6903b82e9cd636a46c40ec2bd6c93c0e658c8224
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-08-09  Robin Morisset  <rmorisset@apple.com>
2
3         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
4         https://bugs.webkit.org/show_bug.cgi?id=175358
5
6         Reviewed by Mark Lam.
7
8         * jit/JITOperations.cpp:
9         * runtime/JSObjectInlines.h:
10         (JSC::JSObject::putInlineForJSObject):
11
12 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
13
14         Unreviewed, rolling out r220457.
15
16         This change introduced API test failures.
17
18         Reverted changeset:
19
20         "WTF::Function does not allow for reference / non-default
21         constructible return types"
22         https://bugs.webkit.org/show_bug.cgi?id=175244
23         http://trac.webkit.org/changeset/220457
24
25 2017-08-09  Sam Weinig  <sam@webkit.org>
26
27         WTF::Function does not allow for reference / non-default constructible return types
28         https://bugs.webkit.org/show_bug.cgi?id=175244
29
30         Reviewed by Chris Dumez.
31
32         * runtime/ArrayBuffer.cpp:
33         (JSC::ArrayBufferContents::transferTo):
34         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
35         destroy call needed to be a no-op anyway, since the data is being moved.
36
37 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
38
39         REGRESSION: 2 test262/test/language/statements/async-function failures
40         https://bugs.webkit.org/show_bug.cgi?id=175334
41
42         Reviewed by Yusuke Suzuki.
43
44         Switch off useAsyncIterator by default
45
46         * runtime/Options.h:
47
48 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
49
50         ICs should do caging
51         https://bugs.webkit.org/show_bug.cgi?id=175295
52
53         Reviewed by Saam Barati.
54         
55         Adds the appropriate cage() calls in our inline caches.
56
57         * bytecode/AccessCase.cpp:
58         (JSC::AccessCase::generateImpl):
59         * bytecode/InlineAccess.cpp:
60         (JSC::InlineAccess::dumpCacheSizesAndCrash):
61         (JSC::InlineAccess::generateSelfPropertyAccess):
62         (JSC::InlineAccess::generateSelfPropertyReplace):
63         (JSC::InlineAccess::generateArrayLength):
64
65 2017-08-08  Devin Rousso  <drousso@apple.com>
66
67         Web Inspector: Canvas: support editing WebGL shaders
68         https://bugs.webkit.org/show_bug.cgi?id=124211
69         <rdar://problem/15448958>
70
71         Reviewed by Matt Baker.
72
73         * inspector/protocol/Canvas.json:
74         Add `updateShader` command that will change the given shader's source to the provided string,
75         recompile, and relink it to its associated program.
76         Drive-by: add description to `requestShaderSource` command.
77
78 2017-08-08  Robin Morisset  <rmorisset@apple.com>
79
80         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
81         https://bugs.webkit.org/show_bug.cgi?id=175347
82
83         Reviewed by Saam Barati.
84
85         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
86         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
87         negligible considering how much more finishCreation does.
88         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
89         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
90
91         * bytecode/CodeBlock.cpp:
92         (JSC::CodeBlock::finishCreation):
93         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
94         (JSC::CodeBlock::setConstantRegisters):
95         * bytecode/CodeBlock.h:
96         * runtime/ScriptExecutable.cpp:
97         (JSC::ScriptExecutable::newCodeBlockFor):
98
99 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
100
101         Unreviewed, fix Ubuntu LTS build
102         https://bugs.webkit.org/show_bug.cgi?id=174490
103
104         * inspector/remote/glib/RemoteInspectorGlib.cpp:
105         * inspector/remote/glib/RemoteInspectorServer.cpp:
106
107 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
108
109         Baseline JIT should do caging
110         https://bugs.webkit.org/show_bug.cgi?id=175037
111
112         Reviewed by Mark Lam.
113         
114         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
115         
116         Also modifies FTL caging to be more defensive when caging is disabled.
117         
118         Relanded with fixed AssemblyHelpers::cageConditionally().
119
120         * bytecode/AccessCase.cpp:
121         (JSC::AccessCase::generateImpl):
122         * bytecode/InlineAccess.cpp:
123         (JSC::InlineAccess::dumpCacheSizesAndCrash):
124         (JSC::InlineAccess::generateSelfPropertyAccess):
125         (JSC::InlineAccess::generateSelfPropertyReplace):
126         (JSC::InlineAccess::generateArrayLength):
127         * ftl/FTLLowerDFGToB3.cpp:
128         (JSC::FTL::DFG::LowerDFGToB3::caged):
129         * jit/AssemblyHelpers.h:
130         (JSC::AssemblyHelpers::cage):
131         (JSC::AssemblyHelpers::cageConditionally):
132         * jit/JITPropertyAccess.cpp:
133         (JSC::JIT::emitDoubleLoad):
134         (JSC::JIT::emitContiguousLoad):
135         (JSC::JIT::emitArrayStorageLoad):
136         (JSC::JIT::emitGenericContiguousPutByVal):
137         (JSC::JIT::emitArrayStoragePutByVal):
138         (JSC::JIT::emit_op_get_from_scope):
139         (JSC::JIT::emit_op_put_to_scope):
140         (JSC::JIT::emitIntTypedArrayGetByVal):
141         (JSC::JIT::emitFloatTypedArrayGetByVal):
142         (JSC::JIT::emitIntTypedArrayPutByVal):
143         (JSC::JIT::emitFloatTypedArrayPutByVal):
144         * jsc.cpp:
145         (jscmain):
146         (primitiveGigacageDisabled): Deleted.
147
148 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
149
150         Unreviewed, rolling out r220368.
151
152         This change caused WK1 tests to exit early with crashes.
153
154         Reverted changeset:
155
156         "Baseline JIT should do caging"
157         https://bugs.webkit.org/show_bug.cgi?id=175037
158         http://trac.webkit.org/changeset/220368
159
160 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
161
162         [CMake] Properly test if compiler supports compiler flags
163         https://bugs.webkit.org/show_bug.cgi?id=174490
164
165         Reviewed by Konstantin Tokarev.
166
167         * API/tests/PingPongStackOverflowTest.cpp:
168         (testPingPongStackOverflow):
169         * API/tests/testapi.c:
170         * b3/testb3.cpp:
171         (JSC::B3::testPatchpointLotsOfLateAnys):
172
173 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
174
175         [Linux] Clear WasmMemory with madvise instead of memset
176         https://bugs.webkit.org/show_bug.cgi?id=175150
177
178         Reviewed by Filip Pizlo.
179
180         On Linux, zeroing pages with memset populates the backing store.
181         Instead, we should use madvise with MADV_DONTNEED. It discards the
182         pages, and if you access these pages afterwards, on-demand zero pages
183         will be shown.
184
185         We also commit grown pages in all OSes.
186
187         * wasm/WasmMemory.cpp:
188         (JSC::Wasm::commitZeroPages):
189         (JSC::Wasm::Memory::create):
190         (JSC::Wasm::Memory::grow):
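        The memset-versus-madvise behaviour this entry describes, as an added example that is not WebKit's code (JSC's own implementation is in wasm/WasmMemory.cpp and is not reproduced here). It maps a few private anonymous pages, dirties them with memset, discards them with madvise(MADV_DONTNEED), and uses mincore() to observe how many pages are resident at each step, then confirms the discarded pages read back as zero. The helper names (observe_discard, discard_demo_passes, clear_pages_by_discard) are this example's own, and the behaviour shown is Linux-specific, as the entry says.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed demonstration (not JSC's WasmMemory code). On Linux, memset()
 * touches and therefore commits every page, while madvise(MADV_DONTNEED) on a
 * private anonymous mapping drops the pages so that later reads fault in
 * zero-fill-on-demand pages. All names below are this example's own. */

struct discard_observation {
    size_t resident_after_memset;   /* pages mincore() reports in core after memset */
    size_t resident_after_discard;  /* pages in core right after MADV_DONTNEED */
    int    reads_back_zero;         /* 1 if every byte reads as 0 after the discard */
};

/* Counts the pages of [base, base+len) that mincore() reports resident.
 * Returns (size_t)-1 on failure. */
static size_t count_resident_pages(void *base, size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t pages = (len + page - 1) / page;
    unsigned char *vec = malloc(pages);
    if (!vec) return (size_t)-1;
    if (mincore(base, len, vec) != 0) { free(vec); return (size_t)-1; }
    size_t n = 0;
    for (size_t i = 0; i < pages; i++) n += vec[i] & 1; /* low bit = resident */
    free(vec);
    return n;
}

/* Zeroes a page-aligned region by discarding its pages instead of writing them,
 * which is the approach the entry switches WasmMemory to. */
int clear_pages_by_discard(void *base, size_t len) {
    return madvise(base, len, MADV_DONTNEED);
}

/* Maps `pages` anonymous pages, dirties them, discards them, and records what
 * the kernel reports at each step. Returns 0 on success, -1 on a syscall failure. */
int observe_discard(size_t pages, struct discard_observation *out) {
    size_t len = pages * (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;

    memset(mem, 0xAB, len);                       /* populates the backing store */
    out->resident_after_memset = count_resident_pages(mem, len);

    if (clear_pages_by_discard(mem, len) != 0) { munmap(mem, len); return -1; }
    out->resident_after_discard = count_resident_pages(mem, len);

    out->reads_back_zero = 1;                     /* reads now fault in zero pages */
    for (size_t i = 0; i < len; i++) {
        if (mem[i] != 0) { out->reads_back_zero = 0; break; }
    }

    munmap(mem, len);
    if (out->resident_after_memset == (size_t)-1 ||
        out->resident_after_discard == (size_t)-1)
        return -1;
    return 0;
}

/* Convenience check: 1 if memset made all pages resident, the discard made none
 * resident, and the region then read back as zero; 0 otherwise. */
int discard_demo_passes(size_t pages) {
    struct discard_observation o;
    if (observe_discard(pages, &o) != 0) return 0;
    return o.resident_after_memset == pages
        && o.resident_after_discard == 0
        && o.reads_back_zero == 1;
}

int main(void) {
    struct discard_observation o;
    if (observe_discard(4, &o) != 0) { perror("observe_discard"); return 1; }
    printf("resident after memset:  %zu pages\n", o.resident_after_memset);
    printf("resident after discard: %zu pages\n", o.resident_after_discard);
    printf("reads back as zero:     %s\n", o.reads_back_zero ? "yes" : "no");
    return 0;
}
```

        The residency counts are the point: memset leaves every page committed, the discard leaves none, and correctness is preserved because the next access gets a freshly zeroed page. On non-Linux systems MADV_DONTNEED does not promise zero-fill, which is why the entry scopes the change to Linux.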
191
192 2017-08-07  Robin Morisset  <rmorisset@apple.com>
193
194         GetOwnProperty of TypedArray indexed fields is wrongly configurable
195         https://bugs.webkit.org/show_bug.cgi?id=175307
196
197         Reviewed by Saam Barati.
198
199         ```
200         let a = new Uint8Array(10);
201         let b = Object.getOwnPropertyDescriptor(a, 0);
202         assert(b.configurable === false);
203         ```
204         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
205         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
206         that says that typed arrays are integer indexed exotic objects.
207
208         * runtime/JSGenericTypedArrayViewInlines.h:
209         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
210
211 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
212
213         Baseline JIT should do caging
214         https://bugs.webkit.org/show_bug.cgi?id=175037
215
216         Reviewed by Mark Lam.
217         
218         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
219         
220         Also modifies FTL caging to be more defensive when caging is disabled.
221
222         * ftl/FTLLowerDFGToB3.cpp:
223         (JSC::FTL::DFG::LowerDFGToB3::caged):
224         * jit/AssemblyHelpers.h:
225         (JSC::AssemblyHelpers::cage):
226         (JSC::AssemblyHelpers::cageConditionally):
227         * jit/JITPropertyAccess.cpp:
228         (JSC::JIT::emitDoubleLoad):
229         (JSC::JIT::emitContiguousLoad):
230         (JSC::JIT::emitArrayStorageLoad):
231         (JSC::JIT::emitGenericContiguousPutByVal):
232         (JSC::JIT::emitArrayStoragePutByVal):
233         (JSC::JIT::emit_op_get_from_scope):
234         (JSC::JIT::emit_op_put_to_scope):
235         (JSC::JIT::emitIntTypedArrayGetByVal):
236         (JSC::JIT::emitFloatTypedArrayGetByVal):
237         (JSC::JIT::emitIntTypedArrayPutByVal):
238         (JSC::JIT::emitFloatTypedArrayPutByVal):
239         * jsc.cpp:
240         (jscmain):
241         (primitiveGigacageDisabled): Deleted.
242
243 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
244
245         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
246         https://bugs.webkit.org/show_bug.cgi?id=174919
247
248         Reviewed by Keith Miller.
249         
250         This adapts JSC to there being two gigacages.
251         
252         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
253         singletons. I don't think we were gaining anything by making them be singletons.
254         
255         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
256         gigacages. We'll have one of those allocators per cage.
257         
258         From there, this change teaches everyone who previously knew about cages that there are two cages.
259         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
260         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
261         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
262         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
263         
264         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
265         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
266
267         * JavaScriptCore.xcodeproj/project.pbxproj:
268         * bytecode/AccessCase.cpp:
269         (JSC::AccessCase::generateImpl):
270         * dfg/DFGSpeculativeJIT.cpp:
271         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
272         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
273         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
274         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
275         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
276         * ftl/FTLLowerDFGToB3.cpp:
277         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
278         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
279         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
280         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
281         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
282         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
283         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
284         (JSC::FTL::DFG::LowerDFGToB3::caged):
285         * heap/FastMallocAlignedMemoryAllocator.cpp:
286         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
287         * heap/FastMallocAlignedMemoryAllocator.h:
288         * heap/GigacageAlignedMemoryAllocator.cpp:
289         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
290         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
291         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
292         (JSC::GigacageAlignedMemoryAllocator::dump const):
293         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
294         * heap/GigacageAlignedMemoryAllocator.h:
295         * jsc.cpp:
296         (primitiveGigacageDisabled):
297         (jscmain):
298         (gigacageDisabled): Deleted.
299         * llint/LowLevelInterpreter64.asm:
300         * runtime/ArrayBuffer.cpp:
301         (JSC::ArrayBufferContents::tryAllocate):
302         (JSC::ArrayBuffer::createAdopted):
303         (JSC::ArrayBuffer::createFromBytes):
304         * runtime/AuxiliaryBarrier.h:
305         * runtime/ButterflyInlines.h:
306         (JSC::Butterfly::createUninitialized):
307         (JSC::Butterfly::tryCreate):
308         (JSC::Butterfly::growArrayRight):
309         * runtime/CagedBarrierPtr.h: Added.
310         (JSC::CagedBarrierPtr::CagedBarrierPtr):
311         (JSC::CagedBarrierPtr::clear):
312         (JSC::CagedBarrierPtr::set):
313         (JSC::CagedBarrierPtr::get const):
314         (JSC::CagedBarrierPtr::getMayBeNull const):
315         (JSC::CagedBarrierPtr::operator== const):
316         (JSC::CagedBarrierPtr::operator!= const):
317         (JSC::CagedBarrierPtr::operator bool const):
318         (JSC::CagedBarrierPtr::setWithoutBarrier):
319         (JSC::CagedBarrierPtr::operator* const):
320         (JSC::CagedBarrierPtr::operator-> const):
321         (JSC::CagedBarrierPtr::operator[] const):
322         * runtime/DirectArguments.cpp:
323         (JSC::DirectArguments::overrideThings):
324         (JSC::DirectArguments::unmapArgument):
325         * runtime/DirectArguments.h:
326         (JSC::DirectArguments::isMappedArgument const):
327         * runtime/GenericArguments.h:
328         * runtime/GenericArgumentsInlines.h:
329         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
330         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
331         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
332         * runtime/HashMapImpl.cpp:
333         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
334         * runtime/HashMapImpl.h:
335         (JSC::HashMapBuffer::create):
336         (JSC::HashMapImpl::buffer const):
337         (JSC::HashMapImpl::rehash):
338         * runtime/JSArray.cpp:
339         (JSC::JSArray::tryCreateUninitializedRestricted):
340         (JSC::JSArray::unshiftCountSlowCase):
341         (JSC::JSArray::setLength):
342         (JSC::JSArray::pop):
343         (JSC::JSArray::push):
344         (JSC::JSArray::fastSlice):
345         (JSC::JSArray::shiftCountWithArrayStorage):
346         (JSC::JSArray::shiftCountWithAnyIndexingType):
347         (JSC::JSArray::unshiftCountWithAnyIndexingType):
348         (JSC::JSArray::fillArgList):
349         (JSC::JSArray::copyToArguments):
350         * runtime/JSArray.h:
351         (JSC::JSArray::tryCreate):
352         * runtime/JSArrayBufferView.cpp:
353         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
354         (JSC::JSArrayBufferView::finalize):
355         * runtime/JSLock.cpp:
356         (JSC::JSLock::didAcquireLock):
357         * runtime/JSObject.cpp:
358         (JSC::JSObject::heapSnapshot):
359         (JSC::JSObject::getOwnPropertySlotByIndex):
360         (JSC::JSObject::putByIndex):
361         (JSC::JSObject::enterDictionaryIndexingMode):
362         (JSC::JSObject::createInitialIndexedStorage):
363         (JSC::JSObject::createArrayStorage):
364         (JSC::JSObject::convertUndecidedToInt32):
365         (JSC::JSObject::convertUndecidedToDouble):
366         (JSC::JSObject::convertUndecidedToContiguous):
367         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
368         (JSC::JSObject::convertUndecidedToArrayStorage):
369         (JSC::JSObject::convertInt32ToDouble):
370         (JSC::JSObject::convertInt32ToContiguous):
371         (JSC::JSObject::convertInt32ToArrayStorage):
372         (JSC::JSObject::convertDoubleToContiguous):
373         (JSC::JSObject::convertDoubleToArrayStorage):
374         (JSC::JSObject::convertContiguousToArrayStorage):
375         (JSC::JSObject::setIndexQuicklyToUndecided):
376         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
377         (JSC::JSObject::deletePropertyByIndex):
378         (JSC::JSObject::getOwnPropertyNames):
379         (JSC::JSObject::putIndexedDescriptor):
380         (JSC::JSObject::defineOwnIndexedProperty):
381         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
382         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
383         (JSC::JSObject::getNewVectorLength):
384         (JSC::JSObject::ensureLengthSlow):
385         (JSC::JSObject::reallocateAndShrinkButterfly):
386         (JSC::JSObject::allocateMoreOutOfLineStorage):
387         (JSC::JSObject::getEnumerableLength):
388         * runtime/JSObject.h:
389         (JSC::JSObject::getArrayLength const):
390         (JSC::JSObject::getVectorLength):
391         (JSC::JSObject::putDirectIndex):
392         (JSC::JSObject::canGetIndexQuickly):
393         (JSC::JSObject::getIndexQuickly):
394         (JSC::JSObject::tryGetIndexQuickly const):
395         (JSC::JSObject::canSetIndexQuickly):
396         (JSC::JSObject::setIndexQuickly):
397         (JSC::JSObject::initializeIndex):
398         (JSC::JSObject::initializeIndexWithoutBarrier):
399         (JSC::JSObject::hasSparseMap):
400         (JSC::JSObject::inSparseIndexingMode):
401         (JSC::JSObject::butterfly const):
402         (JSC::JSObject::butterfly):
403         (JSC::JSObject::outOfLineStorage const):
404         (JSC::JSObject::outOfLineStorage):
405         (JSC::JSObject::ensureInt32):
406         (JSC::JSObject::ensureDouble):
407         (JSC::JSObject::ensureContiguous):
408         (JSC::JSObject::ensureArrayStorage):
409         (JSC::JSObject::arrayStorage):
410         (JSC::JSObject::arrayStorageOrNull):
411         (JSC::JSObject::ensureLength):
412         * runtime/RegExpMatchesArray.h:
413         (JSC::tryCreateUninitializedRegExpMatchesArray):
414         * runtime/VM.cpp:
415         (JSC::VM::VM):
416         (JSC::VM::~VM):
417         (JSC::VM::primitiveGigacageDisabledCallback):
418         (JSC::VM::primitiveGigacageDisabled):
419         (JSC::VM::gigacageDisabledCallback): Deleted.
420         (JSC::VM::gigacageDisabled): Deleted.
421         * runtime/VM.h:
422         (JSC::VM::gigacageAuxiliarySpace):
423         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
424         (JSC::VM::primitiveGigacageEnabled):
425         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
426         (JSC::VM::gigacageEnabled): Deleted.
427         * wasm/WasmMemory.cpp:
428         (JSC::Wasm::Memory::create):
429         (JSC::Wasm::Memory::~Memory):
430         (JSC::Wasm::Memory::grow):
431
432 2017-08-07  Commit Queue  <commit-queue@webkit.org>
433
434         Unreviewed, rolling out r220144.
435         https://bugs.webkit.org/show_bug.cgi?id=175276
436
437         "It did not actually speed things up in the way I expected"
438         (Requested by saamyjoon on #webkit).
439
440         Reverted changeset:
441
442         "On memory-constrained iOS devices, reduce the rate at which
443         the JS heap grows before a GC to try to keep more memory
444         available for the system"
445         https://bugs.webkit.org/show_bug.cgi?id=175041
446         http://trac.webkit.org/changeset/220144
447
448 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
449
450         Unreviewed, rolling out r220299.
451
452         This change caused LayoutTest inspector/dom-debugger/dom-
453         breakpoints.html to fail.
454
455         Reverted changeset:
456
457         "Web Inspector: capture async stack trace when workers/main
458         context posts a message"
459         https://bugs.webkit.org/show_bug.cgi?id=167084
460         http://trac.webkit.org/changeset/220299
461
462 2017-08-07  Brian Burg  <bburg@apple.com>
463
464         Remove CANVAS_PATH compilation guard
465         https://bugs.webkit.org/show_bug.cgi?id=175207
466
467         Reviewed by Sam Weinig.
468
469         * Configurations/FeatureDefines.xcconfig:
470
471 2017-08-07  Keith Miller  <keith_miller@apple.com>
472
473         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
474         https://bugs.webkit.org/show_bug.cgi?id=175256
475
476         Reviewed by Saam Barati.
477
478         The check in createFromBytes just needed to check that the buffer was not null before
479         calling isCaged.
480
481         * runtime/ArrayBuffer.cpp:
482         (JSC::ArrayBuffer::createFromBytes):
483
484 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
485
486         [GTK][WPE] Add API to provide browser information required by automation
487         https://bugs.webkit.org/show_bug.cgi?id=175130
488
489         Reviewed by Brian Burg.
490
491         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
492         get them.
493
494         * inspector/remote/RemoteInspector.cpp:
495         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
496         * inspector/remote/RemoteInspector.h:
497         * inspector/remote/glib/RemoteInspectorGlib.cpp:
498         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
499         requested to ensure they are updated before StartAutomationSession reply is sent.
500         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
501         StartAutomationSession message.
502
503 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
504
505         Promise resolve and reject function should have length = 1
506         https://bugs.webkit.org/show_bug.cgi?id=175242
507
508         Reviewed by Saam Barati.
509
510         Previously we had a separate system for "length" and "name" for builtin functions.
511         The builtin functions do not use the lazy reifying system. Instead, they have direct
512         properties set when they are instantiated. While a function created for a property (like
513         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
514         these builtin functions are just created by JSFunction::create(). Since it does
515         not set any value for "length", these functions do not have a "length" property.
516         So, the resolve and reject functions passed to Promise's executor do not have a
517         "length" property.
518
519         This patch makes builtin functions use the standard lazy reifying system for "length".
520         So, the "length" property of a builtin function just works as it does for normal
521         functions.
522
523         * runtime/JSFunction.cpp:
524         (JSC::JSFunction::createBuiltinFunction):
525         (JSC::JSFunction::getOwnPropertySlot):
526         (JSC::JSFunction::getOwnNonIndexPropertyNames):
527         (JSC::JSFunction::put):
528         (JSC::JSFunction::deleteProperty):
529         (JSC::JSFunction::defineOwnProperty):
530         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
531         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
532         (JSC::JSFunction::reifyLazyLengthIfNeeded):
533         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
534         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
535         * runtime/JSFunction.h:
536
537 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
538
539         [ESNext] Async iteration - Implement Async Generator - parser
540         https://bugs.webkit.org/show_bug.cgi?id=175210
541
542         Reviewed by Yusuke Suzuki.
543
544         The current implementation is a draft version of Async Iteration.
545         Link to spec: https://tc39.github.io/proposal-async-iteration/
546
547         The current patch implements only the parser part of the Async generator.
548         The runtime part will be in the next patches.
549
550         * parser/ASTBuilder.h:
551         (JSC::ASTBuilder::createFunctionMetadata):
552         * parser/Parser.cpp:
553         (JSC::getAsynFunctionBodyParseMode):
554         (JSC::Parser<LexerType>::parseInner):
555         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
556         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
557         (JSC::stringArticleForFunctionMode):
558         (JSC::stringForFunctionMode):
559         (JSC::Parser<LexerType>::parseFunctionInfo):
560         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
561         (JSC::Parser<LexerType>::parseClass):
562         (JSC::Parser<LexerType>::parseProperty):
563         (JSC::Parser<LexerType>::parsePropertyMethod):
564         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
565         * parser/Parser.h:
566         (JSC::Scope::setSourceParseMode):
567         * parser/ParserModes.h:
568         (JSC::isFunctionParseMode):
569         (JSC::isAsyncFunctionParseMode):
570         (JSC::isAsyncArrowFunctionParseMode):
571         (JSC::isAsyncGeneratorFunctionParseMode):
572         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
573         (JSC::isAsyncFunctionWrapperParseMode):
574         (JSC::isAsyncFunctionBodyParseMode):
575         (JSC::isGeneratorMethodParseMode):
576         (JSC::isAsyncMethodParseMode):
577         (JSC::isAsyncGeneratorMethodParseMode):
578         (JSC::isMethodParseMode):
579         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
580         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
581
582 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
583
584         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
585         https://bugs.webkit.org/show_bug.cgi?id=175083
586
587         Reviewed by Oliver Hunt.
588         
589         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
590         even if we are using the pop path.
591         
592         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
593         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
594         the world just because we changed it.
595         
596         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
597         easier to debug leaks.
598
599         * bytecode/AccessCase.cpp:
600         * bytecode/PolymorphicAccess.cpp:
601         * heap/HeapCell.cpp:
602         (JSC::HeapCell::isLive):
603         * heap/HeapCellInlines.h:
604         (JSC::HeapCell::isLive): Deleted.
605         * heap/MarkedAllocator.cpp:
606         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
607         (JSC::MarkedAllocator::endMarking):
608         * heap/MarkedBlockInlines.h:
609         (JSC::MarkedBlock::Handle::specializedSweep):
610         * jit/AssemblyHelpers.cpp:
611         * jit/Repatch.cpp:
612         * runtime/TestRunnerUtils.h:
613         * runtime/VM.cpp:
614         (JSC::waitForVMDestruction):
615         (JSC::VM::~VM):
616
617 2017-08-05  Mark Lam  <mark.lam@apple.com>
618
619         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
620         https://bugs.webkit.org/show_bug.cgi?id=175228
621         <rdar://problem/33735737>
622
623         Reviewed by Saam Barati.
624
625         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
626         delete OSRExit32_64.cpp.
627
628         * CMakeLists.txt:
629         * JavaScriptCore.xcodeproj/project.pbxproj:
630         * dfg/DFGOSRExit.cpp:
631         (JSC::DFG::OSRExit::compileExit):
632         * dfg/DFGOSRExit32_64.cpp: Removed.
633         * jit/GPRInfo.h:
634         (JSC::JSValueSource::payloadGPR const):
635
636 2017-08-04  Youenn Fablet  <youenn@apple.com>
637
638         [Cache API] Add Cache and CacheStorage IDL definitions
639         https://bugs.webkit.org/show_bug.cgi?id=175201
640
641         Reviewed by Brady Eidson.
642
643         * runtime/CommonIdentifiers.h:
644
645 2017-08-04  Mark Lam  <mark.lam@apple.com>
646
647         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
648         https://bugs.webkit.org/show_bug.cgi?id=175230
649         <rdar://problem/33735857>
650
651         Reviewed by Saam Barati.
652
653         * assembler/testmasm.cpp:
654         (JSC::testProbeReadsArgumentRegisters):
655         (JSC::testProbeWritesArgumentRegisters):
656
657 2017-08-04  Mark Lam  <mark.lam@apple.com>
658
659         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
660         https://bugs.webkit.org/show_bug.cgi?id=175214
661         <rdar://problem/33733308>
662
663         Rubber-stamped by Michael Saboff.
664
665         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
666         DFGOSRExitCompiler files.
667
668         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
669
670         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
671         used by compileOSRExit(), and will be changed to not be a DFG operation function
672         when we use JIT probes for DFG OSR exits later in
673         https://bugs.webkit.org/show_bug.cgi?id=175144.
674
675         * CMakeLists.txt:
676         * JavaScriptCore.xcodeproj/project.pbxproj:
677         * dfg/DFGJITCompiler.cpp:
678         * dfg/DFGOSRExit.cpp:
679         (JSC::DFG::OSRExit::emitRestoreArguments):
680         (JSC::DFG::OSRExit::compileOSRExit):
681         (JSC::DFG::OSRExit::compileExit):
682         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
683         * dfg/DFGOSRExit.h:
684         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
685         * dfg/DFGOSRExitCompiler.cpp: Removed.
686         * dfg/DFGOSRExitCompiler.h: Removed.
687         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
688         * dfg/DFGOSRExitCompiler64.cpp: Removed.
689         * dfg/DFGOperations.cpp:
690         * dfg/DFGOperations.h:
691         * dfg/DFGThunks.cpp:
692
693 2017-08-04  Matt Baker  <mattbaker@apple.com>
694
695         Web Inspector: capture async stack trace when workers/main context posts a message
696         https://bugs.webkit.org/show_bug.cgi?id=167084
697         <rdar://problem/30033673>
698
699         Reviewed by Brian Burg.
700
701         * inspector/agents/InspectorDebuggerAgent.h:
702         Add `PostMessage` async call type.
703
704 2017-08-04  Mark Lam  <mark.lam@apple.com>
705
706         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
707         https://bugs.webkit.org/show_bug.cgi?id=175208
708         <rdar://problem/33732402>
709
710         Reviewed by Saam Barati.
711
712         This will minimize the code diff and make it easier to review the patch for
713         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
714         steps:
715
716         1. Do the code changes to move methods into OSRExit.
717         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
718         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
719
720         Splitting this refactoring into these 3 steps also makes it easier to review this
721         patch and understand what is being changed.
722
723         * dfg/DFGOSRExit.h:
724         * dfg/DFGOSRExitCompiler.cpp:
725         (JSC::DFG::OSRExit::emitRestoreArguments):
726         (JSC::DFG::OSRExit::compileOSRExit):
727         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
728         (): Deleted.
729         * dfg/DFGOSRExitCompiler.h:
730         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
731         (): Deleted.
732         * dfg/DFGOSRExitCompiler32_64.cpp:
733         (JSC::DFG::OSRExit::compileExit):
734         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
735         * dfg/DFGOSRExitCompiler64.cpp:
736         (JSC::DFG::OSRExit::compileExit):
737         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
738         * dfg/DFGThunks.cpp:
739         (JSC::DFG::osrExitGenerationThunkGenerator):
740
741 2017-08-04  Devin Rousso  <drousso@apple.com>
742
743         Web Inspector: add source view for WebGL shader programs
744         https://bugs.webkit.org/show_bug.cgi?id=138593
745         <rdar://problem/18936194>
746
747         Reviewed by Matt Baker.
748
749         * inspector/protocol/Canvas.json:
750          - Add a `ShaderType` enum that contains "vertex" and "fragment".
751          - Add a `requestShaderSource` command that will return the original source code for a given
752            shader program and shader type.
753
754 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
755
756         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
757         https://bugs.webkit.org/show_bug.cgi?id=175141
758
759         Reviewed by Mark Lam.
760         
761         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
762         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
763         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
764         determined by the AlignedMemoryAllocator object.
765         
766         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
767         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
768         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
769         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
770         they use the same AlignedMemoryAllocator.
771
772         * CMakeLists.txt:
773         * JavaScriptCore.xcodeproj/project.pbxproj:
774         * heap/AlignedMemoryAllocator.cpp: Added.
775         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
776         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
777         * heap/AlignedMemoryAllocator.h: Added.
778         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
779         (JSC::FastMallocAlignedMemoryAllocator::singleton):
780         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
781         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
782         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
783         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
784         (JSC::FastMallocAlignedMemoryAllocator::dump const):
785         * heap/FastMallocAlignedMemoryAllocator.h: Added.
786         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
787         (JSC::GigacageAlignedMemoryAllocator::singleton):
788         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
789         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
790         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
791         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
792         (JSC::GigacageAlignedMemoryAllocator::dump const):
793         * heap/GigacageAlignedMemoryAllocator.h: Added.
794         * heap/GigacageSubspace.cpp: Removed.
795         * heap/GigacageSubspace.h: Removed.
796         * heap/LargeAllocation.cpp:
797         (JSC::LargeAllocation::tryCreate):
798         (JSC::LargeAllocation::destroy):
799         * heap/MarkedAllocator.cpp:
800         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
801         * heap/MarkedBlock.cpp:
802         (JSC::MarkedBlock::tryCreate):
803         (JSC::MarkedBlock::Handle::Handle):
804         (JSC::MarkedBlock::Handle::~Handle):
805         (JSC::MarkedBlock::Handle::didAddToAllocator):
806         (JSC::MarkedBlock::Handle::subspace const):
807         * heap/MarkedBlock.h:
808         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
809         (JSC::MarkedBlock::Handle::subspace const): Deleted.
810         * heap/Subspace.cpp:
811         (JSC::Subspace::Subspace):
812         (JSC::Subspace::findEmptyBlockToSteal):
813         (JSC::Subspace::canTradeBlocksWith): Deleted.
814         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
815         (JSC::Subspace::freeAlignedMemory): Deleted.
816         * heap/Subspace.h:
817         (JSC::Subspace::name const):
818         (JSC::Subspace::alignedMemoryAllocator const):
819         * runtime/JSDestructibleObjectSubspace.cpp:
820         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
821         * runtime/JSDestructibleObjectSubspace.h:
822         * runtime/JSSegmentedVariableObjectSubspace.cpp:
823         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
824         * runtime/JSSegmentedVariableObjectSubspace.h:
825         * runtime/JSStringSubspace.cpp:
826         (JSC::JSStringSubspace::JSStringSubspace):
827         * runtime/JSStringSubspace.h:
828         * runtime/VM.cpp:
829         (JSC::VM::VM):
830         * runtime/VM.h:
831         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
832         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
833         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
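
The decoupling described in the entry above, as an added sketch rather than JSC's heap code: an AlignedMemoryAllocator interface with a malloc-backed and a region-backed implementation, a MarkedBlock that records which allocator created it, and a Subspace whose block stealing is decided purely by allocator identity instead of a pairwise canTradeBlocksWith(). Every name, the 16 KiB block size and the three toy subspaces are this example's own assumptions.

```cpp
#include <cstddef>
#include <cstdlib>
#include <iostream>
#include <vector>

namespace heapmodel {

constexpr std::size_t kBlockSize = 16 * 1024; // toy MarkedBlock size

// The allocator is its own object; a Subspace only holds a reference to one.
class AlignedMemoryAllocator {
public:
    virtual ~AlignedMemoryAllocator() = default;
    virtual void* tryAllocateAlignedMemory(std::size_t alignment, std::size_t size) = 0;
    virtual void freeAlignedMemory(void* p) = 0;
};

// malloc-backed allocator (plays the role of FastMallocAlignedMemoryAllocator).
class FastMallocAlignedMemoryAllocator final : public AlignedMemoryAllocator {
public:
    void* tryAllocateAlignedMemory(std::size_t alignment, std::size_t size) override
    {
        void* p = nullptr;
        return posix_memalign(&p, alignment, size) == 0 ? p : nullptr;
    }
    void freeAlignedMemory(void* p) override { std::free(p); }
};

// Carves blocks out of one reserved region (plays the role of the gigacage
// allocator). Its blocks must never reach free(), which is why a block has
// to remember the allocator that created it.
class RegionAlignedMemoryAllocator final : public AlignedMemoryAllocator {
public:
    explicit RegionAlignedMemoryAllocator(std::size_t capacity) : m_capacity(capacity)
    {
        void* p = nullptr;
        if (posix_memalign(&p, kBlockSize, capacity) != 0)
            std::abort();
        m_region = static_cast<char*>(p);
    }
    ~RegionAlignedMemoryAllocator() override { std::free(m_region); }
    void* tryAllocateAlignedMemory(std::size_t, std::size_t size) override
    {
        if (m_used + size > m_capacity)
            return nullptr;
        void* p = m_region + m_used;
        m_used += size;
        return p;
    }
    void freeAlignedMemory(void*) override { } // toy: the region is released whole
private:
    char* m_region = nullptr;
    std::size_t m_capacity;
    std::size_t m_used = 0;
};

struct MarkedBlock {
    void* memory;
    AlignedMemoryAllocator* allocator; // set at creation, consulted on destroy
};

class Subspace {
public:
    explicit Subspace(AlignedMemoryAllocator& allocator) : m_allocator(allocator) { }
    MarkedBlock tryAllocateBlock()
    {
        return { m_allocator.tryAllocateAlignedMemory(kBlockSize, kBlockSize), &m_allocator };
    }
    // Replaces pairwise canTradeBlocksWith(): a block is stealable exactly when
    // it came from the allocator this subspace uses, whoever owns it now.
    bool canSteal(const MarkedBlock& block) const { return block.allocator == &m_allocator; }
    MarkedBlock* findEmptyBlockToSteal(std::vector<MarkedBlock>& emptyBlocks)
    {
        for (MarkedBlock& block : emptyBlocks) {
            if (canSteal(block))
                return &block;
        }
        return nullptr;
    }
    // Frees through the block's own allocator, never through the subspace's.
    static void destroyBlock(MarkedBlock& block)
    {
        block.allocator->freeAlignedMemory(block.memory);
        block.memory = nullptr;
    }
private:
    AlignedMemoryAllocator& m_allocator;
};

// Three subspaces over two allocators (constructed scenario). True when the
// strings subspace can steal the destructible-object subspace's empty block
// (same allocator) but not the auxiliary subspace's (region allocator).
bool tradesFollowAllocatorIdentity()
{
    FastMallocAlignedMemoryAllocator fastMalloc;
    RegionAlignedMemoryAllocator region(4 * kBlockSize);
    Subspace strings(fastMalloc), destructibleObjects(fastMalloc), auxiliary(region);
    std::vector<MarkedBlock> emptyBlocks = { auxiliary.tryAllocateBlock(), destructibleObjects.tryAllocateBlock() };
    MarkedBlock* stolen = strings.findEmptyBlockToSteal(emptyBlocks);
    bool ok = stolen && stolen->allocator == &fastMalloc && !strings.canSteal(emptyBlocks[0]);
    for (MarkedBlock& block : emptyBlocks)
        Subspace::destroyBlock(block); // each goes back to the allocator it came from
    return ok;
}

} // namespace heapmodel

int main()
{
    std::cout << "trades follow allocator identity: "
              << (heapmodel::tradesFollowAllocatorIdentity() ? "yes" : "no") << "\n";
}
```

The check worth keeping in mind is the one in destroyBlock(): once the allocator is recorded on the block, freeing must go through that recorded allocator, since handing region-backed (cage) memory to free() would corrupt the malloc heap.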
834
835 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
836
837         [ESNext] Async iteration - update feature.json
838         https://bugs.webkit.org/show_bug.cgi?id=175197
839
840         Reviewed by Yusuke Suzuki.
841
842         Update feature.json to add the status of Async Iteration
843
844         * features.json:
845
846 2017-08-04  Matt Lewis  <jlewis3@apple.com>
847
848         Unreviewed, rolling out r220271.
849
850         Rolling out due to Layout Test failing on iOS Simulator.
851
852         Reverted changeset:
853
854         "Remove STREAMS_API compilation guard"
855         https://bugs.webkit.org/show_bug.cgi?id=175165
856         http://trac.webkit.org/changeset/220271
857
858 2017-08-04  Youenn Fablet  <youenn@apple.com>
859
860         Remove STREAMS_API compilation guard
861         https://bugs.webkit.org/show_bug.cgi?id=175165
862
863         Reviewed by Darin Adler.
864
865         * Configurations/FeatureDefines.xcconfig:
866
867 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
868
869         [EsNext] Async iteration - Add feature flag
870         https://bugs.webkit.org/show_bug.cgi?id=166694
871
872         Reviewed by Yusuke Suzuki.
873
874         Add a feature flag to JSC to switch the Async Iterator on/off
875
876         * runtime/Options.h:
877
878 2017-08-03  Brian Burg  <bburg@apple.com>
879
880         Remove ENABLE(WEB_SOCKET) guards
881         https://bugs.webkit.org/show_bug.cgi?id=167044
882
883         Reviewed by Joseph Pecoraro.
884
885         * Configurations/FeatureDefines.xcconfig:
886
887 2017-08-03  Youenn Fablet  <youenn@apple.com>
888
889         Remove FETCH_API compilation guard
890         https://bugs.webkit.org/show_bug.cgi?id=175154
891
892         Reviewed by Chris Dumez.
893
894         * Configurations/FeatureDefines.xcconfig:
895
896 2017-08-03  Matt Baker  <mattbaker@apple.com>
897
898         Web Inspector: Instrument WebGLProgram created/deleted
899         https://bugs.webkit.org/show_bug.cgi?id=175059
900
901         Reviewed by Devin Rousso.
902
903         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
904
905         * inspector/protocol/Canvas.json:
906
907 2017-08-03  Brady Eidson  <beidson@apple.com>
908
909         Add SW IDLs and stub out basic functionality.
910         https://bugs.webkit.org/show_bug.cgi?id=175115
911
912         Reviewed by Chris Dumez.
913
914         * Configurations/FeatureDefines.xcconfig:
915
916         * runtime/CommonIdentifiers.h:
917
918 2017-08-03  Mark Lam  <mark.lam@apple.com>
919
920         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
921         https://bugs.webkit.org/show_bug.cgi?id=175142
922         <rdar://problem/33704528>
923
924         Reviewed by Filip Pizlo.
925
926         The convention in the rest of JSC for such methods which return the address of
927         a field is to name them "addressOf<field name>".  We'll rename
928         ScratchBuffer::activeLengthPtr to be consistent with this convention.
929
930         * dfg/DFGSpeculativeJIT.cpp:
931         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
932         * dfg/DFGSpeculativeJIT32_64.cpp:
933         (JSC::DFG::SpeculativeJIT::compile):
934         * dfg/DFGSpeculativeJIT64.cpp:
935         (JSC::DFG::SpeculativeJIT::compile):
936         * dfg/DFGThunks.cpp:
937         (JSC::DFG::osrExitGenerationThunkGenerator):
938         * ftl/FTLLowerDFGToB3.cpp:
939         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
940         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
941         * ftl/FTLThunks.cpp:
942         (JSC::FTL::genericGenerationThunkGenerator):
943         * jit/AssemblyHelpers.cpp:
944         (JSC::AssemblyHelpers::debugCall):
945         * jit/ScratchRegisterAllocator.cpp:
946         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
947         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
948         * runtime/VM.h:
949         (JSC::ScratchBuffer::addressOfActiveLength):
950         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
951         * wasm/WasmBinding.cpp:
952         (JSC::Wasm::wasmToJs):
953
954 2017-08-02  Devin Rousso  <drousso@apple.com>
955
956         Web Inspector: add stack trace information for each RecordingAction
957         https://bugs.webkit.org/show_bug.cgi?id=174663
958
959         Reviewed by Joseph Pecoraro.
960
961         * inspector/ScriptCallFrame.h:
962         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
963         with an existing value doesn't require a functor and can use existing code.
964
965         * interpreter/StackVisitor.h:
966         * interpreter/StackVisitor.cpp:
967         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
968
969 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
970
971         Merge WTFThreadData to Thread::current
972         https://bugs.webkit.org/show_bug.cgi?id=174716
973
974         Reviewed by Mark Lam.
975
976         Use Thread::current() instead.
977
978         * API/JSContext.mm:
979         (+[JSContext currentContext]):
980         (+[JSContext currentThis]):
981         (+[JSContext currentCallee]):
982         (+[JSContext currentArguments]):
983         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
984         (-[JSContext endCallbackWithData:]):
985         * heap/Heap.cpp:
986         (JSC::Heap::requestCollection):
987         * runtime/Completion.cpp:
988         (JSC::checkSyntax):
989         (JSC::checkModuleSyntax):
990         (JSC::evaluate):
991         (JSC::loadAndEvaluateModule):
992         (JSC::loadModule):
993         (JSC::linkAndEvaluateModule):
994         (JSC::importModule):
995         * runtime/Identifier.cpp:
996         (JSC::Identifier::checkCurrentAtomicStringTable):
997         * runtime/InitializeThreading.cpp:
998         (JSC::initializeThreading):
999         * runtime/JSLock.cpp:
1000         (JSC::JSLock::didAcquireLock):
1001         (JSC::JSLock::willReleaseLock):
1002         (JSC::JSLock::dropAllLocks):
1003         (JSC::JSLock::grabAllLocks):
1004         * runtime/JSLock.h:
1005         * runtime/VM.cpp:
1006         (JSC::VM::VM):
1007         (JSC::VM::updateStackLimits):
1008         (JSC::VM::committedStackByteCount):
1009         * runtime/VM.h:
1010         (JSC::VM::isSafeToRecurse const):
1011         * runtime/VMEntryScope.cpp:
1012         (JSC::VMEntryScope::VMEntryScope):
1013         * runtime/VMInlines.h:
1014         (JSC::VM::ensureStackCapacityFor):
1015         * yarr/YarrPattern.cpp:
1016         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1017
1018 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1019
1020         LLInt should do pointer caging
1021         https://bugs.webkit.org/show_bug.cgi?id=175036
1022
1023         Reviewed by Keith Miller.
1024
1025         Implementing this in the LLInt was challenging because offlineasm did not previously know
1026         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
1027         to be where the Gigacage is enabled right now.
1028
1029         * llint/LLIntOfflineAsmConfig.h:
1030         * llint/LowLevelInterpreter64.asm:
1031         * offlineasm/ast.rb:
1032         * offlineasm/x86.rb:
1033
1034 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1035
1036         Sweeping should only scribble when sweeping to free list
1037         https://bugs.webkit.org/show_bug.cgi?id=175105
1038
1039         Reviewed by Saam Barati.
1040         
1041         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
1042         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
1043         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
1044         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
1045         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
1046         when it doesn't matter anyway because we're building a free list.
1047         
1048         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
1049         zap.
1050
1051         * heap/MarkedBlockInlines.h:
1052         (JSC::MarkedBlock::Handle::specializedSweep):
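
The failure described in the entry above, as an added toy model (not JSC's MarkedBlock code): dead cells are destructed and zapped with 0, and a "scribble" overwrites memory with 0xbadbeef0. Scribbling in SweepOnly erases the zap word, so a later sweep mistakes the poison for a live structure and follows it; scribbling only in SweepToFreeList leaves the zap intact. The Cell/Block layout, the three-cell sample block and the crashed flag are this example's own constructions.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

namespace sweepmodel {

constexpr std::uint32_t kZapWord = 0;            // cell already destructed
constexpr std::uint32_t kScribbleWord = 0xbadbeef0; // poison for free-list memory

enum class SweepMode { SweepOnly, SweepToFreeList };

struct Cell {
    std::uint32_t header; // non-zero: "structure" the destructor will follow
    bool marked;          // survived the mark phase, i.e. still live
};

struct Block {
    std::vector<Cell> cells;
    std::vector<std::size_t> freeList;
    int destructorsRun = 0;
    bool crashed = false; // a destructor followed a scribbled header
};

// scribbleInSweepOnly == true reproduces the regression (scribble on every
// sweep); false is the fix (scribble only when building a free list).
void sweep(Block& block, SweepMode mode, bool scribbleInSweepOnly)
{
    block.freeList.clear();
    for (std::size_t i = 0; i < block.cells.size(); ++i) {
        Cell& cell = block.cells[i];
        if (cell.marked)
            continue;
        if (cell.header != kZapWord) {
            // Destruction path. The header is used as a pointer; a scribbled
            // header is indistinguishable from a live one and gets followed.
            if (cell.header == kScribbleWord) {
                block.crashed = true;
                continue;
            }
            ++block.destructorsRun;
            cell.header = kZapWord; // zap: remember that this cell is destructed
        }
        if (mode == SweepMode::SweepToFreeList || scribbleInSweepOnly)
            cell.header = kScribbleWord; // overwrites the zap word
        if (mode == SweepMode::SweepToFreeList)
            block.freeList.push_back(i);
    }
}

// Constructed sample block: two dead cells around one live cell.
Block makeBlock()
{
    Block block;
    block.cells = { { 0x1001, false }, { 0x1002, true }, { 0x1003, false } };
    return block;
}

// Two SweepOnly passes over the same dead cells (two GC cycles before the
// block is ever swept to a free list). Returns whether a crash was hit.
bool twoSweepOnlyPassesCrash(bool scribbleInSweepOnly)
{
    Block block = makeBlock();
    sweep(block, SweepMode::SweepOnly, scribbleInSweepOnly);
    sweep(block, SweepMode::SweepOnly, scribbleInSweepOnly);
    return block.crashed;
}

int destructorsRunAcrossTwoSweeps(bool scribbleInSweepOnly)
{
    Block block = makeBlock();
    sweep(block, SweepMode::SweepOnly, scribbleInSweepOnly);
    sweep(block, SweepMode::SweepOnly, scribbleInSweepOnly);
    return block.destructorsRun;
}

// With the fix, a SweepToFreeList pass still scribbles every dead cell: that
// memory is about to be handed out again, so the zap word no longer matters.
std::size_t scribbledCellsAfterFreeListSweep()
{
    Block block = makeBlock();
    sweep(block, SweepMode::SweepToFreeList, false);
    std::size_t n = 0;
    for (const Cell& cell : block.cells)
        if (cell.header == kScribbleWord)
            ++n;
    return n;
}

} // namespace sweepmodel

int main()
{
    std::cout << "buggy SweepOnly crashes: " << sweepmodel::twoSweepOnlyPassesCrash(true) << "\n"
              << "fixed SweepOnly crashes: " << sweepmodel::twoSweepOnlyPassesCrash(false) << "\n";
}
```

The model keeps the invariant the entry relies on: a zap word must survive until the memory is genuinely recycled, because the zap is the only thing telling a later destructor pass to skip the cell.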
1053
1054 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1055
1056         All C++ accesses to JSObject::m_butterfly should do caging
1057         https://bugs.webkit.org/show_bug.cgi?id=175039
1058
1059         Reviewed by Keith Miller.
1060         
1061         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
1062         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
1063         outside the gigacage.
1064
1065         * runtime/JSArray.cpp:
1066         (JSC::JSArray::setLength):
1067         (JSC::JSArray::pop):
1068         (JSC::JSArray::push):
1069         (JSC::JSArray::shiftCountWithAnyIndexingType):
1070         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1071         (JSC::JSArray::fillArgList):
1072         (JSC::JSArray::copyToArguments):
1073         * runtime/JSObject.cpp:
1074         (JSC::JSObject::heapSnapshot):
1075         (JSC::JSObject::createInitialIndexedStorage):
1076         (JSC::JSObject::createArrayStorage):
1077         (JSC::JSObject::convertUndecidedToInt32):
1078         (JSC::JSObject::convertUndecidedToDouble):
1079         (JSC::JSObject::convertUndecidedToContiguous):
1080         (JSC::JSObject::convertInt32ToDouble):
1081         (JSC::JSObject::convertInt32ToArrayStorage):
1082         (JSC::JSObject::convertDoubleToContiguous):
1083         (JSC::JSObject::convertDoubleToArrayStorage):
1084         (JSC::JSObject::convertContiguousToArrayStorage):
1085         (JSC::JSObject::defineOwnIndexedProperty):
1086         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1087         (JSC::JSObject::ensureLengthSlow):
1088         (JSC::JSObject::allocateMoreOutOfLineStorage):
1089         * runtime/JSObject.h:
1090         (JSC::JSObject::canGetIndexQuickly):
1091         (JSC::JSObject::getIndexQuickly):
1092         (JSC::JSObject::tryGetIndexQuickly const):
1093         (JSC::JSObject::canSetIndexQuickly):
1094         (JSC::JSObject::setIndexQuickly):
1095         (JSC::JSObject::initializeIndex):
1096         (JSC::JSObject::initializeIndexWithoutBarrier):
1097         (JSC::JSObject::butterfly const):
1098         (JSC::JSObject::butterfly):
1099
1100 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1101
1102         We should be OK with the gigacage being disabled on gmalloc
1103         https://bugs.webkit.org/show_bug.cgi?id=175082
1104
1105         Reviewed by Michael Saboff.
1106
1107         * jsc.cpp:
1108         (jscmain):
1109
1110 2017-08-02  Saam Barati  <sbarati@apple.com>
1111
1112         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
1113         https://bugs.webkit.org/show_bug.cgi?id=175041
1114         <rdar://problem/33659370>
1115
1116         Reviewed by Filip Pizlo.
1117
1118         The testing I have done shows that this new function is a ~10%
1119         progression running JetStream on 1GB iOS devices. I've also tried
1120         this on a few > 1GB iOS devices, and the testing shows this is either neutral
1121         or a regression. Right now, we'll just enable this for <= 1GB devices
1122         since it's a win. In the future, we might want to either look into
1123         tweaking these parameters or coming up with a new function for > 1GB
1124         devices.
1125
1126         * heap/Heap.cpp:
1127         * runtime/Options.h:
1128
1129 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
1130
1131         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
1132         https://bugs.webkit.org/show_bug.cgi?id=174727
1133
1134         Reviewed by Mark Lam.
1135         
1136         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
1137         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
1138         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
1139         
1140         This is neutral on JetStream.
1141
1142         * CMakeLists.txt:
1143         * JavaScriptCore.xcodeproj/project.pbxproj:
1144         * b3/B3InsertionSet.cpp:
1145         (JSC::B3::InsertionSet::execute):
1146         * dfg/DFGAbstractInterpreterInlines.h:
1147         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1148         * dfg/DFGArgumentsEliminationPhase.cpp:
1149         * dfg/DFGClobberize.cpp:
1150         (JSC::DFG::readsOverlap):
1151         * dfg/DFGClobberize.h:
1152         (JSC::DFG::clobberize):
1153         * dfg/DFGDoesGC.cpp:
1154         (JSC::DFG::doesGC):
1155         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
1156         (JSC::DFG::performFixedButterflyAccessUncaging):
1157         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
1158         * dfg/DFGFixupPhase.cpp:
1159         (JSC::DFG::FixupPhase::fixupNode):
1160         * dfg/DFGHeapLocation.cpp:
1161         (WTF::printInternal):
1162         * dfg/DFGHeapLocation.h:
1163         * dfg/DFGNodeType.h:
1164         * dfg/DFGPlan.cpp:
1165         (JSC::DFG::Plan::compileInThreadImpl):
1166         * dfg/DFGPredictionPropagationPhase.cpp:
1167         * dfg/DFGSafeToExecute.h:
1168         (JSC::DFG::safeToExecute):
1169         * dfg/DFGSpeculativeJIT.cpp:
1170         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1171         * dfg/DFGSpeculativeJIT32_64.cpp:
1172         (JSC::DFG::SpeculativeJIT::compile):
1173         * dfg/DFGSpeculativeJIT64.cpp:
1174         (JSC::DFG::SpeculativeJIT::compile):
1175         * dfg/DFGTypeCheckHoistingPhase.cpp:
1176         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1177         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1178         * ftl/FTLCapabilities.cpp:
1179         (JSC::FTL::canCompile):
1180         * ftl/FTLLowerDFGToB3.cpp:
1181         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1182         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1183         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1184         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1185         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1186         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1187         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1188         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1189         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
1190         (JSC::FTL::DFG::LowerDFGToB3::caged):
1191         * heap/GigacageSubspace.cpp: Added.
1192         (JSC::GigacageSubspace::GigacageSubspace):
1193         (JSC::GigacageSubspace::~GigacageSubspace):
1194         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
1195         (JSC::GigacageSubspace::freeAlignedMemory):
1196         (JSC::GigacageSubspace::canTradeBlocksWith):
1197         * heap/GigacageSubspace.h: Added.
1198         * heap/Heap.cpp:
1199         (JSC::Heap::Heap):
1200         (JSC::Heap::lastChanceToFinalize):
1201         (JSC::Heap::finalize):
1202         (JSC::Heap::sweepInFinalize):
1203         (JSC::Heap::updateAllocationLimits):
1204         (JSC::Heap::shouldDoFullCollection):
1205         (JSC::Heap::collectIfNecessaryOrDefer):
1206         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
1207         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
1208         (JSC::Heap::sweepLargeAllocations): Deleted.
1209         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
1210         * heap/Heap.h:
1211         * heap/LargeAllocation.cpp:
1212         (JSC::LargeAllocation::tryCreate):
1213         (JSC::LargeAllocation::destroy):
1214         * heap/MarkedAllocator.cpp:
1215         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1216         (JSC::MarkedAllocator::tryAllocateBlock):
1217         * heap/MarkedBlock.cpp:
1218         (JSC::MarkedBlock::tryCreate):
1219         (JSC::MarkedBlock::Handle::Handle):
1220         (JSC::MarkedBlock::Handle::~Handle):
1221         (JSC::MarkedBlock::Handle::didAddToAllocator):
1222         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1223         * heap/MarkedBlock.h:
1224         (JSC::MarkedBlock::Handle::subspace const):
1225         * heap/MarkedSpace.cpp:
1226         (JSC::MarkedSpace::~MarkedSpace):
1227         (JSC::MarkedSpace::freeMemory):
1228         (JSC::MarkedSpace::prepareForAllocation):
1229         (JSC::MarkedSpace::addMarkedAllocator):
1230         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
1231         * heap/MarkedSpace.h:
1232         (JSC::MarkedSpace::firstAllocator const):
1233         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
1234         * heap/Subspace.cpp:
1235         (JSC::Subspace::Subspace):
1236         (JSC::Subspace::canTradeBlocksWith):
1237         (JSC::Subspace::tryAllocateAlignedMemory):
1238         (JSC::Subspace::freeAlignedMemory):
1239         (JSC::Subspace::prepareForAllocation):
1240         (JSC::Subspace::findEmptyBlockToSteal):
1241         * heap/Subspace.h:
1242         (JSC::Subspace::didCreateFirstAllocator):
1243         * heap/SubspaceInlines.h:
1244         (JSC::Subspace::forEachAllocator):
1245         (JSC::Subspace::forEachMarkedBlock):
1246         (JSC::Subspace::forEachNotEmptyMarkedBlock):
1247         * jit/JITPropertyAccess.cpp:
1248         (JSC::JIT::emitDoubleLoad):
1249         (JSC::JIT::emitContiguousLoad):
1250         (JSC::JIT::emitArrayStorageLoad):
1251         (JSC::JIT::emitGenericContiguousPutByVal):
1252         (JSC::JIT::emitArrayStoragePutByVal):
1253         (JSC::JIT::emit_op_get_from_scope):
1254         (JSC::JIT::emit_op_put_to_scope):
1255         (JSC::JIT::emitIntTypedArrayGetByVal):
1256         (JSC::JIT::emitFloatTypedArrayGetByVal):
1257         (JSC::JIT::emitIntTypedArrayPutByVal):
1258         (JSC::JIT::emitFloatTypedArrayPutByVal):
1259         * jsc.cpp:
1260         (fillBufferWithContentsOfFile):
1261         (functionReadFile):
1262         (gigacageDisabled):
1263         (jscmain):
1264         * llint/LowLevelInterpreter64.asm:
1265         * runtime/ArrayBuffer.cpp:
1266         (JSC::ArrayBufferContents::tryAllocate):
1267         (JSC::ArrayBuffer::createAdopted):
1268         (JSC::ArrayBuffer::createFromBytes):
1269         (JSC::ArrayBuffer::tryCreate):
1270         * runtime/IndexingHeader.h:
1271         * runtime/InitializeThreading.cpp:
1272         (JSC::initializeThreading):
1273         * runtime/JSArrayBuffer.cpp:
1274         * runtime/JSArrayBufferView.cpp:
1275         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1276         (JSC::JSArrayBufferView::finalize):
1277         * runtime/JSLock.cpp:
1278         (JSC::JSLock::didAcquireLock):
1279         * runtime/JSObject.h:
1280         * runtime/Options.cpp:
1281         (JSC::recomputeDependentOptions):
1282         * runtime/Options.h:
1283         * runtime/ScopedArgumentsTable.h:
1284         * runtime/VM.cpp:
1285         (JSC::VM::VM):
1286         (JSC::VM::~VM):
1287         (JSC::VM::gigacageDisabledCallback):
1288         (JSC::VM::gigacageDisabled):
1289         * runtime/VM.h:
1290         (JSC::VM::fireGigacageEnabledIfNecessary):
1291         (JSC::VM::gigacageEnabled):
1292         * wasm/WasmB3IRGenerator.cpp:
1293         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1294         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1295         * wasm/WasmCodeBlock.cpp:
1296         (JSC::Wasm::CodeBlock::isSafeToRun):
1297         * wasm/WasmMemory.cpp:
1298         (JSC::Wasm::makeString):
1299         (JSC::Wasm::Memory::create):
1300         (JSC::Wasm::Memory::~Memory):
1301         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
1302         (JSC::Wasm::Memory::grow):
1303         (JSC::Wasm::Memory::initializePreallocations): Deleted.
1304         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
1305         * wasm/WasmMemory.h:
1306         * wasm/js/JSWebAssemblyInstance.cpp:
1307         (JSC::JSWebAssemblyInstance::create):
1308         * wasm/js/JSWebAssemblyMemory.cpp:
1309         (JSC::JSWebAssemblyMemory::grow):
1310         (JSC::JSWebAssemblyMemory::finishCreation):
1311         * wasm/js/JSWebAssemblyMemory.h:
1312         (JSC::JSWebAssemblyMemory::subspaceFor):
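
The caging step referred to in the two entries above (the masked butterfly and typed-array accesses, and the CagedPtr<> wrapper adopted for JSObject::m_butterfly), as an added example. This is not bmalloc's Gigacage or JSC's CagedPtr: the cage here is a 1 MiB region the example allocates itself instead of a multi-GB reservation, and cage::caged, the CagedPtr class, Butterfly and allocateButterfly are this example's own names.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <cstring>
#include <iostream>

namespace cage {

// The cage size is a power of two, so (ptr & kMask) is an offset into it.
// 1 MiB is a toy size chosen so the example runs anywhere.
constexpr std::size_t kCageSize = std::size_t(1) << 20;
constexpr std::uintptr_t kMask = kCageSize - 1;

// Cage base, allocated on first use and aligned to kCageSize. Because of that
// alignment, any pointer already inside the cage has (ptr & ~kMask) == base.
inline char* basePtr()
{
    static char* base = [] {
        void* p = nullptr;
        if (posix_memalign(&p, kCageSize, kCageSize) != 0)
            std::abort();
        std::memset(p, 0, kCageSize);
        return static_cast<char*>(p);
    }();
    return base;
}

inline bool isInCage(const void* ptr)
{
    std::uintptr_t raw = reinterpret_cast<std::uintptr_t>(ptr);
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(basePtr());
    return (raw & ~kMask) == base;
}

// The masking itself: keep only the in-cage offset bits of the raw pointer
// and rebase them. A pointer already in the cage comes back unchanged; one
// that was rewired to point elsewhere is forced back inside the cage.
template<typename T>
inline T* caged(T* ptr)
{
    std::uintptr_t raw = reinterpret_cast<std::uintptr_t>(ptr);
    std::uintptr_t base = reinterpret_cast<std::uintptr_t>(basePtr());
    return reinterpret_cast<T*>(base + (raw & kMask));
}

// CagedPtr-style wrapper: stores the raw bits, but every dereference goes
// through caged(), so corrupting the stored pointer cannot make C++ code
// touch memory outside the cage.
template<typename T>
class CagedPtr {
public:
    explicit CagedPtr(T* p = nullptr) : m_ptr(p) { }
    T* get() const { return caged(m_ptr); }
    T* operator->() const { return get(); }
    T& operator*() const { return *get(); }
    // Stands in for an attacker overwriting the field through a heap bug.
    void corruptRawBits(T* p) { m_ptr = p; }
private:
    T* m_ptr;
};

// Toy "butterfly": a few JSValue-sized slots that live inside the cage.
struct Butterfly { std::uint64_t slots[4]; };

// Bump-allocates Butterflies inside the cage (toy allocator; never frees).
inline Butterfly* allocateButterfly()
{
    static std::size_t used = 0;
    if (used + sizeof(Butterfly) > kCageSize)
        return nullptr;
    Butterfly* b = reinterpret_cast<Butterfly*>(basePtr() + used);
    used += sizeof(Butterfly);
    return b;
}

// True if a butterfly pointer rewired at memory outside the cage still
// resolves to an access inside the cage, which is the property both entries rely on.
inline bool rewiredPointerStaysCaged()
{
    static std::uint64_t outsideTheCage[4] = { 1, 2, 3, 4 }; // static storage, not cage memory
    CagedPtr<Butterfly> butterfly(allocateButterfly());
    butterfly->slots[0] = 42;
    bool legitimateAccessWorks = butterfly->slots[0] == 42 && isInCage(butterfly.get());

    butterfly.corruptRawBits(reinterpret_cast<Butterfly*>(&outsideTheCage[0]));
    Butterfly* target = butterfly.get();
    return legitimateAccessWorks
        && isInCage(target)
        && static_cast<void*>(target) != static_cast<void*>(&outsideTheCage[0]);
}

} // namespace cage

int main()
{
    std::cout << "rewired pointer stays caged: "
              << (cage::rewiredPointerStaysCaged() ? "yes" : "no") << "\n";
}
```

The mask is the whole argument: whatever bits the attacker wrote, the access lands somewhere in the cage. It does not make the access correct, only contained, so caging limits what a corrupted butterfly or typed-array pointer can reach rather than detecting the corruption.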
1313
1314 2017-07-31  Mark Lam  <mark.lam@apple.com>
1315
1316         Added some UNLIKELYs to operationOptimize().
1317         https://bugs.webkit.org/show_bug.cgi?id=174976
1318
1319         Reviewed by JF Bastien.
1320
1321         * jit/JITOperations.cpp:
1322
1323 2017-07-31  Keith Miller  <keith_miller@apple.com>
1324
1325         Make more things LLInt constexprs
1326         https://bugs.webkit.org/show_bug.cgi?id=174994
1327
1328         Reviewed by Saam Barati.
1329
1330         This patch makes more of the const values in the LLInt constexprs.
1331         It also deletes all of the no longer necessary static_asserts in
1332         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
1333
1334         * interpreter/ShadowChicken.h:
1335         (JSC::ShadowChicken::Packet::tailMarker):
1336         * llint/LLIntData.cpp:
1337         (JSC::LLInt::Data::performAssertions):
1338         * llint/LowLevelInterpreter.asm:
1339         * offlineasm/generate_offset_extractor.rb:
1340         * offlineasm/parser.rb:
1341
1342 2017-07-31  Matt Lewis  <jlewis3@apple.com>
1343
1344         Unreviewed, rolling out r220060.
1345
1346         This broke our internal builds. Contact the reviewer of the patch for
1347         more information.
1348
1349         Reverted changeset:
1350
1351         "Merge WTFThreadData to Thread::current"
1352         https://bugs.webkit.org/show_bug.cgi?id=174716
1353         http://trac.webkit.org/changeset/220060
1354
1355 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1356
1357         [JSC] Support optional catch binding
1358         https://bugs.webkit.org/show_bug.cgi?id=174981
1359
1360         Reviewed by Saam Barati.
1361
1362         This patch implements the optional catch binding proposal[1], which is now stage 3.
1363         This proposal adds a new `catch` brace with no error value binding.
1364
1365             ```
1366                 try {
1367                     ...
1368                 } catch {
1369                     ...
1370                 }
1371             ```
1372
1373         Sometimes we do not actually need the error value. For example, a function may return a
1374         boolean that indicates whether it succeeded.
1375
1376             ```
1377             function parse(result) // -> bool
1378             {
1379                  try {
1380                      parseInner(result);
1381                  } catch {
1382                      return false;
1383                  }
1384                  return true;
1385             }
1386             ```
1387
1388         In the above case, we are not interested in the actual error value. Without this syntax,
1389         we always need to introduce a binding for an error value that is just ignored.
1390
1391         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
1392
1393         * bytecompiler/NodesCodegen.cpp:
1394         (JSC::TryNode::emitBytecode):
1395         * parser/Parser.cpp:
1396         (JSC::Parser<LexerType>::parseTryStatement):
1397
1398 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1399
1400         Merge WTFThreadData to Thread::current
1401         https://bugs.webkit.org/show_bug.cgi?id=174716
1402
1403         Reviewed by Sam Weinig.
1404
1405         Use Thread::current() instead.
1406
1407         * API/JSContext.mm:
1408         (+[JSContext currentContext]):
1409         (+[JSContext currentThis]):
1410         (+[JSContext currentCallee]):
1411         (+[JSContext currentArguments]):
1412         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1413         (-[JSContext endCallbackWithData:]):
1414         * heap/Heap.cpp:
1415         (JSC::Heap::requestCollection):
1416         * runtime/Completion.cpp:
1417         (JSC::checkSyntax):
1418         (JSC::checkModuleSyntax):
1419         (JSC::evaluate):
1420         (JSC::loadAndEvaluateModule):
1421         (JSC::loadModule):
1422         (JSC::linkAndEvaluateModule):
1423         (JSC::importModule):
1424         * runtime/Identifier.cpp:
1425         (JSC::Identifier::checkCurrentAtomicStringTable):
1426         * runtime/InitializeThreading.cpp:
1427         (JSC::initializeThreading):
1428         * runtime/JSLock.cpp:
1429         (JSC::JSLock::didAcquireLock):
1430         (JSC::JSLock::willReleaseLock):
1431         (JSC::JSLock::dropAllLocks):
1432         (JSC::JSLock::grabAllLocks):
1433         * runtime/JSLock.h:
1434         * runtime/VM.cpp:
1435         (JSC::VM::VM):
1436         (JSC::VM::updateStackLimits):
1437         (JSC::VM::committedStackByteCount):
1438         * runtime/VM.h:
1439         (JSC::VM::isSafeToRecurse const):
1440         * runtime/VMEntryScope.cpp:
1441         (JSC::VMEntryScope::VMEntryScope):
1442         * runtime/VMInlines.h:
1443         (JSC::VM::ensureStackCapacityFor):
1444         * yarr/YarrPattern.cpp:
1445         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1446
1447 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1448
1449         [WTF] Introduce Private Symbols
1450         https://bugs.webkit.org/show_bug.cgi?id=174935
1451
1452         Reviewed by Darin Adler.
1453
1454         Use SymbolImpl::isPrivate().
1455
1456         * builtins/BuiltinNames.cpp:
1457         * builtins/BuiltinNames.h:
1458         (JSC::BuiltinNames::isPrivateName): Deleted.
1459         * builtins/BuiltinUtils.h:
1460         * bytecode/BytecodeIntrinsicRegistry.cpp:
1461         (JSC::BytecodeIntrinsicRegistry::lookup):
1462         * runtime/CommonIdentifiers.cpp:
1463         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1464         * runtime/CommonIdentifiers.h:
1465         * runtime/ExceptionHelpers.cpp:
1466         (JSC::createUndefinedVariableError):
1467         * runtime/Identifier.h:
1468         (JSC::Identifier::isPrivateName):
1469         * runtime/IdentifierInlines.h:
1470         (JSC::identifierToSafePublicJSValue):
1471         * runtime/ObjectConstructor.cpp:
1472         (JSC::objectConstructorAssign):
1473         (JSC::defineProperties):
1474         (JSC::setIntegrityLevel):
1475         (JSC::testIntegrityLevel):
1476         (JSC::ownPropertyKeys):
1477         * runtime/PrivateName.h:
1478         (JSC::PrivateName::PrivateName):
1479         * runtime/PropertyName.h:
1480         (JSC::PropertyName::isPrivateName):
1481         * runtime/ProxyObject.cpp:
1482         (JSC::performProxyGet):
1483         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1484         (JSC::ProxyObject::performHasProperty):
1485         (JSC::ProxyObject::performPut):
1486         (JSC::ProxyObject::performDelete):
1487         (JSC::ProxyObject::performDefineOwnProperty):
1488
1489 2017-07-29  Keith Miller  <keith_miller@apple.com>
1490
1491         LLInt offsets extractor should be able to handle C++ constexprs
1492         https://bugs.webkit.org/show_bug.cgi?id=174964
1493
1494         Reviewed by Saam Barati.
1495
1496         This patch adds new syntax to the offline asm language. The new keyword,
1497         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1498         expression. Additionally, if the value is not an identifier you can wrap it in
1499         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1500         which will get converted into:
1501         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1502
1503         This patch also changes the data format the LLIntOffsetsExtractor
1504         binary produces.  Previously, it would produce unsigned values;
1505         after this patch every value is an int64_t.  Using an int64_t is
1506         useful because it means that we can represent any constant needed.
1507         int32_t masks are sign extended, then passed and converted to a
1508         negative literal string in the assembler so it will be the constant
1509         expected.
1510
1511         * llint/LLIntOffsetsExtractor.cpp:
1512         (JSC::LLIntOffsetsExtractor::dummy):
1513         * llint/LowLevelInterpreter.asm:
1514         * llint/LowLevelInterpreter64.asm:
1515         * offlineasm/asm.rb:
1516         * offlineasm/ast.rb:
1517         * offlineasm/generate_offset_extractor.rb:
1518         * offlineasm/offsets.rb:
1519         * offlineasm/parser.rb:
1520         * offlineasm/transform.rb:
1521
1522 2017-07-28  Matt Baker  <mattbaker@apple.com>
1523
1524         Web Inspector: capture an async stack trace when web content calls addEventListener
1525         https://bugs.webkit.org/show_bug.cgi?id=174739
1526         <rdar://problem/33468197>
1527
1528         Reviewed by Brian Burg.
1529
1530         Allow debugger agents to perform custom logic when asynchronous stack
1531         trace data is cleared. For example, the PageDebuggerAgent would clear
1532         its list of registered listeners for which call stacks have been recorded.
1533
1534         * inspector/agents/InspectorDebuggerAgent.cpp:
1535         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1536         * inspector/agents/InspectorDebuggerAgent.h:
1537
1538 2017-07-28  Mark Lam  <mark.lam@apple.com>
1539
1540         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
1541         https://bugs.webkit.org/show_bug.cgi?id=174948
1542         <rdar://problem/33495680>
1543
1544         Reviewed by Filip Pizlo.
1545
1546         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
1547         owner StructureRareData is already known to be dead (in terms of GC liveness) but
1548         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
1549         requests to fire this watchpoint.
1550
1551         If the GC had the chance to sweep the StructureRareData, thereby destructing the
1552         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
1553         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
1554
1555         But since the watchpoint hasn't been destructed yet, it still remains on the
1556         WatchpointSet and needs to guard against being fired in this state.  The fix is
1557         to simply return early if its owner StructureRareData is not live.  This has the
1558         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
1559         not firing as we would expect.
1560
1561         This patch also removes some cargo cult copying of watchpoint code which
1562         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
1563         used.  This patch removes these unnecessary instantiations.
1564
1565         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1566         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1567         * runtime/StructureRareData.cpp:
1568         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1569         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1570
1571 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1572
1573         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
1574         https://bugs.webkit.org/show_bug.cgi?id=174900
1575
1576         Reviewed by Saam Barati.
1577
1578         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
1579         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
1580         The problem is that even the transforming phase also checks these pseudo terminals.
1581
1582             BB1
1583             1: ForceOSRExit
1584             2: CreateDirectArguments
1585
1586             BB2
1587             3: GetButterfly(@2)
1588             4: ForceOSRExit
1589
1590         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
1591
1592         In this patch, we do not list candidates after seeing pseudo terminals in basic blocks.
1593
1594         * dfg/DFGArgumentsEliminationPhase.cpp:
1595
1596 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
1597
1598         [ES] Add support finally to Promise
1599         https://bugs.webkit.org/show_bug.cgi?id=174503
1600
1601         Reviewed by Yusuke Suzuki.
1602
1603         Add support for the `finally` method to Promise according
1604         to https://bugs.webkit.org/show_bug.cgi?id=174503.
1605         The current spec is at stage 3:
1606         https://github.com/tc39/proposal-promise-finally
1607
1608         * builtins/PromisePrototype.js:
1609         (finally):
1610         (const.valueThunk):
1611         (globalPrivate.getThenFinally):
1612         (const.thrower):
1613         (globalPrivate.getCatchFinally):
1614         * runtime/JSPromisePrototype.cpp:
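
The `finally` algorithm the entry above implements, as an added stand-alone JavaScript polyfill for illustration; it is not JavaScriptCore's builtin code. The helper names (`valueThunk`, `thrower`, `getThenFinally`, `getCatchFinally`) follow the entry and the proposal; `speciesConstructor`, `promiseFinally` and `demonstrate` are names assumed here.

```javascript
// Added illustration (not JSC's builtins/PromisePrototype.js): a stand-alone polyfill
// of the stage-3 Promise.prototype.finally algorithm. valueThunk, thrower,
// getThenFinally and getCatchFinally mirror the helper names in the ChangeLog entry;
// speciesConstructor, promiseFinally and demonstrate are names assumed here.

// SpeciesConstructor(O, defaultConstructor) from the ECMAScript spec, so that a
// Promise subclass gets instances of its own class back from finally().
function speciesConstructor(O, defaultConstructor) {
  const C = O.constructor;
  if (C === undefined) return defaultConstructor;
  if (typeof C !== 'object' && typeof C !== 'function')
    throw new TypeError('constructor is not an object');
  const S = C[Symbol.species];
  if (S === undefined || S === null) return defaultConstructor;
  if (typeof S === 'function') return S;
  throw new TypeError('@@species is not a constructor');
}

// getThenFinally: wraps onFinally for the fulfillment path. The original value is
// captured in valueThunk and restored after onFinally's result settles, so whatever
// onFinally returns is ignored (unless it rejects).
function getThenFinally(onFinally, C) {
  return function thenFinally(value) {
    const result = onFinally();
    const promise = C.resolve(result); // PromiseResolve(C, result)
    const valueThunk = () => value;
    return promise.then(valueThunk);
  };
}

// getCatchFinally: wraps onFinally for the rejection path. thrower re-raises the
// original reason once onFinally's result settles, so the rejection passes through.
function getCatchFinally(onFinally, C) {
  return function catchFinally(reason) {
    const result = onFinally();
    const promise = C.resolve(result);
    const thrower = () => { throw reason; };
    return promise.then(thrower);
  };
}

// Promise.prototype.finally(onFinally); `this` is the receiver promise.
function promiseFinally(onFinally) {
  const promise = this;
  if (promise === null || (typeof promise !== 'object' && typeof promise !== 'function'))
    throw new TypeError('Promise.prototype.finally requires that |this| be an Object');
  const C = speciesConstructor(promise, Promise);
  let thenFinally;
  let catchFinally;
  if (typeof onFinally !== 'function') {
    // A non-callable onFinally is passed straight to then(), which treats it as
    // an identity/rethrow pair.
    thenFinally = onFinally;
    catchFinally = onFinally;
  } else {
    thenFinally = getThenFinally(onFinally, C);
    catchFinally = getCatchFinally(onFinally, C);
  }
  return promise.then(thenFinally, catchFinally);
}

// Exercise the observable semantics of the algorithm.
async function demonstrate() {
  const log = [];
  const fin = (p, cb) => promiseFinally.call(p, cb);

  // 1. The fulfillment value passes through; onFinally's return value is ignored.
  const passThrough = await fin(Promise.resolve(42), () => { log.push('fin1'); return 'ignored'; });

  // 2. A rejection passes through unchanged after onFinally has run.
  let rejectionPassThrough;
  try {
    await fin(Promise.reject(new Error('boom')), () => { log.push('fin2'); });
  } catch (e) {
    rejectionPassThrough = e.message;
  }

  // 3. A throw inside onFinally replaces the original outcome.
  let override;
  try {
    await fin(Promise.resolve('original'), () => { throw new Error('override'); });
  } catch (e) {
    override = e.message;
  }

  // 4. A promise returned from onFinally delays settlement until it resolves.
  const order = [];
  const delayed = fin(Promise.resolve('done'),
    () => new Promise((resolve) => setTimeout(() => { order.push('cleanup'); resolve(); }, 5)));
  await delayed.then((v) => { order.push(v); });

  // 5. A non-callable onFinally behaves like plain then(): the value passes through.
  const nonCallable = await fin(Promise.resolve(7), null);

  return { passThrough, rejectionPassThrough, override, order, nonCallable, log };
}

demonstrate().then((r) => console.log(r));
```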
1615
1616 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1617
1618         Unreviewed, build fix for CLoop
1619         https://bugs.webkit.org/show_bug.cgi?id=171637
1620
1621         * domjit/DOMJITGetterSetter.h:
1622
1623 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1624
1625         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
1626         https://bugs.webkit.org/show_bug.cgi?id=171637
1627
1628         Reviewed by Darin Adler.
1629
1630         Each DOM attribute getter has code to perform the ClassInfo check. But it is largely duplicated and causes code bloat.
1631         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
1632
1633         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
1634         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
1635
1636         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
1637         the op_get_by_id_with_this case yet.
1638         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
1639
1640         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
1641         ClassInfo check.
1642
1643         * CMakeLists.txt:
1644         * JavaScriptCore.xcodeproj/project.pbxproj:
1645         * bytecode/AccessCase.cpp:
1646         (JSC::AccessCase::generateImpl):
1647         * bytecode/GetByIdStatus.cpp:
1648         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1649         * bytecode/GetByIdVariant.cpp:
1650         (JSC::GetByIdVariant::GetByIdVariant):
1651         (JSC::GetByIdVariant::operator=):
1652         (JSC::GetByIdVariant::attemptToMerge):
1653         (JSC::GetByIdVariant::dumpInContext):
1654         * bytecode/GetByIdVariant.h:
1655         (JSC::GetByIdVariant::customAccessorGetter):
1656         (JSC::GetByIdVariant::domAttribute):
1657         (JSC::GetByIdVariant::domJIT): Deleted.
1658         * bytecode/GetterSetterAccessCase.cpp:
1659         (JSC::GetterSetterAccessCase::create):
1660         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1661         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1662         * bytecode/GetterSetterAccessCase.h:
1663         (JSC::GetterSetterAccessCase::domAttribute):
1664         (JSC::GetterSetterAccessCase::customAccessor):
1665         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1666         * bytecompiler/BytecodeGenerator.cpp:
1667         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1668         * create_hash_table:
1669         * dfg/DFGAbstractInterpreterInlines.h:
1670         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1671         * dfg/DFGByteCodeParser.cpp:
1672         (JSC::DFG::blessCallDOMGetter):
1673         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1674         (JSC::DFG::ByteCodeParser::handleGetById):
1675         * dfg/DFGClobberize.h:
1676         (JSC::DFG::clobberize):
1677         * dfg/DFGFixupPhase.cpp:
1678         (JSC::DFG::FixupPhase::fixupNode):
1679         * dfg/DFGNode.h:
1680         * dfg/DFGSpeculativeJIT.cpp:
1681         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1682         * dfg/DFGSpeculativeJIT.h:
1683         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1684         * domjit/DOMJITGetterSetter.h:
1685         (JSC::DOMJIT::GetterSetter::GetterSetter):
1686         (JSC::DOMJIT::GetterSetter::getter):
1687         (JSC::DOMJIT::GetterSetter::compiler):
1688         (JSC::DOMJIT::GetterSetter::resultType):
1689         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1690         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1691         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1692         * ftl/FTLLowerDFGToB3.cpp:
1693         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1694         * jit/Repatch.cpp:
1695         (JSC::tryCacheGetByID):
1696         * jsc.cpp:
1697         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1698         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1699         (WTF::DOMJITGetter::customGetter):
1700         (WTF::DOMJITGetter::finishCreation):
1701         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1702         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1703         (WTF::DOMJITGetterComplex::customGetter):
1704         (WTF::DOMJITGetterComplex::finishCreation):
1705         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1706         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1707         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1708         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1709         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1710         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1711         * runtime/CustomGetterSetter.h:
1712         (JSC::CustomGetterSetter::create):
1713         (JSC::CustomGetterSetter::setter):
1714         (JSC::CustomGetterSetter::CustomGetterSetter):
1715         (): Deleted.
1716         * runtime/DOMAnnotation.h: Added.
1717         (JSC::operator==):
1718         (JSC::operator!=):
1719         * runtime/DOMAttributeGetterSetter.cpp: Added.
1720         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1721         (JSC::isDOMAttributeGetterSetter):
1722         * runtime/Error.cpp:
1723         (JSC::throwDOMAttributeGetterTypeError):
1724         * runtime/Error.h:
1725         (JSC::throwVMDOMAttributeGetterTypeError):
1726         * runtime/JSCustomGetterSetterFunction.cpp:
1727         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1728         * runtime/JSObject.cpp:
1729         (JSC::JSObject::putInlineSlow):
1730         (JSC::JSObject::deleteProperty):
1731         (JSC::JSObject::getOwnStaticPropertySlot):
1732         (JSC::JSObject::reifyAllStaticProperties):
1733         (JSC::JSObject::fillGetterPropertySlot):
1734         (JSC::JSObject::findPropertyHashEntry): Deleted.
1735         * runtime/JSObject.h:
1736         (JSC::JSObject::getOwnNonIndexPropertySlot):
1737         (JSC::JSObject::fillCustomGetterPropertySlot):
1738         * runtime/Lookup.cpp:
1739         (JSC::setUpStaticFunctionSlot):
1740         * runtime/Lookup.h:
1741         (JSC::HashTableValue::domJIT):
1742         (JSC::getStaticPropertySlotFromTable):
1743         (JSC::putEntry):
1744         (JSC::lookupPut):
1745         (JSC::reifyStaticProperty):
1746         (JSC::reifyStaticProperties):
1747         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
1748         this static property table require.
1749
1750         * runtime/ProgramExecutable.cpp:
1751         (JSC::ProgramExecutable::initializeGlobalProperties):
1752         * runtime/PropertyName.h:
1753         * runtime/PropertySlot.cpp:
1754         (JSC::PropertySlot::customGetter):
1755         (JSC::PropertySlot::customAccessorGetter):
1756         * runtime/PropertySlot.h:
1757         (JSC::PropertySlot::domAttribute):
1758         (JSC::PropertySlot::setCustom):
1759         (JSC::PropertySlot::setCacheableCustom):
1760         (JSC::PropertySlot::getValue):
1761         (JSC::PropertySlot::domJIT): Deleted.
1762         * runtime/VM.cpp:
1763         (JSC::VM::VM):
1764         * runtime/VM.h:
1765
1766 2017-07-26  Devin Rousso  <drousso@apple.com>
1767
1768         Web Inspector: create protocol for recording Canvas contexts
1769         https://bugs.webkit.org/show_bug.cgi?id=174481
1770
1771         Reviewed by Joseph Pecoraro.
1772
1773         * inspector/protocol/Canvas.json:
1774          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1775          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1776          - Add `recordingFinished` event that is fired once a recording is finished.
1777
1778         * CMakeLists.txt:
1779         * DerivedSources.make:
1780         * inspector/protocol/Recording.json: Added.
1781          - Add `Type` enum that lists the types of recordings
1782          - Add `InitialState` type that contains information about the canvas context at the
1783            beginning of the recording.
1784          - Add `Frame` type that holds a list of actions that were recorded.
1785          - Add `Recording` type as the container object of recording data.
1786
1787         * inspector/scripts/codegen/generate_js_backend_commands.py:
1788         (JSBackendCommandsGenerator.generate_domain):
1789         Create an agent for domains with no events or commands.
1790
1791         * inspector/InspectorValues.h:
1792         Make Array `get` public so that values can be retrieved if needed.
1793
1794 2017-07-26  Brian Burg  <bburg@apple.com>
1795
1796         Remove WEB_TIMING feature flag
1797         https://bugs.webkit.org/show_bug.cgi?id=174795
1798
1799         Reviewed by Alex Christensen.
1800
1801         * Configurations/FeatureDefines.xcconfig:
1802
1803 2017-07-26  Mark Lam  <mark.lam@apple.com>
1804
1805         Add the ability to change sp and pc to the ARM64 JIT probe.
1806         https://bugs.webkit.org/show_bug.cgi?id=174697
1807         <rdar://problem/33436965>
1808
1809         Reviewed by JF Bastien.
1810
1811         This patch implements the following:
1812
1813         1. The ARM64 probe now supports modifying the pc and sp.
1814
1815            However, lr is not preserved when modifying the pc because it is used as the
1816            scratch register for the indirect jump. Hence, the probe handler function
1817            may not modify both lr and pc in the same probe invocation.
1818
1819         2. Fix probe tests to use bitwise comparison when comparing double register
1820            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1821
1822         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1823            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1824            instructions which require 16 byte alignment for their memory access.
1825
1826         * assembler/MacroAssemblerARM64.cpp:
1827         (JSC::arm64ProbeError):
1828         (JSC::MacroAssembler::probe):
1829         (JSC::arm64ProbeTrampoline): Deleted.
1830         * assembler/testmasm.cpp:
1831         (JSC::isSpecialGPR):
1832         (JSC::testProbeReadsArgumentRegisters):
1833         (JSC::testProbeWritesArgumentRegisters):
1834         (JSC::testProbePreservesGPRS):
1835         (JSC::testProbeModifiesStackPointer):
1836         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1837         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1838
1839 2017-07-25  JF Bastien  <jfbastien@apple.com>
1840
1841         WebAssembly: generate smaller binaries
1842         https://bugs.webkit.org/show_bug.cgi?id=174818
1843
1844         Reviewed by Filip Pizlo.
1845
1846         This patch reduces generated code size for WebAssembly in 2 ways:
1847
1848         1. Use the ZR register when storing zero on ARM64.
1849         2. Synthesize wasm context lazily.
1850
1851         This leads to a modest size reduction on both x86-64 and ARM64 for
1852         large WebAssembly games, without any performance loss on WasmBench
1853         and TitzerBench.
1854
1855         The reason this works is that these games, using Emscripten,
1856         generate 100k+ tiny functions, and our JIT allocation granule
1857         rounds all allocations up to 32 bytes. There are plenty of other
1858         simple gains to be had, I've filed a follow-up bug at
1859         webkit.org/b/174819
1860
1861         We should further avoid the per-function cost of tiering, which
1862         represents the bulk of code generated for small functions.
1863
1864         * assembler/MacroAssemblerARM64.h:
1865         (JSC::MacroAssemblerARM64::storeZero64):
1866         * assembler/MacroAssemblerX86_64.h:
1867         (JSC::MacroAssemblerX86_64::storeZero64):
1868         * b3/B3LowerToAir.cpp:
1869         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1870         for x86 because it constrains register reuse and codegen in a way
1871         that doesn't affect ARM64 because it has a dedicated zero
1872         register.
1873         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1874         * wasm/WasmB3IRGenerator.cpp:
1875         (JSC::Wasm::B3IRGenerator::instanceValue):
1876         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1877         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1878         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1879
1880 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1881
1882         B3 should do LICM
1883         https://bugs.webkit.org/show_bug.cgi?id=174750
1884
1885         Reviewed by Keith Miller and Saam Barati.
1886         
1887         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1888         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1889         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1890         change templatizes DFG::NaturalLoops so that we can just use it.
1891         
1892         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1893         the relationship between control dependence and side exits.
1894         
1895         Also added a bunch of tests.
1896         
1897         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1898         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1899         so it doesn't hurt to have it.
1900         
1901         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1902         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1903         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1904         eventually.
1905
1906         * CMakeLists.txt:
1907         * JavaScriptCore.xcodeproj/project.pbxproj:
1908         * b3/B3BackwardsCFG.h: Added.
1909         (JSC::B3::BackwardsCFG::BackwardsCFG):
1910         * b3/B3BackwardsDominators.h: Added.
1911         (JSC::B3::BackwardsDominators::BackwardsDominators):
1912         * b3/B3BasicBlock.cpp:
1913         (JSC::B3::BasicBlock::appendNonTerminal):
1914         * b3/B3Effects.h:
1915         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1916         (JSC::B3::ensureLoopPreHeaders):
1917         * b3/B3EnsureLoopPreHeaders.h: Added.
1918         * b3/B3Generate.cpp:
1919         (JSC::B3::generateToAir):
1920         * b3/B3HoistLoopInvariantValues.cpp: Added.
1921         (JSC::B3::hoistLoopInvariantValues):
1922         * b3/B3HoistLoopInvariantValues.h: Added.
1923         * b3/B3NaturalLoops.h: Added.
1924         (JSC::B3::NaturalLoops::NaturalLoops):
1925         * b3/B3Procedure.cpp:
1926         (JSC::B3::Procedure::invalidateCFG):
1927         (JSC::B3::Procedure::naturalLoops):
1928         (JSC::B3::Procedure::backwardsCFG):
1929         (JSC::B3::Procedure::backwardsDominators):
1930         * b3/B3Procedure.h:
1931         * b3/testb3.cpp:
1932         (JSC::B3::generateLoop):
1933         (JSC::B3::makeArrayForLoops):
1934         (JSC::B3::generateLoopNotBackwardsDominant):
1935         (JSC::B3::oneFunction):
1936         (JSC::B3::noOpFunction):
1937         (JSC::B3::testLICMPure):
1938         (JSC::B3::testLICMPureSideExits):
1939         (JSC::B3::testLICMPureWritesPinned):
1940         (JSC::B3::testLICMPureWrites):
1941         (JSC::B3::testLICMReadsLocalState):
1942         (JSC::B3::testLICMReadsPinned):
1943         (JSC::B3::testLICMReads):
1944         (JSC::B3::testLICMPureNotBackwardsDominant):
1945         (JSC::B3::testLICMPureFoiledByChild):
1946         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1947         (JSC::B3::testLICMExitsSideways):
1948         (JSC::B3::testLICMWritesLocalState):
1949         (JSC::B3::testLICMWrites):
1950         (JSC::B3::testLICMFence):
1951         (JSC::B3::testLICMWritesPinned):
1952         (JSC::B3::testLICMControlDependent):
1953         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1954         (JSC::B3::testLICMControlDependentSideExits):
1955         (JSC::B3::testLICMReadsPinnedWritesPinned):
1956         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1957         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1958         (JSC::B3::testLICMDefaultCall):
1959         (JSC::B3::run):
1960         * dfg/DFGBasicBlock.h:
1961         * dfg/DFGCFG.h:
1962         * dfg/DFGNaturalLoops.cpp: Removed.
1963         * dfg/DFGNaturalLoops.h:
1964         (JSC::DFG::NaturalLoops::NaturalLoops):
1965         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1966         (JSC::DFG::NaturalLoop::header): Deleted.
1967         (JSC::DFG::NaturalLoop::size): Deleted.
1968         (JSC::DFG::NaturalLoop::at): Deleted.
1969         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1970         (JSC::DFG::NaturalLoop::contains): Deleted.
1971         (JSC::DFG::NaturalLoop::index): Deleted.
1972         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1973         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1974         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1975         (JSC::DFG::NaturalLoops::loop): Deleted.
1976         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1977         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1978         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1979         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1980         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1981
1982 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1983
1984         GC should be fine with trading blocks between destructor and non-destructor blocks
1985         https://bugs.webkit.org/show_bug.cgi?id=174811
1986
1987         Reviewed by Mark Lam.
1988         
1989         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1990         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1991         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1992         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1993         set.
1994         
1995         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1996         is empty if:
1997         
1998         A) It has no live objects and it's a non-destructor block, or
1999         B) We just allocated it (so it has no destructors even if it's a destructor block), or
2000         C) We just stole it from another allocator (so it also has no destructors), or
2001         D) We just swept the block and ran all destructors.
2002         
2003         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
2004         block that could be stolen.
2005
2006         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
2007         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
2008         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
2009         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
2010         
2011         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
2012         
2013         If we tried to enable trading of blocks between allocators without making any changes to how
2014         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
2015         live objects in order for those bits to be candidates for trading. But if we do that, then our
2016         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
2017         our destructors won't run and we'll leak memory.
2018         
2019         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
2020         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
2021         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
2022         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
2023         are (empty & ~destructible).
2024         
2025         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
2026         remove destructor-oriented special-casing of block trading.
2027
2028         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
2029         so this change is more about clean-up than perf. But, this could reduce memory usage in some
2030         pathological cases.
2031         
2032         * heap/MarkedAllocator.cpp:
2033         (JSC::MarkedAllocator::findEmptyBlockToSteal):
2034         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2035         (JSC::MarkedAllocator::endMarking):
2036         (JSC::MarkedAllocator::shrink):
2037         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
2038         * heap/MarkedAllocator.h:
2039         * heap/MarkedBlock.cpp:
2040         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2041         (JSC::MarkedBlock::Handle::sweep):
2042         * heap/MarkedBlockInlines.h:
2043         (JSC::MarkedBlock::Handle::specializedSweep):
2044         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
2045         (JSC::MarkedBlock::Handle::emptyMode):
2046
2047 2017-07-25  Keith Miller  <keith_miller@apple.com>
2048
2049         Remove Broken CompareEq constant folding phase.
2050         https://bugs.webkit.org/show_bug.cgi?id=174846
2051         <rdar://problem/32978808>
2052
2053         Reviewed by Saam Barati.
2054
2055         This bug happened when we would get code like the following:
2056
2057         a: JSConst(Undefined)
2058         b: GetLocal(SomeObjectOrUndefined)
2059         ...
2060         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
2061
2062         constant folding will turn this into:
2063
2064         a: JSConst(Undefined)
2065         b: GetLocal(SomeObjectOrUndefined)
2066         ...
2067         c: CompareEq(Check:ObjectOrOther:b, Other:a)
2068
2069         But the SpeculativeJIT/FTL lowering will fail to check b
2070         properly which leads to an assertion failure in the AI.
2071
2072         I'll follow up with a more robust fix later. For now, I'll remove the
2073         case that generates the code. Removing the code appears to be perf
2074         neutral.
2075
2076         * dfg/DFGConstantFoldingPhase.cpp:
2077         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2078
2079 2017-07-25  Matt Baker  <mattbaker@apple.com>
2080
2081         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
2082         https://bugs.webkit.org/show_bug.cgi?id=174738
2083
2084         Reviewed by Brian Burg.
2085
2086         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
2087         stack traces. This preserves the call type in JSC, makes the range of
2088         possible call types explicit, and is safer than passing ints.
2089
2090         * inspector/agents/InspectorDebuggerAgent.cpp:
2091         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
2092         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2093         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2094         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2095         * inspector/agents/InspectorDebuggerAgent.h:
2096
2097 2017-07-25  Mark Lam  <mark.lam@apple.com>
2098
2099         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
2100         https://bugs.webkit.org/show_bug.cgi?id=174809
2101         <rdar://problem/33504759>
2102
2103         Reviewed by Filip Pizlo.
2104
2105         1. When the probe handler function changes the sp register to point to the
2106            region of stack in the middle of the ProbeContext on the stack, there is a
2107            bug where the ProbeContext's register values to be restored can be over-written
2108            before they can be restored.  This is now fixed.
2109
2110         2. Added more robust probe tests for changing the sp register.
2111
2112         3. Made existing probe tests ensure that probe handlers were actually called.
2113
2114         4. Added some verification to testProbePreservesGPRS().
2115
2116         5. Change all the probe tests to fail early on discovering an error instead of
2117            batching till the end of the test.  This helps point a finger to the failing
2118            issue earlier.
2119
2120         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
2121         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
2122
2123         * assembler/MacroAssemblerARM.cpp:
2124         * assembler/MacroAssemblerARMv7.cpp:
2125         * assembler/MacroAssemblerX86Common.cpp:
2126         * assembler/testmasm.cpp:
2127         (JSC::testProbeReadsArgumentRegisters):
2128         (JSC::testProbeWritesArgumentRegisters):
2129         (JSC::testProbePreservesGPRS):
2130         (JSC::testProbeModifiesStackPointer):
2131         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2132         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2133         (JSC::testProbeModifiesProgramCounter):
2134         (JSC::run):
2135
2136 2017-07-25  Brian Burg  <bburg@apple.com>
2137
2138         Web Automation: add support for uploading files
2139         https://bugs.webkit.org/show_bug.cgi?id=174797
2140         <rdar://problem/28485063>
2141
2142         Reviewed by Joseph Pecoraro.
2143
2144         * inspector/scripts/generate-inspector-protocol-bindings.py:
2145         (generate_from_specification):
2146         Start generating frontend dispatcher code if the target framework is 'WebKit'.
2147
2148         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2149         (CppFrontendDispatcherImplementationGenerator.generate_output):
2150         Use a framework include for InspectorFrontendRouter.h since this generated code
2151         will be compiled outside of WebCore.framework.
2152
2153         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2154         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2155         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2156         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2157         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2158         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2159         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2160         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2161         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2162         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2163         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2164         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2165         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2166         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2167         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2168         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2169         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2170         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2171         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2172         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2173         Rebaseline code generator tests.
2174
2175 2017-07-24  Mark Lam  <mark.lam@apple.com>
2176
2177         Gardening: fixed C Loop build after r219790.
2178         https://bugs.webkit.org/show_bug.cgi?id=174696
2179
2180         Not reviewed.
2181
2182         * assembler/testmasm.cpp:
2183
2184 2017-07-23  Mark Lam  <mark.lam@apple.com>
2185
2186         Create regression tests for the JIT probe.
2187         https://bugs.webkit.org/show_bug.cgi?id=174696
2188         <rdar://problem/33436922>
2189
2190         Reviewed by Saam Barati.
2191
2192         The new testmasm will test the following:
2193         1. the probe is able to read the value of CPU registers.
2194         2. the probe is able to write the value of CPU registers.
2195         3. the probe is able to preserve all CPU registers.
2196         4. special case of (2): the probe is able to change the value of the stack pointer.
2197         5. special case of (2): the probe is able to change the value of the program counter
2198            i.e. the probe can change where the code continues executing upon returning from
2199            the probe.
2200
2201         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
2202         because it does not support changing the sp and pc yet.  The ARM64 probe
2203         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
2204         later.
2205
2206         * Configurations/ToolExecutable.xcconfig:
2207         * JavaScriptCore.xcodeproj/project.pbxproj:
2208         * assembler/MacroAssembler.h:
2209         (JSC::MacroAssembler::CPUState::pc):
2210         (JSC::MacroAssembler::CPUState::fp):
2211         (JSC::MacroAssembler::CPUState::sp):
2212         (JSC::ProbeContext::pc):
2213         (JSC::ProbeContext::fp):
2214         (JSC::ProbeContext::sp):
2215         * assembler/MacroAssemblerARM64.cpp:
2216         (JSC::arm64ProbeTrampoline):
2217         * assembler/MacroAssemblerPrinter.cpp:
2218         (JSC::Printer::printPCRegister):
2219         * assembler/testmasm.cpp: Added.
2220         (hiddenTruthBecauseNoReturnIsStupid):
2221         (usage):
2222         (JSC::nextID):
2223         (JSC::isPC):
2224         (JSC::isSP):
2225         (JSC::isFP):
2226         (JSC::compile):
2227         (JSC::invoke):
2228         (JSC::compileAndRun):
2229         (JSC::testSimple):
2230         (JSC::testProbeReadsArgumentRegisters):
2231         (JSC::testProbeWritesArgumentRegisters):
2232         (JSC::testFunctionToTrashRegisters):
2233         (JSC::testProbePreservesGPRS):
2234         (JSC::testProbeModifiesStackPointer):
2235         (JSC::testProbeModifiesProgramCounter):
2236         (JSC::run):
2237         (run):
2238         (main):
2239         * b3/air/testair.cpp:
2240         (usage):
2241         * shell/CMakeLists.txt:
2242
2243 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
2244
2245         It should be easy to decide how WebKit yields
2246         https://bugs.webkit.org/show_bug.cgi?id=174298
2247
2248         Reviewed by Saam Barati.
2249         
2250         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
2251
2252         * heap/Heap.cpp:
2253         (JSC::Heap::resumeThePeriphery):
2254         * heap/VisitingTimeout.h:
2255         * runtime/JSCell.cpp:
2256         (JSC::JSCell::lockSlow):
2257         (JSC::JSCell::unlockSlow):
2258         * runtime/JSCell.h:
2259         * runtime/JSCellInlines.h:
2260         (JSC::JSCell::lock):
2261         (JSC::JSCell::unlock):
2262         * runtime/JSLock.cpp:
2263         (JSC::JSLock::grabAllLocks):
2264         * runtime/SamplingProfiler.cpp:
2265
2266 2017-07-21  Mark Lam  <mark.lam@apple.com>
2267
2268         Refactor MASM probe CPUState to use arrays for register storage.
2269         https://bugs.webkit.org/show_bug.cgi?id=174694
2270
2271         Reviewed by Keith Miller.
2272
2273         Using arrays for register storage in CPUState allows us to do away with the
2274         huge switch statements to decode each register id.  We can now simply index into
2275         the arrays.
2276
2277         With this patch, we now:
2278
2279         1. Remove the need for macros for defining the list of CPU registers.
2280            We can go back to simple enums.  This makes the code easier to read.
2281
2282         2. Make the assembler the authority on register names.
2283            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
2284            GPRInfo and FPRInfo now forward to the assembler.
2285
2286         3. Make the assembler the authority on the number of registers of each type.
2287
2288         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
2289            This is inconsistent with how every other CPU architecture implements
2290            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
2291            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
2292
2293         * assembler/ARM64Assembler.h:
2294         (JSC::ARM64Assembler::numberOfRegisters):
2295         (JSC::ARM64Assembler::firstSPRegister):
2296         (JSC::ARM64Assembler::lastSPRegister):
2297         (JSC::ARM64Assembler::numberOfSPRegisters):
2298         (JSC::ARM64Assembler::numberOfFPRegisters):
2299         (JSC::ARM64Assembler::gprName):
2300         (JSC::ARM64Assembler::sprName):
2301         (JSC::ARM64Assembler::fprName):
2302         * assembler/ARMAssembler.h:
2303         (JSC::ARMAssembler::numberOfRegisters):
2304         (JSC::ARMAssembler::firstSPRegister):
2305         (JSC::ARMAssembler::lastSPRegister):
2306         (JSC::ARMAssembler::numberOfSPRegisters):
2307         (JSC::ARMAssembler::numberOfFPRegisters):
2308         (JSC::ARMAssembler::gprName):
2309         (JSC::ARMAssembler::sprName):
2310         (JSC::ARMAssembler::fprName):
2311         * assembler/ARMv7Assembler.h:
2312         (JSC::ARMv7Assembler::lastRegister):
2313         (JSC::ARMv7Assembler::numberOfRegisters):
2314         (JSC::ARMv7Assembler::firstSPRegister):
2315         (JSC::ARMv7Assembler::lastSPRegister):
2316         (JSC::ARMv7Assembler::numberOfSPRegisters):
2317         (JSC::ARMv7Assembler::numberOfFPRegisters):
2318         (JSC::ARMv7Assembler::gprName):
2319         (JSC::ARMv7Assembler::sprName):
2320         (JSC::ARMv7Assembler::fprName):
2321         * assembler/AbstractMacroAssembler.h:
2322         (JSC::AbstractMacroAssembler::numberOfRegisters):
2323         (JSC::AbstractMacroAssembler::gprName):
2324         (JSC::AbstractMacroAssembler::firstSPRegister):
2325         (JSC::AbstractMacroAssembler::lastSPRegister):
2326         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
2327         (JSC::AbstractMacroAssembler::sprName):
2328         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
2329         (JSC::AbstractMacroAssembler::fprName):
2330         * assembler/MIPSAssembler.h:
2331         (JSC::MIPSAssembler::numberOfRegisters):
2332         (JSC::MIPSAssembler::firstSPRegister):
2333         (JSC::MIPSAssembler::lastSPRegister):
2334         (JSC::MIPSAssembler::numberOfSPRegisters):
2335         (JSC::MIPSAssembler::numberOfFPRegisters):
2336         (JSC::MIPSAssembler::gprName):
2337         (JSC::MIPSAssembler::sprName):
2338         (JSC::MIPSAssembler::fprName):
2339         * assembler/MacroAssembler.h:
2340         (JSC::MacroAssembler::CPUState::gprName):
2341         (JSC::MacroAssembler::CPUState::sprName):
2342         (JSC::MacroAssembler::CPUState::fprName):
2343         (JSC::MacroAssembler::CPUState::gpr):
2344         (JSC::MacroAssembler::CPUState::spr):
2345         (JSC::MacroAssembler::CPUState::fpr):
2346         (JSC::MacroAssembler::CPUState::pc):
2347         (JSC::MacroAssembler::CPUState::fp):
2348         (JSC::MacroAssembler::CPUState::sp):
2349         (JSC::ProbeContext::gpr):
2350         (JSC::ProbeContext::spr):
2351         (JSC::ProbeContext::fpr):
2352         (JSC::ProbeContext::gprName):
2353         (JSC::ProbeContext::sprName):
2354         (JSC::ProbeContext::fprName):
2355         (JSC::MacroAssembler::numberOfRegisters): Deleted.
2356         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
2357         * assembler/MacroAssemblerARM.cpp:
2358         * assembler/MacroAssemblerARM64.cpp:
2359         (JSC::arm64ProbeTrampoline):
2360         * assembler/MacroAssemblerARMv7.cpp:
2361         * assembler/MacroAssemblerPrinter.cpp:
2362         (JSC::Printer::nextID):
2363         (JSC::Printer::printAllRegisters):
2364         (JSC::Printer::printPCRegister):
2365         (JSC::Printer::printRegisterID):
2366         (JSC::Printer::printAddress):
2367         * assembler/MacroAssemblerX86Common.cpp:
2368         * assembler/X86Assembler.h:
2369         (JSC::X86Assembler::numberOfRegisters):
2370         (JSC::X86Assembler::firstSPRegister):
2371         (JSC::X86Assembler::lastSPRegister):
2372         (JSC::X86Assembler::numberOfSPRegisters):
2373         (JSC::X86Assembler::numberOfFPRegisters):
2374         (JSC::X86Assembler::gprName):
2375         (JSC::X86Assembler::sprName):
2376         (JSC::X86Assembler::fprName):
2377         * jit/FPRInfo.h:
2378         (JSC::FPRInfo::debugName):
2379         * jit/GPRInfo.h:
2380         (JSC::GPRInfo::debugName):
2381         * jit/RegisterSet.cpp:
2382         (JSC::RegisterSet::reservedHardwareRegisters):
2383
2384 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2385
2386         [JSC] Introduce static symbols
2387         https://bugs.webkit.org/show_bug.cgi?id=158863
2388
2389         Reviewed by Darin Adler.
2390
2391         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
2392         As a result, we can share the same Symbol values between VMs and threads.
2393         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
2394
2395         * CMakeLists.txt:
2396         * JavaScriptCore.xcodeproj/project.pbxproj:
2397         * builtins/BuiltinNames.cpp: Added.
2398         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
2399
2400         * builtins/BuiltinNames.h:
2401         (JSC::BuiltinNames::BuiltinNames):
2402         * builtins/BuiltinUtils.h:
2403
2404 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2405
2406         [FTL] Arguments elimination is suppressed by unreachable blocks
2407         https://bugs.webkit.org/show_bug.cgi?id=174352
2408
2409         Reviewed by Filip Pizlo.
2410
2411         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
2412         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
2413         Since GetById without information can escape arguments if it is specified, non-executed code including
2414         op_get_by_id with arguments can escape arguments.
2415
2416         For example,
2417
2418             function test(flag)
2419             {
2420                 if (flag) {
2421                     // This is not executed, but emits GetById with arguments.
2422                     // It prevents us from eliminating materialization.
2423                     return arguments.length;
2424                 }
2425                 return arguments.length;
2426             }
2427             noInline(test);
2428             while (true)
2429                 test(false);
2430
2431         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
2432         So this GetById exists and escapes arguments.
2433
2434         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
2435         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
2436         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
2437
2438         * dfg/DFGArgumentsEliminationPhase.cpp:
2439         * dfg/DFGNode.h:
2440         (JSC::DFG::Node::isPseudoTerminal):
2441         * dfg/DFGValidate.cpp:
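
        As an added illustration (not code from this patch or from DFGArgumentsEliminationPhase), a small C++ model of the pseudo-terminal check applied to the graph for test(flag) above. The Block/Node types, the op names and the sample graph are the model's own assumptions; in the model only a GetById on the arguments object counts as an escape.

```cpp
#include <cstdio>
#include <vector>

// Constructed model of one function's DFG graph; not JSC's DFG::Node or
// DFG::BasicBlock, only enough shape to show the check.
enum class Op { CreateDirectArguments, GetArrayLength, GetById, ForceOSRExit, Return };

struct Node {
    Op op;
    bool usesArgumentsObject; // operand is the arguments object of this function
};

struct Block {
    std::vector<Node> nodes;
};

// A pseudo-terminal node never lets control reach the rest of its block.
static bool isPseudoTerminal(Op op)
{
    return op == Op::ForceOSRExit;
}

// In this model GetById is the only node that can escape its base (the entry
// notes that a GetById without profiling information may do so).
static bool mayEscapeArguments(const Node& node)
{
    return node.op == Op::GetById && node.usesArgumentsObject;
}

// Scan every block (no CFA has run, so unreachable blocks are scanned too) and
// report whether some node escapes `arguments`. With checkPseudoTerminals set,
// nodes after a pseudo-terminal in the same block are skipped: they never run.
bool argumentsEscape(const std::vector<Block>& graph, bool checkPseudoTerminals)
{
    for (const Block& block : graph) {
        for (const Node& node : block.nodes) {
            if (checkPseudoTerminals && isPseudoTerminal(node.op))
                break; // the rest of this block is dead
            if (mayEscapeArguments(node))
                return true;
        }
    }
    return false;
}

// Whether the phase may drop the materialized arguments object.
bool canEliminateArguments(const std::vector<Block>& graph, bool checkPseudoTerminals)
{
    return !argumentsEscape(graph, checkPseudoTerminals);
}

// Constructed graph for test(flag): the `if (flag)` body never executed, so its
// block starts with ForceOSRExit followed by the unprofiled GetById.
std::vector<Block> sampleGraph()
{
    Block entry { { { Op::CreateDirectArguments, false } } };
    Block deadBranch { { { Op::ForceOSRExit, false }, { Op::GetById, true }, { Op::Return, false } } };
    Block liveBranch { { { Op::GetArrayLength, true }, { Op::Return, false } } };
    return { entry, deadBranch, liveBranch };
}

int main()
{
    std::vector<Block> graph = sampleGraph();
    std::printf("without check: eliminate=%d\n", canEliminateArguments(graph, false)); // 0
    std::printf("with check:    eliminate=%d\n", canEliminateArguments(graph, true));  // 1
    return 0;
}
```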
2442
2443 2017-07-20  Chris Dumez  <cdumez@apple.com>
2444
2445         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
2446         https://bugs.webkit.org/show_bug.cgi?id=174660
2447
2448         Reviewed by Geoffrey Garen.
2449
2450         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2451         This essentially replaces a branch to figure out if the new size is less or greater than the
2452         current size with an assertion.
2453
2454         * b3/B3BasicBlockUtils.h:
2455         (JSC::B3::clearPredecessors):
2456         * b3/B3InferSwitches.cpp:
2457         * b3/B3LowerToAir.cpp:
2458         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2459         * b3/B3ReduceStrength.cpp:
2460         * b3/B3SparseCollection.h:
2461         (JSC::B3::SparseCollection::packIndices):
2462         * b3/B3UseCounts.cpp:
2463         (JSC::B3::UseCounts::UseCounts):
2464         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2465         * b3/air/AirEmitShuffle.cpp:
2466         (JSC::B3::Air::emitShuffle):
2467         * b3/air/AirLowerAfterRegAlloc.cpp:
2468         (JSC::B3::Air::lowerAfterRegAlloc):
2469         * b3/air/AirOptimizeBlockOrder.cpp:
2470         (JSC::B3::Air::optimizeBlockOrder):
2471         * bytecode/Operands.h:
2472         (JSC::Operands::ensureLocals):
2473         * bytecode/PreciseJumpTargets.cpp:
2474         (JSC::computePreciseJumpTargetsInternal):
2475         * dfg/DFGBlockInsertionSet.cpp:
2476         (JSC::DFG::BlockInsertionSet::execute):
2477         * dfg/DFGBlockMapInlines.h:
2478         (JSC::DFG::BlockMap<T>::BlockMap):
2479         * dfg/DFGByteCodeParser.cpp:
2480         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2481         (JSC::DFG::ByteCodeParser::clearCaches):
2482         * dfg/DFGDisassembler.cpp:
2483         (JSC::DFG::Disassembler::Disassembler):
2484         * dfg/DFGFlowIndexing.cpp:
2485         (JSC::DFG::FlowIndexing::recompute):
2486         * dfg/DFGGraph.cpp:
2487         (JSC::DFG::Graph::registerFrozenValues):
2488         * dfg/DFGInPlaceAbstractState.cpp:
2489         (JSC::DFG::setLiveValues):
2490         * dfg/DFGLICMPhase.cpp:
2491         (JSC::DFG::LICMPhase::run):
2492         * dfg/DFGLivenessAnalysisPhase.cpp:
2493         * dfg/DFGNaturalLoops.cpp:
2494         (JSC::DFG::NaturalLoops::NaturalLoops):
2495         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2496         * ftl/FTLLowerDFGToB3.cpp:
2497         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2498         * heap/CodeBlockSet.cpp:
2499         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2500         * heap/MarkedSpace.cpp:
2501         (JSC::MarkedSpace::sweepLargeAllocations):
2502         * inspector/ContentSearchUtilities.cpp:
2503         (Inspector::ContentSearchUtilities::findMagicComment):
2504         * interpreter/ShadowChicken.cpp:
2505         (JSC::ShadowChicken::update):
2506         * parser/ASTBuilder.h:
2507         (JSC::ASTBuilder::shrinkOperandStackBy):
2508         * parser/Lexer.h:
2509         (JSC::Lexer::setOffset):
2510         * runtime/RegExpInlines.h:
2511         (JSC::RegExp::matchInline):
2512         * runtime/RegExpPrototype.cpp:
2513         (JSC::genericSplit):
2514         * yarr/RegularExpression.cpp:
2515         (JSC::Yarr::RegularExpression::match):
2516
2517 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2518
2519         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
2520         https://bugs.webkit.org/show_bug.cgi?id=174678
2521
2522         Reviewed by Mark Lam.
2523
2524         Use Thread& instead.
2525
2526         * runtime/JSLock.cpp:
2527         (JSC::JSLock::didAcquireLock):
2528
2529 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2530
2531         [WTF] Implement WTF::ThreadGroup
2532         https://bugs.webkit.org/show_bug.cgi?id=174081
2533
2534         Reviewed by Mark Lam.
2535
2536         Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup.
2537         And SamplingProfiler and others interact with WTF::Thread directly.
2538
2539         * API/tests/ExecutionTimeLimitTest.cpp:
2540         * heap/MachineStackMarker.cpp:
2541         (JSC::MachineThreads::MachineThreads):
2542         (JSC::captureStack):
2543         (JSC::MachineThreads::tryCopyOtherThreadStack):
2544         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2545         (JSC::MachineThreads::gatherConservativeRoots):
2546         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2547         (JSC::ActiveMachineThreadsManager::add): Deleted.
2548         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2549         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2550         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2551         (JSC::activeMachineThreadsManager): Deleted.
2552         (JSC::MachineThreads::~MachineThreads): Deleted.
2553         (JSC::MachineThreads::addCurrentThread): Deleted.
2554         (): Deleted.
2555         (JSC::MachineThreads::removeThread): Deleted.
2556         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2557         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2558         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2559         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2560         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2561         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2562         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2563         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2564         * heap/MachineStackMarker.h:
2565         (JSC::MachineThreads::addCurrentThread):
2566         (JSC::MachineThreads::getLock):
2567         (JSC::MachineThreads::threads):
2568         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2569         (JSC::MachineThreads::MachineThread::resume): Deleted.
2570         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2571         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2572         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2573         (JSC::MachineThreads::threadsListHead): Deleted.
2574         * runtime/SamplingProfiler.cpp:
2575         (JSC::FrameWalker::isValidFramePointer):
2576         (JSC::SamplingProfiler::SamplingProfiler):
2577         (JSC::SamplingProfiler::takeSample):
2578         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2579         * runtime/SamplingProfiler.h:
2580         * wasm/WasmMachineThreads.cpp:
2581         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2582
2583 2017-07-18  Andy Estes  <aestes@apple.com>
2584
2585         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
2586         https://bugs.webkit.org/show_bug.cgi?id=174631
2587
2588         Reviewed by Tim Horton.
2589
2590         * Configurations/Base.xcconfig:
2591         * b3/B3FoldPathConstants.cpp:
2592         * b3/B3LowerMacros.cpp:
2593         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2594         * dfg/DFGByteCodeParser.cpp:
2595         (JSC::DFG::ByteCodeParser::check):
2596         (JSC::DFG::ByteCodeParser::planLoad):
2597
2598 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2599
2600         WTF::Thread should have the thread's stack bounds.
2601         https://bugs.webkit.org/show_bug.cgi?id=173975
2602
2603         Reviewed by Mark Lam.
2604
2605         There is a site in JSC that tries to walk another thread's stack.
2606         Currently, stack bounds are stored in WTFThreadData which is located
2607         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2608         We workaround this situation by holding StackBounds in MachineThread in JSC,
2609         but StackBounds should be put in WTF::Thread instead.
2610
2611         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
2612         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
2613
2614         * heap/MachineStackMarker.cpp:
2615         (JSC::MachineThreads::MachineThread::MachineThread):
2616         (JSC::MachineThreads::MachineThread::captureStack):
2617         * heap/MachineStackMarker.h:
2618         (JSC::MachineThreads::MachineThread::stackBase):
2619         (JSC::MachineThreads::MachineThread::stackEnd):
2620         * runtime/VMTraps.cpp:
2621
2622 2017-07-18  Andy Estes  <aestes@apple.com>
2623
2624         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
2625         https://bugs.webkit.org/show_bug.cgi?id=174631
2626
2627         Reviewed by Sam Weinig.
2628
2629         * Configurations/Base.xcconfig:
2630
2631 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2632
2633         Web Inspector: Modernize InjectedScriptSource
2634         https://bugs.webkit.org/show_bug.cgi?id=173890
2635
2636         Reviewed by Brian Burg.
2637
2638         * inspector/InjectedScript.h:
2639         Reorder functions to be slightly better.
2640
2641         * inspector/InjectedScriptSource.js:
2642         - Convert to classes named InjectedScript and RemoteObject
2643         - Align InjectedScript's API with the wrapper C++ interfaces
2644         - Move some code to RemoteObject where appropriate (subtype, describe)
2645         - Move some code to helper functions (isPrimitiveValue, isDefined)
2646         - Refactor for readability and modern features
2647         - Remove some unused / unnecessary code
2648
2649 2017-07-18  Mark Lam  <mark.lam@apple.com>
2650
2651         Butterfly storage need not be initialized for indexing type Undecided.
2652         https://bugs.webkit.org/show_bug.cgi?id=174516
2653
2654         Reviewed by Saam Barati.
2655
2656         While it's not incorrect to initialize the butterfly storage when the
2657         indexingType is Undecided, it is inefficient as we'll end up initializing
2658         it again later when we convert the storage to a different indexingType.
2659         Some of our code already skips initializing Undecided butterflies.
2660         This patch makes it the consistent behavior everywhere.
2661
2662         * dfg/DFGSpeculativeJIT.cpp:
2663         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2664         * runtime/JSArray.cpp:
2665         (JSC::JSArray::tryCreateUninitializedRestricted):
2666         * runtime/JSArray.h:
2667         (JSC::JSArray::tryCreate):
2668         * runtime/JSObject.cpp:
2669         (JSC::JSObject::ensureLengthSlow):
2670
2671 2017-07-18  Saam Barati  <sbarati@apple.com>
2672
2673         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2674         https://bugs.webkit.org/show_bug.cgi?id=174515
2675         <rdar://problem/33358092>
2676
2677         Reviewed by Filip Pizlo.
2678
2679         AirLowerAfterRegAlloc was computing the set of available scratch
2680         registers incorrectly. It was always excluding callee save registers
2681         from the set of live registers. It did not guarantee that live callee save
2682         registers were not in the set of scratch registers that could
2683         get clobbered. That's incorrect as the shuffling code is free
2684         to overwrite whatever is in the scratch register it gets passed.
2685
2686         * b3/air/AirLowerAfterRegAlloc.cpp:
2687         (JSC::B3::Air::lowerAfterRegAlloc):
2688         * b3/testb3.cpp:
2689         (JSC::B3::functionNineArgs):
2690         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2691         (JSC::B3::run):
2692         * jit/RegisterSet.h:
2693
2694 2017-07-18  Andy Estes  <aestes@apple.com>
2695
2696         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2697         https://bugs.webkit.org/show_bug.cgi?id=174631
2698
2699         Reviewed by Dan Bernstein.
2700
2701         * Configurations/Base.xcconfig:
2702
2703 2017-07-18  Devin Rousso  <drousso@apple.com>
2704
2705         Web Inspector: Add memoryCost to Inspector Protocol objects
2706         https://bugs.webkit.org/show_bug.cgi?id=174478
2707
2708         Reviewed by Joseph Pecoraro.
2709
2710         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
2711         plus the memoryCost of the data if it is a string.
2712
2713         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2714
2715         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2716         key plus the memoryCost of the InspectorValue for each entry.
2717
2718         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2719
2720         * inspector/InspectorValues.h:
2721         * inspector/InspectorValues.cpp:
2722         (Inspector::InspectorValue::memoryCost):
2723         (Inspector::InspectorObjectBase::memoryCost):
2724         (Inspector::InspectorArrayBase::memoryCost):
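
        An added example, not JSC's InspectorValue code: a small C++ value tree applying the three memoryCost rules above. The Value type, the one-byte-per-character cost for string data and the sample object are assumptions of this model.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Constructed model of the memoryCost rule described above; this is not
// JSC's InspectorValue, only a small value tree shaped like one.
struct Value {
    enum class Type { Null, Boolean, Number, String, Array, Object };
    Type type = Type::Null;
    bool boolean = false;
    double number = 0;
    std::string string;                                                  // Type::String
    std::vector<std::unique_ptr<Value>> items;                           // Type::Array
    std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries; // Type::Object
};

// Assumed cost of string data: one byte per character (the model's choice;
// WTF::String accounts for its own storage differently).
static size_t stringDataCost(const std::string& s)
{
    return s.size();
}

size_t memoryCost(const Value& value)
{
    switch (value.type) {
    case Value::Type::Array: {
        // Array: sum of the memoryCost of all items.
        size_t total = 0;
        for (const auto& item : value.items)
            total += memoryCost(*item);
        return total;
    }
    case Value::Type::Object: {
        // Object: for each entry, cost of the key string plus cost of the value.
        size_t total = 0;
        for (const auto& entry : value.entries)
            total += stringDataCost(entry.first) + memoryCost(*entry.second);
        return total;
    }
    case Value::Type::String:
        // String scalar: sizeof the object plus the string data.
        return sizeof(Value) + stringDataCost(value.string);
    default:
        // Null, Boolean, Number: just sizeof the object.
        return sizeof(Value);
    }
}

// Builders for the constructed sample below.
static std::unique_ptr<Value> makeValue(Value::Type type)
{
    std::unique_ptr<Value> v(new Value);
    v->type = type;
    return v;
}
static std::unique_ptr<Value> makeString(const std::string& s)
{
    auto v = makeValue(Value::Type::String);
    v->string = s;
    return v;
}
static std::unique_ptr<Value> makeNumber(double n)
{
    auto v = makeValue(Value::Type::Number);
    v->number = n;
    return v;
}
static std::unique_ptr<Value> makeBoolean(bool b)
{
    auto v = makeValue(Value::Type::Boolean);
    v->boolean = b;
    return v;
}

// Constructed sample: { "id": "abc", "flags": [1, true] }
std::unique_ptr<Value> sampleValue()
{
    auto flags = makeValue(Value::Type::Array);
    flags->items.push_back(makeNumber(1));
    flags->items.push_back(makeBoolean(true));

    auto object = makeValue(Value::Type::Object);
    object->entries.emplace_back("id", makeString("abc"));
    object->entries.emplace_back("flags", std::move(flags));
    return object;
}

// Expected: key "id" (2) + string "abc" (sizeof(Value) + 3) + key "flags" (5)
// + array items (2 * sizeof(Value)) = 3 * sizeof(Value) + 10.
size_t sampleMemoryCost()
{
    return memoryCost(*sampleValue());
}

int main()
{
    std::printf("sizeof(Value) = %zu, memoryCost(sample) = %zu\n", sizeof(Value), sampleMemoryCost());
    return 0;
}
```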
2725
2726 2017-07-18  Andy Estes  <aestes@apple.com>
2727
2728         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2729         https://bugs.webkit.org/show_bug.cgi?id=174631
2730
2731         Reviewed by Darin Adler.
2732
2733         * Configurations/Base.xcconfig:
2734
2735 2017-07-18  Michael Saboff  <msaboff@apple.com>
2736
2737         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2738         https://bugs.webkit.org/show_bug.cgi?id=174601
2739
2740         Reviewed by Alex Christensen.
2741
2742         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2743         objects after a regular expression has been compiled.
2744
2745         * runtime/Options.h:
2746         * yarr/YarrPattern.cpp:
2747         (JSC::Yarr::YarrPattern::compile):
2748         (JSC::Yarr::indentForNestingLevel):
2749         (JSC::Yarr::dumpUChar32):
2750         (JSC::Yarr::PatternAlternative::dump):
2751         (JSC::Yarr::PatternTerm::dumpQuantifier):
2752         (JSC::Yarr::PatternTerm::dump):
2753         (JSC::Yarr::PatternDisjunction::dump):
2754         (JSC::Yarr::YarrPattern::dumpPattern):
2755         * yarr/YarrPattern.h:
2756         (JSC::Yarr::YarrPattern::global):
2757
2758 2017-07-17  Darin Adler  <darin@apple.com>
2759
2760         Improve use of NeverDestroyed
2761         https://bugs.webkit.org/show_bug.cgi?id=174348
2762
2763         Reviewed by Sam Weinig.
2764
2765         * heap/MachineStackMarker.cpp:
2766         * wasm/WasmMemory.cpp:
2767         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2768         of NeverDestroyed.
2769
2770 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2771
2772         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2773         https://bugs.webkit.org/show_bug.cgi?id=174547
2774
2775         Reviewed by Alex Christensen.
2776
2777         * CMakeLists.txt:
2778         * shell/CMakeLists.txt:
2779
2780 2017-07-17  Saam Barati  <sbarati@apple.com>
2781
2782         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2783         https://bugs.webkit.org/show_bug.cgi?id=174584
2784
2785         Rubber stamped by Keith Miller.
2786
2787         I used it to diagnose a bug. The bug is now fixed. This custom
2788         RELEASE_ASSERT is no longer needed.
2789
2790         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2791
2792 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2793
2794         -Wformat-truncation warning in ConfigFile.cpp
2795         https://bugs.webkit.org/show_bug.cgi?id=174506
2796
2797         Reviewed by Darin Adler.
2798
2799         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2800         return ParseError.
2801
2802         * runtime/ConfigFile.cpp:
2803         (JSC::ConfigFile::parse):
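The truncation check described above, as an added example that is not JSC's ConfigFile code. `buildConfigPath`, `ParseResult`, `kConfigPathMax` and `configPathOrEmpty` are hypothetical names; the point is that snprintf reports the length the full string would have needed, so comparing that against the buffer size detects a silently cut-off path before it is used.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

// Added example, not JSC's ConfigFile::parse. Builds "<directory>/<name>" into a
// fixed-size buffer (as a PATH_MAX-sized config-file path would be) and refuses to
// go on if snprintf reports truncation. snprintf returns the length the complete
// string would have had, so a result >= bufferSize means the buffer holds a
// silently cut-off path, which is the condition -Wformat-truncation warns about.
enum class ParseResult { Ok, ParseError };

static ParseResult buildConfigPath(const char* directory, const char* name,
                                   char* buffer, size_t bufferSize)
{
    int needed = std::snprintf(buffer, bufferSize, "%s/%s", directory, name);
    if (needed < 0)
        return ParseResult::ParseError; // encoding failure
    if (static_cast<size_t>(needed) >= bufferSize) {
        // Truncated: opening a path that is not the one configured is exactly
        // what must not happen, so fail closed rather than use the partial name.
        if (bufferSize)
            buffer[0] = '\0';
        return ParseResult::ParseError;
    }
    return ParseResult::Ok;
}

// Hypothetical limit standing in for the platform's PATH_MAX.
static const size_t kConfigPathMax = 4096;

// Convenience wrapper for callers and tests: the path on success, empty on error.
// `limit` lets a test simulate a small PATH_MAX.
static std::string configPathOrEmpty(const char* directory, const char* name,
                                     size_t limit = kConfigPathMax)
{
    char buffer[kConfigPathMax];
    if (limit > sizeof(buffer))
        limit = sizeof(buffer);
    if (buildConfigPath(directory, name, buffer, limit) != ParseResult::Ok)
        return std::string();
    return std::string(buffer);
}
```

Note the `>=` rather than `>`: a result equal to the buffer size means the terminating NUL did not fit, and the path is still truncated.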
2804
2805 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2806
2807         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2808         https://bugs.webkit.org/show_bug.cgi?id=174557
2809
2810         Reviewed by Michael Catanzaro.
2811
2812         * CMakeLists.txt:
2813
2814 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2815
2816         [WTF] Use std::unique_ptr for StackTrace
2817         https://bugs.webkit.org/show_bug.cgi?id=174495
2818
2819         Reviewed by Alex Christensen.
2820
2821         * runtime/ExceptionScope.cpp:
2822         (JSC::ExceptionScope::unexpectedExceptionMessage):
2823         * runtime/VM.cpp:
2824         (JSC::VM::throwException):
2825
2826 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2827
2828         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2829         https://bugs.webkit.org/show_bug.cgi?id=174423
2830
2831         Reviewed by Saam Barati.
2832
2833         * dfg/DFGAvailabilityMap.cpp:
2834         (JSC::DFG::AvailabilityMap::pruneHeap):
2835         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2836
2837 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2838
2839         Fix compiler warnings when building with GCC 7
2840         https://bugs.webkit.org/show_bug.cgi?id=174463
2841
2842         Reviewed by Darin Adler.
2843
2844         * disassembler/udis86/udis86_decode.c:
2845         (decode_operand):
2846
2847 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2848
2849         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2850         https://bugs.webkit.org/show_bug.cgi?id=174467
2851
2852         Reviewed by Saam Barati.
2853
2854         * bytecode/CallLinkInfo.cpp:
2855         (JSC::CallLinkInfo::callTypeFor):
2856
2857 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2858
2859         Web Inspector: Remove unused and untested Page domain commands
2860         https://bugs.webkit.org/show_bug.cgi?id=174429
2861
2862         Reviewed by Timothy Hatcher.
2863
2864         * inspector/protocol/Page.json:
2865
2866 2017-07-13  Saam Barati  <sbarati@apple.com>
2867
2868         Missing exception check in JSObject::hasInstance
2869         https://bugs.webkit.org/show_bug.cgi?id=174455
2870         <rdar://problem/31384608>
2871
2872         Reviewed by Mark Lam.
2873
2874         * runtime/JSObject.cpp:
2875         (JSC::JSObject::hasInstance):
2876
2877 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2878
2879         [ESnext] Implement Object Spread
2880         https://bugs.webkit.org/show_bug.cgi?id=167963
2881
2882         Reviewed by Saam Barati.
2883
2884         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
2885         It's implemented using CopyDataPropertiesNoExclusions to copy
2886         all enumerable keys from the object being spread. The implementation of
2887         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2888         implementation, however we don't receive excludedNames as a parameter.
2889
2890         [1] - https://github.com/tc39/proposal-object-rest-spread
2891
2892         * builtins/GlobalOperations.js:
2893         (globalPrivate.copyDataPropertiesNoExclusions):
2894         * bytecompiler/BytecodeGenerator.cpp:
2895         (JSC::BytecodeGenerator::emitLoad):
2896         * bytecompiler/NodesCodegen.cpp:
2897         (JSC::PropertyListNode::emitBytecode):
2898         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2899         * parser/ASTBuilder.h:
2900         (JSC::ASTBuilder::createObjectSpreadExpression):
2901         (JSC::ASTBuilder::createProperty):
2902         * parser/NodeConstructors.h:
2903         (JSC::PropertyNode::PropertyNode):
2904         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2905         * parser/Nodes.h:
2906         (JSC::ObjectSpreadExpressionNode::expression):
2907         * parser/Parser.cpp:
2908         (JSC::Parser<LexerType>::parseProperty):
2909         * parser/SyntaxChecker.h:
2910         (JSC::SyntaxChecker::createObjectSpreadExpression):
2911         (JSC::SyntaxChecker::createProperty):
2912
2913 2017-07-12  Mark Lam  <mark.lam@apple.com>
2914
2915         Gardening: build fix after r219434.
2916         https://bugs.webkit.org/show_bug.cgi?id=174441
2917
2918         Not reviewed.
2919
2920         Make public some MacroAssembler functions that are needed by the probe implementation.
2921
2922         * assembler/MacroAssemblerARM.h:
2923         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2924         * assembler/MacroAssemblerARMv7.h:
2925         (JSC::MacroAssemblerARMv7::linkCall):
2926
2927 2017-07-12  Mark Lam  <mark.lam@apple.com>
2928
2929         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2930         https://bugs.webkit.org/show_bug.cgi?id=174441
2931
2932         Reviewed by Saam Barati.
2933
2934         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2935         to MacroAssembler.  There is no code behavior change.
2936
2937         * assembler/AbstractMacroAssembler.h:
2938         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2939         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2940         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2941         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2942         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2943         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2944         * assembler/MacroAssembler.h:
2945         (JSC::MacroAssembler::CPUState::gprName):
2946         (JSC::MacroAssembler::CPUState::fprName):
2947         (JSC::MacroAssembler::CPUState::gpr):
2948         (JSC::MacroAssembler::CPUState::fpr):
2949         * assembler/MacroAssemblerARM.cpp:
2950         (JSC::MacroAssembler::probe):
2951         (JSC::MacroAssemblerARM::probe): Deleted.
2952         * assembler/MacroAssemblerARM.h:
2953         * assembler/MacroAssemblerARM64.cpp:
2954         (JSC::MacroAssembler::probe):
2955         (JSC::MacroAssemblerARM64::probe): Deleted.
2956         * assembler/MacroAssemblerARM64.h:
2957         * assembler/MacroAssemblerARMv7.cpp:
2958         (JSC::MacroAssembler::probe):
2959         (JSC::MacroAssemblerARMv7::probe): Deleted.
2960         * assembler/MacroAssemblerARMv7.h:
2961         * assembler/MacroAssemblerMIPS.h:
2962         * assembler/MacroAssemblerX86Common.cpp:
2963         (JSC::MacroAssembler::probe):
2964         (JSC::MacroAssemblerX86Common::probe): Deleted.
2965         * assembler/MacroAssemblerX86Common.h:
2966
2967 2017-07-12  Saam Barati  <sbarati@apple.com>
2968
2969         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2970         https://bugs.webkit.org/show_bug.cgi?id=174411
2971         <rdar://problem/31696186>
2972
2973         Reviewed by Mark Lam.
2974
2975         The code for deleting an argument was incorrectly referencing state
2976         when it decided if it should unmap or mark a property as having its
2977         descriptor modified. This patch fixes the bug where if we delete a
2978         property, we would sometimes not unmap an argument when deleting it.
2979
2980         * runtime/GenericArgumentsInlines.h:
2981         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2982         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2983         (JSC::GenericArguments<Type>::deleteProperty):
2984         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2985
2986 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2987
2988         Unreviewed, rolling out r219176.
2989         https://bugs.webkit.org/show_bug.cgi?id=174436
2990
2991         "Can cause infinite recursion on iOS" (Requested by mlam on
2992         #webkit).
2993
2994         Reverted changeset:
2995
2996         "WTF::Thread should have the threads stack bounds."
2997         https://bugs.webkit.org/show_bug.cgi?id=173975
2998         http://trac.webkit.org/changeset/219176
2999
3000 2017-07-12  Matt Lewis  <jlewis3@apple.com>
3001
3002         Unreviewed, rolling out r219401.
3003
3004         This revision rolled out the previous patch, but after talking
3005         with the reviewer, a rebaseline is what was needed. Rolling back in
3006         before rebaseline.
3007
3008         Reverted changeset:
3009
3010         "Unreviewed, rolling out r219379."
3011         https://bugs.webkit.org/show_bug.cgi?id=174400
3012         http://trac.webkit.org/changeset/219401
3013
3014 2017-07-12  Matt Lewis  <jlewis3@apple.com>
3015
3016         Unreviewed, rolling out r219379.
3017
3018         This revision caused a consistent failure in the test
3019         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
3021
3022         Reverted changeset:
3023
3024         "Remove NAVIGATOR_HWCONCURRENCY"
3025         https://bugs.webkit.org/show_bug.cgi?id=174400
3026         http://trac.webkit.org/changeset/219379
3027
3028 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
3029
3030         Wrong radix used in Unicode Escape in invalid character error message
3031         https://bugs.webkit.org/show_bug.cgi?id=174419
3032
3033         Reviewed by Alex Christensen.
3034
3035         * parser/Lexer.cpp:
3036         (JSC::Lexer<T>::invalidCharacterMessage):
3037
3038 2017-07-11  Dean Jackson  <dino@apple.com>
3039
3040         Remove NAVIGATOR_HWCONCURRENCY
3041         https://bugs.webkit.org/show_bug.cgi?id=174400
3042
3043         Reviewed by Sam Weinig.
3044
3045         * Configurations/FeatureDefines.xcconfig:
3046
3047 2017-07-11  Dean Jackson  <dino@apple.com>
3048
3049         Rolling out r219372.
3050
3051         * Configurations/FeatureDefines.xcconfig:
3052
3053 2017-07-11  Dean Jackson  <dino@apple.com>
3054
3055         Remove NAVIGATOR_HWCONCURRENCY
3056         https://bugs.webkit.org/show_bug.cgi?id=174400
3057
3058         Reviewed by Sam Weinig.
3059
3060         * Configurations/FeatureDefines.xcconfig:
3061
3062 2017-07-11  Saam Barati  <sbarati@apple.com>
3063
3064         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
3065         https://bugs.webkit.org/show_bug.cgi?id=174397
3066
3067         Rubber stamped by David Kilzer.
3068
3069         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
3070         * wasm/js/WebAssemblyFunctionCell.h: Removed.
3071
3072 2017-07-10  Saam Barati  <sbarati@apple.com>
3073
3074         Allocation sinking phase should consider a CheckStructure that would fail as an escape
3075         https://bugs.webkit.org/show_bug.cgi?id=174321
3076         <rdar://problem/32604963>
3077
3078         Reviewed by Filip Pizlo.
3079
3080         When the allocation sinking phase was generating stores to materialize
3081         objects in a cycle with each other, it would assume that each materialized
3082         object had a valid, non-empty set of structures. This is an OK assumption for
3083         the phase to make because how do you materialize an object with no structure?
3084         
3085         The abstract interpretation part of the phase will model what's in the heap.
3086         However, it would sometimes model that a CheckStructure would fail. The phase
3087         did nothing special for this; it just stored the empty set of structures for
3088         its representation of a particular allocation. However, what the phase proved
3089         in such a scenario is that, had the CheckStructure executed, it would have exited.
3090         
3091         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
3092         This will cause the allocation in question to be materialized just before
3093         the CheckStructure, and then at execution time, the CheckStructure will exit.
3094         
3095         I wasn't able to write a test case for this. However, I was able to reproduce
3096         this crash by manually editing the IR. I've opened a separate bug to help us
3097         create a testing framework for writing tests for hard to reproduce bugs like this:
3098         https://bugs.webkit.org/show_bug.cgi?id=174322
3099
3100         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3101
3102 2017-07-10  Devin Rousso  <drousso@apple.com>
3103
3104         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
3105         https://bugs.webkit.org/show_bug.cgi?id=174279
3106
3107         Reviewed by Matt Baker.
3108
3109         * inspector/protocol/DOM.json:
3110         Add `highlightNodeList` command that will highlight each node in the given list.
3111
3112 2017-07-03  Brian Burg  <bburg@apple.com>
3113
3114         Web Replay: remove some unused code
3115         https://bugs.webkit.org/show_bug.cgi?id=173903
3116
3117         Rubber-stamped by Joseph Pecoraro.
3118
3119         * CMakeLists.txt:
3120         * Configurations/FeatureDefines.xcconfig:
3121         * DerivedSources.make:
3122         * JavaScriptCore.xcodeproj/project.pbxproj:
3123         * inspector/protocol/Replay.json: Removed.
3124         * replay/EmptyInputCursor.h: Removed.
3125         * replay/EncodedValue.cpp: Removed.
3126         * replay/EncodedValue.h: Removed.
3127         * replay/InputCursor.h: Removed.
3128         * replay/JSInputs.json: Removed.
3129         * replay/NondeterministicInput.h: Removed.
3130         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
3131         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
3132         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
3133         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
3134         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
3135         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
3136         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
3137         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
3138         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
3139         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
3140         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
3141         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
3142         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
3143         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
3144         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
3145         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
3146         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
3147         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
3148         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
3149         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
3150         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
3151         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
3152         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
3153         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
3154         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
3155         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
3156         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
3157         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
3158         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
3159         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
3160         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
3161         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
3162         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
3163         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
3164         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
3165         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
3166         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
3167         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
3168         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
3169         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
3170         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
3171         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
3172         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
3173         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
3174         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
3175         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
3176         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
3177         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
3178         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
3179         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
3180         * replay/scripts/tests/generate-input-with-guard.json: Removed.
3181         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
3182         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
3183         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
3184         * runtime/DateConstructor.cpp:
3185         (JSC::constructDate):
3186         (JSC::dateNow):
3187         (JSC::deterministicCurrentTime): Deleted.
3188         * runtime/JSGlobalObject.cpp:
3189         (JSC::JSGlobalObject::JSGlobalObject):
3190         (JSC::JSGlobalObject::setInputCursor): Deleted.
3191         * runtime/JSGlobalObject.h:
3192         (JSC::JSGlobalObject::inputCursor): Deleted.
3193
3194 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
3195
3196         Move make-js-file-arrays.py from WebCore to JavaScriptCore
3197         https://bugs.webkit.org/show_bug.cgi?id=174024
3198
3199         Reviewed by Michael Catanzaro.
3200
3201         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
3202         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
3203         Added a command line option to pass the namespace to use instead of using WebCore.
3204
3205         * JavaScriptCore.xcodeproj/project.pbxproj:
3206         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
3207         (main):
3208
3209 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
3212         https://bugs.webkit.org/show_bug.cgi?id=174296
3213
3214         Reviewed by Mark Lam.
3215
3216         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
3217         It caused a problem in scanning template literals. While template literals normalize
3218         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
3219         To handle it correctly, LineNumberAdder was introduced.
3220
3221         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
3222         LineNumberAdder. Let's just use shiftLineTerminator() instead.
3223
3224         * parser/Lexer.cpp:
3225         (JSC::Lexer<T>::parseTemplateLiteral):
3226         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
3227         (JSC::LineNumberAdder::clear): Deleted.
3228         (JSC::LineNumberAdder::add): Deleted.
3229
3230 2017-07-09  Dan Bernstein  <mitz@apple.com>
3231
3232         [Xcode] ICU headers aren’t treated as system headers after r219155
3233         https://bugs.webkit.org/show_bug.cgi?id=174299
3234
3235         Reviewed by Sam Weinig.
3236
3237         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
3238           C++ compilers.
3239
3240         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
3241         * runtime/IntlDateTimeFormat.cpp: Ditto.
3242         * runtime/JSGlobalObject.cpp: Ditto.
3243         * runtime/StringPrototype.cpp: Ditto.
3244
3245 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3246
3247         [JSC] Use fastMalloc / fastFree for STL containers
3248         https://bugs.webkit.org/show_bug.cgi?id=174297
3249
3250         Reviewed by Sam Weinig.
3251
3252         In some places, we intentionally use STL containers over WTF containers.
3253         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
3254         because we do not have effective empty / deleted representations in the space of the key's values.
3255         But just using STL containers means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
3256
3257         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
3258         We specify this allocator as the STL containers' allocator template parameter to allocate memory from fastMalloc.
3259
3260         This WTF::FastAllocator gives us a chance to use STL containers where necessary
3261         without compromising memory allocation throughput.
3262
3263         * dfg/DFGGraph.h:
3264         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3265         * ftl/FTLLowerDFGToB3.cpp:
3266         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3267         * runtime/FunctionHasExecutedCache.h:
3268         * runtime/TypeLocationCache.h:
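What such an allocator looks like, as an added example rather than WTF's own FastAllocator. `fastMallocCounted` and `fastFreeCounted` are hypothetical stand-ins for fastMalloc/fastFree that count their calls, so that a test can prove the STL container is really routing every allocation through them instead of libc malloc.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <functional>
#include <new>
#include <unordered_map>
#include <unordered_set>

// Added example, not WTF's FastAllocator. fastMallocCounted/fastFreeCounted are
// hypothetical stand-ins for WTF::fastMalloc/fastFree; they count calls so the
// routing of STL allocations through them is observable.
static size_t g_fastMallocCalls = 0;
static size_t g_fastFreeCalls = 0;

static void* fastMallocCounted(size_t size)
{
    ++g_fastMallocCalls;
    void* p = std::malloc(size);
    if (!p)
        throw std::bad_alloc();
    return p;
}

static void fastFreeCounted(void* p)
{
    ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++11 allocator. std::allocator_traits derives everything else
// (pointer types, construct/destroy, rebind to the container's node type) from
// these members, which is why a converting constructor from FastAllocator<U> is needed.
template<typename T>
struct FastAllocator {
    using value_type = T;
    FastAllocator() = default;
    template<typename U> FastAllocator(const FastAllocator<U>&) noexcept { }

    T* allocate(size_t n)
    {
        if (n > SIZE_MAX / sizeof(T))
            throw std::bad_alloc(); // overflow guard before the multiplication
        return static_cast<T*>(fastMallocCounted(n * sizeof(T)));
    }
    void deallocate(T* p, size_t) noexcept { fastFreeCounted(p); }
};
template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) { return false; }

// The allocator is the last template parameter of the STL hash containers.
template<typename Key>
using FastUnorderedSet = std::unordered_set<Key, std::hash<Key>, std::equal_to<Key>, FastAllocator<Key>>;
template<typename Key, typename Value>
using FastUnorderedMap = std::unordered_map<Key, Value, std::hash<Key>, std::equal_to<Key>,
                                            FastAllocator<std::pair<const Key, Value>>>;

// Fills and destroys a set of `count` integers and returns how many fastMalloc
// calls that took; a nonzero result proves the container is not using libc malloc directly.
static size_t fastMallocCallsForSet(int count)
{
    size_t before = g_fastMallocCalls;
    {
        FastUnorderedSet<int> set;
        for (int i = 0; i < count; ++i)
            set.insert(i);
        FastUnorderedMap<int, int> map;
        map[count] = count;
    }
    return g_fastMallocCalls - before;
}

// True when every fastMalloc has been paired with a fastFree.
static bool allocationsBalanced() { return g_fastMallocCalls == g_fastFreeCalls; }
```

Because the allocator is stateless, `operator==` returns true unconditionally, which lets containers of the same type swap and move storage between each other without copying.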
3269
3270 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3271
3272         Drop NOSNIFF compile flag
3273         https://bugs.webkit.org/show_bug.cgi?id=174289
3274
3275         Reviewed by Michael Catanzaro.
3276
3277         * Configurations/FeatureDefines.xcconfig:
3278
3279 2017-07-07  AJ Ringer  <aringer@apple.com>
3280
3281         Lower the max_protection for the separated heap
3282         https://bugs.webkit.org/show_bug.cgi?id=174281
3283
3284         Reviewed by Oliver Hunt.
3285
3286         Switch to vm_protect so we can set maximum page protection.
3287
3288         * jit/ExecutableAllocator.cpp:
3289         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3290         (JSC::ExecutableAllocator::allocate):
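The protection sequence this entry describes, as an added example that is not JSC's FixedVMPoolExecutableAllocator. The names `CodeRegion`, `reserveWritableCodeRegion`, `sealExecutable`, `canBecomeWritableAgain` and `writeSealAndVerify` are hypothetical. On Darwin the seal uses vm_protect with set_maximum = TRUE so that the region's maximum protection no longer includes write; on other POSIX systems only mprotect is available, so the current protection changes but nothing stops a later call from restoring write access.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstring>
#include <sys/mman.h>
#if defined(__APPLE__)
#include <mach/mach.h>
#endif

// Added example, not JSC's executable allocator. Reserves a region for generated
// code, fills it while writable, then seals it read+execute. On Darwin the seal
// also lowers the Mach *maximum* protection, so no later mprotect/vm_protect call
// (for instance one reached through a hijacked function pointer) can turn the
// region back into RWX. Elsewhere there is no maximum to lower.
struct CodeRegion {
    void* base = nullptr;
    size_t size = 0;
};

static CodeRegion reserveWritableCodeRegion(size_t size)
{
    CodeRegion region;
    void* p = mmap(nullptr, size, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return region;
    region.base = p;
    region.size = size;
    return region;
}

// Returns true on success. Afterwards the pages are RX and, on Darwin, cannot be
// made writable again for the lifetime of the mapping.
static bool sealExecutable(const CodeRegion& region)
{
#if defined(__APPLE__)
    vm_address_t address = reinterpret_cast<vm_address_t>(region.base);
    // Lower the maximum first; Mach clips the current protection to the new maximum,
    // then set the current protection explicitly to RX.
    if (vm_protect(mach_task_self(), address, region.size, TRUE, VM_PROT_READ | VM_PROT_EXECUTE) != KERN_SUCCESS)
        return false;
    return vm_protect(mach_task_self(), address, region.size, FALSE, VM_PROT_READ | VM_PROT_EXECUTE) == KERN_SUCCESS;
#else
    return mprotect(region.base, region.size, PROT_READ | PROT_EXEC) == 0;
#endif
}

// What an attacker holding an mprotect primitive would try. Returns true if the
// kernel let the region become writable again: expected false on Darwin once the
// maximum protection has been lowered, true on Linux, which has no such maximum.
static bool canBecomeWritableAgain(const CodeRegion& region)
{
    return mprotect(region.base, region.size, PROT_READ | PROT_WRITE | PROT_EXEC) == 0;
}

// Writes a constructed filler byte (0xCC, int3 on x86, used here only as a marker),
// seals the region, and checks the bytes are still readable through the RX mapping.
static bool writeSealAndVerify(size_t size)
{
    CodeRegion region = reserveWritableCodeRegion(size);
    if (!region.base)
        return false;
    std::memset(region.base, 0xCC, size);
    bool ok = sealExecutable(region);
    const unsigned char* bytes = static_cast<const unsigned char*>(region.base);
    for (size_t i = 0; ok && i < size; ++i)
        ok = bytes[i] == 0xCC;
    munmap(region.base, region.size);
    return ok;
}
```

`canBecomeWritableAgain` is the check worth running on the target platform: its result is the difference between merely being W^X right now and being unable to stop being W^X, which is what lowering max_protection buys.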
3291
3292 2017-07-07  Devin Rousso  <drousso@apple.com>
3293
3294         Web Inspector: Show all elements currently using a given CSS Canvas
3295         https://bugs.webkit.org/show_bug.cgi?id=173965
3296
3297         Reviewed by Joseph Pecoraro.
3298
3299         * inspector/protocol/Canvas.json:
3300          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
3301            canvas via -webkit-canvas.
3302          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
3303            added to or removed from the list of -webkit-canvas clients.
3304
3305 2017-07-07  Mark Lam  <mark.lam@apple.com>
3306
3307         \n\r is not the same as \r\n.
3308         https://bugs.webkit.org/show_bug.cgi?id=173053
3309
3310         Reviewed by Keith Miller.
3311
3312         * parser/Lexer.cpp:
3313         (JSC::Lexer<T>::shiftLineTerminator):
3314         (JSC::LineNumberAdder::add):
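The rule this entry fixes, and which the later "Drop LineNumberAdder" entry above builds on, in code. This is an added example, not JSC's Lexer::shiftLineTerminator: `countLineTerminators` and `isLineSeparatorAt` are hypothetical names, the input is UTF-8, and the counting follows ECMAScript, where <CR><LF> is one line terminator but <LF><CR> is two.

```cpp
#include <cstddef>
#include <string>

// Added example, not JSC's lexer. Counts ECMAScript line terminators in UTF-8
// source text: <CR><LF> is a single terminator, but <LF><CR> is two, as is any
// other sequence of <LF>, <CR>, U+2028 (LS) and U+2029 (PS).
static bool isLineSeparatorAt(const std::string& text, size_t i)
{
    // U+2028 is E2 80 A8 and U+2029 is E2 80 A9 in UTF-8.
    return i + 2 < text.size()
        && static_cast<unsigned char>(text[i]) == 0xE2
        && static_cast<unsigned char>(text[i + 1]) == 0x80
        && (static_cast<unsigned char>(text[i + 2]) == 0xA8
            || static_cast<unsigned char>(text[i + 2]) == 0xA9);
}

// Returns the number of line terminators, i.e. the 1-based line number of the
// last character minus one. Getting this wrong misattributes errors and
// breakpoints to the wrong source line.
static size_t countLineTerminators(const std::string& text)
{
    size_t count = 0;
    for (size_t i = 0; i < text.size(); ++i) {
        char c = text[i];
        if (c == '\r') {
            ++count;
            if (i + 1 < text.size() && text[i + 1] == '\n')
                ++i; // <CR><LF> is one terminator
        } else if (c == '\n') {
            ++count; // a <CR> that follows starts its own terminator
        } else if (isLineSeparatorAt(text, i)) {
            ++count;
            i += 2;
        }
    }
    return count;
}
```

Only the <CR> branch looks ahead; the <LF> branch deliberately does not, which is the whole difference between \r\n and \n\r.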
3315
3316 2017-07-07  Commit Queue  <commit-queue@webkit.org>
3317
3318         Unreviewed, rolling out r219238, r219239, and r219241.
3319         https://bugs.webkit.org/show_bug.cgi?id=174265
3320
3321         "fast/workers/dedicated-worker-lifecycle.html is flaky"
3322         (Requested by yusukesuzuki on #webkit).
3323
3324         Reverted changesets:
3325
3326         "[WTF] Implement WTF::ThreadGroup"
3327         https://bugs.webkit.org/show_bug.cgi?id=174081
3328         http://trac.webkit.org/changeset/219238
3329
3330         "Unreviewed, build fix after r219238"
3331         https://bugs.webkit.org/show_bug.cgi?id=174081
3332         http://trac.webkit.org/changeset/219239
3333
3334         "Unreviewed, CLoop build fix after r219238"
3335         https://bugs.webkit.org/show_bug.cgi?id=174081
3336         http://trac.webkit.org/changeset/219241
3337
3338 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3339
3340         Unreviewed, CLoop build fix after r219238
3341         https://bugs.webkit.org/show_bug.cgi?id=174081
3342
3343         * heap/MachineStackMarker.cpp:
3344
3345 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3346
3347         [WTF] Implement WTF::ThreadGroup
3348         https://bugs.webkit.org/show_bug.cgi?id=174081
3349
3350         Reviewed by Mark Lam.
3351
3352         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
3353         SamplingProfiler and others now interact with WTF::Thread directly.
3354
3355         * API/tests/ExecutionTimeLimitTest.cpp:
3356         * heap/MachineStackMarker.cpp:
3357         (JSC::MachineThreads::MachineThreads):
3358         (JSC::captureStack):
3359         (JSC::MachineThreads::tryCopyOtherThreadStack):
3360         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3361         (JSC::MachineThreads::gatherConservativeRoots):
3362         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3363         (JSC::ActiveMachineThreadsManager::add): Deleted.
3364         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3365         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3366         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3367         (JSC::activeMachineThreadsManager): Deleted.
3368         (JSC::MachineThreads::~MachineThreads): Deleted.
3369         (JSC::MachineThreads::addCurrentThread): Deleted.
3370         (): Deleted.
3371         (JSC::MachineThreads::removeThread): Deleted.
3372         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3373         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3374         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3375         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3376         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3377         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3378         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3379         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3380         * heap/MachineStackMarker.h:
3381         (JSC::MachineThreads::addCurrentThread):
3382         (JSC::MachineThreads::getLock):
3383         (JSC::MachineThreads::threads):
3384         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3385         (JSC::MachineThreads::MachineThread::resume): Deleted.
3386         (JSC::MachineThreads::MachineThread::threadID): Deleted.
3387         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
3388         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
3389         (JSC::MachineThreads::threadsListHead): Deleted.
3390         * runtime/SamplingProfiler.cpp:
3391         (JSC::FrameWalker::isValidFramePointer):
3392         (JSC::SamplingProfiler::SamplingProfiler):
3393         (JSC::SamplingProfiler::takeSample):
3394         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3395         * runtime/SamplingProfiler.h:
3396         * wasm/WasmMachineThreads.cpp:
3397         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3398
3399 2017-07-06  Saam Barati  <sbarati@apple.com>
3400
3401         We are missing places where we invalidate the for-in context
3402         https://bugs.webkit.org/show_bug.cgi?id=174184
3403
3404         Reviewed by Geoffrey Garen.
3405
3406         * bytecompiler/BytecodeGenerator.cpp:
3407         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3408         * bytecompiler/NodesCodegen.cpp:
3409         (JSC::EmptyLetExpression::emitBytecode):
3410         (JSC::ForInNode::emitLoopHeader):
3411         (JSC::ForOfNode::emitBytecode):
3412         (JSC::BindingNode::bindValue):
3413
3414 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3415
3416         Unreviewed, suppress warnings in GCC environment
3417
3418         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3419         * runtime/IntlCollator.cpp:
3420         * runtime/IntlDateTimeFormat.cpp:
3421         * runtime/JSGlobalObject.cpp:
3422         * runtime/StringPrototype.cpp:
3423
3424 2017-07-05  Saam Barati  <sbarati@apple.com>
3425
3426         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
3427         https://bugs.webkit.org/show_bug.cgi?id=174188
3428         <rdar://problem/30581423>
3429
3430         Reviewed by Mark Lam.
3431
3432         We were calling lowJSValue(edge) when we were speculating the
3433         edge as double. This isn't allowed. We should have been using
3434         lowDouble.
3435         
3436         This patch also adds a new option, called useArrayAllocationProfiling,
3437         which defaults to true. When false, it will make the array allocation
3438         profile not actually sample seen arrays. It'll force the allocation
3439         profile's predicted indexing type to be ArrayWithUndecided. Adding
3440         this option made it trivial to write a test for this bug.
3441
3442         * bytecode/ArrayAllocationProfile.cpp:
3443         (JSC::ArrayAllocationProfile::updateIndexingType):
3444         * ftl/FTLLowerDFGToB3.cpp:
3445         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3446         * runtime/Options.h:
3447
3448 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3449
3450         WTF::Thread should have the threads stack bounds.
3451         https://bugs.webkit.org/show_bug.cgi?id=173975
3452
3453         Reviewed by Keith Miller.
3454
3455         There is a site in JSC that tries to walk another thread's stack.
3456         Currently, stack bounds are stored in WTFThreadData which is located
3457         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3458         We work around this situation by holding StackBounds in MachineThread in JSC,
3459         but StackBounds should be put in WTF::Thread instead.
3460
3461         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3462         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3463         is a natural choice.
3464
3465         * heap/MachineStackMarker.cpp:
3466         (JSC::MachineThreads::MachineThread::MachineThread):
3467         (JSC::MachineThreads::MachineThread::captureStack):
3468         * heap/MachineStackMarker.h:
3469         (JSC::MachineThreads::MachineThread::stackBase):
3470         (JSC::MachineThreads::MachineThread::stackEnd):
3471         * runtime/InitializeThreading.cpp:
3472         (JSC::initializeThreading):
3473         * runtime/VM.cpp:
3474         (JSC::VM::VM):
3475         (JSC::VM::updateStackLimits):
3476         (JSC::VM::committedStackByteCount):
3477         * runtime/VM.h:
3478         (JSC::VM::isSafeToRecurse):
3479         * runtime/VMEntryScope.cpp:
3480         (JSC::VMEntryScope::VMEntryScope):
3481         * runtime/VMInlines.h:
3482         (JSC::VM::ensureStackCapacityFor):
3483         * runtime/VMTraps.cpp:
3484         * yarr/YarrPattern.cpp:
3485         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3486
3487 2017-07-05  Keith Miller  <keith_miller@apple.com>
3488
3489         Crashing with information should have an abort reason
3490         https://bugs.webkit.org/show_bug.cgi?id=174185
3491
3492         Reviewed by Saam Barati.
3493
3494         Add crash information for the abstract interpreter and add an enum
3495         value for object allocation sinking.
3496
3497         * assembler/AbortReason.h:
3498         * dfg/DFGAbstractInterpreterInlines.h:
3499         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3500         * dfg/DFGGraph.cpp:
3501         (JSC::DFG::logDFGAssertionFailure):
3502         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3503
3504 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3505
3506         Remove copy of ICU headers from WebKit
3507         https://bugs.webkit.org/show_bug.cgi?id=116407
3508
3509         Reviewed by Alex Christensen.
3510
3511         Use WTF's copy of ICU headers.
3512
3513         * Configurations/Base.xcconfig:
3514         * icu/unicode/localpointer.h: Removed.
3515         * icu/unicode/parseerr.h: Removed.
3516         * icu/unicode/platform.h: Removed.
3517         * icu/unicode/ptypes.h: Removed.
3518         * icu/unicode/putil.h: Removed.
3519         * icu/unicode/uchar.h: Removed.
3520         * icu/unicode/ucnv.h: Removed.
3521         * icu/unicode/ucnv_err.h: Removed.
3522         * icu/unicode/ucol.h: Removed.
3523         * icu/unicode/uconfig.h: Removed.
3524         * icu/unicode/ucurr.h: Removed.
3525         * icu/unicode/uenum.h: Removed.
3526         * icu/unicode/uiter.h: Removed.
3527         * icu/unicode/uloc.h: Removed.
3528         * icu/unicode/umachine.h: Removed.
3529         * icu/unicode/unorm.h: Removed.
3530         * icu/unicode/unorm2.h: Removed.
3531         * icu/unicode/urename.h: Removed.
3532         * icu/unicode/uscript.h: Removed.
3533         * icu/unicode/uset.h: Removed.
3534         * icu/unicode/ustring.h: Removed.
3535         * icu/unicode/utf.h: Removed.
3536         * icu/unicode/utf16.h: Removed.
3537         * icu/unicode/utf8.h: Removed.
3538         * icu/unicode/utf_old.h: Removed.
3539         * icu/unicode/utypes.h: Removed.
3540         * icu/unicode/uvernum.h: Removed.
3541         * icu/unicode/uversion.h: Removed.
3542         * runtime/IntlCollator.cpp:
3543         * runtime/IntlDateTimeFormat.cpp:
3544         (JSC::IntlDateTimeFormat::partTypeString):
3545         * runtime/JSGlobalObject.cpp:
3546         * runtime/StringPrototype.cpp:
3547         (JSC::normalize):
3548         (JSC::stringProtoFuncNormalize):
3549
3550 2017-07-05  Devin Rousso  <drousso@apple.com>
3551
3552         Web Inspector: Allow users to log any tracked canvas context
3553         https://bugs.webkit.org/show_bug.cgi?id=173397
3554         <rdar://problem/33111581>
3555
3556         Reviewed by Joseph Pecoraro.
3557
3558         * inspector/protocol/Canvas.json:
3559         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
3560
3561 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
3562
3563         Add WebKitPrivateFrameworkStubs for iOS 11
3564         https://bugs.webkit.org/show_bug.cgi?id=173988
3565
3566         Reviewed by David Kilzer.
3567
3568         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
3569         same directory for private framework stubs.
3570
3571 2017-07-05  JF Bastien  <jfbastien@apple.com>
3572
3573         WebAssembly: implement name section's module name, skip unknown sections
3574         https://bugs.webkit.org/show_bug.cgi?id=172008
3575
3576         Reviewed by Keith Miller.
3577
3578         Parse the WebAssembly module name properly, and skip unknown
3579         sections. This is useful because as toolchains support new types
3580         of names we want to keep displaying the information we know about
3581         and simply ignore new information. That capability was designed
3582         into WebAssembly's name section.
3583
3584         Failure to commit this patch would mean that WebKit won't display
3585         stack trace information, which would make developers sad.
3586
3587         Module names were added here: https://github.com/WebAssembly/design/pull/1055
3588
3589         Note that this patch doesn't do anything with the parsed name! Two
3590         reasons for this: module names aren't supported in binaryen yet,
3591         so I can't write a simple binary test; and using the name is a
3592         slightly riskier change because it requires changing StackVisitor
3593         + StackFrame (where they print "[wasm code]") which requires
3594         figuring out the frame's Module. The latter bit isn't trivial
3595         because we only know wasm frames from their tag bits, and
3596         CodeBlocks are always nullptr.
3597
3598         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
3599
3600         I filed #174098 to use the module name.
3601
3602         * wasm/WasmFormat.h:
3603         (JSC::Wasm::isValidNameType):
3604         * wasm/WasmNameSectionParser.cpp:
3605
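        As an added illustration of the subsection layout and skip-unknown behaviour the
        entry above describes (this is example code written for this page, not JSC's
        WasmNameSectionParser), the sketch below parses a name-section payload as a
        sequence of (id, varuint32 size, payload) subsections, interprets only the module
        name (id 0) and skips everything else by its declared size. The sample payloads
        are constructed here; subsection id 7 is a made-up id used only to show skipping.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Result of parsing a "name" custom-section payload. Only the module-name
// subsection (id 0) is interpreted; any other id is recorded and skipped.
struct NameSectionInfo {
    bool hasModuleName = false;
    std::string moduleName;
    std::vector<uint8_t> skippedSubsectionIds;
};

// Reads an unsigned LEB128 varuint32 at `offset` and advances it.
// Fails on truncated input or on a value that does not fit in 32 bits.
static bool readVarUInt32(const std::vector<uint8_t>& bytes, size_t& offset, uint32_t& out)
{
    uint64_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (offset >= bytes.size())
            return false;
        uint8_t byte = bytes[offset++];
        result |= static_cast<uint64_t>(byte & 0x7f) << shift;
        if (!(byte & 0x80)) {
            if (result > UINT32_MAX)
                return false;
            out = static_cast<uint32_t>(result);
            return true;
        }
    }
    return false; // a sixth byte can never belong to a valid u32
}

// Parses a sequence of (id: u8, size: varuint32, payload: size bytes) subsections.
// Returns false as soon as a declared size points past the bytes that remain.
bool parseNameSection(const std::vector<uint8_t>& payload, NameSectionInfo& info)
{
    size_t offset = 0;
    while (offset < payload.size()) {
        uint8_t subsectionId = payload[offset++];
        uint32_t subsectionSize = 0;
        if (!readVarUInt32(payload, offset, subsectionSize))
            return false;
        if (subsectionSize > payload.size() - offset) // validate before trusting the size
            return false;
        size_t subsectionEnd = offset + subsectionSize;
        if (subsectionId == 0) {
            // Module name: varuint32 byte length followed by that many UTF-8 bytes.
            uint32_t nameLength = 0;
            if (!readVarUInt32(payload, offset, nameLength))
                return false;
            if (offset > subsectionEnd || nameLength > subsectionEnd - offset)
                return false;
            info.hasModuleName = true;
            info.moduleName.assign(payload.begin() + offset, payload.begin() + offset + nameLength);
        } else {
            // Unknown or not-yet-supported subsection: remember the id and skip it
            // by its declared size, so output from newer toolchains still loads.
            info.skippedSubsectionIds.push_back(subsectionId);
        }
        offset = subsectionEnd; // resynchronise on the declared size either way
    }
    return true;
}

// Convenience wrappers that fold a parse into a single value.
bool parsesCleanly(const std::vector<uint8_t>& payload)
{
    NameSectionInfo info;
    return parseNameSection(payload, info);
}

std::string parsedModuleName(const std::vector<uint8_t>& payload)
{
    NameSectionInfo info;
    if (!parseNameSection(payload, info) || !info.hasModuleName)
        return std::string();
    return info.moduleName;
}

size_t skippedSubsectionCount(const std::vector<uint8_t>& payload)
{
    NameSectionInfo info;
    return parseNameSection(payload, info) ? info.skippedSubsectionIds.size() : 0;
}

// Constructed sample: module name "demo" (id 0), then a hypothetical subsection
// id 7 carrying 3 bytes we do not understand and therefore skip.
std::vector<uint8_t> sampleNameSectionPayload()
{
    return { 0x00, 0x05, 0x04, 'd', 'e', 'm', 'o', 0x07, 0x03, 0xAA, 0xBB, 0xCC };
}

// Constructed sample: the subsection claims 16 payload bytes but only 2 follow.
std::vector<uint8_t> truncatedNameSectionPayload()
{
    return { 0x00, 0x10, 0x04, 'd' };
}
```

        The two bounds checks (subsection size against the remaining bytes, name length
        against the subsection end) are the part worth copying: a parser that skips
        unknown subsections is only safe to feed untrusted modules if every declared
        size is validated before it is used to advance.
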
3606 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
3607
3608         Cleanup some StringBuilder use
3609         https://bugs.webkit.org/show_bug.cgi?id=174118
3610
3611         Reviewed by Andreas Kling.
3612
3613         * runtime/FunctionConstructor.cpp:
3614         (JSC::constructFunctionSkippingEvalEnabledCheck):
3615         * tools/FunctionOverrides.cpp:
3616         (JSC::parseClause):
3617         * wasm/WasmOMGPlan.cpp:
3618         * wasm/WasmPlan.cpp:
3619         * wasm/WasmValidate.cpp:
3620
3621 2017-07-03  Saam Barati  <sbarati@apple.com>
3622
3623         LayoutTest workers/bomb.html is a Crash
3624         https://bugs.webkit.org/show_bug.cgi?id=167757
3625         <rdar://problem/33086462>
3626
3627         Reviewed by Keith Miller.
3628
3629         VMTraps::SignalSender was accessing VM fields even after
3630         the VM was destroyed. This happened when the SignalSender
3631         thread was in the middle of its work() function while VMTraps
3632         was notified that the VM was shutting down. The VM would proceed
3633         to run its destructor even after the SignalSender thread finished
3634         doing its work. This means that the SignalSender thread was accessing
3635         VM fields even after the VM was destructed (including itself, since it is
3636         transitively owned by the VM). The VM must wait for the SignalSender
3637         thread to shut down before it can continue to destruct itself.
3638
3639         * runtime/VMTraps.cpp:
3640         (JSC::VMTraps::willDestroyVM):
3641
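        The lifetime rule stated in the entry above (an owner must wait for a helper
        thread that touches its fields before it finishes destructing), as an added
        example that is not VMTraps code: TrapSender is a hypothetical stand-in for the
        SignalSender, its work() touches owner-owned state, and the destructor requests
        shutdown and joins the thread before any member is torn down.

```cpp
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <mutex>
#include <thread>

// Owner of a helper thread that periodically touches the owner's own fields.
// The fix lives entirely in the destructor: ask the helper to stop, wake it,
// and join() it before any member (including the thread object) is destroyed.
class TrapSender {
public:
    explicit TrapSender(std::atomic<int>& externalCounter)
        : m_externalCounter(externalCounter)
        , m_thread([this] { run(); }) // declared last so it starts after the other members exist
    { }

    ~TrapSender()
    {
        {
            std::lock_guard<std::mutex> lock(m_lock);
            m_shuttingDown = true;
        }
        m_condition.notify_all();
        m_thread.join(); // after this the helper can no longer observe a half-destroyed owner
    }

    int workCount() const
    {
        std::lock_guard<std::mutex> lock(m_lock);
        return m_workCount;
    }

private:
    void run()
    {
        std::unique_lock<std::mutex> lock(m_lock);
        while (!m_shuttingDown) {
            work();
            // Sleep briefly or until the destructor wakes us; the predicate re-checks
            // the flag under the lock so a wake-up is never lost.
            m_condition.wait_for(lock, std::chrono::milliseconds(1), [this] { return m_shuttingDown; });
        }
    }

    // Stands in for the real work(): it reads and writes state owned by the owner.
    void work()
    {
        ++m_workCount;
        ++m_externalCounter;
    }

    mutable std::mutex m_lock;
    std::condition_variable m_condition;
    bool m_shuttingDown = false;
    int m_workCount = 0;
    std::atomic<int>& m_externalCounter;
    std::thread m_thread;
};

// Demonstrates the guarantee: once the owner's destructor has returned, the helper
// has stopped, so the counter it was incrementing no longer changes.
bool helperStopsBeforeOwnerIsGone()
{
    std::atomic<int> counter(0);
    {
        TrapSender sender(counter);
        std::this_thread::sleep_for(std::chrono::milliseconds(20));
    }
    int afterDestruction = counter.load();
    std::this_thread::sleep_for(std::chrono::milliseconds(20));
    return afterDestruction >= 1 && counter.load() == afterDestruction;
}
```

        Without the join() the thread object would be destroyed while still joinable
        (std::terminate) or, with a detached thread, the helper would keep dereferencing
        freed memory, which is the use-after-destruction the entry describes.
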
3642 2017-07-03  Saam Barati  <sbarati@apple.com>
3643
3644         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
3645         https://bugs.webkit.org/show_bug.cgi?id=174110
3646
3647         Reviewed by Michael Saboff.
3648
3649         * dfg/DFGByteCodeParser.cpp:
3650         (JSC::DFG::ByteCodeParser::parseBlock):
3651
3652 2017-07-03  Saam Barati  <sbarati@apple.com>
3653
3654         Add a new assertion to object allocation sinking phase
3655         https://bugs.webkit.org/show_bug.cgi?id=174107
3656
3657         Rubber stamped by Filip Pizlo.
3658
3659         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3660
3661 2017-07-03  Commit Queue  <commit-queue@webkit.org>
3662
3663         Unreviewed, rolling out r219060.
3664         https://bugs.webkit.org/show_bug.cgi?id=174108
3665
3666         crashing constantly when initializing UIWebView (Requested by
3667         thorton on #webkit).
3668
3669         Reverted changeset:
3670
3671         "WTF::Thread should have the threads stack bounds."
3672         https://bugs.webkit.org/show_bug.cgi?id=173975
3673         http://trac.webkit.org/changeset/219060
3674
3675 2017-07-03  Matt Lewis  <jlewis3@apple.com>
3676
3677         Unreviewed, rolling out r219103.
3678
3679         Caused multiple build failures.
3680
3681         Reverted changeset:
3682
3683         "Remove copy of ICU headers from WebKit"
3684         https://bugs.webkit.org/show_bug.cgi?id=116407
3685         http://trac.webkit.org/changeset/219103
3686
3687 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3688
3689         Remove copy of ICU headers from WebKit
3690         https://bugs.webkit.org/show_bug.cgi?id=116407
3691
3692         Reviewed by Alex Christensen.
3693
3694         Use WTF's copy of ICU headers.
3695
3696         * Configurations/Base.xcconfig:
3697         * icu/unicode/localpointer.h: Removed.
3698         * icu/unicode/parseerr.h: Removed.
3699         * icu/unicode/platform.h: Removed.
3700         * icu/unicode/ptypes.h: Removed.
3701         * icu/unicode/putil.h: Removed.
3702         * icu/unicode/uchar.h: Removed.
3703         * icu/unicode/ucnv.h: Removed.
3704         * icu/unicode/ucnv_err.h: Removed.
3705         * icu/unicode/ucol.h: Removed.
3706         * icu/unicode/uconfig.h: Removed.
3707         * icu/unicode/ucurr.h: Removed.
3708         * icu/unicode/uenum.h: Removed.
3709         * icu/unicode/uiter.h: Removed.
3710         * icu/unicode/uloc.h: Removed.
3711         * icu/unicode/umachine.h: Removed.
3712         * icu/unicode/unorm.h: Removed.
3713         * icu/unicode/unorm2.h: Removed.
3714         * icu/unicode/urename.h: Removed.
3715         * icu/unicode/uscript.h: Removed.
3716         * icu/unicode/uset.h: Removed.
3717         * icu/unicode/ustring.h: Removed.
3718         * icu/unicode/utf.h: Removed.
3719         * icu/unicode/utf16.h: Removed.
3720         * icu/unicode/utf8.h: Removed.
3721         * icu/unicode/utf_old.h: Removed.
3722         * icu/unicode/utypes.h: Removed.
3723         * icu/unicode/uvernum.h: Removed.
3724         * icu/unicode/uversion.h: Removed.
3725         * runtime/IntlCollator.cpp:
3726         * runtime/IntlDateTimeFormat.cpp:
3727         * runtime/JSGlobalObject.cpp:
3728         * runtime/StringPrototype.cpp:
3729
3730 2017-07-03  Saam Barati  <sbarati@apple.com>
3731
3732         Add better crash logging for allocation sinking phase
3733         https://bugs.webkit.org/show_bug.cgi?id=174102
3734         <rdar://problem/33112092>
3735
3736         Rubber stamped by Filip Pizlo.
3737
3738         I'm trying to gather better information from crashlogs about why
3739         we're crashing in the allocation sinking phase. I'm adding an allocation
3740         sinking specific RELEASE_ASSERT as well as marking a few functions as
3741         NEVER_INLINE to have the stack traces in the crash trace contain more
3742         actionable information.
3743
3744         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3745
3746 2017-07-03  Sam Weinig  <sam@webkit.org>
3747
3748         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
3749         https://bugs.webkit.org/show_bug.cgi?id=174083
3750
3751         Reviewed by Alex Christensen.
3752
3753         * Configurations/FeatureDefines.xcconfig:
3754         Add ENABLE_NAVIGATOR_STANDALONE.
3755
3756 2017-07-03  Andy Estes  <aestes@apple.com>
3757
3758         [Xcode] Add an experimental setting to build with ccache
3759         https://bugs.webkit.org/show_bug.cgi?id=173875
3760
3761         Reviewed by Tim Horton.
3762
3763         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
3764
3765 2017-07-03  Devin Rousso  <drousso@apple.com>
3766
3767         Web Inspector: Support listing WebGL2 and WebGPU contexts
3768         https://bugs.webkit.org/show_bug.cgi?id=173396
3769
3770         Reviewed by Joseph Pecoraro.
3771
3772         * inspector/protocol/Canvas.json:
3773         * inspector/scripts/codegen/generator.py:
3774         (Generator.stylized_name_for_enum_value):
3775         Add cases for handling new Canvas.ContextType protocol enumerations:
3776          - "webgl2" maps to `WebGL2`
3777          - "webgpu" maps to `WebGPU`
3778
3779 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3780
3781         WTF::Thread should have the threads stack bounds.
3782         https://bugs.webkit.org/show_bug.cgi?id=173975
3783
3784         Reviewed by Mark Lam.
3785
3786         There is a site in JSC that tries to walk another thread's stack.
3787         Currently, stack bounds are stored in WTFThreadData which is located
3788         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3789         We work around this situation by holding StackBounds in MachineThread in JSC,
3790         but StackBounds should be put in WTF::Thread instead.
3791
3792         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3793         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3794         is a natural choice.
3795
3796         * heap/MachineStackMarker.cpp:
3797         (JSC::MachineThreads::MachineThread::MachineThread):
3798         (JSC::MachineThreads::MachineThread::captureStack):
3799         * heap/MachineStackMarker.h:
3800         (JSC::MachineThreads::MachineThread::stackBase):
3801         (JSC::MachineThreads::MachineThread::stackEnd):
3802         * runtime/InitializeThreading.cpp:
3803         (JSC::initializeThreading):
3804         * runtime/VM.cpp:
3805         (JSC::VM::VM):
3806         (JSC::VM::updateStackLimits):
3807         (JSC::VM::committedStackByteCount):
3808         * runtime/VM.h:
3809         (JSC::VM::isSafeToRecurse):
3810         * runtime/VMEntryScope.cpp:
3811         (JSC::VMEntryScope::VMEntryScope):
3812         * runtime/VMInlines.h:
3813         (JSC::VM::ensureStackCapacityFor):
3814         * runtime/VMTraps.cpp:
3815         * yarr/YarrPattern.cpp:
3816         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3817
3818 2017-07-01  Dan Bernstein  <mitz@apple.com>
3819
3820         [iOS] Remove code only needed when building for iOS 9.x
3821         https://bugs.webkit.org/show_bug.cgi?id=174068
3822
3823         Reviewed by Tim Horton.
3824
3825         * Configurations/FeatureDefines.xcconfig:
3826         * jit/ExecutableAllocator.cpp:
3827         * runtime/Options.cpp:
3828         (JSC::recomputeDependentOptions):
3829
3830 2017-07-01  Dan Bernstein  <mitz@apple.com>
3831
3832         [macOS] Remove code only needed when building for OS X Yosemite
3833         https://bugs.webkit.org/show_bug.cgi?id=174067
3834
3835         Reviewed by Tim Horton.
3836
3837         * API/WebKitAvailability.h:
3838         * Configurations/Base.xcconfig:
3839         * Configurations/DebugRelease.xcconfig:
3840         * Configurations/FeatureDefines.xcconfig:
3841         * Configurations/Version.xcconfig:
3842
3843 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3844
3845         Unreviewed, build fix for GCC
3846         https://bugs.webkit.org/show_bug.cgi?id=174034
3847
3848         * b3/testb3.cpp:
3849         (JSC::B3::testDoubleLiteralComparison):
3850
3851 2017-06-30  Keith Miller  <keith_miller@apple.com>
3852
3853         Force crashWithInfo to be out of line.
3854         https://bugs.webkit.org/show_bug.cgi?id=174028
3855
3856         Reviewed by Filip Pizlo.
3857
3858         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
3859
3860         * dfg/DFGGraph.cpp:
3861         (JSC::DFG::logDFGAssertionFailure):
3862         (JSC::DFG::Graph::logAssertionFailure):
3863         (JSC::DFG::crash): Deleted.
3864         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3865         * dfg/DFGGraph.h:
3866
3867 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3868
3869         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
3870         https://bugs.webkit.org/show_bug.cgi?id=174053
3871
3872         Reviewed by Geoffrey Garen.
3873
3874         We already have AbstractMacroAssembler::random() function. Use it instead.
3875
3876         * jit/JIT.cpp:
3877         (JSC::JIT::JIT):
3878         (JSC::JIT::compileWithoutLinking):
3879         * jit/JIT.h:
3880
3881 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3882
3883         [WTF] Drop SymbolRegistry::keyForSymbol
3884         https://bugs.webkit.org/show_bug.cgi?id=174052
3885
3886         Reviewed by Sam Weinig.
3887
3888         * runtime/SymbolConstructor.cpp:
3889         (JSC::symbolConstructorKeyFor):
3890
3891 2017-06-30  Saam Barati  <sbarati@apple.com>
3892
3893         B3ReduceStrength should reduce EqualOrUnordered over const float input
3894         https://bugs.webkit.org/show_bug.cgi?id=174039
3895
3896         Reviewed by Michael Saboff.
3897
3898         We perform this folding for ConstDoubleValue. It is simply
3899         an oversight that we didn't do it for ConstFloatValue.
3900
3901         * b3/B3ConstFloatValue.cpp:
3902         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
3903         * b3/B3ConstFloatValue.h:
3904         * b3/testb3.cpp:
3905         (JSC::B3::testFloatEqualOrUnorderedFolding):
3906         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3907         (JSC::B3::testFloatEqualOrUnorderedDontFold):
3908         (JSC::B3::run):
3909
3910 2017-06-30  Matt Baker  <mattbaker@apple.com>
3911
3912         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
3913         https://bugs.webkit.org/show_bug.cgi?id=173840
3914         <rdar://problem/30840820>
3915
3916         Reviewed by Joseph Pecoraro.
3917
3918         When truncating an asynchronous stack trace, the parent chain is traversed
3919         until a locked node is found. The path from this node to the root is shared
3920         by more than one stack trace, and cannot be safely modified. Starting at
3921         the first locked node, the path is cloned and becomes a new stack trace tree.
3922
3923         However, the clone operation initialized each new AsyncStackTrace node with
3924         the original node's parent. This would increment the child count of the original
3925         node. When cloning nodes, new nodes should not have their parent set until the
3926         next node up the parent chain is cloned.
3927
3928         * inspector/AsyncStackTrace.cpp:
3929         (Inspector::AsyncStackTrace::truncate):
3930
3931 2017-06-30  Michael Saboff  <msaboff@apple.com>
3932
3933         RegExps anchored with .* with the \g flag can return wrong match start for strings with multiple matches
3934         https://bugs.webkit.org/show_bug.cgi?id=174044
3935
3936         Reviewed by Oliver Hunt.
3937
3938         The .* enclosure optimization didn't respect that we can start matching from a non-zero
3939         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
3940         then finding the extent of the match by going back to the beginning of the line and going
3941         forward to the end of the line.  The code that went back to the beginning of the line
3942         checked for an index of 0 instead of comparing the index to the start position.  This start
3943         position is passed as the initial index.
3944
3945         Added another temporary register to the YARR JIT to contain the start position for
3946         platforms that have spare registers.
3947
3948         * yarr/Yarr.h:
3949         * yarr/YarrInterpreter.cpp:
3950         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3951         (JSC::Yarr::Interpreter::Interpreter):
3952         * yarr/YarrJIT.cpp:
3953         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3954         (JSC::Yarr::YarrGenerator::compile):
3955         * yarr/YarrPattern.cpp:
3956         (JSC::Yarr::YarrPattern::YarrPattern):
3957         * yarr/YarrPattern.h:
3958         (JSC::Yarr::YarrPattern::reset):
3959
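        The enclosure walk-back described above, as an added example that is not YARR
        code: a small model of /.*<term>.*/ that finds a literal term, then extends the
        match back to the start of the line and forward to its end. `term` is a literal
        stand-in for <some-terms>; the buggy and corrected backward walks are kept side
        by side so the wrong match start can be seen on a constructed input.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

struct EnclosureMatch {
    bool found;
    size_t start;
    size_t end; // one past the last matched character
};

// Walks back from `termPosition` to the beginning of the line, but never before
// `lowerBound`. The corrected code passes the search start position as lowerBound;
// the pre-fix code effectively used 0, walking back over input the match may not include.
static size_t lineStartFrom(const std::string& subject, size_t termPosition, size_t lowerBound)
{
    size_t start = termPosition;
    while (start > lowerBound && subject[start - 1] != '\n')
        --start;
    return start;
}

static size_t lineEndFrom(const std::string& subject, size_t position)
{
    while (position < subject.size() && subject[position] != '\n')
        ++position;
    return position;
}

static EnclosureMatch matchDotStarEnclosure(const std::string& subject, const std::string& term,
                                            size_t startIndex, bool respectStartIndex)
{
    if (startIndex > subject.size() || term.empty())
        return { false, 0, 0 };
    // First locate the fixed term at or after the start position, then widen.
    size_t termPosition = subject.find(term, startIndex);
    if (termPosition == std::string::npos)
        return { false, 0, 0 };
    size_t lowerBound = respectStartIndex ? startIndex : 0;
    return { true, lineStartFrom(subject, termPosition, lowerBound),
             lineEndFrom(subject, termPosition + term.size()) };
}

// Corrected behaviour: the match can never begin before startIndex.
EnclosureMatch matchFromStart(const std::string& subject, const std::string& term, size_t startIndex)
{
    return matchDotStarEnclosure(subject, term, startIndex, true);
}

// Pre-fix behaviour, for comparison: the backward walk stops only at index 0 or a newline.
EnclosureMatch matchFromZero(const std::string& subject, const std::string& term, size_t startIndex)
{
    return matchDotStarEnclosure(subject, term, startIndex, false);
}

// Global (/g-style) iteration: each search resumes at the previous match's end,
// which is where a non-zero start position enters the picture.
std::vector<std::pair<size_t, size_t>> allMatches(const std::string& subject, const std::string& term)
{
    std::vector<std::pair<size_t, size_t>> matches;
    size_t lastIndex = 0;
    while (lastIndex <= subject.size()) {
        EnclosureMatch match = matchFromStart(subject, term, lastIndex);
        if (!match.found)
            break;
        matches.push_back({ match.start, match.end });
        lastIndex = match.end > lastIndex ? match.end : lastIndex + 1; // never get stuck
    }
    return matches;
}
```

        On the constructed subject "xxcdyy" with a start position of 1, the corrected
        walk reports a match starting at 1 while the pre-fix walk reports 0, which is the
        wrong match start the entry describes; on "acd\nbcd" the global iteration yields
        (0,3) and (4,7) because the newline bounds each line's enclosure.
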
3960 2017-06-30  Saam Barati  <sbarati@apple.com>
3961
3962         B3MoveConstants floatZero() returns the wrong ValueKey
3963         https://bugs.webkit.org/show_bug.cgi?id=174040
3964
3965         Reviewed by Filip Pizlo.
3966
3967         It had a typo where the ValueKey for floatZero() produces a Double
3968         instead of a Float.
3969
3970         * b3/B3MoveConstants.cpp:
3971
3972 2017-06-30  Saam Barati  <sbarati@apple.com>
3973
3974         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
3975         https://bugs.webkit.org/show_bug.cgi?id=174034
3976         <rdar://problem/30793007>
3977
3978         Reviewed by Filip Pizlo.
3979
3980         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
3981         reduce binary operations over double constants into the same binary
3982         operation over the double constants casted to floats. This is clearly
3983   &