2bb6491f7464db81eddb0a973674015e6079397e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-09-03  Chris Dumez  <cdumez@apple.com>

        Unreviewed, rolling out r221552.

        Broke the build

        Reverted changeset:

        "[WTF] Add C++03 allocator interface for GCC < 6"
        https://bugs.webkit.org/show_bug.cgi?id=176301
        http://trac.webkit.org/changeset/221552

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Add C++03 allocator interface for GCC < 6
        https://bugs.webkit.org/show_bug.cgi?id=176301

        Reviewed by Darin Adler.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-09-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Clean up BytecodeLivenessAnalysis
        https://bugs.webkit.org/show_bug.cgi?id=176295

        Reviewed by Saam Barati.

        Previously, computeDefsForBytecodeOffset was a bit customizable.
        This is used for try-catch handler's liveness analysis. But after
        careful generatorification implementation, it is now not necessary.
        This patch drops this customizability.

        * bytecode/BytecodeGeneratorification.cpp:
        (JSC::GeneratorLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
        (JSC::GeneratorLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
        * bytecode/BytecodeLivenessAnalysis.cpp:
        (JSC::BytecodeLivenessAnalysis::computeKills):
        (JSC::BytecodeLivenessAnalysis::computeDefsForBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessAnalysis::computeUsesForBytecodeOffset): Deleted.
        * bytecode/BytecodeLivenessAnalysis.h:
        * bytecode/BytecodeLivenessAnalysisInlines.h:
        (JSC::BytecodeLivenessPropagation::stepOverInstruction):
        (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
        (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
        (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
        (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::stepOverInstruction): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::computeLocalLivenessForBlock): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::getLivenessInfoAtBytecodeOffset): Deleted.
        (JSC::BytecodeLivenessPropagation<DerivedAnalysis>::runLivenessFixpoint): Deleted.

2017-09-03  Sam Weinig  <sam@webkit.org>

        Remove CanvasProxy
        https://bugs.webkit.org/show_bug.cgi?id=176288

        Reviewed by Yusuke Suzuki.

        CanvasProxy does not appear to be in any current HTML spec
        and was disabled and unimplemented in our tree. Time to
        get rid of it.

        * Configurations/FeatureDefines.xcconfig:

2017-09-02  Oliver Hunt  <oliver@apple.com>

        Need an API to get the global context from JSObjectRef
        https://bugs.webkit.org/show_bug.cgi?id=176291

        Reviewed by Saam Barati.

        Very simple additional API, starting off as SPI on principle.

        * API/JSObjectRef.cpp:
        (JSObjectGetGlobalContext):
        * API/JSObjectRefPrivate.h:
        * API/tests/testapi.c:
        (main):

2017-09-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Relax arity requirement
        https://bugs.webkit.org/show_bug.cgi?id=175523

        Reviewed by Saam Barati.

        Our DFG pipeline gives up inlining when the arity of the target function is more than the number of the arguments.
        It effectively prevents us from inlining and optimizing functions which take some optional arguments in the
        pre-ES6 form.

        This patch removes the above restriction by performing the arity fixup in DFG.

        SixSpeed shows improvement when we can inline arity-mismatched functions. (For example, calling generator.next()).

                                       baseline                  patched

        defaults.es5             1232.1226+-20.6775    ^    442.3326+-26.1883       ^ definitely 2.7855x faster
        rest.es6                    5.3406+-0.8588     ^      3.5812+-0.5388        ^ definitely 1.4913x faster
        spread-generator.es6      320.9107+-12.4808         310.4295+-12.0047         might be 1.0338x faster
        generator.es6             318.3514+-9.6023     ^    286.4974+-12.6203       ^ definitely 1.1112x faster

        * bytecode/InlineCallFrame.cpp:
        (JSC::InlineCallFrame::dumpInContext const):
        * bytecode/InlineCallFrame.h:
        (JSC::InlineCallFrame::InlineCallFrame):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGArgumentsUtilities.cpp:
        (JSC::DFG::argumentsInvolveStackSlot):
        (JSC::DFG::emitCodeToGetArgumentsArrayLength):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::setLocal):
        (JSC::DFG::ByteCodeParser::setArgument):
        (JSC::DFG::ByteCodeParser::findArgumentPositionForLocal):
        (JSC::DFG::ByteCodeParser::flush):
        (JSC::DFG::ByteCodeParser::getArgumentCount):
        (JSC::DFG::ByteCodeParser::inliningCost):
        (JSC::DFG::ByteCodeParser::inlineCall):
        (JSC::DFG::ByteCodeParser::attemptToInlineCall):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        * dfg/DFGCommonData.cpp:
        (JSC::DFG::CommonData::validateReferences):
        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::isLiveInBytecode):
        * dfg/DFGGraph.h:
        (JSC::DFG::Graph::forAllLocalsLiveInBytecode):
        * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
        (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        * dfg/DFGOSRExitCompilerCommon.cpp:
        (JSC::DFG::reifyInlinedCallFrames):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitGetLength):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
        (JSC::FTL::DFG::LowerDFGToB3::getArgumentsLength):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::readInlinedFrame):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::argumentsStart):
        * jit/SetupVarargsFrame.cpp:
        (JSC::emitSetupVarargsFrameFastCase):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createWithInlineFrame):
        * runtime/CommonSlowPaths.h:
        (JSC::CommonSlowPaths::numberOfExtraSlots):
        (JSC::CommonSlowPaths::numberOfStackPaddingSlots):
        (JSC::CommonSlowPaths::numberOfStackPaddingSlotsWithExtraSlots):
        (JSC::CommonSlowPaths::arityCheckFor):
        * runtime/StackAlignment.h:
        (JSC::stackAlignmentBytes):
        (JSC::stackAlignmentRegisters):

2017-09-01  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] FTL allocation for async Function is incorrect
        https://bugs.webkit.org/show_bug.cgi?id=176214

        Reviewed by Saam Barati.

        In FTL, allocating async function / async generator function was incorrectly using
        JSFunction logic. While it is not observable right now since sizeof(JSFunction) == sizeof(JSAsyncFunction),
        it is a bug.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):

2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Fix "name" and "length" of Proxy revoke function
        https://bugs.webkit.org/show_bug.cgi?id=176155

        Reviewed by Mark Lam.

        ProxyRevoke's length should be configurable. And it does not have
        its own name. We add NameVisibility enum to InternalFunction to
        control visibility of the name.

        * runtime/InternalFunction.cpp:
        (JSC::InternalFunction::finishCreation):
        * runtime/InternalFunction.h:
        * runtime/ProxyRevoke.cpp:
        (JSC::ProxyRevoke::finishCreation):

2017-08-31  Saam Barati  <sbarati@apple.com>

        Throwing an exception in the DFG/FTL should not cause a jettison
        https://bugs.webkit.org/show_bug.cgi?id=176060
        <rdar://problem/34143348>

        Reviewed by Keith Miller.

        Throwing an exception is not something that should be a jettison-able
        OSR exit. We used to count Throw/ThrowStaticError towards our OSR exit
        counts which could cause a CodeBlock to jettison and recompile. This
        was dumb. Throwing an exception is not a reason to jettison and
        recompile in the way that a speculation failure is. This patch
        treats Throw/ThrowStaticError as true terminals in DFG IR.

        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isTerminal):
        (JSC::DFG::Node::isPseudoTerminal):
        (JSC::DFG::Node::errorType):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileThrow):
        (JSC::DFG::SpeculativeJIT::compileThrowStaticError):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
        (JSC::FTL::DFG::LowerDFGToB3::compileThrowStaticError):
        * jit/JITOperations.h:

2017-08-31  Saam Barati  <sbarati@apple.com>

        Graph::methodOfGettingAValueProfileFor compares NodeOrigin instead of the semantic CodeOrigin
        https://bugs.webkit.org/show_bug.cgi?id=176206

        Reviewed by Keith Miller.

        Mark fixed the main issue in Graph::methodOfGettingAValueProfileFor in r208560
        when he fixed it from overwriting invalid parts of the ArithProfile when the
        currentNode and the operandNode are from the same bytecode. However, the
        mechanism used to determine same bytecode was comparing NodeOrigin. That's
        slightly wrong. We need to compare semantic origin, since two NodeOrigins can
        have the same semantic origin, but differ only in exitOK. For example,
        in the below IR, the DoubleRep and the Phi have the same semantic
        origin, but different NodeOrigins.

        43 Phi(JS|PureInt, NonBoolInt32|NonIntAsdouble, W:SideState, bc#63, ExitInvalid)
        58 ExitOK(MustGen, W:SideState, bc#63)
        51 DoubleRep(Check:Number:Kill:@43, Double|PureInt, BytecodeDouble, Exits, bc#63)
        54 ArithNegate(DoubleRep:Kill:@51<Double>, Double|UseAsOther|MayHaveDoubleResult, AnyIntAsDouble|NonIntAsdouble, NotSet, Exits, bc#63)

        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::methodOfGettingAValueProfileFor):

2017-08-31  Don Olmstead  <don.olmstead@sony.com>

        [CMake] Make USE_CF conditional within Windows
        https://bugs.webkit.org/show_bug.cgi?id=176173

        Reviewed by Alex Christensen.

        * PlatformWin.cmake:

2017-08-31  Saam Barati  <sbarati@apple.com>

        useSeparatedWXHeap should never be true when not on iOS
        https://bugs.webkit.org/show_bug.cgi?id=176190

        Reviewed by JF Bastien.

        If you set useSeparatedWXHeap to true on X86_64, and launch the jsc shell,
        the process insta-crashes. Let's silently ignore that option and set it
        to false when not on iOS.

        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):

2017-08-31  Filip Pizlo  <fpizlo@apple.com>

        Fix debug crashes.

        Rubber stamped by Mark Lam.

        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):

2017-08-31  Filip Pizlo  <fpizlo@apple.com>

        All of the different ArrayBuffer::data's should be CagedPtr<>
        https://bugs.webkit.org/show_bug.cgi?id=175515

        Reviewed by Michael Saboff.

        This straightforwardly implements what the title says.

        * runtime/ArrayBuffer.cpp:
        (JSC::SharedArrayBufferContents::~SharedArrayBufferContents):
        (JSC::ArrayBufferContents::destroy):
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBufferContents::makeShared):
        (JSC::ArrayBufferContents::copyTo):
        (JSC::ArrayBuffer::createFromBytes):
        (JSC::ArrayBuffer::transferTo):
        * runtime/ArrayBuffer.h:
        (JSC::SharedArrayBufferContents::data const):
        (JSC::ArrayBufferContents::data const):
        (JSC::ArrayBuffer::data):
        (JSC::ArrayBuffer::data const):
        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::baseAddress const):
        * runtime/CagedBarrierPtr.h: Added a specialization so that CagedBarrierPtr<Gigacage::Foo, void> is valid.
        * runtime/DataView.h:
        (JSC::DataView::get):
        (JSC::DataView::set):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        * runtime/JSArrayBufferView.h:
        (JSC::JSArrayBufferView::ConstructionContext::vector const):
        (JSC::JSArrayBufferView::vector const):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::visitChildren):

2017-08-22  Filip Pizlo  <fpizlo@apple.com>

        Strings need to be in some kind of gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174924

        Reviewed by Oliver Hunt.

        * runtime/JSString.cpp:
        (JSC::JSRopeString::resolveRopeToAtomicString const):
        (JSC::JSRopeString::resolveRope const):
        * runtime/JSString.h:
        (JSC::JSString::create):
        (JSC::JSString::createHasOtherOwner):
        * runtime/JSStringBuilder.h:
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):

2017-08-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use reifying system for "name" property of builtin JSFunction
        https://bugs.webkit.org/show_bug.cgi?id=175260

        Reviewed by Saam Barati.

        Currently builtin JSFunction uses direct property for "name", which is different
        from usual JSFunction. Usual JSFunction uses reifying system for "name". We would like
        to apply this reifying mechanism to builtin JSFunction to simplify code and drop
        JSFunction::createBuiltinFunction.

        We would like to store the "correct" name in FunctionExecutable. For example,
        we would like to store the name like "get [Symbol.species]" to FunctionExecutable
        instead of specifying name when creating JSFunction. To do so, we add new
        annotations, @getter and @overriddenName. When @getter is specified, the name of
        the function becomes "get xxx". And when @overriddenName="xxx" is specified,
        the name of the function becomes "xxx".

        We also treat @xxx as anonymous builtin functions that cannot be achieved in
        the current JS without privilege.

        * Scripts/builtins/builtins_generate_combined_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_combined_implementation.py:
        (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_generate_separate_header.py:
        (generate_section_for_code_table_macro):
        * Scripts/builtins/builtins_generate_separate_implementation.py:
        (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
        * Scripts/builtins/builtins_model.py:
        (BuiltinFunction.__init__):
        (BuiltinFunction.fromString):
        * Scripts/builtins/builtins_templates.py:
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
        (overriddenName.string_appeared_here.match):
        (intrinsic.RegExpTestIntrinsic.test):
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
        * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
        * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
        * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
        * builtins/AsyncIteratorPrototype.js:
        (symbolAsyncIteratorGetter): Deleted.
        * builtins/BuiltinExecutables.cpp:
        (JSC::BuiltinExecutables::BuiltinExecutables):
        * builtins/BuiltinExecutables.h:
        * builtins/BuiltinNames.h:
        * builtins/FunctionPrototype.js:
        (symbolHasInstance): Deleted.
        * builtins/GlobalOperations.js:
        (globalPrivate.speciesGetter): Deleted.
        * builtins/IteratorPrototype.js:
        (symbolIteratorGetter): Deleted.
        * builtins/PromiseConstructor.js:
        (all.newResolveElement.return.resolve):
        (all.newResolveElement):
        (all):
        * builtins/PromiseOperations.js:
        (globalPrivate.newPromiseCapability.executor):
        (globalPrivate.newPromiseCapability):
        (globalPrivate.createResolvingFunctions.resolve):
        (globalPrivate.createResolvingFunctions.reject):
        (globalPrivate.createResolvingFunctions):
        * builtins/RegExpPrototype.js:
        (match): Deleted.
        (replace): Deleted.
        (search): Deleted.
        (split): Deleted.
        * jsc.cpp:
        (functionCreateBuiltin):
        * runtime/AsyncIteratorPrototype.cpp:
        (JSC::AsyncIteratorPrototype::finishCreation):
        * runtime/FunctionPrototype.cpp:
        (JSC::FunctionPrototype::addFunctionProperties):
        * runtime/IteratorPrototype.cpp:
        (JSC::IteratorPrototype::finishCreation):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::finishCreation):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::createBuiltinFunction): Deleted.
        * runtime/JSFunction.h:
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSObject.cpp:
        (JSC::JSObject::putDirectBuiltinFunction):
        (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
        * runtime/JSTypedArrayViewPrototype.cpp:
        (JSC::JSTypedArrayViewPrototype::finishCreation):
        * runtime/Lookup.cpp:
        (JSC::reifyStaticAccessor):
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/RegExpPrototype.cpp:
        (JSC::RegExpPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

2017-08-30  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r221327.

        This change caused test262 failures.

        Reverted changeset:

        "[JSC] Use reifying system for "name" property of builtin
        JSFunction"
        https://bugs.webkit.org/show_bug.cgi?id=175260
        http://trac.webkit.org/changeset/221327

2017-08-30  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r221384.

        This patch caused multiple 32-bit JSC test failures.

        Reverted changeset:

        "Strings need to be in some kind of gigacage"
        https://bugs.webkit.org/show_bug.cgi?id=174924
        http://trac.webkit.org/changeset/221384

2017-08-30  Saam Barati  <sbarati@apple.com>

        semicolon is being interpreted as an = in the LiteralParser
        https://bugs.webkit.org/show_bug.cgi?id=176114

        Reviewed by Oliver Hunt.

        When lexing a semicolon in the LiteralParser, we were properly
        setting the TokenType on the current token, however, we were
        *returning* the wrong TokenType. The lex function both returns
        the TokenType and sets it on the current token. Semicolon was
        setting the TokenType to semicolon, but returning the TokenType
        for '='. This caused programs like `x;123` to be interpreted as
        `x=123`.

        * runtime/LiteralParser.cpp:
        (JSC::LiteralParser<CharType>::Lexer::lex):
        (JSC::LiteralParser<CharType>::Lexer::next):
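
The defect class described in the entry above, reproduced as an added example that is not JSC's LiteralParser: a toy lexer whose lex() both returns a TokenType and stores it on the current token, with the divergent return for ';' switchable so that the misparse of `x;123` and the invariant check that would have caught it can both be exercised. All type and function names here are the example's own.

```cpp
// Added example, not JSC code. lex() follows the contract the ChangeLog entry
// describes: it returns the TokenType and records it on the current token.
// `buggy` reproduces the defect, where ';' is recorded as Semicolon but
// returned as Assign, so any caller trusting the return value sees '='.
#include <cctype>
#include <cstddef>
#include <string>

enum class TokenType { Identifier, Number, Semicolon, Assign, End, Error };

struct Token {
    TokenType type = TokenType::Error;
    std::string text;
};

class Lexer {
public:
    Lexer(const std::string& source, bool buggy) : m_source(source), m_buggy(buggy) { }

    // Returns the token type and stores it on the current token.
    TokenType lex()
    {
        m_current = Token();
        while (m_pos < m_source.size() && std::isspace(at(m_pos)))
            ++m_pos;
        if (m_pos >= m_source.size())
            return setType(TokenType::End);

        unsigned char c = at(m_pos);
        if (std::isalnum(c)) {
            // Identifiers and numbers are both alphanumeric runs here; the
            // first character decides which one it is (toy grammar).
            std::size_t start = m_pos;
            while (m_pos < m_source.size() && std::isalnum(at(m_pos)))
                ++m_pos;
            m_current.text = m_source.substr(start, m_pos - start);
            return setType(std::isdigit(c) ? TokenType::Number : TokenType::Identifier);
        }

        ++m_pos;
        m_current.text.assign(1, static_cast<char>(c));
        switch (c) {
        case '=':
            return setType(TokenType::Assign);
        case ';':
            m_current.type = TokenType::Semicolon;
            // The defect: the stored type is right, the returned one is not.
            return m_buggy ? TokenType::Assign : TokenType::Semicolon;
        default:
            return setType(TokenType::Error);
        }
    }

    const Token& current() const { return m_current; }

private:
    unsigned char at(std::size_t i) const { return static_cast<unsigned char>(m_source[i]); }
    TokenType setType(TokenType type) { m_current.type = type; return type; }

    std::string m_source;
    std::size_t m_pos = 0;
    bool m_buggy;
    Token m_current;
};

// What a caller that trusts the return value of lex() concludes about the
// input: "x=123" is an assignment, "x;123" is two statements.
enum class Shape { Assignment, TwoStatements, Other };

Shape classify(const std::string& source, bool buggy)
{
    Lexer lexer(source, buggy);
    if (lexer.lex() != TokenType::Identifier)
        return Shape::Other;
    TokenType separator = lexer.lex();
    if (lexer.lex() != TokenType::Number)
        return Shape::Other;
    if (separator == TokenType::Assign)
        return Shape::Assignment;
    if (separator == TokenType::Semicolon)
        return Shape::TwoStatements;
    return Shape::Other;
}

// The invariant a unit test can check directly: every value lex() returns
// must equal the type it stored on the current token. The buggy lexer fails
// this on the first ';' it meets.
bool returnMatchesStoredType(const std::string& source, bool buggy)
{
    Lexer lexer(source, buggy);
    for (;;) {
        TokenType returned = lexer.lex();
        if (returned != lexer.current().type)
            return false;
        if (returned == TokenType::End || returned == TokenType::Error)
            return true;
    }
}
```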
513
514 2017-08-22  Filip Pizlo  <fpizlo@apple.com>
515
516         Strings need to be in some kind of gigacage
517         https://bugs.webkit.org/show_bug.cgi?id=174924
518
519         Reviewed by Oliver Hunt.
520
521         * runtime/JSString.cpp:
522         (JSC::JSRopeString::resolveRopeToAtomicString const):
523         (JSC::JSRopeString::resolveRope const):
524         * runtime/JSString.h:
525         (JSC::JSString::create):
526         (JSC::JSString::createHasOtherOwner):
527         * runtime/JSStringBuilder.h:
528         * runtime/VM.h:
529         (JSC::VM::gigacageAuxiliarySpace):
530
531 2017-08-30  Oleksandr Skachkov  <gskachkov@gmail.com>
532
533         [ESNext] Async iteration - Implement async iteration statement: for-await-of
534         https://bugs.webkit.org/show_bug.cgi?id=166698
535
536         Reviewed by Yusuke Suzuki.
537
538         Implementation of the for-await-of statement.
539
540         * bytecompiler/BytecodeGenerator.cpp:
541         (JSC::BytecodeGenerator::emitEnumeration):
542         (JSC::BytecodeGenerator::emitIteratorNext):
543         * bytecompiler/BytecodeGenerator.h:
544         * parser/ASTBuilder.h:
545         (JSC::ASTBuilder::createForOfLoop):
546         * parser/NodeConstructors.h:
547         (JSC::ForOfNode::ForOfNode):
548         * parser/Nodes.h:
549         (JSC::ForOfNode::isForAwait const):
550         * parser/Parser.cpp:
551         (JSC::Parser<LexerType>::parseForStatement):
552         * parser/Parser.h:
553         (JSC::Scope::setSourceParseMode):
554         (JSC::Scope::setIsFunction):
555         (JSC::Scope::setIsAsyncGeneratorFunction):
556         (JSC::Scope::setIsAsyncGeneratorFunctionBody):
557         * parser/SyntaxChecker.h:
558         (JSC::SyntaxChecker::createForOfLoop):
559
560 2017-08-29  Commit Queue  <commit-queue@webkit.org>
561
562         Unreviewed, rolling out r221317.
563         https://bugs.webkit.org/show_bug.cgi?id=176090
564
565         "It broke a testing mode because we will never FTL compile a
566         function that repeatedly throws" (Requested by saamyjoon on
567         #webkit).
568
569         Reverted changeset:
570
571         "Throwing an exception in the DFG/FTL should not be a
572         jettison-able OSR exit"
573         https://bugs.webkit.org/show_bug.cgi?id=176060
574         http://trac.webkit.org/changeset/221317
575
576 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
577
578         [DFG] Add constant folding rule to convert CompareStrictEq(Untyped, Untyped [with non string cell constant]) to CompareEqPtr(Untyped)
579         https://bugs.webkit.org/show_bug.cgi?id=175895
580
581         Reviewed by Saam Barati.
582
583         We have `bucket === @sentinelMapBucket` code in builtin. Since @sentinelMapBucket and bucket
584         are MapBucket cell (SpecCellOther), we do not have any good fixup for CompareStrictEq.
585         But rather than introducing a special fixup edge (like, NonStringCellUse), converting
586         CompareStrictEq(Untyped, Untyped) to CompareEqPtr is simpler.
587         In constant folding phase, we convert CompareStrictEq(Untyped, Untyped) to CompareEqPtr(Untyed)
588         if one side of the children is constant non String cell.
589
590         This slightly optimizes map/set iteration.
591
592         set-for-each          4.5064+-0.3072     ^      3.2862+-0.2098        ^ definitely 1.3713x faster
593         large-map-iteration  56.2583+-1.6640           53.6798+-2.0097          might be 1.0480x faster
594         set-for-of            8.8058+-0.5953     ^      7.5832+-0.3805        ^ definitely 1.1612x faster
595         map-for-each          4.2633+-0.2694     ^      3.3967+-0.3013        ^ definitely 1.2551x faster
596         map-for-of           13.1556+-0.5707           12.4911+-0.6004          might be 1.0532x faster
597
598         * dfg/DFGAbstractInterpreterInlines.h:
599         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
600         * dfg/DFGConstantFoldingPhase.cpp:
601         (JSC::DFG::ConstantFoldingPhase::foldConstants):
602         * dfg/DFGNode.h:
603         (JSC::DFG::Node::convertToCompareEqPtr):
604
605 2017-08-29  Yusuke Suzuki  <utatane.tea@gmail.com>
606
607         [JSC] Use reifying system for "name" property of builtin JSFunction
608         https://bugs.webkit.org/show_bug.cgi?id=175260
609
610         Reviewed by Saam Barati.
611
612         Currently builtin JSFunction uses direct property for "name", which is different
613         from usual JSFunction. Usual JSFunction uses reifying system for "name". We would like
614         to apply this reifying mechanism to builtin JSFunction to simplify code and drop
615         JSFunction::createBuiltinFunction.
616
617         We would like to store the "correct" name in FunctionExecutable. For example,
618         we would like to store the name like "get [Symbol.species]" to FunctionExecutable
619         instead of specifying name when creating JSFunction. To do so, we add a new
620         annotations, @getter and @overriddenName. When @getter is specified, the name of
621         the function becomes "get xxx". And when @overriddenName="xxx" is specified,
622         the name of the function becomes "xxx".
623
624         * Scripts/builtins/builtins_generate_combined_header.py:
625         (generate_section_for_code_table_macro):
626         * Scripts/builtins/builtins_generate_combined_implementation.py:
627         (BuiltinsCombinedImplementationGenerator.generate_secondary_header_includes):
628         * Scripts/builtins/builtins_generate_separate_header.py:
629         (generate_section_for_code_table_macro):
630         * Scripts/builtins/builtins_generate_separate_implementation.py:
631         (BuiltinsSeparateImplementationGenerator.generate_secondary_header_includes):
632         * Scripts/builtins/builtins_model.py:
633         (BuiltinFunction.__init__):
634         (BuiltinFunction.fromString):
635         * Scripts/builtins/builtins_templates.py:
636         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Combined.js:
637         (overriddenName.string_appeared_here.match):
638         (intrinsic.RegExpTestIntrinsic.test):
639         * Scripts/tests/builtins/JavaScriptCore-Builtin.prototype-Separate.js:
640         (overriddenName.string_appeared_here.match):
641         (intrinsic.RegExpTestIntrinsic.test):
642         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Combined.js-result:
643         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.Promise-Separate.js-result:
644         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Combined.js-result:
645         * Scripts/tests/builtins/expected/JavaScriptCore-Builtin.prototype-Separate.js-result:
646         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Combined.js-result:
647         * Scripts/tests/builtins/expected/JavaScriptCore-BuiltinConstructor-Separate.js-result:
648         * Scripts/tests/builtins/expected/JavaScriptCore-InternalClashingNames-Combined.js-result:
649         * Scripts/tests/builtins/expected/WebCore-AnotherGuardedInternalBuiltin-Separate.js-result:
650         * Scripts/tests/builtins/expected/WebCore-ArbitraryConditionalGuard-Separate.js-result:
651         * Scripts/tests/builtins/expected/WebCore-GuardedBuiltin-Separate.js-result:
652         * Scripts/tests/builtins/expected/WebCore-GuardedInternalBuiltin-Separate.js-result:
653         * Scripts/tests/builtins/expected/WebCore-UnguardedBuiltin-Separate.js-result:
654         * Scripts/tests/builtins/expected/WebCore-xmlCasingTest-Separate.js-result:
655         * builtins/BuiltinExecutables.cpp:
656         (JSC::BuiltinExecutables::BuiltinExecutables):
657         * builtins/BuiltinExecutables.h:
658         * builtins/FunctionPrototype.js:
659         (symbolHasInstance): Deleted.
660         * builtins/GlobalOperations.js:
661         (globalPrivate.speciesGetter): Deleted.
662         * builtins/IteratorPrototype.js:
663         (symbolIteratorGetter): Deleted.
664         * builtins/RegExpPrototype.js:
665         (match): Deleted.
666         (replace): Deleted.
667         (search): Deleted.
668         (split): Deleted.
669         * jsc.cpp:
670         (functionCreateBuiltin):
671         * runtime/FunctionPrototype.cpp:
672         (JSC::FunctionPrototype::addFunctionProperties):
673         * runtime/IteratorPrototype.cpp:
674         (JSC::IteratorPrototype::finishCreation):
675         * runtime/JSFunction.cpp:
676         (JSC::JSFunction::getOwnNonIndexPropertyNames):
677         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
678         (JSC::JSFunction::createBuiltinFunction): Deleted.
679         * runtime/JSFunction.h:
680         * runtime/JSGlobalObject.cpp:
681         (JSC::JSGlobalObject::init):
682         * runtime/JSObject.cpp:
683         (JSC::JSObject::putDirectBuiltinFunction):
684         (JSC::JSObject::putDirectBuiltinFunctionWithoutTransition):
685         * runtime/JSTypedArrayViewPrototype.cpp:
686         (JSC::JSTypedArrayViewPrototype::finishCreation):
687         * runtime/Lookup.cpp:
688         (JSC::reifyStaticAccessor):
689         * runtime/RegExpPrototype.cpp:
690         (JSC::RegExpPrototype::finishCreation):
691
692 2017-08-29  Saam Barati  <sbarati@apple.com>
693
694         Throwing an exception in the DFG/FTL should not be a jettison-able OSR exit
695         https://bugs.webkit.org/show_bug.cgi?id=176060
696
697         Reviewed by Michael Saboff.
698
699         OSR exiting when we throw an exception is expected behavior. We should
700         not count these exits towards our jettison OSR exit threshold.
701
702         * bytecode/ExitKind.cpp:
703         (JSC::exitKindToString):
704         (JSC::exitKindMayJettison):
705         * bytecode/ExitKind.h:
706         * dfg/DFGSpeculativeJIT32_64.cpp:
707         (JSC::DFG::SpeculativeJIT::compile):
708         * dfg/DFGSpeculativeJIT64.cpp:
709         (JSC::DFG::SpeculativeJIT::compile):
710         * ftl/FTLLowerDFGToB3.cpp:
711         (JSC::FTL::DFG::LowerDFGToB3::compileThrow):
712
713 2017-08-29  Chris Dumez  <cdumez@apple.com>
714
715         Add initial support for dataTransferItem.webkitGetAsEntry()
716         https://bugs.webkit.org/show_bug.cgi?id=176038
717         <rdar://problem/34121095>
718
719         Reviewed by Wenson Hsieh.
720
721         Add CommonIdentifier needed by [EnabledAtRuntime].
722
723         * runtime/CommonIdentifiers.h:
724
725 2017-08-27  Devin Rousso  <webkit@devinrousso.com>
726
727         Web Inspector: Record actions performed on WebGLRenderingContext
728         https://bugs.webkit.org/show_bug.cgi?id=174483
729         <rdar://problem/34040722>
730
731         Reviewed by Matt Baker.
732
733         * inspector/protocol/Recording.json:
734         * inspector/scripts/codegen/generator.py:
735         Add type and mapping for WebGL: "canvas-webgl" => CanvasWebGL
736
737 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
738
739         Unreviewed, suppress warnings in GTK port
740
741         The "block" variable hides the argument variable.
742
743         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
744         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
745
746 2017-08-26  Yusuke Suzuki  <utatane.tea@gmail.com>
747
748         Merge WeakMapData into JSWeakMap and JSWeakSet
749         https://bugs.webkit.org/show_bug.cgi?id=143919
750
751         Reviewed by Darin Adler.
752
753         This patch changes WeakMapData from JSCell to JSDestructibleObject,
754         renaming it to WeakMapBase, and JSWeakMap and JSWeakSet simply inherit
755         it instead of separately allocating WeakMapData. This reduces memory
756         consumption and allocation times.
757
758         Also this patch optimizes sizeof(DeadKeyCleaner) a bit by dropping the m_target
759         field. Since this class is always embedded in WeakMapBase, we can calculate
760         WeakMapBase address from the address of DeadKeyCleaner.
761
762         This patch does not include the optimization changing WeakMapData to Set
763         for JSWeakSet.
764
765         * CMakeLists.txt:
766         * JavaScriptCore.xcodeproj/project.pbxproj:
767         * inspector/JSInjectedScriptHost.cpp:
768         (Inspector::JSInjectedScriptHost::weakMapSize):
769         (Inspector::JSInjectedScriptHost::weakMapEntries):
770         (Inspector::JSInjectedScriptHost::weakSetSize):
771         (Inspector::JSInjectedScriptHost::weakSetEntries):
772         * runtime/JSWeakMap.cpp:
773         (JSC::JSWeakMap::finishCreation): Deleted.
774         (JSC::JSWeakMap::visitChildren): Deleted.
775         * runtime/JSWeakMap.h:
776         (JSC::JSWeakMap::createStructure): Deleted.
777         (JSC::JSWeakMap::create): Deleted.
778         (JSC::JSWeakMap::weakMapData): Deleted.
779         (JSC::JSWeakMap::JSWeakMap): Deleted.
780         * runtime/JSWeakSet.cpp:
781         (JSC::JSWeakSet::finishCreation): Deleted.
782         (JSC::JSWeakSet::visitChildren): Deleted.
783         * runtime/JSWeakSet.h:
784         (JSC::JSWeakSet::createStructure): Deleted.
785         (JSC::JSWeakSet::create): Deleted.
786         (JSC::JSWeakSet::weakMapData): Deleted.
787         (JSC::JSWeakSet::JSWeakSet): Deleted.
788         * runtime/VM.cpp:
789         (JSC::VM::VM):
790         * runtime/VM.h:
791         * runtime/WeakMapBase.cpp: Renamed from Source/JavaScriptCore/runtime/WeakMapData.cpp.
792         (JSC::WeakMapBase::WeakMapBase):
793         (JSC::WeakMapBase::destroy):
794         (JSC::WeakMapBase::estimatedSize):
795         (JSC::WeakMapBase::visitChildren):
796         (JSC::WeakMapBase::set):
797         (JSC::WeakMapBase::get):
798         (JSC::WeakMapBase::remove):
799         (JSC::WeakMapBase::contains):
800         (JSC::WeakMapBase::clear):
801         (JSC::WeakMapBase::DeadKeyCleaner::target):
802         (JSC::WeakMapBase::DeadKeyCleaner::visitWeakReferences):
803         (JSC::WeakMapBase::DeadKeyCleaner::finalizeUnconditionally):
804         * runtime/WeakMapBase.h: Renamed from Source/JavaScriptCore/runtime/WeakMapData.h.
805         (JSC::WeakMapBase::size const):
806         * runtime/WeakMapPrototype.cpp:
807         (JSC::getWeakMap):
808         (JSC::protoFuncWeakMapDelete):
809         (JSC::protoFuncWeakMapGet):
810         (JSC::protoFuncWeakMapHas):
811         (JSC::protoFuncWeakMapSet):
812         (JSC::getWeakMapData): Deleted.
813         * runtime/WeakSetPrototype.cpp:
814         (JSC::getWeakSet):
815         (JSC::protoFuncWeakSetDelete):
816         (JSC::protoFuncWeakSetHas):
817         (JSC::protoFuncWeakSetAdd):
818         (JSC::getWeakMapData): Deleted.
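
        Added example, not WebKit code: the owner-from-member calculation that lets
        DeadKeyCleaner drop its m_target field. The struct layouts, field names and
        the stand-in state are assumptions for the example; only the technique
        (offsetof over a standard-layout type, with the check that keeps it valid) is
        what the entry above describes.

```cpp
#include <cstddef>
#include <cstdint>
#include <type_traits>

struct WeakMapBase;

// The cleaner keeps no back-pointer; it computes its owner on demand.
struct DeadKeyCleaner {
    WeakMapBase* target();
    unsigned deadKeysFinalized = 0; // stand-in for the cleaner's real state
};

// Layout assumed for the example: the cleaner is embedded by value, which is
// the only reason the address arithmetic in target() is valid.
struct WeakMapBase {
    size_t liveEntries = 0;          // stand-in for the real hash table
    DeadKeyCleaner m_deadKeyCleaner;
};

// offsetof is only guaranteed for standard-layout types; enforce it so a
// future virtual function or base class fails to compile instead of
// silently producing a wrong owner pointer.
static_assert(std::is_standard_layout<WeakMapBase>::value, "offsetof needs standard layout");

WeakMapBase* DeadKeyCleaner::target()
{
    uintptr_t self = reinterpret_cast<uintptr_t>(this);
    return reinterpret_cast<WeakMapBase*>(self - offsetof(WeakMapBase, m_deadKeyCleaner));
}

// Round trip: the owner found through the embedded member is the object
// that embeds it, and its fields are readable through the result.
bool targetRecoversOwner()
{
    WeakMapBase map;
    map.liveEntries = 3;
    WeakMapBase* owner = map.m_deadKeyCleaner.target();
    return owner == &map && owner->liveEntries == 3;
}

// What the dropped m_target field used to cost in every WeakMapBase.
size_t bytesSavedPerMap() { return sizeof(WeakMapBase*); }

int main() { return targetRecoversOwner() ? 0 : 1; }
```

        The static_assert is the part worth keeping: the arithmetic in target() is
        silently wrong the moment the owning type stops being standard-layout.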
819
820 2017-08-25  Daniel Bates  <dabates@apple.com>
821
822         Demarcate code added due to lack of NSDMI for aggregates
823         https://bugs.webkit.org/show_bug.cgi?id=175990
824
825         Reviewed by Andy Estes.
826
827         * domjit/DOMJITEffect.h:
828         (JSC::DOMJIT::Effect::Effect):
829         (JSC::DOMJIT::Effect::forWrite):
830         (JSC::DOMJIT::Effect::forRead):
831         (JSC::DOMJIT::Effect::forReadWrite):
832         (JSC::DOMJIT::Effect::forPure):
833         (JSC::DOMJIT::Effect::forDef):
834         * runtime/HasOwnPropertyCache.h:
835         (JSC::HasOwnPropertyCache::Entry::Entry):
836         (JSC::HasOwnPropertyCache::Entry::operator=): Deleted.
837         * wasm/WasmFormat.h: Modernize some of the code while I am here. Also
838         make some comments read well.
839         (JSC::Wasm::CallableFunction::CallableFunction):
840         * wasm/js/WebAssemblyFunction.cpp:
841         (JSC::WebAssemblyFunction::WebAssemblyFunction):
842         * wasm/js/WebAssemblyWrapperFunction.cpp:
843         (JSC::WebAssemblyWrapperFunction::create):
844
845 2017-08-25  Saam Barati  <sbarati@apple.com>
846
847         Unreviewed. Fix 32-bit after r221196
848
849         * jit/JITOpcodes32_64.cpp:
850         (JSC::JIT::emit_op_catch):
851
852 2017-08-25  Chris Dumez  <cdumez@apple.com>
853
854         Land stubs for File and Directory Entries API interfaces
855         https://bugs.webkit.org/show_bug.cgi?id=175993
856         <rdar://problem/34087477>
857
858         Reviewed by Ryosuke Niwa.
859
860         Add CommonIdentifiers needed for [EnabledAtRuntime].
861
862         * runtime/CommonIdentifiers.h:
863
864 2017-08-25  Brian Burg  <bburg@apple.com>
865
866         Web Automation: add capabilities to control ICE candidate filtering and insecure media capture
867         https://bugs.webkit.org/show_bug.cgi?id=175563
868         <rdar://problem/33734492>
869
870         Reviewed by Joseph Pecoraro.
871
872         Add macros for new capability protocol string names. Let's use a reverse
873         domain name notation for these capabilities so we know whether they are
874         intended for a particular client/port or any WebKit client, and what feature they
875         are related to (i.e., webrtc).
876
877         * inspector/remote/RemoteInspectorConstants.h:
878
879 2017-08-24  Brian Burg  <bburg@apple.com>
880
881         Web Automation: use automation session configurations to propagate per-session settings
882         https://bugs.webkit.org/show_bug.cgi?id=175562
883         <rdar://problem/30853362>
884
885         Reviewed by Joseph Pecoraro.
886
887         Add a Cocoa-specific code path to forward capabilities when requesting
888         a new session from the remote inspector (i.e., automation) client.
889
890         If other ports want to use this, then we can convert Cocoa types to WebKit types later.
891
892         * inspector/remote/RemoteInspector.h:
893         * inspector/remote/RemoteInspectorConstants.h:
894         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
895         (Inspector::RemoteInspector::receivedAutomationSessionRequestMessage):
896
897 2017-08-25  Saam Barati  <sbarati@apple.com>
898
899         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
900         https://bugs.webkit.org/show_bug.cgi?id=175893
901
902         Reviewed by Mark Lam.
903
904         * dfg/DFGJITCode.cpp:
905         (JSC::DFG::JITCode::finalizeOSREntrypoints):
906         * dfg/DFGJITCode.h:
907         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
908         * dfg/DFGSpeculativeJIT.cpp:
909         (JSC::DFG::SpeculativeJIT::linkOSREntries):
910
911 2017-08-25  Saam Barati  <sbarati@apple.com>
912
913         Support compiling catch in the DFG
914         https://bugs.webkit.org/show_bug.cgi?id=174590
915         <rdar://problem/34047845>
916
917         Reviewed by Filip Pizlo.
918
919         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
920         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
921         
922         To implement catch in the DFG, this patch introduces the concept of multiple
923         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
924         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
925         patch contains many straight forward changes generalizing the code to handle more than
926         one entrypoint.
927         
928         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
929         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
930         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
931         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
932         and SSANaturalLoops vs CPSNaturalLoops.
933         
934         The way we compile the catch entrypoint is by bootstrapping the state
935         of the program by loading all live bytecode locals from a buffer. The OSR
936         entry code will store all live values into that buffer before jumping to
937         the entrypoint. The OSR entry code is also responsible for performing type
938         proofs of the arguments before doing an OSR entry. If there is a type
939         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
940         each catch entrypoint knows the argument type proofs it must perform to enter
941         into the DFG. Currently, all entrypoints' arguments flush format are unified
942         via ArgumentPosition, but this is just an implementation detail. The code is
943         written more generally to assume that each entrypoint may perform its own distinct
944         proof.
945         
946         op_catch now performs value profiling for all live bytecode locals in the
947         LLInt and baseline JIT. This information is then fed into the DFG via the
948         ExtractCatchLocal node in the prediction propagation phase.
949         
950         This patch also changes how we generate op_catch in bytecode. All op_catches
951         are now split out at the end of the program in bytecode. This ensures that
952         no op_catch is inside a try block. This is needed to ensure correctness in
953         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
954         before SetLocals inside a try block. If an op_catch were in a try block, this
955         would cause the phase to insert a Flush before one of the state bootstrapping
956         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
957         its own at the end of a bytecode stream seemed like the most elegant solution since
958         it better represents that we treat op_catch as an entrypoint. This is true
959         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
960         via normal control flow. Because op_catch cannot throw, this will not break
961         any previous semantics of op_catch. Logically, it'd be valid to split try
962         blocks around any non-throwing bytecode operation.
963
964         * CMakeLists.txt:
965         * JavaScriptCore.xcodeproj/project.pbxproj:
966         * bytecode/BytecodeDumper.cpp:
967         (JSC::BytecodeDumper<Block>::dumpBytecode):
968         * bytecode/BytecodeList.json:
969         * bytecode/BytecodeUseDef.h:
970         (JSC::computeUsesForBytecodeOffset):
971         * bytecode/CodeBlock.cpp:
972         (JSC::CodeBlock::finishCreation):
973         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffset):
974         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
975         (JSC::CodeBlock::validate):
976         * bytecode/CodeBlock.h:
977         * bytecode/ValueProfile.h:
978         (JSC::ValueProfile::ValueProfile):
979         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
980         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
981         (JSC::ValueProfileAndOperandBuffer::forEach):
982         * bytecompiler/BytecodeGenerator.cpp:
983         (JSC::BytecodeGenerator::generate):
984         (JSC::BytecodeGenerator::BytecodeGenerator):
985         (JSC::BytecodeGenerator::emitCatch):
986         (JSC::BytecodeGenerator::emitEnumeration):
987         * bytecompiler/BytecodeGenerator.h:
988         * bytecompiler/NodesCodegen.cpp:
989         (JSC::TryNode::emitBytecode):
990         * dfg/DFGAbstractInterpreterInlines.h:
991         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
992         * dfg/DFGBackwardsCFG.h:
993         (JSC::DFG::BackwardsCFG::BackwardsCFG):
994         * dfg/DFGBasicBlock.cpp:
995         (JSC::DFG::BasicBlock::BasicBlock):
996         * dfg/DFGBasicBlock.h:
997         (JSC::DFG::BasicBlock::findTerminal const):
998         * dfg/DFGByteCodeParser.cpp:
999         (JSC::DFG::ByteCodeParser::setDirect):
1000         (JSC::DFG::ByteCodeParser::flush):
1001         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1002         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
1003         (JSC::DFG::ByteCodeParser::parseBlock):
1004         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1005         (JSC::DFG::ByteCodeParser::parse):
1006         * dfg/DFGCFG.h:
1007         (JSC::DFG::CFG::root):
1008         (JSC::DFG::CFG::roots):
1009         (JSC::DFG::CPSCFG::CPSCFG):
1010         (JSC::DFG::selectCFG):
1011         * dfg/DFGCPSRethreadingPhase.cpp:
1012         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1013         * dfg/DFGCSEPhase.cpp:
1014         * dfg/DFGClobberize.h:
1015         (JSC::DFG::clobberize):
1016         * dfg/DFGControlEquivalenceAnalysis.h:
1017         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
1018         * dfg/DFGDCEPhase.cpp:
1019         (JSC::DFG::DCEPhase::run):
1020         * dfg/DFGDisassembler.cpp:
1021         (JSC::DFG::Disassembler::createDumpList):
1022         * dfg/DFGDoesGC.cpp:
1023         (JSC::DFG::doesGC):
1024         * dfg/DFGDominators.h:
1025         (JSC::DFG::Dominators::Dominators):
1026         (JSC::DFG::ensureDominatorsForCFG):
1027         * dfg/DFGEdgeDominates.h:
1028         (JSC::DFG::EdgeDominates::EdgeDominates):
1029         (JSC::DFG::EdgeDominates::operator()):
1030         * dfg/DFGFixupPhase.cpp:
1031         (JSC::DFG::FixupPhase::fixupNode):
1032         (JSC::DFG::FixupPhase::fixupChecksInBlock):
1033         * dfg/DFGFlushFormat.h:
1034         * dfg/DFGGraph.cpp:
1035         (JSC::DFG::Graph::Graph):
1036         (JSC::DFG::unboxLoopNode):
1037         (JSC::DFG::Graph::dumpBlockHeader):
1038         (JSC::DFG::Graph::dump):
1039         (JSC::DFG::Graph::determineReachability):
1040         (JSC::DFG::Graph::invalidateCFG):
1041         (JSC::DFG::Graph::blocksInPreOrder):
1042         (JSC::DFG::Graph::blocksInPostOrder):
1043         (JSC::DFG::Graph::ensureCPSDominators):
1044         (JSC::DFG::Graph::ensureSSADominators):
1045         (JSC::DFG::Graph::ensureCPSNaturalLoops):
1046         (JSC::DFG::Graph::ensureSSANaturalLoops):
1047         (JSC::DFG::Graph::ensureBackwardsCFG):
1048         (JSC::DFG::Graph::ensureBackwardsDominators):
1049         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
1050         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1051         (JSC::DFG::Graph::clearCPSCFGData):
1052         (JSC::DFG::Graph::ensureDominators): Deleted.
1053         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
1054         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
1055         * dfg/DFGGraph.h:
1056         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
1057         (JSC::DFG::Graph::isEntrypoint const):
1058         * dfg/DFGInPlaceAbstractState.cpp:
1059         (JSC::DFG::InPlaceAbstractState::initialize):
1060         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1061         * dfg/DFGJITCode.cpp:
1062         (JSC::DFG::JITCode::shrinkToFit):
1063         * dfg/DFGJITCode.h:
1064         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
1065         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
1066         (JSC::DFG::JITCode::appendCatchEntrypoint):
1067         * dfg/DFGJITCompiler.cpp:
1068         (JSC::DFG::JITCompiler::compile):
1069         (JSC::DFG::JITCompiler::compileFunction):
1070         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1071         (JSC::DFG::JITCompiler::noticeOSREntry):
1072         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1073         * dfg/DFGJITCompiler.h:
1074         * dfg/DFGLICMPhase.cpp:
1075         (JSC::DFG::LICMPhase::run):
1076         (JSC::DFG::LICMPhase::attemptHoist):
1077         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1078         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
1079         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
1080         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1081         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
1082         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
1083         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
1084         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1085         (JSC::DFG::createPreHeader):
1086         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1087         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1088         (JSC::DFG::MaximalFlushInsertionPhase::run):
1089         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1090         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1091         * dfg/DFGMayExit.cpp:
1092         * dfg/DFGNaturalLoops.h:
1093         (JSC::DFG::NaturalLoops::NaturalLoops):
1094         * dfg/DFGNode.h:
1095         (JSC::DFG::Node::isSwitch const):
1096         (JSC::DFG::Node::successor):
1097         (JSC::DFG::Node::catchOSREntryIndex const):
1098         (JSC::DFG::Node::catchLocalPrediction):
1099         (JSC::DFG::Node::isSwitch): Deleted.
1100         * dfg/DFGNodeType.h:
1101         * dfg/DFGOSREntry.cpp:
1102         (JSC::DFG::prepareCatchOSREntry):
1103         * dfg/DFGOSREntry.h:
1104         * dfg/DFGOSREntrypointCreationPhase.cpp:
1105         (JSC::DFG::OSREntrypointCreationPhase::run):
1106         * dfg/DFGOSRExitCompilerCommon.cpp:
1107         (JSC::DFG::handleExitCounts):
1108         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1109         * dfg/DFGPlan.cpp:
1110         (JSC::DFG::Plan::compileInThreadImpl):
1111         * dfg/DFGPrePostNumbering.cpp:
1112         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
1113         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
1114         (WTF::printInternal): Deleted.
1115         * dfg/DFGPrePostNumbering.h:
1116         (): Deleted.
1117         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
1118         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
1119         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
1120         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
1121         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
1122         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
1123         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
1124         * dfg/DFGPredictionInjectionPhase.cpp:
1125         (JSC::DFG::PredictionInjectionPhase::run):
1126         * dfg/DFGPredictionPropagationPhase.cpp:
1127         * dfg/DFGPutStackSinkingPhase.cpp:
1128         * dfg/DFGSSACalculator.cpp:
1129         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1130         (JSC::DFG::SSACalculator::reachingDefAtTail):
1131         * dfg/DFGSSACalculator.h:
1132         (JSC::DFG::SSACalculator::computePhis):
1133         * dfg/DFGSSAConversionPhase.cpp:
1134         (JSC::DFG::SSAConversionPhase::run):
1135         (JSC::DFG::performSSAConversion):
1136         * dfg/DFGSafeToExecute.h:
1137         (JSC::DFG::safeToExecute):
1138         * dfg/DFGSpeculativeJIT.cpp:
1139         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1140         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1141         (JSC::DFG::SpeculativeJIT::createOSREntries):
1142         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1143         * dfg/DFGSpeculativeJIT32_64.cpp:
1144         (JSC::DFG::SpeculativeJIT::compile):
1145         * dfg/DFGSpeculativeJIT64.cpp:
1146         (JSC::DFG::SpeculativeJIT::compile):
1147         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1148         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1149         * dfg/DFGStrengthReductionPhase.cpp:
1150         (JSC::DFG::StrengthReductionPhase::handleNode):
1151         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1152         (JSC::DFG::TierUpCheckInjectionPhase::run):
1153         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
1154         * dfg/DFGTypeCheckHoistingPhase.cpp:
1155         (JSC::DFG::TypeCheckHoistingPhase::run):
1156         * dfg/DFGValidate.cpp:
1157         * ftl/FTLLink.cpp:
1158         (JSC::FTL::link):
1159         * ftl/FTLLowerDFGToB3.cpp:
1160         (JSC::FTL::DFG::LowerDFGToB3::lower):
1161         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
1162         (JSC::FTL::DFG::LowerDFGToB3::isValid):
1163         * jit/JIT.h:
1164         * jit/JITInlines.h:
1165         (JSC::JIT::callOperation):
1166         * jit/JITOpcodes.cpp:
1167         (JSC::JIT::emit_op_catch):
1168         * jit/JITOpcodes32_64.cpp:
1169         (JSC::JIT::emit_op_catch):
1170         * jit/JITOperations.cpp:
1171         * jit/JITOperations.h:
1172         * llint/LLIntSlowPaths.cpp:
1173         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1174         * llint/LLIntSlowPaths.h:
1175         * llint/LowLevelInterpreter32_64.asm:
1176         * llint/LowLevelInterpreter64.asm:
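
        Added illustration, not code from WebKit or from this patch: a small C++
        dominator computation showing why the CPSCFG fake root matters once a
        function has more than one entrypoint. The CFG shape, the block numbering
        and every name in it (Cfg, withSyntheticRoot, computeDominators,
        sampleTryCatchCfg) are assumptions made for the example.

```cpp
#include <cstdio>
#include <vector>

// Hypothetical tiny CFG: blocks are indices, edges are successor lists.
// entrypoints are blocks control can enter with no predecessor: the
// function entry plus every op_catch the DFG can OSR-enter.
struct Cfg {
    std::vector<std::vector<int>> successors;
    std::vector<int> entrypoints;
    int size() const { return static_cast<int>(successors.size()); }
};

// The CPSCFG idea: append a fake root with an edge to every entrypoint, so
// a single-root algorithm runs over the result unchanged.
Cfg withSyntheticRoot(const Cfg& cfg)
{
    Cfg out = cfg;
    out.successors.push_back(cfg.entrypoints);
    out.entrypoints = { cfg.size() };
    return out;
}

using DomSets = std::vector<std::vector<bool>>; // dom[b][a]: a dominates b

// Iterative dataflow dominators: dom(root) = {root}, and for every other
// block reachable from root, dom(b) = {b} + intersection of dom(p) over
// its reachable predecessors p. Unreachable blocks get the empty set.
DomSets computeDominators(const Cfg& cfg, int root)
{
    int n = cfg.size();
    std::vector<std::vector<int>> preds(n);
    for (int b = 0; b < n; ++b)
        for (int s : cfg.successors[b])
            preds[s].push_back(b);

    std::vector<bool> reachable(n, false);
    std::vector<int> work = { root };
    reachable[root] = true;
    while (!work.empty()) {
        int b = work.back();
        work.pop_back();
        for (int s : cfg.successors[b])
            if (!reachable[s]) { reachable[s] = true; work.push_back(s); }
    }

    DomSets dom(n, std::vector<bool>(n, true));
    for (int b = 0; b < n; ++b)
        if (!reachable[b]) dom[b].assign(n, false);
    dom[root].assign(n, false);
    dom[root][root] = true;

    for (bool changed = true; changed;) {
        changed = false;
        for (int b = 0; b < n; ++b) {
            if (b == root || !reachable[b]) continue;
            std::vector<bool> next(n, true);
            for (int p : preds[b]) {
                if (!reachable[p]) continue;
                for (int i = 0; i < n; ++i) next[i] = next[i] && dom[p][i];
            }
            next[b] = true;
            if (next != dom[b]) { dom[b] = next; changed = true; }
        }
    }
    return dom;
}

bool dominates(const DomSets& dom, int a, int b) { return dom[b][a]; }

// Constructed sample, not from JSC: block 0 is the function entry, 1 its try
// body, 3 the op_catch entrypoint; 1 and 3 both fall into the merge block 2,
// which exits through 4.
Cfg sampleTryCatchCfg()
{
    Cfg cfg;
    cfg.successors = { { 1 }, { 2 }, { 4 }, { 2 }, {} };
    cfg.entrypoints = { 0, 3 };
    return cfg;
}

// Treating block 0 as the only root (the old Graph::block(0) assumption),
// block 3 looks dead and the entry is wrongly found to dominate block 2.
bool singleRootSaysEntryDominatesMerge()
{
    return dominates(computeDominators(sampleTryCatchCfg(), 0), 0, 2);
}

// Over the CPSCFG the catch path counts: block 2 is dominated only by itself
// and the fake root, so nothing may be hoisted above it from block 0.
bool syntheticRootSaysEntryDominatesMerge()
{
    Cfg cfg = withSyntheticRoot(sampleTryCatchCfg());
    return dominates(computeDominators(cfg, cfg.entrypoints[0]), 0, 2);
}

int main()
{
    std::printf("single root: %d, synthetic root: %d\n",
        singleRootSaysEntryDominatesMerge(), syntheticRootSaysEntryDominatesMerge());
}
```

        The single-root answer is the dangerous one: a phase such as LICM or
        type-check hoisting that trusted it could move a check from block 0 above
        the merge and skip it entirely on the catch path.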
1177
1178 2017-08-25  Keith Miller  <keith_miller@apple.com>
1179
1180         Explore increasing max JSString::m_length to UINT_MAX.
1181         https://bugs.webkit.org/show_bug.cgi?id=163955
1182         <rdar://problem/32001499>
1183
1184         Reviewed by JF Bastien.
1185
1186         This can cause us to release assert on some code paths. I don't
1187         see a reason to maintain this restriction.
1188
1189         * runtime/JSString.h:
1190         (JSC::JSString::length const):
1191         (JSC::JSString::setLength):
1192         (JSC::JSString::isValidLength): Deleted.
1193         * runtime/JSStringBuilder.h:
1194         (JSC::jsMakeNontrivialString):
1195
1196 2017-08-24  Commit Queue  <commit-queue@webkit.org>
1197
1198         Unreviewed, rolling out r221119, r221124, and r221143.
1199         https://bugs.webkit.org/show_bug.cgi?id=175973
1200
1201         "I think it regressed JSBench by 20%" (Requested by saamyjoon
1202         on #webkit).
1203
1204         Reverted changesets:
1205
1206         "Support compiling catch in the DFG"
1207         https://bugs.webkit.org/show_bug.cgi?id=174590
1208         http://trac.webkit.org/changeset/221119
1209
1210         "Unreviewed, build fix in GTK port"
1211         https://bugs.webkit.org/show_bug.cgi?id=174590
1212         http://trac.webkit.org/changeset/221124
1213
1214         "DFG::JITCode::osrEntry should get sorted since we perform a
1215         binary search on it"
1216         https://bugs.webkit.org/show_bug.cgi?id=175893
1217         http://trac.webkit.org/changeset/221143
1218
1219 2017-08-24  Michael Saboff  <msaboff@apple.com>
1220
1221         Enable moving fixed character class terms after fixed character terms for BMP only character classes
1222         https://bugs.webkit.org/show_bug.cgi?id=175958
1223
1224         Reviewed by Saam Barati.
1225
1226         Currently we don't perform the reordering optimization of fixed character terms that
1227         follow fixed character class terms for Unicode patterns.
1228
1229         This change allows that reordering when the character class contains only BMP
1230         characters.
1231
1232         This fix is covered by existing tests.
1233
1234         * yarr/YarrJIT.cpp:
1235         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1236
1237 2017-08-24  Michael Saboff  <msaboff@apple.com>
1238
1239         Add support for RegExp "dotAll" flag
1240         https://bugs.webkit.org/show_bug.cgi?id=175924
1241
1242         Reviewed by Keith Miller.
1243
1244         The dotAll RegExp flag, 's', changes . to match any character including line terminators.
1245         Added the "dotAll" identifier as well as a RegExp.prototype.dotAll getter.
1246         Added a new any character CharacterClass that is used to match . terms in a dotAll-flagged
1247         RegExp.  In the YARR pattern and parsing code, changed the NewlineClassID, which was only
1248         used for '.' processing, to DotClassID.  The selection of which builtin character class
1249         that DotClassID resolves to when generating the pattern is conditional on the dotAll flag.
1250         This NewlineClassID to DotClassID refactoring includes the atomBuiltInCharacterClass() in
1251         the WebCore content extensions code in the PatternParser class.
1252
1253         As an optimization, the Yarr JIT actually doesn't perform match checks against the builtin
1254         any character CharacterClass, it merely reads the character.  There is another optimization
1255         in our DotStart enclosure processing where a non-capturing regular expression in the form
1256         of .*<expression>.*, with an optional beginning ^ and/or trailing $, match the contained
1257         expression and then look for the extents of the surrounding .*'s.  When used with the
1258         dotAll flag, that processing always results in the beginning of the string and the end
1259         of the string.  Therefore we short-circuit finding the beginning and end of the line
1260         or string with dotAll patterns.
1261
1262         * bytecode/BytecodeDumper.cpp:
1263         (JSC::regexpToSourceString):
1264         * runtime/CommonIdentifiers.h:
1265         * runtime/RegExp.cpp:
1266         (JSC::regExpFlags):
1267         (JSC::RegExpFunctionalTestCollector::outputOneTest):
1268         * runtime/RegExp.h:
1269         * runtime/RegExpKey.h:
1270         * runtime/RegExpPrototype.cpp:
1271         (JSC::RegExpPrototype::finishCreation):
1272         (JSC::flagsString):
1273         (JSC::regExpProtoGetterDotAll):
1274         * yarr/YarrInterpreter.cpp:
1275         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1276         * yarr/YarrInterpreter.h:
1277         (JSC::Yarr::BytecodePattern::dotAll const):
1278         * yarr/YarrJIT.cpp:
1279         (JSC::Yarr::YarrGenerator::optimizeAlternative):
1280         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1281         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1282         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1283         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1284         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1285         * yarr/YarrParser.h:
1286         (JSC::Yarr::Parser::parseTokens):
1287         * yarr/YarrPattern.cpp:
1288         (JSC::Yarr::YarrPatternConstructor::atomBuiltInCharacterClass):
1289         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassBuiltIn):
1290         (JSC::Yarr::YarrPatternConstructor::optimizeDotStarWrappedExpressions):
1291         (JSC::Yarr::YarrPattern::YarrPattern):
1292         (JSC::Yarr::PatternTerm::dump):
1293         (JSC::Yarr::anycharCreate):
1294         * yarr/YarrPattern.h:
1295         (JSC::Yarr::YarrPattern::reset):
1296         (JSC::Yarr::YarrPattern::anyCharacterClass):
1297         (JSC::Yarr::YarrPattern::dotAll const):
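
        Added example, not WebKit code: the dot-star enclosure short circuit
        described above, written as a standalone C++ function over UTF-16 code
        units. The Extent struct, the literal-expression search and the sample
        input are assumptions for the example; the ^/$ anchor handling that the
        real optimization also covers is not modelled.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// ECMAScript line terminators. Assumption: input is UTF-16 code units, as in
// JSC, so U+2028/U+2029 must be checked as well as \n and \r.
bool isLineTerminator(char16_t c)
{
    return c == u'\n' || c == u'\r' || c == u'\u2028' || c == u'\u2029';
}

struct Extent {
    size_t start; // half-open [start, end) in code units
    size_t end;
};

// The enclosure step for a pattern of the shape .*<expression>.* once the
// contained expression has matched at [innerStart, innerEnd): the leading .*
// widens back to the previous line terminator and the trailing .* forward to
// the next one. With dotAll, '.' consumes terminators too, so the answer is
// the whole input and no scan is needed.
Extent dotStarEnclosure(const std::u16string& input, size_t innerStart, size_t innerEnd, bool dotAll)
{
    if (dotAll)
        return { 0, input.size() };

    size_t start = innerStart;
    while (start > 0 && !isLineTerminator(input[start - 1]))
        --start;
    size_t end = innerEnd;
    while (end < input.size() && !isLineTerminator(input[end]))
        ++end;
    return { start, end };
}

// Convenience for a literal <expression> (assumed to contain no line
// terminators): find its first occurrence, then widen. Both fields are npos
// when the literal does not occur, i.e. the regexp does not match at all.
Extent matchDotStarLiteral(const std::u16string& input, const std::u16string& literal, bool dotAll)
{
    size_t pos = input.find(literal);
    if (pos == std::u16string::npos)
        return { std::u16string::npos, std::u16string::npos };
    return dotStarEnclosure(input, pos, pos + literal.size(), dotAll);
}

int main()
{
    // Constructed input: three "lines", the middle one ended by U+2028.
    std::u16string input = u"first line\nkey=value\u2028third";
    Extent plain = matchDotStarLiteral(input, u"value", false);
    Extent all = matchDotStarLiteral(input, u"value", true);
    std::printf("/.*value.*/  -> [%zu, %zu)\n", plain.start, plain.end);
    std::printf("/.*value.*/s -> [%zu, %zu)\n", all.start, all.end);
}
```

        The U+2028 terminator in the sample is the case an ASCII-only check gets
        wrong: without dotAll the match must stop there, exactly as it does at \n.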
1298
1299 2017-08-23  Filip Pizlo  <fpizlo@apple.com>
1300
1301         Reduce Gigacage sizes
1302         https://bugs.webkit.org/show_bug.cgi?id=175920
1303
1304         Reviewed by Mark Lam.
1305
1306         Teach all of the code generators to use the right gigacage masks.
1307
1308         Also teach Wasm that it has much less memory for signaling memories. With 32GB, we have room for 7 signaling memories. But if
1309         we actually did that, then we'd have no memory left for anything else. So, this caps us at 4 signaling memories.
1310
1311         * ftl/FTLLowerDFGToB3.cpp:
1312         (JSC::FTL::DFG::LowerDFGToB3::caged):
1313         * jit/AssemblyHelpers.h:
1314         (JSC::AssemblyHelpers::cage):
1315         (JSC::AssemblyHelpers::cageConditionally):
1316         * llint/LowLevelInterpreter64.asm:
1317         * runtime/Options.h:
1318
1319 2017-08-24  Saam Barati  <sbarati@apple.com>
1320
1321         DFG::JITCode::osrEntry should get sorted since we perform a binary search on it
1322         https://bugs.webkit.org/show_bug.cgi?id=175893
1323
1324         Reviewed by Mark Lam.
1325
1326         * dfg/DFGJITCode.cpp:
1327         (JSC::DFG::JITCode::finalizeOSREntrypoints):
1328         * dfg/DFGJITCode.h:
1329         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints): Deleted.
1330         * dfg/DFGSpeculativeJIT.cpp:
1331         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1332
1333 2017-08-23  Keith Miller  <keith_miller@apple.com>
1334
1335         Fix Titzer bench on iOS.
1336         https://bugs.webkit.org/show_bug.cgi?id=175917
1337
1338         Reviewed by Ryosuke Niwa.
1339
        Currently, Titzer bench doesn't run on iOS since the benchmark
        allocates lots of physical pages that it never actually writes
        to. We limited the total number of wasm physical pages to the RAM
        size of the phone, which caused us to fail a memory
        allocation. This patch changes it so we will allocate up to 3x RAM
        size, which seems to fix the problem.
1346
1347         * wasm/WasmMemory.cpp:
1348
1349 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1350
1351         Unreviewed, fix for test262
1352         https://bugs.webkit.org/show_bug.cgi?id=175915
1353
1354         * runtime/MapPrototype.cpp:
1355         (JSC::MapPrototype::finishCreation):
1356         * runtime/SetPrototype.cpp:
1357         (JSC::SetPrototype::finishCreation):
1358
1359 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1360
1361         Unreviewed, build fix in GTK port
1362         https://bugs.webkit.org/show_bug.cgi?id=174590
1363
1364         * bytecompiler/BytecodeGenerator.cpp:
1365         (JSC::BytecodeGenerator::emitCatch):
1366         * bytecompiler/BytecodeGenerator.h:
1367
1368 2017-08-23  Saam Barati  <sbarati@apple.com>
1369
1370         Support compiling catch in the DFG
1371         https://bugs.webkit.org/show_bug.cgi?id=174590
1372
1373         Reviewed by Filip Pizlo.
1374
1375         This patch implements OSR entry into op_catch in the DFG. We will support OSR entry
1376         into the FTL in a followup: https://bugs.webkit.org/show_bug.cgi?id=175396
1377         
1378         To implement catch in the DFG, this patch introduces the concept of multiple
1379         entrypoints into CPS/LoadStore DFG IR. A lot of this patch is stringing this concept
1380         through the DFG. Many phases used to assume that Graph::block(0) is the only root, and this
        patch contains many straightforward changes generalizing the code to handle more than
1382         one entrypoint.
1383         
1384         A main building block of this is moving to two CFG types: SSACFG and CPSCFG. SSACFG
1385         is the same CFG we used to have. CPSCFG is a new type that introduces a fake root
1386         that has an outgoing edge to all the entrypoints. This allows our existing graph algorithms
1387         to Just Work over CPSCFG. For example, there is now the concept of SSADominators vs CPSDominators,
1388         and SSANaturalLoops vs CPSNaturalLoops.
1389         
1390         The way we compile the catch entrypoint is by bootstrapping the state
1391         of the program by loading all live bytecode locals from a buffer. The OSR
1392         entry code will store all live values into that buffer before jumping to
1393         the entrypoint. The OSR entry code is also responsible for performing type
1394         proofs of the arguments before doing an OSR entry. If there is a type
1395         mismatch, it's not legal to OSR enter into the DFG compilation. Currently,
1396         each catch entrypoint knows the argument type proofs it must perform to enter
        into the DFG. Currently, all entrypoints' argument flush formats are unified
1398         via ArgumentPosition, but this is just an implementation detail. The code is
1399         written more generally to assume that each entrypoint may perform its own distinct
1400         proof.
1401         
1402         op_catch now performs value profiling for all live bytecode locals in the
1403         LLInt and baseline JIT. This information is then fed into the DFG via the
1404         ExtractCatchLocal node in the prediction propagation phase.
1405         
1406         This patch also changes how we generate op_catch in bytecode. All op_catches
1407         are now split out at the end of the program in bytecode. This ensures that
1408         no op_catch is inside a try block. This is needed to ensure correctness in
1409         the DFGLiveCatchVariablePreservationPhase. That phase only inserts flushes
1410         before SetLocals inside a try block. If an op_catch were in a try block, this
1411         would cause the phase to insert a Flush before one of the state bootstrapping
1412         SetLocals, which would generate invalid IR. Moving op_catch to be generated on
1413         its own at the end of a bytecode stream seemed like the most elegant solution since
1414         it better represents that we treat op_catch as an entrypoint. This is true
1415         both in the DFG and in the baseline and LLInt: we don't reach an op_catch
1416         via normal control flow. Because op_catch cannot throw, this will not break
1417         any previous semantics of op_catch. Logically, it'd be valid to split try
1418         blocks around any non-throwing bytecode operation.
1419
1420         * CMakeLists.txt:
1421         * JavaScriptCore.xcodeproj/project.pbxproj:
1422         * bytecode/BytecodeDumper.cpp:
1423         (JSC::BytecodeDumper<Block>::dumpBytecode):
1424         * bytecode/BytecodeList.json:
1425         * bytecode/BytecodeUseDef.h:
1426         (JSC::computeUsesForBytecodeOffset):
1427         * bytecode/CodeBlock.cpp:
1428         (JSC::CodeBlock::finishCreation):
1429         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
1430         (JSC::CodeBlock::validate):
1431         * bytecode/CodeBlock.h:
1432         * bytecode/ValueProfile.h:
1433         (JSC::ValueProfile::ValueProfile):
1434         (JSC::ValueProfileAndOperandBuffer::ValueProfileAndOperandBuffer):
1435         (JSC::ValueProfileAndOperandBuffer::~ValueProfileAndOperandBuffer):
1436         (JSC::ValueProfileAndOperandBuffer::forEach):
1437         * bytecompiler/BytecodeGenerator.cpp:
1438         (JSC::BytecodeGenerator::generate):
1439         (JSC::BytecodeGenerator::BytecodeGenerator):
1440         (JSC::BytecodeGenerator::emitCatch):
1441         (JSC::BytecodeGenerator::emitEnumeration):
1442         * bytecompiler/BytecodeGenerator.h:
1443         * bytecompiler/NodesCodegen.cpp:
1444         (JSC::TryNode::emitBytecode):
1445         * dfg/DFGAbstractInterpreterInlines.h:
1446         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1447         * dfg/DFGBackwardsCFG.h:
1448         (JSC::DFG::BackwardsCFG::BackwardsCFG):
1449         * dfg/DFGBasicBlock.cpp:
1450         (JSC::DFG::BasicBlock::BasicBlock):
1451         * dfg/DFGBasicBlock.h:
1452         (JSC::DFG::BasicBlock::findTerminal const):
1453         * dfg/DFGByteCodeParser.cpp:
1454         (JSC::DFG::ByteCodeParser::setDirect):
1455         (JSC::DFG::ByteCodeParser::flush):
1456         (JSC::DFG::ByteCodeParser::DelayedSetLocal::DelayedSetLocal):
1457         (JSC::DFG::ByteCodeParser::DelayedSetLocal::execute):
1458         (JSC::DFG::ByteCodeParser::parseBlock):
1459         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1460         (JSC::DFG::ByteCodeParser::parse):
1461         * dfg/DFGCFG.h:
1462         (JSC::DFG::CFG::root):
1463         (JSC::DFG::CFG::roots):
1464         (JSC::DFG::CPSCFG::CPSCFG):
1465         (JSC::DFG::selectCFG):
1466         * dfg/DFGCPSRethreadingPhase.cpp:
1467         (JSC::DFG::CPSRethreadingPhase::specialCaseArguments):
1468         * dfg/DFGCSEPhase.cpp:
1469         * dfg/DFGClobberize.h:
1470         (JSC::DFG::clobberize):
1471         * dfg/DFGControlEquivalenceAnalysis.h:
1472         (JSC::DFG::ControlEquivalenceAnalysis::ControlEquivalenceAnalysis):
1473         * dfg/DFGDCEPhase.cpp:
1474         (JSC::DFG::DCEPhase::run):
1475         * dfg/DFGDisassembler.cpp:
1476         (JSC::DFG::Disassembler::createDumpList):
1477         * dfg/DFGDoesGC.cpp:
1478         (JSC::DFG::doesGC):
1479         * dfg/DFGDominators.h:
1480         (JSC::DFG::Dominators::Dominators):
1481         (JSC::DFG::ensureDominatorsForCFG):
1482         * dfg/DFGEdgeDominates.h:
1483         (JSC::DFG::EdgeDominates::EdgeDominates):
1484         (JSC::DFG::EdgeDominates::operator()):
1485         * dfg/DFGFixupPhase.cpp:
1486         (JSC::DFG::FixupPhase::fixupNode):
1487         (JSC::DFG::FixupPhase::fixupChecksInBlock):
1488         * dfg/DFGFlushFormat.h:
1489         * dfg/DFGGraph.cpp:
1490         (JSC::DFG::Graph::Graph):
1491         (JSC::DFG::unboxLoopNode):
1492         (JSC::DFG::Graph::dumpBlockHeader):
1493         (JSC::DFG::Graph::dump):
1494         (JSC::DFG::Graph::determineReachability):
1495         (JSC::DFG::Graph::invalidateCFG):
1496         (JSC::DFG::Graph::blocksInPreOrder):
1497         (JSC::DFG::Graph::blocksInPostOrder):
1498         (JSC::DFG::Graph::ensureCPSDominators):
1499         (JSC::DFG::Graph::ensureSSADominators):
1500         (JSC::DFG::Graph::ensureCPSNaturalLoops):
1501         (JSC::DFG::Graph::ensureSSANaturalLoops):
1502         (JSC::DFG::Graph::ensureBackwardsCFG):
1503         (JSC::DFG::Graph::ensureBackwardsDominators):
1504         (JSC::DFG::Graph::ensureControlEquivalenceAnalysis):
1505         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
1506         (JSC::DFG::Graph::clearCPSCFGData):
1507         (JSC::DFG::Graph::ensureDominators): Deleted.
1508         (JSC::DFG::Graph::ensurePrePostNumbering): Deleted.
1509         (JSC::DFG::Graph::ensureNaturalLoops): Deleted.
1510         * dfg/DFGGraph.h:
1511         (JSC::DFG::Graph::willCatchExceptionInMachineFrame):
1512         (JSC::DFG::Graph::isEntrypoint const):
1513         * dfg/DFGInPlaceAbstractState.cpp:
1514         (JSC::DFG::InPlaceAbstractState::initialize):
1515         (JSC::DFG::InPlaceAbstractState::mergeToSuccessors):
1516         * dfg/DFGJITCode.cpp:
1517         (JSC::DFG::JITCode::shrinkToFit):
1518         * dfg/DFGJITCode.h:
1519         (JSC::DFG::JITCode::catchOSREntryDataForBytecodeIndex):
1520         (JSC::DFG::JITCode::finalizeCatchOSREntrypoints):
1521         (JSC::DFG::JITCode::appendCatchEntrypoint):
1522         * dfg/DFGJITCompiler.cpp:
1523         (JSC::DFG::JITCompiler::compile):
1524         (JSC::DFG::JITCompiler::compileFunction):
1525         (JSC::DFG::JITCompiler::noticeCatchEntrypoint):
1526         (JSC::DFG::JITCompiler::noticeOSREntry):
1527         (JSC::DFG::JITCompiler::makeCatchOSREntryBuffer):
1528         * dfg/DFGJITCompiler.h:
1529         * dfg/DFGLICMPhase.cpp:
1530         (JSC::DFG::LICMPhase::run):
1531         (JSC::DFG::LICMPhase::attemptHoist):
1532         * dfg/DFGLiveCatchVariablePreservationPhase.cpp:
1533         (JSC::DFG::LiveCatchVariablePreservationPhase::run):
1534         (JSC::DFG::LiveCatchVariablePreservationPhase::isValidFlushLocation):
1535         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlockForTryCatch):
1536         (JSC::DFG::LiveCatchVariablePreservationPhase::newVariableAccessData):
1537         (JSC::DFG::LiveCatchVariablePreservationPhase::willCatchException): Deleted.
1538         (JSC::DFG::LiveCatchVariablePreservationPhase::handleBlock): Deleted.
1539         * dfg/DFGLoopPreHeaderCreationPhase.cpp:
1540         (JSC::DFG::createPreHeader):
1541         (JSC::DFG::LoopPreHeaderCreationPhase::run):
1542         * dfg/DFGMaximalFlushInsertionPhase.cpp:
1543         (JSC::DFG::MaximalFlushInsertionPhase::run):
1544         (JSC::DFG::MaximalFlushInsertionPhase::treatRegularBlock):
1545         (JSC::DFG::MaximalFlushInsertionPhase::treatRootBlock):
1546         * dfg/DFGMayExit.cpp:
1547         * dfg/DFGNaturalLoops.h:
1548         (JSC::DFG::NaturalLoops::NaturalLoops):
1549         * dfg/DFGNode.h:
1550         (JSC::DFG::Node::isSwitch const):
1551         (JSC::DFG::Node::successor):
1552         (JSC::DFG::Node::catchOSREntryIndex const):
1553         (JSC::DFG::Node::catchLocalPrediction):
1554         (JSC::DFG::Node::isSwitch): Deleted.
1555         * dfg/DFGNodeType.h:
1556         * dfg/DFGOSREntry.cpp:
1557         (JSC::DFG::prepareCatchOSREntry):
1558         * dfg/DFGOSREntry.h:
1559         * dfg/DFGOSREntrypointCreationPhase.cpp:
1560         (JSC::DFG::OSREntrypointCreationPhase::run):
1561         * dfg/DFGOSRExitCompilerCommon.cpp:
1562         (JSC::DFG::handleExitCounts):
1563         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1564         * dfg/DFGPlan.cpp:
1565         (JSC::DFG::Plan::compileInThreadImpl):
1566         * dfg/DFGPrePostNumbering.cpp:
1567         (JSC::DFG::PrePostNumbering::PrePostNumbering): Deleted.
1568         (JSC::DFG::PrePostNumbering::~PrePostNumbering): Deleted.
1569         (WTF::printInternal): Deleted.
1570         * dfg/DFGPrePostNumbering.h:
1571         (): Deleted.
1572         (JSC::DFG::PrePostNumbering::preNumber const): Deleted.
1573         (JSC::DFG::PrePostNumbering::postNumber const): Deleted.
1574         (JSC::DFG::PrePostNumbering::isStrictAncestorOf const): Deleted.
1575         (JSC::DFG::PrePostNumbering::isAncestorOf const): Deleted.
1576         (JSC::DFG::PrePostNumbering::isStrictDescendantOf const): Deleted.
1577         (JSC::DFG::PrePostNumbering::isDescendantOf const): Deleted.
1578         (JSC::DFG::PrePostNumbering::edgeKind const): Deleted.
1579         * dfg/DFGPredictionInjectionPhase.cpp:
1580         (JSC::DFG::PredictionInjectionPhase::run):
1581         * dfg/DFGPredictionPropagationPhase.cpp:
1582         * dfg/DFGPutStackSinkingPhase.cpp:
1583         * dfg/DFGSSACalculator.cpp:
1584         (JSC::DFG::SSACalculator::nonLocalReachingDef):
1585         (JSC::DFG::SSACalculator::reachingDefAtTail):
1586         * dfg/DFGSSACalculator.h:
1587         (JSC::DFG::SSACalculator::computePhis):
1588         * dfg/DFGSSAConversionPhase.cpp:
1589         (JSC::DFG::SSAConversionPhase::run):
1590         (JSC::DFG::performSSAConversion):
1591         * dfg/DFGSafeToExecute.h:
1592         (JSC::DFG::safeToExecute):
1593         * dfg/DFGSpeculativeJIT.cpp:
1594         (JSC::DFG::SpeculativeJIT::compileCurrentBlock):
1595         (JSC::DFG::SpeculativeJIT::checkArgumentTypes):
1596         (JSC::DFG::SpeculativeJIT::createOSREntries):
1597         (JSC::DFG::SpeculativeJIT::linkOSREntries):
1598         * dfg/DFGSpeculativeJIT32_64.cpp:
1599         (JSC::DFG::SpeculativeJIT::compile):
1600         * dfg/DFGSpeculativeJIT64.cpp:
1601         (JSC::DFG::SpeculativeJIT::compile):
1602         * dfg/DFGStaticExecutionCountEstimationPhase.cpp:
1603         (JSC::DFG::StaticExecutionCountEstimationPhase::run):
1604         * dfg/DFGStrengthReductionPhase.cpp:
1605         (JSC::DFG::StrengthReductionPhase::handleNode):
1606         * dfg/DFGTierUpCheckInjectionPhase.cpp:
1607         (JSC::DFG::TierUpCheckInjectionPhase::run):
1608         (JSC::DFG::TierUpCheckInjectionPhase::buildNaturalLoopToLoopHintMap):
1609         * dfg/DFGTypeCheckHoistingPhase.cpp:
1610         (JSC::DFG::TypeCheckHoistingPhase::run):
1611         * dfg/DFGValidate.cpp:
1612         * ftl/FTLLink.cpp:
1613         (JSC::FTL::link):
1614         * ftl/FTLLowerDFGToB3.cpp:
1615         (JSC::FTL::DFG::LowerDFGToB3::lower):
1616         (JSC::FTL::DFG::LowerDFGToB3::safelyInvalidateAfterTermination):
1617         (JSC::FTL::DFG::LowerDFGToB3::isValid):
1618         * jit/JIT.h:
1619         * jit/JITInlines.h:
1620         (JSC::JIT::callOperation):
1621         * jit/JITOpcodes.cpp:
1622         (JSC::JIT::emit_op_catch):
1623         * jit/JITOpcodes32_64.cpp:
1624         (JSC::JIT::emit_op_catch):
1625         * jit/JITOperations.cpp:
1626         * jit/JITOperations.h:
1627         * llint/LLIntSlowPaths.cpp:
1628         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1629         * llint/LLIntSlowPaths.h:
1630         * llint/LowLevelInterpreter32_64.asm:
1631         * llint/LowLevelInterpreter64.asm:
1632
1633 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1634
1635         Unreviewed, debug build fix
1636         https://bugs.webkit.org/show_bug.cgi?id=174355
1637
1638         * ftl/FTLLowerDFGToB3.cpp:
1639         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1640
1641 2017-08-23  Michael Saboff  <msaboff@apple.com>
1642
1643         REGRESSION (r221052): DumpRenderTree crashed in com.apple.JavaScriptCore: JSC::Yarr::YarrCodeBlock::execute + 137
1644         https://bugs.webkit.org/show_bug.cgi?id=175903
1645
1646         Reviewed by Saam Barati.
1647
1648         In generateCharacterClassGreedy we were incrementing the "count" register before checking
1649         for the end of the input string.  The at-end-of-input check is the final check before
1650         knowing that the current character matched.  In this case, the end of input check
1651         indicates that we ran out of prechecked characters and therefore should fail the match of
1652         the current character.  The backtracking code uses the value in the "count" register as
        the number of characters that successfully matched, which shouldn't include the current
        character.  Therefore we need to move the incrementing of "count" to after the
        at-end-of-input check.
1656
1657         Through code inspection of the expectations of other backtracking code, I determined that 
        the non-greedy character class matching code had a similar issue.  I fixed that as well
1659         and added a new test case.
1660
1661         * yarr/YarrJIT.cpp:
1662         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1663         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
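
        The ordering defect described in this entry, as an added model written for this page; it is not JSC's YarrJIT code. The greedy loop, the fixed ASCII-lowercase class, the `buggy_order` switch and the backtracking consumer are all constructed; the constructed sample buffer "abcd" stands for the input "abc" plus one readable byte past its end, because the loop (like the JIT reading against prechecked input) reads the current character before the end-of-input check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed character class: ASCII lowercase letters (stands in for the
   pattern's class; not JSC code). */
static bool in_class(char c)
{
    return c >= 'a' && c <= 'z';
}

/* Greedy character-class loop starting at `pos` in `buf`, where only the first
   `len` bytes are real input. The current character is read before the
   end-of-input check, so `buf` must carry one readable byte past `len`.
   `buggy_order` selects the regressed ordering: "count" is bumped before the
   at-end-of-input check, so a character that only "matched" because it was
   read past the end is still counted. */
size_t greedy_count(const char *buf, size_t len, size_t pos, bool buggy_order)
{
    size_t index = pos;
    size_t count = 0;
    for (;;) {
        if (!in_class(buf[index]))
            break;            /* class test failed: current character not matched */
        if (buggy_order)
            count++;          /* regressed ordering: counted before we know it is real */
        if (index == len)
            break;            /* ran out of input: the current character must not count */
        if (!buggy_order)
            count++;          /* fixed ordering: count only verified characters */
        index++;
    }
    return count;
}

/* Model of the backtracking consumer: the term after the greedy class is tried
   at pos + count, and on failure the greedy count is shrunk one character at a
   time. Returns the count at which `next_literal` matched, or -1 if none.
   A position beyond `len` is never legitimate; the JIT has no guard there
   (that is the reported crash), so this model records the attempt in
   *past_end instead of reading. */
long backtrack_to_literal(const char *buf, size_t len, size_t pos, size_t count,
                          char next_literal, bool *past_end)
{
    *past_end = false;
    for (;;) {
        size_t at = pos + count;
        if (at > len)
            *past_end = true;                         /* would read outside the input */
        else if (at < len && buf[at] == next_literal)
            return (long)count;
        if (count == 0)
            return -1;
        count--;
    }
}

/* Convenience wrapper: does backtracking from `count` ever reach past the input? */
bool backtrack_reads_past_end(const char *buf, size_t len, size_t pos, size_t count,
                              char next_literal)
{
    bool past_end;
    (void)backtrack_to_literal(buf, len, pos, count, next_literal, &past_end);
    return past_end;
}

int main(void)
{
    /* Constructed sample: "abc" is the input (len 3); 'd' is the byte past its end. */
    const char *sample = "abcd";
    size_t fixed = greedy_count(sample, 3, 0, false);
    size_t buggy = greedy_count(sample, 3, 0, true);
    printf("fixed ordering: count=%zu, backtracking past end=%d\n",
           fixed, backtrack_reads_past_end(sample, 3, 0, fixed, 'c'));
    printf("regressed ordering: count=%zu, backtracking past end=%d\n",
           buggy, backtrack_reads_past_end(sample, 3, 0, buggy, 'c'));
    return 0;
}
```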
1664
1665 2017-08-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1666
1667         [JSC] Optimize Map iteration with intrinsic
1668         https://bugs.webkit.org/show_bug.cgi?id=174355
1669
1670         Reviewed by Saam Barati.
1671
        This patch optimizes Map/Set iteration by taking an approach similar to Array iteration.
        We create a simple iterator object instead of JSMapIterator and JSSetIterator, and we
        directly handle Map/Set buckets in JS builtins. We carefully create mapIteratorNext and
        setIteratorNext functions which should be inlined. This leads to a significant performance boost
        when they are inlined in for-of iteration.
1677
        This patch changes how the DFG and FTL handle MapBucket if the bucket is not found.
        Previously, we used nullptr for that, and the DFG and FTL specially handled this nullptr as a bucket.
        Instead, this patch introduces sentinel buckets. They are marked as deleted, and not linked
        to any hash maps, and their key and value fields are filled with Undefined. By returning this
        sentinel bucket instead of returning nullptr, we simplify the DFG and FTL's LoadXXXFromMapBucket
        code.
1684
        We still keep JSMapIterator and JSSetIterator because they are useful to serialize Map and Set
        in WebCore, so they are not used in user-observable JS. We change them from JS objects to JS cells.
1687
        Existing microbenchmarks show performance improvements.
1689
1690         large-map-iteration                           164.1622+-4.1618     ^     56.6284+-1.5355        ^ definitely 2.8989x faster
1691         set-for-of                                     15.4369+-1.0631     ^      9.2955+-0.5979        ^ definitely 1.6607x faster
1692         map-for-each                                    7.5889+-0.5792     ^      6.3011+-0.4816        ^ definitely 1.2044x faster
1693         map-for-of                                     32.3904+-1.3003     ^     12.6907+-0.6118        ^ definitely 2.5523x faster
1694         map-rehash                                     13.9275+-0.9187     ^     11.5367+-0.6430        ^ definitely 1.2072x faster
1695
1696         * CMakeLists.txt:
1697         * DerivedSources.make:
1698         * builtins/ArrayPrototype.js:
1699         (globalPrivate.createArrayIterator):
1700         * builtins/BuiltinNames.h:
1701         * builtins/MapIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1702         (globalPrivate.mapIteratorNext):
1703         (next):
1704         * builtins/MapPrototype.js:
1705         (globalPrivate.createMapIterator):
1706         (values):
1707         (keys):
1708         (entries):
1709         (forEach):
1710         * builtins/SetIteratorPrototype.js: Copied from Source/JavaScriptCore/builtins/MapPrototype.js.
1711         (globalPrivate.setIteratorNext):
1712         (next):
1713         * builtins/SetPrototype.js:
1714         (globalPrivate.createSetIterator):
1715         (values):
1716         (entries):
1717         (forEach):
1718         * bytecode/BytecodeIntrinsicRegistry.cpp:
1719         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1720         * bytecode/BytecodeIntrinsicRegistry.h:
1721         * bytecode/SpeculatedType.h:
1722         * dfg/DFGAbstractInterpreterInlines.h:
1723         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1724         * dfg/DFGByteCodeParser.cpp:
1725         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1726         * dfg/DFGClobberize.h:
1727         (JSC::DFG::clobberize):
1728         * dfg/DFGDoesGC.cpp:
1729         (JSC::DFG::doesGC):
1730         * dfg/DFGFixupPhase.cpp:
1731         (JSC::DFG::FixupPhase::fixupNode):
1732         * dfg/DFGHeapLocation.cpp:
1733         (WTF::printInternal):
1734         * dfg/DFGHeapLocation.h:
1735         * dfg/DFGNode.h:
1736         (JSC::DFG::Node::hasHeapPrediction):
1737         (JSC::DFG::Node::hasBucketOwnerType):
1738         (JSC::DFG::Node::bucketOwnerType):
1739         (JSC::DFG::Node::OpInfoWrapper::as const):
1740         * dfg/DFGNodeType.h:
1741         * dfg/DFGOperations.cpp:
1742         * dfg/DFGPredictionPropagationPhase.cpp:
1743         * dfg/DFGSafeToExecute.h:
1744         (JSC::DFG::safeToExecute):
1745         * dfg/DFGSpeculativeJIT.cpp:
1746         (JSC::DFG::SpeculativeJIT::compileGetMapBucketHead):
1747         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
1748         (JSC::DFG::SpeculativeJIT::compileLoadKeyFromMapBucket):
1749         (JSC::DFG::SpeculativeJIT::compileLoadValueFromMapBucket):
1750         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr): Deleted.
1751         * dfg/DFGSpeculativeJIT.h:
1752         * dfg/DFGSpeculativeJIT32_64.cpp:
1753         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1754         (JSC::DFG::SpeculativeJIT::compile):
1755         * dfg/DFGSpeculativeJIT64.cpp:
1756         (JSC::DFG::SpeculativeJIT::compileCompareEqPtr):
1757         (JSC::DFG::SpeculativeJIT::compile):
1758         * ftl/FTLAbstractHeapRepository.h:
1759         * ftl/FTLCapabilities.cpp:
1760         (JSC::FTL::canCompile):
1761         * ftl/FTLLowerDFGToB3.cpp:
1762         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1763         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1764         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketHead):
1765         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
1766         (JSC::FTL::DFG::LowerDFGToB3::compileLoadValueFromMapBucket):
1767         (JSC::FTL::DFG::LowerDFGToB3::compileLoadKeyFromMapBucket):
1768         (JSC::FTL::DFG::LowerDFGToB3::setStorage):
1769         (JSC::FTL::DFG::LowerDFGToB3::compileLoadFromJSMapBucket): Deleted.
1770         (JSC::FTL::DFG::LowerDFGToB3::compileIsNonEmptyMapBucket): Deleted.
1771         (JSC::FTL::DFG::LowerDFGToB3::lowMapBucket): Deleted.
1772         (JSC::FTL::DFG::LowerDFGToB3::setMapBucket): Deleted.
1773         * inspector/JSInjectedScriptHost.cpp:
1774         (Inspector::JSInjectedScriptHost::subtype):
1775         (Inspector::JSInjectedScriptHost::getInternalProperties):
1776         (Inspector::cloneMapIteratorObject):
1777         (Inspector::cloneSetIteratorObject):
1778         (Inspector::JSInjectedScriptHost::iteratorEntries):
1779         * runtime/HashMapImpl.h:
1780         (JSC::HashMapBucket::createSentinel):
1781         (JSC::HashMapBucket::offsetOfNext):
1782         (JSC::HashMapBucket::offsetOfDeleted):
1783         (JSC::HashMapImpl::offsetOfHead):
1784         * runtime/Intrinsic.cpp:
1785         (JSC::intrinsicName):
1786         * runtime/Intrinsic.h:
1787         * runtime/JSGlobalObject.cpp:
1788         (JSC::JSGlobalObject::init):
1789         * runtime/JSGlobalObject.h:
1790         * runtime/JSMap.h:
1791         * runtime/JSMapIterator.cpp:
1792         (JSC::JSMapIterator::clone): Deleted.
1793         * runtime/JSMapIterator.h:
1794         (JSC::JSMapIterator::iteratedValue const):
1795         * runtime/JSSet.h:
1796         * runtime/JSSetIterator.cpp:
1797         (JSC::JSSetIterator::clone): Deleted.
1798         * runtime/JSSetIterator.h:
1799         (JSC::JSSetIterator::iteratedValue const):
1800         * runtime/MapConstructor.cpp:
1801         (JSC::mapPrivateFuncMapBucketHead):
1802         (JSC::mapPrivateFuncMapBucketNext):
1803         (JSC::mapPrivateFuncMapBucketKey):
1804         (JSC::mapPrivateFuncMapBucketValue):
1805         * runtime/MapConstructor.h:
1806         * runtime/MapIteratorPrototype.cpp:
1807         (JSC::MapIteratorPrototype::finishCreation):
1808         (JSC::MapIteratorPrototypeFuncNext): Deleted.
1809         * runtime/MapPrototype.cpp:
1810         (JSC::MapPrototype::finishCreation):
1811         (JSC::mapProtoFuncValues): Deleted.
1812         (JSC::mapProtoFuncEntries): Deleted.
1813         (JSC::mapProtoFuncKeys): Deleted.
1814         (JSC::privateFuncMapIterator): Deleted.
1815         (JSC::privateFuncMapIteratorNext): Deleted.
1816         * runtime/MapPrototype.h:
1817         * runtime/SetConstructor.cpp:
1818         (JSC::setPrivateFuncSetBucketHead):
1819         (JSC::setPrivateFuncSetBucketNext):
1820         (JSC::setPrivateFuncSetBucketKey):
1821         * runtime/SetConstructor.h:
1822         * runtime/SetIteratorPrototype.cpp:
1823         (JSC::SetIteratorPrototype::finishCreation):
1824         (JSC::SetIteratorPrototypeFuncNext): Deleted.
1825         * runtime/SetPrototype.cpp:
1826         (JSC::SetPrototype::finishCreation):
1827         (JSC::setProtoFuncSize):
1828         (JSC::setProtoFuncValues): Deleted.
1829         (JSC::setProtoFuncEntries): Deleted.
1830         (JSC::privateFuncSetIterator): Deleted.
1831         (JSC::privateFuncSetIteratorNext): Deleted.
1832         * runtime/SetPrototype.h:
1833         * runtime/VM.cpp:
1834         (JSC::VM::VM):
1835         * runtime/VM.h:
1836
1837 2017-08-23  David Kilzer  <ddkilzer@apple.com>
1838
1839         Fix -Wcast-qual warnings in JavaScriptCore with new clang compiler
1840         <https://webkit.org/b/175889>
1841         <rdar://problem/33667497>
1842
1843         Reviewed by Mark Lam.
1844
1845         * API/ObjCCallbackFunction.mm:
1846         (JSC::objCCallbackFunctionCallAsConstructor): Use
1847         const_cast<JSObjectRef>() since JSValueRef is const while
1848         JSObjectRef is not.
1849         * API/tests/CurrentThisInsideBlockGetterTest.mm:
1850         (+[JSValue valueWithConstructorDescriptor:inContext:]): Use
1851         const_cast<void*>() since JSObjectMake() takes a void*, but
1852         CFBridgingRetain() returns const void*.
1853
1854 2017-08-23  Robin Morisset  <rmorisset@apple.com>
1855
1856         Make GetDynamicVar propagate heap predictions instead of saying HeapTop
1857         https://bugs.webkit.org/show_bug.cgi?id=175738
1858
1859         Reviewed by Saam Barati.
1860
        The heap prediction always ends up in m_opInfo2. But GetDynamicVar was already storing getPutInfo in there.
1862         So we move that one into m_opInfo. We can do this because it is 32-bit, and the already present identifierNumber
1863         is also 32-bit, so we can pack both in m_opInfo (which is 64 bits).
1864
1865         * dfg/DFGByteCodeParser.cpp:
1866         (JSC::DFG::makeDynamicVarOpInfo):
1867         (JSC::DFG::ByteCodeParser::parseBlock):
1868         * dfg/DFGNode.h:
1869         (JSC::DFG::Node::getPutInfo):
1870         (JSC::DFG::Node::hasHeapPrediction):
1871         * dfg/DFGPredictionPropagationPhase.cpp:
1872
1873 2017-08-23  Skachkov Oleksandr  <gskachkov@gmail.com>
1874
1875         [ESNext] Async iteration - Implement Async Generator - runtime
1876         https://bugs.webkit.org/show_bug.cgi?id=175240
1877
1878         Reviewed by Yusuke Suzuki.
1879
        The current implementation is a draft version of Async Iteration.
        Link to spec: https://tc39.github.io/proposal-async-iteration/

        To implement async generators, new states were added that show the reason why an async generator was suspended:
        # yield - return a promise with the result
        # await - wait until the promise is resolved and then continue

        The main difference between an async function and an async generator is that
        an async function returns a promise, but an async generator returns an
        object with methods (next, throw and return) that return a promise that
        can be resolved with a pair of properties, value and done.
        Async generator functions are similar to generator functions, with the following differences:
        # When called, async generator functions return an object, an async generator,
        whose methods (next, throw, and return) return promises for { value, done },
        instead of directly returning { value, done }.
        This automatically makes the returned async generator objects async iterators.
        # await expressions and for-await-of statements are allowed.
        # The behavior of yield* is modified to support
          delegation to sync and async iterables
1899
1900         * CMakeLists.txt:
1901         * DerivedSources.make:
1902         * JavaScriptCore.xcodeproj/project.pbxproj:
1903         * builtins/AsyncFromSyncIteratorPrototype.js: Added.
1904         (next.try):
1905         (next):
1906         (return.try):
1907         (return):
1908         (throw.try):
1909         (throw):
1910         (globalPrivate.createAsyncFromSyncIterator):
1911         (globalPrivate.AsyncFromSyncIteratorConstructor):
1912         * builtins/AsyncGeneratorPrototype.js: Added.
1913         (globalPrivate.createAsyncGeneratorQueue):
1914         (globalPrivate.asyncGeneratorQueueIsEmpty):
1915         (globalPrivate.asyncGeneratorQueueCreateItem):
1916         (globalPrivate.asyncGeneratorQueueEnqueue):
1917         (globalPrivate.asyncGeneratorQueueDequeue):
1918         (globalPrivate.asyncGeneratorQueueGetFirstValue):
1919         (globalPrivate.asyncGeneratorDequeue):
1920         (globalPrivate.isExecutionState):
1921         (globalPrivate.isSuspendYieldState):
1922         (globalPrivate.asyncGeneratorReject):
1923         (globalPrivate.asyncGeneratorResolve):
1924         (asyncGeneratorYieldAwaited):
1925         (globalPrivate.asyncGeneratorYield):
1926         (const.onRejected):
1927         (globalPrivate.awaitValue):
1928         (const.onFulfilled):
1929         (globalPrivate.doAsyncGeneratorBodyCall):
1930         (globalPrivate.asyncGeneratorResumeNext.):
1931         (globalPrivate.asyncGeneratorResumeNext):
1932         (globalPrivate.asyncGeneratorEnqueue):
1933         (next):
1934         (return):
1935         (throw):
1936         * builtins/AsyncIteratorPrototype.js: Added.
1937         (symbolAsyncIteratorGetter):
1938         * builtins/BuiltinNames.h:
1939         * bytecode/BytecodeDumper.cpp:
1940         (JSC::BytecodeDumper<Block>::dumpBytecode):
1941         * bytecode/BytecodeIntrinsicRegistry.cpp:
1942         (JSC::BytecodeIntrinsicRegistry::BytecodeIntrinsicRegistry):
1943         * bytecode/BytecodeIntrinsicRegistry.h:
1944         * bytecode/BytecodeList.json:
1945         * bytecode/BytecodeUseDef.h:
1946         (JSC::computeUsesForBytecodeOffset):
1947         (JSC::computeDefsForBytecodeOffset):
1948         * bytecompiler/BytecodeGenerator.cpp:
1949         (JSC::BytecodeGenerator::BytecodeGenerator):
1950         (JSC::BytecodeGenerator::emitCreateAsyncGeneratorQueue):
1951         (JSC::BytecodeGenerator::emitPutAsyncGeneratorFields):
1952         (JSC::BytecodeGenerator::emitNewFunctionExpressionCommon):
1953         (JSC::BytecodeGenerator::emitNewFunction):
1954         (JSC::BytecodeGenerator::emitIteratorNextWithValue):
1955         (JSC::BytecodeGenerator::emitIteratorClose):
1956         (JSC::BytecodeGenerator::emitYieldPoint):
1957         (JSC::BytecodeGenerator::emitYield):
1958         (JSC::BytecodeGenerator::emitCallIterator):
1959         (JSC::BytecodeGenerator::emitAwait):
1960         (JSC::BytecodeGenerator::emitGetIterator):
1961         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1962         (JSC::BytecodeGenerator::emitDelegateYield):
1963         * bytecompiler/BytecodeGenerator.h:
1964         * bytecompiler/NodesCodegen.cpp:
1965         (JSC::ReturnNode::emitBytecode):
1966         (JSC::FunctionNode::emitBytecode):
1967         (JSC::YieldExprNode::emitBytecode):
1968         (JSC::AwaitExprNode::emitBytecode):
1969         * dfg/DFGAbstractInterpreterInlines.h:
1970         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1971         * dfg/DFGByteCodeParser.cpp:
1972         (JSC::DFG::ByteCodeParser::parseBlock):
1973         * dfg/DFGCapabilities.cpp:
1974         (JSC::DFG::capabilityLevel):
1975         * dfg/DFGClobberize.h:
1976         (JSC::DFG::clobberize):
1977         * dfg/DFGClobbersExitState.cpp:
1978         (JSC::DFG::clobbersExitState):
1979         * dfg/DFGDoesGC.cpp:
1980         (JSC::DFG::doesGC):
1981         * dfg/DFGFixupPhase.cpp:
1982         (JSC::DFG::FixupPhase::fixupNode):
1983         * dfg/DFGMayExit.cpp:
1984         * dfg/DFGNode.h:
1985         (JSC::DFG::Node::convertToPhantomNewFunction):
1986         (JSC::DFG::Node::convertToPhantomNewAsyncGeneratorFunction):
1987         (JSC::DFG::Node::hasCellOperand):
1988         (JSC::DFG::Node::isFunctionAllocation):
1989         (JSC::DFG::Node::isPhantomFunctionAllocation):
1990         (JSC::DFG::Node::isPhantomAllocation):
1991         * dfg/DFGNodeType.h:
1992         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1993         * dfg/DFGPredictionPropagationPhase.cpp:
1994         * dfg/DFGSafeToExecute.h:
1995         (JSC::DFG::safeToExecute):
1996         * dfg/DFGSpeculativeJIT.cpp:
1997         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1998         * dfg/DFGSpeculativeJIT32_64.cpp:
1999         (JSC::DFG::SpeculativeJIT::compile):
2000         * dfg/DFGSpeculativeJIT64.cpp:
2001         (JSC::DFG::SpeculativeJIT::compile):
2002         * dfg/DFGStoreBarrierInsertionPhase.cpp:
2003         * dfg/DFGValidate.cpp:
2004         * ftl/FTLCapabilities.cpp:
2005         (JSC::FTL::canCompile):
2006         * ftl/FTLLowerDFGToB3.cpp:
2007         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2008         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
2009         * ftl/FTLOperations.cpp:
2010         (JSC::FTL::operationPopulateObjectInOSR):
2011         (JSC::FTL::operationMaterializeObjectInOSR):
2012         * jit/JIT.cpp:
2013         (JSC::JIT::privateCompileMainPass):
2014         * jit/JIT.h:
2015         * jit/JITOpcodes.cpp:
2016         (JSC::JIT::emitNewFuncCommon):
2017         (JSC::JIT::emit_op_new_async_generator_func):
2018         (JSC::JIT::emit_op_new_async_func):
2019         (JSC::JIT::emitNewFuncExprCommon):
2020         (JSC::JIT::emit_op_new_async_generator_func_exp):
2021         * jit/JITOperations.cpp:
2022         * jit/JITOperations.h:
2023         * llint/LLIntSlowPaths.cpp:
2024         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2025         * llint/LLIntSlowPaths.h:
2026         * llint/LowLevelInterpreter.asm:
2027         * parser/ASTBuilder.h:
2028         (JSC::ASTBuilder::createFunctionMetadata):
2029         * runtime/AsyncFromSyncIteratorPrototype.cpp: Added.
2030         (JSC::AsyncFromSyncIteratorPrototype::AsyncFromSyncIteratorPrototype):
2031         (JSC::AsyncFromSyncIteratorPrototype::finishCreation):
2032         (JSC::AsyncFromSyncIteratorPrototype::create):
2033         * runtime/AsyncFromSyncIteratorPrototype.h: Added.
2034         (JSC::AsyncFromSyncIteratorPrototype::createStructure):
2035         * runtime/AsyncGeneratorFunctionConstructor.cpp: Added.
2036         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
2037         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
2038         (JSC::callAsyncGeneratorFunctionConstructor):
2039         (JSC::constructAsyncGeneratorFunctionConstructor):
2040         (JSC::AsyncGeneratorFunctionConstructor::getCallData):
2041         (JSC::AsyncGeneratorFunctionConstructor::getConstructData):
2042         * runtime/AsyncGeneratorFunctionConstructor.h: Added.
2043         (JSC::AsyncGeneratorFunctionConstructor::create):
2044         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
2045         * runtime/AsyncGeneratorFunctionPrototype.cpp: Added.
2046         (JSC::AsyncGeneratorFunctionPrototype::AsyncGeneratorFunctionPrototype):
2047         (JSC::AsyncGeneratorFunctionPrototype::finishCreation):
2048         * runtime/AsyncGeneratorFunctionPrototype.h: Added.
2049         (JSC::AsyncGeneratorFunctionPrototype::create):
2050         (JSC::AsyncGeneratorFunctionPrototype::createStructure):
2051         * runtime/AsyncGeneratorPrototype.cpp: Added.
2052         (JSC::AsyncGeneratorPrototype::finishCreation):
2053         * runtime/AsyncGeneratorPrototype.h: Added.
2054         (JSC::AsyncGeneratorPrototype::create):
2055         (JSC::AsyncGeneratorPrototype::createStructure):
2056         (JSC::AsyncGeneratorPrototype::AsyncGeneratorPrototype):
2057         * runtime/AsyncIteratorPrototype.cpp: Added.
2058         (JSC::AsyncIteratorPrototype::finishCreation):
2059         * runtime/AsyncIteratorPrototype.h: Added.
2060         (JSC::AsyncIteratorPrototype::create):
2061         (JSC::AsyncIteratorPrototype::createStructure):
2062         (JSC::AsyncIteratorPrototype::AsyncIteratorPrototype):
2063         * runtime/CommonIdentifiers.h:
2064         * runtime/FunctionConstructor.cpp:
2065         (JSC::constructFunctionSkippingEvalEnabledCheck):
2066         * runtime/FunctionConstructor.h:
2067         * runtime/FunctionExecutable.h:
2068         * runtime/JSAsyncGeneratorFunction.cpp: Added.
2069         (JSC::JSAsyncGeneratorFunction::JSAsyncGeneratorFunction):
2070         (JSC::JSAsyncGeneratorFunction::createImpl):
2071         (JSC::JSAsyncGeneratorFunction::create):
2072         (JSC::JSAsyncGeneratorFunction::createWithInvalidatedReallocationWatchpoint):
2073         * runtime/JSAsyncGeneratorFunction.h: Added.
2074         (JSC::JSAsyncGeneratorFunction::allocationSize):
2075         (JSC::JSAsyncGeneratorFunction::createStructure):
2076         * runtime/JSFunction.cpp:
2077         (JSC::JSFunction::getOwnPropertySlot):
2078         * runtime/JSGlobalObject.cpp:
2079         (JSC::JSGlobalObject::init):
2080         (JSC::JSGlobalObject::visitChildren):
2081         * runtime/JSGlobalObject.h:
2082         (JSC::JSGlobalObject::asyncIteratorPrototype const):
2083         (JSC::JSGlobalObject::asyncGeneratorPrototype const):
2084         (JSC::JSGlobalObject::asyncGeneratorFunctionPrototype const):
2085         (JSC::JSGlobalObject::asyncGeneratorFunctionStructure const):
2086         * runtime/Options.h:
2087
2088 2017-08-22  Michael Saboff  <msaboff@apple.com>
2089
2090         Implement Unicode RegExp support in the YARR JIT
2091         https://bugs.webkit.org/show_bug.cgi?id=174646
2092
2093         Reviewed by Filip Pizlo.
2094
2095         This support is only implemented for 64 bit platforms.  It wouldn't be too hard to add support
2096         for 32 bit platforms with a reasonable number of spare registers.  This code slightly refactors
2097         register usage to reduce the number of callee save registers used for non-Unicode expressions.
2098         For Unicode expressions, there are several more registers used to store constant values for
2099         processing surrogate pairs as well as discerning whether a character belongs to the Basic
2100         Multilingual Plane (BMP) or one of the Supplemental Planes.
2101
2102         This implements JIT support for Unicode expressions very similar to how the interpreter works.
2103         Just like in the interpreter, backtracking code uses more space on the stack to save positions.
2104         Moved the BackTrackInfo* structs to YarrPattern as separate functions.  Added xxxIndex()
2105         functions to each of these to simplify how the JIT code reads and writes the structure fields.
2106
2107         Given that reading surrogate pairs and transforming them into a single code point takes a
2108         little processing, the code that implements reading a Unicode character is implemented as a
2109         leaf function added to the end of the JIT'ed code.  The calling convention for
2110         "tryReadUnicodeCharacterHelper()" is non-standard given that the rest of the code assumes
2111         that argument values stay in argument registers for most of the generated code.
2112         That helper takes the starting character address in one register, regUnicodeInputAndTrail,
2113         and uses another dedicated temporary register, regUnicodeTemp.  The result is typically
2114         returned in regT0.  If another return register is requested, we'll create an inline copy of
2115         that function.
2116
2117         Added a new flag to CharacterClass to signify if a class has non-BMP characters.  This flag
2118         is used in optimizeAlternative() where we swap the order of a fixed character class term with
2119         a fixed character term that immediately follows it.  Since the non-BMP character class may
2120         increment "index" when matching, that must be done first before trying to match a fixed
2121         character term later in the string.
2122
2123         Given the usefulness of the LEA instruction on X86 to create a single pointer value from a
2124         base with index and offset, which the YARR JIT uses heavily, I added a new macroAssembler
2125         function, getEffectiveAddress64(), with an ARM64 implementation.  It just calls x86Lea64()
2126         on X86-64.  Also added an ImplicitAddress version of load16Unaligned().
2127
2128         (JSC::MacroAssemblerARM64::load16Unaligned):
2129         (JSC::MacroAssemblerARM64::getEffectiveAddress64):
2130         * assembler/MacroAssemblerX86Common.h:
2131         (JSC::MacroAssemblerX86Common::load16Unaligned):
2132         (JSC::MacroAssemblerX86Common::load16):
2133         * assembler/MacroAssemblerX86_64.h:
2134         (JSC::MacroAssemblerX86_64::getEffectiveAddress64):
2135         * create_regex_tables:
2136         * runtime/RegExp.cpp:
2137         (JSC::RegExp::compile):
2138         * yarr/YarrInterpreter.cpp:
2139         * yarr/YarrJIT.cpp:
2140         (JSC::Yarr::YarrGenerator::optimizeAlternative):
2141         (JSC::Yarr::YarrGenerator::matchCharacterClass):
2142         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2143         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
2144         (JSC::Yarr::YarrGenerator::readCharacter):
2145         (JSC::Yarr::YarrGenerator::jumpIfCharNotEquals):
2146         (JSC::Yarr::YarrGenerator::matchAssertionWordchar):
2147         (JSC::Yarr::YarrGenerator::generateAssertionWordBoundary):
2148         (JSC::Yarr::YarrGenerator::generatePatternCharacterOnce):
2149         (JSC::Yarr::YarrGenerator::generatePatternCharacterFixed):
2150         (JSC::Yarr::YarrGenerator::generatePatternCharacterGreedy):
2151         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterGreedy):
2152         (JSC::Yarr::YarrGenerator::generatePatternCharacterNonGreedy):
2153         (JSC::Yarr::YarrGenerator::backtrackPatternCharacterNonGreedy):
2154         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2155         (JSC::Yarr::YarrGenerator::backtrackCharacterClassOnce):
2156         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2157         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2158         (JSC::Yarr::YarrGenerator::backtrackCharacterClassGreedy):
2159         (JSC::Yarr::YarrGenerator::generateCharacterClassNonGreedy):
2160         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2161         (JSC::Yarr::YarrGenerator::generate):
2162         (JSC::Yarr::YarrGenerator::backtrack):
2163         (JSC::Yarr::YarrGenerator::generateTryReadUnicodeCharacterHelper):
2164         (JSC::Yarr::YarrGenerator::generateEnter):
2165         (JSC::Yarr::YarrGenerator::generateReturn):
2166         (JSC::Yarr::YarrGenerator::YarrGenerator):
2167         (JSC::Yarr::YarrGenerator::compile):
2168         * yarr/YarrJIT.h:
2169         * yarr/YarrPattern.cpp:
2170         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2171         (JSC::Yarr::CharacterClassConstructor::reset):
2172         (JSC::Yarr::CharacterClassConstructor::charClass):
2173         (JSC::Yarr::CharacterClassConstructor::addSorted):
2174         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2175         (JSC::Yarr::CharacterClassConstructor::hasNonBMPCharacters):
2176         (JSC::Yarr::YarrPatternConstructor::setupAlternativeOffsets):
2177         * yarr/YarrPattern.h:
2178         (JSC::Yarr::CharacterClass::CharacterClass):
2179         (JSC::Yarr::BackTrackInfoPatternCharacter::beginIndex):
2180         (JSC::Yarr::BackTrackInfoPatternCharacter::matchAmountIndex):
2181         (JSC::Yarr::BackTrackInfoCharacterClass::beginIndex):
2182         (JSC::Yarr::BackTrackInfoCharacterClass::matchAmountIndex):
2183         (JSC::Yarr::BackTrackInfoBackReference::beginIndex):
2184         (JSC::Yarr::BackTrackInfoBackReference::matchAmountIndex):
2185         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
2186         (JSC::Yarr::BackTrackInfoParentheticalAssertion::beginIndex):
2187         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
2188         (JSC::Yarr::BackTrackInfoParenthesesTerminal::beginIndex):
2189
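As an added illustration (not YARR or JavaScriptCore code, and not part of this ChangeLog entry), the following shows the two facts the entry above relies on: reading one code point from a UTF-16 subject consumes either one unit (BMP character or lone surrogate) or two (a surrogate pair), and a fixed character class that can match a non-BMP character must be matched before the fixed character that follows it, because only then is the "index" advance known. The names (readUnicodeCharacter, decodeAll, matchClassThenLiteral, the constructed kSample string) are this example's own.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace yarr_demo {

struct CodePointRead {
    uint32_t codePoint;   // decoded scalar value, or a lone surrogate unit returned as-is
    size_t unitsConsumed; // 1 for a BMP character or lone surrogate, 2 for a surrogate pair
};

constexpr bool isLeadSurrogate(char16_t unit)  { return (unit & 0xFC00) == 0xD800; }
constexpr bool isTrailSurrogate(char16_t unit) { return (unit & 0xFC00) == 0xDC00; }
constexpr bool isBMP(uint32_t codePoint)       { return codePoint < 0x10000; }

// Read the code point that starts at s[index]. A lead surrogate followed by a
// trail surrogate is combined into one supplementary-plane code point; anything
// else (BMP character, lone surrogate, lead at end of input) is one unit.
CodePointRead readUnicodeCharacter(const char16_t* s, size_t length, size_t index)
{
    char16_t lead = s[index];
    if (isLeadSurrogate(lead) && index + 1 < length && isTrailSurrogate(s[index + 1])) {
        uint32_t codePoint = 0x10000
            + ((uint32_t(lead) - 0xD800) << 10)
            + (uint32_t(s[index + 1]) - 0xDC00);
        return { codePoint, 2 };
    }
    return { uint32_t(lead), 1 };
}

// Decode a whole subject string into code points.
std::vector<uint32_t> decodeAll(const char16_t* s, size_t length)
{
    std::vector<uint32_t> out;
    for (size_t index = 0; index < length;) {
        CodePointRead read = readUnicodeCharacter(s, length, index);
        out.push_back(read.codePoint);
        index += read.unitsConsumed;
    }
    return out;
}

// The equivalent of the new CharacterClass flag: does the class contain a
// character outside the BMP, i.e. one that may consume two units when matched?
bool hasNonBMPCharacters(const std::vector<uint32_t>& classMembers)
{
    for (uint32_t codePoint : classMembers)
        if (!isBMP(codePoint))
            return true;
    return false;
}

// Pattern order: match the (one-member) class first, so its width is known
// before the literal that follows it is checked.
bool matchClassThenLiteral(const char16_t* s, size_t length, size_t index, uint32_t classMember, uint32_t literal)
{
    if (index >= length)
        return false;
    CodePointRead first = readUnicodeCharacter(s, length, index);
    if (first.codePoint != classMember)
        return false;
    size_t next = index + first.unitsConsumed;
    return next < length && readUnicodeCharacter(s, length, next).codePoint == literal;
}

// The swapped order optimizeAlternative() must not use for a non-BMP class:
// check the literal at index + 1 first, assuming the class is one unit wide.
// When the class matched a surrogate pair, index + 1 is the trail surrogate.
bool matchLiteralThenClassAssumingWidthOne(const char16_t* s, size_t length, size_t index, uint32_t classMember, uint32_t literal)
{
    if (index + 1 >= length)
        return false;
    if (readUnicodeCharacter(s, length, index + 1).codePoint != literal)
        return false;
    return readUnicodeCharacter(s, length, index).codePoint == classMember;
}

// Constructed sample: 'a', U+1F600 (a surrogate pair in UTF-16), 'b'.
const char16_t kSample[] = u"a\U0001F600b";
constexpr size_t kSampleLength = sizeof(kSample) / sizeof(kSample[0]) - 1; // 4 units
const char16_t kLoneLead[] = { 0xD83D };                                   // unpaired lead surrogate

} // namespace yarr_demo

int main()
{
    using namespace yarr_demo;
    std::vector<uint32_t> decoded = decodeAll(kSample, kSampleLength);
    std::printf("%zu code points from %zu units; class order ok=%d, swapped order ok=%d\n",
        decoded.size(), kSampleLength,
        matchClassThenLiteral(kSample, kSampleLength, 1, 0x1F600, u'b'),
        matchLiteralThenClassAssumingWidthOne(kSample, kSampleLength, 1, 0x1F600, u'b'));
    return 0;
}
```

On the sample, the class-first order matches `[U+1F600]b` at index 1, while the swapped order compares `b` against the trail surrogate at index 2 and fails; with a BMP class member both orders agree, which is exactly the distinction the new flag lets optimizeAlternative() make.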
2190 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
2191
2192         Implement 64-bit MacroAssembler::probe support for Windows.
2193         https://bugs.webkit.org/show_bug.cgi?id=175724
2194
2195         Reviewed by Mark Lam.
2196
2197         This is needed to enable the DFG. MSVC no longer supports inline assembly
2198         for 64-bit, which means we have to put the code in an asm file.
2199
2200         * assembler/MacroAssemblerX86Common.cpp:
2201         (JSC::booleanTrueForAvoidingNoReturnDeclaration): Deleted.
2202         * jit/JITStubsMSVC64.asm:
2203
2204 2017-08-22  Devin Rousso  <webkit@devinrousso.com>
2205
2206         Web Inspector: provide way for ShaderPrograms to be enabled/disabled
2207         https://bugs.webkit.org/show_bug.cgi?id=175400
2208
2209         Reviewed by Matt Baker.
2210
2211         * inspector/protocol/Canvas.json:
2212         Add `setShaderProgramDisabled` command that sets the `disabled` flag on the given shader
2213         program to the supplied boolean value. If this value is true, calls to `drawArrays` and
2214         `drawElements` when that program is in use will have no effect.
2215
2216 2017-08-22  Keith Miller  <keith_miller@apple.com>
2217
2218         Unreviewed, fix windows build... for realz.
2219
2220         * CMakeLists.txt:
2221
2222 2017-08-22  Saam Barati  <sbarati@apple.com>
2223
2224         We are using valueProfileForBytecodeOffset when there may not be a value profile
2225         https://bugs.webkit.org/show_bug.cgi?id=175812
2226
2227         Reviewed by Michael Saboff.
2228
2229         This patch uses the type system to aid the code around CodeBlock's ValueProfile
2230         accessor methods. valueProfileForBytecodeOffset used to return ValueProfile*,
2231         so there were callers of this that thought it could return nullptr when there
2232         was no such ValueProfile. This was not the case, it always returned a non-null
2233         pointer. This patch changes valueProfileForBytecodeOffset to return ValueProfile&
2234         and adds a new tryGetValueProfileForBytecodeOffset method that returns ValueProfile*
2235         and does the right thing if there is no such ValueProfile.
2236         
2237         This patch also changes the other ValueProfile accessors on CodeBlock to
2238         return ValueProfile& instead of ValueProfile*. Some callers handled the null
2239         case unnecessarily, and using the type system to specify the result can't be
2240         null removes these useless branches.
2241
2242         * bytecode/CodeBlock.cpp:
2243         (JSC::CodeBlock::updateAllPredictionsAndCountLiveness):
2244         (JSC::CodeBlock::dumpValueProfiles):
2245         (JSC::CodeBlock::tryGetValueProfileForBytecodeOffset):
2246         (JSC::CodeBlock::valueProfileForBytecodeOffset):
2247         (JSC::CodeBlock::validate):
2248         * bytecode/CodeBlock.h:
2249         (JSC::CodeBlock::valueProfileForArgument):
2250         (JSC::CodeBlock::valueProfile):
2251         (JSC::CodeBlock::valueProfilePredictionForBytecodeOffset):
2252         (JSC::CodeBlock::getFromAllValueProfiles):
2253         * dfg/DFGByteCodeParser.cpp:
2254         (JSC::DFG::ByteCodeParser::handleInlining):
2255         * dfg/DFGGraph.cpp:
2256         (JSC::DFG::Graph::methodOfGettingAValueProfileFor):
2257         * dfg/DFGPredictionInjectionPhase.cpp:
2258         (JSC::DFG::PredictionInjectionPhase::run):
2259         * jit/JIT.h:
2260         * jit/JITInlines.h:
2261         (JSC::JIT::emitValueProfilingSite):
2262         * profiler/ProfilerBytecodeSequence.cpp:
2263         (JSC::Profiler::BytecodeSequence::BytecodeSequence):
2264         * tools/HeapVerifier.cpp:
2265         (JSC::HeapVerifier::validateJSCell):
2266
2267 2017-08-22  Keith Miller  <keith_miller@apple.com>
2268
2269         Unreviewed, fix windows build... maybe.
2270
2271         * CMakeLists.txt:
2272
2273 2017-08-22  Keith Miller  <keith_miller@apple.com>
2274
2275         Unreviewed, fix cloop build.
2276
2277         * JavaScriptCore.xcodeproj/project.pbxproj:
2278
2279 2017-08-22  Per Arne Vollan  <pvollan@apple.com>
2280
2281         [Win][Release] Crash when running testmasm executable.
2282         https://bugs.webkit.org/show_bug.cgi?id=175772
2283
2284         Reviewed by Mark Lam.
2285
2286         We need to save and restore the modified registers in case one or more registers are callee saved
2287         on the relevant platforms.
2288
2289         * assembler/testmasm.cpp:
2290         (JSC::testProbeReadsArgumentRegisters):
2291         (JSC::testProbeWritesArgumentRegisters):
2292
2293 2017-08-21  Mark Lam  <mark.lam@apple.com>
2294
2295         Change probe code to use static_assert instead of COMPILE_ASSERT.
2296         https://bugs.webkit.org/show_bug.cgi?id=175762
2297
2298         Reviewed by JF Bastien.
2299
2300         * assembler/MacroAssemblerARM.cpp:
2301         * assembler/MacroAssemblerARM64.cpp:
2302         (JSC::MacroAssembler::probe): Deleted.
2303         * assembler/MacroAssemblerARMv7.cpp:
2304         * assembler/MacroAssemblerX86Common.cpp:
2305
2306 2017-08-21  Keith Miller  <keith_miller@apple.com>
2307
2308         Make generate_offset_extractor.rb architectures argument more robust
2309         https://bugs.webkit.org/show_bug.cgi?id=175809
2310
2311         Reviewed by Joseph Pecoraro.
2312
2313         It turns out that some of our builders pass their architectures as
2314         space separated lists.  I decided to just make the splitting of
2315         our list robust to any reasonable combination of spaces and
2316         commas.
2317
2318         * offlineasm/generate_offset_extractor.rb:
2319
2320 2017-08-21  Keith Miller  <keith_miller@apple.com>
2321
2322         Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
2323         https://bugs.webkit.org/show_bug.cgi?id=175690
2324
2325         Reviewed by Michael Saboff.
2326
2327         This should reduce some of the time we spend building offline asm
2328         in our builds (except for linux since they already did this).
2329
2330         * CMakeLists.txt:
2331         * JavaScriptCore.xcodeproj/project.pbxproj:
2332         * offlineasm/backends.rb:
2333         * offlineasm/generate_offset_extractor.rb:
2334
2335 2017-08-20  Mark Lam  <mark.lam@apple.com>
2336
2337         Gardening: fix CLoop build.
2338         https://bugs.webkit.org/show_bug.cgi?id=175688
2339         <rdar://problem/33436870>
2340
2341         Not reviewed.
2342
2343         Make these files dependent on ENABLE(MASM_PROBE).
2344
2345         * assembler/ProbeContext.cpp:
2346         * assembler/ProbeContext.h:
2347         * assembler/ProbeStack.cpp:
2348         * assembler/ProbeStack.h:
2349
2350 2017-08-20  Mark Lam  <mark.lam@apple.com>
2351
2352         Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
2353         https://bugs.webkit.org/show_bug.cgi?id=175688
2354         <rdar://problem/33436870>
2355
2356         Reviewed by JF Bastien.
2357
2358         With this patch, the clients of the MacroAssembler::probe() can now change
2359         stack values without having to worry about whether there is enough room in the
2360         current stack frame for it or not.  This is done using the Probe::Context's stack
2361         member like so:
2362
2363             jit.probe([] (Probe::Context& context) {
2364                 auto cpu = context.cpu;
2365                 auto stack = context.stack();
2366                 uintptr_t* currentSP = cpu.sp<uintptr_t*>();
2367
2368                 // Get a value at the current stack pointer location.
2369                 auto value = stack.get<uintptr_t>(currentSP);
2370
2371                 // Set a value above the current stack pointer (within current frame).
2372                 stack.set<uintptr_t>(currentSP + 10, value);
2373
2374                 // Set a value below the current stack pointer (out of current frame).
2375                 stack.set<uintptr_t>(currentSP - 10, value);
2376
2377                 // Set the new stack pointer.
2378                 cpu.sp() = currentSP - 20;
2379             });
2380
2381         What happens behind the scene:
2382
2383         1. the generated JIT probe code will now call Probe::executeProbe(), and
2384            Probe::executeProbe() will in turn call the client's probe function.
2385
2386            Probe::executeProbe() receives the Probe::State on the machine stack passed
2387            to it by the probe trampoline.  Probe::executeProbe() will instantiate a
2388            Probe::Context to be passed to the client's probe function.  The client will
2389            no longer see the Probe::State directly.
2390
2391         2. The Probe::Context comes with a Probe::Stack which serves as a manager of
2392            stack pages.  Currently, each page is 1K in size.
2393            Probe::Context::stack() returns a reference to an instance of Probe::Stack.
2394
2395         3. Invoking get() or set() on Probe::Stack with an address will lead to the
2396            following:
2397
2398            a. the address will be decoded to a baseAddress that points to the 1K page
2399               that contains that address.
2400
2401            b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
2402               If so, go to step (f).  Else, continue with step (c).
2403
2404            c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
2405               for that specified baseAddress to this mirror page.
2406
2407            d. the mirror page will be added to the ProbeStack's m_pages HashMap,
2408               keyed on the baseAddress.
2409
2410            e. the ProbeStack will also cache the last baseAddress and its corresponding
2411               mirror page in use.  With memory accesses tending to be localized, this
2412               will save us from having to look up the page in the HashMap.
2413
2414            f. get() will map the requested address to a physical address in the mirror
2415               page, and return the value at that location.
2416
2417            g. set() will map the requested address to a physical address in the mirror
2418               page, and set the value at that location in the mirror page.
2419
2420               set() will also set a dirty bit corresponding to the "cache line" that
2421               was modified in the mirror page.
2422
2423         4. When the client's probe function returns, Probe::executeProbe() will check if
2424            there are stack changes that need to be applied.  If stack changes are needed:
2425
2426            a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
2427               space is available to flush the dirty stack pages.  It will also register a
2428               flushStackDirtyPages callback function in the Probe::State.  Thereafter,
2429               Probe::executeProbe() returns to the probe trampoline.
2430
2431            b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
2432               a safe place if needed, and then calls the flushStackDirtyPages callback
2433               if needed.
2434
2435            c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
2436               HashMap and flushes all dirty "cache lines" to the machine stack.
2437               Thereafter, flushStackDirtyPages() returns to the probe trampoline.
2438
2439            d. lastly, the probe trampoline will restore all register values and return
2440               to the pc set in the Probe::State.
2441
2442         To make this patch work, I also had to do the following work:
2443
2444         5. Refactor MacroAssembler::CPUState into Probe::CPUState.
2445            Mainly, this means moving the code over to ProbeContext.h.
2446            I also added some convenience accessor methods for spr registers. 
2447
2448            Moved Probe::Context over to its own file ProbeContext.h/cpp.
2449
2450         6. Fix all probe trampolines to pass the address of Probe::executeProbe in
2451            addition to the client's probe function and arg.
2452
2453            I also took this opportunity to optimize the generated JIT probe code to
2454            minimize the amount of memory stores needed. 
2455
2456         7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
2457            either lr or pc (or neither), but not both in the same probe invocation.
2458            The ARM64 probe trampoline used to have to check for this invariant in the
2459            assembly trampoline code.  With the introduction of Probe::executeProbe(),
2460            we can now do it there and simplify the trampoline.
2461
2462         8. Fix a bug in the old ARM64 probe trampoline for the case where the client
2463            changes lr.  That code path never worked before, but has now been fixed.
2464
2465         9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
2466            MacroAssemblerARMv7.
2467
2468            We can now use move() with TrustedImmPtr, and it does the same thing but in a
2469            more generic way.
2470
2471        10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
2472            the same semantics as movs (according to the Thumb spec).  This means these
2473            instructions may trash the APSR flags before we have a chance to preserve them.
2474
2475            This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
2476            early on.  This entails adding support for the mrs instruction in the
2477            ARMv7Assembler.
2478
2479        11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
2480            the easy way.
2481
2482            Also fixed testmasm tests which check flag registers to only compare the
2483            portions that are modifiable by the client i.e. some masking is applied.
2484
2485         This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.
2486
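The mirror-page scheme in steps 3 and 4 above, as an added stand-alone illustration that is not JavaScriptCore's Probe::Stack and not part of this ChangeLog entry: a page-granular, write-back mirror of a memory region with one dirty bit per "cache line", a last-page cache in front of the HashMap, and a flush that writes back only the dirtied lines. Class and function names (Page, Stack, pageFor, demo), the 64-byte line size and the page-aligned s_fakeStack buffer standing in for the machine stack are this example's own choices; only the 1K page size is taken from the description.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <unordered_map>

namespace probe_demo {

constexpr size_t kPageSize = 1024;                  // 1K pages, as in the description
constexpr size_t kChunkSize = 64;                   // one dirty bit per 64-byte "cache line" (own choice)
constexpr size_t kChunksPerPage = kPageSize / kChunkSize;
static_assert(kChunksPerPage <= 32, "dirty bits are kept in a uint32_t");

// One mirrored page of the live region plus its dirty bits.
class Page {
public:
    explicit Page(uintptr_t baseAddress) : m_baseAddress(baseAddress)
    {
        std::memcpy(m_mirror, reinterpret_cast<const void*>(baseAddress), kPageSize); // step (c)
    }
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(kPageSize - 1); } // step (a)

    template<typename T> T get(uintptr_t address) const // step (f): read from the mirror
    {
        T value;
        std::memcpy(&value, m_mirror + offsetFor(address, sizeof(T)), sizeof(T));
        return value;
    }
    template<typename T> void set(uintptr_t address, T value) // step (g): write to the mirror, mark dirty
    {
        size_t offset = offsetFor(address, sizeof(T));
        std::memcpy(m_mirror + offset, &value, sizeof(T));
        m_dirtyBits |= dirtyBitFor(offset) | dirtyBitFor(offset + sizeof(T) - 1); // a write may straddle two lines
    }
    bool hasWritesToFlush() const { return m_dirtyBits != 0; }
    size_t flushWrites() // step 4(c): copy only dirty lines back to live memory; returns the count
    {
        size_t flushed = 0;
        for (size_t line = 0; line < kChunksPerPage; ++line) {
            if (!(m_dirtyBits & (uint32_t(1) << line)))
                continue;
            size_t offset = line * kChunkSize;
            std::memcpy(reinterpret_cast<void*>(m_baseAddress + offset), m_mirror + offset, kChunkSize);
            ++flushed;
        }
        m_dirtyBits = 0;
        return flushed;
    }

private:
    size_t offsetFor(uintptr_t address, size_t size) const
    {
        size_t offset = address - m_baseAddress;
        assert(offset + size <= kPageSize && "an access must not straddle a page");
        return offset;
    }
    static uint32_t dirtyBitFor(size_t offset) { return uint32_t(1) << (offset / kChunkSize); }

    uintptr_t m_baseAddress;
    uint32_t m_dirtyBits = 0;
    uint8_t m_mirror[kPageSize];
};

// Owns the mirror pages, keyed on base address, with a one-entry cache in front.
class Stack {
public:
    template<typename T> T get(uintptr_t address) { return pageFor(address).get<T>(address); }
    template<typename T> void set(uintptr_t address, T value) { pageFor(address).set<T>(address, value); }
    size_t pageCount() const { return m_pages.size(); }
    bool hasWritesToFlush() const
    {
        for (const auto& entry : m_pages)
            if (entry.second->hasWritesToFlush())
                return true;
        return false;
    }
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (auto& entry : m_pages)
            flushed += entry.second->flushWrites();
        return flushed;
    }

private:
    Page& pageFor(uintptr_t address)
    {
        uintptr_t base = Page::baseAddressFor(address);
        if (m_lastPage && m_lastBase == base) // step (e): most accesses hit the last page
            return *m_lastPage;
        auto it = m_pages.find(base); // step (b)
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first; // steps (c), (d)
        m_lastBase = base;
        m_lastPage = it->second.get();
        return *m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    uintptr_t m_lastBase = 0;
    Page* m_lastPage = nullptr;
};

// Constructed stand-in for the machine stack: two page-aligned pages of counting words.
alignas(kPageSize) static uint64_t s_fakeStack[2 * kPageSize / sizeof(uint64_t)];

// Replays the client snippet from the description: read at "sp", write above it (same page)
// and below it (previous page), check live memory is untouched until the flush, then flush.
bool demo()
{
    for (size_t i = 0; i < sizeof(s_fakeStack) / sizeof(s_fakeStack[0]); ++i)
        s_fakeStack[i] = i;
    uintptr_t base = reinterpret_cast<uintptr_t>(s_fakeStack);
    uintptr_t sp = base + kPageSize + 256; // pretend sp sits in the second page (word 160)
    Stack stack;
    uint64_t value = stack.get<uint64_t>(sp);
    stack.set<uint64_t>(sp + 80, value + 1);  // word 170, second page
    stack.set<uint64_t>(sp - 512, value + 2); // word 96, first page
    bool ok = value == 160 && stack.pageCount() == 2 && stack.hasWritesToFlush();
    ok = ok && s_fakeStack[170] == 170 && s_fakeStack[96] == 96; // nothing reached live memory yet
    ok = ok && stack.flushWrites() == 2;                           // exactly one dirty line per page
    return ok && s_fakeStack[170] == 161 && s_fakeStack[96] == 162 && !stack.hasWritesToFlush();
}

} // namespace probe_demo

int main() { std::printf("%s\n", probe_demo::demo() ? "ok" : "FAILED"); }
```

The point the demo makes is the one step 4 depends on: the client's writes land only in the mirror, so live memory can be left alone until Probe::executeProbe() has made room below the stack pointer, and the flush then touches only the lines that were actually dirtied rather than every mirrored page.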
2487         * CMakeLists.txt:
2488         * JavaScriptCore.xcodeproj/project.pbxproj:
2489         * assembler/ARMv7Assembler.h:
2490         (JSC::ARMv7Assembler::mrs):
2491         * assembler/AbstractMacroAssembler.h:
2492         * assembler/MacroAssembler.cpp:
2493         (JSC::stdFunctionCallback):
2494         (JSC::MacroAssembler::probe):
2495         * assembler/MacroAssembler.h:
2496         (JSC::MacroAssembler::CPUState::gprName): Deleted.
2497         (JSC::MacroAssembler::CPUState::sprName): Deleted.
2498         (JSC::MacroAssembler::CPUState::fprName): Deleted.
2499         (JSC::MacroAssembler::CPUState::gpr): Deleted.
2500         (JSC::MacroAssembler::CPUState::spr): Deleted.
2501         (JSC::MacroAssembler::CPUState::fpr): Deleted.
2502         (JSC:: const): Deleted.
2503         (JSC::MacroAssembler::CPUState::fpr const): Deleted.
2504         (JSC::MacroAssembler::CPUState::pc): Deleted.
2505         (JSC::MacroAssembler::CPUState::fp): Deleted.
2506         (JSC::MacroAssembler::CPUState::sp): Deleted.
2507         (JSC::MacroAssembler::CPUState::pc const): Deleted.
2508         (JSC::MacroAssembler::CPUState::fp const): Deleted.
2509         (JSC::MacroAssembler::CPUState::sp const): Deleted.
2510         (JSC::Probe::State::gpr): Deleted.
2511         (JSC::Probe::State::spr): Deleted.
2512         (JSC::Probe::State::fpr): Deleted.
2513         (JSC::Probe::State::gprName): Deleted.
2514         (JSC::Probe::State::sprName): Deleted.
2515         (JSC::Probe::State::fprName): Deleted.
2516         (JSC::Probe::State::pc): Deleted.
2517         (JSC::Probe::State::fp): Deleted.
2518         (JSC::Probe::State::sp): Deleted.
2519         * assembler/MacroAssemblerARM.cpp:
2520         (JSC::MacroAssembler::probe):
2521         * assembler/MacroAssemblerARM.h:
2522         (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
2523         * assembler/MacroAssemblerARM64.cpp:
2524         (JSC::MacroAssembler::probe):
2525         (JSC::arm64ProbeError): Deleted.
2526         * assembler/MacroAssemblerARMv7.cpp:
2527         (JSC::MacroAssembler::probe):
2528         * assembler/MacroAssemblerARMv7.h:
2529         (JSC::MacroAssemblerARMv7::armV7Condition):
2530         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
2531         * assembler/MacroAssemblerPrinter.cpp:
2532         (JSC::Printer::printCallback):
2533         * assembler/MacroAssemblerPrinter.h:
2534         * assembler/MacroAssemblerX86Common.cpp:
2535         (JSC::ctiMasmProbeTrampoline):
2536         (JSC::MacroAssembler::probe):
2537         * assembler/Printer.h:
2538         (JSC::Printer::Context::Context):
2539         * assembler/ProbeContext.cpp: Added.
2540         (JSC::Probe::executeProbe):
2541         (JSC::Probe::handleProbeStackInitialization):
2542         (JSC::Probe::probeStateForContext):
2543         * assembler/ProbeContext.h: Added.
2544         (JSC::Probe::CPUState::gprName):
2545         (JSC::Probe::CPUState::sprName):
2546         (JSC::Probe::CPUState::fprName):
2547         (JSC::Probe::CPUState::gpr):
2548         (JSC::Probe::CPUState::spr):
2549         (JSC::Probe::CPUState::fpr):
2550         (JSC::Probe:: const):
2551         (JSC::Probe::CPUState::fpr const):
2552         (JSC::Probe::CPUState::pc):
2553         (JSC::Probe::CPUState::fp):
2554         (JSC::Probe::CPUState::sp):
2555         (JSC::Probe::CPUState::pc const):
2556         (JSC::Probe::CPUState::fp const):
2557         (JSC::Probe::CPUState::sp const):
2558         (JSC::Probe::Context::Context):
2559         (JSC::Probe::Context::gpr):
2560         (JSC::Probe::Context::spr):
2561         (JSC::Probe::Context::fpr):
2562         (JSC::Probe::Context::gprName):
2563         (JSC::Probe::Context::sprName):
2564         (JSC::Probe::Context::fprName):
2565         (JSC::Probe::Context::pc):
2566         (JSC::Probe::Context::fp):
2567         (JSC::Probe::Context::sp):
2568         (JSC::Probe::Context::stack):
2569         (JSC::Probe::Context::hasWritesToFlush):
2570         (JSC::Probe::Context::releaseStack):
2571         * assembler/ProbeStack.cpp: Added.
2572         (JSC::Probe::Page::Page):
2573         (JSC::Probe::Page::flushWrites):
2574         (JSC::Probe::Stack::Stack):
2575         (JSC::Probe::Stack::hasWritesToFlush):
2576         (JSC::Probe::Stack::flushWrites):
2577         (JSC::Probe::Stack::ensurePageFor):
2578         * assembler/ProbeStack.h: Added.
2579         (JSC::Probe::Page::baseAddressFor):
2580         (JSC::Probe::Page::chunkAddressFor):
2581         (JSC::Probe::Page::baseAddress):
2582         (JSC::Probe::Page::get):
2583         (JSC::Probe::Page::set):
2584         (JSC::Probe::Page::hasWritesToFlush const):
2585         (JSC::Probe::Page::flushWritesIfNeeded):
2586         (JSC::Probe::Page::dirtyBitFor):
2587         (JSC::Probe::Page::physicalAddressFor):
2588         (JSC::Probe::Stack::Stack):
2589         (JSC::Probe::Stack::lowWatermark):
2590         (JSC::Probe::Stack::get):
2591         (JSC::Probe::Stack::set):
2592         (JSC::Probe::Stack::newStackPointer const):
2593         (JSC::Probe::Stack::setNewStackPointer):
2594         (JSC::Probe::Stack::isValid):
2595         (JSC::Probe::Stack::pageFor):
2596         * assembler/testmasm.cpp:
2597         (JSC::testProbeReadsArgumentRegisters):
2598         (JSC::testProbeWritesArgumentRegisters):
2599         (JSC::testProbePreservesGPRS):
2600         (JSC::testProbeModifiesStackPointer):
2601         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2602         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2603         (JSC::testProbeModifiesProgramCounter):
2604         (JSC::testProbeModifiesStackValues):
2605         (JSC::run):
2606         (): Deleted.
2607         (JSC::fillStack): Deleted.
2608         (JSC::testProbeModifiesStackWithCallback): Deleted.
2609
2610 2017-08-19  Andy Estes  <aestes@apple.com>
2611
2612         [Payment Request] Add interface stubs
2613         https://bugs.webkit.org/show_bug.cgi?id=175730
2614
2615         Reviewed by Youenn Fablet.
2616
2617         * runtime/CommonIdentifiers.h:
2618
2619 2017-08-18  Per Arne Vollan  <pvollan@apple.com>
2620
2621         Implement 32-bit MacroAssembler::probe support for Windows.
2622         https://bugs.webkit.org/show_bug.cgi?id=175449
2623
2624         Reviewed by Mark Lam.
2625
2626         This is needed to enable the DFG.
2627
2628         * assembler/MacroAssemblerX86Common.cpp:
2629         * assembler/testmasm.cpp:
2630         (JSC::run):
2631         (dllLauncherEntryPoint):
2632         * shell/CMakeLists.txt:
2633         * shell/PlatformWin.cmake:
2634
2635 2017-08-18  Mark Lam  <mark.lam@apple.com>
2636
2637         Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
2638         https://bugs.webkit.org/show_bug.cgi?id=175725
2639         <rdar://problem/33965477>
2640
2641         Rubber-stamped by JF Bastien.
2642
2643         This is purely a refactoring patch (in preparation for the introduction of a
2644         Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
2645         later).  This patch does not change any semantics / behavior.
2646
2647         * assembler/AbstractMacroAssembler.h:
2648         * assembler/MacroAssembler.cpp:
2649         (JSC::stdFunctionCallback):
2650         (JSC::MacroAssembler::probe):
2651         * assembler/MacroAssembler.h:
2652         (JSC::ProbeContext::gpr): Deleted.
2653         (JSC::ProbeContext::spr): Deleted.
2654         (JSC::ProbeContext::fpr): Deleted.
2655         (JSC::ProbeContext::gprName): Deleted.
2656         (JSC::ProbeContext::sprName): Deleted.
2657         (JSC::ProbeContext::fprName): Deleted.
2658         (JSC::ProbeContext::pc): Deleted.
2659         (JSC::ProbeContext::fp): Deleted.
2660         (JSC::ProbeContext::sp): Deleted.
2661         * assembler/MacroAssemblerARM.cpp:
2662         (JSC::MacroAssembler::probe):
2663         * assembler/MacroAssemblerARM.h:
2664         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2665         * assembler/MacroAssemblerARM64.cpp:
2666         (JSC::arm64ProbeError):
2667         (JSC::MacroAssembler::probe):
2668         * assembler/MacroAssemblerARMv7.cpp:
2669         (JSC::MacroAssembler::probe):
2670         * assembler/MacroAssemblerARMv7.h:
2671         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
2672         * assembler/MacroAssemblerPrinter.cpp:
2673         (JSC::Printer::printCallback):
2674         * assembler/MacroAssemblerPrinter.h:
2675         * assembler/MacroAssemblerX86Common.cpp:
2676         (JSC::MacroAssembler::probe):
2677         * assembler/Printer.h:
2678         (JSC::Printer::Context::Context):
2679         * assembler/testmasm.cpp:
2680         (JSC::testProbeReadsArgumentRegisters):
2681         (JSC::testProbeWritesArgumentRegisters):
2682         (JSC::testProbePreservesGPRS):
2683         (JSC::testProbeModifiesStackPointer):
2684         (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
2685         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2686         (JSC::testProbeModifiesProgramCounter):
2687         (JSC::fillStack):
2688         (JSC::testProbeModifiesStackWithCallback):
2689         (JSC::run):
2690         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.
2691
2692 2017-08-17  JF Bastien  <jfbastien@apple.com>
2693
2694         WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
2695         https://bugs.webkit.org/show_bug.cgi?id=175693
2696         <rdar://problem/33952443>
2697
2698         Reviewed by Saam Barati.
2699
2700         64-bit constants in an unreachable context were being decoded as
2701         32-bit constants. This is pretty benign because unreachable code
2702         shouldn't occur often. The effect is that 64-bit constants which
2703         can't be encoded as 32-bit constants would cause the binary to be
2704         rejected.
2705
2706         At the same time, 32-bit integer constants should be decoded as signed.
2707
2708         * wasm/WasmFunctionParser.h:
2709         (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):
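
        A worked decoder for the two immediate widths this entry contrasts, added here as an example and not JSC's own WasmFunctionParser code; the LEB128 routine, the LebResult type and the i64.const byte sequence are all constructed for this illustration:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added example, not JavaScriptCore's WasmFunctionParser: a signed LEB128 decoder
// of the kind a wasm parser uses for i32.const / i64.const immediates, with the
// operand width passed explicitly so the two cases in the entry can be compared.
struct LebResult {
    bool ok;              // false: ran past the buffer or past the width's byte limit
    int64_t value;        // sign-extended result, truncated to int32_t when bits == 32
    size_t bytesConsumed;
};

// Decode a signed LEB128 integer of `bits` (32 or 64) starting at `offset`.
// A width of N bits needs at most ceil(N / 7) bytes: 5 for i32, 10 for i64.
inline LebResult decodeSLEB128(const std::vector<uint8_t>& bytes, size_t offset, unsigned bits)
{
    const size_t maxBytes = (bits + 6) / 7;
    uint64_t accumulator = 0;
    unsigned shift = 0;
    size_t i = offset;
    uint8_t byte = 0;
    do {
        if (i >= bytes.size() || i - offset >= maxBytes)
            return { false, 0, i - offset };
        byte = bytes[i++];
        accumulator |= static_cast<uint64_t>(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    // Sign-extend from bit 6 of the final group when fewer than 64 bits were filled.
    if (shift < 64 && (byte & 0x40))
        accumulator |= ~uint64_t(0) << shift;
    int64_t value = static_cast<int64_t>(accumulator);
    if (bits == 32)
        value = static_cast<int32_t>(value); // i32 immediates are signed: 0x7f is -1, not 127
    return { true, value, i - offset };
}

// Constructed immediate: i64.const 2^40, which needs six LEB128 bytes.
inline std::vector<uint8_t> constructedI64Immediate()
{
    return { 0x80, 0x80, 0x80, 0x80, 0x80, 0x20 };
}

// The bug from the entry reproduced: reading the i64 immediate with the i32 limit
// of five bytes rejects a well-formed constant, while reading it as i64 succeeds.
inline bool i64ImmediateRejectedAsI32() { return !decodeSLEB128(constructedI64Immediate(), 0, 32).ok; }
inline int64_t i64ImmediateDecodedAsI64() { return decodeSLEB128(constructedI64Immediate(), 0, 64).value; }
```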
2710
2711 2017-08-17  Robin Morisset  <rmorisset@apple.com>
2712
2713         Teach DFGFixupPhase.cpp that the current scope is always a cell
2714         https://bugs.webkit.org/show_bug.cgi?id=175610
2715
2716         Reviewed by Keith Miller.
2717
2718         Also teach it that the argument to with can usually be speculated to be an object,
2719         since toObject() is called on it.
2720
2721         * dfg/DFGFixupPhase.cpp:
2722         (JSC::DFG::FixupPhase::fixupNode):
2723         * dfg/DFGSpeculativeJIT.cpp:
2724         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
2725         * dfg/DFGSpeculativeJIT.h:
2726         (JSC::DFG::SpeculativeJIT::callOperation):
2727         * ftl/FTLLowerDFGToB3.cpp:
2728         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
2729         * jit/JITOperations.cpp:
2730         * jit/JITOperations.h:
2731
2732 2017-08-17  Matt Baker  <mattbaker@apple.com>
2733
2734         Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
2735         https://bugs.webkit.org/show_bug.cgi?id=175644
2736
2737         Reviewed by Brian Burg.
2738
2739         * inspector/agents/InspectorScriptProfilerAgent.h:
2740
2741 2017-08-17  Mark Lam  <mark.lam@apple.com>
2742
2743         Only use 16 VFP registers if !CPU(ARM_NEON).
2744         https://bugs.webkit.org/show_bug.cgi?id=175514
2745
2746         Reviewed by JF Bastien.
2747
2748         Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
2749         says that there are only 16 128-bit NEON registers.  This change is merely to
2750         correct the code documentation of these registers.  The FPQuadRegisterID are
2751         currently unused.
2752
2753         * assembler/ARMAssembler.h:
2754         (JSC::ARMAssembler::lastFPRegister):
2755         (JSC::ARMAssembler::fprName):
2756         * assembler/ARMv7Assembler.h:
2757         (JSC::ARMv7Assembler::lastFPRegister):
2758         (JSC::ARMv7Assembler::fprName):
2759         * assembler/MacroAssemblerARM.cpp:
2760         * assembler/MacroAssemblerARMv7.cpp:
2761
2762 2017-08-17  Andreas Kling  <akling@apple.com>
2763
2764         Disable CSS regions at compile time
2765         https://bugs.webkit.org/show_bug.cgi?id=175630
2766
2767         Reviewed by Antti Koivisto.
2768
2769         * Configurations/FeatureDefines.xcconfig:
2770
2771 2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>
2772
2773         [WPE][GTK] Ensure proper casting of data in gvariants
2774         https://bugs.webkit.org/show_bug.cgi?id=175667
2775
2776         Reviewed by Michael Catanzaro.
2777
2778         g_variant_new requires data to have the correct width for their types, using
2779         casting if necessary. Some data of type `unsigned` were being saved to `guint64`
2780         types without explicit casting, leading to undefined behavior in some platforms.
2781
2782         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2783         (Inspector::RemoteInspector::listingForInspectionTarget const):
2784         (Inspector::RemoteInspector::listingForAutomationTarget const):
2785         (Inspector::RemoteInspector::sendMessageToRemote):
2786
2787 2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>
2788
2789         [JSC] Avoid code bloating for iteration if block does not have "break"
2790         https://bugs.webkit.org/show_bug.cgi?id=173228
2791
2792         Reviewed by Keith Miller.
2793
2794         Currently, we always emit code for the break path when emitting for-of iteration.
2795         But we can know that this break path can be used when emitting the bytecode.
2796
2797         This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
2798         the break label may be bound. We emit a break path only when it returns
2799         true. This reduces bytecode bloating when using for-of iteration.
2800
2801         * bytecompiler/BytecodeGenerator.cpp:
2802         (JSC::Label::setLocation):
2803         (JSC::BytecodeGenerator::newLabel):
2804         (JSC::BytecodeGenerator::emitLabel):
2805         (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
2806         (JSC::BytecodeGenerator::breakTarget):
2807         (JSC::BytecodeGenerator::continueTarget):
2808         (JSC::BytecodeGenerator::emitEnumeration):
2809         * bytecompiler/BytecodeGenerator.h:
2810         * bytecompiler/Label.h:
2811         (JSC::Label::bind const):
2812         (JSC::Label::hasOneRef const):
2813         (JSC::Label::isBound const):
2814         (JSC::Label::Label): Deleted.
2815         * bytecompiler/LabelScope.h:
2816         (JSC::LabelScope::hasOneRef const):
2817         (JSC::LabelScope::breakTargetMayBeBound const):
2818         * bytecompiler/NodesCodegen.cpp:
2819         (JSC::ContinueNode::trivialTarget):
2820         (JSC::ContinueNode::emitBytecode):
2821         (JSC::BreakNode::trivialTarget):
2822         (JSC::BreakNode::emitBytecode):
2823
2824 2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>
2825
2826         ARM build fix after r220807 and r220834.
2827         https://bugs.webkit.org/show_bug.cgi?id=175617
2828
2829         Unreviewed typo fix.
2830
2831         * assembler/MacroAssemblerARM.cpp:
2832
2833 2017-08-17  Mark Lam  <mark.lam@apple.com>
2834
2835         Gardening: build fix for ARM_TRADITIONAL after r220807.
2836         https://bugs.webkit.org/show_bug.cgi?id=175617
2837
2838         Not reviewed.
2839
2840         * assembler/MacroAssemblerARM.cpp:
2841
2842 2017-08-16  Mark Lam  <mark.lam@apple.com>
2843
2844         Add back the ability to disable MASM_PROBE from the build.
2845         https://bugs.webkit.org/show_bug.cgi?id=175656
2846         <rdar://problem/33933720>
2847
2848         Reviewed by Yusuke Suzuki.
2849
2850         This is needed for ports that the existing MASM_PROBE implementation doesn't work
2851         well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
2852         default if !ENABLE(MASM_PROBE).
2853
2854         * assembler/AbstractMacroAssembler.h:
2855         * assembler/MacroAssembler.cpp:
2856         * assembler/MacroAssembler.h:
2857         * assembler/MacroAssemblerARM.cpp:
2858         * assembler/MacroAssemblerARM64.cpp:
2859         * assembler/MacroAssemblerARMv7.cpp:
2860         * assembler/MacroAssemblerPrinter.cpp:
2861         * assembler/MacroAssemblerPrinter.h:
2862         * assembler/MacroAssemblerX86Common.cpp:
2863         * assembler/testmasm.cpp:
2864         (JSC::run):
2865         * b3/B3LowerToAir.cpp:
2866         * b3/air/AirPrintSpecial.cpp:
2867         * b3/air/AirPrintSpecial.h:
2868
2869 2017-08-16  Dan Bernstein  <mitz@apple.com>
2870
2871         [Cocoa] Older-iOS install name symbols are being exported on other platforms
2872         https://bugs.webkit.org/show_bug.cgi?id=175654
2873
2874         Reviewed by Tim Horton.
2875
2876         * API/JSBase.cpp: Define the symbols only when targeting iOS.
2877
2878 2017-08-16  Matt Baker  <mattbaker@apple.com>
2879
2880         Web Inspector: capture async stack trace when workers/main context posts a message
2881         https://bugs.webkit.org/show_bug.cgi?id=167084
2882         <rdar://problem/30033673>
2883
2884         Reviewed by Brian Burg.
2885
2886         * inspector/agents/InspectorDebuggerAgent.h:
2887         Add `PostMessage` async call type.
2888
2889 2017-08-16  Mark Lam  <mark.lam@apple.com>
2890
2891         Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
2892         https://bugs.webkit.org/show_bug.cgi?id=175617
2893         <rdar://problem/33912104>
2894
2895         Reviewed by JF Bastien.
2896
2897         This patch adds a new feature to MacroAssembler::probe() where the probe function
2898         can provide a ProbeFunction callback to fill in stack values after the stack
2899         pointer has been adjusted.  The probe function can use this feature as follows:
2900
2901         1. Set the new sp value in the ProbeContext's CPUState.
2902
2903         2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
2904            which will do the work of filling in the stack values after the probe
2905            trampoline has adjusted the machine stack pointer.
2906
2907         3. Set the ProbeContext's initializeStackArgs to any value that the client wants
2908            to pass to the initializeStackFunction callback.
2909
2910         4. Return from the probe function.
2911
2912         Upon returning from the probe function, the probe trampoline will adjust the
2913         stack pointer based on the sp value in CPUState.  If initializeStackFunction
2914         is not set, the probe trampoline will restore registers and return to its caller.
2915
2916         If initializeStackFunction is set, the trampoline will move the ProbeContext
2917         beyond the range of the stack pointer i.e. it will place the new ProbeContext at
2918         an address lower than where CPUState.sp() points.  This ensures that the
2919         ProbeContext will not be trashed by the initializeStackFunction when it writes to
2920         the stack.  Then, the trampoline will call back to the initializeStackFunction
2921         ProbeFunction to let it fill in the stack values as desired.  The
2922         initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
2923         the new location.
2924
2925         initializeStackFunction may now write to the stack at addresses greater or
2926         equal to CPUState.sp(), but not below that.  initializeStackFunction is also
2927         not allowed to change CPUState.sp().  If the initializeStackFunction does not
2928         abide by these rules, then behavior is undefined, and bad things may happen.
2929
2930         For future reference, some implementation details that this patch needed to
2931         be mindful of:
2932
2933         1. When the probe trampoline allocates stack space for the ProbeContext, it
2934            should include OUT_SIZE as well.  This ensures that it doesn't have to move
2935            the ProbeContext on exit if the probe function didn't change the sp.
2936
2937         2. If the trampoline has to move the ProbeContext, it needs to point the machine
2938            sp to new ProbeContext first before copying over the ProbeContext data.  This
2939            protects the new ProbeContext from possibly being trashed by interrupts.
2940
2941         3. When computing the new address of ProbeContext to move to, we need to make
2942            sure that it is properly aligned in accordance with stack ABI requirements
2943            (just like we did when we allocated the ProbeContext on entry to the
2944            probe trampoline).
2945
2946         4. When copying the ProbeContext to its new location, the trampoline should
2947            always copy words from low addresses to high addresses.  This is because if
2948            we're moving the ProbeContext, we'll always be moving it to a lower address.
2949
2950         * assembler/MacroAssembler.h:
2951         * assembler/MacroAssemblerARM.cpp:
2952         * assembler/MacroAssemblerARM64.cpp:
2953         * assembler/MacroAssemblerARMv7.cpp:
2954         * assembler/MacroAssemblerX86Common.cpp:
2955         * assembler/testmasm.cpp:
2956         (JSC::testProbePreservesGPRS):
2957         (JSC::testProbeModifiesStackPointer):
2958         (JSC::fillStack):
2959         (JSC::testProbeModifiesStackWithCallback):
2960         (JSC::run):
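
        The trampoline protocol above, simulated on a byte-array stack as an added example that is not JavaScriptCore's assembler code; the ProbeSim namespace, the kOutSize, kAlignment and kFrameBytes constants, and the simulation-only `stack` field in the context are assumptions made for this illustration:

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <type_traits>

// Added example, not JavaScriptCore code: a host-side simulation of the trampoline
// protocol in the entry above. The machine stack is a byte array, sp is an offset
// into it, and the stack grows toward lower addresses.
namespace ProbeSim {

constexpr size_t kStackSize = 4096;
constexpr uintptr_t kAlignment = 16; // assumed stack ABI alignment
constexpr uintptr_t kOutSize = 32;   // stand-in for the trampoline's OUT_SIZE
constexpr uintptr_t kFrameBytes = 64;
constexpr uint8_t kFramePattern = 0xA5;

struct SimulatedStack {
    alignas(16) uint8_t bytes[kStackSize] = {};
    uintptr_t sp = kStackSize; // empty stack: sp sits at the top
};

struct ProbeContext;
using ProbeFunction = void (*)(ProbeContext*);
struct ProbeContext {
    struct CPUState { uintptr_t sp = 0; } cpu;
    ProbeFunction initializeStackFunction = nullptr;
    SimulatedStack* stack = nullptr; // simulation only: lets callbacks reach the "machine" stack
    uint64_t savedRegisters[4] = {}; // stand-in for the rest of the saved machine state
};
static_assert(std::is_trivially_copyable<ProbeContext>::value && sizeof(ProbeContext) % 8 == 0,
    "the context is relocated by copying it word by word");

inline uintptr_t alignDown(uintptr_t address) { return address & ~(kAlignment - 1); }

// Note 4: copy from low to high addresses, so a move to a lower, overlapping
// address never reads a word it has already overwritten.
inline void copyWordsLowToHigh(uint8_t* dst, const uint8_t* src, size_t size)
{
    for (size_t offset = 0; offset < size; offset += sizeof(uint64_t)) {
        uint64_t word;
        std::memcpy(&word, src + offset, sizeof(word));
        std::memcpy(dst + offset, &word, sizeof(word));
    }
}

// The trampoline. Returns the stack offset of the context that was live when the
// probe sequence finished, so a caller can check where it ended up.
inline uintptr_t runProbe(SimulatedStack& stack, ProbeFunction probe)
{
    const uintptr_t callerSp = stack.sp;
    // Entry (note 1): reserve the context plus OUT_SIZE, aligned.
    const uintptr_t ctxAddr = alignDown(callerSp - sizeof(ProbeContext) - kOutSize);
    stack.sp = ctxAddr;
    ProbeContext* ctx = new (stack.bytes + ctxAddr) ProbeContext();
    ctx->cpu.sp = callerSp;
    ctx->stack = &stack;
    probe(ctx);
    const uintptr_t newSp = ctx->cpu.sp;
    if (!ctx->initializeStackFunction) {
        stack.sp = newSp; // registers would be restored here; omitted
        return ctxAddr;
    }
    // The callback may write anywhere at or above newSp, so relocate the context
    // strictly below it, aligned (note 3), and point sp at the new home before
    // copying (note 2) so nothing else using this stack can trash it.
    const uintptr_t movedAddr = alignDown(newSp - sizeof(ProbeContext));
    stack.sp = movedAddr;
    copyWordsLowToHigh(stack.bytes + movedAddr, stack.bytes + ctxAddr, sizeof(ProbeContext));
    ProbeContext* moved = reinterpret_cast<ProbeContext*>(stack.bytes + movedAddr);
    moved->initializeStackFunction(moved);
    stack.sp = newSp;
    return movedAddr;
}

// Client callback: writes only at or above cpu.sp and never changes cpu.sp, the
// two rules the entry imposes on initializeStackFunction.
inline void fillFrame(ProbeContext* ctx) { std::memset(ctx->stack->bytes + ctx->cpu.sp, kFramePattern, kFrameBytes); }

// Client probe: carves a kFrameBytes frame below the caller's sp. With the sizes
// chosen here that sp lands inside the on-stack context, so the trampoline must
// relocate the context before the callback may run.
inline void lowerSpAndRequestFill(ProbeContext* ctx)
{
    for (size_t i = 0; i < 4; ++i)
        ctx->savedRegisters[i] = 0x1111111111111111ull * (i + 1);
    ctx->cpu.sp -= kFrameBytes;
    ctx->initializeStackFunction = fillFrame;
}

// contextBelowFrame: relocated context ends at or below the new sp;
// registersIntact: the callback's writes did not reach the saved state;
// frameFilled: the frame above the new sp carries the pattern.
struct Outcome { uintptr_t finalSp; bool contextAligned, contextBelowFrame, registersIntact, frameFilled; };

inline Outcome simulate()
{
    SimulatedStack stack;
    const uintptr_t addr = runProbe(stack, lowerSpAndRequestFill);
    const ProbeContext* ctx = reinterpret_cast<const ProbeContext*>(stack.bytes + addr);
    Outcome out { stack.sp, addr % kAlignment == 0, addr + sizeof(ProbeContext) <= stack.sp, true, true };
    for (size_t i = 0; i < 4; ++i)
        out.registersIntact = out.registersIntact && ctx->savedRegisters[i] == 0x1111111111111111ull * (i + 1);
    for (uintptr_t i = stack.sp; i < stack.sp + kFrameBytes; ++i)
        out.frameFilled = out.frameFilled && stack.bytes[i] == kFramePattern;
    return out;
}

} // namespace ProbeSim
```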
2961
2962 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
2963
2964         Fix JSCOnly ARM buildbots after r220047 and r220184
2965         https://bugs.webkit.org/show_bug.cgi?id=174993
2966
2967         Reviewed by Carlos Alberto Lopez Perez.
2968
2969         * CMakeLists.txt: Generate only one backend on Linux to save build time.
2970
2971 2017-08-16  Andy Estes  <aestes@apple.com>
2972
2973         [Payment Request] Add an ENABLE flag and an experimental feature preference
2974         https://bugs.webkit.org/show_bug.cgi?id=175622
2975
2976         Reviewed by Tim Horton.
2977
2978         * Configurations/FeatureDefines.xcconfig:
2979
2980 2017-08-15  Robin Morisset  <rmorisset@apple.com>
2981
2982         We are too conservative about the effects of PushWithScope
2983         https://bugs.webkit.org/show_bug.cgi?id=175584
2984
2985         Reviewed by Saam Barati.
2986
2987         PushWithScope converts its argument to an object (this can throw a type error,
2988         but has no other observable effect), and allocates a new scope that it then
2989         makes the new current scope. We were a bit too conservative in saying that it
2990         clobbers the world.
2991
2992         * dfg/DFGAbstractInterpreterInlines.h:
2993         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2994         * dfg/DFGClobberize.h:
2995         (JSC::DFG::clobberize):
2996         * dfg/DFGDoesGC.cpp:
2997         (JSC::DFG::doesGC):
2998
2999 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
3000
3001         Make DataTransferItemList work with plain text entries
3002         https://bugs.webkit.org/show_bug.cgi?id=175596
3003
3004         Reviewed by Wenson Hsieh.
3005
3006         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
3007
3008         * runtime/CommonIdentifiers.h:
3009
3010 2017-08-15  Robin Morisset  <rmorisset@apple.com>
3011
3012         Support the 'with' keyword in FTL
3013         https://bugs.webkit.org/show_bug.cgi?id=175585
3014
3015         Reviewed by Saam Barati.
3016
3017         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
3018         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
3019         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
3020         that takes its parentScope argument first.
3021
3022         * bytecompiler/BytecodeGenerator.cpp:
3023         (JSC::BytecodeGenerator::emitPushWithScope):
3024         * debugger/DebuggerCallFrame.cpp:
3025         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
3026         * dfg/DFGByteCodeParser.cpp:
3027         (JSC::DFG::ByteCodeParser::parseBlock):
3028         * dfg/DFGFixupPhase.cpp:
3029         (JSC::DFG::FixupPhase::fixupNode):
3030         * dfg/DFGSpeculativeJIT.cpp:
3031         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
3032         * ftl/FTLCapabilities.cpp:
3033         (JSC::FTL::canCompile):
3034         * ftl/FTLLowerDFGToB3.cpp:
3035         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3036         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
3037         * jit/JITOperations.cpp:
3038         * runtime/CommonSlowPaths.cpp:
3039         (JSC::SLOW_PATH_DECL):
3040         * runtime/Completion.cpp:
3041         (JSC::evaluateWithScopeExtension):
3042         * runtime/JSWithScope.cpp:
3043         (JSC::JSWithScope::create):
3044         * runtime/JSWithScope.h:
3045
3046 2017-08-15  Saam Barati  <sbarati@apple.com>
3047
3048         Make VM::scratchBufferForSize thread safe
3049         https://bugs.webkit.org/show_bug.cgi?id=175604
3050
3051         Reviewed by Geoffrey Garen and Mark Lam.
3052
3053         I want to use the VM::scratchBufferForSize in another patch I'm writing.
3054         The use case for my other patch is to call it from the compiler thread.
3055         When reading the code, I saw that this API was not thread safe. This patch
3056         makes it thread safe. It actually turns out we were calling this API from
3057         the compiler thread already when we created FTL::State for an FTL OSR entry
3058         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
3059         is now correct with this patch.
3060
3061         * runtime/VM.cpp:
3062         (JSC::VM::VM):
3063         (JSC::VM::~VM):
3064         (JSC::VM::gatherConservativeRoots):
3065         (JSC::VM::scratchBufferForSize):
3066         * runtime/VM.h:
3067         (JSC::VM::scratchBufferForSize): Deleted.
3068
3069 2017-08-15  Keith Miller  <keith_miller@apple.com>
3070
3071         JSC named bytecode offsets should use references rather than pointers
3072         https://bugs.webkit.org/show_bug.cgi?id=175601
3073
3074         Reviewed by Saam Barati.
3075
3076         * dfg/DFGByteCodeParser.cpp:
3077         (JSC::DFG::ByteCodeParser::parseBlock):
3078         * jit/JITOpcodes.cpp:
3079         (JSC::JIT::emit_op_overrides_has_instance):
3080         (JSC::JIT::emit_op_instanceof):
3081         (JSC::JIT::emitSlow_op_instanceof):
3082         (JSC::JIT::emitSlow_op_instanceof_custom):
3083         * jit/JITOpcodes32_64.cpp:
3084         (JSC::JIT::emit_op_overrides_has_instance):
3085         (JSC::JIT::emit_op_instanceof):
3086         (JSC::JIT::emitSlow_op_instanceof):
3087         (JSC::JIT::emitSlow_op_instanceof_custom):
3088
3089 2017-08-15  Keith Miller  <keith_miller@apple.com>
3090
3091         Enable named offsets into JSC bytecodes
3092         https://bugs.webkit.org/show_bug.cgi?id=175561
3093
3094         Reviewed by Mark Lam.
3095
3096         This patch adds the ability to add named offsets into JSC's
3097         bytecodes.  In the bytecode json file, instead of listing a
3098         length, you can now list a set of names and their types. Each
3099         opcode with an offsets property will have a struct named after the
3100         opcode in our C++ naming style. For example,
3101         op_overrides_has_instance would become OpOverridesHasInstance. The
3102         struct has the same memory layout as the instruction list has but
3103         comes with handy named accessors.
3104
3105         As a first cut I converted the various instanceof bytecodes to use
3106         named offsets.
3107
3108         As an example op_overrides_has_instance produces the following struct:
3109
3110         struct OpOverridesHasInstance {
3111         public:
3112             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
3113             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
3114             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
3115             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
3116             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
3117             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
3118             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
3119             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
3120
3121         private:
3122             friend class LLIntOffsetsExtractor;
3123             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
3124             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
3125             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
3126             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
3127         };
3128
3129         * CMakeLists.txt:
3130         * DerivedSources.make:
3131         * JavaScriptCore.xcodeproj/project.pbxproj:
3132         * bytecode/BytecodeList.json:
3133         * dfg/DFGByteCodeParser.cpp:
3134         (JSC::DFG::ByteCodeParser::parseBlock):
3135         * generate-bytecode-files:
3136         * jit/JITOpcodes.cpp:
3137         (JSC::JIT::emit_op_overrides_has_instance):
3138         (JSC::JIT::emit_op_instanceof):
3139         (JSC::JIT::emitSlow_op_instanceof):
3140         (JSC::JIT::emitSlow_op_instanceof_custom):
3141         * jit/JITOpcodes32_64.cpp:
3142         (JSC::JIT::emit_op_overrides_has_instance):
3143         (JSC::JIT::emit_op_instanceof):
3144         (JSC::JIT::emitSlow_op_instanceof):
3145         (JSC::JIT::emitSlow_op_instanceof_custom):
3146         * llint/LLIntOffsetsExtractor.cpp:
3147         * llint/LowLevelInterpreter.asm:
3148         * llint/LowLevelInterpreter32_64.asm:
3149         * llint/LowLevelInterpreter64.asm:
3150
3151 2017-08-15  Mark Lam  <mark.lam@apple.com>
3152
3153         Update testmasm to use new CPUState APIs.
3154         https://bugs.webkit.org/show_bug.cgi?id=175573
3155
3156         Reviewed by Keith Miller.
3157
3158         1. Applied convenience CPUState accessors to minimize casting.
3159         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
3160            messages.
3161         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
3162            casting is (mostly) no longer an issue.
3163         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
3164            to make it clear that we're comparing against the bit values of testWord64(id).
3165         5. Added a "Completed N tests" message at the end of running all tests.
3166            This makes it easy to tell at a glance that testmasm completed successfully
3167            versus when it crashed midway in a test.  The number of tests also serves as
3168            a quick checksum to confirm that we ran the number of tests we expected.
3169
3170         * assembler/testmasm.cpp:
3171         (WTF::printInternal):
3172         (JSC::testSimple):
3173         (JSC::testProbeReadsArgumentRegisters):
3174         (JSC::testProbeWritesArgumentRegisters):
3175         (JSC::testProbePreservesGPRS):
3176         (JSC::testProbeModifiesStackPointer):
3177         (JSC::testProbeModifiesProgramCounter):
3178         (JSC::run):
3179
3180 2017-08-14  Keith Miller  <keith_miller@apple.com>
3181
3182         Add testing tool to lie to the DFG about profiles
3183         https://bugs.webkit.org/show_bug.cgi?id=175487
3184
3185         Reviewed by Saam Barati.
3186
3187         This patch adds a new bytecode identity_with_profile that lets
3188         us lie to the DFG about what profiles it has seen as the input to
3189         another bytecode. Previously, there was no reliable way to force
3190         a given profile when we tiered up.
3191
3192         * bytecode/BytecodeDumper.cpp:
3193         (JSC::BytecodeDumper<Block>::dumpBytecode):
3194         * bytecode/BytecodeIntrinsicRegistry.h:
3195         * bytecode/BytecodeList.json:
3196         * bytecode/BytecodeUseDef.h:
3197         (JSC::computeUsesForBytecodeOffset):
3198         (JSC::computeDefsForBytecodeOffset):
3199         * bytecode/SpeculatedType.cpp:
3200         (JSC::speculationFromString):
3201         * bytecode/SpeculatedType.h:
3202         * bytecompiler/BytecodeGenerator.cpp:
3203         (JSC::BytecodeGenerator::emitIdWithProfile):
3204         * bytecompiler/BytecodeGenerator.h:
3205         * bytecompiler/NodesCodegen.cpp:
3206         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
3207         * dfg/DFGAbstractInterpreterInlines.h:
3208         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3209         * dfg/DFGByteCodeParser.cpp:
3210         (JSC::DFG::ByteCodeParser::parseBlock):
3211         * dfg/DFGCapabilities.cpp:
3212         (JSC::DFG::capabilityLevel):
3213         * dfg/DFGClobberize.h:
3214         (JSC::DFG::clobberize):
3215         * dfg/DFGDoesGC.cpp:
3216         (JSC::DFG::doesGC):
3217         * dfg/DFGFixupPhase.cpp:
3218         (JSC::DFG::FixupPhase::fixupNode):
3219         * dfg/DFGMayExit.cpp:
3220         * dfg/DFGNode.h:
3221         (JSC::DFG::Node::getForcedPrediction):
3222         * dfg/DFGNodeType.h:
3223         * dfg/DFGPredictionPropagationPhase.cpp:
3224         * dfg/DFGSafeToExecute.h:
3225         (JSC::DFG::safeToExecute):
3226         * dfg/DFGSpeculativeJIT32_64.cpp:
3227         (JSC::DFG::SpeculativeJIT::compile):
3228         * dfg/DFGSpeculativeJIT64.cpp:
3229         (JSC::DFG::SpeculativeJIT::compile):
3230         * dfg/DFGValidate.cpp:
3231         * jit/JIT.cpp:
3232         (JSC::JIT::privateCompileMainPass):
3233         * jit/JIT.h:
3234         * jit/JITOpcodes.cpp:
3235         (JSC::JIT::emit_op_identity_with_profile):
3236         * jit/JITOpcodes32_64.cpp:
3237         (JSC::JIT::emit_op_identity_with_profile):
3238         * llint/LowLevelInterpreter.asm:
3239
3240 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
3241
3242         Remove Proximity Events and related code
3243         https://bugs.webkit.org/show_bug.cgi?id=175545
3244
3245         Reviewed by Daniel Bates.
3246
3247         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
3248         and other related code.
3249
3250         * Configurations/FeatureDefines.xcconfig:
3251
3252 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
3253
3254         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
3255         https://bugs.webkit.org/show_bug.cgi?id=175504
3256
3257         Reviewed by Sam Weinig.
3258
3259         * Configurations/FeatureDefines.xcconfig:
3260
3261 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
3262
3263         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
3264         https://bugs.webkit.org/show_bug.cgi?id=175557
3265
3266         Reviewed by Jon Lee.
3267
3268         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
3269
3270         * Configurations/FeatureDefines.xcconfig:
3271
3272 2017-08-14  Robin Morisset  <rmorisset@apple.com>
3273
3274         Support the 'with' keyword in DFG
3275         https://bugs.webkit.org/show_bug.cgi?id=175470
3276
3277         Reviewed by Saam Barati.
3278
3279         Not particularly optimized at the moment, the goal is just to avoid
3280         the DFG bailing out of any function with this keyword.
3281
3282         * dfg/DFGAbstractInterpreterInlines.h:
3283         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3284         * dfg/DFGByteCodeParser.cpp:
3285         (JSC::DFG::ByteCodeParser::parseBlock):
3286         * dfg/DFGCapabilities.cpp:
3287         (JSC::DFG::capabilityLevel):
3288         * dfg/DFGClobberize.h:
3289         (JSC::DFG::clobberize):
3290         * dfg/DFGDoesGC.cpp:
3291         (JSC::DFG::doesGC):
3292         * dfg/DFGFixupPhase.cpp:
3293         (JSC::DFG::FixupPhase::fixupNode):
3294         * dfg/DFGNodeType.h:
3295         * dfg/DFGPredictionPropagationPhase.cpp:
3296         * dfg/DFGSafeToExecute.h:
3297         (JSC::DFG::safeToExecute):
3298         * dfg/DFGSpeculativeJIT.cpp:
3299         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
3300         * dfg/DFGSpeculativeJIT.h:
3301         (JSC::DFG::SpeculativeJIT::callOperation):
3302         * dfg/DFGSpeculativeJIT32_64.cpp:
3303         (JSC::DFG::SpeculativeJIT::compile):
3304         * dfg/DFGSpeculativeJIT64.cpp:
3305         (JSC::DFG::SpeculativeJIT::compile):
3306         * jit/JITOperations.cpp:
3307         * jit/JITOperations.h:
3308
3309 2017-08-14  Mark Lam  <mark.lam@apple.com>
3310
3311         Add some convenience utility accessor methods to MacroAssembler::CPUState.
3312         https://bugs.webkit.org/show_bug.cgi?id=175549
3313         <rdar://problem/33884868>
3314
3315         Reviewed by Saam Barati.
3316
3317         Previously, in order to read ProbeContext CPUState registers, we used to need to
3318         do it this way:
3319
3320             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
3321             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
3322             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
3323             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
3324
3325         With this patch, we can now read them this way instead:
3326         
3327             ExecState* exec = cpu.fp<ExecState*>();
3328             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
3329             void* p = cpu.gpr<void*>(GPRInfo::regT1);
3330             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
3331
3332         * assembler/MacroAssembler.h:
3333         (JSC:: const):
3334         (JSC::MacroAssembler::CPUState::fpr const):
3335         (JSC::MacroAssembler::CPUState::pc const):
3336         (JSC::MacroAssembler::CPUState::fp const):
3337         (JSC::MacroAssembler::CPUState::sp const):
3338         (JSC::ProbeContext::pc):
3339         (JSC::ProbeContext::fp):
3340         (JSC::ProbeContext::sp):
3341
3342 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
3343
3344         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
3345         https://bugs.webkit.org/show_bug.cgi?id=174921
3346
3347         Reviewed by Mark Lam.
3348         
3349         Uses CagedUniquePtr<> to cage the ScopeOffset array.
3350
3351         * dfg/DFGSpeculativeJIT.cpp:
3352         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3353         * ftl/FTLLowerDFGToB3.cpp:
3354         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3355         * jit/JITPropertyAccess.cpp:
3356         (JSC::JIT::emitScopedArgumentsGetByVal):
3357         * runtime/ScopedArgumentsTable.cpp:
3358         (JSC::ScopedArgumentsTable::create):
3359         (JSC::ScopedArgumentsTable::setLength):
3360         * runtime/ScopedArgumentsTable.h:
3361
3362 2017-08-14  Mark Lam  <mark.lam@apple.com>
3363
3364         Gardening: fix Windows build.
3365         https://bugs.webkit.org/show_bug.cgi?id=175446
3366
3367         Not reviewed.
3368
3369         * assembler/MacroAssemblerX86Common.cpp:
3370         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
3371         (JSC::ctiMasmProbeTrampoline):
3372
3373 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
3374
3375         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
3376         https://bugs.webkit.org/show_bug.cgi?id=175512
3377         <rdar://problem/33863584>
3378
3379         Reviewed by Mark Lam.
3380
3381         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
3382         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
3383
3384 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
3385
3386         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
3387         https://bugs.webkit.org/show_bug.cgi?id=175513
3388
3389         Reviewed by Mark Lam.
3390
3391         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
3392
3393 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
3394
3395         FTL's compileGetTypedArrayByteOffset needs to do caging
3396         https://bugs.webkit.org/show_bug.cgi?id=175366
3397
3398         Reviewed by Saam Barati.
3399         
3400         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
3401         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
3402
3403         * dfg/DFGSpeculativeJIT.cpp:
3404         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3405         * ftl/FTLLowerDFGToB3.cpp:
3406         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
3407         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
3408         * runtime/ArrayBuffer.h:
3409         * runtime/ArrayBufferView.h:
3410         * runtime/JSArrayBufferView.h:
3411
3412 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
3413
3414         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
3415         https://bugs.webkit.org/show_bug.cgi?id=175474
3416         <rdar://problem/33844628>
3417
3418         Reviewed by Wenson Hsieh.
3419
3420         * Configurations/FeatureDefines.xcconfig:
3421         * runtime/CommonIdentifiers.h:
3422
3423 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3424
3425         Caging shouldn't have to use a patchpoint for adding
3426         https://bugs.webkit.org/show_bug.cgi?id=175483
3427
3428         Reviewed by Mark Lam.
3429
3430         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
3431         constants and associative operations dictate that you always want to sink constants. For example,
3432         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
3433         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
3434         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
3435         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
3436         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
3437         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
3438         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
3439         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
3440         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
3441         hacks for just stopping B3's reassociation only in this specific case.
3442         
3443         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
3444         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
3445         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
3446         that if we cage the same pointer in two places, both places will compute the same value.
3447         
3448         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
3449         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
3450         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
3451         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
3452         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
3453         enough scale to warrant new opcodes.)
3454         
3455         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
3456         makes the code a bit less ugly.
3457
3458         * b3/B3LowerToAir.cpp:
3459         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
3460         (JSC::B3::Air::LowerToAir::lower):
3461         * b3/B3Opcode.cpp:
3462         (WTF::printInternal):
3463         * b3/B3Opcode.h:
3464         * b3/B3ReduceStrength.cpp:
3465         * b3/B3Validate.cpp:
3466         * b3/B3Value.cpp:
3467         (JSC::B3::Value::effects const):
3468         (JSC::B3::Value::key const):
3469         (JSC::B3::Value::isFree const):
3470         (JSC::B3::Value::typeFor):
3471         * b3/B3Value.h:
3472         * b3/B3ValueKey.cpp:
3473         (JSC::B3::ValueKey::materialize const):
3474         * ftl/FTLLowerDFGToB3.cpp:
3475         (JSC::FTL::DFG::LowerDFGToB3::caged):
3476         * ftl/FTLOutput.cpp:
3477         (JSC::FTL::Output::opaque):
3478         * ftl/FTLOutput.h:
3479
3480 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3481
3482         ScopedArguments overflow storage needs to be in the JSValue gigacage
3483         https://bugs.webkit.org/show_bug.cgi?id=174923
3484
3485         Reviewed by Saam Barati.
3486         
3487         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
3488         object into the JSValue gigacage.
3489
3490         * dfg/DFGSpeculativeJIT.cpp:
3491         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3492         * ftl/FTLLowerDFGToB3.cpp:
3493         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3494         * jit/JITPropertyAccess.cpp:
3495         (JSC::JIT::emitScopedArgumentsGetByVal):
3496         * runtime/ScopedArguments.h:
3497         (JSC::ScopedArguments::subspaceFor):
3498         (JSC::ScopedArguments::overflowStorage const):
3499
3500 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3501
3502         JSLexicalEnvironment needs to be in the JSValue gigacage
3503         https://bugs.webkit.org/show_bug.cgi?id=174922
3504
3505         Reviewed by Michael Saboff.
3506         
3507         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
3508         the only random accesses use pointer caging.
3509         
3510         We don't need to do anything to normal lexical environment accesses.
3511
3512         * dfg/DFGSpeculativeJIT.cpp:
3513         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
3514         * ftl/FTLLowerDFGToB3.cpp:
3515         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3516         * runtime/JSEnvironmentRecord.h:
3517         (JSC::JSEnvironmentRecord::subspaceFor):
3518         (JSC::JSEnvironmentRecord::variables):
3519
3520 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3521
3522         DirectArguments should be in the JSValue gigacage
3523         https://bugs.webkit.org/show_bug.cgi?id=174920
3524
3525         Reviewed by Michael Saboff.
3526         
3527         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
3528         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
3529         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
3530         required to use fixed offsets, and you can only store JSValues.
3531
3532         * dfg/DFGSpeculativeJIT.cpp:
3533         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
3534         * ftl/FTLLowerDFGToB3.cpp:
3535         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
3536         * jit/JITPropertyAccess.cpp:
3537         (JSC::JIT::emitDirectArgumentsGetByVal):
3538         * runtime/DirectArguments.h:
3539         (JSC::DirectArguments::subspaceFor):
3540         (JSC::DirectArguments::storage):
3541         * runtime/VM.cpp:
3542         (JSC::VM::VM):
3543         * runtime/VM.h:
3544
3545 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
3546
3547         Unreviewed, add a FIXME.
3548
3549         * ftl/FTLLowerDFGToB3.cpp:
3550         (JSC::FTL::DFG::LowerDFGToB3::caged):
3551
3552 2017-08-10  Sam Weinig  <sam@webkit.org>
3553
3554         WTF::Function does not allow for reference / non-default constructible return types
3555         https://bugs.webkit.org/show_bug.cgi?id=175244
3556
3557         Reviewed by Chris Dumez.
3558
3559         * runtime/ArrayBuffer.cpp:
3560         (JSC::ArrayBufferContents::transferTo):
3561         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3562         destroy call needed to be a no-op anyway, since the data is being moved.
3563
3564 2017-08-11  Mark Lam  <mark.lam@apple.com>
3565
3566         Gardening: fix CLoop build.
3567         https://bugs.webkit.org/show_bug.cgi?id=175446
3568         <rdar://problem/33836545>
3569
3570         Not reviewed.
3571
3572         * assembler/MacroAssemblerPrinter.cpp:
3573
3574 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3575
3576         DFG should do caging
3577         https://bugs.webkit.org/show_bug.cgi?id=174918
3578
3579         Reviewed by Saam Barati.
3580         
3581         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
3582         the conditional caging with a watchpoint.
3583         
3584         This might be a 1% SunSpider slow-down, but it's not clear.
3585
3586         * dfg/DFGSpeculativeJIT.cpp:
3587         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
3588         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
3589         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
3590         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3591         (JSC::DFG::SpeculativeJIT::compileSpread):
3592         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3593         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3594         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3595         * dfg/DFGSpeculativeJIT.h:
3596         * dfg/DFGSpeculativeJIT64.cpp:
3597         (JSC::DFG::SpeculativeJIT::compile):
3598
3599 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
3600
3601         Unreviewed, build fix for x86 GTK port
3602         https://bugs.webkit.org/show_bug.cgi?id=175446
3603
3604         Use pushfl/popfl instead of pushfd/popfd.
3605
3606         * assembler/MacroAssemblerX86Common.cpp:
3607
3608 2017-08-10  Mark Lam  <mark.lam@apple.com>
3609
3610         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
3611         https://bugs.webkit.org/show_bug.cgi?id=175446
3612         <rdar://problem/33836545>
3613
3614         Reviewed by Saam Barati.
3615
3616         * assembler/AbstractMacroAssembler.h:
3617         * assembler/MacroAssembler.cpp:
3618         (JSC::MacroAssembler::probe):
3619         * assembler/MacroAssembler.h:
3620         * assembler/MacroAssemblerARM.cpp:
3621         (JSC::MacroAssembler::probe):
3622         * assembler/MacroAssemblerARM.h:
3623         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
3624         * assembler/MacroAssemblerARM64.cpp:
3625         (JSC::MacroAssembler::probe):
3626         * assembler/MacroAssemblerARMv7.cpp:
3627         (JSC::MacroAssembler::probe):
3628         * assembler/MacroAssemblerARMv7.h:
3629         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
3630         * assembler/MacroAssemblerPrinter.cpp:
3631         * assembler/MacroAssemblerPrinter.h:
3632         * assembler/MacroAssemblerX86Common.cpp:
3633         * assembler/testmasm.cpp:
3634         (JSC::isSpecialGPR):
3635         (JSC::testProbeModifiesProgramCounter):
3636         (JSC::run):
3637         * b3/B3LowerToAir.cpp:
3638         (JSC::B3::Air::LowerToAir::print):
3639         * b3/air/AirPrintSpecial.cpp:
3640         * b3/air/AirPrintSpecial.h:
3641
3642 2017-08-10  Mark Lam  <mark.lam@apple.com>
3643
3644         Apply the UNLIKELY macro to some unlikely things.
3645         https://bugs.webkit.org/show_bug.cgi?id=175440
3646         <rdar://problem/33834767>
3647
3648         Reviewed by Yusuke Suzuki.
3649
3650         * bytecode/CodeBlock.cpp:
3651         (JSC::CodeBlock::~CodeBlock):
3652         (JSC::CodeBlock::jettison):
3653         * dfg/DFGByteCodeParser.cpp:
3654         (JSC::DFG::ByteCodeParser::handleCall):
3655         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3656         (JSC::DFG::ByteCodeParser::handleGetById):
3657         (JSC::DFG::ByteCodeParser::handlePutById):
3658         (JSC::DFG::ByteCodeParser::parseBlock):
3659         (JSC::DFG::ByteCodeParser::parseCodeBlock):
3660         * dfg/DFGJITCompiler.cpp:
3661         (JSC::DFG::JITCompiler::JITCompiler):
3662         (JSC::DFG::JITCompiler::linkOSRExits):
3663         (JSC::DFG::JITCompiler::link):
3664         (JSC::DFG::JITCompiler::disassemble):
3665         * dfg/DFGJITFinalizer.cpp:
3666         (JSC::DFG::JITFinalizer::finalizeCommon):
3667         * dfg/DFGOSRExit.cpp:
3668         (JSC::DFG::OSRExit::compileOSRExit):
3669         * dfg/DFGPlan.cpp:
3670         (JSC::DFG::Plan::Plan):
3671         * ftl/FTLJITFinalizer.cpp:
3672         (JSC::FTL::JITFinalizer::finalizeCommon):
3673         * ftl/FTLLink.cpp:
3674         (JSC::FTL::link):
3675         * ftl/FTLOSRExitCompiler.cpp:
3676         (JSC::FTL::compileStub):
3677         * jit/JIT.cpp:
3678         (JSC::JIT::privateCompileMainPass):
3679         (JSC::JIT::compileWithoutLinking):
3680         (JSC::JIT::link):
3681         * runtime/ScriptExecutable.cpp:
3682         (JSC::ScriptExecutable::installCode):
3683         * runtime/VM.cpp:
3684         (JSC::VM::VM):
3685
3686 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3687
3688         [WTF] ThreadSpecific should not introduce additional indirection
3689         https://bugs.webkit.org/show_bug.cgi?id=175187
3690
3691         Reviewed by Mark Lam.
3692
3693         * runtime/Identifier.cpp:
3694
3695 2017-08-10  Tim Horton  <timothy_horton@apple.com>
3696
3697         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
3698         https://bugs.webkit.org/show_bug.cgi?id=175436
3699         <rdar://problem/33667497>
3700
3701         Reviewed by Simon Fraser.
3702
3703         * interpreter/Interpreter.cpp:
3704         (JSC::Interpreter::Interpreter):
3705
3706 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
3707
3708         Remove ENABLE_GAMEPAD_DEPRECATED
3709         https://bugs.webkit.org/show_bug.cgi?id=175361
3710
3711         Reviewed by Carlos Garcia Campos.
3712
3713         * Configurations/FeatureDefines.xcconfig:
3714
3715 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
3716
3717         [JSC] Create JSSet constructor that accepts its size as parameter
3718         https://bugs.webkit.org/show_bug.cgi?id=173297
3719
3720         Reviewed by Saam Barati.
3721
3722         This patch is adding a new constructor to JSSet that gives its
3723         expected initial size. It is important to avoid re-hashing and multiple
3724         allocations when we know the final size of JSSet, such as in
3725         CodeBlock::setConstantIdentifierSetRegisters.
3726
3727         * bytecode/CodeBlock.cpp:
3728         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3729         * runtime/HashMapImpl.h:
3730         (JSC::HashMapImpl::HashMapImpl):
3731         * runtime/JSSet.h:
3732
3733 2017-08-09  Commit Queue  <commit-queue@webkit.org>
3734
3735         Unreviewed, rolling out r220466, r220477, and r220487.
3736         https://bugs.webkit.org/show_bug.cgi?id=175411
3737
3738         This change broke existing API tests and follow up fixes did
3739         not resolve all the issues. (Requested by ryanhaddad on
3740         #webkit).
3741
3742         Reverted changesets:
3743
3744         https://bugs.webkit.org/show_bug.cgi?id=175244
3745         http://trac.webkit.org/changeset/220466
3746
3747         "WTF::Function does not allow for reference / non-default
3748         constructible return types"
3749         https://bugs.webkit.org/show_bug.cgi?id=175244
3750         http://trac.webkit.org/changeset/220477
3751
3752         https://bugs.webkit.org/show_bug.cgi?id=175244
3753         http://trac.webkit.org/changeset/220487
3754
3755 2017-08-09  Caitlin Potter  <caitp@igalia.com>
3756
3757         Early error on ANY operator before new.target
3758         https://bugs.webkit.org/show_bug.cgi?id=157970
3759
3760         Reviewed by Saam Barati.
3761
3762         Instead of throwing if any unary operator precedes new.target, only
3763         throw if the unary operator updates the reference.
3764
3765         The following become legal in JSC:
3766
3767         ```
3768         !new.target
3769         ~new.target
3770         typeof new.target
3771         delete new.target
3772         void new.target
3773         ```
3774
3775         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
3776
3777         * parser/Parser.cpp:
3778         (JSC::Parser<LexerType>::parseUnaryExpression):
3779
3780 2017-08-09  Sam Weinig  <sam@webkit.org>
3781
3782         WTF::Function does not allow for reference / non-default constructible return types
3783         https://bugs.webkit.org/show_bug.cgi?id=175244
3784
3785         Reviewed by Chris Dumez.
3786
3787         * runtime/ArrayBuffer.cpp:
3788         (JSC::ArrayBufferContents::transferTo):
3789         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3790         destroy call needed to be a no-op anyway, since the data is being moved.
3791
3792 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
3793
3794         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
3795         https://bugs.webkit.org/show_bug.cgi?id=175392
3796         <rdar://problem/33783207>
3797
3798         Reviewed by Tim Horton and Megan Gardner.
3799
3800         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
3801
3802         * Configurations/FeatureDefines.xcconfig:
3803
3804 2017-08-09  Robin Morisset  <rmorisset@apple.com>
3805
3806         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
3807         https://bugs.webkit.org/show_bug.cgi?id=175358
3808
3809         Reviewed by Mark Lam.
3810
3811         * jit/JITOperations.cpp:
3812         * runtime/JSObjectInlines.h:
3813         (JSC::JSObject::putInlineForJSObject):
3814
3815 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
3816
3817         Unreviewed, rolling out r220457.
3818
3819         This change introduced API test failures.
3820
3821         Reverted changeset:
3822
3823         "WTF::Function does not allow for reference / non-default
3824         constructible return types"
3825         https://bugs.webkit.org/show_bug.cgi?id=175244
3826         http://trac.webkit.org/changeset/220457
3827
3828 2017-08-09  Sam Weinig  <sam@webkit.org>
3829
3830         WTF::Function does not allow for reference / non-default constructible return types
3831         https://bugs.webkit.org/show_bug.cgi?id=175244
3832
3833         Reviewed by Chris Dumez.
3834
3835         * runtime/ArrayBuffer.cpp:
3836         (JSC::ArrayBufferContents::transferTo):
3837         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
3838         destroy call needed to be a no-op anyway, since the data is being moved.
3839
3840 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
3841
3842         REGRESSION: 2 test262/test/language/statements/async-function failures
3843         https://bugs.webkit.org/show_bug.cgi?id=175334
3844
3845         Reviewed by Yusuke Suzuki.
3846
3847         Switch off useAsyncIterator by default
3848
3849         * runtime/Options.h:
3850
3851 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
3852
3853         ICs should do caging
3854         https://bugs.webkit.org/show_bug.cgi?id=175295
3855
3856         Reviewed by Saam Barati.
3857         
3858         Adds the appropriate cage() calls in our inline caches.
3859
3860         * bytecode/AccessCase.cpp:
3861         (JSC::AccessCase::generateImpl):
3862         * bytecode/InlineAccess.cpp:
3863         (JSC::InlineAccess::dumpCacheSizesAndCrash):
3864         (JSC::InlineAccess::generateSelfPropertyAccess):
3865         (JSC::InlineAccess::generateSelfPropertyReplace):
3866         (JSC::InlineAccess::generateArrayLength):
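
The caging that the entries above describe (the cage() calls added to the DFG and to the inline caches, and the Add(ptr, largeConstant) that the B3 Opaque entry works around) is one pointer transformation. The block below is an added illustration in C++ and is not code from WebKit or from these patches: it models a Gigacage-style cage using an assumed 1 MiB region aligned to its own size, a hypothetical bump allocator, and a caged() helper that masks a pointer down to an offset and adds the cage base. It then shows that an in-cage pointer passes through unchanged while a corrupted storage pointer aimed at data outside the cage is forced back inside it.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>

// Added example: a model of pointer caging in the style of the Gigacage.
// Cage geometry is an assumption for this example: a 1 MiB region whose start
// is aligned to its own size, standing in for the multi-gigabyte real cage.
static constexpr size_t kCageSize = size_t(1) << 20;
static constexpr uintptr_t kCageMask = kCageSize - 1;

struct Cage {
    std::unique_ptr<uint8_t[]> backing; // over-allocated so we can align inside it
    uint8_t* base = nullptr;            // kCageSize-aligned start of the cage
    size_t used = 0;                    // bump-allocator cursor (hypothetical)
};

static Cage makeCage() {
    Cage cage;
    cage.backing.reset(new uint8_t[2 * kCageSize]()); // zero-filled
    uintptr_t raw = reinterpret_cast<uintptr_t>(cage.backing.get());
    cage.base = reinterpret_cast<uint8_t*>((raw + kCageMask) & ~kCageMask);
    return cage;
}

// Allocate `bytes` inside the cage; returns nullptr when the cage is full.
static void* cageAlloc(Cage& cage, size_t bytes) {
    if (cage.used + bytes > kCageSize) return nullptr;
    void* p = cage.base + cage.used;
    cage.used += bytes;
    return p;
}

static bool isInCage(const Cage& cage, const void* p) {
    uintptr_t a = reinterpret_cast<uintptr_t>(p);
    uintptr_t b = reinterpret_cast<uintptr_t>(cage.base);
    return a >= b && a < b + kCageSize;
}

// The caging operation: keep only the low bits of the pointer (its offset in
// the cage) and add the cage base. Because the base is kCageSize-aligned, an
// in-cage pointer comes back unchanged and any other pointer is forced to some
// address inside the cage. In JIT terms this is an And followed by the
// Add(ptr, largeConstant) the ChangeLog entries refer to.
template<typename T>
static T* caged(const Cage& cage, T* ptr) {
    uintptr_t base = reinterpret_cast<uintptr_t>(cage.base);
    uintptr_t offset = reinterpret_cast<uintptr_t>(ptr) & kCageMask;
    return reinterpret_cast<T*>(base + offset);
}

struct Demo {
    bool inCagePointerUnchanged;
    bool corruptedPointerRemappedIntoCage;
    bool secretNotReadable;
};

// Scenario (constructed): a 64-bit secret lives on the stack, outside the
// cage. A storage pointer is "corrupted" to point at it. Every access that
// goes through caged() lands inside the cage and therefore never reads the
// secret, even though the pointer itself was fully attacker-controlled.
static Demo runDemo() {
    Cage cage = makeCage();
    uint64_t* storage = static_cast<uint64_t*>(cageAlloc(cage, 16 * sizeof(uint64_t)));
    for (int i = 0; i < 16; ++i) storage[i] = 0x1000 + i;

    uint64_t secret = 0xDEADBEEFCAFEBABEull;

    Demo d{};
    d.inCagePointerUnchanged = caged(cage, storage) == storage
                            && caged(cage, storage + 7) == storage + 7;

    uint64_t* corrupted = &secret;            // simulated pointer corruption
    uint64_t* fixed = caged(cage, corrupted); // what the JIT would actually dereference
    d.corruptedPointerRemappedIntoCage = isInCage(cage, fixed) && !isInCage(cage, corrupted);
    d.secretNotReadable = *fixed != secret;   // read lands in the cage, not on the secret
    return d;
}

int main() {
    Demo d = runDemo();
    std::printf("in-cage pointer unchanged:   %s\n", d.inCagePointerUnchanged ? "yes" : "no");
    std::printf("corrupted pointer remapped:  %s\n", d.corruptedPointerRemappedIntoCage ? "yes" : "no");
    std::printf("secret unreachable via cage: %s\n", d.secretNotReadable ? "yes" : "no");
    return 0;
}
```

Two caveats a practitioner should keep in mind. First, caging bounds where a corrupted pointer can reach; it does not detect the corruption, so the read above still succeeds, just at a wrong address inside the cage, which is why the entries pair caging with keeping only one kind of data (JSValues, or typed-array storage) per cage. Second, the cage base is a process-wide constant added to every caged access, which is exactly the large constant the B3 entry wants hoisted rather than reassociated; the real code also lets null pointers pass through (the cagedMayBeNull case in the FTL entry), which this model omits.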
3867
3868 2017-08-08  Devin Rousso  <drousso@apple.com>
3869
3870         Web Inspector: Canvas: support editing WebGL shaders
3871         https://bugs.webkit.org/show_bug.cgi?id=124211
3872         <rdar://problem/15448958>
3873
3874         Reviewed by Matt Baker.
3875
3876         * inspector/protocol/Canvas.json:
3877         Add `updateShader` command that will change the given shader's source to the provided string,
3878         recompile, and relink it to its associated program.
3879         Drive-by: add description to `requestShaderSource` command.
3880
3881 2017-08-08  Robin Morisset  <rmorisset@apple.com>
3882
3883         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
3884         https://bugs.webkit.org/show_bug.cgi?id=175347
3885
3886         Reviewed by Saam Barati.
3887
3888         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
3889         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
3890         negligible considering how much more finishCreation does.
3891         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
3892         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
3893
3894         * bytecode/CodeBlock.cpp:
3895         (JSC::CodeBlock::finishCreation):
3896         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
3897         (JSC::CodeBlock::setConstantRegisters):
3898         * bytecode/CodeBlock.h:
3899         * runtime/ScriptExecutable.cpp:
3900         (JSC::ScriptExecutable::newCodeBlockFor):
3901
3902 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
3903
3904         Unreviewed, fix Ubuntu LTS build
3905         https://bugs.webkit.org/show_bug.cgi?id=174490
3906
3907         * inspector/remote/glib/RemoteInspectorGlib.cpp:
3908         * inspector/remote/glib/RemoteInspe