Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-04  Mark Lam  <mark.lam@apple.com>

        Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
        https://bugs.webkit.org/show_bug.cgi?id=175230
        <rdar://problem/33735857>

        Reviewed by Saam Barati.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
        https://bugs.webkit.org/show_bug.cgi?id=175214
        <rdar://problem/33733308>

        Rubber-stamped by Michael Saboff.

        Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
        DFGOSRExitCompiler files.

        Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.

        Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
        used by compileOSRExit(), and will be changed to not be a DFG operation function
        when we use JIT probes for DFG OSR exits later in
        https://bugs.webkit.org/show_bug.cgi?id=175144.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
        * dfg/DFGOSRExitCompiler.cpp: Removed.
        * dfg/DFGOSRExitCompiler.h: Removed.
        * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
        * dfg/DFGOSRExitCompiler64.cpp: Removed.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:

2017-08-04  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
        https://bugs.webkit.org/show_bug.cgi?id=175208
        <rdar://problem/33732402>

        Reviewed by Saam Barati.

        This will minimize the code diff and make it easier to review the patch for
        https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
        steps:

        1. Do the code changes to move methods into OSRExit.
        2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
        3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.

        Splitting this refactoring into these 3 steps also makes it easier to review this
        patch and understand what is being changed.

        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
        (): Deleted.
        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
        (): Deleted.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):

2017-08-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: add source view for WebGL shader programs
        https://bugs.webkit.org/show_bug.cgi?id=138593
        <rdar://problem/18936194>

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
         - Add `ShaderType` enum that contains "vertex" and "fragment".
         - Add `requestShaderSource` command that will return the original source code for a given
           shader program and shader type.

2017-08-03  Filip Pizlo  <fpizlo@apple.com>

        The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
        https://bugs.webkit.org/show_bug.cgi?id=175141

        Reviewed by Mark Lam.

        To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
        decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
        to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
        determined by the AlignedMemoryAllocator object.

        This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
        trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
        Subspaces that both use the same underlying allocator to realize that they can trade blocks with
        each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
        they use the same AlignedMemoryAllocator.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/AlignedMemoryAllocator.cpp: Added.
        (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
        (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
        * heap/AlignedMemoryAllocator.h: Added.
        * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
        (JSC::FastMallocAlignedMemoryAllocator::singleton):
        (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
        (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
        (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::FastMallocAlignedMemoryAllocator::dump const):
        * heap/FastMallocAlignedMemoryAllocator.h: Added.
        * heap/GigacageAlignedMemoryAllocator.cpp: Added.
        (JSC::GigacageAlignedMemoryAllocator::singleton):
        (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::dump const):
        * heap/GigacageAlignedMemoryAllocator.h: Added.
        * heap/GigacageSubspace.cpp: Removed.
        * heap/GigacageSubspace.h: Removed.
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::destroy):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::subspace const):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
        (JSC::MarkedBlock::Handle::subspace const): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::findEmptyBlockToSteal):
        (JSC::Subspace::canTradeBlocksWith): Deleted.
        (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
        (JSC::Subspace::freeAlignedMemory): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::name const):
        (JSC::Subspace::alignedMemoryAllocator const):
        * runtime/JSDestructibleObjectSubspace.cpp:
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
        * runtime/JSDestructibleObjectSubspace.h:
        * runtime/JSSegmentedVariableObjectSubspace.cpp:
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
        * runtime/JSSegmentedVariableObjectSubspace.h:
        * runtime/JSStringSubspace.cpp:
        (JSC::JSStringSubspace::JSStringSubspace):
        * runtime/JSStringSubspace.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - update feature.json
        https://bugs.webkit.org/show_bug.cgi?id=175197

        Reviewed by Yusuke Suzuki.

        Update feature.json to add the status of Async Iteration.

        * features.json:

2017-08-04  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r220271.

        Rolling out due to Layout Test failing on iOS Simulator.

        Reverted changeset:

        "Remove STREAMS_API compilation guard"
        https://bugs.webkit.org/show_bug.cgi?id=175165
        http://trac.webkit.org/changeset/220271

2017-08-04  Youenn Fablet  <youenn@apple.com>

        Remove STREAMS_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175165

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [EsNext] Async iteration - Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=166694

        Reviewed by Yusuke Suzuki.

        Add a feature flag to JSC to switch Async Iterator on/off.

        * runtime/Options.h:

2017-08-03  Brian Burg  <bburg@apple.com>

        Remove ENABLE(WEB_SOCKET) guards
        https://bugs.webkit.org/show_bug.cgi?id=167044

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Youenn Fablet  <youenn@apple.com>

        Remove FETCH_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175154

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument WebGLProgram created/deleted
        https://bugs.webkit.org/show_bug.cgi?id=175059

        Reviewed by Devin Rousso.

        Extend the Canvas protocol with types/events for tracking WebGLPrograms.

        * inspector/protocol/Canvas.json:

2017-08-03  Brady Eidson  <beidson@apple.com>

        Add SW IDLs and stub out basic functionality.
        https://bugs.webkit.org/show_bug.cgi?id=175115

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/CommonIdentifiers.h:

2017-08-03  Mark Lam  <mark.lam@apple.com>

        Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
        https://bugs.webkit.org/show_bug.cgi?id=175142
        <rdar://problem/33704528>

        Reviewed by Filip Pizlo.

        The convention in the rest of JSC for such methods which return the address of
        a field is to name them "addressOf<field name>".  We'll rename
        ScratchBuffer::activeLengthPtr to be consistent with this convention.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/VM.h:
        (JSC::ScratchBuffer::addressOfActiveLength):
        (JSC::ScratchBuffer::activeLengthPtr): Deleted.
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):

2017-08-02  Devin Rousso  <drousso@apple.com>

        Web Inspector: add stack trace information for each RecordingAction
        https://bugs.webkit.org/show_bug.cgi?id=174663

        Reviewed by Joseph Pecoraro.

        * inspector/ScriptCallFrame.h:
        Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
        with an existing value doesn't require a functor and can use existing code.

        * interpreter/StackVisitor.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.

2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WTFThreadData to Thread::current
        https://bugs.webkit.org/show_bug.cgi?id=174716

        Reviewed by Mark Lam.

        Use Thread::current() instead.

        * API/JSContext.mm:
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentCallee]):
        (+[JSContext currentArguments]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse const):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        LLInt should do pointer caging
        https://bugs.webkit.org/show_bug.cgi?id=175036

        Reviewed by Keith Miller.

        Implementing this in the LLInt was challenging because offlineasm did not previously know
        how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
        to be where the Gigacage is enabled right now.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/x86.rb:

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        Sweeping should only scribble when sweeping to free list
        https://bugs.webkit.org/show_bug.cgi?id=175105

        Reviewed by Saam Barati.

        I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
        can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
        zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
        didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
        path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
        when it doesn't matter anyway because we're building a free list.

        This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
        zap.

        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
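
The failure mode the entry above describes, as an added toy model that is not JSC's code: a block of dead cells is swept once in SweepOnly mode and once in SweepToFreeList mode, and the destructing sweep relies on a zero "zap word" to know that a cell has already been destructed. The zap value 0 and the scribble pattern 0xbadbeef0 are the ones the entry quotes; the 8-cell block, the sweeptoy namespace, the kLiveTag tag and the payload-as-pointer stand-in are assumptions made for the demo. Passing scribbleInSweepOnly=true reproduces the regression (scribble clobbers the zap word, so the next sweep re-runs destructors on scribbled memory); false is the fixed policy of scribbling only when building a free list.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

namespace sweeptoy {

constexpr std::uint32_t kZapWord = 0;                // zapped cell: destructor already ran
constexpr std::uint32_t kScribbleWord = 0xbadbeef0u; // debug fill pattern named in the entry
constexpr std::uint32_t kLiveTag = 0x1000u;          // constructed non-zero tag of a live cell

enum class SweepMode { SweepOnly, SweepToFreeList };

struct Cell {
    std::uint32_t tag;     // plays the role of the zap word (JSC zaps the structure word)
    std::uint32_t payload; // stands in for a pointer the destructor dereferences
};

struct Block {
    static constexpr std::size_t kCellCount = 8;
    std::array<Cell, kCellCount> cells {};
    std::array<bool, kCellCount> marked {};     // all false: every cell is dead in this demo
    std::array<Cell*, kCellCount> freeList {};
    std::size_t freeCount = 0;
    int destructorCalls = 0;
    int scribbledDereferences = 0;              // destructor ran on a scribbled cell: the crash

    Block()
    {
        for (Cell& c : cells)
            c = Cell { kLiveTag, 0x42u };
    }

    void runDestructor(Cell& c)
    {
        ++destructorCalls;
        if (c.payload == kScribbleWord)
            ++scribbledDereferences;            // the real engine dereferenced 0xbadbeef0 here
    }

    static void scribble(Cell& c)
    {
        c.tag = kScribbleWord;                  // this is what clobbers the zap word
        c.payload = kScribbleWord;
    }

    // scribbleInSweepOnly == true reproduces the regression; false is the fixed policy
    // (scribble only when building a free list).
    void sweep(SweepMode mode, bool scribbleInSweepOnly)
    {
        freeCount = 0;
        for (std::size_t i = 0; i < kCellCount; ++i) {
            Cell& c = cells[i];
            if (marked[i])
                continue;                       // live cell, leave it alone
            if (c.tag != kZapWord) {            // not yet destructed
                runDestructor(c);
                c.tag = kZapWord;               // zap: "destructor has run"
            }
            bool shouldScribble = mode == SweepMode::SweepToFreeList || scribbleInSweepOnly;
            if (shouldScribble)
                scribble(c);
            if (mode == SweepMode::SweepToFreeList)
                freeList[freeCount++] = &c;
        }
    }
};

struct SweepStats {
    int destructorCalls;
    int scribbledDereferences;
};

// Sweep a block of dead cells twice: first SweepOnly, then SweepToFreeList.
inline SweepStats sweepTwice(bool scribbleInSweepOnly)
{
    Block block;
    block.sweep(SweepMode::SweepOnly, scribbleInSweepOnly);
    block.sweep(SweepMode::SweepToFreeList, scribbleInSweepOnly);
    return SweepStats { block.destructorCalls, block.scribbledDereferences };
}

inline int scribbledDereferencesAfterTwoSweeps(bool scribbleInSweepOnly)
{
    return sweepTwice(scribbleInSweepOnly).scribbledDereferences;
}

inline int destructorCallsAfterTwoSweeps(bool scribbleInSweepOnly)
{
    return sweepTwice(scribbleInSweepOnly).destructorCalls;
}

} // namespace sweeptoy

int main()
{
    std::printf("scribble in SweepOnly (regression): %d destructors ran on scribbled cells\n",
        sweeptoy::scribbledDereferencesAfterTwoSweeps(true));
    std::printf("scribble only in SweepToFreeList (fix): %d destructors ran on scribbled cells\n",
        sweeptoy::scribbledDereferencesAfterTwoSweeps(false));
    return 0;
}
```

The point of the model is that a debug fill is only safe to apply to memory whose sentinel nobody will read again; once the cells are on a free list they are reinitialized on allocation, whereas after a SweepOnly pass the zap word is still the only thing telling a later sweep not to destruct the cell a second time.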

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        All C++ accesses to JSObject::m_butterfly should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175039

        Reviewed by Keith Miller.

        Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
        This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
        outside the gigacage.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        We should be OK with the gigacage being disabled on gmalloc
        https://bugs.webkit.org/show_bug.cgi?id=175082

        Reviewed by Michael Saboff.

        * jsc.cpp:
        (jscmain):

2017-08-02  Saam Barati  <sbarati@apple.com>

        On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
        https://bugs.webkit.org/show_bug.cgi?id=175041
        <rdar://problem/33659370>

        Reviewed by Filip Pizlo.

        The testing I have done shows that this new function is a ~10%
        progression running JetStream on 1GB iOS devices. I've also tried
        this on a few > 1GB iOS devices, and the testing shows this is either neutral
        or a regression. Right now, we'll just enable this for <= 1GB devices
        since it's a win. In the future, we might want to either look into
        tweaking these parameters or coming up with a new function for > 1GB
        devices.

        * heap/Heap.cpp:
        * runtime/Options.h:

2017-08-01  Filip Pizlo  <fpizlo@apple.com>

        Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
        https://bugs.webkit.org/show_bug.cgi?id=174727

        Reviewed by Mark Lam.

        This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
        one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
        themselves. Basically, we do masking to ensure that the pointer points into the gigacage.

        This is neutral on JetStream.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::execute):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::readsOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
        (JSC::DFG::performFixedButterflyAccessUncaging):
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/GigacageSubspace.cpp: Added.
        (JSC::GigacageSubspace::GigacageSubspace):
        (JSC::GigacageSubspace::~GigacageSubspace):
        (JSC::GigacageSubspace::tryAllocateAlignedMemory):
        (JSC::GigacageSubspace::freeAlignedMemory):
        (JSC::GigacageSubspace::canTradeBlocksWith):
        * heap/GigacageSubspace.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalize):
        (JSC::Heap::sweepInFinalize):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::shouldDoFullCollection):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
        (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
        (JSC::Heap::sweepLargeAllocations): Deleted.
        (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
        * heap/Heap.h:
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::destroy):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::tryAllocateBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::subspace const): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::subspace const):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::freeMemory):
        (JSC::MarkedSpace::prepareForAllocation):
        (JSC::MarkedSpace::addMarkedAllocator):
        (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::firstAllocator const):
        (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::canTradeBlocksWith):
        (JSC::Subspace::tryAllocateAlignedMemory):
        (JSC::Subspace::freeAlignedMemory):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        * heap/Subspace.h:
        (JSC::Subspace::didCreateFirstAllocator):
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachAllocator):
        (JSC::Subspace::forEachMarkedBlock):
        (JSC::Subspace::forEachNotEmptyMarkedBlock):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (fillBufferWithContentsOfFile):
        (functionReadFile):
        (gigacageDisabled):
        (jscmain):
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::createFromBytes):
        (JSC::ArrayBuffer::tryCreate):
        * runtime/IndexingHeader.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/JSObject.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/ScopedArgumentsTable.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::gigacageDisabledCallback):
        (JSC::VM::gigacageDisabled):
        * runtime/VM.h:
        (JSC::VM::fireGigacageEnabledIfNecessary):
        (JSC::VM::gigacageEnabled):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::isSafeToRun):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::makeString):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::addressIsInActiveFastMemory):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::Memory::initializePreallocations): Deleted.
        (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
        * wasm/WasmMemory.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        (JSC::JSWebAssemblyMemory::finishCreation):
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):
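
The masking that the entry above describes, and the CagedPtr<> idea in the "All C++ accesses to JSObject::m_butterfly should do caging" entry, as an added example that is not WebKit's code: a pointer is caged by computing base + (ptr & (size - 1)) against a region whose size is a power of two and whose base is aligned to that size. The region here is a 64 KiB buffer obtained from malloc and aligned by hand, an assumption so the demo runs anywhere (the real Gigacage is a multi-GB virtual-memory reservation); the cagetoy namespace, the Cage and Object types and the rewired-butterfly scenario are constructed for the demo.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

namespace cagetoy {

// Constructed toy cage: a 64 KiB region whose base is aligned to its size, so the low
// 16 bits of any address are an offset into the region. The size is an assumption for
// the demo; the real Gigacage is a multi-GB reservation with the same alignment property.
constexpr std::size_t kCageSize = static_cast<std::size_t>(1) << 16;
constexpr std::uintptr_t kCageMask = static_cast<std::uintptr_t>(kCageSize - 1);

class Cage {
public:
    Cage()
        : m_raw(std::malloc(2 * kCageSize))
    {
        // Over-allocate, then round the base up to a kCageSize boundary.
        std::uintptr_t p = reinterpret_cast<std::uintptr_t>(m_raw);
        m_base = reinterpret_cast<std::uint8_t*>((p + kCageMask) & ~kCageMask);
        std::memset(m_base, 0, kCageSize);
    }
    ~Cage() { std::free(m_raw); }
    Cage(const Cage&) = delete;
    Cage& operator=(const Cage&) = delete;

    std::uint8_t* base() const { return m_base; }

    bool contains(const void* ptr) const
    {
        std::uintptr_t v = reinterpret_cast<std::uintptr_t>(ptr);
        std::uintptr_t b = reinterpret_cast<std::uintptr_t>(m_base);
        return v >= b && v < b + kCageSize;
    }

    // The caging step: base + (ptr & mask). A pointer already inside the cage comes back
    // unchanged; any other value is forced to some address inside the cage. No branch and
    // no comparison, so a JIT can emit it as a couple of ALU instructions per access.
    template<typename T>
    T* caged(T* ptr) const
    {
        std::uintptr_t offset = reinterpret_cast<std::uintptr_t>(ptr) & kCageMask;
        return reinterpret_cast<T*>(m_base + offset);
    }

private:
    void* m_raw;
    std::uint8_t* m_base;
};

// Stand-in for an object whose butterfly pointer an attacker has overwritten.
struct Object {
    std::uint32_t* butterfly;

    // Every C++ read goes through caged(), which is what adopting CagedPtr<> enforces.
    std::uint32_t loadCaged(const Cage& cage, std::size_t index) const
    {
        return cage.caged(butterfly)[index];
    }
};

// A legitimate in-cage pointer must survive caging unchanged.
inline bool inCagePointerIsUnchanged()
{
    Cage cage;
    std::uint32_t* p = reinterpret_cast<std::uint32_t*>(cage.base() + 256);
    return cage.caged(p) == p;
}

// A butterfly rewired to a buffer outside the cage must not let the read escape:
// the caged address lies in the cage and the sentinel in the outside buffer is never seen.
inline bool rewiredPointerCannotEscape()
{
    Cage cage;
    static std::uint32_t outside[4] = { 0xdeadbeef, 0xdeadbeef, 0xdeadbeef, 0xdeadbeef };
    if (cage.contains(outside))
        return false; // assumption: a static buffer never lands inside the malloc'd cage
    Object obj { outside };
    std::uint32_t* target = cage.caged(obj.butterfly);
    return cage.contains(target) && obj.loadCaged(cage, 0) != 0xdeadbeef;
}

} // namespace cagetoy

int main()
{
    std::printf("in-cage pointer unchanged: %s\n", cagetoy::inCagePointerIsUnchanged() ? "yes" : "no");
    std::printf("rewired pointer cannot escape: %s\n", cagetoy::rewiredPointerCannotEscape() ? "yes" : "no");
    return 0;
}
```

Two properties of the technique are worth keeping in mind when reading the entries: masking bounds where a corrupted auxiliary pointer can land (inside the cage) but says nothing about the offset within it, so the existing length and bounds checks on butterflies and typed arrays still have to hold; and the whole scheme relies on the cage being reserved before any auxiliary is allocated, which is why the entries above wire up a gigacageDisabled callback for the configurations where that reservation is not available.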
669
670 2017-07-31  Mark Lam  <mark.lam@apple.com>
671
672         Added some UNLIKELYs to operationOptimize().
673         https://bugs.webkit.org/show_bug.cgi?id=174976
674
675         Reviewed by JF Bastien.
676
677         * jit/JITOperations.cpp:
678
679 2017-07-31  Keith Miller  <keith_miller@apple.com>
680
681         Make more things LLInt constexprs
682         https://bugs.webkit.org/show_bug.cgi?id=174994
683
684         Reviewed by Saam Barati.
685
686         This patch makes more const values in the LLInt constexprs.
687         It also deletes all of the no longer necessary static_asserts in
688         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
689
690         * interpreter/ShadowChicken.h:
691         (JSC::ShadowChicken::Packet::tailMarker):
692         * llint/LLIntData.cpp:
693         (JSC::LLInt::Data::performAssertions):
694         * llint/LowLevelInterpreter.asm:
695         * offlineasm/generate_offset_extractor.rb:
696         * offlineasm/parser.rb:
697
698 2017-07-31  Matt Lewis  <jlewis3@apple.com>
699
700         Unreviewed, rolling out r220060.
701
702         This broke our internal builds. Contact reviewer of patch for
703         more information.
704
705         Reverted changeset:
706
707         "Merge WTFThreadData to Thread::current"
708         https://bugs.webkit.org/show_bug.cgi?id=174716
709         http://trac.webkit.org/changeset/220060
710
711 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
712
713         [JSC] Support optional catch binding
714         https://bugs.webkit.org/show_bug.cgi?id=174981
715
716         Reviewed by Saam Barati.
717
718         This patch implements optional catch binding proposal[1], which is now stage 3.
719         This proposal adds a new `catch` brace with no error value binding.
720
721             ```
722                 try {
723                     ...
724                 } catch {
725                     ...
726                 }
727             ```
728
729         Sometimes we do not actually need the error value. For example, a function may return a
730         boolean indicating whether it succeeded.
731
732             ```
733             function parse(result) // -> bool
734             {
735                  try {
736                      parseInner(result);
737                  } catch {
738                      return false;
739                  }
740                  return true;
741             }
742             ```
743
744         In the above case, we are not interested in the actual error value. Without this syntax,
745         we always need to introduce a binding for an error value that is just ignored.
746
747         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
748
749         * bytecompiler/NodesCodegen.cpp:
750         (JSC::TryNode::emitBytecode):
751         * parser/Parser.cpp:
752         (JSC::Parser<LexerType>::parseTryStatement):
753
754 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
755
756         Merge WTFThreadData to Thread::current
757         https://bugs.webkit.org/show_bug.cgi?id=174716
758
759         Reviewed by Sam Weinig.
760
761         Use Thread::current() instead.
762
763         * API/JSContext.mm:
764         (+[JSContext currentContext]):
765         (+[JSContext currentThis]):
766         (+[JSContext currentCallee]):
767         (+[JSContext currentArguments]):
768         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
769         (-[JSContext endCallbackWithData:]):
770         * heap/Heap.cpp:
771         (JSC::Heap::requestCollection):
772         * runtime/Completion.cpp:
773         (JSC::checkSyntax):
774         (JSC::checkModuleSyntax):
775         (JSC::evaluate):
776         (JSC::loadAndEvaluateModule):
777         (JSC::loadModule):
778         (JSC::linkAndEvaluateModule):
779         (JSC::importModule):
780         * runtime/Identifier.cpp:
781         (JSC::Identifier::checkCurrentAtomicStringTable):
782         * runtime/InitializeThreading.cpp:
783         (JSC::initializeThreading):
784         * runtime/JSLock.cpp:
785         (JSC::JSLock::didAcquireLock):
786         (JSC::JSLock::willReleaseLock):
787         (JSC::JSLock::dropAllLocks):
788         (JSC::JSLock::grabAllLocks):
789         * runtime/JSLock.h:
790         * runtime/VM.cpp:
791         (JSC::VM::VM):
792         (JSC::VM::updateStackLimits):
793         (JSC::VM::committedStackByteCount):
794         * runtime/VM.h:
795         (JSC::VM::isSafeToRecurse const):
796         * runtime/VMEntryScope.cpp:
797         (JSC::VMEntryScope::VMEntryScope):
798         * runtime/VMInlines.h:
799         (JSC::VM::ensureStackCapacityFor):
800         * yarr/YarrPattern.cpp:
801         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
802
803 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
804
805         [WTF] Introduce Private Symbols
806         https://bugs.webkit.org/show_bug.cgi?id=174935
807
808         Reviewed by Darin Adler.
809
810         Use SymbolImpl::isPrivate().
811
812         * builtins/BuiltinNames.cpp:
813         * builtins/BuiltinNames.h:
814         (JSC::BuiltinNames::isPrivateName): Deleted.
815         * builtins/BuiltinUtils.h:
816         * bytecode/BytecodeIntrinsicRegistry.cpp:
817         (JSC::BytecodeIntrinsicRegistry::lookup):
818         * runtime/CommonIdentifiers.cpp:
819         (JSC::CommonIdentifiers::isPrivateName): Deleted.
820         * runtime/CommonIdentifiers.h:
821         * runtime/ExceptionHelpers.cpp:
822         (JSC::createUndefinedVariableError):
823         * runtime/Identifier.h:
824         (JSC::Identifier::isPrivateName):
825         * runtime/IdentifierInlines.h:
826         (JSC::identifierToSafePublicJSValue):
827         * runtime/ObjectConstructor.cpp:
828         (JSC::objectConstructorAssign):
829         (JSC::defineProperties):
830         (JSC::setIntegrityLevel):
831         (JSC::testIntegrityLevel):
832         (JSC::ownPropertyKeys):
833         * runtime/PrivateName.h:
834         (JSC::PrivateName::PrivateName):
835         * runtime/PropertyName.h:
836         (JSC::PropertyName::isPrivateName):
837         * runtime/ProxyObject.cpp:
838         (JSC::performProxyGet):
839         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
840         (JSC::ProxyObject::performHasProperty):
841         (JSC::ProxyObject::performPut):
842         (JSC::ProxyObject::performDelete):
843         (JSC::ProxyObject::performDefineOwnProperty):
844
845 2017-07-29  Keith Miller  <keith_miller@apple.com>
846
847         LLInt offsets extractor should be able to handle C++ constexprs
848         https://bugs.webkit.org/show_bug.cgi?id=174964
849
850         Reviewed by Saam Barati.
851
852         This patch adds new syntax to the offline asm language. The new keyword,
853         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
854         expression. Additionally, if the value is not an identifier you can wrap it in
855         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
856         which will get converted into:
857         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
858
859         This patch also changes the data format the LLIntOffsetsExtractor
860         binary produces.  Previously, it would produce unsigned values;
861         after this patch every value is an int64_t.  Using an int64_t is
862         useful because it means that we can represent any constant needed.
863         int32_t masks are sign extended, then passed on and converted to a
864         negative literal string in the assembler so it will be the constant
865         expected.
866
867         * llint/LLIntOffsetsExtractor.cpp:
868         (JSC::LLIntOffsetsExtractor::dummy):
869         * llint/LowLevelInterpreter.asm:
870         * llint/LowLevelInterpreter64.asm:
871         * offlineasm/asm.rb:
872         * offlineasm/ast.rb:
873         * offlineasm/generate_offset_extractor.rb:
874         * offlineasm/offsets.rb:
875         * offlineasm/parser.rb:
876         * offlineasm/transform.rb:
877
878 2017-07-28  Matt Baker  <mattbaker@apple.com>
879
880         Web Inspector: capture an async stack trace when web content calls addEventListener
881         https://bugs.webkit.org/show_bug.cgi?id=174739
882         <rdar://problem/33468197>
883
884         Reviewed by Brian Burg.
885
886         Allow debugger agents to perform custom logic when asynchronous stack
887         trace data is cleared. For example, the PageDebuggerAgent would clear
888         its list of registered listeners for which call stacks have been recorded.
889
890         * inspector/agents/InspectorDebuggerAgent.cpp:
891         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
892         * inspector/agents/InspectorDebuggerAgent.h:
893
894 2017-07-28  Mark Lam  <mark.lam@apple.com>
895
896         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
897         https://bugs.webkit.org/show_bug.cgi?id=174948
898         <rdar://problem/33495680>
899
900         Reviewed by Filip Pizlo.
901
902         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
903         owner StructureRareData is already known to be dead (in terms of GC liveness) but
904         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
905         requests to fire this watchpoint.
906
907         If the GC had the chance to sweep the StructureRareData, thereby destructing the
908         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
909         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
910
911         But since the watchpoint hasn't been destructed yet, it still remains on the
912         WatchpointSet and needs to guard against being fired in this state.  The fix is
913         to simply return early if its owner StructureRareData is not live.  This has the
914         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
915         not firing as we would expect.
916
917         This patch also removes some cargo cult copying of watchpoint code which
918         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
919         used.  This patch removes these unnecessary instantiations.
920
921         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
922         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
923         * runtime/StructureRareData.cpp:
924         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
925         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
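
        The following is an added example, not code from JSC: a toy JavaScript model of the lifetime
        hazard this entry describes. An OwnedWatchpoint belongs to an Owner (standing in for
        StructureRareData); the collector marks the owner dead before the sweep destructs it, and a
        watchpoint fired in that window must be a no-op. The class and function names, and the use of a
        null payload to stand for memory that is no longer valid, are assumptions of the model.

```javascript
"use strict";
// Added example, not JSC code: a toy model of a watchpoint whose owner can be
// dead (marked unreachable by the GC) but not yet swept (destructor not yet run).

class WatchpointSet {
  constructor() { this.watchpoints = new Set(); }
  add(wp) { this.watchpoints.add(wp); wp.set = this; }
  remove(wp) { this.watchpoints.delete(wp); wp.set = null; }
  fireAll() {
    // Iterate over a copy: a watchpoint may remove itself while firing.
    for (const wp of [...this.watchpoints]) wp.fire();
  }
}

// Stands in for StructureRareData: a GC cell with a liveness flag and some data.
class Owner {
  constructor(payload) { this.isLive = true; this.payload = payload; }
}

class OwnedWatchpoint {
  constructor(owner, guarded, log) {
    this.owner = owner; this.guarded = guarded; this.log = log; this.set = null;
  }
  fire() {
    // The fix from the entry above: return early when the owner is not live,
    // which makes the fire a no-op.
    if (this.guarded && !this.owner.isLive) { this.log.push("ignored: owner not live"); return; }
    // Unguarded path: touches owner data that is invalid once the owner is dead.
    this.log.push(`fired: ${this.owner.payload.name}`);
  }
  // What the real destructor does: take the watchpoint off its set.
  destruct() { if (this.set) this.set.remove(this); }
}

// Runs the three-phase scenario and returns the log of what happened.
function simulate(guarded) {
  const log = [];
  const set = new WatchpointSet();
  const owner = new Owner({ name: "rare-data" });   // constructed sample owner
  const wp = new OwnedWatchpoint(owner, guarded, log);
  set.add(wp);
  set.fireAll();            // 1. owner live: the watchpoint does its work
  owner.isLive = false;     // 2. GC marks the owner dead...
  owner.payload = null;     //    ...so its data must be treated as gone (modelled as null)
  set.fireAll();            //    ...but the watchpoint is still on the set
  wp.destruct();            // 3. sweep: destructor removes the watchpoint from the set
  set.fireAll();            //    nothing is left to fire
  return log;
}

// True if the unguarded variant dereferences dead owner data: a TypeError in
// this model, a use-after-free in native code.
function unguardedFiresOnDeadOwner() {
  try { simulate(false); return false; } catch (e) { return e instanceof TypeError; }
}
```

        With the guard, the second fire is ignored and the third never reaches the watchpoint because
        the destructor already removed it from the set; without the guard, the second fire touches
        the dead owner.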
926
927 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
928
929         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
930         https://bugs.webkit.org/show_bug.cgi?id=174900
931
932         Reviewed by Saam Barati.
933
934         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
935         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
936         The problem is that the transforming phase also checks these pseudo terminals.
937
938             BB1
939             1: ForceOSRExit
940             2: CreateDirectArguments
941
942             BB2
943             3: GetButterfly(@2)
944             4: ForceOSRExit
945
946         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
947
948         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
949
950         * dfg/DFGArgumentsEliminationPhase.cpp:
951
952 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
953
954         [ES] Add support finally to Promise
955         https://bugs.webkit.org/show_bug.cgi?id=174503
956
957         Reviewed by Yusuke Suzuki.
958
959         Add support for the `finally` method to Promise according
960         to https://bugs.webkit.org/show_bug.cgi?id=174503.
961         The current spec is at stage 3:
962         https://github.com/tc39/proposal-promise-finally
963
964         * builtins/PromisePrototype.js:
965         (finally):
966         (const.valueThunk):
967         (globalPrivate.getThenFinally):
968         (const.thrower):
969         (globalPrivate.getCatchFinally):
970         * runtime/JSPromisePrototype.cpp:
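
        The following is an added example, not the builtin from this entry: a plain-JavaScript model of
        Promise.prototype.finally that follows the proposal's algorithm (thenFinally, catchFinally,
        valueThunk and thrower, the same steps the builtin functions above are named after). It is
        installed as a standalone function rather than on Promise.prototype so it never shadows the
        engine's own; the species lookup is simplified to the promise's constructor, which is an
        assumption of the model.

```javascript
"use strict";
// Added example, not JSC's builtin: Promise.prototype.finally per the stage 3
// proposal, written as a free function promiseFinally(promise, onFinally).

function valueThunk(value) { return () => value; }            // re-yields the original value
function thrower(reason) { return () => { throw reason; }; }  // re-throws the original reason

function getThenFinally(onFinally, C) {
  // Run onFinally, wait for whatever it returns, then pass the original value through.
  return (value) => {
    const result = onFinally();
    return C.resolve(result).then(valueThunk(value));
  };
}

function getCatchFinally(onFinally, C) {
  // Same, but the original rejection reason is re-thrown afterwards.
  return (reason) => {
    const result = onFinally();
    return C.resolve(result).then(thrower(reason));
  };
}

function promiseFinally(promise, onFinally) {
  const C = promise.constructor; // assumption: species lookup simplified to the constructor
  if (typeof onFinally !== "function") {
    // Spec: a non-callable onFinally is passed straight to then() for both slots.
    return promise.then(onFinally, onFinally);
  }
  return promise.then(getThenFinally(onFinally, C), getCatchFinally(onFinally, C));
}

// Exercises the observable behaviours on constructed inputs and returns a record:
//  r1: value passes through; r2: rejection passes through; r3: a throw in
//  onFinally replaces the result; r4: a pending promise from onFinally is awaited.
async function demo() {
  const log = [];
  const r1 = await promiseFinally(Promise.resolve(42), () => { log.push("cleanup1"); return 0; });
  let r2;
  try { await promiseFinally(Promise.reject(new Error("boom")), () => { log.push("cleanup2"); }); }
  catch (e) { r2 = e.message; }
  let r3;
  try { await promiseFinally(Promise.resolve(1), () => { throw new Error("replace"); }); }
  catch (e) { r3 = e.message; }
  const r4 = await promiseFinally(Promise.resolve("x"), () =>
    new Promise((resolve) => setTimeout(() => { log.push("deferred"); resolve("ignored"); }, 5)));
  return { r1, r2, r3, r4, log };
}
```

        Note that the value returned by onFinally is discarded in every case except when it rejects
        or throws, which is exactly the behaviour that distinguishes finally from then.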
971
972 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
973
974         Unreviewed, build fix for CLoop
975         https://bugs.webkit.org/show_bug.cgi?id=171637
976
977         * domjit/DOMJITGetterSetter.h:
978
979 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
980
981         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
982         https://bugs.webkit.org/show_bug.cgi?id=171637
983
984         Reviewed by Darin Adler.
985
986         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
987         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
988
989         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
990         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
991
992         In IC, we drop CheckSubClass completely since the IC's Structure check subsumes it. We do not enable this optimization for the
993         op_get_by_id_with_this case yet.
994         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
995
996         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
997         ClassInfo check.
998
999         * CMakeLists.txt:
1000         * JavaScriptCore.xcodeproj/project.pbxproj:
1001         * bytecode/AccessCase.cpp:
1002         (JSC::AccessCase::generateImpl):
1003         * bytecode/GetByIdStatus.cpp:
1004         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1005         * bytecode/GetByIdVariant.cpp:
1006         (JSC::GetByIdVariant::GetByIdVariant):
1007         (JSC::GetByIdVariant::operator=):
1008         (JSC::GetByIdVariant::attemptToMerge):
1009         (JSC::GetByIdVariant::dumpInContext):
1010         * bytecode/GetByIdVariant.h:
1011         (JSC::GetByIdVariant::customAccessorGetter):
1012         (JSC::GetByIdVariant::domAttribute):
1013         (JSC::GetByIdVariant::domJIT): Deleted.
1014         * bytecode/GetterSetterAccessCase.cpp:
1015         (JSC::GetterSetterAccessCase::create):
1016         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1017         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1018         * bytecode/GetterSetterAccessCase.h:
1019         (JSC::GetterSetterAccessCase::domAttribute):
1020         (JSC::GetterSetterAccessCase::customAccessor):
1021         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1022         * bytecompiler/BytecodeGenerator.cpp:
1023         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1024         * create_hash_table:
1025         * dfg/DFGAbstractInterpreterInlines.h:
1026         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1027         * dfg/DFGByteCodeParser.cpp:
1028         (JSC::DFG::blessCallDOMGetter):
1029         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1030         (JSC::DFG::ByteCodeParser::handleGetById):
1031         * dfg/DFGClobberize.h:
1032         (JSC::DFG::clobberize):
1033         * dfg/DFGFixupPhase.cpp:
1034         (JSC::DFG::FixupPhase::fixupNode):
1035         * dfg/DFGNode.h:
1036         * dfg/DFGSpeculativeJIT.cpp:
1037         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1038         * dfg/DFGSpeculativeJIT.h:
1039         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1040         * domjit/DOMJITGetterSetter.h:
1041         (JSC::DOMJIT::GetterSetter::GetterSetter):
1042         (JSC::DOMJIT::GetterSetter::getter):
1043         (JSC::DOMJIT::GetterSetter::compiler):
1044         (JSC::DOMJIT::GetterSetter::resultType):
1045         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1046         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1047         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1048         * ftl/FTLLowerDFGToB3.cpp:
1049         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1050         * jit/Repatch.cpp:
1051         (JSC::tryCacheGetByID):
1052         * jsc.cpp:
1053         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1054         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1055         (WTF::DOMJITGetter::customGetter):
1056         (WTF::DOMJITGetter::finishCreation):
1057         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1058         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1059         (WTF::DOMJITGetterComplex::customGetter):
1060         (WTF::DOMJITGetterComplex::finishCreation):
1061         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1062         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1063         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1064         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1065         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1066         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1067         * runtime/CustomGetterSetter.h:
1068         (JSC::CustomGetterSetter::create):
1069         (JSC::CustomGetterSetter::setter):
1070         (JSC::CustomGetterSetter::CustomGetterSetter):
1071         (): Deleted.
1072         * runtime/DOMAnnotation.h: Added.
1073         (JSC::operator==):
1074         (JSC::operator!=):
1075         * runtime/DOMAttributeGetterSetter.cpp: Added.
1076         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1077         (JSC::isDOMAttributeGetterSetter):
1078         * runtime/Error.cpp:
1079         (JSC::throwDOMAttributeGetterTypeError):
1080         * runtime/Error.h:
1081         (JSC::throwVMDOMAttributeGetterTypeError):
1082         * runtime/JSCustomGetterSetterFunction.cpp:
1083         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1084         * runtime/JSObject.cpp:
1085         (JSC::JSObject::putInlineSlow):
1086         (JSC::JSObject::deleteProperty):
1087         (JSC::JSObject::getOwnStaticPropertySlot):
1088         (JSC::JSObject::reifyAllStaticProperties):
1089         (JSC::JSObject::fillGetterPropertySlot):
1090         (JSC::JSObject::findPropertyHashEntry): Deleted.
1091         * runtime/JSObject.h:
1092         (JSC::JSObject::getOwnNonIndexPropertySlot):
1093         (JSC::JSObject::fillCustomGetterPropertySlot):
1094         * runtime/Lookup.cpp:
1095         (JSC::setUpStaticFunctionSlot):
1096         * runtime/Lookup.h:
1097         (JSC::HashTableValue::domJIT):
1098         (JSC::getStaticPropertySlotFromTable):
1099         (JSC::putEntry):
1100         (JSC::lookupPut):
1101         (JSC::reifyStaticProperty):
1102         (JSC::reifyStaticProperties):
1103         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
1104         this static property table require.
1105
1106         * runtime/ProgramExecutable.cpp:
1107         (JSC::ProgramExecutable::initializeGlobalProperties):
1108         * runtime/PropertyName.h:
1109         * runtime/PropertySlot.cpp:
1110         (JSC::PropertySlot::customGetter):
1111         (JSC::PropertySlot::customAccessorGetter):
1112         * runtime/PropertySlot.h:
1113         (JSC::PropertySlot::domAttribute):
1114         (JSC::PropertySlot::setCustom):
1115         (JSC::PropertySlot::setCacheableCustom):
1116         (JSC::PropertySlot::getValue):
1117         (JSC::PropertySlot::domJIT): Deleted.
1118         * runtime/VM.cpp:
1119         (JSC::VM::VM):
1120         * runtime/VM.h:
1121
1122 2017-07-26  Devin Rousso  <drousso@apple.com>
1123
1124         Web Inspector: create protocol for recording Canvas contexts
1125         https://bugs.webkit.org/show_bug.cgi?id=174481
1126
1127         Reviewed by Joseph Pecoraro.
1128
1129         * inspector/protocol/Canvas.json:
1130          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1131          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1132          - Add `recordingFinished` event that is fired once a recording is finished.
1133
1134         * CMakeLists.txt:
1135         * DerivedSources.make:
1136         * inspector/protocol/Recording.json: Added.
1137          - Add `Type` enum that lists the types of recordings.
1138          - Add `InitialState` type that contains information about the canvas context at the
1139            beginning of the recording.
1140          - Add `Frame` type that holds a list of actions that were recorded.
1141          - Add `Recording` type as the container object of recording data.
1142
1143         * inspector/scripts/codegen/generate_js_backend_commands.py:
1144         (JSBackendCommandsGenerator.generate_domain):
1145         Create an agent for domains with no events or commands.
1146
1147         * inspector/InspectorValues.h:
1148         Make Array `get` public so that values can be retrieved if needed.
1149
1150 2017-07-26  Brian Burg  <bburg@apple.com>
1151
1152         Remove WEB_TIMING feature flag
1153         https://bugs.webkit.org/show_bug.cgi?id=174795
1154
1155         Reviewed by Alex Christensen.
1156
1157         * Configurations/FeatureDefines.xcconfig:
1158
1159 2017-07-26  Mark Lam  <mark.lam@apple.com>
1160
1161         Add the ability to change sp and pc to the ARM64 JIT probe.
1162         https://bugs.webkit.org/show_bug.cgi?id=174697
1163         <rdar://problem/33436965>
1164
1165         Reviewed by JF Bastien.
1166
1167         This patch implements the following:
1168
1169         1. The ARM64 probe now supports modifying the pc and sp.
1170
1171            However, lr is not preserved when modifying the pc because it is used as the
1172            scratch register for the indirect jump. Hence, the probe handler function
1173            may not modify both lr and pc in the same probe invocation.
1174
1175         2. Fix probe tests to use bitwise comparison when comparing double register
1176            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1177
1178         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1179            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1180            instructions which require 16 byte alignment for their memory access.
1181
1182         * assembler/MacroAssemblerARM64.cpp:
1183         (JSC::arm64ProbeError):
1184         (JSC::MacroAssembler::probe):
1185         (JSC::arm64ProbeTrampoline): Deleted.
1186         * assembler/testmasm.cpp:
1187         (JSC::isSpecialGPR):
1188         (JSC::testProbeReadsArgumentRegisters):
1189         (JSC::testProbeWritesArgumentRegisters):
1190         (JSC::testProbePreservesGPRS):
1191         (JSC::testProbeModifiesStackPointer):
1192         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1193         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1194
1195 2017-07-25  JF Bastien  <jfbastien@apple.com>
1196
1197         WebAssembly: generate smaller binaries
1198         https://bugs.webkit.org/show_bug.cgi?id=174818
1199
1200         Reviewed by Filip Pizlo.
1201
1202         This patch reduces generated code size for WebAssembly in 2 ways:
1203
1204         1. Use the ZR register when storing zero on ARM64.
1205         2. Synthesize wasm context lazily.
1206
1207         This leads to a modest size reduction on both x86-64 and ARM64 for
1208         large WebAssembly games, without any performance loss on WasmBench
1209         and TitzerBench.
1210
1211         The reason this works is that these games, using Emscripten,
1212         generate 100k+ tiny functions, and our JIT allocation granule
1213         rounds all allocations up to 32 bytes. There are plenty of other
1214         simple gains to be had, I've filed a follow-up bug at
1215         webkit.org/b/174819
1216
1217         We should further avoid the per-function cost of tiering, which
1218         represents the bulk of code generated for small functions.
1219
1220         * assembler/MacroAssemblerARM64.h:
1221         (JSC::MacroAssemblerARM64::storeZero64):
1222         * assembler/MacroAssemblerX86_64.h:
1223         (JSC::MacroAssemblerX86_64::storeZero64):
1224         * b3/B3LowerToAir.cpp:
1225         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1226         for x86 because it constrains register reuse and codegen in a way
1227         that doesn't affect ARM64 because it has a dedicated zero
1228         register.
1229         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1230         * wasm/WasmB3IRGenerator.cpp:
1231         (JSC::Wasm::B3IRGenerator::instanceValue):
1232         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1233         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1234         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1235
1236 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1237
1238         B3 should do LICM
1239         https://bugs.webkit.org/show_bug.cgi?id=174750
1240
1241         Reviewed by Keith Miller and Saam Barati.
1242         
1243         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1244         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1245         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1246         change templatizes DFG::NaturalLoops so that we can just use it.
1247         
1248         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1249         the relationship between control dependence and side exits.
1250         
1251         Also added a bunch of tests.
1252         
1253         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1254         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1255         so it doesn't hurt to have it.
1256         
1257         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1258         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1259         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1260         eventually.
1261
1262         * CMakeLists.txt:
1263         * JavaScriptCore.xcodeproj/project.pbxproj:
1264         * b3/B3BackwardsCFG.h: Added.
1265         (JSC::B3::BackwardsCFG::BackwardsCFG):
1266         * b3/B3BackwardsDominators.h: Added.
1267         (JSC::B3::BackwardsDominators::BackwardsDominators):
1268         * b3/B3BasicBlock.cpp:
1269         (JSC::B3::BasicBlock::appendNonTerminal):
1270         * b3/B3Effects.h:
1271         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1272         (JSC::B3::ensureLoopPreHeaders):
1273         * b3/B3EnsureLoopPreHeaders.h: Added.
1274         * b3/B3Generate.cpp:
1275         (JSC::B3::generateToAir):
1276         * b3/B3HoistLoopInvariantValues.cpp: Added.
1277         (JSC::B3::hoistLoopInvariantValues):
1278         * b3/B3HoistLoopInvariantValues.h: Added.
1279         * b3/B3NaturalLoops.h: Added.
1280         (JSC::B3::NaturalLoops::NaturalLoops):
1281         * b3/B3Procedure.cpp:
1282         (JSC::B3::Procedure::invalidateCFG):
1283         (JSC::B3::Procedure::naturalLoops):
1284         (JSC::B3::Procedure::backwardsCFG):
1285         (JSC::B3::Procedure::backwardsDominators):
1286         * b3/B3Procedure.h:
1287         * b3/testb3.cpp:
1288         (JSC::B3::generateLoop):
1289         (JSC::B3::makeArrayForLoops):
1290         (JSC::B3::generateLoopNotBackwardsDominant):
1291         (JSC::B3::oneFunction):
1292         (JSC::B3::noOpFunction):
1293         (JSC::B3::testLICMPure):
1294         (JSC::B3::testLICMPureSideExits):
1295         (JSC::B3::testLICMPureWritesPinned):
1296         (JSC::B3::testLICMPureWrites):
1297         (JSC::B3::testLICMReadsLocalState):
1298         (JSC::B3::testLICMReadsPinned):
1299         (JSC::B3::testLICMReads):
1300         (JSC::B3::testLICMPureNotBackwardsDominant):
1301         (JSC::B3::testLICMPureFoiledByChild):
1302         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1303         (JSC::B3::testLICMExitsSideways):
1304         (JSC::B3::testLICMWritesLocalState):
1305         (JSC::B3::testLICMWrites):
1306         (JSC::B3::testLICMFence):
1307         (JSC::B3::testLICMWritesPinned):
1308         (JSC::B3::testLICMControlDependent):
1309         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1310         (JSC::B3::testLICMControlDependentSideExits):
1311         (JSC::B3::testLICMReadsPinnedWritesPinned):
1312         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1313         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1314         (JSC::B3::testLICMDefaultCall):
1315         (JSC::B3::run):
1316         * dfg/DFGBasicBlock.h:
1317         * dfg/DFGCFG.h:
1318         * dfg/DFGNaturalLoops.cpp: Removed.
1319         * dfg/DFGNaturalLoops.h:
1320         (JSC::DFG::NaturalLoops::NaturalLoops):
1321         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1322         (JSC::DFG::NaturalLoop::header): Deleted.
1323         (JSC::DFG::NaturalLoop::size): Deleted.
1324         (JSC::DFG::NaturalLoop::at): Deleted.
1325         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1326         (JSC::DFG::NaturalLoop::contains): Deleted.
1327         (JSC::DFG::NaturalLoop::index): Deleted.
1328         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1329         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1330         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1331         (JSC::DFG::NaturalLoops::loop): Deleted.
1332         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1333         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1334         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1335         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1336         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
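
        The following is an added example, not B3's hoistLoopInvariantValues: a minimal LICM pass in
        JavaScript over a toy SSA-style IR, showing the core of what the phase above does. A value is
        invariant when it is pure and every operand is a constant or is defined outside the loop, and
        invariant values are moved to the loop's pre-header; the pass iterates to a fixpoint because
        hoisting one value can make its users invariant. The IR shape, the assumption that a pre-header
        already exists (the role of ensureLoopPreHeaders above) and the treatment of every side-exiting
        or effectful value as non-hoistable are simplifications of this model.

```javascript
"use strict";
// Added example, not B3 code: LICM over a toy IR.
// proc.blocks: Map blockName -> array of values { id, op, args, pure }.
// args are value ids (strings) or constants (numbers).
// proc.loops: [{ preHeader, body: [blockName, ...] }]  (body includes the header)

function hoistLoopInvariantValues(proc) {
  const definedIn = new Map(); // value id -> block that defines it
  for (const [name, values] of proc.blocks) for (const v of values) definedIn.set(v.id, name);
  let hoisted = 0;
  for (const loop of proc.loops) {
    const bodySet = new Set(loop.body);
    let changed = true;
    while (changed) {
      changed = false;
      for (const name of loop.body) {
        const values = proc.blocks.get(name);
        for (let i = 0; i < values.length; i++) {
          const v = values[i];
          // Only pure values move: Phis, stores and checks (side exits) stay put.
          if (!v.pure) continue;
          const invariant = v.args.every(
            (a) => typeof a !== "string" || !bodySet.has(definedIn.get(a)));
          if (!invariant) continue;
          values.splice(i--, 1);                        // remove from the loop body...
          proc.blocks.get(loop.preHeader).push(v);      // ...append to the pre-header
          definedIn.set(v.id, loop.preHeader);
          hoisted++;
          changed = true;
        }
      }
    }
  }
  return hoisted;
}

// Constructed sample procedure: a loop computing n*8+4+i and storing it.
function exampleProcedure() {
  return {
    blocks: new Map([
      ["entry", [{ id: "n", op: "Arg", args: [], pure: true }]],
      ["preheader", []],
      ["header", [{ id: "i", op: "Phi", args: [], pure: false }]],   // loop-carried
      ["body", [
        { id: "t1", op: "Mul", args: ["n", 8], pure: true },    // invariant
        { id: "t2", op: "Add", args: ["t1", 4], pure: true },   // invariant once t1 is hoisted
        { id: "t3", op: "Add", args: ["i", "t2"], pure: true }, // uses the Phi: stays
        { id: "s", op: "Store", args: ["t3"], pure: false },    // effectful: stays
        { id: "c", op: "Check", args: ["i"], pure: false },     // side exit: stays
      ]],
    ]),
    loops: [{ preHeader: "preheader", body: ["header", "body"] }],
  };
}

// Runs the pass and reports which value ids ended up where.
function runLicmExample() {
  const proc = exampleProcedure();
  const hoisted = hoistLoopInvariantValues(proc);
  const ids = (name) => proc.blocks.get(name).map((v) => v.id);
  return { hoisted, preheader: ids("preheader"), body: ids("body") };
}
```

        The pass reports two hoisted values: t1 and t2 end up in the pre-header in definition order,
        while t3, the store and the check stay in the body.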
1337
1338 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1339
1340         GC should be fine with trading blocks between destructor and non-destructor blocks
1341         https://bugs.webkit.org/show_bug.cgi?id=174811
1342
1343         Reviewed by Mark Lam.
1344         
1345         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1346         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1347         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1348         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1349         set.
1350         
1351         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1352         is empty if:
1353         
1354         A) It has no live objects and it's a non-destructor block, or
1355         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1356         C) We just stole it from another allocator (so it also has no destructors), or
1357         D) We just swept the block and ran all destructors.
1358         
1359         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1360         block that could be stolen.
1361
1362         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1363         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1364         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1365         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1366         
1367         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1368         
1369         If we tried to enable trading of blocks between allocators without making any changes to how
1370         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1371         live objects in order for those bits to be candidates for trading. But if we do that, then our
1372         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1373         our destructors won't run and we'll leak memory.
1374         
1375         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1376         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1377         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1378         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1379         are (empty & ~destructible).
1380         
1381         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1382         remove destructor-oriented special-casing of block trading.
1383
1384         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1385         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1386         pathological cases.
1387         
1388         * heap/MarkedAllocator.cpp:
1389         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1390         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1391         (JSC::MarkedAllocator::endMarking):
1392         (JSC::MarkedAllocator::shrink):
1393         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1394         * heap/MarkedAllocator.h:
1395         * heap/MarkedBlock.cpp:
1396         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1397         (JSC::MarkedBlock::Handle::sweep):
1398         * heap/MarkedBlockInlines.h:
1399         (JSC::MarkedBlock::Handle::specializedSweep):
1400         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1401         (JSC::MarkedBlock::Handle::emptyMode):
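
Added example (editor's illustration, not JavaScriptCore code): a toy C++ model of the `empty` and `destructible` bits the entry above describes. The block and allocator names, the four-cell block size, and the assumption that every block here is a destructor block are constructed for illustration. It contrasts the old trading path, which handed an empty block away unswept, with the fixed path that sweeps a still-destructible block before trading it, and it detects the shrink candidates of case (D) as (empty & ~destructible):

```cpp
// Added example, not JavaScriptCore code: a toy model of the `empty` and
// `destructible` block bits described in the entry above. Names are assumptions.
#include <bitset>
#include <cstddef>
#include <utility>
#include <vector>

namespace toy {
constexpr size_t cellsPerBlock = 4;

struct Block {
    std::bitset<cellsPerBlock> allocated; // cells holding a constructed object
    std::bitset<cellsPerBlock> live;      // cells the last GC marked live
    int destructorsRun = 0;               // observable: were dead cells destructed?
};

struct Allocator {
    std::vector<Block> blocks;
    std::vector<bool> empty;        // "no live objects", and nothing more
    std::vector<bool> destructible; // "may hold objects whose destructors have not run"

    size_t addBlock() {
        blocks.push_back(Block());
        empty.push_back(true);
        destructible.push_back(false); // case (B): freshly allocated, nothing to destruct
        return blocks.size() - 1;
    }
    // End of marking: `empty` records liveness only; a block still holding constructed objects is destructible.
    void endMarking(const std::vector<std::bitset<cellsPerBlock>>& marks) {
        for (size_t b = 0; b < blocks.size(); ++b) {
            blocks[b].live = marks[b];
            empty[b] = marks[b].none();
            destructible[b] = blocks[b].allocated.any();
        }
    }
    // Sweep: run destructors for dead cells, then clear the bit (case (D)).
    void sweep(size_t b) {
        Block& blk = blocks[b];
        for (size_t c = 0; c < cellsPerBlock; ++c) {
            if (blk.live[c] || !blk.allocated[c]) continue;
            if (destructible[b]) ++blk.destructorsRun;
            blk.allocated.reset(c);
        }
        destructible[b] = false;
    }
    // Old behaviour: `empty` was also read as "no destructors to run", so a traded block left unswept and leaked.
    int stealEmptyBlockOld() {
        for (size_t b = 0; b < blocks.size(); ++b) {
            if (!empty[b]) continue;
            blocks[b].allocated.reset();
            return static_cast<int>(b);
        }
        return -1;
    }
    // Fixed behaviour: an empty block is a trading candidate, but it is swept first while
    // still destructible, so the receiver never sees garbage cells (case (C)).
    int findEmptyBlockToSteal() {
        for (size_t b = 0; b < blocks.size(); ++b) {
            if (!empty[b]) continue;
            if (destructible[b]) sweep(b);
            return static_cast<int>(b);
        }
        return -1;
    }
    // Shrink: only blocks that are (empty & ~destructible) may be released.
    size_t releasableBlocks() const {
        size_t n = 0;
        for (size_t b = 0; b < blocks.size(); ++b)
            if (empty[b] && !destructible[b]) ++n;
        return n;
    }
};

// One block holding two dead objects, then a trade: {destructors run by old path, by fixed path}.
inline std::pair<int, int> compareTradingPaths() {
    int runs[2] = { 0, 0 };
    for (int variant = 0; variant < 2; ++variant) {
        Allocator a;
        size_t b = a.addBlock();
        a.blocks[b].allocated.set(0).set(1);            // two constructed objects
        a.endMarking({ std::bitset<cellsPerBlock>() }); // the GC marked nothing live
        if (variant == 0) a.stealEmptyBlockOld(); else a.findEmptyBlockToSteal();
        runs[variant] = a.blocks[b].destructorsRun;
    }
    return { runs[0], runs[1] };
}

// {releasable blocks right after marking, releasable blocks after sweeping}
inline std::pair<size_t, size_t> releasableBeforeAndAfterSweep() {
    Allocator a;
    size_t b = a.addBlock();
    a.blocks[b].allocated.set(0);
    a.endMarking({ std::bitset<cellsPerBlock>() });
    size_t before = a.releasableBlocks();
    a.sweep(b);
    return { before, a.releasableBlocks() };
}
}
```

compareTradingPaths() returns {0, 2}: the old path never runs the two destructors, which is the leak the entry describes, while the fixed path runs them before the block changes hands. releasableBeforeAndAfterSweep() returns {0, 1}, since a block becomes a shrink candidate only once it is both empty and no longer destructible.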
1402
1403 2017-07-25  Keith Miller  <keith_miller@apple.com>
1404
1405         Remove Broken CompareEq constant folding phase.
1406         https://bugs.webkit.org/show_bug.cgi?id=174846
1407         <rdar://problem/32978808>
1408
1409         Reviewed by Saam Barati.
1410
1411         This bug happened when we would get code like the following:
1412
1413         a: JSConst(Undefined)
1414         b: GetLocal(SomeObjectOrUndefined)
1415         ...
1416         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1417
1418         constant folding will turn this into:
1419
1420         a: JSConst(Undefined)
1421         b: GetLocal(SomeObjectOrUndefined)
1422         ...
1423         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1424
1425         But the SpeculativeJIT/FTL lowering will fail to check b
1426         properly which leads to an assertion failure in the AI.
1427
1428         I'll follow up with a more robust fix later. For now, I'll remove the
1429         case that generates the code. Removing the code appears to be perf
1430         neutral.
1431
1432         * dfg/DFGConstantFoldingPhase.cpp:
1433         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1434
1435 2017-07-25  Matt Baker  <mattbaker@apple.com>
1436
1437         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1438         https://bugs.webkit.org/show_bug.cgi?id=174738
1439
1440         Reviewed by Brian Burg.
1441
1442         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1443         stack traces. This preserves the call type in JSC, makes the range of
1444         possible call types explicit, and is safer than passing ints.
1445
1446         * inspector/agents/InspectorDebuggerAgent.cpp:
1447         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1448         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1449         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1450         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1451         * inspector/agents/InspectorDebuggerAgent.h:
1452
1453 2017-07-25  Mark Lam  <mark.lam@apple.com>
1454
1455         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1456         https://bugs.webkit.org/show_bug.cgi?id=174809
1457         <rdar://problem/33504759>
1458
1459         Reviewed by Filip Pizlo.
1460
1461         1. When the probe handler function changes the sp register to point to the
1462            region of stack in the middle of the ProbeContext on the stack, there is a
1463            bug where the ProbeContext's register values to be restored can be over-written
1464            before they can be restored.  This is now fixed.
1465
1466         2. Added more robust probe tests for changing the sp register.
1467
1468         3. Made existing probe tests ensure that probe handlers were actually called.
1469
1470         4. Added some verification to testProbePreservesGPRS().
1471
1472         5. Changed all the probe tests to fail early on discovering an error instead of
1473            batching till the end of the test.  This helps point a finger to the failing
1474            issue earlier.
1475
1476         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1477         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1478
1479         * assembler/MacroAssemblerARM.cpp:
1480         * assembler/MacroAssemblerARMv7.cpp:
1481         * assembler/MacroAssemblerX86Common.cpp:
1482         * assembler/testmasm.cpp:
1483         (JSC::testProbeReadsArgumentRegisters):
1484         (JSC::testProbeWritesArgumentRegisters):
1485         (JSC::testProbePreservesGPRS):
1486         (JSC::testProbeModifiesStackPointer):
1487         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1488         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1489         (JSC::testProbeModifiesProgramCounter):
1490         (JSC::run):
1491
1492 2017-07-25  Brian Burg  <bburg@apple.com>
1493
1494         Web Automation: add support for uploading files
1495         https://bugs.webkit.org/show_bug.cgi?id=174797
1496         <rdar://problem/28485063>
1497
1498         Reviewed by Joseph Pecoraro.
1499
1500         * inspector/scripts/generate-inspector-protocol-bindings.py:
1501         (generate_from_specification):
1502         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1503
1504         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1505         (CppFrontendDispatcherImplementationGenerator.generate_output):
1506         Use a framework include for InspectorFrontendRouter.h since this generated code
1507         will be compiled outside of WebCore.framework.
1508
1509         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1510         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1511         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1512         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1513         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1514         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1515         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1516         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1517         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1518         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1519         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1520         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1521         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1522         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1523         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1524         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1525         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1526         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1527         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1528         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1529         Rebaseline code generator tests.
1530
1531 2017-07-24  Mark Lam  <mark.lam@apple.com>
1532
1533         Gardening: fixed C Loop build after r219790.
1534         https://bugs.webkit.org/show_bug.cgi?id=174696
1535
1536         Not reviewed.
1537
1538         * assembler/testmasm.cpp:
1539
1540 2017-07-23  Mark Lam  <mark.lam@apple.com>
1541
1542         Create regression tests for the JIT probe.
1543         https://bugs.webkit.org/show_bug.cgi?id=174696
1544         <rdar://problem/33436922>
1545
1546         Reviewed by Saam Barati.
1547
1548         The new testmasm will test the following:
1549         1. the probe is able to read the value of CPU registers.
1550         2. the probe is able to write the value of CPU registers.
1551         3. the probe is able to preserve all CPU registers.
1552         4. special case of (2): the probe is able to change the value of the stack pointer.
1553         5. special case of (2): the probe is able to change the value of the program counter
1554            i.e. the probe can change where the code continues executing upon returning from
1555            the probe.
1556
1557         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
1558         because it does not support changing the sp and pc yet.  The ARM64 probe
1559         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
1560         later.
1561
1562         * Configurations/ToolExecutable.xcconfig:
1563         * JavaScriptCore.xcodeproj/project.pbxproj:
1564         * assembler/MacroAssembler.h:
1565         (JSC::MacroAssembler::CPUState::pc):
1566         (JSC::MacroAssembler::CPUState::fp):
1567         (JSC::MacroAssembler::CPUState::sp):
1568         (JSC::ProbeContext::pc):
1569         (JSC::ProbeContext::fp):
1570         (JSC::ProbeContext::sp):
1571         * assembler/MacroAssemblerARM64.cpp:
1572         (JSC::arm64ProbeTrampoline):
1573         * assembler/MacroAssemblerPrinter.cpp:
1574         (JSC::Printer::printPCRegister):
1575         * assembler/testmasm.cpp: Added.
1576         (hiddenTruthBecauseNoReturnIsStupid):
1577         (usage):
1578         (JSC::nextID):
1579         (JSC::isPC):
1580         (JSC::isSP):
1581         (JSC::isFP):
1582         (JSC::compile):
1583         (JSC::invoke):
1584         (JSC::compileAndRun):
1585         (JSC::testSimple):
1586         (JSC::testProbeReadsArgumentRegisters):
1587         (JSC::testProbeWritesArgumentRegisters):
1588         (JSC::testFunctionToTrashRegisters):
1589         (JSC::testProbePreservesGPRS):
1590         (JSC::testProbeModifiesStackPointer):
1591         (JSC::testProbeModifiesProgramCounter):
1592         (JSC::run):
1593         (run):
1594         (main):
1595         * b3/air/testair.cpp:
1596         (usage):
1597         * shell/CMakeLists.txt:
1598
1599 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
1600
1601         It should be easy to decide how WebKit yields
1602         https://bugs.webkit.org/show_bug.cgi?id=174298
1603
1604         Reviewed by Saam Barati.
1605         
1606         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
1607
1608         * heap/Heap.cpp:
1609         (JSC::Heap::resumeThePeriphery):
1610         * heap/VisitingTimeout.h:
1611         * runtime/JSCell.cpp:
1612         (JSC::JSCell::lockSlow):
1613         (JSC::JSCell::unlockSlow):
1614         * runtime/JSCell.h:
1615         * runtime/JSCellInlines.h:
1616         (JSC::JSCell::lock):
1617         (JSC::JSCell::unlock):
1618         * runtime/JSLock.cpp:
1619         (JSC::JSLock::grabAllLocks):
1620         * runtime/SamplingProfiler.cpp:
1621
1622 2017-07-21  Mark Lam  <mark.lam@apple.com>
1623
1624         Refactor MASM probe CPUState to use arrays for register storage.
1625         https://bugs.webkit.org/show_bug.cgi?id=174694
1626
1627         Reviewed by Keith Miller.
1628
1629         Using arrays for register storage in CPUState allows us to do away with the
1630         huge switch statements to decode each register id.  We can now simply index into
1631         the arrays.
1632
1633         With this patch, we now:
1634
1635         1. Remove the need for macros for defining the list of CPU registers.
1636            We can go back to simple enums.  This makes the code easier to read.
1637
1638         2. Make the assembler the authority on register names.
1639            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
1640            GPRInfo and FPRInfo now forward to the assembler.
1641
1642         3. Make the assembler the authority on the number of registers of each type.
1643
1644         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
1645            This is inconsistent with how every other CPU architecture implements
1646            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
1647            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
1648
1649         * assembler/ARM64Assembler.h:
1650         (JSC::ARM64Assembler::numberOfRegisters):
1651         (JSC::ARM64Assembler::firstSPRegister):
1652         (JSC::ARM64Assembler::lastSPRegister):
1653         (JSC::ARM64Assembler::numberOfSPRegisters):
1654         (JSC::ARM64Assembler::numberOfFPRegisters):
1655         (JSC::ARM64Assembler::gprName):
1656         (JSC::ARM64Assembler::sprName):
1657         (JSC::ARM64Assembler::fprName):
1658         * assembler/ARMAssembler.h:
1659         (JSC::ARMAssembler::numberOfRegisters):
1660         (JSC::ARMAssembler::firstSPRegister):
1661         (JSC::ARMAssembler::lastSPRegister):
1662         (JSC::ARMAssembler::numberOfSPRegisters):
1663         (JSC::ARMAssembler::numberOfFPRegisters):
1664         (JSC::ARMAssembler::gprName):
1665         (JSC::ARMAssembler::sprName):
1666         (JSC::ARMAssembler::fprName):
1667         * assembler/ARMv7Assembler.h:
1668         (JSC::ARMv7Assembler::lastRegister):
1669         (JSC::ARMv7Assembler::numberOfRegisters):
1670         (JSC::ARMv7Assembler::firstSPRegister):
1671         (JSC::ARMv7Assembler::lastSPRegister):
1672         (JSC::ARMv7Assembler::numberOfSPRegisters):
1673         (JSC::ARMv7Assembler::numberOfFPRegisters):
1674         (JSC::ARMv7Assembler::gprName):
1675         (JSC::ARMv7Assembler::sprName):
1676         (JSC::ARMv7Assembler::fprName):
1677         * assembler/AbstractMacroAssembler.h:
1678         (JSC::AbstractMacroAssembler::numberOfRegisters):
1679         (JSC::AbstractMacroAssembler::gprName):
1680         (JSC::AbstractMacroAssembler::firstSPRegister):
1681         (JSC::AbstractMacroAssembler::lastSPRegister):
1682         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
1683         (JSC::AbstractMacroAssembler::sprName):
1684         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
1685         (JSC::AbstractMacroAssembler::fprName):
1686         * assembler/MIPSAssembler.h:
1687         (JSC::MIPSAssembler::numberOfRegisters):
1688         (JSC::MIPSAssembler::firstSPRegister):
1689         (JSC::MIPSAssembler::lastSPRegister):
1690         (JSC::MIPSAssembler::numberOfSPRegisters):
1691         (JSC::MIPSAssembler::numberOfFPRegisters):
1692         (JSC::MIPSAssembler::gprName):
1693         (JSC::MIPSAssembler::sprName):
1694         (JSC::MIPSAssembler::fprName):
1695         * assembler/MacroAssembler.h:
1696         (JSC::MacroAssembler::CPUState::gprName):
1697         (JSC::MacroAssembler::CPUState::sprName):
1698         (JSC::MacroAssembler::CPUState::fprName):
1699         (JSC::MacroAssembler::CPUState::gpr):
1700         (JSC::MacroAssembler::CPUState::spr):
1701         (JSC::MacroAssembler::CPUState::fpr):
1702         (JSC::MacroAssembler::CPUState::pc):
1703         (JSC::MacroAssembler::CPUState::fp):
1704         (JSC::MacroAssembler::CPUState::sp):
1705         (JSC::ProbeContext::gpr):
1706         (JSC::ProbeContext::spr):
1707         (JSC::ProbeContext::fpr):
1708         (JSC::ProbeContext::gprName):
1709         (JSC::ProbeContext::sprName):
1710         (JSC::ProbeContext::fprName):
1711         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1712         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1713         * assembler/MacroAssemblerARM.cpp:
1714         * assembler/MacroAssemblerARM64.cpp:
1715         (JSC::arm64ProbeTrampoline):
1716         * assembler/MacroAssemblerARMv7.cpp:
1717         * assembler/MacroAssemblerPrinter.cpp:
1718         (JSC::Printer::nextID):
1719         (JSC::Printer::printAllRegisters):
1720         (JSC::Printer::printPCRegister):
1721         (JSC::Printer::printRegisterID):
1722         (JSC::Printer::printAddress):
1723         * assembler/MacroAssemblerX86Common.cpp:
1724         * assembler/X86Assembler.h:
1725         (JSC::X86Assembler::numberOfRegisters):
1726         (JSC::X86Assembler::firstSPRegister):
1727         (JSC::X86Assembler::lastSPRegister):
1728         (JSC::X86Assembler::numberOfSPRegisters):
1729         (JSC::X86Assembler::numberOfFPRegisters):
1730         (JSC::X86Assembler::gprName):
1731         (JSC::X86Assembler::sprName):
1732         (JSC::X86Assembler::fprName):
1733         * jit/FPRInfo.h:
1734         (JSC::FPRInfo::debugName):
1735         * jit/GPRInfo.h:
1736         (JSC::GPRInfo::debugName):
1737         * jit/RegisterSet.cpp:
1738         (JSC::RegisterSet::reservedHardwareRegisters):
1739
1740 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1741
1742         [JSC] Introduce static symbols
1743         https://bugs.webkit.org/show_bug.cgi?id=158863
1744
1745         Reviewed by Darin Adler.
1746
1747         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1748         As a result, we can share the same Symbol values between VMs and threads.
1749         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1750
1751         * CMakeLists.txt:
1752         * JavaScriptCore.xcodeproj/project.pbxproj:
1753         * builtins/BuiltinNames.cpp: Added.
1754         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1755
1756         * builtins/BuiltinNames.h:
1757         (JSC::BuiltinNames::BuiltinNames):
1758         * builtins/BuiltinUtils.h:
1759
1760 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1761
1762         [FTL] Arguments elimination is suppressed by unreachable blocks
1763         https://bugs.webkit.org/show_bug.cgi?id=174352
1764
1765         Reviewed by Filip Pizlo.
1766
1767         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
1768         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
1769         Since GetById without information can escape arguments if it is specified, non-executed code including
1770         op_get_by_id with arguments can escape arguments.
1771
1772         For example,
1773
1774             function test(flag)
1775             {
1776                 if (flag) {
1777                     // This is not executed, but emits GetById with arguments.
1778                     // It prevents us from eliminating materialization.
1779                     return arguments.length;
1780                 }
1781                 return arguments.length;
1782             }
1783             noInline(test);
1784             while (true)
1785                 test(false);
1786
1787         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
1788         So this GetById exists and escapes arguments.
1789
1790         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
1791         If it is shown, the following GetById does not escape arguments. Compared to performing AI, it is
1792         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
1793
1794         * dfg/DFGArgumentsEliminationPhase.cpp:
1795         * dfg/DFGNode.h:
1796         (JSC::DFG::Node::isPseudoTerminal):
1797         * dfg/DFGValidate.cpp:
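
Added example (editor's illustration, not DFG code): a toy C++ walk over a basic block showing the check the entry describes, where a pseudo-terminal node earlier in the block means a later GetById on `arguments` cannot be an escape. The Node struct, the Op names and the two constructed blocks are assumptions; the second block mirrors the `if (flag)` branch from the entry's JavaScript once profiling has marked its op_get_by_id unpredictable:

```cpp
// Added example, not DFG code: does `arguments` escape in this block?
// Node layout and op names are assumptions made for the illustration.
#include <vector>

namespace toy {
enum class Op { GetLocal, ForceOSRExit, GetById, Return, Unreachable };

struct Node {
    Op op;
    bool readsArguments = false; // does this node take the `arguments` object as input?
    // Pseudo-terminal: nothing after it in the block ever executes.
    bool isPseudoTerminal() const { return op == Op::ForceOSRExit || op == Op::Unreachable; }
};

// Before: every GetById that consumes `arguments` counts as an escape,
// whether or not control can ever reach it.
inline bool argumentsEscapeNaive(const std::vector<Node>& block) {
    for (const Node& node : block)
        if (node.op == Op::GetById && node.readsArguments) return true;
    return false;
}

// After: stop at the first pseudo-terminal. Nodes behind it are dead, so a
// GetById there cannot escape `arguments`. Far cheaper than running AI first.
inline bool argumentsEscape(const std::vector<Node>& block) {
    for (const Node& node : block) {
        if (node.isPseudoTerminal()) return false;
        if (node.op == Op::GetById && node.readsArguments) return true;
    }
    return false;
}

// Constructed: the never-executed branch, with ForceOSRExit emitted ahead of the GetById.
inline std::vector<Node> unexecutedBranch() {
    return { { Op::GetLocal }, { Op::ForceOSRExit }, { Op::GetById, true }, { Op::Return } };
}

// Constructed: the executed branch, whose GetById really does run.
inline std::vector<Node> executedBranch() {
    return { { Op::GetLocal }, { Op::GetById, true }, { Op::Return } };
}
}
```

argumentsEscapeNaive() reports an escape for both blocks, which is what blocked elimination; argumentsEscape() reports one only for executedBranch(), so materialization can be eliminated in the unexecuted case without a full abstract-interpretation pass.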
1798
1799 2017-07-20  Chris Dumez  <cdumez@apple.com>
1800
1801         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
1802         https://bugs.webkit.org/show_bug.cgi?id=174660
1803
1804         Reviewed by Geoffrey Garen.
1805
1806         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
1807         This essentially replaces a branch to figure out if the new size is less or greater than the
1808         current size by an assertion.
1809
1810         * b3/B3BasicBlockUtils.h:
1811         (JSC::B3::clearPredecessors):
1812         * b3/B3InferSwitches.cpp:
1813         * b3/B3LowerToAir.cpp:
1814         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1815         * b3/B3ReduceStrength.cpp:
1816         * b3/B3SparseCollection.h:
1817         (JSC::B3::SparseCollection::packIndices):
1818         * b3/B3UseCounts.cpp:
1819         (JSC::B3::UseCounts::UseCounts):
1820         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1821         * b3/air/AirEmitShuffle.cpp:
1822         (JSC::B3::Air::emitShuffle):
1823         * b3/air/AirLowerAfterRegAlloc.cpp:
1824         (JSC::B3::Air::lowerAfterRegAlloc):
1825         * b3/air/AirOptimizeBlockOrder.cpp:
1826         (JSC::B3::Air::optimizeBlockOrder):
1827         * bytecode/Operands.h:
1828         (JSC::Operands::ensureLocals):
1829         * bytecode/PreciseJumpTargets.cpp:
1830         (JSC::computePreciseJumpTargetsInternal):
1831         * dfg/DFGBlockInsertionSet.cpp:
1832         (JSC::DFG::BlockInsertionSet::execute):
1833         * dfg/DFGBlockMapInlines.h:
1834         (JSC::DFG::BlockMap<T>::BlockMap):
1835         * dfg/DFGByteCodeParser.cpp:
1836         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1837         (JSC::DFG::ByteCodeParser::clearCaches):
1838         * dfg/DFGDisassembler.cpp:
1839         (JSC::DFG::Disassembler::Disassembler):
1840         * dfg/DFGFlowIndexing.cpp:
1841         (JSC::DFG::FlowIndexing::recompute):
1842         * dfg/DFGGraph.cpp:
1843         (JSC::DFG::Graph::registerFrozenValues):
1844         * dfg/DFGInPlaceAbstractState.cpp:
1845         (JSC::DFG::setLiveValues):
1846         * dfg/DFGLICMPhase.cpp:
1847         (JSC::DFG::LICMPhase::run):
1848         * dfg/DFGLivenessAnalysisPhase.cpp:
1849         * dfg/DFGNaturalLoops.cpp:
1850         (JSC::DFG::NaturalLoops::NaturalLoops):
1851         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1852         * ftl/FTLLowerDFGToB3.cpp:
1853         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1854         * heap/CodeBlockSet.cpp:
1855         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1856         * heap/MarkedSpace.cpp:
1857         (JSC::MarkedSpace::sweepLargeAllocations):
1858         * inspector/ContentSearchUtilities.cpp:
1859         (Inspector::ContentSearchUtilities::findMagicComment):
1860         * interpreter/ShadowChicken.cpp:
1861         (JSC::ShadowChicken::update):
1862         * parser/ASTBuilder.h:
1863         (JSC::ASTBuilder::shrinkOperandStackBy):
1864         * parser/Lexer.h:
1865         (JSC::Lexer::setOffset):
1866         * runtime/RegExpInlines.h:
1867         (JSC::RegExp::matchInline):
1868         * runtime/RegExpPrototype.cpp:
1869         (JSC::genericSplit):
1870         * yarr/RegularExpression.cpp:
1871         (JSC::Yarr::RegularExpression::match):
1872
1873 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1874
1875         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
1876         https://bugs.webkit.org/show_bug.cgi?id=174678
1877
1878         Reviewed by Mark Lam.
1879
1880         Use Thread& instead.
1881
1882         * runtime/JSLock.cpp:
1883         (JSC::JSLock::didAcquireLock):
1884
1885 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1886
1887         [WTF] Implement WTF::ThreadGroup
1888         https://bugs.webkit.org/show_bug.cgi?id=174081
1889
1890         Reviewed by Mark Lam.
1891
1892         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1893         And SamplingProfiler and others interact with WTF::Thread directly.
1894
1895         * API/tests/ExecutionTimeLimitTest.cpp:
1896         * heap/MachineStackMarker.cpp:
1897         (JSC::MachineThreads::MachineThreads):
1898         (JSC::captureStack):
1899         (JSC::MachineThreads::tryCopyOtherThreadStack):
1900         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1901         (JSC::MachineThreads::gatherConservativeRoots):
1902         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1903         (JSC::ActiveMachineThreadsManager::add): Deleted.
1904         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1905         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1906         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1907         (JSC::activeMachineThreadsManager): Deleted.
1908         (JSC::MachineThreads::~MachineThreads): Deleted.
1909         (JSC::MachineThreads::addCurrentThread): Deleted.
1910         (): Deleted.
1911         (JSC::MachineThreads::removeThread): Deleted.
1912         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1913         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1914         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1915         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1916         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1917         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1918         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1919         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1920         * heap/MachineStackMarker.h:
1921         (JSC::MachineThreads::addCurrentThread):
1922         (JSC::MachineThreads::getLock):
1923         (JSC::MachineThreads::threads):
1924         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1925         (JSC::MachineThreads::MachineThread::resume): Deleted.
1926         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1927         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1928         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1929         (JSC::MachineThreads::threadsListHead): Deleted.
1930         * runtime/SamplingProfiler.cpp:
1931         (JSC::FrameWalker::isValidFramePointer):
1932         (JSC::SamplingProfiler::SamplingProfiler):
1933         (JSC::SamplingProfiler::takeSample):
1934         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1935         * runtime/SamplingProfiler.h:
1936         * wasm/WasmMachineThreads.cpp:
1937         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1938
1939 2017-07-18  Andy Estes  <aestes@apple.com>
1940
1941         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
1942         https://bugs.webkit.org/show_bug.cgi?id=174631
1943
1944         Reviewed by Tim Horton.
1945
1946         * Configurations/Base.xcconfig:
1947         * b3/B3FoldPathConstants.cpp:
1948         * b3/B3LowerMacros.cpp:
1949         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1950         * dfg/DFGByteCodeParser.cpp:
1951         (JSC::DFG::ByteCodeParser::check):
1952         (JSC::DFG::ByteCodeParser::planLoad):
1953
1954 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1955
1956         WTF::Thread should have the thread's stack bounds.
1957         https://bugs.webkit.org/show_bug.cgi?id=173975
1958
1959         Reviewed by Mark Lam.
1960
1961         There is a site in JSC that tries to walk another thread's stack.
1962         Currently, stack bounds are stored in WTFThreadData which is located
1963         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1964         We work around this situation by holding StackBounds in MachineThread in JSC,
1965         but StackBounds should be put in WTF::Thread instead.
1966
1967         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
1968         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
1969
1970         * heap/MachineStackMarker.cpp:
1971         (JSC::MachineThreads::MachineThread::MachineThread):
1972         (JSC::MachineThreads::MachineThread::captureStack):
1973         * heap/MachineStackMarker.h:
1974         (JSC::MachineThreads::MachineThread::stackBase):
1975         (JSC::MachineThreads::MachineThread::stackEnd):
1976         * runtime/VMTraps.cpp:
1977
1978 2017-07-18  Andy Estes  <aestes@apple.com>
1979
1980         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
1981         https://bugs.webkit.org/show_bug.cgi?id=174631
1982
1983         Reviewed by Sam Weinig.
1984
1985         * Configurations/Base.xcconfig:
1986
1987 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
1988
1989         Web Inspector: Modernize InjectedScriptSource
1990         https://bugs.webkit.org/show_bug.cgi?id=173890
1991
1992         Reviewed by Brian Burg.
1993
1994         * inspector/InjectedScript.h:
1995         Reorder functions to be slightly better.
1996
1997         * inspector/InjectedScriptSource.js:
1998         - Convert to classes named InjectedScript and RemoteObject
1999         - Align InjectedScript's API with the wrapper C++ interfaces
2000         - Move some code to RemoteObject where appropriate (subtype, describe)
2001         - Move some code to helper functions (isPrimitiveValue, isDefined)
2002         - Refactor for readability and modern features
2003         - Remove some unused / unnecessary code
2004
2005 2017-07-18  Mark Lam  <mark.lam@apple.com>
2006
2007         Butterfly storage need not be initialized for indexing type Undecided.
2008         https://bugs.webkit.org/show_bug.cgi?id=174516
2009
2010         Reviewed by Saam Barati.
2011
2012         While it's not incorrect to initialize the butterfly storage when the
2013         indexingType is Undecided, it is inefficient as we'll end up initializing
2014         it again later when we convert the storage to a different indexingType.
2015         Some of our code already skips initializing Undecided butterflies.
2016         This patch makes it the consistent behavior everywhere.
2017
2018         * dfg/DFGSpeculativeJIT.cpp:
2019         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2020         * runtime/JSArray.cpp:
2021         (JSC::JSArray::tryCreateUninitializedRestricted):
2022         * runtime/JSArray.h:
2023         (JSC::JSArray::tryCreate):
2024         * runtime/JSObject.cpp:
2025         (JSC::JSObject::ensureLengthSlow):
2026
2027 2017-07-18  Saam Barati  <sbarati@apple.com>
2028
2029         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2030         https://bugs.webkit.org/show_bug.cgi?id=174515
2031         <rdar://problem/33358092>
2032
2033         Reviewed by Filip Pizlo.
2034
2035         AirLowerAfterRegAlloc was computing the set of available scratch
2036         registers incorrectly. It was always excluding callee save registers
2037         from the set of live registers. It did not guarantee that live callee save
2038         registers were not in the set of scratch registers that could
2039         get clobbered. That's incorrect as the shuffling code is free
2040         to overwrite whatever is in the scratch register it gets passed.
2041
2042         * b3/air/AirLowerAfterRegAlloc.cpp:
2043         (JSC::B3::Air::lowerAfterRegAlloc):
2044         * b3/testb3.cpp:
2045         (JSC::B3::functionNineArgs):
2046         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2047         (JSC::B3::run):
2048         * jit/RegisterSet.h:
2049
2050 2017-07-18  Andy Estes  <aestes@apple.com>
2051
2052         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2053         https://bugs.webkit.org/show_bug.cgi?id=174631
2054
2055         Reviewed by Dan Bernstein.
2056
2057         * Configurations/Base.xcconfig:
2058
2059 2017-07-18  Devin Rousso  <drousso@apple.com>
2060
2061         Web Inspector: Add memoryCost to Inspector Protocol objects
2062         https://bugs.webkit.org/show_bug.cgi?id=174478
2063
2064         Reviewed by Joseph Pecoraro.
2065
2066         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
2067         plus the memoryCost of the data if it is a string.
2068
2069         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2070
2071         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2072         key plus the memoryCost of the InspectorValue for each entry.
2073
2074         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2075
2076         * inspector/InspectorValues.h:
2077         * inspector/InspectorValues.cpp:
2078         (Inspector::InspectorValue::memoryCost):
2079         (Inspector::InspectorObjectBase::memoryCost):
2080         (Inspector::InspectorArrayBase::memoryCost):
2081
2082 2017-07-18  Andy Estes  <aestes@apple.com>
2083
2084         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2085         https://bugs.webkit.org/show_bug.cgi?id=174631
2086
2087         Reviewed by Darin Adler.
2088
2089         * Configurations/Base.xcconfig:
2090
2091 2017-07-18  Michael Saboff  <msaboff@apple.com>
2092
2093         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2094         https://bugs.webkit.org/show_bug.cgi?id=174601
2095
2096         Reviewed by Alex Christensen.
2097
2098         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2099         objects after a regular expression has been compiled.
2100
2101         * runtime/Options.h:
2102         * yarr/YarrPattern.cpp:
2103         (JSC::Yarr::YarrPattern::compile):
2104         (JSC::Yarr::indentForNestingLevel):
2105         (JSC::Yarr::dumpUChar32):
2106         (JSC::Yarr::PatternAlternative::dump):
2107         (JSC::Yarr::PatternTerm::dumpQuantifier):
2108         (JSC::Yarr::PatternTerm::dump):
2109         (JSC::Yarr::PatternDisjunction::dump):
2110         (JSC::Yarr::YarrPattern::dumpPattern):
2111         * yarr/YarrPattern.h:
2112         (JSC::Yarr::YarrPattern::global):
2113
2114 2017-07-17  Darin Adler  <darin@apple.com>
2115
2116         Improve use of NeverDestroyed
2117         https://bugs.webkit.org/show_bug.cgi?id=174348
2118
2119         Reviewed by Sam Weinig.
2120
2121         * heap/MachineStackMarker.cpp:
2122         * wasm/WasmMemory.cpp:
2123         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2124         of NeverDestroyed.
2125
2126 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2127
2128         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2129         https://bugs.webkit.org/show_bug.cgi?id=174547
2130
2131         Reviewed by Alex Christensen.
2132
2133         * CMakeLists.txt:
2134         * shell/CMakeLists.txt:
2135
2136 2017-07-17  Saam Barati  <sbarati@apple.com>
2137
2138         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2139         https://bugs.webkit.org/show_bug.cgi?id=174584
2140
2141         Rubber stamped by Keith Miller.
2142
2143         I used it to diagnose a bug. The bug is now fixed. This custom
2144         RELEASE_ASSERT is no longer needed.
2145
2146         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2147
2148 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2149
2150         -Wformat-truncation warning in ConfigFile.cpp
2151         https://bugs.webkit.org/show_bug.cgi?id=174506
2152
2153         Reviewed by Darin Adler.
2154
2155         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2156         return ParseError.
2157
2158         * runtime/ConfigFile.cpp:
2159         (JSC::ConfigFile::parse):
2160
2161 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2162
2163         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2164         https://bugs.webkit.org/show_bug.cgi?id=174557
2165
2166         Reviewed by Michael Catanzaro.
2167
2168         * CMakeLists.txt:
2169
2170 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2171
2172         [WTF] Use std::unique_ptr for StackTrace
2173         https://bugs.webkit.org/show_bug.cgi?id=174495
2174
2175         Reviewed by Alex Christensen.
2176
2177         * runtime/ExceptionScope.cpp:
2178         (JSC::ExceptionScope::unexpectedExceptionMessage):
2179         * runtime/VM.cpp:
2180         (JSC::VM::throwException):
2181
2182 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2183
2184         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2185         https://bugs.webkit.org/show_bug.cgi?id=174423
2186
2187         Reviewed by Saam Barati.
2188
2189         * dfg/DFGAvailabilityMap.cpp:
2190         (JSC::DFG::AvailabilityMap::pruneHeap):
2191         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2192
2193 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2194
2195         Fix compiler warnings when building with GCC 7
2196         https://bugs.webkit.org/show_bug.cgi?id=174463
2197
2198         Reviewed by Darin Adler.
2199
2200         * disassembler/udis86/udis86_decode.c:
2201         (decode_operand):
2202
2203 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2204
2205         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2206         https://bugs.webkit.org/show_bug.cgi?id=174467
2207
2208         Reviewed by Saam Barati.
2209
2210         * bytecode/CallLinkInfo.cpp:
2211         (JSC::CallLinkInfo::callTypeFor):
2212
2213 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2214
2215         Web Inspector: Remove unused and untested Page domain commands
2216         https://bugs.webkit.org/show_bug.cgi?id=174429
2217
2218         Reviewed by Timothy Hatcher.
2219
2220         * inspector/protocol/Page.json:
2221
2222 2017-07-13  Saam Barati  <sbarati@apple.com>
2223
2224         Missing exception check in JSObject::hasInstance
2225         https://bugs.webkit.org/show_bug.cgi?id=174455
2226         <rdar://problem/31384608>
2227
2228         Reviewed by Mark Lam.
2229
2230         * runtime/JSObject.cpp:
2231         (JSC::JSObject::hasInstance):
2232
2233 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2234
2235         [ESnext] Implement Object Spread
2236         https://bugs.webkit.org/show_bug.cgi?id=167963
2237
2238         Reviewed by Saam Barati.
2239
2240         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
2241         It's implemented using CopyDataPropertiesNoExclusions to copy
2242         all enumerable keys from the object being spread. The implementation of
2243         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2244         implementation; however, we don't receive excludedNames as a parameter.
2245
2246         [1] - https://github.com/tc39/proposal-object-rest-spread
2247
2248         * builtins/GlobalOperations.js:
2249         (globalPrivate.copyDataPropertiesNoExclusions):
2250         * bytecompiler/BytecodeGenerator.cpp:
2251         (JSC::BytecodeGenerator::emitLoad):
2252         * bytecompiler/NodesCodegen.cpp:
2253         (JSC::PropertyListNode::emitBytecode):
2254         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2255         * parser/ASTBuilder.h:
2256         (JSC::ASTBuilder::createObjectSpreadExpression):
2257         (JSC::ASTBuilder::createProperty):
2258         * parser/NodeConstructors.h:
2259         (JSC::PropertyNode::PropertyNode):
2260         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2261         * parser/Nodes.h:
2262         (JSC::ObjectSpreadExpressionNode::expression):
2263         * parser/Parser.cpp:
2264         (JSC::Parser<LexerType>::parseProperty):
2265         * parser/SyntaxChecker.h:
2266         (JSC::SyntaxChecker::createObjectSpreadExpression):
2267         (JSC::SyntaxChecker::createProperty):
2268
2269 2017-07-12  Mark Lam  <mark.lam@apple.com>
2270
2271         Gardening: build fix after r219434.
2272         https://bugs.webkit.org/show_bug.cgi?id=174441
2273
2274         Not reviewed.
2275
2276         Make public some MacroAssembler functions that are needed by the probe implementation.
2277
2278         * assembler/MacroAssemblerARM.h:
2279         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2280         * assembler/MacroAssemblerARMv7.h:
2281         (JSC::MacroAssemblerARMv7::linkCall):
2282
2283 2017-07-12  Mark Lam  <mark.lam@apple.com>
2284
2285         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2286         https://bugs.webkit.org/show_bug.cgi?id=174441
2287
2288         Reviewed by Saam Barati.
2289
2290         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2291         to MacroAssembler.  There is no code behavior change.
2292
2293         * assembler/AbstractMacroAssembler.h:
2294         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2295         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2296         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2297         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2298         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2299         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2300         * assembler/MacroAssembler.h:
2301         (JSC::MacroAssembler::CPUState::gprName):
2302         (JSC::MacroAssembler::CPUState::fprName):
2303         (JSC::MacroAssembler::CPUState::gpr):
2304         (JSC::MacroAssembler::CPUState::fpr):
2305         * assembler/MacroAssemblerARM.cpp:
2306         (JSC::MacroAssembler::probe):
2307         (JSC::MacroAssemblerARM::probe): Deleted.
2308         * assembler/MacroAssemblerARM.h:
2309         * assembler/MacroAssemblerARM64.cpp:
2310         (JSC::MacroAssembler::probe):
2311         (JSC::MacroAssemblerARM64::probe): Deleted.
2312         * assembler/MacroAssemblerARM64.h:
2313         * assembler/MacroAssemblerARMv7.cpp:
2314         (JSC::MacroAssembler::probe):
2315         (JSC::MacroAssemblerARMv7::probe): Deleted.
2316         * assembler/MacroAssemblerARMv7.h:
2317         * assembler/MacroAssemblerMIPS.h:
2318         * assembler/MacroAssemblerX86Common.cpp:
2319         (JSC::MacroAssembler::probe):
2320         (JSC::MacroAssemblerX86Common::probe): Deleted.
2321         * assembler/MacroAssemblerX86Common.h:
2322
2323 2017-07-12  Saam Barati  <sbarati@apple.com>
2324
2325         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2326         https://bugs.webkit.org/show_bug.cgi?id=174411
2327         <rdar://problem/31696186>
2328
2329         Reviewed by Mark Lam.
2330
2331         The code for deleting an argument was incorrectly referencing state
2332         when it decided if it should unmap or mark a property as having its
2333         descriptor modified. This patch fixes the bug where if we delete a
2334         property, we would sometimes not unmap an argument when deleting it.
2335
2336         * runtime/GenericArgumentsInlines.h:
2337         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2338         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2339         (JSC::GenericArguments<Type>::deleteProperty):
2340         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2341
2342 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2343
2344         Unreviewed, rolling out r219176.
2345         https://bugs.webkit.org/show_bug.cgi?id=174436
2346
2347         "Can cause infinite recursion on iOS" (Requested by mlam on
2348         #webkit).
2349
2350         Reverted changeset:
2351
2352         "WTF::Thread should have the threads stack bounds."
2353         https://bugs.webkit.org/show_bug.cgi?id=173975
2354         http://trac.webkit.org/changeset/219176
2355
2356 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2357
2358         Unreviewed, rolling out r219401.
2359
2360         This revision rolled out the previous patch, but after talking
2361         with the reviewer, a rebaseline is what was needed. Rolling back in
2362         before rebaseline.
2363
2364         Reverted changeset:
2365
2366         "Unreviewed, rolling out r219379."
2367         https://bugs.webkit.org/show_bug.cgi?id=174400
2368         http://trac.webkit.org/changeset/219401
2369
2370 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2371
2372         Unreviewed, rolling out r219379.
2373
2374         This revision caused a consistent failure in the test
2375         fast/dom/Window/property-access-on-cached-window-after-frame-
2376         removed.html.
2377
2378         Reverted changeset:
2379
2380         "Remove NAVIGATOR_HWCONCURRENCY"
2381         https://bugs.webkit.org/show_bug.cgi?id=174400
2382         http://trac.webkit.org/changeset/219379
2383
2384 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2385
2386         Wrong radix used in Unicode Escape in invalid character error message
2387         https://bugs.webkit.org/show_bug.cgi?id=174419
2388
2389         Reviewed by Alex Christensen.
2390
2391         * parser/Lexer.cpp:
2392         (JSC::Lexer<T>::invalidCharacterMessage):
2393
2394 2017-07-11  Dean Jackson  <dino@apple.com>
2395
2396         Remove NAVIGATOR_HWCONCURRENCY
2397         https://bugs.webkit.org/show_bug.cgi?id=174400
2398
2399         Reviewed by Sam Weinig.
2400
2401         * Configurations/FeatureDefines.xcconfig:
2402
2403 2017-07-11  Dean Jackson  <dino@apple.com>
2404
2405         Rolling out r219372.
2406
2407         * Configurations/FeatureDefines.xcconfig:
2408
2409 2017-07-11  Dean Jackson  <dino@apple.com>
2410
2411         Remove NAVIGATOR_HWCONCURRENCY
2412         https://bugs.webkit.org/show_bug.cgi?id=174400
2413
2414         Reviewed by Sam Weinig.
2415
2416         * Configurations/FeatureDefines.xcconfig:
2417
2418 2017-07-11  Saam Barati  <sbarati@apple.com>
2419
2420         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2421         https://bugs.webkit.org/show_bug.cgi?id=174397
2422
2423         Rubber stamped by David Kilzer.
2424
2425         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2426         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2427
2428 2017-07-10  Saam Barati  <sbarati@apple.com>
2429
2430         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2431         https://bugs.webkit.org/show_bug.cgi?id=174321
2432         <rdar://problem/32604963>
2433
2434         Reviewed by Filip Pizlo.
2435
2436         When the allocation sinking phase was generating stores to materialize
2437         objects in a cycle with each other, it would assume that each materialized
2438         object had a valid, non-empty set of structures. This is an OK assumption for
2439         the phase to make because how do you materialize an object with no structure?
2440         
2441         The abstract interpretation part of the phase will model what's in the heap.
2442         However, it would sometimes model that a CheckStructure would fail. The phase
2443         did nothing special for this; it just stored the empty set of structures for
2444         its representation of a particular allocation. However, what the phase proved
2445         in such a scenario is that, had the CheckStructure executed, it would have exited.
2446         
2447         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2448         This will cause the allocation in question to be materialized just before
2449         the CheckStructure, and then at execution time, the CheckStructure will exit.
2450         
2451         I wasn't able to write a test case for this. However, I was able to reproduce
2452         this crash by manually editing the IR. I've opened a separate bug to help us
2453         create a testing framework for writing tests for hard to reproduce bugs like this:
2454         https://bugs.webkit.org/show_bug.cgi?id=174322
2455
2456         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2457
2458 2017-07-10  Devin Rousso  <drousso@apple.com>
2459
2460         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2461         https://bugs.webkit.org/show_bug.cgi?id=174279
2462
2463         Reviewed by Matt Baker.
2464
2465         * inspector/protocol/DOM.json:
2466         Add `highlightNodeList` command that will highlight each node in the given list.
2467
2468 2017-07-03  Brian Burg  <bburg@apple.com>
2469
2470         Web Replay: remove some unused code
2471         https://bugs.webkit.org/show_bug.cgi?id=173903
2472
2473         Rubber-stamped by Joseph Pecoraro.
2474
2475         * CMakeLists.txt:
2476         * Configurations/FeatureDefines.xcconfig:
2477         * DerivedSources.make:
2478         * JavaScriptCore.xcodeproj/project.pbxproj:
2479         * inspector/protocol/Replay.json: Removed.
2480         * replay/EmptyInputCursor.h: Removed.
2481         * replay/EncodedValue.cpp: Removed.
2482         * replay/EncodedValue.h: Removed.
2483         * replay/InputCursor.h: Removed.
2484         * replay/JSInputs.json: Removed.
2485         * replay/NondeterministicInput.h: Removed.
2486         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2487         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2488         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2489         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2490         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2491         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2492         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2493         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2494         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2495         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2496         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2497         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2498         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2499         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2500         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2501         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2502         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2503         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2504         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2505         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2506         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2507         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2508         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2509         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2510         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2511         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2512         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2513         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2514         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
2515         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
2516         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
2517         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
2518         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
2519         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
2520         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
2521         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
2522         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
2523         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
2524         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
2525         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
2526         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
2527         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
2528         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
2529         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
2530         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
2531         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
2532         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
2533         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
2534         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
2535         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
2536         * replay/scripts/tests/generate-input-with-guard.json: Removed.
2537         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
2538         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
2539         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
2540         * runtime/DateConstructor.cpp:
2541         (JSC::constructDate):
2542         (JSC::dateNow):
2543         (JSC::deterministicCurrentTime): Deleted.
2544         * runtime/JSGlobalObject.cpp:
2545         (JSC::JSGlobalObject::JSGlobalObject):
2546         (JSC::JSGlobalObject::setInputCursor): Deleted.
2547         * runtime/JSGlobalObject.h:
2548         (JSC::JSGlobalObject::inputCursor): Deleted.
2549
2550 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2551
2552         Move make-js-file-arrays.py from WebCore to JavaScriptCore
2553         https://bugs.webkit.org/show_bug.cgi?id=174024
2554
2555         Reviewed by Michael Catanzaro.
2556
2557         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
2558         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
2559         Added a command line option to pass the namespace to use instead of WebCore.
2560
2561         * JavaScriptCore.xcodeproj/project.pbxproj:
2562         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
2563         (main):
2564
2565 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2566
2567         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
2568         https://bugs.webkit.org/show_bug.cgi?id=174296
2569
2570         Reviewed by Mark Lam.
2571
2572         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
2573         It caused a problem in scanning template literals. While template literals normalize
2574         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
2575         To handle it correctly, LineNumberAdder was introduced.
2576
2577         As of r219263, <LF><CR> is counted as two line terminators, so we no longer need
2578         LineNumberAdder. Let's just use shiftLineTerminator() instead.
2579
2580         * parser/Lexer.cpp:
2581         (JSC::Lexer<T>::parseTemplateLiteral):
2582         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
2583         (JSC::LineNumberAdder::clear): Deleted.
2584         (JSC::LineNumberAdder::add): Deleted.
2585
2586 2017-07-09  Dan Bernstein  <mitz@apple.com>
2587
2588         [Xcode] ICU headers aren’t treated as system headers after r219155
2589         https://bugs.webkit.org/show_bug.cgi?id=174299
2590
2591         Reviewed by Sam Weinig.
2592
2593         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
2594           C++ compilers.
2595
2596         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
2597         * runtime/IntlDateTimeFormat.cpp: Ditto.
2598         * runtime/JSGlobalObject.cpp: Ditto.
2599         * runtime/StringPrototype.cpp: Ditto.
2600
2601 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2602
2603         [JSC] Use fastMalloc / fastFree for STL containers
2604         https://bugs.webkit.org/show_bug.cgi?id=174297
2605
2606         Reviewed by Sam Weinig.
2607
2608         In some places, we intentionally use STL containers over WTF containers.
2609         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
2610         because we do not have effective empty / deleted representations in the key's value space.
2611         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
2612
2613         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
2614         We pass this allocator as the STL containers' allocator template parameter so they allocate memory from fastMalloc.
2615
2616         This WTF::FastAllocator gives us a chance to use STL containers when necessary
2617         without compromising memory allocation throughput.
2618
2619         * dfg/DFGGraph.h:
2620         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2621         * ftl/FTLLowerDFGToB3.cpp:
2622         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2623         * runtime/FunctionHasExecutedCache.h:
2624         * runtime/TypeLocationCache.h:
2625
2626 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2627
2628         Drop NOSNIFF compile flag
2629         https://bugs.webkit.org/show_bug.cgi?id=174289
2630
2631         Reviewed by Michael Catanzaro.
2632
2633         * Configurations/FeatureDefines.xcconfig:
2634
2635 2017-07-07  AJ Ringer  <aringer@apple.com>
2636
2637         Lower the max_protection for the separated heap
2638         https://bugs.webkit.org/show_bug.cgi?id=174281
2639
2640         Reviewed by Oliver Hunt.
2641
2642         Switch to vm_protect so we can set maximum page protection.
2643
2644         * jit/ExecutableAllocator.cpp:
2645         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2646         (JSC::ExecutableAllocator::allocate):
2647
2648 2017-07-07  Devin Rousso  <drousso@apple.com>
2649
2650         Web Inspector: Show all elements currently using a given CSS Canvas
2651         https://bugs.webkit.org/show_bug.cgi?id=173965
2652
2653         Reviewed by Joseph Pecoraro.
2654
2655         * inspector/protocol/Canvas.json:
2656          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
2657            canvas via -webkit-canvas.
2658          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
2659            added to or removed from the list of -webkit-canvas clients.
2660
2661 2017-07-07  Mark Lam  <mark.lam@apple.com>
2662
2663         \n\r is not the same as \r\n.
2664         https://bugs.webkit.org/show_bug.cgi?id=173053
2665
2666         Reviewed by Keith Miller.
2667
2668         * parser/Lexer.cpp:
2669         (JSC::Lexer<T>::shiftLineTerminator):
2670         (JSC::LineNumberAdder::add):
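
An added illustration (not JavaScriptCore's code) of the line-terminator rule behind this entry and the LineNumberAdder removal above: <CR><LF> is one terminator, <LF><CR> is two, and template-literal cooking normalizes <CR> to <LF>, so <LF><CR> cooks to <LF><LF> and advances the line count by two. The names shiftLineTerminator, countLines and cookTemplateText are assumed for the example and operate on UTF-16 code units, as JSC's Lexer<UChar> does.

```cpp
// Added example, not JSC's implementation: line-terminator handling in the
// spirit of r219263. ECMAScript treats <CR><LF> as a single LineTerminator
// sequence, but <LF><CR> is two separate terminators.
#include <cstddef>
#include <string>
#include <utility>

namespace LineTerminatorDemo {

// Single-code-unit line terminators of ECMAScript:
// LF, CR, LINE SEPARATOR (U+2028), PARAGRAPH SEPARATOR (U+2029).
inline bool isLineTerminator(char16_t c)
{
    return c == u'\n' || c == u'\r' || c == u'\u2028' || c == u'\u2029';
}

// Consumes exactly one line terminator starting at index `i` and returns the
// index of the next unconsumed code unit. <CR><LF> is consumed as one
// terminator; for <LF><CR> only the <LF> is consumed here, so the <CR> is
// counted as a second terminator on the next call.
inline std::size_t shiftLineTerminator(const std::u16string& src, std::size_t i)
{
    if (src[i] == u'\r' && i + 1 < src.size() && src[i + 1] == u'\n')
        return i + 2;
    return i + 1;
}

// Number of lines the source occupies: 1 plus the number of terminators.
inline unsigned countLines(const std::u16string& src)
{
    unsigned line = 1;
    std::size_t i = 0;
    while (i < src.size()) {
        if (isLineTerminator(src[i])) {
            ++line;
            i = shiftLineTerminator(src, i);
        } else
            ++i;
    }
    return line;
}

// Cooked template-literal text (<CR><LF> and lone <CR> become <LF>) together
// with the line count reached after scanning it. Because <LF><CR> is two
// terminators, it cooks to <LF><LF> and the line count advances by two.
inline std::pair<std::u16string, unsigned> cookTemplateText(const std::u16string& src)
{
    std::u16string cooked;
    unsigned line = 1;
    std::size_t i = 0;
    while (i < src.size()) {
        char16_t c = src[i];
        if (isLineTerminator(c)) {
            cooked.push_back(c == u'\r' ? u'\n' : c);
            ++line;
            i = shiftLineTerminator(src, i);
        } else {
            cooked.push_back(c);
            ++i;
        }
    }
    return { cooked, line };
}

} // namespace LineTerminatorDemo
```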
2671
2672 2017-07-07  Commit Queue  <commit-queue@webkit.org>
2673
2674         Unreviewed, rolling out r219238, r219239, and r219241.
2675         https://bugs.webkit.org/show_bug.cgi?id=174265
2676
2677         "fast/workers/dedicated-worker-lifecycle.html is flaky"
2678         (Requested by yusukesuzuki on #webkit).
2679
2680         Reverted changesets:
2681
2682         "[WTF] Implement WTF::ThreadGroup"
2683         https://bugs.webkit.org/show_bug.cgi?id=174081
2684         http://trac.webkit.org/changeset/219238
2685
2686         "Unreviewed, build fix after r219238"
2687         https://bugs.webkit.org/show_bug.cgi?id=174081
2688         http://trac.webkit.org/changeset/219239
2689
2690         "Unreviewed, CLoop build fix after r219238"
2691         https://bugs.webkit.org/show_bug.cgi?id=174081
2692         http://trac.webkit.org/changeset/219241
2693
2694 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2695
2696         Unreviewed, CLoop build fix after r219238
2697         https://bugs.webkit.org/show_bug.cgi?id=174081
2698
2699         * heap/MachineStackMarker.cpp:
2700
2701 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2702
2703         [WTF] Implement WTF::ThreadGroup
2704         https://bugs.webkit.org/show_bug.cgi?id=174081
2705
2706         Reviewed by Mark Lam.
2707
2708         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
2709         and SamplingProfiler and others interact with WTF::Thread directly.
2710
2711         * API/tests/ExecutionTimeLimitTest.cpp:
2712         * heap/MachineStackMarker.cpp:
2713         (JSC::MachineThreads::MachineThreads):
2714         (JSC::captureStack):
2715         (JSC::MachineThreads::tryCopyOtherThreadStack):
2716         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2717         (JSC::MachineThreads::gatherConservativeRoots):
2718         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2719         (JSC::ActiveMachineThreadsManager::add): Deleted.
2720         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2721         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2722         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2723         (JSC::activeMachineThreadsManager): Deleted.
2724         (JSC::MachineThreads::~MachineThreads): Deleted.
2725         (JSC::MachineThreads::addCurrentThread): Deleted.
2726         (): Deleted.
2727         (JSC::MachineThreads::removeThread): Deleted.
2728         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2729         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2730         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2731         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2732         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2733         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2734         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2735         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2736         * heap/MachineStackMarker.h:
2737         (JSC::MachineThreads::addCurrentThread):
2738         (JSC::MachineThreads::getLock):
2739         (JSC::MachineThreads::threads):
2740         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2741         (JSC::MachineThreads::MachineThread::resume): Deleted.
2742         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2743         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2744         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2745         (JSC::MachineThreads::threadsListHead): Deleted.
2746         * runtime/SamplingProfiler.cpp:
2747         (JSC::FrameWalker::isValidFramePointer):
2748         (JSC::SamplingProfiler::SamplingProfiler):
2749         (JSC::SamplingProfiler::takeSample):
2750         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2751         * runtime/SamplingProfiler.h:
2752         * wasm/WasmMachineThreads.cpp:
2753         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2754
2755 2017-07-06  Saam Barati  <sbarati@apple.com>
2756
2757         We are missing places where we invalidate the for-in context
2758         https://bugs.webkit.org/show_bug.cgi?id=174184
2759
2760         Reviewed by Geoffrey Garen.
2761
2762         * bytecompiler/BytecodeGenerator.cpp:
2763         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2764         * bytecompiler/NodesCodegen.cpp:
2765         (JSC::EmptyLetExpression::emitBytecode):
2766         (JSC::ForInNode::emitLoopHeader):
2767         (JSC::ForOfNode::emitBytecode):
2768         (JSC::BindingNode::bindValue):
2769
2770 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2771
2772         Unreviewed, suppress warnings in GCC environment
2773
2774         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2775         * runtime/IntlCollator.cpp:
2776         * runtime/IntlDateTimeFormat.cpp:
2777         * runtime/JSGlobalObject.cpp:
2778         * runtime/StringPrototype.cpp:
2779
2780 2017-07-05  Saam Barati  <sbarati@apple.com>
2781
2782         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2783         https://bugs.webkit.org/show_bug.cgi?id=174188
2784         <rdar://problem/30581423>
2785
2786         Reviewed by Mark Lam.
2787
2788         We were calling lowJSValue(edge) when we were speculating the
2789         edge as double. This isn't allowed. We should have been using
2790         lowDouble.
2791         
2792         This patch also adds a new option, called useArrayAllocationProfiling,
2793         which defaults to true. When false, it will make the array allocation
2794         profile not actually sample seen arrays. It'll force the allocation
2795         profile's predicted indexing type to be ArrayWithUndecided. Adding
2796         this option made it trivial to write a test for this bug.
2797
2798         * bytecode/ArrayAllocationProfile.cpp:
2799         (JSC::ArrayAllocationProfile::updateIndexingType):
2800         * ftl/FTLLowerDFGToB3.cpp:
2801         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2802         * runtime/Options.h:
2803
2804 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2805
2806         WTF::Thread should have the threads stack bounds.
2807         https://bugs.webkit.org/show_bug.cgi?id=173975
2808
2809         Reviewed by Keith Miller.
2810
2811         There is a site in JSC that tries to walk another thread's stack.
2812         Currently, stack bounds are stored in WTFThreadData which is located
2813         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2814         We work around this situation by holding StackBounds in MachineThread in JSC,
2815         but StackBounds should be put in WTF::Thread instead.
2816
2817         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2818         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2819         is a natural choice.
2820
2821         * heap/MachineStackMarker.cpp:
2822         (JSC::MachineThreads::MachineThread::MachineThread):
2823         (JSC::MachineThreads::MachineThread::captureStack):
2824         * heap/MachineStackMarker.h:
2825         (JSC::MachineThreads::MachineThread::stackBase):
2826         (JSC::MachineThreads::MachineThread::stackEnd):
2827         * runtime/InitializeThreading.cpp:
2828         (JSC::initializeThreading):
2829         * runtime/VM.cpp:
2830         (JSC::VM::VM):
2831         (JSC::VM::updateStackLimits):
2832         (JSC::VM::committedStackByteCount):
2833         * runtime/VM.h:
2834         (JSC::VM::isSafeToRecurse):
2835         * runtime/VMEntryScope.cpp:
2836         (JSC::VMEntryScope::VMEntryScope):
2837         * runtime/VMInlines.h:
2838         (JSC::VM::ensureStackCapacityFor):
2839         * runtime/VMTraps.cpp:
2840         * yarr/YarrPattern.cpp:
2841         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2842
2843 2017-07-05  Keith Miller  <keith_miller@apple.com>
2844
2845         Crashing with information should have an abort reason
2846         https://bugs.webkit.org/show_bug.cgi?id=174185
2847
2848         Reviewed by Saam Barati.
2849
2850         Add crash information for the abstract interpreter and add an enum
2851         value for object allocation sinking.
2852
2853         * assembler/AbortReason.h:
2854         * dfg/DFGAbstractInterpreterInlines.h:
2855         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2856         * dfg/DFGGraph.cpp:
2857         (JSC::DFG::logDFGAssertionFailure):
2858         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2859
2860 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2861
2862         Remove copy of ICU headers from WebKit
2863         https://bugs.webkit.org/show_bug.cgi?id=116407
2864
2865         Reviewed by Alex Christensen.
2866
2867         Use WTF's copy of ICU headers.
2868
2869         * Configurations/Base.xcconfig:
2870         * icu/unicode/localpointer.h: Removed.
2871         * icu/unicode/parseerr.h: Removed.
2872         * icu/unicode/platform.h: Removed.
2873         * icu/unicode/ptypes.h: Removed.
2874         * icu/unicode/putil.h: Removed.
2875         * icu/unicode/uchar.h: Removed.
2876         * icu/unicode/ucnv.h: Removed.
2877         * icu/unicode/ucnv_err.h: Removed.
2878         * icu/unicode/ucol.h: Removed.
2879         * icu/unicode/uconfig.h: Removed.
2880         * icu/unicode/ucurr.h: Removed.
2881         * icu/unicode/uenum.h: Removed.
2882         * icu/unicode/uiter.h: Removed.
2883         * icu/unicode/uloc.h: Removed.
2884         * icu/unicode/umachine.h: Removed.
2885         * icu/unicode/unorm.h: Removed.
2886         * icu/unicode/unorm2.h: Removed.
2887         * icu/unicode/urename.h: Removed.
2888         * icu/unicode/uscript.h: Removed.
2889         * icu/unicode/uset.h: Removed.
2890         * icu/unicode/ustring.h: Removed.
2891         * icu/unicode/utf.h: Removed.
2892         * icu/unicode/utf16.h: Removed.
2893         * icu/unicode/utf8.h: Removed.
2894         * icu/unicode/utf_old.h: Removed.
2895         * icu/unicode/utypes.h: Removed.
2896         * icu/unicode/uvernum.h: Removed.
2897         * icu/unicode/uversion.h: Removed.
2898         * runtime/IntlCollator.cpp:
2899         * runtime/IntlDateTimeFormat.cpp:
2900         (JSC::IntlDateTimeFormat::partTypeString):
2901         * runtime/JSGlobalObject.cpp:
2902         * runtime/StringPrototype.cpp:
2903         (JSC::normalize):
2904         (JSC::stringProtoFuncNormalize):
2905
2906 2017-07-05  Devin Rousso  <drousso@apple.com>
2907
2908         Web Inspector: Allow users to log any tracked canvas context
2909         https://bugs.webkit.org/show_bug.cgi?id=173397
2910         <rdar://problem/33111581>
2911
2912         Reviewed by Joseph Pecoraro.
2913
2914         * inspector/protocol/Canvas.json:
2915         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
2916
2917 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
2918
2919         Add WebKitPrivateFrameworkStubs for iOS 11
2920         https://bugs.webkit.org/show_bug.cgi?id=173988
2921
2922         Reviewed by David Kilzer.
2923
2924         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
2925         same directory for private framework stubs.
2926
2927 2017-07-05  JF Bastien  <jfbastien@apple.com>
2928
2929         WebAssembly: implement name section's module name, skip unknown sections
2930         https://bugs.webkit.org/show_bug.cgi?id=172008
2931
2932         Reviewed by Keith Miller.
2933
2934         Parse the WebAssembly module name properly, and skip unknown
2935         sections. This is useful because as toolchains support new types
2936         of names we want to keep displaying the information we know about
2937         and simply ignore new information. That capability was designed
2938         into WebAssembly's name section.
2939
2940         Failure to commit this patch would mean that WebKit won't display
2941         stack trace information, which would make developers sad.
2942
2943         Module names were added here: https://github.com/WebAssembly/design/pull/1055
2944
2945         Note that this patch doesn't do anything with the parsed name! Two
2946         reasons for this: module names aren't supported in binaryen yet,
2947         so I can't write a simple binary test; and using the name is a
2948         slightly riskier change because it requires changing StackVisitor
2949         + StackFrame (where they print "[wasm code]") which requires
2950         figuring out the frame's Module. The latter bit isn't trivial
2951         because we only know wasm frames from their tag bits, and
2952         CodeBlocks are always nullptr.
2953
2954         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
2955
2956         I filed #174098 to use the module name.
2957
2958         * wasm/WasmFormat.h:
2959         (JSC::Wasm::isValidNameType):
2960         * wasm/WasmNameSectionParser.cpp:
2961
2962 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
2963
2964         Cleanup some StringBuilder use
2965         https://bugs.webkit.org/show_bug.cgi?id=174118
2966
2967         Reviewed by Andreas Kling.
2968
2969         * runtime/FunctionConstructor.cpp:
2970         (JSC::constructFunctionSkippingEvalEnabledCheck):
2971         * tools/FunctionOverrides.cpp:
2972         (JSC::parseClause):
2973         * wasm/WasmOMGPlan.cpp:
2974         * wasm/WasmPlan.cpp:
2975         * wasm/WasmValidate.cpp:
2976
2977 2017-07-03  Saam Barati  <sbarati@apple.com>
2978
2979         LayoutTest workers/bomb.html is a Crash
2980         https://bugs.webkit.org/show_bug.cgi?id=167757
2981         <rdar://problem/33086462>
2982
2983         Reviewed by Keith Miller.
2984
2985         VMTraps::SignalSender was accessing VM fields even after
2986         the VM was destroyed. This happened when the SignalSender
2987         thread was in the middle of its work() function while VMTraps
2988         was notified that the VM was shutting down. The VM would proceed
2989         to run its destructor even after the SignalSender thread finished
2990         doing its work. This means that the SignalSender thread was accessing
2991         VM fields even after the VM was destructed (including itself, since it is
2992         transitively owned by the VM). The VM must wait for the SignalSender
2993         thread to shut down before it can continue to destruct itself.
2994
2995         * runtime/VMTraps.cpp:
2996         (JSC::VMTraps::willDestroyVM):
2997
2998 2017-07-03  Saam Barati  <sbarati@apple.com>
2999
3000         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
3001         https://bugs.webkit.org/show_bug.cgi?id=174110
3002
3003         Reviewed by Michael Saboff.
3004
3005         * dfg/DFGByteCodeParser.cpp:
3006         (JSC::DFG::ByteCodeParser::parseBlock):
3007
3008 2017-07-03  Saam Barati  <sbarati@apple.com>
3009
3010         Add a new assertion to object allocation sinking phase
3011         https://bugs.webkit.org/show_bug.cgi?id=174107
3012
3013         Rubber stamped by Filip Pizlo.
3014
3015         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3016
3017 2017-07-03  Commit Queue  <commit-queue@webkit.org>
3018
3019         Unreviewed, rolling out r219060.
3020         https://bugs.webkit.org/show_bug.cgi?id=174108
3021
3022         crashing constantly when initializing UIWebView (Requested by
3023         thorton on #webkit).
3024
3025         Reverted changeset:
3026
3027         "WTF::Thread should have the threads stack bounds."
3028         https://bugs.webkit.org/show_bug.cgi?id=173975
3029         http://trac.webkit.org/changeset/219060
3030
3031 2017-07-03  Matt Lewis  <jlewis3@apple.com>
3032
3033         Unreviewed, rolling out r219103.
3034
3035         Caused multiple build failures.
3036
3037         Reverted changeset:
3038
3039         "Remove copy of ICU headers from WebKit"
3040         https://bugs.webkit.org/show_bug.cgi?id=116407
3041         http://trac.webkit.org/changeset/219103
3042
3043 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3044
3045         Remove copy of ICU headers from WebKit
3046         https://bugs.webkit.org/show_bug.cgi?id=116407
3047
3048         Reviewed by Alex Christensen.
3049
3050         Use WTF's copy of ICU headers.
3051
3052         * Configurations/Base.xcconfig:
3053         * icu/unicode/localpointer.h: Removed.
3054         * icu/unicode/parseerr.h: Removed.
3055         * icu/unicode/platform.h: Removed.
3056         * icu/unicode/ptypes.h: Removed.
3057         * icu/unicode/putil.h: Removed.
3058         * icu/unicode/uchar.h: Removed.
3059         * icu/unicode/ucnv.h: Removed.
3060         * icu/unicode/ucnv_err.h: Removed.
3061         * icu/unicode/ucol.h: Removed.
3062         * icu/unicode/uconfig.h: Removed.
3063         * icu/unicode/ucurr.h: Removed.
3064         * icu/unicode/uenum.h: Removed.
3065         * icu/unicode/uiter.h: Removed.
3066         * icu/unicode/uloc.h: Removed.
3067         * icu/unicode/umachine.h: Removed.
3068         * icu/unicode/unorm.h: Removed.
3069         * icu/unicode/unorm2.h: Removed.
3070         * icu/unicode/urename.h: Removed.
3071         * icu/unicode/uscript.h: Removed.
3072         * icu/unicode/uset.h: Removed.
3073         * icu/unicode/ustring.h: Removed.
3074         * icu/unicode/utf.h: Removed.
3075         * icu/unicode/utf16.h: Removed.
3076         * icu/unicode/utf8.h: Removed.
3077         * icu/unicode/utf_old.h: Removed.
3078         * icu/unicode/utypes.h: Removed.
3079         * icu/unicode/uvernum.h: Removed.
3080         * icu/unicode/uversion.h: Removed.
3081         * runtime/IntlCollator.cpp:
3082         * runtime/IntlDateTimeFormat.cpp:
3083         * runtime/JSGlobalObject.cpp:
3084         * runtime/StringPrototype.cpp:
3085
3086 2017-07-03  Saam Barati  <sbarati@apple.com>
3087
3088         Add better crash logging for allocation sinking phase
3089         https://bugs.webkit.org/show_bug.cgi?id=174102
3090         <rdar://problem/33112092>
3091
3092         Rubber stamped by Filip Pizlo.
3093
3094         I'm trying to gather better information from crashlogs about why
3095         we're crashing in the allocation sinking phase. I'm adding an allocation
3096         sinking specific RELEASE_ASSERT as well as marking a few functions as
3097         NEVER_INLINE to have the stack traces in the crash trace contain more
3098         actionable information.
3099
3100         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3101
3102 2017-07-03  Sam Weinig  <sam@webkit.org>
3103
3104         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
3105         https://bugs.webkit.org/show_bug.cgi?id=174083
3106
3107         Reviewed by Alex Christensen.
3108
3109         * Configurations/FeatureDefines.xcconfig:
3110         Add ENABLE_NAVIGATOR_STANDALONE.
3111
3112 2017-07-03  Andy Estes  <aestes@apple.com>
3113
3114         [Xcode] Add an experimental setting to build with ccache
3115         https://bugs.webkit.org/show_bug.cgi?id=173875
3116
3117         Reviewed by Tim Horton.
3118
3119         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
3120
3121 2017-07-03  Devin Rousso  <drousso@apple.com>
3122
3123         Web Inspector: Support listing WebGL2 and WebGPU contexts
3124         https://bugs.webkit.org/show_bug.cgi?id=173396
3125
3126         Reviewed by Joseph Pecoraro.
3127
3128         * inspector/protocol/Canvas.json:
3129         * inspector/scripts/codegen/generator.py:
3130         (Generator.stylized_name_for_enum_value):
3131         Add cases for handling new Canvas.ContextType protocol enumerations:
3132          - "webgl2" maps to `WebGL2`
3133          - "webgpu" maps to `WebGPU`
3134
3135 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3136
3137         WTF::Thread should have the threads stack bounds.
3138         https://bugs.webkit.org/show_bug.cgi?id=173975
3139
3140         Reviewed by Mark Lam.
3141
3142         There is a site in JSC that tries to walk another thread's stack.
3143         Currently, stack bounds are stored in WTFThreadData which is located
3144         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3145         We work around this situation by holding StackBounds in MachineThread in JSC,
3146         but StackBounds should be put in WTF::Thread instead.
3147
3148         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3149         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3150         is a natural choice.
3151
3152         * heap/MachineStackMarker.cpp:
3153         (JSC::MachineThreads::MachineThread::MachineThread):
3154         (JSC::MachineThreads::MachineThread::captureStack):
3155         * heap/MachineStackMarker.h:
3156         (JSC::MachineThreads::MachineThread::stackBase):
3157         (JSC::MachineThreads::MachineThread::stackEnd):
3158         * runtime/InitializeThreading.cpp:
3159         (JSC::initializeThreading):
3160         * runtime/VM.cpp:
3161         (JSC::VM::VM):
3162         (JSC::VM::updateStackLimits):
3163         (JSC::VM::committedStackByteCount):
3164         * runtime/VM.h:
3165         (JSC::VM::isSafeToRecurse):
3166         * runtime/VMEntryScope.cpp:
3167         (JSC::VMEntryScope::VMEntryScope):
3168         * runtime/VMInlines.h:
3169         (JSC::VM::ensureStackCapacityFor):
3170         * runtime/VMTraps.cpp:
3171         * yarr/YarrPattern.cpp:
3172         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3173
3174 2017-07-01  Dan Bernstein  <mitz@apple.com>
3175
3176         [iOS] Remove code only needed when building for iOS 9.x
3177         https://bugs.webkit.org/show_bug.cgi?id=174068
3178
3179         Reviewed by Tim Horton.
3180
3181         * Configurations/FeatureDefines.xcconfig:
3182         * jit/ExecutableAllocator.cpp:
3183         * runtime/Options.cpp:
3184         (JSC::recomputeDependentOptions):
3185
3186 2017-07-01  Dan Bernstein  <mitz@apple.com>
3187
3188         [macOS] Remove code only needed when building for OS X Yosemite
3189         https://bugs.webkit.org/show_bug.cgi?id=174067
3190
3191         Reviewed by Tim Horton.
3192
3193         * API/WebKitAvailability.h:
3194         * Configurations/Base.xcconfig:
3195         * Configurations/DebugRelease.xcconfig:
3196         * Configurations/FeatureDefines.xcconfig:
3197         * Configurations/Version.xcconfig:
3198
3199 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3200
3201         Unreviewed, build fix for GCC
3202         https://bugs.webkit.org/show_bug.cgi?id=174034
3203
3204         * b3/testb3.cpp:
3205         (JSC::B3::testDoubleLiteralComparison):
3206
3207 2017-06-30  Keith Miller  <keith_miller@apple.com>
3208
3209         Force crashWithInfo to be out of line.
3210         https://bugs.webkit.org/show_bug.cgi?id=174028
3211
3212         Reviewed by Filip Pizlo.
3213
3214         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
3215
3216         * dfg/DFGGraph.cpp:
3217         (JSC::DFG::logDFGAssertionFailure):
3218         (JSC::DFG::Graph::logAssertionFailure):
3219         (JSC::DFG::crash): Deleted.
3220         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3221         * dfg/DFGGraph.h:
3222
3223 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3224
3225         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
3226         https://bugs.webkit.org/show_bug.cgi?id=174053
3227
3228         Reviewed by Geoffrey Garen.
3229
3230         We already have AbstractMacroAssembler::random() function. Use it instead.
3231
3232         * jit/JIT.cpp:
3233         (JSC::JIT::JIT):
3234         (JSC::JIT::compileWithoutLinking):
3235         * jit/JIT.h:
3236
3237 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3238
3239         [WTF] Drop SymbolRegistry::keyForSymbol
3240         https://bugs.webkit.org/show_bug.cgi?id=174052
3241
3242         Reviewed by Sam Weinig.
3243
3244         * runtime/SymbolConstructor.cpp:
3245         (JSC::symbolConstructorKeyFor):
3246
3247 2017-06-30  Saam Barati  <sbarati@apple.com>
3248
3249         B3ReduceStrength should reduce EqualOrUnordered over const float input
3250         https://bugs.webkit.org/show_bug.cgi?id=174039
3251
3252         Reviewed by Michael Saboff.
3253
3254         We perform this folding for ConstDoubleValue. It is simply
3255         an oversight that we didn't do it for ConstFloatValue.
3256
3257         * b3/B3ConstFloatValue.cpp:
3258         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
3259         * b3/B3ConstFloatValue.h:
3260         * b3/testb3.cpp:
3261         (JSC::B3::testFloatEqualOrUnorderedFolding):
3262         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3263         (JSC::B3::testFloatEqualOrUnorderedDontFold):
3264         (JSC::B3::run):
3265
3266 2017-06-30  Matt Baker  <mattbaker@apple.com>
3267
3268         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
3269         https://bugs.webkit.org/show_bug.cgi?id=173840
3270         <rdar://problem/30840820>
3271
3272         Reviewed by Joseph Pecoraro.
3273
3274         When truncating an asynchronous stack trace, the parent chain is traversed
3275         until a locked node is found. The path from this node to the root is shared
3276         by more than one stack trace, and cannot be safely modified. Starting at
3277         the first locked node, the path is cloned and becomes a new stack trace tree.
3278
3279         However, the clone operation initialized each new AsyncStackTrace node with
3280         the original node's parent. This would increment the child count of the original
3281         node. When cloning nodes, new nodes should not have their parent set until the
3282         next node up the parent chain is cloned.
3283
3284         * inspector/AsyncStackTrace.cpp:
3285         (Inspector::AsyncStackTrace::truncate):
3286
3287 2017-06-30  Michael Saboff  <msaboff@apple.com>
3288
3289         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
3290         https://bugs.webkit.org/show_bug.cgi?id=174044
3291
3292         Reviewed by Oliver Hunt.
3293
3294         The .* enclosure optimization didn't respect that we can start matching from a non-zero
3295         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
3296         then finding the extent of the match by going back to the beginning of the line and going
3297         forward to the end of the line.  The code that went back to the beginning of the line
3298         checked for an index of 0 instead of comparing the index to the start position.  This start
3299         position is passed as the initial index.
3300
3301         Added another temporary register to the YARR JIT to contain the start position for
3302         platforms that have spare registers.
3303
3304         * yarr/Yarr.h:
3305         * yarr/YarrInterpreter.cpp:
3306         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3307         (JSC::Yarr::Interpreter::Interpreter):
3308         * yarr/YarrJIT.cpp:
3309         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3310         (JSC::Yarr::YarrGenerator::compile):
3311         * yarr/YarrPattern.cpp:
3312         (JSC::Yarr::YarrPattern::YarrPattern):
3313         * yarr/YarrPattern.h:
3314         (JSC::Yarr::YarrPattern::reset):
3315
3316 2017-06-30  Saam Barati  <sbarati@apple.com>
3317
3318         B3MoveConstants floatZero() returns the wrong ValueKey
3319         https://bugs.webkit.org/show_bug.cgi?id=174040
3320
3321         Reviewed by Filip Pizlo.
3322
3323         It had a typo where the ValueKey for floatZero() produces a Double
3324         instead of a Float.
3325
3326         * b3/B3MoveConstants.cpp:
3327
3328 2017-06-30  Saam Barati  <sbarati@apple.com>
3329
3330         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
3331         https://bugs.webkit.org/show_bug.cgi?id=174034
3332         <rdar://problem/30793007>
3333
3334         Reviewed by Filip Pizlo.
3335
3336         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
3337         reduce binary operations over double constants into the same binary
3338         operation over the double constants casted to floats. This is clearly
3339         incorrect as these two things will produce different values. For example:
3340         
3341         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
3342         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
3343         c = EqualOrUnordered(@a, @b) // produces 0
3344         
3345         into:
3346         
3347         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
3348         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
3349         c = EqualOrUnordered(@a, @b) // produces 1
3350         
3351         Which produces a different value for @c.
3352
3353         * b3/B3ReduceDoubleToFloat.cpp:
3354         * b3/testb3.cpp:
3355         (JSC::B3::doubleEq):
3356         (JSC::B3::doubleNeq):
3357         (JSC::B3::doubleGt):
3358         (JSC::B3::doubleGte):
3359         (JSC::B3::doubleLt):
3360         (JSC::B3::doubleLte):
3361         (JSC::B3::testDoubleLiteralComparison):
3362         (JSC::B3::run):
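
The unsound narrowing described in the B3ReduceDoubleToFloat entry above, as an added example that is not part of this ChangeLog or of B3's own code: the two double constants from the entry are compared with EqualOrUnordered semantics (equal, or either side NaN) before and after the cast to float, and a round-trip guard, assumed here and not B3's actual fix, shows how a reducer could refuse constants that do not narrow losslessly.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret raw IEEE-754 bits as a double (the bitwise_cast<double> in the entry).
static double doubleFromBits(uint64_t bits)
{
    static_assert(sizeof(double) == sizeof(uint64_t), "double must be 64-bit");
    double d;
    std::memcpy(&d, &bits, sizeof(d));
    return d;
}

// B3's EqualOrUnordered: true when a == b or when either operand is NaN.
static bool equalOrUnorderedDouble(double a, double b)
{
    return a == b || std::isnan(a) || std::isnan(b);
}

static bool equalOrUnorderedFloat(float a, float b)
{
    return a == b || std::isnan(a) || std::isnan(b);
}

// The comparison as written: both operands stay doubles.
static bool originalComparison(uint64_t aBits, uint64_t bBits)
{
    return equalOrUnorderedDouble(doubleFromBits(aBits), doubleFromBits(bBits));
}

// The buggy reduction: both constants are narrowed to float first, then compared.
// 0x8000000000000001 is the negative smallest subnormal double; it rounds to -0.0f,
// which compares equal to 0.0f, so the reduced comparison answers 1 instead of 0.
static bool reducedComparison(uint64_t aBits, uint64_t bBits)
{
    float a = static_cast<float>(doubleFromBits(aBits));
    float b = static_cast<float>(doubleFromBits(bBits));
    return equalOrUnorderedFloat(a, b);
}

// True when narrowing changes the observable result for these inputs.
static bool reductionChangesResult(uint64_t aBits, uint64_t bBits)
{
    return originalComparison(aBits, bBits) != reducedComparison(aBits, bBits);
}

// Hypothetical guard (not B3's fix): a double constant may be narrowed only if it
// survives a float round trip with the same value and sign. NaN is allowed through
// because EqualOrUnordered treats any NaN the same way.
static bool canNarrowLosslessly(uint64_t bits)
{
    double d = doubleFromBits(bits);
    if (std::isnan(d))
        return true;
    float f = static_cast<float>(d);
    return static_cast<double>(f) == d && std::signbit(f) == std::signbit(d);
}

int main()
{
    const uint64_t a = 0x8000000000000001ull; // constants from the ChangeLog entry
    const uint64_t b = 0x0000000000000000ull;
    std::printf("double EqualOrUnordered: %d\n", originalComparison(a, b));  // 0
    std::printf("float  EqualOrUnordered: %d\n", reducedComparison(a, b));   // 1
    std::printf("@a narrows losslessly:   %d\n", canNarrowLosslessly(a));    // 0
    return 0;
}
```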
3363
3364 2017-06-29  Jer Noble  <jer.noble@apple.com>
3365
3366         Make Legacy EME API controlled by RuntimeEnabled setting.
3367         https://bugs.webkit.org/show_bug.cgi?id=173994
3368
3369         Reviewed by Sam Weinig.
3370
3371         * Configurations/FeatureDefines.xcconfig:
3372         * runtime/CommonIdentifiers.h:
3373
3374 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
3375
3376         Ran sort-Xcode-project-file.
3377
3378         * JavaScriptCore.xcodeproj/project.pbxproj:
3379
3380 2017-06-30  Matt Lewis  <jlewis3@apple.com>
3381
3382         Unreviewed, rolling out r218992.
3383
3384         The patch broke the iOS device builds.
3385
3386         Reverted changeset:
3387
3388         "DFG_ASSERT should allow stuffing registers before trapping."
3389         https://bugs.webkit.org/show_bug.cgi?id=174005
3390         http://trac.webkit.org/changeset/218992
3391
3392 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
3393
3394         RegExpCachedResult::setInput should reify left and right contexts
3395         https://bugs.webkit.org/show_bug.cgi?id=173818
3396
3397         Reviewed by Keith Miller.
3398         
3399         If you don't reify them in setInput, then when you later try to reify them, you'll end up
3400         using indices into an old input string to create a substring of a new input string. That
3401         never goes well.
3402
3403         * runtime/RegExpCachedResult.cpp:
3404         (JSC::RegExpCachedResult::setInput):
3405
3406 2017-06-30  Keith Miller  <keith_miller@apple.com>
3407
3408         DFG_ASSERT should allow stuffing registers before trapping.