686cbedeafcb42b0ae245162743a345b8afe3a31
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-21  Keith Miller  <keith_miller@apple.com>

        Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
        https://bugs.webkit.org/show_bug.cgi?id=175690

        Reviewed by Michael Saboff.

        This should reduce some of the time we spend building offline asm
        in our builds (except for linux since they already did this).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * offlineasm/backends.rb:
        * offlineasm/generate_offset_extractor.rb:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Not reviewed.

        Make these files dependent on ENABLE(MASM_PROBE).

        * assembler/ProbeContext.cpp:
        * assembler/ProbeContext.h:
        * assembler/ProbeStack.cpp:
        * assembler/ProbeStack.h:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Reviewed by JF Bastien.

        With this patch, the clients of the MacroAssembler::probe() can now change
        stack values without having to worry about whether there is enough room in the
        current stack frame for it or not.  This is done using the Probe::Context's stack
        member like so:

            jit.probe([] (Probe::Context& context) {
                // Both must be references: a copy of the CPUState would leave the
                // real sp untouched, and Probe::Stack is not meant to be copied.
                auto& cpu = context.cpu;
                auto& stack = context.stack();
                uintptr_t* currentSP = cpu.sp<uintptr_t*>();

                // Get a value at the current stack pointer location.
                auto value = stack.get<uintptr_t>(currentSP);

                // Set a value above the current stack pointer (within current frame).
                stack.set<uintptr_t>(currentSP + 10, value);

                // Set a value below the current stack pointer (out of current frame).
                stack.set<uintptr_t>(currentSP - 10, value);

                // Set the new stack pointer.
                cpu.sp() = currentSP - 20;
            });

        What happens behind the scene:

        1. the generated JIT probe code will now call Probe::executeProbe(), and
           Probe::executeProbe() will in turn call the client's probe function.

           Probe::executeProbe() receives the Probe::State on the machine stack passed
           to it by the probe trampoline.  Probe::executeProbe() will instantiate a
           Probe::Context to be passed to the client's probe function.  The client will
           no longer see the Probe::State directly.

        2. The Probe::Context comes with a Probe::Stack which serves as a manager of
           stack pages.  Currently, each page is 1K in size.
           Probe::Context::stack() returns a reference to an instance of Probe::Stack.

        3. Invoking get() or set() on Probe::Stack with an address will lead to the
           following:

           a. the address will be decoded to a baseAddress that points to the 1K page
              that contains that address.

           b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
              If so, go to step (f).  Else, continue with step (c).

           c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
              for that specified baseAddress to this mirror page.

           d. the mirror page will be added to the ProbeStack's m_pages HashMap,
              keyed on the baseAddress.

           e. the ProbeStack will also cache the last baseAddress and its corresponding
              mirror page in use.  With memory accesses tending to be localized, this
              will save us from having to look up the page in the HashMap.

           f. get() will map the requested address to a physical address in the mirror
              page, and return the value at that location.

           g. set() will map the requested address to a physical address in the mirror
              page, and set the value at that location in the mirror page.

              set() will also set a dirty bit corresponding to the "cache line" that
              was modified in the mirror page.

        4. When the client's probe function returns, Probe::executeProbe() will check if
           there are stack changes that need to be applied.  If stack changes are needed:

           a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
              space is available to flush the dirty stack pages.  It will also register a
              flushStackDirtyPages callback function in the Probe::State.  Thereafter,
              Probe::executeProbe() returns to the probe trampoline.

           b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
              a safe place if needed, and then calls the flushStackDirtyPages callback
              if needed.

           c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
              HashMap and flushes all dirty "cache lines" to the machine stack.
              Thereafter, flushStackDirtyPages() returns to the probe trampoline.

           d. lastly, the probe trampoline will restore all register values and return
              to the pc set in the Probe::State.

        To make this patch work, I also had to do the following work:

        5. Refactor MacroAssembler::CPUState into Probe::CPUState.
           Mainly, this means moving the code over to ProbeContext.h.
           I also added some convenience accessor methods for spr registers.

           Moved Probe::Context over to its own file ProbeContext.h/cpp.

        6. Fix all probe trampolines to pass the address of Probe::executeProbe in
           addition to the client's probe function and arg.

           I also took this opportunity to optimize the generated JIT probe code to
           minimize the amount of memory stores needed.

        7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
           either lr or pc (or neither), but not both in the same probe invocation.
           The ARM64 probe trampoline used to have to check for this invariant in the
           assembly trampoline code.  With the introduction of Probe::executeProbe(),
           we can now do it there and simplify the trampoline.

        8. Fix a bug in the old ARM64 probe trampoline for the case where the client
           changes lr.  That code path never worked before, but has now been fixed.

        9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
           MacroAssemblerARMv7.

           We can now use move() with TrustedImmPtr, and it does the same thing but in a
           more generic way.

       10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
           the same semantics as movs (according to the Thumb spec).  This means these
           instructions may trash the APSR flags before we have a chance to preserve them.

           This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
           early on.  This entails adding support for the mrs instruction in the
           ARMv7Assembler.

       11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
           the easy way.

           Also fixed testmasm tests which check flag registers to only compare the
           portions that are modifiable by the client, i.e. some masking is applied.

        This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::mrs):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName): Deleted.
        (JSC::MacroAssembler::CPUState::sprName): Deleted.
        (JSC::MacroAssembler::CPUState::fprName): Deleted.
        (JSC::MacroAssembler::CPUState::gpr): Deleted.
        (JSC::MacroAssembler::CPUState::spr): Deleted.
        (JSC::MacroAssembler::CPUState::fpr): Deleted.
        (JSC:: const): Deleted.
        (JSC::MacroAssembler::CPUState::fpr const): Deleted.
        (JSC::MacroAssembler::CPUState::pc): Deleted.
        (JSC::MacroAssembler::CPUState::fp): Deleted.
        (JSC::MacroAssembler::CPUState::sp): Deleted.
        (JSC::MacroAssembler::CPUState::pc const): Deleted.
        (JSC::MacroAssembler::CPUState::fp const): Deleted.
        (JSC::MacroAssembler::CPUState::sp const): Deleted.
        (JSC::Probe::State::gpr): Deleted.
        (JSC::Probe::State::spr): Deleted.
        (JSC::Probe::State::fpr): Deleted.
        (JSC::Probe::State::gprName): Deleted.
        (JSC::Probe::State::sprName): Deleted.
        (JSC::Probe::State::fprName): Deleted.
        (JSC::Probe::State::pc): Deleted.
        (JSC::Probe::State::fp): Deleted.
        (JSC::Probe::State::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::arm64ProbeError): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::armV7Condition):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::ctiMasmProbeTrampoline):
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/ProbeContext.cpp: Added.
        (JSC::Probe::executeProbe):
        (JSC::Probe::handleProbeStackInitialization):
        (JSC::Probe::probeStateForContext):
        * assembler/ProbeContext.h: Added.
        (JSC::Probe::CPUState::gprName):
        (JSC::Probe::CPUState::sprName):
        (JSC::Probe::CPUState::fprName):
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::CPUState::fpr):
        (JSC::Probe:: const):
        (JSC::Probe::CPUState::fpr const):
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        (JSC::Probe::CPUState::pc const):
        (JSC::Probe::CPUState::fp const):
        (JSC::Probe::CPUState::sp const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::Context::stack):
        (JSC::Probe::Context::hasWritesToFlush):
        (JSC::Probe::Context::releaseStack):
        * assembler/ProbeStack.cpp: Added.
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::hasWritesToFlush):
        (JSC::Probe::Stack::flushWrites):
        (JSC::Probe::Stack::ensurePageFor):
        * assembler/ProbeStack.h: Added.
        (JSC::Probe::Page::baseAddressFor):
        (JSC::Probe::Page::chunkAddressFor):
        (JSC::Probe::Page::baseAddress):
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::hasWritesToFlush const):
        (JSC::Probe::Page::flushWritesIfNeeded):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::newStackPointer const):
        (JSC::Probe::Stack::setNewStackPointer):
        (JSC::Probe::Stack::isValid):
        (JSC::Probe::Stack::pageFor):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::run):
        (): Deleted.
        (JSC::fillStack): Deleted.
        (JSC::testProbeModifiesStackWithCallback): Deleted.

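To make the page-mirroring scheme of steps 2 through 4 in the entry above concrete, here is an added, self-contained C++ simulation; it is not JSC's Probe::Stack code. A 4K byte array stands in for the machine stack, pages are 1K as in the entry, and the "cache line" granularity (64 bytes), the names (ProbeDemo, Page, Stack, runDemo) and the sample values are this example's own choices, not the project's. Writes land only in the heap mirror of a page and mark the touched chunk dirty; flushWrites() copies only the dirty chunks back, which is what leaves the machine stack untouched until the trampoline has made room for the new frame.

```cpp
#include <bitset>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <unordered_map>

namespace ProbeDemo {

constexpr size_t pageSize = 1024;               // 1K pages, as in the ChangeLog entry
constexpr size_t chunkSize = 64;                // "cache line" granularity: a choice of this demo
constexpr size_t chunksPerPage = pageSize / chunkSize;

// A mirror of one 1K page of the machine stack, plus one dirty bit per chunk.
struct Page {
    uintptr_t base;                              // baseAddress of the mirrored stack page
    std::unique_ptr<uint8_t[]> mirror;           // heap copy of the page (step c)
    std::bitset<chunksPerPage> dirty;            // which chunks set() has touched (step g)

    static uintptr_t baseAddressFor(uintptr_t addr) { return addr & ~uintptr_t(pageSize - 1); }  // step a

    explicit Page(uintptr_t addr) : base(baseAddressFor(addr)), mirror(new uint8_t[pageSize]) {
        std::memcpy(mirror.get(), reinterpret_cast<const void*>(base), pageSize);
    }
    uint8_t getByte(uintptr_t addr) const { return mirror[addr - base]; }           // step f
    void setByte(uintptr_t addr, uint8_t v) {                                        // step g
        mirror[addr - base] = v;
        dirty.set((addr - base) / chunkSize);
    }
    bool hasWritesToFlush() const { return dirty.any(); }
    // Copies only the dirty chunks back to the machine stack; returns how many were written (step 4c).
    size_t flushWrites() {
        size_t flushed = 0;
        for (size_t i = 0; i < chunksPerPage; ++i) {
            if (!dirty.test(i)) continue;
            std::memcpy(reinterpret_cast<void*>(base + i * chunkSize), mirror.get() + i * chunkSize, chunkSize);
            ++flushed;
        }
        dirty.reset();
        return flushed;
    }
};

// The page manager: mirrors a page on first touch and remembers the last page used (step e).
class Stack {
public:
    template<typename T> T get(uintptr_t addr) {
        T v;
        uint8_t* out = reinterpret_cast<uint8_t*>(&v);
        for (size_t i = 0; i < sizeof(T); ++i) out[i] = pageFor(addr + i).getByte(addr + i);  // byte-wise, so a value may span pages
        return v;
    }
    template<typename T> void set(uintptr_t addr, T v) {
        const uint8_t* in = reinterpret_cast<const uint8_t*>(&v);
        for (size_t i = 0; i < sizeof(T); ++i) pageFor(addr + i).setByte(addr + i, in[i]);
    }
    size_t pageCount() const { return m_pages.size(); }
    bool hasWritesToFlush() const {
        for (const auto& kv : m_pages) if (kv.second->hasWritesToFlush()) return true;
        return false;
    }
    size_t flushWrites() {
        size_t flushed = 0;
        for (auto& kv : m_pages) flushed += kv.second->flushWrites();
        return flushed;
    }
private:
    Page& pageFor(uintptr_t addr) {
        uintptr_t base = Page::baseAddressFor(addr);
        if (m_lastPage && m_lastPage->base == base) return *m_lastPage;       // step e: hot page, no lookup
        auto it = m_pages.find(base);                                          // step b
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::unique_ptr<Page>(new Page(addr))).first;  // steps c and d
        m_lastPage = it->second.get();
        return *m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    Page* m_lastPage = nullptr;
};

struct DemoResult {
    size_t pagesMirrored, chunksFlushed;
    uint64_t readBackFromMirror, machineBeforeFlush, machineAfterFlush, straddlingAfterFlush;
};

alignas(pageSize) static uint8_t machineStack[4 * pageSize];   // constructed stand-in for the real stack

DemoResult runDemo() {
    std::memset(machineStack, 0, sizeof machineStack);
    const uintptr_t lo = reinterpret_cast<uintptr_t>(machineStack);
    const uintptr_t sp = lo + 2 * pageSize + 512;             // pretend this is cpu.sp
    const uintptr_t straddle = lo + 2 * pageSize - 4;         // an 8-byte value crossing a page boundary
    const uint64_t value = 0x1122334455667788ull;
    Stack stack;
    stack.set<uint64_t>(sp, value);                           // within the current page
    stack.set<uint64_t>(sp - pageSize, value);                // below sp: a page the frame does not own yet
    stack.set<uint64_t>(straddle, 0xAABBCCDDEEFF0011ull);
    DemoResult r = {};
    r.pagesMirrored = stack.pageCount();
    r.readBackFromMirror = stack.get<uint64_t>(sp);
    std::memcpy(&r.machineBeforeFlush, reinterpret_cast<void*>(sp), sizeof r.machineBeforeFlush);  // still untouched
    r.chunksFlushed = stack.flushWrites();                    // what flushStackDirtyPages would do
    std::memcpy(&r.machineAfterFlush, reinterpret_cast<void*>(sp), sizeof r.machineAfterFlush);
    std::memcpy(&r.straddlingAfterFlush, reinterpret_cast<void*>(straddle), sizeof r.straddlingAfterFlush);
    return r;
}

} // namespace ProbeDemo

int main() {
    ProbeDemo::DemoResult r = ProbeDemo::runDemo();
    std::printf("pages mirrored=%zu chunks flushed=%zu before=%#llx after=%#llx\n",
        r.pagesMirrored, r.chunksFlushed, (unsigned long long)r.machineBeforeFlush, (unsigned long long)r.machineAfterFlush);
    return 0;
}
```

The demo writes two pages and one value that straddles them; before flushWrites() the machine stack still reads zero at sp, and afterwards only four 64-byte chunks are written back, which is the cost the dirty bits buy over copying whole pages.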
2017-08-19  Andy Estes  <aestes@apple.com>

        [Payment Request] Add interface stubs
        https://bugs.webkit.org/show_bug.cgi?id=175730

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-08-18  Per Arne Vollan  <pvollan@apple.com>

        Implement 32-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175449

        Reviewed by Mark Lam.

        This is needed to enable the DFG.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        (dllLauncherEntryPoint):
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2017-08-18  Mark Lam  <mark.lam@apple.com>

        Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
        https://bugs.webkit.org/show_bug.cgi?id=175725
        <rdar://problem/33965477>

        Rubber-stamped by JF Bastien.

        This is purely a refactoring patch (in preparation for the introduction of a
        Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
        later).  This patch does not change any semantics / behavior.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr): Deleted.
        (JSC::ProbeContext::spr): Deleted.
        (JSC::ProbeContext::fpr): Deleted.
        (JSC::ProbeContext::gprName): Deleted.
        (JSC::ProbeContext::sprName): Deleted.
        (JSC::ProbeContext::fprName): Deleted.
        (JSC::ProbeContext::pc): Deleted.
        (JSC::ProbeContext::fp): Deleted.
        (JSC::ProbeContext::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeError):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):
        (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.

2017-08-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
        https://bugs.webkit.org/show_bug.cgi?id=175693
        <rdar://problem/33952443>

        Reviewed by Saam Barati.

        64-bit constants in an unreachable context were being decoded as
        32-bit constants. This is pretty benign because unreachable code
        shouldn't occur often. The effect is that 64-bit constants which
        can't be encoded as 32-bit constants would cause the binary to be
        rejected.

        At the same time, 32-bit integer constants should be decoded as signed.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

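Added example for the entry above (it is not JSC's WasmFunctionParser): a C++ signed-LEB128 decoder parameterised on the width, so that both points of the entry can be seen directly. The names (LebDemo, decodeSLEB, encodeSLEB, parseConst) and the hand-built byte sequences are this example's own; the opcodes 0x41 and 0x42 are WebAssembly's i32.const and i64.const. parseConst() takes a flag that routes an i64 immediate through the i32 decoder, which reproduces the rejection the entry describes, and decodeSLEB<32> sign-extends, so the single byte 0x7F reads as -1 rather than 127.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

namespace LebDemo {

// Decodes one signed LEB128 integer of `bits` width (32 or 64) from `in` at `offset`.
// Returns false when the encoding is truncated, longer than the width allows, or carries
// high bits that are not a sign extension (i.e. the value does not fit in `bits`).
// On success `out` holds the value and `offset` is advanced past it.
template<unsigned bits>
bool decodeSLEB(const std::vector<uint8_t>& in, size_t& offset, int64_t& out) {
    static_assert(bits == 32 || bits == 64, "wasm constants are i32 or i64");
    const unsigned maxBytes = (bits + 6) / 7;                    // 5 for i32, 10 for i64
    uint64_t result = 0;
    unsigned shift = 0;
    size_t pos = offset;
    for (unsigned i = 0; i < maxBytes; ++i) {
        if (pos >= in.size())
            return false;                                         // truncated
        uint8_t b = in[pos++];
        result |= uint64_t(b & 0x7F) << shift;
        if (b & 0x80) {                                           // continuation bit: more groups follow
            shift += 7;
            continue;
        }
        unsigned remaining = bits - shift;                        // payload bits this final group may carry
        if (remaining < 7) {
            // The bits above the width must all equal the sign bit, otherwise the value does not fit.
            uint8_t unused = uint8_t(0x7F & ~((1u << remaining) - 1));
            bool negative = (b >> (remaining - 1)) & 1;
            if ((b & unused) != (negative ? unused : 0))
                return false;
        }
        shift += 7;
        if (shift < 64 && (b & 0x40))
            result |= ~uint64_t(0) << shift;                      // sign-extend: the constants are signed
        out = int64_t(result);
        offset = pos;
        return true;
    }
    return false;                                                 // still continuing after maxBytes bytes
}

// Encodes `value` as signed LEB128 in its shortest form.
std::vector<uint8_t> encodeSLEB(int64_t value) {
    std::vector<uint8_t> out;
    for (;;) {
        uint8_t byte = uint8_t(value & 0x7F);
        value >>= 7;                                              // arithmetic shift keeps the sign
        bool done = (value == 0 && !(byte & 0x40)) || (value == -1 && (byte & 0x40));
        if (!done) byte |= 0x80;
        out.push_back(byte);
        if (done) return out;
    }
}

template<unsigned bits>
bool roundTrips(int64_t value) {
    std::vector<uint8_t> bytes = encodeSLEB(value);
    size_t offset = 0;
    int64_t back = 0;
    return decodeSLEB<bits>(bytes, offset, back) && back == value && offset == bytes.size();
}

struct Decoded { bool ok; bool is64; int64_t value; };

// Parses one `i32.const` (0x41) or `i64.const` (0x42) instruction with its SLEB128 immediate.
// With `decodeBothAs32` the i64 immediate goes through the i32 decoder, the class of mistake
// the entry describes: wide constants are then rejected although the module is valid.
Decoded parseConst(const std::vector<uint8_t>& code, bool decodeBothAs32) {
    Decoded d = {false, false, 0};
    if (code.empty() || (code[0] != 0x41 && code[0] != 0x42))
        return d;
    d.is64 = code[0] == 0x42;
    size_t offset = 1;
    d.ok = (d.is64 && !decodeBothAs32) ? decodeSLEB<64>(code, offset, d.value)
                                       : decodeSLEB<32>(code, offset, d.value);
    return d;
}

} // namespace LebDemo

int main() {
    // i64.const 0x100000000: one bit above the i32 range. Bytes constructed by hand for the demo.
    std::vector<uint8_t> wide = {0x42, 0x80, 0x80, 0x80, 0x80, 0x10};
    LebDemo::Decoded good = LebDemo::parseConst(wide, false);
    LebDemo::Decoded bad = LebDemo::parseConst(wide, true);
    std::printf("correct decoder: ok=%d value=%lld; i32-for-everything decoder: ok=%d\n",
        good.ok, (long long)good.value, bad.ok);
    std::vector<uint8_t> minusOne = {0x41, 0x7F};                 // i32.const -1 in one byte
    std::printf("i32.const 0x7F decodes as %lld (signed), not 127\n",
        (long long)LebDemo::parseConst(minusOne, false).value);
    return 0;
}
```

The final-byte check is what makes the width matter: a 5-byte i32 encoding may only carry four payload bits in its last byte, so an immediate that needs bit 32 is correctly refused as i32 and correctly accepted as i64.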
2017-08-17  Robin Morisset  <rmorisset@apple.com>

        Teach DFGFixupPhase.cpp that the current scope is always a cell
        https://bugs.webkit.org/show_bug.cgi?id=175610

        Reviewed by Keith Miller.

        Also teach it that the argument to with can usually be speculated to be an object,
        since toObject() is called on it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
        https://bugs.webkit.org/show_bug.cgi?id=175644

        Reviewed by Brian Burg.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Only use 16 VFP registers if !CPU(ARM_NEON).
        https://bugs.webkit.org/show_bug.cgi?id=175514

        Reviewed by JF Bastien.

        Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
        says that there are only 16 128-bit NEON registers.  This change is merely to
        correct the code documentation of these registers.  The FPQuadRegisterID are
        currently unused.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::lastFPRegister):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastFPRegister):
        (JSC::ARMv7Assembler::fprName):
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARMv7.cpp:

2017-08-17  Andreas Kling  <akling@apple.com>

        Disable CSS regions at compile time
        https://bugs.webkit.org/show_bug.cgi?id=175630

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>

        [WPE][GTK] Ensure proper casting of data in gvariants
        https://bugs.webkit.org/show_bug.cgi?id=175667

        Reviewed by Michael Catanzaro.

        g_variant_new requires data to have the correct width for their types, using
        casting if necessary. Some data of type `unsigned` were being saved to `guint64`
        types without explicit casting, leading to undefined behavior in some platforms.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        (Inspector::RemoteInspector::listingForAutomationTarget const):
        (Inspector::RemoteInspector::sendMessageToRemote):

2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid code bloating for iteration if block does not have "break"
        https://bugs.webkit.org/show_bug.cgi?id=173228

        Reviewed by Keith Miller.

        Currently, we always emit code for the break path when emitting for-of iteration.
        But we can know whether this break path can be used when emitting the bytecode.

        This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
        the break label may be bound. We emit a break path only when it returns
        true. This reduces bytecode bloating when using for-of iteration.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        (JSC::BytecodeGenerator::emitLabel):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC::Label::bind const):
        (JSC::Label::hasOneRef const):
        (JSC::Label::isBound const):
        (JSC::Label::Label): Deleted.
        * bytecompiler/LabelScope.h:
        (JSC::LabelScope::hasOneRef const):
        (JSC::LabelScope::breakTargetMayBeBound const):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>

        ARM build fix after r220807 and r220834.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Unreviewed typo fix.

        * assembler/MacroAssemblerARM.cpp:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for ARM_TRADITIONAL after r220807.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Not reviewed.

        * assembler/MacroAssemblerARM.cpp:

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Add back the ability to disable MASM_PROBE from the build.
        https://bugs.webkit.org/show_bug.cgi?id=175656
        <rdar://problem/33933720>

        Reviewed by Yusuke Suzuki.

        This is needed for ports that the existing MASM_PROBE implementation doesn't work
        well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
        default if !ENABLE(MASM_PROBE).

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-16  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Older-iOS install name symbols are being exported on other platforms
        https://bugs.webkit.org/show_bug.cgi?id=175654

        Reviewed by Tim Horton.

        * API/JSBase.cpp: Define the symbols only when targeting iOS.

2017-08-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
        https://bugs.webkit.org/show_bug.cgi?id=175617
        <rdar://problem/33912104>

        Reviewed by JF Bastien.

        This patch adds a new feature to MacroAssembler::probe() where the probe function
        can provide a ProbeFunction callback to fill in stack values after the stack
        pointer has been adjusted.  The probe function can use this feature as follows:

        1. Set the new sp value in the ProbeContext's CPUState.

        2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
           which will do the work of filling in the stack values after the probe
           trampoline has adjusted the machine stack pointer.

        3. Set the ProbeContext's initializeStackArgs to any value that the client wants
           to pass to the initializeStackFunction callback.

        4. Return from the probe function.

        Upon returning from the probe function, the probe trampoline will adjust the
        stack pointer based on the sp value in CPUState.  If initializeStackFunction
        is not set, the probe trampoline will restore registers and return to its caller.

        If initializeStackFunction is set, the trampoline will move the ProbeContext
        beyond the range of the stack pointer, i.e. it will place the new ProbeContext at
        an address lower than where CPUState.sp() points.  This ensures that the
        ProbeContext will not be trashed by the initializeStackFunction when it writes to
        the stack.  Then, the trampoline will call back to the initializeStackFunction
        ProbeFunction to let it fill in the stack values as desired.  The
        initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
        the new location.

        initializeStackFunction may now write to the stack at addresses greater or
        equal to CPUState.sp(), but not below that.  initializeStackFunction is also
        not allowed to change CPUState.sp().  If the initializeStackFunction does not
        abide by these rules, then behavior is undefined, and bad things may happen.

        For future reference, some implementation details that this patch needed to
        be mindful of:

        1. When the probe trampoline allocates stack space for the ProbeContext, it
           should include OUT_SIZE as well.  This ensures that it doesn't have to move
           the ProbeContext on exit if the probe function didn't change the sp.

        2. If the trampoline has to move the ProbeContext, it needs to point the machine
           sp to new ProbeContext first before copying over the ProbeContext data.  This
           protects the new ProbeContext from possibly being trashed by interrupts.

        3. When computing the new address of ProbeContext to move to, we need to make
           sure that it is properly aligned in accordance with stack ABI requirements
           (just like we did when we allocated the ProbeContext on entry to the
           probe trampoline).

        4. When copying the ProbeContext to its new location, the trampoline should
           always copy words from low addresses to high addresses.  This is because if
           we're moving the ProbeContext, we'll always be moving it to a lower address.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):

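As an added illustration of the four-step protocol and the four implementation details in the entry above, here is a self-contained C++ simulation of the trampoline's exit path; it is not JSC's trampoline code. A byte array stands in for the machine stack, CPUState is trimmed to a few registers, and the 16-byte alignment, the OUT_SIZE stand-in and the names (TrampolineDemo, runProbe, reservingProbe, passiveProbe, fillReservedStack, initializeStackArg) are this example's own assumptions. The part worth studying is the move: the new home is computed below the client's new sp and aligned, sp is pointed at it before the copy, and the copy proceeds word by word from low to high addresses, which stays correct even though the old and new ProbeContext overlap.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>

namespace TrampolineDemo {

constexpr size_t stackAlignment = 16;                // stack ABI alignment assumed by this demo
constexpr size_t outSize = 2 * sizeof(uintptr_t);    // stand-in for the trampoline's OUT_SIZE (a guess)

struct CPUState { uintptr_t sp; uintptr_t pc; uintptr_t gpr[4]; };   // trimmed-down register file

struct ProbeContext;
typedef void (*ProbeFunction)(ProbeContext*);

struct ProbeContext {
    CPUState cpu;
    ProbeFunction initializeStackFunction;           // set by the client (step 2)
    void* initializeStackArg;                        // handed through to it (step 3)
};

alignas(stackAlignment) static uint8_t machineStack[4096];   // constructed stand-in for the real stack

static uintptr_t alignDown(uintptr_t a) { return a & ~uintptr_t(stackAlignment - 1); }

// Word copy from low to high addresses. Safe whenever dst <= src, even if the ranges overlap,
// because every source word is read before the destination word that could overwrite it.
static void copyWordsLowToHigh(uintptr_t dst, uintptr_t src, size_t bytes) {
    uint8_t* d = reinterpret_cast<uint8_t*>(dst);
    const uint8_t* s = reinterpret_cast<const uint8_t*>(src);
    for (size_t i = 0; i < bytes; i += sizeof(uintptr_t))
        std::memcpy(d + i, s + i, sizeof(uintptr_t));   // one word at a time, lowest word first
}

struct TrampolineResult {
    uintptr_t entrySp, finalSp, originalContext, finalContext;
    bool moved, contextIntact, contextBelowSp, contextAligned;
    uint64_t wordAtNewSp;
};

// One simulated probe invocation: entry, the client's probe, the optional move plus callback, exit.
TrampolineResult runProbe(ProbeFunction probe) {
    std::memset(machineStack, 0, sizeof machineStack);
    TrampolineResult r = {};
    uintptr_t sp = reinterpret_cast<uintptr_t>(machineStack) + sizeof machineStack - 256;  // interrupted code's sp
    r.entrySp = sp;

    // Detail 1: reserve OUT_SIZE as well, so an unchanged sp never forces a move on exit.
    uintptr_t ctxAddr = alignDown(sp - sizeof(ProbeContext) - outSize);
    ProbeContext* ctx = new (reinterpret_cast<void*>(ctxAddr)) ProbeContext();
    ctx->cpu.sp = sp;
    ctx->cpu.pc = 0x1000;
    for (int i = 0; i < 4; ++i) ctx->cpu.gpr[i] = 0xA0 + i;
    r.originalContext = ctxAddr;

    probe(ctx);                                      // the client may lower cpu.sp and set the callback

    uintptr_t newSp = ctx->cpu.sp;
    if (ctx->initializeStackFunction) {
        uintptr_t newCtxAddr = alignDown(newSp - sizeof(ProbeContext));   // detail 3: keep ABI alignment
        if (newCtxAddr < ctxAddr) {                  // the client's new frame would overlap the context
            sp = newCtxAddr;                         // detail 2: sp covers the new home before the copy
            ProbeContext* moved = new (reinterpret_cast<void*>(newCtxAddr)) ProbeContext;  // no writes yet
            copyWordsLowToHigh(newCtxAddr, ctxAddr, sizeof(ProbeContext));                // detail 4
            ctx = moved;
            r.moved = true;
        }
        ctx->initializeStackFunction(ctx);           // may write at or above cpu.sp only; must not change it
    }

    sp = ctx->cpu.sp;                                // "restore registers": the client's sp takes effect
    r.finalSp = sp;
    r.finalContext = reinterpret_cast<uintptr_t>(ctx);
    r.contextIntact = ctx->cpu.pc == 0x1000 && ctx->cpu.gpr[0] == 0xA0 && ctx->cpu.gpr[3] == 0xA3;
    r.contextBelowSp = r.finalContext + sizeof(ProbeContext) <= newSp;
    r.contextAligned = r.finalContext % stackAlignment == 0;
    std::memcpy(&r.wordAtNewSp, reinterpret_cast<void*>(newSp), sizeof r.wordAtNewSp);
    return r;
}

// A client following steps 1 through 4 of the entry.
constexpr uint64_t fillPattern = 0xFEEDFACECAFEBEEFull;

static void fillReservedStack(ProbeContext* ctx) {
    uintptr_t bytes = reinterpret_cast<uintptr_t>(ctx->initializeStackArg);
    for (uintptr_t off = 0; off + sizeof fillPattern <= bytes; off += sizeof fillPattern)
        std::memcpy(reinterpret_cast<void*>(ctx->cpu.sp + off), &fillPattern, sizeof fillPattern);
}

static void reservingProbe(ProbeContext* ctx) {
    ctx->cpu.sp -= 32;                                              // 1. new sp
    ctx->initializeStackFunction = fillReservedStack;               // 2. callback
    ctx->initializeStackArg = reinterpret_cast<void*>(uintptr_t(32)); // 3. its argument
}                                                                   // 4. return

static void passiveProbe(ProbeContext*) {}                          // changes nothing: no move, no callback

} // namespace TrampolineDemo

int main() {
    TrampolineDemo::TrampolineResult r = TrampolineDemo::runProbe(TrampolineDemo::reservingProbe);
    std::printf("moved=%d intact=%d sp lowered by %zu bytes, word at new sp=%#llx\n",
        r.moved, r.contextIntact, (size_t)(r.entrySp - r.finalSp), (unsigned long long)r.wordAtNewSp);
    return 0;
}
```

With the sizes chosen here the reserving client lowers sp by 32 bytes, the 64-byte context is re-homed 16 bytes lower than before (so the two copies overlap), and the callback's writes land in the 32 reserved bytes above the moved context; the passive client triggers neither a move nor a callback because the OUT_SIZE slack already keeps the context clear of an unchanged sp.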
643 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
644
645         Fix JSCOnly ARM buildbots after r220047 and r220184
646         https://bugs.webkit.org/show_bug.cgi?id=174993
647
648         Reviewed by Carlos Alberto Lopez Perez.
649
650         * CMakeLists.txt: Generate only one backend on Linux to save build time.
651
652 2017-08-16  Andy Estes  <aestes@apple.com>
653
654         [Payment Request] Add an ENABLE flag and an experimental feature preference
655         https://bugs.webkit.org/show_bug.cgi?id=175622
656
657         Reviewed by Tim Horton.
658
659         * Configurations/FeatureDefines.xcconfig:
660
661 2017-08-15  Robin Morisset  <rmorisset@apple.com>
662
663         We are too conservative about the effects of PushWithScope
664         https://bugs.webkit.org/show_bug.cgi?id=175584
665
666         Reviewed by Saam Barati.
667
668         PushWithScope converts its argument to an object (this can throw a type error,
669         but has no other observable effect), and allocates a new scope, that it then
670         makes the new current scope. We were a bit too
671         conservative in saying that it clobbers the world.
672
673         * dfg/DFGAbstractInterpreterInlines.h:
674         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
675         * dfg/DFGClobberize.h:
676         (JSC::DFG::clobberize):
677         * dfg/DFGDoesGC.cpp:
678         (JSC::DFG::doesGC):
679
680 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
681
682         Make DataTransferItemList work with plain text entries
683         https://bugs.webkit.org/show_bug.cgi?id=175596
684
685         Reviewed by Wenson Hsieh.
686
687         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
688
689         * runtime/CommonIdentifiers.h:
690
691 2017-08-15  Robin Morisset  <rmorisset@apple.com>
692
693         Support the 'with' keyword in FTL
694         https://bugs.webkit.org/show_bug.cgi?id=175585
695
696         Reviewed by Saam Barati.
697
        Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
        and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
        to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
        that takes its parentScope argument first.
702
703         * bytecompiler/BytecodeGenerator.cpp:
704         (JSC::BytecodeGenerator::emitPushWithScope):
705         * debugger/DebuggerCallFrame.cpp:
706         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
707         * dfg/DFGByteCodeParser.cpp:
708         (JSC::DFG::ByteCodeParser::parseBlock):
709         * dfg/DFGFixupPhase.cpp:
710         (JSC::DFG::FixupPhase::fixupNode):
711         * dfg/DFGSpeculativeJIT.cpp:
712         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
713         * ftl/FTLCapabilities.cpp:
714         (JSC::FTL::canCompile):
715         * ftl/FTLLowerDFGToB3.cpp:
716         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
717         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
718         * jit/JITOperations.cpp:
719         * runtime/CommonSlowPaths.cpp:
720         (JSC::SLOW_PATH_DECL):
721         * runtime/Completion.cpp:
722         (JSC::evaluateWithScopeExtension):
723         * runtime/JSWithScope.cpp:
724         (JSC::JSWithScope::create):
725         * runtime/JSWithScope.h:
726
727 2017-08-15  Saam Barati  <sbarati@apple.com>
728
729         Make VM::scratchBufferForSize thread safe
730         https://bugs.webkit.org/show_bug.cgi?id=175604
731
732         Reviewed by Geoffrey Garen and Mark Lam.
733
734         I want to use the VM::scratchBufferForSize in another patch I'm writing.
735         The use case for my other patch is to call it from the compiler thread.
736         When reading the code, I saw that this API was not thread safe. This patch
737         makes it thread safe. It actually turns out we were calling this API from
738         the compiler thread already when we created FTL::State for an FTL OSR entry
739         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
740         is now correct with this patch.
741
742         * runtime/VM.cpp:
743         (JSC::VM::VM):
744         (JSC::VM::~VM):
745         (JSC::VM::gatherConservativeRoots):
746         (JSC::VM::scratchBufferForSize):
747         * runtime/VM.h:
748         (JSC::VM::scratchBufferForSize): Deleted.
749
750 2017-08-15  Keith Miller  <keith_miller@apple.com>
751
752         JSC named bytecode offsets should use references rather than pointers
753         https://bugs.webkit.org/show_bug.cgi?id=175601
754
755         Reviewed by Saam Barati.
756
757         * dfg/DFGByteCodeParser.cpp:
758         (JSC::DFG::ByteCodeParser::parseBlock):
759         * jit/JITOpcodes.cpp:
760         (JSC::JIT::emit_op_overrides_has_instance):
761         (JSC::JIT::emit_op_instanceof):
762         (JSC::JIT::emitSlow_op_instanceof):
763         (JSC::JIT::emitSlow_op_instanceof_custom):
764         * jit/JITOpcodes32_64.cpp:
765         (JSC::JIT::emit_op_overrides_has_instance):
766         (JSC::JIT::emit_op_instanceof):
767         (JSC::JIT::emitSlow_op_instanceof):
768         (JSC::JIT::emitSlow_op_instanceof_custom):
769
770 2017-08-15  Keith Miller  <keith_miller@apple.com>
771
772         Enable named offsets into JSC bytecodes
773         https://bugs.webkit.org/show_bug.cgi?id=175561
774
775         Reviewed by Mark Lam.
776
777         This patch adds the ability to add named offsets into JSC's
778         bytecodes.  In the bytecode json file, instead of listing a
779         length, you can now list a set of names and their types. Each
        opcode with an offsets property will have a struct named after the
        opcode in our C++ naming style. For example,
        op_overrides_has_instance would become OpOverridesHasInstance. The
        struct has the same memory layout as the instruction list but
        comes with handy named accessors.
785
786         As a first cut I converted the various instanceof bytecodes to use
787         named offsets.
788
789         As an example op_overrides_has_instance produces the following struct:
790
791         struct OpOverridesHasInstance {
792         public:
793             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
794             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
795             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
796             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
797             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
798             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
799             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
800             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
801
802         private:
803             friend class LLIntOffsetsExtractor;
804             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
805             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
806             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
807             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
808         };
809
810         * CMakeLists.txt:
811         * DerivedSources.make:
812         * JavaScriptCore.xcodeproj/project.pbxproj:
813         * bytecode/BytecodeList.json:
814         * dfg/DFGByteCodeParser.cpp:
815         (JSC::DFG::ByteCodeParser::parseBlock):
816         * generate-bytecode-files:
817         * jit/JITOpcodes.cpp:
818         (JSC::JIT::emit_op_overrides_has_instance):
819         (JSC::JIT::emit_op_instanceof):
820         (JSC::JIT::emitSlow_op_instanceof):
821         (JSC::JIT::emitSlow_op_instanceof_custom):
822         * jit/JITOpcodes32_64.cpp:
823         (JSC::JIT::emit_op_overrides_has_instance):
824         (JSC::JIT::emit_op_instanceof):
825         (JSC::JIT::emitSlow_op_instanceof):
826         (JSC::JIT::emitSlow_op_instanceof_custom):
827         * llint/LLIntOffsetsExtractor.cpp:
828         * llint/LowLevelInterpreter.asm:
829         * llint/LowLevelInterpreter32_64.asm:
830         * llint/LowLevelInterpreter64.asm:
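
Added example (editor's, not code from the JavaScriptCore tree): a compilable model of the layout contract behind the generated struct quoted in this entry. The `Instruction` union, the `Opcode` alias, the `LLIntOffsetsExtractor` class and the fake opcode label here are stand-ins for JSC's, chosen as assumptions so the block runs on its own. It shows that a struct built from Instruction-aligned slots can be overlaid on the instruction stream, that `offsetof` on its private members yields the slot offsets the offline assembler consumes, and that a `static_assert` catches drift between the struct and the bytecode's length.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <type_traits>

// Assumption: a stand-in for JSC's Instruction union, one pointer-sized slot.
// Every operand of a bytecode occupies one such slot, so a struct whose members
// are Instruction-aligned can be laid over the instruction stream directly.
union Instruction {
    void* opcode;   // opcode slot (a label address in a threaded interpreter)
    int operand;    // operand slot (a virtual register index or constant index)
};
using Opcode = void*;

struct OpOverridesHasInstance {
public:
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

    static constexpr size_t length = 4; // slots occupied, what the old JSON "length" field encoded

private:
    friend class LLIntOffsetsExtractor;
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// The layout contract: the overlay must be exactly as long as the bytecode it
// names, otherwise the accessors would silently read the neighbouring bytecode.
static_assert(sizeof(OpOverridesHasInstance) == OpOverridesHasInstance::length * sizeof(Instruction),
              "named-offset struct must match the instruction list layout");

// Stand-in for the extractor that hands slot offsets to the offline assembler.
class LLIntOffsetsExtractor {
public:
    static size_t dstOffset() { return offsetof(OpOverridesHasInstance, m_dst); }
    static size_t hasInstanceValueOffset() { return offsetof(OpOverridesHasInstance, m_hasInstanceValue); }
};

// Emit the bytecode the old way, by raw slot index (pc[1], pc[2], pc[3]).
void emitByIndex(Instruction* pc, int dst, int constructor, int hasInstanceValue)
{
    static int opcodeMarker;           // any stable address serves as a fake opcode label
    pc[0].opcode = &opcodeMarker;
    pc[1].operand = dst;
    pc[2].operand = constructor;
    pc[3].operand = hasInstanceValue;
}

// Read the same slots back through the named-offset overlay.
const OpOverridesHasInstance& asNamed(const Instruction* pc)
{
    return *reinterpret_cast<const OpOverridesHasInstance*>(pc);
}

// True if what was emitted by index is exactly what the named accessors read back.
bool roundTripsThroughNamedOffsets(int dst, int constructor, int hasInstanceValue)
{
    Instruction stream[OpOverridesHasInstance::length] = {};
    emitByIndex(stream, dst, constructor, hasInstanceValue);
    const OpOverridesHasInstance& op = asNamed(stream);
    return op.opcode() == stream[0].opcode
        && op.dst() == dst
        && op.constructor() == constructor
        && op.hasInstanceValue() == hasInstanceValue;
}

int main()
{
    std::printf("sizeof(OpOverridesHasInstance) = %zu bytes, dst slot at byte %zu\n",
                sizeof(OpOverridesHasInstance), LLIntOffsetsExtractor::dstOffset());
    std::printf("round trip ok: %d\n", roundTripsThroughNamedOffsets(3, 7, 12));
    return 0;
}
```

The `static_assert` is the check worth copying: the JSON entry and the generated struct are two descriptions of the same layout, and the LLInt asm files consume the offsets, so any mismatch between them is an out-of-bounds read of the instruction stream rather than a compile error unless something pins the size.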
831
832 2017-08-15  Mark Lam  <mark.lam@apple.com>
833
834         Update testmasm to use new CPUState APIs.
835         https://bugs.webkit.org/show_bug.cgi?id=175573
836
837         Reviewed by Keith Miller.
838
839         1. Applied convenience CPUState accessors to minimize casting.
840         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
841            messages.
842         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
843            casting is (mostly) no longer an issue.
844         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
845            to make it clear that we're comparing against the bit values of testWord64(id).
846         5. Added a "Completed N tests" message at the end of running all tests.
847            This makes it easy to tell at a glance that testmasm completed successfully
848            versus when it crashed midway in a test.  The number of tests also serves as
849            a quick checksum to confirm that we ran the number of tests we expected.
850
851         * assembler/testmasm.cpp:
852         (WTF::printInternal):
853         (JSC::testSimple):
854         (JSC::testProbeReadsArgumentRegisters):
855         (JSC::testProbeWritesArgumentRegisters):
856         (JSC::testProbePreservesGPRS):
857         (JSC::testProbeModifiesStackPointer):
858         (JSC::testProbeModifiesProgramCounter):
859         (JSC::run):
860
861 2017-08-14  Keith Miller  <keith_miller@apple.com>
862
863         Add testing tool to lie to the DFG about profiles
864         https://bugs.webkit.org/show_bug.cgi?id=175487
865
866         Reviewed by Saam Barati.
867
868         This patch adds a new bytecode identity_with_profile that lets
869         us lie to the DFG about what profiles it has seen as the input to
870         another bytecode. Previously, there was no reliable way to force
        a given profile when we tiered up.
872
873         * bytecode/BytecodeDumper.cpp:
874         (JSC::BytecodeDumper<Block>::dumpBytecode):
875         * bytecode/BytecodeIntrinsicRegistry.h:
876         * bytecode/BytecodeList.json:
877         * bytecode/BytecodeUseDef.h:
878         (JSC::computeUsesForBytecodeOffset):
879         (JSC::computeDefsForBytecodeOffset):
880         * bytecode/SpeculatedType.cpp:
881         (JSC::speculationFromString):
882         * bytecode/SpeculatedType.h:
883         * bytecompiler/BytecodeGenerator.cpp:
884         (JSC::BytecodeGenerator::emitIdWithProfile):
885         * bytecompiler/BytecodeGenerator.h:
886         * bytecompiler/NodesCodegen.cpp:
887         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
888         * dfg/DFGAbstractInterpreterInlines.h:
889         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
890         * dfg/DFGByteCodeParser.cpp:
891         (JSC::DFG::ByteCodeParser::parseBlock):
892         * dfg/DFGCapabilities.cpp:
893         (JSC::DFG::capabilityLevel):
894         * dfg/DFGClobberize.h:
895         (JSC::DFG::clobberize):
896         * dfg/DFGDoesGC.cpp:
897         (JSC::DFG::doesGC):
898         * dfg/DFGFixupPhase.cpp:
899         (JSC::DFG::FixupPhase::fixupNode):
900         * dfg/DFGMayExit.cpp:
901         * dfg/DFGNode.h:
902         (JSC::DFG::Node::getForcedPrediction):
903         * dfg/DFGNodeType.h:
904         * dfg/DFGPredictionPropagationPhase.cpp:
905         * dfg/DFGSafeToExecute.h:
906         (JSC::DFG::safeToExecute):
907         * dfg/DFGSpeculativeJIT32_64.cpp:
908         (JSC::DFG::SpeculativeJIT::compile):
909         * dfg/DFGSpeculativeJIT64.cpp:
910         (JSC::DFG::SpeculativeJIT::compile):
911         * dfg/DFGValidate.cpp:
912         * jit/JIT.cpp:
913         (JSC::JIT::privateCompileMainPass):
914         * jit/JIT.h:
915         * jit/JITOpcodes.cpp:
916         (JSC::JIT::emit_op_identity_with_profile):
917         * jit/JITOpcodes32_64.cpp:
918         (JSC::JIT::emit_op_identity_with_profile):
919         * llint/LowLevelInterpreter.asm:
920
921 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
922
923         Remove Proximity Events and related code
924         https://bugs.webkit.org/show_bug.cgi?id=175545
925
926         Reviewed by Daniel Bates.
927
928         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
929         and other related code.
930
931         * Configurations/FeatureDefines.xcconfig:
932
933 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
934
935         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
936         https://bugs.webkit.org/show_bug.cgi?id=175504
937
938         Reviewed by Sam Weinig.
939
940         * Configurations/FeatureDefines.xcconfig:
941
942 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
943
944         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
945         https://bugs.webkit.org/show_bug.cgi?id=175557
946
947         Reviewed by Jon Lee.
948
949         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
950
951         * Configurations/FeatureDefines.xcconfig:
952
953 2017-08-14  Robin Morisset  <rmorisset@apple.com>
954
955         Support the 'with' keyword in DFG
956         https://bugs.webkit.org/show_bug.cgi?id=175470
957
958         Reviewed by Saam Barati.
959
960         Not particularly optimized at the moment, the goal is just to avoid
961         the DFG bailing out of any function with this keyword.
962
963         * dfg/DFGAbstractInterpreterInlines.h:
964         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
965         * dfg/DFGByteCodeParser.cpp:
966         (JSC::DFG::ByteCodeParser::parseBlock):
967         * dfg/DFGCapabilities.cpp:
968         (JSC::DFG::capabilityLevel):
969         * dfg/DFGClobberize.h:
970         (JSC::DFG::clobberize):
971         * dfg/DFGDoesGC.cpp:
972         (JSC::DFG::doesGC):
973         * dfg/DFGFixupPhase.cpp:
974         (JSC::DFG::FixupPhase::fixupNode):
975         * dfg/DFGNodeType.h:
976         * dfg/DFGPredictionPropagationPhase.cpp:
977         * dfg/DFGSafeToExecute.h:
978         (JSC::DFG::safeToExecute):
979         * dfg/DFGSpeculativeJIT.cpp:
980         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
981         * dfg/DFGSpeculativeJIT.h:
982         (JSC::DFG::SpeculativeJIT::callOperation):
983         * dfg/DFGSpeculativeJIT32_64.cpp:
984         (JSC::DFG::SpeculativeJIT::compile):
985         * dfg/DFGSpeculativeJIT64.cpp:
986         (JSC::DFG::SpeculativeJIT::compile):
987         * jit/JITOperations.cpp:
988         * jit/JITOperations.h:
989
990 2017-08-14  Mark Lam  <mark.lam@apple.com>
991
992         Add some convenience utility accessor methods to MacroAssembler::CPUState.
993         https://bugs.webkit.org/show_bug.cgi?id=175549
994         <rdar://problem/33884868>
995
996         Reviewed by Saam Barati.
997
998         Previously, in order to read ProbeContext CPUState registers, we used to need to
999         do it this way:
1000
1001             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
1002             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
1003             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
1004             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
1005
1006         With this patch, we can now read them this way instead:
1007         
1008             ExecState* exec = cpu.fp<ExecState*>();
1009             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
1010             void* p = cpu.gpr<void*>(GPRInfo::regT1);
1011             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
1012
1013         * assembler/MacroAssembler.h:
1014         (JSC:: const):
1015         (JSC::MacroAssembler::CPUState::fpr const):
1016         (JSC::MacroAssembler::CPUState::pc const):
1017         (JSC::MacroAssembler::CPUState::fp const):
1018         (JSC::MacroAssembler::CPUState::sp const):
1019         (JSC::ProbeContext::pc):
1020         (JSC::ProbeContext::fp):
1021         (JSC::ProbeContext::sp):
1022
1023 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1024
1025         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1026         https://bugs.webkit.org/show_bug.cgi?id=174921
1027
1028         Reviewed by Mark Lam.
1029         
1030         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1031
1032         * dfg/DFGSpeculativeJIT.cpp:
1033         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1034         * ftl/FTLLowerDFGToB3.cpp:
1035         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1036         * jit/JITPropertyAccess.cpp:
1037         (JSC::JIT::emitScopedArgumentsGetByVal):
1038         * runtime/ScopedArgumentsTable.cpp:
1039         (JSC::ScopedArgumentsTable::create):
1040         (JSC::ScopedArgumentsTable::setLength):
1041         * runtime/ScopedArgumentsTable.h:
1042
1043 2017-08-14  Mark Lam  <mark.lam@apple.com>
1044
1045         Gardening: fix Windows build.
1046         https://bugs.webkit.org/show_bug.cgi?id=175446
1047
1048         Not reviewed.
1049
1050         * assembler/MacroAssemblerX86Common.cpp:
1051         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1052         (JSC::ctiMasmProbeTrampoline):
1053
1054 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1055
1056         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1057         https://bugs.webkit.org/show_bug.cgi?id=175512
1058         <rdar://problem/33863584>
1059
1060         Reviewed by Mark Lam.
1061
1062         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1063         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1064
1065 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1066
1067         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1068         https://bugs.webkit.org/show_bug.cgi?id=175513
1069
1070         Reviewed by Mark Lam.
1071
1072         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1073
1074 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1075
1076         FTL's compileGetTypedArrayByteOffset needs to do caging
1077         https://bugs.webkit.org/show_bug.cgi?id=175366
1078
1079         Reviewed by Saam Barati.
1080         
1081         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1082         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1083
1084         * dfg/DFGSpeculativeJIT.cpp:
1085         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1086         * ftl/FTLLowerDFGToB3.cpp:
1087         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1088         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1089         * runtime/ArrayBuffer.h:
1090         * runtime/ArrayBufferView.h:
1091         * runtime/JSArrayBufferView.h:
1092
1093 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1094
1095         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1096         https://bugs.webkit.org/show_bug.cgi?id=175474
1097         <rdar://problem/33844628>
1098
1099         Reviewed by Wenson Hsieh.
1100
1101         * Configurations/FeatureDefines.xcconfig:
1102         * runtime/CommonIdentifiers.h:
1103
1104 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1105
1106         Caging shouldn't have to use a patchpoint for adding
1107         https://bugs.webkit.org/show_bug.cgi?id=175483
1108
1109         Reviewed by Mark Lam.
1110
        Caging involves doing an Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1112         constants and associative operations dictate that you always want to sink constants. For example,
1113         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1114         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1115         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1116         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1117         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1118         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1119         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1120         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1121         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1122         hacks for just stopping B3's reassociation only in this specific case.
1123         
1124         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1125         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1126         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1127         that if we cage the same pointer in two places, both places will compute the same value.
1128         
1129         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1130         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1131         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1132         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1133         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1134         enough scale to warrant new opcodes.)
1135         
1136         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1137         makes the code a bit less ugly.
1138
1139         * b3/B3LowerToAir.cpp:
1140         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1141         (JSC::B3::Air::LowerToAir::lower):
1142         * b3/B3Opcode.cpp:
1143         (WTF::printInternal):
1144         * b3/B3Opcode.h:
1145         * b3/B3ReduceStrength.cpp:
1146         * b3/B3Validate.cpp:
1147         * b3/B3Value.cpp:
1148         (JSC::B3::Value::effects const):
1149         (JSC::B3::Value::key const):
1150         (JSC::B3::Value::isFree const):
1151         (JSC::B3::Value::typeFor):
1152         * b3/B3Value.h:
1153         * b3/B3ValueKey.cpp:
1154         (JSC::B3::ValueKey::materialize const):
1155         * ftl/FTLLowerDFGToB3.cpp:
1156         (JSC::FTL::DFG::LowerDFGToB3::caged):
1157         * ftl/FTLOutput.cpp:
1158         (JSC::FTL::Output::opaque):
1159         * ftl/FTLOutput.h:
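
Added example (editor's, not B3's code): a toy IR that reproduces the behaviour this entry describes. `reduceStrength` sinks constants by rewriting Add(Add(a, c), b) into Add(Add(a, b), c), the reassociation that pushes a cage base shared by many accesses down to each individual use; `Opaque` is a unary value the pass only knows to be idempotent, so the cage add behind it is left alone; `lowerOpaque` is the LowerToAir view, where Opaque is Identity. The cage base constant (4 GiB) and the IR shapes are assumptions chosen for illustration.

```cpp
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy IR with four node kinds. Nodes are owned by a Procedure and linked by raw pointers.
struct Value {
    enum class Kind { Const, Var, Add, Opaque };
    explicit Value(Kind k) : kind(k) { }
    Kind kind;
    int64_t constant = 0;   // Const
    std::string name;       // Var
    Value* lhs = nullptr;   // Add, Opaque
    Value* rhs = nullptr;   // Add
    bool isConst() const { return kind == Kind::Const; }
    bool isAdd() const { return kind == Kind::Add; }
    bool isOpaque() const { return kind == Kind::Opaque; }
};

struct Procedure {
    std::vector<std::unique_ptr<Value>> values;   // owns every node
    Value* make(Value::Kind k) { values.push_back(std::make_unique<Value>(k)); return values.back().get(); }
    Value* constant(int64_t c) { Value* v = make(Value::Kind::Const); v->constant = c; return v; }
    Value* var(const std::string& n) { Value* v = make(Value::Kind::Var); v->name = n; return v; }
    Value* add(Value* a, Value* b) { Value* v = make(Value::Kind::Add); v->lhs = a; v->rhs = b; return v; }
    Value* opaque(Value* a) { Value* v = make(Value::Kind::Opaque); v->lhs = a; return v; }
};

std::string print(const Value* v)
{
    switch (v->kind) {
    case Value::Kind::Const: return std::to_string(v->constant);
    case Value::Kind::Var: return v->name;
    case Value::Kind::Add: return "Add(" + print(v->lhs) + ", " + print(v->rhs) + ")";
    case Value::Kind::Opaque: return "Opaque(" + print(v->lhs) + ")";
    }
    return "?";
}

// Bottom-up strength reduction with B3's preference for sinking constants.
Value* reduceStrength(Procedure& proc, Value* v)
{
    if (v->isAdd()) {
        v->lhs = reduceStrength(proc, v->lhs);
        v->rhs = reduceStrength(proc, v->rhs);
        if (v->lhs->isConst() && !v->rhs->isConst())
            std::swap(v->lhs, v->rhs);   // canonical form: constant on the right
        if (v->lhs->isConst() && v->rhs->isConst())
            return proc.constant(v->lhs->constant + v->rhs->constant);   // constant folding
        if (v->lhs->isAdd() && v->lhs->rhs->isConst()) {
            Value* a = v->lhs->lhs;
            Value* c = v->lhs->rhs;
            if (v->rhs->isConst())   // Add(Add(a, c1), c2) -> Add(a, c1 + c2)
                return proc.add(a, proc.constant(c->constant + v->rhs->constant));
            // Add(Add(a, c), b) -> Add(Add(a, b), c): the constant sinks towards its use,
            // which is exactly what defeats hoisting a cage base shared by many accesses.
            return reduceStrength(proc, proc.add(proc.add(a, v->rhs), c));
        }
    } else if (v->isOpaque()) {
        v->lhs = reduceStrength(proc, v->lhs);
        if (v->lhs->isOpaque())
            return v->lhs;   // Opaque(Opaque(x)) == Opaque(x); no rule looks through Opaque otherwise
    }
    return v;
}

// LowerToAir's view of Opaque: it is Identity, so it disappears on the way to Air.
Value* lowerOpaque(Value* v)
{
    if (!v)
        return v;
    v->lhs = lowerOpaque(v->lhs);
    v->rhs = lowerOpaque(v->rhs);
    return v->isOpaque() ? v->lhs : v;
}

// Assumption: an illustrative cage base; any large constant shared by all caged accesses would do.
constexpr int64_t kCageBase = 4294967296LL;

// Address of one caged access: (ptr + cageBase) + off, with off not a constant.
Value* buildCagedAddress(Procedure& proc, bool protectWithOpaque)
{
    Value* caged = proc.add(proc.var("ptr"), proc.constant(kCageBase));
    if (protectWithOpaque)
        caged = proc.opaque(caged);
    return proc.add(caged, proc.var("off"));
}

std::string reducedAddress(bool protectWithOpaque)
{
    Procedure proc;
    return print(reduceStrength(proc, buildCagedAddress(proc, protectWithOpaque)));
}

std::string loweredAddress(bool protectWithOpaque)
{
    Procedure proc;
    return print(lowerOpaque(reduceStrength(proc, buildCagedAddress(proc, protectWithOpaque))));
}

std::string reducedDoubleOpaque()
{
    Procedure proc;
    return print(reduceStrength(proc, proc.opaque(proc.opaque(proc.var("x")))));
}
```

Without Opaque, `reducedAddress(false)` comes out as Add(Add(ptr, off), 4294967296): the cage base has been sunk next to the offset, so two accesses through the same caged pointer no longer share the add. With Opaque the reduced form keeps Add(ptr, 4294967296) intact under the Opaque node, and only `lowerOpaque` turns it back into the plain add the backend emits. A CSE pass keyed on (kind, operands) would treat two identical Opaque nodes as equal, which is the property a patchpoint could not offer.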
1160
1161 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1162
1163         ScopedArguments overflow storage needs to be in the JSValue gigacage
1164         https://bugs.webkit.org/show_bug.cgi?id=174923
1165
1166         Reviewed by Saam Barati.
1167         
1168         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1169         object into the JSValue gigacage.
1170
1171         * dfg/DFGSpeculativeJIT.cpp:
1172         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1173         * ftl/FTLLowerDFGToB3.cpp:
1174         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1175         * jit/JITPropertyAccess.cpp:
1176         (JSC::JIT::emitScopedArgumentsGetByVal):
1177         * runtime/ScopedArguments.h:
1178         (JSC::ScopedArguments::subspaceFor):
1179         (JSC::ScopedArguments::overflowStorage const):
1180
1181 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1182
1183         JSLexicalEnvironment needs to be in the JSValue gigacage
1184         https://bugs.webkit.org/show_bug.cgi?id=174922
1185
1186         Reviewed by Michael Saboff.
1187         
1188         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1189         the only random accesses use pointer caging.
1190         
1191         We don't need to do anything to normal lexical environment accesses.
1192
1193         * dfg/DFGSpeculativeJIT.cpp:
1194         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1195         * ftl/FTLLowerDFGToB3.cpp:
1196         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1197         * runtime/JSEnvironmentRecord.h:
1198         (JSC::JSEnvironmentRecord::subspaceFor):
1199         (JSC::JSEnvironmentRecord::variables):
1200
1201 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1202
1203         DirectArguments should be in the JSValue gigacage
1204         https://bugs.webkit.org/show_bug.cgi?id=174920
1205
1206         Reviewed by Michael Saboff.
1207         
1208         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1209         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1210         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1211         required to use fixed offsets, and you can only store JSValues.
1212
1213         * dfg/DFGSpeculativeJIT.cpp:
1214         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1215         * ftl/FTLLowerDFGToB3.cpp:
1216         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1217         * jit/JITPropertyAccess.cpp:
1218         (JSC::JIT::emitDirectArgumentsGetByVal):
1219         * runtime/DirectArguments.h:
1220         (JSC::DirectArguments::subspaceFor):
1221         (JSC::DirectArguments::storage):
1222         * runtime/VM.cpp:
1223         (JSC::VM::VM):
1224         * runtime/VM.h:
1225
1226 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1227
1228         Unreviewed, add a FIXME.
1229
1230         * ftl/FTLLowerDFGToB3.cpp:
1231         (JSC::FTL::DFG::LowerDFGToB3::caged):
1232
1233 2017-08-10  Sam Weinig  <sam@webkit.org>
1234
1235         WTF::Function does not allow for reference / non-default constructible return types
1236         https://bugs.webkit.org/show_bug.cgi?id=175244
1237
1238         Reviewed by Chris Dumez.
1239
1240         * runtime/ArrayBuffer.cpp:
1241         (JSC::ArrayBufferContents::transferTo):
1242         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1243         destroy call needed to be a no-op anyway, since the data is being moved.
1244
1245 2017-08-11  Mark Lam  <mark.lam@apple.com>
1246
1247         Gardening: fix CLoop build.
1248         https://bugs.webkit.org/show_bug.cgi?id=175446
1249         <rdar://problem/33836545>
1250
1251         Not reviewed.
1252
1253         * assembler/MacroAssemblerPrinter.cpp:
1254
1255 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1256
1257         DFG should do caging
1258         https://bugs.webkit.org/show_bug.cgi?id=174918
1259
1260         Reviewed by Saam Barati.
1261         
1262         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1263         the conditional caging with a watchpoint.
1264         
1265         This might be a 1% SunSpider slow-down, but it's not clear.
1266
1267         * dfg/DFGSpeculativeJIT.cpp:
1268         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1269         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1270         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1271         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1272         (JSC::DFG::SpeculativeJIT::compileSpread):
1273         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1274         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1275         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1276         * dfg/DFGSpeculativeJIT.h:
1277         * dfg/DFGSpeculativeJIT64.cpp:
1278         (JSC::DFG::SpeculativeJIT::compile):
1279
1280 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1281
1282         Unreviewed, build fix for x86 GTK port
1283         https://bugs.webkit.org/show_bug.cgi?id=175446
1284
1285         Use pushfl/popfl instead of pushfd/popfd.
1286
1287         * assembler/MacroAssemblerX86Common.cpp:
1288
1289 2017-08-10  Mark Lam  <mark.lam@apple.com>
1290
1291         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1292         https://bugs.webkit.org/show_bug.cgi?id=175446
1293         <rdar://problem/33836545>
1294
1295         Reviewed by Saam Barati.
1296
1297         * assembler/AbstractMacroAssembler.h:
1298         * assembler/MacroAssembler.cpp:
1299         (JSC::MacroAssembler::probe):
1300         * assembler/MacroAssembler.h:
1301         * assembler/MacroAssemblerARM.cpp:
1302         (JSC::MacroAssembler::probe):
1303         * assembler/MacroAssemblerARM.h:
1304         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1305         * assembler/MacroAssemblerARM64.cpp:
1306         (JSC::MacroAssembler::probe):
1307         * assembler/MacroAssemblerARMv7.cpp:
1308         (JSC::MacroAssembler::probe):
1309         * assembler/MacroAssemblerARMv7.h:
1310         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1311         * assembler/MacroAssemblerPrinter.cpp:
1312         * assembler/MacroAssemblerPrinter.h:
1313         * assembler/MacroAssemblerX86Common.cpp:
1314         * assembler/testmasm.cpp:
1315         (JSC::isSpecialGPR):
1316         (JSC::testProbeModifiesProgramCounter):
1317         (JSC::run):
1318         * b3/B3LowerToAir.cpp:
1319         (JSC::B3::Air::LowerToAir::print):
1320         * b3/air/AirPrintSpecial.cpp:
1321         * b3/air/AirPrintSpecial.h:
1322
1323 2017-08-10  Mark Lam  <mark.lam@apple.com>
1324
1325         Apply the UNLIKELY macro to some unlikely things.
1326         https://bugs.webkit.org/show_bug.cgi?id=175440
1327         <rdar://problem/33834767>
1328
1329         Reviewed by Yusuke Suzuki.
1330
1331         * bytecode/CodeBlock.cpp:
1332         (JSC::CodeBlock::~CodeBlock):
1333         (JSC::CodeBlock::jettison):
1334         * dfg/DFGByteCodeParser.cpp:
1335         (JSC::DFG::ByteCodeParser::handleCall):
1336         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1337         (JSC::DFG::ByteCodeParser::handleGetById):
1338         (JSC::DFG::ByteCodeParser::handlePutById):
1339         (JSC::DFG::ByteCodeParser::parseBlock):
1340         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1341         * dfg/DFGJITCompiler.cpp:
1342         (JSC::DFG::JITCompiler::JITCompiler):
1343         (JSC::DFG::JITCompiler::linkOSRExits):
1344         (JSC::DFG::JITCompiler::link):
1345         (JSC::DFG::JITCompiler::disassemble):
1346         * dfg/DFGJITFinalizer.cpp:
1347         (JSC::DFG::JITFinalizer::finalizeCommon):
1348         * dfg/DFGOSRExit.cpp:
1349         (JSC::DFG::OSRExit::compileOSRExit):
1350         * dfg/DFGPlan.cpp:
1351         (JSC::DFG::Plan::Plan):
1352         * ftl/FTLJITFinalizer.cpp:
1353         (JSC::FTL::JITFinalizer::finalizeCommon):
1354         * ftl/FTLLink.cpp:
1355         (JSC::FTL::link):
1356         * ftl/FTLOSRExitCompiler.cpp:
1357         (JSC::FTL::compileStub):
1358         * jit/JIT.cpp:
1359         (JSC::JIT::privateCompileMainPass):
1360         (JSC::JIT::compileWithoutLinking):
1361         (JSC::JIT::link):
1362         * runtime/ScriptExecutable.cpp:
1363         (JSC::ScriptExecutable::installCode):
1364         * runtime/VM.cpp:
1365         (JSC::VM::VM):
1366
1367 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1368
1369         [WTF] ThreadSpecific should not introduce additional indirection
1370         https://bugs.webkit.org/show_bug.cgi?id=175187
1371
1372         Reviewed by Mark Lam.
1373
1374         * runtime/Identifier.cpp:
1375
1376 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1377
1378         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1379         https://bugs.webkit.org/show_bug.cgi?id=175436
1380         <rdar://problem/33667497>
1381
1382         Reviewed by Simon Fraser.
1383
1384         * interpreter/Interpreter.cpp:
1385         (JSC::Interpreter::Interpreter):
1386
1387 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1388
1389         Remove ENABLE_GAMEPAD_DEPRECATED
1390         https://bugs.webkit.org/show_bug.cgi?id=175361
1391
1392         Reviewed by Carlos Garcia Campos.
1393
1394         * Configurations/FeatureDefines.xcconfig:
1395
1396 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1397
        [JSC] Create JSSet constructor that accepts its size as parameter
1399         https://bugs.webkit.org/show_bug.cgi?id=173297
1400
1401         Reviewed by Saam Barati.
1402
1403         This patch is adding a new constructor to JSSet that gives its
        expected initial size. It is important to avoid re-hashing and multiple
1405         allocations when we know the final size of JSSet, such as in
1406         CodeBlock::setConstantIdentifierSetRegisters.
1407
1408         * bytecode/CodeBlock.cpp:
1409         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1410         * runtime/HashMapImpl.h:
1411         (JSC::HashMapImpl::HashMapImpl):
1412         * runtime/JSSet.h:
1413
1414 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1415
1416         Unreviewed, rolling out r220466, r220477, and r220487.
1417         https://bugs.webkit.org/show_bug.cgi?id=175411
1418
1419         This change broke existing API tests and follow-up fixes did
1420         not resolve all the issues. (Requested by ryanhaddad on
1421         #webkit).
1422
1423         Reverted changesets:
1424
1425         https://bugs.webkit.org/show_bug.cgi?id=175244
1426         http://trac.webkit.org/changeset/220466
1427
1428         "WTF::Function does not allow for reference / non-default
1429         constructible return types"
1430         https://bugs.webkit.org/show_bug.cgi?id=175244
1431         http://trac.webkit.org/changeset/220477
1432
1433         https://bugs.webkit.org/show_bug.cgi?id=175244
1434         http://trac.webkit.org/changeset/220487
1435
1436 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1437
1438         Early error on ANY operator before new.target
1439         https://bugs.webkit.org/show_bug.cgi?id=157970
1440
1441         Reviewed by Saam Barati.
1442
1443         Instead of throwing if any unary operator precedes new.target, only
1444         throw if the unary operator updates the reference.
1445
1446         The following become legal in JSC:
1447
1448         ```
1449         !new.target
1450         ~new.target
1451         typeof new.target
1452         delete new.target
1453         void new.target
1454         ```
1455
1456         All of these are legal in V8 and SpiderMonkey in both strict and sloppy mode.
1457
1458         * parser/Parser.cpp:
1459         (JSC::Parser<LexerType>::parseUnaryExpression):
1460
1461 2017-08-09  Sam Weinig  <sam@webkit.org>
1462
1463         WTF::Function does not allow for reference / non-default constructible return types
1464         https://bugs.webkit.org/show_bug.cgi?id=175244
1465
1466         Reviewed by Chris Dumez.
1467
1468         * runtime/ArrayBuffer.cpp:
1469         (JSC::ArrayBufferContents::transferTo):
1470         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1471         destroy call needed to be a no-op anyway, since the data is being moved.
1472
1473 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1474
1475         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1476         https://bugs.webkit.org/show_bug.cgi?id=175392
1477         <rdar://problem/33783207>
1478
1479         Reviewed by Tim Horton and Megan Gardner.
1480
1481         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1482
1483         * Configurations/FeatureDefines.xcconfig:
1484
1485 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1486
1487         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1488         https://bugs.webkit.org/show_bug.cgi?id=175358
1489
1490         Reviewed by Mark Lam.
1491
1492         * jit/JITOperations.cpp:
1493         * runtime/JSObjectInlines.h:
1494         (JSC::JSObject::putInlineForJSObject):
1495
1496 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1497
1498         Unreviewed, rolling out r220457.
1499
1500         This change introduced API test failures.
1501
1502         Reverted changeset:
1503
1504         "WTF::Function does not allow for reference / non-default
1505         constructible return types"
1506         https://bugs.webkit.org/show_bug.cgi?id=175244
1507         http://trac.webkit.org/changeset/220457
1508
1509 2017-08-09  Sam Weinig  <sam@webkit.org>
1510
1511         WTF::Function does not allow for reference / non-default constructible return types
1512         https://bugs.webkit.org/show_bug.cgi?id=175244
1513
1514         Reviewed by Chris Dumez.
1515
1516         * runtime/ArrayBuffer.cpp:
1517         (JSC::ArrayBufferContents::transferTo):
1518         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1519         destroy call needed to be a no-op anyway, since the data is being moved.
1520
1521 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1522
1523         REGRESSION: 2 test262/test/language/statements/async-function failures
1524         https://bugs.webkit.org/show_bug.cgi?id=175334
1525
1526         Reviewed by Yusuke Suzuki.
1527
1528         Switch off useAsyncIterator by default
1529
1530         * runtime/Options.h:
1531
1532 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1533
1534         ICs should do caging
1535         https://bugs.webkit.org/show_bug.cgi?id=175295
1536
1537         Reviewed by Saam Barati.
1538         
1539         Adds the appropriate cage() calls in our inline caches.
1540
1541         * bytecode/AccessCase.cpp:
1542         (JSC::AccessCase::generateImpl):
1543         * bytecode/InlineAccess.cpp:
1544         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1545         (JSC::InlineAccess::generateSelfPropertyAccess):
1546         (JSC::InlineAccess::generateSelfPropertyReplace):
1547         (JSC::InlineAccess::generateArrayLength):
1548
1549 2017-08-08  Devin Rousso  <drousso@apple.com>
1550
1551         Web Inspector: Canvas: support editing WebGL shaders
1552         https://bugs.webkit.org/show_bug.cgi?id=124211
1553         <rdar://problem/15448958>
1554
1555         Reviewed by Matt Baker.
1556
1557         * inspector/protocol/Canvas.json:
1558         Add `updateShader` command that will change the given shader's source to the provided string,
1559         recompile, and relink it to its associated program.
1560         Drive-by: add description to `requestShaderSource` command.
1561
1562 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1563
1564         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1565         https://bugs.webkit.org/show_bug.cgi?id=175347
1566
1567         Reviewed by Saam Barati.
1568
1569         This is done by making finishCreation explicitly check for exceptions after setConstantRegisters and setConstantIdentifierSetRegisters.
1570         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1571         negligible considering how much more finishCreation does.
1572         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1573         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1574
1575         * bytecode/CodeBlock.cpp:
1576         (JSC::CodeBlock::finishCreation):
1577         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1578         (JSC::CodeBlock::setConstantRegisters):
1579         * bytecode/CodeBlock.h:
1580         * runtime/ScriptExecutable.cpp:
1581         (JSC::ScriptExecutable::newCodeBlockFor):
1582
1583 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1584
1585         Unreviewed, fix Ubuntu LTS build
1586         https://bugs.webkit.org/show_bug.cgi?id=174490
1587
1588         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1589         * inspector/remote/glib/RemoteInspectorServer.cpp:
1590
1591 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1592
1593         Baseline JIT should do caging
1594         https://bugs.webkit.org/show_bug.cgi?id=175037
1595
1596         Reviewed by Mark Lam.
1597         
1598         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
1599         
1600         Also modifies FTL caging to be more defensive when caging is disabled.
1601         
1602         Relanded with fixed AssemblyHelpers::cageConditionally().
1603
1604         * bytecode/AccessCase.cpp:
1605         (JSC::AccessCase::generateImpl):
1606         * bytecode/InlineAccess.cpp:
1607         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1608         (JSC::InlineAccess::generateSelfPropertyAccess):
1609         (JSC::InlineAccess::generateSelfPropertyReplace):
1610         (JSC::InlineAccess::generateArrayLength):
1611         * ftl/FTLLowerDFGToB3.cpp:
1612         (JSC::FTL::DFG::LowerDFGToB3::caged):
1613         * jit/AssemblyHelpers.h:
1614         (JSC::AssemblyHelpers::cage):
1615         (JSC::AssemblyHelpers::cageConditionally):
1616         * jit/JITPropertyAccess.cpp:
1617         (JSC::JIT::emitDoubleLoad):
1618         (JSC::JIT::emitContiguousLoad):
1619         (JSC::JIT::emitArrayStorageLoad):
1620         (JSC::JIT::emitGenericContiguousPutByVal):
1621         (JSC::JIT::emitArrayStoragePutByVal):
1622         (JSC::JIT::emit_op_get_from_scope):
1623         (JSC::JIT::emit_op_put_to_scope):
1624         (JSC::JIT::emitIntTypedArrayGetByVal):
1625         (JSC::JIT::emitFloatTypedArrayGetByVal):
1626         (JSC::JIT::emitIntTypedArrayPutByVal):
1627         (JSC::JIT::emitFloatTypedArrayPutByVal):
1628         * jsc.cpp:
1629         (jscmain):
1630         (primitiveGigacageDisabled): Deleted.
1631
1632 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1633
1634         Unreviewed, rolling out r220368.
1635
1636         This change caused WK1 tests to exit early with crashes.
1637
1638         Reverted changeset:
1639
1640         "Baseline JIT should do caging"
1641         https://bugs.webkit.org/show_bug.cgi?id=175037
1642         http://trac.webkit.org/changeset/220368
1643
1644 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1645
1646         [CMake] Properly test if compiler supports compiler flags
1647         https://bugs.webkit.org/show_bug.cgi?id=174490
1648
1649         Reviewed by Konstantin Tokarev.
1650
1651         * API/tests/PingPongStackOverflowTest.cpp:
1652         (testPingPongStackOverflow):
1653         * API/tests/testapi.c:
1654         * b3/testb3.cpp:
1655         (JSC::B3::testPatchpointLotsOfLateAnys):
1656
1657 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1658
1659         [Linux] Clear WasmMemory with madvise instead of memset
1660         https://bugs.webkit.org/show_bug.cgi?id=175150
1661
1662         Reviewed by Filip Pizlo.
1663
1664         On Linux, zeroing pages with memset populates the backing store.
1665         Instead, we should use madvise with MADV_DONTNEED. It discards the
1666         pages, and if you access these pages again, on-demand zero pages
1667         will be shown.
1668
1669         We also commit grown pages in all OSes.
1670
1671         * wasm/WasmMemory.cpp:
1672         (JSC::Wasm::commitZeroPages):
1673         (JSC::Wasm::Memory::create):
1674         (JSC::Wasm::Memory::grow):
1675
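The memset-versus-madvise behaviour described in the entry above, as an added example that is not part of this ChangeLog or of WebKit's code: it dirties an anonymous private mapping, clears it with madvise(MADV_DONTNEED), and checks that the region reads back as zero pages while the resident page count drops instead of staying populated. It assumes Linux (the resident count is read from /proc/self/statm); the region size and fill byte are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Resident set size of this process in pages, from /proc/self/statm (Linux only; -1 if unavailable). */
static long resident_pages(void)
{
    FILE *f = fopen("/proc/self/statm", "r");
    if (!f)
        return -1;
    long size = 0, resident = 0;
    int n = fscanf(f, "%ld %ld", &size, &resident);
    fclose(f);
    return n == 2 ? resident : -1;
}

/* Returns 1 if every byte in [p, p + len) is zero, 0 otherwise. */
static int all_zero(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        if (p[i])
            return 0;
    }
    return 1;
}

/*
 * Clear an anonymous private mapping the way the ChangeLog entry describes:
 * rather than memset(), which touches every page and therefore commits backing
 * store for all of them, ask the kernel to drop the pages. The next access to
 * any of them faults in a fresh zero-filled page on demand.
 * Returns 0 on success, -1 on failure (errno set by madvise).
 */
static int zero_by_discard(void *region, size_t len)
{
    return madvise(region, len, MADV_DONTNEED);
}

/*
 * Demonstration: dirty `pages` pages, discard them, and report whether the region
 * reads back as zero. rss_after_memset / rss_after_discard receive the process RSS
 * (in pages) measured right after each step, or -1 when /proc is unavailable.
 * Returns 1 if the discarded region read back entirely zero, 0 if it did not,
 * and -1 if the mapping or the madvise call failed.
 */
int discard_demo(size_t pages, long *rss_after_memset, long *rss_after_discard)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t len = pages * (size_t)page;
    unsigned char *region = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (region == MAP_FAILED)
        return -1;

    /* Dirty every page: this is the populated state a memset()-based clear leaves behind. */
    memset(region, 0xAB, len);  /* constructed fill byte, anything non-zero works */
    *rss_after_memset = resident_pages();

    int result;
    if (zero_by_discard(region, len) == 0) {
        *rss_after_discard = resident_pages();
        /* Reading the discarded pages faults them back in as zero-filled pages. */
        result = all_zero(region, len);
    } else {
        *rss_after_discard = -1;
        result = -1;
    }
    munmap(region, len);
    return result;
}

int main(void)
{
    long after_memset = -1, after_discard = -1;
    int result = discard_demo(1024, &after_memset, &after_discard);  /* 4 MiB with 4 KiB pages */
    printf("region reads back as zero after MADV_DONTNEED: %s\n", result == 1 ? "yes" : "no");
    printf("resident pages after memset: %ld, after MADV_DONTNEED: %ld\n",
           after_memset, after_discard);
    return result == 1 ? 0 : 1;
}
```
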
1676 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1677
1678         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1679         https://bugs.webkit.org/show_bug.cgi?id=175307
1680
1681         Reviewed by Saam Barati.
1682
1683         ```
1684         let a = new Uint8Array(10);
1685         let b = Object.getOwnPropertyDescriptor(a, 0);
1686         assert(b.configurable === false);
1687         ```
1688         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
1689         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
1690         that says that typed arrays are integer indexed exotic objects.
1691
1692         * runtime/JSGenericTypedArrayViewInlines.h:
1693         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1694
1695 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1696
1697         Baseline JIT should do caging
1698         https://bugs.webkit.org/show_bug.cgi?id=175037
1699
1700         Reviewed by Mark Lam.
1701         
1702         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
1703         
1704         Also modifies FTL caging to be more defensive when caging is disabled.
1705
1706         * ftl/FTLLowerDFGToB3.cpp:
1707         (JSC::FTL::DFG::LowerDFGToB3::caged):
1708         * jit/AssemblyHelpers.h:
1709         (JSC::AssemblyHelpers::cage):
1710         (JSC::AssemblyHelpers::cageConditionally):
1711         * jit/JITPropertyAccess.cpp:
1712         (JSC::JIT::emitDoubleLoad):
1713         (JSC::JIT::emitContiguousLoad):
1714         (JSC::JIT::emitArrayStorageLoad):
1715         (JSC::JIT::emitGenericContiguousPutByVal):
1716         (JSC::JIT::emitArrayStoragePutByVal):
1717         (JSC::JIT::emit_op_get_from_scope):
1718         (JSC::JIT::emit_op_put_to_scope):
1719         (JSC::JIT::emitIntTypedArrayGetByVal):
1720         (JSC::JIT::emitFloatTypedArrayGetByVal):
1721         (JSC::JIT::emitIntTypedArrayPutByVal):
1722         (JSC::JIT::emitFloatTypedArrayPutByVal):
1723         * jsc.cpp:
1724         (jscmain):
1725         (primitiveGigacageDisabled): Deleted.
1726
1727 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1728
1729         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1730         https://bugs.webkit.org/show_bug.cgi?id=174919
1731
1732         Reviewed by Keith Miller.
1733         
1734         This adapts JSC to there being two gigacages.
1735         
1736         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1737         singletons. I don't think we were gaining anything by making them be singletons.
1738         
1739         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1740         gigacages. We'll have one of those allocators per cage.
1741         
1742         From there, this change teaches everyone who previously knew about cages that there are two cages.
1743         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1744         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1745         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1746         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1747         
1748         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1749         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1750
1751         * JavaScriptCore.xcodeproj/project.pbxproj:
1752         * bytecode/AccessCase.cpp:
1753         (JSC::AccessCase::generateImpl):
1754         * dfg/DFGSpeculativeJIT.cpp:
1755         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1756         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1757         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1758         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1759         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1760         * ftl/FTLLowerDFGToB3.cpp:
1761         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1762         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1763         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1764         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1765         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1766         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1767         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1768         (JSC::FTL::DFG::LowerDFGToB3::caged):
1769         * heap/FastMallocAlignedMemoryAllocator.cpp:
1770         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1771         * heap/FastMallocAlignedMemoryAllocator.h:
1772         * heap/GigacageAlignedMemoryAllocator.cpp:
1773         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1774         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1775         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1776         (JSC::GigacageAlignedMemoryAllocator::dump const):
1777         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1778         * heap/GigacageAlignedMemoryAllocator.h:
1779         * jsc.cpp:
1780         (primitiveGigacageDisabled):
1781         (jscmain):
1782         (gigacageDisabled): Deleted.
1783         * llint/LowLevelInterpreter64.asm:
1784         * runtime/ArrayBuffer.cpp:
1785         (JSC::ArrayBufferContents::tryAllocate):
1786         (JSC::ArrayBuffer::createAdopted):
1787         (JSC::ArrayBuffer::createFromBytes):
1788         * runtime/AuxiliaryBarrier.h:
1789         * runtime/ButterflyInlines.h:
1790         (JSC::Butterfly::createUninitialized):
1791         (JSC::Butterfly::tryCreate):
1792         (JSC::Butterfly::growArrayRight):
1793         * runtime/CagedBarrierPtr.h: Added.
1794         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1795         (JSC::CagedBarrierPtr::clear):
1796         (JSC::CagedBarrierPtr::set):
1797         (JSC::CagedBarrierPtr::get const):
1798         (JSC::CagedBarrierPtr::getMayBeNull const):
1799         (JSC::CagedBarrierPtr::operator== const):
1800         (JSC::CagedBarrierPtr::operator!= const):
1801         (JSC::CagedBarrierPtr::operator bool const):
1802         (JSC::CagedBarrierPtr::setWithoutBarrier):
1803         (JSC::CagedBarrierPtr::operator* const):
1804         (JSC::CagedBarrierPtr::operator-> const):
1805         (JSC::CagedBarrierPtr::operator[] const):
1806         * runtime/DirectArguments.cpp:
1807         (JSC::DirectArguments::overrideThings):
1808         (JSC::DirectArguments::unmapArgument):
1809         * runtime/DirectArguments.h:
1810         (JSC::DirectArguments::isMappedArgument const):
1811         * runtime/GenericArguments.h:
1812         * runtime/GenericArgumentsInlines.h:
1813         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1814         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1815         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1816         * runtime/HashMapImpl.cpp:
1817         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1818         * runtime/HashMapImpl.h:
1819         (JSC::HashMapBuffer::create):
1820         (JSC::HashMapImpl::buffer const):
1821         (JSC::HashMapImpl::rehash):
1822         * runtime/JSArray.cpp:
1823         (JSC::JSArray::tryCreateUninitializedRestricted):
1824         (JSC::JSArray::unshiftCountSlowCase):
1825         (JSC::JSArray::setLength):
1826         (JSC::JSArray::pop):
1827         (JSC::JSArray::push):
1828         (JSC::JSArray::fastSlice):
1829         (JSC::JSArray::shiftCountWithArrayStorage):
1830         (JSC::JSArray::shiftCountWithAnyIndexingType):
1831         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1832         (JSC::JSArray::fillArgList):
1833         (JSC::JSArray::copyToArguments):
1834         * runtime/JSArray.h:
1835         (JSC::JSArray::tryCreate):
1836         * runtime/JSArrayBufferView.cpp:
1837         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1838         (JSC::JSArrayBufferView::finalize):
1839         * runtime/JSLock.cpp:
1840         (JSC::JSLock::didAcquireLock):
1841         * runtime/JSObject.cpp:
1842         (JSC::JSObject::heapSnapshot):
1843         (JSC::JSObject::getOwnPropertySlotByIndex):
1844         (JSC::JSObject::putByIndex):
1845         (JSC::JSObject::enterDictionaryIndexingMode):
1846         (JSC::JSObject::createInitialIndexedStorage):
1847         (JSC::JSObject::createArrayStorage):
1848         (JSC::JSObject::convertUndecidedToInt32):
1849         (JSC::JSObject::convertUndecidedToDouble):
1850         (JSC::JSObject::convertUndecidedToContiguous):
1851         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1852         (JSC::JSObject::convertUndecidedToArrayStorage):
1853         (JSC::JSObject::convertInt32ToDouble):
1854         (JSC::JSObject::convertInt32ToContiguous):
1855         (JSC::JSObject::convertInt32ToArrayStorage):
1856         (JSC::JSObject::convertDoubleToContiguous):
1857         (JSC::JSObject::convertDoubleToArrayStorage):
1858         (JSC::JSObject::convertContiguousToArrayStorage):
1859         (JSC::JSObject::setIndexQuicklyToUndecided):
1860         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1861         (JSC::JSObject::deletePropertyByIndex):
1862         (JSC::JSObject::getOwnPropertyNames):
1863         (JSC::JSObject::putIndexedDescriptor):
1864         (JSC::JSObject::defineOwnIndexedProperty):
1865         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1866         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1867         (JSC::JSObject::getNewVectorLength):
1868         (JSC::JSObject::ensureLengthSlow):
1869         (JSC::JSObject::reallocateAndShrinkButterfly):
1870         (JSC::JSObject::allocateMoreOutOfLineStorage):
1871         (JSC::JSObject::getEnumerableLength):
1872         * runtime/JSObject.h:
1873         (JSC::JSObject::getArrayLength const):
1874         (JSC::JSObject::getVectorLength):
1875         (JSC::JSObject::putDirectIndex):
1876         (JSC::JSObject::canGetIndexQuickly):
1877         (JSC::JSObject::getIndexQuickly):
1878         (JSC::JSObject::tryGetIndexQuickly const):
1879         (JSC::JSObject::canSetIndexQuickly):
1880         (JSC::JSObject::setIndexQuickly):
1881         (JSC::JSObject::initializeIndex):
1882         (JSC::JSObject::initializeIndexWithoutBarrier):
1883         (JSC::JSObject::hasSparseMap):
1884         (JSC::JSObject::inSparseIndexingMode):
1885         (JSC::JSObject::butterfly const):
1886         (JSC::JSObject::butterfly):
1887         (JSC::JSObject::outOfLineStorage const):
1888         (JSC::JSObject::outOfLineStorage):
1889         (JSC::JSObject::ensureInt32):
1890         (JSC::JSObject::ensureDouble):
1891         (JSC::JSObject::ensureContiguous):
1892         (JSC::JSObject::ensureArrayStorage):
1893         (JSC::JSObject::arrayStorage):
1894         (JSC::JSObject::arrayStorageOrNull):
1895         (JSC::JSObject::ensureLength):
1896         * runtime/RegExpMatchesArray.h:
1897         (JSC::tryCreateUninitializedRegExpMatchesArray):
1898         * runtime/VM.cpp:
1899         (JSC::VM::VM):
1900         (JSC::VM::~VM):
1901         (JSC::VM::primitiveGigacageDisabledCallback):
1902         (JSC::VM::primitiveGigacageDisabled):
1903         (JSC::VM::gigacageDisabledCallback): Deleted.
1904         (JSC::VM::gigacageDisabled): Deleted.
1905         * runtime/VM.h:
1906         (JSC::VM::gigacageAuxiliarySpace):
1907         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1908         (JSC::VM::primitiveGigacageEnabled):
1909         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1910         (JSC::VM::gigacageEnabled): Deleted.
1911         * wasm/WasmMemory.cpp:
1912         (JSC::Wasm::Memory::create):
1913         (JSC::Wasm::Memory::~Memory):
1914         (JSC::Wasm::Memory::grow):
1915
1916 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1917
1918         Unreviewed, rolling out r220144.
1919         https://bugs.webkit.org/show_bug.cgi?id=175276
1920
1921         "It did not actually speed things up in the way I expected"
1922         (Requested by saamyjoon on #webkit).
1923
1924         Reverted changeset:
1925
1926         "On memory-constrained iOS devices, reduce the rate at which
1927         the JS heap grows before a GC to try to keep more memory
1928         available for the system"
1929         https://bugs.webkit.org/show_bug.cgi?id=175041
1930         http://trac.webkit.org/changeset/220144
1931
1932 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1933
1934         Unreviewed, rolling out r220299.
1935
1936         This change caused LayoutTest inspector/dom-debugger/dom-
1937         breakpoints.html to fail.
1938
1939         Reverted changeset:
1940
1941         "Web Inspector: capture async stack trace when workers/main
1942         context posts a message"
1943         https://bugs.webkit.org/show_bug.cgi?id=167084
1944         http://trac.webkit.org/changeset/220299
1945
1946 2017-08-07  Brian Burg  <bburg@apple.com>
1947
1948         Remove CANVAS_PATH compilation guard
1949         https://bugs.webkit.org/show_bug.cgi?id=175207
1950
1951         Reviewed by Sam Weinig.
1952
1953         * Configurations/FeatureDefines.xcconfig:
1954
1955 2017-08-07  Keith Miller  <keith_miller@apple.com>
1956
1957         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
1958         https://bugs.webkit.org/show_bug.cgi?id=175256
1959
1960         Reviewed by Saam Barati.
1961
1962         The check in createFromBytes just needed to check that the buffer was not null before
1963         calling isCaged.
1964
1965         * runtime/ArrayBuffer.cpp:
1966         (JSC::ArrayBuffer::createFromBytes):
1967
1968 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
1969
1970         [GTK][WPE] Add API to provide browser information required by automation
1971         https://bugs.webkit.org/show_bug.cgi?id=175130
1972
1973         Reviewed by Brian Burg.
1974
1975         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
1976         get them.
1977
1978         * inspector/remote/RemoteInspector.cpp:
1979         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
1980         * inspector/remote/RemoteInspector.h:
1981         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1982         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
1983         requested to ensure they are updated before the StartAutomationSession reply is sent.
1984         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
1985         StartAutomationSession message.
1986
1987 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1988
1989         Promise resolve and reject function should have length = 1
1990         https://bugs.webkit.org/show_bug.cgi?id=175242
1991
1992         Reviewed by Saam Barati.
1993
1994         Previously we had a separate system for "length" and "name" for builtin functions.
1995         The builtin functions do not use the lazy reifying system. Instead, they have direct
1996         properties set when they are instantiated. While a function created for a property (like
1997         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
1998         these builtin functions are just created by JSFunction::create(). Since it does
1999         not set any values for "length", these functions do not have a "length" property.
2000         So, the resolve and reject functions passed to Promise's executor do not have a
2001         "length" property.
2002
2003         This patch makes builtin functions use the standard lazy reifying system for "length".
2004         So, the "length" property of a builtin function just works as it does for normal
2005         functions.
2006
2007         * runtime/JSFunction.cpp:
2008         (JSC::JSFunction::createBuiltinFunction):
2009         (JSC::JSFunction::getOwnPropertySlot):
2010         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2011         (JSC::JSFunction::put):
2012         (JSC::JSFunction::deleteProperty):
2013         (JSC::JSFunction::defineOwnProperty):
2014         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2015         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2016         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2017         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2018         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2019         * runtime/JSFunction.h:
2020
2021 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2022
2023         [ESNext] Async iteration - Implement Async Generator - parser
2024         https://bugs.webkit.org/show_bug.cgi?id=175210
2025
2026         Reviewed by Yusuke Suzuki.
2027
2028         The current implementation is a draft version of Async Iteration.
2029         Link to spec: https://tc39.github.io/proposal-async-iteration/
2030
2031         The current patch implements only the parser part of the Async generator.
2032         The runtime part will be in the next patches.
2033
2034         * parser/ASTBuilder.h:
2035         (JSC::ASTBuilder::createFunctionMetadata):
2036         * parser/Parser.cpp:
2037         (JSC::getAsynFunctionBodyParseMode):
2038         (JSC::Parser<LexerType>::parseInner):
2039         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2040         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2041         (JSC::stringArticleForFunctionMode):
2042         (JSC::stringForFunctionMode):
2043         (JSC::Parser<LexerType>::parseFunctionInfo):
2044         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2045         (JSC::Parser<LexerType>::parseClass):
2046         (JSC::Parser<LexerType>::parseProperty):
2047         (JSC::Parser<LexerType>::parsePropertyMethod):
2048         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2049         * parser/Parser.h:
2050         (JSC::Scope::setSourceParseMode):
2051         * parser/ParserModes.h:
2052         (JSC::isFunctionParseMode):
2053         (JSC::isAsyncFunctionParseMode):
2054         (JSC::isAsyncArrowFunctionParseMode):
2055         (JSC::isAsyncGeneratorFunctionParseMode):
2056         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2057         (JSC::isAsyncFunctionWrapperParseMode):
2058         (JSC::isAsyncFunctionBodyParseMode):
2059         (JSC::isGeneratorMethodParseMode):
2060         (JSC::isAsyncMethodParseMode):
2061         (JSC::isAsyncGeneratorMethodParseMode):
2062         (JSC::isMethodParseMode):
2063         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2064         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2065
2066 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2067
2068         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2069         https://bugs.webkit.org/show_bug.cgi?id=175083
2070
2071         Reviewed by Oliver Hunt.
2072         
2073         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2074         even if we are using the pop path.
2075         
2076         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2077         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2078         the world just because we changed it.
2079         
2080         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2081         easier to debug leaks.
2082
2083         * bytecode/AccessCase.cpp:
2084         * bytecode/PolymorphicAccess.cpp:
2085         * heap/HeapCell.cpp:
2086         (JSC::HeapCell::isLive):
2087         * heap/HeapCellInlines.h:
2088         (JSC::HeapCell::isLive): Deleted.
2089         * heap/MarkedAllocator.cpp:
2090         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2091         (JSC::MarkedAllocator::endMarking):
2092         * heap/MarkedBlockInlines.h:
2093         (JSC::MarkedBlock::Handle::specializedSweep):
2094         * jit/AssemblyHelpers.cpp:
2095         * jit/Repatch.cpp:
2096         * runtime/TestRunnerUtils.h:
2097         * runtime/VM.cpp:
2098         (JSC::waitForVMDestruction):
2099         (JSC::VM::~VM):
2100
2101 2017-08-05  Mark Lam  <mark.lam@apple.com>
2102
2103         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2104         https://bugs.webkit.org/show_bug.cgi?id=175228
2105         <rdar://problem/33735737>
2106
2107         Reviewed by Saam Barati.
2108
2109         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2110         delete OSRExit32_64.cpp.
2111
2112         * CMakeLists.txt:
2113         * JavaScriptCore.xcodeproj/project.pbxproj:
2114         * dfg/DFGOSRExit.cpp:
2115         (JSC::DFG::OSRExit::compileExit):
2116         * dfg/DFGOSRExit32_64.cpp: Removed.
2117         * jit/GPRInfo.h:
2118         (JSC::JSValueSource::payloadGPR const):
2119
2120 2017-08-04  Youenn Fablet  <youenn@apple.com>
2121
2122         [Cache API] Add Cache and CacheStorage IDL definitions
2123         https://bugs.webkit.org/show_bug.cgi?id=175201
2124
2125         Reviewed by Brady Eidson.
2126
2127         * runtime/CommonIdentifiers.h:
2128
2129 2017-08-04  Mark Lam  <mark.lam@apple.com>
2130
2131         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2132         https://bugs.webkit.org/show_bug.cgi?id=175230
2133         <rdar://problem/33735857>
2134
2135         Reviewed by Saam Barati.
2136
2137         * assembler/testmasm.cpp:
2138         (JSC::testProbeReadsArgumentRegisters):
2139         (JSC::testProbeWritesArgumentRegisters):
2140
2141 2017-08-04  Mark Lam  <mark.lam@apple.com>
2142
2143         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2144         https://bugs.webkit.org/show_bug.cgi?id=175214
2145         <rdar://problem/33733308>
2146
2147         Rubber-stamped by Michael Saboff.
2148
2149         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2150         DFGOSRExitCompiler files.
2151
2152         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2153
2154         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2155         used by compileOSRExit(), and will be changed to not be a DFG operation function
2156         when we use JIT probes for DFG OSR exits later in
2157         https://bugs.webkit.org/show_bug.cgi?id=175144.
2158
2159         * CMakeLists.txt:
2160         * JavaScriptCore.xcodeproj/project.pbxproj:
2161         * dfg/DFGJITCompiler.cpp:
2162         * dfg/DFGOSRExit.cpp:
2163         (JSC::DFG::OSRExit::emitRestoreArguments):
2164         (JSC::DFG::OSRExit::compileOSRExit):
2165         (JSC::DFG::OSRExit::compileExit):
2166         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2167         * dfg/DFGOSRExit.h:
2168         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2169         * dfg/DFGOSRExitCompiler.cpp: Removed.
2170         * dfg/DFGOSRExitCompiler.h: Removed.
2171         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2172         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2173         * dfg/DFGOperations.cpp:
2174         * dfg/DFGOperations.h:
2175         * dfg/DFGThunks.cpp:
2176
2177 2017-08-04  Matt Baker  <mattbaker@apple.com>
2178
2179         Web Inspector: capture async stack trace when workers/main context posts a message
2180         https://bugs.webkit.org/show_bug.cgi?id=167084
2181         <rdar://problem/30033673>
2182
2183         Reviewed by Brian Burg.
2184
2185         * inspector/agents/InspectorDebuggerAgent.h:
2186         Add `PostMessage` async call type.
2187
2188 2017-08-04  Mark Lam  <mark.lam@apple.com>
2189
2190         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2191         https://bugs.webkit.org/show_bug.cgi?id=175208
2192         <rdar://problem/33732402>
2193
2194         Reviewed by Saam Barati.
2195
2196         This will minimize the code diff and make it easier to review the patch for
2197         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2198         steps:
2199
2200         1. Do the code changes to move methods into OSRExit.
2201         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2202         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2203
2204         Splitting this refactoring into these 3 steps also makes it easier to review this
2205         patch and understand what is being changed.
2206
2207         * dfg/DFGOSRExit.h:
2208         * dfg/DFGOSRExitCompiler.cpp:
2209         (JSC::DFG::OSRExit::emitRestoreArguments):
2210         (JSC::DFG::OSRExit::compileOSRExit):
2211         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2212         (): Deleted.
2213         * dfg/DFGOSRExitCompiler.h:
2214         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2215         (): Deleted.
2216         * dfg/DFGOSRExitCompiler32_64.cpp:
2217         (JSC::DFG::OSRExit::compileExit):
2218         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2219         * dfg/DFGOSRExitCompiler64.cpp:
2220         (JSC::DFG::OSRExit::compileExit):
2221         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2222         * dfg/DFGThunks.cpp:
2223         (JSC::DFG::osrExitGenerationThunkGenerator):
2224
2225 2017-08-04  Devin Rousso  <drousso@apple.com>
2226
2227         Web Inspector: add source view for WebGL shader programs
2228         https://bugs.webkit.org/show_bug.cgi?id=138593
2229         <rdar://problem/18936194>
2230
2231         Reviewed by Matt Baker.
2232
2233         * inspector/protocol/Canvas.json:
2234          - Add `ShaderType` enum that contains "vertex" and "fragment".
2235          - Add `requestShaderSource` command that will return the original source code for a given
2236            shader program and shader type.
2237
2238 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2239
2240         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2241         https://bugs.webkit.org/show_bug.cgi?id=175141
2242
2243         Reviewed by Mark Lam.
2244         
2245         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2246         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2247         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2248         determined by the AlignedMemoryAllocator object.
2249         
2250         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2251         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2252         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2253         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2254         they use the same AlignedMemoryAllocator.
2255
2256         * CMakeLists.txt:
2257         * JavaScriptCore.xcodeproj/project.pbxproj:
2258         * heap/AlignedMemoryAllocator.cpp: Added.
2259         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2260         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2261         * heap/AlignedMemoryAllocator.h: Added.
2262         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2263         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2264         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2265         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2266         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2267         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2268         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2269         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2270         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2271         (JSC::GigacageAlignedMemoryAllocator::singleton):
2272         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2273         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2274         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2275         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2276         (JSC::GigacageAlignedMemoryAllocator::dump const):
2277         * heap/GigacageAlignedMemoryAllocator.h: Added.
2278         * heap/GigacageSubspace.cpp: Removed.
2279         * heap/GigacageSubspace.h: Removed.
2280         * heap/LargeAllocation.cpp:
2281         (JSC::LargeAllocation::tryCreate):
2282         (JSC::LargeAllocation::destroy):
2283         * heap/MarkedAllocator.cpp:
2284         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2285         * heap/MarkedBlock.cpp:
2286         (JSC::MarkedBlock::tryCreate):
2287         (JSC::MarkedBlock::Handle::Handle):
2288         (JSC::MarkedBlock::Handle::~Handle):
2289         (JSC::MarkedBlock::Handle::didAddToAllocator):
2290         (JSC::MarkedBlock::Handle::subspace const):
2291         * heap/MarkedBlock.h:
2292         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2293         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2294         * heap/Subspace.cpp:
2295         (JSC::Subspace::Subspace):
2296         (JSC::Subspace::findEmptyBlockToSteal):
2297         (JSC::Subspace::canTradeBlocksWith): Deleted.
2298         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2299         (JSC::Subspace::freeAlignedMemory): Deleted.
2300         * heap/Subspace.h:
2301         (JSC::Subspace::name const):
2302         (JSC::Subspace::alignedMemoryAllocator const):
2303         * runtime/JSDestructibleObjectSubspace.cpp:
2304         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2305         * runtime/JSDestructibleObjectSubspace.h:
2306         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2307         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2308         * runtime/JSSegmentedVariableObjectSubspace.h:
2309         * runtime/JSStringSubspace.cpp:
2310         (JSC::JSStringSubspace::JSStringSubspace):
2311         * runtime/JSStringSubspace.h:
2312         * runtime/VM.cpp:
2313         (JSC::VM::VM):
2314         * runtime/VM.h:
2315         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2316         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2317         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2318
2319 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2320
2321         [ESNext] Async iteration - update feature.json
2322         https://bugs.webkit.org/show_bug.cgi?id=175197
2323
2324         Reviewed by Yusuke Suzuki.
2325
2326         Update feature.json to add the status of Async Iteration.
2327
2328         * features.json:
2329
2330 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2331
2332         Unreviewed, rolling out r220271.
2333
2334         Rolling out due to Layout Test failing on iOS Simulator.
2335
2336         Reverted changeset:
2337
2338         "Remove STREAMS_API compilation guard"
2339         https://bugs.webkit.org/show_bug.cgi?id=175165
2340         http://trac.webkit.org/changeset/220271
2341
2342 2017-08-04  Youenn Fablet  <youenn@apple.com>
2343
2344         Remove STREAMS_API compilation guard
2345         https://bugs.webkit.org/show_bug.cgi?id=175165
2346
2347         Reviewed by Darin Adler.
2348
2349         * Configurations/FeatureDefines.xcconfig:
2350
2351 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2352
2353         [EsNext] Async iteration - Add feature flag
2354         https://bugs.webkit.org/show_bug.cgi?id=166694
2355
2356         Reviewed by Yusuke Suzuki.
2357
2358         Add a feature flag to JSC to switch Async Iterator on/off.
2359
2360         * runtime/Options.h:
2361
2362 2017-08-03  Brian Burg  <bburg@apple.com>
2363
2364         Remove ENABLE(WEB_SOCKET) guards
2365         https://bugs.webkit.org/show_bug.cgi?id=167044
2366
2367         Reviewed by Joseph Pecoraro.
2368
2369         * Configurations/FeatureDefines.xcconfig:
2370
2371 2017-08-03  Youenn Fablet  <youenn@apple.com>
2372
2373         Remove FETCH_API compilation guard
2374         https://bugs.webkit.org/show_bug.cgi?id=175154
2375
2376         Reviewed by Chris Dumez.
2377
2378         * Configurations/FeatureDefines.xcconfig:
2379
2380 2017-08-03  Matt Baker  <mattbaker@apple.com>
2381
2382         Web Inspector: Instrument WebGLProgram created/deleted
2383         https://bugs.webkit.org/show_bug.cgi?id=175059
2384
2385         Reviewed by Devin Rousso.
2386
2387         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2388
2389         * inspector/protocol/Canvas.json:
2390
2391 2017-08-03  Brady Eidson  <beidson@apple.com>
2392
2393         Add SW IDLs and stub out basic functionality.
2394         https://bugs.webkit.org/show_bug.cgi?id=175115
2395
2396         Reviewed by Chris Dumez.
2397
2398         * Configurations/FeatureDefines.xcconfig:
2399
2400         * runtime/CommonIdentifiers.h:
2401
2402 2017-08-03  Mark Lam  <mark.lam@apple.com>
2403
2404         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2405         https://bugs.webkit.org/show_bug.cgi?id=175142
2406         <rdar://problem/33704528>
2407
2408         Reviewed by Filip Pizlo.
2409
2410         The convention in the rest of JSC for such methods which return the address of
2411         a field is to name them "addressOf<field name>".  We'll rename
2412         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2413
2414         * dfg/DFGSpeculativeJIT.cpp:
2415         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2416         * dfg/DFGSpeculativeJIT32_64.cpp:
2417         (JSC::DFG::SpeculativeJIT::compile):
2418         * dfg/DFGSpeculativeJIT64.cpp:
2419         (JSC::DFG::SpeculativeJIT::compile):
2420         * dfg/DFGThunks.cpp:
2421         (JSC::DFG::osrExitGenerationThunkGenerator):
2422         * ftl/FTLLowerDFGToB3.cpp:
2423         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2424         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2425         * ftl/FTLThunks.cpp:
2426         (JSC::FTL::genericGenerationThunkGenerator):
2427         * jit/AssemblyHelpers.cpp:
2428         (JSC::AssemblyHelpers::debugCall):
2429         * jit/ScratchRegisterAllocator.cpp:
2430         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2431         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2432         * runtime/VM.h:
2433         (JSC::ScratchBuffer::addressOfActiveLength):
2434         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2435         * wasm/WasmBinding.cpp:
2436         (JSC::Wasm::wasmToJs):
2437
2438 2017-08-02  Devin Rousso  <drousso@apple.com>
2439
2440         Web Inspector: add stack trace information for each RecordingAction
2441         https://bugs.webkit.org/show_bug.cgi?id=174663
2442
2443         Reviewed by Joseph Pecoraro.
2444
2445         * inspector/ScriptCallFrame.h:
2446         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2447         with an existing value doesn't require a functor and can use existing code.
2448
2449         * interpreter/StackVisitor.h:
2450         * interpreter/StackVisitor.cpp:
2451         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2452
2453 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2454
2455         Merge WTFThreadData to Thread::current
2456         https://bugs.webkit.org/show_bug.cgi?id=174716
2457
2458         Reviewed by Mark Lam.
2459
2460         Use Thread::current() instead.
2461
2462         * API/JSContext.mm:
2463         (+[JSContext currentContext]):
2464         (+[JSContext currentThis]):
2465         (+[JSContext currentCallee]):
2466         (+[JSContext currentArguments]):
2467         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2468         (-[JSContext endCallbackWithData:]):
2469         * heap/Heap.cpp:
2470         (JSC::Heap::requestCollection):
2471         * runtime/Completion.cpp:
2472         (JSC::checkSyntax):
2473         (JSC::checkModuleSyntax):
2474         (JSC::evaluate):
2475         (JSC::loadAndEvaluateModule):
2476         (JSC::loadModule):
2477         (JSC::linkAndEvaluateModule):
2478         (JSC::importModule):
2479         * runtime/Identifier.cpp:
2480         (JSC::Identifier::checkCurrentAtomicStringTable):
2481         * runtime/InitializeThreading.cpp:
2482         (JSC::initializeThreading):
2483         * runtime/JSLock.cpp:
2484         (JSC::JSLock::didAcquireLock):
2485         (JSC::JSLock::willReleaseLock):
2486         (JSC::JSLock::dropAllLocks):
2487         (JSC::JSLock::grabAllLocks):
2488         * runtime/JSLock.h:
2489         * runtime/VM.cpp:
2490         (JSC::VM::VM):
2491         (JSC::VM::updateStackLimits):
2492         (JSC::VM::committedStackByteCount):
2493         * runtime/VM.h:
2494         (JSC::VM::isSafeToRecurse const):
2495         * runtime/VMEntryScope.cpp:
2496         (JSC::VMEntryScope::VMEntryScope):
2497         * runtime/VMInlines.h:
2498         (JSC::VM::ensureStackCapacityFor):
2499         * yarr/YarrPattern.cpp:
2500         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2501
2502 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2503
2504         LLInt should do pointer caging
2505         https://bugs.webkit.org/show_bug.cgi?id=175036
2506
2507         Reviewed by Keith Miller.
2508
2509         Implementing this in the LLInt was challenging because offlineasm did not previously know
2510         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2511         to be where the Gigacage is enabled right now.
2512
2513         * llint/LLIntOfflineAsmConfig.h:
2514         * llint/LowLevelInterpreter64.asm:
2515         * offlineasm/ast.rb:
2516         * offlineasm/x86.rb:
2517
2518 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2519
2520         Sweeping should only scribble when sweeping to free list
2521         https://bugs.webkit.org/show_bug.cgi?id=175105
2522
2523         Reviewed by Saam Barati.
2524         
2525         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2526         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2527         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2528         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2529         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2530         when it doesn't matter anyway because we're building a free list.
2531         
2532         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2533         zap.
2534
2535         * heap/MarkedBlockInlines.h:
2536         (JSC::MarkedBlock::Handle::specializedSweep):
2537
2538 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2539
2540         All C++ accesses to JSObject::m_butterfly should do caging
2541         https://bugs.webkit.org/show_bug.cgi?id=175039
2542
2543         Reviewed by Keith Miller.
2544         
2545         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2546         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2547         outside the gigacage.
2548
2549         * runtime/JSArray.cpp:
2550         (JSC::JSArray::setLength):
2551         (JSC::JSArray::pop):
2552         (JSC::JSArray::push):
2553         (JSC::JSArray::shiftCountWithAnyIndexingType):
2554         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2555         (JSC::JSArray::fillArgList):
2556         (JSC::JSArray::copyToArguments):
2557         * runtime/JSObject.cpp:
2558         (JSC::JSObject::heapSnapshot):
2559         (JSC::JSObject::createInitialIndexedStorage):
2560         (JSC::JSObject::createArrayStorage):
2561         (JSC::JSObject::convertUndecidedToInt32):
2562         (JSC::JSObject::convertUndecidedToDouble):
2563         (JSC::JSObject::convertUndecidedToContiguous):
2564         (JSC::JSObject::convertInt32ToDouble):
2565         (JSC::JSObject::convertInt32ToArrayStorage):
2566         (JSC::JSObject::convertDoubleToContiguous):
2567         (JSC::JSObject::convertDoubleToArrayStorage):
2568         (JSC::JSObject::convertContiguousToArrayStorage):
2569         (JSC::JSObject::defineOwnIndexedProperty):
2570         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2571         (JSC::JSObject::ensureLengthSlow):
2572         (JSC::JSObject::allocateMoreOutOfLineStorage):
2573         * runtime/JSObject.h:
2574         (JSC::JSObject::canGetIndexQuickly):
2575         (JSC::JSObject::getIndexQuickly):
2576         (JSC::JSObject::tryGetIndexQuickly const):
2577         (JSC::JSObject::canSetIndexQuickly):
2578         (JSC::JSObject::setIndexQuickly):
2579         (JSC::JSObject::initializeIndex):
2580         (JSC::JSObject::initializeIndexWithoutBarrier):
2581         (JSC::JSObject::butterfly const):
2582         (JSC::JSObject::butterfly):
2583
2584 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2585
2586         We should be OK with the gigacage being disabled on gmalloc
2587         https://bugs.webkit.org/show_bug.cgi?id=175082
2588
2589         Reviewed by Michael Saboff.
2590
2591         * jsc.cpp:
2592         (jscmain):
2593
2594 2017-08-02  Saam Barati  <sbarati@apple.com>
2595
2596         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2597         https://bugs.webkit.org/show_bug.cgi?id=175041
2598         <rdar://problem/33659370>
2599
2600         Reviewed by Filip Pizlo.
2601
2602         The testing I have done shows that this new function is a ~10%
2603         progression running JetStream on 1GB iOS devices. I've also tried
2604         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2605         or a regression. Right now, we'll just enable this for <= 1GB devices
2606         since it's a win. In the future, we might want to either look into
2607         tweaking these parameters or coming up with a new function for > 1GB
2608         devices.
2609
2610         * heap/Heap.cpp:
2611         * runtime/Options.h:
2612
2613 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2614
2615         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2616         https://bugs.webkit.org/show_bug.cgi?id=174727
2617
2618         Reviewed by Mark Lam.
2619         
2620         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2621         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2622         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2623         
2624         This is neutral on JetStream.
2625
2626         * CMakeLists.txt:
2627         * JavaScriptCore.xcodeproj/project.pbxproj:
2628         * b3/B3InsertionSet.cpp:
2629         (JSC::B3::InsertionSet::execute):
2630         * dfg/DFGAbstractInterpreterInlines.h:
2631         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2632         * dfg/DFGArgumentsEliminationPhase.cpp:
2633         * dfg/DFGClobberize.cpp:
2634         (JSC::DFG::readsOverlap):
2635         * dfg/DFGClobberize.h:
2636         (JSC::DFG::clobberize):
2637         * dfg/DFGDoesGC.cpp:
2638         (JSC::DFG::doesGC):
2639         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2640         (JSC::DFG::performFixedButterflyAccessUncaging):
2641         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2642         * dfg/DFGFixupPhase.cpp:
2643         (JSC::DFG::FixupPhase::fixupNode):
2644         * dfg/DFGHeapLocation.cpp:
2645         (WTF::printInternal):
2646         * dfg/DFGHeapLocation.h:
2647         * dfg/DFGNodeType.h:
2648         * dfg/DFGPlan.cpp:
2649         (JSC::DFG::Plan::compileInThreadImpl):
2650         * dfg/DFGPredictionPropagationPhase.cpp:
2651         * dfg/DFGSafeToExecute.h:
2652         (JSC::DFG::safeToExecute):
2653         * dfg/DFGSpeculativeJIT.cpp:
2654         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2655         * dfg/DFGSpeculativeJIT32_64.cpp:
2656         (JSC::DFG::SpeculativeJIT::compile):
2657         * dfg/DFGSpeculativeJIT64.cpp:
2658         (JSC::DFG::SpeculativeJIT::compile):
2659         * dfg/DFGTypeCheckHoistingPhase.cpp:
2660         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2661         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2662         * ftl/FTLCapabilities.cpp:
2663         (JSC::FTL::canCompile):
2664         * ftl/FTLLowerDFGToB3.cpp:
2665         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2666         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2667         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2668         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2669         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2670         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2671         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2672         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2673         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2674         (JSC::FTL::DFG::LowerDFGToB3::caged):
2675         * heap/GigacageSubspace.cpp: Added.
2676         (JSC::GigacageSubspace::GigacageSubspace):
2677         (JSC::GigacageSubspace::~GigacageSubspace):
2678         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2679         (JSC::GigacageSubspace::freeAlignedMemory):
2680         (JSC::GigacageSubspace::canTradeBlocksWith):
2681         * heap/GigacageSubspace.h: Added.
2682         * heap/Heap.cpp:
2683         (JSC::Heap::Heap):
2684         (JSC::Heap::lastChanceToFinalize):
2685         (JSC::Heap::finalize):
2686         (JSC::Heap::sweepInFinalize):
2687         (JSC::Heap::updateAllocationLimits):
2688         (JSC::Heap::shouldDoFullCollection):
2689         (JSC::Heap::collectIfNecessaryOrDefer):
2690         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2691         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2692         (JSC::Heap::sweepLargeAllocations): Deleted.
2693         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2694         * heap/Heap.h:
2695         * heap/LargeAllocation.cpp:
2696         (JSC::LargeAllocation::tryCreate):
2697         (JSC::LargeAllocation::destroy):
2698         * heap/MarkedAllocator.cpp:
2699         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2700         (JSC::MarkedAllocator::tryAllocateBlock):
2701         * heap/MarkedBlock.cpp:
2702         (JSC::MarkedBlock::tryCreate):
2703         (JSC::MarkedBlock::Handle::Handle):
2704         (JSC::MarkedBlock::Handle::~Handle):
2705         (JSC::MarkedBlock::Handle::didAddToAllocator):
2706         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2707         * heap/MarkedBlock.h:
2708         (JSC::MarkedBlock::Handle::subspace const):
2709         * heap/MarkedSpace.cpp:
2710         (JSC::MarkedSpace::~MarkedSpace):
2711         (JSC::MarkedSpace::freeMemory):
2712         (JSC::MarkedSpace::prepareForAllocation):
2713         (JSC::MarkedSpace::addMarkedAllocator):
2714         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2715         * heap/MarkedSpace.h:
2716         (JSC::MarkedSpace::firstAllocator const):
2717         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2718         * heap/Subspace.cpp:
2719         (JSC::Subspace::Subspace):
2720         (JSC::Subspace::canTradeBlocksWith):
2721         (JSC::Subspace::tryAllocateAlignedMemory):
2722         (JSC::Subspace::freeAlignedMemory):
2723         (JSC::Subspace::prepareForAllocation):
2724         (JSC::Subspace::findEmptyBlockToSteal):
2725         * heap/Subspace.h:
2726         (JSC::Subspace::didCreateFirstAllocator):
2727         * heap/SubspaceInlines.h:
2728         (JSC::Subspace::forEachAllocator):
2729         (JSC::Subspace::forEachMarkedBlock):
2730         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2731         * jit/JITPropertyAccess.cpp:
2732         (JSC::JIT::emitDoubleLoad):
2733         (JSC::JIT::emitContiguousLoad):
2734         (JSC::JIT::emitArrayStorageLoad):
2735         (JSC::JIT::emitGenericContiguousPutByVal):
2736         (JSC::JIT::emitArrayStoragePutByVal):
2737         (JSC::JIT::emit_op_get_from_scope):
2738         (JSC::JIT::emit_op_put_to_scope):
2739         (JSC::JIT::emitIntTypedArrayGetByVal):
2740         (JSC::JIT::emitFloatTypedArrayGetByVal):
2741         (JSC::JIT::emitIntTypedArrayPutByVal):
2742         (JSC::JIT::emitFloatTypedArrayPutByVal):
2743         * jsc.cpp:
2744         (fillBufferWithContentsOfFile):
2745         (functionReadFile):
2746         (gigacageDisabled):
2747         (jscmain):
2748         * llint/LowLevelInterpreter64.asm:
2749         * runtime/ArrayBuffer.cpp:
2750         (JSC::ArrayBufferContents::tryAllocate):
2751         (JSC::ArrayBuffer::createAdopted):
2752         (JSC::ArrayBuffer::createFromBytes):
2753         (JSC::ArrayBuffer::tryCreate):
2754         * runtime/IndexingHeader.h:
2755         * runtime/InitializeThreading.cpp:
2756         (JSC::initializeThreading):
2757         * runtime/JSArrayBuffer.cpp:
2758         * runtime/JSArrayBufferView.cpp:
2759         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2760         (JSC::JSArrayBufferView::finalize):
2761         * runtime/JSLock.cpp:
2762         (JSC::JSLock::didAcquireLock):
2763         * runtime/JSObject.h:
2764         * runtime/Options.cpp:
2765         (JSC::recomputeDependentOptions):
2766         * runtime/Options.h:
2767         * runtime/ScopedArgumentsTable.h:
2768         * runtime/VM.cpp:
2769         (JSC::VM::VM):
2770         (JSC::VM::~VM):
2771         (JSC::VM::gigacageDisabledCallback):
2772         (JSC::VM::gigacageDisabled):
2773         * runtime/VM.h:
2774         (JSC::VM::fireGigacageEnabledIfNecessary):
2775         (JSC::VM::gigacageEnabled):
2776         * wasm/WasmB3IRGenerator.cpp:
2777         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2778         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2779         * wasm/WasmCodeBlock.cpp:
2780         (JSC::Wasm::CodeBlock::isSafeToRun):
2781         * wasm/WasmMemory.cpp:
2782         (JSC::Wasm::makeString):
2783         (JSC::Wasm::Memory::create):
2784         (JSC::Wasm::Memory::~Memory):
2785         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2786         (JSC::Wasm::Memory::grow):
2787         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2788         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2789         * wasm/WasmMemory.h:
2790         * wasm/js/JSWebAssemblyInstance.cpp:
2791         (JSC::JSWebAssemblyInstance::create):
2792         * wasm/js/JSWebAssemblyMemory.cpp:
2793         (JSC::JSWebAssemblyMemory::grow):
2794         (JSC::JSWebAssemblyMemory::finishCreation):
2795         * wasm/js/JSWebAssemblyMemory.h:
2796         (JSC::JSWebAssemblyMemory::subspaceFor):
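
        The two caging entries above (adopting CagedPtr<> for JSObject::m_butterfly, and masking
        butterfly and typed-array accesses in the FTL) describe the same idea. The following is an
        added illustration, not WebKit's or the ChangeLog authors' code: a small C model of pointer
        caging, with a constructed 1 MiB cage standing in for the multi-GB gigacage and a simplified
        `caged()` standing in for JSC's CagedPtr / LowerDFGToB3::caged.

```c
/* Illustrative model of pointer caging (added example; not WebKit's code).
 * A cage is one power-of-two-sized, self-aligned memory region. Before a
 * pointer such as an object's butterfly is dereferenced, it is masked so the
 * resulting address always lies inside the cage: a pointer that has been
 * rewired to point outside the cage simply cannot reach that memory. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed for the demo: a 1 MiB cage (a real gigacage is multi-GB). */
#define CAGE_SIZE ((uintptr_t)1 << 20)

typedef struct {
    uintptr_t base;  /* start of the region, aligned to CAGE_SIZE */
    uintptr_t mask;  /* CAGE_SIZE - 1: selects the offset within the cage */
    void* storage;   /* owning allocation the aligned region is carved from */
} Cage;

static bool cage_init(Cage* cage)
{
    /* Over-allocate so that an aligned CAGE_SIZE window always fits. */
    cage->storage = malloc(2 * CAGE_SIZE);
    if (!cage->storage)
        return false;
    cage->mask = CAGE_SIZE - 1;
    cage->base = ((uintptr_t)cage->storage + cage->mask) & ~cage->mask;
    memset((void*)cage->base, 0, CAGE_SIZE);
    return true;
}

static void cage_destroy(Cage* cage)
{
    free(cage->storage);
    cage->storage = NULL;
}

static bool cage_contains(const Cage* cage, const void* ptr)
{
    uintptr_t p = (uintptr_t)ptr;
    return p >= cage->base && p < cage->base + CAGE_SIZE;
}

/* The caging step: keep only the in-cage offset bits and re-attach the cage
 * base. An address already inside the cage comes back unchanged; any other
 * address is forced to some location inside the cage. */
static void* caged(const Cage* cage, const void* ptr)
{
    return (void*)(cage->base + ((uintptr_t)ptr & cage->mask));
}

/* Minimal stand-in for an object whose out-of-line storage ("butterfly")
 * is expected to live in the cage. */
typedef struct {
    uint64_t* butterfly;
} Object;

/* Caged slot read: the element address, not just the base pointer, is caged,
 * so neither a corrupted butterfly pointer nor an out-of-range index can make
 * the load touch memory outside the cage. */
static uint64_t get_slot_caged(const Cage* cage, const Object* obj, size_t index)
{
    const uint64_t* slot = caged(cage, obj->butterfly + index);
    return *slot;
}

/* Demo: returns true when the model behaves as the ChangeLog describes. */
static bool demo(void)
{
    Cage cage;
    if (!cage_init(&cage))
        return false;

    /* Constructed butterfly at a fixed in-cage offset. */
    uint64_t* bf = (uint64_t*)(cage.base + 4096);
    bf[0] = 42;
    bf[1] = 7;
    Object obj = { bf };
    bool ok = caged(&cage, bf) == (void*)bf;   /* in-cage pointer: unchanged */
    ok = ok && get_slot_caged(&cage, &obj, 1) == 7;

    /* A pointer that does not point into the cage (a stack buffer, here):
     * through the caged accessor its contents are unreachable. */
    uint64_t outside[2] = { 0xdead, 0xbeef };
    obj.butterfly = outside;
    void* redirected = caged(&cage, outside);
    ok = ok && cage_contains(&cage, redirected) && redirected != (void*)outside;
    ok = ok && get_slot_caged(&cage, &obj, 0) != 0xdead;

    /* An address just past the end of the cage is wrapped back inside it. */
    const void* past_end = (const void*)(cage.base + CAGE_SIZE + 8);
    ok = ok && cage_contains(&cage, caged(&cage, past_end));

    cage_destroy(&cage);
    return ok;
}

int main(void)
{
    bool ok = demo();
    printf("caging model behaves as described: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```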
2797
2798 2017-07-31  Mark Lam  <mark.lam@apple.com>
2799
2800         Added some UNLIKELYs to operationOptimize().
2801         https://bugs.webkit.org/show_bug.cgi?id=174976
2802
2803         Reviewed by JF Bastien.
2804
2805         * jit/JITOperations.cpp:
2806
2807 2017-07-31  Keith Miller  <keith_miller@apple.com>
2808
2809         Make more things LLInt constexprs
2810         https://bugs.webkit.org/show_bug.cgi?id=174994
2811
2812         Reviewed by Saam Barati.
2813
2814         This patch makes more of the const values in the LLInt constexprs.
2815         It also deletes all of the no longer necessary static_asserts in
2816         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2817
2818         * interpreter/ShadowChicken.h:
2819         (JSC::ShadowChicken::Packet::tailMarker):
2820         * llint/LLIntData.cpp:
2821         (JSC::LLInt::Data::performAssertions):
2822         * llint/LowLevelInterpreter.asm:
2823         * offlineasm/generate_offset_extractor.rb:
2824         * offlineasm/parser.rb:
2825
2826 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2827
2828         Unreviewed, rolling out r220060.
2829
2830         This broke our internal builds. Contact reviewer of patch for
2831         more information.
2832
2833         Reverted changeset:
2834
2835         "Merge WTFThreadData to Thread::current"
2836         https://bugs.webkit.org/show_bug.cgi?id=174716
2837         http://trac.webkit.org/changeset/220060
2838
2839 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2840
2841         [JSC] Support optional catch binding
2842         https://bugs.webkit.org/show_bug.cgi?id=174981
2843
2844         Reviewed by Saam Barati.
2845
2846         This patch implements the optional catch binding proposal [1], which is now at stage 3.
2847         This proposal adds a new `catch` brace with no error value binding.
2848
2849             ```
2850                 try {
2851                     ...
2852                 } catch {
2853                     ...
2854                 }
2855             ```
2856
2857         Sometimes we do not actually need the error value. For example, the function returns
2858         a boolean which means whether the function succeeds.
2859
2860             ```
2861             function parse(result) // -> bool
2862             {
2863                  try {
2864                      parseInner(result);
2865                  } catch {
2866                      return false;
2867                  }
2868                  return true;
2869             }
2870             ```
2871
2872         In the above case, we are not interested in the actual error value. Without this syntax,
2873         we always need to introduce a binding for an error value that is just ignored.
2874
2875         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2876
2877         * bytecompiler/NodesCodegen.cpp:
2878         (JSC::TryNode::emitBytecode):
2879         * parser/Parser.cpp:
2880         (JSC::Parser<LexerType>::parseTryStatement):
2881
2882 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2883
2884         Merge WTFThreadData to Thread::current
2885         https://bugs.webkit.org/show_bug.cgi?id=174716
2886
2887         Reviewed by Sam Weinig.
2888
2889         Use Thread::current() instead.
2890
2891         * API/JSContext.mm:
2892         (+[JSContext currentContext]):
2893         (+[JSContext currentThis]):
2894         (+[JSContext currentCallee]):
2895         (+[JSContext currentArguments]):
2896         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2897         (-[JSContext endCallbackWithData:]):
2898         * heap/Heap.cpp:
2899         (JSC::Heap::requestCollection):
2900         * runtime/Completion.cpp:
2901         (JSC::checkSyntax):
2902         (JSC::checkModuleSyntax):
2903         (JSC::evaluate):
2904         (JSC::loadAndEvaluateModule):
2905         (JSC::loadModule):
2906         (JSC::linkAndEvaluateModule):
2907         (JSC::importModule):
2908         * runtime/Identifier.cpp:
2909         (JSC::Identifier::checkCurrentAtomicStringTable):
2910         * runtime/InitializeThreading.cpp:
2911         (JSC::initializeThreading):
2912         * runtime/JSLock.cpp:
2913         (JSC::JSLock::didAcquireLock):
2914         (JSC::JSLock::willReleaseLock):
2915         (JSC::JSLock::dropAllLocks):
2916         (JSC::JSLock::grabAllLocks):
2917         * runtime/JSLock.h:
2918         * runtime/VM.cpp:
2919         (JSC::VM::VM):
2920         (JSC::VM::updateStackLimits):
2921         (JSC::VM::committedStackByteCount):
2922         * runtime/VM.h:
2923         (JSC::VM::isSafeToRecurse const):
2924         * runtime/VMEntryScope.cpp:
2925         (JSC::VMEntryScope::VMEntryScope):
2926         * runtime/VMInlines.h:
2927         (JSC::VM::ensureStackCapacityFor):
2928         * yarr/YarrPattern.cpp:
2929         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2930
2931 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2932
2933         [WTF] Introduce Private Symbols
2934         https://bugs.webkit.org/show_bug.cgi?id=174935
2935
2936         Reviewed by Darin Adler.
2937
2938         Use SymbolImpl::isPrivate().
2939
2940         * builtins/BuiltinNames.cpp:
2941         * builtins/BuiltinNames.h:
2942         (JSC::BuiltinNames::isPrivateName): Deleted.
2943         * builtins/BuiltinUtils.h:
2944         * bytecode/BytecodeIntrinsicRegistry.cpp:
2945         (JSC::BytecodeIntrinsicRegistry::lookup):
2946         * runtime/CommonIdentifiers.cpp:
2947         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2948         * runtime/CommonIdentifiers.h:
2949         * runtime/ExceptionHelpers.cpp:
2950         (JSC::createUndefinedVariableError):
2951         * runtime/Identifier.h:
2952         (JSC::Identifier::isPrivateName):
2953         * runtime/IdentifierInlines.h:
2954         (JSC::identifierToSafePublicJSValue):
2955         * runtime/ObjectConstructor.cpp:
2956         (JSC::objectConstructorAssign):
2957         (JSC::defineProperties):
2958         (JSC::setIntegrityLevel):
2959         (JSC::testIntegrityLevel):
2960         (JSC::ownPropertyKeys):
2961         * runtime/PrivateName.h:
2962         (JSC::PrivateName::PrivateName):
2963         * runtime/PropertyName.h:
2964         (JSC::PropertyName::isPrivateName):
2965         * runtime/ProxyObject.cpp:
2966         (JSC::performProxyGet):
2967         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2968         (JSC::ProxyObject::performHasProperty):
2969         (JSC::ProxyObject::performPut):
2970         (JSC::ProxyObject::performDelete):
2971         (JSC::ProxyObject::performDefineOwnProperty):
2972
2973 2017-07-29  Keith Miller  <keith_miller@apple.com>
2974
2975         LLInt offsets extractor should be able to handle C++ constexprs
2976         https://bugs.webkit.org/show_bug.cgi?id=174964
2977
2978         Reviewed by Saam Barati.
2979
2980         This patch adds new syntax to the offline asm language. The new keyword,
2981         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
2982         expression. Additionally, if the value is not an identifier you can wrap it in
2983         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
2984         which will get converted into:
2985         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
2986
2987         This patch also changes the data format the LLIntOffsetsExtractor
2988         binary produces.  Previously, it would produce unsigned values,
2989         after this patch every value is an int64_t.  Using an int64_t is
2990         useful because it means that we can represent any constant needed.
2991         int32_t masks are sign extended, then passed and converted to a
2992         negative literal string in the assembler so it will be the constant
2993         expected.
2994
2995         * llint/LLIntOffsetsExtractor.cpp:
2996         (JSC::LLIntOffsetsExtractor::dummy):
2997         * llint/LowLevelInterpreter.asm:
2998         * llint/LowLevelInterpreter64.asm:
2999         * offlineasm/asm.rb:
3000         * offlineasm/ast.rb:
3001         * offlineasm/generate_offset_extractor.rb:
3002         * offlineasm/offsets.rb:
3003         * offlineasm/parser.rb:
3004         * offlineasm/transform.rb:
3005
3006 2017-07-28  Matt Baker  <mattbaker@apple.com>
3007
3008         Web Inspector: capture an async stack trace when web content calls addEventListener
3009         https://bugs.webkit.org/show_bug.cgi?id=174739
3010         <rdar://problem/33468197>
3011
3012         Reviewed by Brian Burg.
3013
3014         Allow debugger agents to perform custom logic when asynchronous stack
3015         trace data is cleared. For example, the PageDebuggerAgent would clear
3016         its list of registered listeners for which call stacks have been recorded.
3017
3018         * inspector/agents/InspectorDebuggerAgent.cpp:
3019         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3020         * inspector/agents/InspectorDebuggerAgent.h:
3021
3022 2017-07-28  Mark Lam  <mark.lam@apple.com>
3023
3024         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3025         https://bugs.webkit.org/show_bug.cgi?id=174948
3026         <rdar://problem/33495680>
3027
3028         Reviewed by Filip Pizlo.
3029
3030         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3031         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3032         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3033         requests to fire this watchpoint.
3034
3035         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3036         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3037         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3038
3039         But since the watchpoint hasn't been destructed yet, it still remains on the
3040         WatchpointSet and needs to guard against being fired in this state.  The fix is
3041         to simply return early if its owner StructureRareData is not live.  This has the
3042         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3043         not firing as we would expect.
3044
3045         This patch also removes some cargo cult copying of watchpoint code which
3046         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3047         used.  This patch removes these unnecessary instantiations.
3048
3049         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3050         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3051         * runtime/StructureRareData.cpp:
3052         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3053         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3054
3055 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3056
3057         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3058         https://bugs.webkit.org/show_bug.cgi?id=174900
3059
3060         Reviewed by Saam Barati.
3061
3062         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
3063         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
3064         The problem is that the transforming phase also checks these pseudo terminals.
3065
3066             BB1
3067             1: ForceOSRExit
3068             2: CreateDirectArguments
3069
3070             BB2
3071             3: GetButterfly(@2)
3072             4: ForceOSRExit
3073
3074         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
3075
3076         In this patch, we do not list candidates after seeing pseudo terminals in basic blocks.
3077
3078         * dfg/DFGArgumentsEliminationPhase.cpp:
3079
3080 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3081
3082         [ES] Add support finally to Promise
3083         https://bugs.webkit.org/show_bug.cgi?id=174503
3084
3085         Reviewed by Yusuke Suzuki.
3086
3087         Add support for the `finally` method to Promise according
3088         to https://bugs.webkit.org/show_bug.cgi?id=174503.
3089         Current spec, at stage 3:
3090         https://github.com/tc39/proposal-promise-finally
3091
3092         * builtins/PromisePrototype.js:
3093         (finally):
3094         (const.valueThunk):
3095         (globalPrivate.getThenFinally):
3096         (const.thrower):
3097         (globalPrivate.getCatchFinally):
3098         * runtime/JSPromisePrototype.cpp:
3099
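As an added illustration (not JavaScriptCore's builtin, which lives in builtins/PromisePrototype.js), a plain-JavaScript model of `finally` following the proposal's algorithm with the same helper layout named in the entry above (getThenFinally/valueThunk, getCatchFinally/thrower), plus a scenario runner showing value and rejection pass-through, callback override, and waiting on a promise returned from the callback:

```javascript
'use strict';

// Added example (not JavaScriptCore's builtin): a plain-JS model of
// Promise.prototype.finally following the tc39 proposal's algorithm, using the
// same helper layout the ChangeLog entry lists: getThenFinally/valueThunk and
// getCatchFinally/thrower. Kept as a standalone function so the engine's own
// Promise.prototype.finally is left untouched.

// Fulfillment path: run onFinally with no arguments, wait for whatever it
// returns, then hand the ORIGINAL value through (valueThunk).
function getThenFinally(onFinally, C) {
  return function thenFinally(value) {
    const result = onFinally();
    const promise = C.resolve(result);
    const valueThunk = () => value;
    return promise.then(valueThunk);
  };
}

// Rejection path: same, but re-raise the ORIGINAL reason afterwards (thrower).
function getCatchFinally(onFinally, C) {
  return function catchFinally(reason) {
    const result = onFinally();
    const promise = C.resolve(result);
    const thrower = () => { throw reason; };
    return promise.then(thrower);
  };
}

// Equivalent of promise.finally(onFinally). The spec picks C via
// SpeciesConstructor(promise, %Promise%); for plain promises that is Promise.
function promiseFinally(promise, onFinally) {
  const C = promise.constructor || Promise;
  if (typeof onFinally !== 'function') {
    // Non-callable onFinally degrades to then(onFinally, onFinally), i.e.
    // plain pass-through of both value and reason.
    return promise.then(onFinally, onFinally);
  }
  return promise.then(getThenFinally(onFinally, C), getCatchFinally(onFinally, C));
}

// Exercises the behaviours readers most often get wrong. Returns a record of
// outcomes so it can be checked without inspecting console output.
async function runScenarios() {
  const log = [];

  // 1. Fulfilled value passes through; the callback receives no arguments.
  const value = await promiseFinally(Promise.resolve(42), (...args) => {
    log.push(`args:${args.length}`);
  });

  // 2. Rejection reason passes through after the callback has run.
  let caught = null;
  try {
    await promiseFinally(Promise.reject(new Error('boom')), () => log.push('cleanup'));
  } catch (e) {
    caught = e.message;
  }

  // 3. A callback that throws replaces the original (fulfilled) outcome.
  let overridden = null;
  try {
    await promiseFinally(Promise.resolve('ok'), () => { throw new Error('override'); });
  } catch (e) {
    overridden = e.message;
  }

  // 4. A promise returned from the callback is awaited first; its own value is
  //    discarded and the original value still comes through.
  const delayed = await promiseFinally(Promise.resolve('late'), () =>
    new Promise((resolve) => setTimeout(() => { log.push('waited'); resolve('ignored'); }, 5)));

  // 5. Non-callable onFinally is a plain pass-through.
  const passthrough = await promiseFinally(Promise.resolve('raw'), undefined);

  return { value, caught, overridden, delayed, passthrough, log };
}

if (typeof require !== 'undefined' && require.main === module) {
  runScenarios().then((r) => console.log(JSON.stringify(r)));
}
```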
3100 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3101
3102         Unreviewed, build fix for CLoop
3103         https://bugs.webkit.org/show_bug.cgi?id=171637
3104
3105         * domjit/DOMJITGetterSetter.h:
3106
3107 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3108
3109         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3110         https://bugs.webkit.org/show_bug.cgi?id=171637
3111
3112         Reviewed by Darin Adler.
3113
3114         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
3115         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
3116
3117         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
3118         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
3119
3120         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for the
3121         op_get_by_id_with_this case yet.
3122         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to CheckSubClass.
3123
3124         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
3125         ClassInfo check.
3126
3127         * CMakeLists.txt:
3128         * JavaScriptCore.xcodeproj/project.pbxproj:
3129         * bytecode/AccessCase.cpp:
3130         (JSC::AccessCase::generateImpl):
3131         * bytecode/GetByIdStatus.cpp:
3132         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3133         * bytecode/GetByIdVariant.cpp:
3134         (JSC::GetByIdVariant::GetByIdVariant):
3135         (JSC::GetByIdVariant::operator=):
3136         (JSC::GetByIdVariant::attemptToMerge):
3137         (JSC::GetByIdVariant::dumpInContext):
3138         * bytecode/GetByIdVariant.h:
3139         (JSC::GetByIdVariant::customAccessorGetter):
3140         (JSC::GetByIdVariant::domAttribute):
3141         (JSC::GetByIdVariant::domJIT): Deleted.
3142         * bytecode/GetterSetterAccessCase.cpp:
3143         (JSC::GetterSetterAccessCase::create):
3144         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3145         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3146         * bytecode/GetterSetterAccessCase.h:
3147         (JSC::GetterSetterAccessCase::domAttribute):
3148         (JSC::GetterSetterAccessCase::customAccessor):
3149         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3150         * bytecompiler/BytecodeGenerator.cpp:
3151         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3152         * create_hash_table:
3153         * dfg/DFGAbstractInterpreterInlines.h:
3154         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3155         * dfg/DFGByteCodeParser.cpp:
3156         (JSC::DFG::blessCallDOMGetter):
3157         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3158         (JSC::DFG::ByteCodeParser::handleGetById):
3159         * dfg/DFGClobberize.h:
3160         (JSC::DFG::clobberize):
3161         * dfg/DFGFixupPhase.cpp:
3162         (JSC::DFG::FixupPhase::fixupNode):
3163         * dfg/DFGNode.h:
3164         * dfg/DFGSpeculativeJIT.cpp:
3165         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3166         * dfg/DFGSpeculativeJIT.h:
3167         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3168         * domjit/DOMJITGetterSetter.h:
3169         (JSC::DOMJIT::GetterSetter::GetterSetter):
3170         (JSC::DOMJIT::GetterSetter::getter):
3171         (JSC::DOMJIT::GetterSetter::compiler):
3172         (JSC::DOMJIT::GetterSetter::resultType):
3173         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3174         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3175         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3176         * ftl/FTLLowerDFGToB3.cpp:
3177         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3178         * jit/Repatch.cpp:
3179         (JSC::tryCacheGetByID):
3180         * jsc.cpp:
3181         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3182         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3183         (WTF::DOMJITGetter::customGetter):
3184         (WTF::DOMJITGetter::finishCreation):
3185         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3186         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3187         (WTF::DOMJITGetterComplex::customGetter):
3188         (WTF::DOMJITGetterComplex::finishCreation):
3189         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3190         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3191         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3192         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3193         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3194         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3195         * runtime/CustomGetterSetter.h:
3196         (JSC::CustomGetterSetter::create):
3197         (JSC::CustomGetterSetter::setter):
3198         (JSC::CustomGetterSetter::CustomGetterSetter):
3199         (): Deleted.
3200         * runtime/DOMAnnotation.h: Added.
3201         (JSC::operator==):
3202         (JSC::operator!=):
3203         * runtime/DOMAttributeGetterSetter.cpp: Added.
3204         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3205         (JSC::isDOMAttributeGetterSetter):
3206         * runtime/Error.cpp:
3207         (JSC::throwDOMAttributeGetterTypeError):
3208         * runtime/Error.h:
3209         (JSC::throwVMDOMAttributeGetterTypeError):
3210         * runtime/JSCustomGetterSetterFunction.cpp:
3211         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3212         * runtime/JSObject.cpp:
3213         (JSC::JSObject::putInlineSlow):
3214         (JSC::JSObject::deleteProperty):
3215         (JSC::JSObject::getOwnStaticPropertySlot):
3216         (JSC::JSObject::reifyAllStaticProperties):
3217         (JSC::JSObject::fillGetterPropertySlot):
3218         (JSC::JSObject::findPropertyHashEntry): Deleted.
3219         * runtime/JSObject.h:
3220         (JSC::JSObject::getOwnNonIndexPropertySlot):
3221         (JSC::JSObject::fillCustomGetterPropertySlot):
3222         * runtime/Lookup.cpp:
3223         (JSC::setUpStaticFunctionSlot):
3224         * runtime/Lookup.h:
3225         (JSC::HashTableValue::domJIT):
3226         (JSC::getStaticPropertySlotFromTable):
3227         (JSC::putEntry):
3228         (JSC::lookupPut):
3229         (JSC::reifyStaticProperty):
3230         (JSC::reifyStaticProperties):
3231         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
3232         this static property table require.
3233
3234         * runtime/ProgramExecutable.cpp:
3235         (JSC::ProgramExecutable::initializeGlobalProperties):
3236         * runtime/PropertyName.h:
3237         * runtime/PropertySlot.cpp:
3238         (JSC::PropertySlot::customGetter):
3239         (JSC::PropertySlot::customAccessorGetter):
3240         * runtime/PropertySlot.h:
3241         (JSC::PropertySlot::domAttribute):
3242         (JSC::PropertySlot::setCustom):
3243         (JSC::PropertySlot::setCacheableCustom):
3244         (JSC::PropertySlot::getValue):
3245         (JSC::PropertySlot::domJIT): Deleted.
3246         * runtime/VM.cpp:
3247         (JSC::VM::VM):
3248         * runtime/VM.h:
3249
3250 2017-07-26  Devin Rousso  <drousso@apple.com>
3251
3252         Web Inspector: create protocol for recording Canvas contexts
3253         https://bugs.webkit.org/show_bug.cgi?id=174481
3254
3255         Reviewed by Joseph Pecoraro.
3256
3257         * inspector/protocol/Canvas.json:
3258          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3259          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3260          - Add `recordingFinished` event that is fired once a recording is finished.
3261
3262         * CMakeLists.txt:
3263         * DerivedSources.make:
3264         * inspector/protocol/Recording.json: Added.
3265          - Add `Type` enum that lists the types of recordings
3266          - Add `InitialState` type that contains information about the canvas context at the
3267            beginning of the recording.
3268          - Add `Frame` type that holds a list of actions that were recorded.
3269          - Add `Recording` type as the container object of recording data.
3270
3271         * inspector/scripts/codegen/generate_js_backend_commands.py:
3272         (JSBackendCommandsGenerator.generate_domain):
3273         Create an agent for domains with no events or commands.
3274
3275         * inspector/InspectorValues.h:
3276         Make Array `get` public so that values can be retrieved if needed.
3277
3278 2017-07-26  Brian Burg  <bburg@apple.com>
3279
3280         Remove WEB_TIMING feature flag
3281         https://bugs.webkit.org/show_bug.cgi?id=174795
3282
3283         Reviewed by Alex Christensen.
3284
3285         * Configurations/FeatureDefines.xcconfig:
3286
3287 2017-07-26  Mark Lam  <mark.lam@apple.com>
3288
3289         Add the ability to change sp and pc to the ARM64 JIT probe.
3290         https://bugs.webkit.org/show_bug.cgi?id=174697
3291         <rdar://problem/33436965>
3292
3293         Reviewed by JF Bastien.
3294
3295         This patch implements the following:
3296
3297         1. The ARM64 probe now supports modifying the pc and sp.
3298
3299            However, lr is not preserved when modifying the pc because it is used as the
3300            scratch register for the indirect jump. Hence, the probe handler function
3301            may not modify both lr and pc in the same probe invocation.
3302
3303         2. Fix probe tests to use bitwise comparison when comparing double register
3304            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
3305
3306         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
3307            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
3308            instructions which require 16 byte alignment for their memory access.
3309
3310         * assembler/MacroAssemblerARM64.cpp:
3311         (JSC::arm64ProbeError):
3312         (JSC::MacroAssembler::probe):
3313         (JSC::arm64ProbeTrampoline): Deleted.
3314         * assembler/testmasm.cpp:
3315         (JSC::isSpecialGPR):
3316         (JSC::testProbeReadsArgumentRegisters):
3317         (JSC::testProbeWritesArgumentRegisters):
3318         (JSC::testProbePreservesGPRS):
3319         (JSC::testProbeModifiesStackPointer):
3320         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3321         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3322
3323 2017-07-25  JF Bastien  <jfbastien@apple.com>
3324
3325         WebAssembly: generate smaller binaries
3326         https://bugs.webkit.org/show_bug.cgi?id=174818
3327
3328         Reviewed by Filip Pizlo.
3329
3330         This patch reduces generated code size for WebAssembly in 2 ways:
3331
3332         1. Use the ZR register when storing zero on ARM64.
3333         2. Synthesize wasm context lazily.
3334
3335         This leads to a modest size reduction on both x86-64 and ARM64 for
3336         large WebAssembly games, without any performance loss on WasmBench
3337         and TitzerBench.
3338
3339         The reason this works is that these games, using Emscripten,
3340         generate 100k+ tiny functions, and our JIT allocation granule
3341         rounds all allocations up to 32 bytes. There are plenty of other
3342         simple gains to be had, I've filed a follow-up bug at
3343         webkit.org/b/174819
3344
3345         We should further avoid the per-function cost of tiering, which
3346         represents the bulk of code generated for small functions.
3347
3348         * assembler/MacroAssemblerARM64.h:
3349         (JSC::MacroAssemblerARM64::storeZero64):
3350         * assembler/MacroAssemblerX86_64.h:
3351         (JSC::MacroAssemblerX86_64::storeZero64):
3352         * b3/B3LowerToAir.cpp:
3353         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
3354         for x86 because it constrains register reuse and codegen in a way
3355         that doesn't affect ARM64 because it has a dedicated zero
3356         register.
3357         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
3358         * wasm/WasmB3IRGenerator.cpp:
3359         (JSC::Wasm::B3IRGenerator::instanceValue):
3360         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
3361         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3362         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
3363
3364 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
3365
3366         B3 should do LICM
3367         https://bugs.webkit.org/show_bug.cgi?id=174750
3368
3369         Reviewed by Keith Miller and Saam Barati.
3370         
3371         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
3372         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
3373         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
3374         change templatizes DFG::NaturalLoops so that we can just use it.
3375         
3376         The LICM phase itself is really simple. We are decently precise with our handling of everything except
3377         the relationship between control dependence and side exits.
3378         
3379         Also added a bunch of tests.
3380         
3381         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
3382         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
3383         so it doesn't hurt to have it.
3384         
3385         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
3386         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
3387         it's good to have it because LICM is one of those core compiler phases; every compiler has it
3388         eventually.
3389
3390         * CMakeLists.txt:
3391         * JavaScriptCore.xcodeproj/project.pbxproj:
3392         * b3/B3BackwardsCFG.h: Added.
3393         (JSC::B3::BackwardsCFG::BackwardsCFG):
3394         * b3/B3BackwardsDominators.h: Added.
3395         (JSC::B3::BackwardsDominators::BackwardsDominators):
3396         * b3/B3BasicBlock.cpp:
3397         (JSC::B3::BasicBlock::appendNonTerminal):
3398         * b3/B3Effects.h:
3399         * b3/B3EnsureLoopPreHeaders.cpp: Added.
3400         (JSC::B3::ensureLoopPreHeaders):
3401         * b3/B3EnsureLoopPreHeaders.h: Added.
3402         * b3/B3Generate.cpp:
3403         (JSC::B3::generateToAir):
3404         * b3/B3HoistLoopInvariantValues.cpp: Added.
3405         (JSC::B3::hoistLoopInvariantValues):
3406         * b3/B3HoistLoopInvariantValues.h: Added.
3407         * b3/B3NaturalLoops.h: Added.
3408         (JSC::B3::NaturalLoops::NaturalLoops):
3409         * b3/B3Procedure.cpp:
3410         (JSC::B3::Procedure::invalidateCFG):
3411         (JSC::B3::Procedure::naturalLoops):
3412         (JSC::B3::Procedure::backwardsCFG):
3413         (JSC::B3::Procedure::backwardsDominators):
3414         * b3/B3Procedure.h:
3415         * b3/testb3.cpp:
3416         (JSC::B3::generateLoop):
3417         (JSC::B3::makeArrayForLoops):
3418         (JSC::B3::generateLoopNotBackwardsDominant):
3419         (JSC::B3::oneFunction):
3420         (JSC::B3::noOpFunction):
3421         (JSC::B3::testLICMPure):
3422         (JSC::B3::testLICMPureSideExits):
3423         (JSC::B3::testLICMPureWritesPinned):
3424         (JSC::B3::testLICMPureWrites):
3425         (JSC::B3::testLICMReadsLocalState):
3426         (JSC::B3::testLICMReadsPinned):
3427         (JSC::B3::testLICMReads):
3428         (JSC::B3::testLICMPureNotBackwardsDominant):
3429         (JSC::B3::testLICMPureFoiledByChild):
3430         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
3431         (JSC::B3::testLICMExitsSideways):
3432         (JSC::B3::testLICMWritesLocalState):
3433         (JSC::B3::testLICMWrites):
3434         (JSC::B3::testLICMFence):
3435         (JSC::B3::testLICMWritesPinned):
3436         (JSC::B3::testLICMControlDependent):
3437         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
3438         (JSC::B3::testLICMControlDependentSideExits):
3439         (JSC::B3::testLICMReadsPinnedWritesPinned):
3440         (JSC::B3::testLICMReadsWritesDifferentHeaps):
3441         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
3442         (JSC::B3::testLICMDefaultCall):
3443         (JSC::B3::run):
3444         * dfg/DFGBasicBlock.h:
3445         * dfg/DFGCFG.h:
3446         * dfg/DFGNaturalLoops.cpp: Removed.
3447         * dfg/DFGNaturalLoops.h:
3448         (JSC::DFG::NaturalLoops::NaturalLoops):
3449         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
3450         (JSC::DFG::NaturalLoop::header): Deleted.
3451         (JSC::DFG::NaturalLoop::size): Deleted.
3452         (JSC::DFG::NaturalLoop::at): Deleted.
3453         (JSC::DFG::NaturalLoop::operator[]): Deleted.
3454         (JSC::DFG::NaturalLoop::contains): Deleted.
3455         (JSC::DFG::NaturalLoop::index): Deleted.
3456         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
3457         (JSC::DFG::NaturalLoop::addBlock): Deleted.
3458         (JSC::DFG::NaturalLoops::numLoops): Deleted.
3459         (JSC::DFG::NaturalLoops::loop): Deleted.
3460         (JSC::DFG::NaturalLoops::headerOf): Deleted.
3461         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
3462         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
3463         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
3464         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
3465
3466 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
3467
3468         GC should be fine with trading blocks between destructor and non-destructor blocks
3469         https://bugs.webkit.org/show_bug.cgi?id=174811
3470
3471         Reviewed by Mark Lam.
3472         
3473         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
3474         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
3475         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
3476         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
3477         set.
3478         
3479         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
3480         is empty if:
3481         
3482         A) It has no live objects and it's a non-destructor block, or
3483         B) We just allocated it (so it has no destructors even if it's a destructor block), or
3484         C) We just stole it from another allocator (so it also has no destructors), or
3485         D) We just swept the block and ran all destructors.
3486         
3487         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
3488         block that could be stolen.
3489
3490         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
3491         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
3492         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
3493         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
3494         
3495         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
3496         
3497         If we tried to enable trading of blocks between allocators without making any changes to how
3498         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
3499         live objects in order for those bits to be candidates for trading. But if we do that, then our
3500         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
3501         our destructors won't run and we'll leak memory.
3502         
3503         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
3504         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
3505         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
3506         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
3507         are (empty & ~destructible).
3508         
3509         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
3510         remove destructor-oriented special-casing of block trading.
3511
3512         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
3513         so this change is more about clean-up than perf. But, this could reduce memory usage in some
3514         pathological cases.
3515         
3516         * heap/MarkedAllocator.cpp:
3517         (JSC::MarkedAllocator::findEmptyBlockToSteal):
3518         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
3519         (JSC::MarkedAllocator::endMarking):
3520         (JSC::MarkedAllocator::shrink):
3521         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
3522         * heap/MarkedAllocator.h:
3523         * heap/MarkedBlock.cpp:
3524         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
3525         (JSC::MarkedBlock::Handle::sweep):
3526         * heap/MarkedBlockInlines.h:
3527         (JSC::MarkedBlock::Handle::specializedSweep):
3528         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
3529         (JSC::MarkedBlock::Handle::emptyMode):
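
        The `empty` / `destructible` bookkeeping described above, as an added toy model in C++ (not JSC code: the block, heap and function names are hypothetical, and sweeping a destructible block before it is handed to the stealing allocator is this model's assumption, not something the entry states):

```cpp
// Added example, not JSC code: a toy model of the `empty` / `destructible` block
// bookkeeping described in the entry above. All names are hypothetical.
#include <cstddef>
#include <utility>
#include <vector>
enum class CellState { Garbage, Object, Zapped }; // Garbage = never written (cases B and C)
struct Cell { CellState state = CellState::Garbage; bool marked = false; };
// `empty`: no live objects (trading / shrink candidate). `destructible`: may still hold
// dead objects whose destructors have not run. `hasDestructors`: destructor subspace.
struct Block { bool hasDestructors = false, empty = false, destructible = false; std::vector<Cell> cells; };
// destructorsRun should equal the number of dead objects; garbageDestructed counts sweeps over garbage bits (the crash the entry describes).
struct Heap { std::vector<Block> blocks; size_t destructorsRun = 0, garbageDestructed = 0; };
// Case B: a freshly allocated block holds garbage bits and has nothing to destruct.
Block newBlock(bool hasDestructors, size_t n) { Block b; b.hasDestructors = hasDestructors; b.empty = true; b.cells.resize(n); return b; }

// End of marking: `empty` answers "any live objects?" and `destructible` answers
// "might any cell still need its destructor?"; the two questions are decoupled.
void endMarking(Heap& heap) {
    for (Block& b : heap.blocks) {
        bool anyLive = false, anyObject = false;
        for (const Cell& c : b.cells) { anyLive = anyLive || c.marked; anyObject = anyObject || c.state == CellState::Object; }
        b.empty = !anyLive;
        if (b.hasDestructors && anyObject) b.destructible = true;
    }
}

// Case D: run destructors for dead objects, then clear `destructible`. A block whose
// bit is clear is never inspected, so garbage bits are never mistaken for objects.
void sweep(Heap& heap, Block& b) {
    if (b.destructible) {
        for (Cell& c : b.cells) {
            if (c.state == CellState::Garbage) ++heap.garbageDestructed;
            else if (c.state == CellState::Object && !c.marked) { ++heap.destructorsRun; c.state = CellState::Zapped; }
        }
    }
    b.destructible = false;
}

// Trading (case C): any `empty` block may be stolen, destructor block or not. The model
// assumes it is swept first so destructors run before the new owner reuses the cells.
Block* stealEmptyBlock(Heap& heap) {
    for (Block& b : heap.blocks) {
        if (!b.empty) continue;
        if (b.destructible) sweep(heap, b);
        return &b;
    }
    return nullptr;
}

// Shrink frees only blocks that are (empty & ~destructible).
size_t shrink(Heap& heap) {
    std::vector<Block> kept;
    size_t removed = 0;
    for (Block& b : heap.blocks) { if (b.empty && !b.destructible) ++removed; else kept.push_back(std::move(b)); }
    heap.blocks = std::move(kept);
    return removed;
}

struct Outcome { size_t destructorsRun, garbageDestructed, removedBeforeSweep, removedAfterSweep; bool stoleDestructorBlock; };
Outcome runScenario() {
    Heap heap;
    heap.blocks.push_back(newBlock(true, 4));  // destructor block: fully used, then every object dies
    heap.blocks.push_back(newBlock(false, 4)); // case B: fresh block with garbage bits
    for (Cell& c : heap.blocks[0].cells) c.state = CellState::Object;
    endMarking(heap);                          // block 0: empty & destructible; block 1: empty & ~destructible
    Outcome o{};
    sweep(heap, heap.blocks[1]);               // fresh block: `destructible` is clear, nothing is inspected
    o.removedBeforeSweep = shrink(heap);       // only the fresh block goes; block 0 still owes destructors
    Block* stolen = stealEmptyBlock(heap);     // block 0 is traded, running its destructors on the way
    o.stoleDestructorBlock = stolen && stolen->hasDestructors;
    o.removedAfterSweep = shrink(heap);        // block 0 is now (empty & ~destructible) as well
    o.destructorsRun = heap.destructorsRun; o.garbageDestructed = heap.garbageDestructed;
    return o;
}
```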
3530
3531 2017-07-25  Keith Miller  <keith_miller@apple.com>
3532
3533         Remove Broken CompareEq constant folding phase.
3534         https://bugs.webkit.org/show_bug.cgi?id=174846
3535         <rdar://problem/32978808>
3536
3537         Reviewed by Saam Barati.
3538
3539         This bug happened when we would get code like the following:
3540
3541         a: JSConst(Undefined)
3542         b: GetLocal(SomeObjectOrUndefined)
3543         ...
3544         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
3545
3546         constant folding will turn this into:
3547
3548         a: JSConst(Undefined)
3549         b: GetLocal(SomeObjectOrUndefined)
3550         ...
3551         c: CompareEq(Check:ObjectOrOther:b, Other:a)
3552
3553         But the SpeculativeJIT/FTL lowering will fail to check b
3554         properly which leads to an assertion failure in the AI.
3555
3556         I'll follow up with a more robust fix later. For now, I'll remove the
3557         case that generates the code. Removing the code appears to be perf
3558         neutral.
3559
3560         * dfg/DFGConstantFoldingPhase.cpp:
3561         (JSC::DFG::ConstantFoldingPhase::foldConstants):
3562
3563 2017-07-25  Matt Baker  <mattbaker@apple.com>
3564
3565         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
3566         https://bugs.webkit.org/show_bug.cgi?id=174738
3567
3568         Reviewed by Brian Burg.
3569
3570         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
3571         stack traces. This preserves the call type in JSC, makes the range of
3572         possible call types explicit, and is safer than passing ints.
3573
3574         * inspector/agents/InspectorDebuggerAgent.cpp:
3575         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
3576         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
3577         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
3578         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
3579         * inspector/agents/InspectorDebuggerAgent.h:
3580
3581 2017-07-25  Mark Lam  <mark.lam@apple.com>
3582
3583         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
3584         https://bugs.webkit.org/show_bug.cgi?id=174809
3585         <rdar://problem/33504759>
3586
3587         Reviewed by Filip Pizlo.
3588
3589         1. When the probe handler function changes the sp register to point to the
3590            region of stack in the middle of the ProbeContext on the stack, there is a
3591            bug where the ProbeContext's register values to be restored can be over-written
3592            before they can be restored.  This is now fixed.
3593
3594         2. Added more robust probe tests for changing the sp register.
3595
3596         3. Made existing probe tests ensure that probe handlers were actually called.
3597
3598         4. Added some verification to testProbePreservesGPRS().
3599
3600         5. Changed all the probe tests to fail early on discovering an error instead of
3601            batching till the end of the test.  This helps point a finger to the failing
3602            issue earlier.
3603
3604         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
3605         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
3606
3607         * assembler/MacroAssemblerARM.cpp:
3608         * assembler/MacroAssemblerARMv7.cpp:
3609         * assembler/MacroAssemblerX86Common.cpp:
3610         * assembler/testmasm.cpp:
3611         (JSC::testProbeReadsArgumentRegisters):
3612         (JSC::testProbeWritesArgumentRegisters):
3613         (JSC::testProbePreservesGPRS):
3614         (JSC::testProbeModifiesStackPointer):
3615         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3616         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3617         (JSC::testProbeModifiesProgramCounter):
3618         (JSC::run):
3619
3620 2017-07-25  Brian Burg  <bburg@apple.com>
3621
3622         Web Automation: add support for uploading files
3623         https://bugs.webkit.org/show_bug.cgi?id=174797
3624         <rdar://problem/28485063>
3625
3626         Reviewed by Joseph Pecoraro.
3627
3628         * inspector/scripts/generate-inspector-protocol-bindings.py:
3629         (generate_from_specification):
3630         Start generating frontend dispatcher code if the target framework is 'WebKit'.
3631
3632         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3633         (CppFrontendDispatcherImplementationGenerator.generate_output):
3634         Use a framework include for InspectorFrontendRouter.h since this generated code
3635         will be compiled outside of WebCore.framework.
3636
3637         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3638         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3639         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3640         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3641         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3642         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3643         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3644         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3645         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3646         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3647         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3648         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3649         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3650         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3651         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3652         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3653         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3654         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3655         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3656         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3657         Rebaseline code generator tests.
3658
3659 2017-07-24  Mark Lam  <mark.lam@apple.com>
3660
3661         Gardening: fixed C Loop build after r219790.
3662         https://bugs.webkit.org/show_bug.cgi?id=174696
3663
3664         Not reviewed.
3665
3666         * assembler/testmasm.cpp:
3667
3668 2017-07-23  Mark Lam  <mark.lam@apple.com>
3669
3670         Create regression tests for the JIT probe.
3671         https://bugs.webkit.org/show_bug.cgi?id=174696
3672         <rdar://problem/33436922>
3673
3674         Reviewed by Saam Barati.
3675
3676         The new testmasm will test the following:
3677         1. the probe is able to read the value of CPU registers.
3678         2. the probe is able to write the value of CPU registers.
3679         3. the probe is able to preserve all CPU registers.
3680         4. special case of (2): the probe is able to change the value of the stack pointer.
3681         5. special case of (2): the probe is able to change the value of the program counter
3682            i.e. the probe can change where the code continues executing upon returning from
3683            the probe.
3684
3685         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
3686         because it does not support changing the sp and pc yet.  The ARM64 probe
3687         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
3688         later.
3689
3690         * Configurations/ToolExecutable.xcconfig:
3691         * JavaScriptCore.xcodeproj/project.pbxproj:
3692         * assembler/MacroAssembler.h:
3693         (JSC::MacroAssembler::CPUState::pc):
3694         (JSC::MacroAssembler::CPUState::fp):
3695         (JSC::MacroAssembler::CPUState::sp):
3696         (JSC::ProbeContext::pc):
3697         (JSC::ProbeContext::fp):
3698         (JSC::ProbeContext::sp):
3699         * assembler/MacroAssemblerARM64.cpp:
3700         (JSC::arm64ProbeTrampoline):
3701         * assembler/MacroAssemblerPrinter.cpp:
3702         (JSC::Printer::printPCRegister):
3703         * assembler/testmasm.cpp: Added.
3704         (hiddenTruthBecauseNoReturnIsStupid):
3705         (usage):
3706         (JSC::nextID):
3707         (JSC::isPC):
3708         (JSC::isSP):
3709         (JSC::isFP):
3710         (JSC::compile):
3711         (JSC::invoke):
3712         (JSC::compileAndRun):
3713         (JSC::testSimple):
3714         (JSC::testProbeReadsArgumentRegisters):
3715         (JSC::testProbeWritesArgumentRegisters):
3716         (JSC::testFunctionToTrashRegisters):
3717         (JSC::testProbePreservesGPRS):
3718         (JSC::testProbeModifiesStackPointer):
3719         (JSC::testProbeModifiesProgramCounter):
3720         (JSC::run):
3721         (run):
3722         (main):
3723         * b3/air/testair.cpp:
3724         (usage):
3725         * shell/CMakeLists.txt:
3726
3727 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
3728
3729         It should be easy to decide how WebKit yields
3730         https://bugs.webkit.org/show_bug.cgi?id=174298
3731
3732         Reviewed by Saam Barati.
3733         
3734         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
3735
3736         * heap/Heap.cpp:
3737         (JSC::Heap::resumeThePeriphery):
3738         * heap/VisitingTimeout.h:
3739         * runtime/JSCell.cpp:
3740         (JSC::JSCell::lockSlow):
3741         (JSC::JSCell::unlockSlow):
3742         * runtime/JSCell.h:
3743         * runtime/JSCellInlines.h:
3744         (JSC::JSCell::lock):
3745         (JSC::JSCell::unlock):
3746         * runtime/JSLock.cpp:
3747         (JSC::JSLock::grabAllLocks):
3748         * runtime/SamplingProfiler.cpp:
3749
3750 2017-07-21  Mark Lam  <mark.lam@apple.com>
3751
3752         Refactor MASM probe CPUState to use arrays for register storage.
3753         https://bugs.webkit.org/show_bug.cgi?id=174694
3754
3755         Reviewed by Keith Miller.
3756
3757         Using arrays for register storage in CPUState allows us to do away with the
3758         huge switch statements to decode each register id.  We can now simply index into
3759         the arrays.
3760
3761         With this patch, we now:
3762
3763         1. Remove the need for macros for defining the list of CPU registers.
3764            We can go back to simple enums.  This makes the code easier to read.
3765
3766         2. Make the assembler the authority on register names.
3767            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
3768            GPRInfo and FPRInfo now forward to the assembler.
3769
3770         3. Make the assembler the authority on the number of registers of each type.
3771
3772         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
3773            This is inconsistent with how every other CPU architecture implements
3774            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
3775            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
3776
3777         * assembler/ARM64Assembler.h:
3778         (JSC::ARM64Assembler::numberOfRegisters):
3779         (JSC::ARM64Assembler::firstSPRegister):
3780         (JSC::ARM64Assembler::lastSPRegister):
3781         (JSC::ARM64Assembler::numberOfSPRegisters):
3782         (JSC::ARM64Assembler::numberOfFPRegisters):
3783         (JSC::ARM64Assembler::gprName):
3784         (JSC::ARM64Assembler::sprName):
3785         (JSC::ARM64Assembler::fprName):
3786         * assembler/ARMAssembler.h:
3787         (JSC::ARMAssembler::numberOfRegisters):
3788         (JSC::ARMAssembler::firstSPRegister):
3789         (JSC::ARMAssembler::lastSPRegister):
3790         (JSC::ARMAssembler::numberOfSPRegisters):
3791         (JSC::ARMAssembler::numberOfFPRegisters):
3792         (JSC::ARMAssembler::gprName):
3793         (JSC::ARMAssembler::sprName):
3794         (JSC::ARMAssembler::fprName):
3795         * assembler/ARMv7Assembler.h:
3796         (JSC::ARMv7Assembler::lastRegister):
3797         (JSC::ARMv7Assembler::numberOfRegisters):
3798         (JSC::ARMv7Assembler::firstSPRegister):
3799         (JSC::ARMv7Assembler::lastSPRegister):
3800         (JSC::ARMv7Assembler::numberOfSPRegisters):
3801         (JSC::ARMv7Assembler::numberOfFPRegisters):
3802         (JSC::ARMv7Assembler::gprName):
3803         (JSC::ARMv7Assembler::sprName):
3804         (JSC::ARMv7Assembler::fprName):
3805         * assembler/AbstractMacroAssembler.h:
3806         (JSC::AbstractMacroAssembler::numberOfRegisters):
3807         (JSC::AbstractMacroAssembler::gprName):
3808         (JSC::AbstractMacroAssembler::firstSPRegister):
3809         (JSC::AbstractMacroAssembler::lastSPRegister):
3810         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
3811         (JSC::AbstractMacroAssembler::sprName):
3812         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
3813         (JSC::AbstractMacroAssembler::fprName):
3814         * assembler/MIPSAssembler.h:
3815         (JSC::MIPSAssembler::numberOfRegisters):
3816         (JSC::MIPSAssembler::firstSPRegister):
3817         (JSC::MIPSAssembler::lastSPRegister):
3818         (JSC::MIPSAssembler::numberOfSPRegisters):
3819         (JSC::MIPSAssembler::numberOfFPRegisters):
3820         (JSC::MIPSAssembler::gprName):
3821         (JSC::MIPSAssembler::sprName):
3822         (JSC::MIPSAssembler::fprName):
3823         * assembler/MacroAssembler.h:
3824         (JSC::MacroAssembler::CPUState::gprName):
3825         (JSC::MacroAssembler::CPUState::sprName):
3826         (JSC::MacroAssembler::CPUState::fprName):
3827         (JSC::MacroAssembler::CPUState::gpr):
3828         (JSC::MacroAssembler::CPUState::spr):
3829         (JSC::MacroAssembler::CPUState::fpr):
3830         (JSC::MacroAssembler::CPUState::pc):
3831         (JSC::MacroAssembler::CPUState::fp):
3832         (JSC::MacroAssembler::CPUState::sp):
3833         (JSC::ProbeContext::gpr):
3834         (JSC::ProbeContext::spr):
3835         (JSC::ProbeContext::fpr):
3836         (JSC::ProbeContext::gprName):
3837         (JSC::ProbeContext::sprName):
3838         (JSC::ProbeContext::fprName):
3839         (JSC::MacroAssembler::numberOfRegisters): Deleted.
3840         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
3841         * assembler/MacroAssemblerARM.cpp:
3842         * assembler/MacroAssemblerARM64.cpp:
3843         (JSC::arm64ProbeTrampoline):
3844         * assembler/MacroAssemblerARMv7.cpp:
3845         * assembler/MacroAssemblerPrinter.cpp:
3846         (JSC::Printer::nextID):
3847         (JSC::Printer::printAllRegisters):
3848         (JSC::Printer::printPCRegister):
3849         (JSC::Printer::printRegisterID):
3850         (JSC::Printer::printAddress):
3851         * assembler/MacroAssemblerX86Common.cpp:
3852         * assembler/X86Assembler.h:
3853         (JSC::X86Assembler::numberOfRegisters):
3854         (JSC::X86Assembler::firstSPRegister):
3855         (JSC::X86Assembler::lastSPRegister):
3856         (JSC::X86Assembler::numberOfSPRegisters):
3857         (JSC::X86Assembler::numberOfFPRegisters):
3858         (JSC::X86Assembler::gprName):
3859         (JSC::X86Assembler::sprName):
3860         (JSC::X86Assembler::fprName):
3861         * jit/FPRInfo.h:
3862         (JSC::FPRInfo::debugName):
3863         * jit/GPRInfo.h:
3864         (JSC::GPRInfo::debugName):
3865         * jit/RegisterSet.cpp:
3866         (JSC::RegisterSet::reservedHardwareRegisters):
3867
3868 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3869
3870         [JSC] Introduce static symbols
3871         https://bugs.webkit.org/show_bug.cgi?id=158863
3872
3873         Reviewed by Darin Adler.
3874
3875         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
3876         As a result, we can share the same Symbol values between VMs and threads.
3877         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
3878
3879         * CMakeLists.txt:
3880         * JavaScriptCore.xcodeproj/project.pbxproj:
3881         * builtins/BuiltinNames.cpp: Added.
3882         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
3883
3884         * builtins/BuiltinNames.h:
3885         (JSC::BuiltinNames::BuiltinNames):
3886         * builtins/BuiltinUtils.h:
3887
3888 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3889
3890         [FTL] Arguments elimination is suppressed by unreachable blocks
3891         https://bugs.webkit.org/show_bug.cgi?id=174352
3892
3893         Reviewed by Filip Pizlo.
3894
3895         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
3896         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
3897         Since GetById without information can escape arguments if it is specified, non-executed code including
3898         op_get_by_id with arguments can escape arguments.
3899
3900         For example,
3901
3902             function test(flag)
3903             {
3904                 if (flag) {
3905                     // This is not executed, but emits GetById with arguments.
3906                     // It prevents us from eliminating materialization.
3907                     return arguments.length;
3908                 }
3909                 return arguments.length;
3910             }
3911             noInline(test);
3912             while (true)
3913                 test(false);
3914
3915         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
3916         So this GetById exists and escapes arguments.
3917
3918         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
3919         If it is shown, the following GetById does not escape arguments. Compared to performing AI, it is
3920         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
3921
3922         * dfg/DFGArgumentsEliminationPhase.cpp:
3923         * dfg/DFGNode.h:
3924         (JSC::DFG::Node::isPseudoTerminal):
3925         * dfg/DFGValidate.cpp:
3926
3927 2017-07-20  Chris Dumez  <cdumez@apple.com>
3928
3929         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
3930         https://bugs.webkit.org/show_bug.cgi?id=174660
3931
3932         Reviewed by Geoffrey Garen.
3933
3934         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
3935         This essentially replaces a branch to figure out if the new size is less or greater than the
3936         current size by an assertion.
3937
3938         * b3/B3BasicBlockUtils.h:
3939         (JSC::B3::clearPredecessors):
3940         * b3/B3InferSwitches.cpp:
3941         * b3/B3LowerToAir.cpp:
3942         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
3943         * b3/B3ReduceStrength.cpp:
3944         * b3/B3SparseCollection.h:
3945         (JSC::B3::SparseCollection::packIndices):
3946         * b3/B3UseCounts.cpp:
3947         (JSC::B3::UseCounts::UseCounts):
3948         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
3949         * b3/air/AirEmitShuffle.cpp: