We are too conservative about the effects of PushWithScope
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-15  Robin Morisset  <rmorisset@apple.com>

        We are too conservative about the effects of PushWithScope
        https://bugs.webkit.org/show_bug.cgi?id=175584

        Reviewed by Saam Barati.

        PushWithScope converts its argument to an object (this can throw a type error,
        but has no other observable effect), and allocates a new scope that it then
        makes the new current scope. We were a bit too
        conservative in saying that it clobbers the world.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Make DataTransferItemList work with plain text entries
        https://bugs.webkit.org/show_bug.cgi?id=175596

        Reviewed by Wenson Hsieh.

        Added DataTransferItem as a common identifier since it's a runtime enabled feature.

        * runtime/CommonIdentifiers.h:

2017-08-15  Robin Morisset  <rmorisset@apple.com>

        Support the 'with' keyword in FTL
        https://bugs.webkit.org/show_bug.cgi?id=175585

        Reviewed by Saam Barati.

        Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
        and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
        to the other at a different step, which was quite confusing. I picked this order for consistency with CreateActivation
        that takes its parentScope argument first.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPushWithScope):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::create):
        * runtime/JSWithScope.h:

2017-08-15  Saam Barati  <sbarati@apple.com>

        Make VM::scratchBufferForSize thread safe
        https://bugs.webkit.org/show_bug.cgi?id=175604

        Reviewed by Geoffrey Garen and Mark Lam.

        I want to use the VM::scratchBufferForSize in another patch I'm writing.
        The use case for my other patch is to call it from the compiler thread.
        When reading the code, I saw that this API was not thread safe. This patch
        makes it thread safe. It actually turns out we were calling this API from
        the compiler thread already when we created FTL::State for an FTL OSR entry
        compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
        is now correct with this patch.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::gatherConservativeRoots):
        (JSC::VM::scratchBufferForSize):
        * runtime/VM.h:
        (JSC::VM::scratchBufferForSize): Deleted.

2017-08-15  Keith Miller  <keith_miller@apple.com>

        JSC named bytecode offsets should use references rather than pointers
        https://bugs.webkit.org/show_bug.cgi?id=175601

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):

2017-08-15  Keith Miller  <keith_miller@apple.com>

        Enable named offsets into JSC bytecodes
        https://bugs.webkit.org/show_bug.cgi?id=175561

        Reviewed by Mark Lam.

        This patch adds the ability to add named offsets into JSC's
        bytecodes.  In the bytecode json file, instead of listing a
        length, you can now list a set of names and their types. Each
        opcode with an offsets property will have a struct named after the
        opcode in our C++ naming style. For example,
        op_overrides_has_instance would become OpOverridesHasInstance. The
        struct has the same memory layout as the instruction list has but
        comes with handy named accessors.

        As a first cut I converted the various instanceof bytecodes to use
        named offsets.

        As an example op_overrides_has_instance produces the following struct:

        struct OpOverridesHasInstance {
        public:
            Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
            const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
            int& dst() { return *reinterpret_cast<int*>(&m_dst); }
            const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
            int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
            const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
            int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
            const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

        private:
            friend class LLIntOffsetsExtractor;
            std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
            std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
            std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
            std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
        };
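        As an added illustration (not code from the WebKit tree), the following C++ models the
        layout contract such a generated struct relies on: a constructed Instruction slot type,
        the OpOverridesHasInstance struct as shown above, static_asserts that the struct is
        exactly four slots, and an emit/decode round trip that reads the operands through the
        named accessors instead of indexing currentInstruction[1], [2], [3] by hand. The
        Instruction union, the Opcode enum and the helper names are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <type_traits>
#include <vector>

// Toy instruction stream (constructed for this example; not JSC's real Instruction
// type). Each slot is one machine word holding either an opcode or an operand, so
// sizeof(Instruction) is the stride between named offsets.
enum Opcode : uint32_t { op_nop = 0, op_overrides_has_instance = 1 };

union Instruction {
    Opcode opcode;
    int operand;
    const void* threadedOpcodeAddress; // keeps the slot pointer-sized, as a direct-threaded interpreter would
};

// What the generator emits for an opcode with named offsets: one aligned_storage
// member per slot, aligned to sizeof(Instruction) so each member lands exactly
// where currentInstruction[0], [1], [2], [3] would.
struct OpOverridesHasInstance {
public:
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// The layout contract: the struct must be exactly four consecutive slots, in order.
static_assert(sizeof(OpOverridesHasInstance) == 4 * sizeof(Instruction),
    "named-offset struct must match the instruction list layout");
static_assert(std::is_standard_layout<OpOverridesHasInstance>::value,
    "members must be laid out in declaration order");

constexpr size_t kOpOverridesHasInstanceLength = 4; // opcode + 3 operands

// Emits the instruction the way a bytecode generator would: raw slots, in order.
void emitOverridesHasInstance(std::vector<Instruction>& stream, int dst, int constructor, int hasInstanceValue)
{
    Instruction slot{};
    slot.opcode = op_overrides_has_instance; stream.push_back(slot);
    slot.operand = dst; stream.push_back(slot);
    slot.operand = constructor; stream.push_back(slot);
    slot.operand = hasInstanceValue; stream.push_back(slot);
}

// Views the slots at `offset` through the named struct. This is a type pun over the
// instruction array, which is exactly why the static_asserts above matter.
const OpOverridesHasInstance& viewOverridesHasInstance(const std::vector<Instruction>& stream, size_t offset)
{
    return *reinterpret_cast<const OpOverridesHasInstance*>(&stream[offset]);
}

struct DecodedOverridesHasInstance { int dst; int constructor; int hasInstanceValue; };

// Decodes through the named accessors; returns {-1, -1, -1} if `offset` is out of
// range or does not sit on an op_overrides_has_instance opcode slot.
DecodedOverridesHasInstance decodeOverridesHasInstance(const std::vector<Instruction>& stream, size_t offset)
{
    if (offset + kOpOverridesHasInstanceLength > stream.size())
        return { -1, -1, -1 };
    const OpOverridesHasInstance& op = viewOverridesHasInstance(stream, offset);
    if (op.opcode() != op_overrides_has_instance)
        return { -1, -1, -1 };
    return { op.dst(), op.constructor(), op.hasInstanceValue() };
}

// Builds a two-instruction stream and decodes the second one (offset 4).
DecodedOverridesHasInstance demoDecodeSecondInstruction()
{
    std::vector<Instruction> stream;
    emitOverridesHasInstance(stream, 5, 2, 3);
    emitOverridesHasInstance(stream, 7, 3, 9);
    return decodeOverridesHasInstance(stream, kOpOverridesHasInstanceLength);
}

// Decoding at a slot that is not an opcode boundary (offset 1 holds dst = 5) is rejected.
bool demoMisalignedOffsetIsRejected()
{
    std::vector<Instruction> stream;
    emitOverridesHasInstance(stream, 5, 2, 3);
    emitOverridesHasInstance(stream, 7, 3, 9);
    return decodeOverridesHasInstance(stream, 1).dst == -1;
}
```

        The opcode check in decodeOverridesHasInstance is the one guard the accessors themselves do not
        give you: the struct view is only meaningful at an instruction boundary, which the static_asserts
        cannot enforce at runtime.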

        * CMakeLists.txt:
        * DerivedSources.make:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/BytecodeList.json:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * generate-bytecode-files:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_overrides_has_instance):
        (JSC::JIT::emit_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof):
        (JSC::JIT::emitSlow_op_instanceof_custom):
        * llint/LLIntOffsetsExtractor.cpp:
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter32_64.asm:
        * llint/LowLevelInterpreter64.asm:

2017-08-15  Mark Lam  <mark.lam@apple.com>

        Update testmasm to use new CPUState APIs.
        https://bugs.webkit.org/show_bug.cgi?id=175573

        Reviewed by Keith Miller.

        1. Applied convenience CPUState accessors to minimize casting.
        2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
           messages.
        3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
           casting is (mostly) no longer an issue.
        4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
           to make it clear that we're comparing against the bit values of testWord64(id).
        5. Added a "Completed N tests" message at the end of running all tests.
           This makes it easy to tell at a glance that testmasm completed successfully
           versus when it crashed midway in a test.  The number of tests also serves as
           a quick checksum to confirm that we ran the number of tests we expected.

        * assembler/testmasm.cpp:
        (WTF::printInternal):
        (JSC::testSimple):
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::run):

2017-08-14  Keith Miller  <keith_miller@apple.com>

        Add testing tool to lie to the DFG about profiles
        https://bugs.webkit.org/show_bug.cgi?id=175487

        Reviewed by Saam Barati.

        This patch adds a new bytecode identity_with_profile that lets
        us lie to the DFG about what profiles it has seen as the input to
        another bytecode. Previously, there was no reliable way to force
        a given profile when we tiered up.

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeIntrinsicRegistry.h:
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        (JSC::computeDefsForBytecodeOffset):
        * bytecode/SpeculatedType.cpp:
        (JSC::speculationFromString):
        * bytecode/SpeculatedType.h:
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitIdWithProfile):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGMayExit.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::getForcedPrediction):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGValidate.cpp:
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_identity_with_profile):
        * jit/JITOpcodes32_64.cpp:
        (JSC::JIT::emit_op_identity_with_profile):
        * llint/LowLevelInterpreter.asm:

2017-08-14  Simon Fraser  <simon.fraser@apple.com>

        Remove Proximity Events and related code
        https://bugs.webkit.org/show_bug.cgi?id=175545

        Reviewed by Daniel Bates.

        No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
        and other related code.

        * Configurations/FeatureDefines.xcconfig:

2017-08-14  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
        https://bugs.webkit.org/show_bug.cgi?id=175504

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-08-14  Simon Fraser  <simon.fraser@apple.com>

        Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
        https://bugs.webkit.org/show_bug.cgi?id=175557

        Reviewed by Jon Lee.

        No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.

        * Configurations/FeatureDefines.xcconfig:

2017-08-14  Robin Morisset  <rmorisset@apple.com>

        Support the 'with' keyword in DFG
        https://bugs.webkit.org/show_bug.cgi?id=175470

        Reviewed by Saam Barati.

        Not particularly optimized at the moment, the goal is just to avoid
        the DFG bailing out of any function with this keyword.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGCapabilities.cpp:
        (JSC::DFG::capabilityLevel):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGNodeType.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-14  Mark Lam  <mark.lam@apple.com>

        Add some convenience utility accessor methods to MacroAssembler::CPUState.
        https://bugs.webkit.org/show_bug.cgi?id=175549
        <rdar://problem/33884868>

        Reviewed by Saam Barati.

        Previously, in order to read ProbeContext CPUState registers, we used to need to
        do it this way:

            ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
            uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
            void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
            uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));

        With this patch, we can now read them this way instead:

            ExecState* exec = cpu.fp<ExecState*>();
            uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
            void* p = cpu.gpr<void*>(GPRInfo::regT1);
            uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
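        An added example (not JSC's CPUState) of how such typed accessors can be implemented:
        a constructed register snapshot where gpr<T>() and fpr<T>() select reinterpret_cast,
        static_cast or a byte copy from T, so the "before" casts move into the accessor once.
        The register ids, the FakeFrame type and the sample register values are constructed
        for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <type_traits>

// Toy register snapshot (constructed for this example; not JSC's
// MacroAssembler::CPUState). GPRs are captured as raw machine words, FPRs as the
// 64-bit bit pattern the register held.
enum GPRID { regT0, regT1, regFP, numberOfGPRs };
enum FPRID { fpRegT0, numberOfFPRs };

template<typename To, typename From>
To bitwiseCast(From from)
{
    static_assert(sizeof(To) == sizeof(From), "bitwise cast needs equal sizes");
    To to;
    std::memcpy(&to, &from, sizeof(To));
    return to;
}

struct CPUState {
    uintptr_t gprs[numberOfGPRs] = {};
    uint64_t fprs[numberOfFPRs] = {};

    // Untyped reads: every caller has to pick a cast (the "before" style).
    uintptr_t gpr(GPRID id) const { return gprs[id]; }
    double fpr(FPRID id) const { return bitwiseCast<double>(fprs[id]); }

    // Typed reads: the accessor chooses the conversion from T, so call sites read
    // cpu.gpr<uint32_t>(regT0) or cpu.gpr<void*>(regT1) with no cast of their own.
    template<typename T>
    typename std::enable_if<std::is_pointer<T>::value, T>::type gpr(GPRID id) const
    {
        return reinterpret_cast<T>(gprs[id]);
    }
    template<typename T>
    typename std::enable_if<std::is_integral<T>::value, T>::type gpr(GPRID id) const
    {
        static_assert(sizeof(T) <= sizeof(uintptr_t), "T must fit in a machine word");
        return static_cast<T>(gprs[id]); // truncates to narrower integer types
    }
    template<typename T>
    typename std::enable_if<std::is_floating_point<T>::value, T>::type fpr(FPRID id) const
    {
        return bitwiseCast<T>(fprs[id]); // the double the register holds
    }
    template<typename T>
    typename std::enable_if<std::is_integral<T>::value, T>::type fpr(FPRID id) const
    {
        static_assert(sizeof(T) == sizeof(uint64_t), "integer view of an FPR is 64-bit");
        return static_cast<T>(fprs[id]); // its raw bits, for CHECK_EQ-style comparison
    }
    // Frame pointer, viewed as whatever pointer type the probe wants.
    template<typename T = void*>
    T fp() const { return gpr<T>(regFP); }
};

// Constructed sample state: a value with the sign bit set in regT0, the address of
// a known int in regT1, a fake frame record in regFP, and 1.5 in fpRegT0.
struct FakeFrame { int callerSlot; };
static int g_knownInt = 42;
static FakeFrame g_frame = { 99 };

CPUState sampleState()
{
    CPUState cpu;
    cpu.gprs[regT0] = static_cast<uintptr_t>(0x80000001u);
    cpu.gprs[regT1] = reinterpret_cast<uintptr_t>(&g_knownInt);
    cpu.gprs[regFP] = reinterpret_cast<uintptr_t>(&g_frame);
    cpu.fprs[fpRegT0] = bitwiseCast<uint64_t>(1.5);
    return cpu;
}

// What a probe body sees when it reads the registers through the typed accessors.
struct ProbeRead { uint32_t u32; int32_t i32; int pointee; int callerSlot; double d; uint64_t dBits; };

ProbeRead readViaTypedAccessors()
{
    CPUState cpu = sampleState();
    ProbeRead r;
    r.u32 = cpu.gpr<uint32_t>(regT0);
    r.i32 = cpu.gpr<int32_t>(regT0); // same bits, viewed as signed
    r.pointee = *cpu.gpr<const int*>(regT1);
    r.callerSlot = cpu.fp<FakeFrame*>()->callerSlot;
    r.d = cpu.fpr<double>(fpRegT0);
    r.dBits = cpu.fpr<uint64_t>(fpRegT0);
    return r;
}
```

        The static_asserts are what make the typed form safer than the old casts: asking for a type wider
        than a machine word, or a 32-bit integer view of an FPR, fails to compile instead of silently
        reading the wrong width.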

        * assembler/MacroAssembler.h:
        (JSC:: const):
        (JSC::MacroAssembler::CPUState::fpr const):
        (JSC::MacroAssembler::CPUState::pc const):
        (JSC::MacroAssembler::CPUState::fp const):
        (JSC::MacroAssembler::CPUState::sp const):
        (JSC::ProbeContext::pc):
        (JSC::ProbeContext::fp):
        (JSC::ProbeContext::sp):

2017-08-12  Filip Pizlo  <fpizlo@apple.com>

        Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174921

        Reviewed by Mark Lam.

        Uses CagedUniquePtr<> to cage the ScopeOffset array.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/ScopedArgumentsTable.cpp:
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::setLength):
        * runtime/ScopedArgumentsTable.h:

2017-08-14  Mark Lam  <mark.lam@apple.com>

        Gardening: fix Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=175446

        Not reviewed.

        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::booleanTrueForAvoidingNoReturnDeclaration):
        (JSC::ctiMasmProbeTrampoline):

2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
        https://bugs.webkit.org/show_bug.cgi?id=175512
        <rdar://problem/33863584>

        Reviewed by Mark Lam.

        * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
        * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.

2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>

        ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
        https://bugs.webkit.org/show_bug.cgi?id=175513

        Reviewed by Mark Lam.

        * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.

2017-08-12  Filip Pizlo  <fpizlo@apple.com>

        FTL's compileGetTypedArrayByteOffset needs to do caging
        https://bugs.webkit.org/show_bug.cgi?id=175366

        Reviewed by Saam Barati.

        While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
        fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
        * runtime/ArrayBuffer.h:
        * runtime/ArrayBufferView.h:
        * runtime/JSArrayBufferView.h:

2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>

        Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
        https://bugs.webkit.org/show_bug.cgi?id=175474
        <rdar://problem/33844628>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/CommonIdentifiers.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        Caging shouldn't have to use a patchpoint for adding
        https://bugs.webkit.org/show_bug.cgi?id=175483

        Reviewed by Mark Lam.

        Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
        constants and associative operations dictate that you always want to sink constants. For example,
        Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
        typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
        we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
        sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
        reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
        constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
        It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
        hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
        our current constant reassociation heuristics are wrong is caging. So, we can get away with some
        hacks for just stopping B3's reassociation only in this specific case.

        Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
        OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
        the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
        that if we cage the same pointer in two places, both places will compute the same value.

        This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
        if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
        they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
        that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
        up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
        enough scale to warrant new opcodes.)

        This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
        makes the code a bit less ugly.
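        An added toy model (not B3's code) of the reassociation problem described above: a miniature
        IR with a constant-sinking rewrite, an Opaque node the rewrite cannot look through, a
        CSE-style key that patchpoints lack, and a lowering step that drops Opaque. The sample cage
        base, the node shapes and the choice to wrap the base constant in Opaque are assumptions of
        the example; the page does not state exactly where caged() places the Opaque.

```cpp
#include <cstdint>
#include <deque>
#include <map>
#include <string>
#include <utility>

// Toy B3-style IR (constructed for this example; not JSC's B3 classes).
enum class Op { Const, Arg, Add, Opaque, Patchpoint };

struct Value {
    Op op;
    int64_t constant = 0; // Const only
    std::string name;     // Arg only
    Value* a = nullptr;   // child (unary ops), left child (Add)
    Value* b = nullptr;   // right child (Add only)
};

struct Procedure {
    std::deque<Value> pool; // deque keeps Value addresses stable
    Value* make(Value v) { pool.push_back(std::move(v)); return &pool.back(); }
    Value* constant(int64_t c) { Value v{Op::Const}; v.constant = c; return make(v); }
    Value* arg(const std::string& n) { Value v{Op::Arg}; v.name = n; return make(v); }
    Value* add(Value* x, Value* y) { Value v{Op::Add}; v.a = x; v.b = y; return make(v); }
    Value* opaque(Value* x) { Value v{Op::Opaque}; v.a = x; return make(v); }
    Value* patchpoint(Value* x) { Value v{Op::Patchpoint}; v.a = x; return make(v); }
};

// Constant sinking as the page describes it: Add(Add(x, C), y) -> Add(Add(x, y), C).
// Opaque and Patchpoint are unknown unary ops, so the rewrite never looks through
// them; a cage base wrapped in Opaque is not a constant it can sink.
Value* reassociate(Value* v)
{
    if (v->op != Op::Add)
        return v;
    v->a = reassociate(v->a);
    v->b = reassociate(v->b);
    if (v->a->op == Op::Const)
        std::swap(v->a, v->b); // canonical form: constant on the right
    Value* inner = v->a;
    if (inner->op == Op::Add && inner->b->op == Op::Const && v->b->op != Op::Const) {
        std::swap(inner->b, v->b); // inner becomes Add(x, y), outer becomes Add(inner, C)
        return reassociate(v);     // the rotated tree may allow further sinking
    }
    return v;
}

std::string print(const Value* v)
{
    switch (v->op) {
    case Op::Const: return std::to_string(v->constant);
    case Op::Arg: return v->name;
    case Op::Add: return "Add(" + print(v->a) + ", " + print(v->b) + ")";
    case Op::Opaque: return "Opaque(" + print(v->a) + ")";
    case Op::Patchpoint: return "Patchpoint(" + print(v->a) + ")";
    }
    return "?";
}

// ValueKey as CSE sees it: a patchpoint has no key (the empty string here), so
// nothing containing one is ever CSE'd; Opaque(x) keys on x, so two cagings of the
// same base can be shared.
std::string key(const Value* v)
{
    if (v->op == Op::Patchpoint || (v->a && key(v->a).empty()) || (v->b && key(v->b).empty()))
        return "";
    return print(v);
}

// LowerToAir treats Opaque(x) as plain x; the toy patchpoint just forwards its input.
int64_t lowerAndEvaluate(const Value* v, const std::map<std::string, int64_t>& args)
{
    switch (v->op) {
    case Op::Const: return v->constant;
    case Op::Arg: return args.at(v->name);
    case Op::Add: return lowerAndEvaluate(v->a, args) + lowerAndEvaluate(v->b, args);
    case Op::Opaque: case Op::Patchpoint: return lowerAndEvaluate(v->a, args);
    }
    return 0;
}

constexpr int64_t kCageBase = int64_t(1) << 36; // constructed sample base, not a real Gigacage address

struct CagedAccessResult { std::string ir; int64_t address; };

// A caged pointer plus an index, Add(Add(ptr, base), index), with the base either bare
// or wrapped in Opaque: the IR after constant sinking, and the address it computes once
// lowered for ptr = 16, index = 8 (Opaque costs nothing in Air, so both shapes agree).
CagedAccessResult cagedAccess(bool wrapBaseInOpaque)
{
    Procedure proc;
    Value* base = proc.constant(kCageBase);
    Value* caged = proc.add(proc.arg("ptr"), wrapBaseInOpaque ? proc.opaque(base) : base);
    Value* access = reassociate(proc.add(caged, proc.arg("index")));
    return { print(access), lowerAndEvaluate(access, {{"ptr", 16}, {"index", 8}}) };
}

// Two cagings of the same pointer: hidden in a patchpoint (the old approach) they
// never share a key; wrapped in Opaque (this patch) they do.
bool cagingIsCseable(bool usePatchpoint)
{
    Procedure proc;
    Value* ptr = proc.arg("ptr");
    auto hide = [&](Value* base) { return usePatchpoint ? proc.patchpoint(base) : proc.opaque(base); };
    std::string k1 = key(proc.add(ptr, hide(proc.constant(kCageBase))));
    std::string k2 = key(proc.add(ptr, hide(proc.constant(kCageBase))));
    return !k1.empty() && k1 == k2;
}
```

        With the bare constant, the rewrite produces Add(Add(ptr, index), base): the shared base has been
        pushed to the outside of each access, which is the shape that defeats hoisting it. With the base
        behind Opaque, the tree is left alone, and the two cagings still share a key, which the patchpoint
        form never does.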

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects const):
        (JSC::B3::Value::key const):
        (JSC::B3::Value::isFree const):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize const):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::opaque):
        * ftl/FTLOutput.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        ScopedArguments overflow storage needs to be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174923

        Reviewed by Saam Barati.

        ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
        object into the JSValue gigacage.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        (JSC::ScopedArguments::overflowStorage const):

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        JSLexicalEnvironment needs to be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174922

        Reviewed by Michael Saboff.

        We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
        the only random accesses use pointer caging.

        We don't need to do anything to normal lexical environment accesses.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::subspaceFor):
        (JSC::JSEnvironmentRecord::variables):

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        DirectArguments should be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174920

        Reviewed by Michael Saboff.

        This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
        indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
        because they always operate on a DirectArguments that is pointed to directly from the stack, they are
        required to use fixed offsets, and you can only store JSValues.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        (JSC::DirectArguments::storage):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a FIXME.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):

2017-08-10  Sam Weinig  <sam@webkit.org>

        WTF::Function does not allow for reference / non-default constructible return types
        https://bugs.webkit.org/show_bug.cgi?id=175244

        Reviewed by Chris Dumez.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::transferTo):
        Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
        destroy call needed to be a no-op anyway, since the data is being moved.

2017-08-11  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175446
        <rdar://problem/33836545>

        Not reviewed.

        * assembler/MacroAssemblerPrinter.cpp:

2017-08-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should do caging
        https://bugs.webkit.org/show_bug.cgi?id=174918

        Reviewed by Saam Barati.

        Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
        the conditional caging with a watchpoint.

        This might be a 1% SunSpider slow-down, but it's not clear.
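        An added model (not WebKit code) of what a cage() call computes and why it is a mitigation,
        covering this entry and the gigacage entries above it: a constructed, size-aligned region with
        caged(ptr) = base + (ptr & mask), a valid storage pointer that caging leaves unchanged, and a
        constructed corrupted pointer that caging pulls back inside the region, so a write through it
        cannot reach memory outside the cage. The sizes, names and bump allocator are assumptions of
        the example; the DFG's watchpoint-guarded conditional caging is noted in a comment but not modelled.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy cage (constructed for this example; sizes and layout are not Gigacage's).
// A power-of-two region aligned to its own size, so that for any pointer p inside it
// base + (p & mask) == p, while any pointer outside it is pulled back into the region.
class ToyCage {
public:
    explicit ToyCage(unsigned sizeLog2)
        : m_size(size_t(1) << sizeLog2)
        , m_mask(m_size - 1)
        , m_backing(2 * m_size) // over-allocate so the base can be aligned by hand
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(m_backing.data());
        m_base = (raw + m_mask) & ~m_mask;
    }

    uintptr_t base() const { return m_base; }
    uintptr_t mask() const { return m_mask; }

    bool contains(const void* p) const
    {
        uintptr_t u = reinterpret_cast<uintptr_t>(p);
        return u >= m_base && u < m_base + m_size;
    }

    // Bump allocation inside the cage; returns nullptr when the cage is full.
    uint8_t* allocate(size_t bytes)
    {
        if (m_used + bytes > m_size)
            return nullptr;
        uint8_t* p = reinterpret_cast<uint8_t*>(m_base + m_used);
        m_used += bytes;
        return p;
    }

    // The operation the JIT tiers emit before an indexed access to caged storage:
    // Add(BitAnd(ptr, mask), base). Whatever `ptr` holds, the result lies in
    // [base, base + size), so a corrupted storage pointer cannot reach memory outside
    // the cage. (The DFG emits this conditionally, guarded by a watchpoint on the cage
    // being enabled; that guard is not modelled here.)
    template<typename T>
    T* caged(T* ptr) const
    {
        uintptr_t offset = reinterpret_cast<uintptr_t>(ptr) & m_mask;
        return reinterpret_cast<T*>(m_base + offset);
    }

private:
    size_t m_size;
    uintptr_t m_mask;
    std::vector<uint8_t> m_backing;
    uintptr_t m_base = 0;
    size_t m_used = 0;
};

struct CagingDemo {
    bool validPointerUnchanged;    // caging is the identity for in-cage pointers
    bool corruptPointerOutside;    // the constructed bad pointer really was outside
    bool corruptPointerRedirected; // and caging moved it back inside
    bool writeStayedInCage;        // the write through the caged pointer did not touch outside memory
};

static uint8_t g_outsideBuffer[64]; // stands in for memory a corrupted pointer might aim at

CagingDemo runCagingDemo()
{
    ToyCage cage(20); // 1 MiB
    uint8_t* storage = cage.allocate(64);
    for (size_t i = 0; i < 64; ++i)
        storage[i] = static_cast<uint8_t>(i);

    uint8_t* corrupt = g_outsideBuffer; // constructed: a storage pointer overwritten to point outside
    uint8_t* redirected = cage.caged(corrupt);
    g_outsideBuffer[0] = 0;
    redirected[0] = 0xAA; // lands somewhere inside the cage, never in g_outsideBuffer

    CagingDemo result;
    result.validPointerUnchanged = cage.caged(storage) == storage;
    result.corruptPointerOutside = !cage.contains(corrupt);
    result.corruptPointerRedirected = cage.contains(redirected);
    result.writeStayedInCage = g_outsideBuffer[0] == 0 && cage.contains(redirected);
    return result;
}
```

        The cost of the mitigation is the AND and ADD on every caged access, which is the SunSpider
        slow-down the entry mentions; what it buys is that a corrupted pointer to caged storage only
        ever yields reads and writes within the cage.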

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for x86 GTK port
        https://bugs.webkit.org/show_bug.cgi?id=175446

        Use pushfl/popfl instead of pushfd/popfd.

        * assembler/MacroAssemblerX86Common.cpp:

2017-08-10  Mark Lam  <mark.lam@apple.com>

        Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
        https://bugs.webkit.org/show_bug.cgi?id=175446
        <rdar://problem/33836545>

        Reviewed by Saam Barati.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::print):
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-10  Mark Lam  <mark.lam@apple.com>

        Apply the UNLIKELY macro to some unlikely things.
        https://bugs.webkit.org/show_bug.cgi?id=175440
        <rdar://problem/33834767>

        Reviewed by Yusuke Suzuki.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::jettison):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VM.cpp:
        (JSC::VM::VM):

2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] ThreadSpecific should not introduce additional indirection
        https://bugs.webkit.org/show_bug.cgi?id=175187

        Reviewed by Mark Lam.

        * runtime/Identifier.cpp:

2017-08-10  Tim Horton  <timothy_horton@apple.com>

        Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
        https://bugs.webkit.org/show_bug.cgi?id=175436
        <rdar://problem/33667497>

        Reviewed by Simon Fraser.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):

2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>

        Remove ENABLE_GAMEPAD_DEPRECATED
        https://bugs.webkit.org/show_bug.cgi?id=175361

        Reviewed by Carlos Garcia Campos.

        * Configurations/FeatureDefines.xcconfig:

736 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
737
738         [JSC] Create JSSet constructor that accepts its size as parameter
739         https://bugs.webkit.org/show_bug.cgi?id=173297
740
741         Reviewed by Saam Barati.
742
743         This patch is adding a new constructor to JSSet that gives its
744         expected initial size. It is important to avoid re-hashing and multiple
745         allocations when we know the final size of JSSet, such as in
746         CodeBlock::setConstantIdentifierSetRegisters.
747
748         * bytecode/CodeBlock.cpp:
749         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
750         * runtime/HashMapImpl.h:
751         (JSC::HashMapImpl::HashMapImpl):
752         * runtime/JSSet.h:
753
754 2017-08-09  Commit Queue  <commit-queue@webkit.org>
755
756         Unreviewed, rolling out r220466, r220477, and r220487.
757         https://bugs.webkit.org/show_bug.cgi?id=175411
758
759         This change broke existing API tests and follow up fixes did
760         not resolve all the issues. (Requested by ryanhaddad on
761         #webkit).
762
763         Reverted changesets:
764
765         https://bugs.webkit.org/show_bug.cgi?id=175244
766         http://trac.webkit.org/changeset/220466
767
768         "WTF::Function does not allow for reference / non-default
769         constructible return types"
770         https://bugs.webkit.org/show_bug.cgi?id=175244
771         http://trac.webkit.org/changeset/220477
772
773         https://bugs.webkit.org/show_bug.cgi?id=175244
774         http://trac.webkit.org/changeset/220487
775
776 2017-08-09  Caitlin Potter  <caitp@igalia.com>
777
778         Early error on ANY operator before new.target
779         https://bugs.webkit.org/show_bug.cgi?id=157970
780
781         Reviewed by Saam Barati.
782
783         Instead of throwing if any unary operator precedes new.target, only
784         throw if the unary operator updates the reference.
785
786         The following become legal in JSC:
787
788         ```
789         !new.target
790         ~new.target
791         typeof new.target
792         delete new.target
793         void new.target
794         ```
795
796         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
797
798         * parser/Parser.cpp:
799         (JSC::Parser<LexerType>::parseUnaryExpression):
800
801 2017-08-09  Sam Weinig  <sam@webkit.org>
802
803         WTF::Function does not allow for reference / non-default constructible return types
804         https://bugs.webkit.org/show_bug.cgi?id=175244
805
806         Reviewed by Chris Dumez.
807
808         * runtime/ArrayBuffer.cpp:
809         (JSC::ArrayBufferContents::transferTo):
810         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
811         destroy call needed to be a no-op anyway, since the data is being moved.
812
813 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
814
815         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
816         https://bugs.webkit.org/show_bug.cgi?id=175392
817         <rdar://problem/33783207>
818
819         Reviewed by Tim Horton and Megan Gardner.
820
821         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
822
823         * Configurations/FeatureDefines.xcconfig:
824
825 2017-08-09  Robin Morisset  <rmorisset@apple.com>
826
827         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
828         https://bugs.webkit.org/show_bug.cgi?id=175358
829
830         Reviewed by Mark Lam.
831
832         * jit/JITOperations.cpp:
833         * runtime/JSObjectInlines.h:
834         (JSC::JSObject::putInlineForJSObject):
835
836 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
837
838         Unreviewed, rolling out r220457.
839
840         This change introduced API test failures.
841
842         Reverted changeset:
843
844         "WTF::Function does not allow for reference / non-default
845         constructible return types"
846         https://bugs.webkit.org/show_bug.cgi?id=175244
847         http://trac.webkit.org/changeset/220457
848
849 2017-08-09  Sam Weinig  <sam@webkit.org>
850
851         WTF::Function does not allow for reference / non-default constructible return types
852         https://bugs.webkit.org/show_bug.cgi?id=175244
853
854         Reviewed by Chris Dumez.
855
856         * runtime/ArrayBuffer.cpp:
857         (JSC::ArrayBufferContents::transferTo):
858         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
859         destroy call needed to be a no-op anyway, since the data is being moved.
860
861 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
862
863         REGRESSION: 2 test262/test/language/statements/async-function failures
864         https://bugs.webkit.org/show_bug.cgi?id=175334
865
866         Reviewed by Yusuke Suzuki.
867
868         Switch off useAsyncIterator by default
869
870         * runtime/Options.h:
871
872 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
873
874         ICs should do caging
875         https://bugs.webkit.org/show_bug.cgi?id=175295
876
877         Reviewed by Saam Barati.
878         
879         Adds the appropriate cage() calls in our inline caches.
880
881         * bytecode/AccessCase.cpp:
882         (JSC::AccessCase::generateImpl):
883         * bytecode/InlineAccess.cpp:
884         (JSC::InlineAccess::dumpCacheSizesAndCrash):
885         (JSC::InlineAccess::generateSelfPropertyAccess):
886         (JSC::InlineAccess::generateSelfPropertyReplace):
887         (JSC::InlineAccess::generateArrayLength):
888
889 2017-08-08  Devin Rousso  <drousso@apple.com>
890
891         Web Inspector: Canvas: support editing WebGL shaders
892         https://bugs.webkit.org/show_bug.cgi?id=124211
893         <rdar://problem/15448958>
894
895         Reviewed by Matt Baker.
896
897         * inspector/protocol/Canvas.json:
898         Add `updateShader` command that will change the given shader's source to the provided string,
899         recompile, and relink it to its associated program.
900         Drive-by: add description to `requestShaderSource` command.
901
902 2017-08-08  Robin Morisset  <rmorisset@apple.com>
903
904         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
905         https://bugs.webkit.org/show_bug.cgi?id=175347
906
907         Reviewed by Saam Barati.
908
909         This is done by making finishCreation explicitly check for exceptions after setConstantRegisters and setConstantIdentifierSetRegisters.
910         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
911         negligible considering how much more finishCreation does.
912         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
913         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
914
915         * bytecode/CodeBlock.cpp:
916         (JSC::CodeBlock::finishCreation):
917         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
918         (JSC::CodeBlock::setConstantRegisters):
919         * bytecode/CodeBlock.h:
920         * runtime/ScriptExecutable.cpp:
921         (JSC::ScriptExecutable::newCodeBlockFor):
922
923 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
924
925         Unreviewed, fix Ubuntu LTS build
926         https://bugs.webkit.org/show_bug.cgi?id=174490
927
928         * inspector/remote/glib/RemoteInspectorGlib.cpp:
929         * inspector/remote/glib/RemoteInspectorServer.cpp:
930
931 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
932
933         Baseline JIT should do caging
934         https://bugs.webkit.org/show_bug.cgi?id=175037
935
936         Reviewed by Mark Lam.
937         
938         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
939         
940         Also modifies FTL caging to be more defensive when caging is disabled.
941         
942         Relanded with fixed AssemblyHelpers::cageConditionally().
943
944         * bytecode/AccessCase.cpp:
945         (JSC::AccessCase::generateImpl):
946         * bytecode/InlineAccess.cpp:
947         (JSC::InlineAccess::dumpCacheSizesAndCrash):
948         (JSC::InlineAccess::generateSelfPropertyAccess):
949         (JSC::InlineAccess::generateSelfPropertyReplace):
950         (JSC::InlineAccess::generateArrayLength):
951         * ftl/FTLLowerDFGToB3.cpp:
952         (JSC::FTL::DFG::LowerDFGToB3::caged):
953         * jit/AssemblyHelpers.h:
954         (JSC::AssemblyHelpers::cage):
955         (JSC::AssemblyHelpers::cageConditionally):
956         * jit/JITPropertyAccess.cpp:
957         (JSC::JIT::emitDoubleLoad):
958         (JSC::JIT::emitContiguousLoad):
959         (JSC::JIT::emitArrayStorageLoad):
960         (JSC::JIT::emitGenericContiguousPutByVal):
961         (JSC::JIT::emitArrayStoragePutByVal):
962         (JSC::JIT::emit_op_get_from_scope):
963         (JSC::JIT::emit_op_put_to_scope):
964         (JSC::JIT::emitIntTypedArrayGetByVal):
965         (JSC::JIT::emitFloatTypedArrayGetByVal):
966         (JSC::JIT::emitIntTypedArrayPutByVal):
967         (JSC::JIT::emitFloatTypedArrayPutByVal):
968         * jsc.cpp:
969         (jscmain):
970         (primitiveGigacageDisabled): Deleted.
971
972 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
973
974         Unreviewed, rolling out r220368.
975
976         This change caused WK1 tests to exit early with crashes.
977
978         Reverted changeset:
979
980         "Baseline JIT should do caging"
981         https://bugs.webkit.org/show_bug.cgi?id=175037
982         http://trac.webkit.org/changeset/220368
983
984 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
985
986         [CMake] Properly test if compiler supports compiler flags
987         https://bugs.webkit.org/show_bug.cgi?id=174490
988
989         Reviewed by Konstantin Tokarev.
990
991         * API/tests/PingPongStackOverflowTest.cpp:
992         (testPingPongStackOverflow):
993         * API/tests/testapi.c:
994         * b3/testb3.cpp:
995         (JSC::B3::testPatchpointLotsOfLateAnys):
996
997 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
998
999         [Linux] Clear WasmMemory with madvise instead of memset
1000         https://bugs.webkit.org/show_bug.cgi?id=175150
1001
1002         Reviewed by Filip Pizlo.
1003
1004         On Linux, zeroing pages with memset populates the backing store.
1005         Instead, we should use madvise with MADV_DONTNEED. It discards the
1006         pages, and if you access them afterwards, on-demand zero pages will
1007         be shown.
1008
1009         We also commit grown pages in all OSes.
1010
1011         * wasm/WasmMemory.cpp:
1012         (JSC::Wasm::commitZeroPages):
1013         (JSC::Wasm::Memory::create):
1014         (JSC::Wasm::Memory::grow):
1015
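The discard-instead-of-memset approach from the WasmMemory entry above, as an added C example that is not JSC's code: it fills a private anonymous mapping, records how many pages are resident with Linux mincore(), discards the region with madvise(MADV_DONTNEED), and checks that the next read yields zeros. It assumes Linux; function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define MAX_PAGES 256

/* Count how many pages of [p, p+len) are currently resident in RAM.
 * Uses Linux mincore(); returns -1 on failure or if the region is too large. */
long resident_pages(void *p, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t npages = (len + page - 1) / page;
    unsigned char vec[MAX_PAGES];
    if (npages > MAX_PAGES || mincore(p, len, vec) != 0)
        return -1;
    long n = 0;
    for (size_t i = 0; i < npages; i++)
        n += vec[i] & 1;
    return n;
}

/* Zero [p, p+len) the way the entry describes: discard the backing pages so
 * the next touch faults in fresh zero-fill pages instead of keeping the old
 * contents resident. Only correct for a private anonymous mapping: on a
 * file-backed or shared mapping MADV_DONTNEED drops dirty data and re-reads
 * the file instead of zeroing. p and len must be page-aligned. Returns 0 on
 * success. */
int zero_by_discard(void *p, size_t len)
{
    return madvise(p, len, MADV_DONTNEED);
}

/* 1 if every byte in [p, p+len) equals v, else 0. */
int all_bytes_are(const unsigned char *p, size_t len, unsigned char v)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] != v)
            return 0;
    return 1;
}

/* Compare the two strategies on an npages-long private anonymous mapping:
 * memset (which populates every page) versus madvise discard. Records the
 * resident page count after each step and verifies that reading the region
 * after the discard yields zeros. Returns 0 on success, a negative code on
 * the first failed step. */
int discard_vs_memset(size_t npages, long *resident_after_memset,
                      long *resident_after_discard)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = npages * page;
    unsigned char *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                            MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return -1;
    int rc = 0;
    memset(p, 0xAA, len);                  /* writes every page: all populated */
    *resident_after_memset = resident_pages(p, len);
    if (!all_bytes_are(p, len, 0xAA)) {
        rc = -2;
    } else if (zero_by_discard(p, len) != 0) {
        rc = -3;
    } else {
        /* measured before touching the region again, so the pages are still discarded */
        *resident_after_discard = resident_pages(p, len);
        if (!all_bytes_are(p, len, 0x00))  /* each read faults in a zero page */
            rc = -4;
    }
    munmap(p, len);
    return rc;
}

int main(void)
{
    long after_memset = 0, after_discard = 0;
    int rc = discard_vs_memset(8, &after_memset, &after_discard);
    printf("rc=%d resident after memset=%ld, after MADV_DONTNEED=%ld\n",
           rc, after_memset, after_discard);
    return rc == 0 ? 0 : 1;
}
```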
1016 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1017
1018         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1019         https://bugs.webkit.org/show_bug.cgi?id=175307
1020
1021         Reviewed by Saam Barati.
1022
1023         ```
1024         let a = new Uint8Array(10);
1025         let b = Object.getOwnPropertyDescriptor(a, 0);
1026         assert(b.configurable === false);
1027         ```
1028         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
1029         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
1030         that says that typed arrays are integer indexed exotic objects.
1031
1032         * runtime/JSGenericTypedArrayViewInlines.h:
1033         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1034
1035 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1036
1037         Baseline JIT should do caging
1038         https://bugs.webkit.org/show_bug.cgi?id=175037
1039
1040         Reviewed by Mark Lam.
1041         
1042         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
1043         
1044         Also modifies FTL caging to be more defensive when caging is disabled.
1045
1046         * ftl/FTLLowerDFGToB3.cpp:
1047         (JSC::FTL::DFG::LowerDFGToB3::caged):
1048         * jit/AssemblyHelpers.h:
1049         (JSC::AssemblyHelpers::cage):
1050         (JSC::AssemblyHelpers::cageConditionally):
1051         * jit/JITPropertyAccess.cpp:
1052         (JSC::JIT::emitDoubleLoad):
1053         (JSC::JIT::emitContiguousLoad):
1054         (JSC::JIT::emitArrayStorageLoad):
1055         (JSC::JIT::emitGenericContiguousPutByVal):
1056         (JSC::JIT::emitArrayStoragePutByVal):
1057         (JSC::JIT::emit_op_get_from_scope):
1058         (JSC::JIT::emit_op_put_to_scope):
1059         (JSC::JIT::emitIntTypedArrayGetByVal):
1060         (JSC::JIT::emitFloatTypedArrayGetByVal):
1061         (JSC::JIT::emitIntTypedArrayPutByVal):
1062         (JSC::JIT::emitFloatTypedArrayPutByVal):
1063         * jsc.cpp:
1064         (jscmain):
1065         (primitiveGigacageDisabled): Deleted.
1066
1067 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1068
1069         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1070         https://bugs.webkit.org/show_bug.cgi?id=174919
1071
1072         Reviewed by Keith Miller.
1073         
1074         This adapts JSC to there being two gigacages.
1075         
1076         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1077         singletons. I don't think we were gaining anything by making them be singletons.
1078         
1079         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1080         gigacages. We'll have one of those allocators per cage.
1081         
1082         From there, this change teaches everyone who previously knew about cages that there are two cages.
1083         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1084         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1085         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1086         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1087         
1088         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1089         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1090
1091         * JavaScriptCore.xcodeproj/project.pbxproj:
1092         * bytecode/AccessCase.cpp:
1093         (JSC::AccessCase::generateImpl):
1094         * dfg/DFGSpeculativeJIT.cpp:
1095         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1096         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1097         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1098         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1099         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1100         * ftl/FTLLowerDFGToB3.cpp:
1101         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1102         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1103         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1104         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1105         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1106         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1107         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1108         (JSC::FTL::DFG::LowerDFGToB3::caged):
1109         * heap/FastMallocAlignedMemoryAllocator.cpp:
1110         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1111         * heap/FastMallocAlignedMemoryAllocator.h:
1112         * heap/GigacageAlignedMemoryAllocator.cpp:
1113         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1114         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1115         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1116         (JSC::GigacageAlignedMemoryAllocator::dump const):
1117         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1118         * heap/GigacageAlignedMemoryAllocator.h:
1119         * jsc.cpp:
1120         (primitiveGigacageDisabled):
1121         (jscmain):
1122         (gigacageDisabled): Deleted.
1123         * llint/LowLevelInterpreter64.asm:
1124         * runtime/ArrayBuffer.cpp:
1125         (JSC::ArrayBufferContents::tryAllocate):
1126         (JSC::ArrayBuffer::createAdopted):
1127         (JSC::ArrayBuffer::createFromBytes):
1128         * runtime/AuxiliaryBarrier.h:
1129         * runtime/ButterflyInlines.h:
1130         (JSC::Butterfly::createUninitialized):
1131         (JSC::Butterfly::tryCreate):
1132         (JSC::Butterfly::growArrayRight):
1133         * runtime/CagedBarrierPtr.h: Added.
1134         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1135         (JSC::CagedBarrierPtr::clear):
1136         (JSC::CagedBarrierPtr::set):
1137         (JSC::CagedBarrierPtr::get const):
1138         (JSC::CagedBarrierPtr::getMayBeNull const):
1139         (JSC::CagedBarrierPtr::operator== const):
1140         (JSC::CagedBarrierPtr::operator!= const):
1141         (JSC::CagedBarrierPtr::operator bool const):
1142         (JSC::CagedBarrierPtr::setWithoutBarrier):
1143         (JSC::CagedBarrierPtr::operator* const):
1144         (JSC::CagedBarrierPtr::operator-> const):
1145         (JSC::CagedBarrierPtr::operator[] const):
1146         * runtime/DirectArguments.cpp:
1147         (JSC::DirectArguments::overrideThings):
1148         (JSC::DirectArguments::unmapArgument):
1149         * runtime/DirectArguments.h:
1150         (JSC::DirectArguments::isMappedArgument const):
1151         * runtime/GenericArguments.h:
1152         * runtime/GenericArgumentsInlines.h:
1153         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1154         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1155         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1156         * runtime/HashMapImpl.cpp:
1157         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1158         * runtime/HashMapImpl.h:
1159         (JSC::HashMapBuffer::create):
1160         (JSC::HashMapImpl::buffer const):
1161         (JSC::HashMapImpl::rehash):
1162         * runtime/JSArray.cpp:
1163         (JSC::JSArray::tryCreateUninitializedRestricted):
1164         (JSC::JSArray::unshiftCountSlowCase):
1165         (JSC::JSArray::setLength):
1166         (JSC::JSArray::pop):
1167         (JSC::JSArray::push):
1168         (JSC::JSArray::fastSlice):
1169         (JSC::JSArray::shiftCountWithArrayStorage):
1170         (JSC::JSArray::shiftCountWithAnyIndexingType):
1171         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1172         (JSC::JSArray::fillArgList):
1173         (JSC::JSArray::copyToArguments):
1174         * runtime/JSArray.h:
1175         (JSC::JSArray::tryCreate):
1176         * runtime/JSArrayBufferView.cpp:
1177         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1178         (JSC::JSArrayBufferView::finalize):
1179         * runtime/JSLock.cpp:
1180         (JSC::JSLock::didAcquireLock):
1181         * runtime/JSObject.cpp:
1182         (JSC::JSObject::heapSnapshot):
1183         (JSC::JSObject::getOwnPropertySlotByIndex):
1184         (JSC::JSObject::putByIndex):
1185         (JSC::JSObject::enterDictionaryIndexingMode):
1186         (JSC::JSObject::createInitialIndexedStorage):
1187         (JSC::JSObject::createArrayStorage):
1188         (JSC::JSObject::convertUndecidedToInt32):
1189         (JSC::JSObject::convertUndecidedToDouble):
1190         (JSC::JSObject::convertUndecidedToContiguous):
1191         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1192         (JSC::JSObject::convertUndecidedToArrayStorage):
1193         (JSC::JSObject::convertInt32ToDouble):
1194         (JSC::JSObject::convertInt32ToContiguous):
1195         (JSC::JSObject::convertInt32ToArrayStorage):
1196         (JSC::JSObject::convertDoubleToContiguous):
1197         (JSC::JSObject::convertDoubleToArrayStorage):
1198         (JSC::JSObject::convertContiguousToArrayStorage):
1199         (JSC::JSObject::setIndexQuicklyToUndecided):
1200         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1201         (JSC::JSObject::deletePropertyByIndex):
1202         (JSC::JSObject::getOwnPropertyNames):
1203         (JSC::JSObject::putIndexedDescriptor):
1204         (JSC::JSObject::defineOwnIndexedProperty):
1205         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1206         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1207         (JSC::JSObject::getNewVectorLength):
1208         (JSC::JSObject::ensureLengthSlow):
1209         (JSC::JSObject::reallocateAndShrinkButterfly):
1210         (JSC::JSObject::allocateMoreOutOfLineStorage):
1211         (JSC::JSObject::getEnumerableLength):
1212         * runtime/JSObject.h:
1213         (JSC::JSObject::getArrayLength const):
1214         (JSC::JSObject::getVectorLength):
1215         (JSC::JSObject::putDirectIndex):
1216         (JSC::JSObject::canGetIndexQuickly):
1217         (JSC::JSObject::getIndexQuickly):
1218         (JSC::JSObject::tryGetIndexQuickly const):
1219         (JSC::JSObject::canSetIndexQuickly):
1220         (JSC::JSObject::setIndexQuickly):
1221         (JSC::JSObject::initializeIndex):
1222         (JSC::JSObject::initializeIndexWithoutBarrier):
1223         (JSC::JSObject::hasSparseMap):
1224         (JSC::JSObject::inSparseIndexingMode):
1225         (JSC::JSObject::butterfly const):
1226         (JSC::JSObject::butterfly):
1227         (JSC::JSObject::outOfLineStorage const):
1228         (JSC::JSObject::outOfLineStorage):
1229         (JSC::JSObject::ensureInt32):
1230         (JSC::JSObject::ensureDouble):
1231         (JSC::JSObject::ensureContiguous):
1232         (JSC::JSObject::ensureArrayStorage):
1233         (JSC::JSObject::arrayStorage):
1234         (JSC::JSObject::arrayStorageOrNull):
1235         (JSC::JSObject::ensureLength):
1236         * runtime/RegExpMatchesArray.h:
1237         (JSC::tryCreateUninitializedRegExpMatchesArray):
1238         * runtime/VM.cpp:
1239         (JSC::VM::VM):
1240         (JSC::VM::~VM):
1241         (JSC::VM::primitiveGigacageDisabledCallback):
1242         (JSC::VM::primitiveGigacageDisabled):
1243         (JSC::VM::gigacageDisabledCallback): Deleted.
1244         (JSC::VM::gigacageDisabled): Deleted.
1245         * runtime/VM.h:
1246         (JSC::VM::gigacageAuxiliarySpace):
1247         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1248         (JSC::VM::primitiveGigacageEnabled):
1249         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1250         (JSC::VM::gigacageEnabled): Deleted.
1251         * wasm/WasmMemory.cpp:
1252         (JSC::Wasm::Memory::create):
1253         (JSC::Wasm::Memory::~Memory):
1254         (JSC::Wasm::Memory::grow):
1255
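An added model, not bmalloc's Gigacage or JSC's code, of the two-cage scheme the entry above describes. It assumes a cage is a power-of-two-sized region aligned to its own size and that caging a pointer means masking off its in-cage offset and rebasing it into the cage; that base-plus-mask mechanism is an assumption the entry does not spell out, and all names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Two separate cages, mirroring the Primitive / JSValue split in the entry. */
typedef enum { CAGE_PRIMITIVE = 0, CAGE_JSVALUE = 1, CAGE_KIND_COUNT = 2 } cage_kind;

struct cage {
    uintptr_t base;    /* start of the region; aligned to its size */
    uintptr_t mask;    /* size - 1, with size a power of two */
    int enabled;       /* 0 => cage_conditionally() leaves pointers alone */
};

static struct cage cages[CAGE_KIND_COUNT];

/* Reserve a cage of `size` bytes (a power of two). Aligning the region to its
 * own size is what lets (ptr & mask) recover the in-cage offset directly. */
int cage_init(cage_kind kind, size_t size)
{
    if (size == 0 || (size & (size - 1)) != 0)
        return -1;
    void *region = NULL;
    if (posix_memalign(&region, size, size) != 0)
        return -1;
    cages[kind].base = (uintptr_t)region;
    cages[kind].mask = size - 1;
    cages[kind].enabled = 1;
    return 0;
}

void *cage_base(cage_kind kind) { return (void *)cages[kind].base; }

void cage_set_enabled(cage_kind kind, int enabled) { cages[kind].enabled = enabled; }

int cage_contains(cage_kind kind, const void *p)
{
    uintptr_t a = (uintptr_t)p;
    return a >= cages[kind].base && a <= cages[kind].base + cages[kind].mask;
}

/* Unconditional cage (the cage() calls the entries add to the JITs): whatever
 * the pointer holds, the result lands inside this kind's region. A pointer that
 * already points into the cage comes back unchanged; a pointer anywhere else,
 * including into the *other* cage, is rebased to the same offset in this one.
 * That is the point of keeping the cages separate: a corrupted typed-array
 * (Primitive) pointer cannot be steered at a butterfly (JSValue) or at
 * arbitrary memory. */
void *cage_ptr(cage_kind kind, void *p)
{
    const struct cage *c = &cages[kind];
    return (void *)(c->base + ((uintptr_t)p & c->mask));
}

/* Conditional cage: identity when the cage is disabled, so a pointer is never
 * rebased onto a base that is not in use ("more defensive when caging is
 * disabled"). */
void *cage_conditionally(cage_kind kind, void *p)
{
    if (!cages[kind].enabled)
        return p;
    return cage_ptr(kind, p);
}

int main(void)
{
    if (cage_init(CAGE_PRIMITIVE, (size_t)1 << 20) != 0 ||
        cage_init(CAGE_JSVALUE, (size_t)1 << 20) != 0)
        return 1;
    unsigned char *prim = (unsigned char *)cage_base(CAGE_PRIMITIVE) + 4096;
    unsigned char *js = (unsigned char *)cage_base(CAGE_JSVALUE) + 4096;
    int outside = 0;   /* a stack address: outside both cages */
    printf("Primitive pointer caged as Primitive: %s\n",
           cage_ptr(CAGE_PRIMITIVE, prim) == (void *)prim ? "unchanged" : "moved");
    printf("JSValue pointer caged as Primitive: %s\n",
           cage_contains(CAGE_PRIMITIVE, cage_ptr(CAGE_PRIMITIVE, js))
               ? "forced into the Primitive cage" : "escaped");
    printf("Stack pointer caged as JSValue: %s\n",
           cage_contains(CAGE_JSVALUE, cage_ptr(CAGE_JSVALUE, &outside))
               ? "forced into the JSValue cage" : "escaped");
    return 0;
}
```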
1256 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1257
1258         Unreviewed, rolling out r220144.
1259         https://bugs.webkit.org/show_bug.cgi?id=175276
1260
1261         "It did not actually speed things up in the way I expected"
1262         (Requested by saamyjoon on #webkit).
1263
1264         Reverted changeset:
1265
1266         "On memory-constrained iOS devices, reduce the rate at which
1267         the JS heap grows before a GC to try to keep more memory
1268         available for the system"
1269         https://bugs.webkit.org/show_bug.cgi?id=175041
1270         http://trac.webkit.org/changeset/220144
1271
1272 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1273
1274         Unreviewed, rolling out r220299.
1275
1276         This change caused LayoutTest inspector/dom-debugger/dom-
1277         breakpoints.html to fail.
1278
1279         Reverted changeset:
1280
1281         "Web Inspector: capture async stack trace when workers/main
1282         context posts a message"
1283         https://bugs.webkit.org/show_bug.cgi?id=167084
1284         http://trac.webkit.org/changeset/220299
1285
1286 2017-08-07  Brian Burg  <bburg@apple.com>
1287
1288         Remove CANVAS_PATH compilation guard
1289         https://bugs.webkit.org/show_bug.cgi?id=175207
1290
1291         Reviewed by Sam Weinig.
1292
1293         * Configurations/FeatureDefines.xcconfig:
1294
1295 2017-08-07  Keith Miller  <keith_miller@apple.com>
1296
1297         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
1298         https://bugs.webkit.org/show_bug.cgi?id=175256
1299
1300         Reviewed by Saam Barati.
1301
1302         The check in createFromBytes just needed to check that the buffer was not null before
1303         calling isCaged.
1304
1305         * runtime/ArrayBuffer.cpp:
1306         (JSC::ArrayBuffer::createFromBytes):
1307
1308 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
1309
1310         [GTK][WPE] Add API to provide browser information required by automation
1311         https://bugs.webkit.org/show_bug.cgi?id=175130
1312
1313         Reviewed by Brian Burg.
1314
1315         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
1316         get them.
1317
1318         * inspector/remote/RemoteInspector.cpp:
1319         (Inspector::RemoteInspector::updateClientCapabilities): Also update browserName and browserVersion.
1320         * inspector/remote/RemoteInspector.h:
1321         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1322         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
1323         requested to ensure they are updated before StartAutomationSession reply is sent.
1324         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
1325         StartAutomationSession message.
1326
1327 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1328
1329         Promise resolve and reject function should have length = 1
1330         https://bugs.webkit.org/show_bug.cgi?id=175242
1331
1332         Reviewed by Saam Barati.
1333
1334         Previously we had a separate system for "length" and "name" for builtin functions.
1335         The builtin functions do not use the lazy reifying system. Instead, they have direct
1336         properties set when they are instantiated. While a function created for a property (like
1337         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
1338         these builtin functions are just created by JSFunction::create(). Since this does
1339         not set any value for "length", these functions do not have a "length" property.
1340         So, the resolve and reject functions passed to Promise's executor do not have a
1341         "length" property.
1342
1343         This patch makes builtin functions use the standard lazy reifying system for "length".
1344         So, the "length" property of a builtin function just works as it does for normal
1345         functions.
1346
1347         * runtime/JSFunction.cpp:
1348         (JSC::JSFunction::createBuiltinFunction):
1349         (JSC::JSFunction::getOwnPropertySlot):
1350         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1351         (JSC::JSFunction::put):
1352         (JSC::JSFunction::deleteProperty):
1353         (JSC::JSFunction::defineOwnProperty):
1354         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
1355         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
1356         (JSC::JSFunction::reifyLazyLengthIfNeeded):
1357         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
1358         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
1359         * runtime/JSFunction.h:
1360
1361 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
1362
1363         [ESNext] Async iteration - Implement Async Generator - parser
1364         https://bugs.webkit.org/show_bug.cgi?id=175210
1365
1366         Reviewed by Yusuke Suzuki.
1367
1368         The current implementation is a draft version of Async Iteration.
1369         Link to spec: https://tc39.github.io/proposal-async-iteration/
1370
1371         This patch implements only the parser part of the async generator.
1372         The runtime part will be in the next patches.
1373
1374         * parser/ASTBuilder.h:
1375         (JSC::ASTBuilder::createFunctionMetadata):
1376         * parser/Parser.cpp:
1377         (JSC::getAsynFunctionBodyParseMode):
1378         (JSC::Parser<LexerType>::parseInner):
1379         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
1380         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
1381         (JSC::stringArticleForFunctionMode):
1382         (JSC::stringForFunctionMode):
1383         (JSC::Parser<LexerType>::parseFunctionInfo):
1384         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
1385         (JSC::Parser<LexerType>::parseClass):
1386         (JSC::Parser<LexerType>::parseProperty):
1387         (JSC::Parser<LexerType>::parsePropertyMethod):
1388         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
1389         * parser/Parser.h:
1390         (JSC::Scope::setSourceParseMode):
1391         * parser/ParserModes.h:
1392         (JSC::isFunctionParseMode):
1393         (JSC::isAsyncFunctionParseMode):
1394         (JSC::isAsyncArrowFunctionParseMode):
1395         (JSC::isAsyncGeneratorFunctionParseMode):
1396         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
1397         (JSC::isAsyncFunctionWrapperParseMode):
1398         (JSC::isAsyncFunctionBodyParseMode):
1399         (JSC::isGeneratorMethodParseMode):
1400         (JSC::isAsyncMethodParseMode):
1401         (JSC::isAsyncGeneratorMethodParseMode):
1402         (JSC::isMethodParseMode):
1403         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
1404         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
1405
1406 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
1407
1408         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
1409         https://bugs.webkit.org/show_bug.cgi?id=175083
1410
1411         Reviewed by Oliver Hunt.
1412         
1413         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
1414         even if we are using the pop path.
1415         
1416         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
1417         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
1418         the world just because we changed it.
1419         
1420         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
1421         easier to debug leaks.
1422
1423         * bytecode/AccessCase.cpp:
1424         * bytecode/PolymorphicAccess.cpp:
1425         * heap/HeapCell.cpp:
1426         (JSC::HeapCell::isLive):
1427         * heap/HeapCellInlines.h:
1428         (JSC::HeapCell::isLive): Deleted.
1429         * heap/MarkedAllocator.cpp:
1430         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1431         (JSC::MarkedAllocator::endMarking):
1432         * heap/MarkedBlockInlines.h:
1433         (JSC::MarkedBlock::Handle::specializedSweep):
1434         * jit/AssemblyHelpers.cpp:
1435         * jit/Repatch.cpp:
1436         * runtime/TestRunnerUtils.h:
1437         * runtime/VM.cpp:
1438         (JSC::waitForVMDestruction):
1439         (JSC::VM::~VM):
1440
1441 2017-08-05  Mark Lam  <mark.lam@apple.com>
1442
1443         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
1444         https://bugs.webkit.org/show_bug.cgi?id=175228
1445         <rdar://problem/33735737>
1446
1447         Reviewed by Saam Barati.
1448
1449         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
1450         delete OSRExit32_64.cpp.
1451
1452         * CMakeLists.txt:
1453         * JavaScriptCore.xcodeproj/project.pbxproj:
1454         * dfg/DFGOSRExit.cpp:
1455         (JSC::DFG::OSRExit::compileExit):
1456         * dfg/DFGOSRExit32_64.cpp: Removed.
1457         * jit/GPRInfo.h:
1458         (JSC::JSValueSource::payloadGPR const):
1459
1460 2017-08-04  Youenn Fablet  <youenn@apple.com>
1461
1462         [Cache API] Add Cache and CacheStorage IDL definitions
1463         https://bugs.webkit.org/show_bug.cgi?id=175201
1464
1465         Reviewed by Brady Eidson.
1466
1467         * runtime/CommonIdentifiers.h:
1468
1469 2017-08-04  Mark Lam  <mark.lam@apple.com>
1470
1471         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
1472         https://bugs.webkit.org/show_bug.cgi?id=175230
1473         <rdar://problem/33735857>
1474
1475         Reviewed by Saam Barati.
1476
1477         * assembler/testmasm.cpp:
1478         (JSC::testProbeReadsArgumentRegisters):
1479         (JSC::testProbeWritesArgumentRegisters):
1480
1481 2017-08-04  Mark Lam  <mark.lam@apple.com>
1482
1483         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
1484         https://bugs.webkit.org/show_bug.cgi?id=175214
1485         <rdar://problem/33733308>
1486
1487         Rubber-stamped by Michael Saboff.
1488
1489         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
1490         DFGOSRExitCompiler files.
1491
1492         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
1493
1494         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
1495         used by compileOSRExit(), and will be changed to not be a DFG operation function
1496         when we use JIT probes for DFG OSR exits later in
1497         https://bugs.webkit.org/show_bug.cgi?id=175144.
1498
1499         * CMakeLists.txt:
1500         * JavaScriptCore.xcodeproj/project.pbxproj:
1501         * dfg/DFGJITCompiler.cpp:
1502         * dfg/DFGOSRExit.cpp:
1503         (JSC::DFG::OSRExit::emitRestoreArguments):
1504         (JSC::DFG::OSRExit::compileOSRExit):
1505         (JSC::DFG::OSRExit::compileExit):
1506         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
1507         * dfg/DFGOSRExit.h:
1508         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
1509         * dfg/DFGOSRExitCompiler.cpp: Removed.
1510         * dfg/DFGOSRExitCompiler.h: Removed.
1511         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
1512         * dfg/DFGOSRExitCompiler64.cpp: Removed.
1513         * dfg/DFGOperations.cpp:
1514         * dfg/DFGOperations.h:
1515         * dfg/DFGThunks.cpp:
1516
1517 2017-08-04  Matt Baker  <mattbaker@apple.com>
1518
1519         Web Inspector: capture async stack trace when workers/main context posts a message
1520         https://bugs.webkit.org/show_bug.cgi?id=167084
1521         <rdar://problem/30033673>
1522
1523         Reviewed by Brian Burg.
1524
1525         * inspector/agents/InspectorDebuggerAgent.h:
1526         Add `PostMessage` async call type.
1527
1528 2017-08-04  Mark Lam  <mark.lam@apple.com>
1529
1530         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
1531         https://bugs.webkit.org/show_bug.cgi?id=175208
1532         <rdar://problem/33732402>
1533
1534         Reviewed by Saam Barati.
1535
1536         This will minimize the code diff and make it easier to review the patch for
1537         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
1538         steps:
1539
1540         1. Do the code changes to move methods into OSRExit.
1541         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
1542         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
1543
1544         Splitting this refactoring into these 3 steps also makes it easier to review this
1545         patch and understand what is being changed.
1546
1547         * dfg/DFGOSRExit.h:
1548         * dfg/DFGOSRExitCompiler.cpp:
1549         (JSC::DFG::OSRExit::emitRestoreArguments):
1550         (JSC::DFG::OSRExit::compileOSRExit):
1551         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
1552         (): Deleted.
1553         * dfg/DFGOSRExitCompiler.h:
1554         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
1555         (): Deleted.
1556         * dfg/DFGOSRExitCompiler32_64.cpp:
1557         (JSC::DFG::OSRExit::compileExit):
1558         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
1559         * dfg/DFGOSRExitCompiler64.cpp:
1560         (JSC::DFG::OSRExit::compileExit):
1561         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
1562         * dfg/DFGThunks.cpp:
1563         (JSC::DFG::osrExitGenerationThunkGenerator):
1564
1565 2017-08-04  Devin Rousso  <drousso@apple.com>
1566
1567         Web Inspector: add source view for WebGL shader programs
1568         https://bugs.webkit.org/show_bug.cgi?id=138593
1569         <rdar://problem/18936194>
1570
1571         Reviewed by Matt Baker.
1572
1573         * inspector/protocol/Canvas.json:
1574          - Add `ShaderType` enum that contains "vertex" and "fragment".
1575          - Add `requestShaderSource` command that will return the original source code for a given
1576            shader program and shader type.
1577
1578 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
1579
1580         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
1581         https://bugs.webkit.org/show_bug.cgi?id=175141
1582
1583         Reviewed by Mark Lam.
1584         
1585         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
1586         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
1587         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
1588         determined by the AlignedMemoryAllocator object.
1589         
1590         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
1591         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
1592         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
1593         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
1594         they use the same AlignedMemoryAllocator.
1595
1596         * CMakeLists.txt:
1597         * JavaScriptCore.xcodeproj/project.pbxproj:
1598         * heap/AlignedMemoryAllocator.cpp: Added.
1599         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
1600         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
1601         * heap/AlignedMemoryAllocator.h: Added.
1602         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
1603         (JSC::FastMallocAlignedMemoryAllocator::singleton):
1604         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
1605         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
1606         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
1607         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
1608         (JSC::FastMallocAlignedMemoryAllocator::dump const):
1609         * heap/FastMallocAlignedMemoryAllocator.h: Added.
1610         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
1611         (JSC::GigacageAlignedMemoryAllocator::singleton):
1612         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1613         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
1614         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1615         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1616         (JSC::GigacageAlignedMemoryAllocator::dump const):
1617         * heap/GigacageAlignedMemoryAllocator.h: Added.
1618         * heap/GigacageSubspace.cpp: Removed.
1619         * heap/GigacageSubspace.h: Removed.
1620         * heap/LargeAllocation.cpp:
1621         (JSC::LargeAllocation::tryCreate):
1622         (JSC::LargeAllocation::destroy):
1623         * heap/MarkedAllocator.cpp:
1624         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1625         * heap/MarkedBlock.cpp:
1626         (JSC::MarkedBlock::tryCreate):
1627         (JSC::MarkedBlock::Handle::Handle):
1628         (JSC::MarkedBlock::Handle::~Handle):
1629         (JSC::MarkedBlock::Handle::didAddToAllocator):
1630         (JSC::MarkedBlock::Handle::subspace const):
1631         * heap/MarkedBlock.h:
1632         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
1633         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1634         * heap/Subspace.cpp:
1635         (JSC::Subspace::Subspace):
1636         (JSC::Subspace::findEmptyBlockToSteal):
1637         (JSC::Subspace::canTradeBlocksWith): Deleted.
1638         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
1639         (JSC::Subspace::freeAlignedMemory): Deleted.
1640         * heap/Subspace.h:
1641         (JSC::Subspace::name const):
1642         (JSC::Subspace::alignedMemoryAllocator const):
1643         * runtime/JSDestructibleObjectSubspace.cpp:
1644         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
1645         * runtime/JSDestructibleObjectSubspace.h:
1646         * runtime/JSSegmentedVariableObjectSubspace.cpp:
1647         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
1648         * runtime/JSSegmentedVariableObjectSubspace.h:
1649         * runtime/JSStringSubspace.cpp:
1650         (JSC::JSStringSubspace::JSStringSubspace):
1651         * runtime/JSStringSubspace.h:
1652         * runtime/VM.cpp:
1653         (JSC::VM::VM):
1654         * runtime/VM.h:
1655         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
1656         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
1657         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
1658
1659 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
1660
1661         [ESNext] Async iteration - update feature.json
1662         https://bugs.webkit.org/show_bug.cgi?id=175197
1663
1664         Reviewed by Yusuke Suzuki.
1665
1666         Update feature.json to add the status of Async Iteration
1667
1668         * features.json:
1669
1670 2017-08-04  Matt Lewis  <jlewis3@apple.com>
1671
1672         Unreviewed, rolling out r220271.
1673
1674         Rolling out due to Layout Test failing on iOS Simulator.
1675
1676         Reverted changeset:
1677
1678         "Remove STREAMS_API compilation guard"
1679         https://bugs.webkit.org/show_bug.cgi?id=175165
1680         http://trac.webkit.org/changeset/220271
1681
1682 2017-08-04  Youenn Fablet  <youenn@apple.com>
1683
1684         Remove STREAMS_API compilation guard
1685         https://bugs.webkit.org/show_bug.cgi?id=175165
1686
1687         Reviewed by Darin Adler.
1688
1689         * Configurations/FeatureDefines.xcconfig:
1690
1691 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
1692
1693         [ESNext] Async iteration - Add feature flag
1694         https://bugs.webkit.org/show_bug.cgi?id=166694
1695
1696         Reviewed by Yusuke Suzuki.
1697
1698         Add a feature flag to JSC to switch Async Iterator on/off
1699
1700         * runtime/Options.h:
1701
1702 2017-08-03  Brian Burg  <bburg@apple.com>
1703
1704         Remove ENABLE(WEB_SOCKET) guards
1705         https://bugs.webkit.org/show_bug.cgi?id=167044
1706
1707         Reviewed by Joseph Pecoraro.
1708
1709         * Configurations/FeatureDefines.xcconfig:
1710
1711 2017-08-03  Youenn Fablet  <youenn@apple.com>
1712
1713         Remove FETCH_API compilation guard
1714         https://bugs.webkit.org/show_bug.cgi?id=175154
1715
1716         Reviewed by Chris Dumez.
1717
1718         * Configurations/FeatureDefines.xcconfig:
1719
1720 2017-08-03  Matt Baker  <mattbaker@apple.com>
1721
1722         Web Inspector: Instrument WebGLProgram created/deleted
1723         https://bugs.webkit.org/show_bug.cgi?id=175059
1724
1725         Reviewed by Devin Rousso.
1726
1727         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
1728
1729         * inspector/protocol/Canvas.json:
1730
1731 2017-08-03  Brady Eidson  <beidson@apple.com>
1732
1733         Add SW IDLs and stub out basic functionality.
1734         https://bugs.webkit.org/show_bug.cgi?id=175115
1735
1736         Reviewed by Chris Dumez.
1737
1738         * Configurations/FeatureDefines.xcconfig:
1739
1740         * runtime/CommonIdentifiers.h:
1741
1742 2017-08-03  Mark Lam  <mark.lam@apple.com>
1743
1744         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
1745         https://bugs.webkit.org/show_bug.cgi?id=175142
1746         <rdar://problem/33704528>
1747
1748         Reviewed by Filip Pizlo.
1749
1750         The convention in the rest of JSC for such methods which return the address of
1751         a field is to name them "addressOf<field name>".  We'll rename
1752         ScratchBuffer::activeLengthPtr to be consistent with this convention.
1753
1754         * dfg/DFGSpeculativeJIT.cpp:
1755         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1756         * dfg/DFGSpeculativeJIT32_64.cpp:
1757         (JSC::DFG::SpeculativeJIT::compile):
1758         * dfg/DFGSpeculativeJIT64.cpp:
1759         (JSC::DFG::SpeculativeJIT::compile):
1760         * dfg/DFGThunks.cpp:
1761         (JSC::DFG::osrExitGenerationThunkGenerator):
1762         * ftl/FTLLowerDFGToB3.cpp:
1763         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1764         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
1765         * ftl/FTLThunks.cpp:
1766         (JSC::FTL::genericGenerationThunkGenerator):
1767         * jit/AssemblyHelpers.cpp:
1768         (JSC::AssemblyHelpers::debugCall):
1769         * jit/ScratchRegisterAllocator.cpp:
1770         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
1771         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
1772         * runtime/VM.h:
1773         (JSC::ScratchBuffer::addressOfActiveLength):
1774         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
1775         * wasm/WasmBinding.cpp:
1776         (JSC::Wasm::wasmToJs):
1777
1778 2017-08-02  Devin Rousso  <drousso@apple.com>
1779
1780         Web Inspector: add stack trace information for each RecordingAction
1781         https://bugs.webkit.org/show_bug.cgi?id=174663
1782
1783         Reviewed by Joseph Pecoraro.
1784
1785         * inspector/ScriptCallFrame.h:
1786         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
1787         with an existing value doesn't require a functor and can use existing code.
1788
1789         * interpreter/StackVisitor.h:
1790         * interpreter/StackVisitor.cpp:
1791         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
1792
1793 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1794
1795         Merge WTFThreadData to Thread::current
1796         https://bugs.webkit.org/show_bug.cgi?id=174716
1797
1798         Reviewed by Mark Lam.
1799
1800         Use Thread::current() instead.
1801
1802         * API/JSContext.mm:
1803         (+[JSContext currentContext]):
1804         (+[JSContext currentThis]):
1805         (+[JSContext currentCallee]):
1806         (+[JSContext currentArguments]):
1807         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1808         (-[JSContext endCallbackWithData:]):
1809         * heap/Heap.cpp:
1810         (JSC::Heap::requestCollection):
1811         * runtime/Completion.cpp:
1812         (JSC::checkSyntax):
1813         (JSC::checkModuleSyntax):
1814         (JSC::evaluate):
1815         (JSC::loadAndEvaluateModule):
1816         (JSC::loadModule):
1817         (JSC::linkAndEvaluateModule):
1818         (JSC::importModule):
1819         * runtime/Identifier.cpp:
1820         (JSC::Identifier::checkCurrentAtomicStringTable):
1821         * runtime/InitializeThreading.cpp:
1822         (JSC::initializeThreading):
1823         * runtime/JSLock.cpp:
1824         (JSC::JSLock::didAcquireLock):
1825         (JSC::JSLock::willReleaseLock):
1826         (JSC::JSLock::dropAllLocks):
1827         (JSC::JSLock::grabAllLocks):
1828         * runtime/JSLock.h:
1829         * runtime/VM.cpp:
1830         (JSC::VM::VM):
1831         (JSC::VM::updateStackLimits):
1832         (JSC::VM::committedStackByteCount):
1833         * runtime/VM.h:
1834         (JSC::VM::isSafeToRecurse const):
1835         * runtime/VMEntryScope.cpp:
1836         (JSC::VMEntryScope::VMEntryScope):
1837         * runtime/VMInlines.h:
1838         (JSC::VM::ensureStackCapacityFor):
1839         * yarr/YarrPattern.cpp:
1840         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1841
1842 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1843
1844         LLInt should do pointer caging
1845         https://bugs.webkit.org/show_bug.cgi?id=175036
1846
1847         Reviewed by Keith Miller.
1848
1849         Implementing this in the LLInt was challenging because offlineasm did not previously know
1850         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
1851         to be where the Gigacage is enabled right now.
1852
1853         * llint/LLIntOfflineAsmConfig.h:
1854         * llint/LowLevelInterpreter64.asm:
1855         * offlineasm/ast.rb:
1856         * offlineasm/x86.rb:
1857
1858 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1859
1860         Sweeping should only scribble when sweeping to free list
1861         https://bugs.webkit.org/show_bug.cgi?id=175105
1862
1863         Reviewed by Saam Barati.
1864         
1865         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
1866         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
1867         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
1868         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
1869         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
1870         when it doesn't matter anyway because we're building a free list.
1871         
1872         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
1873         zap.
1874
1875         * heap/MarkedBlockInlines.h:
1876         (JSC::MarkedBlock::Handle::specializedSweep):
1877
1878 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1879
1880         All C++ accesses to JSObject::m_butterfly should do caging
1881         https://bugs.webkit.org/show_bug.cgi?id=175039
1882
1883         Reviewed by Keith Miller.
1884         
1885         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
1886         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
1887         outside the gigacage.
1888
1889         * runtime/JSArray.cpp:
1890         (JSC::JSArray::setLength):
1891         (JSC::JSArray::pop):
1892         (JSC::JSArray::push):
1893         (JSC::JSArray::shiftCountWithAnyIndexingType):
1894         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1895         (JSC::JSArray::fillArgList):
1896         (JSC::JSArray::copyToArguments):
1897         * runtime/JSObject.cpp:
1898         (JSC::JSObject::heapSnapshot):
1899         (JSC::JSObject::createInitialIndexedStorage):
1900         (JSC::JSObject::createArrayStorage):
1901         (JSC::JSObject::convertUndecidedToInt32):
1902         (JSC::JSObject::convertUndecidedToDouble):
1903         (JSC::JSObject::convertUndecidedToContiguous):
1904         (JSC::JSObject::convertInt32ToDouble):
1905         (JSC::JSObject::convertInt32ToArrayStorage):
1906         (JSC::JSObject::convertDoubleToContiguous):
1907         (JSC::JSObject::convertDoubleToArrayStorage):
1908         (JSC::JSObject::convertContiguousToArrayStorage):
1909         (JSC::JSObject::defineOwnIndexedProperty):
1910         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1911         (JSC::JSObject::ensureLengthSlow):
1912         (JSC::JSObject::allocateMoreOutOfLineStorage):
1913         * runtime/JSObject.h:
1914         (JSC::JSObject::canGetIndexQuickly):
1915         (JSC::JSObject::getIndexQuickly):
1916         (JSC::JSObject::tryGetIndexQuickly const):
1917         (JSC::JSObject::canSetIndexQuickly):
1918         (JSC::JSObject::setIndexQuickly):
1919         (JSC::JSObject::initializeIndex):
1920         (JSC::JSObject::initializeIndexWithoutBarrier):
1921         (JSC::JSObject::butterfly const):
1922         (JSC::JSObject::butterfly):
1923
1924 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1925
1926         We should be OK with the gigacage being disabled on gmalloc
1927         https://bugs.webkit.org/show_bug.cgi?id=175082
1928
1929         Reviewed by Michael Saboff.
1930
1931         * jsc.cpp:
1932         (jscmain):
1933
1934 2017-08-02  Saam Barati  <sbarati@apple.com>
1935
1936         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
1937         https://bugs.webkit.org/show_bug.cgi?id=175041
1938         <rdar://problem/33659370>
1939
1940         Reviewed by Filip Pizlo.
1941
1942         The testing I have done shows that this new function is a ~10%
1943         progression running JetStream on 1GB iOS devices. I've also tried
1944         this on a few > 1GB iOS devices, and the testing shows this is either neutral
1945         or a regression. Right now, we'll just enable this for <= 1GB devices
1946         since it's a win. In the future, we might want to either look into
1947         tweaking these parameters or coming up with a new function for > 1GB
1948         devices.
1949
1950         * heap/Heap.cpp:
1951         * runtime/Options.h:
1952
1953 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
1954
1955         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
1956         https://bugs.webkit.org/show_bug.cgi?id=174727
1957
1958         Reviewed by Mark Lam.
1959         
1960         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
1961         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
1962         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
1963         
1964         This is neutral on JetStream.
1965
1966         * CMakeLists.txt:
1967         * JavaScriptCore.xcodeproj/project.pbxproj:
1968         * b3/B3InsertionSet.cpp:
1969         (JSC::B3::InsertionSet::execute):
1970         * dfg/DFGAbstractInterpreterInlines.h:
1971         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1972         * dfg/DFGArgumentsEliminationPhase.cpp:
1973         * dfg/DFGClobberize.cpp:
1974         (JSC::DFG::readsOverlap):
1975         * dfg/DFGClobberize.h:
1976         (JSC::DFG::clobberize):
1977         * dfg/DFGDoesGC.cpp:
1978         (JSC::DFG::doesGC):
1979         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
1980         (JSC::DFG::performFixedButterflyAccessUncaging):
1981         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
1982         * dfg/DFGFixupPhase.cpp:
1983         (JSC::DFG::FixupPhase::fixupNode):
1984         * dfg/DFGHeapLocation.cpp:
1985         (WTF::printInternal):
1986         * dfg/DFGHeapLocation.h:
1987         * dfg/DFGNodeType.h:
1988         * dfg/DFGPlan.cpp:
1989         (JSC::DFG::Plan::compileInThreadImpl):
1990         * dfg/DFGPredictionPropagationPhase.cpp:
1991         * dfg/DFGSafeToExecute.h:
1992         (JSC::DFG::safeToExecute):
1993         * dfg/DFGSpeculativeJIT.cpp:
1994         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1995         * dfg/DFGSpeculativeJIT32_64.cpp:
1996         (JSC::DFG::SpeculativeJIT::compile):
1997         * dfg/DFGSpeculativeJIT64.cpp:
1998         (JSC::DFG::SpeculativeJIT::compile):
1999         * dfg/DFGTypeCheckHoistingPhase.cpp:
2000         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2001         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2002         * ftl/FTLCapabilities.cpp:
2003         (JSC::FTL::canCompile):
2004         * ftl/FTLLowerDFGToB3.cpp:
2005         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2006         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2007         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2008         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2009         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2010         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2011         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2012         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2013         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2014         (JSC::FTL::DFG::LowerDFGToB3::caged):
2015         * heap/GigacageSubspace.cpp: Added.
2016         (JSC::GigacageSubspace::GigacageSubspace):
2017         (JSC::GigacageSubspace::~GigacageSubspace):
2018         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2019         (JSC::GigacageSubspace::freeAlignedMemory):
2020         (JSC::GigacageSubspace::canTradeBlocksWith):
2021         * heap/GigacageSubspace.h: Added.
2022         * heap/Heap.cpp:
2023         (JSC::Heap::Heap):
2024         (JSC::Heap::lastChanceToFinalize):
2025         (JSC::Heap::finalize):
2026         (JSC::Heap::sweepInFinalize):
2027         (JSC::Heap::updateAllocationLimits):
2028         (JSC::Heap::shouldDoFullCollection):
2029         (JSC::Heap::collectIfNecessaryOrDefer):
2030         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2031         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2032         (JSC::Heap::sweepLargeAllocations): Deleted.
2033         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2034         * heap/Heap.h:
2035         * heap/LargeAllocation.cpp:
2036         (JSC::LargeAllocation::tryCreate):
2037         (JSC::LargeAllocation::destroy):
2038         * heap/MarkedAllocator.cpp:
2039         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2040         (JSC::MarkedAllocator::tryAllocateBlock):
2041         * heap/MarkedBlock.cpp:
2042         (JSC::MarkedBlock::tryCreate):
2043         (JSC::MarkedBlock::Handle::Handle):
2044         (JSC::MarkedBlock::Handle::~Handle):
2045         (JSC::MarkedBlock::Handle::didAddToAllocator):
2046         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2047         * heap/MarkedBlock.h:
2048         (JSC::MarkedBlock::Handle::subspace const):
2049         * heap/MarkedSpace.cpp:
2050         (JSC::MarkedSpace::~MarkedSpace):
2051         (JSC::MarkedSpace::freeMemory):
2052         (JSC::MarkedSpace::prepareForAllocation):
2053         (JSC::MarkedSpace::addMarkedAllocator):
2054         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2055         * heap/MarkedSpace.h:
2056         (JSC::MarkedSpace::firstAllocator const):
2057         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2058         * heap/Subspace.cpp:
2059         (JSC::Subspace::Subspace):
2060         (JSC::Subspace::canTradeBlocksWith):
2061         (JSC::Subspace::tryAllocateAlignedMemory):
2062         (JSC::Subspace::freeAlignedMemory):
2063         (JSC::Subspace::prepareForAllocation):
2064         (JSC::Subspace::findEmptyBlockToSteal):
2065         * heap/Subspace.h:
2066         (JSC::Subspace::didCreateFirstAllocator):
2067         * heap/SubspaceInlines.h:
2068         (JSC::Subspace::forEachAllocator):
2069         (JSC::Subspace::forEachMarkedBlock):
2070         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2071         * jit/JITPropertyAccess.cpp:
2072         (JSC::JIT::emitDoubleLoad):
2073         (JSC::JIT::emitContiguousLoad):
2074         (JSC::JIT::emitArrayStorageLoad):
2075         (JSC::JIT::emitGenericContiguousPutByVal):
2076         (JSC::JIT::emitArrayStoragePutByVal):
2077         (JSC::JIT::emit_op_get_from_scope):
2078         (JSC::JIT::emit_op_put_to_scope):
2079         (JSC::JIT::emitIntTypedArrayGetByVal):
2080         (JSC::JIT::emitFloatTypedArrayGetByVal):
2081         (JSC::JIT::emitIntTypedArrayPutByVal):
2082         (JSC::JIT::emitFloatTypedArrayPutByVal):
2083         * jsc.cpp:
2084         (fillBufferWithContentsOfFile):
2085         (functionReadFile):
2086         (gigacageDisabled):
2087         (jscmain):
2088         * llint/LowLevelInterpreter64.asm:
2089         * runtime/ArrayBuffer.cpp:
2090         (JSC::ArrayBufferContents::tryAllocate):
2091         (JSC::ArrayBuffer::createAdopted):
2092         (JSC::ArrayBuffer::createFromBytes):
2093         (JSC::ArrayBuffer::tryCreate):
2094         * runtime/IndexingHeader.h:
2095         * runtime/InitializeThreading.cpp:
2096         (JSC::initializeThreading):
2097         * runtime/JSArrayBuffer.cpp:
2098         * runtime/JSArrayBufferView.cpp:
2099         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2100         (JSC::JSArrayBufferView::finalize):
2101         * runtime/JSLock.cpp:
2102         (JSC::JSLock::didAcquireLock):
2103         * runtime/JSObject.h:
2104         * runtime/Options.cpp:
2105         (JSC::recomputeDependentOptions):
2106         * runtime/Options.h:
2107         * runtime/ScopedArgumentsTable.h:
2108         * runtime/VM.cpp:
2109         (JSC::VM::VM):
2110         (JSC::VM::~VM):
2111         (JSC::VM::gigacageDisabledCallback):
2112         (JSC::VM::gigacageDisabled):
2113         * runtime/VM.h:
2114         (JSC::VM::fireGigacageEnabledIfNecessary):
2115         (JSC::VM::gigacageEnabled):
2116         * wasm/WasmB3IRGenerator.cpp:
2117         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2118         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2119         * wasm/WasmCodeBlock.cpp:
2120         (JSC::Wasm::CodeBlock::isSafeToRun):
2121         * wasm/WasmMemory.cpp:
2122         (JSC::Wasm::makeString):
2123         (JSC::Wasm::Memory::create):
2124         (JSC::Wasm::Memory::~Memory):
2125         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2126         (JSC::Wasm::Memory::grow):
2127         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2128         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2129         * wasm/WasmMemory.h:
2130         * wasm/js/JSWebAssemblyInstance.cpp:
2131         (JSC::JSWebAssemblyInstance::create):
2132         * wasm/js/JSWebAssemblyMemory.cpp:
2133         (JSC::JSWebAssemblyMemory::grow):
2134         (JSC::JSWebAssemblyMemory::finishCreation):
2135         * wasm/js/JSWebAssemblyMemory.h:
2136         (JSC::JSWebAssemblyMemory::subspaceFor):
2137
2138 2017-07-31  Mark Lam  <mark.lam@apple.com>
2139
2140         Added some UNLIKELYs to operationOptimize().
2141         https://bugs.webkit.org/show_bug.cgi?id=174976
2142
2143         Reviewed by JF Bastien.
2144
2145         * jit/JITOperations.cpp:
2146
2147 2017-07-31  Keith Miller  <keith_miller@apple.com>
2148
2149         Make more things LLInt constexprs
2150         https://bugs.webkit.org/show_bug.cgi?id=174994
2151
2152         Reviewed by Saam Barati.
2153
        This patch makes more of the const values in the LLInt constexprs.
        It also deletes all of the no longer necessary static_asserts in
        LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2157
2158         * interpreter/ShadowChicken.h:
2159         (JSC::ShadowChicken::Packet::tailMarker):
2160         * llint/LLIntData.cpp:
2161         (JSC::LLInt::Data::performAssertions):
2162         * llint/LowLevelInterpreter.asm:
2163         * offlineasm/generate_offset_extractor.rb:
2164         * offlineasm/parser.rb:
2165
2166 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2167
2168         Unreviewed, rolling out r220060.
2169
2170         This broke our internal builds. Contact reviewer of patch for
2171         more information.
2172
2173         Reverted changeset:
2174
2175         "Merge WTFThreadData to Thread::current"
2176         https://bugs.webkit.org/show_bug.cgi?id=174716
2177         http://trac.webkit.org/changeset/220060
2178
2179 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2180
2181         [JSC] Support optional catch binding
2182         https://bugs.webkit.org/show_bug.cgi?id=174981
2183
2184         Reviewed by Saam Barati.
2185
        This patch implements the optional catch binding proposal [1], which is now stage 3.
        This proposal adds a new `catch` brace with no error value binding.
2188
2189             ```
2190                 try {
2191                     ...
2192                 } catch {
2193                     ...
2194                 }
2195             ```
2196
        Sometimes we do not actually need to get the error value. For example, the function returns a
        boolean which means whether the function succeeds.
2199
2200             ```
2201             function parse(result) // -> bool
2202             {
2203                  try {
2204                      parseInner(result);
2205                  } catch {
2206                      return false;
2207                  }
2208                  return true;
2209             }
2210             ```
2211
2212         In the above case, we are not interested in the actual error value. Without this syntax,
2213         we always need to introduce a binding for an error value that is just ignored.
2214
2215         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2216
2217         * bytecompiler/NodesCodegen.cpp:
2218         (JSC::TryNode::emitBytecode):
2219         * parser/Parser.cpp:
2220         (JSC::Parser<LexerType>::parseTryStatement):
2221
2222 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2223
2224         Merge WTFThreadData to Thread::current
2225         https://bugs.webkit.org/show_bug.cgi?id=174716
2226
2227         Reviewed by Sam Weinig.
2228
2229         Use Thread::current() instead.
2230
2231         * API/JSContext.mm:
2232         (+[JSContext currentContext]):
2233         (+[JSContext currentThis]):
2234         (+[JSContext currentCallee]):
2235         (+[JSContext currentArguments]):
2236         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2237         (-[JSContext endCallbackWithData:]):
2238         * heap/Heap.cpp:
2239         (JSC::Heap::requestCollection):
2240         * runtime/Completion.cpp:
2241         (JSC::checkSyntax):
2242         (JSC::checkModuleSyntax):
2243         (JSC::evaluate):
2244         (JSC::loadAndEvaluateModule):
2245         (JSC::loadModule):
2246         (JSC::linkAndEvaluateModule):
2247         (JSC::importModule):
2248         * runtime/Identifier.cpp:
2249         (JSC::Identifier::checkCurrentAtomicStringTable):
2250         * runtime/InitializeThreading.cpp:
2251         (JSC::initializeThreading):
2252         * runtime/JSLock.cpp:
2253         (JSC::JSLock::didAcquireLock):
2254         (JSC::JSLock::willReleaseLock):
2255         (JSC::JSLock::dropAllLocks):
2256         (JSC::JSLock::grabAllLocks):
2257         * runtime/JSLock.h:
2258         * runtime/VM.cpp:
2259         (JSC::VM::VM):
2260         (JSC::VM::updateStackLimits):
2261         (JSC::VM::committedStackByteCount):
2262         * runtime/VM.h:
2263         (JSC::VM::isSafeToRecurse const):
2264         * runtime/VMEntryScope.cpp:
2265         (JSC::VMEntryScope::VMEntryScope):
2266         * runtime/VMInlines.h:
2267         (JSC::VM::ensureStackCapacityFor):
2268         * yarr/YarrPattern.cpp:
2269         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2270
2271 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2272
2273         [WTF] Introduce Private Symbols
2274         https://bugs.webkit.org/show_bug.cgi?id=174935
2275
2276         Reviewed by Darin Adler.
2277
2278         Use SymbolImpl::isPrivate().
2279
2280         * builtins/BuiltinNames.cpp:
2281         * builtins/BuiltinNames.h:
2282         (JSC::BuiltinNames::isPrivateName): Deleted.
2283         * builtins/BuiltinUtils.h:
2284         * bytecode/BytecodeIntrinsicRegistry.cpp:
2285         (JSC::BytecodeIntrinsicRegistry::lookup):
2286         * runtime/CommonIdentifiers.cpp:
2287         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2288         * runtime/CommonIdentifiers.h:
2289         * runtime/ExceptionHelpers.cpp:
2290         (JSC::createUndefinedVariableError):
2291         * runtime/Identifier.h:
2292         (JSC::Identifier::isPrivateName):
2293         * runtime/IdentifierInlines.h:
2294         (JSC::identifierToSafePublicJSValue):
2295         * runtime/ObjectConstructor.cpp:
2296         (JSC::objectConstructorAssign):
2297         (JSC::defineProperties):
2298         (JSC::setIntegrityLevel):
2299         (JSC::testIntegrityLevel):
2300         (JSC::ownPropertyKeys):
2301         * runtime/PrivateName.h:
2302         (JSC::PrivateName::PrivateName):
2303         * runtime/PropertyName.h:
2304         (JSC::PropertyName::isPrivateName):
2305         * runtime/ProxyObject.cpp:
2306         (JSC::performProxyGet):
2307         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2308         (JSC::ProxyObject::performHasProperty):
2309         (JSC::ProxyObject::performPut):
2310         (JSC::ProxyObject::performDelete):
2311         (JSC::ProxyObject::performDefineOwnProperty):
2312
2313 2017-07-29  Keith Miller  <keith_miller@apple.com>
2314
2315         LLInt offsets extractor should be able to handle C++ constexprs
2316         https://bugs.webkit.org/show_bug.cgi?id=174964
2317
2318         Reviewed by Saam Barati.
2319
        This patch adds new syntax to the offline asm language. The new keyword,
        constexpr, takes the subsequent identifier and maps it to a C++ constexpr
        expression. Additionally, if the value is not an identifier, you can wrap it in
        parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
        which will get converted into:
        static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
2326
        This patch also changes the data format the LLIntOffsetsExtractor
        binary produces.  Previously, it would produce unsigned values;
        after this patch every value is an int64_t.  Using an int64_t is
        useful because it means that we can represent any constant needed.
        int32_t masks are sign extended, then passed on and converted to a
        negative literal string in the assembler, so it will be the constant
        expected.
2334
2335         * llint/LLIntOffsetsExtractor.cpp:
2336         (JSC::LLIntOffsetsExtractor::dummy):
2337         * llint/LowLevelInterpreter.asm:
2338         * llint/LowLevelInterpreter64.asm:
2339         * offlineasm/asm.rb:
2340         * offlineasm/ast.rb:
2341         * offlineasm/generate_offset_extractor.rb:
2342         * offlineasm/offsets.rb:
2343         * offlineasm/parser.rb:
2344         * offlineasm/transform.rb:
2345
2346 2017-07-28  Matt Baker  <mattbaker@apple.com>
2347
2348         Web Inspector: capture an async stack trace when web content calls addEventListener
2349         https://bugs.webkit.org/show_bug.cgi?id=174739
2350         <rdar://problem/33468197>
2351
2352         Reviewed by Brian Burg.
2353
2354         Allow debugger agents to perform custom logic when asynchronous stack
2355         trace data is cleared. For example, the PageDebuggerAgent would clear
2356         its list of registered listeners for which call stacks have been recorded.
2357
2358         * inspector/agents/InspectorDebuggerAgent.cpp:
2359         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
2360         * inspector/agents/InspectorDebuggerAgent.h:
2361
2362 2017-07-28  Mark Lam  <mark.lam@apple.com>
2363
2364         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
2365         https://bugs.webkit.org/show_bug.cgi?id=174948
2366         <rdar://problem/33495680>
2367
2368         Reviewed by Filip Pizlo.
2369
2370         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
2371         owner StructureRareData is already known to be dead (in terms of GC liveness) but
2372         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
2373         requests to fire this watchpoint.
2374
2375         If the GC had the chance to sweep the StructureRareData, thereby destructing the
2376         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
2377         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
2378
2379         But since the watchpoint hasn't been destructed yet, it still remains on the
2380         WatchpointSet and needs to guard against being fired in this state.  The fix is
2381         to simply return early if its owner StructureRareData is not live.  This has the
2382         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
2383         not firing as we would expect.
2384
2385         This patch also removes some cargo cult copying of watchpoint code which
2386         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
2387         used.  This patch removes these unnecessary instantiations.
2388
2389         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2390         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2391         * runtime/StructureRareData.cpp:
2392         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2393         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2394
2395 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2396
2397         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
2398         https://bugs.webkit.org/show_bug.cgi?id=174900
2399
2400         Reviewed by Saam Barati.
2401
        In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
        Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
        The problem is that even the transforming phase also checks these pseudo terminals.
2405
2406             BB1
2407             1: ForceOSRExit
2408             2: CreateDirectArguments
2409
2410             BB2
2411             3: GetButterfly(@2)
2412             4: ForceOSRExit
2413
2414         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
2415
        In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
2417
2418         * dfg/DFGArgumentsEliminationPhase.cpp:
2419
2420 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
2421
2422         [ES] Add support finally to Promise
2423         https://bugs.webkit.org/show_bug.cgi?id=174503
2424
2425         Reviewed by Yusuke Suzuki.
2426
        Add support for the `finally` method to Promise according
        to https://bugs.webkit.org/show_bug.cgi?id=174503.
        The current spec is at STAGE 3:
        https://github.com/tc39/proposal-promise-finally
2431
2432         * builtins/PromisePrototype.js:
2433         (finally):
2434         (const.valueThunk):
2435         (globalPrivate.getThenFinally):
2436         (const.thrower):
2437         (globalPrivate.getCatchFinally):
2438         * runtime/JSPromisePrototype.cpp:
2439
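        The following is an added example, not code from the ChangeLog entry above or from
        JavaScriptCore's builtins/PromisePrototype.js. It implements Promise.prototype.finally
        in userland the way the stage 3 proposal specifies it (the same thenFinally/catchFinally
        split, with a value thunk and a thrower, that the builtin names above refer to), installs
        it under a hypothetical name, finallyPolyfill, so the native method is not shadowed, and
        exercises the observable semantics that matter in practice: the original value or reason
        passes through, a throw or rejection inside the cleanup callback replaces it, a pending
        promise returned from the callback delays settlement, and a non-callable argument is
        ignored. All inputs are constructed inline.

```javascript
"use strict";

// Userland Promise.prototype.finally per the stage 3 proposal (added example,
// not JavaScriptCore's builtin). promiseFinally(p, f) behaves like p.finally(f).
function promiseFinally(promise, onFinally) {
  // Proposal step: a non-callable onFinally is handed straight to then(), which
  // ignores it, so the promise settles exactly as before.
  if (typeof onFinally !== "function")
    return promise.then(onFinally, onFinally);

  // thenFinally: run onFinally, wait for whatever it returns, then re-yield the
  // original value (the "valueThunk"). A throw or rejection from onFinally wins.
  const thenFinally = (value) =>
    Promise.resolve(onFinally()).then(() => value);

  // catchFinally: run onFinally, wait for it, then re-throw the original reason
  // (the "thrower"). Again, a failure inside onFinally replaces the original reason.
  const catchFinally = (reason) =>
    Promise.resolve(onFinally()).then(() => { throw reason; });

  return promise.then(thenFinally, catchFinally);
}

// Install under a hypothetical name so the native Promise.prototype.finally is untouched.
Object.defineProperty(Promise.prototype, "finallyPolyfill", {
  value: function (onFinally) { return promiseFinally(this, onFinally); },
  writable: true, configurable: true, enumerable: false,
});

// Exercises each semantic case and returns a promise for an object describing the
// outcomes, so they can be checked in one place.
async function demoFinallySemantics() {
  const log = [];
  const results = {};

  // 1. Fulfilment value passes through even though onFinally returns something else.
  results.passThroughValue = await Promise.resolve(42)
    .finallyPolyfill(() => { log.push("cleanup-1"); return "ignored"; });

  // 2. Rejection reason passes through untouched.
  results.passThroughReason = await Promise.reject(new Error("boom"))
    .finallyPolyfill(() => { log.push("cleanup-2"); })
    .catch((e) => e.message);

  // 3. A throw inside onFinally replaces the original outcome (here a fulfilment).
  results.overrideByThrow = await Promise.resolve("ok")
    .finallyPolyfill(() => { throw new Error("cleanup failed"); })
    .then(() => "fulfilled", (e) => "rejected: " + e.message);

  // 4. A rejected promise returned from onFinally also replaces the outcome.
  results.overrideByRejectedPromise = await Promise.reject(new Error("original"))
    .finallyPolyfill(() => Promise.reject(new Error("from cleanup")))
    .catch((e) => e.message);

  // 5. A pending promise from onFinally delays settlement until it resolves.
  results.waitsForCleanup = await Promise.resolve("data")
    .finallyPolyfill(() => new Promise((resolve) =>
      setTimeout(() => { log.push("cleanup-5"); resolve(); }, 5)));

  // 6. A non-callable argument is ignored: the value still passes through.
  results.nonCallableIgnored = await Promise.resolve(7).finallyPolyfill(null);

  results.log = log;
  return results;
}

// Stand-alone run: print the outcomes of every case.
demoFinallySemantics().then((r) => console.log(JSON.stringify(r, null, 2)));
```

        Note that cases 3 and 4 are the ones that bite in cleanup code: an exception
        escaping the finally callback silently discards the original result or reason,
        so callbacks passed to finally should themselves be exception-safe.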
2440 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2441
2442         Unreviewed, build fix for CLoop
2443         https://bugs.webkit.org/show_bug.cgi?id=171637
2444
2445         * domjit/DOMJITGetterSetter.h:
2446
2447 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2448
2449         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
2450         https://bugs.webkit.org/show_bug.cgi?id=171637
2451
2452         Reviewed by Darin Adler.
2453
        Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
        In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.

        We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
        DOMJIT::GetterSetter is nullptr. We support such a CustomAccessorGetter in all the JIT tiers.

        In IC, we drop CheckSubClass completely since the IC's Structure check subsumes it. We do not enable this optimization for
        the op_get_by_id_with_this case yet.
        In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.

        And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
        ClassInfo check.
2466
2467         * CMakeLists.txt:
2468         * JavaScriptCore.xcodeproj/project.pbxproj:
2469         * bytecode/AccessCase.cpp:
2470         (JSC::AccessCase::generateImpl):
2471         * bytecode/GetByIdStatus.cpp:
2472         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2473         * bytecode/GetByIdVariant.cpp:
2474         (JSC::GetByIdVariant::GetByIdVariant):
2475         (JSC::GetByIdVariant::operator=):
2476         (JSC::GetByIdVariant::attemptToMerge):
2477         (JSC::GetByIdVariant::dumpInContext):
2478         * bytecode/GetByIdVariant.h:
2479         (JSC::GetByIdVariant::customAccessorGetter):
2480         (JSC::GetByIdVariant::domAttribute):
2481         (JSC::GetByIdVariant::domJIT): Deleted.
2482         * bytecode/GetterSetterAccessCase.cpp:
2483         (JSC::GetterSetterAccessCase::create):
2484         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
2485         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2486         * bytecode/GetterSetterAccessCase.h:
2487         (JSC::GetterSetterAccessCase::domAttribute):
2488         (JSC::GetterSetterAccessCase::customAccessor):
2489         (JSC::GetterSetterAccessCase::domJIT): Deleted.
2490         * bytecompiler/BytecodeGenerator.cpp:
2491         (JSC::BytecodeGenerator::instantiateLexicalVariables):
2492         * create_hash_table:
2493         * dfg/DFGAbstractInterpreterInlines.h:
2494         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2495         * dfg/DFGByteCodeParser.cpp:
2496         (JSC::DFG::blessCallDOMGetter):
2497         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2498         (JSC::DFG::ByteCodeParser::handleGetById):
2499         * dfg/DFGClobberize.h:
2500         (JSC::DFG::clobberize):
2501         * dfg/DFGFixupPhase.cpp:
2502         (JSC::DFG::FixupPhase::fixupNode):
2503         * dfg/DFGNode.h:
2504         * dfg/DFGSpeculativeJIT.cpp:
2505         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2506         * dfg/DFGSpeculativeJIT.h:
2507         (JSC::DFG::SpeculativeJIT::callCustomGetter):
2508         * domjit/DOMJITGetterSetter.h:
2509         (JSC::DOMJIT::GetterSetter::GetterSetter):
2510         (JSC::DOMJIT::GetterSetter::getter):
2511         (JSC::DOMJIT::GetterSetter::compiler):
2512         (JSC::DOMJIT::GetterSetter::resultType):
2513         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
2514         (JSC::DOMJIT::GetterSetter::setter): Deleted.
2515         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
2516         * ftl/FTLLowerDFGToB3.cpp:
2517         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
2518         * jit/Repatch.cpp:
2519         (JSC::tryCacheGetByID):
2520         * jsc.cpp:
2521         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2522         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2523         (WTF::DOMJITGetter::customGetter):
2524         (WTF::DOMJITGetter::finishCreation):
2525         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2526         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2527         (WTF::DOMJITGetterComplex::customGetter):
2528         (WTF::DOMJITGetterComplex::finishCreation):
2529         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
2530         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
2531         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
2532         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
2533         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
2534         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
2535         * runtime/CustomGetterSetter.h:
2536         (JSC::CustomGetterSetter::create):
2537         (JSC::CustomGetterSetter::setter):
2538         (JSC::CustomGetterSetter::CustomGetterSetter):
2539         (): Deleted.
2540         * runtime/DOMAnnotation.h: Added.
2541         (JSC::operator==):
2542         (JSC::operator!=):
2543         * runtime/DOMAttributeGetterSetter.cpp: Added.
2544         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
2545         (JSC::isDOMAttributeGetterSetter):
2546         * runtime/Error.cpp:
2547         (JSC::throwDOMAttributeGetterTypeError):
2548         * runtime/Error.h:
2549         (JSC::throwVMDOMAttributeGetterTypeError):
2550         * runtime/JSCustomGetterSetterFunction.cpp:
2551         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
2552         * runtime/JSObject.cpp:
2553         (JSC::JSObject::putInlineSlow):
2554         (JSC::JSObject::deleteProperty):
2555         (JSC::JSObject::getOwnStaticPropertySlot):
2556         (JSC::JSObject::reifyAllStaticProperties):
2557         (JSC::JSObject::fillGetterPropertySlot):
2558         (JSC::JSObject::findPropertyHashEntry): Deleted.
2559         * runtime/JSObject.h:
2560         (JSC::JSObject::getOwnNonIndexPropertySlot):
2561         (JSC::JSObject::fillCustomGetterPropertySlot):
2562         * runtime/Lookup.cpp:
2563         (JSC::setUpStaticFunctionSlot):
2564         * runtime/Lookup.h:
2565         (JSC::HashTableValue::domJIT):
2566         (JSC::getStaticPropertySlotFromTable):
2567         (JSC::putEntry):
2568         (JSC::lookupPut):
2569         (JSC::reifyStaticProperty):
2570         (JSC::reifyStaticProperties):
        Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
        this static property table require.
2573
2574         * runtime/ProgramExecutable.cpp:
2575         (JSC::ProgramExecutable::initializeGlobalProperties):
2576         * runtime/PropertyName.h:
2577         * runtime/PropertySlot.cpp:
2578         (JSC::PropertySlot::customGetter):
2579         (JSC::PropertySlot::customAccessorGetter):
2580         * runtime/PropertySlot.h:
2581         (JSC::PropertySlot::domAttribute):
2582         (JSC::PropertySlot::setCustom):
2583         (JSC::PropertySlot::setCacheableCustom):
2584         (JSC::PropertySlot::getValue):
2585         (JSC::PropertySlot::domJIT): Deleted.
2586         * runtime/VM.cpp:
2587         (JSC::VM::VM):
2588         * runtime/VM.h:
2589
2590 2017-07-26  Devin Rousso  <drousso@apple.com>
2591
2592         Web Inspector: create protocol for recording Canvas contexts
2593         https://bugs.webkit.org/show_bug.cgi?id=174481
2594
2595         Reviewed by Joseph Pecoraro.
2596
2597         * inspector/protocol/Canvas.json:
2598          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
2599          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
2600          - Add `recordingFinished` event that is fired once a recording is finished.
2601
2602         * CMakeLists.txt:
2603         * DerivedSources.make:
2604         * inspector/protocol/Recording.json: Added.
2605          - Add `Type` enum that lists the types of recordings
2606          - Add `InitialState` type that contains information about the canvas context at the
2607            beginning of the recording.
2608          - Add `Frame` type that holds a list of actions that were recorded.
2609          - Add `Recording` type as the container object of recording data.
2610
2611         * inspector/scripts/codegen/generate_js_backend_commands.py:
2612         (JSBackendCommandsGenerator.generate_domain):
2613         Create an agent for domains with no events or commands.
2614
2615         * inspector/InspectorValues.h:
2616         Make Array `get` public so that values can be retrieved if needed.
2617
2618 2017-07-26  Brian Burg  <bburg@apple.com>
2619
2620         Remove WEB_TIMING feature flag
2621         https://bugs.webkit.org/show_bug.cgi?id=174795
2622
2623         Reviewed by Alex Christensen.
2624
2625         * Configurations/FeatureDefines.xcconfig:
2626
2627 2017-07-26  Mark Lam  <mark.lam@apple.com>
2628
2629         Add the ability to change sp and pc to the ARM64 JIT probe.
2630         https://bugs.webkit.org/show_bug.cgi?id=174697
2631         <rdar://problem/33436965>
2632
2633         Reviewed by JF Bastien.
2634
2635         This patch implements the following:
2636
2637         1. The ARM64 probe now supports modifying the pc and sp.
2638
2639            However, lr is not preserved when modifying the pc because it is used as the
2640            scratch register for the indirect jump. Hence, the probe handler function
2641            may not modify both lr and pc in the same probe invocation.
2642
        2. Fix probe tests to use bitwise comparison when comparing double register
           values. Otherwise, equivalent NaN values will be interpreted as not equivalent.
2645
2646         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
2647            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
2648            instructions which require 16 byte alignment for their memory access.
2649
2650         * assembler/MacroAssemblerARM64.cpp:
2651         (JSC::arm64ProbeError):
2652         (JSC::MacroAssembler::probe):
2653         (JSC::arm64ProbeTrampoline): Deleted.
2654         * assembler/testmasm.cpp:
2655         (JSC::isSpecialGPR):
2656         (JSC::testProbeReadsArgumentRegisters):
2657         (JSC::testProbeWritesArgumentRegisters):
2658         (JSC::testProbePreservesGPRS):
2659         (JSC::testProbeModifiesStackPointer):
2660         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2661         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2662
2663 2017-07-25  JF Bastien  <jfbastien@apple.com>
2664
2665         WebAssembly: generate smaller binaries
2666         https://bugs.webkit.org/show_bug.cgi?id=174818
2667
2668         Reviewed by Filip Pizlo.
2669
2670         This patch reduces generated code size for WebAssembly in 2 ways:
2671
2672         1. Use the ZR register when storing zero on ARM64.
2673         2. Synthesize wasm context lazily.
2674
2675         This leads to a modest size reduction on both x86-64 and ARM64 for
2676         large WebAssembly games, without any performance loss on WasmBench
2677         and TitzerBench.
2678
2679         The reason this works is that these games, using Emscripten,
2680         generate 100k+ tiny functions, and our JIT allocation granule
2681         rounds all allocations up to 32 bytes. There are plenty of other
2682         simple gains to be had, I've filed a follow-up bug at
2683         webkit.org/b/174819
2684
2685         We should further avoid the per-function cost of tiering, which
2686         represents the bulk of code generated for small functions.
2687
2688         * assembler/MacroAssemblerARM64.h:
2689         (JSC::MacroAssemblerARM64::storeZero64):
2690         * assembler/MacroAssemblerX86_64.h:
2691         (JSC::MacroAssemblerX86_64::storeZero64):
2692         * b3/B3LowerToAir.cpp:
2693         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
2694         for x86 because it constrains register reuse and codegen in a way
2695         that doesn't affect ARM64 because it has a dedicated zero
2696         register.
2697         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
2698         * wasm/WasmB3IRGenerator.cpp:
2699         (JSC::Wasm::B3IRGenerator::instanceValue):
2700         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
2701         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2702         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
2703
2704 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
2705
2706         B3 should do LICM
2707         https://bugs.webkit.org/show_bug.cgi?id=174750
2708
2709         Reviewed by Keith Miller and Saam Barati.
2710         
2711         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
2712         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
2713         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
2714         change templatizes DFG::NaturalLoops so that we can just use it.
2715         
2716         The LICM phase itself is really simple. We are decently precise with our handling of everything except
2717         the relationship between control dependence and side exits.
2718         
2719         Also added a bunch of tests.
2720         
2721         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
2722         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
2723         so it doesn't hurt to have it.
2724         
        I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
        handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
2727         it's good to have it because LICM is one of those core compiler phases; every compiler has it
2728         eventually.
2729
2730         * CMakeLists.txt:
2731         * JavaScriptCore.xcodeproj/project.pbxproj:
2732         * b3/B3BackwardsCFG.h: Added.
2733         (JSC::B3::BackwardsCFG::BackwardsCFG):
2734         * b3/B3BackwardsDominators.h: Added.
2735         (JSC::B3::BackwardsDominators::BackwardsDominators):
2736         * b3/B3BasicBlock.cpp:
2737         (JSC::B3::BasicBlock::appendNonTerminal):
2738         * b3/B3Effects.h:
2739         * b3/B3EnsureLoopPreHeaders.cpp: Added.
2740         (JSC::B3::ensureLoopPreHeaders):
2741         * b3/B3EnsureLoopPreHeaders.h: Added.
2742         * b3/B3Generate.cpp:
2743         (JSC::B3::generateToAir):
2744         * b3/B3HoistLoopInvariantValues.cpp: Added.
2745         (JSC::B3::hoistLoopInvariantValues):
2746         * b3/B3HoistLoopInvariantValues.h: Added.
2747         * b3/B3NaturalLoops.h: Added.
2748         (JSC::B3::NaturalLoops::NaturalLoops):
2749         * b3/B3Procedure.cpp:
2750         (JSC::B3::Procedure::invalidateCFG):
2751         (JSC::B3::Procedure::naturalLoops):
2752         (JSC::B3::Procedure::backwardsCFG):
2753         (JSC::B3::Procedure::backwardsDominators):
2754         * b3/B3Procedure.h:
2755         * b3/testb3.cpp:
2756         (JSC::B3::generateLoop):
2757         (JSC::B3::makeArrayForLoops):
2758         (JSC::B3::generateLoopNotBackwardsDominant):
2759         (JSC::B3::oneFunction):
2760         (JSC::B3::noOpFunction):
2761         (JSC::B3::testLICMPure):
2762         (JSC::B3::testLICMPureSideExits):
2763         (JSC::B3::testLICMPureWritesPinned):
2764         (JSC::B3::testLICMPureWrites):
2765         (JSC::B3::testLICMReadsLocalState):
2766         (JSC::B3::testLICMReadsPinned):
2767         (JSC::B3::testLICMReads):
2768         (JSC::B3::testLICMPureNotBackwardsDominant):
2769         (JSC::B3::testLICMPureFoiledByChild):
2770         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
2771         (JSC::B3::testLICMExitsSideways):
2772         (JSC::B3::testLICMWritesLocalState):
2773         (JSC::B3::testLICMWrites):
2774         (JSC::B3::testLICMFence):
2775         (JSC::B3::testLICMWritesPinned):
2776         (JSC::B3::testLICMControlDependent):
2777         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
2778         (JSC::B3::testLICMControlDependentSideExits):
2779         (JSC::B3::testLICMReadsPinnedWritesPinned):
2780         (JSC::B3::testLICMReadsWritesDifferentHeaps):
2781         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
2782         (JSC::B3::testLICMDefaultCall):
2783         (JSC::B3::run):
2784         * dfg/DFGBasicBlock.h:
2785         * dfg/DFGCFG.h:
2786         * dfg/DFGNaturalLoops.cpp: Removed.
2787         * dfg/DFGNaturalLoops.h:
2788         (JSC::DFG::NaturalLoops::NaturalLoops):
2789         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
2790         (JSC::DFG::NaturalLoop::header): Deleted.
2791         (JSC::DFG::NaturalLoop::size): Deleted.
2792         (JSC::DFG::NaturalLoop::at): Deleted.
2793         (JSC::DFG::NaturalLoop::operator[]): Deleted.
2794         (JSC::DFG::NaturalLoop::contains): Deleted.
2795         (JSC::DFG::NaturalLoop::index): Deleted.
2796         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
2797         (JSC::DFG::NaturalLoop::addBlock): Deleted.
2798         (JSC::DFG::NaturalLoops::numLoops): Deleted.
2799         (JSC::DFG::NaturalLoops::loop): Deleted.
2800         (JSC::DFG::NaturalLoops::headerOf): Deleted.
2801         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
2802         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
2803         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
2804         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
2805
2806 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
2807
2808         GC should be fine with trading blocks between destructor and non-destructor blocks
2809         https://bugs.webkit.org/show_bug.cgi?id=174811
2810
2811         Reviewed by Mark Lam.
2812         
2813         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
2814         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
2815         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
2816         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
2817         set.
2818         
2819         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
2820         is empty if:
2821         
2822         A) It has no live objects and it's a non-destructor block, or
2823         B) We just allocated it (so it has no destructors even if it's a destructor block), or
2824         C) We just stole it from another allocator (so it also has no destructors), or
2825         D) We just swept the block and ran all destructors.
2826         
2827         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
2828         block that could be stolen.
2829
2830         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
2831         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
2832         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
2833         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
2834         
2835         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
2836         
2837         If we tried to enable trading of blocks between allocators without making any changes to how
2838         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
2839         live objects in order for those bits to be candidates for trading. But if we do that, then our
2840         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
2841         our destructors won't run and we'll leak memory.
2842         
2843         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
2844         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
2845         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
2846         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
2847         are (empty & ~destructible).
2848         
2849         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
2850         remove destructor-oriented special-casing of block trading.
2851
2852         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
2853         so this change is more about clean-up than perf. But, this could reduce memory usage in some
2854         pathological cases.
2855         
2856         * heap/MarkedAllocator.cpp:
2857         (JSC::MarkedAllocator::findEmptyBlockToSteal):
2858         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2859         (JSC::MarkedAllocator::endMarking):
2860         (JSC::MarkedAllocator::shrink):
2861         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
2862         * heap/MarkedAllocator.h:
2863         * heap/MarkedBlock.cpp:
2864         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2865         (JSC::MarkedBlock::Handle::sweep):
2866         * heap/MarkedBlockInlines.h:
2867         (JSC::MarkedBlock::Handle::specializedSweep):
2868         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
2869         (JSC::MarkedBlock::Handle::emptyMode):
2870
2871 2017-07-25  Keith Miller  <keith_miller@apple.com>
2872
2873         Remove Broken CompareEq constant folding phase.
2874         https://bugs.webkit.org/show_bug.cgi?id=174846
2875         <rdar://problem/32978808>
2876
2877         Reviewed by Saam Barati.
2878
2879         This bug happened when we would get code like the following:
2880
2881         a: JSConst(Undefined)
2882         b: GetLocal(SomeObjectOrUndefined)
2883         ...
2884         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
2885
2886         constant folding will turn this into:
2887
2888         a: JSConst(Undefined)
2889         b: GetLocal(SomeObjectOrUndefined)
2890         ...
2891         c: CompareEq(Check:ObjectOrOther:b, Other:a)
2892
2893         But the SpeculativeJIT/FTL lowering will fail to check b
2894         properly which leads to an assertion failure in the AI.
2895
2896         I'll follow up with a more robust fix later. For now, I'll remove the
2897         case that generates the code. Removing the code appears to be perf
2898         neutral.
2899
2900         * dfg/DFGConstantFoldingPhase.cpp:
2901         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2902
2903 2017-07-25  Matt Baker  <mattbaker@apple.com>
2904
2905         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
2906         https://bugs.webkit.org/show_bug.cgi?id=174738
2907
2908         Reviewed by Brian Burg.
2909
2910         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
2911         stack traces. This preserves the call type in JSC, makes the range of
2912         possible call types explicit, and is safer than passing ints.
2913
2914         * inspector/agents/InspectorDebuggerAgent.cpp:
2915         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
2916         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2917         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2918         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2919         * inspector/agents/InspectorDebuggerAgent.h:
2920
2921 2017-07-25  Mark Lam  <mark.lam@apple.com>
2922
2923         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
2924         https://bugs.webkit.org/show_bug.cgi?id=174809
2925         <rdar://problem/33504759>
2926
2927         Reviewed by Filip Pizlo.
2928
2929         1. When the probe handler function changes the sp register to point to the
2930            region of stack in the middle of the ProbeContext on the stack, there is a
2931            bug where the ProbeContext's register values to be restored can be over-written
2932            before they can be restored.  This is now fixed.
2933
2934         2. Added more robust probe tests for changing the sp register.
2935
2936         3. Made existing probe tests ensure that probe handlers were actually called.
2937
2938         4. Added some verification to testProbePreservesGPRS().
2939
2940         5. Change all the probe tests to fail early on discovering an error instead of
2941            batching till the end of the test.  This helps point a finger to the failing
2942            issue earlier.
2943
2944         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
2945         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
2946
2947         * assembler/MacroAssemblerARM.cpp:
2948         * assembler/MacroAssemblerARMv7.cpp:
2949         * assembler/MacroAssemblerX86Common.cpp:
2950         * assembler/testmasm.cpp:
2951         (JSC::testProbeReadsArgumentRegisters):
2952         (JSC::testProbeWritesArgumentRegisters):
2953         (JSC::testProbePreservesGPRS):
2954         (JSC::testProbeModifiesStackPointer):
2955         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2956         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2957         (JSC::testProbeModifiesProgramCounter):
2958         (JSC::run):
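
An added toy reconstruction of the hazard in item 1, written in C for this page; it is neither the probe trampoline code nor the fix in this commit. It assumes a context saved on a simulated stack (the gprs followed by the resume sp), a trampoline that writes `SCRATCH_WORDS` words just below the resume sp before jumping back, and a handler that moves sp into the middle of the saved gprs; every name and the layout are the toy's own. The two restore routines differ only in order: the buggy one writes below the new sp and then reads the saved registers from the context, the fixed one takes all saved values out of the context before any write that the new sp may alias.

```c
/* Added toy model in C (not WebKit code): a probe context saved on a simulated
   stack, a handler that moves sp into it, and two restore orders. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NUM_GPRS 8
#define SCRATCH_WORDS 2 /* words the trampoline writes just below the resume sp */
#define STACK_WORDS 32

typedef struct {
    uintptr_t gprs[NUM_GPRS]; /* register values to restore */
    uintptr_t resume_sp;      /* word index to continue with; the handler may change it */
} probe_context;

#define CTX_WORDS (sizeof(probe_context) / sizeof(uintptr_t))

/* words[i]: lower index = lower address, like a downward-growing stack */
typedef struct { uintptr_t words[STACK_WORDS]; } toy_stack;

/* Save a context at word index base with gprs[i] = 100 + i, and a resume sp far
   enough above the context that the trampoline's scratch writes cannot touch it. */
static void save_context(toy_stack* st, size_t base)
{
    probe_context ctx;
    for (size_t i = 0; i < NUM_GPRS; i++) ctx.gprs[i] = 100 + i;
    ctx.resume_sp = base + CTX_WORDS + SCRATCH_WORDS;
    memcpy(&st->words[base], &ctx, sizeof ctx);
}

static uintptr_t read_resume_sp(const toy_stack* st, size_t base)
{
    uintptr_t sp;
    memcpy(&sp, &st->words[base + NUM_GPRS], sizeof sp); /* the resume_sp field */
    return sp;
}

/* The probe handler under test: point sp into the middle of the saved gprs. */
static void handler_moves_sp_into_context(toy_stack* st, size_t base)
{
    uintptr_t new_sp = base + 3;
    memcpy(&st->words[base + NUM_GPRS], &new_sp, sizeof new_sp);
}

/* 1 if the scratch writes [sp - SCRATCH_WORDS, sp) land inside the context. */
static int scratch_overlaps_context(size_t base, size_t sp)
{
    return sp - SCRATCH_WORDS < base + CTX_WORDS && base < sp;
}

static int count_intact(const probe_context* ctx)
{
    int ok = 0;
    for (size_t i = 0; i < NUM_GPRS; i++) ok += ctx->gprs[i] == 100 + i;
    return ok;
}

/* Buggy order: push the scratch words below the new sp first, then read the
   gprs out of the context in stack memory. With sp inside the context, the
   pushes land on gprs that have not been read yet. Returns intact gprs. */
static int restore_write_then_read(toy_stack* st, size_t base)
{
    uintptr_t sp = read_resume_sp(st, base);
    for (size_t i = 1; i <= SCRATCH_WORDS; i++) st->words[sp - i] = 0xDEADu;
    probe_context ctx;
    memcpy(&ctx, &st->words[base], sizeof ctx);
    return count_intact(&ctx);
}

/* Fixed order: take every saved value out of the context before writing to
   any memory the new sp may alias. */
static int restore_read_then_write(toy_stack* st, size_t base)
{
    probe_context ctx;
    memcpy(&ctx, &st->words[base], sizeof ctx);
    for (size_t i = 1; i <= SCRATCH_WORDS; i++) st->words[ctx.resume_sp - i] = 0xDEADu;
    return count_intact(&ctx);
}

/* Save, let the handler move sp, restore with the given order; returns intact gprs. */
static int scenario(int (*restore)(toy_stack*, size_t))
{
    toy_stack st;
    memset(&st, 0, sizeof st);
    save_context(&st, 4);
    handler_moves_sp_into_context(&st, 4);
    return restore(&st, 4);
}
```

With the context at word 4 and the handler setting sp to word 7, the two scratch writes hit words 5 and 6, which are `gprs[1]` and `gprs[2]`; `scenario(restore_write_then_read)` therefore returns two fewer intact registers than `scenario(restore_read_then_write)`. `scratch_overlaps_context()` is the check a trampoline would make to know it is in this situation; in the toy the fixed path does not need it because it reads everything first regardless.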
2959
2960 2017-07-25  Brian Burg  <bburg@apple.com>
2961
2962         Web Automation: add support for uploading files
2963         https://bugs.webkit.org/show_bug.cgi?id=174797
2964         <rdar://problem/28485063>
2965
2966         Reviewed by Joseph Pecoraro.
2967
2968         * inspector/scripts/generate-inspector-protocol-bindings.py:
2969         (generate_from_specification):
2970         Start generating frontend dispatcher code if the target framework is 'WebKit'.
2971
2972         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2973         (CppFrontendDispatcherImplementationGenerator.generate_output):
2974         Use a framework include for InspectorFrontendRouter.h since this generated code
2975         will be compiled outside of WebCore.framework.
2976
2977         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2978         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2979         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2980         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2981         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2982         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2983         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2984         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2985         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2986         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2987         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2988         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2989         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2990         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2991         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2992         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2993         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2994         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2995         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2996         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2997         Rebaseline code generator tests.
2998
2999 2017-07-24  Mark Lam  <mark.lam@apple.com>
3000
3001         Gardening: fixed C Loop build after r219790.
3002         https://bugs.webkit.org/show_bug.cgi?id=174696
3003
3004         Not reviewed.
3005
3006         * assembler/testmasm.cpp:
3007
3008 2017-07-23  Mark Lam  <mark.lam@apple.com>
3009
3010         Create regression tests for the JIT probe.
3011         https://bugs.webkit.org/show_bug.cgi?id=174696
3012         <rdar://problem/33436922>
3013
3014         Reviewed by Saam Barati.
3015
3016         The new testmasm will test the following:
3017         1. the probe is able to read the value of CPU registers.
3018         2. the probe is able to write the value of CPU registers.
3019         3. the probe is able to preserve all CPU registers.
3020         4. special case of (2): the probe is able to change the value of the stack pointer.
3021         5. special case of (2): the probe is able to change the value of the program counter
3022            i.e. the probe can change where the code continues executing upon returning from
3023            the probe.
3024
3025         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
3026         because it does not support changing the sp and pc yet.  The ARM64 probe
3027         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
3028         later.
3029
3030         * Configurations/ToolExecutable.xcconfig:
3031         * JavaScriptCore.xcodeproj/project.pbxproj:
3032         * assembler/MacroAssembler.h:
3033         (JSC::MacroAssembler::CPUState::pc):
3034         (JSC::MacroAssembler::CPUState::fp):
3035         (JSC::MacroAssembler::CPUState::sp):
3036         (JSC::ProbeContext::pc):
3037         (JSC::ProbeContext::fp):
3038         (JSC::ProbeContext::sp):
3039         * assembler/MacroAssemblerARM64.cpp:
3040         (JSC::arm64ProbeTrampoline):
3041         * assembler/MacroAssemblerPrinter.cpp:
3042         (JSC::Printer::printPCRegister):
3043         * assembler/testmasm.cpp: Added.
3044         (hiddenTruthBecauseNoReturnIsStupid):
3045         (usage):
3046         (JSC::nextID):
3047         (JSC::isPC):
3048         (JSC::isSP):
3049         (JSC::isFP):
3050         (JSC::compile):
3051         (JSC::invoke):
3052         (JSC::compileAndRun):
3053         (JSC::testSimple):
3054         (JSC::testProbeReadsArgumentRegisters):
3055         (JSC::testProbeWritesArgumentRegisters):
3056         (JSC::testFunctionToTrashRegisters):
3057         (JSC::testProbePreservesGPRS):
3058         (JSC::testProbeModifiesStackPointer):
3059         (JSC::testProbeModifiesProgramCounter):
3060         (JSC::run):
3061         (run):
3062         (main):
3063         * b3/air/testair.cpp:
3064         (usage):
3065         * shell/CMakeLists.txt:
3066
3067 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
3068
3069         It should be easy to decide how WebKit yields
3070         https://bugs.webkit.org/show_bug.cgi?id=174298
3071
3072         Reviewed by Saam Barati.
3073         
3074         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
3075
3076         * heap/Heap.cpp:
3077         (JSC::Heap::resumeThePeriphery):
3078         * heap/VisitingTimeout.h:
3079         * runtime/JSCell.cpp:
3080         (JSC::JSCell::lockSlow):
3081         (JSC::JSCell::unlockSlow):
3082         * runtime/JSCell.h:
3083         * runtime/JSCellInlines.h:
3084         (JSC::JSCell::lock):
3085         (JSC::JSCell::unlock):
3086         * runtime/JSLock.cpp:
3087         (JSC::JSLock::grabAllLocks):
3088         * runtime/SamplingProfiler.cpp:
3089
3090 2017-07-21  Mark Lam  <mark.lam@apple.com>
3091
3092         Refactor MASM probe CPUState to use arrays for register storage.
3093         https://bugs.webkit.org/show_bug.cgi?id=174694
3094
3095         Reviewed by Keith Miller.
3096
3097         Using arrays for register storage in CPUState allows us to do away with the
3098         huge switch statements to decode each register id.  We can now simply index into
3099         the arrays.
3100
3101         With this patch, we now:
3102
3103         1. Remove the need for macros for defining the list of CPU registers.
3104            We can go back to simple enums.  This makes the code easier to read.
3105
3106         2. Make the assembler the authority on register names.
3107            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
3108            GPRInfo and FPRInfo now forward to the assembler.
3109
3110         3. Make the assembler the authority on the number of registers of each type.
3111
3112         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
3113            This is inconsistent with how every other CPU architecture implements
3114            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
3115            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
3116
3117         * assembler/ARM64Assembler.h:
3118         (JSC::ARM64Assembler::numberOfRegisters):
3119         (JSC::ARM64Assembler::firstSPRegister):
3120         (JSC::ARM64Assembler::lastSPRegister):
3121         (JSC::ARM64Assembler::numberOfSPRegisters):
3122         (JSC::ARM64Assembler::numberOfFPRegisters):
3123         (JSC::ARM64Assembler::gprName):
3124         (JSC::ARM64Assembler::sprName):
3125         (JSC::ARM64Assembler::fprName):
3126         * assembler/ARMAssembler.h:
3127         (JSC::ARMAssembler::numberOfRegisters):
3128         (JSC::ARMAssembler::firstSPRegister):
3129         (JSC::ARMAssembler::lastSPRegister):
3130         (JSC::ARMAssembler::numberOfSPRegisters):
3131         (JSC::ARMAssembler::numberOfFPRegisters):
3132         (JSC::ARMAssembler::gprName):
3133         (JSC::ARMAssembler::sprName):
3134         (JSC::ARMAssembler::fprName):
3135         * assembler/ARMv7Assembler.h:
3136         (JSC::ARMv7Assembler::lastRegister):
3137         (JSC::ARMv7Assembler::numberOfRegisters):
3138         (JSC::ARMv7Assembler::firstSPRegister):
3139         (JSC::ARMv7Assembler::lastSPRegister):
3140         (JSC::ARMv7Assembler::numberOfSPRegisters):
3141         (JSC::ARMv7Assembler::numberOfFPRegisters):
3142         (JSC::ARMv7Assembler::gprName):
3143         (JSC::ARMv7Assembler::sprName):
3144         (JSC::ARMv7Assembler::fprName):
3145         * assembler/AbstractMacroAssembler.h:
3146         (JSC::AbstractMacroAssembler::numberOfRegisters):
3147         (JSC::AbstractMacroAssembler::gprName):
3148         (JSC::AbstractMacroAssembler::firstSPRegister):
3149         (JSC::AbstractMacroAssembler::lastSPRegister):
3150         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
3151         (JSC::AbstractMacroAssembler::sprName):
3152         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
3153         (JSC::AbstractMacroAssembler::fprName):
3154         * assembler/MIPSAssembler.h:
3155         (JSC::MIPSAssembler::numberOfRegisters):
3156         (JSC::MIPSAssembler::firstSPRegister):
3157         (JSC::MIPSAssembler::lastSPRegister):
3158         (JSC::MIPSAssembler::numberOfSPRegisters):
3159         (JSC::MIPSAssembler::numberOfFPRegisters):
3160         (JSC::MIPSAssembler::gprName):
3161         (JSC::MIPSAssembler::sprName):
3162         (JSC::MIPSAssembler::fprName):
3163         * assembler/MacroAssembler.h:
3164         (JSC::MacroAssembler::CPUState::gprName):
3165         (JSC::MacroAssembler::CPUState::sprName):
3166         (JSC::MacroAssembler::CPUState::fprName):
3167         (JSC::MacroAssembler::CPUState::gpr):
3168         (JSC::MacroAssembler::CPUState::spr):
3169         (JSC::MacroAssembler::CPUState::fpr):
3170         (JSC::MacroAssembler::CPUState::pc):
3171         (JSC::MacroAssembler::CPUState::fp):
3172         (JSC::MacroAssembler::CPUState::sp):
3173         (JSC::ProbeContext::gpr):
3174         (JSC::ProbeContext::spr):
3175         (JSC::ProbeContext::fpr):
3176         (JSC::ProbeContext::gprName):
3177         (JSC::ProbeContext::sprName):
3178         (JSC::ProbeContext::fprName):
3179         (JSC::MacroAssembler::numberOfRegisters): Deleted.
3180         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
3181         * assembler/MacroAssemblerARM.cpp:
3182         * assembler/MacroAssemblerARM64.cpp:
3183         (JSC::arm64ProbeTrampoline):
3184         * assembler/MacroAssemblerARMv7.cpp:
3185         * assembler/MacroAssemblerPrinter.cpp:
3186         (JSC::Printer::nextID):
3187         (JSC::Printer::printAllRegisters):
3188         (JSC::Printer::printPCRegister):
3189         (JSC::Printer::printRegisterID):
3190         (JSC::Printer::printAddress):
3191         * assembler/MacroAssemblerX86Common.cpp:
3192         * assembler/X86Assembler.h:
3193         (JSC::X86Assembler::numberOfRegisters):
3194         (JSC::X86Assembler::firstSPRegister):
3195         (JSC::X86Assembler::lastSPRegister):
3196         (JSC::X86Assembler::numberOfSPRegisters):
3197         (JSC::X86Assembler::numberOfFPRegisters):
3198         (JSC::X86Assembler::gprName):
3199         (JSC::X86Assembler::sprName):
3200         (JSC::X86Assembler::fprName):
3201         * jit/FPRInfo.h:
3202         (JSC::FPRInfo::debugName):
3203         * jit/GPRInfo.h:
3204         (JSC::GPRInfo::debugName):
3205         * jit/RegisterSet.cpp:
3206         (JSC::RegisterSet::reservedHardwareRegisters):
3207
3208 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3209
3210         [JSC] Introduce static symbols
3211         https://bugs.webkit.org/show_bug.cgi?id=158863
3212
3213         Reviewed by Darin Adler.
3214
3215         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
3216         As a result, we can share the same Symbol values between VMs and threads.
3217         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
3218
3219         * CMakeLists.txt:
3220         * JavaScriptCore.xcodeproj/project.pbxproj:
3221         * builtins/BuiltinNames.cpp: Added.
3222         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
3223
3224         * builtins/BuiltinNames.h:
3225         (JSC::BuiltinNames::BuiltinNames):
3226         * builtins/BuiltinUtils.h:
3227
3228 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3229
3230         [FTL] Arguments elimination is suppressed by unreachable blocks
3231         https://bugs.webkit.org/show_bug.cgi?id=174352
3232
3233         Reviewed by Filip Pizlo.
3234
3235         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
3236         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
3237         Since GetById without information can escape arguments if it is specified, non-executed code including
3238         op_get_by_id with arguments can escape arguments.
3239
3240         For example,
3241
3242             function test(flag)
3243             {
3244                 if (flag) {
3245                     // This is not executed, but emits GetById with arguments.
3246                     // It prevents us from eliminating materialization.
3247                     return arguments.length;
3248                 }
3249                 return arguments.length;
3250             }
3251             noInline(test);
3252             while (true)
3253                 test(false);
3254
3255         We do not perform CFA and dead-node clipping yet when performing the arguments elimination phase.
3256         So this GetById exists and escapes arguments.
3257
3258         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
3259         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
3260         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
3261
3262         * dfg/DFGArgumentsEliminationPhase.cpp:
3263         * dfg/DFGNode.h:
3264         (JSC::DFG::Node::isPseudoTerminal):
3265         * dfg/DFGValidate.cpp:
3266
3267 2017-07-20  Chris Dumez  <cdumez@apple.com>
3268
3269         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
3270         https://bugs.webkit.org/show_bug.cgi?id=174660
3271
3272         Reviewed by Geoffrey Garen.
3273
3274         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
3275         This essentially replaces a branch to figure out if the new size is less than or greater than the
3276         current size with an assertion.
3277
3278         * b3/B3BasicBlockUtils.h:
3279         (JSC::B3::clearPredecessors):
3280         * b3/B3InferSwitches.cpp:
3281         * b3/B3LowerToAir.cpp:
3282         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
3283         * b3/B3ReduceStrength.cpp:
3284         * b3/B3SparseCollection.h:
3285         (JSC::B3::SparseCollection::packIndices):
3286         * b3/B3UseCounts.cpp:
3287         (JSC::B3::UseCounts::UseCounts):
3288         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
3289         * b3/air/AirEmitShuffle.cpp:
3290         (JSC::B3::Air::emitShuffle):
3291         * b3/air/AirLowerAfterRegAlloc.cpp:
3292         (JSC::B3::Air::lowerAfterRegAlloc):
3293         * b3/air/AirOptimizeBlockOrder.cpp:
3294         (JSC::B3::Air::optimizeBlockOrder):
3295         * bytecode/Operands.h:
3296         (JSC::Operands::ensureLocals):
3297         * bytecode/PreciseJumpTargets.cpp:
3298         (JSC::computePreciseJumpTargetsInternal):
3299         * dfg/DFGBlockInsertionSet.cpp:
3300         (JSC::DFG::BlockInsertionSet::execute):
3301         * dfg/DFGBlockMapInlines.h:
3302         (JSC::DFG::BlockMap<T>::BlockMap):
3303         * dfg/DFGByteCodeParser.cpp:
3304         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
3305         (JSC::DFG::ByteCodeParser::clearCaches):
3306         * dfg/DFGDisassembler.cpp:
3307         (JSC::DFG::Disassembler::Disassembler):
3308         * dfg/DFGFlowIndexing.cpp:
3309         (JSC::DFG::FlowIndexing::recompute):
3310         * dfg/DFGGraph.cpp:
3311         (JSC::DFG::Graph::registerFrozenValues):
3312         * dfg/DFGInPlaceAbstractState.cpp:
3313         (JSC::DFG::setLiveValues):
3314         * dfg/DFGLICMPhase.cpp:
3315         (JSC::DFG::LICMPhase::run):
3316         * dfg/DFGLivenessAnalysisPhase.cpp:
3317         * dfg/DFGNaturalLoops.cpp:
3318         (JSC::DFG::NaturalLoops::NaturalLoops):
3319         * dfg/DFGStoreBarrierClusteringPhase.cpp:
3320         * ftl/FTLLowerDFGToB3.cpp:
3321         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3322         * heap/CodeBlockSet.cpp:
3323         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3324         * heap/MarkedSpace.cpp:
3325         (JSC::MarkedSpace::sweepLargeAllocations):
3326         * inspector/ContentSearchUtilities.cpp:
3327         (Inspector::ContentSearchUtilities::findMagicComment):
3328         * interpreter/ShadowChicken.cpp:
3329         (JSC::ShadowChicken::update):
3330         * parser/ASTBuilder.h:
3331         (JSC::ASTBuilder::shrinkOperandStackBy):
3332         * parser/Lexer.h:
3333         (JSC::Lexer::setOffset):
3334         * runtime/RegExpInlines.h:
3335         (JSC::RegExp::matchInline):
3336         * runtime/RegExpPrototype.cpp:
3337         (JSC::genericSplit):
3338         * yarr/RegularExpression.cpp:
3339         (JSC::Yarr::RegularExpression::match):
3340
3341 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3342
3343         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
3344         https://bugs.webkit.org/show_bug.cgi?id=174678
3345
3346         Reviewed by Mark Lam.
3347
3348         Use Thread& instead.
3349
3350         * runtime/JSLock.cpp:
3351         (JSC::JSLock::didAcquireLock):
3352
3353 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3354
3355         [WTF] Implement WTF::ThreadGroup
3356         https://bugs.webkit.org/show_bug.cgi?id=174081
3357
3358         Reviewed by Mark Lam.
3359
3360         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
3361         And SamplingProfiler and others interact with WTF::Thread directly.
3362
3363         * API/tests/ExecutionTimeLimitTest.cpp:
3364         * heap/MachineStackMarker.cpp:
3365         (JSC::MachineThreads::MachineThreads):
3366         (JSC::captureStack):
3367         (JSC::MachineThreads::tryCopyOtherThreadStack):
3368         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3369         (JSC::MachineThreads::gatherConservativeRoots):
3370         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3371         (JSC::ActiveMachineThreadsManager::add): Deleted.
3372         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3373         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3374         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3375         (JSC::activeMachineThreadsManager): Deleted.
3376         (JSC::MachineThreads::~MachineThreads): Deleted.
3377         (JSC::MachineThreads::addCurrentThread): Deleted.
3378         (): Deleted.
3379         (JSC::MachineThreads::removeThread): Deleted.
3380         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3381         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3382         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3383         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3384         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3385         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3386         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3387         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3388         * heap/MachineStackMarker.h:
3389         (JSC::MachineThreads::addCurrentThread):
3390         (JSC::MachineThreads::getLock):
3391         (JSC::MachineThreads::threads):
3392         (JSC::MachineThreads::MachineThread::suspend): Deleted.