[ESNext] Async iteration - update feature.json
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - update feature.json
        https://bugs.webkit.org/show_bug.cgi?id=175197

        Reviewed by Yusuke Suzuki.

        Update feature.json to add the status of Async Iteration.

        * features.json:

2017-08-04  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r220271.

        Rolling out due to Layout Test failing on iOS Simulator.

        Reverted changeset:

        "Remove STREAMS_API compilation guard"
        https://bugs.webkit.org/show_bug.cgi?id=175165
        http://trac.webkit.org/changeset/220271

2017-08-04  Youenn Fablet  <youenn@apple.com>

        Remove STREAMS_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175165

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [EsNext] Async iteration - Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=166694

        Reviewed by Yusuke Suzuki.

        Add a feature flag to JSC to switch Async Iterator on/off.

        * runtime/Options.h:

2017-08-03  Brian Burg  <bburg@apple.com>

        Remove ENABLE(WEB_SOCKET) guards
        https://bugs.webkit.org/show_bug.cgi?id=167044

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Youenn Fablet  <youenn@apple.com>

        Remove FETCH_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175154

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument WebGLProgram created/deleted
        https://bugs.webkit.org/show_bug.cgi?id=175059

        Reviewed by Devin Rousso.

        Extend the Canvas protocol with types/events for tracking WebGLPrograms.

        * inspector/protocol/Canvas.json:

2017-08-03  Brady Eidson  <beidson@apple.com>

        Add SW IDLs and stub out basic functionality.
        https://bugs.webkit.org/show_bug.cgi?id=175115

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/CommonIdentifiers.h:

2017-08-03  Mark Lam  <mark.lam@apple.com>

        Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
        https://bugs.webkit.org/show_bug.cgi?id=175142
        <rdar://problem/33704528>

        Reviewed by Filip Pizlo.

        The convention in the rest of JSC for such methods which return the address of
        a field is to name them "addressOf<field name>".  We'll rename
        ScratchBuffer::activeLengthPtr to be consistent with this convention.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/VM.h:
        (JSC::ScratchBuffer::addressOfActiveLength):
        (JSC::ScratchBuffer::activeLengthPtr): Deleted.
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):

2017-08-02  Devin Rousso  <drousso@apple.com>

        Web Inspector: add stack trace information for each RecordingAction
        https://bugs.webkit.org/show_bug.cgi?id=174663

        Reviewed by Joseph Pecoraro.

        * inspector/ScriptCallFrame.h:
        Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
        with an existing value doesn't require a functor and can use existing code.

        * interpreter/StackVisitor.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.

2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WTFThreadData to Thread::current
        https://bugs.webkit.org/show_bug.cgi?id=174716

        Reviewed by Mark Lam.

        Use Thread::current() instead.

        * API/JSContext.mm:
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentCallee]):
        (+[JSContext currentArguments]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse const):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        LLInt should do pointer caging
        https://bugs.webkit.org/show_bug.cgi?id=175036

        Reviewed by Keith Miller.

        Implementing this in the LLInt was challenging because offlineasm did not previously know
        how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
        to be where the Gigacage is enabled right now.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/x86.rb:

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        Sweeping should only scribble when sweeping to free list
        https://bugs.webkit.org/show_bug.cgi?id=175105

        Reviewed by Saam Barati.

        I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
        can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
        zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
        didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
        path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
        when it doesn't matter anyway because we're building a free list.

        This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
        zap.

        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):

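A simplified model of the sweep described in the entry above, added here as an illustration; it is not JSC's own specializedSweep. The cell layout, the SweepMode names and the two-sweep scenario are this example's assumptions, while the zap word (0) and scribble word (0xbadbeef0) are the ones the entry names.

```cpp
#include <cstdint>
#include <vector>

// Simplified model of a MarkedBlock sweep (not JSC's specializedSweep).
// A dead cell whose destructor has run is "zapped" by writing the zap word
// over its header, and a debug option may "scribble" freed memory with a
// recognisable pattern. Invariant: a sweep must never run a destructor on a
// cell it can no longer recognise as already destructed.
constexpr uint32_t kZapWord = 0;               // header of a destructed cell (from the entry)
constexpr uint32_t kScribbleWord = 0xbadbeef0; // debug fill pattern (from the entry)

enum class SweepMode { SweepOnly, SweepToFreeList };

struct Cell {
    uint32_t header;       // kZapWord once destructed, otherwise a structure id
    bool marked;           // reachable according to the last GC mark phase
    bool needsDestruction; // has a C++ destructor to run when it dies
    bool onFreeList;       // handed to the allocator; no longer swept as dead
};

struct SweepStats {
    int destructorsRun = 0;
    int destructorsOnGarbage = 0; // destructor invoked on a scribbled cell
    int freeListCells = 0;
};

inline void runDestructor(Cell& cell, SweepStats& stats) {
    ++stats.destructorsRun;
    if (cell.header == kScribbleWord)
        ++stats.destructorsOnGarbage; // real code would dereference 0xbadbeef0 and crash
    cell.header = kZapWord;           // zap: remember that destruction already happened
}

// One sweep over the block. Old behaviour (fixed == false): scribble in every
// mode, which overwrites the zap word in SweepOnly. Fixed: scribble only when
// building a free list, where the old contents are irrelevant anyway.
inline void sweep(std::vector<Cell>& cells, SweepMode mode, bool scribble, bool fixed, SweepStats& stats) {
    const bool buildingFreeList = mode == SweepMode::SweepToFreeList;
    for (Cell& cell : cells) {
        if (cell.onFreeList || cell.marked)
            continue; // owned by the allocator, or still live
        if (cell.header != kZapWord && cell.needsDestruction)
            runDestructor(cell, stats);
        if (scribble && (buildingFreeList || !fixed))
            cell.header = kScribbleWord;
        if (buildingFreeList) {
            cell.onFreeList = true;
            ++stats.freeListCells;
        }
    }
}

// Scenario: the block is swept once in SweepOnly mode (destructors run, nothing
// is handed to the allocator) and later swept again to build a free list. With
// scribbling on, the old code turns the first sweep's zap words into scribble
// words, so the second sweep "destructs" garbage.
inline SweepStats runSweepScenario(bool fixed) {
    // Constructed block: two dead destructible cells and one live cell.
    std::vector<Cell> cells = {
        {0x1001, false, true, false},
        {0x1002, false, true, false},
        {0x1003, true,  true, false},
    };
    SweepStats stats;
    sweep(cells, SweepMode::SweepOnly, /*scribble*/ true, fixed, stats);
    sweep(cells, SweepMode::SweepToFreeList, /*scribble*/ true, fixed, stats);
    return stats;
}
```

With the old behaviour the second sweep runs two destructors on scribbled cells; with the fix the zap words survive the first sweep and no destructor is re-run.
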
2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        All C++ accesses to JSObject::m_butterfly should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175039

        Reviewed by Keith Miller.

        Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
        This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
        outside the gigacage.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        We should be OK with the gigacage being disabled on gmalloc
        https://bugs.webkit.org/show_bug.cgi?id=175082

        Reviewed by Michael Saboff.

        * jsc.cpp:
        (jscmain):

2017-08-02  Saam Barati  <sbarati@apple.com>

        On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
        https://bugs.webkit.org/show_bug.cgi?id=175041
        <rdar://problem/33659370>

        Reviewed by Filip Pizlo.

        The testing I have done shows that this new function is a ~10%
        progression running JetStream on 1GB iOS devices. I've also tried
        this on a few > 1GB iOS devices, and the testing shows this is either neutral
        or a regression. Right now, we'll just enable this for <= 1GB devices
        since it's a win. In the future, we might want to either look into
        tweaking these parameters or coming up with a new function for > 1GB
        devices.

        * heap/Heap.cpp:
        * runtime/Options.h:

2017-08-01  Filip Pizlo  <fpizlo@apple.com>

        Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
        https://bugs.webkit.org/show_bug.cgi?id=174727

        Reviewed by Mark Lam.

        This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
        one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
        themselves. Basically, we do masking to ensure that the pointer points into the gigacage.

        This is neutral on JetStream.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::execute):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::readsOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
        (JSC::DFG::performFixedButterflyAccessUncaging):
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/GigacageSubspace.cpp: Added.
        (JSC::GigacageSubspace::GigacageSubspace):
        (JSC::GigacageSubspace::~GigacageSubspace):
        (JSC::GigacageSubspace::tryAllocateAlignedMemory):
        (JSC::GigacageSubspace::freeAlignedMemory):
        (JSC::GigacageSubspace::canTradeBlocksWith):
        * heap/GigacageSubspace.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalize):
        (JSC::Heap::sweepInFinalize):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::shouldDoFullCollection):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
        (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
        (JSC::Heap::sweepLargeAllocations): Deleted.
        (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
        * heap/Heap.h:
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::destroy):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::tryAllocateBlock):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::subspace const): Deleted.
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::subspace const):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::~MarkedSpace):
        (JSC::MarkedSpace::freeMemory):
        (JSC::MarkedSpace::prepareForAllocation):
        (JSC::MarkedSpace::addMarkedAllocator):
        (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::firstAllocator const):
        (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::canTradeBlocksWith):
        (JSC::Subspace::tryAllocateAlignedMemory):
        (JSC::Subspace::freeAlignedMemory):
        (JSC::Subspace::prepareForAllocation):
        (JSC::Subspace::findEmptyBlockToSteal):
        * heap/Subspace.h:
        (JSC::Subspace::didCreateFirstAllocator):
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachAllocator):
        (JSC::Subspace::forEachMarkedBlock):
        (JSC::Subspace::forEachNotEmptyMarkedBlock):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (fillBufferWithContentsOfFile):
        (functionReadFile):
        (gigacageDisabled):
        (jscmain):
        * llint/LowLevelInterpreter64.asm:
        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::tryAllocate):
        (JSC::ArrayBuffer::createAdopted):
        (JSC::ArrayBuffer::createFromBytes):
        (JSC::ArrayBuffer::tryCreate):
        * runtime/IndexingHeader.h:
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSArrayBuffer.cpp:
        * runtime/JSArrayBufferView.cpp:
        (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
        (JSC::JSArrayBufferView::finalize):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        * runtime/JSObject.h:
        * runtime/Options.cpp:
        (JSC::recomputeDependentOptions):
        * runtime/Options.h:
        * runtime/ScopedArgumentsTable.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::~VM):
        (JSC::VM::gigacageDisabledCallback):
        (JSC::VM::gigacageDisabled):
        * runtime/VM.h:
        (JSC::VM::fireGigacageEnabledIfNecessary):
        (JSC::VM::gigacageEnabled):
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
        * wasm/WasmCodeBlock.cpp:
        (JSC::Wasm::CodeBlock::isSafeToRun):
        * wasm/WasmMemory.cpp:
        (JSC::Wasm::makeString):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::~Memory):
        (JSC::Wasm::Memory::addressIsInActiveFastMemory):
        (JSC::Wasm::Memory::grow):
        (JSC::Wasm::Memory::initializePreallocations): Deleted.
        (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
        * wasm/WasmMemory.h:
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/JSWebAssemblyMemory.cpp:
        (JSC::JSWebAssemblyMemory::grow):
        (JSC::JSWebAssemblyMemory::finishCreation):
        * wasm/js/JSWebAssemblyMemory.h:
        (JSC::JSWebAssemblyMemory::subspaceFor):

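The pointer masking described in the gigacage entry above and in the JSObject::m_butterfly caging entry before it, as an added illustration rather than JSC's Gigacage or CagedPtr<> code; the cage size, the Butterfly layout and all helper names are this example's assumptions. The cage is a power-of-two region aligned to its own size, so "caging" a pointer is one mask and one add.

```cpp
#include <cstdint>
#include <cstdlib>
#include <cstring>

// Simplified model of the "gigacage" (not JSC's code): one reserved region
// whose size is a power of two and whose base is aligned to that size, so the
// offset of any address inside it is just (address & (size - 1)).
struct Cage {
    uintptr_t base = 0;       // aligned start of the region
    uintptr_t size = 0;       // power of two
    void* backing = nullptr;  // raw allocation that `base` was carved from
};

// Reserve a cage of `size` bytes (a power of two). The real cage is reserved
// once at startup and is multiple GB; here it is a small heap block.
inline Cage makeCage(uintptr_t size) {
    Cage cage;
    cage.size = size;
    cage.backing = std::malloc(size * 2);  // over-allocate, then align up
    uintptr_t raw = reinterpret_cast<uintptr_t>(cage.backing);
    cage.base = (raw + size - 1) & ~(size - 1);
    std::memset(reinterpret_cast<void*>(cage.base), 0, size);
    return cage;
}

inline void destroyCage(Cage& cage) {
    std::free(cage.backing);
    cage = Cage();
}

inline bool cageContains(const Cage& cage, uintptr_t p) {
    return p >= cage.base && p < cage.base + cage.size;
}

// "Caging": keep only the in-cage offset bits and rebase them. A pointer that
// already points into the cage comes back unchanged; one that has been
// rewired to point outside (the case the caging entries guard against) is
// forced to an address inside the cage instead of being followed as-is.
inline uintptr_t cagePointer(const Cage& cage, uintptr_t p) {
    return cage.base + (p & (cage.size - 1));
}

// Minimal CagedPtr<T>: every dereference goes through cagePointer(), so C++
// code cannot follow the raw pointer outside the cage.
template <typename T>
class CagedPtr {
public:
    CagedPtr(const Cage* cage, T* p) : m_cage(cage), m_raw(reinterpret_cast<uintptr_t>(p)) {}
    T* get() const { return reinterpret_cast<T*>(cagePointer(*m_cage, m_raw)); }
    T* operator->() const { return get(); }
private:
    const Cage* m_cage;
    uintptr_t m_raw;
};

struct Butterfly {          // assumed layout, just enough for the demo
    uint32_t publicLength;
    uint32_t vectorLength;
};

struct CageDemo {
    bool insideUnchanged;  // an in-cage butterfly pointer survives caging as-is
    bool outsideRemapped;  // an out-of-cage pointer lands inside the cage
    bool outsideChanged;   // ...and is no longer the address it was rewired to
};

inline CageDemo runCageDemo() {
    Cage cage = makeCage(uintptr_t(1) << 20);  // 1 MiB stand-in for a multi-GB cage
    CageDemo r{};

    // A butterfly legitimately living inside the cage (placed at a fixed
    // offset here rather than through an allocator).
    Butterfly* good = reinterpret_cast<Butterfly*>(cage.base + 0x1000);
    good->publicLength = 3;
    good->vectorLength = 4;
    CagedPtr<Butterfly> goodPtr(&cage, good);
    r.insideUnchanged = goodPtr.get() == good && goodPtr->publicLength == 3;

    // A butterfly pointer that points at ordinary heap memory outside the
    // cage (constructed here with new; in the scenario the entries describe
    // this is what a corrupted m_butterfly would look like).
    Butterfly* stray = new Butterfly{0xffffffffu, 0xffffffffu};
    CagedPtr<Butterfly> strayPtr(&cage, stray);
    uintptr_t caged = reinterpret_cast<uintptr_t>(strayPtr.get());
    r.outsideRemapped = cageContains(cage, caged);
    r.outsideChanged = caged != reinterpret_cast<uintptr_t>(stray);

    delete stray;
    destroyCage(cage);
    return r;
}
```

Caging does not make an out-of-cage pointer valid; it bounds where a dereference can land, which is the property the entries rely on.
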
2017-07-31  Mark Lam  <mark.lam@apple.com>

        Added some UNLIKELYs to operationOptimize().
        https://bugs.webkit.org/show_bug.cgi?id=174976

        Reviewed by JF Bastien.

        * jit/JITOperations.cpp:

2017-07-31  Keith Miller  <keith_miller@apple.com>

        Make more things LLInt constexprs
        https://bugs.webkit.org/show_bug.cgi?id=174994

        Reviewed by Saam Barati.

        This patch makes more const values in the LLInt constexprs.
        It also deletes all of the no longer necessary static_asserts in
        LLIntData.cpp. Finally, it fixes a typo in parser.rb.

        * interpreter/ShadowChicken.h:
        (JSC::ShadowChicken::Packet::tailMarker):
        * llint/LLIntData.cpp:
        (JSC::LLInt::Data::performAssertions):
        * llint/LowLevelInterpreter.asm:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/parser.rb:

2017-07-31  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r220060.

        This broke our internal builds. Contact reviewer of patch for
        more information.

        Reverted changeset:

        "Merge WTFThreadData to Thread::current"
        https://bugs.webkit.org/show_bug.cgi?id=174716
        http://trac.webkit.org/changeset/220060

2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Support optional catch binding
        https://bugs.webkit.org/show_bug.cgi?id=174981

        Reviewed by Saam Barati.

        This patch implements the optional catch binding proposal [1], which is now stage 3.
        This proposal adds a new `catch` brace with no error value binding.

            ```
                try {
                    ...
                } catch {
                    ...
                }
            ```

        Sometimes we do not actually need to get the error value. For example, a function may return a
        boolean which indicates whether the function succeeded.

            ```
            function parse(result) // -> bool
            {
                try {
                    parseInner(result); // assumed to throw on malformed input
                } catch {
                    return false;
                }
                return true;
            }
            ```

        In the above case, we are not interested in the actual error value. Without this syntax,
        we always need to introduce a binding for an error value that is just ignored.

        [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/

        * bytecompiler/NodesCodegen.cpp:
        (JSC::TryNode::emitBytecode):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseTryStatement):

2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WTFThreadData to Thread::current
        https://bugs.webkit.org/show_bug.cgi?id=174716

        Reviewed by Sam Weinig.

        Use Thread::current() instead.

        * API/JSContext.mm:
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentCallee]):
        (+[JSContext currentArguments]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse const):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Introduce Private Symbols
        https://bugs.webkit.org/show_bug.cgi?id=174935

        Reviewed by Darin Adler.

        Use SymbolImpl::isPrivate().

        * builtins/BuiltinNames.cpp:
        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::isPrivateName): Deleted.
        * builtins/BuiltinUtils.h:
        * bytecode/BytecodeIntrinsicRegistry.cpp:
        (JSC::BytecodeIntrinsicRegistry::lookup):
        * runtime/CommonIdentifiers.cpp:
        (JSC::CommonIdentifiers::isPrivateName): Deleted.
        * runtime/CommonIdentifiers.h:
        * runtime/ExceptionHelpers.cpp:
        (JSC::createUndefinedVariableError):
        * runtime/Identifier.h:
        (JSC::Identifier::isPrivateName):
        * runtime/IdentifierInlines.h:
        (JSC::identifierToSafePublicJSValue):
        * runtime/ObjectConstructor.cpp:
        (JSC::objectConstructorAssign):
        (JSC::defineProperties):
        (JSC::setIntegrityLevel):
        (JSC::testIntegrityLevel):
        (JSC::ownPropertyKeys):
        * runtime/PrivateName.h:
        (JSC::PrivateName::PrivateName):
        * runtime/PropertyName.h:
        (JSC::PropertyName::isPrivateName):
        * runtime/ProxyObject.cpp:
        (JSC::performProxyGet):
        (JSC::ProxyObject::performInternalMethodGetOwnProperty):
        (JSC::ProxyObject::performHasProperty):
        (JSC::ProxyObject::performPut):
        (JSC::ProxyObject::performDelete):
        (JSC::ProxyObject::performDefineOwnProperty):

2017-07-29  Keith Miller  <keith_miller@apple.com>

        LLInt offsets extractor should be able to handle C++ constexprs
        https://bugs.webkit.org/show_bug.cgi?id=174964

        Reviewed by Saam Barati.

        This patch adds new syntax to the offline asm language. The new keyword,
        constexpr, takes the subsequent identifier and maps it to a C++ constexpr
        expression. Additionally, if the value is not an identifier you can wrap it in
        parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
        which will get converted into:
        static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));

        This patch also changes the data format the LLIntOffsetsExtractor
        binary produces.  Previously, it would produce unsigned values;
        after this patch every value is an int64_t.  Using an int64_t is
        useful because it means that we can represent any constant needed.
        int32_t masks are sign extended, then passed and converted to a
        negative literal string in the assembler so it will be the constant
        expected.

        * llint/LLIntOffsetsExtractor.cpp:
        (JSC::LLIntOffsetsExtractor::dummy):
        * llint/LowLevelInterpreter.asm:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/asm.rb:
        * offlineasm/ast.rb:
        * offlineasm/generate_offset_extractor.rb:
        * offlineasm/offsets.rb:
        * offlineasm/parser.rb:
        * offlineasm/transform.rb:

2017-07-28  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture an async stack trace when web content calls addEventListener
        https://bugs.webkit.org/show_bug.cgi?id=174739
        <rdar://problem/33468197>

        Reviewed by Brian Burg.

        Allow debugger agents to perform custom logic when asynchronous stack
        trace data is cleared. For example, the PageDebuggerAgent would clear
        its list of registered listeners for which call stacks have been recorded.

        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
        * inspector/agents/InspectorDebuggerAgent.h:

2017-07-28  Mark Lam  <mark.lam@apple.com>

        ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
        https://bugs.webkit.org/show_bug.cgi?id=174948
        <rdar://problem/33495680>

        Reviewed by Filip Pizlo.

        ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
        owner StructureRareData is already known to be dead (in terms of GC liveness) but
        hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
        requests to fire this watchpoint.

        If the GC had the chance to sweep the StructureRareData, thereby destructing the
        ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
        itself from the WatchpointSet it was on.  Hence, it would not have been fired.

        But since the watchpoint hasn't been destructed yet, it still remains on the
        WatchpointSet and needs to guard against being fired in this state.  The fix is
        to simply return early if its owner StructureRareData is not live.  This has the
        effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
        not firing as we would expect.

        This patch also removes some cargo cult copying of watchpoint code which
        instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
        used.  This patch removes these unnecessary instantiations.

        * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
        (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
        * runtime/StructureRareData.cpp:
        (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
        (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):

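The dead-but-not-yet-swept window described in the entry above, as an added model that is not JSC's Watchpoint or StructureRareData code; the class shapes, the markedLive flag and the counters are this example's assumptions. It shows why the guard belongs in the watchpoint's fire path: between the mark phase and the sweep, the watchpoint is still registered but its owner must not be touched.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Simplified watchpoint machinery (not JSC's). A set holds raw pointers to
// watchpoints; a watchpoint unregisters itself when it is destructed.
class Watchpoint {
public:
    virtual ~Watchpoint() = default;
    virtual void fire() = 0;
};

class WatchpointSet {
public:
    void add(Watchpoint* w) { m_watchpoints.push_back(w); }
    void remove(Watchpoint* w) {
        m_watchpoints.erase(std::remove(m_watchpoints.begin(), m_watchpoints.end(), w), m_watchpoints.end());
    }
    // Fire on a snapshot: a watchpoint may unregister itself while firing.
    void fireAll() {
        std::vector<Watchpoint*> snapshot = m_watchpoints;
        for (Watchpoint* w : snapshot)
            w->fire();
    }
    std::size_t size() const { return m_watchpoints.size(); }
private:
    std::vector<Watchpoint*> m_watchpoints;
};

struct StructureRareData;

class ObjectToStringWatchpoint : public Watchpoint {
public:
    ObjectToStringWatchpoint(StructureRareData& owner, WatchpointSet& set, bool fixed);
    // Sweeping the owner destructs the watchpoint, which takes itself out of the set.
    ~ObjectToStringWatchpoint() override { m_set.remove(this); }
    void fire() override;
private:
    StructureRareData& m_owner;
    WatchpointSet& m_set;
    bool m_fixed;
};

// The owner. `markedLive` stands in for the GC's liveness verdict; the
// watchpoint is owned (and destructed) by this object.
struct StructureRareData {
    bool markedLive = true;
    bool cacheCleared = false;   // the cached toString result the watchpoint invalidates
    int firesOnDeadOwner = 0;    // times the watchpoint acted on a dead owner
    std::unique_ptr<ObjectToStringWatchpoint> watchpoint;
};

ObjectToStringWatchpoint::ObjectToStringWatchpoint(StructureRareData& owner, WatchpointSet& set, bool fixed)
    : m_owner(owner), m_set(set), m_fixed(fixed) {
    m_set.add(this);
}

void ObjectToStringWatchpoint::fire() {
    // The fix: if the sweep had already run, we would no longer be in the
    // set, so firing on a dead owner must behave as if it had not fired.
    if (m_fixed && !m_owner.markedLive)
        return;
    if (!m_owner.markedLive)
        ++m_owner.firesOnDeadOwner;  // old behaviour: acts on a dead object
    m_owner.cacheCleared = true;
}

struct WatchpointDemo {
    int firesOnDeadOwner;
    std::size_t registeredAfterSweep;
};

inline WatchpointDemo runWatchpointScenario(bool fixed) {
    WatchpointSet set;
    auto rareData = std::make_unique<StructureRareData>();
    rareData->watchpoint = std::make_unique<ObjectToStringWatchpoint>(*rareData, set, fixed);

    // The GC marks rareData dead, but the sweep that destructs it has not run.
    rareData->markedLive = false;
    set.fireAll();                 // a structure transition fires the set in that window

    WatchpointDemo result{rareData->firesOnDeadOwner, 0};
    rareData.reset();              // sweep: the destructor chain unregisters the watchpoint
    result.registeredAfterSweep = set.size();
    set.fireAll();                 // nothing left to fire
    return result;
}
```
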
2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>

        ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
        https://bugs.webkit.org/show_bug.cgi?id=174900

        Reviewed by Saam Barati.

        In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
        Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
        The problem is that the transforming phase also checks these pseudo terminals.
747
748             BB1
749             1: ForceOSRExit
750             2: CreateDirectArguments
751
752             BB2
753             3: GetButterfly(@2)
754             4: ForceOSRExit
755
756         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
757
758         In this patch, we do not list candidates up after seeing pseudo terminals in basic blocks.
759
760         * dfg/DFGArgumentsEliminationPhase.cpp:
761
762 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
763
764         [ES] Add support finally to Promise
765         https://bugs.webkit.org/show_bug.cgi?id=174503
766
767         Reviewed by Yusuke Suzuki.
768
769         Add support for the `finally` method to Promise according
770         to https://bugs.webkit.org/show_bug.cgi?id=174503.
771         Current spec at STAGE 3:
772         https://github.com/tc39/proposal-promise-finally
773
774         * builtins/PromisePrototype.js:
775         (finally):
776         (const.valueThunk):
777         (globalPrivate.getThenFinally):
778         (const.thrower):
779         (globalPrivate.getCatchFinally):
780         * runtime/JSPromisePrototype.cpp:
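
        As an added illustration (not part of this ChangeLog or of JSC's builtins/PromisePrototype.js), the
        following JavaScript models the `finally` algorithm from the Stage 3 proposal using the helper names
        listed above; promiseFinally and demo are this example's own names, and species-constructor lookup is
        simplified to `promise.constructor`.

```javascript
'use strict';
// Added example modelled on https://github.com/tc39/proposal-promise-finally.
// The helper names mirror the ChangeLog entry; the bodies are this example's
// own, not JSC's builtin implementation.

// valueThunk(v)() returns v unchanged: used to pass the settled value through.
function valueThunk(value) {
  return () => value;
}

// thrower(reason)() rethrows: used to re-reject with the original reason.
function thrower(reason) {
  return () => { throw reason; };
}

// Fulfilment handler: run onFinally, wait for whatever it returns, then yield
// the ORIGINAL value. A rejection from onFinally replaces the original value.
function getThenFinally(onFinally, C) {
  return (value) => {
    const result = onFinally();
    return C.resolve(result).then(valueThunk(value));
  };
}

// Rejection handler: run onFinally, wait for it, then re-throw the ORIGINAL
// reason. A rejection from onFinally replaces the original reason.
function getCatchFinally(onFinally, C) {
  return (reason) => {
    const result = onFinally();
    return C.resolve(result).then(thrower(reason));
  };
}

// The `finally` method body. A non-callable onFinally is handed straight to
// then(), which treats it as identity / rethrow, so it is a pure pass-through.
function promiseFinally(promise, onFinally) {
  // SpeciesConstructor is simplified to the plain constructor lookup here.
  const C = promise.constructor || Promise;
  if (typeof onFinally !== 'function') {
    return promise.then(onFinally, onFinally);
  }
  return promise.then(getThenFinally(onFinally, C), getCatchFinally(onFinally, C));
}

// Exercises the observable semantics and resolves to a record of outcomes.
async function demo() {
  const log = [];
  // 1. The value passes through; onFinally's return value (7) is discarded.
  const v = await promiseFinally(Promise.resolve(42), () => { log.push('a'); return 7; });
  // 2. A rejection passes through when onFinally completes normally.
  const r = await promiseFinally(Promise.reject(new Error('boom')), () => log.push('b'))
    .catch((e) => e.message);
  // 3. A throwing onFinally overrides the original fulfilment.
  const t = await promiseFinally(Promise.resolve(1), () => { throw new Error('override'); })
    .catch((e) => e.message);
  // 4. A pending promise returned from onFinally delays settlement but does
  //    not change the value.
  const d = await promiseFinally(Promise.resolve('x'),
    () => new Promise((res) => setTimeout(() => { log.push('c'); res(); }, 5)));
  return { v, r, t, d, log: log.join('') };
}
```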
781
782 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
783
784         Unreviewed, build fix for CLoop
785         https://bugs.webkit.org/show_bug.cgi?id=171637
786
787         * domjit/DOMJITGetterSetter.h:
788
789 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
790
791         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
792         https://bugs.webkit.org/show_bug.cgi?id=171637
793
794         Reviewed by Darin Adler.
795
796         Each DOM attribute getter has the code to perform the ClassInfo check. But it is largely duplicated and causes code bloat.
797         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
798
799         We introduce DOMAnnotation which has ClassInfo* and DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
800         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
801
802         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
803         the op_get_by_id_with_this case yet.
804         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by CheckStructure leading to CheckSubClass.
805
806         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
807         ClassInfo check.
808
809         * CMakeLists.txt:
810         * JavaScriptCore.xcodeproj/project.pbxproj:
811         * bytecode/AccessCase.cpp:
812         (JSC::AccessCase::generateImpl):
813         * bytecode/GetByIdStatus.cpp:
814         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
815         * bytecode/GetByIdVariant.cpp:
816         (JSC::GetByIdVariant::GetByIdVariant):
817         (JSC::GetByIdVariant::operator=):
818         (JSC::GetByIdVariant::attemptToMerge):
819         (JSC::GetByIdVariant::dumpInContext):
820         * bytecode/GetByIdVariant.h:
821         (JSC::GetByIdVariant::customAccessorGetter):
822         (JSC::GetByIdVariant::domAttribute):
823         (JSC::GetByIdVariant::domJIT): Deleted.
824         * bytecode/GetterSetterAccessCase.cpp:
825         (JSC::GetterSetterAccessCase::create):
826         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
827         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
828         * bytecode/GetterSetterAccessCase.h:
829         (JSC::GetterSetterAccessCase::domAttribute):
830         (JSC::GetterSetterAccessCase::customAccessor):
831         (JSC::GetterSetterAccessCase::domJIT): Deleted.
832         * bytecompiler/BytecodeGenerator.cpp:
833         (JSC::BytecodeGenerator::instantiateLexicalVariables):
834         * create_hash_table:
835         * dfg/DFGAbstractInterpreterInlines.h:
836         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
837         * dfg/DFGByteCodeParser.cpp:
838         (JSC::DFG::blessCallDOMGetter):
839         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
840         (JSC::DFG::ByteCodeParser::handleGetById):
841         * dfg/DFGClobberize.h:
842         (JSC::DFG::clobberize):
843         * dfg/DFGFixupPhase.cpp:
844         (JSC::DFG::FixupPhase::fixupNode):
845         * dfg/DFGNode.h:
846         * dfg/DFGSpeculativeJIT.cpp:
847         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
848         * dfg/DFGSpeculativeJIT.h:
849         (JSC::DFG::SpeculativeJIT::callCustomGetter):
850         * domjit/DOMJITGetterSetter.h:
851         (JSC::DOMJIT::GetterSetter::GetterSetter):
852         (JSC::DOMJIT::GetterSetter::getter):
853         (JSC::DOMJIT::GetterSetter::compiler):
854         (JSC::DOMJIT::GetterSetter::resultType):
855         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
856         (JSC::DOMJIT::GetterSetter::setter): Deleted.
857         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
858         * ftl/FTLLowerDFGToB3.cpp:
859         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
860         * jit/Repatch.cpp:
861         (JSC::tryCacheGetByID):
862         * jsc.cpp:
863         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
864         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
865         (WTF::DOMJITGetter::customGetter):
866         (WTF::DOMJITGetter::finishCreation):
867         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
868         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
869         (WTF::DOMJITGetterComplex::customGetter):
870         (WTF::DOMJITGetterComplex::finishCreation):
871         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
872         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
873         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
874         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
875         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
876         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
877         * runtime/CustomGetterSetter.h:
878         (JSC::CustomGetterSetter::create):
879         (JSC::CustomGetterSetter::setter):
880         (JSC::CustomGetterSetter::CustomGetterSetter):
881         (): Deleted.
882         * runtime/DOMAnnotation.h: Added.
883         (JSC::operator==):
884         (JSC::operator!=):
885         * runtime/DOMAttributeGetterSetter.cpp: Added.
886         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
887         (JSC::isDOMAttributeGetterSetter):
888         * runtime/Error.cpp:
889         (JSC::throwDOMAttributeGetterTypeError):
890         * runtime/Error.h:
891         (JSC::throwVMDOMAttributeGetterTypeError):
892         * runtime/JSCustomGetterSetterFunction.cpp:
893         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
894         * runtime/JSObject.cpp:
895         (JSC::JSObject::putInlineSlow):
896         (JSC::JSObject::deleteProperty):
897         (JSC::JSObject::getOwnStaticPropertySlot):
898         (JSC::JSObject::reifyAllStaticProperties):
899         (JSC::JSObject::fillGetterPropertySlot):
900         (JSC::JSObject::findPropertyHashEntry): Deleted.
901         * runtime/JSObject.h:
902         (JSC::JSObject::getOwnNonIndexPropertySlot):
903         (JSC::JSObject::fillCustomGetterPropertySlot):
904         * runtime/Lookup.cpp:
905         (JSC::setUpStaticFunctionSlot):
906         * runtime/Lookup.h:
907         (JSC::HashTableValue::domJIT):
908         (JSC::getStaticPropertySlotFromTable):
909         (JSC::putEntry):
910         (JSC::lookupPut):
911         (JSC::reifyStaticProperty):
912         (JSC::reifyStaticProperties):
913         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttribute registered in
914         this static property table requires.
915
916         * runtime/ProgramExecutable.cpp:
917         (JSC::ProgramExecutable::initializeGlobalProperties):
918         * runtime/PropertyName.h:
919         * runtime/PropertySlot.cpp:
920         (JSC::PropertySlot::customGetter):
921         (JSC::PropertySlot::customAccessorGetter):
922         * runtime/PropertySlot.h:
923         (JSC::PropertySlot::domAttribute):
924         (JSC::PropertySlot::setCustom):
925         (JSC::PropertySlot::setCacheableCustom):
926         (JSC::PropertySlot::getValue):
927         (JSC::PropertySlot::domJIT): Deleted.
928         * runtime/VM.cpp:
929         (JSC::VM::VM):
930         * runtime/VM.h:
931
932 2017-07-26  Devin Rousso  <drousso@apple.com>
933
934         Web Inspector: create protocol for recording Canvas contexts
935         https://bugs.webkit.org/show_bug.cgi?id=174481
936
937         Reviewed by Joseph Pecoraro.
938
939         * inspector/protocol/Canvas.json:
940          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
941          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
942          - Add `recordingFinished` event that is fired once a recording is finished.
943
944         * CMakeLists.txt:
945         * DerivedSources.make:
946         * inspector/protocol/Recording.json: Added.
947          - Add `Type` enum that lists the types of recordings.
948          - Add `InitialState` type that contains information about the canvas context at the
949            beginning of the recording.
950          - Add `Frame` type that holds a list of actions that were recorded.
951          - Add `Recording` type as the container object of recording data.
952
953         * inspector/scripts/codegen/generate_js_backend_commands.py:
954         (JSBackendCommandsGenerator.generate_domain):
955         Create an agent for domains with no events or commands.
956
957         * inspector/InspectorValues.h:
958         Make Array `get` public so that values can be retrieved if needed.
959
960 2017-07-26  Brian Burg  <bburg@apple.com>
961
962         Remove WEB_TIMING feature flag
963         https://bugs.webkit.org/show_bug.cgi?id=174795
964
965         Reviewed by Alex Christensen.
966
967         * Configurations/FeatureDefines.xcconfig:
968
969 2017-07-26  Mark Lam  <mark.lam@apple.com>
970
971         Add the ability to change sp and pc to the ARM64 JIT probe.
972         https://bugs.webkit.org/show_bug.cgi?id=174697
973         <rdar://problem/33436965>
974
975         Reviewed by JF Bastien.
976
977         This patch implements the following:
978
979         1. The ARM64 probe now supports modifying the pc and sp.
980
981            However, lr is not preserved when modifying the pc because it is used as the
982            scratch register for the indirect jump. Hence, the probe handler function
983            may not modify both lr and pc in the same probe invocation.
984
985         2. Fix probe tests to use bitwise comparison when comparing double register
986            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
987
988         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
989            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
990            instructions which require 16 byte alignment for their memory access.
991
992         * assembler/MacroAssemblerARM64.cpp:
993         (JSC::arm64ProbeError):
994         (JSC::MacroAssembler::probe):
995         (JSC::arm64ProbeTrampoline): Deleted.
996         * assembler/testmasm.cpp:
997         (JSC::isSpecialGPR):
998         (JSC::testProbeReadsArgumentRegisters):
999         (JSC::testProbeWritesArgumentRegisters):
1000         (JSC::testProbePreservesGPRS):
1001         (JSC::testProbeModifiesStackPointer):
1002         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1003         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
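
        Point 2 above is a classic pitfall: IEEE-754 `==` treats NaN as unequal to itself, so a register that
        was preserved perfectly can look corrupted. The following JavaScript is an added example (not JSC
        code, and not the testmasm.cpp tests) that reads a double's bit pattern through a
        Float64Array/BigUint64Array pair and contrasts bitwise comparison with `===` and Object.is; all
        function names are this example's own.

```javascript
'use strict';
// Added example: compare double register values by bit pattern, as the probe
// tests were changed to do, and show where that differs from `===`.

const f64 = new Float64Array(1);
const u64 = new BigUint64Array(f64.buffer); // shares the same 8 bytes

// 64-bit IEEE-754 pattern of a double, as a BigInt.
function doubleBits(x) {
  f64[0] = x;
  return u64[0];
}

// Double carrying the given 64-bit pattern.
function doubleFromBits(bits) {
  u64[0] = BigInt.asUintN(64, bits);
  return f64[0];
}

// Bit-for-bit equality: the right check for "was this register preserved?"
function bitwiseEqual(a, b) {
  return doubleBits(a) === doubleBits(b);
}

// Compares an expected and an actual register value three ways so the
// differences are visible side by side.
function compareRegisterValues(expected, actual) {
  return {
    strictEquals: expected === actual,     // IEEE-754: NaN !== NaN, 0 === -0
    objectIs: Object.is(expected, actual), // SameValue: NaN is NaN, 0 is not -0
    bitwise: bitwiseEqual(expected, actual),
  };
}

// The two cases where `===` gives the wrong answer for a preservation check:
// a NaN that was preserved (false negative) and a zero whose sign bit flipped
// (false positive). Object.is agrees with bitwise here, but would still merge
// NaNs with different payload bits, which bitwiseEqual distinguishes.
function probePreservationCases() {
  return {
    nanPreserved: compareRegisterValues(NaN, NaN),
    zeroSignFlipped: compareRegisterValues(0, -0),
  };
}
```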
1004
1005 2017-07-25  JF Bastien  <jfbastien@apple.com>
1006
1007         WebAssembly: generate smaller binaries
1008         https://bugs.webkit.org/show_bug.cgi?id=174818
1009
1010         Reviewed by Filip Pizlo.
1011
1012         This patch reduces generated code size for WebAssembly in 2 ways:
1013
1014         1. Use the ZR register when storing zero on ARM64.
1015         2. Synthesize wasm context lazily.
1016
1017         This leads to a modest size reduction on both x86-64 and ARM64 for
1018         large WebAssembly games, without any performance loss on WasmBench
1019         and TitzerBench.
1020
1021         The reason this works is that these games, using Emscripten,
1022         generate 100k+ tiny functions, and our JIT allocation granule
1023         rounds all allocations up to 32 bytes. There are plenty of other
1024         simple gains to be had, I've filed a follow-up bug at
1025         webkit.org/b/174819
1026
1027         We should further avoid the per-function cost of tiering, which
1028         represents the bulk of code generated for small functions.
1029
1030         * assembler/MacroAssemblerARM64.h:
1031         (JSC::MacroAssemblerARM64::storeZero64):
1032         * assembler/MacroAssemblerX86_64.h:
1033         (JSC::MacroAssemblerX86_64::storeZero64):
1034         * b3/B3LowerToAir.cpp:
1035         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1036         for x86 because it constrains register reuse and codegen in a way
1037         that doesn't affect ARM64 because it has a dedicated zero
1038         register.
1039         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1040         * wasm/WasmB3IRGenerator.cpp:
1041         (JSC::Wasm::B3IRGenerator::instanceValue):
1042         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1043         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1044         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1045
1046 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1047
1048         B3 should do LICM
1049         https://bugs.webkit.org/show_bug.cgi?id=174750
1050
1051         Reviewed by Keith Miller and Saam Barati.
1052         
1053         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1054         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1055         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1056         change templatizes DFG::NaturalLoops so that we can just use it.
1057         
1058         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1059         the relationship between control dependence and side exits.
1060         
1061         Also added a bunch of tests.
1062         
1063         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1064         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1065         so it doesn't hurt to have it.
1066         
1067         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1068         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1069         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1070         eventually.
1071
1072         * CMakeLists.txt:
1073         * JavaScriptCore.xcodeproj/project.pbxproj:
1074         * b3/B3BackwardsCFG.h: Added.
1075         (JSC::B3::BackwardsCFG::BackwardsCFG):
1076         * b3/B3BackwardsDominators.h: Added.
1077         (JSC::B3::BackwardsDominators::BackwardsDominators):
1078         * b3/B3BasicBlock.cpp:
1079         (JSC::B3::BasicBlock::appendNonTerminal):
1080         * b3/B3Effects.h:
1081         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1082         (JSC::B3::ensureLoopPreHeaders):
1083         * b3/B3EnsureLoopPreHeaders.h: Added.
1084         * b3/B3Generate.cpp:
1085         (JSC::B3::generateToAir):
1086         * b3/B3HoistLoopInvariantValues.cpp: Added.
1087         (JSC::B3::hoistLoopInvariantValues):
1088         * b3/B3HoistLoopInvariantValues.h: Added.
1089         * b3/B3NaturalLoops.h: Added.
1090         (JSC::B3::NaturalLoops::NaturalLoops):
1091         * b3/B3Procedure.cpp:
1092         (JSC::B3::Procedure::invalidateCFG):
1093         (JSC::B3::Procedure::naturalLoops):
1094         (JSC::B3::Procedure::backwardsCFG):
1095         (JSC::B3::Procedure::backwardsDominators):
1096         * b3/B3Procedure.h:
1097         * b3/testb3.cpp:
1098         (JSC::B3::generateLoop):
1099         (JSC::B3::makeArrayForLoops):
1100         (JSC::B3::generateLoopNotBackwardsDominant):
1101         (JSC::B3::oneFunction):
1102         (JSC::B3::noOpFunction):
1103         (JSC::B3::testLICMPure):
1104         (JSC::B3::testLICMPureSideExits):
1105         (JSC::B3::testLICMPureWritesPinned):
1106         (JSC::B3::testLICMPureWrites):
1107         (JSC::B3::testLICMReadsLocalState):
1108         (JSC::B3::testLICMReadsPinned):
1109         (JSC::B3::testLICMReads):
1110         (JSC::B3::testLICMPureNotBackwardsDominant):
1111         (JSC::B3::testLICMPureFoiledByChild):
1112         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1113         (JSC::B3::testLICMExitsSideways):
1114         (JSC::B3::testLICMWritesLocalState):
1115         (JSC::B3::testLICMWrites):
1116         (JSC::B3::testLICMFence):
1117         (JSC::B3::testLICMWritesPinned):
1118         (JSC::B3::testLICMControlDependent):
1119         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1120         (JSC::B3::testLICMControlDependentSideExits):
1121         (JSC::B3::testLICMReadsPinnedWritesPinned):
1122         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1123         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1124         (JSC::B3::testLICMDefaultCall):
1125         (JSC::B3::run):
1126         * dfg/DFGBasicBlock.h:
1127         * dfg/DFGCFG.h:
1128         * dfg/DFGNaturalLoops.cpp: Removed.
1129         * dfg/DFGNaturalLoops.h:
1130         (JSC::DFG::NaturalLoops::NaturalLoops):
1131         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1132         (JSC::DFG::NaturalLoop::header): Deleted.
1133         (JSC::DFG::NaturalLoop::size): Deleted.
1134         (JSC::DFG::NaturalLoop::at): Deleted.
1135         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1136         (JSC::DFG::NaturalLoop::contains): Deleted.
1137         (JSC::DFG::NaturalLoop::index): Deleted.
1138         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1139         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1140         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1141         (JSC::DFG::NaturalLoops::loop): Deleted.
1142         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1143         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1144         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1145         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1146         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1147
1148 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1149
1150         GC should be fine with trading blocks between destructor and non-destructor blocks
1151         https://bugs.webkit.org/show_bug.cgi?id=174811
1152
1153         Reviewed by Mark Lam.
1154         
1155         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1156         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1157         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1158         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1159         set.
1160         
1161         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1162         is empty if:
1163         
1164         A) It has no live objects and it's a non-destructor block, or
1165         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1166         C) We just stole it from another allocator (so it also has no destructors), or
1167         D) We just swept the block and ran all destructors.
1168         
1169         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1170         block that could be stolen.
1171
1172         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1173         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1174         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1175         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1176         
1177         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1178         
1179         If we tried to enable trading of blocks between allocators without making any changes to how
1180         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1181         live objects in order for those bits to be candidates for trading. But if we do that, then our
1182         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1183         our destructors won't run and we'll leak memory.
1184         
1185         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1186         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1187         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1188         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1189         are (empty & ~destructible).
1190         
1191         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1192         remove destructor-oriented special-casing of block trading.
1193
1194         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1195         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1196         pathological cases.
1197         
1198         * heap/MarkedAllocator.cpp:
1199         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1200         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1201         (JSC::MarkedAllocator::endMarking):
1202         (JSC::MarkedAllocator::shrink):
1203         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1204         * heap/MarkedAllocator.h:
1205         * heap/MarkedBlock.cpp:
1206         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1207         (JSC::MarkedBlock::Handle::sweep):
1208         * heap/MarkedBlockInlines.h:
1209         (JSC::MarkedBlock::Handle::specializedSweep):
1210         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1211         (JSC::MarkedBlock::Handle::emptyMode):
1212
1213 2017-07-25  Keith Miller  <keith_miller@apple.com>
1214
1215         Remove Broken CompareEq constant folding phase.
1216         https://bugs.webkit.org/show_bug.cgi?id=174846
1217         <rdar://problem/32978808>
1218
1219         Reviewed by Saam Barati.
1220
1221         This bug happened when we would get code like the following:
1222
1223         a: JSConst(Undefined)
1224         b: GetLocal(SomeObjectOrUndefined)
1225         ...
1226         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1227
1228         constant folding will turn this into:
1229
1230         a: JSConst(Undefined)
1231         b: GetLocal(SomeObjectOrUndefined)
1232         ...
1233         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1234
1235         But the SpeculativeJIT/FTL lowering will fail to check b
1236         properly which leads to an assertion failure in the AI.
1237
1238         I'll follow up with a more robust fix later. For now, I'll remove the
1239         case that generates the code. Removing the code appears to be perf
1240         neutral.
1241
1242         * dfg/DFGConstantFoldingPhase.cpp:
1243         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1244
1245 2017-07-25  Matt Baker  <mattbaker@apple.com>
1246
1247         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1248         https://bugs.webkit.org/show_bug.cgi?id=174738
1249
1250         Reviewed by Brian Burg.
1251
1252         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1253         stack traces. This preserves the call type in JSC, makes the range of
1254         possible call types explicit, and is safer than passing ints.
1255
1256         * inspector/agents/InspectorDebuggerAgent.cpp:
1257         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1258         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1259         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1260         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1261         * inspector/agents/InspectorDebuggerAgent.h:
1262
1263 2017-07-25  Mark Lam  <mark.lam@apple.com>
1264
1265         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1266         https://bugs.webkit.org/show_bug.cgi?id=174809
1267         <rdar://problem/33504759>
1268
1269         Reviewed by Filip Pizlo.
1270
1271         1. When the probe handler function changes the sp register to point to the
1272            region of stack in the middle of the ProbeContext on the stack, there is a
1273            bug where the ProbeContext's register values to be restored can be over-written
1274            before they can be restored.  This is now fixed.
1275
1276         2. Added more robust probe tests for changing the sp register.
1277
1278         3. Made existing probe tests ensure that probe handlers were actually called.
1279
1280         4. Added some verification to testProbePreservesGPRS().
1281
1282         5. Change all the probe tests to fail early on discovering an error instead of
1283            batching till the end of the test.  This helps point a finger to the failing
1284            issue earlier.
1285
1286         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1287         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1288
1289         * assembler/MacroAssemblerARM.cpp:
1290         * assembler/MacroAssemblerARMv7.cpp:
1291         * assembler/MacroAssemblerX86Common.cpp:
1292         * assembler/testmasm.cpp:
1293         (JSC::testProbeReadsArgumentRegisters):
1294         (JSC::testProbeWritesArgumentRegisters):
1295         (JSC::testProbePreservesGPRS):
1296         (JSC::testProbeModifiesStackPointer):
1297         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1298         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1299         (JSC::testProbeModifiesProgramCounter):
1300         (JSC::run):
1301
1302 2017-07-25  Brian Burg  <bburg@apple.com>
1303
1304         Web Automation: add support for uploading files
1305         https://bugs.webkit.org/show_bug.cgi?id=174797
1306         <rdar://problem/28485063>
1307
1308         Reviewed by Joseph Pecoraro.
1309
1310         * inspector/scripts/generate-inspector-protocol-bindings.py:
1311         (generate_from_specification):
1312         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1313
1314         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1315         (CppFrontendDispatcherImplementationGenerator.generate_output):
1316         Use a framework include for InspectorFrontendRouter.h since this generated code
1317         will be compiled outside of WebCore.framework.
1318
1319         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1320         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1321         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1322         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1323         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1324         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1325         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1326         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1327         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1328         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1329         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1330         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1331         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1332         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1333         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1334         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1335         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1336         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1337         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1338         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1339         Rebaseline code generator tests.
1340
1341 2017-07-24  Mark Lam  <mark.lam@apple.com>
1342
1343         Gardening: fixed C Loop build after r219790.
1344         https://bugs.webkit.org/show_bug.cgi?id=174696
1345
1346         Not reviewed.
1347
1348         * assembler/testmasm.cpp:
1349
1350 2017-07-23  Mark Lam  <mark.lam@apple.com>
1351
1352         Create regression tests for the JIT probe.
1353         https://bugs.webkit.org/show_bug.cgi?id=174696
1354         <rdar://problem/33436922>
1355
1356         Reviewed by Saam Barati.
1357
1358         The new testmasm will test the following:
1359         1. the probe is able to read the value of CPU registers.
1360         2. the probe is able to write the value of CPU registers.
1361         3. the probe is able to preserve all CPU registers.
1362         4. special case of (2): the probe is able to change the value of the stack pointer.
1363         5. special case of (2): the probe is able to change the value of the program counter
1364            i.e. the probe can change where the code continues executing upon returning from
1365            the probe.
1366
1367         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
1368         because it does not support changing the sp and pc yet.  The ARM64 probe
1369         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
1370         later.
1371
1372         * Configurations/ToolExecutable.xcconfig:
1373         * JavaScriptCore.xcodeproj/project.pbxproj:
1374         * assembler/MacroAssembler.h:
1375         (JSC::MacroAssembler::CPUState::pc):
1376         (JSC::MacroAssembler::CPUState::fp):
1377         (JSC::MacroAssembler::CPUState::sp):
1378         (JSC::ProbeContext::pc):
1379         (JSC::ProbeContext::fp):
1380         (JSC::ProbeContext::sp):
1381         * assembler/MacroAssemblerARM64.cpp:
1382         (JSC::arm64ProbeTrampoline):
1383         * assembler/MacroAssemblerPrinter.cpp:
1384         (JSC::Printer::printPCRegister):
1385         * assembler/testmasm.cpp: Added.
1386         (hiddenTruthBecauseNoReturnIsStupid):
1387         (usage):
1388         (JSC::nextID):
1389         (JSC::isPC):
1390         (JSC::isSP):
1391         (JSC::isFP):
1392         (JSC::compile):
1393         (JSC::invoke):
1394         (JSC::compileAndRun):
1395         (JSC::testSimple):
1396         (JSC::testProbeReadsArgumentRegisters):
1397         (JSC::testProbeWritesArgumentRegisters):
1398         (JSC::testFunctionToTrashRegisters):
1399         (JSC::testProbePreservesGPRS):
1400         (JSC::testProbeModifiesStackPointer):
1401         (JSC::testProbeModifiesProgramCounter):
1402         (JSC::run):
1403         (run):
1404         (main):
1405         * b3/air/testair.cpp:
1406         (usage):
1407         * shell/CMakeLists.txt:
1408
1409 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
1410
1411         It should be easy to decide how WebKit yields
1412         https://bugs.webkit.org/show_bug.cgi?id=174298
1413
1414         Reviewed by Saam Barati.
1415         
1416         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
1417
1418         * heap/Heap.cpp:
1419         (JSC::Heap::resumeThePeriphery):
1420         * heap/VisitingTimeout.h:
1421         * runtime/JSCell.cpp:
1422         (JSC::JSCell::lockSlow):
1423         (JSC::JSCell::unlockSlow):
1424         * runtime/JSCell.h:
1425         * runtime/JSCellInlines.h:
1426         (JSC::JSCell::lock):
1427         (JSC::JSCell::unlock):
1428         * runtime/JSLock.cpp:
1429         (JSC::JSLock::grabAllLocks):
1430         * runtime/SamplingProfiler.cpp:
1431
1432 2017-07-21  Mark Lam  <mark.lam@apple.com>
1433
1434         Refactor MASM probe CPUState to use arrays for register storage.
1435         https://bugs.webkit.org/show_bug.cgi?id=174694
1436
1437         Reviewed by Keith Miller.
1438
1439         Using arrays for register storage in CPUState allows us to do away with the
1440         huge switch statements to decode each register id.  We can now simply index into
1441         the arrays.
1442
1443         With this patch, we now:
1444
1445         1. Remove the need for macros for defining the list of CPU registers.
1446            We can go back to simple enums.  This makes the code easier to read.
1447
1448         2. Make the assembler the authority on register names.
1449            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
1450            GPRInfo and FPRInfo now forward to the assembler.
1451
1452         3. Make the assembler the authority on the number of registers of each type.
1453
1454         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
1455            This is inconsistent with how every other CPU architecture implements
1456            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
1457            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
1458
1459         * assembler/ARM64Assembler.h:
1460         (JSC::ARM64Assembler::numberOfRegisters):
1461         (JSC::ARM64Assembler::firstSPRegister):
1462         (JSC::ARM64Assembler::lastSPRegister):
1463         (JSC::ARM64Assembler::numberOfSPRegisters):
1464         (JSC::ARM64Assembler::numberOfFPRegisters):
1465         (JSC::ARM64Assembler::gprName):
1466         (JSC::ARM64Assembler::sprName):
1467         (JSC::ARM64Assembler::fprName):
1468         * assembler/ARMAssembler.h:
1469         (JSC::ARMAssembler::numberOfRegisters):
1470         (JSC::ARMAssembler::firstSPRegister):
1471         (JSC::ARMAssembler::lastSPRegister):
1472         (JSC::ARMAssembler::numberOfSPRegisters):
1473         (JSC::ARMAssembler::numberOfFPRegisters):
1474         (JSC::ARMAssembler::gprName):
1475         (JSC::ARMAssembler::sprName):
1476         (JSC::ARMAssembler::fprName):
1477         * assembler/ARMv7Assembler.h:
1478         (JSC::ARMv7Assembler::lastRegister):
1479         (JSC::ARMv7Assembler::numberOfRegisters):
1480         (JSC::ARMv7Assembler::firstSPRegister):
1481         (JSC::ARMv7Assembler::lastSPRegister):
1482         (JSC::ARMv7Assembler::numberOfSPRegisters):
1483         (JSC::ARMv7Assembler::numberOfFPRegisters):
1484         (JSC::ARMv7Assembler::gprName):
1485         (JSC::ARMv7Assembler::sprName):
1486         (JSC::ARMv7Assembler::fprName):
1487         * assembler/AbstractMacroAssembler.h:
1488         (JSC::AbstractMacroAssembler::numberOfRegisters):
1489         (JSC::AbstractMacroAssembler::gprName):
1490         (JSC::AbstractMacroAssembler::firstSPRegister):
1491         (JSC::AbstractMacroAssembler::lastSPRegister):
1492         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
1493         (JSC::AbstractMacroAssembler::sprName):
1494         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
1495         (JSC::AbstractMacroAssembler::fprName):
1496         * assembler/MIPSAssembler.h:
1497         (JSC::MIPSAssembler::numberOfRegisters):
1498         (JSC::MIPSAssembler::firstSPRegister):
1499         (JSC::MIPSAssembler::lastSPRegister):
1500         (JSC::MIPSAssembler::numberOfSPRegisters):
1501         (JSC::MIPSAssembler::numberOfFPRegisters):
1502         (JSC::MIPSAssembler::gprName):
1503         (JSC::MIPSAssembler::sprName):
1504         (JSC::MIPSAssembler::fprName):
1505         * assembler/MacroAssembler.h:
1506         (JSC::MacroAssembler::CPUState::gprName):
1507         (JSC::MacroAssembler::CPUState::sprName):
1508         (JSC::MacroAssembler::CPUState::fprName):
1509         (JSC::MacroAssembler::CPUState::gpr):
1510         (JSC::MacroAssembler::CPUState::spr):
1511         (JSC::MacroAssembler::CPUState::fpr):
1512         (JSC::MacroAssembler::CPUState::pc):
1513         (JSC::MacroAssembler::CPUState::fp):
1514         (JSC::MacroAssembler::CPUState::sp):
1515         (JSC::ProbeContext::gpr):
1516         (JSC::ProbeContext::spr):
1517         (JSC::ProbeContext::fpr):
1518         (JSC::ProbeContext::gprName):
1519         (JSC::ProbeContext::sprName):
1520         (JSC::ProbeContext::fprName):
1521         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1522         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1523         * assembler/MacroAssemblerARM.cpp:
1524         * assembler/MacroAssemblerARM64.cpp:
1525         (JSC::arm64ProbeTrampoline):
1526         * assembler/MacroAssemblerARMv7.cpp:
1527         * assembler/MacroAssemblerPrinter.cpp:
1528         (JSC::Printer::nextID):
1529         (JSC::Printer::printAllRegisters):
1530         (JSC::Printer::printPCRegister):
1531         (JSC::Printer::printRegisterID):
1532         (JSC::Printer::printAddress):
1533         * assembler/MacroAssemblerX86Common.cpp:
1534         * assembler/X86Assembler.h:
1535         (JSC::X86Assembler::numberOfRegisters):
1536         (JSC::X86Assembler::firstSPRegister):
1537         (JSC::X86Assembler::lastSPRegister):
1538         (JSC::X86Assembler::numberOfSPRegisters):
1539         (JSC::X86Assembler::numberOfFPRegisters):
1540         (JSC::X86Assembler::gprName):
1541         (JSC::X86Assembler::sprName):
1542         (JSC::X86Assembler::fprName):
1543         * jit/FPRInfo.h:
1544         (JSC::FPRInfo::debugName):
1545         * jit/GPRInfo.h:
1546         (JSC::GPRInfo::debugName):
1547         * jit/RegisterSet.cpp:
1548         (JSC::RegisterSet::reservedHardwareRegisters):
1549
1550 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1551
1552         [JSC] Introduce static symbols
1553         https://bugs.webkit.org/show_bug.cgi?id=158863
1554
1555         Reviewed by Darin Adler.
1556
1557         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1558         As a result, we can share the same Symbol values between VMs and threads.
1559         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1560
1561         * CMakeLists.txt:
1562         * JavaScriptCore.xcodeproj/project.pbxproj:
1563         * builtins/BuiltinNames.cpp: Added.
1564         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1565
1566         * builtins/BuiltinNames.h:
1567         (JSC::BuiltinNames::BuiltinNames):
1568         * builtins/BuiltinUtils.h:
1569
1570 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1571
1572         [FTL] Arguments elimination is suppressed by unreachable blocks
1573         https://bugs.webkit.org/show_bug.cgi?id=174352
1574
1575         Reviewed by Filip Pizlo.
1576
1577         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
1578         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
1579         Since GetById without information can escape arguments if it is specified, non-executed code including
1580         op_get_by_id with arguments can escape arguments.
1581
1582         For example,
1583
1584             function test(flag)
1585             {
1586                 if (flag) {
1587                     // This is not executed, but emits GetById with arguments.
1588                     // It prevents us from eliminating materialization.
1589                     return arguments.length;
1590                 }
1591                 return arguments.length;
1592             }
1593             noInline(test);
1594             while (true)
1595                 test(false);
1596
1597         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
1598         So this GetById exists and escapes arguments.
1599
1600         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
1601         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
1602         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
1603
1604         * dfg/DFGArgumentsEliminationPhase.cpp:
1605         * dfg/DFGNode.h:
1606         (JSC::DFG::Node::isPseudoTerminal):
1607         * dfg/DFGValidate.cpp:
1608
1609 2017-07-20  Chris Dumez  <cdumez@apple.com>
1610
1611         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
1612         https://bugs.webkit.org/show_bug.cgi?id=174660
1613
1614         Reviewed by Geoffrey Garen.
1615
1616         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
1617         This essentially replaces a branch to figure out if the new size is less or greater than the
1618         current size by an assertion.
1619
1620         * b3/B3BasicBlockUtils.h:
1621         (JSC::B3::clearPredecessors):
1622         * b3/B3InferSwitches.cpp:
1623         * b3/B3LowerToAir.cpp:
1624         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1625         * b3/B3ReduceStrength.cpp:
1626         * b3/B3SparseCollection.h:
1627         (JSC::B3::SparseCollection::packIndices):
1628         * b3/B3UseCounts.cpp:
1629         (JSC::B3::UseCounts::UseCounts):
1630         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1631         * b3/air/AirEmitShuffle.cpp:
1632         (JSC::B3::Air::emitShuffle):
1633         * b3/air/AirLowerAfterRegAlloc.cpp:
1634         (JSC::B3::Air::lowerAfterRegAlloc):
1635         * b3/air/AirOptimizeBlockOrder.cpp:
1636         (JSC::B3::Air::optimizeBlockOrder):
1637         * bytecode/Operands.h:
1638         (JSC::Operands::ensureLocals):
1639         * bytecode/PreciseJumpTargets.cpp:
1640         (JSC::computePreciseJumpTargetsInternal):
1641         * dfg/DFGBlockInsertionSet.cpp:
1642         (JSC::DFG::BlockInsertionSet::execute):
1643         * dfg/DFGBlockMapInlines.h:
1644         (JSC::DFG::BlockMap<T>::BlockMap):
1645         * dfg/DFGByteCodeParser.cpp:
1646         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1647         (JSC::DFG::ByteCodeParser::clearCaches):
1648         * dfg/DFGDisassembler.cpp:
1649         (JSC::DFG::Disassembler::Disassembler):
1650         * dfg/DFGFlowIndexing.cpp:
1651         (JSC::DFG::FlowIndexing::recompute):
1652         * dfg/DFGGraph.cpp:
1653         (JSC::DFG::Graph::registerFrozenValues):
1654         * dfg/DFGInPlaceAbstractState.cpp:
1655         (JSC::DFG::setLiveValues):
1656         * dfg/DFGLICMPhase.cpp:
1657         (JSC::DFG::LICMPhase::run):
1658         * dfg/DFGLivenessAnalysisPhase.cpp:
1659         * dfg/DFGNaturalLoops.cpp:
1660         (JSC::DFG::NaturalLoops::NaturalLoops):
1661         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1662         * ftl/FTLLowerDFGToB3.cpp:
1663         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1664         * heap/CodeBlockSet.cpp:
1665         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1666         * heap/MarkedSpace.cpp:
1667         (JSC::MarkedSpace::sweepLargeAllocations):
1668         * inspector/ContentSearchUtilities.cpp:
1669         (Inspector::ContentSearchUtilities::findMagicComment):
1670         * interpreter/ShadowChicken.cpp:
1671         (JSC::ShadowChicken::update):
1672         * parser/ASTBuilder.h:
1673         (JSC::ASTBuilder::shrinkOperandStackBy):
1674         * parser/Lexer.h:
1675         (JSC::Lexer::setOffset):
1676         * runtime/RegExpInlines.h:
1677         (JSC::RegExp::matchInline):
1678         * runtime/RegExpPrototype.cpp:
1679         (JSC::genericSplit):
1680         * yarr/RegularExpression.cpp:
1681         (JSC::Yarr::RegularExpression::match):
1682
1683 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1684
1685         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
1686         https://bugs.webkit.org/show_bug.cgi?id=174678
1687
1688         Reviewed by Mark Lam.
1689
1690         Use Thread& instead.
1691
1692         * runtime/JSLock.cpp:
1693         (JSC::JSLock::didAcquireLock):
1694
1695 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1696
1697         [WTF] Implement WTF::ThreadGroup
1698         https://bugs.webkit.org/show_bug.cgi?id=174081
1699
1700         Reviewed by Mark Lam.
1701
1702         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1703         And SamplingProfiler and others interact with WTF::Thread directly.
1704
1705         * API/tests/ExecutionTimeLimitTest.cpp:
1706         * heap/MachineStackMarker.cpp:
1707         (JSC::MachineThreads::MachineThreads):
1708         (JSC::captureStack):
1709         (JSC::MachineThreads::tryCopyOtherThreadStack):
1710         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1711         (JSC::MachineThreads::gatherConservativeRoots):
1712         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1713         (JSC::ActiveMachineThreadsManager::add): Deleted.
1714         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1715         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1716         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1717         (JSC::activeMachineThreadsManager): Deleted.
1718         (JSC::MachineThreads::~MachineThreads): Deleted.
1719         (JSC::MachineThreads::addCurrentThread): Deleted.
1720         (): Deleted.
1721         (JSC::MachineThreads::removeThread): Deleted.
1722         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1723         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1724         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1725         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1726         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1727         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1728         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1729         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1730         * heap/MachineStackMarker.h:
1731         (JSC::MachineThreads::addCurrentThread):
1732         (JSC::MachineThreads::getLock):
1733         (JSC::MachineThreads::threads):
1734         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1735         (JSC::MachineThreads::MachineThread::resume): Deleted.
1736         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1737         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1738         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1739         (JSC::MachineThreads::threadsListHead): Deleted.
1740         * runtime/SamplingProfiler.cpp:
1741         (JSC::FrameWalker::isValidFramePointer):
1742         (JSC::SamplingProfiler::SamplingProfiler):
1743         (JSC::SamplingProfiler::takeSample):
1744         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1745         * runtime/SamplingProfiler.h:
1746         * wasm/WasmMachineThreads.cpp:
1747         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1748
1749 2017-07-18  Andy Estes  <aestes@apple.com>
1750
1751         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
1752         https://bugs.webkit.org/show_bug.cgi?id=174631
1753
1754         Reviewed by Tim Horton.
1755
1756         * Configurations/Base.xcconfig:
1757         * b3/B3FoldPathConstants.cpp:
1758         * b3/B3LowerMacros.cpp:
1759         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1760         * dfg/DFGByteCodeParser.cpp:
1761         (JSC::DFG::ByteCodeParser::check):
1762         (JSC::DFG::ByteCodeParser::planLoad):
1763
1764 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1765
1766         WTF::Thread should have the thread's stack bounds.
1767         https://bugs.webkit.org/show_bug.cgi?id=173975
1768
1769         Reviewed by Mark Lam.
1770
1771         There is a site in JSC that tries to walk another thread's stack.
1772         Currently, stack bounds are stored in WTFThreadData which is located
1773         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1774         We work around this situation by holding StackBounds in MachineThread in JSC,
1775         but StackBounds should be put in WTF::Thread instead.
1776
1777         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
1778         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
1779
1780         * heap/MachineStackMarker.cpp:
1781         (JSC::MachineThreads::MachineThread::MachineThread):
1782         (JSC::MachineThreads::MachineThread::captureStack):
1783         * heap/MachineStackMarker.h:
1784         (JSC::MachineThreads::MachineThread::stackBase):
1785         (JSC::MachineThreads::MachineThread::stackEnd):
1786         * runtime/VMTraps.cpp:
1787
1788 2017-07-18  Andy Estes  <aestes@apple.com>
1789
1790         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
1791         https://bugs.webkit.org/show_bug.cgi?id=174631
1792
1793         Reviewed by Sam Weinig.
1794
1795         * Configurations/Base.xcconfig:
1796
1797 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
1798
1799         Web Inspector: Modernize InjectedScriptSource
1800         https://bugs.webkit.org/show_bug.cgi?id=173890
1801
1802         Reviewed by Brian Burg.
1803
1804         * inspector/InjectedScript.h:
1805         Reorder functions to be slightly better.
1806
1807         * inspector/InjectedScriptSource.js:
1808         - Convert to classes named InjectedScript and RemoteObject
1809         - Align InjectedScript's API with the wrapper C++ interfaces
1810         - Move some code to RemoteObject where appropriate (subtype, describe)
1811         - Move some code to helper functions (isPrimitiveValue, isDefined)
1812         - Refactor for readability and modern features
1813         - Remove some unused / unnecessary code
1814
1815 2017-07-18  Mark Lam  <mark.lam@apple.com>
1816
1817         Butterfly storage need not be initialized for indexing type Undecided.
1818         https://bugs.webkit.org/show_bug.cgi?id=174516
1819
1820         Reviewed by Saam Barati.
1821
1822         While it's not incorrect to initialize the butterfly storage when the
1823         indexingType is Undecided, it is inefficient as we'll end up initializing
1824         it again later when we convert the storage to a different indexingType.
1825         Some of our code already skips initializing Undecided butterflies.
1826         This patch makes it the consistent behavior everywhere.
1827
1828         * dfg/DFGSpeculativeJIT.cpp:
1829         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1830         * runtime/JSArray.cpp:
1831         (JSC::JSArray::tryCreateUninitializedRestricted):
1832         * runtime/JSArray.h:
1833         (JSC::JSArray::tryCreate):
1834         * runtime/JSObject.cpp:
1835         (JSC::JSObject::ensureLengthSlow):
1836
1837 2017-07-18  Saam Barati  <sbarati@apple.com>
1838
1839         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
1840         https://bugs.webkit.org/show_bug.cgi?id=174515
1841         <rdar://problem/33358092>
1842
1843         Reviewed by Filip Pizlo.
1844
1845         AirLowerAfterRegAlloc was computing the set of available scratch
1846         registers incorrectly. It was always excluding callee save registers
1847         from the set of live registers. It did not guarantee that live callee save
1848         registers were not in the set of scratch registers that could
1849         get clobbered. That's incorrect as the shuffling code is free
1850         to overwrite whatever is in the scratch register it gets passed.
1851
1852         * b3/air/AirLowerAfterRegAlloc.cpp:
1853         (JSC::B3::Air::lowerAfterRegAlloc):
1854         * b3/testb3.cpp:
1855         (JSC::B3::functionNineArgs):
1856         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
1857         (JSC::B3::run):
1858         * jit/RegisterSet.h:
1859
1860 2017-07-18  Andy Estes  <aestes@apple.com>
1861
1862         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
1863         https://bugs.webkit.org/show_bug.cgi?id=174631
1864
1865         Reviewed by Dan Bernstein.
1866
1867         * Configurations/Base.xcconfig:
1868
1869 2017-07-18  Devin Rousso  <drousso@apple.com>
1870
1871         Web Inspector: Add memoryCost to Inspector Protocol objects
1872         https://bugs.webkit.org/show_bug.cgi?id=174478
1873
1874         Reviewed by Joseph Pecoraro.
1875
1876         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
1877         plus the memoryCost of the data if it is a string.
1878
1879         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
1880
1881         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
1882         key plus the memoryCost of the InspectorValue for each entry.
1883
1884         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
1885
1886         * inspector/InspectorValues.h:
1887         * inspector/InspectorValues.cpp:
1888         (Inspector::InspectorValue::memoryCost):
1889         (Inspector::InspectorObjectBase::memoryCost):
1890         (Inspector::InspectorArrayBase::memoryCost):
1891
1892 2017-07-18  Andy Estes  <aestes@apple.com>
1893
1894         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
1895         https://bugs.webkit.org/show_bug.cgi?id=174631
1896
1897         Reviewed by Darin Adler.
1898
1899         * Configurations/Base.xcconfig:
1900
1901 2017-07-18  Michael Saboff  <msaboff@apple.com>
1902
1903         [JSC] There should be a debug option to dump a compiled RegExp Pattern
1904         https://bugs.webkit.org/show_bug.cgi?id=174601
1905
1906         Reviewed by Alex Christensen.
1907
1908         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
1909         objects after a regular expression has been compiled.
1910
1911         * runtime/Options.h:
1912         * yarr/YarrPattern.cpp:
1913         (JSC::Yarr::YarrPattern::compile):
1914         (JSC::Yarr::indentForNestingLevel):
1915         (JSC::Yarr::dumpUChar32):
1916         (JSC::Yarr::PatternAlternative::dump):
1917         (JSC::Yarr::PatternTerm::dumpQuantifier):
1918         (JSC::Yarr::PatternTerm::dump):
1919         (JSC::Yarr::PatternDisjunction::dump):
1920         (JSC::Yarr::YarrPattern::dumpPattern):
1921         * yarr/YarrPattern.h:
1922         (JSC::Yarr::YarrPattern::global):
1923
1924 2017-07-17  Darin Adler  <darin@apple.com>
1925
1926         Improve use of NeverDestroyed
1927         https://bugs.webkit.org/show_bug.cgi?id=174348
1928
1929         Reviewed by Sam Weinig.
1930
1931         * heap/MachineStackMarker.cpp:
1932         * wasm/WasmMemory.cpp:
1933         Removed unneeded includes of NeverDestroyed.h in files that do not make use
1934         of NeverDestroyed.
1935
1936 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1937
1938         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
1939         https://bugs.webkit.org/show_bug.cgi?id=174547
1940
1941         Reviewed by Alex Christensen.
1942
1943         * CMakeLists.txt:
1944         * shell/CMakeLists.txt:
1945
1946 2017-07-17  Saam Barati  <sbarati@apple.com>
1947
1948         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
1949         https://bugs.webkit.org/show_bug.cgi?id=174584
1950
1951         Rubber stamped by Keith Miller.
1952
1953         I used it to diagnose a bug. The bug is now fixed. This custom
1954         RELEASE_ASSERT is no longer needed.
1955
1956         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1957
1958 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
1959
1960         -Wformat-truncation warning in ConfigFile.cpp
1961         https://bugs.webkit.org/show_bug.cgi?id=174506
1962
1963         Reviewed by Darin Adler.
1964
1965         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
1966         return ParseError.
1967
1968         * runtime/ConfigFile.cpp:
1969         (JSC::ConfigFile::parse):
1970
1971 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
1972
1973         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
1974         https://bugs.webkit.org/show_bug.cgi?id=174557
1975
1976         Reviewed by Michael Catanzaro.
1977
1978         * CMakeLists.txt:
1979
1980 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1981
1982         [WTF] Use std::unique_ptr for StackTrace
1983         https://bugs.webkit.org/show_bug.cgi?id=174495
1984
1985         Reviewed by Alex Christensen.
1986
1987         * runtime/ExceptionScope.cpp:
1988         (JSC::ExceptionScope::unexpectedExceptionMessage):
1989         * runtime/VM.cpp:
1990         (JSC::VM::throwException):
1991
1992 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1993
1994         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
1995         https://bugs.webkit.org/show_bug.cgi?id=174423
1996
1997         Reviewed by Saam Barati.
1998
1999         * dfg/DFGAvailabilityMap.cpp:
2000         (JSC::DFG::AvailabilityMap::pruneHeap):
2001         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2002
2003 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2004
2005         Fix compiler warnings when building with GCC 7
2006         https://bugs.webkit.org/show_bug.cgi?id=174463
2007
2008         Reviewed by Darin Adler.
2009
2010         * disassembler/udis86/udis86_decode.c:
2011         (decode_operand):
2012
2013 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2014
2015         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2016         https://bugs.webkit.org/show_bug.cgi?id=174467
2017
2018         Reviewed by Saam Barati.
2019
2020         * bytecode/CallLinkInfo.cpp:
2021         (JSC::CallLinkInfo::callTypeFor):
2022
2023 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2024
2025         Web Inspector: Remove unused and untested Page domain commands
2026         https://bugs.webkit.org/show_bug.cgi?id=174429
2027
2028         Reviewed by Timothy Hatcher.
2029
2030         * inspector/protocol/Page.json:
2031
2032 2017-07-13  Saam Barati  <sbarati@apple.com>
2033
2034         Missing exception check in JSObject::hasInstance
2035         https://bugs.webkit.org/show_bug.cgi?id=174455
2036         <rdar://problem/31384608>
2037
2038         Reviewed by Mark Lam.
2039
2040         * runtime/JSObject.cpp:
2041         (JSC::JSObject::hasInstance):
2042
2043 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2044
2045         [ESnext] Implement Object Spread
2046         https://bugs.webkit.org/show_bug.cgi?id=167963
2047
2048         Reviewed by Saam Barati.
2049
2050         This patch implements ECMA262 stage 3 Object Spread proposal [1].
2051         It's implemented using CopyDataPropertiesNoExclusions to copy
2052         all enumerable keys from the object being spread. The implementation of
2053         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2054         implementation, however we don't receive excludedNames as a parameter.
2055
2056         [1] - https://github.com/tc39/proposal-object-rest-spread
2057
2058         * builtins/GlobalOperations.js:
2059         (globalPrivate.copyDataPropertiesNoExclusions):
2060         * bytecompiler/BytecodeGenerator.cpp:
2061         (JSC::BytecodeGenerator::emitLoad):
2062         * bytecompiler/NodesCodegen.cpp:
2063         (JSC::PropertyListNode::emitBytecode):
2064         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2065         * parser/ASTBuilder.h:
2066         (JSC::ASTBuilder::createObjectSpreadExpression):
2067         (JSC::ASTBuilder::createProperty):
2068         * parser/NodeConstructors.h:
2069         (JSC::PropertyNode::PropertyNode):
2070         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2071         * parser/Nodes.h:
2072         (JSC::ObjectSpreadExpressionNode::expression):
2073         * parser/Parser.cpp:
2074         (JSC::Parser<LexerType>::parseProperty):
2075         * parser/SyntaxChecker.h:
2076         (JSC::SyntaxChecker::createObjectSpreadExpression):
2077         (JSC::SyntaxChecker::createProperty):
2078
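        The entry above says object spread is implemented with a CopyDataProperties variant that
        takes no excluded names. The following is an added example, not JSC's builtin or any code
        from the patch: a plain-JavaScript model of that operation (function names
        copyDataPropertiesNoExclusions, modelSpread and sampleCases are this example's own), written
        so its result can be compared against a real engine's `{ ...source }` on constructed input
        that covers the edge cases a reviewer would check: null/undefined sources, inherited and
        non-enumerable properties, accessors, symbol keys and primitive (string) sources.

```javascript
// Added example (not JSC's own code): a model of CopyDataProperties with no
// excluded names, i.e. what `{ ...source }` does per the Object Rest/Spread
// proposal, so the semantics the ChangeLog entry relies on can be checked.
function copyDataPropertiesNoExclusions(target, source) {
  // Spreading null or undefined is a no-op, not a TypeError.
  if (source === null || source === undefined) return target;
  const from = Object(source); // ToObject: primitives are boxed first
  // OwnPropertyKeys order: integer keys, then strings, then symbols.
  for (const key of Reflect.ownKeys(from)) {
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc && desc.enumerable) {
      // Get() runs accessors on the source; CreateDataProperty then defines a
      // plain data property on the target, never an accessor.
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// `{ ...a, ...b }` is modelled as successive copies into a fresh object.
function modelSpread(...sources) {
  const result = {};
  for (const s of sources) copyDataPropertiesNoExclusions(result, s);
  return result;
}

// Constructed sample input (this example's own) exercising the edge cases,
// returned alongside the native spread result for comparison.
function sampleCases() {
  const sym = Symbol('tag');
  let getterCalls = 0;
  const proto = { inherited: 1 };
  const src = Object.create(proto, {
    own: { value: 2, enumerable: true },
    hidden: { value: 3, enumerable: false },
    computed: { get() { getterCalls++; return 4; }, enumerable: true },
    [sym]: { value: 5, enumerable: true },
  });
  const model = modelSpread(src, null, 'ab');
  const native = { ...src, ...null, ...'ab' };
  // Each spread reads the accessor exactly once, so two calls in total.
  return { model, native, getterCalls, sym };
}
```

        Running sampleCases() and comparing `model` with `native` shows the properties a spread
        copies (own enumerable string and symbol keys, indexed characters of a string) and the ones
        it skips (inherited and non-enumerable keys, the string's `length`), and that an accessor on
        the source becomes a plain data property on the result.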
2079 2017-07-12  Mark Lam  <mark.lam@apple.com>
2080
2081         Gardening: build fix after r219434.
2082         https://bugs.webkit.org/show_bug.cgi?id=174441
2083
2084         Not reviewed.
2085
2086         Make public some MacroAssembler functions that are needed by the probe implementation.
2087
2088         * assembler/MacroAssemblerARM.h:
2089         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2090         * assembler/MacroAssemblerARMv7.h:
2091         (JSC::MacroAssemblerARMv7::linkCall):
2092
2093 2017-07-12  Mark Lam  <mark.lam@apple.com>
2094
2095         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2096         https://bugs.webkit.org/show_bug.cgi?id=174441
2097
2098         Reviewed by Saam Barati.
2099
2100         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2101         to MacroAssembler.  There is no code behavior change.
2102
2103         * assembler/AbstractMacroAssembler.h:
2104         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2105         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2106         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2107         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2108         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2109         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2110         * assembler/MacroAssembler.h:
2111         (JSC::MacroAssembler::CPUState::gprName):
2112         (JSC::MacroAssembler::CPUState::fprName):
2113         (JSC::MacroAssembler::CPUState::gpr):
2114         (JSC::MacroAssembler::CPUState::fpr):
2115         * assembler/MacroAssemblerARM.cpp:
2116         (JSC::MacroAssembler::probe):
2117         (JSC::MacroAssemblerARM::probe): Deleted.
2118         * assembler/MacroAssemblerARM.h:
2119         * assembler/MacroAssemblerARM64.cpp:
2120         (JSC::MacroAssembler::probe):
2121         (JSC::MacroAssemblerARM64::probe): Deleted.
2122         * assembler/MacroAssemblerARM64.h:
2123         * assembler/MacroAssemblerARMv7.cpp:
2124         (JSC::MacroAssembler::probe):
2125         (JSC::MacroAssemblerARMv7::probe): Deleted.
2126         * assembler/MacroAssemblerARMv7.h:
2127         * assembler/MacroAssemblerMIPS.h:
2128         * assembler/MacroAssemblerX86Common.cpp:
2129         (JSC::MacroAssembler::probe):
2130         (JSC::MacroAssemblerX86Common::probe): Deleted.
2131         * assembler/MacroAssemblerX86Common.h:
2132
2133 2017-07-12  Saam Barati  <sbarati@apple.com>
2134
2135         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2136         https://bugs.webkit.org/show_bug.cgi?id=174411
2137         <rdar://problem/31696186>
2138
2139         Reviewed by Mark Lam.
2140
2141         The code for deleting an argument was incorrectly referencing state
2142         when it decided if it should unmap or mark a property as having its
2143         descriptor modified. This patch fixes the bug where if we delete a
2144         property, we would sometimes not unmap an argument when deleting it.
2145
2146         * runtime/GenericArgumentsInlines.h:
2147         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2148         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2149         (JSC::GenericArguments<Type>::deleteProperty):
2150         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2151
2152 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2153
2154         Unreviewed, rolling out r219176.
2155         https://bugs.webkit.org/show_bug.cgi?id=174436
2156
2157         "Can cause infinite recursion on iOS" (Requested by mlam on
2158         #webkit).
2159
2160         Reverted changeset:
2161
2162         "WTF::Thread should have the threads stack bounds."
2163         https://bugs.webkit.org/show_bug.cgi?id=173975
2164         http://trac.webkit.org/changeset/219176
2165
2166 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2167
2168         Unreviewed, rolling out r219401.
2169
2170         This revision rolled out the previous patch, but after talking
2171         with the reviewer, a rebaseline is what was needed. Rolling back in
2172         before rebaseline.
2173
2174         Reverted changeset:
2175
2176         "Unreviewed, rolling out r219379."
2177         https://bugs.webkit.org/show_bug.cgi?id=174400
2178         http://trac.webkit.org/changeset/219401
2179
2180 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2181
2182         Unreviewed, rolling out r219379.
2183
2184         This revision caused a consistent failure in the test
2185         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
2187
2188         Reverted changeset:
2189
2190         "Remove NAVIGATOR_HWCONCURRENCY"
2191         https://bugs.webkit.org/show_bug.cgi?id=174400
2192         http://trac.webkit.org/changeset/219379
2193
2194 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2195
2196         Wrong radix used in Unicode Escape in invalid character error message
2197         https://bugs.webkit.org/show_bug.cgi?id=174419
2198
2199         Reviewed by Alex Christensen.
2200
2201         * parser/Lexer.cpp:
2202         (JSC::Lexer<T>::invalidCharacterMessage):
2203
2204 2017-07-11  Dean Jackson  <dino@apple.com>
2205
2206         Remove NAVIGATOR_HWCONCURRENCY
2207         https://bugs.webkit.org/show_bug.cgi?id=174400
2208
2209         Reviewed by Sam Weinig.
2210
2211         * Configurations/FeatureDefines.xcconfig:
2212
2213 2017-07-11  Dean Jackson  <dino@apple.com>
2214
2215         Rolling out r219372.
2216
2217         * Configurations/FeatureDefines.xcconfig:
2218
2219 2017-07-11  Dean Jackson  <dino@apple.com>
2220
2221         Remove NAVIGATOR_HWCONCURRENCY
2222         https://bugs.webkit.org/show_bug.cgi?id=174400
2223
2224         Reviewed by Sam Weinig.
2225
2226         * Configurations/FeatureDefines.xcconfig:
2227
2228 2017-07-11  Saam Barati  <sbarati@apple.com>
2229
2230         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2231         https://bugs.webkit.org/show_bug.cgi?id=174397
2232
2233         Rubber stamped by David Kilzer.
2234
2235         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2236         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2237
2238 2017-07-10  Saam Barati  <sbarati@apple.com>
2239
2240         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2241         https://bugs.webkit.org/show_bug.cgi?id=174321
2242         <rdar://problem/32604963>
2243
2244         Reviewed by Filip Pizlo.
2245
2246         When the allocation sinking phase was generating stores to materialize
2247         objects in a cycle with each other, it would assume that each materialized
2248         object had a valid, non-empty set of structures. This is an OK assumption for
2249         the phase to make because how do you materialize an object with no structure?
2250         
2251         The abstract interpretation part of the phase will model what's in the heap.
2252         However, it would sometimes model that a CheckStructure would fail. The phase
2253         did nothing special for this; it just stored the empty set of structures for
2254         its representation of a particular allocation. However, what the phase proved
2255         in such a scenario is that, had the CheckStructure executed, it would have exited.
2256         
2257         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2258         This will cause the allocation in question to be materialized just before
2259         the CheckStructure, and then at execution time, the CheckStructure will exit.
2260         
2261         I wasn't able to write a test case for this. However, I was able to reproduce
2262         this crash by manually editing the IR. I've opened a separate bug to help us
2263         create a testing framework for writing tests for hard to reproduce bugs like this:
2264         https://bugs.webkit.org/show_bug.cgi?id=174322
2265
2266         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2267
2268 2017-07-10  Devin Rousso  <drousso@apple.com>
2269
2270         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2271         https://bugs.webkit.org/show_bug.cgi?id=174279
2272
2273         Reviewed by Matt Baker.
2274
2275         * inspector/protocol/DOM.json:
2276         Add `highlightNodeList` command that will highlight each node in the given list.
2277
2278 2017-07-03  Brian Burg  <bburg@apple.com>
2279
2280         Web Replay: remove some unused code
2281         https://bugs.webkit.org/show_bug.cgi?id=173903
2282
2283         Rubber-stamped by Joseph Pecoraro.
2284
2285         * CMakeLists.txt:
2286         * Configurations/FeatureDefines.xcconfig:
2287         * DerivedSources.make:
2288         * JavaScriptCore.xcodeproj/project.pbxproj:
2289         * inspector/protocol/Replay.json: Removed.
2290         * replay/EmptyInputCursor.h: Removed.
2291         * replay/EncodedValue.cpp: Removed.
2292         * replay/EncodedValue.h: Removed.
2293         * replay/InputCursor.h: Removed.
2294         * replay/JSInputs.json: Removed.
2295         * replay/NondeterministicInput.h: Removed.
2296         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2297         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2298         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2299         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2300         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2301         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2302         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2303         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2304         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2305         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2306         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2307         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2308         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2309         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2310         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2311         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2312         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2313         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2314         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2315         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2316         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2317         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2318         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2319         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2320         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2321         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2322         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2323         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2324         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
2325         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
2326         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
2327         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
2328         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
2329         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
2330         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
2331         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
2332         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
2333         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
2334         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
2335         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
2336         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
2337         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
2338         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
2339         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
2340         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
2341         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
2342         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
2343         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
2344         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
2345         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
2346         * replay/scripts/tests/generate-input-with-guard.json: Removed.
2347         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
2348         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
2349         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
2350         * runtime/DateConstructor.cpp:
2351         (JSC::constructDate):
2352         (JSC::dateNow):
2353         (JSC::deterministicCurrentTime): Deleted.
2354         * runtime/JSGlobalObject.cpp:
2355         (JSC::JSGlobalObject::JSGlobalObject):
2356         (JSC::JSGlobalObject::setInputCursor): Deleted.
2357         * runtime/JSGlobalObject.h:
2358         (JSC::JSGlobalObject::inputCursor): Deleted.
2359
2360 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2361
2362         Move make-js-file-arrays.py from WebCore to JavaScriptCore
2363         https://bugs.webkit.org/show_bug.cgi?id=174024
2364
2365         Reviewed by Michael Catanzaro.
2366
2367         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
2368         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
2369         Added a command-line option to pass the namespace to use instead of WebCore.
2370
2371         * JavaScriptCore.xcodeproj/project.pbxproj:
2372         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
2373         (main):
2374
2375 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2376
2377         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
2378         https://bugs.webkit.org/show_bug.cgi?id=174296
2379
2380         Reviewed by Mark Lam.
2381
2382         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
2383         It caused a problem in scanning template literals. While template literals normalize
2384         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
2385         To handle it correctly, LineNumberAdder was introduced.
2386
2387         As of r219263, <LF><CR> is counted as two line terminators, so we no longer need
2388         LineNumberAdder. Let's just use shiftLineTerminator() instead.
2389
2390         * parser/Lexer.cpp:
2391         (JSC::Lexer<T>::parseTemplateLiteral):
2392         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
2393         (JSC::LineNumberAdder::clear): Deleted.
2394         (JSC::LineNumberAdder::add): Deleted.
2395
2396 2017-07-09  Dan Bernstein  <mitz@apple.com>
2397
2398         [Xcode] ICU headers aren’t treated as system headers after r219155
2399         https://bugs.webkit.org/show_bug.cgi?id=174299
2400
2401         Reviewed by Sam Weinig.
2402
2403         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
2404           C++ compilers.
2405
2406         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
2407         * runtime/IntlDateTimeFormat.cpp: Ditto.
2408         * runtime/JSGlobalObject.cpp: Ditto.
2409         * runtime/StringPrototype.cpp: Ditto.
2410
2411 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2412
2413         [JSC] Use fastMalloc / fastFree for STL containers
2414         https://bugs.webkit.org/show_bug.cgi?id=174297
2415
2416         Reviewed by Sam Weinig.
2417
2418         In some places, we intentionally use STL containers over WTF containers.
2419         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
2420         because we do not have effective empty / deleted representations in the key's value space.
2421         But just using STL containers means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
2422
2423         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
2424         We pass this allocator as the STL containers' allocator template parameter so that they allocate memory from fastMalloc.
2425
2426         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
2427         without compromising memory allocation throughput.
2428
2429         * dfg/DFGGraph.h:
2430         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2431         * ftl/FTLLowerDFGToB3.cpp:
2432         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2433         * runtime/FunctionHasExecutedCache.h:
2434         * runtime/TypeLocationCache.h:
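
        Added example, not WTF::FastAllocator itself: a minimal STL-compatible allocator that routes a
        std::unordered_map's allocations through a stand-in for fastMalloc / fastFree. The *StandIn names and
        the byte counter are assumptions made so the routing can be observed from outside the container.

```cpp
#include <cstddef>
#include <cstdlib>
#include <functional>
#include <new>
#include <string>
#include <unordered_map>

// Stand-in for WTF::fastMalloc / fastFree (assumption: any malloc-like pair works here).
// The counter records how many bytes were requested through this path, so a caller can
// prove that the container allocated from it rather than from the default operator new.
static std::size_t g_bytesFromFastMalloc = 0;

static void* fastMallocStandIn(std::size_t size)
{
    void* p = std::malloc(size);
    if (!p)
        throw std::bad_alloc();
    g_bytesFromFastMalloc += size;
    return p;
}

static void fastFreeStandIn(void* p)
{
    std::free(p);
}

// Minimal C++ allocator in the spirit of WTF::FastAllocator: every allocation made by an
// STL container instantiated with it (nodes, bucket arrays) goes through the pair above.
template<typename T>
struct FastAllocatorStandIn {
    using value_type = T;

    FastAllocatorStandIn() = default;
    // Converting constructor so the container can rebind to its node type.
    template<typename U> FastAllocatorStandIn(const FastAllocatorStandIn<U>&) noexcept { }

    T* allocate(std::size_t n)
    {
        return static_cast<T*>(fastMallocStandIn(n * sizeof(T)));
    }

    void deallocate(T* p, std::size_t) noexcept
    {
        fastFreeStandIn(p);
    }

    template<typename U> bool operator==(const FastAllocatorStandIn<U>&) const noexcept { return true; }
    template<typename U> bool operator!=(const FastAllocatorStandIn<U>&) const noexcept { return false; }
};

// std::unordered_map with the allocator plugged into its allocator template parameter,
// the same spot the entry above describes for WTF::FastAllocator.
template<typename K, typename V>
using FastUnorderedMap = std::unordered_map<K, V, std::hash<K>, std::equal_to<K>,
                                            FastAllocatorStandIn<std::pair<const K, V>>>;

// Populates a map with `entries` items and returns how many bytes the container requested
// from the fast-malloc path; a non-zero result shows the allocator is actually in use.
std::size_t bytesAllocatedByFastMap(int entries)
{
    g_bytesFromFastMalloc = 0;
    FastUnorderedMap<int, std::string> map;
    for (int i = 0; i < entries; ++i)
        map.emplace(i, "value");
    return g_bytesFromFastMalloc;
}
```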
2435
2436 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2437
2438         Drop NOSNIFF compile flag
2439         https://bugs.webkit.org/show_bug.cgi?id=174289
2440
2441         Reviewed by Michael Catanzaro.
2442
2443         * Configurations/FeatureDefines.xcconfig:
2444
2445 2017-07-07  AJ Ringer  <aringer@apple.com>
2446
2447         Lower the max_protection for the separated heap
2448         https://bugs.webkit.org/show_bug.cgi?id=174281
2449
2450         Reviewed by Oliver Hunt.
2451
2452         Switch to vm_protect so we can set maximum page protection.
2453
2454         * jit/ExecutableAllocator.cpp:
2455         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2456         (JSC::ExecutableAllocator::allocate):
2457
2458 2017-07-07  Devin Rousso  <drousso@apple.com>
2459
2460         Web Inspector: Show all elements currently using a given CSS Canvas
2461         https://bugs.webkit.org/show_bug.cgi?id=173965
2462
2463         Reviewed by Joseph Pecoraro.
2464
2465         * inspector/protocol/Canvas.json:
2466          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
2467            canvas via -webkit-canvas.
2468          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
2469            added/removed from the list of -webkit-canvas clients.
2470
2471 2017-07-07  Mark Lam  <mark.lam@apple.com>
2472
2473         \n\r is not the same as \r\n.
2474         https://bugs.webkit.org/show_bug.cgi?id=173053
2475
2476         Reviewed by Keith Miller.
2477
2478         * parser/Lexer.cpp:
2479         (JSC::Lexer<T>::shiftLineTerminator):
2480         (JSC::LineNumberAdder::add):
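
        Added example illustrating this entry and the LineNumberAdder removal above (r219263's rule
        that <CR><LF> is one terminator while <LF><CR> is two); it is not JSC code, and the helper
        names and the legacy flag are assumptions. It shows why the per-terminator line count now
        agrees with template-literal normalization without a LineNumberAdder, and why it did not before.

```cpp
#include <cstddef>
#include <string>

// Length in characters of the line terminator starting at src[i], or 0 if there is none.
// Current rule (r219263): <CR><LF> is one terminator, <LF><CR> is two separate ones.
// With legacyLfCrAsOne set, <LF><CR> is also folded into one, as JSC did before r219263.
static std::size_t lineTerminatorLength(const std::string& src, std::size_t i, bool legacyLfCrAsOne)
{
    if (i >= src.size())
        return 0;
    char c = src[i];
    if (c != '\n' && c != '\r')
        return 0;
    bool hasNext = i + 1 < src.size();
    if (c == '\r' && hasNext && src[i + 1] == '\n')
        return 2; // <CR><LF>: always a single terminator.
    if (c == '\n' && legacyLfCrAsOne && hasNext && src[i + 1] == '\r')
        return 2; // <LF><CR>: one terminator only under the old rule.
    return 1;
}

// Number of line terminators a scanner advancing with the rule above would see,
// i.e. how many times the line number would be incremented while lexing `src`.
int countLineTerminators(const std::string& src, bool legacyLfCrAsOne = false)
{
    int lines = 0;
    for (std::size_t i = 0; i < src.size();) {
        std::size_t len = lineTerminatorLength(src, i, legacyLfCrAsOne);
        if (len) {
            ++lines;
            i += len;
        } else
            ++i;
    }
    return lines;
}

// Template literal normalization: <CR><LF> and a lone <CR> both become <LF>. Under the
// per-terminator rule <LF><CR> therefore turns into <LF><LF>, which is exactly the
// <LF><CR> -> <LF><LF> behaviour the entries above describe.
std::string normalizeTemplateLineTerminators(const std::string& src)
{
    std::string out;
    for (std::size_t i = 0; i < src.size();) {
        std::size_t len = lineTerminatorLength(src, i, /* legacyLfCrAsOne */ false);
        if (len) {
            out += '\n';
            i += len;
        } else
            out += src[i++];
    }
    return out;
}
```

        Under the current rule the raw source and its normalized form yield the same count for
        "a\n\rb" (2 and 2); under the legacy rule they disagree (1 versus 2), which is the gap
        LineNumberAdder used to paper over.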
2481
2482 2017-07-07  Commit Queue  <commit-queue@webkit.org>
2483
2484         Unreviewed, rolling out r219238, r219239, and r219241.
2485         https://bugs.webkit.org/show_bug.cgi?id=174265
2486
2487         "fast/workers/dedicated-worker-lifecycle.html is flaky"
2488         (Requested by yusukesuzuki on #webkit).
2489
2490         Reverted changesets:
2491
2492         "[WTF] Implement WTF::ThreadGroup"
2493         https://bugs.webkit.org/show_bug.cgi?id=174081
2494         http://trac.webkit.org/changeset/219238
2495
2496         "Unreviewed, build fix after r219238"
2497         https://bugs.webkit.org/show_bug.cgi?id=174081
2498         http://trac.webkit.org/changeset/219239
2499
2500         "Unreviewed, CLoop build fix after r219238"
2501         https://bugs.webkit.org/show_bug.cgi?id=174081
2502         http://trac.webkit.org/changeset/219241
2503
2504 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2505
2506         Unreviewed, CLoop build fix after r219238
2507         https://bugs.webkit.org/show_bug.cgi?id=174081
2508
2509         * heap/MachineStackMarker.cpp:
2510
2511 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2512
2513         [WTF] Implement WTF::ThreadGroup
2514         https://bugs.webkit.org/show_bug.cgi?id=174081
2515
2516         Reviewed by Mark Lam.
2517
2518         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
2519         and SamplingProfiler and others interact with WTF::Thread directly.
2520
2521         * API/tests/ExecutionTimeLimitTest.cpp:
2522         * heap/MachineStackMarker.cpp:
2523         (JSC::MachineThreads::MachineThreads):
2524         (JSC::captureStack):
2525         (JSC::MachineThreads::tryCopyOtherThreadStack):
2526         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2527         (JSC::MachineThreads::gatherConservativeRoots):
2528         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2529         (JSC::ActiveMachineThreadsManager::add): Deleted.
2530         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2531         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2532         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2533         (JSC::activeMachineThreadsManager): Deleted.
2534         (JSC::MachineThreads::~MachineThreads): Deleted.
2535         (JSC::MachineThreads::addCurrentThread): Deleted.
2536         (): Deleted.
2537         (JSC::MachineThreads::removeThread): Deleted.
2538         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2539         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2540         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2541         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2542         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2543         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2544         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2545         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2546         * heap/MachineStackMarker.h:
2547         (JSC::MachineThreads::addCurrentThread):
2548         (JSC::MachineThreads::getLock):
2549         (JSC::MachineThreads::threads):
2550         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2551         (JSC::MachineThreads::MachineThread::resume): Deleted.
2552         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2553         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2554         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2555         (JSC::MachineThreads::threadsListHead): Deleted.
2556         * runtime/SamplingProfiler.cpp:
2557         (JSC::FrameWalker::isValidFramePointer):
2558         (JSC::SamplingProfiler::SamplingProfiler):
2559         (JSC::SamplingProfiler::takeSample):
2560         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2561         * runtime/SamplingProfiler.h:
2562         * wasm/WasmMachineThreads.cpp:
2563         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2564
2565 2017-07-06  Saam Barati  <sbarati@apple.com>
2566
2567         We are missing places where we invalidate the for-in context
2568         https://bugs.webkit.org/show_bug.cgi?id=174184
2569
2570         Reviewed by Geoffrey Garen.
2571
2572         * bytecompiler/BytecodeGenerator.cpp:
2573         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2574         * bytecompiler/NodesCodegen.cpp:
2575         (JSC::EmptyLetExpression::emitBytecode):
2576         (JSC::ForInNode::emitLoopHeader):
2577         (JSC::ForOfNode::emitBytecode):
2578         (JSC::BindingNode::bindValue):
2579
2580 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2581
2582         Unreviewed, suppress warnings in GCC environment
2583
2584         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2585         * runtime/IntlCollator.cpp:
2586         * runtime/IntlDateTimeFormat.cpp:
2587         * runtime/JSGlobalObject.cpp:
2588         * runtime/StringPrototype.cpp:
2589
2590 2017-07-05  Saam Barati  <sbarati@apple.com>
2591
2592         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2593         https://bugs.webkit.org/show_bug.cgi?id=174188
2594         <rdar://problem/30581423>
2595
2596         Reviewed by Mark Lam.
2597
2598         We were calling lowJSValue(edge) when we were speculating the
2599         edge as double. This isn't allowed. We should have been using
2600         lowDouble.
2601         
2602         This patch also adds a new option, called useArrayAllocationProfiling,
2603         which defaults to true. When false, it will make the array allocation
2604         profile not actually sample seen arrays. It'll force the allocation
2605         profile's predicted indexing type to be ArrayWithUndecided. Adding
2606         this option made it trivial to write a test for this bug.
2607
2608         * bytecode/ArrayAllocationProfile.cpp:
2609         (JSC::ArrayAllocationProfile::updateIndexingType):
2610         * ftl/FTLLowerDFGToB3.cpp:
2611         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2612         * runtime/Options.h:
2613
2614 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2615
2616         WTF::Thread should have the threads stack bounds.
2617         https://bugs.webkit.org/show_bug.cgi?id=173975
2618
2619         Reviewed by Keith Miller.
2620
2621         There is a site in JSC that tries to walk another thread's stack.
2622         Currently, stack bounds are stored in WTFThreadData, which is located
2623         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2624         We work around this situation by holding StackBounds in MachineThread in JSC,
2625         but StackBounds should be put in WTF::Thread instead.
2626
2627         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2628         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2629         is a natural choice.
2630
2631         * heap/MachineStackMarker.cpp:
2632         (JSC::MachineThreads::MachineThread::MachineThread):
2633         (JSC::MachineThreads::MachineThread::captureStack):
2634         * heap/MachineStackMarker.h:
2635         (JSC::MachineThreads::MachineThread::stackBase):
2636         (JSC::MachineThreads::MachineThread::stackEnd):
2637         * runtime/InitializeThreading.cpp:
2638         (JSC::initializeThreading):
2639         * runtime/VM.cpp:
2640         (JSC::VM::VM):
2641         (JSC::VM::updateStackLimits):
2642         (JSC::VM::committedStackByteCount):
2643         * runtime/VM.h:
2644         (JSC::VM::isSafeToRecurse):
2645         * runtime/VMEntryScope.cpp:
2646         (JSC::VMEntryScope::VMEntryScope):
2647         * runtime/VMInlines.h:
2648         (JSC::VM::ensureStackCapacityFor):
2649         * runtime/VMTraps.cpp:
2650         * yarr/YarrPattern.cpp:
2651         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2652
2653 2017-07-05  Keith Miller  <keith_miller@apple.com>
2654
2655         Crashing with information should have an abort reason
2656         https://bugs.webkit.org/show_bug.cgi?id=174185
2657
2658         Reviewed by Saam Barati.
2659
2660         Add crash information for the abstract interpreter and add an enum
2661         value for object allocation sinking.
2662
2663         * assembler/AbortReason.h:
2664         * dfg/DFGAbstractInterpreterInlines.h:
2665         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2666         * dfg/DFGGraph.cpp:
2667         (JSC::DFG::logDFGAssertionFailure):
2668         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2669
2670 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2671
2672         Remove copy of ICU headers from WebKit
2673         https://bugs.webkit.org/show_bug.cgi?id=116407
2674
2675         Reviewed by Alex Christensen.
2676
2677         Use WTF's copy of ICU headers.
2678
2679         * Configurations/Base.xcconfig:
2680         * icu/unicode/localpointer.h: Removed.
2681         * icu/unicode/parseerr.h: Removed.
2682         * icu/unicode/platform.h: Removed.
2683         * icu/unicode/ptypes.h: Removed.
2684         * icu/unicode/putil.h: Removed.
2685         * icu/unicode/uchar.h: Removed.
2686         * icu/unicode/ucnv.h: Removed.
2687         * icu/unicode/ucnv_err.h: Removed.
2688         * icu/unicode/ucol.h: Removed.
2689         * icu/unicode/uconfig.h: Removed.
2690         * icu/unicode/ucurr.h: Removed.
2691         * icu/unicode/uenum.h: Removed.
2692         * icu/unicode/uiter.h: Removed.
2693         * icu/unicode/uloc.h: Removed.
2694         * icu/unicode/umachine.h: Removed.
2695         * icu/unicode/unorm.h: Removed.
2696         * icu/unicode/unorm2.h: Removed.
2697         * icu/unicode/urename.h: Removed.
2698         * icu/unicode/uscript.h: Removed.
2699         * icu/unicode/uset.h: Removed.
2700         * icu/unicode/ustring.h: Removed.
2701         * icu/unicode/utf.h: Removed.
2702         * icu/unicode/utf16.h: Removed.
2703         * icu/unicode/utf8.h: Removed.
2704         * icu/unicode/utf_old.h: Removed.
2705         * icu/unicode/utypes.h: Removed.
2706         * icu/unicode/uvernum.h: Removed.
2707         * icu/unicode/uversion.h: Removed.
2708         * runtime/IntlCollator.cpp:
2709         * runtime/IntlDateTimeFormat.cpp:
2710         (JSC::IntlDateTimeFormat::partTypeString):
2711         * runtime/JSGlobalObject.cpp:
2712         * runtime/StringPrototype.cpp:
2713         (JSC::normalize):
2714         (JSC::stringProtoFuncNormalize):
2715
2716 2017-07-05  Devin Rousso  <drousso@apple.com>
2717
2718         Web Inspector: Allow users to log any tracked canvas context
2719         https://bugs.webkit.org/show_bug.cgi?id=173397
2720         <rdar://problem/33111581>
2721
2722         Reviewed by Joseph Pecoraro.
2723
2724         * inspector/protocol/Canvas.json:
2725         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
2726
2727 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
2728
2729         Add WebKitPrivateFrameworkStubs for iOS 11
2730         https://bugs.webkit.org/show_bug.cgi?id=173988
2731
2732         Reviewed by David Kilzer.
2733
2734         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
2735         same directory for private framework stubs.
2736
2737 2017-07-05  JF Bastien  <jfbastien@apple.com>
2738
2739         WebAssembly: implement name section's module name, skip unknown sections
2740         https://bugs.webkit.org/show_bug.cgi?id=172008
2741
2742         Reviewed by Keith Miller.
2743
2744         Parse the WebAssembly module name properly, and skip unknown
2745         sections. This is useful because as toolchains support new types
2746         of names we want to keep displaying the information we know about
2747         and simply ignore new information. That capability was designed
2748         into WebAssembly's name section.
2749
2750         Failure to commit this patch would mean that WebKit won't display
2751         stack trace information, which would make developers sad.
2752
2753         Module names were added here: https://github.com/WebAssembly/design/pull/1055
2754
2755         Note that this patch doesn't do anything with the parsed name! Two
2756         reasons for this: module names aren't supported in binaryen yet,
2757         so I can't write a simple binary test; and using the name is a
2758         slightly riskier change because it requires changing StackVisitor
2759         + StackFrame (where they print "[wasm code]") which requires
2760         figuring out the frame's Module. The latter bit isn't trivial
2761         because we only know wasm frames from their tag bits, and
2762         CodeBlocks are always nullptr.
2763
2764         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
2765
2766         I filed #174098 to use the module name.
2767
2768         * wasm/WasmFormat.h:
2769         (JSC::Wasm::isValidNameType):
2770         * wasm/WasmNameSectionParser.cpp:
2771
2772 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
2773
2774         Cleanup some StringBuilder use
2775         https://bugs.webkit.org/show_bug.cgi?id=174118
2776
2777         Reviewed by Andreas Kling.
2778
2779         * runtime/FunctionConstructor.cpp:
2780         (JSC::constructFunctionSkippingEvalEnabledCheck):
2781         * tools/FunctionOverrides.cpp:
2782         (JSC::parseClause):
2783         * wasm/WasmOMGPlan.cpp:
2784         * wasm/WasmPlan.cpp:
2785         * wasm/WasmValidate.cpp:
2786
2787 2017-07-03  Saam Barati  <sbarati@apple.com>
2788
2789         LayoutTest workers/bomb.html is a Crash
2790         https://bugs.webkit.org/show_bug.cgi?id=167757
2791         <rdar://problem/33086462>
2792
2793         Reviewed by Keith Miller.
2794
2795         VMTraps::SignalSender was accessing VM fields even after
2796         the VM was destroyed. This happened when the SignalSender
2797         thread was in the middle of its work() function while VMTraps
2798         was notified that the VM was shutting down. The VM would proceed
2799         to run its destructor even after the SignalSender thread finished
2800         doing its work. This means that the SignalSender thread was accessing
2801         VM fields even after the VM was destructed (including itself, since it is
2802         transitively owned by the VM). The VM must wait for the SignalSender
2803         thread to shutdown before it can continue to destruct itself.
2804
2805         * runtime/VMTraps.cpp:
2806         (JSC::VMTraps::willDestroyVM):
2807
2808 2017-07-03  Saam Barati  <sbarati@apple.com>
2809
2810         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
2811         https://bugs.webkit.org/show_bug.cgi?id=174110
2812
2813         Reviewed by Michael Saboff.
2814
2815         * dfg/DFGByteCodeParser.cpp:
2816         (JSC::DFG::ByteCodeParser::parseBlock):
2817
2818 2017-07-03  Saam Barati  <sbarati@apple.com>
2819
2820         Add a new assertion to object allocation sinking phase
2821         https://bugs.webkit.org/show_bug.cgi?id=174107
2822
2823         Rubber stamped by Filip Pizlo.
2824
2825         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2826
2827 2017-07-03  Commit Queue  <commit-queue@webkit.org>
2828
2829         Unreviewed, rolling out r219060.
2830         https://bugs.webkit.org/show_bug.cgi?id=174108
2831
2832         crashing constantly when initializing UIWebView (Requested by
2833         thorton on #webkit).
2834
2835         Reverted changeset:
2836
2837         "WTF::Thread should have the threads stack bounds."
2838         https://bugs.webkit.org/show_bug.cgi?id=173975
2839         http://trac.webkit.org/changeset/219060
2840
2841 2017-07-03  Matt Lewis  <jlewis3@apple.com>
2842
2843         Unreviewed, rolling out r219103.
2844
2845         Caused multiple build failures.
2846
2847         Reverted changeset:
2848
2849         "Remove copy of ICU headers from WebKit"
2850         https://bugs.webkit.org/show_bug.cgi?id=116407
2851         http://trac.webkit.org/changeset/219103
2852
2853 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2854
2855         Remove copy of ICU headers from WebKit
2856         https://bugs.webkit.org/show_bug.cgi?id=116407
2857
2858         Reviewed by Alex Christensen.
2859
2860         Use WTF's copy of ICU headers.
2861
2862         * Configurations/Base.xcconfig:
2863         * icu/unicode/localpointer.h: Removed.
2864         * icu/unicode/parseerr.h: Removed.
2865         * icu/unicode/platform.h: Removed.
2866         * icu/unicode/ptypes.h: Removed.
2867         * icu/unicode/putil.h: Removed.
2868         * icu/unicode/uchar.h: Removed.
2869         * icu/unicode/ucnv.h: Removed.
2870         * icu/unicode/ucnv_err.h: Removed.
2871         * icu/unicode/ucol.h: Removed.
2872         * icu/unicode/uconfig.h: Removed.
2873         * icu/unicode/ucurr.h: Removed.
2874         * icu/unicode/uenum.h: Removed.
2875         * icu/unicode/uiter.h: Removed.
2876         * icu/unicode/uloc.h: Removed.
2877         * icu/unicode/umachine.h: Removed.
2878         * icu/unicode/unorm.h: Removed.
2879         * icu/unicode/unorm2.h: Removed.
2880         * icu/unicode/urename.h: Removed.
2881         * icu/unicode/uscript.h: Removed.
2882         * icu/unicode/uset.h: Removed.
2883         * icu/unicode/ustring.h: Removed.
2884         * icu/unicode/utf.h: Removed.
2885         * icu/unicode/utf16.h: Removed.
2886         * icu/unicode/utf8.h: Removed.
2887         * icu/unicode/utf_old.h: Removed.
2888         * icu/unicode/utypes.h: Removed.
2889         * icu/unicode/uvernum.h: Removed.
2890         * icu/unicode/uversion.h: Removed.
2891         * runtime/IntlCollator.cpp:
2892         * runtime/IntlDateTimeFormat.cpp:
2893         * runtime/JSGlobalObject.cpp:
2894         * runtime/StringPrototype.cpp:
2895
2896 2017-07-03  Saam Barati  <sbarati@apple.com>
2897
2898         Add better crash logging for allocation sinking phase
2899         https://bugs.webkit.org/show_bug.cgi?id=174102
2900         <rdar://problem/33112092>
2901
2902         Rubber stamped by Filip Pizlo.
2903
2904         I'm trying to gather better information from crashlogs about why
2905         we're crashing in the allocation sinking phase. I'm adding an allocation
2906         sinking specific RELEASE_ASSERT as well as marking a few functions as
2907         NEVER_INLINE to have the stack traces in the crash trace contain more
2908         actionable information.
2909
2910         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2911
2912 2017-07-03  Sam Weinig  <sam@webkit.org>
2913
2914         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
2915         https://bugs.webkit.org/show_bug.cgi?id=174083
2916
2917         Reviewed by Alex Christensen.
2918
2919         * Configurations/FeatureDefines.xcconfig:
2920         Add ENABLE_NAVIGATOR_STANDALONE.
2921
2922 2017-07-03  Andy Estes  <aestes@apple.com>
2923
2924         [Xcode] Add an experimental setting to build with ccache
2925         https://bugs.webkit.org/show_bug.cgi?id=173875
2926
2927         Reviewed by Tim Horton.
2928
2929         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
2930
2931 2017-07-03  Devin Rousso  <drousso@apple.com>
2932
2933         Web Inspector: Support listing WebGL2 and WebGPU contexts
2934         https://bugs.webkit.org/show_bug.cgi?id=173396
2935
2936         Reviewed by Joseph Pecoraro.
2937
2938         * inspector/protocol/Canvas.json:
2939         * inspector/scripts/codegen/generator.py:
2940         (Generator.stylized_name_for_enum_value):
2941         Add cases for handling new Canvas.ContextType protocol enumerations:
2942          - "webgl2" maps to `WebGL2`
2943          - "webgpu" maps to `WebGPU`
2944
2945 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2946
2947         WTF::Thread should have the threads stack bounds.
2948         https://bugs.webkit.org/show_bug.cgi?id=173975
2949
2950         Reviewed by Mark Lam.
2951
2952         There is a site in JSC that tries to walk another thread's stack.
2953         Currently, stack bounds are stored in WTFThreadData which is located
2954         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2955         We work around this situation by holding StackBounds in MachineThread in JSC,
2956         but StackBounds should be put in WTF::Thread instead.
2957
2958         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2959         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2960         is a natural choice.
2961
2962         * heap/MachineStackMarker.cpp:
2963         (JSC::MachineThreads::MachineThread::MachineThread):
2964         (JSC::MachineThreads::MachineThread::captureStack):
2965         * heap/MachineStackMarker.h:
2966         (JSC::MachineThreads::MachineThread::stackBase):
2967         (JSC::MachineThreads::MachineThread::stackEnd):
2968         * runtime/InitializeThreading.cpp:
2969         (JSC::initializeThreading):
2970         * runtime/VM.cpp:
2971         (JSC::VM::VM):
2972         (JSC::VM::updateStackLimits):
2973         (JSC::VM::committedStackByteCount):
2974         * runtime/VM.h:
2975         (JSC::VM::isSafeToRecurse):
2976         * runtime/VMEntryScope.cpp:
2977         (JSC::VMEntryScope::VMEntryScope):
2978         * runtime/VMInlines.h:
2979         (JSC::VM::ensureStackCapacityFor):
2980         * runtime/VMTraps.cpp:
2981         * yarr/YarrPattern.cpp:
2982         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2983
2984 2017-07-01  Dan Bernstein  <mitz@apple.com>
2985
2986         [iOS] Remove code only needed when building for iOS 9.x
2987         https://bugs.webkit.org/show_bug.cgi?id=174068
2988
2989         Reviewed by Tim Horton.
2990
2991         * Configurations/FeatureDefines.xcconfig:
2992         * jit/ExecutableAllocator.cpp:
2993         * runtime/Options.cpp:
2994         (JSC::recomputeDependentOptions):
2995
2996 2017-07-01  Dan Bernstein  <mitz@apple.com>
2997
2998         [macOS] Remove code only needed when building for OS X Yosemite
2999         https://bugs.webkit.org/show_bug.cgi?id=174067
3000
3001         Reviewed by Tim Horton.
3002
3003         * API/WebKitAvailability.h:
3004         * Configurations/Base.xcconfig:
3005         * Configurations/DebugRelease.xcconfig:
3006         * Configurations/FeatureDefines.xcconfig:
3007         * Configurations/Version.xcconfig:
3008
3009 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3010
3011         Unreviewed, build fix for GCC
3012         https://bugs.webkit.org/show_bug.cgi?id=174034
3013
3014         * b3/testb3.cpp:
3015         (JSC::B3::testDoubleLiteralComparison):
3016
3017 2017-06-30  Keith Miller  <keith_miller@apple.com>
3018
3019         Force crashWithInfo to be out of line.
3020         https://bugs.webkit.org/show_bug.cgi?id=174028
3021
3022         Reviewed by Filip Pizlo.
3023
3024         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
3025
3026         * dfg/DFGGraph.cpp:
3027         (JSC::DFG::logDFGAssertionFailure):
3028         (JSC::DFG::Graph::logAssertionFailure):
3029         (JSC::DFG::crash): Deleted.
3030         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3031         * dfg/DFGGraph.h:
3032
3033 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3034
3035         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
3036         https://bugs.webkit.org/show_bug.cgi?id=174053
3037
3038         Reviewed by Geoffrey Garen.
3039
3040         We already have AbstractMacroAssembler::random() function. Use it instead.
3041
3042         * jit/JIT.cpp:
3043         (JSC::JIT::JIT):
3044         (JSC::JIT::compileWithoutLinking):
3045         * jit/JIT.h:
3046
3047 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3048
3049         [WTF] Drop SymbolRegistry::keyForSymbol
3050         https://bugs.webkit.org/show_bug.cgi?id=174052
3051
3052         Reviewed by Sam Weinig.
3053
3054         * runtime/SymbolConstructor.cpp:
3055         (JSC::symbolConstructorKeyFor):
3056
3057 2017-06-30  Saam Barati  <sbarati@apple.com>
3058
3059         B3ReduceStrength should reduce EqualOrUnordered over const float input
3060         https://bugs.webkit.org/show_bug.cgi?id=174039
3061
3062         Reviewed by Michael Saboff.
3063
3064         We perform this folding for ConstDoubleValue. It is simply
3065         an oversight that we didn't do it for ConstFloatValue.
3066
3067         * b3/B3ConstFloatValue.cpp:
3068         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
3069         * b3/B3ConstFloatValue.h:
3070         * b3/testb3.cpp:
3071         (JSC::B3::testFloatEqualOrUnorderedFolding):
3072         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3073         (JSC::B3::testFloatEqualOrUnorderedDontFold):
3074         (JSC::B3::run):
3075
3076 2017-06-30  Matt Baker  <mattbaker@apple.com>
3077
3078         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
3079         https://bugs.webkit.org/show_bug.cgi?id=173840
3080         <rdar://problem/30840820>
3081
3082         Reviewed by Joseph Pecoraro.
3083
3084         When truncating an asynchronous stack trace, the parent chain is traversed
3085         until a locked node is found. The path from this node to the root is shared
3086         by more than one stack trace, and cannot be safely modified. Starting at
3087         the first locked node, the path is cloned and becomes a new stack trace tree.
3088
3089         However, the clone operation initialized each new AsyncStackTrace node with
3090         the original node's parent. This would increment the child count of the original
3091         node. When cloning nodes, new nodes should not have their parent set until the
3092         next node up the parent chain is cloned.
3093
3094         * inspector/AsyncStackTrace.cpp:
3095         (Inspector::AsyncStackTrace::truncate):
3096
3097 2017-06-30  Michael Saboff  <msaboff@apple.com>
3098
3099         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
3100         https://bugs.webkit.org/show_bug.cgi?id=174044
3101
3102         Reviewed by Oliver Hunt.
3103
3104         The .* enclosure optimization didn't respect that we can start matching from a non-zero
3105         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
3106         then finding the extent of the match by going back to the beginning of the line and going
3107         forward to the end of the line.  The code that went back to the beginning of the line
3108         checked for an index of 0 instead of comparing the index to the start position.  This start
3109         position is passed as the initial index.
3110
3111         Added another temporary register to the YARR JIT to contain the start position for
3112         platforms that have spare registers.
3113
3114         * yarr/Yarr.h:
3115         * yarr/YarrInterpreter.cpp:
3116         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3117         (JSC::Yarr::Interpreter::Interpreter):
3118         * yarr/YarrJIT.cpp:
3119         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3120         (JSC::Yarr::YarrGenerator::compile):
3121         * yarr/YarrPattern.cpp:
3122         (JSC::Yarr::YarrPattern::YarrPattern):
3123         * yarr/YarrPattern.h:
3124         (JSC::Yarr::YarrPattern::reset):
3125
3126 2017-06-30  Saam Barati  <sbarati@apple.com>
3127
3128         B3MoveConstants floatZero() returns the wrong ValueKey
3129         https://bugs.webkit.org/show_bug.cgi?id=174040
3130
3131         Reviewed by Filip Pizlo.
3132
3133         It had a typo where the ValueKey for floatZero() produces a Double
3134         instead of a Float.
3135
3136         * b3/B3MoveConstants.cpp:
3137
3138 2017-06-30  Saam Barati  <sbarati@apple.com>
3139
3140         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
3141         https://bugs.webkit.org/show_bug.cgi?id=174034
3142         <rdar://problem/30793007>
3143
3144         Reviewed by Filip Pizlo.
3145
3146         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
3147         reduce binary operations over double constants into the same binary
3148         operation over the double constants casted to floats. This is clearly
3149         incorrect as these two things will produce different values. For example:
3150         
3151         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
3152         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
3153         c = EqualOrUnordered(@a, @b) // produces 0
3154         
3155         into:
3156         
3157         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
3158         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
3159         c = EqualOrUnordered(@a, @b) // produces 1
3160         
3161         Which produces a different value for @c.
3162
3163         * b3/B3ReduceDoubleToFloat.cpp:
3164         * b3/testb3.cpp:
3165         (JSC::B3::doubleEq):
3166         (JSC::B3::doubleNeq):
3167         (JSC::B3::doubleGt):
3168         (JSC::B3::doubleGte):
3169         (JSC::B3::doubleLt):
3170         (JSC::B3::doubleLte):
3171         (JSC::B3::testDoubleLiteralComparison):
3172         (JSC::B3::run):
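
        The mismatch described above, reproduced in a small added example (not JSC's B3 code): the comparison is evaluated once over the double constants and once over the same constants narrowed to float, using the exact bit patterns from the entry. The helper names and the round-trip check are this example's own; B3 itself does not expose them under these names.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Re-interpret raw bits as a double (what the entry writes as bitwise_cast<double>).
static double doubleFromBits(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// B3's EqualOrUnordered semantics: true when a == b or when either operand is NaN.
template <typename T>
static bool equalOrUnordered(T a, T b) {
    return a == b || std::isnan(a) || std::isnan(b);
}

// Correct strength reduction: fold the comparison over the double constants themselves.
static int foldOverDoubles(uint64_t aBits, uint64_t bBits) {
    return equalOrUnordered(doubleFromBits(aBits), doubleFromBits(bBits)) ? 1 : 0;
}

// The reduction the entry calls incorrect: narrow both constants to float first,
// then compare. Narrowing is lossy, so the folded result can differ.
static int foldOverFloats(uint64_t aBits, uint64_t bBits) {
    float a = static_cast<float>(doubleFromBits(aBits));
    float b = static_cast<float>(doubleFromBits(bBits));
    return equalOrUnordered(a, b) ? 1 : 0;
}

// Precondition a DoubleToFloat reduction needs before it may rewrite a comparison:
// the constant must survive the float round trip unchanged (NaN is treated as
// representable because both widths have NaN). This check is this example's own.
static bool isExactlyRepresentableAsFloat(double d) {
    return std::isnan(d) || static_cast<double>(static_cast<float>(d)) == d;
}

// The two constants from the entry (constructed inputs): a negative denormal of
// about -4.9e-324, which rounds to -0.0f, and +0.0.
constexpr uint64_t kA = 0x8000000000000001ull;
constexpr uint64_t kB = 0x0000000000000000ull;
constexpr uint64_t kQuietNaN = 0x7FF8000000000000ull;
```

Over doubles the comparison folds to 0 (a tiny negative number is not equal to zero), over the narrowed floats it folds to 1 (-0.0f == 0.0f), and the round-trip check rejects kA as a candidate for narrowing.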
3173
3174 2017-06-29  Jer Noble  <jer.noble@apple.com>
3175
3176         Make Legacy EME API controlled by RuntimeEnabled setting.
3177         https://bugs.webkit.org/show_bug.cgi?id=173994
3178
3179         Reviewed by Sam Weinig.
3180
3181         * Configurations/FeatureDefines.xcconfig:
3182         * runtime/CommonIdentifiers.h:
3183
3184 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
3185
3186         Ran sort-Xcode-project-file.
3187
3188         * JavaScriptCore.xcodeproj/project.pbxproj:
3189
3190 2017-06-30  Matt Lewis  <jlewis3@apple.com>
3191
3192         Unreviewed, rolling out r218992.
3193
3194         The patch broke the iOS device builds.
3195
3196         Reverted changeset:
3197
3198         "DFG_ASSERT should allow stuffing registers before trapping."
3199         https://bugs.webkit.org/show_bug.cgi?id=174005
3200         http://trac.webkit.org/changeset/218992
3201
3202 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
3203
3204         RegExpCachedResult::setInput should reify left and right contexts
3205         https://bugs.webkit.org/show_bug.cgi?id=173818
3206
3207         Reviewed by Keith Miller.
3208         
3209         If you don't reify them in setInput, then when you later try to reify them, you'll end up
3210         using indices into an old input string to create a substring of a new input string. That
3211         never goes well.
3212
3213         * runtime/RegExpCachedResult.cpp:
3214         (JSC::RegExpCachedResult::setInput):
3215
3216 2017-06-30  Keith Miller  <keith_miller@apple.com>
3217
3218         DFG_ASSERT should allow stuffing registers before trapping.
3219         https://bugs.webkit.org/show_bug.cgi?id=174005
3220
3221         Reviewed by Mark Lam.
3222
3223         DFG_ASSERT currently prints error data to stderr before crashing,
3224         which is nice for local development. In the wild, however, we
3225         can't see this information in crash logs. This patch enables
3226         stuffing some of the most useful information from DFG_ASSERTS into
3227         up to five registers right before crashing. The values stuffed
3228         should not impact any logging during local development.
3229
3230         * assembler/AbortReason.h:
3231         * dfg/DFGAbstractInterpreterInlines.h:
3232         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3233         * dfg/DFGGraph.cpp:
3234         (JSC::DFG::logForCrash):
3235         (JSC::DFG::Graph::logAssertionFailure):
3236         (JSC::DFG::crash): Deleted.
3237         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3238         * dfg/DFGGraph.h:
3239
3240 2017-06-29  Saam Barati  <sbarati@apple.com>
3241
3242         Calculating postCapacity in unshiftCountSlowCase is wrong
3243         https://bugs.webkit.org/show_bug.cgi?id=173992
3244         <rdar://problem/32283199>
3245
3246         Reviewed by Keith Miller.
3247
3248         This patch fixes a bug inside unshiftCountSlowCase where we would use
3249         more memory than we allocated. The bug was when deciding how much extra
3250         space we have after the vector we've allocated. This area is called the
3251         postCapacity. The largest legal postCapacity value we could use is the
3252         space we allocated minus the space we need:
3253         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
3254         However, the code was calculating the postCapacity as:
3255         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
3256         
3257         where count is how many elements we're appending. Depending on the inputs,
3258         count could be larger than (newStorageCapacity - requiredVectorLength). This
3259         would cause us to use more memory than we actually allocated.
3260
3261         * runtime/JSArray.cpp:
3262         (JSC::JSArray::unshiftCountSlowCase):
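
        A constructed model of the postCapacity calculation from this entry, added here as an example and not JSC's JSArray code: the buggy formula `max(newStorageCapacity - requiredVectorLength, count)` is placed beside one that caps postCapacity at the entry's `largestPossiblePostCapacity`, and a bounds check shows which layout stays inside the allocation. The struct, the placement rule and the `min` repair are this example's assumptions, not the text of the actual patch.

```cpp
#include <algorithm>
#include <cstddef>

// Simplified storage model (this example's own): an allocation of
// newStorageCapacity slots holds the requiredVectorLength slots in use
// followed by postCapacity spare slots. Real JSArray storage also has
// pre-capacity and a header; those are omitted here.
struct UnshiftLayout {
    size_t newStorageCapacity;
    size_t requiredVectorLength;
    size_t postCapacity;

    // The invariant the entry states: postCapacity may never exceed
    // newStorageCapacity - requiredVectorLength.
    bool fitsInAllocation() const {
        return requiredVectorLength <= newStorageCapacity
            && postCapacity <= newStorageCapacity - requiredVectorLength;
    }

    // Index of the first used slot when the vector is placed so that
    // postCapacity spare slots follow it. Returns false instead of
    // computing an index that would underflow past the allocation start.
    bool startIndex(size_t& outIndex) const {
        if (!fitsInAllocation())
            return false;
        outIndex = newStorageCapacity - postCapacity - requiredVectorLength;
        return true;
    }
};

// The calculation the entry describes as wrong: clamping postCapacity *up*
// to count can claim more slots than were allocated.
static UnshiftLayout layoutWithBuggyPostCapacity(size_t newStorageCapacity,
                                                 size_t requiredVectorLength,
                                                 size_t count) {
    size_t postCapacity = std::max(newStorageCapacity - requiredVectorLength, count);
    return { newStorageCapacity, requiredVectorLength, postCapacity };
}

// A corrected calculation (this example's repair): never exceed the largest
// legal value, largestPossiblePostCapacity, while still preferring `count`
// spare slots when they are available.
static UnshiftLayout layoutWithCappedPostCapacity(size_t newStorageCapacity,
                                                  size_t requiredVectorLength,
                                                  size_t count) {
    size_t largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
    size_t postCapacity = std::min(largestPossiblePostCapacity, count);
    return { newStorageCapacity, requiredVectorLength, postCapacity };
}
```

With a 16-slot allocation, 12 required slots and count = 10, the buggy layout asks for 10 spare slots (22 in total) and fails the bounds check, while the capped layout settles for the 4 slots that actually remain.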
3263
3264 2017-06-29  Commit Queue  <commit-queue@webkit.org>
3265
3266         Unreviewed, rolling out r218512.
3267         https://bugs.webkit.org/show_bug.cgi?id=173981
3268
3269         "It changes the behavior of the JS API's JSEvaluateScript
3270         which breaks TurboTax" (Requested by saamyjoon on #webkit).
3271
3272         Reverted changeset:
3273
3274         "test262: Completion values for control flow do not match the
3275         spec"
3276         https://bugs.webkit.org/show_bug.cgi?id=171265
3277         http://trac.webkit.org/changeset/218512
3278
3279 2017-06-29  JF Bastien  <jfbastien@apple.com>
3280
3281         WebAssembly: disable some APIs under CSP
3282         https://bugs.webkit.org/show_bug.cgi?id=173892
3283         <rdar://problem/32914613>
3284
3285         Reviewed by Daniel Bates.
3286
3287         We should disable parts of WebAssembly under Content Security
3288         Policy as discussed here:
3289
3290         https://github.com/WebAssembly/design/issues/1092
3291
3292         Exactly what should be disabled isn't super clear, so we may as
3293         well be conservative and disable many things if developers already
3294         opted into CSP. It's easy to loosen what we disable later.
3295
3296         This patch disables:
3297         - WebAssembly.Instance
3298         - WebAssembly.instantiate
3299         - WebAssembly.Memory
3300         - WebAssembly.Table
3301
3302         And leaves:
3303         - WebAssembly on the global object
3304         - WebAssembly.Module
3305         - WebAssembly.compile
3306         - WebAssembly.CompileError
3307         - WebAssembly.LinkError
3308
3309         Nothing because currently unimplemented:
3310         - WebAssembly.compileStreaming
3311         - WebAssembly.instantiateStreaming
3312
3313         That way it won't be possible to call WebAssembly-compiled code,
3314         or create memories (which use fancy 4GiB allocations
3315         sometimes). Table isn't really useful on its own, and eventually
3316         we may make them shareable so without more details it seems benign
3317         to disable them (and useless if we don't).
3318
3319         I haven't done anything with postMessage, so you can still
3320         postMessage a WebAssembly.Module cross-CSP, but you can't
3321         instantiate it so it's useless. Because of this I elected to leave
3322         WebAssembly.Module and friends available.
3323
3324         I haven't added any new directives. It's still unsafe-eval. We can
3325         add something else later, but it seems odd to add a WebAssembly as
3326         a new capability and tell developers "you should have been using
3327         this directive which we just implemented if you wanted to disable
3328         WebAssembly which didn't exist when you adopted CSP". So IMO we
3329         should keep unsafe-eval as it currently is, add WebAssembly to
3330         what it disables, and later consider having two new directives
3331         which do each individually or something.
3332
3333         In all cases I throw an EvalError *before* other WebAssembly
3334         errors would be produced.
3335
3336         Note that, as for eval, reporting doesn't work and is tracked by
3337         https://webkit.org/b/111869
3338
3339         * runtime/JSGlobalObject.cpp:
3340         (JSC::JSGlobalObject::JSGlobalObject):
3341         * runtime/JSGlobalObject.h:
3342         (JSC::JSGlobalObject::webAssemblyEnabled):
3343         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
3344         (JSC::JSGlobalObject::setWebAssemblyEnabled):
3345         * wasm/js/JSWebAssemblyInstance.cpp:
3346         (JSC::JSWebAssemblyInstance::create):
3347         * wasm/js/JSWebAssemblyMemory.cpp:
3348         (JSC::JSWebAssemblyMemory::create):
3349         * wasm/js/JSWebAssemblyMemory.h:
3350         * wasm/js/JSWebAssemblyTable.cpp:
3351         (JSC::JSWebAssemblyTable::create):
3352         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3353         (JSC::constructJSWebAssemblyMemory):
3354
3355 2017-06-28  Keith Miller  <keith_miller@apple.com>
3356
3357         VMTraps has some races
3358         https://bugs.webkit.org/show_bug.cgi?id=173941
3359
3360         Reviewed by Michael Saboff.
3361
3362         This patch refactors much of the VMTraps API.
3363
3364         On the message sending side:
3365
3366         1) No longer uses the Yarr JIT check to determine if we are in
3367         RegExp code. That was unsound because RegExp JIT code can be run
3368         on compilation threads.  Instead it looks at the current frame's
3369         code block slot and checks if it is valid, which is the same as
3370         what it did for JIT code previously.
3371
3372         2) Only have one signal sender thread. Previously, there could be
3373         many at once, which caused some data races. Additionally, the
3374         signal sender thread is an automatic thread so it will deallocate
3375         itself when not in use.
3376
3377         On the VMTraps breakpoint side:
3378
3379         1) We now have a true mapping of if we hit a breakpoint instead of
3380         a JIT assertion. So the exception handler won't eat JIT assertions
3381         anymore.
3382
3383         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
3384         them instead of every CodeBlock on the stack. This both prevents
3385         us from hitting stale VMTraps breakpoints and also doesn't OSR
3386         codeblocks that otherwise don't need to be jettisoned.
3387
3388         3) The old exception handler could theoretically fail for a couple
3389         of reasons then resume execution with a clobbered instruction
3390         set. This patch will kill the program if the exception handler
3391         would fail.
3392
3393         This patch also refactors some of the jsc.cpp functions to take the
3394         CommandLine options object instead of individual options. Also, there
3395         is a new command line option that makes exceptions due to watchdog
3396         timeouts an acceptable result.
3397
3398         * API/tests/testapi.c:
3399         (main):
3400         * bytecode/CodeBlock.cpp:
3401         (JSC::CodeBlock::installVMTrapBreakpoints):
3402         * dfg/DFGCommonData.cpp:
3403         (JSC::DFG::pcCodeBlockMap):
3404         (JSC::DFG::CommonData::invalidate):
3405         (JSC::DFG::CommonData::~CommonData):
3406         (JSC::DFG::CommonData::installVMTrapBreakpoints):
3407         (JSC::DFG::codeBlockForVMTrapPC):
3408         * dfg/DFGCommonData.h: