[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [EsNext] Async iteration - Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=166694

        Reviewed by Yusuke Suzuki.

        Add feature flag to JSC to switch on/off Async Iterator

        * runtime/Options.h:

2017-08-03  Brian Burg  <bburg@apple.com>

        Remove ENABLE(WEB_SOCKET) guards
        https://bugs.webkit.org/show_bug.cgi?id=167044

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Youenn Fablet  <youenn@apple.com>

        Remove FETCH_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175154

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument WebGLProgram created/deleted
        https://bugs.webkit.org/show_bug.cgi?id=175059

        Reviewed by Devin Rousso.

        Extend the Canvas protocol with types/events for tracking WebGLPrograms.

        * inspector/protocol/Canvas.json:

2017-08-03  Brady Eidson  <beidson@apple.com>

        Add SW IDLs and stub out basic functionality.
        https://bugs.webkit.org/show_bug.cgi?id=175115

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/CommonIdentifiers.h:

2017-08-03  Mark Lam  <mark.lam@apple.com>

        Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
        https://bugs.webkit.org/show_bug.cgi?id=175142
        <rdar://problem/33704528>

        Reviewed by Filip Pizlo.

        The convention in the rest of JSC for such methods which return the address of
        a field is to name them "addressOf<field name>".  We'll rename
        ScratchBuffer::activeLengthPtr to be consistent with this convention.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/VM.h:
        (JSC::ScratchBuffer::addressOfActiveLength):
        (JSC::ScratchBuffer::activeLengthPtr): Deleted.
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):

2017-08-02  Devin Rousso  <drousso@apple.com>

        Web Inspector: add stack trace information for each RecordingAction
        https://bugs.webkit.org/show_bug.cgi?id=174663

        Reviewed by Joseph Pecoraro.

        * inspector/ScriptCallFrame.h:
        Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
        with an existing value doesn't require a functor and can use existing code.

        * interpreter/StackVisitor.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.

2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WTFThreadData to Thread::current
        https://bugs.webkit.org/show_bug.cgi?id=174716

        Reviewed by Mark Lam.

        Use Thread::current() instead.

        * API/JSContext.mm:
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentCallee]):
        (+[JSContext currentArguments]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse const):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        LLInt should do pointer caging
        https://bugs.webkit.org/show_bug.cgi?id=175036

        Reviewed by Keith Miller.

        Implementing this in the LLInt was challenging because offlineasm did not previously know
        how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
        to be where the Gigacage is enabled right now.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/x86.rb:

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        Sweeping should only scribble when sweeping to free list
        https://bugs.webkit.org/show_bug.cgi?id=175105

        Reviewed by Saam Barati.

        I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
        can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
        zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
        didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
        path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
        when it doesn't matter anyway because we're building a free list.

        This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
        zap.

        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        All C++ accesses to JSObject::m_butterfly should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175039

        Reviewed by Keith Miller.

        Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
        This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
        outside the gigacage.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        We should be OK with the gigacage being disabled on gmalloc
        https://bugs.webkit.org/show_bug.cgi?id=175082

        Reviewed by Michael Saboff.

        * jsc.cpp:
        (jscmain):

2017-08-02  Saam Barati  <sbarati@apple.com>

        On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
        https://bugs.webkit.org/show_bug.cgi?id=175041
        <rdar://problem/33659370>

        Reviewed by Filip Pizlo.

        The testing I have done shows that this new function is a ~10%
        progression running JetStream on 1GB iOS devices. I've also tried
        this on a few > 1GB iOS devices, and the testing shows this is either neutral
        or a regression. Right now, we'll just enable this for <= 1GB devices
        since it's a win. In the future, we might want to either look into
        tweaking these parameters or coming up with a new function for > 1GB
        devices.

        * heap/Heap.cpp:
        * runtime/Options.h:

2017-08-01  Filip Pizlo  <fpizlo@apple.com>

        Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
        https://bugs.webkit.org/show_bug.cgi?id=174727

        Reviewed by Mark Lam.

        This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
        one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
        themselves. Basically, we do masking to ensure that the pointer points into the gigacage.

        This is neutral on JetStream.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::execute):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::readsOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
        (JSC::DFG::performFixedButterflyAccessUncaging):
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/GigacageSubspace.cpp: Added.
        (JSC::GigacageSubspace::GigacageSubspace):
        (JSC::GigacageSubspace::~GigacageSubspace):
        (JSC::GigacageSubspace::tryAllocateAlignedMemory):
        (JSC::GigacageSubspace::freeAlignedMemory):
        (JSC::GigacageSubspace::canTradeBlocksWith):
        * heap/GigacageSubspace.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalize):
        (JSC::Heap::sweepInFinalize):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::shouldDoFullCollection):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
        (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
        (JSC::Heap::sweepLargeAllocations): Deleted.
        (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
        * heap/Heap.h:
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::destroy):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::tryAllocateBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::subspace const): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::subspace const):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::freeMemory):
        (JSC::MarkedSpace::prepareForAllocation):
        (JSC::MarkedSpace::addMarkedAllocator):
        (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::firstAllocator const):
        (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::canTradeBlocksWith):
        (JSC::Subspace::tryAllocateAlignedMemory):
        (JSC::Subspace::freeAlignedMemory):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        * heap/Subspace.h:
        (JSC::Subspace::didCreateFirstAllocator):
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachAllocator):
        (JSC::Subspace::forEachMarkedBlock):
        (JSC::Subspace::forEachNotEmptyMarkedBlock):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (fillBufferWithContentsOfFile):
        (functionReadFile):
        (gigacageDisabled):
        (jscmain):
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::createFromBytes):
        (JSC::ArrayBuffer::tryCreate):
        * runtime/IndexingHeader.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/JSObject.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/ScopedArgumentsTable.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::gigacageDisabledCallback):
        (JSC::VM::gigacageDisabled):
        * runtime/VM.h:
        (JSC::VM::fireGigacageEnabledIfNecessary):
        (JSC::VM::gigacageEnabled):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::isSafeToRun):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::makeString):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::addressIsInActiveFastMemory):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::Memory::initializePreallocations): Deleted.
        (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
        * wasm/WasmMemory.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        (JSC::JSWebAssemblyMemory::finishCreation):
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):

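The "masking" that the gigacage entries above describe (the FTL `caged` lowering, the CagedPtr<> adoption for JSObject::m_butterfly, and the LLInt caging) is shown below as a stand-alone C illustration added to this page; it is not WebKit or bmalloc code. The cage size, the `struct cage` / `struct object` names and the `object_get` accessor are assumptions chosen so the idea runs anywhere: a pointer is caged by keeping only its offset bits within a power-of-two, size-aligned region and rebasing them onto that region's base, so a storage pointer that no longer points into the cage cannot make the access leave it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy cage (constructed for this example): a power-of-two region whose base is
 * aligned to its size, so an in-cage address is exactly base | offset.
 * The real Gigacage is a multi-GB virtual-memory reservation made by bmalloc;
 * the 64 KiB size below is an assumption that keeps the example runnable. */
#define CAGE_SIZE ((size_t)1 << 16)
#define CAGE_MASK ((uintptr_t)CAGE_SIZE - 1)

struct cage {
    unsigned char *base;
    size_t size;
    uintptr_t mask;
};

/* Reserve the cage. aligned_alloc guarantees base % CAGE_SIZE == 0, which is
 * what makes the mask-and-rebase step below valid. */
static int cage_init(struct cage *c)
{
    void *p = aligned_alloc(CAGE_SIZE, CAGE_SIZE);
    if (!p)
        return -1;
    memset(p, 0, CAGE_SIZE);
    c->base = p;
    c->size = CAGE_SIZE;
    c->mask = CAGE_MASK;
    return 0;
}

/* "Cage" a pointer: keep only its in-cage offset bits and rebase them onto the
 * cage. A pointer already inside the cage comes back unchanged; any other
 * pointer is forced to some address inside the cage. Null stays null so the
 * usual null checks keep working. */
static void *cage_ptr(const struct cage *c, const void *ptr)
{
    if (!ptr)
        return NULL;
    return c->base + ((uintptr_t)ptr & c->mask);
}

static int cage_contains(const struct cage *c, const void *ptr)
{
    uintptr_t p = (uintptr_t)ptr, b = (uintptr_t)c->base;
    return p >= b && p < b + c->size;
}

/* An object whose out-of-line storage lives in the cage, in the spirit of a
 * JSObject whose butterfly is an auxiliary allocation (heavily simplified). */
struct object {
    uint32_t *storage;   /* expected to point into the cage */
    size_t length;
};

/* Every access goes through the caged pointer, never through the raw field. */
static uint32_t object_get(const struct cage *c, const struct object *o, size_t i)
{
    uint32_t *s = cage_ptr(c, o->storage);
    if (!s || i >= o->length)
        return 0;
    return s[i];
}

/* Exercises the properties that make caging a useful mitigation.
 * Returns 1 if all of them hold, 0 otherwise. */
static int check_caging(void)
{
    struct cage c;
    if (cage_init(&c) != 0)
        return 0;

    int ok = 1;
    struct object o = { (uint32_t *)(c.base + 0x1000), 8 };
    o.storage[3] = 0xC0FFEE;

    /* 1. In-cage pointers are not disturbed, and null is preserved. */
    ok &= cage_ptr(&c, o.storage) == (void *)o.storage;
    ok &= cage_ptr(&c, NULL) == NULL;
    ok &= object_get(&c, &o, 3) == 0xC0FFEE;

    /* 2. A storage pointer that does not point into the cage (a static buffer
     *    here, standing in for any non-cage memory) is redirected into the
     *    cage before the dereference, so the read never reaches that memory. */
    static uint32_t elsewhere[8] = { 0xDEAD, 0xDEAD, 0xDEAD, 0xDEAD,
                                     0xDEAD, 0xDEAD, 0xDEAD, 0xDEAD };
    struct object bad = { elsewhere, 8 };
    ok &= !cage_contains(&c, bad.storage);
    ok &= cage_contains(&c, cage_ptr(&c, bad.storage));
    ok &= object_get(&c, &bad, 0) != 0xDEAD;   /* lands in cage memory instead */

    free(c.base);
    return ok;
}

int main(void)
{
    printf("caging properties hold: %s\n", check_caging() ? "yes" : "no");
    return 0;
}
```

Build with a C11 compiler (for aligned_alloc). The second group of checks is the point of the mitigation the entries describe: a pointer field that has been made to point outside the cage still yields an address the cage owns, while pointers that were already in the cage pay only a mask and an add, which is why the FTL can apply it on every butterfly and typed-array access.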
448 2017-07-31  Mark Lam  <mark.lam@apple.com>
449
450         Added some UNLIKELYs to operationOptimize().
451         https://bugs.webkit.org/show_bug.cgi?id=174976
452
453         Reviewed by JF Bastien.
454
455         * jit/JITOperations.cpp:
456
457 2017-07-31  Keith Miller  <keith_miller@apple.com>
458
459         Make more things LLInt constexprs
460         https://bugs.webkit.org/show_bug.cgi?id=174994
461
462         Reviewed by Saam Barati.
463
464         This patch makes more const values in the LLInt constexprs.
465         It also deletes all of the no longer necessary static_asserts in
466         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
467
468         * interpreter/ShadowChicken.h:
469         (JSC::ShadowChicken::Packet::tailMarker):
470         * llint/LLIntData.cpp:
471         (JSC::LLInt::Data::performAssertions):
472         * llint/LowLevelInterpreter.asm:
473         * offlineasm/generate_offset_extractor.rb:
474         * offlineasm/parser.rb:
475
476 2017-07-31  Matt Lewis  <jlewis3@apple.com>
477
478         Unreviewed, rolling out r220060.
479
480         This broke our internal builds. Contact reviewer of patch for
481         more information.
482
483         Reverted changeset:
484
485         "Merge WTFThreadData to Thread::current"
486         https://bugs.webkit.org/show_bug.cgi?id=174716
487         http://trac.webkit.org/changeset/220060
488
489 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
490
491         [JSC] Support optional catch binding
492         https://bugs.webkit.org/show_bug.cgi?id=174981
493
494         Reviewed by Saam Barati.
495
496         This patch implements optional catch binding proposal[1], which is now stage 3.
497         This proposal adds a new `catch` brace with no error value binding.
498
499             ```
500                 try {
501                     ...
502                 } catch {
503                     ...
504                 }
505             ```
506
507         Sometimes we do not need to get error value actually. For example, the function returns
508         boolean which means whether the function succeeds.
509
510             ```
511             function parse(result) // -> bool
512             {
513                  try {
514                      parseInner(result);
515                  } catch {
516                      return false;
517                  }
518                  return true;
519             }
520             ```
521
522         In the above case, we are not interested in the actual error value. Without this syntax,
523         we always need to introduce a binding for an error value that is just ignored.
524
525         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
526
527         * bytecompiler/NodesCodegen.cpp:
528         (JSC::TryNode::emitBytecode):
529         * parser/Parser.cpp:
530         (JSC::Parser<LexerType>::parseTryStatement):
531
532 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
533
534         Merge WTFThreadData to Thread::current
535         https://bugs.webkit.org/show_bug.cgi?id=174716
536
537         Reviewed by Sam Weinig.
538
539         Use Thread::current() instead.
540
541         * API/JSContext.mm:
542         (+[JSContext currentContext]):
543         (+[JSContext currentThis]):
544         (+[JSContext currentCallee]):
545         (+[JSContext currentArguments]):
546         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
547         (-[JSContext endCallbackWithData:]):
548         * heap/Heap.cpp:
549         (JSC::Heap::requestCollection):
550         * runtime/Completion.cpp:
551         (JSC::checkSyntax):
552         (JSC::checkModuleSyntax):
553         (JSC::evaluate):
554         (JSC::loadAndEvaluateModule):
555         (JSC::loadModule):
556         (JSC::linkAndEvaluateModule):
557         (JSC::importModule):
558         * runtime/Identifier.cpp:
559         (JSC::Identifier::checkCurrentAtomicStringTable):
560         * runtime/InitializeThreading.cpp:
561         (JSC::initializeThreading):
562         * runtime/JSLock.cpp:
563         (JSC::JSLock::didAcquireLock):
564         (JSC::JSLock::willReleaseLock):
565         (JSC::JSLock::dropAllLocks):
566         (JSC::JSLock::grabAllLocks):
567         * runtime/JSLock.h:
568         * runtime/VM.cpp:
569         (JSC::VM::VM):
570         (JSC::VM::updateStackLimits):
571         (JSC::VM::committedStackByteCount):
572         * runtime/VM.h:
573         (JSC::VM::isSafeToRecurse const):
574         * runtime/VMEntryScope.cpp:
575         (JSC::VMEntryScope::VMEntryScope):
576         * runtime/VMInlines.h:
577         (JSC::VM::ensureStackCapacityFor):
578         * yarr/YarrPattern.cpp:
579         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
580
581 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
582
583         [WTF] Introduce Private Symbols
584         https://bugs.webkit.org/show_bug.cgi?id=174935
585
586         Reviewed by Darin Adler.
587
588         Use SymbolImpl::isPrivate().
589
590         * builtins/BuiltinNames.cpp:
591         * builtins/BuiltinNames.h:
592         (JSC::BuiltinNames::isPrivateName): Deleted.
593         * builtins/BuiltinUtils.h:
594         * bytecode/BytecodeIntrinsicRegistry.cpp:
595         (JSC::BytecodeIntrinsicRegistry::lookup):
596         * runtime/CommonIdentifiers.cpp:
597         (JSC::CommonIdentifiers::isPrivateName): Deleted.
598         * runtime/CommonIdentifiers.h:
599         * runtime/ExceptionHelpers.cpp:
600         (JSC::createUndefinedVariableError):
601         * runtime/Identifier.h:
602         (JSC::Identifier::isPrivateName):
603         * runtime/IdentifierInlines.h:
604         (JSC::identifierToSafePublicJSValue):
605         * runtime/ObjectConstructor.cpp:
606         (JSC::objectConstructorAssign):
607         (JSC::defineProperties):
608         (JSC::setIntegrityLevel):
609         (JSC::testIntegrityLevel):
610         (JSC::ownPropertyKeys):
611         * runtime/PrivateName.h:
612         (JSC::PrivateName::PrivateName):
613         * runtime/PropertyName.h:
614         (JSC::PropertyName::isPrivateName):
615         * runtime/ProxyObject.cpp:
616         (JSC::performProxyGet):
617         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
618         (JSC::ProxyObject::performHasProperty):
619         (JSC::ProxyObject::performPut):
620         (JSC::ProxyObject::performDelete):
621         (JSC::ProxyObject::performDefineOwnProperty):
622
623 2017-07-29  Keith Miller  <keith_miller@apple.com>
624
625         LLInt offsets extractor should be able to handle C++ constexprs
626         https://bugs.webkit.org/show_bug.cgi?id=174964
627
628         Reviewed by Saam Barati.
629
630         This patch adds new syntax to the offline asm language. The new keyword,
631         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
632         expression. Additionally, if the value is not an identifier you can wrap it in
633         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
634         which will get converted into:
635         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
636
637         This patch also changes the data format the LLIntOffsetsExtractor
638         binary produces.  Previously, it would produce unsigned values,
639         after this patch every value is an int64_t.  Using an int64_t is
640         useful because it means that we can represent any constant needed.
641         int32_t masks are sign extended then passed then converted to a
642         negative literal sting in the assembler so it will be the constant
643         expected.
644
645         * llint/LLIntOffsetsExtractor.cpp:
646         (JSC::LLIntOffsetsExtractor::dummy):
647         * llint/LowLevelInterpreter.asm:
648         * llint/LowLevelInterpreter64.asm:
649         * offlineasm/asm.rb:
650         * offlineasm/ast.rb:
651         * offlineasm/generate_offset_extractor.rb:
652         * offlineasm/offsets.rb:
653         * offlineasm/parser.rb:
654         * offlineasm/transform.rb:
655
656 2017-07-28  Matt Baker  <mattbaker@apple.com>
657
658         Web Inspector: capture an async stack trace when web content calls addEventListener
659         https://bugs.webkit.org/show_bug.cgi?id=174739
660         <rdar://problem/33468197>
661
662         Reviewed by Brian Burg.
663
664         Allow debugger agents to perform custom logic when asynchronous stack
665         trace data is cleared. For example, the PageDebuggerAgent would clear
666         its list of registered listeners for which call stacks have been recorded.
667
668         * inspector/agents/InspectorDebuggerAgent.cpp:
669         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
670         * inspector/agents/InspectorDebuggerAgent.h:
671
672 2017-07-28  Mark Lam  <mark.lam@apple.com>
673
674         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
675         https://bugs.webkit.org/show_bug.cgi?id=174948
676         <rdar://problem/33495680>
677
678         Reviewed by Filip Pizlo.
679
680         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
681         owner StructureRareData is already known to be dead (in terms of GC liveness) but
682         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
683         requests to fire this watchpoint.
684
685         If the GC had the chance to sweep the StructureRareData, thereby destructing the
686         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
687         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
688
689         But since the watchpoint hasn't been destructed yet, it still remains on the
690         WatchpointSet and needs to guard against being fired in this state.  The fix is
691         to simply return early if its owner StructureRareData is not live.  This has the
692         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
693         not firing as we would expect.
694
695         This patch also removes some cargo cult copying of watchpoint code which
696         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
697         used.  This patch removes these unnecessary instantiations.
698
699         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
700         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
701         * runtime/StructureRareData.cpp:
702         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
703         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
704
705 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
706
707         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
708         https://bugs.webkit.org/show_bug.cgi?id=174900
709
710         Reviewed by Saam Barati.
711
712         In the arguments elimination phase, due to high cost of AI, we intentionally do not run AI.
713         Instead, we use ForceOSRExit etc. (pseudo terminals) not to look into unreachable nodes.
714         The problem is that even transforming phase also checks this pseudo terminals.
715
716             BB1
717             1: ForceOSRExit
718             2: CreateDirectArguments
719
720             BB2
721             3: GetButterfly(@2)
722             4: ForceOSRExit
723
724         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
725
726         In this patch, we do not list candidates up after seeing pseudo terminals in basic blocks.
727
728         * dfg/DFGArgumentsEliminationPhase.cpp:
729
730 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
731
732         [ES] Add support finally to Promise
733         https://bugs.webkit.org/show_bug.cgi?id=174503
734
735         Reviewed by Yusuke Suzuki.
736
737         Add support for the `finally` method to Promise according to
738         https://bugs.webkit.org/show_bug.cgi?id=174503.
739         Current spec (Stage 3):
740         https://github.com/tc39/proposal-promise-finally
741
742         * builtins/PromisePrototype.js:
743         (finally):
744         (const.valueThunk):
745         (globalPrivate.getThenFinally):
746         (const.thrower):
747         (globalPrivate.getCatchFinally):
748         * runtime/JSPromisePrototype.cpp:
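
The entry above lists the helpers (valueThunk, thrower, getThenFinally, getCatchFinally) that JSC's builtin uses. The following is an added example, not the ChangeLog's or JavaScriptCore's code: a plain-JS rendering of the tc39 proposal's finally algorithm with the same helper structure, plus a check routine; `promiseFinally`, `speciesConstructor` and `runChecks` are names chosen for this example.

```javascript
// Added example: a plain-JS rendering of the Promise.prototype.finally
// algorithm from the tc39 proposal (https://github.com/tc39/proposal-promise-finally),
// mirroring the helper structure (valueThunk, thrower, getThenFinally,
// getCatchFinally) listed for builtins/PromisePrototype.js in the ChangeLog.
// This is NOT JavaScriptCore's builtin source; names other than those
// listed in the ChangeLog (promiseFinally, speciesConstructor, runChecks)
// are this example's own.
"use strict";

// Spec step SpeciesConstructor(promise, %Promise%): honour a subclass's
// Symbol.species, falling back to the default constructor.
function speciesConstructor(promise, defaultConstructor) {
  const C = promise.constructor;
  if (C === undefined) return defaultConstructor;
  if (C === null || (typeof C !== "object" && typeof C !== "function"))
    throw new TypeError("promise.constructor is not an object");
  const S = C[Symbol.species];
  if (S === undefined || S === null) return defaultConstructor;
  if (typeof S === "function") return S;
  throw new TypeError("constructor[Symbol.species] is not a constructor");
}

// thenFinally: run onFinally, then pass the original fulfillment value through.
function getThenFinally(onFinally, C) {
  return function thenFinally(value) {
    const result = onFinally();
    const valueThunk = () => value;
    return C.resolve(result).then(valueThunk);
  };
}

// catchFinally: run onFinally, then re-throw the original rejection reason.
function getCatchFinally(onFinally, C) {
  return function catchFinally(reason) {
    const result = onFinally();
    const thrower = () => { throw reason; };
    return C.resolve(result).then(thrower);
  };
}

// Equivalent of calling promise.finally(onFinally) with `promise` as receiver.
function promiseFinally(promise, onFinally) {
  if (promise === null || typeof promise !== "object")
    throw new TypeError("Promise.prototype.finally called on a non-object");
  const C = speciesConstructor(promise, Promise);
  let thenFinally, catchFinally;
  if (typeof onFinally !== "function") {
    // A non-callable onFinally is handed straight to then(), as the spec says.
    thenFinally = onFinally;
    catchFinally = onFinally;
  } else {
    thenFinally = getThenFinally(onFinally, C);
    catchFinally = getCatchFinally(onFinally, C);
  }
  return promise.then(thenFinally, catchFinally);
}

// Exercise the observable properties: the callback runs exactly once on both
// paths, the settled value/reason passes through untouched, a rejection from
// onFinally overrides the original outcome, and a fulfillment value from
// onFinally is discarded. Resolves to a plain results object.
async function runChecks() {
  const results = {};
  let calls = 0;
  const bump = () => { calls += 1; };

  results.fulfilledValue = await promiseFinally(Promise.resolve(42), bump);
  results.rejectedReason = await promiseFinally(
    Promise.reject(new Error("boom")), bump).catch((e) => e.message);
  results.calls = calls;

  // onFinally returning a rejected promise replaces the original settlement.
  results.overridden = await promiseFinally(
    Promise.resolve("ignored"), () => Promise.reject("override")).catch((r) => r);

  // onFinally's own fulfillment value is discarded; the original value wins.
  results.thunkWins = await promiseFinally(Promise.resolve("orig"), () => "discarded");
  return results;
}

runChecks().then((r) => console.log(r));
```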
749
750 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
751
752         Unreviewed, build fix for CLoop
753         https://bugs.webkit.org/show_bug.cgi?id=171637
754
755         * domjit/DOMJITGetterSetter.h:
756
757 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
758
759         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
760         https://bugs.webkit.org/show_bug.cgi?id=171637
761
762         Reviewed by Darin Adler.
763
764         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
765         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
766
767         We introduce DOMAnnotation which has ClassInfo* and DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
768         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
769
770         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
771         op_get_by_id_with_this case yet.
772         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
773
774         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs
775         the ClassInfo check.
776
777         * CMakeLists.txt:
778         * JavaScriptCore.xcodeproj/project.pbxproj:
779         * bytecode/AccessCase.cpp:
780         (JSC::AccessCase::generateImpl):
781         * bytecode/GetByIdStatus.cpp:
782         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
783         * bytecode/GetByIdVariant.cpp:
784         (JSC::GetByIdVariant::GetByIdVariant):
785         (JSC::GetByIdVariant::operator=):
786         (JSC::GetByIdVariant::attemptToMerge):
787         (JSC::GetByIdVariant::dumpInContext):
788         * bytecode/GetByIdVariant.h:
789         (JSC::GetByIdVariant::customAccessorGetter):
790         (JSC::GetByIdVariant::domAttribute):
791         (JSC::GetByIdVariant::domJIT): Deleted.
792         * bytecode/GetterSetterAccessCase.cpp:
793         (JSC::GetterSetterAccessCase::create):
794         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
795         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
796         * bytecode/GetterSetterAccessCase.h:
797         (JSC::GetterSetterAccessCase::domAttribute):
798         (JSC::GetterSetterAccessCase::customAccessor):
799         (JSC::GetterSetterAccessCase::domJIT): Deleted.
800         * bytecompiler/BytecodeGenerator.cpp:
801         (JSC::BytecodeGenerator::instantiateLexicalVariables):
802         * create_hash_table:
803         * dfg/DFGAbstractInterpreterInlines.h:
804         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
805         * dfg/DFGByteCodeParser.cpp:
806         (JSC::DFG::blessCallDOMGetter):
807         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
808         (JSC::DFG::ByteCodeParser::handleGetById):
809         * dfg/DFGClobberize.h:
810         (JSC::DFG::clobberize):
811         * dfg/DFGFixupPhase.cpp:
812         (JSC::DFG::FixupPhase::fixupNode):
813         * dfg/DFGNode.h:
814         * dfg/DFGSpeculativeJIT.cpp:
815         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
816         * dfg/DFGSpeculativeJIT.h:
817         (JSC::DFG::SpeculativeJIT::callCustomGetter):
818         * domjit/DOMJITGetterSetter.h:
819         (JSC::DOMJIT::GetterSetter::GetterSetter):
820         (JSC::DOMJIT::GetterSetter::getter):
821         (JSC::DOMJIT::GetterSetter::compiler):
822         (JSC::DOMJIT::GetterSetter::resultType):
823         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
824         (JSC::DOMJIT::GetterSetter::setter): Deleted.
825         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
826         * ftl/FTLLowerDFGToB3.cpp:
827         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
828         * jit/Repatch.cpp:
829         (JSC::tryCacheGetByID):
830         * jsc.cpp:
831         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
832         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
833         (WTF::DOMJITGetter::customGetter):
834         (WTF::DOMJITGetter::finishCreation):
835         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
836         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
837         (WTF::DOMJITGetterComplex::customGetter):
838         (WTF::DOMJITGetterComplex::finishCreation):
839         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
840         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
841         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
842         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
843         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
844         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
845         * runtime/CustomGetterSetter.h:
846         (JSC::CustomGetterSetter::create):
847         (JSC::CustomGetterSetter::setter):
848         (JSC::CustomGetterSetter::CustomGetterSetter):
849         (): Deleted.
850         * runtime/DOMAnnotation.h: Added.
851         (JSC::operator==):
852         (JSC::operator!=):
853         * runtime/DOMAttributeGetterSetter.cpp: Added.
854         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
855         (JSC::isDOMAttributeGetterSetter):
856         * runtime/Error.cpp:
857         (JSC::throwDOMAttributeGetterTypeError):
858         * runtime/Error.h:
859         (JSC::throwVMDOMAttributeGetterTypeError):
860         * runtime/JSCustomGetterSetterFunction.cpp:
861         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
862         * runtime/JSObject.cpp:
863         (JSC::JSObject::putInlineSlow):
864         (JSC::JSObject::deleteProperty):
865         (JSC::JSObject::getOwnStaticPropertySlot):
866         (JSC::JSObject::reifyAllStaticProperties):
867         (JSC::JSObject::fillGetterPropertySlot):
868         (JSC::JSObject::findPropertyHashEntry): Deleted.
869         * runtime/JSObject.h:
870         (JSC::JSObject::getOwnNonIndexPropertySlot):
871         (JSC::JSObject::fillCustomGetterPropertySlot):
872         * runtime/Lookup.cpp:
873         (JSC::setUpStaticFunctionSlot):
874         * runtime/Lookup.h:
875         (JSC::HashTableValue::domJIT):
876         (JSC::getStaticPropertySlotFromTable):
877         (JSC::putEntry):
878         (JSC::lookupPut):
879         (JSC::reifyStaticProperty):
880         (JSC::reifyStaticProperties):
881         Each static property table has a new field ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
882         this static property table require.
883
884         * runtime/ProgramExecutable.cpp:
885         (JSC::ProgramExecutable::initializeGlobalProperties):
886         * runtime/PropertyName.h:
887         * runtime/PropertySlot.cpp:
888         (JSC::PropertySlot::customGetter):
889         (JSC::PropertySlot::customAccessorGetter):
890         * runtime/PropertySlot.h:
891         (JSC::PropertySlot::domAttribute):
892         (JSC::PropertySlot::setCustom):
893         (JSC::PropertySlot::setCacheableCustom):
894         (JSC::PropertySlot::getValue):
895         (JSC::PropertySlot::domJIT): Deleted.
896         * runtime/VM.cpp:
897         (JSC::VM::VM):
898         * runtime/VM.h:
899
900 2017-07-26  Devin Rousso  <drousso@apple.com>
901
902         Web Inspector: create protocol for recording Canvas contexts
903         https://bugs.webkit.org/show_bug.cgi?id=174481
904
905         Reviewed by Joseph Pecoraro.
906
907         * inspector/protocol/Canvas.json:
908          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
909          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
910          - Add `recordingFinished` event that is fired once a recording is finished.
911
912         * CMakeLists.txt:
913         * DerivedSources.make:
914         * inspector/protocol/Recording.json: Added.
915          - Add `Type` enum that lists the types of recordings.
916          - Add `InitialState` type that contains information about the canvas context at the
917            beginning of the recording.
918          - Add `Frame` type that holds a list of actions that were recorded.
919          - Add `Recording` type as the container object of recording data.
920
921         * inspector/scripts/codegen/generate_js_backend_commands.py:
922         (JSBackendCommandsGenerator.generate_domain):
923         Create an agent for domains with no events or commands.
924
925         * inspector/InspectorValues.h:
926         Make Array `get` public so that values can be retrieved if needed.
927
928 2017-07-26  Brian Burg  <bburg@apple.com>
929
930         Remove WEB_TIMING feature flag
931         https://bugs.webkit.org/show_bug.cgi?id=174795
932
933         Reviewed by Alex Christensen.
934
935         * Configurations/FeatureDefines.xcconfig:
936
937 2017-07-26  Mark Lam  <mark.lam@apple.com>
938
939         Add the ability to change sp and pc to the ARM64 JIT probe.
940         https://bugs.webkit.org/show_bug.cgi?id=174697
941         <rdar://problem/33436965>
942
943         Reviewed by JF Bastien.
944
945         This patch implements the following:
946
947         1. The ARM64 probe now supports modifying the pc and sp.
948
949            However, lr is not preserved when modifying the pc because it is used as the
950            scratch register for the indirect jump. Hence, the probe handler function
951            may not modify both lr and pc in the same probe invocation.
952
953         2. Fix probe tests to use bitwise comparison when comparing double register
954            values. Otherwise, equivalent NaN values will be interpreted as not equivalent.
955
956         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
957            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
958            instructions which require 16 byte alignment for their memory access.
959
960         * assembler/MacroAssemblerARM64.cpp:
961         (JSC::arm64ProbeError):
962         (JSC::MacroAssembler::probe):
963         (JSC::arm64ProbeTrampoline): Deleted.
964         * assembler/testmasm.cpp:
965         (JSC::isSpecialGPR):
966         (JSC::testProbeReadsArgumentRegisters):
967         (JSC::testProbeWritesArgumentRegisters):
968         (JSC::testProbePreservesGPRS):
969         (JSC::testProbeModifiesStackPointer):
970         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
971         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
972
973 2017-07-25  JF Bastien  <jfbastien@apple.com>
974
975         WebAssembly: generate smaller binaries
976         https://bugs.webkit.org/show_bug.cgi?id=174818
977
978         Reviewed by Filip Pizlo.
979
980         This patch reduces generated code size for WebAssembly in 2 ways:
981
982         1. Use the ZR register when storing zero on ARM64.
983         2. Synthesize wasm context lazily.
984
985         This leads to a modest size reduction on both x86-64 and ARM64 for
986         large WebAssembly games, without any performance loss on WasmBench
987         and TitzerBench.
988
989         The reason this works is that these games, using Emscripten,
990         generate 100k+ tiny functions, and our JIT allocation granule
991         rounds all allocations up to 32 bytes. There are plenty of other
992         simple gains to be had; I've filed a follow-up bug at
993         webkit.org/b/174819.
994
995         We should further avoid the per-function cost of tiering, which
996         represents the bulk of code generated for small functions.
997
998         * assembler/MacroAssemblerARM64.h:
999         (JSC::MacroAssemblerARM64::storeZero64):
1000         * assembler/MacroAssemblerX86_64.h:
1001         (JSC::MacroAssemblerX86_64::storeZero64):
1002         * b3/B3LowerToAir.cpp:
1003         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1004         for x86 because it constrains register reuse and codegen in a way
1005         that doesn't affect ARM64 because it has a dedicated zero
1006         register.
1007         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1008         * wasm/WasmB3IRGenerator.cpp:
1009         (JSC::Wasm::B3IRGenerator::instanceValue):
1010         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1011         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1012         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1013
1014 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1015
1016         B3 should do LICM
1017         https://bugs.webkit.org/show_bug.cgi?id=174750
1018
1019         Reviewed by Keith Miller and Saam Barati.
1020         
1021         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1022         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1023         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1024         change templatizes DFG::NaturalLoops so that we can just use it.
1025         
1026         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1027         the relationship between control dependence and side exits.
1028         
1029         Also added a bunch of tests.
1030         
1031         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1032         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1033         so it doesn't hurt to have it.
1034         
1035         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1036         handle the problem I had, so I ended up not needed it - but by then I had already written it. I think
1037         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1038         eventually.
1039
1040         * CMakeLists.txt:
1041         * JavaScriptCore.xcodeproj/project.pbxproj:
1042         * b3/B3BackwardsCFG.h: Added.
1043         (JSC::B3::BackwardsCFG::BackwardsCFG):
1044         * b3/B3BackwardsDominators.h: Added.
1045         (JSC::B3::BackwardsDominators::BackwardsDominators):
1046         * b3/B3BasicBlock.cpp:
1047         (JSC::B3::BasicBlock::appendNonTerminal):
1048         * b3/B3Effects.h:
1049         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1050         (JSC::B3::ensureLoopPreHeaders):
1051         * b3/B3EnsureLoopPreHeaders.h: Added.
1052         * b3/B3Generate.cpp:
1053         (JSC::B3::generateToAir):
1054         * b3/B3HoistLoopInvariantValues.cpp: Added.
1055         (JSC::B3::hoistLoopInvariantValues):
1056         * b3/B3HoistLoopInvariantValues.h: Added.
1057         * b3/B3NaturalLoops.h: Added.
1058         (JSC::B3::NaturalLoops::NaturalLoops):
1059         * b3/B3Procedure.cpp:
1060         (JSC::B3::Procedure::invalidateCFG):
1061         (JSC::B3::Procedure::naturalLoops):
1062         (JSC::B3::Procedure::backwardsCFG):
1063         (JSC::B3::Procedure::backwardsDominators):
1064         * b3/B3Procedure.h:
1065         * b3/testb3.cpp:
1066         (JSC::B3::generateLoop):
1067         (JSC::B3::makeArrayForLoops):
1068         (JSC::B3::generateLoopNotBackwardsDominant):
1069         (JSC::B3::oneFunction):
1070         (JSC::B3::noOpFunction):
1071         (JSC::B3::testLICMPure):
1072         (JSC::B3::testLICMPureSideExits):
1073         (JSC::B3::testLICMPureWritesPinned):
1074         (JSC::B3::testLICMPureWrites):
1075         (JSC::B3::testLICMReadsLocalState):
1076         (JSC::B3::testLICMReadsPinned):
1077         (JSC::B3::testLICMReads):
1078         (JSC::B3::testLICMPureNotBackwardsDominant):
1079         (JSC::B3::testLICMPureFoiledByChild):
1080         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1081         (JSC::B3::testLICMExitsSideways):
1082         (JSC::B3::testLICMWritesLocalState):
1083         (JSC::B3::testLICMWrites):
1084         (JSC::B3::testLICMFence):
1085         (JSC::B3::testLICMWritesPinned):
1086         (JSC::B3::testLICMControlDependent):
1087         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1088         (JSC::B3::testLICMControlDependentSideExits):
1089         (JSC::B3::testLICMReadsPinnedWritesPinned):
1090         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1091         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1092         (JSC::B3::testLICMDefaultCall):
1093         (JSC::B3::run):
1094         * dfg/DFGBasicBlock.h:
1095         * dfg/DFGCFG.h:
1096         * dfg/DFGNaturalLoops.cpp: Removed.
1097         * dfg/DFGNaturalLoops.h:
1098         (JSC::DFG::NaturalLoops::NaturalLoops):
1099         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1100         (JSC::DFG::NaturalLoop::header): Deleted.
1101         (JSC::DFG::NaturalLoop::size): Deleted.
1102         (JSC::DFG::NaturalLoop::at): Deleted.
1103         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1104         (JSC::DFG::NaturalLoop::contains): Deleted.
1105         (JSC::DFG::NaturalLoop::index): Deleted.
1106         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1107         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1108         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1109         (JSC::DFG::NaturalLoops::loop): Deleted.
1110         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1111         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1112         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1113         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1114         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1115
1116 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1117
1118         GC should be fine with trading blocks between destructor and non-destructor blocks
1119         https://bugs.webkit.org/show_bug.cgi?id=174811
1120
1121         Reviewed by Mark Lam.
1122         
1123         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1124         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1125         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1126         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1127         set.
1128         
1129         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1130         is empty if:
1131         
1132         A) It has no live objects and it's a non-destructor block, or
1133         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1134         C) We just stole it from another allocator (so it also has no destructors), or
1135         D) We just swept the block and ran all destructors.
1136         
1137         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1138         block that could be stolen.
1139
1140         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1141         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1142         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1143         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1144         
1145         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1146         
1147         If we tried to enable trading of blocks between allocators without making any changes to how
1148         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1149         live objects in order for those bits to be candidates for trading. But if we do that, then our
1150         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1151         our destructors won't run and we'll leak memory.
1152         
1153         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1154         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1155         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1156         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1157         are (empty & ~destructible).
1158         
1159         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1160         remove destructor-oriented special-casing of block trading.
1161
1162         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1163         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1164         pathological cases.
1165         
1166         * heap/MarkedAllocator.cpp:
1167         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1168         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1169         (JSC::MarkedAllocator::endMarking):
1170         (JSC::MarkedAllocator::shrink):
1171         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1172         * heap/MarkedAllocator.h:
1173         * heap/MarkedBlock.cpp:
1174         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1175         (JSC::MarkedBlock::Handle::sweep):
1176         * heap/MarkedBlockInlines.h:
1177         (JSC::MarkedBlock::Handle::specializedSweep):
1178         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1179         (JSC::MarkedBlock::Handle::emptyMode):
1180
1181 2017-07-25  Keith Miller  <keith_miller@apple.com>
1182
1183         Remove Broken CompareEq constant folding phase.
1184         https://bugs.webkit.org/show_bug.cgi?id=174846
1185         <rdar://problem/32978808>
1186
1187         Reviewed by Saam Barati.
1188
1189         This bug happened when we would get code like the following:
1190
1191         a: JSConst(Undefined)
1192         b: GetLocal(SomeObjectOrUndefined)
1193         ...
1194         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1195
1196         constant folding will turn this into:
1197
1198         a: JSConst(Undefined)
1199         b: GetLocal(SomeObjectOrUndefined)
1200         ...
1201         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1202
1203         But the SpeculativeJIT/FTL lowering will fail to check b
1204         properly which leads to an assertion failure in the AI.
1205
1206         I'll follow up with a more robust fix later. For now, I'll remove the
1207         case that generates the code. Removing the code appears to be perf
1208         neutral.
1209
1210         * dfg/DFGConstantFoldingPhase.cpp:
1211         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1212
1213 2017-07-25  Matt Baker  <mattbaker@apple.com>
1214
1215         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1216         https://bugs.webkit.org/show_bug.cgi?id=174738
1217
1218         Reviewed by Brian Burg.
1219
1220         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1221         stack traces. This preserves the call type in JSC, makes the range of
1222         possible call types explicit, and is safer than passing ints.
1223
1224         * inspector/agents/InspectorDebuggerAgent.cpp:
1225         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1226         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1227         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1228         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1229         * inspector/agents/InspectorDebuggerAgent.h:
1230
1231 2017-07-25  Mark Lam  <mark.lam@apple.com>
1232
1233         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1234         https://bugs.webkit.org/show_bug.cgi?id=174809
1235         <rdar://problem/33504759>
1236
1237         Reviewed by Filip Pizlo.
1238
1239         1. When the probe handler function changes the sp register to point to the
1240            region of stack in the middle of the ProbeContext on the stack, there is a
1241            bug where the ProbeContext's register values to be restored can be over-written
1242            before they can be restored.  This is now fixed.
1243
1244         2. Added more robust probe tests for changing the sp register.
1245
1246         3. Made existing probe tests ensure that probe handlers were actually called.
1247
1248         4. Added some verification to testProbePreservesGPRS().
1249
1250         5. Change all the probe tests to fail early on discovering an error instead of
1251            batching till the end of the test.  This helps point a finger to the failing
1252            issue earlier.
1253
1254         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1255         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1256
1257         * assembler/MacroAssemblerARM.cpp:
1258         * assembler/MacroAssemblerARMv7.cpp:
1259         * assembler/MacroAssemblerX86Common.cpp:
1260         * assembler/testmasm.cpp:
1261         (JSC::testProbeReadsArgumentRegisters):
1262         (JSC::testProbeWritesArgumentRegisters):
1263         (JSC::testProbePreservesGPRS):
1264         (JSC::testProbeModifiesStackPointer):
1265         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1266         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1267         (JSC::testProbeModifiesProgramCounter):
1268         (JSC::run):
1269
1270 2017-07-25  Brian Burg  <bburg@apple.com>
1271
1272         Web Automation: add support for uploading files
1273         https://bugs.webkit.org/show_bug.cgi?id=174797
1274         <rdar://problem/28485063>
1275
1276         Reviewed by Joseph Pecoraro.
1277
1278         * inspector/scripts/generate-inspector-protocol-bindings.py:
1279         (generate_from_specification):
1280         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1281
1282         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1283         (CppFrontendDispatcherImplementationGenerator.generate_output):
1284         Use a framework include for InspectorFrontendRouter.h since this generated code
1285         will be compiled outside of WebCore.framework.
1286
1287         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1288         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1289         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1290         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1291         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1292         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1293         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1294         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1295         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1296         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1297         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1298         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1299         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1300         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1301         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1302         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1303         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1304         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1305         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1306         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1307         Rebaseline code generator tests.
1308
1309 2017-07-24  Mark Lam  <mark.lam@apple.com>
1310
1311         Gardening: fixed C Loop build after r219790.
1312         https://bugs.webkit.org/show_bug.cgi?id=174696
1313
1314         Not reviewed.
1315
1316         * assembler/testmasm.cpp:
1317
1318 2017-07-23  Mark Lam  <mark.lam@apple.com>
1319
1320         Create regression tests for the JIT probe.
1321         https://bugs.webkit.org/show_bug.cgi?id=174696
1322         <rdar://problem/33436922>
1323
1324         Reviewed by Saam Barati.
1325
1326         The new testmasm will test the following:
1327         1. the probe is able to read the value of CPU registers.
1328         2. the probe is able to write the value of CPU registers.
1329         3. the probe is able to preserve all CPU registers.
1330         4. special case of (2): the probe is able to change the value of the stack pointer.
1331         5. special case of (2): the probe is able to change the value of the program counter
1332            i.e. the probe can change where the code continues executing upon returning from
1333            the probe.
1334
1335         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
1336         because it does not support changing the sp and pc yet.  The ARM64 probe
1337         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
1338         later.
1339
1340         * Configurations/ToolExecutable.xcconfig:
1341         * JavaScriptCore.xcodeproj/project.pbxproj:
1342         * assembler/MacroAssembler.h:
1343         (JSC::MacroAssembler::CPUState::pc):
1344         (JSC::MacroAssembler::CPUState::fp):
1345         (JSC::MacroAssembler::CPUState::sp):
1346         (JSC::ProbeContext::pc):
1347         (JSC::ProbeContext::fp):
1348         (JSC::ProbeContext::sp):
1349         * assembler/MacroAssemblerARM64.cpp:
1350         (JSC::arm64ProbeTrampoline):
1351         * assembler/MacroAssemblerPrinter.cpp:
1352         (JSC::Printer::printPCRegister):
1353         * assembler/testmasm.cpp: Added.
1354         (hiddenTruthBecauseNoReturnIsStupid):
1355         (usage):
1356         (JSC::nextID):
1357         (JSC::isPC):
1358         (JSC::isSP):
1359         (JSC::isFP):
1360         (JSC::compile):
1361         (JSC::invoke):
1362         (JSC::compileAndRun):
1363         (JSC::testSimple):
1364         (JSC::testProbeReadsArgumentRegisters):
1365         (JSC::testProbeWritesArgumentRegisters):
1366         (JSC::testFunctionToTrashRegisters):
1367         (JSC::testProbePreservesGPRS):
1368         (JSC::testProbeModifiesStackPointer):
1369         (JSC::testProbeModifiesProgramCounter):
1370         (JSC::run):
1371         (run):
1372         (main):
1373         * b3/air/testair.cpp:
1374         (usage):
1375         * shell/CMakeLists.txt:
1376
1377 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
1378
1379         It should be easy to decide how WebKit yields
1380         https://bugs.webkit.org/show_bug.cgi?id=174298
1381
1382         Reviewed by Saam Barati.
1383         
1384         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
1385
1386         * heap/Heap.cpp:
1387         (JSC::Heap::resumeThePeriphery):
1388         * heap/VisitingTimeout.h:
1389         * runtime/JSCell.cpp:
1390         (JSC::JSCell::lockSlow):
1391         (JSC::JSCell::unlockSlow):
1392         * runtime/JSCell.h:
1393         * runtime/JSCellInlines.h:
1394         (JSC::JSCell::lock):
1395         (JSC::JSCell::unlock):
1396         * runtime/JSLock.cpp:
1397         (JSC::JSLock::grabAllLocks):
1398         * runtime/SamplingProfiler.cpp:
1399
1400 2017-07-21  Mark Lam  <mark.lam@apple.com>
1401
1402         Refactor MASM probe CPUState to use arrays for register storage.
1403         https://bugs.webkit.org/show_bug.cgi?id=174694
1404
1405         Reviewed by Keith Miller.
1406
1407         Using arrays for register storage in CPUState allows us to do away with the
1408         huge switch statements to decode each register id.  We can now simply index into
1409         the arrays.
1410
1411         With this patch, we now:
1412
1413         1. Remove the need for macros for defining the list of CPU registers.
1414            We can go back to simple enums.  This makes the code easier to read.
1415
1416         2. Make the assembler the authority on register names.
1417            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
1418            GPRInfo and FPRInfo now forward to the assembler.
1419
1420         3. Make the assembler the authority on the number of registers of each type.
1421
1422         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
1423            This is inconsistent with how every other CPU architecture implements
1424            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
1425            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
1426
1427         * assembler/ARM64Assembler.h:
1428         (JSC::ARM64Assembler::numberOfRegisters):
1429         (JSC::ARM64Assembler::firstSPRegister):
1430         (JSC::ARM64Assembler::lastSPRegister):
1431         (JSC::ARM64Assembler::numberOfSPRegisters):
1432         (JSC::ARM64Assembler::numberOfFPRegisters):
1433         (JSC::ARM64Assembler::gprName):
1434         (JSC::ARM64Assembler::sprName):
1435         (JSC::ARM64Assembler::fprName):
1436         * assembler/ARMAssembler.h:
1437         (JSC::ARMAssembler::numberOfRegisters):
1438         (JSC::ARMAssembler::firstSPRegister):
1439         (JSC::ARMAssembler::lastSPRegister):
1440         (JSC::ARMAssembler::numberOfSPRegisters):
1441         (JSC::ARMAssembler::numberOfFPRegisters):
1442         (JSC::ARMAssembler::gprName):
1443         (JSC::ARMAssembler::sprName):
1444         (JSC::ARMAssembler::fprName):
1445         * assembler/ARMv7Assembler.h:
1446         (JSC::ARMv7Assembler::lastRegister):
1447         (JSC::ARMv7Assembler::numberOfRegisters):
1448         (JSC::ARMv7Assembler::firstSPRegister):
1449         (JSC::ARMv7Assembler::lastSPRegister):
1450         (JSC::ARMv7Assembler::numberOfSPRegisters):
1451         (JSC::ARMv7Assembler::numberOfFPRegisters):
1452         (JSC::ARMv7Assembler::gprName):
1453         (JSC::ARMv7Assembler::sprName):
1454         (JSC::ARMv7Assembler::fprName):
1455         * assembler/AbstractMacroAssembler.h:
1456         (JSC::AbstractMacroAssembler::numberOfRegisters):
1457         (JSC::AbstractMacroAssembler::gprName):
1458         (JSC::AbstractMacroAssembler::firstSPRegister):
1459         (JSC::AbstractMacroAssembler::lastSPRegister):
1460         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
1461         (JSC::AbstractMacroAssembler::sprName):
1462         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
1463         (JSC::AbstractMacroAssembler::fprName):
1464         * assembler/MIPSAssembler.h:
1465         (JSC::MIPSAssembler::numberOfRegisters):
1466         (JSC::MIPSAssembler::firstSPRegister):
1467         (JSC::MIPSAssembler::lastSPRegister):
1468         (JSC::MIPSAssembler::numberOfSPRegisters):
1469         (JSC::MIPSAssembler::numberOfFPRegisters):
1470         (JSC::MIPSAssembler::gprName):
1471         (JSC::MIPSAssembler::sprName):
1472         (JSC::MIPSAssembler::fprName):
1473         * assembler/MacroAssembler.h:
1474         (JSC::MacroAssembler::CPUState::gprName):
1475         (JSC::MacroAssembler::CPUState::sprName):
1476         (JSC::MacroAssembler::CPUState::fprName):
1477         (JSC::MacroAssembler::CPUState::gpr):
1478         (JSC::MacroAssembler::CPUState::spr):
1479         (JSC::MacroAssembler::CPUState::fpr):
1480         (JSC::MacroAssembler::CPUState::pc):
1481         (JSC::MacroAssembler::CPUState::fp):
1482         (JSC::MacroAssembler::CPUState::sp):
1483         (JSC::ProbeContext::gpr):
1484         (JSC::ProbeContext::spr):
1485         (JSC::ProbeContext::fpr):
1486         (JSC::ProbeContext::gprName):
1487         (JSC::ProbeContext::sprName):
1488         (JSC::ProbeContext::fprName):
1489         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1490         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1491         * assembler/MacroAssemblerARM.cpp:
1492         * assembler/MacroAssemblerARM64.cpp:
1493         (JSC::arm64ProbeTrampoline):
1494         * assembler/MacroAssemblerARMv7.cpp:
1495         * assembler/MacroAssemblerPrinter.cpp:
1496         (JSC::Printer::nextID):
1497         (JSC::Printer::printAllRegisters):
1498         (JSC::Printer::printPCRegister):
1499         (JSC::Printer::printRegisterID):
1500         (JSC::Printer::printAddress):
1501         * assembler/MacroAssemblerX86Common.cpp:
1502         * assembler/X86Assembler.h:
1503         (JSC::X86Assembler::numberOfRegisters):
1504         (JSC::X86Assembler::firstSPRegister):
1505         (JSC::X86Assembler::lastSPRegister):
1506         (JSC::X86Assembler::numberOfSPRegisters):
1507         (JSC::X86Assembler::numberOfFPRegisters):
1508         (JSC::X86Assembler::gprName):
1509         (JSC::X86Assembler::sprName):
1510         (JSC::X86Assembler::fprName):
1511         * jit/FPRInfo.h:
1512         (JSC::FPRInfo::debugName):
1513         * jit/GPRInfo.h:
1514         (JSC::GPRInfo::debugName):
1515         * jit/RegisterSet.cpp:
1516         (JSC::RegisterSet::reservedHardwareRegisters):
1517
1518 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1519
1520         [JSC] Introduce static symbols
1521         https://bugs.webkit.org/show_bug.cgi?id=158863
1522
1523         Reviewed by Darin Adler.
1524
1525         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1526         As a result, we can share the same Symbol values between VMs and threads.
1527         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1528
1529         * CMakeLists.txt:
1530         * JavaScriptCore.xcodeproj/project.pbxproj:
1531         * builtins/BuiltinNames.cpp: Added.
1532         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1533
1534         * builtins/BuiltinNames.h:
1535         (JSC::BuiltinNames::BuiltinNames):
1536         * builtins/BuiltinUtils.h:
1537
1538 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1539
1540         [FTL] Arguments elimination is suppressed by unreachable blocks
1541         https://bugs.webkit.org/show_bug.cgi?id=174352
1542
1543         Reviewed by Filip Pizlo.
1544
1545         If we do not execute `op_get_by_id`, our value profiling tells us it is unpredictable and DFG emits ForceOSRExit.
1546         The problem is that the arguments elimination phase checks escaping even when ForceOSRExit precedes.
1547         Since GetById without information can escape arguments if it is specified, non-executed code including
1548         op_get_by_id with arguments can escape arguments.
1549
1550         For example,
1551
1552             function test(flag)
1553             {
1554                 if (flag) {
1555                     // This is not executed, but emits GetById with arguments.
1556                     // It prevents us from eliminating materialization.
1557                     return arguments.length;
1558                 }
1559                 return arguments.length;
1560             }
1561             noInline(test);
1562             while (true)
1563                 test(false);
1564
1565         We do not perform CFA and dead-node clipping yet when performing the arguments elimination phase.
1566         So this GetById exists and escapes arguments.
1567
1568         To solve this problem, our arguments elimination phase checks for preceding pseudo-terminal nodes.
1569         If one is found, the following GetById does not escape arguments. Compared to performing AI, it is
1570         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
1571
1572         * dfg/DFGArgumentsEliminationPhase.cpp:
1573         * dfg/DFGNode.h:
1574         (JSC::DFG::Node::isPseudoTerminal):
1575         * dfg/DFGValidate.cpp:
1576
1577 2017-07-20  Chris Dumez  <cdumez@apple.com>
1578
1579         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
1580         https://bugs.webkit.org/show_bug.cgi?id=174660
1581
1582         Reviewed by Geoffrey Garen.
1583
1584         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
1585         This essentially replaces a branch to figure out if the new size is less or greater than the
1586         current size with an assertion.
1587
1588         * b3/B3BasicBlockUtils.h:
1589         (JSC::B3::clearPredecessors):
1590         * b3/B3InferSwitches.cpp:
1591         * b3/B3LowerToAir.cpp:
1592         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1593         * b3/B3ReduceStrength.cpp:
1594         * b3/B3SparseCollection.h:
1595         (JSC::B3::SparseCollection::packIndices):
1596         * b3/B3UseCounts.cpp:
1597         (JSC::B3::UseCounts::UseCounts):
1598         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1599         * b3/air/AirEmitShuffle.cpp:
1600         (JSC::B3::Air::emitShuffle):
1601         * b3/air/AirLowerAfterRegAlloc.cpp:
1602         (JSC::B3::Air::lowerAfterRegAlloc):
1603         * b3/air/AirOptimizeBlockOrder.cpp:
1604         (JSC::B3::Air::optimizeBlockOrder):
1605         * bytecode/Operands.h:
1606         (JSC::Operands::ensureLocals):
1607         * bytecode/PreciseJumpTargets.cpp:
1608         (JSC::computePreciseJumpTargetsInternal):
1609         * dfg/DFGBlockInsertionSet.cpp:
1610         (JSC::DFG::BlockInsertionSet::execute):
1611         * dfg/DFGBlockMapInlines.h:
1612         (JSC::DFG::BlockMap<T>::BlockMap):
1613         * dfg/DFGByteCodeParser.cpp:
1614         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1615         (JSC::DFG::ByteCodeParser::clearCaches):
1616         * dfg/DFGDisassembler.cpp:
1617         (JSC::DFG::Disassembler::Disassembler):
1618         * dfg/DFGFlowIndexing.cpp:
1619         (JSC::DFG::FlowIndexing::recompute):
1620         * dfg/DFGGraph.cpp:
1621         (JSC::DFG::Graph::registerFrozenValues):
1622         * dfg/DFGInPlaceAbstractState.cpp:
1623         (JSC::DFG::setLiveValues):
1624         * dfg/DFGLICMPhase.cpp:
1625         (JSC::DFG::LICMPhase::run):
1626         * dfg/DFGLivenessAnalysisPhase.cpp:
1627         * dfg/DFGNaturalLoops.cpp:
1628         (JSC::DFG::NaturalLoops::NaturalLoops):
1629         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1630         * ftl/FTLLowerDFGToB3.cpp:
1631         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1632         * heap/CodeBlockSet.cpp:
1633         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1634         * heap/MarkedSpace.cpp:
1635         (JSC::MarkedSpace::sweepLargeAllocations):
1636         * inspector/ContentSearchUtilities.cpp:
1637         (Inspector::ContentSearchUtilities::findMagicComment):
1638         * interpreter/ShadowChicken.cpp:
1639         (JSC::ShadowChicken::update):
1640         * parser/ASTBuilder.h:
1641         (JSC::ASTBuilder::shrinkOperandStackBy):
1642         * parser/Lexer.h:
1643         (JSC::Lexer::setOffset):
1644         * runtime/RegExpInlines.h:
1645         (JSC::RegExp::matchInline):
1646         * runtime/RegExpPrototype.cpp:
1647         (JSC::genericSplit):
1648         * yarr/RegularExpression.cpp:
1649         (JSC::Yarr::RegularExpression::match):
1650
1651 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1652
1653         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
1654         https://bugs.webkit.org/show_bug.cgi?id=174678
1655
1656         Reviewed by Mark Lam.
1657
1658         Use Thread& instead.
1659
1660         * runtime/JSLock.cpp:
1661         (JSC::JSLock::didAcquireLock):
1662
1663 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1664
1665         [WTF] Implement WTF::ThreadGroup
1666         https://bugs.webkit.org/show_bug.cgi?id=174081
1667
1668         Reviewed by Mark Lam.
1669
1670         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1671         And SamplingProfiler and others interact with WTF::Thread directly.
1672
1673         * API/tests/ExecutionTimeLimitTest.cpp:
1674         * heap/MachineStackMarker.cpp:
1675         (JSC::MachineThreads::MachineThreads):
1676         (JSC::captureStack):
1677         (JSC::MachineThreads::tryCopyOtherThreadStack):
1678         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1679         (JSC::MachineThreads::gatherConservativeRoots):
1680         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1681         (JSC::ActiveMachineThreadsManager::add): Deleted.
1682         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1683         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1684         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1685         (JSC::activeMachineThreadsManager): Deleted.
1686         (JSC::MachineThreads::~MachineThreads): Deleted.
1687         (JSC::MachineThreads::addCurrentThread): Deleted.
1688         (): Deleted.
1689         (JSC::MachineThreads::removeThread): Deleted.
1690         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1691         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1692         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1693         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1694         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1695         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1696         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1697         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1698         * heap/MachineStackMarker.h:
1699         (JSC::MachineThreads::addCurrentThread):
1700         (JSC::MachineThreads::getLock):
1701         (JSC::MachineThreads::threads):
1702         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1703         (JSC::MachineThreads::MachineThread::resume): Deleted.
1704         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1705         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1706         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1707         (JSC::MachineThreads::threadsListHead): Deleted.
1708         * runtime/SamplingProfiler.cpp:
1709         (JSC::FrameWalker::isValidFramePointer):
1710         (JSC::SamplingProfiler::SamplingProfiler):
1711         (JSC::SamplingProfiler::takeSample):
1712         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1713         * runtime/SamplingProfiler.h:
1714         * wasm/WasmMachineThreads.cpp:
1715         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1716
1717 2017-07-18  Andy Estes  <aestes@apple.com>
1718
1719         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
1720         https://bugs.webkit.org/show_bug.cgi?id=174631
1721
1722         Reviewed by Tim Horton.
1723
1724         * Configurations/Base.xcconfig:
1725         * b3/B3FoldPathConstants.cpp:
1726         * b3/B3LowerMacros.cpp:
1727         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1728         * dfg/DFGByteCodeParser.cpp:
1729         (JSC::DFG::ByteCodeParser::check):
1730         (JSC::DFG::ByteCodeParser::planLoad):
1731
1732 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1733
1734         WTF::Thread should have the threads stack bounds.
1735         https://bugs.webkit.org/show_bug.cgi?id=173975
1736
1737         Reviewed by Mark Lam.
1738
1739         There is a site in JSC that tries to walk another thread's stack.
1740         Currently, stack bounds are stored in WTFThreadData which is located
1741         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1742         We work around this situation by holding StackBounds in MachineThread in JSC,
1743         but StackBounds should be put in WTF::Thread instead.
1744
1745         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
1746         coupled with Thread. Thus putting it in WTF::Thread is the natural choice.
1747
1748         * heap/MachineStackMarker.cpp:
1749         (JSC::MachineThreads::MachineThread::MachineThread):
1750         (JSC::MachineThreads::MachineThread::captureStack):
1751         * heap/MachineStackMarker.h:
1752         (JSC::MachineThreads::MachineThread::stackBase):
1753         (JSC::MachineThreads::MachineThread::stackEnd):
1754         * runtime/VMTraps.cpp:
1755
1756 2017-07-18  Andy Estes  <aestes@apple.com>
1757
1758         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
1759         https://bugs.webkit.org/show_bug.cgi?id=174631
1760
1761         Reviewed by Sam Weinig.
1762
1763         * Configurations/Base.xcconfig:
1764
1765 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
1766
1767         Web Inspector: Modernize InjectedScriptSource
1768         https://bugs.webkit.org/show_bug.cgi?id=173890
1769
1770         Reviewed by Brian Burg.
1771
1772         * inspector/InjectedScript.h:
1773         Reorder functions to be slightly better.
1774
1775         * inspector/InjectedScriptSource.js:
1776         - Convert to classes named InjectedScript and RemoteObject
1777         - Align InjectedScript's API with the wrapper C++ interfaces
1778         - Move some code to RemoteObject where appropriate (subtype, describe)
1779         - Move some code to helper functions (isPrimitiveValue, isDefined)
1780         - Refactor for readability and modern features
1781         - Remove some unused / unnecessary code
1782
1783 2017-07-18  Mark Lam  <mark.lam@apple.com>
1784
1785         Butterfly storage need not be initialized for indexing type Undecided.
1786         https://bugs.webkit.org/show_bug.cgi?id=174516
1787
1788         Reviewed by Saam Barati.
1789
1790         While it's not incorrect to initialize the butterfly storage when the
1791         indexingType is Undecided, it is inefficient as we'll end up initializing
1792         it again later when we convert the storage to a different indexingType.
1793         Some of our code already skips initializing Undecided butterflies.
1794         This patch makes it the consistent behavior everywhere.
1795
1796         * dfg/DFGSpeculativeJIT.cpp:
1797         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1798         * runtime/JSArray.cpp:
1799         (JSC::JSArray::tryCreateUninitializedRestricted):
1800         * runtime/JSArray.h:
1801         (JSC::JSArray::tryCreate):
1802         * runtime/JSObject.cpp:
1803         (JSC::JSObject::ensureLengthSlow):
1804
1805 2017-07-18  Saam Barati  <sbarati@apple.com>
1806
1807         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
1808         https://bugs.webkit.org/show_bug.cgi?id=174515
1809         <rdar://problem/33358092>
1810
1811         Reviewed by Filip Pizlo.
1812
1813         AirLowerAfterRegAlloc was computing the set of available scratch
1814         registers incorrectly. It was always excluding callee save registers
1815         from the set of live registers. It did not guarantee that live callee save
1816         registers were not in the set of scratch registers that could
1817         get clobbered. That's incorrect as the shuffling code is free
1818         to overwrite whatever is in the scratch register it gets passed.
1819
1820         * b3/air/AirLowerAfterRegAlloc.cpp:
1821         (JSC::B3::Air::lowerAfterRegAlloc):
1822         * b3/testb3.cpp:
1823         (JSC::B3::functionNineArgs):
1824         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
1825         (JSC::B3::run):
1826         * jit/RegisterSet.h:
1827
1828 2017-07-18  Andy Estes  <aestes@apple.com>
1829
1830         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
1831         https://bugs.webkit.org/show_bug.cgi?id=174631
1832
1833         Reviewed by Dan Bernstein.
1834
1835         * Configurations/Base.xcconfig:
1836
1837 2017-07-18  Devin Rousso  <drousso@apple.com>
1838
1839         Web Inspector: Add memoryCost to Inspector Protocol objects
1840         https://bugs.webkit.org/show_bug.cgi?id=174478
1841
1842         Reviewed by Joseph Pecoraro.
1843
1844         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
1845         plus the memoryCost of the data if it is a string.
1846
1847         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
1848
1849         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
1850         key plus the memoryCost of the InspectorValue for each entry.
1851
1852         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
1853
1854         * inspector/InspectorValues.h:
1855         * inspector/InspectorValues.cpp:
1856         (Inspector::InspectorValue::memoryCost):
1857         (Inspector::InspectorObjectBase::memoryCost):
1858         (Inspector::InspectorArrayBase::memoryCost):
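
        The memoryCost rules described in the entry above, carried through on a constructed
        value tree as an added example. This is not WebKit's InspectorValue code: the `Value`
        type, its `make*` helpers and `sampleObjectCost()` are hypothetical stand-ins written
        only to show the recursion (scalars cost sizeof the object plus string data, arrays
        sum their items, objects sum key cost plus value cost for each entry).

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical, reduced stand-in for InspectorValue used only for this illustration.
struct Value {
    enum class Kind { Null, Boolean, Number, String, Array, Object };

    Kind kind = Kind::Null;
    std::string string;                                                  // payload when kind == String
    std::vector<std::unique_ptr<Value>> items;                           // payload when kind == Array
    std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries; // payload when kind == Object

    static std::unique_ptr<Value> makeNumber()
    {
        auto v = std::make_unique<Value>();
        v->kind = Kind::Number;
        return v;
    }
    static std::unique_ptr<Value> makeString(std::string s)
    {
        auto v = std::make_unique<Value>();
        v->kind = Kind::String;
        v->string = std::move(s);
        return v;
    }
    static std::unique_ptr<Value> makeArray(std::vector<std::unique_ptr<Value>> items)
    {
        auto v = std::make_unique<Value>();
        v->kind = Kind::Array;
        v->items = std::move(items);
        return v;
    }
    static std::unique_ptr<Value> makeObject(std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries)
    {
        auto v = std::make_unique<Value>();
        v->kind = Kind::Object;
        v->entries = std::move(entries);
        return v;
    }

    // Cost attributed to a string's character data.
    static size_t stringCost(const std::string& s) { return s.size() * sizeof(std::string::value_type); }

    size_t memoryCost() const
    {
        switch (kind) {
        case Kind::Array: {
            // Array: the sum of the memoryCost of all items.
            size_t cost = 0;
            for (const auto& item : items)
                cost += item->memoryCost();
            return cost;
        }
        case Kind::Object: {
            // Object: for each entry, the cost of the string key plus the cost of its value.
            size_t cost = 0;
            for (const auto& entry : entries)
                cost += stringCost(entry.first) + entry.second->memoryCost();
            return cost;
        }
        case Kind::String:
            // Scalar holding a string: sizeof the object plus the string data.
            return sizeof(Value) + stringCost(string);
        default:
            // Other scalars: sizeof the object alone.
            return sizeof(Value);
        }
    }
};

// Constructed sample: {"name": "abc", "tags": ["x", "yz"], "n": 1}
// By the rules above this costs 4 * sizeof(Value) + 15 bytes.
size_t sampleObjectCost()
{
    std::vector<std::unique_ptr<Value>> tags;
    tags.push_back(Value::makeString("x"));
    tags.push_back(Value::makeString("yz"));

    std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries;
    entries.emplace_back("name", Value::makeString("abc"));
    entries.emplace_back("tags", Value::makeArray(std::move(tags)));
    entries.emplace_back("n", Value::makeNumber());
    return Value::makeObject(std::move(entries))->memoryCost();
}

int main()
{
    std::cout << "sample object memoryCost: " << sampleObjectCost() << " bytes\n";
    return 0;
}
```

        Keys are charged only for their character data, so a deeply nested message with
        many short keys stays cheap while a few large string payloads dominate the total.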
1859
1860 2017-07-18  Andy Estes  <aestes@apple.com>
1861
1862         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
1863         https://bugs.webkit.org/show_bug.cgi?id=174631
1864
1865         Reviewed by Darin Adler.
1866
1867         * Configurations/Base.xcconfig:
1868
1869 2017-07-18  Michael Saboff  <msaboff@apple.com>
1870
1871         [JSC] There should be a debug option to dump a compiled RegExp Pattern
1872         https://bugs.webkit.org/show_bug.cgi?id=174601
1873
1874         Reviewed by Alex Christensen.
1875
1876         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
1877         objects after a regular expression has been compiled.
1878
1879         * runtime/Options.h:
1880         * yarr/YarrPattern.cpp:
1881         (JSC::Yarr::YarrPattern::compile):
1882         (JSC::Yarr::indentForNestingLevel):
1883         (JSC::Yarr::dumpUChar32):
1884         (JSC::Yarr::PatternAlternative::dump):
1885         (JSC::Yarr::PatternTerm::dumpQuantifier):
1886         (JSC::Yarr::PatternTerm::dump):
1887         (JSC::Yarr::PatternDisjunction::dump):
1888         (JSC::Yarr::YarrPattern::dumpPattern):
1889         * yarr/YarrPattern.h:
1890         (JSC::Yarr::YarrPattern::global):
1891
1892 2017-07-17  Darin Adler  <darin@apple.com>
1893
1894         Improve use of NeverDestroyed
1895         https://bugs.webkit.org/show_bug.cgi?id=174348
1896
1897         Reviewed by Sam Weinig.
1898
1899         * heap/MachineStackMarker.cpp:
1900         * wasm/WasmMemory.cpp:
1901         Removed unneeded includes of NeverDestroyed.h in files that do not make use
1902         of NeverDestroyed.
1903
1904 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1905
1906         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
1907         https://bugs.webkit.org/show_bug.cgi?id=174547
1908
1909         Reviewed by Alex Christensen.
1910
1911         * CMakeLists.txt:
1912         * shell/CMakeLists.txt:
1913
1914 2017-07-17  Saam Barati  <sbarati@apple.com>
1915
1916         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
1917         https://bugs.webkit.org/show_bug.cgi?id=174584
1918
1919         Rubber stamped by Keith Miller.
1920
1921         I used it to diagnose a bug. The bug is now fixed. This custom
1922         RELEASE_ASSERT is no longer needed.
1923
1924         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1925
1926 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1927
1928         -Wformat-truncation warning in ConfigFile.cpp
1929         https://bugs.webkit.org/show_bug.cgi?id=174506
1930
1931         Reviewed by Darin Adler.
1932
1933         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
1934         return ParseError.
1935
1936         * runtime/ConfigFile.cpp:
1937         (JSC::ConfigFile::parse):
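
        The truncation check described above, as an added example that is not WebKit's
        ConfigFile::parse. It shows the pattern -Wformat-truncation points at: snprintf
        returns the number of characters that would have been written, so a result at or
        above the buffer size means the path was cut short and should be treated as an
        error rather than used. `kMaxPathLength`, `buildConfigPath`, `joinedPathOrEmpty`
        and `joinedPathUnchecked` are hypothetical names, and the 32-byte limit is a
        constructed value chosen so the truncation branch is easy to exercise.

```cpp
#include <cstddef>
#include <cstdio>
#include <iostream>
#include <string>

// Hypothetical, reduced stand-in for the real parser's result type.
enum class ParseResult { Ok, ParseError };

// Constructed limit for this example (not the platform's PATH_MAX).
constexpr size_t kMaxPathLength = 32;

// Joins `directory` and `fileName` into `outPath` and refuses a truncated result.
ParseResult buildConfigPath(const char* directory, const char* fileName, char (&outPath)[kMaxPathLength])
{
    int written = std::snprintf(outPath, sizeof(outPath), "%s/%s", directory, fileName);
    if (written < 0)
        return ParseResult::ParseError;          // encoding error
    if (static_cast<size_t>(written) >= sizeof(outPath)) {
        outPath[0] = '\0';                       // do not leave a partial path behind
        return ParseResult::ParseError;          // output would have been truncated
    }
    return ParseResult::Ok;
}

// Checked variant: the joined path, or an empty string when it would not fit.
std::string joinedPathOrEmpty(const char* directory, const char* fileName)
{
    char path[kMaxPathLength];
    if (buildConfigPath(directory, fileName, path) != ParseResult::Ok)
        return std::string();
    return std::string(path);
}

// The pattern the warning flags: ignoring snprintf's return value means an
// over-long input silently yields a shortened, and therefore wrong, path.
std::string joinedPathUnchecked(const char* directory, const char* fileName)
{
    char path[kMaxPathLength];
    std::snprintf(path, sizeof(path), "%s/%s", directory, fileName); // return value ignored
    return std::string(path);
}

int main()
{
    // Constructed inputs: the second directory is long enough to overflow the limit.
    std::cout << "short:   '" << joinedPathOrEmpty("/etc/jsc", "jsc.config") << "'\n";
    std::cout << "checked: '" << joinedPathOrEmpty("/a/very/long/directory/name/here", "jsc.config") << "'\n";
    std::cout << "naive:   '" << joinedPathUnchecked("/a/very/long/directory/name/here", "jsc.config") << "'\n";
    return 0;
}
```

        The boundary matters: a 31-character path fits in a 32-byte buffer with its
        terminator, while a 32-character path is reported as 32 by snprintf and rejected.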
1938
1939 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
1940
1941         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
1942         https://bugs.webkit.org/show_bug.cgi?id=174557
1943
1944         Reviewed by Michael Catanzaro.
1945
1946         * CMakeLists.txt:
1947
1948 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1949
1950         [WTF] Use std::unique_ptr for StackTrace
1951         https://bugs.webkit.org/show_bug.cgi?id=174495
1952
1953         Reviewed by Alex Christensen.
1954
1955         * runtime/ExceptionScope.cpp:
1956         (JSC::ExceptionScope::unexpectedExceptionMessage):
1957         * runtime/VM.cpp:
1958         (JSC::VM::throwException):
1959
1960 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1961
1962         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
1963         https://bugs.webkit.org/show_bug.cgi?id=174423
1964
1965         Reviewed by Saam Barati.
1966
1967         * dfg/DFGAvailabilityMap.cpp:
1968         (JSC::DFG::AvailabilityMap::pruneHeap):
1969         (JSC::DFG::AvailabilityMap::pruneByLiveness):
1970
1971 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1972
1973         Fix compiler warnings when building with GCC 7
1974         https://bugs.webkit.org/show_bug.cgi?id=174463
1975
1976         Reviewed by Darin Adler.
1977
1978         * disassembler/udis86/udis86_decode.c:
1979         (decode_operand):
1980
1981 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1982
1983         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
1984         https://bugs.webkit.org/show_bug.cgi?id=174467
1985
1986         Reviewed by Saam Barati.
1987
1988         * bytecode/CallLinkInfo.cpp:
1989         (JSC::CallLinkInfo::callTypeFor):
1990
1991 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
1992
1993         Web Inspector: Remove unused and untested Page domain commands
1994         https://bugs.webkit.org/show_bug.cgi?id=174429
1995
1996         Reviewed by Timothy Hatcher.
1997
1998         * inspector/protocol/Page.json:
1999
2000 2017-07-13  Saam Barati  <sbarati@apple.com>
2001
2002         Missing exception check in JSObject::hasInstance
2003         https://bugs.webkit.org/show_bug.cgi?id=174455
2004         <rdar://problem/31384608>
2005
2006         Reviewed by Mark Lam.
2007
2008         * runtime/JSObject.cpp:
2009         (JSC::JSObject::hasInstance):
2010
2011 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2012
2013         [ESnext] Implement Object Spread
2014         https://bugs.webkit.org/show_bug.cgi?id=167963
2015
2016         Reviewed by Saam Barati.
2017
2018         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
2019         It's implemented using CopyDataPropertiesNoExclusions to copy
2020         all enumerable keys from the object being spread. The implementation of
2021         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2022         implementation, however we don't receive excludedNames as a parameter.
2023
2024         [1] - https://github.com/tc39/proposal-object-rest-spread
2025
2026         * builtins/GlobalOperations.js:
2027         (globalPrivate.copyDataPropertiesNoExclusions):
2028         * bytecompiler/BytecodeGenerator.cpp:
2029         (JSC::BytecodeGenerator::emitLoad):
2030         * bytecompiler/NodesCodegen.cpp:
2031         (JSC::PropertyListNode::emitBytecode):
2032         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2033         * parser/ASTBuilder.h:
2034         (JSC::ASTBuilder::createObjectSpreadExpression):
2035         (JSC::ASTBuilder::createProperty):
2036         * parser/NodeConstructors.h:
2037         (JSC::PropertyNode::PropertyNode):
2038         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2039         * parser/Nodes.h:
2040         (JSC::ObjectSpreadExpressionNode::expression):
2041         * parser/Parser.cpp:
2042         (JSC::Parser<LexerType>::parseProperty):
2043         * parser/SyntaxChecker.h:
2044         (JSC::SyntaxChecker::createObjectSpreadExpression):
2045         (JSC::SyntaxChecker::createProperty):
2046
2047 2017-07-12  Mark Lam  <mark.lam@apple.com>
2048
2049         Gardening: build fix after r219434.
2050         https://bugs.webkit.org/show_bug.cgi?id=174441
2051
2052         Not reviewed.
2053
2054         Make public some MacroAssembler functions that are needed by the probe implementation.
2055
2056         * assembler/MacroAssemblerARM.h:
2057         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2058         * assembler/MacroAssemblerARMv7.h:
2059         (JSC::MacroAssemblerARMv7::linkCall):
2060
2061 2017-07-12  Mark Lam  <mark.lam@apple.com>
2062
2063         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2064         https://bugs.webkit.org/show_bug.cgi?id=174441
2065
2066         Reviewed by Saam Barati.
2067
2068         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2069         to MacroAssembler.  There is no code behavior change.
2070
2071         * assembler/AbstractMacroAssembler.h:
2072         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2073         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2074         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2075         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2076         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2077         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2078         * assembler/MacroAssembler.h:
2079         (JSC::MacroAssembler::CPUState::gprName):
2080         (JSC::MacroAssembler::CPUState::fprName):
2081         (JSC::MacroAssembler::CPUState::gpr):
2082         (JSC::MacroAssembler::CPUState::fpr):
2083         * assembler/MacroAssemblerARM.cpp:
2084         (JSC::MacroAssembler::probe):
2085         (JSC::MacroAssemblerARM::probe): Deleted.
2086         * assembler/MacroAssemblerARM.h:
2087         * assembler/MacroAssemblerARM64.cpp:
2088         (JSC::MacroAssembler::probe):
2089         (JSC::MacroAssemblerARM64::probe): Deleted.
2090         * assembler/MacroAssemblerARM64.h:
2091         * assembler/MacroAssemblerARMv7.cpp:
2092         (JSC::MacroAssembler::probe):
2093         (JSC::MacroAssemblerARMv7::probe): Deleted.
2094         * assembler/MacroAssemblerARMv7.h:
2095         * assembler/MacroAssemblerMIPS.h:
2096         * assembler/MacroAssemblerX86Common.cpp:
2097         (JSC::MacroAssembler::probe):
2098         (JSC::MacroAssemblerX86Common::probe): Deleted.
2099         * assembler/MacroAssemblerX86Common.h:
2100
2101 2017-07-12  Saam Barati  <sbarati@apple.com>
2102
2103         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2104         https://bugs.webkit.org/show_bug.cgi?id=174411
2105         <rdar://problem/31696186>
2106
2107         Reviewed by Mark Lam.
2108
2109         The code for deleting an argument was incorrectly referencing state
2110         when it decided if it should unmap or mark a property as having its
2111         descriptor modified. This patch fixes the bug where if we delete a
2112         property, we would sometimes not unmap an argument when deleting it.
2113
2114         * runtime/GenericArgumentsInlines.h:
2115         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2116         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2117         (JSC::GenericArguments<Type>::deleteProperty):
2118         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2119
2120 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2121
2122         Unreviewed, rolling out r219176.
2123         https://bugs.webkit.org/show_bug.cgi?id=174436
2124
2125         "Can cause infinite recursion on iOS" (Requested by mlam on
2126         #webkit).
2127
2128         Reverted changeset:
2129
2130         "WTF::Thread should have the threads stack bounds."
2131         https://bugs.webkit.org/show_bug.cgi?id=173975
2132         http://trac.webkit.org/changeset/219176
2133
2134 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2135
2136         Unreviewed, rolling out r219401.
2137
2138         This revision rolled out the previous patch, but after talking
2139         with reviewer, a rebaseline is what was needed. Rolling back in
2140         before rebaseline.
2141
2142         Reverted changeset:
2143
2144         "Unreviewed, rolling out r219379."
2145         https://bugs.webkit.org/show_bug.cgi?id=174400
2146         http://trac.webkit.org/changeset/219401
2147
2148 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2149
2150         Unreviewed, rolling out r219379.
2151
2152         This revision caused a consistent failure in the test
2153         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
2155
2156         Reverted changeset:
2157
2158         "Remove NAVIGATOR_HWCONCURRENCY"
2159         https://bugs.webkit.org/show_bug.cgi?id=174400
2160         http://trac.webkit.org/changeset/219379
2161
2162 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2163
2164         Wrong radix used in Unicode Escape in invalid character error message
2165         https://bugs.webkit.org/show_bug.cgi?id=174419
2166
2167         Reviewed by Alex Christensen.
2168
2169         * parser/Lexer.cpp:
2170         (JSC::Lexer<T>::invalidCharacterMessage):
2171
2172 2017-07-11  Dean Jackson  <dino@apple.com>
2173
2174         Remove NAVIGATOR_HWCONCURRENCY
2175         https://bugs.webkit.org/show_bug.cgi?id=174400
2176
2177         Reviewed by Sam Weinig.
2178
2179         * Configurations/FeatureDefines.xcconfig:
2180
2181 2017-07-11  Dean Jackson  <dino@apple.com>
2182
2183         Rolling out r219372.
2184
2185         * Configurations/FeatureDefines.xcconfig:
2186
2187 2017-07-11  Dean Jackson  <dino@apple.com>
2188
2189         Remove NAVIGATOR_HWCONCURRENCY
2190         https://bugs.webkit.org/show_bug.cgi?id=174400
2191
2192         Reviewed by Sam Weinig.
2193
2194         * Configurations/FeatureDefines.xcconfig:
2195
2196 2017-07-11  Saam Barati  <sbarati@apple.com>
2197
2198         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2199         https://bugs.webkit.org/show_bug.cgi?id=174397
2200
2201         Rubber stamped by David Kilzer.
2202
2203         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2204         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2205
2206 2017-07-10  Saam Barati  <sbarati@apple.com>
2207
2208         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2209         https://bugs.webkit.org/show_bug.cgi?id=174321
2210         <rdar://problem/32604963>
2211
2212         Reviewed by Filip Pizlo.
2213
2214         When the allocation sinking phase was generating stores to materialize
2215         objects in a cycle with each other, it would assume that each materialized
2216         object had a valid, non-empty set of structures. This is an OK assumption for
2217         the phase to make because how do you materialize an object with no structure?
2218         
2219         The abstract interpretation part of the phase will model what's in the heap.
2220         However, it would sometimes model that a CheckStructure would fail. The phase
2221         did nothing special for this; it just stored the empty set of structures for
2222         its representation of a particular allocation. However, what the phase proved
2223         in such a scenario is that, had the CheckStructure executed, it would have exited.
2224         
2225         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2226         This will cause the allocation in question to be materialized just before
2227         the CheckStructure, and then at execution time, the CheckStructure will exit.
2228         
2229         I wasn't able to write a test case for this. However, I was able to reproduce
2230         this crash by manually editing the IR. I've opened a separate bug to help us
2231         create a testing framework for writing tests for hard to reproduce bugs like this:
2232         https://bugs.webkit.org/show_bug.cgi?id=174322
2233
2234         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2235
2236 2017-07-10  Devin Rousso  <drousso@apple.com>
2237
2238         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2239         https://bugs.webkit.org/show_bug.cgi?id=174279
2240
2241         Reviewed by Matt Baker.
2242
2243         * inspector/protocol/DOM.json:
2244         Add `highlightNodeList` command that will highlight each node in the given list.
2245
2246 2017-07-03  Brian Burg  <bburg@apple.com>
2247
2248         Web Replay: remove some unused code
2249         https://bugs.webkit.org/show_bug.cgi?id=173903
2250
2251         Rubber-stamped by Joseph Pecoraro.
2252
2253         * CMakeLists.txt:
2254         * Configurations/FeatureDefines.xcconfig:
2255         * DerivedSources.make:
2256         * JavaScriptCore.xcodeproj/project.pbxproj:
2257         * inspector/protocol/Replay.json: Removed.
2258         * replay/EmptyInputCursor.h: Removed.
2259         * replay/EncodedValue.cpp: Removed.
2260         * replay/EncodedValue.h: Removed.
2261         * replay/InputCursor.h: Removed.
2262         * replay/JSInputs.json: Removed.
2263         * replay/NondeterministicInput.h: Removed.
2264         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2265         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2266         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2267         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2268         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2269         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2270         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2271         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2272         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2273         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2274         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2275         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2276         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2277         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2278         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2279         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2280         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2281         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2282         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2283         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2284         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2285         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2286         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2287         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2288         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2289         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2290         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2291         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2292         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
2293         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
2294         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
2295         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
2296         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
2297         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
2298         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
2299         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
2300         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
2301         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
2302         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
2303         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
2304         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
2305         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
2306         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
2307         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
2308         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
2309         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
2310         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
2311         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
2312         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
2313         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
2314         * replay/scripts/tests/generate-input-with-guard.json: Removed.
2315         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
2316         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
2317         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
2318         * runtime/DateConstructor.cpp:
2319         (JSC::constructDate):
2320         (JSC::dateNow):
2321         (JSC::deterministicCurrentTime): Deleted.
2322         * runtime/JSGlobalObject.cpp:
2323         (JSC::JSGlobalObject::JSGlobalObject):
2324         (JSC::JSGlobalObject::setInputCursor): Deleted.
2325         * runtime/JSGlobalObject.h:
2326         (JSC::JSGlobalObject::inputCursor): Deleted.
2327
2328 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2329
2330         Move make-js-file-arrays.py from WebCore to JavaScriptCore
2331         https://bugs.webkit.org/show_bug.cgi?id=174024
2332
2333         Reviewed by Michael Catanzaro.
2334
2335         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
2336         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
2337         Added a command line option to pass the namespace to use instead of using WebCore.
2338
2339         * JavaScriptCore.xcodeproj/project.pbxproj:
2340         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
2341         (main):
2342
2343 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2344
2345         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
2346         https://bugs.webkit.org/show_bug.cgi?id=174296
2347
2348         Reviewed by Mark Lam.
2349
2350         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
2351         It caused a problem in scanning template literals. While template literals normalize
2352         <LF><CR> to <LF><LF>, we still needed to increase line number by only one.
2353         To handle it correctly, LineNumberAdder is introduced.
2354
2355         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
2356         LineNumberAdder. Let's just use shiftLineTerminator() instead.
2357
2358         * parser/Lexer.cpp:
2359         (JSC::Lexer<T>::parseTemplateLiteral):
2360         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
2361         (JSC::LineNumberAdder::clear): Deleted.
2362         (JSC::LineNumberAdder::add): Deleted.
2363
2364 2017-07-09  Dan Bernstein  <mitz@apple.com>
2365
2366         [Xcode] ICU headers aren’t treated as system headers after r219155
2367         https://bugs.webkit.org/show_bug.cgi?id=174299
2368
2369         Reviewed by Sam Weinig.
2370
2371         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
2372           C++ compilers.
2373
2374         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
2375         * runtime/IntlDateTimeFormat.cpp: Ditto.
2376         * runtime/JSGlobalObject.cpp: Ditto.
2377         * runtime/StringPrototype.cpp: Ditto.
2378
2379 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2380
2381         [JSC] Use fastMalloc / fastFree for STL containers
2382         https://bugs.webkit.org/show_bug.cgi?id=174297
2383
2384         Reviewed by Sam Weinig.
2385
2386         In some places, we intentionally use STL containers over WTF containers.
2387         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
2388         because we do not have effective empty / deleted representations in the space of key's value.
2389         But just using STL containers means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
2390
2391         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
2392         We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc.
2393
2394         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
2395         without compromising memory allocation throughput.
2396
2397         * dfg/DFGGraph.h:
2398         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2399         * ftl/FTLLowerDFGToB3.cpp:
2400         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2401         * runtime/FunctionHasExecutedCache.h:
2402         * runtime/TypeLocationCache.h:
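
The allocator pattern the entry above describes, as an added example that is not WTF's FastAllocator or any other code from the WebKit tree: a minimal C++11 allocator routing every container allocation through a custom malloc/free pair, plugged into std::unordered_set and std::unordered_map via the allocator template parameter. The fastMalloc/fastFree functions below are stand-ins (an assumption) for the bmalloc-backed ones in WTF; the call counters exist only so the result can be checked.

```cpp
#include <cstddef>
#include <cstdlib>
#include <functional>
#include <new>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <utility>

// Added example, not WTF's FastAllocator. fastMalloc/fastFree here are stand-ins
// for the bmalloc-backed functions in WTF (assumption); the counters exist so a
// test can prove that every block the containers used came through them.
static std::size_t g_fastMallocCalls = 0;
static std::size_t g_fastFreeCalls = 0;

static void* fastMalloc(std::size_t size)
{
    void* p = std::malloc(size ? size : 1);
    if (!p)
        throw std::bad_alloc();
    ++g_fastMallocCalls;
    return p;
}

static void fastFree(void* p)
{
    if (!p)
        return;
    ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++11 allocator. std::allocator_traits supplies rebind, construct and
// destroy, so value_type, allocate and deallocate are all a container needs.
template<typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() = default;
    template<typename U> FastAllocator(const FastAllocator<U>&) noexcept { }

    T* allocate(std::size_t n)
    {
        if (n > static_cast<std::size_t>(-1) / sizeof(T))
            throw std::bad_alloc(); // n * sizeof(T) would overflow
        return static_cast<T*>(fastMalloc(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t) noexcept { fastFree(p); }
};

// Stateless allocators compare equal: memory from one instance may be freed by another.
template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return false; }

// Aliases of the kind a code base keeps next to its STL uses, so call sites cannot
// forget the allocator parameter and silently fall back to libc malloc.
template<typename Key>
using FastUnorderedSet = std::unordered_set<Key, std::hash<Key>, std::equal_to<Key>, FastAllocator<Key>>;
template<typename Key, typename Value>
using FastUnorderedMap = std::unordered_map<Key, Value, std::hash<Key>, std::equal_to<Key>,
    FastAllocator<std::pair<const Key, Value>>>;

// Fill and destroy a set; return how many allocations went through fastMalloc.
std::size_t fastAllocationsForSet(std::size_t elements)
{
    std::size_t before = g_fastMallocCalls;
    {
        FastUnorderedSet<int> set;
        for (std::size_t i = 0; i < elements; ++i)
            set.insert(static_cast<int>(i));
    }
    return g_fastMallocCalls - before;
}

// Same for a map with std::string keys. Caveat: the strings themselves still use
// std::allocator; nested containers need their own allocator argument.
std::size_t fastAllocationsForMap(std::size_t elements)
{
    std::size_t before = g_fastMallocCalls;
    {
        FastUnorderedMap<std::string, int> map;
        for (std::size_t i = 0; i < elements; ++i)
            map.emplace(std::to_string(i), static_cast<int>(i));
    }
    return g_fastMallocCalls - before;
}

// Every fastMalloc must have been matched by a fastFree once the containers are gone.
bool fastAllocationsBalanced() { return g_fastMallocCalls == g_fastFreeCalls; }
```

The point worth checking in a real tree is the one the map function's comment makes: the allocator parameter only covers the container's own nodes and bucket array. Keys or values that are themselves heap-owning types (std::string, std::vector) keep using std::allocator unless they are given the same allocator, so a grep for bare std:: containers is not enough to prove all memory goes through the hardened allocator.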
2403
2404 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2405
2406         Drop NOSNIFF compile flag
2407         https://bugs.webkit.org/show_bug.cgi?id=174289
2408
2409         Reviewed by Michael Catanzaro.
2410
2411         * Configurations/FeatureDefines.xcconfig:
2412
2413 2017-07-07  AJ Ringer  <aringer@apple.com>
2414
2415         Lower the max_protection for the separated heap
2416         https://bugs.webkit.org/show_bug.cgi?id=174281
2417
2418         Reviewed by Oliver Hunt.
2419
2420         Switch to vm_protect so we can set maximum page protection.
2421
2422         * jit/ExecutableAllocator.cpp:
2423         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2424         (JSC::ExecutableAllocator::allocate):
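
As an added example that is not the ExecutableAllocator code the entry above refers to: the W^X lifecycle of a single JIT page, with the maximum protection clamped once the writable phase is over. On Mach (macOS/iOS) the clamp is vm_protect() with set_maximum = TRUE; Linux has no per-mapping maximum protection, so clampMaxProtection() is a no-op there and the second function shows the difference. The stub bytes, page handling and function names are assumptions made for this demonstration.

```cpp
#include <cstddef>
#include <cstring>
#include <sys/mman.h>
#include <unistd.h>
#if defined(__APPLE__)
#include <mach/mach.h>
#endif

// Added example, not ExecutableAllocator's code. Only Mach has a per-mapping maximum
// protection; vm_protect() with set_maximum = TRUE lowers it so that no later
// mprotect()/vm_protect() call can raise the pages back above maxProt. Elsewhere the
// clamp does not exist, so this function is a documented no-op returning true.
static bool clampMaxProtection(void* addr, std::size_t size, int maxProt)
{
#if defined(__APPLE__)
    vm_prot_t prot = VM_PROT_NONE;
    if (maxProt & PROT_READ) prot |= VM_PROT_READ;
    if (maxProt & PROT_WRITE) prot |= VM_PROT_WRITE;
    if (maxProt & PROT_EXEC) prot |= VM_PROT_EXECUTE;
    kern_return_t kr = vm_protect(mach_task_self(), reinterpret_cast<vm_address_t>(addr),
                                  size, TRUE /* set_maximum */, prot);
    return kr == KERN_SUCCESS;
#else
    (void)addr; (void)size; (void)maxProt;
    return true;
#endif
}

// A tiny "JIT" payload, a function returning 42, for the two architectures covered here.
#if defined(__x86_64__)
static const unsigned char kStub[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 }; // mov eax, 42 ; ret
static const bool kStubSupported = true;
#elif defined(__aarch64__)
static const unsigned char kStub[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; // mov w0, #42 ; ret
static const bool kStubSupported = true;
#else
static const unsigned char kStub[] = { 0 };
static const bool kStubSupported = false;
#endif

// Map one page RW, copy the stub in, flip the page to RX, seal the maximum at RX,
// then call it. Returns the stub's return value, or -1 if any step fails.
int runSealedStub()
{
    if (!kStubSupported)
        return -1;
    long pageSize = sysconf(_SC_PAGESIZE);
    if (pageSize <= 0)
        return -1;
    std::size_t size = static_cast<std::size_t>(pageSize);

    void* page = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return -1;
    std::memcpy(page, kStub, sizeof kStub);
    __builtin___clear_cache(static_cast<char*>(page), static_cast<char*>(page) + sizeof kStub);

    // The writable phase is over: drop W now, and forbid it from ever coming back.
    bool sealed = mprotect(page, size, PROT_READ | PROT_EXEC) == 0
        && clampMaxProtection(page, size, PROT_READ | PROT_EXEC);
    int result = -1;
    if (sealed) {
        using StubFunction = int (*)();
        StubFunction fn = reinterpret_cast<StubFunction>(page);
        result = fn();
    }
    munmap(page, size);
    return result;
}

// After the seal, an attacker who reaches mprotect() cannot make the page writable
// again on Mach; Linux has no maximum protection, so there the call still succeeds.
bool pageCanBecomeWritableAfterSeal()
{
    long pageSize = sysconf(_SC_PAGESIZE);
    if (pageSize <= 0)
        return false;
    std::size_t size = static_cast<std::size_t>(pageSize);
    void* page = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED)
        return false;
    bool writable = false;
    if (mprotect(page, size, PROT_READ | PROT_EXEC) == 0 && clampMaxProtection(page, size, PROT_READ | PROT_EXEC))
        writable = mprotect(page, size, PROT_READ | PROT_WRITE) == 0;
    munmap(page, size);
    return writable;
}
```

On macOS pageCanBecomeWritableAfterSeal() returns false once the maximum has been lowered, which is exactly the property the entry is after: a code-reuse primitive that reaches mprotect() can no longer turn executable pages writable. On Linux the same function returns true, because there is nothing equivalent to lower; a separated writable alias (the other half of the "separated heaps" design) has to carry that guarantee instead. On arm64 macOS with the hardened runtime, executable anonymous memory additionally needs MAP_JIT and the JIT entitlement, which this example does not cover.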
2425
2426 2017-07-07  Devin Rousso  <drousso@apple.com>
2427
2428         Web Inspector: Show all elements currently using a given CSS Canvas
2429         https://bugs.webkit.org/show_bug.cgi?id=173965
2430
2431         Reviewed by Joseph Pecoraro.
2432
2433         * inspector/protocol/Canvas.json:
2434          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
2435            canvas via -webkit-canvas.
2436          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
2437            added/removed from the list of -webkit-canvas clients.
2438
2439 2017-07-07  Mark Lam  <mark.lam@apple.com>
2440
2441         \n\r is not the same as \r\n.
2442         https://bugs.webkit.org/show_bug.cgi?id=173053
2443
2444         Reviewed by Keith Miller.
2445
2446         * parser/Lexer.cpp:
2447         (JSC::Lexer<T>::shiftLineTerminator):
2448         (JSC::LineNumberAdder::add):
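
The two lexer entries above (this one and the 2017-07-09 "Drop LineNumberAdder" entry) state the rule; the scanner below is an added example, not code from the WebKit tree, that shows it end to end: <CR><LF> is one line terminator, <LF><CR> is two, and template literal cooking turns <CR> and <CR><LF> into <LF>. The names shiftLineTerminator and scanTemplateLiteral echo the ChangeLog entries, but the bodies are my own sketch, not JSC's Lexer implementation.

```cpp
#include <cstddef>
#include <string>

// Added example, not JSC's Lexer. The ECMAScript line terminators are LF, CR,
// U+2028 (LS) and U+2029 (PS). <CR><LF> is a single terminator; <LF><CR> is two.
static bool isLineTerminator(char16_t c)
{
    return c == u'\n' || c == u'\r' || c == u'\u2028' || c == u'\u2029';
}

// Consume one line terminator sequence starting at index i and return how many
// code units it spans. Only <CR><LF> is merged; an <LF> followed by <CR> leaves the
// <CR> to be counted as a second terminator on the next call.
static std::size_t shiftLineTerminator(const std::u16string& source, std::size_t i)
{
    if (source[i] == u'\r' && i + 1 < source.size() && source[i + 1] == u'\n')
        return 2;
    return 1;
}

struct TemplateScan {
    int lineTerminators;       // how many terminators the lexer counted
    std::u16string cookedText; // text after template literal normalization
};

// Walk a template literal body: count terminators for line numbering and apply the
// TRV normalization (<CR> and <CR><LF> become <LF>). With this rule "\n\r" counts as
// two lines and cooks to "\n\n", while "\r\n" counts as one line and cooks to "\n".
TemplateScan scanTemplateLiteral(const std::u16string& source)
{
    TemplateScan result { 0, std::u16string() };
    std::size_t i = 0;
    while (i < source.size()) {
        char16_t c = source[i];
        if (!isLineTerminator(c)) {
            result.cookedText.push_back(c);
            ++i;
            continue;
        }
        std::size_t consumed = shiftLineTerminator(source, i);
        ++result.lineTerminators;
        result.cookedText.push_back(c == u'\r' ? u'\n' : c);
        i += consumed;
    }
    return result;
}

int countLineTerminators(const std::u16string& source) { return scanTemplateLiteral(source).lineTerminators; }
std::u16string cookTemplateText(const std::u16string& source) { return scanTemplateLiteral(source).cookedText; }
```

The practical consequence is that line numbers reported for errors inside a template literal stay in step with the rest of the file: the lexer counts terminators with the same rule everywhere, and the cooked text for "\n\r" gains a second <LF> precisely because the lexer counted a second line.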
2449
2450 2017-07-07  Commit Queue  <commit-queue@webkit.org>
2451
2452         Unreviewed, rolling out r219238, r219239, and r219241.
2453         https://bugs.webkit.org/show_bug.cgi?id=174265
2454
2455         "fast/workers/dedicated-worker-lifecycle.html is flaky"
2456         (Requested by yusukesuzuki on #webkit).
2457
2458         Reverted changesets:
2459
2460         "[WTF] Implement WTF::ThreadGroup"
2461         https://bugs.webkit.org/show_bug.cgi?id=174081
2462         http://trac.webkit.org/changeset/219238
2463
2464         "Unreviewed, build fix after r219238"
2465         https://bugs.webkit.org/show_bug.cgi?id=174081
2466         http://trac.webkit.org/changeset/219239
2467
2468         "Unreviewed, CLoop build fix after r219238"
2469         https://bugs.webkit.org/show_bug.cgi?id=174081
2470         http://trac.webkit.org/changeset/219241
2471
2472 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2473
2474         Unreviewed, CLoop build fix after r219238
2475         https://bugs.webkit.org/show_bug.cgi?id=174081
2476
2477         * heap/MachineStackMarker.cpp:
2478
2479 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2480
2481         [WTF] Implement WTF::ThreadGroup
2482         https://bugs.webkit.org/show_bug.cgi?id=174081
2483
2484         Reviewed by Mark Lam.
2485
2486         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2487         And SamplingProfiler and others interact with WTF::Thread directly.
2488
2489         * API/tests/ExecutionTimeLimitTest.cpp:
2490         * heap/MachineStackMarker.cpp:
2491         (JSC::MachineThreads::MachineThreads):
2492         (JSC::captureStack):
2493         (JSC::MachineThreads::tryCopyOtherThreadStack):
2494         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2495         (JSC::MachineThreads::gatherConservativeRoots):
2496         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2497         (JSC::ActiveMachineThreadsManager::add): Deleted.
2498         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2499         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2500         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2501         (JSC::activeMachineThreadsManager): Deleted.
2502         (JSC::MachineThreads::~MachineThreads): Deleted.
2503         (JSC::MachineThreads::addCurrentThread): Deleted.
2504         (): Deleted.
2505         (JSC::MachineThreads::removeThread): Deleted.
2506         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2507         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2508         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2509         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2510         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2511         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2512         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2513         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2514         * heap/MachineStackMarker.h:
2515         (JSC::MachineThreads::addCurrentThread):
2516         (JSC::MachineThreads::getLock):
2517         (JSC::MachineThreads::threads):
2518         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2519         (JSC::MachineThreads::MachineThread::resume): Deleted.
2520         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2521         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2522         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2523         (JSC::MachineThreads::threadsListHead): Deleted.
2524         * runtime/SamplingProfiler.cpp:
2525         (JSC::FrameWalker::isValidFramePointer):
2526         (JSC::SamplingProfiler::SamplingProfiler):
2527         (JSC::SamplingProfiler::takeSample):
2528         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2529         * runtime/SamplingProfiler.h:
2530         * wasm/WasmMachineThreads.cpp:
2531         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2532
2533 2017-07-06  Saam Barati  <sbarati@apple.com>
2534
2535         We are missing places where we invalidate the for-in context
2536         https://bugs.webkit.org/show_bug.cgi?id=174184
2537
2538         Reviewed by Geoffrey Garen.
2539
2540         * bytecompiler/BytecodeGenerator.cpp:
2541         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2542         * bytecompiler/NodesCodegen.cpp:
2543         (JSC::EmptyLetExpression::emitBytecode):
2544         (JSC::ForInNode::emitLoopHeader):
2545         (JSC::ForOfNode::emitBytecode):
2546         (JSC::BindingNode::bindValue):
2547
2548 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2549
2550         Unreviewed, suppress warnings in GCC environment
2551
2552         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2553         * runtime/IntlCollator.cpp:
2554         * runtime/IntlDateTimeFormat.cpp:
2555         * runtime/JSGlobalObject.cpp:
2556         * runtime/StringPrototype.cpp:
2557
2558 2017-07-05  Saam Barati  <sbarati@apple.com>
2559
2560         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2561         https://bugs.webkit.org/show_bug.cgi?id=174188
2562         <rdar://problem/30581423>
2563
2564         Reviewed by Mark Lam.
2565
2566         We were calling lowJSValue(edge) when we were speculating the
2567         edge as double. This isn't allowed. We should have been using
2568         lowDouble.
2569         
2570         This patch also adds a new option, called useArrayAllocationProfiling,
2571         which defaults to true. When false, it will make the array allocation
2572         profile not actually sample seen arrays. It'll force the allocation
2573         profile's predicted indexing type to be ArrayWithUndecided. Adding
2574         this option made it trivial to write a test for this bug.
2575
2576         * bytecode/ArrayAllocationProfile.cpp:
2577         (JSC::ArrayAllocationProfile::updateIndexingType):
2578         * ftl/FTLLowerDFGToB3.cpp:
2579         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2580         * runtime/Options.h:
2581
2582 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2583
2584         WTF::Thread should have the threads stack bounds.
2585         https://bugs.webkit.org/show_bug.cgi?id=173975
2586
2587         Reviewed by Keith Miller.
2588
2589         There is a site in JSC that tries to walk another thread's stack.
2590         Currently, stack bounds are stored in WTFThreadData which is located
2591         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2592         We workaround this situation by holding StackBounds in MachineThread in JSC,
2593         but StackBounds should be put in WTF::Thread instead.
2594
2595         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2596         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2597         is a natural choice.
2598
2599         * heap/MachineStackMarker.cpp:
2600         (JSC::MachineThreads::MachineThread::MachineThread):
2601         (JSC::MachineThreads::MachineThread::captureStack):
2602         * heap/MachineStackMarker.h:
2603         (JSC::MachineThreads::MachineThread::stackBase):
2604         (JSC::MachineThreads::MachineThread::stackEnd):
2605         * runtime/InitializeThreading.cpp:
2606         (JSC::initializeThreading):
2607         * runtime/VM.cpp:
2608         (JSC::VM::VM):
2609         (JSC::VM::updateStackLimits):
2610         (JSC::VM::committedStackByteCount):
2611         * runtime/VM.h:
2612         (JSC::VM::isSafeToRecurse):
2613         * runtime/VMEntryScope.cpp:
2614         (JSC::VMEntryScope::VMEntryScope):
2615         * runtime/VMInlines.h:
2616         (JSC::VM::ensureStackCapacityFor):
2617         * runtime/VMTraps.cpp:
2618         * yarr/YarrPattern.cpp:
2619         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2620
2621 2017-07-05  Keith Miller  <keith_miller@apple.com>
2622
2623         Crashing with information should have an abort reason
2624         https://bugs.webkit.org/show_bug.cgi?id=174185
2625
2626         Reviewed by Saam Barati.
2627
2628         Add crash information for the abstract interpreter and add an enum
2629         value for object allocation sinking.
2630
2631         * assembler/AbortReason.h:
2632         * dfg/DFGAbstractInterpreterInlines.h:
2633         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2634         * dfg/DFGGraph.cpp:
2635         (JSC::DFG::logDFGAssertionFailure):
2636         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2637
2638 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2639
2640         Remove copy of ICU headers from WebKit
2641         https://bugs.webkit.org/show_bug.cgi?id=116407
2642
2643         Reviewed by Alex Christensen.
2644
2645         Use WTF's copy of ICU headers.
2646
2647         * Configurations/Base.xcconfig:
2648         * icu/unicode/localpointer.h: Removed.
2649         * icu/unicode/parseerr.h: Removed.
2650         * icu/unicode/platform.h: Removed.
2651         * icu/unicode/ptypes.h: Removed.
2652         * icu/unicode/putil.h: Removed.
2653         * icu/unicode/uchar.h: Removed.
2654         * icu/unicode/ucnv.h: Removed.
2655         * icu/unicode/ucnv_err.h: Removed.
2656         * icu/unicode/ucol.h: Removed.
2657         * icu/unicode/uconfig.h: Removed.
2658         * icu/unicode/ucurr.h: Removed.
2659         * icu/unicode/uenum.h: Removed.
2660         * icu/unicode/uiter.h: Removed.
2661         * icu/unicode/uloc.h: Removed.
2662         * icu/unicode/umachine.h: Removed.
2663         * icu/unicode/unorm.h: Removed.
2664         * icu/unicode/unorm2.h: Removed.
2665         * icu/unicode/urename.h: Removed.
2666         * icu/unicode/uscript.h: Removed.
2667         * icu/unicode/uset.h: Removed.
2668         * icu/unicode/ustring.h: Removed.
2669         * icu/unicode/utf.h: Removed.
2670         * icu/unicode/utf16.h: Removed.
2671         * icu/unicode/utf8.h: Removed.
2672         * icu/unicode/utf_old.h: Removed.
2673         * icu/unicode/utypes.h: Removed.
2674         * icu/unicode/uvernum.h: Removed.
2675         * icu/unicode/uversion.h: Removed.
2676         * runtime/IntlCollator.cpp:
2677         * runtime/IntlDateTimeFormat.cpp:
2678         (JSC::IntlDateTimeFormat::partTypeString):
2679         * runtime/JSGlobalObject.cpp:
2680         * runtime/StringPrototype.cpp:
2681         (JSC::normalize):
2682         (JSC::stringProtoFuncNormalize):
2683
2684 2017-07-05  Devin Rousso  <drousso@apple.com>
2685
2686         Web Inspector: Allow users to log any tracked canvas context
2687         https://bugs.webkit.org/show_bug.cgi?id=173397
2688         <rdar://problem/33111581>
2689
2690         Reviewed by Joseph Pecoraro.
2691
2692         * inspector/protocol/Canvas.json:
2693         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
2694
2695 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
2696
2697         Add WebKitPrivateFrameworkStubs for iOS 11
2698         https://bugs.webkit.org/show_bug.cgi?id=173988
2699
2700         Reviewed by David Kilzer.
2701
2702         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
2703         same directory for private framework stubs.
2704
2705 2017-07-05  JF Bastien  <jfbastien@apple.com>
2706
2707         WebAssembly: implement name section's module name, skip unknown sections
2708         https://bugs.webkit.org/show_bug.cgi?id=172008
2709
2710         Reviewed by Keith Miller.
2711
2712         Parse the WebAssembly module name properly, and skip unknown
2713         sections. This is useful because as toolchains support new types
2714         of names we want to keep displaying the information we know about
2715         and simply ignore new information. That capability was designed
2716         into WebAssembly's name section.
2717
2718         Failure to commit this patch would mean that WebKit won't display
2719         stack trace information, which would make developers sad.
2720
2721         Module names were added here: https://github.com/WebAssembly/design/pull/1055
2722
2723         Note that this patch doesn't do anything with the parsed name! Two
2724         reasons for this: module names aren't supported in binaryen yet,
2725         so I can't write a simple binary test; and using the name is a
2726         slightly riskier change because it requires changing StackVisitor
2727         + StackFrame (where they print "[wasm code]") which requires
2728         figuring out the frame's Module. The latter bit isn't trivial
2729         because we only know wasm frames from their tag bits, and
2730         CodeBlocks are always nullptr.
2731
2732         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
2733
2734         I filed #174098 to use the module name.
2735
2736         * wasm/WasmFormat.h:
2737         (JSC::Wasm::isValidNameType):
2738         * wasm/WasmNameSectionParser.cpp:
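
The parsing behaviour the entry above describes, as an added example that is not JSC's WasmNameSectionParser: a bounds-checked reader for the wasm "name" custom section that extracts the module name (subsection id 0) and skips any subsection id it does not know by its declared size, instead of failing the whole section. The sample bytes are constructed for the example, not emitted by a toolchain, and the class and function names are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Added example, not JSC's WasmNameSectionParser. A "name" custom section is a
// sequence of subsections: one id byte, a LEB128 u32 payload size, then the payload.
// Subsection 0 is the module name; other ids (function names, local names, anything
// a newer toolchain adds) are skipped by their declared size rather than rejected.
enum NameType : uint8_t { ModuleName = 0, FunctionNames = 1, LocalNames = 2 };

struct NameSection {
    std::string moduleName;
    std::vector<uint8_t> skippedSubsections; // ids we did not parse
};

class NameSectionParser {
public:
    NameSectionParser(const uint8_t* data, std::size_t size) : m_data(data), m_size(size) { }

    // False only for malformed input: truncation, an over-long LEB128, or a subsection
    // whose contents overrun its declared size.
    bool parse(NameSection& out)
    {
        while (m_offset < m_size) {
            uint8_t id;
            uint32_t payloadSize;
            if (!readU8(id) || !readVarU32(payloadSize))
                return false;
            if (payloadSize > m_size - m_offset)
                return false; // declared payload runs past the end of the section
            std::size_t payloadEnd = m_offset + payloadSize;
            if (id == ModuleName) {
                if (!readName(out.moduleName))
                    return false;
            } else
                out.skippedSubsections.push_back(id);
            if (m_offset > payloadEnd)
                return false; // contents overran the declared size
            m_offset = payloadEnd; // skip whatever we did not consume
        }
        return true;
    }

private:
    bool readU8(uint8_t& value)
    {
        if (m_offset >= m_size)
            return false;
        value = m_data[m_offset++];
        return true;
    }

    // Unsigned LEB128 limited to 32 bits: at most five bytes, and the fifth may only
    // carry four significant bits.
    bool readVarU32(uint32_t& value)
    {
        value = 0;
        for (unsigned shift = 0; shift < 35; shift += 7) {
            uint8_t byte;
            if (!readU8(byte) || (shift == 28 && (byte & 0x70)))
                return false;
            value |= static_cast<uint32_t>(byte & 0x7f) << shift;
            if (!(byte & 0x80))
                return true;
        }
        return false;
    }

    bool readName(std::string& name)
    {
        uint32_t length;
        if (!readVarU32(length) || length > m_size - m_offset)
            return false;
        name.assign(reinterpret_cast<const char*>(m_data + m_offset), length);
        m_offset += length;
        return true;
    }

    const uint8_t* m_data;
    std::size_t m_size;
    std::size_t m_offset { 0 };
};

// Constructed sample (not emitted by a real toolchain): module name "hello", an unknown
// subsection with id 7 and three payload bytes, then a function-names subsection.
static const uint8_t kSampleNameSection[] = {
    0x00, 0x06, 0x05, 'h', 'e', 'l', 'l', 'o',
    0x07, 0x03, 0xAA, 0xBB, 0xCC,
    0x01, 0x04, 0x01, 0x02, 0x01, 'f',
};

static bool parseSample(std::size_t size, NameSection& out)
{
    NameSectionParser parser(kSampleNameSection, size);
    return parser.parse(out);
}

std::string sampleModuleName()
{
    NameSection section;
    return parseSample(sizeof kSampleNameSection, section) ? section.moduleName : std::string();
}

std::size_t sampleSkippedSubsectionCount()
{
    NameSection section;
    return parseSample(sizeof kSampleNameSection, section) ? section.skippedSubsections.size() : 0;
}

// The same bytes cut off inside the first subsection must be rejected, not read past.
bool truncatedSampleRejected()
{
    NameSection section;
    return !parseSample(4, section);
}
```

Two checks carry the security weight here: the declared payload size is compared against the bytes actually remaining before the offset moves, so a hostile size cannot push the cursor past the buffer, and the LEB128 reader refuses a fifth byte with more than four significant bits, so a length can never wrap a 32-bit value. Skipping is done by jumping to the declared end of the subsection, which is also what makes an unknown id harmless.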
2739
2740 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
2741
2742         Cleanup some StringBuilder use
2743         https://bugs.webkit.org/show_bug.cgi?id=174118
2744
2745         Reviewed by Andreas Kling.
2746
2747         * runtime/FunctionConstructor.cpp:
2748         (JSC::constructFunctionSkippingEvalEnabledCheck):
2749         * tools/FunctionOverrides.cpp:
2750         (JSC::parseClause):
2751         * wasm/WasmOMGPlan.cpp:
2752         * wasm/WasmPlan.cpp:
2753         * wasm/WasmValidate.cpp:
2754
2755 2017-07-03  Saam Barati  <sbarati@apple.com>
2756
2757         LayoutTest workers/bomb.html is a Crash
2758         https://bugs.webkit.org/show_bug.cgi?id=167757
2759         <rdar://problem/33086462>
2760
2761         Reviewed by Keith Miller.
2762
2763         VMTraps::SignalSender was accessing VM fields even after
2764         the VM was destroyed. This happened when the SignalSender
2765         thread was in the middle of its work() function while VMTraps
2766         was notified that the VM was shutting down. The VM would proceed
2767         to run its destructor even after the SignalSender thread finished
2768         doing its work. This means that the SignalSender thread was accessing
2769         VM fields even after the VM was destructed (including itself, since it is
2770         transitively owned by the VM). The VM must wait for the SignalSender
2771         thread to shutdown before it can continue to destruct itself.
2772
2773         * runtime/VMTraps.cpp:
2774         (JSC::VMTraps::willDestroyVM):
2775
2776 2017-07-03  Saam Barati  <sbarati@apple.com>
2777
2778         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
2779         https://bugs.webkit.org/show_bug.cgi?id=174110
2780
2781         Reviewed by Michael Saboff.
2782
2783         * dfg/DFGByteCodeParser.cpp:
2784         (JSC::DFG::ByteCodeParser::parseBlock):
2785
2786 2017-07-03  Saam Barati  <sbarati@apple.com>
2787
2788         Add a new assertion to object allocation sinking phase
2789         https://bugs.webkit.org/show_bug.cgi?id=174107
2790
2791         Rubber stamped by Filip Pizlo.
2792
2793         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2794
2795 2017-07-03  Commit Queue  <commit-queue@webkit.org>
2796
2797         Unreviewed, rolling out r219060.
2798         https://bugs.webkit.org/show_bug.cgi?id=174108
2799
2800         crashing constantly when initializing UIWebView (Requested by
2801         thorton on #webkit).
2802
2803         Reverted changeset:
2804
2805         "WTF::Thread should have the threads stack bounds."
2806         https://bugs.webkit.org/show_bug.cgi?id=173975
2807         http://trac.webkit.org/changeset/219060
2808
2809 2017-07-03  Matt Lewis  <jlewis3@apple.com>
2810
2811         Unreviewed, rolling out r219103.
2812
2813         Caused multiple build failures.
2814
2815         Reverted changeset:
2816
2817         "Remove copy of ICU headers from WebKit"
2818         https://bugs.webkit.org/show_bug.cgi?id=116407
2819         http://trac.webkit.org/changeset/219103
2820
2821 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2822
2823         Remove copy of ICU headers from WebKit
2824         https://bugs.webkit.org/show_bug.cgi?id=116407
2825
2826         Reviewed by Alex Christensen.
2827
2828         Use WTF's copy of ICU headers.
2829
2830         * Configurations/Base.xcconfig:
2831         * icu/unicode/localpointer.h: Removed.
2832         * icu/unicode/parseerr.h: Removed.
2833         * icu/unicode/platform.h: Removed.
2834         * icu/unicode/ptypes.h: Removed.
2835         * icu/unicode/putil.h: Removed.
2836         * icu/unicode/uchar.h: Removed.
2837         * icu/unicode/ucnv.h: Removed.
2838         * icu/unicode/ucnv_err.h: Removed.
2839         * icu/unicode/ucol.h: Removed.
2840         * icu/unicode/uconfig.h: Removed.
2841         * icu/unicode/ucurr.h: Removed.
2842         * icu/unicode/uenum.h: Removed.
2843         * icu/unicode/uiter.h: Removed.
2844         * icu/unicode/uloc.h: Removed.
2845         * icu/unicode/umachine.h: Removed.
2846         * icu/unicode/unorm.h: Removed.
2847         * icu/unicode/unorm2.h: Removed.
2848         * icu/unicode/urename.h: Removed.
2849         * icu/unicode/uscript.h: Removed.
2850         * icu/unicode/uset.h: Removed.
2851         * icu/unicode/ustring.h: Removed.
2852         * icu/unicode/utf.h: Removed.
2853         * icu/unicode/utf16.h: Removed.
2854         * icu/unicode/utf8.h: Removed.
2855         * icu/unicode/utf_old.h: Removed.
2856         * icu/unicode/utypes.h: Removed.
2857         * icu/unicode/uvernum.h: Removed.
2858         * icu/unicode/uversion.h: Removed.
2859         * runtime/IntlCollator.cpp:
2860         * runtime/IntlDateTimeFormat.cpp:
2861         * runtime/JSGlobalObject.cpp:
2862         * runtime/StringPrototype.cpp:
2863
2864 2017-07-03  Saam Barati  <sbarati@apple.com>
2865
2866         Add better crash logging for allocation sinking phase
2867         https://bugs.webkit.org/show_bug.cgi?id=174102
2868         <rdar://problem/33112092>
2869
2870         Rubber stamped by Filip Pizlo.
2871
2872         I'm trying to gather better information from crashlogs about why
2873         we're crashing in the allocation sinking phase. I'm adding an allocation
2874         sinking specific RELEASE_ASSERT as well as marking a few functions as
2875         NEVER_INLINE to have the stack traces in the crash trace contain more
2876         actionable information.
2877
2878         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2879
2880 2017-07-03  Sam Weinig  <sam@webkit.org>
2881
2882         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
2883         https://bugs.webkit.org/show_bug.cgi?id=174083
2884
2885         Reviewed by Alex Christensen.
2886
2887         * Configurations/FeatureDefines.xcconfig:
2888         Add ENABLE_NAVIGATOR_STANDALONE.
2889
2890 2017-07-03  Andy Estes  <aestes@apple.com>
2891
2892         [Xcode] Add an experimental setting to build with ccache
2893         https://bugs.webkit.org/show_bug.cgi?id=173875
2894
2895         Reviewed by Tim Horton.
2896
2897         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
2898
2899 2017-07-03  Devin Rousso  <drousso@apple.com>
2900
2901         Web Inspector: Support listing WebGL2 and WebGPU contexts
2902         https://bugs.webkit.org/show_bug.cgi?id=173396
2903
2904         Reviewed by Joseph Pecoraro.
2905
2906         * inspector/protocol/Canvas.json:
2907         * inspector/scripts/codegen/generator.py:
2908         (Generator.stylized_name_for_enum_value):
2909         Add cases for handling new Canvas.ContextType protocol enumerations:
2910          - "webgl2" maps to `WebGL2`
2911          - "webgpu" maps to `WebGPU`
2912
2913 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2914
2915         WTF::Thread should have the threads stack bounds.
2916         https://bugs.webkit.org/show_bug.cgi?id=173975
2917
2918         Reviewed by Mark Lam.
2919
2920         There is a site in JSC that tries to walk another thread's stack.
2921         Currently, stack bounds are stored in WTFThreadData which is located
2922         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2923         We work around this situation by holding StackBounds in MachineThread in JSC,
2924         but StackBounds should be put in WTF::Thread instead.
2925
2926         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2927         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2928         is the natural choice.
2929
2930         * heap/MachineStackMarker.cpp:
2931         (JSC::MachineThreads::MachineThread::MachineThread):
2932         (JSC::MachineThreads::MachineThread::captureStack):
2933         * heap/MachineStackMarker.h:
2934         (JSC::MachineThreads::MachineThread::stackBase):
2935         (JSC::MachineThreads::MachineThread::stackEnd):
2936         * runtime/InitializeThreading.cpp:
2937         (JSC::initializeThreading):
2938         * runtime/VM.cpp:
2939         (JSC::VM::VM):
2940         (JSC::VM::updateStackLimits):
2941         (JSC::VM::committedStackByteCount):
2942         * runtime/VM.h:
2943         (JSC::VM::isSafeToRecurse):
2944         * runtime/VMEntryScope.cpp:
2945         (JSC::VMEntryScope::VMEntryScope):
2946         * runtime/VMInlines.h:
2947         (JSC::VM::ensureStackCapacityFor):
2948         * runtime/VMTraps.cpp:
2949         * yarr/YarrPattern.cpp:
2950         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2951
2952 2017-07-01  Dan Bernstein  <mitz@apple.com>
2953
2954         [iOS] Remove code only needed when building for iOS 9.x
2955         https://bugs.webkit.org/show_bug.cgi?id=174068
2956
2957         Reviewed by Tim Horton.
2958
2959         * Configurations/FeatureDefines.xcconfig:
2960         * jit/ExecutableAllocator.cpp:
2961         * runtime/Options.cpp:
2962         (JSC::recomputeDependentOptions):
2963
2964 2017-07-01  Dan Bernstein  <mitz@apple.com>
2965
2966         [macOS] Remove code only needed when building for OS X Yosemite
2967         https://bugs.webkit.org/show_bug.cgi?id=174067
2968
2969         Reviewed by Tim Horton.
2970
2971         * API/WebKitAvailability.h:
2972         * Configurations/Base.xcconfig:
2973         * Configurations/DebugRelease.xcconfig:
2974         * Configurations/FeatureDefines.xcconfig:
2975         * Configurations/Version.xcconfig:
2976
2977 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2978
2979         Unreviewed, build fix for GCC
2980         https://bugs.webkit.org/show_bug.cgi?id=174034
2981
2982         * b3/testb3.cpp:
2983         (JSC::B3::testDoubleLiteralComparison):
2984
2985 2017-06-30  Keith Miller  <keith_miller@apple.com>
2986
2987         Force crashWithInfo to be out of line.
2988         https://bugs.webkit.org/show_bug.cgi?id=174028
2989
2990         Reviewed by Filip Pizlo.
2991
2992         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
2993
2994         * dfg/DFGGraph.cpp:
2995         (JSC::DFG::logDFGAssertionFailure):
2996         (JSC::DFG::Graph::logAssertionFailure):
2997         (JSC::DFG::crash): Deleted.
2998         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
2999         * dfg/DFGGraph.h:
3000
3001 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3002
3003         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
3004         https://bugs.webkit.org/show_bug.cgi?id=174053
3005
3006         Reviewed by Geoffrey Garen.
3007
3008         We already have AbstractMacroAssembler::random() function. Use it instead.
3009
3010         * jit/JIT.cpp:
3011         (JSC::JIT::JIT):
3012         (JSC::JIT::compileWithoutLinking):
3013         * jit/JIT.h:
3014
3015 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3016
3017         [WTF] Drop SymbolRegistry::keyForSymbol
3018         https://bugs.webkit.org/show_bug.cgi?id=174052
3019
3020         Reviewed by Sam Weinig.
3021
3022         * runtime/SymbolConstructor.cpp:
3023         (JSC::symbolConstructorKeyFor):
3024
3025 2017-06-30  Saam Barati  <sbarati@apple.com>
3026
3027         B3ReduceStrength should reduce EqualOrUnordered over const float input
3028         https://bugs.webkit.org/show_bug.cgi?id=174039
3029
3030         Reviewed by Michael Saboff.
3031
3032         We perform this folding for ConstDoubleValue. It is simply
3033         an oversight that we didn't do it for ConstFloatValue.
3034
3035         * b3/B3ConstFloatValue.cpp:
3036         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
3037         * b3/B3ConstFloatValue.h:
3038         * b3/testb3.cpp:
3039         (JSC::B3::testFloatEqualOrUnorderedFolding):
3040         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3041         (JSC::B3::testFloatEqualOrUnorderedDontFold):
3042         (JSC::B3::run):
3043
3044 2017-06-30  Matt Baker  <mattbaker@apple.com>
3045
3046         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
3047         https://bugs.webkit.org/show_bug.cgi?id=173840
3048         <rdar://problem/30840820>
3049
3050         Reviewed by Joseph Pecoraro.
3051
3052         When truncating an asynchronous stack trace, the parent chain is traversed
3053         until a locked node is found. The path from this node to the root is shared
3054         by more than one stack trace, and cannot be safely modified. Starting at
3055         the first locked node, the path is cloned and becomes a new stack trace tree.
3056
3057         However, the clone operation initialized each new AsyncStackTrace node with
3058         the original node's parent. This would increment the child count of the original
3059         node. When cloning nodes, new nodes should not have their parent set until the
3060         next node up the parent chain is cloned.
3061
3062         * inspector/AsyncStackTrace.cpp:
3063         (Inspector::AsyncStackTrace::truncate):
3064
3065 2017-06-30  Michael Saboff  <msaboff@apple.com>
3066
3067         RegExps anchored with .* with \g flag can return the wrong match start for strings with multiple matches
3068         https://bugs.webkit.org/show_bug.cgi?id=174044
3069
3070         Reviewed by Oliver Hunt.
3071
3072         The .* enclosure optimization didn't respect that we can start matching from a non-zero
3073         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
3074         then finding the extent of the match by going back to the beginning of the line and going
3075         forward to the end of the line.  The code that went back to the beginning of the line
3076         checked for an index of 0 instead of comparing the index to the start position.  This start
3077         position is passed as the initial index.
3078
3079         Added another temporary register to the YARR JIT to contain the start position for
3080         platforms that have spare registers.
3081
3082         * yarr/Yarr.h:
3083         * yarr/YarrInterpreter.cpp:
3084         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3085         (JSC::Yarr::Interpreter::Interpreter):
3086         * yarr/YarrJIT.cpp:
3087         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3088         (JSC::Yarr::YarrGenerator::compile):
3089         * yarr/YarrPattern.cpp:
3090         (JSC::Yarr::YarrPattern::YarrPattern):
3091         * yarr/YarrPattern.h:
3092         (JSC::Yarr::YarrPattern::reset):
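
        The .* enclosure path described above, as an added example that is not Yarr's code:
        a model of /.*<term>.*/ matching for a literal term without the multiline flag. It
        finds the term at or after the start position, then widens the match to the
        enclosing line. The respectStart flag is this example's own: false walks back
        until index 0 or a line terminator (the pre-fix check), true never walks back past
        the start position. The subject strings and the lastIndex value are constructed.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

struct Match {
    bool matched;
    size_t start; // index of the first matched character
    size_t end;   // one past the last matched character
};

// Without the multiline flag, '.' does not match a line terminator.
static bool isLineTerminator(char c)
{
    return c == '\n' || c == '\r';
}

// Model of the ".* enclosure" fast path for /.*<term>.*/ : find <term> at or after
// `start`, then widen the match backwards and forwards to the enclosing line.
// respectStart == false reproduces the pre-fix behaviour (walk back until index 0 or a
// line terminator); respectStart == true never walks back past the start position.
static Match matchDotStarEnclosure(const std::string& subject, const std::string& term,
                                   size_t start, bool respectStart)
{
    size_t termPos = subject.find(term, start);
    if (termPos == std::string::npos)
        return { false, 0, 0 };

    // Leftmost legal match start: the start position (fixed) or index 0 (buggy),
    // unless a line terminator is hit first.
    size_t lowerBound = respectStart ? start : 0;
    size_t matchStart = termPos;
    while (matchStart > lowerBound && !isLineTerminator(subject[matchStart - 1]))
        --matchStart;

    // The trailing .* runs to the end of the line or the end of the subject.
    size_t matchEnd = termPos + term.size();
    while (matchEnd < subject.size() && !isLineTerminator(subject[matchEnd]))
        ++matchEnd;

    return { true, matchStart, matchEnd };
}

int main()
{
    // Constructed input: /.*b.*/g with lastIndex set to 2 on "aabaa".
    Match fixed = matchDotStarEnclosure("aabaa", "b", 2, true);
    Match buggy = matchDotStarEnclosure("aabaa", "b", 2, false);
    std::printf("fixed start=%zu end=%zu, buggy start=%zu end=%zu\n",
                fixed.start, fixed.end, buggy.start, buggy.end); // fixed 2..5, buggy 0..5
    return 0;
}
```

        With the start position at 2, the fixed walk-back stops at 2 and reports "baa";
        the pre-fix walk-back runs to index 0 and reports "aabaa", a match that begins
        before the position the caller asked to match from.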
3093
3094 2017-06-30  Saam Barati  <sbarati@apple.com>
3095
3096         B3MoveConstants floatZero() returns the wrong ValueKey
3097         https://bugs.webkit.org/show_bug.cgi?id=174040
3098
3099         Reviewed by Filip Pizlo.
3100
3101         It had a typo where the ValueKey for floatZero() produces a Double
3102         instead of a Float.
3103
3104         * b3/B3MoveConstants.cpp:
3105
3106 2017-06-30  Saam Barati  <sbarati@apple.com>
3107
3108         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
3109         https://bugs.webkit.org/show_bug.cgi?id=174034
3110         <rdar://problem/30793007>
3111
3112         Reviewed by Filip Pizlo.
3113
3114         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
3115         reduce binary operations over double constants into the same binary
3116         operation over the double constants cast to floats. This is clearly
3117         incorrect as these two things will produce different values. For example:
3118         
3119         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
3120         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
3121         c = EqualOrUnordered(@a, @b) // produces 0
3122         
3123         into:
3124         
3125         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
3126         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
3127         c = EqualOrUnordered(@a, @b) // produces 1
3128         
3129         Which produces a different value for @c.
3130
3131         * b3/B3ReduceDoubleToFloat.cpp:
3132         * b3/testb3.cpp:
3133         (JSC::B3::doubleEq):
3134         (JSC::B3::doubleNeq):
3135         (JSC::B3::doubleGt):
3136         (JSC::B3::doubleGte):
3137         (JSC::B3::doubleLt):
3138         (JSC::B3::doubleLte):
3139         (JSC::B3::testDoubleLiteralComparison):
3140         (JSC::B3::run):
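
        The miscompile above carried through as an added example (not JSC's code, written
        for this entry): EqualOrUnordered evaluated on the two double constants from the
        entry, the same comparison after the unsound narrowing to float, and the
        double -> float -> double round-trip check that a reduction would need before it
        may narrow a double constant at all. The function names and the guarded variant
        are this example's own.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret raw IEEE-754 bits as a double (what the ChangeLog writes as bitwise_cast<double>).
static double doubleFromBits(uint64_t bits)
{
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// B3's EqualOrUnordered semantics: true when a == b or when either operand is NaN.
static bool equalOrUnordered(double a, double b)
{
    return std::isnan(a) || std::isnan(b) || a == b;
}

static bool equalOrUnorderedFloat(float a, float b)
{
    return std::isnan(a) || std::isnan(b) || a == b;
}

// The unsound reduction: narrow both double constants to float and compare at float precision.
static bool reducedEqualOrUnordered(double a, double b)
{
    return equalOrUnorderedFloat(static_cast<float>(a), static_cast<float>(b));
}

// A double constant may be narrowed to float only if the double -> float -> double
// round trip reproduces it exactly (NaN is allowed: it stays unordered either way).
static bool isExactlyRepresentableAsFloat(double d)
{
    if (std::isnan(d))
        return true;
    return static_cast<double>(static_cast<float>(d)) == d;
}

// Guarded reduction: narrow only when both constants survive the round trip,
// otherwise keep the comparison at double precision.
static bool safelyReducedEqualOrUnordered(double a, double b)
{
    if (isExactlyRepresentableAsFloat(a) && isExactlyRepresentableAsFloat(b))
        return reducedEqualOrUnordered(a, b);
    return equalOrUnordered(a, b);
}

// The two constants from the ChangeLog: the smallest negative subnormal double, and +0.0.
// Narrowing the subnormal to float underflows to -0.0f, which compares equal to 0.0f.
static double tinyNegative() { return doubleFromBits(0x8000000000000001ull); }
static double positiveZero() { return doubleFromBits(0x0000000000000000ull); }

int main()
{
    double a = tinyNegative();
    double b = positiveZero();
    std::printf("double:  EqualOrUnordered = %d\n", equalOrUnordered(a, b));              // 0
    std::printf("float:   EqualOrUnordered = %d\n", reducedEqualOrUnordered(a, b));       // 1
    std::printf("guarded: EqualOrUnordered = %d\n", safelyReducedEqualOrUnordered(a, b)); // 0
    return 0;
}
```

        The round-trip test is the general condition: a double constant whose float
        narrowing does not reproduce it (a subnormal, or an ordinary value such as 0.1)
        cannot be pushed through a float comparison without changing the result.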
3141
3142 2017-06-29  Jer Noble  <jer.noble@apple.com>
3143
3144         Make Legacy EME API controlled by RuntimeEnabled setting.
3145         https://bugs.webkit.org/show_bug.cgi?id=173994
3146
3147         Reviewed by Sam Weinig.
3148
3149         * Configurations/FeatureDefines.xcconfig:
3150         * runtime/CommonIdentifiers.h:
3151
3152 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
3153
3154         Ran sort-Xcode-project-file.
3155
3156         * JavaScriptCore.xcodeproj/project.pbxproj:
3157
3158 2017-06-30  Matt Lewis  <jlewis3@apple.com>
3159
3160         Unreviewed, rolling out r218992.
3161
3162         The patch broke the iOS device builds.
3163
3164         Reverted changeset:
3165
3166         "DFG_ASSERT should allow stuffing registers before trapping."
3167         https://bugs.webkit.org/show_bug.cgi?id=174005
3168         http://trac.webkit.org/changeset/218992
3169
3170 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
3171
3172         RegExpCachedResult::setInput should reify left and right contexts
3173         https://bugs.webkit.org/show_bug.cgi?id=173818
3174
3175         Reviewed by Keith Miller.
3176         
3177         If you don't reify them in setInput, then when you later try to reify them, you'll end up
3178         using indices into an old input string to create a substring of a new input string. That
3179         never goes well.
3180
3181         * runtime/RegExpCachedResult.cpp:
3182         (JSC::RegExpCachedResult::setInput):
3183
3184 2017-06-30  Keith Miller  <keith_miller@apple.com>
3185
3186         DFG_ASSERT should allow stuffing registers before trapping.
3187         https://bugs.webkit.org/show_bug.cgi?id=174005
3188
3189         Reviewed by Mark Lam.
3190
3191         DFG_ASSERT currently prints error data to stderr before crashing,
3192         which is nice for local development. In the wild, however, we
3193         can't see this information in crash logs. This patch enables
3194         stuffing some of the most useful information from DFG_ASSERTS into
3195         up to five registers right before crashing. The values stuffed
3196         should not impact any logging during local development.
3197
3198         * assembler/AbortReason.h:
3199         * dfg/DFGAbstractInterpreterInlines.h:
3200         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3201         * dfg/DFGGraph.cpp:
3202         (JSC::DFG::logForCrash):
3203         (JSC::DFG::Graph::logAssertionFailure):
3204         (JSC::DFG::crash): Deleted.
3205         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3206         * dfg/DFGGraph.h:
3207
3208 2017-06-29  Saam Barati  <sbarati@apple.com>
3209
3210         Calculating postCapacity in unshiftCountSlowCase is wrong
3211         https://bugs.webkit.org/show_bug.cgi?id=173992
3212         <rdar://problem/32283199>
3213
3214         Reviewed by Keith Miller.
3215
3216         This patch fixes a bug inside unshiftCountSlowCase where we would use
3217         more memory than we allocated. The bug was when deciding how much extra
3218         space we have after the vector we've allocated. This area is called the
3219         postCapacity. The largest legal postCapacity value we could use is the
3220         space we allocated minus the space we need:
3221         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
3222         However, the code was calculating the postCapacity as:
3223         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
3224         
3225         where count is how many elements we're appending. Depending on the inputs,
3226         count could be larger than (newStorageCapacity - requiredVectorLength). This
3227         would cause us to use more memory than we actually allocated.
3228
3229         * runtime/JSArray.cpp:
3230         (JSC::JSArray::unshiftCountSlowCase):
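
        The postCapacity calculation above as an added example (a model, not JSC's
        JSArray code): the pre-fix max() formula quoted in the entry beside the largest
        legal value, an invariant check that the vector plus its post capacity fits the
        allocation, and a simulated storage with a canary region after the allocated
        slots so the overrun is visible. The struct, function names, and the element
        counts are constructed for this example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Element counts for one unshift: the allocation that was made, the vector length the
// array must end up with (old elements plus `count` new ones), and `count` itself.
struct UnshiftLayout {
    size_t newStorageCapacity;
    size_t requiredVectorLength;
    size_t count;
};

// Pre-fix formula quoted in the ChangeLog: when count exceeds the slack after the
// vector, the post capacity claims slots that were never allocated.
static size_t buggyPostCapacity(const UnshiftLayout& l)
{
    return std::max(l.newStorageCapacity - l.requiredVectorLength, l.count);
}

// The largest legal post capacity: allocated minus required.
static size_t largestPossiblePostCapacity(const UnshiftLayout& l)
{
    return l.newStorageCapacity - l.requiredVectorLength;
}

// Invariant to check before treating any slot as usable.
static bool fitsInAllocation(const UnshiftLayout& l, size_t postCapacity)
{
    return l.requiredVectorLength + postCapacity <= l.newStorageCapacity;
}

// Simulate the storage as exactly newStorageCapacity slots followed by a canary region.
// Fill every slot the array believes it owns and report whether the canary survived;
// a dead canary is the out-of-bounds write the ChangeLog describes. The guard on
// storage.size() keeps the simulation itself well-defined.
static bool canaryIntactAfterFill(const UnshiftLayout& l, size_t postCapacity)
{
    const size_t kCanarySlots = 64;
    const uint32_t kCanary = 0xDEADBEEFu;
    std::vector<uint32_t> storage(l.newStorageCapacity + kCanarySlots, kCanary);

    size_t slotsClaimed = l.requiredVectorLength + postCapacity;
    for (size_t i = 0; i < slotsClaimed && i < storage.size(); ++i)
        storage[i] = 0;

    for (size_t i = l.newStorageCapacity; i < storage.size(); ++i) {
        if (storage[i] != kCanary)
            return false;
    }
    return true;
}

int main()
{
    UnshiftLayout l{16, 12, 8}; // constructed: 16 slots allocated, 12 needed, 8 being unshifted
    std::printf("buggy postCapacity=%zu canary intact=%d\n",
                buggyPostCapacity(l), canaryIntactAfterFill(l, buggyPostCapacity(l))); // 8, 0
    std::printf("fixed postCapacity=%zu canary intact=%d\n",
                largestPossiblePostCapacity(l),
                canaryIntactAfterFill(l, largestPossiblePostCapacity(l))); // 4, 1
    return 0;
}
```

        With count smaller than the slack the two formulas agree, which is why the bug
        depends on the inputs; once count exceeds newStorageCapacity - requiredVectorLength
        the max() picks count and the array writes past its allocation.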
3231
3232 2017-06-29  Commit Queue  <commit-queue@webkit.org>
3233
3234         Unreviewed, rolling out r218512.
3235         https://bugs.webkit.org/show_bug.cgi?id=173981
3236
3237         "It changes the behavior of the JS API's JSEvaluateScript
3238         which breaks TurboTax" (Requested by saamyjoon on #webkit).
3239
3240         Reverted changeset:
3241
3242         "test262: Completion values for control flow do not match the
3243         spec"
3244         https://bugs.webkit.org/show_bug.cgi?id=171265
3245         http://trac.webkit.org/changeset/218512
3246
3247 2017-06-29  JF Bastien  <jfbastien@apple.com>
3248
3249         WebAssembly: disable some APIs under CSP
3250         https://bugs.webkit.org/show_bug.cgi?id=173892
3251         <rdar://problem/32914613>
3252
3253         Reviewed by Daniel Bates.
3254
3255         We should disable parts of WebAssembly under Content Security
3256         Policy as discussed here:
3257
3258         https://github.com/WebAssembly/design/issues/1092
3259
3260         Exactly what should be disabled isn't super clear, so we may as
3261         well be conservative and disable many things if developers already
3262         opted into CSP. It's easy to loosen what we disable later.
3263
3264         This patch disables:
3265         - WebAssembly.Instance
3266         - WebAssembly.instantiate
3267         - WebAssembly.Memory
3268         - WebAssembly.Table
3269
3270         And leaves:
3271         - WebAssembly on the global object
3272         - WebAssembly.Module
3273         - WebAssembly.compile
3274         - WebAssembly.CompileError
3275         - WebAssembly.LinkError
3276
3277         Nothing because currently unimplemented:
3278         - WebAssembly.compileStreaming
3279         - WebAssembly.instantiateStreaming
3280
3281         That way it won't be possible to call WebAssembly-compiled code,
3282         or create memories (which use fancy 4GiB allocations
3283         sometimes). Table isn't really useful on its own, and eventually
3284         we may make them shareable so without more details it seems benign
3285         to disable them (and useless if we don't).
3286
3287         I haven't done anything with postMessage, so you can still
3288         postMessage a WebAssembly.Module cross-CSP, but you can't
3289         instantiate it so it's useless. Because of this I elected to leave
3290         WebAssembly.Module and friends available.
3291
3292         I haven't added any new directives. It's still unsafe-eval. We can
3293         add something else later, but it seems odd to add WebAssembly as
3294         a new capability and tell developers "you should have been using
3295         this directive which we just implemented if you wanted to disable
3296         WebAssembly which didn't exist when you adopted CSP". So IMO we
3297         should keep unsafe-eval as it currently is, add WebAssembly to
3298         what it disables, and later consider having two new directives
3299         which do each individually or something.
3300
3301         In all cases I throw an EvalError *before* other WebAssembly
3302         errors would be produced.
3303
3304         Note that, as for eval, reporting doesn't work and is tracked by
3305         https://webkit.org/b/111869
3306
3307         * runtime/JSGlobalObject.cpp:
3308         (JSC::JSGlobalObject::JSGlobalObject):
3309         * runtime/JSGlobalObject.h:
3310         (JSC::JSGlobalObject::webAssemblyEnabled):
3311         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
3312         (JSC::JSGlobalObject::setWebAssemblyEnabled):
3313         * wasm/js/JSWebAssemblyInstance.cpp:
3314         (JSC::JSWebAssemblyInstance::create):
3315         * wasm/js/JSWebAssemblyMemory.cpp:
3316         (JSC::JSWebAssemblyMemory::create):
3317         * wasm/js/JSWebAssemblyMemory.h:
3318         * wasm/js/JSWebAssemblyTable.cpp:
3319         (JSC::JSWebAssemblyTable::create):
3320         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3321         (JSC::constructJSWebAssemblyMemory):
3322
3323 2017-06-28  Keith Miller  <keith_miller@apple.com>
3324
3325         VMTraps has some races
3326         https://bugs.webkit.org/show_bug.cgi?id=173941
3327
3328         Reviewed by Michael Saboff.
3329
3330         This patch refactors much of the VMTraps API.
3331
3332         On the message sending side:
3333
3334         1) No longer uses the Yarr JIT check to determine if we are in
3335         RegExp code. That was unsound because RegExp JIT code can be run
3336         on compilation threads.  Instead it looks at the current frame's
3337         code block slot and checks if it is valid, which is the same as
3338         what it did for JIT code previously.
3339
3340         2) Only have one signal sender thread; previously, there could be
3341         many at once, which caused some data races. Additionally, the
3342         signal sender thread is an automatic thread so it will deallocate
3343         itself when not in use.
3344
3345         On the VMTraps breakpoint side:
3346
3347         1) We now have a true mapping of whether we hit a breakpoint instead of
3348         a JIT assertion. So the exception handler won't eat JIT assertions
3349         anymore.
3350
3351         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
3352         them instead of every CodeBlock on the stack. This both prevents
3353         us from hitting stale VMTraps breakpoints and also doesn't OSR
3354         codeblocks that otherwise don't need to be jettisoned.
3355
3356         3) The old exception handler could theoretically fail for a couple
3357         of reasons then resume execution with a clobbered instruction
3358         set. This patch will kill the program if the exception handler
3359         would fail.
3360
3361         This patch also refactors some of the jsc.cpp functions to take the
3362         CommandLine options object instead of individual options. Also, there
3363         is a new command line option that makes exceptions due to watchdog
3364         timeouts an acceptable result.
3365
3366         * API/tests/testapi.c:
3367         (main):
3368         * bytecode/CodeBlock.cpp:
3369         (JSC::CodeBlock::installVMTrapBreakpoints):
3370         * dfg/DFGCommonData.cpp:
3371         (JSC::DFG::pcCodeBlockMap):
3372         (JSC::DFG::CommonData::invalidate):
3373         (JSC::DFG::CommonData::~CommonData):
3374         (JSC::DFG::CommonData::installVMTrapBreakpoints):
3375         (JSC::DFG::codeBlockForVMTrapPC):
3376         * dfg/DFGCommonData.h:
3377         * jsc.cpp:
3378         (functionDollarAgentStart):
3379         (checkUncaughtException):
3380         (checkException):
3381         (runWithOptions):
3382         (printUsageStatement):
3383         (CommandLine::parseArguments):
3384         (jscmain):
3385         (runWithScripts): Deleted.
3386         * runtime/JSLock.cpp:
3387         (JSC::JSLock::didAcquireLock):
3388         * runtime/VMTraps.cpp:
3389         (JSC::sanitizedTopCallFrame):
3390         (JSC::VMTraps::tryInstallTrapBreakpoints):
3391         (JSC::VMTraps::willDestroyVM):
3392         (JSC::VMTraps::fireTrap):
3393         (JSC::VMTraps::handleTraps):
3394         (JSC::VMTraps::VMTraps):
3395         (JSC::VMTraps::~VMTraps):
3396         (JSC::findActiveVMAndStackBounds): Deleted.
3397         (JSC::installSignalHandler): Deleted.
3398         (JSC::VMTraps::addSignalSender): Deleted.
3399         (JSC::VMTraps::removeSignalSender): Deleted.
3400         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
3401         (JSC::VMTraps::SignalSender::send): Deleted.
3402         * runtime/VMTraps.h:
3403         (JSC::VMTraps::~VMTraps): Deleted.
3404         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
3405
3406 2017-06-28  Devin Rousso  <drousso@apple.com>