4441f73201c3af082114e59d902c5e39a1ff4a1d
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-12-14  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
        https://bugs.webkit.org/show_bug.cgi?id=180770

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:

2017-12-14  Keith Miller  <keith_miller@apple.com>

        Fix assertion in JSObject's structure setting methods
        https://bugs.webkit.org/show_bug.cgi?id=180840

        Reviewed by Mark Lam.

        I forgot that when Typed Arrays have non-indexed properties
        added to them, they call the generic code. The generic code
        in turn calls the regular structure setting methods. Thus,
        these assertions were invalid and we should just avoid setting
        the indexing mask if we have a Typed Array.

        * runtime/JSObject.h:
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):

2017-12-14  Michael Saboff  <msaboff@apple.com>

        REGRESSION (r225695): Repro crash on yahoo login page
        https://bugs.webkit.org/show_bug.cgi?id=180761

        Reviewed by JF Bastien.

        Relanding r225695 with a fix.

        The fix is that we need to save the return address for a parentheses in
        the ParenContext because it is actually used by any immediately contained
        alternatives.

        Also did a little refactoring, changing occurrences of PatternContext to
        ParenContext since that is the name of the structure.

        * runtime/RegExp.cpp:
        (JSC::byteCodeCompilePattern):
        (JSC::RegExp::byteCodeCompileIfNecessary):
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * testRegExp.cpp:
        (parseRegExpLine):
        (runFromFiles):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
        (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
        (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
        (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
        (JSC::Yarr::YarrGenerator::initParenContextFreeList):
        (JSC::Yarr::YarrGenerator::allocateParenContext):
        (JSC::Yarr::YarrGenerator::freeParenContext):
        (JSC::Yarr::YarrGenerator::saveParenContext):
        (JSC::Yarr::YarrGenerator::restoreParenContext):
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::storeToFrame):
        (JSC::Yarr::YarrGenerator::generateJITFailReturn):
        (JSC::Yarr::YarrGenerator::clearMatches):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::dumpCharacterClass):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::PatternTerm::containsAnyCaptures):
        (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
        (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
        (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
        (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
        (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.

2017-12-13  Keith Miller  <keith_miller@apple.com>

        JSObjects should have a mask for loading indexed properties
        https://bugs.webkit.org/show_bug.cgi?id=180768

        Reviewed by Mark Lam.

        This patch adds a new member to JSObject that holds an indexing
        mask.  The indexing mask is bitwise anded with the index used to
        load a property.  If for whatever reason an attacker is able to
        clobber the vectorLength of our butterfly they still won't be able
        to read substantially past the end of the butterfly. For
        performance reasons we don't use the indexing masking for
        TypedArrays. Since TypedArrays are already gigacaged the risk of
        wild reads is still restricted.

        This patch is a <1% regression on Speedometer and ~3% regression
        on JetStream in my testing.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::urshiftPtr):
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
        (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
        (JSC::DFG::SpeculativeJIT::compileCreateActivation):
        (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
        (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
        * ftl/FTLAbstractHeap.cpp:
        (JSC::FTL::IndexedAbstractHeap::baseIndex):
        * ftl/FTLAbstractHeap.h:
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
        (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
        (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
        (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
        * ftl/FTLOutput.h:
        (JSC::FTL::Output::baseIndex):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
        (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
        (JSC::AssemblyHelpers::emitAllocateJSObject):
        (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
        (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        (JSC::AssemblyHelpers::storeButterfly): Deleted.
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_new_object):
        (JSC::JIT::emit_op_create_this):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayStorage.h:
        (JSC::ArrayStorage::availableVectorLength):
        * runtime/Butterfly.h:
        (JSC::ContiguousData::ContiguousData):
        (JSC::ContiguousData::at const):
        (JSC::ContiguousData::at):
        (JSC::Butterfly::publicLength const):
        (JSC::Butterfly::vectorLength const):
        (JSC::Butterfly::computeIndexingMaskForVectorLength):
        (JSC::Butterfly::computeIndexingMask):
        (JSC::Butterfly::contiguousInt32):
        (JSC::ContiguousData::operator[] const): Deleted.
        (JSC::ContiguousData::operator[]): Deleted.
        (JSC::Butterfly::publicLength): Deleted.
        (JSC::Butterfly::vectorLength): Deleted.
        * runtime/ButterflyInlines.h:
        (JSC::ContiguousData<T>::at const):
        (JSC::ContiguousData<T>::at):
        * runtime/ClonedArguments.cpp:
        (JSC::ClonedArguments::createEmpty):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::appendMemcpy):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::JSArrayBufferView):
        * runtime/JSArrayInlines.h:
        (JSC::JSArray::pushInline):
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::createFromArray):
        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
        * runtime/JSObject.cpp:
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::createInitialInt32):
        (JSC::JSObject::createInitialDouble):
        (JSC::JSObject::createInitialContiguous):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::createInitialForValueAndSet):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::countElements):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::getEnumerableLength):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterflyIndexingMaskOffset):
        (JSC::JSObject::butterflyIndexingMask const):
        (JSC::JSObject::setButterflyWithIndexingMask):
        (JSC::JSObject::setButterfly):
        (JSC::JSObject::nukeStructureAndSetButterfly):
        (JSC::JSObject::JSObject):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/Structure.cpp:
        (JSC::Structure::flattenDictionaryStructure):
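
The indexing-mask mitigation described in the entry above, as an added example in C that is not part of the WebKit patch: a constructed JSObject/butterfly model with the pre-patch unmasked fast-path load beside the masked one, and a check that a corrupted vectorLength header cannot push the masked load outside the allocation. The struct layout, the mask rule (next power of two above vectorLength, minus one) and every function name here are assumptions of the example; the Typed Array exemption from the entry is not modelled.

```c
#include <stdint.h>
#include <stdlib.h>

/* Simplified model of a JSObject with indexed storage in a butterfly.
 * Field names follow the ChangeLog (vectorLength, butterflyIndexingMask) but
 * the layout is a constructed illustration, not JSC's real object layout. */
typedef struct {
    uint32_t publicLength;   /* length visible to script */
    uint32_t vectorLength;   /* number of allocated slots */
    uint64_t slots[];        /* the indexed storage itself */
} Butterfly;

typedef struct {
    Butterfly *butterfly;
    uint32_t butterflyIndexingMask; /* on the object, not in the butterfly header */
} JSObjectModel;

/* Assumed mask rule: the smallest all-ones value that covers every valid index
 * (next power of two above vectorLength, minus one). JSC's exact rule may
 * differ in detail; the property that matters is mask < 2 * vectorLength. */
uint32_t compute_indexing_mask(uint32_t vectorLength)
{
    if (vectorLength == 0)
        return 0;
    uint32_t mask = 0;
    while (mask < vectorLength - 1)
        mask = (mask << 1) | 1;
    return mask;
}

/* Allocation: the mask is derived once, from the vectorLength we just chose. */
int object_create(JSObjectModel *obj, uint32_t vectorLength)
{
    Butterfly *b = calloc(1, sizeof(Butterfly) + (size_t)vectorLength * sizeof(uint64_t));
    if (!b)
        return 0;
    b->publicLength = vectorLength;
    b->vectorLength = vectorLength;
    obj->butterfly = b;
    obj->butterflyIndexingMask = compute_indexing_mask(vectorLength);
    return 1;
}

void object_destroy(JSObjectModel *obj)
{
    free(obj->butterfly);
    obj->butterfly = NULL;
}

/* Fast-path indexed load before the patch: a bounds check against the
 * butterfly's own vectorLength, then a direct load. If that header word is
 * corrupted, the check no longer bounds the read. */
int unmasked_load(const JSObjectModel *obj, uint32_t index, uint64_t *out)
{
    const Butterfly *b = obj->butterfly;
    if (index >= b->vectorLength)
        return 0; /* take the slow path */
    *out = b->slots[index];
    return 1;
}

/* Fast-path indexed load after the patch: same check, but the index that
 * reaches memory is ANDed with the mask stored on the object, so the
 * farthest slot touched is slots[mask] regardless of what vectorLength says. */
int masked_load(const JSObjectModel *obj, uint32_t index, uint64_t *out)
{
    const Butterfly *b = obj->butterfly;
    if (index >= b->vectorLength)
        return 0;
    *out = b->slots[index & obj->butterflyIndexingMask];
    return 1;
}

/* Scenario from the ChangeLog as a self-contained check: allocate 8 slots,
 * simulate a corrupted vectorLength header, and observe that the masked load
 * stays inside the 8-slot allocation. Returns the index of the real slot the
 * masked path read (0..7), or -1 on failure. */
int demo_corrupted_vector_length(uint32_t requestedIndex)
{
    JSObjectModel obj;
    if (!object_create(&obj, 8))
        return -1;
    for (uint32_t i = 0; i < 8; i++)
        obj.butterfly->slots[i] = 100 + i;  /* constructed sample contents */

    obj.butterfly->vectorLength = UINT32_MAX; /* the simulated corruption */

    uint64_t v = 0;
    int ok = masked_load(&obj, requestedIndex, &v);
    object_destroy(&obj);
    if (!ok)
        return -1;
    return (int)(v - 100); /* recovers which of the 8 real slots was read */
}
```

With the same corrupted header, unmasked_load would index far past the 8 slots, which is exactly the read the mask confines to at most slots[mask].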

2017-12-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project

        Fixes the following warning during builds:

            Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h

        * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
        entries for JSCPoisonedPtr.h.

2017-12-14  David Kilzer  <ddkilzer@apple.com>

        REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
        <https://bugs.webkit.org/show_bug.cgi?id=180738>

        * runtime/InferredValue.h: Attempt to fix build by adding
        missing #include statements.

2017-12-13  Filip Pizlo  <fpizlo@apple.com>

        Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
        https://bugs.webkit.org/show_bug.cgi?id=180783

        Reviewed by Saam Barati.

        This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:

            BB#1:
                a: Load(@x)
                b: Load(@x)
                c: Load(@b)
            BB#2:
                d: Load(@b)
            BB#3:
                e: Load(@b)

        Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
        with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
        this:

            BB#1:
                a: Load(@x)
                b: Load(@x)
                c: Load(@a)
                memoryAtTail: {@x=>@a, @a=>@c}
            BB#2:
                d: Load(@a) [sic]
                memoryAtTail: {@b=>@d}
            BB#3:
                e: Load(@b)
                memoryAtTail: {@b=>@e} [sic]

        Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
        But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
        map, we don't find it and leave the redundancy.

        I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
        this. It fixes the richards regression, since richards is super dependent on B3 CSE.

        * b3/B3EliminateCommonSubexpressions.cpp: Logging.
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir): Fix the bug.
        * b3/air/AirReportUsedRegisters.cpp:
        (JSC::B3::Air::reportUsedRegisters): Logging.
        * dfg/DFGByteCodeParser.cpp:
        * dfg/DFGSSAConversionPhase.cpp:
        (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).

2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>

        REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
        https://bugs.webkit.org/show_bug.cgi?id=180787
        <rdar://problem/35934838>

        Reviewed by Brian Burg.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        For empty / null strings just return. There is no use
        trying to search them for a long common syntax.

2017-12-13  Saam Barati  <sbarati@apple.com>

        Arrow functions need their own structure because they have different properties than sloppy functions
        https://bugs.webkit.org/show_bug.cgi?id=180779
        <rdar://problem/35814591>

        Reviewed by Mark Lam.

        We were using the same structure for sloppy functions and
        arrow functions. This broke our IC caching machinery because
        these two types of functions actually have different properties.
        This patch gives them different structures.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewFunction):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
        * runtime/FunctionConstructor.cpp:
        (JSC::constructFunctionSkippingEvalEnabledCheck):
        * runtime/JSFunction.cpp:
        (JSC::JSFunction::selectStructureForNewFuncExp):
        (JSC::JSFunction::create):
        * runtime/JSFunction.h:
        * runtime/JSFunctionInlines.h:
        (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        (JSC::JSGlobalObject::visitChildren):
        * runtime/JSGlobalObject.h:
        (JSC::JSGlobalObject::arrowFunctionStructure const):

2017-12-12  Filip Pizlo  <fpizlo@apple.com>

        InferredValue should use IsoSubspace
        https://bugs.webkit.org/show_bug.cgi?id=180738

        Reviewed by Keith Miller.

        This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
        its UnconditionalFinalizer.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * runtime/InferredValue.cpp:
        (JSC::InferredValue::visitChildren):
        (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
        (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
        (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
        * runtime/InferredValue.h:
        (JSC::InferredValue::subspaceFor):
        * runtime/InferredValueInlines.h: Added.
        (JSC::InferredValue::finalizeUnconditionally):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-12-13  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: add instrumentation for ImageBitmapRenderingContext
        https://bugs.webkit.org/show_bug.cgi?id=180736

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Canvas.json:
        * inspector/scripts/codegen/generator.py:

2017-12-13  Saam Barati  <sbarati@apple.com>

        Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
        https://bugs.webkit.org/show_bug.cgi?id=180771

        Reviewed by JF Bastien.

        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-13  Saam Barati  <sbarati@apple.com>

        REGRESSION(r225844): Around 850 new JSC failures on 32-bit
        https://bugs.webkit.org/show_bug.cgi?id=180764

        Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.

        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-13  Michael Saboff  <msaboff@apple.com>

        Unreviewed rollout of r225695. Caused a crash on yahoo login page.

        That bug is tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.

        * runtime/RegExp.cpp:
        (JSC::RegExp::compile):
        (JSC::RegExp::compileMatchOnly):
        (JSC::byteCodeCompilePattern): Deleted.
        (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
        * runtime/RegExp.h:
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * testRegExp.cpp:
        (parseRegExpLine):
        (runFromFiles):
        * yarr/Yarr.h:
        * yarr/YarrInterpreter.cpp:
        (JSC::Yarr::ByteCompiler::compile):
        (JSC::Yarr::ByteCompiler::dumpDisjunction):
        (JSC::Yarr::ByteCompiler::emitDisjunction):
        * yarr/YarrJIT.cpp:
        (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
        (JSC::Yarr::YarrGenerator::generate):
        (JSC::Yarr::YarrGenerator::backtrack):
        (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
        (JSC::Yarr::YarrGenerator::generateEnter):
        (JSC::Yarr::YarrGenerator::generateReturn):
        (JSC::Yarr::YarrGenerator::YarrGenerator):
        (JSC::Yarr::YarrGenerator::compile):
        (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
        (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
        (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
        (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
        (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
        (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
        (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
        (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
        (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
        * yarr/YarrJIT.h:
        (JSC::Yarr::YarrCodeBlock::execute):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        (JSC::Yarr::dumpCharacterClass): Deleted.
        * yarr/YarrPattern.h:
        (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
        (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
        (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
        (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
        (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
        (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
        (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
        (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.

2017-12-13  Mark Lam  <mark.lam@apple.com>

        Fill out some Poisoned APIs, fix some bugs, and add some tests.
        https://bugs.webkit.org/show_bug.cgi?id=180724
        <rdar://problem/36006884>

        Reviewed by JF Bastien.

        * runtime/StructureTransitionTable.h:

2017-12-13  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Breaking tests on Debug build and 32-bit due to missing Exception check
        https://bugs.webkit.org/show_bug.cgi?id=180746

        Reviewed by Saam Barati.

        We have some uncaught exceptions that could happen due to OOM in
        JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch
        catches such exceptions properly.

        * runtime/JSBigInt.cpp:
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::parseInt):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::toStringSlowCase const):

2017-12-13  Saam Barati  <sbarati@apple.com>

        Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
        https://bugs.webkit.org/show_bug.cgi?id=163579
        <rdar://problem/35455798>

        Reviewed by Mark Lam.

        Some functions in JavaScript do not have the "caller" and "arguments" properties.
        For example, strict functions do not. When reading our code that dealt with these
        types of functions, it was simply all wrong. We were doing weird things depending
        on the method table hook. This patch fixes this by doing what we should've been
        doing all along: when the JSFunction does not own the "caller"/"arguments" property,
        it should defer to its base class implementation for the various method table hooks.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):

2017-12-13  Saam Barati  <sbarati@apple.com>

        TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
        https://bugs.webkit.org/show_bug.cgi?id=180734
        <rdar://problem/35640547>

        Reviewed by Yusuke Suzuki.

        The |this| value may be TDZ. If type check hoisting phase
        hoists a CheckStructure to it, it will crash. This patch
        makes it so we emit CheckStructureOrEmpty for |this|.

        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::run):

2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize Object.assign by single transition acceleration
        https://bugs.webkit.org/show_bug.cgi?id=180644

        Reviewed by Saam Barati.

        Handling single transition is critical. Since this get() function is only used
        in 2 functions in Structure.cpp and it is quite small, we can annotate it `inline`
        to accelerate it.

        This improves SixSpeed/object-assign.es6 by 2.8%.

                                    baseline                  patched

        object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster

        * runtime/Structure.cpp:
        (JSC::StructureTransitionTable::get const):

2017-12-12  Filip Pizlo  <fpizlo@apple.com>

        Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
        https://bugs.webkit.org/show_bug.cgi?id=180732

        Rubber stamped by Mark Lam.

        We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
        scalable enough to support that, so we should do it carefully.

        * heap/MarkedSpace.cpp:
        * runtime/PropertyMapHashTable.h:
        * runtime/Structure.h:
        * runtime/StructureRareData.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-12-12  Saam Barati  <sbarati@apple.com>

        We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
        https://bugs.webkit.org/show_bug.cgi?id=180725
        <rdar://problem/35970511>

        Reviewed by Michael Saboff.

        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGPreciseLocalClobberize.h:
        (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):

2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Implement optimized WeakMap and WeakSet
        https://bugs.webkit.org/show_bug.cgi?id=179929

        Reviewed by Saam Barati.

        This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
        This is similar to HashMapImpl. But,

        1. WeakMapImpl's bucket is not allocated in the GC heap since WeakMap
        does not need to have iterators.

        2. WeakMapImpl's buffer is allocated in the JSValue Gigacage instead
        of the auxiliary buffer. This is because we would like to allocate the buffer
        when finalizing GC. At that time, WeakMapImpl prunes dead entries and
        shrinks it if necessary. However, allocating from the GC heap during
        finalization is not allowed.

        In particular, (2) is important since it ensures any WeakMap operations
        do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
        and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
        do not cause GC makes our implementation simple. To ensure this, we place
        DisallowGC for each WeakMap's interface.

        In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
        WeakMapGet looks up an entry in WeakMapImpl and returns a value. If it is
        a WeakMap, it returns the value, and it returns the key if it is a WeakSet.
        If it does not find a corresponding entry, it returns JSEmpty.
        ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.

        This patch improves WeakMap and WeakSet operations.

                                     baseline                  patched

            weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
            weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * dfg/DFGAbstractHeap.h:
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasHeapPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
        (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLAbstractHeapRepository.h:
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
        (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
        * inspector/JSInjectedScriptHost.cpp:
        (Inspector::JSInjectedScriptHost::weakMapEntries):
        (Inspector::JSInjectedScriptHost::weakSetEntries):
        The existing code is incorrect: it can run GC and break WeakMap's iterator.
        We introduce a takeSnapshot function to WeakMapImpl, which retrieves live
        entries without causing any GC.

        * runtime/HashMapImpl.h:
        (JSC::shouldShrink):
        (JSC::shouldRehashAfterAdd):
        (JSC::nextCapacity):
        (JSC::HashMapImpl::shouldRehashAfterAdd const):
        (JSC::HashMapImpl::shouldShrink const):
        (JSC::HashMapImpl::rehash):
        (JSC::WeakMapHash::hash): Deleted.
        (JSC::WeakMapHash::equal): Deleted.
        * runtime/Intrinsic.cpp:
        (JSC::intrinsicName):
        * runtime/Intrinsic.h:
        * runtime/JSWeakMap.cpp:
        * runtime/JSWeakMap.h:
        * runtime/JSWeakSet.cpp:
        * runtime/JSWeakSet.h:
        * runtime/VM.cpp:
        * runtime/WeakGCMap.h:
        (JSC::WeakGCMap::forEach): Deleted.
        * runtime/WeakMapBase.cpp: Removed.
        * runtime/WeakMapBase.h: Removed.
719         * runtime/WeakMapBase.cpp: Removed.
720         * runtime/WeakMapBase.h: Removed.
721         * runtime/WeakMapConstructor.cpp:
722         (JSC::constructWeakMap):
723         * runtime/WeakMapImpl.cpp: Added.
724         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
725         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
726         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
727         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
728         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
729         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
730         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
731         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
732         * runtime/WeakMapImpl.h: Added.
733         (JSC::jsWeakMapHash):
734         (JSC::nextCapacityAfterRemoveBatching):
735         (JSC::WeakMapBucket::setKey):
736         (JSC::WeakMapBucket::setValue):
737         (JSC::WeakMapBucket::key const):
738         (JSC::WeakMapBucket::value const):
739         (JSC::WeakMapBucket::copyFrom):
740         (JSC::WeakMapBucket::offsetOfKey):
741         (JSC::WeakMapBucket::offsetOfValue):
742         (JSC::WeakMapBucket::extractValue):
743         (JSC::WeakMapBucket::isEmpty):
744         (JSC::WeakMapBucket::deletedKey):
745         (JSC::WeakMapBucket::isDeleted):
746         (JSC::WeakMapBucket::makeDeleted):
747         (JSC::WeakMapBucket::visitAggregate):
748         (JSC::WeakMapBucket::clearValue):
749         (JSC::WeakMapBuffer::allocationSize):
750         (JSC::WeakMapBuffer::buffer const):
751         (JSC::WeakMapBuffer::create):
752         (JSC::WeakMapBuffer::reset):
753         (JSC::WeakMapImpl::WeakMapImpl):
754         (JSC::WeakMapImpl::finishCreation):
755         (JSC::WeakMapImpl::get):
756         (JSC::WeakMapImpl::has):
757         (JSC::WeakMapImpl::add):
758         (JSC::WeakMapImpl::remove):
759         (JSC::WeakMapImpl::size const):
760         (JSC::WeakMapImpl::offsetOfBuffer):
761         (JSC::WeakMapImpl::offsetOfCapacity):
762         (JSC::WeakMapImpl::findBucket):
763         (JSC::WeakMapImpl::buffer const):
764         (JSC::WeakMapImpl::forEach):
765         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
766         (JSC::WeakMapImpl::shouldShrink const):
767         (JSC::WeakMapImpl::canUseBucket):
768         (JSC::WeakMapImpl::addInternal):
769         (JSC::WeakMapImpl::findBucketAlreadyHashed):
770         (JSC::WeakMapImpl::rehash):
771         (JSC::WeakMapImpl::checkConsistency const):
772         (JSC::WeakMapImpl::makeAndSetNewBuffer):
773         (JSC::WeakMapImpl::assertBufferIsEmpty const):
774         (JSC::WeakMapImpl::DeadKeyCleaner::target):
775         * runtime/WeakMapPrototype.cpp:
776         (JSC::WeakMapPrototype::finishCreation):
777         (JSC::protoFuncWeakMapGet):
778         (JSC::protoFuncWeakMapHas):
779         * runtime/WeakSetConstructor.cpp:
780         (JSC::constructWeakSet):
781         * runtime/WeakSetPrototype.cpp:
782         (JSC::WeakSetPrototype::finishCreation):
783         (JSC::protoFuncWeakSetHas):
784         (JSC::protoFuncWeakSetAdd):
785
2017-12-11  Filip Pizlo  <fpizlo@apple.com>

        It should be possible to flag a cell for unconditional finalization
        https://bugs.webkit.org/show_bug.cgi?id=180636

        Reviewed by Saam Barati.

        UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
        global linked list - but they had some nice properties:

        - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
          survived and needed it.
            -> Just needing it wasn't enough.
            -> Just surviving wasn't enough.

        The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
        finalizer logic to be invoked. I think that's not great. InferredType got around this by
        making InferredStructure a cell, but this was a gross hack. For one, it meant that
        InferredStructure would survive during the GC in which its finalizer obviated the need for its
        existence. It's not really an idiom I want us to repeat because it sounds like the sort of
        thing that turns out to be subtly broken.

        We really need to have a way of indicating when you have entered into the state that requires
        your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
        objects that need unconditional finalizers. Only the subset of that set that overlaps with the
        set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
        bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
        another level to say which atoms within a MarkedBlock have unconditional finalizers.

        This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
        IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
        auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
        add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
        you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
        about 0.8% increase in size to every object in the subspace that the set is attached to. So,
        it makes sense to have a handful per subspace max. This change only needs one per subspace,
        but you could imagine more if we do this for WeakReferenceHarvester.

        To absolutely minimize the possibility that this incurs costs, the add/remove/contains
        functions can be used from any thread so long as forEachMarkedCell isn't running. This means
        that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
        both survive and need it for the hardest work to take place. The work of adding does involve
        a gnarly load chain that ends in a CAS: load block handle from block, load index, load
        segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
        However, it's perfect for running in parallel since the only write operations are to widely
        dispersed cache lines that contain the bits underlying the set.

        The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
        that need unconditional finalizers, and only touches the memory of marked objects that have
        the unconditional finalizer bit set. It will walk those objects in roughly address order. I
        previously found that this speeds up walking over a lot of objects when I made similar changes
        for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
        HashSet).

        This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.

        My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
        forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
        IsoSubspace in more places.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * heap/AtomIndices.h: Added.
        (JSC::AtomIndices::AtomIndices):
        * heap/Heap.cpp:
        (JSC::Heap::finalizeUnconditionalFinalizers):
        * heap/Heap.h:
        * heap/IsoCellSet.cpp: Added.
        (JSC::IsoCellSet::IsoCellSet):
        (JSC::IsoCellSet::~IsoCellSet):
        (JSC::IsoCellSet::addSlow):
        (JSC::IsoCellSet::didResizeBits):
        (JSC::IsoCellSet::didRemoveBlock):
        (JSC::IsoCellSet::sweepToFreeList):
        * heap/IsoCellSet.h: Added.
        * heap/IsoCellSetInlines.h: Added.
        (JSC::IsoCellSet::add):
        (JSC::IsoCellSet::remove):
        (JSC::IsoCellSet::contains const):
        (JSC::IsoCellSet::forEachMarkedCell):
        * heap/IsoSubspace.cpp:
        (JSC::IsoSubspace::didResizeBits):
        (JSC::IsoSubspace::didRemoveBlock):
        (JSC::IsoSubspace::didBeginSweepingToFreeList):
        * heap/IsoSubspace.h:
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::addBlock):
        (JSC::MarkedAllocator::removeBlock):
        * heap/MarkedAllocator.h:
        * heap/MarkedAllocatorInlines.h:
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::Handle::sweep):
        (JSC::MarkedBlock::Handle::isEmpty): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::marks const):
        (JSC::MarkedBlock::Handle::newlyAllocated const):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::isAllocated):
        (JSC::MarkedBlock::Handle::isEmpty):
        (JSC::MarkedBlock::Handle::emptyMode):
        (JSC::MarkedBlock::Handle::forEachMarkedCell):
        * heap/Subspace.cpp:
        (JSC::Subspace::didResizeBits):
        (JSC::Subspace::didRemoveBlock):
        (JSC::Subspace::didBeginSweepingToFreeList):
        * heap/Subspace.h:
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachMarkedCell):
        * runtime/InferredStructure.cpp:
        (JSC::InferredStructure::InferredStructure):
        (JSC::InferredStructure::create): Deleted.
        (JSC::InferredStructure::destroy): Deleted.
        (JSC::InferredStructure::createStructure): Deleted.
        (JSC::InferredStructure::visitChildren): Deleted.
        (JSC::InferredStructure::finalizeUnconditionally): Deleted.
        (JSC::InferredStructure::finishCreation): Deleted.
        * runtime/InferredStructure.h:
        * runtime/InferredStructureWatchpoint.cpp:
        (JSC::InferredStructureWatchpoint::fireInternal):
        * runtime/InferredType.cpp:
        (JSC::InferredType::visitChildren):
        (JSC::InferredType::willStoreValueSlow):
        (JSC::InferredType::makeTopSlow):
        (JSC::InferredType::set):
        (JSC::InferredType::removeStructure):
        (JSC::InferredType::finalizeUnconditionally):
        * runtime/InferredType.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
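
        The two-level bitvector and the forEachMarkedCell walk described in this entry, as an added
        example that is not JavaScriptCore's IsoCellSet: fixed blocks of 128 atoms, one level-1 word
        per 64 blocks and one level-2 word per 64 atoms are constructed stand-ins for MarkedBlock
        handles and segments, and the scenario functions at the end use constructed cells and marks.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <vector>

namespace example {

constexpr size_t atomsPerBlock = 128;  // constructed geometry: 128 cell slots per block
constexpr size_t wordsPerBlock = atomsPerBlock / 64;

class IsoCellSetLike {
public:
    explicit IsoCellSetLike(size_t blockCount)
        : m_blockBits((blockCount + 63) / 64)     // level 1: which blocks hold members
        , m_atomBits(blockCount * wordsPerBlock)  // level 2: which atoms in each block
    { }

    // add/remove/contains may run from any thread as long as forEachMarkedCell is
    // not running; the only writes are single bits in the set's own words.
    bool add(size_t block, size_t atom)
    {
        std::atomic<uint64_t>& word = atomWord(block, atom);
        uint64_t mask = atomMask(atom);
        uint64_t old = word.load(std::memory_order_relaxed);
        while (!(old & mask)) {  // load bit -> if not set, then CAS
            if (word.compare_exchange_weak(old, old | mask, std::memory_order_relaxed)) {
                // Slow path: flag the block as well so iteration does not skip it.
                m_blockBits[block / 64].fetch_or(uint64_t(1) << (block % 64), std::memory_order_relaxed);
                return true;
            }
        }
        return false;  // already present: the fast path wrote nothing
    }

    // The block bit is left set; a stale block bit only costs a scan of zero words.
    bool remove(size_t block, size_t atom)
    {
        return atomWord(block, atom).fetch_and(~atomMask(atom), std::memory_order_relaxed) & atomMask(atom);
    }

    bool contains(size_t block, size_t atom) const
    {
        return atomWord(block, atom).load(std::memory_order_relaxed) & atomMask(atom);
    }

    // marks: one bit per atom, same layout as the atom bits. Visits, in address order,
    // only cells that are both marked and in the set, and never touches a block whose
    // level-1 bit is clear.
    template<typename Func>
    void forEachMarkedCell(const std::vector<uint64_t>& marks, const Func& func) const
    {
        for (size_t bw = 0; bw < m_blockBits.size(); ++bw) {
            uint64_t blocks = m_blockBits[bw].load(std::memory_order_relaxed);
            while (blocks) {
                size_t block = bw * 64 + __builtin_ctzll(blocks);
                blocks &= blocks - 1;
                for (size_t w = 0; w < wordsPerBlock; ++w) {
                    size_t index = block * wordsPerBlock + w;
                    uint64_t live = m_atomBits[index].load(std::memory_order_relaxed) & marks[index];
                    for (; live; live &= live - 1)
                        func(block, w * 64 + __builtin_ctzll(live));
                }
            }
        }
    }

private:
    std::atomic<uint64_t>& atomWord(size_t block, size_t atom) { return m_atomBits[block * wordsPerBlock + atom / 64]; }
    const std::atomic<uint64_t>& atomWord(size_t block, size_t atom) const { return m_atomBits[block * wordsPerBlock + atom / 64]; }
    static uint64_t atomMask(size_t atom) { return uint64_t(1) << (atom % 64); }

    std::vector<std::atomic<uint64_t>> m_blockBits;
    std::vector<std::atomic<uint64_t>> m_atomBits;
};

// Constructed scenario: four blocks; cells (0,5), (2,70), (2,71), (3,0) are flagged;
// the GC marked (0,5), (2,71), (3,0) and also (1,3), which was never flagged.
// Returns the visited cells encoded as block * atomsPerBlock + atom.
std::vector<size_t> scenarioVisits()
{
    IsoCellSetLike set(4);
    set.add(0, 5); set.add(2, 70); set.add(2, 71); set.add(3, 0);
    std::vector<uint64_t> marks(4 * wordsPerBlock, 0);
    auto mark = [&](size_t block, size_t atom) { marks[block * wordsPerBlock + atom / 64] |= uint64_t(1) << (atom % 64); };
    mark(0, 5); mark(2, 71); mark(3, 0); mark(1, 3);
    std::vector<size_t> visited;
    set.forEachMarkedCell(marks, [&](size_t block, size_t atom) { visited.push_back(block * atomsPerBlock + atom); });
    return visited;  // {5, 327, 384}: (2,70) is unmarked and block 1 is skipped entirely
}

// A repeated add is a no-op on the fast path; remove clears membership.
bool membershipChecks()
{
    IsoCellSetLike set(2);
    bool firstAdd = set.add(1, 9), secondAdd = set.add(1, 9);
    bool present = set.contains(1, 9), removed = set.remove(1, 9), gone = !set.contains(1, 9);
    return firstAdd && !secondAdd && present && removed && gone;
}

} // namespace example
```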

2017-12-12  Saam Barati  <sbarati@apple.com>

        ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
        https://bugs.webkit.org/show_bug.cgi?id=180723
        <rdar://problem/35859726>

        Reviewed by JF Bastien.

        * dfg/DFGConstantFoldingPhase.cpp:
        (JSC::DFG::ConstantFoldingPhase::foldConstants):

2017-12-04  Brian Burg  <bburg@apple.com>

        Web Inspector: modernize InjectedScript a bit
        https://bugs.webkit.org/show_bug.cgi?id=180367

        Reviewed by Timothy Hatcher.

        Stop using out parameters passed by pointer, use references instead.
        Stop using OptOutput<T> in favor of std::optional where possible.
        If there is only one out-parameter and a void return type, then return the value.

        * inspector/InjectedScript.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::evaluate):
        (Inspector::InjectedScript::callFunctionOn):
        (Inspector::InjectedScript::evaluateOnCallFrame):
        (Inspector::InjectedScript::getFunctionDetails):
        (Inspector::InjectedScript::functionDetails):
        (Inspector::InjectedScript::getPreview):
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::saveResult):
        (Inspector::InjectedScript::setExceptionValue):
        (Inspector::InjectedScript::clearExceptionValue):
        (Inspector::InjectedScript::inspectObject):
        (Inspector::InjectedScript::releaseObject):

        * inspector/InjectedScriptBase.h:
        * inspector/InjectedScriptBase.cpp:
        (Inspector::InjectedScriptBase::InjectedScriptBase):
        Declare m_environment with a default initializer.

        (Inspector::InjectedScriptBase::makeCall):
        (Inspector::InjectedScriptBase::makeEvalCall):
        Just return the result, no need for an out-parameter.
        Rearrange some code paths now that we can just return a result.
        Return a Ref<JSON::Value> since it is either a result value or error value.
        Use out_ prefixes in a few places to improve readability.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::getFunctionDetails):
        (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
        * inspector/agents/InspectorHeapAgent.cpp:
        (Inspector::InspectorHeapAgent::getPreview):
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::evaluate):
        (Inspector::InspectorRuntimeAgent::callFunctionOn):
        (Inspector::InspectorRuntimeAgent::getPreview):
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::saveResult):
        Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
        and std::optional until the former is removed from generated method signatures.

2017-12-12  Caio Lima  <ticaiolima@gmail.com>

        [ESNext][BigInt] Implement BigInt literals and JSBigInt
        https://bugs.webkit.org/show_bug.cgi?id=179000

        Reviewed by Darin Adler and Yusuke Suzuki.

        This patch starts the implementation of BigInt primitive on
        JavaScriptCore. We are introducing BigInt primitive and
        implementing it in JSBigInt as a subclass of JSCell with a [[BigIntData]]
        field implemented contiguously in memory as inline storage of JSBigInt to
        take advantage of performance due to cache locality. The
        implementation allows 64-bit or 32-bit arithmetic operations.
        JSBigInt also has m_sign to store the sign of [[BigIntData]] and
        m_length that keeps track of BigInt length.
        The implementation follows the V8 one. [[BigIntData]] is manipulated
        by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
        We also have some operations to support arithmetic over digits.

        It is important to notice that in our representation,
        JSBigInt::dataStorage()[0] represents the least significant digit and
        JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.

        We are also introducing in this patch the BigInt literals lexer and
        syntax parsing support. The operation Strict Equals on BigInts is also being
        implemented to enable tests.
        These features are being implemented behind a runtime flag "--useBigInt" and
        are disabled by default.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/CodeBlock.cpp:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitEqualityOp):
        (JSC::BytecodeGenerator::addBigIntConstant):
        * bytecompiler/BytecodeGenerator.h:
        (JSC::BytecodeGenerator::BigIntEntryHash::hash):
        (JSC::BytecodeGenerator::BigIntEntryHash::equal):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BigIntNode::jsValue const):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::isToThisAnIdentity):
        * interpreter/Interpreter.cpp:
        (JSC::sizeOfVarargs):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createBigInt):
        * parser/Lexer.cpp:
        (JSC::Lexer<T>::parseBinary):
        (JSC::Lexer<T>::parseOctal):
        (JSC::Lexer<T>::parseDecimal):
        (JSC::Lexer<T>::lex):
        (JSC::Lexer<T>::parseHex): Deleted.
        * parser/Lexer.h:
        * parser/NodeConstructors.h:
        (JSC::BigIntNode::BigIntNode):
        * parser/Nodes.h:
        (JSC::ExpressionNode::isBigInt const):
        (JSC::BigIntNode::value):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parsePrimaryExpression):
        * parser/ParserTokens.h:
        * parser/ResultType.h:
        (JSC::ResultType::definitelyIsBigInt const):
        (JSC::ResultType::mightBeBigInt const):
        (JSC::ResultType::isNotBigInt const):
        (JSC::ResultType::addResultType):
        (JSC::ResultType::bigIntType):
        (JSC::ResultType::forAdd):
        (JSC::ResultType::forLogicalOp):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createBigInt):
        * runtime/CommonIdentifiers.h:
        * runtime/JSBigInt.cpp: Added.
        (JSC::JSBigInt::visitChildren):
        (JSC::JSBigInt::JSBigInt):
        (JSC::JSBigInt::initialize):
        (JSC::JSBigInt::createStructure):
        (JSC::JSBigInt::createZero):
        (JSC::JSBigInt::allocationSize):
        (JSC::JSBigInt::createWithLength):
        (JSC::JSBigInt::finishCreation):
        (JSC::JSBigInt::toPrimitive const):
        (JSC::JSBigInt::singleDigitValueForString):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::toString):
        (JSC::JSBigInt::isZero):
        (JSC::JSBigInt::inplaceMultiplyAdd):
        (JSC::JSBigInt::digitAdd):
        (JSC::JSBigInt::digitSub):
        (JSC::JSBigInt::digitMul):
        (JSC::JSBigInt::digitPow):
        (JSC::JSBigInt::digitDiv):
        (JSC::JSBigInt::internalMultiplyAdd):
        (JSC::JSBigInt::equalToBigInt):
        (JSC::JSBigInt::absoluteDivSmall):
        (JSC::JSBigInt::calculateMaximumCharactersRequired):
        (JSC::JSBigInt::toStringGeneric):
        (JSC::JSBigInt::rightTrim):
        (JSC::JSBigInt::allocateFor):
        (JSC::JSBigInt::estimatedSize):
        (JSC::JSBigInt::toNumber const):
        (JSC::JSBigInt::getPrimitiveNumber const):
        * runtime/JSBigInt.h: Added.
        (JSC::JSBigInt::setSign):
        (JSC::JSBigInt::sign const):
        (JSC::JSBigInt::setLength):
        (JSC::JSBigInt::length const):
        (JSC::JSBigInt::parseInt):
        (JSC::JSBigInt::offsetOfData):
        (JSC::JSBigInt::dataStorage):
        (JSC::JSBigInt::digit):
        (JSC::JSBigInt::setDigit):
        (JSC::asBigInt):
        * runtime/JSCJSValue.cpp:
        (JSC::JSValue::synthesizePrototype const):
        (JSC::JSValue::toStringSlowCase const):
        * runtime/JSCJSValue.h:
        * runtime/JSCJSValueInlines.h:
        (JSC::JSValue::isBigInt const):
        (JSC::JSValue::strictEqualSlowCaseInline):
        * runtime/JSCell.cpp:
        (JSC::JSCell::put):
        (JSC::JSCell::putByIndex):
        (JSC::JSCell::toPrimitive const):
        (JSC::JSCell::getPrimitiveNumber const):
        (JSC::JSCell::toNumber const):
        (JSC::JSCell::toObjectSlow const):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::isBigInt const):
        * runtime/JSType.h:
        * runtime/MathCommon.h:
        (JSC::clz64):
        * runtime/NumberPrototype.cpp:
        * runtime/Operations.cpp:
        (JSC::jsTypeStringForValue):
        (JSC::jsIsObjectTypeOrNull):
        * runtime/Options.h:
        * runtime/ParseInt.h:
        * runtime/SmallStrings.h:
        (JSC::SmallStrings::typeString const):
        * runtime/StructureInlines.h:
        (JSC::prototypeForLookupPrimitiveImpl):
        * runtime/TypeofType.cpp:
        (WTF::printInternal):
        * runtime/TypeofType.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
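
        The digit layout described in this entry (digit 0 least significant, a sign flag and a length)
        worked through parseInt, toString and strict equality, as an added example that is not
        JSBigInt's code: it uses 32-bit digits so that 64-bit intermediates suffice, takes a literal
        already stripped of its radix prefix and trailing "n", and throws std::invalid_argument on bad
        input; every name in it is the example's own.

```cpp
#include <algorithm>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <vector>

namespace example {

using Digit = uint32_t;         // 32-bit digits keep every intermediate within 64 bits
using DoubleDigit = uint64_t;

struct BigInt {
    bool sign = false;          // m_sign: true for negative values
    std::vector<Digit> digits;  // digits[0] is the least significant digit (dataStorage()[0])

    size_t length() const { return digits.size(); }   // m_length
    bool isZero() const { return digits.empty(); }
    Digit digit(size_t index) const { return digits[index]; }
    void setDigit(size_t index, Digit value) { digits[index] = value; }

    // Drop zero digits from the most significant end so equal values have equal lengths.
    void rightTrim()
    {
        while (!digits.empty() && !digits.back())
            digits.pop_back();
        if (digits.empty()) sign = false;   // there is no negative zero
    }

    // this = this * factor + summand, walking from least to most significant digit.
    void inplaceMultiplyAdd(Digit factor, Digit summand)
    {
        DoubleDigit carry = summand;
        for (size_t i = 0; i < digits.size(); ++i) {
            DoubleDigit product = DoubleDigit(digits[i]) * factor + carry;  // digitMul + digitAdd
            digits[i] = Digit(product);
            carry = product >> 32;
        }
        if (carry) digits.push_back(Digit(carry));
    }

    // |this| /= divisor in place, most to least significant digit; returns the remainder.
    Digit absoluteDivSmall(Digit divisor)
    {
        DoubleDigit remainder = 0;
        for (size_t i = digits.size(); i-- > 0;) {
            DoubleDigit current = (remainder << 32) | digits[i];
            digits[i] = Digit(current / divisor);   // digitDiv
            remainder = current % divisor;
        }
        rightTrim();
        return Digit(remainder);
    }
};

// Counterpart of parseInt for a literal already stripped of its radix prefix and
// "n" suffix: optional leading '-', then digits in the given radix (2..36).
BigInt parseInt(const std::string& text, unsigned radix)
{
    BigInt result;
    size_t pos = 0;
    if (pos < text.size() && text[pos] == '-') { result.sign = true; ++pos; }
    if (pos == text.size()) throw std::invalid_argument("empty BigInt literal");
    for (; pos < text.size(); ++pos) {
        char c = text[pos];
        unsigned value = radix;  // anything not matched below fails the range check
        if (c >= '0' && c <= '9') value = c - '0';
        else if (c >= 'a' && c <= 'z') value = c - 'a' + 10;
        else if (c >= 'A' && c <= 'Z') value = c - 'A' + 10;
        if (value >= radix) throw std::invalid_argument("invalid digit in BigInt literal");
        result.inplaceMultiplyAdd(Digit(radix), Digit(value));
    }
    result.rightTrim();
    return result;
}

// Counterpart of toStringGeneric: repeated single-digit division collects the
// output digits least significant first, then the string is reversed.
std::string toString(BigInt value, unsigned radix)
{
    static const char alphabet[] = "0123456789abcdefghijklmnopqrstuvwxyz";
    if (value.isZero()) return "0";
    std::string out;
    bool negative = value.sign;
    while (!value.isZero())
        out.push_back(alphabet[value.absoluteDivSmall(Digit(radix))]);
    if (negative) out.push_back('-');
    std::reverse(out.begin(), out.end());
    return out;
}

// Strict equality: same sign, same length and the same digits.
bool equalToBigInt(const BigInt& x, const BigInt& y)
{
    return x.sign == y.sign && x.digits == y.digits;
}

} // namespace example
```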
1137
1138 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
1139
1140         LLInt: reserve 16 bytes of stack on MIPS for native calls
1141         https://bugs.webkit.org/show_bug.cgi?id=180653
1142
1143         Reviewed by Carlos Alberto Lopez Perez.
1144
1145         * llint/LowLevelInterpreter32_64.asm:
1146         On MIPS, substract 24 from the stack pointer (16 for calling
1147         convention + 8 to be 16-aligned) instead of the 8 on other platforms
1148         (for alignment).
1149
1150 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1151
1152         [WTF] Thread::create should have Thread::tryCreate
1153         https://bugs.webkit.org/show_bug.cgi?id=180333
1154
1155         Reviewed by Darin Adler.
1156
1157         * assembler/testmasm.cpp:
1158         (JSC::run):
1159         * b3/air/testair.cpp:
1160         * b3/testb3.cpp:
1161         (JSC::B3::run):
1162         * jsc.cpp:
1163         (functionDollarAgentStart):
1164
1165 2017-12-11  Michael Saboff  <msaboff@apple.com>
1166
1167         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1168         https://bugs.webkit.org/show_bug.cgi?id=180685
1169
1170         Reviewed by Saam Barati.
1171
1172         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1173         the character class check to return true without reading the character.  Given that
1174         the character could be a surrogate pair, we need to read the character even if we
1175         don't have the check it.
1176
1177         * yarr/YarrInterpreter.cpp:
1178         (JSC::Yarr::Interpreter::testCharacterClass):
1179         (JSC::Yarr::Interpreter::checkCharacterClass):
1180
1181 2017-12-11  Saam Barati  <sbarati@apple.com>
1182
1183         We need to disableCaching() in ErrorInstance when we materialize properties
1184         https://bugs.webkit.org/show_bug.cgi?id=180343
1185         <rdar://problem/35833002>
1186
1187         Reviewed by Mark Lam.
1188
1189         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1190         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
1191         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1192         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1193         existing property only found on Structure B. This is obviously wrong as it would lead to an
1194         OOB store if we didn't already crash when generating the IC.
1195
1196         * jit/Repatch.cpp:
1197         (JSC::tryCachePutByID):
1198         * runtime/ErrorInstance.cpp:
1199         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1200         (JSC::ErrorInstance::put):
1201         * runtime/ErrorInstance.h:
1202         * runtime/Structure.cpp:
1203         (JSC::Structure::didCachePropertyReplacement):
1204
1205 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
1206
1207         [WinCairo] DLLLauncherMain should use SetDllDirectory
1208         https://bugs.webkit.org/show_bug.cgi?id=180642
1209
1210         Reviewed by Alex Christensen.
1211
1212         Windows have icuuc.dll in the system directory. WebKit should find
1213         one in WebKitLibraries directory, not one in the system directory.
1214
1215         * shell/DLLLauncherMain.cpp:
1216         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1217
1218 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
1219
1220         Web Inspector: Optionally log WebKit log parameters as JSON
1221         https://bugs.webkit.org/show_bug.cgi?id=180529
1222         <rdar://problem/35909462>
1223
1224         Reviewed by Joseph Pecoraro.
1225
1226         * inspector/ConsoleMessage.cpp:
1227         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1228         values. Concatenate all adjacent strings to make logging cleaner.
1229         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1230         (Inspector::ConsoleMessage::scriptState const):
1231         * inspector/ConsoleMessage.h:
1232
1233         * inspector/InjectedScript.cpp:
1234         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1235         * inspector/InjectedScript.h:
1236         * inspector/InjectedScriptSource.js:
1237         (let.InjectedScript.prototype.wrapJSONString):
1238
1239 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1240
1241         Remove unused builtin names
1242         https://bugs.webkit.org/show_bug.cgi?id=180673
1243
1244         Reviewed by Keith Miller.
1245
1246         * builtins/BuiltinNames.h:
1247
1248 2017-12-11  David Quesada  <david_quesada@apple.com>
1249
1250         Turn on ENABLE_APPLICATION_MANIFEST
1251         https://bugs.webkit.org/show_bug.cgi?id=180562
1252         rdar://problem/35924737
1253
1254         Reviewed by Geoffrey Garen.
1255
1256         * Configurations/FeatureDefines.xcconfig:
1257
1258 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
1259
1260         Harden a few assertions in GC sweep
1261         https://bugs.webkit.org/show_bug.cgi?id=180634
1262
1263         Reviewed by Saam Barati.
1264         
1265         This turns one dynamic check into a release assertion and upgrades another assertion to a release
1266         assertion.
1267
1268         * heap/MarkedBlock.cpp:
1269         (JSC::MarkedBlock::Handle::sweep):
1270
1271 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
1272
1273         [python] Modernize "except" usage for python3 compatibility
1274         https://bugs.webkit.org/show_bug.cgi?id=180612
1275
1276         Reviewed by Michael Catanzaro.
1277
1278         * inspector/scripts/generate-inspector-protocol-bindings.py:
1279
1280 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1281
1282         InferredType should not use UnconditionalFinalizer
1283         https://bugs.webkit.org/show_bug.cgi?id=180456
1284
1285         Reviewed by Saam Barati.
1286         
1287         This turns InferredStructure into a cell so that we can unconditionally finalize them without
1288         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1289         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1290         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1291         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1292
1293         * JavaScriptCore.xcodeproj/project.pbxproj:
1294         * Sources.txt:
1295         * heap/Heap.cpp:
1296         (JSC::Heap::finalizeUnconditionalFinalizers):
1297         * heap/Heap.h:
1298         * runtime/InferredStructure.cpp: Added.
1299         (JSC::InferredStructure::create):
1300         (JSC::InferredStructure::destroy):
1301         (JSC::InferredStructure::createStructure):
1302         (JSC::InferredStructure::visitChildren):
1303         (JSC::InferredStructure::finalizeUnconditionally):
1304         (JSC::InferredStructure::InferredStructure):
1305         (JSC::InferredStructure::finishCreation):
1306         * runtime/InferredStructure.h: Added.
1307         * runtime/InferredStructureWatchpoint.cpp: Added.
1308         (JSC::InferredStructureWatchpoint::fireInternal):
1309         * runtime/InferredStructureWatchpoint.h: Added.
1310         * runtime/InferredType.cpp:
1311         (JSC::InferredType::visitChildren):
1312         (JSC::InferredType::willStoreValueSlow):
1313         (JSC::InferredType::makeTopSlow):
1314         (JSC::InferredType::set):
1315         (JSC::InferredType::removeStructure):
1316         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1317         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1318         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1319         * runtime/InferredType.h:
1320         * runtime/VM.cpp:
1321         (JSC::VM::VM):
1322         * runtime/VM.h:
1323
1324 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
1325
1326         [python] Replace print >> operator with print() function for python3 compatibility
1327         https://bugs.webkit.org/show_bug.cgi?id=180611
1328
1329         Reviewed by Michael Catanzaro.
1330
1331         * Scripts/make-js-file-arrays.py:
1332         (main):
1333
1334 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1335
1336         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1337         https://bugs.webkit.org/show_bug.cgi?id=180520
1338         <rdar://problem/35900764>
1339
1340         Reviewed by Brian Burg.
1341
1342         * inspector/protocol/ServiceWorker.json:
1343         Include content script content in the initialization info.
1344
1345 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
1346
1347         [python] Replace print operator with print() function for python3 compatibility
1348         https://bugs.webkit.org/show_bug.cgi?id=180592
1349
1350         Reviewed by Michael Catanzaro.
1351
1352         * Scripts/generateYarrUnicodePropertyTables.py:
1353         (openOrExit):
1354         (verifyUCDFilesExist):
1355         (Aliases.parsePropertyAliasesFile):
1356         (Aliases.parsePropertyValueAliasesFile):
1357         * Scripts/make-js-file-arrays.py:
1358         (main):
1359         * generate-bytecode-files:
1360
1361 2017-12-08  Mark Lam  <mark.lam@apple.com>
1362
1363         Need to unpoison native function pointers for CLoop.
1364         https://bugs.webkit.org/show_bug.cgi?id=180601
1365         <rdar://problem/35942028>
1366
1367         Reviewed by JF Bastien.
1368
1369         * llint/LowLevelInterpreter64.asm:
1370
1371 2017-12-08  Michael Saboff  <msaboff@apple.com>
1372
1373         YARR: JIT RegExps with greedy parenthesized sub patterns
1374         https://bugs.webkit.org/show_bug.cgi?id=180538
1375
1376         Reviewed by JF Bastien.
1377
1378         This patch adds JIT support for regular expressions containing greedy counted
1379         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1380
1381         Just like in the interpreter, expressions with nested parenthetical subpatterns
1382         require saving the results of previous matches of the parentheses' contents along
1383         with any associated state.  This saved state is needed in the case that we need
1384         to backtrack.  This state is called ParenContext within the code.  Space allocated
1385         for this ParenContext is managed using a simple block allocator within the JIT'ed
1386         code.  The raw space managed by this allocator is passed into the JIT'ed function.
1387
1388         Since this fixed-size space may be exceeded, this patch adds a fallback mechanism.
1389         If the JIT'ed code exhausts all its ParenContext space, it returns a new error,
1390         JSRegExpJITCodeFailure.  The caller will then bytecode-compile and interpret the
1391         expression.
1392
1393         Due to increased register usage by the parenthesis handling code, the use of
1394         registers by the JIT engine was restructured, with registers used for Unicode
1395         pattern matching replaced with constants.
1396
1397         Reworked some of the context structures that are used across the interpreter
1398         and JIT implementations to make them a little more uniform and to handle the
1399         needs of JIT'ing the new parentheses forms.
1400
1401         To help with development and debugging of this code, the compiled-pattern dumping
1402         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
1403
1404         * runtime/RegExp.cpp:
1405         (JSC::byteCodeCompilePattern):
1406         (JSC::RegExp::byteCodeCompileIfNecessary):
1407         (JSC::RegExp::compile):
1408         (JSC::RegExp::compileMatchOnly):
1409         * runtime/RegExp.h:
1410         * runtime/RegExpInlines.h:
1411         (JSC::RegExp::matchInline):
1412         * testRegExp.cpp:
1413         (parseRegExpLine):
1414         (runFromFiles):
1415         * yarr/Yarr.h:
1416         * yarr/YarrInterpreter.cpp:
1417         (JSC::Yarr::ByteCompiler::compile):
1418         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1419         * yarr/YarrJIT.cpp:
1420         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1421         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1422         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1423         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1424         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1425         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1426         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1427         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1428         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1429         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1430         (JSC::Yarr::YarrGenerator::allocatePatternContext):
1431         (JSC::Yarr::YarrGenerator::freePatternContext):
1432         (JSC::Yarr::YarrGenerator::savePatternContext):
1433         (JSC::Yarr::YarrGenerator::restorePatternContext):
1434         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1435         (JSC::Yarr::YarrGenerator::storeToFrame):
1436         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
1437         (JSC::Yarr::YarrGenerator::clearMatches):
1438         (JSC::Yarr::YarrGenerator::generate):
1439         (JSC::Yarr::YarrGenerator::backtrack):
1440         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1441         (JSC::Yarr::YarrGenerator::generateEnter):
1442         (JSC::Yarr::YarrGenerator::generateReturn):
1443         (JSC::Yarr::YarrGenerator::YarrGenerator):
1444         (JSC::Yarr::YarrGenerator::compile):
1445         * yarr/YarrJIT.h:
1446         (JSC::Yarr::YarrCodeBlock::execute):
1447         * yarr/YarrPattern.cpp:
1448         (JSC::Yarr::indentForNestingLevel):
1449         (JSC::Yarr::dumpUChar32):
1450         (JSC::Yarr::dumpCharacterClass):
1451         (JSC::Yarr::PatternTerm::dump):
1452         (JSC::Yarr::YarrPattern::dumpPattern):
1453         * yarr/YarrPattern.h:
1454         (JSC::Yarr::PatternTerm::containsAnyCaptures):
1455         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1456         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1457         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1458         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1459         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
1460         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
1461
1462 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1463
1464         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
1465         https://bugs.webkit.org/show_bug.cgi?id=180590
1466         <rdar://problem/35882767>
1467
1468         Reviewed by Mark Lam.
1469
1470         * inspector/agents/InspectorConsoleAgent.cpp:
1471         (Inspector::InspectorConsoleAgent::enable):
1472         Swap the messages to a Vector that won't change during iteration.
1473
1474 2017-12-08  Michael Saboff  <msaboff@apple.com>
1475
1476         YARR: Coalesce constructed character classes
1477         https://bugs.webkit.org/show_bug.cgi?id=180537
1478
1479         Reviewed by JF Bastien.
1480
1481         When adding characters or character ranges to a character class being constructed,
1482         we now coalesce adjacent characters and character ranges.  When we create a
1483         character class after construction is complete, we do a final coalescing pass
1484         across the character list and ranges to catch any remaining coalescing
1485         opportunities.
1486
1487         Added an optimization for character classes that will match any character.
1488         This is somewhat common in code created before the /s (dotAll) flag was added
1489         to the engine.
1490
1491         * yarr/YarrInterpreter.cpp:
1492         (JSC::Yarr::Interpreter::checkCharacterClass):
1493         * yarr/YarrJIT.cpp:
1494         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1495         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1496         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1497         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1498         * yarr/YarrPattern.cpp:
1499         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1500         (JSC::Yarr::CharacterClassConstructor::reset):
1501         (JSC::Yarr::CharacterClassConstructor::charClass):
1502         (JSC::Yarr::CharacterClassConstructor::addSorted):
1503         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1504         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
1505         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
1506         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
1507         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
1508         (JSC::Yarr::PatternTerm::dump):
1509         (JSC::Yarr::anycharCreate):
1510         * yarr/YarrPattern.h:
1511         (JSC::Yarr::CharacterClass::CharacterClass):
1512
1513 2017-12-07  Saam Barati  <sbarati@apple.com>
1514
1515         Modify our dollar VM clflush intrinsic to aid in some perf testing
1516         https://bugs.webkit.org/show_bug.cgi?id=180559
1517
1518         Reviewed by Mark Lam.
1519
1520         * tools/JSDollarVM.cpp:
1521         (JSC::functionCpuClflush):
1522         (JSC::functionDeltaBetweenButterflies):
1523         (JSC::JSDollarVM::finishCreation):
1524
1525 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
1526
1527         Simplify log channel configuration UI
1528         https://bugs.webkit.org/show_bug.cgi?id=180527
1529         <rdar://problem/35908382>
1530
1531         Reviewed by Joseph Pecoraro.
1532
1533         * inspector/protocol/Console.json:
1534
1535 2017-12-07  Mark Lam  <mark.lam@apple.com>
1536
1537         Apply poisoning to some native code pointers.
1538         https://bugs.webkit.org/show_bug.cgi?id=180541
1539         <rdar://problem/35916875>
1540
1541         Reviewed by Filip Pizlo.
1542
1543         Renamed g_classInfoPoison to g_globalDataPoison.
1544         Renamed g_masmPoison to g_jitCodePoison.
1545         Introduced g_nativeCodePoison.
1546         Applied g_nativeCodePoison to poisoning some native code pointers.
1547
1548         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
1549         to malloc allocated data structures (where needed).
1550
1551         * API/JSCallbackFunction.h:
1552         (JSC::JSCallbackFunction::functionCallback):
1553         * JavaScriptCore.xcodeproj/project.pbxproj:
1554         * jit/ThunkGenerators.cpp:
1555         (JSC::nativeForGenerator):
1556         * llint/LowLevelInterpreter64.asm:
1557         * runtime/CustomGetterSetter.h:
1558         (JSC::CustomGetterSetter::getter const):
1559         (JSC::CustomGetterSetter::setter const):
1560         * runtime/InternalFunction.cpp:
1561         (JSC::InternalFunction::getCallData):
1562         (JSC::InternalFunction::getConstructData):
1563         * runtime/InternalFunction.h:
1564         (JSC::InternalFunction::nativeFunctionFor):
1565         * runtime/JSCPoison.h: Added.
1566         * runtime/JSCPoisonedPtr.cpp:
1567         (JSC::initializePoison):
1568         * runtime/JSCPoisonedPtr.h:
1569         * runtime/Lookup.h:
1570         * runtime/NativeExecutable.cpp:
1571         (JSC::NativeExecutable::hashFor const):
1572         * runtime/NativeExecutable.h:
1573         * runtime/Structure.cpp:
1574         (JSC::StructureTransitionTable::setSingleTransition):
1575         * runtime/StructureTransitionTable.h:
1576         (JSC::StructureTransitionTable::StructureTransitionTable):
1577         (JSC::StructureTransitionTable::isUsingSingleSlot const):
1578         (JSC::StructureTransitionTable::map const):
1579         (JSC::StructureTransitionTable::weakImpl const):
1580         (JSC::StructureTransitionTable::setMap):
1581
1582 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
1583
1584         Web Inspector: Fix style in remote inspector classes
1585         https://bugs.webkit.org/show_bug.cgi?id=180545
1586
1587         Reviewed by Youenn Fablet.
1588
1589         * inspector/remote/RemoteControllableTarget.h:
1590         * inspector/remote/RemoteInspectionTarget.h:
1591         * runtime/JSGlobalObjectDebuggable.h:
1592
1593 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
1594
1595         Use fastAlignedFree to free aligned memory.
1596         https://bugs.webkit.org/show_bug.cgi?id=180540
1597
1598         Reviewed by Saam Barati.
1599
1600         * heap/IsoAlignedMemoryAllocator.cpp:
1601         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1602
1603 2017-12-07  Matt Lewis  <jlewis3@apple.com>
1604
1605         Unreviewed, rolling out r225634.
1606
1607         This caused layout tests to time out.
1608
1609         Reverted changeset:
1610
1611         "Simplify log channel configuration UI"
1612         https://bugs.webkit.org/show_bug.cgi?id=180527
1613         https://trac.webkit.org/changeset/225634
1614
1615 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
1616
1617         Simplify log channel configuration UI
1618         https://bugs.webkit.org/show_bug.cgi?id=180527
1619         <rdar://problem/35908382>
1620
1621         Reviewed by Joseph Pecoraro.
1622
1623         * inspector/protocol/Console.json:
1624
1625 2017-12-07  Mark Lam  <mark.lam@apple.com>
1626
1627         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
1628         https://bugs.webkit.org/show_bug.cgi?id=180514
1629
1630         Reviewed by Saam Barati and JF Bastien.
1631
1632         Re-landing r225620 with speculative build fix for GCC 7.
1633
1634         * API/JSCallbackObject.h:
1635         * API/JSObjectRef.cpp:
1636         (classInfoPrivate):
1637         * JavaScriptCore.xcodeproj/project.pbxproj:
1638         * Sources.txt:
1639         * assembler/MacroAssemblerCodeRef.h:
1640         (JSC::FunctionPtr::FunctionPtr):
1641         (JSC::FunctionPtr::value const):
1642         (JSC::FunctionPtr::executableAddress const):
1643         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1644         (JSC::ReturnAddressPtr::value const):
1645         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1646         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1647         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1648         (JSC::MacroAssemblerCodePtr:: const):
1649         (JSC::MacroAssemblerCodePtr::operator! const):
1650         (JSC::MacroAssemblerCodePtr::operator== const):
1651         (JSC::MacroAssemblerCodePtr::emptyValue):
1652         (JSC::MacroAssemblerCodePtr::deletedValue):
1653         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1654         * b3/B3LowerMacros.cpp:
1655         * b3/testb3.cpp:
1656         (JSC::B3::testInterpreter):
1657         * dfg/DFGSpeculativeJIT.cpp:
1658         (JSC::DFG::SpeculativeJIT::checkArray):
1659         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1660         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1661         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1662         * ftl/FTLLowerDFGToB3.cpp:
1663         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1664         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1665         * jit/AssemblyHelpers.h:
1666         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1667         * jit/SpecializedThunkJIT.h:
1668         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1669         * jit/ThunkGenerators.cpp:
1670         (JSC::virtualThunkFor):
1671         (JSC::boundThisNoArgsFunctionCallGenerator):
1672         * llint/LLIntSlowPaths.cpp:
1673         (JSC::LLInt::handleHostCall):
1674         (JSC::LLInt::setUpCall):
1675         * llint/LowLevelInterpreter64.asm:
1676         * runtime/InitializeThreading.cpp:
1677         (JSC::initializeThreading):
1678         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1679         (JSC::initializePoison):
1680         (JSC::initializeScrambledPtrKeys): Deleted.
1681         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1682         * runtime/JSCScrambledPtr.cpp: Removed.
1683         * runtime/JSCScrambledPtr.h: Removed.
1684         * runtime/JSDestructibleObject.h:
1685         (JSC::JSDestructibleObject::classInfo const):
1686         * runtime/JSSegmentedVariableObject.h:
1687         (JSC::JSSegmentedVariableObject::classInfo const):
1688         * runtime/Structure.h:
1689         * runtime/VM.h:
1690
1691 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1692
1693         Unreviewed, rolling out r225620
1694         https://bugs.webkit.org/show_bug.cgi?id=180514
1695         <rdar://problem/35901694>
1696
1697         It broke the build with GCC 7, and I don't know how to fix it.
1698
1699         * API/JSCallbackObject.h:
1700         * API/JSObjectRef.cpp:
1701         (classInfoPrivate):
1702         * JavaScriptCore.xcodeproj/project.pbxproj:
1703         * Sources.txt:
1704         * assembler/MacroAssemblerCodeRef.h:
1705         (JSC::FunctionPtr::FunctionPtr):
1706         (JSC::FunctionPtr::value const):
1707         (JSC::FunctionPtr::executableAddress const):
1708         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1709         (JSC::ReturnAddressPtr::value const):
1710         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1711         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1712         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
1713         (JSC::MacroAssemblerCodePtr:: const):
1714         (JSC::MacroAssemblerCodePtr::operator! const):
1715         (JSC::MacroAssemblerCodePtr::operator== const):
1716         (JSC::MacroAssemblerCodePtr::emptyValue):
1717         (JSC::MacroAssemblerCodePtr::deletedValue):
1718         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
1719         * b3/B3LowerMacros.cpp:
1720         * b3/testb3.cpp:
1721         (JSC::B3::testInterpreter):
1722         * dfg/DFGSpeculativeJIT.cpp:
1723         (JSC::DFG::SpeculativeJIT::checkArray):
1724         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1725         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1726         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1727         * ftl/FTLLowerDFGToB3.cpp:
1728         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1729         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1730         * jit/AssemblyHelpers.h:
1731         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1732         * jit/SpecializedThunkJIT.h:
1733         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1734         * jit/ThunkGenerators.cpp:
1735         (JSC::virtualThunkFor):
1736         (JSC::boundThisNoArgsFunctionCallGenerator):
1737         * llint/LLIntSlowPaths.cpp:
1738         (JSC::LLInt::handleHostCall):
1739         (JSC::LLInt::setUpCall):
1740         * llint/LowLevelInterpreter64.asm:
1741         * runtime/InitializeThreading.cpp:
1742         (JSC::initializeThreading):
1743         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
1744         (JSC::initializeScrambledPtrKeys):
1745         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
1746         * runtime/JSDestructibleObject.h:
1747         (JSC::JSDestructibleObject::classInfo const):
1748         * runtime/JSSegmentedVariableObject.h:
1749         (JSC::JSSegmentedVariableObject::classInfo const):
1750         * runtime/Structure.h:
1751         * runtime/VM.h:
1752
1753 2017-12-06  Mark Lam  <mark.lam@apple.com>
1754
1755         Refactoring: Rename ScrambledPtr to Poisoned.
1756         https://bugs.webkit.org/show_bug.cgi?id=180514
1757
1758         Reviewed by Saam Barati.
1759
1760         * API/JSCallbackObject.h:
1761         * API/JSObjectRef.cpp:
1762         (classInfoPrivate):
1763         * JavaScriptCore.xcodeproj/project.pbxproj:
1764         * Sources.txt:
1765         * assembler/MacroAssemblerCodeRef.h:
1766         (JSC::FunctionPtr::FunctionPtr):
1767         (JSC::FunctionPtr::value const):
1768         (JSC::FunctionPtr::executableAddress const):
1769         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1770         (JSC::ReturnAddressPtr::value const):
1771         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1772         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1773         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1774         (JSC::MacroAssemblerCodePtr:: const):
1775         (JSC::MacroAssemblerCodePtr::operator! const):
1776         (JSC::MacroAssemblerCodePtr::operator== const):
1777         (JSC::MacroAssemblerCodePtr::emptyValue):
1778         (JSC::MacroAssemblerCodePtr::deletedValue):
1779         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1780         * b3/B3LowerMacros.cpp:
1781         * b3/testb3.cpp:
1782         (JSC::B3::testInterpreter):
1783         * dfg/DFGSpeculativeJIT.cpp:
1784         (JSC::DFG::SpeculativeJIT::checkArray):
1785         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1786         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1787         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1788         * ftl/FTLLowerDFGToB3.cpp:
1789         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1790         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1791         * jit/AssemblyHelpers.h:
1792         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1793         * jit/SpecializedThunkJIT.h:
1794         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1795         * jit/ThunkGenerators.cpp:
1796         (JSC::virtualThunkFor):
1797         (JSC::boundThisNoArgsFunctionCallGenerator):
1798         * llint/LLIntSlowPaths.cpp:
1799         (JSC::LLInt::handleHostCall):
1800         (JSC::LLInt::setUpCall):
1801         * llint/LowLevelInterpreter64.asm:
1802         * runtime/InitializeThreading.cpp:
1803         (JSC::initializeThreading):
1804         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1805         (JSC::initializePoison):
1806         (JSC::initializeScrambledPtrKeys): Deleted.
1807         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1808         * runtime/JSCScrambledPtr.cpp: Removed.
1809         * runtime/JSCScrambledPtr.h: Removed.
1810         * runtime/JSDestructibleObject.h:
1811         (JSC::JSDestructibleObject::classInfo const):
1812         * runtime/JSSegmentedVariableObject.h:
1813         (JSC::JSSegmentedVariableObject::classInfo const):
1814         * runtime/Structure.h:
1815         * runtime/VM.h:
1816
1817 2017-12-02  Darin Adler  <darin@apple.com>
1818
1819         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
1820         https://bugs.webkit.org/show_bug.cgi?id=180009
1821
1822         Reviewed by Alex Christensen.
1823
1824         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
1825         * bytecode/CodeBlock.cpp: Ditto.
1826         * bytecode/ExecutionCounter.cpp: Ditto.
1827         * runtime/ConfigFile.cpp: Ditto.
1828         * runtime/DatePrototype.cpp: Ditto.
1829         * runtime/IndexingType.cpp: Ditto.
1830         * runtime/JSCJSValue.cpp: Ditto.
1831         * runtime/JSDateMath.cpp: Ditto.
1832         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
1833         * runtime/Options.cpp: Ditto.
1834         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
1835
1836 2017-12-06  Saam Barati  <sbarati@apple.com>
1837
1838         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
1839         https://bugs.webkit.org/show_bug.cgi?id=180438
1840         <rdar://problem/35862342>
1841
1842         Reviewed by Yusuke Suzuki.
1843
1844         A couple of inspector methods that take stack traces need
1845         to grab the JSLock.
1846
1847         * inspector/ScriptCallStackFactory.cpp:
1848         (Inspector::createScriptCallStack):
1849         (Inspector::createScriptCallStackForConsole):
1850
1851 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
1852
1853         Switch windows build to Visual Studio 2017
1854         https://bugs.webkit.org/show_bug.cgi?id=172412
1855
1856         Reviewed by Per Arne Vollan.
1857
1858         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1859
1860 2017-12-05  JF Bastien  <jfbastien@apple.com>
1861
1862         WebAssembly: don't eagerly checksum
1863         https://bugs.webkit.org/show_bug.cgi?id=180441
1864         <rdar://problem/35156628>
1865
1866         Reviewed by Saam Barati.
1867
1868         Make checksumming of module optional for now. The bots think the
1869         checksum hurt compile-time. I'd measured it and couldn't see a
1870         difference, and still can't at this point in time, but we'll see
1871         if disabling it fixes the bots. If so then I can make it lazy upon
1872         first backtrace construction, or I can try out MD5 instead of
1873         SHA1.
1874
1875         * runtime/Options.h:
1876         * wasm/WasmModuleInformation.cpp:
1877         (JSC::Wasm::ModuleInformation::ModuleInformation):
1878         * wasm/WasmModuleInformation.h:
1879         * wasm/WasmNameSection.h:
1880         (JSC::Wasm::NameSection::NameSection):
1881
1882 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1883
1884         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
1885         https://bugs.webkit.org/show_bug.cgi?id=180425
1886
1887         Reviewed by Saam Barati.
1888         
1889         Failure to do so causes leaks after starting workers.
1890
1891         * heap/IsoAlignedMemoryAllocator.cpp:
1892         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1893         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1894
1895 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
1896
1897         [Win64] Compile error in testmasm.cpp.
1898         https://bugs.webkit.org/show_bug.cgi?id=180436
1899
1900         Reviewed by Mark Lam.
1901
1902         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
1903         
1904         * assembler/testmasm.cpp:
1905         (JSC::testGetEffectiveAddress):
1906
1907 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
1908
1909         GC constraint solving should be parallel
1910         https://bugs.webkit.org/show_bug.cgi?id=179934
1911
1912         Reviewed by JF Bastien.
1913         
1914         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
1915         speed-up. It's more than 1% on trunk-Speedometer.
1916         
1917         The constraint solver supports running constraints in parallel in two different ways:
1918         
1919         - Run multiple constraints in parallel to each other. This only works for constraints that can
1920           tolerate other constraints running concurrently to them (constraint.concurrency() ==
1921           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
1922           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
1923           could probably make them concurrent, but I'm playing it safe for now.
1924         
1925         - A constraint can create parallel work for itself, which the constraint solver will interleave
1926           with other stuff. A constraint can report that it has parallel work by returning
1927           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
1928           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
1929           for as long as that function wants to run.
1930         
1931         It's not possible to have a non-concurrent constraint that creates parallel work.
1932         
1933         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
1934         most natural for two reasons:
1935         
1936         - No need to start any other threads.
1937         
1938         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
1939           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
1940           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
1941           thread, that thread will have work it can start doing immediately. Before this change, we had to
1942           contribute the work found by the constraint solver to the global worklist so that it could be
1943           distributed to the marker threads by load balancing. This change probably helps to avoid that
1944           load balancing step.
1945         
1946         A lot of this change is about making it easy to iterate GC data structures in parallel. This
1947         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
1948         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
1949         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
1950         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
1951         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
1952         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
1953         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
1954         done is indicated by null).
1955         
1956         * API/JSMarkingConstraintPrivate.cpp:
1957         (JSContextGroupAddMarkingConstraint):
1958         * API/JSVirtualMachine.mm:
1959         (scanExternalObjectGraph):
1960         (scanExternalRememberedSet):
1961         * JavaScriptCore.xcodeproj/project.pbxproj:
1962         * Sources.txt:
1963         * bytecode/AccessCase.cpp:
1964         (JSC::AccessCase::propagateTransitions const):
1965         * bytecode/CodeBlock.cpp:
1966         (JSC::CodeBlock::visitWeakly):
1967         (JSC::CodeBlock::shouldJettisonDueToOldAge):
1968         (JSC::shouldMarkTransition):
1969         (JSC::CodeBlock::propagateTransitions):
1970         (JSC::CodeBlock::determineLiveness):
1971         * dfg/DFGWorklist.cpp:
1972         * ftl/FTLCompile.cpp:
1973         (JSC::FTL::compile):
1974         * heap/ConstraintParallelism.h: Added.
1975         (WTF::printInternal):
1976         * heap/Heap.cpp:
1977         (JSC::Heap::Heap):
1978         (JSC::Heap::addToRememberedSet):
1979         (JSC::Heap::runFixpointPhase):
1980         (JSC::Heap::stopThePeriphery):
1981         (JSC::Heap::resumeThePeriphery):
1982         (JSC::Heap::addCoreConstraints):
1983         (JSC::Heap::setBonusVisitorTask):
1984         (JSC::Heap::runTaskInParallel):
1985         (JSC::Heap::forEachSlotVisitor): Deleted.
1986         * heap/Heap.h:
1987         (JSC::Heap::worldIsRunning const):
1988         (JSC::Heap::runFunctionInParallel):
1989         * heap/HeapInlines.h:
1990         (JSC::Heap::worldIsStopped const):
1991         (JSC::Heap::isMarked):
1992         (JSC::Heap::incrementDeferralDepth):
1993         (JSC::Heap::decrementDeferralDepth):
1994         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
1995         (JSC::Heap::forEachSlotVisitor):
1996         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
1997         (JSC::Heap::isMarkedConcurrently): Deleted.
1998         * heap/HeapSnapshotBuilder.cpp:
1999         (JSC::HeapSnapshotBuilder::appendNode):
2000         * heap/LargeAllocation.h:
2001         (JSC::LargeAllocation::isMarked):
2002         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2003         * heap/LockDuringMarking.h:
2004         (JSC::lockDuringMarking):
2005         * heap/MarkedAllocator.cpp:
2006         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2007         * heap/MarkedAllocator.h:
2008         * heap/MarkedBlock.h:
2009         (JSC::MarkedBlock::aboutToMark):
2010         (JSC::MarkedBlock::isMarked):
2011         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2012         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2013         * heap/MarkedSpace.h:
2014         (JSC::MarkedSpace::activeWeakSetsBegin):
2015         (JSC::MarkedSpace::activeWeakSetsEnd):
2016         (JSC::MarkedSpace::newActiveWeakSetsBegin):
2017         (JSC::MarkedSpace::newActiveWeakSetsEnd):
2018         * heap/MarkingConstraint.cpp:
2019         (JSC::MarkingConstraint::MarkingConstraint):
2020         (JSC::MarkingConstraint::execute):
2021         (JSC::MarkingConstraint::quickWorkEstimate):
2022         (JSC::MarkingConstraint::workEstimate):
2023         (JSC::MarkingConstraint::doParallelWork):
2024         (JSC::MarkingConstraint::finishParallelWork):
2025         (JSC::MarkingConstraint::doParallelWorkImpl):
2026         (JSC::MarkingConstraint::finishParallelWorkImpl):
2027         * heap/MarkingConstraint.h:
2028         (JSC::MarkingConstraint::lastExecuteParallelism const):
2029         (JSC::MarkingConstraint::parallelism const):
2030         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2031         (JSC::MarkingConstraint::workEstimate): Deleted.
2032         * heap/MarkingConstraintSet.cpp:
2033         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2034         (JSC::MarkingConstraintSet::add):
2035         (JSC::MarkingConstraintSet::executeConvergence):
2036         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2037         (JSC::MarkingConstraintSet::executeAll):
2038         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2039         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2040         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2041         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2042         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2043         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2044         (): Deleted.
2045         * heap/MarkingConstraintSet.h:
2046         * heap/MarkingConstraintSolver.cpp: Added.
2047         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2048         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2049         (JSC::MarkingConstraintSolver::didVisitSomething const):
2050         (JSC::MarkingConstraintSolver::execute):
2051         (JSC::MarkingConstraintSolver::drain):
2052         (JSC::MarkingConstraintSolver::converge):
2053         (JSC::MarkingConstraintSolver::runExecutionThread):
2054         (JSC::MarkingConstraintSolver::didExecute):
2055         * heap/MarkingConstraintSolver.h: Added.
2056         * heap/OpaqueRootSet.h: Removed.
2057         * heap/ParallelSourceAdapter.h: Added.
2058         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2059         (JSC::createParallelSourceAdapter):
2060         * heap/SimpleMarkingConstraint.cpp: Added.
2061         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2062         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2063         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2064         (JSC::SimpleMarkingConstraint::executeImpl):
2065         * heap/SimpleMarkingConstraint.h: Added.
2066         * heap/SlotVisitor.cpp:
2067         (JSC::SlotVisitor::didStartMarking):
2068         (JSC::SlotVisitor::reset):
2069         (JSC::SlotVisitor::appendToMarkStack):
2070         (JSC::SlotVisitor::visitChildren):
2071         (JSC::SlotVisitor::updateMutatorIsStopped):
2072         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2073         (JSC::SlotVisitor::drain):
2074         (JSC::SlotVisitor::performIncrementOfDraining):
2075         (JSC::SlotVisitor::didReachTermination):
2076         (JSC::SlotVisitor::hasWork):
2077         (JSC::SlotVisitor::drainFromShared):
2078         (JSC::SlotVisitor::drainInParallelPassively):
2079         (JSC::SlotVisitor::waitForTermination):
2080         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
2081         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
2082         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
2083         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
2084         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
2085         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
2086         * heap/SlotVisitor.h:
2087         * heap/SlotVisitorInlines.h:
2088         (JSC::SlotVisitor::addOpaqueRoot):
2089         (JSC::SlotVisitor::containsOpaqueRoot const):
2090         (JSC::SlotVisitor::vm):
2091         (JSC::SlotVisitor::vm const):
2092         * heap/Subspace.cpp:
2093         (JSC::Subspace::parallelAllocatorSource):
2094         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
2095         * heap/Subspace.h:
2096         * heap/SubspaceInlines.h:
2097         (JSC::Subspace::forEachMarkedCellInParallel):
2098         * heap/VisitCounter.h: Added.
2099         (JSC::VisitCounter::VisitCounter):
2100         (JSC::VisitCounter::visitCount const):
2101         * heap/VisitingTimeout.h: Removed.
2102         * heap/WeakBlock.cpp:
2103         (JSC::WeakBlock::specializedVisit):
2104         * runtime/Structure.cpp:
2105         (JSC::Structure::isCheapDuringGC):
2106         (JSC::Structure::markIfCheap):
2107
2108 2017-12-04  JF Bastien  <jfbastien@apple.com>
2109
2110         Math: don't redundantly check for exceptions, just release scope
2111         https://bugs.webkit.org/show_bug.cgi?id=180395
2112
2113         Rubber stamped by Mark Lam.
2114
2115         Two of the exception checks could just have been exception scope
2116         releases before the return, which is ever-so-slightly more
2117         efficient. The same technically applies where we have loops over
2118         parameters, but doing the scope release there isn't really more
2119         efficient and is way harder to read.
2120
2121         * runtime/MathObject.cpp:
2122         (JSC::mathProtoFuncATan2):
2123         (JSC::mathProtoFuncPow):
2124
2125 2017-12-04  David Quesada  <david_quesada@apple.com>
2126
2127         Add a class for parsing application manifests
2128         https://bugs.webkit.org/show_bug.cgi?id=177973
2129         rdar://problem/34747949
2130
2131         Reviewed by Geoffrey Garen.
2132
2133         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
2134
2135 2017-12-04  JF Bastien  <jfbastien@apple.com>
2136
2137         Update std::expected to match libc++ coding style
2138         https://bugs.webkit.org/show_bug.cgi?id=180264
2139
2140         Reviewed by Alex Christensen.
2141
2142         Update various uses of Expected.
2143
2144         * wasm/WasmModule.h:
2145         * wasm/WasmModuleParser.cpp:
2146         (JSC::Wasm::ModuleParser::parseImport):
2147         (JSC::Wasm::ModuleParser::parseTableHelper):
2148         (JSC::Wasm::ModuleParser::parseTable):
2149         (JSC::Wasm::ModuleParser::parseMemoryHelper):
2150         * wasm/WasmParser.h:
2151         * wasm/generateWasmValidateInlinesHeader.py:
2152         (loadMacro):
2153         (storeMacro):
2154         * wasm/js/JSWebAssemblyModule.cpp:
2155         (JSC::JSWebAssemblyModule::createStub):
2156         * wasm/js/JSWebAssemblyModule.h:
2157
2158 2017-12-04  Saam Barati  <sbarati@apple.com>
2159
2160         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
2161         https://bugs.webkit.org/show_bug.cgi?id=180366
2162         <rdar://problem/35685877>
2163
2164         Reviewed by Michael Saboff.
2165
2166         On the TailCall slow path, the CallFrameShuffler will build the frame with
2167         respect to SP instead of FP. However, this may overwrite slots on the stack
2168         that are needed if the slow path C call does a stack walk. The slow path
2169         C call does a stack walk when it throws an exception. This patch fixes
2170         this bug by ensuring that the top of the stack in the FTL always has enough
2171         space to allow CallFrameShuffler to build a frame without overwriting any
2172         items on the stack that are needed when doing a stack walk.
2173
2174         * ftl/FTLLowerDFGToB3.cpp:
2175         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2176
2177 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
2178
2179         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
2180         https://bugs.webkit.org/show_bug.cgi?id=175166
2181         <rdar://problem/34040740>
2182
2183         Reviewed by Joseph Pecoraro.
2184
2185         * inspector/protocol/Recording.json:
2186         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
2187
2188         * inspector/JSGlobalObjectConsoleClient.h:
2189         * inspector/JSGlobalObjectConsoleClient.cpp:
2190         (Inspector::JSGlobalObjectConsoleClient::record):
2191         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
2192
2193         * runtime/ConsoleClient.h:
2194         * runtime/ConsoleObject.cpp:
2195         (JSC::ConsoleObject::finishCreation):
2196         (JSC::consoleProtoFuncRecord):
2197         (JSC::consoleProtoFuncRecordEnd):
2198
2199 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
2200
2201         WTF shouldn't have both Thread and ThreadIdentifier
2202         https://bugs.webkit.org/show_bug.cgi?id=180308
2203
2204         Reviewed by Darin Adler.
2205
2206         * heap/MachineStackMarker.cpp:
2207         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2208         * llint/LLIntSlowPaths.cpp:
2209         (JSC::LLInt::llint_trace_operand):
2210         (JSC::LLInt::llint_trace_value):
2211         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2212         (JSC::LLInt::traceFunctionPrologue):
2213         * runtime/ExceptionScope.cpp:
2214         (JSC::ExceptionScope::unexpectedExceptionMessage):
2215         * runtime/JSLock.h:
2216         (JSC::JSLock::currentThreadIsHoldingLock):
2217         * runtime/VM.cpp:
2218         (JSC::VM::throwException):
2219         * runtime/VM.h:
2220         (JSC::VM::throwingThread const):
2221         (JSC::VM::clearException):
2222         * tools/HeapVerifier.cpp:
2223         (JSC::HeapVerifier::printVerificationHeader):
2224
2225 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
2226
2227         Rename DestroyFunc to avoid redefinition on unified build
2228         https://bugs.webkit.org/show_bug.cgi?id=180335
2229
2230         Reviewed by Filip Pizlo.
2231
2232         Changing DestroyFunc structures to more specific names to avoid
2233         conflicts on unified builds.
2234
2235         * heap/HeapCellType.cpp:
2236         (JSC::HeapCellType::finishSweep):
2237         (JSC::HeapCellType::destroy):
2238         * runtime/JSDestructibleObjectHeapCellType.cpp:
2239         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
2240         (JSC::JSDestructibleObjectHeapCellType::destroy):
2241         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
2242         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
2243         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
2244         * runtime/JSStringHeapCellType.cpp:
2245         (JSC::JSStringHeapCellType::finishSweep):
2246         (JSC::JSStringHeapCellType::destroy):
2247         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
2248         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
2249         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
2250
2251 2017-12-01  JF Bastien  <jfbastien@apple.com>
2252
2253         JavaScriptCore: missing exception checks in Math functions that take more than one argument
2254         https://bugs.webkit.org/show_bug.cgi?id=180297
2255         <rdar://problem/35745556>
2256
2257         Reviewed by Mark Lam.
2258
2259         * runtime/MathObject.cpp:
2260         (JSC::mathProtoFuncATan2):
2261         (JSC::mathProtoFuncMax):
2262         (JSC::mathProtoFuncMin):
2263         (JSC::mathProtoFuncPow):
2264
2265 2017-12-01  Mark Lam  <mark.lam@apple.com>
2266
2267         Let's scramble ClassInfo pointers in cells.
2268         https://bugs.webkit.org/show_bug.cgi?id=180291
2269         <rdar://problem/35807620>
2270
2271         Reviewed by JF Bastien.
2272
2273         * API/JSCallbackObject.h:
2274         * API/JSObjectRef.cpp:
2275         (classInfoPrivate):
2276         * JavaScriptCore.xcodeproj/project.pbxproj:
2277         * Sources.txt:
2278         * assembler/MacroAssemblerCodeRef.cpp:
2279         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
2280         * assembler/MacroAssemblerCodeRef.h:
2281         (JSC::MacroAssemblerCodePtr:: const):
2282         (JSC::MacroAssemblerCodePtr::hash const):
2283         * dfg/DFGSpeculativeJIT.cpp:
2284         (JSC::DFG::SpeculativeJIT::checkArray):
2285         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2286         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2287         * ftl/FTLLowerDFGToB3.cpp:
2288         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2289         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2290         * jit/AssemblyHelpers.h:
2291         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2292         * jit/SpecializedThunkJIT.h:
2293         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2294         * runtime/InitializeThreading.cpp:
2295         (JSC::initializeThreading):
2296         * runtime/JSCScrambledPtr.cpp: Added.
2297         (JSC::initializeScrambledPtrKeys):
2298         * runtime/JSCScrambledPtr.h: Added.
2299         * runtime/JSDestructibleObject.h:
2300         (JSC::JSDestructibleObject::classInfo const):
2301         * runtime/JSSegmentedVariableObject.h:
2302         (JSC::JSSegmentedVariableObject::classInfo const):
2303         * runtime/Structure.h:
2304         * runtime/VM.h:
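
Added example, not WebKit code: a simplified C++ model of the pointer scrambling this entry introduces for ClassInfo pointers (the later entry below applies the same ScrambledPtr idea to MacroAssemblerCodePtr values). The names (g_classInfoKey, makeScrambledPtrKey, the ClassInfo stand-ins, Cell) and the choice of forcing the key's top 16 bits set are assumptions made for illustration, not JSC's actual JSCScrambledPtr implementation.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <random>

// Hypothetical, simplified model of scrambled ClassInfo pointers (not JSC's
// real JSCScrambledPtr). A cell stores (pointer XOR secret key) instead of the
// raw ClassInfo pointer, so a memory-corruption bug that overwrites the field
// with a raw pointer decodes to an unusable address rather than to the
// attacker's fake ClassInfo.

static_assert(sizeof(void*) == 8, "this model assumes 64-bit pointers");

namespace {

uintptr_t g_classInfoKey = 0; // per-process secret, initialized once at startup

// Assumption for this example: the key forces the top 16 bits set, so a raw
// canonical user pointer XORed with it becomes non-canonical and faults if
// dereferenced.
uintptr_t makeScrambledPtrKey()
{
    std::random_device rd;
    uint64_t key = (static_cast<uint64_t>(rd()) << 32) | rd();
    key |= static_cast<uint64_t>(0xffff) << 48;
    return static_cast<uintptr_t>(key);
}

void initializeScrambledPtrKeys()
{
    if (!g_classInfoKey)
        g_classInfoKey = makeScrambledPtrKey();
}

template<typename T, uintptr_t& key>
class ScrambledPtr {
public:
    ScrambledPtr() = default;
    explicit ScrambledPtr(T* ptr) { set(ptr); }

    // Null is stored as 0 so a zeroed cell still reads back as null.
    void set(T* ptr) { m_bits = ptr ? reinterpret_cast<uintptr_t>(ptr) ^ key : 0; }
    T* unscrambled() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ key) : nullptr; }
    uintptr_t bits() const { return m_bits; } // what an arbitrary-read primitive sees

private:
    uintptr_t m_bits { 0 };
};

struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;
};

// Stand-ins for a class hierarchy, constructed for this example.
const ClassInfo kObjectClassInfo { "Object", nullptr };
const ClassInfo kStringObjectClassInfo { "StringObject", &kObjectClassInfo };
const ClassInfo kAttackerClassInfo { "Attacker", nullptr };

struct Cell {
    ScrambledPtr<const ClassInfo, g_classInfoKey> classInfo;
};

Cell makeCell(const ClassInfo* info)
{
    initializeScrambledPtrKeys();
    return Cell { ScrambledPtr<const ClassInfo, g_classInfoKey>(info) };
}

const ClassInfo* classInfoOf(const Cell& cell) { return cell.classInfo.unscrambled(); }

// The kind of check a CheckSubClass emits: walk the parent chain of the
// unscrambled ClassInfo.
bool inherits(const Cell& cell, const ClassInfo* expected)
{
    for (const ClassInfo* info = classInfoOf(cell); info; info = info->parentClass) {
        if (info == expected)
            return true;
    }
    return false;
}

// Could the process actually dereference this value?
bool isCanonicalUserPointer(uintptr_t p) { return (p >> 48) == 0; }

// Simulate an attacker with a write primitive but no knowledge of the key, who
// writes a raw pointer to a fake ClassInfo over the scrambled field.
Cell corruptWithRawPointer(Cell cell, const ClassInfo* fake)
{
    uintptr_t raw = reinterpret_cast<uintptr_t>(fake);
    std::memcpy(&cell.classInfo, &raw, sizeof(raw));
    return cell;
}

} // namespace

int main()
{
    Cell cell = makeCell(&kStringObjectClassInfo);
    assert(classInfoOf(cell) == &kStringObjectClassInfo);
    assert(inherits(cell, &kObjectClassInfo));
    assert(cell.classInfo.bits() != reinterpret_cast<uintptr_t>(&kStringObjectClassInfo));

    Cell corrupted = corruptWithRawPointer(cell, &kAttackerClassInfo);
    uintptr_t where = reinterpret_cast<uintptr_t>(classInfoOf(corrupted));
    assert(!isCanonicalUserPointer(where)); // the forgery decodes to a faulting address
    return 0;
}
```

The last assertion is the property the mitigation buys: without the key, a forged raw pointer in the field decodes to a non-canonical address, so the type check or vtable-style dispatch through it crashes instead of trusting the attacker's object. It buys nothing once the key itself can be read, so the key must not live next to attacker-controllable data.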
2305
2306 2017-12-01  Brian Burg  <bburg@apple.com>
2307
2308         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
2309         https://bugs.webkit.org/show_bug.cgi?id=173662
2310
2311         Reviewed by Joseph Pecoraro.
2312
2313         Adopt new type names. Fix protocol generator to use correct type names.
2314
2315         * inspector/ConsoleMessage.cpp:
2316         (Inspector::ConsoleMessage::addToFrontend):
2317         Improve namings and use 'auto' when the type is obvious and repeated.
2318
2319         * inspector/ContentSearchUtilities.cpp:
2320         (Inspector::ContentSearchUtilities::searchInTextByLines):
2321         * inspector/ContentSearchUtilities.h:
2322         * inspector/InjectedScript.cpp:
2323         (Inspector::InjectedScript::getProperties):
2324         (Inspector::InjectedScript::getDisplayableProperties):
2325         (Inspector::InjectedScript::getInternalProperties):
2326         (Inspector::InjectedScript::getCollectionEntries):
2327         (Inspector::InjectedScript::wrapCallFrames const):
2328         * inspector/InjectedScript.h:
2329         * inspector/InspectorProtocolTypes.h:
2330         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
2331         (Inspector::Protocol::Array::Array): Deleted.
2332         (Inspector::Protocol::Array::openAccessors): Deleted.
2333         (Inspector::Protocol::Array::addItem): Deleted.
2334         (Inspector::Protocol::Array::create): Deleted.
2335         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
2336         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
2337         Move the implementation out of this file.
2338
2339         * inspector/ScriptCallStack.cpp:
2340         (Inspector::ScriptCallStack::buildInspectorArray const):
2341         * inspector/ScriptCallStack.h:
2342         * inspector/agents/InspectorAgent.cpp:
2343         (Inspector::InspectorAgent::activateExtraDomain):
2344         (Inspector::InspectorAgent::activateExtraDomains):
2345         * inspector/agents/InspectorAgent.h:
2346         * inspector/agents/InspectorConsoleAgent.cpp:
2347         (Inspector::InspectorConsoleAgent::getLoggingChannels):
2348         * inspector/agents/InspectorConsoleAgent.h:
2349         * inspector/agents/InspectorDebuggerAgent.cpp:
2350         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
2351         (Inspector::InspectorDebuggerAgent::searchInContent):
2352         (Inspector::InspectorDebuggerAgent::currentCallFrames):
2353         * inspector/agents/InspectorDebuggerAgent.h:
2354         * inspector/agents/InspectorRuntimeAgent.cpp:
2355         (Inspector::InspectorRuntimeAgent::getProperties):
2356         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
2357         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
2358         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
2359         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
2360         * inspector/agents/InspectorRuntimeAgent.h:
2361         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2362         (Inspector::buildSamples):
2363         Use more 'auto' and rename a variable.
2364
2365         * inspector/scripts/codegen/cpp_generator.py:
2366         (CppGenerator.cpp_protocol_type_for_type):
2367         Adopt new type names. This exposed a latent bug where we should have been
2368         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
2369         type may be an array, in which case we would have generated the wrong type.
2370
2371         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2372         (_generate_typedefs_for_domain.JSON):
2373         (_generate_typedefs_for_domain.Inspector): Deleted.
2374         * inspector/scripts/codegen/objc_generator.py:
2375         (ObjCGenerator.protocol_type_for_type):
2376         (ObjCGenerator.objc_protocol_export_expression_for_variable):
2377         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2378         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2379         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2380         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2381         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2382         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2383         Rebaseline.
2384
2385         * runtime/TypeSet.cpp:
2386         (JSC::TypeSet::allStructureRepresentations const):
2387         (JSC::StructureShape::inspectorRepresentation):
2388         * runtime/TypeSet.h:
2389
2390 2017-12-01  Saam Barati  <sbarati@apple.com>
2391
2392         Having a bad time needs to handle ArrayClass indexing type as well
2393         https://bugs.webkit.org/show_bug.cgi?id=180274
2394         <rdar://problem/35667869>
2395
2396         Reviewed by Keith Miller and Mark Lam.
2397
2398         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
2399         Otherwise, we'll end up with the wrong Structure, which will lead us to not
2400         adhere to the spec. The bug was that we were not considering ArrayClass inside 
2401         hasBrokenIndexing. This patch rewrites that function to automatically opt
2402         in non-empty indexing types as broken, instead of having to opt out all
2403         non-empty indexing types besides SlowPutArrayStorage.
2404
2405         * runtime/IndexingType.h:
2406         (JSC::hasSlowPutArrayStorage):
2407         (JSC::shouldUseSlowPut):
2408         * runtime/JSGlobalObject.cpp:
2409         * runtime/JSObject.cpp:
2410         (JSC::JSObject::switchToSlowPutArrayStorage):
2411
2412 2017-12-01  JF Bastien  <jfbastien@apple.com>
2413
2414         WebAssembly: stack trace improvement follow-ups
2415         https://bugs.webkit.org/show_bug.cgi?id=180273
2416
2417         Reviewed by Saam Barati.
2418
2419         * wasm/WasmIndexOrName.cpp:
2420         (JSC::Wasm::makeString):
2421         * wasm/WasmIndexOrName.h:
2422         (JSC::Wasm::IndexOrName::nameSection const):
2423         * wasm/WasmNameSection.h:
2424         (JSC::Wasm::NameSection::NameSection):
2425         (JSC::Wasm::NameSection::get):
2426
2427 2017-12-01  JF Bastien  <jfbastien@apple.com>
2428
2429         WebAssembly: restore cached stack limit after out-call
2430         https://bugs.webkit.org/show_bug.cgi?id=179106
2431         <rdar://problem/35337525>
2432
2433         Reviewed by Saam Barati.
2434
2435         We cache the stack limit on the Instance so that we can do fast
2436         stack checks where required. In regular usage the stack limit
2437         never changes because we always run on the same thread, but in
2438         rare cases an API user can totally migrate which thread (and
2439         therefore stack) is used for execution between WebAssembly
2440         traces. For that reason we set the cached stack limit to
2441         UINTPTR_MAX on the outgoing Instance when transitioning back into
2442         a different Instance. We usually restore the cached stack limit in
2443         Context::store, but this wasn't called on all code paths. We had a
2444         bug where an Instance calling into itself indirectly would
2445         therefore fail to restore its cached stack limit properly.
2446
2447         This patch therefore restores the cached stack limit after direct
2448         calls which could be to imports (both wasm->wasm and
2449         wasm->embedder). We have to do all of them because we have no way
2450         of knowing what imports will do (they're known at instantiation
2451         time, not compilation time, and different instances can have
2452         different imports). To make this efficient we also add a pointer
2453         to the canonical location of the stack limit (i.e. the extra
2454         indirection we're trying to save by caching the stack limit on the
2455         Instance in the first place). This is potentially a small perf hit
2456         on imported direct calls.
2457
2458         It's hard to say what the performance cost will be because we
2459         haven't seen much code in the wild which does this. We're adding
2460         two dependent loads and a store of the loaded value, which is
2461         unlikely to get used soon after. It's more code, but on an
2462         out-of-order processor it doesn't contribute to the critical path.
2463
2464         * wasm/WasmB3IRGenerator.cpp:
2465         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2466         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2467         (JSC::Wasm::B3IRGenerator::addCall):
2468         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2469         * wasm/WasmInstance.cpp:
2470         (JSC::Wasm::Instance::Instance):
2471         (JSC::Wasm::Instance::create):
2472         * wasm/WasmInstance.h:
2473         (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
2474         (JSC::Wasm::Instance::cachedStackLimit const):
2475         (JSC::Wasm::Instance::setCachedStackLimit):
2476         * wasm/js/JSWebAssemblyInstance.cpp:
2477         (JSC::JSWebAssemblyInstance::create):
2478         * wasm/js/WebAssemblyFunction.cpp:
2479         (JSC::callWebAssemblyFunction):
2480
2481 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2482
2483         [JSC] Use JSFixedArray for op_new_array_buffer
2484         https://bugs.webkit.org/show_bug.cgi?id=180084
2485
2486         Reviewed by Saam Barati.
2487
2488         For op_new_array_buffer, we have a special constant buffer in CodeBlock.
2489         But using JSFixedArray is better because,
2490
2491         1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
2492            If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as a JS constant.
2493
2494         2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
2495            has JSFixedArray, we can just emit a held JSFixedArray.
2496
2497         3. We can reduce the length of op_new_array_buffer since JSFixedArray holds this.
2498
2499         4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.
2500
2501         5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
2502            DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
2503            will be introduced in [1].
2504
2505         [1]: https://bugs.webkit.org/show_bug.cgi?id=179762
2506
2507         * bytecode/BytecodeDumper.cpp:
2508         (JSC::BytecodeDumper<Block>::dumpBytecode):
2509         * bytecode/BytecodeList.json:
2510         * bytecode/BytecodeUseDef.h:
2511         (JSC::computeUsesForBytecodeOffset):
2512         * bytecode/CodeBlock.cpp:
2513         (JSC::CodeBlock::finishCreation):
2514         * bytecode/CodeBlock.h:
2515         (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
2516         (JSC::CodeBlock::addConstantBuffer): Deleted.
2517         (JSC::CodeBlock::constantBufferAsVector): Deleted.
2518         (JSC::CodeBlock::constantBuffer): Deleted.
2519         * bytecode/UnlinkedCodeBlock.cpp:
2520         (JSC::UnlinkedCodeBlock::shrinkToFit):
2521         * bytecode/UnlinkedCodeBlock.h:
2522         (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
2523         (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
2524         (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
2525         (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
2526         * bytecompiler/BytecodeGenerator.cpp:
2527         (JSC::BytecodeGenerator::emitNewArray):
2528         (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
2529         * bytecompiler/BytecodeGenerator.h:
2530         * dfg/DFGByteCodeParser.cpp:
2531         (JSC::DFG::ByteCodeParser::parseBlock):
2532         (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
2533         (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
2534         (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
2535         (JSC::DFG::ConstantBufferKey::hash const): Deleted.
2536         (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
2537         (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
2538         (JSC::DFG::ConstantBufferKey::index const): Deleted.
2539         (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
2540         (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
2541         * dfg/DFGClobberize.h:
2542         (JSC::DFG::clobberize):
2543         * dfg/DFGGraph.cpp:
2544         (JSC::DFG::Graph::dump):
2545         * dfg/DFGGraph.h:
2546         * dfg/DFGNode.h:
2547         (JSC::DFG::Node::hasNewArrayBufferData):
2548         (JSC::DFG::Node::newArrayBufferData):
2549         (JSC::DFG::Node::hasVectorLengthHint):
2550         (JSC::DFG::Node::vectorLengthHint):
2551         (JSC::DFG::Node::indexingType):
2552         (JSC::DFG::Node::hasCellOperand):
2553         (JSC::DFG::Node::OpInfoWrapper::operator=):
2554         (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
2555         (JSC::DFG::Node::hasConstantBuffer): Deleted.
2556         (JSC::DFG::Node::startConstant): Deleted.
2557         (JSC::DFG::Node::numConstants): Deleted.
2558         * dfg/DFGOperations.cpp:
2559         * dfg/DFGOperations.h:
2560         * dfg/DFGSpeculativeJIT.h:
2561         (JSC::DFG::SpeculativeJIT::callOperation):
2562         * dfg/DFGSpeculativeJIT32_64.cpp:
2563         (JSC::DFG::SpeculativeJIT::compile):
2564         * dfg/DFGSpeculativeJIT64.cpp:
2565         (JSC::DFG::SpeculativeJIT::compile):
2566         * ftl/FTLLowerDFGToB3.cpp:
2567         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
2568         * jit/JIT.cpp:
2569         (JSC::JIT::privateCompileMainPass):
2570         * jit/JIT.h:
2571         * jit/JITOpcodes.cpp:
2572         (JSC::JIT::emit_op_new_array_buffer): Deleted.
2573         * jit/JITOperations.cpp:
2574         * jit/JITOperations.h:
2575         * llint/LLIntSlowPaths.cpp:
2576         * llint/LLIntSlowPaths.h:
2577         * llint/LowLevelInterpreter.asm:
2578         * runtime/CommonSlowPaths.cpp:
2579         (JSC::SLOW_PATH_DECL):
2580         * runtime/CommonSlowPaths.h:
2581         * runtime/JSFixedArray.cpp:
2582         (JSC::JSFixedArray::dumpToStream):
2583         * runtime/JSFixedArray.h:
2584         (JSC::JSFixedArray::create):
2585         (JSC::JSFixedArray::get const):
2586         (JSC::JSFixedArray::set):
2587         (JSC::JSFixedArray::buffer const):
2588         (JSC::JSFixedArray::values const):
2589         (JSC::JSFixedArray::length const):
2590         (JSC::JSFixedArray::get): Deleted.
2591
2592 2017-11-30  JF Bastien  <jfbastien@apple.com>
2593
2594         WebAssembly: improve stack trace
2595         https://bugs.webkit.org/show_bug.cgi?id=179343
2596
2597         Reviewed by Saam Barati.
2598
2599         Stack traces now include:
2600
2601           - Module name, if provided by the name section.
2602           - Module SHA1 hash if no name was provided
2603           - Stub identification, to differentiate from user code
2604           - Slightly different naming to match design from:
2605               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
2606
2607         * interpreter/StackVisitor.cpp:
2608         (JSC::StackVisitor::Frame::functionName const):
2609         * runtime/StackFrame.cpp:
2610         (JSC::StackFrame::functionName const):
2611         (JSC::StackFrame::visitChildren):
2612         * wasm/WasmIndexOrName.cpp:
2613         (JSC::Wasm::IndexOrName::IndexOrName):
2614         (JSC::Wasm::makeString):
2615         * wasm/WasmIndexOrName.h:
2616         (JSC::Wasm::IndexOrName::nameSection const):
2617         * wasm/WasmModuleInformation.cpp:
2618         (JSC::Wasm::ModuleInformation::ModuleInformation):
2619         * wasm/WasmModuleInformation.h:
2620         * wasm/WasmNameSection.h:
2621         (JSC::Wasm::NameSection::NameSection):
2622         (JSC::Wasm::NameSection::get):
2623         * wasm/WasmNameSectionParser.cpp:
2624         (JSC::Wasm::NameSectionParser::parse):
2625
2626 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
2627
2628         Make LegacyCustomProtocolManager optional for network process
2629         https://bugs.webkit.org/show_bug.cgi?id=176230
2630
2631         Reviewed by Alex Christensen.
2632
2633         * Configurations/FeatureDefines.xcconfig:
2634
2635 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2636
2637         [JSC] Remove easy toRemove & map.remove() use in OAS phase
2638         https://bugs.webkit.org/show_bug.cgi?id=180208
2639
2640         Reviewed by Mark Lam.
2641
2642         In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
2643         to optimize this common pattern. This patch only modifies apparent ones.
2644         But we can apply this refactoring further to OAS phase in the future.
2645
2646         One thing we should be careful about is that the predicate of removeIf should not touch the
2647         set it is removing from. In this patch, we apply this change to (1) apparently
2648         correct ones and (2) things in the DFG OAS phase since it is very slow.
2649
2650         * b3/B3MoveConstants.cpp:
2651         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2652
2653 2017-11-30  Commit Queue  <commit-queue@webkit.org>
2654
2655         Unreviewed, rolling out r225362.
2656         https://bugs.webkit.org/show_bug.cgi?id=180225
2657
2658         removeIf predicate function can touch remove target set
2659         (Requested by yusukesuzuki on #webkit).
2660
2661         Reverted changeset:
2662
2663         "[JSC] Remove easy toRemove & map.remove() use"
2664         https://bugs.webkit.org/show_bug.cgi?id=180208
2665         https://trac.webkit.org/changeset/225362
2666
2667 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2668
2669         [JSC] Use AllocatorIfExists for MaterializeNewObject
2670         https://bugs.webkit.org/show_bug.cgi?id=180189
2671
2672         Reviewed by Filip Pizlo.
2673
2674         I don't think anyone guarantees this allocator exists at this phase.
2675         And nullptr allocator just works here. We change AllocatorForMode
2676         to AllocatorIfExists to accept nullptr for allocator.
2677
2678         * ftl/FTLLowerDFGToB3.cpp:
2679         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2680
2681 2017-11-30  Mark Lam  <mark.lam@apple.com>
2682
2683         Let's scramble MacroAssemblerCodePtr values.
2684         https://bugs.webkit.org/show_bug.cgi?id=180169
2685         <rdar://problem/35758340>
2686
2687         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
2688
2689         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
2690
2691         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
2692            template argument type that will be used to cast the result.  This makes the
2693            client code that uses these functions a little less verbose.
2694
2695         3. Change the code base in general to minimize passing void* code pointers around.
2696            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
2697            at the last moment when we need the underlying code pointer.
2698
        4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
           default.  I'm leaving them in because they are instrumental in finding bugs
           where not all MacroAssemblerCodePtr values were scrambled as expected.
           I expect them to be useful in the near future as we add more scrambling.
2703
2704         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
2705            explicit casts to a boolean).  This ensures that clients will always explicitly
2706            use scrambledBits() or executableAddress() to get a value based on which value
2707            they actually need.
2708
        6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
2710            This was helpful when debugging tests that ran multiple VMs concurrently on
2711            different threads.
2712
2713         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
2714         CLoop).  It is not yet supported in 32-bit and Windows because we don't
2715         currently have a way to read a global variable from their LLInt code.
2716
2717         * assembler/AbstractMacroAssembler.h:
2718         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2719         (JSC::AbstractMacroAssembler::linkPointer):
2720         * assembler/CodeLocation.h:
2721         (JSC::CodeLocationCommon::instructionAtOffset):
2722         (JSC::CodeLocationCommon::labelAtOffset):
2723         (JSC::CodeLocationCommon::jumpAtOffset):
2724         (JSC::CodeLocationCommon::callAtOffset):
2725         (JSC::CodeLocationCommon::nearCallAtOffset):
2726         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
2727         (JSC::CodeLocationCommon::dataLabel32AtOffset):
2728         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
2729         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2730         * assembler/LinkBuffer.cpp:
2731         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2732         * assembler/LinkBuffer.h:
2733         (JSC::LinkBuffer::link):
2734         (JSC::LinkBuffer::patch):
2735         * assembler/MacroAssemblerCodeRef.cpp:
2736         (JSC::MacroAssemblerCodePtr::initialize):
2737         * assembler/MacroAssemblerCodeRef.h:
2738         (JSC::FunctionPtr::FunctionPtr):
2739         (JSC::FunctionPtr::value const):
2740         (JSC::FunctionPtr::executableAddress const):
2741         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2742         (JSC::ReturnAddressPtr::value const):
2743         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2744         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2745         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2746         (JSC::MacroAssemblerCodePtr:: const):
2747         (JSC::MacroAssemblerCodePtr::operator! const):
2748         (JSC::MacroAssemblerCodePtr::operator bool const):
2749         (JSC::MacroAssemblerCodePtr::operator== const):
2750         (JSC::MacroAssemblerCodePtr::hash const):
2751         (JSC::MacroAssemblerCodePtr::emptyValue):
2752         (JSC::MacroAssemblerCodePtr::deletedValue):
2753         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
2754         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
2755         * b3/B3LowerMacros.cpp:
2756         * b3/testb3.cpp:
2757         (JSC::B3::testInterpreter):
2758         * dfg/DFGDisassembler.cpp:
2759         (JSC::DFG::Disassembler::dumpDisassembly):
2760         * dfg/DFGJITCompiler.cpp:
2761         (JSC::DFG::JITCompiler::link):
2762         (JSC::DFG::JITCompiler::compileFunction):
2763         * dfg/DFGOperations.cpp:
2764         * dfg/DFGSpeculativeJIT.cpp:
2765         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2766         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2767         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2768         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2769         * dfg/DFGSpeculativeJIT.h:
2770         * disassembler/Disassembler.cpp:
2771         (JSC::disassemble):
2772         * disassembler/UDis86Disassembler.cpp:
2773         (JSC::tryToDisassembleWithUDis86):
2774         * ftl/FTLCompile.cpp:
2775         (JSC::FTL::compile):
2776         * ftl/FTLJITCode.cpp:
2777         (JSC::FTL::JITCode::executableAddressAtOffset):
2778         * ftl/FTLLink.cpp:
2779         (JSC::FTL::link):
2780         * ftl/FTLLowerDFGToB3.cpp:
2781         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
2782         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2783         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2784         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2785         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2786         * interpreter/InterpreterInlines.h:
2787         (JSC::Interpreter::getOpcodeID):
2788         * jit/JITArithmetic.cpp:
2789         (JSC::JIT::emitMathICFast):
2790         (JSC::JIT::emitMathICSlow):
2791         * jit/JITCode.cpp:
2792         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2793         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
2794         (JSC::JITCodeWithCodeRef::offsetOf):
2795         * jit/JITDisassembler.cpp:
2796         (JSC::JITDisassembler::dumpDisassembly):
2797         * jit/PCToCodeOriginMap.cpp:
2798         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2799         * jit/Repatch.cpp:
2800         (JSC::ftlThunkAwareRepatchCall):
2801         * jit/ThunkGenerators.cpp:
2802         (JSC::virtualThunkFor):
2803         (JSC::boundThisNoArgsFunctionCallGenerator):
2804         * llint/LLIntSlowPaths.cpp:
2805         (JSC::LLInt::llint_trace_operand):
2806         (JSC::LLInt::llint_trace_value):
2807         (JSC::LLInt::handleHostCall):
2808         (JSC::LLInt::setUpCall):
2809         * llint/LowLevelInterpreter64.asm:
2810         * offlineasm/cloop.rb:
2811         * runtime/InitializeThreading.cpp:
2812         (JSC::initializeThreading):
2813         * wasm/WasmBBQPlan.cpp:
2814         (JSC::Wasm::BBQPlan::complete):
2815         * wasm/WasmCallee.h:
2816         (JSC::Wasm::Callee::entrypoint const):
2817         * wasm/WasmCodeBlock.cpp:
2818         (JSC::Wasm::CodeBlock::CodeBlock):
2819         * wasm/WasmOMGPlan.cpp:
2820         (JSC::Wasm::OMGPlan::work):
2821         * wasm/js/WasmToJS.cpp:
2822         (JSC::Wasm::wasmToJS):
2823         * wasm/js/WebAssemblyFunction.cpp:
2824         (JSC::callWebAssemblyFunction):
2825         * wasm/js/WebAssemblyFunction.h:
2826         * wasm/js/WebAssemblyWrapperFunction.cpp:
2827         (JSC::WebAssemblyWrapperFunction::create):
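
The following is an added illustration of the scrambling idea in the entry above; it is not JSC's ScrambledPtr or MacroAssemblerCodePtr, and the names (demo::ScrambledPtr, scrambleKey, looksScrambled, square) are invented here. It assumes the scheme is XOR with a per-process random key, which the entry does not spell out. It keeps the raw code address out of memory, descrambles only at the call site, refuses implicit conversion to a raw pointer, and shows the kind of paranoid check item 4 refers to: a value that lacks the key's forced top bit was never scrambled.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

// Toy ScrambledPtr for illustration only; not JSC's class. Assumption: the raw
// address is stored XORed with a per-process random key, so a memory disclosure
// of the object yields only scrambled bits, and a raw pointer smuggled into the
// field fails the paranoid check below.
namespace demo {

static_assert(sizeof(uintptr_t) == 8, "this example assumes 64-bit pointers");

inline uintptr_t scrambleKey()
{
    // Generated once per process. The top bit is forced on so scrambled values
    // never look like canonical user-space addresses and a pointer never
    // scrambles to itself.
    static const uintptr_t key = [] {
        std::random_device rd;
        uintptr_t k = (uintptr_t(rd()) << 32) ^ uintptr_t(rd());
        return k | (uintptr_t(1) << 63);
    }();
    return key;
}

template<typename T>
class ScrambledPtr {
public:
    ScrambledPtr() : m_bits(0) { }
    explicit ScrambledPtr(T* ptr)
        : m_bits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ scrambleKey() : 0) { }

    // Descramble only at the point of use; the raw address never sits in memory.
    template<typename U = T>
    U* executableAddress() const
    {
        return m_bits ? reinterpret_cast<U*>(m_bits ^ scrambleKey()) : nullptr;
    }

    uintptr_t scrambledBits() const { return m_bits; }

    // Deliberately no conversion to a raw pointer; only an explicit bool.
    explicit operator bool() const { return m_bits != 0; }
    bool operator!() const { return !m_bits; }
    bool operator==(const ScrambledPtr& other) const { return m_bits == other.m_bits; }

    // Paranoid assert in the spirit of the entry: a non-null scrambled value must
    // carry the key's forced top bit; a raw user-space pointer would not.
    bool looksScrambled() const { return !m_bits || (m_bits >> 63); }

private:
    uintptr_t m_bits;
};

int square(int x) { return x * x; }

// Call through a scrambled code pointer, descrambling at the last moment.
int callSquareViaScrambledPtr(int arg)
{
    ScrambledPtr<int(int)> entry(&square);
    return entry.executableAddress()(arg);
}

bool scrambledBitsDifferFromRaw()
{
    ScrambledPtr<int(int)> entry(&square);
    return entry.scrambledBits() != reinterpret_cast<uintptr_t>(&square)
        && entry.looksScrambled();
}

bool nullStaysNull()
{
    ScrambledPtr<int(int)> empty;
    return !empty && empty.executableAddress() == nullptr && empty.looksScrambled();
}

} // namespace demo

int main()
{
    std::printf("square(7) via scrambled ptr = %d\n", demo::callSquareViaScrambledPtr(7));
    std::printf("scrambled bits differ from raw: %d\n", demo::scrambledBitsDifferFromRaw());
    return 0;
}
```

The point of disabling the raw-pointer conversion is the same as item 5 above: every client has to choose scrambledBits() or executableAddress() explicitly, so a descramble cannot happen by accident in a place where the scrambled form should have been passed along.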
2828
2829 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2830
2831         [JSC] Remove easy toRemove & map.remove() use
2832         https://bugs.webkit.org/show_bug.cgi?id=180208
2833
2834         Reviewed by Mark Lam.
2835
2836         In this patch, we replace Vector<> toRemove & map.remove loop with removeIf,
2837         to optimize this common pattern. This patch only modifies apparent ones.
2838         But we can apply this refactoring further to OAS phase in the future.
2839
2840         * b3/B3MoveConstants.cpp:
2841         * dfg/DFGArgumentsEliminationPhase.cpp:
2842         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2843         * wasm/WasmSignature.cpp:
2844         (JSC::Wasm::SignatureInformation::tryCleanup):
2845
2846 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2847
2848         [JSC] Use getEffectiveAddress more in JSC
2849         https://bugs.webkit.org/show_bug.cgi?id=180154
2850
2851         Reviewed by Mark Lam.
2852
2853         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
2854         And we also add MacroAssembler::negPtr(src, dest) variation.
2855
2856         * assembler/MacroAssembler.h:
2857         (JSC::MacroAssembler::negPtr):
2858         * assembler/MacroAssemblerARM.h:
2859         (JSC::MacroAssemblerARM::neg32):
2860         * assembler/MacroAssemblerARM64.h:
2861         (JSC::MacroAssemblerARM64::neg32):
2862         (JSC::MacroAssemblerARM64::neg64):
2863         * assembler/MacroAssemblerARMv7.h:
2864         (JSC::MacroAssemblerARMv7::neg32):
2865         * assembler/MacroAssemblerMIPS.h:
2866         (JSC::MacroAssemblerMIPS::neg32):
2867         * assembler/MacroAssemblerX86Common.h:
2868         (JSC::MacroAssemblerX86Common::neg32):
2869         * assembler/MacroAssemblerX86_64.h:
2870         (JSC::MacroAssemblerX86_64::neg64):
2871         * dfg/DFGThunks.cpp:
2872         (JSC::DFG::osrEntryThunkGenerator):
2873         * ftl/FTLLowerDFGToB3.cpp:
2874         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2875         * jit/SetupVarargsFrame.cpp:
2876         (JSC::emitSetVarargsFrame):
2877
2878 2017-11-30  Mark Lam  <mark.lam@apple.com>
2879
2880         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2881         https://bugs.webkit.org/show_bug.cgi?id=180219
2882         <rdar://problem/35696536>
2883
2884         Reviewed by Filip Pizlo.
2885
2886         * jsc.cpp:
2887         (functionFlashHeapAccess):
2888
2889 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2890
2891         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2892         https://bugs.webkit.org/show_bug.cgi?id=180190
2893
2894         Reviewed by Mark Lam.
2895
        If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
        path by calling operationHasIndexedProperty. The problem is that
        operationHasIndexedProperty does not account for a negative index. The negative
        index was used as a uint32 array index.
2900
        In this patch we add a path for negative index in operationHasIndexedProperty.
        And rename it to operationHasIndexedPropertyByInt to make the intention clear.
        We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
        since it is only used in DFG and FTL.
2905
        While fixing this bug, we found that our op_in does not record OutOfBound feedback.
        This causes repeated OSR exit and significantly regresses the performance. We opened
        a bug to track this issue [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
2911
2912         * dfg/DFGOperations.cpp:
2913         * dfg/DFGOperations.h:
2914         * dfg/DFGSpeculativeJIT32_64.cpp:
2915         (JSC::DFG::SpeculativeJIT::compile):
2916         * dfg/DFGSpeculativeJIT64.cpp:
2917         (JSC::DFG::SpeculativeJIT::compile):
2918         * ftl/FTLLowerDFGToB3.cpp:
2919         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
2920         * jit/JITOperations.cpp:
2921         * jit/JITOperations.h:
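
The following is an added illustration of the signedness bug in the entry above, not JSC's code: ToyObject, hasIndexedPropertyBuggy and hasIndexedPropertyByInt are invented here and only model a dense indexed part plus named properties. The buggy version reinterprets the int32 index as uint32, so -1 turns into 4294967295 and a property the script stored under the name "-1" is never found; the fixed version sends any negative index to the generic named lookup, which is what the entry describes adding.

```cpp
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Toy model of a JS object for this example: a dense indexed part plus named
// properties. Constructed here; not JSC's JSObject or its butterfly.
struct ToyObject {
    std::vector<double> indexed;
    std::map<std::string, double> named;
};

// The bug the entry describes, modelled: the int32 index is reinterpreted as a
// uint32 array index, so -1 becomes 4294967295, misses the dense part and then
// looks up the wrong name ("4294967295" instead of "-1").
bool hasIndexedPropertyBuggy(const ToyObject& obj, int32_t index)
{
    uint32_t u = static_cast<uint32_t>(index);
    if (u < obj.indexed.size())
        return true;
    return obj.named.count(std::to_string(u)) != 0;
}

// Fixed version in the spirit of operationHasIndexedPropertyByInt: a negative
// int32 is never an array index, so it goes straight to the generic named
// lookup with its own signed string form. Only non-negative values probe the
// dense storage.
bool hasIndexedPropertyByInt(const ToyObject& obj, int32_t index)
{
    if (index < 0)
        return obj.named.count(std::to_string(index)) != 0;
    uint32_t u = static_cast<uint32_t>(index);
    if (u < obj.indexed.size())
        return true;
    return obj.named.count(std::to_string(u)) != 0;
}

// Constructed sample. In JS terms: obj = [10, 20, 30]; obj[-1] = 99; obj[100] = 1.
// obj[-1] creates a property named "-1"; obj[100] is sparse, outside the dense part.
ToyObject makeSample()
{
    ToyObject obj;
    obj.indexed = { 10.0, 20.0, 30.0 };
    obj.named["-1"] = 99.0;
    obj.named["100"] = 1.0;
    return obj;
}
```

The same cast is what makes the bounds check on the fast path safe for non-negative values: `u < size` with an unsigned `u` rejects both out-of-range and (after conversion) negative values, which is exactly why the negative case has to be recognised before the cast rather than after it.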
2922
2923 2017-11-30  Michael Saboff  <msaboff@apple.com>
2924
2925         Allow JSC command line tool to accept UTF8
2926         https://bugs.webkit.org/show_bug.cgi?id=180205
2927
2928         Reviewed by Keith Miller.
2929
2930         This unifies the UTF8 handling of interactive mode with that of source files.
2931
2932         * jsc.cpp:
2933         (runInteractive):
2934
2935 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2936
2937         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
2938         https://bugs.webkit.org/show_bug.cgi?id=180185
2939
2940         Reviewed by Carlos Garcia Campos.
2941
        After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
        But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
        can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
        And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
        DFG node can be emitted if we see that an untaken path includes String + String code.

        This patch fixes Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
        As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
        I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
        original code used before r225314.
2952
2953         * dfg/DFGSpeculativeJIT.cpp:
2954         (JSC::DFG::SpeculativeJIT::compileMakeRope):
2955         * ftl/FTLLowerDFGToB3.cpp:
2956         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
2957
2958 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
2959
2960         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
2961         https://bugs.webkit.org/show_bug.cgi?id=180108
2962
2963         Reviewed by Saam Barati.
2964         
2965         This was creating a vector of things to remove and then removing them. I think I remember writing
2966         this code, and I did that because at the time we did not have removeAllMatching, which is
2967         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
2968         obvious improvement before I did more fundamental things to this code.
2969
2970         * heap/CodeBlockSet.cpp:
2971         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2972
2973 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
2974
2975         GC should support isoheaps
2976         https://bugs.webkit.org/show_bug.cgi?id=179288
2977
2978         Reviewed by Saam Barati.
2979         
2980         This expands the power of the Subspace API in JSC:
2981         
2982         - Everything associated with describing the types of objects is now part of the HeapCellType class.
2983           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
2984           HeapCellType; these are orthogonal things.
2985         
2986         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
2987           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
2988           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
2989           pages but releases the physical pages as part of the respective allocator's scavenging policy
2990           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
2991           IsoSubspace).
2992         
2993         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
2994         for more things.
2995         
2996         This does not have any effect on JetStream (0.18% faster with p = 0.69).
2997
2998         * JavaScriptCore.xcodeproj/project.pbxproj:
2999         * Sources.txt:
3000         * bytecode/AccessCase.cpp:
3001         (JSC::AccessCase::generateImpl):
3002         * bytecode/ObjectAllocationProfileInlines.h:
3003         (JSC::ObjectAllocationProfile::initializeProfile):
3004         * dfg/DFGSpeculativeJIT.cpp:
3005         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3006         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3007         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3008         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3009         * dfg/DFGSpeculativeJIT64.cpp:
3010         (JSC::DFG::SpeculativeJIT::compile):
3011         * ftl/FTLAbstractHeapRepository.h:
3012         * ftl/FTLLowerDFGToB3.cpp:
3013         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3014         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3015         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3016         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3017         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3018         * heap/AlignedMemoryAllocator.cpp:
3019         (JSC::AlignedMemoryAllocator::registerAllocator):
3020         (JSC::AlignedMemoryAllocator::registerSubspace):
3021         * heap/AlignedMemoryAllocator.h:
3022         (JSC::AlignedMemoryAllocator::firstAllocator const):
3023         * heap/AllocationFailureMode.h: Added.
3024         * heap/CompleteSubspace.cpp: Added.
3025         (JSC::CompleteSubspace::CompleteSubspace):
3026         (JSC::CompleteSubspace::~CompleteSubspace):
3027         (JSC::CompleteSubspace::allocatorFor):
3028         (JSC::CompleteSubspace::allocate):
3029         (JSC::CompleteSubspace::allocateNonVirtual):
3030         (JSC::CompleteSubspace::allocatorForSlow):
3031         (JSC::CompleteSubspace::allocateSlow):
3032         (JSC::CompleteSubspace::tryAllocateSlow):
3033         * heap/CompleteSubspace.h: Added.
3034         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
3035         (JSC::CompleteSubspace::allocatorForSizeStep):
3036         (JSC::CompleteSubspace::allocatorForNonVirtual):
3037         * heap/HeapCellType.cpp: Added.
3038         (JSC::HeapCellType::HeapCellType):
3039         (JSC::HeapCellType::~HeapCellType):
3040         (JSC::HeapCellType::finishSweep):
3041         (JSC::HeapCellType::destroy):
3042         * heap/HeapCellType.h: Added.
3043         (JSC::HeapCellType::attributes const):
3044         * heap/IsoAlignedMemoryAllocator.cpp: Added.
3045         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
3046         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3047         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3048         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3049         (JSC::IsoAlignedMemoryAllocator::dump const):
3050         * heap/IsoAlignedMemoryAllocator.h: Added.
3051         * heap/IsoSubspace.cpp: Added.
3052         (JSC::IsoSubspace::IsoSubspace):
3053         (JSC::IsoSubspace::~IsoSubspace):
3054         (JSC::IsoSubspace::allocatorFor):
3055         (JSC::IsoSubspace::allocatorForNonVirtual):
3056         (JSC::IsoSubspace::allocate):
3057         (JSC::IsoSubspace::allocateNonVirtual):
3058         * heap/IsoSubspace.h: Added.
3059         (JSC::IsoSubspace::size const):
3060         * heap/MarkedAllocator.cpp:
3061         (JSC::MarkedAllocator::MarkedAllocator):
3062         (JSC::MarkedAllocator::setSubspace):
3063         (JSC::MarkedAllocator::allocateSlowCase):
3064         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3065         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3066         * heap/MarkedAllocator.h:
3067         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
3068         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
3069         * heap/MarkedAllocatorInlines.h:
3070         (JSC::MarkedAllocator::allocate):
3071         (JSC::MarkedAllocator::tryAllocate): Deleted.
3072         * heap/MarkedBlock.h:
3073         * heap/MarkedBlockInlines.h:
3074         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
3075         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
3076         * heap/MarkedSpace.cpp:
3077         (JSC::MarkedSpace::addMarkedAllocator):
3078         * heap/MarkedSpace.h:
3079         * heap/Subspace.cpp:
3080         (JSC::Subspace::Subspace):
3081         (JSC::Subspace::initialize):
3082         (JSC::Subspace::finishSweep):
3083         (JSC::Subspace::destroy):
3084         (JSC::Subspace::prepareForAllocation):
3085         (JSC::Subspace::findEmptyBlockToSteal):
3086         (): Deleted.
3087         (JSC::Subspace::allocate): Deleted.
3088         (JSC::Subspace::tryAllocate): Deleted.
3089         (JSC::Subspace::allocatorForSlow): Deleted.
3090         (JSC::Subspace::allocateSlow): Deleted.
3091         (JSC::Subspace::tryAllocateSlow): Deleted.
3092         (JSC::Subspace::didAllocate): Deleted.
3093         * heap/Subspace.h:
3094         (JSC::Subspace::heapCellType const):
3095         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
3096         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
3097         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
3098         (JSC::Subspace::allocatorForSizeStep): Deleted.
3099         (JSC::Subspace::tryAllocatorFor): Deleted.
3100         (JSC::Subspace::allocatorFor): Deleted.
3101         * jit/AssemblyHelpers.h:
3102         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3103         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3104         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3105         * jit/JITOpcodes.cpp:
3106         (JSC::JIT::emit_op_new_object):
3107         * runtime/ButterflyInlines.h:
3108         (JSC::Butterfly::createUninitialized):
3109         (JSC::Butterfly::tryCreate):
3110         (JSC::Butterfly::growArrayRight):
3111         * runtime/DirectArguments.cpp:
3112         (JSC::DirectArguments::overrideThings):
3113         * runtime/DirectArguments.h:
3114         (JSC::DirectArguments::subspaceFor):
3115         * runtime/DirectEvalExecutable.h:
3116         * runtime/EvalExecutable.h:
3117         * runtime/ExecutableBase.h:
3118         (JSC::ExecutableBase::subspaceFor):
3119         * runtime/FunctionExecutable.h:
3120         * runtime/GenericArgumentsInlines.h:
3121         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3122         * runtime/HashMapImpl.h:
3123         (JSC::HashMapBuffer::create):
3124         * runtime/IndirectEvalExecutable.h:
3125         * runtime/JSArray.cpp:
3126         (JSC::JSArray::tryCreateUninitializedRestricted):
3127         (JSC::JSArray::unshiftCountSlowCase):
3128         * runtime/JSArray.h:
3129         (JSC::JSArray::tryCreate):
3130         * runtime/JSArrayBufferView.cpp:
3131         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3132         * runtime/JSCell.h:
3133         (JSC::subspaceFor):
3134         * runtime/JSCellInlines.h:
3135         (JSC::JSCell::subspaceFor):
3136         (JSC::tryAllocateCellHelper):
3137         (JSC::allocateCell):
3138         (JSC::tryAllocateCell):
3139         * runtime/JSDestructibleObject.h:
3140         (JSC::JSDestructibleObject::subspaceFor):
3141         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
3142         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3143         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
3144         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3145         (JSC::JSDestructibleObjectHeapCellType::destroy):
3146         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
3147         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
3148         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
3149         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
3150         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
3151         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
3152         * runtime/JSDestructibleObjectSubspace.h: Removed.
3153         * runtime/JSLexicalEnvironment.h:
3154         (JSC::JSLexicalEnvironment::subspaceFor):
3155         * runtime/JSSegmentedVariableObject.h:
3156         (JSC::JSSegmentedVariableObject::subspaceFor):
3157         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
3158         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3159         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
3160         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3161         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3162         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
3163         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
3164         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
3165         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
3166         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
3167         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
3168         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
3169         * runtime/JSString.h:
3170         (JSC::JSString::subspaceFor):
3171         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
3172         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3173         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
3174         (JSC::JSStringHeapCellType::finishSweep):
3175         (JSC::JSStringHeapCellType::destroy):
3176         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
3177         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
3178         (JSC::JSStringSubspace::finishSweep): Deleted.
3179         (JSC::JSStringSubspace::destroy): Deleted.
3180         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
3181         * runtime/JSStringSubspace.cpp: Removed.
3182         * runtime/JSStringSubspace.h: Removed.
3183         * runtime/ModuleProgramExecutable.h:
3184         * runtime/NativeExecutable.h:
3185         * runtime/ProgramExecutable.h:
3186         * runtime/RegExpMatchesArray.h:
3187         (JSC::tryCreateUninitializedRegExpMatchesArray):
3188         * runtime/ScopedArguments.h:
3189         (JSC::ScopedArguments::subspaceFor):
3190         * runtime/VM.cpp:
3191         (JSC::VM::VM):
3192         * runtime/VM.h:
3193         (JSC::VM::gigacageAuxiliarySpace):
3194         * wasm/js/JSWebAssemblyCodeBlock.h:
3195         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
3196         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3197         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
3198         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3199         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3200         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
3201         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
3202         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
3203         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
3204         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
3205         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
3206         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
3207         * wasm/js/JSWebAssemblyMemory.h:
3208         (JSC::JSWebAssemblyMemory::subspaceFor):
3209
3210 2017-11-29  Saam Barati  <sbarati@apple.com>
3211
3212         Remove pointer caging for double arrays
3213         https://bugs.webkit.org/show_bug.cgi?id=180163
3214
3215         Reviewed by Mark Lam.
3216
3217         This patch removes pointer caging from double arrays. Like
3218         my previous removals of pointer caging, this is a security vs
3219         performance tradeoff. We believe that butterflies being allocated
3220         in the cage and with a 32GB runway gives us enough security that
3221         pointer caging the butterfly just for double arrays does not add
3222         enough security benefit for the performance hit it incurs.
3223         
3224         This patch also removes the GetButterflyWithoutCaging node and
3225         the FixedButterflyAccessUncaging phase. The node is no longer needed
3226         because now all GetButterfly nodes are not caged. The phase is removed
3227         since we no longer have two nodes.
3228
3229         * dfg/DFGAbstractInterpreterInlines.h:
3230         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3231         * dfg/DFGArgumentsEliminationPhase.cpp:
3232         * dfg/DFGClobberize.h:
3233         (JSC::DFG::clobberize):
3234         * dfg/DFGDoesGC.cpp:
3235         (JSC::DFG::doesGC):
3236         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
3237         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
3238         * dfg/DFGFixupPhase.cpp:
3239         (JSC::DFG::FixupPhase::fixupNode):
3240         * dfg/DFGHeapLocation.cpp:
3241         (WTF::printInternal):
3242         * dfg/DFGHeapLocation.h:
3243         * dfg/DFGNodeType.h:
3244         * dfg/DFGPlan.cpp:
3245         (JSC::DFG::Plan::compileInThreadImpl):
3246         * dfg/DFGPredictionPropagationPhase.cpp:
3247         * dfg/DFGSafeToExecute.h:
3248         (JSC::DFG::safeToExecute):
3249         * dfg/DFGSpeculativeJIT.cpp:
3250         (JSC::DFG::SpeculativeJIT::compileSpread):
3251         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3252         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3253         * dfg/DFGSpeculativeJIT32_64.cpp:
3254         (JSC::DFG::SpeculativeJIT::compile):
3255         * dfg/DFGSpeculativeJIT64.cpp:
3256         (JSC::DFG::SpeculativeJIT::compile):
3257         * dfg/DFGTypeCheckHoistingPhase.cpp:
3258         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3259         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3260         * ftl/FTLCapabilities.cpp:
3261         (JSC::FTL::canCompile):
3262         * ftl/FTLLowerDFGToB3.cpp:
3263         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3264         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
3265         * jit/JITPropertyAccess.cpp:
3266         (JSC::JIT::emitDoubleLoad):
3267         (JSC::JIT::emitGenericContiguousPutByVal):
3268         * runtime/Butterfly.h:
3269         (JSC::Butterfly::pointer):
3270         (JSC::Butterfly::contiguousDouble):
3271         (JSC::Butterfly::caged): Deleted.
3272         * runtime/ButterflyInlines.h:
3273         (JSC::Butterfly::createOrGrowPropertyStorage):
3274         * runtime/JSObject.cpp:
3275         (JSC::JSObject::ensureLengthSlow):
3276         (JSC::JSObject::reallocateAndShrinkButterfly):
3277
3278 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3279
3280         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3281         https://bugs.webkit.org/show_bug.cgi?id=175447
3282
3283         Reviewed by Carlos Alberto Lopez Perez.
3284
3285         This patch allows DFG JIT to be enabled on MIPS platforms.
3286
3287         * Sources.txt:
3288         * assembler/MIPSAssembler.h:
3289         (JSC::MIPSAssembler::lastSPRegister):
3290         (JSC::MIPSAssembler::numberOfSPRegisters):
3291         (JSC::MIPSAssembler::sprName):
3292         * assembler/MacroAssemblerMIPS.cpp: Added.
3293         (JSC::MacroAssembler::probe):
3294         * assembler/ProbeContext.cpp:
3295         (JSC::Probe::executeProbe):
3296         * assembler/ProbeContext.h:
3297         (JSC::Probe::CPUState::pc):
3298         * assembler/testmasm.cpp:
3299         (JSC::isSpecialGPR):
3300         (JSC::testProbePreservesGPRS):
3301         (JSC::testProbeModifiesStackPointer):
3302         (JSC::testProbeModifiesStackValues):
3303
3304 2017-11-29  Matt Lewis  <jlewis3@apple.com>
3305
3306         Unreviewed, rolling out r225286.
3307
3308         The source files within this patch have been marked as
3309         executable.
3310
3311         Reverted changeset:
3312
3313         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
3314         https://bugs.webkit.org/show_bug.cgi?id=175447
3315         https://trac.webkit.org/changeset/225286
3316
3317 2017-11-29  Alex Christensen  <achristensen@webkit.org>
3318
3319         Fix Mac CMake build.
3320
3321         * PlatformMac.cmake:
3322
3323 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3324
3325         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3326         https://bugs.webkit.org/show_bug.cgi?id=175447
3327
3328         Reviewed by Carlos Alberto Lopez Perez.
3329
3330         This patch allows DFG JIT to be enabled on MIPS platforms.
3331
3332         * Sources.txt:
3333         * assembler/MIPSAssembler.h:
3334         (JSC::MIPSAssembler::lastSPRegister):
3335         (JSC::MIPSAssembler::numberOfSPRegisters):
3336         (JSC::MIPSAssembler::sprName):
3337         * assembler/MacroAssemblerMIPS.cpp: Added.
3338         (JSC::MacroAssembler::probe):
3339         * assembler/ProbeContext.cpp:
3340         (JSC::Probe::executeProbe):
3341         * assembler/ProbeContext.h:
3342         (JSC::Probe::CPUState::pc):
3343         * assembler/testmasm.cpp:
3344         (JSC::isSpecialGPR):
3345         (JSC::testProbePreservesGPRS):
3346         (JSC::testProbeModifiesStackPointer):
3347         (JSC::testProbeModifiesStackValues):
3348
3349 2017-11-28  JF Bastien  <jfbastien@apple.com>
3350
3351         Strict and sloppy functions shouldn't share structure
3352         https://bugs.webkit.org/show_bug.cgi?id=180103
3353         <rdar://problem/35667847>
3354
3355         Reviewed by Saam Barati.
3356
3357         Sloppy and strict functions don't act the same when it comes to
3358         arguments, caller, and callee. Sharing a structure means that
3359         anything that is cached gets shared, and that's incorrect.
3360
3361         * dfg/DFGAbstractInterpreterInlines.h:
3362         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3363         * dfg/DFGSpeculativeJIT.cpp:
3364         (JSC::DFG::SpeculativeJIT::compileNewFunction):
3365         * ftl/FTLLowerDFGToB3.cpp:
3366         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3367         * runtime/FunctionConstructor.cpp:
3368         (JSC::constructFunctionSkippingEvalEnabledCheck):
3369         * runtime/JSFunction.cpp:
3370         (JSC::JSFunction::create): the second ::create is always strict
3371         because it applies to native functions.
3372         * runtime/JSFunctionInlines.h:
3373         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3374         * runtime/JSGlobalObject.cpp:
3375         (JSC::JSGlobalObject::init):
3376         (JSC::JSGlobalObject::visitChildren):
3377         * runtime/JSGlobalObject.h:
3378         (JSC::JSGlobalObject::strictFunctionStructure const):
3379         (JSC::JSGlobalObject::sloppyFunctionStructure const):
3380         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
3381         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
3382         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
3383
3384 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3385
3386         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
3387         https://bugs.webkit.org/show_bug.cgi?id=180070
3388
3389         Reviewed by Saam Barati.
3390
3391         This patch adds getEffectiveAddress in all JIT platforms.
3392         This is an abstracted version of x86 lea.
3393
3394         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
3395
3396         * assembler/MacroAssemblerARM.h:
3397         (JSC::MacroAssemblerARM::getEffectiveAddress):
3398         * assembler/MacroAssemblerARM64.h:
3399         (JSC::MacroAssemblerARM64::getEffectiveAddress):
3400         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
3401         * assembler/MacroAssemblerARMv7.h:
3402         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
3403         * assembler/MacroAssemblerMIPS.h:
3404         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
3405         * assembler/MacroAssemblerX86.h:
3406         (JSC::MacroAssemblerX86::getEffectiveAddress):
3407         * assembler/MacroAssemblerX86_64.h:
3408         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
3409         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
3410         * assembler/testmasm.cpp:
3411         (JSC::testGetEffectiveAddress):
3412         (JSC::run):
3413         * dfg/DFGSpeculativeJIT.cpp:
3414         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3415         * yarr/YarrJIT.cpp:
3416         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
3417         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
3418
3419 2017-11-29  Robin Morisset  <rmorisset@apple.com>
3420
3421         The recursive tail call optimisation is wrong on closures
3422         https://bugs.webkit.org/show_bug.cgi?id=179835
3423
3424         Reviewed by Saam Barati.
3425
3426         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
3427         As a stopgap measure this patch just does not do the optimisation for closures.
3428
3429         * dfg/DFGByteCodeParser.cpp:
3430         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3431
3432 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
3433
3434         Web Inspector: Cleanup Inspector classes be more consistent about using fast malloc / noncopyable
3435         https://bugs.webkit.org/show_bug.cgi?id=180119
3436
3437         Reviewed by Devin Rousso.
3438
3439         * inspector/InjectedScriptManager.h:
3440         * inspector/JSGlobalObjectScriptDebugServer.h:
3441         * inspector/agents/InspectorHeapAgent.h:
3442         * inspector/agents/InspectorRuntimeAgent.h:
3443         * inspector/agents/InspectorScriptProfilerAgent.h:
3444         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3445
3446 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
3447
3448         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
3449         https://bugs.webkit.org/show_bug.cgi?id=179642
3450         <rdar://problem/35517704>
3451
3452         Reviewed by Brian Burg.
3453
3454         * inspector/protocol/Network.json:
3455         Expose the NetworkAgent for a Service Worker inspector.
3456
3457 2017-11-28  Brian Burg  <bburg@apple.com>
3458
3459         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
3460         https://bugs.webkit.org/show_bug.cgi?id=179696
3461
3462         Reviewed by Timothy Hatcher.
3463
3464         * inspector/scripts/codegen/generate_objc_header.py:
3465         (ObjCHeaderGenerator._generate_type_interface):
3466         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3467         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
3468         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
3469         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
3470         * inspector/scripts/codegen/objc_generator.py:
3471         (ObjCGenerator.protocol_type_for_raw_name):
3472         (ObjCGenerator.objc_protocol_export_expression_for_variable):
3473         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
3474         (ObjCGenerator.objc_protocol_import_expression_for_variable):
3475         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
3476         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
3477         (ObjCGenerator.objc_to_protocol_expression_for_member):
3478         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
3479         (ObjCGenerator.protocol_to_objc_expression_for_member):
3480         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
3481         (ObjCGenerator.objc_setter_method_for_member_internal):
3482         (ObjCGenerator.objc_getter_method_for_member_internal):
3483         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3484         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3485         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3486         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3487         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3488         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3489         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3490         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3491         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3492         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3493
3494 2017-11-27  JF Bastien  <jfbastien@apple.com>
3495
3496         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
3497         https://bugs.webkit.org/show_bug.cgi?id=180051
3498         <rdar://problem/35614371>
3499
3500         Reviewed by Saam Barati.
3501
3502         Checking for int32 isn't sufficient when uint32 is expected
3503         afterwards. While we're here, also use Checked<>.
3504
3505         * dfg/DFGAbstractInterpreterInlines.h:
3506         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
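
        The int32/uint32 mismatch this entry describes, shown as an added illustration that is not JavaScriptCore code: a skip count is validated only as "fits in int32", so a negative value survives the check and wraps when it meets unsigned arithmetic. The function names, the argumentCount/numberOfArgumentsToSkip parameters and the CheckedUint32 stand-in for WTF::Checked<> are all constructed for this example.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed example, not JavaScriptCore code. The names below
// (argumentCount, numberOfArgumentsToSkip, restLength*) are hypothetical.

// Minimal stand-in for a checked integer in the spirit of WTF::Checked<>:
// each operation records whether it overflowed, and converting a negative
// int32 to unsigned is reported as an overflow instead of wrapping.
struct CheckedUint32 {
    uint32_t value = 0;
    bool overflowed = false;

    static CheckedUint32 fromInt32(int32_t v)
    {
        CheckedUint32 r;
        if (v < 0)
            r.overflowed = true; // -1 must not silently become 0xFFFFFFFF
        else
            r.value = static_cast<uint32_t>(v);
        return r;
    }

    CheckedUint32 operator-(const CheckedUint32& rhs) const
    {
        CheckedUint32 r;
        r.overflowed = overflowed || rhs.overflowed || rhs.value > value;
        if (!r.overflowed)
            r.value = value - rhs.value;
        return r;
    }
};

// Buggy variant: the only validation is the int32 type itself plus an
// upper-bound comparison. A negative skip count passes both, is converted
// to uint32 at the subtraction, and the result wraps.
uint32_t restLengthBuggy(uint32_t argumentCount, int32_t numberOfArgumentsToSkip)
{
    if (numberOfArgumentsToSkip > 0
        && static_cast<uint32_t>(numberOfArgumentsToSkip) > argumentCount)
        return 0;
    // int32 -> uint32: -1 becomes 4294967295, and 3 - 4294967295 wraps to 4,
    // one element more than the three arguments that actually exist.
    return argumentCount - static_cast<uint32_t>(numberOfArgumentsToSkip);
}

struct RestLength {
    bool valid;      // false: the inputs were rejected
    uint32_t length; // number of arguments the rest parameter collects
};

// Fixed variant: reject the sign before any unsigned arithmetic happens and
// let the checked type report underflow instead of wrapping.
RestLength restLengthChecked(uint32_t argumentCount, int32_t numberOfArgumentsToSkip)
{
    CheckedUint32 skip = CheckedUint32::fromInt32(numberOfArgumentsToSkip);
    if (skip.overflowed)
        return { false, 0 }; // negative skip count is not a valid input at all
    if (skip.value >= argumentCount)
        return { true, 0 };  // the rest parameter collects nothing

    CheckedUint32 total;
    total.value = argumentCount;
    CheckedUint32 length = total - skip;
    if (length.overflowed)
        return { false, 0 };
    return { true, length.value };
}

int main()
{
    std::printf("buggy   (3, -1) -> %u\n", restLengthBuggy(3, -1));
    RestLength r = restLengthChecked(3, -1);
    std::printf("checked (3, -1) -> valid=%d length=%u\n", r.valid, r.length);
    return 0;
}
```

        The fix is the order of operations: decide the sign question while the value is still signed, then do all further arithmetic in a type that flags underflow rather than one that wraps.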
3507
3508 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
3509
3510         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
3511         https://bugs.webkit.org/show_bug.cgi?id=173793
3512
3513         Reviewed by Joseph Pecoraro.
3514
3515         Based on patch by Brian Burg.
3516
3517         * JavaScriptCore.xcodeproj/project.pbxproj:
3518         * Sources.txt:
3519         * bindings/ScriptValue.cpp:
3520         (Inspector::jsToInspectorValue):
3521         (Inspector::toInspectorValue):
3522         (Deprecated::ScriptValue::toInspectorValue const):
3523         * bindings/ScriptValue.h:
3524         * inspector/AsyncStackTrace.cpp:
3525         * inspector/ConsoleMessage.cpp:
3526         * inspector/ContentSearchUtilities.cpp:
3527         * inspector/DeprecatedInspectorValues.cpp: Added.
3528         * inspector/DeprecatedInspectorValues.h: Added.
3529         Keep the old symbols around in JavaScriptCore so that builds with the
3530         public iOS SDK continue to work. These older SDKs include a version of
3531         WebInspector.framework that expects to find InspectorArray and other
3532         symbols in JavaScriptCore.framework.
3533
3534         * inspector/InjectedScript.cpp:
3535         (Inspector::InjectedScript::getFunctionDetails):
3536         (Inspector::InjectedScript::functionDetails):
3537         (Inspector::InjectedScript::getPreview):
3538         (Inspector::InjectedScript::getProperties):
3539         (Inspector::InjectedScript::getDisplayableProperties):
3540         (Inspector::InjectedScript::getInternalProperties):
3541         (Inspector::InjectedScript::getCollectionEntries):
3542         (Inspector::InjectedScript::saveResult):
3543         (Inspector::InjectedScript::wrapCallFrames const):
3544         (Inspector::InjectedScript::wrapObject const):
3545         (Inspector::InjectedScript::wrapTable const):
3546         (Inspector::InjectedScript::previewValue const):
3547         (Inspector::InjectedScript::setExceptionValue):
3548         (Inspector::InjectedScript::clearExceptionValue):
3549         (Inspector::InjectedScript::inspectObject):
3550         (Inspector::InjectedScript::releaseObject):
3551         * inspector/InjectedScriptBase.cpp:
3552         (Inspector::InjectedScriptBase::makeCall):
3553         (Inspector::InjectedScriptBase::makeEvalCall):
3554         * inspector/InjectedScriptBase.h:
3555         * inspector/InjectedScriptManager.cpp:
3556         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3557         * inspector/InspectorBackendDispatcher.cpp:
3558         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
3559         (Inspector::BackendDispatcher::dispatch):
3560         (Inspector::BackendDispatcher::sendResponse):
3561         (Inspector::BackendDispatcher::sendPendingErrors):
3562         (Inspector::BackendDispatcher::getPropertyValue):
3563         (Inspector::castToInteger):
3564         (Inspector::castToNumber):
3565         (Inspector::BackendDispatcher::getInteger):
3566         (Inspector::BackendDispatcher::getDouble):
3567         (Inspector::BackendDispatcher::getString):
3568         (Inspector::BackendDispatcher::getBoolean):
3569         (Inspector::BackendDispatcher::getObject):
3570         (Inspector::BackendDispatcher::getArray):
3571         (Inspector::BackendDispatcher::getValue):
3572         * inspector/InspectorBackendDispatcher.h:
3573         We need to keep around the sendResponse() variant with a parameter that
3574         has the InspectorObject type, as older WebInspector.framework versions
3575         expect this symbol to exist. Introduce a variant with arity 3 that can
3576         be used in TOT so as to avoid having two methods with the same name, arity, and
3577         different parameter types.
3578
3579         When system WebInspector.framework is updated, we can remove the legacy
3580         method variant that uses the InspectorObject type. At that point, we can
3581         transition TOT to use the 2-arity variant, and delete the 3-arity variant
3582         when system WebInspector.framework is updated once more to use the 2-arity one.
3583
3584         * inspector/InspectorProtocolTypes.h:
3585         (Inspector::Protocol::Array::openAccessors):
3586         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
3587         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
3588         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
3589         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
3590         * inspector/ScriptCallFrame.cpp:
3591         * inspector/ScriptCallStack.cpp:
3592         * inspector/agents/InspectorAgent.cpp:
3593         (Inspector::InspectorAgent::inspect):
3594         * inspector/agents/InspectorAgent.h:
3595         * inspector/agents/InspectorDebuggerAgent.cpp:
3596         (Inspector::buildAssertPauseReason):
3597         (Inspector::buildCSPViolationPauseReason):
3598         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3599         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3600         (Inspector::buildObjectForBreakpointCookie):
3601         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3602         (Inspector::parseLocation):
3603         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3604         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3605         (Inspector::InspectorDebuggerAgent::continueToLocation):
3606         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3607         (Inspector::InspectorDebuggerAgent::didParseSource):
3608         (Inspector::InspectorDebuggerAgent::breakProgram):
3609         * inspector/agents/InspectorDebuggerAgent.h:
3610         * inspector/agents/InspectorRuntimeAgent.cpp:
3611         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3612         (Inspector::InspectorRuntimeAgent::saveResult):
3613         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3614         * inspector/agents/InspectorRuntimeAgent.h:
3615         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3616         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
3617         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3618         (CppBackendDispatcherImplementationGenerator.generate_output):
3619         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3620         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3621         (CppFrontendDispatcherHeaderGenerator.generate_output):
3622         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3623         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3624         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3625         (_generate_unchecked_setter_for_member):
3626         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3627         (CppProtocolTypesImplementationGenerator):
3628         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3629         (ObjCBackendDispatcherImplementationGenerator.generate_output):
3630         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3631         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3632         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
3633         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3634         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3635         * inspector/scripts/codegen/generate_objc_internal_header.py:
3636         (ObjCInternalHeaderGenerator.generate_output):
3637         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3638         (ObjCProtocolTypesImplementationGenerator.generate_output):
3639         * inspector/scripts/codegen/generator.py:
3640         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3641         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3642         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3643         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3644         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3645         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3646         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3647         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3648         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3649         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3650         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3651         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3652         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3653         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3654         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3655         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3656         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3657         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3658         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3659         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3660
3661 2017-11-28  Robin Morisset  <rmorisset@apple.com>
3662
3663         Support recursive tail call optimization for polymorphic calls
3664         https://bugs.webkit.org/show_bug.cgi?id=178390
3665
3666         Reviewed by Saam Barati.
3667
3668         Comes with a large but fairly simple refactoring: the inlining paths for varargs and non-varargs calls now converge a lot later,
3669         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
3670
3671         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
3672
3673         * dfg/DFGByteCodeParser.cpp:
3674         (JSC::DFG::ByteCodeParser::handleCall):
3675         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3676         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3677         (JSC::DFG::ByteCodeParser::inlineCall):
3678         (JSC::DFG::ByteCodeParser::handleCallVariant):
3679         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
3680         (JSC::DFG::ByteCodeParser::getInliningBalance):
3681         (JSC::DFG::ByteCodeParser::handleInlining):
3682         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
3683
3684 2017-11-27  Saam Barati  <sbarati@apple.com>
3685
3686         Spread can escape when CreateRest does not
3687         https://bugs.webkit.org/show_bug.cgi?id=180057
3688         <rdar://problem/35676119>
3689
3690         Reviewed by JF Bastien.
3691
3692         We previously did not handle Spread(PhantomCreateRest) only because I did not
3693         think it was possible to generate this IR. I was wrong. We can generate
3694         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
3695         This IR is rare to generate since we normally don't PutStack(Spread) because
3696         the SetLocal almost always gets eliminated because of how our bytecode generates
3697         op_spread. However, there exists a test case showing it is possible. Supporting
3698         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
3699         the Validation rule for Spread.
3700
3701         * dfg/DFGOperations.cpp:
3702         * dfg/DFGOperations.h:
3703         * dfg/DFGValidate.cpp:
3704         * ftl/FTLLowerDFGToB3.cpp:
3705         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3706         * runtime/JSFixedArray.h:
3707         (JSC::JSFixedArray::tryCreate):
3708
3709 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
3710
3711         [CMake][Win] Conditionally select DLL CRT or static CRT
3712         https://bugs.webkit.org/show_bug.cgi?id=170594
3713
3714         Reviewed by Alex Christensen.
3715
3716         * shell/PlatformWin.cmake:
3717
3718 2017-11-27  Saam Barati  <sbarati@apple.com>
3719
3720         Having a bad time watchpoint firing during compilation revealed a racy assertion
3721         https://bugs.webkit.org/show_bug.cgi?id=180048
3722         <rdar://problem/35700009>
3723
3724         Reviewed by Mark Lam.
3725
3726         While a DFG compilation is watching the having a bad time watchpoint, it was
3727         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
3728         However, if the having a bad time watchpoint fires during the compilation,
3729         this particular structure will no longer have ArrayWithContiguous indexing type.
3730         This patch fixes this racy assertion to be aware that the watchpoint may fire
3731         during compilation.
3732
3733         * dfg/DFGSpeculativeJIT.cpp:
3734         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3735         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3736
3737 2017-11-27  Tim Horton  <timothy_horton@apple.com>
3738
3739         One too many zeroes in macOS version number in FeatureDefines
3740         https://bugs.webkit.org/show_bug.cgi?id=180011
3741
3742         Reviewed by Dan Bernstein.
3743
3744         * Configurations/FeatureDefines.xcconfig:
3745
3746 2017-11-27  Robin Morisset  <rmorisset@apple.com>
3747
3748         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
3749         https://bugs.webkit.org/show_bug.cgi?id=179821
3750
3751         Reviewed by Saam Barati.
3752
3753         * dfg/DFGSafeToExecute.h:
3754         (JSC::DFG::safeToExecute):
3755
3756 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3757
3758         [DFG] Add NormalizeMapKey DFG IR
3759         https://bugs.webkit.org/show_bug.cgi?id=179912
3760
3761         Reviewed by Saam Barati.
3762
3763         This patch introduces NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
3764         By separating this from MapHash and Map/Set related operations, we can perform CSE onto that, and we
3765         do not need to call normalizeMapKey conservatively in DFG operations.
3766         This can reduce slow path case in Untyped GetMapBucket since we can normalize keys in DFG/FTL.
3767
3768         * dfg/DFGAbstractInterpreterInlines.h:
3769         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3770         * dfg/DFGByteCodeParser.cpp:
3771         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3772         * dfg/DFGClobberize.h:
3773         (JSC::DFG::clobberize):
3774         * dfg/DFGDoesGC.cpp:
3775         (JSC::DFG::doesGC):
3776         * dfg/DFGFixupPhase.cpp:
3777         (JSC::DFG::FixupPhase::fixupNode):
3778         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
3779         * dfg/DFGNodeType.h:
3780         * dfg/DFGOperations.cpp:
3781         * dfg/DFGPredictionPropagationPhase.cpp:
3782         * dfg/DFGSafeToExecute.h:
3783         (JSC::DFG::safeToExecute):
3784         * dfg/DFGSpeculativeJIT.cpp:
3785         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
3786         * dfg/DFGSpeculativeJIT.h:
3787         * dfg/DFGSpeculativeJIT32_64.cpp:
3788         (JSC::DFG::SpeculativeJIT::compile):
3789         * dfg/DFGSpeculativeJIT64.cpp:
3790         (JSC::DFG::SpeculativeJIT::compile):
3791         * ftl/FTLCapabilities.cpp:
3792         (JSC::FTL::canCompile):
3793         * ftl/FTLLowerDFGToB3.cpp:
3794         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3795         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
3796         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
3797         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3798         * runtime/HashMapImpl.h:
3799
3800 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3801
3802         [FTL] Support DeleteById and DeleteByVal
3803         https://bugs.webkit.org/show_bug.cgi?id=180022
3804
3805         Reviewed by Saam Barati.
3806
3807         We should increase the coverage of FTL. Even if the code includes DeleteById,
3808         it does not mean that the remaining part of the code should not be optimized in FTL.
3809         Right now, even CallEval and `with` scope are handled in FTL.
3810
3811         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
3812         code including them.
3813
3814         * ftl/FTLCapabilities.cpp:
3815         (JSC::FTL::canCompile):
3816         * ftl/FTLLowerDFGToB3.cpp:
3817         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3818         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
3819         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
3820
3821 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3822
3823         [DFG] Introduce {Set,Map,WeakMap}Fields
3824         https://bugs.webkit.org/show_bug.cgi?id=179925
3825
3826         Reviewed by Saam Barati.
3827
3828         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
3829         writes the read-only MiscFields, which is used by various nodes, and makes optimization
3830         conservative.
3831
3832         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
3833
3834         * dfg/DFGAbstractHeap.h:
3835         * dfg/DFGByteCodeParser.cpp:
3836         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3837         * dfg/DFGClobberize.h:
3838         (JSC::DFG::clobberize):
3839         * dfg/DFGHeapLocation.cpp:
3840         (WTF::printInternal):
3841         * dfg/DFGHeapLocation.h:
3842         * dfg/DFGNode.h:
3843         (JSC::DFG::Node::hasBucketOwnerType):
3844
3845 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3846
3847         [JSC] Remove JSStringBuilder
3848         https://bugs.webkit.org/show_bug.cgi?id=180016
3849
3850         Reviewed by Saam Barati.
3851
3852         JSStringBuilder is replaced with WTF::StringBuilder.
3853         This patch removes the remaining uses and drops JSStringBuilder.
3854
3855         * JavaScriptCore.xcodeproj/project.pbxproj:
3856         * runtime/ArrayPrototype.cpp:
3857         * runtime/AsyncFunctionPrototype.cpp:
3858         * runtime/AsyncGeneratorFunctionPrototype.cpp:
3859         * runtime/ErrorPrototype.cpp:
3860         * runtime/FunctionPrototype.cpp:
3861         * runtime/GeneratorFunctionPrototype.cpp:
3862         * runtime/JSGlobalObjectFunctions.cpp:
3863         (JSC::decode):
3864         (JSC::globalFuncEscape):
3865         * runtime/JSStringBuilder.h: Removed.
3866         * runtime/JSStringInlines.h:
3867         (JSC::jsMakeNontrivialString):
3868         * runtime/RegExpPrototype.cpp:
3869         * runtime/StringPrototype.cpp:
3870
3871 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3872
3873         [DFG] Remove GetLocalUnlinked
3874         https://bugs.webkit.org/show_bug.cgi?id=180017
3875
3876         Reviewed by Saam Barati.
3877
3878         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
3879         This patch just removes it.
3880
3881         * dfg/DFGAbstractInterpreterInlines.h:
3882         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3883         * dfg/DFGClobberize.h:
3884         (JSC::DFG::clobberize):
3885         * dfg/DFGCommon.h:
3886         * dfg/DFGDoesGC.cpp:
3887         (JSC::DFG::doesGC):
3888         * dfg/DFGFixupPhase.cpp:
3889         (JSC::DFG::FixupPhase::fixupNode):
3890         * dfg/DFGGraph.cpp:
3891         (JSC::DFG::Graph::dump):
3892         * dfg/DFGNode.h:
3893         (JSC::DFG::Node::hasUnlinkedLocal):
3894         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
3895         (JSC::DFG::Node::convertToGetLocal): Deleted.
3896         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
3897         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
3898         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
3899         * dfg/DFGNodeType.h:
3900         * dfg/DFGPredictionPropagationPhase.cpp:
3901         * dfg/DFGSafeToExecute.h:
3902         (JSC::DFG::safeToExecute):
3903         * dfg/DFGSpeculativeJIT32_64.cpp:
3904         (JSC::DFG::SpeculativeJIT::compile):
3905         * dfg/DFGSpeculativeJIT64.cpp:
3906         (JSC::DFG::SpeculativeJIT::compile):
3907         * dfg/DFGStackLayoutPhase.cpp:
3908         (JSC::DFG::StackLayoutPhase::run):
3909         * dfg/DFGValidate.cpp: