Unreviewed, fix cloop build.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-22  Keith Miller  <keith_miller@apple.com>

        Unreviewed, fix cloop build.

        * JavaScriptCore.xcodeproj/project.pbxproj:

2017-08-22  Per Arne Vollan  <pvollan@apple.com>

        [Win][Release] Crash when running testmasm executable.
        https://bugs.webkit.org/show_bug.cgi?id=175772

        Reviewed by Mark Lam.

        We need to save and restore the modified registers in case one or more registers are callee saved
        on the relevant platforms.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-21  Mark Lam  <mark.lam@apple.com>

        Change probe code to use static_assert instead of COMPILE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=175762

        Reviewed by JF Bastien.

        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Make generate_offset_extractor.rb architectures argument more robust
        https://bugs.webkit.org/show_bug.cgi?id=175809

        Reviewed by Joseph Pecoraro.

        It turns out that some of our builders pass their architectures as
        space separated lists.  I decided to just make the splitting of
        our list robust to any reasonable combination of spaces and
        commas.

        * offlineasm/generate_offset_extractor.rb:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
        https://bugs.webkit.org/show_bug.cgi?id=175690

        Reviewed by Michael Saboff.

        This should reduce some of the time we spend building offline asm
        in our builds (except for linux since they already did this).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * offlineasm/backends.rb:
        * offlineasm/generate_offset_extractor.rb:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Not reviewed.

        Make these files dependent on ENABLE(MASM_PROBE).

        * assembler/ProbeContext.cpp:
        * assembler/ProbeContext.h:
        * assembler/ProbeStack.cpp:
        * assembler/ProbeStack.h:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Reviewed by JF Bastien.

        With this patch, the clients of the MacroAssembler::probe() can now change
        stack values without having to worry about whether there is enough room in the
        current stack frame for it or not.  This is done using the Probe::Context's stack
        member like so:

            jit.probe([] (Probe::Context& context) {
                auto cpu = context.cpu;
                auto stack = context.stack();
                uintptr_t* currentSP = cpu.sp<uintptr_t*>();

                // Get a value at the current stack pointer location.
                auto value = stack.get<uintptr_t>(currentSP);

                // Set a value above the current stack pointer (within current frame).
                stack.set<uintptr_t>(currentSP + 10, value);

                // Set a value below the current stack pointer (out of current frame).
                stack.set<uintptr_t>(currentSP - 10, value);

                // Set the new stack pointer.
                cpu.sp() = currentSP - 20;
            });

        What happens behind the scene:

        1. the generated JIT probe code will now call Probe::executeProbe(), and
           Probe::executeProbe() will in turn call the client's probe function.

           Probe::executeProbe() receives the Probe::State on the machine stack passed
           to it by the probe trampoline.  Probe::executeProbe() will instantiate a
           Probe::Context to be passed to the client's probe function.  The client will
           no longer see the Probe::State directly.

        2. The Probe::Context comes with a Probe::Stack which serves as a manager of
           stack pages.  Currently, each page is 1K in size.
           Probe::Context::stack() returns a reference to an instance of Probe::Stack.

        3. Invoking get() or set() on Probe::Stack with an address will lead to the
           following:

           a. the address will be decoded to a baseAddress that points to the 1K page
              that contains that address.

           b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
              If so, go to step (f).  Else, continue with step (c).

           c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
              for that specified baseAddress to this mirror page.

           d. the mirror page will be added to the ProbeStack's m_pages HashMap,
              keyed on the baseAddress.

           e. the ProbeStack will also cache the last baseAddress and its corresponding
              mirror page in use.  With memory accesses tending to be localized, this
              will save us from having to look up the page in the HashMap.

           f. get() will map the requested address to a physical address in the mirror
              page, and return the value at that location.

           g. set() will map the requested address to a physical address in the mirror
              page, and set the value at that location in the mirror page.

              set() will also set a dirty bit corresponding to the "cache line" that
              was modified in the mirror page.

        4. When the client's probe function returns, Probe::executeProbe() will check if
           there are stack changes that need to be applied.  If stack changes are needed:

           a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
              space is available to flush the dirty stack pages.  It will also register a
              flushStackDirtyPages callback function in the Probe::State.  Thereafter,
              Probe::executeProbe() returns to the probe trampoline.

           b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
              a safe place if needed, and then calls the flushStackDirtyPages callback
              if needed.

           c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
              HashMap and flushes all dirty "cache lines" to the machine stack.
              Thereafter, flushStackDirtyPages() returns to the probe trampoline.

           d. lastly, the probe trampoline will restore all register values and return
              to the pc set in the Probe::State.

        To make this patch work, I also had to do the following work:

        5. Refactor MacroAssembler::CPUState into Probe::CPUState.
           Mainly, this means moving the code over to ProbeContext.h.
           I also added some convenience accessor methods for spr registers.

           Moved Probe::Context over to its own file ProbeContext.h/cpp.

        6. Fix all probe trampolines to pass the address of Probe::executeProbe in
           addition to the client's probe function and arg.

           I also took this opportunity to optimize the generated JIT probe code to
           minimize the amount of memory stores needed.

        7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
           either lr or pc (or neither), but not both in the same probe invocation.
           The ARM64 probe trampoline used to have to check for this invariant in the
           assembly trampoline code.  With the introduction of Probe::executeProbe(),
           we can now do it there and simplify the trampoline.

        8. Fix a bug in the old ARM64 probe trampoline for the case where the client
           changes lr.  That code path never worked before, but has now been fixed.

        9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
           MacroAssemblerARMv7.

           We can now use move() with TrustedImmPtr, and it does the same thing but in a
           more generic way.

       10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
           the same semantics as movs (according to the Thumb spec).  This means these
           instructions may trash the APSR flags before we have a chance to preserve them.

           This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
           early on.  This entails adding support for the mrs instruction in the
           ARMv7Assembler.

       11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
           the easy way.

           Also fixed testmasm tests which check flag registers to only compare the
           portions that are modifiable by the client i.e. some masking is applied.

        This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::mrs):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName): Deleted.
        (JSC::MacroAssembler::CPUState::sprName): Deleted.
        (JSC::MacroAssembler::CPUState::fprName): Deleted.
        (JSC::MacroAssembler::CPUState::gpr): Deleted.
        (JSC::MacroAssembler::CPUState::spr): Deleted.
        (JSC::MacroAssembler::CPUState::fpr): Deleted.
        (JSC:: const): Deleted.
        (JSC::MacroAssembler::CPUState::fpr const): Deleted.
        (JSC::MacroAssembler::CPUState::pc): Deleted.
        (JSC::MacroAssembler::CPUState::fp): Deleted.
        (JSC::MacroAssembler::CPUState::sp): Deleted.
        (JSC::MacroAssembler::CPUState::pc const): Deleted.
        (JSC::MacroAssembler::CPUState::fp const): Deleted.
        (JSC::MacroAssembler::CPUState::sp const): Deleted.
        (JSC::Probe::State::gpr): Deleted.
        (JSC::Probe::State::spr): Deleted.
        (JSC::Probe::State::fpr): Deleted.
        (JSC::Probe::State::gprName): Deleted.
        (JSC::Probe::State::sprName): Deleted.
        (JSC::Probe::State::fprName): Deleted.
        (JSC::Probe::State::pc): Deleted.
        (JSC::Probe::State::fp): Deleted.
        (JSC::Probe::State::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::arm64ProbeError): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::armV7Condition):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::ctiMasmProbeTrampoline):
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/ProbeContext.cpp: Added.
        (JSC::Probe::executeProbe):
        (JSC::Probe::handleProbeStackInitialization):
        (JSC::Probe::probeStateForContext):
        * assembler/ProbeContext.h: Added.
        (JSC::Probe::CPUState::gprName):
        (JSC::Probe::CPUState::sprName):
        (JSC::Probe::CPUState::fprName):
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::CPUState::fpr):
        (JSC::Probe:: const):
        (JSC::Probe::CPUState::fpr const):
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        (JSC::Probe::CPUState::pc const):
        (JSC::Probe::CPUState::fp const):
        (JSC::Probe::CPUState::sp const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::Context::stack):
        (JSC::Probe::Context::hasWritesToFlush):
        (JSC::Probe::Context::releaseStack):
        * assembler/ProbeStack.cpp: Added.
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::hasWritesToFlush):
        (JSC::Probe::Stack::flushWrites):
        (JSC::Probe::Stack::ensurePageFor):
        * assembler/ProbeStack.h: Added.
        (JSC::Probe::Page::baseAddressFor):
        (JSC::Probe::Page::chunkAddressFor):
        (JSC::Probe::Page::baseAddress):
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::hasWritesToFlush const):
        (JSC::Probe::Page::flushWritesIfNeeded):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::newStackPointer const):
        (JSC::Probe::Stack::setNewStackPointer):
        (JSC::Probe::Stack::isValid):
        (JSC::Probe::Stack::pageFor):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::run):
        (): Deleted.
        (JSC::fillStack): Deleted.
        (JSC::testProbeModifiesStackWithCallback): Deleted.

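A stand-alone model of the mirror-page cache from steps 3 and 4 of the entry above, added here as an example; it is not JSC's ProbeStack code. The 1K page size is the entry's; the per-word dirty-bit granularity, the names Page, Stack and runDemo, and the 4-page machineStack buffer the demo replays the entry's probe body against are this example's own assumptions.

```cpp
// Added example, not JSC code: a model of the Probe::Stack mirror-page cache from this entry.
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>

namespace ProbeModel {
constexpr size_t pageSize = 1024;               // 1K pages, as in the entry
constexpr size_t chunkSize = sizeof(uintptr_t); // assumption: one dirty bit per word-sized "cache line"
constexpr size_t chunksPerPage = pageSize / chunkSize;

// Mirror of one 1K page of the machine stack (steps 3a-3d, 3f, 3g).
struct Page {
    uintptr_t base;                 // baseAddress of the mirrored machine-stack page
    uint8_t mirror[pageSize];       // all get()/set() operate on this copy
    bool dirty[chunksPerPage] = {}; // chunks that set() touched
    explicit Page(uintptr_t baseAddress) : base(baseAddress) { std::memcpy(mirror, reinterpret_cast<const void*>(base), pageSize); } // step 3c
    static uintptr_t baseAddressFor(uintptr_t address) { return address & ~uintptr_t(pageSize - 1); }
    void* physicalAddressFor(uintptr_t address) { return mirror + (address - base); }
    // Accesses are assumed word-aligned, so a value never straddles two chunks.
    template<typename T> T get(uintptr_t address) { T value; std::memcpy(&value, physicalAddressFor(address), sizeof(T)); return value; }
    template<typename T> void set(uintptr_t address, T value)
    {
        std::memcpy(physicalAddressFor(address), &value, sizeof(T));
        dirty[(address - base) / chunkSize] = true; // step 3g: mark the cache line dirty
    }
    size_t flushWrites() // step 4c: copy only the dirty chunks back to the machine stack
    {
        size_t flushed = 0;
        for (size_t i = 0; i < chunksPerPage; ++i) {
            if (!dirty[i]) continue;
            std::memcpy(reinterpret_cast<void*>(base + i * chunkSize), mirror + i * chunkSize, chunkSize);
            dirty[i] = false;
            ++flushed;
        }
        return flushed;
    }
};

// Manager of mirror pages (steps 3b, 3d, 3e) plus the low-water mark that step 4a needs.
class Stack {
public:
    template<typename T> T get(uintptr_t address) { return pageFor(address).get<T>(address); }
    template<typename T> void set(uintptr_t address, T value)
    {
        if (address < m_lowWatermark) m_lowWatermark = address; // sp must end up at or below this before the flush
        pageFor(address).set<T>(address, value);
    }
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (auto& entry : m_pages) flushed += entry.second->flushWrites();
        return flushed;
    }
    size_t pageCount() const { return m_pages.size(); }
    uintptr_t lowWatermark() const { return m_lowWatermark; }
private:
    Page& pageFor(uintptr_t address)
    {
        uintptr_t base = Page::baseAddressFor(address);
        if (m_lastPage && m_lastPage->base == base) return *m_lastPage; // step 3e: skip the HashMap
        auto it = m_pages.find(base); // step 3b
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::unique_ptr<Page>(new Page(base))).first; // steps 3c, 3d
        m_lastPage = it->second.get();
        return *m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage = nullptr;
    uintptr_t m_lowWatermark = UINTPTR_MAX;
};

struct DemoResult {
    size_t pagesMirrored;         // pages the probe touched
    uintptr_t belowSPBeforeFlush; // machine word at sp - 10 while the probe body runs
    uintptr_t belowSPAfterFlush;  // the same word after the flush
    size_t chunksFlushed;
    bool lowWatermarkBelowSP;
};

// Replays the probe body from this entry against a constructed 4-page machine stack.
DemoResult runDemo()
{
    alignas(pageSize) static uint8_t machineStack[4 * pageSize];
    std::memset(machineStack, 0, sizeof(machineStack));
    uintptr_t* currentSP = reinterpret_cast<uintptr_t*>(machineStack + 2 * pageSize); // constructed sp
    *currentSP = 0x1234;
    Stack stack;
    auto value = stack.get<uintptr_t>(reinterpret_cast<uintptr_t>(currentSP));
    stack.set<uintptr_t>(reinterpret_cast<uintptr_t>(currentSP + 10), value); // within the frame, same page
    stack.set<uintptr_t>(reinterpret_cast<uintptr_t>(currentSP - 10), value); // below sp, previous page
    DemoResult r;
    r.pagesMirrored = stack.pageCount();
    r.belowSPBeforeFlush = *(currentSP - 10); // still 0: writes sit in the mirror until flushed
    r.lowWatermarkBelowSP = stack.lowWatermark() < reinterpret_cast<uintptr_t>(currentSP);
    r.chunksFlushed = stack.flushWrites();
    r.belowSPAfterFlush = *(currentSP - 10);
    return r;
}
} // namespace ProbeModel
```
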
2017-08-19  Andy Estes  <aestes@apple.com>

        [Payment Request] Add interface stubs
        https://bugs.webkit.org/show_bug.cgi?id=175730

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-08-18  Per Arne Vollan  <pvollan@apple.com>

        Implement 32-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175449

        Reviewed by Mark Lam.

        This is needed to enable the DFG.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        (dllLauncherEntryPoint):
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2017-08-18  Mark Lam  <mark.lam@apple.com>

        Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
        https://bugs.webkit.org/show_bug.cgi?id=175725
        <rdar://problem/33965477>

        Rubber-stamped by JF Bastien.

        This is purely a refactoring patch (in preparation for the introduction of a
        Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
        later).  This patch does not change any semantics / behavior.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr): Deleted.
        (JSC::ProbeContext::spr): Deleted.
        (JSC::ProbeContext::fpr): Deleted.
        (JSC::ProbeContext::gprName): Deleted.
        (JSC::ProbeContext::sprName): Deleted.
        (JSC::ProbeContext::fprName): Deleted.
        (JSC::ProbeContext::pc): Deleted.
        (JSC::ProbeContext::fp): Deleted.
        (JSC::ProbeContext::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeError):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):
        (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.

2017-08-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
        https://bugs.webkit.org/show_bug.cgi?id=175693
        <rdar://problem/33952443>

        Reviewed by Saam Barati.

        64-bit constants in an unreachable context were being decoded as
        32-bit constants. This is pretty benign because unreachable code
        shouldn't occur often. The effect is that 64-bit constants which
        can't be encoded as 32-bit constants would cause the binary to be
        rejected.

        At the same time, 32-bit integer constants should be decoded as signed.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

2017-08-17  Robin Morisset  <rmorisset@apple.com>

        Teach DFGFixupPhase.cpp that the current scope is always a cell
        https://bugs.webkit.org/show_bug.cgi?id=175610

        Reviewed by Keith Miller.

        Also teach it that the argument to with can usually be speculated to be an object,
        since toObject() is called on it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
        https://bugs.webkit.org/show_bug.cgi?id=175644

        Reviewed by Brian Burg.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Only use 16 VFP registers if !CPU(ARM_NEON).
        https://bugs.webkit.org/show_bug.cgi?id=175514

        Reviewed by JF Bastien.

        Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
        says that there are only 16 128-bit NEON registers.  This change is merely to
        correct the code documentation of these registers.  The FPQuadRegisterID are
        currently unused.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::lastFPRegister):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastFPRegister):
        (JSC::ARMv7Assembler::fprName):
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARMv7.cpp:

2017-08-17  Andreas Kling  <akling@apple.com>

        Disable CSS regions at compile time
        https://bugs.webkit.org/show_bug.cgi?id=175630

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>

        [WPE][GTK] Ensure proper casting of data in gvariants
        https://bugs.webkit.org/show_bug.cgi?id=175667

        Reviewed by Michael Catanzaro.

        g_variant_new requires data to have the correct width for their types, using
        casting if necessary. Some data of type `unsigned` were being saved to `guint64`
        types without explicit casting, leading to undefined behavior in some platforms.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        (Inspector::RemoteInspector::listingForAutomationTarget const):
        (Inspector::RemoteInspector::sendMessageToRemote):

2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid code bloating for iteration if block does not have "break"
        https://bugs.webkit.org/show_bug.cgi?id=173228

        Reviewed by Keith Miller.

        Currently, we always emit code for breaked path when emitting for-of iteration.
        But we can know that this breaked path can be used when emitting the bytecode.

        This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
        the break label may be bound. We emit a breaked path only when it returns
        true. This reduces bytecode bloating when using for-of iteration.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        (JSC::BytecodeGenerator::emitLabel):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC::Label::bind const):
        (JSC::Label::hasOneRef const):
        (JSC::Label::isBound const):
        (JSC::Label::Label): Deleted.
        * bytecompiler/LabelScope.h:
        (JSC::LabelScope::hasOneRef const):
        (JSC::LabelScope::breakTargetMayBeBound const):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>

        ARM build fix after r220807 and r220834.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Unreviewed typo fix.

        * assembler/MacroAssemblerARM.cpp:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for ARM_TRADITIONAL after r220807.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Not reviewed.

        * assembler/MacroAssemblerARM.cpp:

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Add back the ability to disable MASM_PROBE from the build.
        https://bugs.webkit.org/show_bug.cgi?id=175656
        <rdar://problem/33933720>

        Reviewed by Yusuke Suzuki.

        This is needed for ports that the existing MASM_PROBE implementation doesn't work
        well with e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
        default if !ENABLE(MASM_PROBE).

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-16  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Older-iOS install name symbols are being exported on other platforms
        https://bugs.webkit.org/show_bug.cgi?id=175654

        Reviewed by Tim Horton.

        * API/JSBase.cpp: Define the symbols only when targeting iOS.

2017-08-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
        https://bugs.webkit.org/show_bug.cgi?id=175617
        <rdar://problem/33912104>

        Reviewed by JF Bastien.

        This patch adds a new feature to MacroAssembler::probe() where the probe function
        can provide a ProbeFunction callback to fill in stack values after the stack
        pointer has been adjusted.  The probe function can use this feature as follows:

        1. Set the new sp value in the ProbeContext's CPUState.

        2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
           which will do the work of filling in the stack values after the probe
           trampoline has adjusted the machine stack pointer.

        3. Set the ProbeContext's initializeStackArgs to any value that the client wants
           to pass to the initializeStackFunction callback.

        4. Return from the probe function.

        Upon returning from the probe function, the probe trampoline will adjust the
        stack pointer based on the sp value in CPUState.  If initializeStackFunction
        is not set, the probe trampoline will restore registers and return to its caller.

        If initializeStackFunction is set, the trampoline will move the ProbeContext
        beyond the range of the stack pointer i.e. it will place the new ProbeContext at
        an address lower than where CPUState.sp() points.  This ensures that the
        ProbeContext will not be trashed by the initializeStackFunction when it writes to
        the stack.  Then, the trampoline will call back to the initializeStackFunction
        ProbeFunction to let it fill in the stack values as desired.  The
        initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
        the new location.

        initializeStackFunction may now write to the stack at addresses greater or
        equal to CPUState.sp(), but not below that.  initializeStackFunction is also
        not allowed to change CPUState.sp().  If the initializeStackFunction does not
        abide by these rules, then behavior is undefined, and bad things may happen.

        For future reference, some implementation details that this patch needed to
        be mindful of:

        1. When the probe trampoline allocates stack space for the ProbeContext, it
           should include OUT_SIZE as well.  This ensures that it doesn't have to move
           the ProbeContext on exit if the probe function didn't change the sp.

        2. If the trampoline has to move the ProbeContext, it needs to point the machine
           sp to new ProbeContext first before copying over the ProbeContext data.  This
           protects the new ProbeContext from possibly being trashed by interrupts.

        3. When computing the new address of ProbeContext to move to, we need to make
           sure that it is properly aligned in accordance with stack ABI requirements
           (just like we did when we allocated the ProbeContext on entry to the
           probe trampoline).

        4. When copying the ProbeContext to its new location, the trampoline should
           always copy words from low addresses to high addresses.  This is because if
           we're moving the ProbeContext, we'll always be moving it to a lower address.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):

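The trampoline exit path the entry above describes (adjust sp, relocate the ProbeContext below the new sp, call initializeStackFunction), modelled as an added example; it is not WebKit's trampoline code. ProbeContext here is a cut-down stand-in of this example's own, and the 16-byte alignment, the 512-byte machineStack buffer and the layout chosen in runDemo (the relocated copy overlapping the original, the case note 4 is about) are assumptions.

```cpp
// Added example, not JSC code: a model of the probe trampoline's exit path from this entry.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>

namespace TrampolineModel {
constexpr uintptr_t stackAlignment = 16; // assumption: ABI alignment the relocated context must keep (note 3)

struct ProbeContext;
typedef void (*ProbeFunction)(ProbeContext*);

// Cut-down stand-in for ProbeContext: sp from CPUState plus the two fields this entry adds.
struct ProbeContext {
    uintptr_t sp;      // CPUState.sp(): the probe function may lower it
    uintptr_t gprs[4]; // stand-in for the saved register state
    ProbeFunction initializeStackFunction;
    void* initializeStackArgs;
};

// Notes 2-4: pick the aligned slot just below the new sp, point the machine sp at it
// before touching it, then copy from low to high addresses. Because sp may only be
// lowered, the new slot never lies above the old one, so a forward copy never
// overwrites a byte it has yet to read even when the two ranges overlap.
ProbeContext* moveContextBelowSP(ProbeContext* context, uintptr_t& machineSP)
{
    uintptr_t destination = (context->sp - sizeof(ProbeContext)) & ~(stackAlignment - 1);
    machineSP = destination; // note 2: an interrupt arriving now cannot trash the new slot
    const unsigned char* src = reinterpret_cast<const unsigned char*>(context);
    unsigned char* dst = reinterpret_cast<unsigned char*>(destination);
    for (size_t i = 0; i < sizeof(ProbeContext); ++i)
        dst[i] = src[i];
    return reinterpret_cast<ProbeContext*>(dst);
}

// What the trampoline does once the probe function returns. Returns the context that
// initializeStackFunction was handed (the original one if no callback was set).
ProbeContext* trampolineExit(ProbeContext* context, uintptr_t& machineSP)
{
    machineSP = context->sp; // sp is adjusted from CPUState.sp() in every case
    if (!context->initializeStackFunction)
        return context;      // no callback: restore registers and return to the caller
    ProbeContext* moved = moveContextBelowSP(context, machineSP);
    moved->initializeStackFunction(moved); // may write at addresses >= moved->sp only
    machineSP = moved->sp;                 // the callback is not allowed to change sp
    return moved;
}

// Constructed client callback: fills four words starting at the new sp, never below it.
static void fillStack(ProbeContext* context)
{
    uintptr_t pattern = *static_cast<uintptr_t*>(context->initializeStackArgs);
    uintptr_t* slot = reinterpret_cast<uintptr_t*>(context->sp);
    for (size_t i = 0; i < 4; ++i)
        slot[i] = pattern + i;
}

struct DemoResult {
    bool movedEntirelyBelowSP; // relocated context sits wholly below the final sp
    bool movedIsAligned;
    bool registersSurvived;    // the overlapping copy preserved the saved state
    uintptr_t firstFilledWord;
    uintptr_t lastFilledWord;
};

DemoResult runDemo()
{
    alignas(stackAlignment) static unsigned char machineStack[512];
    std::memset(machineStack, 0, sizeof(machineStack));
    // Constructed layout: the context was pushed at +256 (below the pre-probe sp) and the
    // probe sets sp to 16 bytes above it, so the relocated copy overlaps the original.
    ProbeContext* context = new (machineStack + 256) ProbeContext();
    for (size_t i = 0; i < 4; ++i)
        context->gprs[i] = 0x1000 + i;
    uintptr_t pattern = 0xA0;
    context->sp = reinterpret_cast<uintptr_t>(context) + 16;
    context->initializeStackFunction = fillStack;
    context->initializeStackArgs = &pattern;
    uintptr_t machineSP = reinterpret_cast<uintptr_t>(context) + sizeof(ProbeContext) + 16; // pre-probe sp

    ProbeContext* moved = trampolineExit(context, machineSP);
    uintptr_t movedAddress = reinterpret_cast<uintptr_t>(moved);
    DemoResult r;
    r.movedEntirelyBelowSP = movedAddress + sizeof(ProbeContext) <= moved->sp && moved->sp == machineSP;
    r.movedIsAligned = (movedAddress % stackAlignment) == 0;
    r.registersSurvived = true;
    for (size_t i = 0; i < 4; ++i)
        r.registersSurvived = r.registersSurvived && moved->gprs[i] == 0x1000 + i;
    const uintptr_t* filled = reinterpret_cast<const uintptr_t*>(moved->sp);
    r.firstFilledWord = filled[0];
    r.lastFilledWord = filled[3];
    return r;
}
} // namespace TrampolineModel
```
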
688         (JSC::run):
689
690 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
691
692         Fix JSCOnly ARM buildbots after r220047 and r220184
693         https://bugs.webkit.org/show_bug.cgi?id=174993
694
695         Reviewed by Carlos Alberto Lopez Perez.
696
697         * CMakeLists.txt: Generate only one backend on Linux to save build time.
698
699 2017-08-16  Andy Estes  <aestes@apple.com>
700
701         [Payment Request] Add an ENABLE flag and an experimental feature preference
702         https://bugs.webkit.org/show_bug.cgi?id=175622
703
704         Reviewed by Tim Horton.
705
706         * Configurations/FeatureDefines.xcconfig:
707
708 2017-08-15  Robin Morisset  <rmorisset@apple.com>
709
710         We are too conservative about the effects of PushWithScope
711         https://bugs.webkit.org/show_bug.cgi?id=175584
712
713         Reviewed by Saam Barati.
714
715         PushWithScope converts its argument to an object (this can throw a type error,
716         but has no other observable effect), and allocates a new scope that it then
717         makes the new current scope. We were a bit too conservative in saying that it
718         clobbers the world.
719
720         * dfg/DFGAbstractInterpreterInlines.h:
721         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
722         * dfg/DFGClobberize.h:
723         (JSC::DFG::clobberize):
724         * dfg/DFGDoesGC.cpp:
725         (JSC::DFG::doesGC):
726
727 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
728
729         Make DataTransferItemList work with plain text entries
730         https://bugs.webkit.org/show_bug.cgi?id=175596
731
732         Reviewed by Wenson Hsieh.
733
734         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
735
736         * runtime/CommonIdentifiers.h:
737
738 2017-08-15  Robin Morisset  <rmorisset@apple.com>
739
740         Support the 'with' keyword in FTL
741         https://bugs.webkit.org/show_bug.cgi?id=175585
742
743         Reviewed by Saam Barati.
744
745         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
746         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
747         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
748         that takes its parentScope argument first.
749
750         * bytecompiler/BytecodeGenerator.cpp:
751         (JSC::BytecodeGenerator::emitPushWithScope):
752         * debugger/DebuggerCallFrame.cpp:
753         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
754         * dfg/DFGByteCodeParser.cpp:
755         (JSC::DFG::ByteCodeParser::parseBlock):
756         * dfg/DFGFixupPhase.cpp:
757         (JSC::DFG::FixupPhase::fixupNode):
758         * dfg/DFGSpeculativeJIT.cpp:
759         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
760         * ftl/FTLCapabilities.cpp:
761         (JSC::FTL::canCompile):
762         * ftl/FTLLowerDFGToB3.cpp:
763         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
764         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
765         * jit/JITOperations.cpp:
766         * runtime/CommonSlowPaths.cpp:
767         (JSC::SLOW_PATH_DECL):
768         * runtime/Completion.cpp:
769         (JSC::evaluateWithScopeExtension):
770         * runtime/JSWithScope.cpp:
771         (JSC::JSWithScope::create):
772         * runtime/JSWithScope.h:
773
774 2017-08-15  Saam Barati  <sbarati@apple.com>
775
776         Make VM::scratchBufferForSize thread safe
777         https://bugs.webkit.org/show_bug.cgi?id=175604
778
779         Reviewed by Geoffrey Garen and Mark Lam.
780
781         I want to use the VM::scratchBufferForSize in another patch I'm writing.
782         The use case for my other patch is to call it from the compiler thread.
783         When reading the code, I saw that this API was not thread safe. This patch
784         makes it thread safe. It actually turns out we were calling this API from
785         the compiler thread already when we created FTL::State for an FTL OSR entry
786         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
787         is now correct with this patch.
788
789         * runtime/VM.cpp:
790         (JSC::VM::VM):
791         (JSC::VM::~VM):
792         (JSC::VM::gatherConservativeRoots):
793         (JSC::VM::scratchBufferForSize):
794         * runtime/VM.h:
795         (JSC::VM::scratchBufferForSize): Deleted.
796
797 2017-08-15  Keith Miller  <keith_miller@apple.com>
798
799         JSC named bytecode offsets should use references rather than pointers
800         https://bugs.webkit.org/show_bug.cgi?id=175601
801
802         Reviewed by Saam Barati.
803
804         * dfg/DFGByteCodeParser.cpp:
805         (JSC::DFG::ByteCodeParser::parseBlock):
806         * jit/JITOpcodes.cpp:
807         (JSC::JIT::emit_op_overrides_has_instance):
808         (JSC::JIT::emit_op_instanceof):
809         (JSC::JIT::emitSlow_op_instanceof):
810         (JSC::JIT::emitSlow_op_instanceof_custom):
811         * jit/JITOpcodes32_64.cpp:
812         (JSC::JIT::emit_op_overrides_has_instance):
813         (JSC::JIT::emit_op_instanceof):
814         (JSC::JIT::emitSlow_op_instanceof):
815         (JSC::JIT::emitSlow_op_instanceof_custom):
816
817 2017-08-15  Keith Miller  <keith_miller@apple.com>
818
819         Enable named offsets into JSC bytecodes
820         https://bugs.webkit.org/show_bug.cgi?id=175561
821
822         Reviewed by Mark Lam.
823
824         This patch adds the ability to add named offsets into JSC's
825         bytecodes.  In the bytecode json file, instead of listing a
826         length, you can now list a set of names and their types. Each
827         opcode with an offsets property will have a struct named after the
828         opcode in our C++ naming style. For example,
829         op_overrides_has_instance would become OpOverridesHasInstance. The
830         struct has the same memory layout as the instruction list has but
831         comes with handy named accessors.
832
833         As a first cut I converted the various instanceof bytecodes to use
834         named offsets.
835
836         As an example op_overrides_has_instance produces the following struct:
837
838         struct OpOverridesHasInstance {
839         public:
840             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
841             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
842             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
843             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
844             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
845             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
846             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
847             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
848
849         private:
850             friend class LLIntOffsetsExtractor;
851             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
852             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
853             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
854             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
855         };
856
857         * CMakeLists.txt:
858         * DerivedSources.make:
859         * JavaScriptCore.xcodeproj/project.pbxproj:
860         * bytecode/BytecodeList.json:
861         * dfg/DFGByteCodeParser.cpp:
862         (JSC::DFG::ByteCodeParser::parseBlock):
863         * generate-bytecode-files:
864         * jit/JITOpcodes.cpp:
865         (JSC::JIT::emit_op_overrides_has_instance):
866         (JSC::JIT::emit_op_instanceof):
867         (JSC::JIT::emitSlow_op_instanceof):
868         (JSC::JIT::emitSlow_op_instanceof_custom):
869         * jit/JITOpcodes32_64.cpp:
870         (JSC::JIT::emit_op_overrides_has_instance):
871         (JSC::JIT::emit_op_instanceof):
872         (JSC::JIT::emitSlow_op_instanceof):
873         (JSC::JIT::emitSlow_op_instanceof_custom):
874         * llint/LLIntOffsetsExtractor.cpp:
875         * llint/LowLevelInterpreter.asm:
876         * llint/LowLevelInterpreter32_64.asm:
877         * llint/LowLevelInterpreter64.asm:
878
879 2017-08-15  Mark Lam  <mark.lam@apple.com>
880
881         Update testmasm to use new CPUState APIs.
882         https://bugs.webkit.org/show_bug.cgi?id=175573
883
884         Reviewed by Keith Miller.
885
886         1. Applied convenience CPUState accessors to minimize casting.
887         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
888            messages.
889         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
890            casting is (mostly) no longer an issue.
891         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
892            to make it clear that we're comparing against the bit values of testWord64(id).
893         5. Added a "Completed N tests" message at the end of running all tests.
894            This makes it easy to tell at a glance that testmasm completed successfully
895            versus when it crashed midway in a test.  The number of tests also serves as
896            a quick checksum to confirm that we ran the number of tests we expected.
897
898         * assembler/testmasm.cpp:
899         (WTF::printInternal):
900         (JSC::testSimple):
901         (JSC::testProbeReadsArgumentRegisters):
902         (JSC::testProbeWritesArgumentRegisters):
903         (JSC::testProbePreservesGPRS):
904         (JSC::testProbeModifiesStackPointer):
905         (JSC::testProbeModifiesProgramCounter):
906         (JSC::run):
907
908 2017-08-14  Keith Miller  <keith_miller@apple.com>
909
910         Add testing tool to lie to the DFG about profiles
911         https://bugs.webkit.org/show_bug.cgi?id=175487
912
913         Reviewed by Saam Barati.
914
915         This patch adds a new bytecode identity_with_profile that lets
916         us lie to the DFG about what profiles it has seen as the input to
917         another bytecode. Previously, there was no reliable way to force
918         a given profile when we tier up.
919
920         * bytecode/BytecodeDumper.cpp:
921         (JSC::BytecodeDumper<Block>::dumpBytecode):
922         * bytecode/BytecodeIntrinsicRegistry.h:
923         * bytecode/BytecodeList.json:
924         * bytecode/BytecodeUseDef.h:
925         (JSC::computeUsesForBytecodeOffset):
926         (JSC::computeDefsForBytecodeOffset):
927         * bytecode/SpeculatedType.cpp:
928         (JSC::speculationFromString):
929         * bytecode/SpeculatedType.h:
930         * bytecompiler/BytecodeGenerator.cpp:
931         (JSC::BytecodeGenerator::emitIdWithProfile):
932         * bytecompiler/BytecodeGenerator.h:
933         * bytecompiler/NodesCodegen.cpp:
934         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
935         * dfg/DFGAbstractInterpreterInlines.h:
936         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
937         * dfg/DFGByteCodeParser.cpp:
938         (JSC::DFG::ByteCodeParser::parseBlock):
939         * dfg/DFGCapabilities.cpp:
940         (JSC::DFG::capabilityLevel):
941         * dfg/DFGClobberize.h:
942         (JSC::DFG::clobberize):
943         * dfg/DFGDoesGC.cpp:
944         (JSC::DFG::doesGC):
945         * dfg/DFGFixupPhase.cpp:
946         (JSC::DFG::FixupPhase::fixupNode):
947         * dfg/DFGMayExit.cpp:
948         * dfg/DFGNode.h:
949         (JSC::DFG::Node::getForcedPrediction):
950         * dfg/DFGNodeType.h:
951         * dfg/DFGPredictionPropagationPhase.cpp:
952         * dfg/DFGSafeToExecute.h:
953         (JSC::DFG::safeToExecute):
954         * dfg/DFGSpeculativeJIT32_64.cpp:
955         (JSC::DFG::SpeculativeJIT::compile):
956         * dfg/DFGSpeculativeJIT64.cpp:
957         (JSC::DFG::SpeculativeJIT::compile):
958         * dfg/DFGValidate.cpp:
959         * jit/JIT.cpp:
960         (JSC::JIT::privateCompileMainPass):
961         * jit/JIT.h:
962         * jit/JITOpcodes.cpp:
963         (JSC::JIT::emit_op_identity_with_profile):
964         * jit/JITOpcodes32_64.cpp:
965         (JSC::JIT::emit_op_identity_with_profile):
966         * llint/LowLevelInterpreter.asm:
967
968 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
969
970         Remove Proximity Events and related code
971         https://bugs.webkit.org/show_bug.cgi?id=175545
972
973         Reviewed by Daniel Bates.
974
975         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
976         and other related code.
977
978         * Configurations/FeatureDefines.xcconfig:
979
980 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
981
982         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
983         https://bugs.webkit.org/show_bug.cgi?id=175504
984
985         Reviewed by Sam Weinig.
986
987         * Configurations/FeatureDefines.xcconfig:
988
989 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
990
991         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
992         https://bugs.webkit.org/show_bug.cgi?id=175557
993
994         Reviewed by Jon Lee.
995
996         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
997
998         * Configurations/FeatureDefines.xcconfig:
999
1000 2017-08-14  Robin Morisset  <rmorisset@apple.com>
1001
1002         Support the 'with' keyword in DFG
1003         https://bugs.webkit.org/show_bug.cgi?id=175470
1004
1005         Reviewed by Saam Barati.
1006
1007         Not particularly optimized at the moment, the goal is just to avoid
1008         the DFG bailing out of any function with this keyword.
1009
1010         * dfg/DFGAbstractInterpreterInlines.h:
1011         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1012         * dfg/DFGByteCodeParser.cpp:
1013         (JSC::DFG::ByteCodeParser::parseBlock):
1014         * dfg/DFGCapabilities.cpp:
1015         (JSC::DFG::capabilityLevel):
1016         * dfg/DFGClobberize.h:
1017         (JSC::DFG::clobberize):
1018         * dfg/DFGDoesGC.cpp:
1019         (JSC::DFG::doesGC):
1020         * dfg/DFGFixupPhase.cpp:
1021         (JSC::DFG::FixupPhase::fixupNode):
1022         * dfg/DFGNodeType.h:
1023         * dfg/DFGPredictionPropagationPhase.cpp:
1024         * dfg/DFGSafeToExecute.h:
1025         (JSC::DFG::safeToExecute):
1026         * dfg/DFGSpeculativeJIT.cpp:
1027         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
1028         * dfg/DFGSpeculativeJIT.h:
1029         (JSC::DFG::SpeculativeJIT::callOperation):
1030         * dfg/DFGSpeculativeJIT32_64.cpp:
1031         (JSC::DFG::SpeculativeJIT::compile):
1032         * dfg/DFGSpeculativeJIT64.cpp:
1033         (JSC::DFG::SpeculativeJIT::compile):
1034         * jit/JITOperations.cpp:
1035         * jit/JITOperations.h:
1036
1037 2017-08-14  Mark Lam  <mark.lam@apple.com>
1038
1039         Add some convenience utility accessor methods to MacroAssembler::CPUState.
1040         https://bugs.webkit.org/show_bug.cgi?id=175549
1041         <rdar://problem/33884868>
1042
1043         Reviewed by Saam Barati.
1044
1045         Previously, in order to read ProbeContext CPUState registers, we used to need to
1046         do it this way:
1047
1048             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
1049             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
1050             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
1051             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
1052
1053         With this patch, we can now read them this way instead:
1054         
1055             ExecState* exec = cpu.fp<ExecState*>();
1056             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
1057             void* p = cpu.gpr<void*>(GPRInfo::regT1);
1058             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
1059
1060         * assembler/MacroAssembler.h:
1061         (JSC:: const):
1062         (JSC::MacroAssembler::CPUState::fpr const):
1063         (JSC::MacroAssembler::CPUState::pc const):
1064         (JSC::MacroAssembler::CPUState::fp const):
1065         (JSC::MacroAssembler::CPUState::sp const):
1066         (JSC::ProbeContext::pc):
1067         (JSC::ProbeContext::fp):
1068         (JSC::ProbeContext::sp):
1069
1070 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1071
1072         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1073         https://bugs.webkit.org/show_bug.cgi?id=174921
1074
1075         Reviewed by Mark Lam.
1076         
1077         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1078
1079         * dfg/DFGSpeculativeJIT.cpp:
1080         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1081         * ftl/FTLLowerDFGToB3.cpp:
1082         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1083         * jit/JITPropertyAccess.cpp:
1084         (JSC::JIT::emitScopedArgumentsGetByVal):
1085         * runtime/ScopedArgumentsTable.cpp:
1086         (JSC::ScopedArgumentsTable::create):
1087         (JSC::ScopedArgumentsTable::setLength):
1088         * runtime/ScopedArgumentsTable.h:
1089
1090 2017-08-14  Mark Lam  <mark.lam@apple.com>
1091
1092         Gardening: fix Windows build.
1093         https://bugs.webkit.org/show_bug.cgi?id=175446
1094
1095         Not reviewed.
1096
1097         * assembler/MacroAssemblerX86Common.cpp:
1098         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1099         (JSC::ctiMasmProbeTrampoline):
1100
1101 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1102
1103         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1104         https://bugs.webkit.org/show_bug.cgi?id=175512
1105         <rdar://problem/33863584>
1106
1107         Reviewed by Mark Lam.
1108
1109         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1110         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1111
1112 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1113
1114         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1115         https://bugs.webkit.org/show_bug.cgi?id=175513
1116
1117         Reviewed by Mark Lam.
1118
1119         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1120
1121 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1122
1123         FTL's compileGetTypedArrayByteOffset needs to do caging
1124         https://bugs.webkit.org/show_bug.cgi?id=175366
1125
1126         Reviewed by Saam Barati.
1127         
1128         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1129         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1130
1131         * dfg/DFGSpeculativeJIT.cpp:
1132         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1133         * ftl/FTLLowerDFGToB3.cpp:
1134         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1135         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1136         * runtime/ArrayBuffer.h:
1137         * runtime/ArrayBufferView.h:
1138         * runtime/JSArrayBufferView.h:
1139
1140 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1141
1142         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1143         https://bugs.webkit.org/show_bug.cgi?id=175474
1144         <rdar://problem/33844628>
1145
1146         Reviewed by Wenson Hsieh.
1147
1148         * Configurations/FeatureDefines.xcconfig:
1149         * runtime/CommonIdentifiers.h:
1150
1151 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1152
1153         Caging shouldn't have to use a patchpoint for adding
1154         https://bugs.webkit.org/show_bug.cgi?id=175483
1155
1156         Reviewed by Mark Lam.
1157
1158         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1159         constants and associative operations dictate that you always want to sink constants. For example,
1160         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1161         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1162         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1163         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1164         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1165         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1166         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1167         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1168         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1169         hacks for just stopping B3's reassociation only in this specific case.
1170         
1171         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1172         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1173         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1174         that if we cage the same pointer in two places, both places will compute the same value.
1175         
1176         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1177         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1178         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1179         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1180         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1181         enough scale to warrant new opcodes.)
1182         
1183         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1184         makes the code a bit less ugly.
1185
1186         * b3/B3LowerToAir.cpp:
1187         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1188         (JSC::B3::Air::LowerToAir::lower):
1189         * b3/B3Opcode.cpp:
1190         (WTF::printInternal):
1191         * b3/B3Opcode.h:
1192         * b3/B3ReduceStrength.cpp:
1193         * b3/B3Validate.cpp:
1194         * b3/B3Value.cpp:
1195         (JSC::B3::Value::effects const):
1196         (JSC::B3::Value::key const):
1197         (JSC::B3::Value::isFree const):
1198         (JSC::B3::Value::typeFor):
1199         * b3/B3Value.h:
1200         * b3/B3ValueKey.cpp:
1201         (JSC::B3::ValueKey::materialize const):
1202         * ftl/FTLLowerDFGToB3.cpp:
1203         (JSC::FTL::DFG::LowerDFGToB3::caged):
1204         * ftl/FTLOutput.cpp:
1205         (JSC::FTL::Output::opaque):
1206         * ftl/FTLOutput.h:
1207
1208 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1209
1210         ScopedArguments overflow storage needs to be in the JSValue gigacage
1211         https://bugs.webkit.org/show_bug.cgi?id=174923
1212
1213         Reviewed by Saam Barati.
1214         
1215         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1216         object into the JSValue gigacage.
1217
1218         * dfg/DFGSpeculativeJIT.cpp:
1219         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1220         * ftl/FTLLowerDFGToB3.cpp:
1221         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1222         * jit/JITPropertyAccess.cpp:
1223         (JSC::JIT::emitScopedArgumentsGetByVal):
1224         * runtime/ScopedArguments.h:
1225         (JSC::ScopedArguments::subspaceFor):
1226         (JSC::ScopedArguments::overflowStorage const):
1227
1228 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1229
1230         JSLexicalEnvironment needs to be in the JSValue gigacage
1231         https://bugs.webkit.org/show_bug.cgi?id=174922
1232
1233         Reviewed by Michael Saboff.
1234         
1235         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1236         the only random accesses use pointer caging.
1237         
1238         We don't need to do anything to normal lexical environment accesses.
1239
1240         * dfg/DFGSpeculativeJIT.cpp:
1241         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1242         * ftl/FTLLowerDFGToB3.cpp:
1243         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1244         * runtime/JSEnvironmentRecord.h:
1245         (JSC::JSEnvironmentRecord::subspaceFor):
1246         (JSC::JSEnvironmentRecord::variables):
1247
1248 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1249
1250         DirectArguments should be in the JSValue gigacage
1251         https://bugs.webkit.org/show_bug.cgi?id=174920
1252
1253         Reviewed by Michael Saboff.
1254         
1255         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1256         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1257         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1258         required to use fixed offsets, and you can only store JSValues.
1259
1260         * dfg/DFGSpeculativeJIT.cpp:
1261         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1262         * ftl/FTLLowerDFGToB3.cpp:
1263         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1264         * jit/JITPropertyAccess.cpp:
1265         (JSC::JIT::emitDirectArgumentsGetByVal):
1266         * runtime/DirectArguments.h:
1267         (JSC::DirectArguments::subspaceFor):
1268         (JSC::DirectArguments::storage):
1269         * runtime/VM.cpp:
1270         (JSC::VM::VM):
1271         * runtime/VM.h:
1272
1273 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1274
1275         Unreviewed, add a FIXME.
1276
1277         * ftl/FTLLowerDFGToB3.cpp:
1278         (JSC::FTL::DFG::LowerDFGToB3::caged):
1279
1280 2017-08-10  Sam Weinig  <sam@webkit.org>
1281
1282         WTF::Function does not allow for reference / non-default constructible return types
1283         https://bugs.webkit.org/show_bug.cgi?id=175244
1284
1285         Reviewed by Chris Dumez.
1286
1287         * runtime/ArrayBuffer.cpp:
1288         (JSC::ArrayBufferContents::transferTo):
1289         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1290         destroy call needed to be a no-op anyway, since the data is being moved.
1291
1292 2017-08-11  Mark Lam  <mark.lam@apple.com>
1293
1294         Gardening: fix CLoop build.
1295         https://bugs.webkit.org/show_bug.cgi?id=175446
1296         <rdar://problem/33836545>
1297
1298         Not reviewed.
1299
1300         * assembler/MacroAssemblerPrinter.cpp:
1301
1302 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1303
1304         DFG should do caging
1305         https://bugs.webkit.org/show_bug.cgi?id=174918
1306
1307         Reviewed by Saam Barati.
1308         
1309         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1310         the conditional caging with a watchpoint.
1311         
1312         This might be a 1% SunSpider slow-down, but it's not clear.
1313
1314         * dfg/DFGSpeculativeJIT.cpp:
1315         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1316         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1317         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1318         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1319         (JSC::DFG::SpeculativeJIT::compileSpread):
1320         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1321         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1322         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1323         * dfg/DFGSpeculativeJIT.h:
1324         * dfg/DFGSpeculativeJIT64.cpp:
1325         (JSC::DFG::SpeculativeJIT::compile):
1326
1327 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1328
1329         Unreviewed, build fix for x86 GTK port
1330         https://bugs.webkit.org/show_bug.cgi?id=175446
1331
1332         Use pushfl/popfl instead of pushfd/popfd.
1333
1334         * assembler/MacroAssemblerX86Common.cpp:
1335
1336 2017-08-10  Mark Lam  <mark.lam@apple.com>
1337
1338         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1339         https://bugs.webkit.org/show_bug.cgi?id=175446
1340         <rdar://problem/33836545>
1341
1342         Reviewed by Saam Barati.
1343
1344         * assembler/AbstractMacroAssembler.h:
1345         * assembler/MacroAssembler.cpp:
1346         (JSC::MacroAssembler::probe):
1347         * assembler/MacroAssembler.h:
1348         * assembler/MacroAssemblerARM.cpp:
1349         (JSC::MacroAssembler::probe):
1350         * assembler/MacroAssemblerARM.h:
1351         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1352         * assembler/MacroAssemblerARM64.cpp:
1353         (JSC::MacroAssembler::probe):
1354         * assembler/MacroAssemblerARMv7.cpp:
1355         (JSC::MacroAssembler::probe):
1356         * assembler/MacroAssemblerARMv7.h:
1357         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1358         * assembler/MacroAssemblerPrinter.cpp:
1359         * assembler/MacroAssemblerPrinter.h:
1360         * assembler/MacroAssemblerX86Common.cpp:
1361         * assembler/testmasm.cpp:
1362         (JSC::isSpecialGPR):
1363         (JSC::testProbeModifiesProgramCounter):
1364         (JSC::run):
1365         * b3/B3LowerToAir.cpp:
1366         (JSC::B3::Air::LowerToAir::print):
1367         * b3/air/AirPrintSpecial.cpp:
1368         * b3/air/AirPrintSpecial.h:
1369
1370 2017-08-10  Mark Lam  <mark.lam@apple.com>
1371
1372         Apply the UNLIKELY macro to some unlikely things.
1373         https://bugs.webkit.org/show_bug.cgi?id=175440
1374         <rdar://problem/33834767>
1375
1376         Reviewed by Yusuke Suzuki.
1377
1378         * bytecode/CodeBlock.cpp:
1379         (JSC::CodeBlock::~CodeBlock):
1380         (JSC::CodeBlock::jettison):
1381         * dfg/DFGByteCodeParser.cpp:
1382         (JSC::DFG::ByteCodeParser::handleCall):
1383         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1384         (JSC::DFG::ByteCodeParser::handleGetById):
1385         (JSC::DFG::ByteCodeParser::handlePutById):
1386         (JSC::DFG::ByteCodeParser::parseBlock):
1387         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1388         * dfg/DFGJITCompiler.cpp:
1389         (JSC::DFG::JITCompiler::JITCompiler):
1390         (JSC::DFG::JITCompiler::linkOSRExits):
1391         (JSC::DFG::JITCompiler::link):
1392         (JSC::DFG::JITCompiler::disassemble):
1393         * dfg/DFGJITFinalizer.cpp:
1394         (JSC::DFG::JITFinalizer::finalizeCommon):
1395         * dfg/DFGOSRExit.cpp:
1396         (JSC::DFG::OSRExit::compileOSRExit):
1397         * dfg/DFGPlan.cpp:
1398         (JSC::DFG::Plan::Plan):
1399         * ftl/FTLJITFinalizer.cpp:
1400         (JSC::FTL::JITFinalizer::finalizeCommon):
1401         * ftl/FTLLink.cpp:
1402         (JSC::FTL::link):
1403         * ftl/FTLOSRExitCompiler.cpp:
1404         (JSC::FTL::compileStub):
1405         * jit/JIT.cpp:
1406         (JSC::JIT::privateCompileMainPass):
1407         (JSC::JIT::compileWithoutLinking):
1408         (JSC::JIT::link):
1409         * runtime/ScriptExecutable.cpp:
1410         (JSC::ScriptExecutable::installCode):
1411         * runtime/VM.cpp:
1412         (JSC::VM::VM):
1413
1414 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1415
1416         [WTF] ThreadSpecific should not introduce additional indirection
1417         https://bugs.webkit.org/show_bug.cgi?id=175187
1418
1419         Reviewed by Mark Lam.
1420
1421         * runtime/Identifier.cpp:
1422
1423 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1424
1425         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1426         https://bugs.webkit.org/show_bug.cgi?id=175436
1427         <rdar://problem/33667497>
1428
1429         Reviewed by Simon Fraser.
1430
1431         * interpreter/Interpreter.cpp:
1432         (JSC::Interpreter::Interpreter):
1433
1434 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1435
1436         Remove ENABLE_GAMEPAD_DEPRECATED
1437         https://bugs.webkit.org/show_bug.cgi?id=175361
1438
1439         Reviewed by Carlos Garcia Campos.
1440
1441         * Configurations/FeatureDefines.xcconfig:
1442
1443 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1444
1445         [JSC] Create JSSet constructor that accepts its size as parameter
1446         https://bugs.webkit.org/show_bug.cgi?id=173297
1447
1448         Reviewed by Saam Barati.
1449
1450         This patch adds a new constructor to JSSet that takes its
1451         expected initial size. It is important to avoid re-hashing and multiple
1452         allocations when we know the final size of JSSet, such as in
1453         CodeBlock::setConstantIdentifierSetRegisters.
1454
1455         * bytecode/CodeBlock.cpp:
1456         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1457         * runtime/HashMapImpl.h:
1458         (JSC::HashMapImpl::HashMapImpl):
1459         * runtime/JSSet.h:
1460
1461 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1462
1463         Unreviewed, rolling out r220466, r220477, and r220487.
1464         https://bugs.webkit.org/show_bug.cgi?id=175411
1465
1466         This change broke existing API tests and follow up fixes did
1467         not resolve all the issues. (Requested by ryanhaddad on
1468         #webkit).
1469
1470         Reverted changesets:
1471
1472         https://bugs.webkit.org/show_bug.cgi?id=175244
1473         http://trac.webkit.org/changeset/220466
1474
1475         "WTF::Function does not allow for reference / non-default
1476         constructible return types"
1477         https://bugs.webkit.org/show_bug.cgi?id=175244
1478         http://trac.webkit.org/changeset/220477
1479
1480         https://bugs.webkit.org/show_bug.cgi?id=175244
1481         http://trac.webkit.org/changeset/220487
1482
1483 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1484
1485         Early error on ANY operator before new.target
1486         https://bugs.webkit.org/show_bug.cgi?id=157970
1487
1488         Reviewed by Saam Barati.
1489
1490         Instead of throwing if any unary operator precedes new.target, only
1491         throw if the unary operator updates the reference.
1492
1493         The following become legal in JSC:
1494
1495         ```
1496         !new.target
1497         ~new.target
1498         typeof new.target
1499         delete new.target
1500         void new.target
1501         ```
1502
1503         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
1504
1505         * parser/Parser.cpp:
1506         (JSC::Parser<LexerType>::parseUnaryExpression):
1507
1508 2017-08-09  Sam Weinig  <sam@webkit.org>
1509
1510         WTF::Function does not allow for reference / non-default constructible return types
1511         https://bugs.webkit.org/show_bug.cgi?id=175244
1512
1513         Reviewed by Chris Dumez.
1514
1515         * runtime/ArrayBuffer.cpp:
1516         (JSC::ArrayBufferContents::transferTo):
1517         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1518         destroy call needed to be a no-op anyway, since the data is being moved.
1519
1520 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1521
1522         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1523         https://bugs.webkit.org/show_bug.cgi?id=175392
1524         <rdar://problem/33783207>
1525
1526         Reviewed by Tim Horton and Megan Gardner.
1527
1528         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1529
1530         * Configurations/FeatureDefines.xcconfig:
1531
1532 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1533
1534         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1535         https://bugs.webkit.org/show_bug.cgi?id=175358
1536
1537         Reviewed by Mark Lam.
1538
1539         * jit/JITOperations.cpp:
1540         * runtime/JSObjectInlines.h:
1541         (JSC::JSObject::putInlineForJSObject):
1542
1543 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1544
1545         Unreviewed, rolling out r220457.
1546
1547         This change introduced API test failures.
1548
1549         Reverted changeset:
1550
1551         "WTF::Function does not allow for reference / non-default
1552         constructible return types"
1553         https://bugs.webkit.org/show_bug.cgi?id=175244
1554         http://trac.webkit.org/changeset/220457
1555
1556 2017-08-09  Sam Weinig  <sam@webkit.org>
1557
1558         WTF::Function does not allow for reference / non-default constructible return types
1559         https://bugs.webkit.org/show_bug.cgi?id=175244
1560
1561         Reviewed by Chris Dumez.
1562
1563         * runtime/ArrayBuffer.cpp:
1564         (JSC::ArrayBufferContents::transferTo):
1565         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1566         destroy call needed to be a no-op anyway, since the data is being moved.
1567
1568 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1569
1570         REGRESSION: 2 test262/test/language/statements/async-function failures
1571         https://bugs.webkit.org/show_bug.cgi?id=175334
1572
1573         Reviewed by Yusuke Suzuki.
1574
1575         Switch off useAsyncIterator by default
1576
1577         * runtime/Options.h:
1578
1579 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1580
1581         ICs should do caging
1582         https://bugs.webkit.org/show_bug.cgi?id=175295
1583
1584         Reviewed by Saam Barati.
1585         
1586         Adds the appropriate cage() calls in our inline caches.
1587
1588         * bytecode/AccessCase.cpp:
1589         (JSC::AccessCase::generateImpl):
1590         * bytecode/InlineAccess.cpp:
1591         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1592         (JSC::InlineAccess::generateSelfPropertyAccess):
1593         (JSC::InlineAccess::generateSelfPropertyReplace):
1594         (JSC::InlineAccess::generateArrayLength):
1595
1596 2017-08-08  Devin Rousso  <drousso@apple.com>
1597
1598         Web Inspector: Canvas: support editing WebGL shaders
1599         https://bugs.webkit.org/show_bug.cgi?id=124211
1600         <rdar://problem/15448958>
1601
1602         Reviewed by Matt Baker.
1603
1604         * inspector/protocol/Canvas.json:
1605         Add `updateShader` command that will change the given shader's source to the provided string,
1606         recompile, and relink it to its associated program.
1607         Drive-by: add description to `requestShaderSource` command.
1608
1609 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1610
1611         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1612         https://bugs.webkit.org/show_bug.cgi?id=175347
1613
1614         Reviewed by Saam Barati.
1615
1616         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
1617         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1618         negligible considering how much more finishCreation does.
1619         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1620         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1621
1622         * bytecode/CodeBlock.cpp:
1623         (JSC::CodeBlock::finishCreation):
1624         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1625         (JSC::CodeBlock::setConstantRegisters):
1626         * bytecode/CodeBlock.h:
1627         * runtime/ScriptExecutable.cpp:
1628         (JSC::ScriptExecutable::newCodeBlockFor):
1629
1630 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1631
1632         Unreviewed, fix Ubuntu LTS build
1633         https://bugs.webkit.org/show_bug.cgi?id=174490
1634
1635         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1636         * inspector/remote/glib/RemoteInspectorServer.cpp:
1637
1638 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1639
1640         Baseline JIT should do caging
1641         https://bugs.webkit.org/show_bug.cgi?id=175037
1642
1643         Reviewed by Mark Lam.
1644         
1645         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1646         
1647         Also modifies FTL caging to be more defensive when caging is disabled.
1648         
1649         Relanded with fixed AssemblyHelpers::cageConditionally().
1650
1651         * bytecode/AccessCase.cpp:
1652         (JSC::AccessCase::generateImpl):
1653         * bytecode/InlineAccess.cpp:
1654         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1655         (JSC::InlineAccess::generateSelfPropertyAccess):
1656         (JSC::InlineAccess::generateSelfPropertyReplace):
1657         (JSC::InlineAccess::generateArrayLength):
1658         * ftl/FTLLowerDFGToB3.cpp:
1659         (JSC::FTL::DFG::LowerDFGToB3::caged):
1660         * jit/AssemblyHelpers.h:
1661         (JSC::AssemblyHelpers::cage):
1662         (JSC::AssemblyHelpers::cageConditionally):
1663         * jit/JITPropertyAccess.cpp:
1664         (JSC::JIT::emitDoubleLoad):
1665         (JSC::JIT::emitContiguousLoad):
1666         (JSC::JIT::emitArrayStorageLoad):
1667         (JSC::JIT::emitGenericContiguousPutByVal):
1668         (JSC::JIT::emitArrayStoragePutByVal):
1669         (JSC::JIT::emit_op_get_from_scope):
1670         (JSC::JIT::emit_op_put_to_scope):
1671         (JSC::JIT::emitIntTypedArrayGetByVal):
1672         (JSC::JIT::emitFloatTypedArrayGetByVal):
1673         (JSC::JIT::emitIntTypedArrayPutByVal):
1674         (JSC::JIT::emitFloatTypedArrayPutByVal):
1675         * jsc.cpp:
1676         (jscmain):
1677         (primitiveGigacageDisabled): Deleted.
1678
1679 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1680
1681         Unreviewed, rolling out r220368.
1682
1683         This change caused WK1 tests to exit early with crashes.
1684
1685         Reverted changeset:
1686
1687         "Baseline JIT should do caging"
1688         https://bugs.webkit.org/show_bug.cgi?id=175037
1689         http://trac.webkit.org/changeset/220368
1690
1691 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1692
1693         [CMake] Properly test if compiler supports compiler flags
1694         https://bugs.webkit.org/show_bug.cgi?id=174490
1695
1696         Reviewed by Konstantin Tokarev.
1697
1698         * API/tests/PingPongStackOverflowTest.cpp:
1699         (testPingPongStackOverflow):
1700         * API/tests/testapi.c:
1701         * b3/testb3.cpp:
1702         (JSC::B3::testPatchpointLotsOfLateAnys):
1703
1704 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1705
1706         [Linux] Clear WasmMemory with madvise instead of memset
1707         https://bugs.webkit.org/show_bug.cgi?id=175150
1708
1709         Reviewed by Filip Pizlo.
1710
1711         On Linux, zeroing pages with memset populates the backing store.
1712         Instead, we should use madvise with MADV_DONTNEED. It discards the
1713         pages, and if you access these pages again, on-demand zero pages will
1714         be shown.
1715
1716         We also commit grown pages in all OSes.
1717
1718         * wasm/WasmMemory.cpp:
1719         (JSC::Wasm::commitZeroPages):
1720         (JSC::Wasm::Memory::create):
1721         (JSC::Wasm::Memory::grow):
1722
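The technique this entry describes, as an added illustration that is not JSC's code (JSC's own commitZeroPages lives in wasm/WasmMemory.cpp and is not reproduced here): an anonymous mapping is dirtied with memset, then cleared with madvise(MADV_DONTNEED) on Linux (memset elsewhere), and mincore is used to observe that the discarded pages are no longer backed until they are touched again. The region size, the 0xAB fill and the result struct are constructed for the example.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static size_t page_size(void) { return (size_t)sysconf(_SC_PAGESIZE); }

/* Number of pages of [start, start+len) currently backed by physical memory, via mincore.
 * Returns -1 where mincore is unavailable or fails. Assumes start is page-aligned. */
long resident_pages(void* start, size_t len) {
#if defined(__linux__)
    size_t pages = (len + page_size() - 1) / page_size();
    unsigned char vec[64];                 /* enough for the small regions used in this example */
    if (pages > sizeof vec)
        return -1;
    if (mincore(start, len, vec) != 0)
        return -1;
    long resident = 0;
    for (size_t i = 0; i < pages; i++)
        resident += vec[i] & 1;            /* low bit set = page is resident */
    return resident;
#else
    (void)start; (void)len;
    return -1;
#endif
}

/* Zero [start, start+len) the way the entry describes. On Linux, MADV_DONTNEED discards the pages
 * instead of writing to them; a later access faults in a fresh zero page on demand, so memory that
 * is never touched again never gets backing store. Elsewhere (and if madvise fails) fall back to
 * memset, which commits every page. Requires a page-aligned range of an anonymous private mapping. */
bool commit_zero_pages(void* start, size_t len) {
#if defined(__linux__)
    if (madvise(start, len, MADV_DONTNEED) == 0)
        return true;
#endif
    memset(start, 0, len);
    return true;
}

/* Constructed scenario: map a few pages, dirty them, clear them, and report what happened. */
struct zero_pages_result {
    long resident_before;   /* pages backed after the memset(0xAB) */
    long resident_after;    /* pages backed right after commit_zero_pages */
    bool all_zero;          /* every byte reads as 0 afterwards */
};

bool run_zero_pages_demo(size_t pages, struct zero_pages_result* out) {
    size_t len = pages * page_size();
    unsigned char* mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return false;
    memset(mem, 0xAB, len);                /* populate every page, as a memset-based clear would */
    out->resident_before = resident_pages(mem, len);
    commit_zero_pages(mem, len);
    out->resident_after = resident_pages(mem, len);
    out->all_zero = true;
    for (size_t i = 0; i < len; i++) {     /* reading now faults in zero pages on demand */
        if (mem[i] != 0) {
            out->all_zero = false;
            break;
        }
    }
    munmap(mem, len);
    return true;
}
```

On Linux, resident_before equals the number of pages mapped and resident_after drops to 0 after the discard, while the bytes still read back as zero.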
1723 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1724
1725         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1726         https://bugs.webkit.org/show_bug.cgi?id=175307
1727
1728         Reviewed by Saam Barati.
1729
1730         ```
1731         let a = new Uint8Array(10);
1732         let b = Object.getOwnPropertyDescriptor(a, 0);
1733         assert(b.configurable === false);
1734         ```
1735         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
1736         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
1737         that says that typed arrays are integer indexed exotic objects.
1738
1739         * runtime/JSGenericTypedArrayViewInlines.h:
1740         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1741
1742 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1743
1744         Baseline JIT should do caging
1745         https://bugs.webkit.org/show_bug.cgi?id=175037
1746
1747         Reviewed by Mark Lam.
1748         
1749         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1750         
1751         Also modifies FTL caging to be more defensive when caging is disabled.
1752
1753         * ftl/FTLLowerDFGToB3.cpp:
1754         (JSC::FTL::DFG::LowerDFGToB3::caged):
1755         * jit/AssemblyHelpers.h:
1756         (JSC::AssemblyHelpers::cage):
1757         (JSC::AssemblyHelpers::cageConditionally):
1758         * jit/JITPropertyAccess.cpp:
1759         (JSC::JIT::emitDoubleLoad):
1760         (JSC::JIT::emitContiguousLoad):
1761         (JSC::JIT::emitArrayStorageLoad):
1762         (JSC::JIT::emitGenericContiguousPutByVal):
1763         (JSC::JIT::emitArrayStoragePutByVal):
1764         (JSC::JIT::emit_op_get_from_scope):
1765         (JSC::JIT::emit_op_put_to_scope):
1766         (JSC::JIT::emitIntTypedArrayGetByVal):
1767         (JSC::JIT::emitFloatTypedArrayGetByVal):
1768         (JSC::JIT::emitIntTypedArrayPutByVal):
1769         (JSC::JIT::emitFloatTypedArrayPutByVal):
1770         * jsc.cpp:
1771         (jscmain):
1772         (primitiveGigacageDisabled): Deleted.
1773
1774 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1775
1776         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1777         https://bugs.webkit.org/show_bug.cgi?id=174919
1778
1779         Reviewed by Keith Miller.
1780         
1781         This adapts JSC to there being two gigacages.
1782         
1783         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1784         singletons. I don't think we were gaining anything by making them be singletons.
1785         
1786         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1787         gigacages. We'll have one of those allocators per cage.
1788         
1789         From there, this change teaches everyone who previously knew about cages that there are two cages.
1790         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1791         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1792         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1793         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1794         
1795         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1796         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1797
1798         * JavaScriptCore.xcodeproj/project.pbxproj:
1799         * bytecode/AccessCase.cpp:
1800         (JSC::AccessCase::generateImpl):
1801         * dfg/DFGSpeculativeJIT.cpp:
1802         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1803         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1804         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1805         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1806         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1807         * ftl/FTLLowerDFGToB3.cpp:
1808         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1809         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1810         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1811         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1812         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1813         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1814         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1815         (JSC::FTL::DFG::LowerDFGToB3::caged):
1816         * heap/FastMallocAlignedMemoryAllocator.cpp:
1817         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1818         * heap/FastMallocAlignedMemoryAllocator.h:
1819         * heap/GigacageAlignedMemoryAllocator.cpp:
1820         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1821         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1822         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1823         (JSC::GigacageAlignedMemoryAllocator::dump const):
1824         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1825         * heap/GigacageAlignedMemoryAllocator.h:
1826         * jsc.cpp:
1827         (primitiveGigacageDisabled):
1828         (jscmain):
1829         (gigacageDisabled): Deleted.
1830         * llint/LowLevelInterpreter64.asm:
1831         * runtime/ArrayBuffer.cpp:
1832         (JSC::ArrayBufferContents::tryAllocate):
1833         (JSC::ArrayBuffer::createAdopted):
1834         (JSC::ArrayBuffer::createFromBytes):
1835         * runtime/AuxiliaryBarrier.h:
1836         * runtime/ButterflyInlines.h:
1837         (JSC::Butterfly::createUninitialized):
1838         (JSC::Butterfly::tryCreate):
1839         (JSC::Butterfly::growArrayRight):
1840         * runtime/CagedBarrierPtr.h: Added.
1841         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1842         (JSC::CagedBarrierPtr::clear):
1843         (JSC::CagedBarrierPtr::set):
1844         (JSC::CagedBarrierPtr::get const):
1845         (JSC::CagedBarrierPtr::getMayBeNull const):
1846         (JSC::CagedBarrierPtr::operator== const):
1847         (JSC::CagedBarrierPtr::operator!= const):
1848         (JSC::CagedBarrierPtr::operator bool const):
1849         (JSC::CagedBarrierPtr::setWithoutBarrier):
1850         (JSC::CagedBarrierPtr::operator* const):
1851         (JSC::CagedBarrierPtr::operator-> const):
1852         (JSC::CagedBarrierPtr::operator[] const):
1853         * runtime/DirectArguments.cpp:
1854         (JSC::DirectArguments::overrideThings):
1855         (JSC::DirectArguments::unmapArgument):
1856         * runtime/DirectArguments.h:
1857         (JSC::DirectArguments::isMappedArgument const):
1858         * runtime/GenericArguments.h:
1859         * runtime/GenericArgumentsInlines.h:
1860         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1861         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1862         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1863         * runtime/HashMapImpl.cpp:
1864         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1865         * runtime/HashMapImpl.h:
1866         (JSC::HashMapBuffer::create):
1867         (JSC::HashMapImpl::buffer const):
1868         (JSC::HashMapImpl::rehash):
1869         * runtime/JSArray.cpp:
1870         (JSC::JSArray::tryCreateUninitializedRestricted):
1871         (JSC::JSArray::unshiftCountSlowCase):
1872         (JSC::JSArray::setLength):
1873         (JSC::JSArray::pop):
1874         (JSC::JSArray::push):
1875         (JSC::JSArray::fastSlice):
1876         (JSC::JSArray::shiftCountWithArrayStorage):
1877         (JSC::JSArray::shiftCountWithAnyIndexingType):
1878         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1879         (JSC::JSArray::fillArgList):
1880         (JSC::JSArray::copyToArguments):
1881         * runtime/JSArray.h:
1882         (JSC::JSArray::tryCreate):
1883         * runtime/JSArrayBufferView.cpp:
1884         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1885         (JSC::JSArrayBufferView::finalize):
1886         * runtime/JSLock.cpp:
1887         (JSC::JSLock::didAcquireLock):
1888         * runtime/JSObject.cpp:
1889         (JSC::JSObject::heapSnapshot):
1890         (JSC::JSObject::getOwnPropertySlotByIndex):
1891         (JSC::JSObject::putByIndex):
1892         (JSC::JSObject::enterDictionaryIndexingMode):
1893         (JSC::JSObject::createInitialIndexedStorage):
1894         (JSC::JSObject::createArrayStorage):
1895         (JSC::JSObject::convertUndecidedToInt32):
1896         (JSC::JSObject::convertUndecidedToDouble):
1897         (JSC::JSObject::convertUndecidedToContiguous):
1898         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1899         (JSC::JSObject::convertUndecidedToArrayStorage):
1900         (JSC::JSObject::convertInt32ToDouble):
1901         (JSC::JSObject::convertInt32ToContiguous):
1902         (JSC::JSObject::convertInt32ToArrayStorage):
1903         (JSC::JSObject::convertDoubleToContiguous):
1904         (JSC::JSObject::convertDoubleToArrayStorage):
1905         (JSC::JSObject::convertContiguousToArrayStorage):
1906         (JSC::JSObject::setIndexQuicklyToUndecided):
1907         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1908         (JSC::JSObject::deletePropertyByIndex):
1909         (JSC::JSObject::getOwnPropertyNames):
1910         (JSC::JSObject::putIndexedDescriptor):
1911         (JSC::JSObject::defineOwnIndexedProperty):
1912         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1913         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1914         (JSC::JSObject::getNewVectorLength):
1915         (JSC::JSObject::ensureLengthSlow):
1916         (JSC::JSObject::reallocateAndShrinkButterfly):
1917         (JSC::JSObject::allocateMoreOutOfLineStorage):
1918         (JSC::JSObject::getEnumerableLength):
1919         * runtime/JSObject.h:
1920         (JSC::JSObject::getArrayLength const):
1921         (JSC::JSObject::getVectorLength):
1922         (JSC::JSObject::putDirectIndex):
1923         (JSC::JSObject::canGetIndexQuickly):
1924         (JSC::JSObject::getIndexQuickly):
1925         (JSC::JSObject::tryGetIndexQuickly const):
1926         (JSC::JSObject::canSetIndexQuickly):
1927         (JSC::JSObject::setIndexQuickly):
1928         (JSC::JSObject::initializeIndex):
1929         (JSC::JSObject::initializeIndexWithoutBarrier):
1930         (JSC::JSObject::hasSparseMap):
1931         (JSC::JSObject::inSparseIndexingMode):
1932         (JSC::JSObject::butterfly const):
1933         (JSC::JSObject::butterfly):
1934         (JSC::JSObject::outOfLineStorage const):
1935         (JSC::JSObject::outOfLineStorage):
1936         (JSC::JSObject::ensureInt32):
1937         (JSC::JSObject::ensureDouble):
1938         (JSC::JSObject::ensureContiguous):
1939         (JSC::JSObject::ensureArrayStorage):
1940         (JSC::JSObject::arrayStorage):
1941         (JSC::JSObject::arrayStorageOrNull):
1942         (JSC::JSObject::ensureLength):
1943         * runtime/RegExpMatchesArray.h:
1944         (JSC::tryCreateUninitializedRegExpMatchesArray):
1945         * runtime/VM.cpp:
1946         (JSC::VM::VM):
1947         (JSC::VM::~VM):
1948         (JSC::VM::primitiveGigacageDisabledCallback):
1949         (JSC::VM::primitiveGigacageDisabled):
1950         (JSC::VM::gigacageDisabledCallback): Deleted.
1951         (JSC::VM::gigacageDisabled): Deleted.
1952         * runtime/VM.h:
1953         (JSC::VM::gigacageAuxiliarySpace):
1954         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1955         (JSC::VM::primitiveGigacageEnabled):
1956         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1957         (JSC::VM::gigacageEnabled): Deleted.
1958         * wasm/WasmMemory.cpp:
1959         (JSC::Wasm::Memory::create):
1960         (JSC::Wasm::Memory::~Memory):
1961         (JSC::Wasm::Memory::grow):
1962
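An added toy model of the caging that the "ICs should do caging", "Baseline JIT should do caging" and "Primitive auxiliaries and JSValue auxiliaries should have separate gigacages" entries refer to; this is not JSC's code. It models two cages (Primitive for typed array storage, JSValue for butterflies), cage() as a mask-and-rebase of the pointer's low bits onto the cage, and cage_conditionally() passing pointers through once a cage has been disabled. The cage size, the bump allocator, the function names and the demo struct are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Each model cage is CAGE_SIZE bytes and aligned to CAGE_SIZE, so the low bits of any pointer
 * into it are its offset within the cage. Real cages are far larger and reserved at startup. */
#define CAGE_SIZE ((uintptr_t)1 << 20)   /* 1 MiB per model cage; must be a power of two */
#define CAGE_MASK (CAGE_SIZE - 1)

enum cage_kind { CAGE_PRIMITIVE = 0, CAGE_JSVALUE = 1, CAGE_KIND_COUNT };

static void* g_cage_raw[CAGE_KIND_COUNT];          /* malloc'd blocks backing the cages */
static uintptr_t g_cage_base[CAGE_KIND_COUNT];     /* CAGE_SIZE-aligned base of each cage */
static uintptr_t g_cage_cursor[CAGE_KIND_COUNT];   /* bump-allocator position per cage */
static bool g_cage_enabled[CAGE_KIND_COUNT] = { true, true };

/* Reserve both cages, over-allocating so each base can be aligned to CAGE_SIZE by hand. */
bool cages_init(void) {
    for (int k = 0; k < CAGE_KIND_COUNT; k++) {
        if (g_cage_raw[k])
            continue;
        g_cage_raw[k] = malloc(2 * CAGE_SIZE);
        if (!g_cage_raw[k])
            return false;
        g_cage_base[k] = ((uintptr_t)g_cage_raw[k] + CAGE_MASK) & ~CAGE_MASK;
    }
    return true;
}

void cages_destroy(void) {
    for (int k = 0; k < CAGE_KIND_COUNT; k++) {
        free(g_cage_raw[k]);
        g_cage_raw[k] = NULL;
        g_cage_base[k] = 0;
        g_cage_cursor[k] = 0;
        g_cage_enabled[k] = true;
    }
}

/* The disabled case (the entries' primitiveGigacageDisabled): cage_conditionally becomes a no-op. */
void cage_disable(enum cage_kind kind) { g_cage_enabled[kind] = false; }

/* Unconditional caging: drop every bit of ptr above the cage size and rebase the rest onto the
 * cage. A pointer already inside the cage is unchanged; any other pointer, for instance one
 * overwritten through a memory-safety bug, is forced back inside the cage, so the load or store
 * that follows cannot reach memory outside it. */
void* cage(enum cage_kind kind, void* ptr) {
    return (void*)(g_cage_base[kind] + ((uintptr_t)ptr & CAGE_MASK));
}

void* cage_conditionally(enum cage_kind kind, void* ptr) {
    return g_cage_enabled[kind] ? cage(kind, ptr) : ptr;
}

bool in_cage(enum cage_kind kind, const void* ptr) {
    uintptr_t p = (uintptr_t)ptr;
    return p >= g_cage_base[kind] && p < g_cage_base[kind] + CAGE_SIZE;
}

/* Bump allocation inside a cage; sufficient for the demonstration. */
void* cage_alloc(enum cage_kind kind, size_t bytes) {
    if (g_cage_cursor[kind] + bytes > CAGE_SIZE)
        return NULL;
    void* p = (void*)(g_cage_base[kind] + g_cage_cursor[kind]);
    g_cage_cursor[kind] += (bytes + 15) & ~(uintptr_t)15;
    return p;
}

struct cage_demo {
    bool legit_unchanged;      /* cage() is the identity on a pointer already in its cage */
    bool rogue_redirected;     /* a pointer outside the cage lands inside it after cage() */
    bool kinds_separated;      /* a Primitive-cage pointer caged as JSValue ends up in the JSValue cage */
    bool disabled_passthrough; /* cage_conditionally leaves pointers alone for a disabled cage only */
};

/* Constructed check of the four properties above. */
bool run_cage_demo(struct cage_demo* out) {
    if (!cages_init())
        return false;
    void* butterfly = cage_alloc(CAGE_JSVALUE, 64);          /* butterflies live in the JSValue cage */
    void* typed_storage = cage_alloc(CAGE_PRIMITIVE, 64);     /* typed array storage is Primitive */
    static int outside;                                       /* static storage: in neither cage */
    void* rogue = &outside;
    out->legit_unchanged = cage(CAGE_JSVALUE, butterfly) == butterfly;
    out->rogue_redirected = !in_cage(CAGE_JSVALUE, rogue)
                         && in_cage(CAGE_JSVALUE, cage(CAGE_JSVALUE, rogue));
    void* crossed = cage(CAGE_JSVALUE, typed_storage);
    out->kinds_separated = in_cage(CAGE_JSVALUE, crossed) && !in_cage(CAGE_PRIMITIVE, crossed);
    cage_disable(CAGE_PRIMITIVE);
    out->disabled_passthrough = cage_conditionally(CAGE_PRIMITIVE, rogue) == rogue
                             && cage_conditionally(CAGE_JSVALUE, rogue) != rogue;
    cages_destroy();
    return true;
}
```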
1963 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1964
1965         Unreviewed, rolling out r220144.
1966         https://bugs.webkit.org/show_bug.cgi?id=175276
1967
1968         "It did not actually speed things up in the way I expected"
1969         (Requested by saamyjoon on #webkit).
1970
1971         Reverted changeset:
1972
1973         "On memory-constrained iOS devices, reduce the rate at which
1974         the JS heap grows before a GC to try to keep more memory
1975         available for the system"
1976         https://bugs.webkit.org/show_bug.cgi?id=175041
1977         http://trac.webkit.org/changeset/220144
1978
1979 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1980
1981         Unreviewed, rolling out r220299.
1982
1983         This change caused LayoutTest inspector/dom-debugger/dom-
1984         breakpoints.html to fail.
1985
1986         Reverted changeset:
1987
1988         "Web Inspector: capture async stack trace when workers/main
1989         context posts a message"
1990         https://bugs.webkit.org/show_bug.cgi?id=167084
1991         http://trac.webkit.org/changeset/220299
1992
1993 2017-08-07  Brian Burg  <bburg@apple.com>
1994
1995         Remove CANVAS_PATH compilation guard
1996         https://bugs.webkit.org/show_bug.cgi?id=175207
1997
1998         Reviewed by Sam Weinig.
1999
2000         * Configurations/FeatureDefines.xcconfig:
2001
2002 2017-08-07  Keith Miller  <keith_miller@apple.com>
2003
2004         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
2005         https://bugs.webkit.org/show_bug.cgi?id=175256
2006
2007         Reviewed by Saam Barati.
2008
2009         The check in createFromBytes just needed to check that the buffer was not null before
2010         calling isCaged.
2011
2012         * runtime/ArrayBuffer.cpp:
2013         (JSC::ArrayBuffer::createFromBytes):
2014
2015 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
2016
2017         [GTK][WPE] Add API to provide browser information required by automation
2018         https://bugs.webkit.org/show_bug.cgi?id=175130
2019
2020         Reviewed by Brian Burg.
2021
2022         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
2023         get them.
2024
2025         * inspector/remote/RemoteInspector.cpp:
2026         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
2027         * inspector/remote/RemoteInspector.h:
2028         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2029         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
2030         requested to ensure they are updated before StartAutomationSession reply is sent.
2031         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
2032         StartAutomationSession message.
2033
2034 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2035
2036         Promise resolve and reject function should have length = 1
2037         https://bugs.webkit.org/show_bug.cgi?id=175242
2038
2039         Reviewed by Saam Barati.
2040
2041         Previously we had a separate system for "length" and "name" for builtin functions.
2042         The builtin functions do not use the lazy reifying system. Instead, they have direct
2043         properties set when they are instantiated. While the function created for properties (like
2044         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
2045         these builtin functions are just created by JSFunction::create(). Since it does
2046         not set any values for "length", these functions do not have a "length" property.
2047         So, the resolve and reject functions passed to Promise's executor do not have
2048         a "length" property.
2049
2050         This patch makes builtin functions use the standard lazy reifying system for "length".
2051         So, the "length" property of a builtin function just works as it does for
2052         normal functions.
2053
2054         * runtime/JSFunction.cpp:
2055         (JSC::JSFunction::createBuiltinFunction):
2056         (JSC::JSFunction::getOwnPropertySlot):
2057         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2058         (JSC::JSFunction::put):
2059         (JSC::JSFunction::deleteProperty):
2060         (JSC::JSFunction::defineOwnProperty):
2061         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2062         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2063         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2064         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2065         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2066         * runtime/JSFunction.h:
2067
2068 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2069
2070         [ESNext] Async iteration - Implement Async Generator - parser
2071         https://bugs.webkit.org/show_bug.cgi?id=175210
2072
2073         Reviewed by Yusuke Suzuki.
2074
2075         The current implementation is a draft version of Async Iteration.
2076         Link to spec: https://tc39.github.io/proposal-async-iteration/
2077
2078         The current patch implements only the parser part of the async generator.
2079         The runtime part will be in the next patches.
2080
2081         * parser/ASTBuilder.h:
2082         (JSC::ASTBuilder::createFunctionMetadata):
2083         * parser/Parser.cpp:
2084         (JSC::getAsynFunctionBodyParseMode):
2085         (JSC::Parser<LexerType>::parseInner):
2086         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2087         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2088         (JSC::stringArticleForFunctionMode):
2089         (JSC::stringForFunctionMode):
2090         (JSC::Parser<LexerType>::parseFunctionInfo):
2091         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2092         (JSC::Parser<LexerType>::parseClass):
2093         (JSC::Parser<LexerType>::parseProperty):
2094         (JSC::Parser<LexerType>::parsePropertyMethod):
2095         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2096         * parser/Parser.h:
2097         (JSC::Scope::setSourceParseMode):
2098         * parser/ParserModes.h:
2099         (JSC::isFunctionParseMode):
2100         (JSC::isAsyncFunctionParseMode):
2101         (JSC::isAsyncArrowFunctionParseMode):
2102         (JSC::isAsyncGeneratorFunctionParseMode):
2103         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2104         (JSC::isAsyncFunctionWrapperParseMode):
2105         (JSC::isAsyncFunctionBodyParseMode):
2106         (JSC::isGeneratorMethodParseMode):
2107         (JSC::isAsyncMethodParseMode):
2108         (JSC::isAsyncGeneratorMethodParseMode):
2109         (JSC::isMethodParseMode):
2110         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2111         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2112
2113 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2114
2115         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2116         https://bugs.webkit.org/show_bug.cgi?id=175083
2117
2118         Reviewed by Oliver Hunt.
2119         
2120         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2121         even if we are using the pop path.
2122         
2123         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2124         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2125         the world just because we changed it.
2126         
2127         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2128         easier to debug leaks.
2129
2130         * bytecode/AccessCase.cpp:
2131         * bytecode/PolymorphicAccess.cpp:
2132         * heap/HeapCell.cpp:
2133         (JSC::HeapCell::isLive):
2134         * heap/HeapCellInlines.h:
2135         (JSC::HeapCell::isLive): Deleted.
2136         * heap/MarkedAllocator.cpp:
2137         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2138         (JSC::MarkedAllocator::endMarking):
2139         * heap/MarkedBlockInlines.h:
2140         (JSC::MarkedBlock::Handle::specializedSweep):
2141         * jit/AssemblyHelpers.cpp:
2142         * jit/Repatch.cpp:
2143         * runtime/TestRunnerUtils.h:
2144         * runtime/VM.cpp:
2145         (JSC::waitForVMDestruction):
2146         (JSC::VM::~VM):
2147
2148 2017-08-05  Mark Lam  <mark.lam@apple.com>
2149
2150         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2151         https://bugs.webkit.org/show_bug.cgi?id=175228
2152         <rdar://problem/33735737>
2153
2154         Reviewed by Saam Barati.
2155
2156         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2157         delete OSRExit32_64.cpp.
2158
2159         * CMakeLists.txt:
2160         * JavaScriptCore.xcodeproj/project.pbxproj:
2161         * dfg/DFGOSRExit.cpp:
2162         (JSC::DFG::OSRExit::compileExit):
2163         * dfg/DFGOSRExit32_64.cpp: Removed.
2164         * jit/GPRInfo.h:
2165         (JSC::JSValueSource::payloadGPR const):
2166
2167 2017-08-04  Youenn Fablet  <youenn@apple.com>
2168
2169         [Cache API] Add Cache and CacheStorage IDL definitions
2170         https://bugs.webkit.org/show_bug.cgi?id=175201
2171
2172         Reviewed by Brady Eidson.
2173
2174         * runtime/CommonIdentifiers.h:
2175
2176 2017-08-04  Mark Lam  <mark.lam@apple.com>
2177
2178         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2179         https://bugs.webkit.org/show_bug.cgi?id=175230
2180         <rdar://problem/33735857>
2181
2182         Reviewed by Saam Barati.
2183
2184         * assembler/testmasm.cpp:
2185         (JSC::testProbeReadsArgumentRegisters):
2186         (JSC::testProbeWritesArgumentRegisters):
2187
2188 2017-08-04  Mark Lam  <mark.lam@apple.com>
2189
2190         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2191         https://bugs.webkit.org/show_bug.cgi?id=175214
2192         <rdar://problem/33733308>
2193
2194         Rubber-stamped by Michael Saboff.
2195
2196         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2197         DFGOSRExitCompiler files.
2198
2199         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2200
2201         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2202         used by compileOSRExit(), and will be changed to not be a DFG operation function
2203         when we use JIT probes for DFG OSR exits later in
2204         https://bugs.webkit.org/show_bug.cgi?id=175144.
2205
2206         * CMakeLists.txt:
2207         * JavaScriptCore.xcodeproj/project.pbxproj:
2208         * dfg/DFGJITCompiler.cpp:
2209         * dfg/DFGOSRExit.cpp:
2210         (JSC::DFG::OSRExit::emitRestoreArguments):
2211         (JSC::DFG::OSRExit::compileOSRExit):
2212         (JSC::DFG::OSRExit::compileExit):
2213         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2214         * dfg/DFGOSRExit.h:
2215         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2216         * dfg/DFGOSRExitCompiler.cpp: Removed.
2217         * dfg/DFGOSRExitCompiler.h: Removed.
2218         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2219         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2220         * dfg/DFGOperations.cpp:
2221         * dfg/DFGOperations.h:
2222         * dfg/DFGThunks.cpp:
2223
2224 2017-08-04  Matt Baker  <mattbaker@apple.com>
2225
2226         Web Inspector: capture async stack trace when workers/main context posts a message
2227         https://bugs.webkit.org/show_bug.cgi?id=167084
2228         <rdar://problem/30033673>
2229
2230         Reviewed by Brian Burg.
2231
2232         * inspector/agents/InspectorDebuggerAgent.h:
2233         Add `PostMessage` async call type.
2234
2235 2017-08-04  Mark Lam  <mark.lam@apple.com>
2236
2237         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2238         https://bugs.webkit.org/show_bug.cgi?id=175208
2239         <rdar://problem/33732402>
2240
2241         Reviewed by Saam Barati.
2242
2243         This will minimize the code diff and make it easier to review the patch for
2244         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2245         steps:
2246
2247         1. Do the code changes to move methods into OSRExit.
2248         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2249         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2250
2251         Splitting this refactoring into these 3 steps also makes it easier to review this
2252         patch and understand what is being changed.
2253
2254         * dfg/DFGOSRExit.h:
2255         * dfg/DFGOSRExitCompiler.cpp:
2256         (JSC::DFG::OSRExit::emitRestoreArguments):
2257         (JSC::DFG::OSRExit::compileOSRExit):
2258         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2259         (): Deleted.
2260         * dfg/DFGOSRExitCompiler.h:
2261         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2262         (): Deleted.
2263         * dfg/DFGOSRExitCompiler32_64.cpp:
2264         (JSC::DFG::OSRExit::compileExit):
2265         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2266         * dfg/DFGOSRExitCompiler64.cpp:
2267         (JSC::DFG::OSRExit::compileExit):
2268         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2269         * dfg/DFGThunks.cpp:
2270         (JSC::DFG::osrExitGenerationThunkGenerator):
2271
2272 2017-08-04  Devin Rousso  <drousso@apple.com>
2273
2274         Web Inspector: add source view for WebGL shader programs
2275         https://bugs.webkit.org/show_bug.cgi?id=138593
2276         <rdar://problem/18936194>
2277
2278         Reviewed by Matt Baker.
2279
2280         * inspector/protocol/Canvas.json:
2281          - Add `ShaderType` enum that contains "vertex" and "fragment".
2282          - Add `requestShaderSource` command that will return the original source code for a given
2283            shader program and shader type.
2284
2285 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2286
2287         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2288         https://bugs.webkit.org/show_bug.cgi?id=175141
2289
2290         Reviewed by Mark Lam.
2291         
2292         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2293         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2294         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2295         determined by the AlignedMemoryAllocator object.
2296         
2297         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2298         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2299         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2300         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2301         they use the same AlignedMemoryAllocator.
2302
2303         * CMakeLists.txt:
2304         * JavaScriptCore.xcodeproj/project.pbxproj:
2305         * heap/AlignedMemoryAllocator.cpp: Added.
2306         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2307         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2308         * heap/AlignedMemoryAllocator.h: Added.
2309         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2310         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2311         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2312         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2313         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2314         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2315         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2316         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2317         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2318         (JSC::GigacageAlignedMemoryAllocator::singleton):
2319         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2320         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2321         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2322         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2323         (JSC::GigacageAlignedMemoryAllocator::dump const):
2324         * heap/GigacageAlignedMemoryAllocator.h: Added.
2325         * heap/GigacageSubspace.cpp: Removed.
2326         * heap/GigacageSubspace.h: Removed.
2327         * heap/LargeAllocation.cpp:
2328         (JSC::LargeAllocation::tryCreate):
2329         (JSC::LargeAllocation::destroy):
2330         * heap/MarkedAllocator.cpp:
2331         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2332         * heap/MarkedBlock.cpp:
2333         (JSC::MarkedBlock::tryCreate):
2334         (JSC::MarkedBlock::Handle::Handle):
2335         (JSC::MarkedBlock::Handle::~Handle):
2336         (JSC::MarkedBlock::Handle::didAddToAllocator):
2337         (JSC::MarkedBlock::Handle::subspace const):
2338         * heap/MarkedBlock.h:
2339         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2340         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2341         * heap/Subspace.cpp:
2342         (JSC::Subspace::Subspace):
2343         (JSC::Subspace::findEmptyBlockToSteal):
2344         (JSC::Subspace::canTradeBlocksWith): Deleted.
2345         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2346         (JSC::Subspace::freeAlignedMemory): Deleted.
2347         * heap/Subspace.h:
2348         (JSC::Subspace::name const):
2349         (JSC::Subspace::alignedMemoryAllocator const):
2350         * runtime/JSDestructibleObjectSubspace.cpp:
2351         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2352         * runtime/JSDestructibleObjectSubspace.h:
2353         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2354         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2355         * runtime/JSSegmentedVariableObjectSubspace.h:
2356         * runtime/JSStringSubspace.cpp:
2357         (JSC::JSStringSubspace::JSStringSubspace):
2358         * runtime/JSStringSubspace.h:
2359         * runtime/VM.cpp:
2360         (JSC::VM::VM):
2361         * runtime/VM.h:
2362         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2363         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2364         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
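
        An added illustration of the design the entry above describes, written for this
        page and not taken from JSC: the class names (AlignedMemoryAllocator, Subspace,
        MarkedBlock, findEmptyBlockToSteal, canTradeBlocksWith) mirror the entry, but
        every body below is a simplified stand-in. The point it shows is the one the
        entry makes: the block records which allocator produced its memory, block
        stealing compares allocator identity instead of asking a per-subclass
        canTradeBlocksWith(), and, as a consequence, a block is only ever returned to
        the allocator it came from.

```cpp
#include <cstddef>
#include <cstdlib>
#include <vector>

// Simplified stand-ins for the design in the entry above; not JSC's code. The
// memory behind a block comes from an AlignedMemoryAllocator object, the block
// remembers which allocator produced it, and a Subspace may steal a block only
// when that allocator is the one the Subspace itself uses.
class AlignedMemoryAllocator {
public:
    virtual ~AlignedMemoryAllocator() = default;
    virtual void* tryAllocateAlignedMemory(size_t size) = 0;
    virtual void freeAlignedMemory(void*) = 0;
};

// Stand-in for FastMallocAlignedMemoryAllocator: ordinary heap memory.
class FastMallocAlignedMemoryAllocator final : public AlignedMemoryAllocator {
public:
    void* tryAllocateAlignedMemory(size_t size) override { return std::malloc(size); }
    void freeAlignedMemory(void* p) override { std::free(p); }
};

// Stand-in for GigacageAlignedMemoryAllocator: bump-allocates out of one fixed
// region, so every block it hands out lies inside that region.
class RegionAlignedMemoryAllocator final : public AlignedMemoryAllocator {
public:
    explicit RegionAlignedMemoryAllocator(size_t regionSize) : m_region(regionSize) {}
    void* tryAllocateAlignedMemory(size_t size) override {
        if (size > m_region.size() - m_used)
            return nullptr; // region exhausted; callers must handle the null
        void* p = m_region.data() + m_used;
        m_used += size;
        return p;
    }
    void freeAlignedMemory(void*) override {} // the region is released as a whole
private:
    std::vector<char> m_region;
    size_t m_used = 0;
};

struct MarkedBlock {
    AlignedMemoryAllocator* allocator; // who produced this memory
    void* memory;
    bool isEmpty;
};

class Subspace {
public:
    explicit Subspace(AlignedMemoryAllocator& allocator) : m_allocator(&allocator) {}
    ~Subspace() {
        for (MarkedBlock* b : m_blocks) {
            b->allocator->freeAlignedMemory(b->memory); // always the producing allocator
            delete b;
        }
    }
    AlignedMemoryAllocator* alignedMemoryAllocator() const { return m_allocator; }
    size_t blockCount() const { return m_blocks.size(); }

    MarkedBlock* tryAllocateBlock(size_t size) {
        void* memory = m_allocator->tryAllocateAlignedMemory(size);
        if (!memory)
            return nullptr;
        m_blocks.push_back(new MarkedBlock{m_allocator, memory, true});
        return m_blocks.back();
    }

    // Replaces a per-subclass canTradeBlocksWith(): compare allocator identity.
    bool canStealBlock(const MarkedBlock& block) const {
        return block.isEmpty && block.allocator == m_allocator;
    }

    MarkedBlock* findEmptyBlockToSteal(const std::vector<Subspace*>& candidates) {
        for (Subspace* other : candidates) {
            if (other == this)
                continue;
            for (size_t i = 0; i < other->m_blocks.size(); ++i) {
                MarkedBlock* block = other->m_blocks[i];
                if (!canStealBlock(*block))
                    continue;
                other->m_blocks.erase(other->m_blocks.begin() + i);
                m_blocks.push_back(block);
                return block;
            }
        }
        return nullptr;
    }

private:
    AlignedMemoryAllocator* m_allocator;
    std::vector<MarkedBlock*> m_blocks;
};

struct TradeResult { bool sameAllocatorStole; bool otherAllocatorStole; size_t stringsBlocks; };

// Two subspaces of different kinds on the same allocator can trade; a subspace
// on a different allocator cannot, even though the block is empty.
TradeResult demonstrateBlockTrading() {
    FastMallocAlignedMemoryAllocator fastMalloc;
    RegionAlignedMemoryAllocator cage(1 << 16);
    Subspace destructibleObjects(fastMalloc);
    Subspace strings(fastMalloc);
    Subspace auxiliary(cage);

    destructibleObjects.tryAllocateBlock(4096); // left empty, so it is up for grabs
    std::vector<Subspace*> all{&destructibleObjects, &strings, &auxiliary};

    bool otherAllocatorStole = auxiliary.findEmptyBlockToSteal(all) != nullptr; // false
    bool sameAllocatorStole = strings.findEmptyBlockToSteal(all) != nullptr;    // true
    return {sameAllocatorStole, otherAllocatorStole, strings.blockCount()};
}
```

        The identity comparison is what keeps a region-backed (cage) block from ever
        being handed to a subspace that would later free it through the wrong
        allocator; with the old per-subclass predicate, two unrelated Subspace
        subclasses on the same allocator had no way to discover they were compatible.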
2365
2366 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2367
2368         [ESNext] Async iteration - update feature.json
2369         https://bugs.webkit.org/show_bug.cgi?id=175197
2370
2371         Reviewed by Yusuke Suzuki.
2372
2373         Update feature.json to add the status of Async Iteration.
2374
2375         * features.json:
2376
2377 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2378
2379         Unreviewed, rolling out r220271.
2380
2381         Rolling out due to Layout Test failing on iOS Simulator.
2382
2383         Reverted changeset:
2384
2385         "Remove STREAMS_API compilation guard"
2386         https://bugs.webkit.org/show_bug.cgi?id=175165
2387         http://trac.webkit.org/changeset/220271
2388
2389 2017-08-04  Youenn Fablet  <youenn@apple.com>
2390
2391         Remove STREAMS_API compilation guard
2392         https://bugs.webkit.org/show_bug.cgi?id=175165
2393
2394         Reviewed by Darin Adler.
2395
2396         * Configurations/FeatureDefines.xcconfig:
2397
2398 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2399
2400         [EsNext] Async iteration - Add feature flag
2401         https://bugs.webkit.org/show_bug.cgi?id=166694
2402
2403         Reviewed by Yusuke Suzuki.
2404
2405         Add a feature flag to JSC to switch Async Iterator on/off.
2406
2407         * runtime/Options.h:
2408
2409 2017-08-03  Brian Burg  <bburg@apple.com>
2410
2411         Remove ENABLE(WEB_SOCKET) guards
2412         https://bugs.webkit.org/show_bug.cgi?id=167044
2413
2414         Reviewed by Joseph Pecoraro.
2415
2416         * Configurations/FeatureDefines.xcconfig:
2417
2418 2017-08-03  Youenn Fablet  <youenn@apple.com>
2419
2420         Remove FETCH_API compilation guard
2421         https://bugs.webkit.org/show_bug.cgi?id=175154
2422
2423         Reviewed by Chris Dumez.
2424
2425         * Configurations/FeatureDefines.xcconfig:
2426
2427 2017-08-03  Matt Baker  <mattbaker@apple.com>
2428
2429         Web Inspector: Instrument WebGLProgram created/deleted
2430         https://bugs.webkit.org/show_bug.cgi?id=175059
2431
2432         Reviewed by Devin Rousso.
2433
2434         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2435
2436         * inspector/protocol/Canvas.json:
2437
2438 2017-08-03  Brady Eidson  <beidson@apple.com>
2439
2440         Add SW IDLs and stub out basic functionality.
2441         https://bugs.webkit.org/show_bug.cgi?id=175115
2442
2443         Reviewed by Chris Dumez.
2444
2445         * Configurations/FeatureDefines.xcconfig:
2446
2447         * runtime/CommonIdentifiers.h:
2448
2449 2017-08-03  Mark Lam  <mark.lam@apple.com>
2450
2451         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2452         https://bugs.webkit.org/show_bug.cgi?id=175142
2453         <rdar://problem/33704528>
2454
2455         Reviewed by Filip Pizlo.
2456
2457         The convention in the rest of JSC for such methods which return the address of
2458         a field is to name them "addressOf<field name>".  We'll rename
2459         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2460
2461         * dfg/DFGSpeculativeJIT.cpp:
2462         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2463         * dfg/DFGSpeculativeJIT32_64.cpp:
2464         (JSC::DFG::SpeculativeJIT::compile):
2465         * dfg/DFGSpeculativeJIT64.cpp:
2466         (JSC::DFG::SpeculativeJIT::compile):
2467         * dfg/DFGThunks.cpp:
2468         (JSC::DFG::osrExitGenerationThunkGenerator):
2469         * ftl/FTLLowerDFGToB3.cpp:
2470         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2471         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2472         * ftl/FTLThunks.cpp:
2473         (JSC::FTL::genericGenerationThunkGenerator):
2474         * jit/AssemblyHelpers.cpp:
2475         (JSC::AssemblyHelpers::debugCall):
2476         * jit/ScratchRegisterAllocator.cpp:
2477         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2478         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2479         * runtime/VM.h:
2480         (JSC::ScratchBuffer::addressOfActiveLength):
2481         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2482         * wasm/WasmBinding.cpp:
2483         (JSC::Wasm::wasmToJs):
2484
2485 2017-08-02  Devin Rousso  <drousso@apple.com>
2486
2487         Web Inspector: add stack trace information for each RecordingAction
2488         https://bugs.webkit.org/show_bug.cgi?id=174663
2489
2490         Reviewed by Joseph Pecoraro.
2491
2492         * inspector/ScriptCallFrame.h:
2493         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2494         with an existing value doesn't require a functor and can use existing code.
2495
2496         * interpreter/StackVisitor.h:
2497         * interpreter/StackVisitor.cpp:
2498         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2499
2500 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2501
2502         Merge WTFThreadData to Thread::current
2503         https://bugs.webkit.org/show_bug.cgi?id=174716
2504
2505         Reviewed by Mark Lam.
2506
2507         Use Thread::current() instead.
2508
2509         * API/JSContext.mm:
2510         (+[JSContext currentContext]):
2511         (+[JSContext currentThis]):
2512         (+[JSContext currentCallee]):
2513         (+[JSContext currentArguments]):
2514         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2515         (-[JSContext endCallbackWithData:]):
2516         * heap/Heap.cpp:
2517         (JSC::Heap::requestCollection):
2518         * runtime/Completion.cpp:
2519         (JSC::checkSyntax):
2520         (JSC::checkModuleSyntax):
2521         (JSC::evaluate):
2522         (JSC::loadAndEvaluateModule):
2523         (JSC::loadModule):
2524         (JSC::linkAndEvaluateModule):
2525         (JSC::importModule):
2526         * runtime/Identifier.cpp:
2527         (JSC::Identifier::checkCurrentAtomicStringTable):
2528         * runtime/InitializeThreading.cpp:
2529         (JSC::initializeThreading):
2530         * runtime/JSLock.cpp:
2531         (JSC::JSLock::didAcquireLock):
2532         (JSC::JSLock::willReleaseLock):
2533         (JSC::JSLock::dropAllLocks):
2534         (JSC::JSLock::grabAllLocks):
2535         * runtime/JSLock.h:
2536         * runtime/VM.cpp:
2537         (JSC::VM::VM):
2538         (JSC::VM::updateStackLimits):
2539         (JSC::VM::committedStackByteCount):
2540         * runtime/VM.h:
2541         (JSC::VM::isSafeToRecurse const):
2542         * runtime/VMEntryScope.cpp:
2543         (JSC::VMEntryScope::VMEntryScope):
2544         * runtime/VMInlines.h:
2545         (JSC::VM::ensureStackCapacityFor):
2546         * yarr/YarrPattern.cpp:
2547         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2548
2549 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2550
2551         LLInt should do pointer caging
2552         https://bugs.webkit.org/show_bug.cgi?id=175036
2553
2554         Reviewed by Keith Miller.
2555
2556         Implementing this in the LLInt was challenging because offlineasm did not previously know
2557         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2558         to be where the Gigacage is enabled right now.
2559
2560         * llint/LLIntOfflineAsmConfig.h:
2561         * llint/LowLevelInterpreter64.asm:
2562         * offlineasm/ast.rb:
2563         * offlineasm/x86.rb:
2564
2565 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2566
2567         Sweeping should only scribble when sweeping to free list
2568         https://bugs.webkit.org/show_bug.cgi?id=175105
2569
2570         Reviewed by Saam Barati.
2571         
2572         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2573         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2574         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2575         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2576         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2577         when it doesn't matter anyway because we're building a free list.
2578         
2579         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2580         zap.
2581
2582         * heap/MarkedBlockInlines.h:
2583         (JSC::MarkedBlock::Handle::specializedSweep):
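
        An added model of the failure mode the entry above describes, written for this
        page and not JSC's code. A cell's first word stands in for its Structure pointer:
        0 is the zap word meaning "already destructed", 0xbadbeef0 is the scribble word
        (both values are the ones the entry names), and the small ids 1..N are the only
        "valid" Structure values the model knows, so a destructor attempt on any other
        header is counted where the real engine would crash. The names specializedSweep,
        SweepOnly and SweepToFreeList come from the entry; the bodies, the block layout
        and the maxStructureId cut-off are assumptions of the model.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Added model of the two sweep paths; not JSC's code.
enum class SweepMode { SweepOnly, SweepToFreeList };

constexpr uint32_t zapWord = 0;                // header of a destructed cell
constexpr uint32_t scribbleWord = 0xbadbeef0u; // written over free-list cells
constexpr size_t wordsPerCell = 4;
constexpr uint32_t maxStructureId = 1000;      // model: ids above this are not Structures

struct Block {
    std::vector<uint32_t> words;
    std::vector<bool> marked;        // live cells, as left by the mark phase
    std::vector<uint32_t*> freeList;
    int destructorCalls = 0;
    int badDereferences = 0;         // destructor attempted on a non-Structure header

    size_t cellCount() const { return words.size() / wordsPerCell; }
    uint32_t* cell(size_t i) { return &words[i * wordsPerCell]; }
};

// Constructed block: `cells` cells with headers 1..cells; cell 0 is marked live.
Block makeBlock(size_t cells) {
    Block block;
    block.words.assign(cells * wordsPerCell, 0x11111111u);
    block.marked.assign(cells, false);
    for (size_t i = 0; i < cells; ++i)
        block.cell(i)[0] = static_cast<uint32_t>(i + 1);
    block.marked[0] = true;
    return block;
}

// Destruct a dead cell unless it is already zapped. The real engine follows the
// header as a pointer; the model records a header it cannot recognise instead.
void destructIfNeeded(Block& block, uint32_t* cell) {
    uint32_t header = cell[0];
    if (header == zapWord)
        return; // already destructed: nothing to do
    if (header > maxStructureId) {
        block.badDereferences++; // this is the crash the entry saw on the bots
        return;
    }
    block.destructorCalls++;
    cell[0] = zapWord;
}

// scribbleInSweepOnly == true reproduces the regression: scribbling in SweepOnly
// overwrites the zap word, so the next sweep no longer sees the cell as destructed.
void specializedSweep(Block& block, SweepMode mode, bool scribbleInSweepOnly) {
    block.freeList.clear();
    for (size_t i = 0; i < block.cellCount(); ++i) {
        if (block.marked[i])
            continue; // live cell: untouched
        uint32_t* cell = block.cell(i);
        destructIfNeeded(block, cell);
        bool building = mode == SweepMode::SweepToFreeList;
        if (building || scribbleInSweepOnly)
            std::fill(cell, cell + wordsPerCell, scribbleWord);
        if (building)
            block.freeList.push_back(cell);
    }
}

struct SweepOutcome { int destructorCalls; int badDereferences; size_t freeListLength; };

// A SweepOnly pass followed later by a SweepToFreeList pass over the same block.
SweepOutcome runScenario(bool scribbleInSweepOnly) {
    Block block = makeBlock(4);
    specializedSweep(block, SweepMode::SweepOnly, scribbleInSweepOnly);
    specializedSweep(block, SweepMode::SweepToFreeList, scribbleInSweepOnly);
    return {block.destructorCalls, block.badDereferences, block.freeList.size()};
}
```

        With scribbling confined to the free-list path, the second pass skips every
        zapped cell and only then overwrites it; with the regression in place the second
        pass finds 0xbadbeef0 where the zap word should be and attempts destruction
        through it.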
2584
2585 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2586
2587         All C++ accesses to JSObject::m_butterfly should do caging
2588         https://bugs.webkit.org/show_bug.cgi?id=175039
2589
2590         Reviewed by Keith Miller.
2591         
2592         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2593         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2594         outside the gigacage.
2595
2596         * runtime/JSArray.cpp:
2597         (JSC::JSArray::setLength):
2598         (JSC::JSArray::pop):
2599         (JSC::JSArray::push):
2600         (JSC::JSArray::shiftCountWithAnyIndexingType):
2601         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2602         (JSC::JSArray::fillArgList):
2603         (JSC::JSArray::copyToArguments):
2604         * runtime/JSObject.cpp:
2605         (JSC::JSObject::heapSnapshot):
2606         (JSC::JSObject::createInitialIndexedStorage):
2607         (JSC::JSObject::createArrayStorage):
2608         (JSC::JSObject::convertUndecidedToInt32):
2609         (JSC::JSObject::convertUndecidedToDouble):
2610         (JSC::JSObject::convertUndecidedToContiguous):
2611         (JSC::JSObject::convertInt32ToDouble):
2612         (JSC::JSObject::convertInt32ToArrayStorage):
2613         (JSC::JSObject::convertDoubleToContiguous):
2614         (JSC::JSObject::convertDoubleToArrayStorage):
2615         (JSC::JSObject::convertContiguousToArrayStorage):
2616         (JSC::JSObject::defineOwnIndexedProperty):
2617         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2618         (JSC::JSObject::ensureLengthSlow):
2619         (JSC::JSObject::allocateMoreOutOfLineStorage):
2620         * runtime/JSObject.h:
2621         (JSC::JSObject::canGetIndexQuickly):
2622         (JSC::JSObject::getIndexQuickly):
2623         (JSC::JSObject::tryGetIndexQuickly const):
2624         (JSC::JSObject::canSetIndexQuickly):
2625         (JSC::JSObject::setIndexQuickly):
2626         (JSC::JSObject::initializeIndex):
2627         (JSC::JSObject::initializeIndexWithoutBarrier):
2628         (JSC::JSObject::butterfly const):
2629         (JSC::JSObject::butterfly):
2630
2631 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2632
2633         We should be OK with the gigacage being disabled on gmalloc
2634         https://bugs.webkit.org/show_bug.cgi?id=175082
2635
2636         Reviewed by Michael Saboff.
2637
2638         * jsc.cpp:
2639         (jscmain):
2640
2641 2017-08-02  Saam Barati  <sbarati@apple.com>
2642
2643         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2644         https://bugs.webkit.org/show_bug.cgi?id=175041
2645         <rdar://problem/33659370>
2646
2647         Reviewed by Filip Pizlo.
2648
2649         The testing I have done shows that this new function is a ~10%
2650         progression running JetStream on 1GB iOS devices. I've also tried
2651         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2652         or a regression. Right now, we'll just enable this for <= 1GB devices
2653         since it's a win. In the future, we might want to either look into
2654         tweaking these parameters or coming up with a new function for > 1GB
2655         devices.
2656
2657         * heap/Heap.cpp:
2658         * runtime/Options.h:
2659
2660 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2661
2662         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2663         https://bugs.webkit.org/show_bug.cgi?id=174727
2664
2665         Reviewed by Mark Lam.
2666         
2667         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2668         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2669         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2670         
2671         This is neutral on JetStream.
2672
2673         * CMakeLists.txt:
2674         * JavaScriptCore.xcodeproj/project.pbxproj:
2675         * b3/B3InsertionSet.cpp:
2676         (JSC::B3::InsertionSet::execute):
2677         * dfg/DFGAbstractInterpreterInlines.h:
2678         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2679         * dfg/DFGArgumentsEliminationPhase.cpp:
2680         * dfg/DFGClobberize.cpp:
2681         (JSC::DFG::readsOverlap):
2682         * dfg/DFGClobberize.h:
2683         (JSC::DFG::clobberize):
2684         * dfg/DFGDoesGC.cpp:
2685         (JSC::DFG::doesGC):
2686         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2687         (JSC::DFG::performFixedButterflyAccessUncaging):
2688         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2689         * dfg/DFGFixupPhase.cpp:
2690         (JSC::DFG::FixupPhase::fixupNode):
2691         * dfg/DFGHeapLocation.cpp:
2692         (WTF::printInternal):
2693         * dfg/DFGHeapLocation.h:
2694         * dfg/DFGNodeType.h:
2695         * dfg/DFGPlan.cpp:
2696         (JSC::DFG::Plan::compileInThreadImpl):
2697         * dfg/DFGPredictionPropagationPhase.cpp:
2698         * dfg/DFGSafeToExecute.h:
2699         (JSC::DFG::safeToExecute):
2700         * dfg/DFGSpeculativeJIT.cpp:
2701         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2702         * dfg/DFGSpeculativeJIT32_64.cpp:
2703         (JSC::DFG::SpeculativeJIT::compile):
2704         * dfg/DFGSpeculativeJIT64.cpp:
2705         (JSC::DFG::SpeculativeJIT::compile):
2706         * dfg/DFGTypeCheckHoistingPhase.cpp:
2707         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2708         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2709         * ftl/FTLCapabilities.cpp:
2710         (JSC::FTL::canCompile):
2711         * ftl/FTLLowerDFGToB3.cpp:
2712         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2713         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2714         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2715         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2716         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2717         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2718         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2719         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2720         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2721         (JSC::FTL::DFG::LowerDFGToB3::caged):
2722         * heap/GigacageSubspace.cpp: Added.
2723         (JSC::GigacageSubspace::GigacageSubspace):
2724         (JSC::GigacageSubspace::~GigacageSubspace):
2725         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2726         (JSC::GigacageSubspace::freeAlignedMemory):
2727         (JSC::GigacageSubspace::canTradeBlocksWith):
2728         * heap/GigacageSubspace.h: Added.
2729         * heap/Heap.cpp:
2730         (JSC::Heap::Heap):
2731         (JSC::Heap::lastChanceToFinalize):
2732         (JSC::Heap::finalize):
2733         (JSC::Heap::sweepInFinalize):
2734         (JSC::Heap::updateAllocationLimits):
2735         (JSC::Heap::shouldDoFullCollection):
2736         (JSC::Heap::collectIfNecessaryOrDefer):
2737         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2738         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2739         (JSC::Heap::sweepLargeAllocations): Deleted.
2740         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2741         * heap/Heap.h:
2742         * heap/LargeAllocation.cpp:
2743         (JSC::LargeAllocation::tryCreate):
2744         (JSC::LargeAllocation::destroy):
2745         * heap/MarkedAllocator.cpp:
2746         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2747         (JSC::MarkedAllocator::tryAllocateBlock):
2748         * heap/MarkedBlock.cpp:
2749         (JSC::MarkedBlock::tryCreate):
2750         (JSC::MarkedBlock::Handle::Handle):
2751         (JSC::MarkedBlock::Handle::~Handle):
2752         (JSC::MarkedBlock::Handle::didAddToAllocator):
2753         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2754         * heap/MarkedBlock.h:
2755         (JSC::MarkedBlock::Handle::subspace const):
2756         * heap/MarkedSpace.cpp:
2757         (JSC::MarkedSpace::~MarkedSpace):
2758         (JSC::MarkedSpace::freeMemory):
2759         (JSC::MarkedSpace::prepareForAllocation):
2760         (JSC::MarkedSpace::addMarkedAllocator):
2761         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2762         * heap/MarkedSpace.h:
2763         (JSC::MarkedSpace::firstAllocator const):
2764         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2765         * heap/Subspace.cpp:
2766         (JSC::Subspace::Subspace):
2767         (JSC::Subspace::canTradeBlocksWith):
2768         (JSC::Subspace::tryAllocateAlignedMemory):
2769         (JSC::Subspace::freeAlignedMemory):
2770         (JSC::Subspace::prepareForAllocation):
2771         (JSC::Subspace::findEmptyBlockToSteal):
2772         * heap/Subspace.h:
2773         (JSC::Subspace::didCreateFirstAllocator):
2774         * heap/SubspaceInlines.h:
2775         (JSC::Subspace::forEachAllocator):
2776         (JSC::Subspace::forEachMarkedBlock):
2777         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2778         * jit/JITPropertyAccess.cpp:
2779         (JSC::JIT::emitDoubleLoad):
2780         (JSC::JIT::emitContiguousLoad):
2781         (JSC::JIT::emitArrayStorageLoad):
2782         (JSC::JIT::emitGenericContiguousPutByVal):
2783         (JSC::JIT::emitArrayStoragePutByVal):
2784         (JSC::JIT::emit_op_get_from_scope):
2785         (JSC::JIT::emit_op_put_to_scope):
2786         (JSC::JIT::emitIntTypedArrayGetByVal):
2787         (JSC::JIT::emitFloatTypedArrayGetByVal):
2788         (JSC::JIT::emitIntTypedArrayPutByVal):
2789         (JSC::JIT::emitFloatTypedArrayPutByVal):
2790         * jsc.cpp:
2791         (fillBufferWithContentsOfFile):
2792         (functionReadFile):
2793         (gigacageDisabled):
2794         (jscmain):
2795         * llint/LowLevelInterpreter64.asm:
2796         * runtime/ArrayBuffer.cpp:
2797         (JSC::ArrayBufferContents::tryAllocate):
2798         (JSC::ArrayBuffer::createAdopted):
2799         (JSC::ArrayBuffer::createFromBytes):
2800         (JSC::ArrayBuffer::tryCreate):
2801         * runtime/IndexingHeader.h:
2802         * runtime/InitializeThreading.cpp:
2803         (JSC::initializeThreading):
2804         * runtime/JSArrayBuffer.cpp:
2805         * runtime/JSArrayBufferView.cpp:
2806         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2807         (JSC::JSArrayBufferView::finalize):
2808         * runtime/JSLock.cpp:
2809         (JSC::JSLock::didAcquireLock):
2810         * runtime/JSObject.h:
2811         * runtime/Options.cpp:
2812         (JSC::recomputeDependentOptions):
2813         * runtime/Options.h:
2814         * runtime/ScopedArgumentsTable.h:
2815         * runtime/VM.cpp:
2816         (JSC::VM::VM):
2817         (JSC::VM::~VM):
2818         (JSC::VM::gigacageDisabledCallback):
2819         (JSC::VM::gigacageDisabled):
2820         * runtime/VM.h:
2821         (JSC::VM::fireGigacageEnabledIfNecessary):
2822         (JSC::VM::gigacageEnabled):
2823         * wasm/WasmB3IRGenerator.cpp:
2824         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2825         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2826         * wasm/WasmCodeBlock.cpp:
2827         (JSC::Wasm::CodeBlock::isSafeToRun):
2828         * wasm/WasmMemory.cpp:
2829         (JSC::Wasm::makeString):
2830         (JSC::Wasm::Memory::create):
2831         (JSC::Wasm::Memory::~Memory):
2832         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2833         (JSC::Wasm::Memory::grow):
2834         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2835         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2836         * wasm/WasmMemory.h:
2837         * wasm/js/JSWebAssemblyInstance.cpp:
2838         (JSC::JSWebAssemblyInstance::create):
2839         * wasm/js/JSWebAssemblyMemory.cpp:
2840         (JSC::JSWebAssemblyMemory::grow):
2841         (JSC::JSWebAssemblyMemory::finishCreation):
2842         * wasm/js/JSWebAssemblyMemory.h:
2843         (JSC::JSWebAssemblyMemory::subspaceFor):
2844
2845 2017-07-31  Mark Lam  <mark.lam@apple.com>
2846
2847         Added some UNLIKELYs to operationOptimize().
2848         https://bugs.webkit.org/show_bug.cgi?id=174976
2849
2850         Reviewed by JF Bastien.
2851
2852         * jit/JITOperations.cpp:
2853
2854 2017-07-31  Keith Miller  <keith_miller@apple.com>
2855
2856         Make more things LLInt constexprs
2857         https://bugs.webkit.org/show_bug.cgi?id=174994
2858
2859         Reviewed by Saam Barati.
2860
2861         This patch makes more const values in the LLInt constexprs.
2862         It also deletes all of the no longer necessary static_asserts in
2863         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2864
2865         * interpreter/ShadowChicken.h:
2866         (JSC::ShadowChicken::Packet::tailMarker):
2867         * llint/LLIntData.cpp:
2868         (JSC::LLInt::Data::performAssertions):
2869         * llint/LowLevelInterpreter.asm:
2870         * offlineasm/generate_offset_extractor.rb:
2871         * offlineasm/parser.rb:
2872
2873 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2874
2875         Unreviewed, rolling out r220060.
2876
2877         This broke our internal builds. Contact reviewer of patch for
2878         more information.
2879
2880         Reverted changeset:
2881
2882         "Merge WTFThreadData to Thread::current"
2883         https://bugs.webkit.org/show_bug.cgi?id=174716
2884         http://trac.webkit.org/changeset/220060
2885
2886 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2887
2888         [JSC] Support optional catch binding
2889         https://bugs.webkit.org/show_bug.cgi?id=174981
2890
2891         Reviewed by Saam Barati.
2892
2893         This patch implements the optional catch binding proposal [1], which is now stage 3.
2894         This proposal adds a new `catch` brace with no error value binding.
2895
2896             ```
2897                 try {
2898                     ...
2899                 } catch {
2900                     ...
2901                 }
2902             ```
2903
2904         Sometimes we do not actually need to get the error value. For example, a function may return a
2905         boolean that indicates whether the function succeeded.
2906
2907             ```
2908             function parse(result) // -> bool
2909             {
2910                  try {
2911                      parseInner(result);
2912                  } catch {
2913                      return false;
2914                  }
2915                  return true;
2916             }
2917             ```
2918
2919         In the above case, we are not interested in the actual error value. Without this syntax,
2920         we always need to introduce a binding for an error value that is just ignored.
2921
2922         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2923
2924         * bytecompiler/NodesCodegen.cpp:
2925         (JSC::TryNode::emitBytecode):
2926         * parser/Parser.cpp:
2927         (JSC::Parser<LexerType>::parseTryStatement):
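
        The optional catch binding form described in this entry, as an added JavaScript example (not code from the ChangeLog or from JavaScriptCore), applied to a JSON validity helper; JSON.parse and the constructed sample inputs are assumptions of the example, not something the entry mentions.

```javascript
// Added example (not part of the WebKit ChangeLog or JSC sources): the
// optional catch binding proposal on the "does this succeed?" pattern the
// entry describes, using JSON.parse as the thing that may throw.

// Returns true when `text` is valid JSON and false otherwise. The catch
// clause has no binding, so no unused identifier for the error is needed.
function isValidJSON(text) {
    try {
        JSON.parse(text);
    } catch {
        return false;
    }
    return true;
}

// The same pattern returning a result object instead of throwing; the
// exception itself is still dropped because the caller does not need it.
function tryParseJSON(text) {
    try {
        return { ok: true, value: JSON.parse(text) };
    } catch {
        return { ok: false, value: undefined };
    }
}

// Before the proposal the binding was mandatory, leaving an unused name.
function isValidJSONLegacy(text) {
    try {
        JSON.parse(text);
    } catch (unused) { // the binding is never read
        return false;
    }
    return true;
}

// A catch without a binding still swallows the exception and still runs
// `finally`, so the surrounding control flow is unchanged by the new form.
// `inputs` is a constructed list of candidate JSON strings.
function countAttempts(inputs) {
    let attempts = 0;
    let failures = 0;
    for (const text of inputs) {
        try {
            JSON.parse(text);
        } catch {
            failures += 1;
        } finally {
            attempts += 1;
        }
    }
    return { attempts, failures };
}
```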
2928
2929 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2930
2931         Merge WTFThreadData to Thread::current
2932         https://bugs.webkit.org/show_bug.cgi?id=174716
2933
2934         Reviewed by Sam Weinig.
2935
2936         Use Thread::current() instead.
2937
2938         * API/JSContext.mm:
2939         (+[JSContext currentContext]):
2940         (+[JSContext currentThis]):
2941         (+[JSContext currentCallee]):
2942         (+[JSContext currentArguments]):
2943         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2944         (-[JSContext endCallbackWithData:]):
2945         * heap/Heap.cpp:
2946         (JSC::Heap::requestCollection):
2947         * runtime/Completion.cpp:
2948         (JSC::checkSyntax):
2949         (JSC::checkModuleSyntax):
2950         (JSC::evaluate):
2951         (JSC::loadAndEvaluateModule):
2952         (JSC::loadModule):
2953         (JSC::linkAndEvaluateModule):
2954         (JSC::importModule):
2955         * runtime/Identifier.cpp:
2956         (JSC::Identifier::checkCurrentAtomicStringTable):
2957         * runtime/InitializeThreading.cpp:
2958         (JSC::initializeThreading):
2959         * runtime/JSLock.cpp:
2960         (JSC::JSLock::didAcquireLock):
2961         (JSC::JSLock::willReleaseLock):
2962         (JSC::JSLock::dropAllLocks):
2963         (JSC::JSLock::grabAllLocks):
2964         * runtime/JSLock.h:
2965         * runtime/VM.cpp:
2966         (JSC::VM::VM):
2967         (JSC::VM::updateStackLimits):
2968         (JSC::VM::committedStackByteCount):
2969         * runtime/VM.h:
2970         (JSC::VM::isSafeToRecurse const):
2971         * runtime/VMEntryScope.cpp:
2972         (JSC::VMEntryScope::VMEntryScope):
2973         * runtime/VMInlines.h:
2974         (JSC::VM::ensureStackCapacityFor):
2975         * yarr/YarrPattern.cpp:
2976         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2977
2978 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2979
2980         [WTF] Introduce Private Symbols
2981         https://bugs.webkit.org/show_bug.cgi?id=174935
2982
2983         Reviewed by Darin Adler.
2984
2985         Use SymbolImpl::isPrivate().
2986
2987         * builtins/BuiltinNames.cpp:
2988         * builtins/BuiltinNames.h:
2989         (JSC::BuiltinNames::isPrivateName): Deleted.
2990         * builtins/BuiltinUtils.h:
2991         * bytecode/BytecodeIntrinsicRegistry.cpp:
2992         (JSC::BytecodeIntrinsicRegistry::lookup):
2993         * runtime/CommonIdentifiers.cpp:
2994         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2995         * runtime/CommonIdentifiers.h:
2996         * runtime/ExceptionHelpers.cpp:
2997         (JSC::createUndefinedVariableError):
2998         * runtime/Identifier.h:
2999         (JSC::Identifier::isPrivateName):
3000         * runtime/IdentifierInlines.h:
3001         (JSC::identifierToSafePublicJSValue):
3002         * runtime/ObjectConstructor.cpp:
3003         (JSC::objectConstructorAssign):
3004         (JSC::defineProperties):
3005         (JSC::setIntegrityLevel):
3006         (JSC::testIntegrityLevel):
3007         (JSC::ownPropertyKeys):
3008         * runtime/PrivateName.h:
3009         (JSC::PrivateName::PrivateName):
3010         * runtime/PropertyName.h:
3011         (JSC::PropertyName::isPrivateName):
3012         * runtime/ProxyObject.cpp:
3013         (JSC::performProxyGet):
3014         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3015         (JSC::ProxyObject::performHasProperty):
3016         (JSC::ProxyObject::performPut):
3017         (JSC::ProxyObject::performDelete):
3018         (JSC::ProxyObject::performDefineOwnProperty):
3019
3020 2017-07-29  Keith Miller  <keith_miller@apple.com>
3021
3022         LLInt offsets extractor should be able to handle C++ constexprs
3023         https://bugs.webkit.org/show_bug.cgi?id=174964
3024
3025         Reviewed by Saam Barati.
3026
3027         This patch adds new syntax to the offline asm language. The new keyword,
3028         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
3029         expression. Additionally, if the value is not an identifier you can wrap it in
3030         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
3031         which will get converted into:
3032         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
3033
3034         This patch also changes the data format the LLIntOffsetsExtractor
3035         binary produces.  Previously, it would produce unsigned values;
3036         after this patch every value is an int64_t.  Using an int64_t is
3037         useful because it means that we can represent any constant needed.
3038         int32_t masks are sign extended, then passed on and converted to a
3039         negative literal string in the assembler, so the result will be the
3040         constant expected.
3041
3042         * llint/LLIntOffsetsExtractor.cpp:
3043         (JSC::LLIntOffsetsExtractor::dummy):
3044         * llint/LowLevelInterpreter.asm:
3045         * llint/LowLevelInterpreter64.asm:
3046         * offlineasm/asm.rb:
3047         * offlineasm/ast.rb:
3048         * offlineasm/generate_offset_extractor.rb:
3049         * offlineasm/offsets.rb:
3050         * offlineasm/parser.rb:
3051         * offlineasm/transform.rb:
3052
3053 2017-07-28  Matt Baker  <mattbaker@apple.com>
3054
3055         Web Inspector: capture an async stack trace when web content calls addEventListener
3056         https://bugs.webkit.org/show_bug.cgi?id=174739
3057         <rdar://problem/33468197>
3058
3059         Reviewed by Brian Burg.
3060
3061         Allow debugger agents to perform custom logic when asynchronous stack
3062         trace data is cleared. For example, the PageDebuggerAgent would clear
3063         its list of registered listeners for which call stacks have been recorded.
3064
3065         * inspector/agents/InspectorDebuggerAgent.cpp:
3066         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3067         * inspector/agents/InspectorDebuggerAgent.h:
3068
3069 2017-07-28  Mark Lam  <mark.lam@apple.com>
3070
3071         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3072         https://bugs.webkit.org/show_bug.cgi?id=174948
3073         <rdar://problem/33495680>
3074
3075         Reviewed by Filip Pizlo.
3076
3077         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3078         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3079         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3080         requests to fire this watchpoint.
3081
3082         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3083         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3084         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3085
3086         But since the watchpoint hasn't been destructed yet, it still remains on the
3087         WatchpointSet and needs to guard against being fired in this state.  The fix is
3088         to simply return early if its owner StructureRareData is not live.  This has the
3089         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3090         not firing as we would expect.
3091
3092         This patch also removes some cargo cult copying of watchpoint code which
3093         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3094         used.  This patch removes these unnecessary instantiations.
3095
3096         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3097         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3098         * runtime/StructureRareData.cpp:
3099         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3100         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3101
3102 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3103
3104         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3105         https://bugs.webkit.org/show_bug.cgi?id=174900
3106
3107         Reviewed by Saam Barati.
3108
3109         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
3110         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
3111         The problem is that even the transforming phase also checks these pseudo terminals.
3112
3113             BB1
3114             1: ForceOSRExit
3115             2: CreateDirectArguments
3116
3117             BB2
3118             3: GetButterfly(@2)
3119             4: ForceOSRExit
3120
3121         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
3122
3123         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
3124
3125         * dfg/DFGArgumentsEliminationPhase.cpp:
3126
3127 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3128
3129         [ES] Add support finally to Promise
3130         https://bugs.webkit.org/show_bug.cgi?id=174503
3131
3132         Reviewed by Yusuke Suzuki.
3133
3134         Add support for the `finally` method to Promise according
3135         to https://bugs.webkit.org/show_bug.cgi?id=174503.
3136         Current spec, at stage 3:
3137         https://github.com/tc39/proposal-promise-finally
3138
3139         * builtins/PromisePrototype.js:
3140         (finally):
3141         (const.valueThunk):
3142         (globalPrivate.getThenFinally):
3143         (const.thrower):
3144         (globalPrivate.getCatchFinally):
3145         * runtime/JSPromisePrototype.cpp:
3146
3147 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3148
3149         Unreviewed, build fix for CLoop
3150         https://bugs.webkit.org/show_bug.cgi?id=171637
3151
3152         * domjit/DOMJITGetterSetter.h:
3153
3154 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3155
3156         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3157         https://bugs.webkit.org/show_bug.cgi?id=171637
3158
3159         Reviewed by Darin Adler.
3160
3161         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
3162         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
3163
3164         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
3165         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
3166
3167         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
3168         the op_get_by_id_with_this case yet.
3169         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
3170
3171         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
3172         ClassInfo check.
3173
3174         * CMakeLists.txt:
3175         * JavaScriptCore.xcodeproj/project.pbxproj:
3176         * bytecode/AccessCase.cpp:
3177         (JSC::AccessCase::generateImpl):
3178         * bytecode/GetByIdStatus.cpp:
3179         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3180         * bytecode/GetByIdVariant.cpp:
3181         (JSC::GetByIdVariant::GetByIdVariant):
3182         (JSC::GetByIdVariant::operator=):
3183         (JSC::GetByIdVariant::attemptToMerge):
3184         (JSC::GetByIdVariant::dumpInContext):
3185         * bytecode/GetByIdVariant.h:
3186         (JSC::GetByIdVariant::customAccessorGetter):
3187         (JSC::GetByIdVariant::domAttribute):
3188         (JSC::GetByIdVariant::domJIT): Deleted.
3189         * bytecode/GetterSetterAccessCase.cpp:
3190         (JSC::GetterSetterAccessCase::create):
3191         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3192         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3193         * bytecode/GetterSetterAccessCase.h:
3194         (JSC::GetterSetterAccessCase::domAttribute):
3195         (JSC::GetterSetterAccessCase::customAccessor):
3196         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3197         * bytecompiler/BytecodeGenerator.cpp:
3198         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3199         * create_hash_table:
3200         * dfg/DFGAbstractInterpreterInlines.h:
3201         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3202         * dfg/DFGByteCodeParser.cpp:
3203         (JSC::DFG::blessCallDOMGetter):
3204         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3205         (JSC::DFG::ByteCodeParser::handleGetById):
3206         * dfg/DFGClobberize.h:
3207         (JSC::DFG::clobberize):
3208         * dfg/DFGFixupPhase.cpp:
3209         (JSC::DFG::FixupPhase::fixupNode):
3210         * dfg/DFGNode.h:
3211         * dfg/DFGSpeculativeJIT.cpp:
3212         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3213         * dfg/DFGSpeculativeJIT.h:
3214         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3215         * domjit/DOMJITGetterSetter.h:
3216         (JSC::DOMJIT::GetterSetter::GetterSetter):
3217         (JSC::DOMJIT::GetterSetter::getter):
3218         (JSC::DOMJIT::GetterSetter::compiler):
3219         (JSC::DOMJIT::GetterSetter::resultType):
3220         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3221         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3222         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3223         * ftl/FTLLowerDFGToB3.cpp:
3224         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3225         * jit/Repatch.cpp:
3226         (JSC::tryCacheGetByID):
3227         * jsc.cpp:
3228         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3229         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3230         (WTF::DOMJITGetter::customGetter):
3231         (WTF::DOMJITGetter::finishCreation):
3232         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3233         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3234         (WTF::DOMJITGetterComplex::customGetter):
3235         (WTF::DOMJITGetterComplex::finishCreation):
3236         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3237         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3238         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3239         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3240         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3241         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3242         * runtime/CustomGetterSetter.h:
3243         (JSC::CustomGetterSetter::create):
3244         (JSC::CustomGetterSetter::setter):
3245         (JSC::CustomGetterSetter::CustomGetterSetter):
3246         (): Deleted.
3247         * runtime/DOMAnnotation.h: Added.
3248         (JSC::operator==):
3249         (JSC::operator!=):
3250         * runtime/DOMAttributeGetterSetter.cpp: Added.
3251         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3252         (JSC::isDOMAttributeGetterSetter):
3253         * runtime/Error.cpp:
3254         (JSC::throwDOMAttributeGetterTypeError):
3255         * runtime/Error.h:
3256         (JSC::throwVMDOMAttributeGetterTypeError):
3257         * runtime/JSCustomGetterSetterFunction.cpp:
3258         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3259         * runtime/JSObject.cpp:
3260         (JSC::JSObject::putInlineSlow):
3261         (JSC::JSObject::deleteProperty):
3262         (JSC::JSObject::getOwnStaticPropertySlot):
3263         (JSC::JSObject::reifyAllStaticProperties):
3264         (JSC::JSObject::fillGetterPropertySlot):
3265         (JSC::JSObject::findPropertyHashEntry): Deleted.
3266         * runtime/JSObject.h:
3267         (JSC::JSObject::getOwnNonIndexPropertySlot):
3268         (JSC::JSObject::fillCustomGetterPropertySlot):
3269         * runtime/Lookup.cpp:
3270         (JSC::setUpStaticFunctionSlot):
3271         * runtime/Lookup.h:
3272         (JSC::HashTableValue::domJIT):
3273         (JSC::getStaticPropertySlotFromTable):
3274         (JSC::putEntry):
3275         (JSC::lookupPut):
3276         (JSC::reifyStaticProperty):
3277         (JSC::reifyStaticProperties):
3278         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
3279         this static property table require.
3280
3281         * runtime/ProgramExecutable.cpp:
3282         (JSC::ProgramExecutable::initializeGlobalProperties):
3283         * runtime/PropertyName.h:
3284         * runtime/PropertySlot.cpp:
3285         (JSC::PropertySlot::customGetter):
3286         (JSC::PropertySlot::customAccessorGetter):
3287         * runtime/PropertySlot.h:
3288         (JSC::PropertySlot::domAttribute):
3289         (JSC::PropertySlot::setCustom):
3290         (JSC::PropertySlot::setCacheableCustom):
3291         (JSC::PropertySlot::getValue):
3292         (JSC::PropertySlot::domJIT): Deleted.
3293         * runtime/VM.cpp:
3294         (JSC::VM::VM):
3295         * runtime/VM.h:
3296
3297 2017-07-26  Devin Rousso  <drousso@apple.com>
3298
3299         Web Inspector: create protocol for recording Canvas contexts
3300         https://bugs.webkit.org/show_bug.cgi?id=174481
3301
3302         Reviewed by Joseph Pecoraro.
3303
3304         * inspector/protocol/Canvas.json:
3305          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3306          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3307          - Add `recordingFinished` event that is fired once a recording is finished.
3308
3309         * CMakeLists.txt:
3310         * DerivedSources.make:
3311         * inspector/protocol/Recording.json: Added.
3312          - Add `Type` enum that lists the types of recordings
3313          - Add `InitialState` type that contains information about the canvas context at the
3314            beginning of the recording.
3315          - Add `Frame` type that holds a list of actions that were recorded.
3316          - Add `Recording` type as the container object of recording data.
3317
3318         * inspector/scripts/codegen/generate_js_backend_commands.py:
3319         (JSBackendCommandsGenerator.generate_domain):
3320         Create an agent for domains with no events or commands.
3321
3322         * inspector/InspectorValues.h:
3323         Make Array `get` public so that values can be retrieved if needed.
3324
3325 2017-07-26  Brian Burg  <bburg@apple.com>
3326
3327         Remove WEB_TIMING feature flag
3328         https://bugs.webkit.org/show_bug.cgi?id=174795
3329
3330         Reviewed by Alex Christensen.
3331
3332         * Configurations/FeatureDefines.xcconfig:
3333
3334 2017-07-26  Mark Lam  <mark.lam@apple.com>
3335
3336         Add the ability to change sp and pc to the ARM64 JIT probe.
3337         https://bugs.webkit.org/show_bug.cgi?id=174697
3338         <rdar://problem/33436965>
3339
3340         Reviewed by JF Bastien.
3341
3342         This patch implements the following:
3343
3344         1. The ARM64 probe now supports modifying the pc and sp.
3345
3346            However, lr is not preserved when modifying the pc because it is used as the
3347            scratch register for the indirect jump. Hence, the probe handler function
3348            may not modify both lr and pc in the same probe invocation.
3349
3350         2. Fix probe tests to use bitwise comparison when comparing double register
3351            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
3352
3353         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
3354            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
3355            instructions which require 16 byte alignment for their memory access.
3356
3357         * assembler/MacroAssemblerARM64.cpp:
3358         (JSC::arm64ProbeError):
3359         (JSC::MacroAssembler::probe):
3360         (JSC::arm64ProbeTrampoline): Deleted.
3361         * assembler/testmasm.cpp:
3362         (JSC::isSpecialGPR):
3363         (JSC::testProbeReadsArgumentRegisters):
3364         (JSC::testProbeWritesArgumentRegisters):
3365         (JSC::testProbePreservesGPRS):
3366         (JSC::testProbeModifiesStackPointer):
3367         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3368         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3369
3370 2017-07-25  JF Bastien  <jfbastien@apple.com>
3371
3372         WebAssembly: generate smaller binaries
3373         https://bugs.webkit.org/show_bug.cgi?id=174818
3374
3375         Reviewed by Filip Pizlo.
3376
3377         This patch reduces generated code size for WebAssembly in 2 ways:
3378
3379         1. Use the ZR register when storing zero on ARM64.
3380         2. Synthesize wasm context lazily.
3381
3382         This leads to a modest size reduction on both x86-64 and ARM64 for
3383         large WebAssembly games, without any performance loss on WasmBench
3384         and TitzerBench.
3385
3386         The reason this works is that these games, using Emscripten,
3387         generate 100k+ tiny functions, and our JIT allocation granule
3388         rounds all allocations up to 32 bytes. There are plenty of other
3389         simple gains to be had; I've filed a follow-up bug at
3390         webkit.org/b/174819
3391
3392         We should further avoid the per-function cost of tiering, which
3393         represents the bulk of code generated for small functions.
3394
3395         * assembler/MacroAssemblerARM64.h:
3396         (JSC::MacroAssemblerARM64::storeZero64):
3397         * assembler/MacroAssemblerX86_64.h:
3398         (JSC::MacroAssemblerX86_64::storeZero64):
3399         * b3/B3LowerToAir.cpp:
3400         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
3401         for x86 because it constrains register reuse and codegen in a way