Gardening: fix CLoop build.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-20  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Not reviewed.

        Make these files dependent on ENABLE(MASM_PROBE).

        * assembler/ProbeContext.cpp:
        * assembler/ProbeContext.h:
        * assembler/ProbeStack.cpp:
        * assembler/ProbeStack.h:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Reviewed by JF Bastien.

        With this patch, the clients of the MacroAssembler::probe() can now change
        stack values without having to worry about whether there is enough room in the
        current stack frame for it or not.  This is done using the Probe::Context's stack
        member like so:

            jit.probe([] (Probe::Context& context) {
                auto cpu = context.cpu;
                auto stack = context.stack();
                uintptr_t* currentSP = cpu.sp<uintptr_t*>();

                // Get a value at the current stack pointer location.
                auto value = stack.get<uintptr_t>(currentSP);

                // Set a value above the current stack pointer (within current frame).
                stack.set<uintptr_t>(currentSP + 10, value);

                // Set a value below the current stack pointer (out of current frame).
                stack.set<uintptr_t>(currentSP - 10, value);

                // Set the new stack pointer.
                cpu.sp() = currentSP - 20;
            });

        What happens behind the scene:

        1. the generated JIT probe code will now call Probe::executeProbe(), and
           Probe::executeProbe() will in turn call the client's probe function.

           Probe::executeProbe() receives the Probe::State on the machine stack passed
           to it by the probe trampoline.  Probe::executeProbe() will instantiate a
           Probe::Context to be passed to the client's probe function.  The client will
           no longer see the Probe::State directly.

        2. The Probe::Context comes with a Probe::Stack which serves as a manager of
           stack pages.  Currently, each page is 1K in size.
           Probe::Context::stack() returns a reference to an instance of Probe::Stack.

        3. Invoking get() or set() on Probe::Stack with an address will lead to the
           following:

           a. the address will be decoded to a baseAddress that points to the 1K page
              that contains that address.

           b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
              If so, go to step (f).  Else, continue with step (c).

           c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
              for that specified baseAddress to this mirror page.

           d. the mirror page will be added to the ProbeStack's m_pages HashMap,
              keyed on the baseAddress.

           e. the ProbeStack will also cache the last baseAddress and its corresponding
              mirror page in use.  With memory accesses tending to be localized, this
              will save us from having to look up the page in the HashMap.

           f. get() will map the requested address to a physical address in the mirror
              page, and return the value at that location.

           g. set() will map the requested address to a physical address in the mirror
              page, and set the value at that location in the mirror page.

              set() will also set a dirty bit corresponding to the "cache line" that
              was modified in the mirror page.

        4. When the client's probe function returns, Probe::executeProbe() will check if
           there are stack changes that need to be applied.  If stack changes are needed:

           a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
              space is available to flush the dirty stack pages.  It will also register a
              flushStackDirtyPages callback function in the Probe::State.  Thereafter,
              Probe::executeProbe() returns to the probe trampoline.

           b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
              a safe place if needed, and then calls the flushStackDirtyPages callback
              if needed.

           c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
              HashMap and flushes all dirty "cache lines" to the machine stack.
              Thereafter, flushStackDirtyPages() returns to the probe trampoline.

           d. lastly, the probe trampoline will restore all register values and return
              to the pc set in the Probe::State.

        To make this patch work, I also had to do the following work:

        5. Refactor MacroAssembler::CPUState into Probe::CPUState.
           Mainly, this means moving the code over to ProbeContext.h.
           I also added some convenience accessor methods for spr registers.

           Moved Probe::Context over to its own file ProbeContext.h/cpp.

        6. Fix all probe trampolines to pass the address of Probe::executeProbe in
           addition to the client's probe function and arg.

           I also took this opportunity to optimize the generated JIT probe code to
           minimize the amount of memory stores needed.

        7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
           either lr or pc (or neither), but not both in the same probe invocation.
           The ARM64 probe trampoline used to have to check for this invariant in the
           assembly trampoline code.  With the introduction of Probe::executeProbe(),
           we can now do it there and simplify the trampoline.

        8. Fix a bug in the old ARM64 probe trampoline for the case where the client
           changes lr.  That code path never worked before, but has now been fixed.

        9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
           MacroAssemblerARMv7.

           We can now use move() with TrustedImmPtr, and it does the same thing but in a
           more generic way.

       10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
           the same semantics as movs (according to the Thumb spec).  This means these
           instructions may trash the APSR flags before we have a chance to preserve them.

           This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
           early on.  This entails adding support for the mrs instruction in the
           ARMv7Assembler.

       11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
           the easy way.

           Also fixed testmasm tests which check flag registers to only compare the
           portions that are modifiable by the client i.e. some masking is applied.

        This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::mrs):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName): Deleted.
        (JSC::MacroAssembler::CPUState::sprName): Deleted.
        (JSC::MacroAssembler::CPUState::fprName): Deleted.
        (JSC::MacroAssembler::CPUState::gpr): Deleted.
        (JSC::MacroAssembler::CPUState::spr): Deleted.
        (JSC::MacroAssembler::CPUState::fpr): Deleted.
        (JSC:: const): Deleted.
        (JSC::MacroAssembler::CPUState::fpr const): Deleted.
        (JSC::MacroAssembler::CPUState::pc): Deleted.
        (JSC::MacroAssembler::CPUState::fp): Deleted.
        (JSC::MacroAssembler::CPUState::sp): Deleted.
        (JSC::MacroAssembler::CPUState::pc const): Deleted.
        (JSC::MacroAssembler::CPUState::fp const): Deleted.
        (JSC::MacroAssembler::CPUState::sp const): Deleted.
        (JSC::Probe::State::gpr): Deleted.
        (JSC::Probe::State::spr): Deleted.
        (JSC::Probe::State::fpr): Deleted.
        (JSC::Probe::State::gprName): Deleted.
        (JSC::Probe::State::sprName): Deleted.
        (JSC::Probe::State::fprName): Deleted.
        (JSC::Probe::State::pc): Deleted.
        (JSC::Probe::State::fp): Deleted.
        (JSC::Probe::State::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::arm64ProbeError): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::armV7Condition):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::ctiMasmProbeTrampoline):
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/ProbeContext.cpp: Added.
        (JSC::Probe::executeProbe):
        (JSC::Probe::handleProbeStackInitialization):
        (JSC::Probe::probeStateForContext):
        * assembler/ProbeContext.h: Added.
        (JSC::Probe::CPUState::gprName):
        (JSC::Probe::CPUState::sprName):
        (JSC::Probe::CPUState::fprName):
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::CPUState::fpr):
        (JSC::Probe:: const):
        (JSC::Probe::CPUState::fpr const):
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        (JSC::Probe::CPUState::pc const):
        (JSC::Probe::CPUState::fp const):
        (JSC::Probe::CPUState::sp const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::Context::stack):
        (JSC::Probe::Context::hasWritesToFlush):
        (JSC::Probe::Context::releaseStack):
        * assembler/ProbeStack.cpp: Added.
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::hasWritesToFlush):
        (JSC::Probe::Stack::flushWrites):
        (JSC::Probe::Stack::ensurePageFor):
        * assembler/ProbeStack.h: Added.
        (JSC::Probe::Page::baseAddressFor):
        (JSC::Probe::Page::chunkAddressFor):
        (JSC::Probe::Page::baseAddress):
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::hasWritesToFlush const):
        (JSC::Probe::Page::flushWritesIfNeeded):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::newStackPointer const):
        (JSC::Probe::Stack::setNewStackPointer):
        (JSC::Probe::Stack::isValid):
        (JSC::Probe::Stack::pageFor):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::run):
        (): Deleted.
        (JSC::fillStack): Deleted.
        (JSC::testProbeModifiesStackWithCallback): Deleted.

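The mirror-page scheme that steps 3 and 4 of the entry above describe, as an added C++ example; it is not code from the ChangeLog author or from JavaScriptCore. It models Probe::Stack with the stated 1K page size, a HashMap keyed on the page base address, the one-entry last-page cache, a dirty bit per chunk and a flush that writes only dirty chunks back to a constructed "machine stack". The 16-byte chunk ("cache line") size, the class and function names, and the scenario function are assumptions for illustration, not JSC's declarations.

```cpp
// Added example (not JSC code): a stand-alone model of the Probe::Stack
// mirror-page cache described in steps 3 and 4. Chunk size and names assumed.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>

namespace probe_model {

constexpr size_t kPageSize = 1024;                 // "each page is 1K in size"
constexpr size_t kChunkSize = 16;                  // dirty-bit granularity (assumed)
constexpr size_t kChunksPerPage = kPageSize / kChunkSize;

inline uintptr_t toAddr(const void* p) { return reinterpret_cast<uintptr_t>(p); }

// One mirrored 1K page plus a dirty bit per chunk (steps 3c and 3f/3g).
class Page {
public:
    explicit Page(void* base) : m_base(static_cast<uint8_t*>(base)) {
        std::memcpy(m_mirror, m_base, kPageSize);  // snapshot the real stack page
    }
    static void* baseAddressFor(const void* p) {
        return reinterpret_cast<void*>(toAddr(p) & ~uintptr_t(kPageSize - 1));
    }
    template<typename T> T get(const void* p) const {
        T v; std::memcpy(&v, m_mirror + offsetOf(p), sizeof(T)); return v;
    }
    template<typename T> void set(const void* p, T v) {
        size_t off = offsetOf(p);
        std::memcpy(m_mirror + off, &v, sizeof(T));
        for (size_t c = off / kChunkSize; c <= (off + sizeof(T) - 1) / kChunkSize; ++c)
            m_dirty[c] = true;                     // remember which chunks to write back
    }
    // Write dirty chunks back to the machine stack; returns how many (step 4c).
    size_t flushWrites() {
        size_t n = 0;
        for (size_t c = 0; c < kChunksPerPage; ++c) {
            if (!m_dirty[c]) continue;
            std::memcpy(m_base + c * kChunkSize, m_mirror + c * kChunkSize, kChunkSize);
            m_dirty[c] = false; ++n;
        }
        return n;
    }
private:
    size_t offsetOf(const void* p) const { return toAddr(p) - toAddr(m_base); }
    uint8_t* m_base;
    uint8_t m_mirror[kPageSize];
    bool m_dirty[kChunksPerPage] = {};
};

// Manager of mirror pages: HashMap keyed on base address plus the one-entry
// "last page" cache (steps 3a, 3b, 3d, 3e).
class Stack {
public:
    template<typename T> T get(const void* p) { return pageFor(p, sizeof(T))->template get<T>(p); }
    template<typename T> void set(const void* p, T v) { pageFor(p, sizeof(T))->template set<T>(p, v); }
    size_t pageCount() const { return m_pages.size(); }
    size_t flushWrites() {
        size_t n = 0;
        for (auto& kv : m_pages) n += kv.second->flushWrites();
        return n;
    }
private:
    Page* pageFor(const void* p, size_t size) {
        void* base = Page::baseAddressFor(p);
        // An access must not straddle two pages.
        assert(Page::baseAddressFor(static_cast<const uint8_t*>(p) + size - 1) == base);
        if (base == m_lastBase) return m_lastPage;        // step 3e: hot-path hit
        auto it = m_pages.find(base);
        if (it == m_pages.end())                           // steps 3c/3d: mirror on first touch
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;
        m_lastBase = base;
        m_lastPage = it->second.get();
        return m_lastPage;
    }
    std::unordered_map<void*, std::unique_ptr<Page>> m_pages;
    void* m_lastBase = nullptr;
    Page* m_lastPage = nullptr;
};

} // namespace probe_model

// Replays the probe body from the ChangeLog against a constructed 4-page
// "machine stack" and reports what a caller could observe.
struct ScenarioResult {
    size_t spIndex;            // word index of the simulated stack pointer
    uintptr_t valueRead;       // stack.get() at sp
    bool writesDeferred;       // machine stack untouched before the flush
    size_t pagesMirrored;      // distinct 1K pages touched
    size_t chunksFlushed;      // dirty chunks written back
    bool aboveWritten, belowWritten, neighbourIntact;
};

inline ScenarioResult runProbeScenario() {
    using namespace probe_model;
    alignas(kPageSize) static uint8_t machineStack[4 * kPageSize];
    uintptr_t* words = reinterpret_cast<uintptr_t*>(machineStack);
    const size_t nWords = sizeof(machineStack) / sizeof(uintptr_t);
    for (size_t i = 0; i < nWords; ++i) words[i] = 0x1000 + i;   // constructed contents

    ScenarioResult r{};
    r.spIndex = nWords / 2;
    uintptr_t* currentSP = words + r.spIndex;
    Stack stack;
    r.valueRead = stack.get<uintptr_t>(currentSP);
    stack.set<uintptr_t>(currentSP + 10, r.valueRead);   // inside the current frame
    stack.set<uintptr_t>(currentSP - 10, r.valueRead);   // below sp, lands in another page
    r.writesDeferred = words[r.spIndex + 10] == 0x1000 + r.spIndex + 10
                    && words[r.spIndex - 10] == 0x1000 + r.spIndex - 10;
    r.pagesMirrored = stack.pageCount();
    r.chunksFlushed = stack.flushWrites();               // what flushStackDirtyPages() does
    r.aboveWritten = words[r.spIndex + 10] == r.valueRead;
    r.belowWritten = words[r.spIndex - 10] == r.valueRead;
    r.neighbourIntact = words[r.spIndex + 11] == 0x1000 + r.spIndex + 11;
    return r;
}
```

runProbeScenario() replays the probe body from the entry: the two set() calls land in different pages, nothing reaches the machine stack until flushWrites() runs, and only the two dirty chunks are written back, so words the probe never touched keep their values even though whole pages were mirrored.
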
2017-08-19  Andy Estes  <aestes@apple.com>

        [Payment Request] Add interface stubs
        https://bugs.webkit.org/show_bug.cgi?id=175730

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-08-18  Per Arne Vollan  <pvollan@apple.com>

        Implement 32-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175449

        Reviewed by Mark Lam.

        This is needed to enable the DFG.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        (dllLauncherEntryPoint):
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2017-08-18  Mark Lam  <mark.lam@apple.com>

        Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
        https://bugs.webkit.org/show_bug.cgi?id=175725
        <rdar://problem/33965477>

        Rubber-stamped by JF Bastien.

        This is purely a refactoring patch (in preparation for the introduction of a
        Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
        later).  This patch does not change any semantics / behavior.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr): Deleted.
        (JSC::ProbeContext::spr): Deleted.
        (JSC::ProbeContext::fpr): Deleted.
        (JSC::ProbeContext::gprName): Deleted.
        (JSC::ProbeContext::sprName): Deleted.
        (JSC::ProbeContext::fprName): Deleted.
        (JSC::ProbeContext::pc): Deleted.
        (JSC::ProbeContext::fp): Deleted.
        (JSC::ProbeContext::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeError):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):
        (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.

2017-08-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
        https://bugs.webkit.org/show_bug.cgi?id=175693
        <rdar://problem/33952443>

        Reviewed by Saam Barati.

        64-bit constants in an unreachable context were being decoded as
        32-bit constants. This is pretty benign because unreachable code
        shouldn't occur often. The effect is that 64-bit constants which
        can't be encoded as 32-bit constants would cause the binary to be
        rejected.

        At the same time, 32-bit integer constants should be decoded as signed.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

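The decoding failure the WebAssembly entry above describes, as an added C++ example; it is not JavaScriptCore's parser code. It contains a width-checked signed LEB128 decoder, an unsigned one for contrast, and a small before/after model of a const operand met in unreachable code: the "buggy" path decodes every constant as 32-bit, the "fixed" path picks the width from the opcode. The wasm opcodes 0x41 (i32.const) and 0x42 (i64.const) are the real ones; the function names, the result structs and the sample byte sequences are assumptions constructed for the example.

```cpp
// Added example (not JavaScriptCore code): LEB128 decoders and a toy model of
// the "const in unreachable code" fix. Names and sample bytes are assumptions.
#include <cstddef>
#include <cstdint>
#include <type_traits>
#include <vector>

namespace wasm_leb {

constexpr uint8_t kI32Const = 0x41;   // wasm opcodes for i32.const / i64.const
constexpr uint8_t kI64Const = 0x42;

template<typename Int>
struct Decoded { bool ok; Int value; size_t consumed; };

// Decode a signed LEB128 that must fit Int (int32_t or int64_t). Rejects
// encodings longer than the type allows and a final byte whose spare bits are
// not a proper sign extension; that is exactly why a 64-bit constant is
// rejected when it is mistakenly decoded as a 32-bit one.
template<typename Int>
Decoded<Int> decodeSigned(const uint8_t* p, size_t len) {
    using U = std::make_unsigned_t<Int>;
    constexpr unsigned bits = sizeof(Int) * 8;
    constexpr size_t maxBytes = (bits + 6) / 7;      // 5 for i32, 10 for i64
    U result = 0; unsigned shift = 0; size_t i = 0; uint8_t byte = 0;
    do {
        if (i >= len || i >= maxBytes) return {false, 0, i};
        byte = p[i++];
        result |= U(byte & 0x7f) << shift;           // shift < bits while i <= maxBytes
        shift += 7;
    } while (byte & 0x80);
    unsigned avail = bits - (shift - 7);             // payload bits the last byte may use
    if (avail < 7) {
        // Last byte only partly fits: its unused bits must all equal the sign bit.
        uint8_t top = uint8_t(byte & 0x7f) >> (avail - 1);
        uint8_t ones = uint8_t((1u << (8 - avail)) - 1);
        if (top != 0 && top != ones) return {false, 0, i};
    } else if (avail > 7 && (byte & 0x40))
        result |= ~U(0) << shift;                    // sign-extend the short encoding
    return {true, Int(result), i};
}

// Unsigned LEB128, for contrast: the single byte 0x7f is 127 here but -1 above.
template<typename U>
Decoded<U> decodeUnsigned(const uint8_t* p, size_t len) {
    constexpr unsigned bits = sizeof(U) * 8;
    constexpr size_t maxBytes = (bits + 6) / 7;
    U result = 0; unsigned shift = 0; size_t i = 0; uint8_t byte = 0;
    do {
        if (i >= len || i >= maxBytes) return {false, 0, i};
        byte = p[i++];
        unsigned avail = bits - shift;
        if (avail < 7 && ((byte & 0x7f) >> avail)) return {false, 0, i};  // overflow
        result |= U(byte & 0x7f) << shift;
        shift += 7;
    } while (byte & 0x80);
    return {true, result, i};
}

struct ConstCheck { bool buggyAccepts; bool fixedAccepts; int64_t fixedValue; };

// Before/after model of the fix for a const operand seen in unreachable code:
// the old path decoded every constant as a 32-bit signed value.
inline ConstCheck checkConst(uint8_t opcode, const std::vector<uint8_t>& operand) {
    ConstCheck c{};
    c.buggyAccepts = decodeSigned<int32_t>(operand.data(), operand.size()).ok;
    if (opcode == kI64Const) {
        auto d = decodeSigned<int64_t>(operand.data(), operand.size());
        c.fixedAccepts = d.ok; c.fixedValue = d.value;
    } else if (opcode == kI32Const) {
        auto d = decodeSigned<int32_t>(operand.data(), operand.size());
        c.fixedAccepts = d.ok; c.fixedValue = d.value;
    }
    return c;
}

} // namespace wasm_leb
```

The constructed operand 80 80 80 80 10 is 2^32 in signed LEB128; it is a valid i64.const operand but the fifth byte carries payload bits an i32 cannot hold, so the 32-bit decoder rejects it, which is the spurious "binary invalid" result the entry describes.
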
2017-08-17  Robin Morisset  <rmorisset@apple.com>

        Teach DFGFixupPhase.cpp that the current scope is always a cell
        https://bugs.webkit.org/show_bug.cgi?id=175610

        Reviewed by Keith Miller.

        Also teach it that the argument to with can usually be speculated to be an object,
        since toObject() is called on it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
        https://bugs.webkit.org/show_bug.cgi?id=175644

        Reviewed by Brian Burg.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Only use 16 VFP registers if !CPU(ARM_NEON).
        https://bugs.webkit.org/show_bug.cgi?id=175514

        Reviewed by JF Bastien.

        Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
        says that there are only 16 128-bit NEON registers.  This change is merely to
        correct the code documentation of these registers.  The FPQuadRegisterID are
        currently unused.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::lastFPRegister):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastFPRegister):
        (JSC::ARMv7Assembler::fprName):
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARMv7.cpp:

2017-08-17  Andreas Kling  <akling@apple.com>

        Disable CSS regions at compile time
        https://bugs.webkit.org/show_bug.cgi?id=175630

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>

        [WPE][GTK] Ensure proper casting of data in gvariants
        https://bugs.webkit.org/show_bug.cgi?id=175667

        Reviewed by Michael Catanzaro.

        g_variant_new requires data to have the correct width for their types, using
        casting if necessary. Some data of type `unsigned` were being saved to `guint64`
        types without explicit casting, leading to undefined behavior in some platforms.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        (Inspector::RemoteInspector::listingForAutomationTarget const):
        (Inspector::RemoteInspector::sendMessageToRemote):

2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid code bloating for iteration if block does not have "break"
        https://bugs.webkit.org/show_bug.cgi?id=173228

        Reviewed by Keith Miller.

        Currently, we always emit code for the break path when emitting for-of iteration.
        But we can know whether this break path can be used when emitting the bytecode.

        This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
        the break label may be bound. We emit a break path only when it returns
        true. This reduces bytecode bloating when using for-of iteration.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        (JSC::BytecodeGenerator::emitLabel):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC::Label::bind const):
        (JSC::Label::hasOneRef const):
        (JSC::Label::isBound const):
        (JSC::Label::Label): Deleted.
        * bytecompiler/LabelScope.h:
        (JSC::LabelScope::hasOneRef const):
        (JSC::LabelScope::breakTargetMayBeBound const):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>

        ARM build fix after r220807 and r220834.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Unreviewed typo fix.

        * assembler/MacroAssemblerARM.cpp:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for ARM_TRADITIONAL after r220807.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Not reviewed.

        * assembler/MacroAssemblerARM.cpp:

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Add back the ability to disable MASM_PROBE from the build.
        https://bugs.webkit.org/show_bug.cgi?id=175656
        <rdar://problem/33933720>

        Reviewed by Yusuke Suzuki.

        This is needed for ports that the existing MASM_PROBE implementation doesn't work
        well with e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
        default if !ENABLE(MASM_PROBE).

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-16  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Older-iOS install name symbols are being exported on other platforms
        https://bugs.webkit.org/show_bug.cgi?id=175654

        Reviewed by Tim Horton.

        * API/JSBase.cpp: Define the symbols only when targeting iOS.

2017-08-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
        https://bugs.webkit.org/show_bug.cgi?id=175617
        <rdar://problem/33912104>

        Reviewed by JF Bastien.

        This patch adds a new feature to MacroAssembler::probe() where the probe function
        can provide a ProbeFunction callback to fill in stack values after the stack
        pointer has been adjusted.  The probe function can use this feature as follows:

        1. Set the new sp value in the ProbeContext's CPUState.

        2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
           which will do the work of filling in the stack values after the probe
           trampoline has adjusted the machine stack pointer.

        3. Set the ProbeContext's initializeStackArgs to any value that the client wants
           to pass to the initializeStackFunction callback.

        4. Return from the probe function.

        Upon returning from the probe function, the probe trampoline will adjust the
        stack pointer based on the sp value in CPUState.  If initializeStackFunction
        is not set, the probe trampoline will restore registers and return to its caller.

        If initializeStackFunction is set, the trampoline will move the ProbeContext
        beyond the range of the stack pointer i.e. it will place the new ProbeContext at
        an address lower than where CPUState.sp() points.  This ensures that the
        ProbeContext will not be trashed by the initializeStackFunction when it writes to
        the stack.  Then, the trampoline will call back to the initializeStackFunction
        ProbeFunction to let it fill in the stack values as desired.  The
        initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
        the new location.

        initializeStackFunction may now write to the stack at addresses greater or
        equal to CPUState.sp(), but not below that.  initializeStackFunction is also
        not allowed to change CPUState.sp().  If the initializeStackFunction does not
        abide by these rules, then behavior is undefined, and bad things may happen.

        For future reference, some implementation details that this patch needed to
        be mindful of:

        1. When the probe trampoline allocates stack space for the ProbeContext, it
           should include OUT_SIZE as well.  This ensures that it doesn't have to move
           the ProbeContext on exit if the probe function didn't change the sp.

        2. If the trampoline has to move the ProbeContext, it needs to point the machine
           sp to new ProbeContext first before copying over the ProbeContext data.  This
           protects the new ProbeContext from possibly being trashed by interrupts.

        3. When computing the new address of ProbeContext to move to, we need to make
           sure that it is properly aligned in accordance with stack ABI requirements
           (just like we did when we allocated the ProbeContext on entry to the
           probe trampoline).

        4. When copying the ProbeContext to its new location, the trampoline should
           always copy words from low addresses to high addresses.  This is because if
           we're moving the ProbeContext, we'll always be moving it to a lower address.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):

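The relocation rules in implementation notes 3 and 4 of the entry above, as an added C++ example; it is not JavaScriptCore's trampoline code. It computes the new block address by stepping down from the client's sp and rounding to an assumed 16-byte ABI alignment, then copies the block word by word from low to high addresses. The constructed scenario moves sp into the probe state (the case the testmasm test named testProbeModifiesStackPointerToInsideProbeStateOnStack elsewhere on this page covers), so the old and new ranges overlap; the demo shows the low-to-high copy survives that and a high-to-low copy does not. The block size, the alignment value and all names are assumptions.

```cpp
// Added example (not JavaScriptCore code): moving a probe-state block to a
// lower, stack-aligned address without corrupting it (notes 3 and 4 above).
// Alignment, sizes and names are assumptions.
#include <cstddef>
#include <cstdint>

namespace relocate_model {

constexpr size_t kStackAlignment = 16;     // assumed ABI requirement (note 3)

inline uintptr_t addrOf(const void* p) { return reinterpret_cast<uintptr_t>(p); }

// The new block must lie entirely below the sp the client chose and start on
// an aligned boundary: step down by the block size, then round down.
inline uintptr_t* relocationTargetFor(uintptr_t* newSP, size_t nWords) {
    uintptr_t a = addrOf(newSP - nWords) & ~uintptr_t(kStackAlignment - 1);
    return reinterpret_cast<uintptr_t*>(a);
}

// Word copy from low to high addresses (note 4). Safe when dst < src even if
// the ranges overlap: every source word is read before any write reaches it.
inline void copyWordsLowToHigh(uintptr_t* dst, const uintptr_t* src, size_t n) {
    for (size_t i = 0; i < n; ++i) dst[i] = src[i];
}

// The opposite order, kept only to show the failure mode in the demo.
inline void copyWordsHighToLow(uintptr_t* dst, const uintptr_t* src, size_t n) {
    for (size_t i = n; i-- > 0;) dst[i] = src[i];
}

struct MoveResult {
    bool targetAligned, targetBelowNewSP, rangesOverlap;
    bool lowToHighIntact, highToLowIntact;
};

// Constructed scenario: a 16-word block sits at slots [40, 56) of a 64-word
// "stack"; the client moved sp into the block (slot 48).
inline MoveResult runRelocationDemo() {
    constexpr size_t kSlots = 64, kWords = 16, kOld = 40, kNewSP = 48;
    alignas(kStackAlignment) static uintptr_t stack[kSlots];
    auto reset = [&] { for (size_t i = 0; i < kSlots; ++i) stack[i] = 0xC000 + i; };
    auto intact = [&](const uintptr_t* dst) {
        for (size_t i = 0; i < kWords; ++i)
            if (dst[i] != 0xC000 + kOld + i) return false;
        return true;
    };
    MoveResult r{};
    reset();
    uintptr_t* oldBlock = stack + kOld;
    uintptr_t* newSP = stack + kNewSP;
    uintptr_t* target = relocationTargetFor(newSP, kWords);
    r.targetAligned = addrOf(target) % kStackAlignment == 0;
    r.targetBelowNewSP = target + kWords <= newSP;
    r.rangesOverlap = target + kWords > oldBlock;
    // Note 2: the real trampoline points the machine sp at `target` before this
    // copy so an interrupt cannot land on the bytes being written; a no-op here.
    copyWordsLowToHigh(target, oldBlock, kWords);
    r.lowToHighIntact = intact(target);
    reset();
    copyWordsHighToLow(target, oldBlock, kWords);
    r.highToLowIntact = intact(target);
    return r;
}

} // namespace relocate_model
```

With the block at slots 40 to 55 and the target at slot 32, the high-to-low copy writes slot 47 before reading it as a source for slot 39, so the moved block ends up with the wrong words; the low-to-high copy reads each overlapping word first.
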
2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>

        Fix JSCOnly ARM buildbots after r220047 and r220184
        https://bugs.webkit.org/show_bug.cgi?id=174993

        Reviewed by Carlos Alberto Lopez Perez.

        * CMakeLists.txt: Generate only one backend on Linux to save build time.

2017-08-16  Andy Estes  <aestes@apple.com>

        [Payment Request] Add an ENABLE flag and an experimental feature preference
        https://bugs.webkit.org/show_bug.cgi?id=175622

        Reviewed by Tim Horton.

        * Configurations/FeatureDefines.xcconfig:

2017-08-15  Robin Morisset  <rmorisset@apple.com>

        We are too conservative about the effects of PushWithScope
        https://bugs.webkit.org/show_bug.cgi?id=175584

        Reviewed by Saam Barati.

        PushWithScope converts its argument to an object (this can throw a type error,
        but has no other observable effect), and allocates a new scope, that it then
        makes the new current scope. We were a bit too conservative in saying that it
        clobbers the world.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):

2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>

        Make DataTransferItemList work with plain text entries
        https://bugs.webkit.org/show_bug.cgi?id=175596

        Reviewed by Wenson Hsieh.

        Added DataTransferItem as a common identifier since it's a runtime enabled feature.

        * runtime/CommonIdentifiers.h:

2017-08-15  Robin Morisset  <rmorisset@apple.com>

        Support the 'with' keyword in FTL
        https://bugs.webkit.org/show_bug.cgi?id=175585

        Reviewed by Saam Barati.

        Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
        and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
        to the other at different step which was quite confusing. I picked this order for consistency with CreateActivation
        that takes its parentScope argument first.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitPushWithScope):
        * debugger/DebuggerCallFrame.cpp:
        (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/Completion.cpp:
        (JSC::evaluateWithScopeExtension):
        * runtime/JSWithScope.cpp:
        (JSC::JSWithScope::create):
        * runtime/JSWithScope.h:

2017-08-15  Saam Barati  <sbarati@apple.com>

        Make VM::scratchBufferForSize thread safe
        https://bugs.webkit.org/show_bug.cgi?id=175604

        Reviewed by Geoffrey Garen and Mark Lam.

        I want to use the VM::scratchBufferForSize in another patch I'm writing.
        The use case for my other patch is to call it from the compiler thread.
        When reading the code, I saw that this API was not thread safe. This patch
        makes it thread safe. It actually turns out we were calling this API from
        the compiler thread already when we created FTL::State for an FTL OSR entry
        compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
        is now correct with this patch.

        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::gatherConservativeRoots):
        (JSC::VM::scratchBufferForSize):
        * runtime/VM.h:
        (JSC::VM::scratchBufferForSize): Deleted.

2017-08-15  Keith Miller  <keith_miller@apple.com>

        JSC named bytecode offsets should use references rather than pointers
        https://bugs.webkit.org/show_bug.cgi?id=175601

        Reviewed by Saam Barati.

        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
744         * jit/JITOpcodes.cpp:
745         (JSC::JIT::emit_op_overrides_has_instance):
746         (JSC::JIT::emit_op_instanceof):
747         (JSC::JIT::emitSlow_op_instanceof):
748         (JSC::JIT::emitSlow_op_instanceof_custom):
749         * jit/JITOpcodes32_64.cpp:
750         (JSC::JIT::emit_op_overrides_has_instance):
751         (JSC::JIT::emit_op_instanceof):
752         (JSC::JIT::emitSlow_op_instanceof):
753         (JSC::JIT::emitSlow_op_instanceof_custom):
754
755 2017-08-15  Keith Miller  <keith_miller@apple.com>
756
757         Enable named offsets into JSC bytecodes
758         https://bugs.webkit.org/show_bug.cgi?id=175561
759
760         Reviewed by Mark Lam.
761
762         This patch adds the ability to add named offsets into JSC's
763         bytecodes.  In the bytecode json file, instead of listing a
764         length, you can now list a set of names and their types. Each
765         opcode with an offsets property will have a struct named after the
766         opcode in our C++ naming style. For example,
767         op_overrides_has_instance would become OpOverridesHasInstance. The
768         struct has the same memory layout as the instruction list has but
769         comes with handy named accessors.
770
771         As a first cut I converted the various instanceof bytecodes to use
772         named offsets.
773
774         As an example op_overrides_has_instance produces the following struct:
775
776         struct OpOverridesHasInstance {
777         public:
778             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
779             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
780             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
781             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
782             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
783             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
784             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
785             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
786
787         private:
788             friend class LLIntOffsetsExtractor;
789             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
790             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
791             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
792             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
793         };
794
795         * CMakeLists.txt:
796         * DerivedSources.make:
797         * JavaScriptCore.xcodeproj/project.pbxproj:
798         * bytecode/BytecodeList.json:
799         * dfg/DFGByteCodeParser.cpp:
800         (JSC::DFG::ByteCodeParser::parseBlock):
801         * generate-bytecode-files:
802         * jit/JITOpcodes.cpp:
803         (JSC::JIT::emit_op_overrides_has_instance):
804         (JSC::JIT::emit_op_instanceof):
805         (JSC::JIT::emitSlow_op_instanceof):
806         (JSC::JIT::emitSlow_op_instanceof_custom):
807         * jit/JITOpcodes32_64.cpp:
808         (JSC::JIT::emit_op_overrides_has_instance):
809         (JSC::JIT::emit_op_instanceof):
810         (JSC::JIT::emitSlow_op_instanceof):
811         (JSC::JIT::emitSlow_op_instanceof_custom):
812         * llint/LLIntOffsetsExtractor.cpp:
813         * llint/LowLevelInterpreter.asm:
814         * llint/LowLevelInterpreter32_64.asm:
815         * llint/LowLevelInterpreter64.asm:
816
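        Added example, not JSC code: a stand-alone model of the named-offset struct shown in this
        entry. Instruction and Opcode are stand-in types (in JSC they are the real interpreter
        types and the struct is generated from BytecodeList.json); the emit/read helpers are
        hypothetical and only exist to check that the named view and the raw slots agree.

```cpp
// Added example (not JSC code): models a named-offset bytecode struct.
// Instruction, Opcode, emitOverridesHasInstance and namedOffsetsMatchRawSlots
// are stand-ins, not JavaScriptCore's own definitions.
#include <cstdint>
#include <type_traits>

// Stand-in for JSC's Instruction: one machine-word slot per bytecode operand.
union Instruction {
    const void* opcode;   // first slot: opcode (an LLInt label address in JSC)
    int operand;          // later slots: virtual register index or similar
};
using Opcode = const void*;   // stand-in for JSC::Opcode

// Same layout as the instruction list [opcode][dst][constructor][hasInstanceValue],
// with named accessors instead of pc[1], pc[2], pc[3].
struct OpOverridesHasInstance {
public:
    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    // Each field is padded and aligned to one Instruction slot, which is what
    // keeps the struct layout identical to the raw instruction stream.
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};
static_assert(sizeof(OpOverridesHasInstance) == 4 * sizeof(Instruction),
              "named-offset struct must cover exactly the instruction's slots");

constexpr int kOverridesHasInstanceLength = 4;   // opcode + three operands

// Write the instruction through the named view, as a bytecode generator would.
void emitOverridesHasInstance(Instruction* pc, Opcode opcode, int dst, int ctor, int hasInstance)
{
    auto& op = *reinterpret_cast<OpOverridesHasInstance*>(pc);
    op.opcode() = opcode;
    op.dst() = dst;
    op.constructor() = ctor;
    op.hasInstanceValue() = hasInstance;
}

// Read the operands back twice: through the named view and through the raw
// slots. Returns true only if both agree with what was written, i.e. the
// struct really has the same memory layout as the instruction list.
bool namedOffsetsMatchRawSlots(int dst, int ctor, int hasInstance)
{
    Instruction stream[kOverridesHasInstanceLength] = {};   // constructed sample stream
    emitOverridesHasInstance(stream, nullptr, dst, ctor, hasInstance);
    const auto& op = *reinterpret_cast<const OpOverridesHasInstance*>(stream);
    return op.dst() == stream[1].operand && op.dst() == dst
        && op.constructor() == stream[2].operand && op.constructor() == ctor
        && op.hasInstanceValue() == stream[3].operand && op.hasInstanceValue() == hasInstance;
}
```
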
817 2017-08-15  Mark Lam  <mark.lam@apple.com>
818
819         Update testmasm to use new CPUState APIs.
820         https://bugs.webkit.org/show_bug.cgi?id=175573
821
822         Reviewed by Keith Miller.
823
824         1. Applied convenience CPUState accessors to minimize casting.
825         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
826            messages.
827         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
828            casting is (mostly) no longer an issue.
829         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
830            to make it clear that we're comparing against the bit values of testWord64(id).
831         5. Added a "Completed N tests" message at the end of running all tests.
832            This makes it easy to tell at a glance that testmasm completed successfully
833            versus when it crashed midway in a test.  The number of tests also serves as
834            a quick checksum to confirm that we ran the number of tests we expected.
835
836         * assembler/testmasm.cpp:
837         (WTF::printInternal):
838         (JSC::testSimple):
839         (JSC::testProbeReadsArgumentRegisters):
840         (JSC::testProbeWritesArgumentRegisters):
841         (JSC::testProbePreservesGPRS):
842         (JSC::testProbeModifiesStackPointer):
843         (JSC::testProbeModifiesProgramCounter):
844         (JSC::run):
845
846 2017-08-14  Keith Miller  <keith_miller@apple.com>
847
848         Add testing tool to lie to the DFG about profiles
849         https://bugs.webkit.org/show_bug.cgi?id=175487
850
851         Reviewed by Saam Barati.
852
853         This patch adds a new bytecode identity_with_profile that lets
854         us lie to the DFG about what profiles it has seen as the input to
855         another bytecode. Previously, there was no reliable way to force
856         a given profile when we tiered up.
857
858         * bytecode/BytecodeDumper.cpp:
859         (JSC::BytecodeDumper<Block>::dumpBytecode):
860         * bytecode/BytecodeIntrinsicRegistry.h:
861         * bytecode/BytecodeList.json:
862         * bytecode/BytecodeUseDef.h:
863         (JSC::computeUsesForBytecodeOffset):
864         (JSC::computeDefsForBytecodeOffset):
865         * bytecode/SpeculatedType.cpp:
866         (JSC::speculationFromString):
867         * bytecode/SpeculatedType.h:
868         * bytecompiler/BytecodeGenerator.cpp:
869         (JSC::BytecodeGenerator::emitIdWithProfile):
870         * bytecompiler/BytecodeGenerator.h:
871         * bytecompiler/NodesCodegen.cpp:
872         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
873         * dfg/DFGAbstractInterpreterInlines.h:
874         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
875         * dfg/DFGByteCodeParser.cpp:
876         (JSC::DFG::ByteCodeParser::parseBlock):
877         * dfg/DFGCapabilities.cpp:
878         (JSC::DFG::capabilityLevel):
879         * dfg/DFGClobberize.h:
880         (JSC::DFG::clobberize):
881         * dfg/DFGDoesGC.cpp:
882         (JSC::DFG::doesGC):
883         * dfg/DFGFixupPhase.cpp:
884         (JSC::DFG::FixupPhase::fixupNode):
885         * dfg/DFGMayExit.cpp:
886         * dfg/DFGNode.h:
887         (JSC::DFG::Node::getForcedPrediction):
888         * dfg/DFGNodeType.h:
889         * dfg/DFGPredictionPropagationPhase.cpp:
890         * dfg/DFGSafeToExecute.h:
891         (JSC::DFG::safeToExecute):
892         * dfg/DFGSpeculativeJIT32_64.cpp:
893         (JSC::DFG::SpeculativeJIT::compile):
894         * dfg/DFGSpeculativeJIT64.cpp:
895         (JSC::DFG::SpeculativeJIT::compile):
896         * dfg/DFGValidate.cpp:
897         * jit/JIT.cpp:
898         (JSC::JIT::privateCompileMainPass):
899         * jit/JIT.h:
900         * jit/JITOpcodes.cpp:
901         (JSC::JIT::emit_op_identity_with_profile):
902         * jit/JITOpcodes32_64.cpp:
903         (JSC::JIT::emit_op_identity_with_profile):
904         * llint/LowLevelInterpreter.asm:
905
906 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
907
908         Remove Proximity Events and related code
909         https://bugs.webkit.org/show_bug.cgi?id=175545
910
911         Reviewed by Daniel Bates.
912
913         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
914         and other related code.
915
916         * Configurations/FeatureDefines.xcconfig:
917
918 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
919
920         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
921         https://bugs.webkit.org/show_bug.cgi?id=175504
922
923         Reviewed by Sam Weinig.
924
925         * Configurations/FeatureDefines.xcconfig:
926
927 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
928
929         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
930         https://bugs.webkit.org/show_bug.cgi?id=175557
931
932         Reviewed by Jon Lee.
933
934         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
935
936         * Configurations/FeatureDefines.xcconfig:
937
938 2017-08-14  Robin Morisset  <rmorisset@apple.com>
939
940         Support the 'with' keyword in DFG
941         https://bugs.webkit.org/show_bug.cgi?id=175470
942
943         Reviewed by Saam Barati.
944
945         Not particularly optimized at the moment, the goal is just to avoid
946         the DFG bailing out of any function with this keyword.
947
948         * dfg/DFGAbstractInterpreterInlines.h:
949         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
950         * dfg/DFGByteCodeParser.cpp:
951         (JSC::DFG::ByteCodeParser::parseBlock):
952         * dfg/DFGCapabilities.cpp:
953         (JSC::DFG::capabilityLevel):
954         * dfg/DFGClobberize.h:
955         (JSC::DFG::clobberize):
956         * dfg/DFGDoesGC.cpp:
957         (JSC::DFG::doesGC):
958         * dfg/DFGFixupPhase.cpp:
959         (JSC::DFG::FixupPhase::fixupNode):
960         * dfg/DFGNodeType.h:
961         * dfg/DFGPredictionPropagationPhase.cpp:
962         * dfg/DFGSafeToExecute.h:
963         (JSC::DFG::safeToExecute):
964         * dfg/DFGSpeculativeJIT.cpp:
965         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
966         * dfg/DFGSpeculativeJIT.h:
967         (JSC::DFG::SpeculativeJIT::callOperation):
968         * dfg/DFGSpeculativeJIT32_64.cpp:
969         (JSC::DFG::SpeculativeJIT::compile):
970         * dfg/DFGSpeculativeJIT64.cpp:
971         (JSC::DFG::SpeculativeJIT::compile):
972         * jit/JITOperations.cpp:
973         * jit/JITOperations.h:
974
975 2017-08-14  Mark Lam  <mark.lam@apple.com>
976
977         Add some convenience utility accessor methods to MacroAssembler::CPUState.
978         https://bugs.webkit.org/show_bug.cgi?id=175549
979         <rdar://problem/33884868>
980
981         Reviewed by Saam Barati.
982
983         Previously, in order to read ProbeContext CPUState registers, we used to need to
984         do it this way:
985
986             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
987             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
988             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
989             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
990
991         With this patch, we can now read them this way instead:
992         
993             ExecState* exec = cpu.fp<ExecState*>();
994             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
995             void* p = cpu.gpr<void*>(GPRInfo::regT1);
996             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
997
998         * assembler/MacroAssembler.h:
999         (JSC:: const):
1000         (JSC::MacroAssembler::CPUState::fpr const):
1001         (JSC::MacroAssembler::CPUState::pc const):
1002         (JSC::MacroAssembler::CPUState::fp const):
1003         (JSC::MacroAssembler::CPUState::sp const):
1004         (JSC::ProbeContext::pc):
1005         (JSC::ProbeContext::fp):
1006         (JSC::ProbeContext::sp):
1007
1008 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1009
1010         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1011         https://bugs.webkit.org/show_bug.cgi?id=174921
1012
1013         Reviewed by Mark Lam.
1014         
1015         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1016
1017         * dfg/DFGSpeculativeJIT.cpp:
1018         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1019         * ftl/FTLLowerDFGToB3.cpp:
1020         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1021         * jit/JITPropertyAccess.cpp:
1022         (JSC::JIT::emitScopedArgumentsGetByVal):
1023         * runtime/ScopedArgumentsTable.cpp:
1024         (JSC::ScopedArgumentsTable::create):
1025         (JSC::ScopedArgumentsTable::setLength):
1026         * runtime/ScopedArgumentsTable.h:
1027
1028 2017-08-14  Mark Lam  <mark.lam@apple.com>
1029
1030         Gardening: fix Windows build.
1031         https://bugs.webkit.org/show_bug.cgi?id=175446
1032
1033         Not reviewed.
1034
1035         * assembler/MacroAssemblerX86Common.cpp:
1036         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1037         (JSC::ctiMasmProbeTrampoline):
1038
1039 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1040
1041         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1042         https://bugs.webkit.org/show_bug.cgi?id=175512
1043         <rdar://problem/33863584>
1044
1045         Reviewed by Mark Lam.
1046
1047         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1048         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1049
1050 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1051
1052         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1053         https://bugs.webkit.org/show_bug.cgi?id=175513
1054
1055         Reviewed by Mark Lam.
1056
1057         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1058
1059 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1060
1061         FTL's compileGetTypedArrayByteOffset needs to do caging
1062         https://bugs.webkit.org/show_bug.cgi?id=175366
1063
1064         Reviewed by Saam Barati.
1065         
1066         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1067         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1068
1069         * dfg/DFGSpeculativeJIT.cpp:
1070         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1071         * ftl/FTLLowerDFGToB3.cpp:
1072         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1073         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1074         * runtime/ArrayBuffer.h:
1075         * runtime/ArrayBufferView.h:
1076         * runtime/JSArrayBufferView.h:
1077
1078 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1079
1080         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1081         https://bugs.webkit.org/show_bug.cgi?id=175474
1082         <rdar://problem/33844628>
1083
1084         Reviewed by Wenson Hsieh.
1085
1086         * Configurations/FeatureDefines.xcconfig:
1087         * runtime/CommonIdentifiers.h:
1088
1089 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1090
1091         Caging shouldn't have to use a patchpoint for adding
1092         https://bugs.webkit.org/show_bug.cgi?id=175483
1093
1094         Reviewed by Mark Lam.
1095
1096         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1097         constants and associative operations dictate that you always want to sink constants. For example,
1098         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1099         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1100         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1101         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1102         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1103         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1104         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1105         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1106         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1107         hacks for just stopping B3's reassociation only in this specific case.
1108         
1109         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1110         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1111         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1112         that if we cage the same pointer in two places, both places will compute the same value.
1113         
1114         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1115         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1116         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1117         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1118         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1119         enough scale to warrant new opcodes.)
1120         
1121         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1122         makes the code a bit less ugly.
1123
1124         * b3/B3LowerToAir.cpp:
1125         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1126         (JSC::B3::Air::LowerToAir::lower):
1127         * b3/B3Opcode.cpp:
1128         (WTF::printInternal):
1129         * b3/B3Opcode.h:
1130         * b3/B3ReduceStrength.cpp:
1131         * b3/B3Validate.cpp:
1132         * b3/B3Value.cpp:
1133         (JSC::B3::Value::effects const):
1134         (JSC::B3::Value::key const):
1135         (JSC::B3::Value::isFree const):
1136         (JSC::B3::Value::typeFor):
1137         * b3/B3Value.h:
1138         * b3/B3ValueKey.cpp:
1139         (JSC::B3::ValueKey::materialize const):
1140         * ftl/FTLLowerDFGToB3.cpp:
1141         (JSC::FTL::DFG::LowerDFGToB3::caged):
1142         * ftl/FTLOutput.cpp:
1143         (JSC::FTL::Output::opaque):
1144         * ftl/FTLOutput.h:
1145
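        Added example, not JSC or B3 code: a toy value graph that reproduces the reassociation
        problem this entry describes and the Opaque barrier that stops it. Graph, sinkConstants,
        lowerToAir and kCageConstant are hypothetical names; the constant-sinking rule is a
        one-line model of the heuristic, not B3's actual moveConstants or reduceStrength.

```cpp
// Added example (not JSC/B3 code): a toy IR with Add, Const, Var and Opaque,
// a constant-sinking pass that cannot see through Opaque, and a lowering that
// treats Opaque as Identity. All names are stand-ins.
#include <cstdint>
#include <memory>
#include <string>
#include <utility>
#include <vector>

enum class Op { Var, Const, Add, Opaque };

struct Value {
    Op op;
    int64_t constant = 0;   // Const only
    std::string name;       // Var only
    Value* a = nullptr;     // first operand (Add, Opaque)
    Value* b = nullptr;     // second operand (Add)
};

// Arena that owns every node so the passes can create new nodes freely.
struct Graph {
    std::vector<std::unique_ptr<Value>> nodes;
    Value* make(Value v) { nodes.push_back(std::make_unique<Value>(std::move(v))); return nodes.back().get(); }
    Value* var(std::string n) { return make({Op::Var, 0, std::move(n)}); }
    Value* constant(int64_t c) { return make({Op::Const, c}); }
    Value* add(Value* x, Value* y) { return make({Op::Add, 0, "", x, y}); }
    Value* opaque(Value* x) { return make({Op::Opaque, 0, "", x}); }
};

// Structural key: equal keys mean the same pure computation, so two nodes with
// equal keys may be CSE'd. Opaque is pure, hence Opaque(x) == Opaque(x).
std::string key(const Value* v)
{
    switch (v->op) {
    case Op::Var: return v->name;
    case Op::Const: return "C" + std::to_string(v->constant);
    case Op::Add: return "Add(" + key(v->a) + "," + key(v->b) + ")";
    case Op::Opaque: return "Opaque(" + key(v->a) + ")";
    }
    return "";
}

// Model of the constant-sinking heuristic: Add(Add(x, c), y) becomes
// Add(Add(x, y), c). The pass does not look through Opaque, so a cage add
// wrapped in Opaque keeps its constant. Opaque(Opaque(x)) folds to Opaque(x).
Value* sinkConstants(Graph& g, Value* v)
{
    if (v->op == Op::Opaque) {
        Value* x = sinkConstants(g, v->a);
        if (x->op == Op::Opaque) return x;            // idempotent
        return x == v->a ? v : g.opaque(x);
    }
    if (v->op != Op::Add) return v;
    Value* x = sinkConstants(g, v->a);
    Value* y = sinkConstants(g, v->b);
    if (x->op == Op::Add && x->b->op == Op::Const && y->op != Op::Const)
        return g.add(g.add(x->a, y), x->b);           // sink the constant outward
    return (x == v->a && y == v->b) ? v : g.add(x, y);
}

// Lowering treats Opaque as Identity: the barrier disappears and the backend
// sees the plain Add(ptr, largeConstant) it can hoist.
std::string lowerToAir(const Value* v)
{
    switch (v->op) {
    case Op::Var: return v->name;
    case Op::Const: return "C" + std::to_string(v->constant);
    case Op::Add: return "Add(" + lowerToAir(v->a) + "," + lowerToAir(v->b) + ")";
    case Op::Opaque: return lowerToAir(v->a);
    }
    return "";
}

const int64_t kCageConstant = 0x1000000000;   // constructed stand-in for the shared large constant

// Caging as Add(ptr, largeConstant), then indexing into the caged pointer.
Value* buildCagedAccess(Graph& g, bool useOpaque)
{
    Value* cage = g.add(g.var("ptr"), g.constant(kCageConstant));
    if (useOpaque) cage = g.opaque(cage);
    return g.add(cage, g.var("index"));
}

// Without Opaque the cage constant is sunk past the index add and the
// Add(ptr, largeConstant) pattern is lost.
std::string cagedWithoutOpaque() { Graph g; return key(sinkConstants(g, buildCagedAccess(g, false))); }

// With Opaque the constant stays attached to ptr through the B3-level pass ...
std::string cagedWithOpaque() { Graph g; return key(sinkConstants(g, buildCagedAccess(g, true))); }

// ... and lowering still produces the plain cage add.
std::string cagedWithOpaqueLowered() { Graph g; return lowerToAir(sinkConstants(g, buildCagedAccess(g, true))); }

// Two cages of the same pointer have the same key (CSE-able), and a doubled
// Opaque folds back to the inner one.
bool opaqueIsPureAndIdempotent()
{
    Graph g;
    Value* ptr = g.var("ptr");
    Value* cage1 = g.opaque(g.add(ptr, g.constant(kCageConstant)));
    Value* cage2 = g.opaque(g.add(ptr, g.constant(kCageConstant)));
    return key(cage1) == key(cage2) && sinkConstants(g, g.opaque(cage1)) == cage1;
}
```
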
1146 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1147
1148         ScopedArguments overflow storage needs to be in the JSValue gigacage
1149         https://bugs.webkit.org/show_bug.cgi?id=174923
1150
1151         Reviewed by Saam Barati.
1152         
1153         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1154         object into the JSValue gigacage.
1155
1156         * dfg/DFGSpeculativeJIT.cpp:
1157         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1158         * ftl/FTLLowerDFGToB3.cpp:
1159         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1160         * jit/JITPropertyAccess.cpp:
1161         (JSC::JIT::emitScopedArgumentsGetByVal):
1162         * runtime/ScopedArguments.h:
1163         (JSC::ScopedArguments::subspaceFor):
1164         (JSC::ScopedArguments::overflowStorage const):
1165
1166 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1167
1168         JSLexicalEnvironment needs to be in the JSValue gigacage
1169         https://bugs.webkit.org/show_bug.cgi?id=174922
1170
1171         Reviewed by Michael Saboff.
1172         
1173         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1174         the only random accesses use pointer caging.
1175         
1176         We don't need to do anything to normal lexical environment accesses.
1177
1178         * dfg/DFGSpeculativeJIT.cpp:
1179         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1180         * ftl/FTLLowerDFGToB3.cpp:
1181         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1182         * runtime/JSEnvironmentRecord.h:
1183         (JSC::JSEnvironmentRecord::subspaceFor):
1184         (JSC::JSEnvironmentRecord::variables):
1185
1186 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1187
1188         DirectArguments should be in the JSValue gigacage
1189         https://bugs.webkit.org/show_bug.cgi?id=174920
1190
1191         Reviewed by Michael Saboff.
1192         
1193         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1194         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1195         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1196         required to use fixed offsets, and you can only store JSValues.
1197
1198         * dfg/DFGSpeculativeJIT.cpp:
1199         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1200         * ftl/FTLLowerDFGToB3.cpp:
1201         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1202         * jit/JITPropertyAccess.cpp:
1203         (JSC::JIT::emitDirectArgumentsGetByVal):
1204         * runtime/DirectArguments.h:
1205         (JSC::DirectArguments::subspaceFor):
1206         (JSC::DirectArguments::storage):
1207         * runtime/VM.cpp:
1208         (JSC::VM::VM):
1209         * runtime/VM.h:
1210
1211 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1212
1213         Unreviewed, add a FIXME.
1214
1215         * ftl/FTLLowerDFGToB3.cpp:
1216         (JSC::FTL::DFG::LowerDFGToB3::caged):
1217
1218 2017-08-10  Sam Weinig  <sam@webkit.org>
1219
1220         WTF::Function does not allow for reference / non-default constructible return types
1221         https://bugs.webkit.org/show_bug.cgi?id=175244
1222
1223         Reviewed by Chris Dumez.
1224
1225         * runtime/ArrayBuffer.cpp:
1226         (JSC::ArrayBufferContents::transferTo):
1227         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1228         destroy call needed to be a no-op anyway, since the data is being moved.
1229
1230 2017-08-11  Mark Lam  <mark.lam@apple.com>
1231
1232         Gardening: fix CLoop build.
1233         https://bugs.webkit.org/show_bug.cgi?id=175446
1234         <rdar://problem/33836545>
1235
1236         Not reviewed.
1237
1238         * assembler/MacroAssemblerPrinter.cpp:
1239
1240 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1241
1242         DFG should do caging
1243         https://bugs.webkit.org/show_bug.cgi?id=174918
1244
1245         Reviewed by Saam Barati.
1246         
1247         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1248         the conditional caging with a watchpoint.
1249         
1250         This might be a 1% SunSpider slow-down, but it's not clear.
1251
1252         * dfg/DFGSpeculativeJIT.cpp:
1253         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1254         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1255         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1256         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1257         (JSC::DFG::SpeculativeJIT::compileSpread):
1258         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1259         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1260         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1261         * dfg/DFGSpeculativeJIT.h:
1262         * dfg/DFGSpeculativeJIT64.cpp:
1263         (JSC::DFG::SpeculativeJIT::compile):
1264
1265 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1266
1267         Unreviewed, build fix for x86 GTK port
1268         https://bugs.webkit.org/show_bug.cgi?id=175446
1269
1270         Use pushfl/popfl instead of pushfd/popfd.
1271
1272         * assembler/MacroAssemblerX86Common.cpp:
1273
1274 2017-08-10  Mark Lam  <mark.lam@apple.com>
1275
1276         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1277         https://bugs.webkit.org/show_bug.cgi?id=175446
1278         <rdar://problem/33836545>
1279
1280         Reviewed by Saam Barati.
1281
1282         * assembler/AbstractMacroAssembler.h:
1283         * assembler/MacroAssembler.cpp:
1284         (JSC::MacroAssembler::probe):
1285         * assembler/MacroAssembler.h:
1286         * assembler/MacroAssemblerARM.cpp:
1287         (JSC::MacroAssembler::probe):
1288         * assembler/MacroAssemblerARM.h:
1289         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1290         * assembler/MacroAssemblerARM64.cpp:
1291         (JSC::MacroAssembler::probe):
1292         * assembler/MacroAssemblerARMv7.cpp:
1293         (JSC::MacroAssembler::probe):
1294         * assembler/MacroAssemblerARMv7.h:
1295         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1296         * assembler/MacroAssemblerPrinter.cpp:
1297         * assembler/MacroAssemblerPrinter.h:
1298         * assembler/MacroAssemblerX86Common.cpp:
1299         * assembler/testmasm.cpp:
1300         (JSC::isSpecialGPR):
1301         (JSC::testProbeModifiesProgramCounter):
1302         (JSC::run):
1303         * b3/B3LowerToAir.cpp:
1304         (JSC::B3::Air::LowerToAir::print):
1305         * b3/air/AirPrintSpecial.cpp:
1306         * b3/air/AirPrintSpecial.h:
1307
1308 2017-08-10  Mark Lam  <mark.lam@apple.com>
1309
1310         Apply the UNLIKELY macro to some unlikely things.
1311         https://bugs.webkit.org/show_bug.cgi?id=175440
1312         <rdar://problem/33834767>
1313
1314         Reviewed by Yusuke Suzuki.
1315
1316         * bytecode/CodeBlock.cpp:
1317         (JSC::CodeBlock::~CodeBlock):
1318         (JSC::CodeBlock::jettison):
1319         * dfg/DFGByteCodeParser.cpp:
1320         (JSC::DFG::ByteCodeParser::handleCall):
1321         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1322         (JSC::DFG::ByteCodeParser::handleGetById):
1323         (JSC::DFG::ByteCodeParser::handlePutById):
1324         (JSC::DFG::ByteCodeParser::parseBlock):
1325         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1326         * dfg/DFGJITCompiler.cpp:
1327         (JSC::DFG::JITCompiler::JITCompiler):
1328         (JSC::DFG::JITCompiler::linkOSRExits):
1329         (JSC::DFG::JITCompiler::link):
1330         (JSC::DFG::JITCompiler::disassemble):
1331         * dfg/DFGJITFinalizer.cpp:
1332         (JSC::DFG::JITFinalizer::finalizeCommon):
1333         * dfg/DFGOSRExit.cpp:
1334         (JSC::DFG::OSRExit::compileOSRExit):
1335         * dfg/DFGPlan.cpp:
1336         (JSC::DFG::Plan::Plan):
1337         * ftl/FTLJITFinalizer.cpp:
1338         (JSC::FTL::JITFinalizer::finalizeCommon):
1339         * ftl/FTLLink.cpp:
1340         (JSC::FTL::link):
1341         * ftl/FTLOSRExitCompiler.cpp:
1342         (JSC::FTL::compileStub):
1343         * jit/JIT.cpp:
1344         (JSC::JIT::privateCompileMainPass):
1345         (JSC::JIT::compileWithoutLinking):
1346         (JSC::JIT::link):
1347         * runtime/ScriptExecutable.cpp:
1348         (JSC::ScriptExecutable::installCode):
1349         * runtime/VM.cpp:
1350         (JSC::VM::VM):
1351
1352 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1353
1354         [WTF] ThreadSpecific should not introduce additional indirection
1355         https://bugs.webkit.org/show_bug.cgi?id=175187
1356
1357         Reviewed by Mark Lam.
1358
1359         * runtime/Identifier.cpp:
1360
1361 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1362
1363         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1364         https://bugs.webkit.org/show_bug.cgi?id=175436
1365         <rdar://problem/33667497>
1366
1367         Reviewed by Simon Fraser.
1368
1369         * interpreter/Interpreter.cpp:
1370         (JSC::Interpreter::Interpreter):
1371
1372 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1373
1374         Remove ENABLE_GAMEPAD_DEPRECATED
1375         https://bugs.webkit.org/show_bug.cgi?id=175361
1376
1377         Reviewed by Carlos Garcia Campos.
1378
1379         * Configurations/FeatureDefines.xcconfig:
1380
1381 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1382
1383         [JSC] Create JSSet constructor that accepts its size as parameter
1384         https://bugs.webkit.org/show_bug.cgi?id=173297
1385
1386         Reviewed by Saam Barati.
1387
1388         This patch is adding a new constructor to JSSet that gives its
1389         expected initial size. It is important to avoid re-hashing and multiple
1390         allocations when we know the final size of JSSet, such as in
1391         CodeBlock::setConstantIdentifierSetRegisters.
1392
1393         * bytecode/CodeBlock.cpp:
1394         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1395         * runtime/HashMapImpl.h:
1396         (JSC::HashMapImpl::HashMapImpl):
1397         * runtime/JSSet.h:
1398
1399 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1400
1401         Unreviewed, rolling out r220466, r220477, and r220487.
1402         https://bugs.webkit.org/show_bug.cgi?id=175411
1403
1404         This change broke existing API tests and follow up fixes did
1405         not resolve all the issues. (Requested by ryanhaddad on
1406         #webkit).
1407
1408         Reverted changesets:
1409
1410         https://bugs.webkit.org/show_bug.cgi?id=175244
1411         http://trac.webkit.org/changeset/220466
1412
1413         "WTF::Function does not allow for reference / non-default
1414         constructible return types"
1415         https://bugs.webkit.org/show_bug.cgi?id=175244
1416         http://trac.webkit.org/changeset/220477
1417
1418         https://bugs.webkit.org/show_bug.cgi?id=175244
1419         http://trac.webkit.org/changeset/220487
1420
1421 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1422
1423         Early error on ANY operator before new.target
1424         https://bugs.webkit.org/show_bug.cgi?id=157970
1425
1426         Reviewed by Saam Barati.
1427
1428         Instead of throwing if any unary operator precedes new.target, only
1429         throw if the unary operator updates the reference.
1430
1431         The following become legal in JSC:
1432
1433         ```
1434         !new.target
1435         ~new.target
1436         typeof new.target
1437         delete new.target
1438         void new.target
1439         ```
1440
1441         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode.
1442
1443         * parser/Parser.cpp:
1444         (JSC::Parser<LexerType>::parseUnaryExpression):
1445
1446 2017-08-09  Sam Weinig  <sam@webkit.org>
1447
1448         WTF::Function does not allow for reference / non-default constructible return types
1449         https://bugs.webkit.org/show_bug.cgi?id=175244
1450
1451         Reviewed by Chris Dumez.
1452
1453         * runtime/ArrayBuffer.cpp:
1454         (JSC::ArrayBufferContents::transferTo):
1455         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1456         destroy call needed to be a no-op anyway, since the data is being moved.
1457
1458 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1459
1460         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1461         https://bugs.webkit.org/show_bug.cgi?id=175392
1462         <rdar://problem/33783207>
1463
1464         Reviewed by Tim Horton and Megan Gardner.
1465
1466         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1467
1468         * Configurations/FeatureDefines.xcconfig:
1469
1470 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1471
1472         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1473         https://bugs.webkit.org/show_bug.cgi?id=175358
1474
1475         Reviewed by Mark Lam.
1476
1477         * jit/JITOperations.cpp:
1478         * runtime/JSObjectInlines.h:
1479         (JSC::JSObject::putInlineForJSObject):
1480
1481 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1482
1483         Unreviewed, rolling out r220457.
1484
1485         This change introduced API test failures.
1486
1487         Reverted changeset:
1488
1489         "WTF::Function does not allow for reference / non-default
1490         constructible return types"
1491         https://bugs.webkit.org/show_bug.cgi?id=175244
1492         http://trac.webkit.org/changeset/220457
1493
1494 2017-08-09  Sam Weinig  <sam@webkit.org>
1495
1496         WTF::Function does not allow for reference / non-default constructible return types
1497         https://bugs.webkit.org/show_bug.cgi?id=175244
1498
1499         Reviewed by Chris Dumez.
1500
1501         * runtime/ArrayBuffer.cpp:
1502         (JSC::ArrayBufferContents::transferTo):
1503         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1504         destroy call needed to be a no-op anyway, since the data is being moved.
1505
1506 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1507
1508         REGRESSION: 2 test262/test/language/statements/async-function failures
1509         https://bugs.webkit.org/show_bug.cgi?id=175334
1510
1511         Reviewed by Yusuke Suzuki.
1512
1513         Switch off useAsyncIterator by default
1514
1515         * runtime/Options.h:
1516
1517 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1518
1519         ICs should do caging
1520         https://bugs.webkit.org/show_bug.cgi?id=175295
1521
1522         Reviewed by Saam Barati.
1523         
1524         Adds the appropriate cage() calls in our inline caches.
1525
1526         * bytecode/AccessCase.cpp:
1527         (JSC::AccessCase::generateImpl):
1528         * bytecode/InlineAccess.cpp:
1529         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1530         (JSC::InlineAccess::generateSelfPropertyAccess):
1531         (JSC::InlineAccess::generateSelfPropertyReplace):
1532         (JSC::InlineAccess::generateArrayLength):
1533
1534 2017-08-08  Devin Rousso  <drousso@apple.com>
1535
1536         Web Inspector: Canvas: support editing WebGL shaders
1537         https://bugs.webkit.org/show_bug.cgi?id=124211
1538         <rdar://problem/15448958>
1539
1540         Reviewed by Matt Baker.
1541
1542         * inspector/protocol/Canvas.json:
1543         Add `updateShader` command that will change the given shader's source to the provided string,
1544         recompile, and relink it to its associated program.
1545         Drive-by: add description to `requestShaderSource` command.
1546
1547 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1548
1549         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1550         https://bugs.webkit.org/show_bug.cgi?id=175347
1551
1552         Reviewed by Saam Barati.
1553
1554         This is done by making finishCreation explicitly check for exceptions after setConstantRegisters and setConstantIdentifierSetRegisters.
1555         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1556         negligible considering how much more finishCreation does.
1557         This fix then caused another issue to appear, as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1558         FunctionCodeBlock::create() and friends, which are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1559
1560         * bytecode/CodeBlock.cpp:
1561         (JSC::CodeBlock::finishCreation):
1562         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1563         (JSC::CodeBlock::setConstantRegisters):
1564         * bytecode/CodeBlock.h:
1565         * runtime/ScriptExecutable.cpp:
1566         (JSC::ScriptExecutable::newCodeBlockFor):
1567
1568 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1569
1570         Unreviewed, fix Ubuntu LTS build
1571         https://bugs.webkit.org/show_bug.cgi?id=174490
1572
1573         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1574         * inspector/remote/glib/RemoteInspectorServer.cpp:
1575
1576 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1577
1578         Baseline JIT should do caging
1579         https://bugs.webkit.org/show_bug.cgi?id=175037
1580
1581         Reviewed by Mark Lam.
1582         
1583         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1584         
1585         Also modifies FTL caging to be more defensive when caging is disabled.
1586         
1587         Relanded with fixed AssemblyHelpers::cageConditionally().
1588
1589         * bytecode/AccessCase.cpp:
1590         (JSC::AccessCase::generateImpl):
1591         * bytecode/InlineAccess.cpp:
1592         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1593         (JSC::InlineAccess::generateSelfPropertyAccess):
1594         (JSC::InlineAccess::generateSelfPropertyReplace):
1595         (JSC::InlineAccess::generateArrayLength):
1596         * ftl/FTLLowerDFGToB3.cpp:
1597         (JSC::FTL::DFG::LowerDFGToB3::caged):
1598         * jit/AssemblyHelpers.h:
1599         (JSC::AssemblyHelpers::cage):
1600         (JSC::AssemblyHelpers::cageConditionally):
1601         * jit/JITPropertyAccess.cpp:
1602         (JSC::JIT::emitDoubleLoad):
1603         (JSC::JIT::emitContiguousLoad):
1604         (JSC::JIT::emitArrayStorageLoad):
1605         (JSC::JIT::emitGenericContiguousPutByVal):
1606         (JSC::JIT::emitArrayStoragePutByVal):
1607         (JSC::JIT::emit_op_get_from_scope):
1608         (JSC::JIT::emit_op_put_to_scope):
1609         (JSC::JIT::emitIntTypedArrayGetByVal):
1610         (JSC::JIT::emitFloatTypedArrayGetByVal):
1611         (JSC::JIT::emitIntTypedArrayPutByVal):
1612         (JSC::JIT::emitFloatTypedArrayPutByVal):
1613         * jsc.cpp:
1614         (jscmain):
1615         (primitiveGigacageDisabled): Deleted.
1616
1617 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1618
1619         Unreviewed, rolling out r220368.
1620
1621         This change caused WK1 tests to exit early with crashes.
1622
1623         Reverted changeset:
1624
1625         "Baseline JIT should do caging"
1626         https://bugs.webkit.org/show_bug.cgi?id=175037
1627         http://trac.webkit.org/changeset/220368
1628
1629 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1630
1631         [CMake] Properly test if compiler supports compiler flags
1632         https://bugs.webkit.org/show_bug.cgi?id=174490
1633
1634         Reviewed by Konstantin Tokarev.
1635
1636         * API/tests/PingPongStackOverflowTest.cpp:
1637         (testPingPongStackOverflow):
1638         * API/tests/testapi.c:
1639         * b3/testb3.cpp:
1640         (JSC::B3::testPatchpointLotsOfLateAnys):
1641
1642 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1643
1644         [Linux] Clear WasmMemory with madvise instead of memset
1645         https://bugs.webkit.org/show_bug.cgi?id=175150
1646
1647         Reviewed by Filip Pizlo.
1648
1649         On Linux, zeroing pages with memset populates the backing store.
1650         Instead, we should use madvise with MADV_DONTNEED. It discards the
1651         pages, and if you access these pages again, on-demand zero pages will
1652         be shown.
1653
1654         We also commit grown pages in all OSes.
1655
1656         * wasm/WasmMemory.cpp:
1657         (JSC::Wasm::commitZeroPages):
1658         (JSC::Wasm::Memory::create):
1659         (JSC::Wasm::Memory::grow):
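
The page-zeroing idea described in the entry above, as an added example that is not JSC's WasmMemory code: `zero_pages()` is a hypothetical helper that drops a private anonymous mapping's pages with `madvise(MADV_DONTNEED)` on Linux (so the next access faults in fresh zero pages instead of populating backing store, as the entry says) and falls back to `memset()` elsewhere, where zero-fill after MADV_DONTNEED is not guaranteed. `demo_zero_pages()` dirties a mapping, zeroes it, and checks that every byte reads back as zero; `demo_unaligned_rejected()` shows the caveat that madvise only accepts page-aligned ranges.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical helper (not JSC code): zero [base, base + length) without
 * touching every byte on Linux.  Returns 0 on success, -1 with errno set
 * on failure.  Requires a page-aligned start, like madvise itself. */
static int zero_pages(void* base, size_t length)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || ((uintptr_t)base % (uintptr_t)page) != 0) {
        errno = EINVAL;
        return -1;
    }
#if defined(__linux__)
    /* MADV_DONTNEED discards the private anonymous pages; the next read
     * faults in on-demand zero pages, so nothing is populated here. */
    return madvise(base, length, MADV_DONTNEED);
#else
    /* Other OSes do not promise zero-fill after MADV_DONTNEED, so use the
     * explicit (page-populating) memset instead. */
    memset(base, 0, length);
    return 0;
#endif
}

/* Returns 1 if every byte in [base, base + length) is zero, else 0. */
static int all_zero(const unsigned char* base, size_t length)
{
    for (size_t i = 0; i < length; i++) {
        if (base[i] != 0)
            return 0;
    }
    return 1;
}

/* Map `pages` anonymous pages, dirty them, zero them with zero_pages(), and
 * report whether they read back as zero.  Returns 1 on success, 0 if the
 * memory was not zeroed, -1 on a mapping or sysconf error. */
int demo_zero_pages(size_t pages)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t length = (size_t)page * pages;
    unsigned char* base = mmap(NULL, length, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    memset(base, 0xFF, length); /* dirty every page so zeroing is observable */
    int ok = zero_pages(base, length) == 0 && all_zero(base, length);
    munmap(base, length);
    return ok;
}

/* Caveat demo: an unaligned start must be rejected rather than silently
 * zeroing a different range.  Returns 1 if zero_pages() refused it. */
int demo_unaligned_rejected(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return -1;
    size_t length = (size_t)page * 2;
    unsigned char* base = mmap(NULL, length, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return -1;
    int rejected = zero_pages(base + 1, (size_t)page) == -1;
    munmap(base, length);
    return rejected;
}

int main(void)
{
    printf("zeroed: %d, unaligned rejected: %d\n",
           demo_zero_pages(4), demo_unaligned_rejected());
    return 0;
}
```

The page-alignment check matters because a caller passing an interior pointer would otherwise get EINVAL from the kernel on Linux but a successful (and misaligned) memset on the fallback path; making both paths agree keeps the helper's contract the same on every OS.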
1660
1661 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1662
1663         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1664         https://bugs.webkit.org/show_bug.cgi?id=175307
1665
1666         Reviewed by Saam Barati.
1667
1668         ```
1669         let a = new Uint8Array(10);
1670         let b = Object.getOwnPropertyDescriptor(a, 0);
1671         assert(b.configurable === false);
1672         ```
1673         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
1674         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
1675         that says that typed arrays are integer indexed exotic objects.
1676
1677         * runtime/JSGenericTypedArrayViewInlines.h:
1678         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1679
1680 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1681
1682         Baseline JIT should do caging
1683         https://bugs.webkit.org/show_bug.cgi?id=175037
1684
1685         Reviewed by Mark Lam.
1686         
1687         Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.
1688         
1689         Also modifies FTL caging to be more defensive when caging is disabled.
1690
1691         * ftl/FTLLowerDFGToB3.cpp:
1692         (JSC::FTL::DFG::LowerDFGToB3::caged):
1693         * jit/AssemblyHelpers.h:
1694         (JSC::AssemblyHelpers::cage):
1695         (JSC::AssemblyHelpers::cageConditionally):
1696         * jit/JITPropertyAccess.cpp:
1697         (JSC::JIT::emitDoubleLoad):
1698         (JSC::JIT::emitContiguousLoad):
1699         (JSC::JIT::emitArrayStorageLoad):
1700         (JSC::JIT::emitGenericContiguousPutByVal):
1701         (JSC::JIT::emitArrayStoragePutByVal):
1702         (JSC::JIT::emit_op_get_from_scope):
1703         (JSC::JIT::emit_op_put_to_scope):
1704         (JSC::JIT::emitIntTypedArrayGetByVal):
1705         (JSC::JIT::emitFloatTypedArrayGetByVal):
1706         (JSC::JIT::emitIntTypedArrayPutByVal):
1707         (JSC::JIT::emitFloatTypedArrayPutByVal):
1708         * jsc.cpp:
1709         (jscmain):
1710         (primitiveGigacageDisabled): Deleted.
1711
1712 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1713
1714         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1715         https://bugs.webkit.org/show_bug.cgi?id=174919
1716
1717         Reviewed by Keith Miller.
1718         
1719         This adapts JSC to there being two gigacages.
1720         
1721         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1722         singletons. I don't think we were gaining anything by making them be singletons.
1723         
1724         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1725         gigacages. We'll have one of those allocators per cage.
1726         
1727         From there, this change teaches everyone who previously knew about cages that there are two cages.
1728         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1729         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1730         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1731         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h.
1732         
1733         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1734         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1735
1736         * JavaScriptCore.xcodeproj/project.pbxproj:
1737         * bytecode/AccessCase.cpp:
1738         (JSC::AccessCase::generateImpl):
1739         * dfg/DFGSpeculativeJIT.cpp:
1740         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1741         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1742         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1743         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1744         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1745         * ftl/FTLLowerDFGToB3.cpp:
1746         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1747         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1748         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1749         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1750         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1751         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1752         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1753         (JSC::FTL::DFG::LowerDFGToB3::caged):
1754         * heap/FastMallocAlignedMemoryAllocator.cpp:
1755         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1756         * heap/FastMallocAlignedMemoryAllocator.h:
1757         * heap/GigacageAlignedMemoryAllocator.cpp:
1758         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1759         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1760         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1761         (JSC::GigacageAlignedMemoryAllocator::dump const):
1762         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1763         * heap/GigacageAlignedMemoryAllocator.h:
1764         * jsc.cpp:
1765         (primitiveGigacageDisabled):
1766         (jscmain):
1767         (gigacageDisabled): Deleted.
1768         * llint/LowLevelInterpreter64.asm:
1769         * runtime/ArrayBuffer.cpp:
1770         (JSC::ArrayBufferContents::tryAllocate):
1771         (JSC::ArrayBuffer::createAdopted):
1772         (JSC::ArrayBuffer::createFromBytes):
1773         * runtime/AuxiliaryBarrier.h:
1774         * runtime/ButterflyInlines.h:
1775         (JSC::Butterfly::createUninitialized):
1776         (JSC::Butterfly::tryCreate):
1777         (JSC::Butterfly::growArrayRight):
1778         * runtime/CagedBarrierPtr.h: Added.
1779         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1780         (JSC::CagedBarrierPtr::clear):
1781         (JSC::CagedBarrierPtr::set):
1782         (JSC::CagedBarrierPtr::get const):
1783         (JSC::CagedBarrierPtr::getMayBeNull const):
1784         (JSC::CagedBarrierPtr::operator== const):
1785         (JSC::CagedBarrierPtr::operator!= const):
1786         (JSC::CagedBarrierPtr::operator bool const):
1787         (JSC::CagedBarrierPtr::setWithoutBarrier):
1788         (JSC::CagedBarrierPtr::operator* const):
1789         (JSC::CagedBarrierPtr::operator-> const):
1790         (JSC::CagedBarrierPtr::operator[] const):
1791         * runtime/DirectArguments.cpp:
1792         (JSC::DirectArguments::overrideThings):
1793         (JSC::DirectArguments::unmapArgument):
1794         * runtime/DirectArguments.h:
1795         (JSC::DirectArguments::isMappedArgument const):
1796         * runtime/GenericArguments.h:
1797         * runtime/GenericArgumentsInlines.h:
1798         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1799         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1800         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1801         * runtime/HashMapImpl.cpp:
1802         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1803         * runtime/HashMapImpl.h:
1804         (JSC::HashMapBuffer::create):
1805         (JSC::HashMapImpl::buffer const):
1806         (JSC::HashMapImpl::rehash):
1807         * runtime/JSArray.cpp:
1808         (JSC::JSArray::tryCreateUninitializedRestricted):
1809         (JSC::JSArray::unshiftCountSlowCase):
1810         (JSC::JSArray::setLength):
1811         (JSC::JSArray::pop):
1812         (JSC::JSArray::push):
1813         (JSC::JSArray::fastSlice):
1814         (JSC::JSArray::shiftCountWithArrayStorage):
1815         (JSC::JSArray::shiftCountWithAnyIndexingType):
1816         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1817         (JSC::JSArray::fillArgList):
1818         (JSC::JSArray::copyToArguments):
1819         * runtime/JSArray.h:
1820         (JSC::JSArray::tryCreate):
1821         * runtime/JSArrayBufferView.cpp:
1822         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1823         (JSC::JSArrayBufferView::finalize):
1824         * runtime/JSLock.cpp:
1825         (JSC::JSLock::didAcquireLock):
1826         * runtime/JSObject.cpp:
1827         (JSC::JSObject::heapSnapshot):
1828         (JSC::JSObject::getOwnPropertySlotByIndex):
1829         (JSC::JSObject::putByIndex):
1830         (JSC::JSObject::enterDictionaryIndexingMode):
1831         (JSC::JSObject::createInitialIndexedStorage):
1832         (JSC::JSObject::createArrayStorage):
1833         (JSC::JSObject::convertUndecidedToInt32):
1834         (JSC::JSObject::convertUndecidedToDouble):
1835         (JSC::JSObject::convertUndecidedToContiguous):
1836         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1837         (JSC::JSObject::convertUndecidedToArrayStorage):
1838         (JSC::JSObject::convertInt32ToDouble):
1839         (JSC::JSObject::convertInt32ToContiguous):
1840         (JSC::JSObject::convertInt32ToArrayStorage):
1841         (JSC::JSObject::convertDoubleToContiguous):
1842         (JSC::JSObject::convertDoubleToArrayStorage):
1843         (JSC::JSObject::convertContiguousToArrayStorage):
1844         (JSC::JSObject::setIndexQuicklyToUndecided):
1845         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1846         (JSC::JSObject::deletePropertyByIndex):
1847         (JSC::JSObject::getOwnPropertyNames):
1848         (JSC::JSObject::putIndexedDescriptor):
1849         (JSC::JSObject::defineOwnIndexedProperty):
1850         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1851         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1852         (JSC::JSObject::getNewVectorLength):
1853         (JSC::JSObject::ensureLengthSlow):
1854         (JSC::JSObject::reallocateAndShrinkButterfly):
1855         (JSC::JSObject::allocateMoreOutOfLineStorage):
1856         (JSC::JSObject::getEnumerableLength):
1857         * runtime/JSObject.h:
1858         (JSC::JSObject::getArrayLength const):
1859         (JSC::JSObject::getVectorLength):
1860         (JSC::JSObject::putDirectIndex):
1861         (JSC::JSObject::canGetIndexQuickly):
1862         (JSC::JSObject::getIndexQuickly):
1863         (JSC::JSObject::tryGetIndexQuickly const):
1864         (JSC::JSObject::canSetIndexQuickly):
1865         (JSC::JSObject::setIndexQuickly):
1866         (JSC::JSObject::initializeIndex):
1867         (JSC::JSObject::initializeIndexWithoutBarrier):
1868         (JSC::JSObject::hasSparseMap):
1869         (JSC::JSObject::inSparseIndexingMode):
1870         (JSC::JSObject::butterfly const):
1871         (JSC::JSObject::butterfly):
1872         (JSC::JSObject::outOfLineStorage const):
1873         (JSC::JSObject::outOfLineStorage):
1874         (JSC::JSObject::ensureInt32):
1875         (JSC::JSObject::ensureDouble):
1876         (JSC::JSObject::ensureContiguous):
1877         (JSC::JSObject::ensureArrayStorage):
1878         (JSC::JSObject::arrayStorage):
1879         (JSC::JSObject::arrayStorageOrNull):
1880         (JSC::JSObject::ensureLength):
1881         * runtime/RegExpMatchesArray.h:
1882         (JSC::tryCreateUninitializedRegExpMatchesArray):
1883         * runtime/VM.cpp:
1884         (JSC::VM::VM):
1885         (JSC::VM::~VM):
1886         (JSC::VM::primitiveGigacageDisabledCallback):
1887         (JSC::VM::primitiveGigacageDisabled):
1888         (JSC::VM::gigacageDisabledCallback): Deleted.
1889         (JSC::VM::gigacageDisabled): Deleted.
1890         * runtime/VM.h:
1891         (JSC::VM::gigacageAuxiliarySpace):
1892         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1893         (JSC::VM::primitiveGigacageEnabled):
1894         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1895         (JSC::VM::gigacageEnabled): Deleted.
1896         * wasm/WasmMemory.cpp:
1897         (JSC::Wasm::Memory::create):
1898         (JSC::Wasm::Memory::~Memory):
1899         (JSC::Wasm::Memory::grow):
1900
1901 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1902
1903         Unreviewed, rolling out r220144.
1904         https://bugs.webkit.org/show_bug.cgi?id=175276
1905
1906         "It did not actually speed things up in the way I expected"
1907         (Requested by saamyjoon on #webkit).
1908
1909         Reverted changeset:
1910
1911         "On memory-constrained iOS devices, reduce the rate at which
1912         the JS heap grows before a GC to try to keep more memory
1913         available for the system"
1914         https://bugs.webkit.org/show_bug.cgi?id=175041
1915         http://trac.webkit.org/changeset/220144
1916
1917 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1918
1919         Unreviewed, rolling out r220299.
1920
1921         This change caused LayoutTest inspector/dom-debugger/dom-
1922         breakpoints.html to fail.
1923
1924         Reverted changeset:
1925
1926         "Web Inspector: capture async stack trace when workers/main
1927         context posts a message"
1928         https://bugs.webkit.org/show_bug.cgi?id=167084
1929         http://trac.webkit.org/changeset/220299
1930
1931 2017-08-07  Brian Burg  <bburg@apple.com>
1932
1933         Remove CANVAS_PATH compilation guard
1934         https://bugs.webkit.org/show_bug.cgi?id=175207
1935
1936         Reviewed by Sam Weinig.
1937
1938         * Configurations/FeatureDefines.xcconfig:
1939
1940 2017-08-07  Keith Miller  <keith_miller@apple.com>
1941
1942         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
1943         https://bugs.webkit.org/show_bug.cgi?id=175256
1944
1945         Reviewed by Saam Barati.
1946
1947         The check in createFromBytes just needed to check that the buffer was not null before
1948         calling isCaged.
1949
1950         * runtime/ArrayBuffer.cpp:
1951         (JSC::ArrayBuffer::createFromBytes):
1952
1953 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
1954
1955         [GTK][WPE] Add API to provide browser information required by automation
1956         https://bugs.webkit.org/show_bug.cgi?id=175130
1957
1958         Reviewed by Brian Burg.
1959
1960         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
1961         get them.
1962
1963         * inspector/remote/RemoteInspector.cpp:
1964         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
1965         * inspector/remote/RemoteInspector.h:
1966         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1967         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
1968         requested to ensure they are updated before the StartAutomationSession reply is sent.
1969         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
1970         StartAutomationSession message.
1971
1972 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1973
1974         Promise resolve and reject function should have length = 1
1975         https://bugs.webkit.org/show_bug.cgi?id=175242
1976
1977         Reviewed by Saam Barati.
1978
1979         Previously we had a separate system for "length" and "name" for builtin functions.
1980         The builtin functions do not use the lazy reifying system. Instead, they have direct
1981         properties set when they are instantiated. While the function created for properties (like
1982         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
1983         these builtin functions are just created by JSFunction::create(). Since it does
1984         not set any value for "length", these functions do not have a "length" property.
1985         So, the resolve and reject functions passed to Promise's executor do not have a
1986         "length" property.
1987
1988         This patch makes builtin functions use the standard lazy reifying system for "length".
1989         So, the "length" property of a builtin function just works as it does for normal
1990         functions.
1991
1992         * runtime/JSFunction.cpp:
1993         (JSC::JSFunction::createBuiltinFunction):
1994         (JSC::JSFunction::getOwnPropertySlot):
1995         (JSC::JSFunction::getOwnNonIndexPropertyNames):
1996         (JSC::JSFunction::put):
1997         (JSC::JSFunction::deleteProperty):
1998         (JSC::JSFunction::defineOwnProperty):
1999         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2000         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2001         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2002         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2003         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2004         * runtime/JSFunction.h:
2005
2006 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2007
2008         [ESNext] Async iteration - Implement Async Generator - parser
2009         https://bugs.webkit.org/show_bug.cgi?id=175210
2010
2011         Reviewed by Yusuke Suzuki.
2012
2013         The current implementation is a draft version of Async Iteration.
2014         Link to spec: https://tc39.github.io/proposal-async-iteration/
2015
2016         The current patch implements only the parser part of the Async generator.
2017         The runtime part will be in the next patches.
2018
2019         * parser/ASTBuilder.h:
2020         (JSC::ASTBuilder::createFunctionMetadata):
2021         * parser/Parser.cpp:
2022         (JSC::getAsynFunctionBodyParseMode):
2023         (JSC::Parser<LexerType>::parseInner):
2024         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2025         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2026         (JSC::stringArticleForFunctionMode):
2027         (JSC::stringForFunctionMode):
2028         (JSC::Parser<LexerType>::parseFunctionInfo):
2029         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2030         (JSC::Parser<LexerType>::parseClass):
2031         (JSC::Parser<LexerType>::parseProperty):
2032         (JSC::Parser<LexerType>::parsePropertyMethod):
2033         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2034         * parser/Parser.h:
2035         (JSC::Scope::setSourceParseMode):
2036         * parser/ParserModes.h:
2037         (JSC::isFunctionParseMode):
2038         (JSC::isAsyncFunctionParseMode):
2039         (JSC::isAsyncArrowFunctionParseMode):
2040         (JSC::isAsyncGeneratorFunctionParseMode):
2041         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2042         (JSC::isAsyncFunctionWrapperParseMode):
2043         (JSC::isAsyncFunctionBodyParseMode):
2044         (JSC::isGeneratorMethodParseMode):
2045         (JSC::isAsyncMethodParseMode):
2046         (JSC::isAsyncGeneratorMethodParseMode):
2047         (JSC::isMethodParseMode):
2048         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2049         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2050
2051 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2052
2053         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2054         https://bugs.webkit.org/show_bug.cgi?id=175083
2055
2056         Reviewed by Oliver Hunt.
2057         
2058         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2059         even if we are using the pop path.
2060         
2061         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2062         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2063         the world just because we changed it.
2064         
2065         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2066         easier to debug leaks.
2067
2068         * bytecode/AccessCase.cpp:
2069         * bytecode/PolymorphicAccess.cpp:
2070         * heap/HeapCell.cpp:
2071         (JSC::HeapCell::isLive):
2072         * heap/HeapCellInlines.h:
2073         (JSC::HeapCell::isLive): Deleted.
2074         * heap/MarkedAllocator.cpp:
2075         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2076         (JSC::MarkedAllocator::endMarking):
2077         * heap/MarkedBlockInlines.h:
2078         (JSC::MarkedBlock::Handle::specializedSweep):
2079         * jit/AssemblyHelpers.cpp:
2080         * jit/Repatch.cpp:
2081         * runtime/TestRunnerUtils.h:
2082         * runtime/VM.cpp:
2083         (JSC::waitForVMDestruction):
2084         (JSC::VM::~VM):
2085
2086 2017-08-05  Mark Lam  <mark.lam@apple.com>
2087
2088         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2089         https://bugs.webkit.org/show_bug.cgi?id=175228
2090         <rdar://problem/33735737>
2091
2092         Reviewed by Saam Barati.
2093
2094         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2095         delete OSRExit32_64.cpp.
2096
2097         * CMakeLists.txt:
2098         * JavaScriptCore.xcodeproj/project.pbxproj:
2099         * dfg/DFGOSRExit.cpp:
2100         (JSC::DFG::OSRExit::compileExit):
2101         * dfg/DFGOSRExit32_64.cpp: Removed.
2102         * jit/GPRInfo.h:
2103         (JSC::JSValueSource::payloadGPR const):
2104
2105 2017-08-04  Youenn Fablet  <youenn@apple.com>
2106
2107         [Cache API] Add Cache and CacheStorage IDL definitions
2108         https://bugs.webkit.org/show_bug.cgi?id=175201
2109
2110         Reviewed by Brady Eidson.
2111
2112         * runtime/CommonIdentifiers.h:
2113
2114 2017-08-04  Mark Lam  <mark.lam@apple.com>
2115
2116         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2117         https://bugs.webkit.org/show_bug.cgi?id=175230
2118         <rdar://problem/33735857>
2119
2120         Reviewed by Saam Barati.
2121
2122         * assembler/testmasm.cpp:
2123         (JSC::testProbeReadsArgumentRegisters):
2124         (JSC::testProbeWritesArgumentRegisters):
2125
2126 2017-08-04  Mark Lam  <mark.lam@apple.com>
2127
2128         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2129         https://bugs.webkit.org/show_bug.cgi?id=175214
2130         <rdar://problem/33733308>
2131
2132         Rubber-stamped by Michael Saboff.
2133
2134         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2135         DFGOSRExitCompiler files.
2136
2137         Also rename DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2138
2139         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2140         used by compileOSRExit(), and will be changed to not be a DFG operation function
2141         when we use JIT probes for DFG OSR exits later in
2142         https://bugs.webkit.org/show_bug.cgi?id=175144.
2143
2144         * CMakeLists.txt:
2145         * JavaScriptCore.xcodeproj/project.pbxproj:
2146         * dfg/DFGJITCompiler.cpp:
2147         * dfg/DFGOSRExit.cpp:
2148         (JSC::DFG::OSRExit::emitRestoreArguments):
2149         (JSC::DFG::OSRExit::compileOSRExit):
2150         (JSC::DFG::OSRExit::compileExit):
2151         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2152         * dfg/DFGOSRExit.h:
2153         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2154         * dfg/DFGOSRExitCompiler.cpp: Removed.
2155         * dfg/DFGOSRExitCompiler.h: Removed.
2156         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2157         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2158         * dfg/DFGOperations.cpp:
2159         * dfg/DFGOperations.h:
2160         * dfg/DFGThunks.cpp:
2161
2162 2017-08-04  Matt Baker  <mattbaker@apple.com>
2163
2164         Web Inspector: capture async stack trace when workers/main context posts a message
2165         https://bugs.webkit.org/show_bug.cgi?id=167084
2166         <rdar://problem/30033673>
2167
2168         Reviewed by Brian Burg.
2169
2170         * inspector/agents/InspectorDebuggerAgent.h:
2171         Add `PostMessage` async call type.
2172
2173 2017-08-04  Mark Lam  <mark.lam@apple.com>
2174
2175         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2176         https://bugs.webkit.org/show_bug.cgi?id=175208
2177         <rdar://problem/33732402>
2178
2179         Reviewed by Saam Barati.
2180
2181         This will minimize the code diff and make it easier to review the patch for
2182         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2183         steps:
2184
2185         1. Do the code changes to move methods into OSRExit.
2186         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2187         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2188
2189         Splitting this refactoring into these 3 steps also makes it easier to review this
2190         patch and understand what is being changed.
2191
2192         * dfg/DFGOSRExit.h:
2193         * dfg/DFGOSRExitCompiler.cpp:
2194         (JSC::DFG::OSRExit::emitRestoreArguments):
2195         (JSC::DFG::OSRExit::compileOSRExit):
2196         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2197         (): Deleted.
2198         * dfg/DFGOSRExitCompiler.h:
2199         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2200         (): Deleted.
2201         * dfg/DFGOSRExitCompiler32_64.cpp:
2202         (JSC::DFG::OSRExit::compileExit):
2203         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2204         * dfg/DFGOSRExitCompiler64.cpp:
2205         (JSC::DFG::OSRExit::compileExit):
2206         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2207         * dfg/DFGThunks.cpp:
2208         (JSC::DFG::osrExitGenerationThunkGenerator):
2209
2210 2017-08-04  Devin Rousso  <drousso@apple.com>
2211
2212         Web Inspector: add source view for WebGL shader programs
2213         https://bugs.webkit.org/show_bug.cgi?id=138593
2214         <rdar://problem/18936194>
2215
2216         Reviewed by Matt Baker.
2217
2218         * inspector/protocol/Canvas.json:
2219          - Add `ShaderType` enum that contains "vertex" and "fragment".
2220          - Add `requestShaderSource` command that will return the original source code for a given
2221            shader program and shader type.
2222
2223 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2224
2225         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2226         https://bugs.webkit.org/show_bug.cgi?id=175141
2227
2228         Reviewed by Mark Lam.
2229         
2230         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2231         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2232         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2233         determined by the AlignedMemoryAllocator object.
2234         
2235         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2236         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2237         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2238         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2239         they use the same AlignedMemoryAllocator.
2240
2241         * CMakeLists.txt:
2242         * JavaScriptCore.xcodeproj/project.pbxproj:
2243         * heap/AlignedMemoryAllocator.cpp: Added.
2244         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2245         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2246         * heap/AlignedMemoryAllocator.h: Added.
2247         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2248         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2249         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2250         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2251         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2252         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2253         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2254         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2255         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2256         (JSC::GigacageAlignedMemoryAllocator::singleton):
2257         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2258         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2259         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2260         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2261         (JSC::GigacageAlignedMemoryAllocator::dump const):
2262         * heap/GigacageAlignedMemoryAllocator.h: Added.
2263         * heap/GigacageSubspace.cpp: Removed.
2264         * heap/GigacageSubspace.h: Removed.
2265         * heap/LargeAllocation.cpp:
2266         (JSC::LargeAllocation::tryCreate):
2267         (JSC::LargeAllocation::destroy):
2268         * heap/MarkedAllocator.cpp:
2269         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2270         * heap/MarkedBlock.cpp:
2271         (JSC::MarkedBlock::tryCreate):
2272         (JSC::MarkedBlock::Handle::Handle):
2273         (JSC::MarkedBlock::Handle::~Handle):
2274         (JSC::MarkedBlock::Handle::didAddToAllocator):
2275         (JSC::MarkedBlock::Handle::subspace const):
2276         * heap/MarkedBlock.h:
2277         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2278         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2279         * heap/Subspace.cpp:
2280         (JSC::Subspace::Subspace):
2281         (JSC::Subspace::findEmptyBlockToSteal):
2282         (JSC::Subspace::canTradeBlocksWith): Deleted.
2283         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2284         (JSC::Subspace::freeAlignedMemory): Deleted.
2285         * heap/Subspace.h:
2286         (JSC::Subspace::name const):
2287         (JSC::Subspace::alignedMemoryAllocator const):
2288         * runtime/JSDestructibleObjectSubspace.cpp:
2289         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2290         * runtime/JSDestructibleObjectSubspace.h:
2291         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2292         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2293         * runtime/JSSegmentedVariableObjectSubspace.h:
2294         * runtime/JSStringSubspace.cpp:
2295         (JSC::JSStringSubspace::JSStringSubspace):
2296         * runtime/JSStringSubspace.h:
2297         * runtime/VM.cpp:
2298         (JSC::VM::VM):
2299         * runtime/VM.h:
2300         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2301         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2302         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2303
2304 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2305
2306         [ESNext] Async iteration - update feature.json
2307         https://bugs.webkit.org/show_bug.cgi?id=175197
2308
2309         Reviewed by Yusuke Suzuki.
2310
2311         Update feature.json to add the status of Async Iteration
2312
2313         * features.json:
2314
2315 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2316
2317         Unreviewed, rolling out r220271.
2318
2319         Rolling out due to Layout Test failing on iOS Simulator.
2320
2321         Reverted changeset:
2322
2323         "Remove STREAMS_API compilation guard"
2324         https://bugs.webkit.org/show_bug.cgi?id=175165
2325         http://trac.webkit.org/changeset/220271
2326
2327 2017-08-04  Youenn Fablet  <youenn@apple.com>
2328
2329         Remove STREAMS_API compilation guard
2330         https://bugs.webkit.org/show_bug.cgi?id=175165
2331
2332         Reviewed by Darin Adler.
2333
2334         * Configurations/FeatureDefines.xcconfig:
2335
2336 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2337
2338         [EsNext] Async iteration - Add feature flag
2339         https://bugs.webkit.org/show_bug.cgi?id=166694
2340
2341         Reviewed by Yusuke Suzuki.
2342
2343         Add a feature flag to JSC to switch Async Iterator on/off
2344
2345         * runtime/Options.h:
2346
2347 2017-08-03  Brian Burg  <bburg@apple.com>
2348
2349         Remove ENABLE(WEB_SOCKET) guards
2350         https://bugs.webkit.org/show_bug.cgi?id=167044
2351
2352         Reviewed by Joseph Pecoraro.
2353
2354         * Configurations/FeatureDefines.xcconfig:
2355
2356 2017-08-03  Youenn Fablet  <youenn@apple.com>
2357
2358         Remove FETCH_API compilation guard
2359         https://bugs.webkit.org/show_bug.cgi?id=175154
2360
2361         Reviewed by Chris Dumez.
2362
2363         * Configurations/FeatureDefines.xcconfig:
2364
2365 2017-08-03  Matt Baker  <mattbaker@apple.com>
2366
2367         Web Inspector: Instrument WebGLProgram created/deleted
2368         https://bugs.webkit.org/show_bug.cgi?id=175059
2369
2370         Reviewed by Devin Rousso.
2371
2372         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2373
2374         * inspector/protocol/Canvas.json:
2375
2376 2017-08-03  Brady Eidson  <beidson@apple.com>
2377
2378         Add SW IDLs and stub out basic functionality.
2379         https://bugs.webkit.org/show_bug.cgi?id=175115
2380
2381         Reviewed by Chris Dumez.
2382
2383         * Configurations/FeatureDefines.xcconfig:
2384
2385         * runtime/CommonIdentifiers.h:
2386
2387 2017-08-03  Mark Lam  <mark.lam@apple.com>
2388
2389         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2390         https://bugs.webkit.org/show_bug.cgi?id=175142
2391         <rdar://problem/33704528>
2392
2393         Reviewed by Filip Pizlo.
2394
2395         The convention in the rest of JSC for such methods which return the address of
2396         a field is to name them "addressOf<field name>".  We'll rename
2397         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2398
2399         * dfg/DFGSpeculativeJIT.cpp:
2400         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2401         * dfg/DFGSpeculativeJIT32_64.cpp:
2402         (JSC::DFG::SpeculativeJIT::compile):
2403         * dfg/DFGSpeculativeJIT64.cpp:
2404         (JSC::DFG::SpeculativeJIT::compile):
2405         * dfg/DFGThunks.cpp:
2406         (JSC::DFG::osrExitGenerationThunkGenerator):
2407         * ftl/FTLLowerDFGToB3.cpp:
2408         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2409         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2410         * ftl/FTLThunks.cpp:
2411         (JSC::FTL::genericGenerationThunkGenerator):
2412         * jit/AssemblyHelpers.cpp:
2413         (JSC::AssemblyHelpers::debugCall):
2414         * jit/ScratchRegisterAllocator.cpp:
2415         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2416         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2417         * runtime/VM.h:
2418         (JSC::ScratchBuffer::addressOfActiveLength):
2419         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2420         * wasm/WasmBinding.cpp:
2421         (JSC::Wasm::wasmToJs):
2422
2423 2017-08-02  Devin Rousso  <drousso@apple.com>
2424
2425         Web Inspector: add stack trace information for each RecordingAction
2426         https://bugs.webkit.org/show_bug.cgi?id=174663
2427
2428         Reviewed by Joseph Pecoraro.
2429
2430         * inspector/ScriptCallFrame.h:
2431         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2432         with an existing value doesn't require a functor and can use existing code.
2433
2434         * interpreter/StackVisitor.h:
2435         * interpreter/StackVisitor.cpp:
2436         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2437
2438 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2439
2440         Merge WTFThreadData to Thread::current
2441         https://bugs.webkit.org/show_bug.cgi?id=174716
2442
2443         Reviewed by Mark Lam.
2444
2445         Use Thread::current() instead.
2446
2447         * API/JSContext.mm:
2448         (+[JSContext currentContext]):
2449         (+[JSContext currentThis]):
2450         (+[JSContext currentCallee]):
2451         (+[JSContext currentArguments]):
2452         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2453         (-[JSContext endCallbackWithData:]):
2454         * heap/Heap.cpp:
2455         (JSC::Heap::requestCollection):
2456         * runtime/Completion.cpp:
2457         (JSC::checkSyntax):
2458         (JSC::checkModuleSyntax):
2459         (JSC::evaluate):
2460         (JSC::loadAndEvaluateModule):
2461         (JSC::loadModule):
2462         (JSC::linkAndEvaluateModule):
2463         (JSC::importModule):
2464         * runtime/Identifier.cpp:
2465         (JSC::Identifier::checkCurrentAtomicStringTable):
2466         * runtime/InitializeThreading.cpp:
2467         (JSC::initializeThreading):
2468         * runtime/JSLock.cpp:
2469         (JSC::JSLock::didAcquireLock):
2470         (JSC::JSLock::willReleaseLock):
2471         (JSC::JSLock::dropAllLocks):
2472         (JSC::JSLock::grabAllLocks):
2473         * runtime/JSLock.h:
2474         * runtime/VM.cpp:
2475         (JSC::VM::VM):
2476         (JSC::VM::updateStackLimits):
2477         (JSC::VM::committedStackByteCount):
2478         * runtime/VM.h:
2479         (JSC::VM::isSafeToRecurse const):
2480         * runtime/VMEntryScope.cpp:
2481         (JSC::VMEntryScope::VMEntryScope):
2482         * runtime/VMInlines.h:
2483         (JSC::VM::ensureStackCapacityFor):
2484         * yarr/YarrPattern.cpp:
2485         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2486
2487 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2488
2489         LLInt should do pointer caging
2490         https://bugs.webkit.org/show_bug.cgi?id=175036
2491
2492         Reviewed by Keith Miller.
2493
2494         Implementing this in the LLInt was challenging because offlineasm did not previously know
2495         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2496         to be where the Gigacage is enabled right now.
2497
2498         * llint/LLIntOfflineAsmConfig.h:
2499         * llint/LowLevelInterpreter64.asm:
2500         * offlineasm/ast.rb:
2501         * offlineasm/x86.rb:
2502
2503 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2504
2505         Sweeping should only scribble when sweeping to free list
2506         https://bugs.webkit.org/show_bug.cgi?id=175105
2507
2508         Reviewed by Saam Barati.
2509         
2510         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2511         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2512         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2513         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2514         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2515         when it doesn't matter anyway because we're building a free list.
2516         
2517         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2518         zap.
2519
2520         * heap/MarkedBlockInlines.h:
2521         (JSC::MarkedBlock::Handle::specializedSweep):
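As an added illustration (not JSC code), the following toy model reproduces the interaction this entry describes: a sweeper that scribbles in SweepOnly mode turns the zap word (0) into 0xbadbeef0, so a later destructor pass trusts a header word that is no longer valid, whereas scribbling only when building a free list leaves the zap intact. The Cell layout, the ClassInfo stand-in and all function names are this example's own assumptions.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Header word states, as constructed for this model (values taken from the entry above).
constexpr uintptr_t kZapWord = 0;               // dead and already destructed
constexpr uintptr_t kScribbleWord = 0xbadbeef0; // poison pattern written into free cells

struct ClassInfo { int destructorCalls = 0; };

struct Cell {
    uintptr_t header;   // kZapWord, or the address of the cell's ClassInfo
    bool marked;        // survived the last marking phase
    bool onFreeList;    // already handed to the allocator by SweepToFreeList
};

enum class SweepMode { SweepOnly, SweepToFreeList };
enum class ScribblePolicy { Always, OnlyWhenBuildingFreeList }; // buggy vs. fixed behaviour

struct SweepResult {
    int destructorCalls = 0;
    int badHeaderDerefs = 0; // header that was neither the zap word nor a known ClassInfo*
};

// Sweep the dead cells of `block`. badHeaderDerefs counts how often the sweeper would
// have called a destructor through a header that is not a valid ClassInfo pointer; in
// the real engine that is the crash the entry describes.
SweepResult sweep(std::vector<Cell>& block, SweepMode mode, ScribblePolicy policy, ClassInfo* known)
{
    SweepResult result;
    for (Cell& cell : block) {
        if (cell.marked || cell.onFreeList)
            continue;
        if (cell.header != kZapWord) {
            // Destruction path: the sweeper trusts the header to be a ClassInfo*.
            if (cell.header == reinterpret_cast<uintptr_t>(known)) {
                known->destructorCalls++;
                result.destructorCalls++;
            } else
                result.badHeaderDerefs++;
            cell.header = kZapWord; // zap: record that destruction already happened
        }
        bool scribble = policy == ScribblePolicy::Always || mode == SweepMode::SweepToFreeList;
        if (scribble)
            cell.header = kScribbleWord; // overwrites the zap word
        if (mode == SweepMode::SweepToFreeList)
            cell.onFreeList = true;
    }
    return result;
}

static std::vector<Cell> deadBlock(ClassInfo& info)
{
    // Four dead (unmarked) cells whose headers still point at their ClassInfo.
    return std::vector<Cell>(4, Cell{ reinterpret_cast<uintptr_t>(&info), false, false });
}

static SweepResult combine(SweepResult a, SweepResult b)
{
    return SweepResult{ a.destructorCalls + b.destructorCalls, a.badHeaderDerefs + b.badHeaderDerefs };
}

// Scenario 1: a block is swept twice in SweepOnly mode before any allocation happens.
// With ScribblePolicy::Always the second pass finds 0xbadbeef0 where it expects 0.
SweepResult sweepTwiceSweepOnly(ScribblePolicy policy)
{
    ClassInfo info;
    std::vector<Cell> block = deadBlock(info);
    SweepResult first = sweep(block, SweepMode::SweepOnly, policy, &info);
    SweepResult second = sweep(block, SweepMode::SweepOnly, policy, &info);
    return combine(first, second);
}

// Scenario 2: SweepToFreeList first. Here scribbling is harmless under either policy,
// because the cell now belongs to the allocator and its header is no longer interpreted.
SweepResult sweepToFreeListThenSweepAgain(ScribblePolicy policy)
{
    ClassInfo info;
    std::vector<Cell> block = deadBlock(info);
    SweepResult first = sweep(block, SweepMode::SweepToFreeList, policy, &info);
    SweepResult second = sweep(block, SweepMode::SweepOnly, policy, &info);
    return combine(first, second);
}

int main()
{
    SweepResult buggy = sweepTwiceSweepOnly(ScribblePolicy::Always);
    SweepResult fixed = sweepTwiceSweepOnly(ScribblePolicy::OnlyWhenBuildingFreeList);
    std::printf("scribble always:        destructors=%d bad derefs=%d\n", buggy.destructorCalls, buggy.badHeaderDerefs);
    std::printf("scribble on free-list:  destructors=%d bad derefs=%d\n", fixed.destructorCalls, fixed.badHeaderDerefs);
    return 0;
}
```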
2522
2523 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2524
2525         All C++ accesses to JSObject::m_butterfly should do caging
2526         https://bugs.webkit.org/show_bug.cgi?id=175039
2527
2528         Reviewed by Keith Miller.
2529         
2530         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2531         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2532         outside the gigacage.
2533
2534         * runtime/JSArray.cpp:
2535         (JSC::JSArray::setLength):
2536         (JSC::JSArray::pop):
2537         (JSC::JSArray::push):
2538         (JSC::JSArray::shiftCountWithAnyIndexingType):
2539         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2540         (JSC::JSArray::fillArgList):
2541         (JSC::JSArray::copyToArguments):
2542         * runtime/JSObject.cpp:
2543         (JSC::JSObject::heapSnapshot):
2544         (JSC::JSObject::createInitialIndexedStorage):
2545         (JSC::JSObject::createArrayStorage):
2546         (JSC::JSObject::convertUndecidedToInt32):
2547         (JSC::JSObject::convertUndecidedToDouble):
2548         (JSC::JSObject::convertUndecidedToContiguous):
2549         (JSC::JSObject::convertInt32ToDouble):
2550         (JSC::JSObject::convertInt32ToArrayStorage):
2551         (JSC::JSObject::convertDoubleToContiguous):
2552         (JSC::JSObject::convertDoubleToArrayStorage):
2553         (JSC::JSObject::convertContiguousToArrayStorage):
2554         (JSC::JSObject::defineOwnIndexedProperty):
2555         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2556         (JSC::JSObject::ensureLengthSlow):
2557         (JSC::JSObject::allocateMoreOutOfLineStorage):
2558         * runtime/JSObject.h:
2559         (JSC::JSObject::canGetIndexQuickly):
2560         (JSC::JSObject::getIndexQuickly):
2561         (JSC::JSObject::tryGetIndexQuickly const):
2562         (JSC::JSObject::canSetIndexQuickly):
2563         (JSC::JSObject::setIndexQuickly):
2564         (JSC::JSObject::initializeIndex):
2565         (JSC::JSObject::initializeIndexWithoutBarrier):
2566         (JSC::JSObject::butterfly const):
2567         (JSC::JSObject::butterfly):
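As an added example (not JSC's Gigacage or CagedPtr implementation), this toy shows the masking step the entry relies on, which the "Bmalloc and GC should put auxiliaries ... in a gigacage" entry further down describes: a stored pointer is masked into a fixed power-of-two region on every access, so a butterfly pointer rewired to point elsewhere can never resolve outside that region. Cage, CagedObject, Butterfly's layout and the 4 KiB region are assumptions of this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <new>

// Toy cage, constructed for this example: one region whose size is a power of two
// and whose base is aligned to that size (the real Gigacage is a multi-GB VM region).
constexpr uintptr_t kCageSize = 4096;
alignas(kCageSize) static unsigned char g_cageRegion[kCageSize];

struct Cage {
    uintptr_t base;
    uintptr_t size; // power of two; base is a multiple of it

    // The caging step: keep only the offset bits of `raw` and re-attach the cage base,
    // so the result always lies in [base, base + size) whatever `raw` held.
    uintptr_t cagedAddress(uintptr_t raw) const { return base + (raw & (size - 1)); }
    bool contains(uintptr_t p) const { return p >= base && p < base + size; }
};

inline Cage theCage() { return Cage{ reinterpret_cast<uintptr_t>(g_cageRegion), kCageSize }; }

// Stand-in for JSC's Butterfly: an object's out-of-line property storage.
struct Butterfly {
    uint64_t slots[4];
};

// Caged field: the stored value is masked into the cage on every access. An uncaged
// field would dereference the stored value as-is, letting a corrupted pointer reach
// arbitrary memory; a caged one can at worst reach another location inside the cage.
struct CagedObject {
    uintptr_t rawButterfly; // never trusted directly
    Butterfly* butterfly(const Cage& cage) const
    {
        return reinterpret_cast<Butterfly*>(cage.cagedAddress(rawButterfly));
    }
};

// A pointer that is already inside the cage is left unchanged by caging.
bool inCagePointerIsUnchanged()
{
    Cage cage = theCage();
    uintptr_t inside = cage.base + 256;
    return cage.cagedAddress(inside) == inside;
}

// Any other value (e.g. a butterfly pointer rewired to outside the cage) is forced
// back inside; only its low offset bits survive.
bool rewiredPointerIsCaged(uintptr_t rewired)
{
    Cage cage = theCage();
    CagedObject object{ rewired };
    uintptr_t resolved = reinterpret_cast<uintptr_t>(object.butterfly(cage));
    return cage.contains(resolved) && (resolved & (cage.size - 1)) == (rewired & (cage.size - 1));
}

// Legitimate use: a butterfly placed inside the cage reads back correctly through the
// caged accessor, so caging costs nothing for well-formed pointers.
uint64_t readThroughCagedPointer(uint64_t value)
{
    Cage cage = theCage();
    Butterfly* real = new (g_cageRegion + 64) Butterfly{}; // constructed inside the cage
    real->slots[0] = value;
    CagedObject object{ reinterpret_cast<uintptr_t>(real) };
    return object.butterfly(cage)->slots[0];
}

int main()
{
    Cage cage = theCage();
    uintptr_t rewired = 0x7fff12345678; // constructed out-of-cage value
    std::printf("cage: [%#lx, %#lx)\n", (unsigned long)cage.base, (unsigned long)(cage.base + cage.size));
    std::printf("rewired %#lx -> caged %#lx\n", (unsigned long)rewired, (unsigned long)cage.cagedAddress(rewired));
    std::printf("in-cage unchanged: %d, rewired caged: %d, read back: %llu\n",
        inCagePointerIsUnchanged(), rewiredPointerIsCaged(rewired),
        (unsigned long long)readThroughCagedPointer(42));
    return 0;
}
```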
2568
2569 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2570
2571         We should be OK with the gigacage being disabled on gmalloc
2572         https://bugs.webkit.org/show_bug.cgi?id=175082
2573
2574         Reviewed by Michael Saboff.
2575
2576         * jsc.cpp:
2577         (jscmain):
2578
2579 2017-08-02  Saam Barati  <sbarati@apple.com>
2580
2581         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2582         https://bugs.webkit.org/show_bug.cgi?id=175041
2583         <rdar://problem/33659370>
2584
2585         Reviewed by Filip Pizlo.
2586
2587         The testing I have done shows that this new function is a ~10%
2588         progression running JetStream on 1GB iOS devices. I've also tried
2589         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2590         or a regression. Right now, we'll just enable this for <= 1GB devices
2591         since it's a win. In the future, we might want to either look into
2592         tweaking these parameters or coming up with a new function for > 1GB
2593         devices.
2594
2595         * heap/Heap.cpp:
2596         * runtime/Options.h:
2597
2598 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2599
2600         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2601         https://bugs.webkit.org/show_bug.cgi?id=174727
2602
2603         Reviewed by Mark Lam.
2604         
2605         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2606         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2607         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2608         
2609         This is neutral on JetStream.
2610
2611         * CMakeLists.txt:
2612         * JavaScriptCore.xcodeproj/project.pbxproj:
2613         * b3/B3InsertionSet.cpp:
2614         (JSC::B3::InsertionSet::execute):
2615         * dfg/DFGAbstractInterpreterInlines.h:
2616         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2617         * dfg/DFGArgumentsEliminationPhase.cpp:
2618         * dfg/DFGClobberize.cpp:
2619         (JSC::DFG::readsOverlap):
2620         * dfg/DFGClobberize.h:
2621         (JSC::DFG::clobberize):
2622         * dfg/DFGDoesGC.cpp:
2623         (JSC::DFG::doesGC):
2624         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2625         (JSC::DFG::performFixedButterflyAccessUncaging):
2626         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2627         * dfg/DFGFixupPhase.cpp:
2628         (JSC::DFG::FixupPhase::fixupNode):
2629         * dfg/DFGHeapLocation.cpp:
2630         (WTF::printInternal):
2631         * dfg/DFGHeapLocation.h:
2632         * dfg/DFGNodeType.h:
2633         * dfg/DFGPlan.cpp:
2634         (JSC::DFG::Plan::compileInThreadImpl):
2635         * dfg/DFGPredictionPropagationPhase.cpp:
2636         * dfg/DFGSafeToExecute.h:
2637         (JSC::DFG::safeToExecute):
2638         * dfg/DFGSpeculativeJIT.cpp:
2639         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2640         * dfg/DFGSpeculativeJIT32_64.cpp:
2641         (JSC::DFG::SpeculativeJIT::compile):
2642         * dfg/DFGSpeculativeJIT64.cpp:
2643         (JSC::DFG::SpeculativeJIT::compile):
2644         * dfg/DFGTypeCheckHoistingPhase.cpp:
2645         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2646         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2647         * ftl/FTLCapabilities.cpp:
2648         (JSC::FTL::canCompile):
2649         * ftl/FTLLowerDFGToB3.cpp:
2650         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2651         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2652         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2653         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2654         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2655         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2656         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2657         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2658         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2659         (JSC::FTL::DFG::LowerDFGToB3::caged):
2660         * heap/GigacageSubspace.cpp: Added.
2661         (JSC::GigacageSubspace::GigacageSubspace):
2662         (JSC::GigacageSubspace::~GigacageSubspace):
2663         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2664         (JSC::GigacageSubspace::freeAlignedMemory):
2665         (JSC::GigacageSubspace::canTradeBlocksWith):
2666         * heap/GigacageSubspace.h: Added.
2667         * heap/Heap.cpp:
2668         (JSC::Heap::Heap):
2669         (JSC::Heap::lastChanceToFinalize):
2670         (JSC::Heap::finalize):
2671         (JSC::Heap::sweepInFinalize):
2672         (JSC::Heap::updateAllocationLimits):
2673         (JSC::Heap::shouldDoFullCollection):
2674         (JSC::Heap::collectIfNecessaryOrDefer):
2675         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2676         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2677         (JSC::Heap::sweepLargeAllocations): Deleted.
2678         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2679         * heap/Heap.h:
2680         * heap/LargeAllocation.cpp:
2681         (JSC::LargeAllocation::tryCreate):
2682         (JSC::LargeAllocation::destroy):
2683         * heap/MarkedAllocator.cpp:
2684         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2685         (JSC::MarkedAllocator::tryAllocateBlock):
2686         * heap/MarkedBlock.cpp:
2687         (JSC::MarkedBlock::tryCreate):
2688         (JSC::MarkedBlock::Handle::Handle):
2689         (JSC::MarkedBlock::Handle::~Handle):
2690         (JSC::MarkedBlock::Handle::didAddToAllocator):
2691         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2692         * heap/MarkedBlock.h:
2693         (JSC::MarkedBlock::Handle::subspace const):
2694         * heap/MarkedSpace.cpp:
2695         (JSC::MarkedSpace::~MarkedSpace):
2696         (JSC::MarkedSpace::freeMemory):
2697         (JSC::MarkedSpace::prepareForAllocation):
2698         (JSC::MarkedSpace::addMarkedAllocator):
2699         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2700         * heap/MarkedSpace.h:
2701         (JSC::MarkedSpace::firstAllocator const):
2702         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2703         * heap/Subspace.cpp:
2704         (JSC::Subspace::Subspace):
2705         (JSC::Subspace::canTradeBlocksWith):
2706         (JSC::Subspace::tryAllocateAlignedMemory):
2707         (JSC::Subspace::freeAlignedMemory):
2708         (JSC::Subspace::prepareForAllocation):
2709         (JSC::Subspace::findEmptyBlockToSteal):
2710         * heap/Subspace.h:
2711         (JSC::Subspace::didCreateFirstAllocator):
2712         * heap/SubspaceInlines.h:
2713         (JSC::Subspace::forEachAllocator):
2714         (JSC::Subspace::forEachMarkedBlock):
2715         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2716         * jit/JITPropertyAccess.cpp:
2717         (JSC::JIT::emitDoubleLoad):
2718         (JSC::JIT::emitContiguousLoad):
2719         (JSC::JIT::emitArrayStorageLoad):
2720         (JSC::JIT::emitGenericContiguousPutByVal):
2721         (JSC::JIT::emitArrayStoragePutByVal):
2722         (JSC::JIT::emit_op_get_from_scope):
2723         (JSC::JIT::emit_op_put_to_scope):
2724         (JSC::JIT::emitIntTypedArrayGetByVal):
2725         (JSC::JIT::emitFloatTypedArrayGetByVal):
2726         (JSC::JIT::emitIntTypedArrayPutByVal):
2727         (JSC::JIT::emitFloatTypedArrayPutByVal):
2728         * jsc.cpp:
2729         (fillBufferWithContentsOfFile):
2730         (functionReadFile):
2731         (gigacageDisabled):
2732         (jscmain):
2733         * llint/LowLevelInterpreter64.asm:
2734         * runtime/ArrayBuffer.cpp:
2735         (JSC::ArrayBufferContents::tryAllocate):
2736         (JSC::ArrayBuffer::createAdopted):
2737         (JSC::ArrayBuffer::createFromBytes):
2738         (JSC::ArrayBuffer::tryCreate):
2739         * runtime/IndexingHeader.h:
2740         * runtime/InitializeThreading.cpp:
2741         (JSC::initializeThreading):
2742         * runtime/JSArrayBuffer.cpp:
2743         * runtime/JSArrayBufferView.cpp:
2744         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2745         (JSC::JSArrayBufferView::finalize):
2746         * runtime/JSLock.cpp:
2747         (JSC::JSLock::didAcquireLock):
2748         * runtime/JSObject.h:
2749         * runtime/Options.cpp:
2750         (JSC::recomputeDependentOptions):
2751         * runtime/Options.h:
2752         * runtime/ScopedArgumentsTable.h:
2753         * runtime/VM.cpp:
2754         (JSC::VM::VM):
2755         (JSC::VM::~VM):
2756         (JSC::VM::gigacageDisabledCallback):
2757         (JSC::VM::gigacageDisabled):
2758         * runtime/VM.h:
2759         (JSC::VM::fireGigacageEnabledIfNecessary):
2760         (JSC::VM::gigacageEnabled):
2761         * wasm/WasmB3IRGenerator.cpp:
2762         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2763         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2764         * wasm/WasmCodeBlock.cpp:
2765         (JSC::Wasm::CodeBlock::isSafeToRun):
2766         * wasm/WasmMemory.cpp:
2767         (JSC::Wasm::makeString):
2768         (JSC::Wasm::Memory::create):
2769         (JSC::Wasm::Memory::~Memory):
2770         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2771         (JSC::Wasm::Memory::grow):
2772         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2773         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2774         * wasm/WasmMemory.h:
2775         * wasm/js/JSWebAssemblyInstance.cpp:
2776         (JSC::JSWebAssemblyInstance::create):
2777         * wasm/js/JSWebAssemblyMemory.cpp:
2778         (JSC::JSWebAssemblyMemory::grow):
2779         (JSC::JSWebAssemblyMemory::finishCreation):
2780         * wasm/js/JSWebAssemblyMemory.h:
2781         (JSC::JSWebAssemblyMemory::subspaceFor):
2782
2783 2017-07-31  Mark Lam  <mark.lam@apple.com>
2784
2785         Added some UNLIKELYs to operationOptimize().
2786         https://bugs.webkit.org/show_bug.cgi?id=174976
2787
2788         Reviewed by JF Bastien.
2789
2790         * jit/JITOperations.cpp:
2791
2792 2017-07-31  Keith Miller  <keith_miller@apple.com>
2793
2794         Make more things LLInt constexprs
2795         https://bugs.webkit.org/show_bug.cgi?id=174994
2796
2797         Reviewed by Saam Barati.
2798
2799         This patch makes more of the LLInt's const values constexprs.
2800         It also deletes all of the no longer necessary static_asserts in
2801         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2802
2803         * interpreter/ShadowChicken.h:
2804         (JSC::ShadowChicken::Packet::tailMarker):
2805         * llint/LLIntData.cpp:
2806         (JSC::LLInt::Data::performAssertions):
2807         * llint/LowLevelInterpreter.asm:
2808         * offlineasm/generate_offset_extractor.rb:
2809         * offlineasm/parser.rb:
2810
2811 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2812
2813         Unreviewed, rolling out r220060.
2814
2815         This broke our internal builds. Contact reviewer of patch for
2816         more information.
2817
2818         Reverted changeset:
2819
2820         "Merge WTFThreadData to Thread::current"
2821         https://bugs.webkit.org/show_bug.cgi?id=174716
2822         http://trac.webkit.org/changeset/220060
2823
2824 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2825
2826         [JSC] Support optional catch binding
2827         https://bugs.webkit.org/show_bug.cgi?id=174981
2828
2829         Reviewed by Saam Barati.
2830
2831         This patch implements optional catch binding proposal[1], which is now stage 3.
2832         This proposal adds a new `catch` brace with no error value binding.
2833
2834             ```
2835                 try {
2836                     ...
2837                 } catch {
2838                     ...
2839                 }
2840             ```
2841
        Sometimes we do not actually need to get the error value. For example, the function returns
        a boolean which indicates whether the function succeeds.
2844
2845             ```
2846             function parse(result) // -> bool
2847             {
2848                  try {
2849                      parseInner(result);
2850                  } catch {
2851                      return false;
2852                  }
2853                  return true;
2854             }
2855             ```
2856
2857         In the above case, we are not interested in the actual error value. Without this syntax,
2858         we always need to introduce a binding for an error value that is just ignored.
2859
2860         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2861
2862         * bytecompiler/NodesCodegen.cpp:
2863         (JSC::TryNode::emitBytecode):
2864         * parser/Parser.cpp:
2865         (JSC::Parser<LexerType>::parseTryStatement):
2866
2867 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2868
2869         Merge WTFThreadData to Thread::current
2870         https://bugs.webkit.org/show_bug.cgi?id=174716
2871
2872         Reviewed by Sam Weinig.
2873
2874         Use Thread::current() instead.
2875
2876         * API/JSContext.mm:
2877         (+[JSContext currentContext]):
2878         (+[JSContext currentThis]):
2879         (+[JSContext currentCallee]):
2880         (+[JSContext currentArguments]):
2881         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2882         (-[JSContext endCallbackWithData:]):
2883         * heap/Heap.cpp:
2884         (JSC::Heap::requestCollection):
2885         * runtime/Completion.cpp:
2886         (JSC::checkSyntax):
2887         (JSC::checkModuleSyntax):
2888         (JSC::evaluate):
2889         (JSC::loadAndEvaluateModule):
2890         (JSC::loadModule):
2891         (JSC::linkAndEvaluateModule):
2892         (JSC::importModule):
2893         * runtime/Identifier.cpp:
2894         (JSC::Identifier::checkCurrentAtomicStringTable):
2895         * runtime/InitializeThreading.cpp:
2896         (JSC::initializeThreading):
2897         * runtime/JSLock.cpp:
2898         (JSC::JSLock::didAcquireLock):
2899         (JSC::JSLock::willReleaseLock):
2900         (JSC::JSLock::dropAllLocks):
2901         (JSC::JSLock::grabAllLocks):
2902         * runtime/JSLock.h:
2903         * runtime/VM.cpp:
2904         (JSC::VM::VM):
2905         (JSC::VM::updateStackLimits):
2906         (JSC::VM::committedStackByteCount):
2907         * runtime/VM.h:
2908         (JSC::VM::isSafeToRecurse const):
2909         * runtime/VMEntryScope.cpp:
2910         (JSC::VMEntryScope::VMEntryScope):
2911         * runtime/VMInlines.h:
2912         (JSC::VM::ensureStackCapacityFor):
2913         * yarr/YarrPattern.cpp:
2914         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2915
2916 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2917
2918         [WTF] Introduce Private Symbols
2919         https://bugs.webkit.org/show_bug.cgi?id=174935
2920
2921         Reviewed by Darin Adler.
2922
2923         Use SymbolImpl::isPrivate().
2924
2925         * builtins/BuiltinNames.cpp:
2926         * builtins/BuiltinNames.h:
2927         (JSC::BuiltinNames::isPrivateName): Deleted.
2928         * builtins/BuiltinUtils.h:
2929         * bytecode/BytecodeIntrinsicRegistry.cpp:
2930         (JSC::BytecodeIntrinsicRegistry::lookup):
2931         * runtime/CommonIdentifiers.cpp:
2932         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2933         * runtime/CommonIdentifiers.h:
2934         * runtime/ExceptionHelpers.cpp:
2935         (JSC::createUndefinedVariableError):
2936         * runtime/Identifier.h:
2937         (JSC::Identifier::isPrivateName):
2938         * runtime/IdentifierInlines.h:
2939         (JSC::identifierToSafePublicJSValue):
2940         * runtime/ObjectConstructor.cpp:
2941         (JSC::objectConstructorAssign):
2942         (JSC::defineProperties):
2943         (JSC::setIntegrityLevel):
2944         (JSC::testIntegrityLevel):
2945         (JSC::ownPropertyKeys):
2946         * runtime/PrivateName.h:
2947         (JSC::PrivateName::PrivateName):
2948         * runtime/PropertyName.h:
2949         (JSC::PropertyName::isPrivateName):
2950         * runtime/ProxyObject.cpp:
2951         (JSC::performProxyGet):
2952         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2953         (JSC::ProxyObject::performHasProperty):
2954         (JSC::ProxyObject::performPut):
2955         (JSC::ProxyObject::performDelete):
2956         (JSC::ProxyObject::performDefineOwnProperty):
2957
2958 2017-07-29  Keith Miller  <keith_miller@apple.com>
2959
2960         LLInt offsets extractor should be able to handle C++ constexprs
2961         https://bugs.webkit.org/show_bug.cgi?id=174964
2962
2963         Reviewed by Saam Barati.
2964
2965         This patch adds new syntax to the offline asm language. The new keyword,
2966         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
        expression. Additionally, if the value is not an identifier you can wrap it in
        parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
        which will get converted into:
2970         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
2971
2972         This patch also changes the data format the LLIntOffsetsExtractor
2973         binary produces.  Previously, it would produce unsigned values,
2974         after this patch every value is an int64_t.  Using an int64_t is
2975         useful because it means that we can represent any constant needed.
        int32_t masks are sign extended, then passed and converted to a
        negative literal string in the assembler so they will be the constant
        expected.
2979
2980         * llint/LLIntOffsetsExtractor.cpp:
2981         (JSC::LLIntOffsetsExtractor::dummy):
2982         * llint/LowLevelInterpreter.asm:
2983         * llint/LowLevelInterpreter64.asm:
2984         * offlineasm/asm.rb:
2985         * offlineasm/ast.rb:
2986         * offlineasm/generate_offset_extractor.rb:
2987         * offlineasm/offsets.rb:
2988         * offlineasm/parser.rb:
2989         * offlineasm/transform.rb:
2990
2991 2017-07-28  Matt Baker  <mattbaker@apple.com>
2992
2993         Web Inspector: capture an async stack trace when web content calls addEventListener
2994         https://bugs.webkit.org/show_bug.cgi?id=174739
2995         <rdar://problem/33468197>
2996
2997         Reviewed by Brian Burg.
2998
2999         Allow debugger agents to perform custom logic when asynchronous stack
3000         trace data is cleared. For example, the PageDebuggerAgent would clear
3001         its list of registered listeners for which call stacks have been recorded.
3002
3003         * inspector/agents/InspectorDebuggerAgent.cpp:
3004         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3005         * inspector/agents/InspectorDebuggerAgent.h:
3006
3007 2017-07-28  Mark Lam  <mark.lam@apple.com>
3008
3009         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3010         https://bugs.webkit.org/show_bug.cgi?id=174948
3011         <rdar://problem/33495680>
3012
3013         Reviewed by Filip Pizlo.
3014
3015         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3016         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3017         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3018         requests to fire this watchpoint.
3019
3020         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3021         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3022         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3023
3024         But since the watchpoint hasn't been destructed yet, it still remains on the
3025         WatchpointSet and needs to guard against being fired in this state.  The fix is
3026         to simply return early if its owner StructureRareData is not live.  This has the
3027         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3028         not firing as we would expect.
3029
3030         This patch also removes some cargo cult copying of watchpoint code which
3031         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3032         used.  This patch removes these unnecessary instantiations.
3033
3034         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3035         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3036         * runtime/StructureRareData.cpp:
3037         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3038         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3039
3040 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3041
3042         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3043         https://bugs.webkit.org/show_bug.cgi?id=174900
3044
3045         Reviewed by Saam Barati.
3046
        In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
        Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
        The problem is that even the transforming phase also checks these pseudo terminals.
3050
3051             BB1
3052             1: ForceOSRExit
3053             2: CreateDirectArguments
3054
3055             BB2
3056             3: GetButterfly(@2)
3057             4: ForceOSRExit
3058
3059         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
3060
        In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
3062
3063         * dfg/DFGArgumentsEliminationPhase.cpp:
3064
3065 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3066
3067         [ES] Add support finally to Promise
3068         https://bugs.webkit.org/show_bug.cgi?id=174503
3069
3070         Reviewed by Yusuke Suzuki.
3071
        Add support for the `finally` method to Promise according to
        https://bugs.webkit.org/show_bug.cgi?id=174503
        Current spec, at stage 3:
        https://github.com/tc39/proposal-promise-finally
3076
3077         * builtins/PromisePrototype.js:
3078         (finally):
3079         (const.valueThunk):
3080         (globalPrivate.getThenFinally):
3081         (const.thrower):
3082         (globalPrivate.getCatchFinally):
3083         * runtime/JSPromisePrototype.cpp:
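
        The semantics that builtin implements, as an added plain-JavaScript sketch (not JSC's builtins/PromisePrototype.js): `finally` hands `then` a thenFinally/catchFinally pair built from the same valueThunk and thrower structure the proposal describes. The names promiseFinally and makeFinallyHandlers are this example's own.

```javascript
// Added example, not JSC's builtin: a plain-JS model of Promise.prototype.finally
// from the stage 3 proposal. makeFinallyHandlers / promiseFinally are names
// chosen for this example only.

// Build the pair of reactions that `finally` passes to `then`. Each runs
// onFinally, waits for whatever it returns, and then either passes the
// original value through (valueThunk) or rethrows the original reason (thrower).
function makeFinallyHandlers(onFinally, C = Promise) {
  if (typeof onFinally !== 'function') {
    // Non-callable onFinally goes to then() unchanged, so the original
    // value or reason flows straight through.
    return { thenFinally: onFinally, catchFinally: onFinally };
  }
  const thenFinally = (value) => {
    const result = onFinally();
    const valueThunk = () => value;
    return C.resolve(result).then(valueThunk);
  };
  const catchFinally = (reason) => {
    const result = onFinally();
    const thrower = () => { throw reason; };
    return C.resolve(result).then(thrower);
  };
  return { thenFinally, catchFinally };
}

function promiseFinally(promise, onFinally) {
  const { thenFinally, catchFinally } = makeFinallyHandlers(onFinally);
  return promise.then(thenFinally, catchFinally);
}

// Drive the three interesting cases and report what actually reached the
// caller. Returns a promise of a summary object so it can be awaited.
function demo() {
  const log = [];
  // Fulfilled input: onFinally runs, the original value is preserved.
  const fulfilled = promiseFinally(Promise.resolve('ok'), () => log.push('cleanup-1'))
    .then((v) => ({ outcome: 'fulfilled', value: v }));
  // Rejected input: onFinally runs, the original reason is rethrown.
  const rejected = promiseFinally(Promise.reject(new Error('boom')), () => log.push('cleanup-2'))
    .then(() => ({ outcome: 'fulfilled' }), (e) => ({ outcome: 'rejected', message: e.message }));
  // onFinally itself throwing replaces the original outcome with a rejection.
  const overridden = promiseFinally(Promise.resolve('ok'), () => { throw new Error('cleanup failed'); })
    .then(() => ({ outcome: 'fulfilled' }), (e) => ({ outcome: 'rejected', message: e.message }));
  return Promise.all([fulfilled, rejected, overridden]).then(([a, b, c]) => ({ a, b, c, log }));
}

demo().then((r) => console.log(JSON.stringify(r)));
```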
3084
3085 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3086
3087         Unreviewed, build fix for CLoop
3088         https://bugs.webkit.org/show_bug.cgi?id=171637
3089
3090         * domjit/DOMJITGetterSetter.h:
3091
3092 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3093
3094         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3095         https://bugs.webkit.org/show_bug.cgi?id=171637
3096
3097         Reviewed by Darin Adler.
3098
        Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
        In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.

        We introduce DOMAnnotation which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
        DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.

        In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
        the op_get_by_id_with_this case yet.
        In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.

        And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs
        the ClassInfo check.
3111
3112         * CMakeLists.txt:
3113         * JavaScriptCore.xcodeproj/project.pbxproj:
3114         * bytecode/AccessCase.cpp:
3115         (JSC::AccessCase::generateImpl):
3116         * bytecode/GetByIdStatus.cpp:
3117         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3118         * bytecode/GetByIdVariant.cpp:
3119         (JSC::GetByIdVariant::GetByIdVariant):
3120         (JSC::GetByIdVariant::operator=):
3121         (JSC::GetByIdVariant::attemptToMerge):
3122         (JSC::GetByIdVariant::dumpInContext):
3123         * bytecode/GetByIdVariant.h:
3124         (JSC::GetByIdVariant::customAccessorGetter):
3125         (JSC::GetByIdVariant::domAttribute):
3126         (JSC::GetByIdVariant::domJIT): Deleted.
3127         * bytecode/GetterSetterAccessCase.cpp:
3128         (JSC::GetterSetterAccessCase::create):
3129         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3130         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3131         * bytecode/GetterSetterAccessCase.h:
3132         (JSC::GetterSetterAccessCase::domAttribute):
3133         (JSC::GetterSetterAccessCase::customAccessor):
3134         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3135         * bytecompiler/BytecodeGenerator.cpp:
3136         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3137         * create_hash_table:
3138         * dfg/DFGAbstractInterpreterInlines.h:
3139         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3140         * dfg/DFGByteCodeParser.cpp:
3141         (JSC::DFG::blessCallDOMGetter):
3142         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3143         (JSC::DFG::ByteCodeParser::handleGetById):
3144         * dfg/DFGClobberize.h:
3145         (JSC::DFG::clobberize):
3146         * dfg/DFGFixupPhase.cpp:
3147         (JSC::DFG::FixupPhase::fixupNode):
3148         * dfg/DFGNode.h:
3149         * dfg/DFGSpeculativeJIT.cpp:
3150         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3151         * dfg/DFGSpeculativeJIT.h:
3152         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3153         * domjit/DOMJITGetterSetter.h:
3154         (JSC::DOMJIT::GetterSetter::GetterSetter):
3155         (JSC::DOMJIT::GetterSetter::getter):
3156         (JSC::DOMJIT::GetterSetter::compiler):
3157         (JSC::DOMJIT::GetterSetter::resultType):
3158         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3159         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3160         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3161         * ftl/FTLLowerDFGToB3.cpp:
3162         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3163         * jit/Repatch.cpp:
3164         (JSC::tryCacheGetByID):
3165         * jsc.cpp:
3166         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3167         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3168         (WTF::DOMJITGetter::customGetter):
3169         (WTF::DOMJITGetter::finishCreation):
3170         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3171         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3172         (WTF::DOMJITGetterComplex::customGetter):
3173         (WTF::DOMJITGetterComplex::finishCreation):
3174         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3175         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3176         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3177         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3178         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3179         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3180         * runtime/CustomGetterSetter.h:
3181         (JSC::CustomGetterSetter::create):
3182         (JSC::CustomGetterSetter::setter):
3183         (JSC::CustomGetterSetter::CustomGetterSetter):
3184         (): Deleted.
3185         * runtime/DOMAnnotation.h: Added.
3186         (JSC::operator==):
3187         (JSC::operator!=):
3188         * runtime/DOMAttributeGetterSetter.cpp: Added.
3189         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3190         (JSC::isDOMAttributeGetterSetter):
3191         * runtime/Error.cpp:
3192         (JSC::throwDOMAttributeGetterTypeError):
3193         * runtime/Error.h:
3194         (JSC::throwVMDOMAttributeGetterTypeError):
3195         * runtime/JSCustomGetterSetterFunction.cpp:
3196         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3197         * runtime/JSObject.cpp:
3198         (JSC::JSObject::putInlineSlow):
3199         (JSC::JSObject::deleteProperty):
3200         (JSC::JSObject::getOwnStaticPropertySlot):
3201         (JSC::JSObject::reifyAllStaticProperties):
3202         (JSC::JSObject::fillGetterPropertySlot):
3203         (JSC::JSObject::findPropertyHashEntry): Deleted.
3204         * runtime/JSObject.h:
3205         (JSC::JSObject::getOwnNonIndexPropertySlot):
3206         (JSC::JSObject::fillCustomGetterPropertySlot):
3207         * runtime/Lookup.cpp:
3208         (JSC::setUpStaticFunctionSlot):
3209         * runtime/Lookup.h:
3210         (JSC::HashTableValue::domJIT):
3211         (JSC::getStaticPropertySlotFromTable):
3212         (JSC::putEntry):
3213         (JSC::lookupPut):
3214         (JSC::reifyStaticProperty):
3215         (JSC::reifyStaticProperties):
        Each static property table has a new field ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
        this static property table require.
3218
3219         * runtime/ProgramExecutable.cpp:
3220         (JSC::ProgramExecutable::initializeGlobalProperties):
3221         * runtime/PropertyName.h:
3222         * runtime/PropertySlot.cpp:
3223         (JSC::PropertySlot::customGetter):
3224         (JSC::PropertySlot::customAccessorGetter):
3225         * runtime/PropertySlot.h:
3226         (JSC::PropertySlot::domAttribute):
3227         (JSC::PropertySlot::setCustom):
3228         (JSC::PropertySlot::setCacheableCustom):
3229         (JSC::PropertySlot::getValue):
3230         (JSC::PropertySlot::domJIT): Deleted.
3231         * runtime/VM.cpp:
3232         (JSC::VM::VM):
3233         * runtime/VM.h:
3234
3235 2017-07-26  Devin Rousso  <drousso@apple.com>
3236
3237         Web Inspector: create protocol for recording Canvas contexts
3238         https://bugs.webkit.org/show_bug.cgi?id=174481
3239
3240         Reviewed by Joseph Pecoraro.
3241
3242         * inspector/protocol/Canvas.json:
3243          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3244          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3245          - Add `recordingFinished` event that is fired once a recording is finished.
3246
3247         * CMakeLists.txt:
3248         * DerivedSources.make:
3249         * inspector/protocol/Recording.json: Added.
3250          - Add `Type` enum that lists the types of recordings
3251          - Add `InitialState` type that contains information about the canvas context at the
3252            beginning of the recording.
3253          - Add `Frame` type that holds a list of actions that were recorded.
3254          - Add `Recording` type as the container object of recording data.
3255
3256         * inspector/scripts/codegen/generate_js_backend_commands.py:
3257         (JSBackendCommandsGenerator.generate_domain):
3258         Create an agent for domains with no events or commands.
3259
3260         * inspector/InspectorValues.h:
3261         Make Array `get` public so that values can be retrieved if needed.
3262
3263 2017-07-26  Brian Burg  <bburg@apple.com>
3264
3265         Remove WEB_TIMING feature flag
3266         https://bugs.webkit.org/show_bug.cgi?id=174795
3267
3268         Reviewed by Alex Christensen.
3269
3270         * Configurations/FeatureDefines.xcconfig:
3271
3272 2017-07-26  Mark Lam  <mark.lam@apple.com>
3273
3274         Add the ability to change sp and pc to the ARM64 JIT probe.
3275         https://bugs.webkit.org/show_bug.cgi?id=174697
3276         <rdar://problem/33436965>
3277
3278         Reviewed by JF Bastien.
3279
3280         This patch implements the following:
3281
3282         1. The ARM64 probe now supports modifying the pc and sp.
3283
3284            However, lr is not preserved when modifying the pc because it is used as the
3285            scratch register for the indirect jump. Hence, the probe handler function
3286            may not modify both lr and pc in the same probe invocation.
3287
3288         2. Fix probe tests to use bitwise comparison when comparing double register
3289            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
3290
3291         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
3292            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
3293            instructions which require 16 byte alignment for their memory access.
3294
3295         * assembler/MacroAssemblerARM64.cpp:
3296         (JSC::arm64ProbeError):
3297         (JSC::MacroAssembler::probe):
3298         (JSC::arm64ProbeTrampoline): Deleted.
3299         * assembler/testmasm.cpp:
3300         (JSC::isSpecialGPR):
3301         (JSC::testProbeReadsArgumentRegisters):
3302         (JSC::testProbeWritesArgumentRegisters):
3303         (JSC::testProbePreservesGPRS):
3304         (JSC::testProbeModifiesStackPointer):
3305         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3306         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3307
3308 2017-07-25  JF Bastien  <jfbastien@apple.com>
3309
3310         WebAssembly: generate smaller binaries
3311         https://bugs.webkit.org/show_bug.cgi?id=174818
3312
3313         Reviewed by Filip Pizlo.
3314
3315         This patch reduces generated code size for WebAssembly in 2 ways:
3316
3317         1. Use the ZR register when storing zero on ARM64.
3318         2. Synthesize wasm context lazily.
3319
3320         This leads to a modest size reduction on both x86-64 and ARM64 for
3321         large WebAssembly games, without any performance loss on WasmBench
3322         and TitzerBench.
3323
3324         The reason this works is that these games, using Emscripten,
3325         generate 100k+ tiny functions, and our JIT allocation granule
3326         rounds all allocations up to 32 bytes. There are plenty of other
3327         simple gains to be had, I've filed a follow-up bug at
3328         webkit.org/b/174819
3329
3330         We should further avoid the per-function cost of tiering, which
3331         represents the bulk of code generated for small functions.
3332
3333         * assembler/MacroAssemblerARM64.h:
3334         (JSC::MacroAssemblerARM64::storeZero64):
3335         * assembler/MacroAssemblerX86_64.h:
3336         (JSC::MacroAssemblerX86_64::storeZero64):
3337         * b3/B3LowerToAir.cpp:
3338         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
3339         for x86 because it constrains register reuse and codegen in a way
3340         that doesn't affect ARM64 because it has a dedicated zero
3341         register.
3342         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
3343         * wasm/WasmB3IRGenerator.cpp:
3344         (JSC::Wasm::B3IRGenerator::instanceValue):
3345         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
3346         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3347         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
3348
3349 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
3350
3351         B3 should do LICM
3352         https://bugs.webkit.org/show_bug.cgi?id=174750
3353
3354         Reviewed by Keith Miller and Saam Barati.
3355         
3356         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
3357         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
3358         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
3359         change templatizes DFG::NaturalLoops so that we can just use it.
3360         
3361         The LICM phase itself is really simple. We are decently precise with our handling of everything except
3362         the relationship between control dependence and side exits.
3363         
3364         Also added a bunch of tests.
3365         
3366         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
3367         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
3368         so it doesn't hurt to have it.
3369         
        I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
        handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
        it's good to have it because LICM is one of those core compiler phases; every compiler has it
        eventually.
3374
3375         * CMakeLists.txt:
3376         * JavaScriptCore.xcodeproj/project.pbxproj:
3377         * b3/B3BackwardsCFG.h: Added.
3378         (JSC::B3::BackwardsCFG::BackwardsCFG):
3379         * b3/B3BackwardsDominators.h: Added.
3380         (JSC::B3::BackwardsDominators::BackwardsDominators):
3381         * b3/B3BasicBlock.cpp:
3382         (JSC::B3::BasicBlock::appendNonTerminal):
3383         * b3/B3Effects.h:
3384         * b3/B3EnsureLoopPreHeaders.cpp: Added.
3385         (JSC::B3::ensureLoopPreHeaders):
3386         * b3/B3EnsureLoopPreHeaders.h: Added.
3387         * b3/B3Generate.cpp:
3388         (JSC::B3::generateToAir):
3389         * b3/B3HoistLoopInvariantValues.cpp: Added.
3390         (JSC::B3::hoistLoopInvariantValues):
3391         * b3/B3HoistLoopInvariantValues.h: Added.
3392         * b3/B3NaturalLoops.h: Added.
3393         (JSC::B3::NaturalLoops::NaturalLoops):
3394         * b3/B3Procedure.cpp: