1fa5b64dc8a78967de4bf08e1aea1d88c282cbb7
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>

        Remove excessive include directives from WTF
        https://bugs.webkit.org/show_bug.cgi?id=173553

        Reviewed by Saam Barati.

        * profiler/ProfilerDatabase.cpp: Added missing include directive.
        * runtime/SamplingProfiler.cpp: Ditto.

2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>

        Revert changes in bug#160417 about extending `null` not being a derived class
        https://bugs.webkit.org/show_bug.cgi?id=169293

        Reviewed by Saam Barati.

        Reverted changes in bug#160417 about extending `null` not being a derived class
        according to changes in spec:
        https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2

        * builtins/BuiltinNames.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::BytecodeGenerator):
        (JSC::BytecodeGenerator::emitReturn):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ClassExprNode::emitBytecode):

2017-06-20  Saam Barati  <sbarati@apple.com>

        repatchIn needs to lock the CodeBlock's lock
        https://bugs.webkit.org/show_bug.cgi?id=173573

        Reviewed by Yusuke Suzuki.

        CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
        lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
        an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
        with the marking thread. repatchIn was not grabbing the lock. I haven't been
        able to get it to crash, but this is needed for the same reasons that get and put IC
        regeneration grab the lock.

        * jit/Repatch.cpp:
        (JSC::repatchIn):

2017-06-19  Devin Rousso  <drousso@apple.com>

        Web Inspector: create canvas content view and details sidebar panel
        https://bugs.webkit.org/show_bug.cgi?id=138941
        <rdar://problem/19051672>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
         - Add an optional `nodeId` attribute to the `Canvas` type.
         - Add `requestNode` command for getting the node id of the backing canvas element.
         - Add `requestContent` command for getting the current image content of the canvas.

2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for ARM

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::internalCompare32):

2017-06-13  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] More ArrayIndexOf fixups for various types
        https://bugs.webkit.org/show_bug.cgi?id=173176

        Reviewed by Saam Barati.

        This patch further expands coverage of ArrayIndexOf optimization in DFG and FTL.

        1. We attempt to fold ArrayIndexOf to constant (-1) if we know that its array
        never contains the given search value.

        2. We support Symbol and Other specialization additionally. Especially, Other is
        useful because null/undefined can be used as a sentinel value.

        One interesting thing is that Array.prototype.indexOf does not consider holes as
        undefineds. Thus,

            var array = [,,,,,,,];
            array.indexOf(undefined); // => -1

        This can be trivially achieved in JSC because Empty and Undefined are different values.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupArrayIndexOf):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
        (JSC::DFG::SpeculativeJIT::speculateOther):
        * dfg/DFGSpeculativeJIT.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):

2017-06-19  Caio Lima  <ticaiolima@gmail.com>

        [ARMv6][DFG] ARM MacroAssembler is always emitting cmn when immediate is 0
        https://bugs.webkit.org/show_bug.cgi?id=172972

        Reviewed by Mark Lam.

        We are changing the internalCompare32 implementation in the ARM
        MacroAssembler to emit "cmp" when "right.value" is 0.
        The current code generates wrong comparisons, since the
        semantics of cmn are the opposite of cmp [1]. One case it breaks is
        "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))", which ends
        up producing the following assembly code:

        ```
        cmn $r0, #0
        bhi <address>
        ```

        However, as cmn is similar to "adds", it will never take the branch
        when $r0 > 0. In that case, the correct opcode is "cmp". With this
        patch we fix currently broken tests that use
        "branch32(MacroAssembler::Above, gpr, TrustedImm32(0))",
        such as ForwardVarargs, Spread and GetRestLength.

        [1] - http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihiddid.html

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::internalCompare32):

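The cmn/cmp asymmetry behind this entry, worked through as an added example (not WebKit code): a small JavaScript model of the ARM NZCV flags for cmp (subtraction) and cmn (addition), with the HI condition that MacroAssembler::Above selects. cmn r0, #0 adds zero, which never carries, so C is never set and HI (C set, Z clear) can never be true; the function and condition names are assumptions for illustration.

```javascript
// Added example: model of ARM NZCV flag computation for cmp / cmn on 32-bit
// operands. cmpFlags, cmnFlags, branchTaken and sameFlags are illustrative
// names, not JSC MacroAssembler API.

// cmp lhs, #imm computes lhs - imm; C is set when no borrow occurs (lhs >= imm unsigned).
function cmpFlags(lhs, imm) {
  const a = lhs >>> 0;
  const b = imm >>> 0;
  const res = (a - b) >>> 0;
  return {
    N: (res >>> 31) === 1,
    Z: res === 0,
    C: a >= b,
    V: (((a ^ b) & (a ^ res)) >>> 31) === 1, // signed overflow of a - b
  };
}

// cmn lhs, #imm computes lhs + imm; C is the carry out of the 32-bit addition.
function cmnFlags(lhs, imm) {
  const a = lhs >>> 0;
  const b = imm >>> 0;
  const sum = a + b;        // exact: at most 33 bits, representable in a double
  const res = sum >>> 0;
  return {
    N: (res >>> 31) === 1,
    Z: res === 0,
    C: sum > 0xffffffff,
    V: ((~(a ^ b) & (a ^ res)) >>> 31) === 1, // signed overflow of a + b
  };
}

// ARM condition codes behind the relational conditions used with branch32.
const CONDITIONS = {
  Equal:        f => f.Z,                 // EQ
  NotEqual:     f => !f.Z,                // NE
  Above:        f => f.C && !f.Z,         // HI: unsigned higher
  AboveOrEqual: f => f.C,                 // HS / CS
  Below:        f => !f.C,                // LO / CC
  BelowOrEqual: f => !f.C || f.Z,         // LS
  GreaterThan:  f => !f.Z && f.N === f.V, // GT
  LessThan:     f => f.N !== f.V,         // LT
};

// Evaluates "branch32(condition, gpr, TrustedImm32(imm))" given the comparison
// instruction the assembler emitted ("cmn" is the pre-fix choice for imm 0).
function branchTaken(condition, gprValue, imm, instruction) {
  const flags = instruction === "cmn" ? cmnFlags(gprValue, imm) : cmpFlags(gprValue, imm);
  return CONDITIONS[condition](flags);
}

// cmp r, #imm and cmn r, #-imm yield the same flags for an ordinary non-zero
// immediate (which is why assemblers swap them), but not for imm 0: cmn r, #0
// never carries while cmp r, #0 always does.
function sameFlags(lhs, imm) {
  const x = cmpFlags(lhs, imm);
  const y = cmnFlags(lhs, -imm);
  return x.N === y.N && x.Z === y.Z && x.C === y.C && x.V === y.V;
}
```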
2017-06-19  Joseph Pecoraro  <pecoraro@apple.com>

        test262: Completion values for control flow do not match the spec
        https://bugs.webkit.org/show_bug.cgi?id=171265

        Reviewed by Saam Barati.

        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::shouldBeConcernedWithCompletionValue):
        When we care about having proper completion values (global code
        in programs, modules, and eval) insert undefined results for
        control flow statements.

        * bytecompiler/NodesCodegen.cpp:
        (JSC::SourceElements::emitBytecode):
        Reduce writing a default `undefined` value to the completion result to
        only once before the last statement we know will produce a value.

        (JSC::IfElseNode::emitBytecode):
        (JSC::WithNode::emitBytecode):
        (JSC::WhileNode::emitBytecode):
        (JSC::ForNode::emitBytecode):
        (JSC::ForInNode::emitBytecode):
        (JSC::ForOfNode::emitBytecode):
        (JSC::SwitchNode::emitBytecode):
        Insert an undefined to handle cases where code may break out of an
        if/else or with statement (break/continue).

        (JSC::TryNode::emitBytecode):
        Same handling for break cases. Also, finally block statement completion
        values are always ignored for the try statement result.

        (JSC::ClassDeclNode::emitBytecode):
        Class declarations, like function declarations, produce an empty result.

        * parser/Nodes.cpp:
        (JSC::SourceElements::lastStatement):
        (JSC::SourceElements::hasCompletionValue):
        (JSC::SourceElements::hasEarlyBreakOrContinue):
        (JSC::BlockNode::lastStatement):
        (JSC::BlockNode::singleStatement):
        (JSC::BlockNode::hasCompletionValue):
        (JSC::BlockNode::hasEarlyBreakOrContinue):
        (JSC::ScopeNode::singleStatement):
        (JSC::ScopeNode::hasCompletionValue):
        (JSC::ScopeNode::hasEarlyBreakOrContinue):
        The only non-trivial cases need to loop through their list of statements
        to determine if this has a completion value or not. Likewise for
        determining if there is an early break / continue, meaning a break or
        continue statement with no preceding statement that has a completion value.

        * parser/Nodes.h:
        (JSC::StatementNode::next):
        (JSC::StatementNode::hasCompletionValue):
        Helper to check if a statement node produces a completion value or not.

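The completion-value rules this entry implements, observed from script through indirect eval, as an added example that is not part of the WebKit change: a control-flow statement whose body produced nothing completes with undefined rather than letting an earlier value leak through, a body that breaks out carries its value, and empty blocks and declarations leave the previous value in place. completionValue and runCases are illustrative helpers.

```javascript
// Added example: completion values of control-flow statements as seen from
// eval'd program code. completionValue / runCases are illustrative names.

// An indirect eval runs the source as global code and returns its completion
// value, exactly the case the entry's shouldBeConcernedWithCompletionValue covers.
const indirectEval = eval;

function completionValue(source) {
  return indirectEval(source);
}

// Each case pairs a source with the value the spec (and test262) requires.
const CASES = [
  // A preceding value must not leak through a control-flow statement whose
  // body produced nothing: the statement completes with undefined.
  { src: "1; if (true) {}",                   expected: undefined },
  { src: "1; while (false) {}",               expected: undefined },
  // Breaking out of an if with no value gives undefined, not the earlier 1.
  { src: "1; L: if (true) { break L; }",      expected: undefined },
  // A body that does produce a value supplies the completion, even across break.
  { src: "1; if (false) {} else { 2; }",      expected: 2 },
  { src: "1; do { 5; break; } while (false)", expected: 5 },
  // An empty block and a function declaration are empty completions, so the
  // previous value 1 survives.
  { src: "1; {}",                             expected: 1 },
  { src: "1; function f() {}",                expected: 1 },
];

// Evaluates every case and reports whether the engine agrees with the spec.
function runCases() {
  return CASES.map(c => {
    const actual = completionValue(c.src);
    return { src: c.src, actual, expected: c.expected, ok: Object.is(actual, c.expected) };
  });
}
```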
2017-06-19  Adrian Perez de Castro  <aperez@igalia.com>

        Missing <functional> includes make builds fail with GCC 7.x
        https://bugs.webkit.org/show_bug.cgi?id=173544

        Unreviewed gardening.

        Fix compilation with GCC 7.

        * API/tests/CompareAndSwapTest.cpp:
        * runtime/VMEntryScope.h:

2017-06-17  Keith Miller  <keith_miller@apple.com>

        ArrayBuffer constructor needs to create subclass structures before its buffer
        https://bugs.webkit.org/show_bug.cgi?id=173510

        Reviewed by Yusuke Suzuki.

        * runtime/JSArrayBufferConstructor.cpp:
        (JSC::constructArrayBuffer):

2017-06-17  Keith Miller  <keith_miller@apple.com>

        ArrayPrototype methods should use JSValue::toLength for non-Arrays.
        https://bugs.webkit.org/show_bug.cgi?id=173506

        Reviewed by Ryosuke Niwa.

        This patch changes the result of unshift if old length +
        unshift.arguments.length > (2 ** 53) - 1 to be a type error. Also,
        the getLength function, which was always incorrect to use, has
        been removed. Additionally, some cases where we were using a
        constant for (2 ** 53) - 1 have been replaced with
        maxSafeInteger().

        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * runtime/ArrayPrototype.cpp:
        (JSC::arrayProtoFuncToLocaleString):
        (JSC::arrayProtoFuncPop):
        (JSC::arrayProtoFuncPush):
        (JSC::arrayProtoFuncReverse):
        (JSC::arrayProtoFuncShift):
        (JSC::arrayProtoFuncSlice):
        (JSC::arrayProtoFuncSplice):
        (JSC::arrayProtoFuncUnShift):
        (JSC::arrayProtoFuncIndexOf):
        (JSC::arrayProtoFuncLastIndexOf):
        * runtime/JSArrayInlines.h:
        (JSC::getLength): Deleted.
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toLength):
        * runtime/NumberConstructor.cpp:
        (JSC::numberConstructorFuncIsSafeInteger):

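What the ToLength semantics of this entry mean for an array-like receiver, as an added example that is not part of the WebKit change: a reference toLength (the clamp JSValue::toLength performs) beside push, unshift and pop applied to plain objects whose "length" is negative, a string, or at or beyond 2 ** 53 - 1, where unshift and push must throw a TypeError. toLength and applyArrayMethod are illustrative helper names.

```javascript
// Added example: ToLength on array-like receivers of Array.prototype methods.
// MAX_SAFE_LENGTH, toLength and applyArrayMethod are illustrative names, not JSC API.

const MAX_SAFE_LENGTH = 2 ** 53 - 1; // Number.MAX_SAFE_INTEGER: the ToLength ceiling

// Reference ToLength: ToIntegerOrInfinity, then clamp into [0, 2**53 - 1].
// NaN and negatives (including -0) become 0; anything larger is clamped.
function toLength(value) {
  const n = Math.trunc(Number(value));
  if (Number.isNaN(n) || n <= 0) return 0;
  return Math.min(n, MAX_SAFE_LENGTH);
}

// Applies Array.prototype[method] to a fresh plain object carrying the given
// "length" (so the generic, non-Array path is taken) and reports the return
// value, the resulting length, and the name of any error thrown.
function applyArrayMethod(method, length, ...args) {
  const o = { length };
  try {
    const result = Array.prototype[method].call(o, ...args);
    return { result, length: o.length, error: null };
  } catch (e) {
    return { result: undefined, length: o.length, error: e.constructor.name };
  }
}
```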
2017-06-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
        https://bugs.webkit.org/show_bug.cgi?id=172623
        <rdar://problem/32415986>

        Reviewed by Devin Rousso and Joseph Pecoraro.

        This patch adds a basic Canvas protocol. It includes Canvas and related
        types and events for monitoring the lifetime of canvases in the page.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Add special handling for Canvas.ContextType protocol enumeration,
        so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.

2017-06-16  Wenson Hsieh  <wenson_hsieh@apple.com>

        [iOS DnD] Upstream iOS drag and drop implementation into OpenSource WebKit
        https://bugs.webkit.org/show_bug.cgi?id=173366
        <rdar://problem/32767014>

        Reviewed by Tim Horton.

        Introduce ENABLE_DATA_INTERACTION and ENABLE_DRAG_SUPPORT to FeatureDefines.xcconfig.

        * Configurations/FeatureDefines.xcconfig:

2017-06-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add fast path for Object.assign
        https://bugs.webkit.org/show_bug.cgi?id=173416

        Reviewed by Mark Lam.

        In the Object.assign implementation, we need to ensure that the given key is still an enumerable own key.
        This seems like a duplicate lookup, and we want to avoid it. However, we still need to perform this
        check in the face of Proxy. Proxy can observe that this check is done correctly.

        In almost all the cases, the above check is a duplicate of the subsequent [[Get]] operation.
        In this patch, we perform this check. But at that time, we investigate `isTaintedByOpaqueObject()`.
        If it is false, we can say that getOwnPropertySlot is pure. In that case, we can just retrieve the
        value by calling `slot.getValue()`.

        This further improves performance of Object.assign.

                                        baseline                  patched

            object-assign.es6      363.6706+-6.4381     ^    324.1769+-6.9624        ^ definitely 1.1218x faster

        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

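The per-key lookups this entry talks about, made observable from script as an added example that is not part of the WebKit change: a Proxy source logs the ownKeys, getOwnPropertyDescriptor and get traps Object.assign fires (the "is it still an enumerable own key" check precedes each [[Get]] and is skipped entirely for a non-enumerable key), and a plain-object source with a getter that deletes a later key shows the check doing real work even without a Proxy. recordAssignTraps and assignWithDeletingGetter are illustrative names.

```javascript
// Added example: the observable operation order of Object.assign, which any
// fast path must preserve. recordAssignTraps / assignWithDeletingGetter are
// illustrative names, not JSC API.

// Source object constructed for the example: "a" enumerable, "b" not.
function recordAssignTraps() {
  const log = [];
  const source = { a: 1 };
  Object.defineProperty(source, "b", { value: 2, enumerable: false });

  // Every trap records its call; the order is what the spec prescribes:
  // one [[OwnPropertyKeys]], then per key [[GetOwnProperty]] and, only if
  // that reports an enumerable data or accessor property, [[Get]].
  const observed = new Proxy(source, {
    ownKeys(t) {
      log.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, key) {
      log.push(`getOwnPropertyDescriptor:${String(key)}`);
      return Reflect.getOwnPropertyDescriptor(t, key);
    },
    get(t, key, receiver) {
      log.push(`get:${String(key)}`);
      return Reflect.get(t, key, receiver);
    },
  });

  const target = Object.assign({}, observed);
  return { log, target };
}

// Without a Proxy the check still matters: the getter for "a" deletes "b"
// while Object.assign is iterating, so the later [[GetOwnProperty]] for "b"
// finds nothing and "b" is not copied.
function assignWithDeletingGetter() {
  const source = {
    get a() {
      delete source.b;
      return 1;
    },
    b: 2,
  };
  return Object.assign({}, source);
}
```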
2017-06-16  Michael Saboff  <msaboff@apple.com>

        Intermittent crash running Internal/Tests/InternalJSTests/Regress/radar-24300617.js
        https://bugs.webkit.org/show_bug.cgi?id=173488

        Reviewed by Filip Pizlo.

        ClonedArguments lazily sets its callee and iterator properties and it used its own inline
        code to initialize its butterfly. This means that these lazily set properties can have
        bogus values in those slots. Instead, let's use the standard Butterfly::tryCreate() method
        to create the butterfly as it clears out-of-line properties.

        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):

2017-06-16  Mark Lam  <mark.lam@apple.com>

        Interpreter methods for mapping between Opcode and OpcodeID need not be instance methods.
        https://bugs.webkit.org/show_bug.cgi?id=173491

        Reviewed by Keith Miller.

        The implementations are based on static data. There's no need to get the
        interpreter instance. Hence, we can make these methods static and avoid doing
        unnecessary work to compute the interpreter this pointer.

        Also removed the unused isCallBytecode method.

        * bytecode/BytecodeBasicBlock.cpp:
        (JSC::BytecodeBasicBlock::computeImpl):
        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::printGetByIdOp):
        (JSC::BytecodeDumper<Block>::printGetByIdCacheStatus):
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        (JSC::BytecodeDumper<Block>::dumpBlock):
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::dumpResults):
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction):
        * bytecode/BytecodeRewriter.cpp:
        (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
        * bytecode/CallLinkStatus.cpp:
        (JSC::CallLinkStatus::computeFromLLInt):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::finalizeLLIntInlineCaches):
        (JSC::CodeBlock::hasOpDebugForLineAndColumn):
        (JSC::CodeBlock::usesOpcode):
        (JSC::CodeBlock::valueProfileForBytecodeOffset):
        (JSC::CodeBlock::arithProfileForPC):
        (JSC::CodeBlock::insertBasicBlockBoundariesForControlFlowProfiler):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::getJumpTargetsForBytecodeOffset):
        (JSC::computePreciseJumpTargetsInternal):
        (JSC::findJumpTargetsForBytecodeOffset):
        * bytecode/PreciseJumpTargetsInlines.h:
        (JSC::extractStoredJumpTargetsForBytecodeOffset):
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::applyModification):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::getPredictionWithoutOSRExit):
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):
        (JSC::Interpreter::isOpcode):
        (): Deleted.
        * interpreter/Interpreter.h:
        (JSC::Interpreter::getOpcode): Deleted.
        (JSC::Interpreter::getOpcodeID): Deleted.
        (JSC::Interpreter::isCallBytecode): Deleted.
        * interpreter/InterpreterInlines.h:
        (JSC::Interpreter::getOpcode):
        (JSC::Interpreter::getOpcodeID):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::privateCompileSlowCases):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emitNewFuncCommon):
        (JSC::JIT::emitNewFuncExprCommon):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        (JSC::JIT::privateCompilePutByVal):
        * jit/JITPropertyAccess32_64.cpp:
        (JSC::JIT::emitSlow_op_put_by_val):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        * profiler/ProfilerBytecodeSequence.cpp:
        (JSC::Profiler::BytecodeSequence::BytecodeSequence):

2017-06-16  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r218376.

        The patch caused multiple Layout Test crashes.

        Reverted changeset:

        "Web Inspector: Instrument 2D/WebGL canvas contexts in the
        backend"
        https://bugs.webkit.org/show_bug.cgi?id=172623
        http://trac.webkit.org/changeset/218376

2017-06-16  Konstantin Tokarev  <annulen@yandex.ru>

        REGRESSION(r166799): LogsPageMessagesToSystemConsoleEnabled corrupts non-ASCII characters
        https://bugs.webkit.org/show_bug.cgi?id=173470

        Reviewed by Joseph Pecoraro.

        ConsoleClient::printConsoleMessageWithArguments() incorrectly uses the
        const char* overload of StringBuilder::append() that assumes Latin1
        encoding, not UTF8.

        * runtime/ConsoleClient.cpp:
        (JSC::ConsoleClient::printConsoleMessageWithArguments):

2017-06-15  Mark Lam  <mark.lam@apple.com>

        Add a JSRunLoopTimer registry in VM.
        https://bugs.webkit.org/show_bug.cgi?id=173429
        <rdar://problem/31287961>

        Reviewed by Filip Pizlo.

        This way, we can be sure we've got every JSRunLoopTimer instance covered if we
        need to change their run loop (e.g. when setting to the WebThread's run loop).

        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::setRunLoop): Deleted.
        * heap/Heap.h:
        (JSC::Heap::runLoop): Deleted.
        * runtime/JSRunLoopTimer.cpp:
        (JSC::JSRunLoopTimer::JSRunLoopTimer):
        (JSC::JSRunLoopTimer::setRunLoop):
        (JSC::JSRunLoopTimer::~JSRunLoopTimer):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::registerRunLoopTimer):
        (JSC::VM::unregisterRunLoopTimer):
        (JSC::VM::setRunLoop):
        * runtime/VM.h:
        (JSC::VM::runLoop):

2017-06-15  Joseph Pecoraro  <pecoraro@apple.com>

        [Cocoa] Modernize some internal initializers to use instancetype instead of id
        https://bugs.webkit.org/show_bug.cgi?id=173112

        Reviewed by Wenson Hsieh.

        * API/JSContextInternal.h:
        * API/JSWrapperMap.h:
        * API/JSWrapperMap.mm:
        (-[JSObjCClassInfo initForClass:]):
        (-[JSWrapperMap initWithGlobalContextRef:]):

2017-06-15  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument 2D/WebGL canvas contexts in the backend
        https://bugs.webkit.org/show_bug.cgi?id=172623
        <rdar://problem/32415986>

        Reviewed by Devin Rousso.

        This patch adds a basic Canvas protocol. It includes Canvas and related
        types and events for monitoring the lifetime of canvases in the page.

        * CMakeLists.txt:
        * DerivedSources.make:
        * inspector/protocol/Canvas.json: Added.

        * inspector/scripts/codegen/generator.py:
        (Generator.stylized_name_for_enum_value):
        Add special handling for Canvas.ContextType protocol enumeration,
        so that "canvas-2d" and "webgl" map to `Canvas2D` and `WebGL`.

2017-06-15  Keith Miller  <keith_miller@apple.com>

        Add logging to MachineStackMarker to try to diagnose crashes in the wild
        https://bugs.webkit.org/show_bug.cgi?id=173427

        Reviewed by Mark Lam.

        This patch adds some logging to the MachineStackMarker constructor
        to help figure out where we are seeing crashes. Since macOS does
        not support os_log_info my hope is that if we set all the callee
        save registers before making any calls in the C++ code we can
        figure out which call is the source of the crash. We also set
        all the caller save registers before returning in case some
        weirdness is happening in the Heap constructor.

        This logging should not matter from a performance perspective. We
        only create MachineStackMarkers when we are creating a new VM,
        which is already expensive.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):

2017-06-15  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement Object.assign in C++
        https://bugs.webkit.org/show_bug.cgi?id=173414

        Reviewed by Saam Barati.

        Implementing Object.assign in JS is not so good compared to the C++ version because:

        1. The JS version allocates a JS array for the object's own keys, and we allocate a JSString / Symbol for each key.
        But basically, they can be handled as UniquedStringImpl in C++. Allocating these cells is wasteful.

        2. While implementing builtins in JS offers some good type speculation chances, Object.assign is inherently super polymorphic.
        So JS's type profile doesn't help well.

        3. We have a chance to introduce various fast paths for Object.assign in C++.

        This patch moves the implementation from JS to C++. It achieves the above (1) and (2). (3) is filed in [1].

        We can see a 1.65x improvement in SixSpeed object-assign.es6.

                                    baseline                  patched

        object-assign.es6      643.3253+-8.0521     ^    389.1075+-8.8840        ^ definitely 1.6533x faster

        [1]: https://bugs.webkit.org/show_bug.cgi?id=173416

        * builtins/ObjectConstructor.js:
        (entries):
        (assign): Deleted.
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::putInline):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::putInline):
        * runtime/JSObject.cpp:
        (JSC::JSObject::put):
        * runtime/JSObject.h:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInlineForJSObject):
        (JSC::JSObject::putInline): Deleted.
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):

2017-06-14  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Objective-C class whose name begins with an underscore can’t be exported to JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=168578

        Reviewed by Geoff Garen.

        * API/JSWrapperMap.mm:
        (allocateConstructorForCustomClass): Updated for change to forEachProtocolImplementingProtocol.
        (-[JSObjCClassInfo allocateConstructorAndPrototype]): Ditto.
        (-[JSWrapperMap classInfoForClass:]): If the class name begins with an underscore, check if
          it defines conformance to a JSExport-derived protocol and if so, avoid using the
          superclass as a substitute as we’d normally do.

        * API/ObjcRuntimeExtras.h:
        (forEachProtocolImplementingProtocol): Added a "stop" argument to the block to let callers
          bail out.

        * API/tests/JSExportTests.mm:
        (+[JSExportTests classNamePrefixedWithUnderscoreTest]): New test for this.
        (runJSExportTests): Run new test.

2017-06-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, suppress invalid register allocation validation assertion in 32 bit part 2
        https://bugs.webkit.org/show_bug.cgi?id=172421

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):

2017-06-14  Claudio Saavedra  <csaavedra@igalia.com>

        REGRESSION: 15 new jsc failures in WPE and GTK+
        https://bugs.webkit.org/show_bug.cgi?id=173349

        Reviewed by JF Bastien.

        Recent changes to generateWasm.py are not accounted for from
        CMake, which leads to WasmOps.h not being regenerated in partial
        builds. Make generateWasm.py an additional dependency.

        * CMakeLists.txt:

2017-06-13  Joseph Pecoraro  <pecoraro@apple.com>

        Debugger has unexpected effect on program correctness
        https://bugs.webkit.org/show_bug.cgi?id=172683

        Reviewed by Saam Barati.

        * inspector/InjectedScriptSource.js:
        (InjectedScript.RemoteObject.prototype._appendPropertyPreviews):
        (InjectedScript.RemoteObject.prototype._isPreviewableObjectInternal):
        (BasicCommandLineAPI):
        Eliminate for..of use with Arrays from InjectedScriptSource as it can be observable.
        We still use it for Set / Map iteration which we can eliminate when moving to builtins.

2017-06-13  JF Bastien  <jfbastien@apple.com>

        WebAssembly: fix erroneous signature comment
        https://bugs.webkit.org/show_bug.cgi?id=173334

        Reviewed by Keith Miller.

        * wasm/WasmSignature.h:

2017-06-13  Michael Saboff  <msaboff@apple.com>

        Refactor AbsenceOfSetter to AbsenceOfSetEffects
        https://bugs.webkit.org/show_bug.cgi?id=173322

        Reviewed by Filip Pizlo.

        * bytecode/ObjectPropertyCondition.h:
        (JSC::ObjectPropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::ObjectPropertyCondition::absenceOfSetEffect):
        (JSC::ObjectPropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
        (JSC::ObjectPropertyCondition::absenceOfSetter): Deleted.
        * bytecode/ObjectPropertyConditionSet.cpp:
        (JSC::generateConditionsForPropertySetterMiss):
        (JSC::generateConditionsForPropertySetterMissConcurrently):
        * bytecode/PropertyCondition.cpp:
        (JSC::PropertyCondition::dumpInContext):
        (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
        (JSC::PropertyCondition::isStillValid):
        (WTF::printInternal):
        * bytecode/PropertyCondition.h:
        (JSC::PropertyCondition::absenceOfSetEffectWithoutBarrier):
        (JSC::PropertyCondition::absenceOfSetEffect):
        (JSC::PropertyCondition::hasPrototype):
        (JSC::PropertyCondition::hash):
        (JSC::PropertyCondition::operator==):
        (JSC::PropertyCondition::absenceOfSetterWithoutBarrier): Deleted.
        (JSC::PropertyCondition::absenceOfSetter): Deleted.

2017-06-13  JF Bastien  <jfbastien@apple.com>

        WebAssembly: import updated spec tests
        https://bugs.webkit.org/show_bug.cgi?id=173287
        <rdar://problem/32725975>

        Reviewed by Saam Barati.

        Import spec tests as of 31c641cc15f2aedbec2fa45a5185f68416df578b,
        with a few modifications so things work.

        Fix a bunch of bugs found through this process, and punt a few tests (which I
        marked as blocked by this bug).

        Fixes:

        Fix load / store alignment: r216908 erroneously implemented it as bit alignment
        instead of byte alignment. It was also missing memory-alignment.js despite it
        being in the ChangeLog, so add it too. This allows spec-test/align.wast.js to
        pass.

        Tables can be imported or in a section. There can be only one, but sections can
        be empty. An Elements section can exist if there's no Table, as long as it is
        also empty.

        Memories can be imported or in a section. There can be only one, but sections
        can be empty. A Data section can exist if there's no Memory, as long as it is
        also empty.

        Prototypes: stringify without .prototype. in the string.

        WebAssembly.Table.prototype.grow was plain wrong: it takes a delta parameter,
        not a final size, and throws a RangeError on failure, not a TypeError.

        Fix compile / instantiate so they reject the promise if given an argument of the
        wrong type (instead of failing instantly).

        Fix async on neuter test.

        Element section shouldn't affect any Table if any of the elements are out of
        bounds. We need to process it in two passes.

        Segment section shouldn't affect any Data if any of the segments are out of
        bounds. We need to process it in two passes.

        Empty data segments are valid, but only when there is no memory. Their index
        still gets validated, and has to be zero.

        Punts:

        Error messages with context, the test seems overly restrictive but this is
        minor.

        compile/instantiate/validate property descriptors.

        UTF-8 bugs.

        Temporarily disable NaN tests. We need to go back and implement the following
        semantics: https://github.com/WebAssembly/spec/pull/414 This doesn't matter as
        much as getting all the other tests passing.

        Worth noting for NaNs: f64.no_fold_mul_one (also a NaN test) as well as
        no_fold_promote_demote (an interesting corner case which we get wrong). mul by
        one is (assert_return (invoke "f64.no_fold_mul_one" (i64.const
        0x7ff4000000000000)) (i64.const 0x7ff8000000000000)) which means converting sNaN
        to qNaN, and promote/demote is (assert_return (invoke "no_fold_promote_demote"
        (i32.const 0x7fa00000)) (i32.const 0x7fc00000)) which is the same. I'm not sure
        why they're not allowed.

        * wasm/WasmB3IRGenerator.cpp:
        * wasm/WasmFunctionParser.h:
        * wasm/WasmModuleParser.cpp:
        * wasm/WasmModuleParser.h:
        * wasm/WasmParser.h:
        (JSC::Wasm::Parser<SuccessType>::consumeUTF8String):
        * wasm/generateWasm.py:
        (memoryLog2Alignment):
        * wasm/js/JSWebAssemblyTable.cpp:
        (JSC::JSWebAssemblyTable::grow):
        * wasm/js/JSWebAssemblyTable.h:
        * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
        * wasm/js/WebAssemblyInstancePrototype.cpp:
        * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
        * wasm/js/WebAssemblyMemoryPrototype.cpp:
        * wasm/js/WebAssemblyModulePrototype.cpp:
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyCompileFunc):
        (JSC::resolve):
        (JSC::instantiate):
        (JSC::compileAndInstantiate):
        (JSC::webAssemblyInstantiateFunc):
        * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
        * wasm/js/WebAssemblyTablePrototype.cpp:
        (JSC::webAssemblyTableProtoFuncGrow):

737 2017-06-13  Michael Saboff  <msaboff@apple.com>
738
739         DFG doesn't properly handle a property that is changed to read only in a prototype
740         https://bugs.webkit.org/show_bug.cgi?id=173321
741
742         Reviewed by Filip Pizlo.
743
744         We need to check for ReadOnly as well as not being a Setter when checking
745         an AbsenceOfSetter.
746
747         * bytecode/PropertyCondition.cpp:
748         (JSC::PropertyCondition::isStillValidAssumingImpurePropertyWatchpoint):
749
750 2017-06-13  Daniel Bates  <dabates@apple.com>
751
752         Implement W3C Secure Contexts Draft Specification
753         https://bugs.webkit.org/show_bug.cgi?id=158121
754         <rdar://problem/26012994>
755
756         Reviewed by Brent Fulgham.
757
758         Part 4
759
760         Adds isSecureContext to the list of common identifiers as needed to support
761         toggling its exposure from a runtime enabled feature flag.
762
763         * runtime/CommonIdentifiers.h:
764
765 2017-06-13  Don Olmstead  <don.olmstead@sony.com>
766
767         [JSC] Remove redundant includes in config.h
768         https://bugs.webkit.org/show_bug.cgi?id=173294
769
770         Reviewed by Alex Christensen.
771
772         * config.h:
773
774 2017-06-12  Saam Barati  <sbarati@apple.com>
775
776         We should not claim that SpecEmpty is filtered out of cell checks on 64 bit platforms
777         https://bugs.webkit.org/show_bug.cgi?id=172957
778         <rdar://problem/32602704>
779
780         Reviewed by Filip Pizlo.
781
782         Consider this program:
783         ```
784         block#1:
785         n: GetClosureVar(..., |this|) // this will load empty JSValue()
786         SetLocal(Cell:@n, locFoo) // Cell check succeeds because JSValue() looks like a cell
787         Branch(#2, #3)
788         
789         Block#3:
790         x: GetLocal(locFoo)
791         y: CheckNotEmpty(@x)
792         ```
793         
794         If we claim that a cell check filters out the empty value, we will
795         incorrectly eliminate the CheckNotEmpty node @y. This patch fixes AI,
796         FTLLowerDFGToB3, and DFGSpeculativeJIT to no longer make this claim.
797         
798         On 64 bit platforms:
799         - Cell use kind *now allows* the empty value to pass through.
800         - CellOrOther use kind *now allows* for the empty value to pass through
801         - NotCell use kind *no longer allows* the empty value to pass through.
802
803         * assembler/CPU.h:
804         (JSC::isARMv7IDIVSupported):
805         (JSC::isARM64):
806         (JSC::isX86):
807         (JSC::isX86_64):
808         (JSC::is64Bit):
809         (JSC::is32Bit):
810         (JSC::isMIPS):
811         Make these functions constexpr so we can use them in static variable assignment.
812
813         * bytecode/SpeculatedType.h:
814         * dfg/DFGSpeculativeJIT.cpp:
815         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
816         (JSC::DFG::SpeculativeJIT::compileDoubleRep):
817         (JSC::DFG::SpeculativeJIT::compileLogicalNotStringOrOther):
818         (JSC::DFG::SpeculativeJIT::emitStringOrOtherBranch):
819         (JSC::DFG::SpeculativeJIT::speculateCell):
820         (JSC::DFG::SpeculativeJIT::speculateCellOrOther):
821         (JSC::DFG::SpeculativeJIT::speculateObjectOrOther):
822         (JSC::DFG::SpeculativeJIT::speculateString):
823         (JSC::DFG::SpeculativeJIT::speculateStringOrOther):
824         (JSC::DFG::SpeculativeJIT::speculateSymbol):
825         (JSC::DFG::SpeculativeJIT::speculateNotCell):
826         * dfg/DFGSpeculativeJIT32_64.cpp:
827         * dfg/DFGSpeculativeJIT64.cpp:
828         (JSC::DFG::SpeculativeJIT::fillSpeculateCell):
829         (JSC::DFG::SpeculativeJIT::compileObjectToObjectOrOtherEquality):
830         (JSC::DFG::SpeculativeJIT::compilePeepHoleObjectToObjectOrOtherEquality):
831         (JSC::DFG::SpeculativeJIT::compileObjectOrOtherLogicalNot):
832         (JSC::DFG::SpeculativeJIT::emitObjectOrOtherBranch):
833         * dfg/DFGUseKind.h:
834         (JSC::DFG::typeFilterFor):
835         * ftl/FTLLowerDFGToB3.cpp:
836         (JSC::FTL::DFG::LowerDFGToB3::compileDoubleRep):
837         (JSC::FTL::DFG::LowerDFGToB3::numberOrNotCellToInt32):
838         (JSC::FTL::DFG::LowerDFGToB3::compareEqObjectOrOtherToObject):
839         (JSC::FTL::DFG::LowerDFGToB3::boolify):
840         (JSC::FTL::DFG::LowerDFGToB3::equalNullOrUndefined):
841         (JSC::FTL::DFG::LowerDFGToB3::lowCell):
842         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
843         (JSC::FTL::DFG::LowerDFGToB3::isCellOrMisc):
844         (JSC::FTL::DFG::LowerDFGToB3::isNotCellOrMisc):
845         (JSC::FTL::DFG::LowerDFGToB3::isNotCell):
846         (JSC::FTL::DFG::LowerDFGToB3::isCell):
847         (JSC::FTL::DFG::LowerDFGToB3::speculateCellOrOther):
848         (JSC::FTL::DFG::LowerDFGToB3::speculateObjectOrOther):
849         (JSC::FTL::DFG::LowerDFGToB3::speculateString):
850         (JSC::FTL::DFG::LowerDFGToB3::speculateStringOrOther):
851         (JSC::FTL::DFG::LowerDFGToB3::speculateSymbol):
852
853 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
854
855         Unreviewed, suppress invalid register allocation validation assertion in 32 bit
856         https://bugs.webkit.org/show_bug.cgi?id=172421
857
858         * dfg/DFGSpeculativeJIT.cpp:
859         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
860
861 2017-06-12  Oleksandr Skachkov  <gskachkov@gmail.com>
862
863         We incorrectly allow escaped characters in keyword tokens
864         https://bugs.webkit.org/show_bug.cgi?id=171310
865
866         Reviewed by Yusuke Suzuki.
867
868         According to the spec, it is not allowed to use escaped characters in
869         keywords. https://tc39.github.io/ecma262/#sec-reserved-words
870         The current patch implements this requirement.
871
873         * parser/Lexer.cpp:
874         (JSC::Lexer<CharacterType>::parseIdentifierSlowCase):
875         * parser/Parser.cpp:
876         (JSC::Parser<LexerType>::printUnexpectedTokenText):
877         * parser/ParserTokens.h:
878
879 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
880
881         Unreviewed, add branch64(Cond, BaseIndex, RegisterID) for ARM64
882         https://bugs.webkit.org/show_bug.cgi?id=172421
883
884         * assembler/MacroAssemblerARM64.h:
885         (JSC::MacroAssemblerARM64::branch64):
886         (JSC::MacroAssemblerARM64::branchPtr):
887
888 2017-06-12  Commit Queue  <commit-queue@webkit.org>
889
890         Unreviewed, rolling out r218093.
891         https://bugs.webkit.org/show_bug.cgi?id=173259
892
893         Break builds (Requested by yusukesuzuki on #webkit).
894
895         Reverted changeset:
896
897         "Unreviewed, build fix for ARM64"
898         https://bugs.webkit.org/show_bug.cgi?id=172421
899         http://trac.webkit.org/changeset/218093
900
901 2017-06-12  Yusuke Suzuki  <utatane.tea@gmail.com>
902
903         Unreviewed, build fix for ARM64
904         https://bugs.webkit.org/show_bug.cgi?id=172421
905
906         * dfg/DFGSpeculativeJIT.cpp:
907         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
908
909 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
910
911         [DFG] Add ArrayIndexOf intrinsic
912         https://bugs.webkit.org/show_bug.cgi?id=172421
913
914         Reviewed by Saam Barati.
915
916         This patch introduces ArrayIndexOfIntrinsic for DFG and FTL optimizations.
917         We emit an array check and take the fast path if the array is Array::Int32, Array::Double
918         or Array::Contiguous. In addition, for the Array::Int32 and Array::Double cases,
919         we have inlined fast paths.
920
921         With updated ARES-6 Babylon,
922
923         Before
924             firstIteration:     45.76 +- 3.87 ms
925             averageWorstCase:   24.41 +- 2.17 ms
926             steadyState:        8.01 +- 0.22 ms
927         After
928             firstIteration:     45.64 +- 4.23 ms
929             averageWorstCase:   23.03 +- 3.34 ms
930             steadyState:        7.33 +- 0.34 ms
931
932         In SixSpeed.
933                                          baseline                  patched
934
935             map-set-lookup.es5      734.4701+-10.4383    ^    102.0968+-2.6357        ^ definitely 7.1939x faster
936             map-set.es5              41.1396+-1.0558     ^     33.1916+-0.7986        ^ definitely 1.2395x faster
937             map-set-object.es5       62.8317+-1.2518     ^     45.6944+-0.8369        ^ definitely 1.3750x faster
938
939         * dfg/DFGAbstractInterpreterInlines.h:
940         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
941         * dfg/DFGByteCodeParser.cpp:
942         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
943         * dfg/DFGClobberize.h:
944         (JSC::DFG::clobberize):
945         * dfg/DFGDoesGC.cpp:
946         (JSC::DFG::doesGC):
947         * dfg/DFGFixupPhase.cpp:
948         (JSC::DFG::FixupPhase::fixupNode):
949         * dfg/DFGNode.h:
950         (JSC::DFG::Node::hasArrayMode):
951         * dfg/DFGNodeType.h:
952         * dfg/DFGOperations.cpp:
953         * dfg/DFGOperations.h:
954         * dfg/DFGPredictionPropagationPhase.cpp:
955         * dfg/DFGSafeToExecute.h:
956         (JSC::DFG::safeToExecute):
957         * dfg/DFGSpeculativeJIT.cpp:
958         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
959         (JSC::DFG::SpeculativeJIT::speculateObject):
960         * dfg/DFGSpeculativeJIT.h:
961         (JSC::DFG::SpeculativeJIT::callOperation):
962         * dfg/DFGSpeculativeJIT32_64.cpp:
963         (JSC::DFG::SpeculativeJIT::compile):
964         * dfg/DFGSpeculativeJIT64.cpp:
965         (JSC::DFG::SpeculativeJIT::compile):
966         (JSC::DFG::SpeculativeJIT::speculateInt32):
967         * ftl/FTLCapabilities.cpp:
968         (JSC::FTL::canCompile):
969         * ftl/FTLLowerDFGToB3.cpp:
970         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
971         (JSC::FTL::DFG::LowerDFGToB3::compileArrayIndexOf):
972         * jit/JITOperations.h:
973         * runtime/ArrayPrototype.cpp:
974         (JSC::ArrayPrototype::finishCreation):
975         * runtime/Intrinsic.cpp:
976         (JSC::intrinsicName):
977         * runtime/Intrinsic.h:
978
979 2017-06-11  Keith Miller  <keith_miller@apple.com>
980
981         TypedArray constructor with string shouldn't throw
982         https://bugs.webkit.org/show_bug.cgi?id=173181
983
984         Reviewed by JF Bastien.
985
986         We should be coercing primitive arguments to numbers in the various
987         TypedArray constructors.
988
989         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
990         (JSC::constructGenericTypedArrayViewWithArguments):
991
992 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
993
994         [WTF] Make ThreadMessage portable
995         https://bugs.webkit.org/show_bug.cgi?id=172073
996
997         Reviewed by Keith Miller.
998
999         * runtime/MachineContext.h:
1000         (JSC::MachineContext::stackPointer):
1001         * tools/CodeProfiling.cpp:
1002         (JSC::profilingTimer):
1003
1004 2017-06-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1005
1006         [JSC] Shrink Structure size
1007         https://bugs.webkit.org/show_bug.cgi?id=173239
1008
1009         Reviewed by Mark Lam.
1010
1011         We find that the size of our Structure is slightly enlarged due to padding.
1012         By changing the order of members, we can reduce the size from 120 to 112.
1013         This is good because 120 and 112 are categorized into different size classes.
1014         For 120, we allocate 128 bytes. And for 112, we allocate 112 bytes.
1015         We now save 16 bytes per Structure for free.
1016
1017         * runtime/ConcurrentJSLock.h:
1018         * runtime/Structure.cpp:
1019         (JSC::Structure::Structure):
1020         * runtime/Structure.h:
1021
1022 2017-06-11  Konstantin Tokarev  <annulen@yandex.ru>
1023
1024         Unreviewed, attempt to fix JSC tests on Win after r217771
1025
1026         * jsc.cpp:
1027         (currentWorkingDirectory): buffer is not NULL-terminated
1028
1029 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1030
1031         [WTF] Add RegisteredSymbolImpl
1032         https://bugs.webkit.org/show_bug.cgi?id=173230
1033
1034         Reviewed by Mark Lam.
1035
1036         * runtime/SymbolConstructor.cpp:
1037         (JSC::symbolConstructorKeyFor):
1038
1039 2017-06-10  Dan Bernstein  <mitz@apple.com>
1040
1041         Reverted r218056 because it made the IDE reindex constantly.
1042
1043         * Configurations/DebugRelease.xcconfig:
1044
1045 2017-06-10  Dan Bernstein  <mitz@apple.com>
1046
1047         [Xcode] With Xcode 9 developer beta, everything rebuilds when switching between command-line and IDE
1048         https://bugs.webkit.org/show_bug.cgi?id=173223
1049
1050         Reviewed by Sam Weinig.
1051
1052         The rebuilds were happening due to a difference in the compiler options that the IDE and
1053         xcodebuild were specifying. Only the IDE was passing the -index-store-path option. To make
1054         xcodebuild pass that option, too, set CLANG_INDEX_STORE_ENABLE to YES if it is unset, and
1055         specify an appropriate path in CLANG_INDEX_STORE_PATH.
1056
1057         * Configurations/DebugRelease.xcconfig:
1058
1059 2017-06-10  Yusuke Suzuki  <utatane.tea@gmail.com>
1060
1061         [JSC] Update RegExp.prototype.[@@search] implementation according to the latest spec
1062         https://bugs.webkit.org/show_bug.cgi?id=173227
1063
1064         Reviewed by Mark Lam.
1065
1066         The latest spec introduces a slight change to RegExp.prototype.[@@search].
1067         This patch applies this change. Basically, this change is done in the slow path of
1068         RegExp.prototype[@@search].
1069         https://tc39.github.io/ecma262/#sec-regexp.prototype-@@search
1070
1071         * builtins/RegExpPrototype.js:
1072         (search):
1073
1074 2017-06-09  Chris Dumez  <cdumez@apple.com>
1075
1076         Update Thread::create() to take in a WTF::Function instead of a std::function
1077         https://bugs.webkit.org/show_bug.cgi?id=173175
1078
1079         Reviewed by Mark Lam.
1080
1081         * API/tests/CompareAndSwapTest.cpp:
1082         (testCompareAndSwap):
1083
1084 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1085
1086         [DFG] Add verboseDFGOSRExit
1087         https://bugs.webkit.org/show_bug.cgi?id=173156
1088
1089         Reviewed by Saam Barati.
1090
1091         This patch adds verboseDFGOSRExit which is similar to verboseFTLOSRExit.
1092
1093         * dfg/DFGOSRExitCompiler.cpp:
1094         * runtime/Options.h:
1095
1096 2017-06-09  Guillaume Emont  <guijemont@igalia.com>
1097
1098         [JSC][MIPS] Add MacroAssemblerMIPS::xor32(Address, RegisterID) implementation
1099         https://bugs.webkit.org/show_bug.cgi?id=173170
1100
1101         Reviewed by Yusuke Suzuki.
1102
1103         MIPS does not build since r217711 because it is missing this
1104         implementation. This patch fixes the build.
1105
1106         * assembler/MacroAssemblerMIPS.h:
1107         (JSC::MacroAssemblerMIPS::xor32):
1108
1109 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1110
1111         [JSC] FTL does not require dlfcn
1112         https://bugs.webkit.org/show_bug.cgi?id=173143
1113
1114         Reviewed by Darin Adler.
1115
1116         We no longer use the LLVM library. Thus, dlfcn.h is not necessary.
1117         Also, ProcessID is not used in FTLLowerDFGToB3.cpp.
1118
1119         * ftl/FTLLowerDFGToB3.cpp:
1120
1121 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1122
1123         [DFG] Add --verboseDFGFailure
1124         https://bugs.webkit.org/show_bug.cgi?id=173155
1125
1126         Reviewed by Sam Weinig.
1127
1128         Similar to verboseFTLFailure, JSC should have a verboseDFGFailure flag to show DFG failures quickly.
1129
1130         * dfg/DFGCapabilities.cpp:
1131         (JSC::DFG::verboseCapabilities):
1132         (JSC::DFG::debugFail):
1133         * runtime/Options.cpp:
1134         (JSC::recomputeDependentOptions):
1135         * runtime/Options.h:
1136
1137 2017-06-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1138
1139         [JSC] Drop OS(DARWIN) for VM_TAG_FOR_WEBASSEMBLY_MEMORY
1140         https://bugs.webkit.org/show_bug.cgi?id=173147
1141
1142         Reviewed by JF Bastien.
1143
1144         Because this value becomes -1 in non-Darwin environments.
1145         Thus, we do not need to use OS(DARWIN) here.
1146
1147         * wasm/WasmMemory.cpp:
1148
1149 2017-06-09  Daewoong Jang  <daewoong.jang@navercorp.com>
1150
1151         Reduce compiler warnings
1152         https://bugs.webkit.org/show_bug.cgi?id=172078
1153
1154         Reviewed by Yusuke Suzuki.
1155
1156         * runtime/IntlDateTimeFormat.h:
1157
1158 2017-06-08  Joseph Pecoraro  <pecoraro@apple.com>
1159
1160         [Cocoa] JSWrapperMap leaks for all JSContexts
1161         https://bugs.webkit.org/show_bug.cgi?id=173110
1162         <rdar://problem/32602198>
1163
1164         Reviewed by Geoffrey Garen.
1165
1166         * API/JSContext.mm:
1167         (-[JSContext ensureWrapperMap]):
1168         Ensure this allocation gets released.
1169
1170 2017-06-08  Filip Pizlo  <fpizlo@apple.com>
1171
1172         REGRESSION: js/dom/prototype-chain-caching-with-impure-get-own-property-slot-traps-5.html has a flaky failure
1173         https://bugs.webkit.org/show_bug.cgi?id=161156
1174
1175         Reviewed by Saam Barati.
1176         
1177         Since LLInt does not register impure property watchpoints for self property accesses, it
1178         shouldn't try to cache accesses that require a watchpoint.
1179         
1180         This manifested as a flaky failure because the test would fire the watchpoint after we had
1181         usually already tiered up. Without concurrent JIT, we would have always tiered up before
1182         getting to the bad case. With concurrent JIT, we would sometimes not tier up by that time. This
1183         also adds a test that deterministically failed in LLInt without this change; it does so by just
1184         running a lot shorter.
1185
1186         * llint/LLIntSlowPaths.cpp:
1187         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1188
1189 2017-06-08  Keith Miller  <keith_miller@apple.com>
1190
1191         WebAssembly: We should only create wrappers for functions that can be exported
1192         https://bugs.webkit.org/show_bug.cgi?id=173088
1193
1194         Reviewed by Saam Barati.
1195
1196         This patch makes it so we only create wrappers for WebAssembly functions that
1197         can actually be exported. It appears to be a ~2.5% speedup on WasmBench compile times.
1198
1199         This patch also removes most of the old testWasmModuleFunctions api from the jsc CLI.
1200         Most of the tests were duplicates of ones in the spec-tests directory. The others I
1201         have converted to use the normal API.
1202
1203         * jsc.cpp:
1204         (GlobalObject::finishCreation):
1205         (valueWithTypeOfWasmValue): Deleted.
1206         (box): Deleted.
1207         (callWasmFunction): Deleted.
1208         (functionTestWasmModuleFunctions): Deleted.
1209         * wasm/WasmB3IRGenerator.cpp:
1210         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1211         (JSC::Wasm::createJSToWasmWrapper):
1212         (JSC::Wasm::parseAndCompile):
1213         * wasm/WasmB3IRGenerator.h:
1214         * wasm/WasmBBQPlan.cpp:
1215         (JSC::Wasm::BBQPlan::prepare):
1216         (JSC::Wasm::BBQPlan::compileFunctions):
1217         (JSC::Wasm::BBQPlan::complete):
1218         * wasm/WasmBBQPlan.h:
1219         * wasm/WasmBBQPlanInlines.h:
1220         (JSC::Wasm::BBQPlan::initializeCallees):
1221         * wasm/WasmCodeBlock.cpp:
1222         (JSC::Wasm::CodeBlock::CodeBlock):
1223         * wasm/WasmCodeBlock.h:
1224         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
1225         * wasm/WasmFormat.h:
1226         * wasm/WasmOMGPlan.cpp:
1227         (JSC::Wasm::OMGPlan::work):
1228
1229 2017-06-07  JF Bastien  <jfbastien@apple.com>
1230
1231         WebAssembly: test imports and exports with 16-bit characters
1232         https://bugs.webkit.org/show_bug.cgi?id=165977
1233         <rdar://problem/29760130>
1234
1235         Reviewed by Saam Barati.
1236
1237         Add the missing UTF-8 conversions. Improve import failure error
1238         messages, otherwise it's hard to figure out which import is wrong.
1239
1240         * wasm/js/JSWebAssemblyInstance.cpp:
1241         (JSC::JSWebAssemblyInstance::create):
1242         * wasm/js/WebAssemblyModuleRecord.cpp:
1243         (JSC::WebAssemblyModuleRecord::finishCreation):
1244         (JSC::WebAssemblyModuleRecord::link):
1245
1246 2017-06-07  Devin Rousso  <drousso@apple.com>
1247
1248         Web Inspector: Add ContextMenu item to log WebSocket object to console
1249         https://bugs.webkit.org/show_bug.cgi?id=172878
1250
1251         Reviewed by Joseph Pecoraro.
1252
1253         * inspector/protocol/Network.json:
1254         Add resolveWebSocket command.
1255
1256 2017-06-07  Jon Davis  <jond@apple.com>
1257
1258         Update feature status for features Supported In Preview
1259         https://bugs.webkit.org/show_bug.cgi?id=173071
1260
1261         Reviewed by Darin Adler.
1262
1263         Updated Media Capture and Streams, Performance Observer, Resource Timing Level 2,
1264         User Timing Level 2, Web Cryptography API, WebGL 2, WebRTC.
1265
1266         * features.json:
1267
1268 2017-06-07  Saam Barati  <sbarati@apple.com>
1269
1270         Assertion failure in com.apple.WebKit.WebContent.Development in com.apple.JavaScriptCore: JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined + 141
1271         https://bugs.webkit.org/show_bug.cgi?id=172673
1272         <rdar://problem/32250144>
1273
1274         Reviewed by Mark Lam.
1275
1276         This patch simply removes this assertion. It's faulty because it
1277         races with the main thread when doing concurrent compilation.
1278         
1279         Consider a program with:
1280         - a FrozenValue over an object O and Structure S1. S1 starts off as dfgWatchable() being true.
1281         - Structure S2
1282         
1283         The DFG IR is like so:
1284           a: JSConstant(O) // FrozenValue {O, S1}
1285           b: CheckStructure(@a, S2)
1286           c: ToThis(@a)
1287           d: CheckEq(@c, nullConstant)
1288           Branch(@d)
1289         
1290         The AbstractValue for @a will start off as having a finite structure because S1 is dfgWatchable().
1291         When running AI, we'll notice that node @b will OSR exit, so nodes after
1292         @b are unreachable. Later in the compilation, S1 is no longer dfgWatchable().
1293         Now, when running AI, @a will have Top for its structure set. No longer will
1294         we think @b exits.
1295         
1296         The DFG backend asserts that under such a situation, we should have simplified
1297         the CheckEq to false. However, this is a racy thing to assert, since the
1298         transition from dfgWatchable() to !dfgWatchable() can happen right before we
1299         enter the backend. Hence, this assertion is not valid.
1300         
1301         (Note, the generated code for the above program will never actually execute.
1302         Since we noticed S1 as dfgWatchable(), we make the compilation dependent on
1303         S1 not transitioning. S1 transitions, so we won't actually run the code that
1304         gets compiled.)
1305
1306         * dfg/DFGSpeculativeJIT64.cpp:
1307         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranchNullOrUndefined):
1308
1309 2017-06-07  Yusuke Suzuki  <utatane.tea@gmail.com>
1310
1311         [JSC] has_generic_property never accepts non-String
1312         https://bugs.webkit.org/show_bug.cgi?id=173057
1313
1314         Reviewed by Darin Adler.
1315
1316         We never pass non-String value to has_generic_property bytecode.
1317
1318         * runtime/CommonSlowPaths.cpp:
1319         (JSC::SLOW_PATH_DECL):
1320
1321 2017-06-06  Fujii Hironori  <Hironori.Fujii@sony.com>
1322
1323         [Win][x86-64] Some callee saved registers aren't preserved
1324         https://bugs.webkit.org/show_bug.cgi?id=171266
1325
1326         Reviewed by Saam Barati.
1327
1328         * jit/RegisterSet.cpp:
1329         (JSC::RegisterSet::calleeSaveRegisters): Added edi and esi for X86_64 Windows.
1330
1331 2017-06-06  Mark Lam  <mark.lam@apple.com>
1332
1333         Contiguous storage butterfly length should not exceed MAX_STORAGE_VECTOR_LENGTH.
1334         https://bugs.webkit.org/show_bug.cgi?id=173035
1335         <rdar://problem/32554593>
1336
1337         Reviewed by Geoffrey Garen and Filip Pizlo.
1338
1339         Also added and fixed up some assertions.
1340
1341         * runtime/ArrayConventions.h:
1342         * runtime/JSArray.cpp:
1343         (JSC::JSArray::setLength):
1344         * runtime/JSObject.cpp:
1345         (JSC::JSObject::createInitialIndexedStorage):
1346         (JSC::JSObject::ensureLengthSlow):
1347         (JSC::JSObject::reallocateAndShrinkButterfly):
1348         * runtime/JSObject.h:
1349         (JSC::JSObject::ensureLength):
1350         * runtime/RegExpObject.cpp:
1351         (JSC::collectMatches):
1352         * runtime/RegExpPrototype.cpp:
1353         (JSC::regExpProtoFuncSplitFast):
1354
1355 2017-06-06  Saam Barati  <sbarati@apple.com>
1356
1357         Make sure we restore SP when doing calls that could be to JS
1358         https://bugs.webkit.org/show_bug.cgi?id=172946
1359         <rdar://problem/32579026>
1360
1361         Reviewed by JF Bastien.
1362
1363         I was worried that there was a bug where we'd call JS, JS would tail call,
1364         and we'd end up with a bogus SP. However, this bug does not exist since wasm
1365         always calls to JS through a stub, and the stub treats SP as a callee save.
1366         
1367         I wrote a test for this, and also made a note that this is the needed ABI.
1368
1369         * wasm/WasmBinding.cpp:
1370         (JSC::Wasm::wasmToJs):
1371
1372 2017-06-06  Keith Miller  <keith_miller@apple.com>
1373
1374         OMG tier up checks should be a patchpoint
1375         https://bugs.webkit.org/show_bug.cgi?id=172944
1376
1377         Reviewed by Saam Barati.
1378
1379         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes.
1380         In order to reduce the code generated out of line in each function, we generate a single stub
1381         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
1382
1383         * wasm/WasmB3IRGenerator.cpp:
1384         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1385         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1386         (JSC::Wasm::B3IRGenerator::addLoop):
1387         * wasm/WasmThunks.cpp:
1388         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1389         * wasm/WasmThunks.h:
1390
1391 2017-06-06  Darin Adler  <darin@apple.com>
1392
1393         Cut down use of WTF_ARRAY_LENGTH
1394         https://bugs.webkit.org/show_bug.cgi?id=172997
1395
1396         Reviewed by Chris Dumez.
1397
1398         * parser/Lexer.cpp:
1399         (JSC::singleEscape): Use WTF_ARRAY_LENGTH instead of ARRAY_SIZE.
1400
1401         * runtime/NumberPrototype.cpp:
1402         (JSC::toStringWithRadix): Use std::end instead of WTF_ARRAY_LENGTH.
1403
1404 2017-06-06  Konstantin Tokarev  <annulen@yandex.ru>
1405
1406         Add missing <functional> includes
1407         https://bugs.webkit.org/show_bug.cgi?id=173017
1408
1409         Patch by Thiago Macieira <thiago.macieira@intel.com>
1410         Reviewed by Yusuke Suzuki.
1411
1412         This patch fixes compilation with GCC 7.
1413
1414         * inspector/InspectorBackendDispatcher.h:
1415
1416 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
1417
1418         Unreviewed, fix 32-bit build.
1419
1420         * jit/JITOpcodes.cpp:
1421         (JSC::JIT::emit_op_unreachable):
1422
1423 2017-06-06  Joseph Pecoraro  <pecoraro@apple.com>
1424
1425         Unreviewed rollout r217807. Caused a test to crash.
1426
1427         * heap/HeapSnapshotBuilder.cpp:
1428         (JSC::HeapSnapshotBuilder::buildSnapshot):
1429         (JSC::HeapSnapshotBuilder::json):
1430         (): Deleted.
1431         * heap/HeapSnapshotBuilder.h:
1432         * runtime/JSObject.cpp:
1433         (JSC::JSObject::calculatedClassName):
1434
1435 2017-06-06  Filip Pizlo  <fpizlo@apple.com>
1436
1437         index out of bound in bytecodebasicblock
1438         https://bugs.webkit.org/show_bug.cgi?id=172963
1439
1440         Reviewed by Saam Barati and Mark Lam.
1441         
1442         We were leaving an unterminated basic block when generating CodeForCall for a class
1443         constructor. This was mostly benign since that unterminated block was not reachable, but it
1444         does cause an ASSERT.
1445         
1446         This fixes the issue by appending op_unreachable to that block. I added op_unreachable because
1447         this really is the cleanest and most idiomatic way to solve this problem, so even though it
1448         makes the change bigger it's probably worth it.
1449
1450         * bytecode/BytecodeDumper.cpp:
1451         (JSC::BytecodeDumper<Block>::dumpBytecode):
1452         * bytecode/BytecodeList.json:
1453         * bytecode/BytecodeUseDef.h:
1454         (JSC::computeUsesForBytecodeOffset):
1455         (JSC::computeDefsForBytecodeOffset):
1456         * bytecode/Opcode.h:
1457         (JSC::isTerminal):
1458         * bytecompiler/BytecodeGenerator.cpp:
1459         (JSC::BytecodeGenerator::generate):
1460         (JSC::BytecodeGenerator::emitUnreachable):
1461         * bytecompiler/BytecodeGenerator.h:
1462         * dfg/DFGByteCodeParser.cpp:
1463         (JSC::DFG::ByteCodeParser::parseBlock):
1464         * dfg/DFGCapabilities.cpp:
1465         (JSC::DFG::capabilityLevel):
1466         * ftl/FTLLowerDFGToB3.cpp:
1467         (JSC::FTL::DFG::LowerDFGToB3::compileUnreachable):
1468         * jit/JIT.cpp:
1469         (JSC::JIT::privateCompileMainPass):
1470         * jit/JIT.h:
1471         * jit/JITOpcodes.cpp:
1472         (JSC::JIT::emit_op_unreachable):
1473         * llint/LowLevelInterpreter.asm:
1474         * runtime/CommonSlowPaths.cpp:
1475         (JSC::SLOW_PATH_DECL):
1476         * runtime/CommonSlowPaths.h:
1477
1478 2017-06-06  Ryan Haddad  <ryanhaddad@apple.com>
1479
1480         Unreviewed, rolling out r217812.
1481
1482         This change caused test failures on arm64.
1483
1484         Reverted changeset:
1485
1486         "OMG tier up checks should be a patchpoint"
1487         https://bugs.webkit.org/show_bug.cgi?id=172944
1488         http://trac.webkit.org/changeset/217812
1489
1490 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
1491
1492         [WPE] Enable remote inspector
1493         https://bugs.webkit.org/show_bug.cgi?id=172971
1494
1495         Reviewed by Žan Doberšek.
1496
1497         We can just build the current glib remote inspector, without adding a frontend implementation and using a
1498         WebKitGTK+ browser as frontend for now.
1499
1500         * PlatformWPE.cmake: Add remote inspector files to compilation.
1501         * inspector/remote/glib/RemoteInspectorUtils.cpp:
1502         (Inspector::backendCommands): Load the inspector resources library.
1503
1504 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
1505
1506         [GLIB] Make remote inspector DBus protocol common to all glib based ports
1507         https://bugs.webkit.org/show_bug.cgi?id=172970
1508
1509         Reviewed by Žan Doberšek.
1510
1511         We are currently using "webkitgtk" in the names of DBus interfaces and object paths inside an ifdef with the
1512         idea that other ports could use their own names. However, the protocol is the same, so we could use the same
1513         names and make all glib based ports compatible with each other. This way we could use the GTK+ MiniBrowser to
1514         debug WPE, without having to implement the frontend part in WPE yet.
1515
1516         * inspector/remote/glib/RemoteInspectorGlib.cpp: Use webkit instead of webkitgtk and remove platform ifdefs.
1517         * inspector/remote/glib/RemoteInspectorServer.cpp: Ditto.
1518
1519 2017-06-06  Carlos Garcia Campos  <cgarcia@igalia.com>
1520
1521         [GTK] Web Process deadlock when closing the remote inspector frontend
1522         https://bugs.webkit.org/show_bug.cgi?id=172973
1523
1524         Reviewed by Žan Doberšek.
1525
1526         We are taking the remote inspector mutex twice. First, the close message is received, and receivedCloseMessage()
1527         takes the mutex. Then RemoteConnectionToTarget::close() is called, which, when connected, calls
1528         PageDebuggable::disconnect(), which ends up calling RemoteInspector::updateTarget(), which also takes the remote
1529         inspector mutex. We should release the mutex before calling RemoteConnectionToTarget::close().
1530
1531         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1532         (Inspector::RemoteInspector::receivedCloseMessage):
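
        Added illustration of the re-entrant locking pattern this entry describes, written for this page and not
        taken from WebKit's RemoteInspector code. CheckedMutex, Inspector and Connection are stand-ins for the real
        classes; the checked mutex throws instead of hanging, which turns the deadlock into a testable failure.
        Only same-thread re-acquisition is detected; lock-order inversions between two threads are out of scope.

```cpp
#include <atomic>
#include <cstdint>
#include <map>
#include <memory>
#include <mutex>
#include <stdexcept>
#include <thread>

// Debug mutex: the thread that already holds it gets an exception on a second
// lock() instead of blocking forever on a plain std::mutex.
class CheckedMutex {
public:
    void lock() {
        if (m_owner.load() == std::this_thread::get_id())
            throw std::logic_error("re-entrant lock by owning thread: would deadlock");
        m_mutex.lock();
        m_owner.store(std::this_thread::get_id());
    }
    void unlock() {
        m_owner.store(std::thread::id());
        m_mutex.unlock();
    }
private:
    std::mutex m_mutex;
    std::atomic<std::thread::id> m_owner { std::thread::id() };
};

class Inspector;

// Stand-in for RemoteConnectionToTarget: close() calls back into the inspector
// while the connection is still connected.
class Connection {
public:
    explicit Connection(Inspector& inspector) : m_inspector(&inspector) { }
    void close();
    bool connected() const { return m_connected; }
    void markDisconnected() { m_connected = false; }
private:
    Inspector* m_inspector;
    bool m_connected { true };
};

class Inspector {
public:
    uint64_t addConnection(std::shared_ptr<Connection> connection) {
        std::lock_guard<CheckedMutex> guard(m_mutex);
        uint64_t id = m_nextId++;
        m_connections[id] = std::move(connection);
        return id;
    }
    // Stand-in for updateTarget(): it takes the same inspector mutex.
    void updateTarget(Connection& connection) {
        std::lock_guard<CheckedMutex> guard(m_mutex);
        connection.markDisconnected();
    }
    // Buggy shape: close() runs while the mutex is still held.
    bool receivedCloseMessageBuggy(uint64_t id) {
        try {
            std::lock_guard<CheckedMutex> guard(m_mutex);
            auto it = m_connections.find(id);
            if (it == m_connections.end())
                return false;
            std::shared_ptr<Connection> connection = std::move(it->second);
            m_connections.erase(it);
            connection->close(); // re-enters updateTarget() -> second lock()
            return true;
        } catch (const std::logic_error&) {
            return false; // a plain std::mutex would have hung here
        }
    }
    // Fixed shape: take the connection out under the lock, release, then close.
    bool receivedCloseMessageFixed(uint64_t id) {
        std::shared_ptr<Connection> connection;
        {
            std::lock_guard<CheckedMutex> guard(m_mutex);
            auto it = m_connections.find(id);
            if (it == m_connections.end())
                return false;
            connection = std::move(it->second);
            m_connections.erase(it);
        }
        connection->close(); // mutex released; updateTarget() can take it
        return true;
    }
private:
    CheckedMutex m_mutex;
    uint64_t m_nextId { 1 };
    std::map<uint64_t, std::shared_ptr<Connection>> m_connections;
};

void Connection::close() {
    if (m_connected)
        m_inspector->updateTarget(*this);
}

struct CloseDemoResult {
    bool buggyCompleted;    // false: the re-entrant lock was caught
    bool buggyDisconnected; // false: close() never reached updateTarget()
    bool fixedCompleted;
    bool fixedDisconnected;
};

// Two constructed connections, one closed via each code path.
CloseDemoResult runCloseMessageDemo() {
    Inspector inspector;
    auto first = std::make_shared<Connection>(inspector);
    auto second = std::make_shared<Connection>(inspector);
    uint64_t firstId = inspector.addConnection(first);
    uint64_t secondId = inspector.addConnection(second);
    CloseDemoResult result;
    result.buggyCompleted = inspector.receivedCloseMessageBuggy(firstId);
    result.buggyDisconnected = !first->connected();
    result.fixedCompleted = inspector.receivedCloseMessageFixed(secondId);
    result.fixedDisconnected = !second->connected();
    return result;
}
```

        The fixed path moves the shared_ptr out of the map so the connection stays alive after the lock is
        dropped; that ordering (bookkeeping under the lock, callbacks outside it) is the general rule for any
        non-recursive lock whose holder calls into code it does not own.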
1533
1534 2017-06-05  Saam Barati  <sbarati@apple.com>
1535
1536         Try to fix features.json by adding an ESNext section.
1537
1538         Unreviewed.
1539
1540         * features.json:
1541
1542 2017-06-05  David Kilzer  <ddkilzer@apple.com>
1543
1544         Follow-up: Update JSC's features.json
1545         https://bugs.webkit.org/show_bug.cgi?id=172942
1546
1547         Rubber-stamped by Jon Davis.
1548
1549         * features.json: Change "Supported in preview" to
1550         "Supported" to try to fix <https://webkit.org/status/>.
1551
1552 2017-06-05  Saam Barati  <sbarati@apple.com>
1553
1554         We don't properly parse init_expr when the opcode is an unexpected opcode
1555         https://bugs.webkit.org/show_bug.cgi?id=172945
1556
1557         Reviewed by JF Bastien.
1558
1559         The bug is a simple typo. It should use the constant
1560         `true` instead of `false` when invoking the WASM_PARSER_FAIL_IF
1561         macro. This failure is already caught by spec tests that fail
1562         on arm64 devices.
1563
1564         * wasm/WasmModuleParser.cpp:
1565
1566 2017-06-05  Keith Miller  <keith_miller@apple.com>
1567
1568         OMG tier up checks should be a patchpoint
1569         https://bugs.webkit.org/show_bug.cgi?id=172944
1570
1571         Reviewed by Saam Barati.
1572
1573         Tier up checks in BBQ should be done as a patchpoint rather than individual B3 opcodes,
1574         in order to reduce code generated out of line in each function. We generate a single stub
1575         that pushes all the callee-saves. This looks like a 5-10% compile time speedup.
1576
1577         * wasm/WasmB3IRGenerator.cpp:
1578         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1579         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
1580         (JSC::Wasm::B3IRGenerator::addLoop):
1581         * wasm/WasmThunks.cpp:
1582         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1583         * wasm/WasmThunks.h:
1584
1585 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
1586
1587         Remove unused VM members
1588         https://bugs.webkit.org/show_bug.cgi?id=172941
1589
1590         Reviewed by Mark Lam.
1591
1592         * runtime/HashMapImpl.h:
1593         (JSC::HashMapImpl::selectStructure): Deleted.
1594         * runtime/VM.cpp:
1595         (JSC::VM::VM):
1596         * runtime/VM.h:
1597
1598 2017-06-05  Joseph Pecoraro  <pecoraro@apple.com>
1599
1600         Web Inspector: Improve ES6 Class instances in Heap Snapshot instances view
1601         https://bugs.webkit.org/show_bug.cgi?id=172848
1602         <rdar://problem/25709212>
1603
1604         Reviewed by Saam Barati.
1605
1606         * heap/HeapSnapshotBuilder.h:
1607         * heap/HeapSnapshotBuilder.cpp:
1608         Update the snapshot version. Change the node's 0 | 1 internal value
1609         to be a 32bit bit flag. This is nice in that it is both compatible
1610         with the previous snapshot version and the same size. We can use more
1611         flags in the future.
1612
1613         (JSC::HeapSnapshotBuilder::json):
1614         In cases where the classInfo gives us "Object" check for a better
1615         class name by checking (o).__proto__.constructor.name. We avoid this
1616         check in cases where (o).hasOwnProperty("constructor") which is the
1617         case for most Foo.prototype objects. Otherwise this would get the
1618         name of the Foo superclass for the Foo.prototype object.
1619
1620         * runtime/JSObject.cpp:
1621         (JSC::JSObject::calculatedClassName):
1622         Handle some possible edge cases that were not handled before. Such
1623         as a JSObject without a GlobalObject, and an object which doesn't
1624         have a default getPrototype. Try to make the code a little clearer.
1625
1626 2017-06-05  Saam Barati  <sbarati@apple.com>
1627
1628         Update JSC's features.json
1629         https://bugs.webkit.org/show_bug.cgi?id=172942
1630
1631         Rubber stamped by Mark Lam.
1632
1633         * features.json:
1634
1635 2017-06-04  Konstantin Tokarev  <annulen@yandex.ru>
1636
1637         Fix build of Windows-specific code with ICU 59.1
1638         https://bugs.webkit.org/show_bug.cgi?id=172729
1639
1640         Reviewed by Darin Adler.
1641
1642         Fix conversions from WTF::String to wchar_t* and vice versa.
1643
1644         * jsc.cpp:
1645         (currentWorkingDirectory):
1646         (fetchModuleFromLocalFileSystem):
1647         * runtime/DateConversion.cpp:
1648         (JSC::formatDateTime):
1649
1650 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1651
1652         [JSC] Drop unnecessary USE(CF) guard for getenv
1653         https://bugs.webkit.org/show_bug.cgi?id=172903
1654
1655         Reviewed by Sam Weinig.
1656
1657         getenv is not related to USE(CF) and OS(UNIX). It seems that this
1658         ifdef only hits in WinCairo, but WinCairo can use getenv.
1659         Moreover, in VM::VM, we already use getenv without any ifdef guard.
1660
1661         This patch just drops it.
1662
1663         * runtime/VM.cpp:
1664         (JSC::enableAssembler):
1665
1666 2017-06-04  Yusuke Suzuki  <utatane.tea@gmail.com>
1667
1668         [JSC] Drop OS(DARWIN) for uintptr_t type conflict
1669         https://bugs.webkit.org/show_bug.cgi?id=172904
1670
1671         Reviewed by Sam Weinig.
1672
1673         In a non-Darwin environment, uintptr_t may be the same type
1674         as uint64_t. We avoided the compile error by using OS(DARWIN).
1675         But, since it depends on the cstdint implementation rather than the OS, it is flaky.
1676         Instead, we just use a template parameter IntegralType,
1677         and we describe the type constraint in a SFINAE manner.
1678
1679         * dfg/DFGOpInfo.h:
1680         (JSC::DFG::OpInfo::OpInfo):
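
        Added example of the constraint described above, written for this page; OpInfoLike is a stand-in, not
        JSC's DFG::OpInfo, and keeps only the integral and pointer constructors the entry is about. The point it
        shows: separate uint64_t and uintptr_t overloads are a redefinition wherever <cstdint> makes them the same
        type, while one integral-constrained template accepts all of them and still rejects floating point.

```cpp
#include <cstdint>
#include <type_traits>

class OpInfoLike {
public:
    OpInfoLike() : m_value(0) { }

    // One constructor for every integral type. On a platform where uintptr_t and
    // uint64_t are the same type there are no duplicate overloads to collide.
    template <typename IntegralType,
        typename = typename std::enable_if<std::is_integral<IntegralType>::value>::type>
    explicit OpInfoLike(IntegralType value)
        : m_value(static_cast<uintptr_t>(value)) { }

    // Pointers are not integral, so they take this overload instead.
    template <typename T>
    explicit OpInfoLike(T* pointer)
        : m_value(reinterpret_cast<uintptr_t>(pointer)) { }

    uintptr_t value() const { return m_value; }

private:
    uintptr_t m_value;
};

// Compile-time checks: fixed-width integers and uintptr_t are accepted,
// floating point is not (it would otherwise truncate silently).
static_assert(std::is_constructible<OpInfoLike, uint32_t>::value, "uint32_t accepted");
static_assert(std::is_constructible<OpInfoLike, uint64_t>::value, "uint64_t accepted");
static_assert(std::is_constructible<OpInfoLike, uintptr_t>::value, "uintptr_t accepted");
static_assert(!std::is_constructible<OpInfoLike, double>::value, "double rejected");

uintptr_t roundTrip(uint64_t value) { return OpInfoLike(value).value(); }

uintptr_t fromPointer(const void* pointer) { return OpInfoLike(pointer).value(); }

// A local object's address survives the pointer constructor unchanged.
bool pointerRoundTrips() {
    int local = 0;
    return fromPointer(&local) == reinterpret_cast<uintptr_t>(&local);
}
```

        The static_asserts are the part worth keeping in real code: they fail at compile time on the platform
        where the overload set changes shape, instead of leaving the problem to whichever bot builds with a
        different libc.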
1681
1682 2017-06-03  Csaba Osztrogonác  <ossy@webkit.org>
1683
1684         [ARM] Unreviewed buildfix after r217711.
1685
1686         * assembler/MacroAssemblerARM.h:
1687         (JSC::MacroAssemblerARM::xor32):
1688
1689 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1690
1691         ASSERTION FAILED: "We should only declare a function as a lexically scoped variable in scopes where var declarations aren't allowed. ..." for function redeclaration with async function module export
1692         https://bugs.webkit.org/show_bug.cgi?id=168844
1693
1694         Reviewed by Saam Barati.
1695
1696         As with the exported function declaration, we should set statementDepth = 1 for an exported async function declaration.
1697
1698         * parser/Parser.cpp:
1699         (JSC::DepthManager::DepthManager):
1700         (JSC::Parser<LexerType>::parseExportDeclaration):
1701         * parser/Parser.h:
1702         (JSC::Parser::DepthManager::DepthManager): Deleted.
1703         (JSC::Parser::DepthManager::~DepthManager): Deleted.
1704
1705 2017-06-02  Keith Miller  <keith_miller@apple.com>
1706
1707         Defer installing mach breakpoint handler until watchdog is actually called
1708         https://bugs.webkit.org/show_bug.cgi?id=172885
1709
1710         Reviewed by Saam Barati.
1711
1712         Eagerly installing the mach breakpoint handler causes issues with Xcode GUI debugging.
1713         This hides the issue, so it won't occur as often.
1714
1715         * runtime/VMTraps.cpp:
1716         (JSC::VMTraps::SignalSender::send):
1717         (JSC::VMTraps::VMTraps): Deleted.
1718         * runtime/VMTraps.h:
1719
1720 2017-06-02  Filip Pizlo  <fpizlo@apple.com>
1721
1722         Atomics.load and Atomics.store need to be fully fenced
1723         https://bugs.webkit.org/show_bug.cgi?id=172844
1724
1725         Reviewed by Keith Miller.
1726         
1727         Implement fully fenced loads and stores in FTL using AtomicXchgAdd(0, ptr) for the load and
1728         AtomicXchg(value, ptr) for the store.
1729         
1730         DFG needed no changes because it implements all atomics using a CAS loop.
1731         
1732         AtomicsObject.cpp now uses the new Atomic<> API for fully fenced loads and stores.
1733         
1734         Prior to this change, we used half fences (acquire/release) for atomic loads and stores. This
1735         is not correct according to my current understanding of the SAB memory model, which requires
1736         that atomic operations are SC with respect to everything not just other atomics.
1737
1738         * ftl/FTLLowerDFGToB3.cpp:
1739         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1740         * ftl/FTLOutput.cpp:
1741         (JSC::FTL::Output::atomicWeakCAS):
1742         * ftl/FTLOutput.h:
1743         * runtime/AtomicsObject.cpp:
1744
1745 2017-06-02  Ryan Haddad  <ryanhaddad@apple.com>
1746
1747         Unreviewed, attempt to fix the iOS build after r217711.
1748
1749         * assembler/MacroAssemblerARM64.h:
1750         (JSC::MacroAssemblerARM64::xor32):
1751         (JSC::MacroAssemblerARM64::xor64):
1752
1753 2017-06-01  Filip Pizlo  <fpizlo@apple.com>
1754
1755         GC should use scrambled free-lists
1756         https://bugs.webkit.org/show_bug.cgi?id=172793
1757
1758         Reviewed by Mark Lam.
1759         
1760         Previously, our bump'n'pop allocator would use a conventional linked-list for the free-list.
1761         The linked-list would be threaded through free memory, as is the usual convention.
1762         
1763         This scrambles the next pointers of that free-list. It also scrambles the head pointer, because
1764         this leads to a more natural fast-path structure and saves one register on ARM64.
1765         
1766         The secret with which pointers are scrambled is per-allocator. Allocators choose a new secret
1767         every time they do a sweep-to-pop.
1768         
1769         This doesn't change the behavior of the bump part of bump'n'pop, but it does refactor the code
1770         quite a bit. Previously, there were four copies of the allocator fast path: two in
1771         MarkedAllocatorInlines.h, one in MarkedAllocator.cpp, and one in AssemblyHelpers.h. The JIT one
1772         was obviously different-looking, but the other three were almost identical. This moves all of
1773         that logic into FreeList. There are now just two copies of the allocator: FreeListInlines.h and
1774         AssemblyHelpers.h.
1775         
1776         This appears to be just as fast as our previous allocator.
1777
1778         * JavaScriptCore.xcodeproj/project.pbxproj:
1779         * heap/FreeList.cpp:
1780         (JSC::FreeList::FreeList):
1781         (JSC::FreeList::~FreeList):
1782         (JSC::FreeList::clear):
1783         (JSC::FreeList::initializeList):
1784         (JSC::FreeList::initializeBump):
1785         (JSC::FreeList::contains):
1786         (JSC::FreeList::dump):
1787         * heap/FreeList.h:
1788         (JSC::FreeList::allocationWillFail):
1789         (JSC::FreeList::originalSize):
1790         (JSC::FreeList::addressOfList):
1791         (JSC::FreeList::offsetOfBlock):
1792         (JSC::FreeList::offsetOfList):
1793         (JSC::FreeList::offsetOfIndex):
1794         (JSC::FreeList::offsetOfPayloadEnd):
1795         (JSC::FreeList::offsetOfRemaining):
1796         (JSC::FreeList::offsetOfOriginalSize):
1797         (JSC::FreeList::FreeList): Deleted.
1798         (JSC::FreeList::list): Deleted.
1799         (JSC::FreeList::bump): Deleted.
1800         (JSC::FreeList::operator==): Deleted.
1801         (JSC::FreeList::operator!=): Deleted.
1802         (JSC::FreeList::operator bool): Deleted.
1803         * heap/FreeListInlines.h: Added.
1804         (JSC::FreeList::addFreeCell):
1805         (JSC::FreeList::allocate):
1806         (JSC::FreeList::forEach):
1807         (JSC::FreeList::toOffset):
1808         (JSC::FreeList::fromOffset):
1809         * heap/IncrementalSweeper.cpp:
1810         (JSC::IncrementalSweeper::sweepNextBlock):
1811         * heap/MarkedAllocator.cpp:
1812         (JSC::MarkedAllocator::MarkedAllocator):
1813         (JSC::MarkedAllocator::didConsumeFreeList):
1814         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1815         (JSC::MarkedAllocator::tryAllocateIn):
1816         (JSC::MarkedAllocator::allocateSlowCaseImpl):
1817         (JSC::MarkedAllocator::stopAllocating):
1818         (JSC::MarkedAllocator::prepareForAllocation):
1819         (JSC::MarkedAllocator::resumeAllocating):
1820         (JSC::MarkedAllocator::sweep):
1821         (JSC::MarkedAllocator::setFreeList): Deleted.
1822         * heap/MarkedAllocator.h:
1823         (JSC::MarkedAllocator::freeList):
1824         (JSC::MarkedAllocator::isFreeListedCell): Deleted.
1825         * heap/MarkedAllocatorInlines.h:
1826         (JSC::MarkedAllocator::isFreeListedCell):
1827         (JSC::MarkedAllocator::tryAllocate):
1828         (JSC::MarkedAllocator::allocate):
1829         * heap/MarkedBlock.cpp:
1830         (JSC::MarkedBlock::Handle::stopAllocating):
1831         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1832         (JSC::MarkedBlock::Handle::resumeAllocating):
1833         (JSC::MarkedBlock::Handle::zap):
1834         (JSC::MarkedBlock::Handle::sweep):
1835         (JSC::MarkedBlock::Handle::isFreeListedCell):
1836         (JSC::MarkedBlock::Handle::forEachFreeCell): Deleted.
1837         * heap/MarkedBlock.h:
1838         * heap/MarkedBlockInlines.h:
1839         (JSC::MarkedBlock::Handle::specializedSweep):
1840         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1841         (JSC::MarkedBlock::Handle::isFreeListedCell): Deleted.
1842         * heap/Subspace.cpp:
1843         (JSC::Subspace::finishSweep):
1844         * heap/Subspace.h:
1845         * jit/AssemblyHelpers.h:
1846         (JSC::AssemblyHelpers::emitAllocateWithNonNullAllocator):
1847         * runtime/JSDestructibleObjectSubspace.cpp:
1848         (JSC::JSDestructibleObjectSubspace::finishSweep):
1849         * runtime/JSDestructibleObjectSubspace.h:
1850         * runtime/JSSegmentedVariableObjectSubspace.cpp:
1851         (JSC::JSSegmentedVariableObjectSubspace::finishSweep):
1852         * runtime/JSSegmentedVariableObjectSubspace.h:
1853         * runtime/JSStringSubspace.cpp:
1854         (JSC::JSStringSubspace::finishSweep):
1855         * runtime/JSStringSubspace.h:
1856         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
1857         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep):
1858         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
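
        Added illustration of the scrambling scheme this entry describes, written for this page; it is not JSC's
        FreeList, leaves out the bump part of bump'n'pop and the offset-based link encoding, and runs on a 4-cell
        block constructed inline. Links and the head are XOR-scrambled with one per-list secret, so a push or pop
        copies links as-is and only the head is ever descrambled, which is the register saving the entry mentions.

```cpp
#include <cstddef>
#include <cstdint>
#include <random>
#include <vector>

// Each free cell stores the scrambled address of the next free cell.
struct FreeCell {
    uintptr_t scrambledNext; // (address of next free cell) ^ secret; end of list is 0 ^ secret
};

class ScrambledFreeList {
public:
    explicit ScrambledFreeList(uintptr_t secret)
        : m_secret(secret), m_scrambledHead(scramble(0)) { }

    // Push a free cell. The head is already scrambled, so it is stored verbatim.
    void addFreeCell(void* cell) {
        FreeCell* c = static_cast<FreeCell*>(cell);
        c->scrambledNext = m_scrambledHead;
        m_scrambledHead = scramble(reinterpret_cast<uintptr_t>(c));
    }

    // Pop: one XOR on the head, then copy the cell's link without descrambling.
    void* allocate() {
        uintptr_t head = descramble(m_scrambledHead);
        if (!head)
            return nullptr;
        FreeCell* c = reinterpret_cast<FreeCell*>(head);
        m_scrambledHead = c->scrambledNext;
        return c;
    }

    // Rebuild from scratch with a fresh secret, as a sweep that repopulates the list would.
    void rebuild(const std::vector<void*>& freeCells, uintptr_t newSecret) {
        m_secret = newSecret;
        m_scrambledHead = scramble(0);
        for (void* cell : freeCells)
            addFreeCell(cell);
    }

    // What an out-of-bounds read of a free cell's link field actually observes.
    static uintptr_t rawLink(const void* cell) {
        return static_cast<const FreeCell*>(cell)->scrambledNext;
    }

private:
    uintptr_t scramble(uintptr_t p) const { return p ^ m_secret; }
    uintptr_t descramble(uintptr_t p) const { return p ^ m_secret; }

    uintptr_t m_secret;
    uintptr_t m_scrambledHead;
};

// A non-zero secret per rebuild. One leaked link plus one known cell address
// recovers the current secret, so it must not outlive the list it protects.
uintptr_t chooseSecret() {
    std::random_device device;
    std::uniform_int_distribution<uintptr_t> dist(1, ~static_cast<uintptr_t>(0));
    return dist(device);
}

struct FreeListDemoResult {
    bool lifoOrder;   // cells pop in reverse order of addFreeCell
    bool linksHidden; // stored links differ from the real next addresses
    bool exhausted;   // allocate() returns nullptr once the list is empty
};

// Demo on a constructed block of four 32-byte cells; cell 0 is treated as live.
FreeListDemoResult runScrambledFreeListDemo(uintptr_t secret) {
    alignas(16) static unsigned char block[4 * 32];
    void* cells[4] = { block, block + 32, block + 64, block + 96 };

    ScrambledFreeList list(secret);
    list.rebuild({ cells[1], cells[2], cells[3] }, secret);

    FreeListDemoResult result;
    // The list is now cells[3] -> cells[2] -> cells[1] -> end.
    result.linksHidden = ScrambledFreeList::rawLink(cells[3]) != reinterpret_cast<uintptr_t>(cells[2])
        && ScrambledFreeList::rawLink(cells[1]) != 0;
    result.lifoOrder = list.allocate() == cells[3]
        && list.allocate() == cells[2]
        && list.allocate() == cells[1];
    result.exhausted = list.allocate() == nullptr;
    return result;
}
```

        XOR scrambling is a heap-corruption mitigation, not a cryptographic boundary: a forged link must now
        match an unknown secret to land on an attacker-chosen address, but an info leak of one scrambled link
        together with the matching raw address gives the secret away, which is why it is rotated whenever the
        list is rebuilt rather than fixed for the allocator's lifetime.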
1859
1860 2017-06-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1861
1862         [JSC] Use @globalPrivate for concatSlowPath
1863         https://bugs.webkit.org/show_bug.cgi?id=172802
1864
1865         Reviewed by Darin Adler.
1866
1867         Use @globalPrivate instead of manually putting it to JSGlobalObject.
1868
1869         * builtins/ArrayPrototype.js:
1870         (concatSlowPath): Deleted.
1871         * runtime/JSGlobalObject.cpp:
1872         (JSC::JSGlobalObject::init):
1873
1874 2017-06-01  Andy Estes  <aestes@apple.com>
1875
1876         REGRESSION (r217626): ENABLE_APPLE_PAY_SESSION_V3 was disabled by mistake
1877         https://bugs.webkit.org/show_bug.cgi?id=172828
1878
1879         Reviewed by Beth Dakin.
1880
1881         * Configurations/FeatureDefines.xcconfig:
1882
1883 2017-06-01  Keith Miller  <keith_miller@apple.com>
1884
1885         Undo rollout in r217638 with bug fix
1886         https://bugs.webkit.org/show_bug.cgi?id=172824
1887
1888         Unreviewed, reland patch with unused set_state code removed.
1889
1890         * API/tests/ExecutionTimeLimitTest.cpp:
1891         (dispatchTermitateCallback):
1892         (testExecutionTimeLimit):
1893         * runtime/JSLock.cpp:
1894         (JSC::JSLock::didAcquireLock):
1895         * runtime/Options.cpp:
1896         (JSC::overrideDefaults):
1897         (JSC::Options::initialize):
1898         * runtime/Options.h:
1899         * runtime/VMTraps.cpp:
1900         (JSC::SignalContext::SignalContext):
1901         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
1902         (JSC::installSignalHandler):
1903         (JSC::VMTraps::SignalSender::send):
1904         * tools/SigillCrashAnalyzer.cpp:
1905         (JSC::SignalContext::SignalContext):
1906         (JSC::SignalContext::dump):
1907         (JSC::installCrashHandler):
1908         * wasm/WasmBBQPlan.cpp:
1909         (JSC::Wasm::BBQPlan::compileFunctions):
1910         * wasm/WasmFaultSignalHandler.cpp:
1911         (JSC::Wasm::trapHandler):
1912         (JSC::Wasm::enableFastMemory):
1913         * wasm/WasmMachineThreads.cpp:
1914         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1915
1916 2017-06-01  Guillaume Emont  <guijemont@igalia.com>
1917
1918         [JSC][MIPS] SamplingProfiler::timerLoop() sleeps for 4000+ seconds
1919         https://bugs.webkit.org/show_bug.cgi?id=172800
1920
1921         Reviewed by Saam Barati.
1922
1923         This fixes a static_cast<uint64_t> by making it a cast to int64_t
1924         instead, which looks like the original intent. This fixes the
1925         sampling-profiler tests in JSTests/stress.
1926
1927         * runtime/SamplingProfiler.cpp:
1928         (JSC::SamplingProfiler::timerLoop):
1929
1930 2017-06-01  Tomas Popela  <tpopela@redhat.com>, Mark Lam  <mark.lam@apple.com>
1931
1932         RELEASE_ASSERT_NOT_REACHED() in InferredType::kindForFlags() on Big-Endians
1933         https://bugs.webkit.org/show_bug.cgi?id=170945
1934
1935         Reviewed by Mark Lam.
1936
1937         Re-define PutByIdFlags as an int32_t enum explicitly because it is
1938         stored as an int32_t value in UnlinkedInstruction.  This prevents
1939         a bug on 64-bit big endian architectures where the word order is
1940         inverted (when we convert the UnlinkedInstruction into a CodeBlock
1941         Instruction), resulting in the PutByIdFlags value not being stored in
1942         the 32-bit word that the rest of the code expects it to be in.
1943
1944         * bytecode/PutByIdFlags.h:
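
        Added illustration, written for this page, of the word-placement mistake this entry describes; FlagsLike
        and WideSlot are stand-ins, not JSC's PutByIdFlags or its Instruction layout. A 32-bit value written into
        a pointer-sized slot as a wide quantity lands in the low-address word only on little-endian targets; code
        that reads "the 32-bit word at offset 0" sees zero on a 64-bit big-endian machine. Pinning the enum's
        width and asserting it is the cheap guard.

```cpp
#include <cstdint>
#include <cstring>

// Explicit underlying type: exactly 32 bits wide regardless of enumerator values
// or of what the compiler would otherwise choose.
enum FlagsLike : int32_t {
    FlagsNone = 0,
    FlagsDirect = 1 << 0,
    FlagsStrict = 1 << 1,
};
static_assert(sizeof(FlagsLike) == sizeof(int32_t), "flags must be one 32-bit word");

// A pointer-sized instruction slot kept as raw bytes, so every access below is a
// defined memcpy rather than union type punning.
struct WideSlot { unsigned char bytes[8]; };

bool isLittleEndian() {
    const uint32_t probe = 1;
    unsigned char first;
    std::memcpy(&first, &probe, 1);
    return first == 1;
}

// Writer that treats the slot as one 64-bit quantity (the conversion step).
WideSlot storeAsWide(int64_t value) {
    WideSlot slot;
    std::memcpy(slot.bytes, &value, sizeof(value));
    return slot;
}

// Writer that treats the slot as a 32-bit word at offset 0 plus zero padding.
WideSlot storeAsWord(int32_t value) {
    WideSlot slot {};
    std::memcpy(slot.bytes, &value, sizeof(value));
    return slot;
}

// Reader used by "the rest of the code": the 32-bit word at offset 0.
int32_t loadWordAtOffsetZero(const WideSlot& slot) {
    int32_t value;
    std::memcpy(&value, slot.bytes, sizeof(value));
    return value;
}

// Endian-aware reader: the low-order 32 bits of a wide value sit at offset 0 on
// little-endian and at offset 4 on big-endian.
int32_t loadLowWordOfWide(const WideSlot& slot) {
    int32_t value;
    std::memcpy(&value, slot.bytes + (isLittleEndian() ? 0 : 4), sizeof(value));
    return value;
}
```

        On the little-endian machines most bots run, the wide write and the word read agree by accident, which is
        why a bug like this only shows up on a big-endian port; the static_assert and the matching-width writer
        make the agreement deliberate instead.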
1945
1946 2017-05-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1947
1948         [JSC] Implement String.prototype.concat in JS builtins
1949         https://bugs.webkit.org/show_bug.cgi?id=172798
1950
1951         Reviewed by Sam Weinig.
1952
1953         Since we have a highly effective + operation for strings,
1954         implementing String.prototype.concat in JS simplifies the
1955         implementation and improves performance by using speculated
1956         types.
1957
1958         Added microbenchmarks show performance improvement.
1959
1960         string-concat-long-convert     1063.2787+-12.9101    ^    109.0855+-2.8083        ^ definitely 9.7472x faster
1961         string-concat-convert          1111.1366+-12.2363    ^     99.3402+-1.9874        ^ definitely 11.1852x faster
1962         string-concat                   131.7377+-3.8359     ^     54.3949+-0.9580        ^ definitely 2.4219x faster
1963         string-concat-long               79.4726+-1.9644     ^     64.6301+-1.4941        ^ definitely 1.2297x faster
1964
1965         * builtins/StringPrototype.js:
1966         (globalPrivate.stringConcatSlowPath):
1967         (concat):
1968         * runtime/StringPrototype.cpp:
1969         (JSC::StringPrototype::finishCreation):
1970         (JSC::stringProtoFuncConcat): Deleted.
1971
1972 2017-05-31  Mark Lam  <mark.lam@apple.com>
1973
1974         Remove overrides of visitChildren() that do not add any functionality.
1975         https://bugs.webkit.org/show_bug.cgi?id=172789
1976         <rdar://problem/32500865>
1977
1978         Reviewed by Andreas Kling.
1979
1980         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
1981         (JSC::UnlinkedModuleProgramCodeBlock::visitChildren): Deleted.
1982         * bytecode/UnlinkedModuleProgramCodeBlock.h:
1983         * bytecode/UnlinkedProgramCodeBlock.cpp:
1984         (JSC::UnlinkedProgramCodeBlock::visitChildren): Deleted.
1985         * bytecode/UnlinkedProgramCodeBlock.h:
1986         * wasm/js/WebAssemblyFunction.cpp:
1987         (JSC::WebAssemblyFunction::visitChildren): Deleted.
1988         * wasm/js/WebAssemblyFunction.h:
1989         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1990         (JSC::WebAssemblyInstanceConstructor::visitChildren): Deleted.
1991         * wasm/js/WebAssemblyInstanceConstructor.h:
1992         * wasm/js/WebAssemblyMemoryConstructor.cpp:
1993         (JSC::WebAssemblyMemoryConstructor::visitChildren): Deleted.
1994         * wasm/js/WebAssemblyMemoryConstructor.h:
1995         * wasm/js/WebAssemblyModuleConstructor.cpp:
1996         (JSC::WebAssemblyModuleConstructor::visitChildren): Deleted.
1997         * wasm/js/WebAssemblyModuleConstructor.h:
1998         * wasm/js/WebAssemblyTableConstructor.cpp:
1999         (JSC::WebAssemblyTableConstructor::visitChildren): Deleted.
2000         * wasm/js/WebAssemblyTableConstructor.h:
2001
2002 2017-05-31  Commit Queue  <commit-queue@webkit.org>
2003
2004         Unreviewed, rolling out r217611 and r217631.
2005         https://bugs.webkit.org/show_bug.cgi?id=172785
2006
2007         "caused wasm-hashset-many.html to become flaky." (Requested by
2008         keith_miller on #webkit).
2009
2010         Reverted changesets:
2011
2012         "Reland r216808, underlying lldb bug has been fixed."
2013         https://bugs.webkit.org/show_bug.cgi?id=172759
2014         http://trac.webkit.org/changeset/217611
2015
2016         "Use dispatch queues for mach exceptions"
2017         https://bugs.webkit.org/show_bug.cgi?id=172775
2018         http://trac.webkit.org/changeset/217631
2019
2020 2017-05-31  Oleksandr Skachkov  <gskachkov@gmail.com>
2021
2022         Rolling out: Prevent async methods named 'function'
2023         https://bugs.webkit.org/show_bug.cgi?id=172776
2024
2025         Reviewed by Mark Lam.
2026
2027         Rolling out https://bugs.webkit.org/show_bug.cgi?id=172660 r217578,
2028         https://bugs.webkit.org/show_bug.cgi?id=172598 r217478.
2029         The PR to the spec was closed, so the changes need to be rolled out. See
2030         https://github.com/tc39/ecma262/pull/884#issuecomment-305212494 
2031
2032         * parser/Parser.cpp:
2033         (JSC::Parser<LexerType>::parseClass):
2034         (JSC::Parser<LexerType>::parsePropertyMethod):
2035
2036 2017-05-31  Andy Estes  <aestes@apple.com>
2037
2038         Rename ENABLE_APPLE_PAY_DELEGATE to ENABLE_APPLE_PAY_SESSION_V3 and bump the supported version number
2039         https://bugs.webkit.org/show_bug.cgi?id=172366
2040
2041         Reviewed by Daniel Bates.
2042
2043         * Configurations/FeatureDefines.xcconfig:
2044
2045 2017-05-31  Keith Miller  <keith_miller@apple.com>
2046
2047         Reland r216808, underlying lldb bug has been fixed.
2048         https://bugs.webkit.org/show_bug.cgi?id=172759
2049
2050
2051         Unreviewed, relanding old patch. See: rdar://problem/31183352
2052
2053         * API/tests/ExecutionTimeLimitTest.cpp:
2054         (dispatchTermitateCallback):
2055         (testExecutionTimeLimit):
2056         * runtime/JSLock.cpp:
2057         (JSC::JSLock::didAcquireLock):
2058         * runtime/Options.cpp:
2059         (JSC::overrideDefaults):
2060         (JSC::Options::initialize):
2061         * runtime/Options.h:
2062         * runtime/VMTraps.cpp:
2063         (JSC::SignalContext::SignalContext):
2064         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
2065         (JSC::installSignalHandler):
2066         (JSC::VMTraps::SignalSender::send):
2067         * tools/SigillCrashAnalyzer.cpp:
2068         (JSC::SignalContext::SignalContext):
2069         (JSC::SignalContext::dump):
2070         (JSC::installCrashHandler):
2071         * wasm/WasmBBQPlan.cpp:
2072         (JSC::Wasm::BBQPlan::compileFunctions):
2073         * wasm/WasmFaultSignalHandler.cpp:
2074         (JSC::Wasm::trapHandler):
2075         (JSC::Wasm::enableFastMemory):
2076         * wasm/WasmMachineThreads.cpp:
2077         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2078
2079 2017-05-31  Keith Miller  <keith_miller@apple.com>
2080
2081         Fix leak in PromiseDeferredTimer
2082         https://bugs.webkit.org/show_bug.cgi?id=172755
2083
2084         Reviewed by JF Bastien.
2085
2086         We were not properly freeing the list of dependencies if we were already tracking the promise before.
2087         This is because addPendingPromise takes the list of dependencies as an rvalue-reference. In the case
2088         where we were already tracking the promise, we append the provided dependency list to the existing list.
2089         Since we never bound our rvalue-ref to a non-temporary value, we never destructed the Vector, leaking its
2090         contents.
2091
2092         * runtime/PromiseDeferredTimer.cpp:
2093         (JSC::PromiseDeferredTimer::addPendingPromise):
2094
2095 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
2096
2097         Prevent async methods named 'function' in Object literal
2098         https://bugs.webkit.org/show_bug.cgi?id=172660
2099
2100         Reviewed by Saam Barati.
2101
2102         Prevent async method named 'function' in object.
2103         https://github.com/tc39/ecma262/pull/884
2104
2105         * parser/Parser.cpp:
2106         (JSC::Parser<LexerType>::parsePropertyMethod):
2107
2108 2017-05-30  Oleksandr Skachkov  <gskachkov@gmail.com>
2109
2110         ASSERTION FAILED: generator.isConstructor() || generator.derivedContextType() == DerivedContextType::DerivedConstructorContext
2111         https://bugs.webkit.org/show_bug.cgi?id=171274
2112
2113         Reviewed by Saam Barati.
2114
2115         The current patch allows using an async arrow function within a constructor,
2116         and allows access to `this`. The current patch forces loading `this` from the
2117         virtual scope each time we access `this` in an async arrow function
2118         within a constructor; this is necessary because the async function can be
2119         suspended, `superCall` can be called, and the async function resumed.
2120    
2121         * bytecompiler/BytecodeGenerator.cpp:
2122         (JSC::BytecodeGenerator::emitPutGeneratorFields):
2123         (JSC::BytecodeGenerator::ensureThis):
2124         * bytecompiler/BytecodeGenerator.h:
2125         (JSC::BytecodeGenerator::makeFunction):
2126
2127 2017-05-30  Ali Juma  <ajuma@chromium.org>
2128
2129         [CredentialManagement] Incorporate IDL updates from latest spec
2130         https://bugs.webkit.org/show_bug.cgi?id=172011
2131
2132         Reviewed by Daniel Bates.
2133
2134         * runtime/CommonIdentifiers.h:
2135
2136 2017-05-30  Alex Christensen  <achristensen@webkit.org>
2137
2138         Update libwebrtc configuration
2139         https://bugs.webkit.org/show_bug.cgi?id=172727
2140
2141         Reviewed by Geoffrey Garen.
2142
2143         * Configurations/FeatureDefines.xcconfig:
2144
2145 2017-05-28  Dan Bernstein  <mitz@apple.com>
2146
2147         [Xcode] ALWAYS_SEARCH_USER_PATHS is set to YES
2148         https://bugs.webkit.org/show_bug.cgi?id=172691
2149
2150         Reviewed by Tim Horton.
2151
2152         * Configurations/Base.xcconfig: Set ALWAYS_SEARCH_USER_PATHS to NO.
2153         * JavaScriptCore.xcodeproj/project.pbxproj: Added ParseInt.h to the JavaScriptCore target.
2154
2155 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2156
2157         [JSC] Provide better type information of toLength and tighten bytecode
2158         https://bugs.webkit.org/show_bug.cgi?id=172690
2159
2160         Reviewed by Sam Weinig.
2161
2162         In this patch, we carefully leverage operator + in order to
2163
2164         1. tighten bytecode
2165
2166         operator+ emits the to_number bytecode. What this bytecode does is the same
2167         as a @Number() call. It is more efficient, and it is smaller bytecode
2168         than a @Number() call (load the global variable @Number, set up arguments, and
2169         call it).
2170
2171         2. offer better type prediction data
2172
2173         Now, we have code like
2174
2175             length > 0 ? (length < @MAX_SAFE_INTEGER ? length : @MAX_SAFE_INTEGER) : 0
2176
2177         This is not good because the DFG prediction propagation phase predicts Double
2178         since @MAX_SAFE_INTEGER is a double. But actually it rarely becomes Double.
2179         Usually, the result becomes Int32. This patch leverages to_number in a bit
2180         interesting way: to_number has value profiling to offer better type prediction.
2181         This value profiling can offer a chance to change the prediction to Int32 efficiently.
2182         It is a bit tricky. But it is worth doing to speed up our builtin functions,
2183         which should leverage all the JSC's tricky things to be optimized.
2184
2185         Related microbenchmarks show performance improvement.
2186
2187                                                   baseline                  patched
2188
2189             array-prototype-forEach           50.2348+-2.2331           49.7568+-2.3507
2190             array-prototype-map               51.0574+-1.8166           47.9531+-2.1653          might be 1.0647x faster
2191             array-prototype-some              52.3926+-1.8882     ^     48.3632+-2.0852        ^ definitely 1.0833x faster
2192             array-prototype-every             52.7394+-2.0712           50.2896+-2.1480          might be 1.0487x faster
2193             array-prototype-reduce            54.9994+-2.3638           51.8716+-2.6253          might be 1.0603x faster
2194             array-prototype-reduceRight      209.7594+-9.2594     ^     51.5867+-2.5745        ^ definitely 4.0662x faster
2195
2196
2197         * builtins/GlobalOperations.js:
2198         (globalPrivate.toInteger):
2199         (globalPrivate.toLength):
2200
2201 2017-05-28  Sam Weinig  <sam@webkit.org>
2202
2203         [WebIDL] @@iterator should only be accessed once when disambiguating a union type
2204         https://bugs.webkit.org/show_bug.cgi?id=172684
2205
2206         Reviewed by Yusuke Suzuki.
2207
2208         * runtime/IteratorOperations.cpp:
2209         (JSC::iteratorMethod):
2210         (JSC::iteratorForIterable):
2211         * runtime/IteratorOperations.h:
2212         (JSC::forEachInIterable):
2213         Add additional iterator helpers to allow union + sequence conversion code
2214         to check for iterability by getting the iterator method, and iterate using
2215         that method later on.
2216
2217 2017-05-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2218
2219         Unreviewed, build fix for Windows
2220         https://bugs.webkit.org/show_bug.cgi?id=172413
2221
2222         Optimized jsDynamicCast for JSMap and JSSet will be handled in [1].
2223
2224         [1]: https://bugs.webkit.org/show_bug.cgi?id=172685
2225
2226         * runtime/JSMap.h:
2227         (JSC::isJSMap):
2228         (JSC::jsDynamicCast): Deleted.
2229         (JSC::>): Deleted.
2230         * runtime/JSSet.h:
2231         (JSC::isJSSet):
2232         (JSC::jsDynamicCast): Deleted.
2233         (JSC::>): Deleted.
2234         * runtime/MapConstructor.cpp:
2235         (JSC::constructMap):
2236         * runtime/SetConstructor.cpp:
2237         (JSC::constructSet):
2238
2239 2017-05-28  Mark Lam  <mark.lam@apple.com>
2240
2241         Implement a faster Interpreter::getOpcodeID().
2242         https://bugs.webkit.org/show_bug.cgi?id=172669
2243
2244         Reviewed by Saam Barati.
2245
2246         We can implement Interpreter::getOpcodeID() without a hash table lookup by always
2247         embedding the OpcodeID in the 32-bit word just before the start of the LLInt
2248         handler code that executes each opcode.  getOpcodeID() can therefore just read
2249         the 32-bits before the opcode address to get its OpcodeID.
2250
2251         This is currently only enabled for CPU(X86), CPU(X86_64), CPU(ARM64),
        CPU(ARM_THUMB2), and only for OS(DARWIN).  It'll probably just work for Linux as
        well, but I'll let the Linux folks turn that on after they have verified that it
        works on Linux too.
2255
2256         I'll also take this opportunity to clean up how we initialize the opcodeIDTable:
2257         1. we only need to initialize it once per process, not once per VM / interpreter
2258            instance.
2259         2. we can initialize it in the Interpreter constructor instead of requiring a
2260            separate call to an initialize() function.
2261
2262         On debug builds, the Interpreter constructor will also verify that getOpcodeID()
2263         is working correctly for each opcode when USE(LLINT_EMBEDDED_OPCODE_ID).
2264
2265         * bytecode/BytecodeList.json:
2266         * generate-bytecode-files:
2267         * interpreter/Interpreter.cpp:
2268         (JSC::Interpreter::Interpreter):
2269         (JSC::Interpreter::opcodeIDTable):
2270         (JSC::Interpreter::initialize): Deleted.
2271         * interpreter/Interpreter.h:
2272         (JSC::Interpreter::getOpcode):
2273         (JSC::Interpreter::getOpcodeID):
2274         * llint/LowLevelInterpreter.cpp:
2275         * runtime/VM.cpp:
2276         (JSC::VM::VM):
2277
2278 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2279
2280         [JSC] Map and Set constructors should have fast path for cloning
2281         https://bugs.webkit.org/show_bug.cgi?id=172413
2282
2283         Reviewed by Saam Barati.
2284
2285         In this patch, we add a fast path for cloning in Set and Map constructors.
2286
2287         In ARES-6 Air, we have code like `new Set(set)` to clone the given set.
        At that time, our generic path just iterates the given set object and adds
        each element to the newly created one. It is quite slow because we need to follow
        the iterator protocol inside C++ and we need to call set.add() repeatedly
        even though the given set guarantees the elements are unique.
2292
        This patch adds a clone() function to JSMap and JSSet. Cloning a JSMap or
        JSSet is done really fast without invoking any observable JS functions.
2295         To check whether we can use this clone() function in Set and Map constructors,
2296         we set several watchpoints.
2297
2298         In the case of Set,
2299
2300         1. Set.prototype[Symbol.iterator] is not changed.
2301         2. SetIterator.prototype.next is not changed.
2302         3. Set.prototype.add is not changed.
        4. The given Set does not have a [Symbol.iterator] function on the instance itself.
2304         5. The given Set's [[Prototype]] is Set.prototype.
2305         6. Newly created set's [[Prototype]] is Set.prototype.
2306
2307         If the above requirements are met, cloning the given Set is not observable to users.
2308         Thus we can take a fast path.
2309
        Currently, we do not integrate this optimization into DFG and FTL.
        And we do not optimize other iterables. For example, we can optimize the Set
        constructor taking an Int32 array. And we should optimize generic iterator cases too.
2313         They are planned as part of a separate bug[1].
2314
2315         This change improves ARES-6 Air by 5.3% in steady state.
2316
2317         Baseline:
2318             Running... Air ( 1  to go)
2319             firstIteration:     76.41 +- 15.60 ms
2320             averageWorstCase:   40.63 +- 7.54 ms
2321             steadyState:        9.13 +- 0.51 ms
2322
2323
2324         Patched:
2325             Running... Air ( 1  to go)
2326             firstIteration:     75.00 +- 22.54 ms
2327             averageWorstCase:   39.18 +- 8.45 ms
2328             steadyState:        8.67 +- 0.28 ms
2329
2330         [1]: https://bugs.webkit.org/show_bug.cgi?id=172419
2331
2332         * CMakeLists.txt:
2333         * JavaScriptCore.xcodeproj/project.pbxproj:
2334         * runtime/ArrayIteratorAdaptiveWatchpoint.cpp: Removed.
2335         * runtime/HashMapImpl.h:
2336         (JSC::HashMapBucket::extractValue):
2337         (JSC::HashMapImpl::finishCreation):
2338         (JSC::HashMapImpl::add):
2339         (JSC::HashMapImpl::setUpHeadAndTail):
2340         (JSC::HashMapImpl::addNormalizedNonExistingForCloning):
2341         (JSC::HashMapImpl::addNormalizedInternal):
2342         * runtime/InternalFunction.cpp:
2343         (JSC::InternalFunction::createSubclassStructureSlow):
2344         (JSC::InternalFunction::createSubclassStructure): Deleted.
2345         * runtime/InternalFunction.h:
2346         (JSC::InternalFunction::createSubclassStructure):
2347         * runtime/JSGlobalObject.cpp:
2348         (JSC::JSGlobalObject::JSGlobalObject):
2349         (JSC::JSGlobalObject::init):
2350         (JSC::JSGlobalObject::visitChildren):
2351         * runtime/JSGlobalObject.h:
2352         (JSC::JSGlobalObject::mapIteratorProtocolWatchpoint):
2353         (JSC::JSGlobalObject::setIteratorProtocolWatchpoint):
2354         (JSC::JSGlobalObject::mapSetWatchpoint):
2355         (JSC::JSGlobalObject::setAddWatchpoint):
2356         (JSC::JSGlobalObject::mapPrototype):
2357         (JSC::JSGlobalObject::jsSetPrototype):
2358         (JSC::JSGlobalObject::setStructure):
2359         * runtime/JSGlobalObjectInlines.h:
2360         (JSC::JSGlobalObject::isMapPrototypeIteratorProtocolFastAndNonObservable):
2361         (JSC::JSGlobalObject::isSetPrototypeIteratorProtocolFastAndNonObservable):
2362         (JSC::JSGlobalObject::isMapPrototypeSetFastAndNonObservable):
2363         (JSC::JSGlobalObject::isSetPrototypeAddFastAndNonObservable):
2364         * runtime/JSMap.cpp:
2365         (JSC::JSMap::clone):
2366         (JSC::JSMap::canCloneFastAndNonObservable):
2367         * runtime/JSMap.h:
2368         (JSC::jsDynamicCast):
2369         (JSC::>):
2370         (JSC::JSMap::createStructure): Deleted.
2371         (JSC::JSMap::create): Deleted.
2372         (JSC::JSMap::set): Deleted.
2373         (JSC::JSMap::JSMap): Deleted.
2374         * runtime/JSSet.cpp:
2375         (JSC::JSSet::clone):
2376         (JSC::JSSet::canCloneFastAndNonObservable):
2377         * runtime/JSSet.h:
2378         (JSC::jsDynamicCast):
2379         (JSC::>):
2380         (JSC::JSSet::createStructure): Deleted.
2381         (JSC::JSSet::create): Deleted.
2382         (JSC::JSSet::JSSet): Deleted.
2383         * runtime/MapConstructor.cpp:
2384         (JSC::constructMap):
2385         * runtime/ObjectPropertyChangeAdaptiveWatchpoint.h: Renamed from Source/JavaScriptCore/runtime/ArrayIteratorAdaptiveWatchpoint.h.
2386         (JSC::ObjectPropertyChangeAdaptiveWatchpoint::ObjectPropertyChangeAdaptiveWatchpoint):
2387         * runtime/SetConstructor.cpp:
2388         (JSC::constructSet):
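
Added example, not JSC's code: the six conditions listed in the entry above exist because each one guards a hook that script can replace, and once a hook is replaced the generic `new Set(set)` path is observable. The functions below (their names are this example's own) tamper with one hook each from plain JavaScript and return what the clone ends up containing. Any conforming engine must produce these results, which is exactly why the fast path has to bail out the moment one of the watchpoints fires.

```javascript
// Added example, not JSC's code. One function per watched hook; each returns
// the contents of the clone (or what the hook observed) after tampering.

// Temporarily replace obj[key], run fn, and always restore the original
// descriptor so the rest of the process sees an untouched Set.
function withPatched(obj, key, replacement, fn) {
  const saved = Object.getOwnPropertyDescriptor(obj, key);
  Object.defineProperty(obj, key, { value: replacement, writable: true, configurable: true });
  try {
    return fn();
  } finally {
    Object.defineProperty(obj, key, saved);
  }
}

// Baseline: nothing patched, the clone has exactly the source's elements.
function cloneUntouched() {
  return [...new Set(new Set([1, 2, 3]))];          // [1, 2, 3]
}

// Condition 4: an own @@iterator on the instance shadows Set.prototype[@@iterator].
function cloneWithOwnIterator() {
  const source = new Set([1, 2, 3]);
  source[Symbol.iterator] = function* () { yield 'injected'; };
  return [...new Set(source)];                      // ['injected']
}

// Condition 1: Set.prototype[@@iterator] itself replaced. The clone is built
// while patched and read back after restoring, so only the clone step is affected.
function cloneWithPatchedPrototypeIterator() {
  const source = new Set([1, 2, 3]);
  const clone = withPatched(Set.prototype, Symbol.iterator,
    function* () { yield 'replaced'; }, () => new Set(source));
  return [...clone];                                // ['replaced']
}

// Condition 2: SetIterator.prototype.next is shared by every set iterator, so a
// patched next() rewrites each element on its way into the clone.
function cloneWithPatchedNext() {
  const SetIteratorPrototype = Object.getPrototypeOf(new Set()[Symbol.iterator]());
  const originalNext = SetIteratorPrototype.next;
  const source = new Set([1, 2, 3]);
  const clone = withPatched(SetIteratorPrototype, 'next', function () {
    const step = originalNext.call(this);
    if (!step.done) step.value = step.value * 10;
    return step;
  }, () => new Set(source));
  return [...clone];                                // [10, 20, 30]
}

// Condition 3: the constructor looks up "add" on the new set and calls it once
// per element, so a patched Set.prototype.add sees every value.
function cloneWithPatchedAdd() {
  const seen = [];
  const originalAdd = Set.prototype.add;
  const source = new Set([1, 2, 3]);
  withPatched(Set.prototype, 'add', function (value) {
    seen.push(value);
    return originalAdd.call(this, value);
  }, () => new Set(source));
  return seen;                                      // [1, 2, 3]
}

// Conditions 5 and 6: a subclass instance has a different [[Prototype]], so the
// @@iterator lookup can land on the subclass before it ever reaches Set.prototype.
function cloneOfSubclass() {
  class TaggingSet extends Set {
    *[Symbol.iterator]() {
      for (const v of super[Symbol.iterator]()) yield `${v}!`;
    }
  }
  return [...new Set(new TaggingSet([1, 2]))];      // ['1!', '2!']
}
```

Each patched run restores the prototype before returning, so the functions can be called in any order; the point is that every one of them yields something other than [1, 2, 3], which a clone that skipped the protocol would silently get wrong.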
2389
2390 2017-05-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2391
2392         [DOMJIT] Move DOMJIT patchpoint infrastructure out of domjit
2393         https://bugs.webkit.org/show_bug.cgi?id=172260
2394
2395         Reviewed by Filip Pizlo.
2396
        DOMJIT::Patchpoint is now used for generalized CheckSubClass, and it has become mature enough
        to be used as a general-purpose injectable compiler over all the JIT tiers.
2399
2400         We extract DOMJIT::Patchpoint to jit/ and rename it JSC::Snippet.
2401
2402         * CMakeLists.txt:
2403         * JavaScriptCore.xcodeproj/project.pbxproj:
2404         * bytecode/AccessCaseSnippetParams.cpp: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.cpp.
2405         (JSC::SlowPathCallGeneratorWithArguments::generateImpl):
2406         (JSC::AccessCaseSnippetParams::emitSlowPathCalls):
2407         * bytecode/AccessCaseSnippetParams.h: Renamed from Source/JavaScriptCore/bytecode/DOMJITAccessCasePatchpointParams.h.
2408         (JSC::AccessCaseSnippetParams::AccessCaseSnippetParams):
2409         * bytecode/GetterSetterAccessCase.cpp:
2410         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2411         * dfg/DFGAbstractInterpreterInlines.h:
2412         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2413         * dfg/DFGByteCodeParser.cpp:
2414         (JSC::DFG::blessCallDOMGetter):
2415         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2416         * dfg/DFGClobberize.h:
2417         (JSC::DFG::clobberize):
2418         * dfg/DFGFixupPhase.cpp:
2419         (JSC::DFG::FixupPhase::fixupNode):
2420         * dfg/DFGGraph.h:
2421         * dfg/DFGNode.h:
2422         * dfg/DFGSnippetParams.cpp: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.cpp.
2423         * dfg/DFGSnippetParams.h: Renamed from Source/JavaScriptCore/dfg/DFGDOMJITPatchpointParams.h.
2424         (JSC::DFG::SnippetParams::SnippetParams):
2425         * dfg/DFGSpeculativeJIT.cpp:
2426         (JSC::DFG::allocateTemporaryRegistersForSnippet):
2427         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2428         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2429         (JSC::DFG::allocateTemporaryRegistersForPatchpoint): Deleted.
2430         * domjit/DOMJITCallDOMGetterSnippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITCallDOMGetterPatchpoint.h.
2431         (JSC::DOMJIT::CallDOMGetterSnippet::create):
2432         * domjit/DOMJITGetterSetter.h:
2433         * domjit/DOMJITSignature.h:
2434         * domjit/DOMJITValue.h: Removed.
2435         * ftl/FTLLowerDFGToB3.cpp:
2436         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2437         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
2438         * ftl/FTLSnippetParams.cpp: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.cpp.
2439         * ftl/FTLSnippetParams.h: Renamed from Source/JavaScriptCore/ftl/FTLDOMJITPatchpointParams.h.
2440         (JSC::FTL::SnippetParams::SnippetParams):
2441         * jit/Snippet.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpoint.h.
2442         (JSC::Snippet::create):
2443         (JSC::Snippet::setGenerator):
2444         (JSC::Snippet::generator):
2445         * jit/SnippetParams.h: Renamed from Source/JavaScriptCore/domjit/DOMJITPatchpointParams.h.
2446         (JSC::SnippetParams::~SnippetParams):
2447         (JSC::SnippetParams::Value::Value):
2448         (JSC::SnippetParams::Value::isGPR):
2449         (JSC::SnippetParams::Value::isFPR):
2450         (JSC::SnippetParams::Value::isJSValueRegs):
2451         (JSC::SnippetParams::Value::gpr):
2452         (JSC::SnippetParams::Value::fpr):
2453         (JSC::SnippetParams::Value::jsValueRegs):
2454         (JSC::SnippetParams::Value::reg):
2455         (JSC::SnippetParams::Value::value):
2456         (JSC::SnippetParams::SnippetParams):
2457         * jit/SnippetReg.h: Renamed from Source/JavaScriptCore/domjit/DOMJITReg.h.
2458         (JSC::SnippetReg::SnippetReg):
2459         * jit/SnippetSlowPathCalls.h: Renamed from Source/JavaScriptCore/domjit/DOMJITSlowPathCalls.h.
2460         * jsc.cpp:
2461         (WTF::DOMJITNode::checkSubClassSnippet):
2462         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
2463         (WTF::DOMJITNode::checkSubClassPatchpoint): Deleted.
2464         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint): Deleted.
2465         * runtime/ClassInfo.h:
2466
2467 2017-05-26  Keith Miller  <keith_miller@apple.com>
2468
        REGRESSION(r217459): testapi fails in JSExportTest's wrapperForNSObjectisObject().
2470         https://bugs.webkit.org/show_bug.cgi?id=172654
2471
2472         Reviewed by Mark Lam.
2473
2474         The test's intent is to assert that an exception has not been
2475         thrown (as indicated by the message string), but the test was
2476         erroneously checking for ! the right condition. This is now fixed.
2477
2478         * API/tests/JSExportTests.mm:
2479         (wrapperForNSObjectisObject):
2480
2481 2017-05-26  Joseph Pecoraro  <pecoraro@apple.com>
2482
2483         JSContext Inspector: Improve the reliability of automatically pausing in auto-attach
2484         https://bugs.webkit.org/show_bug.cgi?id=172664
2485         <rdar://problem/32362933>
2486
2487         Reviewed by Matt Baker.
2488
2489         Automatically pause on connection was triggering a pause before the
2490         frontend may have initialized. Often during frontend initialization
2491         the frontend may perform an action that clears the pause state requested
2492         by the developer. This change defers the pause until after the frontend
2493         has initialized, right before returning to the application's code.
2494
2495         * inspector/remote/RemoteControllableTarget.h:
2496         * inspector/remote/RemoteInspectionTarget.h:
2497         * inspector/remote/cocoa/RemoteConnectionToTargetCocoa.mm:
2498         (Inspector::RemoteConnectionToTarget::setup):
2499         * inspector/remote/glib/RemoteConnectionToTargetGlib.cpp:
2500         (Inspector::RemoteConnectionToTarget::setup):
2501         * runtime/JSGlobalObjectDebuggable.cpp:
2502         (JSC::JSGlobalObjectDebuggable::connect):
2503         (JSC::JSGlobalObjectDebuggable::pause): Deleted.
2504         * runtime/JSGlobalObjectDebuggable.h:
2505         Pass an immediatelyPause boolean on to the controller. Remove
2506         the current path that invokes a pause before initialization.
2507
2508         * inspector/JSGlobalObjectInspectorController.h:
2509         * inspector/JSGlobalObjectInspectorController.cpp:
2510         (Inspector::JSGlobalObjectInspectorController::connectFrontend):
2511         (Inspector::JSGlobalObjectInspectorController::disconnectFrontend):
2512         Manage should immediately pause state.
2513
2514         (Inspector::JSGlobalObjectInspectorController::frontendInitialized):
2515         (Inspector::JSGlobalObjectInspectorController::pause): Deleted.
2516         When initialized, trigger a pause if requested.
2517
2518 2017-05-26  Mark Lam  <mark.lam@apple.com>
2519
2520         Temporarily commenting out a JSExportTest test until webkit.org/b/172654 is fixed.
2521         https://bugs.webkit.org/show_bug.cgi?id=172655
2522
2523         Reviewed by Saam Barati.
2524
2525         * API/tests/JSExportTests.mm:
2526         (wrapperForNSObjectisObject):
2527
2528 2017-05-26  Mark Lam  <mark.lam@apple.com>
2529
2530         REGRESSION(216914): testCFStrings encounters an invalid ExecState callee pointer.
2531         https://bugs.webkit.org/show_bug.cgi?id=172651
2532
2533         Reviewed by Saam Barati.
2534
        This is because the assertion utility functions used in testCFStrings() expect
2536         to get the JSGlobalContextRef from the global context variable.  However,
2537         testCFStrings() creates its own JSGlobalContextRef but does not set the global
2538         context variable to it.
2539
2540         The fix is to make testCFStrings() initialize the global context variable properly.
2541
2542         * API/tests/testapi.c:
2543         (testCFStrings):
2544
2545 2017-05-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2546
2547         Give ModuleProgram the same treatment that we did for ProgramCode in bug#167725
2548         https://bugs.webkit.org/show_bug.cgi?id=167805
2549
2550         Reviewed by Saam Barati.
2551
        Since ModuleProgramExecutable is executed only once, we can skip compiling
        code unreachable from the current program counter. This can skip massive
        initialization code.
2555
2556         We already do this for global code in bug#167725. This patch extends it to
2557         module code.
2558
2559         * interpreter/Interpreter.cpp:
2560         (JSC::Interpreter::executeModuleProgram):
2561         * interpreter/Interpreter.h:
2562         * jit/JIT.cpp:
2563         (JSC::JIT::privateCompileMainPass):
2564         * runtime/JSModuleRecord.cpp:
2565         (JSC::JSModuleRecord::evaluate):
2566         * runtime/JSModuleRecord.h:
2567         (JSC::JSModuleRecord::moduleProgramExecutable): Deleted.
2568
2569 2017-05-26  Oleksandr Skachkov  <gskachkov@gmail.com>
2570
2571         Prevent async methods named 'function'
2572         https://bugs.webkit.org/show_bug.cgi?id=172598
2573
2574         Reviewed by Mark Lam.
2575
        Prevent async methods named 'function' in classes.
2577         Link to change in ecma262 specification
2578         https://github.com/tc39/ecma262/pull/884
2579
2580         * parser/Parser.cpp:
2581         (JSC::Parser<LexerType>::parseClass):
2582
2583 2017-05-25  Yusuke Suzuki  <utatane.tea@gmail.com>
2584
2585         Unreviewed, build fix for GCC
2586
        std::tuple does not have an implicit constructor.
2588         Thus, we cannot use implicit construction with initializer brace.
2589         We should specify the name like `GetInst { }`.
2590
2591         * bytecompiler/BytecodeGenerator.h:
2592         (JSC::StructureForInContext::addGetInst):
2593
2594 2017-05-25  Keith Miller  <keith_miller@apple.com>
2595
2596         Cleanup tests after r217240
2597         https://bugs.webkit.org/show_bug.cgi?id=172466
2598
2599         Reviewed by Mark Lam.
2600
        I forgot to make my test an actual test. Also, remove the second call to runJSExportTests().
2602
2603         * API/tests/JSExportTests.mm:
2604         (wrapperForNSObjectisObject):
2605         * API/tests/testapi.mm:
2606         (testObjectiveCAPIMain):
2607
2608 2017-05-25  Michael Saboff  <msaboff@apple.com>
2609
2610         The default setting of Option::criticalGCMemoryThreshold is too high for iOS
2611         https://bugs.webkit.org/show_bug.cgi?id=172617
2612
2613         Reviewed by Mark Lam.
2614
2615         Reducing criticalGCMemoryThreshold to 0.80 eliminated jetsam on iOS devices
2616         when tested running JetStream.
2617
2618         * runtime/Options.h:
2619
2620 2017-05-25  Saam Barati  <sbarati@apple.com>
2621
2622         Our for-in optimization in the bytecode generator does its static analysis incorrectly
2623         https://bugs.webkit.org/show_bug.cgi?id=172532
2624         <rdar://problem/32369452>
2625
2626         Reviewed by Mark Lam.
2627
        Our static analysis for when a for-in induction variable
        is written to tried to do its analysis as we generate
        bytecode. This has issues, since it does not account for
2631         the dynamic execution path of the program. Let's consider
2632         a program where our old analysis worked:
2633         
2634         ```
2635         for (let p in o) {
2636             o[p]; // We can transform this into a fast get_direct_pname
2637             p = 20;
2638             o[p]; // We cannot transform this since p has been changed.
2639         }
2640         ```
2641         
2642         However, our static analysis did not account for loops, which exist
2643         in JavaScript. e.g, it would incorrectly compile this program as:
2644         ```
2645         for (let p in o) {
2646             for (let i = 0; i < 20; ++i) {
2647                 o[p]; // It transforms this to use get_direct_pname even though p will be over-written if we get here from the inner loop back edge!
2648                 p = 20;
2649                 o[p]; // We correctly do not transform this.
2650             } 
2651         }
2652         ```
2653         
2654         Because of this flaw, I've made the optimization more conservative.
2655         We now optimistically emit code for the optimized access. However,
2656         if a for-in context is *ever* invalidated, before we pop it off
2657         the stack, we rewrite the program's optimized accesses to no longer
2658         be optimized. To do this, each context keeps track of its optimized
2659         accesses.
2660         
2661         This patch also adds a new bytecode, op_nop, which is just a no-op.
2662         It was helpful to add this because reverting get_direct_pname to get_by_val
        will leave us with an extra instruction word because get_direct_pname
        has a length of 7 where get_by_val has a length of 6. This leaves us with
2665         an extra slot that we fill with an op_nop.
2666
2667         * bytecode/BytecodeDumper.cpp:
2668         (JSC::BytecodeDumper<Block>::dumpBytecode):
2669         * bytecode/BytecodeList.json:
2670         * bytecode/BytecodeUseDef.h:
2671         (JSC::computeUsesForBytecodeOffset):
2672         (JSC::computeDefsForBytecodeOffset):
2673         * bytecompiler/BytecodeGenerator.cpp:
2674         (JSC::BytecodeGenerator::emitGetByVal):
2675         (JSC::BytecodeGenerator::popIndexedForInScope):
2676         (JSC::BytecodeGenerator::popStructureForInScope):
2677         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2678         (JSC::StructureForInContext::pop):
2679         (JSC::IndexedForInContext::pop):
2680         * bytecompiler/BytecodeGenerator.h:
2681         (JSC::StructureForInContext::addGetInst):
2682         (JSC::IndexedForInContext::addGetInst):
2683         * dfg/DFGByteCodeParser.cpp:
2684         (JSC::DFG::ByteCodeParser::parseBlock):
2685         * dfg/DFGCapabilities.cpp:
2686         (JSC::DFG::capabilityLevel):
2687         * jit/JIT.cpp:
2688         (JSC::JIT::privateCompileMainPass):
2689         * jit/JIT.h:
2690         * jit/JITOpcodes.cpp:
2691         (JSC::JIT::emit_op_nop):
2692         * llint/LowLevelInterpreter.asm:
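
Added example, not JSC's code: the two programs from the entry above, run against a Proxy that logs every [[Get]] on `o`. The log is the sequence of property reads a correct engine must perform, so it makes visible where an enumerated-name fast access (get_direct_pname) is valid and where the inner loop's back edge makes it wrong. The Proxy harness, the function names and the two-key sample object are constructed for this illustration.

```javascript
// Added example, not JSC's code. Records the property keys read from `o` so the
// observable semantics that any for-in optimization must preserve are explicit.

function traceGets(program) {
  const log = [];
  const target = { a: 1, b: 2 };                   // constructed sample: two enumerable keys
  const o = new Proxy(target, {
    get(t, key, receiver) {
      if (typeof key === 'string') log.push(key);  // for-in itself never calls [[Get]]
      return Reflect.get(t, key, receiver);
    },
  });
  program(o);
  return log;
}

// Program 1: the old analysis handled this. The first o[p] reads the enumerated
// name; the second reads "20" because p was reassigned in between.
function straightLineBody(o) {
  for (let p in o) {
    o[p];
    p = 20;
    o[p];
  }
}
// traceGets(straightLineBody) -> ['a', '20', 'b', '20']

// Program 2: the inner back edge reaches the first o[p] with p already 20, so on
// every inner iteration after the first, both reads are "20". Compiling that
// first read as an enumerated-name access is the bug the entry describes.
function innerLoopBody(o) {
  for (let p in o) {
    for (let i = 0; i < 2; ++i) {
      o[p];
      p = 20;
      o[p];
    }
  }
}
// traceGets(innerLoopBody) -> ['a', '20', '20', '20', 'b', '20', '20', '20']

// Count the reads whose key is no longer an enumerated own key of the target:
// each of these is a site where get_direct_pname would read the wrong slot.
function reassignedReads(program) {
  const enumerated = Object.keys({ a: 1, b: 2 });
  return traceGets(program).filter((key) => !enumerated.includes(key)).length;
}
```

With `p = 20` the key is the string "20" after property-key conversion, which is why every post-reassignment read shows up that way in the log.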
2693
2694 2017-05-25  Mark Lam  <mark.lam@apple.com>
2695
2696         ObjectToStringAdaptiveInferredPropertyValueWatchpoint should not reinstall itself nor handleFire if it's dying shortly.
2697         https://bugs.webkit.org/show_bug.cgi?id=172548
2698         <rdar://problem/31458393>
2699
2700         Reviewed by Filip Pizlo.
2701
2702         Consider the following scenario:
2703
2704         1. A ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1, watches for
2705            structure transitions, e.g. structure S2 transitioning to structure S3.
2706            In this case, O1 would be installed in S2's watchpoint set.
2707         2. When the structure transition happens, structure S2 will fire watchpoint O1.
2708         3. O1's handler will normally re-install itself in the watchpoint set of the new
2709            "transitioned to" structure S3.
2710         4. "Installation" here requires writing into the StructureRareData SD3 of the new
2711            structure S3.  If SD3 does not exist yet, the installation process will trigger
2712            the allocation of StructureRareData SD3.
2713         5. It is possible that the Structure S1, and StructureRareData SD1 that owns the
2714            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1 is no longer reachable
2715            by the GC, and therefore will be collected soon.
2716         6. The allocation of SD3 in (4) may trigger the sweeping of the StructureRareData
2717            SD1.  This, in turn, triggers the deletion of the
2718            ObjectToStringAdaptiveInferredPropertyValueWatchpoint O1.
2719
2720         After O1 is deleted in (6) and SD3 is allocated in (4), execution continues in
2721         AdaptiveInferredPropertyValueWatchpointBase::fire() where O1 gets installed in
2722         structure S3's watchpoint set.  This is obviously incorrect because O1 is already
2723         deleted.  The result is that badness happens later when S3's watchpoint set fires
2724         its watchpoints and accesses the deleted O1.
2725
2726         The fix is to enhance AdaptiveInferredPropertyValueWatchpointBase::fire() to
2727         check if "this" is still valid before proceeding to re-install itself or to
2728         invoke its handleFire() method.
2729
2730         ObjectToStringAdaptiveInferredPropertyValueWatchpoint (which extends
2731         AdaptiveInferredPropertyValueWatchpointBase) will override its isValid() method,
        and return false if its owner StructureRareData is no longer reachable by the GC.
2733         This ensures that it won't be deleted while it's installed to any watchpoint set.
2734
2735         Additional considerations and notes:
2736         1. In the above, I talked about the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
2737            being installed in watchpoint sets.  What actually happens is that
2738            ObjectToStringAdaptiveInferredPropertyValueWatchpoint has 2 members
2739            (m_structureWatchpoint and m_propertyWatchpoint) which may be installed in
2740            watchpoint sets.  The ObjectToStringAdaptiveInferredPropertyValueWatchpoint is
2741            not itself a Watchpoint object.
2742
2743            But for brevity, in the above, I refer to the ObjectToStringAdaptiveInferredPropertyValueWatchpoint
2744            instead of its Watchpoint members.  The description of the issue is still
2745            accurate given the life-cycle of the Watchpoint members are embedded in the
2746            enclosing ObjectToStringAdaptiveInferredPropertyValueWatchpoint object, and
2747            hence, they share the same life-cycle.
2748
2749         2. The top of AdaptiveInferredPropertyValueWatchpointBase::fire() removes its
2750            m_structureWatchpoint and m_propertyWatchpoint if they have been added to any
2751            watchpoint sets.  This is safe to do even if the owner StructureRareData is no
2752            longer reachable by the GC.
2753
2754            This is because the only way we can get to AdaptiveInferredPropertyValueWatchpointBase::fire()
2755            is if its Watchpoint members are still installed in some watchpoint set that
2756            fired.  This means that the AdaptiveInferredPropertyValueWatchpointBase
2757            instance has not been deleted yet, because its destructor will automatically
2758            remove the Watchpoint members from any watchpoint sets.
2759
2760         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.cpp:
2761         (JSC::AdaptiveInferredPropertyValueWatchpointBase::fire):
2762         (JSC::AdaptiveInferredPropertyValueWatchpointBase::isValid):
2763         * bytecode/AdaptiveInferredPropertyValueWatchpointBase.h:
2764         * heap/FreeList.cpp:
2765         (JSC::FreeList::contains):
2766         * heap/FreeList.h:
2767         * heap/HeapCell.h:
2768         * heap/HeapCellInlines.h:
2769         (JSC::HeapCell::isLive):
2770         * heap/MarkedAllocator.h:
2771         (JSC::MarkedAllocator::isFreeListedCell):
2772         * heap/MarkedBlock.h:
2773         * heap/MarkedBlockInlines.h:
2774         (JSC::MarkedBlock::Handle::isFreeListedCell):
2775         * runtime/StructureRareData.cpp:
2776         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::isValid):
2777
2778 2017-05-23  Saam Barati  <sbarati@apple.com>
2779
2780         We should not mmap zero bytes for a memory in Wasm
2781         https://bugs.webkit.org/show_bug.cgi?id=172528
2782         <rdar://problem/32257076>
2783
2784         Reviewed by Mark Lam.
2785
2786         This patch fixes a bug where we would call into mmap with zero bytes
2787         when creating a slow WasmMemory with zero initial page size. This fix
2788         is simple: if we don't have any initial bytes, we just call the constructor
2789         in WasmMemory that's meant to handle this case.
2790
2791         * wasm/WasmMemory.cpp:
2792         (JSC::Wasm::Memory::create):
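
Added example, not JSC's code: the zero-initial-page Memory that the entry above fixes, exercised from JavaScript. It is legal, starts with an empty buffer, acquires backing storage only on grow(), and every grow() must detach the previous ArrayBuffer so stale views cannot alias the old mapping. The function and constant names are this example's own.

```javascript
// Added example, not JSC's code. Walks a WebAssembly.Memory from zero pages
// through its first grow() and past its maximum, returning what was observed.

const WASM_PAGE_BYTES = 65536;

function zeroPageMemoryLifecycle() {
  const memory = new WebAssembly.Memory({ initial: 0, maximum: 1 });
  const emptyBuffer = memory.buffer;
  const before = emptyBuffer.byteLength;            // 0: no pages allocated yet

  const previousPages = memory.grow(1);             // returns the old size in pages: 0
  const after = memory.buffer.byteLength;           // 65536

  // The pre-grow buffer is detached: a stale view on it has no bytes to touch,
  // so nothing can write through it into whatever the old mapping became.
  const oldDetached = emptyBuffer.byteLength === 0 && emptyBuffer !== memory.buffer;

  // Writes land in real backing storage right up to the last byte of the page.
  const view = new Uint8Array(memory.buffer);
  view[WASM_PAGE_BYTES - 1] = 0x7f;
  const lastByte = new Uint8Array(memory.buffer)[WASM_PAGE_BYTES - 1];

  // Growing past the declared maximum is refused with a RangeError and leaves
  // the current buffer untouched.
  let growPastMaxThrows = false;
  try {
    memory.grow(1);
  } catch (e) {
    growPastMaxThrows = e instanceof RangeError;
  }
  const stillOnePage = memory.buffer.byteLength === WASM_PAGE_BYTES;

  return { before, previousPages, after, oldDetached, lastByte, growPastMaxThrows, stillOnePage };
}
```

The zero-byte starting state is the one the patch routes to the dedicated WasmMemory constructor; a fast path that mapped zero bytes instead would have nothing to detach and nothing to grow into.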
2793
2794 2017-05-23  Brian Burg  <bburg@apple.com>
2795
2796         REGRESSION(r217051): Automation sessions fail to complete bootstrap
2797         https://bugs.webkit.org/show_bug.cgi?id=172513
2798         <rdar://problem/32338354>
2799
2800         Reviewed by Joseph Pecoraro.
2801
2802         The changes to be more strict about typechecking messages were too strict.
2803
2804         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2805         (Inspector::RemoteInspector::receivedSetupMessage):
2806         WIRAutomatically is an optional key in the setup message. In the relay, this key gets copied
2807         into an NSDictionary as NSNull if the key isn't present in a forwarded command.
2808         We need to revert NSNull values to nil, since it's valid to call [nil boolValue] but not
2809         [[NSNull null] boolValue]. We also need to allow for nil in the typecheck for this key.
2810
2811 2017-05-23  Myles C. Maxfield  <mmaxfield@apple.com>
2812
2813         Remove dead ENABLE(FONT_LOAD_EVENTS) code
2814         https://bugs.webkit.org/show_bug.cgi?id=172517
2815
2816         Rubber-stamped by Simon Fraser.
2817
2818         * Configurations/FeatureDefines.xcconfig:
2819
2820 2017-05-23  Saam Barati  <sbarati@apple.com>
2821
2822         CFGSimplificationPhase should not merge a block with itself
2823         https://bugs.webkit.org/show_bug.cgi?id=172508
2824         <rdar://problem/28424006>
2825
2826         Reviewed by Keith Miller.
2827
2828         CFGSimplificationPhase can run into or create IR that ends up with a
2829         block that has a Jump to itself, and no other predecessors. It should
        gracefully handle such IR. Before this patch, it would not. The only criterion
        for merging 'block' with 'targetBlock' used to be that 'targetBlock.predecessors.size() == 1'.
2832         The code is written in such a way that if we merge a block with itself, we
2833         will infinite loop until we run out of memory.
2834         
2835         Merging a block with itself does not make sense for a few reasons. First,
2836         we're joining the contents of two blocks. What is the definition of joining
2837         a block with itself? I suppose we could simply unroll this self loop
2838         one level, but that would not be wise because this self loop is by definition
2839         unreachable unless it's the root block in the graph (which I think is
2840         invalid IR since we'd never generate bytecode that would do this).
2841         
2842         This patch employs an easy fix: we can't merge a block with itself.
2843
2844         * dfg/DFGCFGSimplificationPhase.cpp:
2845         (JSC::DFG::CFGSimplificationPhase::canMergeBlocks):
2846         (JSC::DFG::CFGSimplificationPhase::run):
2847         (JSC::DFG::CFGSimplificationPhase::convertToJump):
2848         (JSC::DFG::CFGSimplificationPhase::mergeBlocks):
2849
2850 2017-05-22  Brian Burg  <bburg@apple.com>
2851
2852         Web Inspector: webkit reload policy should match default behavior
2853         https://bugs.webkit.org/show_bug.cgi?id=171385
2854         <rdar://problem/31871515>
2855
2856         Reviewed by Joseph Pecoraro.
2857
2858         Add a new option to Page.reload that allows the test harness
2859         to reload its test page using the old reload behavior.
2860
2861         The new behavior of revalidating expired cached subresources only
2862         is the current default, since only the test harness needs the old behavior.
2863
2864         * inspector/protocol/Page.json:
2865
2866 2017-05-22  Keith Miller  <keith_miller@apple.com>
2867
2868         [Cocoa] An exported Objective C class’s prototype and constructor don't persist across JSContext deallocation
2869         https://bugs.webkit.org/show_bug.cgi?id=167708
2870
2871         Reviewed by Geoffrey Garen.
2872
2873         This patch moves the Objective C wrapper map to the global object. In order to make this work the JSWrapperMap
2874         class no longer holds a reference to the JSContext. Instead, the context must be provided when getting a wrapper.
2875
2876         Also, this patch fixes a "bug" where we would observe changes to the Object property on the global object when
2877         creating a wrapper for NSObject.
2878
2879         * API/APICast.h:
2880         (toJSGlobalObject):
2881         * API/JSContext.mm:
2882         (-[JSContext ensureWrapperMap]):
2883         (-[JSContext initWithVirtualMachine:]):
2884         (-[JSContext dealloc]):
2885         (-[JSContext wrapperMap]):
2886         (-[JSContext initWithGlobalContextRef:]):
2887         (-[JSContext wrapperForObjCObject:]):
2888         (-[JSContext wrapperForJSObject:]):
2889         * API/JSWrapperMap.h:
2890         * API/JSWrapperMap.mm:
2891         (-[JSObjCClassInfo initForClass:]):
2892         (-[JSObjCClassInfo allocateConstructorAndPrototypeInContext:]):
2893         (-[JSObjCClassInfo wrapperForObject:inContext:]):
2894         (-[JSObjCClassInfo constructorInContext:]):
2895         (-[JSObjCClassInfo prototypeInContext:]):
2896         (-[JSWrapperMap initWithGlobalContextRef:]):
2897         (-[JSWrapperMap classInfoForClass:]):
2898         (-[JSWrapperMap jsWrapperForObject:inContext:]):
2899         (-[JSWrapperMap objcWrapperForJSValueRef:inContext:]):
2900         (-[JSObjCClassInfo initWithContext:forClass:]): Deleted.
2901         (-[JSObjCClassInfo allocateConstructorAndPrototype]): Deleted.
2902         (-[JSObjCClassInfo wrapperForObject:]): Deleted.
2903         (-[JSObjCClassInfo constructor]): Deleted.
2904         (-[JSObjCClassInfo prototype]): Deleted.
2905         (-[JSWrapperMap initWithContext:]): Deleted.
2906         (-[JSWrapperMap jsWrapperForObject:]): Deleted.
2907         (-[JSWrapperMap objcWrapperForJSValueRef:]): Deleted.
2908         * API/tests/JSExportTests.mm:
2909         (wrapperLifetimeIsTiedToGlobalObject):
2910         (runJSExportTests):
2911         * API/tests/testapi.mm:
2912         * runtime/JSGlobalObject.h:
2913         (JSC::JSGlobalObject::wrapperMap):
2914         (JSC::JSGlobalObject::setWrapperMap):
2915
2916 2017-05-22  Filip Pizlo  <fpizlo@apple.com>
2917
2918         FTL stack overflow handling should not assume that B3 never selects callee-saves in the prologue
2919         https://bugs.webkit.org/show_bug.cgi?id=172455
2920
2921         Reviewed by Mark Lam.
2922         
2923         The FTL needs to run B3's callee-save register restoration before it runs the exception
2924         handler's callee-save register restoration.  This exposes B3's callee-save register
2925         algorithm in AssemblyHelpers so that the FTL can call it.
2926
2927         * b3/air/AirGenerate.cpp:
2928         (JSC::B3::Air::generate):
2929         * ftl/FTLLowerDFGToB3.cpp:
2930         (JSC::FTL::DFG::LowerDFGToB3::lower): Fix the bug.
2931         * heap/Subspace.cpp: Added some debugging support.
2932         (JSC::Subspace::allocate):
2933         (JSC::Subspace::tryAllocate):
2934         (JSC::Subspace::didAllocate):
2935         * heap/Subspace.h:
2936         * jit/AssemblyHelpers.h:
2937         (JSC::AssemblyHelpers::addressFor):
2938         (JSC::AssemblyHelpers::emitSave):
2939         (JSC::AssemblyHelpers::emitRestore):
2940
2941 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2942
2943         [FTL] Support GetByVal with ArrayStorage and SlowPutArrayStorage
2944         https://bugs.webkit.org/show_bug.cgi?id=172216
2945
2946         Reviewed by Saam Barati.
2947
2948         This patch adds GetByVal support for ArrayStorage and SlowPutArrayStorage.
2949         To lower CheckInBounds in FTL, we add a new GetVectorLength op. It only accepts
2950         ArrayStorage and SlowPutArrayStorage, and it produces the vector length.
2951         CheckInBounds uses this vector length to perform bounds checking for ArrayStorage
2952         and SlowPutArrayStorage.
2953
2954         * dfg/DFGAbstractInterpreterInlines.h:
2955         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2956         * dfg/DFGArrayMode.cpp:
2957         (JSC::DFG::permitsBoundsCheckLowering):
2958         * dfg/DFGClobberize.h:
2959         (JSC::DFG::clobberize):
2960         * dfg/DFGDoesGC.cpp:
2961         (JSC::DFG::doesGC):
2962         * dfg/DFGFixupPhase.cpp:
2963         (JSC::DFG::FixupPhase::fixupNode):
2964         * dfg/DFGHeapLocation.cpp:
2965         (WTF::printInternal):
2966         * dfg/DFGHeapLocation.h:
2967         * dfg/DFGIntegerRangeOptimizationPhase.cpp:
2968         * dfg/DFGNode.h:
2969         (JSC::DFG::Node::hasArrayMode):
2970         * dfg/DFGNodeType.h:
2971         * dfg/DFGPredictionPropagationPhase.cpp:
2972         * dfg/DFGSSALoweringPhase.cpp:
2973         (JSC::DFG::SSALoweringPhase::lowerBoundsCheck):
2974         * dfg/DFGSafeToExecute.h:
2975         (JSC::DFG::safeToExecute):
2976         * dfg/DFGSpeculativeJIT32_64.cpp:
2977         (JSC::DFG::SpeculativeJIT::compile):
2978         * dfg/DFGSpeculativeJIT64.cpp:
2979         (JSC::DFG::SpeculativeJIT::compile):
2980         * ftl/FTLAbstractHeapRepository.h:
2981         (JSC::FTL::AbstractHeapRepository::forIndexingType):
2982         (JSC::FTL::AbstractHeapRepository::forArrayType):
2983         * ftl/FTLCapabilities.cpp:
2984         (JSC::FTL::canCompile):
2985         * ftl/FTLLowerDFGToB3.cpp:
2986         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2987         (JSC::FTL::DFG::LowerDFGToB3::compileGetVectorLength):
2988         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2989         * jit/JITPropertyAccess.cpp:
2990         (JSC::JIT::emitArrayStoragePutByVal):
2991         * jit/JITPropertyAccess32_64.cpp:
2992         (JSC::JIT::emitArrayStorageLoad):
2993         (JSC::JIT::emitArrayStoragePutByVal):
2994
2995 2017-05-21  Saam Barati  <sbarati@apple.com>
2996
2997         We incorrectly throw a syntax error when declaring a top level for-loop iteration variable the same as a parameter
2998         https://bugs.webkit.org/show_bug.cgi?id=171041
2999         <rdar://problem/32082516>
3000
3001         Reviewed by Yusuke Suzuki.
3002
3003         We were treating a for-loop variable declaration potentially as a top
3004         level statement, e.g., in a program like this:
3005         ```
3006         function foo() {
3007             for (let variable of expr) { }
3008         }
3009         ```
3010         But we should not be. This had the consequence of making this type of program
3011         throw a syntax error:
3012         ```
3013         function foo(arg) {
3014             for (let arg of expr) { }
3015         }
3016         ```
3017         even though it should not. The fix is simple: we just need to increment the
3018         statement depth before parsing anything inside the for loop.
3019
3020         * parser/Parser.cpp:
3021         (JSC::Parser<LexerType>::parseForStatement):
3022
3023 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3024
3025         [JSC] Make get_by_val & string "499" to number 499
3026         https://bugs.webkit.org/show_bug.cgi?id=172225
3027
3028         Reviewed by Saam Barati.
3029
3030         A property subscript is converted by ToString, so JS code is not aware of
3031         the original type of the subscript value. But our get_by_val can leverage that
3032         information if the given subscript is a number. Thus, passing a number instead of
3033         a string can improve the performance of get_by_val in all the tiers.
3034
3035         In this patch, we add BytecodeGenerator::emitNodeForProperty. It attempts to
3036         convert the given value to an Int32 index constant if the given value is a string
3037         that can be converted to Int32.
3038
3039         This patch improves SixSpeed map-string.es5 by 9.8x. This form of access can
3040         appear in some code, like accessing the result of JSON.
3041
3042             map-string.es5     1640.6738+-110.9182   ^    167.4121+-23.8328       ^ definitely 9.8002x faster
3043
3044         * bytecompiler/BytecodeGenerator.h:
3045         (JSC::BytecodeGenerator::emitNodeForProperty):
3046         (JSC::BytecodeGenerator::emitNodeForLeftHandSideForProperty):
3047         * bytecompiler/NodesCodegen.cpp:
3048         (JSC::TaggedTemplateNode::emitBytecode):
3049         (JSC::BracketAccessorNode::emitBytecode):
3050         (JSC::BytecodeIntrinsicNode::emit_intrinsic_putByValDirect):
3051         (JSC::FunctionCallBracketNode::emitBytecode):
3052         (JSC::PostfixNode::emitBracket):
3053         (JSC::PrefixNode::emitBracket):
3054         (JSC::AssignBracketNode::emitBytecode):
3055         (JSC::ReadModifyBracketNode::emitBytecode):
3056         (JSC::ForInNode::emitLoopHeader):
3057         (JSC::ForOfNode::emitBytecode):
3058         (JSC::ObjectPatternNode::bindValue):
3059         (JSC::AssignmentElementNode::bindValue):
3060
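An added example, not JavaScriptCore code, of the soundness condition behind rewriting a string subscript such as "499" into the Int32 constant 499: because obj[s] looks up ToString(s), the rewrite is only meaning-preserving when s is already the canonical decimal form of an Int32. The regular expression, the Int32 bounds and the sample object are constructed here.

```javascript
// Added example, not JSC code: when may a string subscript be replaced by an
// Int32 constant? Only when ToString(n) === s, i.e. s is the canonical decimal
// form of an Int32. "0499", " 499", "4.99e2", "-0" and out-of-range digit
// strings are all distinct property keys and must stay strings.

// Canonical decimal integer: optional '-', then "0" or a number with no leading zero.
const CANONICAL_INT_RE = /^-?(?:0|[1-9][0-9]*)$/;
const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Returns the Int32 a string subscript may be replaced with, or null when the
// replacement would not denote the identical property key.
function canonicalInt32Index(subscript) {
  if (typeof subscript !== "string") return null;
  if (!CANONICAL_INT_RE.test(subscript)) return null;
  if (subscript === "-0") return null; // ToString(-0) is "0", so "-0" is a different key
  const n = Number(subscript);
  if (n < INT32_MIN || n > INT32_MAX) return null;
  return n;
}

// Model of get_by_val with the rewrite applied: a convertible string subscript
// is accessed through the number, everything else is accessed as given.
function getByValWithRewrite(obj, subscript) {
  const index = canonicalInt32Index(subscript);
  return index === null ? obj[subscript] : obj[index];
}

// Constructed object whose keys exercise the edge cases. Each key is a distinct
// property, so the rewrite is only correct if it never conflates two of them.
const SAMPLE = {
  "499": "int",
  "0499": "leading-zero",
  "-0": "neg-zero",
  "0": "zero",
  "-1": "neg-one",
  " 499": "space",
  "4.99e2": "exp",
  "2147483648": "too-big",
};

// True when the rewritten access agrees with the plain access for every own key.
function rewritePreservesSemantics(obj) {
  return Object.keys(obj).every((key) => getByValWithRewrite(obj, key) === obj[key]);
}
```

The "-0" case is the one a looser check would get wrong: SAMPLE[-0] reads the "0" property, not "-0".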
3061 2017-05-21  Saam Barati  <sbarati@apple.com>
3062
3063         We overwrite the callee save space on the stack when throwing stack overflow from wasm
3064         https://bugs.webkit.org/show_bug.cgi?id=172316
3065
3066         Reviewed by Mark Lam.
3067
3068         When throwing a stack overflow exception, the overflow
3069         thunk would do the following:
3070           move fp, sp
3071           populate argument registers
3072           call C code
3073         
3074         However, the C function is allowed to clobber our spilled
3075         callee saves that live below fp. The reason I did this move is that
3076         when we jump to this code, we've proven that sp is out of bounds on
3077         the stack. So we're not allowed to just use its value or keep growing
3078         the stack from that point. However, this patch revises this approach
3079         to be the same in spirit, but actually correct. We conservatively assume
3080         the B3 function we're coming from could have saved all callee saves.
3081         So we emit code like this now:
3082           add -maxNumCalleeSaveSpace, fp, sp
3083           populate argument registers
3084           call C code
3085         
3086         This ensures our callee saves will not be overwritten. Note
3087         that fp is still in a valid stack range here, since the thing
3088         calling the wasm code did a stack check. Also note that maxNumCalleeSaveSpace
3089         is less than our redzone size, so it's safe to decrement sp by 
3090         this amount.
3091         
3092         The previously added wasm stack overflow test is an instant crash
3093         without this change on arm64. It also appears that this test crashed
3094         on some other x86 devices.
3095
3096         * wasm/WasmThunks.cpp:
3097         (JSC::Wasm::throwStackOverflowFromWasmThunkGenerator):
3098
3099 2017-05-20  Chris Dumez  <cdumez@apple.com>
3100
3101         Drop [NoInterfaceObject] from RTCDTMFSender and RTCStatsReport
3102         https://bugs.webkit.org/show_bug.cgi?id=172418
3103
3104         Reviewed by Youenn Fablet.
3105
3106         Add CommonIdentifiers that are now needed.
3107
3108         * runtime/CommonIdentifiers.h:
3109
3110 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3111
3112         Unreviewed, add scope.release() to propertyIsEnumerable functions.
3113         https://bugs.webkit.org/show_bug.cgi?id=172411
3114
3115         * runtime/JSGlobalObjectFunctions.cpp:
3116         (JSC::globalFuncPropertyIsEnumerable):
3117         * runtime/ObjectPrototype.cpp:
3118         (JSC::objectProtoFuncPropertyIsEnumerable):
3119
3120 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3121
3122         [JSC] Drop MapBase
3123         https://bugs.webkit.org/show_bug.cgi?id=172417
3124
3125         Reviewed by Sam Weinig.
3126
3127         MapBase is purely an additional indirection. JSMap and JSSet can directly inherit HashMapImpl.
3128         Thus MapBase is unnecessary. This patch drops it.
3129         It is good because we can eliminate one indirection when accessing the map implementation.
3130         Moreover, we can drop one unnecessary allocation per Map and Set.
3131
3132         * CMakeLists.txt:
3133         * JavaScriptCore.xcodeproj/project.pbxproj:
3134         * dfg/DFGSpeculativeJIT64.cpp:
3135         (JSC::DFG::SpeculativeJIT::compile):
3136         * ftl/FTLAbstractHeapRepository.h:
3137         * ftl/FTLLowerDFGToB3.cpp:
3138         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3139         * runtime/HashMapImpl.cpp:
3140         (JSC::HashMapImpl<HashMapBucket>::estimatedSize):
3141         (JSC::getHashMapImplKeyClassInfo): Deleted.
3142         (JSC::getHashMapImplKeyValueClassInfo): Deleted.
3143         * runtime/HashMapImpl.h:
3144         (JSC::HashMapImpl::finishCreation):
3145         (JSC::HashMapImpl::get):
3146         (JSC::HashMapImpl::info): Deleted.
3147         (JSC::HashMapImpl::createStructure): Deleted.
3148         (JSC::HashMapImpl::create): Deleted.
3149         * runtime/JSMap.h:
3150         (JSC::JSMap::set):
3151         (JSC::JSMap::get): Deleted.
3152         * runtime/JSMapIterator.cpp:
3153         (JSC::JSMapIterator::finishCreation):
3154         * runtime/JSSet.h:
3155         (JSC::JSSet::add): Deleted.
3156         * runtime/JSSetIterator.cpp:
3157         (JSC::JSSetIterator::finishCreation):
3158         * runtime/MapBase.cpp: Removed.
3159         * runtime/MapBase.h: Removed.
3160         * runtime/MapPrototype.cpp:
3161         (JSC::mapProtoFuncSize):
3162         * runtime/SetConstructor.cpp:
3163         (JSC::constructSet):
3164         * runtime/SetPrototype.cpp:
3165         (JSC::setProtoFuncSize):
3166         * runtime/VM.cpp:
3167         (JSC::VM::VM):
3168
3169 2017-05-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3170
3171         [JSC] Speedup Object.assign for slow case by using propertyIsEnumerable
3172         https://bugs.webkit.org/show_bug.cgi?id=172411
3173
3174         Reviewed by Sam Weinig.
3175
3176         We use @Reflect.@getOwnPropertyDescriptor() to check
3177
3178         1. the descriptor exists,
3179         2. and the descriptor.enumerable is true
3180
3181         But Object::propertyIsEnumerable does exactly the same thing without
3182         allocating a new object for property descriptor.
3183
3184         In this patch, we add a new private function @propertyIsEnumerable, and
3185         use it in Object.assign implementation. It does not allocate unnecessary
3186         objects. It is good for GC-pressure and performance.
3187
3188         This patch improves SixSpeed object-assign.es6 by 1.7x. While this patch
3189         does not introduce a fast path for objects that do not have accessors,
3190         which could speed things up further, it can speed up the common
3191         slow path, which is the current implementation of Object.assign.
3192
3193             object-assign.es6     1103.2487+-21.5602    ^    621.8478+-34.9875       ^ definitely 1.7741x faster
3194
3195         * builtins/BuiltinNames.h:
3196         * builtins/ObjectConstructor.js:
3197         (globalPrivate.enumerableOwnProperties):
3198         (assign):
3199         * runtime/JSGlobalObject.cpp:
3200         (JSC::JSGlobalObject::init):
3201         * runtime/JSGlobalObjectFunctions.cpp:
3202         (JSC::globalFuncPropertyIsEnumerable):
3203         * runtime/JSGlobalObjectFunctions.h:
3204
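An added example, not the JSC builtin, of the two checks an Object.assign slow path can use to decide whether an own key is copied: the descriptor form the entry describes as the old implementation and the propertyIsEnumerable form it switches to. Both give the same answer, and the constructed source shows why the check must run at copy time.

```javascript
// Added example, not JSC's builtins/ObjectConstructor.js: both checks ask
// "is key still an own, enumerable property of source?", but the descriptor
// form allocates a descriptor object per key and propertyIsEnumerable does not.

// Old check: fetch the whole descriptor and inspect it.
function isCopyableViaDescriptor(source, key) {
  const desc = Reflect.getOwnPropertyDescriptor(source, key);
  return desc !== undefined && desc.enumerable === true;
}

// New check: same answer, no descriptor allocation.
const protoPropertyIsEnumerable = Object.prototype.propertyIsEnumerable;
function isCopyableViaPropertyIsEnumerable(source, key) {
  return protoPropertyIsEnumerable.call(source, key);
}

// Object.assign's general path: for each source, walk Reflect.ownKeys (string
// keys, then symbols) and copy the keys that pass the check at that moment.
function assignSlowPath(isCopyable, target, ...sources) {
  if (target === null || target === undefined) {
    throw new TypeError("Object.assign requires an object target");
  }
  const to = Object(target);
  for (const source of sources) {
    if (source === null || source === undefined) continue;
    const from = Object(source);
    for (const key of Reflect.ownKeys(from)) {
      if (isCopyable(from, key)) to[key] = from[key];
    }
  }
  return to;
}

// Constructed source: reading "a" deletes "b" from the source, "hidden" is
// non-enumerable, and a symbol-keyed property must still be copied.
const SYM = Symbol("constructed");
function makeTrickySource() {
  const source = {
    get a() { delete this.b; return 1; },
    b: 2,
  };
  Object.defineProperty(source, "hidden", { value: 3, enumerable: false });
  source[SYM] = 4;
  return source;
}

// Compare two objects by own keys (symbols included), their order and values.
function sameOwnProperties(x, y) {
  const kx = Reflect.ownKeys(x);
  const ky = Reflect.ownKeys(y);
  return kx.length === ky.length && kx.every((k, i) => k === ky[i] && x[k] === y[k]);
}

// Run both slow-path variants and the native Object.assign on fresh sources.
function compareImplementations() {
  const viaDescriptor = assignSlowPath(isCopyableViaDescriptor, {}, makeTrickySource());
  const viaEnumerable = assignSlowPath(isCopyableViaPropertyIsEnumerable, {}, makeTrickySource());
  const builtin = Object.assign({}, makeTrickySource());
  return { viaDescriptor, viaEnumerable, builtin };
}
```

All three results carry `a` and the symbol key only: `b` is gone by the time its check runs, and `hidden` fails the enumerability test.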
3205 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3206
3207         [JSC] Enable testapi on Mac CMake build
3208         https://bugs.webkit.org/show_bug.cgi?id=172354
3209
3210         Reviewed by Alex Christensen.
3211
3212         This patch makes testapi buildable and runnable for Mac CMake port.
3213
3214         * API/tests/DateTests.mm:
3215         (+[DateTests JSDateToNSDateTest]):
3216         (+[DateTests roundTripThroughJSDateTest]):
3217         This test only works with the en_US locale.
3218
3219         * shell/CMakeLists.txt:
3220         * shell/PlatformMac.cmake:
3221         Some of the tests rely on ARC. We enable ARC for those files.
3222
3223         * shell/PlatformWin.cmake:
3224         Clean up.
3225
3226 2017-05-19  Mark Lam  <mark.lam@apple.com>
3227
3228         [Re-landing] DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
3229         https://bugs.webkit.org/show_bug.cgi?id=172383
3230         <rdar://problem/31418651>
3231
3232         Reviewed by Filip Pizlo.
3233
3234         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
3235         available as a scratch register.  This assumption is wrong if this canTrample
3236         register is used for a silentFill() after an operation that returns a result in
3237         regT0 or regT1.
3238
3239         Turns out the only reason we need the canTrample register is for
3240         SetDoubleConstant.  We can remove the need for this canTrample register by
3241         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
3242         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
3243         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
3244
3245         Update for re-landing: Changed ARM64 to use scratchRegister() as well.
3246         scratchRegister() is the proper way to get the underlying dataMemoryTempRegister()
3247         as a scratch register.
3248
3249         * assembler/MacroAssembler.h:
3250         (JSC::MacroAssembler::moveDouble):
3251         * dfg/DFGArrayifySlowPathGenerator.h:
3252         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3253         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
3254         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3255         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
3256         * dfg/DFGSlowPathGenerator.h:
3257         (JSC::DFG::CallSlowPathGenerator::tearDown):
3258         * dfg/DFGSpeculativeJIT.cpp:
3259         (JSC::DFG::SpeculativeJIT::silentFill):
3260         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
3261         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3262         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3263         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
3264         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
3265         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3266         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3267         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3268         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
3269         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3270         * dfg/DFGSpeculativeJIT.h:
3271         (JSC::DFG::SpeculativeJIT::silentFill):
3272         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
3273         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
3274         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
3275         * dfg/DFGSpeculativeJIT32_64.cpp:
3276         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3277         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3278         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3279         (JSC::DFG::SpeculativeJIT::emitCall):
3280         (JSC::DFG::SpeculativeJIT::compile):
3281         * dfg/DFGSpeculativeJIT64.cpp:
3282         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3283         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3284         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3285         (JSC::DFG::SpeculativeJIT::emitCall):
3286         (JSC::DFG::SpeculativeJIT::compile):
3287         (JSC::DFG::SpeculativeJIT::convertAnyInt):
3288
3289 2017-05-19  Ryan Haddad  <ryanhaddad@apple.com>
3290
3291         Unreviewed, rolling out r217156.
3292
3293         This change broke the iOS build.
3294
3295         Reverted changeset:
3296
3297         "DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring
3298         result registers."
3299         https://bugs.webkit.org/show_bug.cgi?id=172383
3300         http://trac.webkit.org/changeset/217156
3301
3302 2017-05-19  Mark Lam  <mark.lam@apple.com>
3303
3304         Add missing exception check.
3305         https://bugs.webkit.org/show_bug.cgi?id=172346
3306         <rdar://problem/32289640>
3307
3308         Reviewed by Geoffrey Garen.
3309
3310         * runtime/JSObject.cpp:
3311         (JSC::JSObject::hasInstance):
3312
3313 2017-05-19  Mark Lam  <mark.lam@apple.com>
3314
3315         DFG::SpeculativeJIT::pickCanTrample() is wrongly ignoring result registers.
3316         https://bugs.webkit.org/show_bug.cgi?id=172383
3317         <rdar://problem/31418651>
3318
3319         Reviewed by Filip Pizlo.
3320
3321         pickCanTrample() is wrongly assuming that one of regT0 and regT1 is always
3322         available as a scratch register.  This assumption is wrong if this canTrample
3323         register is used for a silentFill() after an operation that returns a result in
3324         regT0 or regT1.
3325
3326         Turns out the only reason we need the canTrample register is for
3327         SetDoubleConstant.  We can remove the need for this canTrample register by
3328         introducing a moveDouble() pseudo instruction in the MacroAssembler to do the
3329         job using the scratchRegister() on X86_64 or the dataMemoryTempRegister() on
3330         ARM64.  In so doing, we can simplify the silentFill() code and eliminate the bug.
3331
3332         * assembler/MacroAssembler.h:
3333         (JSC::MacroAssembler::moveDouble):
3334         * dfg/DFGArrayifySlowPathGenerator.h:
3335         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3336         (JSC::DFG::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator::CallArrayAllocatorWithVariableStructureVariableSizeSlowPathGenerator):
3337         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3338         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
3339         * dfg/DFGSlowPathGenerator.h:
3340         (JSC::DFG::CallSlowPathGenerator::tearDown):
3341         * dfg/DFGSpeculativeJIT.cpp:
3342         (JSC::DFG::SpeculativeJIT::silentFill):
3343         (JSC::DFG::SpeculativeJIT::compileToLowerCase):
3344         (JSC::DFG::SpeculativeJIT::compileValueToInt32):
3345         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
3346         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
3347         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
3348         (JSC::DFG::SpeculativeJIT::compileArithDiv):
3349         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3350         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
3351         (JSC::DFG::SpeculativeJIT::emitSwitchStringOnString):
3352         (JSC::DFG::SpeculativeJIT::compileStoreBarrier):
3353         * dfg/DFGSpeculativeJIT.h:
3354         (JSC::DFG::SpeculativeJIT::silentFill):
3355         (JSC::DFG::SpeculativeJIT::silentSpillAllRegisters):
3356         (JSC::DFG::SpeculativeJIT::silentFillAllRegisters):
3357         (JSC::DFG::SpeculativeJIT::pickCanTrample): Deleted.
3358         * dfg/DFGSpeculativeJIT32_64.cpp:
3359         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3360         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3361         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3362         (JSC::DFG::SpeculativeJIT::emitCall):
3363         (JSC::DFG::SpeculativeJIT::compile):
3364         * dfg/DFGSpeculativeJIT64.cpp:
3365         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeBranch):
3366         (JSC::DFG::SpeculativeJIT::nonSpeculativePeepholeStrictEq):
3367         (JSC::DFG::SpeculativeJIT::nonSpeculativeNonPeepholeStrictEq):
3368         (JSC::DFG::SpeculativeJIT::emitCall):
3369         (JSC::DFG::SpeculativeJIT::compile):
3370         (JSC::DFG::SpeculativeJIT::convertAnyInt):
3371
3372 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
3373
3374         Deduplicate some code in arrayProtoPrivateFuncConcatMemcpy
3375         https://bugs.webkit.org/show_bug.cgi?id=172382
3376
3377         Reviewed by Saam Barati.
3378         
3379         This is just a small clean-up - my last patch here created some unnecessary code duplication.
3380
3381         * runtime/ArrayPrototype.cpp:
3382         (JSC::arrayProtoPrivateFuncConcatMemcpy):
3383
3384 2017-05-19  Filip Pizlo  <fpizlo@apple.com>
3385
3386         arrayProtoPrivateFuncConcatMemcpy needs to be down with firstArray being undecided
3387         https://bugs.webkit.org/show_bug.cgi?id=172369
3388
3389         Reviewed by Mark Lam.
3390
3391         * heap/Subspace.cpp: Reshaped the code a bit to aid debugging.
3392         (JSC::Subspace::allocate):
3393         (JSC::Subspace::tryAllocate):
3394         * runtime/ArrayPrototype.cpp:
3395         (JSC::arrayProtoPrivateFuncConcatMemcpy): Fix the bug!
3396         * runtime/ObjectInitializationScope.cpp: Provide even better feedback.
3397         (JSC::ObjectInitializationScope::verifyPropertiesAreInitialized):
3398
3399 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
3400
3401         B3::Value::effects() says that having a fence range implies the fence bit, but on x86_64 we lower loadAcq/storeRel to load/store so the store-before-load fence bit orderings won't be honored
3402         https://bugs.webkit.org/show_bug.cgi?id=172306
3403
3404         Reviewed by Michael Saboff.
3405         
3406         This changes B3 to emit xchg and its variants for fenced stores on x86. This ensures that
3407         fenced stores cannot be reordered around other fenced instructions. Previously, B3 emitted
3408         normal store instructions for fenced stores. That's wrong because then you get reorderings
3409         that are possible in TSO but impossible in SC. Fenced instructions are supposed to be SC
3410         with respect to each other.
3411         
3412         This is imprecise. If you really just wanted a store-release, then every X86 store does this.
3413         But, in B3, fenced stores are ARM-style store-release, meaning that they are fenced with
3414         respect to all other fences. If we ever did want to say that something is a store release in
3415         the traditional sense, then we'd want MemoryValue to have a fence flag. Then, having a fence
3416         range without the fence flag would mean the traditional store-release, which lowers to a
3417         normal store on x86. But to my knowledge, that traditional store-release is only useful for
3418         unlocking spinlocks. We don't use spinlocks in JSC. Adaptive locks require CAS for unlock,
3419         and B3 CAS is plenty fast. I think it's OK to have this small imprecision of giving clients
3420         an ARM-style store-release on x86 using xchg.
3421         
3422         The implication of this change is that the FTL no longer violates the SAB memory model.
3423
3424         * assembler/MacroAssemblerX86Common.h:
3425         (JSC::MacroAssemblerX86Common::xchg8):
3426         (JSC::MacroAssemblerX86Common::xchg16):
3427         (JSC::MacroAssemblerX86Common::xchg32):
3428         (JSC::MacroAssemblerX86Common::loadAcq8): Deleted.
3429         (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32): Deleted.
3430         (JSC::MacroAssemblerX86Common::loadAcq16): Deleted.
3431         (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32): Deleted.
3432         (JSC::MacroAssemblerX86Common::loadAcq32): Deleted.
3433         (JSC::MacroAssemblerX86Common::storeRel8): Deleted.
3434         (JSC::MacroAssemblerX86Common::storeRel16): Deleted.
3435         (JSC::MacroAssemblerX86Common::storeRel32): Deleted.
3436         * assembler/MacroAssemblerX86_64.h:
3437         (JSC::MacroAssemblerX86_64::xchg64):
3438         (JSC::MacroAssemblerX86_64::loadAcq64): Deleted.
3439         (JSC::MacroAssemblerX86_64::storeRel64): Deleted.
3440         * b3/B3LowerToAir.cpp:
3441         (JSC::B3::Air::LowerToAir::ArgPromise::inst):
3442         (JSC::B3::Air::LowerToAir::trappingInst):
3443         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
3444         (JSC::B3::Air::LowerToAir::createStore):
3445         (JSC::B3::Air::LowerToAir::storeOpcode):
3446         (JSC::B3::Air::LowerToAir::appendStore):
3447         (JSC::B3::Air::LowerToAir::append):
3448         (JSC::B3::Air::LowerToAir::appendTrapping):
3449         (JSC::B3::Air::LowerToAir::fillStackmap):
3450         (JSC::B3::Air::LowerToAir::lower):
3451         * b3/air/AirKind.cpp:
3452         (JSC::B3::Air::Kind::dump):
3453         * b3/air/AirKind.h:
3454         (JSC::B3::Air::Kind::Kind):
3455         (JSC::B3::Air::Kind::operator==):
3456         (JSC::B3::Air::Kind::hash):
3457         * b3/air/AirLowerAfterRegAlloc.cpp:
3458         (JSC::B3::Air::lowerAfterRegAlloc):
3459         * b3/air/AirLowerMacros.cpp:
3460         (JSC::B3::Air::lowerMacros):
3461         * b3/air/AirOpcode.opcodes:
3462         * b3/air/AirValidate.cpp:
3463         * b3/air/opcode_generator.rb:
3464         * b3/testb3.cpp:
3465         (JSC::B3::correctSqrt):
3466         (JSC::B3::testSqrtArg):
3467         (JSC::B3::testSqrtImm):
3468         (JSC::B3::testSqrtMem):
3469         (JSC::B3::testSqrtArgWithUselessDoubleConversion):
3470         (JSC::B3::testSqrtArgWithEffectfulDoubleConversion):
3471         (JSC::B3::testStoreRelAddLoadAcq32):
3472         (JSC::B3::testTrappingLoad):
3473         (JSC::B3::testTrappingStore):
3474         (JSC::B3::testTrappingLoadAddStore):
3475         (JSC::B3::testTrappingLoadDCE):
3476
3477 2017-05-19  Don Olmstead  <don.olmstead@am.sony.com>
3478
3479         [JSC] Remove PLATFORM(WIN) references
3480         https://bugs.webkit.org/show_bug.cgi?id=172294
3481
3482         Reviewed by Yusuke Suzuki.
3483
3484         * heap/MachineStackMarker.cpp:
3485         (JSC::MachineThreads::removeThread):
3486         * llint/LLIntOfflineAsmConfig.h:
3487         * runtime/ConfigFile.h:
3488         * runtime/VM.cpp:
3489         (JSC::VM::updateStackLimits):
3490
3491 2017-05-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3492
3493         [JSC][DFG][DOMJIT] Extend CheckDOM to CheckSubClass
3494         https://bugs.webkit.org/show_bug.cgi?id=172098
3495
3496         Reviewed by Saam Barati.
3497
3498         In this patch, we generalize CheckDOM to CheckSubClass.
3499         It can accept any ClassInfo and perform a ClassInfo check
3500         in DFG / FTL. Now, we add a new function pointer to ClassInfo,
3501         checkSubClassPatchpoint. It can create a DOMJIT patchpoint
3502         for that ClassInfo. It is natural that ClassInfo holds the
3503         way to emit DOMJIT::Patchpoint to perform CheckSubClass
3504         rather than having it in each DOMJIT getter / function
3505         signature annotation.
3506
3507         One problem is that it enlarges the size of ClassInfo.
3508         But this is the best place to put this function pointer.
3509         By doing so, we can add a patchpoint for CheckSubClass
3510         in a non-intrusive manner: WebCore can inject patchpoints
3511         without interacting with JSC.
3512
3513         We still have a way to reduce the size of ClassInfo if
3514         we move ArrayBuffer-related methods out to other places.
3515
3516         This patch touches many files because we add a new function
3517         pointer to ClassInfo. But they are basically mechanical changes.
3518
3519         * API/JSAPIWrapperObject.mm:
3520         * API/JSCallbackConstructor.cpp:
3521         * API/JSCallbackFunction.cpp:
3522         * API/JSCallbackObject.cpp:
3523         * API/ObjCCallbackFunction.mm:
3524         * CMakeLists.txt:
3525         * JavaScriptCore.xcodeproj/project.pbxproj:
3526         * bytecode/CodeBlock.cpp:
3527         * bytecode/DOMJITAccessCasePatchpointParams.h:
3528         (JSC::DOMJITAccessCasePatchpointParams::DOMJITAccessCasePatchpointParams):
3529         * bytecode/EvalCodeBlock.cpp:
3530         * bytecode/FunctionCodeBlock.cpp:
3531         * bytecode/GetterSetterAccessCase.cpp:
3532         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3533         * bytecode/ModuleProgramCodeBlock.cpp:
3534         * bytecode/ProgramCodeBlock.cpp:
3535         * bytecode/UnlinkedCodeBlock.cpp:
3536         * bytecode/UnlinkedEvalCodeBlock.cpp:
3537         * bytecode/UnlinkedFunctionCodeBlock.cpp:
3538         * bytecode/UnlinkedFunctionExecutable.cpp:
3539         * bytecode/UnlinkedModuleProgramCodeBlock.cpp:
3540         * bytecode/UnlinkedProgramCodeBlock.cpp:
3541         * debugger/DebuggerScope.cpp:
3542         * dfg/DFGAbstractInterpreterInlines.h:
3543         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3544         * dfg/DFGByteCodeParser.cpp:
3545         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3546         * dfg/DFGClobberize.h:
3547         (JSC::DFG::clobberize):
3548         * dfg/DFGConstantFoldingPhase.cpp:
3549         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3550         * dfg/DFGDOMJITPatchpointParams.h:
3551         (JSC::DFG::DOMJITPatchpointParams::DOMJITPatchpointParams):
3552         * dfg/DFGDoesGC.cpp:
3553         (JSC::DFG::doesGC):
3554         * dfg/DFGFixupPhase.cpp:
3555         (JSC::DFG::FixupPhase::fixupNode):
3556         (JSC::DFG::FixupPhase::attemptToMakeCallDOM):
3557         (JSC::DFG::FixupPhase::fixupCheckSubClass):
3558         (JSC::DFG::FixupPhase::fixupCheckDOM): Deleted.
3559         * dfg/DFGGraph.cpp:
3560         (JSC::DFG::Graph::dump):
3561         * dfg/DFGNode.h:
3562         (JSC::DFG::Node::hasClassInfo):
3563         (JSC::DFG::Node::classInfo):
3564         (JSC::DFG::Node::hasCheckDOMPatchpoint): Deleted.
3565         (JSC::DFG::Node::checkDOMPatchpoint): Deleted.
3566         * dfg/DFGNodeType.h:
3567         * dfg/DFGPredictionPropagationPhase.cpp:
3568         * dfg/DFGSafeToExecute.h:
3569         (JSC::DFG::safeToExecute):
3570         * dfg/DFGSpeculativeJIT.cpp:
3571         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3572         (JSC::DFG::SpeculativeJIT::compileCheckDOM): Deleted.
3573         * dfg/DFGSpeculativeJIT.h:
3574         (JSC::DFG::SpeculativeJIT::vm):
3575         * dfg/DFGSpeculativeJIT32_64.cpp:
3576         (JSC::DFG::SpeculativeJIT::compile):
3577         * dfg/DFGSpeculativeJIT64.cpp:
3578         (JSC::DFG::SpeculativeJIT::compile):
3579         * domjit/DOMJITGetterSetter.h:
3580         * domjit/DOMJITPatchpointParams.h:
3581         (JSC::DOMJIT::PatchpointParams::PatchpointParams):
3582         (JSC::DOMJIT::PatchpointParams::vm):
3583         * domjit/DOMJITSignature.h:
3584         (JSC::DOMJIT::Signature::Signature):
3585         (JSC::DOMJIT::Signature::checkDOM): Deleted.
3586         * ftl/FTLAbstractHeapRepository.h:
3587         * ftl/FTLCapabilities.cpp:
3588         (JSC::FTL::canCompile):
3589         * ftl/FTLDOMJITPatchpointParams.h:
3590         (JSC::FTL::DOMJITPatchpointParams::DOMJITPatchpointParams):
3591         * ftl/FTLLowerDFGToB3.cpp:
3592         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3593         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3594         (JSC::FTL::DFG::LowerDFGToB3::compileCheckDOM): Deleted.
3595         * inspector/JSInjectedScriptHost.cpp:
3596         * inspector/JSInjectedScriptHostPrototype.cpp:
3597         * inspector/JSJavaScriptCallFrame.cpp:
3598         * inspector/JSJavaScriptCallFramePrototype.cpp:
3599         * jsc.cpp:
3600         (WTF::DOMJITNode::checkSubClassPatchpoint):
3601         (WTF::DOMJITFunctionObject::checkSubClassPatchpoint):
3602         (WTF::DOMJITFunctionObject::finishCreation):
3603         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
3604         (WTF::DOMJITCheckSubClassObject::createStructure):
3605         (WTF::DOMJITCheckSubClassObject::create):
3606         (WTF::DOMJITCheckSubClassObject::safeFunction):
3607         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
3608         (WTF::DOMJITCheckSubClassObject::finishCreation):
3609         (GlobalObject::finishCreation):
3610         (functionCreateDOMJITCheckSubClassObject):
3611         (WTF::DOMJITNode::checkDOMJITNode): Deleted.
3612         (WTF::DOMJITFunctionObject::checkDOMJITNode): Deleted.
3613         * runtime/AbstractModuleRecord.cpp:
3614         * runtime/ArrayBufferNeuteringWatchpoint.cpp:
3615         * runtime/ArrayConstructor.cpp:
3616         * runtime/ArrayIteratorPrototype.cpp:
3617         * runtime/ArrayPrototype.cpp:
3618         * runtime/AsyncFunctionConstructor.cpp:
3619         * runtime/AsyncFunctionPrototype.cpp:
3620         * runtime/AtomicsObject.cpp:
3621         * runtime/BooleanConstructor.cpp:
3622         * runtime/BooleanObject.cpp:
3623         * runtime/BooleanPrototype.cpp:
3624         * runtime/ClassInfo.cpp: Copied from Source/JavaScriptCore/tools/JSDollarVM.cpp.
3625         (JSC::ClassInfo::dump):
3626         * runtime/ClassInfo.h:
3627         (JSC::ClassInfo::offsetOfParentClass):
3628         * runtime/ClonedArguments.cpp:
3629         * runtime/ConsoleObject.cpp:
3630         * runtime/CustomGetterSetter.cpp:
3631         * runtime/DateConstructor.cpp:
3632         * runtime/DateInstance.cpp:
3633         * runtime/DatePrototype.cpp:
3634         * runtime/DirectArguments.cpp:
3635         * runtime/Error.cpp:
3636         * runtime/ErrorConstructor.cpp:
3637         * runtime/ErrorInstance.cpp:
3638         * runtime/ErrorPrototype.cpp:
3639         * runtime/EvalExecutable.cpp:
3640         * runtime/Exception.cpp:
3641         * runtime/ExceptionHelpers.cpp:
3642         * runtime/ExecutableBase.cpp:
3643         * runtime/FunctionConstructor.cpp:
3644         * runtime/FunctionExecutable.cpp:
3645         * runtime/FunctionPrototype.cpp:
3646         * runtime/FunctionRareData.cpp:
3647         * runtime/GeneratorFunctionConstructor.cpp:
3648         * runtime/GeneratorFunctionPrototype.cpp:
3649         * runtime/GeneratorPrototype.cpp:
3650         * runtime/GetterSetter.cpp:
3651         * runtime/HashMapImpl.cpp:
3652         * runtime/HashMapImpl.h:
3653         * runtime/InferredType.cpp:
3654         (JSC::InferredType::create):
3655         * runtime/InferredTypeTable.cpp:
3656         * runtime/InferredValue.cpp:
3657         * runtime/InspectorInstrumentationObject.cpp:
3658         * runtime/InternalFunction.cpp:
3659         * runtime/IntlCollator.cpp:
3660         * runtime/IntlCollatorConstructor.cpp:
3661         * runtime/IntlCollatorPrototype.cpp:
3662         * runtime/IntlDateTimeFormat.cpp:
3663         * runtime/IntlDateTimeFormatConstructor.cpp:
3664         * runtime/IntlDateTimeFormatPrototype.cpp:
3665         * runtime/IntlNumberFormat.cpp:
3666         * runtime/IntlNumberFormatConstructor.cpp:
3667         * runtime/IntlNumberFormatPrototype.cpp:
3668         * runtime/IntlObject.cpp:
3669         * runtime/IteratorPrototype.cpp:
3670         * runtime/JSAPIValueWrapper.cpp:
3671         * runtime/JSArray.cpp:
3672         * runtime/JSArrayBuffer.cpp:
3673         * runtime/JSArrayBufferConstructor.cpp:
3674         * runtime/JSArrayBufferPrototype.cpp:
3675         * runtime/JSArrayBufferView.cpp:
3676         * runtime/JSAsyncFunction.cpp:
3677         * runtime/JSBoundFunction.cpp:
3678         * runtime/JSCallee.cpp:
3679         * runtime/JSCustomGetterSetterFunction.cpp:
3680         * runtime/JSDataView.cpp:
3681         * runtime/JSDataViewPrototype.cpp:
3682         * runtime/JSEnvironmentRecord.cpp:
3683         * runtime/JSFixedArray.cpp:
3684         * runtime/JSFunction.cpp:
3685         * runtime/JSGeneratorFunction.cpp:
3686         * runtime/JSGlobalLexicalEnvironment.cpp:
3687         * runtime/JSGlobalObject.cpp:
3688         * runtime/JSInternalPromise.cpp:
3689         * runtime/JSInternalPromiseConstructor.cpp:
3690         * runtime/JSInternalPromiseDeferred.cpp:
3691         * runtime/JSInternalPromisePrototype.cpp:
3692         * runtime/JSLexicalEnvironment.cpp:
3693         * runtime/JSMap.cpp:
3694         * runtime/JSMapIterator.cpp:
3695         * runtime/JSModuleEnvironment.cpp:
3696         * runtime/JSModuleLoader.cpp:
3697         * runtime/JSModuleNamespaceObject.cpp:
3698         * runtime/JSModuleRecord.cpp:
3699         * runtime/JSNativeStdFunction.cpp:
3700         * runtime/JSONObject.cpp:
3701         * runtime/JSObject.cpp:
3702         * runtime/JSPromise.cpp:
3703         * runtime/JSPromiseConstructor.cpp:
3704         * runtime/JSPromiseDeferred.cpp:
3705         * runtime/JSPromisePrototype.cpp:
3706         * runtime/JSPropertyNameEnumerator.cpp:
3707         * runtime/JSPropertyNameIterator.cpp:
3708         * runtime/JSProxy.cpp:
3709         * runtime/JSScriptFetcher.cpp:
3710         * runtime/JSSet.cpp:
3711         * runtime/JSSetIterator.cpp:
3712         * runtime/JSSourceCode.cpp:
3713         * runtime/JSString.cpp:
3714         * runtime/JSStringIterator.cpp:
3715         * runtime/JSSymbolTableObject.cpp:
3716         * runtime/JSTemplateRegistryKey.cpp:
3717         * runtime/JSTypedArrayConstructors.cpp:
3718         * runtime/JSTypedArrayPrototypes.cpp:
3719         * runtime/JSTypedArrayViewConstructor.cpp:
3720         * runtime/JSTypedArrays.cpp:
3721         * runtime/JSWeakMap.cpp:
3722         * runtime/JSWeakSet.cpp:
3723         * runtime/JSWithScope.cpp:
3724         * runtime/MapConstructor.cpp:
3725         * runtime/MapIteratorPrototype.cpp:
3726         * runtime/MapPrototype.cpp:
3727         * runtime/MathObject.cpp:
3728         * runtime/ModuleLoaderPrototype.cpp:
3729         * runtime/ModuleProgramExecutable.cpp:
3730         * runtime/NativeErrorConstructor.cpp:
3731         * runtime/NativeExecutable.cpp:
3732         * runtime/NativeStdFunctionCell.cpp:
3733         * runtime/NullGetterFunction.cpp:
3734         * runtime/NullSetterFunction.cpp:
3735         * runtime/NumberConstructor.cpp:
3736         * runtime/NumberObject.cpp:
3737         * runtime/NumberPrototype.cpp:
3738         * runtime/ObjectConstructor.cpp:
3739         * runtime/ObjectPrototype.cpp:
3740         * runtime/ProgramExecutable.cpp:
3741         * runtime/PropertyTable.cpp:
3742         * runtime/ProxyConstructor.cpp:
3743         * runtime/ProxyObject.cpp:
3744         * runtime/ProxyRevoke.cpp:
3745         * runtime/ReflectObject.cpp:
3746         * runtime/RegExp.cpp:
3747         * runtime/RegExpConstructor.cpp:
3748         * runtime/RegExpObject.cpp:
3749         * runtime/RegExpPrototype.cpp:
3750         * runtime/ScopedArguments.cpp:
3751         * runtime/ScopedArgumentsTable.cpp:
3752         * runtime/ScriptExecutable.cpp:
3753         * runtime/SetConstructor.cpp:
3754         * runtime/SetIteratorPrototype.cpp:
3755         * runtime/SetPrototype.cpp:
3756         * runtime/SparseArrayValueMap.cpp:
3757         * runtime/StrictEvalActivation.cpp:
3758         * runtime/StringConstructor.cpp:
3759         * runtime/StringIteratorPrototype.cpp:
3760         * runtime/StringObject.cpp:
3761         * runtime/StringPrototype.cpp:
3762         * runtime/Structure.cpp:
3763         * runtime/StructureChain.cpp:
3764         * runtime/StructureRareData.cpp:
3765         * runtime/Symbol.cpp:
3766         * runtime/SymbolConstructor.cpp:
3767         * runtime/SymbolObject.cpp:
3768         * runtime/SymbolPrototype.cpp:
3769         * runtime/SymbolTable.cpp:
3770         * runtime/WeakMapConstructor.cpp:
3771         * runtime/WeakMapData.cpp:
3772         * runtime/WeakMapPrototype.cpp:
3773         * runtime/WeakSetConstructor.cpp:
3774         * runtime/WeakSetPrototype.cpp:
3775         * testRegExp.cpp:
3776         * tools/JSDollarVM.cpp:
3777         * tools/JSDollarVMPrototype.cpp:
3778         * wasm/JSWebAssembly.cpp:
3779         * wasm/js/JSWebAssemblyCodeBlock.cpp:
3780         * wasm/js/JSWebAssemblyCompileError.cpp:
3781         * wasm/js/JSWebAssemblyInstance.cpp:
3782         * wasm/js/JSWebAssemblyLinkError.cpp:
3783         * wasm/js/JSWebAssemblyMemory.cpp:
3784         * wasm/js/JSWebAssemblyModule.cpp:
3785         * wasm/js/JSWebAssemblyRuntimeError.cpp:
3786         * wasm/js/JSWebAssemblyTable.cpp:
3787         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
3788         * wasm/js/WebAssemblyCompileErrorPrototype.cpp:
3789         * wasm/js/WebAssemblyFunction.cpp:
3790         * wasm/js/WebAssemblyFunctionBase.cpp:
3791         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3792         * wasm/js/WebAssemblyInstancePrototype.cpp:
3793         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
3794         * wasm/js/WebAssemblyLinkErrorPrototype.cpp:
3795         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3796         * wasm/js/WebAssemblyMemoryPrototype.cpp:
3797         * wasm/js/WebAssemblyModuleConstructor.cpp:
3798         * wasm/js/WebAssemblyModulePrototype.cpp:
3799         * wasm/js/WebAssemblyModuleRecord.cpp:
3800         * wasm/js/WebAssemblyPrototype.cpp:
3801         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
3802         * wasm/js/WebAssemblyRuntimeErrorPrototype.cpp:
3803         * wasm/js/WebAssemblyTableConstructor.cpp:
3804         * wasm/js/WebAssemblyTablePrototype.cpp:
3805         * wasm/js/WebAssemblyToJSCallee.cpp:
3806         * wasm/js/WebAssemblyWrapperFunction.cpp:
3807
3808 2017-05-18  JF Bastien  <jfbastien@apple.com>
3809
3810         WebAssembly: exports is a getter
3811         https://bugs.webkit.org/show_bug.cgi?id=172129
3812
3813         Reviewed by Saam Barati.
3814
3815         As updated here: https://github.com/WebAssembly/design/pull/1062
3816
3817         * wasm/js/JSWebAssemblyInstance.cpp:
3818         (JSC::JSWebAssemblyInstance::finishCreation): don't putDirect here anymore
3819         * wasm/js/JSWebAssemblyInstance.h:
3820         (JSC::JSWebAssemblyInstance::moduleNamespaceObject): add accessor
3821         * wasm/js/WebAssemblyFunctionBase.cpp: squelch causing a warning
3822         * wasm/js/WebAssemblyInstancePrototype.cpp: use LUT
3823         (JSC::getInstance): helper, as in surrounding files
3824         (JSC::webAssemblyInstanceProtoFuncExports): instead of putDirect
3825         * wasm/js/WebAssemblyMemoryPrototype.cpp: pass VM around as for Table
3826         (JSC::getMemory):
3827         (JSC::webAssemblyMemoryProtoFuncGrow):
3828         (JSC::webAssemblyMemoryProtoFuncBuffer):
3829         * wasm/js/WebAssemblyTablePrototype.cpp: static everywhere as with other code
3830         (JSC::webAssemblyTableProtoFuncLength):
3831         (JSC::webAssemblyTableProtoFuncGrow):
3832         (JSC::webAssemblyTableProtoFuncGet):
3833         (JSC::webAssemblyTableProtoFuncSet):
3834
3835 2017-05-18  Saam Barati  <sbarati@apple.com>
3836
3837         Proxy's [[Get]] passes incorrect receiver
3838         https://bugs.webkit.org/show_bug.cgi?id=164849
3839         <rdar://problem/31767058>
3840
3841         Reviewed by Yusuke Suzuki.
3842
3843         * runtime/ProxyObject.cpp:
3844         (JSC::performProxyGet):
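
        The receiver contract this entry is about, shown as an added example
        (not part of the ChangeLog and not WebKit code). Per ECMAScript, a
        proxy's [[Get]] hands the receiver it was invoked with to the `get`
        trap unchanged and, when there is no trap, forwards it to the target's
        [[Get]], so a getter on the target sees the object the lookup started
        from. The function names below are constructed for the example.

```javascript
// Added example (not WebKit code): the receiver a Proxy [[Get]] must forward.
// When the proxy sits on an object's prototype chain, the receiver is that
// object, not the proxy and not the proxy's target.

// A proxy whose trap records the receiver it was handed for each lookup.
function observeReceiver() {
  const seen = [];
  const proxy = new Proxy({}, {
    get(target, key, receiver) {
      seen.push({ key, receiver });
      return undefined;
    },
  });
  const child = Object.create(proxy); // proxy is now child's prototype
  proxy.direct;                       // lookup starts at the proxy itself
  child.inherited;                    // lookup starts at child, reaches the proxy
  return { proxy, child, seen };
}

// With no `get` trap, the receiver is forwarded to target.[[Get]], so an
// accessor defined on the target observes the original receiver as `this`.
function getterThroughProxy() {
  const target = {
    get whoAmI() { return this; },
  };
  const proxy = new Proxy(target, {});
  const child = Object.create(proxy);
  Object.defineProperty(child, 'tag', { value: 'child' });
  return {
    viaProxy: proxy.whoAmI === proxy,  // receiver is the proxy
    viaChild: child.whoAmI === child,  // receiver is child, not proxy or target
    tagSeen: child.whoAmI.tag,         // the getter's `this` carries child's data
  };
}
```

        An engine that substituted the proxy or its target for the receiver
        would make `child.whoAmI === child` false, which is the class of
        mismatch a test for this fix should exercise.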
3845
3846 2017-05-18  Andy Estes  <aestes@apple.com>
3847
3848         ENABLE(APPLE_PAY_DELEGATE) should be NO on macOS Sierra and earlier
3849         https://bugs.webkit.org/show_bug.cgi?id=172305
3850
3851         Reviewed by Anders Carlsson.
3852
3853         * Configurations/FeatureDefines.xcconfig:
3854
3855 2017-05-18  Saam Barati  <sbarati@apple.com>
3856
3857         We need to destroy worker threads in jsc.cpp
3858         https://bugs.webkit.org/show_bug.cgi?id=170751
3859         <rdar://problem/31800412>
3860
3861         Reviewed by Filip Pizlo.
3862
3863         This patch fixes a bug where a $ agent worker would still
3864         have compilation threads running after the thread the worker
3865         was created on dies. This manifested itself inside DFG AI where
3866         we would notice a string constant is atomic, then the worker
3867         thread would die, destroying its atomic string table, then
3868         we'd notice the same string is no longer atomic, and we'd crash
3869         because we'd fail to see the same speculated type for the same
3870         JSValue.
3871         
3872         This patch makes it so that $ agent workers destroy their VM when
3873         they're done executing. Before a VM gets destroyed, it ensures that
3874         all its compilation threads finish.
3875
3876         * jsc.cpp:
3877         (functionDollarAgentStart):
3878         (runJSC):
3879         (jscmain):
3880
3881 2017-05-18  Michael Saboff  <msaboff@apple.com>
3882
3883         Add FTL whitelist debugging option
3884         https://bugs.webkit.org/show_bug.cgi?id=172321
3885
3886         Reviewed by Saam Barati.
3887
3888         * dfg/DFGTierUpCheckInjectionPhase.cpp:
3889         (JSC::DFG::ensureGlobalFTLWhitelist):
3890         (JSC::DFG::TierUpCheckInjectionPhase::run):
3891         * runtime/Options.h:
3892         * tools/FunctionWhitelist.cpp:
3893         (JSC::FunctionWhitelist::contains):
3894
3895 2017-05-18  Filip Pizlo  <fpizlo@apple.com>
3896
3897         Constructor calls set this too early
3898         https://bugs.webkit.org/show_bug.cgi?id=172302
3899
3900         Reviewed by Saam Barati.
3901         
3902         We were setting this before evaluating the arguments, so this code:
3903         
3904             var x = 42;
3905             new x(x = function() { });
3906         
3907         would crash because we would pass 42 as this, and create_this would treat it as a cell.
3908         Dereferencing a non-cell is guaranteed to crash.
3909
3910         * bytecompiler/BytecodeGenerator.cpp:
3911         (JSC::BytecodeGenerator::emitConstruct):
3912         * bytecompiler/BytecodeGenerator.h:
3913         * bytecompiler/NodesCodegen.cpp:
3914         (JSC::NewExprNode::emitBytecode):
3915         (JSC::FunctionCallValueNode::emitBytecode):
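
        The evaluation order that `new` must honour, as an added example (not
        part of the ChangeLog and not WebKit code): the constructor expression
        is read first, then the argument list, and only then is the value
        checked and constructed, so an argument that overwrites the callee's
        binding neither changes what gets constructed nor, in the non-callable
        case from the entry, skips the TypeError. Function names are
        constructed for the example.

```javascript
// Added example (not WebKit code): `new` reads the callee before evaluating
// arguments, and the construct step must use that already-read value.

// The argument expression reassigns `x`, but `new` already read the original
// callee, so Original is what runs and what the result's prototype comes from.
function constructsOriginalCallee() {
  const calls = [];
  let x = function Original(arg) { calls.push(['Original', arg]); };
  const obj = new x(x = function Replacement() { calls.push(['Replacement']); });
  return {
    constructedBy: obj.constructor.name, // 'Original'
    xNowIs: x.name,                      // 'Replacement': the argument ran
    calls,
  };
}

// The case from the entry: the callee evaluates to a non-object (42) and the
// argument then replaces the binding. A correct engine still evaluates the
// argument, then throws TypeError instead of treating 42 as an object.
function nonConstructorCallee() {
  let x = 42;
  let error = null;
  try {
    new x(x = function () {}); // callee already read as 42; argument reassigns x
  } catch (e) {
    error = e.constructor.name;
  }
  return { error, xAfter: typeof x };
}
```

        The second function is the regression shape to keep in a test suite:
        a wrong engine either constructs the replacement (wrong callee) or
        crashes on the non-object callee rather than reaching the TypeError.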
3916
3917 2017-05-18  Saam Barati  <sbarati@apple.com>
3918
3919         WebAssembly: perform stack checks
3920         https://bugs.webkit.org/show_bug.cgi?id=165546
3921         <rdar://problem/29760307>
3922
3923         Reviewed by Filip Pizlo.
3924
3925         This patch adds stack checks to wasm. It implements it by storing the stack
3926         bounds on the Context.
3927         
3928         Stack checking works as normal, except we do a small optimization for terminal
3929         nodes in the call tree (nodes that don't make any calls). These nodes will
3930         only do a stack check if their frame size is beyond 1024 bytes. Otherwise,
3931         it's assumed the parent that called them did their stack check for them.
3932         This is because all things that make calls make sure to do an extra 1024
3933         bytes whenever doing a stack check.
3934         
3935         We also take into account stack size for potential JS calls when doing
3936         stack checks since our JS stubs don't do this on their own. Each frame
3937         will ensure it does a stack check large enough for any potential JS call
3938         stubs it'll execute.
3939         
3940         Surprisingly, this patch is neutral on WasmBench and TitzerBench.
3941
3942         * llint/LLIntData.cpp:
3943         (JSC::LLInt::Data::performAssertions):
3944         * llint/LowLevelInterpreter.asm:
3945         * runtime/Error.cpp:
3946         (JSC::createRangeError):
3947         (JSC::addErrorInfoAndGetBytecodeOffset):
3948         I fixed a bug here where we assumed that the first frame that has line
3949         and column info would be in our stack trace. This is not correct
3950         since we limit our stack trace size. If everything in our limited
3951         size stack trace is Wasm, then we won't have any frames with line
3952         and column info.
3953         * runtime/Error.h:
3954         * runtime/ExceptionHelpers.cpp:
3955         (JSC::createStackOverflowError):
3956         * runtime/ExceptionHelpers.h:
3957         * runtime/JSGlobalObject.cpp:
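
        A model of the leaf-frame stack-check policy described in this entry,
        as an added example (not part of the ChangeLog and not WebKit code).
        It shows why a leaf may skip its check only when it fits in the extra
        1024 bytes every calling frame includes in its own check, and what
        goes wrong under a policy that lets every leaf skip. The call tree,
        frame sizes, JS-stub sizes and stack bounds are constructed for the
        example; only the 1024-byte figure comes from the entry.

```javascript
// Added example (not WebKit code): simulate the stack-check policy on a
// constructed call tree. sp grows downward from stackTop toward limit.

const SLACK = 1024; // extra bytes every frame that makes calls adds to its check

// Bytes a frame must prove are free before it runs, or 0 for "no check".
// Frames that make calls check their own size plus SLACK (so a small callee
// can skip its check) plus the stack any JS-call stub they execute will need.
// A leaf checks only when it is bigger than the SLACK its caller reserved.
function checkRequirement(frame) {
  const makesCalls = frame.callees.length > 0 || frame.jsStubBytes > 0;
  if (makesCalls) return frame.size + SLACK + frame.jsStubBytes;
  return frame.size > SLACK ? frame.size : 0;
}

// A policy that never checks leaves, whatever their size, to show why the
// threshold in checkRequirement matters.
function naiveLeafPolicy(frame) {
  const makesCalls = frame.callees.length > 0 || frame.jsStubBytes > 0;
  return makesCalls ? frame.size + SLACK + frame.jsStubBytes : 0;
}

// Walk the tree as the machine would. A failing check returns the frame name
// as `trapped` (the graceful stack-overflow error path). Crossing `limit`
// without a check is the unsound case the policy must rule out; the model
// reports it by throwing.
function runCallTree(root, stackTop, limit, policy = checkRequirement) {
  let lowest = stackTop;
  function enter(frame, sp) {
    const need = policy(frame);
    if (need > 0 && sp - need < limit) return frame.name; // check fires
    sp -= frame.size;
    const stubLow = sp - frame.jsStubBytes; // transient JS-stub usage in this frame
    if (stubLow < limit) throw new Error(`unchecked overflow in ${frame.name}`);
    lowest = Math.min(lowest, stubLow);
    for (const callee of frame.callees) {
      const trapped = enter(callee, sp);
      if (trapped) return trapped;
    }
    return null;
  }
  return { trapped: enter(root, stackTop), lowest };
}

// True when the policy never lets a frame cross the limit unchecked.
function isSound(policy, root, stackTop, limit) {
  try {
    runCallTree(root, stackTop, limit, policy);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed call tree: main -> inner (which also calls into JS) -> two leaves.
const leaf = (name, size) => ({ name, size, jsStubBytes: 0, callees: [] });
function sampleTree(bigLeafSize) {
  return {
    name: 'main', size: 256, jsStubBytes: 0,
    callees: [{
      name: 'inner', size: 512, jsStubBytes: 128,
      callees: [leaf('smallLeaf', 800), leaf('bigLeaf', bigLeafSize)],
    }],
  };
}
```

        With a 3000-byte leaf on a 3000-byte stack, checkRequirement makes
        the leaf check itself and the run ends in the trapped path, while
        naiveLeafPolicy lets the same leaf run past the limit unchecked, which
        is exactly the silent overflow the real checks exist to prevent.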
3958