/FTLLowerDFGToB3.cpp:
1775         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1776         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1777         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1778         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1779         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1780         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1781         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1782         (JSC::FTL::DFG::LowerDFGToB3::caged):
1783         * heap/FastMallocAlignedMemoryAllocator.cpp:
1784         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1785         * heap/FastMallocAlignedMemoryAllocator.h:
1786         * heap/GigacageAlignedMemoryAllocator.cpp:
1787         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1788         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1789         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1790         (JSC::GigacageAlignedMemoryAllocator::dump const):
1791         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1792         * heap/GigacageAlignedMemoryAllocator.h:
1793         * jsc.cpp:
1794         (primitiveGigacageDisabled):
1795         (jscmain):
1796         (gigacageDisabled): Deleted.
1797         * llint/LowLevelInterpreter64.asm:
1798         * runtime/ArrayBuffer.cpp:
1799         (JSC::ArrayBufferContents::tryAllocate):
1800         (JSC::ArrayBuffer::createAdopted):
1801         (JSC::ArrayBuffer::createFromBytes):
1802         * runtime/AuxiliaryBarrier.h:
1803         * runtime/ButterflyInlines.h:
1804         (JSC::Butterfly::createUninitialized):
1805         (JSC::Butterfly::tryCreate):
1806         (JSC::Butterfly::growArrayRight):
1807         * runtime/CagedBarrierPtr.h: Added.
1808         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1809         (JSC::CagedBarrierPtr::clear):
1810         (JSC::CagedBarrierPtr::set):
1811         (JSC::CagedBarrierPtr::get const):
1812         (JSC::CagedBarrierPtr::getMayBeNull const):
1813         (JSC::CagedBarrierPtr::operator== const):
1814         (JSC::CagedBarrierPtr::operator!= const):
1815         (JSC::CagedBarrierPtr::operator bool const):
1816         (JSC::CagedBarrierPtr::setWithoutBarrier):
1817         (JSC::CagedBarrierPtr::operator* const):
1818         (JSC::CagedBarrierPtr::operator-> const):
1819         (JSC::CagedBarrierPtr::operator[] const):
1820         * runtime/DirectArguments.cpp:
1821         (JSC::DirectArguments::overrideThings):
1822         (JSC::DirectArguments::unmapArgument):
1823         * runtime/DirectArguments.h:
1824         (JSC::DirectArguments::isMappedArgument const):
1825         * runtime/GenericArguments.h:
1826         * runtime/GenericArgumentsInlines.h:
1827         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1828         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1829         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1830         * runtime/HashMapImpl.cpp:
1831         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1832         * runtime/HashMapImpl.h:
1833         (JSC::HashMapBuffer::create):
1834         (JSC::HashMapImpl::buffer const):
1835         (JSC::HashMapImpl::rehash):
1836         * runtime/JSArray.cpp:
1837         (JSC::JSArray::tryCreateUninitializedRestricted):
1838         (JSC::JSArray::unshiftCountSlowCase):
1839         (JSC::JSArray::setLength):
1840         (JSC::JSArray::pop):
1841         (JSC::JSArray::push):
1842         (JSC::JSArray::fastSlice):
1843         (JSC::JSArray::shiftCountWithArrayStorage):
1844         (JSC::JSArray::shiftCountWithAnyIndexingType):
1845         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1846         (JSC::JSArray::fillArgList):
1847         (JSC::JSArray::copyToArguments):
1848         * runtime/JSArray.h:
1849         (JSC::JSArray::tryCreate):
1850         * runtime/JSArrayBufferView.cpp:
1851         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1852         (JSC::JSArrayBufferView::finalize):
1853         * runtime/JSLock.cpp:
1854         (JSC::JSLock::didAcquireLock):
1855         * runtime/JSObject.cpp:
1856         (JSC::JSObject::heapSnapshot):
1857         (JSC::JSObject::getOwnPropertySlotByIndex):
1858         (JSC::JSObject::putByIndex):
1859         (JSC::JSObject::enterDictionaryIndexingMode):
1860         (JSC::JSObject::createInitialIndexedStorage):
1861         (JSC::JSObject::createArrayStorage):
1862         (JSC::JSObject::convertUndecidedToInt32):
1863         (JSC::JSObject::convertUndecidedToDouble):
1864         (JSC::JSObject::convertUndecidedToContiguous):
1865         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1866         (JSC::JSObject::convertUndecidedToArrayStorage):
1867         (JSC::JSObject::convertInt32ToDouble):
1868         (JSC::JSObject::convertInt32ToContiguous):
1869         (JSC::JSObject::convertInt32ToArrayStorage):
1870         (JSC::JSObject::convertDoubleToContiguous):
1871         (JSC::JSObject::convertDoubleToArrayStorage):
1872         (JSC::JSObject::convertContiguousToArrayStorage):
1873         (JSC::JSObject::setIndexQuicklyToUndecided):
1874         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1875         (JSC::JSObject::deletePropertyByIndex):
1876         (JSC::JSObject::getOwnPropertyNames):
1877         (JSC::JSObject::putIndexedDescriptor):
1878         (JSC::JSObject::defineOwnIndexedProperty):
1879         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1880         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1881         (JSC::JSObject::getNewVectorLength):
1882         (JSC::JSObject::ensureLengthSlow):
1883         (JSC::JSObject::reallocateAndShrinkButterfly):
1884         (JSC::JSObject::allocateMoreOutOfLineStorage):
1885         (JSC::JSObject::getEnumerableLength):
1886         * runtime/JSObject.h:
1887         (JSC::JSObject::getArrayLength const):
1888         (JSC::JSObject::getVectorLength):
1889         (JSC::JSObject::putDirectIndex):
1890         (JSC::JSObject::canGetIndexQuickly):
1891         (JSC::JSObject::getIndexQuickly):
1892         (JSC::JSObject::tryGetIndexQuickly const):
1893         (JSC::JSObject::canSetIndexQuickly):
1894         (JSC::JSObject::setIndexQuickly):
1895         (JSC::JSObject::initializeIndex):
1896         (JSC::JSObject::initializeIndexWithoutBarrier):
1897         (JSC::JSObject::hasSparseMap):
1898         (JSC::JSObject::inSparseIndexingMode):
1899         (JSC::JSObject::butterfly const):
1900         (JSC::JSObject::butterfly):
1901         (JSC::JSObject::outOfLineStorage const):
1902         (JSC::JSObject::outOfLineStorage):
1903         (JSC::JSObject::ensureInt32):
1904         (JSC::JSObject::ensureDouble):
1905         (JSC::JSObject::ensureContiguous):
1906         (JSC::JSObject::ensureArrayStorage):
1907         (JSC::JSObject::arrayStorage):
1908         (JSC::JSObject::arrayStorageOrNull):
1909         (JSC::JSObject::ensureLength):
1910         * runtime/RegExpMatchesArray.h:
1911         (JSC::tryCreateUninitializedRegExpMatchesArray):
1912         * runtime/VM.cpp:
1913         (JSC::VM::VM):
1914         (JSC::VM::~VM):
1915         (JSC::VM::primitiveGigacageDisabledCallback):
1916         (JSC::VM::primitiveGigacageDisabled):
1917         (JSC::VM::gigacageDisabledCallback): Deleted.
1918         (JSC::VM::gigacageDisabled): Deleted.
1919         * runtime/VM.h:
1920         (JSC::VM::gigacageAuxiliarySpace):
1921         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1922         (JSC::VM::primitiveGigacageEnabled):
1923         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1924         (JSC::VM::gigacageEnabled): Deleted.
1925         * wasm/WasmMemory.cpp:
1926         (JSC::Wasm::Memory::create):
1927         (JSC::Wasm::Memory::~Memory):
1928         (JSC::Wasm::Memory::grow):
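
The two caging entries above ("Baseline JIT should do caging" and the two-gigacage change) describe a mitigation without showing its core operation. The following is an added example, not WebKit's Gigacage code: a small model in which each cage is a region aligned to its own size, a pointer is caged by keeping only its in-cage offset bits and re-basing them on the cage, and a disabled cage (null base) passes pointers through unchanged. The names cage_kind, cage_enable, cage_disable, caged, is_inside_cage and the 1 MiB cage size are this example's own.

```c
/* Added example (not WebKit's code): a model of pointer caging with two
 * cages, mirroring the Primitive / JSValue split described above.
 * caged(kind, p) = base(kind) + (p & mask), or p unchanged when the cage
 * is disabled (the defensive "caging disabled" path the entries mention).
 * Bounding the result to the cage region is what limits what a corrupted
 * pointer can reach. The cage size here is constructed (1 MiB); a real
 * gigacage reserves a far larger region. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

enum cage_kind { CAGE_PRIMITIVE = 0, CAGE_JSVALUE = 1, CAGE_COUNT = 2 };

#define CAGE_SIZE ((uintptr_t)1 << 20)   /* constructed: 1 MiB per cage */
#define CAGE_MASK (CAGE_SIZE - 1)        /* keeps only the in-cage offset */

static uint8_t* cage_base[CAGE_COUNT];   /* NULL means "cage disabled" */

/* Reserve the cage aligned to its own size, so the offset bits of any
 * address inside it never overlap the base bits. Returns 1 on success. */
static int cage_enable(enum cage_kind kind)
{
    void* p = NULL;
    if (posix_memalign(&p, (size_t)CAGE_SIZE, (size_t)CAGE_SIZE) != 0)
        return 0;
    cage_base[kind] = p;
    return 1;
}

static void cage_disable(enum cage_kind kind)
{
    free(cage_base[kind]);
    cage_base[kind] = NULL;
}

/* The core operation modelled on the entries above. */
static void* caged(enum cage_kind kind, void* ptr)
{
    uint8_t* base = cage_base[kind];
    if (!base)
        return ptr;                      /* caging disabled: pass through */
    return base + ((uintptr_t)ptr & CAGE_MASK);
}

static int is_inside_cage(enum cage_kind kind, const void* ptr)
{
    const uint8_t* base = cage_base[kind];
    if (!base)
        return 0;
    const uint8_t* p = ptr;
    return p >= base && p < base + CAGE_SIZE;
}

/* Walks through the three cases; returns 1 if all behave as described. */
static int demo_caging(void)
{
    if (!cage_enable(CAGE_PRIMITIVE))
        return 0;
    int ok = 1;

    /* 1. A pointer already in the cage is unchanged by caging. */
    uint8_t* inside = cage_base[CAGE_PRIMITIVE] + 0x1234;
    ok &= (caged(CAGE_PRIMITIVE, inside) == inside);

    /* 2. A pointer outside the cage (here: a stack object) is pulled back in. */
    int outside_obj = 0;
    ok &= is_inside_cage(CAGE_PRIMITIVE, caged(CAGE_PRIMITIVE, &outside_obj));

    /* 3. The JSValue cage is disabled, so it passes pointers through. */
    ok &= (caged(CAGE_JSVALUE, &outside_obj) == (void*)&outside_obj);

    cage_disable(CAGE_PRIMITIVE);
    return ok;
}

int main(void)
{
    return demo_caging() ? 0 : 1;
}
```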
1929
1930 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1931
1932         Unreviewed, rolling out r220144.
1933         https://bugs.webkit.org/show_bug.cgi?id=175276
1934
1935         "It did not actually speed things up in the way I expected"
1936         (Requested by saamyjoon on #webkit).
1937
1938         Reverted changeset:
1939
1940         "On memory-constrained iOS devices, reduce the rate at which
1941         the JS heap grows before a GC to try to keep more memory
1942         available for the system"
1943         https://bugs.webkit.org/show_bug.cgi?id=175041
1944         http://trac.webkit.org/changeset/220144
1945
1946 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1947
1948         Unreviewed, rolling out r220299.
1949
1950         This change caused LayoutTest inspector/dom-debugger/dom-
1951         breakpoints.html to fail.
1952
1953         Reverted changeset:
1954
1955         "Web Inspector: capture async stack trace when workers/main
1956         context posts a message"
1957         https://bugs.webkit.org/show_bug.cgi?id=167084
1958         http://trac.webkit.org/changeset/220299
1959
1960 2017-08-07  Brian Burg  <bburg@apple.com>
1961
1962         Remove CANVAS_PATH compilation guard
1963         https://bugs.webkit.org/show_bug.cgi?id=175207
1964
1965         Reviewed by Sam Weinig.
1966
1967         * Configurations/FeatureDefines.xcconfig:
1968
1969 2017-08-07  Keith Miller  <keith_miller@apple.com>
1970
1971         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
1972         https://bugs.webkit.org/show_bug.cgi?id=175256
1973
1974         Reviewed by Saam Barati.
1975
1976         The check in createFromBytes just needed to check that the buffer was not null before
1977         calling isCaged.
1978
1979         * runtime/ArrayBuffer.cpp:
1980         (JSC::ArrayBuffer::createFromBytes):
1981
1982 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
1983
1984         [GTK][WPE] Add API to provide browser information required by automation
1985         https://bugs.webkit.org/show_bug.cgi?id=175130
1986
1987         Reviewed by Brian Burg.
1988
1989         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
1990         get them.
1991
1992         * inspector/remote/RemoteInspector.cpp:
1993         (Inspector::RemoteInspector::updateClientCapabilities): Also update browserName and browserVersion.
1994         * inspector/remote/RemoteInspector.h:
1995         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1996         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
1997         requested to ensure they are updated before the StartAutomationSession reply is sent.
1998         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
1999         StartAutomationSession message.
2000
2001 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2002
2003         Promise resolve and reject function should have length = 1
2004         https://bugs.webkit.org/show_bug.cgi?id=175242
2005
2006         Reviewed by Saam Barati.
2007
2008         Previously we had a separate system for "length" and "name" for builtin functions.
2009         The builtin functions do not use the lazy reifying system. Instead, they have direct
2010         properties when instantiated. While the function created for properties (like
2011         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
2012         these builtin functions are just created by JSFunction::create(). Since it does
2013         not set any values for "length", these functions do not have a "length" property.
2014         So, the resolve and reject functions passed to Promise's executor do not have a
2015         "length" property.
2016
2017         This patch makes builtin functions use the standard lazy reifying system for "length".
2018         So, the "length" property of a builtin function just works as it does for normal
2019         functions.
2020
2021         * runtime/JSFunction.cpp:
2022         (JSC::JSFunction::createBuiltinFunction):
2023         (JSC::JSFunction::getOwnPropertySlot):
2024         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2025         (JSC::JSFunction::put):
2026         (JSC::JSFunction::deleteProperty):
2027         (JSC::JSFunction::defineOwnProperty):
2028         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2029         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2030         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2031         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2032         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2033         * runtime/JSFunction.h:
2034
2035 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2036
2037         [ESNext] Async iteration - Implement Async Generator - parser
2038         https://bugs.webkit.org/show_bug.cgi?id=175210
2039
2040         Reviewed by Yusuke Suzuki.
2041
2042         The current implementation is a draft version of Async Iteration.
2043         Link to spec: https://tc39.github.io/proposal-async-iteration/

2045         The current patch implements only the parser part of the Async generator.
2046         The runtime part will be in the next patches.
2047
2048         * parser/ASTBuilder.h:
2049         (JSC::ASTBuilder::createFunctionMetadata):
2050         * parser/Parser.cpp:
2051         (JSC::getAsynFunctionBodyParseMode):
2052         (JSC::Parser<LexerType>::parseInner):
2053         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2054         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2055         (JSC::stringArticleForFunctionMode):
2056         (JSC::stringForFunctionMode):
2057         (JSC::Parser<LexerType>::parseFunctionInfo):
2058         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2059         (JSC::Parser<LexerType>::parseClass):
2060         (JSC::Parser<LexerType>::parseProperty):
2061         (JSC::Parser<LexerType>::parsePropertyMethod):
2062         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2063         * parser/Parser.h:
2064         (JSC::Scope::setSourceParseMode):
2065         * parser/ParserModes.h:
2066         (JSC::isFunctionParseMode):
2067         (JSC::isAsyncFunctionParseMode):
2068         (JSC::isAsyncArrowFunctionParseMode):
2069         (JSC::isAsyncGeneratorFunctionParseMode):
2070         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2071         (JSC::isAsyncFunctionWrapperParseMode):
2072         (JSC::isAsyncFunctionBodyParseMode):
2073         (JSC::isGeneratorMethodParseMode):
2074         (JSC::isAsyncMethodParseMode):
2075         (JSC::isAsyncGeneratorMethodParseMode):
2076         (JSC::isMethodParseMode):
2077         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2078         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2079
2080 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2081
2082         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2083         https://bugs.webkit.org/show_bug.cgi?id=175083
2084
2085         Reviewed by Oliver Hunt.
2086         
2087         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2088         even if we are using the pop path.
2089         
2090         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2091         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2092         the world just because we changed it.
2093         
2094         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2095         easier to debug leaks.
2096
2097         * bytecode/AccessCase.cpp:
2098         * bytecode/PolymorphicAccess.cpp:
2099         * heap/HeapCell.cpp:
2100         (JSC::HeapCell::isLive):
2101         * heap/HeapCellInlines.h:
2102         (JSC::HeapCell::isLive): Deleted.
2103         * heap/MarkedAllocator.cpp:
2104         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2105         (JSC::MarkedAllocator::endMarking):
2106         * heap/MarkedBlockInlines.h:
2107         (JSC::MarkedBlock::Handle::specializedSweep):
2108         * jit/AssemblyHelpers.cpp:
2109         * jit/Repatch.cpp:
2110         * runtime/TestRunnerUtils.h:
2111         * runtime/VM.cpp:
2112         (JSC::waitForVMDestruction):
2113         (JSC::VM::~VM):
2114
2115 2017-08-05  Mark Lam  <mark.lam@apple.com>
2116
2117         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2118         https://bugs.webkit.org/show_bug.cgi?id=175228
2119         <rdar://problem/33735737>
2120
2121         Reviewed by Saam Barati.
2122
2123         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2124         delete OSRExit32_64.cpp.
2125
2126         * CMakeLists.txt:
2127         * JavaScriptCore.xcodeproj/project.pbxproj:
2128         * dfg/DFGOSRExit.cpp:
2129         (JSC::DFG::OSRExit::compileExit):
2130         * dfg/DFGOSRExit32_64.cpp: Removed.
2131         * jit/GPRInfo.h:
2132         (JSC::JSValueSource::payloadGPR const):
2133
2134 2017-08-04  Youenn Fablet  <youenn@apple.com>
2135
2136         [Cache API] Add Cache and CacheStorage IDL definitions
2137         https://bugs.webkit.org/show_bug.cgi?id=175201
2138
2139         Reviewed by Brady Eidson.
2140
2141         * runtime/CommonIdentifiers.h:
2142
2143 2017-08-04  Mark Lam  <mark.lam@apple.com>
2144
2145         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2146         https://bugs.webkit.org/show_bug.cgi?id=175230
2147         <rdar://problem/33735857>
2148
2149         Reviewed by Saam Barati.
2150
2151         * assembler/testmasm.cpp:
2152         (JSC::testProbeReadsArgumentRegisters):
2153         (JSC::testProbeWritesArgumentRegisters):
2154
2155 2017-08-04  Mark Lam  <mark.lam@apple.com>
2156
2157         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2158         https://bugs.webkit.org/show_bug.cgi?id=175214
2159         <rdar://problem/33733308>
2160
2161         Rubber-stamped by Michael Saboff.
2162
2163         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2164         DFGOSRExitCompiler files.
2165
2166         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2167
2168         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2169         used by compileOSRExit(), and will be changed to not be a DFG operation function
2170         when we use JIT probes for DFG OSR exits later in
2171         https://bugs.webkit.org/show_bug.cgi?id=175144.
2172
2173         * CMakeLists.txt:
2174         * JavaScriptCore.xcodeproj/project.pbxproj:
2175         * dfg/DFGJITCompiler.cpp:
2176         * dfg/DFGOSRExit.cpp:
2177         (JSC::DFG::OSRExit::emitRestoreArguments):
2178         (JSC::DFG::OSRExit::compileOSRExit):
2179         (JSC::DFG::OSRExit::compileExit):
2180         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2181         * dfg/DFGOSRExit.h:
2182         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2183         * dfg/DFGOSRExitCompiler.cpp: Removed.
2184         * dfg/DFGOSRExitCompiler.h: Removed.
2185         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2186         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2187         * dfg/DFGOperations.cpp:
2188         * dfg/DFGOperations.h:
2189         * dfg/DFGThunks.cpp:
2190
2191 2017-08-04  Matt Baker  <mattbaker@apple.com>
2192
2193         Web Inspector: capture async stack trace when workers/main context posts a message
2194         https://bugs.webkit.org/show_bug.cgi?id=167084
2195         <rdar://problem/30033673>
2196
2197         Reviewed by Brian Burg.
2198
2199         * inspector/agents/InspectorDebuggerAgent.h:
2200         Add `PostMessage` async call type.
2201
2202 2017-08-04  Mark Lam  <mark.lam@apple.com>
2203
2204         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2205         https://bugs.webkit.org/show_bug.cgi?id=175208
2206         <rdar://problem/33732402>
2207
2208         Reviewed by Saam Barati.
2209
2210         This will minimize the code diff and make it easier to review the patch for
2211         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2212         steps:
2213
2214         1. Do the code changes to move methods into OSRExit.
2215         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2216         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2217
2218         Splitting this refactoring into these 3 steps also makes it easier to review this
2219         patch and understand what is being changed.
2220
2221         * dfg/DFGOSRExit.h:
2222         * dfg/DFGOSRExitCompiler.cpp:
2223         (JSC::DFG::OSRExit::emitRestoreArguments):
2224         (JSC::DFG::OSRExit::compileOSRExit):
2225         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2226         (): Deleted.
2227         * dfg/DFGOSRExitCompiler.h:
2228         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2229         (): Deleted.
2230         * dfg/DFGOSRExitCompiler32_64.cpp:
2231         (JSC::DFG::OSRExit::compileExit):
2232         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2233         * dfg/DFGOSRExitCompiler64.cpp:
2234         (JSC::DFG::OSRExit::compileExit):
2235         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2236         * dfg/DFGThunks.cpp:
2237         (JSC::DFG::osrExitGenerationThunkGenerator):
2238
2239 2017-08-04  Devin Rousso  <drousso@apple.com>
2240
2241         Web Inspector: add source view for WebGL shader programs
2242         https://bugs.webkit.org/show_bug.cgi?id=138593
2243         <rdar://problem/18936194>
2244
2245         Reviewed by Matt Baker.
2246
2247         * inspector/protocol/Canvas.json:
2248          - Add `ShaderType` enum that contains "vertex" and "fragment".
2249          - Add `requestShaderSource` command that will return the original source code for a given
2250            shader program and shader type.
2251
2252 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2253
2254         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2255         https://bugs.webkit.org/show_bug.cgi?id=175141
2256
2257         Reviewed by Mark Lam.
2258         
2259         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2260         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2261         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2262         determined by the AlignedMemoryAllocator object.
2263         
2264         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2265         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2266         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2267         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2268         they use the same AlignedMemoryAllocator.
2269
2270         * CMakeLists.txt:
2271         * JavaScriptCore.xcodeproj/project.pbxproj:
2272         * heap/AlignedMemoryAllocator.cpp: Added.
2273         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2274         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2275         * heap/AlignedMemoryAllocator.h: Added.
2276         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2277         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2278         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2279         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2280         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2281         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2282         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2283         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2284         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2285         (JSC::GigacageAlignedMemoryAllocator::singleton):
2286         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2287         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2288         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2289         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2290         (JSC::GigacageAlignedMemoryAllocator::dump const):
2291         * heap/GigacageAlignedMemoryAllocator.h: Added.
2292         * heap/GigacageSubspace.cpp: Removed.
2293         * heap/GigacageSubspace.h: Removed.
2294         * heap/LargeAllocation.cpp:
2295         (JSC::LargeAllocation::tryCreate):
2296         (JSC::LargeAllocation::destroy):
2297         * heap/MarkedAllocator.cpp:
2298         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2299         * heap/MarkedBlock.cpp:
2300         (JSC::MarkedBlock::tryCreate):
2301         (JSC::MarkedBlock::Handle::Handle):
2302         (JSC::MarkedBlock::Handle::~Handle):
2303         (JSC::MarkedBlock::Handle::didAddToAllocator):
2304         (JSC::MarkedBlock::Handle::subspace const):
2305         * heap/MarkedBlock.h:
2306         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2307         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2308         * heap/Subspace.cpp:
2309         (JSC::Subspace::Subspace):
2310         (JSC::Subspace::findEmptyBlockToSteal):
2311         (JSC::Subspace::canTradeBlocksWith): Deleted.
2312         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2313         (JSC::Subspace::freeAlignedMemory): Deleted.
2314         * heap/Subspace.h:
2315         (JSC::Subspace::name const):
2316         (JSC::Subspace::alignedMemoryAllocator const):
2317         * runtime/JSDestructibleObjectSubspace.cpp:
2318         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2319         * runtime/JSDestructibleObjectSubspace.h:
2320         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2321         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2322         * runtime/JSSegmentedVariableObjectSubspace.h:
2323         * runtime/JSStringSubspace.cpp:
2324         (JSC::JSStringSubspace::JSStringSubspace):
2325         * runtime/JSStringSubspace.h:
2326         * runtime/VM.cpp:
2327         (JSC::VM::VM):
2328         * runtime/VM.h:
2329         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2330         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2331         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2332
2333 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2334
2335         [ESNext] Async iteration - update feature.json
2336         https://bugs.webkit.org/show_bug.cgi?id=175197
2337
2338         Reviewed by Yusuke Suzuki.
2339
2340         Update feature.json to add the status of Async Iteration
2341
2342         * features.json:
2343
2344 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2345
2346         Unreviewed, rolling out r220271.
2347
2348         Rolling out due to Layout Test failing on iOS Simulator.
2349
2350         Reverted changeset:
2351
2352         "Remove STREAMS_API compilation guard"
2353         https://bugs.webkit.org/show_bug.cgi?id=175165
2354         http://trac.webkit.org/changeset/220271
2355
2356 2017-08-04  Youenn Fablet  <youenn@apple.com>
2357
2358         Remove STREAMS_API compilation guard
2359         https://bugs.webkit.org/show_bug.cgi?id=175165
2360
2361         Reviewed by Darin Adler.
2362
2363         * Configurations/FeatureDefines.xcconfig:
2364
2365 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2366
2367         [EsNext] Async iteration - Add feature flag
2368         https://bugs.webkit.org/show_bug.cgi?id=166694
2369
2370         Reviewed by Yusuke Suzuki.
2371
2372         Add feature flag to JSC to switch on/off Async Iterator
2373
2374         * runtime/Options.h:
2375
2376 2017-08-03  Brian Burg  <bburg@apple.com>
2377
2378         Remove ENABLE(WEB_SOCKET) guards
2379         https://bugs.webkit.org/show_bug.cgi?id=167044
2380
2381         Reviewed by Joseph Pecoraro.
2382
2383         * Configurations/FeatureDefines.xcconfig:
2384
2385 2017-08-03  Youenn Fablet  <youenn@apple.com>
2386
2387         Remove FETCH_API compilation guard
2388         https://bugs.webkit.org/show_bug.cgi?id=175154
2389
2390         Reviewed by Chris Dumez.
2391
2392         * Configurations/FeatureDefines.xcconfig:
2393
2394 2017-08-03  Matt Baker  <mattbaker@apple.com>
2395
2396         Web Inspector: Instrument WebGLProgram created/deleted
2397         https://bugs.webkit.org/show_bug.cgi?id=175059
2398
2399         Reviewed by Devin Rousso.
2400
2401         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2402
2403         * inspector/protocol/Canvas.json:
2404
2405 2017-08-03  Brady Eidson  <beidson@apple.com>
2406
2407         Add SW IDLs and stub out basic functionality.
2408         https://bugs.webkit.org/show_bug.cgi?id=175115
2409
2410         Reviewed by Chris Dumez.
2411
2412         * Configurations/FeatureDefines.xcconfig:
2413
2414         * runtime/CommonIdentifiers.h:
2415
2416 2017-08-03  Mark Lam  <mark.lam@apple.com>
2417
2418         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2419         https://bugs.webkit.org/show_bug.cgi?id=175142
2420         <rdar://problem/33704528>
2421
2422         Reviewed by Filip Pizlo.
2423
2424         The convention in the rest of JSC for such methods which return the address of
2425         a field is to name them "addressOf<field name>".  We'll rename
2426         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2427
2428         * dfg/DFGSpeculativeJIT.cpp:
2429         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2430         * dfg/DFGSpeculativeJIT32_64.cpp:
2431         (JSC::DFG::SpeculativeJIT::compile):
2432         * dfg/DFGSpeculativeJIT64.cpp:
2433         (JSC::DFG::SpeculativeJIT::compile):
2434         * dfg/DFGThunks.cpp:
2435         (JSC::DFG::osrExitGenerationThunkGenerator):
2436         * ftl/FTLLowerDFGToB3.cpp:
2437         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2438         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2439         * ftl/FTLThunks.cpp:
2440         (JSC::FTL::genericGenerationThunkGenerator):
2441         * jit/AssemblyHelpers.cpp:
2442         (JSC::AssemblyHelpers::debugCall):
2443         * jit/ScratchRegisterAllocator.cpp:
2444         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2445         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2446         * runtime/VM.h:
2447         (JSC::ScratchBuffer::addressOfActiveLength):
2448         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2449         * wasm/WasmBinding.cpp:
2450         (JSC::Wasm::wasmToJs):
2451
2452 2017-08-02  Devin Rousso  <drousso@apple.com>
2453
2454         Web Inspector: add stack trace information for each RecordingAction
2455         https://bugs.webkit.org/show_bug.cgi?id=174663
2456
2457         Reviewed by Joseph Pecoraro.
2458
2459         * inspector/ScriptCallFrame.h:
2460         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2461         with an existing value doesn't require a functor and can use existing code.
2462
2463         * interpreter/StackVisitor.h:
2464         * interpreter/StackVisitor.cpp:
2465         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2466
2467 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2468
2469         Merge WTFThreadData to Thread::current
2470         https://bugs.webkit.org/show_bug.cgi?id=174716
2471
2472         Reviewed by Mark Lam.
2473
2474         Use Thread::current() instead.
2475
2476         * API/JSContext.mm:
2477         (+[JSContext currentContext]):
2478         (+[JSContext currentThis]):
2479         (+[JSContext currentCallee]):
2480         (+[JSContext currentArguments]):
2481         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2482         (-[JSContext endCallbackWithData:]):
2483         * heap/Heap.cpp:
2484         (JSC::Heap::requestCollection):
2485         * runtime/Completion.cpp:
2486         (JSC::checkSyntax):
2487         (JSC::checkModuleSyntax):
2488         (JSC::evaluate):
2489         (JSC::loadAndEvaluateModule):
2490         (JSC::loadModule):
2491         (JSC::linkAndEvaluateModule):
2492         (JSC::importModule):
2493         * runtime/Identifier.cpp:
2494         (JSC::Identifier::checkCurrentAtomicStringTable):
2495         * runtime/InitializeThreading.cpp:
2496         (JSC::initializeThreading):
2497         * runtime/JSLock.cpp:
2498         (JSC::JSLock::didAcquireLock):
2499         (JSC::JSLock::willReleaseLock):
2500         (JSC::JSLock::dropAllLocks):
2501         (JSC::JSLock::grabAllLocks):
2502         * runtime/JSLock.h:
2503         * runtime/VM.cpp:
2504         (JSC::VM::VM):
2505         (JSC::VM::updateStackLimits):
2506         (JSC::VM::committedStackByteCount):
2507         * runtime/VM.h:
2508         (JSC::VM::isSafeToRecurse const):
2509         * runtime/VMEntryScope.cpp:
2510         (JSC::VMEntryScope::VMEntryScope):
2511         * runtime/VMInlines.h:
2512         (JSC::VM::ensureStackCapacityFor):
2513         * yarr/YarrPattern.cpp:
2514         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2515
2516 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2517
2518         LLInt should do pointer caging
2519         https://bugs.webkit.org/show_bug.cgi?id=175036
2520
2521         Reviewed by Keith Miller.
2522
2523         Implementing this in the LLInt was challenging because offlineasm did not previously know
2524         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2525         to be where the Gigacage is enabled right now.
2526
2527         * llint/LLIntOfflineAsmConfig.h:
2528         * llint/LowLevelInterpreter64.asm:
2529         * offlineasm/ast.rb:
2530         * offlineasm/x86.rb:
2531
2532 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2533
2534         Sweeping should only scribble when sweeping to free list
2535         https://bugs.webkit.org/show_bug.cgi?id=175105
2536
2537         Reviewed by Saam Barati.
2538         
2539         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2540         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2541         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2542         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2543         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2544         when it doesn't matter anyway because we're building a free list.
2545         
2546         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2547         zap.
2548
2549         * heap/MarkedBlockInlines.h:
2550         (JSC::MarkedBlock::Handle::specializedSweep):
2551
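The zap-versus-scribble interaction this entry describes, as an added example and not JSC's own sweep code. It is a toy model: a cell is four 32-bit words, the first word is the header and a header of 0 is the zap word; `SCRIBBLE_WORD`, the `sweep_mode_t` names and the sweep-twice scenario are assumptions chosen to reproduce the failure described above, in which a destructor is invoked on memory that has already been scribbled.

```c
/*
 * Added example (not JSC code): a toy model of the zap/scribble
 * interaction described in the ChangeLog entry above. A cell's first
 * word is its header; a header of 0 is the "zap" word, meaning "the
 * destructor already ran". SCRIBBLE_WORD is the poison pattern written
 * over dead cells. Cell size, field layout and the mode names are
 * assumptions for the model.
 */
#include <stdint.h>

#define SCRIBBLE_WORD 0xbadbeef0u
#define CELL_WORDS 4

typedef enum { SWEEP_ONLY, SWEEP_TO_FREE_LIST } sweep_mode_t;

typedef struct {
    uint32_t words[CELL_WORDS]; /* words[0] is the header; 0 == zapped */
} cell_t;

static int destructor_calls;        /* how many times the destructor ran */
static int destructor_saw_scribble; /* set when it ran on a scribbled cell */

/* Destructor: reads the payload (models a pointer dereference), then zaps. */
static void destruct(cell_t *c)
{
    destructor_calls++;
    if (c->words[1] == SCRIBBLE_WORD)
        destructor_saw_scribble = 1; /* dereferencing poisoned data */
    c->words[0] = 0;                 /* zap: mark the cell as destructed */
}

static void scribble(cell_t *c)
{
    for (int i = 0; i < CELL_WORDS; i++)
        c->words[i] = SCRIBBLE_WORD;
}

/*
 * Sweep one dead cell. 'fixed' selects the corrected policy from the
 * entry above: scribble only when sweeping to a free list. The buggy
 * variant scribbles in SWEEP_ONLY too, overwriting the zap word.
 */
static void sweep_cell(cell_t *c, sweep_mode_t mode, int fixed)
{
    if (c->words[0] != 0)  /* header not zapped: destructor still owed */
        destruct(c);
    if (mode == SWEEP_TO_FREE_LIST || !fixed)
        scribble(c);
}

/*
 * Sweep the same dead cell twice in SWEEP_ONLY mode (a block can be
 * swept more than once before it is reused). Returns 1 if the
 * destructor ran exactly once and never saw poisoned memory.
 */
static int run_scenario(int fixed)
{
    cell_t c = { { 0x1, 0x2, 0x3, 0x4 } }; /* live-looking header, real payload */
    destructor_calls = 0;
    destructor_saw_scribble = 0;
    sweep_cell(&c, SWEEP_ONLY, fixed);
    sweep_cell(&c, SWEEP_ONLY, fixed);
    return destructor_calls == 1 && !destructor_saw_scribble;
}
```

`run_scenario(0)` models the regression: the first SWEEP_ONLY pass destructs and zaps the cell, then scribbles over the zap word, so the second pass sees a non-zero header and runs the destructor on poisoned data. `run_scenario(1)` applies the fix from this entry, scribbling only when sweeping to a free list, where the next event for the cell is an allocation that rewrites the header anyway.
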
2552 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2553
2554         All C++ accesses to JSObject::m_butterfly should do caging
2555         https://bugs.webkit.org/show_bug.cgi?id=175039
2556
2557         Reviewed by Keith Miller.
2558         
2559         Makes JSObject::m_butterfly a AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2560         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2561         outside the gigacage.
2562
2563         * runtime/JSArray.cpp:
2564         (JSC::JSArray::setLength):
2565         (JSC::JSArray::pop):
2566         (JSC::JSArray::push):
2567         (JSC::JSArray::shiftCountWithAnyIndexingType):
2568         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2569         (JSC::JSArray::fillArgList):
2570         (JSC::JSArray::copyToArguments):
2571         * runtime/JSObject.cpp:
2572         (JSC::JSObject::heapSnapshot):
2573         (JSC::JSObject::createInitialIndexedStorage):
2574         (JSC::JSObject::createArrayStorage):
2575         (JSC::JSObject::convertUndecidedToInt32):
2576         (JSC::JSObject::convertUndecidedToDouble):
2577         (JSC::JSObject::convertUndecidedToContiguous):
2578         (JSC::JSObject::convertInt32ToDouble):
2579         (JSC::JSObject::convertInt32ToArrayStorage):
2580         (JSC::JSObject::convertDoubleToContiguous):
2581         (JSC::JSObject::convertDoubleToArrayStorage):
2582         (JSC::JSObject::convertContiguousToArrayStorage):
2583         (JSC::JSObject::defineOwnIndexedProperty):
2584         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2585         (JSC::JSObject::ensureLengthSlow):
2586         (JSC::JSObject::allocateMoreOutOfLineStorage):
2587         * runtime/JSObject.h:
2588         (JSC::JSObject::canGetIndexQuickly):
2589         (JSC::JSObject::getIndexQuickly):
2590         (JSC::JSObject::tryGetIndexQuickly const):
2591         (JSC::JSObject::canSetIndexQuickly):
2592         (JSC::JSObject::setIndexQuickly):
2593         (JSC::JSObject::initializeIndex):
2594         (JSC::JSObject::initializeIndexWithoutBarrier):
2595         (JSC::JSObject::butterfly const):
2596         (JSC::JSObject::butterfly):
2597
2598 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2599
2600         We should be OK with the gigacage being disabled on gmalloc
2601         https://bugs.webkit.org/show_bug.cgi?id=175082
2602
2603         Reviewed by Michael Saboff.
2604
2605         * jsc.cpp:
2606         (jscmain):
2607
2608 2017-08-02  Saam Barati  <sbarati@apple.com>
2609
2610         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2611         https://bugs.webkit.org/show_bug.cgi?id=175041
2612         <rdar://problem/33659370>
2613
2614         Reviewed by Filip Pizlo.
2615
2616         The testing I have done shows that this new function is a ~10%
2617         progression running JetStream on 1GB iOS devices. I've also tried
2618         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2619         or a regression. Right now, we'll just enable this for <= 1GB devices
2620         since it's a win. In the future, we might want to either look into
2621         tweaking these parameters or coming up with a new function for > 1GB
2622         devices.
2623
2624         * heap/Heap.cpp:
2625         * runtime/Options.h:
2626
2627 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2628
2629         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2630         https://bugs.webkit.org/show_bug.cgi?id=174727
2631
2632         Reviewed by Mark Lam.
2633         
2634         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2635         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2636         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2637         
2638         This is neutral on JetStream.
2639
2640         * CMakeLists.txt:
2641         * JavaScriptCore.xcodeproj/project.pbxproj:
2642         * b3/B3InsertionSet.cpp:
2643         (JSC::B3::InsertionSet::execute):
2644         * dfg/DFGAbstractInterpreterInlines.h:
2645         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2646         * dfg/DFGArgumentsEliminationPhase.cpp:
2647         * dfg/DFGClobberize.cpp:
2648         (JSC::DFG::readsOverlap):
2649         * dfg/DFGClobberize.h:
2650         (JSC::DFG::clobberize):
2651         * dfg/DFGDoesGC.cpp:
2652         (JSC::DFG::doesGC):
2653         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2654         (JSC::DFG::performFixedButterflyAccessUncaging):
2655         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2656         * dfg/DFGFixupPhase.cpp:
2657         (JSC::DFG::FixupPhase::fixupNode):
2658         * dfg/DFGHeapLocation.cpp:
2659         (WTF::printInternal):
2660         * dfg/DFGHeapLocation.h:
2661         * dfg/DFGNodeType.h:
2662         * dfg/DFGPlan.cpp:
2663         (JSC::DFG::Plan::compileInThreadImpl):
2664         * dfg/DFGPredictionPropagationPhase.cpp:
2665         * dfg/DFGSafeToExecute.h:
2666         (JSC::DFG::safeToExecute):
2667         * dfg/DFGSpeculativeJIT.cpp:
2668         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2669         * dfg/DFGSpeculativeJIT32_64.cpp:
2670         (JSC::DFG::SpeculativeJIT::compile):
2671         * dfg/DFGSpeculativeJIT64.cpp:
2672         (JSC::DFG::SpeculativeJIT::compile):
2673         * dfg/DFGTypeCheckHoistingPhase.cpp:
2674         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2675         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2676         * ftl/FTLCapabilities.cpp:
2677         (JSC::FTL::canCompile):
2678         * ftl/FTLLowerDFGToB3.cpp:
2679         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2680         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2681         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2682         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2683         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2684         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2685         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2686         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2687         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2688         (JSC::FTL::DFG::LowerDFGToB3::caged):
2689         * heap/GigacageSubspace.cpp: Added.
2690         (JSC::GigacageSubspace::GigacageSubspace):
2691         (JSC::GigacageSubspace::~GigacageSubspace):
2692         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2693         (JSC::GigacageSubspace::freeAlignedMemory):
2694         (JSC::GigacageSubspace::canTradeBlocksWith):
2695         * heap/GigacageSubspace.h: Added.
2696         * heap/Heap.cpp:
2697         (JSC::Heap::Heap):
2698         (JSC::Heap::lastChanceToFinalize):
2699         (JSC::Heap::finalize):
2700         (JSC::Heap::sweepInFinalize):
2701         (JSC::Heap::updateAllocationLimits):
2702         (JSC::Heap::shouldDoFullCollection):
2703         (JSC::Heap::collectIfNecessaryOrDefer):
2704         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2705         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2706         (JSC::Heap::sweepLargeAllocations): Deleted.
2707         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2708         * heap/Heap.h:
2709         * heap/LargeAllocation.cpp:
2710         (JSC::LargeAllocation::tryCreate):
2711         (JSC::LargeAllocation::destroy):
2712         * heap/MarkedAllocator.cpp:
2713         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2714         (JSC::MarkedAllocator::tryAllocateBlock):
2715         * heap/MarkedBlock.cpp:
2716         (JSC::MarkedBlock::tryCreate):
2717         (JSC::MarkedBlock::Handle::Handle):
2718         (JSC::MarkedBlock::Handle::~Handle):
2719         (JSC::MarkedBlock::Handle::didAddToAllocator):
2720         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2721         * heap/MarkedBlock.h:
2722         (JSC::MarkedBlock::Handle::subspace const):
2723         * heap/MarkedSpace.cpp:
2724         (JSC::MarkedSpace::~MarkedSpace):
2725         (JSC::MarkedSpace::freeMemory):
2726         (JSC::MarkedSpace::prepareForAllocation):
2727         (JSC::MarkedSpace::addMarkedAllocator):
2728         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2729         * heap/MarkedSpace.h:
2730         (JSC::MarkedSpace::firstAllocator const):
2731         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2732         * heap/Subspace.cpp:
2733         (JSC::Subspace::Subspace):
2734         (JSC::Subspace::canTradeBlocksWith):
2735         (JSC::Subspace::tryAllocateAlignedMemory):
2736         (JSC::Subspace::freeAlignedMemory):
2737         (JSC::Subspace::prepareForAllocation):
2738         (JSC::Subspace::findEmptyBlockToSteal):
2739         * heap/Subspace.h:
2740         (JSC::Subspace::didCreateFirstAllocator):
2741         * heap/SubspaceInlines.h:
2742         (JSC::Subspace::forEachAllocator):
2743         (JSC::Subspace::forEachMarkedBlock):
2744         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2745         * jit/JITPropertyAccess.cpp:
2746         (JSC::JIT::emitDoubleLoad):
2747         (JSC::JIT::emitContiguousLoad):
2748         (JSC::JIT::emitArrayStorageLoad):
2749         (JSC::JIT::emitGenericContiguousPutByVal):
2750         (JSC::JIT::emitArrayStoragePutByVal):
2751         (JSC::JIT::emit_op_get_from_scope):
2752         (JSC::JIT::emit_op_put_to_scope):
2753         (JSC::JIT::emitIntTypedArrayGetByVal):
2754         (JSC::JIT::emitFloatTypedArrayGetByVal):
2755         (JSC::JIT::emitIntTypedArrayPutByVal):
2756         (JSC::JIT::emitFloatTypedArrayPutByVal):
2757         * jsc.cpp:
2758         (fillBufferWithContentsOfFile):
2759         (functionReadFile):
2760         (gigacageDisabled):
2761         (jscmain):
2762         * llint/LowLevelInterpreter64.asm:
2763         * runtime/ArrayBuffer.cpp:
2764         (JSC::ArrayBufferContents::tryAllocate):
2765         (JSC::ArrayBuffer::createAdopted):
2766         (JSC::ArrayBuffer::createFromBytes):
2767         (JSC::ArrayBuffer::tryCreate):
2768         * runtime/IndexingHeader.h:
2769         * runtime/InitializeThreading.cpp:
2770         (JSC::initializeThreading):
2771         * runtime/JSArrayBuffer.cpp:
2772         * runtime/JSArrayBufferView.cpp:
2773         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2774         (JSC::JSArrayBufferView::finalize):
2775         * runtime/JSLock.cpp:
2776         (JSC::JSLock::didAcquireLock):
2777         * runtime/JSObject.h:
2778         * runtime/Options.cpp:
2779         (JSC::recomputeDependentOptions):
2780         * runtime/Options.h:
2781         * runtime/ScopedArgumentsTable.h:
2782         * runtime/VM.cpp:
2783         (JSC::VM::VM):
2784         (JSC::VM::~VM):
2785         (JSC::VM::gigacageDisabledCallback):
2786         (JSC::VM::gigacageDisabled):
2787         * runtime/VM.h:
2788         (JSC::VM::fireGigacageEnabledIfNecessary):
2789         (JSC::VM::gigacageEnabled):
2790         * wasm/WasmB3IRGenerator.cpp:
2791         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2792         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2793         * wasm/WasmCodeBlock.cpp:
2794         (JSC::Wasm::CodeBlock::isSafeToRun):
2795         * wasm/WasmMemory.cpp:
2796         (JSC::Wasm::makeString):
2797         (JSC::Wasm::Memory::create):
2798         (JSC::Wasm::Memory::~Memory):
2799         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2800         (JSC::Wasm::Memory::grow):
2801         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2802         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2803         * wasm/WasmMemory.h:
2804         * wasm/js/JSWebAssemblyInstance.cpp:
2805         (JSC::JSWebAssemblyInstance::create):
2806         * wasm/js/JSWebAssemblyMemory.cpp:
2807         (JSC::JSWebAssemblyMemory::grow):
2808         (JSC::JSWebAssemblyMemory::finishCreation):
2809         * wasm/js/JSWebAssemblyMemory.h:
2810         (JSC::JSWebAssemblyMemory::subspaceFor):
2811
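The masking described in this entry and in the "All C++ accesses to JSObject::m_butterfly should do caging" entry above, as an added example. This is not WebKit or bmalloc code: it models a single cage with a plain calloc'd region, a `cage_t` struct, a `cage_ptr()` mask and a toy `butterfly_t`, all of which are assumptions for the illustration (the real Gigacage is a multi-GB reserved region and has a disabled-cage fallback that this model omits).

```c
/*
 * Added example (not WebKit/JSC code): a minimal model of the pointer
 * "caging" described in the entries above. A cage is one power-of-two
 * sized region; every pointer that is supposed to point into it is
 * masked before use, so a pointer rewired by a memory-corruption bug
 * cannot make the access land outside the cage. The cage size, struct
 * names and the toy butterfly are assumptions for the illustration.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define CAGE_SIZE ((size_t)1 << 20) /* 1 MiB here; the real cage is multi-GB */

typedef struct {
    unsigned char *base; /* start of the cage region */
    uintptr_t mask;      /* CAGE_SIZE - 1; valid because CAGE_SIZE is a power of two */
} cage_t;

/* Toy auxiliary object that lives inside the cage. */
typedef struct {
    uint32_t length;
    uint32_t values[4];
} butterfly_t;

static int cage_init(cage_t *cage)
{
    cage->base = calloc(1, CAGE_SIZE);
    if (!cage->base)
        return 0;
    cage->mask = CAGE_SIZE - 1;
    return 1;
}

static void cage_destroy(cage_t *cage)
{
    free(cage->base);
    cage->base = NULL;
}

/*
 * The caging step: reduce the pointer to an offset from the cage base,
 * mask the offset to the cage size, and rebase it. An in-cage pointer
 * comes back unchanged; any other pointer wraps to an address that is
 * still inside the cage. This is a mask, not a bounds check.
 */
static void *cage_ptr(const cage_t *cage, const void *ptr)
{
    uintptr_t offset = ((uintptr_t)ptr - (uintptr_t)cage->base) & cage->mask;
    return cage->base + offset;
}

static int cage_contains(const cage_t *cage, const void *ptr)
{
    uintptr_t p = (uintptr_t)ptr;
    uintptr_t b = (uintptr_t)cage->base;
    return p >= b && p < b + CAGE_SIZE;
}

/* Butterfly element read that goes through the cage mask on every use. */
static uint32_t caged_get_index(const cage_t *cage, const butterfly_t *bf, uint32_t i)
{
    const butterfly_t *b = cage_ptr(cage, bf);
    if (i >= b->length)
        return 0;
    return b->values[i];
}

/*
 * Scenario used by the test: allocate a butterfly inside the cage, then
 * model an attacker who has overwritten an object's butterfly pointer
 * with the address of a stack buffer outside the cage. Returns 1 when
 * the in-cage pointer is untouched and the rewired one is forced back
 * inside the cage.
 */
static int demo_caging(void)
{
    cage_t cage;
    if (!cage_init(&cage))
        return 0;

    butterfly_t *good = (butterfly_t *)(cage.base + 4096);
    good->length = 2;
    good->values[0] = 11;
    good->values[1] = 22;

    uint32_t secret[8]; /* constructed "outside the cage" target */
    memset(secret, 0x41, sizeof secret);
    butterfly_t *rewired = (butterfly_t *)secret;

    int ok = cage_ptr(&cage, good) == good
          && !cage_contains(&cage, rewired)
          && cage_contains(&cage, cage_ptr(&cage, rewired))
          && caged_get_index(&cage, good, 1) == 22;

    cage_destroy(&cage);
    return ok;
}
```

The point to notice is that `cage_ptr()` never faults: a pointer rewired to point outside the cage becomes a pointer somewhere inside it. That confines what a corrupted butterfly or typed-array pointer can reach to other caged auxiliaries rather than arbitrary process memory, but it does not detect the corruption, and the access may still hit the wrong caged object. When the cage is disabled, as the "gigacage being disabled on gmalloc" entry notes can happen, the masking has to become a no-op rather than wrapping pointers into a region that was never reserved; this model does not handle that case.
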
2812 2017-07-31  Mark Lam  <mark.lam@apple.com>
2813
2814         Added some UNLIKELYs to operationOptimize().
2815         https://bugs.webkit.org/show_bug.cgi?id=174976
2816
2817         Reviewed by JF Bastien.
2818
2819         * jit/JITOperations.cpp:
2820
2821 2017-07-31  Keith Miller  <keith_miller@apple.com>
2822
2823         Make more things LLInt constexprs
2824         https://bugs.webkit.org/show_bug.cgi?id=174994
2825
2826         Reviewed by Saam Barati.
2827
2828         This patch makes more of the const values in the LLInt constexprs.
2829         It also deletes all of the no longer necessary static_asserts in
2830         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2831
2832         * interpreter/ShadowChicken.h:
2833         (JSC::ShadowChicken::Packet::tailMarker):
2834         * llint/LLIntData.cpp:
2835         (JSC::LLInt::Data::performAssertions):
2836         * llint/LowLevelInterpreter.asm:
2837         * offlineasm/generate_offset_extractor.rb:
2838         * offlineasm/parser.rb:
2839
2840 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2841
2842         Unreviewed, rolling out r220060.
2843
2844         This broke our internal builds. Contact reviewer of patch for
2845         more information.
2846
2847         Reverted changeset:
2848
2849         "Merge WTFThreadData to Thread::current"
2850         https://bugs.webkit.org/show_bug.cgi?id=174716
2851         http://trac.webkit.org/changeset/220060
2852
2853 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2854
2855         [JSC] Support optional catch binding
2856         https://bugs.webkit.org/show_bug.cgi?id=174981
2857
2858         Reviewed by Saam Barati.
2859
2860         This patch implements the optional catch binding proposal [1], which is now stage 3.
2861         This proposal adds a new `catch` brace with no error value binding.
2862
2863             ```
2864                 try {
2865                     ...
2866                 } catch {
2867                     ...
2868                 }
2869             ```
2870
2871         Sometimes we do not actually need the error value. For example, a function may return a
2872         boolean indicating whether it succeeded.
2873
2874             ```
2875             function parse(result) // -> bool
2876             {
2877                  try {
2878                      parseInner(result);
2879                  } catch {
2880                      return false;
2881                  }
2882                  return true;
2883             }
2884             ```
2885
2886         In the above case, we are not interested in the actual error value. Without this syntax,
2887         we always need to introduce a binding for an error value that is just ignored.
2888
2889         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2890
2891         * bytecompiler/NodesCodegen.cpp:
2892         (JSC::TryNode::emitBytecode):
2893         * parser/Parser.cpp:
2894         (JSC::Parser<LexerType>::parseTryStatement):
2895
2896 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2897
2898         Merge WTFThreadData to Thread::current
2899         https://bugs.webkit.org/show_bug.cgi?id=174716
2900
2901         Reviewed by Sam Weinig.
2902
2903         Use Thread::current() instead.
2904
2905         * API/JSContext.mm:
2906         (+[JSContext currentContext]):
2907         (+[JSContext currentThis]):
2908         (+[JSContext currentCallee]):
2909         (+[JSContext currentArguments]):
2910         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2911         (-[JSContext endCallbackWithData:]):
2912         * heap/Heap.cpp:
2913         (JSC::Heap::requestCollection):
2914         * runtime/Completion.cpp:
2915         (JSC::checkSyntax):
2916         (JSC::checkModuleSyntax):
2917         (JSC::evaluate):
2918         (JSC::loadAndEvaluateModule):
2919         (JSC::loadModule):
2920         (JSC::linkAndEvaluateModule):
2921         (JSC::importModule):
2922         * runtime/Identifier.cpp:
2923         (JSC::Identifier::checkCurrentAtomicStringTable):
2924         * runtime/InitializeThreading.cpp:
2925         (JSC::initializeThreading):
2926         * runtime/JSLock.cpp:
2927         (JSC::JSLock::didAcquireLock):
2928         (JSC::JSLock::willReleaseLock):
2929         (JSC::JSLock::dropAllLocks):
2930         (JSC::JSLock::grabAllLocks):
2931         * runtime/JSLock.h:
2932         * runtime/VM.cpp:
2933         (JSC::VM::VM):
2934         (JSC::VM::updateStackLimits):
2935         (JSC::VM::committedStackByteCount):
2936         * runtime/VM.h:
2937         (JSC::VM::isSafeToRecurse const):
2938         * runtime/VMEntryScope.cpp:
2939         (JSC::VMEntryScope::VMEntryScope):
2940         * runtime/VMInlines.h:
2941         (JSC::VM::ensureStackCapacityFor):
2942         * yarr/YarrPattern.cpp:
2943         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2944
2945 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2946
2947         [WTF] Introduce Private Symbols
2948         https://bugs.webkit.org/show_bug.cgi?id=174935
2949
2950         Reviewed by Darin Adler.
2951
2952         Use SymbolImpl::isPrivate().
2953
2954         * builtins/BuiltinNames.cpp:
2955         * builtins/BuiltinNames.h:
2956         (JSC::BuiltinNames::isPrivateName): Deleted.
2957         * builtins/BuiltinUtils.h:
2958         * bytecode/BytecodeIntrinsicRegistry.cpp:
2959         (JSC::BytecodeIntrinsicRegistry::lookup):
2960         * runtime/CommonIdentifiers.cpp:
2961         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2962         * runtime/CommonIdentifiers.h:
2963         * runtime/ExceptionHelpers.cpp:
2964         (JSC::createUndefinedVariableError):
2965         * runtime/Identifier.h:
2966         (JSC::Identifier::isPrivateName):
2967         * runtime/IdentifierInlines.h:
2968         (JSC::identifierToSafePublicJSValue):
2969         * runtime/ObjectConstructor.cpp:
2970         (JSC::objectConstructorAssign):
2971         (JSC::defineProperties):
2972         (JSC::setIntegrityLevel):
2973         (JSC::testIntegrityLevel):
2974         (JSC::ownPropertyKeys):
2975         * runtime/PrivateName.h:
2976         (JSC::PrivateName::PrivateName):
2977         * runtime/PropertyName.h:
2978         (JSC::PropertyName::isPrivateName):
2979         * runtime/ProxyObject.cpp:
2980         (JSC::performProxyGet):
2981         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2982         (JSC::ProxyObject::performHasProperty):
2983         (JSC::ProxyObject::performPut):
2984         (JSC::ProxyObject::performDelete):
2985         (JSC::ProxyObject::performDefineOwnProperty):
2986
2987 2017-07-29  Keith Miller  <keith_miller@apple.com>
2988
2989         LLInt offsets extractor should be able to handle C++ constexprs
2990         https://bugs.webkit.org/show_bug.cgi?id=174964
2991
2992         Reviewed by Saam Barati.
2993
2994         This patch adds new syntax to the offline asm language. The new keyword,
2995         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
2996         expression. Additionally, if the value is not an identifier you can wrap it in
2997         parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
2998         which will get converted into:
2999         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
3000
3001         This patch also changes the data format the LLIntOffsetsExtractor
3002         binary produces.  Previously, it would produce unsigned values;
3003         after this patch every value is an int64_t.  Using an int64_t is
3004         useful because it means that we can represent any constant needed.
3005         int32_t masks are sign extended, then passed on and converted to a
3006         negative literal string in the assembler, so the result will be the
3007         constant expected.
3008
3009         * llint/LLIntOffsetsExtractor.cpp:
3010         (JSC::LLIntOffsetsExtractor::dummy):
3011         * llint/LowLevelInterpreter.asm:
3012         * llint/LowLevelInterpreter64.asm:
3013         * offlineasm/asm.rb:
3014         * offlineasm/ast.rb:
3015         * offlineasm/generate_offset_extractor.rb:
3016         * offlineasm/offsets.rb:
3017         * offlineasm/parser.rb:
3018         * offlineasm/transform.rb:
3019
3020 2017-07-28  Matt Baker  <mattbaker@apple.com>
3021
3022         Web Inspector: capture an async stack trace when web content calls addEventListener
3023         https://bugs.webkit.org/show_bug.cgi?id=174739
3024         <rdar://problem/33468197>
3025
3026         Reviewed by Brian Burg.
3027
3028         Allow debugger agents to perform custom logic when asynchronous stack
3029         trace data is cleared. For example, the PageDebuggerAgent would clear
3030         its list of registered listeners for which call stacks have been recorded.
3031
3032         * inspector/agents/InspectorDebuggerAgent.cpp:
3033         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3034         * inspector/agents/InspectorDebuggerAgent.h:
3035
3036 2017-07-28  Mark Lam  <mark.lam@apple.com>
3037
3038         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3039         https://bugs.webkit.org/show_bug.cgi?id=174948
3040         <rdar://problem/33495680>
3041
3042         Reviewed by Filip Pizlo.
3043
3044         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3045         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3046         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3047         requests to fire this watchpoint.
3048
3049         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3050         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3051         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3052
3053         But since the watchpoint hasn't been destructed yet, it still remains on the
3054         WatchpointSet and needs to guard against being fired in this state.  The fix is
3055         to simply return early if its owner StructureRareData is not live.  This has the
3056         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3057         not firing as we would expect.
3058
3059         This patch also removes some cargo cult copying of watchpoint code which
3060         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3061         used.  This patch removes these unnecessary instantiations.
3062
3063         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3064         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3065         * runtime/StructureRareData.cpp:
3066         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3067         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3068
3069 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3070
3071         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3072         https://bugs.webkit.org/show_bug.cgi?id=174900
3073
3074         Reviewed by Saam Barati.
3075
3076         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
3077         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
3078         The problem is that the transforming phase also needs to check these pseudo terminals.
3079
3080             BB1
3081             1: ForceOSRExit
3082             2: CreateDirectArguments
3083
3084             BB2
3085             3: GetButterfly(@2)
3086             4: ForceOSRExit
3087
3088         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
3089
3090         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
3091
3092         * dfg/DFGArgumentsEliminationPhase.cpp:
3093
3094 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3095
3096         [ES] Add support for finally to Promise
3097         https://bugs.webkit.org/show_bug.cgi?id=174503
3098
3099         Reviewed by Yusuke Suzuki.
3100
3101         Add support for the `finally` method to Promise according
3102         to https://bugs.webkit.org/show_bug.cgi?id=174503.
3103         The current spec is at stage 3:
3104         https://github.com/tc39/proposal-promise-finally
3105
3106         * builtins/PromisePrototype.js:
3107         (finally):
3108         (const.valueThunk):
3109         (globalPrivate.getThenFinally):
3110         (const.thrower):
3111         (globalPrivate.getCatchFinally):
3112         * runtime/JSPromisePrototype.cpp:
3113
3114 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3115
3116         Unreviewed, build fix for CLoop
3117         https://bugs.webkit.org/show_bug.cgi?id=171637
3118
3119         * domjit/DOMJITGetterSetter.h:
3120
3121 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3122
3123         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3124         https://bugs.webkit.org/show_bug.cgi?id=171637
3125
3126         Reviewed by Darin Adler.
3127
3128         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
3129         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
3130
3131         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
3132         DOMJIT::GetterSetter is nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
3133
3134         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for the
3135         op_get_by_id_with_this case yet.
3136         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to CheckSubClass.
3137
3138         We also add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
3139         ClassInfo check.
3140
3141         * CMakeLists.txt:
3142         * JavaScriptCore.xcodeproj/project.pbxproj:
3143         * bytecode/AccessCase.cpp:
3144         (JSC::AccessCase::generateImpl):
3145         * bytecode/GetByIdStatus.cpp:
3146         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3147         * bytecode/GetByIdVariant.cpp:
3148         (JSC::GetByIdVariant::GetByIdVariant):
3149         (JSC::GetByIdVariant::operator=):
3150         (JSC::GetByIdVariant::attemptToMerge):
3151         (JSC::GetByIdVariant::dumpInContext):
3152         * bytecode/GetByIdVariant.h:
3153         (JSC::GetByIdVariant::customAccessorGetter):
3154         (JSC::GetByIdVariant::domAttribute):
3155         (JSC::GetByIdVariant::domJIT): Deleted.
3156         * bytecode/GetterSetterAccessCase.cpp:
3157         (JSC::GetterSetterAccessCase::create):
3158         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3159         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3160         * bytecode/GetterSetterAccessCase.h:
3161         (JSC::GetterSetterAccessCase::domAttribute):
3162         (JSC::GetterSetterAccessCase::customAccessor):
3163         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3164         * bytecompiler/BytecodeGenerator.cpp:
3165         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3166         * create_hash_table:
3167         * dfg/DFGAbstractInterpreterInlines.h:
3168         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3169         * dfg/DFGByteCodeParser.cpp:
3170         (JSC::DFG::blessCallDOMGetter):
3171         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3172         (JSC::DFG::ByteCodeParser::handleGetById):
3173         * dfg/DFGClobberize.h:
3174         (JSC::DFG::clobberize):
3175         * dfg/DFGFixupPhase.cpp:
3176         (JSC::DFG::FixupPhase::fixupNode):
3177         * dfg/DFGNode.h:
3178         * dfg/DFGSpeculativeJIT.cpp:
3179         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3180         * dfg/DFGSpeculativeJIT.h:
3181         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3182         * domjit/DOMJITGetterSetter.h:
3183         (JSC::DOMJIT::GetterSetter::GetterSetter):
3184         (JSC::DOMJIT::GetterSetter::getter):
3185         (JSC::DOMJIT::GetterSetter::compiler):
3186         (JSC::DOMJIT::GetterSetter::resultType):
3187         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3188         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3189         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3190         * ftl/FTLLowerDFGToB3.cpp:
3191         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3192         * jit/Repatch.cpp:
3193         (JSC::tryCacheGetByID):
3194         * jsc.cpp:
3195         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3196         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3197         (WTF::DOMJITGetter::customGetter):
3198         (WTF::DOMJITGetter::finishCreation):
3199         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3200         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3201         (WTF::DOMJITGetterComplex::customGetter):
3202         (WTF::DOMJITGetterComplex::finishCreation):
3203         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3204         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3205         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3206         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3207         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3208         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3209         * runtime/CustomGetterSetter.h:
3210         (JSC::CustomGetterSetter::create):
3211         (JSC::CustomGetterSetter::setter):
3212         (JSC::CustomGetterSetter::CustomGetterSetter):
3213         (): Deleted.
3214         * runtime/DOMAnnotation.h: Added.
3215         (JSC::operator==):
3216         (JSC::operator!=):
3217         * runtime/DOMAttributeGetterSetter.cpp: Added.
3218         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3219         (JSC::isDOMAttributeGetterSetter):
3220         * runtime/Error.cpp:
3221         (JSC::throwDOMAttributeGetterTypeError):
3222         * runtime/Error.h:
3223         (JSC::throwVMDOMAttributeGetterTypeError):
3224         * runtime/JSCustomGetterSetterFunction.cpp:
3225         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3226         * runtime/JSObject.cpp:
3227         (JSC::JSObject::putInlineSlow):
3228         (JSC::JSObject::deleteProperty):
3229         (JSC::JSObject::getOwnStaticPropertySlot):
3230         (JSC::JSObject::reifyAllStaticProperties):
3231         (JSC::JSObject::fillGetterPropertySlot):
3232         (JSC::JSObject::findPropertyHashEntry): Deleted.
3233         * runtime/JSObject.h:
3234         (JSC::JSObject::getOwnNonIndexPropertySlot):
3235         (JSC::JSObject::fillCustomGetterPropertySlot):
3236         * runtime/Lookup.cpp:
3237         (JSC::setUpStaticFunctionSlot):
3238         * runtime/Lookup.h:
3239         (JSC::HashTableValue::domJIT):
3240         (JSC::getStaticPropertySlotFromTable):
3241         (JSC::putEntry):
3242         (JSC::lookupPut):
3243         (JSC::reifyStaticProperty):
3244         (JSC::reifyStaticProperties):
3245         Each static property table has a new ClassInfo* field. It indicates which ClassInfo check the DOMAttributes registered in
3246         this static property table require.
3247
3248         * runtime/ProgramExecutable.cpp:
3249         (JSC::ProgramExecutable::initializeGlobalProperties):
3250         * runtime/PropertyName.h:
3251         * runtime/PropertySlot.cpp:
3252         (JSC::PropertySlot::customGetter):
3253         (JSC::PropertySlot::customAccessorGetter):
3254         * runtime/PropertySlot.h:
3255         (JSC::PropertySlot::domAttribute):
3256         (JSC::PropertySlot::setCustom):
3257         (JSC::PropertySlot::setCacheableCustom):
3258         (JSC::PropertySlot::getValue):
3259         (JSC::PropertySlot::domJIT): Deleted.
3260         * runtime/VM.cpp:
3261         (JSC::VM::VM):
3262         * runtime/VM.h:
3263
3264 2017-07-26  Devin Rousso  <drousso@apple.com>
3265
3266         Web Inspector: create protocol for recording Canvas contexts
3267         https://bugs.webkit.org/show_bug.cgi?id=174481
3268
3269         Reviewed by Joseph Pecoraro.
3270
3271         * inspector/protocol/Canvas.json:
3272          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3273          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3274          - Add `recordingFinished` event that is fired once a recording is finished.
3275
3276         * CMakeLists.txt:
3277         * DerivedSources.make:
3278         * inspector/protocol/Recording.json: Added.
3279          - Add `Type` enum that lists the types of recordings
3280          - Add `InitialState` type that contains information about the canvas context at the
3281            beginning of the recording.
3282          - Add `Frame` type that holds a list of actions that were recorded.
3283          - Add `Recording` type as the container object of recording data.
3284
3285         * inspector/scripts/codegen/generate_js_backend_commands.py:
3286         (JSBackendCommandsGenerator.generate_domain):
3287         Create an agent for domains with no events or commands.
3288
3289         * inspector/InspectorValues.h:
3290         Make Array `get` public so that values can be retrieved if needed.
3291
3292 2017-07-26  Brian Burg  <bburg@apple.com>
3293
3294         Remove WEB_TIMING feature flag
3295         https://bugs.webkit.org/show_bug.cgi?id=174795
3296
3297         Reviewed by Alex Christensen.
3298
3299         * Configurations/FeatureDefines.xcconfig:
3300
3301 2017-07-26  Mark Lam  <mark.lam@apple.com>
3302
3303         Add the ability to change sp and pc to the ARM64 JIT probe.
3304         https://bugs.webkit.org/show_bug.cgi?id=174697
3305         <rdar://problem/33436965>
3306
3307         Reviewed by JF Bastien.
3308
3309         This patch implements the following:
3310
3311         1. The ARM64 probe now supports modifying the pc and sp.
3312
3313            However, lr is not preserved when modifying the pc because it is used as the
3314            scratch register for the indirect jump. Hence, the probe handler function
3315            may not modify both lr and pc in the same probe invocation.
3316
3317         2. Fix probe tests to use bitwise comparison when comparing double register
3318            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
3319
3320         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
3321            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
3322            instructions which require 16 byte alignment for their memory access.
3323
3324         * assembler/MacroAssemblerARM64.cpp:
3325         (JSC::arm64ProbeError):
3326         (JSC::MacroAssembler::probe):
3327         (JSC::arm64ProbeTrampoline): Deleted.
3328         * assembler/testmasm.cpp:
3329         (JSC::isSpecialGPR):
3330         (JSC::testProbeReadsArgumentRegisters):
3331         (JSC::testProbeWritesArgumentRegisters):
3332         (JSC::testProbePreservesGPRS):
3333         (JSC::testProbeModifiesStackPointer):
3334         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3335         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3336
3337 2017-07-25  JF Bastien  <jfbastien@apple.com>
3338
3339         WebAssembly: generate smaller binaries
3340         https://bugs.webkit.org/show_bug.cgi?id=174818
3341
3342         Reviewed by Filip Pizlo.
3343
3344         This patch reduces generated code size for WebAssembly in 2 ways:
3345
3346         1. Use the ZR register when storing zero on ARM64.
3347         2. Synthesize wasm context lazily.
3348
3349         This leads to a modest size reduction on both x86-64 and ARM64 for
3350         large WebAssembly games, without any performance loss on WasmBench
3351         and TitzerBench.
3352
3353         The reason this works is that these games, using Emscripten,
3354         generate 100k+ tiny functions, and our JIT allocation granule
3355         rounds all allocations up to 32 bytes. There are plenty of other
3356         simple gains to be had; I've filed a follow-up bug at
3357         webkit.org/b/174819.
3358
3359         We should further avoid the per-function cost of tiering, which
3360         represents the bulk of code generated for small functions.
3361
3362         * assembler/MacroAssemblerARM64.h:
3363         (JSC::MacroAssemblerARM64::storeZero64):
3364         * assembler/MacroAssemblerX86_64.h:
3365         (JSC::MacroAssemblerX86_64::storeZero64):
3366         * b3/B3LowerToAir.cpp:
3367         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
3368         for x86 because it constrains register reuse and codegen in a way
3369         that doesn't affect ARM64 because it has a dedicated zero
3370         register.
3371         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
3372         * wasm/WasmB3IRGenerator.cpp:
3373         (JSC::Wasm::B3IRGenerator::instanceValue):
3374         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
3375         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3376         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
3377
3378 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
3379
3380         B3 should do LICM
3381         https://bugs.webkit.org/show_bug.cgi?id=174750
3382
3383         Reviewed by Keith Miller and Saam Barati.
3384         
3385         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
3386         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
3387         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
3388         change templatizes DFG::NaturalLoops so that we can just use it.
3389         
3390         The LICM phase itself is really simple. We are decently precise with our handling of everything except
3391         the relationship between control dependence and side exits.
3392         
3393         Also added a bunch of tests.
3394         
3395         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
3396         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase