[Win][Release] Crash when running testmasm executable.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-22  Per Arne Vollan  <pvollan@apple.com>

        [Win][Release] Crash when running testmasm executable.
        https://bugs.webkit.org/show_bug.cgi?id=175772

        Reviewed by Mark Lam.

        We need to save and restore the modified registers in case one or more registers are callee saved
        on the relevant platforms.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-21  Mark Lam  <mark.lam@apple.com>

        Change probe code to use static_assert instead of COMPILE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=175762

        Reviewed by JF Bastien.

        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Make generate_offset_extractor.rb architectures argument more robust
        https://bugs.webkit.org/show_bug.cgi?id=175809

        Reviewed by Joseph Pecoraro.

        It turns out that some of our builders pass their architectures as
        space separated lists.  I decided to just make the splitting of
        our list robust to any reasonable combination of spaces and
        commas.

        * offlineasm/generate_offset_extractor.rb:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
        https://bugs.webkit.org/show_bug.cgi?id=175690

        Reviewed by Michael Saboff.

        This should reduce some of the time we spend building offline asm
        in our builds (except for linux since they already did this).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * offlineasm/backends.rb:
        * offlineasm/generate_offset_extractor.rb:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Not reviewed.

        Make these files dependent on ENABLE(MASM_PROBE).

        * assembler/ProbeContext.cpp:
        * assembler/ProbeContext.h:
        * assembler/ProbeStack.cpp:
        * assembler/ProbeStack.h:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Reviewed by JF Bastien.

        With this patch, the clients of the MacroAssembler::probe() can now change
        stack values without having to worry about whether there is enough room in the
        current stack frame for it or not.  This is done using the Probe::Context's stack
        member like so:

            jit.probe([] (Probe::Context& context) {
                auto cpu = context.cpu;
                auto stack = context.stack();
                uintptr_t* currentSP = cpu.sp<uintptr_t*>();

                // Get a value at the current stack pointer location.
                auto value = stack.get<uintptr_t>(currentSP);

                // Set a value above the current stack pointer (within current frame).
                stack.set<uintptr_t>(currentSP + 10, value);

                // Set a value below the current stack pointer (out of current frame).
                stack.set<uintptr_t>(currentSP - 10, value);

                // Set the new stack pointer.
                cpu.sp() = currentSP - 20;
            });

        What happens behind the scene:

        1. the generated JIT probe code will now call Probe::executeProbe(), and
           Probe::executeProbe() will in turn call the client's probe function.

           Probe::executeProbe() receives the Probe::State on the machine stack passed
           to it by the probe trampoline.  Probe::executeProbe() will instantiate a
           Probe::Context to be passed to the client's probe function.  The client will
           no longer see the Probe::State directly.

        2. The Probe::Context comes with a Probe::Stack which serves as a manager of
           stack pages.  Currently, each page is 1K in size.
           Probe::Context::stack() returns a reference to an instance of Probe::Stack.

        3. Invoking get() or set() on Probe::Stack with an address will lead to the
           following:

           a. the address will be decoded to a baseAddress that points to the 1K page
              that contains that address.

           b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
              If so, go to step (f).  Else, continue with step (c).

           c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
              for that specified baseAddress to this mirror page.

           d. the mirror page will be added to the ProbeStack's m_pages HashMap,
              keyed on the baseAddress.

           e. the ProbeStack will also cache the last baseAddress and its corresponding
              mirror page in use.  With memory accesses tending to be localized, this
              will save us from having to look up the page in the HashMap.

           f. get() will map the requested address to a physical address in the mirror
              page, and return the value at that location.

           g. set() will map the requested address to a physical address in the mirror
              page, and set the value at that location in the mirror page.

              set() will also set a dirty bit corresponding to the "cache line" that
              was modified in the mirror page.

        4. When the client's probe function returns, Probe::executeProbe() will check if
           there are stack changes that need to be applied.  If stack changes are needed:

           a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
              space is available to flush the dirty stack pages.  It will also register a
              flushStackDirtyPages callback function in the Probe::State.  Thereafter,
              Probe::executeProbe() returns to the probe trampoline.

           b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
              a safe place if needed, and then calls the flushStackDirtyPages callback
              if needed.

           c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
              HashMap and flushes all dirty "cache lines" to the machine stack.
              Thereafter, flushStackDirtyPages() returns to the probe trampoline.

           d. lastly, the probe trampoline will restore all register values and return
              to the pc set in the Probe::State.

        To make this patch work, I also had to do the following work:

        5. Refactor MacroAssembler::CPUState into Probe::CPUState.
           Mainly, this means moving the code over to ProbeContext.h.
           I also added some convenience accessor methods for spr registers.

           Moved Probe::Context over to its own file ProbeContext.h/cpp.

        6. Fix all probe trampolines to pass the address of Probe::executeProbe in
           addition to the client's probe function and arg.

           I also took this opportunity to optimize the generated JIT probe code to
           minimize the amount of memory stores needed.

        7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
           either lr or pc (or neither), but not both in the same probe invocation.
           The ARM64 probe trampoline used to have to check for this invariant in the
           assembly trampoline code.  With the introduction of Probe::executeProbe(),
           we can now do it there and simplify the trampoline.

        8. Fix a bug in the old ARM64 probe trampoline for the case where the client
           changes lr.  That code path never worked before, but has now been fixed.

        9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
           MacroAssemblerARMv7.

           We can now use move() with TrustedImmPtr, and it does the same thing but in a
           more generic way.

       10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
           the same semantics as movs (according to the Thumb spec).  This means these
           instructions may trash the APSR flags before we have a chance to preserve them.

           This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
           early on.  This entails adding support for the mrs instruction in the
           ARMv7Assembler.

       11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
           the easy way.

           Also fixed testmasm tests which check flag registers to only compare the
           portions that are modifiable by the client i.e. some masking is applied.

        This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::mrs):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName): Deleted.
        (JSC::MacroAssembler::CPUState::sprName): Deleted.
        (JSC::MacroAssembler::CPUState::fprName): Deleted.
        (JSC::MacroAssembler::CPUState::gpr): Deleted.
        (JSC::MacroAssembler::CPUState::spr): Deleted.
        (JSC::MacroAssembler::CPUState::fpr): Deleted.
        (JSC:: const): Deleted.
        (JSC::MacroAssembler::CPUState::fpr const): Deleted.
        (JSC::MacroAssembler::CPUState::pc): Deleted.
        (JSC::MacroAssembler::CPUState::fp): Deleted.
        (JSC::MacroAssembler::CPUState::sp): Deleted.
        (JSC::MacroAssembler::CPUState::pc const): Deleted.
        (JSC::MacroAssembler::CPUState::fp const): Deleted.
        (JSC::MacroAssembler::CPUState::sp const): Deleted.
        (JSC::Probe::State::gpr): Deleted.
        (JSC::Probe::State::spr): Deleted.
        (JSC::Probe::State::fpr): Deleted.
        (JSC::Probe::State::gprName): Deleted.
        (JSC::Probe::State::sprName): Deleted.
        (JSC::Probe::State::fprName): Deleted.
        (JSC::Probe::State::pc): Deleted.
        (JSC::Probe::State::fp): Deleted.
        (JSC::Probe::State::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::arm64ProbeError): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::armV7Condition):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::ctiMasmProbeTrampoline):
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/ProbeContext.cpp: Added.
        (JSC::Probe::executeProbe):
        (JSC::Probe::handleProbeStackInitialization):
        (JSC::Probe::probeStateForContext):
        * assembler/ProbeContext.h: Added.
        (JSC::Probe::CPUState::gprName):
        (JSC::Probe::CPUState::sprName):
        (JSC::Probe::CPUState::fprName):
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::CPUState::fpr):
        (JSC::Probe:: const):
        (JSC::Probe::CPUState::fpr const):
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        (JSC::Probe::CPUState::pc const):
        (JSC::Probe::CPUState::fp const):
        (JSC::Probe::CPUState::sp const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::Context::stack):
        (JSC::Probe::Context::hasWritesToFlush):
        (JSC::Probe::Context::releaseStack):
        * assembler/ProbeStack.cpp: Added.
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::hasWritesToFlush):
        (JSC::Probe::Stack::flushWrites):
        (JSC::Probe::Stack::ensurePageFor):
        * assembler/ProbeStack.h: Added.
        (JSC::Probe::Page::baseAddressFor):
        (JSC::Probe::Page::chunkAddressFor):
        (JSC::Probe::Page::baseAddress):
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::hasWritesToFlush const):
        (JSC::Probe::Page::flushWritesIfNeeded):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::newStackPointer const):
        (JSC::Probe::Stack::setNewStackPointer):
        (JSC::Probe::Stack::isValid):
        (JSC::Probe::Stack::pageFor):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::run):
        (): Deleted.
        (JSC::fillStack): Deleted.
        (JSC::testProbeModifiesStackWithCallback): Deleted.
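
        The Probe::Stack mirror-page scheme described in this entry (steps 2 to 4), as an added example: a model written for this page, not WebKit's ProbeStack.h. Mirror pages are created on first access, writes set a dirty bit per chunk, and only dirty chunks are flushed back to the machine stack. The 1K page size comes from the entry; the 64-byte chunk size, the class and function names, and the fake machine-stack buffer with its sample value are assumptions made for the example.

```cpp
#include <cassert>
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>

namespace ShadowStack {
constexpr size_t PAGE_SIZE = 1024;             // 1K mirror pages, as in the entry
constexpr size_t CHUNK_SIZE = 64;              // dirty-bit granularity ("cache line"); assumed
constexpr size_t CHUNK_COUNT = PAGE_SIZE / CHUNK_SIZE;  // 16 dirty bits per page

// One mirror page: a private copy of the machine-stack page at m_base plus one dirty bit per chunk.
class Page {
public:
    static uintptr_t baseAddressFor(const void* addr) { return reinterpret_cast<uintptr_t>(addr) & ~uintptr_t(PAGE_SIZE - 1); }
    explicit Page(uintptr_t base) : m_base(base) { std::memcpy(m_mirror, reinterpret_cast<const void*>(base), PAGE_SIZE); } // step (c)
    template<typename T> T get(const void* addr) const
    {
        T value;
        std::memcpy(&value, m_mirror + offsetFor(addr, sizeof(T)), sizeof(T)); // step (f): read the mirror, not the stack
        return value;
    }
    template<typename T> void set(const void* addr, T value)
    {
        size_t offset = offsetFor(addr, sizeof(T));
        std::memcpy(m_mirror + offset, &value, sizeof(T));                      // step (g): write the mirror ...
        for (size_t i = offset / CHUNK_SIZE; i <= (offset + sizeof(T) - 1) / CHUNK_SIZE; ++i)
            m_dirty |= uint32_t(1) << i;                                        // ... and mark every chunk touched
    }
    // Copies dirty chunks back to the machine stack; returns how many were flushed.
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (size_t i = 0; i < CHUNK_COUNT; ++i) {
            if (!(m_dirty & (uint32_t(1) << i)))
                continue;
            std::memcpy(reinterpret_cast<void*>(m_base + i * CHUNK_SIZE), m_mirror + i * CHUNK_SIZE, CHUNK_SIZE);
            ++flushed;
        }
        m_dirty = 0;
        return flushed;
    }
private:
    size_t offsetFor(const void* addr, size_t size) const
    {
        size_t offset = reinterpret_cast<uintptr_t>(addr) - m_base;
        assert(offset + size <= PAGE_SIZE && "an access must not straddle a page boundary");
        return offset;
    }
    uintptr_t m_base;
    uint32_t m_dirty = 0;
    uint8_t m_mirror[PAGE_SIZE];
};

// The page manager: a HashMap of mirror pages keyed on base address (step (d)) plus
// a one-entry cache of the last page used (step (e)).
class Stack {
public:
    template<typename T> T get(const void* addr) { return pageFor(addr).get<T>(addr); }
    template<typename T> void set(const void* addr, T value) { pageFor(addr).set<T>(addr, value); }
    size_t pageCount() const { return m_pages.size(); }
    size_t flushWrites()
    {
        size_t flushed = 0;
        for (auto& entry : m_pages)
            flushed += entry.second->flushWrites();
        return flushed;
    }
private:
    Page& pageFor(const void* addr)
    {
        uintptr_t base = Page::baseAddressFor(addr);
        if (m_lastPage && m_lastBase == base)
            return *m_lastPage;                                                 // locality fast path
        auto it = m_pages.find(base);                                           // step (b)
        if (it == m_pages.end())
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;    // steps (c), (d)
        m_lastBase = base; m_lastPage = it->second.get();
        return *m_lastPage;
    }
    std::unordered_map<uintptr_t, std::unique_ptr<Page>> m_pages;
    uintptr_t m_lastBase = 0;
    Page* m_lastPage = nullptr;
};
} // namespace ShadowStack

struct DemoResult { size_t pagesTouched, chunksFlushed; bool untouchedBeforeFlush; uint64_t belowSpAfterFlush; };

// Replays the client code from the entry against a constructed stand-in for the machine
// stack: the probe's accesses hit mirror pages only, then the flush applies the dirty chunks.
DemoResult runProbeDemo()
{
    alignas(ShadowStack::PAGE_SIZE) static uint8_t machineStack[4 * ShadowStack::PAGE_SIZE];
    std::memset(machineStack, 0, sizeof machineStack);
    uint64_t* currentSP = reinterpret_cast<uint64_t*>(machineStack + 2 * ShadowStack::PAGE_SIZE);
    *currentSP = 0x1234567890abcdefULL;            // constructed sample value at "sp"
    ShadowStack::Stack stack;
    uint64_t value = stack.get<uint64_t>(currentSP);
    stack.set<uint64_t>(currentSP + 10, value);   // above sp: same page as sp
    stack.set<uint64_t>(currentSP - 10, value);   // below sp: the previous page, copied on first touch
    bool untouched = currentSP[10] == 0 && *(currentSP - 10) == 0; // machine stack still pristine
    size_t flushed = stack.flushWrites();          // step 4(c): only the two dirty chunks are written
    return { stack.pageCount(), flushed, untouched, *(currentSP - 10) };
}
```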

2017-08-19  Andy Estes  <aestes@apple.com>

        [Payment Request] Add interface stubs
        https://bugs.webkit.org/show_bug.cgi?id=175730

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-08-18  Per Arne Vollan  <pvollan@apple.com>

        Implement 32-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175449

        Reviewed by Mark Lam.

        This is needed to enable the DFG.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        (dllLauncherEntryPoint):
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2017-08-18  Mark Lam  <mark.lam@apple.com>

        Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
        https://bugs.webkit.org/show_bug.cgi?id=175725
        <rdar://problem/33965477>

        Rubber-stamped by JF Bastien.

        This is purely a refactoring patch (in preparation for the introduction of a
        Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
        later).  This patch does not change any semantics / behavior.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr): Deleted.
        (JSC::ProbeContext::spr): Deleted.
        (JSC::ProbeContext::fpr): Deleted.
        (JSC::ProbeContext::gprName): Deleted.
        (JSC::ProbeContext::sprName): Deleted.
        (JSC::ProbeContext::fprName): Deleted.
        (JSC::ProbeContext::pc): Deleted.
        (JSC::ProbeContext::fp): Deleted.
        (JSC::ProbeContext::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeError):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):
        (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.

2017-08-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
        https://bugs.webkit.org/show_bug.cgi?id=175693
        <rdar://problem/33952443>

        Reviewed by Saam Barati.

        64-bit constants in an unreachable context were being decoded as
        32-bit constants. This is pretty benign because unreachable code
        shouldn't occur often. The effect is that 64-bit constants which
        can't be encoded as 32-bit constants would cause the binary to be
        rejected.

        At the same time, 32-bit integer constants should be decoded as signed.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

2017-08-17  Robin Morisset  <rmorisset@apple.com>

        Teach DFGFixupPhase.cpp that the current scope is always a cell
        https://bugs.webkit.org/show_bug.cgi?id=175610

        Reviewed by Keith Miller.

        Also teach it that the argument to with can usually be speculated to be an object,
        since toObject() is called on it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
        https://bugs.webkit.org/show_bug.cgi?id=175644

        Reviewed by Brian Burg.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Only use 16 VFP registers if !CPU(ARM_NEON).
        https://bugs.webkit.org/show_bug.cgi?id=175514

        Reviewed by JF Bastien.

        Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
        says that there are only 16 128-bit NEON registers.  This change is merely to
        correct the code documentation of these registers.  The FPQuadRegisterID are
        currently unused.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::lastFPRegister):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastFPRegister):
        (JSC::ARMv7Assembler::fprName):
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARMv7.cpp:

2017-08-17  Andreas Kling  <akling@apple.com>

        Disable CSS regions at compile time
        https://bugs.webkit.org/show_bug.cgi?id=175630

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>

        [WPE][GTK] Ensure proper casting of data in gvariants
        https://bugs.webkit.org/show_bug.cgi?id=175667

        Reviewed by Michael Catanzaro.

        g_variant_new requires data to have the correct width for their types, using
        casting if necessary. Some data of type `unsigned` were being saved to `guint64`
        types without explicit casting, leading to undefined behavior on some platforms.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        (Inspector::RemoteInspector::listingForAutomationTarget const):
        (Inspector::RemoteInspector::sendMessageToRemote):

2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid code bloating for iteration if block does not have "break"
        https://bugs.webkit.org/show_bug.cgi?id=173228

        Reviewed by Keith Miller.

        Currently, we always emit code for the break path when emitting for-of iteration.
        But we can know whether this break path can be used when emitting the bytecode.

        This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
        the break label may be bound. We emit a breaked path only when it returns
        true. This reduces bytecode bloating when using for-of iteration.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        (JSC::BytecodeGenerator::emitLabel):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC::Label::bind const):
        (JSC::Label::hasOneRef const):
        (JSC::Label::isBound const):
        (JSC::Label::Label): Deleted.
        * bytecompiler/LabelScope.h:
        (JSC::LabelScope::hasOneRef const):
        (JSC::LabelScope::breakTargetMayBeBound const):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>

        ARM build fix after r220807 and r220834.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Unreviewed typo fix.

        * assembler/MacroAssemblerARM.cpp:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for ARM_TRADITIONAL after r220807.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Not reviewed.

        * assembler/MacroAssemblerARM.cpp:

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Add back the ability to disable MASM_PROBE from the build.
        https://bugs.webkit.org/show_bug.cgi?id=175656
        <rdar://problem/33933720>

        Reviewed by Yusuke Suzuki.

        This is needed for ports that the existing MASM_PROBE implementation doesn't work
        well with, e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
        default if !ENABLE(MASM_PROBE).

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-16  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Older-iOS install name symbols are being exported on other platforms
        https://bugs.webkit.org/show_bug.cgi?id=175654

        Reviewed by Tim Horton.

        * API/JSBase.cpp: Define the symbols only when targeting iOS.

2017-08-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
        https://bugs.webkit.org/show_bug.cgi?id=175617
        <rdar://problem/33912104>

        Reviewed by JF Bastien.

        This patch adds a new feature to MacroAssembler::probe() where the probe function
        can provide a ProbeFunction callback to fill in stack values after the stack
        pointer has been adjusted.  The probe function can use this feature as follows:

        1. Set the new sp value in the ProbeContext's CPUState.

        2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
           which will do the work of filling in the stack values after the probe
           trampoline has adjusted the machine stack pointer.

        3. Set the ProbeContext's initializeStackArgs to any value that the client wants
           to pass to the initializeStackFunction callback.

        4. Return from the probe function.

        Upon returning from the probe function, the probe trampoline will adjust the
        stack pointer based on the sp value in CPUState.  If initializeStackFunction
        is not set, the probe trampoline will restore registers and return to its caller.

        If initializeStackFunction is set, the trampoline will move the ProbeContext
        beyond the range of the stack pointer i.e. it will place the new ProbeContext at
        an address lower than where CPUState.sp() points.  This ensures that the
        ProbeContext will not be trashed by the initializeStackFunction when it writes to
        the stack.  Then, the trampoline will call back to the initializeStackFunction
        ProbeFunction to let it fill in the stack values as desired.  The
        initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
        the new location.

        initializeStackFunction may now write to the stack at addresses greater or
        equal to CPUState.sp(), but not below that.  initializeStackFunction is also
        not allowed to change CPUState.sp().  If the initializeStackFunction does not
        abide by these rules, then behavior is undefined, and bad things may happen.

        For future reference, some implementation details that this patch needed to
        be mindful of:

        1. When the probe trampoline allocates stack space for the ProbeContext, it
           should include OUT_SIZE as well.  This ensures that it doesn't have to move
           the ProbeContext on exit if the probe function didn't change the sp.

        2. If the trampoline has to move the ProbeContext, it needs to point the machine
           sp to new ProbeContext first before copying over the ProbeContext data.  This
           protects the new ProbeContext from possibly being trashed by interrupts.

        3. When computing the new address of ProbeContext to move to, we need to make
           sure that it is properly aligned in accordance with stack ABI requirements
           (just like we did when we allocated the ProbeContext on entry to the
           probe trampoline).

        4. When copying the ProbeContext to its new location, the trampoline should
           always copy words from low addresses to high addresses.  This is because if
           we're moving the ProbeContext, we'll always be moving it to a lower address.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):

2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>

        Fix JSCOnly ARM buildbots after r220047 and r220184
        https://bugs.webkit.org/show_bug.cgi?id=174993

        Reviewed by Carlos Alberto Lopez Perez.

        * CMakeLists.txt: Generate only one backend on Linux to save build time.

2017-08-16  Andy Estes  <aestes@apple.com>

        [Payment Request] Add an ENABLE flag and an experimental feature preference
        https://bugs.webkit.org/show_bug.cgi?id=175622

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2017-08-15  Robin Morisset  <rmorisset@apple.com>

        We are too conservative about the effects of PushWithScope
        https://bugs.webkit.org/show_bug.cgi?id=175584

        Reviewed by Saam Barati.

        PushWithScope converts its argument to an object (this can throw a type error,
        but has no other observable effect), and allocates a new scope, that it then
        makes the new current scope. We were a bit too
        conservative in saying that it clobbers the world.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Make DataTransferItemList work with plain text entries
        https://bugs.webkit.org/show_bug.cgi?id=175596

        Reviewed by Wenson Hsieh.

        Added DataTransferItem as a common identifier since it's a runtime enabled feature.

        * runtime/CommonIdentifiers.h:

2017-08-15  Robin Morisset  <rmorisset@apple.com>

        Support the 'with' keyword in FTL
        https://bugs.webkit.org/show_bug.cgi?id=175585

        Reviewed by Saam Barati.

739         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
740         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
741         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
742         that takes its parentScope argument first.
743
744         * bytecompiler/BytecodeGenerator.cpp:
745         (JSC::BytecodeGenerator::emitPushWithScope):
746         * debugger/DebuggerCallFrame.cpp:
747         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
748         * dfg/DFGByteCodeParser.cpp:
749         (JSC::DFG::ByteCodeParser::parseBlock):
750         * dfg/DFGFixupPhase.cpp:
751         (JSC::DFG::FixupPhase::fixupNode):
752         * dfg/DFGSpeculativeJIT.cpp:
753         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
754         * ftl/FTLCapabilities.cpp:
755         (JSC::FTL::canCompile):
756         * ftl/FTLLowerDFGToB3.cpp:
757         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
758         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
759         * jit/JITOperations.cpp:
760         * runtime/CommonSlowPaths.cpp:
761         (JSC::SLOW_PATH_DECL):
762         * runtime/Completion.cpp:
763         (JSC::evaluateWithScopeExtension):
764         * runtime/JSWithScope.cpp:
765         (JSC::JSWithScope::create):
766         * runtime/JSWithScope.h:
767
768 2017-08-15  Saam Barati  <sbarati@apple.com>
769
770         Make VM::scratchBufferForSize thread safe
771         https://bugs.webkit.org/show_bug.cgi?id=175604
772
773         Reviewed by Geoffrey Garen and Mark Lam.
774
775         I want to use the VM::scratchBufferForSize in another patch I'm writing.
776         The use case for my other patch is to call it from the compiler thread.
777         When reading the code, I saw that this API was not thread safe. This patch
778         makes it thread safe. It actually turns out we were calling this API from
779         the compiler thread already when we created FTL::State for an FTL OSR entry
780         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
781         is now correct with this patch.
782
783         * runtime/VM.cpp:
784         (JSC::VM::VM):
785         (JSC::VM::~VM):
786         (JSC::VM::gatherConservativeRoots):
787         (JSC::VM::scratchBufferForSize):
788         * runtime/VM.h:
789         (JSC::VM::scratchBufferForSize): Deleted.
790
791 2017-08-15  Keith Miller  <keith_miller@apple.com>
792
793         JSC named bytecode offsets should use references rather than pointers
794         https://bugs.webkit.org/show_bug.cgi?id=175601
795
796         Reviewed by Saam Barati.
797
798         * dfg/DFGByteCodeParser.cpp:
799         (JSC::DFG::ByteCodeParser::parseBlock):
800         * jit/JITOpcodes.cpp:
801         (JSC::JIT::emit_op_overrides_has_instance):
802         (JSC::JIT::emit_op_instanceof):
803         (JSC::JIT::emitSlow_op_instanceof):
804         (JSC::JIT::emitSlow_op_instanceof_custom):
805         * jit/JITOpcodes32_64.cpp:
806         (JSC::JIT::emit_op_overrides_has_instance):
807         (JSC::JIT::emit_op_instanceof):
808         (JSC::JIT::emitSlow_op_instanceof):
809         (JSC::JIT::emitSlow_op_instanceof_custom):
810
811 2017-08-15  Keith Miller  <keith_miller@apple.com>
812
813         Enable named offsets into JSC bytecodes
814         https://bugs.webkit.org/show_bug.cgi?id=175561
815
816         Reviewed by Mark Lam.
817
818         This patch adds the ability to add named offsets into JSC's
819         bytecodes.  In the bytecode json file, instead of listing a
820         length, you can now list a set of names and their types. Each
821         opcode with an offsets property will have a struct named after the
822         opcode by in our C++ naming style. For example,
823         op_overrides_has_instance would become OpOverridesHasInstance. The
824         struct has the same memory layout as the instruction list has but
825         comes with handy named accessors.
826
827         As a first cut I converted the various instanceof bytecodes to use
828         named offsets.
829
830         As an example op_overrides_has_instance produces the following struct:
831
832         struct OpOverridesHasInstance {
833         public:
834             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
835             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
836             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
837             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
838             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
839             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
840             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
841             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
842
843         private:
844             friend class LLIntOffsetsExtractor;
845             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
846             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
847             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
848             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
849         };
850
851         * CMakeLists.txt:
852         * DerivedSources.make:
853         * JavaScriptCore.xcodeproj/project.pbxproj:
854         * bytecode/BytecodeList.json:
855         * dfg/DFGByteCodeParser.cpp:
856         (JSC::DFG::ByteCodeParser::parseBlock):
857         * generate-bytecode-files:
858         * jit/JITOpcodes.cpp:
859         (JSC::JIT::emit_op_overrides_has_instance):
860         (JSC::JIT::emit_op_instanceof):
861         (JSC::JIT::emitSlow_op_instanceof):
862         (JSC::JIT::emitSlow_op_instanceof_custom):
863         * jit/JITOpcodes32_64.cpp:
864         (JSC::JIT::emit_op_overrides_has_instance):
865         (JSC::JIT::emit_op_instanceof):
866         (JSC::JIT::emitSlow_op_instanceof):
867         (JSC::JIT::emitSlow_op_instanceof_custom):
868         * llint/LLIntOffsetsExtractor.cpp:
869         * llint/LowLevelInterpreter.asm:
870         * llint/LowLevelInterpreter32_64.asm:
871         * llint/LowLevelInterpreter64.asm:
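
To show what "the same memory layout as the instruction list" buys, here is an added example (not JSC's code) that overlays the struct from the entry on a constructed instruction stream; Opcode and Instruction are stand-in definitions, with Instruction modelled as a single machine-word union.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <type_traits>

// Stand-ins for JSC's Opcode and Instruction (assumptions for this example,
// not the real definitions): each instruction slot is one machine word.
enum class Opcode : intptr_t { op_overrides_has_instance = 1 }; // constructed id
union Instruction {
    Opcode opcode;
    int operand;
    void* pointer;
};
static_assert(sizeof(Instruction) == sizeof(void*), "model assumes word-sized instruction slots");

// The struct shown in the entry, reproduced apart from the stand-in types.
struct OpOverridesHasInstance {
public:
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// Each aligned_storage slot is padded to one Instruction, so the struct is
// exactly as long as the "length" the json used to list: four slots.
constexpr size_t kOpOverridesHasInstanceLength = sizeof(OpOverridesHasInstance) / sizeof(Instruction);
static_assert(kOpOverridesHasInstanceLength == 4, "named offsets must match the opcode length");
static_assert(std::is_standard_layout<OpOverridesHasInstance>::value, "layout must be predictable");

struct Decoded { Opcode opcode; int dst; int constructor; int hasInstanceValue; };

// Overlay the struct on the instruction stream at pc and read operands by name
// instead of by hand-counted offsets such as pc[1].operand.
Decoded decodeOverridesHasInstance(const Instruction* pc)
{
    const auto& op = *reinterpret_cast<const OpOverridesHasInstance*>(pc);
    return { op.opcode(), op.dst(), op.constructor(), op.hasInstanceValue() };
}

// The non-const accessors write straight through to the underlying slots.
void setDst(Instruction* pc, int newDst)
{
    reinterpret_cast<OpOverridesHasInstance*>(pc)->dst() = newDst;
}

// Constructed instruction stream: opcode followed by the three operand registers.
std::array<Instruction, 4> makeSampleStream()
{
    std::array<Instruction, 4> stream {};
    stream[0].opcode = Opcode::op_overrides_has_instance;
    stream[1].operand = 3; // dst
    stream[2].operand = 5; // constructor
    stream[3].operand = 7; // hasInstanceValue
    return stream;
}

int main()
{
    auto stream = makeSampleStream();
    Decoded d = decodeOverridesHasInstance(stream.data());
    std::printf("dst=%d constructor=%d hasInstanceValue=%d length=%zu\n",
                d.dst, d.constructor, d.hasInstanceValue, kOpOverridesHasInstanceLength);
    return 0;
}
```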
872
873 2017-08-15  Mark Lam  <mark.lam@apple.com>
874
875         Update testmasm to use new CPUState APIs.
876         https://bugs.webkit.org/show_bug.cgi?id=175573
877
878         Reviewed by Keith Miller.
879
880         1. Applied convenience CPUState accessors to minimize casting.
881         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
882            messages.
883         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
884            casting is (mostly) no longer an issue.
885         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
886            to make it clear that we're comparing against the bit values of testWord64(id).
887         5. Added a "Completed N tests" message at the end of running all tests.
888            This makes it easy to tell at a glance that testmasm completed successfully
889            versus when it crashed midway in a test.  The number of tests also serves as
890            a quick checksum to confirm that we ran the number of tests we expected.
891
892         * assembler/testmasm.cpp:
893         (WTF::printInternal):
894         (JSC::testSimple):
895         (JSC::testProbeReadsArgumentRegisters):
896         (JSC::testProbeWritesArgumentRegisters):
897         (JSC::testProbePreservesGPRS):
898         (JSC::testProbeModifiesStackPointer):
899         (JSC::testProbeModifiesProgramCounter):
900         (JSC::run):
901
902 2017-08-14  Keith Miller  <keith_miller@apple.com>
903
904         Add testing tool to lie to the DFG about profiles
905         https://bugs.webkit.org/show_bug.cgi?id=175487
906
907         Reviewed by Saam Barati.
908
909         This patch adds a new bytecode identity_with_profile that lets
910         us lie to the DFG about what profiles it has seen as the input to
911         another bytecode. Previously, there was no reliable way to force
912         a given profile when we tiered up.
913
914         * bytecode/BytecodeDumper.cpp:
915         (JSC::BytecodeDumper<Block>::dumpBytecode):
916         * bytecode/BytecodeIntrinsicRegistry.h:
917         * bytecode/BytecodeList.json:
918         * bytecode/BytecodeUseDef.h:
919         (JSC::computeUsesForBytecodeOffset):
920         (JSC::computeDefsForBytecodeOffset):
921         * bytecode/SpeculatedType.cpp:
922         (JSC::speculationFromString):
923         * bytecode/SpeculatedType.h:
924         * bytecompiler/BytecodeGenerator.cpp:
925         (JSC::BytecodeGenerator::emitIdWithProfile):
926         * bytecompiler/BytecodeGenerator.h:
927         * bytecompiler/NodesCodegen.cpp:
928         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
929         * dfg/DFGAbstractInterpreterInlines.h:
930         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
931         * dfg/DFGByteCodeParser.cpp:
932         (JSC::DFG::ByteCodeParser::parseBlock):
933         * dfg/DFGCapabilities.cpp:
934         (JSC::DFG::capabilityLevel):
935         * dfg/DFGClobberize.h:
936         (JSC::DFG::clobberize):
937         * dfg/DFGDoesGC.cpp:
938         (JSC::DFG::doesGC):
939         * dfg/DFGFixupPhase.cpp:
940         (JSC::DFG::FixupPhase::fixupNode):
941         * dfg/DFGMayExit.cpp:
942         * dfg/DFGNode.h:
943         (JSC::DFG::Node::getForcedPrediction):
944         * dfg/DFGNodeType.h:
945         * dfg/DFGPredictionPropagationPhase.cpp:
946         * dfg/DFGSafeToExecute.h:
947         (JSC::DFG::safeToExecute):
948         * dfg/DFGSpeculativeJIT32_64.cpp:
949         (JSC::DFG::SpeculativeJIT::compile):
950         * dfg/DFGSpeculativeJIT64.cpp:
951         (JSC::DFG::SpeculativeJIT::compile):
952         * dfg/DFGValidate.cpp:
953         * jit/JIT.cpp:
954         (JSC::JIT::privateCompileMainPass):
955         * jit/JIT.h:
956         * jit/JITOpcodes.cpp:
957         (JSC::JIT::emit_op_identity_with_profile):
958         * jit/JITOpcodes32_64.cpp:
959         (JSC::JIT::emit_op_identity_with_profile):
960         * llint/LowLevelInterpreter.asm:
961
962 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
963
964         Remove Proximity Events and related code
965         https://bugs.webkit.org/show_bug.cgi?id=175545
966
967         Reviewed by Daniel Bates.
968
969         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
970         and other related code.
971
972         * Configurations/FeatureDefines.xcconfig:
973
974 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
975
976         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
977         https://bugs.webkit.org/show_bug.cgi?id=175504
978
979         Reviewed by Sam Weinig.
980
981         * Configurations/FeatureDefines.xcconfig:
982
983 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
984
985         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
986         https://bugs.webkit.org/show_bug.cgi?id=175557
987
988         Reviewed by Jon Lee.
989
990         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
991
992         * Configurations/FeatureDefines.xcconfig:
993
994 2017-08-14  Robin Morisset  <rmorisset@apple.com>
995
996         Support the 'with' keyword in DFG
997         https://bugs.webkit.org/show_bug.cgi?id=175470
998
999         Reviewed by Saam Barati.
1000
1001         Not particularly optimized at the moment, the goal is just to avoid
1002         the DFG bailing out of any function with this keyword.
1003
1004         * dfg/DFGAbstractInterpreterInlines.h:
1005         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1006         * dfg/DFGByteCodeParser.cpp:
1007         (JSC::DFG::ByteCodeParser::parseBlock):
1008         * dfg/DFGCapabilities.cpp:
1009         (JSC::DFG::capabilityLevel):
1010         * dfg/DFGClobberize.h:
1011         (JSC::DFG::clobberize):
1012         * dfg/DFGDoesGC.cpp:
1013         (JSC::DFG::doesGC):
1014         * dfg/DFGFixupPhase.cpp:
1015         (JSC::DFG::FixupPhase::fixupNode):
1016         * dfg/DFGNodeType.h:
1017         * dfg/DFGPredictionPropagationPhase.cpp:
1018         * dfg/DFGSafeToExecute.h:
1019         (JSC::DFG::safeToExecute):
1020         * dfg/DFGSpeculativeJIT.cpp:
1021         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
1022         * dfg/DFGSpeculativeJIT.h:
1023         (JSC::DFG::SpeculativeJIT::callOperation):
1024         * dfg/DFGSpeculativeJIT32_64.cpp:
1025         (JSC::DFG::SpeculativeJIT::compile):
1026         * dfg/DFGSpeculativeJIT64.cpp:
1027         (JSC::DFG::SpeculativeJIT::compile):
1028         * jit/JITOperations.cpp:
1029         * jit/JITOperations.h:
1030
1031 2017-08-14  Mark Lam  <mark.lam@apple.com>
1032
1033         Add some convenience utility accessor methods to MacroAssembler::CPUState.
1034         https://bugs.webkit.org/show_bug.cgi?id=175549
1035         <rdar://problem/33884868>
1036
1037         Reviewed by Saam Barati.
1038
1039         Previously, in order to read ProbeContext CPUState registers, we used to need to
1040         do it this way:
1041
1042             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
1043             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
1044             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
1045             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
1046
1047         With this patch, we can now read them this way instead:
1048         
1049             ExecState* exec = cpu.fp<ExecState*>();
1050             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
1051             void* p = cpu.gpr<void*>(GPRInfo::regT1);
1052             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
1053
1054         * assembler/MacroAssembler.h:
1055         (JSC:: const):
1056         (JSC::MacroAssembler::CPUState::fpr const):
1057         (JSC::MacroAssembler::CPUState::pc const):
1058         (JSC::MacroAssembler::CPUState::fp const):
1059         (JSC::MacroAssembler::CPUState::sp const):
1060         (JSC::ProbeContext::pc):
1061         (JSC::ProbeContext::fp):
1062         (JSC::ProbeContext::sp):
1063
1064 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1065
1066         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1067         https://bugs.webkit.org/show_bug.cgi?id=174921
1068
1069         Reviewed by Mark Lam.
1070         
1071         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1072
1073         * dfg/DFGSpeculativeJIT.cpp:
1074         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1075         * ftl/FTLLowerDFGToB3.cpp:
1076         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1077         * jit/JITPropertyAccess.cpp:
1078         (JSC::JIT::emitScopedArgumentsGetByVal):
1079         * runtime/ScopedArgumentsTable.cpp:
1080         (JSC::ScopedArgumentsTable::create):
1081         (JSC::ScopedArgumentsTable::setLength):
1082         * runtime/ScopedArgumentsTable.h:
1083
1084 2017-08-14  Mark Lam  <mark.lam@apple.com>
1085
1086         Gardening: fix Windows build.
1087         https://bugs.webkit.org/show_bug.cgi?id=175446
1088
1089         Not reviewed.
1090
1091         * assembler/MacroAssemblerX86Common.cpp:
1092         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1093         (JSC::ctiMasmProbeTrampoline):
1094
1095 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1096
1097         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1098         https://bugs.webkit.org/show_bug.cgi?id=175512
1099         <rdar://problem/33863584>
1100
1101         Reviewed by Mark Lam.
1102
1103         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1104         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1105
1106 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1107
1108         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1109         https://bugs.webkit.org/show_bug.cgi?id=175513
1110
1111         Reviewed by Mark Lam.
1112
1113         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1114
1115 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1116
1117         FTL's compileGetTypedArrayByteOffset needs to do caging
1118         https://bugs.webkit.org/show_bug.cgi?id=175366
1119
1120         Reviewed by Saam Barati.
1121         
1122         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1123         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1124
1125         * dfg/DFGSpeculativeJIT.cpp:
1126         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1127         * ftl/FTLLowerDFGToB3.cpp:
1128         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1129         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1130         * runtime/ArrayBuffer.h:
1131         * runtime/ArrayBufferView.h:
1132         * runtime/JSArrayBufferView.h:
1133
1134 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1135
1136         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1137         https://bugs.webkit.org/show_bug.cgi?id=175474
1138         <rdar://problem/33844628>
1139
1140         Reviewed by Wenson Hsieh.
1141
1142         * Configurations/FeatureDefines.xcconfig:
1143         * runtime/CommonIdentifiers.h:
1144
1145 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1146
1147         Caging shouldn't have to use a patchpoint for adding
1148         https://bugs.webkit.org/show_bug.cgi?id=175483
1149
1150         Reviewed by Mark Lam.
1151
1152         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1153         constants and associative operations dictate that you always want to sink constants. For example,
1154         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1155         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1156         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1157         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1158         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1159         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1160         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1161         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1162         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1163         hacks for just stopping B3's reassociation only in this specific case.
1164         
1165         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1166         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1167         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1168         that if we cage the same pointer in two places, both places will compute the same value.
1169         
1170         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1171         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1172         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1173         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1174         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1175         enough scale to warrant new opcodes.)
1176         
1177         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1178         makes the code a bit less ugly.
1179
1180         * b3/B3LowerToAir.cpp:
1181         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1182         (JSC::B3::Air::LowerToAir::lower):
1183         * b3/B3Opcode.cpp:
1184         (WTF::printInternal):
1185         * b3/B3Opcode.h:
1186         * b3/B3ReduceStrength.cpp:
1187         * b3/B3Validate.cpp:
1188         * b3/B3Value.cpp:
1189         (JSC::B3::Value::effects const):
1190         (JSC::B3::Value::key const):
1191         (JSC::B3::Value::isFree const):
1192         (JSC::B3::Value::typeFor):
1193         * b3/B3Value.h:
1194         * b3/B3ValueKey.cpp:
1195         (JSC::B3::ValueKey::materialize const):
1196         * ftl/FTLLowerDFGToB3.cpp:
1197         (JSC::FTL::DFG::LowerDFGToB3::caged):
1198         * ftl/FTLOutput.cpp:
1199         (JSC::FTL::Output::opaque):
1200         * ftl/FTLOutput.h:
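
The reassociation hazard and the Opaque fix described above, as an added example on a toy IR (not B3 and not JSC's code): a "sink constants" rewrite of the kind the entry names is run over Add(ptr, largeConstant) with and without an Opaque wrapper, and the large constant is a constructed stand-in.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical toy IR with only the shapes the entry talks about.
enum class Kind { Const, Var, Add, Opaque };

struct Node {
    Kind kind;
    long long value = 0;   // Const
    std::string name;      // Var
    Node* lhs = nullptr;   // Add: left operand; Opaque: its single operand
    Node* rhs = nullptr;   // Add: right operand
};

// Owns every node so the rewrite below can build fresh nodes freely.
struct Arena {
    std::vector<std::unique_ptr<Node>> nodes;
    Node* constant(long long v) { return push({ Kind::Const, v, "", nullptr, nullptr }); }
    Node* var(std::string n) { return push({ Kind::Var, 0, std::move(n), nullptr, nullptr }); }
    Node* add(Node* l, Node* r) { return push({ Kind::Add, 0, "", l, r }); }
    Node* opaque(Node* x) { return push({ Kind::Opaque, 0, "", x, nullptr }); }
    Node* push(Node n)
    {
        nodes.push_back(std::make_unique<Node>(std::move(n)));
        return nodes.back().get();
    }
};

std::string print(const Node* n)
{
    switch (n->kind) {
    case Kind::Const: return std::to_string(n->value);
    case Kind::Var: return n->name;
    case Kind::Add: return "Add(" + print(n->lhs) + ", " + print(n->rhs) + ")";
    case Kind::Opaque: return "Opaque(" + print(n->lhs) + ")";
    }
    return "?";
}

// The "always sink constants" heuristic: Add(Add(a, constant), b) becomes
// Add(Add(a, b), constant). Opaque is an unknown pure unary operation, so the
// rewrite never looks inside it and the constant stays attached to the cage.
Node* sinkConstants(Arena& a, Node* n)
{
    if (n->kind != Kind::Add)
        return n;
    Node* l = sinkConstants(a, n->lhs);
    Node* r = sinkConstants(a, n->rhs);
    if (l->kind == Kind::Const)
        std::swap(l, r); // canonical form: constant on the right
    if (l->kind == Kind::Add && l->rhs->kind == Kind::Const && r->kind != Kind::Const)
        return a.add(a.add(l->lhs, r), l->rhs);
    return a.add(l, r);
}

// Structural key for CSE: Opaque(x) keys the same as any other Opaque(x), which
// is what lets two caged copies of the same pointer be merged.
bool sameValue(const Node* x, const Node* y) { return print(x) == print(y); }

constexpr long long kCageConstant = 1LL << 32; // constructed stand-in for the large constant

// Cage a pointer, then add an index to it, and show the tree after sinking.
std::string cagedThenIndexed(bool protect)
{
    Arena a;
    Node* cage = a.add(a.var("ptr"), a.constant(kCageConstant));
    if (protect)
        cage = a.opaque(cage);
    return print(sinkConstants(a, a.add(cage, a.var("index"))));
}

// Two separately built Opaque cages of one pointer still compare as equal values.
bool opaqueCagesAreMergeable()
{
    Arena a;
    Node* first = a.opaque(a.add(a.var("ptr"), a.constant(kCageConstant)));
    Node* second = a.opaque(a.add(a.var("ptr"), a.constant(kCageConstant)));
    return sameValue(first, second);
}

int main()
{
    std::printf("unprotected: %s\n", cagedThenIndexed(false).c_str());
    std::printf("with Opaque: %s\n", cagedThenIndexed(true).c_str());
    std::printf("Opaque cages mergeable: %s\n", opaqueCagesAreMergeable() ? "yes" : "no");
    return 0;
}
```

Without Opaque the constant sinks past the index and is no longer part of the shared cage computation; with Opaque the Add(ptr, constant) survives intact and stays CSE-able.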
1201
1202 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1203
1204         ScopedArguments overflow storage needs to be in the JSValue gigacage
1205         https://bugs.webkit.org/show_bug.cgi?id=174923
1206
1207         Reviewed by Saam Barati.
1208         
1209         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1210         object into the JSValue gigacage.
1211
1212         * dfg/DFGSpeculativeJIT.cpp:
1213         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1214         * ftl/FTLLowerDFGToB3.cpp:
1215         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1216         * jit/JITPropertyAccess.cpp:
1217         (JSC::JIT::emitScopedArgumentsGetByVal):
1218         * runtime/ScopedArguments.h:
1219         (JSC::ScopedArguments::subspaceFor):
1220         (JSC::ScopedArguments::overflowStorage const):
1221
1222 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1223
1224         JSLexicalEnvironment needs to be in the JSValue gigacage
1225         https://bugs.webkit.org/show_bug.cgi?id=174922
1226
1227         Reviewed by Michael Saboff.
1228         
1229         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1230         the only random accesses use pointer caging.
1231         
1232         We don't need to do anything to normal lexical environment accesses.
1233
1234         * dfg/DFGSpeculativeJIT.cpp:
1235         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1236         * ftl/FTLLowerDFGToB3.cpp:
1237         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1238         * runtime/JSEnvironmentRecord.h:
1239         (JSC::JSEnvironmentRecord::subspaceFor):
1240         (JSC::JSEnvironmentRecord::variables):
1241
1242 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1243
1244         DirectArguments should be in the JSValue gigacage
1245         https://bugs.webkit.org/show_bug.cgi?id=174920
1246
1247         Reviewed by Michael Saboff.
1248         
1249         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1250         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1251         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1252         required to use fixed offsets, and you can only store JSValues.
1253
1254         * dfg/DFGSpeculativeJIT.cpp:
1255         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1256         * ftl/FTLLowerDFGToB3.cpp:
1257         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1258         * jit/JITPropertyAccess.cpp:
1259         (JSC::JIT::emitDirectArgumentsGetByVal):
1260         * runtime/DirectArguments.h:
1261         (JSC::DirectArguments::subspaceFor):
1262         (JSC::DirectArguments::storage):
1263         * runtime/VM.cpp:
1264         (JSC::VM::VM):
1265         * runtime/VM.h:
1266
1267 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1268
1269         Unreviewed, add a FIXME.
1270
1271         * ftl/FTLLowerDFGToB3.cpp:
1272         (JSC::FTL::DFG::LowerDFGToB3::caged):
1273
1274 2017-08-10  Sam Weinig  <sam@webkit.org>
1275
1276         WTF::Function does not allow for reference / non-default constructible return types
1277         https://bugs.webkit.org/show_bug.cgi?id=175244
1278
1279         Reviewed by Chris Dumez.
1280
1281         * runtime/ArrayBuffer.cpp:
1282         (JSC::ArrayBufferContents::transferTo):
1283         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1284         destroy call needed to be a no-op anyway, since the data is being moved.
1285
1286 2017-08-11  Mark Lam  <mark.lam@apple.com>
1287
1288         Gardening: fix CLoop build.
1289         https://bugs.webkit.org/show_bug.cgi?id=175446
1290         <rdar://problem/33836545>
1291
1292         Not reviewed.
1293
1294         * assembler/MacroAssemblerPrinter.cpp:
1295
1296 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1297
1298         DFG should do caging
1299         https://bugs.webkit.org/show_bug.cgi?id=174918
1300
1301         Reviewed by Saam Barati.
1302         
1303         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1304         the conditional caging with a watchpoint.
1305         
1306         This might be a 1% SunSpider slow-down, but it's not clear.
1307
1308         * dfg/DFGSpeculativeJIT.cpp:
1309         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1310         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1311         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1312         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1313         (JSC::DFG::SpeculativeJIT::compileSpread):
1314         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1315         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1316         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1317         * dfg/DFGSpeculativeJIT.h:
1318         * dfg/DFGSpeculativeJIT64.cpp:
1319         (JSC::DFG::SpeculativeJIT::compile):
1320
1321 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1322
1323         Unreviewed, build fix for x86 GTK port
1324         https://bugs.webkit.org/show_bug.cgi?id=175446
1325
1326         Use pushfl/popfl instead of pushfd/popfd.
1327
1328         * assembler/MacroAssemblerX86Common.cpp:
1329
1330 2017-08-10  Mark Lam  <mark.lam@apple.com>
1331
1332         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1333         https://bugs.webkit.org/show_bug.cgi?id=175446
1334         <rdar://problem/33836545>
1335
1336         Reviewed by Saam Barati.
1337
1338         * assembler/AbstractMacroAssembler.h:
1339         * assembler/MacroAssembler.cpp:
1340         (JSC::MacroAssembler::probe):
1341         * assembler/MacroAssembler.h:
1342         * assembler/MacroAssemblerARM.cpp:
1343         (JSC::MacroAssembler::probe):
1344         * assembler/MacroAssemblerARM.h:
1345         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1346         * assembler/MacroAssemblerARM64.cpp:
1347         (JSC::MacroAssembler::probe):
1348         * assembler/MacroAssemblerARMv7.cpp:
1349         (JSC::MacroAssembler::probe):
1350         * assembler/MacroAssemblerARMv7.h:
1351         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1352         * assembler/MacroAssemblerPrinter.cpp:
1353         * assembler/MacroAssemblerPrinter.h:
1354         * assembler/MacroAssemblerX86Common.cpp:
1355         * assembler/testmasm.cpp:
1356         (JSC::isSpecialGPR):
1357         (JSC::testProbeModifiesProgramCounter):
1358         (JSC::run):
1359         * b3/B3LowerToAir.cpp:
1360         (JSC::B3::Air::LowerToAir::print):
1361         * b3/air/AirPrintSpecial.cpp:
1362         * b3/air/AirPrintSpecial.h:
1363
1364 2017-08-10  Mark Lam  <mark.lam@apple.com>
1365
1366         Apply the UNLIKELY macro to some unlikely things.
1367         https://bugs.webkit.org/show_bug.cgi?id=175440
1368         <rdar://problem/33834767>
1369
1370         Reviewed by Yusuke Suzuki.
1371
1372         * bytecode/CodeBlock.cpp:
1373         (JSC::CodeBlock::~CodeBlock):
1374         (JSC::CodeBlock::jettison):
1375         * dfg/DFGByteCodeParser.cpp:
1376         (JSC::DFG::ByteCodeParser::handleCall):
1377         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1378         (JSC::DFG::ByteCodeParser::handleGetById):
1379         (JSC::DFG::ByteCodeParser::handlePutById):
1380         (JSC::DFG::ByteCodeParser::parseBlock):
1381         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1382         * dfg/DFGJITCompiler.cpp:
1383         (JSC::DFG::JITCompiler::JITCompiler):
1384         (JSC::DFG::JITCompiler::linkOSRExits):
1385         (JSC::DFG::JITCompiler::link):
1386         (JSC::DFG::JITCompiler::disassemble):
1387         * dfg/DFGJITFinalizer.cpp:
1388         (JSC::DFG::JITFinalizer::finalizeCommon):
1389         * dfg/DFGOSRExit.cpp:
1390         (JSC::DFG::OSRExit::compileOSRExit):
1391         * dfg/DFGPlan.cpp:
1392         (JSC::DFG::Plan::Plan):
1393         * ftl/FTLJITFinalizer.cpp:
1394         (JSC::FTL::JITFinalizer::finalizeCommon):
1395         * ftl/FTLLink.cpp:
1396         (JSC::FTL::link):
1397         * ftl/FTLOSRExitCompiler.cpp:
1398         (JSC::FTL::compileStub):
1399         * jit/JIT.cpp:
1400         (JSC::JIT::privateCompileMainPass):
1401         (JSC::JIT::compileWithoutLinking):
1402         (JSC::JIT::link):
1403         * runtime/ScriptExecutable.cpp:
1404         (JSC::ScriptExecutable::installCode):
1405         * runtime/VM.cpp:
1406         (JSC::VM::VM):
1407
1408 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1409
1410         [WTF] ThreadSpecific should not introduce additional indirection
1411         https://bugs.webkit.org/show_bug.cgi?id=175187
1412
1413         Reviewed by Mark Lam.
1414
1415         * runtime/Identifier.cpp:
1416
1417 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1418
1419         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1420         https://bugs.webkit.org/show_bug.cgi?id=175436
1421         <rdar://problem/33667497>
1422
1423         Reviewed by Simon Fraser.
1424
1425         * interpreter/Interpreter.cpp:
1426         (JSC::Interpreter::Interpreter):
1427
1428 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1429
1430         Remove ENABLE_GAMEPAD_DEPRECATED
1431         https://bugs.webkit.org/show_bug.cgi?id=175361
1432
1433         Reviewed by Carlos Garcia Campos.
1434
1435         * Configurations/FeatureDefines.xcconfig:
1436
1437 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1438
1439         [JSC] Create JSSet constructor that accepts its size as parameter
1440         https://bugs.webkit.org/show_bug.cgi?id=173297
1441
1442         Reviewed by Saam Barati.
1443
1444         This patch adds a new constructor to JSSet that takes its
1445         expected initial size. It is important to avoid re-hashing and multiple
1446         allocations when we know the final size of the JSSet, such as in
1447         CodeBlock::setConstantIdentifierSetRegisters.
1448
1449         * bytecode/CodeBlock.cpp:
1450         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1451         * runtime/HashMapImpl.h:
1452         (JSC::HashMapImpl::HashMapImpl):
1453         * runtime/JSSet.h:
1454
1455 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1456
1457         Unreviewed, rolling out r220466, r220477, and r220487.
1458         https://bugs.webkit.org/show_bug.cgi?id=175411
1459
1460         This change broke existing API tests and follow up fixes did
1461         not resolve all the issues. (Requested by ryanhaddad on
1462         #webkit).
1463
1464         Reverted changesets:
1465
1466         https://bugs.webkit.org/show_bug.cgi?id=175244
1467         http://trac.webkit.org/changeset/220466
1468
1469         "WTF::Function does not allow for reference / non-default
1470         constructible return types"
1471         https://bugs.webkit.org/show_bug.cgi?id=175244
1472         http://trac.webkit.org/changeset/220477
1473
1474         https://bugs.webkit.org/show_bug.cgi?id=175244
1475         http://trac.webkit.org/changeset/220487
1476
1477 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1478
1479         Early error on ANY operator before new.target
1480         https://bugs.webkit.org/show_bug.cgi?id=157970
1481
1482         Reviewed by Saam Barati.
1483
1484         Instead of throwing if any unary operator precedes new.target, only
1485         throw if the unary operator updates the reference.
1486
1487         The following become legal in JSC:
1488
1489         ```
1490         !new.target
1491         ~new.target
1492         typeof new.target
1493         delete new.target
1494         void new.target
1495         ```
1496
1497         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
1498
1499         * parser/Parser.cpp:
1500         (JSC::Parser<LexerType>::parseUnaryExpression):
1501
1502 2017-08-09  Sam Weinig  <sam@webkit.org>
1503
1504         WTF::Function does not allow for reference / non-default constructible return types
1505         https://bugs.webkit.org/show_bug.cgi?id=175244
1506
1507         Reviewed by Chris Dumez.
1508
1509         * runtime/ArrayBuffer.cpp:
1510         (JSC::ArrayBufferContents::transferTo):
1511         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1512         destroy call needed to be a no-op anyway, since the data is being moved.
1513
1514 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1515
1516         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1517         https://bugs.webkit.org/show_bug.cgi?id=175392
1518         <rdar://problem/33783207>
1519
1520         Reviewed by Tim Horton and Megan Gardner.
1521
1522         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1523
1524         * Configurations/FeatureDefines.xcconfig:
1525
1526 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1527
1528         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1529         https://bugs.webkit.org/show_bug.cgi?id=175358
1530
1531         Reviewed by Mark Lam.
1532
1533         * jit/JITOperations.cpp:
1534         * runtime/JSObjectInlines.h:
1535         (JSC::JSObject::putInlineForJSObject):
1536
1537 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1538
1539         Unreviewed, rolling out r220457.
1540
1541         This change introduced API test failures.
1542
1543         Reverted changeset:
1544
1545         "WTF::Function does not allow for reference / non-default
1546         constructible return types"
1547         https://bugs.webkit.org/show_bug.cgi?id=175244
1548         http://trac.webkit.org/changeset/220457
1549
1550 2017-08-09  Sam Weinig  <sam@webkit.org>
1551
1552         WTF::Function does not allow for reference / non-default constructible return types
1553         https://bugs.webkit.org/show_bug.cgi?id=175244
1554
1555         Reviewed by Chris Dumez.
1556
1557         * runtime/ArrayBuffer.cpp:
1558         (JSC::ArrayBufferContents::transferTo):
1559         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1560         destroy call needed to be a no-op anyway, since the data is being moved.
1561
1562 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1563
1564         REGRESSION: 2 test262/test/language/statements/async-function failures
1565         https://bugs.webkit.org/show_bug.cgi?id=175334
1566
1567         Reviewed by Yusuke Suzuki.
1568
1569         Switch off useAsyncIterator by default
1570
1571         * runtime/Options.h:
1572
1573 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1574
1575         ICs should do caging
1576         https://bugs.webkit.org/show_bug.cgi?id=175295
1577
1578         Reviewed by Saam Barati.
1579         
1580         Adds the appropriate cage() calls in our inline caches.
1581
1582         * bytecode/AccessCase.cpp:
1583         (JSC::AccessCase::generateImpl):
1584         * bytecode/InlineAccess.cpp:
1585         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1586         (JSC::InlineAccess::generateSelfPropertyAccess):
1587         (JSC::InlineAccess::generateSelfPropertyReplace):
1588         (JSC::InlineAccess::generateArrayLength):
1589
1590 2017-08-08  Devin Rousso  <drousso@apple.com>
1591
1592         Web Inspector: Canvas: support editing WebGL shaders
1593         https://bugs.webkit.org/show_bug.cgi?id=124211
1594         <rdar://problem/15448958>
1595
1596         Reviewed by Matt Baker.
1597
1598         * inspector/protocol/Canvas.json:
1599         Add `updateShader` command that will change the given shader's source to the provided string,
1600         recompile, and relink it to its associated program.
1601         Drive-by: add description to `requestShaderSource` command.
1602
1603 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1604
1605         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1606         https://bugs.webkit.org/show_bug.cgi?id=175347
1607
1608         Reviewed by Saam Barati.
1609
1610         This is done by making finishCreation explicitly check for exceptions after setConstantRegisters and setConstantIdentifierSetRegisters.
1611         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1612         negligible considering how much more finishCreation does.
1613         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1614         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1615
1616         * bytecode/CodeBlock.cpp:
1617         (JSC::CodeBlock::finishCreation):
1618         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1619         (JSC::CodeBlock::setConstantRegisters):
1620         * bytecode/CodeBlock.h:
1621         * runtime/ScriptExecutable.cpp:
1622         (JSC::ScriptExecutable::newCodeBlockFor):
1623
1624 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1625
1626         Unreviewed, fix Ubuntu LTS build
1627         https://bugs.webkit.org/show_bug.cgi?id=174490
1628
1629         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1630         * inspector/remote/glib/RemoteInspectorServer.cpp:
1631
1632 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1633
1634         Baseline JIT should do caging
1635         https://bugs.webkit.org/show_bug.cgi?id=175037
1636
1637         Reviewed by Mark Lam.
1638         
1639         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
1640         
1641         Also modifies FTL caging to be more defensive when caging is disabled.
1642         
1643         Relanded with fixed AssemblyHelpers::cageConditionally().
1644
1645         * bytecode/AccessCase.cpp:
1646         (JSC::AccessCase::generateImpl):
1647         * bytecode/InlineAccess.cpp:
1648         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1649         (JSC::InlineAccess::generateSelfPropertyAccess):
1650         (JSC::InlineAccess::generateSelfPropertyReplace):
1651         (JSC::InlineAccess::generateArrayLength):
1652         * ftl/FTLLowerDFGToB3.cpp:
1653         (JSC::FTL::DFG::LowerDFGToB3::caged):
1654         * jit/AssemblyHelpers.h:
1655         (JSC::AssemblyHelpers::cage):
1656         (JSC::AssemblyHelpers::cageConditionally):
1657         * jit/JITPropertyAccess.cpp:
1658         (JSC::JIT::emitDoubleLoad):
1659         (JSC::JIT::emitContiguousLoad):
1660         (JSC::JIT::emitArrayStorageLoad):
1661         (JSC::JIT::emitGenericContiguousPutByVal):
1662         (JSC::JIT::emitArrayStoragePutByVal):
1663         (JSC::JIT::emit_op_get_from_scope):
1664         (JSC::JIT::emit_op_put_to_scope):
1665         (JSC::JIT::emitIntTypedArrayGetByVal):
1666         (JSC::JIT::emitFloatTypedArrayGetByVal):
1667         (JSC::JIT::emitIntTypedArrayPutByVal):
1668         (JSC::JIT::emitFloatTypedArrayPutByVal):
1669         * jsc.cpp:
1670         (jscmain):
1671         (primitiveGigacageDisabled): Deleted.
1672
1673 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1674
1675         Unreviewed, rolling out r220368.
1676
1677         This change caused WK1 tests to exit early with crashes.
1678
1679         Reverted changeset:
1680
1681         "Baseline JIT should do caging"
1682         https://bugs.webkit.org/show_bug.cgi?id=175037
1683         http://trac.webkit.org/changeset/220368
1684
1685 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1686
1687         [CMake] Properly test if compiler supports compiler flags
1688         https://bugs.webkit.org/show_bug.cgi?id=174490
1689
1690         Reviewed by Konstantin Tokarev.
1691
1692         * API/tests/PingPongStackOverflowTest.cpp:
1693         (testPingPongStackOverflow):
1694         * API/tests/testapi.c:
1695         * b3/testb3.cpp:
1696         (JSC::B3::testPatchpointLotsOfLateAnys):
1697
1698 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1699
1700         [Linux] Clear WasmMemory with madvise instead of memset
1701         https://bugs.webkit.org/show_bug.cgi?id=175150
1702
1703         Reviewed by Filip Pizlo.
1704
1705         On Linux, zeroing pages with memset populates the backing store.
1706         Instead, we should use madvise with MADV_DONTNEED. It discards the
1707         pages, and if you access them again, zero-filled pages are provided
1708         on demand.
1709
1710         We also commit grown pages in all OSes.
1711
1712         * wasm/WasmMemory.cpp:
1713         (JSC::Wasm::commitZeroPages):
1714         (JSC::Wasm::Memory::create):
1715         (JSC::Wasm::Memory::grow):
1716
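Worked example, added here and not part of the WebKit change above: a C++ program that maps an anonymous region, dirties every page, clears it the way the entry describes (madvise with MADV_DONTNEED on Linux, a memset fallback elsewhere), and checks that every byte then reads back as zero. The mapping size, the helper names (zeroPages, allZero, clearedMappingReadsAsZero) and the non-Linux fallback are assumptions of this example, not WasmMemory's code.

```cpp
// Added example, not WebKit code: clear an anonymous mapping with
// madvise(MADV_DONTNEED) instead of memset. On Linux, MADV_DONTNEED on a
// private anonymous mapping discards the pages; the next access gets fresh
// zero-fill pages on demand, so clearing does not populate the backing
// store. The memset fallback for other platforms is this example's choice.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <sys/mman.h>
#include <unistd.h>

// Hypothetical helper: zero `bytes` bytes starting at page-aligned `base`.
static bool zeroPages(void* base, size_t bytes)
{
#if defined(__linux__)
    // Discard the pages. Subsequent reads see zero-fill pages and no
    // physical memory is committed until the pages are touched again.
    return madvise(base, bytes, MADV_DONTNEED) == 0;
#else
    // Elsewhere MADV_DONTNEED is only a hint, so clear the bytes explicitly.
    std::memset(base, 0, bytes);
    return true;
#endif
}

static bool allZero(const uint8_t* p, size_t bytes)
{
    for (size_t i = 0; i < bytes; ++i) {
        if (p[i] != 0)
            return false;
    }
    return true;
}

// Maps `pages` pages, dirties every one of them, clears the mapping and
// returns whether every byte reads back as zero afterwards.
bool clearedMappingReadsAsZero(size_t pages)
{
    const size_t pageSize = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    const size_t bytes = pages * pageSize;
    void* base = mmap(nullptr, bytes, PROT_READ | PROT_WRITE,
                      MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return false;

    uint8_t* p = static_cast<uint8_t*>(base);
    // Touch every page so each one has real backing store before the clear.
    for (size_t i = 0; i < bytes; i += pageSize)
        p[i] = 0xAB;
    p[bytes - 1] = 0xCD;

    bool ok = zeroPages(base, bytes) && allZero(p, bytes);
    munmap(base, bytes);
    return ok;
}
```

The caveat a practitioner wants here: the zero-on-reaccess behaviour of MADV_DONTNEED is specific to Linux private anonymous mappings. For shared or file-backed mappings the next access repopulates the pages from the file or shared object rather than with zeros, and on macOS and the BSDs MADV_DONTNEED is only a hint, so a Wasm memory cleared that way would still hold its previous contents. That is why the example keeps a memset path for other platforms. The example maps the whole region up front; the grow path, where the entry says grown pages are committed on all OSes, is not modelled.
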
1717 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1718
1719         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1720         https://bugs.webkit.org/show_bug.cgi?id=175307
1721
1722         Reviewed by Saam Barati.
1723
1724         ```
1725         let a = new Uint8Array(10);
1726         let b = Object.getOwnPropertyDescriptor(a, 0);
1727         assert(b.configurable === false);
1728         ```
1729         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
1730         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
1731         that says that typed arrays are integer indexed exotic objects.
1732
1733         * runtime/JSGenericTypedArrayViewInlines.h:
1734         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1735
1736 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1737
1738         Baseline JIT should do caging
1739         https://bugs.webkit.org/show_bug.cgi?id=175037
1740
1741         Reviewed by Mark Lam.
1742         
1743         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
1744         
1745         Also modifies FTL caging to be more defensive when caging is disabled.
1746
1747         * ftl/FTLLowerDFGToB3.cpp:
1748         (JSC::FTL::DFG::LowerDFGToB3::caged):
1749         * jit/AssemblyHelpers.h:
1750         (JSC::AssemblyHelpers::cage):
1751         (JSC::AssemblyHelpers::cageConditionally):
1752         * jit/JITPropertyAccess.cpp:
1753         (JSC::JIT::emitDoubleLoad):
1754         (JSC::JIT::emitContiguousLoad):
1755         (JSC::JIT::emitArrayStorageLoad):
1756         (JSC::JIT::emitGenericContiguousPutByVal):
1757         (JSC::JIT::emitArrayStoragePutByVal):
1758         (JSC::JIT::emit_op_get_from_scope):
1759         (JSC::JIT::emit_op_put_to_scope):
1760         (JSC::JIT::emitIntTypedArrayGetByVal):
1761         (JSC::JIT::emitFloatTypedArrayGetByVal):
1762         (JSC::JIT::emitIntTypedArrayPutByVal):
1763         (JSC::JIT::emitFloatTypedArrayPutByVal):
1764         * jsc.cpp:
1765         (jscmain):
1766         (primitiveGigacageDisabled): Deleted.
1767
1768 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1769
1770         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1771         https://bugs.webkit.org/show_bug.cgi?id=174919
1772
1773         Reviewed by Keith Miller.
1774         
1775         This adapts JSC to there being two gigacages.
1776         
1777         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1778         singletons. I don't think we were gaining anything by making them be singletons.
1779         
1780         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1781         gigacages. We'll have one of those allocators per cage.
1782         
1783         From there, this change teaches everyone who previously knew about cages that there are two cages.
1784         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1785         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1786         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1787         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1788         
1789         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1790         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1791
1792         * JavaScriptCore.xcodeproj/project.pbxproj:
1793         * bytecode/AccessCase.cpp:
1794         (JSC::AccessCase::generateImpl):
1795         * dfg/DFGSpeculativeJIT.cpp:
1796         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1797         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1798         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1799         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1800         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1801         * ftl/FTLLowerDFGToB3.cpp:
1802         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1803         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1804         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1805         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1806         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1807         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1808         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1809         (JSC::FTL::DFG::LowerDFGToB3::caged):
1810         * heap/FastMallocAlignedMemoryAllocator.cpp:
1811         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1812         * heap/FastMallocAlignedMemoryAllocator.h:
1813         * heap/GigacageAlignedMemoryAllocator.cpp:
1814         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1815         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1816         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1817         (JSC::GigacageAlignedMemoryAllocator::dump const):
1818         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1819         * heap/GigacageAlignedMemoryAllocator.h:
1820         * jsc.cpp:
1821         (primitiveGigacageDisabled):
1822         (jscmain):
1823         (gigacageDisabled): Deleted.
1824         * llint/LowLevelInterpreter64.asm:
1825         * runtime/ArrayBuffer.cpp:
1826         (JSC::ArrayBufferContents::tryAllocate):
1827         (JSC::ArrayBuffer::createAdopted):
1828         (JSC::ArrayBuffer::createFromBytes):
1829         * runtime/AuxiliaryBarrier.h:
1830         * runtime/ButterflyInlines.h:
1831         (JSC::Butterfly::createUninitialized):
1832         (JSC::Butterfly::tryCreate):
1833         (JSC::Butterfly::growArrayRight):
1834         * runtime/CagedBarrierPtr.h: Added.
1835         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1836         (JSC::CagedBarrierPtr::clear):
1837         (JSC::CagedBarrierPtr::set):
1838         (JSC::CagedBarrierPtr::get const):
1839         (JSC::CagedBarrierPtr::getMayBeNull const):
1840         (JSC::CagedBarrierPtr::operator== const):
1841         (JSC::CagedBarrierPtr::operator!= const):
1842         (JSC::CagedBarrierPtr::operator bool const):
1843         (JSC::CagedBarrierPtr::setWithoutBarrier):
1844         (JSC::CagedBarrierPtr::operator* const):
1845         (JSC::CagedBarrierPtr::operator-> const):
1846         (JSC::CagedBarrierPtr::operator[] const):
1847         * runtime/DirectArguments.cpp:
1848         (JSC::DirectArguments::overrideThings):
1849         (JSC::DirectArguments::unmapArgument):
1850         * runtime/DirectArguments.h:
1851         (JSC::DirectArguments::isMappedArgument const):
1852         * runtime/GenericArguments.h:
1853         * runtime/GenericArgumentsInlines.h:
1854         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1855         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1856         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1857         * runtime/HashMapImpl.cpp:
1858         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1859         * runtime/HashMapImpl.h:
1860         (JSC::HashMapBuffer::create):
1861         (JSC::HashMapImpl::buffer const):
1862         (JSC::HashMapImpl::rehash):
1863         * runtime/JSArray.cpp:
1864         (JSC::JSArray::tryCreateUninitializedRestricted):
1865         (JSC::JSArray::unshiftCountSlowCase):
1866         (JSC::JSArray::setLength):
1867         (JSC::JSArray::pop):
1868         (JSC::JSArray::push):
1869         (JSC::JSArray::fastSlice):
1870         (JSC::JSArray::shiftCountWithArrayStorage):
1871         (JSC::JSArray::shiftCountWithAnyIndexingType):
1872         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1873         (JSC::JSArray::fillArgList):
1874         (JSC::JSArray::copyToArguments):
1875         * runtime/JSArray.h:
1876         (JSC::JSArray::tryCreate):
1877         * runtime/JSArrayBufferView.cpp:
1878         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1879         (JSC::JSArrayBufferView::finalize):
1880         * runtime/JSLock.cpp:
1881         (JSC::JSLock::didAcquireLock):
1882         * runtime/JSObject.cpp:
1883         (JSC::JSObject::heapSnapshot):
1884         (JSC::JSObject::getOwnPropertySlotByIndex):
1885         (JSC::JSObject::putByIndex):
1886         (JSC::JSObject::enterDictionaryIndexingMode):
1887         (JSC::JSObject::createInitialIndexedStorage):
1888         (JSC::JSObject::createArrayStorage):
1889         (JSC::JSObject::convertUndecidedToInt32):
1890         (JSC::JSObject::convertUndecidedToDouble):
1891         (JSC::JSObject::convertUndecidedToContiguous):
1892         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1893         (JSC::JSObject::convertUndecidedToArrayStorage):
1894         (JSC::JSObject::convertInt32ToDouble):
1895         (JSC::JSObject::convertInt32ToContiguous):
1896         (JSC::JSObject::convertInt32ToArrayStorage):
1897         (JSC::JSObject::convertDoubleToContiguous):
1898         (JSC::JSObject::convertDoubleToArrayStorage):
1899         (JSC::JSObject::convertContiguousToArrayStorage):
1900         (JSC::JSObject::setIndexQuicklyToUndecided):
1901         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1902         (JSC::JSObject::deletePropertyByIndex):
1903         (JSC::JSObject::getOwnPropertyNames):
1904         (JSC::JSObject::putIndexedDescriptor):
1905         (JSC::JSObject::defineOwnIndexedProperty):
1906         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1907         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1908         (JSC::JSObject::getNewVectorLength):
1909         (JSC::JSObject::ensureLengthSlow):
1910         (JSC::JSObject::reallocateAndShrinkButterfly):
1911         (JSC::JSObject::allocateMoreOutOfLineStorage):
1912         (JSC::JSObject::getEnumerableLength):
1913         * runtime/JSObject.h:
1914         (JSC::JSObject::getArrayLength const):
1915         (JSC::JSObject::getVectorLength):
1916         (JSC::JSObject::putDirectIndex):
1917         (JSC::JSObject::canGetIndexQuickly):
1918         (JSC::JSObject::getIndexQuickly):
1919         (JSC::JSObject::tryGetIndexQuickly const):
1920         (JSC::JSObject::canSetIndexQuickly):
1921         (JSC::JSObject::setIndexQuickly):
1922         (JSC::JSObject::initializeIndex):
1923         (JSC::JSObject::initializeIndexWithoutBarrier):
1924         (JSC::JSObject::hasSparseMap):
1925         (JSC::JSObject::inSparseIndexingMode):
1926         (JSC::JSObject::butterfly const):
1927         (JSC::JSObject::butterfly):
1928         (JSC::JSObject::outOfLineStorage const):
1929         (JSC::JSObject::outOfLineStorage):
1930         (JSC::JSObject::ensureInt32):
1931         (JSC::JSObject::ensureDouble):
1932         (JSC::JSObject::ensureContiguous):
1933         (JSC::JSObject::ensureArrayStorage):
1934         (JSC::JSObject::arrayStorage):
1935         (JSC::JSObject::arrayStorageOrNull):
1936         (JSC::JSObject::ensureLength):
1937         * runtime/RegExpMatchesArray.h:
1938         (JSC::tryCreateUninitializedRegExpMatchesArray):
1939         * runtime/VM.cpp:
1940         (JSC::VM::VM):
1941         (JSC::VM::~VM):
1942         (JSC::VM::primitiveGigacageDisabledCallback):
1943         (JSC::VM::primitiveGigacageDisabled):
1944         (JSC::VM::gigacageDisabledCallback): Deleted.
1945         (JSC::VM::gigacageDisabled): Deleted.
1946         * runtime/VM.h:
1947         (JSC::VM::gigacageAuxiliarySpace):
1948         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1949         (JSC::VM::primitiveGigacageEnabled):
1950         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1951         (JSC::VM::gigacageEnabled): Deleted.
1952         * wasm/WasmMemory.cpp:
1953         (JSC::Wasm::Memory::create):
1954         (JSC::Wasm::Memory::~Memory):
1955         (JSC::Wasm::Memory::grow):
1956
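Worked example, added here and not WebKit's Gigacage code, serving the "ICs should do caging", "Baseline JIT should do caging" and "Primitive auxiliaries and JSValue auxiliaries should have separate gigacages" entries above: a toy model in C++ of two separate cages, one for primitive payloads such as typed-array backing stores and one for JSValue payloads such as butterflies. Each cage is a power-of-two sized region aligned to its own size, so a pointer is caged with base + (ptr & (size - 1)): a pointer that already lies in the cage is unchanged, and a pointer corrupted to point anywhere else, including into the other cage, is folded back into the cage it belongs to. The cage sizes (1 MiB here instead of gigabytes), the Cage struct and the initCage/caged/isInCage helpers are this example's assumptions.

```cpp
// Added example, not WebKit's Gigacage: a toy model of caging with two
// separate cages. Caging bounds an out-of-cage pointer to its cage; keeping
// primitive and JSValue payloads in different cages means a corrupted
// primitive pointer can never be steered onto JSValue storage.
#include <cstddef>
#include <cstdint>
#include <cstdlib>

enum class CageKind { Primitive, JSValue };

struct Cage {
    uintptr_t base = 0; // 0 means "caging disabled": caged() passes pointers through
    size_t size = 0;    // power of two; base is aligned to size
};

static Cage g_cages[2];

// Reserve a cage aligned to its own size (posix_memalign gives that alignment).
bool initCage(CageKind kind, size_t size)
{
    if (size == 0 || (size & (size - 1)))
        return false; // the mask trick needs a power-of-two size
    void* p = nullptr;
    if (posix_memalign(&p, size, size) != 0)
        return false;
    Cage& c = g_cages[static_cast<int>(kind)];
    c.base = reinterpret_cast<uintptr_t>(p);
    c.size = size;
    return true;
}

const Cage& cage(CageKind kind) { return g_cages[static_cast<int>(kind)]; }

uintptr_t mask(CageKind kind) { return cage(kind).size - 1; }

// The caging operation: keep only the offset within the cage and re-add the
// cage base. If the cage was never set up, behave like a conditional cage
// with caging disabled and return the pointer unchanged.
template<typename T>
T* caged(CageKind kind, T* ptr)
{
    const Cage& c = cage(kind);
    if (!c.base)
        return ptr;
    uintptr_t raw = reinterpret_cast<uintptr_t>(ptr);
    return reinterpret_cast<T*>(c.base + (raw & mask(kind)));
}

bool isInCage(CageKind kind, const void* ptr)
{
    const Cage& c = cage(kind);
    uintptr_t raw = reinterpret_cast<uintptr_t>(ptr);
    return c.base && raw >= c.base && raw < c.base + c.size;
}

// Scenario: a typed array's backing-store pointer is corrupted to point at a
// butterfly in the JSValue cage, or at a stack address. Caging on every
// access keeps the access inside the Primitive cage.
bool cagingContainsCorruptedPointer()
{
    if (!initCage(CageKind::Primitive, 1 << 20) || !initCage(CageKind::JSValue, 1 << 20))
        return false;
    uint8_t* typedArrayStore = reinterpret_cast<uint8_t*>(cage(CageKind::Primitive).base) + 4096;
    uint8_t* butterfly = reinterpret_cast<uint8_t*>(cage(CageKind::JSValue).base) + 8192;
    int onStack = 0;

    // An in-cage pointer survives caging unchanged.
    bool unchanged = caged(CageKind::Primitive, typedArrayStore) == typedArrayStore;
    // Out-of-cage pointers are folded back into the Primitive cage.
    bool foldedButterfly = isInCage(CageKind::Primitive, caged(CageKind::Primitive, butterfly));
    bool foldedStack = isInCage(CageKind::Primitive, caged(CageKind::Primitive, &onStack));
    // Without caging, the corrupted pointer really did leave the cage.
    bool escaped = !isInCage(CageKind::Primitive, butterfly);
    return unchanged && foldedButterfly && foldedStack && escaped;
}
```

In the JIT this operation is a mask and an add on the hot path (what the Baseline JIT entry adds as AssemblyHelpers::cage, and what the inline caches and FTL emit); the toy only shows the effect, not the code generation. Caging does not stop a corrupted pointer from reaching other objects inside the same cage, it only bounds the damage to the cage, which is exactly why primitive and JSValue payloads are given separate cages.
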
1957 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1958
1959         Unreviewed, rolling out r220144.
1960         https://bugs.webkit.org/show_bug.cgi?id=175276
1961
1962         "It did not actually speed things up in the way I expected"
1963         (Requested by saamyjoon on #webkit).
1964
1965         Reverted changeset:
1966
1967         "On memory-constrained iOS devices, reduce the rate at which
1968         the JS heap grows before a GC to try to keep more memory
1969         available for the system"
1970         https://bugs.webkit.org/show_bug.cgi?id=175041
1971         http://trac.webkit.org/changeset/220144
1972
1973 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1974
1975         Unreviewed, rolling out r220299.
1976
1977         This change caused LayoutTest inspector/dom-debugger/dom-
1978         breakpoints.html to fail.
1979
1980         Reverted changeset:
1981
1982         "Web Inspector: capture async stack trace when workers/main
1983         context posts a message"
1984         https://bugs.webkit.org/show_bug.cgi?id=167084
1985         http://trac.webkit.org/changeset/220299
1986
1987 2017-08-07  Brian Burg  <bburg@apple.com>
1988
1989         Remove CANVAS_PATH compilation guard
1990         https://bugs.webkit.org/show_bug.cgi?id=175207
1991
1992         Reviewed by Sam Weinig.
1993
1994         * Configurations/FeatureDefines.xcconfig:
1995
1996 2017-08-07  Keith Miller  <keith_miller@apple.com>
1997
1998         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
1999         https://bugs.webkit.org/show_bug.cgi?id=175256
2000
2001         Reviewed by Saam Barati.
2002
2003         The check in createFromBytes just needed to check that the buffer was not null before
2004         calling isCaged.
2005
2006         * runtime/ArrayBuffer.cpp:
2007         (JSC::ArrayBuffer::createFromBytes):
2008
2009 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
2010
2011         [GTK][WPE] Add API to provide browser information required by automation
2012         https://bugs.webkit.org/show_bug.cgi?id=175130
2013
2014         Reviewed by Brian Burg.
2015
2016         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
2017         get them.
2018
2019         * inspector/remote/RemoteInspector.cpp:
2020         (Inspector::RemoteInspector::updateClientCapabilities): Also update browserName and browserVersion.
2021         * inspector/remote/RemoteInspector.h:
2022         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2023         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
2024         requested to ensure they are updated before the StartAutomationSession reply is sent.
2025         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
2026         StartAutomationSession message.
2027
2028 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2029
2030         Promise resolve and reject function should have length = 1
2031         https://bugs.webkit.org/show_bug.cgi?id=175242
2032
2033         Reviewed by Saam Barati.
2034
2035         Previously we had a separate system for "length" and "name" for builtin functions.
2036         The builtin functions do not use the lazy reifying system. Instead, they have direct
2037         properties set when they are instantiated. While a function created for a property (like
2038         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
2039         these builtin functions are just created by JSFunction::create(). Since that does
2040         not set any value for "length", these functions do not have a "length" property.
2041         So, the resolve and reject functions passed to Promise's executor do not have a
2042         "length" property.
2043
2044         This patch makes builtin functions use the standard lazy reifying system for "length".
2045         So, the "length" property of a builtin function just works as it does for normal
2046         functions.
2047
2048         * runtime/JSFunction.cpp:
2049         (JSC::JSFunction::createBuiltinFunction):
2050         (JSC::JSFunction::getOwnPropertySlot):
2051         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2052         (JSC::JSFunction::put):
2053         (JSC::JSFunction::deleteProperty):
2054         (JSC::JSFunction::defineOwnProperty):
2055         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2056         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2057         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2058         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2059         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2060         * runtime/JSFunction.h:
2061
2062 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2063
2064         [ESNext] Async iteration - Implement Async Generator - parser
2065         https://bugs.webkit.org/show_bug.cgi?id=175210
2066
2067         Reviewed by Yusuke Suzuki.
2068
2069         The current implementation is a draft version of Async Iteration.
2070         Link to spec: https://tc39.github.io/proposal-async-iteration/
2071
2072         The current patch implements only the parser part of the Async generator.
2073         The runtime part will be in the next patches.
2074
2075         * parser/ASTBuilder.h:
2076         (JSC::ASTBuilder::createFunctionMetadata):
2077         * parser/Parser.cpp:
2078         (JSC::getAsynFunctionBodyParseMode):
2079         (JSC::Parser<LexerType>::parseInner):
2080         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2081         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2082         (JSC::stringArticleForFunctionMode):
2083         (JSC::stringForFunctionMode):
2084         (JSC::Parser<LexerType>::parseFunctionInfo):
2085         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2086         (JSC::Parser<LexerType>::parseClass):
2087         (JSC::Parser<LexerType>::parseProperty):
2088         (JSC::Parser<LexerType>::parsePropertyMethod):
2089         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2090         * parser/Parser.h:
2091         (JSC::Scope::setSourceParseMode):
2092         * parser/ParserModes.h:
2093         (JSC::isFunctionParseMode):
2094         (JSC::isAsyncFunctionParseMode):
2095         (JSC::isAsyncArrowFunctionParseMode):
2096         (JSC::isAsyncGeneratorFunctionParseMode):
2097         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2098         (JSC::isAsyncFunctionWrapperParseMode):
2099         (JSC::isAsyncFunctionBodyParseMode):
2100         (JSC::isGeneratorMethodParseMode):
2101         (JSC::isAsyncMethodParseMode):
2102         (JSC::isAsyncGeneratorMethodParseMode):
2103         (JSC::isMethodParseMode):
2104         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2105         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2106
2107 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2108
2109         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2110         https://bugs.webkit.org/show_bug.cgi?id=175083
2111
2112         Reviewed by Oliver Hunt.
2113         
2114         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2115         even if we are using the pop path.
2116         
2117         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2118         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2119         the world just because we changed it.
2120         
2121         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2122         easier to debug leaks.
2123
2124         * bytecode/AccessCase.cpp:
2125         * bytecode/PolymorphicAccess.cpp:
2126         * heap/HeapCell.cpp:
2127         (JSC::HeapCell::isLive):
2128         * heap/HeapCellInlines.h:
2129         (JSC::HeapCell::isLive): Deleted.
2130         * heap/MarkedAllocator.cpp:
2131         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2132         (JSC::MarkedAllocator::endMarking):
2133         * heap/MarkedBlockInlines.h:
2134         (JSC::MarkedBlock::Handle::specializedSweep):
2135         * jit/AssemblyHelpers.cpp:
2136         * jit/Repatch.cpp:
2137         * runtime/TestRunnerUtils.h:
2138         * runtime/VM.cpp:
2139         (JSC::waitForVMDestruction):
2140         (JSC::VM::~VM):
2141
2142 2017-08-05  Mark Lam  <mark.lam@apple.com>
2143
2144         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2145         https://bugs.webkit.org/show_bug.cgi?id=175228
2146         <rdar://problem/33735737>
2147
2148         Reviewed by Saam Barati.
2149
2150         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2151         delete OSRExit32_64.cpp.
2152
2153         * CMakeLists.txt:
2154         * JavaScriptCore.xcodeproj/project.pbxproj:
2155         * dfg/DFGOSRExit.cpp:
2156         (JSC::DFG::OSRExit::compileExit):
2157         * dfg/DFGOSRExit32_64.cpp: Removed.
2158         * jit/GPRInfo.h:
2159         (JSC::JSValueSource::payloadGPR const):
2160
2161 2017-08-04  Youenn Fablet  <youenn@apple.com>
2162
2163         [Cache API] Add Cache and CacheStorage IDL definitions
2164         https://bugs.webkit.org/show_bug.cgi?id=175201
2165
2166         Reviewed by Brady Eidson.
2167
2168         * runtime/CommonIdentifiers.h:
2169
2170 2017-08-04  Mark Lam  <mark.lam@apple.com>
2171
2172         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2173         https://bugs.webkit.org/show_bug.cgi?id=175230
2174         <rdar://problem/33735857>
2175
2176         Reviewed by Saam Barati.
2177
2178         * assembler/testmasm.cpp:
2179         (JSC::testProbeReadsArgumentRegisters):
2180         (JSC::testProbeWritesArgumentRegisters):
2181
2182 2017-08-04  Mark Lam  <mark.lam@apple.com>
2183
2184         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2185         https://bugs.webkit.org/show_bug.cgi?id=175214
2186         <rdar://problem/33733308>
2187
2188         Rubber-stamped by Michael Saboff.
2189
2190         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2191         DFGOSRExitCompiler files.
2192
2193         Also rename DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2194
2195         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2196         used by compileOSRExit(), and will be changed to not be a DFG operation function
2197         when we use JIT probes for DFG OSR exits later in
2198         https://bugs.webkit.org/show_bug.cgi?id=175144.
2199
2200         * CMakeLists.txt:
2201         * JavaScriptCore.xcodeproj/project.pbxproj:
2202         * dfg/DFGJITCompiler.cpp:
2203         * dfg/DFGOSRExit.cpp:
2204         (JSC::DFG::OSRExit::emitRestoreArguments):
2205         (JSC::DFG::OSRExit::compileOSRExit):
2206         (JSC::DFG::OSRExit::compileExit):
2207         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2208         * dfg/DFGOSRExit.h:
2209         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2210         * dfg/DFGOSRExitCompiler.cpp: Removed.
2211         * dfg/DFGOSRExitCompiler.h: Removed.
2212         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2213         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2214         * dfg/DFGOperations.cpp:
2215         * dfg/DFGOperations.h:
2216         * dfg/DFGThunks.cpp:
2217
2218 2017-08-04  Matt Baker  <mattbaker@apple.com>
2219
2220         Web Inspector: capture async stack trace when workers/main context posts a message
2221         https://bugs.webkit.org/show_bug.cgi?id=167084
2222         <rdar://problem/30033673>
2223
2224         Reviewed by Brian Burg.
2225
2226         * inspector/agents/InspectorDebuggerAgent.h:
2227         Add `PostMessage` async call type.
2228
2229 2017-08-04  Mark Lam  <mark.lam@apple.com>
2230
2231         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2232         https://bugs.webkit.org/show_bug.cgi?id=175208
2233         <rdar://problem/33732402>
2234
2235         Reviewed by Saam Barati.
2236
2237         This will minimize the code diff and make it easier to review the patch for
2238         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2239         steps:
2240
2241         1. Do the code changes to move methods into OSRExit.
2242         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2243         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2244
2245         Splitting this refactoring into these 3 steps also makes it easier to review this
2246         patch and understand what is being changed.
2247
2248         * dfg/DFGOSRExit.h:
2249         * dfg/DFGOSRExitCompiler.cpp:
2250         (JSC::DFG::OSRExit::emitRestoreArguments):
2251         (JSC::DFG::OSRExit::compileOSRExit):
2252         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2253         (): Deleted.
2254         * dfg/DFGOSRExitCompiler.h:
2255         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2256         (): Deleted.
2257         * dfg/DFGOSRExitCompiler32_64.cpp:
2258         (JSC::DFG::OSRExit::compileExit):
2259         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2260         * dfg/DFGOSRExitCompiler64.cpp:
2261         (JSC::DFG::OSRExit::compileExit):
2262         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2263         * dfg/DFGThunks.cpp:
2264         (JSC::DFG::osrExitGenerationThunkGenerator):
2265
2266 2017-08-04  Devin Rousso  <drousso@apple.com>
2267
2268         Web Inspector: add source view for WebGL shader programs
2269         https://bugs.webkit.org/show_bug.cgi?id=138593
2270         <rdar://problem/18936194>
2271
2272         Reviewed by Matt Baker.
2273
2274         * inspector/protocol/Canvas.json:
2275          - Add `ShaderType` enum that contains "vertex" and "fragment".
2276          - Add `requestShaderSource` command that will return the original source code for a given
2277            shader program and shader type.
2278
2279 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2280
2281         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2282         https://bugs.webkit.org/show_bug.cgi?id=175141
2283
2284         Reviewed by Mark Lam.
2285         
2286         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2287         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2288         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2289         determined by the AlignedMemoryAllocator object.
2290         
2291         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2292         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2293         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2294         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2295         they use the same AlignedMemoryAllocator.
2296
2297         * CMakeLists.txt:
2298         * JavaScriptCore.xcodeproj/project.pbxproj:
2299         * heap/AlignedMemoryAllocator.cpp: Added.
2300         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2301         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2302         * heap/AlignedMemoryAllocator.h: Added.
2303         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2304         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2305         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2306         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2307         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2308         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2309         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2310         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2311         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2312         (JSC::GigacageAlignedMemoryAllocator::singleton):
2313         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2314         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2315         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2316         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2317         (JSC::GigacageAlignedMemoryAllocator::dump const):
2318         * heap/GigacageAlignedMemoryAllocator.h: Added.
2319         * heap/GigacageSubspace.cpp: Removed.
2320         * heap/GigacageSubspace.h: Removed.
2321         * heap/LargeAllocation.cpp:
2322         (JSC::LargeAllocation::tryCreate):
2323         (JSC::LargeAllocation::destroy):
2324         * heap/MarkedAllocator.cpp:
2325         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2326         * heap/MarkedBlock.cpp:
2327         (JSC::MarkedBlock::tryCreate):
2328         (JSC::MarkedBlock::Handle::Handle):
2329         (JSC::MarkedBlock::Handle::~Handle):
2330         (JSC::MarkedBlock::Handle::didAddToAllocator):
2331         (JSC::MarkedBlock::Handle::subspace const):
2332         * heap/MarkedBlock.h:
2333         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2334         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2335         * heap/Subspace.cpp:
2336         (JSC::Subspace::Subspace):
2337         (JSC::Subspace::findEmptyBlockToSteal):
2338         (JSC::Subspace::canTradeBlocksWith): Deleted.
2339         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2340         (JSC::Subspace::freeAlignedMemory): Deleted.
2341         * heap/Subspace.h:
2342         (JSC::Subspace::name const):
2343         (JSC::Subspace::alignedMemoryAllocator const):
2344         * runtime/JSDestructibleObjectSubspace.cpp:
2345         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2346         * runtime/JSDestructibleObjectSubspace.h:
2347         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2348         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2349         * runtime/JSSegmentedVariableObjectSubspace.h:
2350         * runtime/JSStringSubspace.cpp:
2351         (JSC::JSStringSubspace::JSStringSubspace):
2352         * runtime/JSStringSubspace.h:
2353         * runtime/VM.cpp:
2354         (JSC::VM::VM):
2355         * runtime/VM.h:
2356         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2357         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2358         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2359
2360 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2361
2362         [ESNext] Async iteration - update feature.json
2363         https://bugs.webkit.org/show_bug.cgi?id=175197
2364
2365         Reviewed by Yusuke Suzuki.
2366
2367         Update feature.json to add the status of Async Iteration.
2368
2369         * features.json:
2370
2371 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2372
2373         Unreviewed, rolling out r220271.
2374
2375         Rolling out due to Layout Test failing on iOS Simulator.
2376
2377         Reverted changeset:
2378
2379         "Remove STREAMS_API compilation guard"
2380         https://bugs.webkit.org/show_bug.cgi?id=175165
2381         http://trac.webkit.org/changeset/220271
2382
2383 2017-08-04  Youenn Fablet  <youenn@apple.com>
2384
2385         Remove STREAMS_API compilation guard
2386         https://bugs.webkit.org/show_bug.cgi?id=175165
2387
2388         Reviewed by Darin Adler.
2389
2390         * Configurations/FeatureDefines.xcconfig:
2391
2392 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2393
2394         [ESNext] Async iteration - Add feature flag
2395         https://bugs.webkit.org/show_bug.cgi?id=166694
2396
2397         Reviewed by Yusuke Suzuki.
2398
2399         Add a feature flag to JSC to switch Async Iterator on/off.
2400
2401         * runtime/Options.h:
2402
2403 2017-08-03  Brian Burg  <bburg@apple.com>
2404
2405         Remove ENABLE(WEB_SOCKET) guards
2406         https://bugs.webkit.org/show_bug.cgi?id=167044
2407
2408         Reviewed by Joseph Pecoraro.
2409
2410         * Configurations/FeatureDefines.xcconfig:
2411
2412 2017-08-03  Youenn Fablet  <youenn@apple.com>
2413
2414         Remove FETCH_API compilation guard
2415         https://bugs.webkit.org/show_bug.cgi?id=175154
2416
2417         Reviewed by Chris Dumez.
2418
2419         * Configurations/FeatureDefines.xcconfig:
2420
2421 2017-08-03  Matt Baker  <mattbaker@apple.com>
2422
2423         Web Inspector: Instrument WebGLProgram created/deleted
2424         https://bugs.webkit.org/show_bug.cgi?id=175059
2425
2426         Reviewed by Devin Rousso.
2427
2428         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2429
2430         * inspector/protocol/Canvas.json:
2431
2432 2017-08-03  Brady Eidson  <beidson@apple.com>
2433
2434         Add SW IDLs and stub out basic functionality.
2435         https://bugs.webkit.org/show_bug.cgi?id=175115
2436
2437         Reviewed by Chris Dumez.
2438
2439         * Configurations/FeatureDefines.xcconfig:
2440
2441         * runtime/CommonIdentifiers.h:
2442
2443 2017-08-03  Mark Lam  <mark.lam@apple.com>
2444
2445         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2446         https://bugs.webkit.org/show_bug.cgi?id=175142
2447         <rdar://problem/33704528>
2448
2449         Reviewed by Filip Pizlo.
2450
2451         The convention in the rest of JSC for such methods which return the address of
2452         a field is to name them "addressOf<field name>".  We'll rename
2453         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2454
2455         * dfg/DFGSpeculativeJIT.cpp:
2456         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2457         * dfg/DFGSpeculativeJIT32_64.cpp:
2458         (JSC::DFG::SpeculativeJIT::compile):
2459         * dfg/DFGSpeculativeJIT64.cpp:
2460         (JSC::DFG::SpeculativeJIT::compile):
2461         * dfg/DFGThunks.cpp:
2462         (JSC::DFG::osrExitGenerationThunkGenerator):
2463         * ftl/FTLLowerDFGToB3.cpp:
2464         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2465         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2466         * ftl/FTLThunks.cpp:
2467         (JSC::FTL::genericGenerationThunkGenerator):
2468         * jit/AssemblyHelpers.cpp:
2469         (JSC::AssemblyHelpers::debugCall):
2470         * jit/ScratchRegisterAllocator.cpp:
2471         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2472         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2473         * runtime/VM.h:
2474         (JSC::ScratchBuffer::addressOfActiveLength):
2475         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2476         * wasm/WasmBinding.cpp:
2477         (JSC::Wasm::wasmToJs):
2478
2479 2017-08-02  Devin Rousso  <drousso@apple.com>
2480
2481         Web Inspector: add stack trace information for each RecordingAction
2482         https://bugs.webkit.org/show_bug.cgi?id=174663
2483
2484         Reviewed by Joseph Pecoraro.
2485
2486         * inspector/ScriptCallFrame.h:
2487         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2488         with an existing value doesn't require a functor and can use existing code.
2489
2490         * interpreter/StackVisitor.h:
2491         * interpreter/StackVisitor.cpp:
2492         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2493
2494 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2495
2496         Merge WTFThreadData to Thread::current
2497         https://bugs.webkit.org/show_bug.cgi?id=174716
2498
2499         Reviewed by Mark Lam.
2500
2501         Use Thread::current() instead.
2502
2503         * API/JSContext.mm:
2504         (+[JSContext currentContext]):
2505         (+[JSContext currentThis]):
2506         (+[JSContext currentCallee]):
2507         (+[JSContext currentArguments]):
2508         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2509         (-[JSContext endCallbackWithData:]):
2510         * heap/Heap.cpp:
2511         (JSC::Heap::requestCollection):
2512         * runtime/Completion.cpp:
2513         (JSC::checkSyntax):
2514         (JSC::checkModuleSyntax):
2515         (JSC::evaluate):
2516         (JSC::loadAndEvaluateModule):
2517         (JSC::loadModule):
2518         (JSC::linkAndEvaluateModule):
2519         (JSC::importModule):
2520         * runtime/Identifier.cpp:
2521         (JSC::Identifier::checkCurrentAtomicStringTable):
2522         * runtime/InitializeThreading.cpp:
2523         (JSC::initializeThreading):
2524         * runtime/JSLock.cpp:
2525         (JSC::JSLock::didAcquireLock):
2526         (JSC::JSLock::willReleaseLock):
2527         (JSC::JSLock::dropAllLocks):
2528         (JSC::JSLock::grabAllLocks):
2529         * runtime/JSLock.h:
2530         * runtime/VM.cpp:
2531         (JSC::VM::VM):
2532         (JSC::VM::updateStackLimits):
2533         (JSC::VM::committedStackByteCount):
2534         * runtime/VM.h:
2535         (JSC::VM::isSafeToRecurse const):
2536         * runtime/VMEntryScope.cpp:
2537         (JSC::VMEntryScope::VMEntryScope):
2538         * runtime/VMInlines.h:
2539         (JSC::VM::ensureStackCapacityFor):
2540         * yarr/YarrPattern.cpp:
2541         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2542
2543 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2544
2545         LLInt should do pointer caging
2546         https://bugs.webkit.org/show_bug.cgi?id=175036
2547
2548         Reviewed by Keith Miller.
2549
2550         Implementing this in the LLInt was challenging because offlineasm did not previously know
2551         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2552         to be where the Gigacage is enabled right now.
2553
2554         * llint/LLIntOfflineAsmConfig.h:
2555         * llint/LowLevelInterpreter64.asm:
2556         * offlineasm/ast.rb:
2557         * offlineasm/x86.rb:
2558
2559 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2560
2561         Sweeping should only scribble when sweeping to free list
2562         https://bugs.webkit.org/show_bug.cgi?id=175105
2563
2564         Reviewed by Saam Barati.
2565         
2566         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2567         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2568         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2569         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2570         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2571         when it doesn't matter anyway because we're building a free list.
2572         
2573         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2574         zap.
2575
2576         * heap/MarkedBlockInlines.h:
2577         (JSC::MarkedBlock::Handle::specializedSweep):
2578
2579 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2580
2581         All C++ accesses to JSObject::m_butterfly should do caging
2582         https://bugs.webkit.org/show_bug.cgi?id=175039
2583
2584         Reviewed by Keith Miller.
2585         
2586         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2587         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2588         outside the gigacage.
2589
2590         * runtime/JSArray.cpp:
2591         (JSC::JSArray::setLength):
2592         (JSC::JSArray::pop):
2593         (JSC::JSArray::push):
2594         (JSC::JSArray::shiftCountWithAnyIndexingType):
2595         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2596         (JSC::JSArray::fillArgList):
2597         (JSC::JSArray::copyToArguments):
2598         * runtime/JSObject.cpp:
2599         (JSC::JSObject::heapSnapshot):
2600         (JSC::JSObject::createInitialIndexedStorage):
2601         (JSC::JSObject::createArrayStorage):
2602         (JSC::JSObject::convertUndecidedToInt32):
2603         (JSC::JSObject::convertUndecidedToDouble):
2604         (JSC::JSObject::convertUndecidedToContiguous):
2605         (JSC::JSObject::convertInt32ToDouble):
2606         (JSC::JSObject::convertInt32ToArrayStorage):
2607         (JSC::JSObject::convertDoubleToContiguous):
2608         (JSC::JSObject::convertDoubleToArrayStorage):
2609         (JSC::JSObject::convertContiguousToArrayStorage):
2610         (JSC::JSObject::defineOwnIndexedProperty):
2611         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2612         (JSC::JSObject::ensureLengthSlow):
2613         (JSC::JSObject::allocateMoreOutOfLineStorage):
2614         * runtime/JSObject.h:
2615         (JSC::JSObject::canGetIndexQuickly):
2616         (JSC::JSObject::getIndexQuickly):
2617         (JSC::JSObject::tryGetIndexQuickly const):
2618         (JSC::JSObject::canSetIndexQuickly):
2619         (JSC::JSObject::setIndexQuickly):
2620         (JSC::JSObject::initializeIndex):
2621         (JSC::JSObject::initializeIndexWithoutBarrier):
2622         (JSC::JSObject::butterfly const):
2623         (JSC::JSObject::butterfly):
2624
2625 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2626
2627         We should be OK with the gigacage being disabled on gmalloc
2628         https://bugs.webkit.org/show_bug.cgi?id=175082
2629
2630         Reviewed by Michael Saboff.
2631
2632         * jsc.cpp:
2633         (jscmain):
2634
2635 2017-08-02  Saam Barati  <sbarati@apple.com>
2636
2637         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2638         https://bugs.webkit.org/show_bug.cgi?id=175041
2639         <rdar://problem/33659370>
2640
2641         Reviewed by Filip Pizlo.
2642
2643         The testing I have done shows that this new function is a ~10%
2644         progression running JetStream on 1GB iOS devices. I've also tried
2645         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2646         or a regression. Right now, we'll just enable this for <= 1GB devices
2647         since it's a win. In the future, we might want to either look into
2648         tweaking these parameters or coming up with a new function for > 1GB
2649         devices.
2650
2651         * heap/Heap.cpp:
2652         * runtime/Options.h:
2653
2654 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2655
2656         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2657         https://bugs.webkit.org/show_bug.cgi?id=174727
2658
2659         Reviewed by Mark Lam.
2660         
2661         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2662         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2663         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2664         
2665         This is neutral on JetStream.
2666
2667         * CMakeLists.txt:
2668         * JavaScriptCore.xcodeproj/project.pbxproj:
2669         * b3/B3InsertionSet.cpp:
2670         (JSC::B3::InsertionSet::execute):
2671         * dfg/DFGAbstractInterpreterInlines.h:
2672         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2673         * dfg/DFGArgumentsEliminationPhase.cpp:
2674         * dfg/DFGClobberize.cpp:
2675         (JSC::DFG::readsOverlap):
2676         * dfg/DFGClobberize.h:
2677         (JSC::DFG::clobberize):
2678         * dfg/DFGDoesGC.cpp:
2679         (JSC::DFG::doesGC):
2680         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2681         (JSC::DFG::performFixedButterflyAccessUncaging):
2682         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2683         * dfg/DFGFixupPhase.cpp:
2684         (JSC::DFG::FixupPhase::fixupNode):
2685         * dfg/DFGHeapLocation.cpp:
2686         (WTF::printInternal):
2687         * dfg/DFGHeapLocation.h:
2688         * dfg/DFGNodeType.h:
2689         * dfg/DFGPlan.cpp:
2690         (JSC::DFG::Plan::compileInThreadImpl):
2691         * dfg/DFGPredictionPropagationPhase.cpp:
2692         * dfg/DFGSafeToExecute.h:
2693         (JSC::DFG::safeToExecute):
2694         * dfg/DFGSpeculativeJIT.cpp:
2695         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2696         * dfg/DFGSpeculativeJIT32_64.cpp:
2697         (JSC::DFG::SpeculativeJIT::compile):
2698         * dfg/DFGSpeculativeJIT64.cpp:
2699         (JSC::DFG::SpeculativeJIT::compile):
2700         * dfg/DFGTypeCheckHoistingPhase.cpp:
2701         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2702         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2703         * ftl/FTLCapabilities.cpp:
2704         (JSC::FTL::canCompile):
2705         * ftl/FTLLowerDFGToB3.cpp:
2706         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2707         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2708         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2709         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2710         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2711         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2712         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2713         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2714         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2715         (JSC::FTL::DFG::LowerDFGToB3::caged):
2716         * heap/GigacageSubspace.cpp: Added.
2717         (JSC::GigacageSubspace::GigacageSubspace):
2718         (JSC::GigacageSubspace::~GigacageSubspace):
2719         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2720         (JSC::GigacageSubspace::freeAlignedMemory):
2721         (JSC::GigacageSubspace::canTradeBlocksWith):
2722         * heap/GigacageSubspace.h: Added.
2723         * heap/Heap.cpp:
2724         (JSC::Heap::Heap):
2725         (JSC::Heap::lastChanceToFinalize):
2726         (JSC::Heap::finalize):
2727         (JSC::Heap::sweepInFinalize):
2728         (JSC::Heap::updateAllocationLimits):
2729         (JSC::Heap::shouldDoFullCollection):
2730         (JSC::Heap::collectIfNecessaryOrDefer):
2731         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2732         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2733         (JSC::Heap::sweepLargeAllocations): Deleted.
2734         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2735         * heap/Heap.h:
2736         * heap/LargeAllocation.cpp:
2737         (JSC::LargeAllocation::tryCreate):
2738         (JSC::LargeAllocation::destroy):
2739         * heap/MarkedAllocator.cpp:
2740         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2741         (JSC::MarkedAllocator::tryAllocateBlock):
2742         * heap/MarkedBlock.cpp:
2743         (JSC::MarkedBlock::tryCreate):
2744         (JSC::MarkedBlock::Handle::Handle):
2745         (JSC::MarkedBlock::Handle::~Handle):
2746         (JSC::MarkedBlock::Handle::didAddToAllocator):
2747         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2748         * heap/MarkedBlock.h:
2749         (JSC::MarkedBlock::Handle::subspace const):
2750         * heap/MarkedSpace.cpp:
2751         (JSC::MarkedSpace::~MarkedSpace):
2752         (JSC::MarkedSpace::freeMemory):
2753         (JSC::MarkedSpace::prepareForAllocation):
2754         (JSC::MarkedSpace::addMarkedAllocator):
2755         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2756         * heap/MarkedSpace.h:
2757         (JSC::MarkedSpace::firstAllocator const):
2758         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2759         * heap/Subspace.cpp:
2760         (JSC::Subspace::Subspace):
2761         (JSC::Subspace::canTradeBlocksWith):
2762         (JSC::Subspace::tryAllocateAlignedMemory):
2763         (JSC::Subspace::freeAlignedMemory):
2764         (JSC::Subspace::prepareForAllocation):
2765         (JSC::Subspace::findEmptyBlockToSteal):
2766         * heap/Subspace.h:
2767         (JSC::Subspace::didCreateFirstAllocator):
2768         * heap/SubspaceInlines.h:
2769         (JSC::Subspace::forEachAllocator):
2770         (JSC::Subspace::forEachMarkedBlock):
2771         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2772         * jit/JITPropertyAccess.cpp:
2773         (JSC::JIT::emitDoubleLoad):
2774         (JSC::JIT::emitContiguousLoad):
2775         (JSC::JIT::emitArrayStorageLoad):
2776         (JSC::JIT::emitGenericContiguousPutByVal):
2777         (JSC::JIT::emitArrayStoragePutByVal):
2778         (JSC::JIT::emit_op_get_from_scope):
2779         (JSC::JIT::emit_op_put_to_scope):
2780         (JSC::JIT::emitIntTypedArrayGetByVal):
2781         (JSC::JIT::emitFloatTypedArrayGetByVal):
2782         (JSC::JIT::emitIntTypedArrayPutByVal):
2783         (JSC::JIT::emitFloatTypedArrayPutByVal):
2784         * jsc.cpp:
2785         (fillBufferWithContentsOfFile):
2786         (functionReadFile):
2787         (gigacageDisabled):
2788         (jscmain):
2789         * llint/LowLevelInterpreter64.asm:
2790         * runtime/ArrayBuffer.cpp:
2791         (JSC::ArrayBufferContents::tryAllocate):
2792         (JSC::ArrayBuffer::createAdopted):
2793         (JSC::ArrayBuffer::createFromBytes):
2794         (JSC::ArrayBuffer::tryCreate):
2795         * runtime/IndexingHeader.h:
2796         * runtime/InitializeThreading.cpp:
2797         (JSC::initializeThreading):
2798         * runtime/JSArrayBuffer.cpp:
2799         * runtime/JSArrayBufferView.cpp:
2800         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2801         (JSC::JSArrayBufferView::finalize):
2802         * runtime/JSLock.cpp:
2803         (JSC::JSLock::didAcquireLock):
2804         * runtime/JSObject.h:
2805         * runtime/Options.cpp:
2806         (JSC::recomputeDependentOptions):
2807         * runtime/Options.h:
2808         * runtime/ScopedArgumentsTable.h:
2809         * runtime/VM.cpp:
2810         (JSC::VM::VM):
2811         (JSC::VM::~VM):
2812         (JSC::VM::gigacageDisabledCallback):
2813         (JSC::VM::gigacageDisabled):
2814         * runtime/VM.h:
2815         (JSC::VM::fireGigacageEnabledIfNecessary):
2816         (JSC::VM::gigacageEnabled):
2817         * wasm/WasmB3IRGenerator.cpp:
2818         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2819         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2820         * wasm/WasmCodeBlock.cpp:
2821         (JSC::Wasm::CodeBlock::isSafeToRun):
2822         * wasm/WasmMemory.cpp:
2823         (JSC::Wasm::makeString):
2824         (JSC::Wasm::Memory::create):
2825         (JSC::Wasm::Memory::~Memory):
2826         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2827         (JSC::Wasm::Memory::grow):
2828         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2829         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2830         * wasm/WasmMemory.h:
2831         * wasm/js/JSWebAssemblyInstance.cpp:
2832         (JSC::JSWebAssemblyInstance::create):
2833         * wasm/js/JSWebAssemblyMemory.cpp:
2834         (JSC::JSWebAssemblyMemory::grow):
2835         (JSC::JSWebAssemblyMemory::finishCreation):
2836         * wasm/js/JSWebAssemblyMemory.h:
2837         (JSC::JSWebAssemblyMemory::subspaceFor):
2838
2839 2017-07-31  Mark Lam  <mark.lam@apple.com>
2840
2841         Added some UNLIKELYs to operationOptimize().
2842         https://bugs.webkit.org/show_bug.cgi?id=174976
2843
2844         Reviewed by JF Bastien.
2845
2846         * jit/JITOperations.cpp:
2847
2848 2017-07-31  Keith Miller  <keith_miller@apple.com>
2849
2850         Make more things LLInt constexprs
2851         https://bugs.webkit.org/show_bug.cgi?id=174994
2852
2853         Reviewed by Saam Barati.
2854
2855         This patch makes more const values in the LLInt constexprs.
2856         It also deletes all of the no longer necessary static_asserts in
2857         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2858
2859         * interpreter/ShadowChicken.h:
2860         (JSC::ShadowChicken::Packet::tailMarker):
2861         * llint/LLIntData.cpp:
2862         (JSC::LLInt::Data::performAssertions):
2863         * llint/LowLevelInterpreter.asm:
2864         * offlineasm/generate_offset_extractor.rb:
2865         * offlineasm/parser.rb:
2866
2867 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2868
2869         Unreviewed, rolling out r220060.
2870
2871         This broke our internal builds. Contact reviewer of patch for
2872         more information.
2873
2874         Reverted changeset:
2875
2876         "Merge WTFThreadData to Thread::current"
2877         https://bugs.webkit.org/show_bug.cgi?id=174716
2878         http://trac.webkit.org/changeset/220060
2879
2880 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2881
2882         [JSC] Support optional catch binding
2883         https://bugs.webkit.org/show_bug.cgi?id=174981
2884
2885         Reviewed by Saam Barati.
2886
        This patch implements the optional catch binding proposal[1], which is now stage 3.
        This proposal adds a new `catch` brace with no error value binding.
2889
2890             ```
2891                 try {
2892                     ...
2893                 } catch {
2894                     ...
2895                 }
2896             ```
2897
        Sometimes we do not actually need to get the error value. For example, a function may return
        a boolean that indicates whether the function succeeded.
2900
2901             ```
2902             function parse(result) // -> bool
2903             {
2904                  try {
2905                      parseInner(result);
2906                  } catch {
2907                      return false;
2908                  }
2909                  return true;
2910             }
2911             ```
2912
2913         In the above case, we are not interested in the actual error value. Without this syntax,
2914         we always need to introduce a binding for an error value that is just ignored.
2915
2916         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2917
2918         * bytecompiler/NodesCodegen.cpp:
2919         (JSC::TryNode::emitBytecode):
2920         * parser/Parser.cpp:
2921         (JSC::Parser<LexerType>::parseTryStatement):
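
        The following is an added example, not code from the WebKit ChangeLog or from the JSC
        sources, showing the new `catch` form from a caller's perspective: a validator that
        returns a boolean, a parser that falls back to a default, and, for contrast, a case
        where the binding is kept because the error type is inspected before rethrowing.
        `isValidJSON`, `parseJSONOr` and `parseConfig` are hypothetical names for this example.

```javascript
// Added example (not part of the WebKit ChangeLog or JSC sources): using the
// optional catch binding syntax that this entry adds to the JSC parser.

// Returns true when `text` is well-formed JSON. The caller only wants a
// success flag, so the error object is of no interest and the binding is
// omitted, exactly the pattern the entry's `parse` example describes.
function isValidJSON(text) {
  try {
    JSON.parse(text);
  } catch {
    return false;
  }
  return true;
}

// Same idea with a fallback value instead of a boolean: malformed input maps
// to `fallback`, and again nothing about the error itself is needed.
function parseJSONOr(text, fallback) {
  try {
    return JSON.parse(text);
  } catch {
    return fallback;
  }
}

// Counter-example: when the error type matters, keep the binding. Here only
// malformed input (a SyntaxError from JSON.parse) is treated as "no config";
// anything else is a programming error and is rethrown rather than swallowed.
function parseConfig(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    if (e instanceof SyntaxError)
      return null;
    throw e;
  }
}
```

        The third function is the reason to be deliberate about the new syntax: omitting the
        binding makes it easy to silently discard errors that were not the ones you meant to ignore.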
2922
2923 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2924
2925         Merge WTFThreadData to Thread::current
2926         https://bugs.webkit.org/show_bug.cgi?id=174716
2927
2928         Reviewed by Sam Weinig.
2929
2930         Use Thread::current() instead.
2931
2932         * API/JSContext.mm:
2933         (+[JSContext currentContext]):
2934         (+[JSContext currentThis]):
2935         (+[JSContext currentCallee]):
2936         (+[JSContext currentArguments]):
2937         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2938         (-[JSContext endCallbackWithData:]):
2939         * heap/Heap.cpp:
2940         (JSC::Heap::requestCollection):
2941         * runtime/Completion.cpp:
2942         (JSC::checkSyntax):
2943         (JSC::checkModuleSyntax):
2944         (JSC::evaluate):
2945         (JSC::loadAndEvaluateModule):
2946         (JSC::loadModule):
2947         (JSC::linkAndEvaluateModule):
2948         (JSC::importModule):
2949         * runtime/Identifier.cpp:
2950         (JSC::Identifier::checkCurrentAtomicStringTable):
2951         * runtime/InitializeThreading.cpp:
2952         (JSC::initializeThreading):
2953         * runtime/JSLock.cpp:
2954         (JSC::JSLock::didAcquireLock):
2955         (JSC::JSLock::willReleaseLock):
2956         (JSC::JSLock::dropAllLocks):
2957         (JSC::JSLock::grabAllLocks):
2958         * runtime/JSLock.h:
2959         * runtime/VM.cpp:
2960         (JSC::VM::VM):
2961         (JSC::VM::updateStackLimits):
2962         (JSC::VM::committedStackByteCount):
2963         * runtime/VM.h:
2964         (JSC::VM::isSafeToRecurse const):
2965         * runtime/VMEntryScope.cpp:
2966         (JSC::VMEntryScope::VMEntryScope):
2967         * runtime/VMInlines.h:
2968         (JSC::VM::ensureStackCapacityFor):
2969         * yarr/YarrPattern.cpp:
2970         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2971
2972 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2973
2974         [WTF] Introduce Private Symbols
2975         https://bugs.webkit.org/show_bug.cgi?id=174935
2976
2977         Reviewed by Darin Adler.
2978
2979         Use SymbolImpl::isPrivate().
2980
2981         * builtins/BuiltinNames.cpp:
2982         * builtins/BuiltinNames.h:
2983         (JSC::BuiltinNames::isPrivateName): Deleted.
2984         * builtins/BuiltinUtils.h:
2985         * bytecode/BytecodeIntrinsicRegistry.cpp:
2986         (JSC::BytecodeIntrinsicRegistry::lookup):
2987         * runtime/CommonIdentifiers.cpp:
2988         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2989         * runtime/CommonIdentifiers.h:
2990         * runtime/ExceptionHelpers.cpp:
2991         (JSC::createUndefinedVariableError):
2992         * runtime/Identifier.h:
2993         (JSC::Identifier::isPrivateName):
2994         * runtime/IdentifierInlines.h:
2995         (JSC::identifierToSafePublicJSValue):
2996         * runtime/ObjectConstructor.cpp:
2997         (JSC::objectConstructorAssign):
2998         (JSC::defineProperties):
2999         (JSC::setIntegrityLevel):
3000         (JSC::testIntegrityLevel):
3001         (JSC::ownPropertyKeys):
3002         * runtime/PrivateName.h:
3003         (JSC::PrivateName::PrivateName):
3004         * runtime/PropertyName.h:
3005         (JSC::PropertyName::isPrivateName):
3006         * runtime/ProxyObject.cpp:
3007         (JSC::performProxyGet):
3008         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
3009         (JSC::ProxyObject::performHasProperty):
3010         (JSC::ProxyObject::performPut):
3011         (JSC::ProxyObject::performDelete):
3012         (JSC::ProxyObject::performDefineOwnProperty):
3013
3014 2017-07-29  Keith Miller  <keith_miller@apple.com>
3015
3016         LLInt offsets extractor should be able to handle C++ constexprs
3017         https://bugs.webkit.org/show_bug.cgi?id=174964
3018
3019         Reviewed by Saam Barati.
3020
3021         This patch adds new syntax to the offline asm language. The new keyword,
3022         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
3023         expression. Additionally, if the value is not an identifier you can wrap it in
3024         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
3025         which will get converted into:
3026         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
3027
        This patch also changes the data format the LLIntOffsetsExtractor
        binary produces.  Previously, it would produce unsigned values;
        after this patch every value is an int64_t.  Using an int64_t is
        useful because it means that we can represent any constant needed.
        int32_t masks are sign extended, then passed and converted to a
        negative literal string in the assembler so it will be the constant
        expected.
3035
3036         * llint/LLIntOffsetsExtractor.cpp:
3037         (JSC::LLIntOffsetsExtractor::dummy):
3038         * llint/LowLevelInterpreter.asm:
3039         * llint/LowLevelInterpreter64.asm:
3040         * offlineasm/asm.rb:
3041         * offlineasm/ast.rb:
3042         * offlineasm/generate_offset_extractor.rb:
3043         * offlineasm/offsets.rb:
3044         * offlineasm/parser.rb:
3045         * offlineasm/transform.rb:
3046
3047 2017-07-28  Matt Baker  <mattbaker@apple.com>
3048
3049         Web Inspector: capture an async stack trace when web content calls addEventListener
3050         https://bugs.webkit.org/show_bug.cgi?id=174739
3051         <rdar://problem/33468197>
3052
3053         Reviewed by Brian Burg.
3054
3055         Allow debugger agents to perform custom logic when asynchronous stack
3056         trace data is cleared. For example, the PageDebuggerAgent would clear
3057         its list of registered listeners for which call stacks have been recorded.
3058
3059         * inspector/agents/InspectorDebuggerAgent.cpp:
3060         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3061         * inspector/agents/InspectorDebuggerAgent.h:
3062
3063 2017-07-28  Mark Lam  <mark.lam@apple.com>
3064
3065         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3066         https://bugs.webkit.org/show_bug.cgi?id=174948
3067         <rdar://problem/33495680>
3068
3069         Reviewed by Filip Pizlo.
3070
3071         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3072         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3073         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3074         requests to fire this watchpoint.
3075
3076         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3077         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3078         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3079
3080         But since the watchpoint hasn't been destructed yet, it still remains on the
3081         WatchpointSet and needs to guard against being fired in this state.  The fix is
3082         to simply return early if its owner StructureRareData is not live.  This has the
3083         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3084         not firing as we would expect.
3085
3086         This patch also removes some cargo cult copying of watchpoint code which
3087         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3088         used.  This patch removes these unnecessary instantiations.
3089
3090         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3091         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3092         * runtime/StructureRareData.cpp:
3093         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3094         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3095
3096 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3097
3098         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3099         https://bugs.webkit.org/show_bug.cgi?id=174900
3100
3101         Reviewed by Saam Barati.
3102
        In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
        Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
        The problem is that even the transforming phase also checks these pseudo terminals.
3106
3107             BB1
3108             1: ForceOSRExit
3109             2: CreateDirectArguments
3110
3111             BB2
3112             3: GetButterfly(@2)
3113             4: ForceOSRExit
3114
3115         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
3116
        In this patch, we do not list candidates after seeing pseudo terminals in basic blocks.
3118
3119         * dfg/DFGArgumentsEliminationPhase.cpp:
3120
3121 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3122
3123         [ES] Add support finally to Promise
3124         https://bugs.webkit.org/show_bug.cgi?id=174503
3125
3126         Reviewed by Yusuke Suzuki.
3127
        Add support for the `finally` method on Promise according to
        https://bugs.webkit.org/show_bug.cgi?id=174503
        Current spec, at STAGE 3:
        https://github.com/tc39/proposal-promise-finally
3132
3133         * builtins/PromisePrototype.js:
3134         (finally):
3135         (const.valueThunk):
3136         (globalPrivate.getThenFinally):
3137         (const.thrower):
3138         (globalPrivate.getCatchFinally):
3139         * runtime/JSPromisePrototype.cpp:
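
        The following is an added example, not code from the WebKit ChangeLog or from
        builtins/PromisePrototype.js: a user-level re-implementation of the `finally` semantics
        from the proposal, written so that the value-thunk and thrower structure named in the
        file list above is visible. It assumes the result promise is always built with the
        built-in `Promise` (no species constructor lookup); `promiseFinally` and `demo` are
        hypothetical names for this example.

```javascript
// Added example (not the ChangeLog's or JSC's own code): Promise.prototype.finally
// semantics re-implemented as a plain function, following the stage 3 proposal.
// Assumption (not from the page): the built-in Promise is used directly instead
// of the species constructor of `promise`.

function promiseFinally(promise, onFinally) {
  // A non-callable onFinally is passed straight through to then(), so the
  // call behaves like then(undefined, undefined): outcome and value unchanged.
  if (typeof onFinally !== "function")
    return promise.then(onFinally, onFinally);

  // On fulfilment: run onFinally, wait for whatever it returns, then hand the
  // original value back unchanged (the "valueThunk" of the proposal).
  const thenFinally = (value) =>
    Promise.resolve(onFinally()).then(() => value);

  // On rejection: run onFinally, wait for it, then rethrow the original
  // reason (the "thrower" of the proposal).
  const catchFinally = (reason) =>
    Promise.resolve(onFinally()).then(() => { throw reason; });

  return promise.then(thenFinally, catchFinally);
}

// Demonstration with constructed inputs. Records the observable events in
// order and returns a promise for that log, so the behaviour is checkable:
//  - onFinally runs before the original value is delivered;
//  - a rejection is preserved through finally;
//  - an error thrown by onFinally itself replaces the original outcome.
async function demo() {
  const log = [];
  const cleanup = () => { log.push("cleanup"); };

  const v = await promiseFinally(Promise.resolve("ok"), cleanup);
  log.push(`value:${v}`);

  try {
    await promiseFinally(Promise.reject(new Error("boom")), cleanup);
  } catch (e) {
    log.push(`reason:${e.message}`);
  }

  try {
    await promiseFinally(Promise.resolve("ignored"), () => { throw new Error("cleanup failed"); });
  } catch (e) {
    log.push(`override:${e.message}`);
  }

  return log;
}
```

        The point worth noticing for callers is the third case: cleanup code placed in `finally`
        that can itself throw will mask the original result, so cleanup handlers should be written
        not to fail.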
3140
3141 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3142
3143         Unreviewed, build fix for CLoop
3144         https://bugs.webkit.org/show_bug.cgi?id=171637
3145
3146         * domjit/DOMJITGetterSetter.h:
3147
3148 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3149
3150         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3151         https://bugs.webkit.org/show_bug.cgi?id=171637
3152
3153         Reviewed by Darin Adler.
3154
        Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
        In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.

        We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
        DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.

        In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
        the op_get_by_id_with_this case yet.
        In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.

        And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs
        the ClassInfo check.
3167
3168         * CMakeLists.txt:
3169         * JavaScriptCore.xcodeproj/project.pbxproj:
3170         * bytecode/AccessCase.cpp:
3171         (JSC::AccessCase::generateImpl):
3172         * bytecode/GetByIdStatus.cpp:
3173         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3174         * bytecode/GetByIdVariant.cpp:
3175         (JSC::GetByIdVariant::GetByIdVariant):
3176         (JSC::GetByIdVariant::operator=):
3177         (JSC::GetByIdVariant::attemptToMerge):
3178         (JSC::GetByIdVariant::dumpInContext):
3179         * bytecode/GetByIdVariant.h:
3180         (JSC::GetByIdVariant::customAccessorGetter):
3181         (JSC::GetByIdVariant::domAttribute):
3182         (JSC::GetByIdVariant::domJIT): Deleted.
3183         * bytecode/GetterSetterAccessCase.cpp:
3184         (JSC::GetterSetterAccessCase::create):
3185         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3186         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3187         * bytecode/GetterSetterAccessCase.h:
3188         (JSC::GetterSetterAccessCase::domAttribute):
3189         (JSC::GetterSetterAccessCase::customAccessor):
3190         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3191         * bytecompiler/BytecodeGenerator.cpp:
3192         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3193         * create_hash_table:
3194         * dfg/DFGAbstractInterpreterInlines.h:
3195         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3196         * dfg/DFGByteCodeParser.cpp:
3197         (JSC::DFG::blessCallDOMGetter):
3198         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3199         (JSC::DFG::ByteCodeParser::handleGetById):
3200         * dfg/DFGClobberize.h:
3201         (JSC::DFG::clobberize):
3202         * dfg/DFGFixupPhase.cpp:
3203         (JSC::DFG::FixupPhase::fixupNode):
3204         * dfg/DFGNode.h:
3205         * dfg/DFGSpeculativeJIT.cpp:
3206         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3207         * dfg/DFGSpeculativeJIT.h:
3208         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3209         * domjit/DOMJITGetterSetter.h:
3210         (JSC::DOMJIT::GetterSetter::GetterSetter):
3211         (JSC::DOMJIT::GetterSetter::getter):
3212         (JSC::DOMJIT::GetterSetter::compiler):
3213         (JSC::DOMJIT::GetterSetter::resultType):
3214         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3215         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3216         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3217         * ftl/FTLLowerDFGToB3.cpp:
3218         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3219         * jit/Repatch.cpp:
3220         (JSC::tryCacheGetByID):
3221         * jsc.cpp:
3222         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3223         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3224         (WTF::DOMJITGetter::customGetter):
3225         (WTF::DOMJITGetter::finishCreation):
3226         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3227         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3228         (WTF::DOMJITGetterComplex::customGetter):
3229         (WTF::DOMJITGetterComplex::finishCreation):
3230         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3231         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3232         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3233         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3234         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3235         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3236         * runtime/CustomGetterSetter.h:
3237         (JSC::CustomGetterSetter::create):
3238         (JSC::CustomGetterSetter::setter):
3239         (JSC::CustomGetterSetter::CustomGetterSetter):
3240         (): Deleted.
3241         * runtime/DOMAnnotation.h: Added.
3242         (JSC::operator==):
3243         (JSC::operator!=):
3244         * runtime/DOMAttributeGetterSetter.cpp: Added.
3245         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3246         (JSC::isDOMAttributeGetterSetter):
3247         * runtime/Error.cpp:
3248         (JSC::throwDOMAttributeGetterTypeError):
3249         * runtime/Error.h:
3250         (JSC::throwVMDOMAttributeGetterTypeError):
3251         * runtime/JSCustomGetterSetterFunction.cpp:
3252         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3253         * runtime/JSObject.cpp:
3254         (JSC::JSObject::putInlineSlow):
3255         (JSC::JSObject::deleteProperty):
3256         (JSC::JSObject::getOwnStaticPropertySlot):
3257         (JSC::JSObject::reifyAllStaticProperties):
3258         (JSC::JSObject::fillGetterPropertySlot):
3259         (JSC::JSObject::findPropertyHashEntry): Deleted.
3260         * runtime/JSObject.h:
3261         (JSC::JSObject::getOwnNonIndexPropertySlot):
3262         (JSC::JSObject::fillCustomGetterPropertySlot):
3263         * runtime/Lookup.cpp:
3264         (JSC::setUpStaticFunctionSlot):
3265         * runtime/Lookup.h:
3266         (JSC::HashTableValue::domJIT):
3267         (JSC::getStaticPropertySlotFromTable):
3268         (JSC::putEntry):
3269         (JSC::lookupPut):
3270         (JSC::reifyStaticProperty):
3271         (JSC::reifyStaticProperties):
        Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
        this static property table require.
3274
3275         * runtime/ProgramExecutable.cpp:
3276         (JSC::ProgramExecutable::initializeGlobalProperties):
3277         * runtime/PropertyName.h:
3278         * runtime/PropertySlot.cpp:
3279         (JSC::PropertySlot::customGetter):
3280         (JSC::PropertySlot::customAccessorGetter):
3281         * runtime/PropertySlot.h:
3282         (JSC::PropertySlot::domAttribute):
3283         (JSC::PropertySlot::setCustom):
3284         (JSC::PropertySlot::setCacheableCustom):
3285         (JSC::PropertySlot::getValue):
3286         (JSC::PropertySlot::domJIT): Deleted.
3287         * runtime/VM.cpp:
3288         (JSC::VM::VM):
3289         * runtime/VM.h:
3290
3291 2017-07-26  Devin Rousso  <drousso@apple.com>
3292
3293         Web Inspector: create protocol for recording Canvas contexts
3294         https://bugs.webkit.org/show_bug.cgi?id=174481
3295
3296         Reviewed by Joseph Pecoraro.
3297
3298         * inspector/protocol/Canvas.json:
3299          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3300          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3301          - Add `recordingFinished` event that is fired once a recording is finished.
3302
3303         * CMakeLists.txt:
3304         * DerivedSources.make:
3305         * inspector/protocol/Recording.json: Added.
3306          - Add `Type` enum that lists the types of recordings
3307          - Add `InitialState` type that contains information about the canvas context at the
3308            beginning of the recording.
3309          - Add `Frame` type that holds a list of actions that were recorded.
3310          - Add `Recording` type as the container object of recording data.
3311
3312         * inspector/scripts/codegen/generate_js_backend_commands.py:
3313         (JSBackendCommandsGenerator.generate_domain):
3314         Create an agent for domains with no events or commands.
3315
3316         * inspector/InspectorValues.h:
3317         Make Array `get` public so that values can be retrieved if needed.
3318
3319 2017-07-26  Brian Burg  <bburg@apple.com>
3320
3321         Remove WEB_TIMING feature flag
3322         https://bugs.webkit.org/show_bug.cgi?id=174795
3323
3324         Reviewed by Alex Christensen.
3325
3326         * Configurations/FeatureDefines.xcconfig:
3327
3328 2017-07-26  Mark Lam  <mark.lam@apple.com>
3329
3330         Add the ability to change sp and pc to the ARM64 JIT probe.
3331         https://bugs.webkit.org/show_bug.cgi?id=174697
3332         <rdar://problem/33436965>
3333
3334         Reviewed by JF Bastien.
3335
3336         This patch implements the following:
3337
3338         1. The ARM64 probe now supports modifying the pc and sp.
3339
3340            However, lr is not preserved when modifying the pc because it is used as the
3341            scratch register for the indirect jump. Hence, the probe handler function
3342            may not modify both lr and pc in the same probe invocation.
3343
3344         2. Fix probe tests to use bitwise comparison when comparing double register
3345            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
3346
3347         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
3348            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
3349            instructions which require 16 byte alignment for their memory access.
3350
3351         * assembler/MacroAssemblerARM64.cpp:
3352         (JSC::arm64ProbeError):
3353         (JSC::MacroAssembler::probe):
3354         (JSC::arm64ProbeTrampoline): Deleted.
3355         * assembler/testmasm.cpp:
3356         (JSC::isSpecialGPR):
3357         (JSC::testProbeReadsArgumentRegisters):
3358         (JSC::testProbeWritesArgumentRegisters):
3359         (JSC::testProbePreservesGPRS):
3360         (JSC::testProbeModifiesStackPointer):
3361         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3362         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3363
3364 2017-07-25  JF Bastien  <jfbastien@apple.com>
3365
3366         WebAssembly: generate smaller binaries
3367         https://bugs.webkit.org/show_bug.cgi?id=174818
3368
3369         Reviewed by Filip Pizlo.
3370
3371         This patch reduces generated code size for WebAssembly in 2 ways:
3372
3373         1. Use the ZR register when storing zero on ARM64.
3374         2. Synthesize wasm context lazily.
3375
3376         This leads to a modest size reduction on both x86-64 and ARM64 for
3377         large WebAssembly games, without any performance loss on WasmBench
3378         and TitzerBench.
3379
3380         The reason this works is that these games, using Emscripten,
3381         generate 100k+ tiny functions, and our JIT allocation granule
3382         rounds all allocations up to 32 bytes. There are plenty of other
3383         simple gains to be had, I've filed a follow-up bug at
3384         webkit.org/b/174819
3385
3386         We should further avoid the per-function cost of tiering, which
3387         represents the bulk of code generated for small functions.
3388
3389         * assembler/MacroAssemblerARM64.h:
3390         (JSC::MacroAssemblerARM64::storeZero64):
3391         * assembler/MacroAssemblerX86_64.h:
3392         (JSC::MacroAssemblerX86_64::storeZero64):
3393         * b3/B3LowerToAir.cpp:
3394         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
3395         for x86 because it constrains register reuse and codegen in a way
3396         that doesn't affect ARM64 because it has a dedicated zero
3397         register.
3398         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
3399         * wasm/WasmB3IRGenerator.cpp:
3400         (JSC::Wasm::B3IRGenerator::instanceValue):