The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds...
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-03-21  Mark Lam  <mark.lam@apple.com>
2
3         The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
4         https://bugs.webkit.org/show_bug.cgi?id=169933
5         <rdar://problem/31105125>
6
7         Reviewed by Filip Pizlo and Geoffrey Garen.
8
9         Also fixed the bit-rotted RangeKey::dump() function.
10
11         * dfg/DFGIntegerCheckCombiningPhase.cpp:
12         (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):
13
14 2017-03-21  Csaba Osztrogonác  <ossy@webkit.org>
15
16         [ARM] Add missing MacroAssembler functions after r214187
17         https://bugs.webkit.org/show_bug.cgi?id=169912
18
19         Reviewed by Yusuke Suzuki.
20
21         * assembler/MacroAssemblerARM.h:
22         (JSC::MacroAssemblerARM::loadFloat):
23         (JSC::MacroAssemblerARM::storeFloat):
24
25 2017-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>
26
27         [JSC] Optimize Number.prototype.toString on Int32 / Int52 / Double
28         https://bugs.webkit.org/show_bug.cgi?id=167454
29
30         Reviewed by Saam Barati.
31
32         This patch improves Number.toString(radix) performance
33         by introducing NumberToStringWithRadix DFG node. It directly
34         calls the operation and it always returns String.
35
36                                                        baseline                  patched
37
38             stanford-crypto-sha256-iterative        45.130+-0.928             44.032+-1.184           might be 1.0250x faster
39
40 2017-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>
41
42         [JSC] Add JSPromiseDeferred::reject(ExecState*, Exception*) interface
43         https://bugs.webkit.org/show_bug.cgi?id=169908
44
45         Reviewed by Sam Weinig.
46
47         To avoid calling reject(ExecState*, JSValue) with Exception* accidentally,
48         we add a new interface reject(ExecState*, Exception*).
49         Such an interface is already added in DOMPromise in WebCore.
50
51         * runtime/JSInternalPromiseDeferred.cpp:
52         (JSC::JSInternalPromiseDeferred::reject):
53         * runtime/JSInternalPromiseDeferred.h:
54         * runtime/JSPromiseDeferred.cpp:
55         (JSC::JSPromiseDeferred::reject):
56         * runtime/JSPromiseDeferred.h:
57
58 2017-03-21  Zan Dobersek  <zdobersek@igalia.com>
59
60         [jsc] MacroAssemblerMIPS: implement the branchPtr(RelationalCondition, BaseIndex, RegisterID) overload.
61         https://bugs.webkit.org/show_bug.cgi?id=169717
62
63         Reviewed by Yusuke Suzuki.
64
65         * assembler/MacroAssembler.h: Expose branchPtr() on MIPS as well.
66         * assembler/MacroAssemblerMIPS.h:
67         (JSC::MacroAssemblerMIPS::branchPtr): Added.
68
69         * dfg/DFGAbstractInterpreterInlines.h:
70         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
71         * dfg/DFGByteCodeParser.cpp:
72         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
73         * dfg/DFGClobberize.h:
74         (JSC::DFG::clobberize):
75         * dfg/DFGDoesGC.cpp:
76         (JSC::DFG::doesGC):
77         * dfg/DFGFixupPhase.cpp:
78         (JSC::DFG::FixupPhase::fixupNode):
79         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
80         * dfg/DFGNodeType.h:
81         * dfg/DFGOperations.cpp:
82         * dfg/DFGOperations.h:
83         * dfg/DFGPredictionPropagationPhase.cpp:
84         * dfg/DFGSafeToExecute.h:
85         (JSC::DFG::safeToExecute):
86         * dfg/DFGSpeculativeJIT.cpp:
87         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
88         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber):
89         (JSC::DFG::SpeculativeJIT::compileNumberToStringWithRadix):
90         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell): Deleted.
91         * dfg/DFGSpeculativeJIT.h:
92         (JSC::DFG::SpeculativeJIT::callOperation):
93         * dfg/DFGSpeculativeJIT32_64.cpp:
94         (JSC::DFG::SpeculativeJIT::compile):
95         * dfg/DFGSpeculativeJIT64.cpp:
96         (JSC::DFG::SpeculativeJIT::compile):
97         * dfg/DFGStrengthReductionPhase.cpp:
98         (JSC::DFG::StrengthReductionPhase::handleNode):
99         * ftl/FTLCapabilities.cpp:
100         (JSC::FTL::canCompile):
101         * ftl/FTLLowerDFGToB3.cpp:
102         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
103         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
104         (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
105         * jit/CCallHelpers.h:
106         (JSC::CCallHelpers::setupArgumentsWithExecState):
107         * jit/JITOperations.h:
108         * runtime/Intrinsic.h:
109         * runtime/NumberPrototype.cpp:
110         (JSC::int52ToStringWithRadix):
111         (JSC::int32ToStringInternal):
112         (JSC::numberToStringInternal):
113         (JSC::int32ToString):
114         (JSC::int52ToString):
115         (JSC::numberToString):
116         (JSC::numberProtoFuncToString):
117         (JSC::integerValueToString): Deleted.
118         * runtime/NumberPrototype.h:
119         * runtime/StringPrototype.cpp:
120         (JSC::StringPrototype::finishCreation):
121
122 2017-03-20  Filip Pizlo  <fpizlo@apple.com>
123
124         Graph coloring should use coalescable moves when spilling
125         https://bugs.webkit.org/show_bug.cgi?id=169820
126
127         Reviewed by Michael Saboff.
128         
129         This makes our graph coloring register allocator use a new family of move instructions when
130         spilling both operands of the move. It's a three-operand move:
131         
132             Move (src), (dst), %scratch
133         
134         Previously, if both operands got spilled, we would emit a new instruction to load or store that
135         spill slot. But this made it hard for allocateStack to see that the two spill locations are
136         coalescable. This new kind of instruction makes it obvious that it's a coalescable move.
137         
138         This change implements the coalescing of spill slots inside allocateStack.
139         
140         This is an outrageous speed-up on the tsf_ir_speed benchmark from http://filpizlo.com/tsf/. This
141         is an interesting benchmark because it has a super ugly interpreter loop with ~20 live variables
142         carried around the loop back edge. This change makes that interpreter run 5x faster.
143         
144         This isn't a speed-up on any other benchmarks. It also doesn't regress anything. Compile time is
145         neither progressed nor regressed, since the coalescing is super cheap, and this does not add any
146         significant new machinery to the register allocator (it's just a small change to spill codegen).
147         Overall on our wasm benchmarks, this is a 16% throughput progression.
148         
149         * assembler/MacroAssembler.h:
150         (JSC::MacroAssembler::move):
151         (JSC::MacroAssembler::move32):
152         (JSC::MacroAssembler::moveFloat):
153         (JSC::MacroAssembler::moveDouble):
154         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
155         (JSC::B3::Air::allocateRegistersByGraphColoring):
156         * b3/air/AirAllocateStack.cpp:
157         (JSC::B3::Air::allocateStack):
158         * b3/air/AirInst.cpp:
159         (JSC::B3::Air::Inst::hasEarlyDef):
160         (JSC::B3::Air::Inst::hasLateUseOrDef):
161         (JSC::B3::Air::Inst::needsPadding):
162         * b3/air/AirInst.h:
163         * b3/air/AirOpcode.opcodes:
164         * b3/air/AirPadInterference.cpp:
165         (JSC::B3::Air::padInterference):
166         * runtime/Options.h:
167
168 2017-03-19  Chris Dumez  <cdumez@apple.com>
169
170         `const location = "foo"` throws in a worker
171         https://bugs.webkit.org/show_bug.cgi?id=169839
172
173         Reviewed by Mark Lam.
174
175         Our HasRestrictedGlobalProperty check in JSC was slightly wrong, causing us
176         to sometimes throw a Syntax exception when we shouldn't when declaring a
177         const/let variable and sometimes not throw an exception when we should have.
178
179         This aligns our behavior with ES6, Firefox and Chrome.
180
181         * runtime/ProgramExecutable.cpp:
182         (JSC::hasRestrictedGlobalProperty):
183         (JSC::ProgramExecutable::initializeGlobalProperties):
184         Rewrite hasRestrictedGlobalProperty logic as per the EcmaScript spec:
185         - http://www.ecma-international.org/ecma-262/6.0/index.html#sec-hasproperty
186         In particular, there were 2 issues:
187         - We should throw a SyntaxError if hasProperty() returned true but getOwnProperty()
188           would fail to return a descriptor. This would happen for properties that are
189           not OWN properties, but defined somewhere in the prototype chain. The spec does
190           not say to use hasProperty(), only getOwnProperty() and says we should return
191           false if getOwnProperty() does not return a descriptor. This is what we do now.
192         - We would fail to throw when declaring a let/const variable that shadows an own
193           property whose value is undefined. This is because the previous code was
194           explicitly checking for this case. I believe this was a misinterpretation of
195           ES6 which says:
196           """
197           Let desc be O.[[GetOwnProperty]](P).
198           If desc is undefined, return false.
199           """
200           We should check that desc is undefined, not desc.value. This is now fixed.
201
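The HasRestrictedGlobalProperty check that the entry above rewrites, written out in plain JavaScript as an added example (this is not WebKit's code). The spec version is placed beside a model of the two defects the entry describes, so the difference is visible on constructed input; `makeSampleGlobal` is a stand-in for a real window or worker global, and the property names on it are assumptions chosen for illustration.

```javascript
// Added example, not WebKit code: HasRestrictedGlobalProperty as used by
// GlobalDeclarationInstantiation, next to a model of the pre-fix logic.

// Spec shape: only the OWN descriptor matters, and the answer depends on whether
// the descriptor exists and is configurable, never on its value.
function hasRestrictedGlobalProperty(globalObject, name) {
  const desc = Object.getOwnPropertyDescriptor(globalObject, name);
  if (desc === undefined) return false;   // not an own property: no conflict
  return desc.configurable === false;     // non-configurable own property blocks let/const
}

// Model of the two defects the ChangeLog entry lists (a reconstruction, not the
// original source):
//   1. HasProperty was consulted, so a property inherited through the prototype
//      chain, which has no own descriptor, was treated as restricted;
//   2. desc.value was compared against undefined instead of desc itself.
function buggyHasRestrictedGlobalProperty(globalObject, name) {
  if (!(name in globalObject)) return false;           // HasProperty: walks the prototype chain
  const desc = Object.getOwnPropertyDescriptor(globalObject, name);
  if (desc === undefined) return true;                 // defect 1: inherited property counted as restricted
  if (desc.value === undefined) return false;          // defect 2: wrong thing compared with undefined
  return desc.configurable === false;
}

// What GlobalDeclarationInstantiation does with the answer: a lexical
// (let/const/class) declaration of a restricted name is a SyntaxError.
function checkLexicalDeclaration(globalObject, name, check = hasRestrictedGlobalProperty) {
  if (check(globalObject, name)) {
    throw new SyntaxError(`Cannot declare a let/const variable named '${name}': it shadows a non-configurable global property`);
  }
  return true;
}

// Constructed stand-in for a global object (assumed names, not real DOM properties):
//   inherited    - lives on the prototype chain, not own
//   location     - own and non-configurable, like a Window's unforgeable properties
//   undefinedOwn - own, non-configurable, value undefined (the second defect's case)
//   ordinary     - own but configurable, which the spec does not restrict
function makeSampleGlobal() {
  const proto = { inherited: 1 };
  const global = Object.create(proto);
  Object.defineProperty(global, 'location', { value: 'about:blank', configurable: false, writable: false });
  Object.defineProperty(global, 'undefinedOwn', { value: undefined, configurable: false });
  Object.defineProperty(global, 'ordinary', { value: 42, configurable: true, writable: true });
  return global;
}

// Runs both checks over the sample global and returns the answers side by side.
function compareChecks() {
  const g = makeSampleGlobal();
  return {
    inheritedSpec: hasRestrictedGlobalProperty(g, 'inherited'),        // false: not own
    inheritedBuggy: buggyHasRestrictedGlobalProperty(g, 'inherited'),  // true: defect 1
    undefinedOwnSpec: hasRestrictedGlobalProperty(g, 'undefinedOwn'),        // true: own, non-configurable
    undefinedOwnBuggy: buggyHasRestrictedGlobalProperty(g, 'undefinedOwn'),  // false: defect 2
    locationSpec: hasRestrictedGlobalProperty(g, 'location'),  // true
    ordinarySpec: hasRestrictedGlobalProperty(g, 'ordinary'),  // false: configurable
    missingSpec: hasRestrictedGlobalProperty(g, 'nope'),       // false: no descriptor
  };
}
```

The two `inherited`/`undefinedOwn` rows are exactly the cases the entry calls out: the pre-fix model throws for a name that is only on the prototype chain and stays silent for an own non-configurable property whose value happens to be undefined, while the spec version does the opposite in both.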
202 2017-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>
203
204         import(arg) crashes when ToString(arg) throws
205         https://bugs.webkit.org/show_bug.cgi?id=169778
206
207         Reviewed by Saam Barati.
208
209         JSPromiseDeferred should not be rejected with Exception*.
210
211         * runtime/JSGlobalObjectFunctions.cpp:
212         (JSC::globalFuncImportModule):
213
214 2017-03-18  Oleksandr Skachkov  <gskachkov@gmail.com>
215
216         [JSC] Remove unnecessary condition from needsDerivedConstructorInArrowFunctionLexicalEnvironment in BytecodeGenerator.cpp 
217         https://bugs.webkit.org/show_bug.cgi?id=169832
218
219         Reviewed by Mark Lam.
220
221         Remove already covered condition in needsDerivedConstructorInArrowFunctionLexicalEnvironment 
222         function. Condition isConstructor() && constructorKind() == ConstructorKind::Extends is already
223         isClassContext.
224
225         * bytecompiler/BytecodeGenerator.cpp:
226         (JSC::BytecodeGenerator::needsDerivedConstructorInArrowFunctionLexicalEnvironment):
227
228 2017-03-18  Chris Dumez  <cdumez@apple.com>
229
230         Allow setting the prototype of cross-origin objects, as long as they don't change
231         https://bugs.webkit.org/show_bug.cgi?id=169787
232
233         Reviewed by Mark Lam.
234
235         * runtime/JSGlobalObject.h:
236         Mark JS global object as an immutable prototype exotic object to match Window.
237
238         * runtime/JSObject.cpp:
239         (JSC::JSObject::setPrototypeWithCycleCheck):
240         Update setPrototypeWithCycleCheck() for immutable prototype exotic objects in order
241         to align with:
242         - https://tc39.github.io/ecma262/#sec-set-immutable-prototype
243
244         In particular, we need to call [[GetPrototypeOf]] and return true if it returns the same
245         value as the new prototype. We really need to call [[GetPrototypeOf]] and not merely
246         get the prototype slot via getPrototypeDirect() since Location and Window override
247         [[GetPrototypeOf]] to return null in the cross-origin case.
248
249         * runtime/JSProxy.cpp:
250         (JSC::JSProxy::setPrototype):
251         Update JSProxy::setPrototype() to forward such calls to its target. This is needed so
252         we end up calling JSObject::setPrototypeWithCycleCheck() for the Window object.
253         Handling immutable prototype exotic objects in that method does the right thing for
254         Window.
255
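The SetImmutablePrototype step the entry above aligns with, as an added example in plain JavaScript (not WebKit's code). It shows the observable behaviour on `Object.prototype`, which is an immutable prototype exotic object in every engine, and models the point the entry makes about going through [[GetPrototypeOf]] rather than a stored slot: the `Proxy` with a `getPrototypeOf` trap is an assumed stand-in for an object that overrides [[GetPrototypeOf]], not WebKit's DOM binding for Window or Location.

```javascript
// Added example, not WebKit code: SetImmutablePrototype(O, V) from ECMA-262
// (https://tc39.github.io/ecma262/#sec-set-immutable-prototype):
//   1. Let current be ? O.[[GetPrototypeOf]]().
//   2. If SameValue(V, current), return true.
//   3. Return false.
// Step 1 is the internal method call, so an object that overrides
// [[GetPrototypeOf]] must be asked through it, not through its prototype slot.
function setImmutablePrototype(target, newProto) {
  const current = Reflect.getPrototypeOf(target);   // [[GetPrototypeOf]], honours overrides
  return Object.is(newProto, current);              // SameValue
}

// Constructed stand-in for an object whose [[GetPrototypeOf]] reports null while
// its real prototype slot holds something else (a Proxy trap models the override;
// the target is extensible, so the trap is allowed to answer null).
function makeNullPrototypeReporter() {
  const underlying = Object.create({ marker: true });
  const proxy = new Proxy(underlying, { getPrototypeOf() { return null; } });
  return { underlying, proxy };
}

// Collects the engine's behaviour on Object.prototype next to the model above.
function immutablePrototypeDemo() {
  const { underlying, proxy } = makeNullPrototypeReporter();
  let typeErrorThrown = false;
  try {
    Object.setPrototypeOf(Object.prototype, {});     // the throwing form of the same refusal
  } catch (e) {
    typeErrorThrown = e instanceof TypeError;
  }
  return {
    // Object.prototype: setting the value it already has (null) succeeds, anything else is refused
    sameValue: Reflect.setPrototypeOf(Object.prototype, null),     // true
    differentValue: Reflect.setPrototypeOf(Object.prototype, {}),  // false
    typeErrorThrown,                                               // true
    modelSame: setImmutablePrototype(Object.prototype, null),      // true
    modelDifferent: setImmutablePrototype(Object.prototype, {}),   // false
    // Through [[GetPrototypeOf]] the proxy reports null, so setting null is "the same
    // value" and succeeds; reading the underlying slot directly would say otherwise.
    proxyReportsNull: setImmutablePrototype(proxy, null),                  // true
    slotReadDiffers: Object.is(Object.getPrototypeOf(underlying), null),   // false
  };
}
```

`Reflect.setPrototypeOf` returns the boolean the internal method produces, which is why it is used for the true/false rows; `Object.setPrototypeOf` converts a false result into the TypeError shown in the try block.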
256 2017-03-17  Michael Saboff  <msaboff@apple.com>
257
258         Use USE_INTERNAL_SDK to compute ENABLE_FAST_JIT_PERMISSIONS instead of HAVE_INTERNAL_SDK
259         https://bugs.webkit.org/show_bug.cgi?id=169817
260
261         Reviewed by Filip Pizlo.
262
263         * Configurations/FeatureDefines.xcconfig:
264
265 2017-03-11  Filip Pizlo  <fpizlo@apple.com>
266
267         Air should be powerful enough to support Tmp-splitting
268         https://bugs.webkit.org/show_bug.cgi?id=169515
269
270         Reviewed by Saam Barati.
271         
272         In the process of implementing the Tmp-splitting optimization, I made some small
273         clean-ups. They don't affect anything - it's basically moving code around and adding
274         utility functions.
275
276         * CMakeLists.txt:
277         * JavaScriptCore.xcodeproj/project.pbxproj:
278         * assembler/LinkBuffer.cpp:
279         (JSC::LinkBuffer::allocate): testb3 was sometimes failing its checkDoesNotUseInstruction check because of uninitialized memory. This initializes the internal fragmentation slop of every JIT allocation.
280         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
281         * b3/air/AirAllocateRegistersByGraphColoring.h:
282         (JSC::B3::Air::useIRC): It's useful to be able to query which register allocator we're using.
283         * b3/air/AirArg.cpp:
284         (WTF::printInternal):
285         * b3/air/AirArg.h:
286         (JSC::B3::Air::Arg::temperature): The temperature of a role is a useful concept to have factored out.
287         * b3/air/AirBreakCriticalEdges.cpp: Added.
288         (JSC::B3::Air::breakCriticalEdges): I was surprised that we didn't have this already. It's a pretty fundamental CFG utility.
289         * b3/air/AirBreakCriticalEdges.h: Added.
290         * b3/air/AirGenerate.cpp:
291         * b3/air/AirInsertionSet.h: You can't use & if you want copy-constructibility, which seems to be a prerequisite to IndexMap<BasicBlock, InsertionSet>.
292         (JSC::B3::Air::InsertionSet::InsertionSet):
293         (JSC::B3::Air::InsertionSet::code):
294         * b3/air/AirLiveness.h: Teach Liveness to track only warm liveness.
295         (JSC::B3::Air::TmpLivenessAdapter::acceptsRole):
296         (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole):
297         (JSC::B3::Air::RegLivenessAdapter::acceptsRole):
298         (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
299         (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):
300
301 2017-03-16  Mark Lam  <mark.lam@apple.com>
302
303         Fix exception scope verification failures in GenericArgumentsInlines.h.
304         https://bugs.webkit.org/show_bug.cgi?id=165012
305
306         Reviewed by Saam Barati.
307
308         * runtime/GenericArgumentsInlines.h:
309         (JSC::GenericArguments<Type>::defineOwnProperty):
310
311 2017-03-16  Simon Fraser  <simon.fraser@apple.com>
312
313         Improve the system tracing points
314         https://bugs.webkit.org/show_bug.cgi?id=169790
315
316         Reviewed by Zalan Bujtas.
317
318         Use a more cohesive set of system trace points that give a good overview of what
319         WebKit is doing. Added points for resource loading, render tree building, sync messages
320         to the web process, async image decode, WASM and fetching cookies.
321
322         * wasm/WasmPlan.cpp:
323         (JSC::Wasm::Plan::run):
324         * wasm/js/WebAssemblyFunction.cpp:
325         (JSC::callWebAssemblyFunction):
326
327 2017-03-16  Mark Lam  <mark.lam@apple.com>
328
329         Array concat operation should check for length overflows.
330         https://bugs.webkit.org/show_bug.cgi?id=169796
331         <rdar://problem/31095276>
332
333         Reviewed by Keith Miller.
334
335         * runtime/ArrayPrototype.cpp:
336         (JSC::concatAppendOne):
337         (JSC::arrayProtoPrivateFuncConcatMemcpy):
338
339 2017-03-16  Mark Lam  <mark.lam@apple.com>
340
341         The new array with spread operation needs to check for length overflows.
342         https://bugs.webkit.org/show_bug.cgi?id=169780
343         <rdar://problem/31072182>
344
345         Reviewed by Filip Pizlo.
346
347         * dfg/DFGOperations.cpp:
348         * dfg/DFGSpeculativeJIT.cpp:
349         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
350         * ftl/FTLLowerDFGToB3.cpp:
351         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
352         * ftl/FTLOperations.cpp:
353         (JSC::FTL::operationMaterializeObjectInOSR):
354         * llint/LLIntSlowPaths.cpp:
355         * runtime/CommonSlowPaths.cpp:
356         (JSC::SLOW_PATH_DECL):
357         * runtime/JSGlobalObject.cpp:
358
359 2017-03-16  Filip Pizlo  <fpizlo@apple.com>
360
361         FTL should support global and eval code
362         https://bugs.webkit.org/show_bug.cgi?id=169656
363
364         Reviewed by Geoffrey Garen and Saam Barati.
365         
366         Turned off the restriction against global and eval code running in the FTL, and then fixed all of
367         the things that didn't work.
368         
369         This is a big speed-up on microbenchmarks that I wrote for this patch. One of the reasons why we
370         hadn't done this earlier is that we've never seen a benchmark that needed it. Global and eval
371         code rarely gets FTL-hot. Still, this seems like possibly a small JetStream speed-up.
372
373         * dfg/DFGJITCode.cpp:
374         (JSC::DFG::JITCode::setOSREntryBlock): I outlined this for better debugging.
375         * dfg/DFGJITCode.h:
376         (JSC::DFG::JITCode::setOSREntryBlock): Deleted.
377         * dfg/DFGNode.h:
378         (JSC::DFG::Node::isSemanticallySkippable): It turns out that global code often has InvalidationPoints before LoopHints. They are also skippable from the standpoint of OSR entrypoint analysis.
379         * dfg/DFGOperations.cpp: Don't do any normal compiles of global code - just do OSR compiles.
380         * ftl/FTLCapabilities.cpp: Enable FTL for global and eval code.
381         (JSC::FTL::canCompile):
382         * ftl/FTLCompile.cpp: Just debugging clean-ups.
383         (JSC::FTL::compile):
384         * ftl/FTLJITFinalizer.cpp: Implement finalize() and ensure that we only do things with the entrypoint buffer if we have one. We won't have one for eval code that we aren't OSR entering into.
385         (JSC::FTL::JITFinalizer::finalize):
386         (JSC::FTL::JITFinalizer::finalizeFunction):
387         (JSC::FTL::JITFinalizer::finalizeCommon):
388         * ftl/FTLJITFinalizer.h:
389         * ftl/FTLLink.cpp: When entering a function normally, we need the "entrypoint" to put the arity check code. Global and eval code don't need this.
390         (JSC::FTL::link):
391         * ftl/FTLOSREntry.cpp: Fix a dataLog statement.
392         (JSC::FTL::prepareOSREntry):
393         * ftl/FTLOSRExitCompiler.cpp: Remove dead code that happened to assert that we're exiting from a function.
394         (JSC::FTL::compileStub):
395
396 2017-03-16  Michael Saboff  <msaboff@apple.com>
397
398         WebAssembly: function-tests/load-offset.js fails on ARM64
399         https://bugs.webkit.org/show_bug.cgi?id=169724
400
401         Reviewed by Keith Miller.
402
403         We need to use the two source version of Add64 to create a Wasm address with the
404         other source the first child.
405
406         * b3/B3LowerToAir.cpp:
407         (JSC::B3::Air::LowerToAir::lower):
408
409 2017-03-16  Jon Lee  <jonlee@apple.com>
410
411         Add FIXMEs to update WebRTC
412         https://bugs.webkit.org/show_bug.cgi?id=169735
413
414         Reviewed by Youenn Fablet.
415
416         * runtime/CommonIdentifiers.h: Add RTCIceTransport.
417
418 2017-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
419
420         Unreviewed, copy m_numberOfArgumentsToSkip
421         https://bugs.webkit.org/show_bug.cgi?id=164582
422
423         * bytecode/CodeBlock.cpp:
424         (JSC::CodeBlock::CodeBlock):
425
426 2017-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>
427
428         Unreviewed, fix numParameter() - 1 OSRExit materialization
429         https://bugs.webkit.org/show_bug.cgi?id=164582
430
431         When materializing rest parameters, we rely on numParameter() - 1 being equal to
432         the numberOfArgumentsToSkip. But this assumption is broken in r214029.
433
434         * bytecode/CodeBlock.cpp:
435         (JSC::CodeBlock::finishCreation):
436         * bytecode/CodeBlock.h:
437         (JSC::CodeBlock::numberOfArgumentsToSkip):
438         * ftl/FTLOperations.cpp:
439         (JSC::FTL::operationMaterializeObjectInOSR):
440
441 2017-03-16  Caio Lima  <ticaiolima@gmail.com>
442
443         [ESnext] Implement Object Spread
444         https://bugs.webkit.org/show_bug.cgi?id=167963
445
446         Reviewed by Yusuke Suzuki.
447
448         This patch implements ECMA262 stage 3 Object Spread proposal [1].
449         It's implemented using CopyDataProperties to copy all enumerable keys
450         from the object being spread.
451
452         It also fixes CopyDataProperties, which was using
453         Object.getOwnPropertyNames to list all keys to be copied and now uses
454         Reflect.ownKeys.
455
456         [1] - https://github.com/sebmarkbage/ecmascript-rest-spread
457
458         * builtins/GlobalOperations.js:
459         (globalPrivate.copyDataProperties):
460         * bytecode/CodeBlock.cpp:
461         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
462         * bytecode/UnlinkedCodeBlock.h:
463         (JSC::UnlinkedCodeBlock::addSetConstant):
464         * bytecompiler/BytecodeGenerator.cpp:
465         (JSC::BytecodeGenerator::emitLoad):
466         * bytecompiler/BytecodeGenerator.h:
467         * bytecompiler/NodesCodegen.cpp:
468         (JSC::PropertyListNode::emitBytecode):
469         (JSC::ObjectPatternNode::bindValue):
470         (JSC::ObjectSpreadExpressionNode::emitBytecode):
471         * parser/ASTBuilder.h:
472         (JSC::ASTBuilder::createObjectSpreadExpression):
473         (JSC::ASTBuilder::createProperty):
474         * parser/NodeConstructors.h:
475         (JSC::PropertyNode::PropertyNode):
476         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
477         * parser/Nodes.h:
478         (JSC::ObjectSpreadExpressionNode::expression):
479         * parser/Parser.cpp:
480         (JSC::Parser<LexerType>::parseProperty):
481         * parser/SyntaxChecker.h:
482         (JSC::SyntaxChecker::createObjectSpreadExpression):
483         (JSC::SyntaxChecker::createProperty):
484         * runtime/JSGlobalObject.cpp:
485         (JSC::JSGlobalObject::init):
486         * runtime/JSGlobalObjectFunctions.cpp:
487         (JSC::privateToObject): Deleted.
488         * runtime/JSGlobalObjectFunctions.h:
489
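The CopyDataProperties operation that object spread is built on, as an added example in plain JavaScript (not WebKit's builtin). It places the spec-shaped version, which lists keys with `Reflect.ownKeys`, beside a variant that lists them with `Object.getOwnPropertyNames`, the defect the entry above fixes, and compares both with the engine's own `{ ...source }`. The sample source object and its property names are constructed for the illustration.

```javascript
// Added example, not WebKit code: CopyDataProperties(target, source, excludedKeys).
// For each own key of source (Reflect.ownKeys gives strings AND symbols), skip
// excluded keys, copy only enumerable properties, read them with Get (getters
// run), and create plain data properties on target.
function copyDataProperties(target, source, excludedKeys = []) {
  if (source === undefined || source === null) return target;
  const from = Object(source);
  for (const key of Reflect.ownKeys(from)) {
    if (excludedKeys.includes(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc !== undefined && desc.enumerable) {
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Same loop over Object.getOwnPropertyNames: string keys only, so every
// symbol-keyed property is silently dropped (the pre-fix behaviour described above).
function copyDataPropertiesStringKeysOnly(target, source, excludedKeys = []) {
  if (source === undefined || source === null) return target;
  const from = Object(source);
  for (const key of Object.getOwnPropertyNames(from)) {
    if (excludedKeys.includes(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc !== undefined && desc.enumerable) {
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Constructed source object covering the cases that matter: a plain key, a
// non-enumerable key, a symbol key and an enumerable getter.
function makeSampleSource() {
  const secret = Symbol('secret');
  const source = { a: 1 };
  Object.defineProperty(source, 'hidden', { value: 'no', enumerable: false });
  source[secret] = 'yes';
  Object.defineProperty(source, 'computed', { get() { return 2; }, enumerable: true });
  return { source, secret };
}

// Runs both copies plus native spread and reports what each one produced.
function spreadDemo() {
  const { source, secret } = makeSampleSource();
  const fixed = copyDataProperties({}, source);
  const buggy = copyDataPropertiesStringKeysOnly({}, source);
  const rest = copyDataProperties({}, source, ['a']);   // models `const { a, ...rest } = source`
  const native = { ...source };                          // the engine's own object spread
  return {
    fixedHasSymbol: fixed[secret] === 'yes',     // true
    buggyHasSymbol: buggy[secret] === 'yes',     // false: getOwnPropertyNames never listed it
    fixedSkipsNonEnumerable: 'hidden' in fixed,  // false
    fixedGetterRan: fixed.computed,              // 2, stored as a plain data property
    restExcludesA: 'a' in rest,                  // false
    nativeMatchesFixed: native[secret] === fixed[secret] && native.a === fixed.a && native.computed === fixed.computed, // true
  };
}
```

The `nativeMatchesFixed` row is the check a reviewer would want: the hand-written operation and the engine's spread agree on string keys, symbol keys and getter results once keys come from `Reflect.ownKeys`.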
490 2017-03-15  Yusuke Suzuki  <utatane.tea@gmail.com>
491
492         [JSC] Default parameter part should be retrieved by op_get_argument opcode instead of changing arity
493         https://bugs.webkit.org/show_bug.cgi?id=164582
494
495         Reviewed by Saam Barati.
496
497         Previously we implemented the default parameters as follows.
498
499             1. We count the default parameters as the usual parameters.
500             2. We just get the argument register.
501             3. Check it with op_is_undefined.
502             4. And fill the binding with either the argument register or default value.
503
504         The above is simple. However, it has the side effect that it always increases the arity of the function.
505         While `function.length` does not increase, internally, the number of parameters of CodeBlock increases.
506         This effectively prevents our DFG / FTL from performing inlining: currently we only allow DFG to inline
507         a function whose arity is less than or equal to the number of passed arguments. It is OK. But when using
508         default parameters, we frequently do not pass the argument for the parameter with the default value.
509         Thus, in our current implementation, we frequently need to fix up the arity. And we frequently fail
510         to inline the function.
511
512         This patch fixes the above problem by not increasing the arity of the function. When we encounter the
513         parameter with the default value, we use `op_argument` to get the argument instead of using the argument
514         registers.
515
516         This improves six-speed defaults.es6 performance by 4.45x.
517
518             defaults.es6        968.4126+-101.2350   ^    217.6602+-14.8831       ^ definitely 4.4492x faster
519
520         * bytecode/UnlinkedFunctionExecutable.cpp:
521         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
522         * bytecode/UnlinkedFunctionExecutable.h:
523         * bytecompiler/BytecodeGenerator.cpp:
524         (JSC::BytecodeGenerator::BytecodeGenerator):
525         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
526         (JSC::BytecodeGenerator::initializeNextParameter):
527         (JSC::BytecodeGenerator::initializeParameters):
528         * bytecompiler/BytecodeGenerator.h:
529         * bytecompiler/NodesCodegen.cpp:
530         (JSC::FunctionNode::emitBytecode):
531         * dfg/DFGByteCodeParser.cpp:
532         (JSC::DFG::ByteCodeParser::inliningCost):
533         * parser/ASTBuilder.h:
534         (JSC::ASTBuilder::createFunctionMetadata):
535         * parser/Nodes.cpp:
536         (JSC::FunctionMetadataNode::FunctionMetadataNode):
537         * parser/Nodes.h:
538         (JSC::FunctionParameters::size):
539         (JSC::FunctionParameters::at):
540         (JSC::FunctionParameters::append):
541         (JSC::FunctionParameters::isSimpleParameterList):
542         * parser/Parser.cpp:
543         (JSC::Parser<LexerType>::isArrowFunctionParameters):
544         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
545         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
546         (JSC::Parser<LexerType>::parseFormalParameters):
547         (JSC::Parser<LexerType>::parseFunctionBody):
548         (JSC::Parser<LexerType>::parseFunctionParameters):
549         (JSC::Parser<LexerType>::parseFunctionInfo):
550         * parser/Parser.h:
551         * parser/SyntaxChecker.h:
552         (JSC::SyntaxChecker::createFunctionMetadata):
553         * runtime/FunctionExecutable.h:
554         * runtime/JSFunction.cpp:
555         (JSC::JSFunction::createBuiltinFunction):
556         (JSC::JSFunction::reifyLength):
557
558 2017-03-15  Yusuke Suzuki  <utatane.tea@gmail.com>
559
560         [DFG] ToString operation should have fixup for primitives to say this node does not have side effects
561         https://bugs.webkit.org/show_bug.cgi?id=169544
562
563         Reviewed by Saam Barati.
564
565         Our DFG ToString only handles String operands well. While ToString(non-cell operand) does not have
566         any side effect, it is not modeled well in DFG.
567
568         This patch introduces a fixup for ToString with NonCellUse edge. If this edge is set, ToString does not
569         clobber things (like ToLowerCase, producing String). And ToString(NonCellUse) allows us to perform CSE!
570
571         Our microbenchmark shows 32.9% improvement due to dropped GetButterfly and CSE for ToString().
572
573                                             baseline                  patched
574
575             template-string-array       12.6284+-0.2766     ^      9.4998+-0.2295        ^ definitely 1.3293x faster
576
577         And SixSpeed template_string.es6 shows a 16.68x performance improvement due to LICM onto this non-side-effectful ToString().
578
579                                           baseline                  patched
580
581             template_string.es6     3229.7343+-40.5705    ^    193.6077+-36.3349       ^ definitely 16.6818x faster
582
583         * dfg/DFGAbstractInterpreterInlines.h:
584         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
585         * dfg/DFGClobberize.h:
586         (JSC::DFG::clobberize):
587         * dfg/DFGFixupPhase.cpp:
588         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
589         * dfg/DFGSpeculativeJIT.cpp:
590         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
591         (JSC::DFG::SpeculativeJIT::speculateNotCell):
592         * dfg/DFGSpeculativeJIT.h:
593         * dfg/DFGSpeculativeJIT32_64.cpp:
594         (JSC::DFG::SpeculativeJIT::compile):
595         * dfg/DFGSpeculativeJIT64.cpp:
596         (JSC::DFG::SpeculativeJIT::compile):
597         * ftl/FTLLowerDFGToB3.cpp:
598         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
599         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
600         (JSC::FTL::DFG::LowerDFGToB3::speculateNotCell):
601
602 2017-03-15  Ryan Haddad  <ryanhaddad@apple.com>
603
604         Revert part of r213978 to see if it resolves LayoutTest crashes.
605         https://bugs.webkit.org/show_bug.cgi?id=169729
606
607         Reviewed by Alexey Proskuryakov.
608
609         * JavaScriptCore.xcodeproj/project.pbxproj:
610
611 2017-03-15  Guillaume Emont  <guijemont@igalia.com>
612
613         [jsc][mips] Fix compilation error introduced in r213652
614         https://bugs.webkit.org/show_bug.cgi?id=169723
615
616         Reviewed by Mark Lam.
617
618         The new replaceWithBkpt() contains a lapsus in it
619         (s/code/instructionStart) and won't compile.
620
621         * assembler/MIPSAssembler.h:
622         (JSC::MIPSAssembler::replaceWithBkpt):
623
624 2017-03-15  Daniel Ehrenberg  <littledan@chromium.org>
625
626         Switch back to ISO 4217 for Intl CurrencyDigits data
627         https://bugs.webkit.org/show_bug.cgi?id=169182
628     
629         Previously, a patch switched Intl.NumberFormat to use CLDR data through
630         ICU to get the default number of decimal digits for a currency.
631         However, that change actually violated the ECMA 402 specification,
632         which references ISO 4217 as the data source. This patch reverts to
633         an in-line implementation of that data.
634
635         Reviewed by Saam Barati.
636
637         * runtime/IntlNumberFormat.cpp:
638         (JSC::computeCurrencySortKey):
639         (JSC::extractCurrencySortKey):
640         (JSC::computeCurrencyDigits):
641
642 2017-03-15  Saam Barati  <sbarati@apple.com>
643
644         WebAssembly: When we GC to try to get a fast memory, we should call collectAllGarbage(), not collectSync()
645         https://bugs.webkit.org/show_bug.cgi?id=169704
646
647         Reviewed by Mark Lam.
648
649         We weren't always sweeping the memory needed to free
650         the WasmMemory we wanted to use. collectAllGarbage()
651         will do this if the JS objects wrapping WasmMemory
652         are dead.
653
654         This patch also moves the increment of the allocatedFastMemories
655         integer to be thread safe.
656
657         * wasm/WasmMemory.cpp:
658         (JSC::Wasm::tryGetFastMemory):
659
660 2017-03-15  Mark Lam  <mark.lam@apple.com>
661
662         Fix exception scope verification failures in jsc.cpp.
663         https://bugs.webkit.org/show_bug.cgi?id=164968
664
665         Reviewed by Saam Barati.
666
667         * jsc.cpp:
668         (WTF::CustomGetter::customGetter):
669
670         (GlobalObject::moduleLoaderResolve):
671         (GlobalObject::moduleLoaderFetch):
672         - The only way modules would throw an exception is if we encounter an OutOfMemory
673           error.  This should be extremely rare.  At this point, I don't think it's worth
674           doing the dance to propagate the exception when this happens.  Instead, we'll
675           simply do a RELEASE_ASSERT that we don't see any exceptions here.
676
677         (functionRun):
678         (functionRunString):
679         (functionLoadModule):
680         (functionCheckModuleSyntax):
681         (box):
682         (dumpException):
683         (runWithScripts):
684
685 2017-03-15  Mark Lam  <mark.lam@apple.com>
686
687         Fix missing exception checks in Interpreter.cpp.
688         https://bugs.webkit.org/show_bug.cgi?id=164964
689
690         Reviewed by Saam Barati.
691
692         * interpreter/Interpreter.cpp:
693         (JSC::eval):
694         (JSC::sizeOfVarargs):
695         (JSC::sizeFrameForVarargs):
696         (JSC::Interpreter::executeProgram):
697         (JSC::Interpreter::executeCall):
698         (JSC::Interpreter::executeConstruct):
699         (JSC::Interpreter::prepareForRepeatCall):
700         (JSC::Interpreter::execute):
701
702 2017-03-15  Dean Jackson  <dino@apple.com>
703
704         Sort Xcode project files
705         https://bugs.webkit.org/show_bug.cgi?id=169669
706
707         Reviewed by Antoine Quint.
708
709         * JavaScriptCore.xcodeproj/project.pbxproj:
710
711 2017-03-14  Tomas Popela  <tpopela@redhat.com>
712
713         Wrong condition in offlineasm/risc.rb
714         https://bugs.webkit.org/show_bug.cgi?id=169597
715
716         Reviewed by Mark Lam.
717
718         It's missing the 'and' operator between the conditions.
719
720         * offlineasm/risc.rb:
721
722 2017-03-14  Mark Lam  <mark.lam@apple.com>
723
724         BytecodeGenerator should use the same function to determine if it needs to store the DerivedConstructor in an ArrowFunction lexical environment.
725         https://bugs.webkit.org/show_bug.cgi?id=169647
726         <rdar://problem/31051832>
727
728         Reviewed by Michael Saboff.
729
730         * bytecompiler/BytecodeGenerator.cpp:
731         (JSC::BytecodeGenerator::usesDerivedConstructorInArrowFunctionLexicalEnvironment):
732         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
733         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
734         * bytecompiler/BytecodeGenerator.h:
735
736 2017-03-14  Brian Burg  <bburg@apple.com>
737
738         [Cocoa] Web Inspector: generated code for parsing an array of primitive-type enums from payload does not work
739         https://bugs.webkit.org/show_bug.cgi?id=169629
740
741         Reviewed by Joseph Pecoraro.
742
743         This was encountered while trying to compile new protocol definitions that support the Actions API.
744
745         * inspector/scripts/codegen/models.py:
746         (EnumType.__repr__): Improve debug logging so fields match the class member names.
747
748         * inspector/scripts/codegen/objc_generator.py:
749         (ObjCGenerator.payload_to_objc_expression_for_member):
750         If the array elements are actually a primitive type, then there's no need to do any
751         conversion from a payload. This happens for free since the payload is a tree of
752         NSDictionary, NSString, NSNumber, etc. 
753
754         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
755         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
756         Rebaseline.
757
758         * inspector/scripts/tests/generic/type-declaration-object-type.json:
759         Add new cases for properties that contain an array with enum type references and an array of anonymous enums.
760
761 2017-03-14  Filip Pizlo  <fpizlo@apple.com>
762
763         Record the HashSet/HashMap operations in DFG/FTL/B3 and replay them in a benchmark
764         https://bugs.webkit.org/show_bug.cgi?id=169590
765
766         Reviewed by Saam Barati.
767         
768         Adds code to support logging some hashtable stuff in the DFG.
769
770         * dfg/DFGAvailabilityMap.cpp:
771         (JSC::DFG::AvailabilityMap::pruneHeap):
772         * dfg/DFGCombinedLiveness.cpp:
773         (JSC::DFG::liveNodesAtHead):
774         (JSC::DFG::CombinedLiveness::CombinedLiveness):
775         * dfg/DFGCombinedLiveness.h:
776         * dfg/DFGLivenessAnalysisPhase.cpp:
777         (JSC::DFG::LivenessAnalysisPhase::run):
778         (JSC::DFG::LivenessAnalysisPhase::processBlock):
779         * dfg/DFGNode.cpp:
780         * dfg/DFGNode.h:
781         * dfg/DFGObjectAllocationSinkingPhase.cpp:
782
783 2017-03-14  Joseph Pecoraro  <pecoraro@apple.com>
784
785         Web Inspector: Remove unused Network protocol event
786         https://bugs.webkit.org/show_bug.cgi?id=169619
787
788         Reviewed by Mark Lam.
789
790         * inspector/protocol/Network.json:
791         This became unused in r213621 and should have been removed
792         from the protocol file then.
793
794 2017-03-14  Mark Lam  <mark.lam@apple.com>
795
796         Add a null check in VMTraps::willDestroyVM() to handle a race condition.
797         https://bugs.webkit.org/show_bug.cgi?id=169620
798
799         Reviewed by Filip Pizlo.
800
801         There exists a race between VMTraps::willDestroyVM() (which removed SignalSenders
802         from its m_signalSenders list) and SignalSender::send() (which removes itself
803         from the list).  In the event that SignalSender::send() removes itself between
804         the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the
805         time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up
806         with a NULL sender pointer.  The fix is to add the missing null check before using
807         the sender pointer.
808
809         * runtime/VMTraps.cpp:
810         (JSC::VMTraps::willDestroyVM):
811         (JSC::VMTraps::fireTrap):
812         * runtime/VMTraps.h:
813
814 2017-03-14  Mark Lam  <mark.lam@apple.com>
815
816         Gardening: Speculative build fix for CLoop after r213886.
817         https://bugs.webkit.org/show_bug.cgi?id=169436
818
819         Not reviewed.
820
821         * runtime/MachineContext.h:
822
823 2017-03-14  Yusuke Suzuki  <utatane.tea@gmail.com>
824
825         [JSC] Drop unnecessary pthread_attr_t for JIT enabled Linux / FreeBSD environment
826         https://bugs.webkit.org/show_bug.cgi?id=169592
827
828         Reviewed by Carlos Garcia Campos.
829
830         Since suspended mcontext_t has all the necessary information, we can drop
831         pthread_attr_t allocation and destroy for JIT enabled Linux / FreeBSD environment.
832
833         * heap/MachineStackMarker.cpp:
834         (JSC::MachineThreads::Thread::getRegisters):
835         (JSC::MachineThreads::Thread::Registers::stackPointer):
836         (JSC::MachineThreads::Thread::Registers::framePointer):
837         (JSC::MachineThreads::Thread::Registers::instructionPointer):
838         (JSC::MachineThreads::Thread::Registers::llintPC):
839         (JSC::MachineThreads::Thread::freeRegisters):
840         * heap/MachineStackMarker.h:
841
842 2017-03-14  Zan Dobersek  <zdobersek@igalia.com>
843
844         [GLib] Use USE(GLIB) guards in JavaScriptCore/inspector/EventLoop.cpp
845         https://bugs.webkit.org/show_bug.cgi?id=169594
846
847         Reviewed by Carlos Garcia Campos.
848
849         Instead of PLATFORM(GTK) guards, utilize the USE(GLIB) build guards
850         to guard the GLib-specific includes and invocations in the JSC
851         inspector's EventLoop class implementation.
852
853         * inspector/EventLoop.cpp:
854         (Inspector::EventLoop::cycle):
855
856 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
857
858         [JSC][Linux] Implement VMTrap in Linux ports
859         https://bugs.webkit.org/show_bug.cgi?id=169436
860
861         Reviewed by Mark Lam.
862
863         This patch ports VMTrap to Linux ports.
864         We extract MachineContext accessors from various places (wasm/, heap/ and tools/)
865         and use them in all the JSC code.
866
867         * JavaScriptCore.xcodeproj/project.pbxproj:
868         * heap/MachineStackMarker.cpp:
869         (JSC::MachineThreads::Thread::Registers::stackPointer):
870         (JSC::MachineThreads::Thread::Registers::framePointer):
871         (JSC::MachineThreads::Thread::Registers::instructionPointer):
872         (JSC::MachineThreads::Thread::Registers::llintPC):
873         * heap/MachineStackMarker.h:
874         * runtime/MachineContext.h: Added.
875         (JSC::MachineContext::stackPointer):
876         (JSC::MachineContext::framePointer):
877         (JSC::MachineContext::instructionPointer):
878         (JSC::MachineContext::argumentPointer<1>):
879         (JSC::MachineContext::argumentPointer):
880         (JSC::MachineContext::llintInstructionPointer):
881         * runtime/PlatformThread.h:
882         (JSC::platformThreadSignal):
883         * runtime/VMTraps.cpp:
884         (JSC::SignalContext::SignalContext):
885         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
886         * tools/CodeProfiling.cpp:
887         (JSC::profilingTimer):
888         * tools/SigillCrashAnalyzer.cpp:
889         (JSC::SignalContext::SignalContext):
890         (JSC::SignalContext::dump):
891         * tools/VMInspector.cpp:
892         * wasm/WasmFaultSignalHandler.cpp:
893         (JSC::Wasm::trapHandler):
894
895 2017-03-13  Mark Lam  <mark.lam@apple.com>
896
897         Make the HeapVerifier useful again.
898         https://bugs.webkit.org/show_bug.cgi?id=161752
899
900         Reviewed by Filip Pizlo.
901
902         Resurrect the HeapVerifier.  Here's what the verifier now offers:
903
904         1. It captures the list of cells before and after GCs up to N GC cycles.
905            N is set by JSC_numberOfGCCyclesToRecordForVerification.
906            Currently, N defaults to 3.
907
908            This is useful if we're debugging in lldb and want to check if a candidate
909            cell pointer was observed by the GC during the last N GC cycles.  We can do
910            this check by calling HeapVerifier::checkIfRecorded() with the cell address.
911
912            HeapVerifier::checkIfRecorded() is robust and can be used on bogus addresses.
913            If the candidate cell was previously recorded by the HeapVerifier during a
914            GC cycle, checkIfRecorded() will dump any useful info it has on that cell.
915
916         2. The HeapVerifier will verify that cells in its captured list after a GC are
917            sane.  Some examples of cell insanity are:
918            - the cell claims to belong to a different VM.
919            - the cell has a NULL structureID.
920            - the cell has a NULL structure.
921            - the cell's structure has a NULL structureID.
922            - the cell's structure has a NULL structure.
923            - the cell's structure's structure has a NULL structureID.
924            - the cell's structure's structure has a NULL structure.
925
926            These are all signs of corruption or a GC bug.  The verifier will report any
927            insanity it finds, and then crash with a RELEASE_ASSERT.
928
929         3. Since the HeapVerifier captures lists of cells in the heap before and after GCs
930            for the last N GCs, it will also automatically "trim" dead cells from those lists
931            after the most recent GC.
932
933            "trim" here means that the CellProfile in the HeapVerifier's lists will be
934            updated to reflect that the cell is now dead.  It still keeps a record of the
935            dead cell pointer and the meta data collected about it back when it was alive.
936            As a result, checkIfRecorded() will also report if the candidate cell passed
937            to it is a dead object from a previous GC cycle. 
938
939         4. Each CellProfile captured by the HeapVerifier now tracks the following info:
940            - the cell's HeapCell::Kind.
941            - the cell's liveness.
942            - if it is a JSCell, the cell's classInfo()->className.
943            - an associated timestamp.
944            - an associated stack trace.
945
946            Currently, the timestamp is only used for the time when the cell was recorded
947            by the HeapVerifier during GC.  The stack trace is currently unused.
948
949            However, these fields are kept there so that we can instrument the VM (during
950            a debugging session, which requires rebuilding the VM) and record interesting
951            stack traces like that of the time of allocation of the cell.  Since
952            capturing the stack traces for each cell is a very heavy weight operation,
953            the HeapVerifier code does not do this by default.  Instead, we just leave
954            the building blocks for doing so in place to ease future debugging efforts.
955
956         * heap/Heap.cpp:
957         (JSC::Heap::runBeginPhase):
958         (JSC::Heap::runEndPhase):
959         (JSC::Heap::didFinishCollection):
960         * heap/Heap.h:
961         (JSC::Heap::verifier):
962         * heap/MarkedAllocator.h:
963         (JSC::MarkedAllocator::takeLastActiveBlock): Deleted.
964         * heap/MarkedSpace.h:
965         * heap/MarkedSpaceInlines.h:
966         (JSC::MarkedSpace::forEachLiveCell):
967         * tools/CellList.cpp:
968         (JSC::CellList::find):
969         (JSC::CellList::reset):
970         (JSC::CellList::findCell): Deleted.
971         * tools/CellList.h:
972         (JSC::CellList::CellList):
973         (JSC::CellList::name):
974         (JSC::CellList::size):
975         (JSC::CellList::cells):
976         (JSC::CellList::add):
977         (JSC::CellList::reset): Deleted.
978         * tools/CellProfile.h:
979         (JSC::CellProfile::CellProfile):
980         (JSC::CellProfile::cell):
981         (JSC::CellProfile::jsCell):
982         (JSC::CellProfile::isJSCell):
983         (JSC::CellProfile::kind):
984         (JSC::CellProfile::isLive):
985         (JSC::CellProfile::isDead):
986         (JSC::CellProfile::setIsLive):
987         (JSC::CellProfile::setIsDead):
988         (JSC::CellProfile::timestamp):
989         (JSC::CellProfile::className):
990         (JSC::CellProfile::stackTrace):
991         (JSC::CellProfile::setStackTrace):
992         * tools/HeapVerifier.cpp:
993         (JSC::HeapVerifier::startGC):
994         (JSC::HeapVerifier::endGC):
995         (JSC::HeapVerifier::gatherLiveCells):
996         (JSC::trimDeadCellsFromList):
997         (JSC::HeapVerifier::trimDeadCells):
998         (JSC::HeapVerifier::printVerificationHeader):
999         (JSC::HeapVerifier::verifyCellList):
1000         (JSC::HeapVerifier::validateCell):
1001         (JSC::HeapVerifier::validateJSCell):
1002         (JSC::HeapVerifier::verify):
1003         (JSC::HeapVerifier::reportCell):
1004         (JSC::HeapVerifier::checkIfRecorded):
1005         (JSC::HeapVerifier::initializeGCCycle): Deleted.
1006         (JSC::GatherCellFunctor::GatherCellFunctor): Deleted.
1007         (JSC::GatherCellFunctor::visit): Deleted.
1008         (JSC::GatherCellFunctor::operator()): Deleted.
1009         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace): Deleted.
1010         * tools/HeapVerifier.h:
1011         (JSC::HeapVerifier::GCCycle::reset):
1012
1013 2017-03-13  SKumarMetro  <s.kumar@metrological.com>
1014
1015         JSC: fix compilation errors for MIPS
1016         https://bugs.webkit.org/show_bug.cgi?id=168402
1017
1018         Reviewed by Mark Lam.
1019
1020         * assembler/MIPSAssembler.h:
1021         (JSC::MIPSAssembler::fillNops):
1022         Added.
1023         * assembler/MacroAssemblerMIPS.h:
1024         Added MacroAssemblerMIPS::numGPRs and MacroAssemblerMIPS::numFPRs.
1025         * bytecode/InlineAccess.h:
1026         (JSC::InlineAccess::sizeForPropertyAccess):
1027         (JSC::InlineAccess::sizeForPropertyReplace):
1028         (JSC::InlineAccess::sizeForLengthAccess):
1029         Added MIPS cases.
1030
1031 2017-03-13  Filip Pizlo  <fpizlo@apple.com>
1032
1033         FTL should not flush strict arguments unless it really needs to
1034         https://bugs.webkit.org/show_bug.cgi?id=169519
1035
1036         Reviewed by Mark Lam.
1037         
1038         This is a refinement that we should have done ages ago. This kills some pointless PutStacks
1039         in DFG SSA IR. It can sometimes unlock other optimizations.
1040         
1041         Relanding after I fixed the special cases for CreateArguments-style nodes. 
1042
1043         * dfg/DFGPreciseLocalClobberize.h:
1044         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1045
1046 2017-03-13  Devin Rousso  <webkit@devinrousso.com>
1047
1048         Web Inspector: Event Listeners section is missing 'once', 'passive' event listener flags
1049         https://bugs.webkit.org/show_bug.cgi?id=167080
1050
1051         Reviewed by Joseph Pecoraro.
1052
1053         * inspector/protocol/DOM.json:
1054         Add "passive" and "once" items to the EventListener type.
1055
1056 2017-03-13  Mark Lam  <mark.lam@apple.com>
1057
1058         Remove obsolete experimental ObjC SPI.
1059         https://bugs.webkit.org/show_bug.cgi?id=169569
1060
1061         Reviewed by Saam Barati.
1062
1063         * API/JSVirtualMachine.mm:
1064         (-[JSVirtualMachine enableSigillCrashAnalyzer]): Deleted.
1065         * API/JSVirtualMachinePrivate.h: Removed.
1066         * JavaScriptCore.xcodeproj/project.pbxproj:
1067
1068 2017-03-13  Commit Queue  <commit-queue@webkit.org>
1069
1070         Unreviewed, rolling out r213856.
1071         https://bugs.webkit.org/show_bug.cgi?id=169562
1072
1073         Breaks JSC stress test stress/super-property-access.js.ftl-eager
1074         failing (Requested by mlam|g on #webkit).
1075
1076         Reverted changeset:
1077
1078         "FTL should not flush strict arguments unless it really needs
1079         to"
1080         https://bugs.webkit.org/show_bug.cgi?id=169519
1081         http://trac.webkit.org/changeset/213856
1082
1083 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1084
1085         [JSC][Linux] Allow profilers to demangle C++ names
1086         https://bugs.webkit.org/show_bug.cgi?id=169559
1087
1088         Reviewed by Michael Catanzaro.
1089
1090         Linux also offers dladdr and a demangling feature.
1091         Thus, we can use it to show the names in profilers.
1092         For example, SamplingProfiler tells us the C function names.
1093
1094         * runtime/SamplingProfiler.cpp:
1095         (JSC::SamplingProfiler::StackFrame::displayName):
1096         * tools/CodeProfile.cpp:
1097         (JSC::symbolName):
1098
1099 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1100
1101         [WTF] Clean up RunLoop and WorkQueue with Seconds and Function
1102         https://bugs.webkit.org/show_bug.cgi?id=169537
1103
1104         Reviewed by Sam Weinig.
1105
1106         * runtime/Watchdog.cpp:
1107         (JSC::Watchdog::startTimer):
1108
1109 2017-03-11  Filip Pizlo  <fpizlo@apple.com>
1110
1111         FTL should not flush strict arguments unless it really needs to
1112         https://bugs.webkit.org/show_bug.cgi?id=169519
1113
1114         Reviewed by Mark Lam.
1115         
1116         This is a refinement that we should have done ages ago. This kills some pointless PutStacks
1117         in DFG SSA IR. It can sometimes unlock other optimizations.
1118
1119         * dfg/DFGPreciseLocalClobberize.h:
1120         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1121
1122 2017-03-13  Caio Lima  <ticaiolima@gmail.com>
1123
1124         [JSC] It should be possible to create a label named let when parsing a Statement in non-strict mode
1125         https://bugs.webkit.org/show_bug.cgi?id=168684
1126
1127         Reviewed by Saam Barati.
1128
1129         This patch fixes a Parser bug to allow defining a label named
1130         `let` in sloppy mode when parsing a Statement.
1131
1132         * parser/Parser.cpp:
1133         (JSC::Parser<LexerType>::parseStatement):
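
The parser behaviour this entry restores, as an added example (not JSC code): a small probe that compiles constructed sources with the Function constructor and reports whether `let` is accepted as a statement label in sloppy mode and rejected in strict mode, where it is a reserved word.

```javascript
// Added example, not part of JavaScriptCore. Compiling with the Function
// constructor exercises the parser without running the code.

// Constructed probe sources. ECMAScript treats `let` as an ordinary
// identifier in sloppy mode, so `let:` starts a LabelledStatement there;
// in strict mode `let` is reserved and the same source must not parse.
const PROBES = {
  sloppyLabel: "let: { }",
  strictLabel: "'use strict'; let: { }",
  sloppyDeclaration: "let x = 1; return x;",
  strictDeclaration: "'use strict'; let x = 1; return x;",
};

// Compile one source and classify the outcome: "ok" when it parses,
// otherwise the error class name (a conforming engine reports SyntaxError).
function parseResult(source) {
  try {
    new Function(source);
    return "ok";
  } catch (e) {
    return e instanceof SyntaxError ? "SyntaxError" : e.constructor.name;
  }
}

// Run every probe and return a name -> outcome map for inspection.
function runProbes() {
  const results = {};
  for (const [name, source] of Object.entries(PROBES)) {
    results[name] = parseResult(source);
  }
  return results;
}
```

A sloppy-mode label named `let` parses while the strict-mode one is a SyntaxError; the declaration probes confirm that `let` as a keyword is unaffected in both modes.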
1134
1135 2017-03-11  Filip Pizlo  <fpizlo@apple.com>
1136
1137         Structure::willStoreValueSlow needs to keep the property table alive until the end
1138         https://bugs.webkit.org/show_bug.cgi?id=169520
1139
1140         Reviewed by Michael Saboff.
1141
1142         We use pointers logically interior to `propertyTable` after doing a GC. We need to prevent the
1143         compiler from optimizing away pointers to `propertyTable`.
1144         
1145         * heap/HeapCell.cpp:
1146         (JSC::HeapCell::use):
1147         * heap/HeapCell.h:
1148         (JSC::HeapCell::use): Introduce API for keeping a pointer alive until some point in execution.
1149         * runtime/Structure.cpp:
1150         (JSC::Structure::willStoreValueSlow): Use HeapCell::use() to keep the pointer alive.
1151
1152 2017-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1153
1154         Unreviewed, suppress warnings in JSC B3
1155
1156         * b3/B3Opcode.cpp:
1157
1158 2017-03-11  Michael Saboff  <msaboff@apple.com>
1159
1160         Allow regular expressions to be used when selecting a process name in JSC config file
1161         https://bugs.webkit.org/show_bug.cgi?id=169495
1162
1163         Reviewed by Saam Barati.
1164
1165         Only added regular expression selectors for Unix-like platforms.
1166
1167         * runtime/ConfigFile.cpp:
1168         (JSC::ConfigFileScanner::tryConsumeRegExPattern):
1169         (JSC::ConfigFile::parse):
1170
1171 2017-03-11  Jon Lee  <jonlee@apple.com>
1172
1173         WebGPU prototype - Front-End
1174         https://bugs.webkit.org/show_bug.cgi?id=167952
1175
1176         Reviewed by Dean Jackson.
1177
1178         * runtime/CommonIdentifiers.h: Add WebGPU objects.
1179
1180 2017-03-10  Filip Pizlo  <fpizlo@apple.com>
1181
1182         The JITs should be able to emit fast TLS loads
1183         https://bugs.webkit.org/show_bug.cgi?id=169483
1184
1185         Reviewed by Keith Miller.
1186         
1187         Added loadFromTLS32/64/Ptr to the MacroAssembler and added a B3 test for this.
1188
1189         * assembler/ARM64Assembler.h:
1190         (JSC::ARM64Assembler::mrs_TPIDRRO_EL0):
1191         * assembler/MacroAssembler.h:
1192         (JSC::MacroAssembler::loadFromTLSPtr):
1193         * assembler/MacroAssemblerARM64.h:
1194         (JSC::MacroAssemblerARM64::loadFromTLS32):
1195         (JSC::MacroAssemblerARM64::loadFromTLS64):
1196         * assembler/MacroAssemblerX86Common.h:
1197         (JSC::MacroAssemblerX86Common::loadFromTLS32):
1198         * assembler/MacroAssemblerX86_64.h:
1199         (JSC::MacroAssemblerX86_64::loadFromTLS64):
1200         * assembler/X86Assembler.h:
1201         (JSC::X86Assembler::adcl_im):
1202         (JSC::X86Assembler::addl_mr):
1203         (JSC::X86Assembler::addl_im):
1204         (JSC::X86Assembler::andl_im):
1205         (JSC::X86Assembler::orl_im):
1206         (JSC::X86Assembler::orl_rm):
1207         (JSC::X86Assembler::subl_im):
1208         (JSC::X86Assembler::cmpb_im):
1209         (JSC::X86Assembler::cmpl_rm):
1210         (JSC::X86Assembler::cmpl_im):
1211         (JSC::X86Assembler::testb_im):
1212         (JSC::X86Assembler::movb_i8m):
1213         (JSC::X86Assembler::movb_rm):
1214         (JSC::X86Assembler::movl_mr):
1215         (JSC::X86Assembler::movq_mr):
1216         (JSC::X86Assembler::movsxd_rr):
1217         (JSC::X86Assembler::gs):
1218         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1219         * b3/testb3.cpp:
1220         (JSC::B3::testFastTLS):
1221         (JSC::B3::run):
1222
1223 2017-03-10  Alex Christensen  <achristensen@webkit.org>
1224
1225         Fix watch and tv builds after r213294
1226         https://bugs.webkit.org/show_bug.cgi?id=169508
1227
1228         Reviewed by Dan Bernstein.
1229
1230         * Configurations/FeatureDefines.xcconfig:
1231
1232 2017-03-10  Saam Barati  <sbarati@apple.com>
1233
1234         WebAssembly: Make more demos run
1235         https://bugs.webkit.org/show_bug.cgi?id=165510
1236         <rdar://problem/29760310>
1237
1238         Reviewed by Keith Miller.
1239
1240         This patch makes another Wasm demo run:
1241         https://kripken.github.io/BananaBread/cube2/bb.html
1242         
1243         This patch fixes two bugs:
1244         1. When WebAssemblyFunctionType was added, we did not properly
1245         update the last JS type value.
1246         2. Our code for our JS -> Wasm entrypoint was wrong. It led to bad
1247         code generation where we would emit B3 that would write over r12
1248         and rbx (on x86) which is invalid since those are our pinned registers.
1249         This patch just rewrites the entrypoint to use hand written assembler
1250         code. I was planning on doing this anyways because it's a compile
1251         time speed boost.
1252         
1253         Also, this patch adds support for some new API features:
1254         We can now export an import, either via a direct export, or via a Table and the
1255         Element section. I've added a new class called WebAssemblyWrapperFunction that
1256         just wraps over a JSObject that is a function. Wrapper functions have types
1257         associated with them, so if they're re-imported, or called via call_indirect,
1258         they can be type checked.
1259
1260         * CMakeLists.txt:
1261         * JavaScriptCore.xcodeproj/project.pbxproj:
1262         * runtime/JSGlobalObject.cpp:
1263         (JSC::JSGlobalObject::init):
1264         (JSC::JSGlobalObject::visitChildren):
1265         * runtime/JSGlobalObject.h:
1266         (JSC::JSGlobalObject::webAssemblyWrapperFunctionStructure):
1267         * runtime/JSType.h:
1268         * wasm/JSWebAssemblyCodeBlock.h:
1269         (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
1270         * wasm/WasmB3IRGenerator.cpp:
1271         (JSC::Wasm::createJSToWasmWrapper):
1272         * wasm/WasmCallingConvention.h:
1273         (JSC::Wasm::CallingConvention::headerSizeInBytes):
1274         * wasm/js/JSWebAssemblyHelpers.h:
1275         (JSC::isWebAssemblyHostFunction):
1276         * wasm/js/JSWebAssemblyInstance.cpp:
1277         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
1278         * wasm/js/JSWebAssemblyInstance.h:
1279         (JSC::JSWebAssemblyInstance::importFunction):
1280         (JSC::JSWebAssemblyInstance::importFunctions):
1281         (JSC::JSWebAssemblyInstance::setImportFunction):
1282         * wasm/js/JSWebAssemblyTable.cpp:
1283         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1284         (JSC::JSWebAssemblyTable::grow):
1285         (JSC::JSWebAssemblyTable::clearFunction):
1286         (JSC::JSWebAssemblyTable::setFunction):
1287         * wasm/js/JSWebAssemblyTable.h:
1288         (JSC::JSWebAssemblyTable::getFunction):
1289         * wasm/js/WebAssemblyFunction.cpp:
1290         (JSC::callWebAssemblyFunction):
1291         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1292         (JSC::WebAssemblyInstanceConstructor::createInstance):
1293         * wasm/js/WebAssemblyModuleRecord.cpp:
1294         (JSC::WebAssemblyModuleRecord::link):
1295         (JSC::WebAssemblyModuleRecord::evaluate):
1296         * wasm/js/WebAssemblyModuleRecord.h:
1297         * wasm/js/WebAssemblyTablePrototype.cpp:
1298         (JSC::webAssemblyTableProtoFuncGet):
1299         (JSC::webAssemblyTableProtoFuncSet):
1300         * wasm/js/WebAssemblyWrapperFunction.cpp: Added.
1301         (JSC::callWebAssemblyWrapperFunction):
1302         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
1303         (JSC::WebAssemblyWrapperFunction::create):
1304         (JSC::WebAssemblyWrapperFunction::finishCreation):
1305         (JSC::WebAssemblyWrapperFunction::createStructure):
1306         (JSC::WebAssemblyWrapperFunction::visitChildren):
1307         * wasm/js/WebAssemblyWrapperFunction.h: Added.
1308         (JSC::WebAssemblyWrapperFunction::signatureIndex):
1309         (JSC::WebAssemblyWrapperFunction::wasmEntrypoint):
1310         (JSC::WebAssemblyWrapperFunction::function):
1311
1312 2017-03-10  Mark Lam  <mark.lam@apple.com>
1313
1314         JSC: BindingNode::bindValue doesn't increase the scope's reference count.
1315         https://bugs.webkit.org/show_bug.cgi?id=168546
1316         <rdar://problem/30589551>
1317
1318         Reviewed by Saam Barati.
1319
1320         We should protect the scope RegisterID with a RefPtr while it is still needed.
1321
1322         * bytecompiler/NodesCodegen.cpp:
1323         (JSC::ForInNode::emitLoopHeader):
1324         (JSC::ForOfNode::emitBytecode):
1325         (JSC::BindingNode::bindValue):
1326
1327 2017-03-10  Alex Christensen  <achristensen@webkit.org>
1328
1329         Fix CMake build.
1330
1331         * CMakeLists.txt:
1332         Make more forwarding headers so we can find WasmFaultSignalHandler.h from WebProcess.cpp.
1333
1334 2017-03-10  Mark Lam  <mark.lam@apple.com>
1335
1336         [Re-landing] Implement a StackTrace utility object that can capture stack traces for debugging.
1337         https://bugs.webkit.org/show_bug.cgi?id=169454
1338
1339         Reviewed by Michael Saboff.
1340
1341         The underlying implementation is hoisted right out of Assertions.cpp from the
1342         implementations of WTFPrintBacktrace().
1343
1344         The reason we need this StackTrace object is because during heap debugging, we
1345         sometimes want to capture the stack trace that allocated the objects of interest.
1346         Dumping the stack trace directly to stdout (using WTFReportBacktrace()) may
1347         perturb the execution profile sufficiently that an issue may not reproduce,
1348         while alternatively, just capturing the stack trace and deferring printing it
1349         till we actually need it later perturbs the execution profile less.
1350
1351         In addition, just capturing the stack traces (instead of printing them
1352         immediately at each capture site) allows us to avoid polluting stdout with tons
1353         of stack traces that may be irrelevant.
1354
1355         For now, we only capture the native stack trace.  We'll leave capturing and
1356         integrating the JS stack trace as an exercise for the future if we need it then.
1357
1358         Here's an example of how to use this StackTrace utility:
1359
1360             // Capture a stack trace of the top 10 frames.
1361             std::unique_ptr<StackTrace> trace(StackTrace::captureStackTrace(10));
1362             // Print the trace.
1363             dataLog(*trace);
1364
1365         * CMakeLists.txt:
1366         * JavaScriptCore.xcodeproj/project.pbxproj:
1367         * tools/StackTrace.cpp: Added.
1368         (JSC::StackTrace::instanceSize):
1369         (JSC::StackTrace::captureStackTrace):
1370         (JSC::StackTrace::dump):
1371         * tools/StackTrace.h: Added.
1372         (JSC::StackTrace::size):
1373         (JSC::StackTrace::StackTrace):
1374
1375 2017-03-04  Filip Pizlo  <fpizlo@apple.com>
1376
1377         B3 should have comprehensive support for atomic operations
1378         https://bugs.webkit.org/show_bug.cgi?id=162349
1379
1380         Reviewed by Keith Miller.
1381         
1382         This adds the following capabilities to B3:
1383         
1384         - Atomic weak/strong unfenced/fenced compare-and-swap
1385         - Atomic add/sub/or/and/xor/xchg
1386         - Acquire/release fencing on loads/stores
1387         - Fenceless load-load dependencies
1388         
1389         This adds lowering to the following instructions on x86:
1390         
1391         - lock cmpxchg
1392         - lock xadd
1393         - lock add/sub/or/and/xor/xchg
1394         
1395         This adds lowering to the following instructions on ARM64:
1396         
1397         - ldar and friends
1398         - stlr and friends
1399         - ldxr and friends (unfenced LL)
1400         - stxr and friends (unfenced SC)
1401         - ldaxr and friends (fenced LL)
1402         - stlxr and friends (fenced SC)
1403         - eor as a fenceless load-load dependency
1404         
1405         This does instruction selection pattern matching to ensure that weak/strong CAS and all of the
1406         variants of fences and atomic math ops get lowered to the best possible instruction sequence.
1407         For example, we support the Equal(AtomicStrongCAS(expected, ...), expected) pattern and a bunch
1408         of its friends. You can say Branch(Equal(AtomicStrongCAS(expected, ...), expected)) and it will
1409         generate the best possible branch sequence on x86 and ARM64.
1410         
1411         B3 now knows how to model all of the kinds of fencing. It knows that acq loads are ordered with
1412         respect to each other and with respect to rel stores, creating sequential consistency that
1413         transcends just the acq/rel fences themselves (see Effects::fence). It knows that the phantom
1414         fence effects may only target some abstract heaps but not others, so that load elimination and
1415         store sinking can still operate across fences if you just tell B3 that the fence does not alias
1416         those accesses. This makes it super easy to teach B3 that some of your heap is thread-local.
1417         Even better, it lets you express fine-grained dependencies where the atomics that affect one
1418         property in shared memory do not clobber non-atomics that affect some other property in shared
1419         memory.
1420         
1421         One of my favorite features is Depend, which allows you to express load-load dependencies. On
1422         x86 it lowers to nothing, while on ARM64 it lowers to eor.
1423         
1424         This also exposes a common atomicWeakCAS API to the x86_64/ARM64 MacroAssemblers. Same for
1425         acq/rel. JSC's 64-bit JITs are now a happy concurrency playground.
1426         
1427         This doesn't yet expose the functionality to JS or wasm. SAB still uses the non-intrinsic
1428         implementations of the Atomics object, for now.
1429         
1430         * CMakeLists.txt:
1431         * JavaScriptCore.xcodeproj/project.pbxproj:
1432         * assembler/ARM64Assembler.h:
1433         (JSC::ARM64Assembler::ldar):
1434         (JSC::ARM64Assembler::ldxr):
1435         (JSC::ARM64Assembler::ldaxr):
1436         (JSC::ARM64Assembler::stxr):
1437         (JSC::ARM64Assembler::stlr):
1438         (JSC::ARM64Assembler::stlxr):
1439         (JSC::ARM64Assembler::excepnGenerationImmMask):
1440         (JSC::ARM64Assembler::exoticLoad):
1441         (JSC::ARM64Assembler::storeRelease):
1442         (JSC::ARM64Assembler::exoticStore):
1443         * assembler/AbstractMacroAssembler.cpp: Added.
1444         (WTF::printInternal):
1445         * assembler/AbstractMacroAssembler.h:
1446         (JSC::AbstractMacroAssemblerBase::invert):
1447         * assembler/MacroAssembler.h:
1448         * assembler/MacroAssemblerARM64.h:
1449         (JSC::MacroAssemblerARM64::loadAcq8SignedExtendTo32):
1450         (JSC::MacroAssemblerARM64::loadAcq8):
1451         (JSC::MacroAssemblerARM64::storeRel8):
1452         (JSC::MacroAssemblerARM64::loadAcq16SignedExtendTo32):
1453         (JSC::MacroAssemblerARM64::loadAcq16):
1454         (JSC::MacroAssemblerARM64::storeRel16):
1455         (JSC::MacroAssemblerARM64::loadAcq32):
1456         (JSC::MacroAssemblerARM64::loadAcq64):
1457         (JSC::MacroAssemblerARM64::storeRel32):
1458         (JSC::MacroAssemblerARM64::storeRel64):
1459         (JSC::MacroAssemblerARM64::loadLink8):
1460         (JSC::MacroAssemblerARM64::loadLinkAcq8):
1461         (JSC::MacroAssemblerARM64::storeCond8):
1462         (JSC::MacroAssemblerARM64::storeCondRel8):
1463         (JSC::MacroAssemblerARM64::loadLink16):
1464         (JSC::MacroAssemblerARM64::loadLinkAcq16):
1465         (JSC::MacroAssemblerARM64::storeCond16):
1466         (JSC::MacroAssemblerARM64::storeCondRel16):
1467         (JSC::MacroAssemblerARM64::loadLink32):
1468         (JSC::MacroAssemblerARM64::loadLinkAcq32):
1469         (JSC::MacroAssemblerARM64::storeCond32):
1470         (JSC::MacroAssemblerARM64::storeCondRel32):
1471         (JSC::MacroAssemblerARM64::loadLink64):
1472         (JSC::MacroAssemblerARM64::loadLinkAcq64):
1473         (JSC::MacroAssemblerARM64::storeCond64):
1474         (JSC::MacroAssemblerARM64::storeCondRel64):
1475         (JSC::MacroAssemblerARM64::atomicStrongCAS8):
1476         (JSC::MacroAssemblerARM64::atomicStrongCAS16):
1477         (JSC::MacroAssemblerARM64::atomicStrongCAS32):
1478         (JSC::MacroAssemblerARM64::atomicStrongCAS64):
1479         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS8):
1480         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS16):
1481         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS32):
1482         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS64):
1483         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS8):
1484         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS16):
1485         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS32):
1486         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS64):
1487         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS8):
1488         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS16):
1489         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS32):
1490         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS64):
1491         (JSC::MacroAssemblerARM64::depend32):
1492         (JSC::MacroAssemblerARM64::depend64):
1493         (JSC::MacroAssemblerARM64::loadLink):
1494         (JSC::MacroAssemblerARM64::loadLinkAcq):
1495         (JSC::MacroAssemblerARM64::storeCond):
1496         (JSC::MacroAssemblerARM64::storeCondRel):
1497         (JSC::MacroAssemblerARM64::signExtend):
1498         (JSC::MacroAssemblerARM64::branch):
1499         (JSC::MacroAssemblerARM64::atomicStrongCAS):
1500         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS):
1501         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS):
1502         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS):
1503         (JSC::MacroAssemblerARM64::extractSimpleAddress):
1504         (JSC::MacroAssemblerARM64::signExtend<8>):
1505         (JSC::MacroAssemblerARM64::signExtend<16>):
1506         (JSC::MacroAssemblerARM64::branch<64>):
1507         * assembler/MacroAssemblerX86Common.h:
1508         (JSC::MacroAssemblerX86Common::add32):
1509         (JSC::MacroAssemblerX86Common::and32):
1510         (JSC::MacroAssemblerX86Common::and16):
1511         (JSC::MacroAssemblerX86Common::and8):
1512         (JSC::MacroAssemblerX86Common::neg32):
1513         (JSC::MacroAssemblerX86Common::neg16):
1514         (JSC::MacroAssemblerX86Common::neg8):
1515         (JSC::MacroAssemblerX86Common::or32):
1516         (JSC::MacroAssemblerX86Common::or16):
1517         (JSC::MacroAssemblerX86Common::or8):
1518         (JSC::MacroAssemblerX86Common::sub16):
1519         (JSC::MacroAssemblerX86Common::sub8):
1520         (JSC::MacroAssemblerX86Common::sub32):
1521         (JSC::MacroAssemblerX86Common::xor32):
1522         (JSC::MacroAssemblerX86Common::xor16):
1523         (JSC::MacroAssemblerX86Common::xor8):
1524         (JSC::MacroAssemblerX86Common::not32):
1525         (JSC::MacroAssemblerX86Common::not16):
1526         (JSC::MacroAssemblerX86Common::not8):
1527         (JSC::MacroAssemblerX86Common::store16):
1528         (JSC::MacroAssemblerX86Common::atomicStrongCAS8):
1529         (JSC::MacroAssemblerX86Common::atomicStrongCAS16):
1530         (JSC::MacroAssemblerX86Common::atomicStrongCAS32):
1531         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS8):
1532         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS16):
1533         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS32):
1534         (JSC::MacroAssemblerX86Common::atomicWeakCAS8):
1535         (JSC::MacroAssemblerX86Common::atomicWeakCAS16):
1536         (JSC::MacroAssemblerX86Common::atomicWeakCAS32):
1537         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS8):
1538         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS16):
1539         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS32):
1540         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS8):
1541         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS16):
1542         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS32):
1543         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS8):
1544         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS16):
1545         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS32):
1546         (JSC::MacroAssemblerX86Common::atomicAdd8):
1547         (JSC::MacroAssemblerX86Common::atomicAdd16):
1548         (JSC::MacroAssemblerX86Common::atomicAdd32):
1549         (JSC::MacroAssemblerX86Common::atomicSub8):
1550         (JSC::MacroAssemblerX86Common::atomicSub16):
1551         (JSC::MacroAssemblerX86Common::atomicSub32):
1552         (JSC::MacroAssemblerX86Common::atomicAnd8):
1553         (JSC::MacroAssemblerX86Common::atomicAnd16):
1554         (JSC::MacroAssemblerX86Common::atomicAnd32):
1555         (JSC::MacroAssemblerX86Common::atomicOr8):
1556         (JSC::MacroAssemblerX86Common::atomicOr16):
1557         (JSC::MacroAssemblerX86Common::atomicOr32):
1558         (JSC::MacroAssemblerX86Common::atomicXor8):
1559         (JSC::MacroAssemblerX86Common::atomicXor16):
1560         (JSC::MacroAssemblerX86Common::atomicXor32):
1561         (JSC::MacroAssemblerX86Common::atomicNeg8):
1562         (JSC::MacroAssemblerX86Common::atomicNeg16):
1563         (JSC::MacroAssemblerX86Common::atomicNeg32):
1564         (JSC::MacroAssemblerX86Common::atomicNot8):
1565         (JSC::MacroAssemblerX86Common::atomicNot16):
1566         (JSC::MacroAssemblerX86Common::atomicNot32):
1567         (JSC::MacroAssemblerX86Common::atomicXchgAdd8):
1568         (JSC::MacroAssemblerX86Common::atomicXchgAdd16):
1569         (JSC::MacroAssemblerX86Common::atomicXchgAdd32):
1570         (JSC::MacroAssemblerX86Common::atomicXchg8):
1571         (JSC::MacroAssemblerX86Common::atomicXchg16):
1572         (JSC::MacroAssemblerX86Common::atomicXchg32):
1573         (JSC::MacroAssemblerX86Common::loadAcq8):
1574         (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32):
1575         (JSC::MacroAssemblerX86Common::loadAcq16):
1576         (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32):
1577         (JSC::MacroAssemblerX86Common::loadAcq32):
1578         (JSC::MacroAssemblerX86Common::storeRel8):
1579         (JSC::MacroAssemblerX86Common::storeRel16):
1580         (JSC::MacroAssemblerX86Common::storeRel32):
1581         (JSC::MacroAssemblerX86Common::storeFence):
1582         (JSC::MacroAssemblerX86Common::loadFence):
1583         (JSC::MacroAssemblerX86Common::replaceWithJump):
1584         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
1585         (JSC::MacroAssemblerX86Common::patchableJumpSize):
1586         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
1587         (JSC::MacroAssemblerX86Common::supportsAVX):
1588         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
1589         (JSC::MacroAssemblerX86Common::x86Condition):
1590         (JSC::MacroAssemblerX86Common::atomicStrongCAS):
1591         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS):
1592         * assembler/MacroAssemblerX86_64.h:
1593         (JSC::MacroAssemblerX86_64::add64):
1594         (JSC::MacroAssemblerX86_64::and64):
1595         (JSC::MacroAssemblerX86_64::neg64):
1596         (JSC::MacroAssemblerX86_64::or64):
1597         (JSC::MacroAssemblerX86_64::sub64):
1598         (JSC::MacroAssemblerX86_64::xor64):
1599         (JSC::MacroAssemblerX86_64::not64):
1600         (JSC::MacroAssemblerX86_64::store64):
1601         (JSC::MacroAssemblerX86_64::atomicStrongCAS64):
1602         (JSC::MacroAssemblerX86_64::branchAtomicStrongCAS64):
1603         (JSC::MacroAssemblerX86_64::atomicWeakCAS64):
1604         (JSC::MacroAssemblerX86_64::branchAtomicWeakCAS64):
1605         (JSC::MacroAssemblerX86_64::atomicRelaxedWeakCAS64):
1606         (JSC::MacroAssemblerX86_64::branchAtomicRelaxedWeakCAS64):
1607         (JSC::MacroAssemblerX86_64::atomicAdd64):
1608         (JSC::MacroAssemblerX86_64::atomicSub64):
1609         (JSC::MacroAssemblerX86_64::atomicAnd64):
1610         (JSC::MacroAssemblerX86_64::atomicOr64):
1611         (JSC::MacroAssemblerX86_64::atomicXor64):
1612         (JSC::MacroAssemblerX86_64::atomicNeg64):
1613         (JSC::MacroAssemblerX86_64::atomicNot64):
1614         (JSC::MacroAssemblerX86_64::atomicXchgAdd64):
1615         (JSC::MacroAssemblerX86_64::atomicXchg64):
1616         (JSC::MacroAssemblerX86_64::loadAcq64):
1617         (JSC::MacroAssemblerX86_64::storeRel64):
1618         * assembler/X86Assembler.h:
1619         (JSC::X86Assembler::addl_mr):
1620         (JSC::X86Assembler::addq_mr):
1621         (JSC::X86Assembler::addq_rm):
1622         (JSC::X86Assembler::addq_im):
1623         (JSC::X86Assembler::andl_mr):
1624         (JSC::X86Assembler::andl_rm):
1625         (JSC::X86Assembler::andw_rm):
1626         (JSC::X86Assembler::andb_rm):
1627         (JSC::X86Assembler::andl_im):
1628         (JSC::X86Assembler::andw_im):
1629         (JSC::X86Assembler::andb_im):
1630         (JSC::X86Assembler::andq_mr):
1631         (JSC::X86Assembler::andq_rm):
1632         (JSC::X86Assembler::andq_im):
1633         (JSC::X86Assembler::incq_m):
1634         (JSC::X86Assembler::negq_m):
1635         (JSC::X86Assembler::negl_m):
1636         (JSC::X86Assembler::negw_m):
1637         (JSC::X86Assembler::negb_m):
1638         (JSC::X86Assembler::notl_m):
1639         (JSC::X86Assembler::notw_m):
1640         (JSC::X86Assembler::notb_m):
1641         (JSC::X86Assembler::notq_m):
1642         (JSC::X86Assembler::orl_mr):
1643         (JSC::X86Assembler::orl_rm):
1644         (JSC::X86Assembler::orw_rm):
1645         (JSC::X86Assembler::orb_rm):
1646         (JSC::X86Assembler::orl_im):
1647         (JSC::X86Assembler::orw_im):
1648         (JSC::X86Assembler::orb_im):
1649         (JSC::X86Assembler::orq_mr):
1650         (JSC::X86Assembler::orq_rm):
1651         (JSC::X86Assembler::orq_im):
1652         (JSC::X86Assembler::subl_mr):
1653         (JSC::X86Assembler::subl_rm):
1654         (JSC::X86Assembler::subw_rm):
1655         (JSC::X86Assembler::subb_rm):
1656         (JSC::X86Assembler::subl_im):
1657         (JSC::X86Assembler::subw_im):
1658         (JSC::X86Assembler::subb_im):
1659         (JSC::X86Assembler::subq_mr):
1660         (JSC::X86Assembler::subq_rm):
1661         (JSC::X86Assembler::subq_im):
1662         (JSC::X86Assembler::xorl_mr):
1663         (JSC::X86Assembler::xorl_rm):
1664         (JSC::X86Assembler::xorl_im):
1665         (JSC::X86Assembler::xorw_rm):
1666         (JSC::X86Assembler::xorw_im):
1667         (JSC::X86Assembler::xorb_rm):
1668         (JSC::X86Assembler::xorb_im):
1669         (JSC::X86Assembler::xorq_im):
1670         (JSC::X86Assembler::xorq_rm):
1671         (JSC::X86Assembler::xorq_mr):
1672         (JSC::X86Assembler::xchgb_rm):
1673         (JSC::X86Assembler::xchgw_rm):
1674         (JSC::X86Assembler::xchgl_rm):
1675         (JSC::X86Assembler::xchgq_rm):
1676         (JSC::X86Assembler::movw_im):
1677         (JSC::X86Assembler::movq_i32m):
1678         (JSC::X86Assembler::cmpxchgb_rm):
1679         (JSC::X86Assembler::cmpxchgw_rm):
1680         (JSC::X86Assembler::cmpxchgl_rm):
1681         (JSC::X86Assembler::cmpxchgq_rm):
1682         (JSC::X86Assembler::xaddb_rm):
1683         (JSC::X86Assembler::xaddw_rm):
1684         (JSC::X86Assembler::xaddl_rm):
1685         (JSC::X86Assembler::xaddq_rm):
1686         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1687         * b3/B3AtomicValue.cpp: Added.
1688         (JSC::B3::AtomicValue::~AtomicValue):
1689         (JSC::B3::AtomicValue::dumpMeta):
1690         (JSC::B3::AtomicValue::cloneImpl):
1691         (JSC::B3::AtomicValue::AtomicValue):
1692         * b3/B3AtomicValue.h: Added.
1693         * b3/B3BasicBlock.h:
1694         * b3/B3BlockInsertionSet.cpp:
1695         (JSC::B3::BlockInsertionSet::BlockInsertionSet):
1696         (JSC::B3::BlockInsertionSet::insert): Deleted.
1697         (JSC::B3::BlockInsertionSet::insertBefore): Deleted.
1698         (JSC::B3::BlockInsertionSet::insertAfter): Deleted.
1699         (JSC::B3::BlockInsertionSet::execute): Deleted.
1700         * b3/B3BlockInsertionSet.h:
1701         * b3/B3Effects.cpp:
1702         (JSC::B3::Effects::interferes):
1703         (JSC::B3::Effects::operator==):
1704         (JSC::B3::Effects::dump):
1705         * b3/B3Effects.h:
1706         (JSC::B3::Effects::forCall):
1707         (JSC::B3::Effects::mustExecute):
1708         * b3/B3EliminateCommonSubexpressions.cpp:
1709         * b3/B3Generate.cpp:
1710         (JSC::B3::generateToAir):
1711         * b3/B3GenericBlockInsertionSet.h: Added.
1712         (JSC::B3::GenericBlockInsertionSet::GenericBlockInsertionSet):
1713         (JSC::B3::GenericBlockInsertionSet::insert):
1714         (JSC::B3::GenericBlockInsertionSet::insertBefore):
1715         (JSC::B3::GenericBlockInsertionSet::insertAfter):
1716         (JSC::B3::GenericBlockInsertionSet::execute):
1717         * b3/B3HeapRange.h:
1718         (JSC::B3::HeapRange::operator|):
1719         * b3/B3InsertionSet.cpp:
1720         (JSC::B3::InsertionSet::insertClone):
1721         * b3/B3InsertionSet.h:
1722         * b3/B3LegalizeMemoryOffsets.cpp:
1723         * b3/B3LowerMacros.cpp:
1724         (JSC::B3::lowerMacros):
1725         * b3/B3LowerMacrosAfterOptimizations.cpp:
1726         * b3/B3LowerToAir.cpp:
1727         (JSC::B3::Air::LowerToAir::LowerToAir):
1728         (JSC::B3::Air::LowerToAir::run):
1729         (JSC::B3::Air::LowerToAir::effectiveAddr):
1730         (JSC::B3::Air::LowerToAir::addr):
1731         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode):
1732         (JSC::B3::Air::LowerToAir::appendShift):
1733         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1734         (JSC::B3::Air::LowerToAir::storeOpcode):
1735         (JSC::B3::Air::LowerToAir::createStore):
1736         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1737         (JSC::B3::Air::LowerToAir::newBlock):
1738         (JSC::B3::Air::LowerToAir::splitBlock):
1739         (JSC::B3::Air::LowerToAir::fillStackmap):
1740         (JSC::B3::Air::LowerToAir::appendX86Div):
1741         (JSC::B3::Air::LowerToAir::appendX86UDiv):
1742         (JSC::B3::Air::LowerToAir::loadLinkOpcode):
1743         (JSC::B3::Air::LowerToAir::storeCondOpcode):
1744         (JSC::B3::Air::LowerToAir::appendCAS):
1745         (JSC::B3::Air::LowerToAir::appendVoidAtomic):
1746         (JSC::B3::Air::LowerToAir::appendGeneralAtomic):
1747         (JSC::B3::Air::LowerToAir::lower):
1748         (JSC::B3::Air::LowerToAir::lowerX86Div): Deleted.
1749         (JSC::B3::Air::LowerToAir::lowerX86UDiv): Deleted.
1750         * b3/B3LowerToAir.h:
1751         * b3/B3MemoryValue.cpp:
1752         (JSC::B3::MemoryValue::isLegalOffset):
1753         (JSC::B3::MemoryValue::accessType):
1754         (JSC::B3::MemoryValue::accessBank):
1755         (JSC::B3::MemoryValue::accessByteSize):
1756         (JSC::B3::MemoryValue::dumpMeta):
1757         (JSC::B3::MemoryValue::MemoryValue):
1758         (JSC::B3::MemoryValue::accessWidth): Deleted.
1759         * b3/B3MemoryValue.h:
1760         * b3/B3MemoryValueInlines.h: Added.
1761         (JSC::B3::MemoryValue::isLegalOffset):
1762         (JSC::B3::MemoryValue::requiresSimpleAddr):
1763         (JSC::B3::MemoryValue::accessWidth):
1764         * b3/B3MoveConstants.cpp:
1765         * b3/B3NativeTraits.h: Added.
1766         * b3/B3Opcode.cpp:
1767         (JSC::B3::storeOpcode):
1768         (WTF::printInternal):
1769         * b3/B3Opcode.h:
1770         (JSC::B3::isLoad):
1771         (JSC::B3::isStore):
1772         (JSC::B3::isLoadStore):
1773         (JSC::B3::isAtomic):
1774         (JSC::B3::isAtomicCAS):
1775         (JSC::B3::isAtomicXchg):
1776         (JSC::B3::isMemoryAccess):
1777         (JSC::B3::signExtendOpcode):
1778         * b3/B3Procedure.cpp:
1779         (JSC::B3::Procedure::dump):
1780         * b3/B3Procedure.h:
1781         (JSC::B3::Procedure::hasQuirks):
1782         (JSC::B3::Procedure::setHasQuirks):
1783         * b3/B3PureCSE.cpp:
1784         (JSC::B3::pureCSE):
1785         * b3/B3PureCSE.h:
1786         * b3/B3ReduceStrength.cpp:
1787         * b3/B3Validate.cpp:
1788         * b3/B3Value.cpp:
1789         (JSC::B3::Value::returnsBool):
1790         (JSC::B3::Value::effects):
1791         (JSC::B3::Value::key):
1792         (JSC::B3::Value::performSubstitution):
1793         (JSC::B3::Value::typeFor):
1794         * b3/B3Value.h:
1795         * b3/B3Width.cpp:
1796         (JSC::B3::bestType):
1797         * b3/B3Width.h:
1798         (JSC::B3::canonicalWidth):
1799         (JSC::B3::isCanonicalWidth):
1800         (JSC::B3::mask):
1801         * b3/air/AirArg.cpp:
1802         (JSC::B3::Air::Arg::jsHash):
1803         (JSC::B3::Air::Arg::dump):
1804         (WTF::printInternal):
1805         * b3/air/AirArg.h:
1806         (JSC::B3::Air::Arg::isAnyUse):
1807         (JSC::B3::Air::Arg::isColdUse):
1808         (JSC::B3::Air::Arg::cooled):
1809         (JSC::B3::Air::Arg::isEarlyUse):
1810         (JSC::B3::Air::Arg::isLateUse):
1811         (JSC::B3::Air::Arg::isAnyDef):
1812         (JSC::B3::Air::Arg::isEarlyDef):
1813         (JSC::B3::Air::Arg::isLateDef):
1814         (JSC::B3::Air::Arg::isZDef):
1815         (JSC::B3::Air::Arg::simpleAddr):
1816         (JSC::B3::Air::Arg::statusCond):
1817         (JSC::B3::Air::Arg::isSimpleAddr):
1818         (JSC::B3::Air::Arg::isMemory):
1819         (JSC::B3::Air::Arg::isStatusCond):
1820         (JSC::B3::Air::Arg::isCondition):
1821         (JSC::B3::Air::Arg::ptr):
1822         (JSC::B3::Air::Arg::base):
1823         (JSC::B3::Air::Arg::isGP):
1824         (JSC::B3::Air::Arg::isFP):
1825         (JSC::B3::Air::Arg::isValidForm):
1826         (JSC::B3::Air::Arg::forEachTmpFast):
1827         (JSC::B3::Air::Arg::forEachTmp):
1828         (JSC::B3::Air::Arg::asAddress):
1829         (JSC::B3::Air::Arg::asStatusCondition):
1830         (JSC::B3::Air::Arg::isInvertible):
1831         (JSC::B3::Air::Arg::inverted):
1832         * b3/air/AirBasicBlock.cpp:
1833         (JSC::B3::Air::BasicBlock::setSuccessors):
1834         * b3/air/AirBasicBlock.h:
1835         * b3/air/AirBlockInsertionSet.cpp: Added.
1836         (JSC::B3::Air::BlockInsertionSet::BlockInsertionSet):
1837         (JSC::B3::Air::BlockInsertionSet::~BlockInsertionSet):
1838         * b3/air/AirBlockInsertionSet.h: Added.
1839         * b3/air/AirDumpAsJS.cpp: Removed.
1840         * b3/air/AirDumpAsJS.h: Removed.
1841         * b3/air/AirEliminateDeadCode.cpp:
1842         (JSC::B3::Air::eliminateDeadCode):
1843         * b3/air/AirGenerate.cpp:
1844         (JSC::B3::Air::prepareForGeneration):
1845         * b3/air/AirInstInlines.h:
1846         (JSC::B3::Air::isAtomicStrongCASValid):
1847         (JSC::B3::Air::isBranchAtomicStrongCASValid):
1848         (JSC::B3::Air::isAtomicStrongCAS8Valid):
1849         (JSC::B3::Air::isAtomicStrongCAS16Valid):
1850         (JSC::B3::Air::isAtomicStrongCAS32Valid):
1851         (JSC::B3::Air::isAtomicStrongCAS64Valid):
1852         (JSC::B3::Air::isBranchAtomicStrongCAS8Valid):
1853         (JSC::B3::Air::isBranchAtomicStrongCAS16Valid):
1854         (JSC::B3::Air::isBranchAtomicStrongCAS32Valid):
1855         (JSC::B3::Air::isBranchAtomicStrongCAS64Valid):
1856         * b3/air/AirOpcode.opcodes:
1857         * b3/air/AirOptimizeBlockOrder.cpp:
1858         (JSC::B3::Air::optimizeBlockOrder):
1859         * b3/air/AirPadInterference.cpp:
1860         (JSC::B3::Air::padInterference):
1861         * b3/air/AirSpillEverything.cpp:
1862         (JSC::B3::Air::spillEverything):
1863         * b3/air/opcode_generator.rb:
1864         * b3/testb3.cpp:
1865         (JSC::B3::testLoadAcq42):
1866         (JSC::B3::testStoreRelAddLoadAcq32):
1867         (JSC::B3::testStoreRelAddLoadAcq8):
1868         (JSC::B3::testStoreRelAddFenceLoadAcq8):
1869         (JSC::B3::testStoreRelAddLoadAcq16):
1870         (JSC::B3::testStoreRelAddLoadAcq64):
1871         (JSC::B3::testTrappingStoreElimination):
1872         (JSC::B3::testX86LeaAddAdd):
1873         (JSC::B3::testX86LeaAddShlLeftScale1):
1874         (JSC::B3::testAtomicWeakCAS):
1875         (JSC::B3::testAtomicStrongCAS):
1876         (JSC::B3::testAtomicXchg):
1877         (JSC::B3::testDepend32):
1878         (JSC::B3::testDepend64):
1879         (JSC::B3::run):
1880         * runtime/Options.h:
1881
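The four shapes the entry above describes (strong CAS tested against its expected value, weak CAS in a retry loop, atomic read-modify-write, acquire/release pairing), as an added example written with C++ std::atomic so it compiles and runs stand-alone. It is not JSC's B3 or MacroAssembler code; the function names atomicStrongCAS, atomicMax, tryAcquireSlot, releaseSlot, publish and receive are hypothetical, and the instruction remarks in the comments restate what the entry says each shape lowers to.

```cpp
// Added example, not JSC code: the atomic shapes described in the entry above,
// written with C++ std::atomic. All function names here are hypothetical.
#include <atomic>
#include <cstdint>
#include <cstdio>

// Strong CAS returns the value actually observed in memory. Comparing it with
// `expected` is the Equal(AtomicStrongCAS(expected, ...), expected) pattern:
// x86 answers it from lock cmpxchg's ZF, ARM64 from a ldaxr/stlxr loop.
inline int64_t atomicStrongCAS(std::atomic<int64_t>& slot, int64_t expected, int64_t desired)
{
    int64_t observed = expected;
    slot.compare_exchange_strong(observed, desired,
        std::memory_order_acq_rel, std::memory_order_acquire);
    return observed; // == expected iff the swap happened
}

// Weak CAS may fail spuriously (a single ldaxr/stlxr pair on ARM64 whose store
// lost its reservation), so it is only useful inside a retry loop. That loop is
// the right tool for read-modify-write ops with no single locked instruction:
// add/sub/or/and/xor/xchg get lock xadd & co., but "max" has to be a loop.
inline int64_t atomicMax(std::atomic<int64_t>& slot, int64_t candidate)
{
    int64_t current = slot.load(std::memory_order_relaxed);
    while (current < candidate) {
        if (slot.compare_exchange_weak(current, candidate,
                std::memory_order_acq_rel, std::memory_order_relaxed))
            break; // installed candidate; `current` still holds the old value
        // failure reloaded `current` with the value that beat us; re-check and retry
    }
    return current;
}

// A bounded counter (connection slots, in-flight requests, ...) must not be
// "load, compare, store": two threads can both pass the check and both store
// limit + 1. Doing the check inside the CAS loop closes that
// time-of-check/time-of-use window.
inline bool tryAcquireSlot(std::atomic<int64_t>& inUse, int64_t limit)
{
    int64_t current = inUse.load(std::memory_order_relaxed);
    for (;;) {
        if (current >= limit)
            return false;
        if (inUse.compare_exchange_weak(current, current + 1,
                std::memory_order_acq_rel, std::memory_order_relaxed))
            return true;
    }
}

inline void releaseSlot(std::atomic<int64_t>& inUse)
{
    inUse.fetch_sub(1, std::memory_order_acq_rel); // lock xadd / ldaxr+stlxr loop
}

// Acquire/release message passing. The release store (stlr on ARM64, a plain
// store on x86) makes every earlier write to *msg visible before the pointer
// is; the acquire load (ldar on ARM64, a plain load on x86) orders the reader's
// later reads after it. B3 models this as release stores and acquire loads.
struct Message { int64_t payload; };

inline void publish(std::atomic<Message*>& mailbox, Message* msg)
{
    mailbox.store(msg, std::memory_order_release);
}

inline Message* receive(std::atomic<Message*>& mailbox)
{
    return mailbox.load(std::memory_order_acquire);
}

int main()
{
    std::atomic<int64_t> inUse { 0 };
    int granted = 0;
    for (int i = 0; i < 5; ++i)
        granted += tryAcquireSlot(inUse, 3) ? 1 : 0;
    std::printf("granted %d of 5 requests against a limit of 3\n", granted);
    return granted == 3 ? 0 : 1;
}
```

The split between compare_exchange_strong and compare_exchange_weak mirrors the entry's weak/strong CAS distinction: use the strong form when a single success/failure answer is needed (the Branch(Equal(...)) pattern), and the weak form only inside a loop that already has to retry, where a spurious failure costs one more iteration and nothing else.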
1882 2017-03-10  Csaba Osztrogonác  <ossy@webkit.org>
1883
1884         Unreviewed typo fixes after r213652.
1885         https://bugs.webkit.org/show_bug.cgi?id=168920
1886
1887         * assembler/MacroAssemblerARM.h:
1888         (JSC::MacroAssemblerARM::replaceWithBreakpoint):
1889         * assembler/MacroAssemblerMIPS.h:
1890         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint):
1891
1892 2017-03-10  Csaba Osztrogonác  <ossy@webkit.org>
1893
1894         Unreviewed ARM buildfix after r213652.
1895         https://bugs.webkit.org/show_bug.cgi?id=168920
1896
1897         r213652 used replaceWithBrk and replaceWithBkpt names for the same
1898         function, which was inconsistent and caused a build error in ARMAssembler.
1899
1900         * assembler/ARM64Assembler.h:
1901         (JSC::ARM64Assembler::replaceWithBkpt): Renamed replaceWithBrk to replaceWithBkpt.
1902         (JSC::ARM64Assembler::replaceWithBrk): Deleted.
1903         * assembler/ARMAssembler.h:
1904         (JSC::ARMAssembler::replaceWithBkpt): Renamed replaceWithBrk to replaceWithBkpt.
1905         (JSC::ARMAssembler::replaceWithBrk): Deleted.
1906         * assembler/MacroAssemblerARM64.h:
1907         (JSC::MacroAssemblerARM64::replaceWithBreakpoint):
1908
1909 2017-03-10  Alex Christensen  <achristensen@webkit.org>
1910
1911         Win64 build fix.
1912
1913         * b3/B3FenceValue.h:
1914         * b3/B3Value.h:
1915         Putting JS_EXPORT_PRIVATE on member functions in classes that are declared with JS_EXPORT_PRIVATE
1916         doesn't accomplish anything except making Visual Studio mad.
1917         * b3/air/opcode_generator.rb:
1918         winnt.h has naming collisions with enum values from AirOpcode.h.
1919         For example, MemoryFence is #defined to be _mm_mfence, which is declared to be a function in emmintrin.h.
1920         RotateLeft32 is #defined to be _rotl, which is declared to be a function in <stdlib.h>.
1921         A clean solution is just to put Opcode:: before the references to the opcode names to tell Visual Studio
1922         that it is referring to the enum value in AirOpcode.h and not the function declaration elsewhere.
1923
1924 2017-03-09  Ryan Haddad  <ryanhaddad@apple.com>
1925
1926         Unreviewed, rolling out r213695.
1927
1928         This change broke the Windows build.
1929
1930         Reverted changeset:
1931
1932         "Implement a StackTrace utility object that can capture stack
1933         traces for debugging."
1934         https://bugs.webkit.org/show_bug.cgi?id=169454
1935         http://trac.webkit.org/changeset/213695
1936
1937 2017-03-09  Caio Lima  <ticaiolima@gmail.com>
1938
1939         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
1940         https://bugs.webkit.org/show_bug.cgi?id=167962
1941
1942         Reviewed by Keith Miller.
1943
1944         The Object Rest/Spread Destructuring proposal is in stage 3 [1] and this
1945         patch is a prototype implementation of it. A simple change to the
1946         parser was necessary to support the new '...' token in the Object Pattern
1947         destructuring rule. On the bytecode generator side, we changed the
1948         bytecode generated in ObjectPatternNode::bindValue to store in an
1949         array the identifiers of already destructured properties, following the
1950         spec draft section [2], and then pass it as excludedNames to CopyDataProperties.
1951         The rest destructuring then calls copyDataProperties to perform the
1952         copy of the rest properties from the rhs.
1953
1954         We also implemented CopyDataProperties as a private JS global operation
1955         in builtins/GlobalOperations.js following its specification in [3].
1956         It is implemented using a Set object to check whether a property is in
1957         excludedNames, to keep this algorithm at O(n + m) complexity, where n
1958         = the number of the source's own properties and m = excludedNames.length.
1959
1960         As a requirement for using JSSets as constants, a change in the
1961         CodeBlock::create API was necessary, because JSSet creation can throw an OOM
1962         exception. Now, CodeBlock::finishCreation returns ```false``` if an
1963         exception is thrown by
1964         CodeBlock::setConstantIdentifierSetRegisters, and then we return
1965         nullptr to ScriptExecutable::newCodeBlockFor. It is responsible for
1966         checking whether the CodeBlock was constructed properly and then throwing
1967         the OOM exception to the correct scope.
1968
1969         [1] - https://github.com/sebmarkbage/ecmascript-rest-spread
1970         [2] - http://sebmarkbage.github.io/ecmascript-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
1971         [3] - http://sebmarkbage.github.io/ecmascript-rest-spread/#AbstractOperations-CopyDataProperties
1972
1973         * builtins/BuiltinNames.h:
1974         * builtins/GlobalOperations.js:
1975         (globalPrivate.copyDataProperties):
1976         * bytecode/CodeBlock.cpp:
1977         (JSC::CodeBlock::finishCreation):
1978         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1979         * bytecode/CodeBlock.h:
1980         * bytecode/EvalCodeBlock.h:
1981         (JSC::EvalCodeBlock::create):
1982         * bytecode/FunctionCodeBlock.h:
1983         (JSC::FunctionCodeBlock::create):
1984         * bytecode/ModuleProgramCodeBlock.h:
1985         (JSC::ModuleProgramCodeBlock::create):
1986         * bytecode/ProgramCodeBlock.h:
1987         (JSC::ProgramCodeBlock::create):
1988         * bytecode/UnlinkedCodeBlock.h:
1989         (JSC::UnlinkedCodeBlock::addSetConstant):
1990         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
1991         * bytecompiler/BytecodeGenerator.cpp:
1992         (JSC::BytecodeGenerator::emitLoad):
1993         * bytecompiler/BytecodeGenerator.h:
1994         * bytecompiler/NodesCodegen.cpp:
1995         (JSC::ObjectPatternNode::bindValue):
1996         * parser/ASTBuilder.h:
1997         (JSC::ASTBuilder::appendObjectPatternEntry):
1998         (JSC::ASTBuilder::appendObjectPatternRestEntry):
1999         (JSC::ASTBuilder::setContainsObjectRestElement):
2000         * parser/Nodes.h:
2001         (JSC::ObjectPatternNode::appendEntry):
2002         (JSC::ObjectPatternNode::setContainsRestElement):
2003         * parser/Parser.cpp:
2004         (JSC::Parser<LexerType>::parseDestructuringPattern):
2005         (JSC::Parser<LexerType>::parseProperty):
2006         * parser/SyntaxChecker.h:
2007         (JSC::SyntaxChecker::operatorStackPop):
2008         * runtime/JSGlobalObject.cpp:
2009         (JSC::JSGlobalObject::init):
2010         * runtime/JSGlobalObjectFunctions.cpp:
2011         (JSC::privateToObject):
2012         * runtime/JSGlobalObjectFunctions.h:
2013         * runtime/ScriptExecutable.cpp:
2014         (JSC::ScriptExecutable::newCodeBlockFor):
2015
2016 2017-03-09  Mark Lam  <mark.lam@apple.com>
2017
2018         Implement a StackTrace utility object that can capture stack traces for debugging.
2019         https://bugs.webkit.org/show_bug.cgi?id=169454
2020
2021         Reviewed by Michael Saboff.
2022
2023         The underlying implementation is hoisted right out of Assertions.cpp from the
2024         implementations of WTFPrintBacktrace().
2025
2026         The reason we need this StackTrace object is because during heap debugging, we
2027         sometimes want to capture the stack trace that allocated the objects of interest.
2028         Dumping the stack trace directly to stdout (using WTFReportBacktrace()) may
2029         perturb the execution profile sufficiently that an issue may not reproduce,
2030         while alternatively, just capturing the stack trace and deferring printing it
2031         till we actually need it later perturbs the execution profile less.
2032
2033         In addition, just capturing the stack traces (instead of printing them
2034         immediately at each capture site) allows us to avoid polluting stdout with tons
2035         of stack traces that may be irrelevant.
2036
2037         For now, we only capture the native stack trace.  We'll leave capturing and
2038         integrating the JS stack trace as an exercise for the future if we need it then.
2039
2040         Here's an example of how to use this StackTrace utility:
2041
2042             // Capture a stack trace of the top 10 frames.
2043             std::unique_ptr<StackTrace> trace(StackTrace::captureStackTrace(10));
2044             // Print the trace.
2045             dataLog(*trace);
2046
2047         * CMakeLists.txt:
2048         * JavaScriptCore.xcodeproj/project.pbxproj:
2049         * tools/StackTrace.cpp: Added.
2050         (JSC::StackTrace::instanceSize):
2051         (JSC::StackTrace::captureStackTrace):
2052         (JSC::StackTrace::dump):
2053         * tools/StackTrace.h: Added.
2054         (JSC::StackTrace::StackTrace):
2055         (JSC::StackTrace::size):
2056
2057 2017-03-09  Keith Miller  <keith_miller@apple.com>
2058
2059         WebAssembly: Enable fast memory for WK2
2060         https://bugs.webkit.org/show_bug.cgi?id=169437
2061
2062         Reviewed by Tim Horton.
2063
2064         * JavaScriptCore.xcodeproj/project.pbxproj:
2065
2066 2017-03-09  Matt Baker  <mattbaker@apple.com>
2067
2068         Web Inspector: Add XHR breakpoints UI
2069         https://bugs.webkit.org/show_bug.cgi?id=168763
2070         <rdar://problem/30952439>
2071
2072         Reviewed by Joseph Pecoraro.
2073
2074         * inspector/protocol/DOMDebugger.json:
2075         Added clarifying comments to command descriptions.
2076
2077 2017-03-09  Michael Saboff  <msaboff@apple.com>
2078
2079         Add plumbing to WebProcess to enable JavaScriptCore configuration and logging
2080         https://bugs.webkit.org/show_bug.cgi?id=169387
2081
2082         Reviewed by Filip Pizlo.
2083
        Added a helper function, processConfigFile(), to process the configuration file.
2085         Changed jsc.cpp to use that function in lieu of processing the config file
2086         manually.
2087
2088         * JavaScriptCore.xcodeproj/project.pbxproj: Made ConfigFile.h a private header file.
2089         * jsc.cpp:
2090         (jscmain):
2091         * runtime/ConfigFile.cpp:
2092         (JSC::processConfigFile):
2093         * runtime/ConfigFile.h:
2094
2095 2017-03-09  Joseph Pecoraro  <pecoraro@apple.com>
2096
2097         Web Inspector: Show HTTP protocol version and other Network Load Metrics (IP Address, Priority, Connection ID)
2098         https://bugs.webkit.org/show_bug.cgi?id=29687
2099         <rdar://problem/19281586>
2100
2101         Reviewed by Matt Baker and Brian Burg.
2102
2103         * inspector/protocol/Network.json:
2104         Add metrics object with optional properties to loadingFinished event.
2105
2106 2017-03-09  Youenn Fablet  <youenn@apple.com>
2107
2108         Minimal build is broken
2109         https://bugs.webkit.org/show_bug.cgi?id=169416
2110
2111         Reviewed by Chris Dumez.
2112
2113         Since we now have some JS built-ins that are not tied to a compilation flag, we can remove compilation guards around m_vm.
        We could probably remove m_vm by ensuring m_jsDOMBindingInternals appears first, but this might break very easily.
2115
2116         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
2117         (generate_members):
2118         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2119         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
2120         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2121
2122 2017-03-09  Daniel Bates  <dabates@apple.com>
2123
2124         Guard Credential Management implementation behind a runtime enabled feature flag
2125         https://bugs.webkit.org/show_bug.cgi?id=169364
2126         <rdar://problem/30957425>
2127
2128         Reviewed by Brent Fulgham.
2129
2130         Add common identifiers for Credential, PasswordCredential, and SiteBoundCredential that are
2131         needed to guard these interfaces behind a runtime enabled feature flag.
2132
2133         * runtime/CommonIdentifiers.h:
2134
2135 2017-03-09  Mark Lam  <mark.lam@apple.com>
2136
2137         Refactoring some HeapVerifier code.
2138         https://bugs.webkit.org/show_bug.cgi?id=169443
2139
2140         Reviewed by Filip Pizlo.
2141
2142         Renamed LiveObjectData to CellProfile.
2143         Renamed LiveObjectList to CellList.
2144         Moved CellProfile.*, CellList.*, and HeapVerifier.* from the heap folder to the tools folder.
2145         Updated the HeapVerifier to handle JSCells instead of just JSObjects.
2146
2147         This is in preparation for subsequent patches to fix up the HeapVerifier for service again.
2148
2149         * CMakeLists.txt:
2150         * JavaScriptCore.xcodeproj/project.pbxproj:
2151         * heap/Heap.cpp:
2152         (JSC::Heap::runBeginPhase):
2153         (JSC::Heap::runEndPhase):
2154         * heap/HeapVerifier.cpp: Removed.
2155         * heap/HeapVerifier.h: Removed.
2156         * heap/LiveObjectData.h: Removed.
2157         * heap/LiveObjectList.cpp: Removed.
2158         * heap/LiveObjectList.h: Removed.
2159         * tools/CellList.cpp: Copied from Source/JavaScriptCore/heap/LiveObjectList.cpp.
2160         (JSC::CellList::findCell):
2161         (JSC::LiveObjectList::findObject): Deleted.
2162         * tools/CellList.h: Copied from Source/JavaScriptCore/heap/LiveObjectList.h.
2163         (JSC::CellList::CellList):
2164         (JSC::CellList::reset):
2165         (JSC::LiveObjectList::LiveObjectList): Deleted.
2166         (JSC::LiveObjectList::reset): Deleted.
2167         * tools/CellProfile.h: Copied from Source/JavaScriptCore/heap/LiveObjectData.h.
2168         (JSC::CellProfile::CellProfile):
2169         (JSC::LiveObjectData::LiveObjectData): Deleted.
2170         * tools/HeapVerifier.cpp: Copied from Source/JavaScriptCore/heap/HeapVerifier.cpp.
2171         (JSC::GatherCellFunctor::GatherCellFunctor):
2172         (JSC::GatherCellFunctor::visit):
2173         (JSC::GatherCellFunctor::operator()):
2174         (JSC::HeapVerifier::gatherLiveCells):
2175         (JSC::HeapVerifier::cellListForGathering):
2176         (JSC::trimDeadCellsFromList):
2177         (JSC::HeapVerifier::trimDeadCells):
2178         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
2179         (JSC::HeapVerifier::reportCell):
2180         (JSC::HeapVerifier::checkIfRecorded):
2181         (JSC::GatherLiveObjFunctor::GatherLiveObjFunctor): Deleted.
2182         (JSC::GatherLiveObjFunctor::visit): Deleted.
2183         (JSC::GatherLiveObjFunctor::operator()): Deleted.
2184         (JSC::HeapVerifier::gatherLiveObjects): Deleted.
2185         (JSC::HeapVerifier::liveObjectListForGathering): Deleted.
2186         (JSC::trimDeadObjectsFromList): Deleted.
2187         (JSC::HeapVerifier::trimDeadObjects): Deleted.
2188         (JSC::HeapVerifier::reportObject): Deleted.
2189         * tools/HeapVerifier.h: Copied from Source/JavaScriptCore/heap/HeapVerifier.h.
2190
2191 2017-03-09  Anders Carlsson  <andersca@apple.com>
2192
2193         Add delegate support to WebCore
2194         https://bugs.webkit.org/show_bug.cgi?id=169427
2195         Part of rdar://problem/28880714.
2196
2197         Reviewed by Geoffrey Garen.
2198
2199         * Configurations/FeatureDefines.xcconfig:
2200         Add feature define.
2201
2202 2017-03-09  Nikita Vasilyev  <nvasilyev@apple.com>
2203
2204         Web Inspector: Show individual messages in the content pane for a WebSocket
2205         https://bugs.webkit.org/show_bug.cgi?id=169011
2206
2207         Reviewed by Joseph Pecoraro.
2208
2209         Add walltime parameter and correct the description of Timestamp type.
2210
2211         * inspector/protocol/Network.json:
2212
2213 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2214
2215         Unreviewed, fix weak external symbol error.
2216
2217         * heap/SlotVisitor.h:
2218
2219 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2220
2221         std::isnan/isinf should work with WTF time classes
2222         https://bugs.webkit.org/show_bug.cgi?id=164991
2223
2224         Reviewed by Darin Adler.
2225         
2226         Changes AtomicsObject to use std::isnan() instead of operator== to detect NaN.
2227
2228         * runtime/AtomicsObject.cpp:
2229         (JSC::atomicsFuncWait):
2230
2231 2017-03-09  Mark Lam  <mark.lam@apple.com>
2232
2233         Use const AbstractLocker& (instead of const LockHolder&) in more places.
2234         https://bugs.webkit.org/show_bug.cgi?id=169424
2235
2236         Reviewed by Filip Pizlo.
2237
2238         * heap/CodeBlockSet.cpp:
2239         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2240         * heap/CodeBlockSet.h:
2241         * heap/CodeBlockSetInlines.h:
2242         (JSC::CodeBlockSet::mark):
2243         * heap/ConservativeRoots.cpp:
2244         (JSC::CompositeMarkHook::CompositeMarkHook):
2245         * heap/MachineStackMarker.cpp:
2246         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2247         * heap/MachineStackMarker.h:
2248         * profiler/ProfilerDatabase.cpp:
2249         (JSC::Profiler::Database::ensureBytecodesFor):
2250         * profiler/ProfilerDatabase.h:
2251         * runtime/SamplingProfiler.cpp:
2252         (JSC::FrameWalker::FrameWalker):
2253         (JSC::CFrameWalker::CFrameWalker):
2254         (JSC::SamplingProfiler::createThreadIfNecessary):
2255         (JSC::SamplingProfiler::takeSample):
2256         (JSC::SamplingProfiler::start):
2257         (JSC::SamplingProfiler::pause):
2258         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2259         (JSC::SamplingProfiler::clearData):
2260         (JSC::SamplingProfiler::releaseStackTraces):
2261         * runtime/SamplingProfiler.h:
2262         (JSC::SamplingProfiler::setStopWatch):
2263         * wasm/WasmMemory.cpp:
2264         (JSC::Wasm::availableFastMemories):
2265         (JSC::Wasm::activeFastMemories):
2266         (JSC::Wasm::viewActiveFastMemories):
2267         * wasm/WasmMemory.h:
2268
2269 2017-03-09  Saam Barati  <sbarati@apple.com>
2270
2271         WebAssembly: Make the Unity AngryBots demo run
2272         https://bugs.webkit.org/show_bug.cgi?id=169268
2273
2274         Reviewed by Keith Miller.
2275
2276         This patch fixes three bugs:
2277         1. The WasmBinding code for making a JS call was off
2278         by 1 in its stack layout code.
2279         2. The WasmBinding code had a "<" comparison instead
2280         of a ">=" comparison. This would cause us to calculate
2281         the wrong frame pointer offset.
2282         3. The code to reload wasm state inside B3IRGenerator didn't
2283         properly represent its effects.
2284
2285         * wasm/WasmB3IRGenerator.cpp:
2286         (JSC::Wasm::restoreWebAssemblyGlobalState):
2287         (JSC::Wasm::parseAndCompile):
2288         * wasm/WasmBinding.cpp:
2289         (JSC::Wasm::wasmToJs):
2290         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2291         (JSC::WebAssemblyInstanceConstructor::createInstance):
2292
2293 2017-03-09  Mark Lam  <mark.lam@apple.com>
2294
2295         Make the VM Traps mechanism non-polling for the DFG and FTL.
2296         https://bugs.webkit.org/show_bug.cgi?id=168920
2297         <rdar://problem/30738588>
2298
2299         Reviewed by Filip Pizlo.
2300
2301         1. Added a ENABLE(SIGNAL_BASED_VM_TRAPS) configuration in Platform.h.
2302            This is currently only enabled for OS(DARWIN) and ENABLE(JIT). 
2303         2. Added assembler functions for overwriting an instruction with a breakpoint.
2304         3. Added a new JettisonDueToVMTraps jettison reason.
2305         4. Added CodeBlock and DFG::CommonData utility functions for over-writing
2306            invalidation points with breakpoint instructions.
2307         5. The BytecodeGenerator now emits the op_check_traps bytecode unconditionally.
2308         6. Remove the JSC_alwaysCheckTraps option because of (4) above.
2309            For ports that don't ENABLE(SIGNAL_BASED_VM_TRAPS), we'll force
2310            Options::usePollingTraps() to always be true.  This makes the VMTraps
2311            implementation fall back to using polling based traps only.
2312
2313         7. Make VMTraps support signal based traps.
2314
2315         Some design and implementation details of signal based VM traps:
2316
2317         - The implementation makes use of 2 signal handlers for SIGUSR1 and SIGTRAP.
2318
2319         - VMTraps::fireTrap() will set the flag for the requested trap and instantiate
2320           a SignalSender.  The SignalSender will send SIGUSR1 to the mutator thread that
          we want to trap, and check for the occurrence of one of the following events:
2322
2323           a. VMTraps::handleTraps() has been called for the requested trap, or
2324
2325           b. the VM is inactive and is no longer executing any JS code.  We determine
2326              this to be the case if the thread no longer owns the JSLock and the VM's
2327              entryScope is null.
2328
2329              Note: the thread can relinquish the JSLock while the VM's entryScope is not
2330              null.  This happens when the thread calls JSLock::dropAllLocks() before
2331              calling a host function that may block on IO (or whatever).  For our purpose,
2332              this counts as the VM still running JS code, and VM::fireTrap() will still
2333              be waiting.
2334
2335           If the SignalSender does not see either of these events, it will sleep for a
2336           while and then re-send SIGUSR1 and check for the events again.  When it sees
2337           one of these events, it will consider the mutator to have received the trap
2338           request.
2339
2340         - The SIGUSR1 handler will try to insert breakpoints at the invalidation points
2341           in the DFG/FTL codeBlock at the top of the stack.  This allows the mutator
2342           thread to break (with a SIGTRAP) exactly at an invalidation point, where it's
2343           safe to jettison the codeBlock.
2344
2345           Note: we cannot have the requester thread (that called VMTraps::fireTrap())
2346           insert the breakpoint instructions itself.  This is because we need the
          register state of the mutator thread (that we want to trap in) in order to
2348           find the codeBlocks that we wish to insert the breakpoints in.  Currently,
2349           we don't have a generic way for the requester thread to get the register state
2350           of another thread.
2351
2352         - The SIGTRAP handler will check to see if it is trapping on a breakpoint at an
2353           invalidation point.  If so, it will jettison the codeBlock and adjust the PC
2354           to re-execute the invalidation OSR exit off-ramp.  After the OSR exit, the
2355           baseline JIT code will eventually reach an op_check_traps and call
2356           VMTraps::handleTraps().
2357
2358           If the handler is not trapping at an invalidation point, then it must be
2359           observing an assertion failure (which also uses the breakpoint instruction).
2360           In this case, the handler will defer to the default SIGTRAP handler and crash.
2361
2362         - The reason we need the SignalSender is because SignalSender::send() is called
2363           from another thread in a loop, so that VMTraps::fireTrap() can return sooner.
2364           send() needs to make use of the VM pointer, and it is not guaranteed that the
2365           VM will outlive the thread.  SignalSender provides the mechanism by which we
2366           can nullify the VM pointer when the VM dies so that the thread does not
2367           continue to use it.
2368
2369         * assembler/ARM64Assembler.h:
2370         (JSC::ARM64Assembler::replaceWithBrk):
2371         * assembler/ARMAssembler.h:
2372         (JSC::ARMAssembler::replaceWithBrk):
2373         * assembler/ARMv7Assembler.h:
2374         (JSC::ARMv7Assembler::replaceWithBkpt):
2375         * assembler/MIPSAssembler.h:
2376         (JSC::MIPSAssembler::replaceWithBkpt):
2377         * assembler/MacroAssemblerARM.h:
2378         (JSC::MacroAssemblerARM::replaceWithJump):
2379         * assembler/MacroAssemblerARM64.h:
2380         (JSC::MacroAssemblerARM64::replaceWithBreakpoint):
2381         * assembler/MacroAssemblerARMv7.h:
2382         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint):
2383         * assembler/MacroAssemblerMIPS.h:
2384         (JSC::MacroAssemblerMIPS::replaceWithJump):
2385         * assembler/MacroAssemblerX86Common.h:
2386         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint):
2387         * assembler/X86Assembler.h:
2388         (JSC::X86Assembler::replaceWithInt3):
2389         * bytecode/CodeBlock.cpp:
2390         (JSC::CodeBlock::jettison):
2391         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints):
2392         (JSC::CodeBlock::installVMTrapBreakpoints):
2393         * bytecode/CodeBlock.h:
2394         * bytecompiler/BytecodeGenerator.cpp:
2395         (JSC::BytecodeGenerator::emitCheckTraps):
2396         * dfg/DFGCommonData.cpp:
2397         (JSC::DFG::CommonData::installVMTrapBreakpoints):
2398         (JSC::DFG::CommonData::isVMTrapBreakpoint):
2399         * dfg/DFGCommonData.h:
2400         (JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints):
2401         * dfg/DFGJumpReplacement.cpp:
2402         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
2403         * dfg/DFGJumpReplacement.h:
2404         (JSC::DFG::JumpReplacement::dataLocation):
2405         * dfg/DFGNodeType.h:
2406         * heap/CodeBlockSet.cpp:
2407         (JSC::CodeBlockSet::contains):
2408         * heap/CodeBlockSet.h:
2409         * heap/CodeBlockSetInlines.h:
2410         (JSC::CodeBlockSet::iterate):
2411         * heap/Heap.cpp:
2412         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
2413         * heap/Heap.h:
2414         * heap/HeapInlines.h:
2415         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
2416         * heap/MachineStackMarker.h:
2417         (JSC::MachineThreads::threadsListHead):
2418         * jit/ExecutableAllocator.cpp:
2419         (JSC::ExecutableAllocator::isValidExecutableMemory):
2420         * jit/ExecutableAllocator.h:
2421         * profiler/ProfilerJettisonReason.cpp:
2422         (WTF::printInternal):
2423         * profiler/ProfilerJettisonReason.h:
2424         * runtime/JSLock.cpp:
2425         (JSC::JSLock::didAcquireLock):
2426         * runtime/Options.cpp:
2427         (JSC::overrideDefaults):
2428         * runtime/Options.h:
2429         * runtime/PlatformThread.h:
2430         (JSC::platformThreadSignal):
2431         * runtime/VM.cpp:
2432         (JSC::VM::~VM):
2433         (JSC::VM::ensureWatchdog):
2434         (JSC::VM::handleTraps): Deleted.
2435         (JSC::VM::setNeedAsynchronousTerminationSupport): Deleted.
2436         * runtime/VM.h:
2437         (JSC::VM::ownerThread):
2438         (JSC::VM::traps):
2439         (JSC::VM::handleTraps):
2440         (JSC::VM::needTrapHandling):
2441         (JSC::VM::needAsynchronousTerminationSupport): Deleted.
2442         * runtime/VMTraps.cpp:
2443         (JSC::VMTraps::vm):
2444         (JSC::SignalContext::SignalContext):
2445         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
2446         (JSC::vmIsInactive):
2447         (JSC::findActiveVMAndStackBounds):
2448         (JSC::handleSigusr1):
2449         (JSC::handleSigtrap):
2450         (JSC::installSignalHandlers):
2451         (JSC::sanitizedTopCallFrame):
2452         (JSC::isSaneFrame):
2453         (JSC::VMTraps::tryInstallTrapBreakpoints):
2454         (JSC::VMTraps::invalidateCodeBlocksOnStack):
2455         (JSC::VMTraps::VMTraps):
2456         (JSC::VMTraps::willDestroyVM):
2457         (JSC::VMTraps::addSignalSender):
2458         (JSC::VMTraps::removeSignalSender):
2459         (JSC::VMTraps::SignalSender::willDestroyVM):
2460         (JSC::VMTraps::SignalSender::send):
2461         (JSC::VMTraps::fireTrap):
2462         (JSC::VMTraps::handleTraps):
2463         * runtime/VMTraps.h:
2464         (JSC::VMTraps::~VMTraps):
2465         (JSC::VMTraps::needTrapHandling):
2466         (JSC::VMTraps::notifyGrabAllLocks):
2467         (JSC::VMTraps::SignalSender::SignalSender):
2468         (JSC::VMTraps::invalidateCodeBlocksOnStack):
2469         * tools/VMInspector.cpp:
2470         * tools/VMInspector.h:
2471         (JSC::VMInspector::getLock):
2472         (JSC::VMInspector::iterate):
2473
2474 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2475
2476         WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed
2477         https://bugs.webkit.org/show_bug.cgi?id=169215
2478
2479         Reviewed by Mark Lam.
2480         
2481         This doesn't have a test because it would be a very complicated test.
2482
2483         * runtime/JSObject.h:
2484         (JSC::JSObject::ensureLength): If ensureLengthSlow returns false, we need to return false.
2485
2486 2017-03-07  Filip Pizlo  <fpizlo@apple.com>
2487
2488         WTF should make it super easy to do ARM concurrency tricks
2489         https://bugs.webkit.org/show_bug.cgi?id=169300
2490
2491         Reviewed by Mark Lam.
2492         
2493         This changes a bunch of GC hot paths to use new concurrency APIs that lead to optimal
2494         code on both x86 (fully leverage TSO, transactions become CAS loops) and ARM (use
2495         dependency chains for fencing, transactions become LL/SC loops). While inspecting the
2496         machine code, I found other opportunities for improvement, like inlining the "am I
2497         marked" part of the marking functions.
2498
2499         * heap/Heap.cpp:
2500         (JSC::Heap::setGCDidJIT):
2501         * heap/HeapInlines.h:
2502         (JSC::Heap::testAndSetMarked):
2503         * heap/LargeAllocation.h:
2504         (JSC::LargeAllocation::isMarked):
2505         (JSC::LargeAllocation::isMarkedConcurrently):
2506         (JSC::LargeAllocation::aboutToMark):
2507         (JSC::LargeAllocation::testAndSetMarked):
2508         * heap/MarkedBlock.h:
2509         (JSC::MarkedBlock::areMarksStaleWithDependency):
2510         (JSC::MarkedBlock::aboutToMark):
2511         (JSC::MarkedBlock::isMarkedConcurrently):
2512         (JSC::MarkedBlock::isMarked):
2513         (JSC::MarkedBlock::testAndSetMarked):
2514         * heap/SlotVisitor.cpp:
2515         (JSC::SlotVisitor::appendSlow):
2516         (JSC::SlotVisitor::appendHiddenSlow):
2517         (JSC::SlotVisitor::appendHiddenSlowImpl):
2518         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2519         (JSC::SlotVisitor::appendUnbarriered): Deleted.
2520         (JSC::SlotVisitor::appendHidden): Deleted.
2521         * heap/SlotVisitor.h:
2522         * heap/SlotVisitorInlines.h:
2523         (JSC::SlotVisitor::appendUnbarriered):
2524         (JSC::SlotVisitor::appendHidden):
2525         (JSC::SlotVisitor::append):
2526         (JSC::SlotVisitor::appendValues):
2527         (JSC::SlotVisitor::appendValuesHidden):
2528         * runtime/CustomGetterSetter.cpp:
2529         * runtime/JSObject.cpp:
2530         (JSC::JSObject::visitButterflyImpl):
2531         * runtime/JSObject.h:
2532
2533 2017-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2534
2535         [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
2536         https://bugs.webkit.org/show_bug.cgi?id=160124
2537
2538         Reviewed by Mark Lam.
2539
2540         When performing CallVarargs, we will copy values to the stack.
2541         Before actually copying values, we need to adjust the stackPointerRegister
2542         to ensure copied values are in the allocated stack area.
        If we do not do that, the OS can break the values that are stored beyond the stack
        pointer. For example, a signal stack can be constructed in this area and
        break the values.
2546
        This patch fixes the crash in stress/spread-forward-call-varargs-stack-overflow.js
        in the Linux port. Since Linux ports use signals to suspend and resume threads,
        the signal handler is frequently called when the sampling profiler is enabled.
        Thus this crash occurs.
2551
2552         * dfg/DFGSpeculativeJIT32_64.cpp:
2553         (JSC::DFG::SpeculativeJIT::emitCall):
2554         * dfg/DFGSpeculativeJIT64.cpp:
2555         (JSC::DFG::SpeculativeJIT::emitCall):
2556         * ftl/FTLLowerDFGToB3.cpp:
2557         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2558         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2559         * jit/SetupVarargsFrame.cpp:
2560         (JSC::emitSetupVarargsFrameFastCase):
2561         * jit/SetupVarargsFrame.h:
2562
2563 2017-03-08  Joseph Pecoraro  <pecoraro@apple.com>
2564
2565         Web Inspector: Should be able to see where Resources came from (Memory Cache, Disk Cache)
2566         https://bugs.webkit.org/show_bug.cgi?id=164892
2567         <rdar://problem/29320562>
2568
2569         Reviewed by Brian Burg.
2570
2571         * inspector/protocol/Network.json:
2572         Replace "fromDiskCache" property with "source" property which includes
2573         more complete information about the source of this response (network,
2574         memory cache, disk cache, or unknown).
2575
2576         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2577         (_generate_class_for_object_declaration):
2578         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2579         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2580         * inspector/scripts/codegen/generator.py:
2581         (Generator):
2582         (Generator.open_fields):
2583         To avoid conflicts between the Inspector::Protocol::Network::Response::Source
2584         enum and open accessor string symbol that would have the same name, only generate
2585         a specific list of open accessor strings. This reduces the list of exported
2586         symbols from all properties to just the ones that are needed. This can be
2587         cleaned up later if needed.
2588
2589         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: Added.
2590         * inspector/scripts/tests/generic/type-with-open-parameters.json: Added.
2591         Test for open accessors generation.
2592
2593 2017-03-08  Keith Miller  <keith_miller@apple.com>
2594
2595         WebAssembly: Make OOB for fast memory do an extra safety check by ensuring the faulting address is in the range we allocated for fast memory
2596         https://bugs.webkit.org/show_bug.cgi?id=169290
2597
2598         Reviewed by Saam Barati.
2599
        This patch adds an extra sanity check by ensuring that the memory address we are faulting on
        while trying to load is in the range of some wasm fast memory.
2602
2603         * wasm/WasmFaultSignalHandler.cpp:
2604         (JSC::Wasm::trapHandler):
2605         (JSC::Wasm::enableFastMemory):
2606         * wasm/WasmMemory.cpp:
2607         (JSC::Wasm::activeFastMemories):
2608         (JSC::Wasm::viewActiveFastMemories):
2609         (JSC::Wasm::tryGetFastMemory):
2610         (JSC::Wasm::releaseFastMemory):
2611         * wasm/WasmMemory.h:
2612
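        The range check described above, as an added example that is not WebKit's code: a POSIX
        fault handler that consults a registry of reserved fast-memory regions and treats a
        SIGSEGV/SIGBUS as a sandbox trap only when si_addr falls inside one of them. Any other
        fault is re-raised with the default disposition, the same fallback the VM Traps entry
        below describes for a SIGTRAP that is not at an invalidation point. The names
        reserveFastMemory, releaseFastMemory, addressIsInFastMemory, loadAtOffset and
        runFastMemoryDemo are this example's own, the registry is a fixed-size array rather than
        JSC's structures, and recovery is by siglongjmp back to the load site instead of rewriting
        the saved PC as JSC's trapHandler does.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

#define MAX_FAST_MEMORIES 4

/* One reservation: `size` covers the accessible pages and the PROT_NONE guard pages after
   them, because a fault anywhere inside the reservation is a sandbox trap we own. */
typedef struct {
    uintptr_t base;
    size_t size;
} FastMemory;

static FastMemory activeFastMemories[MAX_FAST_MEMORIES]; /* hypothetical registry, not JSC's */
static size_t activeCount;

static sigjmp_buf trapJump;                    /* recovery point for a trapped load */
static volatile sig_atomic_t trapsCaught;      /* sandbox traps the handler accepted */
static volatile uintptr_t lastFaultAddress;    /* si_addr of the last accepted trap */

/* The extra check: does the faulting address lie inside some registered fast memory? */
bool addressIsInFastMemory(uintptr_t addr)
{
    for (size_t i = 0; i < activeCount; ++i) {
        uintptr_t base = activeFastMemories[i].base;
        if (addr >= base && addr - base < activeFastMemories[i].size)
            return true;
    }
    return false;
}

static void trapHandler(int sig, siginfo_t* info, void* context)
{
    (void)context;
    uintptr_t faultAddress = (uintptr_t)info->si_addr;
    if (addressIsInFastMemory(faultAddress)) {
        lastFaultAddress = faultAddress;
        trapsCaught++;
        siglongjmp(trapJump, 1);               /* unwind to the load site */
    }
    /* Not a fault we own: restore the default disposition and re-raise so the process
       crashes exactly as it would have without this handler installed. */
    signal(sig, SIG_DFL);
    raise(sig);
}

static void installTrapHandler(void)
{
    struct sigaction action;
    memset(&action, 0, sizeof action);
    action.sa_sigaction = trapHandler;
    action.sa_flags = SA_SIGINFO;
    sigemptyset(&action.sa_mask);
    sigaction(SIGSEGV, &action, NULL);
    sigaction(SIGBUS, &action, NULL);          /* macOS reports guard-page hits as SIGBUS */
}

/* Reserve `accessible` readable/writable bytes followed by `guard` PROT_NONE bytes and
   register the whole reservation as one fast memory. */
uint8_t* reserveFastMemory(size_t accessible, size_t guard)
{
    if (activeCount == MAX_FAST_MEMORIES)
        return NULL;
    void* p = mmap(NULL, accessible + guard, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return NULL;
    if (mprotect(p, accessible, PROT_READ | PROT_WRITE) != 0) {
        munmap(p, accessible + guard);
        return NULL;
    }
    activeFastMemories[activeCount].base = (uintptr_t)p;
    activeFastMemories[activeCount].size = accessible + guard;
    activeCount++;
    return (uint8_t*)p;
}

void releaseFastMemory(uint8_t* memory, size_t accessible, size_t guard)
{
    for (size_t i = 0; i < activeCount; ++i) {
        if (activeFastMemories[i].base == (uintptr_t)memory) {
            activeFastMemories[i] = activeFastMemories[--activeCount]; /* swap-remove */
            break;
        }
    }
    munmap(memory, accessible + guard);
}

/* Stands in for a compiled wasm load that carries no bounds check; false means it trapped. */
bool loadAtOffset(uint8_t* memory, size_t offset, uint8_t* out)
{
    if (sigsetjmp(trapJump, 1) != 0)
        return false;                          /* arrived here from trapHandler */
    volatile uint8_t* p = memory + offset;
    *out = *p;
    return true;
}

/* Drives the pieces above; returns 0 when the handler behaved as described, otherwise a
   non-zero code naming the step that failed. */
int runFastMemoryDemo(void)
{
    installTrapHandler();
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return 1;
    size_t accessible = (size_t)page * 4, guard = (size_t)page * 4;
    uint8_t* mem = reserveFastMemory(accessible, guard);
    if (!mem)
        return 2;

    uint8_t value = 0xAA;
    if (!loadAtOffset(mem, 10, &value) || value != 0)      /* fresh anonymous pages read as 0 */
        return 3;
    mem[10] = 0x5A;
    if (!loadAtOffset(mem, 10, &value) || value != 0x5A)
        return 4;

    size_t oob = accessible + 1;                            /* lands in the PROT_NONE guard */
    trapsCaught = 0;
    if (loadAtOffset(mem, oob, &value))                     /* must trap, not read */
        return 5;
    if (trapsCaught != 1)
        return 6;
    if (lastFaultAddress != (uintptr_t)mem + oob)           /* si_addr is the exact faulting byte */
        return 7;
    if (addressIsInFastMemory((uintptr_t)mem + accessible + guard)) /* one past the end is outside */
        return 8;

    releaseFastMemory(mem, accessible, guard);
    if (addressIsInFastMemory((uintptr_t)mem))              /* released regions no longer match */
        return 9;
    return 0;
}

int main(void)
{
    int rc = runFastMemoryDemo();
    if (rc == 0)
        printf("guard-page fault accepted only inside registered fast memory\n");
    else
        printf("step %d did not behave as expected\n", rc);
    return rc;
}
```

        The check in addressIsInFastMemory is what turns "any SIGSEGV while wasm is running" into
        "a SIGSEGV whose address we reserved ourselves"; without it, an unrelated memory-safety
        bug in the engine would be silently converted into a wasm trap instead of a crash.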
2613 2017-03-07  Dean Jackson  <dino@apple.com>
2614
2615         Some platforms won't be able to create a GPUDevice
2616         https://bugs.webkit.org/show_bug.cgi?id=169314
2617         <rdar://problems/30907521>
2618
2619         Reviewed by Jon Lee.
2620
2621         Disable WEB_GPU on the iOS Simulator.
2622
2623         * Configurations/FeatureDefines.xcconfig:
2624
2625 2017-03-06  Saam Barati  <sbarati@apple.com>
2626
2627         WebAssembly: Implement the WebAssembly.instantiate API
2628         https://bugs.webkit.org/show_bug.cgi?id=165982
2629         <rdar://problem/29760110>
2630
2631         Reviewed by Keith Miller.
2632
        This patch is a straightforward implementation of the WebAssembly.instantiate
2634         API: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstantiate
2635         
2636         I implemented the API in a synchronous manner. We should make it
2637         asynchronous: https://bugs.webkit.org/show_bug.cgi?id=169187
2638
2639         * wasm/JSWebAssembly.cpp:
2640         (JSC::webAssemblyCompileFunc):
2641         (JSC::webAssemblyInstantiateFunc):
2642         (JSC::JSWebAssembly::finishCreation):
2643         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2644         (JSC::constructJSWebAssemblyInstance):
2645         (JSC::WebAssemblyInstanceConstructor::createInstance):
2646         * wasm/js/WebAssemblyInstanceConstructor.h:
2647         * wasm/js/WebAssemblyModuleConstructor.cpp:
2648         (JSC::constructJSWebAssemblyModule):
2649         (JSC::WebAssemblyModuleConstructor::createModule):
2650         * wasm/js/WebAssemblyModuleConstructor.h:
2651
2652 2017-03-06  Michael Saboff  <msaboff@apple.com>
2653
2654         Take advantage of fast permissions switching of JIT memory for devices that support it
2655         https://bugs.webkit.org/show_bug.cgi?id=169155
2656
2657         Reviewed by Saam Barati.
2658
2659         Start using the os_thread_self_restrict_rwx_to_XX() SPIs when available to
2660         control access to JIT memory.
2661
2662         Had to update the Xcode config files to handle various build variations of
2663         public and internal SDKs.
2664
2665         * Configurations/Base.xcconfig:
2666         * Configurations/FeatureDefines.xcconfig:
2667         * jit/ExecutableAllocator.cpp:
2668         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2669         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2670         * jit/ExecutableAllocator.h:
2671         (JSC::performJITMemcpy):
2672
2673 2017-03-06  Csaba Osztrogonác  <ossy@webkit.org>
2674
2675         REGRESSION(r212778): It made 400 tests crash on AArch64 Linux
2676         https://bugs.webkit.org/show_bug.cgi?id=168502
2677
2678         Reviewed by Filip Pizlo.
2679
2680         * heap/RegisterState.h: Use setjmp code path on AArch64 Linux too to fix crashes.
2681
2682 2017-03-06  Caio Lima  <ticaiolima@gmail.com>
2683
2684         op_get_by_id_with_this should use inline caching
2685         https://bugs.webkit.org/show_bug.cgi?id=162124
2686
2687         Reviewed by Saam Barati.
2688
2689         This patch is enabling inline cache for op_get_by_id_with_this in all
2690         tiers. It means that operations using ```super.member``` are going to
2691         be able to be optimized by PIC. To enable it, we introduced a new
2692         member of StructureStubInfo.patch named thisGPR, created a new class
2693         to manage the IC named JITGetByIdWithThisGenerator and changed
2694         PolymorphicAccess.regenerate that uses StructureStubInfo.patch.thisGPR
2695         to decide the correct this value on inline caches.
2696         With inline caching enabled, ```super.member``` is ~4.5x faster,
2697         according to microbenchmarks.
2698
2699         * bytecode/AccessCase.cpp:
2700         (JSC::AccessCase::generateImpl):
2701         * bytecode/PolymorphicAccess.cpp:
2702         (JSC::PolymorphicAccess::regenerate):
2703         * bytecode/PolymorphicAccess.h:
2704         * bytecode/StructureStubInfo.cpp:
2705         (JSC::StructureStubInfo::reset):
2706         * bytecode/StructureStubInfo.h:
2707         * dfg/DFGFixupPhase.cpp:
2708         (JSC::DFG::FixupPhase::fixupNode):
2709         * dfg/DFGJITCompiler.cpp:
2710         (JSC::DFG::JITCompiler::link):
2711         * dfg/DFGJITCompiler.h:
2712         (JSC::DFG::JITCompiler::addGetByIdWithThis):
2713         * dfg/DFGSpeculativeJIT.cpp:
2714         (JSC::DFG::SpeculativeJIT::compileIn):
2715         * dfg/DFGSpeculativeJIT.h:
2716         (JSC::DFG::SpeculativeJIT::callOperation):
2717         * dfg/DFGSpeculativeJIT32_64.cpp:
2718         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2719         (JSC::DFG::SpeculativeJIT::compile):
2720         * dfg/DFGSpeculativeJIT64.cpp:
2721         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2722         (JSC::DFG::SpeculativeJIT::compile):
2723         * ftl/FTLLowerDFGToB3.cpp:
2724         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
2725         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2726         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
2727         * jit/CCallHelpers.h:
2728         (JSC::CCallHelpers::setupArgumentsWithExecState):
2729         * jit/ICStats.h:
2730         * jit/JIT.cpp:
2731         (JSC::JIT::JIT):
2732         (JSC::JIT::privateCompileSlowCases):
2733         (JSC::JIT::link):
2734         * jit/JIT.h:
2735         * jit/JITInlineCacheGenerator.cpp:
2736         (JSC::JITByIdGenerator::JITByIdGenerator):
2737         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
2738         (JSC::JITGetByIdWithThisGenerator::generateFastPath):
2739         * jit/JITInlineCacheGenerator.h:
2740         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
2741         * jit/JITInlines.h:
2742         (JSC::JIT::callOperation):
2743         * jit/JITOperations.cpp:
2744         * jit/JITOperations.h:
2745         * jit/JITPropertyAccess.cpp:
2746         (JSC::JIT::emit_op_get_by_id_with_this):
2747         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2748         * jit/JITPropertyAccess32_64.cpp:
2749         (JSC::JIT::emit_op_get_by_id_with_this):
2750         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2751         * jit/Repatch.cpp:
2752         (JSC::appropriateOptimizingGetByIdFunction):
2753         (JSC::appropriateGenericGetByIdFunction):
2754         (JSC::tryCacheGetByID):
2755         * jit/Repatch.h:
2756         * jsc.cpp:
2757         (WTF::CustomGetter::getOwnPropertySlot):
2758         (WTF::CustomGetter::customGetterAcessor):
2759
2760 2017-03-06  Saam Barati  <sbarati@apple.com>
2761
2762         WebAssembly: implement init_expr for Element
2763         https://bugs.webkit.org/show_bug.cgi?id=165888
2764         <rdar://problem/29760199>
2765
2766         Reviewed by Keith Miller.
2767
2768         This patch fixes a few bugs. The main change is allowing init_expr
2769         for the Element's offset. To do this, I had to fix a couple of
2770         other bugs:
2771         
2772         - I removed our invalid early module-parse-time invalidation
2773         of out of bound Element sections. This is not in the spec because
2774         it can't be validated in the general case when the offset is a
2775         get_global.
2776         
2777         - Our get_global validation inside our init_expr parsing code was simply wrong.
2778         It thought that the index operand to get_global went into the pool of imports,
2779         but it does not. It indexes into the pool of globals. I changed the code to
2780         refer to the global pool instead.
2781
2782         * wasm/WasmFormat.h:
2783         (JSC::Wasm::Element::Element):
2784         * wasm/WasmModuleParser.cpp:
2785         * wasm/js/WebAssemblyModuleRecord.cpp:
2786         (JSC::WebAssemblyModuleRecord::evaluate):
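
Added example, not WebKit code: the two validation points this entry describes, as a standalone C++ parser for the init_expr subset an Element offset may use (i32.const or get_global, then end). The "before" check compares a get_global operand against the import list, so a module with two function imports and no globals passes; the corrected check indexes the global pool and requires an i32. The out-of-bounds check on the segment is deferred to instantiation, the only point at which an imported global's value is known. Struct and function names here are this example's own assumptions, not JSC's WasmFormat.h or WasmModuleParser.cpp.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

// Constructed model of the module slices init_expr validation needs (names assumed, not JSC's).
enum class ValueType : uint8_t { I32 = 0x7f, I64 = 0x7e, F32 = 0x7d, F64 = 0x7c };
enum class ExternKind : uint8_t { Function, Table, Memory, Global };

struct GlobalInfo { ValueType type; bool isMutable; bool isImport; };

struct ModuleInfo {
    std::vector<ExternKind> imports; // every import of every kind, in section order
    std::vector<GlobalInfo> globals; // the global index space: imported globals first, then defined ones
};

struct InitExpr {
    enum class Kind { I32Const, GetGlobal } kind = Kind::I32Const;
    int32_t constant = 0;     // I32Const operand
    uint32_t globalIndex = 0; // GetGlobal operand
};

// Minimal byte reader with the two LEB128 flavours init_expr uses.
class Reader {
public:
    explicit Reader(const std::vector<uint8_t>& bytes) : m_bytes(bytes) {}
    size_t position() const { return m_pos; }
    uint8_t byte() {
        if (m_pos >= m_bytes.size()) throw std::runtime_error("truncated init_expr");
        return m_bytes[m_pos++];
    }
    uint32_t varU32() {
        uint32_t result = 0; unsigned shift = 0; uint8_t b;
        do {
            b = byte();
            if (shift >= 32) throw std::runtime_error("LEB128 too long");
            result |= uint32_t(b & 0x7f) << shift;
            shift += 7;
        } while (b & 0x80);
        return result;
    }
    int32_t varI32() {
        uint32_t result = 0; unsigned shift = 0; uint8_t b;
        do {
            b = byte();
            if (shift >= 32) throw std::runtime_error("LEB128 too long");
            result |= uint32_t(b & 0x7f) << shift;
            shift += 7;
        } while (b & 0x80);
        if (shift < 32 && (b & 0x40)) result |= ~uint32_t(0) << shift; // sign-extend
        return int32_t(result);
    }
private:
    const std::vector<uint8_t>& m_bytes;
    size_t m_pos = 0;
};

// init_expr ::= (0x41 i32.const <varI32> | 0x23 get_global <varU32>) 0x0b end
InitExpr parseInitExpr(const std::vector<uint8_t>& bytes) {
    Reader reader(bytes);
    InitExpr expr;
    switch (reader.byte()) {
    case 0x41: expr.kind = InitExpr::Kind::I32Const; expr.constant = reader.varI32(); break;
    case 0x23: expr.kind = InitExpr::Kind::GetGlobal; expr.globalIndex = reader.varU32(); break;
    default: throw std::runtime_error("opcode not allowed in an Element offset");
    }
    if (reader.byte() != 0x0b) throw std::runtime_error("init_expr missing end");
    if (reader.position() != bytes.size()) throw std::runtime_error("trailing bytes after end");
    return expr;
}

// Module-parse-time check as the entry describes the bug: the operand was compared against
// the pool of imports, so "get_global 0" passes for a module with imports but no globals.
bool validateOffsetExprBuggy(const InitExpr& expr, const ModuleInfo& module) {
    if (expr.kind == InitExpr::Kind::I32Const) return true;
    return expr.globalIndex < module.imports.size();
}

// Corrected check: the operand indexes the global pool and an Element offset must be an i32.
// The MVP further restricts init_expr get_global to immutable imported globals.
bool validateOffsetExpr(const InitExpr& expr, const ModuleInfo& module) {
    if (expr.kind == InitExpr::Kind::I32Const) return true;
    if (expr.globalIndex >= module.globals.size()) return false;
    const GlobalInfo& global = module.globals[expr.globalIndex];
    return global.type == ValueType::I32 && global.isImport && !global.isMutable;
}

// Instantiation time: imported global values exist only now, so only now can the segment
// be bounds-checked against the table. Widening to 64 bits keeps offset + count from wrapping.
bool elementSegmentFits(const InitExpr& expr, const std::vector<uint32_t>& globalValues,
                        uint32_t elementCount, uint32_t tableSize) {
    uint32_t offset = expr.kind == InitExpr::Kind::I32Const
        ? uint32_t(expr.constant)
        : globalValues.at(expr.globalIndex);
    return uint64_t(offset) + elementCount <= tableSize;
}

int main() {
    ModuleInfo noGlobals{{ExternKind::Function, ExternKind::Function}, {}};
    InitExpr getGlobal0 = parseInitExpr({0x23, 0x00, 0x0b});
    printf("buggy check accepts get_global 0 with no globals: %d\n", validateOffsetExprBuggy(getGlobal0, noGlobals));
    printf("fixed check accepts it: %d\n", validateOffsetExpr(getGlobal0, noGlobals));
    printf("segment at imported global value 8, 3 elements, table of 10 fits: %d\n",
           elementSegmentFits(getGlobal0, {8}, 3, 10));
    return 0;
}
```

A constant offset of -1 (encoded 0x7f) becomes 0xffffffff once treated as an i32 offset, so the 64-bit comparison in elementSegmentFits rejects it rather than wrapping past the table.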
2787
2788 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2789
2790         [JSC] Allow indexed module namespace object fields
2791         https://bugs.webkit.org/show_bug.cgi?id=168870
2792
2793         Reviewed by Saam Barati.
2794
2795         While JS modules cannot expose any indexed bindings,
2796         Wasm modules can expose them. However, module namespace
2797         object currently does not support indexed properties.
2798         This patch allows module namespace objects to offer
2799         indexed binding accesses.
2800
2801         * runtime/JSModuleNamespaceObject.cpp:
2802         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
2803         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2804         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
2805         * runtime/JSModuleNamespaceObject.h:
2806
2807 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2808
2809         Null pointer crash when loading module with unresolved import also as a script file
2810         https://bugs.webkit.org/show_bug.cgi?id=168971
2811
2812         Reviewed by Saam Barati.
2813
2814         If linking throws an error, this error should be re-thrown
2815         when requesting the same module.
2816
2817         * builtins/ModuleLoaderPrototype.js:
2818         (globalPrivate.newRegistryEntry):
2819         * runtime/JSModuleRecord.cpp:
2820         (JSC::JSModuleRecord::link):
2821
2822 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2823
2824         [GTK][JSCOnly] Enable WebAssembly on Linux environment
2825         https://bugs.webkit.org/show_bug.cgi?id=164032
2826
2827         Reviewed by Michael Catanzaro.
2828
2829         This patch enables WebAssembly on JSCOnly and GTK ports.
2830         Basically, almost all the WASM code is portable to Linux.
2831         One platform-dependent part is faster memory load using SIGBUS
2832         signal handler. This patch ports this part to Linux.
2833
2834         * CMakeLists.txt:
2835         * llint/LLIntSlowPaths.cpp:
2836         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2837         * wasm/WasmFaultSignalHandler.cpp:
2838         (JSC::Wasm::trapHandler):
2839         (JSC::Wasm::enableFastMemory):
2840
2841 2017-03-06  Daniel Ehrenberg  <littledan@igalia.com>
2842
2843         Currency digits calculation in Intl.NumberFormat should call out to ICU
2844         https://bugs.webkit.org/show_bug.cgi?id=169182
2845
2846         Reviewed by Yusuke Suzuki.
2847
2848         * runtime/IntlNumberFormat.cpp:
2849         (JSC::computeCurrencyDigits):
2850         (JSC::computeCurrencySortKey): Deleted.
2851         (JSC::extractCurrencySortKey): Deleted.
2852
2853 2017-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2854
2855         [JSCOnly][GTK] Suppress warnings on return type in B3 and WASM
2856         https://bugs.webkit.org/show_bug.cgi?id=168869
2857
2858         Reviewed by Keith Miller.
2859
2860         * b3/B3Width.h:
2861         * wasm/WasmSections.h:
2862
2863 2017-03-04  Csaba Osztrogonác  <ossy@webkit.org>
2864
2865         [ARM] Unreviewed buildfix after r213376.
2866
2867         * assembler/ARMAssembler.h:
2868         (JSC::ARMAssembler::isBkpt): Typo fixed.
2869
2870 2017-03-03  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2871
2872         [JSC] build fix after r213399
2873         https://bugs.webkit.org/show_bug.cgi?id=169154
2874
2875         Unreviewed.
2876
2877         * runtime/ConfigFile.cpp: Include unistd.h since it's where getcwd() is defined.
2878
2879 2017-03-03  Dean Jackson  <dino@apple.com>
2880
2881         Add WebGPU compile flag and experimental feature flag
2882         https://bugs.webkit.org/show_bug.cgi?id=169161
2883         <rdar://problem/30846689>
2884
2885         Reviewed by Tim Horton.
2886
2887         Add ENABLE_WEBGPU, an experimental feature flag, a RuntimeEnabledFeature,
2888         and an InternalSetting.
2889
2890         * Configurations/FeatureDefines.xcconfig:
2891
2892 2017-03-03  Michael Saboff  <msaboff@apple.com>
2893
2894         Add support for relative pathnames to JSC config files
2895         https://bugs.webkit.org/show_bug.cgi?id=169154
2896
2897         Reviewed by Saam Barati.
2898
2899         If the config file is a relative path, prepend the current working directory.
2900         After canonicalizing the config file path, we extract its directory path and
2901         use that for the directory for a relative log pathname.
2902
2903         * runtime/ConfigFile.cpp:
2904         (JSC::ConfigFile::ConfigFile):
2905         (JSC::ConfigFile::parse):
2906         (JSC::ConfigFile::canonicalizePaths):
2907         * runtime/ConfigFile.h:
2908
2909 2017-03-03  Michael Saboff  <msaboff@apple.com>
2910
2911         Add load / store exclusive instruction group to ARM64 disassembler
2912         https://bugs.webkit.org/show_bug.cgi?id=169152
2913
2914         Reviewed by Filip Pizlo.
2915
2916         * disassembler/ARM64/A64DOpcode.cpp:
2917         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::format):
2918         * disassembler/ARM64/A64DOpcode.h:
2919         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::opName):
2920         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::rs):
2921         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::rt2):
2922         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o0):
2923         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o1):
2924         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o2):
2925         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::loadBit):
2926         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::opNumber):
2927         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::isPairOp):
2928
2929 2017-03-03  Keith Miller  <keith_miller@apple.com>
2930
2931         WASM should support faster loads.
2932         https://bugs.webkit.org/show_bug.cgi?id=162693
2933
2934         Reviewed by Saam Barati.
2935
2936         This patch adds support for WebAssembly using a 32-bit address
2937         space for memory (along with some extra space for offset
2938         overflow). With a 32-bit address space (we call them
2939         Signaling/fast memories), we reserve the virtual address space for
2940         2^32 + offset bytes of memory and only mark the usable section as
2941         read/write. If wasm code would read/write out of bounds we use a
2942         custom signal handler to catch the SIGBUS. The signal handler then
2943         checks if the faulting instruction is wasm code and tells the
2944         thread to resume executing from the wasm exception
2945         handler. Otherwise, the signal handler crashes the process, as
2946         usual.
2947
2948         All of the allocations of these memories are managed by the
2949         Wasm::Memory class. In order to avoid TLB churn in the OS we cache
2950         old Signaling memories that are no longer in use. Since getting
2951         the wrong memory can cause recompiles, we try to reserve a memory
2952         for modules that do not import a memory. If a module does import a
2953         memory, we try to guess the type of memory we are going to get
2954         based on the last one allocated.
2955
2956         This patch also changes how the wasm JS-api manages objects. Since
2957         we can compile different versions of code, this patch adds a new
2958         JSWebAssemblyCodeBlock class that holds all the information
2959         specific to running a module in a particular bounds checking
2960         mode. Additionally, the Wasm::Memory object is now a reference
2961         counted class that is shared between the JSWebAssemblyMemory
2962         object and the ArrayBuffer that also views it.
2963
2964         * JavaScriptCore.xcodeproj/project.pbxproj:
2965         * jit/JITThunks.cpp:
2966         (JSC::JITThunks::existingCTIStub):
2967         * jit/JITThunks.h:
2968         * jsc.cpp:
2969         (jscmain):
2970         * runtime/Options.h:
2971         * runtime/VM.cpp:
2972         (JSC::VM::VM):
2973         * runtime/VM.h:
2974         * wasm/JSWebAssemblyCodeBlock.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
2975         (JSC::JSWebAssemblyCodeBlock::create):
2976         (JSC::JSWebAssemblyCodeBlock::createStructure):
2977         (JSC::JSWebAssemblyCodeBlock::functionImportCount):
2978         (JSC::JSWebAssemblyCodeBlock::mode):
2979         (JSC::JSWebAssemblyCodeBlock::module):
2980         (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2981         (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
2982         (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee):
2983         (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee):
2984         (JSC::JSWebAssemblyCodeBlock::callees):
2985         (JSC::JSWebAssemblyCodeBlock::offsetOfCallees):
2986         (JSC::JSWebAssemblyCodeBlock::allocationSize):
2987         * wasm/WasmB3IRGenerator.cpp:
2988         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2989         (JSC::Wasm::getMemoryBaseAndSize):
2990         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2991         (JSC::Wasm::B3IRGenerator::emitLoadOp):
2992         (JSC::Wasm::B3IRGenerator::emitStoreOp):
2993         * wasm/WasmCallingConvention.h:
2994         * wasm/WasmFaultSignalHandler.cpp: Added.
2995         (JSC::Wasm::trapHandler):
2996         (JSC::Wasm::registerCode):
2997         (JSC::Wasm::unregisterCode):
2998         (JSC::Wasm::fastMemoryEnabled):
2999         (JSC::Wasm::enableFastMemory):
3000         * wasm/WasmFaultSignalHandler.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp.
3001         * wasm/WasmFormat.h:
3002         (JSC::Wasm::ModuleInformation::importFunctionCount):
3003         (JSC::Wasm::ModuleInformation::hasMemory): Deleted.
3004         * wasm/WasmMemory.cpp:
3005         (JSC::Wasm::mmapBytes):
3006         (JSC::Wasm::Memory::lastAllocatedMode):
3007         (JSC::Wasm::availableFastMemories):
3008         (JSC::Wasm::tryGetFastMemory):
3009         (JSC::Wasm::releaseFastMemory):
3010         (JSC::Wasm::Memory::Memory):
3011         (JSC::Wasm::Memory::createImpl):
3012         (JSC::Wasm::Memory::create):
3013         (JSC::Wasm::Memory::~Memory):
3014         (JSC::Wasm::Memory::grow):
3015         (JSC::Wasm::Memory::dump):
3016         (JSC::Wasm::Memory::makeString):
3017         * wasm/WasmMemory.h:
3018         (JSC::Wasm::Memory::operator bool):
3019         (JSC::Wasm::Memory::size):
3020         (JSC::Wasm::Memory::check):
3021         (JSC::Wasm::Memory::Memory): Deleted.
3022         (JSC::Wasm::Memory::offsetOfMemory): Deleted.
3023         (JSC::Wasm::Memory::offsetOfSize): Deleted.
3024         * wasm/WasmMemoryInformation.cpp:
3025         (JSC::Wasm::MemoryInformation::MemoryInformation):
3026         * wasm/WasmMemoryInformation.h:
3027         (JSC::Wasm::MemoryInformation::hasReservedMemory):
3028         (JSC::Wasm::MemoryInformation::takeReservedMemory):
3029         (JSC::Wasm::MemoryInformation::mode):
3030         * wasm/WasmModuleParser.cpp:
3031         * wasm/WasmModuleParser.h:
3032         (JSC::Wasm::ModuleParser::ModuleParser):
3033         * wasm/WasmPlan.cpp:
3034         (JSC::Wasm::Plan::parseAndValidateModule):
3035         (JSC::Wasm::Plan::run):
3036         * wasm/WasmPlan.h:
3037         (JSC::Wasm::Plan::mode):
3038         * wasm/js/JSWebAssemblyCallee.cpp:
3039         (JSC::JSWebAssemblyCallee::finishCreation):
3040         (JSC::JSWebAssemblyCallee::destroy):
3041         * wasm/js/JSWebAssemblyCodeBlock.cpp: Added.
3042         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3043         (JSC::JSWebAssemblyCodeBlock::destroy):
3044         (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
3045         (JSC::JSWebAssemblyCodeBlock::visitChildren):
3046         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
3047         * wasm/js/JSWebAssemblyInstance.cpp:
3048         (JSC::JSWebAssemblyInstance::setMemory):
3049         (JSC::JSWebAssemblyInstance::finishCreation):
3050         (JSC::JSWebAssemblyInstance::visitChildren):
3051         * wasm/js/JSWebAssemblyInstance.h:
3052         (JSC::JSWebAssemblyInstance::module):
3053         (JSC::JSWebAssemblyInstance::codeBlock):
3054         (JSC::JSWebAssemblyInstance::memoryMode):
3055         (JSC::JSWebAssemblyInstance::setMemory): Deleted.
3056         * wasm/js/JSWebAssemblyMemory.cpp:
3057         (JSC::JSWebAssemblyMemory::create):
3058         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
3059         (JSC::JSWebAssemblyMemory::buffer):
3060         (JSC::JSWebAssemblyMemory::grow):
3061         (JSC::JSWebAssemblyMemory::destroy):
3062         * wasm/js/JSWebAssemblyMemory.h:
3063         (JSC::JSWebAssemblyMemory::memory):
3064         (JSC::JSWebAssemblyMemory::offsetOfMemory):
3065         (JSC::JSWebAssemblyMemory::offsetOfSize):
3066         * wasm/js/JSWebAssemblyModule.cpp:
3067         (JSC::JSWebAssemblyModule::buildCodeBlock):
3068         (JSC::JSWebAssemblyModule::create):
3069         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
3070         (JSC::JSWebAssemblyModule::codeBlock):
3071         (JSC::JSWebAssemblyModule::finishCreation):
3072         (JSC::JSWebAssemblyModule::visitChildren):
3073         (JSC::JSWebAssemblyModule::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3074         * wasm/js/JSWebAssemblyModule.h:
3075         (JSC::JSWebAssemblyModule::takeReservedMemory):
3076         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
3077         (JSC::JSWebAssemblyModule::codeBlock):
3078         (JSC::JSWebAssemblyModule::functionImportCount): Deleted.
3079         (JSC::JSWebAssemblyModule::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
3080         (JSC::JSWebAssemblyModule::wasmEntrypointCalleeFromFunctionIndexSpace): Deleted.
3081         (JSC::JSWebAssemblyModule::setJSEntrypointCallee): Deleted.
3082         (JSC::JSWebAssemblyModule::setWasmEntrypointCallee): Deleted.
3083         (JSC::JSWebAssemblyModule::callees): Deleted.
3084         (JSC::JSWebAssemblyModule::offsetOfCallees): Deleted.
3085         (JSC::JSWebAssemblyModule::allocationSize): Deleted.
3086         * wasm/js/WebAssemblyFunction.cpp:
3087         (JSC::callWebAssemblyFunction):
3088         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3089         (JSC::constructJSWebAssemblyInstance):
3090         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3091         (JSC::constructJSWebAssemblyMemory):
3092         * wasm/js/WebAssemblyModuleConstructor.cpp:
3093         (JSC::WebAssemblyModuleConstructor::createModule):
3094         * wasm/js/WebAssemblyModuleRecord.cpp:
3095         (JSC::WebAssemblyModuleRecord::link):
3096         (JSC::WebAssemblyModuleRecord::evaluate):
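
Added example, not JavaScriptCore code: the Signaling-memory scheme from this entry, together with the Linux port of its signal handler from the 2017-03-06 [GTK][JSCOnly] entry above, as a standalone C++ program. It reserves one region, maps only the usable prefix read/write, and routes SIGSEGV (what Linux raises for a PROT_NONE page) and SIGBUS (macOS) to a handler that resumes at a "wasm exception handler" only when the fault address lies inside the reservation and a flag is set; that flag stands in for the real check that the faulting PC is wasm code. Any other fault is handed back to the default action so the process crashes as usual. The sizes are shrunk from the real 2^32 + offset reservation so it runs under any address-space limit; all names are this example's own.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>

// One reservation: [base, base + usable) is read/write, the rest is a PROT_NONE guard.
// JSC's Signaling memories reserve 2^32 + (maximum static offset) bytes so every
// base + index + offset a 32-bit wasm program can form lands inside the reservation.
struct FastMemory {
    uint8_t* base = nullptr;
    size_t usable = 0;
    size_t reserved = 0;
};

static sigjmp_buf g_trapEnv;
static volatile sig_atomic_t g_inWasm = 0;        // stand-in for "faulting PC is in wasm code"
static FastMemory* volatile g_activeMemory = nullptr;

static bool createFastMemory(FastMemory& memory, size_t usable, size_t reserved) {
    if (usable > reserved) return false;
    void* p = mmap(nullptr, reserved, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    if (p == MAP_FAILED) return false;
    if (mprotect(p, usable, PROT_READ | PROT_WRITE) != 0) { munmap(p, reserved); return false; }
    memory.base = static_cast<uint8_t*>(p);
    memory.usable = usable;
    memory.reserved = reserved;
    return true;
}

// Linux delivers SIGSEGV for a touch of a PROT_NONE page, macOS delivers SIGBUS; both land here.
static void trapHandler(int signo, siginfo_t* info, void*) {
    uintptr_t fault = reinterpret_cast<uintptr_t>(info->si_addr);
    FastMemory* memory = g_activeMemory;
    bool inReservation = memory
        && fault >= reinterpret_cast<uintptr_t>(memory->base)
        && fault < reinterpret_cast<uintptr_t>(memory->base) + memory->reserved;
    if (g_inWasm && inReservation) {
        g_inWasm = 0;
        siglongjmp(g_trapEnv, 1);  // resume at the wasm exception handler
    }
    // A genuine crash: restore the default action; the faulting instruction re-executes and kills the process.
    signal(signo, SIG_DFL);
}

static bool installTrapHandler() {
    struct sigaction action;
    memset(&action, 0, sizeof action);
    action.sa_sigaction = trapHandler;
    action.sa_flags = SA_SIGINFO | SA_NODEFER;
    sigemptyset(&action.sa_mask);
    return sigaction(SIGSEGV, &action, nullptr) == 0 && sigaction(SIGBUS, &action, nullptr) == 0;
}

// An i32.load compiled in Signaling mode: no bounds check, the access is just
// base + index + offset. Returns true and fills *out on success, false on a trap.
static bool wasmLoadI32(FastMemory& memory, uint32_t index, uint32_t offset, uint32_t* out) {
    g_activeMemory = &memory;
    if (sigsetjmp(g_trapEnv, 1) != 0)
        return false;  // arrived here from trapHandler
    g_inWasm = 1;
    __asm__ __volatile__("" ::: "memory");  // keep the load between the flag updates
    uint32_t value;
    memcpy(&value, memory.base + uint64_t(index) + offset, sizeof value);
    __asm__ __volatile__("" ::: "memory");
    g_inWasm = 0;
    *out = value;
    return true;
}

// Runs the accesses the entry describes; 0 means each behaved as expected, otherwise the failing step.
int runFastMemoryDemo() {
    if (!installTrapHandler()) return 1;
    FastMemory memory;
    const size_t usable = 1 << 20, reserved = 8 << 20;  // small stand-ins for 2^32 + offset
    if (!createFastMemory(memory, usable, reserved)) return 2;
    const uint32_t marker = 0xdeadbeef;
    memcpy(memory.base + usable - 4, &marker, sizeof marker);
    uint32_t value = 0;
    if (!wasmLoadI32(memory, uint32_t(usable - 4), 0, &value) || value != marker) return 3; // last in-bounds word
    if (wasmLoadI32(memory, uint32_t(usable - 2), 0, &value)) return 4;  // straddles the boundary: trap
    if (wasmLoadI32(memory, uint32_t(usable), 0, &value)) return 5;      // first guard byte: trap
    if (wasmLoadI32(memory, 0, uint32_t(usable), &value)) return 6;      // same address via the static offset: trap
    if (!wasmLoadI32(memory, 0, 0, &value)) return 7;                    // memory still usable after a trap
    munmap(memory.base, reserved);
    return 0;
}

int main() {
    int result = runFastMemoryDemo();
    printf("fast memory demo: %s (%d)\n", result == 0 ? "ok" : "failed", result);
    return result;
}
```

The straddling load (step 4) is why the real reservation is 2^32 plus the largest static offset rather than exactly 2^32: the last bytes of a maximal index plus offset must still fall on a guard page, never on an unrelated mapping.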
3097
3098 2017-03-03  Mark Lam  <mark.lam@apple.com>
3099
3100         Gardening: fix broken ARM64 build.
3101         https://bugs.webkit.org/show_bug.cgi?id=169139
3102
3103         Not reviewed.
3104
3105         * assembler/ARM64Assembler.h:
3106         (JSC::ARM64Assembler::excepnGenerationImmMask):
3107
3108 2017-03-03  Mark Lam  <mark.lam@apple.com>
3109
3110         Add MacroAssembler::isBreakpoint() query function.
3111         https://bugs.webkit.org/show_bug.cgi?id=169139
3112
3113         Reviewed by Michael Saboff.
3114
3115         This will be needed soon when we use breakpoint instructions to implement
3116         non-polling VM traps, and need to discern between a VM trap signal and a genuine
3117         assertion breakpoint.
3118
3119         * assembler/ARM64Assembler.h:
3120         (JSC::ARM64Assembler::isBrk):
3121         (JSC::ARM64Assembler::excepnGenerationImmMask):
3122         * assembler/ARMAssembler.h:
3123         (JSC::ARMAssembler::isBkpt):
3124         * assembler/ARMv7Assembler.h:
3125         (JSC::ARMv7Assembler::isBkpt):
3126         * assembler/MIPSAssembler.h:
3127         (JSC::MIPSAssembler::isBkpt):
3128         * assembler/MacroAssemblerARM.h:
3129         (JSC::MacroAssemblerARM::isBreakpoint):
3130         * assembler/MacroAssemblerARM64.h:
3131         (JSC::MacroAssemblerARM64::isBreakpoint):
3132         * assembler/MacroAssemblerARMv7.h:
3133         (JSC::MacroAssemblerARMv7::isBreakpoint):
3134         * assembler/MacroAssemblerMIPS.h:
3135         (JSC::MacroAssemblerMIPS::isBreakpoint):
3136         * assembler/MacroAssemblerX86Common.h:
3137         (JSC::MacroAssemblerX86Common::isBreakpoint):
3138         * assembler/X86Assembler.h:
3139         (JSC::X86Assembler::isInt3):
3140
3141 2017-03-03  Mark Lam  <mark.lam@apple.com>
3142
3143         We should only check for traps that we're able to handle.
3144         https://bugs.webkit.org/show_bug.cgi?id=169136
3145
3146         Reviewed by Michael Saboff.
3147
3148         The execute methods in interpreter were checking for the existence of any traps
3149         (without masking) and only handling a subset of those via a mask.  This can
3150         result in a failed assertion on debug builds.
3151
3152         This patch fixes this by applying the same mask for both the needTrapHandling()
3153         check and the handleTraps() call.  Also added a few assertions.
3154
3155         * interpreter/Interpreter.cpp:
3156         (JSC::Interpreter::executeProgram):
3157         (JSC::Interpreter::executeCall):
3158         (JSC::Interpreter::executeConstruct):
3159         (JSC::Interpreter::execute):
3160         * jit/JITOperations.cpp:
3161         * llint/LLIntSlowPaths.cpp:
3162         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3163
3164 2017-03-02  Carlos Garcia Campos  <cgarcia@igalia.com>
3165
3166         Remote Inspector: Move updateTargetListing() methods to RemoteInspector.cpp
3167         https://bugs.webkit.org/show_bug.cgi?id=169074
3168
3169         Reviewed by Joseph Pecoraro.
3170
3171         They are not actually Cocoa-specific.
3172
3173         * inspector/remote/RemoteInspector.cpp:
3174         (Inspector::RemoteInspector::updateTargetListing):
3175         * inspector/remote/RemoteInspector.h:
3176         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3177
3178 2017-03-02  Mark Lam  <mark.lam@apple.com>
3179
3180         Add WebKit2 hooks to notify the VM that the user has requested a debugger break.
3181         https://bugs.webkit.org/show_bug.cgi?id=169089
3182
3183         Reviewed by Tim Horton and Joseph Pecoraro.
3184
3185         * runtime/VM.cpp:
3186         (JSC::VM::handleTraps):
3187         * runtime/VM.h:
3188         (JSC::VM::notifyNeedDebuggerBreak):
3189
3190 2017-03-02  Michael Saboff  <msaboff@apple.com>
3191
3192         Add JSC identity when code signing to allow debugging on iOS
3193         https://bugs.webkit.org/show_bug.cgi?id=169099
3194
3195         Reviewed by Filip Pizlo.
3196
3197         * Configurations/JSC.xcconfig:
3198         * Configurations/ToolExecutable.xcconfig:
3199
3200 2017-03-02  Keith Miller  <keith_miller@apple.com>
3201
3202         WebAssemblyFunction should have Function.prototype as its prototype
3203         https://bugs.webkit.org/show_bug.cgi?id=169101
3204
3205         Reviewed by Filip Pizlo.
3206
3207         Per https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects our JSWebAssemblyFunction
3208         objects should have Function.prototype as their prototype.
3209
3210         * runtime/JSGlobalObject.cpp:
3211         (JSC::JSGlobalObject::init):
3212
3213 2017-03-02  Mark Lam  <mark.lam@apple.com>
3214
3215         Add Options::alwaysCheckTraps() and Options::usePollingTraps() options.
3216         https://bugs.webkit.org/show_bug.cgi?id=169088
3217
3218         Reviewed by Keith Miller.
3219
3220         Options::alwaysCheckTraps() forces the op_check_traps bytecode to always be
3221         generated.  This is useful for testing purposes until we have signal based
3222         traps, at which point, we will always emit the op_check_traps bytecode and remove
3223         this option.
3224
3225         Options::usePollingTraps() enables the use of polling VM traps all the time.
3226         This will be useful for benchmark comparisons, (between polling and non-polling
3227         traps), as well as for forcing polling traps later for ports that don't support
3228         signal based traps.
3229
3230         Note: signal based traps are not fully implemented yet.  As a result, if the VM
3231         watchdog is in use, we will force Options::usePollingTraps() to be true.
3232
3233         * bytecompiler/BytecodeGenerator.cpp:
3234         (JSC::BytecodeGenerator::emitCheckTraps):
3235         * dfg/DFGClobberize.h:
3236         (JSC::DFG::clobberize):
3237         * dfg/DFGSpeculativeJIT.cpp:
3238         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
3239         * dfg/DFGSpeculativeJIT32_64.cpp:
3240         (JSC::DFG::SpeculativeJIT::compile):
3241         * dfg/DFGSpeculativeJIT64.cpp:
3242         (JSC::DFG::SpeculativeJIT::compile):
3243         * ftl/FTLLowerDFGToB3.cpp:
3244         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3245         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
3246         * runtime/Options.cpp:
3247         (JSC::recomputeDependentOptions):
3248         * runtime/Options.h:
3249
3250 2017-03-02  Keith Miller  <keith_miller@apple.com>
3251
3252         Fix addressing mode for B3WasmAddress
3253         https://bugs.webkit.org/show_bug.cgi?id=169092
3254
3255         Reviewed by Filip Pizlo.
3256
3257         Fix the potential addressing modes for B3WasmAddress. ARM does not
3258         support a base + index*1 + offset addressing mode. I think when I
3259         read it the first time I assumed it would always work on both ARM
3260         and X86. While true for X86 it's not true for ARM.
3261
3262         * b3/B3LowerToAir.cpp:
3263         (JSC::B3::Air::LowerToAir::effectiveAddr):
3264
3265 2017-03-02  Mark Lam  <mark.lam@apple.com>
3266
3267         Add support for selective handling of VM traps.
3268         https://bugs.webkit.org/show_bug.cgi?id=169087
3269
3270         Reviewed by Keith Miller.
3271
3272         This is needed because there are some places in the VM where it's appropriate to
3273         handle some types of VM traps but not others.
3274
3275         We implement this selection by using a VMTraps::Mask that allows the user to
3276         specify which traps should be serviced.
3277
3278         * interpreter/Interpreter.cpp:
3279         (JSC::Interpreter::executeProgram):
3280         (JSC::Interpreter::executeCall):
3281         (JSC::Interpreter::executeConstruct):
3282         (JSC::Interpreter::execute):
3283         * runtime/VM.cpp:
3284         (JSC::VM::handleTraps):
3285         * runtime/VM.h:
3286         * runtime/VMTraps.cpp:
3287         (JSC::VMTraps::takeTrap): Deleted.
3288         * runtime/VMTraps.h:
3289         (JSC::VMTraps::Mask::Mask):
3290         (JSC::VMTraps::Mask::allEventTypes):
3291         (JSC::VMTraps::Mask::bits):
3292         (JSC::VMTraps::Mask::init):
3293         (JSC::VMTraps::needTrapHandling):
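
Added example, not JavaScriptCore code: a constructed model of VMTraps with the Mask this entry introduces, and the execute-path pattern that the 2017-03-03 "We should only check for traps that we're able to handle" entry above fixed. An unmasked needTrapHandling() guarding a masked handleTraps() passes when only an unselected trap is pending and then services nothing; applying the same mask on both sides removes that mismatch, and the unselected trap stays queued for a caller that can handle it. Event names and the bit layout are this example's assumptions, not JSC's VMTraps.h.

```cpp
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <vector>

// Assumed event types; JSC's own enumerators may differ.
enum EventType : uint8_t { NeedDebuggerBreak = 0, NeedTermination = 1, NeedWatchdogCheck = 2, NumberOfEventTypes = 3 };

struct Mask {
    uint8_t bits = 0;
    Mask(std::initializer_list<EventType> types) { for (EventType t : types) bits |= uint8_t(1u << t); }
    static Mask allEventTypes() { return Mask{NeedDebuggerBreak, NeedTermination, NeedWatchdogCheck}; }
};

class VMTraps {
public:
    void fireTrap(EventType type) { m_pending |= uint8_t(1u << type); }
    bool hasTrapForEvent(EventType type) const { return (m_pending & (1u << type)) != 0; }
    // Is any trap pending that the caller is prepared to service?
    bool needTrapHandling(Mask mask = Mask::allEventTypes()) const { return (m_pending & mask.bits) != 0; }
    // Service the pending traps selected by mask; the others stay queued. Returns what was serviced.
    std::vector<EventType> handleTraps(Mask mask) {
        std::vector<EventType> handled;
        for (uint8_t t = 0; t < NumberOfEventTypes; ++t) {
            if (m_pending & mask.bits & (1u << t)) {
                m_pending &= uint8_t(~(1u << t));
                handled.push_back(EventType(t));
            }
        }
        return handled;
    }
private:
    uint8_t m_pending = 0;
};

// Before the fix: unmasked guard, masked handling. Returns true when the guard passes
// but nothing is serviced, the mismatch a debug assertion would catch.
bool checkAndHandleBeforeFix(VMTraps& traps, Mask mask) {
    if (traps.needTrapHandling()) {
        std::vector<EventType> handled = traps.handleTraps(mask);
        return handled.empty();
    }
    return false;
}

// After the fix: the same mask on both sides, so the guard passes only when there is work.
bool checkAndHandleAfterFix(VMTraps& traps, Mask mask) {
    if (traps.needTrapHandling(mask)) {
        std::vector<EventType> handled = traps.handleTraps(mask);
        return handled.empty();
    }
    return false;
}

// Scenario: only a debugger break is pending; this call site can service termination and watchdog only.
bool unmaskedGuardTrips() {
    VMTraps traps;
    traps.fireTrap(NeedDebuggerBreak);
    return checkAndHandleBeforeFix(traps, Mask{NeedTermination, NeedWatchdogCheck});
}

bool maskedGuardTrips() {
    VMTraps traps;
    traps.fireTrap(NeedDebuggerBreak);
    return checkAndHandleAfterFix(traps, Mask{NeedTermination, NeedWatchdogCheck});
}

// Selective handling: termination is serviced, the debugger break stays queued.
// Returns how many traps are still pending afterwards.
int pendingAfterSelectiveHandling() {
    VMTraps traps;
    traps.fireTrap(NeedDebuggerBreak);
    traps.fireTrap(NeedTermination);
    traps.handleTraps(Mask{NeedTermination});
    int pending = 0;
    for (uint8_t t = 0; t < NumberOfEventTypes; ++t)
        pending += traps.hasTrapForEvent(EventType(t)) ? 1 : 0;
    return pending;
}

int main() {
    printf("unmasked guard passes with nothing to service: %d\n", unmaskedGuardTrips());
    printf("masked guard passes with nothing to service: %d\n", maskedGuardTrips());
    printf("traps left queued after selective handling: %d\n", pendingAfterSelectiveHandling());
    return 0;
}
```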
3294         (JSC::VMTraps::hasTrapForEvent):
3295
3296 2017-03-02  Alex Christensen  <achristensen@webkit.org>
3297
3298         Continue enabling WebRTC
3299         https://bugs.webkit.org/show_bug.cgi?id=169056
3300
3301         Reviewed by Jon Lee.
3302
3303         * Configurations/FeatureDefines.xcconfig:
3304
3305 2017-03-02  Tomas Popela  <tpopela@redhat.com>
3306
3307         Incorrect RELEASE_ASSERT in JSGlobalObject::addStaticGlobals()
3308         https://bugs.webkit.org/show_bug.cgi?id=169034
3309
3310         Reviewed by Mark Lam.
3311
3312         It should not assign to offset, but compare to offset.
3313
3314         * runtime/JSGlobalObject.cpp:
3315         (JSC::JSGlobalObject::addStaticGlobals):
3316
3317 2017-03-01  Alex Christensen  <achristensen@webkit.org>
3318
3319         Unreviewed, rolling out r213259.
3320
3321         Broke an internal build
3322
3323         Reverted changeset:
3324
3325         "Continue enabling WebRTC"
3326         https://bugs.webkit.org/show_bug.cgi?id=169056
3327         http://trac.webkit.org/changeset/213259
3328
3329 2017-03-01  Alex Christensen  <achristensen@webkit.org>
3330
3331         Continue enabling WebRTC
3332         https://bugs.webkit.org/show_bug.cgi?id=169056
3333
3334         Reviewed by Jon Lee.
3335
3336         * Configurations/FeatureDefines.xcconfig:
3337
3338 2017-03-01  Michael Saboff  <msaboff@apple.com>
3339
3340         Source/JavaScriptCore/ChangeLog
3341         https://bugs.webkit.org/show_bug.cgi?id=169055
3342
3343         Reviewed by Mark Lam.
3344
3345         Made local copies of options strings for OptionRange and string typed options.
3346
3347         * runtime/Options.cpp:
3348         (JSC::parse):
3349         (JSC::OptionRange::init):
3350
3351 2017-03-01  Mark Lam  <mark.lam@apple.com>
3352
3353         [Re-landing] Change JSLock to stash PlatformThread instead of std::thread::id.
3354         https://bugs.webkit.org/show_bug.cgi?id=168996
3355
3356         Reviewed by Filip Pizlo and Saam Barati.
3357
3358         PlatformThread is more useful because it allows us to:
3359         1. find the MachineThreads::Thread which is associated with it.
3360         2. suspend / resume threads.
3361         3. send a signal to a thread.
3362
3363         We can't do those with std::thread::id.  We will need one or more of these
3364         capabilities to implement non-polling VM traps later.
3365
3366         Update: Since we don't have a canonical "uninitialized" value for PlatformThread,
3367         we now have a JSLock::m_hasOwnerThread flag that is set to true if and only if the
3368         m_ownerThread value is valid.  JSLock::currentThreadIsHoldingLock() now checks
3369         JSLock::m_hasOwnerThread before doing the thread identity comparison.
3370
3371         * JavaScriptCore.xcodeproj/project.pbxproj:
3372         * heap/MachineStackMarker.cpp:
3373         (JSC::MachineThreads::Thread::createForCurrentThread):
3374         (JSC::MachineThreads::machineThreadForCurrentThread):
3375         (JSC::MachineThreads::removeThread):
3376         (JSC::MachineThreads::Thread::suspend):
3377         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3378         (JSC::getCurrentPlatformThread): Deleted.
3379         * heap/MachineStackMarker.h: