1f6f514c6c02cae2976d94bb27026b9efdbdab61
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-12  Filip Pizlo  <fpizlo@apple.com>

        Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174921

        Reviewed by Mark Lam.

        Uses CagedUniquePtr<> to cage the ScopeOffset array.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/ScopedArgumentsTable.cpp:
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::setLength):
        * runtime/ScopedArgumentsTable.h:

2017-08-14  Mark Lam  <mark.lam@apple.com>

        Gardening: fix Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=175446

        Not reviewed.

        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::booleanTrueForAvoidingNoReturnDeclaration):
        (JSC::ctiMasmProbeTrampoline):

2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
        https://bugs.webkit.org/show_bug.cgi?id=175512
        <rdar://problem/33863584>

        Reviewed by Mark Lam.

        * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
        * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.

2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>

        ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
        https://bugs.webkit.org/show_bug.cgi?id=175513

        Reviewed by Mark Lam.

        * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.

2017-08-12  Filip Pizlo  <fpizlo@apple.com>

        FTL's compileGetTypedArrayByteOffset needs to do caging
        https://bugs.webkit.org/show_bug.cgi?id=175366

        Reviewed by Saam Barati.

        While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
        fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
        * runtime/ArrayBuffer.h:
        * runtime/ArrayBufferView.h:
        * runtime/JSArrayBufferView.h:

2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>

        Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
        https://bugs.webkit.org/show_bug.cgi?id=175474
        <rdar://problem/33844628>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/CommonIdentifiers.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        Caging shouldn't have to use a patchpoint for adding
        https://bugs.webkit.org/show_bug.cgi?id=175483

        Reviewed by Mark Lam.

        Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
        constants and associative operations dictate that you always want to sink constants. For example,
        Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
        typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
        we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
        sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
        reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
        constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
        It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
        hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
        our current constant reassociation heuristics are wrong is caging. So, we can get away with some
        hacks for just stopping B3's reassociation only in this specific case.

        Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
        OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
        the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
        that if we cage the same pointer in two places, both places will compute the same value.

        This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
        if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
        they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
        that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
        up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
        enough scale to warrant new opcodes.)

        This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
        makes the code a bit less ugly.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects const):
        (JSC::B3::Value::key const):
        (JSC::B3::Value::isFree const):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize const):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::opaque):
        * ftl/FTLOutput.h:

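The reassociation problem and the Opaque workaround described in the entry above, as an added example that is not WebKit code: a toy IR with a constant-sinking pass, a CSE pass, and a lowering step that treats Opaque as Identity. All type and function names are hypothetical, and the cage constant is a constructed stand-in.

```cpp
#include <cstdint>
#include <map>
#include <memory>
#include <set>
#include <string>
#include <tuple>
#include <vector>

enum class Op { Const, Arg, Add, Opaque };

struct Value {
    Op op;
    int64_t constant; std::string name;   // Const value / Arg name
    Value* a; Value* b;                   // children: Add uses both, Opaque uses a
};

// Arena: pointer identity is value identity, like B3's Value*.
struct Proc {
    std::vector<std::unique_ptr<Value>> pool;
    Value* make(Op op, int64_t c, const std::string& n, Value* a, Value* b) {
        pool.emplace_back(new Value{op, c, n, a, b});
        return pool.back().get();
    }
    Value* constant(int64_t c) { return make(Op::Const, c, "", nullptr, nullptr); }
    Value* arg(const std::string& n) { return make(Op::Arg, 0, n, nullptr, nullptr); }
    Value* add(Value* x, Value* y) { return make(Op::Add, 0, "", x, y); }
    Value* opaque(Value* x) { return make(Op::Opaque, 0, "", x, nullptr); }
};

// Printer. With seeThrough it behaves like LowerToAir, which treats Opaque as Identity.
std::string dump(const Value* v, bool seeThrough = false) {
    switch (v->op) {
    case Op::Const: return std::to_string(v->constant);
    case Op::Arg: return v->name;
    case Op::Add: return "Add(" + dump(v->a, seeThrough) + ", " + dump(v->b, seeThrough) + ")";
    case Op::Opaque: return seeThrough ? dump(v->a, true) : "Opaque(" + dump(v->a) + ")";
    }
    return "?";
}

// ReduceStrength-like pass: rebuilds bottom-up, sinking constants out of nested Adds
// and collapsing Opaque(Opaque(x)). It never matches through Opaque, so a constant
// hidden beneath it stays where it is.
Value* reduce(Proc& p, Value* v) {
    if (v->op == Op::Const || v->op == Op::Arg)
        return v;
    if (v->op == Op::Opaque) {
        Value* x = reduce(p, v->a);
        return x->op == Op::Opaque ? x : p.opaque(x);   // idempotence
    }
    Value* a = reduce(p, v->a);
    Value* b = reduce(p, v->b);
    if (a->op == Op::Add && a->b->op == Op::Const && b->op != Op::Const)
        return p.add(p.add(a->a, b), a->b);   // Add(Add(x, c), y) -> Add(Add(x, y), c)
    return p.add(a, b);
}

// CSE: structurally equal pure nodes share a key, so two Opaque(x) over the same x
// merge. Nothing here equates Opaque(x) with x itself.
using Key = std::tuple<int, int64_t, std::string, uintptr_t, uintptr_t>;
Value* cse(std::map<Key, Value*>& table, Value* v) {
    if (v->a) v->a = cse(table, v->a);
    if (v->b) v->b = cse(table, v->b);
    Key k{static_cast<int>(v->op), v->constant, v->name,
          reinterpret_cast<uintptr_t>(v->a), reinterpret_cast<uintptr_t>(v->b)};
    auto it = table.find(k);
    if (it != table.end()) return it->second;
    table[k] = v;
    return v;
}

// Distinct Add nodes consuming the cage constant: one means it is shared and can be
// hoisted; more means every access carries its own copy.
void collectCageAdds(const Value* v, int64_t c, std::set<const Value*>& out) {
    if (!v) return;
    if (v->op == Op::Add && v->b->op == Op::Const && v->b->constant == c) out.insert(v);
    collectCageAdds(v->a, c, out);
    collectCageAdds(v->b, c, out);
}

struct Result { std::string access1; std::string lowered1; size_t cageAdds; };

// Two caged accesses to the same pointer, with and without the Opaque wrapper.
Result cagedAccesses(bool useOpaque) {
    Proc p;
    const int64_t largeConstant = int64_t(1) << 38;   // constructed stand-in for the cage base
    Value* ptr = p.arg("ptr");
    auto cage = [&](Value* x) {
        Value* sum = p.add(x, p.constant(largeConstant));
        return useOpaque ? p.opaque(sum) : sum;
    };
    Value* r1 = reduce(p, p.add(cage(ptr), p.arg("i")));
    Value* r2 = reduce(p, p.add(cage(ptr), p.arg("j")));
    std::map<Key, Value*> table;
    r1 = cse(table, r1);
    r2 = cse(table, r2);
    std::set<const Value*> adds;
    collectCageAdds(r1, largeConstant, adds);
    collectCageAdds(r2, largeConstant, adds);
    return {dump(r1), dump(r1, true), adds.size()};
}
```

Without Opaque the constant is sunk into each access and nothing is left to share; with it the single Add(ptr, largeConstant) survives reduction, CSE merges both uses, and lowering still emits the plain addition.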
2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        ScopedArguments overflow storage needs to be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174923

        Reviewed by Saam Barati.

        ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
        object into the JSValue gigacage.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        (JSC::ScopedArguments::overflowStorage const):

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        JSLexicalEnvironment needs to be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174922

        Reviewed by Michael Saboff.

        We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
        the only random accesses use pointer caging.

        We don't need to do anything to normal lexical environment accesses.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::subspaceFor):
        (JSC::JSEnvironmentRecord::variables):

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        DirectArguments should be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174920

        Reviewed by Michael Saboff.

        This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
        indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
        because they always operate on a DirectArguments that is pointed to directly from the stack, they are
        required to use fixed offsets, and you can only store JSValues.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        (JSC::DirectArguments::storage):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a FIXME.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):

2017-08-10  Sam Weinig  <sam@webkit.org>

        WTF::Function does not allow for reference / non-default constructible return types
        https://bugs.webkit.org/show_bug.cgi?id=175244

        Reviewed by Chris Dumez.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::transferTo):
        Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
        destroy call needed to be a no-op anyway, since the data is being moved.

2017-08-11  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175446
        <rdar://problem/33836545>

        Not reviewed.

        * assembler/MacroAssemblerPrinter.cpp:

2017-08-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should do caging
        https://bugs.webkit.org/show_bug.cgi?id=174918

        Reviewed by Saam Barati.

        Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
        the conditional caging with a watchpoint.

        This might be a 1% SunSpider slow-down, but it's not clear.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for x86 GTK port
        https://bugs.webkit.org/show_bug.cgi?id=175446

        Use pushfl/popfl instead of pushfd/popfd.

        * assembler/MacroAssemblerX86Common.cpp:

2017-08-10  Mark Lam  <mark.lam@apple.com>

        Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
        https://bugs.webkit.org/show_bug.cgi?id=175446
        <rdar://problem/33836545>

        Reviewed by Saam Barati.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::print):
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-10  Mark Lam  <mark.lam@apple.com>

        Apply the UNLIKELY macro to some unlikely things.
        https://bugs.webkit.org/show_bug.cgi?id=175440
        <rdar://problem/33834767>

        Reviewed by Yusuke Suzuki.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::jettison):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VM.cpp:
        (JSC::VM::VM):

2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] ThreadSpecific should not introduce additional indirection
        https://bugs.webkit.org/show_bug.cgi?id=175187

        Reviewed by Mark Lam.

        * runtime/Identifier.cpp:

2017-08-10  Tim Horton  <timothy_horton@apple.com>

        Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
        https://bugs.webkit.org/show_bug.cgi?id=175436
        <rdar://problem/33667497>

        Reviewed by Simon Fraser.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):

2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>

        Remove ENABLE_GAMEPAD_DEPRECATED
        https://bugs.webkit.org/show_bug.cgi?id=175361

        Reviewed by Carlos Garcia Campos.

        * Configurations/FeatureDefines.xcconfig:

2017-08-09  Caio Lima  <ticaiolima@gmail.com>

        [JSC] Create JSSet constructor that accepts its size as parameter
        https://bugs.webkit.org/show_bug.cgi?id=173297

        Reviewed by Saam Barati.

        This patch is adding a new constructor to JSSet that gives its
        expected initial size. It is important to avoid re-hashing and multiple
        allocations when we know the final size of JSSet, such as in
        CodeBlock::setConstantIdentifierSetRegisters.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::HashMapImpl):
        * runtime/JSSet.h:

2017-08-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r220466, r220477, and r220487.
        https://bugs.webkit.org/show_bug.cgi?id=175411

        This change broke existing API tests and follow up fixes did
        not resolve all the issues. (Requested by ryanhaddad on
        #webkit).

        Reverted changesets:

        https://bugs.webkit.org/show_bug.cgi?id=175244
        http://trac.webkit.org/changeset/220466

        "WTF::Function does not allow for reference / non-default
        constructible return types"
        https://bugs.webkit.org/show_bug.cgi?id=175244
        http://trac.webkit.org/changeset/220477

        https://bugs.webkit.org/show_bug.cgi?id=175244
        http://trac.webkit.org/changeset/220487

2017-08-09  Caitlin Potter  <caitp@igalia.com>

        Early error on ANY operator before new.target
        https://bugs.webkit.org/show_bug.cgi?id=157970

        Reviewed by Saam Barati.

        Instead of throwing if any unary operator precedes new.target, only
        throw if the unary operator updates the reference.

        The following become legal in JSC:

        ```
        !new.target
        ~new.target
        typeof new.target
        delete new.target
        void new.target
        ```

        All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseUnaryExpression):

2017-08-09  Sam Weinig  <sam@webkit.org>

        WTF::Function does not allow for reference / non-default constructible return types
        https://bugs.webkit.org/show_bug.cgi?id=175244

        Reviewed by Chris Dumez.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::transferTo):
        Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
        destroy call needed to be a no-op anyway, since the data is being moved.

2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>

        [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
        https://bugs.webkit.org/show_bug.cgi?id=175392
        <rdar://problem/33783207>

        Reviewed by Tim Horton and Megan Gardner.

        Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).

        * Configurations/FeatureDefines.xcconfig:

2017-08-09  Robin Morisset  <rmorisset@apple.com>

        Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
        https://bugs.webkit.org/show_bug.cgi?id=175358

        Reviewed by Mark Lam.

        * jit/JITOperations.cpp:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInlineForJSObject):

2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r220457.

        This change introduced API test failures.

        Reverted changeset:

        "WTF::Function does not allow for reference / non-default
        constructible return types"
        https://bugs.webkit.org/show_bug.cgi?id=175244
        http://trac.webkit.org/changeset/220457

2017-08-09  Sam Weinig  <sam@webkit.org>

        WTF::Function does not allow for reference / non-default constructible return types
        https://bugs.webkit.org/show_bug.cgi?id=175244

        Reviewed by Chris Dumez.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::transferTo):
        Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
        destroy call needed to be a no-op anyway, since the data is being moved.

2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>

        REGRESSION: 2 test262/test/language/statements/async-function failures
        https://bugs.webkit.org/show_bug.cgi?id=175334

        Reviewed by Yusuke Suzuki.

        Switch off useAsyncIterator by default.

        * runtime/Options.h:

2017-08-08  Filip Pizlo  <fpizlo@apple.com>

        ICs should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175295

        Reviewed by Saam Barati.

        Adds the appropriate cage() calls in our inline caches.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):

2017-08-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: support editing WebGL shaders
        https://bugs.webkit.org/show_bug.cgi?id=124211
        <rdar://problem/15448958>

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
        Add `updateShader` command that will change the given shader's source to the provided string,
        recompile, and relink it to its associated program.
        Drive-by: add description to `requestShaderSource` command.

2017-08-08  Robin Morisset  <rmorisset@apple.com>

        Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
        https://bugs.webkit.org/show_bug.cgi?id=175347

        Reviewed by Saam Barati.

        This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
        I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
        negligible considering how much more finishCreation does.
        This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
        FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/CodeBlock.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):

2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, fix Ubuntu LTS build
        https://bugs.webkit.org/show_bug.cgi?id=174490

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        * inspector/remote/glib/RemoteInspectorServer.cpp:

2017-08-08  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175037

        Reviewed by Mark Lam.

        Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

        Also modifies FTL caging to be more defensive when caging is disabled.

        Relanded with fixed AssemblyHelpers::cageConditionally().

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (jscmain):
        (primitiveGigacageDisabled): Deleted.

2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r220368.

        This change caused WK1 tests to exit early with crashes.

        Reverted changeset:

        "Baseline JIT should do caging"
        https://bugs.webkit.org/show_bug.cgi?id=175037
        http://trac.webkit.org/changeset/220368

2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>

        [CMake] Properly test if compiler supports compiler flags
        https://bugs.webkit.org/show_bug.cgi?id=174490

        Reviewed by Konstantin Tokarev.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow):
        * API/tests/testapi.c:
        * b3/testb3.cpp:
        (JSC::B3::testPatchpointLotsOfLateAnys):

2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Linux] Clear WasmMemory with madvise instead of memset
        https://bugs.webkit.org/show_bug.cgi?id=175150

        Reviewed by Filip Pizlo.

        On Linux, zeroing pages with memset populates backing store.
        Instead, we should use madvise with MADV_DONTNEED. It discards
        pages. And if you access these pages, on-demand-zero-pages will
        be shown.

        We also commit grown pages in all OSes.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::commitZeroPages):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::grow):

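The lazy page zeroing described in the entry above, as an added example that is not WebKit code: a private anonymous mapping is dirtied with memset, then discarded with madvise(MADV_DONTNEED) on Linux (memset fallback elsewhere), and the process's resident page count before and after is read from /proc/self/statm. Function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <fstream>
#include <sys/mman.h>
#include <unistd.h>

// Resident page count of this process from /proc/self/statm (Linux); 0 elsewhere.
static long residentPages() {
    std::ifstream statm("/proc/self/statm");
    long size = 0, resident = 0;
    if (statm >> size >> resident) return resident;
    return 0;
}

// Zero a page-aligned region. On Linux the pages of a private anonymous mapping are
// discarded with MADV_DONTNEED, so the next touch faults in a fresh zero page and
// nothing stays resident; elsewhere fall back to memset, which dirties every page.
static bool zeroPagesLazily(void* base, size_t bytes) {
    const size_t pageSize = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    if (reinterpret_cast<uintptr_t>(base) % pageSize != 0 || bytes % pageSize != 0) return false;
#if defined(__linux__)
    return madvise(base, bytes, MADV_DONTNEED) == 0;
#else
    memset(base, 0, bytes);
    return true;
#endif
}

struct Demo { bool ok; bool allZero; long residentAfterDirty; long residentAfterZero; };

// Map pages, dirty them all, zero them lazily, then verify they read back as zero.
static Demo runDemo(size_t pages) {
    const size_t pageSize = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    const size_t bytes = pages * pageSize;
    void* mem = mmap(nullptr, bytes, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return {false, false, 0, 0};
    unsigned char* p = static_cast<unsigned char*>(mem);
    memset(p, 0xAB, bytes);                       // populate and dirty every page
    long dirtyRss = residentPages();
    bool ok = zeroPagesLazily(p, bytes);
    long zeroRss = residentPages();               // read before touching the pages again
    bool allZero = true;
    for (size_t i = 0; i < bytes && allZero; ++i) allZero = (p[i] == 0);   // faults in zero pages
    munmap(mem, bytes);
    return {ok, allZero, dirtyRss, zeroRss};
}

int main() {
    Demo d = runDemo(64);
    std::printf("ok=%d allZero=%d resident pages: after dirtying=%ld, after lazy zero=%ld\n",
                d.ok, d.allZero, d.residentAfterDirty, d.residentAfterZero);
    return (d.ok && d.allZero) ? 0 : 1;
}
```

On Linux the second resident count drops by roughly the number of pages discarded, while a memset-based clear would leave all of them resident.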
2017-08-07  Robin Morisset  <rmorisset@apple.com>

        GetOwnProperty of TypedArray indexed fields is wrongly configurable
        https://bugs.webkit.org/show_bug.cgi?id=175307

        Reviewed by Saam Barati.

        ```
        let a = new Uint8Array(10);
        let b = Object.getOwnPropertyDescriptor(a, 0);
        assert(b.configurable === false);
        ```
        should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
        that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
        that says that typed arrays are integer indexed exotic objects.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):

2017-08-07  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175037

        Reviewed by Mark Lam.

        Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

        Also modifies FTL caging to be more defensive when caging is disabled.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (jscmain):
        (primitiveGigacageDisabled): Deleted.

2017-08-06  Filip Pizlo  <fpizlo@apple.com>

        Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
        https://bugs.webkit.org/show_bug.cgi?id=174919

        Reviewed by Keith Miller.

        This adapts JSC to there being two gigacages.

        To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
        singletons. I don't think we were gaining anything by making them be singletons.

        This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
        gigacages. We'll have one of those allocators per cage.

        From there, this change teaches everyone who previously knew about cages that there are two cages.
        This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
        easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
        not so obvious, so this change introduces some helpers to make it easy to define what cage you want
        to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h

        A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
        CagedPtr. This removes one layer of "get()" calls from a bunch of places.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/FastMallocAlignedMemoryAllocator.cpp:
        (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
        * heap/FastMallocAlignedMemoryAllocator.h:
        * heap/GigacageAlignedMemoryAllocator.cpp:
        (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::dump const):
        (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
        * heap/GigacageAlignedMemoryAllocator.h:
        * jsc.cpp:
        (primitiveGigacageDisabled):
        (jscmain):
        (gigacageDisabled): Deleted.
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::createFromBytes):
        * runtime/AuxiliaryBarrier.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/CagedBarrierPtr.h: Added.
        (JSC::CagedBarrierPtr::CagedBarrierPtr):
        (JSC::CagedBarrierPtr::clear):
        (JSC::CagedBarrierPtr::set):
        (JSC::CagedBarrierPtr::get const):
        (JSC::CagedBarrierPtr::getMayBeNull const):
        (JSC::CagedBarrierPtr::operator== const):
        (JSC::CagedBarrierPtr::operator!= const):
        (JSC::CagedBarrierPtr::operator bool const):
        (JSC::CagedBarrierPtr::setWithoutBarrier):
        (JSC::CagedBarrierPtr::operator* const):
        (JSC::CagedBarrierPtr::operator-> const):
        (JSC::CagedBarrierPtr::operator[] const):
784         * runtime/DirectArguments.cpp:
785         (JSC::DirectArguments::overrideThings):
786         (JSC::DirectArguments::unmapArgument):
787         * runtime/DirectArguments.h:
788         (JSC::DirectArguments::isMappedArgument const):
789         * runtime/GenericArguments.h:
790         * runtime/GenericArgumentsInlines.h:
791         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
792         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
793         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
794         * runtime/HashMapImpl.cpp:
795         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
796         * runtime/HashMapImpl.h:
797         (JSC::HashMapBuffer::create):
798         (JSC::HashMapImpl::buffer const):
799         (JSC::HashMapImpl::rehash):
800         * runtime/JSArray.cpp:
801         (JSC::JSArray::tryCreateUninitializedRestricted):
802         (JSC::JSArray::unshiftCountSlowCase):
803         (JSC::JSArray::setLength):
804         (JSC::JSArray::pop):
805         (JSC::JSArray::push):
806         (JSC::JSArray::fastSlice):
807         (JSC::JSArray::shiftCountWithArrayStorage):
808         (JSC::JSArray::shiftCountWithAnyIndexingType):
809         (JSC::JSArray::unshiftCountWithAnyIndexingType):
810         (JSC::JSArray::fillArgList):
811         (JSC::JSArray::copyToArguments):
812         * runtime/JSArray.h:
813         (JSC::JSArray::tryCreate):
814         * runtime/JSArrayBufferView.cpp:
815         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
816         (JSC::JSArrayBufferView::finalize):
817         * runtime/JSLock.cpp:
818         (JSC::JSLock::didAcquireLock):
819         * runtime/JSObject.cpp:
820         (JSC::JSObject::heapSnapshot):
821         (JSC::JSObject::getOwnPropertySlotByIndex):
822         (JSC::JSObject::putByIndex):
823         (JSC::JSObject::enterDictionaryIndexingMode):
824         (JSC::JSObject::createInitialIndexedStorage):
825         (JSC::JSObject::createArrayStorage):
826         (JSC::JSObject::convertUndecidedToInt32):
827         (JSC::JSObject::convertUndecidedToDouble):
828         (JSC::JSObject::convertUndecidedToContiguous):
829         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
830         (JSC::JSObject::convertUndecidedToArrayStorage):
831         (JSC::JSObject::convertInt32ToDouble):
832         (JSC::JSObject::convertInt32ToContiguous):
833         (JSC::JSObject::convertInt32ToArrayStorage):
834         (JSC::JSObject::convertDoubleToContiguous):
835         (JSC::JSObject::convertDoubleToArrayStorage):
836         (JSC::JSObject::convertContiguousToArrayStorage):
837         (JSC::JSObject::setIndexQuicklyToUndecided):
838         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
839         (JSC::JSObject::deletePropertyByIndex):
840         (JSC::JSObject::getOwnPropertyNames):
841         (JSC::JSObject::putIndexedDescriptor):
842         (JSC::JSObject::defineOwnIndexedProperty):
843         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
844         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
845         (JSC::JSObject::getNewVectorLength):
846         (JSC::JSObject::ensureLengthSlow):
847         (JSC::JSObject::reallocateAndShrinkButterfly):
848         (JSC::JSObject::allocateMoreOutOfLineStorage):
849         (JSC::JSObject::getEnumerableLength):
850         * runtime/JSObject.h:
851         (JSC::JSObject::getArrayLength const):
852         (JSC::JSObject::getVectorLength):
853         (JSC::JSObject::putDirectIndex):
854         (JSC::JSObject::canGetIndexQuickly):
855         (JSC::JSObject::getIndexQuickly):
856         (JSC::JSObject::tryGetIndexQuickly const):
857         (JSC::JSObject::canSetIndexQuickly):
858         (JSC::JSObject::setIndexQuickly):
859         (JSC::JSObject::initializeIndex):
860         (JSC::JSObject::initializeIndexWithoutBarrier):
861         (JSC::JSObject::hasSparseMap):
862         (JSC::JSObject::inSparseIndexingMode):
863         (JSC::JSObject::butterfly const):
864         (JSC::JSObject::butterfly):
865         (JSC::JSObject::outOfLineStorage const):
866         (JSC::JSObject::outOfLineStorage):
867         (JSC::JSObject::ensureInt32):
868         (JSC::JSObject::ensureDouble):
869         (JSC::JSObject::ensureContiguous):
870         (JSC::JSObject::ensureArrayStorage):
871         (JSC::JSObject::arrayStorage):
872         (JSC::JSObject::arrayStorageOrNull):
873         (JSC::JSObject::ensureLength):
874         * runtime/RegExpMatchesArray.h:
875         (JSC::tryCreateUninitializedRegExpMatchesArray):
876         * runtime/VM.cpp:
877         (JSC::VM::VM):
878         (JSC::VM::~VM):
879         (JSC::VM::primitiveGigacageDisabledCallback):
880         (JSC::VM::primitiveGigacageDisabled):
881         (JSC::VM::gigacageDisabledCallback): Deleted.
882         (JSC::VM::gigacageDisabled): Deleted.
883         * runtime/VM.h:
884         (JSC::VM::gigacageAuxiliarySpace):
885         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
886         (JSC::VM::primitiveGigacageEnabled):
887         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
888         (JSC::VM::gigacageEnabled): Deleted.
889         * wasm/WasmMemory.cpp:
890         (JSC::Wasm::Memory::create):
891         (JSC::Wasm::Memory::~Memory):
892         (JSC::Wasm::Memory::grow):
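
        The two-cage scheme described above, as an added illustration that is not WebKit's code: a toy model in which a CagedPtr fixed to one cage kind rebases every dereference into that cage, so a pointer that has been corrupted to point elsewhere can only reach memory inside its own cage. The 64 KiB cage size, the alignment trick, the bump allocator and all names here are assumptions made for the example; JSC's real Gigacage reserves gigabytes of address space per cage.

```cpp
// Toy model of Gigacage-style pointer caging with two cage kinds (added example).
// Names, the 64 KiB cage size and the masking scheme are assumptions for illustration,
// not JavaScriptCore's actual Gigacage implementation.
#include <cstddef>
#include <cstdint>
#include <cstdlib>

namespace ToyGigacage {

// The ChangeLog's two cages: typed-array backing stores vs. butterflies.
enum class Kind { Primitive, JSValue };

// Assumed toy geometry: each cage is 64 KiB and aligned to its own size, so the base
// has zero low bits and (ptr & kCageMask) is always an offset inside the cage.
constexpr uintptr_t kCageSize = uintptr_t(1) << 16;
constexpr uintptr_t kCageMask = kCageSize - 1;

struct Cage {
    unsigned char* base = nullptr; // reserved region (real Gigacage: gigabytes of VA)
    size_t bump = 0;               // cursor of the toy bump allocator
};

// Lazily reserve the cage of the given kind: one region per kind, mirroring one
// GigacageAlignedMemoryAllocator per cage in the ChangeLog.
inline Cage& cage(Kind kind) {
    static Cage cages[2];
    Cage& c = cages[static_cast<int>(kind)];
    if (!c.base) {
        void* p = nullptr;
        if (posix_memalign(&p, kCageSize, kCageSize) != 0)
            std::abort();
        c.base = static_cast<unsigned char*>(p);
    }
    return c;
}

inline bool isInCage(Kind kind, const void* p) {
    uintptr_t base = reinterpret_cast<uintptr_t>(cage(kind).base);
    uintptr_t a = reinterpret_cast<uintptr_t>(p);
    return a >= base && a < base + kCageSize;
}

// The core of caging: keep only the in-cage offset bits and rebase onto the cage.
// Whatever value the pointer holds, the address actually used lies inside the cage.
inline void* caged(Kind kind, const void* ptr) {
    uintptr_t offset = reinterpret_cast<uintptr_t>(ptr) & kCageMask;
    return cage(kind).base + offset;
}

// Toy allocator handing out 16-byte-aligned chunks from inside a cage.
inline void* allocate(Kind kind, size_t bytes) {
    Cage& c = cage(kind);
    size_t rounded = (bytes + 15) & ~size_t(15);
    if (c.bump + rounded > kCageSize)
        return nullptr;
    void* p = c.base + c.bump;
    c.bump += rounded;
    return p;
}

// Pointer wrapper whose cage is fixed by a template parameter, in the spirit of
// choosing the cage in one place and referring to it abstractly elsewhere.
template<typename T, Kind kind>
class CagedPtr {
public:
    explicit CagedPtr(T* ptr = nullptr) : m_ptr(ptr) {}
    // Every dereference goes through caged(); the raw value is never used directly.
    T* get() const { return static_cast<T*>(caged(kind, m_ptr)); }
    T& operator[](size_t i) const { return get()[i]; }
private:
    T* m_ptr;
};

// Normal use: a buffer allocated in the Primitive cage round-trips unchanged.
inline int demoRoundTrip() {
    CagedPtr<uint8_t, Kind::Primitive> buf(static_cast<uint8_t*>(allocate(Kind::Primitive, 16)));
    int sum = 0;
    for (size_t i = 0; i < 16; ++i) {
        buf[i] = static_cast<uint8_t>(i);
        sum += buf[i];
    }
    return sum; // 0 + 1 + ... + 15 = 120
}

// A pointer aimed outside its cage (a static stands in for a corrupted backing-store
// pointer) is redirected into the Primitive cage instead of reaching its target.
inline bool demoForgedPointerIsConfined() {
    static int outside = 0;
    CagedPtr<int, Kind::Primitive> p(&outside);
    return !isInCage(Kind::Primitive, &outside) && isInCage(Kind::Primitive, p.get());
}

// The cages are separate: memory in the JSValue cage, used through a Primitive-cage
// wrapper, is redirected into the Primitive cage rather than read where it lives.
inline bool demoCagesAreSeparate() {
    int* inJSValue = static_cast<int*>(allocate(Kind::JSValue, sizeof(int)));
    CagedPtr<int, Kind::Primitive> p(inJSValue);
    return isInCage(Kind::JSValue, inJSValue) && isInCage(Kind::Primitive, p.get());
}

} // namespace ToyGigacage
```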
893
894 2017-08-07  Commit Queue  <commit-queue@webkit.org>
895
896         Unreviewed, rolling out r220144.
897         https://bugs.webkit.org/show_bug.cgi?id=175276
898
899         "It did not actually speed things up in the way I expected"
900         (Requested by saamyjoon on #webkit).
901
902         Reverted changeset:
903
904         "On memory-constrained iOS devices, reduce the rate at which
905         the JS heap grows before a GC to try to keep more memory
906         available for the system"
907         https://bugs.webkit.org/show_bug.cgi?id=175041
908         http://trac.webkit.org/changeset/220144
909
910 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
911
912         Unreviewed, rolling out r220299.
913
914         This change caused LayoutTest inspector/dom-debugger/dom-
915         breakpoints.html to fail.
916
917         Reverted changeset:
918
919         "Web Inspector: capture async stack trace when workers/main
920         context posts a message"
921         https://bugs.webkit.org/show_bug.cgi?id=167084
922         http://trac.webkit.org/changeset/220299
923
924 2017-08-07  Brian Burg  <bburg@apple.com>
925
926         Remove CANVAS_PATH compilation guard
927         https://bugs.webkit.org/show_bug.cgi?id=175207
928
929         Reviewed by Sam Weinig.
930
931         * Configurations/FeatureDefines.xcconfig:
932
933 2017-08-07  Keith Miller  <keith_miller@apple.com>
934
935         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
936         https://bugs.webkit.org/show_bug.cgi?id=175256
937
938         Reviewed by Saam Barati.
939
940         The check in createFromBytes just needed to check that the buffer was not null before
941         calling isCaged.
942
943         * runtime/ArrayBuffer.cpp:
944         (JSC::ArrayBuffer::createFromBytes):
945
946 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
947
948         [GTK][WPE] Add API to provide browser information required by automation
949         https://bugs.webkit.org/show_bug.cgi?id=175130
950
951         Reviewed by Brian Burg.
952
953         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
954         get them.
955
956         * inspector/remote/RemoteInspector.cpp:
957         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
958         * inspector/remote/RemoteInspector.h:
959         * inspector/remote/glib/RemoteInspectorGlib.cpp:
960         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
961         requested to ensure they are updated before StartAutomationSession reply is sent.
962         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
963         StartAutomationSession message.
964
965 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
966
967         Promise resolve and reject function should have length = 1
968         https://bugs.webkit.org/show_bug.cgi?id=175242
969
970         Reviewed by Saam Barati.
971
972         Previously we had a separate system for "length" and "name" for builtin functions.
973         The builtin functions do not use the lazy reifying system. Instead, they have direct
974         properties when instantiated. While the function created for properties (like
975         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
976         these builtin functions are just created by JSFunction::create(). Since it does
977         not set any values for "length", these functions do not have a "length" property.
978         So, the resolve and reject functions passed to Promise's executor do not have a
979         "length" property.
980
981         This patch makes builtin functions use the standard lazy reifying system for "length".
982         So, the "length" property of a builtin function just works as it does for normal
983         functions.
984
985         * runtime/JSFunction.cpp:
986         (JSC::JSFunction::createBuiltinFunction):
987         (JSC::JSFunction::getOwnPropertySlot):
988         (JSC::JSFunction::getOwnNonIndexPropertyNames):
989         (JSC::JSFunction::put):
990         (JSC::JSFunction::deleteProperty):
991         (JSC::JSFunction::defineOwnProperty):
992         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
993         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
994         (JSC::JSFunction::reifyLazyLengthIfNeeded):
995         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
996         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
997         * runtime/JSFunction.h:
998
999 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
1000
1001         [ESNext] Async iteration - Implement Async Generator - parser
1002         https://bugs.webkit.org/show_bug.cgi?id=175210
1003
1004         Reviewed by Yusuke Suzuki.
1005
1006         The current implementation is a draft version of Async Iteration.
1007         Link to spec: https://tc39.github.io/proposal-async-iteration/
1008
1009         The current patch implements only the parser part of the Async generator.
1010         The runtime part will be in the next patches.
1011
1012         * parser/ASTBuilder.h:
1013         (JSC::ASTBuilder::createFunctionMetadata):
1014         * parser/Parser.cpp:
1015         (JSC::getAsynFunctionBodyParseMode):
1016         (JSC::Parser<LexerType>::parseInner):
1017         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
1018         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1019         (JSC::stringArticleForFunctionMode):
1020         (JSC::stringForFunctionMode):
1021         (JSC::Parser<LexerType>::parseFunctionInfo):
1022         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1023         (JSC::Parser<LexerType>::parseClass):
1024         (JSC::Parser<LexerType>::parseProperty):
1025         (JSC::Parser<LexerType>::parsePropertyMethod):
1026         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
1027         * parser/Parser.h:
1028         (JSC::Scope::setSourceParseMode):
1029         * parser/ParserModes.h:
1030         (JSC::isFunctionParseMode):
1031         (JSC::isAsyncFunctionParseMode):
1032         (JSC::isAsyncArrowFunctionParseMode):
1033         (JSC::isAsyncGeneratorFunctionParseMode):
1034         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
1035         (JSC::isAsyncFunctionWrapperParseMode):
1036         (JSC::isAsyncFunctionBodyParseMode):
1037         (JSC::isGeneratorMethodParseMode):
1038         (JSC::isAsyncMethodParseMode):
1039         (JSC::isAsyncGeneratorMethodParseMode):
1040         (JSC::isMethodParseMode):
1041         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
1042         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
1043
1044 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
1045
1046         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
1047         https://bugs.webkit.org/show_bug.cgi?id=175083
1048
1049         Reviewed by Oliver Hunt.
1050         
1051         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
1052         even if we are using the pop path.
1053         
1054         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
1055         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
1056         the world just because we changed it.
1057         
1058         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
1059         easier to debug leaks.
1060
1061         * bytecode/AccessCase.cpp:
1062         * bytecode/PolymorphicAccess.cpp:
1063         * heap/HeapCell.cpp:
1064         (JSC::HeapCell::isLive):
1065         * heap/HeapCellInlines.h:
1066         (JSC::HeapCell::isLive): Deleted.
1067         * heap/MarkedAllocator.cpp:
1068         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1069         (JSC::MarkedAllocator::endMarking):
1070         * heap/MarkedBlockInlines.h:
1071         (JSC::MarkedBlock::Handle::specializedSweep):
1072         * jit/AssemblyHelpers.cpp:
1073         * jit/Repatch.cpp:
1074         * runtime/TestRunnerUtils.h:
1075         * runtime/VM.cpp:
1076         (JSC::waitForVMDestruction):
1077         (JSC::VM::~VM):
1078
1079 2017-08-05  Mark Lam  <mark.lam@apple.com>
1080
1081         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
1082         https://bugs.webkit.org/show_bug.cgi?id=175228
1083         <rdar://problem/33735737>
1084
1085         Reviewed by Saam Barati.
1086
1087         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
1088         delete OSRExit32_64.cpp.
1089
1090         * CMakeLists.txt:
1091         * JavaScriptCore.xcodeproj/project.pbxproj:
1092         * dfg/DFGOSRExit.cpp:
1093         (JSC::DFG::OSRExit::compileExit):
1094         * dfg/DFGOSRExit32_64.cpp: Removed.
1095         * jit/GPRInfo.h:
1096         (JSC::JSValueSource::payloadGPR const):
1097
1098 2017-08-04  Youenn Fablet  <youenn@apple.com>
1099
1100         [Cache API] Add Cache and CacheStorage IDL definitions
1101         https://bugs.webkit.org/show_bug.cgi?id=175201
1102
1103         Reviewed by Brady Eidson.
1104
1105         * runtime/CommonIdentifiers.h:
1106
1107 2017-08-04  Mark Lam  <mark.lam@apple.com>
1108
1109         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
1110         https://bugs.webkit.org/show_bug.cgi?id=175230
1111         <rdar://problem/33735857>
1112
1113         Reviewed by Saam Barati.
1114
1115         * assembler/testmasm.cpp:
1116         (JSC::testProbeReadsArgumentRegisters):
1117         (JSC::testProbeWritesArgumentRegisters):
1118
1119 2017-08-04  Mark Lam  <mark.lam@apple.com>
1120
1121         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
1122         https://bugs.webkit.org/show_bug.cgi?id=175214
1123         <rdar://problem/33733308>
1124
1125         Rubber-stamped by Michael Saboff.
1126
1127         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
1128         DFGOSRExitCompiler files.
1129
1130         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
1131
1132         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
1133         used by compileOSRExit(), and will be changed to not be a DFG operation function
1134         when we use JIT probes for DFG OSR exits later in
1135         https://bugs.webkit.org/show_bug.cgi?id=175144.
1136
1137         * CMakeLists.txt:
1138         * JavaScriptCore.xcodeproj/project.pbxproj:
1139         * dfg/DFGJITCompiler.cpp:
1140         * dfg/DFGOSRExit.cpp:
1141         (JSC::DFG::OSRExit::emitRestoreArguments):
1142         (JSC::DFG::OSRExit::compileOSRExit):
1143         (JSC::DFG::OSRExit::compileExit):
1144         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1145         * dfg/DFGOSRExit.h:
1146         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
1147         * dfg/DFGOSRExitCompiler.cpp: Removed.
1148         * dfg/DFGOSRExitCompiler.h: Removed.
1149         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
1150         * dfg/DFGOSRExitCompiler64.cpp: Removed.
1151         * dfg/DFGOperations.cpp:
1152         * dfg/DFGOperations.h:
1153         * dfg/DFGThunks.cpp:
1154
1155 2017-08-04  Matt Baker  <mattbaker@apple.com>
1156
1157         Web Inspector: capture async stack trace when workers/main context posts a message
1158         https://bugs.webkit.org/show_bug.cgi?id=167084
1159         <rdar://problem/30033673>
1160
1161         Reviewed by Brian Burg.
1162
1163         * inspector/agents/InspectorDebuggerAgent.h:
1164         Add `PostMessage` async call type.
1165
1166 2017-08-04  Mark Lam  <mark.lam@apple.com>
1167
1168         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
1169         https://bugs.webkit.org/show_bug.cgi?id=175208
1170         <rdar://problem/33732402>
1171
1172         Reviewed by Saam Barati.
1173
1174         This will minimize the code diff and make it easier to review the patch for
1175         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
1176         steps:
1177
1178         1. Do the code changes to move methods into OSRExit.
1179         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
1180         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
1181
1182         Splitting this refactoring into these 3 steps also makes it easier to review this
1183         patch and understand what is being changed.
1184
1185         * dfg/DFGOSRExit.h:
1186         * dfg/DFGOSRExitCompiler.cpp:
1187         (JSC::DFG::OSRExit::emitRestoreArguments):
1188         (JSC::DFG::OSRExit::compileOSRExit):
1189         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
1190         (): Deleted.
1191         * dfg/DFGOSRExitCompiler.h:
1192         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
1193         (): Deleted.
1194         * dfg/DFGOSRExitCompiler32_64.cpp:
1195         (JSC::DFG::OSRExit::compileExit):
1196         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
1197         * dfg/DFGOSRExitCompiler64.cpp:
1198         (JSC::DFG::OSRExit::compileExit):
1199         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
1200         * dfg/DFGThunks.cpp:
1201         (JSC::DFG::osrExitGenerationThunkGenerator):
1202
1203 2017-08-04  Devin Rousso  <drousso@apple.com>
1204
1205         Web Inspector: add source view for WebGL shader programs
1206         https://bugs.webkit.org/show_bug.cgi?id=138593
1207         <rdar://problem/18936194>
1208
1209         Reviewed by Matt Baker.
1210
1211         * inspector/protocol/Canvas.json:
1212          - Add `ShaderType` enum that contains "vertex" and "fragment".
1213          - Add `requestShaderSource` command that will return the original source code for a given
1214            shader program and shader type.
1215
1216 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
1217
1218         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
1219         https://bugs.webkit.org/show_bug.cgi?id=175141
1220
1221         Reviewed by Mark Lam.
1222         
1223         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
1224         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
1225         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
1226         determined by the AlignedMemoryAllocator object.
1227         
1228         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
1229         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
1230         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
1231         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
1232         they use the same AlignedMemoryAllocator.
1233
1234         * CMakeLists.txt:
1235         * JavaScriptCore.xcodeproj/project.pbxproj:
1236         * heap/AlignedMemoryAllocator.cpp: Added.
1237         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
1238         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
1239         * heap/AlignedMemoryAllocator.h: Added.
1240         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
1241         (JSC::FastMallocAlignedMemoryAllocator::singleton):
1242         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
1243         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
1244         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
1245         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
1246         (JSC::FastMallocAlignedMemoryAllocator::dump const):
1247         * heap/FastMallocAlignedMemoryAllocator.h: Added.
1248         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
1249         (JSC::GigacageAlignedMemoryAllocator::singleton):
1250         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1251         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
1252         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1253         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1254         (JSC::GigacageAlignedMemoryAllocator::dump const):
1255         * heap/GigacageAlignedMemoryAllocator.h: Added.
1256         * heap/GigacageSubspace.cpp: Removed.
1257         * heap/GigacageSubspace.h: Removed.
1258         * heap/LargeAllocation.cpp:
1259         (JSC::LargeAllocation::tryCreate):
1260         (JSC::LargeAllocation::destroy):
1261         * heap/MarkedAllocator.cpp:
1262         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1263         * heap/MarkedBlock.cpp:
1264         (JSC::MarkedBlock::tryCreate):
1265         (JSC::MarkedBlock::Handle::Handle):
1266         (JSC::MarkedBlock::Handle::~Handle):
1267         (JSC::MarkedBlock::Handle::didAddToAllocator):
1268         (JSC::MarkedBlock::Handle::subspace const):
1269         * heap/MarkedBlock.h:
1270         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
1271         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1272         * heap/Subspace.cpp:
1273         (JSC::Subspace::Subspace):
1274         (JSC::Subspace::findEmptyBlockToSteal):
1275         (JSC::Subspace::canTradeBlocksWith): Deleted.
1276         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
1277         (JSC::Subspace::freeAlignedMemory): Deleted.
1278         * heap/Subspace.h:
1279         (JSC::Subspace::name const):
1280         (JSC::Subspace::alignedMemoryAllocator const):
1281         * runtime/JSDestructibleObjectSubspace.cpp:
1282         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
1283         * runtime/JSDestructibleObjectSubspace.h:
1284         * runtime/JSSegmentedVariableObjectSubspace.cpp:
1285         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
1286         * runtime/JSSegmentedVariableObjectSubspace.h:
1287         * runtime/JSStringSubspace.cpp:
1288         (JSC::JSStringSubspace::JSStringSubspace):
1289         * runtime/JSStringSubspace.h:
1290         * runtime/VM.cpp:
1291         (JSC::VM::VM):
1292         * runtime/VM.h:
1293         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
1294         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
1295         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
1296
1297 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
1298
1299         [ESNext] Async iteration - update feature.json
1300         https://bugs.webkit.org/show_bug.cgi?id=175197
1301
1302         Reviewed by Yusuke Suzuki.
1303
1304         Update feature.json to add the status of Async Iteration.
1305
1306         * features.json:
1307
1308 2017-08-04  Matt Lewis  <jlewis3@apple.com>
1309
1310         Unreviewed, rolling out r220271.
1311
1312         Rolling out due to Layout Test failing on iOS Simulator.
1313
1314         Reverted changeset:
1315
1316         "Remove STREAMS_API compilation guard"
1317         https://bugs.webkit.org/show_bug.cgi?id=175165
1318         http://trac.webkit.org/changeset/220271
1319
1320 2017-08-04  Youenn Fablet  <youenn@apple.com>
1321
1322         Remove STREAMS_API compilation guard
1323         https://bugs.webkit.org/show_bug.cgi?id=175165
1324
1325         Reviewed by Darin Adler.
1326
1327         * Configurations/FeatureDefines.xcconfig:
1328
1329 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
1330
1331         [EsNext] Async iteration - Add feature flag
1332         https://bugs.webkit.org/show_bug.cgi?id=166694
1333
1334         Reviewed by Yusuke Suzuki.
1335
1336         Add a feature flag to JSC to switch Async Iterator on/off.
1337
1338         * runtime/Options.h:
1339
1340 2017-08-03  Brian Burg  <bburg@apple.com>
1341
1342         Remove ENABLE(WEB_SOCKET) guards
1343         https://bugs.webkit.org/show_bug.cgi?id=167044
1344
1345         Reviewed by Joseph Pecoraro.
1346
1347         * Configurations/FeatureDefines.xcconfig:
1348
1349 2017-08-03  Youenn Fablet  <youenn@apple.com>
1350
1351         Remove FETCH_API compilation guard
1352         https://bugs.webkit.org/show_bug.cgi?id=175154
1353
1354         Reviewed by Chris Dumez.
1355
1356         * Configurations/FeatureDefines.xcconfig:
1357
1358 2017-08-03  Matt Baker  <mattbaker@apple.com>
1359
1360         Web Inspector: Instrument WebGLProgram created/deleted
1361         https://bugs.webkit.org/show_bug.cgi?id=175059
1362
1363         Reviewed by Devin Rousso.
1364
1365         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
1366
1367         * inspector/protocol/Canvas.json:
1368
1369 2017-08-03  Brady Eidson  <beidson@apple.com>
1370
1371         Add SW IDLs and stub out basic functionality.
1372         https://bugs.webkit.org/show_bug.cgi?id=175115
1373
1374         Reviewed by Chris Dumez.
1375
1376         * Configurations/FeatureDefines.xcconfig:
1377
1378         * runtime/CommonIdentifiers.h:
1379
1380 2017-08-03  Mark Lam  <mark.lam@apple.com>
1381
1382         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
1383         https://bugs.webkit.org/show_bug.cgi?id=175142
1384         <rdar://problem/33704528>
1385
1386         Reviewed by Filip Pizlo.
1387
1388         The convention in the rest of JSC for such methods which return the address of
1389         a field is to name them "addressOf<field name>".  We'll rename
1390         ScratchBuffer::activeLengthPtr to be consistent with this convention.
1391
1392         * dfg/DFGSpeculativeJIT.cpp:
1393         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1394         * dfg/DFGSpeculativeJIT32_64.cpp:
1395         (JSC::DFG::SpeculativeJIT::compile):
1396         * dfg/DFGSpeculativeJIT64.cpp:
1397         (JSC::DFG::SpeculativeJIT::compile):
1398         * dfg/DFGThunks.cpp:
1399         (JSC::DFG::osrExitGenerationThunkGenerator):
1400         * ftl/FTLLowerDFGToB3.cpp:
1401         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1402         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1403         * ftl/FTLThunks.cpp:
1404         (JSC::FTL::genericGenerationThunkGenerator):
1405         * jit/AssemblyHelpers.cpp:
1406         (JSC::AssemblyHelpers::debugCall):
1407         * jit/ScratchRegisterAllocator.cpp:
1408         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
1409         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
1410         * runtime/VM.h:
1411         (JSC::ScratchBuffer::addressOfActiveLength):
1412         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
1413         * wasm/WasmBinding.cpp:
1414         (JSC::Wasm::wasmToJs):
1415
1416 2017-08-02  Devin Rousso  <drousso@apple.com>
1417
1418         Web Inspector: add stack trace information for each RecordingAction
1419         https://bugs.webkit.org/show_bug.cgi?id=174663
1420
1421         Reviewed by Joseph Pecoraro.
1422
1423         * inspector/ScriptCallFrame.h:
1424         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
1425         with an existing value doesn't require a functor and can use existing code.
1426
1427         * interpreter/StackVisitor.h:
1428         * interpreter/StackVisitor.cpp:
1429         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
1430
1431 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1432
1433         Merge WTFThreadData to Thread::current
1434         https://bugs.webkit.org/show_bug.cgi?id=174716
1435
1436         Reviewed by Mark Lam.
1437
1438         Use Thread::current() instead.
1439
1440         * API/JSContext.mm:
1441         (+[JSContext currentContext]):
1442         (+[JSContext currentThis]):
1443         (+[JSContext currentCallee]):
1444         (+[JSContext currentArguments]):
1445         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1446         (-[JSContext endCallbackWithData:]):
1447         * heap/Heap.cpp:
1448         (JSC::Heap::requestCollection):
1449         * runtime/Completion.cpp:
1450         (JSC::checkSyntax):
1451         (JSC::checkModuleSyntax):
1452         (JSC::evaluate):
1453         (JSC::loadAndEvaluateModule):
1454         (JSC::loadModule):
1455         (JSC::linkAndEvaluateModule):
1456         (JSC::importModule):
1457         * runtime/Identifier.cpp:
1458         (JSC::Identifier::checkCurrentAtomicStringTable):
1459         * runtime/InitializeThreading.cpp:
1460         (JSC::initializeThreading):
1461         * runtime/JSLock.cpp:
1462         (JSC::JSLock::didAcquireLock):
1463         (JSC::JSLock::willReleaseLock):
1464         (JSC::JSLock::dropAllLocks):
1465         (JSC::JSLock::grabAllLocks):
1466         * runtime/JSLock.h:
1467         * runtime/VM.cpp:
1468         (JSC::VM::VM):
1469         (JSC::VM::updateStackLimits):
1470         (JSC::VM::committedStackByteCount):
1471         * runtime/VM.h:
1472         (JSC::VM::isSafeToRecurse const):
1473         * runtime/VMEntryScope.cpp:
1474         (JSC::VMEntryScope::VMEntryScope):
1475         * runtime/VMInlines.h:
1476         (JSC::VM::ensureStackCapacityFor):
1477         * yarr/YarrPattern.cpp:
1478         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1479
1480 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1481
1482         LLInt should do pointer caging
1483         https://bugs.webkit.org/show_bug.cgi?id=175036
1484
1485         Reviewed by Keith Miller.
1486
1487         Implementing this in the LLInt was challenging because offlineasm did not previously know
1488         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
1489         to be where the Gigacage is enabled right now.
1490
1491         * llint/LLIntOfflineAsmConfig.h:
1492         * llint/LowLevelInterpreter64.asm:
1493         * offlineasm/ast.rb:
1494         * offlineasm/x86.rb:
1495
1496 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1497
1498         Sweeping should only scribble when sweeping to free list
1499         https://bugs.webkit.org/show_bug.cgi?id=175105
1500
1501         Reviewed by Saam Barati.
1502         
1503         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
1504         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
1505         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
1506         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
1507         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
1508         when it doesn't matter anyway because we're building a free list.
1509         
1510         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
1511         zap.
1512
1513         * heap/MarkedBlockInlines.h:
1514         (JSC::MarkedBlock::Handle::specializedSweep):
1515
1516 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1517
1518         All C++ accesses to JSObject::m_butterfly should do caging
1519         https://bugs.webkit.org/show_bug.cgi?id=175039
1520
1521         Reviewed by Keith Miller.
1522         
1523         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
1524         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
1525         outside the gigacage.
1526
1527         * runtime/JSArray.cpp:
1528         (JSC::JSArray::setLength):
1529         (JSC::JSArray::pop):
1530         (JSC::JSArray::push):
1531         (JSC::JSArray::shiftCountWithAnyIndexingType):
1532         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1533         (JSC::JSArray::fillArgList):
1534         (JSC::JSArray::copyToArguments):
1535         * runtime/JSObject.cpp:
1536         (JSC::JSObject::heapSnapshot):
1537         (JSC::JSObject::createInitialIndexedStorage):
1538         (JSC::JSObject::createArrayStorage):
1539         (JSC::JSObject::convertUndecidedToInt32):
1540         (JSC::JSObject::convertUndecidedToDouble):
1541         (JSC::JSObject::convertUndecidedToContiguous):
1542         (JSC::JSObject::convertInt32ToDouble):
1543         (JSC::JSObject::convertInt32ToArrayStorage):
1544         (JSC::JSObject::convertDoubleToContiguous):
1545         (JSC::JSObject::convertDoubleToArrayStorage):
1546         (JSC::JSObject::convertContiguousToArrayStorage):
1547         (JSC::JSObject::defineOwnIndexedProperty):
1548         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1549         (JSC::JSObject::ensureLengthSlow):
1550         (JSC::JSObject::allocateMoreOutOfLineStorage):
1551         * runtime/JSObject.h:
1552         (JSC::JSObject::canGetIndexQuickly):
1553         (JSC::JSObject::getIndexQuickly):
1554         (JSC::JSObject::tryGetIndexQuickly const):
1555         (JSC::JSObject::canSetIndexQuickly):
1556         (JSC::JSObject::setIndexQuickly):
1557         (JSC::JSObject::initializeIndex):
1558         (JSC::JSObject::initializeIndexWithoutBarrier):
1559         (JSC::JSObject::butterfly const):
1560         (JSC::JSObject::butterfly):
1561
1562 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1563
1564         We should be OK with the gigacage being disabled on gmalloc
1565         https://bugs.webkit.org/show_bug.cgi?id=175082
1566
1567         Reviewed by Michael Saboff.
1568
1569         * jsc.cpp:
1570         (jscmain):
1571
1572 2017-08-02  Saam Barati  <sbarati@apple.com>
1573
1574         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
1575         https://bugs.webkit.org/show_bug.cgi?id=175041
1576         <rdar://problem/33659370>
1577
1578         Reviewed by Filip Pizlo.
1579
1580         The testing I have done shows that this new function is a ~10%
1581         progression running JetStream on 1GB iOS devices. I've also tried
1582         this on a few > 1GB iOS devices, and the testing shows this is either neutral
1583         or a regression. Right now, we'll just enable this for <= 1GB devices
1584         since it's a win. In the future, we might want to either look into
1585         tweaking these parameters or coming up with a new function for > 1GB
1586         devices.
1587
1588         * heap/Heap.cpp:
1589         * runtime/Options.h:
1590
1591 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
1592
1593         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
1594         https://bugs.webkit.org/show_bug.cgi?id=174727
1595
1596         Reviewed by Mark Lam.
1597         
1598         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
1599         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
1600         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
1601         
1602         This is neutral on JetStream.
1603
1604         * CMakeLists.txt:
1605         * JavaScriptCore.xcodeproj/project.pbxproj:
1606         * b3/B3InsertionSet.cpp:
1607         (JSC::B3::InsertionSet::execute):
1608         * dfg/DFGAbstractInterpreterInlines.h:
1609         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1610         * dfg/DFGArgumentsEliminationPhase.cpp:
1611         * dfg/DFGClobberize.cpp:
1612         (JSC::DFG::readsOverlap):
1613         * dfg/DFGClobberize.h:
1614         (JSC::DFG::clobberize):
1615         * dfg/DFGDoesGC.cpp:
1616         (JSC::DFG::doesGC):
1617         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
1618         (JSC::DFG::performFixedButterflyAccessUncaging):
1619         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
1620         * dfg/DFGFixupPhase.cpp:
1621         (JSC::DFG::FixupPhase::fixupNode):
1622         * dfg/DFGHeapLocation.cpp:
1623         (WTF::printInternal):
1624         * dfg/DFGHeapLocation.h:
1625         * dfg/DFGNodeType.h:
1626         * dfg/DFGPlan.cpp:
1627         (JSC::DFG::Plan::compileInThreadImpl):
1628         * dfg/DFGPredictionPropagationPhase.cpp:
1629         * dfg/DFGSafeToExecute.h:
1630         (JSC::DFG::safeToExecute):
1631         * dfg/DFGSpeculativeJIT.cpp:
1632         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1633         * dfg/DFGSpeculativeJIT32_64.cpp:
1634         (JSC::DFG::SpeculativeJIT::compile):
1635         * dfg/DFGSpeculativeJIT64.cpp:
1636         (JSC::DFG::SpeculativeJIT::compile):
1637         * dfg/DFGTypeCheckHoistingPhase.cpp:
1638         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1639         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1640         * ftl/FTLCapabilities.cpp:
1641         (JSC::FTL::canCompile):
1642         * ftl/FTLLowerDFGToB3.cpp:
1643         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1644         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1645         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1646         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1647         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1648         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1649         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1650         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1651         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
1652         (JSC::FTL::DFG::LowerDFGToB3::caged):
1653         * heap/GigacageSubspace.cpp: Added.
1654         (JSC::GigacageSubspace::GigacageSubspace):
1655         (JSC::GigacageSubspace::~GigacageSubspace):
1656         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
1657         (JSC::GigacageSubspace::freeAlignedMemory):
1658         (JSC::GigacageSubspace::canTradeBlocksWith):
1659         * heap/GigacageSubspace.h: Added.
1660         * heap/Heap.cpp:
1661         (JSC::Heap::Heap):
1662         (JSC::Heap::lastChanceToFinalize):
1663         (JSC::Heap::finalize):
1664         (JSC::Heap::sweepInFinalize):
1665         (JSC::Heap::updateAllocationLimits):
1666         (JSC::Heap::shouldDoFullCollection):
1667         (JSC::Heap::collectIfNecessaryOrDefer):
1668         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
1669         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
1670         (JSC::Heap::sweepLargeAllocations): Deleted.
1671         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
1672         * heap/Heap.h:
1673         * heap/LargeAllocation.cpp:
1674         (JSC::LargeAllocation::tryCreate):
1675         (JSC::LargeAllocation::destroy):
1676         * heap/MarkedAllocator.cpp:
1677         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1678         (JSC::MarkedAllocator::tryAllocateBlock):
1679         * heap/MarkedBlock.cpp:
1680         (JSC::MarkedBlock::tryCreate):
1681         (JSC::MarkedBlock::Handle::Handle):
1682         (JSC::MarkedBlock::Handle::~Handle):
1683         (JSC::MarkedBlock::Handle::didAddToAllocator):
1684         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1685         * heap/MarkedBlock.h:
1686         (JSC::MarkedBlock::Handle::subspace const):
1687         * heap/MarkedSpace.cpp:
1688         (JSC::MarkedSpace::~MarkedSpace):
1689         (JSC::MarkedSpace::freeMemory):
1690         (JSC::MarkedSpace::prepareForAllocation):
1691         (JSC::MarkedSpace::addMarkedAllocator):
1692         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
1693         * heap/MarkedSpace.h:
1694         (JSC::MarkedSpace::firstAllocator const):
1695         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
1696         * heap/Subspace.cpp:
1697         (JSC::Subspace::Subspace):
1698         (JSC::Subspace::canTradeBlocksWith):
1699         (JSC::Subspace::tryAllocateAlignedMemory):
1700         (JSC::Subspace::freeAlignedMemory):
1701         (JSC::Subspace::prepareForAllocation):
1702         (JSC::Subspace::findEmptyBlockToSteal):
1703         * heap/Subspace.h:
1704         (JSC::Subspace::didCreateFirstAllocator):
1705         * heap/SubspaceInlines.h:
1706         (JSC::Subspace::forEachAllocator):
1707         (JSC::Subspace::forEachMarkedBlock):
1708         (JSC::Subspace::forEachNotEmptyMarkedBlock):
1709         * jit/JITPropertyAccess.cpp:
1710         (JSC::JIT::emitDoubleLoad):
1711         (JSC::JIT::emitContiguousLoad):
1712         (JSC::JIT::emitArrayStorageLoad):
1713         (JSC::JIT::emitGenericContiguousPutByVal):
1714         (JSC::JIT::emitArrayStoragePutByVal):
1715         (JSC::JIT::emit_op_get_from_scope):
1716         (JSC::JIT::emit_op_put_to_scope):
1717         (JSC::JIT::emitIntTypedArrayGetByVal):
1718         (JSC::JIT::emitFloatTypedArrayGetByVal):
1719         (JSC::JIT::emitIntTypedArrayPutByVal):
1720         (JSC::JIT::emitFloatTypedArrayPutByVal):
1721         * jsc.cpp:
1722         (fillBufferWithContentsOfFile):
1723         (functionReadFile):
1724         (gigacageDisabled):
1725         (jscmain):
1726         * llint/LowLevelInterpreter64.asm:
1727         * runtime/ArrayBuffer.cpp:
1728         (JSC::ArrayBufferContents::tryAllocate):
1729         (JSC::ArrayBuffer::createAdopted):
1730         (JSC::ArrayBuffer::createFromBytes):
1731         (JSC::ArrayBuffer::tryCreate):
1732         * runtime/IndexingHeader.h:
1733         * runtime/InitializeThreading.cpp:
1734         (JSC::initializeThreading):
1735         * runtime/JSArrayBuffer.cpp:
1736         * runtime/JSArrayBufferView.cpp:
1737         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1738         (JSC::JSArrayBufferView::finalize):
1739         * runtime/JSLock.cpp:
1740         (JSC::JSLock::didAcquireLock):
1741         * runtime/JSObject.h:
1742         * runtime/Options.cpp:
1743         (JSC::recomputeDependentOptions):
1744         * runtime/Options.h:
1745         * runtime/ScopedArgumentsTable.h:
1746         * runtime/VM.cpp:
1747         (JSC::VM::VM):
1748         (JSC::VM::~VM):
1749         (JSC::VM::gigacageDisabledCallback):
1750         (JSC::VM::gigacageDisabled):
1751         * runtime/VM.h:
1752         (JSC::VM::fireGigacageEnabledIfNecessary):
1753         (JSC::VM::gigacageEnabled):
1754         * wasm/WasmB3IRGenerator.cpp:
1755         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1756         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1757         * wasm/WasmCodeBlock.cpp:
1758         (JSC::Wasm::CodeBlock::isSafeToRun):
1759         * wasm/WasmMemory.cpp:
1760         (JSC::Wasm::makeString):
1761         (JSC::Wasm::Memory::create):
1762         (JSC::Wasm::Memory::~Memory):
1763         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
1764         (JSC::Wasm::Memory::grow):
1765         (JSC::Wasm::Memory::initializePreallocations): Deleted.
1766         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
1767         * wasm/WasmMemory.h:
1768         * wasm/js/JSWebAssemblyInstance.cpp:
1769         (JSC::JSWebAssemblyInstance::create):
1770         * wasm/js/JSWebAssemblyMemory.cpp:
1771         (JSC::JSWebAssemblyMemory::grow):
1772         (JSC::JSWebAssemblyMemory::finishCreation):
1773         * wasm/js/JSWebAssemblyMemory.h:
1774         (JSC::JSWebAssemblyMemory::subspaceFor):
1775
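As an added illustration of the masking described in the gigacage entry above (and of the CagedPtr<> adoption in the earlier JSObject::m_butterfly entry), not WebKit's own Gigacage code: a cage is a power-of-two region whose base is aligned to its size, and a pointer is "caged" as base + (ptr & mask), so a pointer that has been rewired outside the region is forced back inside before it is dereferenced. The cage size, class names and the rewired pointer are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy cage for illustration (not WebKit's Gigacage): a power-of-two sized
// region whose base is aligned to its size. Real cages are multi-GB; 64 KiB
// is a constructed value that is enough to show the masking.
constexpr std::uintptr_t kCageSize = 64 * 1024;
constexpr std::uintptr_t kCageMask = kCageSize - 1;

class ToyCage {
public:
    ToyCage()
        : m_backing(2 * kCageSize) // zero-filled; over-allocated so we can align
    {
        std::uintptr_t raw = reinterpret_cast<std::uintptr_t>(m_backing.data());
        m_base = (raw + kCageMask) & ~kCageMask; // round up to a kCageSize boundary
    }

    // Same shape as base + (ptr & mask): keep only the in-cage offset bits of
    // the incoming pointer and rebase them onto the cage. Null stays null.
    template<typename T>
    T* caged(T* ptr) const
    {
        if (!ptr)
            return nullptr;
        std::uintptr_t offset = reinterpret_cast<std::uintptr_t>(ptr) & kCageMask;
        return reinterpret_cast<T*>(m_base + offset);
    }

    bool contains(const void* ptr) const
    {
        std::uintptr_t p = reinterpret_cast<std::uintptr_t>(ptr);
        return p >= m_base && p < m_base + kCageSize;
    }

    // Bump allocation inside the cage (no freeing; enough for the demo).
    void* allocate(std::size_t bytes)
    {
        if (m_used + bytes > kCageSize)
            return nullptr;
        void* result = reinterpret_cast<void*>(m_base + m_used);
        m_used += bytes;
        return result;
    }

private:
    std::vector<std::uint8_t> m_backing;
    std::uintptr_t m_base = 0;
    std::size_t m_used = 0;
};

// A field read only through the cage, in the spirit of CagedPtr<>: the raw
// pointer is stored as-is, every dereference goes through caged().
template<typename T>
class ToyCagedPtr {
public:
    ToyCagedPtr(const ToyCage& cage, T* ptr) : m_cage(cage), m_ptr(ptr) {}
    T* get() const { return m_cage.caged(m_ptr); }
    // Stands in for memory corruption overwriting the stored pointer.
    void rewire(T* ptr) { m_ptr = ptr; }
private:
    const ToyCage& m_cage;
    T* m_ptr;
};

// 1. A legitimate in-cage pointer is a fixed point of caging.
bool cagedInCagePointerIsIdentity()
{
    ToyCage cage;
    int* slot = static_cast<int*>(cage.allocate(sizeof(int)));
    return cage.caged(slot) == slot;
}

// 2. A pointer rewired to a plain heap buffer outside the cage (constructed
//    here) is forced back inside before it could be dereferenced.
bool cagedForeignPointerLandsInCage()
{
    ToyCage cage;
    std::vector<int> outside(1, 1337);
    int* rewired = outside.data();
    int* masked = cage.caged(rewired);
    return masked != rewired && cage.contains(masked);
}

// 3. A read through the caged field can only observe cage contents (here 0
//    from the zero-filled backing, or the 42 we stored), never the 1337
//    sitting outside the cage.
int valueReadThroughCage()
{
    ToyCage cage;
    int* slot = static_cast<int*>(cage.allocate(sizeof(int)));
    *slot = 42;
    std::vector<int> outside(1, 1337);
    ToyCagedPtr<int> field(cage, slot);
    field.rewire(outside.data());
    return *field.get();
}
```
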
1776 2017-07-31  Mark Lam  <mark.lam@apple.com>
1777
1778         Added some UNLIKELYs to operationOptimize().
1779         https://bugs.webkit.org/show_bug.cgi?id=174976
1780
1781         Reviewed by JF Bastien.
1782
1783         * jit/JITOperations.cpp:
1784
1785 2017-07-31  Keith Miller  <keith_miller@apple.com>
1786
1787         Make more things LLInt constexprs
1788         https://bugs.webkit.org/show_bug.cgi?id=174994
1789
1790         Reviewed by Saam Barati.
1791
1792         This patch makes more of the const values in the LLInt constexprs.
1793         It also deletes all of the no longer necessary static_asserts in
1794         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
1795
1796         * interpreter/ShadowChicken.h:
1797         (JSC::ShadowChicken::Packet::tailMarker):
1798         * llint/LLIntData.cpp:
1799         (JSC::LLInt::Data::performAssertions):
1800         * llint/LowLevelInterpreter.asm:
1801         * offlineasm/generate_offset_extractor.rb:
1802         * offlineasm/parser.rb:
1803
1804 2017-07-31  Matt Lewis  <jlewis3@apple.com>
1805
1806         Unreviewed, rolling out r220060.
1807
1808         This broke our internal builds. Contact reviewer of patch for
1809         more information.
1810
1811         Reverted changeset:
1812
1813         "Merge WTFThreadData to Thread::current"
1814         https://bugs.webkit.org/show_bug.cgi?id=174716
1815         http://trac.webkit.org/changeset/220060
1816
1817 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1818
1819         [JSC] Support optional catch binding
1820         https://bugs.webkit.org/show_bug.cgi?id=174981
1821
1822         Reviewed by Saam Barati.
1823
1824         This patch implements the optional catch binding proposal [1], which is now stage 3.
1825         This proposal adds a new `catch` brace with no error value binding.
1826
1827             ```
1828                 try {
1829                     ...
1830                 } catch {
1831                     ...
1832                 }
1833             ```
1834
1835         Sometimes we do not actually need the error value. For example, a function may return a
1836         boolean that indicates whether the function succeeded.
1837
1838             ```
1839             function parse(result) // -> bool
1840             {
1841                  try {
1842                      parseInner(result);
1843                  } catch {
1844                      return false;
1845                  }
1846                  return true;
1847             }
1848             ```
1849
1850         In the above case, we are not interested in the actual error value. Without this syntax,
1851         we always need to introduce a binding for an error value that is just ignored.
1852
1853         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
1854
1855         * bytecompiler/NodesCodegen.cpp:
1856         (JSC::TryNode::emitBytecode):
1857         * parser/Parser.cpp:
1858         (JSC::Parser<LexerType>::parseTryStatement):
1859
1860 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1861
1862         Merge WTFThreadData to Thread::current
1863         https://bugs.webkit.org/show_bug.cgi?id=174716
1864
1865         Reviewed by Sam Weinig.
1866
1867         Use Thread::current() instead.
1868
1869         * API/JSContext.mm:
1870         (+[JSContext currentContext]):
1871         (+[JSContext currentThis]):
1872         (+[JSContext currentCallee]):
1873         (+[JSContext currentArguments]):
1874         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1875         (-[JSContext endCallbackWithData:]):
1876         * heap/Heap.cpp:
1877         (JSC::Heap::requestCollection):
1878         * runtime/Completion.cpp:
1879         (JSC::checkSyntax):
1880         (JSC::checkModuleSyntax):
1881         (JSC::evaluate):
1882         (JSC::loadAndEvaluateModule):
1883         (JSC::loadModule):
1884         (JSC::linkAndEvaluateModule):
1885         (JSC::importModule):
1886         * runtime/Identifier.cpp:
1887         (JSC::Identifier::checkCurrentAtomicStringTable):
1888         * runtime/InitializeThreading.cpp:
1889         (JSC::initializeThreading):
1890         * runtime/JSLock.cpp:
1891         (JSC::JSLock::didAcquireLock):
1892         (JSC::JSLock::willReleaseLock):
1893         (JSC::JSLock::dropAllLocks):
1894         (JSC::JSLock::grabAllLocks):
1895         * runtime/JSLock.h:
1896         * runtime/VM.cpp:
1897         (JSC::VM::VM):
1898         (JSC::VM::updateStackLimits):
1899         (JSC::VM::committedStackByteCount):
1900         * runtime/VM.h:
1901         (JSC::VM::isSafeToRecurse const):
1902         * runtime/VMEntryScope.cpp:
1903         (JSC::VMEntryScope::VMEntryScope):
1904         * runtime/VMInlines.h:
1905         (JSC::VM::ensureStackCapacityFor):
1906         * yarr/YarrPattern.cpp:
1907         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1908
1909 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1910
1911         [WTF] Introduce Private Symbols
1912         https://bugs.webkit.org/show_bug.cgi?id=174935
1913
1914         Reviewed by Darin Adler.
1915
1916         Use SymbolImpl::isPrivate().
1917
1918         * builtins/BuiltinNames.cpp:
1919         * builtins/BuiltinNames.h:
1920         (JSC::BuiltinNames::isPrivateName): Deleted.
1921         * builtins/BuiltinUtils.h:
1922         * bytecode/BytecodeIntrinsicRegistry.cpp:
1923         (JSC::BytecodeIntrinsicRegistry::lookup):
1924         * runtime/CommonIdentifiers.cpp:
1925         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1926         * runtime/CommonIdentifiers.h:
1927         * runtime/ExceptionHelpers.cpp:
1928         (JSC::createUndefinedVariableError):
1929         * runtime/Identifier.h:
1930         (JSC::Identifier::isPrivateName):
1931         * runtime/IdentifierInlines.h:
1932         (JSC::identifierToSafePublicJSValue):
1933         * runtime/ObjectConstructor.cpp:
1934         (JSC::objectConstructorAssign):
1935         (JSC::defineProperties):
1936         (JSC::setIntegrityLevel):
1937         (JSC::testIntegrityLevel):
1938         (JSC::ownPropertyKeys):
1939         * runtime/PrivateName.h:
1940         (JSC::PrivateName::PrivateName):
1941         * runtime/PropertyName.h:
1942         (JSC::PropertyName::isPrivateName):
1943         * runtime/ProxyObject.cpp:
1944         (JSC::performProxyGet):
1945         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1946         (JSC::ProxyObject::performHasProperty):
1947         (JSC::ProxyObject::performPut):
1948         (JSC::ProxyObject::performDelete):
1949         (JSC::ProxyObject::performDefineOwnProperty):
1950
1951 2017-07-29  Keith Miller  <keith_miller@apple.com>
1952
1953         LLInt offsets extractor should be able to handle C++ constexprs
1954         https://bugs.webkit.org/show_bug.cgi?id=174964
1955
1956         Reviewed by Saam Barati.
1957
1958         This patch adds new syntax to the offline asm language. The new keyword,
1959         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1960         expression. Additionally, if the value is not an identifier you can wrap it in
1961         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1962         which will get converted into:
1963         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1964
1965         This patch also changes the data format the LLIntOffsetsExtractor
1966         binary produces.  Previously, it would produce unsigned values,
1967         after this patch every value is an int64_t.  Using an int64_t is
1968         useful because it means that we can represent any constant needed.
1969         int32_t masks are sign extended, then passed and converted to a
1970         negative literal string in the assembler, so it will be the constant
1971         expected.
1972
1973         * llint/LLIntOffsetsExtractor.cpp:
1974         (JSC::LLIntOffsetsExtractor::dummy):
1975         * llint/LowLevelInterpreter.asm:
1976         * llint/LowLevelInterpreter64.asm:
1977         * offlineasm/asm.rb:
1978         * offlineasm/ast.rb:
1979         * offlineasm/generate_offset_extractor.rb:
1980         * offlineasm/offsets.rb:
1981         * offlineasm/parser.rb:
1982         * offlineasm/transform.rb:
1983
1984 2017-07-28  Matt Baker  <mattbaker@apple.com>
1985
1986         Web Inspector: capture an async stack trace when web content calls addEventListener
1987         https://bugs.webkit.org/show_bug.cgi?id=174739
1988         <rdar://problem/33468197>
1989
1990         Reviewed by Brian Burg.
1991
1992         Allow debugger agents to perform custom logic when asynchronous stack
1993         trace data is cleared. For example, the PageDebuggerAgent would clear
1994         its list of registered listeners for which call stacks have been recorded.
1995
1996         * inspector/agents/InspectorDebuggerAgent.cpp:
1997         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1998         * inspector/agents/InspectorDebuggerAgent.h:
1999
2000 2017-07-28  Mark Lam  <mark.lam@apple.com>
2001
2002         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
2003         https://bugs.webkit.org/show_bug.cgi?id=174948
2004         <rdar://problem/33495680>
2005
2006         Reviewed by Filip Pizlo.
2007
2008         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
2009         owner StructureRareData is already known to be dead (in terms of GC liveness) but
2010         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
2011         requests to fire this watchpoint.
2012
2013         If the GC had the chance to sweep the StructureRareData, thereby destructing the
2014         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
2015         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
2016
2017         But since the watchpoint hasn't been destructed yet, it still remains on the
2018         WatchpointSet and needs to guard against being fired in this state.  The fix is
2019         to simply return early if its owner StructureRareData is not live.  This has the
2020         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
2021         not firing as we would expect.
2022
2023         This patch also removes some cargo cult copying of watchpoint code which
2024         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
2025         used.  This patch removes these unnecessary instantiations.
2026
2027         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2028         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2029         * runtime/StructureRareData.cpp:
2030         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2031         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2032
2033 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2034
2035         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
2036         https://bugs.webkit.org/show_bug.cgi?id=174900
2037
2038         Reviewed by Saam Barati.
2039
2040         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
2041         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
2042         The problem is that the transforming phase also checks these pseudo terminals.
2043
2044             BB1
2045             1: ForceOSRExit
2046             2: CreateDirectArguments
2047
2048             BB2
2049             3: GetButterfly(@2)
2050             4: ForceOSRExit
2051
2052         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
2053
2054         In this patch, we do not list candidates after seeing pseudo terminals in basic blocks.
2055
2056         * dfg/DFGArgumentsEliminationPhase.cpp:
2057
2058 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
2059
2060         [ES] Add support finally to Promise
2061         https://bugs.webkit.org/show_bug.cgi?id=174503
2062
2063         Reviewed by Yusuke Suzuki.
2064
2065         Add support for the `finally` method to Promise according
2066         to https://bugs.webkit.org/show_bug.cgi?id=174503
2067         Current spec at stage 3:
2068         https://github.com/tc39/proposal-promise-finally
2069
2070         * builtins/PromisePrototype.js:
2071         (finally):
2072         (const.valueThunk):
2073         (globalPrivate.getThenFinally):
2074         (const.thrower):
2075         (globalPrivate.getCatchFinally):
2076         * runtime/JSPromisePrototype.cpp:
2077
2078 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2079
2080         Unreviewed, build fix for CLoop
2081         https://bugs.webkit.org/show_bug.cgi?id=171637
2082
2083         * domjit/DOMJITGetterSetter.h:
2084
2085 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2086
2087         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
2088         https://bugs.webkit.org/show_bug.cgi?id=171637
2089
2090         Reviewed by Darin Adler.
2091
2092         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
2093         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
2094
2095         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
2096         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
2097
2098         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for the
2099         op_get_by_id_with_this case yet.
2100         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
2101
2102         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
2103         ClassInfo check.
2104
2105         * CMakeLists.txt:
2106         * JavaScriptCore.xcodeproj/project.pbxproj:
2107         * bytecode/AccessCase.cpp:
2108         (JSC::AccessCase::generateImpl):
2109         * bytecode/GetByIdStatus.cpp:
2110         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2111         * bytecode/GetByIdVariant.cpp:
2112         (JSC::GetByIdVariant::GetByIdVariant):
2113         (JSC::GetByIdVariant::operator=):
2114         (JSC::GetByIdVariant::attemptToMerge):
2115         (JSC::GetByIdVariant::dumpInContext):
2116         * bytecode/GetByIdVariant.h:
2117         (JSC::GetByIdVariant::customAccessorGetter):
2118         (JSC::GetByIdVariant::domAttribute):
2119         (JSC::GetByIdVariant::domJIT): Deleted.
2120         * bytecode/GetterSetterAccessCase.cpp:
2121         (JSC::GetterSetterAccessCase::create):
2122         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
2123         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2124         * bytecode/GetterSetterAccessCase.h:
2125         (JSC::GetterSetterAccessCase::domAttribute):
2126         (JSC::GetterSetterAccessCase::customAccessor):
2127         (JSC::GetterSetterAccessCase::domJIT): Deleted.
2128         * bytecompiler/BytecodeGenerator.cpp:
2129         (JSC::BytecodeGenerator::instantiateLexicalVariables):
2130         * create_hash_table:
2131         * dfg/DFGAbstractInterpreterInlines.h:
2132         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2133         * dfg/DFGByteCodeParser.cpp:
2134         (JSC::DFG::blessCallDOMGetter):
2135         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2136         (JSC::DFG::ByteCodeParser::handleGetById):
2137         * dfg/DFGClobberize.h:
2138         (JSC::DFG::clobberize):
2139         * dfg/DFGFixupPhase.cpp:
2140         (JSC::DFG::FixupPhase::fixupNode):
2141         * dfg/DFGNode.h:
2142         * dfg/DFGSpeculativeJIT.cpp:
2143         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2144         * dfg/DFGSpeculativeJIT.h:
2145         (JSC::DFG::SpeculativeJIT::callCustomGetter):
2146         * domjit/DOMJITGetterSetter.h:
2147         (JSC::DOMJIT::GetterSetter::GetterSetter):
2148         (JSC::DOMJIT::GetterSetter::getter):
2149         (JSC::DOMJIT::GetterSetter::compiler):
2150         (JSC::DOMJIT::GetterSetter::resultType):
2151         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
2152         (JSC::DOMJIT::GetterSetter::setter): Deleted.
2153         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
2154         * ftl/FTLLowerDFGToB3.cpp:
2155         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
2156         * jit/Repatch.cpp:
2157         (JSC::tryCacheGetByID):
2158         * jsc.cpp:
2159         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2160         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2161         (WTF::DOMJITGetter::customGetter):
2162         (WTF::DOMJITGetter::finishCreation):
2163         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2164         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2165         (WTF::DOMJITGetterComplex::customGetter):
2166         (WTF::DOMJITGetterComplex::finishCreation):
2167         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
2168         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
2169         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
2170         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
2171         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
2172         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
2173         * runtime/CustomGetterSetter.h:
2174         (JSC::CustomGetterSetter::create):
2175         (JSC::CustomGetterSetter::setter):
2176         (JSC::CustomGetterSetter::CustomGetterSetter):
2177         (): Deleted.
2178         * runtime/DOMAnnotation.h: Added.
2179         (JSC::operator==):
2180         (JSC::operator!=):
2181         * runtime/DOMAttributeGetterSetter.cpp: Added.
2182         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
2183         (JSC::isDOMAttributeGetterSetter):
2184         * runtime/Error.cpp:
2185         (JSC::throwDOMAttributeGetterTypeError):
2186         * runtime/Error.h:
2187         (JSC::throwVMDOMAttributeGetterTypeError):
2188         * runtime/JSCustomGetterSetterFunction.cpp:
2189         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
2190         * runtime/JSObject.cpp:
2191         (JSC::JSObject::putInlineSlow):
2192         (JSC::JSObject::deleteProperty):
2193         (JSC::JSObject::getOwnStaticPropertySlot):
2194         (JSC::JSObject::reifyAllStaticProperties):
2195         (JSC::JSObject::fillGetterPropertySlot):
2196         (JSC::JSObject::findPropertyHashEntry): Deleted.
2197         * runtime/JSObject.h:
2198         (JSC::JSObject::getOwnNonIndexPropertySlot):
2199         (JSC::JSObject::fillCustomGetterPropertySlot):
2200         * runtime/Lookup.cpp:
2201         (JSC::setUpStaticFunctionSlot):
2202         * runtime/Lookup.h:
2203         (JSC::HashTableValue::domJIT):
2204         (JSC::getStaticPropertySlotFromTable):
2205         (JSC::putEntry):
2206         (JSC::lookupPut):
2207         (JSC::reifyStaticProperty):
2208         (JSC::reifyStaticProperties):
2209         Each static property table has a new field ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
2210         this static property table require.
2211
2212         * runtime/ProgramExecutable.cpp:
2213         (JSC::ProgramExecutable::initializeGlobalProperties):
2214         * runtime/PropertyName.h:
2215         * runtime/PropertySlot.cpp:
2216         (JSC::PropertySlot::customGetter):
2217         (JSC::PropertySlot::customAccessorGetter):
2218         * runtime/PropertySlot.h:
2219         (JSC::PropertySlot::domAttribute):
2220         (JSC::PropertySlot::setCustom):
2221         (JSC::PropertySlot::setCacheableCustom):
2222         (JSC::PropertySlot::getValue):
2223         (JSC::PropertySlot::domJIT): Deleted.
2224         * runtime/VM.cpp:
2225         (JSC::VM::VM):
2226         * runtime/VM.h:
2227
2228 2017-07-26  Devin Rousso  <drousso@apple.com>
2229
2230         Web Inspector: create protocol for recording Canvas contexts
2231         https://bugs.webkit.org/show_bug.cgi?id=174481
2232
2233         Reviewed by Joseph Pecoraro.
2234
2235         * inspector/protocol/Canvas.json:
2236          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
2237          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
2238          - Add `recordingFinished` event that is fired once a recording is finished.
2239
2240         * CMakeLists.txt:
2241         * DerivedSources.make:
2242         * inspector/protocol/Recording.json: Added.
2243          - Add `Type` enum that lists the types of recordings
2244          - Add `InitialState` type that contains information about the canvas context at the
2245            beginning of the recording.
2246          - Add `Frame` type that holds a list of actions that were recorded.
2247          - Add `Recording` type as the container object of recording data.
2248
2249         * inspector/scripts/codegen/generate_js_backend_commands.py:
2250         (JSBackendCommandsGenerator.generate_domain):
2251         Create an agent for domains with no events or commands.
2252
2253         * inspector/InspectorValues.h:
2254         Make Array `get` public so that values can be retrieved if needed.
2255
2256 2017-07-26  Brian Burg  <bburg@apple.com>
2257
2258         Remove WEB_TIMING feature flag
2259         https://bugs.webkit.org/show_bug.cgi?id=174795
2260
2261         Reviewed by Alex Christensen.
2262
2263         * Configurations/FeatureDefines.xcconfig:
2264
2265 2017-07-26  Mark Lam  <mark.lam@apple.com>
2266
2267         Add the ability to change sp and pc to the ARM64 JIT probe.
2268         https://bugs.webkit.org/show_bug.cgi?id=174697
2269         <rdar://problem/33436965>
2270
2271         Reviewed by JF Bastien.
2272
2273         This patch implements the following:
2274
2275         1. The ARM64 probe now supports modifying the pc and sp.
2276
2277            However, lr is not preserved when modifying the pc because it is used as the
2278            scratch register for the indirect jump. Hence, the probe handler function
2279            may not modify both lr and pc in the same probe invocation.
2280
2281         2. Fix probe tests to use bitwise comparison when comparing double register
2282            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
2283
2284         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
2285            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
2286            instructions which require 16 byte alignment for their memory access.
2287
2288         * assembler/MacroAssemblerARM64.cpp:
2289         (JSC::arm64ProbeError):
2290         (JSC::MacroAssembler::probe):
2291         (JSC::arm64ProbeTrampoline): Deleted.
2292         * assembler/testmasm.cpp:
2293         (JSC::isSpecialGPR):
2294         (JSC::testProbeReadsArgumentRegisters):
2295         (JSC::testProbeWritesArgumentRegisters):
2296         (JSC::testProbePreservesGPRS):
2297         (JSC::testProbeModifiesStackPointer):
2298         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2299         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2300
2301 2017-07-25  JF Bastien  <jfbastien@apple.com>
2302
2303         WebAssembly: generate smaller binaries
2304         https://bugs.webkit.org/show_bug.cgi?id=174818
2305
2306         Reviewed by Filip Pizlo.
2307
2308         This patch reduces generated code size for WebAssembly in 2 ways:
2309
2310         1. Use the ZR register when storing zero on ARM64.
2311         2. Synthesize wasm context lazily.
2312
2313         This leads to a modest size reduction on both x86-64 and ARM64 for
2314         large WebAssembly games, without any performance loss on WasmBench
2315         and TitzerBench.
2316
2317         The reason this works is that these games, using Emscripten,
2318         generate 100k+ tiny functions, and our JIT allocation granule
2319         rounds all allocations up to 32 bytes. There are plenty of other
2320         simple gains to be had, I've filed a follow-up bug at
2321         webkit.org/b/174819
2322
2323         We should further avoid the per-function cost of tiering, which
2324         represents the bulk of code generated for small functions.
2325
2326         * assembler/MacroAssemblerARM64.h:
2327         (JSC::MacroAssemblerARM64::storeZero64):
2328         * assembler/MacroAssemblerX86_64.h:
2329         (JSC::MacroAssemblerX86_64::storeZero64):
2330         * b3/B3LowerToAir.cpp:
2331         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
2332         for x86 because it constrains register reuse and codegen in a way
2333         that doesn't affect ARM64 because it has a dedicated zero
2334         register.
2335         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
2336         * wasm/WasmB3IRGenerator.cpp:
2337         (JSC::Wasm::B3IRGenerator::instanceValue):
2338         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
2339         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2340         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
2341
2342 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
2343
2344         B3 should do LICM
2345         https://bugs.webkit.org/show_bug.cgi?id=174750
2346
2347         Reviewed by Keith Miller and Saam Barati.
2348         
2349         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
2350         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
2351         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
2352         change templatizes DFG::NaturalLoops so that we can just use it.
2353         
2354         The LICM phase itself is really simple. We are decently precise with our handling of everything except
2355         the relationship between control dependence and side exits.
2356         
2357         Also added a bunch of tests.
2358         
2359         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
2360         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
2361         so it doesn't hurt to have it.
2362         
2363         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
2364         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
2365         it's good to have it because LICM is one of those core compiler phases; every compiler has it
2366         eventually.
2367
2368         * CMakeLists.txt:
2369         * JavaScriptCore.xcodeproj/project.pbxproj:
2370         * b3/B3BackwardsCFG.h: Added.
2371         (JSC::B3::BackwardsCFG::BackwardsCFG):
2372         * b3/B3BackwardsDominators.h: Added.
2373         (JSC::B3::BackwardsDominators::BackwardsDominators):
2374         * b3/B3BasicBlock.cpp:
2375         (JSC::B3::BasicBlock::appendNonTerminal):
2376         * b3/B3Effects.h:
2377         * b3/B3EnsureLoopPreHeaders.cpp: Added.
2378         (JSC::B3::ensureLoopPreHeaders):
2379         * b3/B3EnsureLoopPreHeaders.h: Added.
2380         * b3/B3Generate.cpp:
2381         (JSC::B3::generateToAir):
2382         * b3/B3HoistLoopInvariantValues.cpp: Added.
2383         (JSC::B3::hoistLoopInvariantValues):
2384         * b3/B3HoistLoopInvariantValues.h: Added.
2385         * b3/B3NaturalLoops.h: Added.
2386         (JSC::B3::NaturalLoops::NaturalLoops):
2387         * b3/B3Procedure.cpp:
2388         (JSC::B3::Procedure::invalidateCFG):
2389         (JSC::B3::Procedure::naturalLoops):
2390         (JSC::B3::Procedure::backwardsCFG):
2391         (JSC::B3::Procedure::backwardsDominators):
2392         * b3/B3Procedure.h:
2393         * b3/testb3.cpp:
2394         (JSC::B3::generateLoop):
2395         (JSC::B3::makeArrayForLoops):
2396         (JSC::B3::generateLoopNotBackwardsDominant):
2397         (JSC::B3::oneFunction):
2398         (JSC::B3::noOpFunction):
2399         (JSC::B3::testLICMPure):
2400         (JSC::B3::testLICMPureSideExits):
2401         (JSC::B3::testLICMPureWritesPinned):
2402         (JSC::B3::testLICMPureWrites):
2403         (JSC::B3::testLICMReadsLocalState):
2404         (JSC::B3::testLICMReadsPinned):
2405         (JSC::B3::testLICMReads):
2406         (JSC::B3::testLICMPureNotBackwardsDominant):
2407         (JSC::B3::testLICMPureFoiledByChild):
2408         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
2409         (JSC::B3::testLICMExitsSideways):
2410         (JSC::B3::testLICMWritesLocalState):
2411         (JSC::B3::testLICMWrites):
2412         (JSC::B3::testLICMFence):
2413         (JSC::B3::testLICMWritesPinned):
2414         (JSC::B3::testLICMControlDependent):
2415         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
2416         (JSC::B3::testLICMControlDependentSideExits):
2417         (JSC::B3::testLICMReadsPinnedWritesPinned):
2418         (JSC::B3::testLICMReadsWritesDifferentHeaps):
2419         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
2420         (JSC::B3::testLICMDefaultCall):
2421         (JSC::B3::run):
2422         * dfg/DFGBasicBlock.h:
2423         * dfg/DFGCFG.h:
2424         * dfg/DFGNaturalLoops.cpp: Removed.
2425         * dfg/DFGNaturalLoops.h:
2426         (JSC::DFG::NaturalLoops::NaturalLoops):
2427         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
2428         (JSC::DFG::NaturalLoop::header): Deleted.
2429         (JSC::DFG::NaturalLoop::size): Deleted.
2430         (JSC::DFG::NaturalLoop::at): Deleted.
2431         (JSC::DFG::NaturalLoop::operator[]): Deleted.
2432         (JSC::DFG::NaturalLoop::contains): Deleted.
2433         (JSC::DFG::NaturalLoop::index): Deleted.
2434         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
2435         (JSC::DFG::NaturalLoop::addBlock): Deleted.
2436         (JSC::DFG::NaturalLoops::numLoops): Deleted.
2437         (JSC::DFG::NaturalLoops::loop): Deleted.
2438         (JSC::DFG::NaturalLoops::headerOf): Deleted.
2439         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
2440         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
2441         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
2442         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
2443
2444 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
2445
2446         GC should be fine with trading blocks between destructor and non-destructor blocks
2447         https://bugs.webkit.org/show_bug.cgi?id=174811
2448
2449         Reviewed by Mark Lam.
2450         
2451         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
2452         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
2453         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
2454         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
2455         set.
2456         
2457         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
2458         is empty if:
2459         
2460         A) It has no live objects and it's a non-destructor block, or
2461         B) We just allocated it (so it has no destructors even if it's a destructor block), or
2462         C) We just stole it from another allocator (so it also has no destructors), or
2463         D) We just swept the block and ran all destructors.
2464         
2465         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
2466         block that could be stolen.
2467
2468         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
2469         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
2470         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
2471         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
2472         
2473         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
2474         
2475         If we tried to enable trading of blocks between allocators without making any changes to how
2476         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
2477         live objects in order for those bits to be candidates for trading. But if we do that, then our
2478         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
2479         our destructors won't run and we'll leak memory.
2480         
2481         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
2482         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
2483         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
2484         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
2485         are (empty & ~destructible).
2486         
2487         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
2488         remove destructor-oriented special-casing of block trading.
2489
2490         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
2491         so this change is more about clean-up than perf. But, this could reduce memory usage in some
2492         pathological cases.
2493         
2494         * heap/MarkedAllocator.cpp:
2495         (JSC::MarkedAllocator::findEmptyBlockToSteal):
2496         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2497         (JSC::MarkedAllocator::endMarking):
2498         (JSC::MarkedAllocator::shrink):
2499         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
2500         * heap/MarkedAllocator.h:
2501         * heap/MarkedBlock.cpp:
2502         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2503         (JSC::MarkedBlock::Handle::sweep):
2504         * heap/MarkedBlockInlines.h:
2505         (JSC::MarkedBlock::Handle::specializedSweep):
2506         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
2507         (JSC::MarkedBlock::Handle::emptyMode):
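
         As an added illustration (not WebKit code) of the bookkeeping this entry describes: a small C++ model in which a block carries separate `empty` and `destructible` bits, showing the two failure modes the entry names (destructing garbage in cases (B)/(C), and leaking destructors once `empty` doubles as "no destructors") beside the corrected sweep, shrink and trade logic. Every type and function name below is hypothetical.

```cpp
// Added example, not WebKit code: a small model of the `empty` and `destructible`
// block bits described in the entry above. Every name here is hypothetical.
#include <cstddef>
#include <vector>

struct Cell {
    bool live;          // survived the last marking phase
    bool zapped;        // already destructed (models JSC's isZapped check)
    bool hasDestructor; // a destructor still has to run when the cell dies
};

struct Block {
    bool empty = false;        // no live objects: candidate for trading and shrinking
    bool destructible = false; // may hold objects whose destructors have not run yet
    std::vector<Cell> cells;
    std::size_t destructorsRun = 0;
    std::size_t garbageDestructed = 0; // in the real collector this is a crash
};

// Case (B): a freshly allocated block. Its memory is uninitialised, so the cell
// bits are garbage; the garbage faked here happens to look like undestructed cells.
Block allocateBlock(std::size_t cellCount)
{
    Block b;
    b.cells.assign(cellCount, Cell{false, false, true});
    b.empty = true;         // nothing live in it yet ...
    b.destructible = false; // ... and nothing to destruct either
    return b;
}

// A block whose objects were all allocated and then died before the last GC.
Block blockWithDeadDestructibleObjects(std::size_t cellCount)
{
    Block b;
    b.cells.assign(cellCount, Cell{false, false, true});
    return b;
}

// End of marking: the GC flags every block it visited as destructible and records
// whether any object in it is still live. `empty` alone no longer means "no destructors".
void endMarking(Block& b)
{
    bool anyLive = false;
    for (const Cell& c : b.cells)
        anyLive = anyLive || c.live;
    b.empty = !anyLive;
    b.destructible = true;
}

// Sweeping with the new bookkeeping: destructors run only when the block is
// flagged destructible, whatever `empty` says. Afterwards the block is in
// case (D): (empty & ~destructible), which is what shrink looks for.
void sweep(Block& b)
{
    if (b.destructible) {
        for (Cell& c : b.cells) {
            if (c.live || c.zapped) continue;
            if (c.hasDestructor) ++b.destructorsRun;
            c.zapped = true;
        }
    }
    b.destructible = false;
}

// The old policy the entry describes ("if a block is empty, we don't run destructors").
// Once `empty` is also set on dead-but-destructible blocks so they can be traded,
// every pending destructor is silently skipped: a leak.
void sweepLegacyEmptyMeansNoDestructors(Block& b)
{
    if (b.empty) return;
    for (Cell& c : b.cells) {
        if (c.live || c.zapped) continue;
        if (c.hasDestructor) ++b.destructorsRun;
        c.zapped = true;
    }
}

// The opposite failure from cases (B)/(C): running destructors over a fresh
// block's garbage bits because nothing recorded that it has nothing to destruct.
void sweepIgnoringDestructibleBit(Block& b)
{
    for (Cell& c : b.cells) {
        if (c.live || c.zapped) continue;
        if (c.hasDestructor) ++b.garbageDestructed; // "destructor" run on garbage
        c.zapped = true;
    }
}

// Shrink: only blocks with no live objects and no pending destructors are freed.
bool canFreeOnShrink(const Block& b) { return b.empty && !b.destructible; }

// Trading: an empty block may move to another allocator; it is swept first so
// it arrives with no pending destructors (case (C)).
bool stealBlock(Block& b)
{
    if (!b.empty) return false;
    sweep(b);
    return true;
}
```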
2508
2509 2017-07-25  Keith Miller  <keith_miller@apple.com>
2510
2511         Remove Broken CompareEq constant folding phase.
2512         https://bugs.webkit.org/show_bug.cgi?id=174846
2513         <rdar://problem/32978808>
2514
2515         Reviewed by Saam Barati.
2516
2517         This bug happened when we would get code like the following:
2518
2519         a: JSConst(Undefined)
2520         b: GetLocal(SomeObjectOrUndefined)
2521         ...
2522         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
2523
2524         constant folding will turn this into:
2525
2526         a: JSConst(Undefined)
2527         b: GetLocal(SomeObjectOrUndefined)
2528         ...
2529         c: CompareEq(Check:ObjectOrOther:b, Other:a)
2530
2531         But the SpeculativeJIT/FTL lowering will fail to check b
2532         properly which leads to an assertion failure in the AI.
2533
2534         I'll follow up with a more robust fix later. For now, I'll remove the
2535         case that generates the code. Removing the code appears to be perf
2536         neutral.
2537
2538         * dfg/DFGConstantFoldingPhase.cpp:
2539         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2540
2541 2017-07-25  Matt Baker  <mattbaker@apple.com>
2542
2543         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
2544         https://bugs.webkit.org/show_bug.cgi?id=174738
2545
2546         Reviewed by Brian Burg.
2547
2548         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
2549         stack traces. This preserves the call type in JSC, makes the range of
2550         possible call types explicit, and is safer than passing ints.
2551
2552         * inspector/agents/InspectorDebuggerAgent.cpp:
2553         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
2554         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2555         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2556         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2557         * inspector/agents/InspectorDebuggerAgent.h:
2558
2559 2017-07-25  Mark Lam  <mark.lam@apple.com>
2560
2561         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
2562         https://bugs.webkit.org/show_bug.cgi?id=174809
2563         <rdar://problem/33504759>
2564
2565         Reviewed by Filip Pizlo.
2566
2567         1. When the probe handler function changes the sp register to point to the
2568            region of stack in the middle of the ProbeContext on the stack, there is a
2569            bug where the ProbeContext's register values to be restored can be over-written
2570            before they can be restored.  This is now fixed.
2571
2572         2. Added more robust probe tests for changing the sp register.
2573
2574         3. Made existing probe tests ensure that probe handlers were actually called.
2575
2576         4. Added some verification to testProbePreservesGPRS().
2577
2578         5. Change all the probe tests to fail early on discovering an error instead of
2579            batching till the end of the test.  This helps point a finger to the failing
2580            issue earlier.
2581
2582         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
2583         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
2584
2585         * assembler/MacroAssemblerARM.cpp:
2586         * assembler/MacroAssemblerARMv7.cpp:
2587         * assembler/MacroAssemblerX86Common.cpp:
2588         * assembler/testmasm.cpp:
2589         (JSC::testProbeReadsArgumentRegisters):
2590         (JSC::testProbeWritesArgumentRegisters):
2591         (JSC::testProbePreservesGPRS):
2592         (JSC::testProbeModifiesStackPointer):
2593         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2594         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2595         (JSC::testProbeModifiesProgramCounter):
2596         (JSC::run):
2597
2598 2017-07-25  Brian Burg  <bburg@apple.com>
2599
2600         Web Automation: add support for uploading files
2601         https://bugs.webkit.org/show_bug.cgi?id=174797
2602         <rdar://problem/28485063>
2603
2604         Reviewed by Joseph Pecoraro.
2605
2606         * inspector/scripts/generate-inspector-protocol-bindings.py:
2607         (generate_from_specification):
2608         Start generating frontend dispatcher code if the target framework is 'WebKit'.
2609
2610         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2611         (CppFrontendDispatcherImplementationGenerator.generate_output):
2612         Use a framework include for InspectorFrontendRouter.h since this generated code
2613         will be compiled outside of WebCore.framework.
2614
2615         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2616         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2617         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2618         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2619         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2620         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2621         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2622         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2623         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2624         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2625         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2626         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2627         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2628         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2629         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2630         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2631         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2632         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2633         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2634         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2635         Rebaseline code generator tests.
2636
2637 2017-07-24  Mark Lam  <mark.lam@apple.com>
2638
2639         Gardening: fixed C Loop build after r219790.
2640         https://bugs.webkit.org/show_bug.cgi?id=174696
2641
2642         Not reviewed.
2643
2644         * assembler/testmasm.cpp:
2645
2646 2017-07-23  Mark Lam  <mark.lam@apple.com>
2647
2648         Create regression tests for the JIT probe.
2649         https://bugs.webkit.org/show_bug.cgi?id=174696
2650         <rdar://problem/33436922>
2651
2652         Reviewed by Saam Barati.
2653
2654         The new testmasm will test the following:
2655         1. the probe is able to read the value of CPU registers.
2656         2. the probe is able to write the value of CPU registers.
2657         3. the probe is able to preserve all CPU registers.
2658         4. special case of (2): the probe is able to change the value of the stack pointer.
2659         5. special case of (2): the probe is able to change the value of the program counter
2660            i.e. the probe can change where the code continues executing upon returning from
2661            the probe.
2662
2663         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
2664         because it does not support changing the sp and pc yet.  The ARM64 probe
2665         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
2666         later.
2667
2668         * Configurations/ToolExecutable.xcconfig:
2669         * JavaScriptCore.xcodeproj/project.pbxproj:
2670         * assembler/MacroAssembler.h:
2671         (JSC::MacroAssembler::CPUState::pc):
2672         (JSC::MacroAssembler::CPUState::fp):
2673         (JSC::MacroAssembler::CPUState::sp):
2674         (JSC::ProbeContext::pc):
2675         (JSC::ProbeContext::fp):
2676         (JSC::ProbeContext::sp):
2677         * assembler/MacroAssemblerARM64.cpp:
2678         (JSC::arm64ProbeTrampoline):
2679         * assembler/MacroAssemblerPrinter.cpp:
2680         (JSC::Printer::printPCRegister):
2681         * assembler/testmasm.cpp: Added.
2682         (hiddenTruthBecauseNoReturnIsStupid):
2683         (usage):
2684         (JSC::nextID):
2685         (JSC::isPC):
2686         (JSC::isSP):
2687         (JSC::isFP):
2688         (JSC::compile):
2689         (JSC::invoke):
2690         (JSC::compileAndRun):
2691         (JSC::testSimple):
2692         (JSC::testProbeReadsArgumentRegisters):
2693         (JSC::testProbeWritesArgumentRegisters):
2694         (JSC::testFunctionToTrashRegisters):
2695         (JSC::testProbePreservesGPRS):
2696         (JSC::testProbeModifiesStackPointer):
2697         (JSC::testProbeModifiesProgramCounter):
2698         (JSC::run):
2699         (run):
2700         (main):
2701         * b3/air/testair.cpp:
2702         (usage):
2703         * shell/CMakeLists.txt:
2704
2705 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
2706
2707         It should be easy to decide how WebKit yields
2708         https://bugs.webkit.org/show_bug.cgi?id=174298
2709
2710         Reviewed by Saam Barati.
2711         
2712         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
2713
2714         * heap/Heap.cpp:
2715         (JSC::Heap::resumeThePeriphery):
2716         * heap/VisitingTimeout.h:
2717         * runtime/JSCell.cpp:
2718         (JSC::JSCell::lockSlow):
2719         (JSC::JSCell::unlockSlow):
2720         * runtime/JSCell.h:
2721         * runtime/JSCellInlines.h:
2722         (JSC::JSCell::lock):
2723         (JSC::JSCell::unlock):
2724         * runtime/JSLock.cpp:
2725         (JSC::JSLock::grabAllLocks):
2726         * runtime/SamplingProfiler.cpp:
2727
2728 2017-07-21  Mark Lam  <mark.lam@apple.com>
2729
2730         Refactor MASM probe CPUState to use arrays for register storage.
2731         https://bugs.webkit.org/show_bug.cgi?id=174694
2732
2733         Reviewed by Keith Miller.
2734
2735         Using arrays for register storage in CPUState allows us to do away with the
2736         huge switch statements to decode each register id.  We can now simply index into
2737         the arrays.
2738
2739         With this patch, we now:
2740
2741         1. Remove the need for macros for defining the list of CPU registers.
2742            We can go back to simple enums.  This makes the code easier to read.
2743
2744         2. Make the assembler the authority on register names.
2745            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
2746         GPRInfo and FPRInfo now forward to the assembler.
2747
2748         3. Make the assembler the authority on the number of registers of each type.
2749
2750         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
2751            This is inconsistent with how every other CPU architecture implements
2752            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
2753            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
2754
2755         * assembler/ARM64Assembler.h:
2756         (JSC::ARM64Assembler::numberOfRegisters):
2757         (JSC::ARM64Assembler::firstSPRegister):
2758         (JSC::ARM64Assembler::lastSPRegister):
2759         (JSC::ARM64Assembler::numberOfSPRegisters):
2760         (JSC::ARM64Assembler::numberOfFPRegisters):
2761         (JSC::ARM64Assembler::gprName):
2762         (JSC::ARM64Assembler::sprName):
2763         (JSC::ARM64Assembler::fprName):
2764         * assembler/ARMAssembler.h:
2765         (JSC::ARMAssembler::numberOfRegisters):
2766         (JSC::ARMAssembler::firstSPRegister):
2767         (JSC::ARMAssembler::lastSPRegister):
2768         (JSC::ARMAssembler::numberOfSPRegisters):
2769         (JSC::ARMAssembler::numberOfFPRegisters):
2770         (JSC::ARMAssembler::gprName):
2771         (JSC::ARMAssembler::sprName):
2772         (JSC::ARMAssembler::fprName):
2773         * assembler/ARMv7Assembler.h:
2774         (JSC::ARMv7Assembler::lastRegister):
2775         (JSC::ARMv7Assembler::numberOfRegisters):
2776         (JSC::ARMv7Assembler::firstSPRegister):
2777         (JSC::ARMv7Assembler::lastSPRegister):
2778         (JSC::ARMv7Assembler::numberOfSPRegisters):
2779         (JSC::ARMv7Assembler::numberOfFPRegisters):
2780         (JSC::ARMv7Assembler::gprName):
2781         (JSC::ARMv7Assembler::sprName):
2782         (JSC::ARMv7Assembler::fprName):
2783         * assembler/AbstractMacroAssembler.h:
2784         (JSC::AbstractMacroAssembler::numberOfRegisters):
2785         (JSC::AbstractMacroAssembler::gprName):
2786         (JSC::AbstractMacroAssembler::firstSPRegister):
2787         (JSC::AbstractMacroAssembler::lastSPRegister):
2788         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
2789         (JSC::AbstractMacroAssembler::sprName):
2790         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
2791         (JSC::AbstractMacroAssembler::fprName):
2792         * assembler/MIPSAssembler.h:
2793         (JSC::MIPSAssembler::numberOfRegisters):
2794         (JSC::MIPSAssembler::firstSPRegister):
2795         (JSC::MIPSAssembler::lastSPRegister):
2796         (JSC::MIPSAssembler::numberOfSPRegisters):
2797         (JSC::MIPSAssembler::numberOfFPRegisters):
2798         (JSC::MIPSAssembler::gprName):
2799         (JSC::MIPSAssembler::sprName):
2800         (JSC::MIPSAssembler::fprName):
2801         * assembler/MacroAssembler.h:
2802         (JSC::MacroAssembler::CPUState::gprName):
2803         (JSC::MacroAssembler::CPUState::sprName):
2804         (JSC::MacroAssembler::CPUState::fprName):
2805         (JSC::MacroAssembler::CPUState::gpr):
2806         (JSC::MacroAssembler::CPUState::spr):
2807         (JSC::MacroAssembler::CPUState::fpr):
2808         (JSC::MacroAssembler::CPUState::pc):
2809         (JSC::MacroAssembler::CPUState::fp):
2810         (JSC::MacroAssembler::CPUState::sp):
2811         (JSC::ProbeContext::gpr):
2812         (JSC::ProbeContext::spr):
2813         (JSC::ProbeContext::fpr):
2814         (JSC::ProbeContext::gprName):
2815         (JSC::ProbeContext::sprName):
2816         (JSC::ProbeContext::fprName):
2817         (JSC::MacroAssembler::numberOfRegisters): Deleted.
2818         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
2819         * assembler/MacroAssemblerARM.cpp:
2820         * assembler/MacroAssemblerARM64.cpp:
2821         (JSC::arm64ProbeTrampoline):
2822         * assembler/MacroAssemblerARMv7.cpp:
2823         * assembler/MacroAssemblerPrinter.cpp:
2824         (JSC::Printer::nextID):
2825         (JSC::Printer::printAllRegisters):
2826         (JSC::Printer::printPCRegister):
2827         (JSC::Printer::printRegisterID):
2828         (JSC::Printer::printAddress):
2829         * assembler/MacroAssemblerX86Common.cpp:
2830         * assembler/X86Assembler.h:
2831         (JSC::X86Assembler::numberOfRegisters):
2832         (JSC::X86Assembler::firstSPRegister):
2833         (JSC::X86Assembler::lastSPRegister):
2834         (JSC::X86Assembler::numberOfSPRegisters):
2835         (JSC::X86Assembler::numberOfFPRegisters):
2836         (JSC::X86Assembler::gprName):
2837         (JSC::X86Assembler::sprName):
2838         (JSC::X86Assembler::fprName):
2839         * jit/FPRInfo.h:
2840         (JSC::FPRInfo::debugName):
2841         * jit/GPRInfo.h:
2842         (JSC::GPRInfo::debugName):
2843         * jit/RegisterSet.cpp:
2844         (JSC::RegisterSet::reservedHardwareRegisters):
2845
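        The scheme described in this entry, as an added example that is not JavaScriptCore code: a hypothetical ARM-like register file in which register ids are plain enums, CPUState keeps registers in arrays indexed by those ids, and one assembler class is the sole authority on register counts and names. The register set, the name tables, the reserved-register mask and every function below are assumptions made for illustration; the point is that the array sizes and name tables are tied to the assembler's count with static_assert, and that every index is bounds-checked rather than decoded through a switch.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Added example, not JavaScriptCore code: a hypothetical ARM-like register
// file following the scheme in the ChangeLog entry above. Register ids are
// plain enums, CPUState stores registers in arrays indexed by those ids, and
// one "assembler" class is the sole authority on counts and names.
namespace ProbeExample {

enum RegisterID : unsigned { r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, sp, lr, pc };
enum FPRegisterID : unsigned { d0, d1, d2, d3, d4, d5, d6, d7 };

struct Assembler {
    static constexpr RegisterID firstRegister() { return r0; }
    // The true last GPR is pc. Reserved registers (sp, lr, pc here) are kept
    // out of allocation by reservedHardwareRegisters(), not by under-reporting
    // the range, which is the ARMv7 inconsistency item 4 above fixes.
    static constexpr RegisterID lastRegister() { return pc; }
    static constexpr unsigned numberOfRegisters() { return lastRegister() - firstRegister() + 1; }
    static constexpr unsigned numberOfFPRegisters() { return d7 - d0 + 1; }

    static const char* gprName(RegisterID id)
    {
        static const char* const names[] = {
            "r0", "r1", "r2", "r3", "r4", "r5", "r6", "r7",
            "r8", "r9", "r10", "r11", "r12", "sp", "lr", "pc"
        };
        static_assert(sizeof(names) / sizeof(names[0]) == numberOfRegisters(), "name table must cover every GPR");
        assert(id < numberOfRegisters()); // an id past the table would be an out-of-bounds read
        return names[id];
    }

    static const char* fprName(FPRegisterID id)
    {
        static const char* const names[] = { "d0", "d1", "d2", "d3", "d4", "d5", "d6", "d7" };
        static_assert(sizeof(names) / sizeof(names[0]) == numberOfFPRegisters(), "name table must cover every FPR");
        assert(id < numberOfFPRegisters());
        return names[id];
    }

    // Bitmask of registers a probe must report but the JIT must never allocate (assumed set).
    static constexpr uint32_t reservedHardwareRegisters() { return (1u << sp) | (1u << lr) | (1u << pc); }
};

// Array storage replaces the per-register switch: gpr(id) is a bounds-checked index.
struct CPUState {
    uintptr_t gprs[Assembler::numberOfRegisters()];
    double fprs[Assembler::numberOfFPRegisters()];

    uintptr_t& gpr(RegisterID id) { assert(id < Assembler::numberOfRegisters()); return gprs[id]; }
    double& fpr(FPRegisterID id) { assert(id < Assembler::numberOfFPRegisters()); return fprs[id]; }
    uintptr_t& programCounter() { return gpr(pc); }
    uintptr_t& stackPointer() { return gpr(sp); }
};

// What a probe handler would do with the captured state: print every GPR from
// firstRegister() to lastRegister(), flagging reserved ones. Returns the count printed.
inline unsigned dumpAllRegisters(CPUState& state, FILE* out)
{
    unsigned printed = 0;
    for (unsigned id = Assembler::firstRegister(); id <= Assembler::lastRegister(); ++id) {
        RegisterID reg = static_cast<RegisterID>(id);
        bool reserved = (Assembler::reservedHardwareRegisters() >> id) & 1u;
        std::fprintf(out, "%-3s = 0x%016llx%s\n", Assembler::gprName(reg),
            static_cast<unsigned long long>(state.gpr(reg)), reserved ? "  (reserved)" : "");
        ++printed;
    }
    return printed;
}

// Constructed sample state so the example runs offline.
inline CPUState sampleState()
{
    CPUState state = {};
    for (unsigned id = 0; id < Assembler::numberOfRegisters(); ++id)
        state.gprs[id] = 0x1000 + 0x10 * id;
    state.fpr(d1) = 2.5;
    return state;
}

} // namespace ProbeExample

int main()
{
    ProbeExample::CPUState state = ProbeExample::sampleState();
    ProbeExample::dumpAllRegisters(state, stdout);
    return 0;
}
```

        The loop in dumpAllRegisters is why item 4 matters: a lastRegister() that stops short of pc silently drops registers from every probe dump, whereas reporting the true range and excluding reserved registers separately keeps the dump complete and the allocator honest.
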
2846 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2847
2848         [JSC] Introduce static symbols
2849         https://bugs.webkit.org/show_bug.cgi?id=158863
2850
2851         Reviewed by Darin Adler.
2852
2853         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
2854         As a result, we can share the same Symbol values between VMs and threads.
2855         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
2856
2857         * CMakeLists.txt:
2858         * JavaScriptCore.xcodeproj/project.pbxproj:
2859         * builtins/BuiltinNames.cpp: Added.
2860         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
2861
2862         * builtins/BuiltinNames.h:
2863         (JSC::BuiltinNames::BuiltinNames):
2864         * builtins/BuiltinUtils.h:
2865
2866 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2867
2868         [FTL] Arguments elimination is suppressed by unreachable blocks
2869         https://bugs.webkit.org/show_bug.cgi?id=174352
2870
2871         Reviewed by Filip Pizlo.
2872
2873         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
2874         The problem is that the arguments elimination phase checks escaping even when ForceOSRExit precedes.
2875         Since GetById without information can escape arguments if it is specified, non-executed code including
2876         op_get_by_id with arguments can escape arguments.
2877
2878         For example,
2879
2880             function test(flag)
2881             {
2882                 if (flag) {
2883                     // This is not executed, but emits GetById with arguments.
2884                     // It prevents us from eliminating materialization.
2885                     return arguments.length;
2886                 }
2887                 return arguments.length;
2888             }
2889             noInline(test);
2890             while (true)
2891                 test(false);
2892
2893         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
2894         So this GetById exists and escapes arguments.
2895
2896         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
2897         If one is found, the following GetById does not escape arguments. Compared to performing AI, it is
2898         lightweight. But it catches much of typical cases we failed to perform arguments elimination.
2899
2900         * dfg/DFGArgumentsEliminationPhase.cpp:
2901         * dfg/DFGNode.h:
2902         (JSC::DFG::Node::isPseudoTerminal):
2903         * dfg/DFGValidate.cpp:
2904
2905 2017-07-20  Chris Dumez  <cdumez@apple.com>
2906
2907         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
2908         https://bugs.webkit.org/show_bug.cgi?id=174660
2909
2910         Reviewed by Geoffrey Garen.
2911
2912         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2913         This essentially replaces a branch to figure out if the new size is less or greater than the
2914         current size by an assertion.
2915
2916         * b3/B3BasicBlockUtils.h:
2917         (JSC::B3::clearPredecessors):
2918         * b3/B3InferSwitches.cpp:
2919         * b3/B3LowerToAir.cpp:
2920         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2921         * b3/B3ReduceStrength.cpp:
2922         * b3/B3SparseCollection.h:
2923         (JSC::B3::SparseCollection::packIndices):
2924         * b3/B3UseCounts.cpp:
2925         (JSC::B3::UseCounts::UseCounts):
2926         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2927         * b3/air/AirEmitShuffle.cpp:
2928         (JSC::B3::Air::emitShuffle):
2929         * b3/air/AirLowerAfterRegAlloc.cpp:
2930         (JSC::B3::Air::lowerAfterRegAlloc):
2931         * b3/air/AirOptimizeBlockOrder.cpp:
2932         (JSC::B3::Air::optimizeBlockOrder):
2933         * bytecode/Operands.h:
2934         (JSC::Operands::ensureLocals):
2935         * bytecode/PreciseJumpTargets.cpp:
2936         (JSC::computePreciseJumpTargetsInternal):
2937         * dfg/DFGBlockInsertionSet.cpp:
2938         (JSC::DFG::BlockInsertionSet::execute):
2939         * dfg/DFGBlockMapInlines.h:
2940         (JSC::DFG::BlockMap<T>::BlockMap):
2941         * dfg/DFGByteCodeParser.cpp:
2942         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2943         (JSC::DFG::ByteCodeParser::clearCaches):
2944         * dfg/DFGDisassembler.cpp:
2945         (JSC::DFG::Disassembler::Disassembler):
2946         * dfg/DFGFlowIndexing.cpp:
2947         (JSC::DFG::FlowIndexing::recompute):
2948         * dfg/DFGGraph.cpp:
2949         (JSC::DFG::Graph::registerFrozenValues):
2950         * dfg/DFGInPlaceAbstractState.cpp:
2951         (JSC::DFG::setLiveValues):
2952         * dfg/DFGLICMPhase.cpp:
2953         (JSC::DFG::LICMPhase::run):
2954         * dfg/DFGLivenessAnalysisPhase.cpp:
2955         * dfg/DFGNaturalLoops.cpp:
2956         (JSC::DFG::NaturalLoops::NaturalLoops):
2957         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2958         * ftl/FTLLowerDFGToB3.cpp:
2959         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2960         * heap/CodeBlockSet.cpp:
2961         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2962         * heap/MarkedSpace.cpp:
2963         (JSC::MarkedSpace::sweepLargeAllocations):
2964         * inspector/ContentSearchUtilities.cpp:
2965         (Inspector::ContentSearchUtilities::findMagicComment):
2966         * interpreter/ShadowChicken.cpp:
2967         (JSC::ShadowChicken::update):
2968         * parser/ASTBuilder.h:
2969         (JSC::ASTBuilder::shrinkOperandStackBy):
2970         * parser/Lexer.h:
2971         (JSC::Lexer::setOffset):
2972         * runtime/RegExpInlines.h:
2973         (JSC::RegExp::matchInline):
2974         * runtime/RegExpPrototype.cpp:
2975         (JSC::genericSplit):
2976         * yarr/RegularExpression.cpp:
2977         (JSC::Yarr::RegularExpression::match):
2978
2979 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2980
2981         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
2982         https://bugs.webkit.org/show_bug.cgi?id=174678
2983
2984         Reviewed by Mark Lam.
2985
2986         Use Thread& instead.
2987
2988         * runtime/JSLock.cpp:
2989         (JSC::JSLock::didAcquireLock):
2990
2991 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2992
2993         [WTF] Implement WTF::ThreadGroup
2994         https://bugs.webkit.org/show_bug.cgi?id=174081
2995
2996         Reviewed by Mark Lam.
2997
2998         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2999         And SamplingProfiler and others interact with WTF::Thread directly.
3000
3001         * API/tests/ExecutionTimeLimitTest.cpp:
3002         * heap/MachineStackMarker.cpp:
3003         (JSC::MachineThreads::MachineThreads):
3004         (JSC::captureStack):
3005         (JSC::MachineThreads::tryCopyOtherThreadStack):
3006         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3007         (JSC::MachineThreads::gatherConservativeRoots):
3008         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3009         (JSC::ActiveMachineThreadsManager::add): Deleted.
3010         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3011         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3012         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3013         (JSC::activeMachineThreadsManager): Deleted.
3014         (JSC::MachineThreads::~MachineThreads): Deleted.
3015         (JSC::MachineThreads::addCurrentThread): Deleted.
3016         (): Deleted.
3017         (JSC::MachineThreads::removeThread): Deleted.
3018         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3019         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3020         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3021         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3022         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3023         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3024         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3025         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3026         * heap/MachineStackMarker.h:
3027         (JSC::MachineThreads::addCurrentThread):
3028         (JSC::MachineThreads::getLock):
3029         (JSC::MachineThreads::threads):
3030         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3031         (JSC::MachineThreads::MachineThread::resume): Deleted.
3032         (JSC::MachineThreads::MachineThread::threadID): Deleted.
3033         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
3034         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
3035         (JSC::MachineThreads::threadsListHead): Deleted.
3036         * runtime/SamplingProfiler.cpp:
3037         (JSC::FrameWalker::isValidFramePointer):
3038         (JSC::SamplingProfiler::SamplingProfiler):
3039         (JSC::SamplingProfiler::takeSample):
3040         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3041         * runtime/SamplingProfiler.h:
3042         * wasm/WasmMachineThreads.cpp:
3043         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3044
3045 2017-07-18  Andy Estes  <aestes@apple.com>
3046
3047         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
3048         https://bugs.webkit.org/show_bug.cgi?id=174631
3049
3050         Reviewed by Tim Horton.
3051
3052         * Configurations/Base.xcconfig:
3053         * b3/B3FoldPathConstants.cpp:
3054         * b3/B3LowerMacros.cpp:
3055         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
3056         * dfg/DFGByteCodeParser.cpp:
3057         (JSC::DFG::ByteCodeParser::check):
3058         (JSC::DFG::ByteCodeParser::planLoad):
3059
3060 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3061
3062         WTF::Thread should have the threads stack bounds.
3063         https://bugs.webkit.org/show_bug.cgi?id=173975
3064
3065         Reviewed by Mark Lam.
3066
3067         There is a site in JSC that tries to walk another thread's stack.
3068         Currently, stack bounds are stored in WTFThreadData which is located
3069         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3070         We workaround this situation by holding StackBounds in MachineThread in JSC,
3071         but StackBounds should be put in WTF::Thread instead.
3072
3073         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
3074         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
3075
3076         * heap/MachineStackMarker.cpp:
3077         (JSC::MachineThreads::MachineThread::MachineThread):
3078         (JSC::MachineThreads::MachineThread::captureStack):
3079         * heap/MachineStackMarker.h:
3080         (JSC::MachineThreads::MachineThread::stackBase):
3081         (JSC::MachineThreads::MachineThread::stackEnd):
3082         * runtime/VMTraps.cpp:
3083
3084 2017-07-18  Andy Estes  <aestes@apple.com>
3085
3086         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
3087         https://bugs.webkit.org/show_bug.cgi?id=174631
3088
3089         Reviewed by Sam Weinig.
3090
3091         * Configurations/Base.xcconfig:
3092
3093 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
3094
3095         Web Inspector: Modernize InjectedScriptSource
3096         https://bugs.webkit.org/show_bug.cgi?id=173890
3097
3098         Reviewed by Brian Burg.
3099
3100         * inspector/InjectedScript.h:
3101         Reorder functions to be slightly better.
3102
3103         * inspector/InjectedScriptSource.js:
3104         - Convert to classes named InjectedScript and RemoteObject
3105         - Align InjectedScript's API with the wrapper C++ interfaces
3106         - Move some code to RemoteObject where appropriate (subtype, describe)
3107         - Move some code to helper functions (isPrimitiveValue, isDefined)
3108         - Refactor for readability and modern features
3109         - Remove some unused / unnecessary code
3110
3111 2017-07-18  Mark Lam  <mark.lam@apple.com>
3112
3113         Butterfly storage need not be initialized for indexing type Undecided.
3114         https://bugs.webkit.org/show_bug.cgi?id=174516
3115
3116         Reviewed by Saam Barati.
3117
3118         While it's not incorrect to initialize the butterfly storage when the
3119         indexingType is Undecided, it is inefficient as we'll end up initializing
3120         it again later when we convert the storage to a different indexingType.
3121         Some of our code already skips initializing Undecided butterflies.
3122         This patch makes it the consistent behavior everywhere.
3123
3124         * dfg/DFGSpeculativeJIT.cpp:
3125         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3126         * runtime/JSArray.cpp:
3127         (JSC::JSArray::tryCreateUninitializedRestricted):
3128         * runtime/JSArray.h:
3129         (JSC::JSArray::tryCreate):
3130         * runtime/JSObject.cpp:
3131         (JSC::JSObject::ensureLengthSlow):
3132
3133 2017-07-18  Saam Barati  <sbarati@apple.com>
3134
3135         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
3136         https://bugs.webkit.org/show_bug.cgi?id=174515
3137         <rdar://problem/33358092>
3138
3139         Reviewed by Filip Pizlo.
3140
3141         AirLowerAfterRegAlloc was computing the set of available scratch
3142         registers incorrectly. It was always excluding callee save registers
3143         from the set of live registers. It did not guarantee that live callee save
3144         registers were not in the set of scratch registers that could
3145         get clobbered. That's incorrect as the shuffling code is free
3146         to overwrite whatever is in the scratch register it gets passed.
3147
3148         * b3/air/AirLowerAfterRegAlloc.cpp:
3149         (JSC::B3::Air::lowerAfterRegAlloc):
3150         * b3/testb3.cpp:
3151         (JSC::B3::functionNineArgs):
3152         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
3153         (JSC::B3::run):
3154         * jit/RegisterSet.h:
3155
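        The scratch-register computation this entry describes, as an added example that is not JavaScriptCore code: a 16-register model in which the buggy version strips the callee saves out of the live set before subtracting it, so a live callee save can be handed to the shuffle as scratch, and the fixed version subtracts the whole live set. The register numbering, the R12..R15 callee-save split, and the simulated shuffle are assumptions made for illustration.

```cpp
#include <cassert>
#include <cstdint>

// Added example, not JavaScriptCore code. Models the scratch register
// selection described in the ChangeLog entry above; register numbering and
// the callee-save split are assumptions.
namespace ScratchExample {

enum Reg : unsigned { R0, R1, R2, R3, R4, R5, R6, R7, R8, R9, R10, R11, R12, R13, R14, R15 };
constexpr unsigned kNumRegs = 16;

struct RegisterSet {
    uint32_t bits = 0;
    void set(unsigned r) { bits |= 1u << r; }
    bool get(unsigned r) const { return (bits >> r) & 1u; }
    void exclude(const RegisterSet& other) { bits &= ~other.bits; }
};

inline RegisterSet allRegisters() { RegisterSet s; s.bits = (1u << kNumRegs) - 1; return s; }

// Assumed ABI: R12..R15 are callee saves, R0..R11 are caller saves.
inline RegisterSet calleeSaveRegisters()
{
    RegisterSet s;
    for (unsigned r = R12; r <= R15; ++r) s.set(r);
    return s;
}

// Before the fix: callee saves are dropped from the live set, so the
// subtraction can leave a live callee save in the scratch set.
inline RegisterSet scratchRegistersBuggy(RegisterSet live)
{
    live.exclude(calleeSaveRegisters());
    RegisterSet scratch = allRegisters();
    scratch.exclude(live);
    return scratch;
}

// After the fix: anything live at this point is off limits, whatever its class.
inline RegisterSet scratchRegistersFixed(RegisterSet live)
{
    RegisterSet scratch = allRegisters();
    scratch.exclude(live);
    return scratch;
}

inline int pickScratch(const RegisterSet& scratch)
{
    for (unsigned r = 0; r < kNumRegs; ++r)
        if (scratch.get(r)) return static_cast<int>(r);
    return -1;
}

// Simulates the shuffle: R0..R11 are busy with call arguments and R12 holds a
// live callee-save value. The shuffle overwrites whichever scratch it is given.
// Returns true when the live value in R12 is intact afterwards.
inline bool liveValueSurvives(RegisterSet (*computeScratch)(RegisterSet))
{
    uintptr_t regs[kNumRegs] = {};
    RegisterSet live;
    for (unsigned r = R0; r <= R11; ++r) live.set(r);
    live.set(R12);
    regs[R12] = 0xC0FFEE; // the live callee-save value

    int scratch = pickScratch(computeScratch(live));
    if (scratch < 0) return false; // no scratch at all: the real code would have to spill
    regs[scratch] = 0xDEADBEEF; // the shuffle clobbers its scratch register
    return regs[R12] == 0xC0FFEE;
}

} // namespace ScratchExample

int main() { return ScratchExample::liveValueSurvives(ScratchExample::scratchRegistersFixed) ? 0 : 1; }
```

        With the buggy computation the first free register is R12, which is live, and the value in it is destroyed; with the fixed computation the first free register is R13 and R12 survives. The test in b3/testb3.cpp named in the entry exercises the same situation with a real nine-argument call.
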
3156 2017-07-18  Andy Estes  <aestes@apple.com>
3157
3158         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
3159         https://bugs.webkit.org/show_bug.cgi?id=174631
3160
3161         Reviewed by Dan Bernstein.
3162
3163         * Configurations/Base.xcconfig:
3164
3165 2017-07-18  Devin Rousso  <drousso@apple.com>
3166
3167         Web Inspector: Add memoryCost to Inspector Protocol objects
3168         https://bugs.webkit.org/show_bug.cgi?id=174478
3169
3170         Reviewed by Joseph Pecoraro.
3171
3172         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
3173         plus the memoryCost of the data if it is a string.
3174
3175         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
3176
3177         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
3178         key plus the memoryCost of the InspectorValue for each entry.
3179
3180         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
3181
3182         * inspector/InspectorValues.h:
3183         * inspector/InspectorValues.cpp:
3184         (Inspector::InspectorValue::memoryCost):
3185         (Inspector::InspectorObjectBase::memoryCost):
3186         (Inspector::InspectorArrayBase::memoryCost):
3187
3188 2017-07-18  Andy Estes  <aestes@apple.com>
3189
3190         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
3191         https://bugs.webkit.org/show_bug.cgi?id=174631
3192
3193         Reviewed by Darin Adler.
3194
3195         * Configurations/Base.xcconfig:
3196
3197 2017-07-18  Michael Saboff  <msaboff@apple.com>
3198
3199         [JSC] There should be a debug option to dump a compiled RegExp Pattern
3200         https://bugs.webkit.org/show_bug.cgi?id=174601
3201
3202         Reviewed by Alex Christensen.
3203
3204         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
3205         objects after a regular expression has been compiled.
3206
3207         * runtime/Options.h:
3208         * yarr/YarrPattern.cpp:
3209         (JSC::Yarr::YarrPattern::compile):
3210         (JSC::Yarr::indentForNestingLevel):
3211         (JSC::Yarr::dumpUChar32):
3212         (JSC::Yarr::PatternAlternative::dump):
3213         (JSC::Yarr::PatternTerm::dumpQuantifier):
3214         (JSC::Yarr::PatternTerm::dump):
3215         (JSC::Yarr::PatternDisjunction::dump):
3216         (JSC::Yarr::YarrPattern::dumpPattern):
3217         * yarr/YarrPattern.h:
3218         (JSC::Yarr::YarrPattern::global):
3219
3220 2017-07-17  Darin Adler  <darin@apple.com>
3221
3222         Improve use of NeverDestroyed
3223         https://bugs.webkit.org/show_bug.cgi?id=174348
3224
3225         Reviewed by Sam Weinig.
3226
3227         * heap/MachineStackMarker.cpp:
3228         * wasm/WasmMemory.cpp:
3229         Removed unneeded includes of NeverDestroyed.h in files that do not make use
3230         of NeverDestroyed.
3231
3232 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
3233
3234         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
3235         https://bugs.webkit.org/show_bug.cgi?id=174547
3236
3237         Reviewed by Alex Christensen.
3238
3239         * CMakeLists.txt:
3240         * shell/CMakeLists.txt:
3241
3242 2017-07-17  Saam Barati  <sbarati@apple.com>
3243
3244         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
3245         https://bugs.webkit.org/show_bug.cgi?id=174584
3246
3247         Rubber stamped by Keith Miller.
3248
3249         I used it to diagnose a bug. The bug is now fixed. This custom
3250         RELEASE_ASSERT is no longer needed.
3251
3252         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3253
3254 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
3255
3256         -Wformat-truncation warning in ConfigFile.cpp
3257         https://bugs.webkit.org/show_bug.cgi?id=174506
3258
3259         Reviewed by Darin Adler.
3260
3261         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
3262         return ParseError.
3263
3264         * runtime/ConfigFile.cpp:
3265         (JSC::ConfigFile::parse):
3266
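        The truncation check this entry describes, as an added example that is not JavaScriptCore's ConfigFile.cpp: a hypothetical buildConfigPath() joins a directory and a file name into a fixed-size path buffer the way a config loader would, and turns a would-be truncation (the case -Wformat-truncation warns about) into ParseError instead of silently using a shortened path. The function, its ParseResult type, and the deliberately small buffer size are assumptions made so the failure is reachable offline.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Added example, not JavaScriptCore's ConfigFile.cpp. buildConfigPath() and
// ParseResult are hypothetical; the buffer is deliberately small so the
// truncation path can be exercised without a long real file system path.
namespace ConfigPathExample {

enum class ParseResult { Success, ParseError };

constexpr size_t kMaxPathLength = 64; // assumption; a real loader would use PATH_MAX

inline ParseResult buildConfigPath(const char* directory, const char* filename, char (&out)[kMaxPathLength])
{
    // snprintf returns the length the full string would have had, excluding the
    // terminating NUL. A result >= the buffer size means the output was cut short.
    int needed = std::snprintf(out, sizeof(out), "%s/%s", directory, filename);
    if (needed < 0 || static_cast<size_t>(needed) >= sizeof(out)) {
        out[0] = '\0'; // never leave a partial path for the caller to open
        return ParseResult::ParseError;
    }
    return ParseResult::Success;
}

// Convenience for checks: does the joined path fit in the buffer?
inline bool pathFits(const char* directory, const char* filename)
{
    char path[kMaxPathLength];
    return buildConfigPath(directory, filename, path) == ParseResult::Success;
}

} // namespace ConfigPathExample

int main()
{
    using namespace ConfigPathExample;
    char path[kMaxPathLength];
    // Constructed inputs: one that fits and a 70-character directory that cannot.
    char longDirectory[71];
    std::memset(longDirectory, 'a', 70);
    longDirectory[70] = '\0';
    std::printf("short: %s\n",
        buildConfigPath("/etc/jsc", "jsc.config", path) == ParseResult::Success ? path : "<error>");
    std::printf("long: %s\n",
        buildConfigPath(longDirectory, "jsc.config", path) == ParseResult::Success ? path : "<truncated, rejected>");
    return 0;
}
```

        Failing closed is the right behaviour here: a path that snprintf has silently cut short can name a different file than the one the administrator configured (a prefix of the intended name, or a sibling entry), so a loader must refuse the truncated result rather than open whatever it happens to resolve to.
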
3267 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
3268
3269         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
3270         https://bugs.webkit.org/show_bug.cgi?id=174557
3271
3272         Reviewed by Michael Catanzaro.
3273
3274         * CMakeLists.txt:
3275
3276 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3277
3278         [WTF] Use std::unique_ptr for StackTrace
3279         https://bugs.webkit.org/show_bug.cgi?id=174495
3280
3281         Reviewed by Alex Christensen.
3282
3283         * runtime/ExceptionScope.cpp:
3284         (JSC::ExceptionScope::unexpectedExceptionMessage):
3285         * runtime/VM.cpp:
3286         (JSC::VM::throwException):
3287
3288 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3289
3290         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
3291         https://bugs.webkit.org/show_bug.cgi?id=174423
3292
3293         Reviewed by Saam Barati.
3294
3295         * dfg/DFGAvailabilityMap.cpp:
3296         (JSC::DFG::AvailabilityMap::pruneHeap):
3297         (JSC::DFG::AvailabilityMap::pruneByLiveness):
3298
3299 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
3300
3301         Fix compiler warnings when building with GCC 7
3302         https://bugs.webkit.org/show_bug.cgi?id=174463
3303
3304         Reviewed by Darin Adler.
3305
3306         * disassembler/udis86/udis86_decode.c:
3307         (decode_operand):
3308
3309 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
3310
3311         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
3312         https://bugs.webkit.org/show_bug.cgi?id=174467
3313
3314         Reviewed by Saam Barati.
3315
3316         * bytecode/CallLinkInfo.cpp:
3317         (JSC::CallLinkInfo::callTypeFor):
3318
3319 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
3320
3321         Web Inspector: Remove unused and untested Page domain commands
3322         https://bugs.webkit.org/show_bug.cgi?id=174429
3323
3324         Reviewed by Timothy Hatcher.
3325
3326         * inspector/protocol/Page.json:
3327
3328 2017-07-13  Saam Barati  <sbarati@apple.com>
3329
3330         Missing exception check in JSObject::hasInstance
3331         https://bugs.webkit.org/show_bug.cgi?id=174455
3332         <rdar://problem/31384608>
3333
3334         Reviewed by Mark Lam.
3335
3336         * runtime/JSObject.cpp:
3337         (JSC::JSObject::hasInstance):
3338
3339 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
3340
3341         [ESnext] Implement Object Spread
3342         https://bugs.webkit.org/show_bug.cgi?id=167963
3343
3344         Reviewed by Saam Barati.
3345
3346         This patch implements ECMA262 stage 3 Object Spread proposal [1].
3347         It's implemented using CopyDataPropertiesNoExclusions to copy
3348         all enumerable keys from the object being spread. The implementation of
3349         CopyDataPropertiesNoExclusions follows the CopyDataProperties
3350         implementation; however, we don't receive excludedNames as a parameter.
3351
3352         [1] - https://github.com/tc39/proposal-object-rest-spread
3353
3354         * builtins/GlobalOperations.js:
3355         (globalPrivate.copyDataPropertiesNoExclusions):
3356         * bytecompiler/BytecodeGenerator.cpp:
3357         (JSC::BytecodeGenerator::emitLoad):
3358         * bytecompiler/NodesCodegen.cpp:
3359         (JSC::PropertyListNode::emitBytecode):
3360         (JSC::ObjectSpreadExpressionNode::emitBytecode):
3361         * parser/ASTBuilder.h:
3362         (JSC::ASTBuilder::createObjectSpreadExpression):
3363         (JSC::ASTBuilder::createProperty):
3364         * parser/NodeConstructors.h:
3365         (JSC::PropertyNode::PropertyNode):
3366         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
3367         * parser/Nodes.h:
3368         (JSC::ObjectSpreadExpressionNode::expression):
3369         * parser/Parser.cpp:
3370         (JSC::Parser<LexerType>::parseProperty):
3371         * parser/SyntaxChecker.h:
3372         (JSC::SyntaxChecker::createObjectSpreadExpression):
3373         (JSC::SyntaxChecker::createProperty):
3374
3375 2017-07-12  Mark Lam  <mark.lam@apple.com>
3376
3377         Gardening: build fix after r219434.
3378         https://bugs.webkit.org/show_bug.cgi?id=174441
3379
3380         Not reviewed.
3381
3382         Make public some MacroAssembler functions that are needed by the probe implementation.
3383
3384         * assembler/MacroAssemblerARM.h:
3385         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
3386         * assembler/MacroAssemblerARMv7.h:
3387         (JSC::MacroAssemblerARMv7::linkCall):
3388
3389 2017-07-12  Mark Lam  <mark.lam@apple.com>
3390
3391         Move Probe code from AbstractMacroAssembler to MacroAssembler.
3392         https://bugs.webkit.org/show_bug.cgi?id=174441
3393
3394         Reviewed by Saam Barati.
3395
3396         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
3397         to MacroAssembler.  There is no code behavior change.
3398
3399         * assembler/AbstractMacroAssembler.h:
3400         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
3401         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
3402         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
3403         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
3404         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
3405         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
3406         * assembler/MacroAssembler.h:
3407         (JSC::MacroAssembler::CPUState::gprName):
3408         (JSC::MacroAssembler::CPUState::fprName):
3409         (JSC::MacroAssembler::CPUState::gpr):
3410         (JSC::MacroAssembler::CPUState::fpr):
3411         * assembler/MacroAssemblerARM.cpp:
3412         (JSC::MacroAssembler::probe):
3413         (JSC::MacroAssemblerARM::probe): Deleted.
3414         * assembler/MacroAssemblerARM.h:
3415         * assembler/MacroAssemblerARM64.cpp:
3416         (JSC::MacroAssembler::probe):
3417         (JSC::MacroAssemblerARM64::probe): Deleted.
3418         * assembler/MacroAssemblerARM64.h:
3419         * assembler/MacroAssemblerARMv7.cpp:
3420         (JSC::MacroAssembler::probe):
3421         (JSC::MacroAssemblerARMv7::probe): Deleted.
3422         * assembler/MacroAssemblerARMv7.h:
3423         * assembler/MacroAssemblerMIPS.h:
3424         * assembler/MacroAssemblerX86Common.cpp:
3425         (JSC::MacroAssembler::probe):
3426         (JSC::MacroAssemblerX86Common::probe): Deleted.
3427         * assembler/MacroAssemblerX86Common.h:
3428
3429 2017-07-12  Saam Barati  <sbarati@apple.com>
3430
3431         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
3432         https://bugs.webkit.org/show_bug.cgi?id=174411
3433         <rdar://problem/31696186>
3434
3435         Reviewed by Mark Lam.
3436
3437         The code for deleting an argument was incorrectly referencing state
3438         when it decided if it should unmap or mark a property as having its
3439         descriptor modified. This patch fixes the bug where if we delete a
3440         property, we would sometimes not unmap an argument when deleting it.
3441
3442         * runtime/GenericArgumentsInlines.h:
3443         (JSC::GenericArguments<Type>::getOwnPropertySlot):
3444         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
3445         (JSC::GenericArguments<Type>::deleteProperty):
3446         (JSC::GenericArguments<Type>::deletePropertyByIndex):
3447
3448 2017-07-12  Commit Queue  <commit-queue@webkit.org>
3449
3450         Unreviewed, rolling out r219176.
3451         https://bugs.webkit.org/show_bug.cgi?id=174436
3452
3453         "Can cause infinite recursion on iOS" (Requested by mlam on
3454         #webkit).
3455
3456         Reverted changeset:
3457
3458         "WTF::Thread should have the threads stack bounds."
3459         https://bugs.webkit.org/show_bug.cgi?id=173975
3460         http://trac.webkit.org/changeset/219176
3461
3462 2017-07-12  Matt Lewis  <jlewis3@apple.com>
3463
3464         Unreviewed, rolling out r219401.
3465
3466         This revision rolled out the previous patch, but after talking
3467         with reviewer, a rebaseline is what was needed. Rolling back in
3468         before rebaseline.
3469
3470         Reverted changeset:
3471
3472         "Unreviewed, rolling out r219379."
3473         https://bugs.webkit.org/show_bug.cgi?id=174400
3474         http://trac.webkit.org/changeset/219401
3475
3476 2017-07-12  Matt Lewis  <jlewis3@apple.com>
3477
3478         Unreviewed, rolling out r219379.
3479
3480         This revision caused a consistent failure in the test
3481         fast/dom/Window/property-access-on-cached-window-after-frame-
3482         removed.html.
3483
3484         Reverted changeset:
3485
3486         "Remove NAVIGATOR_HWCONCURRENCY"
3487         https://bugs.webkit.org/show_bug.cgi?id=174400
3488         http://trac.webkit.org/changeset/219379
3489
3490 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
3491
3492         Wrong radix used in Unicode Escape in invalid character error message
3493         https://bugs.webkit.org/show_bug.cgi?id=174419
3494
3495         Reviewed by Alex Christensen.
3496
3497         * parser/Lexer.cpp:
3498         (JSC::Lexer<T>::invalidCharacterMessage):
3499
3500 2017-07-11  Dean Jackson  <dino@apple.com>
3501
3502         Remove NAVIGATOR_HWCONCURRENCY
3503         https://bugs.webkit.org/show_bug.cgi?id=174400
3504
3505         Reviewed by Sam Weinig.
3506
3507         * Configurations/FeatureDefines.xcconfig:
3508
3509 2017-07-11  Dean Jackson  <dino@apple.com>
3510
3511         Rolling out r219372.
3512
3513         * Configurations/FeatureDefines.xcconfig:
3514
3515 2017-07-11  Dean Jackson  <dino@apple.com>
3516
3517         Remove NAVIGATOR_HWCONCURRENCY
3518         https://bugs.webkit.org/show_bug.cgi?id=174400
3519
3520         Reviewed by Sam Weinig.
3521
3522         * Configurations/FeatureDefines.xcconfig:
3523
3524 2017-07-11  Saam Barati  <sbarati@apple.com>
3525
3526         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
3527         https://bugs.webkit.org/show_bug.cgi?id=174397
3528
3529         Rubber stamped by David Kilzer.
3530
3531         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
3532         * wasm/js/WebAssemblyFunctionCell.h: Removed.
3533
3534 2017-07-10  Saam Barati  <sbarati@apple.com>
3535
3536         Allocation sinking phase should consider a CheckStructure that would fail as an escape
3537         https://bugs.webkit.org/show_bug.cgi?id=174321
3538         <rdar://problem/32604963>
3539
3540         Reviewed by Filip Pizlo.
3541
3542         When the allocation sinking phase was generating stores to materialize
3543         objects in a cycle with each other, it would assume that each materialized
3544         object had a valid, non-empty, set of structures. This is an OK assumption for
3545         the phase to make because how do you materialize an object with no structure?
3546         
3547         The abstract interpretation part of the phase will model what's in the heap.
3548         However, it would sometimes model that a CheckStructure would fail. The phase
3549         did nothing special for this; it just stored the empty set of structures for
3550         its representation of a particular allocation. However, what the phase proved
3551         in such a scenario is that, had the CheckStructure executed, it would have exited.
3552         
3553         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
3554         This will cause the allocation in question to be materialized just before
3555         the CheckStructure, and then at execution time, the CheckStructure will exit.
3556         
3557         I wasn't able to write a test case for this. However, I was able to reproduce
3558         this crash by manually editing the IR. I've opened a separate bug to help us
3559         create a testing framework for writing tests for hard to reproduce bugs like this:
3560         https://bugs.webkit.org/show_bug.cgi?id=174322
3561
3562         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3563
3564 2017-07-10  Devin Rousso  <drousso@apple.com>
3565
3566         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
3567         https://bugs.webkit.org/show_bug.cgi?id=174279
3568
3569         Reviewed by Matt Baker.
3570
3571         * inspector/protocol/DOM.json:
3572         Add `highlightNodeList` command that will highlight each node in the given list.
3573
3574 2017-07-03  Brian Burg  <bburg@apple.com>
3575
3576         Web Replay: remove some unused code
3577         https://bugs.webkit.org/show_bug.cgi?id=173903
3578
3579         Rubber-stamped by Joseph Pecoraro.
3580
3581         * CMakeLists.txt:
3582         * Configurations/FeatureDefines.xcconfig:
3583         * DerivedSources.make:
3584         * JavaScriptCore.xcodeproj/project.pbxproj:
3585         * inspector/protocol/Replay.json: Removed.
3586         * replay/EmptyInputCursor.h: Removed.
3587         * replay/EncodedValue.cpp: Removed.
3588         * replay/EncodedValue.h: Removed.
3589         * replay/InputCursor.h: Removed.
3590         * replay/JSInputs.json: Removed.
3591         * replay/NondeterministicInput.h: Removed.
3592         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
3593         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
3594         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
3595         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
3596         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
3597         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
3598         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
3599         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
3600         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
3601         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
3602         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
3603         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
3604         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
3605         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
3606         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
3607         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
3608         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
3609         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
3610         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
3611         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
3612         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
3613         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
3614         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
3615         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
3616         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
3617         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
3618         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
3619         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
3620         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
3621         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
3622         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
3623         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
3624         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
3625         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
3626         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
3627         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
3628         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
3629         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
3630         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
3631         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
3632         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
3633         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
3634         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
3635         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
3636         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
3637         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
3638         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
3639         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
3640         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
3641         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
3642         * replay/scripts/tests/generate-input-with-guard.json: Removed.
3643         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
3644         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
3645         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
3646         * runtime/DateConstructor.cpp:
3647         (JSC::constructDate):
3648         (JSC::dateNow):
3649         (JSC::deterministicCurrentTime): Deleted.
3650         * runtime/JSGlobalObject.cpp:
3651         (JSC::JSGlobalObject::JSGlobalObject):
3652         (JSC::JSGlobalObject::setInputCursor): Deleted.
3653         * runtime/JSGlobalObject.h:
3654         (JSC::JSGlobalObject::inputCursor): Deleted.
3655
3656 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
3657
3658         Move make-js-file-arrays.py from WebCore to JavaScriptCore
3659         https://bugs.webkit.org/show_bug.cgi?id=174024
3660
3661         Reviewed by Michael Catanzaro.
3662
3663         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
3664         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
3665         Added a command line option to pass the namespace to use instead of using WebCore.
3666
3667         * JavaScriptCore.xcodeproj/project.pbxproj:
3668         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
3669         (main):
3670
3671 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3672
3673         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
3674         https://bugs.webkit.org/show_bug.cgi?id=174296
3675
3676         Reviewed by Mark Lam.
3677
3678         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
3679         It caused a problem in scanning template literals. While template literals normalize
3680         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
3681         To handle it correctly, LineNumberAdder was introduced.
3682
3683         As of r219263, <LF><CR> is counted as two line terminators, so we no longer need
3684         LineNumberAdder. Let's just use shiftLineTerminator() instead.
3685
3686         * parser/Lexer.cpp:
3687         (JSC::Lexer<T>::parseTemplateLiteral):
3688         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
3689         (JSC::LineNumberAdder::clear): Deleted.
3690         (JSC::LineNumberAdder::add): Deleted.
3691
3692 2017-07-09  Dan Bernstein  <mitz@apple.com>
3693
3694         [Xcode] ICU headers aren’t treated as system headers after r219155
3695         https://bugs.webkit.org/show_bug.cgi?id=174299
3696
3697         Reviewed by Sam Weinig.
3698
3699         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
3700           C++ compilers.
3701
3702         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
3703         * runtime/IntlDateTimeFormat.cpp: Ditto.
3704         * runtime/JSGlobalObject.cpp: Ditto.
3705         * runtime/StringPrototype.cpp: Ditto.
3706
3707 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3708
3709         [JSC] Use fastMalloc / fastFree for STL containers
3710         https://bugs.webkit.org/show_bug.cgi?id=174297
3711
3712         Reviewed by Sam Weinig.
3713
3714         In some places, we intentionally use STL containers over WTF containers.
3715         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
3716         because we do not have effective empty / deleted representations in the key's value space.
3717         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
3718
3719         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
3720         We pass this allocator as the STL containers' allocator template parameter so they allocate memory from fastMalloc.
3721
3722         This WTF::FastAllocator gives us a chance to use STL containers when necessary
3723         without compromising memory allocation throughput.
3724
3725         * dfg/DFGGraph.h:
3726         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3727         * ftl/FTLLowerDFGToB3.cpp:
3728         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3729         * runtime/FunctionHasExecutedCache.h:
3730         * runtime/TypeLocationCache.h:
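
        The entry above describes routing STL containers through fastMalloc by supplying an allocator as
        their template parameter. What follows is an added, self-contained illustration of that pattern;
        it is not WTF's FastAllocator nor any JavaScriptCore code. fastMallocStandIn/fastFreeStandIn are
        hypothetical stand-ins for fastMalloc/fastFree (they wrap std::malloc/free and count calls so the
        routing can be checked), and FastUnorderedMap/FastUnorderedSet are aliases invented for the example.

```cpp
#include <climits>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <new>
#include <unordered_map>
#include <unordered_set>
#include <utility>

// Stand-ins for WTF::fastMalloc / WTF::fastFree (assumption: the real ones route to bmalloc
// when it is enabled). They count calls so a test can prove the STL containers went through them.
static size_t g_fastMallocCalls = 0;
static size_t g_fastFreeCalls = 0;

static void* fastMallocStandIn(size_t size)
{
    ++g_fastMallocCalls;
    void* p = std::malloc(size);
    if (!p)
        throw std::bad_alloc();
    return p;
}

static void fastFreeStandIn(void* p)
{
    ++g_fastFreeCalls;
    std::free(p);
}

// A minimal C++ Allocator that forwards to the fast allocator. Hypothetical type modelled on
// the idea in the entry, not copied from WTF.
template<typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() = default;
    template<typename U> FastAllocator(const FastAllocator<U>&) noexcept { }

    T* allocate(size_t n)
    {
        if (n > SIZE_MAX / sizeof(T))
            throw std::bad_array_new_length();
        return static_cast<T*>(fastMallocStandIn(n * sizeof(T)));
    }
    void deallocate(T* p, size_t) noexcept { fastFreeStandIn(p); }
};

template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return false; }

// STL containers with the allocator plugged into their last template parameter.
template<typename K, typename V>
using FastUnorderedMap = std::unordered_map<K, V, std::hash<K>, std::equal_to<K>,
    FastAllocator<std::pair<const K, V>>>;
template<typename K>
using FastUnorderedSet = std::unordered_set<K, std::hash<K>, std::equal_to<K>, FastAllocator<K>>;

// Number of fast-malloc calls made while building and destroying a map of `count` entries.
// Non-zero means the container's nodes and bucket array came from the fast allocator.
size_t fastMallocCallsForMapOfSize(int count)
{
    size_t before = g_fastMallocCalls;
    {
        FastUnorderedMap<int, int> map;
        for (int i = 0; i < count; ++i)
            map[i] = i * i;
    }
    return g_fastMallocCalls - before;
}

// True when every allocation made so far has been returned through fastFree.
bool allocationsBalanced()
{
    return g_fastMallocCalls == g_fastFreeCalls;
}

// The reason the entry gives for reaching for STL containers: a key space with no spare value
// to reserve as an "empty" or "deleted" sentinel. With std::unordered_set every int is a legal
// key, so INT_MIN, -1 and 0 can all live in the same set.
bool canStoreEveryIntKey()
{
    FastUnorderedSet<int> set;
    set.insert(0);
    set.insert(-1);
    set.insert(INT_MIN);
    return set.size() == 3 && set.count(0) == 1 && set.count(-1) == 1 && set.count(INT_MIN) == 1;
}

int main()
{
    std::printf("fastMalloc calls for 100-entry map: %zu\n", fastMallocCallsForMapOfSize(100));
    std::printf("balanced: %d, every int key storable: %d\n", allocationsBalanced(), canStoreEveryIntKey());
    return 0;
}
```

        Only allocate/deallocate and the rebinding constructor are needed; std::allocator_traits fills in
        the rest, which is why a forwarding allocator like this stays a few lines long.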
3731
3732 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3733
3734         Drop NOSNIFF compile flag
3735         https://bugs.webkit.org/show_bug.cgi?id=174289
3736
3737         Reviewed by Michael Catanzaro.
3738
3739         * Configurations/FeatureDefines.xcconfig:
3740
3741 2017-07-07  AJ Ringer  <aringer@apple.com>
3742
3743         Lower the max_protection for the separated heap
3744         https://bugs.webkit.org/show_bug.cgi?id=174281
3745
3746         Reviewed by Oliver Hunt.
3747
3748         Switch to vm_protect so we can set maximum page protection.
3749
3750         * jit/ExecutableAllocator.cpp:
3751         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3752         (JSC::ExecutableAllocator::allocate):
3753
3754 2017-07-07  Devin Rousso  <drousso@apple.com>
3755
3756         Web Inspector: Show all elements currently using a given CSS Canvas
3757         https://bugs.webkit.org/show_bug.cgi?id=173965
3758
3759         Reviewed by Joseph Pecoraro.
3760
3761         * inspector/protocol/Canvas.json:
3762          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
3763            canvas via -webkit-canvas.
3764          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
3765            added/removed from the list of -webkit-canvas clients.
3766
3767 2017-07-07  Mark Lam  <mark.lam@apple.com>
3768
3769         \n\r is not the same as \r\n.
3770         https://bugs.webkit.org/show_bug.cgi?id=173053
3771
3772         Reviewed by Keith Miller.
3773
3774         * parser/Lexer.cpp:
3775         (JSC::Lexer<T>::shiftLineTerminator):
3776         (JSC::LineNumberAdder::add):
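
        Two entries on this page concern the same lexer rule: this one ("\n\r is not the same as \r\n")
        and the 2017-07-09 entry that drops LineNumberAdder because <LF><CR> now counts as two line
        terminators. The following added example (not JavaScriptCore's code) shows the rule in isolation:
        shiftLineTerminator, isLineTerminator and normalizeTemplateLineTerminators are hypothetical
        helpers written for this illustration, and the invariant checked at the end is that the lexer's
        terminator count agrees with the <LF> count of the normalized template text.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Stand-in for the lexer's shiftLineTerminator(): given that s[i] is a line terminator, return
// the index just past the terminator it begins. <CR><LF> is one terminator; every other
// combination, including <LF><CR>, is two separate ones.
static size_t shiftLineTerminator(const std::string& s, size_t i)
{
    if (s[i] == '\r' && i + 1 < s.size() && s[i + 1] == '\n')
        return i + 2;
    return i + 1;
}

static bool isLineTerminator(char c)
{
    return c == '\n' || c == '\r';
}

// Count line terminators the way the lexer advances its line number.
size_t countLineTerminators(const std::string& s)
{
    size_t count = 0;
    for (size_t i = 0; i < s.size();) {
        if (isLineTerminator(s[i])) {
            ++count;
            i = shiftLineTerminator(s, i);
        } else
            ++i;
    }
    return count;
}

// Template-literal normalization: <CR><LF> and a lone <CR> both become <LF>, so <LF><CR>
// becomes <LF><LF> exactly as the 2017-07-09 entry states.
std::string normalizeTemplateLineTerminators(const std::string& s)
{
    std::string out;
    out.reserve(s.size());
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] == '\r') {
            out += '\n';
            if (i + 1 < s.size() && s[i + 1] == '\n')
                ++i; // swallow the LF half of a CRLF pair
        } else
            out += s[i];
    }
    return out;
}

static size_t countNewlines(const std::string& s)
{
    size_t n = 0;
    for (char c : s)
        if (c == '\n')
            ++n;
    return n;
}

// The invariant both entries rely on: the lexer's line count and the normalized template text
// agree on how many line terminators the source contains. Treating <LF><CR> as a single
// terminator would break this for any input containing that sequence.
bool lineCountMatchesNormalizedText(const std::string& s)
{
    return countLineTerminators(s) == countNewlines(normalizeTemplateLineTerminators(s));
}

int main()
{
    const char* samples[] = { "a\r\nb", "a\n\rb", "a\rb\nc", "\n\r\n" }; // constructed inputs
    for (const char* sample : samples)
        std::printf("terminators=%zu consistent=%d\n",
            countLineTerminators(sample), lineCountMatchesNormalizedText(sample));
    return 0;
}
```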
3777
3778 2017-07-07  Commit Queue  <commit-queue@webkit.org>
3779
3780         Unreviewed, rolling out r219238, r219239, and r219241.
3781         https://bugs.webkit.org/show_bug.cgi?id=174265
3782
3783         "fast/workers/dedicated-worker-lifecycle.html is flaky"
3784         (Requested by yusukesuzuki on #webkit).
3785
3786         Reverted changesets:
3787
3788         "[WTF] Implement WTF::ThreadGroup"
3789         https://bugs.webkit.org/show_bug.cgi?id=174081
3790         http://trac.webkit.org/changeset/219238
3791
3792         "Unreviewed, build fix after r219238"
3793         https://bugs.webkit.org/show_bug.cgi?id=174081
3794         http://trac.webkit.org/changeset/219239
3795
3796         "Unreviewed, CLoop build fix after r219238"
3797         https://bugs.webkit.org/show_bug.cgi?id=174081
3798         http://trac.webkit.org/changeset/219241
3799
3800 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3801
3802         Unreviewed, CLoop build fix after r219238
3803         https://bugs.webkit.org/show_bug.cgi?id=174081
3804
3805         * heap/MachineStackMarker.cpp:
3806
3807 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3808
3809         [WTF] Implement WTF::ThreadGroup
3810         https://bugs.webkit.org/show_bug.cgi?id=174081
3811
3812         Reviewed by Mark Lam.
3813
3814         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
3815         and SamplingProfiler and others interact with WTF::Thread directly.
3816
3817         * API/tests/ExecutionTimeLimitTest.cpp:
3818         * heap/MachineStackMarker.cpp:
3819         (JSC::MachineThreads::MachineThreads):
3820         (JSC::captureStack):
3821         (JSC::MachineThreads::tryCopyOtherThreadStack):
3822         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3823         (JSC::MachineThreads::gatherConservativeRoots):
3824         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3825         (JSC::ActiveMachineThreadsManager::add): Deleted.
3826         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3827         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3828         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3829         (JSC::activeMachineThreadsManager): Deleted.
3830         (JSC::MachineThreads::~MachineThreads): Deleted.
3831         (JSC::MachineThreads::addCurrentThread): Deleted.
3832         (): Deleted.
3833         (JSC::MachineThreads::removeThread): Deleted.
3834         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3835         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3836         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3837         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3838         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3839         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3840         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3841         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3842         * heap/MachineStackMarker.h:
3843         (JSC::MachineThreads::addCurrentThread):
3844         (JSC::MachineThreads::getLock):
3845         (JSC::MachineThreads::threads):
3846         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3847         (JSC::MachineThreads::MachineThread::resume): Deleted.
3848         (JSC::MachineThreads::MachineThread::threadID): Deleted.
3849         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
3850         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
3851         (JSC::MachineThreads::threadsListHead): Deleted.
3852         * runtime/SamplingProfiler.cpp:
3853         (JSC::FrameWalker::isValidFramePointer):
3854         (JSC::SamplingProfiler::SamplingProfiler):
3855         (JSC::SamplingProfiler::takeSample):
3856         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3857         * runtime/SamplingProfiler.h:
3858         * wasm/WasmMachineThreads.cpp:
3859         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3860
3861 2017-07-06  Saam Barati  <sbarati@apple.com>
3862
3863         We are missing places where we invalidate the for-in context
3864         https://bugs.webkit.org/show_bug.cgi?id=174184
3865
3866         Reviewed by Geoffrey Garen.
3867
3868         * bytecompiler/BytecodeGenerator.cpp:
3869         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3870         * bytecompiler/NodesCodegen.cpp:
3871         (JSC::EmptyLetExpression::emitBytecode):
3872         (JSC::ForInNode::emitLoopHeader):
3873         (JSC::ForOfNode::emitBytecode):
3874         (JSC::BindingNode::bindValue):
3875
3876 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3877
3878         Unreviewed, suppress warnings in GCC environment
3879
3880         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3881         * runtime/IntlCollator.cpp:
3882         * runtime/IntlDateTimeFormat.cpp:
3883         * runtime/JSGlobalObject.cpp:
3884         * runtime/StringPrototype.cpp:
3885
3886 2017-07-05  Saam Barati  <sbarati@apple.com>
3887
3888         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
3889         https://bugs.webkit.org/show_bug.cgi?id=174188
3890         <rdar://problem/30581423>
3891
3892         Reviewed by Mark Lam.
3893
3894         We were calling lowJSValue(edge) when we were speculating the
3895         edge as double. This isn't allowed. We should have been using
3896         lowDouble.
3897         
3898         This patch also adds a new option, called useArrayAllocationProfiling,
3899         which defaults to true. When false, it will make the array allocation
3900         profile not actually sample seen arrays. It'll force the allocation
3901         profile's predicted indexing type to be ArrayWithUndecided. Adding
3902         this option made it trivial to write a test for this bug.
3903
3904         * bytecode/ArrayAllocationProfile.cpp:
3905         (JSC::ArrayAllocationProfile::updateIndexingType):
3906         * ftl/FTLLowerDFGToB3.cpp:
3907         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3908         * runtime/Options.h:
3909
3910 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3911
3912         WTF::Thread should have the threads stack bounds.
3913         https://bugs.webkit.org/show_bug.cgi?id=173975
3914
3915         Reviewed by Keith Miller.
3916
3917         There is a site in JSC that tries to walk another thread's stack.
3918         Currently, stack bounds are stored in WTFThreadData, which is located
3919         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3920         We work around this situation by holding StackBounds in MachineThread in JSC,
3921         but StackBounds should be put in WTF::Thread instead.
3922
3923         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3924         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3925         is a natural choice.
3926
3927         * heap/MachineStackMarker.cpp:
3928         (JSC::MachineThreads::MachineThread::MachineThread):
3929         (JSC::MachineThreads::MachineThread::captureStack):
3930         * heap/MachineStackMarker.h:
3931         (JSC::MachineThreads::MachineThread::stackBase):
3932         (JSC::MachineThreads::MachineThread::stackEnd):
3933         * runtime/InitializeThreading.cpp:
3934         (JSC::initializeThreading):
3935         * runtime/VM.cpp:
3936         (JSC::VM::VM):
3937         (JSC::VM::updateStackLimits):
3938         (JSC::VM::committedStackByteCount):
3939         * runtime/VM.h:
3940         (JSC::VM::isSafeToRecurse):
3941         * runtime/VMEntryScope.cpp:
3942         (JSC::VMEntryScope::VMEntryScope):
3943         * runtime/VMInlines.h:
3944         (JSC::VM::ensureStackCapacityFor):
3945         * runtime/VMTraps.cpp:
3946         * yarr/YarrPattern.cpp:
3947         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3948
3949 2017-07-05  Keith Miller  <keith_miller@apple.com>
3950
3951         Crashing with information should have an abort reason
3952         https://bugs.webkit.org/show_bug.cgi?id=174185
3953
3954         Reviewed by Saam Barati.
3955
3956         Add crash information for the abstract interpreter and add an enum
3957         value for object allocation sinking.
3958
3959         * assembler/AbortReason.h:
3960         * dfg/DFGAbstractInterpreterInlines.h:
3961         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3962         * dfg/DFGGraph.cpp:
3963         (JSC::DFG::logDFGAssertionFailure):
3964         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3965
3966 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3967
3968         Remove copy of ICU headers from WebKit
3969         https://bugs.webkit.org/show_bug.cgi?id=116407
3970
3971         Reviewed by Alex Christensen.
3972
3973         Use WTF's copy of ICU headers.
3974
3975         * Configurations/Base.xcconfig:
3976         * icu/unicode/localpointer.h: Removed.
3977         * icu/unicode/parseerr.h: Removed.
3978         * icu/unicode/platform.h: Removed.
3979         * icu/u