[WPE] Add libepoxy to the Jhbuild moduleset
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-07-23  Mark Lam  <mark.lam@apple.com>
2
3         Create regression tests for the JIT probe.
4         https://bugs.webkit.org/show_bug.cgi?id=174696
5         <rdar://problem/33436922>
6
7         Reviewed by Saam Barati.
8
9         The new testmasm will test the following:
10         1. the probe is able to read the value of CPU registers.
11         2. the probe is able to write the value of CPU registers.
12         3. the probe is able to preserve all CPU registers.
13         4. special case of (2): the probe is able to change the value of the stack pointer.
14         5. special case of (2): the probe is able to change the value of the program counter
15            i.e. the probe can change where the code continues executing upon returning from
16            the probe.
17
18         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
19         because it does not support changing the sp and pc yet.  The ARM64 probe
20         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
21         later.
22
23         * Configurations/ToolExecutable.xcconfig:
24         * JavaScriptCore.xcodeproj/project.pbxproj:
25         * assembler/MacroAssembler.h:
26         (JSC::MacroAssembler::CPUState::pc):
27         (JSC::MacroAssembler::CPUState::fp):
28         (JSC::MacroAssembler::CPUState::sp):
29         (JSC::ProbeContext::pc):
30         (JSC::ProbeContext::fp):
31         (JSC::ProbeContext::sp):
32         * assembler/MacroAssemblerARM64.cpp:
33         (JSC::arm64ProbeTrampoline):
34         * assembler/MacroAssemblerPrinter.cpp:
35         (JSC::Printer::printPCRegister):
36         * assembler/testmasm.cpp: Added.
37         (hiddenTruthBecauseNoReturnIsStupid):
38         (usage):
39         (JSC::nextID):
40         (JSC::isPC):
41         (JSC::isSP):
42         (JSC::isFP):
43         (JSC::compile):
44         (JSC::invoke):
45         (JSC::compileAndRun):
46         (JSC::testSimple):
47         (JSC::testProbeReadsArgumentRegisters):
48         (JSC::testProbeWritesArgumentRegisters):
49         (JSC::testFunctionToTrashRegisters):
50         (JSC::testProbePreservesGPRS):
51         (JSC::testProbeModifiesStackPointer):
52         (JSC::testProbeModifiesProgramCounter):
53         (JSC::run):
54         (run):
55         (main):
56         * b3/air/testair.cpp:
57         (usage):
58         * shell/CMakeLists.txt:
59
60 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
61
62         It should be easy to decide how WebKit yields
63         https://bugs.webkit.org/show_bug.cgi?id=174298
64
65         Reviewed by Saam Barati.
66         
67         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
68
69         * heap/Heap.cpp:
70         (JSC::Heap::resumeThePeriphery):
71         * heap/VisitingTimeout.h:
72         * runtime/JSCell.cpp:
73         (JSC::JSCell::lockSlow):
74         (JSC::JSCell::unlockSlow):
75         * runtime/JSCell.h:
76         * runtime/JSCellInlines.h:
77         (JSC::JSCell::lock):
78         (JSC::JSCell::unlock):
79         * runtime/JSLock.cpp:
80         (JSC::JSLock::grabAllLocks):
81         * runtime/SamplingProfiler.cpp:
82
83 2017-07-21  Mark Lam  <mark.lam@apple.com>
84
85         Refactor MASM probe CPUState to use arrays for register storage.
86         https://bugs.webkit.org/show_bug.cgi?id=174694
87
88         Reviewed by Keith Miller.
89
90         Using arrays for register storage in CPUState allows us to do away with the
91         huge switch statements to decode each register id.  We can now simply index into
92         the arrays.
93
94         With this patch, we now:
95
96         1. Remove the need for macros for defining the list of CPU registers.
97            We can go back to simple enums.  This makes the code easier to read.
98
99         2. Make the assembler the authority on register names.
100            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
101            GPRInfo and FPRInfo now forward to the assembler.
102
103         3. Make the assembler the authority on the number of registers of each type.
104
105         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
106            This is inconsistent with how every other CPU architecture implements
107            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
108            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
109
110         * assembler/ARM64Assembler.h:
111         (JSC::ARM64Assembler::numberOfRegisters):
112         (JSC::ARM64Assembler::firstSPRegister):
113         (JSC::ARM64Assembler::lastSPRegister):
114         (JSC::ARM64Assembler::numberOfSPRegisters):
115         (JSC::ARM64Assembler::numberOfFPRegisters):
116         (JSC::ARM64Assembler::gprName):
117         (JSC::ARM64Assembler::sprName):
118         (JSC::ARM64Assembler::fprName):
119         * assembler/ARMAssembler.h:
120         (JSC::ARMAssembler::numberOfRegisters):
121         (JSC::ARMAssembler::firstSPRegister):
122         (JSC::ARMAssembler::lastSPRegister):
123         (JSC::ARMAssembler::numberOfSPRegisters):
124         (JSC::ARMAssembler::numberOfFPRegisters):
125         (JSC::ARMAssembler::gprName):
126         (JSC::ARMAssembler::sprName):
127         (JSC::ARMAssembler::fprName):
128         * assembler/ARMv7Assembler.h:
129         (JSC::ARMv7Assembler::lastRegister):
130         (JSC::ARMv7Assembler::numberOfRegisters):
131         (JSC::ARMv7Assembler::firstSPRegister):
132         (JSC::ARMv7Assembler::lastSPRegister):
133         (JSC::ARMv7Assembler::numberOfSPRegisters):
134         (JSC::ARMv7Assembler::numberOfFPRegisters):
135         (JSC::ARMv7Assembler::gprName):
136         (JSC::ARMv7Assembler::sprName):
137         (JSC::ARMv7Assembler::fprName):
138         * assembler/AbstractMacroAssembler.h:
139         (JSC::AbstractMacroAssembler::numberOfRegisters):
140         (JSC::AbstractMacroAssembler::gprName):
141         (JSC::AbstractMacroAssembler::firstSPRegister):
142         (JSC::AbstractMacroAssembler::lastSPRegister):
143         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
144         (JSC::AbstractMacroAssembler::sprName):
145         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
146         (JSC::AbstractMacroAssembler::fprName):
147         * assembler/MIPSAssembler.h:
148         (JSC::MIPSAssembler::numberOfRegisters):
149         (JSC::MIPSAssembler::firstSPRegister):
150         (JSC::MIPSAssembler::lastSPRegister):
151         (JSC::MIPSAssembler::numberOfSPRegisters):
152         (JSC::MIPSAssembler::numberOfFPRegisters):
153         (JSC::MIPSAssembler::gprName):
154         (JSC::MIPSAssembler::sprName):
155         (JSC::MIPSAssembler::fprName):
156         * assembler/MacroAssembler.h:
157         (JSC::MacroAssembler::CPUState::gprName):
158         (JSC::MacroAssembler::CPUState::sprName):
159         (JSC::MacroAssembler::CPUState::fprName):
160         (JSC::MacroAssembler::CPUState::gpr):
161         (JSC::MacroAssembler::CPUState::spr):
162         (JSC::MacroAssembler::CPUState::fpr):
163         (JSC::MacroAssembler::CPUState::pc):
164         (JSC::MacroAssembler::CPUState::fp):
165         (JSC::MacroAssembler::CPUState::sp):
166         (JSC::ProbeContext::gpr):
167         (JSC::ProbeContext::spr):
168         (JSC::ProbeContext::fpr):
169         (JSC::ProbeContext::gprName):
170         (JSC::ProbeContext::sprName):
171         (JSC::ProbeContext::fprName):
172         (JSC::MacroAssembler::numberOfRegisters): Deleted.
173         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
174         * assembler/MacroAssemblerARM.cpp:
175         * assembler/MacroAssemblerARM64.cpp:
176         (JSC::arm64ProbeTrampoline):
177         * assembler/MacroAssemblerARMv7.cpp:
178         * assembler/MacroAssemblerPrinter.cpp:
179         (JSC::Printer::nextID):
180         (JSC::Printer::printAllRegisters):
181         (JSC::Printer::printPCRegister):
182         (JSC::Printer::printRegisterID):
183         (JSC::Printer::printAddress):
184         * assembler/MacroAssemblerX86Common.cpp:
185         * assembler/X86Assembler.h:
186         (JSC::X86Assembler::numberOfRegisters):
187         (JSC::X86Assembler::firstSPRegister):
188         (JSC::X86Assembler::lastSPRegister):
189         (JSC::X86Assembler::numberOfSPRegisters):
190         (JSC::X86Assembler::numberOfFPRegisters):
191         (JSC::X86Assembler::gprName):
192         (JSC::X86Assembler::sprName):
193         (JSC::X86Assembler::fprName):
194         * jit/FPRInfo.h:
195         (JSC::FPRInfo::debugName):
196         * jit/GPRInfo.h:
197         (JSC::GPRInfo::debugName):
198         * jit/RegisterSet.cpp:
199         (JSC::RegisterSet::reservedHardwareRegisters):
200
201 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
202
203         [JSC] Introduce static symbols
204         https://bugs.webkit.org/show_bug.cgi?id=158863
205
206         Reviewed by Darin Adler.
207
208         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
209         As a result, we can share the same Symbol values between VMs and threads.
210         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
211
212         * CMakeLists.txt:
213         * JavaScriptCore.xcodeproj/project.pbxproj:
214         * builtins/BuiltinNames.cpp: Added.
215         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
216
217         * builtins/BuiltinNames.h:
218         (JSC::BuiltinNames::BuiltinNames):
219         * builtins/BuiltinUtils.h:
220
221 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
222
223         [FTL] Arguments elimination is suppressed by unreachable blocks
224         https://bugs.webkit.org/show_bug.cgi?id=174352
225
226         Reviewed by Filip Pizlo.
227
228         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
229         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
230         Since GetById without information can escape arguments if it is specified, non-executed code including
231         op_get_by_id with arguments can escape arguments.
232
233         For example,
234
235             function test(flag)
236             {
237                 if (flag) {
238                     // This is not executed, but emits GetById with arguments.
239                     // It prevents us from eliminating materialization.
240                     return arguments.length;
241                 }
242                 return arguments.length;
243             }
244             noInline(test);
245             while (true)
246                 test(false);
247
248         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
249         So this GetById exists and escapes arguments.
250
251         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
252         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
253         lightweight. But it catches many of the typical cases we failed to perform arguments elimination.
254
255         * dfg/DFGArgumentsEliminationPhase.cpp:
256         * dfg/DFGNode.h:
257         (JSC::DFG::Node::isPseudoTerminal):
258         * dfg/DFGValidate.cpp:
259
260 2017-07-20  Chris Dumez  <cdumez@apple.com>
261
262         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
263         https://bugs.webkit.org/show_bug.cgi?id=174660
264
265         Reviewed by Geoffrey Garen.
266
267         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
268         This essentially replaces a branch to figure out if the new size is less or greater than the
269         current size by an assertion.
270
271         * b3/B3BasicBlockUtils.h:
272         (JSC::B3::clearPredecessors):
273         * b3/B3InferSwitches.cpp:
274         * b3/B3LowerToAir.cpp:
275         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
276         * b3/B3ReduceStrength.cpp:
277         * b3/B3SparseCollection.h:
278         (JSC::B3::SparseCollection::packIndices):
279         * b3/B3UseCounts.cpp:
280         (JSC::B3::UseCounts::UseCounts):
281         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
282         * b3/air/AirEmitShuffle.cpp:
283         (JSC::B3::Air::emitShuffle):
284         * b3/air/AirLowerAfterRegAlloc.cpp:
285         (JSC::B3::Air::lowerAfterRegAlloc):
286         * b3/air/AirOptimizeBlockOrder.cpp:
287         (JSC::B3::Air::optimizeBlockOrder):
288         * bytecode/Operands.h:
289         (JSC::Operands::ensureLocals):
290         * bytecode/PreciseJumpTargets.cpp:
291         (JSC::computePreciseJumpTargetsInternal):
292         * dfg/DFGBlockInsertionSet.cpp:
293         (JSC::DFG::BlockInsertionSet::execute):
294         * dfg/DFGBlockMapInlines.h:
295         (JSC::DFG::BlockMap<T>::BlockMap):
296         * dfg/DFGByteCodeParser.cpp:
297         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
298         (JSC::DFG::ByteCodeParser::clearCaches):
299         * dfg/DFGDisassembler.cpp:
300         (JSC::DFG::Disassembler::Disassembler):
301         * dfg/DFGFlowIndexing.cpp:
302         (JSC::DFG::FlowIndexing::recompute):
303         * dfg/DFGGraph.cpp:
304         (JSC::DFG::Graph::registerFrozenValues):
305         * dfg/DFGInPlaceAbstractState.cpp:
306         (JSC::DFG::setLiveValues):
307         * dfg/DFGLICMPhase.cpp:
308         (JSC::DFG::LICMPhase::run):
309         * dfg/DFGLivenessAnalysisPhase.cpp:
310         * dfg/DFGNaturalLoops.cpp:
311         (JSC::DFG::NaturalLoops::NaturalLoops):
312         * dfg/DFGStoreBarrierClusteringPhase.cpp:
313         * ftl/FTLLowerDFGToB3.cpp:
314         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
315         * heap/CodeBlockSet.cpp:
316         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
317         * heap/MarkedSpace.cpp:
318         (JSC::MarkedSpace::sweepLargeAllocations):
319         * inspector/ContentSearchUtilities.cpp:
320         (Inspector::ContentSearchUtilities::findMagicComment):
321         * interpreter/ShadowChicken.cpp:
322         (JSC::ShadowChicken::update):
323         * parser/ASTBuilder.h:
324         (JSC::ASTBuilder::shrinkOperandStackBy):
325         * parser/Lexer.h:
326         (JSC::Lexer::setOffset):
327         * runtime/RegExpInlines.h:
328         (JSC::RegExp::matchInline):
329         * runtime/RegExpPrototype.cpp:
330         (JSC::genericSplit):
331         * yarr/RegularExpression.cpp:
332         (JSC::Yarr::RegularExpression::match):
333
334 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
335
336         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
337         https://bugs.webkit.org/show_bug.cgi?id=174678
338
339         Reviewed by Mark Lam.
340
341         Use Thread& instead.
342
343         * runtime/JSLock.cpp:
344         (JSC::JSLock::didAcquireLock):
345
346 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
347
348         [WTF] Implement WTF::ThreadGroup
349         https://bugs.webkit.org/show_bug.cgi?id=174081
350
351         Reviewed by Mark Lam.
352
353         Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup.
354         And SamplingProfiler and others interact with WTF::Thread directly.
355
356         * API/tests/ExecutionTimeLimitTest.cpp:
357         * heap/MachineStackMarker.cpp:
358         (JSC::MachineThreads::MachineThreads):
359         (JSC::captureStack):
360         (JSC::MachineThreads::tryCopyOtherThreadStack):
361         (JSC::MachineThreads::tryCopyOtherThreadStacks):
362         (JSC::MachineThreads::gatherConservativeRoots):
363         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
364         (JSC::ActiveMachineThreadsManager::add): Deleted.
365         (JSC::ActiveMachineThreadsManager::remove): Deleted.
366         (JSC::ActiveMachineThreadsManager::contains): Deleted.
367         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
368         (JSC::activeMachineThreadsManager): Deleted.
369         (JSC::MachineThreads::~MachineThreads): Deleted.
370         (JSC::MachineThreads::addCurrentThread): Deleted.
371         (): Deleted.
372         (JSC::MachineThreads::removeThread): Deleted.
373         (JSC::MachineThreads::removeThreadIfFound): Deleted.
374         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
375         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
376         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
377         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
378         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
379         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
380         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
381         * heap/MachineStackMarker.h:
382         (JSC::MachineThreads::addCurrentThread):
383         (JSC::MachineThreads::getLock):
384         (JSC::MachineThreads::threads):
385         (JSC::MachineThreads::MachineThread::suspend): Deleted.
386         (JSC::MachineThreads::MachineThread::resume): Deleted.
387         (JSC::MachineThreads::MachineThread::threadID): Deleted.
388         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
389         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
390         (JSC::MachineThreads::threadsListHead): Deleted.
391         * runtime/SamplingProfiler.cpp:
392         (JSC::FrameWalker::isValidFramePointer):
393         (JSC::SamplingProfiler::SamplingProfiler):
394         (JSC::SamplingProfiler::takeSample):
395         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
396         * runtime/SamplingProfiler.h:
397         * wasm/WasmMachineThreads.cpp:
398         (JSC::Wasm::resetInstructionCacheOnAllThreads):
399
400 2017-07-18  Andy Estes  <aestes@apple.com>
401
402         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
403         https://bugs.webkit.org/show_bug.cgi?id=174631
404
405         Reviewed by Tim Horton.
406
407         * Configurations/Base.xcconfig:
408         * b3/B3FoldPathConstants.cpp:
409         * b3/B3LowerMacros.cpp:
410         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
411         * dfg/DFGByteCodeParser.cpp:
412         (JSC::DFG::ByteCodeParser::check):
413         (JSC::DFG::ByteCodeParser::planLoad):
414
415 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
416
417         WTF::Thread should have the threads stack bounds.
418         https://bugs.webkit.org/show_bug.cgi?id=173975
419
420         Reviewed by Mark Lam.
421
422         There is a site in JSC that tries to walk another thread's stack.
423         Currently, stack bounds are stored in WTFThreadData which is located
424         in TLS. Thus, only the thread itself can access its own WTFThreadData.
425         We work around this situation by holding StackBounds in MachineThread in JSC,
426         but StackBounds should be put in WTF::Thread instead.
427
428         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
429         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
430
431         * heap/MachineStackMarker.cpp:
432         (JSC::MachineThreads::MachineThread::MachineThread):
433         (JSC::MachineThreads::MachineThread::captureStack):
434         * heap/MachineStackMarker.h:
435         (JSC::MachineThreads::MachineThread::stackBase):
436         (JSC::MachineThreads::MachineThread::stackEnd):
437         * runtime/VMTraps.cpp:
438
439 2017-07-18  Andy Estes  <aestes@apple.com>
440
441         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
442         https://bugs.webkit.org/show_bug.cgi?id=174631
443
444         Reviewed by Sam Weinig.
445
446         * Configurations/Base.xcconfig:
447
448 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
449
450         Web Inspector: Modernize InjectedScriptSource
451         https://bugs.webkit.org/show_bug.cgi?id=173890
452
453         Reviewed by Brian Burg.
454
455         * inspector/InjectedScript.h:
456         Reorder functions to be slightly better.
457
458         * inspector/InjectedScriptSource.js:
459         - Convert to classes named InjectedScript and RemoteObject
460         - Align InjectedScript's API with the wrapper C++ interfaces
461         - Move some code to RemoteObject where appropriate (subtype, describe)
462         - Move some code to helper functions (isPrimitiveValue, isDefined)
463         - Refactor for readability and modern features
464         - Remove some unused / unnecessary code
465
466 2017-07-18  Mark Lam  <mark.lam@apple.com>
467
468         Butterfly storage need not be initialized for indexing type Undecided.
469         https://bugs.webkit.org/show_bug.cgi?id=174516
470
471         Reviewed by Saam Barati.
472
473         While it's not incorrect to initialize the butterfly storage when the
474         indexingType is Undecided, it is inefficient as we'll end up initializing
475         it again later when we convert the storage to a different indexingType.
476         Some of our code already skips initializing Undecided butterflies.
477         This patch makes it the consistent behavior everywhere.
478
479         * dfg/DFGSpeculativeJIT.cpp:
480         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
481         * runtime/JSArray.cpp:
482         (JSC::JSArray::tryCreateUninitializedRestricted):
483         * runtime/JSArray.h:
484         (JSC::JSArray::tryCreate):
485         * runtime/JSObject.cpp:
486         (JSC::JSObject::ensureLengthSlow):
487
488 2017-07-18  Saam Barati  <sbarati@apple.com>
489
490         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
491         https://bugs.webkit.org/show_bug.cgi?id=174515
492         <rdar://problem/33358092>
493
494         Reviewed by Filip Pizlo.
495
496         AirLowerAfterRegAlloc was computing the set of available scratch
497         registers incorrectly. It was always excluding callee save registers
498         from the set of live registers. It did not guarantee that live callee save
499         registers were not in the set of scratch registers that could
500         get clobbered. That's incorrect as the shuffling code is free
501         to overwrite whatever is in the scratch register it gets passed.
502
503         * b3/air/AirLowerAfterRegAlloc.cpp:
504         (JSC::B3::Air::lowerAfterRegAlloc):
505         * b3/testb3.cpp:
506         (JSC::B3::functionNineArgs):
507         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
508         (JSC::B3::run):
509         * jit/RegisterSet.h:
510
511 2017-07-18  Andy Estes  <aestes@apple.com>
512
513         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
514         https://bugs.webkit.org/show_bug.cgi?id=174631
515
516         Reviewed by Dan Bernstein.
517
518         * Configurations/Base.xcconfig:
519
520 2017-07-18  Devin Rousso  <drousso@apple.com>
521
522         Web Inspector: Add memoryCost to Inspector Protocol objects
523         https://bugs.webkit.org/show_bug.cgi?id=174478
524
525         Reviewed by Joseph Pecoraro.
526
527         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
528         plus the memoryCost of the data if it is a string.
529
530         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
531
532         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
533         key plus the memoryCost of the InspectorValue for each entry.
534
535         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
536
537         * inspector/InspectorValues.h:
538         * inspector/InspectorValues.cpp:
539         (Inspector::InspectorValue::memoryCost):
540         (Inspector::InspectorObjectBase::memoryCost):
541         (Inspector::InspectorArrayBase::memoryCost):
542
543 2017-07-18  Andy Estes  <aestes@apple.com>
544
545         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
546         https://bugs.webkit.org/show_bug.cgi?id=174631
547
548         Reviewed by Darin Adler.
549
550         * Configurations/Base.xcconfig:
551
552 2017-07-18  Michael Saboff  <msaboff@apple.com>
553
554         [JSC] There should be a debug option to dump a compiled RegExp Pattern
555         https://bugs.webkit.org/show_bug.cgi?id=174601
556
557         Reviewed by Alex Christensen.
558
559         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
560         objects after a regular expression has been compiled.
561
562         * runtime/Options.h:
563         * yarr/YarrPattern.cpp:
564         (JSC::Yarr::YarrPattern::compile):
565         (JSC::Yarr::indentForNestingLevel):
566         (JSC::Yarr::dumpUChar32):
567         (JSC::Yarr::PatternAlternative::dump):
568         (JSC::Yarr::PatternTerm::dumpQuantifier):
569         (JSC::Yarr::PatternTerm::dump):
570         (JSC::Yarr::PatternDisjunction::dump):
571         (JSC::Yarr::YarrPattern::dumpPattern):
572         * yarr/YarrPattern.h:
573         (JSC::Yarr::YarrPattern::global):
574
575 2017-07-17  Darin Adler  <darin@apple.com>
576
577         Improve use of NeverDestroyed
578         https://bugs.webkit.org/show_bug.cgi?id=174348
579
580         Reviewed by Sam Weinig.
581
582         * heap/MachineStackMarker.cpp:
583         * wasm/WasmMemory.cpp:
584         Removed unneeded includes of NeverDestroyed.h in files that do not make use
585         of NeverDestroyed.
586
587 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
588
589         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
590         https://bugs.webkit.org/show_bug.cgi?id=174547
591
592         Reviewed by Alex Christensen.
593
594         * CMakeLists.txt:
595         * shell/CMakeLists.txt:
596
597 2017-07-17  Saam Barati  <sbarati@apple.com>
598
599         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
600         https://bugs.webkit.org/show_bug.cgi?id=174584
601
602         Rubber stamped by Keith Miller.
603
604         I used it to diagnose a bug. The bug is now fixed. This custom
605         RELEASE_ASSERT is no longer needed.
606
607         * dfg/DFGObjectAllocationSinkingPhase.cpp:
608
609 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
610
611         -Wformat-truncation warning in ConfigFile.cpp
612         https://bugs.webkit.org/show_bug.cgi?id=174506
613
614         Reviewed by Darin Adler.
615
616         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
617         return ParseError.
618
619         * runtime/ConfigFile.cpp:
620         (JSC::ConfigFile::parse):
621
622 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
623
624         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
625         https://bugs.webkit.org/show_bug.cgi?id=174557
626
627         Reviewed by Michael Catanzaro.
628
629         * CMakeLists.txt:
630
631 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
632
633         [WTF] Use std::unique_ptr for StackTrace
634         https://bugs.webkit.org/show_bug.cgi?id=174495
635
636         Reviewed by Alex Christensen.
637
638         * runtime/ExceptionScope.cpp:
639         (JSC::ExceptionScope::unexpectedExceptionMessage):
640         * runtime/VM.cpp:
641         (JSC::VM::throwException):
642
643 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
644
645         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
646         https://bugs.webkit.org/show_bug.cgi?id=174423
647
648         Reviewed by Saam Barati.
649
650         * dfg/DFGAvailabilityMap.cpp:
651         (JSC::DFG::AvailabilityMap::pruneHeap):
652         (JSC::DFG::AvailabilityMap::pruneByLiveness):
653
654 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
655
656         Fix compiler warnings when building with GCC 7
657         https://bugs.webkit.org/show_bug.cgi?id=174463
658
659         Reviewed by Darin Adler.
660
661         * disassembler/udis86/udis86_decode.c:
662         (decode_operand):
663
664 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
665
666         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
667         https://bugs.webkit.org/show_bug.cgi?id=174467
668
669         Reviewed by Saam Barati.
670
671         * bytecode/CallLinkInfo.cpp:
672         (JSC::CallLinkInfo::callTypeFor):
673
674 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
675
676         Web Inspector: Remove unused and untested Page domain commands
677         https://bugs.webkit.org/show_bug.cgi?id=174429
678
679         Reviewed by Timothy Hatcher.
680
681         * inspector/protocol/Page.json:
682
683 2017-07-13  Saam Barati  <sbarati@apple.com>
684
685         Missing exception check in JSObject::hasInstance
686         https://bugs.webkit.org/show_bug.cgi?id=174455
687         <rdar://problem/31384608>
688
689         Reviewed by Mark Lam.
690
691         * runtime/JSObject.cpp:
692         (JSC::JSObject::hasInstance):
693
694 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
695
696         [ESnext] Implement Object Spread
697         https://bugs.webkit.org/show_bug.cgi?id=167963
698
699         Reviewed by Saam Barati.
700
701         This patch implements ECMA262 stage 3 Object Spread proposal [1].
702         It's implemented using CopyDataPropertiesNoExclusions to copy
703         all enumerable keys from the object being spread. The implementation of
704         CopyDataPropertiesNoExclusions follows the CopyDataProperties
705         implementation, however we don't receive excludedNames as parameter.
706
707         [1] - https://github.com/tc39/proposal-object-rest-spread
708
709         * builtins/GlobalOperations.js:
710         (globalPrivate.copyDataPropertiesNoExclusions):
711         * bytecompiler/BytecodeGenerator.cpp:
712         (JSC::BytecodeGenerator::emitLoad):
713         * bytecompiler/NodesCodegen.cpp:
714         (JSC::PropertyListNode::emitBytecode):
715         (JSC::ObjectSpreadExpressionNode::emitBytecode):
716         * parser/ASTBuilder.h:
717         (JSC::ASTBuilder::createObjectSpreadExpression):
718         (JSC::ASTBuilder::createProperty):
719         * parser/NodeConstructors.h:
720         (JSC::PropertyNode::PropertyNode):
721         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
722         * parser/Nodes.h:
723         (JSC::ObjectSpreadExpressionNode::expression):
724         * parser/Parser.cpp:
725         (JSC::Parser<LexerType>::parseProperty):
726         * parser/SyntaxChecker.h:
727         (JSC::SyntaxChecker::createObjectSpreadExpression):
728         (JSC::SyntaxChecker::createProperty):
729
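The CopyDataPropertiesNoExclusions step described in the Object Spread entry above, modelled in plain JavaScript as an added example (this is not WebKit's builtin; `copyDataPropertiesNoExclusions`, `spreadLiteral` and the sample object are constructed here to show which own keys a spread copies and which it skips):

```javascript
// Added example (not WebKit's code): a plain-JavaScript model of the
// CopyDataPropertiesNoExclusions step, i.e. CopyDataProperties with an
// empty excludedNames list. It follows the spec algorithm: null/undefined
// sources are skipped, and for each own key (string keys first, then
// symbols) the property is copied only if its descriptor is enumerable;
// accessors are read exactly once via [[Get]] and land as data properties.
function copyDataPropertiesNoExclusions(target, source) {
  if (source === null || source === undefined)
    return target;                       // nullish sources contribute nothing
  const from = Object(source);           // ToObject: primitives are boxed
  const keys = [
    ...Object.getOwnPropertyNames(from), // includes non-enumerable; filtered below
    ...Object.getOwnPropertySymbols(from),
  ];
  for (const key of keys) {
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc !== undefined && desc.enumerable)
      target[key] = from[key];           // [[Get]] runs getters; CreateDataProperty on target
  }
  return target;
}

// Model of the object literal `{ ...a, b: 1, ...c }`: each spread element
// lowers to a copy call against the object under construction, while a
// plain property is a direct data-property store (hypothetical lowering).
function spreadLiteral(...parts) {
  const result = {};
  for (const part of parts) {
    if ("spread" in part)
      copyDataPropertiesNoExclusions(result, part.spread);
    else
      result[part.key] = part.value;
  }
  return result;
}

// Constructed sample: inherited, non-enumerable, symbol and accessor
// properties, plus a nullish spread, to exercise the edge cases.
const sym = Symbol("tag");
function sampleSource() {
  let getterCalls = 0;
  const proto = { inherited: "no" };     // must not be copied (not an own key)
  const obj = Object.create(proto);
  obj.a = 1;
  Object.defineProperty(obj, "hidden", { value: 2, enumerable: false });
  Object.defineProperty(obj, "lazy", { get() { getterCalls++; return 3; }, enumerable: true });
  obj[sym] = "s";                        // enumerable symbol key is copied
  return { obj, calls: () => getterCalls };
}

// Runs the model and the engine's native spread side by side.
function demo() {
  const { obj, calls } = sampleSource();
  const modelled = spreadLiteral({ spread: obj }, { key: "b", value: 9 }, { spread: null });
  const native = { ...obj, b: 9, ...null };
  return {
    modelled,
    native,
    getterCalls: calls(),                // one [[Get]] per spread: 2 in total
    sameKeys: JSON.stringify(Reflect.ownKeys(modelled).map(String)) ===
              JSON.stringify(Reflect.ownKeys(native).map(String)),
  };
}
```
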
730 2017-07-12  Mark Lam  <mark.lam@apple.com>
731
732         Gardening: build fix after r219434.
733         https://bugs.webkit.org/show_bug.cgi?id=174441
734
735         Not reviewed.
736
737         Make public some MacroAssembler functions that are needed by the probe implementation.
738
739         * assembler/MacroAssemblerARM.h:
740         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
741         * assembler/MacroAssemblerARMv7.h:
742         (JSC::MacroAssemblerARMv7::linkCall):
743
744 2017-07-12  Mark Lam  <mark.lam@apple.com>
745
746         Move Probe code from AbstractMacroAssembler to MacroAssembler.
747         https://bugs.webkit.org/show_bug.cgi?id=174441
748
749         Reviewed by Saam Barati.
750
751         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
752         to MacroAssembler.  There is no code behavior change.
753
754         * assembler/AbstractMacroAssembler.h:
755         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
756         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
757         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
758         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
759         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
760         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
761         * assembler/MacroAssembler.h:
762         (JSC::MacroAssembler::CPUState::gprName):
763         (JSC::MacroAssembler::CPUState::fprName):
764         (JSC::MacroAssembler::CPUState::gpr):
765         (JSC::MacroAssembler::CPUState::fpr):
766         * assembler/MacroAssemblerARM.cpp:
767         (JSC::MacroAssembler::probe):
768         (JSC::MacroAssemblerARM::probe): Deleted.
769         * assembler/MacroAssemblerARM.h:
770         * assembler/MacroAssemblerARM64.cpp:
771         (JSC::MacroAssembler::probe):
772         (JSC::MacroAssemblerARM64::probe): Deleted.
773         * assembler/MacroAssemblerARM64.h:
774         * assembler/MacroAssemblerARMv7.cpp:
775         (JSC::MacroAssembler::probe):
776         (JSC::MacroAssemblerARMv7::probe): Deleted.
777         * assembler/MacroAssemblerARMv7.h:
778         * assembler/MacroAssemblerMIPS.h:
779         * assembler/MacroAssemblerX86Common.cpp:
780         (JSC::MacroAssembler::probe):
781         (JSC::MacroAssemblerX86Common::probe): Deleted.
782         * assembler/MacroAssemblerX86Common.h:
783
784 2017-07-12  Saam Barati  <sbarati@apple.com>
785
786         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
787         https://bugs.webkit.org/show_bug.cgi?id=174411
788         <rdar://problem/31696186>
789
790         Reviewed by Mark Lam.
791
792         The code for deleting an argument was incorrectly referencing state
793         when it decided if it should unmap or mark a property as having its
794         descriptor modified. This patch fixes the bug where if we delete a
795         property, we would sometimes not unmap an argument when deleting it.
796
797         * runtime/GenericArgumentsInlines.h:
798         (JSC::GenericArguments<Type>::getOwnPropertySlot):
799         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
800         (JSC::GenericArguments<Type>::deleteProperty):
801         (JSC::GenericArguments<Type>::deletePropertyByIndex):
802
803 2017-07-12  Commit Queue  <commit-queue@webkit.org>
804
805         Unreviewed, rolling out r219176.
806         https://bugs.webkit.org/show_bug.cgi?id=174436
807
808         "Can cause infinite recursion on iOS" (Requested by mlam on
809         #webkit).
810
811         Reverted changeset:
812
813         "WTF::Thread should have the threads stack bounds."
814         https://bugs.webkit.org/show_bug.cgi?id=173975
815         http://trac.webkit.org/changeset/219176
816
817 2017-07-12  Matt Lewis  <jlewis3@apple.com>
818
819         Unreviewed, rolling out r219401.
820
821         This revision rolled out the previous patch, but after talking
822         with the reviewer, a rebaseline is what was needed. Rolling back in
823         before rebaseline.
824
825         Reverted changeset:
826
827         "Unreviewed, rolling out r219379."
828         https://bugs.webkit.org/show_bug.cgi?id=174400
829         http://trac.webkit.org/changeset/219401
830
831 2017-07-12  Matt Lewis  <jlewis3@apple.com>
832
833         Unreviewed, rolling out r219379.
834
835         This revision caused a consistent failure in the test
836         fast/dom/Window/property-access-on-cached-window-after-frame-
837         removed.html.
838
839         Reverted changeset:
840
841         "Remove NAVIGATOR_HWCONCURRENCY"
842         https://bugs.webkit.org/show_bug.cgi?id=174400
843         http://trac.webkit.org/changeset/219379
844
845 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
846
847         Wrong radix used in Unicode Escape in invalid character error message
848         https://bugs.webkit.org/show_bug.cgi?id=174419
849
850         Reviewed by Alex Christensen.
851
852         * parser/Lexer.cpp:
853         (JSC::Lexer<T>::invalidCharacterMessage):
854
855 2017-07-11  Dean Jackson  <dino@apple.com>
856
857         Remove NAVIGATOR_HWCONCURRENCY
858         https://bugs.webkit.org/show_bug.cgi?id=174400
859
860         Reviewed by Sam Weinig.
861
862         * Configurations/FeatureDefines.xcconfig:
863
864 2017-07-11  Dean Jackson  <dino@apple.com>
865
866         Rolling out r219372.
867
868         * Configurations/FeatureDefines.xcconfig:
869
870 2017-07-11  Dean Jackson  <dino@apple.com>
871
872         Remove NAVIGATOR_HWCONCURRENCY
873         https://bugs.webkit.org/show_bug.cgi?id=174400
874
875         Reviewed by Sam Weinig.
876
877         * Configurations/FeatureDefines.xcconfig:
878
879 2017-07-11  Saam Barati  <sbarati@apple.com>
880
881         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
882         https://bugs.webkit.org/show_bug.cgi?id=174397
883
884         Rubber stamped by David Kilzer.
885
886         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
887         * wasm/js/WebAssemblyFunctionCell.h: Removed.
888
889 2017-07-10  Saam Barati  <sbarati@apple.com>
890
891         Allocation sinking phase should consider a CheckStructure that would fail as an escape
892         https://bugs.webkit.org/show_bug.cgi?id=174321
893         <rdar://problem/32604963>
894
895         Reviewed by Filip Pizlo.
896
897         When the allocation sinking phase was generating stores to materialize
898         objects in a cycle with each other, it would assume that each materialized
899         object had a valid, non-empty, set of structures. This is an OK assumption for
900         the phase to make because how do you materialize an object with no structure?
901         
902         The abstract interpretation part of the phase will model what's in the heap.
903         However, it would sometimes model that a CheckStructure would fail. The phase
904         did nothing special for this; it just stored the empty set of structures for
905         its representation of a particular allocation. However, what the phase proved
906         in such a scenario is that, had the CheckStructure executed, it would have exited.
907         
908         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
909         This will cause the allocation in question to be materialized just before
910         the CheckStructure, and then at execution time, the CheckStructure will exit.
911         
912         I wasn't able to write a test case for this. However, I was able to reproduce
913         this crash by manually editing the IR. I've opened a separate bug to help us
914         create a testing framework for writing tests for hard to reproduce bugs like this:
915         https://bugs.webkit.org/show_bug.cgi?id=174322
916
917         * dfg/DFGObjectAllocationSinkingPhase.cpp:
918
919 2017-07-10  Devin Rousso  <drousso@apple.com>
920
921         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
922         https://bugs.webkit.org/show_bug.cgi?id=174279
923
924         Reviewed by Matt Baker.
925
926         * inspector/protocol/DOM.json:
927         Add `highlightNodeList` command that will highlight each node in the given list.
928
929 2017-07-03  Brian Burg  <bburg@apple.com>
930
931         Web Replay: remove some unused code
932         https://bugs.webkit.org/show_bug.cgi?id=173903
933
934         Rubber-stamped by Joseph Pecoraro.
935
936         * CMakeLists.txt:
937         * Configurations/FeatureDefines.xcconfig:
938         * DerivedSources.make:
939         * JavaScriptCore.xcodeproj/project.pbxproj:
940         * inspector/protocol/Replay.json: Removed.
941         * replay/EmptyInputCursor.h: Removed.
942         * replay/EncodedValue.cpp: Removed.
943         * replay/EncodedValue.h: Removed.
944         * replay/InputCursor.h: Removed.
945         * replay/JSInputs.json: Removed.
946         * replay/NondeterministicInput.h: Removed.
947         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
948         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
949         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
950         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
951         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
952         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
953         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
954         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
955         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
956         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
957         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
958         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
959         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
960         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
961         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
962         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
963         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
964         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
965         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
966         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
967         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
968         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
969         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
970         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
971         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
972         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
973         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
974         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
975         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
976         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
977         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
978         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
979         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
980         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
981         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
982         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
983         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
984         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
985         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
986         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
987         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
988         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
989         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
990         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
991         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
992         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
993         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
994         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
995         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
996         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
997         * replay/scripts/tests/generate-input-with-guard.json: Removed.
998         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
999         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
1000         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
1001         * runtime/DateConstructor.cpp:
1002         (JSC::constructDate):
1003         (JSC::dateNow):
1004         (JSC::deterministicCurrentTime): Deleted.
1005         * runtime/JSGlobalObject.cpp:
1006         (JSC::JSGlobalObject::JSGlobalObject):
1007         (JSC::JSGlobalObject::setInputCursor): Deleted.
1008         * runtime/JSGlobalObject.h:
1009         (JSC::JSGlobalObject::inputCursor): Deleted.
1010
1011 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1012
1013         Move make-js-file-arrays.py from WebCore to JavaScriptCore
1014         https://bugs.webkit.org/show_bug.cgi?id=174024
1015
1016         Reviewed by Michael Catanzaro.
1017
1018         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
1019         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
1020         Added a command line option to pass the namespace to use instead of WebCore.
1021
1022         * JavaScriptCore.xcodeproj/project.pbxproj:
1023         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
1024         (main):
1025
1026 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1027
1028         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
1029         https://bugs.webkit.org/show_bug.cgi?id=174296
1030
1031         Reviewed by Mark Lam.
1032
1033         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
1034         It caused a problem in scanning template literals. While template literals normalize
1035         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
1036         To handle it correctly, LineNumberAdder was introduced.
1037
1038         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
1039         LineNumberAdder. Let's just use shiftLineTerminator() instead.
1040
1041         * parser/Lexer.cpp:
1042         (JSC::Lexer<T>::parseTemplateLiteral):
1043         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
1044         (JSC::LineNumberAdder::clear): Deleted.
1045         (JSC::LineNumberAdder::add): Deleted.
1046
1047 2017-07-09  Dan Bernstein  <mitz@apple.com>
1048
1049         [Xcode] ICU headers aren’t treated as system headers after r219155
1050         https://bugs.webkit.org/show_bug.cgi?id=174299
1051
1052         Reviewed by Sam Weinig.
1053
1054         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
1055           C++ compilers.
1056
1057         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
1058         * runtime/IntlDateTimeFormat.cpp: Ditto.
1059         * runtime/JSGlobalObject.cpp: Ditto.
1060         * runtime/StringPrototype.cpp: Ditto.
1061
1062 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1063
1064         [JSC] Use fastMalloc / fastFree for STL containers
1065         https://bugs.webkit.org/show_bug.cgi?id=174297
1066
1067         Reviewed by Sam Weinig.
1068
1069         In some places, we intentionally use STL containers over WTF containers.
1070         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
1071         because we do not have effective empty / deleted representations in the space of key's value.
1072         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
1073
1074         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
1075         We specify this allocator as the STL containers' allocator template parameter to allocate memory from fastMalloc.
1076
1077         This WTF::FastAllocator gives us a chance to use STL containers where necessary
1078         without compromising memory allocation throughput.
1079
1080         * dfg/DFGGraph.h:
1081         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1082         * ftl/FTLLowerDFGToB3.cpp:
1083         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
1084         * runtime/FunctionHasExecutedCache.h:
1085         * runtime/TypeLocationCache.h:
1086
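        The allocator approach described in this entry, as an added C++ example that is not WebKit's own WTF::FastAllocator: it assumes stand-in fastMalloc/fastFree functions (plain malloc/free with counters here, where WebKit would route to bmalloc) and plugs a minimal std-compatible allocator into std::unordered_set and std::unordered_map so that every node the containers allocate goes through that path.

```cpp
#include <cstddef>
#include <cstdlib>
#include <functional>
#include <new>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <utility>

// Stand-ins for WTF's fastMalloc/fastFree (assumption: plain malloc/free; in
// WebKit these route to bmalloc when it is enabled). The counters let the
// caller verify that container memory really is routed through here.
static std::size_t g_allocations = 0;
static std::size_t g_frees = 0;

static void* fastMalloc(std::size_t size)
{
    void* p = std::malloc(size ? size : 1);
    if (!p)
        throw std::bad_alloc();
    ++g_allocations;
    return p;
}

static void fastFree(void* p)
{
    if (!p)
        return;
    std::free(p);
    ++g_frees;
}

// Minimal C++ allocator: everything the STL needs is value_type, a converting
// constructor (for rebinding to node types), allocate/deallocate and equality.
template<typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() = default;
    template<typename U> FastAllocator(const FastAllocator<U>&) noexcept { }

    T* allocate(std::size_t n)
    {
        if (n > std::size_t(-1) / sizeof(T))
            throw std::bad_alloc(); // guard the size multiplication
        return static_cast<T*>(fastMalloc(n * sizeof(T)));
    }

    void deallocate(T* p, std::size_t) noexcept { fastFree(p); }
};

template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return false; }

// Aliases that hide the long template parameter lists at the use sites.
template<typename Key>
using FastUnorderedSet = std::unordered_set<Key, std::hash<Key>, std::equal_to<Key>, FastAllocator<Key>>;

template<typename Key, typename Value>
using FastUnorderedMap = std::unordered_map<Key, Value, std::hash<Key>, std::equal_to<Key>,
    FastAllocator<std::pair<const Key, Value>>>;

struct AllocationStats {
    std::size_t allocations;
    std::size_t frees;
    std::size_t setSize;
};

// Fills a set and a map through the allocator, destroys them, and reports how
// many allocations and frees the stand-in fastMalloc/fastFree observed.
AllocationStats exerciseFastContainers()
{
    g_allocations = 0;
    g_frees = 0;
    std::size_t setSize = 0;
    {
        FastUnorderedSet<int> set;
        for (int i = 0; i < 100; ++i)
            set.insert(i);
        FastUnorderedMap<int, std::string> map;
        map[1] = "one";
        setSize = set.size();
    } // both containers release their nodes and bucket arrays here
    return { g_allocations, g_frees, setSize };
}
```

        The counters in exerciseFastContainers() show the point of the change: the node and bucket memory of both containers comes from the fast-malloc path rather than libc's default std::allocator, and after the containers are destroyed every allocation made through the allocator has a matching free.
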
1087 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1088
1089         Drop NOSNIFF compile flag
1090         https://bugs.webkit.org/show_bug.cgi?id=174289
1091
1092         Reviewed by Michael Catanzaro.
1093
1094         * Configurations/FeatureDefines.xcconfig:
1095
1096 2017-07-07  AJ Ringer  <aringer@apple.com>
1097
1098         Lower the max_protection for the separated heap
1099         https://bugs.webkit.org/show_bug.cgi?id=174281
1100
1101         Reviewed by Oliver Hunt.
1102
1103         Switch to vm_protect so we can set maximum page protection.
1104
1105         * jit/ExecutableAllocator.cpp:
1106         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1107         (JSC::ExecutableAllocator::allocate):
1108
1109 2017-07-07  Devin Rousso  <drousso@apple.com>
1110
1111         Web Inspector: Show all elements currently using a given CSS Canvas
1112         https://bugs.webkit.org/show_bug.cgi?id=173965
1113
1114         Reviewed by Joseph Pecoraro.
1115
1116         * inspector/protocol/Canvas.json:
1117          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
1118            canvas via -webkit-canvas.
1119          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
1120            added/removed from the list of -webkit-canvas clients.
1121
1122 2017-07-07  Mark Lam  <mark.lam@apple.com>
1123
1124         \n\r is not the same as \r\n.
1125         https://bugs.webkit.org/show_bug.cgi?id=173053
1126
1127         Reviewed by Keith Miller.
1128
1129         * parser/Lexer.cpp:
1130         (JSC::Lexer<T>::shiftLineTerminator):
1131         (JSC::LineNumberAdder::add):
1132
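        An added example, not code from JSC's Lexer, covering this entry and the LineNumberAdder removal above together. It assumes a UTF-16 source buffer and models the two rules the entries rely on: <CR><LF> is one line terminator while <LF><CR> is two, and template literal normalization turns <CR><LF> and a lone <CR> into <LF>, so line counting agrees before and after normalization without any extra bookkeeping.

```cpp
#include <cstddef>
#include <string>

// ECMAScript line terminators: LF, CR, LS (U+2028) and PS (U+2029).
static bool isLineTerminator(char16_t c)
{
    return c == u'\n' || c == u'\r' || c == u'\x2028' || c == u'\x2029';
}

// Count line terminators the way the lexer does after r219263: a <CR><LF>
// pair is a single LineTerminatorSequence, whereas <LF><CR> is two.
std::size_t countLineTerminators(const std::u16string& source)
{
    std::size_t count = 0;
    for (std::size_t i = 0; i < source.size(); ++i) {
        char16_t c = source[i];
        if (!isLineTerminator(c))
            continue;
        ++count;
        // Only CR followed by LF is merged; LF followed by CR is not.
        if (c == u'\r' && i + 1 < source.size() && source[i + 1] == u'\n')
            ++i;
    }
    return count;
}

// Template literal normalization: <CR><LF> and a lone <CR> both become <LF>.
// <LF><CR> therefore becomes <LF><LF>, which is still two terminators.
std::u16string normalizeTemplateLineTerminators(const std::u16string& source)
{
    std::u16string out;
    out.reserve(source.size());
    for (std::size_t i = 0; i < source.size(); ++i) {
        char16_t c = source[i];
        if (c == u'\r') {
            out.push_back(u'\n');
            if (i + 1 < source.size() && source[i + 1] == u'\n')
                ++i; // swallow the LF of a CRLF pair
        } else
            out.push_back(c);
    }
    return out;
}
```

        Because normalization never changes the number of terminators under these rules, the line number computed over the raw source equals the one computed over the normalized template text, which is why a separate line-number adjustment is no longer needed.
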
1133 2017-07-07  Commit Queue  <commit-queue@webkit.org>
1134
1135         Unreviewed, rolling out r219238, r219239, and r219241.
1136         https://bugs.webkit.org/show_bug.cgi?id=174265
1137
1138         "fast/workers/dedicated-worker-lifecycle.html is flaky"
1139         (Requested by yusukesuzuki on #webkit).
1140
1141         Reverted changesets:
1142
1143         "[WTF] Implement WTF::ThreadGroup"
1144         https://bugs.webkit.org/show_bug.cgi?id=174081
1145         http://trac.webkit.org/changeset/219238
1146
1147         "Unreviewed, build fix after r219238"
1148         https://bugs.webkit.org/show_bug.cgi?id=174081
1149         http://trac.webkit.org/changeset/219239
1150
1151         "Unreviewed, CLoop build fix after r219238"
1152         https://bugs.webkit.org/show_bug.cgi?id=174081
1153         http://trac.webkit.org/changeset/219241
1154
1155 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1156
1157         Unreviewed, CLoop build fix after r219238
1158         https://bugs.webkit.org/show_bug.cgi?id=174081
1159
1160         * heap/MachineStackMarker.cpp:
1161
1162 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1163
1164         [WTF] Implement WTF::ThreadGroup
1165         https://bugs.webkit.org/show_bug.cgi?id=174081
1166
1167         Reviewed by Mark Lam.
1168
1169         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1170         SamplingProfiler and others now interact with WTF::Thread directly.
1171
1172         * API/tests/ExecutionTimeLimitTest.cpp:
1173         * heap/MachineStackMarker.cpp:
1174         (JSC::MachineThreads::MachineThreads):
1175         (JSC::captureStack):
1176         (JSC::MachineThreads::tryCopyOtherThreadStack):
1177         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1178         (JSC::MachineThreads::gatherConservativeRoots):
1179         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1180         (JSC::ActiveMachineThreadsManager::add): Deleted.
1181         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1182         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1183         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1184         (JSC::activeMachineThreadsManager): Deleted.
1185         (JSC::MachineThreads::~MachineThreads): Deleted.
1186         (JSC::MachineThreads::addCurrentThread): Deleted.
1187         (): Deleted.
1188         (JSC::MachineThreads::removeThread): Deleted.
1189         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1190         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1191         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1192         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1193         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1194         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1195         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1196         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1197         * heap/MachineStackMarker.h:
1198         (JSC::MachineThreads::addCurrentThread):
1199         (JSC::MachineThreads::getLock):
1200         (JSC::MachineThreads::threads):
1201         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1202         (JSC::MachineThreads::MachineThread::resume): Deleted.
1203         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1204         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1205         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1206         (JSC::MachineThreads::threadsListHead): Deleted.
1207         * runtime/SamplingProfiler.cpp:
1208         (JSC::FrameWalker::isValidFramePointer):
1209         (JSC::SamplingProfiler::SamplingProfiler):
1210         (JSC::SamplingProfiler::takeSample):
1211         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1212         * runtime/SamplingProfiler.h:
1213         * wasm/WasmMachineThreads.cpp:
1214         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1215
1216 2017-07-06  Saam Barati  <sbarati@apple.com>
1217
1218         We are missing places where we invalidate the for-in context
1219         https://bugs.webkit.org/show_bug.cgi?id=174184
1220
1221         Reviewed by Geoffrey Garen.
1222
1223         * bytecompiler/BytecodeGenerator.cpp:
1224         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
1225         * bytecompiler/NodesCodegen.cpp:
1226         (JSC::EmptyLetExpression::emitBytecode):
1227         (JSC::ForInNode::emitLoopHeader):
1228         (JSC::ForOfNode::emitBytecode):
1229         (JSC::BindingNode::bindValue):
1230
1231 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1232
1233         Unreviewed, suppress warnings in GCC environment
1234
1235         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1236         * runtime/IntlCollator.cpp:
1237         * runtime/IntlDateTimeFormat.cpp:
1238         * runtime/JSGlobalObject.cpp:
1239         * runtime/StringPrototype.cpp:
1240
1241 2017-07-05  Saam Barati  <sbarati@apple.com>
1242
1243         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
1244         https://bugs.webkit.org/show_bug.cgi?id=174188
1245         <rdar://problem/30581423>
1246
1247         Reviewed by Mark Lam.
1248
1249         We were calling lowJSValue(edge) when we were speculating the
1250         edge as double. This isn't allowed. We should have been using
1251         lowDouble.
1252         
1253         This patch also adds a new option, called useArrayAllocationProfiling,
1254         which defaults to true. When false, it will make the array allocation
1255         profile not actually sample seen arrays. It'll force the allocation
1256         profile's predicted indexing type to be ArrayWithUndecided. Adding
1257         this option made it trivial to write a test for this bug.
1258
1259         * bytecode/ArrayAllocationProfile.cpp:
1260         (JSC::ArrayAllocationProfile::updateIndexingType):
1261         * ftl/FTLLowerDFGToB3.cpp:
1262         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1263         * runtime/Options.h:
1264
1265 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1266
1267         WTF::Thread should have the threads stack bounds.
1268         https://bugs.webkit.org/show_bug.cgi?id=173975
1269
1270         Reviewed by Keith Miller.
1271
1272         There is a site in JSC that tries to walk another thread's stack.
1273         Currently, stack bounds are stored in WTFThreadData, which is located
1274         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1275         We work around this situation by holding StackBounds in MachineThread in JSC,
1276         but StackBounds should be put in WTF::Thread instead.
1277
1278         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
1279         information is tightly coupled with Thread. Thus putting it in WTF::Thread
1280         is a natural choice.
1281
1282         * heap/MachineStackMarker.cpp:
1283         (JSC::MachineThreads::MachineThread::MachineThread):
1284         (JSC::MachineThreads::MachineThread::captureStack):
1285         * heap/MachineStackMarker.h:
1286         (JSC::MachineThreads::MachineThread::stackBase):
1287         (JSC::MachineThreads::MachineThread::stackEnd):
1288         * runtime/InitializeThreading.cpp:
1289         (JSC::initializeThreading):
1290         * runtime/VM.cpp:
1291         (JSC::VM::VM):
1292         (JSC::VM::updateStackLimits):
1293         (JSC::VM::committedStackByteCount):
1294         * runtime/VM.h:
1295         (JSC::VM::isSafeToRecurse):
1296         * runtime/VMEntryScope.cpp:
1297         (JSC::VMEntryScope::VMEntryScope):
1298         * runtime/VMInlines.h:
1299         (JSC::VM::ensureStackCapacityFor):
1300         * runtime/VMTraps.cpp:
1301         * yarr/YarrPattern.cpp:
1302         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1303
1304 2017-07-05  Keith Miller  <keith_miller@apple.com>
1305
1306         Crashing with information should have an abort reason
1307         https://bugs.webkit.org/show_bug.cgi?id=174185
1308
1309         Reviewed by Saam Barati.
1310
1311         Add crash information for the abstract interpreter and add an enum
1312         value for object allocation sinking.
1313
1314         * assembler/AbortReason.h:
1315         * dfg/DFGAbstractInterpreterInlines.h:
1316         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1317         * dfg/DFGGraph.cpp:
1318         (JSC::DFG::logDFGAssertionFailure):
1319         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1320
1321 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1322
1323         Remove copy of ICU headers from WebKit
1324         https://bugs.webkit.org/show_bug.cgi?id=116407
1325
1326         Reviewed by Alex Christensen.
1327
1328         Use WTF's copy of ICU headers.
1329
1330         * Configurations/Base.xcconfig:
1331         * icu/unicode/localpointer.h: Removed.
1332         * icu/unicode/parseerr.h: Removed.
1333         * icu/unicode/platform.h: Removed.
1334         * icu/unicode/ptypes.h: Removed.
1335         * icu/unicode/putil.h: Removed.
1336         * icu/unicode/uchar.h: Removed.
1337         * icu/unicode/ucnv.h: Removed.
1338         * icu/unicode/ucnv_err.h: Removed.
1339         * icu/unicode/ucol.h: Removed.
1340         * icu/unicode/uconfig.h: Removed.
1341         * icu/unicode/ucurr.h: Removed.
1342         * icu/unicode/uenum.h: Removed.
1343         * icu/unicode/uiter.h: Removed.
1344         * icu/unicode/uloc.h: Removed.
1345         * icu/unicode/umachine.h: Removed.
1346         * icu/unicode/unorm.h: Removed.
1347         * icu/unicode/unorm2.h: Removed.
1348         * icu/unicode/urename.h: Removed.
1349         * icu/unicode/uscript.h: Removed.
1350         * icu/unicode/uset.h: Removed.
1351         * icu/unicode/ustring.h: Removed.
1352         * icu/unicode/utf.h: Removed.
1353         * icu/unicode/utf16.h: Removed.
1354         * icu/unicode/utf8.h: Removed.
1355         * icu/unicode/utf_old.h: Removed.
1356         * icu/unicode/utypes.h: Removed.
1357         * icu/unicode/uvernum.h: Removed.
1358         * icu/unicode/uversion.h: Removed.
1359         * runtime/IntlCollator.cpp:
1360         * runtime/IntlDateTimeFormat.cpp:
1361         (JSC::IntlDateTimeFormat::partTypeString):
1362         * runtime/JSGlobalObject.cpp:
1363         * runtime/StringPrototype.cpp:
1364         (JSC::normalize):
1365         (JSC::stringProtoFuncNormalize):
1366
1367 2017-07-05  Devin Rousso  <drousso@apple.com>
1368
1369         Web Inspector: Allow users to log any tracked canvas context
1370         https://bugs.webkit.org/show_bug.cgi?id=173397
1371         <rdar://problem/33111581>
1372
1373         Reviewed by Joseph Pecoraro.
1374
1375         * inspector/protocol/Canvas.json:
1376         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
1377
1378 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
1379
1380         Add WebKitPrivateFrameworkStubs for iOS 11
1381         https://bugs.webkit.org/show_bug.cgi?id=173988
1382
1383         Reviewed by David Kilzer.
1384
1385         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
1386         same directory for private framework stubs.
1387
1388 2017-07-05  JF Bastien  <jfbastien@apple.com>
1389
1390         WebAssembly: implement name section's module name, skip unknown sections
1391         https://bugs.webkit.org/show_bug.cgi?id=172008
1392
1393         Reviewed by Keith Miller.
1394
1395         Parse the WebAssembly module name properly, and skip unknown
1396         sections. This is useful because as toolchains support new types
1397         of names we want to keep displaying the information we know about
1398         and simply ignore new information. That capability was designed
1399         into WebAssembly's name section.
1400
1401         Failure to commit this patch would mean that WebKit won't display
1402         stack trace information, which would make developers sad.
1403
1404         Module names were added here: https://github.com/WebAssembly/design/pull/1055
1405
1406         Note that this patch doesn't do anything with the parsed name! Two
1407         reasons for this: module names aren't supported in binaryen yet,
1408         so I can't write a simple binary test; and using the name is a
1409         slightly riskier change because it requires changing StackVisitor
1410         + StackFrame (where they print "[wasm code]") which requires
1411         figuring out the frame's Module. The latter bit isn't trivial
1412         because we only know wasm frames from their tag bits, and
1413         CodeBlocks are always nullptr.
1414
1415         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
1416
1417         I filed #174098 to use the module name.
1418
1419         * wasm/WasmFormat.h:
1420         (JSC::Wasm::isValidNameType):
1421         * wasm/WasmNameSectionParser.cpp:
1422
1423 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
1424
1425         Cleanup some StringBuilder use
1426         https://bugs.webkit.org/show_bug.cgi?id=174118
1427
1428         Reviewed by Andreas Kling.
1429
1430         * runtime/FunctionConstructor.cpp:
1431         (JSC::constructFunctionSkippingEvalEnabledCheck):
1432         * tools/FunctionOverrides.cpp:
1433         (JSC::parseClause):
1434         * wasm/WasmOMGPlan.cpp:
1435         * wasm/WasmPlan.cpp:
1436         * wasm/WasmValidate.cpp:
1437
1438 2017-07-03  Saam Barati  <sbarati@apple.com>
1439
1440         LayoutTest workers/bomb.html is a Crash
1441         https://bugs.webkit.org/show_bug.cgi?id=167757
1442         <rdar://problem/33086462>
1443
1444         Reviewed by Keith Miller.
1445
1446         VMTraps::SignalSender was accessing VM fields even after
1447         the VM was destroyed. This happened when the SignalSender
1448         thread was in the middle of its work() function while VMTraps
1449         was notified that the VM was shutting down. The VM would proceed
1450         to run its destructor even after the SignalSender thread finished
1451         doing its work. This means that the SignalSender thread was accessing
1452         VM fields even after the VM was destructed (including itself, since it is
1453         transitively owned by the VM). The VM must wait for the SignalSender
1454         thread to shutdown before it can continue to destruct itself.
1455
1456         * runtime/VMTraps.cpp:
1457         (JSC::VMTraps::willDestroyVM):
1458
1459 2017-07-03  Saam Barati  <sbarati@apple.com>
1460
1461         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
1462         https://bugs.webkit.org/show_bug.cgi?id=174110
1463
1464         Reviewed by Michael Saboff.
1465
1466         * dfg/DFGByteCodeParser.cpp:
1467         (JSC::DFG::ByteCodeParser::parseBlock):
1468
1469 2017-07-03  Saam Barati  <sbarati@apple.com>
1470
1471         Add a new assertion to object allocation sinking phase
1472         https://bugs.webkit.org/show_bug.cgi?id=174107
1473
1474         Rubber stamped by Filip Pizlo.
1475
1476         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1477
1478 2017-07-03  Commit Queue  <commit-queue@webkit.org>
1479
1480         Unreviewed, rolling out r219060.
1481         https://bugs.webkit.org/show_bug.cgi?id=174108
1482
1483         crashing constantly when initializing UIWebView (Requested by
1484         thorton on #webkit).
1485
1486         Reverted changeset:
1487
1488         "WTF::Thread should have the threads stack bounds."
1489         https://bugs.webkit.org/show_bug.cgi?id=173975
1490         http://trac.webkit.org/changeset/219060
1491
1492 2017-07-03  Matt Lewis  <jlewis3@apple.com>
1493
1494         Unreviewed, rolling out r219103.
1495
1496         Caused multiple build failures.
1497
1498         Reverted changeset:
1499
1500         "Remove copy of ICU headers from WebKit"
1501         https://bugs.webkit.org/show_bug.cgi?id=116407
1502         http://trac.webkit.org/changeset/219103
1503
1504 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1505
1506         Remove copy of ICU headers from WebKit
1507         https://bugs.webkit.org/show_bug.cgi?id=116407
1508
1509         Reviewed by Alex Christensen.
1510
1511         Use WTF's copy of ICU headers.
1512
1513         * Configurations/Base.xcconfig:
1514         * icu/unicode/localpointer.h: Removed.
1515         * icu/unicode/parseerr.h: Removed.
1516         * icu/unicode/platform.h: Removed.
1517         * icu/unicode/ptypes.h: Removed.
1518         * icu/unicode/putil.h: Removed.
1519         * icu/unicode/uchar.h: Removed.
1520         * icu/unicode/ucnv.h: Removed.
1521         * icu/unicode/ucnv_err.h: Removed.
1522         * icu/unicode/ucol.h: Removed.
1523         * icu/unicode/uconfig.h: Removed.
1524         * icu/unicode/ucurr.h: Removed.
1525         * icu/unicode/uenum.h: Removed.
1526         * icu/unicode/uiter.h: Removed.
1527         * icu/unicode/uloc.h: Removed.
1528         * icu/unicode/umachine.h: Removed.
1529         * icu/unicode/unorm.h: Removed.
1530         * icu/unicode/unorm2.h: Removed.
1531         * icu/unicode/urename.h: Removed.
1532         * icu/unicode/uscript.h: Removed.
1533         * icu/unicode/uset.h: Removed.
1534         * icu/unicode/ustring.h: Removed.
1535         * icu/unicode/utf.h: Removed.
1536         * icu/unicode/utf16.h: Removed.
1537         * icu/unicode/utf8.h: Removed.
1538         * icu/unicode/utf_old.h: Removed.
1539         * icu/unicode/utypes.h: Removed.
1540         * icu/unicode/uvernum.h: Removed.
1541         * icu/unicode/uversion.h: Removed.
1542         * runtime/IntlCollator.cpp:
1543         * runtime/IntlDateTimeFormat.cpp:
1544         * runtime/JSGlobalObject.cpp:
1545         * runtime/StringPrototype.cpp:
1546
1547 2017-07-03  Saam Barati  <sbarati@apple.com>
1548
1549         Add better crash logging for allocation sinking phase
1550         https://bugs.webkit.org/show_bug.cgi?id=174102
1551         <rdar://problem/33112092>
1552
1553         Rubber stamped by Filip Pizlo.
1554
1555         I'm trying to gather better information from crashlogs about why
1556         we're crashing in the allocation sinking phase. I'm adding an allocation
1557         sinking specific RELEASE_ASSERT as well as marking a few functions as
1558         NEVER_INLINE to have the stack traces in the crash trace contain more
1559         actionable information.
1560
1561         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1562
1563 2017-07-03  Sam Weinig  <sam@webkit.org>
1564
1565         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
1566         https://bugs.webkit.org/show_bug.cgi?id=174083
1567
1568         Reviewed by Alex Christensen.
1569
1570         * Configurations/FeatureDefines.xcconfig:
1571         Add ENABLE_NAVIGATOR_STANDALONE.
1572
1573 2017-07-03  Andy Estes  <aestes@apple.com>
1574
1575         [Xcode] Add an experimental setting to build with ccache
1576         https://bugs.webkit.org/show_bug.cgi?id=173875
1577
1578         Reviewed by Tim Horton.
1579
1580         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
1581
1582 2017-07-03  Devin Rousso  <drousso@apple.com>
1583
1584         Web Inspector: Support listing WebGL2 and WebGPU contexts
1585         https://bugs.webkit.org/show_bug.cgi?id=173396
1586
1587         Reviewed by Joseph Pecoraro.
1588
1589         * inspector/protocol/Canvas.json:
1590         * inspector/scripts/codegen/generator.py:
1591         (Generator.stylized_name_for_enum_value):
1592         Add cases for handling new Canvas.ContextType protocol enumerations:
1593          - "webgl2" maps to `WebGL2`
1594          - "webgpu" maps to `WebGPU`
1595
1596 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1597
1598         WTF::Thread should have the threads stack bounds.
1599         https://bugs.webkit.org/show_bug.cgi?id=173975
1600
1601         Reviewed by Mark Lam.
1602
1603         There is a site in JSC that tries to walk another thread's stack.
1604         Currently, stack bounds are stored in WTFThreadData which is located
1605         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1606         We workaround this situation by holding StackBounds in MachineThread in JSC,
1607         but StackBounds should be put in WTF::Thread instead.
1608
1609         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
1610         information is tightly coupled with Thread. Thus putting it in WTF::Thread
1611         is a natural choice.
1612
1613         * heap/MachineStackMarker.cpp:
1614         (JSC::MachineThreads::MachineThread::MachineThread):
1615         (JSC::MachineThreads::MachineThread::captureStack):
1616         * heap/MachineStackMarker.h:
1617         (JSC::MachineThreads::MachineThread::stackBase):
1618         (JSC::MachineThreads::MachineThread::stackEnd):
1619         * runtime/InitializeThreading.cpp:
1620         (JSC::initializeThreading):
1621         * runtime/VM.cpp:
1622         (JSC::VM::VM):
1623         (JSC::VM::updateStackLimits):
1624         (JSC::VM::committedStackByteCount):
1625         * runtime/VM.h:
1626         (JSC::VM::isSafeToRecurse):
1627         * runtime/VMEntryScope.cpp:
1628         (JSC::VMEntryScope::VMEntryScope):
1629         * runtime/VMInlines.h:
1630         (JSC::VM::ensureStackCapacityFor):
1631         * runtime/VMTraps.cpp:
1632         * yarr/YarrPattern.cpp:
1633         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1634
1635 2017-07-01  Dan Bernstein  <mitz@apple.com>
1636
1637         [iOS] Remove code only needed when building for iOS 9.x
1638         https://bugs.webkit.org/show_bug.cgi?id=174068
1639
1640         Reviewed by Tim Horton.
1641
1642         * Configurations/FeatureDefines.xcconfig:
1643         * jit/ExecutableAllocator.cpp:
1644         * runtime/Options.cpp:
1645         (JSC::recomputeDependentOptions):
1646
1647 2017-07-01  Dan Bernstein  <mitz@apple.com>
1648
1649         [macOS] Remove code only needed when building for OS X Yosemite
1650         https://bugs.webkit.org/show_bug.cgi?id=174067
1651
1652         Reviewed by Tim Horton.
1653
1654         * API/WebKitAvailability.h:
1655         * Configurations/Base.xcconfig:
1656         * Configurations/DebugRelease.xcconfig:
1657         * Configurations/FeatureDefines.xcconfig:
1658         * Configurations/Version.xcconfig:
1659
1660 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1661
1662         Unreviewed, build fix for GCC
1663         https://bugs.webkit.org/show_bug.cgi?id=174034
1664
1665         * b3/testb3.cpp:
1666         (JSC::B3::testDoubleLiteralComparison):
1667
1668 2017-06-30  Keith Miller  <keith_miller@apple.com>
1669
1670         Force crashWithInfo to be out of line.
1671         https://bugs.webkit.org/show_bug.cgi?id=174028
1672
1673         Reviewed by Filip Pizlo.
1674
1675         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
1676
1677         * dfg/DFGGraph.cpp:
1678         (JSC::DFG::logDFGAssertionFailure):
1679         (JSC::DFG::Graph::logAssertionFailure):
1680         (JSC::DFG::crash): Deleted.
1681         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1682         * dfg/DFGGraph.h:
1683
1684 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1685
1686         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
1687         https://bugs.webkit.org/show_bug.cgi?id=174053
1688
1689         Reviewed by Geoffrey Garen.
1690
1691         We already have AbstractMacroAssembler::random() function. Use it instead.
1692
1693         * jit/JIT.cpp:
1694         (JSC::JIT::JIT):
1695         (JSC::JIT::compileWithoutLinking):
1696         * jit/JIT.h:
1697
1698 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1699
1700         [WTF] Drop SymbolRegistry::keyForSymbol
1701         https://bugs.webkit.org/show_bug.cgi?id=174052
1702
1703         Reviewed by Sam Weinig.
1704
1705         * runtime/SymbolConstructor.cpp:
1706         (JSC::symbolConstructorKeyFor):
1707
1708 2017-06-30  Saam Barati  <sbarati@apple.com>
1709
1710         B3ReduceStrength should reduce EqualOrUnordered over const float input
1711         https://bugs.webkit.org/show_bug.cgi?id=174039
1712
1713         Reviewed by Michael Saboff.
1714
1715         We perform this folding for ConstDoubleValue. It is simply
1716         an oversight that we didn't do it for ConstFloatValue.
1717
1718         * b3/B3ConstFloatValue.cpp:
1719         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
1720         * b3/B3ConstFloatValue.h:
1721         * b3/testb3.cpp:
1722         (JSC::B3::testFloatEqualOrUnorderedFolding):
1723         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
1724         (JSC::B3::testFloatEqualOrUnorderedDontFold):
1725         (JSC::B3::run):
1726
1727 2017-06-30  Matt Baker  <mattbaker@apple.com>
1728
1729         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
1730         https://bugs.webkit.org/show_bug.cgi?id=173840
1731         <rdar://problem/30840820>
1732
1733         Reviewed by Joseph Pecoraro.
1734
1735         When truncating an asynchronous stack trace, the parent chain is traversed
1736         until a locked node is found. The path from this node to the root is shared
1737         by more than one stack trace, and cannot be safely modified. Starting at
1738         the first locked node, the path is cloned and becomes a new stack trace tree.
1739
1740         However, the clone operation initialized each new AsyncStackTrace node with
1741         the original node's parent. This would increment the child count of the original
1742         node. When cloning nodes, new nodes should not have their parent set until the
1743         next node up the parent chain is cloned.
1744
1745         * inspector/AsyncStackTrace.cpp:
1746         (Inspector::AsyncStackTrace::truncate):
1747
1748 2017-06-30  Michael Saboff  <msaboff@apple.com>
1749
1750         RegExps anchored with .* with the \g flag can return the wrong match start for strings with multiple matches
1751         https://bugs.webkit.org/show_bug.cgi?id=174044
1752
1753         Reviewed by Oliver Hunt.
1754
1755         The .* enclosure optimization didn't respect that we can start matching from a non-zero
1756         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
1757         then finding the extent of the match by going back to the beginning of the line and going
1758         forward to the end of the line.  The code that went back to the beginning of the line
1759         checked for an index of 0 instead of comparing the index to the start position.  This start
1760         position is passed as the initial index.
1761
1762         Added another temporary register to the YARR JIT to contain the start position for
1763         platforms that have spare registers.
1764
1765         * yarr/Yarr.h:
1766         * yarr/YarrInterpreter.cpp:
1767         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1768         (JSC::Yarr::Interpreter::Interpreter):
1769         * yarr/YarrJIT.cpp:
1770         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1771         (JSC::Yarr::YarrGenerator::compile):
1772         * yarr/YarrPattern.cpp:
1773         (JSC::Yarr::YarrPattern::YarrPattern):
1774         * yarr/YarrPattern.h:
1775         (JSC::Yarr::YarrPattern::reset):
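
The start-position bug described above, as an added example that is not Yarr's code: a simplified model of the .* enclosure fast path in which the inner terms are a literal string and the `honorStartIndex` switch selects the buggy ("index == 0") or fixed ("index == start position") backward walk; both the literal-terms matcher and that switch are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Result of one match attempt: [start, end) offsets into the input.
struct Match {
    bool matched;
    std::size_t start;
    std::size_t end;
};

// Simplified model of the ".* enclosure" fast path for /.*<terms>.*/: match
// <terms> first, then extend the match backwards to the beginning of the line
// and forwards to the end of the line. <terms> is a literal string here (an
// assumption; the real engine handles arbitrary terms). `startIndex` is where
// the caller asked matching to begin, e.g. lastIndex under the /g flag.
// honorStartIndex == false reproduces the bug: the backward walk stops only at
// index 0, so the reported match can begin before startIndex.
static Match matchDotStarEnclosure(const std::string& input, const std::string& terms,
                                   std::size_t startIndex, bool honorStartIndex)
{
    std::size_t termsPos = input.find(terms, startIndex);
    if (termsPos == std::string::npos)
        return { false, 0, 0 };

    // Fixed behaviour: never walk back past the position matching started at.
    std::size_t lowerBound = honorStartIndex ? startIndex : 0;
    std::size_t start = termsPos;
    while (start > lowerBound && input[start - 1] != '\n')
        --start;

    // Trailing .* : extend to the end of the line.
    std::size_t end = termsPos + terms.size();
    while (end < input.size() && input[end] != '\n')
        ++end;

    return { true, start, end };
}

// Convenience: the matched text, or "" when there is no match.
static std::string matchedText(const std::string& input, const std::string& terms,
                               std::size_t startIndex, bool honorStartIndex)
{
    Match m = matchDotStarEnclosure(input, terms, startIndex, honorStartIndex);
    return m.matched ? input.substr(m.start, m.end - m.start) : std::string();
}

int main()
{
    // Constructed input: matching /.*abc.*/ from index 2 (as if lastIndex == 2).
    std::printf("buggy: \"%s\"\n", matchedText("abc abc", "abc", 2, false).c_str());
    std::printf("fixed: \"%s\"\n", matchedText("abc abc", "abc", 2, true).c_str());
    return 0;
}
```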
1776
1777 2017-06-30  Saam Barati  <sbarati@apple.com>
1778
1779         B3MoveConstants floatZero() returns the wrong ValueKey
1780         https://bugs.webkit.org/show_bug.cgi?id=174040
1781
1782         Reviewed by Filip Pizlo.
1783
1784         It had a typo where the ValueKey for floatZero() produces a Double
1785         instead of a Float.
1786
1787         * b3/B3MoveConstants.cpp:
1788
1789 2017-06-30  Saam Barati  <sbarati@apple.com>
1790
1791         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
1792         https://bugs.webkit.org/show_bug.cgi?id=174034
1793         <rdar://problem/30793007>
1794
1795         Reviewed by Filip Pizlo.
1796
1797         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
1798         reduce binary operations over double constants into the same binary
1799         operation over the double constants casted to floats. This is clearly
1800         incorrect as these two things will produce different values. For example:
1801         
1802         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
1803         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
1804         c = EqualOrUnordered(@a, @b) // produces 0
1805         
1806         into:
1807         
1808         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
1809         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
1810         c = EqualOrUnordered(@a, @b) // produces 1
1811         
1812         Which produces a different value for @c.
1813
1814         * b3/B3ReduceDoubleToFloat.cpp:
1815         * b3/testb3.cpp:
1816         (JSC::B3::doubleEq):
1817         (JSC::B3::doubleNeq):
1818         (JSC::B3::doubleGt):
1819         (JSC::B3::doubleGte):
1820         (JSC::B3::doubleLt):
1821         (JSC::B3::doubleLte):
1822         (JSC::B3::testDoubleLiteralComparison):
1823         (JSC::B3::run):
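
The folding shown in the entry above, as an added example that is not B3's own code: `bitwiseCast`, the `equalOrUnordered` helper and `reductionIsSound` are assumptions of this example; the two constants are the ones from the entry.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret the bits of one type as another, like the bitwise_cast in the entry.
template<typename To, typename From>
static To bitwiseCast(From from)
{
    static_assert(sizeof(To) == sizeof(From), "bitwiseCast needs equal sizes");
    To to;
    std::memcpy(&to, &from, sizeof(To));
    return to;
}

// B3's EqualOrUnordered: true when a == b, or when either operand is NaN.
template<typename T>
static bool equalOrUnordered(T a, T b)
{
    return a == b || std::isnan(a) || std::isnan(b);
}

// Reference result: compare the two double constants as doubles.
static bool originalEqualOrUnordered(uint64_t aBits, uint64_t bBits)
{
    return equalOrUnordered(bitwiseCast<double>(aBits), bitwiseCast<double>(bBits));
}

// The buggy reduction: narrow both constants to float first, then compare.
// Narrowing merges distinct doubles (a negative subnormal becomes -0.0f, which
// compares equal to 0.0f), so the folded result can differ from the original.
static bool reducedEqualOrUnordered(uint64_t aBits, uint64_t bBits)
{
    float a = static_cast<float>(bitwiseCast<double>(aBits));
    float b = static_cast<float>(bitwiseCast<double>(bBits));
    return equalOrUnordered(a, b);
}

// The reduction is sound for a given pair of constants only if comparing
// before and after narrowing agree; this is the check the phase was missing.
static bool reductionIsSound(uint64_t aBits, uint64_t bBits)
{
    return reducedEqualOrUnordered(aBits, bBits) == originalEqualOrUnordered(aBits, bBits);
}

int main()
{
    // The constants from the ChangeLog entry.
    const uint64_t a = 0x8000000000000001ull; // smallest negative subnormal double
    const uint64_t b = 0x0000000000000000ull; // +0.0
    std::printf("as doubles: %d, as floats: %d, sound: %s\n",
                originalEqualOrUnordered(a, b), reducedEqualOrUnordered(a, b),
                reductionIsSound(a, b) ? "yes" : "no");
    return 0;
}
```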
1824
1825 2017-06-29  Jer Noble  <jer.noble@apple.com>
1826
1827         Make Legacy EME API controlled by RuntimeEnabled setting.
1828         https://bugs.webkit.org/show_bug.cgi?id=173994
1829
1830         Reviewed by Sam Weinig.
1831
1832         * Configurations/FeatureDefines.xcconfig:
1833         * runtime/CommonIdentifiers.h:
1834
1835 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
1836
1837         Ran sort-Xcode-project-file.
1838
1839         * JavaScriptCore.xcodeproj/project.pbxproj:
1840
1841 2017-06-30  Matt Lewis  <jlewis3@apple.com>
1842
1843         Unreviewed, rolling out r218992.
1844
1845         The patch broke the iOS device builds.
1846
1847         Reverted changeset:
1848
1849         "DFG_ASSERT should allow stuffing registers before trapping."
1850         https://bugs.webkit.org/show_bug.cgi?id=174005
1851         http://trac.webkit.org/changeset/218992
1852
1853 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
1854
1855         RegExpCachedResult::setInput should reify left and right contexts
1856         https://bugs.webkit.org/show_bug.cgi?id=173818
1857
1858         Reviewed by Keith Miller.
1859         
1860         If you don't reify them in setInput, then when you later try to reify them, you'll end up
1861         using indices into an old input string to create a substring of a new input string. That
1862         never goes well.
1863
1864         * runtime/RegExpCachedResult.cpp:
1865         (JSC::RegExpCachedResult::setInput):
1866
1867 2017-06-30  Keith Miller  <keith_miller@apple.com>
1868
1869         DFG_ASSERT should allow stuffing registers before trapping.
1870         https://bugs.webkit.org/show_bug.cgi?id=174005
1871
1872         Reviewed by Mark Lam.
1873
1874         DFG_ASSERT currently prints error data to stderr before crashing,
1875         which is nice for local development. In the wild, however, we
1876         can't see this information in crash logs. This patch enables
1877         stuffing some of the most useful information from DFG_ASSERTS into
1878         up to five registers right before crashing. The values stuffed
1879         should not impact any logging during local development.
1880
1881         * assembler/AbortReason.h:
1882         * dfg/DFGAbstractInterpreterInlines.h:
1883         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1884         * dfg/DFGGraph.cpp:
1885         (JSC::DFG::logForCrash):
1886         (JSC::DFG::Graph::logAssertionFailure):
1887         (JSC::DFG::crash): Deleted.
1888         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1889         * dfg/DFGGraph.h:
1890
1891 2017-06-29  Saam Barati  <sbarati@apple.com>
1892
1893         Calculating postCapacity in unshiftCountSlowCase is wrong
1894         https://bugs.webkit.org/show_bug.cgi?id=173992
1895         <rdar://problem/32283199>
1896
1897         Reviewed by Keith Miller.
1898
1899         This patch fixes a bug inside unshiftCountSlowCase where we would use
1900         more memory than we allocated. The bug was when deciding how much extra
1901         space we have after the vector we've allocated. This area is called the
1902         postCapacity. The largest legal postCapacity value we could use is the
1903         space we allocated minus the space we need:
1904         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
1905         However, the code was calculating the postCapacity as:
1906         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
1907         
1908         where count is how many elements we're appending. Depending on the inputs,
1909         count could be larger than (newStorageCapacity - requiredVectorLength). This
1910         would cause us to use more memory than we actually allocated.
1911
1912         * runtime/JSArray.cpp:
1913         (JSC::JSArray::unshiftCountSlowCase):
1914
1915 2017-06-29  Commit Queue  <commit-queue@webkit.org>
1916
1917         Unreviewed, rolling out r218512.
1918         https://bugs.webkit.org/show_bug.cgi?id=173981
1919
1920         "It changes the behavior of the JS API's JSEvaluateScript
1921         which breaks TurboTax" (Requested by saamyjoon on #webkit).
1922
1923         Reverted changeset:
1924
1925         "test262: Completion values for control flow do not match the
1926         spec"
1927         https://bugs.webkit.org/show_bug.cgi?id=171265
1928         http://trac.webkit.org/changeset/218512
1929
1930 2017-06-29  JF Bastien  <jfbastien@apple.com>
1931
1932         WebAssembly: disable some APIs under CSP
1933         https://bugs.webkit.org/show_bug.cgi?id=173892
1934         <rdar://problem/32914613>
1935
1936         Reviewed by Daniel Bates.
1937
1938         We should disable parts of WebAssembly under Content Security
1939         Policy as discussed here:
1940
1941         https://github.com/WebAssembly/design/issues/1092
1942
1943         Exactly what should be disabled isn't super clear, so we may as
1944         well be conservative and disable many things if developers already
1945         opted into CSP. It's easy to loosen what we disable later.
1946
1947         This patch disables:
1948         - WebAssembly.Instance
1949         - WebAssembly.instantiate
1950         - WebAssembly.Memory
1951         - WebAssembly.Table
1952
1953         And leaves:
1954         - WebAssembly on the global object
1955         - WebAssembly.Module
1956         - WebAssembly.compile
1957         - WebAssembly.CompileError
1958         - WebAssembly.LinkError
1959
1960         Nothing, because currently unimplemented:
1961         - WebAssembly.compileStreaming
1962         - WebAssembly.instantiateStreaming
1963
1964         That way it won't be possible to call WebAssembly-compiled code,
1965         or create memories (which use fancy 4GiB allocations
1966         sometimes). Table isn't really useful on its own, and eventually
1967         we may make them shareable so without more details it seems benign
1968         to disable them (and useless if we don't).
1969
1970         I haven't done anything with postMessage, so you can still
1971         postMessage a WebAssembly.Module cross-CSP, but you can't
1972         instantiate it so it's useless. Because of this I elected to leave
1973         WebAssembly.Module and friends available.
1974
1975         I haven't added any new directives. It's still unsafe-eval. We can
1976         add something else later, but it seems odd to add a WebAssembly as
1977         a new capability and tell developers "you should have been using
1978         this directive which we just implemented if you wanted to disable
1979         WebAssembly which didn't exist when you adopted CSP". So IMO we
1980         should keep unsafe-eval as it currently is, add WebAssembly to
1981         what it disables, and later consider having two new directives
1982         which do each individually or something.
1983
1984         In all cases I throw an EvalError *before* other WebAssembly
1985         errors would be produced.
1986
1987         Note that, as for eval, reporting doesn't work and is tracked by
1988         https://webkit.org/b/111869
1989
1990         * runtime/JSGlobalObject.cpp:
1991         (JSC::JSGlobalObject::JSGlobalObject):
1992         * runtime/JSGlobalObject.h:
1993         (JSC::JSGlobalObject::webAssemblyEnabled):
1994         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
1995         (JSC::JSGlobalObject::setWebAssemblyEnabled):
1996         * wasm/js/JSWebAssemblyInstance.cpp:
1997         (JSC::JSWebAssemblyInstance::create):
1998         * wasm/js/JSWebAssemblyMemory.cpp:
1999         (JSC::JSWebAssemblyMemory::create):
2000         * wasm/js/JSWebAssemblyMemory.h:
2001         * wasm/js/JSWebAssemblyTable.cpp:
2002         (JSC::JSWebAssemblyTable::create):
2003         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2004         (JSC::constructJSWebAssemblyMemory):
2005
2006 2017-06-28  Keith Miller  <keith_miller@apple.com>
2007
2008         VMTraps has some races
2009         https://bugs.webkit.org/show_bug.cgi?id=173941
2010
2011         Reviewed by Michael Saboff.
2012
2013         This patch refactors much of the VMTraps API.
2014
2015         On the message sending side:
2016
2017         1) No longer uses the Yarr JIT check to determine if we are in
2018         RegExp code. That was unsound because RegExp JIT code can be run
2019         on compilation threads.  Instead it looks at the current frame's
2020         code block slot and checks if it is valid, which is the same as
2021         what it did for JIT code previously.
2022
2023         2) Only have one signal sender thread. Previously, there could be
2024         many at once, which caused some data races. Additionally, the
2025         signal sender thread is an automatic thread so it will deallocate
2026         itself when not in use.
2027
2028         On the VMTraps breakpoint side:
2029
2030         1) We now have a true mapping of if we hit a breakpoint instead of
2031         a JIT assertion. So the exception handler won't eat JIT assertions
2032         anymore.
2033
2034         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
2035         them instead of every CodeBlock on the stack. This both prevents
2036         us from hitting stale VMTraps breakpoints and also doesn't OSR
2037         codeblocks that otherwise don't need to be jettisoned.
2038
2039         3) The old exception handler could theoretically fail for a couple
2040         of reasons then resume execution with a clobbered instruction
2041         set. This patch will kill the program if the exception handler
2042         would fail.
2043
2044         This patch also refactors some of the jsc.cpp functions to take the
2045         CommandLine options object instead of individual options. Also, there
2046         is a new command line option that makes exceptions due to watchdog
2047         timeouts an acceptable result.
2048
2049         * API/tests/testapi.c:
2050         (main):
2051         * bytecode/CodeBlock.cpp:
2052         (JSC::CodeBlock::installVMTrapBreakpoints):
2053         * dfg/DFGCommonData.cpp:
2054         (JSC::DFG::pcCodeBlockMap):
2055         (JSC::DFG::CommonData::invalidate):
2056         (JSC::DFG::CommonData::~CommonData):
2057         (JSC::DFG::CommonData::installVMTrapBreakpoints):
2058         (JSC::DFG::codeBlockForVMTrapPC):
2059         * dfg/DFGCommonData.h:
2060         * jsc.cpp:
2061         (functionDollarAgentStart):
2062         (checkUncaughtException):
2063         (checkException):
2064         (runWithOptions):
2065         (printUsageStatement):
2066         (CommandLine::parseArguments):
2067         (jscmain):
2068         (runWithScripts): Deleted.
2069         * runtime/JSLock.cpp:
2070         (JSC::JSLock::didAcquireLock):
2071         * runtime/VMTraps.cpp:
2072         (JSC::sanitizedTopCallFrame):
2073         (JSC::VMTraps::tryInstallTrapBreakpoints):
2074         (JSC::VMTraps::willDestroyVM):
2075         (JSC::VMTraps::fireTrap):
2076         (JSC::VMTraps::handleTraps):
2077         (JSC::VMTraps::VMTraps):
2078         (JSC::VMTraps::~VMTraps):
2079         (JSC::findActiveVMAndStackBounds): Deleted.
2080         (JSC::installSignalHandler): Deleted.
2081         (JSC::VMTraps::addSignalSender): Deleted.
2082         (JSC::VMTraps::removeSignalSender): Deleted.
2083         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
2084         (JSC::VMTraps::SignalSender::send): Deleted.
2085         * runtime/VMTraps.h:
2086         (JSC::VMTraps::~VMTraps): Deleted.
2087         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
2088
2089 2017-06-28  Devin Rousso  <drousso@apple.com>
2090
2091         Web Inspector: Instrument active pixel memory used by canvases
2092         https://bugs.webkit.org/show_bug.cgi?id=173087
2093         <rdar://problem/32719261>
2094
2095         Reviewed by Joseph Pecoraro.
2096
2097         * inspector/protocol/Canvas.json:
2098          - Add optional `memoryCost` attribute to the `Canvas` type.
2099          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
2100
2101 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
2102
2103         Web Inspector: Cleanup Protocol JSON files
2104         https://bugs.webkit.org/show_bug.cgi?id=173934
2105
2106         Reviewed by Matt Baker.
2107
2108         * inspector/protocol/ApplicationCache.json:
2109         * inspector/protocol/CSS.json:
2110         * inspector/protocol/Console.json:
2111         * inspector/protocol/DOM.json:
2112         * inspector/protocol/DOMDebugger.json:
2113         * inspector/protocol/Debugger.json:
2114         * inspector/protocol/LayerTree.json:
2115         * inspector/protocol/Network.json:
2116         * inspector/protocol/Page.json:
2117         * inspector/protocol/Runtime.json:
2118         Be more consistent about placement of `description` property.
2119
2120 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2121
2122         Web Inspector: Remove unused Inspector domain events
2123         https://bugs.webkit.org/show_bug.cgi?id=173905
2124
2125         Reviewed by Matt Baker.
2126
2127         * inspector/protocol/Inspector.json:
2128
2129 2017-06-28  JF Bastien  <jfbastien@apple.com>
2130
2131         Ensure that computed new stack pointer values do not underflow.
2132         https://bugs.webkit.org/show_bug.cgi?id=173700
2133         <rdar://problem/32926032>
2134
2135         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
2136
2137         Patch by Mark Lam, with the following fix:
2138
2139         Re-apply this patch, it originally broke the ARM build because the llint code
2140         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
2141         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
2142         and operands to emit valid code (because the second operand can be SP).
2143
2144         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2145            m_numCalleeLocals is sane.
2146
2147         2. Added underflow checks in LLInt code and VarargsFrame code.
2148
2149         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2150            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2151            Ensure that Options::softReservedZoneSize() exceeds
2152            Options::reservedZoneSize() by at least minimumReservedZoneSize.
2153
2154         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2155            and only if the max size of the frame is greater than Options::reservedZoneSize().
2156
2157            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2158            of memory at the bottom (end) of the stack.  This means that, at any time, the
2159            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2160            end of the stack.  Hence, if the max frame size is less than
2161            Options::reservedZoneSize(), there's no way that frame pointer - max
2162            frame size can underflow, and we can elide the underflow check.
2163
2164            Note that we use Options::reservedZoneSize() instead of
2165            Options::softReservedZoneSize() for determining if we need an underflow check.
2166            This is because the softStackLimit that is used for stack checks can be set
2167            based on Options::reservedZoneSize() during error handling (e.g. when creating
2168            strings for instantiating the Error object).  Hence, the guaranteed minimum
2169            distance between the frame pointer and the end of the stack is
2170            Options::reservedZoneSize() and not Options::softReservedZoneSize().
2171
2172            Note also that we ensure that Options::reservedZoneSize() is at least
2173            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
2174            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
2175            instead of minimumReservedZoneSize gives us more chances to elide underflow
2176            checks.
2177
2178         * JavaScriptCore.xcodeproj/project.pbxproj:
2179         * bytecompiler/BytecodeGenerator.cpp:
2180         (JSC::BytecodeGenerator::generate):
2181         * dfg/DFGGraph.cpp:
2182         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
2183         * dfg/DFGJITCompiler.cpp:
2184         (JSC::DFG::emitStackOverflowCheck):
2185         (JSC::DFG::JITCompiler::compile):
2186         (JSC::DFG::JITCompiler::compileFunction):
2187         * ftl/FTLLowerDFGToB3.cpp:
2188         (JSC::FTL::DFG::LowerDFGToB3::lower):
2189         * jit/JIT.cpp:
2190         (JSC::JIT::compileWithoutLinking):
2191         * jit/SetupVarargsFrame.cpp:
2192         (JSC::emitSetupVarargsFrameFastCase):
2193         * llint/LLIntSlowPaths.cpp:
2194         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2195         * llint/LowLevelInterpreter.asm:
2196         * llint/LowLevelInterpreter32_64.asm:
2197         * llint/LowLevelInterpreter64.asm:
2198         * runtime/MinimumReservedZoneSize.h: Added.
2199         * runtime/Options.cpp:
2200         (JSC::recomputeDependentOptions):
2201         * runtime/VM.cpp:
2202         (JSC::VM::updateStackLimits):
2203         * wasm/WasmB3IRGenerator.cpp:
2204         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2205         * wasm/js/WebAssemblyFunction.cpp:
2206         (JSC::callWebAssemblyFunction):
2207
2208 2017-06-28  Chris Dumez  <cdumez@apple.com>
2209
2210         Unreviewed, rolling out r218869.
2211
2212         Broke the iOS build
2213
2214         Reverted changeset:
2215
2216         "Ensure that computed new stack pointer values do not
2217         underflow."
2218         https://bugs.webkit.org/show_bug.cgi?id=173700
2219         http://trac.webkit.org/changeset/218869
2220
2221 2017-06-28  Chris Dumez  <cdumez@apple.com>
2222
2223         Unreviewed, rolling out r218873.
2224
2225         Broke the iOS build
2226
2227         Reverted changeset:
2228
2229         "Gardening: CLoop build fix."
2230         https://bugs.webkit.org/show_bug.cgi?id=173700
2231         http://trac.webkit.org/changeset/218873
2232
2233 2017-06-28  Mark Lam  <mark.lam@apple.com>
2234
2235         Gardening: CLoop build fix.
2236         https://bugs.webkit.org/show_bug.cgi?id=173700
2237         <rdar://problem/32926032>
2238
2239         Not reviewed.
2240
2241         * llint/LLIntSlowPaths.cpp:
2242         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2243
2244 2017-06-28  Mark Lam  <mark.lam@apple.com>
2245
2246         Ensure that computed new stack pointer values do not underflow.
2247         https://bugs.webkit.org/show_bug.cgi?id=173700
2248         <rdar://problem/32926032>
2249
2250         Reviewed by Filip Pizlo and Saam Barati.
2251
2252         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2253            m_numCalleeLocals is sane.
2254
2255         2. Added underflow checks in LLInt code and VarargsFrame code.
2256
2257         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2258            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2259            Ensure that Options::softReservedZoneSize() is at least greater than
2260            Options::reservedZoneSize() by minimumReservedZoneSize.
2261
2262         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2263            and only if the max size of the frame is greater than Options::reservedZoneSize().
2264
2265            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2266            of memory at the bottom (end) of the stack.  This means that, at any time, the
2267            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2268            end of the stack.  Hence, if the max frame size is less than
2269            Options::reservedZoneSize(), there's no way that frame pointer - max
2270            frame size can underflow, and we can elide the underflow check.
2271
2272            Note that we use Options::reservedZoneSize() instead of
2273            Options::softReservedZoneSize() for determining if we need an underflow check.
2274            This is because the softStackLimit that is used for stack checks can be set
2275            based on Options::reservedZoneSize() during error handling (e.g. when creating
2276            strings for instantiating the Error object).  Hence, the guaranteed minimum
2277            distance between the frame pointer and the end of the stack is
2278            Options::reservedZoneSize() and not Options::softReservedZoneSize().
2279
2280            Note also that we ensure that Options::reservedZoneSize() is at least
2281            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
2282            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
2283            instead of minimumReservedZoneSize gives us more chances to elide underflow
2284            checks.
2285
2286         * JavaScriptCore.xcodeproj/project.pbxproj:
2287         * bytecompiler/BytecodeGenerator.cpp:
2288         (JSC::BytecodeGenerator::generate):
2289         * dfg/DFGGraph.cpp:
2290         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
2291         * dfg/DFGJITCompiler.cpp:
2292         (JSC::DFG::JITCompiler::compile):
2293         (JSC::DFG::JITCompiler::compileFunction):
2294         * ftl/FTLLowerDFGToB3.cpp:
2295         (JSC::FTL::DFG::LowerDFGToB3::lower):
2296         * jit/JIT.cpp:
2297         (JSC::JIT::compileWithoutLinking):
2298         * jit/SetupVarargsFrame.cpp:
2299         (JSC::emitSetupVarargsFrameFastCase):
2300         * llint/LLIntSlowPaths.cpp:
2301         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2302         * llint/LowLevelInterpreter.asm:
2303         * llint/LowLevelInterpreter32_64.asm:
2304         * llint/LowLevelInterpreter64.asm:
2305         * runtime/MinimumReservedZoneSize.h: Added.
2306         * runtime/Options.cpp:
2307         (JSC::recomputeDependentOptions):
2308         * runtime/VM.cpp:
2309         (JSC::VM::updateStackLimits):
2310         * wasm/WasmB3IRGenerator.cpp:
2311         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2312         * wasm/js/WebAssemblyFunction.cpp:
2313         (JSC::callWebAssemblyFunction):
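
The stack-check change described above (and in its re-application earlier on this page) hinges on one arithmetic fact: the new stack pointer is computed as frame pointer minus maximum frame size, and that subtraction can wrap below zero. The following JavaScript is an added example, not JavaScriptCore code: it models the JIT's check with 64-bit BigInt arithmetic so the wrap-around is visible, and shows the elision rule that skips the guard when the frame cannot exceed the reserved zone. RESERVED_ZONE_SIZE, the stack addresses and the frame sizes are constructed values for the illustration, and the function names are chosen here.

```javascript
// Added example, not JavaScriptCore code: a model of the stack check that the
// JIT tiers emit and of the rule for when it needs an underflow guard. Addresses
// are 64-bit unsigned values, modelled with BigInt and masked so that
// subtraction wraps the way it does on the CPU.
const MASK64 = (1n << 64n) - 1n;
const sub64 = (a, b) => (a - b) & MASK64;

// Constructed parameter for the example: the VM keeps at least this many bytes
// free at the bottom (end) of the stack, so the frame pointer is always at
// least RESERVED_ZONE_SIZE bytes above the end of the stack.
const RESERVED_ZONE_SIZE = 16n * 1024n; // 16K, the minimumReservedZoneSize floor

// Elision rule from the entry: the guard is needed if and only if the largest
// frame this code can push is bigger than the reserved zone. A smaller frame
// cannot move fp below the end of the stack, so fp - maxFrameSize cannot wrap.
function needsUnderflowCheck(maxFrameSize) {
  return maxFrameSize > RESERVED_ZONE_SIZE;
}

// The check without a guard: "is the new sp still above the soft limit?"
// If maxFrameSize > fp the subtraction wraps to a huge address and the
// comparison passes, so a frame that does not fit is accepted.
function naiveStackCheck(fp, maxFrameSize, softStackLimit) {
  return sub64(fp, maxFrameSize) >= softStackLimit;
}

// The check with the guard, added only when the frame can exceed the reserved
// zone; otherwise the invariant above already rules out wrap-around.
function guardedStackCheck(fp, maxFrameSize, softStackLimit) {
  if (needsUnderflowCheck(maxFrameSize) && maxFrameSize > fp)
    return false; // new sp would underflow: report stack overflow
  return sub64(fp, maxFrameSize) >= softStackLimit;
}

// Constructed scenario: fp sits 64K above address 0 with the soft limit at
// 20K, and a function needs a 128K frame.
function demo() {
  const fp = 0x10000n, softStackLimit = 0x5000n, hugeFrame = 0x20000n;
  return {
    naive: naiveStackCheck(fp, hugeFrame, softStackLimit),     // true: wrongly accepted
    guarded: guardedStackCheck(fp, hugeFrame, softStackLimit), // false: overflow reported
  };
}
```

The guard is placed before the subtraction on purpose: once the wrapped value exists, no comparison against a limit can distinguish it from a legitimately high address, which is exactly why the unguarded form passes.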
2314
2315 2017-06-27  JF Bastien  <jfbastien@apple.com>
2316
2317         WebAssembly: running out of executable memory should throw OoM
2318         https://bugs.webkit.org/show_bug.cgi?id=171537
2319         <rdar://problem/32963338>
2320
2321         Reviewed by Saam Barati.
2322
2323         Both on first compile with BBQ as well as on tier-up with OMG,
2324         running out of X memory shouldn't cause the entire program to
2325         terminate. An exception will do when compiling initial code (since
2326         we don't have any other fallback at the moment), and refusal to
2327         tier up will do as well (it'll just be slower).
2328
2329         This is useful because programs which generate huge amounts of
2330         code simply look like crashes, which developers report to
2331         us. Getting a JavaScript exception instead is much clearer.
2332
2333         * jit/ExecutableAllocator.cpp:
2334         (JSC::ExecutableAllocator::allocate):
2335         * llint/LLIntSlowPaths.cpp:
2336         (JSC::LLInt::shouldJIT):
2337         * runtime/Options.h:
2338         * wasm/WasmBBQPlan.cpp:
2339         (JSC::Wasm::BBQPlan::prepare):
2340         (JSC::Wasm::BBQPlan::complete):
2341         * wasm/WasmBinding.cpp:
2342         (JSC::Wasm::wasmToJs):
2343         (JSC::Wasm::wasmToWasm):
2344         * wasm/WasmBinding.h:
2345         * wasm/WasmOMGPlan.cpp:
2346         (JSC::Wasm::OMGPlan::work):
2347         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2348         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2349         * wasm/js/JSWebAssemblyCodeBlock.h:
2350         * wasm/js/JSWebAssemblyInstance.cpp:
2351         (JSC::JSWebAssemblyInstance::finalizeCreation):
2352
2353 2017-06-27  Saam Barati  <sbarati@apple.com>
2354
2355         JITStubRoutine::passesFilter should use isJITPC
2356         https://bugs.webkit.org/show_bug.cgi?id=173906
2357
2358         Reviewed by JF Bastien.
2359
2360         This patch makes JITStubRoutine use the isJITPC abstraction defined
2361         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
2362         hardcoded platform size constant. This means it'd do the wrong thing
2363         if Options::jitMemoryReservationSize() was larger than the defined
2364         constant for that platform. This patch also removes a bunch of
2365         dead code in that file.
2366
2367         * jit/ExecutableAllocator.cpp:
2368         * jit/ExecutableAllocator.h:
2369         * jit/JITStubRoutine.h:
2370         (JSC::JITStubRoutine::passesFilter):
2371         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
2372         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
2373         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
2374
2375 2017-06-27  Saam Barati  <sbarati@apple.com>
2376
2377         Fix some stale comments in Wasm code base
2378         https://bugs.webkit.org/show_bug.cgi?id=173814
2379
2380         Reviewed by Mark Lam.
2381
2382         * wasm/WasmBinding.cpp:
2383         (JSC::Wasm::wasmToJs):
2384         * wasm/WasmOMGPlan.cpp:
2385         (JSC::Wasm::runOMGPlanForIndex):
2386
2387 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
2388
2389         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
2390         https://bugs.webkit.org/show_bug.cgi?id=167962
2391
2392         Reviewed by Saam Barati.
2393
2394         The Object Rest/Spread Destructuring proposal is in stage 3[1] and this
2395         patch is a prototype implementation of it. A simple change over the
2396         parser was necessary to support the new '...' token on the Object Pattern
2397         destructuring rule. On the bytecode generator side, we changed the
2398         bytecode generated on ObjectPatternNode::bindValue to store in a
2399         set the identifiers of already destructured properties, following spec draft
2400         section[2], and then pass it as excludedNames to CopyDataProperties.
2401         The rest destructuring calls copyDataProperties to perform the
2402         copy of rest properties in rhs.
2403
2404         We also implemented CopyDataProperties as a private JS global operation
2405         in builtins/GlobalOperations.js following its specification in [3].
2406         It is implemented using a Set object to verify if a property is in
2407         excludedNames to keep this algorithm at O(n + m) complexity, where n
2408         = number of source's own properties and m = excludedNames.length.
2409
2410         In this implementation we aren't using excludeList as a constant if the
2411         destructuring pattern contains a computed property, i.e. we can
2412         just determine the key to be excluded at runtime. If we can define all
2413         identifiers in the pattern at compile time, we then create a
2414         constant JSSet. This approach gives a good performance improvement,
2415         since we allocate the excludeSet just once, reducing GC pressure.
2416
2417         [1] - https://github.com/tc39/proposal-object-rest-spread
2418         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
2419         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
2420
2421         * builtins/BuiltinNames.h:
2422         * builtins/GlobalOperations.js:
2423         (globalPrivate.copyDataProperties):
2424         * bytecode/CodeBlock.cpp:
2425         (JSC::CodeBlock::finishCreation):
2426         * bytecompiler/NodesCodegen.cpp:
2427         (JSC::ObjectPatternNode::bindValue):
2428         * parser/ASTBuilder.h:
2429         (JSC::ASTBuilder::appendObjectPatternEntry):
2430         (JSC::ASTBuilder::appendObjectPatternRestEntry):
2431         (JSC::ASTBuilder::setContainsObjectRestElement):
2432         * parser/Nodes.h:
2433         (JSC::ObjectPatternNode::appendEntry):
2434         (JSC::ObjectPatternNode::setContainsRestElement):
2435         * parser/Parser.cpp:
2436         (JSC::Parser<LexerType>::parseDestructuringPattern):
2437         (JSC::Parser<LexerType>::parseProperty):
2438         * parser/SyntaxChecker.h:
2439         (JSC::SyntaxChecker::operatorStackPop):
2440         * runtime/JSGlobalObject.cpp:
2441         (JSC::JSGlobalObject::init):
2442         * runtime/JSGlobalObject.h:
2443         (JSC::JSGlobalObject::asyncFunctionStructure):
2444         (JSC::JSGlobalObject::setStructure): Deleted.
2445         * runtime/JSGlobalObjectFunctions.cpp:
2446         (JSC::privateToObject):
2447         * runtime/JSGlobalObjectFunctions.h:
2448         * runtime/ObjectConstructor.cpp:
2449         (JSC::ObjectConstructor::finishCreation):
2450         * runtime/SetPrototype.cpp:
2451         (JSC::SetPrototype::finishCreation):
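
As an added example, not JavaScriptCore's own GlobalOperations.js builtin, here is the CopyDataProperties abstract operation in plain JavaScript with an excluded-names Set, plus the desugaring of a rest element on top of it. The sample object, the SYM symbol and the function names are constructed for the illustration; the point is which own properties a rest element copies (enumerable string and symbol keys) and which it skips (excluded names and non-enumerable properties).

```javascript
// Added example, not JavaScriptCore's GlobalOperations.js builtin: a plain-JS
// version of the CopyDataProperties abstract operation that object rest
// destructuring is built on. excludedNames is a Set so that each of the n
// source keys costs one O(1) membership test, O(n + m) overall.
function copyDataProperties(target, source, excludedNames = new Set()) {
  if (source === undefined || source === null) return target; // spec: nothing to copy
  const from = Object(source);
  const keys = Reflect.ownKeys(from); // own string keys first, then symbols
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (excludedNames.has(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc !== undefined && desc.enumerable) {
      // Get(from, key) followed by CreateDataProperty(target, key, value).
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// What `const { a, b, ...rest } = src` lowers to: the names bound before the
// rest element become the excluded set, and rest receives a fresh object.
function destructureWithRest(src, boundNames) {
  const bound = {};
  for (let i = 0; i < boundNames.length; i++) bound[boundNames[i]] = src[boundNames[i]];
  const rest = copyDataProperties({}, src, new Set(boundNames));
  return { bound, rest };
}

// Constructed sample input: a symbol key and a non-enumerable property show
// which own properties a rest element does and does not pick up.
const SYM = Symbol("s");
function sampleSource() {
  const src = { a: 1, b: 2, c: 3, [SYM]: 4 };
  Object.defineProperty(src, "hidden", { value: 5, enumerable: false });
  return src;
}
```

Note that the source's getters are invoked (the spec's Get step), so copying is observable to the source object; only the walk over the excluded set is not.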
2452
2453 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2454
2455         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
2456         https://bugs.webkit.org/show_bug.cgi?id=173888
2457
2458         Reviewed by Saam Barati.
2459
2460         After notifying Plan::Ready and releasing the Worklist lock, the VM can be destroyed.
2461         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
2462         This causes occasional SEGV / assertion failures in the workers/bomb test.
2463
2464         * dfg/DFGWorklist.cpp:
2465
2466 2017-06-27  Saam Barati  <sbarati@apple.com>
2467
2468         Remove an inaccurate comment inside DFGClobberize.h
2469         https://bugs.webkit.org/show_bug.cgi?id=163874
2470
2471         Reviewed by Filip Pizlo.
2472
2473         The comment said that Clobberize may or may not be sound if run prior to
2474         doing type inference. This is not correct, though. Clobberize *must* be sound
2475         prior to doing type inference since we use it inside the BytecodeParser, which
2476         is the very first thing the DFG does.
2477
2478         * dfg/DFGClobberize.h:
2479         (JSC::DFG::clobberize):
2480
2481 2017-06-27  Saam Barati  <sbarati@apple.com>
2482
2483         Function constructor needs to follow the spec and validate parameters and body independently
2484         https://bugs.webkit.org/show_bug.cgi?id=173303
2485         <rdar://problem/32732526>
2486
2487         Reviewed by Keith Miller.
2488
2489         The Function constructor must check the arguments and body strings
2490         independently for syntax errors. People rely on this specified behavior
2491         to verify that a particular string is a valid function body. We used
2492         to check these strings concatenated together, instead of
2493         independently. For example, this used to be valid: `Function("/*", "*/){")`.
2494         However, we should throw a syntax error here since "(/*)" is not a valid
2495         parameter list, and "*/){" is not a valid body.
2496         
2497         To implement the specified behavior, we check the syntax independently of
2498         both the body and the parameter list. To check that the parameter list has
2499         valid syntax, we check that it is valid if in a function with an empty body.
2500         To check that the body has valid syntax, we check it is valid in a function
2501         with an empty parameter list.
2502
2503         * runtime/FunctionConstructor.cpp:
2504         (JSC::constructFunctionSkippingEvalEnabledCheck):
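
Added example, not JavaScriptCore code: the two validation strategies the entry above contrasts, side by side, using the host engine's own Function constructor as the parser. checkConcatenated reproduces the old behaviour by parsing the assembled source as one unit, so a comment opened in the parameter list can be closed in the body; checkIndependently parses each part on its own, which is what the spec requires. The function names are chosen for the illustration.

```javascript
// Added example, not JavaScriptCore code. isSyntaxError() runs a parse attempt
// and reports only SyntaxError; anything else is a real failure and is rethrown.
function isSyntaxError(fn) {
  try { fn(); return false; } catch (e) {
    if (e instanceof SyntaxError) return true;
    throw e;
  }
}

// The old approach: assemble the whole function source and parse it once.
// With params "/*" and body "*/){" the comment swallows the separator, leaving
// "(function anonymous(){\n})", which is valid.
function checkConcatenated(params, body) {
  const source = `(function anonymous(${params}\n) {\n${body}\n})`;
  return !isSyntaxError(() => new Function(source));
}

// The spec's approach: the parameter list is valid iff it parses in a function
// with an empty body, and the body is valid iff it parses in a function with
// an empty parameter list. Neither half of the trick survives on its own.
function checkIndependently(params, body) {
  return {
    params: !isSyntaxError(() => new Function(params, "")),
    body: !isSyntaxError(() => new Function("", body)),
  };
}
```

A validator built this way also answers the question people actually ask of the Function constructor, "is this string a valid body?", without being fooled by a parameter string that is only valid in combination.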
2505
2506 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
2507
2508         Add missing includes to fix compilation error on FreeBSD
2509         https://bugs.webkit.org/show_bug.cgi?id=172919
2510
2511         Reviewed by Mark Lam.
2512
2513         * API/JSRemoteInspector.h:
2514         * API/tests/GlobalContextWithFinalizerTest.cpp:
2515         * API/tests/TypedArrayCTest.cpp:
2516
2517 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2518
2519         Web Inspector: Crash generating object preview for ArrayIterator
2520         https://bugs.webkit.org/show_bug.cgi?id=173754
2521         <rdar://problem/32859012>
2522
2523         Reviewed by Saam Barati.
2524
2525         When Inspector generated an object preview for an ArrayIterator instance it made
2526         a "clone" of the original ArrayIterator instance by constructing a new object with
2527         the instance's structure. However, user code could have modified that instance's
2528         structure, such as adding / removing properties. The `return` property had special
2529         meaning, and our clone did not fill that slot. This approach is brittle in that
2530         we weren't satisfying the expectations of an object with a particular Structure,
2531         and the original goal of having Web Inspector peek values of built-in Iterators
2532         was to avoid observable behavior.
2533
2534         This tightens Web Inspector's Iterator preview to only peek values if the
2535         Iterators would actually be non-observable. It also builds an ArrayIterator
2536         clone like a regular object construction.
2537
2538         * inspector/JSInjectedScriptHost.cpp:
2539         (Inspector::cloneArrayIteratorObject):
2540         Build up the Object from scratch with a new ArrayIterator prototype.
2541
2542         (Inspector::JSInjectedScriptHost::iteratorEntries):
2543         Only clone and peek iterators if it would not be observable.
2544         Also update iteration to be more in line with IterationOperations, such as when
2545         we call iteratorClose.
2546
2547         * runtime/JSGlobalObject.cpp:
2548         (JSC::JSGlobalObject::JSGlobalObject):
2549         (JSC::JSGlobalObject::init):
2550         * runtime/JSGlobalObject.h:
2551         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
2552         * runtime/JSGlobalObjectInlines.h:
2553         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
2554         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
2555
2556         * runtime/JSMap.cpp:
2557         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2558         (JSC::JSMap::canCloneFastAndNonObservable):
2559         * runtime/JSMap.h:
2560         * runtime/JSSet.cpp:
2561         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2562         (JSC::JSSet::canCloneFastAndNonObservable):
2563         * runtime/JSSet.h:
2564         Promote isIteratorProtocolFastAndNonObservable to a method.
2565
2566         * runtime/JSObject.cpp:
2567         (JSC::canDoFastPutDirectIndex):
2568         * runtime/JSTypeInfo.h:
2569         (JSC::TypeInfo::isArgumentsType):
2570         Helper to detect if an Object is an Arguments type.
2571
2572 2017-06-26  Saam Barati  <sbarati@apple.com>
2573
2574         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
2575         https://bugs.webkit.org/show_bug.cgi?id=173740
2576
2577         Reviewed by Mark Lam.
2578
2579         The builtin was using for-of iteration to iterate over an internal
2580         list in its algorithm. For-of iteration is observable via user code
2581         in the global object, so this approach was wrong as it would break if
2582         a user changed the Array iteration protocol in some way.
2583
2584         * builtins/RegExpPrototype.js:
2585         (replace):
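
Added example, not JavaScriptCore code, serving both the Web Inspector iterator-preview entry above and this RegExpPrototype.js entry: a helper written with for-of beside its index-loop form, a constructed user-land hook on the Array iteration protocol that shows why the for-of form is observable, and a user-land approximation of the "is the protocol still unmodified?" test that the engine answers with watchpoints. The hook, the sample lists and the function names are constructed for the illustration.

```javascript
// Added example, not JavaScriptCore code. Snapshot the pristine Array iteration
// protocol so later checks can tell whether user code replaced any part of it.
const ArrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
const pristine = {
  values: Array.prototype[Symbol.iterator],
  next: ArrayIteratorPrototype.next,
};

// True while neither Array.prototype[Symbol.iterator] nor
// %ArrayIteratorPrototype%.next has been replaced. (An engine must also watch
// for own-property shadowing on the instance; this check ignores that.)
function isArrayIterationProtocolPristine() {
  return Array.prototype[Symbol.iterator] === pristine.values
      && ArrayIteratorPrototype.next === pristine.next;
}

// Observable: for-of asks the array for its iterator, which user code controls.
function joinWithForOf(list) {
  let out = "";
  for (const item of list) out += item;
  return out;
}

// Not observable through the iteration protocol: plain indexed reads, which is
// how a builtin should walk an internal list.
function joinWithIndex(list) {
  let out = "";
  for (let i = 0; i < list.length; i++) out += list[i];
  return out;
}

// Runs fn() while a constructed, tampering Array iterator is installed, then
// restores the original so the rest of the program is unaffected.
function withTamperedArrayIterator(fn) {
  const original = Array.prototype[Symbol.iterator];
  Array.prototype[Symbol.iterator] = function* () {
    for (let i = 0; i < this.length; i++) yield "<" + this[i] + ">";
  };
  try { return fn(); } finally { Array.prototype[Symbol.iterator] = original; }
}

function demo() {
  return withTamperedArrayIterator(() => ({
    forOf: joinWithForOf(["a", "b"]),             // "<a><b>": user code intercepted it
    indexed: joinWithIndex(["a", "b"]),           // "ab": unaffected
    pristine: isArrayIterationProtocolPristine(), // false while the hook is installed
  }));
}
```

The same identity test is the user-land shape of the decision the Inspector change makes: peek at an iterator's values only while the protocol is known to be untouched, and fall back to not peeking otherwise.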
2586
2587 2017-06-26  Mark Lam  <mark.lam@apple.com>
2588
2589         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
2590         https://bugs.webkit.org/show_bug.cgi?id=173848
2591
2592         Reviewed by JF Bastien.
2593
2594         This functor only dumps the return VirtualPC.
2595
2596         * interpreter/Interpreter.cpp:
2597         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
2598         (JSC::Interpreter::dumpRegisters):
2599         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
2600         (JSC::DumpRegisterFunctor::operator()): Deleted.
2601
2602 2017-06-26  Saam Barati  <sbarati@apple.com>
2603
2604         Crash in JSC::Lexer<unsigned char>::setCode
2605         https://bugs.webkit.org/show_bug.cgi?id=172754
2606
2607         Reviewed by Mark Lam.
2608
2609         The lexer was asking one of its buffers to reserve initial space that
2610         was O(text size in bytes). For large sources, this would end up causing
2611         the vector to overflow and crash. This patch changes this code to be like
2612         the Lexer's other buffers and to only reserve a small starting buffer.
2613
2614         * parser/Lexer.cpp:
2615         (JSC::Lexer<T>::setCode):
2616
2617 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2618
2619         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
2620         https://bugs.webkit.org/show_bug.cgi?id=173825
2621
2622         Reviewed by Saam Barati.
2623
2624         * jsc.cpp:
2625         (startTimeoutThreadIfNeeded):
2626         (timeoutThreadMain): Deleted.
2627
2628 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2629
2630         Unreviewed, add missing header for CLoop
2631
2632         * runtime/SymbolTable.cpp:
2633
2634 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2635
2636         Unreviewed, add missing header includes
2637
2638         * parser/Lexer.h:
2639
2640 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
2641
2642         Remove excessive headers from JavaScriptCore
2643         https://bugs.webkit.org/show_bug.cgi?id=173812
2644
2645         Reviewed by Darin Adler.
2646
2647         * API/APIUtils.h:
2648         * assembler/LinkBuffer.cpp:
2649         * assembler/MacroAssemblerCodeRef.cpp:
2650         * b3/air/AirLiveness.h:
2651         * b3/air/AirLowerAfterRegAlloc.cpp:
2652         * bindings/ScriptValue.cpp:
2653         * bindings/ScriptValue.h:
2654         * bytecode/AccessCase.cpp:
2655         * bytecode/AccessCase.h:
2656         * bytecode/ArrayProfile.h:
2657         * bytecode/BytecodeDumper.h:
2658         * bytecode/BytecodeIntrinsicRegistry.cpp:
2659         * bytecode/BytecodeKills.h:
2660         * bytecode/BytecodeLivenessAnalysis.h:
2661         * bytecode/BytecodeUseDef.h:
2662         * bytecode/CallLinkStatus.h:
2663         * bytecode/CodeBlock.h:
2664         * bytecode/CodeOrigin.h:
2665         * bytecode/ComplexGetStatus.h:
2666         * bytecode/GetByIdStatus.h:
2667         * bytecode/GetByIdVariant.h:
2668         * bytecode/InlineCallFrame.h:
2669         * bytecode/InlineCallFrameSet.h:
2670         * bytecode/Instruction.h:
2671         * bytecode/InternalFunctionAllocationProfile.h:
2672         * bytecode/JumpTable.h:
2673         * bytecode/MethodOfGettingAValueProfile.h:
2674         * bytecode/ObjectPropertyConditionSet.h:
2675         * bytecode/Operands.h:
2676         * bytecode/PolymorphicAccess.h:
2677         * bytecode/PutByIdStatus.h:
2678         * bytecode/SpeculatedType.cpp:
2679         * bytecode/StructureSet.h:
2680         * bytecode/StructureStubInfo.h:
2681         * bytecode/UnlinkedCodeBlock.h:
2682         * bytecode/UnlinkedFunctionExecutable.h:
2683         * bytecode/ValueProfile.h:
2684         * bytecompiler/BytecodeGenerator.cpp:
2685         * bytecompiler/BytecodeGenerator.h:
2686         * bytecompiler/Label.h:
2687         * bytecompiler/StaticPropertyAnalysis.h:
2688         * debugger/DebuggerCallFrame.cpp:
2689         * dfg/DFGAbstractInterpreter.h:
2690         * dfg/DFGAdjacencyList.h:
2691         * dfg/DFGArgumentsUtilities.h:
2692         * dfg/DFGArrayMode.h:
2693         * dfg/DFGArrayifySlowPathGenerator.h:
2694         * dfg/DFGBackwardsPropagationPhase.h:
2695         * dfg/DFGBasicBlock.h:
2696         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2697         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2698         * dfg/DFGCapabilities.h:
2699         * dfg/DFGCommon.h:
2700         * dfg/DFGCommonData.h:
2701         * dfg/DFGDesiredIdentifiers.h:
2702         * dfg/DFGDesiredWatchpoints.h:
2703         * dfg/DFGDisassembler.cpp:
2704         * dfg/DFGDominators.h:
2705         * dfg/DFGDriver.cpp:
2706         * dfg/DFGDriver.h:
2707         * dfg/DFGEdgeDominates.h:
2708         * dfg/DFGFinalizer.h:
2709         * dfg/DFGGenerationInfo.h:
2710         * dfg/DFGJITCompiler.cpp:
2711         * dfg/DFGJITCompiler.h:
2712         * dfg/DFGJITFinalizer.h:
2713         * dfg/DFGLivenessAnalysisPhase.h:
2714         * dfg/DFGMinifiedNode.h:
2715         * dfg/DFGMultiGetByOffsetData.h:
2716         * dfg/DFGNaturalLoops.cpp:
2717         * dfg/DFGNaturalLoops.h:
2718         * dfg/DFGNode.h:
2719         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2720         * dfg/DFGOSRExit.h:
2721         * dfg/DFGOSRExitCompilationInfo.h:
2722         * dfg/DFGOSRExitCompiler.cpp:
2723         * dfg/DFGOSRExitCompiler.h:
2724         * dfg/DFGOSRExitJumpPlaceholder.h:
2725         * dfg/DFGOperations.cpp:
2726         * dfg/DFGOperations.h:
2727         * dfg/DFGPlan.h:
2728         * dfg/DFGPreciseLocalClobberize.h:
2729         * dfg/DFGPromotedHeapLocation.h:
2730         * dfg/DFGRegisteredStructure.h:
2731         * dfg/DFGRegisteredStructureSet.h:
2732         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2733         * dfg/DFGSlowPathGenerator.h:
2734         * dfg/DFGSnippetParams.h:
2735         * dfg/DFGSpeculativeJIT.h:
2736         * dfg/DFGToFTLDeferredCompilationCallback.h:
2737         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2738         * dfg/DFGValidate.h:
2739         * dfg/DFGValueSource.h:
2740         * dfg/DFGVariableEvent.h:
2741         * dfg/DFGVariableEventStream.h:
2742         * dfg/DFGWorklist.h:
2743         * domjit/DOMJITCallDOMGetterSnippet.h:
2744         * domjit/DOMJITEffect.h:
2745         * ftl/FTLLink.cpp:
2746         * ftl/FTLLowerDFGToB3.cpp:
2747         * ftl/FTLPatchpointExceptionHandle.h:
2748         * heap/AllocatorAttributes.h:
2749         * heap/CodeBlockSet.h:
2750         * heap/DeferGC.h:
2751         * heap/GCSegmentedArray.h:
2752         * heap/Heap.cpp:
2753         * heap/Heap.h:
2754         * heap/IncrementalSweeper.h:
2755         * heap/ListableHandler.h:
2756         * heap/MachineStackMarker.h:
2757         * heap/MarkedAllocator.h:
2758         * heap/MarkedBlock.cpp:
2759         * heap/MarkedBlock.h:
2760         * heap/MarkingConstraint.h:
2761         * heap/SlotVisitor.cpp:
2762         * heap/SlotVisitor.h:
2763         * inspector/ConsoleMessage.cpp:
2764         * inspector/ConsoleMessage.h:
2765         * inspector/InjectedScript.h:
2766         * inspector/InjectedScriptHost.h:
2767         * inspector/InjectedScriptManager.cpp:
2768         * inspector/JSGlobalObjectInspectorController.cpp:
2769         * inspector/JavaScriptCallFrame.h:
2770         * inspector/ScriptCallStack.h:
2771         * inspector/ScriptCallStackFactory.cpp:
2772         * inspector/ScriptDebugServer.h:
2773         * inspector/agents/InspectorConsoleAgent.h:
2774         * inspector/agents/InspectorDebuggerAgent.cpp:
2775         * inspector/agents/InspectorDebuggerAgent.h:
2776         * inspector/agents/InspectorHeapAgent.cpp:
2777         * inspector/agents/InspectorHeapAgent.h:
2778         * inspector/agents/InspectorRuntimeAgent.h:
2779         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2780         * inspector/agents/InspectorScriptProfilerAgent.h:
2781         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2782         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2783         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2784         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2785         * inspector/augmentable/AlternateDispatchableAgent.h:
2786         * interpreter/CLoopStack.h:
2787         * interpreter/CachedCall.h:
2788         * interpreter/CallFrame.h:
2789         * interpreter/Interpreter.cpp:
2790         * interpreter/Interpreter.h:
2791         * jit/AssemblyHelpers.cpp:
2792         * jit/AssemblyHelpers.h:
2793         * jit/CCallHelpers.h:
2794         * jit/CallFrameShuffler.h:
2795         * jit/ExecutableAllocator.h:
2796         * jit/GCAwareJITStubRoutine.h:
2797         * jit/HostCallReturnValue.h:
2798         * jit/ICStats.h:
2799         * jit/JIT.cpp:
2800         * jit/JIT.h:
2801         * jit/JITAddGenerator.h:
2802         * jit/JITCall32_64.cpp:
2803         * jit/JITCode.h:
2804         * jit/JITDisassembler.cpp:
2805         * jit/JITExceptions.cpp:
2806         * jit/JITMathIC.h:
2807         * jit/JITOpcodes.cpp:
2808         * jit/JITOperations.cpp:
2809         * jit/JITOperations.h:
2810         * jit/JITThunks.cpp:
2811         * jit/JITThunks.h:
2812         * jit/JSInterfaceJIT.h:
2813         * jit/PCToCodeOriginMap.h:
2814         * jit/PolymorphicCallStubRoutine.h:
2815         * jit/RegisterSet.h:
2816         * jit/Repatch.h:
2817         * jit/SetupVarargsFrame.h:
2818         * jit/Snippet.h:
2819         * jit/SnippetParams.h:
2820         * jit/ThunkGenerators.h:
2821         * jsc.cpp:
2822         * llint/LLIntCLoop.h:
2823         * llint/LLIntEntrypoint.h:
2824         * llint/LLIntExceptions.h:
2825         * llint/LLIntOfflineAsmConfig.h:
2826         * llint/LLIntSlowPaths.cpp:
2827         * parser/NodeConstructors.h:
2828         * parser/Nodes.cpp:
2829         * parser/Nodes.h:
2830         * parser/Parser.cpp:
2831         * parser/Parser.h:
2832         * parser/ParserTokens.h:
2833         * parser/SourceProviderCacheItem.h:
2834         * profiler/ProfilerBytecodeSequence.h:
2835         * profiler/ProfilerDatabase.cpp:
2836         * profiler/ProfilerDatabase.h:
2837         * profiler/ProfilerOrigin.h:
2838         * profiler/ProfilerOriginStack.h:
2839         * profiler/ProfilerProfiledBytecodes.h:
2840         * profiler/ProfilerUID.h:
2841         * runtime/AbstractModuleRecord.h:
2842         * runtime/ArrayConstructor.h:
2843         * runtime/ArrayConventions.h:
2844         * runtime/ArrayIteratorPrototype.h:
2845         * runtime/ArrayPrototype.h:
2846         * runtime/BasicBlockLocation.h:
2847         * runtime/Butterfly.h:
2848         * runtime/CallData.cpp:
2849         * runtime/CodeCache.h:
2850         * runtime/CommonSlowPaths.cpp:
2851         * runtime/CommonSlowPaths.h:
2852         * runtime/CommonSlowPathsExceptions.cpp:
2853         * runtime/Completion.cpp:
2854         * runtime/ControlFlowProfiler.h:
2855         * runtime/DateInstanceCache.h:
2856         * runtime/ErrorConstructor.h:
2857         * runtime/ErrorInstance.h:
2858         * runtime/ExceptionHelpers.cpp:
2859         * runtime/ExceptionHelpers.h:
2860         * runtime/ExecutableBase.h:
2861         * runtime/FunctionExecutable.h:
2862         * runtime/HasOwnPropertyCache.h:
2863         * runtime/Identifier.h:
2864         * runtime/InternalFunction.h:
2865         * runtime/IntlCollator.cpp:
2866         * runtime/IntlCollatorPrototype.h:
2867         * runtime/IntlDateTimeFormatPrototype.h:
2868         * runtime/IntlNumberFormat.cpp:
2869         * runtime/IntlNumberFormatPrototype.h:
2870         * runtime/IteratorOperations.cpp:
2871         * runtime/JSArray.h:
2872         * runtime/JSArrayBufferPrototype.h:
2873         * runtime/JSCJSValue.h:
2874         * runtime/JSCJSValueInlines.h:
2875         * runtime/JSCell.h:
2876         * runtime/JSFunction.cpp:
2877         * runtime/JSFunction.h:
2878         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2879         * runtime/JSGlobalObject.cpp:
2880         * runtime/JSGlobalObject.h:
2881         * runtime/JSGlobalObjectDebuggable.cpp:
2882         * runtime/JSGlobalObjectDebuggable.h:
2883         * runtime/JSGlobalObjectFunctions.cpp:
2884         * runtime/JSGlobalObjectFunctions.h:
2885         * runtime/JSJob.cpp:
2886         * runtime/JSLock.h:
2887         * runtime/JSModuleLoader.cpp:
2888         * runtime/JSModuleNamespaceObject.h:
2889         * runtime/JSModuleRecord.h:
2890         * runtime/JSObject.cpp:
2891         * runtime/JSObject.h:
2892         * runtime/JSRunLoopTimer.h:
2893         * runtime/JSTemplateRegistryKey.h:
2894         * runtime/JSTypedArrayPrototypes.cpp:
2895         * runtime/JSTypedArrayPrototypes.h:
2896         * runtime/JSTypedArrays.h:
2897         * runtime/LiteralParser.h:
2898         * runtime/MatchResult.h:
2899         * runtime/MemoryStatistics.h:
2900         * runtime/PrivateName.h:
2901         * runtime/PromiseDeferredTimer.h:
2902         * runtime/ProxyObject.h:
2903         * runtime/RegExp.h:
2904         * runtime/SamplingProfiler.cpp:
2905         * runtime/SmallStrings.h:
2906         * runtime/StringPrototype.cpp:
2907         * runtime/StringRecursionChecker.h:
2908         * runtime/Structure.h:
2909         * runtime/SymbolConstructor.h:
2910         * runtime/SymbolPrototype.cpp:
2911         * runtime/SymbolPrototype.h:
2912         * runtime/TypeProfiler.h:
2913         * runtime/TypeProfilerLog.h:
2914         * runtime/TypedArrayType.h:
2915         * runtime/VM.cpp:
2916         * runtime/VM.h:
2917         * runtime/VMEntryScope.h:
2918         * runtime/WeakMapData.h:
2919         * runtime/WriteBarrier.h:
2920         * tools/FunctionOverrides.cpp:
2921         * tools/FunctionOverrides.h:
2922         * wasm/WasmBinding.cpp:
2923         * wasm/js/JSWebAssemblyCodeBlock.h:
2924         * wasm/js/WebAssemblyPrototype.cpp:
2925         * yarr/Yarr.h:
2926         * yarr/YarrJIT.cpp:
2927         * yarr/YarrJIT.h:
2928         * yarr/YarrParser.h:
2929
2930 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2931
2932         [JSC] Clean up Object.entries implementation
2933         https://bugs.webkit.org/show_bug.cgi?id=173759
2934
2935         Reviewed by Sam Weinig.
2936
2937         This patch cleans up Object.entries implementation.
2938         We drop unused private functions. And we merge the
2939         implementation into Object.entries.
2940
2941         It slightly speeds up Object.entries speed.
2942
2943                                      baseline                  patched
2944
2945             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
2946
2947
2948         * builtins/BuiltinNames.h:
2949         * builtins/ObjectConstructor.js:
2950         (entries):
2951         (globalPrivate.enumerableOwnProperties): Deleted.
2952         * runtime/JSGlobalObject.cpp:
2953         (JSC::JSGlobalObject::init):
2954         * runtime/ObjectConstructor.cpp:
2955         (JSC::ownEnumerablePropertyKeys): Deleted.
2956         * runtime/ObjectConstructor.h:
2957
2958 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
2959
2960         Remove Reflect.enumerate
2961         https://bugs.webkit.org/show_bug.cgi?id=173806
2962
2963         Reviewed by Yusuke Suzuki.
2964
2965         * CMakeLists.txt:
2966         * JavaScriptCore.xcodeproj/project.pbxproj:
2967         * inspector/JSInjectedScriptHost.cpp:
2968         (Inspector::JSInjectedScriptHost::subtype):
2969         (Inspector::JSInjectedScriptHost::getInternalProperties):
2970         (Inspector::JSInjectedScriptHost::iteratorEntries):
2971         * runtime/JSGlobalObject.cpp:
2972         (JSC::JSGlobalObject::init):
2973         (JSC::JSGlobalObject::visitChildren):
2974         * runtime/JSPropertyNameIterator.cpp: Removed.
2975         * runtime/JSPropertyNameIterator.h: Removed.
2976         * runtime/ReflectObject.cpp:
2977         (JSC::reflectObjectEnumerate): Deleted.
2978
2979 2017-06-23  Keith Miller  <keith_miller@apple.com>
2980
2981         Switch VMTraps to use halt instructions rather than breakpoint instructions
2982         https://bugs.webkit.org/show_bug.cgi?id=173677
2983         <rdar://problem/32178892>
2984
2985         Reviewed by JF Bastien.
2986
2987         Using the breakpoint instruction for VMTraps caused issues with lldb.
2988         Since we only need some way to stop execution we can, in theory, use
2989         any exceptioning instruction we want. I went with the halt instruction
2990         on X86 since that is the only one-byte instruction that does not
2991         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
2992         On ARM we use the data cache clearing instruction with the zero register,
2993         which triggers a segmentation fault.
2994
2995         Also, update the platform code to only use signaling VMTraps
2996         where we have an appropriate instruction (x86 and ARM64).
2997
2998         * API/tests/ExecutionTimeLimitTest.cpp:
2999         (testExecutionTimeLimit):
3000         * assembler/ARM64Assembler.h:
3001         (JSC::ARM64Assembler::replaceWithVMHalt):
3002         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
3003         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
3004         * assembler/ARMAssembler.h:
3005         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
3006         * assembler/ARMv7Assembler.h:
3007         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
3008         * assembler/MIPSAssembler.h:
3009         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
3010         * assembler/MacroAssemblerARM.h:
3011         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
3012         * assembler/MacroAssemblerARM64.h:
3013         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3014         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
3015         * assembler/MacroAssemblerARMv7.h:
3016         (JSC::MacroAssemblerARMv7::storeFence):
3017         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
3018         * assembler/MacroAssemblerMIPS.h:
3019         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
3020         * assembler/MacroAssemblerX86Common.h:
3021         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
3022         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
3023         * assembler/X86Assembler.h:
3024         (JSC::X86Assembler::replaceWithHlt):
3025         (JSC::X86Assembler::replaceWithInt3): Deleted.
3026         * dfg/DFGJumpReplacement.cpp:
3027         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
3028         * runtime/VMTraps.cpp:
3029         (JSC::SignalContext::SignalContext):
3030         (JSC::installSignalHandler):
3031         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
3032         * wasm/WasmFaultSignalHandler.cpp:
3033         (JSC::Wasm::enableFastMemory):
3034
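Added example, not code from WebKit or from this ChangeLog, showing the mechanics the entry above relies on: a one-byte halt can be patched over the first byte of any x86 instruction without disturbing its neighbours (the reason the one-byte constraint matters), the ARM64 replacement is `dc zva` with the zero register, and because `hlt` raises a fault rather than a trap the PC a SIGSEGV handler sees is the `hlt` itself, which is what lets the PC-adjustment helper go away. The buffer contents, the function names and the REG_RIP fallback value (16, the glibc/musl x86_64 index) are this example's own assumptions; execution is only attempted on Linux/x86_64 and the demo returns -1 elsewhere or if it cannot map an executable page.

```cpp
#include <csignal>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <sys/mman.h>

constexpr uint8_t kX86Hlt  = 0xf4; // halt: privileged, #GP in user mode -> SIGSEGV
constexpr uint8_t kX86Int3 = 0xcc; // breakpoint: #BP -> SIGTRAP, the previous choice
constexpr uint8_t kX86Nop  = 0x90;
constexpr uint8_t kX86Ret  = 0xc3;

// Overwrite one instruction byte in place (the replaceWithHlt shape);
// returns the byte it replaced.
uint8_t replaceWithHaltX86(uint8_t* code, size_t at)
{
    uint8_t old = code[at];
    code[at] = kX86Hlt;
    return old;
}

// Encode "dc zva, Xt". 0xd50b7420 is the SYS encoding of DC ZVA with the
// register field cleared; Xt = 31 (xzr) gives 0xd50b743f, a cache-zero of
// address 0, which faults.
uint32_t arm64DcZva(unsigned rt)
{
    return 0xd50b7420u | (rt & 0x1fu);
}

// Patches a constructed two-byte "nop; ret" buffer and checks the result.
bool haltPatchRoundTripOk()
{
    uint8_t buf[2] = { kX86Nop, kX86Ret };
    return replaceWithHaltX86(buf, 0) == kX86Nop && buf[0] == kX86Hlt && buf[1] == kX86Ret;
}

#if defined(__linux__) && defined(__x86_64__)
#include <ucontext.h>
#ifndef REG_RIP
#define REG_RIP 16 // assumption: glibc/musl x86_64 gregs index, used only if the header lacks it
#endif

static volatile std::sig_atomic_t g_trapped;
static volatile uintptr_t g_faultPc;

static void onSigsegv(int, siginfo_t*, void* ctx)
{
    ucontext_t* uc = static_cast<ucontext_t*>(ctx);
    g_trapped = 1;
    // hlt is a fault: the saved PC is the hlt itself, not the byte after it.
    g_faultPc = static_cast<uintptr_t>(uc->uc_mcontext.gregs[REG_RIP]);
    uc->uc_mcontext.gregs[REG_RIP] += 1; // step over the one-byte hlt onto the ret
}

// 1: hlt faulted and the PC pointed at it; 0: it did not; -1: could not set up.
int runX86HaltDemo()
{
    const size_t page = 4096;
    void* mem = mmap(nullptr, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    uint8_t* code = static_cast<uint8_t*>(mem);
    code[0] = kX86Nop; // the instruction a trap would later replace
    code[1] = kX86Ret;
    replaceWithHaltX86(code, 0);
    if (mprotect(mem, page, PROT_READ | PROT_EXEC) != 0) { munmap(mem, page); return -1; }

    struct sigaction sa, old;
    std::memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = onSigsegv;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGSEGV, &sa, &old) != 0) { munmap(mem, page); return -1; }

    g_trapped = 0;
    g_faultPc = 0;
    void (*fn)();
    std::memcpy(&fn, &code, sizeof fn); // data pointer -> function pointer without a cast
    fn();
    sigaction(SIGSEGV, &old, nullptr);
    bool ok = g_trapped && g_faultPc == reinterpret_cast<uintptr_t>(code);
    munmap(mem, page);
    return ok ? 1 : 0;
}
#else
int runX86HaltDemo() { return -1; }
#endif
```

The same demo with `kX86Int3` instead of `kX86Hlt` would deliver SIGTRAP with the saved PC already past the breakpoint byte, which is the case the deleted `adjustPCToPointToTrappingInstruction` used to compensate for. Expect the `hlt` path to return 1 on Linux/x86_64; note that the handler here trusts the fault unconditionally, whereas a real handler must first confirm the PC lies on a known trap site before treating SIGSEGV as anything other than a crash.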
3035 2017-06-22  Saam Barati  <sbarati@apple.com>
3036
3037         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
3038         https://bugs.webkit.org/show_bug.cgi?id=173743
3039         <rdar://problem/32932536>
3040
3041         Reviewed by Mark Lam.
3042
3043         The code always manually speculates; however, we weren't specifying
3044         ManualOperandSpeculation when creating a JSValueOperand. This would
3045         fire an assertion in JSValueOperand construction for a node like:
3046         Identity(String:@otherNode)
3047         
3048         I spent about 45 minutes trying to craft a test and came up
3049         empty. However, this fixes a debug assertion on an internal
3050         Apple website.
3051
3052         * dfg/DFGSpeculativeJIT32_64.cpp:
3053         (JSC::DFG::SpeculativeJIT::compile):
3054         * dfg/DFGSpeculativeJIT64.cpp:
3055         (JSC::DFG::SpeculativeJIT::compile):
3056
3057 2017-06-22  Saam Barati  <sbarati@apple.com>
3058
3059         ValueRep(DoubleRep(@v)) can not simply convert to @v
3060         https://bugs.webkit.org/show_bug.cgi?id=173687
3061         <rdar://problem/32855563>
3062
3063         Reviewed by Mark Lam.
3064
3065         Consider this IR:
3066          block#x
3067           p: Phi() // int32 and double flows into this phi from various control flow
3068           d: DoubleRep(@p)
3069           some uses of @d here
3070           v: ValueRep(DoubleRepUse:@d)
3071           a: NewArrayWithSize(Int32:@v)
3072           some more nodes here ...
3073         
3074         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
3075         AI proves that the Int32 check will fail. Constant folding phase removes
3076         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
3077         
3078         The IR then looks like this:
3079         block#x
3080           p: Phi() // int32 and double flows into this phi from various control flow
3081           d: DoubleRep(@p)
3082           some uses of @d here
3083           v: ValueRep(DoubleRepUse:@d)
3084           a: NewArrayWithSize(Int32:@v)
3085           Unreachable
3086         
3087         However, there was a strength reduction rule that tries to eliminate redundant
3088         conversions. It used to convert the program to:
3089         block#x
3090           p: Phi() // int32 and double flows into this phi from various control flow
3091           d: DoubleRep(@p)
3092           some uses of @d here
3093           a: NewArrayWithSize(Int32:@p)
3094           Unreachable
3095         
3096         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
3097         and we'll crash. This patch removes this strength reduction rule since it
3098         does not maintain what would have happened if we executed the program before
3099         the rule.
3100         
3101         This rule is also wrong for other types of programs (I'm not sure we'd
3102         actually emit this code, but if such IR were generated, we would previously
3103         optimize it incorrectly):
3104         @a: Constant(JSTrue)
3105         @b: DoubleRep(@a)
3106         @c: ValueRep(@b)
3107         @d: use(@c)
3108         
3109         However, the strength reduction rule would've transformed this into:
3110         @a: Constant(JSTrue)
3111         @d: use(@a)
3112         
3113         And this would be wrong because node @c before the transformation would
3114         have produced the JSValue jsNumber(1.0).
3115         
3116         This patch was neutral in the benchmark run I did.
3117
3118         * dfg/DFGStrengthReductionPhase.cpp:
3119         (JSC::DFG::StrengthReductionPhase::handleNode):
3120
3121 2017-06-22  JF Bastien  <jfbastien@apple.com>
3122
3123         ARM64: doubled executable memory limit from 32MiB to 64MiB
3124         https://bugs.webkit.org/show_bug.cgi?id=173734
3125         <rdar://problem/32932407>
3126
3127         Reviewed by Oliver Hunt.
3128
3129         Some WebAssembly programs stress the amount of memory we have
3130         available, especially when we consider tiering (BBQ never dies,
3131         and is bigger than OMG). Tiering to OMG just piles on more memory,
3132         and we're also competing with JavaScript.
3133
3134         * jit/ExecutableAllocator.h:
3135
3136 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
3137
3138         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
3139         https://bugs.webkit.org/show_bug.cgi?id=173698
3140
3141         Reviewed by Matt Baker.
3142
3143         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
3144         when preparing Inspector pause information is spent generating object previews for
3145         the `thisObject` of each of the call frames. In some cases, this could be more
3146         than 95% of the time generating pause information. In the common case, only one of
3147         these (the top frame) will ever be seen by users. This change avoids eagerly
3148         generating object previews up front and lets the frontend request previews if they
3149         are needed.
3150
3151         This introduces the `Runtime.getPreview` protocol command. This can be used to:
3152
3153             - Get a preview for a RemoteObject that did not have a preview but could.
3154             - Update a preview for a RemoteObject that had a preview.
3155
3156         This patch only uses it for the first case, but the second is valid and may be
3157         something we want to do in the future.
3158
3159         * inspector/protocol/Runtime.json:
3160         A new command to get an up to date preview for an object.
3161
3162         * inspector/InjectedScript.h:
3163         * inspector/InjectedScript.cpp:
3164         (Inspector::InjectedScript::getPreview):
3165         * inspector/agents/InspectorRuntimeAgent.cpp:
3166         (Inspector::InspectorRuntimeAgent::getPreview):
3167         * inspector/agents/InspectorRuntimeAgent.h:
3168         Plumbing for the new command.
3169
3170         * inspector/InjectedScriptSource.js:
3171         (InjectedScript.prototype.getPreview):
3172         Implementation just uses the existing helper.
3173
3174         (InjectedScript.CallFrameProxy):
3175         Do not generate a preview for the this object as it may not be shown.
3176         Let the frontend request a preview if it wants or needs one.
3177
3178 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
3179
3180         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
3181         https://bugs.webkit.org/show_bug.cgi?id=173686
3182
3183         Reviewed by Mark Lam.
3184
3185         * inspector/InjectedScript.cpp:
3186         (Inspector::InjectedScript::functionDetails):
3187         * inspector/InjectedScriptSource.js:
3188         (InjectedScript.prototype.functionDetails):
3189         * inspector/JSInjectedScriptHost.cpp:
3190         (Inspector::JSInjectedScriptHost::functionDetails):
3191
3192 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3193
3194         [JSC] Object.values should be implemented in C++
3195         https://bugs.webkit.org/show_bug.cgi?id=173703
3196
3197         Reviewed by Sam Weinig.
3198
3199         As with Object.assign, Object.values() is also inherently polymorphic.
3200         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
3201         result is costly.
3202
3203         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
3204         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
3205         non-observable JSObject::get() calls.
3206
3207         This improves performance by 2.49x. And also now Object.values() beats
3208         Object.keys(object).map(key => object[key]) implementation.
3209
3210                                              baseline                  patched
3211
3212             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
3213             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
3214
3215         * builtins/ObjectConstructor.js:
3216         (values): Deleted.
3217         * runtime/ObjectConstructor.cpp:
3218         (JSC::objectConstructorValues):
3219
3220 2017-06-21  Saam Barati  <sbarati@apple.com>
3221
3222         ArrayPrototype.map builtin declares a var it does not use
3223         https://bugs.webkit.org/show_bug.cgi?id=173685
3224
3225         Reviewed by Keith Miller.
3226
3227         * builtins/ArrayPrototype.js:
3228         (map):
3229
3230 2017-06-21  Saam Barati  <sbarati@apple.com>
3231
3232         eval virtual call is incorrect in the baseline JIT
3233         https://bugs.webkit.org/show_bug.cgi?id=173587
3234         <rdar://problem/32867897>
3235
3236         Reviewed by Michael Saboff.
3237
3238         When making a virtual call for call_eval, e.g., when the thing
3239         we're calling isn't actually eval, we end up calling the caller
3240         instead of the callee. This is clearly wrong. The code ends up
3241         issuing a load for the Callee in the callers frame instead of
3242         the callee we're calling. The fix is simple, we just need to
3243         load the real callee. Only the 32-bit baseline JIT had this bug.
3244
3245         * jit/JITCall32_64.cpp:
3246         (JSC::JIT::compileCallEvalSlowCase):
3247
3248 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
3249
3250         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
3251         https://bugs.webkit.org/show_bug.cgi?id=172432
3252         <rdar://problem/29870873>
3253
3254         Reviewed by Saam Barati.
3255
3256         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
3257         We will proceed to improve debugging of these cases in the follow-up bugs.
3258
3259         * debugger/Debugger.cpp:
3260         (JSC::Debugger::exception):
3261         Ignore pausing on these errors.
3262
3263         * runtime/ErrorInstance.h:
3264         (JSC::ErrorInstance::setStackOverflowError):
3265         (JSC::ErrorInstance::isStackOverflowError):
3266         (JSC::ErrorInstance::setOutOfMemoryError):
3267         (JSC::ErrorInstance::isOutOfMemoryError):
3268         * runtime/ExceptionHelpers.cpp:
3269         (JSC::createStackOverflowError):
3270         * runtime/Error.cpp:
3271         (JSC::createOutOfMemoryError):
3272         Mark these kinds of errors.
3273
3274 2017-06-21  Saam Barati  <sbarati@apple.com>
3275
3276         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
3277         https://bugs.webkit.org/show_bug.cgi?id=173609
3278
3279         Reviewed by Keith Miller.
3280
3281         This patch makes many of the IC generating functions require a locker as
3282         a parameter. We do this in other places in JSC to indicate that
3283         a particular API is only valid while a particular lock is held.
3284         This is the case when generating ICs. This patch just makes it
3285         explicit in the IC generating interface.
3286
3287         * bytecode/PolymorphicAccess.cpp:
3288         (JSC::PolymorphicAccess::addCases):
3289         (JSC::PolymorphicAccess::addCase):
3290         (JSC::PolymorphicAccess::commit):
3291         (JSC::PolymorphicAccess::regenerate):
3292         * bytecode/PolymorphicAccess.h:
3293         * bytecode/StructureStubInfo.cpp:
3294         (JSC::StructureStubInfo::addAccessCase):
3295         (JSC::StructureStubInfo::initStub): Deleted.
3296         * bytecode/StructureStubInfo.h:
3297         * jit/Repatch.cpp:
3298         (JSC::tryCacheGetByID):
3299         (JSC::repatchGetByID):
3300         (JSC::tryCachePutByID):
3301         (JSC::repatchPutByID):
3302         (JSC::tryRepatchIn):
3303         (JSC::repatchIn):
3304
3305 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
3306
3307         Disable font variations on macOS Sierra and iOS 10
3308         https://bugs.webkit.org/show_bug.cgi?id=173618
3309         <rdar://problem/32879164>
3310
3311         Reviewed by Jon Lee.
3312
3313         * Configurations/FeatureDefines.xcconfig:
3314
3315 2017-06-20  Keith Miller  <keith_miller@apple.com>
3316
3317         Fix leak of ModuleInformations in BBQPlan constructors.
3318         https://bugs.webkit.org/show_bug.cgi?id=173577
3319
3320         Reviewed by Saam Barati.
3321
3322         This patch fixes a leak in the BBQPlan constructors. Previously,
3323         the plans were calling makeRef on the newly constructed objects.
3324         This patch fixes the issue and uses adoptRef instead. Additionally,
3325         an old, incorrect, attempt to fix the leak is removed.
3326
3327         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3328         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3329         * jit/JITWorklist.cpp:
3330         (JSC::JITWorklist::Thread::Thread):
3331         * runtime/PromiseDeferredTimer.cpp:
3332         (JSC::PromiseDeferredTimer::addPendingPromise):
3333         * runtime/VM.cpp:
3334         (JSC::VM::VM):
3335         * wasm/WasmBBQPlan.cpp:
3336         (JSC::Wasm::BBQPlan::BBQPlan):
3337         * wasm/WasmPlan.cpp:
3338         (JSC::Wasm::Plan::Plan):
3339
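Added example, not WTF or WebKit code: a minimal intrusive refcount that models the rule behind the BBQPlan leak fix above. As with WTF::RefCounted, a freshly constructed object starts with a count of 1 that belongs to whoever created it. Wrapping it with makeRef() takes a second reference, so when that Ref dies one count is still outstanding and the object is never freed; adoptRef() instead takes over the creator's count. The RefCounted and Ref bodies are this example's own, and ModuleInformation is an empty stand-in for the class named in the entry.

```cpp
#include <cstddef>

static std::size_t g_liveObjects = 0; // constructed-minus-destroyed, for the demo

class RefCounted {
public:
    RefCounted() : m_refCount(1) { ++g_liveObjects; } // the creator owns this 1
    virtual ~RefCounted() { --g_liveObjects; }
    void ref() { ++m_refCount; }
    void deref() { if (--m_refCount == 0) delete this; }
    std::size_t refCount() const { return m_refCount; }
private:
    std::size_t m_refCount;
};

struct AdoptTag {};

template<typename T>
class Ref {
public:
    Ref(T& object, AdoptTag) : m_ptr(&object) {}               // adopt: take the existing count
    explicit Ref(T& object) : m_ptr(&object) { m_ptr->ref(); } // share: add a count
    Ref(Ref&& other) : m_ptr(other.m_ptr) { other.m_ptr = nullptr; }
    ~Ref() { if (m_ptr) m_ptr->deref(); }
    Ref(const Ref&) = delete;
    Ref& operator=(const Ref&) = delete;
    T& get() const { return *m_ptr; }
private:
    T* m_ptr;
};

template<typename T> Ref<T> adoptRef(T& object) { return Ref<T>(object, AdoptTag{}); }
template<typename T> Ref<T> makeRef(T& object)  { return Ref<T>(object); }

struct ModuleInformation : RefCounted {};

// The bug: makeRef on a freshly created object. Creator's count and Ref's
// count are both outstanding; when the Ref dies one remains forever.
// Returns how many objects are still alive after the Ref is gone (1).
std::size_t leakedObjectsWithMakeRef()
{
    std::size_t before = g_liveObjects;
    ModuleInformation* raw = new ModuleInformation;      // count 1
    {
        Ref<ModuleInformation> info = makeRef(*raw);     // count 2
        (void)info;
    }                                                    // count 1: leaked
    std::size_t leaked = g_liveObjects - before;
    raw->deref(); // only possible because the demo kept `raw`; real callers
                  // do not, which is exactly the leak the entry fixes
    return leaked;
}

// The fix: adoptRef takes ownership of the creator's count, so the Ref frees it.
std::size_t leakedObjectsWithAdoptRef()
{
    std::size_t before = g_liveObjects;
    {
        Ref<ModuleInformation> info = adoptRef(*new ModuleInformation); // count 1, owned by info
        (void)info;
    }                                                    // count 0: deleted
    return g_liveObjects - before;
}

// Observe the count while the Ref is alive: 2 under makeRef, 1 under adoptRef.
std::size_t refCountAfterWrap(bool useAdoptRef)
{
    ModuleInformation* raw = new ModuleInformation;
    std::size_t count;
    if (useAdoptRef) {
        Ref<ModuleInformation> r = adoptRef(*raw);
        count = r.get().refCount();
    } else {
        Ref<ModuleInformation> r = makeRef(*raw);
        count = r.get().refCount();
        raw->deref(); // drop the creator's count so this demo does not leak
    }
    return count;
}
```

The rule this encodes: `adoptRef(*new T)` at the point of construction, `makeRef(x)` only for objects someone else already owns. Getting it backwards in the other direction (adoptRef on an object that is already owned) is the mirror failure, a double free rather than a leak, which is why a refcount model where the initial count belongs to the creator needs the adopt/share distinction spelled out in the API.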
3340 2017-06-20  Devin Rousso  <drousso@apple.com>
3341
3342         Web Inspector: Send context attributes for tracked canvases
3343         https://bugs.webkit.org/show_bug.cgi?id=173327
3344
3345         Reviewed by Joseph Pecoraro.
3346
3347         * inspector/protocol/Canvas.json:
3348         Add ContextAttributes object type that is optionally used for WebGL canvases.
3349
3350 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
3351
3352         Remove excessive include directives from WTF
3353         https://bugs.webkit.org/show_bug.cgi?id=173553
3354
3355         Reviewed by Saam Barati.
3356
3357         * profiler/ProfilerDatabase.cpp: Added missing include directive.
3358         * runtime/SamplingProfiler.cpp: Ditto.
3359
3360 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
3361
3362         Revert changes in bug#160417 about extending `null` not being a derived class
3363         https://bugs.webkit.org/show_bug.cgi?id=169293
3364
3365         Reviewed by Saam Barati.
3366
3367         Reverted changes in bug#160417 about extending `null` not being a derived class 
3368         according to changes in spec:
3369         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
3370
3371         * builtins/BuiltinNames.h:
3372         * bytecompiler/BytecodeGenerator.cpp:
3373         (JSC::BytecodeGenerator::BytecodeGenerator):
3374         (JSC::BytecodeGenerator::emitReturn):
3375         * bytecompiler/NodesCodegen.cpp:
3376         (JSC::ClassExprNode::emitBytecode):
3377
3378 2017-06-20  Saam Barati  <sbarati@apple.com>
3379
3380         repatchIn needs to lock the CodeBlock's lock
3381         https://bugs.webkit.org/show_bug.cgi?id=173573
3382
3383         Reviewed by Yusuke Suzuki.
3384
3385         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
3386         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
3387         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
3388         with the marking thread. repatchIn was not grabbing the lock. I haven't been
3389         able to get it to crash, but this is needed for the same reasons that get and put IC
3390         regeneration grab the lock.
3391
3392         * jit/Repatch.cpp:
3393         (JSC::repatchIn):
3394
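Added example, not JSC code, for the two IC locking entries above (the one requiring a locker parameter for IC generation, and the repatchIn fix): the "locker as a parameter" idiom makes "this is only valid while the lock is held" part of a function's signature, so a call site like the unlocked repatchIn cannot compile without a live Locker. Locker, StubOwner, AccessCase, regenerateIC and demoRegenerate are this example's own names and stand-ins; the CodeBlock and StructureStubInfo types themselves are not modelled.

```cpp
#include <cstddef>
#include <mutex>
#include <vector>

// Scoped lock whose presence in a signature documents "lock must be held".
class Locker {
public:
    explicit Locker(std::mutex& m) : m_mutex(m) { m_mutex.lock(); }
    ~Locker() { m_mutex.unlock(); }
    Locker(const Locker&) = delete;
    Locker& operator=(const Locker&) = delete;
private:
    std::mutex& m_mutex;
};

struct AccessCase { std::size_t structureId; };

// Stand-in for the CodeBlock/StructureStubInfo pair: one lock guards the
// list of cases that both the executing thread and the marking thread touch.
class StubOwner {
public:
    std::mutex& lock() { return m_lock; }

    // The Locker parameter is never read. It exists so that these cannot be
    // called without a live Locker, i.e. the lock-held contract is checked
    // by the compiler instead of by convention.
    void addAccessCase(const Locker&, AccessCase c) { m_cases.push_back(c); }
    std::size_t caseCount(const Locker&) const { return m_cases.size(); }

    // What the marking thread does: takes the lock itself, then reads.
    std::size_t caseCountFromMarker()
    {
        Locker locker(m_lock);
        return caseCount(locker);
    }

private:
    std::mutex m_lock;
    std::vector<AccessCase> m_cases;
};

// IC regeneration path (the repatchGetByID/repatchPutByID/repatchIn shape):
// take the lock once at the top and pass the locker down to every helper.
std::size_t regenerateIC(StubOwner& owner, const std::vector<std::size_t>& structures)
{
    Locker locker(owner.lock());
    for (std::size_t id : structures)
        owner.addAccessCase(locker, AccessCase{ id });
    // owner.addAccessCase(AccessCase{ 1 });  // does not compile: no Locker in hand
    return owner.caseCount(locker);
}

// Regenerates with a constructed set of structure ids, then reads the count
// the way the marking thread would. Returns that count (3).
std::size_t demoRegenerate()
{
    StubOwner owner;
    regenerateIC(owner, { 7, 8, 9 });
    return owner.caseCountFromMarker();
}

// Empty regeneration still takes and releases the lock cleanly; returns 0.
std::size_t demoRegenerateEmpty()
{
    StubOwner owner;
    return regenerateIC(owner, {});
}
```

Two limits of the idiom worth keeping in mind: the compiler checks that some Locker exists, not that it guards this particular object's lock, and `std::mutex` is not recursive, so calling `caseCountFromMarker()` from inside `regenerateIC()` would deadlock rather than fail to compile.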
3395 2017-06-19  Devin Rousso  <drousso@apple.com>
3396
3397         Web Inspector: create canvas content view and details sidebar panel
3398         https://bugs.webkit.org/show_bug.cgi?id=138941
3399         <rdar://problem/19051672>
3400
3401         Reviewed by Joseph Pecoraro.
3402
3403         * inspector/protocol/Canvas.json:
3404          - Add an optional `nodeId` attribute to the `Canvas` type.
3405          - Add `requestNode` command for getting the node id of the backing canvas element.
3406          - Add `requestContent` command for getting the current image content of the canvas.
3407
3408 2017-06-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3409
3410         Unreviewed, build fix for ARM
3411
3412         * assembler/MacroAssemblerARM.h: