Unreviewed, forgot to add { }
2017-12-14  Keith Miller  <keith_miller@apple.com>

        Unreviewed, forgot to add { }

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2017-12-14  Keith Miller  <keith_miller@apple.com>

        Fix assertion in JSObject's structure setting methods
        https://bugs.webkit.org/show_bug.cgi?id=180840

        Reviewed by Mark Lam.

        I forgot that when Typed Arrays have non-indexed properties
        added to them, they call the generic code. The generic code
        in turn calls the regular structure setting methods. Thus,
        these assertions were invalid and we should just avoid setting
        the indexing mask if we have a Typed Array.

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r225695): Repro crash on yahoo login page
        https://bugs.webkit.org/show_bug.cgi?id=180761

        Reviewed by JF Bastien.

        Relanding r225695 with a fix.

        The fix is that we need to save the return address for parentheses in
        the ParenContext because it is actually used by any immediately contained
        alternatives.

        Also did a little refactoring, changing occurrences of PatternContext to
        ParenContext since that is the name of the structure.

        * runtime/RegExp.cpp:
        (JSC::byteCodeCompilePattern):
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * testRegExp.cpp:
        (parseRegExpLine):
        (runFromFiles):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
        (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
        (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
        (JSC::Yarr::YarrGenerator::initParenContextFreeList):
        (JSC::Yarr::YarrGenerator::allocateParenContext):
        (JSC::Yarr::YarrGenerator::freeParenContext):
        (JSC::Yarr::YarrGenerator::saveParenContext):
        (JSC::Yarr::YarrGenerator::restoreParenContext):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::storeToFrame):
        (JSC::Yarr::YarrGenerator::generateJITFailReturn):
        (JSC::Yarr::YarrGenerator::clearMatches):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::dumpCharacterClass):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::containsAnyCaptures):
        (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
        (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
        (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
        (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.

2017-12-13  Keith Miller  <keith_miller@apple.com>

        JSObjects should have a mask for loading indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=180768

        Reviewed by Mark Lam.

        This patch adds a new member to JSObject that holds an indexing
        mask.  The indexing mask is bitwise anded with the index used to
        load a property.  If for whatever reason an attacker is able to
        clobber the vectorLength of our butterfly they still won't be able
        to read substantially past the end of the butterfly. For
        performance reasons we don't use the indexing masking for
        TypedArrays. Since TypedArrays are already gigacaged the risk of
        wild reads is still restricted.

        This patch is a <1% regression on Speedometer and ~3% regression
        on JetStream in my testing.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::urshiftPtr):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::baseIndex):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
        (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        (JSC::AssemblyHelpers::storeButterfly): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::availableVectorLength):
        * runtime/Butterfly.h:
        (JSC::ContiguousData::ContiguousData):
        (JSC::ContiguousData::at const):
        (JSC::ContiguousData::at):
        (JSC::Butterfly::publicLength const):
        (JSC::Butterfly::vectorLength const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength):
        (JSC::Butterfly::computeIndexingMask):
        (JSC::Butterfly::contiguousInt32):
        (JSC::ContiguousData::operator[] const): Deleted.
        (JSC::ContiguousData::operator[]): Deleted.
        (JSC::Butterfly::publicLength): Deleted.
        (JSC::Butterfly::vectorLength): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::ContiguousData<T>::at const):
        (JSC::ContiguousData<T>::at):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::createFromArray):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::getEnumerableLength):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterflyIndexingMaskOffset):
        (JSC::JSObject::butterflyIndexingMask const):
        (JSC::JSObject::setButterflyWithIndexingMask):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        (JSC::JSObject::JSObject):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):

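        The following is an added C++ model of the butterfly indexing mask described in the
        2017-12-13 Keith Miller entry above; it is editorial illustration, not JSC code. It assumes
        the mask is the smallest all-ones value covering every valid index of the vector (the names
        computeIndexingMask, SimHeap, loadUnmasked, loadMasked and clobberedReadScenario are
        hypothetical), and shows why a clobbered vectorLength can no longer drive a fast-path load
        far past the allocation: the mask bounds the read to within 2x of the genuine vectorLength.

```cpp
#include <cstdint>
#include <cstddef>
#include <vector>

// Added model (not JSC code) of the butterfly indexing mask. Assumption: the
// mask is the smallest all-ones value that covers every valid index, so for
// any index, index & mask < 2 * vectorLength.
uint32_t computeIndexingMask(uint32_t vectorLength)
{
    uint32_t mask = 0;
    while (static_cast<uint64_t>(mask) + 1 < vectorLength)
        mask = (mask << 1) | 1;
    return mask;
}

// Constructed sample heap: the butterfly's vector occupies the first
// kVectorLength slots (values 100..104); every later slot holds -1 and stands
// in for a neighbouring allocation that a wild read must not reach.
constexpr uint32_t kVectorLength = 5;
constexpr size_t kHeapSlots = 64;

struct SimHeap {
    std::vector<int32_t> slots;
    SimHeap() : slots(kHeapSlots, -1)
    {
        for (uint32_t i = 0; i < kVectorLength; ++i)
            slots[i] = 100 + static_cast<int32_t>(i);
    }
};

// Header fields as the fast paths see them. vectorLength is the field the
// entry assumes may be clobbered; the mask lives on the object and is computed
// from the genuine length when the butterfly is installed.
struct Butterfly { uint32_t vectorLength; size_t base; };
struct JSObjectModel { Butterfly butterfly; uint32_t indexingMask; };

JSObjectModel makeObject()
{
    JSObjectModel o;
    o.butterfly = { kVectorLength, 0 };
    o.indexingMask = computeIndexingMask(kVectorLength);
    return o;
}

// Fast-path load before the patch: the bounds check trusts vectorLength.
// Returns false when the index fails the check or would leave the simulated heap.
bool loadUnmasked(const SimHeap& heap, const JSObjectModel& o, uint32_t index, int32_t& out)
{
    if (index >= o.butterfly.vectorLength)
        return false;
    size_t slot = o.butterfly.base + index;
    if (slot >= heap.slots.size())
        return false;
    out = heap.slots[slot];
    return true;
}

// Fast-path load after the patch: same check, but the index is ANDed with the
// mask before the load, so a fooled bounds check still cannot reach far.
bool loadMasked(const SimHeap& heap, const JSObjectModel& o, uint32_t index, int32_t& out)
{
    if (index >= o.butterfly.vectorLength)
        return false;
    size_t slot = o.butterfly.base + (index & o.indexingMask);
    if (slot >= heap.slots.size())
        return false;
    out = heap.slots[slot];
    return true;
}

// Outcome of one read through each path after vectorLength has been replaced
// by bogusVectorLength. A value of -1 means "read a neighbouring allocation".
struct Outcome { bool unmaskedOk; int32_t unmasked; bool maskedOk; int32_t masked; };

Outcome clobberedReadScenario(uint32_t bogusVectorLength, uint32_t index)
{
    SimHeap heap;
    JSObjectModel o = makeObject();               // mask derived from the real length 5
    o.butterfly.vectorLength = bogusVectorLength; // simulated header corruption
    Outcome r { false, 0, false, 0 };
    r.unmaskedOk = loadUnmasked(heap, o, index, r.unmasked);
    r.maskedOk = loadMasked(heap, o, index, r.masked);
    return r;
}

// The guarantee the mitigation gives: for every vectorLength and index,
// index & mask < 2 * vectorLength. It bounds the read; it is not a bounds check.
bool maskedIndexStaysNearVector(uint32_t vectorLength, uint32_t index)
{
    uint64_t bound = vectorLength ? 2ull * vectorLength : 1;
    return (index & computeIndexingMask(vectorLength)) < bound;
}
```

        Note that the mask is not a substitute for the bounds check: with vectorLength 5 the mask is 7, so
        index 6 still reads one slot past the vector, just never "substantially past" it.
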
276 2017-12-14  David Kilzer  <ddkilzer@apple.com>
277
278         REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project
279
280         Fixes the following warning during builds:
281
282             Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h
283
284         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
285         entries for JSCPoisonedPtr.h.
286
287 2017-12-14  David Kilzer  <ddkilzer@apple.com>
288
289         REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
290         <https://bugs.webkit.org/show_bug.cgi?id=180738>
291
292         * runtime/InferredValue.h: Attempt to fix build by adding
293         missing #include statements.
294
295 2017-12-13  Filip Pizlo  <fpizlo@apple.com>
296
297         Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
298         https://bugs.webkit.org/show_bug.cgi?id=180783
299
300         Reviewed by Saam Barati.
301         
302         This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:
303         
304             BB#1:
305                 a: Load(@x)
306                 b: Load(@x)
307                 c: Load(@b)
308             BB#2:
309                 d: Load(@b)
310             BB#3:
311                 e: Load(@b)
312         
313         Lets assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
314         with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
315         this:
316
317             BB#1:
318                 a: Load(@x)
319                 b: Load(@x)
320                 c: Load(@a)
321                 memoryAtTail: {@x=>@a, @a=>@c}
322             BB#2:
323                 d: Load(@a) [sic]
324                 memoryAtTail: {@b=>@d}
325             BB#3:
326                 e: Load(@b)
327                 memoryAtTail: {@b=>@e} [sic]
328         
329         Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
330         But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
331         map, we don't find it and leave the redundancy.
332         
333         I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
334         this. It fixes the richards regression, since richards is super dependent on B3 CSE.
335
336         * b3/B3EliminateCommonSubexpressions.cpp: Logging.
337         * b3/B3Generate.cpp:
338         (JSC::B3::generateToAir): Fix the bug.
339         * b3/air/AirReportUsedRegisters.cpp:
340         (JSC::B3::Air::reportUsedRegisters): Logging.
341         * dfg/DFGByteCodeParser.cpp:
342         * dfg/DFGSSAConversionPhase.cpp:
343         (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
344         * ftl/FTLLowerDFGToB3.cpp:
345         (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
346
347 2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>
348
349         REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
350         https://bugs.webkit.org/show_bug.cgi?id=180787
351         <rdar://problem/35934838>
352
353         Reviewed by Brian Burg.
354
355         * inspector/ContentSearchUtilities.cpp:
356         (Inspector::ContentSearchUtilities::findMagicComment):
357         For empty / null strings just return. There is no use
358         trying to search them for a long common syntax.
359
360 2017-12-13  Saam Barati  <sbarati@apple.com>
361
362         Arrow functions need their own structure because they have different properties than sloppy functions
363         https://bugs.webkit.org/show_bug.cgi?id=180779
364         <rdar://problem/35814591>
365
366         Reviewed by Mark Lam.
367
368         We were using the same structure for sloppy functions and
369         arrow functions. This broke our IC caching machinery because
370         these two types of functions actually have different properties.
371         This patch gives them different structures.
372
373         * dfg/DFGAbstractInterpreterInlines.h:
374         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
375         * dfg/DFGSpeculativeJIT.cpp:
376         (JSC::DFG::SpeculativeJIT::compileNewFunction):
377         * ftl/FTLLowerDFGToB3.cpp:
378         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
379         * runtime/FunctionConstructor.cpp:
380         (JSC::constructFunctionSkippingEvalEnabledCheck):
381         * runtime/JSFunction.cpp:
382         (JSC::JSFunction::selectStructureForNewFuncExp):
383         (JSC::JSFunction::create):
384         * runtime/JSFunction.h:
385         * runtime/JSFunctionInlines.h:
386         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
387         * runtime/JSGlobalObject.cpp:
388         (JSC::JSGlobalObject::init):
389         (JSC::JSGlobalObject::visitChildren):
390         * runtime/JSGlobalObject.h:
391         (JSC::JSGlobalObject::arrowFunctionStructure const):
392
393 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
394
395         InferredValue should use IsoSubspace
396         https://bugs.webkit.org/show_bug.cgi?id=180738
397
398         Reviewed by Keith Miller.
399         
400         This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
401         its UnconditionalFinalizer.
402
403         * JavaScriptCore.xcodeproj/project.pbxproj:
404         * heap/Heap.cpp:
405         (JSC::Heap::finalizeUnconditionalFinalizers):
406         * runtime/InferredValue.cpp:
407         (JSC::InferredValue::visitChildren):
408         (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
409         (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
410         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
411         * runtime/InferredValue.h:
412         (JSC::InferredValue::subspaceFor):
413         * runtime/InferredValueInlines.h: Added.
414         (JSC::InferredValue::finalizeUnconditionally):
415         * runtime/VM.cpp:
416         (JSC::VM::VM):
417         * runtime/VM.h:
418
419 2017-12-13  Devin Rousso  <webkit@devinrousso.com>
420
421         Web Inspector: add instrumentation for ImageBitmapRenderingContext
422         https://bugs.webkit.org/show_bug.cgi?id=180736
423
424         Reviewed by Joseph Pecoraro.
425
426         * inspector/protocol/Canvas.json:
427         * inspector/scripts/codegen/generator.py:
428
429 2017-12-13  Saam Barati  <sbarati@apple.com>
430
431         Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
432         https://bugs.webkit.org/show_bug.cgi?id=180771
433
434         Reviewed by JF Bastien.
435
436         * dfg/DFGTypeCheckHoistingPhase.cpp:
437         (JSC::DFG::TypeCheckHoistingPhase::run):
438
439 2017-12-13  Saam Barati  <sbarati@apple.com>
440
441         REGRESSION(r225844): Around 850 new JSC failures on 32-bit
442         https://bugs.webkit.org/show_bug.cgi?id=180764
443
444         Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.
445
446         * dfg/DFGTypeCheckHoistingPhase.cpp:
447         (JSC::DFG::TypeCheckHoistingPhase::run):
448
449 2017-12-13  Michael Saboff  <msaboff@apple.com>
450
451         Unreviewed rollout of r225695. Caused a crash on yahoo login page.
452
453         That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.
454
455         * runtime/RegExp.cpp:
456         (JSC::RegExp::compile):
457         (JSC::RegExp::compileMatchOnly):
458         (JSC::byteCodeCompilePattern): Deleted.
459         (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
460         * runtime/RegExp.h:
461         * runtime/RegExpInlines.h:
462         (JSC::RegExp::matchInline):
463         * testRegExp.cpp:
464         (parseRegExpLine):
465         (runFromFiles):
466         * yarr/Yarr.h:
467         * yarr/YarrInterpreter.cpp:
468         (JSC::Yarr::ByteCompiler::compile):
469         (JSC::Yarr::ByteCompiler::dumpDisjunction):
470         (JSC::Yarr::ByteCompiler::emitDisjunction):
471         * yarr/YarrJIT.cpp:
472         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
473         (JSC::Yarr::YarrGenerator::generate):
474         (JSC::Yarr::YarrGenerator::backtrack):
475         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
476         (JSC::Yarr::YarrGenerator::generateEnter):
477         (JSC::Yarr::YarrGenerator::generateReturn):
478         (JSC::Yarr::YarrGenerator::YarrGenerator):
479         (JSC::Yarr::YarrGenerator::compile):
480         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
481         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
482         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
483         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
484         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
485         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
486         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
487         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
488         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
489         (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
490         (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
491         (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
492         (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
493         (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
494         (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
495         (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
496         * yarr/YarrJIT.h:
497         (JSC::Yarr::YarrCodeBlock::execute):
498         * yarr/YarrPattern.cpp:
499         (JSC::Yarr::indentForNestingLevel):
500         (JSC::Yarr::dumpUChar32):
501         (JSC::Yarr::PatternTerm::dump):
502         (JSC::Yarr::YarrPattern::dumpPattern):
503         (JSC::Yarr::dumpCharacterClass): Deleted.
504         * yarr/YarrPattern.h:
505         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
506         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
507         (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
508         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
509         (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
510         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
511         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
512         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
513
514 2017-12-13  Mark Lam  <mark.lam@apple.com>
515
516         Fill out some Poisoned APIs, fix some bugs, and add some tests.
517         https://bugs.webkit.org/show_bug.cgi?id=180724
518         <rdar://problem/36006884>
519
520         Reviewed by JF Bastien.
521
522         * runtime/StructureTransitionTable.h:
523
524 2017-12-13  Caio Lima  <ticaiolima@gmail.com>
525
526         [ESNext][BigInt] Breking tests on Debug build and 32-bits due to missing Exception check
527         https://bugs.webkit.org/show_bug.cgi?id=180746
528
529         Reviewed by Saam Barati.
530
531         We have some uncatched exceptions that could happen due to OOM into
532         JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patching is
533         catching such exceptions properly.
534
535         * runtime/JSBigInt.cpp:
536         (JSC::JSBigInt::allocateFor):
537         (JSC::JSBigInt::parseInt):
538         * runtime/JSCJSValue.cpp:
539         (JSC::JSValue::toStringSlowCase const):
540
541 2017-12-13  Saam Barati  <sbarati@apple.com>
542
543         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
544         https://bugs.webkit.org/show_bug.cgi?id=163579
545         <rdar://problem/35455798>
546
547         Reviewed by Mark Lam.
548
549         Some functions in JavaScript do not have the "caller" and "arguments" properties.
550         For example, strict functions do not. When reading our code that dealt with these
551         types of functions, it was simply all wrong. We were doing weird things depending
552         on the method table hook. This patch fixes this by doing what we should've been
553         doing all along: when the JSFunction does not own the "caller"/"arguments" property,
554         it should defer to its base class implementation for the various method table hooks.
555
556         * runtime/JSFunction.cpp:
557         (JSC::JSFunction::put):
558         (JSC::JSFunction::deleteProperty):
559         (JSC::JSFunction::defineOwnProperty):
560
561 2017-12-13  Saam Barati  <sbarati@apple.com>
562
563         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
564         https://bugs.webkit.org/show_bug.cgi?id=180734
565         <rdar://problem/35640547>
566
567         Reviewed by Yusuke Suzuki.
568
569         The |this| value may be TDZ. If type check hoisting phase
570         hoists a CheckStructure to it, it will crash. This patch
571         makes it so we emit CheckStructureOrEmpty for |this|.
572
573         * dfg/DFGTypeCheckHoistingPhase.cpp:
574         (JSC::DFG::TypeCheckHoistingPhase::run):
575
576 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
577
578         [JSC] Optimize Object.assign by single transition acceleration
579         https://bugs.webkit.org/show_bug.cgi?id=180644
580
581         Reviewed by Saam Barati.
582
583         Handling single transition is critical. Since this get() function is only used
584         in Structure.cpp's 2 functions and it is quite small, we can annotate `inline`
585         to accelerate it.
586
587         This improves SixSpeed/object-assign.es6 by 2.8%.
588
589                                     baseline                  patched
590
591         object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster
592
593         * runtime/Structure.cpp:
594         (JSC::StructureTransitionTable::get const):
595
596 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
597
598         Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
599         https://bugs.webkit.org/show_bug.cgi?id=180732
600
601         Rubber stamped by Mark Lam.
602         
603         We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
604         scalable enough to support that, so we should do it carefully.
605
606         * heap/MarkedSpace.cpp:
607         * runtime/PropertyMapHashTable.h:
608         * runtime/Structure.h:
609         * runtime/StructureRareData.h:
610         * runtime/VM.cpp:
611         (JSC::VM::VM):
612         * runtime/VM.h:
613
614 2017-12-12  Saam Barati  <sbarati@apple.com>
615
616         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
617         https://bugs.webkit.org/show_bug.cgi?id=180725
618         <rdar://problem/35970511>
619
620         Reviewed by Michael Saboff.
621
622         * dfg/DFGClobberize.h:
623         (JSC::DFG::clobberize):
624         * dfg/DFGPreciseLocalClobberize.h:
625         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
626
627 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
628
629         [JSC] Implement optimized WeakMap and WeakSet
630         https://bugs.webkit.org/show_bug.cgi?id=179929
631
632         Reviewed by Saam Barati.
633
634         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
635         This is similar to HashMapImpl. But,
636
637         1. WeakMapImpl's bucket is not allocated in GC heap since WeakMap
638         do not need to have iterators.
639
640         2. WeakMapImpl's buffer is allocated in JSValue Gigacage instead
641         of auxiliary buffer. This is because we would like to allocate buffer
642         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
643         shrink it if necessary. However, allocating from the GC heap during
644         finalization is not allowed.
645
646         In particular, (2) is important since it ensures any WeakMap operations
647         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
648         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
649         do not cause GC makes our implementation simple. To ensure this, we place
650         DisallowGC for each WeakMap's interface.
651
652         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
653         WeakMapGet looks up entry in WeakMapImpl and returns value. If it is
654         WeakMap, it returns value. And it returns key if it is WeakSet. If it
655         does not find a corresponding entry, it returns JSEmpty.
656         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
657
658         This patch improves WeakMap and WeakSet operations.
659
660                                      baseline                  patched
661
662             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
663             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
664
665         * JavaScriptCore.xcodeproj/project.pbxproj:
666         * Sources.txt:
667         * dfg/DFGAbstractHeap.h:
668         * dfg/DFGAbstractInterpreterInlines.h:
669         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
670         * dfg/DFGByteCodeParser.cpp:
671         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
672         * dfg/DFGClobberize.h:
673         (JSC::DFG::clobberize):
674         * dfg/DFGDoesGC.cpp:
675         (JSC::DFG::doesGC):
676         * dfg/DFGFixupPhase.cpp:
677         (JSC::DFG::FixupPhase::fixupNode):
678         * dfg/DFGNode.h:
679         (JSC::DFG::Node::hasHeapPrediction):
680         * dfg/DFGNodeType.h:
681         * dfg/DFGOperations.cpp:
682         * dfg/DFGOperations.h:
683         * dfg/DFGPredictionPropagationPhase.cpp:
684         * dfg/DFGSafeToExecute.h:
685         (JSC::DFG::safeToExecute):
686         * dfg/DFGSpeculativeJIT.cpp:
687         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
688         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
689         * dfg/DFGSpeculativeJIT.h:
690         * dfg/DFGSpeculativeJIT32_64.cpp:
691         (JSC::DFG::SpeculativeJIT::compile):
692         * dfg/DFGSpeculativeJIT64.cpp:
693         (JSC::DFG::SpeculativeJIT::compile):
694         * ftl/FTLAbstractHeapRepository.h:
695         * ftl/FTLCapabilities.cpp:
696         (JSC::FTL::canCompile):
697         * ftl/FTLLowerDFGToB3.cpp:
698         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
699         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
700         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
701         * inspector/JSInjectedScriptHost.cpp:
702         (Inspector::JSInjectedScriptHost::weakMapEntries):
703         (Inspector::JSInjectedScriptHost::weakSetEntries):
704         The existing code is incorrect: it can run GC and break WeakMap's iterator.
705         We introduce takeSnapshot function to WeakMapImpl, which retrieves live
706         entries without causing any GC.
707
708         * runtime/HashMapImpl.h:
709         (JSC::shouldShrink):
710         (JSC::shouldRehashAfterAdd):
711         (JSC::nextCapacity):
712         (JSC::HashMapImpl::shouldRehashAfterAdd const):
713         (JSC::HashMapImpl::shouldShrink const):
714         (JSC::HashMapImpl::rehash):
715         (JSC::WeakMapHash::hash): Deleted.
716         (JSC::WeakMapHash::equal): Deleted.
717         * runtime/Intrinsic.cpp:
718         (JSC::intrinsicName):
719         * runtime/Intrinsic.h:
720         * runtime/JSWeakMap.cpp:
721         * runtime/JSWeakMap.h:
722         * runtime/JSWeakSet.cpp:
723         * runtime/JSWeakSet.h:
724         * runtime/VM.cpp:
725         * runtime/WeakGCMap.h:
726         (JSC::WeakGCMap::forEach): Deleted.
727         * runtime/WeakMapBase.cpp: Removed.
728         * runtime/WeakMapBase.h: Removed.
729         * runtime/WeakMapConstructor.cpp:
730         (JSC::constructWeakMap):
731         * runtime/WeakMapImpl.cpp: Added.
732         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
733         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
734         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
735         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
736         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
737         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
738         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
739         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
740         * runtime/WeakMapImpl.h: Added.
741         (JSC::jsWeakMapHash):
742         (JSC::nextCapacityAfterRemoveBatching):
743         (JSC::WeakMapBucket::setKey):
744         (JSC::WeakMapBucket::setValue):
745         (JSC::WeakMapBucket::key const):
746         (JSC::WeakMapBucket::value const):
747         (JSC::WeakMapBucket::copyFrom):
748         (JSC::WeakMapBucket::offsetOfKey):
749         (JSC::WeakMapBucket::offsetOfValue):
750         (JSC::WeakMapBucket::extractValue):
751         (JSC::WeakMapBucket::isEmpty):
752         (JSC::WeakMapBucket::deletedKey):
753         (JSC::WeakMapBucket::isDeleted):
754         (JSC::WeakMapBucket::makeDeleted):
755         (JSC::WeakMapBucket::visitAggregate):
756         (JSC::WeakMapBucket::clearValue):
757         (JSC::WeakMapBuffer::allocationSize):
758         (JSC::WeakMapBuffer::buffer const):
759         (JSC::WeakMapBuffer::create):
760         (JSC::WeakMapBuffer::reset):
761         (JSC::WeakMapImpl::WeakMapImpl):
762         (JSC::WeakMapImpl::finishCreation):
763         (JSC::WeakMapImpl::get):
764         (JSC::WeakMapImpl::has):
765         (JSC::WeakMapImpl::add):
766         (JSC::WeakMapImpl::remove):
767         (JSC::WeakMapImpl::size const):
768         (JSC::WeakMapImpl::offsetOfBuffer):
769         (JSC::WeakMapImpl::offsetOfCapacity):
770         (JSC::WeakMapImpl::findBucket):
771         (JSC::WeakMapImpl::buffer const):
772         (JSC::WeakMapImpl::forEach):
773         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
774         (JSC::WeakMapImpl::shouldShrink const):
775         (JSC::WeakMapImpl::canUseBucket):
776         (JSC::WeakMapImpl::addInternal):
777         (JSC::WeakMapImpl::findBucketAlreadyHashed):
778         (JSC::WeakMapImpl::rehash):
779         (JSC::WeakMapImpl::checkConsistency const):
780         (JSC::WeakMapImpl::makeAndSetNewBuffer):
781         (JSC::WeakMapImpl::assertBufferIsEmpty const):
782         (JSC::WeakMapImpl::DeadKeyCleaner::target):
783         * runtime/WeakMapPrototype.cpp:
784         (JSC::WeakMapPrototype::finishCreation):
785         (JSC::protoFuncWeakMapGet):
786         (JSC::protoFuncWeakMapHas):
787         * runtime/WeakSetConstructor.cpp:
788         (JSC::constructWeakSet):
789         * runtime/WeakSetPrototype.cpp:
790         (JSC::WeakSetPrototype::finishCreation):
791         (JSC::protoFuncWeakSetHas):
792         (JSC::protoFuncWeakSetAdd):
793
794 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
795
796         It should be possible to flag a cell for unconditional finalization
797         https://bugs.webkit.org/show_bug.cgi?id=180636
798
799         Reviewed by Saam Barati.
800         
801         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
802         global linked list - but they had some nice properties:
803         
804         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
805           survived and needed it.
806             -> Just needing it wasn't enough.
807             -> Just surviving wasn't enough.
808         
809         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
810         finalizer logic to be invoked. I think that's not great. InferredType got around this by
811         making InferredStructure a cell, but this was a gross hack. For one, it meant that
812         InferredStructure would survive during the GC in which its finalizer obviated the need for its
813         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
814         thing that turns out to be subtly broken.
815         
816         We really need to have a way of indicating when you have entered into the state that requires
817         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
818         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
819         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
820         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
821         another level to say which atoms within a MarkedBlock have unconditional finalizers.
822         
823         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
824         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
825         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
826         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
827         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
828         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
829         it makes sense to have a handful per subspace max. This change only needs one per subspace,
830         but you could imagine more if we do this for WeakReferenceHarvester.
831         
832         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
833         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
834         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
835         both survive and need it for the hardest work to take place. The work of adding does involve
836         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
837         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
838         However, it's perfect for running in parallel since the only write operations are to widely
839         dispersed cache lines that contain the bits underlying the set.
840         
841         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
842         that need unconditional finalizers, and only touches the memory of marked objects that have
843         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
844         previously found that this speeds up walking over a lot of objects when I made similar changes
845         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
846         HashSet).
847         
848         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
849         
850         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
851         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
852         IsoSubspace in more places.
853
854         * JavaScriptCore.xcodeproj/project.pbxproj:
855         * Sources.txt:
856         * heap/AtomIndices.h: Added.
857         (JSC::AtomIndices::AtomIndices):
858         * heap/Heap.cpp:
859         (JSC::Heap::finalizeUnconditionalFinalizers):
860         * heap/Heap.h:
861         * heap/IsoCellSet.cpp: Added.
862         (JSC::IsoCellSet::IsoCellSet):
863         (JSC::IsoCellSet::~IsoCellSet):
864         (JSC::IsoCellSet::addSlow):
865         (JSC::IsoCellSet::didResizeBits):
866         (JSC::IsoCellSet::didRemoveBlock):
867         (JSC::IsoCellSet::sweepToFreeList):
868         * heap/IsoCellSet.h: Added.
869         * heap/IsoCellSetInlines.h: Added.
870         (JSC::IsoCellSet::add):
871         (JSC::IsoCellSet::remove):
872         (JSC::IsoCellSet::contains const):
873         (JSC::IsoCellSet::forEachMarkedCell):
874         * heap/IsoSubspace.cpp:
875         (JSC::IsoSubspace::didResizeBits):
876         (JSC::IsoSubspace::didRemoveBlock):
877         (JSC::IsoSubspace::didBeginSweepingToFreeList):
878         * heap/IsoSubspace.h:
879         * heap/MarkedAllocator.cpp:
880         (JSC::MarkedAllocator::addBlock):
881         (JSC::MarkedAllocator::removeBlock):
882         * heap/MarkedAllocator.h:
883         * heap/MarkedAllocatorInlines.h:
884         * heap/MarkedBlock.cpp:
885         (JSC::MarkedBlock::Handle::sweep):
886         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
887         * heap/MarkedBlock.h:
888         (JSC::MarkedBlock::marks const):
889         (JSC::MarkedBlock::Handle::newlyAllocated const):
890         * heap/MarkedBlockInlines.h:
891         (JSC::MarkedBlock::Handle::isAllocated):
892         (JSC::MarkedBlock::Handle::isEmpty):
893         (JSC::MarkedBlock::Handle::emptyMode):
894         (JSC::MarkedBlock::Handle::forEachMarkedCell):
895         * heap/Subspace.cpp:
896         (JSC::Subspace::didResizeBits):
897         (JSC::Subspace::didRemoveBlock):
898         (JSC::Subspace::didBeginSweepingToFreeList):
899         * heap/Subspace.h:
900         * heap/SubspaceInlines.h:
901         (JSC::Subspace::forEachMarkedCell):
902         * runtime/InferredStructure.cpp:
903         (JSC::InferredStructure::InferredStructure):
904         (JSC::InferredStructure::create): Deleted.
905         (JSC::InferredStructure::destroy): Deleted.
906         (JSC::InferredStructure::createStructure): Deleted.
907         (JSC::InferredStructure::visitChildren): Deleted.
908         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
909         (JSC::InferredStructure::finishCreation): Deleted.
910         * runtime/InferredStructure.h:
911         * runtime/InferredStructureWatchpoint.cpp:
912         (JSC::InferredStructureWatchpoint::fireInternal):
913         * runtime/InferredType.cpp:
914         (JSC::InferredType::visitChildren):
915         (JSC::InferredType::willStoreValueSlow):
916         (JSC::InferredType::makeTopSlow):
917         (JSC::InferredType::set):
918         (JSC::InferredType::removeStructure):
919         (JSC::InferredType::finalizeUnconditionally):
920         * runtime/InferredType.h:
921         * runtime/VM.cpp:
922         (JSC::VM::VM):
923         * runtime/VM.h:
924
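The two-level bit set sketched in the entry above, as an added illustration that is not WebKit code: a summary bit per block plus one word of atom bits per block, a load-then-CAS add, and a forEachMarkedCell that skips blocks with no members and visits only atoms that are both marked and in the set. The names (CellSet, Block, kAtomsPerBlock, sweep, the demo functions) and the fixed 64 atoms per block are this example's own assumptions; JSC's real IsoCellSet is coupled to a MarkedAllocator and sized to each block's actual cell count.

```cpp
#include <atomic>
#include <bitset>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

// Assumption of this example: 64 atoms per block, so one 64-bit word of set bits per block.
constexpr size_t kAtomsPerBlock = 64;

// A block's mark bits, as a collector's marking phase would have left them (constructed here).
struct Block { std::bitset<kAtomsPerBlock> marks; };

class CellSet {
public:
    explicit CellSet(size_t blockCount)
        : m_blockHasMembers(blockCount), m_atomBits(blockCount) { }

    // Adds a cell with a load-then-CAS, so it is safe from any thread as long as
    // forEachMarkedCell() is not running. Returns true if the cell was newly added.
    bool add(size_t block, size_t atom)
    {
        std::atomic<uint64_t>& word = m_atomBits[block];
        const uint64_t bit = uint64_t(1) << atom;
        uint64_t old = word.load(std::memory_order_relaxed);
        while (!(old & bit)) {
            if (word.compare_exchange_weak(old, old | bit, std::memory_order_acq_rel)) {
                m_blockHasMembers[block].store(true, std::memory_order_release); // summary bit
                return true;
            }
        }
        return false; // another caller already added it
    }

    bool contains(size_t block, size_t atom) const
    {
        return m_atomBits[block].load(std::memory_order_acquire) & (uint64_t(1) << atom);
    }

    // Visits members that are also marked, in address order, skipping blocks whose
    // summary bit is clear and never touching the memory of unmarked cells.
    void forEachMarkedCell(const std::vector<Block>& blocks,
        const std::function<void(size_t, size_t)>& func) const
    {
        for (size_t block = 0; block < blocks.size(); ++block) {
            if (!m_blockHasMembers[block].load(std::memory_order_acquire))
                continue;
            uint64_t live = m_atomBits[block].load(std::memory_order_acquire)
                & blocks[block].marks.to_ullong();
            for (size_t atom = 0; live; ++atom, live >>= 1) {
                if (live & 1)
                    func(block, atom);
            }
        }
    }

    // Sweep step: unmarked members are dead, so drop their bits and refresh the summary bit.
    void sweep(size_t block, const Block& swept)
    {
        uint64_t remaining = m_atomBits[block].load(std::memory_order_relaxed)
            & swept.marks.to_ullong();
        m_atomBits[block].store(remaining, std::memory_order_relaxed);
        m_blockHasMembers[block].store(remaining != 0, std::memory_order_relaxed);
    }

private:
    std::vector<std::atomic<bool>> m_blockHasMembers;
    std::vector<std::atomic<uint64_t>> m_atomBits;
};

// Constructed scenario: members at (1,5), (1,7) and (2,3); marking survived only
// (1,5) and (2,3), so the dead (1,7) must not be visited and block 0 is skipped.
std::vector<std::pair<size_t, size_t>> demoVisited()
{
    std::vector<Block> blocks(3);
    blocks[1].marks.set(5);
    blocks[2].marks.set(3);
    CellSet set(3);
    set.add(1, 5);
    set.add(1, 7);
    set.add(2, 3);
    std::vector<std::pair<size_t, size_t>> visited;
    set.forEachMarkedCell(blocks, [&](size_t b, size_t a) { visited.emplace_back(b, a); });
    return visited;
}

bool demoAddIsIdempotent()
{
    CellSet set(1);
    bool first = set.add(0, 9);
    bool second = set.add(0, 9);
    return first && !second && set.contains(0, 9);
}

bool demoSweepDropsDead()
{
    CellSet set(1);
    set.add(0, 1);
    set.add(0, 2);
    Block swept;
    swept.marks.set(1); // only atom 1 survived marking
    set.sweep(0, swept);
    return set.contains(0, 1) && !set.contains(0, 2);
}
```

The summary bit is only ever set by add and only recomputed by sweep, which is why forEachMarkedCell can trust a clear bit to mean "nothing here" while a stale set bit costs no more than one extra word load.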
925 2017-12-12  Saam Barati  <sbarati@apple.com>
926
927         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
928         https://bugs.webkit.org/show_bug.cgi?id=180723
929         <rdar://problem/35859726>
930
931         Reviewed by JF Bastien.
932
933         * dfg/DFGConstantFoldingPhase.cpp:
934         (JSC::DFG::ConstantFoldingPhase::foldConstants):
935
936 2017-12-04  Brian Burg  <bburg@apple.com>
937
938         Web Inspector: modernize InjectedScript a bit
939         https://bugs.webkit.org/show_bug.cgi?id=180367
940
941         Reviewed by Timothy Hatcher.
942
943         Stop using out parameters passed by pointer, use references instead.
944         Stop using OptOutput<T> in favor of std::optional where possible.
945         If there is only one out-parameter and a void return type, then return the value.
946
947         * inspector/InjectedScript.h:
948         * inspector/InjectedScript.cpp:
949         (Inspector::InjectedScript::evaluate):
950         (Inspector::InjectedScript::callFunctionOn):
951         (Inspector::InjectedScript::evaluateOnCallFrame):
952         (Inspector::InjectedScript::getFunctionDetails):
953         (Inspector::InjectedScript::functionDetails):
954         (Inspector::InjectedScript::getPreview):
955         (Inspector::InjectedScript::getProperties):
956         (Inspector::InjectedScript::getDisplayableProperties):
957         (Inspector::InjectedScript::getInternalProperties):
958         (Inspector::InjectedScript::getCollectionEntries):
959         (Inspector::InjectedScript::saveResult):
960         (Inspector::InjectedScript::setExceptionValue):
961         (Inspector::InjectedScript::clearExceptionValue):
962         (Inspector::InjectedScript::inspectObject):
963         (Inspector::InjectedScript::releaseObject):
964
965         * inspector/InjectedScriptBase.h:
966         * inspector/InjectedScriptBase.cpp:
967         (Inspector::InjectedScriptBase::InjectedScriptBase):
968         Declare m_environment with a default initializer.
969
970         (Inspector::InjectedScriptBase::makeCall):
971         (Inspector::InjectedScriptBase::makeEvalCall):
972         Just return the result, no need for an out-parameter.
973         Rearrange some code paths now that we can just return a result.
974         Return a Ref<JSON::Value> since it is either a result value or error value.
975         Use out_ prefixes in a few places to improve readability.
976
977         * inspector/agents/InspectorDebuggerAgent.cpp:
978         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
979         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
980         * inspector/agents/InspectorHeapAgent.cpp:
981         (Inspector::InspectorHeapAgent::getPreview):
982         * inspector/agents/InspectorRuntimeAgent.cpp:
983         (Inspector::InspectorRuntimeAgent::evaluate):
984         (Inspector::InspectorRuntimeAgent::callFunctionOn):
985         (Inspector::InspectorRuntimeAgent::getPreview):
986         (Inspector::InspectorRuntimeAgent::getProperties):
987         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
988         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
989         (Inspector::InspectorRuntimeAgent::saveResult):
990         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
991         and std::optional until the former is removed from generated method signatures.
992
993 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
994
995         [ESNext][BigInt] Implement BigInt literals and JSBigInt
996         https://bugs.webkit.org/show_bug.cgi?id=179000
997
998         Reviewed by Darin Adler and Yusuke Suzuki.
999
1000         This patch starts the implementation of BigInt primitive on
1001         JavaScriptCore. We are introducing BigInt primitive and
1002         implementing it on JSBigInt as a subclass of JSCell with [[BigIntData]]
1003         field implemented contiguously in memory as inline storage of JSBigInt to
1004         take advantage of the performance benefits of cache locality. The
1005         implementation allows 64 or 32 bitwise arithmetic operations.
1006         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1007         m_length that keeps track of BigInt length.
1008         The implementation is following the V8 one. [[BigIntData]] is manipulated
1009         by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1010         We also have some operations to support arithmetics over digits.
1011
1012         It is important to notice that on our representation,
1013         JSBigInt::dataStorage()[0] represents the least significant digit and
1014         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1015
1016         We are also introducing into this Patch the BigInt literals lexer and
1017         syntax parsing support. The operation Strict Equals on BigInts is also being
1018         implemented to enable tests.
1019         These features are being implemented behind a runtime flag "--useBigInt" and
1020         are disabled by default.
1021
1022         * JavaScriptCore.xcodeproj/project.pbxproj:
1023         * Sources.txt:
1024         * bytecode/CodeBlock.cpp:
1025         * bytecompiler/BytecodeGenerator.cpp:
1026         (JSC::BytecodeGenerator::emitEqualityOp):
1027         (JSC::BytecodeGenerator::addBigIntConstant):
1028         * bytecompiler/BytecodeGenerator.h:
1029         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1030         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1031         * bytecompiler/NodesCodegen.cpp:
1032         (JSC::BigIntNode::jsValue const):
1033         * dfg/DFGAbstractInterpreterInlines.h:
1034         (JSC::DFG::isToThisAnIdentity):
1035         * interpreter/Interpreter.cpp:
1036         (JSC::sizeOfVarargs):
1037         * llint/LLIntData.cpp:
1038         (JSC::LLInt::Data::performAssertions):
1039         * llint/LowLevelInterpreter.asm:
1040         * parser/ASTBuilder.h:
1041         (JSC::ASTBuilder::createBigInt):
1042         * parser/Lexer.cpp:
1043         (JSC::Lexer<T>::parseBinary):
1044         (JSC::Lexer<T>::parseOctal):
1045         (JSC::Lexer<T>::parseDecimal):
1046         (JSC::Lexer<T>::lex):
1047         (JSC::Lexer<T>::parseHex): Deleted.
1048         * parser/Lexer.h:
1049         * parser/NodeConstructors.h:
1050         (JSC::BigIntNode::BigIntNode):
1051         * parser/Nodes.h:
1052         (JSC::ExpressionNode::isBigInt const):
1053         (JSC::BigIntNode::value):
1054         * parser/Parser.cpp:
1055         (JSC::Parser<LexerType>::parsePrimaryExpression):
1056         * parser/ParserTokens.h:
1057         * parser/ResultType.h:
1058         (JSC::ResultType::definitelyIsBigInt const):
1059         (JSC::ResultType::mightBeBigInt const):
1060         (JSC::ResultType::isNotBigInt const):
1061         (JSC::ResultType::addResultType):
1062         (JSC::ResultType::bigIntType):
1063         (JSC::ResultType::forAdd):
1064         (JSC::ResultType::forLogicalOp):
1065         * parser/SyntaxChecker.h:
1066         (JSC::SyntaxChecker::createBigInt):
1067         * runtime/CommonIdentifiers.h:
1068         * runtime/JSBigInt.cpp: Added.
1069         (JSC::JSBigInt::visitChildren):
1070         (JSC::JSBigInt::JSBigInt):
1071         (JSC::JSBigInt::initialize):
1072         (JSC::JSBigInt::createStructure):
1073         (JSC::JSBigInt::createZero):
1074         (JSC::JSBigInt::allocationSize):
1075         (JSC::JSBigInt::createWithLength):
1076         (JSC::JSBigInt::finishCreation):
1077         (JSC::JSBigInt::toPrimitive const):
1078         (JSC::JSBigInt::singleDigitValueForString):
1079         (JSC::JSBigInt::parseInt):
1080         (JSC::JSBigInt::toString):
1081         (JSC::JSBigInt::isZero):
1082         (JSC::JSBigInt::inplaceMultiplyAdd):
1083         (JSC::JSBigInt::digitAdd):
1084         (JSC::JSBigInt::digitSub):
1085         (JSC::JSBigInt::digitMul):
1086         (JSC::JSBigInt::digitPow):
1087         (JSC::JSBigInt::digitDiv):
1088         (JSC::JSBigInt::internalMultiplyAdd):
1089         (JSC::JSBigInt::equalToBigInt):
1090         (JSC::JSBigInt::absoluteDivSmall):
1091         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1092         (JSC::JSBigInt::toStringGeneric):
1093         (JSC::JSBigInt::rightTrim):
1094         (JSC::JSBigInt::allocateFor):
1095         (JSC::JSBigInt::estimatedSize):
1096         (JSC::JSBigInt::toNumber const):
1097         (JSC::JSBigInt::getPrimitiveNumber const):
1098         * runtime/JSBigInt.h: Added.
1099         (JSC::JSBigInt::setSign):
1100         (JSC::JSBigInt::sign const):
1101         (JSC::JSBigInt::setLength):
1102         (JSC::JSBigInt::length const):
1103         (JSC::JSBigInt::parseInt):
1104         (JSC::JSBigInt::offsetOfData):
1105         (JSC::JSBigInt::dataStorage):
1106         (JSC::JSBigInt::digit):
1107         (JSC::JSBigInt::setDigit):
1108         (JSC::asBigInt):
1109         * runtime/JSCJSValue.cpp:
1110         (JSC::JSValue::synthesizePrototype const):
1111         (JSC::JSValue::toStringSlowCase const):
1112         * runtime/JSCJSValue.h:
1113         * runtime/JSCJSValueInlines.h:
1114         (JSC::JSValue::isBigInt const):
1115         (JSC::JSValue::strictEqualSlowCaseInline):
1116         * runtime/JSCell.cpp:
1117         (JSC::JSCell::put):
1118         (JSC::JSCell::putByIndex):
1119         (JSC::JSCell::toPrimitive const):
1120         (JSC::JSCell::getPrimitiveNumber const):
1121         (JSC::JSCell::toNumber const):
1122         (JSC::JSCell::toObjectSlow const):
1123         * runtime/JSCell.h:
1124         * runtime/JSCellInlines.h:
1125         (JSC::JSCell::isBigInt const):
1126         * runtime/JSType.h:
1127         * runtime/MathCommon.h:
1128         (JSC::clz64):
1129         * runtime/NumberPrototype.cpp:
1130         * runtime/Operations.cpp:
1131         (JSC::jsTypeStringForValue):
1132         (JSC::jsIsObjectTypeOrNull):
1133         * runtime/Options.h:
1134         * runtime/ParseInt.h:
1135         * runtime/SmallStrings.h:
1136         (JSC::SmallStrings::typeString const):
1137         * runtime/StructureInlines.h:
1138         (JSC::prototypeForLookupPrimitiveImpl):
1139         * runtime/TypeofType.cpp:
1140         (WTF::printInternal):
1141         * runtime/TypeofType.h:
1142         * runtime/VM.cpp:
1143         (JSC::VM::VM):
1144         * runtime/VM.h:
1145
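An added illustration of the digit layout described in the entry above, not code from JavaScriptCore: a little-endian digit vector in which index 0 is the least significant digit, a sign flag, and the small-operand helpers (multiply-add, divide-by-small, right-trim) that a decimal parser and a toString need. BigIntDigits, its 32-bit Digit type and the helper names are this example's own assumptions; JSBigInt's inline storage and digit width differ.

```cpp
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

using Digit = uint32_t;       // 32-bit digits so that intermediates fit in 64 bits
using DoubleDigit = uint64_t;

struct BigIntDigits {
    bool sign = false;         // true for negative (plays the role of m_sign)
    std::vector<Digit> digits; // digits[0] is the least significant digit

    size_t length() const { return digits.size(); }
    bool isZero() const { return digits.empty(); }

    // digits = digits * factor + summand, in place; grows by one digit on final carry.
    void inplaceMultiplyAdd(Digit factor, Digit summand)
    {
        DoubleDigit carry = summand;
        for (Digit& d : digits) {
            DoubleDigit product = DoubleDigit(d) * factor + carry;
            d = Digit(product);
            carry = product >> 32;
        }
        if (carry)
            digits.push_back(Digit(carry));
    }

    // Divides the magnitude by a single digit in place and returns the remainder.
    Digit absoluteDivSmall(Digit divisor)
    {
        if (!divisor)
            throw std::invalid_argument("division by zero");
        DoubleDigit remainder = 0;
        for (size_t i = digits.size(); i-- > 0;) {
            DoubleDigit current = (remainder << 32) | digits[i];
            digits[i] = Digit(current / divisor);
            remainder = current % divisor;
        }
        rightTrim();
        return Digit(remainder);
    }

    // Drops leading zero digits so that the top digit is always non-zero.
    void rightTrim()
    {
        while (!digits.empty() && digits.back() == 0)
            digits.pop_back();
    }

    static BigIntDigits parseDecimal(const std::string& text)
    {
        BigIntDigits result;
        size_t i = 0;
        if (i < text.size() && (text[i] == '-' || text[i] == '+'))
            result.sign = text[i++] == '-';
        if (i == text.size())
            throw std::invalid_argument("no digits");
        for (; i < text.size(); ++i) {
            if (text[i] < '0' || text[i] > '9')
                throw std::invalid_argument("bad decimal digit");
            result.inplaceMultiplyAdd(10, Digit(text[i] - '0'));
        }
        result.rightTrim();
        if (result.isZero())
            result.sign = false; // no negative zero
        return result;
    }

    // Repeated division by the radix yields the digits least significant first.
    std::string toString(Digit radix = 10) const
    {
        if (radix < 2 || radix > 36)
            throw std::invalid_argument("radix out of range");
        if (isZero())
            return "0";
        BigIntDigits work = *this;
        std::string out;
        while (!work.isZero())
            out.push_back("0123456789abcdefghijklmnopqrstuvwxyz"[work.absoluteDivSmall(radix)]);
        if (sign)
            out.push_back('-');
        return std::string(out.rbegin(), out.rend());
    }
};

// Strict equality on the normalized representation: same sign and same digits.
bool equalToBigInt(const BigIntDigits& a, const BigIntDigits& b)
{
    return a.sign == b.sign && a.digits == b.digits;
}
```

Because every value is right-trimmed after construction, equality reduces to comparing the sign and the digit vector; an untrimmed "0012" and "12" would otherwise compare unequal.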
1146 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
1147
1148         LLInt: reserve 16 bytes of stack on MIPS for native calls
1149         https://bugs.webkit.org/show_bug.cgi?id=180653
1150
1151         Reviewed by Carlos Alberto Lopez Perez.
1152
1153         * llint/LowLevelInterpreter32_64.asm:
1154         On MIPS, subtract 24 from the stack pointer (16 for calling
1155         convention + 8 to be 16-aligned) instead of the 8 on other platforms
1156         (for alignment).
1157
1158 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1159
1160         [WTF] Thread::create should have Thread::tryCreate
1161         https://bugs.webkit.org/show_bug.cgi?id=180333
1162
1163         Reviewed by Darin Adler.
1164
1165         * assembler/testmasm.cpp:
1166         (JSC::run):
1167         * b3/air/testair.cpp:
1168         * b3/testb3.cpp:
1169         (JSC::B3::run):
1170         * jsc.cpp:
1171         (functionDollarAgentStart):
1172
1173 2017-12-11  Michael Saboff  <msaboff@apple.com>
1174
1175         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1176         https://bugs.webkit.org/show_bug.cgi?id=180685
1177
1178         Reviewed by Saam Barati.
1179
1180         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1181         the character class check to return true without reading the character.  Given that
1182         the character could be a surrogate pair, we need to read the character even if we
1183         don't have to check it.
1184
1185         * yarr/YarrInterpreter.cpp:
1186         (JSC::Yarr::Interpreter::testCharacterClass):
1187         (JSC::Yarr::Interpreter::checkCharacterClass):
1188
1189 2017-12-11  Saam Barati  <sbarati@apple.com>
1190
1191         We need to disableCaching() in ErrorInstance when we materialize properties
1192         https://bugs.webkit.org/show_bug.cgi?id=180343
1193         <rdar://problem/35833002>
1194
1195         Reviewed by Mark Lam.
1196
1197         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1198         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
1199         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1200         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1201         existing property only found on Structure B. This is obviously wrong as it would lead to an
1202         OOB store if we didn't already crash when generating the IC.
1203
1204         * jit/Repatch.cpp:
1205         (JSC::tryCachePutByID):
1206         * runtime/ErrorInstance.cpp:
1207         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1208         (JSC::ErrorInstance::put):
1209         * runtime/ErrorInstance.h:
1210         * runtime/Structure.cpp:
1211         (JSC::Structure::didCachePropertyReplacement):
1212
1213 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
1214
1215         [WinCairo] DLLLauncherMain should use SetDllDirectory
1216         https://bugs.webkit.org/show_bug.cgi?id=180642
1217
1218         Reviewed by Alex Christensen.
1219
1220         Windows has icuuc.dll in the system directory. WebKit should find
1221         the one in the WebKitLibraries directory, not the one in the system directory.
1222
1223         * shell/DLLLauncherMain.cpp:
1224         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1225
1226 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
1227
1228         Web Inspector: Optionally log WebKit log parameters as JSON
1229         https://bugs.webkit.org/show_bug.cgi?id=180529
1230         <rdar://problem/35909462>
1231
1232         Reviewed by Joseph Pecoraro.
1233
1234         * inspector/ConsoleMessage.cpp:
1235         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1236         values. Concatenate all adjacent strings to make logging cleaner.
1237         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1238         (Inspector::ConsoleMessage::scriptState const):
1239         * inspector/ConsoleMessage.h:
1240
1241         * inspector/InjectedScript.cpp:
1242         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1243         * inspector/InjectedScript.h:
1244         * inspector/InjectedScriptSource.js:
1245         (let.InjectedScript.prototype.wrapJSONString):
1246
1247 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1248
1249         Remove unused builtin names
1250         https://bugs.webkit.org/show_bug.cgi?id=180673
1251
1252         Reviewed by Keith Miller.
1253
1254         * builtins/BuiltinNames.h:
1255
1256 2017-12-11  David Quesada  <david_quesada@apple.com>
1257
1258         Turn on ENABLE_APPLICATION_MANIFEST
1259         https://bugs.webkit.org/show_bug.cgi?id=180562
1260         rdar://problem/35924737
1261
1262         Reviewed by Geoffrey Garen.
1263
1264         * Configurations/FeatureDefines.xcconfig:
1265
1266 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
1267
1268         Harden a few assertions in GC sweep
1269         https://bugs.webkit.org/show_bug.cgi?id=180634
1270
1271         Reviewed by Saam Barati.
1272         
1273         This turns one dynamic check into a release assertion and upgrades another assertion to a release
1274         assertion.
1275
1276         * heap/MarkedBlock.cpp:
1277         (JSC::MarkedBlock::Handle::sweep):
1278
1279 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
1280
1281         [python] Modernize "except" usage for python3 compatibility
1282         https://bugs.webkit.org/show_bug.cgi?id=180612
1283
1284         Reviewed by Michael Catanzaro.
1285
1286         * inspector/scripts/generate-inspector-protocol-bindings.py:
1287
1288 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1289
1290         InferredType should not use UnconditionalFinalizer
1291         https://bugs.webkit.org/show_bug.cgi?id=180456
1292
1293         Reviewed by Saam Barati.
1294         
1295         This turns InferredStructure into a cell so that we can unconditionally finalize them without
1296         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1297         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1298         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1299         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1300
1301         * JavaScriptCore.xcodeproj/project.pbxproj:
1302         * Sources.txt:
1303         * heap/Heap.cpp:
1304         (JSC::Heap::finalizeUnconditionalFinalizers):
1305         * heap/Heap.h:
1306         * runtime/InferredStructure.cpp: Added.
1307         (JSC::InferredStructure::create):
1308         (JSC::InferredStructure::destroy):
1309         (JSC::InferredStructure::createStructure):
1310         (JSC::InferredStructure::visitChildren):
1311         (JSC::InferredStructure::finalizeUnconditionally):
1312         (JSC::InferredStructure::InferredStructure):
1313         (JSC::InferredStructure::finishCreation):
1314         * runtime/InferredStructure.h: Added.
1315         * runtime/InferredStructureWatchpoint.cpp: Added.
1316         (JSC::InferredStructureWatchpoint::fireInternal):
1317         * runtime/InferredStructureWatchpoint.h: Added.
1318         * runtime/InferredType.cpp:
1319         (JSC::InferredType::visitChildren):
1320         (JSC::InferredType::willStoreValueSlow):
1321         (JSC::InferredType::makeTopSlow):
1322         (JSC::InferredType::set):
1323         (JSC::InferredType::removeStructure):
1324         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1325         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1326         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1327         * runtime/InferredType.h:
1328         * runtime/VM.cpp:
1329         (JSC::VM::VM):
1330         * runtime/VM.h:
1331
1332 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
1333
1334         [python] Replace print >> operator with print() function for python3 compatibility
1335         https://bugs.webkit.org/show_bug.cgi?id=180611
1336
1337         Reviewed by Michael Catanzaro.
1338
1339         * Scripts/make-js-file-arrays.py:
1340         (main):
1341
1342 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1343
1344         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1345         https://bugs.webkit.org/show_bug.cgi?id=180520
1346         <rdar://problem/35900764>
1347
1348         Reviewed by Brian Burg.
1349
1350         * inspector/protocol/ServiceWorker.json:
1351         Include content script content in the initialization info.
1352
1353 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
1354
1355         [python] Replace print operator with print() function for python3 compatibility
1356         https://bugs.webkit.org/show_bug.cgi?id=180592
1357
1358         Reviewed by Michael Catanzaro.
1359
1360         * Scripts/generateYarrUnicodePropertyTables.py:
1361         (openOrExit):
1362         (verifyUCDFilesExist):
1363         (Aliases.parsePropertyAliasesFile):
1364         (Aliases.parsePropertyValueAliasesFile):
1365         * Scripts/make-js-file-arrays.py:
1366         (main):
1367         * generate-bytecode-files:
1368
1369 2017-12-08  Mark Lam  <mark.lam@apple.com>
1370
1371         Need to unpoison native function pointers for CLoop.
1372         https://bugs.webkit.org/show_bug.cgi?id=180601
1373         <rdar://problem/35942028>
1374
1375         Reviewed by JF Bastien.
1376
1377         * llint/LowLevelInterpreter64.asm:
1378
1379 2017-12-08  Michael Saboff  <msaboff@apple.com>
1380
1381         YARR: JIT RegExps with greedy parenthesized sub patterns
1382         https://bugs.webkit.org/show_bug.cgi?id=180538
1383
1384         Reviewed by JF Bastien.
1385
1386         This patch adds JIT support for regular expressions containing greedy counted
1387         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1388
1389         Just like in the interpreter, expressions with nested parenthetical subpatterns
1390         require saving the results of previous matches of the parentheses contents along
1391         with any associated state.  This saved state is needed in the case that we need
1392         to backtrack.  This state is called ParenContext within the code.  Space allocated
1393         for this ParenContext is managed using a simple block allocator within the JIT'ed
1394         code.  The raw space managed by this allocator is passed into the JIT'ed function.
1395
1396         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
1397         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
1398         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
1399         expression.
1400
1401         Due to increased register usage by the parenthesis handling code, the use of
1402         registers by the JIT engine was restructured, with registers used for Unicode
1403         pattern matching replaced with constants.
1404
1405         Reworked some of the context structures that are used across the interpreter
1406         and JIT implementations to make them a little more uniform and to handle the
1407         needs of JIT'ing the new parentheses forms.
1408
1409         To help with development and debugging of this code, the compiled pattern dumping
1410         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
1411
1412         * runtime/RegExp.cpp:
1413         (JSC::byteCodeCompilePattern):
1414         (JSC::RegExp::byteCodeCompileIfNecessary):
1415         (JSC::RegExp::compile):
1416         (JSC::RegExp::compileMatchOnly):
1417         * runtime/RegExp.h:
1418         * runtime/RegExpInlines.h:
1419         (JSC::RegExp::matchInline):
1420         * testRegExp.cpp:
1421         (parseRegExpLine):
1422         (runFromFiles):
1423         * yarr/Yarr.h:
1424         * yarr/YarrInterpreter.cpp:
1425         (JSC::Yarr::ByteCompiler::compile):
1426         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1427         * yarr/YarrJIT.cpp:
1428         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1429         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1430         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1431         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1432         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1433         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1434         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1435         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1436         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1437         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1438         (JSC::Yarr::YarrGenerator::allocatePatternContext):
1439         (JSC::Yarr::YarrGenerator::freePatternContext):
1440         (JSC::Yarr::YarrGenerator::savePatternContext):
1441         (JSC::Yarr::YarrGenerator::restorePatternContext):
1442         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1443         (JSC::Yarr::YarrGenerator::storeToFrame):
1444         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
1445         (JSC::Yarr::YarrGenerator::clearMatches):
1446         (JSC::Yarr::YarrGenerator::generate):
1447         (JSC::Yarr::YarrGenerator::backtrack):
1448         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1449         (JSC::Yarr::YarrGenerator::generateEnter):
1450         (JSC::Yarr::YarrGenerator::generateReturn):
1451         (JSC::Yarr::YarrGenerator::YarrGenerator):
1452         (JSC::Yarr::YarrGenerator::compile):
1453         * yarr/YarrJIT.h:
1454         (JSC::Yarr::YarrCodeBlock::execute):
1455         * yarr/YarrPattern.cpp:
1456         (JSC::Yarr::indentForNestingLevel):
1457         (JSC::Yarr::dumpUChar32):
1458         (JSC::Yarr::dumpCharacterClass):
1459         (JSC::Yarr::PatternTerm::dump):
1460         (JSC::Yarr::YarrPattern::dumpPattern):
1461         * yarr/YarrPattern.h:
1462         (JSC::Yarr::PatternTerm::containsAnyCaptures):
1463         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1464         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1465         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1466         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1467         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
1468         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
1469
1470 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1471
1472         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
1473         https://bugs.webkit.org/show_bug.cgi?id=180590
1474         <rdar://problem/35882767>
1475
1476         Reviewed by Mark Lam.
1477
1478         * inspector/agents/InspectorConsoleAgent.cpp:
1479         (Inspector::InspectorConsoleAgent::enable):
1480         Swap the messages to a Vector that won't change during iteration.
1481
1482 2017-12-08  Michael Saboff  <msaboff@apple.com>
1483
1484         YARR: Coalesce constructed character classes
1485         https://bugs.webkit.org/show_bug.cgi?id=180537
1486
1487         Reviewed by JF Bastien.
1488
1489         When adding characters or character ranges to a character class being constructed,
1490         we now coalesce adjacent characters and character ranges.  When we create a
1491         character class after construction is complete, we do a final coalescing pass
1492         across the character list and ranges to catch any remaining coalescing
1493         opportunities.
1494
1495         Added an optimization for character classes that will match any character.
1496         This is somewhat common in code created before the /s (dotAll) flag was added
1497         to the engine.
1498
1499         * yarr/YarrInterpreter.cpp:
1500         (JSC::Yarr::Interpreter::checkCharacterClass):
1501         * yarr/YarrJIT.cpp:
1502         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1503         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1504         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1505         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1506         * yarr/YarrPattern.cpp:
1507         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1508         (JSC::Yarr::CharacterClassConstructor::reset):
1509         (JSC::Yarr::CharacterClassConstructor::charClass):
1510         (JSC::Yarr::CharacterClassConstructor::addSorted):
1511         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1512         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
1513         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
1514         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
1515         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
1516         (JSC::Yarr::PatternTerm::dump):
1517         (JSC::Yarr::anycharCreate):
1518         * yarr/YarrPattern.h:
1519         (JSC::Yarr::CharacterClass::CharacterClass):
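
        As an added illustration (not JavaScriptCore's own CharacterClassConstructor; all names here are hypothetical), a character-class builder in the spirit of the change above: ranges are kept sorted and merged with any neighbour they touch as they are added, a final pass coalesces a bulk-filled table, and a class covering every code point is recognised so the matcher can skip the table lookup.

```cpp
// Added illustration, not JavaScriptCore's code: a character-class builder that
// coalesces adjacent characters and ranges as they are added, does a final
// coalescing pass, and recognises an "any character" class. Names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <utility>
#include <vector>

using UChar32 = uint32_t;
constexpr UChar32 kMaxCodePoint = 0x10FFFF;

struct CharRange {
    UChar32 lo;
    UChar32 hi; // inclusive
};

class CoalescingCharacterClass {
public:
    // Add one character; it is merged into a touching range when there is one.
    void addSorted(UChar32 c) { addSortedRange(c, c); }

    // Add [lo, hi] while keeping m_ranges sorted, non-overlapping and non-adjacent.
    void addSortedRange(UChar32 lo, UChar32 hi)
    {
        if (lo > hi)
            std::swap(lo, hi);
        hi = std::min(hi, kMaxCodePoint);
        // First existing range that overlaps or is immediately adjacent to [lo, hi].
        auto it = std::lower_bound(m_ranges.begin(), m_ranges.end(), lo,
            [](const CharRange& r, UChar32 value) { return r.hi + 1 < value; });
        // Absorb every range that touches the new one; hi grows as we go.
        while (it != m_ranges.end() && it->lo <= hi + 1) {
            lo = std::min(lo, it->lo);
            hi = std::max(hi, it->hi);
            it = m_ranges.erase(it);
        }
        m_ranges.insert(it, CharRange { lo, hi });
    }

    // Bulk path with no merging, to be followed by coalesceTables().
    void appendUnsorted(UChar32 lo, UChar32 hi)
    {
        if (lo > hi)
            std::swap(lo, hi);
        m_ranges.push_back(CharRange { lo, std::min(hi, kMaxCodePoint) });
    }

    // Final pass: sort, then merge overlapping or adjacent neighbours in one sweep.
    void coalesceTables()
    {
        std::sort(m_ranges.begin(), m_ranges.end(),
            [](const CharRange& a, const CharRange& b) { return a.lo < b.lo; });
        std::vector<CharRange> merged;
        for (const CharRange& r : m_ranges) {
            if (!merged.empty() && r.lo <= merged.back().hi + 1)
                merged.back().hi = std::max(merged.back().hi, r.hi);
            else
                merged.push_back(r);
        }
        m_ranges.swap(merged);
    }

    // A fully coalesced class that spans every code point: the matcher can then
    // accept without consulting the table at all.
    bool anyCharacter() const
    {
        return m_ranges.size() == 1 && m_ranges[0].lo == 0 && m_ranges[0].hi == kMaxCodePoint;
    }

    bool matches(UChar32 c) const
    {
        if (anyCharacter())
            return true;
        // Last range starting at or before c; sorted + disjoint makes this sufficient.
        auto it = std::upper_bound(m_ranges.begin(), m_ranges.end(), c,
            [](UChar32 value, const CharRange& r) { return value < r.lo; });
        return it != m_ranges.begin() && c <= (it - 1)->hi;
    }

    size_t rangeCount() const { return m_ranges.size(); }
    const std::vector<CharRange>& ranges() const { return m_ranges; }

private:
    std::vector<CharRange> m_ranges;
};
```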
1520
1521 2017-12-07  Saam Barati  <sbarati@apple.com>
1522
1523         Modify our dollar VM clflush intrinsic to aid in some perf testing
1524         https://bugs.webkit.org/show_bug.cgi?id=180559
1525
1526         Reviewed by Mark Lam.
1527
1528         * tools/JSDollarVM.cpp:
1529         (JSC::functionCpuClflush):
1530         (JSC::functionDeltaBetweenButterflies):
1531         (JSC::JSDollarVM::finishCreation):
1532
1533 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
1534
1535         Simplify log channel configuration UI
1536         https://bugs.webkit.org/show_bug.cgi?id=180527
1537         <rdar://problem/35908382>
1538
1539         Reviewed by Joseph Pecoraro.
1540
1541         * inspector/protocol/Console.json:
1542
1543 2017-12-07  Mark Lam  <mark.lam@apple.com>
1544
1545         Apply poisoning to some native code pointers.
1546         https://bugs.webkit.org/show_bug.cgi?id=180541
1547         <rdar://problem/35916875>
1548
1549         Reviewed by Filip Pizlo.
1550
1551         Renamed g_classInfoPoison to g_globalDataPoison.
1552         Renamed g_masmPoison to g_jitCodePoison.
1553         Introduced g_nativeCodePoison.
1554         Applied g_nativeCodePoison to poisoning some native code pointers.
1555
1556         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
1557         to malloc allocated data structures (where needed).
1558
1559         * API/JSCallbackFunction.h:
1560         (JSC::JSCallbackFunction::functionCallback):
1561         * JavaScriptCore.xcodeproj/project.pbxproj:
1562         * jit/ThunkGenerators.cpp:
1563         (JSC::nativeForGenerator):
1564         * llint/LowLevelInterpreter64.asm:
1565         * runtime/CustomGetterSetter.h:
1566         (JSC::CustomGetterSetter::getter const):
1567         (JSC::CustomGetterSetter::setter const):
1568         * runtime/InternalFunction.cpp:
1569         (JSC::InternalFunction::getCallData):
1570         (JSC::InternalFunction::getConstructData):
1571         * runtime/InternalFunction.h:
1572         (JSC::InternalFunction::nativeFunctionFor):
1573         * runtime/JSCPoison.h: Added.
1574         * runtime/JSCPoisonedPtr.cpp:
1575         (JSC::initializePoison):
1576         * runtime/JSCPoisonedPtr.h:
1577         * runtime/Lookup.h:
1578         * runtime/NativeExecutable.cpp:
1579         (JSC::NativeExecutable::hashFor const):
1580         * runtime/NativeExecutable.h:
1581         * runtime/Structure.cpp:
1582         (JSC::StructureTransitionTable::setSingleTransition):
1583         * runtime/StructureTransitionTable.h:
1584         (JSC::StructureTransitionTable::StructureTransitionTable):
1585         (JSC::StructureTransitionTable::isUsingSingleSlot const):
1586         (JSC::StructureTransitionTable::map const):
1587         (JSC::StructureTransitionTable::weakImpl const):
1588         (JSC::StructureTransitionTable::setMap):
1589
1590 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
1591
1592         Web Inspector: Fix style in remote inspector classes
1593         https://bugs.webkit.org/show_bug.cgi?id=180545
1594
1595         Reviewed by Youenn Fablet.
1596
1597         * inspector/remote/RemoteControllableTarget.h:
1598         * inspector/remote/RemoteInspectionTarget.h:
1599         * runtime/JSGlobalObjectDebuggable.h:
1600
1601 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
1602
1603         Use fastAlignedFree to free aligned memory.
1604         https://bugs.webkit.org/show_bug.cgi?id=180540
1605
1606         Reviewed by Saam Barati.
1607
1608         * heap/IsoAlignedMemoryAllocator.cpp:
1609         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1610
1611 2017-12-07  Matt Lewis  <jlewis3@apple.com>
1612
1613         Unreviewed, rolling out r225634.
1614
1615         This caused layout tests to time out.
1616
1617         Reverted changeset:
1618
1619         "Simplify log channel configuration UI"
1620         https://bugs.webkit.org/show_bug.cgi?id=180527
1621         https://trac.webkit.org/changeset/225634
1622
1623 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
1624
1625         Simplify log channel configuration UI
1626         https://bugs.webkit.org/show_bug.cgi?id=180527
1627         <rdar://problem/35908382>
1628
1629         Reviewed by Joseph Pecoraro.
1630
1631         * inspector/protocol/Console.json:
1632
1633 2017-12-07  Mark Lam  <mark.lam@apple.com>
1634
1635         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
1636         https://bugs.webkit.org/show_bug.cgi?id=180514
1637
1638         Reviewed by Saam Barati and JF Bastien.
1639
1640         Re-landing r225620 with speculative build fix for GCC 7.
1641
1642         * API/JSCallbackObject.h:
1643         * API/JSObjectRef.cpp:
1644         (classInfoPrivate):
1645         * JavaScriptCore.xcodeproj/project.pbxproj:
1646         * Sources.txt:
1647         * assembler/MacroAssemblerCodeRef.h:
1648         (JSC::FunctionPtr::FunctionPtr):
1649         (JSC::FunctionPtr::value const):
1650         (JSC::FunctionPtr::executableAddress const):
1651         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1652         (JSC::ReturnAddressPtr::value const):
1653         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1654         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1655         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1656         (JSC::MacroAssemblerCodePtr:: const):
1657         (JSC::MacroAssemblerCodePtr::operator! const):
1658         (JSC::MacroAssemblerCodePtr::operator== const):
1659         (JSC::MacroAssemblerCodePtr::emptyValue):
1660         (JSC::MacroAssemblerCodePtr::deletedValue):
1661         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1662         * b3/B3LowerMacros.cpp:
1663         * b3/testb3.cpp:
1664         (JSC::B3::testInterpreter):
1665         * dfg/DFGSpeculativeJIT.cpp:
1666         (JSC::DFG::SpeculativeJIT::checkArray):
1667         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1668         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1669         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1670         * ftl/FTLLowerDFGToB3.cpp:
1671         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1672         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1673         * jit/AssemblyHelpers.h:
1674         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1675         * jit/SpecializedThunkJIT.h:
1676         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1677         * jit/ThunkGenerators.cpp:
1678         (JSC::virtualThunkFor):
1679         (JSC::boundThisNoArgsFunctionCallGenerator):
1680         * llint/LLIntSlowPaths.cpp:
1681         (JSC::LLInt::handleHostCall):
1682         (JSC::LLInt::setUpCall):
1683         * llint/LowLevelInterpreter64.asm:
1684         * runtime/InitializeThreading.cpp:
1685         (JSC::initializeThreading):
1686         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1687         (JSC::initializePoison):
1688         (JSC::initializeScrambledPtrKeys): Deleted.
1689         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1690         * runtime/JSCScrambledPtr.cpp: Removed.
1691         * runtime/JSCScrambledPtr.h: Removed.
1692         * runtime/JSDestructibleObject.h:
1693         (JSC::JSDestructibleObject::classInfo const):
1694         * runtime/JSSegmentedVariableObject.h:
1695         (JSC::JSSegmentedVariableObject::classInfo const):
1696         * runtime/Structure.h:
1697         * runtime/VM.h:
1698
1699 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1700
1701         Unreviewed, rolling out r225620
1702         https://bugs.webkit.org/show_bug.cgi?id=180514
1703         <rdar://problem/35901694>
1704
1705         It broke the build with GCC 7, and I don't know how to fix it.
1706
1707         * API/JSCallbackObject.h:
1708         * API/JSObjectRef.cpp:
1709         (classInfoPrivate):
1710         * JavaScriptCore.xcodeproj/project.pbxproj:
1711         * Sources.txt:
1712         * assembler/MacroAssemblerCodeRef.h:
1713         (JSC::FunctionPtr::FunctionPtr):
1714         (JSC::FunctionPtr::value const):
1715         (JSC::FunctionPtr::executableAddress const):
1716         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1717         (JSC::ReturnAddressPtr::value const):
1718         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1719         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1720         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
1721         (JSC::MacroAssemblerCodePtr:: const):
1722         (JSC::MacroAssemblerCodePtr::operator! const):
1723         (JSC::MacroAssemblerCodePtr::operator== const):
1724         (JSC::MacroAssemblerCodePtr::emptyValue):
1725         (JSC::MacroAssemblerCodePtr::deletedValue):
1726         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
1727         * b3/B3LowerMacros.cpp:
1728         * b3/testb3.cpp:
1729         (JSC::B3::testInterpreter):
1730         * dfg/DFGSpeculativeJIT.cpp:
1731         (JSC::DFG::SpeculativeJIT::checkArray):
1732         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1733         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1734         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1735         * ftl/FTLLowerDFGToB3.cpp:
1736         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1737         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1738         * jit/AssemblyHelpers.h:
1739         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1740         * jit/SpecializedThunkJIT.h:
1741         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1742         * jit/ThunkGenerators.cpp:
1743         (JSC::virtualThunkFor):
1744         (JSC::boundThisNoArgsFunctionCallGenerator):
1745         * llint/LLIntSlowPaths.cpp:
1746         (JSC::LLInt::handleHostCall):
1747         (JSC::LLInt::setUpCall):
1748         * llint/LowLevelInterpreter64.asm:
1749         * runtime/InitializeThreading.cpp:
1750         (JSC::initializeThreading):
1751         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
1752         (JSC::initializeScrambledPtrKeys):
1753         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
1754         * runtime/JSDestructibleObject.h:
1755         (JSC::JSDestructibleObject::classInfo const):
1756         * runtime/JSSegmentedVariableObject.h:
1757         (JSC::JSSegmentedVariableObject::classInfo const):
1758         * runtime/Structure.h:
1759         * runtime/VM.h:
1760
1761 2017-12-06  Mark Lam  <mark.lam@apple.com>
1762
1763         Refactoring: Rename ScrambledPtr to Poisoned.
1764         https://bugs.webkit.org/show_bug.cgi?id=180514
1765
1766         Reviewed by Saam Barati.
1767
1768         * API/JSCallbackObject.h:
1769         * API/JSObjectRef.cpp:
1770         (classInfoPrivate):
1771         * JavaScriptCore.xcodeproj/project.pbxproj:
1772         * Sources.txt:
1773         * assembler/MacroAssemblerCodeRef.h:
1774         (JSC::FunctionPtr::FunctionPtr):
1775         (JSC::FunctionPtr::value const):
1776         (JSC::FunctionPtr::executableAddress const):
1777         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1778         (JSC::ReturnAddressPtr::value const):
1779         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1780         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1781         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1782         (JSC::MacroAssemblerCodePtr:: const):
1783         (JSC::MacroAssemblerCodePtr::operator! const):
1784         (JSC::MacroAssemblerCodePtr::operator== const):
1785         (JSC::MacroAssemblerCodePtr::emptyValue):
1786         (JSC::MacroAssemblerCodePtr::deletedValue):
1787         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1788         * b3/B3LowerMacros.cpp:
1789         * b3/testb3.cpp:
1790         (JSC::B3::testInterpreter):
1791         * dfg/DFGSpeculativeJIT.cpp:
1792         (JSC::DFG::SpeculativeJIT::checkArray):
1793         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1794         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1795         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1796         * ftl/FTLLowerDFGToB3.cpp:
1797         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1798         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1799         * jit/AssemblyHelpers.h:
1800         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1801         * jit/SpecializedThunkJIT.h:
1802         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1803         * jit/ThunkGenerators.cpp:
1804         (JSC::virtualThunkFor):
1805         (JSC::boundThisNoArgsFunctionCallGenerator):
1806         * llint/LLIntSlowPaths.cpp:
1807         (JSC::LLInt::handleHostCall):
1808         (JSC::LLInt::setUpCall):
1809         * llint/LowLevelInterpreter64.asm:
1810         * runtime/InitializeThreading.cpp:
1811         (JSC::initializeThreading):
1812         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1813         (JSC::initializePoison):
1814         (JSC::initializeScrambledPtrKeys): Deleted.
1815         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1816         * runtime/JSCScrambledPtr.cpp: Removed.
1817         * runtime/JSCScrambledPtr.h: Removed.
1818         * runtime/JSDestructibleObject.h:
1819         (JSC::JSDestructibleObject::classInfo const):
1820         * runtime/JSSegmentedVariableObject.h:
1821         (JSC::JSSegmentedVariableObject::classInfo const):
1822         * runtime/Structure.h:
1823         * runtime/VM.h:
1824
1825 2017-12-02  Darin Adler  <darin@apple.com>
1826
1827         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
1828         https://bugs.webkit.org/show_bug.cgi?id=180009
1829
1830         Reviewed by Alex Christensen.
1831
1832         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
1833         * bytecode/CodeBlock.cpp: Ditto.
1834         * bytecode/ExecutionCounter.cpp: Ditto.
1835         * runtime/ConfigFile.cpp: Ditto.
1836         * runtime/DatePrototype.cpp: Ditto.
1837         * runtime/IndexingType.cpp: Ditto.
1838         * runtime/JSCJSValue.cpp: Ditto.
1839         * runtime/JSDateMath.cpp: Ditto.
1840         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
1841         * runtime/Options.cpp: Ditto.
1842         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
1843
1844 2017-12-06  Saam Barati  <sbarati@apple.com>
1845
1846         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
1847         https://bugs.webkit.org/show_bug.cgi?id=180438
1848         <rdar://problem/35862342>
1849
1850         Reviewed by Yusuke Suzuki.
1851
1852         A couple of inspector methods that take stack traces need
1853         to grab the JSLock.
1854
1855         * inspector/ScriptCallStackFactory.cpp:
1856         (Inspector::createScriptCallStack):
1857         (Inspector::createScriptCallStackForConsole):
1858
1859 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
1860
1861         Switch windows build to Visual Studio 2017
1862         https://bugs.webkit.org/show_bug.cgi?id=172412
1863
1864         Reviewed by Per Arne Vollan.
1865
1866         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1867
1868 2017-12-05  JF Bastien  <jfbastien@apple.com>
1869
1870         WebAssembly: don't eagerly checksum
1871         https://bugs.webkit.org/show_bug.cgi?id=180441
1872         <rdar://problem/35156628>
1873
1874         Reviewed by Saam Barati.
1875
1876         Make checksumming of module optional for now. The bots think the
1877         checksum hurt compile-time. I'd measured it and couldn't see a
1878         difference, and still can't at this point in time, but we'll see
1879         if disabling it fixes the bots. If so then I can make it lazy upon
1880         first backtrace construction, or I can try out MD5 instead of
1881         SHA1.
1882
1883         * runtime/Options.h:
1884         * wasm/WasmModuleInformation.cpp:
1885         (JSC::Wasm::ModuleInformation::ModuleInformation):
1886         * wasm/WasmModuleInformation.h:
1887         * wasm/WasmNameSection.h:
1888         (JSC::Wasm::NameSection::NameSection):
1889
1890 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1891
1892         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
1893         https://bugs.webkit.org/show_bug.cgi?id=180425
1894
1895         Reviewed by Saam Barati.
1896         
1897         Failure to do so causes leaks after starting workers.
1898
1899         * heap/IsoAlignedMemoryAllocator.cpp:
1900         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1901         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1902
1903 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
1904
1905         [Win64] Compile error in testmasm.cpp.
1906         https://bugs.webkit.org/show_bug.cgi?id=180436
1907
1908         Reviewed by Mark Lam.
1909
1910         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
1911         
1912         * assembler/testmasm.cpp:
1913         (JSC::testGetEffectiveAddress):
1914
1915 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
1916
1917         GC constraint solving should be parallel
1918         https://bugs.webkit.org/show_bug.cgi?id=179934
1919
1920         Reviewed by JF Bastien.
1921         
1922         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
1923         speed-up. It's more than 1% on trunk-Speedometer.
1924         
1925         The constraint solver supports running constraints in parallel in two different ways:
1926         
1927         - Run multiple constraints in parallel to each other. This only works for constraints that can
1928           tolerate other constraints running concurrently to them (constraint.concurrency() ==
1929           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
1930           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
1931           could probably make them concurrent, but I'm playing it safe for now.
1932         
1933         - A constraint can create parallel work for itself, which the constraint solver will interleave
1934           with other stuff. A constraint can report that it has parallel work by returning
1935           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
1936           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
1937           for as long as that function wants to run.
1938         
1939         It's not possible to have a non-concurrent constraint that creates parallel work.
1940         
1941         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
1942         most natural for two reasons:
1943         
1944         - No need to start any other threads.
1945         
1946         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
1947           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
1948           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
1949           thread, that thread will have work it can start doing immediately. Before this change, we had to
1950           contribute the work found by the constraint solver to the global worklist so that it could be
1951           distributed to the marker threads by load balancing. This change probably helps to avoid that
1952           load balancing step.
1953         
1954         A lot of this change is about making it easy to iterate GC data structures in parallel. This
1955         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
1956         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
1957         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
1958         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
1959         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
1960         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
1961         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
1962         done is indicated by null).
1963         
1964         * API/JSMarkingConstraintPrivate.cpp:
1965         (JSContextGroupAddMarkingConstraint):
1966         * API/JSVirtualMachine.mm:
1967         (scanExternalObjectGraph):
1968         (scanExternalRememberedSet):
1969         * JavaScriptCore.xcodeproj/project.pbxproj:
1970         * Sources.txt:
1971         * bytecode/AccessCase.cpp:
1972         (JSC::AccessCase::propagateTransitions const):
1973         * bytecode/CodeBlock.cpp:
1974         (JSC::CodeBlock::visitWeakly):
1975         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1976         (JSC::shouldMarkTransition):
1977         (JSC::CodeBlock::propagateTransitions):
1978         (JSC::CodeBlock::determineLiveness):
1979         * dfg/DFGWorklist.cpp:
1980         * ftl/FTLCompile.cpp:
1981         (JSC::FTL::compile):
1982         * heap/ConstraintParallelism.h: Added.
1983         (WTF::printInternal):
1984         * heap/Heap.cpp:
1985         (JSC::Heap::Heap):
1986         (JSC::Heap::addToRememberedSet):
1987         (JSC::Heap::runFixpointPhase):
1988         (JSC::Heap::stopThePeriphery):
1989         (JSC::Heap::resumeThePeriphery):
1990         (JSC::Heap::addCoreConstraints):
1991         (JSC::Heap::setBonusVisitorTask):
1992         (JSC::Heap::runTaskInParallel):
1993         (JSC::Heap::forEachSlotVisitor): Deleted.
1994         * heap/Heap.h:
1995         (JSC::Heap::worldIsRunning const):
1996         (JSC::Heap::runFunctionInParallel):
1997         * heap/HeapInlines.h:
1998         (JSC::Heap::worldIsStopped const):
1999         (JSC::Heap::isMarked):
2000         (JSC::Heap::incrementDeferralDepth):
2001         (JSC::Heap::decrementDeferralDepth):
2002         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2003         (JSC::Heap::forEachSlotVisitor):
2004         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
2005         (JSC::Heap::isMarkedConcurrently): Deleted.
2006         * heap/HeapSnapshotBuilder.cpp:
2007         (JSC::HeapSnapshotBuilder::appendNode):
2008         * heap/LargeAllocation.h:
2009         (JSC::LargeAllocation::isMarked):
2010         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2011         * heap/LockDuringMarking.h:
2012         (JSC::lockDuringMarking):
2013         * heap/MarkedAllocator.cpp:
2014         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2015         * heap/MarkedAllocator.h:
2016         * heap/MarkedBlock.h:
2017         (JSC::MarkedBlock::aboutToMark):
2018         (JSC::MarkedBlock::isMarked):
2019         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2020         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2021         * heap/MarkedSpace.h:
2022         (JSC::MarkedSpace::activeWeakSetsBegin):
2023         (JSC::MarkedSpace::activeWeakSetsEnd):
2024         (JSC::MarkedSpace::newActiveWeakSetsBegin):
2025         (JSC::MarkedSpace::newActiveWeakSetsEnd):
2026         * heap/MarkingConstraint.cpp:
2027         (JSC::MarkingConstraint::MarkingConstraint):
2028         (JSC::MarkingConstraint::execute):
2029         (JSC::MarkingConstraint::quickWorkEstimate):
2030         (JSC::MarkingConstraint::workEstimate):
2031         (JSC::MarkingConstraint::doParallelWork):
2032         (JSC::MarkingConstraint::finishParallelWork):
2033         (JSC::MarkingConstraint::doParallelWorkImpl):
2034         (JSC::MarkingConstraint::finishParallelWorkImpl):
2035         * heap/MarkingConstraint.h:
2036         (JSC::MarkingConstraint::lastExecuteParallelism const):
2037         (JSC::MarkingConstraint::parallelism const):
2038         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2039         (JSC::MarkingConstraint::workEstimate): Deleted.
2040         * heap/MarkingConstraintSet.cpp:
2041         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2042         (JSC::MarkingConstraintSet::add):
2043         (JSC::MarkingConstraintSet::executeConvergence):
2044         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2045         (JSC::MarkingConstraintSet::executeAll):
2046         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2047         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2048         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2049         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2050         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2051         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2052         (): Deleted.
2053         * heap/MarkingConstraintSet.h:
2054         * heap/MarkingConstraintSolver.cpp: Added.
2055         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2056         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2057         (JSC::MarkingConstraintSolver::didVisitSomething const):
2058         (JSC::MarkingConstraintSolver::execute):
2059         (JSC::MarkingConstraintSolver::drain):
2060         (JSC::MarkingConstraintSolver::converge):
2061         (JSC::MarkingConstraintSolver::runExecutionThread):
2062         (JSC::MarkingConstraintSolver::didExecute):
2063         * heap/MarkingConstraintSolver.h: Added.
2064         * heap/OpaqueRootSet.h: Removed.
2065         * heap/ParallelSourceAdapter.h: Added.
2066         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2067         (JSC::createParallelSourceAdapter):
2068         * heap/SimpleMarkingConstraint.cpp: Added.
2069         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2070         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2071         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2072         (JSC::SimpleMarkingConstraint::executeImpl):
2073         * heap/SimpleMarkingConstraint.h: Added.
2074         * heap/SlotVisitor.cpp:
2075         (JSC::SlotVisitor::didStartMarking):
2076         (JSC::SlotVisitor::reset):
2077         (JSC::SlotVisitor::appendToMarkStack):
2078         (JSC::SlotVisitor::visitChildren):
2079         (JSC::SlotVisitor::updateMutatorIsStopped):
2080         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2081         (JSC::SlotVisitor::drain):
2082         (JSC::SlotVisitor::performIncrementOfDraining):
2083         (JSC::SlotVisitor::didReachTermination):
2084         (JSC::SlotVisitor::hasWork):
2085         (JSC::SlotVisitor::drainFromShared):
2086         (JSC::SlotVisitor::drainInParallelPassively):
2087         (JSC::SlotVisitor::waitForTermination):
2088         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
2089         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
2090         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
2091         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
2092         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
2093         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
2094         * heap/SlotVisitor.h:
2095         * heap/SlotVisitorInlines.h:
2096         (JSC::SlotVisitor::addOpaqueRoot):
2097         (JSC::SlotVisitor::containsOpaqueRoot const):
2098         (JSC::SlotVisitor::vm):
2099         (JSC::SlotVisitor::vm const):
2100         * heap/Subspace.cpp:
2101         (JSC::Subspace::parallelAllocatorSource):
2102         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2103         * heap/Subspace.h:
2104         * heap/SubspaceInlines.h:
2105         (JSC::Subspace::forEachMarkedCellInParallel):
2106         * heap/VisitCounter.h: Added.
2107         (JSC::VisitCounter::VisitCounter):
2108         (JSC::VisitCounter::visitCount const):
2109         * heap/VisitingTimeout.h: Removed.
2110         * heap/WeakBlock.cpp:
2111         (JSC::WeakBlock::specializedVisit):
2112         * runtime/Structure.cpp:
2113         (JSC::Structure::isCheapDuringGC):
2114         (JSC::Structure::markIfCheap):
2115
2116 2017-12-04  JF Bastien  <jfbastien@apple.com>
2117
2118         Math: don't redundantly check for exceptions, just release scope
2119         https://bugs.webkit.org/show_bug.cgi?id=180395
2120
2121         Rubber stamped by Mark Lam.
2122
2123         Two of the exceptions checks could just have been exception scope
2124         releases before the return, which is ever-so-slightly more
2125         efficient. The same technically applies where we have loops over
2126         parameters, but doing the scope release there isn't really more
2127         efficient and is way harder to read.
2128
2129         * runtime/MathObject.cpp:
2130         (JSC::mathProtoFuncATan2):
2131         (JSC::mathProtoFuncPow):
2132
2133 2017-12-04  David Quesada  <david_quesada@apple.com>
2134
2135         Add a class for parsing application manifests
2136         https://bugs.webkit.org/show_bug.cgi?id=177973
2137         rdar://problem/34747949
2138
2139         Reviewed by Geoffrey Garen.
2140
2141         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
2142
2143 2017-12-04  JF Bastien  <jfbastien@apple.com>
2144
2145         Update std::expected to match libc++ coding style
2146         https://bugs.webkit.org/show_bug.cgi?id=180264
2147
2148         Reviewed by Alex Christensen.
2149
2150         Update various uses of Expected.
2151
2152         * wasm/WasmModule.h:
2153         * wasm/WasmModuleParser.cpp:
2154         (JSC::Wasm::ModuleParser::parseImport):
2155         (JSC::Wasm::ModuleParser::parseTableHelper):
2156         (JSC::Wasm::ModuleParser::parseTable):
2157         (JSC::Wasm::ModuleParser::parseMemoryHelper):
2158         * wasm/WasmParser.h:
2159         * wasm/generateWasmValidateInlinesHeader.py:
2160         (loadMacro):
2161         (storeMacro):
2162         * wasm/js/JSWebAssemblyModule.cpp:
2163         (JSC::JSWebAssemblyModule::createStub):
2164         * wasm/js/JSWebAssemblyModule.h:
2165
2166 2017-12-04  Saam Barati  <sbarati@apple.com>
2167
2168         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2169         https://bugs.webkit.org/show_bug.cgi?id=180366
2170         <rdar://problem/35685877>
2171
2172         Reviewed by Michael Saboff.
2173
2174         On the TailCall slow path, the CallFrameShuffler will build the frame with
2175         respect to SP instead of FP. However, this may overwrite slots on the stack
2176         that are needed if the slow path C call does a stack walk. The slow path
2177         C call does a stack walk when it throws an exception. This patch fixes
2178         this bug by ensuring that the top of the stack in the FTL always has enough
2179         space to allow CallFrameShuffler to build a frame without overwriting any
2180         items on the stack that are needed when doing a stack walk.
2181
2182         * ftl/FTLLowerDFGToB3.cpp:
2183         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2184
2185 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
2186
2187         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
2188         https://bugs.webkit.org/show_bug.cgi?id=175166
2189         <rdar://problem/34040740>
2190
2191         Reviewed by Joseph Pecoraro.
2192
2193         * inspector/protocol/Recording.json:
2194         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
2195
2196         * inspector/JSGlobalObjectConsoleClient.h:
2197         * inspector/JSGlobalObjectConsoleClient.cpp:
2198         (Inspector::JSGlobalObjectConsoleClient::record):
2199         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
2200
2201         * runtime/ConsoleClient.h:
2202         * runtime/ConsoleObject.cpp:
2203         (JSC::ConsoleObject::finishCreation):
2204         (JSC::consoleProtoFuncRecord):
2205         (JSC::consoleProtoFuncRecordEnd):
2206
2207 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2208
2209         WTF shouldn't have both Thread and ThreadIdentifier
2210         https://bugs.webkit.org/show_bug.cgi?id=180308
2211
2212         Reviewed by Darin Adler.
2213
2214         * heap/MachineStackMarker.cpp:
2215         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2216         * llint/LLIntSlowPaths.cpp:
2217         (JSC::LLInt::llint_trace_operand):
2218         (JSC::LLInt::llint_trace_value):
2219         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2220         (JSC::LLInt::traceFunctionPrologue):
2221         * runtime/ExceptionScope.cpp:
2222         (JSC::ExceptionScope::unexpectedExceptionMessage):
2223         * runtime/JSLock.h:
2224         (JSC::JSLock::currentThreadIsHoldingLock):
2225         * runtime/VM.cpp:
2226         (JSC::VM::throwException):
2227         * runtime/VM.h:
2228         (JSC::VM::throwingThread const):
2229         (JSC::VM::clearException):
2230         * tools/HeapVerifier.cpp:
2231         (JSC::HeapVerifier::printVerificationHeader):
2232
2233 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
2234
2235         Rename DestroyFunc to avoid redefinition on unified build
2236         https://bugs.webkit.org/show_bug.cgi?id=180335
2237
2238         Reviewed by Filip Pizlo.
2239
2240         Changing DestroyFunc structures to more specific names to avoid
2241         conflicts on unified builds.
2242
2243         * heap/HeapCellType.cpp:
2244         (JSC::HeapCellType::finishSweep):
2245         (JSC::HeapCellType::destroy):
2246         * runtime/JSDestructibleObjectHeapCellType.cpp:
2247         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
2248         (JSC::JSDestructibleObjectHeapCellType::destroy):
2249         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2250         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
2251         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
2252         * runtime/JSStringHeapCellType.cpp:
2253         (JSC::JSStringHeapCellType::finishSweep):
2254         (JSC::JSStringHeapCellType::destroy):
2255         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2256         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
2257         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
2258
2259 2017-12-01  JF Bastien  <jfbastien@apple.com>
2260
2261         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2262         https://bugs.webkit.org/show_bug.cgi?id=180297
2263         <rdar://problem/35745556>
2264
2265         Reviewed by Mark Lam.
2266
2267         * runtime/MathObject.cpp:
2268         (JSC::mathProtoFuncATan2):
2269         (JSC::mathProtoFuncMax):
2270         (JSC::mathProtoFuncMin):
2271         (JSC::mathProtoFuncPow):
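
The two Math entries above (the missing exception checks in multi-argument Math functions, and the follow-up that turns redundant checks into scope releases) share one discipline: after every call that can run script, check for a pending exception before doing anything else. The following is an added example written for this page, not JSC's own code; VM, Value and toNumber are toy stand-ins (assumptions) for JSC's VM, JSValue and ToNumber, and the check mirrors the RETURN_IF_EXCEPTION pattern without reproducing JSC's ThrowScope machinery. It shows the observable difference: without the check, the engine keeps running script (the second valueOf) while an exception is already pending.

```cpp
#include <algorithm>
#include <cmath>
#include <functional>
#include <string>
#include <vector>

namespace exception_check_example {

// Toy stand-in for JSC's VM exception state (assumption for this example).
struct VM {
    bool exceptionPending = false;
    std::string message;
    void throwException(const std::string& m) { exceptionPending = true; message = m; }
};

// A value whose ToNumber may run script (a user valueOf) and therefore may throw.
struct Value {
    double number;
    std::function<void(VM&)> valueOf; // side effect or throw during conversion; may be empty
};

inline double toNumber(VM& vm, const Value& v)
{
    if (v.valueOf)
        v.valueOf(vm);
    return vm.exceptionPending ? NAN : v.number;
}

// Unsafe: keeps converting (and running script) after an exception is pending.
inline double maxWithoutChecks(VM& vm, const std::vector<Value>& args)
{
    double result = -INFINITY;
    for (const auto& a : args)
        result = std::max(result, toNumber(vm, a));
    return result;
}

// Safe: a RETURN_IF_EXCEPTION-style check after every call that can throw,
// so no further script runs once an exception is pending.
inline double maxWithChecks(VM& vm, const std::vector<Value>& args)
{
    double result = -INFINITY;
    for (const auto& a : args) {
        double n = toNumber(vm, a);
        if (vm.exceptionPending)
            return NAN; // propagate immediately; the caller checks the VM
        result = std::max(result, n);
    }
    return result;
}

// Scenario: the first argument throws; the second records whether it was still evaluated.
struct Outcome {
    bool exceptionSeen;
    int secondValueOfCalls;
    double result;
};

template<typename Fn>
Outcome run(Fn fn)
{
    VM vm;
    int calls = 0;
    std::vector<Value> args = {
        { 1.0, [](VM& v) { v.throwException("TypeError: boom"); } },
        { 2.0, [&calls](VM&) { ++calls; } },
    };
    double r = fn(vm, args);
    return { vm.exceptionPending, calls, r };
}

inline Outcome unsafeOutcome() { return run(maxWithoutChecks); } // second valueOf still runs
inline Outcome safeOutcome() { return run(maxWithChecks); }      // second valueOf never runs

} // namespace exception_check_example
```

In the real engine the "safe" shape is what the 12-01 fix restores; the later "release scope" change only applies to the final call before a return, where the caller's own check makes an extra one redundant.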
2272
2273 2017-12-01  Mark Lam  <mark.lam@apple.com>
2274
2275         Let's scramble ClassInfo pointers in cells.
2276         https://bugs.webkit.org/show_bug.cgi?id=180291
2277         <rdar://problem/35807620>
2278
2279         Reviewed by JF Bastien.
2280
2281         * API/JSCallbackObject.h:
2282         * API/JSObjectRef.cpp:
2283         (classInfoPrivate):
2284         * JavaScriptCore.xcodeproj/project.pbxproj:
2285         * Sources.txt:
2286         * assembler/MacroAssemblerCodeRef.cpp:
2287         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
2288         * assembler/MacroAssemblerCodeRef.h:
2289         (JSC::MacroAssemblerCodePtr:: const):
2290         (JSC::MacroAssemblerCodePtr::hash const):
2291         * dfg/DFGSpeculativeJIT.cpp:
2292         (JSC::DFG::SpeculativeJIT::checkArray):
2293         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2294         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2295         * ftl/FTLLowerDFGToB3.cpp:
2296         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2297         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2298         * jit/AssemblyHelpers.h:
2299         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2300         * jit/SpecializedThunkJIT.h:
2301         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2302         * runtime/InitializeThreading.cpp:
2303         (JSC::initializeThreading):
2304         * runtime/JSCScrambledPtr.cpp: Added.
2305         (JSC::initializeScrambledPtrKeys):
2306         * runtime/JSCScrambledPtr.h: Added.
2307         * runtime/JSDestructibleObject.h:
2308         (JSC::JSDestructibleObject::classInfo const):
2309         * runtime/JSSegmentedVariableObject.h:
2310         (JSC::JSSegmentedVariableObject::classInfo const):
2311         * runtime/Structure.h:
2312         * runtime/VM.h:
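
The entry above scrambles the ClassInfo pointer stored in each cell. The following is an added illustration of that hardening idea, not JSC's JSCScrambledPtr implementation: the stored word is the raw pointer XORed with a process-wide secret key, so a word read out of a cell (or written into one by a memory-corruption bug) does not reveal or substitute a usable pointer without the key. The key source, the ScrambledPtr wrapper and the Cell/ClassInfo structs are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstring>
#include <random>

namespace scrambled_example {

// Process-wide secret. Assumption for this example: chosen once at startup from
// the OS entropy source and never zero (a zero key would make scrambling a no-op).
inline uintptr_t scrambleKey()
{
    static const uintptr_t key = [] {
        std::random_device rd;
        std::mt19937_64 gen(rd());
        std::uniform_int_distribution<uintptr_t> dist(1, UINTPTR_MAX);
        return dist(gen);
    }();
    return key;
}

// Stores ptr ^ key instead of ptr. Null is scrambled too, so the stored word is
// never the plain pointer (not even zero for null).
template<typename T>
class ScrambledPtr {
public:
    explicit ScrambledPtr(T* ptr = nullptr)
        : m_scrambled(reinterpret_cast<uintptr_t>(ptr) ^ scrambleKey()) { }

    T* get() const { return reinterpret_cast<T*>(m_scrambled ^ scrambleKey()); }
    T* operator->() const { return get(); }
    uintptr_t scrambledBits() const { return m_scrambled; } // what is actually in memory

private:
    uintptr_t m_scrambled;
};

struct ClassInfo { const char* className; };

// A cell that keeps its ClassInfo pointer scrambled, as the entry describes.
struct Cell {
    explicit Cell(const ClassInfo* info) : classInfo(info) { }
    ScrambledPtr<const ClassInfo> classInfo;
};

const ClassInfo kObjectInfo = { "Object" };

// Descrambling yields the original pointer and its data.
inline bool roundTrips()
{
    Cell cell(&kObjectInfo);
    return cell.classInfo.get() == &kObjectInfo
        && std::strcmp(cell.classInfo->className, "Object") == 0;
}

// The word stored in the cell never equals the raw pointer value.
inline bool hidesPointer()
{
    Cell cell(&kObjectInfo);
    return cell.classInfo.scrambledBits() != reinterpret_cast<uintptr_t>(&kObjectInfo);
}

// Null round-trips as null even though its stored form is the (non-zero) key.
inline bool nullRoundTrips()
{
    ScrambledPtr<const ClassInfo> empty;
    return empty.get() == nullptr && empty.scrambledBits() != 0;
}

} // namespace scrambled_example
```

The protection depends on the key staying secret and on every read going through get(): code that compares or dereferences the stored word directly (including JIT-emitted loads, which is why the DFG and FTL files are in the change list) must be updated to descramble first.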
2313
2314 2017-12-01  Brian Burg  <bburg@apple.com>
2315
2316         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
2317         https://bugs.webkit.org/show_bug.cgi?id=173662
2318
2319         Reviewed by Joseph Pecoraro.
2320
2321         Adopt new type names. Fix protocol generator to use correct type names.
2322
2323         * inspector/ConsoleMessage.cpp:
2324         (Inspector::ConsoleMessage::addToFrontend):
2325         Improve namings and use 'auto' when the type is obvious and repeated.
2326
2327         * inspector/ContentSearchUtilities.cpp:
2328         (Inspector::ContentSearchUtilities::searchInTextByLines):
2329         * inspector/ContentSearchUtilities.h:
2330         * inspector/InjectedScript.cpp:
2331         (Inspector::InjectedScript::getProperties):
2332         (Inspector::InjectedScript::getDisplayableProperties):
2333         (Inspector::InjectedScript::getInternalProperties):
2334         (Inspector::InjectedScript::getCollectionEntries):
2335         (Inspector::InjectedScript::wrapCallFrames const):
2336         * inspector/InjectedScript.h:
2337         * inspector/InspectorProtocolTypes.h:
2338         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
2339         (Inspector::Protocol::Array::Array): Deleted.
2340         (Inspector::Protocol::Array::openAccessors): Deleted.
2341         (Inspector::Protocol::Array::addItem): Deleted.
2342         (Inspector::Protocol::Array::create): Deleted.
2343         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
2344         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
2345         Move the implementation out of this file.
2346
2347         * inspector/ScriptCallStack.cpp:
2348         (Inspector::ScriptCallStack::buildInspectorArray const):
2349         * inspector/ScriptCallStack.h:
2350         * inspector/agents/InspectorAgent.cpp:
2351         (Inspector::InspectorAgent::activateExtraDomain):
2352         (Inspector::InspectorAgent::activateExtraDomains):
2353         * inspector/agents/InspectorAgent.h:
2354         * inspector/agents/InspectorConsoleAgent.cpp:
2355         (Inspector::InspectorConsoleAgent::getLoggingChannels):
2356         * inspector/agents/InspectorConsoleAgent.h:
2357         * inspector/agents/InspectorDebuggerAgent.cpp:
2358         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2359         (Inspector::InspectorDebuggerAgent::searchInContent):
2360         (Inspector::InspectorDebuggerAgent::currentCallFrames):
2361         * inspector/agents/InspectorDebuggerAgent.h:
2362         * inspector/agents/InspectorRuntimeAgent.cpp:
2363         (Inspector::InspectorRuntimeAgent::getProperties):
2364         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2365         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2366         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2367         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2368         * inspector/agents/InspectorRuntimeAgent.h:
2369         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2370         (Inspector::buildSamples):
2371         Use more 'auto' and rename a variable.
2372
2373         * inspector/scripts/codegen/cpp_generator.py:
2374         (CppGenerator.cpp_protocol_type_for_type):
2375         Adopt new type names. This exposed a latent bug where we should have been
2376         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
2377         type may be an array, in which case we would have generated the wrong type.
2378
2379         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2380         (_generate_typedefs_for_domain.JSON):
2381         (_generate_typedefs_for_domain.Inspector): Deleted.
2382         * inspector/scripts/codegen/objc_generator.py:
2383         (ObjCGenerator.protocol_type_for_type):
2384         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2385         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2386         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2387         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2388         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2389         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2390         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2391         Rebaseline.
2392
2393         * runtime/TypeSet.cpp:
2394         (JSC::TypeSet::allStructureRepresentations const):
2395         (JSC::StructureShape::inspectorRepresentation):
2396         * runtime/TypeSet.h:
2397
2398 2017-12-01  Saam Barati  <sbarati@apple.com>
2399
2400         Having a bad time needs to handle ArrayClass indexing type as well
2401         https://bugs.webkit.org/show_bug.cgi?id=180274
2402         <rdar://problem/35667869>
2403
2404         Reviewed by Keith Miller and Mark Lam.
2405
2406         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
2407         Otherwise, we'll end up with the wrong Structure, which will lead us to not
2408         adhere to the spec. The bug was that we were not considering ArrayClass inside 
2409         hasBrokenIndexing. This patch rewrites that function to automatically opt
2410         in non-empty indexing types as broken, instead of having to opt out all
2411         non-empty indexing types besides SlowPutArrayStorage.
2412
2413         * runtime/IndexingType.h:
2414         (JSC::hasSlowPutArrayStorage):
2415         (JSC::shouldUseSlowPut):
2416         * runtime/JSGlobalObject.cpp:
2417         * runtime/JSObject.cpp:
2418         (JSC::JSObject::switchToSlowPutArrayStorage):
2419
2420 2017-12-01  JF Bastien  <jfbastien@apple.com>
2421
2422         WebAssembly: stack trace improvement follow-ups
2423         https://bugs.webkit.org/show_bug.cgi?id=180273
2424
2425         Reviewed by Saam Barati.
2426
2427         * wasm/WasmIndexOrName.cpp:
2428         (JSC::Wasm::makeString):
2429         * wasm/WasmIndexOrName.h:
2430         (JSC::Wasm::IndexOrName::nameSection const):
2431         * wasm/WasmNameSection.h:
2432         (JSC::Wasm::NameSection::NameSection):
2433         (JSC::Wasm::NameSection::get):
2434
2435 2017-12-01  JF Bastien  <jfbastien@apple.com>
2436
2437         WebAssembly: restore cached stack limit after out-call
2438         https://bugs.webkit.org/show_bug.cgi?id=179106
2439         <rdar://problem/35337525>
2440
2441         Reviewed by Saam Barati.
2442
2443         We cache the stack limit on the Instance so that we can do fast
2444         stack checks where required. In regular usage the stack limit
2445         never changes because we always run on the same thread, but in
2446         rare cases an API user can totally migrate which thread (and
2447         therefore stack) is used for execution between WebAssembly
2448         traces. For that reason we set the cached stack limit to
2449         UINTPTR_MAX on the outgoing Instance when transitioning back into
2450         a different Instance. We usually restore the cached stack limit in
2451         Context::store, but this wasn't called on all code paths. We had a
2452         bug where an Instance calling into itself indirectly would
2453         therefore fail to restore its cached stack limit properly.
2454
2455         This patch therefore restores the cached stack limit after direct
2456         calls which could be to imports (both wasm->wasm and
2457         wasm->embedder). We have to do all of them because we have no way
2458         of knowing what imports will do (they're known at instantiation
2459         time, not compilation time, and different instances can have
2460         different imports). To make this efficient we also add a pointer
2461         to the canonical location of the stack limit (i.e. the extra
2462         indirection we're trying to save by caching the stack limit on the
2463         Instance in the first place). This is potentially a small perf hit
2464         on imported direct calls.
2465
2466         It's hard to say what the performance cost will be because we
2467         haven't seen much code in the wild which does this. We're adding
2468         two dependent loads and a store of the loaded value, which is
2469         unlikely to get used soon after. It's more code, but on an
2470         out-of-order processor it doesn't contribute to the critical path.
2471
2472         * wasm/WasmB3IRGenerator.cpp:
2473         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2474         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2475         (JSC::Wasm::B3IRGenerator::addCall):
2476         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2477         * wasm/WasmInstance.cpp:
2478         (JSC::Wasm::Instance::Instance):
2479         (JSC::Wasm::Instance::create):
2480         * wasm/WasmInstance.h:
2481         (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
2482         (JSC::Wasm::Instance::cachedStackLimit const):
2483         (JSC::Wasm::Instance::setCachedStackLimit):
2484         * wasm/js/JSWebAssemblyInstance.cpp:
2485         (JSC::JSWebAssemblyInstance::create):
2486         * wasm/js/WebAssemblyFunction.cpp:
2487         (JSC::callWebAssemblyFunction):
2488
2489 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2490
2491         [JSC] Use JSFixedArray for op_new_array_buffer
2492         https://bugs.webkit.org/show_bug.cgi?id=180084
2493
2494         Reviewed by Saam Barati.
2495
2496         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
2497         But using JSFixedArray is better because:
2498
2499         1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
2500            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as JS constant.
2501
2502         2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
2503            has JSFixedArray, we can just emit a held JSFixedArray.
2504
2505         3. We can reduce length of op_new_array_buffer since JSFixedArray holds this.
2506
2507         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
2508
2509         5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
2510            DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
2511            will be introduced in [1].
2512
2513         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
2514
2515         * bytecode/BytecodeDumper.cpp:
2516         (JSC::BytecodeDumper<Block>::dumpBytecode):
2517         * bytecode/BytecodeList.json:
2518         * bytecode/BytecodeUseDef.h:
2519         (JSC::computeUsesForBytecodeOffset):
2520         * bytecode/CodeBlock.cpp:
2521         (JSC::CodeBlock::finishCreation):
2522         * bytecode/CodeBlock.h:
2523         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
2524         (JSC::CodeBlock::addConstantBuffer): Deleted.
2525         (JSC::CodeBlock::constantBufferAsVector): Deleted.
2526         (JSC::CodeBlock::constantBuffer): Deleted.
2527         * bytecode/UnlinkedCodeBlock.cpp:
2528         (JSC::UnlinkedCodeBlock::shrinkToFit):
2529         * bytecode/UnlinkedCodeBlock.h:
2530         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2531         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2532         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
2533         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2534         * bytecompiler/BytecodeGenerator.cpp:
2535         (JSC::BytecodeGenerator::emitNewArray):
2536         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
2537         * bytecompiler/BytecodeGenerator.h:
2538         * dfg/DFGByteCodeParser.cpp:
2539         (JSC::DFG::ByteCodeParser::parseBlock):
2540         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2541         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
2542         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
2543         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
2544         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
2545         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
2546         (JSC::DFG::ConstantBufferKey::index const): Deleted.
2547         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
2548         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
2549         * dfg/DFGClobberize.h:
2550         (JSC::DFG::clobberize):
2551         * dfg/DFGGraph.cpp:
2552         (JSC::DFG::Graph::dump):
2553         * dfg/DFGGraph.h:
2554         * dfg/DFGNode.h:
2555         (JSC::DFG::Node::hasNewArrayBufferData):
2556         (JSC::DFG::Node::newArrayBufferData):
2557         (JSC::DFG::Node::hasVectorLengthHint):
2558         (JSC::DFG::Node::vectorLengthHint):
2559         (JSC::DFG::Node::indexingType):
2560         (JSC::DFG::Node::hasCellOperand):
2561         (JSC::DFG::Node::OpInfoWrapper::operator=):
2562         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
2563         (JSC::DFG::Node::hasConstantBuffer): Deleted.
2564         (JSC::DFG::Node::startConstant): Deleted.
2565         (JSC::DFG::Node::numConstants): Deleted.
2566         * dfg/DFGOperations.cpp:
2567         * dfg/DFGOperations.h:
2568         * dfg/DFGSpeculativeJIT.h:
2569         (JSC::DFG::SpeculativeJIT::callOperation):
2570         * dfg/DFGSpeculativeJIT32_64.cpp:
2571         (JSC::DFG::SpeculativeJIT::compile):
2572         * dfg/DFGSpeculativeJIT64.cpp:
2573         (JSC::DFG::SpeculativeJIT::compile):
2574         * ftl/FTLLowerDFGToB3.cpp:
2575         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2576         * jit/JIT.cpp:
2577         (JSC::JIT::privateCompileMainPass):
2578         * jit/JIT.h:
2579         * jit/JITOpcodes.cpp:
2580         (JSC::JIT::emit_op_new_array_buffer): Deleted.
2581         * jit/JITOperations.cpp:
2582         * jit/JITOperations.h:
2583         * llint/LLIntSlowPaths.cpp:
2584         * llint/LLIntSlowPaths.h:
2585         * llint/LowLevelInterpreter.asm:
2586         * runtime/CommonSlowPaths.cpp:
2587         (JSC::SLOW_PATH_DECL):
2588         * runtime/CommonSlowPaths.h:
2589         * runtime/JSFixedArray.cpp:
2590         (JSC::JSFixedArray::dumpToStream):
2591         * runtime/JSFixedArray.h:
2592         (JSC::JSFixedArray::create):
2593         (JSC::JSFixedArray::get const):
2594         (JSC::JSFixedArray::set):
2595         (JSC::JSFixedArray::buffer const):
2596         (JSC::JSFixedArray::values const):
2597         (JSC::JSFixedArray::length const):
2598         (JSC::JSFixedArray::get): Deleted.
2599
2600 2017-11-30  JF Bastien  <jfbastien@apple.com>
2601
2602         WebAssembly: improve stack trace
2603         https://bugs.webkit.org/show_bug.cgi?id=179343
2604
2605         Reviewed by Saam Barati.
2606
2607         Stack traces now include:
2608
2609           - Module name, if provided by the name section.
2610           - Module SHA1 hash if no name was provided
2611           - Stub identification, to differentiate from user code
2612           - Slightly different naming to match design from:
2613               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
2614
2615         * interpreter/StackVisitor.cpp:
2616         (JSC::StackVisitor::Frame::functionName const):
2617         * runtime/StackFrame.cpp:
2618         (JSC::StackFrame::functionName const):
2619         (JSC::StackFrame::visitChildren):
2620         * wasm/WasmIndexOrName.cpp:
2621         (JSC::Wasm::IndexOrName::IndexOrName):
2622         (JSC::Wasm::makeString):
2623         * wasm/WasmIndexOrName.h:
2624         (JSC::Wasm::IndexOrName::nameSection const):
2625         * wasm/WasmModuleInformation.cpp:
2626         (JSC::Wasm::ModuleInformation::ModuleInformation):
2627         * wasm/WasmModuleInformation.h:
2628         * wasm/WasmNameSection.h:
2629         (JSC::Wasm::NameSection::NameSection):
2630         (JSC::Wasm::NameSection::get):
2631         * wasm/WasmNameSectionParser.cpp:
2632         (JSC::Wasm::NameSectionParser::parse):
2633
2634 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
2635
2636         Make LegacyCustomProtocolManager optional for network process
2637         https://bugs.webkit.org/show_bug.cgi?id=176230
2638
2639         Reviewed by Alex Christensen.
2640
2641         * Configurations/FeatureDefines.xcconfig:
2642
2643 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2644
2645         [JSC] Remove easy toRemove & map.remove() use in OAS phase
2646         https://bugs.webkit.org/show_bug.cgi?id=180208
2647
2648         Reviewed by Mark Lam.
2649
2650         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
2651         to optimize this common pattern. This patch only modifies apparent ones.
2652         But we can apply this refactoring further to the OAS phase in the future.
2653
2654         One thing we should be careful about is that the predicate of removeIf should not touch the
2655         set it is removing from. In this patch, we apply this change to (1) apparently
2656         correct ones and (2) things in the DFG OAS phase since it is very slow.
2657
2658         * b3/B3MoveConstants.cpp:
2659         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2660
2661 2017-11-30  Commit Queue  <commit-queue@webkit.org>
2662
2663         Unreviewed, rolling out r225362.
2664         https://bugs.webkit.org/show_bug.cgi?id=180225
2665
2666         removeIf predicate function can touch remove target set
2667         (Requested by yusukesuzuki on #webkit).
2668
2669         Reverted changeset:
2670
2671         "[JSC] Remove easy toRemove & map.remove() use"
2672         https://bugs.webkit.org/show_bug.cgi?id=180208
2673         https://trac.webkit.org/changeset/225362
2674
2675 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2676
2677         [JSC] Use AllocatorIfExists for MaterializeNewObject
2678         https://bugs.webkit.org/show_bug.cgi?id=180189
2679
2680         Reviewed by Filip Pizlo.
2681
2682         I don't think anyone guarantees this allocator exists at this phase.
2683         And a nullptr allocator just works here. We change AllocatorForMode
2684         to AllocatorIfExists to accept nullptr for the allocator.
2685
2686         * ftl/FTLLowerDFGToB3.cpp:
2687         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2688
2689 2017-11-30  Mark Lam  <mark.lam@apple.com>
2690
2691         Let's scramble MacroAssemblerCodePtr values.
2692         https://bugs.webkit.org/show_bug.cgi?id=180169
2693         <rdar://problem/35758340>
2694
2695         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
2696
2697         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
2698
2699         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
2700            template argument type that will be used to cast the result.  This makes the
2701            client code that uses these functions a little less verbose.
2702
2703         3. Change the code base in general to minimize passing void* code pointers around.
2704            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
2705            at the last moment when we need the underlying code pointer.
2706
2707         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
2708            default.  I'm leaving them in because they are instrumental in finding bugs
2709            where not all MacroAssemblerCodePtr values were scrambled as expected.
2710            I expect them to be useful in the near future as we add more scrambling.
2711
2712         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
2713            explicit casts to a boolean).  This ensures that clients will always explicitly
2714            use scrambledBits() or executableAddress() to get a value based on which value
2715            they actually need.
2716
2717         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
2718            This was helpful when debugging tests that ran multiple VMs concurrently on
2719            different threads.
2720
2721         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
2722         CLoop).  It is not yet supported in 32-bit and Windows because we don't
2723         currently have a way to read a global variable from their LLInt code.
2724
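        The scheme in items 1, 2 and 5 above, as an added example in the spirit of the change rather than WebKit's own ScrambledPtr or MacroAssemblerCodePtr code: the key variable, the class and the helper names (g_codePtrKey, ScrambledCodePtr, callThroughScrambledPtr, nullRoundTrips) are assumptions constructed for this illustration, and XOR with a process-wide secret key is the scrambling assumed here.

```cpp
#include <cassert>
#include <cstdint>
#include <random>
#include <type_traits>

// Constructed illustration of the scheme described above, not WebKit's own
// ScrambledPtr or MacroAssemblerCodePtr: only an XOR-scrambled form of a code
// address is kept in memory, and it is descrambled at the point of use.

// Process-wide secret, assumed to be chosen once at startup (hypothetical name).
static uintptr_t g_codePtrKey = 0;

static void initializeCodePtrKey()
{
    // A production runtime would draw the key from a cryptographic RNG;
    // std::random_device stands in so the example runs stand-alone.
    std::random_device rd;
    uint64_t key = (static_cast<uint64_t>(rd()) << 32) ^ rd();
    key |= 1; // a zero key would store the raw pointer unchanged
    g_codePtrKey = static_cast<uintptr_t>(key);
}

static void ensureKey()
{
    if (!g_codePtrKey)
        initializeCodePtrKey();
}

class ScrambledCodePtr {
public:
    ScrambledCodePtr() = default;

    // Accepts data or function pointers; the raw address is never stored.
    template<typename T>
    static ScrambledCodePtr createFromExecutableAddress(T address)
    {
        static_assert(std::is_pointer<T>::value, "expected a pointer");
        assert(g_codePtrKey && "key must be set before scrambling");
        ScrambledCodePtr result;
        uintptr_t raw = reinterpret_cast<uintptr_t>(address);
        // Null stays 0 so it compares equal to a default-constructed value.
        result.m_scrambledBits = raw ? (raw ^ g_codePtrKey) : 0;
        return result;
    }

    // Descramble only when the address is really needed; the template argument
    // casts the result so callers need no reinterpret_cast of their own.
    template<typename T = void*>
    T executableAddress() const
    {
        static_assert(std::is_pointer<T>::value, "expected a pointer type");
        assert(g_codePtrKey);
        uintptr_t raw = m_scrambledBits ? (m_scrambledBits ^ g_codePtrKey) : 0;
        return reinterpret_cast<T>(raw);
    }

    // The scrambled representation itself, e.g. for hashing.
    uintptr_t scrambledBits() const { return m_scrambledBits; }

    // No implicit conversion to a raw pointer: only an explicit boolean test.
    explicit operator bool() const { return m_scrambledBits != 0; }
    bool operator!() const { return !m_scrambledBits; }
    bool operator==(const ScrambledCodePtr& other) const { return m_scrambledBits == other.m_scrambledBits; }

private:
    uintptr_t m_scrambledBits { 0 };
};

// Stand-in for a JIT-generated entry point.
static int doubleIt(int x) { return x * 2; }

// Stores the entry point scrambled, checks (in the spirit of the paranoid
// asserts above) that the stored bits differ from the raw address, then calls through it.
int callThroughScrambledPtr(int argument)
{
    ensureKey();
    ScrambledCodePtr entry = ScrambledCodePtr::createFromExecutableAddress(&doubleIt);
    assert(entry.scrambledBits() != reinterpret_cast<uintptr_t>(&doubleIt));
    auto fn = entry.executableAddress<int (*)(int)>();
    return fn(argument);
}

// The in-memory representation must differ from the raw address.
bool scrambledBitsDifferFromRaw()
{
    ensureKey();
    ScrambledCodePtr entry = ScrambledCodePtr::createFromExecutableAddress(&doubleIt);
    return entry.scrambledBits() != reinterpret_cast<uintptr_t>(&doubleIt);
}

// A null code pointer must round-trip to null and test false.
bool nullRoundTrips()
{
    ensureKey();
    ScrambledCodePtr empty = ScrambledCodePtr::createFromExecutableAddress(static_cast<void*>(nullptr));
    return !empty && empty.executableAddress<void*>() == nullptr && empty == ScrambledCodePtr();
}
```
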
2725         * assembler/AbstractMacroAssembler.h:
2726         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2727         (JSC::AbstractMacroAssembler::linkPointer):
2728         * assembler/CodeLocation.h:
2729         (JSC::CodeLocationCommon::instructionAtOffset):
2730         (JSC::CodeLocationCommon::labelAtOffset):
2731         (JSC::CodeLocationCommon::jumpAtOffset):
2732         (JSC::CodeLocationCommon::callAtOffset):
2733         (JSC::CodeLocationCommon::nearCallAtOffset):
2734         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
2735         (JSC::CodeLocationCommon::dataLabel32AtOffset):
2736         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
2737         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2738         * assembler/LinkBuffer.cpp:
2739         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2740         * assembler/LinkBuffer.h:
2741         (JSC::LinkBuffer::link):
2742         (JSC::LinkBuffer::patch):
2743         * assembler/MacroAssemblerCodeRef.cpp:
2744         (JSC::MacroAssemblerCodePtr::initialize):
2745         * assembler/MacroAssemblerCodeRef.h:
2746         (JSC::FunctionPtr::FunctionPtr):
2747         (JSC::FunctionPtr::value const):
2748         (JSC::FunctionPtr::executableAddress const):
2749         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2750         (JSC::ReturnAddressPtr::value const):
2751         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2752         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2753         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2754         (JSC::MacroAssemblerCodePtr:: const):
2755         (JSC::MacroAssemblerCodePtr::operator! const):
2756         (JSC::MacroAssemblerCodePtr::operator bool const):
2757         (JSC::MacroAssemblerCodePtr::operator== const):
2758         (JSC::MacroAssemblerCodePtr::hash const):
2759         (JSC::MacroAssemblerCodePtr::emptyValue):
2760         (JSC::MacroAssemblerCodePtr::deletedValue):
2761         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
2762         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
2763         * b3/B3LowerMacros.cpp:
2764         * b3/testb3.cpp:
2765         (JSC::B3::testInterpreter):
2766         * dfg/DFGDisassembler.cpp:
2767         (JSC::DFG::Disassembler::dumpDisassembly):
2768         * dfg/DFGJITCompiler.cpp:
2769         (JSC::DFG::JITCompiler::link):
2770         (JSC::DFG::JITCompiler::compileFunction):
2771         * dfg/DFGOperations.cpp:
2772         * dfg/DFGSpeculativeJIT.cpp:
2773         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2774         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2775         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2776         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2777         * dfg/DFGSpeculativeJIT.h:
2778         * disassembler/Disassembler.cpp:
2779         (JSC::disassemble):
2780         * disassembler/UDis86Disassembler.cpp:
2781         (JSC::tryToDisassembleWithUDis86):
2782         * ftl/FTLCompile.cpp:
2783         (JSC::FTL::compile):
2784         * ftl/FTLJITCode.cpp:
2785         (JSC::FTL::JITCode::executableAddressAtOffset):
2786         * ftl/FTLLink.cpp:
2787         (JSC::FTL::link):
2788         * ftl/FTLLowerDFGToB3.cpp:
2789         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
2790         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2791         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2792         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2793         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2794         * interpreter/InterpreterInlines.h:
2795         (JSC::Interpreter::getOpcodeID):
2796         * jit/JITArithmetic.cpp:
2797         (JSC::JIT::emitMathICFast):
2798         (JSC::JIT::emitMathICSlow):
2799         * jit/JITCode.cpp:
2800         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2801         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
2802         (JSC::JITCodeWithCodeRef::offsetOf):
2803         * jit/JITDisassembler.cpp:
2804         (JSC::JITDisassembler::dumpDisassembly):
2805         * jit/PCToCodeOriginMap.cpp:
2806         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2807         * jit/Repatch.cpp:
2808         (JSC::ftlThunkAwareRepatchCall):
2809         * jit/ThunkGenerators.cpp:
2810         (JSC::virtualThunkFor):
2811         (JSC::boundThisNoArgsFunctionCallGenerator):
2812         * llint/LLIntSlowPaths.cpp:
2813         (JSC::LLInt::llint_trace_operand):
2814         (JSC::LLInt::llint_trace_value):
2815         (JSC::LLInt::handleHostCall):
2816         (JSC::LLInt::setUpCall):
2817         * llint/LowLevelInterpreter64.asm:
2818         * offlineasm/cloop.rb:
2819         * runtime/InitializeThreading.cpp:
2820         (JSC::initializeThreading):
2821         * wasm/WasmBBQPlan.cpp:
2822         (JSC::Wasm::BBQPlan::complete):
2823         * wasm/WasmCallee.h:
2824         (JSC::Wasm::Callee::entrypoint const):
2825         * wasm/WasmCodeBlock.cpp:
2826         (JSC::Wasm::CodeBlock::CodeBlock):
2827         * wasm/WasmOMGPlan.cpp:
2828         (JSC::Wasm::OMGPlan::work):
2829         * wasm/js/WasmToJS.cpp:
2830         (JSC::Wasm::wasmToJS):
2831         * wasm/js/WebAssemblyFunction.cpp:
2832         (JSC::callWebAssemblyFunction):
2833         * wasm/js/WebAssemblyFunction.h:
2834         * wasm/js/WebAssemblyWrapperFunction.cpp:
2835         (JSC::WebAssemblyWrapperFunction::create):
2836
2837 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2838
2839         [JSC] Remove easy toRemove & map.remove() use
2840         https://bugs.webkit.org/show_bug.cgi?id=180208
2841
2842         Reviewed by Mark Lam.
2843
2844         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
2845         to optimize this common pattern. This patch only modifies apparent ones.
2846         But we can apply this refactoring further to the OAS phase in the future.
2847
2848         * b3/B3MoveConstants.cpp:
2849         * dfg/DFGArgumentsEliminationPhase.cpp:
2850         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2851         * wasm/WasmSignature.cpp:
2852         (JSC::Wasm::SignatureInformation::tryCleanup):
2853
2854 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2855
2856         [JSC] Use getEffectiveAddress more in JSC
2857         https://bugs.webkit.org/show_bug.cgi?id=180154
2858
2859         Reviewed by Mark Lam.
2860
2861         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
2862         And we also add MacroAssembler::negPtr(src, dest) variation.
2863
2864         * assembler/MacroAssembler.h:
2865         (JSC::MacroAssembler::negPtr):
2866         * assembler/MacroAssemblerARM.h:
2867         (JSC::MacroAssemblerARM::neg32):
2868         * assembler/MacroAssemblerARM64.h:
2869         (JSC::MacroAssemblerARM64::neg32):
2870         (JSC::MacroAssemblerARM64::neg64):
2871         * assembler/MacroAssemblerARMv7.h:
2872         (JSC::MacroAssemblerARMv7::neg32):
2873         * assembler/MacroAssemblerMIPS.h:
2874         (JSC::MacroAssemblerMIPS::neg32):
2875         * assembler/MacroAssemblerX86Common.h:
2876         (JSC::MacroAssemblerX86Common::neg32):
2877         * assembler/MacroAssemblerX86_64.h:
2878         (JSC::MacroAssemblerX86_64::neg64):
2879         * dfg/DFGThunks.cpp:
2880         (JSC::DFG::osrEntryThunkGenerator):
2881         * ftl/FTLLowerDFGToB3.cpp:
2882         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2883         * jit/SetupVarargsFrame.cpp:
2884         (JSC::emitSetVarargsFrame):
2885
2886 2017-11-30  Mark Lam  <mark.lam@apple.com>
2887
2888         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2889         https://bugs.webkit.org/show_bug.cgi?id=180219
2890         <rdar://problem/35696536>
2891
2892         Reviewed by Filip Pizlo.
2893
2894         * jsc.cpp:
2895         (functionFlashHeapAccess):
2896
2897 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2898
2899         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2900         https://bugs.webkit.org/show_bug.cgi?id=180190
2901
2902         Reviewed by Mark Lam.
2903
2904         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
2905         path by calling operationHasIndexedProperty. The problem is that
2906         operationHasIndexedProperty does not account for a negative index. The negative index
2907         was used as a uint32 array index.
2908
2909         In this patch we add a path for negative indices in operationHasIndexedProperty.
2910         And rename it to operationHasIndexedPropertyByInt to make the intention clear.
2911         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
2912         since it is only used in DFG and FTL.
2913
2914         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
2915         This causes repeated OSR exit and significantly regresses the performance. We opened
2916         a bug to track this issue [1].
2917
2918         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
2919
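        The negative-index bug above, as an added example in a constructed toy model (not JSC's object model or its operation code): ToyObject, hasIndexedPropertyBuggy and hasIndexedPropertyByInt are illustrative names, with the "Buggy" variant reproducing the uint32 cast and the "ByInt" variant the fix.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Constructed toy model of the bug described above, not JSC's object model:
// an object has dense indexed storage plus named properties, and the slow
// path asks "does this object have property `index`?" for an int32 index.

struct ToyObject {
    std::vector<bool> indexedStorage;            // indexedStorage[i] == true: index i is present
    std::map<std::string, bool> namedProperties; // properties keyed by string, e.g. "-1"
};

// Lookup by an unsigned array index: checks the dense storage first, then the
// named properties under the canonical decimal spelling of the index.
bool hasIndexedPropertyByUint(const ToyObject& object, uint32_t index)
{
    if (index < object.indexedStorage.size() && object.indexedStorage[index])
        return true;
    return object.namedProperties.count(std::to_string(index)) != 0;
}

// Before the fix: the int32 index is passed straight through, so -1 becomes
// 4294967295 and the lookup checks the wrong key ("4294967295" instead of "-1").
bool hasIndexedPropertyBuggy(const ToyObject& object, int32_t index)
{
    return hasIndexedPropertyByUint(object, static_cast<uint32_t>(index));
}

// After the fix (modelled on the ByInt rename above): a negative index is not
// an array index at all, so it is looked up as the string property "-N".
bool hasIndexedPropertyByInt(const ToyObject& object, int32_t index)
{
    if (index < 0)
        return object.namedProperties.count(std::to_string(index)) != 0;
    return hasIndexedPropertyByUint(object, static_cast<uint32_t>(index));
}

// Constructed sample object: indices 0 and 1 present, plus a "-1" named property.
ToyObject makeSampleObject()
{
    ToyObject object;
    object.indexedStorage = { true, true };
    object.namedProperties["-1"] = true;
    return object;
}
```
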
2920         * dfg/DFGOperations.cpp:
2921         * dfg/DFGOperations.h:
2922         * dfg/DFGSpeculativeJIT32_64.cpp:
2923         (JSC::DFG::SpeculativeJIT::compile):
2924         * dfg/DFGSpeculativeJIT64.cpp:
2925         (JSC::DFG::SpeculativeJIT::compile):
2926         * ftl/FTLLowerDFGToB3.cpp:
2927         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2928         * jit/JITOperations.cpp:
2929         * jit/JITOperations.h:
2930
2931 2017-11-30  Michael Saboff  <msaboff@apple.com>
2932
2933         Allow JSC command line tool to accept UTF8
2934         https://bugs.webkit.org/show_bug.cgi?id=180205
2935
2936         Reviewed by Keith Miller.
2937
2938         This unifies the UTF8 handling of interactive mode with that of source files.
2939
2940         * jsc.cpp:
2941         (runInteractive):
2942
2943 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2944
2945         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
2946         https://bugs.webkit.org/show_bug.cgi?id=180185
2947
2948         Reviewed by Carlos Garcia Campos.
2949
2950         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
2951         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
2952         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
2953         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
2954         DFG node can be emitted if we see that an untaken path includes String + String code.
2955
2956         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
2957         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
2958         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
2959         original code used before r225314.
2960
2961         * dfg/DFGSpeculativeJIT.cpp:
2962         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2963         * ftl/FTLLowerDFGToB3.cpp:
2964         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2965
2966 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
2967
2968         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
2969         https://bugs.webkit.org/show_bug.cgi?id=180108
2970
2971         Reviewed by Saam Barati.
2972         
2973         This was creating a vector of things to remove and then removing them. I think I remember writing
2974         this code, and I did that because at the time we did not have removeAllMatching, which is
2975         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
2976         obvious improvement before I did more fundamental things to this code.
2977
2978         * heap/CodeBlockSet.cpp:
2979         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2980
2981 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
2982
2983         GC should support isoheaps
2984         https://bugs.webkit.org/show_bug.cgi?id=179288
2985
2986         Reviewed by Saam Barati.
2987         
2988         This expands the power of the Subspace API in JSC:
2989         
2990         - Everything associated with describing the types of objects is now part of the HeapCellType class.
2991           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
2992           HeapCellType; these are orthogonal things.
2993         
2994         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
2995           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
2996           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
2997           pages but releases the physical pages as part of the respective allocator's scavenging policy
2998           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
2999           IsoSubspace).
3000         
3001         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
3002         for more things.
3003         
3004         This does not have any effect on JetStream (0.18% faster with p = 0.69).
3005
3006         * JavaScriptCore.xcodeproj/project.pbxproj:
3007         * Sources.txt:
3008         * bytecode/AccessCase.cpp:
3009         (JSC::AccessCase::generateImpl):
3010         * bytecode/ObjectAllocationProfileInlines.h:
3011         (JSC::ObjectAllocationProfile::initializeProfile):
3012         * dfg/DFGSpeculativeJIT.cpp:
3013         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3014         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3015         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3016         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3017         * dfg/DFGSpeculativeJIT64.cpp:
3018         (JSC::DFG::SpeculativeJIT::compile):
3019         * ftl/FTLAbstractHeapRepository.h:
3020         * ftl/FTLLowerDFGToB3.cpp:
3021         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3022         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3023         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3024         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3025         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3026         * heap/AlignedMemoryAllocator.cpp:
3027         (JSC::AlignedMemoryAllocator::registerAllocator):
3028         (JSC::AlignedMemoryAllocator::registerSubspace):
3029         * heap/AlignedMemoryAllocator.h:
3030         (JSC::AlignedMemoryAllocator::firstAllocator const):
3031         * heap/AllocationFailureMode.h: Added.
3032         * heap/CompleteSubspace.cpp: Added.
3033         (JSC::CompleteSubspace::CompleteSubspace):
3034         (JSC::CompleteSubspace::~CompleteSubspace):
3035         (JSC::CompleteSubspace::allocatorFor):
3036         (JSC::CompleteSubspace::allocate):
3037         (JSC::CompleteSubspace::allocateNonVirtual):
3038         (JSC::CompleteSubspace::allocatorForSlow):
3039         (JSC::CompleteSubspace::allocateSlow):
3040         (JSC::CompleteSubspace::tryAllocateSlow):
3041         * heap/CompleteSubspace.h: Added.
3042         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
3043         (JSC::CompleteSubspace::allocatorForSizeStep):
3044         (JSC::CompleteSubspace::allocatorForNonVirtual):
3045         * heap/HeapCellType.cpp: Added.
3046         (JSC::HeapCellType::HeapCellType):
3047         (JSC::HeapCellType::~HeapCellType):
3048         (JSC::HeapCellType::finishSweep):
3049         (JSC::HeapCellType::destroy):
3050         * heap/HeapCellType.h: Added.
3051         (JSC::HeapCellType::attributes const):
3052         * heap/IsoAlignedMemoryAllocator.cpp: Added.
3053         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
3054         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3055         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3056         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3057         (JSC::IsoAlignedMemoryAllocator::dump const):
3058         * heap/IsoAlignedMemoryAllocator.h: Added.
3059         * heap/IsoSubspace.cpp: Added.
3060         (JSC::IsoSubspace::IsoSubspace):
3061         (JSC::IsoSubspace::~IsoSubspace):
3062         (JSC::IsoSubspace::allocatorFor):
3063         (JSC::IsoSubspace::allocatorForNonVirtual):
3064         (JSC::IsoSubspace::allocate):
3065         (JSC::IsoSubspace::allocateNonVirtual):
3066         * heap/IsoSubspace.h: Added.
3067         (JSC::IsoSubspace::size const):
3068         * heap/MarkedAllocator.cpp:
3069         (JSC::MarkedAllocator::MarkedAllocator):
3070         (JSC::MarkedAllocator::setSubspace):
3071         (JSC::MarkedAllocator::allocateSlowCase):
3072         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3073         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3074         * heap/MarkedAllocator.h:
3075         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
3076         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
3077         * heap/MarkedAllocatorInlines.h:
3078         (JSC::MarkedAllocator::allocate):
3079         (JSC::MarkedAllocator::tryAllocate): Deleted.
3080         * heap/MarkedBlock.h:
3081         * heap/MarkedBlockInlines.h:
3082         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
3083         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
3084         * heap/MarkedSpace.cpp:
3085         (JSC::MarkedSpace::addMarkedAllocator):
3086         * heap/MarkedSpace.h:
3087         * heap/Subspace.cpp:
3088         (JSC::Subspace::Subspace):
3089         (JSC::Subspace::initialize):
3090         (JSC::Subspace::finishSweep):
3091         (JSC::Subspace::destroy):
3092         (JSC::Subspace::prepareForAllocation):
3093         (JSC::Subspace::findEmptyBlockToSteal):
3094         (): Deleted.
3095         (JSC::Subspace::allocate): Deleted.
3096         (JSC::Subspace::tryAllocate): Deleted.
3097         (JSC::Subspace::allocatorForSlow): Deleted.
3098         (JSC::Subspace::allocateSlow): Deleted.
3099         (JSC::Subspace::tryAllocateSlow): Deleted.
3100         (JSC::Subspace::didAllocate): Deleted.
3101         * heap/Subspace.h:
3102         (JSC::Subspace::heapCellType const):
3103         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
3104         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
3105         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
3106         (JSC::Subspace::allocatorForSizeStep): Deleted.
3107         (JSC::Subspace::tryAllocatorFor): Deleted.
3108         (JSC::Subspace::allocatorFor): Deleted.
3109         * jit/AssemblyHelpers.h:
3110         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3111         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3112         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3113         * jit/JITOpcodes.cpp:
3114         (JSC::JIT::emit_op_new_object):
3115         * runtime/ButterflyInlines.h:
3116         (JSC::Butterfly::createUninitialized):
3117         (JSC::Butterfly::tryCreate):
3118         (JSC::Butterfly::growArrayRight):
3119         * runtime/DirectArguments.cpp:
3120         (JSC::DirectArguments::overrideThings):
3121         * runtime/DirectArguments.h:
3122         (JSC::DirectArguments::subspaceFor):
3123         * runtime/DirectEvalExecutable.h:
3124         * runtime/EvalExecutable.h:
3125         * runtime/ExecutableBase.h:
3126         (JSC::ExecutableBase::subspaceFor):
3127         * runtime/FunctionExecutable.h:
3128         * runtime/GenericArgumentsInlines.h:
3129         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3130         * runtime/HashMapImpl.h:
3131         (JSC::HashMapBuffer::create):
3132         * runtime/IndirectEvalExecutable.h:
3133         * runtime/JSArray.cpp:
3134         (JSC::JSArray::tryCreateUninitializedRestricted):
3135         (JSC::JSArray::unshiftCountSlowCase):
3136         * runtime/JSArray.h:
3137         (JSC::JSArray::tryCreate):
3138         * runtime/JSArrayBufferView.cpp:
3139         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3140         * runtime/JSCell.h:
3141         (JSC::subspaceFor):
3142         * runtime/JSCellInlines.h:
3143         (JSC::JSCell::subspaceFor):
3144         (JSC::tryAllocateCellHelper):
3145         (JSC::allocateCell):
3146         (JSC::tryAllocateCell):
3147         * runtime/JSDestructibleObject.h:
3148         (JSC::JSDestructibleObject::subspaceFor):
3149         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
3150         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3151         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
3152         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3153         (JSC::JSDestructibleObjectHeapCellType::destroy):
3154         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
3155         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
3156         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
3157         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
3158         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
3159         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
3160         * runtime/JSDestructibleObjectSubspace.h: Removed.
3161         * runtime/JSLexicalEnvironment.h:
3162         (JSC::JSLexicalEnvironment::subspaceFor):
3163         * runtime/JSSegmentedVariableObject.h:
3164         (JSC::JSSegmentedVariableObject::subspaceFor):
3165         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
3166         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3167         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
3168         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3169         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3170         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
3171         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
3172         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
3173         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
3174         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
3175         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
3176         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
3177         * runtime/JSString.h:
3178         (JSC::JSString::subspaceFor):
3179         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
3180         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3181         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
3182         (JSC::JSStringHeapCellType::finishSweep):
3183         (JSC::JSStringHeapCellType::destroy):
3184         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
3185         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
3186         (JSC::JSStringSubspace::finishSweep): Deleted.
3187         (JSC::JSStringSubspace::destroy): Deleted.
3188         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
3189         * runtime/JSStringSubspace.cpp: Removed.
3190         * runtime/JSStringSubspace.h: Removed.
3191         * runtime/ModuleProgramExecutable.h:
3192         * runtime/NativeExecutable.h:
3193         * runtime/ProgramExecutable.h:
3194         * runtime/RegExpMatchesArray.h:
3195         (JSC::tryCreateUninitializedRegExpMatchesArray):
3196         * runtime/ScopedArguments.h:
3197         (JSC::ScopedArguments::subspaceFor):
3198         * runtime/VM.cpp:
3199         (JSC::VM::VM):
3200         * runtime/VM.h:
3201         (JSC::VM::gigacageAuxiliarySpace):
3202         * wasm/js/JSWebAssemblyCodeBlock.h:
3203         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
3204         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3205         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
3206         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3207         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3208         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
3209         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
3210         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
3211         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
3212         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
3213         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
3214         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
3215         * wasm/js/JSWebAssemblyMemory.h:
3216         (JSC::JSWebAssemblyMemory::subspaceFor):
3217
3218 2017-11-29  Saam Barati  <sbarati@apple.com>
3219
3220         Remove pointer caging for double arrays
3221         https://bugs.webkit.org/show_bug.cgi?id=180163
3222
3223         Reviewed by Mark Lam.
3224
3225         This patch removes pointer caging from double arrays. Like
3226         my previous removals of pointer caging, this is a security vs
3227         performance tradeoff. We believe that butterflies being allocated
3228         in the cage and with a 32GB runway gives us enough security that
3229         pointer caging the butterfly just for double arrays does not add
3230         enough security benefit for the performance hit it incurs.
3231         
3232         This patch also removes the GetButterflyWithoutCaging node and
3233         the FixedButterflyAccessUncaging phase. The node is no longer needed
3234         because now all GetButterfly nodes are not caged. The phase is removed
3235         since we no longer have two nodes.
3236
3237         * dfg/DFGAbstractInterpreterInlines.h:
3238         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3239         * dfg/DFGArgumentsEliminationPhase.cpp:
3240         * dfg/DFGClobberize.h:
3241         (JSC::DFG::clobberize):
3242         * dfg/DFGDoesGC.cpp:
3243         (JSC::DFG::doesGC):
3244         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
3245         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
3246         * dfg/DFGFixupPhase.cpp:
3247         (JSC::DFG::FixupPhase::fixupNode):
3248         * dfg/DFGHeapLocation.cpp:
3249         (WTF::printInternal):
3250         * dfg/DFGHeapLocation.h:
3251         * dfg/DFGNodeType.h:
3252         * dfg/DFGPlan.cpp:
3253         (JSC::DFG::Plan::compileInThreadImpl):
3254         * dfg/DFGPredictionPropagationPhase.cpp:
3255         * dfg/DFGSafeToExecute.h:
3256         (JSC::DFG::safeToExecute):
3257         * dfg/DFGSpeculativeJIT.cpp:
3258         (JSC::DFG::SpeculativeJIT::compileSpread):
3259         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3260         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3261         * dfg/DFGSpeculativeJIT32_64.cpp:
3262         (JSC::DFG::SpeculativeJIT::compile):
3263         * dfg/DFGSpeculativeJIT64.cpp:
3264         (JSC::DFG::SpeculativeJIT::compile):
3265         * dfg/DFGTypeCheckHoistingPhase.cpp:
3266         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3267         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3268         * ftl/FTLCapabilities.cpp:
3269         (JSC::FTL::canCompile):
3270         * ftl/FTLLowerDFGToB3.cpp:
3271         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3272         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
3273         * jit/JITPropertyAccess.cpp:
3274         (JSC::JIT::emitDoubleLoad):
3275         (JSC::JIT::emitGenericContiguousPutByVal):
3276         * runtime/Butterfly.h:
3277         (JSC::Butterfly::pointer):
3278         (JSC::Butterfly::contiguousDouble):
3279         (JSC::Butterfly::caged): Deleted.
3280         * runtime/ButterflyInlines.h:
3281         (JSC::Butterfly::createOrGrowPropertyStorage):
3282         * runtime/JSObject.cpp:
3283         (JSC::JSObject::ensureLengthSlow):
3284         (JSC::JSObject::reallocateAndShrinkButterfly):
3285
3286 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3287
3288         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3289         https://bugs.webkit.org/show_bug.cgi?id=175447
3290
3291         Reviewed by Carlos Alberto Lopez Perez.
3292
3293         This patch allows DFG JIT to be enabled on MIPS platforms.
3294
3295         * Sources.txt:
3296         * assembler/MIPSAssembler.h:
3297         (JSC::MIPSAssembler::lastSPRegister):
3298         (JSC::MIPSAssembler::numberOfSPRegisters):
3299         (JSC::MIPSAssembler::sprName):
3300         * assembler/MacroAssemblerMIPS.cpp: Added.
3301         (JSC::MacroAssembler::probe):
3302         * assembler/ProbeContext.cpp:
3303         (JSC::Probe::executeProbe):
3304         * assembler/ProbeContext.h:
3305         (JSC::Probe::CPUState::pc):
3306         * assembler/testmasm.cpp:
3307         (JSC::isSpecialGPR):
3308         (JSC::testProbePreservesGPRS):
3309         (JSC::testProbeModifiesStackPointer):
3310         (JSC::testProbeModifiesStackValues):
3311
3312 2017-11-29  Matt Lewis  <jlewis3@apple.com>
3313
3314         Unreviewed, rolling out r225286.
3315
3316         The source files within this patch have been marked as
3317         executable.
3318
3319         Reverted changeset:
3320
3321         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
3322         https://bugs.webkit.org/show_bug.cgi?id=175447
3323         https://trac.webkit.org/changeset/225286
3324
3325 2017-11-29  Alex Christensen  <achristensen@webkit.org>
3326
3327         Fix Mac CMake build.
3328
3329         * PlatformMac.cmake:
3330
3331 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3332
3333         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3334         https://bugs.webkit.org/show_bug.cgi?id=175447
3335
3336         Reviewed by Carlos Alberto Lopez Perez.
3337
3338         This patch allows DFG JIT to be enabled on MIPS platforms.
3339
3340         * Sources.txt:
3341         * assembler/MIPSAssembler.h:
3342         (JSC::MIPSAssembler::lastSPRegister):
3343         (JSC::MIPSAssembler::numberOfSPRegisters):
3344         (JSC::MIPSAssembler::sprName):
3345         * assembler/MacroAssemblerMIPS.cpp: Added.
3346         (JSC::MacroAssembler::probe):
3347         * assembler/ProbeContext.cpp:
3348         (JSC::Probe::executeProbe):
3349         * assembler/ProbeContext.h:
3350         (JSC::Probe::CPUState::pc):
3351         * assembler/testmasm.cpp:
3352         (JSC::isSpecialGPR):
3353         (JSC::testProbePreservesGPRS):
3354         (JSC::testProbeModifiesStackPointer):
3355         (JSC::testProbeModifiesStackValues):
3356
3357 2017-11-28  JF Bastien  <jfbastien@apple.com>