306da106228a9401b5874cecc80dc4d0af402ea8
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Introduce {Set,Map,WeakMap}Fields
        https://bugs.webkit.org/show_bug.cgi?id=179925

        Reviewed by Saam Barati.

        SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
        writes readonly MiscFields which is used by various nodes and makes optimization
        conservative.

        We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.

        * dfg/DFGAbstractHeap.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasBucketOwnerType):

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Remove JSStringBuilder
        https://bugs.webkit.org/show_bug.cgi?id=180016

        Reviewed by Saam Barati.

        JSStringBuilder is replaced with WTF::StringBuilder.
        This patch removes remaining uses and drops JSStringBuilder.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * runtime/ArrayPrototype.cpp:
        * runtime/AsyncFunctionPrototype.cpp:
        * runtime/AsyncGeneratorFunctionPrototype.cpp:
        * runtime/ErrorPrototype.cpp:
        * runtime/FunctionPrototype.cpp:
        * runtime/GeneratorFunctionPrototype.cpp:
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::decode):
        (JSC::globalFuncEscape):
        * runtime/JSStringBuilder.h: Removed.
        * runtime/JSStringInlines.h:
        (JSC::jsMakeNontrivialString):
        * runtime/RegExpPrototype.cpp:
        * runtime/StringPrototype.cpp:

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG] Remove GetLocalUnlinked
        https://bugs.webkit.org/show_bug.cgi?id=180017

        Reviewed by Saam Barati.

        Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
        This patch just removes it.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGCommon.h:
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasUnlinkedLocal):
        (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
        (JSC::DFG::Node::convertToGetLocal): Deleted.
        (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
        (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
        (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStackLayoutPhase.cpp:
        (JSC::DFG::StackLayoutPhase::run):
        * dfg/DFGValidate.cpp:

2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>

        Make ArgList::data() private again when we can remove callWasmFunction().
        https://bugs.webkit.org/show_bug.cgi?id=168582

        Reviewed by JF Bastien.

        Make ArgList::data() private since we already removed callWasmFunction.

        * runtime/ArgList.h:

2016-08-05  Darin Adler  <darin@apple.com>

        Fix some minor problems in the StringImpl header
        https://bugs.webkit.org/show_bug.cgi?id=160630

        Reviewed by Brent Fulgham.

        * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
        Yarr namespacing since we use "using namespace" in this file.

2017-11-24  Mark Lam  <mark.lam@apple.com>

        Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
        https://bugs.webkit.org/show_bug.cgi?id=179936
        <rdar://problem/35623998>

        Reviewed by Saam Barati.

        This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
        See https://bugs.webkit.org/show_bug.cgi?id=179684.

        Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
        was allocating stack space to stash arguments (to be forwarded) and new frame
        info.  The location of this new stash space happens to lie beyond the top of frame
        of the tail call caller frame.  After stashing the arguments, the code proceeded
        to load the callee codeBlock.  This triggered an allocation, which in turn,
        triggered stack sanitization.  The CLoop stack sanitizer was relying on
        frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
        that turned out to be inadequate.  As a result, part of the stashed data was
        zeroed out, and subsequently led to a crash.

        This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
        1. JIT builds do stack sanitization in the LLInt code itself (different from the
           CLoop implementation), and the sanitizer there is aware of the true top of
           stack value (i.e. the stack pointer).
        2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
           parallel stack is one condition necessary for reproducing this issue.

        The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
        every time before it calls out to native C++ code.  This also brings the CLoop's
        behavior closer to hardware behavior where we can know where the stack pointer
        is after calling from JS back into native C++ code, which makes it easier to
        reason about correctness.

        Also simplified the various stack boundary calculations (removed the +1 and -1
        adjustments).  The CLoopStack bounds are now:

            reservationTop(): the lowest reserved address that can be within stack bounds.
            m_commitTop: the lowest address within stack bounds that has been committed.
            lowAddress() aka m_end: the lowest stack address that JS code can use.
            m_lastStackPointer: cache of the last m_currentStackPointer value.
            m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
            highAddress(): the highest address just beyond the bounds of the stack.

        Also deleted some unneeded code.

        * interpreter/CLoopStack.cpp:
        (JSC::CLoopStack::CLoopStack):
        (JSC::CLoopStack::gatherConservativeRoots):
        (JSC::CLoopStack::sanitizeStack):
        (JSC::CLoopStack::setSoftReservedZoneSize):
        * interpreter/CLoopStack.h:
        (JSC::CLoopStack::setCurrentStackPointer):
        (JSC::CLoopStack::lowAddress const):

        (JSC::CLoopStack::baseOfStack const): Deleted.
        - Not needed after we simplified the code and removed all the +1/-1 adjustments.
          Now, it has the exact same value as highAddress() and can be removed.

        * interpreter/CLoopStackInlines.h:
        (JSC::CLoopStack::ensureCapacityFor):
        (JSC::CLoopStack::currentStackPointer):
        (JSC::CLoopStack::setCLoopStackLimit):

        (JSC::CLoopStack::topOfFrameFor): Deleted.
        - Not needed.

        (JSC::CLoopStack::topOfStack): Deleted.
        - Supplanted by currentStackPointer().

        (JSC::CLoopStack::shrink): Deleted.
        - This is unused.

        * llint/LowLevelInterpreter.cpp:
        (JSC::CLoop::execute):
        - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
          upon exiting the interpreter loop.

        * offlineasm/cloop.rb:
        - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
          call from JS into C++ code.

        * tools/VMInspector.h:
        - Added some default argument values. These were being used while debugging this
          issue.

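The sanitizer boundary problem in the entry above, modelled in C as an added illustration (not JavaScriptCore code): a downward-growing parallel stack, a stash of forwarded arguments written below the caller's top of frame, and a sanitizer that zeroes the "unused" region either up to topOfFrame() (the stale assumption that caused the crash) or up to a stack pointer recorded before calling out to native code (the fix). ParallelStack, forwardArgumentsThenCallOut and the slot counts are assumptions made for the model.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a CLoop-style parallel stack that grows downward:
 * slots[0] plays the role of lowAddress()/m_end and slots[STACK_SLOTS]
 * the role of highAddress(). Not JavaScriptCore code. */
#define STACK_SLOTS 64
#define STASH_SLOTS 4

typedef struct {
    uintptr_t slots[STACK_SLOTS];
    size_t topOfFrame;          /* index of the caller frame's top-of-frame slot */
    size_t currentStackPointer; /* index recorded before calling into C++ (the fix) */
} ParallelStack;

/* Sanitizer as described in the bug: zeroes everything below the frame's
 * top, trusting topOfFrame() as the boundary of the in-use stack. */
static void sanitizeUsingTopOfFrame(ParallelStack* s)
{
    memset(s->slots, 0, s->topOfFrame * sizeof(s->slots[0]));
}

/* Fixed sanitizer: zeroes only below the recorded stack pointer, so any
 * data pushed below the frame since the last record survives. */
static void sanitizeUsingStackPointer(ParallelStack* s)
{
    memset(s->slots, 0, s->currentStackPointer * sizeof(s->slots[0]));
}

/* Models op_tail_call_forward_arguments: stashes forwarded arguments in
 * fresh stack space below the caller's top of frame, then "calls out" to
 * native code (loading the callee CodeBlock), which allocates and thereby
 * triggers stack sanitization. Returns 1 if the stash survived, 0 if it
 * was zeroed. */
static int forwardArgumentsThenCallOut(int useFixedSanitizer)
{
    ParallelStack s;
    memset(&s, 0, sizeof s);
    s.topOfFrame = 40;                              /* caller frame: slots [40, 64) */
    size_t stashBase = s.topOfFrame - STASH_SLOTS;  /* stash: slots [36, 40) */
    for (size_t i = 0; i < STASH_SLOTS; ++i)
        s.slots[stashBase + i] = 0x1000 + i;        /* constructed argument values */

    /* The fix: record the true stack pointer before leaving JS code. */
    s.currentStackPointer = stashBase;

    if (useFixedSanitizer)
        sanitizeUsingStackPointer(&s);
    else
        sanitizeUsingTopOfFrame(&s);

    for (size_t i = 0; i < STASH_SLOTS; ++i)
        if (s.slots[stashBase + i] != 0x1000 + i)
            return 0;
    return 1;
}

int main(void)
{
    printf("topOfFrame-based sanitizer keeps stash: %d\n", forwardArgumentsThenCallOut(0));
    printf("stack-pointer-based sanitizer keeps stash: %d\n", forwardArgumentsThenCallOut(1));
    return 0;
}
```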
2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
        https://bugs.webkit.org/show_bug.cgi?id=179923

        Reviewed by Darin Adler.

        We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
        So we can use it as a marker of deleted bucket.

        This patch uses empty key as a deleted flag, and drops m_deleted field of HashMapBucket.
        It shrinks the size of HashMapBucket considerably.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBucket::createSentinel):
        We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
        While the sentinel's deleted flag becomes false since key is set, it is not a problem since deleted
        flag of sentinel bucket is not used.

        (JSC::HashMapBucket::HashMapBucket):
        (JSC::HashMapBucket::deleted const):
        (JSC::HashMapBucket::makeDeleted):
        (JSC::HashMapImpl::remove):
        (JSC::HashMapImpl::clear):
        (JSC::HashMapImpl::setUpHeadAndTail):
        (JSC::HashMapImpl::addNormalizedInternal):
        (JSC::HashMapBucket::setDeleted): Deleted.
        (JSC::HashMapBucket::offsetOfDeleted): Deleted.
        (): Deleted.

2017-11-24  Mark Lam  <mark.lam@apple.com>

        Move unsafe jsc shell test functions to the $vm object.
        https://bugs.webkit.org/show_bug.cgi?id=179980

        Reviewed by Yusuke Suzuki.

        Also removed setElementRoot() which was not used.

        * jsc.cpp:
        (GlobalObject::finishCreation):
        (WTF::Element::Element): Deleted.
        (WTF::Element::root const): Deleted.
        (WTF::Element::setRoot): Deleted.
        (WTF::Element::create): Deleted.
        (WTF::Element::visitChildren): Deleted.
        (WTF::Element::createStructure): Deleted.
        (WTF::Root::Root): Deleted.
        (WTF::Root::element): Deleted.
        (WTF::Root::setElement): Deleted.
        (WTF::Root::create): Deleted.
        (WTF::Root::createStructure): Deleted.
        (WTF::Root::visitChildren): Deleted.
        (WTF::ImpureGetter::ImpureGetter): Deleted.
        (WTF::ImpureGetter::createStructure): Deleted.
        (WTF::ImpureGetter::create): Deleted.
        (WTF::ImpureGetter::finishCreation): Deleted.
        (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
        (WTF::ImpureGetter::visitChildren): Deleted.
        (WTF::ImpureGetter::setDelegate): Deleted.
        (WTF::CustomGetter::CustomGetter): Deleted.
        (WTF::CustomGetter::createStructure): Deleted.
        (WTF::CustomGetter::create): Deleted.
        (WTF::CustomGetter::getOwnPropertySlot): Deleted.
        (WTF::CustomGetter::customGetter): Deleted.
        (WTF::CustomGetter::customGetterAcessor): Deleted.
        (WTF::RuntimeArray::create): Deleted.
        (WTF::RuntimeArray::~RuntimeArray): Deleted.
        (WTF::RuntimeArray::destroy): Deleted.
        (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
        (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
        (WTF::RuntimeArray::put): Deleted.
        (WTF::RuntimeArray::deleteProperty): Deleted.
        (WTF::RuntimeArray::getLength const): Deleted.
        (WTF::RuntimeArray::createPrototype): Deleted.
        (WTF::RuntimeArray::createStructure): Deleted.
        (WTF::RuntimeArray::finishCreation): Deleted.
        (WTF::RuntimeArray::RuntimeArray): Deleted.
        (WTF::RuntimeArray::lengthGetter): Deleted.
        (WTF::SimpleObject::SimpleObject): Deleted.
        (WTF::SimpleObject::create): Deleted.
        (WTF::SimpleObject::visitChildren): Deleted.
        (WTF::SimpleObject::createStructure): Deleted.
        (WTF::SimpleObject::hiddenValue): Deleted.
        (WTF::SimpleObject::setHiddenValue): Deleted.
        (WTF::DOMJITNode::DOMJITNode): Deleted.
        (WTF::DOMJITNode::createStructure): Deleted.
        (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
        (WTF::DOMJITNode::create): Deleted.
        (WTF::DOMJITNode::value const): Deleted.
        (WTF::DOMJITNode::offsetOfValue): Deleted.
        (WTF::DOMJITGetter::DOMJITGetter): Deleted.
        (WTF::DOMJITGetter::createStructure): Deleted.
        (WTF::DOMJITGetter::create): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetter::customGetter): Deleted.
        (WTF::DOMJITGetter::finishCreation): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
        (WTF::DOMJITGetterComplex::createStructure): Deleted.
        (WTF::DOMJITGetterComplex::create): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
        (WTF::DOMJITGetterComplex::customGetter): Deleted.
        (WTF::DOMJITGetterComplex::finishCreation): Deleted.
        (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
        (WTF::DOMJITFunctionObject::createStructure): Deleted.
        (WTF::DOMJITFunctionObject::create): Deleted.
        (WTF::DOMJITFunctionObject::safeFunction): Deleted.
        (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
        (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
        (WTF::DOMJITFunctionObject::finishCreation): Deleted.
        (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
        (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
        (WTF::DOMJITCheckSubClassObject::create): Deleted.
        (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
        (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
        (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
        (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
        (WTF::DOMJITGetterBaseJSObject::create): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
        (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
        (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
        (WTF::Element::handleOwner): Deleted.
        (WTF::Element::finishCreation): Deleted.
        (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
        (JSTestCustomGetterSetter::create): Deleted.
        (JSTestCustomGetterSetter::createStructure): Deleted.
        (customGetAccessor): Deleted.
        (customGetValue): Deleted.
        (customSetAccessor): Deleted.
        (customSetValue): Deleted.
        (JSTestCustomGetterSetter::finishCreation): Deleted.
        (GlobalObject::addConstructableFunction): Deleted.
        (functionCreateRoot): Deleted.
        (functionCreateElement): Deleted.
        (functionGetElement): Deleted.
        (functionSetElementRoot): Deleted.
        (functionCreateSimpleObject): Deleted.
        (functionGetHiddenValue): Deleted.
        (functionSetHiddenValue): Deleted.
        (functionCreateProxy): Deleted.
        (functionCreateRuntimeArray): Deleted.
        (functionCreateImpureGetter): Deleted.
        (functionCreateCustomGetterObject): Deleted.
        (functionCreateDOMJITNodeObject): Deleted.
        (functionCreateDOMJITGetterObject): Deleted.
        (functionCreateDOMJITGetterComplexObject): Deleted.
        (functionCreateDOMJITFunctionObject): Deleted.
        (functionCreateDOMJITCheckSubClassObject): Deleted.
        (functionCreateDOMJITGetterBaseJSObject): Deleted.
        (functionSetImpureGetterDelegate): Deleted.
        (functionGetGetterSetter): Deleted.
        (functionShadowChickenFunctionsOnStack): Deleted.
        (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
        (functionGlobalObjectForObject): Deleted.
        (functionLoadGetterFromGetterSetter): Deleted.
        (functionCreateCustomTestGetterSetter): Deleted.
        (functionAbort): Deleted.
        (functionFindTypeForExpression): Deleted.
        (functionReturnTypeFor): Deleted.
        (functionDumpBasicBlockExecutionRanges): Deleted.
        (functionHasBasicBlockExecuted): Deleted.
        (functionBasicBlockExecutionCount): Deleted.
        (functionEnableExceptionFuzz): Deleted.
        (functionCreateBuiltin): Deleted.
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * tools/JSDollarVM.cpp:
        (WTF::Element::Element):
        (WTF::Element::root const):
        (WTF::Element::setRoot):
        (WTF::Element::create):
        (WTF::Element::visitChildren):
        (WTF::Element::createStructure):
        (WTF::Root::Root):
        (WTF::Root::element):
        (WTF::Root::setElement):
        (WTF::Root::create):
        (WTF::Root::createStructure):
        (WTF::Root::visitChildren):
        (WTF::SimpleObject::SimpleObject):
        (WTF::SimpleObject::create):
        (WTF::SimpleObject::visitChildren):
        (WTF::SimpleObject::createStructure):
        (WTF::SimpleObject::hiddenValue):
        (WTF::SimpleObject::setHiddenValue):
        (WTF::ImpureGetter::ImpureGetter):
        (WTF::ImpureGetter::createStructure):
        (WTF::ImpureGetter::create):
        (WTF::ImpureGetter::finishCreation):
        (WTF::ImpureGetter::getOwnPropertySlot):
        (WTF::ImpureGetter::visitChildren):
        (WTF::ImpureGetter::setDelegate):
        (WTF::CustomGetter::CustomGetter):
        (WTF::CustomGetter::createStructure):
        (WTF::CustomGetter::create):
        (WTF::CustomGetter::getOwnPropertySlot):
        (WTF::CustomGetter::customGetter):
        (WTF::CustomGetter::customGetterAcessor):
        (WTF::RuntimeArray::create):
        (WTF::RuntimeArray::~RuntimeArray):
        (WTF::RuntimeArray::destroy):
        (WTF::RuntimeArray::getOwnPropertySlot):
        (WTF::RuntimeArray::getOwnPropertySlotByIndex):
        (WTF::RuntimeArray::put):
        (WTF::RuntimeArray::deleteProperty):
        (WTF::RuntimeArray::getLength const):
        (WTF::RuntimeArray::createPrototype):
        (WTF::RuntimeArray::createStructure):
        (WTF::RuntimeArray::finishCreation):
        (WTF::RuntimeArray::RuntimeArray):
        (WTF::RuntimeArray::lengthGetter):
        (WTF::DOMJITNode::DOMJITNode):
        (WTF::DOMJITNode::createStructure):
        (WTF::DOMJITNode::checkSubClassSnippet):
        (WTF::DOMJITNode::create):
        (WTF::DOMJITNode::value const):
        (WTF::DOMJITNode::offsetOfValue):
        (WTF::DOMJITGetter::DOMJITGetter):
        (WTF::DOMJITGetter::createStructure):
        (WTF::DOMJITGetter::create):
        (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetter::customGetter):
        (WTF::DOMJITGetter::finishCreation):
        (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
        (WTF::DOMJITGetterComplex::createStructure):
        (WTF::DOMJITGetterComplex::create):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetterComplex::functionEnableException):
        (WTF::DOMJITGetterComplex::customGetter):
        (WTF::DOMJITGetterComplex::finishCreation):
        (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
        (WTF::DOMJITFunctionObject::createStructure):
        (WTF::DOMJITFunctionObject::create):
        (WTF::DOMJITFunctionObject::safeFunction):
        (WTF::DOMJITFunctionObject::unsafeFunction):
        (WTF::DOMJITFunctionObject::checkSubClassSnippet):
        (WTF::DOMJITFunctionObject::finishCreation):
        (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
        (WTF::DOMJITCheckSubClassObject::createStructure):
        (WTF::DOMJITCheckSubClassObject::create):
        (WTF::DOMJITCheckSubClassObject::safeFunction):
        (WTF::DOMJITCheckSubClassObject::unsafeFunction):
        (WTF::DOMJITCheckSubClassObject::finishCreation):
        (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
        (WTF::DOMJITGetterBaseJSObject::createStructure):
        (WTF::DOMJITGetterBaseJSObject::create):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
        (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
        (WTF::DOMJITGetterBaseJSObject::customGetter):
        (WTF::DOMJITGetterBaseJSObject::finishCreation):
        (WTF::Message::releaseContents):
        (WTF::Message::index const):
        (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
        (WTF::JSTestCustomGetterSetter::create):
        (WTF::JSTestCustomGetterSetter::createStructure):
        (WTF::customGetAccessor):
        (WTF::customGetValue):
        (WTF::customSetAccessor):
        (WTF::customSetValue):
        (WTF::JSTestCustomGetterSetter::finishCreation):
        (WTF::Element::handleOwner):
        (WTF::Element::finishCreation):
        (JSC::functionCrash):
        (JSC::functionCreateProxy):
        (JSC::functionCreateRuntimeArray):
        (JSC::functionCreateImpureGetter):
        (JSC::functionCreateCustomGetterObject):
        (JSC::functionCreateDOMJITNodeObject):
        (JSC::functionCreateDOMJITGetterObject):
        (JSC::functionCreateDOMJITGetterComplexObject):
        (JSC::functionCreateDOMJITFunctionObject):
        (JSC::functionCreateDOMJITCheckSubClassObject):
        (JSC::functionCreateDOMJITGetterBaseJSObject):
        (JSC::functionSetImpureGetterDelegate):
        (JSC::functionCreateBuiltin):
        (JSC::functionCreateRoot):
        (JSC::functionCreateElement):
        (JSC::functionGetElement):
        (JSC::functionCreateSimpleObject):
        (JSC::functionGetHiddenValue):
        (JSC::functionSetHiddenValue):
        (JSC::functionShadowChickenFunctionsOnStack):
        (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
        (JSC::functionFindTypeForExpression):
        (JSC::functionReturnTypeFor):
        (JSC::functionDumpBasicBlockExecutionRanges):
        (JSC::functionHasBasicBlockExecuted):
        (JSC::functionBasicBlockExecutionCount):
        (JSC::functionEnableExceptionFuzz):
        (JSC::functionGlobalObjectForObject):
        (JSC::functionGetGetterSetter):
        (JSC::functionLoadGetterFromGetterSetter):
        (JSC::functionCreateCustomTestGetterSetter):
        (JSC::JSDollarVM::finishCreation):
        (JSC::JSDollarVM::addFunction):
        (JSC::JSDollarVM::addConstructibleFunction):
        * tools/JSDollarVM.h:
        (JSC::JSDollarVM::create):

2017-11-23  Simon Fraser  <simon.fraser@apple.com>

        Minor ArrayBufferView cleanup
        https://bugs.webkit.org/show_bug.cgi?id=179966

        Reviewed by Darin Adler.

        Use void* for data pointers when we don't need to do offset math. Use const for
        source pointers.

        Prefer uint8_t* to char*.

        Add comments noting that the assertions should not be made release assertions
        as recommended by the style checker, since the point is to avoid the virtual byteLength()
        call in release.

        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::setImpl):
        (JSC::ArrayBufferView::setRangeImpl):
        (JSC::ArrayBufferView::getRangeImpl):
        (JSC::ArrayBufferView::zeroRangeImpl):

2017-11-23  Darin Adler  <darin@apple.com>

        Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
        https://bugs.webkit.org/show_bug.cgi?id=179907

        Reviewed by Sam Weinig.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
        defaults to that.

        * runtime/StringPrototype.cpp:
        (JSC::stringIncludesImpl): Use String::find since there is no overload of
        String::contains that takes a start offset now that we removed the one that took a
        caseSensitive boolean. We can add one later if we like, but this should do for now.

        * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
        the StringImpl.h header because it is only used here.

2017-11-22  Simon Fraser  <simon.fraser@apple.com>

        Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
        because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().

        Also name the argument to zeroRange() to 'count' since it's an item count.

        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::zeroRange):
        (JSC::GenericTypedArrayView::getRange):

2017-11-21  Simon Fraser  <simon.fraser@apple.com>

        Allow for more efficient use of GenericTypedArrayView
        https://bugs.webkit.org/show_bug.cgi?id=179899

        Reviewed by Sam Weinig.

        Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
        under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
        in a length.

        Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
        byteLength() calls.

        Renamed 'dataLength' to 'count' in setRange() to be clearer.

        Added setNative() for callers who don't need clamping of doubles.

        * runtime/ArrayBufferView.h:
        (JSC::ArrayBufferView::setRangeImpl):
        (JSC::ArrayBufferView::getRangeImpl):
        * runtime/GenericTypedArrayView.h:
        (JSC::GenericTypedArrayView::setRange):
        (JSC::GenericTypedArrayView::setNative const):
        (JSC::GenericTypedArrayView::getRange):
        (JSC::GenericTypedArrayView::checkInboundData const):
        (JSC::GenericTypedArrayView::internalByteLength const):

2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [DFG][FTL] Support MapSet / SetAdd intrinsics
        https://bugs.webkit.org/show_bug.cgi?id=179858

        Reviewed by Saam Barati.

        Map.prototype.set and Set.prototype.add use MapHash value anyway.
        By handling them as MapSet and SetAdd DFG nodes and decoupling
        MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
        remove duplicate MapHash calculation for the same key.

        One story is *set-if-not-exists*.

            if (!map.has(key))
                map.set(key, value);

        In the above code, both `has` and `set` require hash value for `key`.
        If we can change `set` to the series of DFG nodes:

            1: MapHash(key)
            2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)

        we can remove duplicate @1 produced by `has` operation.

        This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively.

                                         baseline                  patched

            map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
            map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster

        Microbenchmarks

            map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileSetAdd):
        (JSC::DFG::SpeculativeJIT::compileMapSet):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
        (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
        * jit/JITOperations.h:
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::addNormalized):
        (JSC::HashMapImpl::addNormalizedInternal):
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/MapPrototype.cpp:
        (JSC::MapPrototype::finishCreation):
        * runtime/SetPrototype.cpp:
        (JSC::SetPrototype::finishCreation):

674 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
675
676         [JSC] Allow poly proto for intrinsic getters
677         https://bugs.webkit.org/show_bug.cgi?id=179550
678
679         Reviewed by Saam Barati.
680
681         This patch allows intrinsic getters to accept poly proto.
682         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
683         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
684         code for poly proto case.
685
686         * bytecode/IntrinsicGetterAccessCase.cpp:
687         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
688         (JSC::IntrinsicGetterAccessCase::create):
689         * bytecode/IntrinsicGetterAccessCase.h:
690         * jit/IntrinsicEmitter.cpp:
691         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
692         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
693         * jit/Repatch.cpp:
694         (JSC::tryCacheGetByID):
695
696 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
697
698         Detect __declspec within JSBase.h
699         https://bugs.webkit.org/show_bug.cgi?id=179892
700
701         Reviewed by Darin Adler.
702
703         * API/JSBase.h:
704
705 2017-11-19  Tim Horton  <timothy_horton@apple.com>
706
707         Remove unused TOUCH_ICON_LOADING feature flag
708         https://bugs.webkit.org/show_bug.cgi?id=179873
709
710         Reviewed by Simon Fraser.
711
712         * Configurations/FeatureDefines.xcconfig:
713
714 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
715
716         Add CPU(UNKNOWN) to cover all the unknown CPU types
717         https://bugs.webkit.org/show_bug.cgi?id=179243
718
719         Reviewed by JF Bastien.
720
721         * CMakeLists.txt:
722
723 2017-11-19  Tim Horton  <timothy_horton@apple.com>
724
725         Remove unused LEGACY_VENDOR_PREFIXES feature flag
726         https://bugs.webkit.org/show_bug.cgi?id=179872
727
728         Reviewed by Darin Adler.
729
730         * Configurations/FeatureDefines.xcconfig:
731
732 2017-11-18  Tim Horton  <timothy_horton@apple.com>
733
734         Fix typos in closing ENABLE() comments
735         https://bugs.webkit.org/show_bug.cgi?id=179869
736
737         Unreviewed.
738
739         * wasm/WasmMemory.h:
740         * wasm/WasmMemoryMode.h:
741
742 2017-11-17  JF Bastien  <jfbastien@apple.com>
743
744         NFC update ClassInfo to C++14
745         https://bugs.webkit.org/show_bug.cgi?id=179783
746
747         Reviewed by Mark Lam.
748
749         Forked from #179734, use `using` instead of `typedef`. It's easier
750         to read.
751
752         * runtime/ClassInfo.h:
753
754 2017-11-17  JF Bastien  <jfbastien@apple.com>
755
756         WebAssembly JS API: throw when a promise can't be created
757         https://bugs.webkit.org/show_bug.cgi?id=179826
758         <rdar://problem/35455813>
759
760         Reviewed by Mark Lam.
761
762         Failure *in* a promise causes rejection, but failure to create a
763         promise (because of stack overflow) isn't really spec'd (as with all
764         stack things in JS). This applies to WebAssembly.compile and
765         WebAssembly.instantiate.
766
767         Dan's current proposal says:
768
769             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
770
771             Whenever a stack overflow occurs in WebAssembly code, the same
772             class of exception is thrown as for a stack overflow in
773             JavaScript. The particular exception here is
774             implementation-defined in both cases.
775
776             Note: ECMAScript doesn’t specify any sort of behavior on stack
777             overflow; implementations have been observed to throw RangeError,
778             InternalError or Error. Any is valid here.
779
780         This is for general stack overflow within WebAssembly, not
781         specifically for promise creation within JavaScript, but it seems
782         like a stack overflow in promise creation should follow the same
783         rule instead of, say, swallowing the overflow and returning
784         undefined.
785
786         * wasm/js/WebAssemblyPrototype.cpp:
787         (JSC::webAssemblyCompileFunc):
788         (JSC::webAssemblyInstantiateFunc):
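
        The two failure channels this entry distinguishes, observed from JavaScript
        (an added example, not part of the WebKit patch; the module bytes are
        constructed, and the JavaScript stack overflow only stands in for "the
        promise could not be created" since that condition cannot be forced from
        script):

```javascript
// Added example (not JSC/WebKit code). A failure *inside* the async work, such as
// malformed bytes, surfaces as a rejected promise; a failure that happens before a
// promise can exist surfaces as a synchronous exception. The JS stack overflow below
// is a stand-in for the second channel, not a reproduction of the Wasm-side case.

// Constructed inputs: "\0asm" magic followed by the version field.
const VALID_EMPTY_MODULE = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]); // version 1
const MALFORMED_MODULE   = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0xff, 0xff, 0xff, 0xff]); // bad version

// Run `fn` and report which channel its failure (if any) used.
function classify(fn) {
  let result;
  try {
    result = fn();
  } catch (e) {
    return { channel: 'sync-throw', error: e.constructor.name };
  }
  if (result instanceof Promise) {
    // Swallow the eventual rejection so this demo does not trip Node's
    // unhandled-rejection handling; the point is that it is *not* a sync throw.
    result.catch(() => {});
    return { channel: 'promise' };
  }
  return { channel: 'value' };
}

// WebAssembly.compile always hands back a promise; bad bytes reject it later.
function compileOutcome(bytes) {
  return classify(() => WebAssembly.compile(bytes));
}

// The synchronous validator is the cheap way to check bytes before compiling.
function validateOutcome(bytes) {
  return WebAssembly.validate(bytes);
}

// Stack exhaustion in plain JS is thrown synchronously; the engine picks the
// error class (implementation-defined, as the quoted spec text says).
function overflowOutcome() {
  const recurse = () => recurse() + 1;
  return classify(recurse);
}
```

        Note that `compileOutcome(MALFORMED_MODULE)` still reports `promise`: the
        CompileError arrives as a rejection, never as a synchronous throw, which is
        exactly the split the entry is preserving for the stack-overflow case.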
789
790 2017-11-16  Daniel Bates  <dabates@apple.com>
791
792         Add feature define for alternative presentation button element
793         https://bugs.webkit.org/show_bug.cgi?id=179692
794         Part of <rdar://problem/34917108>
795
796         Reviewed by Andy Estes.
797
798         Only enabled on Cocoa platforms by default.
799
800         * Configurations/FeatureDefines.xcconfig:
801
802 2017-11-16  Saam Barati  <sbarati@apple.com>
803
804         Fix a bug with cpuid in the FTL.
805
806         Rubber stamped by Mark Lam.
807
808         Before uploading the previous patch, I tried to condense the code. I
809         accidentally removed a crucial line saying that CPUID clobbers various
810         registers.
811
812         * ftl/FTLLowerDFGToB3.cpp:
813         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
814
815 2017-11-16  Saam Barati  <sbarati@apple.com>
816
817         Add some X86 intrinsics to $vm to help with some perf testing
818         https://bugs.webkit.org/show_bug.cgi?id=179693
819
820         Reviewed by Mark Lam.
821
822         I've been doing some local perf testing of various ideas and have
823         had these come in handy. I'm going to land them to dollarVM to prevent
824         having to add them to my local build every time I do perf testing.
825
826         * assembler/MacroAssemblerX86Common.h:
827         (JSC::MacroAssemblerX86Common::mfence):
828         (JSC::MacroAssemblerX86Common::rdtsc):
829         (JSC::MacroAssemblerX86Common::pause):
830         (JSC::MacroAssemblerX86Common::cpuid):
831         * assembler/X86Assembler.h:
832         (JSC::X86Assembler::rdtsc):
833         (JSC::X86Assembler::pause):
834         (JSC::X86Assembler::cpuid):
835         * dfg/DFGAbstractInterpreterInlines.h:
836         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
837         * dfg/DFGByteCodeParser.cpp:
838         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
839         * dfg/DFGClobberize.h:
840         (JSC::DFG::clobberize):
841         * dfg/DFGDoesGC.cpp:
842         (JSC::DFG::doesGC):
843         * dfg/DFGFixupPhase.cpp:
844         (JSC::DFG::FixupPhase::fixupNode):
845         * dfg/DFGGraph.cpp:
846         (JSC::DFG::Graph::dump):
847         * dfg/DFGNode.h:
848         (JSC::DFG::Node::intrinsic):
849         * dfg/DFGNodeType.h:
850         * dfg/DFGPredictionPropagationPhase.cpp:
851         * dfg/DFGSafeToExecute.h:
852         (JSC::DFG::safeToExecute):
853         * dfg/DFGSpeculativeJIT32_64.cpp:
854         (JSC::DFG::SpeculativeJIT::compile):
855         * dfg/DFGSpeculativeJIT64.cpp:
856         (JSC::DFG::SpeculativeJIT::compile):
857         * dfg/DFGValidate.cpp:
858         * ftl/FTLCapabilities.cpp:
859         (JSC::FTL::canCompile):
860         * ftl/FTLLowerDFGToB3.cpp:
861         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
862         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
863         * runtime/Intrinsic.cpp:
864         (JSC::intrinsicName):
865         * runtime/Intrinsic.h:
866         * tools/JSDollarVM.cpp:
867         (JSC::functionCpuMfence):
868         (JSC::functionCpuRdtsc):
869         (JSC::functionCpuCpuid):
870         (JSC::functionCpuPause):
871         (JSC::functionCpuClflush):
872         (JSC::JSDollarVM::finishCreation):
873
874 2017-11-16  JF Bastien  <jfbastien@apple.com>
875
876         It should be easier to reify lazy property names
877         https://bugs.webkit.org/show_bug.cgi?id=179734
878         <rdar://problem/35492521>
879
880         Reviewed by Keith Miller.
881
882         We reify lazy property names in a few different ways, each
883         specific to the JSCell implementation, in put() instead of having
884         a special function to do reification. Let's make that simpler.
885
886         This patch makes it easier to reify property names in a uniform
887         manner, and does so in JSFunction. As a follow up I'll use the
888         same mechanics for:
889
890         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
891         ErrorConstructor  stackTraceLimit
892         ErrorInstance     line, column, sourceURL, stack
893         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
894         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
895         JSArray           length
896         RegExpObject      lastIndex
897         StringObject      length
898
899         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
900         * runtime/JSCell.cpp:
901         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
902         * runtime/JSCell.h:
903         * runtime/JSFunction.cpp: `name` and `length` can be reified.
904         (JSC::JSFunction::reifyPropertyNameIfNeeded):
905         (JSC::JSFunction::put):
906         (JSC::JSFunction::reifyLength):
907         (JSC::JSFunction::reifyName):
908         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
909         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
910         (JSC::JSFunction::reifyLazyLengthIfNeeded):
911         (JSC::JSFunction::reifyLazyNameIfNeeded):
912         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
913         * runtime/JSFunction.h:
914         (JSC::JSFunction::isLazy):
915         (JSC::JSFunction::isReified):
916         * runtime/JSObjectInlines.h:
917         (JSC::JSObject::putDirectInternal): do the reification here.
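
        What lazy `name`/`length` reification looks like from script (an added
        example, not JSC code; `describe`, `rename`, `dropLength`, `boundInfo` and
        `assignNameStrict` are helper names chosen here). Whatever the engine does
        internally, the observable contract is that these behave as ordinary own
        properties the moment script touches them, including through the `put()`
        path this patch routes reification into:

```javascript
// Added example (not JSC code): observable behaviour of a function's lazily
// materialised `name` and `length` own properties.

// Snapshot a property descriptor in a plain, comparable shape.
function describe(fn, key) {
  const d = Object.getOwnPropertyDescriptor(fn, key);
  if (!d) return { own: false };
  return { own: true, value: d.value, writable: d.writable,
           enumerable: d.enumerable, configurable: d.configurable };
}

// Redefining `name` forces the lazy value to become a real own data property
// carrying the new value; writable/enumerable stay as the spec defines them.
function rename(fn, newName) {
  Object.defineProperty(fn, 'name', { value: newName });
  return describe(fn, 'name');
}

// `length` is configurable, so it can be deleted; afterwards lookup falls
// through to Function.prototype.length, which is 0.
function dropLength(fn) {
  delete fn.length;
  return { own: describe(fn, 'length').own, inherited: fn.length };
}

// Bound functions get a lazily computed "bound <name>" and an adjusted length.
function boundInfo(fn, ...presetArgs) {
  const b = fn.bind(null, ...presetArgs);
  return { name: b.name, length: b.length };
}

// Plain assignment hits the put() path: the property is non-writable, so strict
// code throws a TypeError rather than silently changing the name.
function assignNameStrict(fn) {
  'use strict';
  try {
    fn.name = 'other';
    return 'assigned';
  } catch (e) {
    return e.constructor.name;
  }
}
```

        Each helper takes the function as an argument so a fresh function can be
        used per check; `rename` and `dropLength` mutate the function they are given.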
918
919 2017-11-16  Robin Morisset  <rmorisset@apple.com>
920
921         Provide a runtime option for disabling the optimization of recursive tail calls
922         https://bugs.webkit.org/show_bug.cgi?id=179765
923
924         Reviewed by Mark Lam.
925
926         * bytecode/PreciseJumpTargets.cpp:
927         (JSC::getJumpTargetsForBytecodeOffset):
928         * bytecompiler/BytecodeGenerator.cpp:
929         (JSC::BytecodeGenerator::emitEnter):
930         * dfg/DFGByteCodeParser.cpp:
931         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
932         * runtime/Options.h:
933
934 2017-11-16  Robin Morisset  <rmorisset@apple.com>
935
936         Fix null pointer dereference in bytecodeDumper
937         https://bugs.webkit.org/show_bug.cgi?id=179764
938
939         Reviewed by Mark Lam.
940
941         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
942
943         * bytecode/BytecodeDumper.cpp:
944         (JSC::BytecodeDumper<Block>::printCallOp):
945
946 2017-11-16  Robin Morisset  <rmorisset@apple.com>
947
948         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
949         https://bugs.webkit.org/show_bug.cgi?id=179763
950         <rdar://problem/35550513>
951
952         Reviewed by Keith Miller.
953
954         Fix null pointer dereference caused by an eliminated tdz_check.
955
956         The problem was when doing an OSR entry in DFG while |this| was null
957         (because super() had not yet been called in the constructor of this
958         subclass), it would be marked as non-null, and the tdz_check eliminated.
959
960         * dfg/DFGInPlaceAbstractState.cpp:
961         (JSC::DFG::InPlaceAbstractState::initialize):
962
963 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
964
965         Unreviewed, rolling out r224863.
966
967         Introduced LayoutTest crashes on iOS Simulator.
968
969         Reverted changeset:
970
971         "Move JSONValues to WTF and convert uses of InspectorValues.h
972         to JSONValues.h"
973         https://bugs.webkit.org/show_bug.cgi?id=173793
974         https://trac.webkit.org/changeset/224863
975
976 2017-11-14  Mark Lam  <mark.lam@apple.com>
977
978         Gardening: CLoop build fix after r224862.
979         https://bugs.webkit.org/show_bug.cgi?id=179699
980
981         Not reviewed.
982
983         * bytecode/CodeBlock.h:
984         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
985
986 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
987
988         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
989         https://bugs.webkit.org/show_bug.cgi?id=173793
990
991         Reviewed by Brian Burg.
992
993         Based on patch by Brian Burg.
994
995         * JavaScriptCore.xcodeproj/project.pbxproj:
996         * Sources.txt:
997         * bindings/ScriptValue.cpp:
998         (Inspector::jsToInspectorValue):
999         (Inspector::toInspectorValue):
1000         (Deprecated::ScriptValue::toInspectorValue const):
1001         * bindings/ScriptValue.h:
1002         * inspector/AsyncStackTrace.cpp:
1003         * inspector/ConsoleMessage.cpp:
1004         * inspector/ContentSearchUtilities.cpp:
1005         * inspector/InjectedScript.cpp:
1006         (Inspector::InjectedScript::getFunctionDetails):
1007         (Inspector::InjectedScript::functionDetails):
1008         (Inspector::InjectedScript::getPreview):
1009         (Inspector::InjectedScript::getProperties):
1010         (Inspector::InjectedScript::getDisplayableProperties):
1011         (Inspector::InjectedScript::getInternalProperties):
1012         (Inspector::InjectedScript::getCollectionEntries):
1013         (Inspector::InjectedScript::saveResult):
1014         (Inspector::InjectedScript::wrapCallFrames const):
1015         (Inspector::InjectedScript::wrapObject const):
1016         (Inspector::InjectedScript::wrapTable const):
1017         (Inspector::InjectedScript::previewValue const):
1018         (Inspector::InjectedScript::setExceptionValue):
1019         (Inspector::InjectedScript::clearExceptionValue):
1020         (Inspector::InjectedScript::inspectObject):
1021         (Inspector::InjectedScript::releaseObject):
1022         * inspector/InjectedScriptBase.cpp:
1023         (Inspector::InjectedScriptBase::makeCall):
1024         (Inspector::InjectedScriptBase::makeEvalCall):
1025         * inspector/InjectedScriptBase.h:
1026         * inspector/InjectedScriptManager.cpp:
1027         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1028         * inspector/InspectorBackendDispatcher.cpp:
1029         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1030         (Inspector::BackendDispatcher::dispatch):
1031         (Inspector::BackendDispatcher::sendResponse):
1032         (Inspector::BackendDispatcher::sendPendingErrors):
1033         (Inspector::BackendDispatcher::getPropertyValue):
1034         (Inspector::castToInteger):
1035         (Inspector::castToNumber):
1036         (Inspector::BackendDispatcher::getInteger):
1037         (Inspector::BackendDispatcher::getDouble):
1038         (Inspector::BackendDispatcher::getString):
1039         (Inspector::BackendDispatcher::getBoolean):
1040         (Inspector::BackendDispatcher::getObject):
1041         (Inspector::BackendDispatcher::getArray):
1042         (Inspector::BackendDispatcher::getValue):
1043         * inspector/InspectorBackendDispatcher.h:
1044         * inspector/InspectorProtocolTypes.h:
1045         (Inspector::Protocol::Array::openAccessors):
1046         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1047         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1048         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1049         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1050         * inspector/ScriptCallFrame.cpp:
1051         * inspector/ScriptCallStack.cpp:
1052         * inspector/agents/InspectorAgent.cpp:
1053         (Inspector::InspectorAgent::inspect):
1054         * inspector/agents/InspectorAgent.h:
1055         * inspector/agents/InspectorDebuggerAgent.cpp:
1056         (Inspector::buildAssertPauseReason):
1057         (Inspector::buildCSPViolationPauseReason):
1058         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1059         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1060         (Inspector::buildObjectForBreakpointCookie):
1061         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1062         (Inspector::parseLocation):
1063         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1064         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1065         (Inspector::InspectorDebuggerAgent::continueToLocation):
1066         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1067         (Inspector::InspectorDebuggerAgent::didParseSource):
1068         (Inspector::InspectorDebuggerAgent::breakProgram):
1069         * inspector/agents/InspectorDebuggerAgent.h:
1070         * inspector/agents/InspectorRuntimeAgent.cpp:
1071         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1072         (Inspector::InspectorRuntimeAgent::saveResult):
1073         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1074         * inspector/agents/InspectorRuntimeAgent.h:
1075         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1076         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1077         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1078         (CppBackendDispatcherImplementationGenerator.generate_output):
1079         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1080         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1081         (CppFrontendDispatcherHeaderGenerator.generate_output):
1082         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1083         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1084         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1085         (_generate_unchecked_setter_for_member):
1086         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1087         (CppProtocolTypesImplementationGenerator):
1088         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1089         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1090         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1091         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1092         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1093         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1094         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1095         * inspector/scripts/codegen/generate_objc_internal_header.py:
1096         (ObjCInternalHeaderGenerator.generate_output):
1097         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1098         (ObjCProtocolTypesImplementationGenerator.generate_output):
1099         * inspector/scripts/codegen/generator.py:
1100         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1101         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1102         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1103         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1104         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1105         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1106         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1107         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1108         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1109         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1110         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1111         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1112         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1113         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1114         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1115         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1116         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1117         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1118         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1119         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1120
1121 2017-11-14  Mark Lam  <mark.lam@apple.com>
1122
1123         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
1124         https://bugs.webkit.org/show_bug.cgi?id=179699
1125         <rdar://problem/35462346>
1126
1127         Reviewed by Michael Saboff.
1128
1129         * interpreter/Interpreter.cpp:
1130         (JSC::Interpreter::dumpRegisters):
1131         - Need to skip the callee-saved registers.
1132
1133 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
1134
1135         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
1136         https://bugs.webkit.org/show_bug.cgi?id=179563
1137
1138         Reviewed by Carlos Alberto Lopez Perez.
1139
1140         When run with BranchIfTruncateSuccessful,
1141         branchTruncateDoubleToInt32() should set the destination register
1142         before branching.
1143         This change also removes branchTruncateDoubleToUInt32() as it is
1144         deprecated (see r160205), merges branchOnTruncateResult() into
1145         branchTruncateDoubleToInt32() and adds test cases in testmasm.
1146
1147         * assembler/MacroAssemblerMIPS.h:
1148         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
1149         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
1150         Properly set dest before branching.
1151         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
1152         * assembler/testmasm.cpp:
1153         (JSC::testBranchTruncateDoubleToInt32):
1154         (JSC::run):
1155         Add tests for branchTruncateDoubleToInt32().
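
        A portable model of the contract this fix restores (an added example, not
        JSC or testmasm code): with BranchIfTruncateSuccessful, the destination is
        written before the branch is taken, so a caller that reads it on the
        success path never sees a stale register. `truncateDoubleToInt32`,
        `staleDestBug`, `FAILED_TRUNCATION_SENTINEL` and the 0xDEAD seed value are
        names and values chosen here; the sentinel the real instruction leaves in
        the register on failure is an assumption of the model, not MIPS behaviour
        read from the page.

```javascript
// Added example (not JSC code): models the branchTruncateDoubleToInt32 contract.
const INT32_MIN = -2147483648;
const INT32_MAX = 2147483647;

// Assumed sentinel for a failed truncation (not taken from the page).
const FAILED_TRUNCATION_SENTINEL = INT32_MIN;

// Correct behaviour: dest is always written, then the "branch" outcome is reported.
// Returns true when truncation succeeded, i.e. the BranchIfTruncateSuccessful
// branch would be taken; dest.reg holds the truncated value in that case.
function truncateDoubleToInt32(value, dest) {
  const t = Math.trunc(value);
  const ok = Number.isFinite(t) && t >= INT32_MIN && t <= INT32_MAX;
  // `| 0` is safe for in-range values and normalises -0 to 0.
  dest.reg = ok ? (t | 0) : FAILED_TRUNCATION_SENTINEL;
  return ok;
}

// The regression being fixed, modelled: the success path branched away before
// dest was written, so the register kept whatever it held before.
function staleDestBug(value, dest) {
  const t = Math.trunc(value);
  const ok = Number.isFinite(t) && t >= INT32_MIN && t <= INT32_MAX;
  if (ok) return true;                      // branch taken, dest untouched
  dest.reg = FAILED_TRUNCATION_SENTINEL;
  return false;
}

// Drive an implementation with a deliberately poisoned destination so that a
// missing write shows up as the poison value leaking into the result.
function runWithPoisonedDest(impl, value) {
  const dest = { reg: 0xDEAD };             // constructed stale value
  const ok = impl(value, dest);
  return { ok, reg: dest.reg };
}
```

        `runWithPoisonedDest(staleDestBug, 3.9)` reports success but returns the
        poison value, which is the failure shape the new testmasm cases guard
        against; the fixed model returns 3.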
1156
1157 2017-11-14  Daniel Bates  <dabates@apple.com>
1158
1159         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
1160         for feature defines
1161
1162         Following r195498 and r201917 the Visual Studio property files for feature defines have
1163         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
1164         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
1165         files.
1166
1167         * Configurations/FeatureDefines.xcconfig:
1168
1169 2017-11-14  Mark Lam  <mark.lam@apple.com>
1170
1171         Remove JSDollarVMPrototype.
1172         https://bugs.webkit.org/show_bug.cgi?id=179685
1173
1174         Reviewed by Saam Barati.
1175
1176         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
1177
1178            This allows us to call these functions during lldb debugging sessions using
1179            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
1180            VMInspector provides VM debugging utility methods.  It doesn't make sense to
1181            have a JSDollarVMPrototype object provide these methods.
1182
1183            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
1184
1185         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
1186
1187            JSDollarVM is a special object used only for debugging purposes.  There's no
1188            gain in requiring its methods to be stored in a prototype object other than to
1189            conform to typical JS convention.  We can remove this complexity.
1190
1191         * JavaScriptCore.xcodeproj/project.pbxproj:
1192         * Sources.txt:
1193         * runtime/JSGlobalObject.cpp:
1194         (JSC::JSGlobalObject::init):
1195         * tools/JSDollarVM.cpp:
1196         (JSC::JSDollarVM::addFunction):
1197         (JSC::functionCrash):
1198         (JSC::functionDFGTrue):
1199         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
1200         (JSC::CallerFrameJITTypeFunctor::operator() const):
1201         (JSC::CallerFrameJITTypeFunctor::jitType):
1202         (JSC::functionLLintTrue):
1203         (JSC::functionJITTrue):
1204         (JSC::functionGC):
1205         (JSC::functionEdenGC):
1206         (JSC::functionCodeBlockForFrame):
1207         (JSC::codeBlockFromArg):
1208         (JSC::functionCodeBlockFor):
1209         (JSC::functionPrintSourceFor):
1210         (JSC::functionPrintBytecodeFor):
1211         (JSC::functionPrint):
1212         (JSC::functionPrintCallFrame):
1213         (JSC::functionPrintStack):
1214         (JSC::functionValue):
1215         (JSC::functionGetPID):
1216         (JSC::JSDollarVM::finishCreation):
1217         * tools/JSDollarVM.h:
1218         (JSC::JSDollarVM::create):
1219         * tools/JSDollarVMPrototype.cpp: Removed.
1220         * tools/JSDollarVMPrototype.h: Removed.
1221         * tools/VMInspector.cpp:
1222         (JSC::VMInspector::currentThreadOwnsJSLock):
1223         (JSC::ensureCurrentThreadOwnsJSLock):
1224         (JSC::VMInspector::gc):
1225         (JSC::VMInspector::edenGC):
1226         (JSC::VMInspector::isInHeap):
1227         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1228         (JSC::CellAddressCheckFunctor::operator() const):
1229         (JSC::VMInspector::isValidCell):
1230         (JSC::VMInspector::isValidCodeBlock):
1231         (JSC::VMInspector::codeBlockForFrame):
1232         (JSC::PrintFrameFunctor::PrintFrameFunctor):
1233         (JSC::PrintFrameFunctor::operator() const):
1234         (JSC::VMInspector::printCallFrame):
1235         (JSC::VMInspector::printStack):
1236         (JSC::VMInspector::printValue):
1237         * tools/VMInspector.h:
1238
1239 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1240
1241         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
1242         https://bugs.webkit.org/show_bug.cgi?id=179640
1243         <rdar://problem/35517361>
1244
1245         Reviewed by Devin Rousso.
1246
1247         * CMakeLists.txt:
1248         * DerivedSources.make:
1249         Gate the ServiceWorker domain on the ENABLE feature flag.
1250
1251         * inspector/protocol/ServiceWorker.json: Added.
1252         New domain to be made available inside of a ServiceWorker target.
1253
1254 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1255
1256         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1257         https://bugs.webkit.org/show_bug.cgi?id=179594
1258
1259         Reviewed by Saam Barati.
1260
1261         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
1262         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
1263         `arguments[i]` accesses if i is in bounds, and (2) encourage the arguments elimination phase
1264         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
1265         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
1266
1267         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
1268         accept this type, and emit optimized code compared to Array::Generic case.
1269
1270         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) as OutOfBounds
1271         exit instead of ExoticObjectMode.
1272
1273         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
1274         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
1275
1276             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
1277
1278         * dfg/DFGArgumentsEliminationPhase.cpp:
1279         * dfg/DFGArrayMode.cpp:
1280         (JSC::DFG::ArrayMode::refine const):
1281         * dfg/DFGClobberize.h:
1282         (JSC::DFG::clobberize):
1283         * dfg/DFGSpeculativeJIT.cpp:
1284         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1285         * ftl/FTLLowerDFGToB3.cpp:
1286         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1287         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1288
1289 2017-11-14  Saam Barati  <sbarati@apple.com>
1290
1291         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1292         https://bugs.webkit.org/show_bug.cgi?id=179639
1293         <rdar://problem/35513018>
1294
1295         Reviewed by JF Bastien.
1296
1297         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
1298         walk the stack for ShadowChicken (and maybe other things). We weren't updating
1299         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
1300         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
1301         this bug by giving Wasm::Instance a lambda that is called when we need to store
1302         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
1303         Currently, JSWebAssemblyInstance passes in a lambda that stores to
1304         VM.topCallFrame.
1305
1306         * wasm/WasmB3IRGenerator.cpp:
1307         (JSC::Wasm::B3IRGenerator::addGrowMemory):
1308         * wasm/WasmInstance.cpp:
1309         (JSC::Wasm::Instance::Instance):
1310         (JSC::Wasm::Instance::create):
1311         * wasm/WasmInstance.h:
1312         (JSC::Wasm::Instance::storeTopCallFrame):
1313         * wasm/js/JSWebAssemblyInstance.cpp:
1314         (JSC::JSWebAssemblyInstance::create):
1315         * wasm/js/JSWebAssemblyInstance.h:
1316         * wasm/js/WasmToJS.cpp:
1317         (JSC::Wasm::wasmToJSException):
1318         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1319         (JSC::constructJSWebAssemblyInstance):
1320         * wasm/js/WebAssemblyPrototype.cpp:
1321         (JSC::instantiate):
1322
1323 2017-11-13  Saam Barati  <sbarati@apple.com>
1324
1325         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
1326         https://bugs.webkit.org/show_bug.cgi?id=179203
1327
1328         Reviewed by Yusuke Suzuki.
1329
1330         This patch only removes the pointer caging for the described types in the title.
1331         These types still allocate out of the gigacage. This is just a cost vs benefit
1332         tradeoff of performance vs security.
1333
1334         * dfg/DFGSpeculativeJIT.cpp:
1335         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1336         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1337         * ftl/FTLLowerDFGToB3.cpp:
1338         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1339         * jit/JITPropertyAccess.cpp:
1340         (JSC::JIT::emitDirectArgumentsGetByVal):
1341         (JSC::JIT::emitScopedArgumentsGetByVal):
1342         * runtime/DirectArguments.h:
1343         (JSC::DirectArguments::storage):
1344         * runtime/HashMapImpl.cpp:
1345         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1346         * runtime/HashMapImpl.h:
1347         * runtime/JSLexicalEnvironment.h:
1348         (JSC::JSLexicalEnvironment::variables):
1349         * runtime/ScopedArguments.h:
1350         (JSC::ScopedArguments::overflowStorage const):
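
        The caging operation that this entry (and the "Only cage double butterfly accesses"
        entry below) trades against performance, as an added worked example. This is
        constructed C++ for illustration, not JSC's Gigacage code: the 4 KiB cage, `g_cage`,
        `caged()` and `isInCage()` are assumptions scaled down so the block runs stand-alone.

```cpp
#include <cstddef>
#include <cstdint>

// Toy cage: one power-of-two-sized region whose base is aligned to its size. The real
// Gigacage reserves a very large virtual region; 4 KiB here is only so the example runs.
constexpr std::size_t CageSize = 4096;
alignas(CageSize) static unsigned char g_cage[CageSize];

static inline std::uintptr_t cageBase() { return reinterpret_cast<std::uintptr_t>(g_cage); }

// Force a pointer back into the cage. Because the base is CageSize-aligned, masking
// leaves an in-cage pointer unchanged and maps any other pointer onto the slot at the
// same offset inside the cage. (Constructed simplification of pointer caging.)
template<typename T>
T* caged(T* ptr)
{
    std::uintptr_t offset = reinterpret_cast<std::uintptr_t>(ptr) & (CageSize - 1);
    return reinterpret_cast<T*>(cageBase() + offset);
}

bool isInCage(const void* ptr)
{
    std::uintptr_t p = reinterpret_cast<std::uintptr_t>(ptr);
    return p >= cageBase() && p < cageBase() + CageSize;
}

// A pointer that already lives in the cage must survive caging unchanged, otherwise
// every legitimate access would be redirected.
bool cagedPreservesInCagePointer()
{
    double* slot = reinterpret_cast<double*>(g_cage + 64);
    return caged(slot) == slot;
}

// Simulate a corrupted butterfly pointer: a pointer to memory outside the cage. An
// uncaged double store would clobber `outside`; the caged store lands inside the cage,
// so the arbitrary 8-byte pattern cannot reach memory outside it.
bool cagedStoreStaysInCage()
{
    static double outside = 1.0;
    double* corrupted = &outside;
    double* target = caged(corrupted);
    *target = -0.0;  // any bit pattern; doubles are why these stores stay caged
    return isInCage(target) && outside == 1.0 && target != corrupted;
}
```

        The point the tradeoff rests on is visible in `cagedStoreStaysInCage()`: a caged
        store can only corrupt cage memory, so removing caging from a type widens what a
        corrupted pointer of that type can reach, while keeping it for double stores keeps
        the one kind of store that writes arbitrary bit patterns inside the cage.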
1351
1352 2017-11-08  Keith Miller  <keith_miller@apple.com>
1353
1354         Async iteration should only fetch the next method once and add feature flag
1355         https://bugs.webkit.org/show_bug.cgi?id=179451
1356
1357         Reviewed by Geoffrey Garen.
1358
1359         Add feature flag for Async iteration. Also, change async iteration to match
1360         the expected behavior of the proposal.
1361
1362         * Configurations/FeatureDefines.xcconfig:
1363         * builtins/AsyncFromSyncIteratorPrototype.js:
1364         (globalPrivate.createAsyncFromSyncIterator):
1365         (globalPrivate.AsyncFromSyncIteratorConstructor):
1366         * builtins/BuiltinNames.h:
1367         * bytecompiler/BytecodeGenerator.cpp:
1368         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1369         * runtime/Options.h:
1370
1371 2017-11-13  Mark Lam  <mark.lam@apple.com>
1372
1373         Add more overflow check book-keeping for MarkedArgumentBuffer.
1374         https://bugs.webkit.org/show_bug.cgi?id=179634
1375         <rdar://problem/35492517>
1376
1377         Reviewed by Saam Barati.
1378
1379         * runtime/ArgList.h:
1380         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
1381         * runtime/JSJob.cpp:
1382         (JSC::JSJobMicrotask::run):
1383         * runtime/ObjectConstructor.cpp:
1384         (JSC::defineProperties):
1385         * runtime/ReflectObject.cpp:
1386         (JSC::reflectObjectConstruct):
1387
1388 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
1389
1390         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
1391         https://bugs.webkit.org/show_bug.cgi?id=179542
1392
1393         Reviewed by Alex Christensen.
1394
1395         * assembler/MacroAssemblerARM.h:
1396         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
1397
1398 2017-11-13  Mark Lam  <mark.lam@apple.com>
1399
1400         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1401         https://bugs.webkit.org/show_bug.cgi?id=179619
1402         <rdar://problem/35492518>
1403
1404         Reviewed by Saam Barati.
1405
1406         * jsc.cpp:
1407         (functionLoadGetterFromGetterSetter):
1408
1409 2017-11-12  Darin Adler  <darin@apple.com>
1410
1411         More is<> and downcast<>, less static_cast<>
1412         https://bugs.webkit.org/show_bug.cgi?id=179600
1413
1414         Reviewed by Chris Dumez.
1415
1416         * runtime/JSString.h:
1417         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
1418         (JSC::jsSubstringOfResolved): Ditto.
1419
1420 2017-11-12  Mark Lam  <mark.lam@apple.com>
1421
1422         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1423         https://bugs.webkit.org/show_bug.cgi?id=179562
1424         <rdar://problem/35467022>
1425
1426         Reviewed by Saam Barati.
1427
1428         * dfg/DFGFixupPhase.cpp:
1429         (JSC::DFG::FixupPhase::fixupNode):
1430         * dfg/DFGOperations.cpp:
1431         * dfg/DFGSafeToExecute.h:
1432         (JSC::DFG::SafeToExecuteEdge::operator()):
1433         * dfg/DFGSpeculativeJIT.cpp:
1434         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
1435         (JSC::DFG::SpeculativeJIT::speculate):
1436         * dfg/DFGSpeculativeJIT.h:
1437         * dfg/DFGUseKind.cpp:
1438         (WTF::printInternal):
1439         * dfg/DFGUseKind.h:
1440         (JSC::DFG::typeFilterFor):
1441         * ftl/FTLCapabilities.cpp:
1442         (JSC::FTL::canCompile):
1443         * ftl/FTLLowerDFGToB3.cpp:
1444         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1445         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
1446
1447 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
1448
1449         Web Inspector: Canvas tab: show detailed status during canvas recording
1450         https://bugs.webkit.org/show_bug.cgi?id=178185
1451         <rdar://problem/34939862>
1452
1453         Reviewed by Brian Burg.
1454
1455         * inspector/protocol/Canvas.json:
1456         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
1457         payloads since the last Canvas.recordingProgress event and the current buffer usage.
1458
1459         * inspector/protocol/Recording.json:
1460         Remove the required `frames` parameter from the Recording protocol object, as they will be
1461         sent in batches via the Canvas.recordingProgress event.
1462
1463 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
1464
1465         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
1466         https://bugs.webkit.org/show_bug.cgi?id=179543
1467
1468         Reviewed by Antoine Quint.
1469
1470         * inspector/protocol/Network.json:
1471         Use a better type for the status code.
1472
1473 2017-11-10  Robin Morisset  <rmorisset@apple.com>
1474
1475         The memory consumption of DFG::BasicBlock can be easily reduced a bit
1476         https://bugs.webkit.org/show_bug.cgi?id=179528
1477
1478         Reviewed by Saam Barati.
1479
1480         A few changes here:
1481         - Reordering some fields of DFG::BasicBlock to reduce padding
1482         - Making the enum fields that are glorified booleans fit into a u8
1483         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
1484           This change works because we never increase the number of arguments after allocating an Operands object.
1485           It lets us avoid one extra capacity field and one extra pointer field per Operands,
1486           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
1487           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
1488           we have a chance to avoid an allocation.
1489         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
1490
1491         * bytecode/Operands.h:
1492         (JSC::Operands::Operands):
1493         (JSC::Operands::numberOfArguments const):
1494         (JSC::Operands::numberOfLocals const):
1495         (JSC::Operands::argument):
1496         (JSC::Operands::argument const):
1497         (JSC::Operands::local):
1498         (JSC::Operands::local const):
1499         (JSC::Operands::ensureLocals):
1500         (JSC::Operands::setLocal):
1501         (JSC::Operands::getLocal):
1502         (JSC::Operands::setArgumentFirstTime):
1503         (JSC::Operands::setLocalFirstTime):
1504         (JSC::Operands::operand):
1505         (JSC::Operands::setOperand):
1506         (JSC::Operands::size const):
1507         (JSC::Operands::at const):
1508         (JSC::Operands::at):
1509         (JSC::Operands::isArgument const):
1510         (JSC::Operands::isVariable const):
1511         (JSC::Operands::virtualRegisterForIndex const):
1512         (JSC::Operands::fill):
1513         (JSC::Operands::operator== const):
1514         (JSC::Operands::argumentForIndex const): Deleted.
1515         (JSC::Operands::variableForIndex const): Deleted.
1516         (JSC::Operands::indexForOperand const): Deleted.
1517         * dfg/DFGBasicBlock.cpp:
1518         (JSC::DFG::BasicBlock::BasicBlock):
1519         * dfg/DFGBasicBlock.h:
1520         * dfg/DFGBranchDirection.h:
1521         * dfg/DFGStructureClobberState.h:
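
        The single-vector layout described in this entry, as an added worked example. It is
        a constructed model of the idea (arguments first, then locals, with a fixed argument
        count), not JSC's Operands<T>; the class and method names are assumptions chosen to
        mirror the entry's list.

```cpp
#include <cassert>
#include <cstddef>
#include <vector>

// Single backing vector: [arg0 .. argN-1][local0 .. localM-1].
// The argument count is fixed at construction; that invariant is what makes one vector
// sufficient, since locals only ever grow at the tail and argument slots never move.
template<typename T>
class Operands {
public:
    Operands(std::size_t numArguments, std::size_t numLocals, const T& fillValue = T())
        : m_numArguments(numArguments)
        , m_values(numArguments + numLocals, fillValue)
    {
    }

    std::size_t numberOfArguments() const { return m_numArguments; }
    std::size_t numberOfLocals() const { return m_values.size() - m_numArguments; }
    std::size_t size() const { return m_values.size(); }

    // Index translation: an argument index is used directly, a local index is offset by
    // the (fixed) number of arguments.
    T& argument(std::size_t index) { assert(index < m_numArguments); return m_values[index]; }
    const T& argument(std::size_t index) const { assert(index < m_numArguments); return m_values[index]; }
    T& local(std::size_t index) { assert(index < numberOfLocals()); return m_values[m_numArguments + index]; }
    const T& local(std::size_t index) const { assert(index < numberOfLocals()); return m_values[m_numArguments + index]; }

    // Growing the local area only appends to the single vector; a two-vector design
    // would pay a separate capacity field, pointer and possible allocation for locals.
    void ensureLocals(std::size_t count, const T& fillValue = T())
    {
        if (count <= numberOfLocals())
            return;
        m_values.resize(m_numArguments + count, fillValue);
    }

    bool isArgument(std::size_t flatIndex) const { return flatIndex < m_numArguments; }
    bool isLocal(std::size_t flatIndex) const { return flatIndex >= m_numArguments; }

    // Flat access over both areas, for code that walks every operand.
    T& at(std::size_t flatIndex) { return m_values[flatIndex]; }
    const T& at(std::size_t flatIndex) const { return m_values[flatIndex]; }

    void fill(const T& value) { for (T& v : m_values) v = value; }

private:
    std::size_t m_numArguments;
    std::vector<T> m_values;
};

// 2 arguments and 1 local, then grow the locals and check that nothing moved.
bool operandsLayoutHolds()
{
    Operands<int> ops(2, 1, 0);
    ops.argument(0) = 10;
    ops.argument(1) = 11;
    ops.local(0) = 20;
    ops.ensureLocals(3, -1);
    return ops.size() == 5
        && ops.numberOfLocals() == 3
        && ops.at(0) == 10 && ops.at(1) == 11   // arguments still first
        && ops.at(2) == 20 && ops.at(3) == -1   // locals follow, new ones filled
        && ops.isArgument(1) && ops.isLocal(2);
}
```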
1522
1523 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1524
1525         [JSC] Retry module fetching if previous request fails
1526         https://bugs.webkit.org/show_bug.cgi?id=178168
1527
1528         Reviewed by Saam Barati.
1529
1530         According to the latest spec, the failed fetching operation can be retried if it is requested again.
1531         For example,
1532
1533             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
1534             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
1535
1536         When performing the first module fetching, the integrity check fails, and the load of this module fails.
1537         But when loading the second module, we do not use the cached failure result in the first module loading.
1538         We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
1539         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
1540
1541         Interestingly, fetching result and instantiation result will be cached if they succeed. This is because we would
1542         like to cache modules based on their URLs. As a result,
1543
1544             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
1545             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
1546
1547         In the above case, the first loading succeeds. And the second loading also succeeds since the successful fetching and
1548         instantiation are cached in the module pipeline.
1549
1550         This patch implements the above semantics. Previously, our module pipeline always caches the result. If the fetching
1551         failed, all the subsequent fetching for the same URL fails even if we have different integrity values. We retry fetching
1552         if the previous one fails. As an overview of our change,
1553
1554         1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
1555            be unified. But if the currently executing one fails, other attempts should retry fetching.
1556
1557         2. Instantiation should be cached if fetching succeeds.
1558
1559         3. Satisfying should be cached if it succeeds.
1560
1561         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
1562
1563         * builtins/ModuleLoaderPrototype.js:
1564         (requestFetch):
1565         (requestInstantiate):
1566         (requestSatisfy):
1567         (link):
1568         (loadModule):
1569         * runtime/JSGlobalObject.cpp:
1570         (JSC::JSGlobalObject::init):
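
        The fetch-stage semantics from point 1 above (unify in-flight requests, cache only
        on success, retry after failure), as an added worked example that plays through
        both <script> sequences from this entry. It is constructed C++ for illustration,
        not ModuleLoaderPrototype.js: `ModuleFetchRegistry`, its methods and the digest
        strings are assumptions, and the integrity check is modelled as a plain string
        comparison between the expected and delivered digests.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

struct FetchResult {
    bool ok;
    std::string source;  // empty on failure
};

// Fetch stage of a module pipeline: requests for a URL that arrive while a fetch is in
// flight join it; a successful result is cached by URL; a failure is not cached, so the
// next request for that URL fetches again.
class ModuleFetchRegistry {
public:
    using Callback = std::function<void(const FetchResult&)>;

    // `integrity` is the digest the requesting <script> expects. The request that starts
    // the network fetch decides which digest the delivered bytes are checked against.
    void requestFetch(const std::string& url, const std::string& integrity, Callback callback)
    {
        auto it = m_entries.find(url);
        if (it != m_entries.end()) {
            Entry& entry = it->second;
            if (entry.state == State::Fetched) {
                callback(FetchResult { true, entry.source });  // cached success: no refetch
                return;
            }
            entry.waiters.push_back(std::move(callback));  // unify with the in-flight fetch
            return;
        }
        Entry& entry = m_entries[url];
        entry.expectedIntegrity = integrity;
        entry.waiters.push_back(std::move(callback));
        ++m_networkFetches;
    }

    // The network delivered `source`, whose digest is `actualDigest` (constructed inputs).
    void completeFetch(const std::string& url, const std::string& source, const std::string& actualDigest)
    {
        auto it = m_entries.find(url);
        if (it == m_entries.end() || it->second.state != State::Fetching)
            return;
        std::vector<Callback> waiters = std::move(it->second.waiters);
        bool ok = it->second.expectedIntegrity == actualDigest;
        if (ok) {
            it->second.state = State::Fetched;
            it->second.source = source;
        } else
            m_entries.erase(it);  // the failure is not cached
        FetchResult result { ok, ok ? source : std::string() };
        for (Callback& waiter : waiters)
            waiter(result);
    }

    int networkFetches() const { return m_networkFetches; }
    bool isCached(const std::string& url) const { auto it = m_entries.find(url); return it != m_entries.end() && it->second.state == State::Fetched; }

private:
    enum class State { Fetching, Fetched };
    struct Entry {
        State state = State::Fetching;
        std::string expectedIntegrity;
        std::string source;
        std::vector<Callback> waiters;
    };
    std::map<std::string, Entry> m_entries;
    int m_networkFetches = 0;
};

struct ScenarioOutcome {
    std::vector<bool> outcomes;  // one entry per requestFetch, in request order
    int networkFetches;
    bool cachedAtEnd;
};

// Plays through the two <script> sequences from the entry above for "./A.js".
ScenarioOutcome playRetryScenario()
{
    ModuleFetchRegistry registry;
    std::vector<bool> outcomes;
    auto record = [&outcomes](const FetchResult& r) { outcomes.push_back(r.ok); };
    // Bad integrity first; a second request joins the fetch while it is in flight.
    registry.requestFetch("./A.js", "shaXXX-bad", record);
    registry.requestFetch("./A.js", "shaXXX-bad", record);
    registry.completeFetch("./A.js", "export default 1;", "shaXXX-correct");  // mismatch: both fail
    // Correct integrity now: the failure was not cached, so this fetches again and succeeds.
    registry.requestFetch("./A.js", "shaXXX-correct", record);
    registry.completeFetch("./A.js", "export default 1;", "shaXXX-correct");
    // A later request with a bad integrity is served from the cached success.
    registry.requestFetch("./A.js", "shaXXX-bad", record);
    return ScenarioOutcome { outcomes, registry.networkFetches(), registry.isCached("./A.js") };
}
```

        The scenario performs exactly two network fetches: the first two requests share one
        failed fetch, the third refetches and succeeds, and the fourth is answered from the
        cache even though its integrity value is wrong, which is the second sequence in the
        entry above.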
1571
1572 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
1573
1574         Web Inspector: support undo/redo of insertAdjacentHTML
1575         https://bugs.webkit.org/show_bug.cgi?id=179283
1576
1577         Reviewed by Joseph Pecoraro.
1578
1579         * inspector/protocol/DOM.json:
1580         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
1581         on the given node.
1582
1583 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
1584
1585         Web Inspector: Make domain availability a list of types instead of a single type
1586         https://bugs.webkit.org/show_bug.cgi?id=179457
1587
1588         Reviewed by Brian Burg.
1589
1590         * inspector/scripts/codegen/generate_js_backend_commands.py:
1591         (JSBackendCommandsGenerator.generate_domain):
1592         Update output of `InspectorBackend.activateDomain` to include the list.
1593
1594         * inspector/scripts/codegen/models.py:
1595         (Protocol.parse_domain):
1596         Parse `availability` as a list and include a new supported value of "service-worker".
1597
1598         * inspector/protocol/ApplicationCache.json:
1599         * inspector/protocol/CSS.json:
1600         * inspector/protocol/Canvas.json:
1601         * inspector/protocol/DOM.json:
1602         * inspector/protocol/DOMDebugger.json:
1603         * inspector/protocol/DOMStorage.json:
1604         * inspector/protocol/Database.json:
1605         * inspector/protocol/IndexedDB.json:
1606         * inspector/protocol/LayerTree.json:
1607         * inspector/protocol/Memory.json:
1608         * inspector/protocol/Network.json:
1609         * inspector/protocol/Page.json:
1610         * inspector/protocol/Timeline.json:
1611         * inspector/protocol/Worker.json:
1612         Update `availability` to be a list.
1613
1614         * inspector/scripts/tests/generic/domain-availability.json:
1615         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1616         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
1617         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
1618         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
1619         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1620         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1621         Update tests to include a test for the type and an invalid value.
1622
1623 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1624
1625         [JSC][JIT] Clean up SlowPathCall stubs
1626         https://bugs.webkit.org/show_bug.cgi?id=179247
1627
1628         Reviewed by Saam Barati.
1629
1630         We have a bunch of duplicate functions that just call a slow path function.
1631         This patch cleans up the above duplication.
1632
1633         * jit/JIT.cpp:
1634         (JSC::JIT::emitSlowCaseCall):
1635         (JSC::JIT::privateCompileSlowCases):
1636         * jit/JIT.h:
1637         * jit/JITArithmetic.cpp:
1638         (JSC::JIT::emitSlow_op_unsigned): Deleted.
1639         (JSC::JIT::emitSlow_op_inc): Deleted.
1640         (JSC::JIT::emitSlow_op_dec): Deleted.
1641         (JSC::JIT::emitSlow_op_bitand): Deleted.
1642         (JSC::JIT::emitSlow_op_bitor): Deleted.
1643         (JSC::JIT::emitSlow_op_bitxor): Deleted.
1644         (JSC::JIT::emitSlow_op_lshift): Deleted.
1645         (JSC::JIT::emitSlow_op_rshift): Deleted.
1646         (JSC::JIT::emitSlow_op_urshift): Deleted.
1647         (JSC::JIT::emitSlow_op_div): Deleted.
1648         * jit/JITArithmetic32_64.cpp:
1649         (JSC::JIT::emitSlow_op_unsigned): Deleted.
1650         (JSC::JIT::emitSlow_op_inc): Deleted.
1651         (JSC::JIT::emitSlow_op_dec): Deleted.
1652         * jit/JITOpcodes.cpp:
1653         (JSC::JIT::emitSlow_op_create_this): Deleted.
1654         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1655         (JSC::JIT::emitSlow_op_to_this): Deleted.
1656         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1657         (JSC::JIT::emitSlow_op_not): Deleted.
1658         (JSC::JIT::emitSlow_op_stricteq): Deleted.
1659         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1660         (JSC::JIT::emitSlow_op_to_number): Deleted.
1661         (JSC::JIT::emitSlow_op_to_string): Deleted.
1662         (JSC::JIT::emitSlow_op_to_object): Deleted.
1663         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1664         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
1665         * jit/JITOpcodes32_64.cpp:
1666         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1667         (JSC::JIT::emitSlow_op_not): Deleted.
1668         (JSC::JIT::emitSlow_op_stricteq): Deleted.
1669         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1670         (JSC::JIT::emitSlow_op_to_number): Deleted.
1671         (JSC::JIT::emitSlow_op_to_string): Deleted.
1672         (JSC::JIT::emitSlow_op_to_object): Deleted.
1673         (JSC::JIT::emitSlow_op_create_this): Deleted.
1674         (JSC::JIT::emitSlow_op_to_this): Deleted.
1675         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1676         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1677         * jit/JITPropertyAccess.cpp:
1678         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1679         * jit/JITPropertyAccess32_64.cpp:
1680         (JSC::JIT::emit_op_resolve_scope):
1681         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1682         * jit/SlowPathCall.h:
1683         (JSC::JITSlowPathCall::JITSlowPathCall):
1684         * runtime/CommonSlowPaths.cpp:
1685         (JSC::SLOW_PATH_DECL):
1686         * runtime/CommonSlowPaths.h:
1687
1688 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
1689
1690         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
1691         https://bugs.webkit.org/show_bug.cgi?id=179446
1692
1693         Reviewed by Žan Doberšek.
1694
1695         The trunc.w.d mips instruction should give a 0x7fffffff result when
1696         the source value is Infinity, NaN, or rounds to an integer outside the
1697         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
1698         branchTruncateDoubleToUInt32() have been relying on. It turns out that
1699         this assumption is not true on some CPUs, including on the ci20 on
1700         which we run the testbot (we get 0x80000000 instead). We should use the
1701         invalid operation cause bit instead to check whether the source value
1702         could be properly truncated. This requires the addition of the cfc1
1703         instruction, as well as the special registers that can be used with it
1704         (control registers of CP1).
1705
1706         * assembler/MIPSAssembler.h:
1707         (JSC::MIPSAssembler::firstSPRegister):
1708         (JSC::MIPSAssembler::lastSPRegister):
1709         (JSC::MIPSAssembler::numberOfSPRegisters):
1710         (JSC::MIPSAssembler::sprName):
1711         Added control registers of CP1.
1712         (JSC::MIPSAssembler::cfc1):
1713         Added.
1714         * assembler/MacroAssemblerMIPS.h:
1715         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
1716         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
1717         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
1718         Use fcsr to check if the value could be properly truncated.
1719
1720 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
1721
1722         HTMLMediaElement should not use element fullscreen on iOS
1723         https://bugs.webkit.org/show_bug.cgi?id=179418
1724         rdar://problem/35409277
1725
1726         Reviewed by Eric Carlson.
1727
1728         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
1729
1730         * Configurations/FeatureDefines.xcconfig:
1731
1732 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1733
1734         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
1735         https://bugs.webkit.org/show_bug.cgi?id=179276
1736
1737         Reviewed by Andy Estes.
1738
1739         * inspector/InjectedScriptHost.h:
1740         * inspector/JSInjectedScriptHost.cpp:
1741         (Inspector::JSInjectedScriptHost::getInternalProperties):
1742         Call through to virtual implementation so that WebCore can provide custom
1743         internal properties for Web / DOM objects.
1744
1745 2017-11-08  Saam Barati  <sbarati@apple.com>
1746
1747         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1748         https://bugs.webkit.org/show_bug.cgi?id=177792
1749
1750         Reviewed by Yusuke Suzuki.
1751
1752         Before this patch, if a JSFunction's rare data initialized its allocation profile
1753         before its backing Executable's poly proto watchpoint was invalidated, that
1754         JSFunction would continue to allocate non-poly proto objects until its allocation
1755         profile was cleared (which essentially never happens in practice). This patch
1756         improves on this pathology. A JSFunction's rare data will now watch the poly
1757         proto watchpoint if it's still valid and clear its allocation profile when we
1758         detect that we should go poly proto.
1759
1760         * bytecode/ObjectAllocationProfile.h:
1761         * bytecode/ObjectAllocationProfileInlines.h:
1762         (JSC::ObjectAllocationProfile::initializeProfile):
1763         * runtime/FunctionRareData.cpp:
1764         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1765         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1766         * runtime/FunctionRareData.h:
1767         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
1768         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
1769         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
1770
1771 2017-11-08  Keith Miller  <keith_miller@apple.com>
1772
1773         Add super sampler begin and end bytecodes.
1774         https://bugs.webkit.org/show_bug.cgi?id=179376
1775
1776         Reviewed by Filip Pizlo.
1777
1778         This patch adds a way to measure a narrow range of bytecodes for
1779         performance. This is done using the same infrastructure as the
1780         super sampler. I also added a class that helps do the bytecode
1781         checking with RAII. One problem with the current way this is done
1782         is that we don't handle decrementing early exits, either from
1783         branches or exceptions. So, when using this API users need to
1784         ensure that there are no early exits or that those exits don't
1785         occur on the measure code.
1786
1787         * JavaScriptCore.xcodeproj/project.pbxproj:
1788         * bytecode/BytecodeDumper.cpp:
1789         (JSC::BytecodeDumper<Block>::dumpBytecode):
1790         * bytecode/BytecodeList.json:
1791         * bytecode/BytecodeUseDef.h:
1792         (JSC::computeUsesForBytecodeOffset):
1793         (JSC::computeDefsForBytecodeOffset):
1794         * bytecompiler/BytecodeGenerator.cpp:
1795         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
1796         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
1797         * bytecompiler/BytecodeGenerator.h:
1798         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
1799         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
1800         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
1801         * dfg/DFGAbstractInterpreterInlines.h:
1802         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1803         * dfg/DFGByteCodeParser.cpp:
1804         (JSC::DFG::ByteCodeParser::parseBlock):
1805         * dfg/DFGClobberize.h:
1806         (JSC::DFG::clobberize):
1807         * dfg/DFGClobbersExitState.cpp:
1808         (JSC::DFG::clobbersExitState):
1809         * dfg/DFGDoesGC.cpp:
1810         (JSC::DFG::doesGC):
1811         * dfg/DFGFixupPhase.cpp:
1812         (JSC::DFG::FixupPhase::fixupNode):
1813         * dfg/DFGMayExit.cpp:
1814         * dfg/DFGNodeType.h:
1815         * dfg/DFGPredictionPropagationPhase.cpp:
1816         * dfg/DFGSafeToExecute.h:
1817         (JSC::DFG::safeToExecute):
1818         * dfg/DFGSpeculativeJIT.cpp:
1819         * dfg/DFGSpeculativeJIT32_64.cpp:
1820         (JSC::DFG::SpeculativeJIT::compile):
1821         * dfg/DFGSpeculativeJIT64.cpp:
1822         (JSC::DFG::SpeculativeJIT::compile):
1823         * ftl/FTLCapabilities.cpp:
1824         (JSC::FTL::canCompile):
1825         * ftl/FTLLowerDFGToB3.cpp:
1826         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1827         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
1828         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
1829         * jit/JIT.cpp:
1830         (JSC::JIT::privateCompileMainPass):
1831         * jit/JIT.h:
1832         * jit/JITOpcodes.cpp:
1833         (JSC::JIT::emit_op_super_sampler_begin):
1834         (JSC::JIT::emit_op_super_sampler_end):
1835         * llint/LLIntSlowPaths.cpp:
1836         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1837         * llint/LLIntSlowPaths.h:
1838         * llint/LowLevelInterpreter.asm:
1839
1840 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1841
1842         Turn recursive tail calls into loops
1843         https://bugs.webkit.org/show_bug.cgi?id=176601
1844
1845         Reviewed by Saam Barati.
1846
1847         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1848
1849         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
1850         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
1851         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
1852         We do this part through modifying the computation of the jump targets.
1853         Importantly, we only do this splitting for functions that have tail calls.
1854         It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
1855
1856         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
1857         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
1858
1859         * bytecode/CodeBlock.h:
1860         (JSC::CodeBlock::hasTailCalls const):
1861         * bytecode/PreciseJumpTargets.cpp:
1862         (JSC::getJumpTargetsForBytecodeOffset):
1863         (JSC::computePreciseJumpTargetsInternal):
1864         * bytecode/UnlinkedCodeBlock.cpp:
1865         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1866         * bytecode/UnlinkedCodeBlock.h:
1867         (JSC::UnlinkedCodeBlock::hasTailCalls const):
1868         (JSC::UnlinkedCodeBlock::setHasTailCalls):
1869         * bytecompiler/BytecodeGenerator.cpp:
1870         (JSC::BytecodeGenerator::emitEnter):
1871         (JSC::BytecodeGenerator::emitCallInTailPosition):
1872         * dfg/DFGByteCodeParser.cpp:
1873         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1874         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
1875         (JSC::DFG::ByteCodeParser::handleCall):
1876         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1877         (JSC::DFG::ByteCodeParser::parseBlock):
1878         (JSC::DFG::ByteCodeParser::parse):
1879
1880 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1881
1882         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
1883         https://bugs.webkit.org/show_bug.cgi?id=179407
1884
1885         Reviewed by Matt Baker.
1886
1887         * inspector/protocol/Page.json:
1888         Remove unused protocol type.
1889
1890 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
1891
1892         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
1893         https://bugs.webkit.org/show_bug.cgi?id=173619
1894
1895         Reviewed by Alex Christensen and Brian Burg.
1896
1897         Eventually all classes used for our JSON-RPC message passing should be outside
1898         of the Inspector namespace since the protocol is used outside of Inspector code.
1899         This will also allow us to unify the primitive JSON types with parametric types
1900         like Inspector::Protocol::Array<T> and other protocol-related types which don't
1901         need to be in the Inspector namespace.
1902
1903         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
1904         patches, other clients will move to use JSON::Value and friends. When all uses are
1905         changed, the actual implementation will be renamed. This patch just focuses on the typedef
1906         and making changes in generated protocol code.
1907
1908         Original patch by Brian Burg, rebased and updated by me.
1909
1910         * inspector/InspectorValues.cpp:
1911         * inspector/InspectorValues.h:
1912         * inspector/scripts/codegen/cpp_generator.py:
1913         (CppGenerator.cpp_protocol_type_for_type):
1914         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
1915         (CppGenerator.cpp_type_for_type_with_name):
1916         (CppGenerator.cpp_type_for_stack_in_parameter):
1917         * inspector/scripts/codegen/cpp_generator_templates.py:
1918         (void):
1919         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1920         (_generate_class_for_object_declaration):
1921         (_generate_forward_declarations_for_binding_traits):
1922         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1923         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
1924         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1925         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1926         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1927         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1928         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1929         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1930         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1931         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1932         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1933         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1934         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1935         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1936         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1937         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1938         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1939
1940 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
1941
1942         Get rid of unsightly hex numbers from unified build object files
1943         https://bugs.webkit.org/show_bug.cgi?id=179410
1944
1945         Reviewed by Saam Barati.
1946
1947         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
1948
1949 2017-11-07  Saam Barati  <sbarati@apple.com>
1950
1951         Only cage double butterfly accesses
1952         https://bugs.webkit.org/show_bug.cgi?id=179202
1953
1954         Reviewed by Mark Lam.
1955
1956         This patch removes caging from all butterfly accesses except double loads/stores.
1957         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
1958         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
1959         by caging. The other load/stores we are no longer caging to get back performance on
1960         various benchmarks.
1961
1962         * bytecode/AccessCase.cpp:
1963         (JSC::AccessCase::generateImpl):
1964         * bytecode/InlineAccess.cpp:
1965         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1966         (JSC::InlineAccess::generateSelfPropertyAccess):
1967         (JSC::InlineAccess::generateSelfPropertyReplace):
1968         (JSC::InlineAccess::generateArrayLength):
1969         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
1970         * dfg/DFGSpeculativeJIT.cpp:
1971         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1972         (JSC::DFG::SpeculativeJIT::compileSpread):
1973         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1974         * dfg/DFGSpeculativeJIT64.cpp:
1975         (JSC::DFG::SpeculativeJIT::compile):
1976         * ftl/FTLLowerDFGToB3.cpp:
1977         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1978         * jit/JITPropertyAccess.cpp:
1979         (JSC::JIT::emitContiguousLoad):
1980         (JSC::JIT::emitArrayStorageLoad):
1981         (JSC::JIT::emitGenericContiguousPutByVal):
1982         (JSC::JIT::emitArrayStoragePutByVal):
1983         (JSC::JIT::emit_op_get_from_scope):
1984         (JSC::JIT::emit_op_put_to_scope):
1985         * llint/LowLevelInterpreter64.asm:
1986         * runtime/AuxiliaryBarrier.h:
1987         (JSC::AuxiliaryBarrier::operator-> const):
1988         * runtime/Butterfly.h:
1989         (JSC::Butterfly::caged):
1990         (JSC::Butterfly::contiguousDouble):
1991         * runtime/JSArray.cpp:
1992         (JSC::JSArray::setLength):
1993         (JSC::JSArray::pop):
1994         (JSC::JSArray::shiftCountWithAnyIndexingType):
1995         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1996         (JSC::JSArray::fillArgList):
1997         (JSC::JSArray::copyToArguments):
1998         * runtime/JSArrayInlines.h:
1999         (JSC::JSArray::pushInline):
2000         * runtime/JSObject.cpp:
2001         (JSC::JSObject::heapSnapshot):
2002         (JSC::JSObject::createInitialIndexedStorage):
2003         (JSC::JSObject::createArrayStorage):
2004         (JSC::JSObject::convertUndecidedToInt32):
2005         (JSC::JSObject::ensureLengthSlow):
2006         (JSC::JSObject::reallocateAndShrinkButterfly):
2007         (JSC::JSObject::allocateMoreOutOfLineStorage):
2008         * runtime/JSObject.h:
2009         (JSC::JSObject::canGetIndexQuickly):
2010         (JSC::JSObject::getIndexQuickly):
2011         (JSC::JSObject::tryGetIndexQuickly const):
2012         (JSC::JSObject::canSetIndexQuickly):
2013         (JSC::JSObject::butterfly const):
2014         (JSC::JSObject::butterfly):
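
The rationale above (caging the butterfly pointer, and why raw double stores are the risky case) as an added C++ illustration; this is not JavaScriptCore's code. It models a power-of-two cage with integer arithmetic and assumes an approximation of JSC's 64-bit JSValue layout (double encode offset 1 << 49, number tag 0xfffe000000000000, purified NaN); the cage size and base are constructed values.

```cpp
// Added illustration, not JavaScriptCore's code. Assumptions: the cage is a
// power-of-two region modelled with integer arithmetic; the JSValue constants
// below approximate JSC's 64-bit NaN-boxing layout and are not taken from the
// page; the cage size and base are constructed for the demo.
#include <cmath>
#include <cstdint>
#include <cstring>

namespace cage_demo {

// Demo cage geometry (constructed): a 4 GiB region at a cage-aligned base.
constexpr uint64_t kCageSize = uint64_t(1) << 32;
constexpr uint64_t kCageMask = kCageSize - 1;
constexpr uint64_t kCageBase = uint64_t(0x1000) << 32;

// Caging a butterfly pointer: keep only the in-cage offset bits and rebase
// them. Whatever the pointer field holds (including a corrupted value), the
// address used for the load/store lies within the cage.
inline uint64_t caged(uint64_t butterfly) {
    return kCageBase + (butterfly & kCageMask);
}

inline bool insideCage(uint64_t address) {
    return address >= kCageBase && address < kCageBase + kCageSize;
}

// Address of slot `index` in a caged double butterfly (8 bytes per double).
// Only the base is caged; index bounds are enforced separately by the VM.
inline uint64_t cagedDoubleSlot(uint64_t butterfly, uint64_t index) {
    return caged(butterfly) + index * sizeof(double);
}

// Assumed 64-bit JSValue layout constants (approximation of JSC's encoding).
constexpr uint64_t kDoubleEncodeOffset = uint64_t(1) << 49;
constexpr uint64_t kNumberTag = 0xfffe000000000000ull;
constexpr uint64_t kPureNaN = 0x7ff8000000000000ull;

// A contiguousDouble slot stores the raw IEEE-754 bits, so every 64-bit
// pattern is reachable in memory, pointer-shaped ones included. This is the
// "arbitrary bit patterns" property that keeps double accesses caged.
inline uint64_t rawDoubleBits(double d) {
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

inline double doubleFromBits(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// A JSValue slot stores the encoded form: NaNs are purified and the offset is
// added, so the top 16 bits are never all zero. The only raw patterns that
// would wrap into that range are NaNs, which purification removes first.
inline uint64_t encodeDouble(double d) {
    uint64_t bits = std::isnan(d) ? kPureNaN : rawDoubleBits(d);
    return bits + kDoubleEncodeOffset;
}

// Encoded int32 values carry the number tag in the top bits.
inline uint64_t encodeInt32(int32_t i) {
    return kNumberTag | static_cast<uint32_t>(i);
}

// "Pointer-shaped" here means non-null with the top 16 bits clear, which is
// the shape of a cell pointer in this encoding.
inline bool looksLikePointer(uint64_t encoded) {
    return encoded != 0 && (encoded >> 48) == 0;
}

} // namespace cage_demo
```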
2015
2016 2017-11-07  Mark Lam  <mark.lam@apple.com>
2017
2018         Introduce a default RegisterSet constructor so that we can use { } notation.
2019         https://bugs.webkit.org/show_bug.cgi?id=179389
2020
2021         Reviewed by Saam Barati.
2022
2023         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
2024         does not add any code documentation value.
2025
2026         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2027         * b3/air/AirCode.cpp:
2028         (JSC::B3::Air::Code::setRegsInPriorityOrder):
2029         * b3/air/AirPrintSpecial.cpp:
2030         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
2031         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
2032         * b3/air/testair.cpp:
2033         * bytecode/PolymorphicAccess.h:
2034         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2035         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
2036         * dfg/DFGJITCode.cpp:
2037         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2038         * ftl/FTLJITCode.cpp:
2039         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2040         * jit/JITCode.cpp:
2041         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2042         * jit/RegisterSet.cpp:
2043         (JSC::RegisterSet::reservedHardwareRegisters):
2044         (JSC::RegisterSet::runtimeRegisters):
2045         (JSC::RegisterSet::macroScratchRegisters):
2046         * jit/RegisterSet.h:
2047         (JSC::RegisterSet::RegisterSet):
2048         * wasm/WasmB3IRGenerator.cpp:
2049         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2050
2051 2017-11-07  Mark Lam  <mark.lam@apple.com>
2052
2053         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2054         https://bugs.webkit.org/show_bug.cgi?id=179355
2055         <rdar://problem/35263053>
2056
2057         Reviewed by Saam Barati.
2058
2059         In the Transition case in AccessCase::generateImpl(), we were restoring registers
2060         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
2061         where we previously stashed the reallocated butterfly.  If the generated code is
2062         under heavy register pressure, scratchGPR could have been from the set of preserved
2063         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
2064         As a result, the restoration would trash the butterfly result we stored there.
2065         This patch fixes the issue by excluding the scratchGPR in the restoration.
2066
2067         * bytecode/AccessCase.cpp:
2068         (JSC::AccessCase::generateImpl):
2069
2070 2017-11-06  Robin Morisset  <rmorisset@apple.com>
2071
2072         CodeBlock::usesOpcode() is dead code
2073         https://bugs.webkit.org/show_bug.cgi?id=179316
2074
2075         Reviewed by Yusuke Suzuki.
2076
2077         Remove CodeBlock::usesOpcode, which is dead code.
2078
2079         * bytecode/CodeBlock.cpp:
2080         * bytecode/CodeBlock.h:
2081
2082 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2083
2084         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2085         https://bugs.webkit.org/show_bug.cgi?id=144458
2086
2087         Reviewed by Saam Barati.
2088
2089         Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
2090         InternalFunction calls are not cached and they always go to the slow path. This is not good because
2091
2092         1. We need to query getCallData/getConstructData every time in the slow path.
2093         2. CallLinkInfo tells nothing in the higher tier JITs.
2094
2095         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
2096         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
2097         InternalFunction. And we return this code pointer as the result of the setup call to use the CallLinkInfo mechanism.
2098
2099         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
2100         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
2101         case that DFGByteCodeParser figures out an InternalFunction constant, we cannot attempt to emit DFG
2102         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
2103
2104         Attached microbenchmarks show performance improvement.
2105
2106                                                            baseline                  patched
2107
2108         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
2109         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
2110         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
2111         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
2112
2113         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
2114
2115         * API/JSCallbackFunction.cpp:
2116         (JSC::JSCallbackFunction::JSCallbackFunction):
2117         (JSC::JSCallbackFunction::getCallData): Deleted.
2118         * API/JSCallbackFunction.h:
2119         (JSC::JSCallbackFunction::createStructure):
2120         * API/ObjCCallbackFunction.h:
2121         (JSC::ObjCCallbackFunction::createStructure):
2122         * API/ObjCCallbackFunction.mm:
2123         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
2124         (JSC::ObjCCallbackFunction::getCallData): Deleted.
2125         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
2126         * bytecode/BytecodeDumper.cpp:
2127         (JSC::BytecodeDumper<Block>::printCallOp):
2128         * bytecode/BytecodeList.json:
2129         * bytecode/CallLinkInfo.cpp:
2130         (JSC::CallLinkInfo::setCallee):
2131         (JSC::CallLinkInfo::callee):
2132         (JSC::CallLinkInfo::setLastSeenCallee):
2133         (JSC::CallLinkInfo::lastSeenCallee):
2134         (JSC::CallLinkInfo::visitWeak):
2135         * bytecode/CallLinkInfo.h:
2136         * bytecode/CallLinkStatus.cpp:
2137         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2138         * bytecode/LLIntCallLinkInfo.h:
2139         * jit/JITOperations.cpp:
2140         * jit/JITThunks.cpp:
2141         (JSC::JITThunks::ctiInternalFunctionCall):
2142         (JSC::JITThunks::ctiInternalFunctionConstruct):
2143         * jit/JITThunks.h:
2144         * jit/Repatch.cpp:
2145         (JSC::linkFor):
2146         (JSC::linkPolymorphicCall):
2147         * jit/Repatch.h:
2148         * jit/ThunkGenerators.cpp:
2149         (JSC::virtualThunkFor):
2150         (JSC::nativeForGenerator):
2151         (JSC::nativeCallGenerator):
2152         (JSC::nativeTailCallGenerator):
2153         (JSC::nativeTailCallWithoutSavedTagsGenerator):
2154         (JSC::nativeConstructGenerator):
2155         (JSC::internalFunctionCallGenerator):
2156         (JSC::internalFunctionConstructGenerator):
2157         * jit/ThunkGenerators.h:
2158         * llint/LLIntSlowPaths.cpp:
2159         (JSC::LLInt::setUpCall):
2160         * llint/LowLevelInterpreter.asm:
2161         * llint/LowLevelInterpreter32_64.asm:
2162         * llint/LowLevelInterpreter64.asm:
2163         * runtime/ArrayConstructor.cpp:
2164         (JSC::ArrayConstructor::ArrayConstructor):
2165         (JSC::ArrayConstructor::getConstructData): Deleted.
2166         (JSC::ArrayConstructor::getCallData): Deleted.
2167         * runtime/ArrayConstructor.h:
2168         (JSC::ArrayConstructor::createStructure):
2169         * runtime/AsyncFunctionConstructor.cpp:
2170         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
2171         (JSC::AsyncFunctionConstructor::finishCreation):
2172         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
2173         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
2174         * runtime/AsyncFunctionConstructor.h:
2175         (JSC::AsyncFunctionConstructor::createStructure):
2176         * runtime/AsyncGeneratorFunctionConstructor.cpp:
2177         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
2178         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
2179         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
2180         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
2181         * runtime/AsyncGeneratorFunctionConstructor.h:
2182         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
2183         * runtime/BooleanConstructor.cpp:
2184         (JSC::callBooleanConstructor):
2185         (JSC::BooleanConstructor::BooleanConstructor):
2186         (JSC::BooleanConstructor::finishCreation):
2187         (JSC::BooleanConstructor::getConstructData): Deleted.
2188         (JSC::BooleanConstructor::getCallData): Deleted.
2189         * runtime/BooleanConstructor.h:
2190         (JSC::BooleanConstructor::createStructure):
2191         * runtime/DateConstructor.cpp:
2192         (JSC::DateConstructor::DateConstructor):
2193         (JSC::DateConstructor::getConstructData): Deleted.
2194         (JSC::DateConstructor::getCallData): Deleted.
2195         * runtime/DateConstructor.h:
2196         (JSC::DateConstructor::createStructure):
2197         * runtime/Error.h:
2198         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2199         (JSC::StrictModeTypeErrorFunction::createStructure):
2200         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
2201         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
2202         * runtime/ErrorConstructor.cpp:
2203         (JSC::ErrorConstructor::ErrorConstructor):
2204         (JSC::ErrorConstructor::getConstructData): Deleted.
2205         (JSC::ErrorConstructor::getCallData): Deleted.
2206         * runtime/ErrorConstructor.h:
2207         (JSC::ErrorConstructor::createStructure):
2208         * runtime/FunctionConstructor.cpp:
2209         (JSC::FunctionConstructor::FunctionConstructor):
2210         (JSC::FunctionConstructor::finishCreation):
2211         (JSC::FunctionConstructor::getConstructData): Deleted.
2212         (JSC::FunctionConstructor::getCallData): Deleted.
2213         * runtime/FunctionConstructor.h:
2214         (JSC::FunctionConstructor::createStructure):
2215         * runtime/FunctionPrototype.cpp:
2216         (JSC::callFunctionPrototype):
2217         (JSC::FunctionPrototype::FunctionPrototype):
2218         (JSC::FunctionPrototype::getCallData): Deleted.
2219         * runtime/FunctionPrototype.h:
2220         (JSC::FunctionPrototype::createStructure):
2221         * runtime/GeneratorFunctionConstructor.cpp:
2222         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
2223         (JSC::GeneratorFunctionConstructor::finishCreation):
2224         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
2225         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
2226         * runtime/GeneratorFunctionConstructor.h:
2227         (JSC::GeneratorFunctionConstructor::createStructure):
2228         * runtime/InternalFunction.cpp:
2229         (JSC::InternalFunction::InternalFunction):
2230         (JSC::InternalFunction::finishCreation):
2231         (JSC::InternalFunction::getCallData):
2232         (JSC::InternalFunction::getConstructData):
2233         * runtime/InternalFunction.h:
2234         (JSC::InternalFunction::createStructure):
2235         (JSC::InternalFunction::nativeFunctionFor):
2236         (JSC::InternalFunction::offsetOfNativeFunctionFor):
2237         * runtime/IntlCollatorConstructor.cpp:
2238         (JSC::IntlCollatorConstructor::createStructure):
2239         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
2240         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
2241         (JSC::IntlCollatorConstructor::getCallData): Deleted.
2242         * runtime/IntlCollatorConstructor.h:
2243         * runtime/IntlDateTimeFormatConstructor.cpp:
2244         (JSC::IntlDateTimeFormatConstructor::createStructure):
2245         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
2246         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
2247         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
2248         * runtime/IntlDateTimeFormatConstructor.h:
2249         * runtime/IntlNumberFormatConstructor.cpp:
2250         (JSC::IntlNumberFormatConstructor::createStructure):
2251         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
2252         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
2253         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
2254         * runtime/IntlNumberFormatConstructor.h:
2255         * runtime/JSArrayBufferConstructor.cpp:
2256         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2257         (JSC::JSArrayBufferConstructor::createStructure):
2258         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
2259         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
2260         * runtime/JSArrayBufferConstructor.h:
2261         * runtime/JSGenericTypedArrayViewConstructor.h:
2262         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2263         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
2264         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
2265         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
2266         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
2267         * runtime/JSInternalPromiseConstructor.cpp:
2268         (JSC::JSInternalPromiseConstructor::createStructure):
2269         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2270         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
2271         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
2272         * runtime/JSInternalPromiseConstructor.h:
2273         * runtime/JSPromiseConstructor.cpp:
2274         (JSC::JSPromiseConstructor::createStructure):
2275         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2276         (JSC::JSPromiseConstructor::getConstructData): Deleted.
2277         (JSC::JSPromiseConstructor::getCallData): Deleted.
2278         * runtime/JSPromiseConstructor.h:
2279         * runtime/JSType.h:
2280         * runtime/JSTypedArrayViewConstructor.cpp:
2281         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
2282         (JSC::JSTypedArrayViewConstructor::createStructure):
2283         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
2284         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
2285         * runtime/JSTypedArrayViewConstructor.h:
2286         * runtime/MapConstructor.cpp:
2287         (JSC::MapConstructor::MapConstructor):
2288         (JSC::MapConstructor::getConstructData): Deleted.
2289         (JSC::MapConstructor::getCallData): Deleted.
2290         * runtime/MapConstructor.h:
2291         (JSC::MapConstructor::createStructure):
2292         (JSC::MapConstructor::MapConstructor): Deleted.
2293         * runtime/NativeErrorConstructor.cpp:
2294         (JSC::NativeErrorConstructor::NativeErrorConstructor):
2295         (JSC::NativeErrorConstructor::getConstructData): Deleted.
2296         (JSC::NativeErrorConstructor::getCallData): Deleted.
2297         * runtime/NativeErrorConstructor.h:
2298         (JSC::NativeErrorConstructor::createStructure):
2299         * runtime/NullGetterFunction.cpp:
2300         (JSC::NullGetterFunction::NullGetterFunction):
2301         (JSC::NullGetterFunction::getCallData): Deleted.
2302         (JSC::NullGetterFunction::getConstructData): Deleted.
2303         * runtime/NullGetterFunction.h:
2304         (JSC::NullGetterFunction::createStructure):
2305         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
2306         * runtime/NullSetterFunction.cpp:
2307         (JSC::NullSetterFunction::NullSetterFunction):
2308         (JSC::NullSetterFunction::getCallData): Deleted.
2309         (JSC::NullSetterFunction::getConstructData): Deleted.
2310         * runtime/NullSetterFunction.h:
2311         (JSC::NullSetterFunction::createStructure):
2312         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
2313         * runtime/NumberConstructor.cpp:
2314         (JSC::NumberConstructor::NumberConstructor):
2315         (JSC::constructNumberConstructor):
2316         (JSC::constructWithNumberConstructor): Deleted.
2317         (JSC::NumberConstructor::getConstructData): Deleted.
2318         (JSC::NumberConstructor::getCallData): Deleted.
2319         * runtime/NumberConstructor.h:
2320         (JSC::NumberConstructor::createStructure):
2321         * runtime/ObjectConstructor.cpp:
2322         (JSC::ObjectConstructor::ObjectConstructor):
2323         (JSC::ObjectConstructor::getConstructData): Deleted.
2324         (JSC::ObjectConstructor::getCallData): Deleted.
2325         * runtime/ObjectConstructor.h:
2326         (JSC::ObjectConstructor::createStructure):
2327         * runtime/ProxyConstructor.cpp:
2328         (JSC::ProxyConstructor::ProxyConstructor):
2329         (JSC::ProxyConstructor::getConstructData): Deleted.
2330         (JSC::ProxyConstructor::getCallData): Deleted.
2331         * runtime/ProxyConstructor.h:
2332         (JSC::ProxyConstructor::createStructure):
2333         * runtime/ProxyRevoke.cpp:
2334         (JSC::ProxyRevoke::ProxyRevoke):
2335         (JSC::ProxyRevoke::getCallData): Deleted.
2336         * runtime/ProxyRevoke.h:
2337         (JSC::ProxyRevoke::createStructure):
2338         * runtime/RegExpConstructor.cpp:
2339         (JSC::RegExpConstructor::RegExpConstructor):
2340         (JSC::RegExpConstructor::getConstructData): Deleted.
2341         (JSC::RegExpConstructor::getCallData): Deleted.
2342         * runtime/RegExpConstructor.h:
2343         (JSC::RegExpConstructor::createStructure):
2344         * runtime/SetConstructor.cpp:
2345         (JSC::SetConstructor::SetConstructor):
2346         (JSC::SetConstructor::getConstructData): Deleted.
2347         (JSC::SetConstructor::getCallData): Deleted.
2348         * runtime/SetConstructor.h:
2349         (JSC::SetConstructor::createStructure):
2350         (JSC::SetConstructor::SetConstructor): Deleted.
2351         * runtime/StringConstructor.cpp:
2352         (JSC::StringConstructor::StringConstructor):
2353         (JSC::StringConstructor::getConstructData): Deleted.
2354         (JSC::StringConstructor::getCallData): Deleted.
2355         * runtime/StringConstructor.h:
2356         (JSC::StringConstructor::createStructure):
2357         * runtime/SymbolConstructor.cpp:
2358         (JSC::SymbolConstructor::SymbolConstructor):
2359         (JSC::SymbolConstructor::getConstructData): Deleted.
2360         (JSC::SymbolConstructor::getCallData): Deleted.
2361         * runtime/SymbolConstructor.h:
2362         (JSC::SymbolConstructor::createStructure):
2363         * runtime/VM.cpp:
2364         (JSC::VM::VM):
2365         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2366         * runtime/VM.h:
2367         * runtime/WeakMapConstructor.cpp:
2368         (JSC::WeakMapConstructor::WeakMapConstructor):
2369         (JSC::WeakMapConstructor::getConstructData): Deleted.
2370         (JSC::WeakMapConstructor::getCallData): Deleted.
2371         * runtime/WeakMapConstructor.h:
2372         (JSC::WeakMapConstructor::createStructure):
2373         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
2374         * runtime/WeakSetConstructor.cpp:
2375         (JSC::WeakSetConstructor::WeakSetConstructor):
2376         (JSC::WeakSetConstructor::getConstructData): Deleted.
2377         (JSC::WeakSetConstructor::getCallData): Deleted.
2378         * runtime/WeakSetConstructor.h:
2379         (JSC::WeakSetConstructor::createStructure):
2380         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
2381         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2382         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
2383         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
2384         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
2385         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
2386         * wasm/js/WebAssemblyCompileErrorConstructor.h:
2387         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2388         (JSC::WebAssemblyInstanceConstructor::createStructure):
2389         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
2390         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
2391         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
2392         * wasm/js/WebAssemblyInstanceConstructor.h:
2393         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2394         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
2395         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
2396         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
2397         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
2398         * wasm/js/WebAssemblyLinkErrorConstructor.h:
2399         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2400         (JSC::WebAssemblyMemoryConstructor::createStructure):
2401         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
2402         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
2403         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
2404         * wasm/js/WebAssemblyMemoryConstructor.h:
2405         * wasm/js/WebAssemblyModuleConstructor.cpp:
2406         (JSC::WebAssemblyModuleConstructor::createStructure):
2407         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
2408         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
2409         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
2410         * wasm/js/WebAssemblyModuleConstructor.h:
2411         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2412         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
2413         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
2414         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
2415         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
2416         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
2417         * wasm/js/WebAssemblyTableConstructor.cpp:
2418         (JSC::WebAssemblyTableConstructor::createStructure):
2419         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
2420         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
2421         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
2422         * wasm/js/WebAssemblyTableConstructor.h:
2423
2424 2017-11-03  Michael Saboff  <msaboff@apple.com>
2425
2426         The Abstract Interpreter needs to change similar to clobberize() in r224366
2427         https://bugs.webkit.org/show_bug.cgi?id=179267
2428
2429         Reviewed by Saam Barati.
2430
2431         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
2432         cases in the abstract interpreter to match what was done for r224366.
2433
2434         * dfg/DFGAbstractInterpreterInlines.h:
2435         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2436
2437 2017-11-03  Keith Miller  <keith_miller@apple.com>
2438
2439         PutPropertySlot should inform the IC about the property before effects.
2440         https://bugs.webkit.org/show_bug.cgi?id=179262
2441
2442         Reviewed by Mark Lam.
2443
2444         This patch fixes an issue where we choose to cache setters based on
2445         incorrect information. If we did so we might end up OSR exiting
2446         more than we would otherwise need to. The new model is that the
2447         PutPropertySlot should inform the IC of what the property looked
2448         like before any potential side effects might have occurred.
2449
2450         * runtime/JSObject.cpp:
2451         (JSC::JSObject::putInlineSlow):
2452         * runtime/Lookup.h:
2453         (JSC::putEntry):
2454
2455 2017-11-03  Mark Lam  <mark.lam@apple.com>
2456
2457         CachedCall (and its clients) needs overflow checks.
2458         https://bugs.webkit.org/show_bug.cgi?id=179185
2459
2460         Reviewed by JF Bastien.
2461
2462         * interpreter/CachedCall.h:
2463         (JSC::CachedCall::CachedCall):
2464         (JSC::CachedCall::hasOverflowedArguments):
2465         * runtime/ArgList.h:
2466         (JSC::MarkedArgumentBuffer::clear):
2467         * runtime/StringPrototype.cpp:
2468         (JSC::replaceUsingRegExpSearch):
2469
2470 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
2471
2472         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
2473         https://bugs.webkit.org/show_bug.cgi?id=178302
2474         <rdar://problem/33158849>
2475
2476         Reviewed by Brian Burg.
2477
2478         * inspector/protocol/Recording.json:
2479         Add `duration` to each Frame that represents the total time of all the recorded actions.
2480
2481 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
2482
2483         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
2484         https://bugs.webkit.org/show_bug.cgi?id=179070
2485         <rdar://problem/35278276>
2486
2487         Reviewed by Brian Burg.
2488
2489         * inspector/protocol/Canvas.json:
2490         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
2491         different string on a WebGL context.
2492
2493 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
2494
2495         Make ServiceWorker a Remote Inspector debuggable target
2496         https://bugs.webkit.org/show_bug.cgi?id=179043
2497         <rdar://problem/34126008>
2498
2499         Reviewed by Brian Burg.
2500
2501         * inspector/remote/RemoteControllableTarget.h:
2502         * inspector/remote/RemoteInspectionTarget.h:
2503         * inspector/remote/RemoteInspectorConstants.h:
2504         Include a new ServiceWorker remote inspector target type.
2505
2506         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2507         (Inspector::RemoteInspector::listingForInspectionTarget const):
2508         Implement listing for a ServiceWorker to include a URL like a page.
2509
2510         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2511         (Inspector::RemoteInspector::listingForInspectionTarget const):
2512         Bail for ServiceWorker support in glib. They will need to implement their support.
2513
2514 2017-11-02  Michael Saboff  <msaboff@apple.com>
2515
2516         DFG needs to handle code motion of code in for..in loop bodies
2517         https://bugs.webkit.org/show_bug.cgi?id=179212
2518
2519         Reviewed by Keith Miller.
2520
2521         The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
2522         makes calls with side effects.  Updated clobberize() for those nodes to take that into account.
2523
2524         * dfg/DFGClobberize.h:
2525         (JSC::DFG::clobberize):
2526
2527 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
2528
2529         Inspector should display service worker served responses properly
2530         https://bugs.webkit.org/show_bug.cgi?id=178597
2531         <rdar://problem/35186111>
2532
2533         Reviewed by Brian Burg.
2534
2535         * inspector/protocol/Network.json:
2536         Expose a new "service-worker" response source.
2537
2538 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2539
2540         AI does not correctly model the clobber case of ArithClz32
2541         https://bugs.webkit.org/show_bug.cgi?id=179188
2542
2543         Reviewed by Michael Saboff.
2544
2545         The non-Int32 case clobbers the world because it may call valueOf.
2546
2547         * dfg/DFGAbstractInterpreterInlines.h:
2548         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2549
2550 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2551
2552         Unreviewed, release throw scope
2553         https://bugs.webkit.org/show_bug.cgi?id=178726
2554
2555         * dfg/DFGOperations.cpp:
2556
2557 2017-11-02  Frederic Wang  <fwang@igalia.com>
2558
2559         Add references to bug 179167 in FIXME comments
2560         https://bugs.webkit.org/show_bug.cgi?id=179168
2561
2562         Reviewed by Daniel Bates.
2563
2564         * Configurations/FeatureDefines.xcconfig:
2565
2566 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
2567
2568         Implement WKFullscreenWindowController for iOS.
2569         https://bugs.webkit.org/show_bug.cgi?id=178924
2570         rdar://problem/34697120
2571
2572         Reviewed by Simon Fraser.
2573
2574         Enable ENABLE_FULLSCREEN_API for iOS.
2575
2576         * Configurations/FeatureDefines.xcconfig:
2577
2578 2017-11-01  Mark Lam  <mark.lam@apple.com>
2579
2580         Add support to throw OOM if MarkedArgumentBuffer may overflow.
2581         https://bugs.webkit.org/show_bug.cgi?id=179092
2582         <rdar://problem/35116160>
2583
2584         Reviewed by Saam Barati.
2585
2586         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
2587         time, which renders it unsuitable for automated tests.  Instead, I've run a
2588         test manually to verify that an OutOfMemoryError will be thrown when an overflow
2589         occurs.
2590
2591         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
2592         checked for an overflow after invoking methods that may result in an overflow, i.e.
2593         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
2594         This is only done on debug builds.
2595
2596         * API/JSObjectRef.cpp:
2597         (JSObjectMakeFunction):
2598         (JSObjectMakeArray):
2599         (JSObjectMakeDate):
2600         (JSObjectMakeRegExp):
2601         (JSObjectCallAsFunction):
2602         (JSObjectCallAsConstructor):
2603         * dfg/DFGOperations.cpp:
2604         * inspector/InjectedScriptManager.cpp:
2605         (Inspector::InjectedScriptManager::createInjectedScript):
2606         * inspector/JSJavaScriptCallFrame.cpp:
2607         (Inspector::JSJavaScriptCallFrame::scopeChain const):
2608         * interpreter/Interpreter.cpp:
2609         (JSC::Interpreter::executeProgram):
2610         * jsc.cpp:
2611         (functionDollarAgentReceiveBroadcast):
2612         * runtime/ArgList.cpp:
2613         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
2614         (JSC::MarkedArgumentBuffer::expandCapacity):
2615         (JSC::MarkedArgumentBuffer::slowAppend):
2616         * runtime/ArgList.h:
2617         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
2618         (JSC::MarkedArgumentBuffer::appendWithAction):
2619         (JSC::MarkedArgumentBuffer::append):
2620         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
2621         (JSC::MarkedArgumentBuffer::hasOverflowed):
2622         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
2623         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
2624         * runtime/ArrayPrototype.cpp:
2625         * runtime/CommonSlowPaths.cpp:
2626         (JSC::SLOW_PATH_DECL):
2627         * runtime/GetterSetter.cpp:
2628         (JSC::callSetter):
2629         * runtime/IteratorOperations.cpp:
2630         (JSC::iteratorNext):
2631         (JSC::iteratorClose):
2632         * runtime/JSBoundFunction.cpp:
2633         (JSC::boundThisNoArgsFunctionCall):
2634         (JSC::boundFunctionCall):
2635         (JSC::boundThisNoArgsFunctionConstruct):
2636         (JSC::boundFunctionConstruct):
2637         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2638         (JSC::constructGenericTypedArrayViewFromIterator):
2639         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2640         (JSC::genericTypedArrayViewProtoFuncSlice):
2641         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2642         * runtime/JSGlobalObject.cpp:
2643         (JSC::JSGlobalObject::haveABadTime):
2644         * runtime/JSInternalPromise.cpp:
2645         (JSC::JSInternalPromise::then):
2646         * runtime/JSJob.cpp:
2647         (JSC::JSJobMicrotask::run):
2648         * runtime/JSMapIterator.cpp:
2649         (JSC::JSMapIterator::createPair):
2650         * runtime/JSModuleLoader.cpp:
2651         (JSC::JSModuleLoader::provideFetch):
2652         (JSC::JSModuleLoader::loadAndEvaluateModule):
2653         (JSC::JSModuleLoader::loadModule):
2654         (JSC::JSModuleLoader::linkAndEvaluateModule):
2655         (JSC::JSModuleLoader::requestImportModule):
2656         * runtime/JSONObject.cpp:
2657         (JSC::Stringifier::toJSONImpl):
2658         (JSC::Stringifier::appendStringifiedValue):
2659         (JSC::Walker::callReviver):
2660         * runtime/JSObject.cpp:
2661         (JSC::ordinarySetSlow):
2662         (JSC::callToPrimitiveFunction):
2663         (JSC::JSObject::hasInstance):
2664         * runtime/JSPromise.cpp:
2665         (JSC::JSPromise::initialize):
2666         (JSC::JSPromise::resolve):
2667         * runtime/JSPromiseDeferred.cpp:
2668         (JSC::newPromiseCapability):
2669         (JSC::callFunction):
2670         * runtime/JSSetIterator.cpp:
2671         (JSC::JSSetIterator::createPair):
2672         * runtime/LiteralParser.cpp:
2673         (JSC::LiteralParser<CharType>::parse):
2674         * runtime/MapConstructor.cpp:
2675         (JSC::constructMap):
2676         * runtime/ObjectConstructor.cpp:
2677         (JSC::defineProperties):
2678         * runtime/ProxyObject.cpp:
2679         (JSC::performProxyGet):
2680         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2681         (JSC::ProxyObject::performHasProperty):
2682         (JSC::ProxyObject::performPut):
2683         (JSC::performProxyCall):
2684         (JSC::performProxyConstruct):
2685         (JSC::ProxyObject::performDelete):
2686         (JSC::ProxyObject::performPreventExtensions):
2687         (JSC::ProxyObject::performIsExtensible):
2688         (JSC::ProxyObject::performDefineOwnProperty):
2689         (JSC::ProxyObject::performGetOwnPropertyNames):
2690         (JSC::ProxyObject::performSetPrototype):
2691         (JSC::ProxyObject::performGetPrototype):
2692         * runtime/ReflectObject.cpp:
2693         (JSC::reflectObjectConstruct):
2694         * runtime/SetConstructor.cpp:
2695         (JSC::constructSet):
2696         * runtime/StringPrototype.cpp:
2697         (JSC::replaceUsingRegExpSearch):
2698         (JSC::replaceUsingStringSearch):
2699         * runtime/WeakMapConstructor.cpp:
2700         (JSC::constructWeakMap):
2701         * runtime/WeakSetConstructor.cpp:
2702         (JSC::constructWeakSet):
2703         * wasm/js/WasmToJS.cpp:
2704         (JSC::Wasm::wasmToJS):
2705
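The overflow contract described in the entry above, as added example code (not JSC's MarkedArgumentBuffer itself): a buffer that records an overflow instead of wrapping its size computation, a hasOverflowed() query the client must make, and a debug-build destructor assertion that the query happened. CheckedArgumentBuffer, kMaxArgumentCount and collectArguments are invented names for this illustration.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <limits>

// Hypothetical cap on the number of arguments; JSC's real limit is not modelled.
static constexpr size_t kMaxArgumentCount = size_t(1) << 16;

class CheckedArgumentBuffer {
public:
    CheckedArgumentBuffer() = default;
    ~CheckedArgumentBuffer()
    {
        // Debug-only contract: once an append could have overflowed, the client
        // must have asked hasOverflowed() before the buffer is destroyed.
        assert(!m_needsOverflowCheck && "client never called hasOverflowed()");
        if (m_buffer != m_inlineBuffer)
            std::free(m_buffer);
    }
    CheckedArgumentBuffer(const CheckedArgumentBuffer&) = delete;
    CheckedArgumentBuffer& operator=(const CheckedArgumentBuffer&) = delete;

    // Append one value. After an overflow the buffer is sticky: further values
    // are dropped and the caller is expected to bail out via hasOverflowed().
    void append(uint64_t value)
    {
        m_needsOverflowCheck = true;
        if (m_overflowed)
            return;
        if (m_size == m_capacity && !expandCapacity())
            return;
        m_buffer[m_size++] = value;
    }

    // Querying the flag is what discharges the destructor's assertion.
    bool hasOverflowed()
    {
        m_needsOverflowCheck = false;
        return m_overflowed;
    }

    size_t size() const { return m_size; }

private:
    static constexpr size_t kInlineCapacity = 8;

    // Grow geometrically, but record an overflow instead of exceeding the
    // argument limit or letting the byte-size computation wrap.
    bool expandCapacity()
    {
        if (m_capacity >= kMaxArgumentCount) {
            m_overflowed = true;
            return false;
        }
        size_t newCapacity = m_capacity * 2; // cannot wrap: m_capacity < 2^16
        if (newCapacity > kMaxArgumentCount)
            newCapacity = kMaxArgumentCount;
        if (newCapacity > std::numeric_limits<size_t>::max() / sizeof(uint64_t)) {
            m_overflowed = true; // byte size would wrap; never allocate too little
            return false;
        }
        uint64_t* newBuffer = static_cast<uint64_t*>(std::malloc(newCapacity * sizeof(uint64_t)));
        if (!newBuffer) {
            m_overflowed = true; // allocation failure is reported the same way
            return false;
        }
        std::memcpy(newBuffer, m_buffer, m_size * sizeof(uint64_t));
        if (m_buffer != m_inlineBuffer)
            std::free(m_buffer);
        m_buffer = newBuffer;
        m_capacity = newCapacity;
        return true;
    }

    uint64_t m_inlineBuffer[kInlineCapacity];
    uint64_t* m_buffer = m_inlineBuffer;
    size_t m_size = 0;
    size_t m_capacity = kInlineCapacity;
    bool m_overflowed = false;
    bool m_needsOverflowCheck = false;
};

// A client following the protocol: spread `count` constructed argument values
// into a buffer. Returns the number collected, or -1 where JSC would throw an
// OutOfMemoryError because the buffer overflowed.
long long collectArguments(size_t count)
{
    CheckedArgumentBuffer args;
    for (size_t i = 0; i < count; ++i)
        args.append(static_cast<uint64_t>(i));
    if (args.hasOverflowed())
        return -1;
    return static_cast<long long>(args.size());
}

int main()
{
    std::printf("3 args -> %lld\n", collectArguments(3));
    std::printf("%zu args -> %lld\n", kMaxArgumentCount, collectArguments(kMaxArgumentCount));
    std::printf("%zu args -> %lld\n", kMaxArgumentCount + 1, collectArguments(kMaxArgumentCount + 1));
    return 0;
}
```
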
2706 2017-11-01  Michael Saboff  <msaboff@apple.com>
2707
2708         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2709         https://bugs.webkit.org/show_bug.cgi?id=179140
2710
2711         Reviewed by Saam Barati.
2712
2713         Added overflow checks to computation of arg count plus this.
2714
2715         * dfg/DFGSpeculativeJIT32_64.cpp:
2716         (JSC::DFG::SpeculativeJIT::compile):
2717         * dfg/DFGSpeculativeJIT64.cpp:
2718         (JSC::DFG::SpeculativeJIT::compile):
2719         * ftl/FTLLowerDFGToB3.cpp:
2720         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2721
2722 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2723
2724         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
2725         https://bugs.webkit.org/show_bug.cgi?id=178934
2726
2727         * ftl/FTLLowerDFGToB3.cpp:
2728         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2729
2730 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2731
2732         [JSC] Introduce @toObject
2733         https://bugs.webkit.org/show_bug.cgi?id=178726
2734
2735         Reviewed by Saam Barati.
2736
2737         This patch introduces the @toObject intrinsic, along with the op_to_object bytecode and the DFG ToObject node.
2738         Previously we emulated @toObject behavior in builtin JS, but it consumes much bytecode size while @toObject
2739         is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
2740         ObjectConstructor in LLInt and Baseline.
2741
2742         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
2743         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
2744
2745             if (this === @undefined || this === null)
2746                 @throwTypeError("error message");
2747             var object = @Object(this);
2748
2749         with
2750
2751             var object = @toObject(this, "error message");
2752
2753         And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
2754         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
2755         In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
2756
2757         It also fixes a bug where the CallObjectConstructor DFG node used the Node's semantic GlobalObject instead of the function's.
2758
2759         * builtins/ArrayConstructor.js:
2760         (from):
2761         * builtins/ArrayPrototype.js:
2762         (values):
2763         (keys):
2764         (entries):
2765         (reduce):
2766         (reduceRight):
2767         (every):
2768         (forEach):
2769         (filter):
2770         (map):
2771         (some):
2772         (fill):
2773         (find):
2774         (findIndex):
2775         (includes):
2776         (sort):
2777         (globalPrivate.concatSlowPath):
2778         (copyWithin):
2779         * builtins/DatePrototype.js:
2780         (toLocaleString.toDateTimeOptionsAnyAll):
2781         (toLocaleString):
2782         (toLocaleDateString.toDateTimeOptionsDateDate):
2783         (toLocaleDateString):
2784         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2785         (toLocaleTimeString):
2786         * builtins/GlobalOperations.js:
2787         (globalPrivate.copyDataProperties):
2788         (globalPrivate.copyDataPropertiesNoExclusions):
2789         * builtins/ObjectConstructor.js:
2790         (entries):
2791         * builtins/StringConstructor.js:
2792         (raw):
2793         * builtins/TypedArrayConstructor.js:
2794         (from):
2795         * builtins/TypedArrayPrototype.js:
2796         (map):
2797         (filter):
2798         * bytecode/BytecodeDumper.cpp:
2799         (JSC::BytecodeDumper<Block>::dumpBytecode):
2800         * bytecode/BytecodeIntrinsicRegistry.h:
2801         * bytecode/BytecodeList.json:
2802         * bytecode/BytecodeUseDef.h:
2803         (JSC::computeUsesForBytecodeOffset):
2804         (JSC::computeDefsForBytecodeOffset):
2805         * bytecode/CodeBlock.cpp:
2806         (JSC::CodeBlock::finishCreation):
2807         * bytecompiler/BytecodeGenerator.cpp:
2808         (JSC::BytecodeGenerator::emitToObject):
2809         * bytecompiler/BytecodeGenerator.h:
2810         * bytecompiler/NodesCodegen.cpp:
2811         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2812         * dfg/DFGAbstractInterpreterInlines.h:
2813         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2814         * dfg/DFGByteCodeParser.cpp:
2815         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2816         (JSC::DFG::ByteCodeParser::parseBlock):
2817         * dfg/DFGCapabilities.cpp:
2818         (JSC::DFG::capabilityLevel):
2819         * dfg/DFGClobberize.h:
2820         (JSC::DFG::clobberize):
2821         * dfg/DFGDoesGC.cpp:
2822         (JSC::DFG::doesGC):
2823         * dfg/DFGFixupPhase.cpp:
2824         (JSC::DFG::FixupPhase::fixupNode):
2825         (JSC::DFG::FixupPhase::fixupToObject):
2826         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
2827         * dfg/DFGNode.h:
2828         (JSC::DFG::Node::convertToCallObjectConstructor):
2829         (JSC::DFG::Node::convertToNewStringObject):
2830         (JSC::DFG::Node::convertToNewObject):
2831         (JSC::DFG::Node::hasIdentifier):
2832         (JSC::DFG::Node::hasHeapPrediction):
2833         (JSC::DFG::Node::hasCellOperand):
2834         * dfg/DFGNodeType.h:
2835         * dfg/DFGOperations.cpp:
2836         * dfg/DFGOperations.h:
2837         * dfg/DFGPredictionPropagationPhase.cpp:
2838         * dfg/DFGSafeToExecute.h:
2839         (JSC::DFG::safeToExecute):
2840         * dfg/DFGSpeculativeJIT.cpp:
2841         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2842         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
2843         * dfg/DFGSpeculativeJIT.h:
2844         (JSC::DFG::SpeculativeJIT::callOperation):
2845         * dfg/DFGSpeculativeJIT32_64.cpp:
2846         (JSC::DFG::SpeculativeJIT::compile):
2847         * dfg/DFGSpeculativeJIT64.cpp:
2848         (JSC::DFG::SpeculativeJIT::compile):
2849         * ftl/FTLCapabilities.cpp:
2850         (JSC::FTL::canCompile):
2851         * ftl/FTLLowerDFGToB3.cpp:
2852         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2853         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
2854         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
2855         * jit/JIT.cpp:
2856         (JSC::JIT::privateCompileMainPass):
2857         (JSC::JIT::privateCompileSlowCases):
2858         * jit/JIT.h:
2859         * jit/JITOpcodes.cpp:
2860         (JSC::JIT::emit_op_to_object):
2861         (JSC::JIT::emitSlow_op_to_object):
2862         * jit/JITOpcodes32_64.cpp:
2863         (JSC::JIT::emit_op_to_object):
2864         (JSC::JIT::emitSlow_op_to_object):
2865         * jit/JITOperations.cpp:
2866         * jit/JITOperations.h:
2867         * llint/LowLevelInterpreter32_64.asm:
2868         * llint/LowLevelInterpreter64.asm:
2869         * runtime/CommonSlowPaths.cpp:
2870         (JSC::SLOW_PATH_DECL):
2871         * runtime/CommonSlowPaths.h:
2872
2873 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2874
2875         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
2876         https://bugs.webkit.org/show_bug.cgi?id=174979
2877
2878         Reviewed by Yusuke Suzuki.
2879
2880         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
2881
2882 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2883
2884         [DFG][FTL] Introduce StringSlice
2885         https://bugs.webkit.org/show_bug.cgi?id=178934
2886
2887         Reviewed by Saam Barati.
2888
2889         String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
2890         This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
2891
2892         This patch's StringSlice node optimizes the following things.
2893
2894         1. Empty string generation is accelerated. It is fully executed inline.
2895         2. One char string generation is accelerated. Only `< 0x100` characters are supported right now.
2896         This is the same as the charAt acceleration.
2897         3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
2898         operation.
2899
2900         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
2901         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
2902         in subsequent changes.
2903
2904         This patch improves ARES-6/Babylon performance by 3% in steady state.
2905
2906         Baseline:
2907             Running... Babylon ( 1  to go)
2908             firstIteration:     50.05 +- 13.68 ms
2909             averageWorstCase:   16.80 +- 1.27 ms
2910             steadyState:        7.53 +- 0.22 ms
2911
2912         Patched:
2913             Running... Babylon ( 1  to go)
2914             firstIteration:     50.91 +- 13.41 ms
2915             averageWorstCase:   16.12 +- 0.99 ms
2916             steadyState:        7.30 +- 0.29 ms
2917
2918         * dfg/DFGAbstractInterpreterInlines.h:
2919         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2920         * dfg/DFGBackwardsPropagationPhase.cpp:
2921         (JSC::DFG::BackwardsPropagationPhase::propagate):
2922         * dfg/DFGByteCodeParser.cpp:
2923         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2924         * dfg/DFGClobberize.h:
2925         (JSC::DFG::clobberize):
2926         * dfg/DFGDoesGC.cpp:
2927         (JSC::DFG::doesGC):
2928         * dfg/DFGFixupPhase.cpp:
2929         (JSC::DFG::FixupPhase::fixupNode):
2930         * dfg/DFGNodeType.h:
2931         * dfg/DFGOperations.cpp:
2932         * dfg/DFGOperations.h:
2933         * dfg/DFGPredictionPropagationPhase.cpp:
2934         * dfg/DFGSafeToExecute.h:
2935         (JSC::DFG::safeToExecute):
2936         * dfg/DFGSpeculativeJIT.cpp:
2937         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2938         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
2939         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2940         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2941         * dfg/DFGSpeculativeJIT.h:
2942         (JSC::DFG::SpeculativeJIT::callOperation):
2943         * dfg/DFGSpeculativeJIT32_64.cpp:
2944         (JSC::DFG::SpeculativeJIT::compile):
2945         * dfg/DFGSpeculativeJIT64.cpp:
2946         (JSC::DFG::SpeculativeJIT::compile):
2947         * ftl/FTLCapabilities.cpp:
2948         (JSC::FTL::canCompile):
2949         * ftl/FTLLowerDFGToB3.cpp:
2950         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2951         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
2952         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2953         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2954         * jit/JITOperations.h:
2955         * runtime/Intrinsic.cpp:
2956         (JSC::intrinsicName):
2957         * runtime/Intrinsic.h:
2958         * runtime/StringPrototype.cpp:
2959         (JSC::StringPrototype::finishCreation):
2960
2961 2017-10-31  JF Bastien  <jfbastien@apple.com>
2962
2963         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
2964         https://bugs.webkit.org/show_bug.cgi?id=176644
2965
2966         Reviewed by Michael Saboff.
2967
2968         IndexOrName now keeps a RefPtr to its original NameSection, which
2969         holds the Name (or references nullptr if Index). Holding onto the
2970         entire section seems like the better thing to do, since backtraces
2971         probably contain multiple names from the same Module.
2972
2973         * JavaScriptCore.xcodeproj/project.pbxproj:
2974         * interpreter/Interpreter.cpp:
2975         (JSC::GetStackTraceFunctor::operator() const):
2976         * interpreter/StackVisitor.h: Frame is no longer POD because of the
2977         RefPtr.
2978         * runtime/StackFrame.cpp:
2979         (JSC::StackFrame::StackFrame):
2980         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
2981         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
2982         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
2983         * wasm/WasmBBQPlanInlines.h:
2984         (JSC::Wasm::BBQPlan::initializeCallees):
2985         * wasm/WasmCallee.cpp:
2986         (JSC::Wasm::Callee::Callee):
2987         * wasm/WasmCallee.h:
2988         (JSC::Wasm::Callee::create):
2989         * wasm/WasmFormat.h: Move NameSection to its own header.
2990         (JSC::Wasm::isValidNameType):
2991         (JSC::Wasm::NameSection::get): Deleted.
2992         * wasm/WasmIndexOrName.cpp:
2993         (JSC::Wasm::IndexOrName::IndexOrName):
2994         (JSC::Wasm::makeString):
2995         * wasm/WasmIndexOrName.h:
2996         (JSC::Wasm::IndexOrName::IndexOrName):
2997         (JSC::Wasm::IndexOrName::isEmpty const):
2998         (JSC::Wasm::IndexOrName::isIndex const):
2999         * wasm/WasmModuleInformation.cpp:
3000         (JSC::Wasm::ModuleInformation::ModuleInformation):
3001         * wasm/WasmModuleInformation.h:
3002         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
3003         * wasm/WasmNameSection.h:
3004         (JSC::Wasm::NameSection::get):
3005         (JSC::Wasm::NameSection::create): Deleted.
3006         * wasm/WasmNameSectionParser.cpp:
3007         (JSC::Wasm::NameSectionParser::parse):
3008         * wasm/WasmNameSectionParser.h:
3009         * wasm/WasmOMGPlan.cpp:
3010         (JSC::Wasm::OMGPlan::work):
3011
3012 2017-10-31  Tim Horton  <timothy_horton@apple.com>
3013
3014         Clean up some drag and drop feature flags
3015         https://bugs.webkit.org/show_bug.cgi?id=179082
3016
3017         Reviewed by Simon Fraser.
3018
3019         * Configurations/FeatureDefines.xcconfig:
3020
3021 2017-10-31  Commit Queue  <commit-queue@webkit.org>
3022
3023         Unreviewed, rolling out r224243, r224246, and r224248.
3024         https://bugs.webkit.org/show_bug.cgi?id=179083
3025
3026         The patch and fix broke the Windows build. (Requested by
3027         mlewis13 on #webkit).
3028
3029         Reverted changesets:
3030
3031         "StructureStubInfo should have GPRReg members not int8_ts"
3032         https://bugs.webkit.org/show_bug.cgi?id=179071
3033         https://trac.webkit.org/changeset/224243
3034
3035         "Make all register enums be backed by uint8_t."
3036         https://bugs.webkit.org/show_bug.cgi?id=179074
3037         https://trac.webkit.org/changeset/224246
3038
3039         "Unreviewed, windows build fix."
3040         https://trac.webkit.org/changeset/224248
3041
3042 2017-10-31  Tim Horton  <timothy_horton@apple.com>
3043
3044         Fix up some content filtering feature flags
3045         https://bugs.webkit.org/show_bug.cgi?id=179079
3046
3047         Reviewed by Simon Fraser.
3048
3049         * Configurations/FeatureDefines.xcconfig:
3050
3051 2017-10-31  Keith Miller  <keith_miller@apple.com>
3052
3053         Unreviewed, windows build fix.
3054
3055         * assembler/X86Assembler.h:
3056         (JSC::X86Assembler::numberOfRegisters):
3057         (JSC::X86Assembler::numberOfSPRegisters):
3058         (JSC::X86Assembler::numberOfFPRegisters):
3059
3060 2017-10-31  Keith Miller  <keith_miller@apple.com>
3061
3062         Make all register enums be backed by uint8_t.
3063         https://bugs.webkit.org/show_bug.cgi?id=179074
3064
3065         Reviewed by Mark Lam.
3066
3067         * assembler/ARM64Assembler.h:
3068         * assembler/ARMAssembler.h:
3069         * assembler/ARMv7Assembler.h:
3070         * assembler/MIPSAssembler.h:
3071         * assembler/MacroAssembler.h:
3072         * assembler/X86Assembler.h:
3073
3074 2017-10-31  Keith Miller  <keith_miller@apple.com>
3075
3076         StructureStubInfo should have GPRReg members not int8_ts
3077         https://bugs.webkit.org/show_bug.cgi?id=179071
3078
3079         Reviewed by Michael Saboff.
3080
3081         This patch makes the various RegisterID enums be backed by
3082         uint8_t. This means that we can remove the old int8_t members in
3083         StructureStubInfo and replace them with the correct enum types.
3084
3085         Also, this fixes an indentation issue in ARMv7Assembler.h.
3086
3087         * assembler/ARM64Assembler.h:
3088         * assembler/ARMAssembler.h:
3089         * assembler/ARMv7Assembler.h:
3090         (JSC::ARMRegisters::asSingle):
3091         (JSC::ARMRegisters::asDouble):
3092         * assembler/MIPSAssembler.h:
3093         * assembler/X86Assembler.h:
3094         * bytecode/InlineAccess.cpp:
3095         (JSC::InlineAccess::generateSelfPropertyAccess):
3096         (JSC::getScratchRegister):
3097         * bytecode/PolymorphicAccess.cpp:
3098         (JSC::PolymorphicAccess::regenerate):
3099         * bytecode/StructureStubInfo.h:
3100         (JSC::StructureStubInfo::valueRegs const):
3101         * dfg/DFGSpeculativeJIT.cpp:
3102         (JSC::DFG::SpeculativeJIT::compileIn):
3103         * ftl/FTLLowerDFGToB3.cpp:
3104         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3105         * jit/JITInlineCacheGenerator.cpp:
3106         (JSC::JITByIdGenerator::JITByIdGenerator):
3107         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
3108
3109 2017-10-31  Devin Rousso  <webkit@devinrousso.com>
3110
3111         Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
3112         https://bugs.webkit.org/show_bug.cgi?id=179048
3113
3114         Reviewed by Mark Lam.
3115
3116         * inspector/ScriptCallStackFactory.h:
3117         * inspector/ScriptCallStackFactory.cpp:
3118         (createScriptCallStack):
3119         (createScriptCallStackForConsole):
3120         (createScriptCallStackFromException):
3121
3122         * inspector/ConsoleMessage.cpp:
3123         (Inspector::ConsoleMessage::autogenerateMetadata):
3124         * inspector/JSGlobalObjectInspectorController.cpp:
3125         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3126         * inspector/agents/InspectorConsoleAgent.cpp:
3127         (Inspector::InspectorConsoleAgent::count):
3128         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3129         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3130
3131 2017-10-31  Carlos Garcia Campos  <cgarcia@igalia.com>
3132
3133         Unreviewed. Fix GTK+ make distcheck.
3134
3135         Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
3136
3137         * CMakeLists.txt:
3138
3139 2017-10-30  Saam Barati  <sbarati@apple.com>
3140
3141         We need a storeStoreFence before storing to the instruction stream's live variable catch data
3142         https://bugs.webkit.org/show_bug.cgi?id=178649
3143
3144         Reviewed by Keith Miller.
3145
3146         * bytecode/CodeBlock.cpp:
3147         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3148
3149 2017-10-30  Michael Catanzaro  <mcatanzaro@igalia.com>
3150
3151         [WPE] Fix build warnings
3152         https://bugs.webkit.org/show_bug.cgi?id=178899
3153
3154         Reviewed by Carlos Alberto Lopez Perez.
3155
3156         * PlatformWPE.cmake:
3157
3158 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
3159
3160         [ARMv7] Fix initial start register support in YarrJIT
3161         https://bugs.webkit.org/show_bug.cgi?id=178641
3162
3163         Reviewed by Saam Barati.
3164
3165         * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
3166         YarrGenerator class. r6 should be avoided since it's already used inside
3167         MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
3168         can be used as the frame pointer register when targeting ARM Thumb2.
3169
3170 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
3171
3172         [ARM64][Linux] Re-enable Gigacage
3173         https://bugs.webkit.org/show_bug.cgi?id=178130
3174
3175         Reviewed by Michael Catanzaro.
3176
3177         Guard the current globaladdr opcode implementation for ARM64 with
3178         OS(DARWIN) as it's only usable for Mach-O.
3179
3180         For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
3181         have to be used. The .loh directive can't be used as it's not supported
3182         in GCC or the ld linker.
3183
3184         On every other OS target, a compilation error is thrown.
3185
3186         * offlineasm/arm64.rb:
3187
3188 2017-10-27  Devin Rousso  <webkit@devinrousso.com>
3189
3190         Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
3191         https://bugs.webkit.org/show_bug.cgi?id=178799
3192         <rdar://problem/35175805>
3193
3194         Reviewed by Brian Burg.
3195
3196         * inspector/protocol/Canvas.json:
3197         Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
3198
3199 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3200
3201         [JSC] Tweak ES6 generator function to allow inlining
3202         https://bugs.webkit.org/show_bug.cgi?id=178935
3203
3204         Reviewed by Saam Barati.
3205
3206         We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
3207         This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
3208         them to be inlined in DFG.
3209
3210                                        baseline                  patched
3211
3212         spread-generator.es6      301.2637+-11.1011    ^    260.5905+-14.2258       ^ definitely 1.1561x faster
3213         generator.es6             269.6030+-13.2435    ^    148.8840+-6.7614        ^ definitely 1.8108x faster
3214
3215         * builtins/GeneratorPrototype.js:
3216         (globalPrivate.generatorResume):
3217         (next):
3218         (return):
3219         (throw):
3220
3221 2017-10-27  Saam Barati  <sbarati@apple.com>
3222
3223         Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
3224         https://bugs.webkit.org/show_bug.cgi?id=178949
3225
3226         Reviewed by Keith Miller.
3227
3228         This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
3229         so that we don't need to recompute liveness for the same UnlinkedCodeBlock
3230         more than once. To do this, this patch solidifies the invariant that CodeBlock
3231         linking can't do anything that would change the result of liveness. For example,
3232         it can't introduce new locals. This invariant was met by JSC before, because we
3233         didn't do anything in bytecode linking that would change liveness. However, it is
3234         now a correctness requirement that we don't do anything that would change the
3235         result of running liveness. To support this change, I've refactored BytecodeGraph
3236         to not be tied to a CodeBlockType*. Things that perform liveness will pass in
3237         CodeBlockType* and the instruction stream as needed. This means that we may
3238         compute liveness with one CodeBlock*'s instruction stream, and then perform
3239         queries on that analysis with a different CodeBlock*'s instruction stream.
3240
3241         This seems to be a 2% JSBench progression.
3242
3243         * bytecode/BytecodeGeneratorification.cpp:
3244         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3245         (JSC::BytecodeGeneratorification::graph):
3246         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
3247         (JSC::GeneratorLivenessAnalysis::run):
3248         (JSC::BytecodeGeneratorification::run):
3249         * bytecode/BytecodeGraph.h:
3250         (JSC::BytecodeGraph::BytecodeGraph):
3251         (JSC::BytecodeGraph::codeBlock const): Deleted.
3252         (JSC::BytecodeGraph::instructions): Deleted.
3253         (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
3254         * bytecode/BytecodeLivenessAnalysis.cpp:
3255         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
3256         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
3257         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3258         (JSC::BytecodeLivenessAnalysis::computeKills):
3259         (JSC::BytecodeLivenessAnalysis::dumpResults):
3260         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
3261         (JSC::BytecodeLivenessAnalysis::compute): Deleted.
3262         * bytecode/BytecodeLivenessAnalysis.h:
3263         * bytecode/BytecodeLivenessAnalysisInlines.h:
3264         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
3265         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
3266         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
3267         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
3268         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
3269         * bytecode/BytecodeRewriter.cpp:
3270         (JSC::BytecodeRewriter::applyModification):
3271         (JSC::BytecodeRewriter::execute):
3272         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3273         * bytecode/BytecodeRewriter.h:
3274         (JSC::BytecodeRewriter::BytecodeRewriter):
3275         (JSC::BytecodeRewriter::removeBytecode):
3276         (JSC::BytecodeRewriter::graph):
3277         * bytecode/CodeBlock.cpp:
3278         (JSC::CodeBlock::finishCreation):
3279         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3280         (JSC::CodeBlock::validate):
3281         (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
3282         * bytecode/CodeBlock.h:
3283         (JSC::CodeBlock::livenessAnalysis):
3284         * bytecode/UnlinkedCodeBlock.cpp:
3285         (JSC::UnlinkedCodeBlock::applyModification):
3286         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
3287         * bytecode/UnlinkedCodeBlock.h:
3288         (JSC::UnlinkedCodeBlock::livenessAnalysis):
3289         * dfg/DFGGraph.cpp:
3290         (JSC::DFG::Graph::livenessFor):
3291         (JSC::DFG::Graph::killsFor):
3292         * dfg/DFGPlan.cpp:
3293         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
3294         * jit/JIT.cpp:
3295         (JSC::JIT::privateCompileMainPass):
3296
3297 2017-10-27  Keith Miller  <keith_miller@apple.com>
3298
3299         Add unified source list files and build scripts to Xcode project navigator
3300         https://bugs.webkit.org/show_bug.cgi?id=178959
3301
3302         Reviewed by Andy Estes.
3303
3304         Also, add some extra source files so new .cpp/.mm files don't cause the build
3305         to fail right away. We already do this in WebCore.
3306
3307         * JavaScriptCore.xcodeproj/project.pbxproj:
3308         * PlatformMac.cmake:
3309         * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
3310
3311 2017-10-27  JF Bastien  <jfbastien@apple.com>
3312
3313         WebAssembly: update arbitrary limits to what browsers use
3314         https://bugs.webkit.org/show_bug.cgi?id=178946
3315         <rdar://problem/34257412>
3316         <rdar://problem/34501154>
3317
3318         Reviewed by Saam Barati.
3319
3320         https://github.com/WebAssembly/design/issues/1138 discusses the
3321         arbitrary function size limit, which it turns out Chrome and
3322         Firefox didn't enforce. We didn't use it because it was
3323         ridiculously low and actual programs ran into that limit (bummer
3324         for Edge which just shipped it...). Now that we agree on a high
3325         arbitrary program limit, let's update it! While I'm doing this
3326         there are a few other spots that I polished to use Checked or
3327         better check limits overall.
3328
3329         * wasm/WasmB3IRGenerator.cpp:
3330         (JSC::Wasm::B3IRGenerator::addLocal):
3331         * wasm/WasmFormat.cpp:
3332         (JSC::Wasm::Segment::create):
3333         * wasm/WasmFunctionParser.h:
3334         (JSC::Wasm::FunctionParser<Context>::parse):
3335         * wasm/WasmInstance.cpp:
3336         * wasm/WasmLimits.h:
3337         * wasm/WasmModuleParser.cpp:
3338         (JSC::Wasm::ModuleParser::parseGlobal):
3339         (JSC::Wasm::ModuleParser::parseCode):
3340         (JSC::Wasm::ModuleParser::parseData):
3341         * wasm/WasmSignature.h:
3342         (JSC::Wasm::Signature::allocatedSize):
3343         * wasm/WasmTable.cpp:
3344         (JSC::Wasm::Table::Table):
3345         * wasm/js/JSWebAssemblyTable.cpp:
3346         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
3347         (JSC::JSWebAssemblyTable::grow):
3348
3349 2017-10-26  Michael Saboff  <msaboff@apple.com>
3350
3351         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
3352         https://bugs.webkit.org/show_bug.cgi?id=178890
3353
3354         Reviewed by Keith Miller.
3355
3356         We need to let a contained subpattern backtrack before declaring that the containing
3357         parenthesis doesn't match.  If the subpattern fails to match while backtracking, then we
3358         can check to see if we are trying to backtrack below the minimum match count.
3359         
3360         * yarr/YarrInterpreter.cpp:
3361         (JSC::Yarr::Interpreter::backtrackParentheses):
3362
3363 2017-10-26  Mark Lam  <mark.lam@apple.com>
3364
3365         JSRopeString::RopeBuilder::append() should check for overflows.
3366         https://bugs.webkit.org/show_bug.cgi?id=178385
3367         <rdar://problem/35027468>
3368
3369         Reviewed by Saam Barati.
3370
3371         1. Made RopeString check for overflow like the Checked class does.
3372         2. Added a missing overflow check in objectProtoFuncToString().
3373
3374         * runtime/JSString.cpp:
3375         (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
3376         (JSC::JSRopeString::RopeBuilder::expand): Deleted.
3377         * runtime/JSString.h:
3378         * runtime/ObjectPrototype.cpp:
3379         (JSC::objectProtoFuncToString):
3380         * runtime/Operations.h:
3381         (JSC::jsStringFromRegisterArray):
3382         (JSC::jsStringFromArguments):
3383
3384 2017-10-26  JF Bastien  <jfbastien@apple.com>
3385
3386         WebAssembly: no VM / JS version of our implementation
3387         https://bugs.webkit.org/show_bug.cgi?id=177472
3388
3389         Reviewed by Michael Saboff.
3390
3391         This patch removes all appearances of "JS" and "VM" in the wasm
3392         directory. These now only appear in the wasm/js directory, which
3393         is only used in a JS embedding of wasm. It should therefore now be
3394         possible to create non-JS embeddings of wasm through JSC, though
3395         it'll still require:
3396
3397           - Mild codegen for wasm<->embedder calls;
3398           - A strategy for trap handling (no need for full unwind! Could kill).
3399           - Creation of the Wasm::* objects.
3400           - Calling convention handling to call the embedder.
3401           - Handling of multiple embedders (see #177475, this is optional).
3402
3403         Most of the patch consists of renaming JSWebAssemblyInstance to
3404         Instance, and removing temporary copies which I'd added to make
3405         this specific patch very simple.
3406
3407         * interpreter/CallFrame.cpp:
3408         (JSC::CallFrame::wasmAwareLexicalGlobalObject): this is the one place
3409         which needs to know who "owns" the Wasm::Instance. In a JS
3410         embedding it's the JSWebAssemblyInstance.
3411         * wasm/WasmB3IRGenerator.cpp:
3412         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3413         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
3414         (JSC::Wasm::B3IRGenerator::addGrowMemory):
3415         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
3416         (JSC::Wasm::B3IRGenerator::getGlobal):
3417         (JSC::Wasm::B3IRGenerator::setGlobal):
3418         (JSC::Wasm::B3IRGenerator::addCall):
3419         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3420         * wasm/WasmBinding.cpp:
3421         (JSC::Wasm::wasmToWasm):
3422         * wasm/WasmContext.cpp:
3423         (JSC::Wasm::Context::load const):
3424         (JSC::Wasm::Context::store):
3425         * wasm/WasmContext.h:
3426         * wasm/WasmEmbedder.h:
3427         * wasm/WasmInstance.cpp:
3428         (JSC::Wasm::Instance::Instance):
3429         (JSC::Wasm::Instance::create):
3430         (JSC::Wasm::Instance::extraMemoryAllocated const):
3431         * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
3432         "tail" import information from JSWebAssemblyInstance over to here.
3433         (JSC::Wasm::Instance::finalizeCreation):
3434         (JSC::Wasm::Instance::owner const):
3435         (JSC::Wasm::Instance::offsetOfOwner):
3436         (JSC::Wasm::Instance::context const):
3437         (JSC::Wasm::Instance::setMemory):
3438         (JSC::Wasm::Instance::setTable):
3439         (JSC::Wasm::Instance::offsetOfMemory):
3440         (JSC::Wasm::Instance::offsetOfGlobals):
3441         (JSC::Wasm::Instance::offsetOfTable):
3442         (JSC::Wasm::Instance::offsetOfTail):
3443         (JSC::Wasm::Instance::numImportFunctions const):
3444         (JSC::Wasm::Instance::importFunctionInfo):
3445         (JSC::Wasm::Instance::offsetOfTargetInstance):
3446         (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
3447         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
3448         (JSC::Wasm::Instance::offsetOfImportFunction):
3449         (JSC::Wasm::Instance::importFunction):
3450         (JSC::Wasm::Instance::allocationSize):
3451         (JSC::Wasm::Instance::create): Deleted.
3452         * wasm/WasmOMGPlan.cpp:
3453         (JSC::Wasm::OMGPlan::runForIndex):
3454         * wasm/WasmOMGPlan.h:
3455         * wasm/WasmTable.cpp:
3456         (JSC::Wasm::Table::Table):
3457         (JSC::Wasm::Table::setFunction):
3458         * wasm/WasmTable.h:
3459         * wasm/WasmThunks.cpp:
3460         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3461         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
3462         * wasm/js/JSToWasm.cpp:
3463         (JSC::Wasm::createJSToWasmWrapper):
3464         * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
3465         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
3466         decides what the import function is. Here we must properly
3467         placement-new it to what we've elected (and initialize it later).
3468         (JSC::JSWebAssemblyInstance::visitChildren):
3469         (JSC::JSWebAssemblyInstance::finalizeCreation):
3470         (JSC::JSWebAssemblyInstance::create):
3471         * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
3472         (JSC::JSWebAssemblyInstance::instance):
3473         (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
3474         (JSC::JSWebAssemblyInstance::setMemory):
3475         (JSC::JSWebAssemblyInstance::table):
3476         (JSC::JSWebAssemblyInstance::setTable):
3477         (JSC::JSWebAssemblyInstance::offsetOfInstance):
3478         (JSC::JSWebAssemblyInstance::offsetOfCallee):
3479         (JSC::JSWebAssemblyInstance::context const): Deleted.
3480         (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
3481         (): Deleted.
3482         (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
3483         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
3484         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
3485         (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
3486         (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
3487         (JSC::JSWebAssemblyInstance::importFunction): Deleted.
3488         (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
3489         (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
3490         (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
3491         (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
3492         (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
3493         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
3494         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
3495         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
3496         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
3497         (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
3498         (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
3499         (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
3500         (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
3501         (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
3502         * wasm/js/JSWebAssemblyTable.cpp:
3503         (JSC::JSWebAssemblyTable::setFunction):
3504         * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
3505         (JSC::Wasm::materializeImportJSCell):
3506         (JSC::Wasm::handleBadI64Use):
3507         (JSC::Wasm::wasmToJS):
3508         (JSC::Wasm::wasmToJSException):
3509         * wasm/js/WasmToJS.h:
3510         * wasm/js/WebAssemblyFunction.cpp:
3511         (JSC::callWebAssemblyFunction):
3512         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3513         (JSC::constructJSWebAssemblyInstance):
3514         * wasm/js/WebAssemblyModuleRecord.cpp:
3515         (JSC::WebAssemblyModuleRecord::link):
3516         (JSC::WebAssemblyModuleRecord::evaluate):
3517         * wasm/js/WebAssemblyPrototype.cpp:
3518         (JSC::instantiate):
3519         * wasm/js/WebAssemblyWrapperFunction.cpp:
3520         (JSC::WebAssemblyWrapperFunction::create):
3521
3522 2017-10-25  Devin Rousso  <webkit@devinrousso.com>
3523
3524         Web Inspector: provide a way to enable/disable event listeners
3525         https://bugs.webkit.org/show_bug.cgi?id=177451
3526         <rdar://problem/34994925>
3527
3528         Reviewed by Joseph Pecoraro.
3529
3530         * inspector/protocol/DOM.json:
3531         Add `setEventListenerDisabled` command that enables/disables a specific event listener
3532         during event dispatch. When a disabled event listener is fired, the listener's callback will
3533         not be called.
3534
3535 2017-10-25  Commit Queue  <commit-queue@webkit.org>
3536
3537         Unreviewed, rolling out r223691 and r223729.
3538         https://bugs.webkit.org/show_bug.cgi?id=178834
3539
3540         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
3541         by rniwa on #webkit).
3542
3543         Reverted changesets:
3544
3545         "Turn recursive tail calls into loops"
3546         https://bugs.webkit.org/show_bug.cgi?id=176601
3547         https://trac.webkit.org/changeset/223691
3548
3549         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
3550         comparison is always false due to limited range of data type
3551         [-Wtype-limits]"
3552         https://bugs.webkit.org/show_bug.cgi?id=178543
3553         https://trac.webkit.org/changeset/223729
3554
3555 2017-10-25  Michael Saboff  <msaboff@apple.com>
3556
3557         REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
3558         https://bugs.webkit.org/show_bug.cgi?id=178825
3559
3560         Reviewed by Mark Lam.
3561
3562         Enable ARC for ARM64_32.  This eliminates the need for setting CLANG_ENABLE_OBJC_WEAK.
3563
3564         * Configurations/ToolExecutable.xcconfig:
3565
3566 2017-10-25  Keith Miller  <keith_miller@apple.com>
3567
3568         Fix implicit cast of enum, which seems to break the windows build of unified sources.
3569         https://bugs.webkit.org/show_bug.cgi?id=178822
3570
3571         Reviewed by Saam Barati.
3572
3573         * bytecode/DFGExitProfile.h:
3574         (JSC::DFG::FrequentExitSite::hash const):
3575
3576 2017-10-24  Michael Saboff  <msaboff@apple.com>
3577
3578         Allow ObjC Weak References when building TestAPI
3579         https://bugs.webkit.org/show_bug.cgi?id=178748
3580
3581         Reviewed by Dan Bernstein.
3582
3583         Set TestAPI build flag Weak References in Manual Retain Release to true.
3584
3585         * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
3586         * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
3587
3588 2017-10-24  Eric Carlson  <eric.carlson@apple.com>
3589
3590         Web Inspector: Enable WebKit logging configuration and display
3591         https://bugs.webkit.org/show_bug.cgi?id=177027
3592         <rdar://problem/33964767>
3593
3594         Reviewed by Joseph Pecoraro.
3595
3596         * inspector/ConsoleMessage.cpp:
3597         (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage -> 
3598             Inspector::Protocol::Console::ChannelSource.
3599         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
3600         (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
3601             specific to a JSContext yet, so return an empty channel array.
3602         (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
3603         * inspector/agents/JSGlobalObjectConsoleAgent.h:
3604
3605         * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
3606             and setLoggingChannelLevel.
3607
3608         * inspector/scripts/codegen/generator.py: Special case "webrtc"-> "WebRTC".
3609         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3610         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3611         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3612         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3613         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3614
3615         * runtime/ConsoleTypes.h: Add Media and WebRTC.
3616
3617 2017-10-24  Michael Saboff  <msaboff@apple.com>
3618
3619         Allow ObjC Weak References when building TestAPI
3620         https://bugs.webkit.org/show_bug.cgi?id=178748
3621
3622         Reviewed by Saam Barati.
3623
3624         Set TestAPI build flag Weak References in Manual Retain Release to true.
3625
3626         * JavaScriptCore.xcodeproj/project.pbxproj:
3627
3628 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3629
3630         [FTL] Support NewStringObject
3631         https://bugs.webkit.org/show_bug.cgi?id=178737
3632
3633         Reviewed by Saam Barati.
3634
3635         FTL should support NewStringObject and encourage use of NewStringObject in DFG pipeline.
3636         After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
3637
3638         * ftl/FTLAbstractHeapRepository.h:
3639         * ftl/FTLCapabilities.cpp:
3640         (JSC::FTL::canCompile):
3641         * ftl/FTLLowerDFGToB3.cpp:
3642         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3643         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
3644
3645 2017-10-24  Guillaume Emont  <guijemont@igalia.com>
3646
3647         [mips] fix offsets of branches that have to go over a jump
3648         https://bugs.webkit.org/show_bug.cgi?id=153464
3649
3650         The jump() function creates 8 instructions, but the offsets of branches
3651         meant to go over them only account for 6. In most cases, this is not an
3652         issue as the last two instructions of jump() would be nops, but in the
3653         rarer case where the jump destination is in a different 256 MB segment,
3654         MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
3655         the last 4 instructions would be a 2 instruction load (lui/ori) into
3656         $t9, a "j $t9" and then a nop. The wrong offset will mean that the
3657         previous branches meant to go over the whole jump will branch to the
3658         "j $t9" instruction, which would jump to whatever is currently in $t9
3659         (since lui/ori would not be executed).
3660
3661         Reviewed by Michael Catanzaro.
3662
3663         * assembler/MacroAssemblerMIPS.h:
3664         (JSC::MacroAssemblerMIPS::branchAdd32):
3665         (JSC::MacroAssemblerMIPS::branchMul32):
3666         (JSC::MacroAssemblerMIPS::branchSub32):
3667         Fix the offsets of branches meant to go over code generated by jump().
3668
3669 2017-10-24  JF Bastien  <jfbastien@apple.com>
3670
3671         WebAssembly: NFC renames of things that aren't JS-specific
3672         https://bugs.webkit.org/show_bug.cgi?id=178738
3673
3674         Reviewed by Saam Barati.
3675
3676         * wasm/WasmB3IRGenerator.cpp:
3677         (JSC::Wasm::parseAndCompile):
3678         * wasm/WasmB3IRGenerator.h:
3679         * wasm/WasmBBQPlan.cpp:
3680         (JSC::Wasm::BBQPlan::complete):
3681         * wasm/WasmCodeBlock.cpp:
3682         (JSC::Wasm::CodeBlock::CodeBlock):
3683         * wasm/WasmCodeBlock.h:
3684         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
3685         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
3686         * wasm/WasmFormat.h:
3687         * wasm/js/JSToWasm.cpp:
3688         (JSC::Wasm::createJSToWasmWrapper):
3689         * wasm/js/WebAssemblyModuleRecord.cpp:
3690         (JSC::WebAssemblyModuleRecord::link):
3691         (JSC::WebAssemblyModuleRecord::evaluate):
3692
3693 2017-10-24  Stephan Szabo  <stephan.szabo@sony.com>
3694
3695         [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
3696         https://bugs.webkit.org/show_bug.cgi?id=177279
3697
3698         Reviewed by Yusuke Suzuki.
3699
3700         * shell/PlatformJSCOnly.cmake: Added.
3701
3702 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3703
3704         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
3705         https://bugs.webkit.org/show_bug.cgi?id=178308
3706
3707         Reviewed by Mark Lam.
3708
3709         With the change of the spec [1], we no longer need to remember star resolution modules.
3710         We reflect this change in our implementation. Since this change is covered by test262,
3711         this patch improves the score of test262.
3712
3713         We also add logging to ResolveExport to debug it easily.
3714
3715         [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
3716
3717         * runtime/AbstractModuleRecord.cpp:
3718         (JSC::AbstractModuleRecord::ResolveQuery::dump const):
3719         (JSC::AbstractModuleRecord::resolveExportImpl):
3720
3721 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3722
3723         [JSC] Use emitDumbVirtualCall in 32bit JIT
3724         https://bugs.webkit.org/show_bug.cgi?id=178644
3725
3726         Reviewed by Mark Lam.
3727
3728         This patch aligns 32bit JIT op_call_eval slow case to 64bit version by using emitDumbVirtualCall.
3729
3730         * jit/JITCall32_64.cpp:
3731         (JSC::JIT::compileCallEvalSlowCase):
3732
3733 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3734
3735         [JSC] Drop ArityCheckData
3736         https://bugs.webkit.org/show_bug.cgi?id=178648
3737
3738         Reviewed by Mark Lam.
3739
3740         ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
3741         However, use of `thunkToCall` is removed in 64bit environment at r189575.
3742
3743         We remove `thunkToCall` and align 32bit implementation to 64bit implementation.
3744         Since we no longer need to have the above pair, we can remove ArityCheckData too.
3745
3746         * llint/LowLevelInterpreter32_64.asm:
3747         * llint/LowLevelInterpreter64.asm:
3748         * runtime/CommonSlowPaths.cpp:
3749         (JSC::SLOW_PATH_DECL):
3750         (JSC::setupArityCheckData): Deleted.
3751         * runtime/CommonSlowPaths.h:
3752         * runtime/VM.cpp:
3753         (JSC::VM::VM):
3754         * runtime/VM.h:
3755
3756 2017-10-23  Keith Miller  <keith_miller@apple.com>
3757
3758         Unreviewed, reland r223866
3759
3760         Didn't break the windows build...
3761
3762         Restored changeset:
3763
3764         "WebAssembly: topEntryFrame on Wasm::Instance"
3765         https://bugs.webkit.org/show_bug.cgi?id=178690
3766         https://trac.webkit.org/changeset/223866
3767
3768
3769 2017-10-23  Commit Queue  <commit-queue@webkit.org>
3770
3771         Unreviewed, rolling out r223866.
3772         https://bugs.webkit.org/show_bug.cgi?id=178699
3773
3774         Probably broke the windows build (Requested by keith_miller on
3775         #webkit).
3776
3777         Reverted changeset:
3778
3779         "WebAssembly: topEntryFrame on Wasm::Instance"
3780         https://bugs.webkit.org/show_bug.cgi?id=178690
3781         https://trac.webkit.org/changeset/223866
3782
3783 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
3784
3785         Web Inspector: Remove unused Console.setMonitoringXHREnabled
3786         https://bugs.webkit.org/show_bug.cgi?id=178617
3787
3788         Reviewed by Sam Weinig.
3789
3790         * JavaScriptCore.xcodeproj/project.pbxproj:
3791         * Sources.txt:
3792         * inspector/agents/InspectorConsoleAgent.h:
3793         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
3794         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
3795         * inspector/protocol/Console.json:
3796         Removed files and method.
3797
3798         * inspector/JSGlobalObjectInspectorController.cpp:
3799         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
3800         This can use the base ConsoleAgent now.
3801
3802 2017-10-23  JF Bastien  <jfbastien@apple.com>
3803
3804         WebAssembly: topEntryFrame on Wasm::Instance
3805         https://bugs.webkit.org/show_bug.cgi?id=178690
3806
3807         Reviewed by Saam Barati.
3808
3809         topEntryFrame is usually on VM, but for a no-VM WebAssembly we
3810         need to hold topEntryFrame elsewhere, and generated code cannot
3811         hard-code where topEntryFrame lives. Do this at creation time of
3812         Wasm::Instance, and then generated code will just load from
3813         wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
3814         embedding this is still from VM, so all of the unwinding machinery
3815         stays the same.
3816
3817         * dfg/DFGOSREntry.cpp:
3818         (JSC::DFG::prepareOSREntry):
3819         * dfg/DFGOSRExit.cpp:
3820         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
3821         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
3822         * ftl/FTLOSRExitCompiler.cpp:
3823         (JSC::FTL::compileStub):
3824         * interpreter/Interpreter.cpp:
3825         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
3826         * jit/AssemblyHelpers.cpp:
3827         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
3828         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
3829         * jit/AssemblyHelpers.h:
3830         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
3831         The default parameter was never non-defaulted from any of the
3832         callers. The new version calls the impl directly because it
3833         doesn't have VM and doesn't hard-code the address of
3834         topEntryFrame.
3835         * jit/RegisterSet.cpp:
3836         (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
3837         VM because it's not really VM-specific.
3838         * jit/RegisterSet.h:
3839         * runtime/VM.cpp:
3840         (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
3841         * runtime/VM.h:
3842         (JSC::VM::getCTIStub):
3843         * wasm/WasmB3IRGenerator.cpp:
3844         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3845         (JSC::Wasm::B3IRGenerator::addCall):
3846         (JSC::Wasm::B3IRGenerator::addCallIndirect):
3847         * wasm/WasmInstance.cpp:
3848         (JSC::Wasm::Instance::Instance):
3849         * wasm/WasmInstance.h: topEntryFramePointer will eventually live
3850         here for real. Right now it's mirrored in JSWebAssemblyInstance
3851         because that's the acting Context.
3852         (JSC::Wasm::Instance::create):
3853         (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
3854         * wasm/WasmThunks.cpp:
3855         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
3856         * wasm/js/JSWebAssemblyInstance.cpp:
3857         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
3858         * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
3859         (JSC::JSWebAssemblyInstance::offsetOfCallee):
3860         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
3861         (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
3862         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3863         (JSC::constructJSWebAssemblyInstance):
3864         * wasm/js/WebAssemblyPrototype.cpp:
3865         (JSC::instantiate):
3866
3867 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
3868
3869         Web Inspector: Please support HAR Export for network traffic
3870         https://bugs.webkit.org/show_bug.cgi?id=146692
3871         <rdar://problem/7463672>
3872
3873         Reviewed by Brian Burg.
3874
3875         * inspector/protocol/Network.json:
3876         Add a walltime to each send request.
3877
3878 2017-10-23  Matt Lewis  <jlewis3@apple.com>
3879
3880         Unreviewed, rolling out r223820.
3881
3882         This caused a build break on Windows.
3883
3884         Reverted changeset:
3885
3886         "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
3887         https://bugs.webkit.org/show_bug.cgi?id=178617
3888         https://trac.webkit.org/changeset/223820
3889
3890 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
3891
3892         [JSC] Use fastJoin in Array#toString
3893         https://bugs.webkit.org/show_bug.cgi?id=178062
3894
3895         Reviewed by Darin Adler.
3896
3897         Array#toString()'s fast path uses the original join operation.
3898         But this should use fastJoin if possible.
3899         This patch adds a fast path using fastJoin in Array#toString.
3900         We also extend fastJoin to perform fast joining for int32
3901         arrays.
3902
3903                                              baseline                  patched
3904
3905         double-array-to-string          126.6157+-5.8625     ^    103.7343+-4.4968        ^ definitely 1.2206x faster
3906         int32-array-to-string            64.7792+-2.6524           61.2390+-2.1749          might be 1.0578x faster
3907         contiguous-array-to-string       62.6224+-2.6388     ^     56.9899+-2.0852        ^ definitely 1.0988x faster
3908
3909
3910         * runtime/ArrayPrototype.cpp:
3911         (JSC::fastJoin):
3912         (JSC::arrayProtoFuncToString):
3913         (JSC::arrayProtoFuncToLocaleString):
3914         * runtime/JSStringJoiner.h:
3915         (JSC::JSStringJoiner::appendWithoutSideEffects):
3916         (JSC::JSStringJoiner::appendInt32):
3917         (JSC::JSStringJoiner::appendDouble):
3918
3919 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
3920
3921         [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
3922         https://bugs.webkit.org/show_bug.cgi?id=178452
3923
3924         Reviewed by Yusuke Suzuki.
3925
3926         * heap/RegisterState.h: Re-enable the custom RegisterState and
3927         ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
3928         cause any crashes nowadays.
3929
3930 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3931
3932     &