[Linux] Clear WasmMemory with madvise instead of memset
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Linux] Clear WasmMemory with madvise instead of memset
        https://bugs.webkit.org/show_bug.cgi?id=175150

        Reviewed by Filip Pizlo.

        On Linux, zeroing pages with memset populates the backing store.
        Instead, we should use madvise with MADV_DONTNEED. It discards
        the pages, and if you access these pages again, on-demand zero pages
        will be shown.

        We also commit grown pages in all OSes.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::commitZeroPages):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::grow):

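The memset-versus-madvise difference described in the entry above, as an added standalone Linux C program (not code from WebKit's WasmMemory.cpp): it maps an anonymous region, clears it once with memset and once with madvise(MADV_DONTNEED), and uses mincore() to count how many pages stay resident each way; the region length and the 0xA5 fill pattern are chosen here for the demonstration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* exposes mincore(), madvise() and MAP_ANONYMOUS on glibc */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Count the pages of [base, base+len) that mincore() reports as resident. */
static long resident_pages(void *base, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t npages = (len + page - 1) / page;
    unsigned char *vec = malloc(npages);
    if (!vec)
        return -1;
    long n = -1;
    if (mincore(base, len, vec) == 0) {
        n = 0;
        for (size_t i = 0; i < npages; i++)
            n += vec[i] & 1; /* bit 0 set == page currently in core */
    }
    free(vec);
    return n;
}

/* Dirty every byte so the whole region is backed, like guest writes to wasm memory. */
static void fill_pattern(unsigned char *base, size_t len)
{
    for (size_t i = 0; i < len; i++)
        base[i] = (unsigned char)(0xA5 ^ i); /* constructed sample pattern */
}

static int all_zero(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i])
            return 0;
    return 1;
}

struct clear_stats {
    long after_memset;      /* resident pages after clearing with memset */
    long after_madvise;     /* resident pages after madvise(MADV_DONTNEED) */
    int zero_after_madvise; /* 1 if every byte read back as zero afterwards */
};

/* Returns 0 on success and fills *out; -1 if mmap/madvise/mincore failed. */
int compare_clearing(size_t len, struct clear_stats *out)
{
    unsigned char *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    /* 1. memset path: bytes become zero, but every page stays committed. */
    fill_pattern(mem, len);
    memset(mem, 0, len);
    out->after_memset = resident_pages(mem, len);

    /* 2. madvise path: drop the backing store instead of writing zeros. */
    fill_pattern(mem, len);
    if (madvise(mem, len, MADV_DONTNEED) != 0) {
        munmap(mem, len);
        return -1;
    }
    out->after_madvise = resident_pages(mem, len);
    /* Touching the region again faults in fresh zero pages on demand. */
    out->zero_after_madvise = all_zero(mem, len);

    munmap(mem, len);
    return (out->after_memset < 0 || out->after_madvise < 0) ? -1 : 0;
}

/* 1 if MADV_DONTNEED left the region zero-on-read and no more resident than
 * memset did, 0 if not, -1 on syscall failure (e.g. a zero-length region). */
int madvise_clears_cheaper(size_t len)
{
    struct clear_stats s;
    if (compare_clearing(len, &s) != 0)
        return -1;
    return s.zero_after_madvise && s.after_madvise <= s.after_memset;
}

int main(void)
{
    struct clear_stats s;
    size_t len = 64 * (size_t)sysconf(_SC_PAGESIZE);
    if (compare_clearing(len, &s) != 0) {
        perror("compare_clearing");
        return 1;
    }
    printf("resident after memset:  %ld pages\n", s.after_memset);
    printf("resident after madvise: %ld pages (zero on read: %s)\n",
           s.after_madvise, s.zero_after_madvise ? "yes" : "no");
    return 0;
}
```

On a stock Linux kernel the memset pass reports every page resident and the madvise pass reports none, which is the population cost the entry avoids.
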
2017-08-07  Robin Morisset  <rmorisset@apple.com>

        GetOwnProperty of TypedArray indexed fields is wrongly configurable
        https://bugs.webkit.org/show_bug.cgi?id=175307

        Reviewed by Saam Barati.

        ```
        let a = new Uint8Array(10);
        let b = Object.getOwnPropertyDescriptor(a, 0);
        assert(b.configurable === false);
        ```
        should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
        that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
        that says that typed arrays are integer indexed exotic objects.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):

2017-08-07  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175037

        Reviewed by Mark Lam.

        Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

        Also modifies FTL caging to be more defensive when caging is disabled.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (jscmain):
        (primitiveGigacageDisabled): Deleted.

2017-08-06  Filip Pizlo  <fpizlo@apple.com>

        Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
        https://bugs.webkit.org/show_bug.cgi?id=174919

        Reviewed by Keith Miller.

        This adapts JSC to there being two gigacages.

        To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
        singletons. I don't think we were gaining anything by making them be singletons.

        This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
        gigacages. We'll have one of those allocators per cage.

        From there, this change teaches everyone who previously knew about cages that there are two cages.
        This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
        easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
        not so obvious, so this change introduces some helpers to make it easy to define what cage you want
        to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h.

        A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
        CagedPtr. This removes one layer of "get()" calls from a bunch of places.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/FastMallocAlignedMemoryAllocator.cpp:
        (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
        * heap/FastMallocAlignedMemoryAllocator.h:
        * heap/GigacageAlignedMemoryAllocator.cpp:
        (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::dump const):
        (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
        * heap/GigacageAlignedMemoryAllocator.h:
        * jsc.cpp:
        (primitiveGigacageDisabled):
        (jscmain):
        (gigacageDisabled): Deleted.
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::createFromBytes):
        * runtime/AuxiliaryBarrier.h:
        * runtime/ButterflyInlines.h:
        (JSC::Butterfly::createUninitialized):
        (JSC::Butterfly::tryCreate):
        (JSC::Butterfly::growArrayRight):
        * runtime/CagedBarrierPtr.h: Added.
        (JSC::CagedBarrierPtr::CagedBarrierPtr):
        (JSC::CagedBarrierPtr::clear):
        (JSC::CagedBarrierPtr::set):
        (JSC::CagedBarrierPtr::get const):
        (JSC::CagedBarrierPtr::getMayBeNull const):
        (JSC::CagedBarrierPtr::operator== const):
        (JSC::CagedBarrierPtr::operator!= const):
        (JSC::CagedBarrierPtr::operator bool const):
        (JSC::CagedBarrierPtr::setWithoutBarrier):
        (JSC::CagedBarrierPtr::operator* const):
        (JSC::CagedBarrierPtr::operator-> const):
        (JSC::CagedBarrierPtr::operator[] const):
        * runtime/DirectArguments.cpp:
        (JSC::DirectArguments::overrideThings):
        (JSC::DirectArguments::unmapArgument):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::isMappedArgument const):
        * runtime/GenericArguments.h:
        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
        (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
        (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
        * runtime/HashMapImpl.cpp:
        (JSC::HashMapImpl<HashMapBucket>::visitChildren):
        * runtime/HashMapImpl.h:
        (JSC::HashMapBuffer::create):
        (JSC::HashMapImpl::buffer const):
        (JSC::HashMapImpl::rehash):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        (JSC::JSArray::unshiftCountSlowCase):
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::fastSlice):
        (JSC::JSArray::shiftCountWithArrayStorage):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::getOwnPropertySlotByIndex):
        (JSC::JSObject::putByIndex):
        (JSC::JSObject::enterDictionaryIndexingMode):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
        (JSC::JSObject::convertUndecidedToArrayStorage):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToContiguous):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::setIndexQuicklyToUndecided):
        (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
        (JSC::JSObject::deletePropertyByIndex):
        (JSC::JSObject::getOwnPropertyNames):
        (JSC::JSObject::putIndexedDescriptor):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
        (JSC::JSObject::getNewVectorLength):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::reallocateAndShrinkButterfly):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        (JSC::JSObject::getEnumerableLength):
        * runtime/JSObject.h:
        (JSC::JSObject::getArrayLength const):
        (JSC::JSObject::getVectorLength):
        (JSC::JSObject::putDirectIndex):
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::hasSparseMap):
        (JSC::JSObject::inSparseIndexingMode):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):
        (JSC::JSObject::outOfLineStorage const):
        (JSC::JSObject::outOfLineStorage):
        (JSC::JSObject::ensureInt32):
        (JSC::JSObject::ensureDouble):
        (JSC::JSObject::ensureContiguous):
        (JSC::JSObject::ensureArrayStorage):
        (JSC::JSObject::arrayStorage):
        (JSC::JSObject::arrayStorageOrNull):
        (JSC::JSObject::ensureLength):
        * runtime/RegExpMatchesArray.h:
        (JSC::tryCreateUninitializedRegExpMatchesArray):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::primitiveGigacageDisabledCallback):
        (JSC::VM::primitiveGigacageDisabled):
        (JSC::VM::gigacageDisabledCallback): Deleted.
        (JSC::VM::gigacageDisabled): Deleted.
        * runtime/VM.h:
        (JSC::VM::gigacageAuxiliarySpace):
        (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
        (JSC::VM::primitiveGigacageEnabled):
        (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
        (JSC::VM::gigacageEnabled): Deleted.
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::grow):

2017-08-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r220144.
        https://bugs.webkit.org/show_bug.cgi?id=175276

        "It did not actually speed things up in the way I expected"
        (Requested by saamyjoon on #webkit).

        Reverted changeset:

        "On memory-constrained iOS devices, reduce the rate at which
        the JS heap grows before a GC to try to keep more memory
        available for the system"
        https://bugs.webkit.org/show_bug.cgi?id=175041
        http://trac.webkit.org/changeset/220144

2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r220299.

        This change caused LayoutTest inspector/dom-debugger/dom-breakpoints.html
        to fail.

        Reverted changeset:

        "Web Inspector: capture async stack trace when workers/main
        context posts a message"
        https://bugs.webkit.org/show_bug.cgi?id=167084
        http://trac.webkit.org/changeset/220299

2017-08-07  Brian Burg  <bburg@apple.com>

        Remove CANVAS_PATH compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175207

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-08-07  Keith Miller  <keith_miller@apple.com>

        REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
        https://bugs.webkit.org/show_bug.cgi?id=175256

        Reviewed by Saam Barati.

        The check in createFromBytes just needed to check that the buffer was not null before
        calling isCaged.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::createFromBytes):

2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] Add API to provide browser information required by automation
        https://bugs.webkit.org/show_bug.cgi?id=175130

        Reviewed by Brian Burg.

        Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
        get them.

        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
        requested to ensure they are updated before the StartAutomationSession reply is sent.
        * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
        StartAutomationSession message.

2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise resolve and reject function should have length = 1
        https://bugs.webkit.org/show_bug.cgi?id=175242

        Reviewed by Saam Barati.

        Previously we had a separate system for "length" and "name" for builtin functions.
        The builtin functions do not use the lazy reifying system. Instead, they have direct
        properties when instantiated. While a function created for properties (like
        Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
        these builtin functions are just created by JSFunction::create(). Since it does
        not set any values for "length", these functions do not have a "length" property.
        So, the resolve and reject functions passed to Promise's executor do not have
        a "length" property.

        This patch makes builtin functions use the standard lazy reifying system for "length".
        So, the "length" property of a builtin function works just as it does for normal
        functions.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
        * runtime/JSFunction.h:

2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - Implement Async Generator - parser
        https://bugs.webkit.org/show_bug.cgi?id=175210

        Reviewed by Yusuke Suzuki.

        The current implementation is a draft version of Async Iteration.
        Link to the spec: https://tc39.github.io/proposal-async-iteration/

        The current patch implements only the parser part of the Async generator.
        The runtime part will be in the next patches.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::getAsynFunctionBodyParseMode):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::stringArticleForFunctionMode):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        * parser/Parser.h:
        (JSC::Scope::setSourceParseMode):
        * parser/ParserModes.h:
        (JSC::isFunctionParseMode):
        (JSC::isAsyncFunctionParseMode):
        (JSC::isAsyncArrowFunctionParseMode):
        (JSC::isAsyncGeneratorFunctionParseMode):
        (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
        (JSC::isAsyncFunctionWrapperParseMode):
        (JSC::isAsyncFunctionBodyParseMode):
        (JSC::isGeneratorMethodParseMode):
        (JSC::isAsyncMethodParseMode):
        (JSC::isAsyncGeneratorMethodParseMode):
        (JSC::isMethodParseMode):
        (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
        (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):

2017-08-05  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
        https://bugs.webkit.org/show_bug.cgi?id=175083

        Reviewed by Oliver Hunt.

        This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
        even if we are using the pop path.

        Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
        important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
        the world just because we changed it.

        Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
        easier to debug leaks.

        * bytecode/AccessCase.cpp:
        * bytecode/PolymorphicAccess.cpp:
        * heap/HeapCell.cpp:
        (JSC::HeapCell::isLive):
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::isLive): Deleted.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::endMarking):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        * jit/AssemblyHelpers.cpp:
        * jit/Repatch.cpp:
        * runtime/TestRunnerUtils.h:
        * runtime/VM.cpp:
        (JSC::waitForVMDestruction):
        (JSC::VM::~VM):

2017-08-05  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
        https://bugs.webkit.org/show_bug.cgi?id=175228
        <rdar://problem/33735737>

        Reviewed by Saam Barati.

        Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
        delete OSRExit32_64.cpp.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGOSRExit32_64.cpp: Removed.
        * jit/GPRInfo.h:
        (JSC::JSValueSource::payloadGPR const):

2017-08-04  Youenn Fablet  <youenn@apple.com>

        [Cache API] Add Cache and CacheStorage IDL definitions
        https://bugs.webkit.org/show_bug.cgi?id=175201

        Reviewed by Brady Eidson.

        * runtime/CommonIdentifiers.h:

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
        https://bugs.webkit.org/show_bug.cgi?id=175230
        <rdar://problem/33735857>

        Reviewed by Saam Barati.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
        https://bugs.webkit.org/show_bug.cgi?id=175214
        <rdar://problem/33733308>

        Rubber-stamped by Michael Saboff.

        Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
        DFGOSRExitCompiler files.

        Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.

        Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
        used by compileOSRExit(), and will be changed to not be a DFG operation function
        when we use JIT probes for DFG OSR exits later in
        https://bugs.webkit.org/show_bug.cgi?id=175144.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
        * dfg/DFGOSRExitCompiler.cpp: Removed.
        * dfg/DFGOSRExitCompiler.h: Removed.
        * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
        * dfg/DFGOSRExitCompiler64.cpp: Removed.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:

2017-08-04  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
        https://bugs.webkit.org/show_bug.cgi?id=175208
        <rdar://problem/33732402>

        Reviewed by Saam Barati.

        This will minimize the code diff and make it easier to review the patch for
        https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
        steps:

        1. Do the code changes to move methods into OSRExit.
        2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
        3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.

        Splitting this refactoring into these 3 steps also makes it easier to review this
        patch and understand what is being changed.

        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
        (): Deleted.
        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
        (): Deleted.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):

2017-08-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: add source view for WebGL shader programs
        https://bugs.webkit.org/show_bug.cgi?id=138593
        <rdar://problem/18936194>

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
         - Add `ShaderType` enum that contains "vertex" and "fragment".
         - Add `requestShaderSource` command that will return the original source code for a given
           shader program and shader type.

2017-08-03  Filip Pizlo  <fpizlo@apple.com>

        The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
        https://bugs.webkit.org/show_bug.cgi?id=175141

        Reviewed by Mark Lam.

        To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
        decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
        to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
        determined by the AlignedMemoryAllocator object.

        This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
        trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
        Subspaces that both use the same underlying allocator to realize that they can trade blocks with
        each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
        they use the same AlignedMemoryAllocator.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/AlignedMemoryAllocator.cpp: Added.
        (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
        (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
        * heap/AlignedMemoryAllocator.h: Added.
        * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
        (JSC::FastMallocAlignedMemoryAllocator::singleton):
        (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
        (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
        (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::FastMallocAlignedMemoryAllocator::dump const):
        * heap/FastMallocAlignedMemoryAllocator.h: Added.
        * heap/GigacageAlignedMemoryAllocator.cpp: Added.
        (JSC::GigacageAlignedMemoryAllocator::singleton):
        (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::dump const):
        * heap/GigacageAlignedMemoryAllocator.h: Added.
        * heap/GigacageSubspace.cpp: Removed.
        * heap/GigacageSubspace.h: Removed.
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::destroy):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::subspace const):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
        (JSC::MarkedBlock::Handle::subspace const): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::findEmptyBlockToSteal):
        (JSC::Subspace::canTradeBlocksWith): Deleted.
        (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
        (JSC::Subspace::freeAlignedMemory): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::name const):
        (JSC::Subspace::alignedMemoryAllocator const):
        * runtime/JSDestructibleObjectSubspace.cpp:
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
        * runtime/JSDestructibleObjectSubspace.h:
        * runtime/JSSegmentedVariableObjectSubspace.cpp:
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
        * runtime/JSSegmentedVariableObjectSubspace.h:
        * runtime/JSStringSubspace.cpp:
        (JSC::JSStringSubspace::JSStringSubspace):
        * runtime/JSStringSubspace.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - update feature.json
        https://bugs.webkit.org/show_bug.cgi?id=175197

        Reviewed by Yusuke Suzuki.

        Update feature.json to add the status of Async Iteration.

        * features.json:

674 2017-08-04  Matt Lewis  <jlewis3@apple.com>
675
676         Unreviewed, rolling out r220271.
677
678         Rolling out due to Layout Test failing on iOS Simulator.
679
680         Reverted changeset:
681
682         "Remove STREAMS_API compilation guard"
683         https://bugs.webkit.org/show_bug.cgi?id=175165
684         http://trac.webkit.org/changeset/220271
685
686 2017-08-04  Youenn Fablet  <youenn@apple.com>
687
688         Remove STREAMS_API compilation guard
689         https://bugs.webkit.org/show_bug.cgi?id=175165
690
691         Reviewed by Darin Adler.
692
693         * Configurations/FeatureDefines.xcconfig:
694
695 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
696
697         [EsNext] Async iteration - Add feature flag
698         https://bugs.webkit.org/show_bug.cgi?id=166694
699
700         Reviewed by Yusuke Suzuki.
701
702         Add a feature flag to JSC to switch Async Iterator on/off
703
704         * runtime/Options.h:
705
706 2017-08-03  Brian Burg  <bburg@apple.com>
707
708         Remove ENABLE(WEB_SOCKET) guards
709         https://bugs.webkit.org/show_bug.cgi?id=167044
710
711         Reviewed by Joseph Pecoraro.
712
713         * Configurations/FeatureDefines.xcconfig:
714
715 2017-08-03  Youenn Fablet  <youenn@apple.com>
716
717         Remove FETCH_API compilation guard
718         https://bugs.webkit.org/show_bug.cgi?id=175154
719
720         Reviewed by Chris Dumez.
721
722         * Configurations/FeatureDefines.xcconfig:
723
724 2017-08-03  Matt Baker  <mattbaker@apple.com>
725
726         Web Inspector: Instrument WebGLProgram created/deleted
727         https://bugs.webkit.org/show_bug.cgi?id=175059
728
729         Reviewed by Devin Rousso.
730
731         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
732
733         * inspector/protocol/Canvas.json:
734
735 2017-08-03  Brady Eidson  <beidson@apple.com>
736
737         Add SW IDLs and stub out basic functionality.
738         https://bugs.webkit.org/show_bug.cgi?id=175115
739
740         Reviewed by Chris Dumez.
741
742         * Configurations/FeatureDefines.xcconfig:
743
744         * runtime/CommonIdentifiers.h:
745
746 2017-08-03  Mark Lam  <mark.lam@apple.com>
747
748         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
749         https://bugs.webkit.org/show_bug.cgi?id=175142
750         <rdar://problem/33704528>
751
752         Reviewed by Filip Pizlo.
753
754         The convention in the rest of JSC for such methods which return the address of
755         a field is to name them "addressOf<field name>".  We'll rename
756         ScratchBuffer::activeLengthPtr to be consistent with this convention.
757
758         * dfg/DFGSpeculativeJIT.cpp:
759         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
760         * dfg/DFGSpeculativeJIT32_64.cpp:
761         (JSC::DFG::SpeculativeJIT::compile):
762         * dfg/DFGSpeculativeJIT64.cpp:
763         (JSC::DFG::SpeculativeJIT::compile):
764         * dfg/DFGThunks.cpp:
765         (JSC::DFG::osrExitGenerationThunkGenerator):
766         * ftl/FTLLowerDFGToB3.cpp:
767         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
768         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
769         * ftl/FTLThunks.cpp:
770         (JSC::FTL::genericGenerationThunkGenerator):
771         * jit/AssemblyHelpers.cpp:
772         (JSC::AssemblyHelpers::debugCall):
773         * jit/ScratchRegisterAllocator.cpp:
774         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
775         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
776         * runtime/VM.h:
777         (JSC::ScratchBuffer::addressOfActiveLength):
778         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
779         * wasm/WasmBinding.cpp:
780         (JSC::Wasm::wasmToJs):
781
782 2017-08-02  Devin Rousso  <drousso@apple.com>
783
784         Web Inspector: add stack trace information for each RecordingAction
785         https://bugs.webkit.org/show_bug.cgi?id=174663
786
787         Reviewed by Joseph Pecoraro.
788
789         * inspector/ScriptCallFrame.h:
790         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
791         with an existing value doesn't require a functor and can use existing code.
792
793         * interpreter/StackVisitor.h:
794         * interpreter/StackVisitor.cpp:
795         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
796
797 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
798
799         Merge WTFThreadData to Thread::current
800         https://bugs.webkit.org/show_bug.cgi?id=174716
801
802         Reviewed by Mark Lam.
803
804         Use Thread::current() instead.
805
806         * API/JSContext.mm:
807         (+[JSContext currentContext]):
808         (+[JSContext currentThis]):
809         (+[JSContext currentCallee]):
810         (+[JSContext currentArguments]):
811         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
812         (-[JSContext endCallbackWithData:]):
813         * heap/Heap.cpp:
814         (JSC::Heap::requestCollection):
815         * runtime/Completion.cpp:
816         (JSC::checkSyntax):
817         (JSC::checkModuleSyntax):
818         (JSC::evaluate):
819         (JSC::loadAndEvaluateModule):
820         (JSC::loadModule):
821         (JSC::linkAndEvaluateModule):
822         (JSC::importModule):
823         * runtime/Identifier.cpp:
824         (JSC::Identifier::checkCurrentAtomicStringTable):
825         * runtime/InitializeThreading.cpp:
826         (JSC::initializeThreading):
827         * runtime/JSLock.cpp:
828         (JSC::JSLock::didAcquireLock):
829         (JSC::JSLock::willReleaseLock):
830         (JSC::JSLock::dropAllLocks):
831         (JSC::JSLock::grabAllLocks):
832         * runtime/JSLock.h:
833         * runtime/VM.cpp:
834         (JSC::VM::VM):
835         (JSC::VM::updateStackLimits):
836         (JSC::VM::committedStackByteCount):
837         * runtime/VM.h:
838         (JSC::VM::isSafeToRecurse const):
839         * runtime/VMEntryScope.cpp:
840         (JSC::VMEntryScope::VMEntryScope):
841         * runtime/VMInlines.h:
842         (JSC::VM::ensureStackCapacityFor):
843         * yarr/YarrPattern.cpp:
844         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
845
846 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
847
848         LLInt should do pointer caging
849         https://bugs.webkit.org/show_bug.cgi?id=175036
850
851         Reviewed by Keith Miller.
852
853         Implementing this in the LLInt was challenging because offlineasm did not previously know
854         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
855         to be where the Gigacage is enabled right now.
856
857         * llint/LLIntOfflineAsmConfig.h:
858         * llint/LowLevelInterpreter64.asm:
859         * offlineasm/ast.rb:
860         * offlineasm/x86.rb:
861
862 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
863
864         Sweeping should only scribble when sweeping to free list
865         https://bugs.webkit.org/show_bug.cgi?id=175105
866
867         Reviewed by Saam Barati.
868         
869         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
870         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
871         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
872         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
873         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
874         when it doesn't matter anyway because we're building a free list.
875         
876         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
877         zap.
878
879         * heap/MarkedBlockInlines.h:
880         (JSC::MarkedBlock::Handle::specializedSweep):
881
882 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
883
884         All C++ accesses to JSObject::m_butterfly should do caging
885         https://bugs.webkit.org/show_bug.cgi?id=175039
886
887         Reviewed by Keith Miller.
888         
889         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
890         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
891         outside the gigacage.
892
893         * runtime/JSArray.cpp:
894         (JSC::JSArray::setLength):
895         (JSC::JSArray::pop):
896         (JSC::JSArray::push):
897         (JSC::JSArray::shiftCountWithAnyIndexingType):
898         (JSC::JSArray::unshiftCountWithAnyIndexingType):
899         (JSC::JSArray::fillArgList):
900         (JSC::JSArray::copyToArguments):
901         * runtime/JSObject.cpp:
902         (JSC::JSObject::heapSnapshot):
903         (JSC::JSObject::createInitialIndexedStorage):
904         (JSC::JSObject::createArrayStorage):
905         (JSC::JSObject::convertUndecidedToInt32):
906         (JSC::JSObject::convertUndecidedToDouble):
907         (JSC::JSObject::convertUndecidedToContiguous):
908         (JSC::JSObject::convertInt32ToDouble):
909         (JSC::JSObject::convertInt32ToArrayStorage):
910         (JSC::JSObject::convertDoubleToContiguous):
911         (JSC::JSObject::convertDoubleToArrayStorage):
912         (JSC::JSObject::convertContiguousToArrayStorage):
913         (JSC::JSObject::defineOwnIndexedProperty):
914         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
915         (JSC::JSObject::ensureLengthSlow):
916         (JSC::JSObject::allocateMoreOutOfLineStorage):
917         * runtime/JSObject.h:
918         (JSC::JSObject::canGetIndexQuickly):
919         (JSC::JSObject::getIndexQuickly):
920         (JSC::JSObject::tryGetIndexQuickly const):
921         (JSC::JSObject::canSetIndexQuickly):
922         (JSC::JSObject::setIndexQuickly):
923         (JSC::JSObject::initializeIndex):
924         (JSC::JSObject::initializeIndexWithoutBarrier):
925         (JSC::JSObject::butterfly const):
926         (JSC::JSObject::butterfly):
927
928 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
929
930         We should be OK with the gigacage being disabled on gmalloc
931         https://bugs.webkit.org/show_bug.cgi?id=175082
932
933         Reviewed by Michael Saboff.
934
935         * jsc.cpp:
936         (jscmain):
937
938 2017-08-02  Saam Barati  <sbarati@apple.com>
939
940         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
941         https://bugs.webkit.org/show_bug.cgi?id=175041
942         <rdar://problem/33659370>
943
944         Reviewed by Filip Pizlo.
945
946         The testing I have done shows that this new function is a ~10%
947         progression running JetStream on 1GB iOS devices. I've also tried
948         this on a few > 1GB iOS devices, and the testing shows this is either neutral
949         or a regression. Right now, we'll just enable this for <= 1GB devices
950         since it's a win. In the future, we might want to either look into
951         tweaking these parameters or coming up with a new function for > 1GB
952         devices.
953
954         * heap/Heap.cpp:
955         * runtime/Options.h:
956
957 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
958
959         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
960         https://bugs.webkit.org/show_bug.cgi?id=174727
961
962         Reviewed by Mark Lam.
963         
964         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
965         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
966         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
967         
968         This is neutral on JetStream.
969
970         * CMakeLists.txt:
971         * JavaScriptCore.xcodeproj/project.pbxproj:
972         * b3/B3InsertionSet.cpp:
973         (JSC::B3::InsertionSet::execute):
974         * dfg/DFGAbstractInterpreterInlines.h:
975         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
976         * dfg/DFGArgumentsEliminationPhase.cpp:
977         * dfg/DFGClobberize.cpp:
978         (JSC::DFG::readsOverlap):
979         * dfg/DFGClobberize.h:
980         (JSC::DFG::clobberize):
981         * dfg/DFGDoesGC.cpp:
982         (JSC::DFG::doesGC):
983         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
984         (JSC::DFG::performFixedButterflyAccessUncaging):
985         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
986         * dfg/DFGFixupPhase.cpp:
987         (JSC::DFG::FixupPhase::fixupNode):
988         * dfg/DFGHeapLocation.cpp:
989         (WTF::printInternal):
990         * dfg/DFGHeapLocation.h:
991         * dfg/DFGNodeType.h:
992         * dfg/DFGPlan.cpp:
993         (JSC::DFG::Plan::compileInThreadImpl):
994         * dfg/DFGPredictionPropagationPhase.cpp:
995         * dfg/DFGSafeToExecute.h:
996         (JSC::DFG::safeToExecute):
997         * dfg/DFGSpeculativeJIT.cpp:
998         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
999         * dfg/DFGSpeculativeJIT32_64.cpp:
1000         (JSC::DFG::SpeculativeJIT::compile):
1001         * dfg/DFGSpeculativeJIT64.cpp:
1002         (JSC::DFG::SpeculativeJIT::compile):
1003         * dfg/DFGTypeCheckHoistingPhase.cpp:
1004         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1005         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1006         * ftl/FTLCapabilities.cpp:
1007         (JSC::FTL::canCompile):
1008         * ftl/FTLLowerDFGToB3.cpp:
1009         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1010         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1011         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1012         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1013         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1014         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1015         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1016         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1017         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
1018         (JSC::FTL::DFG::LowerDFGToB3::caged):
1019         * heap/GigacageSubspace.cpp: Added.
1020         (JSC::GigacageSubspace::GigacageSubspace):
1021         (JSC::GigacageSubspace::~GigacageSubspace):
1022         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
1023         (JSC::GigacageSubspace::freeAlignedMemory):
1024         (JSC::GigacageSubspace::canTradeBlocksWith):
1025         * heap/GigacageSubspace.h: Added.
1026         * heap/Heap.cpp:
1027         (JSC::Heap::Heap):
1028         (JSC::Heap::lastChanceToFinalize):
1029         (JSC::Heap::finalize):
1030         (JSC::Heap::sweepInFinalize):
1031         (JSC::Heap::updateAllocationLimits):
1032         (JSC::Heap::shouldDoFullCollection):
1033         (JSC::Heap::collectIfNecessaryOrDefer):
1034         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
1035         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
1036         (JSC::Heap::sweepLargeAllocations): Deleted.
1037         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
1038         * heap/Heap.h:
1039         * heap/LargeAllocation.cpp:
1040         (JSC::LargeAllocation::tryCreate):
1041         (JSC::LargeAllocation::destroy):
1042         * heap/MarkedAllocator.cpp:
1043         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1044         (JSC::MarkedAllocator::tryAllocateBlock):
1045         * heap/MarkedBlock.cpp:
1046         (JSC::MarkedBlock::tryCreate):
1047         (JSC::MarkedBlock::Handle::Handle):
1048         (JSC::MarkedBlock::Handle::~Handle):
1049         (JSC::MarkedBlock::Handle::didAddToAllocator):
1050         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1051         * heap/MarkedBlock.h:
1052         (JSC::MarkedBlock::Handle::subspace const):
1053         * heap/MarkedSpace.cpp:
1054         (JSC::MarkedSpace::~MarkedSpace):
1055         (JSC::MarkedSpace::freeMemory):
1056         (JSC::MarkedSpace::prepareForAllocation):
1057         (JSC::MarkedSpace::addMarkedAllocator):
1058         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
1059         * heap/MarkedSpace.h:
1060         (JSC::MarkedSpace::firstAllocator const):
1061         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
1062         * heap/Subspace.cpp:
1063         (JSC::Subspace::Subspace):
1064         (JSC::Subspace::canTradeBlocksWith):
1065         (JSC::Subspace::tryAllocateAlignedMemory):
1066         (JSC::Subspace::freeAlignedMemory):
1067         (JSC::Subspace::prepareForAllocation):
1068         (JSC::Subspace::findEmptyBlockToSteal):
1069         * heap/Subspace.h:
1070         (JSC::Subspace::didCreateFirstAllocator):
1071         * heap/SubspaceInlines.h:
1072         (JSC::Subspace::forEachAllocator):
1073         (JSC::Subspace::forEachMarkedBlock):
1074         (JSC::Subspace::forEachNotEmptyMarkedBlock):
1075         * jit/JITPropertyAccess.cpp:
1076         (JSC::JIT::emitDoubleLoad):
1077         (JSC::JIT::emitContiguousLoad):
1078         (JSC::JIT::emitArrayStorageLoad):
1079         (JSC::JIT::emitGenericContiguousPutByVal):
1080         (JSC::JIT::emitArrayStoragePutByVal):
1081         (JSC::JIT::emit_op_get_from_scope):
1082         (JSC::JIT::emit_op_put_to_scope):
1083         (JSC::JIT::emitIntTypedArrayGetByVal):
1084         (JSC::JIT::emitFloatTypedArrayGetByVal):
1085         (JSC::JIT::emitIntTypedArrayPutByVal):
1086         (JSC::JIT::emitFloatTypedArrayPutByVal):
1087         * jsc.cpp:
1088         (fillBufferWithContentsOfFile):
1089         (functionReadFile):
1090         (gigacageDisabled):
1091         (jscmain):
1092         * llint/LowLevelInterpreter64.asm:
1093         * runtime/ArrayBuffer.cpp:
1094         (JSC::ArrayBufferContents::tryAllocate):
1095         (JSC::ArrayBuffer::createAdopted):
1096         (JSC::ArrayBuffer::createFromBytes):
1097         (JSC::ArrayBuffer::tryCreate):
1098         * runtime/IndexingHeader.h:
1099         * runtime/InitializeThreading.cpp:
1100         (JSC::initializeThreading):
1101         * runtime/JSArrayBuffer.cpp:
1102         * runtime/JSArrayBufferView.cpp:
1103         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1104         (JSC::JSArrayBufferView::finalize):
1105         * runtime/JSLock.cpp:
1106         (JSC::JSLock::didAcquireLock):
1107         * runtime/JSObject.h:
1108         * runtime/Options.cpp:
1109         (JSC::recomputeDependentOptions):
1110         * runtime/Options.h:
1111         * runtime/ScopedArgumentsTable.h:
1112         * runtime/VM.cpp:
1113         (JSC::VM::VM):
1114         (JSC::VM::~VM):
1115         (JSC::VM::gigacageDisabledCallback):
1116         (JSC::VM::gigacageDisabled):
1117         * runtime/VM.h:
1118         (JSC::VM::fireGigacageEnabledIfNecessary):
1119         (JSC::VM::gigacageEnabled):
1120         * wasm/WasmB3IRGenerator.cpp:
1121         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1122         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1123         * wasm/WasmCodeBlock.cpp:
1124         (JSC::Wasm::CodeBlock::isSafeToRun):
1125         * wasm/WasmMemory.cpp:
1126         (JSC::Wasm::makeString):
1127         (JSC::Wasm::Memory::create):
1128         (JSC::Wasm::Memory::~Memory):
1129         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
1130         (JSC::Wasm::Memory::grow):
1131         (JSC::Wasm::Memory::initializePreallocations): Deleted.
1132         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
1133         * wasm/WasmMemory.h:
1134         * wasm/js/JSWebAssemblyInstance.cpp:
1135         (JSC::JSWebAssemblyInstance::create):
1136         * wasm/js/JSWebAssemblyMemory.cpp:
1137         (JSC::JSWebAssemblyMemory::grow):
1138         (JSC::JSWebAssemblyMemory::finishCreation):
1139         * wasm/js/JSWebAssemblyMemory.h:
1140         (JSC::JSWebAssemblyMemory::subspaceFor):
1141
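        The masking mentioned in this entry ("we do masking to ensure that the pointer points into the gigacage") and the CagedPtr<> adoption in the JSObject::m_butterfly entry above share one idea: a pointer read out of the heap is forced back into the cage before use, so a rewired butterfly pointer cannot reach memory outside it. The following is an added C++ illustration of that idea, not WebKit's Gigacage or CagedPtr<> code; it assumes a hypothetical 64 KiB heap buffer as the cage and uses base + ((ptr - base) & mask), which coincides with masking the raw pointer bits when the cage base is aligned to its size.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// Constructed illustration of pointer caging (added example; not WebKit's
// Gigacage or CagedPtr<> implementation). A cage is one contiguous region
// whose size is a power of two; every pointer read out of a CagedPtr is
// masked so that it can only resolve to an address inside that region,
// whatever value memory corruption may have written into it.
struct Cage {
    uintptr_t base;  // first address of the cage region
    uintptr_t mask;  // size - 1, with size a power of two
};

// Masks an address into the cage. With an aligned base this is the same as
// base + (raw & mask); the subtract form also works for the unaligned demo
// buffer below. The result always lies in [base, base + size).
inline uintptr_t cageAddress(const Cage& cage, uintptr_t raw)
{
    return cage.base + ((raw - cage.base) & cage.mask);
}

inline bool isInCage(const Cage& cage, uintptr_t addr)
{
    return addr - cage.base <= cage.mask;
}

// Hypothetical cage carved out of a 64 KiB heap buffer. A real implementation
// reserves a multi-GB virtual-memory region at startup instead.
inline const Cage& demoCage()
{
    static std::vector<uint8_t> storage(1u << 16);
    static const Cage cage { reinterpret_cast<uintptr_t>(storage.data()), (1u << 16) - 1 };
    return cage;
}

// Pointer wrapper that applies the mask on every dereference.
template<typename T>
class CagedPtr {
public:
    CagedPtr(const Cage& cage, T* ptr)
        : m_cage(&cage), m_raw(reinterpret_cast<uintptr_t>(ptr)) { }

    // The only accessor C++ code should use: the raw bits are masked first.
    T* get() const { return reinterpret_cast<T*>(cageAddress(*m_cage, m_raw)); }

    // Stands in for memory corruption overwriting the stored pointer bits.
    void simulateCorruption(uintptr_t value) { m_raw = value; }

private:
    const Cage* m_cage;
    uintptr_t m_raw;
};

struct CagingDemoResult {
    bool honestPointerUnchanged;  // a pointer already inside the cage resolves to itself
    bool corruptedPointerInCage;  // a rewired pointer is pulled back inside the cage
    bool outsideTargetUntouched;  // a write through it never reaches the outside target
};

// Models the butterfly case from the entry: the object's storage lives in the
// cage, the pointer to it gets rewired to memory outside the cage, and the
// masked access still cannot leave the cage.
inline CagingDemoResult runCagingDemo()
{
    const Cage& cage = demoCage();
    uint8_t* storage = reinterpret_cast<uint8_t*>(cage.base);
    CagingDemoResult result {};

    uint8_t* butterfly = storage + 4096;  // lives inside the cage
    CagedPtr<uint8_t> caged(cage, butterfly);
    result.honestPointerUnchanged = caged.get() == butterfly;

    static uint8_t outsideTarget[16];     // memory the rewired pointer aims at
    std::memset(outsideTarget, 0x11, sizeof outsideTarget);
    caged.simulateCorruption(reinterpret_cast<uintptr_t>(outsideTarget));

    uint8_t* resolved = caged.get();
    result.corruptedPointerInCage = isInCage(cage, reinterpret_cast<uintptr_t>(resolved));
    *resolved = 0x22;  // lands somewhere inside the cage, never on outsideTarget
    result.outsideTargetUntouched = outsideTarget[0] == 0x11;
    return result;
}

int main()
{
    CagingDemoResult r = runCagingDemo();
    std::printf("honest pointer unchanged: %d\n", r.honestPointerUnchanged);
    std::printf("corrupted pointer caged:  %d\n", r.corruptedPointerInCage);
    std::printf("outside target untouched: %d\n", r.outsideTargetUntouched);
    return 0;
}
```

        The point of the demo is the last two flags: the corrupted pointer is not detected or rejected, it is simply made harmless, because the masked result can only name cage memory. That is the same property the FTL and C++ caging in these entries rely on, and it is why the entries stress that every access path (C++, baseline JIT, LLInt, FTL) has to apply the mask.
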
1142 2017-07-31  Mark Lam  <mark.lam@apple.com>
1143
1144         Added some UNLIKELYs to operationOptimize().
1145         https://bugs.webkit.org/show_bug.cgi?id=174976
1146
1147         Reviewed by JF Bastien.
1148
1149         * jit/JITOperations.cpp:
1150
1151 2017-07-31  Keith Miller  <keith_miller@apple.com>
1152
1153         Make more things LLInt constexprs
1154         https://bugs.webkit.org/show_bug.cgi?id=174994
1155
1156         Reviewed by Saam Barati.
1157
1158         This patch makes more of the const values in the LLInt constexprs.
1159         It also deletes all of the no longer necessary static_asserts in
1160         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
1161
1162         * interpreter/ShadowChicken.h:
1163         (JSC::ShadowChicken::Packet::tailMarker):
1164         * llint/LLIntData.cpp:
1165         (JSC::LLInt::Data::performAssertions):
1166         * llint/LowLevelInterpreter.asm:
1167         * offlineasm/generate_offset_extractor.rb:
1168         * offlineasm/parser.rb:
1169
1170 2017-07-31  Matt Lewis  <jlewis3@apple.com>
1171
1172         Unreviewed, rolling out r220060.
1173
1174         This broke our internal builds. Contact reviewer of patch for
1175         more information.
1176
1177         Reverted changeset:
1178
1179         "Merge WTFThreadData to Thread::current"
1180         https://bugs.webkit.org/show_bug.cgi?id=174716
1181         http://trac.webkit.org/changeset/220060
1182
1183 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1184
1185         [JSC] Support optional catch binding
1186         https://bugs.webkit.org/show_bug.cgi?id=174981
1187
1188         Reviewed by Saam Barati.
1189
1190         This patch implements the optional catch binding proposal[1], which is now stage 3.
1191         This proposal adds a new `catch` brace with no error value binding.
1192
1193             ```
1194                 try {
1195                     ...
1196                 } catch {
1197                     ...
1198                 }
1199             ```
1200
1201         Sometimes we do not actually need the error value. For example, a function may return a
1202         boolean which indicates whether the function succeeded.
1203
1204             ```
1205             function parse(result) // -> bool
1206             {
1207                  try {
1208                      parseInner(result);
1209                  } catch {
1210                      return false;
1211                  }
1212                  return true;
1213             }
1214             ```
1215
1216         In the above case, we are not interested in the actual error value. Without this syntax,
1217         we always need to introduce a binding for an error value that is just ignored.
1218
1219         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
1220
1221         * bytecompiler/NodesCodegen.cpp:
1222         (JSC::TryNode::emitBytecode):
1223         * parser/Parser.cpp:
1224         (JSC::Parser<LexerType>::parseTryStatement):
1225
1226 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1227
1228         Merge WTFThreadData to Thread::current
1229         https://bugs.webkit.org/show_bug.cgi?id=174716
1230
1231         Reviewed by Sam Weinig.
1232
1233         Use Thread::current() instead.
1234
1235         * API/JSContext.mm:
1236         (+[JSContext currentContext]):
1237         (+[JSContext currentThis]):
1238         (+[JSContext currentCallee]):
1239         (+[JSContext currentArguments]):
1240         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1241         (-[JSContext endCallbackWithData:]):
1242         * heap/Heap.cpp:
1243         (JSC::Heap::requestCollection):
1244         * runtime/Completion.cpp:
1245         (JSC::checkSyntax):
1246         (JSC::checkModuleSyntax):
1247         (JSC::evaluate):
1248         (JSC::loadAndEvaluateModule):
1249         (JSC::loadModule):
1250         (JSC::linkAndEvaluateModule):
1251         (JSC::importModule):
1252         * runtime/Identifier.cpp:
1253         (JSC::Identifier::checkCurrentAtomicStringTable):
1254         * runtime/InitializeThreading.cpp:
1255         (JSC::initializeThreading):
1256         * runtime/JSLock.cpp:
1257         (JSC::JSLock::didAcquireLock):
1258         (JSC::JSLock::willReleaseLock):
1259         (JSC::JSLock::dropAllLocks):
1260         (JSC::JSLock::grabAllLocks):
1261         * runtime/JSLock.h:
1262         * runtime/VM.cpp:
1263         (JSC::VM::VM):
1264         (JSC::VM::updateStackLimits):
1265         (JSC::VM::committedStackByteCount):
1266         * runtime/VM.h:
1267         (JSC::VM::isSafeToRecurse const):
1268         * runtime/VMEntryScope.cpp:
1269         (JSC::VMEntryScope::VMEntryScope):
1270         * runtime/VMInlines.h:
1271         (JSC::VM::ensureStackCapacityFor):
1272         * yarr/YarrPattern.cpp:
1273         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1274
1275 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1276
1277         [WTF] Introduce Private Symbols
1278         https://bugs.webkit.org/show_bug.cgi?id=174935
1279
1280         Reviewed by Darin Adler.
1281
1282         Use SymbolImpl::isPrivate().
1283
1284         * builtins/BuiltinNames.cpp:
1285         * builtins/BuiltinNames.h:
1286         (JSC::BuiltinNames::isPrivateName): Deleted.
1287         * builtins/BuiltinUtils.h:
1288         * bytecode/BytecodeIntrinsicRegistry.cpp:
1289         (JSC::BytecodeIntrinsicRegistry::lookup):
1290         * runtime/CommonIdentifiers.cpp:
1291         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1292         * runtime/CommonIdentifiers.h:
1293         * runtime/ExceptionHelpers.cpp:
1294         (JSC::createUndefinedVariableError):
1295         * runtime/Identifier.h:
1296         (JSC::Identifier::isPrivateName):
1297         * runtime/IdentifierInlines.h:
1298         (JSC::identifierToSafePublicJSValue):
1299         * runtime/ObjectConstructor.cpp:
1300         (JSC::objectConstructorAssign):
1301         (JSC::defineProperties):
1302         (JSC::setIntegrityLevel):
1303         (JSC::testIntegrityLevel):
1304         (JSC::ownPropertyKeys):
1305         * runtime/PrivateName.h:
1306         (JSC::PrivateName::PrivateName):
1307         * runtime/PropertyName.h:
1308         (JSC::PropertyName::isPrivateName):
1309         * runtime/ProxyObject.cpp:
1310         (JSC::performProxyGet):
1311         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1312         (JSC::ProxyObject::performHasProperty):
1313         (JSC::ProxyObject::performPut):
1314         (JSC::ProxyObject::performDelete):
1315         (JSC::ProxyObject::performDefineOwnProperty):
1316
1317 2017-07-29  Keith Miller  <keith_miller@apple.com>
1318
1319         LLInt offsets extractor should be able to handle C++ constexprs
1320         https://bugs.webkit.org/show_bug.cgi?id=174964
1321
1322         Reviewed by Saam Barati.
1323
1324         This patch adds new syntax to the offline asm language. The new keyword,
1325         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1326         expression. Additionally, if the value is not an identifier you can wrap it in
1327         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1328         which will get converted into:
1329         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1330
1331         This patch also changes the data format the LLIntOffsetsExtractor
1332         binary produces.  Previously, it would produce unsigned values,
1333         after this patch every value is an int64_t.  Using an int64_t is
1334         useful because it means that we can represent any constant needed.
1335         int32_t masks are sign extended, then passed along and converted to a
1336         negative literal string in the assembler so the result will be the constant
1337         expected.
1338
1339         * llint/LLIntOffsetsExtractor.cpp:
1340         (JSC::LLIntOffsetsExtractor::dummy):
1341         * llint/LowLevelInterpreter.asm:
1342         * llint/LowLevelInterpreter64.asm:
1343         * offlineasm/asm.rb:
1344         * offlineasm/ast.rb:
1345         * offlineasm/generate_offset_extractor.rb:
1346         * offlineasm/offsets.rb:
1347         * offlineasm/parser.rb:
1348         * offlineasm/transform.rb:
1349
1350 2017-07-28  Matt Baker  <mattbaker@apple.com>
1351
1352         Web Inspector: capture an async stack trace when web content calls addEventListener
1353         https://bugs.webkit.org/show_bug.cgi?id=174739
1354         <rdar://problem/33468197>
1355
1356         Reviewed by Brian Burg.
1357
1358         Allow debugger agents to perform custom logic when asynchronous stack
1359         trace data is cleared. For example, the PageDebuggerAgent would clear
1360         its list of registered listeners for which call stacks have been recorded.
1361
1362         * inspector/agents/InspectorDebuggerAgent.cpp:
1363         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1364         * inspector/agents/InspectorDebuggerAgent.h:
1365
1366 2017-07-28  Mark Lam  <mark.lam@apple.com>
1367
1368         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
1369         https://bugs.webkit.org/show_bug.cgi?id=174948
1370         <rdar://problem/33495680>
1371
1372         Reviewed by Filip Pizlo.
1373
1374         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
1375         owner StructureRareData is already known to be dead (in terms of GC liveness) but
1376         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
1377         requests to fire this watchpoint.
1378
1379         If the GC had the chance to sweep the StructureRareData, thereby destructing the
1380         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
1381         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
1382
1383         But since the watchpoint hasn't been destructed yet, it still remains on the
1384         WatchpointSet and needs to guard against being fired in this state.  The fix is
1385         to simply return early if its owner StructureRareData is not live.  This has the
1386         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
1387         not firing as we would expect.
1388
1389         This patch also removes some cargo cult copying of watchpoint code which
1390         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
1391         used.  This patch removes these unnecessary instantiations.
1392
1393         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1394         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1395         * runtime/StructureRareData.cpp:
1396         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1397         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1398
1399 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1400
1401         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
1402         https://bugs.webkit.org/show_bug.cgi?id=174900
1403
1404         Reviewed by Saam Barati.
1405
1406         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
1407         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
1408         The problem is that the transforming phase also checks these pseudo terminals.
1409
1410             BB1
1411             1: ForceOSRExit
1412             2: CreateDirectArguments
1413
1414             BB2
1415             3: GetButterfly(@2)
1416             4: ForceOSRExit
1417
1418         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
1419
1420         In this patch, we do not list candidates after seeing pseudo terminals in basic blocks.
1421
1422         * dfg/DFGArgumentsEliminationPhase.cpp:
1423
1424 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
1425
1426         [ES] Add support finally to Promise
1427         https://bugs.webkit.org/show_bug.cgi?id=174503
1428
1429         Reviewed by Yusuke Suzuki.
1430
1431         Add support for the `finally` method to Promise according
1432         to https://bugs.webkit.org/show_bug.cgi?id=174503.
1433         The current spec is at stage 3:
1434         https://github.com/tc39/proposal-promise-finally
1435
1436         * builtins/PromisePrototype.js:
1437         (finally):
1438         (const.valueThunk):
1439         (globalPrivate.getThenFinally):
1440         (const.thrower):
1441         (globalPrivate.getCatchFinally):
1442         * runtime/JSPromisePrototype.cpp:
1443
1444 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1445
1446         Unreviewed, build fix for CLoop
1447         https://bugs.webkit.org/show_bug.cgi?id=171637
1448
1449         * domjit/DOMJITGetterSetter.h:
1450
1451 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1452
1453         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
1454         https://bugs.webkit.org/show_bug.cgi?id=171637
1455
1456         Reviewed by Darin Adler.
1457
1458         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
1459         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
1460
1461         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
1462         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
1463
1464         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for the
1465         op_get_by_id_with_this case yet.
1466         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
1467
1468         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
1469         ClassInfo check.
1470
1471         * CMakeLists.txt:
1472         * JavaScriptCore.xcodeproj/project.pbxproj:
1473         * bytecode/AccessCase.cpp:
1474         (JSC::AccessCase::generateImpl):
1475         * bytecode/GetByIdStatus.cpp:
1476         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1477         * bytecode/GetByIdVariant.cpp:
1478         (JSC::GetByIdVariant::GetByIdVariant):
1479         (JSC::GetByIdVariant::operator=):
1480         (JSC::GetByIdVariant::attemptToMerge):
1481         (JSC::GetByIdVariant::dumpInContext):
1482         * bytecode/GetByIdVariant.h:
1483         (JSC::GetByIdVariant::customAccessorGetter):
1484         (JSC::GetByIdVariant::domAttribute):
1485         (JSC::GetByIdVariant::domJIT): Deleted.
1486         * bytecode/GetterSetterAccessCase.cpp:
1487         (JSC::GetterSetterAccessCase::create):
1488         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1489         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1490         * bytecode/GetterSetterAccessCase.h:
1491         (JSC::GetterSetterAccessCase::domAttribute):
1492         (JSC::GetterSetterAccessCase::customAccessor):
1493         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1494         * bytecompiler/BytecodeGenerator.cpp:
1495         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1496         * create_hash_table:
1497         * dfg/DFGAbstractInterpreterInlines.h:
1498         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1499         * dfg/DFGByteCodeParser.cpp:
1500         (JSC::DFG::blessCallDOMGetter):
1501         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1502         (JSC::DFG::ByteCodeParser::handleGetById):
1503         * dfg/DFGClobberize.h:
1504         (JSC::DFG::clobberize):
1505         * dfg/DFGFixupPhase.cpp:
1506         (JSC::DFG::FixupPhase::fixupNode):
1507         * dfg/DFGNode.h:
1508         * dfg/DFGSpeculativeJIT.cpp:
1509         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1510         * dfg/DFGSpeculativeJIT.h:
1511         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1512         * domjit/DOMJITGetterSetter.h:
1513         (JSC::DOMJIT::GetterSetter::GetterSetter):
1514         (JSC::DOMJIT::GetterSetter::getter):
1515         (JSC::DOMJIT::GetterSetter::compiler):
1516         (JSC::DOMJIT::GetterSetter::resultType):
1517         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1518         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1519         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1520         * ftl/FTLLowerDFGToB3.cpp:
1521         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1522         * jit/Repatch.cpp:
1523         (JSC::tryCacheGetByID):
1524         * jsc.cpp:
1525         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1526         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1527         (WTF::DOMJITGetter::customGetter):
1528         (WTF::DOMJITGetter::finishCreation):
1529         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1530         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1531         (WTF::DOMJITGetterComplex::customGetter):
1532         (WTF::DOMJITGetterComplex::finishCreation):
1533         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1534         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1535         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1536         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1537         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1538         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1539         * runtime/CustomGetterSetter.h:
1540         (JSC::CustomGetterSetter::create):
1541         (JSC::CustomGetterSetter::setter):
1542         (JSC::CustomGetterSetter::CustomGetterSetter):
1543         (): Deleted.
1544         * runtime/DOMAnnotation.h: Added.
1545         (JSC::operator==):
1546         (JSC::operator!=):
1547         * runtime/DOMAttributeGetterSetter.cpp: Added.
1548         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1549         (JSC::isDOMAttributeGetterSetter):
1550         * runtime/Error.cpp:
1551         (JSC::throwDOMAttributeGetterTypeError):
1552         * runtime/Error.h:
1553         (JSC::throwVMDOMAttributeGetterTypeError):
1554         * runtime/JSCustomGetterSetterFunction.cpp:
1555         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1556         * runtime/JSObject.cpp:
1557         (JSC::JSObject::putInlineSlow):
1558         (JSC::JSObject::deleteProperty):
1559         (JSC::JSObject::getOwnStaticPropertySlot):
1560         (JSC::JSObject::reifyAllStaticProperties):
1561         (JSC::JSObject::fillGetterPropertySlot):
1562         (JSC::JSObject::findPropertyHashEntry): Deleted.
1563         * runtime/JSObject.h:
1564         (JSC::JSObject::getOwnNonIndexPropertySlot):
1565         (JSC::JSObject::fillCustomGetterPropertySlot):
1566         * runtime/Lookup.cpp:
1567         (JSC::setUpStaticFunctionSlot):
1568         * runtime/Lookup.h:
1569         (JSC::HashTableValue::domJIT):
1570         (JSC::getStaticPropertySlotFromTable):
1571         (JSC::putEntry):
1572         (JSC::lookupPut):
1573         (JSC::reifyStaticProperty):
1574         (JSC::reifyStaticProperties):
1575         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
1576         this static property table require.
1577
1578         * runtime/ProgramExecutable.cpp:
1579         (JSC::ProgramExecutable::initializeGlobalProperties):
1580         * runtime/PropertyName.h:
1581         * runtime/PropertySlot.cpp:
1582         (JSC::PropertySlot::customGetter):
1583         (JSC::PropertySlot::customAccessorGetter):
1584         * runtime/PropertySlot.h:
1585         (JSC::PropertySlot::domAttribute):
1586         (JSC::PropertySlot::setCustom):
1587         (JSC::PropertySlot::setCacheableCustom):
1588         (JSC::PropertySlot::getValue):
1589         (JSC::PropertySlot::domJIT): Deleted.
1590         * runtime/VM.cpp:
1591         (JSC::VM::VM):
1592         * runtime/VM.h:
1593
1594 2017-07-26  Devin Rousso  <drousso@apple.com>
1595
1596         Web Inspector: create protocol for recording Canvas contexts
1597         https://bugs.webkit.org/show_bug.cgi?id=174481
1598
1599         Reviewed by Joseph Pecoraro.
1600
1601         * inspector/protocol/Canvas.json:
1602          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1603          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1604          - Add `recordingFinished` event that is fired once a recording is finished.
1605
1606         * CMakeLists.txt:
1607         * DerivedSources.make:
1608         * inspector/protocol/Recording.json: Added.
1609          - Add `Type` enum that lists the types of recordings.
1610          - Add `InitialState` type that contains information about the canvas context at the
1611            beginning of the recording.
1612          - Add `Frame` type that holds a list of actions that were recorded.
1613          - Add `Recording` type as the container object of recording data.
1614
1615         * inspector/scripts/codegen/generate_js_backend_commands.py:
1616         (JSBackendCommandsGenerator.generate_domain):
1617         Create an agent for domains with no events or commands.
1618
1619         * inspector/InspectorValues.h:
1620         Make Array `get` public so that values can be retrieved if needed.
1621
1622 2017-07-26  Brian Burg  <bburg@apple.com>
1623
1624         Remove WEB_TIMING feature flag
1625         https://bugs.webkit.org/show_bug.cgi?id=174795
1626
1627         Reviewed by Alex Christensen.
1628
1629         * Configurations/FeatureDefines.xcconfig:
1630
1631 2017-07-26  Mark Lam  <mark.lam@apple.com>
1632
1633         Add the ability to change sp and pc to the ARM64 JIT probe.
1634         https://bugs.webkit.org/show_bug.cgi?id=174697
1635         <rdar://problem/33436965>
1636
1637         Reviewed by JF Bastien.
1638
1639         This patch implements the following:
1640
1641         1. The ARM64 probe now supports modifying the pc and sp.
1642
1643            However, lr is not preserved when modifying the pc because it is used as the
1644            scratch register for the indirect jump. Hence, the probe handler function
1645            may not modify both lr and pc in the same probe invocation.
1646
1647         2. Fix probe tests to use bitwise comparison when comparing double register
1648            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1649
1650         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1651            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1652            instructions which require 16 byte alignment for their memory access.
1653
1654         * assembler/MacroAssemblerARM64.cpp:
1655         (JSC::arm64ProbeError):
1656         (JSC::MacroAssembler::probe):
1657         (JSC::arm64ProbeTrampoline): Deleted.
1658         * assembler/testmasm.cpp:
1659         (JSC::isSpecialGPR):
1660         (JSC::testProbeReadsArgumentRegisters):
1661         (JSC::testProbeWritesArgumentRegisters):
1662         (JSC::testProbePreservesGPRS):
1663         (JSC::testProbeModifiesStackPointer):
1664         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1665         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1666
1667 2017-07-25  JF Bastien  <jfbastien@apple.com>
1668
1669         WebAssembly: generate smaller binaries
1670         https://bugs.webkit.org/show_bug.cgi?id=174818
1671
1672         Reviewed by Filip Pizlo.
1673
1674         This patch reduces generated code size for WebAssembly in 2 ways:
1675
1676         1. Use the ZR register when storing zero on ARM64.
1677         2. Synthesize wasm context lazily.
1678
1679         This leads to a modest size reduction on both x86-64 and ARM64 for
1680         large WebAssembly games, without any performance loss on WasmBench
1681         and TitzerBench.
1682
1683         The reason this works is that these games, using Emscripten,
1684         generate 100k+ tiny functions, and our JIT allocation granule
1685         rounds all allocations up to 32 bytes. There are plenty of other
1686         simple gains to be had, I've filed a follow-up bug at
1687         webkit.org/b/174819
1688
1689         We should further avoid the per-function cost of tiering, which
1690         represents the bulk of code generated for small functions.
1691
1692         * assembler/MacroAssemblerARM64.h:
1693         (JSC::MacroAssemblerARM64::storeZero64):
1694         * assembler/MacroAssemblerX86_64.h:
1695         (JSC::MacroAssemblerX86_64::storeZero64):
1696         * b3/B3LowerToAir.cpp:
1697         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1698         for x86 because it constrains register reuse and codegen in a way
1699         that doesn't affect ARM64 because it has a dedicated zero
1700         register.
1701         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1702         * wasm/WasmB3IRGenerator.cpp:
1703         (JSC::Wasm::B3IRGenerator::instanceValue):
1704         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1705         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1706         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1707
1708 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1709
1710         B3 should do LICM
1711         https://bugs.webkit.org/show_bug.cgi?id=174750
1712
1713         Reviewed by Keith Miller and Saam Barati.
1714         
1715         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1716         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1717         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1718         change templatizes DFG::NaturalLoops so that we can just use it.
1719         
1720         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1721         the relationship between control dependence and side exits.
1722         
1723         Also added a bunch of tests.
1724         
1725         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1726         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1727         so it doesn't hurt to have it.
1728         
1729         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1730         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1731         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1732         eventually.
1733
1734         * CMakeLists.txt:
1735         * JavaScriptCore.xcodeproj/project.pbxproj:
1736         * b3/B3BackwardsCFG.h: Added.
1737         (JSC::B3::BackwardsCFG::BackwardsCFG):
1738         * b3/B3BackwardsDominators.h: Added.
1739         (JSC::B3::BackwardsDominators::BackwardsDominators):
1740         * b3/B3BasicBlock.cpp:
1741         (JSC::B3::BasicBlock::appendNonTerminal):
1742         * b3/B3Effects.h:
1743         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1744         (JSC::B3::ensureLoopPreHeaders):
1745         * b3/B3EnsureLoopPreHeaders.h: Added.
1746         * b3/B3Generate.cpp:
1747         (JSC::B3::generateToAir):
1748         * b3/B3HoistLoopInvariantValues.cpp: Added.
1749         (JSC::B3::hoistLoopInvariantValues):
1750         * b3/B3HoistLoopInvariantValues.h: Added.
1751         * b3/B3NaturalLoops.h: Added.
1752         (JSC::B3::NaturalLoops::NaturalLoops):
1753         * b3/B3Procedure.cpp:
1754         (JSC::B3::Procedure::invalidateCFG):
1755         (JSC::B3::Procedure::naturalLoops):
1756         (JSC::B3::Procedure::backwardsCFG):
1757         (JSC::B3::Procedure::backwardsDominators):
1758         * b3/B3Procedure.h:
1759         * b3/testb3.cpp:
1760         (JSC::B3::generateLoop):
1761         (JSC::B3::makeArrayForLoops):
1762         (JSC::B3::generateLoopNotBackwardsDominant):
1763         (JSC::B3::oneFunction):
1764         (JSC::B3::noOpFunction):
1765         (JSC::B3::testLICMPure):
1766         (JSC::B3::testLICMPureSideExits):
1767         (JSC::B3::testLICMPureWritesPinned):
1768         (JSC::B3::testLICMPureWrites):
1769         (JSC::B3::testLICMReadsLocalState):
1770         (JSC::B3::testLICMReadsPinned):
1771         (JSC::B3::testLICMReads):
1772         (JSC::B3::testLICMPureNotBackwardsDominant):
1773         (JSC::B3::testLICMPureFoiledByChild):
1774         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1775         (JSC::B3::testLICMExitsSideways):
1776         (JSC::B3::testLICMWritesLocalState):
1777         (JSC::B3::testLICMWrites):
1778         (JSC::B3::testLICMFence):
1779         (JSC::B3::testLICMWritesPinned):
1780         (JSC::B3::testLICMControlDependent):
1781         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1782         (JSC::B3::testLICMControlDependentSideExits):
1783         (JSC::B3::testLICMReadsPinnedWritesPinned):
1784         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1785         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1786         (JSC::B3::testLICMDefaultCall):
1787         (JSC::B3::run):
1788         * dfg/DFGBasicBlock.h:
1789         * dfg/DFGCFG.h:
1790         * dfg/DFGNaturalLoops.cpp: Removed.
1791         * dfg/DFGNaturalLoops.h:
1792         (JSC::DFG::NaturalLoops::NaturalLoops):
1793         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1794         (JSC::DFG::NaturalLoop::header): Deleted.
1795         (JSC::DFG::NaturalLoop::size): Deleted.
1796         (JSC::DFG::NaturalLoop::at): Deleted.
1797         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1798         (JSC::DFG::NaturalLoop::contains): Deleted.
1799         (JSC::DFG::NaturalLoop::index): Deleted.
1800         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1801         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1802         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1803         (JSC::DFG::NaturalLoops::loop): Deleted.
1804         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1805         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1806         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1807         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1808         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1809
1810 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1811
1812         GC should be fine with trading blocks between destructor and non-destructor blocks
1813         https://bugs.webkit.org/show_bug.cgi?id=174811
1814
1815         Reviewed by Mark Lam.
1816         
1817         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1818         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1819         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1820         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1821         set.
1822         
1823         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1824         is empty if:
1825         
1826         A) It has no live objects and it's a non-destructor block, or
1827         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1828         C) We just stole it from another allocator (so it also has no destructors), or
1829         D) We just swept the block and ran all destructors.
1830         
1831         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1832         block that could be stolen.
1833
1834         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1835         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1836         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1837         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1838         
1839         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1840         
1841         If we tried to enable trading of blocks between allocators without making any changes to how
1842         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1843         live objects in order for those bits to be candidates for trading. But if we do that, then our
1844         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1845         our destructors won't run and we'll leak memory.
1846         
1847         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1848         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1849         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1850         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1851         are (empty & ~destructible).
1852         
1853         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1854         remove destructor-oriented special-casing of block trading.
1855
1856         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1857         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1858         pathological cases.
1859         
1860         * heap/MarkedAllocator.cpp:
1861         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1862         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1863         (JSC::MarkedAllocator::endMarking):
1864         (JSC::MarkedAllocator::shrink):
1865         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1866         * heap/MarkedAllocator.h:
1867         * heap/MarkedBlock.cpp:
1868         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1869         (JSC::MarkedBlock::Handle::sweep):
1870         * heap/MarkedBlockInlines.h:
1871         (JSC::MarkedBlock::Handle::specializedSweep):
1872         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1873         (JSC::MarkedBlock::Handle::emptyMode):
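
The `empty` / `destructible` bookkeeping described in this entry, as an added C++ model (example code, not JSC's MarkedAllocator): the Block and Allocator types, the legacy sweep shown for contrast, and the scenario are invented to make cases (A)-(D) and the (empty & ~destructible) shrink rule concrete.

```cpp
// Hypothetical model of the `empty` and `destructible` bits (example code, not JSC's
// MarkedAllocator); Block, Allocator and the scenario below are invented.
#include <cstddef>
#include <vector>

struct Block {
    bool isDestructorBlock = false; // belongs to a subspace whose cells have destructors
    size_t liveCells = 0;           // cells the last marking found live
    size_t pendingDestructors = 0;  // dead cells whose destructor has not run yet
};

struct Allocator {
    std::vector<Block> blocks;
    std::vector<bool> empty;        // no live objects (liveness only, any subspace)
    std::vector<bool> destructible; // may still hold cells that need destruction
    size_t destructorsRun = 0;

    // Cases (B) and (C): a fresh or just-stolen block has nothing to destruct, whatever
    // its subspace, and its cell header bits cannot be trusted yet.
    size_t addFreshBlock(bool isDestructorBlock) {
        blocks.push_back(Block{});
        blocks.back().isDestructorBlock = isDestructorBlock;
        empty.push_back(true);
        destructible.push_back(false);
        return blocks.size() - 1;
    }

    // The mutator allocates n cells into block i.
    void allocateCells(size_t i, size_t n) { blocks[i].liveCells += n; empty[i] = false; }

    // End of marking: survivors[i] cells of block i stay live. `empty` is set from
    // liveness alone, and every block that has been in use is flagged destructible.
    void endMarking(const std::vector<size_t>& survivors) {
        for (size_t i = 0; i < blocks.size(); ++i) {
            Block& b = blocks[i];
            if (b.isDestructorBlock)
                b.pendingDestructors += b.liveCells - survivors[i];
            b.liveCells = survivors[i];
            empty[i] = b.liveCells == 0;
            destructible[i] = true;
        }
    }

    // New sweep: only the destructible bit decides whether destructors run; clearing it
    // afterwards is case (D). A thief must call this before reusing a stolen block.
    void sweep(size_t i) {
        if (!destructible[i])
            return;
        destructorsRun += blocks[i].pendingDestructors;
        blocks[i].pendingDestructors = 0;
        destructible[i] = false;
    }

    // Old sweep, for contrast: `empty` doubled as "nothing to destruct". Once empty is
    // also set on destructor blocks without live objects, their destructors are skipped.
    void sweepLegacy(size_t i) {
        if (empty[i])
            return;
        destructorsRun += blocks[i].pendingDestructors;
        blocks[i].pendingDestructors = 0;
    }

    // Trading: any block without live objects is a candidate, destructor block or not.
    long findEmptyBlockToSteal() const {
        for (size_t i = 0; i < blocks.size(); ++i)
            if (empty[i])
                return static_cast<long>(i);
        return -1;
    }

    // shrink(): only blocks that are empty & ~destructible may be released.
    size_t shrinkCandidates() const {
        size_t n = 0;
        for (size_t i = 0; i < blocks.size(); ++i)
            if (empty[i] && !destructible[i])
                ++n;
        return n;
    }
};

struct Scenario { size_t legacyRun, newRun, shrinkBeforeSweep, shrinkAfterSweep; bool stealable; };

// A destructor block whose three cells all die: it is empty (so tradeable) but still
// destructible, so the destructors must run before it is stolen or released.
Scenario runScenario() {
    Allocator a;
    size_t i = a.addFreshBlock(true);
    a.allocateCells(i, 3);
    a.endMarking(std::vector<size_t>(1, 0));    // nothing survives
    Scenario s{};
    s.stealable = a.findEmptyBlockToSteal() == 0;
    s.shrinkBeforeSweep = a.shrinkCandidates(); // 0: destructors still pending
    Allocator legacy = a;
    legacy.sweepLegacy(i);
    s.legacyRun = legacy.destructorsRun;        // 0: the three destructors leak
    a.sweep(i);
    s.newRun = a.destructorsRun;                // 3
    s.shrinkAfterSweep = a.shrinkCandidates();  // 1
    return s;
}
```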
1874
1875 2017-07-25  Keith Miller  <keith_miller@apple.com>
1876
1877         Remove Broken CompareEq constant folding phase.
1878         https://bugs.webkit.org/show_bug.cgi?id=174846
1879         <rdar://problem/32978808>
1880
1881         Reviewed by Saam Barati.
1882
1883         This bug happened when we would get code like the following:
1884
1885         a: JSConst(Undefined)
1886         b: GetLocal(SomeObjectOrUndefined)
1887         ...
1888         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1889
1890         constant folding will turn this into:
1891
1892         a: JSConst(Undefined)
1893         b: GetLocal(SomeObjectOrUndefined)
1894         ...
1895         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1896
1897         But the SpeculativeJIT/FTL lowering will fail to check b
1898         properly which leads to an assertion failure in the AI.
1899
1900         I'll follow up with a more robust fix later. For now, I'll remove the
1901         case that generates the code. Removing the code appears to be perf
1902         neutral.
1903
1904         * dfg/DFGConstantFoldingPhase.cpp:
1905         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1906
1907 2017-07-25  Matt Baker  <mattbaker@apple.com>
1908
1909         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1910         https://bugs.webkit.org/show_bug.cgi?id=174738
1911
1912         Reviewed by Brian Burg.
1913
1914         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1915         stack traces. This preserves the call type in JSC, makes the range of
1916         possible call types explicit, and is safer than passing ints.
1917
1918         * inspector/agents/InspectorDebuggerAgent.cpp:
1919         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1920         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1921         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1922         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1923         * inspector/agents/InspectorDebuggerAgent.h:
1924
1925 2017-07-25  Mark Lam  <mark.lam@apple.com>
1926
1927         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1928         https://bugs.webkit.org/show_bug.cgi?id=174809
1929         <rdar://problem/33504759>
1930
1931         Reviewed by Filip Pizlo.
1932
1933         1. When the probe handler function changes the sp register to point to the
1934            region of stack in the middle of the ProbeContext on the stack, there is a
1935            bug where the ProbeContext's register values to be restored can be over-written
1936            before they can be restored.  This is now fixed.
1937
1938         2. Added more robust probe tests for changing the sp register.
1939
1940         3. Made existing probe tests ensure that probe handlers were actually called.
1941
1942         4. Added some verification to testProbePreservesGPRS().
1943
1944         5. Change all the probe tests to fail early on discovering an error instead of
1945            batching till the end of the test.  This helps point a finger to the failing
1946            issue earlier.
1947
1948         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1949         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1950
1951         * assembler/MacroAssemblerARM.cpp:
1952         * assembler/MacroAssemblerARMv7.cpp:
1953         * assembler/MacroAssemblerX86Common.cpp:
1954         * assembler/testmasm.cpp:
1955         (JSC::testProbeReadsArgumentRegisters):
1956         (JSC::testProbeWritesArgumentRegisters):
1957         (JSC::testProbePreservesGPRS):
1958         (JSC::testProbeModifiesStackPointer):
1959         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1960         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1961         (JSC::testProbeModifiesProgramCounter):
1962         (JSC::run):
1963
1964 2017-07-25  Brian Burg  <bburg@apple.com>
1965
1966         Web Automation: add support for uploading files
1967         https://bugs.webkit.org/show_bug.cgi?id=174797
1968         <rdar://problem/28485063>
1969
1970         Reviewed by Joseph Pecoraro.
1971
1972         * inspector/scripts/generate-inspector-protocol-bindings.py:
1973         (generate_from_specification):
1974         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1975
1976         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1977         (CppFrontendDispatcherImplementationGenerator.generate_output):
1978         Use a framework include for InspectorFrontendRouter.h since this generated code
1979         will be compiled outside of WebCore.framework.
1980
1981         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1982         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1983         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1984         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1985         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1986         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1987         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1988         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1989         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1990         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1991         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1992         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1993         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1994         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1995         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1996         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1997         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1998         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1999         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2000         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2001         Rebaseline code generator tests.
2002
2003 2017-07-24  Mark Lam  <mark.lam@apple.com>
2004
2005         Gardening: fixed C Loop build after r219790.
2006         https://bugs.webkit.org/show_bug.cgi?id=174696
2007
2008         Not reviewed.
2009
2010         * assembler/testmasm.cpp:
2011
2012 2017-07-23  Mark Lam  <mark.lam@apple.com>
2013
2014         Create regression tests for the JIT probe.
2015         https://bugs.webkit.org/show_bug.cgi?id=174696
2016         <rdar://problem/33436922>
2017
2018         Reviewed by Saam Barati.
2019
2020         The new testmasm will test the following:
2021         1. the probe is able to read the value of CPU registers.
2022         2. the probe is able to write the value of CPU registers.
2023         3. the probe is able to preserve all CPU registers.
2024         4. special case of (2): the probe is able to change the value of the stack pointer.
2025         5. special case of (2): the probe is able to change the value of the program counter
2026            i.e. the probe can change where the code continues executing upon returning from
2027            the probe.
2028
2029         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
2030         because it does not support changing the sp and pc yet.  The ARM64 probe
2031         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
2032         later.
2033
2034         * Configurations/ToolExecutable.xcconfig:
2035         * JavaScriptCore.xcodeproj/project.pbxproj:
2036         * assembler/MacroAssembler.h:
2037         (JSC::MacroAssembler::CPUState::pc):
2038         (JSC::MacroAssembler::CPUState::fp):
2039         (JSC::MacroAssembler::CPUState::sp):
2040         (JSC::ProbeContext::pc):
2041         (JSC::ProbeContext::fp):
2042         (JSC::ProbeContext::sp):
2043         * assembler/MacroAssemblerARM64.cpp:
2044         (JSC::arm64ProbeTrampoline):
2045         * assembler/MacroAssemblerPrinter.cpp:
2046         (JSC::Printer::printPCRegister):
2047         * assembler/testmasm.cpp: Added.
2048         (hiddenTruthBecauseNoReturnIsStupid):
2049         (usage):
2050         (JSC::nextID):
2051         (JSC::isPC):
2052         (JSC::isSP):
2053         (JSC::isFP):
2054         (JSC::compile):
2055         (JSC::invoke):
2056         (JSC::compileAndRun):
2057         (JSC::testSimple):
2058         (JSC::testProbeReadsArgumentRegisters):
2059         (JSC::testProbeWritesArgumentRegisters):
2060         (JSC::testFunctionToTrashRegisters):
2061         (JSC::testProbePreservesGPRS):
2062         (JSC::testProbeModifiesStackPointer):
2063         (JSC::testProbeModifiesProgramCounter):
2064         (JSC::run):
2065         (run):
2066         (main):
2067         * b3/air/testair.cpp:
2068         (usage):
2069         * shell/CMakeLists.txt:
2070
2071 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
2072
2073         It should be easy to decide how WebKit yields
2074         https://bugs.webkit.org/show_bug.cgi?id=174298
2075
2076         Reviewed by Saam Barati.
2077         
2078         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
2079
2080         * heap/Heap.cpp:
2081         (JSC::Heap::resumeThePeriphery):
2082         * heap/VisitingTimeout.h:
2083         * runtime/JSCell.cpp:
2084         (JSC::JSCell::lockSlow):
2085         (JSC::JSCell::unlockSlow):
2086         * runtime/JSCell.h:
2087         * runtime/JSCellInlines.h:
2088         (JSC::JSCell::lock):
2089         (JSC::JSCell::unlock):
2090         * runtime/JSLock.cpp:
2091         (JSC::JSLock::grabAllLocks):
2092         * runtime/SamplingProfiler.cpp:
2093
2094 2017-07-21  Mark Lam  <mark.lam@apple.com>
2095
2096         Refactor MASM probe CPUState to use arrays for register storage.
2097         https://bugs.webkit.org/show_bug.cgi?id=174694
2098
2099         Reviewed by Keith Miller.
2100
2101         Using arrays for register storage in CPUState allows us to do away with the
2102         huge switch statements to decode each register id.  We can now simply index into
2103         the arrays.
2104
2105         With this patch, we now:
2106
2107         1. Remove the need for macros for defining the list of CPU registers.
2108            We can go back to simple enums.  This makes the code easier to read.
2109
2110         2. Make the assembler the authority on register names.
2111            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
2112            GPRInfo and FPRInfo now forward to the assembler.
2113
2114         3. Make the assembler the authority on the number of registers of each type.
2115
2116         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
2117            This is inconsistent with how every other CPU architecture implements
2118            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
2119            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
2120
2121         * assembler/ARM64Assembler.h:
2122         (JSC::ARM64Assembler::numberOfRegisters):
2123         (JSC::ARM64Assembler::firstSPRegister):
2124         (JSC::ARM64Assembler::lastSPRegister):
2125         (JSC::ARM64Assembler::numberOfSPRegisters):
2126         (JSC::ARM64Assembler::numberOfFPRegisters):
2127         (JSC::ARM64Assembler::gprName):
2128         (JSC::ARM64Assembler::sprName):
2129         (JSC::ARM64Assembler::fprName):
2130         * assembler/ARMAssembler.h:
2131         (JSC::ARMAssembler::numberOfRegisters):
2132         (JSC::ARMAssembler::firstSPRegister):
2133         (JSC::ARMAssembler::lastSPRegister):
2134         (JSC::ARMAssembler::numberOfSPRegisters):
2135         (JSC::ARMAssembler::numberOfFPRegisters):
2136         (JSC::ARMAssembler::gprName):
2137         (JSC::ARMAssembler::sprName):
2138         (JSC::ARMAssembler::fprName):
2139         * assembler/ARMv7Assembler.h:
2140         (JSC::ARMv7Assembler::lastRegister):
2141         (JSC::ARMv7Assembler::numberOfRegisters):
2142         (JSC::ARMv7Assembler::firstSPRegister):
2143         (JSC::ARMv7Assembler::lastSPRegister):
2144         (JSC::ARMv7Assembler::numberOfSPRegisters):
2145         (JSC::ARMv7Assembler::numberOfFPRegisters):
2146         (JSC::ARMv7Assembler::gprName):
2147         (JSC::ARMv7Assembler::sprName):
2148         (JSC::ARMv7Assembler::fprName):
2149         * assembler/AbstractMacroAssembler.h:
2150         (JSC::AbstractMacroAssembler::numberOfRegisters):
2151         (JSC::AbstractMacroAssembler::gprName):
2152         (JSC::AbstractMacroAssembler::firstSPRegister):
2153         (JSC::AbstractMacroAssembler::lastSPRegister):
2154         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
2155         (JSC::AbstractMacroAssembler::sprName):
2156         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
2157         (JSC::AbstractMacroAssembler::fprName):
2158         * assembler/MIPSAssembler.h:
2159         (JSC::MIPSAssembler::numberOfRegisters):
2160         (JSC::MIPSAssembler::firstSPRegister):
2161         (JSC::MIPSAssembler::lastSPRegister):
2162         (JSC::MIPSAssembler::numberOfSPRegisters):
2163         (JSC::MIPSAssembler::numberOfFPRegisters):
2164         (JSC::MIPSAssembler::gprName):
2165         (JSC::MIPSAssembler::sprName):
2166         (JSC::MIPSAssembler::fprName):
2167         * assembler/MacroAssembler.h:
2168         (JSC::MacroAssembler::CPUState::gprName):
2169         (JSC::MacroAssembler::CPUState::sprName):
2170         (JSC::MacroAssembler::CPUState::fprName):
2171         (JSC::MacroAssembler::CPUState::gpr):
2172         (JSC::MacroAssembler::CPUState::spr):
2173         (JSC::MacroAssembler::CPUState::fpr):
2174         (JSC::MacroAssembler::CPUState::pc):
2175         (JSC::MacroAssembler::CPUState::fp):
2176         (JSC::MacroAssembler::CPUState::sp):
2177         (JSC::ProbeContext::gpr):
2178         (JSC::ProbeContext::spr):
2179         (JSC::ProbeContext::fpr):
2180         (JSC::ProbeContext::gprName):
2181         (JSC::ProbeContext::sprName):
2182         (JSC::ProbeContext::fprName):
2183         (JSC::MacroAssembler::numberOfRegisters): Deleted.
2184         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
2185         * assembler/MacroAssemblerARM.cpp:
2186         * assembler/MacroAssemblerARM64.cpp:
2187         (JSC::arm64ProbeTrampoline):
2188         * assembler/MacroAssemblerARMv7.cpp:
2189         * assembler/MacroAssemblerPrinter.cpp:
2190         (JSC::Printer::nextID):
2191         (JSC::Printer::printAllRegisters):
2192         (JSC::Printer::printPCRegister):
2193         (JSC::Printer::printRegisterID):
2194         (JSC::Printer::printAddress):
2195         * assembler/MacroAssemblerX86Common.cpp:
2196         * assembler/X86Assembler.h:
2197         (JSC::X86Assembler::numberOfRegisters):
2198         (JSC::X86Assembler::firstSPRegister):
2199         (JSC::X86Assembler::lastSPRegister):
2200         (JSC::X86Assembler::numberOfSPRegisters):
2201         (JSC::X86Assembler::numberOfFPRegisters):
2202         (JSC::X86Assembler::gprName):
2203         (JSC::X86Assembler::sprName):
2204         (JSC::X86Assembler::fprName):
2205         * jit/FPRInfo.h:
2206         (JSC::FPRInfo::debugName):
2207         * jit/GPRInfo.h:
2208         (JSC::GPRInfo::debugName):
2209         * jit/RegisterSet.cpp:
2210         (JSC::RegisterSet::reservedHardwareRegisters):
2211
2212 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2213
2214         [JSC] Introduce static symbols
2215         https://bugs.webkit.org/show_bug.cgi?id=158863
2216
2217         Reviewed by Darin Adler.
2218
2219         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
2220         As a result, we can share the same Symbol values between VMs and threads.
2221         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
2222
2223         * CMakeLists.txt:
2224         * JavaScriptCore.xcodeproj/project.pbxproj:
2225         * builtins/BuiltinNames.cpp: Added.
2226         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
2227
2228         * builtins/BuiltinNames.h:
2229         (JSC::BuiltinNames::BuiltinNames):
2230         * builtins/BuiltinUtils.h:
2231
2232 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2233
2234         [FTL] Arguments elimination is suppressed by unreachable blocks
2235         https://bugs.webkit.org/show_bug.cgi?id=174352
2236
2237         Reviewed by Filip Pizlo.
2238
2239         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
2240         The problem is that the arguments elimination phase checks escaping even when ForceOSRExit precedes.
2241         Since GetById without information can escape arguments if it is specified, non-executed code including
2242         op_get_by_id with arguments can escape arguments.
2243
2244         For example,
2245
2246             function test(flag)
2247             {
2248                 if (flag) {
2249                     // This is not executed, but emits GetById with arguments.
2250                     // It prevents us from eliminating materialization.
2251                     return arguments.length;
2252                 }
2253                 return arguments.length;
2254             }
2255             noInline(test);
2256             while (true)
2257                 test(false);
2258
2259         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
2260         So this GetById exists and escapes arguments.
2261
2262         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
2263         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
2264         lightweight. But it catches many of the typical cases in which we failed to perform arguments elimination.
2265
2266         * dfg/DFGArgumentsEliminationPhase.cpp:
2267         * dfg/DFGNode.h:
2268         (JSC::DFG::Node::isPseudoTerminal):
2269         * dfg/DFGValidate.cpp:
2270
2271 2017-07-20  Chris Dumez  <cdumez@apple.com>
2272
2273         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
2274         https://bugs.webkit.org/show_bug.cgi?id=174660
2275
2276         Reviewed by Geoffrey Garen.
2277
2278         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2279         This essentially replaces a branch to figure out if the new size is less or greater than the
2280         current size by an assertion.
2281
2282         * b3/B3BasicBlockUtils.h:
2283         (JSC::B3::clearPredecessors):
2284         * b3/B3InferSwitches.cpp:
2285         * b3/B3LowerToAir.cpp:
2286         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2287         * b3/B3ReduceStrength.cpp:
2288         * b3/B3SparseCollection.h:
2289         (JSC::B3::SparseCollection::packIndices):
2290         * b3/B3UseCounts.cpp:
2291         (JSC::B3::UseCounts::UseCounts):
2292         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2293         * b3/air/AirEmitShuffle.cpp:
2294         (JSC::B3::Air::emitShuffle):
2295         * b3/air/AirLowerAfterRegAlloc.cpp:
2296         (JSC::B3::Air::lowerAfterRegAlloc):
2297         * b3/air/AirOptimizeBlockOrder.cpp:
2298         (JSC::B3::Air::optimizeBlockOrder):
2299         * bytecode/Operands.h:
2300         (JSC::Operands::ensureLocals):
2301         * bytecode/PreciseJumpTargets.cpp:
2302         (JSC::computePreciseJumpTargetsInternal):
2303         * dfg/DFGBlockInsertionSet.cpp:
2304         (JSC::DFG::BlockInsertionSet::execute):
2305         * dfg/DFGBlockMapInlines.h:
2306         (JSC::DFG::BlockMap<T>::BlockMap):
2307         * dfg/DFGByteCodeParser.cpp:
2308         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2309         (JSC::DFG::ByteCodeParser::clearCaches):
2310         * dfg/DFGDisassembler.cpp:
2311         (JSC::DFG::Disassembler::Disassembler):
2312         * dfg/DFGFlowIndexing.cpp:
2313         (JSC::DFG::FlowIndexing::recompute):
2314         * dfg/DFGGraph.cpp:
2315         (JSC::DFG::Graph::registerFrozenValues):
2316         * dfg/DFGInPlaceAbstractState.cpp:
2317         (JSC::DFG::setLiveValues):
2318         * dfg/DFGLICMPhase.cpp:
2319         (JSC::DFG::LICMPhase::run):
2320         * dfg/DFGLivenessAnalysisPhase.cpp:
2321         * dfg/DFGNaturalLoops.cpp:
2322         (JSC::DFG::NaturalLoops::NaturalLoops):
2323         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2324         * ftl/FTLLowerDFGToB3.cpp:
2325         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2326         * heap/CodeBlockSet.cpp:
2327         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2328         * heap/MarkedSpace.cpp:
2329         (JSC::MarkedSpace::sweepLargeAllocations):
2330         * inspector/ContentSearchUtilities.cpp:
2331         (Inspector::ContentSearchUtilities::findMagicComment):
2332         * interpreter/ShadowChicken.cpp:
2333         (JSC::ShadowChicken::update):
2334         * parser/ASTBuilder.h:
2335         (JSC::ASTBuilder::shrinkOperandStackBy):
2336         * parser/Lexer.h:
2337         (JSC::Lexer::setOffset):
2338         * runtime/RegExpInlines.h:
2339         (JSC::RegExp::matchInline):
2340         * runtime/RegExpPrototype.cpp:
2341         (JSC::genericSplit):
2342         * yarr/RegularExpression.cpp:
2343         (JSC::Yarr::RegularExpression::match):
2344
2345 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2346
2347         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
2348         https://bugs.webkit.org/show_bug.cgi?id=174678
2349
2350         Reviewed by Mark Lam.
2351
2352         Use Thread& instead.
2353
2354         * runtime/JSLock.cpp:
2355         (JSC::JSLock::didAcquireLock):
2356
2357 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2358
2359         [WTF] Implement WTF::ThreadGroup
2360         https://bugs.webkit.org/show_bug.cgi?id=174081
2361
2362         Reviewed by Mark Lam.
2363
2364         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2365         And SamplingProfiler and others interact with WTF::Thread directly.
2366
2367         * API/tests/ExecutionTimeLimitTest.cpp:
2368         * heap/MachineStackMarker.cpp:
2369         (JSC::MachineThreads::MachineThreads):
2370         (JSC::captureStack):
2371         (JSC::MachineThreads::tryCopyOtherThreadStack):
2372         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2373         (JSC::MachineThreads::gatherConservativeRoots):
2374         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2375         (JSC::ActiveMachineThreadsManager::add): Deleted.
2376         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2377         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2378         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2379         (JSC::activeMachineThreadsManager): Deleted.
2380         (JSC::MachineThreads::~MachineThreads): Deleted.
2381         (JSC::MachineThreads::addCurrentThread): Deleted.
2382         (): Deleted.
2383         (JSC::MachineThreads::removeThread): Deleted.
2384         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2385         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2386         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2387         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2388         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2389         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2390         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2391         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2392         * heap/MachineStackMarker.h:
2393         (JSC::MachineThreads::addCurrentThread):
2394         (JSC::MachineThreads::getLock):
2395         (JSC::MachineThreads::threads):
2396         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2397         (JSC::MachineThreads::MachineThread::resume): Deleted.
2398         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2399         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2400         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2401         (JSC::MachineThreads::threadsListHead): Deleted.
2402         * runtime/SamplingProfiler.cpp:
2403         (JSC::FrameWalker::isValidFramePointer):
2404         (JSC::SamplingProfiler::SamplingProfiler):
2405         (JSC::SamplingProfiler::takeSample):
2406         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2407         * runtime/SamplingProfiler.h:
2408         * wasm/WasmMachineThreads.cpp:
2409         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2410
2411 2017-07-18  Andy Estes  <aestes@apple.com>
2412
2413         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
2414         https://bugs.webkit.org/show_bug.cgi?id=174631
2415
2416         Reviewed by Tim Horton.
2417
2418         * Configurations/Base.xcconfig:
2419         * b3/B3FoldPathConstants.cpp:
2420         * b3/B3LowerMacros.cpp:
2421         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2422         * dfg/DFGByteCodeParser.cpp:
2423         (JSC::DFG::ByteCodeParser::check):
2424         (JSC::DFG::ByteCodeParser::planLoad):
2425
2426 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2427
2428         WTF::Thread should have the thread's stack bounds.
2429         https://bugs.webkit.org/show_bug.cgi?id=173975
2430
2431         Reviewed by Mark Lam.
2432
2433         There is a site in JSC that tries to walk another thread's stack.
2434         Currently, stack bounds are stored in WTFThreadData which is located
2435         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2436         We work around this situation by holding StackBounds in MachineThread in JSC,
2437         but StackBounds should be put in WTF::Thread instead.
2438
2439         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
2440         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
2441
2442         * heap/MachineStackMarker.cpp:
2443         (JSC::MachineThreads::MachineThread::MachineThread):
2444         (JSC::MachineThreads::MachineThread::captureStack):
2445         * heap/MachineStackMarker.h:
2446         (JSC::MachineThreads::MachineThread::stackBase):
2447         (JSC::MachineThreads::MachineThread::stackEnd):
2448         * runtime/VMTraps.cpp:
2449
2450 2017-07-18  Andy Estes  <aestes@apple.com>
2451
2452         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
2453         https://bugs.webkit.org/show_bug.cgi?id=174631
2454
2455         Reviewed by Sam Weinig.
2456
2457         * Configurations/Base.xcconfig:
2458
2459 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2460
2461         Web Inspector: Modernize InjectedScriptSource
2462         https://bugs.webkit.org/show_bug.cgi?id=173890
2463
2464         Reviewed by Brian Burg.
2465
2466         * inspector/InjectedScript.h:
2467         Reorder functions to be slightly better.
2468
2469         * inspector/InjectedScriptSource.js:
2470         - Convert to classes named InjectedScript and RemoteObject
2471         - Align InjectedScript's API with the wrapper C++ interfaces
2472         - Move some code to RemoteObject where appropriate (subtype, describe)
2473         - Move some code to helper functions (isPrimitiveValue, isDefined)
2474         - Refactor for readability and modern features
2475         - Remove some unused / unnecessary code
2476
2477 2017-07-18  Mark Lam  <mark.lam@apple.com>
2478
2479         Butterfly storage need not be initialized for indexing type Undecided.
2480         https://bugs.webkit.org/show_bug.cgi?id=174516
2481
2482         Reviewed by Saam Barati.
2483
2484         While it's not incorrect to initialize the butterfly storage when the
2485         indexingType is Undecided, it is inefficient as we'll end up initializing
2486         it again later when we convert the storage to a different indexingType.
2487         Some of our code already skips initializing Undecided butterflies.
2488         This patch makes it the consistent behavior everywhere.
2489
2490         * dfg/DFGSpeculativeJIT.cpp:
2491         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2492         * runtime/JSArray.cpp:
2493         (JSC::JSArray::tryCreateUninitializedRestricted):
2494         * runtime/JSArray.h:
2495         (JSC::JSArray::tryCreate):
2496         * runtime/JSObject.cpp:
2497         (JSC::JSObject::ensureLengthSlow):
2498
2499 2017-07-18  Saam Barati  <sbarati@apple.com>
2500
2501         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2502         https://bugs.webkit.org/show_bug.cgi?id=174515
2503         <rdar://problem/33358092>
2504
2505         Reviewed by Filip Pizlo.
2506
2507         AirLowerAfterRegAlloc was computing the set of available scratch
2508         registers incorrectly. It was always excluding callee save registers
2509         from the set of live registers. It did not guarantee that live callee save
2510         registers were not in the set of scratch registers that could
2511         get clobbered. That's incorrect as the shuffling code is free
2512         to overwrite whatever is in the scratch register it gets passed.
2513
2514         * b3/air/AirLowerAfterRegAlloc.cpp:
2515         (JSC::B3::Air::lowerAfterRegAlloc):
2516         * b3/testb3.cpp:
2517         (JSC::B3::functionNineArgs):
2518         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2519         (JSC::B3::run):
2520         * jit/RegisterSet.h:
2521
2522 2017-07-18  Andy Estes  <aestes@apple.com>
2523
2524         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2525         https://bugs.webkit.org/show_bug.cgi?id=174631
2526
2527         Reviewed by Dan Bernstein.
2528
2529         * Configurations/Base.xcconfig:
2530
2531 2017-07-18  Devin Rousso  <drousso@apple.com>
2532
2533         Web Inspector: Add memoryCost to Inspector Protocol objects
2534         https://bugs.webkit.org/show_bug.cgi?id=174478
2535
2536         Reviewed by Joseph Pecoraro.
2537
2538         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
2539         plus the memoryCost of the data if it is a string.
2540
2541         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2542
2543         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2544         key plus the memoryCost of the InspectorValue for each entry.
2545
2546         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2547
2548         * inspector/InspectorValues.h:
2549         * inspector/InspectorValues.cpp:
2550         (Inspector::InspectorValue::memoryCost):
2551         (Inspector::InspectorObjectBase::memoryCost):
2552         (Inspector::InspectorArrayBase::memoryCost):
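
As an added example (not Inspector's InspectorValues.cpp), a minimal protocol value tree whose memoryCost() applies the three rules described in the entry above; the Value type, its builders and the one-byte-per-character string cost are assumptions made here:

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for InspectorValue / InspectorObject / InspectorArray.
struct Value {
    enum class Type { Null, Boolean, Number, String, Array, Object };

    Type type = Type::Null;
    std::string string;                                                  // payload when type == String
    std::vector<std::unique_ptr<Value>> items;                           // children when type == Array
    std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries; // key/value pairs when type == Object

    // Assumed string accounting: one byte per 8-bit character, no header.
    static size_t stringCost(const std::string& s) { return s.size(); }

    size_t memoryCost() const
    {
        switch (type) {
        case Type::Array: {
            // Rule 2: an array costs the sum of its items' costs.
            size_t cost = 0;
            for (const auto& item : items)
                cost += item->memoryCost();
            return cost;
        }
        case Type::Object: {
            // Rule 3: an object costs, per entry, the key string plus the value.
            size_t cost = 0;
            for (const auto& entry : entries)
                cost += stringCost(entry.first) + entry.second->memoryCost();
            return cost;
        }
        case Type::String:
            // Rule 1 for strings: the object itself plus its character data.
            return sizeof(Value) + stringCost(string);
        default:
            // Rule 1 for every other scalar: just the object itself.
            return sizeof(Value);
        }
    }
};

// Small builders so callers can assemble a tree without touching members directly.
std::unique_ptr<Value> makeString(const std::string& s)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::String;
    v->string = s;
    return v;
}

std::unique_ptr<Value> makeNumber()
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Number;
    return v;
}

std::unique_ptr<Value> makeArray(std::vector<std::unique_ptr<Value>> items)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Array;
    v->items = std::move(items);
    return v;
}

std::unique_ptr<Value> makeObject(std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Object;
    v->entries = std::move(entries);
    return v;
}

// Constructed sample: {"name": "inspector", "ids": [1, 2]}. Its cost is the two
// keys (4 + 3 bytes), the string value (sizeof(Value) + 9) and two numbers
// (2 * sizeof(Value)), i.e. 16 + 3 * sizeof(Value).
size_t sampleMemoryCost()
{
    std::vector<std::unique_ptr<Value>> ids;
    ids.push_back(makeNumber());
    ids.push_back(makeNumber());

    std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries;
    entries.emplace_back("name", makeString("inspector"));
    entries.emplace_back("ids", makeArray(std::move(ids)));
    return makeObject(std::move(entries))->memoryCost();
}
```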
2553
2554 2017-07-18  Andy Estes  <aestes@apple.com>
2555
2556         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2557         https://bugs.webkit.org/show_bug.cgi?id=174631
2558
2559         Reviewed by Darin Adler.
2560
2561         * Configurations/Base.xcconfig:
2562
2563 2017-07-18  Michael Saboff  <msaboff@apple.com>
2564
2565         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2566         https://bugs.webkit.org/show_bug.cgi?id=174601
2567
2568         Reviewed by Alex Christensen.
2569
2570         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2571         objects after a regular expression has been compiled.
2572
2573         * runtime/Options.h:
2574         * yarr/YarrPattern.cpp:
2575         (JSC::Yarr::YarrPattern::compile):
2576         (JSC::Yarr::indentForNestingLevel):
2577         (JSC::Yarr::dumpUChar32):
2578         (JSC::Yarr::PatternAlternative::dump):
2579         (JSC::Yarr::PatternTerm::dumpQuantifier):
2580         (JSC::Yarr::PatternTerm::dump):
2581         (JSC::Yarr::PatternDisjunction::dump):
2582         (JSC::Yarr::YarrPattern::dumpPattern):
2583         * yarr/YarrPattern.h:
2584         (JSC::Yarr::YarrPattern::global):
2585
2586 2017-07-17  Darin Adler  <darin@apple.com>
2587
2588         Improve use of NeverDestroyed
2589         https://bugs.webkit.org/show_bug.cgi?id=174348
2590
2591         Reviewed by Sam Weinig.
2592
2593         * heap/MachineStackMarker.cpp:
2594         * wasm/WasmMemory.cpp:
2595         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2596         of NeverDestroyed.
2597
2598 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2599
2600         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2601         https://bugs.webkit.org/show_bug.cgi?id=174547
2602
2603         Reviewed by Alex Christensen.
2604
2605         * CMakeLists.txt:
2606         * shell/CMakeLists.txt:
2607
2608 2017-07-17  Saam Barati  <sbarati@apple.com>
2609
2610         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2611         https://bugs.webkit.org/show_bug.cgi?id=174584
2612
2613         Rubber stamped by Keith Miller.
2614
2615         I used it to diagnose a bug. The bug is now fixed. This custom
2616         RELEASE_ASSERT is no longer needed.
2617
2618         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2619
2620 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2621
2622         -Wformat-truncation warning in ConfigFile.cpp
2623         https://bugs.webkit.org/show_bug.cgi?id=174506
2624
2625         Reviewed by Darin Adler.
2626
2627         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2628         return ParseError.
2629
2630         * runtime/ConfigFile.cpp:
2631         (JSC::ConfigFile::parse):
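
As an added example (not JavaScriptCore's ConfigFile.cpp), the truncation check the entry describes, applied to a fixed-size path buffer; kMaxPathLength, ParseResult, buildConfigPath and configPathOrEmpty are hypothetical names chosen here:

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Hypothetical result type standing in for the parser's ParseError outcome.
enum class ParseResult { Ok, ParseError };

// Deliberately small so the truncation path is easy to exercise; a real build
// would use PATH_MAX or the platform equivalent.
constexpr size_t kMaxPathLength = 32;

// Writes "<directory>/<filename>" into out (capacity outSize). snprintf reports the
// length the full string would have needed; when that is >= outSize the buffer
// received a clipped path, which is reported instead of silently used.
ParseResult buildConfigPath(const char* directory, const char* filename, char* out, size_t outSize)
{
    int needed = std::snprintf(out, outSize, "%s/%s", directory, filename);
    if (needed < 0 || static_cast<size_t>(needed) >= outSize) {
        if (outSize)
            out[0] = '\0'; // never hand a partial path to the caller
        return ParseResult::ParseError;
    }
    return ParseResult::Ok;
}

// Convenience wrapper: the built path, or an empty string when the path would
// not fit within kMaxPathLength.
std::string configPathOrEmpty(const char* directory, const char* filename)
{
    char buffer[kMaxPathLength];
    if (buildConfigPath(directory, filename, buffer, sizeof(buffer)) != ParseResult::Ok)
        return std::string();
    return std::string(buffer);
}
```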
2632
2633 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2634
2635         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2636         https://bugs.webkit.org/show_bug.cgi?id=174557
2637
2638         Reviewed by Michael Catanzaro.
2639
2640         * CMakeLists.txt:
2641
2642 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2643
2644         [WTF] Use std::unique_ptr for StackTrace
2645         https://bugs.webkit.org/show_bug.cgi?id=174495
2646
2647         Reviewed by Alex Christensen.
2648
2649         * runtime/ExceptionScope.cpp:
2650         (JSC::ExceptionScope::unexpectedExceptionMessage):
2651         * runtime/VM.cpp:
2652         (JSC::VM::throwException):
2653
2654 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2655
2656         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2657         https://bugs.webkit.org/show_bug.cgi?id=174423
2658
2659         Reviewed by Saam Barati.
2660
2661         * dfg/DFGAvailabilityMap.cpp:
2662         (JSC::DFG::AvailabilityMap::pruneHeap):
2663         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2664
2665 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2666
2667         Fix compiler warnings when building with GCC 7
2668         https://bugs.webkit.org/show_bug.cgi?id=174463
2669
2670         Reviewed by Darin Adler.
2671
2672         * disassembler/udis86/udis86_decode.c:
2673         (decode_operand):
2674
2675 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2676
2677         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2678         https://bugs.webkit.org/show_bug.cgi?id=174467
2679
2680         Reviewed by Saam Barati.
2681
2682         * bytecode/CallLinkInfo.cpp:
2683         (JSC::CallLinkInfo::callTypeFor):
2684
2685 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2686
2687         Web Inspector: Remove unused and untested Page domain commands
2688         https://bugs.webkit.org/show_bug.cgi?id=174429
2689
2690         Reviewed by Timothy Hatcher.
2691
2692         * inspector/protocol/Page.json:
2693
2694 2017-07-13  Saam Barati  <sbarati@apple.com>
2695
2696         Missing exception check in JSObject::hasInstance
2697         https://bugs.webkit.org/show_bug.cgi?id=174455
2698         <rdar://problem/31384608>
2699
2700         Reviewed by Mark Lam.
2701
2702         * runtime/JSObject.cpp:
2703         (JSC::JSObject::hasInstance):
2704
2705 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2706
2707         [ESnext] Implement Object Spread
2708         https://bugs.webkit.org/show_bug.cgi?id=167963
2709
2710         Reviewed by Saam Barati.
2711
2712         This patch implements ECMA262 stage 3 Object Spread proposal [1].
2713         It's implemented using CopyDataPropertiesNoExclusions to copy
2714         all enumerable keys from the object being spread. The implementation of
2715         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2716         implementation, however we don't receive excludedNames as parameter.
2717
2718         [1] - https://github.com/tc39/proposal-object-rest-spread
2719
2720         * builtins/GlobalOperations.js:
2721         (globalPrivate.copyDataPropertiesNoExclusions):
2722         * bytecompiler/BytecodeGenerator.cpp:
2723         (JSC::BytecodeGenerator::emitLoad):
2724         * bytecompiler/NodesCodegen.cpp:
2725         (JSC::PropertyListNode::emitBytecode):
2726         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2727         * parser/ASTBuilder.h:
2728         (JSC::ASTBuilder::createObjectSpreadExpression):
2729         (JSC::ASTBuilder::createProperty):
2730         * parser/NodeConstructors.h:
2731         (JSC::PropertyNode::PropertyNode):
2732         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2733         * parser/Nodes.h:
2734         (JSC::ObjectSpreadExpressionNode::expression):
2735         * parser/Parser.cpp:
2736         (JSC::Parser<LexerType>::parseProperty):
2737         * parser/SyntaxChecker.h:
2738         (JSC::SyntaxChecker::createObjectSpreadExpression):
2739         (JSC::SyntaxChecker::createProperty):
2740
2741 2017-07-12  Mark Lam  <mark.lam@apple.com>
2742
2743         Gardening: build fix after r219434.
2744         https://bugs.webkit.org/show_bug.cgi?id=174441
2745
2746         Not reviewed.
2747
2748         Make public some MacroAssembler functions that are needed by the probe implementation.
2749
2750         * assembler/MacroAssemblerARM.h:
2751         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2752         * assembler/MacroAssemblerARMv7.h:
2753         (JSC::MacroAssemblerARMv7::linkCall):
2754
2755 2017-07-12  Mark Lam  <mark.lam@apple.com>
2756
2757         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2758         https://bugs.webkit.org/show_bug.cgi?id=174441
2759
2760         Reviewed by Saam Barati.
2761
2762         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2763         to MacroAssembler.  There is no code behavior change.
2764
2765         * assembler/AbstractMacroAssembler.h:
2766         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2767         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2768         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2769         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2770         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2771         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2772         * assembler/MacroAssembler.h:
2773         (JSC::MacroAssembler::CPUState::gprName):
2774         (JSC::MacroAssembler::CPUState::fprName):
2775         (JSC::MacroAssembler::CPUState::gpr):
2776         (JSC::MacroAssembler::CPUState::fpr):
2777         * assembler/MacroAssemblerARM.cpp:
2778         (JSC::MacroAssembler::probe):
2779         (JSC::MacroAssemblerARM::probe): Deleted.
2780         * assembler/MacroAssemblerARM.h:
2781         * assembler/MacroAssemblerARM64.cpp:
2782         (JSC::MacroAssembler::probe):
2783         (JSC::MacroAssemblerARM64::probe): Deleted.
2784         * assembler/MacroAssemblerARM64.h:
2785         * assembler/MacroAssemblerARMv7.cpp:
2786         (JSC::MacroAssembler::probe):
2787         (JSC::MacroAssemblerARMv7::probe): Deleted.
2788         * assembler/MacroAssemblerARMv7.h:
2789         * assembler/MacroAssemblerMIPS.h:
2790         * assembler/MacroAssemblerX86Common.cpp:
2791         (JSC::MacroAssembler::probe):
2792         (JSC::MacroAssemblerX86Common::probe): Deleted.
2793         * assembler/MacroAssemblerX86Common.h:
2794
2795 2017-07-12  Saam Barati  <sbarati@apple.com>
2796
2797         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2798         https://bugs.webkit.org/show_bug.cgi?id=174411
2799         <rdar://problem/31696186>
2800
2801         Reviewed by Mark Lam.
2802
2803         The code for deleting an argument was incorrectly referencing state
2804         when it decided if it should unmap or mark a property as having its
2805         descriptor modified. This patch fixes the bug where if we delete a
2806         property, we would sometimes not unmap an argument when deleting it.
2807
2808         * runtime/GenericArgumentsInlines.h:
2809         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2810         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2811         (JSC::GenericArguments<Type>::deleteProperty):
2812         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2813
2814 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2815
2816         Unreviewed, rolling out r219176.
2817         https://bugs.webkit.org/show_bug.cgi?id=174436
2818
2819         "Can cause infinite recursion on iOS" (Requested by mlam on
2820         #webkit).
2821
2822         Reverted changeset:
2823
2824         "WTF::Thread should have the threads stack bounds."
2825         https://bugs.webkit.org/show_bug.cgi?id=173975
2826         http://trac.webkit.org/changeset/219176
2827
2828 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2829
2830         Unreviewed, rolling out r219401.
2831
2832         This revision rolled out the previous patch, but after talking
2833         with the reviewer, a rebaseline is what was needed. Rolling back in
2834         before rebaseline.
2835
2836         Reverted changeset:
2837
2838         "Unreviewed, rolling out r219379."
2839         https://bugs.webkit.org/show_bug.cgi?id=174400
2840         http://trac.webkit.org/changeset/219401
2841
2842 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2843
2844         Unreviewed, rolling out r219379.
2845
2846         This revision caused a consistent failure in the test
2847         fast/dom/Window/property-access-on-cached-window-after-frame-
2848         removed.html.
2849
2850         Reverted changeset:
2851
2852         "Remove NAVIGATOR_HWCONCURRENCY"
2853         https://bugs.webkit.org/show_bug.cgi?id=174400
2854         http://trac.webkit.org/changeset/219379
2855
2856 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2857
2858         Wrong radix used in Unicode Escape in invalid character error message
2859         https://bugs.webkit.org/show_bug.cgi?id=174419
2860
2861         Reviewed by Alex Christensen.
2862
2863         * parser/Lexer.cpp:
2864         (JSC::Lexer<T>::invalidCharacterMessage):
2865
2866 2017-07-11  Dean Jackson  <dino@apple.com>
2867
2868         Remove NAVIGATOR_HWCONCURRENCY
2869         https://bugs.webkit.org/show_bug.cgi?id=174400
2870
2871         Reviewed by Sam Weinig.
2872
2873         * Configurations/FeatureDefines.xcconfig:
2874
2875 2017-07-11  Dean Jackson  <dino@apple.com>
2876
2877         Rolling out r219372.
2878
2879         * Configurations/FeatureDefines.xcconfig:
2880
2881 2017-07-11  Dean Jackson  <dino@apple.com>
2882
2883         Remove NAVIGATOR_HWCONCURRENCY
2884         https://bugs.webkit.org/show_bug.cgi?id=174400
2885
2886         Reviewed by Sam Weinig.
2887
2888         * Configurations/FeatureDefines.xcconfig:
2889
2890 2017-07-11  Saam Barati  <sbarati@apple.com>
2891
2892         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2893         https://bugs.webkit.org/show_bug.cgi?id=174397
2894
2895         Rubber stamped by David Kilzer.
2896
2897         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2898         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2899
2900 2017-07-10  Saam Barati  <sbarati@apple.com>
2901
2902         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2903         https://bugs.webkit.org/show_bug.cgi?id=174321
2904         <rdar://problem/32604963>
2905
2906         Reviewed by Filip Pizlo.
2907
2908         When the allocation sinking phase was generating stores to materialize
2909         objects in a cycle with each other, it would assume that each materialized
2910         object had a valid, non-empty set of structures. This is an OK assumption for
2911         the phase to make because how do you materialize an object with no structure?
2912         
2913         The abstract interpretation part of the phase will model what's in the heap.
2914         However, it would sometimes model that a CheckStructure would fail. The phase
2915         did nothing special for this; it just stored the empty set of structures for
2916         its representation of a particular allocation. However, what the phase proved
2917         in such a scenario is that, had the CheckStructure executed, it would have exited.
2918         
2919         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2920         This will cause the allocation in question to be materialized just before
2921         the CheckStructure, and then at execution time, the CheckStructure will exit.
2922         
2923         I wasn't able to write a test case for this. However, I was able to reproduce
2924         this crash by manually editing the IR. I've opened a separate bug to help us
2925         create a testing framework for writing tests for hard to reproduce bugs like this:
2926         https://bugs.webkit.org/show_bug.cgi?id=174322
2927
2928         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2929
2930 2017-07-10  Devin Rousso  <drousso@apple.com>
2931
2932         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2933         https://bugs.webkit.org/show_bug.cgi?id=174279
2934
2935         Reviewed by Matt Baker.
2936
2937         * inspector/protocol/DOM.json:
2938         Add `highlightNodeList` command that will highlight each node in the given list.
2939
2940 2017-07-03  Brian Burg  <bburg@apple.com>
2941
2942         Web Replay: remove some unused code
2943         https://bugs.webkit.org/show_bug.cgi?id=173903
2944
2945         Rubber-stamped by Joseph Pecoraro.
2946
2947         * CMakeLists.txt:
2948         * Configurations/FeatureDefines.xcconfig:
2949         * DerivedSources.make:
2950         * JavaScriptCore.xcodeproj/project.pbxproj:
2951         * inspector/protocol/Replay.json: Removed.
2952         * replay/EmptyInputCursor.h: Removed.
2953         * replay/EncodedValue.cpp: Removed.
2954         * replay/EncodedValue.h: Removed.
2955         * replay/InputCursor.h: Removed.
2956         * replay/JSInputs.json: Removed.
2957         * replay/NondeterministicInput.h: Removed.
2958         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2959         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2960         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2961         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2962         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2963         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2964         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2965         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2966         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2967         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2968         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2969         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2970         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2971         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2972         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2973         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2974         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2975         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2976         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2977         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2978         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2979         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2980         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2981         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2982         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2983         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2984         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2985         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2986         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
2987         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
2988         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
2989         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
2990         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
2991         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
2992         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
2993         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
2994         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
2995         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
2996         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
2997         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
2998         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
2999         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
3000         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
3001         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
3002         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
3003         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
3004         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
3005         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
3006         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
3007         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
3008         * replay/scripts/tests/generate-input-with-guard.json: Removed.
3009         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
3010         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
3011         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
3012         * runtime/DateConstructor.cpp:
3013         (JSC::constructDate):
3014         (JSC::dateNow):
3015         (JSC::deterministicCurrentTime): Deleted.
3016         * runtime/JSGlobalObject.cpp:
3017         (JSC::JSGlobalObject::JSGlobalObject):
3018         (JSC::JSGlobalObject::setInputCursor): Deleted.
3019         * runtime/JSGlobalObject.h:
3020         (JSC::JSGlobalObject::inputCursor): Deleted.
3021
3022 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
3023
3024         Move make-js-file-arrays.py from WebCore to JavaScriptCore
3025         https://bugs.webkit.org/show_bug.cgi?id=174024
3026
3027         Reviewed by Michael Catanzaro.
3028
3029         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
3030         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
3031         Added a command line option to pass the namespace to use instead of using WebCore.
3032
3033         * JavaScriptCore.xcodeproj/project.pbxproj:
3034         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
3035         (main):
3036
3037 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3038
3039         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
3040         https://bugs.webkit.org/show_bug.cgi?id=174296
3041
3042         Reviewed by Mark Lam.
3043
3044         Previously, we treated <LF><CR> as one line terminator. So we increased the line number by one.
3045         It caused a problem in scanning template literals. While template literals normalize
3046         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
3047         To handle it correctly, LineNumberAdder was introduced.
3048
3049         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
3050         LineNumberAdder. Let's just use shiftLineTerminator() instead.
3051
3052         * parser/Lexer.cpp:
3053         (JSC::Lexer<T>::parseTemplateLiteral):
3054         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
3055         (JSC::LineNumberAdder::clear): Deleted.
3056         (JSC::LineNumberAdder::add): Deleted.
3057
3058 2017-07-09  Dan Bernstein  <mitz@apple.com>
3059
3060         [Xcode] ICU headers aren’t treated as system headers after r219155
3061         https://bugs.webkit.org/show_bug.cgi?id=174299
3062
3063         Reviewed by Sam Weinig.
3064
3065         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
3066           C++ compilers.
3067
3068         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
3069         * runtime/IntlDateTimeFormat.cpp: Ditto.
3070         * runtime/JSGlobalObject.cpp: Ditto.
3071         * runtime/StringPrototype.cpp: Ditto.
3072
3073 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3074
3075         [JSC] Use fastMalloc / fastFree for STL containers
3076         https://bugs.webkit.org/show_bug.cgi?id=174297
3077
3078         Reviewed by Sam Weinig.
3079
3080         In some places, we intentionally use STL containers over WTF containers.
3081         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
3082         because we do not have effective empty / deleted representations in the space of the key's values.
3083         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
3084
3085         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
3086         We specify this allocator as the STL containers' template parameter to allocate memory from fastMalloc.
3087
3088         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
3089         without compromising memory allocation throughput.
3090
3091         * dfg/DFGGraph.h:
3092         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3093         * ftl/FTLLowerDFGToB3.cpp:
3094         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3095         * runtime/FunctionHasExecutedCache.h:
3096         * runtime/TypeLocationCache.h:
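The allocator pattern this entry describes, as an added example that is not WebKit's code: a minimal C++ allocator whose allocate/deallocate route through a malloc/free pair standing in for fastMalloc/fastFree (the counting stubs fastMallocStub and fastFreeStub are hypothetical stand-ins), supplied to std::unordered_set and std::unordered_map as the last template parameter.

```cpp
// Added example, not WebKit code. fastMallocStub/fastFreeStub are hypothetical
// stand-ins for WTF's fastMalloc/fastFree; they wrap plain malloc/free and count
// calls so that routing of container allocations becomes observable.
#include <cstddef>
#include <cstdlib>
#include <functional>
#include <new>
#include <string>
#include <unordered_map>
#include <unordered_set>
#include <utility>

static std::size_t g_fastMallocCalls = 0;
static std::size_t g_fastFreeCalls = 0;

static void* fastMallocStub(std::size_t bytes)
{
    void* p = std::malloc(bytes);
    if (!p)
        throw std::bad_alloc();
    ++g_fastMallocCalls;
    return p;
}

static void fastFreeStub(void* p)
{
    ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++ allocator: value_type, allocate and deallocate are all the
// standard containers require; rebinding to node types goes through the
// converting constructor.
template<typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() = default;
    template<typename U> FastAllocator(const FastAllocator<U>&) noexcept { }

    T* allocate(std::size_t n)
    {
        // Guard the byte-count multiplication against overflow before malloc.
        if (n > static_cast<std::size_t>(-1) / sizeof(T))
            throw std::bad_alloc();
        return static_cast<T*>(fastMallocStub(n * sizeof(T)));
    }

    void deallocate(T* p, std::size_t) noexcept { fastFreeStub(p); }
};

// All FastAllocator instances are interchangeable (stateless).
template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) { return false; }

// STL containers with the allocator as the last template parameter, as the
// entry describes for std::unordered_{set,map}.
template<typename Key>
using FastUnorderedSet = std::unordered_set<Key, std::hash<Key>, std::equal_to<Key>, FastAllocator<Key>>;

template<typename Key, typename Value>
using FastUnorderedMap = std::unordered_map<Key, Value, std::hash<Key>, std::equal_to<Key>,
    FastAllocator<std::pair<const Key, Value>>>;

// Fills a set and a map with constructed sample data, then returns how many
// allocations went through the custom allocator. With std::allocator the
// count would stay at zero. Returns 0 if malloc and free counts disagree,
// i.e. if some block was not returned to the same allocator.
std::size_t allocationsRoutedThroughFastMalloc()
{
    g_fastMallocCalls = 0;
    g_fastFreeCalls = 0;
    {
        FastUnorderedSet<int> seen;
        for (int i = 0; i < 100; ++i)
            seen.insert(i * 7); // one node allocation per element, plus rehashes
        FastUnorderedMap<int, std::string> names;
        names.emplace(1, "one");
        names.emplace(2, "two");
    }
    return g_fastMallocCalls == g_fastFreeCalls ? g_fastMallocCalls : 0;
}
```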
3097
3098 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3099
3100         Drop NOSNIFF compile flag
3101         https://bugs.webkit.org/show_bug.cgi?id=174289
3102
3103         Reviewed by Michael Catanzaro.
3104
3105         * Configurations/FeatureDefines.xcconfig:
3106
3107 2017-07-07  AJ Ringer  <aringer@apple.com>
3108
3109         Lower the max_protection for the separated heap
3110         https://bugs.webkit.org/show_bug.cgi?id=174281
3111
3112         Reviewed by Oliver Hunt.
3113
3114         Switch to vm_protect so we can set maximum page protection.
3115
3116         * jit/ExecutableAllocator.cpp:
3117         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3118         (JSC::ExecutableAllocator::allocate):
3119
3120 2017-07-07  Devin Rousso  <drousso@apple.com>
3121
3122         Web Inspector: Show all elements currently using a given CSS Canvas
3123         https://bugs.webkit.org/show_bug.cgi?id=173965
3124
3125         Reviewed by Joseph Pecoraro.
3126
3127         * inspector/protocol/Canvas.json:
3128          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
3129            canvas via -webkit-canvas.
3130          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
3131            added/removed from the list of -webkit-canvas clients.
3132
3133 2017-07-07  Mark Lam  <mark.lam@apple.com>
3134
3135         \n\r is not the same as \r\n.
3136         https://bugs.webkit.org/show_bug.cgi?id=173053
3137
3138         Reviewed by Keith Miller.
3139
3140         * parser/Lexer.cpp:
3141         (JSC::Lexer<T>::shiftLineTerminator):
3142         (JSC::LineNumberAdder::add):
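The line-terminator rule behind this entry and the LineNumberAdder removal above, as an added example that is not JavaScriptCore's code: a scanner that counts <CR><LF> as one terminator and <LF><CR> as two, plus the template-literal normalization that turns <LF><CR> into <LF><LF>, so the cooked text yields the same line count as the raw text without any extra adjustment. Function names are my own.

```cpp
// Added example, not JavaScriptCore code. Source text is held as UTF-16
// (std::u16string) so the U+2028 / U+2029 terminators can be covered too.
#include <cstddef>
#include <string>

static bool isLineTerminator(char16_t c)
{
    return c == u'\n' || c == u'\r' || c == u'\u2028' || c == u'\u2029';
}

// At a position holding a line terminator, returns how many code units form
// this one terminator: 2 only for <CR><LF>; <LF><CR> is never merged.
static std::size_t lineTerminatorLength(const std::u16string& src, std::size_t pos)
{
    if (src[pos] == u'\r' && pos + 1 < src.size() && src[pos + 1] == u'\n')
        return 2;
    return 1;
}

// Number of line terminators, i.e. the amount the line number grows by.
std::size_t countLineTerminators(const std::u16string& src)
{
    std::size_t lines = 0;
    for (std::size_t pos = 0; pos < src.size();) {
        if (isLineTerminator(src[pos])) {
            ++lines;
            pos += lineTerminatorLength(src, pos);
        } else
            ++pos;
    }
    return lines;
}

// Template-literal normalization: <CR><LF> and lone <CR> become <LF>, so
// <LF><CR> becomes <LF><LF> and the terminator count is preserved.
std::u16string normalizeTemplateLineTerminators(const std::u16string& src)
{
    std::u16string out;
    for (std::size_t pos = 0; pos < src.size();) {
        if (src[pos] == u'\r') {
            out.push_back(u'\n');
            pos += lineTerminatorLength(src, pos);
        } else
            out.push_back(src[pos++]);
    }
    return out;
}
```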
3143
3144 2017-07-07  Commit Queue  <commit-queue@webkit.org>
3145
3146         Unreviewed, rolling out r219238, r219239, and r219241.
3147         https://bugs.webkit.org/show_bug.cgi?id=174265
3148
3149         "fast/workers/dedicated-worker-lifecycle.html is flaky"
3150         (Requested by yusukesuzuki on #webkit).
3151
3152         Reverted changesets:
3153
3154         "[WTF] Implement WTF::ThreadGroup"
3155         https://bugs.webkit.org/show_bug.cgi?id=174081
3156         http://trac.webkit.org/changeset/219238
3157
3158         "Unreviewed, build fix after r219238"
3159         https://bugs.webkit.org/show_bug.cgi?id=174081
3160         http://trac.webkit.org/changeset/219239
3161
3162         "Unreviewed, CLoop build fix after r219238"
3163         https://bugs.webkit.org/show_bug.cgi?id=174081
3164         http://trac.webkit.org/changeset/219241
3165
3166 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3167
3168         Unreviewed, CLoop build fix after r219238
3169         https://bugs.webkit.org/show_bug.cgi?id=174081
3170
3171         * heap/MachineStackMarker.cpp:
3172
3173 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3174
3175         [WTF] Implement WTF::ThreadGroup
3176         https://bugs.webkit.org/show_bug.cgi?id=174081
3177
3178         Reviewed by Mark Lam.
3179
3180         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
3181         And SamplingProfiler and others interact with WTF::Thread directly.
3182
3183         * API/tests/ExecutionTimeLimitTest.cpp:
3184         * heap/MachineStackMarker.cpp:
3185         (JSC::MachineThreads::MachineThreads):
3186         (JSC::captureStack):
3187         (JSC::MachineThreads::tryCopyOtherThreadStack):
3188         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3189         (JSC::MachineThreads::gatherConservativeRoots):
3190         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3191         (JSC::ActiveMachineThreadsManager::add): Deleted.
3192         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3193         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3194         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3195         (JSC::activeMachineThreadsManager): Deleted.
3196         (JSC::MachineThreads::~MachineThreads): Deleted.
3197         (JSC::MachineThreads::addCurrentThread): Deleted.
3198         (): Deleted.
3199         (JSC::MachineThreads::removeThread): Deleted.
3200         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3201         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3202         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3203         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3204         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3205         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3206         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3207         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3208         * heap/MachineStackMarker.h:
3209         (JSC::MachineThreads::addCurrentThread):
3210         (JSC::MachineThreads::getLock):
3211         (JSC::MachineThreads::threads):
3212         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3213         (JSC::MachineThreads::MachineThread::resume): Deleted.
3214         (JSC::MachineThreads::MachineThread::threadID): Deleted.
3215         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
3216         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
3217         (JSC::MachineThreads::threadsListHead): Deleted.
3218         * runtime/SamplingProfiler.cpp:
3219         (JSC::FrameWalker::isValidFramePointer):
3220         (JSC::SamplingProfiler::SamplingProfiler):
3221         (JSC::SamplingProfiler::takeSample):
3222         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3223         * runtime/SamplingProfiler.h:
3224         * wasm/WasmMachineThreads.cpp:
3225         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3226
3227 2017-07-06  Saam Barati  <sbarati@apple.com>
3228
3229         We are missing places where we invalidate the for-in context
3230         https://bugs.webkit.org/show_bug.cgi?id=174184
3231
3232         Reviewed by Geoffrey Garen.
3233
3234         * bytecompiler/BytecodeGenerator.cpp:
3235         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3236         * bytecompiler/NodesCodegen.cpp:
3237         (JSC::EmptyLetExpression::emitBytecode):
3238         (JSC::ForInNode::emitLoopHeader):
3239         (JSC::ForOfNode::emitBytecode):
3240         (JSC::BindingNode::bindValue):
3241
3242 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3243
3244         Unreviewed, suppress warnings in GCC environment
3245
3246         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3247         * runtime/IntlCollator.cpp:
3248         * runtime/IntlDateTimeFormat.cpp:
3249         * runtime/JSGlobalObject.cpp:
3250         * runtime/StringPrototype.cpp:
3251
3252 2017-07-05  Saam Barati  <sbarati@apple.com>
3253
3254         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
3255         https://bugs.webkit.org/show_bug.cgi?id=174188
3256         <rdar://problem/30581423>
3257
3258         Reviewed by Mark Lam.
3259
3260         We were calling lowJSValue(edge) when we were speculating the
3261         edge as double. This isn't allowed. We should have been using
3262         lowDouble.
3263         
3264         This patch also adds a new option, called useArrayAllocationProfiling,
3265         which defaults to true. When false, it will make the array allocation
3266         profile not actually sample seen arrays. It'll force the allocation
3267         profile's predicted indexing type to be ArrayWithUndecided. Adding
3268         this option made it trivial to write a test for this bug.
3269
3270         * bytecode/ArrayAllocationProfile.cpp:
3271         (JSC::ArrayAllocationProfile::updateIndexingType):
3272         * ftl/FTLLowerDFGToB3.cpp:
3273         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3274         * runtime/Options.h:
3275
3276 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3277
3278         WTF::Thread should have the threads stack bounds.
3279         https://bugs.webkit.org/show_bug.cgi?id=173975
3280
3281         Reviewed by Keith Miller.
3282
3283         There is a site in JSC that tries to walk another thread's stack.
3284         Currently, stack bounds are stored in WTFThreadData which is located
3285         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3286         We work around this situation by holding StackBounds in MachineThread in JSC,
3287         but StackBounds should be put in WTF::Thread instead.
3288
3289         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3290         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3291         is a natural choice.
3292
3293         * heap/MachineStackMarker.cpp:
3294         (JSC::MachineThreads::MachineThread::MachineThread):
3295         (JSC::MachineThreads::MachineThread::captureStack):
3296         * heap/MachineStackMarker.h:
3297         (JSC::MachineThreads::MachineThread::stackBase):
3298         (JSC::MachineThreads::MachineThread::stackEnd):
3299         * runtime/InitializeThreading.cpp:
3300         (JSC::initializeThreading):
3301         * runtime/VM.cpp:
3302         (JSC::VM::VM):
3303         (JSC::VM::updateStackLimits):
3304         (JSC::VM::committedStackByteCount):
3305         * runtime/VM.h:
3306         (JSC::VM::isSafeToRecurse):
3307         * runtime/VMEntryScope.cpp:
3308         (JSC::VMEntryScope::VMEntryScope):
3309         * runtime/VMInlines.h:
3310         (JSC::VM::ensureStackCapacityFor):
3311         * runtime/VMTraps.cpp:
3312         * yarr/YarrPattern.cpp:
3313         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3314
3315 2017-07-05  Keith Miller  <keith_miller@apple.com>
3316
3317         Crashing with information should have an abort reason
3318         https://bugs.webkit.org/show_bug.cgi?id=174185
3319
3320         Reviewed by Saam Barati.
3321
3322         Add crash information for the abstract interpreter and add an enum
3323         value for object allocation sinking.
3324
3325         * assembler/AbortReason.h:
3326         * dfg/DFGAbstractInterpreterInlines.h:
3327         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3328         * dfg/DFGGraph.cpp:
3329         (JSC::DFG::logDFGAssertionFailure):
3330         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3331
3332 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3333
3334         Remove copy of ICU headers from WebKit
3335         https://bugs.webkit.org/show_bug.cgi?id=116407
3336
3337         Reviewed by Alex Christensen.
3338
3339         Use WTF's copy of ICU headers.
3340
3341         * Configurations/Base.xcconfig:
3342         * icu/unicode/localpointer.h: Removed.
3343         * icu/unicode/parseerr.h: Removed.
3344         * icu/unicode/platform.h: Removed.
3345         * icu/unicode/ptypes.h: Removed.
3346         * icu/unicode/putil.h: Removed.
3347         * icu/unicode/uchar.h: Removed.
3348         * icu/unicode/ucnv.h: Removed.
3349         * icu/unicode/ucnv_err.h: Removed.
3350         * icu/unicode/ucol.h: Removed.
3351         * icu/unicode/uconfig.h: Removed.
3352         * icu/unicode/ucurr.h: Removed.
3353         * icu/unicode/uenum.h: Removed.
3354         * icu/unicode/uiter.h: Removed.
3355         * icu/unicode/uloc.h: Removed.
3356         * icu/unicode/umachine.h: Removed.
3357         * icu/unicode/unorm.h: Removed.
3358         * icu/unicode/unorm2.h: Removed.
3359         * icu/unicode/urename.h: Removed.
3360         * icu/unicode/uscript.h: Removed.
3361         * icu/unicode/uset.h: Removed.
3362         * icu/unicode/ustring.h: Removed.
3363         * icu/unicode/utf.h: Removed.
3364         * icu/unicode/utf16.h: Removed.
3365         * icu/unicode/utf8.h: Removed.
3366         * icu/unicode/utf_old.h: Removed.
3367         * icu/unicode/utypes.h: Removed.
3368         * icu/unicode/uvernum.h: Removed.
3369         * icu/unicode/uversion.h: Removed.
3370         * runtime/IntlCollator.cpp:
3371         * runtime/IntlDateTimeFormat.cpp:
3372         (JSC::IntlDateTimeFormat::partTypeString):
3373         * runtime/JSGlobalObject.cpp:
3374         * runtime/StringPrototype.cpp:
3375         (JSC::normalize):
3376         (JSC::stringProtoFuncNormalize):
3377
3378 2017-07-05  Devin Rousso  <drousso@apple.com>
3379
3380         Web Inspector: Allow users to log any tracked canvas context
3381         https://bugs.webkit.org/show_bug.cgi?id=173397
3382         <rdar://problem/33111581>
3383
3384         Reviewed by Joseph Pecoraro.
3385
3386         * inspector/protocol/Canvas.json:
3387         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
3388
3389 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
3390
3391         Add WebKitPrivateFrameworkStubs for iOS 11
3392         https://bugs.webkit.org/show_bug.cgi?id=173988
3393
3394