Add some convenience utility accessor methods to MacroAssembler::CPUState.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-14  Mark Lam  <mark.lam@apple.com>

        Add some convenience utility accessor methods to MacroAssembler::CPUState.
        https://bugs.webkit.org/show_bug.cgi?id=175549
        <rdar://problem/33884868>

        Reviewed by Saam Barati.

        Previously, in order to read ProbeContext CPUState registers, we used to need to
        do it this way:

            ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
            uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
            void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
            uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));

        With this patch, we can now read them this way instead:

            ExecState* exec = cpu.fp<ExecState*>();
            uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
            void* p = cpu.gpr<void*>(GPRInfo::regT1);
            uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);

        * assembler/MacroAssembler.h:
        (JSC:: const):
        (JSC::MacroAssembler::CPUState::fpr const):
        (JSC::MacroAssembler::CPUState::pc const):
        (JSC::MacroAssembler::CPUState::fp const):
        (JSC::MacroAssembler::CPUState::sp const):
        (JSC::ProbeContext::pc):
        (JSC::ProbeContext::fp):
        (JSC::ProbeContext::sp):
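As an added illustration (not JavaScriptCore's code), here is a minimal CPUState-style register snapshot with the kind of typed accessors this entry describes. The GPR/FPR enums, the bitwiseCast helper, the sample register values and the anchor object are assumptions of this example. The point it shows: the choice between static_cast for integral types, reinterpret_cast for pointer types, and a bit-pattern read of an FPR is made once inside the accessor, so probe callbacks cannot pick the wrong cast at each call site.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <type_traits>

namespace example {

// Register ids are an assumption of this example; JSC's GPRInfo/FPRInfo are per-architecture.
enum class GPR : unsigned { regT0, regT1, framePointer, stackPointer, count };
enum class FPR : unsigned { fpRegT0, fpRegT1, count };

// Bit-preserving cast in the spirit of WTF::bitwise_cast: memcpy keeps the
// exact bit pattern without type-punning through a union or pointer cast.
template<typename To, typename From>
To bitwiseCast(From from)
{
    static_assert(sizeof(To) == sizeof(From), "bitwiseCast needs equal sizes");
    To to;
    std::memcpy(&to, &from, sizeof(To));
    return to;
}

struct CPUState {
    uintptr_t gprs[static_cast<unsigned>(GPR::count)] = {};
    double fprs[static_cast<unsigned>(FPR::count)] = {};

    // Raw accessors: the values a caller previously had to cast by hand.
    uintptr_t gpr(GPR id) const { return gprs[static_cast<unsigned>(id)]; }
    double fpr(FPR id) const { return fprs[static_cast<unsigned>(id)]; }

    // Typed accessors: pointer types are reinterpreted, integral types narrowed.
    template<typename T>
    typename std::enable_if<std::is_pointer<T>::value, T>::type gpr(GPR id) const
    {
        return reinterpret_cast<T>(gpr(id));
    }
    template<typename T>
    typename std::enable_if<std::is_integral<T>::value, T>::type gpr(GPR id) const
    {
        return static_cast<T>(gpr(id));
    }

    // fpr<double> yields the value; fpr<uint64_t> yields its raw IEEE-754 bits.
    template<typename T>
    typename std::enable_if<std::is_floating_point<T>::value, T>::type fpr(FPR id) const
    {
        return static_cast<T>(fpr(id));
    }
    template<typename T>
    typename std::enable_if<std::is_integral<T>::value, T>::type fpr(FPR id) const
    {
        return bitwiseCast<T>(fpr(id));
    }

    template<typename T = uintptr_t> T fp() const { return gpr<T>(GPR::framePointer); }
    template<typename T = uintptr_t> T sp() const { return gpr<T>(GPR::stackPointer); }
};

static int anchor = 0; // constructed object whose address stands in for a heap pointer
inline const void* anchorAddress() { return &anchor; }

struct ProbeSample { uint32_t low32; const void* pointer; uint64_t fprBits; double fprValue; };

// Fills a constructed CPUState the way a probe callback would see it,
// then reads it back through the typed accessors.
inline ProbeSample readSample()
{
    CPUState cpu;
    cpu.gprs[static_cast<unsigned>(GPR::regT0)] = static_cast<uintptr_t>(0xDEADBEEFCAFEBABEull);
    cpu.gprs[static_cast<unsigned>(GPR::regT1)] = reinterpret_cast<uintptr_t>(&anchor);
    cpu.fprs[static_cast<unsigned>(FPR::fpRegT0)] = 1.0;

    ProbeSample s;
    s.low32 = cpu.gpr<uint32_t>(GPR::regT0);       // 0xCAFEBABE on a 64-bit build
    s.pointer = cpu.gpr<const void*>(GPR::regT1);  // round-trips to &anchor
    s.fprBits = cpu.fpr<uint64_t>(FPR::fpRegT0);   // 0x3FF0000000000000, the bits of 1.0
    s.fprValue = cpu.fpr<double>(FPR::fpRegT0);
    return s;
}

} // namespace example

int main()
{
    example::ProbeSample s = example::readSample();
    std::printf("low32=%08x fprBits=%016llx fpr=%g\n", s.low32,
        static_cast<unsigned long long>(s.fprBits), s.fprValue);
    return 0;
}
```

A call with an unsupported type (say `gpr<float>`) fails to compile rather than silently reinterpreting bits, which is the safety gain over the hand-written casts.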

2017-08-12  Filip Pizlo  <fpizlo@apple.com>

        Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174921

        Reviewed by Mark Lam.

        Uses CagedUniquePtr<> to cage the ScopeOffset array.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/ScopedArgumentsTable.cpp:
        (JSC::ScopedArgumentsTable::create):
        (JSC::ScopedArgumentsTable::setLength):
        * runtime/ScopedArgumentsTable.h:

2017-08-14  Mark Lam  <mark.lam@apple.com>

        Gardening: fix Windows build.
        https://bugs.webkit.org/show_bug.cgi?id=175446

        Not reviewed.

        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::booleanTrueForAvoidingNoReturnDeclaration):
        (JSC::ctiMasmProbeTrampoline):

2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
        https://bugs.webkit.org/show_bug.cgi?id=175512
        <rdar://problem/33863584>

        Reviewed by Mark Lam.

        * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
        * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.

2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>

        ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
        https://bugs.webkit.org/show_bug.cgi?id=175513

        Reviewed by Mark Lam.

        * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.

2017-08-12  Filip Pizlo  <fpizlo@apple.com>

        FTL's compileGetTypedArrayByteOffset needs to do caging
        https://bugs.webkit.org/show_bug.cgi?id=175366

        Reviewed by Saam Barati.

        While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
        fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
        (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
        * runtime/ArrayBuffer.h:
        * runtime/ArrayBufferView.h:
        * runtime/JSArrayBufferView.h:

2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>

        Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
        https://bugs.webkit.org/show_bug.cgi?id=175474
        <rdar://problem/33844628>

        Reviewed by Wenson Hsieh.

        * Configurations/FeatureDefines.xcconfig:
        * runtime/CommonIdentifiers.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        Caging shouldn't have to use a patchpoint for adding
        https://bugs.webkit.org/show_bug.cgi?id=175483

        Reviewed by Mark Lam.

        Caging involves doing an Add(ptr, largeConstant). All of B3's heuristics for how to deal with
        constants and associative operations dictate that you always want to sink constants. For example,
        Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
        typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
        we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
        sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
        reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
        constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
        It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
        hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
        our current constant reassociation heuristics are wrong is caging. So, we can get away with some
        hacks for just stopping B3's reassociation only in this specific case.

        Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
        OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
        the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
        that if we cage the same pointer in two places, both places will compute the same value.

        This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
        if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
        they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
        that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
        up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
        enough scale to warrant new opcodes.)

        This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
        makes the code a bit less ugly.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
        (JSC::B3::Air::LowerToAir::lower):
        * b3/B3Opcode.cpp:
        (WTF::printInternal):
        * b3/B3Opcode.h:
        * b3/B3ReduceStrength.cpp:
        * b3/B3Validate.cpp:
        * b3/B3Value.cpp:
        (JSC::B3::Value::effects const):
        (JSC::B3::Value::key const):
        (JSC::B3::Value::isFree const):
        (JSC::B3::Value::typeFor):
        * b3/B3Value.h:
        * b3/B3ValueKey.cpp:
        (JSC::B3::ValueKey::materialize const):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * ftl/FTLOutput.cpp:
        (JSC::FTL::Output::opaque):
        * ftl/FTLOutput.h:
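The reassociation problem and the Opaque fix described in this entry, as an added toy model (not B3's code): a four-opcode value graph with a reduceStrength() that sinks constants exactly the way the entry describes, and a lowerToAir() that is the only phase treating Opaque as Identity. The node representation, the 4294967296 stand-in for the shared cage-base constant, and the dump format are constructed for this example. It shows why the caging add must survive strength reduction intact: once the constant is sunk past the index add, the shared Add(ptr, cageBase) no longer exists as a value that could be hoisted or CSE'd.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

namespace b3toy {

// Toy B3-like value graph (an assumption of this example, not B3's own IR).
enum class Op { Var, Const, Add, Opaque };

struct Node;
using NodePtr = std::shared_ptr<Node>;

struct Node {
    Op op;
    std::string name;     // Var
    int64_t constant = 0; // Const
    NodePtr a, b;         // Add operands; Opaque uses only a
};

inline NodePtr var(const std::string& name) { auto n = std::make_shared<Node>(); n->op = Op::Var; n->name = name; return n; }
inline NodePtr constant(int64_t v) { auto n = std::make_shared<Node>(); n->op = Op::Const; n->constant = v; return n; }
inline NodePtr add(NodePtr a, NodePtr b) { auto n = std::make_shared<Node>(); n->op = Op::Add; n->a = std::move(a); n->b = std::move(b); return n; }
inline NodePtr opaque(NodePtr a) { auto n = std::make_shared<Node>(); n->op = Op::Opaque; n->a = std::move(a); return n; }

inline std::string dump(const NodePtr& n)
{
    switch (n->op) {
    case Op::Var: return n->name;
    case Op::Const: return std::to_string(n->constant);
    case Op::Add: return "Add(" + dump(n->a) + ", " + dump(n->b) + ")";
    case Op::Opaque: return "Opaque(" + dump(n->a) + ")";
    }
    return "?";
}

// Strength reduction with the constant-sinking heuristic the entry describes:
// Add(Add(x, c), y) -> Add(Add(x, y), c). Opaque is a pure unary idempotent
// operation to this phase, so Opaque(Opaque(x)) folds to Opaque(x), but
// Opaque(x) is never folded to x: this phase does not know they are equal.
inline NodePtr reduceStrength(const NodePtr& n)
{
    if (n->op == Op::Opaque) {
        NodePtr a = reduceStrength(n->a);
        return a->op == Op::Opaque ? a : opaque(a);
    }
    if (n->op != Op::Add)
        return n;
    NodePtr a = reduceStrength(n->a);
    NodePtr b = reduceStrength(n->b);
    if (a->op == Op::Const && b->op != Op::Const)
        std::swap(a, b); // canonicalize: constants on the right
    if (a->op == Op::Const && b->op == Op::Const)
        return constant(a->constant + b->constant); // constant folding
    if (a->op == Op::Add && a->b->op == Op::Const && b->op != Op::Const)
        return add(add(a->a, b), a->b); // sink the constant below the new add
    return add(a, b);
}

// Lowering: the one place where Opaque(x) is treated as Identity, i.e. just x.
inline NodePtr lowerToAir(const NodePtr& n)
{
    switch (n->op) {
    case Op::Opaque: return lowerToAir(n->a);
    case Op::Add: return add(lowerToAir(n->a), lowerToAir(n->b));
    default: return n;
    }
}

const int64_t kCageBase = int64_t(1) << 32; // stand-in for the shared large constant

// Caged access without Opaque: the cage-base constant is sunk past the index add,
// so the Add(ptr, kCageBase) shared by every caging site is no longer visible.
inline std::string cagedAccessSunk()
{
    NodePtr caged = add(var("ptr"), constant(kCageBase));
    return dump(reduceStrength(add(caged, var("index"))));
}

// With Opaque around the caging add, reduceStrength leaves it intact ...
inline std::string cagedAccessOpaque()
{
    NodePtr caged = opaque(add(var("ptr"), constant(kCageBase)));
    return dump(reduceStrength(add(caged, var("index"))));
}

// ... and lowering strips the wrapper, emitting the plain add.
inline std::string cagedAccessLowered()
{
    NodePtr caged = opaque(add(var("ptr"), constant(kCageBase)));
    return dump(lowerToAir(reduceStrength(add(caged, var("index")))));
}

// Idempotence: Opaque(Opaque(x)) == Opaque(x).
inline std::string nestedOpaque() { return dump(reduceStrength(opaque(opaque(var("ptr"))))); }

} // namespace b3toy

int main()
{
    std::printf("sunk:    %s\nopaque:  %s\nlowered: %s\n", b3toy::cagedAccessSunk().c_str(),
        b3toy::cagedAccessOpaque().c_str(), b3toy::cagedAccessLowered().c_str());
    return 0;
}
```

Because Opaque is pure, two sites that compute Opaque(Add(ptr, kCageBase)) dump to the same string, which is the structural equality a CSE pass would key on; a patchpoint, being opaque to every phase including CSE, gives no such handle.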

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        ScopedArguments overflow storage needs to be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174923

        Reviewed by Saam Barati.

        ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
        object into the JSValue gigacage.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitScopedArgumentsGetByVal):
        * runtime/ScopedArguments.h:
        (JSC::ScopedArguments::subspaceFor):
        (JSC::ScopedArguments::overflowStorage const):

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        JSLexicalEnvironment needs to be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174922

        Reviewed by Michael Saboff.

        We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
        the only random accesses use pointer caging.

        We don't need to do anything to normal lexical environment accesses.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * runtime/JSEnvironmentRecord.h:
        (JSC::JSEnvironmentRecord::subspaceFor):
        (JSC::JSEnvironmentRecord::variables):

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        DirectArguments should be in the JSValue gigacage
        https://bugs.webkit.org/show_bug.cgi?id=174920

        Reviewed by Michael Saboff.

        This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
        indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
        because they always operate on a DirectArguments that is pointed to directly from the stack, they are
        required to use fixed offsets, and you can only store JSValues.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDirectArgumentsGetByVal):
        * runtime/DirectArguments.h:
        (JSC::DirectArguments::subspaceFor):
        (JSC::DirectArguments::storage):
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:

2017-08-11  Filip Pizlo  <fpizlo@apple.com>

        Unreviewed, add a FIXME.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):

2017-08-10  Sam Weinig  <sam@webkit.org>

        WTF::Function does not allow for reference / non-default constructible return types
        https://bugs.webkit.org/show_bug.cgi?id=175244

        Reviewed by Chris Dumez.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::transferTo):
        Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
        destroy call needed to be a no-op anyway, since the data is being moved.

2017-08-11  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175446
        <rdar://problem/33836545>

        Not reviewed.

        * assembler/MacroAssemblerPrinter.cpp:

2017-08-08  Filip Pizlo  <fpizlo@apple.com>

        DFG should do caging
        https://bugs.webkit.org/show_bug.cgi?id=174918

        Reviewed by Saam Barati.

        Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
        the conditional caging with a watchpoint.

        This might be a 1% SunSpider slow-down, but it's not clear.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
        (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
        (JSC::DFG::SpeculativeJIT::compileCreateRest):
        (JSC::DFG::SpeculativeJIT::compileSpread):
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        (JSC::DFG::SpeculativeJIT::compileArraySlice):
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT.h:
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):

2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, build fix for x86 GTK port
        https://bugs.webkit.org/show_bug.cgi?id=175446

        Use pushfl/popfl instead of pushfd/popfd.

        * assembler/MacroAssemblerX86Common.cpp:

2017-08-10  Mark Lam  <mark.lam@apple.com>

        Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
        https://bugs.webkit.org/show_bug.cgi?id=175446
        <rdar://problem/33836545>

        Reviewed by Saam Barati.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::isSpecialGPR):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::print):
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-10  Mark Lam  <mark.lam@apple.com>

        Apply the UNLIKELY macro to some unlikely things.
        https://bugs.webkit.org/show_bug.cgi?id=175440
        <rdar://problem/33834767>

        Reviewed by Yusuke Suzuki.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::~CodeBlock):
        (JSC::CodeBlock::jettison):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleCall):
        (JSC::DFG::ByteCodeParser::handleVarargsCall):
        (JSC::DFG::ByteCodeParser::handleGetById):
        (JSC::DFG::ByteCodeParser::handlePutById):
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::parseCodeBlock):
        * dfg/DFGJITCompiler.cpp:
        (JSC::DFG::JITCompiler::JITCompiler):
        (JSC::DFG::JITCompiler::linkOSRExits):
        (JSC::DFG::JITCompiler::link):
        (JSC::DFG::JITCompiler::disassemble):
        * dfg/DFGJITFinalizer.cpp:
        (JSC::DFG::JITFinalizer::finalizeCommon):
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileOSRExit):
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::Plan):
        * ftl/FTLJITFinalizer.cpp:
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLLink.cpp:
        (JSC::FTL::link):
        * ftl/FTLOSRExitCompiler.cpp:
        (JSC::FTL::compileStub):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        (JSC::JIT::compileWithoutLinking):
        (JSC::JIT::link):
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::installCode):
        * runtime/VM.cpp:
        (JSC::VM::VM):

2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] ThreadSpecific should not introduce additional indirection
        https://bugs.webkit.org/show_bug.cgi?id=175187

        Reviewed by Mark Lam.

        * runtime/Identifier.cpp:

2017-08-10  Tim Horton  <timothy_horton@apple.com>

        Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
        https://bugs.webkit.org/show_bug.cgi?id=175436
        <rdar://problem/33667497>

        Reviewed by Simon Fraser.

        * interpreter/Interpreter.cpp:
        (JSC::Interpreter::Interpreter):

2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>

        Remove ENABLE_GAMEPAD_DEPRECATED
        https://bugs.webkit.org/show_bug.cgi?id=175361

        Reviewed by Carlos Garcia Campos.

        * Configurations/FeatureDefines.xcconfig:

2017-08-09  Caio Lima  <ticaiolima@gmail.com>

        [JSC] Create JSSet constructor that accepts its size as parameter
        https://bugs.webkit.org/show_bug.cgi?id=173297

        Reviewed by Saam Barati.

        This patch is adding a new constructor to JSSet that gives its
        expected initial size. It is important to avoid re-hashing and multiple
        allocations when we know the final size of JSSet, such as in
        CodeBlock::setConstantIdentifierSetRegisters.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        * runtime/HashMapImpl.h:
        (JSC::HashMapImpl::HashMapImpl):
        * runtime/JSSet.h:

2017-08-09  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r220466, r220477, and r220487.
        https://bugs.webkit.org/show_bug.cgi?id=175411

        This change broke existing API tests and follow up fixes did
        not resolve all the issues. (Requested by ryanhaddad on
        #webkit).

        Reverted changesets:

        https://bugs.webkit.org/show_bug.cgi?id=175244
        http://trac.webkit.org/changeset/220466

        "WTF::Function does not allow for reference / non-default
        constructible return types"
        https://bugs.webkit.org/show_bug.cgi?id=175244
        http://trac.webkit.org/changeset/220477

        https://bugs.webkit.org/show_bug.cgi?id=175244
        http://trac.webkit.org/changeset/220487

2017-08-09  Caitlin Potter  <caitp@igalia.com>

        Early error on ANY operator before new.target
        https://bugs.webkit.org/show_bug.cgi?id=157970

        Reviewed by Saam Barati.

        Instead of throwing if any unary operator precedes new.target, only
        throw if the unary operator updates the reference.

        The following become legal in JSC:

        ```
        !new.target
        ~new.target
        typeof new.target
        delete new.target
        void new.target
        ```

        All of which are legal in v8 and SpiderMonkey in strict and sloppy mode

        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseUnaryExpression):

2017-08-09  Sam Weinig  <sam@webkit.org>

        WTF::Function does not allow for reference / non-default constructible return types
        https://bugs.webkit.org/show_bug.cgi?id=175244

        Reviewed by Chris Dumez.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::transferTo):
        Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
        destroy call needed to be a no-op anyway, since the data is being moved.

2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>

        [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
        https://bugs.webkit.org/show_bug.cgi?id=175392
        <rdar://problem/33783207>

        Reviewed by Tim Horton and Megan Gardner.

        Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).

        * Configurations/FeatureDefines.xcconfig:

2017-08-09  Robin Morisset  <rmorisset@apple.com>

        Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
        https://bugs.webkit.org/show_bug.cgi?id=175358

        Reviewed by Mark Lam.

        * jit/JITOperations.cpp:
        * runtime/JSObjectInlines.h:
        (JSC::JSObject::putInlineForJSObject):

2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r220457.

        This change introduced API test failures.

        Reverted changeset:

        "WTF::Function does not allow for reference / non-default
        constructible return types"
        https://bugs.webkit.org/show_bug.cgi?id=175244
        http://trac.webkit.org/changeset/220457

2017-08-09  Sam Weinig  <sam@webkit.org>

        WTF::Function does not allow for reference / non-default constructible return types
        https://bugs.webkit.org/show_bug.cgi?id=175244

        Reviewed by Chris Dumez.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBufferContents::transferTo):
        Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
        destroy call needed to be a no-op anyway, since the data is being moved.

2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>

        REGRESSION: 2 test262/test/language/statements/async-function failures
        https://bugs.webkit.org/show_bug.cgi?id=175334

        Reviewed by Yusuke Suzuki.

        Switch off useAsyncIterator by default

        * runtime/Options.h:

2017-08-08  Filip Pizlo  <fpizlo@apple.com>

        ICs should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175295

        Reviewed by Saam Barati.

        Adds the appropriate cage() calls in our inline caches.

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):

2017-08-08  Devin Rousso  <drousso@apple.com>

        Web Inspector: Canvas: support editing WebGL shaders
        https://bugs.webkit.org/show_bug.cgi?id=124211
        <rdar://problem/15448958>

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
        Add `updateShader` command that will change the given shader's source to the provided string,
        recompile, and relink it to its associated program.
        Drive-by: add description to `requestShaderSource` command.

2017-08-08  Robin Morisset  <rmorisset@apple.com>

        Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
        https://bugs.webkit.org/show_bug.cgi?id=175347

        Reviewed by Saam Barati.

        This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
        I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
        negligible considering how much more finishCreation does.
        This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
        FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        (JSC::CodeBlock::setConstantRegisters):
        * bytecode/CodeBlock.h:
        * runtime/ScriptExecutable.cpp:
        (JSC::ScriptExecutable::newCodeBlockFor):

2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>

        Unreviewed, fix Ubuntu LTS build
        https://bugs.webkit.org/show_bug.cgi?id=174490

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        * inspector/remote/glib/RemoteInspectorServer.cpp:

2017-08-08  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175037

        Reviewed by Mark Lam.

        Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

        Also modifies FTL caging to be more defensive when caging is disabled.

        Relanded with fixed AssemblyHelpers::cageConditionally().

        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * bytecode/InlineAccess.cpp:
        (JSC::InlineAccess::dumpCacheSizesAndCrash):
        (JSC::InlineAccess::generateSelfPropertyAccess):
        (JSC::InlineAccess::generateSelfPropertyReplace):
        (JSC::InlineAccess::generateArrayLength):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (jscmain):
        (primitiveGigacageDisabled): Deleted.

2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r220368.

        This change caused WK1 tests to exit early with crashes.

        Reverted changeset:

        "Baseline JIT should do caging"
        https://bugs.webkit.org/show_bug.cgi?id=175037
        http://trac.webkit.org/changeset/220368

2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>

        [CMake] Properly test if compiler supports compiler flags
        https://bugs.webkit.org/show_bug.cgi?id=174490

        Reviewed by Konstantin Tokarev.

        * API/tests/PingPongStackOverflowTest.cpp:
        (testPingPongStackOverflow):
        * API/tests/testapi.c:
        * b3/testb3.cpp:
        (JSC::B3::testPatchpointLotsOfLateAnys):

2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        [Linux] Clear WasmMemory with madvise instead of memset
        https://bugs.webkit.org/show_bug.cgi?id=175150

        Reviewed by Filip Pizlo.

        In Linux, zeroing pages with memset populates backing store.
        Instead, we should use madvise with MADV_DONTNEED. It discards
        pages. And if you access these pages, on-demand-zero-pages will
        be shown.

        We also commit grown pages in all OSes.

        * wasm/WasmMemory.cpp:
        (JSC::Wasm::commitZeroPages):
        (JSC::Wasm::Memory::create):
        (JSC::Wasm::Memory::grow):
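An added example (not WebKit's WasmMemory code) of the zeroing approach this entry describes, on a private anonymous mapping: the pages are dirtied with memset, discarded with madvise(MADV_DONTNEED), and read back, while mincore() reports how many pages remain resident at each step. The Linux-only guard, the memset fallback elsewhere, the 0xAB fill pattern and the page count are assumptions of this example. The check that matters from a security standpoint is the last one: memory handed back after a discard must read as zero, never as stale contents.

```cpp
#include <sys/mman.h>
#include <unistd.h>
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <vector>

namespace wasmtoy {

struct ZeroingReport {
    long residentAfterDirty;    // pages backed by RAM after memset (-1 if unknown)
    long residentAfterDiscard;  // pages backed by RAM after zeroPages() (-1 if unknown)
    bool allZero;               // every sampled byte read back as zero afterwards
};

// Counts pages of [base, base + bytes) currently resident in RAM via Linux mincore();
// returns -1 on other platforms, where this example makes no residency claim.
inline long residentPages(void* base, size_t bytes, size_t pageSize)
{
#if defined(__linux__)
    std::vector<unsigned char> vec((bytes + pageSize - 1) / pageSize);
    if (mincore(base, bytes, vec.data()) != 0)
        return -1;
    long count = 0;
    for (unsigned char v : vec)
        count += v & 1;
    return count;
#else
    (void)base; (void)bytes; (void)pageSize;
    return -1;
#endif
}

// Zeroes a range the way the entry describes: on Linux, MADV_DONTNEED drops the
// pages, and the next touch gets on-demand zero pages, so nothing stays committed.
// Elsewhere this falls back to memset, which dirties (and therefore commits) every page.
inline bool zeroPages(void* base, size_t bytes)
{
#if defined(__linux__)
    return madvise(base, bytes, MADV_DONTNEED) == 0;
#else
    std::memset(base, 0, bytes);
    return true;
#endif
}

// Maps `pages` pages, fills them with a constructed stale pattern, zeroes them with
// zeroPages(), and verifies the contents while recording residency before and after.
inline ZeroingReport demonstrateZeroing(size_t pages)
{
    ZeroingReport report { -1, -1, false };
    const size_t pageSize = static_cast<size_t>(sysconf(_SC_PAGESIZE));
    const size_t bytes = pages * pageSize;
    void* base = mmap(nullptr, bytes, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return report;
    unsigned char* p = static_cast<unsigned char*>(base);

    std::memset(p, 0xAB, bytes); // constructed "stale" contents from a previous use
    report.residentAfterDirty = residentPages(base, bytes, pageSize);

    bool ok = zeroPages(base, bytes);
    report.residentAfterDiscard = residentPages(base, bytes, pageSize); // 0 on Linux

    for (size_t i = 0; ok && i < bytes; i += 64) // sample one byte per cache line
        ok = p[i] == 0;
    report.allZero = ok && p[bytes - 1] == 0;
    munmap(base, bytes);
    return report;
}

} // namespace wasmtoy

int main()
{
    wasmtoy::ZeroingReport r = wasmtoy::demonstrateZeroing(16);
    std::printf("resident after memset: %ld, after discard: %ld, all zero: %s\n",
        r.residentAfterDirty, r.residentAfterDiscard, r.allZero ? "yes" : "no");
    return 0;
}
```

On Linux the report shows all 16 pages resident after the memset and none after the madvise, while every byte still reads as zero: that is the "discard, then zero-fill on demand" behaviour the entry relies on, and why it leaves the backing store unpopulated where a memset would not.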

2017-08-07  Robin Morisset  <rmorisset@apple.com>

        GetOwnProperty of TypedArray indexed fields is wrongly configurable
        https://bugs.webkit.org/show_bug.cgi?id=175307

        Reviewed by Saam Barati.

        ```
        let a = new Uint8Array(10);
        let b = Object.getOwnPropertyDescriptor(a, 0);
        assert(b.configurable === false);
        ```
        should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p)
        that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
        that says that typed arrays are integer indexed exotic objects.

        * runtime/JSGenericTypedArrayViewInlines.h:
        (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):

2017-08-07  Filip Pizlo  <fpizlo@apple.com>

        Baseline JIT should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175037

        Reviewed by Mark Lam.

        Adds an AssemblyHelpers::cage and cageConditionally. Uses it in the baseline JIT.

        Also modifies FTL caging to be more defensive when caging is disabled.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::cage):
        (JSC::AssemblyHelpers::cageConditionally):
        * jit/JITPropertyAccess.cpp:
        (JSC::JIT::emitDoubleLoad):
        (JSC::JIT::emitContiguousLoad):
        (JSC::JIT::emitArrayStorageLoad):
        (JSC::JIT::emitGenericContiguousPutByVal):
        (JSC::JIT::emitArrayStoragePutByVal):
        (JSC::JIT::emit_op_get_from_scope):
        (JSC::JIT::emit_op_put_to_scope):
        (JSC::JIT::emitIntTypedArrayGetByVal):
        (JSC::JIT::emitFloatTypedArrayGetByVal):
        (JSC::JIT::emitIntTypedArrayPutByVal):
        (JSC::JIT::emitFloatTypedArrayPutByVal):
        * jsc.cpp:
        (jscmain):
        (primitiveGigacageDisabled): Deleted.

2017-08-06  Filip Pizlo  <fpizlo@apple.com>

        Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
        https://bugs.webkit.org/show_bug.cgi?id=174919

        Reviewed by Keith Miller.

        This adapts JSC to there being two gigacages.

        To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
        singletons. I don't think we were gaining anything by making them be singletons.

        This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
        gigacages. We'll have one of those allocators per cage.

        From there, this change teaches everyone who previously knew about cages that there are two cages.
        This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
        easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
        not so obvious, so this change introduces some helpers to make it easy to define what cage you want
        to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h

        A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
        CagedPtr. This removes one layer of "get()" calls from a bunch of places.

        * JavaScriptCore.xcodeproj/project.pbxproj:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::generateImpl):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
        (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
        (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
        (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
        (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/FastMallocAlignedMemoryAllocator.cpp:
        (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
        * heap/FastMallocAlignedMemoryAllocator.h:
        * heap/GigacageAlignedMemoryAllocator.cpp:
        (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::dump const):
788         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
789         * heap/GigacageAlignedMemoryAllocator.h:
790         * jsc.cpp:
791         (primitiveGigacageDisabled):
792         (jscmain):
793         (gigacageDisabled): Deleted.
794         * llint/LowLevelInterpreter64.asm:
795         * runtime/ArrayBuffer.cpp:
796         (JSC::ArrayBufferContents::tryAllocate):
797         (JSC::ArrayBuffer::createAdopted):
798         (JSC::ArrayBuffer::createFromBytes):
799         * runtime/AuxiliaryBarrier.h:
800         * runtime/ButterflyInlines.h:
801         (JSC::Butterfly::createUninitialized):
802         (JSC::Butterfly::tryCreate):
803         (JSC::Butterfly::growArrayRight):
804         * runtime/CagedBarrierPtr.h: Added.
805         (JSC::CagedBarrierPtr::CagedBarrierPtr):
806         (JSC::CagedBarrierPtr::clear):
807         (JSC::CagedBarrierPtr::set):
808         (JSC::CagedBarrierPtr::get const):
809         (JSC::CagedBarrierPtr::getMayBeNull const):
810         (JSC::CagedBarrierPtr::operator== const):
811         (JSC::CagedBarrierPtr::operator!= const):
812         (JSC::CagedBarrierPtr::operator bool const):
813         (JSC::CagedBarrierPtr::setWithoutBarrier):
814         (JSC::CagedBarrierPtr::operator* const):
815         (JSC::CagedBarrierPtr::operator-> const):
816         (JSC::CagedBarrierPtr::operator[] const):
817         * runtime/DirectArguments.cpp:
818         (JSC::DirectArguments::overrideThings):
819         (JSC::DirectArguments::unmapArgument):
820         * runtime/DirectArguments.h:
821         (JSC::DirectArguments::isMappedArgument const):
822         * runtime/GenericArguments.h:
823         * runtime/GenericArgumentsInlines.h:
824         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
825         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
826         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
827         * runtime/HashMapImpl.cpp:
828         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
829         * runtime/HashMapImpl.h:
830         (JSC::HashMapBuffer::create):
831         (JSC::HashMapImpl::buffer const):
832         (JSC::HashMapImpl::rehash):
833         * runtime/JSArray.cpp:
834         (JSC::JSArray::tryCreateUninitializedRestricted):
835         (JSC::JSArray::unshiftCountSlowCase):
836         (JSC::JSArray::setLength):
837         (JSC::JSArray::pop):
838         (JSC::JSArray::push):
839         (JSC::JSArray::fastSlice):
840         (JSC::JSArray::shiftCountWithArrayStorage):
841         (JSC::JSArray::shiftCountWithAnyIndexingType):
842         (JSC::JSArray::unshiftCountWithAnyIndexingType):
843         (JSC::JSArray::fillArgList):
844         (JSC::JSArray::copyToArguments):
845         * runtime/JSArray.h:
846         (JSC::JSArray::tryCreate):
847         * runtime/JSArrayBufferView.cpp:
848         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
849         (JSC::JSArrayBufferView::finalize):
850         * runtime/JSLock.cpp:
851         (JSC::JSLock::didAcquireLock):
852         * runtime/JSObject.cpp:
853         (JSC::JSObject::heapSnapshot):
854         (JSC::JSObject::getOwnPropertySlotByIndex):
855         (JSC::JSObject::putByIndex):
856         (JSC::JSObject::enterDictionaryIndexingMode):
857         (JSC::JSObject::createInitialIndexedStorage):
858         (JSC::JSObject::createArrayStorage):
859         (JSC::JSObject::convertUndecidedToInt32):
860         (JSC::JSObject::convertUndecidedToDouble):
861         (JSC::JSObject::convertUndecidedToContiguous):
862         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
863         (JSC::JSObject::convertUndecidedToArrayStorage):
864         (JSC::JSObject::convertInt32ToDouble):
865         (JSC::JSObject::convertInt32ToContiguous):
866         (JSC::JSObject::convertInt32ToArrayStorage):
867         (JSC::JSObject::convertDoubleToContiguous):
868         (JSC::JSObject::convertDoubleToArrayStorage):
869         (JSC::JSObject::convertContiguousToArrayStorage):
870         (JSC::JSObject::setIndexQuicklyToUndecided):
871         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
872         (JSC::JSObject::deletePropertyByIndex):
873         (JSC::JSObject::getOwnPropertyNames):
874         (JSC::JSObject::putIndexedDescriptor):
875         (JSC::JSObject::defineOwnIndexedProperty):
876         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
877         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
878         (JSC::JSObject::getNewVectorLength):
879         (JSC::JSObject::ensureLengthSlow):
880         (JSC::JSObject::reallocateAndShrinkButterfly):
881         (JSC::JSObject::allocateMoreOutOfLineStorage):
882         (JSC::JSObject::getEnumerableLength):
883         * runtime/JSObject.h:
884         (JSC::JSObject::getArrayLength const):
885         (JSC::JSObject::getVectorLength):
886         (JSC::JSObject::putDirectIndex):
887         (JSC::JSObject::canGetIndexQuickly):
888         (JSC::JSObject::getIndexQuickly):
889         (JSC::JSObject::tryGetIndexQuickly const):
890         (JSC::JSObject::canSetIndexQuickly):
891         (JSC::JSObject::setIndexQuickly):
892         (JSC::JSObject::initializeIndex):
893         (JSC::JSObject::initializeIndexWithoutBarrier):
894         (JSC::JSObject::hasSparseMap):
895         (JSC::JSObject::inSparseIndexingMode):
896         (JSC::JSObject::butterfly const):
897         (JSC::JSObject::butterfly):
898         (JSC::JSObject::outOfLineStorage const):
899         (JSC::JSObject::outOfLineStorage):
900         (JSC::JSObject::ensureInt32):
901         (JSC::JSObject::ensureDouble):
902         (JSC::JSObject::ensureContiguous):
903         (JSC::JSObject::ensureArrayStorage):
904         (JSC::JSObject::arrayStorage):
905         (JSC::JSObject::arrayStorageOrNull):
906         (JSC::JSObject::ensureLength):
907         * runtime/RegExpMatchesArray.h:
908         (JSC::tryCreateUninitializedRegExpMatchesArray):
909         * runtime/VM.cpp:
910         (JSC::VM::VM):
911         (JSC::VM::~VM):
912         (JSC::VM::primitiveGigacageDisabledCallback):
913         (JSC::VM::primitiveGigacageDisabled):
914         (JSC::VM::gigacageDisabledCallback): Deleted.
915         (JSC::VM::gigacageDisabled): Deleted.
916         * runtime/VM.h:
917         (JSC::VM::gigacageAuxiliarySpace):
918         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
919         (JSC::VM::primitiveGigacageEnabled):
920         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
921         (JSC::VM::gigacageEnabled): Deleted.
922         * wasm/WasmMemory.cpp:
923         (JSC::Wasm::Memory::create):
924         (JSC::Wasm::Memory::~Memory):
925         (JSC::Wasm::Memory::grow):
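
The entry above describes CagedPtr (a stored pointer that is masked back into its cage before use) and the split into a Primitive cage and a JSValue cage. The following C++ illustration is added here to show the defensive effect of that design; it is not JavaScriptCore's own code. The `Example` namespace, the `Cage` and `CagedPtr` types, the 4096-byte cage sizes, and the `setWithoutBarrier`/`getRawForDemo` helpers are constructed for this demonstration, and the mask is applied to the offset from the cage base rather than to the raw address as JSC's aligned Gigacage does.

```cpp
// Added illustration of pointer caging (not JavaScriptCore code). A cage is a
// power-of-two-sized region; a CagedPtr folds whatever value it holds back
// into that region, so a corrupted pointer cannot be used to reach memory
// outside the cage. Two cages of different kinds do not alias each other.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <vector>

namespace Example {

enum class CageKind { Primitive, JSValue };

// Backing storage for a cage. Constructed for the example: JSC reserves far
// larger regions, but the masking idea is the same.
struct Cage {
    CageKind kind;
    std::vector<uint8_t> storage;

    Cage(CageKind k, size_t powerOfTwoSize)
        : kind(k), storage(powerOfTwoSize, 0)
    {
        // Masking with (size - 1) only works for power-of-two sizes.
        if (!powerOfTwoSize || (powerOfTwoSize & (powerOfTwoSize - 1)))
            std::abort();
    }

    uintptr_t base() const { return reinterpret_cast<uintptr_t>(storage.data()); }
    size_t size() const { return storage.size(); }
};

// True when p lies inside [base, base + size) of the given cage.
bool isInsideCage(const Cage& cage, const void* p)
{
    uintptr_t a = reinterpret_cast<uintptr_t>(p);
    return a >= cage.base() && a < cage.base() + cage.size();
}

template<typename T>
class CagedPtr {
public:
    CagedPtr(const Cage& cage, T* ptr) : m_cage(&cage), m_ptr(ptr) { }

    // Returns the stored pointer forced into the cage. A pointer that already
    // points inside the cage comes back unchanged; any other value is folded
    // into the region (unsigned wraparound makes the subtraction well defined).
    T* get() const
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(m_ptr);
        uintptr_t offset = (raw - m_cage->base()) & (m_cage->size() - 1);
        return reinterpret_cast<T*>(m_cage->base() + offset);
    }

    // Raw store without any check; stands in for the path a memory-corruption
    // bug would take when it overwrites the pointer field.
    void setWithoutBarrier(T* ptr) { m_ptr = ptr; }

    // Unmasked value, exposed only so the demo can compare it with get().
    T* getRawForDemo() const { return m_ptr; }

private:
    const Cage* m_cage;
    T* m_ptr;
};

// A legitimate in-cage pointer is returned exactly as stored.
bool inCagePointerUnchanged()
{
    Cage cage(CageKind::Primitive, 4096);
    uint8_t* legit = cage.storage.data() + 100;
    CagedPtr<uint8_t> p(cage, legit);
    return p.get() == legit;
}

// A pointer overwritten with an address outside the cage is folded back in.
bool corruptedPointerIsFoldedIntoCage()
{
    Cage cage(CageKind::Primitive, 4096);
    std::vector<uint8_t> outside(64, 0xAA); // Separate allocation, not part of the cage.
    CagedPtr<uint8_t> p(cage, cage.storage.data());
    p.setWithoutBarrier(outside.data());
    return !isInsideCage(cage, p.getRawForDemo()) && isInsideCage(cage, p.get());
}

// A JSValue-cage pointer overwritten with a Primitive-cage address still
// resolves inside the JSValue cage, never inside the Primitive cage.
bool separateCagesDoNotAlias()
{
    Cage primitive(CageKind::Primitive, 4096);
    Cage jsValue(CageKind::JSValue, 4096);
    CagedPtr<uint8_t> p(jsValue, primitive.storage.data() + 8);
    uint8_t* masked = p.get();
    return isInsideCage(jsValue, masked) && !isInsideCage(primitive, masked);
}

} // namespace Example

int main()
{
    std::printf("in-cage pointer unchanged: %s\n", Example::inCagePointerUnchanged() ? "yes" : "no");
    std::printf("corrupted pointer folded into cage: %s\n", Example::corruptedPointerIsFoldedIntoCage() ? "yes" : "no");
    std::printf("JSValue-cage pointer kept out of Primitive cage: %s\n", Example::separateCagesDoNotAlias() ? "yes" : "no");
    return 0;
}
```

The point of the third check is the one this entry is about: with one cage per kind of memory, a pointer field that is supposed to reference JSValue storage cannot be redirected at typed-array (Primitive) storage, even if the stored value itself has been tampered with, because the mask is applied on every read.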
926
2017-08-07  Commit Queue  <commit-queue@webkit.org>

        Unreviewed, rolling out r220144.
        https://bugs.webkit.org/show_bug.cgi?id=175276

        "It did not actually speed things up in the way I expected"
        (Requested by saamyjoon on #webkit).

        Reverted changeset:

        "On memory-constrained iOS devices, reduce the rate at which
        the JS heap grows before a GC to try to keep more memory
        available for the system"
        https://bugs.webkit.org/show_bug.cgi?id=175041
        http://trac.webkit.org/changeset/220144

2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r220299.

        This change caused LayoutTest inspector/dom-debugger/dom-
        breakpoints.html to fail.

        Reverted changeset:

        "Web Inspector: capture async stack trace when workers/main
        context posts a message"
        https://bugs.webkit.org/show_bug.cgi?id=167084
        http://trac.webkit.org/changeset/220299

2017-08-07  Brian Burg  <bburg@apple.com>

        Remove CANVAS_PATH compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175207

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-08-07  Keith Miller  <keith_miller@apple.com>

        REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
        https://bugs.webkit.org/show_bug.cgi?id=175256

        Reviewed by Saam Barati.

        The check in createFromBytes just needed to check that the buffer was not null before
        calling isCaged.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::createFromBytes):

2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] Add API to provide browser information required by automation
        https://bugs.webkit.org/show_bug.cgi?id=175130

        Reviewed by Brian Burg.

        Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
        get them.

        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
        requested to ensure they are updated before StartAutomationSession reply is sent.
        * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
        StartAutomationSession message.

2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise resolve and reject function should have length = 1
        https://bugs.webkit.org/show_bug.cgi?id=175242

        Reviewed by Saam Barati.

        Previously we had a separate system for "length" and "name" for builtin functions.
        The builtin functions do not use the lazy reifying system. Instead, they are given
        direct properties when instantiated. While the function created for properties (like
        Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
        these builtin functions are just created by JSFunction::create(). Since that does
        not set any value for "length", these functions do not have a "length" property.
        So, the resolve and reject functions passed to Promise's executor do not have a
        "length" property.

        This patch makes builtin functions use the standard lazy reifying system for "length".
        So, the "length" property of builtin functions just works as it does for normal
        functions.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
        * runtime/JSFunction.h:

2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - Implement Async Generator - parser
        https://bugs.webkit.org/show_bug.cgi?id=175210

        Reviewed by Yusuke Suzuki.

        The current implementation is a draft version of Async Iteration.
        Link to spec: https://tc39.github.io/proposal-async-iteration/

        The current patch implements only the parser part of the Async generator.
        The runtime part will be in the next patches.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::getAsynFunctionBodyParseMode):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::stringArticleForFunctionMode):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        * parser/Parser.h:
        (JSC::Scope::setSourceParseMode):
        * parser/ParserModes.h:
        (JSC::isFunctionParseMode):
        (JSC::isAsyncFunctionParseMode):
        (JSC::isAsyncArrowFunctionParseMode):
        (JSC::isAsyncGeneratorFunctionParseMode):
        (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
        (JSC::isAsyncFunctionWrapperParseMode):
        (JSC::isAsyncFunctionBodyParseMode):
        (JSC::isGeneratorMethodParseMode):
        (JSC::isAsyncMethodParseMode):
        (JSC::isAsyncGeneratorMethodParseMode):
        (JSC::isMethodParseMode):
        (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
        (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):

2017-08-05  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
        https://bugs.webkit.org/show_bug.cgi?id=175083

        Reviewed by Oliver Hunt.

        This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
        even if we are using the pop path.

        Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
        important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
        the world just because we changed it.

        Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
        easier to debug leaks.

        * bytecode/AccessCase.cpp:
        * bytecode/PolymorphicAccess.cpp:
        * heap/HeapCell.cpp:
        (JSC::HeapCell::isLive):
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::isLive): Deleted.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::endMarking):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        * jit/AssemblyHelpers.cpp:
        * jit/Repatch.cpp:
        * runtime/TestRunnerUtils.h:
        * runtime/VM.cpp:
        (JSC::waitForVMDestruction):
        (JSC::VM::~VM):

2017-08-05  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
        https://bugs.webkit.org/show_bug.cgi?id=175228
        <rdar://problem/33735737>

        Reviewed by Saam Barati.

        Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
        delete OSRExit32_64.cpp.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGOSRExit32_64.cpp: Removed.
        * jit/GPRInfo.h:
        (JSC::JSValueSource::payloadGPR const):

2017-08-04  Youenn Fablet  <youenn@apple.com>

        [Cache API] Add Cache and CacheStorage IDL definitions
        https://bugs.webkit.org/show_bug.cgi?id=175201

        Reviewed by Brady Eidson.

        * runtime/CommonIdentifiers.h:

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
        https://bugs.webkit.org/show_bug.cgi?id=175230
        <rdar://problem/33735857>

        Reviewed by Saam Barati.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
        https://bugs.webkit.org/show_bug.cgi?id=175214
        <rdar://problem/33733308>

        Rubber-stamped by Michael Saboff.

        Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
        DFGOSRExitCompiler files.

        Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.

        Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
        used by compileOSRExit(), and will be changed to not be a DFG operation function
        when we use JIT probes for DFG OSR exits later in
        https://bugs.webkit.org/show_bug.cgi?id=175144.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
        * dfg/DFGOSRExitCompiler.cpp: Removed.
        * dfg/DFGOSRExitCompiler.h: Removed.
        * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
        * dfg/DFGOSRExitCompiler64.cpp: Removed.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:

2017-08-04  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
        https://bugs.webkit.org/show_bug.cgi?id=175208
        <rdar://problem/33732402>

        Reviewed by Saam Barati.

        This will minimize the code diff and make it easier to review the patch for
        https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
        steps:

        1. Do the code changes to move methods into OSRExit.
        2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
        3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.

        Splitting this refactoring into these 3 steps also makes it easier to review this
        patch and understand what is being changed.

        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
        (): Deleted.
        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
        (): Deleted.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):

2017-08-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: add source view for WebGL shader programs
        https://bugs.webkit.org/show_bug.cgi?id=138593
        <rdar://problem/18936194>

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
         - Add `ShaderType` enum that contains "vertex" and "fragment".
         - Add `requestShaderSource` command that will return the original source code for a given
           shader program and shader type.

2017-08-03  Filip Pizlo  <fpizlo@apple.com>

        The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
        https://bugs.webkit.org/show_bug.cgi?id=175141

        Reviewed by Mark Lam.

        To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
        decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
        to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
        determined by the AlignedMemoryAllocator object.

        This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
        trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
        Subspaces that both use the same underlying allocator to realize that they can trade blocks with
        each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
        they use the same AlignedMemoryAllocator.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/AlignedMemoryAllocator.cpp: Added.
        (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
        (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
        * heap/AlignedMemoryAllocator.h: Added.
        * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
        (JSC::FastMallocAlignedMemoryAllocator::singleton):
        (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
        (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
        (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::FastMallocAlignedMemoryAllocator::dump const):
        * heap/FastMallocAlignedMemoryAllocator.h: Added.
        * heap/GigacageAlignedMemoryAllocator.cpp: Added.
        (JSC::GigacageAlignedMemoryAllocator::singleton):
        (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::dump const):
        * heap/GigacageAlignedMemoryAllocator.h: Added.
        * heap/GigacageSubspace.cpp: Removed.
        * heap/GigacageSubspace.h: Removed.
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::destroy):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::subspace const):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
        (JSC::MarkedBlock::Handle::subspace const): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::findEmptyBlockToSteal):
        (JSC::Subspace::canTradeBlocksWith): Deleted.
        (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
        (JSC::Subspace::freeAlignedMemory): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::name const):
        (JSC::Subspace::alignedMemoryAllocator const):
        * runtime/JSDestructibleObjectSubspace.cpp:
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
        * runtime/JSDestructibleObjectSubspace.h:
        * runtime/JSSegmentedVariableObjectSubspace.cpp:
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
        * runtime/JSSegmentedVariableObjectSubspace.h:
        * runtime/JSStringSubspace.cpp:
        (JSC::JSStringSubspace::JSStringSubspace):
        * runtime/JSStringSubspace.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - update feature.json
        https://bugs.webkit.org/show_bug.cgi?id=175197

        Reviewed by Yusuke Suzuki.

        Update feature.json to add the status of Async Iteration.

        * features.json:

2017-08-04  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r220271.

        Rolling out due to Layout Test failing on iOS Simulator.

        Reverted changeset:

        "Remove STREAMS_API compilation guard"
        https://bugs.webkit.org/show_bug.cgi?id=175165
        http://trac.webkit.org/changeset/220271

2017-08-04  Youenn Fablet  <youenn@apple.com>

        Remove STREAMS_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175165

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [EsNext] Async iteration - Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=166694

        Reviewed by Yusuke Suzuki.

        Add a feature flag to JSC to switch Async Iterator on/off.

        * runtime/Options.h:

2017-08-03  Brian Burg  <bburg@apple.com>

        Remove ENABLE(WEB_SOCKET) guards
        https://bugs.webkit.org/show_bug.cgi?id=167044

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Youenn Fablet  <youenn@apple.com>

        Remove FETCH_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175154

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument WebGLProgram created/deleted
        https://bugs.webkit.org/show_bug.cgi?id=175059

        Reviewed by Devin Rousso.

        Extend the Canvas protocol with types/events for tracking WebGLPrograms.

        * inspector/protocol/Canvas.json:

2017-08-03  Brady Eidson  <beidson@apple.com>

        Add SW IDLs and stub out basic functionality.
        https://bugs.webkit.org/show_bug.cgi?id=175115

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/CommonIdentifiers.h:

2017-08-03  Mark Lam  <mark.lam@apple.com>

        Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
        https://bugs.webkit.org/show_bug.cgi?id=175142
        <rdar://problem/33704528>

        Reviewed by Filip Pizlo.

        The convention in the rest of JSC for such methods which return the address of
        a field is to name them "addressOf<field name>".  We'll rename
        ScratchBuffer::activeLengthPtr to be consistent with this convention.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/VM.h:
        (JSC::ScratchBuffer::addressOfActiveLength):
        (JSC::ScratchBuffer::activeLengthPtr): Deleted.
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):

2017-08-02  Devin Rousso  <drousso@apple.com>

        Web Inspector: add stack trace information for each RecordingAction
        https://bugs.webkit.org/show_bug.cgi?id=174663

        Reviewed by Joseph Pecoraro.

        * inspector/ScriptCallFrame.h:
1457         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
1458         with an existing value doesn't require a functor and can use existing code.
1459
1460         * interpreter/StackVisitor.h:
1461         * interpreter/StackVisitor.cpp:
1462         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
1463
1464 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1465
1466         Merge WTFThreadData to Thread::current
1467         https://bugs.webkit.org/show_bug.cgi?id=174716
1468
1469         Reviewed by Mark Lam.
1470
1471         Use Thread::current() instead.
1472
1473         * API/JSContext.mm:
1474         (+[JSContext currentContext]):
1475         (+[JSContext currentThis]):
1476         (+[JSContext currentCallee]):
1477         (+[JSContext currentArguments]):
1478         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1479         (-[JSContext endCallbackWithData:]):
1480         * heap/Heap.cpp:
1481         (JSC::Heap::requestCollection):
1482         * runtime/Completion.cpp:
1483         (JSC::checkSyntax):
1484         (JSC::checkModuleSyntax):
1485         (JSC::evaluate):
1486         (JSC::loadAndEvaluateModule):
1487         (JSC::loadModule):
1488         (JSC::linkAndEvaluateModule):
1489         (JSC::importModule):
1490         * runtime/Identifier.cpp:
1491         (JSC::Identifier::checkCurrentAtomicStringTable):
1492         * runtime/InitializeThreading.cpp:
1493         (JSC::initializeThreading):
1494         * runtime/JSLock.cpp:
1495         (JSC::JSLock::didAcquireLock):
1496         (JSC::JSLock::willReleaseLock):
1497         (JSC::JSLock::dropAllLocks):
1498         (JSC::JSLock::grabAllLocks):
1499         * runtime/JSLock.h:
1500         * runtime/VM.cpp:
1501         (JSC::VM::VM):
1502         (JSC::VM::updateStackLimits):
1503         (JSC::VM::committedStackByteCount):
1504         * runtime/VM.h:
1505         (JSC::VM::isSafeToRecurse const):
1506         * runtime/VMEntryScope.cpp:
1507         (JSC::VMEntryScope::VMEntryScope):
1508         * runtime/VMInlines.h:
1509         (JSC::VM::ensureStackCapacityFor):
1510         * yarr/YarrPattern.cpp:
1511         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1512
1513 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1514
1515         LLInt should do pointer caging
1516         https://bugs.webkit.org/show_bug.cgi?id=175036
1517
1518         Reviewed by Keith Miller.
1519
1520         Implementing this in the LLInt was challenging because offlineasm did not previously know
1521         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
1522         to be where the Gigacage is enabled right now.
1523
1524         * llint/LLIntOfflineAsmConfig.h:
1525         * llint/LowLevelInterpreter64.asm:
1526         * offlineasm/ast.rb:
1527         * offlineasm/x86.rb:
1528
1529 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1530
1531         Sweeping should only scribble when sweeping to free list
1532         https://bugs.webkit.org/show_bug.cgi?id=175105
1533
1534         Reviewed by Saam Barati.
1535         
1536         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
1537         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
1538         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
1539         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
1540         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
1541         when it doesn't matter anyway because we're building a free list.
1542         
1543         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
1544         zap.
1545
1546         * heap/MarkedBlockInlines.h:
1547         (JSC::MarkedBlock::Handle::specializedSweep):
1548
1549 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1550
1551         All C++ accesses to JSObject::m_butterfly should do caging
1552         https://bugs.webkit.org/show_bug.cgi?id=175039
1553
1554         Reviewed by Keith Miller.
1555         
1556         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
1557         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
1558         outside the gigacage.
1559
1560         * runtime/JSArray.cpp:
1561         (JSC::JSArray::setLength):
1562         (JSC::JSArray::pop):
1563         (JSC::JSArray::push):
1564         (JSC::JSArray::shiftCountWithAnyIndexingType):
1565         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1566         (JSC::JSArray::fillArgList):
1567         (JSC::JSArray::copyToArguments):
1568         * runtime/JSObject.cpp:
1569         (JSC::JSObject::heapSnapshot):
1570         (JSC::JSObject::createInitialIndexedStorage):
1571         (JSC::JSObject::createArrayStorage):
1572         (JSC::JSObject::convertUndecidedToInt32):
1573         (JSC::JSObject::convertUndecidedToDouble):
1574         (JSC::JSObject::convertUndecidedToContiguous):
1575         (JSC::JSObject::convertInt32ToDouble):
1576         (JSC::JSObject::convertInt32ToArrayStorage):
1577         (JSC::JSObject::convertDoubleToContiguous):
1578         (JSC::JSObject::convertDoubleToArrayStorage):
1579         (JSC::JSObject::convertContiguousToArrayStorage):
1580         (JSC::JSObject::defineOwnIndexedProperty):
1581         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1582         (JSC::JSObject::ensureLengthSlow):
1583         (JSC::JSObject::allocateMoreOutOfLineStorage):
1584         * runtime/JSObject.h:
1585         (JSC::JSObject::canGetIndexQuickly):
1586         (JSC::JSObject::getIndexQuickly):
1587         (JSC::JSObject::tryGetIndexQuickly const):
1588         (JSC::JSObject::canSetIndexQuickly):
1589         (JSC::JSObject::setIndexQuickly):
1590         (JSC::JSObject::initializeIndex):
1591         (JSC::JSObject::initializeIndexWithoutBarrier):
1592         (JSC::JSObject::butterfly const):
1593         (JSC::JSObject::butterfly):
1594
1595 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1596
1597         We should be OK with the gigacage being disabled on gmalloc
1598         https://bugs.webkit.org/show_bug.cgi?id=175082
1599
1600         Reviewed by Michael Saboff.
1601
1602         * jsc.cpp:
1603         (jscmain):
1604
1605 2017-08-02  Saam Barati  <sbarati@apple.com>
1606
1607         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
1608         https://bugs.webkit.org/show_bug.cgi?id=175041
1609         <rdar://problem/33659370>
1610
1611         Reviewed by Filip Pizlo.
1612
1613         The testing I have done shows that this new function is a ~10%
1614         progression running JetStream on 1GB iOS devices. I've also tried
1615         this on a few > 1GB iOS devices, and the testing shows this is either neutral
1616         or a regression. Right now, we'll just enable this for <= 1GB devices
1617         since it's a win. In the future, we might want to either look into
1618         tweaking these parameters or coming up with a new function for > 1GB
1619         devices.
1620
1621         * heap/Heap.cpp:
1622         * runtime/Options.h:
1623
1624 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
1625
1626         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
1627         https://bugs.webkit.org/show_bug.cgi?id=174727
1628
1629         Reviewed by Mark Lam.
1630         
1631         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
1632         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
1633         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
1634         
1635         This is neutral on JetStream.
1636
1637         * CMakeLists.txt:
1638         * JavaScriptCore.xcodeproj/project.pbxproj:
1639         * b3/B3InsertionSet.cpp:
1640         (JSC::B3::InsertionSet::execute):
1641         * dfg/DFGAbstractInterpreterInlines.h:
1642         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1643         * dfg/DFGArgumentsEliminationPhase.cpp:
1644         * dfg/DFGClobberize.cpp:
1645         (JSC::DFG::readsOverlap):
1646         * dfg/DFGClobberize.h:
1647         (JSC::DFG::clobberize):
1648         * dfg/DFGDoesGC.cpp:
1649         (JSC::DFG::doesGC):
1650         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
1651         (JSC::DFG::performFixedButterflyAccessUncaging):
1652         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
1653         * dfg/DFGFixupPhase.cpp:
1654         (JSC::DFG::FixupPhase::fixupNode):
1655         * dfg/DFGHeapLocation.cpp:
1656         (WTF::printInternal):
1657         * dfg/DFGHeapLocation.h:
1658         * dfg/DFGNodeType.h:
1659         * dfg/DFGPlan.cpp:
1660         (JSC::DFG::Plan::compileInThreadImpl):
1661         * dfg/DFGPredictionPropagationPhase.cpp:
1662         * dfg/DFGSafeToExecute.h:
1663         (JSC::DFG::safeToExecute):
1664         * dfg/DFGSpeculativeJIT.cpp:
1665         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1666         * dfg/DFGSpeculativeJIT32_64.cpp:
1667         (JSC::DFG::SpeculativeJIT::compile):
1668         * dfg/DFGSpeculativeJIT64.cpp:
1669         (JSC::DFG::SpeculativeJIT::compile):
1670         * dfg/DFGTypeCheckHoistingPhase.cpp:
1671         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1672         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1673         * ftl/FTLCapabilities.cpp:
1674         (JSC::FTL::canCompile):
1675         * ftl/FTLLowerDFGToB3.cpp:
1676         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1677         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1678         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1679         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1680         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1681         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1682         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1683         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1684         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
1685         (JSC::FTL::DFG::LowerDFGToB3::caged):
1686         * heap/GigacageSubspace.cpp: Added.
1687         (JSC::GigacageSubspace::GigacageSubspace):
1688         (JSC::GigacageSubspace::~GigacageSubspace):
1689         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
1690         (JSC::GigacageSubspace::freeAlignedMemory):
1691         (JSC::GigacageSubspace::canTradeBlocksWith):
1692         * heap/GigacageSubspace.h: Added.
1693         * heap/Heap.cpp:
1694         (JSC::Heap::Heap):
1695         (JSC::Heap::lastChanceToFinalize):
1696         (JSC::Heap::finalize):
1697         (JSC::Heap::sweepInFinalize):
1698         (JSC::Heap::updateAllocationLimits):
1699         (JSC::Heap::shouldDoFullCollection):
1700         (JSC::Heap::collectIfNecessaryOrDefer):
1701         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
1702         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
1703         (JSC::Heap::sweepLargeAllocations): Deleted.
1704         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
1705         * heap/Heap.h:
1706         * heap/LargeAllocation.cpp:
1707         (JSC::LargeAllocation::tryCreate):
1708         (JSC::LargeAllocation::destroy):
1709         * heap/MarkedAllocator.cpp:
1710         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1711         (JSC::MarkedAllocator::tryAllocateBlock):
1712         * heap/MarkedBlock.cpp:
1713         (JSC::MarkedBlock::tryCreate):
1714         (JSC::MarkedBlock::Handle::Handle):
1715         (JSC::MarkedBlock::Handle::~Handle):
1716         (JSC::MarkedBlock::Handle::didAddToAllocator):
1717         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1718         * heap/MarkedBlock.h:
1719         (JSC::MarkedBlock::Handle::subspace const):
1720         * heap/MarkedSpace.cpp:
1721         (JSC::MarkedSpace::~MarkedSpace):
1722         (JSC::MarkedSpace::freeMemory):
1723         (JSC::MarkedSpace::prepareForAllocation):
1724         (JSC::MarkedSpace::addMarkedAllocator):
1725         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
1726         * heap/MarkedSpace.h:
1727         (JSC::MarkedSpace::firstAllocator const):
1728         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
1729         * heap/Subspace.cpp:
1730         (JSC::Subspace::Subspace):
1731         (JSC::Subspace::canTradeBlocksWith):
1732         (JSC::Subspace::tryAllocateAlignedMemory):
1733         (JSC::Subspace::freeAlignedMemory):
1734         (JSC::Subspace::prepareForAllocation):
1735         (JSC::Subspace::findEmptyBlockToSteal):
1736         * heap/Subspace.h:
1737         (JSC::Subspace::didCreateFirstAllocator):
1738         * heap/SubspaceInlines.h:
1739         (JSC::Subspace::forEachAllocator):
1740         (JSC::Subspace::forEachMarkedBlock):
1741         (JSC::Subspace::forEachNotEmptyMarkedBlock):
1742         * jit/JITPropertyAccess.cpp:
1743         (JSC::JIT::emitDoubleLoad):
1744         (JSC::JIT::emitContiguousLoad):
1745         (JSC::JIT::emitArrayStorageLoad):
1746         (JSC::JIT::emitGenericContiguousPutByVal):
1747         (JSC::JIT::emitArrayStoragePutByVal):
1748         (JSC::JIT::emit_op_get_from_scope):
1749         (JSC::JIT::emit_op_put_to_scope):
1750         (JSC::JIT::emitIntTypedArrayGetByVal):
1751         (JSC::JIT::emitFloatTypedArrayGetByVal):
1752         (JSC::JIT::emitIntTypedArrayPutByVal):
1753         (JSC::JIT::emitFloatTypedArrayPutByVal):
1754         * jsc.cpp:
1755         (fillBufferWithContentsOfFile):
1756         (functionReadFile):
1757         (gigacageDisabled):
1758         (jscmain):
1759         * llint/LowLevelInterpreter64.asm:
1760         * runtime/ArrayBuffer.cpp:
1761         (JSC::ArrayBufferContents::tryAllocate):
1762         (JSC::ArrayBuffer::createAdopted):
1763         (JSC::ArrayBuffer::createFromBytes):
1764         (JSC::ArrayBuffer::tryCreate):
1765         * runtime/IndexingHeader.h:
1766         * runtime/InitializeThreading.cpp:
1767         (JSC::initializeThreading):
1768         * runtime/JSArrayBuffer.cpp:
1769         * runtime/JSArrayBufferView.cpp:
1770         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1771         (JSC::JSArrayBufferView::finalize):
1772         * runtime/JSLock.cpp:
1773         (JSC::JSLock::didAcquireLock):
1774         * runtime/JSObject.h:
1775         * runtime/Options.cpp:
1776         (JSC::recomputeDependentOptions):
1777         * runtime/Options.h:
1778         * runtime/ScopedArgumentsTable.h:
1779         * runtime/VM.cpp:
1780         (JSC::VM::VM):
1781         (JSC::VM::~VM):
1782         (JSC::VM::gigacageDisabledCallback):
1783         (JSC::VM::gigacageDisabled):
1784         * runtime/VM.h:
1785         (JSC::VM::fireGigacageEnabledIfNecessary):
1786         (JSC::VM::gigacageEnabled):
1787         * wasm/WasmB3IRGenerator.cpp:
1788         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1789         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1790         * wasm/WasmCodeBlock.cpp:
1791         (JSC::Wasm::CodeBlock::isSafeToRun):
1792         * wasm/WasmMemory.cpp:
1793         (JSC::Wasm::makeString):
1794         (JSC::Wasm::Memory::create):
1795         (JSC::Wasm::Memory::~Memory):
1796         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
1797         (JSC::Wasm::Memory::grow):
1798         (JSC::Wasm::Memory::initializePreallocations): Deleted.
1799         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
1800         * wasm/WasmMemory.h:
1801         * wasm/js/JSWebAssemblyInstance.cpp:
1802         (JSC::JSWebAssemblyInstance::create):
1803         * wasm/js/JSWebAssemblyMemory.cpp:
1804         (JSC::JSWebAssemblyMemory::grow):
1805         (JSC::JSWebAssemblyMemory::finishCreation):
1806         * wasm/js/JSWebAssemblyMemory.h:
1807         (JSC::JSWebAssemblyMemory::subspaceFor):
1808
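The two caging entries above (the 2017-08-02 "All C++ accesses to JSObject::m_butterfly should do caging" change, which routes C++ access through CagedPtr<>, and the 2017-08-01 Gigacage change, which masks the pointer so that it can only point into the cage) describe one mechanism from two sides. What follows is an added illustration and not JavaScriptCore or bmalloc code: the cage size, the aligned-region setup, the Butterfly layout and the Cage/CagedPtr class shapes are assumptions chosen for the example, and the real Gigacage reserves a multi-GB VM region rather than the 1 MiB used here. It shows why masking plus rebasing keeps a corrupted butterfly pointer inside the cage instead of reaching attacker-chosen memory.

```cpp
// Added example (not JavaScriptCore or bmalloc code): a simplified model of Gigacage-style
// pointer caging. The cage size, layout, Butterfly shape and CagedPtr class are assumptions.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <new>

namespace CageExample {

// Assumed cage size: a power of two, so the low address bits of an in-cage pointer are its offset.
constexpr std::size_t cageSize = std::size_t(1) << 20; // 1 MiB here; the real cage is multi-GB
constexpr std::uintptr_t cageMask = cageSize - 1;

// A cage-size-aligned region; the alignment is what makes (ptr & cageMask) the in-cage offset.
class Cage {
public:
    Cage() : m_raw(new std::uint8_t[2 * cageSize]()) {
        auto addr = reinterpret_cast<std::uintptr_t>(m_raw);
        m_base = reinterpret_cast<std::uint8_t*>((addr + cageSize - 1) & ~cageMask);
    }
    ~Cage() { delete[] m_raw; }
    Cage(const Cage&) = delete;
    Cage& operator=(const Cage&) = delete;

    std::uint8_t* base() const { return m_base; }

    // caged(): keep only the offset bits and rebase them onto the cage. An in-cage pointer comes
    // back unchanged; any other value, corrupted or not, lands somewhere in [base, base + cageSize).
    template<typename T>
    T* caged(T* ptr) const {
        auto raw = reinterpret_cast<std::uintptr_t>(ptr);
        return reinterpret_cast<T*>(reinterpret_cast<std::uintptr_t>(m_base) + (raw & cageMask));
    }

    bool contains(const void* p) const {
        auto raw = reinterpret_cast<std::uintptr_t>(p);
        auto b = reinterpret_cast<std::uintptr_t>(m_base);
        return raw >= b && raw < b + cageSize;
    }

private:
    std::uint8_t* m_raw;
    std::uint8_t* m_base;
};

// Stand-in for JSC's Butterfly (assumed layout).
struct Butterfly {
    std::uint32_t publicLength;
    std::uint64_t slots[4];
};

// Model of CagedPtr<T>: the field still holds a raw pointer, but every dereference goes
// through Cage::caged(), so C++ code cannot follow a rewired pointer out of the cage.
template<typename T>
class CagedPtr {
public:
    CagedPtr(const Cage& cage, T* ptr) : m_cage(&cage), m_ptr(ptr) {}
    T* get() const { return m_cage->caged(m_ptr); }
    T* operator->() const { return get(); }
    void overwriteRaw(T* p) { m_ptr = p; } // simulates a corruption primitive hitting the field
private:
    const Cage* m_cage;
    T* m_ptr;
};

// Bump-allocate a Butterfly at a fixed offset inside the cage (assumed allocator).
inline Butterfly* allocateButterfly(const Cage& cage, std::size_t offset) {
    assert(offset + sizeof(Butterfly) <= cageSize);
    return new (cage.base() + offset) Butterfly{};
}

// Offset of any pointer value once caged; always < cageSize.
inline std::size_t cagedOffset(const Cage& cage, const void* p) {
    return reinterpret_cast<std::uintptr_t>(cage.caged(p))
        - reinterpret_cast<std::uintptr_t>(cage.base());
}

// True when an in-cage pointer is returned untouched and a rewired out-of-cage pointer is redirected back in.
inline bool cagedAccessStaysInCage() {
    Cage cage;
    Butterfly* inside = allocateButterfly(cage, 4096);
    inside->publicLength = 3;

    CagedPtr<Butterfly> butterfly(cage, inside);
    if (butterfly.get() != inside || butterfly->publicLength != 3)
        return false;

    Butterfly victim{}; // outside the cage: stands in for memory an attacker wants reached
    butterfly.overwriteRaw(&victim);
    Butterfly* resolved = butterfly.get();
    return cage.contains(resolved) && resolved != &victim;
}

} // namespace CageExample

int main() {
    assert(CageExample::cagedAccessStaysInCage());
}
```

The property to notice is in cagedAccessStaysInCage(): after the stored pointer is overwritten with an out-of-cage address, get() still yields an address inside the cage, so a bug that rewires m_butterfly gets a bounded, in-cage access rather than an arbitrary one. The masking does not stop the pointer from aliasing a different in-cage object; it only bounds where the access can land, which is the same guarantee the FTL gets from masking the access itself.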
1809 2017-07-31  Mark Lam  <mark.lam@apple.com>
1810
1811         Added some UNLIKELYs to operationOptimize().
1812         https://bugs.webkit.org/show_bug.cgi?id=174976
1813
1814         Reviewed by JF Bastien.
1815
1816         * jit/JITOperations.cpp:
1817
1818 2017-07-31  Keith Miller  <keith_miller@apple.com>
1819
1820         Make more things LLInt constexprs
1821         https://bugs.webkit.org/show_bug.cgi?id=174994
1822
1823         Reviewed by Saam Barati.
1824
1825         This patch makes more of the const values in the LLInt constexprs.
1826         It also deletes all of the no longer necessary static_asserts in
1827         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
1828
1829         * interpreter/ShadowChicken.h:
1830         (JSC::ShadowChicken::Packet::tailMarker):
1831         * llint/LLIntData.cpp:
1832         (JSC::LLInt::Data::performAssertions):
1833         * llint/LowLevelInterpreter.asm:
1834         * offlineasm/generate_offset_extractor.rb:
1835         * offlineasm/parser.rb:
1836
1837 2017-07-31  Matt Lewis  <jlewis3@apple.com>
1838
1839         Unreviewed, rolling out r220060.
1840
1841         This broke our internal builds. Contact reviewer of patch for
1842         more information.
1843
1844         Reverted changeset:
1845
1846         "Merge WTFThreadData to Thread::current"
1847         https://bugs.webkit.org/show_bug.cgi?id=174716
1848         http://trac.webkit.org/changeset/220060
1849
1850 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1851
1852         [JSC] Support optional catch binding
1853         https://bugs.webkit.org/show_bug.cgi?id=174981
1854
1855         Reviewed by Saam Barati.
1856
1857         This patch implements optional catch binding proposal[1], which is now stage 3.
1858         This proposal adds a new `catch` brace with no error value binding.
1859
1860             ```
1861                 try {
1862                     ...
1863                 } catch {
1864                     ...
1865                 }
1866             ```
1867
1868         Sometimes we do not actually need to get the error value. For example, a function may return
1869         a boolean indicating whether it succeeded.
1870
1871             ```
1872             function parse(result) // -> bool
1873             {
1874                  try {
1875                      parseInner(result);
1876                  } catch {
1877                      return false;
1878                  }
1879                  return true;
1880             }
1881             ```
1882
1883         In the above case, we are not interested in the actual error value. Without this syntax,
1884         we always need to introduce a binding for an error value that is just ignored.
1885
1886         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
1887
1888         * bytecompiler/NodesCodegen.cpp:
1889         (JSC::TryNode::emitBytecode):
1890         * parser/Parser.cpp:
1891         (JSC::Parser<LexerType>::parseTryStatement):
1892
1893 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1894
1895         Merge WTFThreadData to Thread::current
1896         https://bugs.webkit.org/show_bug.cgi?id=174716
1897
1898         Reviewed by Sam Weinig.
1899
1900         Use Thread::current() instead.
1901
1902         * API/JSContext.mm:
1903         (+[JSContext currentContext]):
1904         (+[JSContext currentThis]):
1905         (+[JSContext currentCallee]):
1906         (+[JSContext currentArguments]):
1907         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1908         (-[JSContext endCallbackWithData:]):
1909         * heap/Heap.cpp:
1910         (JSC::Heap::requestCollection):
1911         * runtime/Completion.cpp:
1912         (JSC::checkSyntax):
1913         (JSC::checkModuleSyntax):
1914         (JSC::evaluate):
1915         (JSC::loadAndEvaluateModule):
1916         (JSC::loadModule):
1917         (JSC::linkAndEvaluateModule):
1918         (JSC::importModule):
1919         * runtime/Identifier.cpp:
1920         (JSC::Identifier::checkCurrentAtomicStringTable):
1921         * runtime/InitializeThreading.cpp:
1922         (JSC::initializeThreading):
1923         * runtime/JSLock.cpp:
1924         (JSC::JSLock::didAcquireLock):
1925         (JSC::JSLock::willReleaseLock):
1926         (JSC::JSLock::dropAllLocks):
1927         (JSC::JSLock::grabAllLocks):
1928         * runtime/JSLock.h:
1929         * runtime/VM.cpp:
1930         (JSC::VM::VM):
1931         (JSC::VM::updateStackLimits):
1932         (JSC::VM::committedStackByteCount):
1933         * runtime/VM.h:
1934         (JSC::VM::isSafeToRecurse const):
1935         * runtime/VMEntryScope.cpp:
1936         (JSC::VMEntryScope::VMEntryScope):
1937         * runtime/VMInlines.h:
1938         (JSC::VM::ensureStackCapacityFor):
1939         * yarr/YarrPattern.cpp:
1940         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1941
1942 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1943
1944         [WTF] Introduce Private Symbols
1945         https://bugs.webkit.org/show_bug.cgi?id=174935
1946
1947         Reviewed by Darin Adler.
1948
1949         Use SymbolImpl::isPrivate().
1950
1951         * builtins/BuiltinNames.cpp:
1952         * builtins/BuiltinNames.h:
1953         (JSC::BuiltinNames::isPrivateName): Deleted.
1954         * builtins/BuiltinUtils.h:
1955         * bytecode/BytecodeIntrinsicRegistry.cpp:
1956         (JSC::BytecodeIntrinsicRegistry::lookup):
1957         * runtime/CommonIdentifiers.cpp:
1958         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1959         * runtime/CommonIdentifiers.h:
1960         * runtime/ExceptionHelpers.cpp:
1961         (JSC::createUndefinedVariableError):
1962         * runtime/Identifier.h:
1963         (JSC::Identifier::isPrivateName):
1964         * runtime/IdentifierInlines.h:
1965         (JSC::identifierToSafePublicJSValue):
1966         * runtime/ObjectConstructor.cpp:
1967         (JSC::objectConstructorAssign):
1968         (JSC::defineProperties):
1969         (JSC::setIntegrityLevel):
1970         (JSC::testIntegrityLevel):
1971         (JSC::ownPropertyKeys):
1972         * runtime/PrivateName.h:
1973         (JSC::PrivateName::PrivateName):
1974         * runtime/PropertyName.h:
1975         (JSC::PropertyName::isPrivateName):
1976         * runtime/ProxyObject.cpp:
1977         (JSC::performProxyGet):
1978         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1979         (JSC::ProxyObject::performHasProperty):
1980         (JSC::ProxyObject::performPut):
1981         (JSC::ProxyObject::performDelete):
1982         (JSC::ProxyObject::performDefineOwnProperty):
1983
1984 2017-07-29  Keith Miller  <keith_miller@apple.com>
1985
1986         LLInt offsets extractor should be able to handle C++ constexprs
1987         https://bugs.webkit.org/show_bug.cgi?id=174964
1988
1989         Reviewed by Saam Barati.
1990
1991         This patch adds new syntax to the offline asm language. The new keyword,
1992         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1993         expression. Additionally, if the value is not an identifier you can wrap it in
1994         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1995         which will get converted into:
1996         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1997
1998         This patch also changes the data format the LLIntOffsetsExtractor
1999         binary produces.  Previously, it would produce unsigned values;
2000         after this patch every value is an int64_t.  Using an int64_t is
2001         useful because it means that we can represent any constant needed.
2002         int32_t masks are sign extended, then passed to the assembler and
2003         converted to a negative literal string there, so the result is the
2004         constant expected.
2005
2006         * llint/LLIntOffsetsExtractor.cpp:
2007         (JSC::LLIntOffsetsExtractor::dummy):
2008         * llint/LowLevelInterpreter.asm:
2009         * llint/LowLevelInterpreter64.asm:
2010         * offlineasm/asm.rb:
2011         * offlineasm/ast.rb:
2012         * offlineasm/generate_offset_extractor.rb:
2013         * offlineasm/offsets.rb:
2014         * offlineasm/parser.rb:
2015         * offlineasm/transform.rb:
2016
2017 2017-07-28  Matt Baker  <mattbaker@apple.com>
2018
2019         Web Inspector: capture an async stack trace when web content calls addEventListener
2020         https://bugs.webkit.org/show_bug.cgi?id=174739
2021         <rdar://problem/33468197>
2022
2023         Reviewed by Brian Burg.
2024
2025         Allow debugger agents to perform custom logic when asynchronous stack
2026         trace data is cleared. For example, the PageDebuggerAgent would clear
2027         its list of registered listeners for which call stacks have been recorded.
2028
2029         * inspector/agents/InspectorDebuggerAgent.cpp:
2030         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
2031         * inspector/agents/InspectorDebuggerAgent.h:
2032
2033 2017-07-28  Mark Lam  <mark.lam@apple.com>
2034
2035         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
2036         https://bugs.webkit.org/show_bug.cgi?id=174948
2037         <rdar://problem/33495680>
2038
2039         Reviewed by Filip Pizlo.
2040
2041         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
2042         owner StructureRareData is already known to be dead (in terms of GC liveness) but
2043         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
2044         requests to fire this watchpoint.
2045
2046         If the GC had the chance to sweep the StructureRareData, thereby destructing the
2047         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
2048         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
2049
2050         But since the watchpoint hasn't been destructed yet, it still remains on the
2051         WatchpointSet and needs to guard against being fired in this state.  The fix is
2052         to simply return early if its owner StructureRareData is not live.  This has the
2053         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
2054         not firing as we would expect.
2055
2056         This patch also removes some cargo cult copying of watchpoint code which
2057         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
2058         used.  This patch removes these unnecessary instantiations.
2059
2060         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
2061         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
2062         * runtime/StructureRareData.cpp:
2063         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
2064         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
2065
2066 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
2067
2068         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
2069         https://bugs.webkit.org/show_bug.cgi?id=174900
2070
2071         Reviewed by Saam Barati.
2072
2073         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
2074         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
2075         The problem is that even the transforming phase also checks these pseudo terminals.
2076
2077             BB1
2078             1: ForceOSRExit
2079             2: CreateDirectArguments
2080
2081             BB2
2082             3: GetButterfly(@2)
2083             4: ForceOSRExit
2084
2085         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
2086
2087         In this patch, we stop listing candidates after seeing pseudo terminals in basic blocks.
2088
2089         * dfg/DFGArgumentsEliminationPhase.cpp:
2090
2091 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
2092
2093         [ES] Add support finally to Promise
2094         https://bugs.webkit.org/show_bug.cgi?id=174503
2095
2096         Reviewed by Yusuke Suzuki.
2097
2098         Add support for the `finally` method to Promise according
2099         to https://bugs.webkit.org/show_bug.cgi?id=174503.
2100         The current spec is at stage 3:
2101         https://github.com/tc39/proposal-promise-finally
2102
2103         * builtins/PromisePrototype.js:
2104         (finally):
2105         (const.valueThunk):
2106         (globalPrivate.getThenFinally):
2107         (const.thrower):
2108         (globalPrivate.getCatchFinally):
2109         * runtime/JSPromisePrototype.cpp:
2110
2111 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2112
2113         Unreviewed, build fix for CLoop
2114         https://bugs.webkit.org/show_bug.cgi?id=171637
2115
2116         * domjit/DOMJITGetterSetter.h:
2117
2118 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2119
2120         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
2121         https://bugs.webkit.org/show_bug.cgi?id=171637
2122
2123         Reviewed by Darin Adler.
2124
2125         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
2126         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
2127
2128         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
2129         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
2130
2131         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
2132         the op_get_by_id_with_this case yet.
2133         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
2134
2135         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs
2136         the ClassInfo check.
2137
2138         * CMakeLists.txt:
2139         * JavaScriptCore.xcodeproj/project.pbxproj:
2140         * bytecode/AccessCase.cpp:
2141         (JSC::AccessCase::generateImpl):
2142         * bytecode/GetByIdStatus.cpp:
2143         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
2144         * bytecode/GetByIdVariant.cpp:
2145         (JSC::GetByIdVariant::GetByIdVariant):
2146         (JSC::GetByIdVariant::operator=):
2147         (JSC::GetByIdVariant::attemptToMerge):
2148         (JSC::GetByIdVariant::dumpInContext):
2149         * bytecode/GetByIdVariant.h:
2150         (JSC::GetByIdVariant::customAccessorGetter):
2151         (JSC::GetByIdVariant::domAttribute):
2152         (JSC::GetByIdVariant::domJIT): Deleted.
2153         * bytecode/GetterSetterAccessCase.cpp:
2154         (JSC::GetterSetterAccessCase::create):
2155         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
2156         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
2157         * bytecode/GetterSetterAccessCase.h:
2158         (JSC::GetterSetterAccessCase::domAttribute):
2159         (JSC::GetterSetterAccessCase::customAccessor):
2160         (JSC::GetterSetterAccessCase::domJIT): Deleted.
2161         * bytecompiler/BytecodeGenerator.cpp:
2162         (JSC::BytecodeGenerator::instantiateLexicalVariables):
2163         * create_hash_table:
2164         * dfg/DFGAbstractInterpreterInlines.h:
2165         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2166         * dfg/DFGByteCodeParser.cpp:
2167         (JSC::DFG::blessCallDOMGetter):
2168         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
2169         (JSC::DFG::ByteCodeParser::handleGetById):
2170         * dfg/DFGClobberize.h:
2171         (JSC::DFG::clobberize):
2172         * dfg/DFGFixupPhase.cpp:
2173         (JSC::DFG::FixupPhase::fixupNode):
2174         * dfg/DFGNode.h:
2175         * dfg/DFGSpeculativeJIT.cpp:
2176         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
2177         * dfg/DFGSpeculativeJIT.h:
2178         (JSC::DFG::SpeculativeJIT::callCustomGetter):
2179         * domjit/DOMJITGetterSetter.h:
2180         (JSC::DOMJIT::GetterSetter::GetterSetter):
2181         (JSC::DOMJIT::GetterSetter::getter):
2182         (JSC::DOMJIT::GetterSetter::compiler):
2183         (JSC::DOMJIT::GetterSetter::resultType):
2184         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
2185         (JSC::DOMJIT::GetterSetter::setter): Deleted.
2186         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
2187         * ftl/FTLLowerDFGToB3.cpp:
2188         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
2189         * jit/Repatch.cpp:
2190         (JSC::tryCacheGetByID):
2191         * jsc.cpp:
2192         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
2193         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
2194         (WTF::DOMJITGetter::customGetter):
2195         (WTF::DOMJITGetter::finishCreation):
2196         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
2197         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
2198         (WTF::DOMJITGetterComplex::customGetter):
2199         (WTF::DOMJITGetterComplex::finishCreation):
2200         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
2201         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
2202         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
2203         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
2204         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
2205         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
2206         * runtime/CustomGetterSetter.h:
2207         (JSC::CustomGetterSetter::create):
2208         (JSC::CustomGetterSetter::setter):
2209         (JSC::CustomGetterSetter::CustomGetterSetter):
2210         (): Deleted.
2211         * runtime/DOMAnnotation.h: Added.
2212         (JSC::operator==):
2213         (JSC::operator!=):
2214         * runtime/DOMAttributeGetterSetter.cpp: Added.
2215         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
2216         (JSC::isDOMAttributeGetterSetter):
2217         * runtime/Error.cpp:
2218         (JSC::throwDOMAttributeGetterTypeError):
2219         * runtime/Error.h:
2220         (JSC::throwVMDOMAttributeGetterTypeError):
2221         * runtime/JSCustomGetterSetterFunction.cpp:
2222         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
2223         * runtime/JSObject.cpp:
2224         (JSC::JSObject::putInlineSlow):
2225         (JSC::JSObject::deleteProperty):
2226         (JSC::JSObject::getOwnStaticPropertySlot):
2227         (JSC::JSObject::reifyAllStaticProperties):
2228         (JSC::JSObject::fillGetterPropertySlot):
2229         (JSC::JSObject::findPropertyHashEntry): Deleted.
2230         * runtime/JSObject.h:
2231         (JSC::JSObject::getOwnNonIndexPropertySlot):
2232         (JSC::JSObject::fillCustomGetterPropertySlot):
2233         * runtime/Lookup.cpp:
2234         (JSC::setUpStaticFunctionSlot):
2235         * runtime/Lookup.h:
2236         (JSC::HashTableValue::domJIT):
2237         (JSC::getStaticPropertySlotFromTable):
2238         (JSC::putEntry):
2239         (JSC::lookupPut):
2240         (JSC::reifyStaticProperty):
2241         (JSC::reifyStaticProperties):
2242         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
2243         this static property table require.
2244
2245         * runtime/ProgramExecutable.cpp:
2246         (JSC::ProgramExecutable::initializeGlobalProperties):
2247         * runtime/PropertyName.h:
2248         * runtime/PropertySlot.cpp:
2249         (JSC::PropertySlot::customGetter):
2250         (JSC::PropertySlot::customAccessorGetter):
2251         * runtime/PropertySlot.h:
2252         (JSC::PropertySlot::domAttribute):
2253         (JSC::PropertySlot::setCustom):
2254         (JSC::PropertySlot::setCacheableCustom):
2255         (JSC::PropertySlot::getValue):
2256         (JSC::PropertySlot::domJIT): Deleted.
2257         * runtime/VM.cpp:
2258         (JSC::VM::VM):
2259         * runtime/VM.h:
2260
2261 2017-07-26  Devin Rousso  <drousso@apple.com>
2262
2263         Web Inspector: create protocol for recording Canvas contexts
2264         https://bugs.webkit.org/show_bug.cgi?id=174481
2265
2266         Reviewed by Joseph Pecoraro.
2267
2268         * inspector/protocol/Canvas.json:
2269          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
2270          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
2271          - Add `recordingFinished` event that is fired once a recording is finished.
2272
2273         * CMakeLists.txt:
2274         * DerivedSources.make:
2275         * inspector/protocol/Recording.json: Added.
2276          - Add `Type` enum that lists the types of recordings.
2277          - Add `InitialState` type that contains information about the canvas context at the
2278            beginning of the recording.
2279          - Add `Frame` type that holds a list of actions that were recorded.
2280          - Add `Recording` type as the container object of recording data.
2281
2282         * inspector/scripts/codegen/generate_js_backend_commands.py:
2283         (JSBackendCommandsGenerator.generate_domain):
2284         Create an agent for domains with no events or commands.
2285
2286         * inspector/InspectorValues.h:
2287         Make Array `get` public so that values can be retrieved if needed.
2288
2289 2017-07-26  Brian Burg  <bburg@apple.com>
2290
2291         Remove WEB_TIMING feature flag
2292         https://bugs.webkit.org/show_bug.cgi?id=174795
2293
2294         Reviewed by Alex Christensen.
2295
2296         * Configurations/FeatureDefines.xcconfig:
2297
2298 2017-07-26  Mark Lam  <mark.lam@apple.com>
2299
2300         Add the ability to change sp and pc to the ARM64 JIT probe.
2301         https://bugs.webkit.org/show_bug.cgi?id=174697
2302         <rdar://problem/33436965>
2303
2304         Reviewed by JF Bastien.
2305
2306         This patch implements the following:
2307
2308         1. The ARM64 probe now supports modifying the pc and sp.
2309
2310            However, lr is not preserved when modifying the pc because it is used as the
2311            scratch register for the indirect jump. Hence, the probe handler function
2312            may not modify both lr and pc in the same probe invocation.
2313
2314         2. Fix probe tests to use bitwise comparison when comparing double register
2315            values. Otherwise, equivalent NaN values will be interpreted as not equivalent.
2316
2317         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
2318            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
2319            instructions which require 16 byte alignment for their memory access.
2320
2321         * assembler/MacroAssemblerARM64.cpp:
2322         (JSC::arm64ProbeError):
2323         (JSC::MacroAssembler::probe):
2324         (JSC::arm64ProbeTrampoline): Deleted.
2325         * assembler/testmasm.cpp:
2326         (JSC::isSpecialGPR):
2327         (JSC::testProbeReadsArgumentRegisters):
2328         (JSC::testProbeWritesArgumentRegisters):
2329         (JSC::testProbePreservesGPRS):
2330         (JSC::testProbeModifiesStackPointer):
2331         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2332         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2333
2334 2017-07-25  JF Bastien  <jfbastien@apple.com>
2335
2336         WebAssembly: generate smaller binaries
2337         https://bugs.webkit.org/show_bug.cgi?id=174818
2338
2339         Reviewed by Filip Pizlo.
2340
2341         This patch reduces generated code size for WebAssembly in 2 ways:
2342
2343         1. Use the ZR register when storing zero on ARM64.
2344         2. Synthesize wasm context lazily.
2345
2346         This leads to a modest size reduction on both x86-64 and ARM64 for
2347         large WebAssembly games, without any performance loss on WasmBench
2348         and TitzerBench.
2349
2350         The reason this works is that these games, using Emscripten,
2351         generate 100k+ tiny functions, and our JIT allocation granule
2352         rounds all allocations up to 32 bytes. There are plenty of other
2353         simple gains to be had; I've filed a follow-up bug at
2354         webkit.org/b/174819.
2355
2356         We should further avoid the per-function cost of tiering, which
2357         represents the bulk of code generated for small functions.
2358
2359         * assembler/MacroAssemblerARM64.h:
2360         (JSC::MacroAssemblerARM64::storeZero64):
2361         * assembler/MacroAssemblerX86_64.h:
2362         (JSC::MacroAssemblerX86_64::storeZero64):
2363         * b3/B3LowerToAir.cpp:
2364         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
2365         for x86 because it constrains register reuse and codegen in a way
2366         that doesn't affect ARM64 because it has a dedicated zero
2367         register.
2368         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
2369         * wasm/WasmB3IRGenerator.cpp:
2370         (JSC::Wasm::B3IRGenerator::instanceValue):
2371         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
2372         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2373         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
2374
2375 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
2376
2377         B3 should do LICM
2378         https://bugs.webkit.org/show_bug.cgi?id=174750
2379
2380         Reviewed by Keith Miller and Saam Barati.
2381         
2382         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
2383         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
2384         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
2385         change templatizes DFG::NaturalLoops so that we can just use it.
2386         
2387         The LICM phase itself is really simple. We are decently precise with our handling of everything except
2388         the relationship between control dependence and side exits.
2389         
2390         Also added a bunch of tests.
2391         
2392         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
2393         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
2394         so it doesn't hurt to have it.
2395         
2396         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
2397         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
2398         it's good to have it because LICM is one of those core compiler phases; every compiler has it
2399         eventually.
2400
2401         * CMakeLists.txt:
2402         * JavaScriptCore.xcodeproj/project.pbxproj:
2403         * b3/B3BackwardsCFG.h: Added.
2404         (JSC::B3::BackwardsCFG::BackwardsCFG):
2405         * b3/B3BackwardsDominators.h: Added.
2406         (JSC::B3::BackwardsDominators::BackwardsDominators):
2407         * b3/B3BasicBlock.cpp:
2408         (JSC::B3::BasicBlock::appendNonTerminal):
2409         * b3/B3Effects.h:
2410         * b3/B3EnsureLoopPreHeaders.cpp: Added.
2411         (JSC::B3::ensureLoopPreHeaders):
2412         * b3/B3EnsureLoopPreHeaders.h: Added.
2413         * b3/B3Generate.cpp:
2414         (JSC::B3::generateToAir):
2415         * b3/B3HoistLoopInvariantValues.cpp: Added.
2416         (JSC::B3::hoistLoopInvariantValues):
2417         * b3/B3HoistLoopInvariantValues.h: Added.
2418         * b3/B3NaturalLoops.h: Added.
2419         (JSC::B3::NaturalLoops::NaturalLoops):
2420         * b3/B3Procedure.cpp:
2421         (JSC::B3::Procedure::invalidateCFG):
2422         (JSC::B3::Procedure::naturalLoops):
2423         (JSC::B3::Procedure::backwardsCFG):
2424         (JSC::B3::Procedure::backwardsDominators):
2425         * b3/B3Procedure.h:
2426         * b3/testb3.cpp:
2427         (JSC::B3::generateLoop):
2428         (JSC::B3::makeArrayForLoops):
2429         (JSC::B3::generateLoopNotBackwardsDominant):
2430         (JSC::B3::oneFunction):
2431         (JSC::B3::noOpFunction):
2432         (JSC::B3::testLICMPure):
2433         (JSC::B3::testLICMPureSideExits):
2434         (JSC::B3::testLICMPureWritesPinned):
2435         (JSC::B3::testLICMPureWrites):
2436         (JSC::B3::testLICMReadsLocalState):
2437         (JSC::B3::testLICMReadsPinned):
2438         (JSC::B3::testLICMReads):
2439         (JSC::B3::testLICMPureNotBackwardsDominant):
2440         (JSC::B3::testLICMPureFoiledByChild):
2441         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
2442         (JSC::B3::testLICMExitsSideways):
2443         (JSC::B3::testLICMWritesLocalState):
2444         (JSC::B3::testLICMWrites):
2445         (JSC::B3::testLICMFence):
2446         (JSC::B3::testLICMWritesPinned):
2447         (JSC::B3::testLICMControlDependent):
2448         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
2449         (JSC::B3::testLICMControlDependentSideExits):
2450         (JSC::B3::testLICMReadsPinnedWritesPinned):
2451         (JSC::B3::testLICMReadsWritesDifferentHeaps):
2452         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
2453         (JSC::B3::testLICMDefaultCall):
2454         (JSC::B3::run):
2455         * dfg/DFGBasicBlock.h:
2456         * dfg/DFGCFG.h:
2457         * dfg/DFGNaturalLoops.cpp: Removed.
2458         * dfg/DFGNaturalLoops.h:
2459         (JSC::DFG::NaturalLoops::NaturalLoops):
2460         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
2461         (JSC::DFG::NaturalLoop::header): Deleted.
2462         (JSC::DFG::NaturalLoop::size): Deleted.
2463         (JSC::DFG::NaturalLoop::at): Deleted.
2464         (JSC::DFG::NaturalLoop::operator[]): Deleted.
2465         (JSC::DFG::NaturalLoop::contains): Deleted.
2466         (JSC::DFG::NaturalLoop::index): Deleted.
2467         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
2468         (JSC::DFG::NaturalLoop::addBlock): Deleted.
2469         (JSC::DFG::NaturalLoops::numLoops): Deleted.
2470         (JSC::DFG::NaturalLoops::loop): Deleted.
2471         (JSC::DFG::NaturalLoops::headerOf): Deleted.
2472         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
2473         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
2474         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
2475         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
2476
2477 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
2478
2479         GC should be fine with trading blocks between destructor and non-destructor blocks
2480         https://bugs.webkit.org/show_bug.cgi?id=174811
2481
2482         Reviewed by Mark Lam.
2483         
2484         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
2485         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
2486         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
2487         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
2488         set.
2489         
2490         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
2491         is empty if:
2492         
2493         A) It has no live objects and it's a non-destructor block, or
2494         B) We just allocated it (so it has no destructors even if it's a destructor block), or
2495         C) We just stole it from another allocator (so it also has no destructors), or
2496         D) We just swept the block and ran all destructors.
2497         
2498         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
2499         block that could be stolen.
2500
2501         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
2502         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
2503         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
2504         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
2505         
2506         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
2507         
2508         If we tried to enable trading of blocks between allocators without making any changes to how
2509         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
2510         live objects in order for those bits to be candidates for trading. But if we do that, then our
2511         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
2512         our destructors won't run and we'll leak memory.
2513         
2514         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
2515         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
2516         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
2517         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
2518         are (empty & ~destructible).
2519         
2520         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
2521         remove destructor-oriented special-casing of block trading.
2522
2523         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
2524         so this change is more about clean-up than perf. But, this could reduce memory usage in some
2525         pathological cases.
2526         
2527         * heap/MarkedAllocator.cpp:
2528         (JSC::MarkedAllocator::findEmptyBlockToSteal):
2529         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2530         (JSC::MarkedAllocator::endMarking):
2531         (JSC::MarkedAllocator::shrink):
2532         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
2533         * heap/MarkedAllocator.h:
2534         * heap/MarkedBlock.cpp:
2535         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2536         (JSC::MarkedBlock::Handle::sweep):
2537         * heap/MarkedBlockInlines.h:
2538         (JSC::MarkedBlock::Handle::specializedSweep):
2539         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
2540         (JSC::MarkedBlock::Handle::emptyMode):
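
As an added, constructed model of the `empty` / `destructible` split this entry describes (not JSC's MarkedAllocator code; the block layout and the 5-dead/3-live heap are made up, every block is flagged destructible after marking, and a thief is assumed to sweep a stolen block before reuse):

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Constructed model of the `empty` / `destructible` block bits described above;
// an added illustration, not JSC's MarkedAllocator code.
struct Block {
    bool needsDestruction = false; // block belongs to a destructor Subspace
    size_t liveCells = 0;          // cells still reachable after marking
    size_t deadUndestructed = 0;   // dead cells whose destructors have not run
    bool empty = true;             // "no live objects" bit. Cases (B)/(C): a new or
    bool destructible = false;     // stolen block starts out empty and non-destructible.
};

struct Heap {
    std::vector<Block> blocks;
    size_t destructorsRun = 0;
};

// After marking, `empty` means only "no live objects", for destructor and
// non-destructor blocks alike. Every block is flagged destructible; the two bits
// are now independent.
void endMarking(Heap& heap)
{
    for (Block& b : heap.blocks) {
        b.empty = (b.liveCells == 0);
        b.destructible = true;
    }
}

// Case (D): sweeping runs the outstanding destructors and clears `destructible`.
// Keyed on `destructible`, never on `empty`, so an empty destructor block still
// gets its destructors run instead of leaking them.
void sweep(Heap& heap, Block& b)
{
    if (!b.destructible)
        return;
    if (b.needsDestruction)
        heap.destructorsRun += b.deadUndestructed;
    b.deadUndestructed = 0;
    b.destructible = false;
}

// Block trading: any empty block is a candidate, whichever Subspace owned it.
// Modelling assumption: the thief sweeps a destructible block before reusing it,
// so garbage bits are never mistaken for live cells needing destruction.
Block* findEmptyBlockToSteal(Heap& heap)
{
    for (Block& b : heap.blocks) {
        if (!b.empty)
            continue;
        sweep(heap, b);
        return &b;
    }
    return nullptr;
}

// Shrink releases only blocks that are (empty & ~destructible). Returns the count.
size_t shrink(Heap& heap)
{
    size_t released = 0;
    for (size_t i = 0; i < heap.blocks.size();) {
        if (heap.blocks[i].empty && !heap.blocks[i].destructible) {
            heap.blocks.erase(heap.blocks.begin() + i);
            ++released;
        } else
            ++i;
    }
    return released;
}

// Constructed heap: a destructor block whose 5 objects all died, and a
// non-destructor block still holding 3 live objects.
Heap makeHeap()
{
    Heap heap;
    heap.blocks.push_back(Block { true, 0, 5 });
    heap.blocks.push_back(Block { false, 3, 0 });
    return heap;
}

int main()
{
    Heap heap = makeHeap();
    endMarking(heap);
    // The dead destructor block is empty but still destructible, so shrink must
    // not release it yet, while the steal below is free to take it.
    size_t releasedEarly = shrink(heap);                          // 0
    Block* stolen = findEmptyBlockToSteal(heap);                  // the dead destructor block
    bool stoleDestructorBlock = stolen && stolen->needsDestruction; // true
    size_t ranOnSteal = heap.destructorsRun;                      // 5: its destructors still ran
    for (Block& b : heap.blocks)
        sweep(heap, b);
    size_t releasedLate = shrink(heap);                           // 1: (empty & ~destructible)
    std::printf("shrink early=%zu stole destructor block=%d ran=%zu shrink late=%zu\n",
        releasedEarly, stoleDestructorBlock ? 1 : 0, ranOnSteal, releasedLate);
}
```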
2541
2542 2017-07-25  Keith Miller  <keith_miller@apple.com>
2543
2544         Remove Broken CompareEq constant folding phase.
2545         https://bugs.webkit.org/show_bug.cgi?id=174846
2546         <rdar://problem/32978808>
2547
2548         Reviewed by Saam Barati.
2549
2550         This bug happened when we would get code like the following:
2551
2552         a: JSConst(Undefined)
2553         b: GetLocal(SomeObjectOrUndefined)
2554         ...
2555         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
2556
2557         constant folding will turn this into:
2558
2559         a: JSConst(Undefined)
2560         b: GetLocal(SomeObjectOrUndefined)
2561         ...
2562         c: CompareEq(Check:ObjectOrOther:b, Other:a)
2563
2564         But the SpeculativeJIT/FTL lowering will fail to check b
2565         properly which leads to an assertion failure in the AI.
2566
2567         I'll follow up with a more robust fix later. For now, I'll remove the
2568         case that generates the code. Removing the code appears to be perf
2569         neutral.
2570
2571         * dfg/DFGConstantFoldingPhase.cpp:
2572         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2573
2574 2017-07-25  Matt Baker  <mattbaker@apple.com>
2575
2576         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
2577         https://bugs.webkit.org/show_bug.cgi?id=174738
2578
2579         Reviewed by Brian Burg.
2580
2581         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
2582         stack traces. This preserves the call type in JSC, makes the range of
2583         possible call types explicit, and is safer than passing ints.
2584
2585         * inspector/agents/InspectorDebuggerAgent.cpp:
2586         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
2587         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2588         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2589         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2590         * inspector/agents/InspectorDebuggerAgent.h:
2591
2592 2017-07-25  Mark Lam  <mark.lam@apple.com>
2593
2594         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
2595         https://bugs.webkit.org/show_bug.cgi?id=174809
2596         <rdar://problem/33504759>
2597
2598         Reviewed by Filip Pizlo.
2599
2600         1. When the probe handler function changes the sp register to point to the
2601            region of stack in the middle of the ProbeContext on the stack, there is a
2602            bug where the ProbeContext's register values to be restored can be over-written
2603            before they can be restored.  This is now fixed.
2604
2605         2. Added more robust probe tests for changing the sp register.
2606
2607         3. Made existing probe tests ensure that probe handlers were actually called.
2608
2609         4. Added some verification to testProbePreservesGPRS().
2610
2611         5. Change all the probe tests to fail early on discovering an error instead of
2612            batching till the end of the test.  This helps point a finger to the failing
2613            issue earlier.
2614
2615         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
2616         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
2617
2618         * assembler/MacroAssemblerARM.cpp:
2619         * assembler/MacroAssemblerARMv7.cpp:
2620         * assembler/MacroAssemblerX86Common.cpp:
2621         * assembler/testmasm.cpp:
2622         (JSC::testProbeReadsArgumentRegisters):
2623         (JSC::testProbeWritesArgumentRegisters):
2624         (JSC::testProbePreservesGPRS):
2625         (JSC::testProbeModifiesStackPointer):
2626         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2627         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2628         (JSC::testProbeModifiesProgramCounter):
2629         (JSC::run):
2630
2631 2017-07-25  Brian Burg  <bburg@apple.com>
2632
2633         Web Automation: add support for uploading files
2634         https://bugs.webkit.org/show_bug.cgi?id=174797
2635         <rdar://problem/28485063>
2636
2637         Reviewed by Joseph Pecoraro.
2638
2639         * inspector/scripts/generate-inspector-protocol-bindings.py:
2640         (generate_from_specification):
2641         Start generating frontend dispatcher code if the target framework is 'WebKit'.
2642
2643         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2644         (CppFrontendDispatcherImplementationGenerator.generate_output):
2645         Use a framework include for InspectorFrontendRouter.h since this generated code
2646         will be compiled outside of WebCore.framework.
2647
2648         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2649         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2650         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2651         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2652         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2653         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2654         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2655         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2656         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2657         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2658         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2659         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2660         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2661         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2662         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2663         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2664         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2665         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2666         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2667         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2668         Rebaseline code generator tests.
2669
2670 2017-07-24  Mark Lam  <mark.lam@apple.com>
2671
2672         Gardening: fixed C Loop build after r219790.
2673         https://bugs.webkit.org/show_bug.cgi?id=174696
2674
2675         Not reviewed.
2676
2677         * assembler/testmasm.cpp:
2678
2679 2017-07-23  Mark Lam  <mark.lam@apple.com>
2680
2681         Create regression tests for the JIT probe.
2682         https://bugs.webkit.org/show_bug.cgi?id=174696
2683         <rdar://problem/33436922>
2684
2685         Reviewed by Saam Barati.
2686
2687         The new testmasm will test the following:
2688         1. the probe is able to read the value of CPU registers.
2689         2. the probe is able to write the value of CPU registers.
2690         3. the probe is able to preserve all CPU registers.
2691         4. special case of (2): the probe is able to change the value of the stack pointer.
2692         5. special case of (2): the probe is able to change the value of the program counter
2693            i.e. the probe can change where the code continues executing upon returning from
2694            the probe.
2695
2696         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
2697         because it does not support changing the sp and pc yet.  The ARM64 probe
2698         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
2699         later.
2700
2701         * Configurations/ToolExecutable.xcconfig:
2702         * JavaScriptCore.xcodeproj/project.pbxproj:
2703         * assembler/MacroAssembler.h:
2704         (JSC::MacroAssembler::CPUState::pc):
2705         (JSC::MacroAssembler::CPUState::fp):
2706         (JSC::MacroAssembler::CPUState::sp):
2707         (JSC::ProbeContext::pc):
2708         (JSC::ProbeContext::fp):
2709         (JSC::ProbeContext::sp):
2710         * assembler/MacroAssemblerARM64.cpp:
2711         (JSC::arm64ProbeTrampoline):
2712         * assembler/MacroAssemblerPrinter.cpp:
2713         (JSC::Printer::printPCRegister):
2714         * assembler/testmasm.cpp: Added.
2715         (hiddenTruthBecauseNoReturnIsStupid):
2716         (usage):
2717         (JSC::nextID):
2718         (JSC::isPC):
2719         (JSC::isSP):
2720         (JSC::isFP):
2721         (JSC::compile):
2722         (JSC::invoke):
2723         (JSC::compileAndRun):
2724         (JSC::testSimple):
2725         (JSC::testProbeReadsArgumentRegisters):
2726         (JSC::testProbeWritesArgumentRegisters):
2727         (JSC::testFunctionToTrashRegisters):
2728         (JSC::testProbePreservesGPRS):
2729         (JSC::testProbeModifiesStackPointer):
2730         (JSC::testProbeModifiesProgramCounter):
2731         (JSC::run):
2732         (run):
2733         (main):
2734         * b3/air/testair.cpp:
2735         (usage):
2736         * shell/CMakeLists.txt:
2737
2738 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
2739
2740         It should be easy to decide how WebKit yields
2741         https://bugs.webkit.org/show_bug.cgi?id=174298
2742
2743         Reviewed by Saam Barati.
2744         
2745         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
2746
2747         * heap/Heap.cpp:
2748         (JSC::Heap::resumeThePeriphery):
2749         * heap/VisitingTimeout.h:
2750         * runtime/JSCell.cpp:
2751         (JSC::JSCell::lockSlow):
2752         (JSC::JSCell::unlockSlow):
2753         * runtime/JSCell.h:
2754         * runtime/JSCellInlines.h:
2755         (JSC::JSCell::lock):
2756         (JSC::JSCell::unlock):
2757         * runtime/JSLock.cpp:
2758         (JSC::JSLock::grabAllLocks):
2759         * runtime/SamplingProfiler.cpp:
2760
2761 2017-07-21  Mark Lam  <mark.lam@apple.com>
2762
2763         Refactor MASM probe CPUState to use arrays for register storage.
2764         https://bugs.webkit.org/show_bug.cgi?id=174694
2765
2766         Reviewed by Keith Miller.
2767
2768         Using arrays for register storage in CPUState allows us to do away with the
2769         huge switch statements to decode each register id.  We can now simply index into
2770         the arrays.
2771
2772         With this patch, we now:
2773
2774         1. Remove the need for macros for defining the list of CPU registers.
2775            We can go back to simple enums.  This makes the code easier to read.
2776
2777         2. Make the assembler the authority on register names.
2778            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
2779            GPRInfo and FPRInfo now forward to the assembler.
2780
2781         3. Make the assembler the authority on the number of registers of each type.
2782
2783         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
2784            This is inconsistent with how every other CPU architecture implements
2785            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
2786            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
2787
2788         * assembler/ARM64Assembler.h:
2789         (JSC::ARM64Assembler::numberOfRegisters):
2790         (JSC::ARM64Assembler::firstSPRegister):
2791         (JSC::ARM64Assembler::lastSPRegister):
2792         (JSC::ARM64Assembler::numberOfSPRegisters):
2793         (JSC::ARM64Assembler::numberOfFPRegisters):
2794         (JSC::ARM64Assembler::gprName):
2795         (JSC::ARM64Assembler::sprName):
2796         (JSC::ARM64Assembler::fprName):
2797         * assembler/ARMAssembler.h:
2798         (JSC::ARMAssembler::numberOfRegisters):
2799         (JSC::ARMAssembler::firstSPRegister):
2800         (JSC::ARMAssembler::lastSPRegister):
2801         (JSC::ARMAssembler::numberOfSPRegisters):
2802         (JSC::ARMAssembler::numberOfFPRegisters):
2803         (JSC::ARMAssembler::gprName):
2804         (JSC::ARMAssembler::sprName):
2805         (JSC::ARMAssembler::fprName):
2806         * assembler/ARMv7Assembler.h:
2807         (JSC::ARMv7Assembler::lastRegister):
2808         (JSC::ARMv7Assembler::numberOfRegisters):
2809         (JSC::ARMv7Assembler::firstSPRegister):
2810         (JSC::ARMv7Assembler::lastSPRegister):
2811         (JSC::ARMv7Assembler::numberOfSPRegisters):
2812         (JSC::ARMv7Assembler::numberOfFPRegisters):
2813         (JSC::ARMv7Assembler::gprName):
2814         (JSC::ARMv7Assembler::sprName):
2815         (JSC::ARMv7Assembler::fprName):
2816         * assembler/AbstractMacroAssembler.h:
2817         (JSC::AbstractMacroAssembler::numberOfRegisters):
2818         (JSC::AbstractMacroAssembler::gprName):
2819         (JSC::AbstractMacroAssembler::firstSPRegister):
2820         (JSC::AbstractMacroAssembler::lastSPRegister):
2821         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
2822         (JSC::AbstractMacroAssembler::sprName):
2823         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
2824         (JSC::AbstractMacroAssembler::fprName):
2825         * assembler/MIPSAssembler.h:
2826         (JSC::MIPSAssembler::numberOfRegisters):
2827         (JSC::MIPSAssembler::firstSPRegister):
2828         (JSC::MIPSAssembler::lastSPRegister):
2829         (JSC::MIPSAssembler::numberOfSPRegisters):
2830         (JSC::MIPSAssembler::numberOfFPRegisters):
2831         (JSC::MIPSAssembler::gprName):
2832         (JSC::MIPSAssembler::sprName):
2833         (JSC::MIPSAssembler::fprName):
2834         * assembler/MacroAssembler.h:
2835         (JSC::MacroAssembler::CPUState::gprName):
2836         (JSC::MacroAssembler::CPUState::sprName):
2837         (JSC::MacroAssembler::CPUState::fprName):
2838         (JSC::MacroAssembler::CPUState::gpr):
2839         (JSC::MacroAssembler::CPUState::spr):
2840         (JSC::MacroAssembler::CPUState::fpr):
2841         (JSC::MacroAssembler::CPUState::pc):
2842         (JSC::MacroAssembler::CPUState::fp):
2843         (JSC::MacroAssembler::CPUState::sp):
2844         (JSC::ProbeContext::gpr):
2845         (JSC::ProbeContext::spr):
2846         (JSC::ProbeContext::fpr):
2847         (JSC::ProbeContext::gprName):
2848         (JSC::ProbeContext::sprName):
2849         (JSC::ProbeContext::fprName):
2850         (JSC::MacroAssembler::numberOfRegisters): Deleted.
2851         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
2852         * assembler/MacroAssemblerARM.cpp:
2853         * assembler/MacroAssemblerARM64.cpp:
2854         (JSC::arm64ProbeTrampoline):
2855         * assembler/MacroAssemblerARMv7.cpp:
2856         * assembler/MacroAssemblerPrinter.cpp:
2857         (JSC::Printer::nextID):
2858         (JSC::Printer::printAllRegisters):
2859         (JSC::Printer::printPCRegister):
2860         (JSC::Printer::printRegisterID):
2861         (JSC::Printer::printAddress):
2862         * assembler/MacroAssemblerX86Common.cpp:
2863         * assembler/X86Assembler.h:
2864         (JSC::X86Assembler::numberOfRegisters):
2865         (JSC::X86Assembler::firstSPRegister):
2866         (JSC::X86Assembler::lastSPRegister):
2867         (JSC::X86Assembler::numberOfSPRegisters):
2868         (JSC::X86Assembler::numberOfFPRegisters):
2869         (JSC::X86Assembler::gprName):
2870         (JSC::X86Assembler::sprName):
2871         (JSC::X86Assembler::fprName):
2872         * jit/FPRInfo.h:
2873         (JSC::FPRInfo::debugName):
2874         * jit/GPRInfo.h:
2875         (JSC::GPRInfo::debugName):
2876         * jit/RegisterSet.cpp:
2877         (JSC::RegisterSet::reservedHardwareRegisters):
2878
2879 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2880
2881         [JSC] Introduce static symbols
2882         https://bugs.webkit.org/show_bug.cgi?id=158863
2883
2884         Reviewed by Darin Adler.
2885
2886         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
2887         As a result, we can share the same Symbol values between VMs and threads.
2888         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
2889
2890         * CMakeLists.txt:
2891         * JavaScriptCore.xcodeproj/project.pbxproj:
2892         * builtins/BuiltinNames.cpp: Added.
2893         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
2894
2895         * builtins/BuiltinNames.h:
2896         (JSC::BuiltinNames::BuiltinNames):
2897         * builtins/BuiltinUtils.h:
2898
2899 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2900
2901         [FTL] Arguments elimination is suppressed by unreachable blocks
2902         https://bugs.webkit.org/show_bug.cgi?id=174352
2903
2904         Reviewed by Filip Pizlo.
2905
2906         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
2907         The problem is that the arguments elimination phase checks escaping even when ForceOSRExit precedes.
2908         Since GetById without information can escape arguments if it is specified, non-executed code including
2909         op_get_by_id with arguments can escape arguments.
2910
2911         For example,
2912
2913             function test(flag)
2914             {
2915                 if (flag) {
2916                     // This is not executed, but emits GetById with arguments.
2917                     // It prevents us from eliminating materialization.
2918                     return arguments.length;
2919                 }
2920                 return arguments.length;
2921             }
2922             noInline(test);
2923             while (true)
2924                 test(false);
2925
2926         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
2927         So this GetById exists and escapes arguments.
2928
2929         To solve this problem, our arguments elimination phase checks for preceding pseudo-terminal nodes.
2930         If one is found, the following GetById does not escape arguments. Compared to performing AI, it is
2931         lightweight, but it catches many of the typical cases in which we failed to perform arguments elimination.
2932
2933         * dfg/DFGArgumentsEliminationPhase.cpp:
2934         * dfg/DFGNode.h:
2935         (JSC::DFG::Node::isPseudoTerminal):
2936         * dfg/DFGValidate.cpp:
2937
2938 2017-07-20  Chris Dumez  <cdumez@apple.com>
2939
2940         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
2941         https://bugs.webkit.org/show_bug.cgi?id=174660
2942
2943         Reviewed by Geoffrey Garen.
2944
2945         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2946         This essentially replaces a branch to figure out if the new size is less or greater than the
2947         current size by an assertion.
2948
2949         * b3/B3BasicBlockUtils.h:
2950         (JSC::B3::clearPredecessors):
2951         * b3/B3InferSwitches.cpp:
2952         * b3/B3LowerToAir.cpp:
2953         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2954         * b3/B3ReduceStrength.cpp:
2955         * b3/B3SparseCollection.h:
2956         (JSC::B3::SparseCollection::packIndices):
2957         * b3/B3UseCounts.cpp:
2958         (JSC::B3::UseCounts::UseCounts):
2959         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2960         * b3/air/AirEmitShuffle.cpp:
2961         (JSC::B3::Air::emitShuffle):
2962         * b3/air/AirLowerAfterRegAlloc.cpp:
2963         (JSC::B3::Air::lowerAfterRegAlloc):
2964         * b3/air/AirOptimizeBlockOrder.cpp:
2965         (JSC::B3::Air::optimizeBlockOrder):
2966         * bytecode/Operands.h:
2967         (JSC::Operands::ensureLocals):
2968         * bytecode/PreciseJumpTargets.cpp:
2969         (JSC::computePreciseJumpTargetsInternal):
2970         * dfg/DFGBlockInsertionSet.cpp:
2971         (JSC::DFG::BlockInsertionSet::execute):
2972         * dfg/DFGBlockMapInlines.h:
2973         (JSC::DFG::BlockMap<T>::BlockMap):
2974         * dfg/DFGByteCodeParser.cpp:
2975         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2976         (JSC::DFG::ByteCodeParser::clearCaches):
2977         * dfg/DFGDisassembler.cpp:
2978         (JSC::DFG::Disassembler::Disassembler):
2979         * dfg/DFGFlowIndexing.cpp:
2980         (JSC::DFG::FlowIndexing::recompute):
2981         * dfg/DFGGraph.cpp:
2982         (JSC::DFG::Graph::registerFrozenValues):
2983         * dfg/DFGInPlaceAbstractState.cpp:
2984         (JSC::DFG::setLiveValues):
2985         * dfg/DFGLICMPhase.cpp:
2986         (JSC::DFG::LICMPhase::run):
2987         * dfg/DFGLivenessAnalysisPhase.cpp:
2988         * dfg/DFGNaturalLoops.cpp:
2989         (JSC::DFG::NaturalLoops::NaturalLoops):
2990         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2991         * ftl/FTLLowerDFGToB3.cpp:
2992         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2993         * heap/CodeBlockSet.cpp:
2994         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2995         * heap/MarkedSpace.cpp:
2996         (JSC::MarkedSpace::sweepLargeAllocations):
2997         * inspector/ContentSearchUtilities.cpp:
2998         (Inspector::ContentSearchUtilities::findMagicComment):
2999         * interpreter/ShadowChicken.cpp:
3000         (JSC::ShadowChicken::update):
3001         * parser/ASTBuilder.h:
3002         (JSC::ASTBuilder::shrinkOperandStackBy):
3003         * parser/Lexer.h:
3004         (JSC::Lexer::setOffset):
3005         * runtime/RegExpInlines.h:
3006         (JSC::RegExp::matchInline):
3007         * runtime/RegExpPrototype.cpp:
3008         (JSC::genericSplit):
3009         * yarr/RegularExpression.cpp:
3010         (JSC::Yarr::RegularExpression::match):
3011
3012 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
3013
3014         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
3015         https://bugs.webkit.org/show_bug.cgi?id=174678
3016
3017         Reviewed by Mark Lam.
3018
3019         Use Thread& instead.
3020
3021         * runtime/JSLock.cpp:
3022         (JSC::JSLock::didAcquireLock):
3023
3024 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
3025
3026         [WTF] Implement WTF::ThreadGroup
3027         https://bugs.webkit.org/show_bug.cgi?id=174081
3028
3029         Reviewed by Mark Lam.
3030
3031         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
3032         and SamplingProfiler and others interact with WTF::Thread directly.
3033
3034         * API/tests/ExecutionTimeLimitTest.cpp:
3035         * heap/MachineStackMarker.cpp:
3036         (JSC::MachineThreads::MachineThreads):
3037         (JSC::captureStack):
3038         (JSC::MachineThreads::tryCopyOtherThreadStack):
3039         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3040         (JSC::MachineThreads::gatherConservativeRoots):
3041         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3042         (JSC::ActiveMachineThreadsManager::add): Deleted.
3043         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3044         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3045         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3046         (JSC::activeMachineThreadsManager): Deleted.
3047         (JSC::MachineThreads::~MachineThreads): Deleted.
3048         (JSC::MachineThreads::addCurrentThread): Deleted.
3049         (): Deleted.
3050         (JSC::MachineThreads::removeThread): Deleted.
3051         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3052         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3053         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3054         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3055         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3056         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3057         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3058         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3059         * heap/MachineStackMarker.h:
3060         (JSC::MachineThreads::addCurrentThread):
3061         (JSC::MachineThreads::getLock):
3062         (JSC::MachineThreads::threads):
3063         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3064         (JSC::MachineThreads::MachineThread::resume): Deleted.
3065         (JSC::MachineThreads::MachineThread::threadID): Deleted.
3066         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
3067         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
3068         (JSC::MachineThreads::threadsListHead): Deleted.
3069         * runtime/SamplingProfiler.cpp:
3070         (JSC::FrameWalker::isValidFramePointer):
3071         (JSC::SamplingProfiler::SamplingProfiler):
3072         (JSC::SamplingProfiler::takeSample):
3073         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3074         * runtime/SamplingProfiler.h:
3075         * wasm/WasmMachineThreads.cpp:
3076         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3077
3078 2017-07-18  Andy Estes  <aestes@apple.com>
3079
3080         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
3081         https://bugs.webkit.org/show_bug.cgi?id=174631
3082
3083         Reviewed by Tim Horton.
3084
3085         * Configurations/Base.xcconfig:
3086         * b3/B3FoldPathConstants.cpp:
3087         * b3/B3LowerMacros.cpp:
3088         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
3089         * dfg/DFGByteCodeParser.cpp:
3090         (JSC::DFG::ByteCodeParser::check):
3091         (JSC::DFG::ByteCodeParser::planLoad):
3092
3093 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3094
3095         WTF::Thread should have the thread's stack bounds.
3096         https://bugs.webkit.org/show_bug.cgi?id=173975
3097
3098         Reviewed by Mark Lam.
3099
3100         There is a site in JSC that tries to walk another thread's stack.
3101         Currently, stack bounds are stored in WTFThreadData, which is located
3102         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3103         We work around this situation by holding StackBounds in MachineThread in JSC,
3104         but StackBounds should be put in WTF::Thread instead.
3105
3106         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
3107         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
3108
3109         * heap/MachineStackMarker.cpp:
3110         (JSC::MachineThreads::MachineThread::MachineThread):
3111         (JSC::MachineThreads::MachineThread::captureStack):
3112         * heap/MachineStackMarker.h:
3113         (JSC::MachineThreads::MachineThread::stackBase):
3114         (JSC::MachineThreads::MachineThread::stackEnd):
3115         * runtime/VMTraps.cpp:
3116
3117 2017-07-18  Andy Estes  <aestes@apple.com>
3118
3119         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
3120         https://bugs.webkit.org/show_bug.cgi?id=174631
3121
3122         Reviewed by Sam Weinig.
3123
3124         * Configurations/Base.xcconfig:
3125
3126 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
3127
3128         Web Inspector: Modernize InjectedScriptSource
3129         https://bugs.webkit.org/show_bug.cgi?id=173890
3130
3131         Reviewed by Brian Burg.
3132
3133         * inspector/InjectedScript.h:
3134         Reorder functions to be slightly better.
3135
3136         * inspector/InjectedScriptSource.js:
3137         - Convert to classes named InjectedScript and RemoteObject
3138         - Align InjectedScript's API with the wrapper C++ interfaces
3139         - Move some code to RemoteObject where appropriate (subtype, describe)
3140         - Move some code to helper functions (isPrimitiveValue, isDefined)
3141         - Refactor for readability and modern features
3142         - Remove some unused / unnecessary code
3143
3144 2017-07-18  Mark Lam  <mark.lam@apple.com>
3145
3146         Butterfly storage need not be initialized for indexing type Undecided.
3147         https://bugs.webkit.org/show_bug.cgi?id=174516
3148
3149         Reviewed by Saam Barati.
3150
3151         While it's not incorrect to initialize the butterfly storage when the
3152         indexingType is Undecided, it is inefficient as we'll end up initializing
3153         it again later when we convert the storage to a different indexingType.
3154         Some of our code already skips initializing Undecided butterflies.
3155         This patch makes it the consistent behavior everywhere.
3156
3157         * dfg/DFGSpeculativeJIT.cpp:
3158         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3159         * runtime/JSArray.cpp:
3160         (JSC::JSArray::tryCreateUninitializedRestricted):
3161         * runtime/JSArray.h:
3162         (JSC::JSArray::tryCreate):
3163         * runtime/JSObject.cpp:
3164         (JSC::JSObject::ensureLengthSlow):
3165
3166 2017-07-18  Saam Barati  <sbarati@apple.com>
3167
3168         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
3169         https://bugs.webkit.org/show_bug.cgi?id=174515
3170         <rdar://problem/33358092>
3171
3172         Reviewed by Filip Pizlo.
3173
3174         AirLowerAfterRegAlloc was computing the set of available scratch
3175         registers incorrectly. It was always excluding callee save registers
3176         from the set of live registers. It did not guarantee that live callee save
3177         registers were not in the set of scratch registers that could
3178         get clobbered. That's incorrect as the shuffling code is free
3179         to overwrite whatever is in the scratch register it gets passed.
3180
3181         * b3/air/AirLowerAfterRegAlloc.cpp:
3182         (JSC::B3::Air::lowerAfterRegAlloc):
3183         * b3/testb3.cpp:
3184         (JSC::B3::functionNineArgs):
3185         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
3186         (JSC::B3::run):
3187         * jit/RegisterSet.h:
3188
3189 2017-07-18  Andy Estes  <aestes@apple.com>
3190
3191         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
3192         https://bugs.webkit.org/show_bug.cgi?id=174631
3193
3194         Reviewed by Dan Bernstein.
3195
3196         * Configurations/Base.xcconfig:
3197
3198 2017-07-18  Devin Rousso  <drousso@apple.com>
3199
3200         Web Inspector: Add memoryCost to Inspector Protocol objects
3201         https://bugs.webkit.org/show_bug.cgi?id=174478
3202
3203         Reviewed by Joseph Pecoraro.
3204
3205         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
3206         plus the memoryCost of the data if it is a string.
3207
3208         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
3209
3210         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
3211         key plus the memoryCost of the InspectorValue for each entry.
3212
3213         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
3214
3215         * inspector/InspectorValues.h:
3216         * inspector/InspectorValues.cpp:
3217         (Inspector::InspectorValue::memoryCost):
3218         (Inspector::InspectorObjectBase::memoryCost):
3219         (Inspector::InspectorArrayBase::memoryCost):
3220
3221 2017-07-18  Andy Estes  <aestes@apple.com>
3222
3223         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
3224         https://bugs.webkit.org/show_bug.cgi?id=174631
3225
3226         Reviewed by Darin Adler.
3227
3228         * Configurations/Base.xcconfig:
3229
3230 2017-07-18  Michael Saboff  <msaboff@apple.com>
3231
3232         [JSC] There should be a debug option to dump a compiled RegExp Pattern
3233         https://bugs.webkit.org/show_bug.cgi?id=174601
3234
3235         Reviewed by Alex Christensen.
3236
3237         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
3238         objects after a regular expression has been compiled.
3239
3240         * runtime/Options.h:
3241         * yarr/YarrPattern.cpp:
3242         (JSC::Yarr::YarrPattern::compile):
3243         (JSC::Yarr::indentForNestingLevel):
3244         (JSC::Yarr::dumpUChar32):
3245         (JSC::Yarr::PatternAlternative::dump):
3246         (JSC::Yarr::PatternTerm::dumpQuantifier):
3247         (JSC::Yarr::PatternTerm::dump):
3248         (JSC::Yarr::PatternDisjunction::dump):
3249         (JSC::Yarr::YarrPattern::dumpPattern):
3250         * yarr/YarrPattern.h:
3251         (JSC::Yarr::YarrPattern::global):
3252
3253 2017-07-17  Darin Adler  <darin@apple.com>
3254
3255         Improve use of NeverDestroyed
3256         https://bugs.webkit.org/show_bug.cgi?id=174348
3257
3258         Reviewed by Sam Weinig.
3259
3260         * heap/MachineStackMarker.cpp:
3261         * wasm/WasmMemory.cpp:
3262         Removed unneeded includes of NeverDestroyed.h in files that do not make use
3263         of NeverDestroyed.
3264
3265 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
3266
3267         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
3268         https://bugs.webkit.org/show_bug.cgi?id=174547
3269
3270         Reviewed by Alex Christensen.
3271
3272         * CMakeLists.txt:
3273         * shell/CMakeLists.txt:
3274
3275 2017-07-17  Saam Barati  <sbarati@apple.com>
3276
3277         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
3278         https://bugs.webkit.org/show_bug.cgi?id=174584
3279
3280         Rubber stamped by Keith Miller.
3281
3282         I used it to diagnose a bug. The bug is now fixed. This custom
3283         RELEASE_ASSERT is no longer needed.
3284
3285         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3286
3287 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
3288
3289         -Wformat-truncation warning in ConfigFile.cpp
3290         https://bugs.webkit.org/show_bug.cgi?id=174506
3291
3292         Reviewed by Darin Adler.
3293
3294         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
3295         return ParseError.
3296
3297         * runtime/ConfigFile.cpp:
3298         (JSC::ConfigFile::parse):
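The truncation check described in this entry, as an added example (not JSC's own ConfigFile::parse code; the function and enum names are hypothetical). It contrasts the unchecked snprintf pattern that -Wformat-truncation warns about with a version that reports a truncated config path instead of silently clipping it.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Status returned instead of a silently truncated path. Hypothetical names:
// this is an illustration, not the ConfigFile API in JavaScriptCore.
enum class PathStatus { Ok, Truncated };

// Unchecked form: snprintf's return value is ignored, so a directory longer
// than the buffer produces a clipped path that still looks like a valid path.
// This is the pattern -Wformat-truncation flags.
std::string joinConfigPathUnchecked(const char* directory, const char* fileName, std::size_t bufferSize)
{
    char buffer[64];
    if (bufferSize > sizeof(buffer))
        bufferSize = sizeof(buffer);
    std::snprintf(buffer, bufferSize, "%s/%s", directory, fileName);
    return buffer; // may be a truncated path with no indication of the loss
}

// Checked form: snprintf reports the length the full string would need; if
// that does not fit (including the terminating NUL), report Truncated and
// clear the buffer so no half-built path reaches the caller.
PathStatus joinConfigPath(const char* directory, const char* fileName, char* buffer, std::size_t bufferSize)
{
    if (!bufferSize)
        return PathStatus::Truncated;
    int needed = std::snprintf(buffer, bufferSize, "%s/%s", directory, fileName);
    if (needed < 0 || static_cast<std::size_t>(needed) >= bufferSize) {
        buffer[0] = '\0';
        return PathStatus::Truncated;
    }
    return PathStatus::Ok;
}
```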
3299
3300 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
3301
3302         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
3303         https://bugs.webkit.org/show_bug.cgi?id=174557
3304
3305         Reviewed by Michael Catanzaro.
3306
3307         * CMakeLists.txt:
3308
3309 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3310
3311         [WTF] Use std::unique_ptr for StackTrace
3312         https://bugs.webkit.org/show_bug.cgi?id=174495
3313
3314         Reviewed by Alex Christensen.
3315
3316         * runtime/ExceptionScope.cpp:
3317         (JSC::ExceptionScope::unexpectedExceptionMessage):
3318         * runtime/VM.cpp:
3319         (JSC::VM::throwException):
3320
3321 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
3322
3323         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
3324         https://bugs.webkit.org/show_bug.cgi?id=174423
3325
3326         Reviewed by Saam Barati.
3327
3328         * dfg/DFGAvailabilityMap.cpp:
3329         (JSC::DFG::AvailabilityMap::pruneHeap):
3330         (JSC::DFG::AvailabilityMap::pruneByLiveness):
3331
3332 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
3333
3334         Fix compiler warnings when building with GCC 7
3335         https://bugs.webkit.org/show_bug.cgi?id=174463
3336
3337         Reviewed by Darin Adler.
3338
3339         * disassembler/udis86/udis86_decode.c:
3340         (decode_operand):
3341
3342 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
3343
3344         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
3345         https://bugs.webkit.org/show_bug.cgi?id=174467
3346
3347         Reviewed by Saam Barati.
3348
3349         * bytecode/CallLinkInfo.cpp:
3350         (JSC::CallLinkInfo::callTypeFor):
3351
3352 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
3353
3354         Web Inspector: Remove unused and untested Page domain commands
3355         https://bugs.webkit.org/show_bug.cgi?id=174429
3356
3357         Reviewed by Timothy Hatcher.
3358
3359         * inspector/protocol/Page.json:
3360
3361 2017-07-13  Saam Barati  <sbarati@apple.com>
3362
3363         Missing exception check in JSObject::hasInstance
3364         https://bugs.webkit.org/show_bug.cgi?id=174455
3365         <rdar://problem/31384608>
3366
3367         Reviewed by Mark Lam.
3368
3369         * runtime/JSObject.cpp:
3370         (JSC::JSObject::hasInstance):
3371
3372 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
3373
3374         [ESnext] Implement Object Spread
3375         https://bugs.webkit.org/show_bug.cgi?id=167963
3376
3377         Reviewed by Saam Barati.
3378
3379         This patch implements ECMA262 stage 3 Object Spread proposal [1].
3380         It's implemented using CopyDataPropertiesNoExclusions to copy
3381         all enumerable keys from the object being spread. The implementation of
3382         CopyDataPropertiesNoExclusions follows the CopyDataProperties
3383         implementation; however, we don't receive excludedNames as a parameter.
3384
3385         [1] - https://github.com/tc39/proposal-object-rest-spread
3386
3387         * builtins/GlobalOperations.js:
3388         (globalPrivate.copyDataPropertiesNoExclusions):
3389         * bytecompiler/BytecodeGenerator.cpp:
3390         (JSC::BytecodeGenerator::emitLoad):
3391         * bytecompiler/NodesCodegen.cpp:
3392         (JSC::PropertyListNode::emitBytecode):
3393         (JSC::ObjectSpreadExpressionNode::emitBytecode):
3394         * parser/ASTBuilder.h:
3395         (JSC::ASTBuilder::createObjectSpreadExpression):
3396         (JSC::ASTBuilder::createProperty):
3397         * parser/NodeConstructors.h:
3398         (JSC::PropertyNode::PropertyNode):
3399         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
3400         * parser/Nodes.h:
3401         (JSC::ObjectSpreadExpressionNode::expression):
3402         * parser/Parser.cpp:
3403         (JSC::Parser<LexerType>::parseProperty):
3404         * parser/SyntaxChecker.h:
3405         (JSC::SyntaxChecker::createObjectSpreadExpression):
3406         (JSC::SyntaxChecker::createProperty):