[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-07-24  Mark Lam  <mark.lam@apple.com>

        Gardening: fixed C Loop build after r219790.
        https://bugs.webkit.org/show_bug.cgi?id=174696

        Not reviewed.

        * assembler/testmasm.cpp:

2017-07-23  Mark Lam  <mark.lam@apple.com>

        Create regression tests for the JIT probe.
        https://bugs.webkit.org/show_bug.cgi?id=174696
        <rdar://problem/33436922>

        Reviewed by Saam Barati.

        The new testmasm will test the following:
        1. the probe is able to read the value of CPU registers.
        2. the probe is able to write the value of CPU registers.
        3. the probe is able to preserve all CPU registers.
        4. special case of (2): the probe is able to change the value of the stack pointer.
        5. special case of (2): the probe is able to change the value of the program counter
           i.e. the probe can change where the code continues executing upon returning from
           the probe.

        Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
        because it does not support changing the sp and pc yet.  The ARM64 probe
        implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
        later.

        * Configurations/ToolExecutable.xcconfig:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::pc):
        (JSC::MacroAssembler::CPUState::fp):
        (JSC::MacroAssembler::CPUState::sp):
        (JSC::ProbeContext::pc):
        (JSC::ProbeContext::fp):
        (JSC::ProbeContext::sp):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeTrampoline):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printPCRegister):
        * assembler/testmasm.cpp: Added.
        (hiddenTruthBecauseNoReturnIsStupid):
        (usage):
        (JSC::nextID):
        (JSC::isPC):
        (JSC::isSP):
        (JSC::isFP):
        (JSC::compile):
        (JSC::invoke):
        (JSC::compileAndRun):
        (JSC::testSimple):
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testFunctionToTrashRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::run):
        (run):
        (main):
        * b3/air/testair.cpp:
        (usage):
        * shell/CMakeLists.txt:

2017-07-14  Filip Pizlo  <fpizlo@apple.com>

        It should be easy to decide how WebKit yields
        https://bugs.webkit.org/show_bug.cgi?id=174298

        Reviewed by Saam Barati.

        Use the new WTF::Thread::yield() function for yielding instead of the C++ function.

        * heap/Heap.cpp:
        (JSC::Heap::resumeThePeriphery):
        * heap/VisitingTimeout.h:
        * runtime/JSCell.cpp:
        (JSC::JSCell::lockSlow):
        (JSC::JSCell::unlockSlow):
        * runtime/JSCell.h:
        * runtime/JSCellInlines.h:
        (JSC::JSCell::lock):
        (JSC::JSCell::unlock):
        * runtime/JSLock.cpp:
        (JSC::JSLock::grabAllLocks):
        * runtime/SamplingProfiler.cpp:

2017-07-21  Mark Lam  <mark.lam@apple.com>

        Refactor MASM probe CPUState to use arrays for register storage.
        https://bugs.webkit.org/show_bug.cgi?id=174694

        Reviewed by Keith Miller.

        Using arrays for register storage in CPUState allows us to do away with the
        huge switch statements to decode each register id.  We can now simply index into
        the arrays.

        With this patch, we now:

        1. Remove the need for macros for defining the list of CPU registers.
           We can go back to simple enums.  This makes the code easier to read.

        2. Make the assembler the authority on register names.
           Most of this code is moved into the assembler from GPRInfo and FPRInfo.
           GPRInfo and FPRInfo now forward to the assembler.

        3. Make the assembler the authority on the number of registers of each type.

        4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
           This is inconsistent with how every other CPU architecture implements
           lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
           updates RegisterSet::reservedHardwareRegisters() to exclude those registers.

        * assembler/ARM64Assembler.h:
        (JSC::ARM64Assembler::numberOfRegisters):
        (JSC::ARM64Assembler::firstSPRegister):
        (JSC::ARM64Assembler::lastSPRegister):
        (JSC::ARM64Assembler::numberOfSPRegisters):
        (JSC::ARM64Assembler::numberOfFPRegisters):
        (JSC::ARM64Assembler::gprName):
        (JSC::ARM64Assembler::sprName):
        (JSC::ARM64Assembler::fprName):
        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::numberOfRegisters):
        (JSC::ARMAssembler::firstSPRegister):
        (JSC::ARMAssembler::lastSPRegister):
        (JSC::ARMAssembler::numberOfSPRegisters):
        (JSC::ARMAssembler::numberOfFPRegisters):
        (JSC::ARMAssembler::gprName):
        (JSC::ARMAssembler::sprName):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastRegister):
        (JSC::ARMv7Assembler::numberOfRegisters):
        (JSC::ARMv7Assembler::firstSPRegister):
        (JSC::ARMv7Assembler::lastSPRegister):
        (JSC::ARMv7Assembler::numberOfSPRegisters):
        (JSC::ARMv7Assembler::numberOfFPRegisters):
        (JSC::ARMv7Assembler::gprName):
        (JSC::ARMv7Assembler::sprName):
        (JSC::ARMv7Assembler::fprName):
        * assembler/AbstractMacroAssembler.h:
        (JSC::AbstractMacroAssembler::numberOfRegisters):
        (JSC::AbstractMacroAssembler::gprName):
        (JSC::AbstractMacroAssembler::firstSPRegister):
        (JSC::AbstractMacroAssembler::lastSPRegister):
        (JSC::AbstractMacroAssembler::numberOfSPRegisters):
        (JSC::AbstractMacroAssembler::sprName):
        (JSC::AbstractMacroAssembler::numberOfFPRegisters):
        (JSC::AbstractMacroAssembler::fprName):
        * assembler/MIPSAssembler.h:
        (JSC::MIPSAssembler::numberOfRegisters):
        (JSC::MIPSAssembler::firstSPRegister):
        (JSC::MIPSAssembler::lastSPRegister):
        (JSC::MIPSAssembler::numberOfSPRegisters):
        (JSC::MIPSAssembler::numberOfFPRegisters):
        (JSC::MIPSAssembler::gprName):
        (JSC::MIPSAssembler::sprName):
        (JSC::MIPSAssembler::fprName):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName):
        (JSC::MacroAssembler::CPUState::sprName):
        (JSC::MacroAssembler::CPUState::fprName):
        (JSC::MacroAssembler::CPUState::gpr):
        (JSC::MacroAssembler::CPUState::spr):
        (JSC::MacroAssembler::CPUState::fpr):
        (JSC::MacroAssembler::CPUState::pc):
        (JSC::MacroAssembler::CPUState::fp):
        (JSC::MacroAssembler::CPUState::sp):
        (JSC::ProbeContext::gpr):
        (JSC::ProbeContext::spr):
        (JSC::ProbeContext::fpr):
        (JSC::ProbeContext::gprName):
        (JSC::ProbeContext::sprName):
        (JSC::ProbeContext::fprName):
        (JSC::MacroAssembler::numberOfRegisters): Deleted.
        (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeTrampoline):
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::nextID):
        (JSC::Printer::printAllRegisters):
        (JSC::Printer::printPCRegister):
        (JSC::Printer::printRegisterID):
        (JSC::Printer::printAddress):
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/X86Assembler.h:
        (JSC::X86Assembler::numberOfRegisters):
        (JSC::X86Assembler::firstSPRegister):
        (JSC::X86Assembler::lastSPRegister):
        (JSC::X86Assembler::numberOfSPRegisters):
        (JSC::X86Assembler::numberOfFPRegisters):
        (JSC::X86Assembler::gprName):
        (JSC::X86Assembler::sprName):
        (JSC::X86Assembler::fprName):
        * jit/FPRInfo.h:
        (JSC::FPRInfo::debugName):
        * jit/GPRInfo.h:
        (JSC::GPRInfo::debugName):
        * jit/RegisterSet.cpp:
        (JSC::RegisterSet::reservedHardwareRegisters):

2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Introduce static symbols
        https://bugs.webkit.org/show_bug.cgi?id=158863

        Reviewed by Darin Adler.

        We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
        As a result, we can share the same Symbol values between VMs and threads.
        And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * builtins/BuiltinNames.cpp: Added.
        Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.

        * builtins/BuiltinNames.h:
        (JSC::BuiltinNames::BuiltinNames):
        * builtins/BuiltinUtils.h:

2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [FTL] Arguments elimination is suppressed by unreachable blocks
        https://bugs.webkit.org/show_bug.cgi?id=174352

        Reviewed by Filip Pizlo.

        If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
        The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
        Since GetById without information can escape arguments if it is specified, non-executed code including
        op_get_by_id with arguments can escape arguments.

        For example,

            function test(flag)
            {
                if (flag) {
                    // This is not executed, but emits GetById with arguments.
                    // It prevents us from eliminating materialization.
                    return arguments.length;
                }
                return arguments.length;
            }
            noInline(test);
            while (true)
                test(false);

        We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
        So this GetById exists and escapes arguments.

        To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
        If it is shown, the following GetById does not escape arguments. Compared to performing AI, it is
        lightweight. But it catches much of typical cases we failed to perform arguments elimination.

        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isPseudoTerminal):
        * dfg/DFGValidate.cpp:

2017-07-20  Chris Dumez  <cdumez@apple.com>

        Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
        https://bugs.webkit.org/show_bug.cgi?id=174660

        Reviewed by Geoffrey Garen.

        Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
        This essentially replaces a branch to figure out if the new size is less or greater than the
        current size by an assertion.

        * b3/B3BasicBlockUtils.h:
        (JSC::B3::clearPredecessors):
        * b3/B3InferSwitches.cpp:
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
        * b3/B3ReduceStrength.cpp:
        * b3/B3SparseCollection.h:
        (JSC::B3::SparseCollection::packIndices):
        * b3/B3UseCounts.cpp:
        (JSC::B3::UseCounts::UseCounts):
        * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
        * b3/air/AirEmitShuffle.cpp:
        (JSC::B3::Air::emitShuffle):
        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/air/AirOptimizeBlockOrder.cpp:
        (JSC::B3::Air::optimizeBlockOrder):
        * bytecode/Operands.h:
        (JSC::Operands::ensureLocals):
        * bytecode/PreciseJumpTargets.cpp:
        (JSC::computePreciseJumpTargetsInternal):
        * dfg/DFGBlockInsertionSet.cpp:
        (JSC::DFG::BlockInsertionSet::execute):
        * dfg/DFGBlockMapInlines.h:
        (JSC::DFG::BlockMap<T>::BlockMap):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::processSetLocalQueue):
        (JSC::DFG::ByteCodeParser::clearCaches):
        * dfg/DFGDisassembler.cpp:
        (JSC::DFG::Disassembler::Disassembler):
        * dfg/DFGFlowIndexing.cpp:
        (JSC::DFG::FlowIndexing::recompute):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::registerFrozenValues):
        * dfg/DFGInPlaceAbstractState.cpp:
        (JSC::DFG::setLiveValues):
        * dfg/DFGLICMPhase.cpp:
        (JSC::DFG::LICMPhase::run):
        * dfg/DFGLivenessAnalysisPhase.cpp:
        * dfg/DFGNaturalLoops.cpp:
        (JSC::DFG::NaturalLoops::NaturalLoops):
        * dfg/DFGStoreBarrierClusteringPhase.cpp:
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        * heap/CodeBlockSet.cpp:
        (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
        * heap/MarkedSpace.cpp:
        (JSC::MarkedSpace::sweepLargeAllocations):
        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::findMagicComment):
        * interpreter/ShadowChicken.cpp:
        (JSC::ShadowChicken::update):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::shrinkOperandStackBy):
        * parser/Lexer.h:
        (JSC::Lexer::setOffset):
        * runtime/RegExpInlines.h:
        (JSC::RegExp::matchInline):
        * runtime/RegExpPrototype.cpp:
        (JSC::genericSplit):
        * yarr/RegularExpression.cpp:
        (JSC::Yarr::RegularExpression::match):

2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
        https://bugs.webkit.org/show_bug.cgi?id=174678

        Reviewed by Mark Lam.

        Use Thread& instead.

        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):

2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Implement WTF::ThreadGroup
        https://bugs.webkit.org/show_bug.cgi?id=174081

        Reviewed by Mark Lam.

        Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup.
        And SamplingProfiler and others interact with WTF::Thread directly.

        * API/tests/ExecutionTimeLimitTest.cpp:
        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThreads):
        (JSC::captureStack):
        (JSC::MachineThreads::tryCopyOtherThreadStack):
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        (JSC::MachineThreads::gatherConservativeRoots):
        (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
        (JSC::ActiveMachineThreadsManager::add): Deleted.
        (JSC::ActiveMachineThreadsManager::remove): Deleted.
        (JSC::ActiveMachineThreadsManager::contains): Deleted.
        (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
        (JSC::activeMachineThreadsManager): Deleted.
        (JSC::MachineThreads::~MachineThreads): Deleted.
        (JSC::MachineThreads::addCurrentThread): Deleted.
        (): Deleted.
        (JSC::MachineThreads::removeThread): Deleted.
        (JSC::MachineThreads::removeThreadIfFound): Deleted.
        (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
        (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
        (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
        (JSC::MachineThreads::MachineThread::captureStack): Deleted.
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::addCurrentThread):
        (JSC::MachineThreads::getLock):
        (JSC::MachineThreads::threads):
        (JSC::MachineThreads::MachineThread::suspend): Deleted.
        (JSC::MachineThreads::MachineThread::resume): Deleted.
        (JSC::MachineThreads::MachineThread::threadID): Deleted.
        (JSC::MachineThreads::MachineThread::stackBase): Deleted.
        (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
        (JSC::MachineThreads::threadsListHead): Deleted.
        * runtime/SamplingProfiler.cpp:
        (JSC::FrameWalker::isValidFramePointer):
        (JSC::SamplingProfiler::SamplingProfiler):
        (JSC::SamplingProfiler::takeSample):
        (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
        * runtime/SamplingProfiler.h:
        * wasm/WasmMachineThreads.cpp:
        (JSC::Wasm::resetInstructionCacheOnAllThreads):

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Tim Horton.

        * Configurations/Base.xcconfig:
        * b3/B3FoldPathConstants.cpp:
        * b3/B3LowerMacros.cpp:
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::check):
        (JSC::DFG::ByteCodeParser::planLoad):

2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF::Thread should have the threads stack bounds.
        https://bugs.webkit.org/show_bug.cgi?id=173975

        Reviewed by Mark Lam.

        There is a site in JSC that tries to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We work around this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
        coupled with Thread. Thus putting it in WTF::Thread is a natural choice.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::MachineThread::MachineThread):
        (JSC::MachineThreads::MachineThread::captureStack):
        * heap/MachineStackMarker.h:
        (JSC::MachineThreads::MachineThread::stackBase):
        (JSC::MachineThreads::MachineThread::stackEnd):
        * runtime/VMTraps.cpp:

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Sam Weinig.

        * Configurations/Base.xcconfig:

2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Modernize InjectedScriptSource
        https://bugs.webkit.org/show_bug.cgi?id=173890

        Reviewed by Brian Burg.

        * inspector/InjectedScript.h:
        Reorder functions to be slightly better.

        * inspector/InjectedScriptSource.js:
        - Convert to classes named InjectedScript and RemoteObject
        - Align InjectedScript's API with the wrapper C++ interfaces
        - Move some code to RemoteObject where appropriate (subtype, describe)
        - Move some code to helper functions (isPrimitiveValue, isDefined)
        - Refactor for readability and modern features
        - Remove some unused / unnecessary code

2017-07-18  Mark Lam  <mark.lam@apple.com>

        Butterfly storage need not be initialized for indexing type Undecided.
        https://bugs.webkit.org/show_bug.cgi?id=174516

        Reviewed by Saam Barati.

        While it's not incorrect to initialize the butterfly storage when the
        indexingType is Undecided, it is inefficient as we'll end up initializing
        it again later when we convert the storage to a different indexingType.
        Some of our code already skips initializing Undecided butterflies.
        This patch makes it the consistent behavior everywhere.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
        * runtime/JSArray.cpp:
        (JSC::JSArray::tryCreateUninitializedRestricted):
        * runtime/JSArray.h:
        (JSC::JSArray::tryCreate):
        * runtime/JSObject.cpp:
        (JSC::JSObject::ensureLengthSlow):

2017-07-18  Saam Barati  <sbarati@apple.com>

        AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
        https://bugs.webkit.org/show_bug.cgi?id=174515
        <rdar://problem/33358092>

        Reviewed by Filip Pizlo.

        AirLowerAfterRegAlloc was computing the set of available scratch
        registers incorrectly. It was always excluding callee save registers
        from the set of live registers. It did not guarantee that live callee save
        registers were not in the set of scratch registers that could
        get clobbered. That's incorrect as the shuffling code is free
        to overwrite whatever is in the scratch register it gets passed.

        * b3/air/AirLowerAfterRegAlloc.cpp:
        (JSC::B3::Air::lowerAfterRegAlloc):
        * b3/testb3.cpp:
        (JSC::B3::functionNineArgs):
        (JSC::B3::testShuffleDoesntTrashCalleeSaves):
        (JSC::B3::run):
        * jit/RegisterSet.h:

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Dan Bernstein.

        * Configurations/Base.xcconfig:

2017-07-18  Devin Rousso  <drousso@apple.com>

        Web Inspector: Add memoryCost to Inspector Protocol objects
        https://bugs.webkit.org/show_bug.cgi?id=174478

        Reviewed by Joseph Pecoraro.

        For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
        plus the memoryCost of the data if it is a string.

        For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.

        For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
        key plus the memoryCost of the InspectorValue for each entry.

        Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp

        * inspector/InspectorValues.h:
        * inspector/InspectorValues.cpp:
        (Inspector::InspectorValue::memoryCost):
        (Inspector::InspectorObjectBase::memoryCost):
        (Inspector::InspectorArrayBase::memoryCost):

2017-07-18  Andy Estes  <aestes@apple.com>

        [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
        https://bugs.webkit.org/show_bug.cgi?id=174631

        Reviewed by Darin Adler.

        * Configurations/Base.xcconfig:

2017-07-18  Michael Saboff  <msaboff@apple.com>

        [JSC] There should be a debug option to dump a compiled RegExp Pattern
        https://bugs.webkit.org/show_bug.cgi?id=174601

        Reviewed by Alex Christensen.

        Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
        objects after a regular expression has been compiled.

        * runtime/Options.h:
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPattern::compile):
        (JSC::Yarr::indentForNestingLevel):
        (JSC::Yarr::dumpUChar32):
        (JSC::Yarr::PatternAlternative::dump):
        (JSC::Yarr::PatternTerm::dumpQuantifier):
        (JSC::Yarr::PatternTerm::dump):
        (JSC::Yarr::PatternDisjunction::dump):
        (JSC::Yarr::YarrPattern::dumpPattern):
        * yarr/YarrPattern.h:
        (JSC::Yarr::YarrPattern::global):

2017-07-17  Darin Adler  <darin@apple.com>

        Improve use of NeverDestroyed
        https://bugs.webkit.org/show_bug.cgi?id=174348

        Reviewed by Sam Weinig.

        * heap/MachineStackMarker.cpp:
        * wasm/WasmMemory.cpp:
        Removed unneeded includes of NeverDestroyed.h in files that do not make use
        of NeverDestroyed.

2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>

        [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
        https://bugs.webkit.org/show_bug.cgi?id=174547

        Reviewed by Alex Christensen.

        * CMakeLists.txt:
        * shell/CMakeLists.txt:

2017-07-17  Saam Barati  <sbarati@apple.com>

        Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
        https://bugs.webkit.org/show_bug.cgi?id=174584

        Rubber stamped by Keith Miller.

        I used it to diagnose a bug. The bug is now fixed. This custom
        RELEASE_ASSERT is no longer needed.

        * dfg/DFGObjectAllocationSinkingPhase.cpp:

2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>

        -Wformat-truncation warning in ConfigFile.cpp
        https://bugs.webkit.org/show_bug.cgi?id=174506

        Reviewed by Darin Adler.

        Check if the JSC config filename would be truncated due to exceeding max path length. If so,
        return ParseError.

        * runtime/ConfigFile.cpp:
        (JSC::ConfigFile::parse):

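The truncation check described in the entry above, as an added C++ example that is not WebKit code: JSC's ConfigFile loader is not reproduced here, and buildConfigPath, PathResult and the deliberately tiny kMaxPathLength are assumed names chosen for illustration. The point it demonstrates is that snprintf() never fails when the output does not fit; it silently cuts the string short and returns the length the full output would have needed, so a loader that ignores that return value can go on to open a different file than the one named. Comparing the return value against the buffer size is also what makes GCC's -Wformat-truncation warning go away.

```cpp
#include <cstdio>
#include <iostream>
#include <string>

// Added example, not JavaScriptCore code. kMaxPathLength is an assumed,
// deliberately small buffer size so the truncation case is easy to trigger;
// a real loader would size the buffer from the platform's maximum path length.
constexpr std::size_t kMaxPathLength = 64;

struct PathResult {
    bool ok;          // false when the joined path did not fit the buffer
    std::string path; // empty when ok is false
};

// Join directory and filename with '/' into a fixed-size buffer.
// snprintf() returns the length the complete output would have had, so a
// return value >= the buffer size means the text was silently cut short.
// Report that as an error instead of using whatever the truncated name denotes.
PathResult buildConfigPath(const std::string& directory, const std::string& filename)
{
    char buffer[kMaxPathLength];
    int needed = std::snprintf(buffer, sizeof(buffer), "%s/%s", directory.c_str(), filename.c_str());
    if (needed < 0 || static_cast<std::size_t>(needed) >= sizeof(buffer))
        return { false, std::string() };
    return { true, std::string(buffer, static_cast<std::size_t>(needed)) };
}

int main()
{
    // Constructed inputs: one path that fits and one that would be truncated.
    PathResult fits = buildConfigPath("/etc/webkit", "JSC.config");
    PathResult tooLong = buildConfigPath(std::string(70, 'a'), "JSC.config");
    std::cout << (fits.ok ? fits.path : "rejected: path too long") << '\n';
    std::cout << (tooLong.ok ? tooLong.path : "rejected: path too long") << '\n';
    return 0;
}
```

The boundary is exact: with a 64-byte buffer a 63-character path is accepted and a 64-character one is rejected, because the terminating NUL needs the last byte.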
2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>

        [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
        https://bugs.webkit.org/show_bug.cgi?id=174557

        Reviewed by Michael Catanzaro.

        * CMakeLists.txt:

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [WTF] Use std::unique_ptr for StackTrace
        https://bugs.webkit.org/show_bug.cgi?id=174495

        Reviewed by Alex Christensen.

        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/VM.cpp:
        (JSC::VM::throwException):

2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
        https://bugs.webkit.org/show_bug.cgi?id=174423

        Reviewed by Saam Barati.

        * dfg/DFGAvailabilityMap.cpp:
        (JSC::DFG::AvailabilityMap::pruneHeap):
        (JSC::DFG::AvailabilityMap::pruneByLiveness):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Fix compiler warnings when building with GCC 7
        https://bugs.webkit.org/show_bug.cgi?id=174463

        Reviewed by Darin Adler.

        * disassembler/udis86/udis86_decode.c:
        (decode_operand):

2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>

        Incorrect assertion in JSC::CallLinkInfo::callTypeFor
        https://bugs.webkit.org/show_bug.cgi?id=174467

        Reviewed by Saam Barati.

        * bytecode/CallLinkInfo.cpp:
        (JSC::CallLinkInfo::callTypeFor):

2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>

        Web Inspector: Remove unused and untested Page domain commands
        https://bugs.webkit.org/show_bug.cgi?id=174429

        Reviewed by Timothy Hatcher.

        * inspector/protocol/Page.json:

2017-07-13  Saam Barati  <sbarati@apple.com>

        Missing exception check in JSObject::hasInstance
        https://bugs.webkit.org/show_bug.cgi?id=174455
        <rdar://problem/31384608>

        Reviewed by Mark Lam.

        * runtime/JSObject.cpp:
        (JSC::JSObject::hasInstance):

2017-07-13  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Spread
        https://bugs.webkit.org/show_bug.cgi?id=167963

        Reviewed by Saam Barati.

        This patch implements ECMA262 stage 3 Object Spread proposal [1].
        It's implemented using CopyDataPropertiesNoExclusions to copy
        all enumerable keys from the object being spread. The implementation of
        CopyDataPropertiesNoExclusions follows the CopyDataProperties
        implementation, however we don't receive excludedNames as parameter.

        [1] - https://github.com/tc39/proposal-object-rest-spread

        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataPropertiesNoExclusions):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createObjectSpreadExpression):
        (JSC::ASTBuilder::createProperty):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ObjectSpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createObjectSpreadExpression):
        (JSC::SyntaxChecker::createProperty):

2017-07-12  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix after r219434.
        https://bugs.webkit.org/show_bug.cgi?id=174441

        Not reviewed.

        Make public some MacroAssembler functions that are needed by the probe implementation.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::linkCall):

753 2017-07-12  Mark Lam  <mark.lam@apple.com>
754
755         Move Probe code from AbstractMacroAssembler to MacroAssembler.
756         https://bugs.webkit.org/show_bug.cgi?id=174441
757
758         Reviewed by Saam Barati.
759
760         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
761         to MacroAssembler.  There is no code behavior change.
762
763         * assembler/AbstractMacroAssembler.h:
764         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
765         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
766         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
767         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
768         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
769         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
770         * assembler/MacroAssembler.h:
771         (JSC::MacroAssembler::CPUState::gprName):
772         (JSC::MacroAssembler::CPUState::fprName):
773         (JSC::MacroAssembler::CPUState::gpr):
774         (JSC::MacroAssembler::CPUState::fpr):
775         * assembler/MacroAssemblerARM.cpp:
776         (JSC::MacroAssembler::probe):
777         (JSC::MacroAssemblerARM::probe): Deleted.
778         * assembler/MacroAssemblerARM.h:
779         * assembler/MacroAssemblerARM64.cpp:
780         (JSC::MacroAssembler::probe):
781         (JSC::MacroAssemblerARM64::probe): Deleted.
782         * assembler/MacroAssemblerARM64.h:
783         * assembler/MacroAssemblerARMv7.cpp:
784         (JSC::MacroAssembler::probe):
785         (JSC::MacroAssemblerARMv7::probe): Deleted.
786         * assembler/MacroAssemblerARMv7.h:
787         * assembler/MacroAssemblerMIPS.h:
788         * assembler/MacroAssemblerX86Common.cpp:
789         (JSC::MacroAssembler::probe):
790         (JSC::MacroAssemblerX86Common::probe): Deleted.
791         * assembler/MacroAssemblerX86Common.h:
792
793 2017-07-12  Saam Barati  <sbarati@apple.com>
794
795         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
796         https://bugs.webkit.org/show_bug.cgi?id=174411
797         <rdar://problem/31696186>
798
799         Reviewed by Mark Lam.
800
801         The code for deleting an argument was incorrectly referencing state
802         when it decided if it should unmap or mark a property as having its
803         descriptor modified. This patch fixes the bug where if we delete a
804         property, we would sometimes not unmap an argument when deleting it.
805
806         * runtime/GenericArgumentsInlines.h:
807         (JSC::GenericArguments<Type>::getOwnPropertySlot):
808         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
809         (JSC::GenericArguments<Type>::deleteProperty):
810         (JSC::GenericArguments<Type>::deletePropertyByIndex):
811
812 2017-07-12  Commit Queue  <commit-queue@webkit.org>
813
814         Unreviewed, rolling out r219176.
815         https://bugs.webkit.org/show_bug.cgi?id=174436
816
817         "Can cause infinite recursion on iOS" (Requested by mlam on
818         #webkit).
819
820         Reverted changeset:
821
822         "WTF::Thread should have the threads stack bounds."
823         https://bugs.webkit.org/show_bug.cgi?id=173975
824         http://trac.webkit.org/changeset/219176
825
826 2017-07-12  Matt Lewis  <jlewis3@apple.com>
827
828         Unreviewed, rolling out r219401.
829
830         This revision rolled out the previous patch, but after talking
831         with reviewer, a rebaseline is what was needed. Rolling back in
832         before rebaseline.
833
834         Reverted changeset:
835
836         "Unreviewed, rolling out r219379."
837         https://bugs.webkit.org/show_bug.cgi?id=174400
838         http://trac.webkit.org/changeset/219401
839
840 2017-07-12  Matt Lewis  <jlewis3@apple.com>
841
842         Unreviewed, rolling out r219379.
843
844         This revision caused a consistent failure in the test
845         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
847
848         Reverted changeset:
849
850         "Remove NAVIGATOR_HWCONCURRENCY"
851         https://bugs.webkit.org/show_bug.cgi?id=174400
852         http://trac.webkit.org/changeset/219379
853
854 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
855
856         Wrong radix used in Unicode Escape in invalid character error message
857         https://bugs.webkit.org/show_bug.cgi?id=174419
858
859         Reviewed by Alex Christensen.
860
861         * parser/Lexer.cpp:
862         (JSC::Lexer<T>::invalidCharacterMessage):
863
864 2017-07-11  Dean Jackson  <dino@apple.com>
865
866         Remove NAVIGATOR_HWCONCURRENCY
867         https://bugs.webkit.org/show_bug.cgi?id=174400
868
869         Reviewed by Sam Weinig.
870
871         * Configurations/FeatureDefines.xcconfig:
872
873 2017-07-11  Dean Jackson  <dino@apple.com>
874
875         Rolling out r219372.
876
877         * Configurations/FeatureDefines.xcconfig:
878
879 2017-07-11  Dean Jackson  <dino@apple.com>
880
881         Remove NAVIGATOR_HWCONCURRENCY
882         https://bugs.webkit.org/show_bug.cgi?id=174400
883
884         Reviewed by Sam Weinig.
885
886         * Configurations/FeatureDefines.xcconfig:
887
888 2017-07-11  Saam Barati  <sbarati@apple.com>
889
890         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
891         https://bugs.webkit.org/show_bug.cgi?id=174397
892
893         Rubber stamped by David Kilzer.
894
895         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
896         * wasm/js/WebAssemblyFunctionCell.h: Removed.
897
898 2017-07-10  Saam Barati  <sbarati@apple.com>
899
900         Allocation sinking phase should consider a CheckStructure that would fail as an escape
901         https://bugs.webkit.org/show_bug.cgi?id=174321
902         <rdar://problem/32604963>
903
904         Reviewed by Filip Pizlo.
905
906         When the allocation sinking phase was generating stores to materialize
907         objects in a cycle with each other, it would assume that each materialized
908         object had a valid, non-empty, set of structures. This is an OK assumption for
909         the phase to make because how do you materialize an object with no structure?
910         
911         The abstract interpretation part of the phase will model what's in the heap.
912         However, it would sometimes model that a CheckStructure would fail. The phase
913         did nothing special for this; it just stored the empty set of structures for
914         its representation of a particular allocation. However, what the phase proved
915         in such a scenario is that, had the CheckStructure executed, it would have exited.
916         
917         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
918         This will cause the allocation in question to be materialized just before
919         the CheckStructure, and then at execution time, the CheckStructure will exit.
920         
921         I wasn't able to write a test case for this. However, I was able to reproduce
922         this crash by manually editing the IR. I've opened a separate bug to help us
923         create a testing framework for writing tests for hard to reproduce bugs like this:
924         https://bugs.webkit.org/show_bug.cgi?id=174322
925
926         * dfg/DFGObjectAllocationSinkingPhase.cpp:
927
928 2017-07-10  Devin Rousso  <drousso@apple.com>
929
930         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
931         https://bugs.webkit.org/show_bug.cgi?id=174279
932
933         Reviewed by Matt Baker.
934
935         * inspector/protocol/DOM.json:
936         Add `highlightNodeList` command that will highlight each node in the given list.
937
938 2017-07-03  Brian Burg  <bburg@apple.com>
939
940         Web Replay: remove some unused code
941         https://bugs.webkit.org/show_bug.cgi?id=173903
942
943         Rubber-stamped by Joseph Pecoraro.
944
945         * CMakeLists.txt:
946         * Configurations/FeatureDefines.xcconfig:
947         * DerivedSources.make:
948         * JavaScriptCore.xcodeproj/project.pbxproj:
949         * inspector/protocol/Replay.json: Removed.
950         * replay/EmptyInputCursor.h: Removed.
951         * replay/EncodedValue.cpp: Removed.
952         * replay/EncodedValue.h: Removed.
953         * replay/InputCursor.h: Removed.
954         * replay/JSInputs.json: Removed.
955         * replay/NondeterministicInput.h: Removed.
956         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
957         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
958         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
959         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
960         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
961         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
962         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
963         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
964         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
965         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
966         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
967         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
968         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
969         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
970         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
971         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
972         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
973         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
974         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
975         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
976         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
977         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
978         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
979         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
980         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
981         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
982         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
983         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
984         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
985         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
986         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
987         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
988         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
989         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
990         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
991         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
992         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
993         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
994         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
995         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
996         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
997         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
998         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
999         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
1000         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
1001         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
1002         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
1003         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
1004         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
1005         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
1006         * replay/scripts/tests/generate-input-with-guard.json: Removed.
1007         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
1008         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
1009         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
1010         * runtime/DateConstructor.cpp:
1011         (JSC::constructDate):
1012         (JSC::dateNow):
1013         (JSC::deterministicCurrentTime): Deleted.
1014         * runtime/JSGlobalObject.cpp:
1015         (JSC::JSGlobalObject::JSGlobalObject):
1016         (JSC::JSGlobalObject::setInputCursor): Deleted.
1017         * runtime/JSGlobalObject.h:
1018         (JSC::JSGlobalObject::inputCursor): Deleted.
1019
1020 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1021
1022         Move make-js-file-arrays.py from WebCore to JavaScriptCore
1023         https://bugs.webkit.org/show_bug.cgi?id=174024
1024
1025         Reviewed by Michael Catanzaro.
1026
1027         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
1028         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
1029         Added a command line option to pass the namespace to use instead of using WebCore.
1030
1031         * JavaScriptCore.xcodeproj/project.pbxproj:
1032         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
1033         (main):
1034
1035 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1036
1037         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
1038         https://bugs.webkit.org/show_bug.cgi?id=174296
1039
1040         Reviewed by Mark Lam.
1041
1042         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
1043         It caused a problem in scanning template literals. While template literals normalize
1044         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
1045         To handle it correctly, LineNumberAdder was introduced.
1046
1047         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
1048         LineNumberAdder. Let's just use shiftLineTerminator() instead.
1049
1050         * parser/Lexer.cpp:
1051         (JSC::Lexer<T>::parseTemplateLiteral):
1052         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
1053         (JSC::LineNumberAdder::clear): Deleted.
1054         (JSC::LineNumberAdder::add): Deleted.
1055
1056 2017-07-09  Dan Bernstein  <mitz@apple.com>
1057
1058         [Xcode] ICU headers aren’t treated as system headers after r219155
1059         https://bugs.webkit.org/show_bug.cgi?id=174299
1060
1061         Reviewed by Sam Weinig.
1062
1063         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
1064           C++ compilers.
1065
1066         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
1067         * runtime/IntlDateTimeFormat.cpp: Ditto.
1068         * runtime/JSGlobalObject.cpp: Ditto.
1069         * runtime/StringPrototype.cpp: Ditto.
1070
1071 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1072
1073         [JSC] Use fastMalloc / fastFree for STL containers
1074         https://bugs.webkit.org/show_bug.cgi?id=174297
1075
1076         Reviewed by Sam Weinig.
1077
1078         In some places, we intentionally use STL containers over WTF containers.
1079         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
1080         because we do not have effective empty / deleted representations in the space of key's value.
1081         But just using STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
1082
1083         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
1084         We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc.
1085
1086         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
1087         without compromising memory allocation throughput.
1088
1089         * dfg/DFGGraph.h:
1090         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1091         * ftl/FTLLowerDFGToB3.cpp:
1092         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
1093         * runtime/FunctionHasExecutedCache.h:
1094         * runtime/TypeLocationCache.h:
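A compact model of the technique this entry describes, added here as an illustration and not code from WebKit or WTF: ExampleFastAllocator, exampleFastMalloc and exampleFastFree are constructed names standing in for WTF::FastAllocator, fastMalloc and fastFree, and the call counters exist only so that the routing of an STL container's allocations through the custom allocator can be observed. The map is keyed by int with 0 and -1 as live keys, which is the situation the entry gives as the reason for preferring an STL container over WTF::HashMap.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <string>
#include <unordered_map>

// Constructed stand-ins for WTF's fastMalloc / fastFree (assumption: the real
// ones are not reproduced here). They wrap libc malloc/free and count calls so
// the routing through the allocator can be checked.
static std::size_t g_fastMallocCalls = 0;
static std::size_t g_fastFreeCalls = 0;

void* exampleFastMalloc(std::size_t size) {
    void* p = std::malloc(size ? size : 1);
    if (!p) throw std::bad_alloc();
    ++g_fastMallocCalls;
    return p;
}

void exampleFastFree(void* p) {
    if (!p) return;
    ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++ allocator modelling the idea behind WTF::FastAllocator: every
// allocation made by an STL container parameterised with it goes through
// exampleFastMalloc / exampleFastFree instead of operator new / delete.
template <typename T>
struct ExampleFastAllocator {
    using value_type = T;

    ExampleFastAllocator() noexcept = default;
    template <typename U>
    ExampleFastAllocator(const ExampleFastAllocator<U>&) noexcept {}

    T* allocate(std::size_t n) {
        if (n > std::size_t(-1) / sizeof(T)) throw std::bad_alloc();
        return static_cast<T*>(exampleFastMalloc(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t) noexcept { exampleFastFree(p); }
};

template <typename T, typename U>
bool operator==(const ExampleFastAllocator<T>&, const ExampleFastAllocator<U>&) noexcept { return true; }
template <typename T, typename U>
bool operator!=(const ExampleFastAllocator<T>&, const ExampleFastAllocator<U>&) noexcept { return false; }

// std::unordered_map keyed by int where 0 and -1 are legitimate keys: a hash map
// that needs reserved empty/deleted key values could not spare them.
using FastIntMap = std::unordered_map<int, std::string, std::hash<int>, std::equal_to<int>,
    ExampleFastAllocator<std::pair<const int, std::string>>>;

// Builds a map using the awkward keys and reports how many allocations the
// container routed through the fast path (nodes plus bucket arrays).
std::size_t allocationsMadeByFastIntMap() {
    std::size_t before = g_fastMallocCalls;
    {
        FastIntMap map;
        map[0] = "zero";
        map[-1] = "minus one";
        map[42] = "answer";
    }  // destructor releases every node and bucket array through exampleFastFree
    return g_fastMallocCalls - before;
}

// True when every block handed out through the allocator was also returned
// through it: no leak and no mismatch with operator delete.
bool fastAllocatorIsBalanced() {
    allocationsMadeByFastIntMap();
    return g_fastMallocCalls == g_fastFreeCalls;
}
```

The std::string values still manage their own heap buffers through std::allocator; only the container's nodes and bucket arrays go through the custom allocator, which is exactly the scope a container's allocator template parameter controls.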
1095
1096 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1097
1098         Drop NOSNIFF compile flag
1099         https://bugs.webkit.org/show_bug.cgi?id=174289
1100
1101         Reviewed by Michael Catanzaro.
1102
1103         * Configurations/FeatureDefines.xcconfig:
1104
1105 2017-07-07  AJ Ringer  <aringer@apple.com>
1106
1107         Lower the max_protection for the separated heap
1108         https://bugs.webkit.org/show_bug.cgi?id=174281
1109
1110         Reviewed by Oliver Hunt.
1111
1112         Switch to vm_protect so we can set maximum page protection.
1113
1114         * jit/ExecutableAllocator.cpp:
1115         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1116         (JSC::ExecutableAllocator::allocate):
1117
1118 2017-07-07  Devin Rousso  <drousso@apple.com>
1119
1120         Web Inspector: Show all elements currently using a given CSS Canvas
1121         https://bugs.webkit.org/show_bug.cgi?id=173965
1122
1123         Reviewed by Joseph Pecoraro.
1124
1125         * inspector/protocol/Canvas.json:
1126          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
1127            canvas via -webkit-canvas.
1128          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
1129            added/removed from the list of -webkit-canvas clients.
1130
1131 2017-07-07  Mark Lam  <mark.lam@apple.com>
1132
1133         \n\r is not the same as \r\n.
1134         https://bugs.webkit.org/show_bug.cgi?id=173053
1135
1136         Reviewed by Keith Miller.
1137
1138         * parser/Lexer.cpp:
1139         (JSC::Lexer<T>::shiftLineTerminator):
1140         (JSC::LineNumberAdder::add):
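The line-terminator rule behind this entry and the LineNumberAdder entry above (r219263: <CR><LF> is one terminator, <LF><CR> is two), as an added illustration that is not JSC's Lexer<T>::shiftLineTerminator. countLineTerminators and normalizeTemplateLineTerminators are constructed names; the code assumes UTF-8 input so that <LS> and <PS> can be recognised by their byte sequences.

```cpp
#include <cstddef>
#include <string>

// Counts ECMAScript line terminators in UTF-8 source text. <CR><LF> is a single
// terminator; <LF><CR> is an LF followed by a lone CR and therefore counts as
// two. U+2028 (LS) and U+2029 (PS) are counted from their UTF-8 encodings.
std::size_t countLineTerminators(const std::string& source) {
    std::size_t count = 0;
    for (std::size_t i = 0; i < source.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(source[i]);
        if (c == '\r') {
            ++count;
            if (i + 1 < source.size() && source[i + 1] == '\n')
                ++i;  // CR LF: the LF belongs to this terminator
        } else if (c == '\n') {
            ++count;  // a CR that follows is a separate terminator, seen next iteration
        } else if (c == 0xE2 && i + 2 < source.size()
                   && static_cast<unsigned char>(source[i + 1]) == 0x80
                   && (static_cast<unsigned char>(source[i + 2]) == 0xA8
                       || static_cast<unsigned char>(source[i + 2]) == 0xA9)) {
            ++count;  // U+2028 / U+2029 in UTF-8 (E2 80 A8 / E2 80 A9)
            i += 2;
        }
    }
    return count;
}

// Template literal normalisation: every <CR><LF> and every lone <CR> becomes
// <LF>, so <LF><CR> becomes <LF><LF>, as the LineNumberAdder entry describes.
std::string normalizeTemplateLineTerminators(const std::string& raw) {
    std::string out;
    out.reserve(raw.size());
    for (std::size_t i = 0; i < raw.size(); ++i) {
        if (raw[i] == '\r') {
            out += '\n';
            if (i + 1 < raw.size() && raw[i + 1] == '\n')
                ++i;  // CR LF collapses to one LF
        } else {
            out += raw[i];
        }
    }
    return out;
}
```

With the two-terminator rule the normalised text and the raw text always contain the same number of line terminators, which is why the separate LineNumberAdder bookkeeping could be dropped.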
1141
1142 2017-07-07  Commit Queue  <commit-queue@webkit.org>
1143
1144         Unreviewed, rolling out r219238, r219239, and r219241.
1145         https://bugs.webkit.org/show_bug.cgi?id=174265
1146
1147         "fast/workers/dedicated-worker-lifecycle.html is flaky"
1148         (Requested by yusukesuzuki on #webkit).
1149
1150         Reverted changesets:
1151
1152         "[WTF] Implement WTF::ThreadGroup"
1153         https://bugs.webkit.org/show_bug.cgi?id=174081
1154         http://trac.webkit.org/changeset/219238
1155
1156         "Unreviewed, build fix after r219238"
1157         https://bugs.webkit.org/show_bug.cgi?id=174081
1158         http://trac.webkit.org/changeset/219239
1159
1160         "Unreviewed, CLoop build fix after r219238"
1161         https://bugs.webkit.org/show_bug.cgi?id=174081
1162         http://trac.webkit.org/changeset/219241
1163
1164 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1165
1166         Unreviewed, CLoop build fix after r219238
1167         https://bugs.webkit.org/show_bug.cgi?id=174081
1168
1169         * heap/MachineStackMarker.cpp:
1170
1171 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1172
1173         [WTF] Implement WTF::ThreadGroup
1174         https://bugs.webkit.org/show_bug.cgi?id=174081
1175
1176         Reviewed by Mark Lam.
1177
1178         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1179         And SamplingProfiler and others interact with WTF::Thread directly.
1180
1181         * API/tests/ExecutionTimeLimitTest.cpp:
1182         * heap/MachineStackMarker.cpp:
1183         (JSC::MachineThreads::MachineThreads):
1184         (JSC::captureStack):
1185         (JSC::MachineThreads::tryCopyOtherThreadStack):
1186         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1187         (JSC::MachineThreads::gatherConservativeRoots):
1188         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1189         (JSC::ActiveMachineThreadsManager::add): Deleted.
1190         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1191         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1192         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1193         (JSC::activeMachineThreadsManager): Deleted.
1194         (JSC::MachineThreads::~MachineThreads): Deleted.
1195         (JSC::MachineThreads::addCurrentThread): Deleted.
1196         (): Deleted.
1197         (JSC::MachineThreads::removeThread): Deleted.
1198         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1199         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1200         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1201         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1202         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1203         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1204         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1205         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1206         * heap/MachineStackMarker.h:
1207         (JSC::MachineThreads::addCurrentThread):
1208         (JSC::MachineThreads::getLock):
1209         (JSC::MachineThreads::threads):
1210         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1211         (JSC::MachineThreads::MachineThread::resume): Deleted.
1212         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1213         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1214         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1215         (JSC::MachineThreads::threadsListHead): Deleted.
1216         * runtime/SamplingProfiler.cpp:
1217         (JSC::FrameWalker::isValidFramePointer):
1218         (JSC::SamplingProfiler::SamplingProfiler):
1219         (JSC::SamplingProfiler::takeSample):
1220         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1221         * runtime/SamplingProfiler.h:
1222         * wasm/WasmMachineThreads.cpp:
1223         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1224
1225 2017-07-06  Saam Barati  <sbarati@apple.com>
1226
1227         We are missing places where we invalidate the for-in context
1228         https://bugs.webkit.org/show_bug.cgi?id=174184
1229
1230         Reviewed by Geoffrey Garen.
1231
1232         * bytecompiler/BytecodeGenerator.cpp:
1233         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
1234         * bytecompiler/NodesCodegen.cpp:
1235         (JSC::EmptyLetExpression::emitBytecode):
1236         (JSC::ForInNode::emitLoopHeader):
1237         (JSC::ForOfNode::emitBytecode):
1238         (JSC::BindingNode::bindValue):
1239
1240 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1241
1242         Unreviewed, suppress warnings in GCC environment
1243
1244         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1245         * runtime/IntlCollator.cpp:
1246         * runtime/IntlDateTimeFormat.cpp:
1247         * runtime/JSGlobalObject.cpp:
1248         * runtime/StringPrototype.cpp:
1249
1250 2017-07-05  Saam Barati  <sbarati@apple.com>
1251
1252         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
1253         https://bugs.webkit.org/show_bug.cgi?id=174188
1254         <rdar://problem/30581423>
1255
1256         Reviewed by Mark Lam.
1257
1258         We were calling lowJSValue(edge) when we were speculating the
1259         edge as double. This isn't allowed. We should have been using
1260         lowDouble.
1261         
1262         This patch also adds a new option, called useArrayAllocationProfiling,
1263         which defaults to true. When false, it will make the array allocation
1264         profile not actually sample seen arrays. It'll force the allocation
1265         profile's predicted indexing type to be ArrayWithUndecided. Adding
1266         this option made it trivial to write a test for this bug.
1267
1268         * bytecode/ArrayAllocationProfile.cpp:
1269         (JSC::ArrayAllocationProfile::updateIndexingType):
1270         * ftl/FTLLowerDFGToB3.cpp:
1271         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1272         * runtime/Options.h:
1273
1274 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1275
1276         WTF::Thread should have the threads stack bounds.
1277         https://bugs.webkit.org/show_bug.cgi?id=173975
1278
1279         Reviewed by Keith Miller.
1280
1281         There is a site in JSC that tries to walk another thread's stack.
1282         Currently, stack bounds are stored in WTFThreadData which is located
1283         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1284         We workaround this situation by holding StackBounds in MachineThread in JSC,
1285         but StackBounds should be put in WTF::Thread instead.
1286
1287         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
1288         information is tightly coupled with Thread. Thus putting it in WTF::Thread
1289         is a natural choice.
1290
1291         * heap/MachineStackMarker.cpp:
1292         (JSC::MachineThreads::MachineThread::MachineThread):
1293         (JSC::MachineThreads::MachineThread::captureStack):
1294         * heap/MachineStackMarker.h:
1295         (JSC::MachineThreads::MachineThread::stackBase):
1296         (JSC::MachineThreads::MachineThread::stackEnd):
1297         * runtime/InitializeThreading.cpp:
1298         (JSC::initializeThreading):
1299         * runtime/VM.cpp:
1300         (JSC::VM::VM):
1301         (JSC::VM::updateStackLimits):
1302         (JSC::VM::committedStackByteCount):
1303         * runtime/VM.h:
1304         (JSC::VM::isSafeToRecurse):
1305         * runtime/VMEntryScope.cpp:
1306         (JSC::VMEntryScope::VMEntryScope):
1307         * runtime/VMInlines.h:
1308         (JSC::VM::ensureStackCapacityFor):
1309         * runtime/VMTraps.cpp:
1310         * yarr/YarrPattern.cpp:
1311         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1312
1313 2017-07-05  Keith Miller  <keith_miller@apple.com>
1314
1315         Crashing with information should have an abort reason
1316         https://bugs.webkit.org/show_bug.cgi?id=174185
1317
1318         Reviewed by Saam Barati.
1319
1320         Add crash information for the abstract interpreter and add an enum
1321         value for object allocation sinking.
1322
1323         * assembler/AbortReason.h:
1324         * dfg/DFGAbstractInterpreterInlines.h:
1325         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1326         * dfg/DFGGraph.cpp:
1327         (JSC::DFG::logDFGAssertionFailure):
1328         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1329
1330 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1331
1332         Remove copy of ICU headers from WebKit
1333         https://bugs.webkit.org/show_bug.cgi?id=116407
1334
1335         Reviewed by Alex Christensen.
1336
1337         Use WTF's copy of ICU headers.
1338
1339         * Configurations/Base.xcconfig:
1340         * icu/unicode/localpointer.h: Removed.
1341         * icu/unicode/parseerr.h: Removed.
1342         * icu/unicode/platform.h: Removed.
1343         * icu/unicode/ptypes.h: Removed.
1344         * icu/unicode/putil.h: Removed.
1345         * icu/unicode/uchar.h: Removed.
1346         * icu/unicode/ucnv.h: Removed.
1347         * icu/unicode/ucnv_err.h: Removed.
1348         * icu/unicode/ucol.h: Removed.
1349         * icu/unicode/uconfig.h: Removed.
1350         * icu/unicode/ucurr.h: Removed.
1351         * icu/unicode/uenum.h: Removed.
1352         * icu/unicode/uiter.h: Removed.
1353         * icu/unicode/uloc.h: Removed.
1354         * icu/unicode/umachine.h: Removed.
1355         * icu/unicode/unorm.h: Removed.
1356         * icu/unicode/unorm2.h: Removed.
1357         * icu/unicode/urename.h: Removed.
1358         * icu/unicode/uscript.h: Removed.
1359         * icu/unicode/uset.h: Removed.
1360         * icu/unicode/ustring.h: Removed.
1361         * icu/unicode/utf.h: Removed.
1362         * icu/unicode/utf16.h: Removed.
1363         * icu/unicode/utf8.h: Removed.
1364         * icu/unicode/utf_old.h: Removed.
1365         * icu/unicode/utypes.h: Removed.
1366         * icu/unicode/uvernum.h: Removed.
1367         * icu/unicode/uversion.h: Removed.
1368         * runtime/IntlCollator.cpp:
1369         * runtime/IntlDateTimeFormat.cpp:
1370         (JSC::IntlDateTimeFormat::partTypeString):
1371         * runtime/JSGlobalObject.cpp:
1372         * runtime/StringPrototype.cpp:
1373         (JSC::normalize):
1374         (JSC::stringProtoFuncNormalize):
1375
1376 2017-07-05  Devin Rousso  <drousso@apple.com>
1377
1378         Web Inspector: Allow users to log any tracked canvas context
1379         https://bugs.webkit.org/show_bug.cgi?id=173397
1380         <rdar://problem/33111581>
1381
1382         Reviewed by Joseph Pecoraro.
1383
1384         * inspector/protocol/Canvas.json:
1385         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
1386
1387 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
1388
1389         Add WebKitPrivateFrameworkStubs for iOS 11
1390         https://bugs.webkit.org/show_bug.cgi?id=173988
1391
1392         Reviewed by David Kilzer.
1393
1394         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
1395         same directory for private framework stubs.
1396
1397 2017-07-05  JF Bastien  <jfbastien@apple.com>
1398
1399         WebAssembly: implement name section's module name, skip unknown sections
1400         https://bugs.webkit.org/show_bug.cgi?id=172008
1401
1402         Reviewed by Keith Miller.
1403
1404         Parse the WebAssembly module name properly, and skip unknown
1405         sections. This is useful because as toolchains support new types
1406         of names we want to keep displaying the information we know about
1407         and simply ignore new information. That capability was designed
1408         into WebAssembly's name section.
1409
1410         Failure to commit this patch would mean that WebKit won't display
1411         stack trace information, which would make developers sad.
1412
1413         Module names were added here: https://github.com/WebAssembly/design/pull/1055
1414
1415         Note that this patch doesn't do anything with the parsed name! Two
1416         reasons for this: module names aren't supported in binaryen yet,
1417         so I can't write a simple binary test; and using the name is a
1418         slightly riskier change because it requires changing StackVisitor
1419         + StackFrame (where they print "[wasm code]") which requires
1420         figuring out the frame's Module. The latter bit isn't trivial
1421         because we only know wasm frames from their tag bits, and
1422         CodeBlocks are always nullptr.
1423
1424         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
1425
1426         I filed #174098 to use the module name.
1427
1428         * wasm/WasmFormat.h:
1429         (JSC::Wasm::isValidNameType):
1430         * wasm/WasmNameSectionParser.cpp:
1431
1432 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
1433
1434         Cleanup some StringBuilder use
1435         https://bugs.webkit.org/show_bug.cgi?id=174118
1436
1437         Reviewed by Andreas Kling.
1438
1439         * runtime/FunctionConstructor.cpp:
1440         (JSC::constructFunctionSkippingEvalEnabledCheck):
1441         * tools/FunctionOverrides.cpp:
1442         (JSC::parseClause):
1443         * wasm/WasmOMGPlan.cpp:
1444         * wasm/WasmPlan.cpp:
1445         * wasm/WasmValidate.cpp:
1446
1447 2017-07-03  Saam Barati  <sbarati@apple.com>
1448
1449         LayoutTest workers/bomb.html is a Crash
1450         https://bugs.webkit.org/show_bug.cgi?id=167757
1451         <rdar://problem/33086462>
1452
1453         Reviewed by Keith Miller.
1454
1455         VMTraps::SignalSender was accessing VM fields even after
1456         the VM was destroyed. This happened when the SignalSender
1457         thread was in the middle of its work() function while VMTraps
1458         was notified that the VM was shutting down. The VM would proceed
1459         to run its destructor even after the SignalSender thread finished
1460         doing its work. This means that the SignalSender thread was accessing
1461         VM fields even after the VM was destructed (including itself, since it is
1462         transitively owned by the VM). The VM must wait for the SignalSender
1463         thread to shutdown before it can continue to destruct itself.
1464
1465         * runtime/VMTraps.cpp:
1466         (JSC::VMTraps::willDestroyVM):
1467
1468 2017-07-03  Saam Barati  <sbarati@apple.com>
1469
1470         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
1471         https://bugs.webkit.org/show_bug.cgi?id=174110
1472
1473         Reviewed by Michael Saboff.
1474
1475         * dfg/DFGByteCodeParser.cpp:
1476         (JSC::DFG::ByteCodeParser::parseBlock):
1477
1478 2017-07-03  Saam Barati  <sbarati@apple.com>
1479
1480         Add a new assertion to object allocation sinking phase
1481         https://bugs.webkit.org/show_bug.cgi?id=174107
1482
1483         Rubber stamped by Filip Pizlo.
1484
1485         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1486
1487 2017-07-03  Commit Queue  <commit-queue@webkit.org>
1488
1489         Unreviewed, rolling out r219060.
1490         https://bugs.webkit.org/show_bug.cgi?id=174108
1491
1492         crashing constantly when initializing UIWebView (Requested by
1493         thorton on #webkit).
1494
1495         Reverted changeset:
1496
1497         "WTF::Thread should have the threads stack bounds."
1498         https://bugs.webkit.org/show_bug.cgi?id=173975
1499         http://trac.webkit.org/changeset/219060
1500
1501 2017-07-03  Matt Lewis  <jlewis3@apple.com>
1502
1503         Unreviewed, rolling out r219103.
1504
1505         Caused multiple build failures.
1506
1507         Reverted changeset:
1508
1509         "Remove copy of ICU headers from WebKit"
1510         https://bugs.webkit.org/show_bug.cgi?id=116407
1511         http://trac.webkit.org/changeset/219103
1512
1513 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1514
1515         Remove copy of ICU headers from WebKit
1516         https://bugs.webkit.org/show_bug.cgi?id=116407
1517
1518         Reviewed by Alex Christensen.
1519
1520         Use WTF's copy of ICU headers.
1521
1522         * Configurations/Base.xcconfig:
1523         * icu/unicode/localpointer.h: Removed.
1524         * icu/unicode/parseerr.h: Removed.
1525         * icu/unicode/platform.h: Removed.
1526         * icu/unicode/ptypes.h: Removed.
1527         * icu/unicode/putil.h: Removed.
1528         * icu/unicode/uchar.h: Removed.
1529         * icu/unicode/ucnv.h: Removed.
1530         * icu/unicode/ucnv_err.h: Removed.
1531         * icu/unicode/ucol.h: Removed.
1532         * icu/unicode/uconfig.h: Removed.
1533         * icu/unicode/ucurr.h: Removed.
1534         * icu/unicode/uenum.h: Removed.
1535         * icu/unicode/uiter.h: Removed.
1536         * icu/unicode/uloc.h: Removed.
1537         * icu/unicode/umachine.h: Removed.
1538         * icu/unicode/unorm.h: Removed.
1539         * icu/unicode/unorm2.h: Removed.
1540         * icu/unicode/urename.h: Removed.
1541         * icu/unicode/uscript.h: Removed.
1542         * icu/unicode/uset.h: Removed.
1543         * icu/unicode/ustring.h: Removed.
1544         * icu/unicode/utf.h: Removed.
1545         * icu/unicode/utf16.h: Removed.
1546         * icu/unicode/utf8.h: Removed.
1547         * icu/unicode/utf_old.h: Removed.
1548         * icu/unicode/utypes.h: Removed.
1549         * icu/unicode/uvernum.h: Removed.
1550         * icu/unicode/uversion.h: Removed.
1551         * runtime/IntlCollator.cpp:
1552         * runtime/IntlDateTimeFormat.cpp:
1553         * runtime/JSGlobalObject.cpp:
1554         * runtime/StringPrototype.cpp:
1555
1556 2017-07-03  Saam Barati  <sbarati@apple.com>
1557
1558         Add better crash logging for allocation sinking phase
1559         https://bugs.webkit.org/show_bug.cgi?id=174102
1560         <rdar://problem/33112092>
1561
1562         Rubber stamped by Filip Pizlo.
1563
1564         I'm trying to gather better information from crashlogs about why
1565         we're crashing in the allocation sinking phase. I'm adding an allocation
1566         sinking specific RELEASE_ASSERT as well as marking a few functions as
1567         NEVER_INLINE to have the stack traces in the crash trace contain more
1568         actionable information.
1569
1570         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1571
1572 2017-07-03  Sam Weinig  <sam@webkit.org>
1573
1574         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
1575         https://bugs.webkit.org/show_bug.cgi?id=174083
1576
1577         Reviewed by Alex Christensen.
1578
1579         * Configurations/FeatureDefines.xcconfig:
1580         Add ENABLE_NAVIGATOR_STANDALONE.
1581
1582 2017-07-03  Andy Estes  <aestes@apple.com>
1583
1584         [Xcode] Add an experimental setting to build with ccache
1585         https://bugs.webkit.org/show_bug.cgi?id=173875
1586
1587         Reviewed by Tim Horton.
1588
1589         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
1590
1591 2017-07-03  Devin Rousso  <drousso@apple.com>
1592
1593         Web Inspector: Support listing WebGL2 and WebGPU contexts
1594         https://bugs.webkit.org/show_bug.cgi?id=173396
1595
1596         Reviewed by Joseph Pecoraro.
1597
1598         * inspector/protocol/Canvas.json:
1599         * inspector/scripts/codegen/generator.py:
1600         (Generator.stylized_name_for_enum_value):
1601         Add cases for handling new Canvas.ContextType protocol enumerations:
1602          - "webgl2" maps to `WebGL2`
1603          - "webgpu" maps to `WebGPU`
1604
1605 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1606
1607         WTF::Thread should have the threads stack bounds.
1608         https://bugs.webkit.org/show_bug.cgi?id=173975
1609
1610         Reviewed by Mark Lam.
1611
1612         There is a site in JSC that tries to walk another thread's stack.
1613         Currently, stack bounds are stored in WTFThreadData which is located
1614         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1615         We work around this situation by holding StackBounds in MachineThread in JSC,
1616         but StackBounds should be put in WTF::Thread instead.
1617
1618         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
1619         information is tightly coupled with Thread. Thus putting it in WTF::Thread
1620         is a natural choice.
1621
1622         * heap/MachineStackMarker.cpp:
1623         (JSC::MachineThreads::MachineThread::MachineThread):
1624         (JSC::MachineThreads::MachineThread::captureStack):
1625         * heap/MachineStackMarker.h:
1626         (JSC::MachineThreads::MachineThread::stackBase):
1627         (JSC::MachineThreads::MachineThread::stackEnd):
1628         * runtime/InitializeThreading.cpp:
1629         (JSC::initializeThreading):
1630         * runtime/VM.cpp:
1631         (JSC::VM::VM):
1632         (JSC::VM::updateStackLimits):
1633         (JSC::VM::committedStackByteCount):
1634         * runtime/VM.h:
1635         (JSC::VM::isSafeToRecurse):
1636         * runtime/VMEntryScope.cpp:
1637         (JSC::VMEntryScope::VMEntryScope):
1638         * runtime/VMInlines.h:
1639         (JSC::VM::ensureStackCapacityFor):
1640         * runtime/VMTraps.cpp:
1641         * yarr/YarrPattern.cpp:
1642         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1643
1644 2017-07-01  Dan Bernstein  <mitz@apple.com>
1645
1646         [iOS] Remove code only needed when building for iOS 9.x
1647         https://bugs.webkit.org/show_bug.cgi?id=174068
1648
1649         Reviewed by Tim Horton.
1650
1651         * Configurations/FeatureDefines.xcconfig:
1652         * jit/ExecutableAllocator.cpp:
1653         * runtime/Options.cpp:
1654         (JSC::recomputeDependentOptions):
1655
1656 2017-07-01  Dan Bernstein  <mitz@apple.com>
1657
1658         [macOS] Remove code only needed when building for OS X Yosemite
1659         https://bugs.webkit.org/show_bug.cgi?id=174067
1660
1661         Reviewed by Tim Horton.
1662
1663         * API/WebKitAvailability.h:
1664         * Configurations/Base.xcconfig:
1665         * Configurations/DebugRelease.xcconfig:
1666         * Configurations/FeatureDefines.xcconfig:
1667         * Configurations/Version.xcconfig:
1668
1669 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
1670
1671         Unreviewed, build fix for GCC
1672         https://bugs.webkit.org/show_bug.cgi?id=174034
1673
1674         * b3/testb3.cpp:
1675         (JSC::B3::testDoubleLiteralComparison):
1676
1677 2017-06-30  Keith Miller  <keith_miller@apple.com>
1678
1679         Force crashWithInfo to be out of line.
1680         https://bugs.webkit.org/show_bug.cgi?id=174028
1681
1682         Reviewed by Filip Pizlo.
1683
1684         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
1685
1686         * dfg/DFGGraph.cpp:
1687         (JSC::DFG::logDFGAssertionFailure):
1688         (JSC::DFG::Graph::logAssertionFailure):
1689         (JSC::DFG::crash): Deleted.
1690         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1691         * dfg/DFGGraph.h:
1692
1693 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1694
1695         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
1696         https://bugs.webkit.org/show_bug.cgi?id=174053
1697
1698         Reviewed by Geoffrey Garen.
1699
1700         We already have AbstractMacroAssembler::random() function. Use it instead.
1701
1702         * jit/JIT.cpp:
1703         (JSC::JIT::JIT):
1704         (JSC::JIT::compileWithoutLinking):
1705         * jit/JIT.h:
1706
1707 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1708
1709         [WTF] Drop SymbolRegistry::keyForSymbol
1710         https://bugs.webkit.org/show_bug.cgi?id=174052
1711
1712         Reviewed by Sam Weinig.
1713
1714         * runtime/SymbolConstructor.cpp:
1715         (JSC::symbolConstructorKeyFor):
1716
1717 2017-06-30  Saam Barati  <sbarati@apple.com>
1718
1719         B3ReduceStrength should reduce EqualOrUnordered over const float input
1720         https://bugs.webkit.org/show_bug.cgi?id=174039
1721
1722         Reviewed by Michael Saboff.
1723
1724         We perform this folding for ConstDoubleValue. It is simply
1725         an oversight that we didn't do it for ConstFloatValue.
1726
1727         * b3/B3ConstFloatValue.cpp:
1728         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
1729         * b3/B3ConstFloatValue.h:
1730         * b3/testb3.cpp:
1731         (JSC::B3::testFloatEqualOrUnorderedFolding):
1732         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
1733         (JSC::B3::testFloatEqualOrUnorderedDontFold):
1734         (JSC::B3::run):
1735
1736 2017-06-30  Matt Baker  <mattbaker@apple.com>
1737
1738         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
1739         https://bugs.webkit.org/show_bug.cgi?id=173840
1740         <rdar://problem/30840820>
1741
1742         Reviewed by Joseph Pecoraro.
1743
1744         When truncating an asynchronous stack trace, the parent chain is traversed
1745         until a locked node is found. The path from this node to the root is shared
1746         by more than one stack trace, and cannot be safely modified. Starting at
1747         the first locked node, the path is cloned and becomes a new stack trace tree.
1748
1749         However, the clone operation initialized each new AsyncStackTrace node with
1750         the original node's parent. This would increment the child count of the original
1751         node. When cloning nodes, new nodes should not have their parent set until the
1752         next node up the parent chain is cloned.
1753
1754         * inspector/AsyncStackTrace.cpp:
1755         (Inspector::AsyncStackTrace::truncate):
1756
1757 2017-06-30  Michael Saboff  <msaboff@apple.com>
1758
1759         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
1760         https://bugs.webkit.org/show_bug.cgi?id=174044
1761
1762         Reviewed by Oliver Hunt.
1763
1764         The .* enclosure optimization didn't respect that we can start matching from a non-zero
1765         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
1766         then finding the extent of the match by going back to the beginning of the line and going
1767         forward to the end of the line.  The code that went back to the beginning of the line
1768         checked for an index of 0 instead of comparing the index to the start position.  This start
1769         position is passed as the initial index.
1770
1771         Added another temporary register to the YARR JIT to contain the start position for
1772         platforms that have spare registers.
1773
1774         * yarr/Yarr.h:
1775         * yarr/YarrInterpreter.cpp:
1776         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
1777         (JSC::Yarr::Interpreter::Interpreter):
1778         * yarr/YarrJIT.cpp:
1779         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
1780         (JSC::Yarr::YarrGenerator::compile):
1781         * yarr/YarrPattern.cpp:
1782         (JSC::Yarr::YarrPattern::YarrPattern):
1783         * yarr/YarrPattern.h:
1784         (JSC::Yarr::YarrPattern::reset):
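
A model of the enclosure search described in this entry, added here as an example (not the YarrInterpreter or YarrJIT code): dotStarEnclosure and matchDotStarPattern are names chosen for this example, the <some-terms> part is matched as a plain literal rather than a compiled pattern, and compareAgainstStart=false reproduces the old "index == 0" test.

```cpp
#include <cstddef>
#include <cstdio>
#include <string>

struct MatchExtent {
    bool matched;
    size_t start;
    size_t end;
};

// '.' never matches a line terminator, so a greedy .* run is bounded by these.
static bool isLineTerminator(char c) {
    return c == '\n' || c == '\r';
}

// After <some-terms> matched at [termStart, termEnd), widen to the enclosing line.
// The backwards walk must stop at startIndex, where this attempt began, because a
// global regexp resumes from lastIndex and text before it is not part of the match.
// compareAgainstStart=false reproduces the old behaviour of walking back to index 0.
static MatchExtent dotStarEnclosure(const std::string& input, size_t termStart, size_t termEnd,
                                    size_t startIndex, bool compareAgainstStart) {
    size_t floor = compareAgainstStart ? startIndex : 0;
    size_t start = termStart;
    while (start > floor && !isLineTerminator(input[start - 1]))
        --start;
    size_t end = termEnd;
    while (end < input.size() && !isLineTerminator(input[end]))
        ++end;
    return {true, start, end};
}

// Driver for a /.*<term>.*/ pattern with a literal term: locate the term at or after
// startIndex, then compute the enclosure. matched=false when the term is absent.
static MatchExtent matchDotStarPattern(const std::string& input, const std::string& term,
                                       size_t startIndex, bool compareAgainstStart) {
    size_t pos = input.find(term, startIndex);
    if (pos == std::string::npos)
        return {false, 0, 0};
    return dotStarEnclosure(input, pos, pos + term.size(), startIndex, compareAgainstStart);
}

int main() {
    // Constructed input: resuming /.*X.*/g at lastIndex 1 must report start 1, not 0.
    MatchExtent fixed = matchDotStarPattern("aXbX", "X", 1, true);
    MatchExtent old = matchDotStarPattern("aXbX", "X", 1, false);
    std::printf("fixed: [%zu, %zu)  old: [%zu, %zu)\n", fixed.start, fixed.end, old.start, old.end);
    return 0;
}
```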
1785
1786 2017-06-30  Saam Barati  <sbarati@apple.com>
1787
1788         B3MoveConstants floatZero() returns the wrong ValueKey
1789         https://bugs.webkit.org/show_bug.cgi?id=174040
1790
1791         Reviewed by Filip Pizlo.
1792
1793         It had a typo where the ValueKey for floatZero() produces a Double
1794         instead of a Float.
1795
1796         * b3/B3MoveConstants.cpp:
1797
1798 2017-06-30  Saam Barati  <sbarati@apple.com>
1799
1800         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
1801         https://bugs.webkit.org/show_bug.cgi?id=174034
1802         <rdar://problem/30793007>
1803
1804         Reviewed by Filip Pizlo.
1805
1806         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
1807         reduce binary operations over double constants into the same binary
1808         operation over the double constants casted to floats. This is clearly
1809         incorrect as these two things will produce different values. For example:
1810         
1811         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
1812         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
1813         c = EqualOrUnordered(@a, @b) // produces 0
1814         
1815         into:
1816         
1817         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
1818         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
1819         c = EqualOrUnordered(@a, @b) // produces 1
1820         
1821         Which produces a different value for @c.
1822
1823         * b3/B3ReduceDoubleToFloat.cpp:
1824         * b3/testb3.cpp:
1825         (JSC::B3::doubleEq):
1826         (JSC::B3::doubleNeq):
1827         (JSC::B3::doubleGt):
1828         (JSC::B3::doubleGte):
1829         (JSC::B3::doubleLt):
1830         (JSC::B3::doubleLte):
1831         (JSC::B3::testDoubleLiteralComparison):
1832         (JSC::B3::run):
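
The mismatch this entry describes, worked through as an added example (not JSC's B3 code); it also covers the EqualOrUnordered constant folding that the B3ReduceStrength entry above (bug 174039) extends to ConstFloatValue. doubleFromBits, equalOrUnordered and canFoldComparison are names chosen here, and the round-trip guard is this example's own rule, not what B3ReduceDoubleToFloat implements.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret raw bits as a double, the way the entry's bitwise_cast<double>(...) does.
static double doubleFromBits(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// B3's EqualOrUnordered semantics: true when a == b or either operand is NaN.
static bool equalOrUnordered(double a, double b) {
    return a == b || std::isnan(a) || std::isnan(b);
}

// What the faulty reduction did: narrow both double constants to float, then compare.
static bool equalOrUnorderedAfterNarrowing(double a, double b) {
    float fa = static_cast<float>(a);
    float fb = static_cast<float>(b);
    return fa == fb || std::isnan(fa) || std::isnan(fb);
}

// Guard defined for this example (an assumption, not B3's rule): a double constant may
// only be rewritten as a float constant when the float round-trips to the same double,
// so the comparison still sees identical operands after the rewrite.
static bool isExactlyRepresentableAsFloat(double d) {
    if (std::isnan(d))
        return true; // NaN narrows to NaN, and unordered stays unordered
    float f = static_cast<float>(d);
    return static_cast<double>(f) == d && std::signbit(f) == std::signbit(d);
}

static bool canFoldComparison(double a, double b) {
    return isExactlyRepresentableAsFloat(a) && isExactlyRepresentableAsFloat(b);
}

int main() {
    // The two constants from the entry: the smallest negative subnormal double and +0.0.
    // Narrowing the subnormal to float underflows to -0.0f, which compares equal to 0.0f.
    double a = doubleFromBits(0x8000000000000001ull);
    double b = doubleFromBits(0x0000000000000000ull);
    std::printf("double compare: %d\n", equalOrUnordered(a, b));                // 0
    std::printf("after narrowing: %d\n", equalOrUnorderedAfterNarrowing(a, b)); // 1
    std::printf("safe to fold: %d\n", canFoldComparison(a, b));                 // 0
    return 0;
}
```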
1833
1834 2017-06-29  Jer Noble  <jer.noble@apple.com>
1835
1836         Make Legacy EME API controlled by RuntimeEnabled setting.
1837         https://bugs.webkit.org/show_bug.cgi?id=173994
1838
1839         Reviewed by Sam Weinig.
1840
1841         * Configurations/FeatureDefines.xcconfig:
1842         * runtime/CommonIdentifiers.h:
1843
1844 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
1845
1846         Ran sort-Xcode-project-file.
1847
1848         * JavaScriptCore.xcodeproj/project.pbxproj:
1849
1850 2017-06-30  Matt Lewis  <jlewis3@apple.com>
1851
1852         Unreviewed, rolling out r218992.
1853
1854         The patch broke the iOS device builds.
1855
1856         Reverted changeset:
1857
1858         "DFG_ASSERT should allow stuffing registers before trapping."
1859         https://bugs.webkit.org/show_bug.cgi?id=174005
1860         http://trac.webkit.org/changeset/218992
1861
1862 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
1863
1864         RegExpCachedResult::setInput should reify left and right contexts
1865         https://bugs.webkit.org/show_bug.cgi?id=173818
1866
1867         Reviewed by Keith Miller.
1868         
1869         If you don't reify them in setInput, then when you later try to reify them, you'll end up
1870         using indices into an old input string to create a substring of a new input string. That
1871         never goes well.
1872
1873         * runtime/RegExpCachedResult.cpp:
1874         (JSC::RegExpCachedResult::setInput):
1875
1876 2017-06-30  Keith Miller  <keith_miller@apple.com>
1877
1878         DFG_ASSERT should allow stuffing registers before trapping.
1879         https://bugs.webkit.org/show_bug.cgi?id=174005
1880
1881         Reviewed by Mark Lam.
1882
1883         DFG_ASSERT currently prints error data to stderr before crashing,
1884         which is nice for local development. In the wild, however, we
1885         can't see this information in crash logs. This patch enables
1886         stuffing some of the most useful information from DFG_ASSERTS into
1887         up to five registers right before crashing. The values stuffed
1888         should not impact any logging during local development.
1889
1890         * assembler/AbortReason.h:
1891         * dfg/DFGAbstractInterpreterInlines.h:
1892         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1893         * dfg/DFGGraph.cpp:
1894         (JSC::DFG::logForCrash):
1895         (JSC::DFG::Graph::logAssertionFailure):
1896         (JSC::DFG::crash): Deleted.
1897         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
1898         * dfg/DFGGraph.h:
1899
1900 2017-06-29  Saam Barati  <sbarati@apple.com>
1901
1902         Calculating postCapacity in unshiftCountSlowCase is wrong
1903         https://bugs.webkit.org/show_bug.cgi?id=173992
1904         <rdar://problem/32283199>
1905
1906         Reviewed by Keith Miller.
1907
1908         This patch fixes a bug inside unshiftCountSlowCase where we would use
1909         more memory than we allocated. The bug was when deciding how much extra
1910         space we have after the vector we've allocated. This area is called the
1911         postCapacity. The largest legal postCapacity value we could use is the
1912         space we allocated minus the space we need:
1913         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
1914         However, the code was calculating the postCapacity as:
1915         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
1916         
1917         where count is how many elements we're appending. Depending on the inputs,
1918         count could be larger than (newStorageCapacity - requiredVectorLength). This
1919         would cause us to use more memory than we actually allocated.
1920
1921         * runtime/JSArray.cpp:
1922         (JSC::JSArray::unshiftCountSlowCase):
1923
1924 2017-06-29  Commit Queue  <commit-queue@webkit.org>
1925
1926         Unreviewed, rolling out r218512.
1927         https://bugs.webkit.org/show_bug.cgi?id=173981
1928
1929         "It changes the behavior of the JS API's JSEvaluateScript
1930         which breaks TurboTax" (Requested by saamyjoon on #webkit).
1931
1932         Reverted changeset:
1933
1934         "test262: Completion values for control flow do not match the
1935         spec"
1936         https://bugs.webkit.org/show_bug.cgi?id=171265
1937         http://trac.webkit.org/changeset/218512
1938
1939 2017-06-29  JF Bastien  <jfbastien@apple.com>
1940
1941         WebAssembly: disable some APIs under CSP
1942         https://bugs.webkit.org/show_bug.cgi?id=173892
1943         <rdar://problem/32914613>
1944
1945         Reviewed by Daniel Bates.
1946
1947         We should disable parts of WebAssembly under Content Security
1948         Policy as discussed here:
1949
1950         https://github.com/WebAssembly/design/issues/1092
1951
1952         Exactly what should be disabled isn't super clear, so we may as
1953         well be conservative and disable many things if developers already
1954         opted into CSP. It's easy to loosen what we disable later.
1955
1956         This patch disables:
1957         - WebAssembly.Instance
1958         - WebAssembly.instantiate
1959         - WebAssembly.Memory
1960         - WebAssembly.Table
1961
1962         And leaves:
1963         - WebAssembly on the global object
1964         - WebAssembly.Module
1965         - WebAssembly.compile
1966         - WebAssembly.CompileError
1967         - WebAssembly.LinkError
1968
1969         Nothing, because currently unimplemented:
1970         - WebAssembly.compileStreaming
1971         - WebAssembly.instantiateStreaming
1972
1973         That way it won't be possible to call WebAssembly-compiled code,
1974         or create memories (which use fancy 4GiB allocations
1975         sometimes). Table isn't really useful on its own, and eventually
1976         we may make them shareable so without more details it seems benign
1977         to disable them (and useless if we don't).
1978
1979         I haven't done anything with postMessage, so you can still
1980         postMessage a WebAssembly.Module cross-CSP, but you can't
1981         instantiate it so it's useless. Because of this I elected to leave
1982         WebAssembly.Module and friends available.
1983
1984         I haven't added any new directives. It's still unsafe-eval. We can
1985         add something else later, but it seems odd to add WebAssembly as
1986         a new capability and tell developers "you should have been using
1987         this directive which we just implemented if you wanted to disable
1988         WebAssembly which didn't exist when you adopted CSP". So IMO we
1989         should keep unsafe-eval as it currently is, add WebAssembly to
1990         what it disables, and later consider having two new directives
1991         which do each individually or something.
1992
1993         In all cases I throw an EvalError *before* other WebAssembly
1994         errors would be produced.
1995
1996         Note that, as for eval, reporting doesn't work and is tracked by
1997         https://webkit.org/b/111869
1998
1999         * runtime/JSGlobalObject.cpp:
2000         (JSC::JSGlobalObject::JSGlobalObject):
2001         * runtime/JSGlobalObject.h:
2002         (JSC::JSGlobalObject::webAssemblyEnabled):
2003         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
2004         (JSC::JSGlobalObject::setWebAssemblyEnabled):
2005         * wasm/js/JSWebAssemblyInstance.cpp:
2006         (JSC::JSWebAssemblyInstance::create):
2007         * wasm/js/JSWebAssemblyMemory.cpp:
2008         (JSC::JSWebAssemblyMemory::create):
2009         * wasm/js/JSWebAssemblyMemory.h:
2010         * wasm/js/JSWebAssemblyTable.cpp:
2011         (JSC::JSWebAssemblyTable::create):
2012         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2013         (JSC::constructJSWebAssemblyMemory):
2014
2015 2017-06-28  Keith Miller  <keith_miller@apple.com>
2016
2017         VMTraps has some races
2018         https://bugs.webkit.org/show_bug.cgi?id=173941
2019
2020         Reviewed by Michael Saboff.
2021
2022         This patch refactors much of the VMTraps API.
2023
2024         On the message sending side:
2025
2026         1) No longer uses the Yarr JIT check to determine if we are in
2027         RegExp code. That was unsound because RegExp JIT code can be run
2028         on compilation threads.  Instead it looks at the current frame's
2029         code block slot and checks if it is valid, which is the same as
2030         what it did for JIT code previously.
2031
2032         2) Only have one signal sender thread; previously, there could be
2033         many at once, which caused some data races. Additionally, the
2034         signal sender thread is an automatic thread so it will deallocate
2035         itself when not in use.
2036
2037         On the VMTraps breakpoint side:
2038
2039         1) We now have a true mapping of whether we hit a breakpoint instead of
2040         a JIT assertion. So the exception handler won't eat JIT assertions
2041         anymore.
2042
2043         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
2044         them instead of every CodeBlock on the stack. This both prevents
2045         us from hitting stale VMTraps breakpoints and also doesn't OSR
2046         codeblocks that otherwise don't need to be jettisoned.
2047
2048         3) The old exception handler could theoretically fail for a couple
2049         of reasons then resume execution with a clobbered instruction
2050         set. This patch will kill the program if the exception handler
2051         would fail.
2052
2053         This patch also refactors some of the jsc.cpp functions to take the
2054         CommandLine options object instead of individual options. Also, there
2055         is a new command line option that makes exceptions due to watchdog
2056         timeouts an acceptable result.
2057
2058         * API/tests/testapi.c:
2059         (main):
2060         * bytecode/CodeBlock.cpp:
2061         (JSC::CodeBlock::installVMTrapBreakpoints):
2062         * dfg/DFGCommonData.cpp:
2063         (JSC::DFG::pcCodeBlockMap):
2064         (JSC::DFG::CommonData::invalidate):
2065         (JSC::DFG::CommonData::~CommonData):
2066         (JSC::DFG::CommonData::installVMTrapBreakpoints):
2067         (JSC::DFG::codeBlockForVMTrapPC):
2068         * dfg/DFGCommonData.h:
2069         * jsc.cpp:
2070         (functionDollarAgentStart):
2071         (checkUncaughtException):
2072         (checkException):
2073         (runWithOptions):
2074         (printUsageStatement):
2075         (CommandLine::parseArguments):
2076         (jscmain):
2077         (runWithScripts): Deleted.
2078         * runtime/JSLock.cpp:
2079         (JSC::JSLock::didAcquireLock):
2080         * runtime/VMTraps.cpp:
2081         (JSC::sanitizedTopCallFrame):
2082         (JSC::VMTraps::tryInstallTrapBreakpoints):
2083         (JSC::VMTraps::willDestroyVM):
2084         (JSC::VMTraps::fireTrap):
2085         (JSC::VMTraps::handleTraps):
2086         (JSC::VMTraps::VMTraps):
2087         (JSC::VMTraps::~VMTraps):
2088         (JSC::findActiveVMAndStackBounds): Deleted.
2089         (JSC::installSignalHandler): Deleted.
2090         (JSC::VMTraps::addSignalSender): Deleted.
2091         (JSC::VMTraps::removeSignalSender): Deleted.
2092         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
2093         (JSC::VMTraps::SignalSender::send): Deleted.
2094         * runtime/VMTraps.h:
2095         (JSC::VMTraps::~VMTraps): Deleted.
2096         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
2097
2098 2017-06-28  Devin Rousso  <drousso@apple.com>
2099
2100         Web Inspector: Instrument active pixel memory used by canvases
2101         https://bugs.webkit.org/show_bug.cgi?id=173087
2102         <rdar://problem/32719261>
2103
2104         Reviewed by Joseph Pecoraro.
2105
2106         * inspector/protocol/Canvas.json:
2107          - Add optional `memoryCost` attribute to the `Canvas` type.
2108          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
2109
2110 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
2111
2112         Web Inspector: Cleanup Protocol JSON files
2113         https://bugs.webkit.org/show_bug.cgi?id=173934
2114
2115         Reviewed by Matt Baker.
2116
2117         * inspector/protocol/ApplicationCache.json:
2118         * inspector/protocol/CSS.json:
2119         * inspector/protocol/Console.json:
2120         * inspector/protocol/DOM.json:
2121         * inspector/protocol/DOMDebugger.json:
2122         * inspector/protocol/Debugger.json:
2123         * inspector/protocol/LayerTree.json:
2124         * inspector/protocol/Network.json:
2125         * inspector/protocol/Page.json:
2126         * inspector/protocol/Runtime.json:
2127         Be more consistent about placement of `description` property.
2128
2129 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2130
2131         Web Inspector: Remove unused Inspector domain events
2132         https://bugs.webkit.org/show_bug.cgi?id=173905
2133
2134         Reviewed by Matt Baker.
2135
2136         * inspector/protocol/Inspector.json:
2137
2138 2017-06-28  JF Bastien  <jfbastien@apple.com>
2139
2140         Ensure that computed new stack pointer values do not underflow.
2141         https://bugs.webkit.org/show_bug.cgi?id=173700
2142         <rdar://problem/32926032>
2143
2144         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
2145
2146         Patch by Mark Lam, with the following fix:
2147
2148         Re-apply this patch, it originally broke the ARM build because the llint code
2149         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
2150         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
2151         and operands to emit valid code (because the second operand can be SP).
2152
2153         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2154            m_numCalleeLocals is sane.
2155
2156         2. Added underflow checks in LLInt code and VarargsFrame code.
2157
2158         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2159            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2160            Ensure that Options::softReservedZoneSize() is at least greater than
2161            Options::reservedZoneSize() by minimumReservedZoneSize.
2162
2163         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2164            and only if the max size of the frame is greater than Options::reservedZoneSize().
2165
2166            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2167            of memory at the bottom (end) of the stack.  This means that, at any time, the
2168            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2169            end of the stack.  Hence, if the max frame size is less than
2170            Options::reservedZoneSize(), there's no way that frame pointer - max
2171            frame size can underflow, and we can elide the underflow check.
2172
2173            Note that we use Options::reservedZoneSize() instead of
2174            Options::softReservedZoneSize() for determining if we need an underflow check.
2175            This is because the softStackLimit that is used for stack checks can be set
2176            based on Options::reservedZoneSize() during error handling (e.g. when creating
2177            strings for instantiating the Error object).  Hence, the guaranteed minimum of
2178            distance between the frame pointer and the end of the stack is
2179            Options::reservedZoneSize() and not Options::softReservedZoneSize().
2180
2181            Note also that we ensure that Options::reservedZoneSize() is at least
2182            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
2183            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
2184            instead of minimumReservedZoneSize gives us more chances to elide underflow
2185            checks.
2186
2187         * JavaScriptCore.xcodeproj/project.pbxproj:
2188         * bytecompiler/BytecodeGenerator.cpp:
2189         (JSC::BytecodeGenerator::generate):
2190         * dfg/DFGGraph.cpp:
2191         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
2192         * dfg/DFGJITCompiler.cpp:
2193         (JSC::DFG::emitStackOverflowCheck):
2194         (JSC::DFG::JITCompiler::compile):
2195         (JSC::DFG::JITCompiler::compileFunction):
2196         * ftl/FTLLowerDFGToB3.cpp:
2197         (JSC::FTL::DFG::LowerDFGToB3::lower):
2198         * jit/JIT.cpp:
2199         (JSC::JIT::compileWithoutLinking):
2200         * jit/SetupVarargsFrame.cpp:
2201         (JSC::emitSetupVarargsFrameFastCase):
2202         * llint/LLIntSlowPaths.cpp:
2203         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2204         * llint/LowLevelInterpreter.asm:
2205         * llint/LowLevelInterpreter32_64.asm:
2206         * llint/LowLevelInterpreter64.asm:
2207         * runtime/MinimumReservedZoneSize.h: Added.
2208         * runtime/Options.cpp:
2209         (JSC::recomputeDependentOptions):
2210         * runtime/VM.cpp:
2211         (JSC::VM::updateStackLimits):
2212         * wasm/WasmB3IRGenerator.cpp:
2213         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2214         * wasm/js/WebAssemblyFunction.cpp:
2215         (JSC::callWebAssemblyFunction):
2216
2217 2017-06-28  Chris Dumez  <cdumez@apple.com>
2218
2219         Unreviewed, rolling out r218869.
2220
2221         Broke the iOS build
2222
2223         Reverted changeset:
2224
2225         "Ensure that computed new stack pointer values do not
2226         underflow."
2227         https://bugs.webkit.org/show_bug.cgi?id=173700
2228         http://trac.webkit.org/changeset/218869
2229
2230 2017-06-28  Chris Dumez  <cdumez@apple.com>
2231
2232         Unreviewed, rolling out r218873.
2233
2234         Broke the iOS build
2235
2236         Reverted changeset:
2237
2238         "Gardening: CLoop build fix."
2239         https://bugs.webkit.org/show_bug.cgi?id=173700
2240         http://trac.webkit.org/changeset/218873
2241
2242 2017-06-28  Mark Lam  <mark.lam@apple.com>
2243
2244         Gardening: CLoop build fix.
2245         https://bugs.webkit.org/show_bug.cgi?id=173700
2246         <rdar://problem/32926032>
2247
2248         Not reviewed.
2249
2250         * llint/LLIntSlowPaths.cpp:
2251         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2252
2253 2017-06-28  Mark Lam  <mark.lam@apple.com>
2254
2255         Ensure that computed new stack pointer values do not underflow.
2256         https://bugs.webkit.org/show_bug.cgi?id=173700
2257         <rdar://problem/32926032>
2258
2259         Reviewed by Filip Pizlo and Saam Barati.
2260
2261         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2262            m_numCalleeLocals is sane.
2263
2264         2. Added underflow checks in LLInt code and VarargsFrame code.
2265
2266         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2267            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2268            Ensure that Options::softReservedZoneSize() is at least greater than
2269            Options::reservedZoneSize() by minimumReservedZoneSize.
2270
2271         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2272            and only if the max size of the frame is greater than Options::reservedZoneSize().
2273
2274            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2275            of memory at the bottom (end) of the stack.  This means that, at any time, the
2276            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2277            end of the stack.  Hence, if the max frame size is less than
2278            Options::reservedZoneSize(), there's no way that frame pointer - max
2279            frame size can underflow, and we can elide the underflow check.
2280
2281            Note that we use Options::reservedZoneSize() instead of
2282            Options::softReservedZoneSize() for determining if we need an underflow check.
2283            This is because the softStackLimit that is used for stack checks can be set
2284            based on Options::reservedZoneSize() during error handling (e.g. when creating
2285            strings for instantiating the Error object).  Hence, the guaranteed minimum of
2286            distance between the frame pointer and the end of the stack is
2287            Options::reservedZoneSize() and not Options::softReservedZoneSize().
2288
2289            Note also that we ensure that Options::reservedZoneSize() is at least
2290            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
2291            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
2292            instead of minimumReservedZoneSize gives us more chances to elide underflow
2293            checks.
2294
2295         * JavaScriptCore.xcodeproj/project.pbxproj:
2296         * bytecompiler/BytecodeGenerator.cpp:
2297         (JSC::BytecodeGenerator::generate):
2298         * dfg/DFGGraph.cpp:
2299         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
2300         * dfg/DFGJITCompiler.cpp:
2301         (JSC::DFG::JITCompiler::compile):
2302         (JSC::DFG::JITCompiler::compileFunction):
2303         * ftl/FTLLowerDFGToB3.cpp:
2304         (JSC::FTL::DFG::LowerDFGToB3::lower):
2305         * jit/JIT.cpp:
2306         (JSC::JIT::compileWithoutLinking):
2307         * jit/SetupVarargsFrame.cpp:
2308         (JSC::emitSetupVarargsFrameFastCase):
2309         * llint/LLIntSlowPaths.cpp:
2310         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2311         * llint/LowLevelInterpreter.asm:
2312         * llint/LowLevelInterpreter32_64.asm:
2313         * llint/LowLevelInterpreter64.asm:
2314         * runtime/MinimumReservedZoneSize.h: Added.
2315         * runtime/Options.cpp:
2316         (JSC::recomputeDependentOptions):
2317         * runtime/VM.cpp:
2318         (JSC::VM::updateStackLimits):
2319         * wasm/WasmB3IRGenerator.cpp:
2320         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2321         * wasm/js/WebAssemblyFunction.cpp:
2322         (JSC::callWebAssemblyFunction):
2323
2324 2017-06-27  JF Bastien  <jfbastien@apple.com>
2325
2326         WebAssembly: running out of executable memory should throw OoM
2327         https://bugs.webkit.org/show_bug.cgi?id=171537
2328         <rdar://problem/32963338>
2329
2330         Reviewed by Saam Barati.
2331
2332         Both on first compile with BBQ as well as on tier-up with OMG,
2333         running out of X memory shouldn't cause the entire program to
2334         terminate. An exception will do when compiling initial code (since
2335         we don't have any other fallback at the moment), and refusal to
2336         tier up will do as well (it'll just be slower).
2337
2338         This is useful because programs which generate huge amounts of
2339         code simply look like crashes, which developers report to
2340         us. Getting a JavaScript exception instead is much clearer.
2341
2342         * jit/ExecutableAllocator.cpp:
2343         (JSC::ExecutableAllocator::allocate):
2344         * llint/LLIntSlowPaths.cpp:
2345         (JSC::LLInt::shouldJIT):
2346         * runtime/Options.h:
2347         * wasm/WasmBBQPlan.cpp:
2348         (JSC::Wasm::BBQPlan::prepare):
2349         (JSC::Wasm::BBQPlan::complete):
2350         * wasm/WasmBinding.cpp:
2351         (JSC::Wasm::wasmToJs):
2352         (JSC::Wasm::wasmToWasm):
2353         * wasm/WasmBinding.h:
2354         * wasm/WasmOMGPlan.cpp:
2355         (JSC::Wasm::OMGPlan::work):
2356         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2357         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2358         * wasm/js/JSWebAssemblyCodeBlock.h:
2359         * wasm/js/JSWebAssemblyInstance.cpp:
2360         (JSC::JSWebAssemblyInstance::finalizeCreation):
2361
2362 2017-06-27  Saam Barati  <sbarati@apple.com>
2363
2364         JITStubRoutine::passesFilter should use isJITPC
2365         https://bugs.webkit.org/show_bug.cgi?id=173906
2366
2367         Reviewed by JF Bastien.
2368
2369         This patch makes JITStubRoutine use the isJITPC abstraction defined
2370         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
2371         hardcoded platform size constant. This means it'd do the wrong thing
2372         if Options::jitMemoryReservationSize() was larger than the defined
2373         constant for that platform. This patch also removes a bunch of
2374         dead code in that file.
2375
2376         * jit/ExecutableAllocator.cpp:
2377         * jit/ExecutableAllocator.h:
2378         * jit/JITStubRoutine.h:
2379         (JSC::JITStubRoutine::passesFilter):
2380         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
2381         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
2382         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
2383
2384 2017-06-27  Saam Barati  <sbarati@apple.com>
2385
2386         Fix some stale comments in Wasm code base
2387         https://bugs.webkit.org/show_bug.cgi?id=173814
2388
2389         Reviewed by Mark Lam.
2390
2391         * wasm/WasmBinding.cpp:
2392         (JSC::Wasm::wasmToJs):
2393         * wasm/WasmOMGPlan.cpp:
2394         (JSC::Wasm::runOMGPlanForIndex):
2395
2396 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
2397
2398         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
2399         https://bugs.webkit.org/show_bug.cgi?id=167962
2400
2401         Reviewed by Saam Barati.
2402
2403         Object Rest/Spread Destructuring proposal is in stage 3[1] and this
2404         patch is a prototype implementation of it. A simple change over the
2405         parser was necessary to support the new '...' token on Object Pattern
2406         destructuring rule. In the bytecode generator side, we changed the
2407         bytecode generated on ObjectPatternNode::bindValue to store in a
2408         set the identifiers of already destructured properties, following spec draft
2409         section[2], and then pass it as excludedNames to CopyDataProperties.
2410         The rest destructuring calls copyDataProperties to perform the
2411         copy of rest properties in rhs.
2412
2413         We also implemented CopyDataProperties as private JS global operation
2414         on builtins/GlobalOperations.js following its specification on [3].
2415         It is implemented using a Set object to verify if a property is on
2416         excludedNames to keep this algorithm with O(n + m) complexity, where n
2417         = number of source's own properties and m = excludedNames.length.
2418
2419         In this implementation we aren't using excludeList as a constant if the
2420         destructuring pattern contains a computed property, i.e. we can
2421         just determine the key to be excluded at runtime. If we can define all
2422         identifiers in the pattern at compile time, we then create a
2423         constant JSSet. This approach gives a good performance improvement,
2424         since we allocate the excludeSet just once, reducing GC pressure.
2425
2426         [1] - https://github.com/tc39/proposal-object-rest-spread
2427         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
2428         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
2429
2430         * builtins/BuiltinNames.h:
2431         * builtins/GlobalOperations.js:
2432         (globalPrivate.copyDataProperties):
2433         * bytecode/CodeBlock.cpp:
2434         (JSC::CodeBlock::finishCreation):
2435         * bytecompiler/NodesCodegen.cpp:
2436         (JSC::ObjectPatternNode::bindValue):
2437         * parser/ASTBuilder.h:
2438         (JSC::ASTBuilder::appendObjectPatternEntry):
2439         (JSC::ASTBuilder::appendObjectPatternRestEntry):
2440         (JSC::ASTBuilder::setContainsObjectRestElement):
2441         * parser/Nodes.h:
2442         (JSC::ObjectPatternNode::appendEntry):
2443         (JSC::ObjectPatternNode::setContainsRestElement):
2444         * parser/Parser.cpp:
2445         (JSC::Parser<LexerType>::parseDestructuringPattern):
2446         (JSC::Parser<LexerType>::parseProperty):
2447         * parser/SyntaxChecker.h:
2448         (JSC::SyntaxChecker::operatorStackPop):
2449         * runtime/JSGlobalObject.cpp:
2450         (JSC::JSGlobalObject::init):
2451         * runtime/JSGlobalObject.h:
2452         (JSC::JSGlobalObject::asyncFunctionStructure):
2453         (JSC::JSGlobalObject::setStructure): Deleted.
2454         * runtime/JSGlobalObjectFunctions.cpp:
2455         (JSC::privateToObject):
2456         * runtime/JSGlobalObjectFunctions.h:
2457         * runtime/ObjectConstructor.cpp:
2458         (JSC::ObjectConstructor::finishCreation):
2459         * runtime/SetPrototype.cpp:
2460         (JSC::SetPrototype::finishCreation):
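
A plain-JavaScript model of the CopyDataProperties operation and the Set-based excludedNames lookup described in the entry above. This is an added example, not JSC's builtins/GlobalOperations.js; the helper names copyDataProperties and restDestructure are assumed.

```javascript
// Added example: CopyDataProperties(target, source, excludedNames) modelled in
// plain JavaScript (assumed to follow the proposal's algorithm, not JSC's own
// builtin). excludedNames goes into a Set so each membership test is O(1),
// giving O(n + m) overall for n own keys of source and m excluded names.
function copyDataProperties(target, source, excludedNames) {
  // Undefined and null sources contribute nothing.
  if (source === undefined || source === null) {
    return target;
  }
  const excluded = new Set(excludedNames);
  const from = Object(source);
  // Reflect.ownKeys yields string keys first, then symbol keys.
  for (const key of Reflect.ownKeys(from)) {
    if (excluded.has(key)) {
      continue;
    }
    const desc = Object.getOwnPropertyDescriptor(from, key);
    // Only enumerable own properties are copied (CreateDataProperty semantics).
    if (desc !== undefined && desc.enumerable) {
      Object.defineProperty(target, key, {
        value: from[key],
        writable: true,
        enumerable: true,
        configurable: true,
      });
    }
  }
  return target;
}

// Emulates `const { k1, k2, ...rest } = source;`: the bound identifiers are the
// excluded names, and rest receives whatever CopyDataProperties leaves over.
function restDestructure(source, ...boundKeys) {
  const bound = {};
  for (const key of boundKeys) {
    bound[key] = source[key];
  }
  const rest = copyDataProperties({}, source, boundKeys);
  return { bound, rest };
}
```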
2461
2462 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2463
2464         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
2465         https://bugs.webkit.org/show_bug.cgi?id=173888
2466
2467         Reviewed by Saam Barati.
2468
2469         After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
2470         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
2471         This causes occasional SEGV / assertion failures in workers/bomb test.
2472
2473         * dfg/DFGWorklist.cpp:
2474
2475 2017-06-27  Saam Barati  <sbarati@apple.com>
2476
2477         Remove an inaccurate comment inside DFGClobberize.h
2478         https://bugs.webkit.org/show_bug.cgi?id=163874
2479
2480         Reviewed by Filip Pizlo.
2481
2482         The comment said that Clobberize may or may not be sound if run prior to
2483         doing type inference. This is not correct, though. Clobberize *must* be sound
2484         prior to doing type inference since we use it inside the BytecodeParser, which
2485         is the very first thing the DFG does.
2486
2487         * dfg/DFGClobberize.h:
2488         (JSC::DFG::clobberize):
2489
2490 2017-06-27  Saam Barati  <sbarati@apple.com>
2491
2492         Function constructor needs to follow the spec and validate parameters and body independently
2493         https://bugs.webkit.org/show_bug.cgi?id=173303
2494         <rdar://problem/32732526>
2495
2496         Reviewed by Keith Miller.
2497
2498         The Function constructor must check the arguments and body strings
2499         independently for syntax errors. People rely on this specified behavior
2500         to verify that a particular string is a valid function body. We used
2501         to check these strings concatenated together, instead of
2502         independently. For example, this used to be valid: `Function("/*", "*/){")`.
2503         However, we should throw a syntax error here since "(/*)" is not a valid
2504         parameter list, and "*/){" is not a valid body.
2505         
2506         To implement the specified behavior, we check the syntax independently of
2507         both the body and the parameter list. To check that the parameter list has
2508         valid syntax, we check that it is valid if in a function with an empty body.
2509         To check that the body has valid syntax, we check it is valid in a function
2510         with an empty parameter list.
2511
2512         * runtime/FunctionConstructor.cpp:
2513         (JSC::constructFunctionSkippingEvalEnabledCheck):
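
The independent parameter-list and body check described in the entry above, written as a user-level wrapper so it can be run on any engine. This is an added example, not JSC's FunctionConstructor.cpp; checkedFunction and isValidFunctionBody are assumed helper names.

```javascript
// Added example (not JSC's code): validate the parameter list and the body of a
// dynamically built function independently, the way the spec requires the
// Function constructor to, so that a "/*" ... "*/" pair split across the two
// strings is rejected instead of being accepted once concatenated.
// `checkedFunction` and `isValidFunctionBody` are assumed helper names.
function checkedFunction(parameterList, body) {
  // Step 1: the parameter list must parse inside a function with an empty body.
  try {
    Function(parameterList, "");
  } catch (e) {
    throw new SyntaxError("invalid parameter list: " + JSON.stringify(parameterList));
  }
  // Step 2: the body must parse inside a function with an empty parameter list.
  try {
    Function("", body);
  } catch (e) {
    throw new SyntaxError("invalid function body: " + JSON.stringify(body));
  }
  // Both halves are valid on their own, so the combined source is safe to compile.
  return Function(parameterList, body);
}

// The use case the entry mentions: checking whether a string is a valid function
// body without relying on the caller's parameter list.
function isValidFunctionBody(body) {
  try {
    Function("", body);
    return true;
  } catch (e) {
    return false;
  }
}
```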
2514
2515 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
2516
2517         Add missing includes to fix compilation error on FreeBSD
2518         https://bugs.webkit.org/show_bug.cgi?id=172919
2519
2520         Reviewed by Mark Lam.
2521
2522         * API/JSRemoteInspector.h:
2523         * API/tests/GlobalContextWithFinalizerTest.cpp:
2524         * API/tests/TypedArrayCTest.cpp:
2525
2526 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2527
2528         Web Inspector: Crash generating object preview for ArrayIterator
2529         https://bugs.webkit.org/show_bug.cgi?id=173754
2530         <rdar://problem/32859012>
2531
2532         Reviewed by Saam Barati.
2533
2534         When Inspector generates an object preview for an ArrayIterator instance it made
2535         a "clone" of the original ArrayIterator instance by constructing a new object with
2536         the instance's structure. However, user code could have modified that instance's
2537         structure, such as adding / removing properties. The `return` property had special
2538         meaning, and our clone did not fill that slot. This approach is brittle in that
2539         we weren't satisfying the expectations of an object with a particular Structure,
2540         and the original goal of having Web Inspector peek values of built-in Iterators
2541         was to avoid observable behavior.
2542
2543         This tightens Web Inspector's Iterator preview to only peek values if the
2544         Iterators would actually be non-observable. It also builds an ArrayIterator
2545         clone like a regular object construction.
2546
2547         * inspector/JSInjectedScriptHost.cpp:
2548         (Inspector::cloneArrayIteratorObject):
2549         Build up the Object from scratch with a new ArrayIterator prototype.
2550
2551         (Inspector::JSInjectedScriptHost::iteratorEntries):
2552         Only clone and peek iterators if it would not be observable.
2553         Also update iteration to be more in line with IterationOperations, such as when
2554         we call iteratorClose.
2555
2556         * runtime/JSGlobalObject.cpp:
2557         (JSC::JSGlobalObject::JSGlobalObject):
2558         (JSC::JSGlobalObject::init):
2559         * runtime/JSGlobalObject.h:
2560         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
2561         * runtime/JSGlobalObjectInlines.h:
2562         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
2563         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
2564
2565         * runtime/JSMap.cpp:
2566         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2567         (JSC::JSMap::canCloneFastAndNonObservable):
2568         * runtime/JSMap.h:
2569         * runtime/JSSet.cpp:
2570         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2571         (JSC::JSSet::canCloneFastAndNonObservable):
2572         * runtime/JSSet.h:
2573         Promote isIteratorProtocolFastAndNonObservable to a method.
2574
2575         * runtime/JSObject.cpp:
2576         (JSC::canDoFastPutDirectIndex):
2577         * runtime/JSTypeInfo.h:
2578         (JSC::TypeInfo::isArgumentsType):
2579         Helper to detect if an Object is an Arguments type.
2580
2581 2017-06-26  Saam Barati  <sbarati@apple.com>
2582
2583         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
2584         https://bugs.webkit.org/show_bug.cgi?id=173740
2585
2586         Reviewed by Mark Lam.
2587
2588         The builtin was using for-of iteration to iterate over an internal
2589         list in its algorithm. For-of iteration is observable via user code
2590         in the global object, so this approach was wrong as it would break if
2591         a user changed the Array iteration protocol in some way.
2592
2593         * builtins/RegExpPrototype.js:
2594         (replace):
2595
2596 2017-06-26  Mark Lam  <mark.lam@apple.com>
2597
2598         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
2599         https://bugs.webkit.org/show_bug.cgi?id=173848
2600
2601         Reviewed by JF Bastien.
2602
2603         This functor only dumps the return VirtualPC.
2604
2605         * interpreter/Interpreter.cpp:
2606         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
2607         (JSC::Interpreter::dumpRegisters):
2608         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
2609         (JSC::DumpRegisterFunctor::operator()): Deleted.
2610
2611 2017-06-26  Saam Barati  <sbarati@apple.com>
2612
2613         Crash in JSC::Lexer<unsigned char>::setCode
2614         https://bugs.webkit.org/show_bug.cgi?id=172754
2615
2616         Reviewed by Mark Lam.
2617
2618         The lexer was asking one of its buffers to reserve initial space that
2619         was O(text size in bytes). For large sources, this would end up causing
2620         the vector to overflow and crash. This patch changes this code to be like
2621         the Lexer's other buffers and to only reserve a small starting buffer.
2622
2623         * parser/Lexer.cpp:
2624         (JSC::Lexer<T>::setCode):
2625
2626 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2627
2628         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
2629         https://bugs.webkit.org/show_bug.cgi?id=173825
2630
2631         Reviewed by Saam Barati.
2632
2633         * jsc.cpp:
2634         (startTimeoutThreadIfNeeded):
2635         (timeoutThreadMain): Deleted.
2636
2637 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2638
2639         Unreviewed, add missing header for CLoop
2640
2641         * runtime/SymbolTable.cpp:
2642
2643 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2644
2645         Unreviewed, add missing header includes
2646
2647         * parser/Lexer.h:
2648
2649 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
2650
2651         Remove excessive headers from JavaScriptCore
2652         https://bugs.webkit.org/show_bug.cgi?id=173812
2653
2654         Reviewed by Darin Adler.
2655
2656         * API/APIUtils.h:
2657         * assembler/LinkBuffer.cpp:
2658         * assembler/MacroAssemblerCodeRef.cpp:
2659         * b3/air/AirLiveness.h:
2660         * b3/air/AirLowerAfterRegAlloc.cpp:
2661         * bindings/ScriptValue.cpp:
2662         * bindings/ScriptValue.h:
2663         * bytecode/AccessCase.cpp:
2664         * bytecode/AccessCase.h:
2665         * bytecode/ArrayProfile.h:
2666         * bytecode/BytecodeDumper.h:
2667         * bytecode/BytecodeIntrinsicRegistry.cpp:
2668         * bytecode/BytecodeKills.h:
2669         * bytecode/BytecodeLivenessAnalysis.h:
2670         * bytecode/BytecodeUseDef.h:
2671         * bytecode/CallLinkStatus.h:
2672         * bytecode/CodeBlock.h:
2673         * bytecode/CodeOrigin.h:
2674         * bytecode/ComplexGetStatus.h:
2675         * bytecode/GetByIdStatus.h:
2676         * bytecode/GetByIdVariant.h:
2677         * bytecode/InlineCallFrame.h:
2678         * bytecode/InlineCallFrameSet.h:
2679         * bytecode/Instruction.h:
2680         * bytecode/InternalFunctionAllocationProfile.h:
2681         * bytecode/JumpTable.h:
2682         * bytecode/MethodOfGettingAValueProfile.h:
2683         * bytecode/ObjectPropertyConditionSet.h:
2684         * bytecode/Operands.h:
2685         * bytecode/PolymorphicAccess.h:
2686         * bytecode/PutByIdStatus.h:
2687         * bytecode/SpeculatedType.cpp:
2688         * bytecode/StructureSet.h:
2689         * bytecode/StructureStubInfo.h:
2690         * bytecode/UnlinkedCodeBlock.h:
2691         * bytecode/UnlinkedFunctionExecutable.h:
2692         * bytecode/ValueProfile.h:
2693         * bytecompiler/BytecodeGenerator.cpp:
2694         * bytecompiler/BytecodeGenerator.h:
2695         * bytecompiler/Label.h:
2696         * bytecompiler/StaticPropertyAnalysis.h:
2697         * debugger/DebuggerCallFrame.cpp:
2698         * dfg/DFGAbstractInterpreter.h:
2699         * dfg/DFGAdjacencyList.h:
2700         * dfg/DFGArgumentsUtilities.h:
2701         * dfg/DFGArrayMode.h:
2702         * dfg/DFGArrayifySlowPathGenerator.h:
2703         * dfg/DFGBackwardsPropagationPhase.h:
2704         * dfg/DFGBasicBlock.h:
2705         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
2706         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
2707         * dfg/DFGCapabilities.h:
2708         * dfg/DFGCommon.h:
2709         * dfg/DFGCommonData.h:
2710         * dfg/DFGDesiredIdentifiers.h:
2711         * dfg/DFGDesiredWatchpoints.h:
2712         * dfg/DFGDisassembler.cpp:
2713         * dfg/DFGDominators.h:
2714         * dfg/DFGDriver.cpp:
2715         * dfg/DFGDriver.h:
2716         * dfg/DFGEdgeDominates.h:
2717         * dfg/DFGFinalizer.h:
2718         * dfg/DFGGenerationInfo.h:
2719         * dfg/DFGJITCompiler.cpp:
2720         * dfg/DFGJITCompiler.h:
2721         * dfg/DFGJITFinalizer.h:
2722         * dfg/DFGLivenessAnalysisPhase.h:
2723         * dfg/DFGMinifiedNode.h:
2724         * dfg/DFGMultiGetByOffsetData.h:
2725         * dfg/DFGNaturalLoops.cpp:
2726         * dfg/DFGNaturalLoops.h:
2727         * dfg/DFGNode.h:
2728         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
2729         * dfg/DFGOSRExit.h:
2730         * dfg/DFGOSRExitCompilationInfo.h:
2731         * dfg/DFGOSRExitCompiler.cpp:
2732         * dfg/DFGOSRExitCompiler.h:
2733         * dfg/DFGOSRExitJumpPlaceholder.h:
2734         * dfg/DFGOperations.cpp:
2735         * dfg/DFGOperations.h:
2736         * dfg/DFGPlan.h:
2737         * dfg/DFGPreciseLocalClobberize.h:
2738         * dfg/DFGPromotedHeapLocation.h:
2739         * dfg/DFGRegisteredStructure.h:
2740         * dfg/DFGRegisteredStructureSet.h:
2741         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
2742         * dfg/DFGSlowPathGenerator.h:
2743         * dfg/DFGSnippetParams.h:
2744         * dfg/DFGSpeculativeJIT.h:
2745         * dfg/DFGToFTLDeferredCompilationCallback.h:
2746         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
2747         * dfg/DFGValidate.h:
2748         * dfg/DFGValueSource.h:
2749         * dfg/DFGVariableEvent.h:
2750         * dfg/DFGVariableEventStream.h:
2751         * dfg/DFGWorklist.h:
2752         * domjit/DOMJITCallDOMGetterSnippet.h:
2753         * domjit/DOMJITEffect.h:
2754         * ftl/FTLLink.cpp:
2755         * ftl/FTLLowerDFGToB3.cpp:
2756         * ftl/FTLPatchpointExceptionHandle.h:
2757         * heap/AllocatorAttributes.h:
2758         * heap/CodeBlockSet.h:
2759         * heap/DeferGC.h:
2760         * heap/GCSegmentedArray.h:
2761         * heap/Heap.cpp:
2762         * heap/Heap.h:
2763         * heap/IncrementalSweeper.h:
2764         * heap/ListableHandler.h:
2765         * heap/MachineStackMarker.h:
2766         * heap/MarkedAllocator.h:
2767         * heap/MarkedBlock.cpp:
2768         * heap/MarkedBlock.h:
2769         * heap/MarkingConstraint.h:
2770         * heap/SlotVisitor.cpp:
2771         * heap/SlotVisitor.h:
2772         * inspector/ConsoleMessage.cpp:
2773         * inspector/ConsoleMessage.h:
2774         * inspector/InjectedScript.h:
2775         * inspector/InjectedScriptHost.h:
2776         * inspector/InjectedScriptManager.cpp:
2777         * inspector/JSGlobalObjectInspectorController.cpp:
2778         * inspector/JavaScriptCallFrame.h:
2779         * inspector/ScriptCallStack.h:
2780         * inspector/ScriptCallStackFactory.cpp:
2781         * inspector/ScriptDebugServer.h:
2782         * inspector/agents/InspectorConsoleAgent.h:
2783         * inspector/agents/InspectorDebuggerAgent.cpp:
2784         * inspector/agents/InspectorDebuggerAgent.h:
2785         * inspector/agents/InspectorHeapAgent.cpp:
2786         * inspector/agents/InspectorHeapAgent.h:
2787         * inspector/agents/InspectorRuntimeAgent.h:
2788         * inspector/agents/InspectorScriptProfilerAgent.cpp:
2789         * inspector/agents/InspectorScriptProfilerAgent.h:
2790         * inspector/agents/JSGlobalObjectConsoleAgent.h:
2791         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
2792         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
2793         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
2794         * inspector/augmentable/AlternateDispatchableAgent.h:
2795         * interpreter/CLoopStack.h:
2796         * interpreter/CachedCall.h:
2797         * interpreter/CallFrame.h:
2798         * interpreter/Interpreter.cpp:
2799         * interpreter/Interpreter.h:
2800         * jit/AssemblyHelpers.cpp:
2801         * jit/AssemblyHelpers.h:
2802         * jit/CCallHelpers.h:
2803         * jit/CallFrameShuffler.h:
2804         * jit/ExecutableAllocator.h:
2805         * jit/GCAwareJITStubRoutine.h:
2806         * jit/HostCallReturnValue.h:
2807         * jit/ICStats.h:
2808         * jit/JIT.cpp:
2809         * jit/JIT.h:
2810         * jit/JITAddGenerator.h:
2811         * jit/JITCall32_64.cpp:
2812         * jit/JITCode.h:
2813         * jit/JITDisassembler.cpp:
2814         * jit/JITExceptions.cpp:
2815         * jit/JITMathIC.h:
2816         * jit/JITOpcodes.cpp:
2817         * jit/JITOperations.cpp:
2818         * jit/JITOperations.h:
2819         * jit/JITThunks.cpp:
2820         * jit/JITThunks.h:
2821         * jit/JSInterfaceJIT.h:
2822         * jit/PCToCodeOriginMap.h:
2823         * jit/PolymorphicCallStubRoutine.h:
2824         * jit/RegisterSet.h:
2825         * jit/Repatch.h:
2826         * jit/SetupVarargsFrame.h:
2827         * jit/Snippet.h:
2828         * jit/SnippetParams.h:
2829         * jit/ThunkGenerators.h:
2830         * jsc.cpp:
2831         * llint/LLIntCLoop.h:
2832         * llint/LLIntEntrypoint.h:
2833         * llint/LLIntExceptions.h:
2834         * llint/LLIntOfflineAsmConfig.h:
2835         * llint/LLIntSlowPaths.cpp:
2836         * parser/NodeConstructors.h:
2837         * parser/Nodes.cpp:
2838         * parser/Nodes.h:
2839         * parser/Parser.cpp:
2840         * parser/Parser.h:
2841         * parser/ParserTokens.h:
2842         * parser/SourceProviderCacheItem.h:
2843         * profiler/ProfilerBytecodeSequence.h:
2844         * profiler/ProfilerDatabase.cpp:
2845         * profiler/ProfilerDatabase.h:
2846         * profiler/ProfilerOrigin.h:
2847         * profiler/ProfilerOriginStack.h:
2848         * profiler/ProfilerProfiledBytecodes.h:
2849         * profiler/ProfilerUID.h:
2850         * runtime/AbstractModuleRecord.h:
2851         * runtime/ArrayConstructor.h:
2852         * runtime/ArrayConventions.h:
2853         * runtime/ArrayIteratorPrototype.h:
2854         * runtime/ArrayPrototype.h:
2855         * runtime/BasicBlockLocation.h:
2856         * runtime/Butterfly.h:
2857         * runtime/CallData.cpp:
2858         * runtime/CodeCache.h:
2859         * runtime/CommonSlowPaths.cpp:
2860         * runtime/CommonSlowPaths.h:
2861         * runtime/CommonSlowPathsExceptions.cpp:
2862         * runtime/Completion.cpp:
2863         * runtime/ControlFlowProfiler.h:
2864         * runtime/DateInstanceCache.h:
2865         * runtime/ErrorConstructor.h:
2866         * runtime/ErrorInstance.h:
2867         * runtime/ExceptionHelpers.cpp:
2868         * runtime/ExceptionHelpers.h:
2869         * runtime/ExecutableBase.h:
2870         * runtime/FunctionExecutable.h:
2871         * runtime/HasOwnPropertyCache.h:
2872         * runtime/Identifier.h:
2873         * runtime/InternalFunction.h:
2874         * runtime/IntlCollator.cpp:
2875         * runtime/IntlCollatorPrototype.h:
2876         * runtime/IntlDateTimeFormatPrototype.h:
2877         * runtime/IntlNumberFormat.cpp:
2878         * runtime/IntlNumberFormatPrototype.h:
2879         * runtime/IteratorOperations.cpp:
2880         * runtime/JSArray.h:
2881         * runtime/JSArrayBufferPrototype.h:
2882         * runtime/JSCJSValue.h:
2883         * runtime/JSCJSValueInlines.h:
2884         * runtime/JSCell.h:
2885         * runtime/JSFunction.cpp:
2886         * runtime/JSFunction.h:
2887         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2888         * runtime/JSGlobalObject.cpp:
2889         * runtime/JSGlobalObject.h:
2890         * runtime/JSGlobalObjectDebuggable.cpp:
2891         * runtime/JSGlobalObjectDebuggable.h:
2892         * runtime/JSGlobalObjectFunctions.cpp:
2893         * runtime/JSGlobalObjectFunctions.h:
2894         * runtime/JSJob.cpp:
2895         * runtime/JSLock.h:
2896         * runtime/JSModuleLoader.cpp:
2897         * runtime/JSModuleNamespaceObject.h:
2898         * runtime/JSModuleRecord.h:
2899         * runtime/JSObject.cpp:
2900         * runtime/JSObject.h:
2901         * runtime/JSRunLoopTimer.h:
2902         * runtime/JSTemplateRegistryKey.h:
2903         * runtime/JSTypedArrayPrototypes.cpp:
2904         * runtime/JSTypedArrayPrototypes.h:
2905         * runtime/JSTypedArrays.h:
2906         * runtime/LiteralParser.h:
2907         * runtime/MatchResult.h:
2908         * runtime/MemoryStatistics.h:
2909         * runtime/PrivateName.h:
2910         * runtime/PromiseDeferredTimer.h:
2911         * runtime/ProxyObject.h:
2912         * runtime/RegExp.h:
2913         * runtime/SamplingProfiler.cpp:
2914         * runtime/SmallStrings.h:
2915         * runtime/StringPrototype.cpp:
2916         * runtime/StringRecursionChecker.h:
2917         * runtime/Structure.h:
2918         * runtime/SymbolConstructor.h:
2919         * runtime/SymbolPrototype.cpp:
2920         * runtime/SymbolPrototype.h:
2921         * runtime/TypeProfiler.h:
2922         * runtime/TypeProfilerLog.h:
2923         * runtime/TypedArrayType.h:
2924         * runtime/VM.cpp:
2925         * runtime/VM.h:
2926         * runtime/VMEntryScope.h:
2927         * runtime/WeakMapData.h:
2928         * runtime/WriteBarrier.h:
2929         * tools/FunctionOverrides.cpp:
2930         * tools/FunctionOverrides.h:
2931         * wasm/WasmBinding.cpp:
2932         * wasm/js/JSWebAssemblyCodeBlock.h:
2933         * wasm/js/WebAssemblyPrototype.cpp:
2934         * yarr/Yarr.h:
2935         * yarr/YarrJIT.cpp:
2936         * yarr/YarrJIT.h:
2937         * yarr/YarrParser.h:
2938
2939 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
2940
2941         [JSC] Clean up Object.entries implementation
2942         https://bugs.webkit.org/show_bug.cgi?id=173759
2943
2944         Reviewed by Sam Weinig.
2945
2946         This patch cleans up Object.entries implementation.
2947         We drop unused private functions. And we merge the
2948         implementation into Object.entries.
2949
2950         It slightly speeds up Object.entries speed.
2951
2952                                      baseline                  patched
2953
2954             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
2955
2956
2957         * builtins/BuiltinNames.h:
2958         * builtins/ObjectConstructor.js:
2959         (entries):
2960         (globalPrivate.enumerableOwnProperties): Deleted.
2961         * runtime/JSGlobalObject.cpp:
2962         (JSC::JSGlobalObject::init):
2963         * runtime/ObjectConstructor.cpp:
2964         (JSC::ownEnumerablePropertyKeys): Deleted.
2965         * runtime/ObjectConstructor.h:
2966
2967 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
2968
2969         Remove Reflect.enumerate
2970         https://bugs.webkit.org/show_bug.cgi?id=173806
2971
2972         Reviewed by Yusuke Suzuki.
2973
2974         * CMakeLists.txt:
2975         * JavaScriptCore.xcodeproj/project.pbxproj:
2976         * inspector/JSInjectedScriptHost.cpp:
2977         (Inspector::JSInjectedScriptHost::subtype):
2978         (Inspector::JSInjectedScriptHost::getInternalProperties):
2979         (Inspector::JSInjectedScriptHost::iteratorEntries):
2980         * runtime/JSGlobalObject.cpp:
2981         (JSC::JSGlobalObject::init):
2982         (JSC::JSGlobalObject::visitChildren):
2983         * runtime/JSPropertyNameIterator.cpp: Removed.
2984         * runtime/JSPropertyNameIterator.h: Removed.
2985         * runtime/ReflectObject.cpp:
2986         (JSC::reflectObjectEnumerate): Deleted.
2987
2988 2017-06-23  Keith Miller  <keith_miller@apple.com>
2989
2990         Switch VMTraps to use halt instructions rather than breakpoint instructions
2991         https://bugs.webkit.org/show_bug.cgi?id=173677
2992         <rdar://problem/32178892>
2993
2994         Reviewed by JF Bastien.
2995
2996         Using the breakpoint instruction for VMTraps caused issues with lldb.
2997         Since we only need some way to stop execution we can, in theory, use
2998         any exceptioning instruction we want. I went with the halt instruction
2999         on X86 since that is the only one byte instruction that does not
3000         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
3001         On ARM we use the data cache clearing instruction with the zero register,
3002         which triggers a segmentation fault.
3003
3004         Also, update the platform code to only use signaling VMTraps
3005         where we have an appropriate instruction (x86 and ARM64).
3006
3007         * API/tests/ExecutionTimeLimitTest.cpp:
3008         (testExecutionTimeLimit):
3009         * assembler/ARM64Assembler.h:
3010         (JSC::ARM64Assembler::replaceWithVMHalt):
3011         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
3012         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
3013         * assembler/ARMAssembler.h:
3014         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
3015         * assembler/ARMv7Assembler.h:
3016         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
3017         * assembler/MIPSAssembler.h:
3018         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
3019         * assembler/MacroAssemblerARM.h:
3020         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
3021         * assembler/MacroAssemblerARM64.h:
3022         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3023         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
3024         * assembler/MacroAssemblerARMv7.h:
3025         (JSC::MacroAssemblerARMv7::storeFence):
3026         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
3027         * assembler/MacroAssemblerMIPS.h:
3028         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
3029         * assembler/MacroAssemblerX86Common.h:
3030         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
3031         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
3032         * assembler/X86Assembler.h:
3033         (JSC::X86Assembler::replaceWithHlt):
3034         (JSC::X86Assembler::replaceWithInt3): Deleted.
3035         * dfg/DFGJumpReplacement.cpp:
3036         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
3037         * runtime/VMTraps.cpp:
3038         (JSC::SignalContext::SignalContext):
3039         (JSC::installSignalHandler):
3040         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
3041         * wasm/WasmFaultSignalHandler.cpp:
3042         (JSC::Wasm::enableFastMemory):
3043
3044 2017-06-22  Saam Barati  <sbarati@apple.com>
3045
3046         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
3047         https://bugs.webkit.org/show_bug.cgi?id=173743
3048         <rdar://problem/32932536>
3049
3050         Reviewed by Mark Lam.
3051
3052         The code always manually speculates, however, we weren't specifying
3053         ManualOperandSpeculation when creating a JSValueOperand. This would
3054         fire an assertion in JSValueOperand construction for a node like:
3055         Identity(String:@otherNode)
3056         
3057         I spent about 45 minutes trying to craft a test and came up
3058         empty. However, this fixes a debug assertion on an internal
3059         Apple website.
3060
3061         * dfg/DFGSpeculativeJIT32_64.cpp:
3062         (JSC::DFG::SpeculativeJIT::compile):
3063         * dfg/DFGSpeculativeJIT64.cpp:
3064         (JSC::DFG::SpeculativeJIT::compile):
3065
3066 2017-06-22  Saam Barati  <sbarati@apple.com>
3067
3068         ValueRep(DoubleRep(@v)) can not simply convert to @v
3069         https://bugs.webkit.org/show_bug.cgi?id=173687
3070         <rdar://problem/32855563>
3071
3072         Reviewed by Mark Lam.
3073
3074         Consider this IR:
3075          block#x
3076           p: Phi() // int32 and double flows into this phi from various control flow
3077           d: DoubleRep(@p)
3078           some uses of @d here
3079           v: ValueRep(DoubleRepUse:@d)
3080           a: NewArrayWithSize(Int32:@v)
3081           some more nodes here ...
3082         
3083         Because the flow of ValueRep(DoubleRep(@p)) will not produce an Int32,
3084         AI proves that the Int32 check will fail. Constant folding phase removes
3085         all nodes after @a and inserts an Unreachable after the NewArrayWithSize node.
3086         
3087         The IR then looks like this:
3088         block#x
3089           p: Phi() // int32 and double flows into this phi from various control flow
3090           d: DoubleRep(@p)
3091           some uses of @d here
3092           v: ValueRep(DoubleRepUse:@d)
3093           a: NewArrayWithSize(Int32:@v)
3094           Unreachable
3095         
3096         However, there was a strength reduction rule that tries to eliminate
3097         conversions. It used to convert the program to:
3098         block#x
3099           p: Phi() // int32 and double flows into this phi from various control flow
3100           d: DoubleRep(@p)
3101           some uses of @d here
3102           a: NewArrayWithSize(Int32:@p)
3103           Unreachable
3104         
3105         However, at runtime, @p will actually be an Int32, so @a will not OSR exit,
3106         and we'll crash. This patch removes this strength reduction rule since it
3107         does not maintain what would have happened if we executed the program before
3108         the rule.
3109         
3110         This rule is also wrong for other types of programs (I'm not sure we'd
3111         actually emit this code, but if such IR were generated, we would previously
3112         optimize it incorrectly):
3113         @a: Constant(JSTrue)
3114         @b: DoubleRep(@a)
3115         @c: ValueRep(@b)
3116         @d: use(@c)
3117         
3118         However, the strength reduction rule would've transformed this into:
3119         @a: Constant(JSTrue)
3120         @d: use(@a)
3121         
3122         And this would be wrong because node @c before the transformation would
3123         have produced the JSValue jsNumber(1.0).
3124         
3125         This patch was neutral in the benchmark run I did.
3126
3127         * dfg/DFGStrengthReductionPhase.cpp:
3128         (JSC::DFG::StrengthReductionPhase::handleNode):
3129
3130 2017-06-22  JF Bastien  <jfbastien@apple.com>
3131
3132         ARM64: doubled executable memory limit from 32MiB to 64MiB
3133         https://bugs.webkit.org/show_bug.cgi?id=173734
3134         <rdar://problem/32932407>
3135
3136         Reviewed by Oliver Hunt.
3137
3138         Some WebAssembly programs stress the amount of memory we have
3139         available, especially when we consider tiering (BBQ never dies,
3140         and is bigger than OMG). Tiering to OMG just piles on more memory,
3141         and we're also competing with JavaScript.
3142
3143         * jit/ExecutableAllocator.h:
3144
3145 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
3146
3147         Web Inspector: Pausing with a deep call stack can be very slow, avoid eagerly generating object previews
3148         https://bugs.webkit.org/show_bug.cgi?id=173698
3149
3150         Reviewed by Matt Baker.
3151
3152         When pausing in a deep call stack the majority of the time spent in JavaScriptCore
3153         when preparing Inspector pause information is spent generating object previews for
3154         the `thisObject` of each of the call frames. In some cases, this could be more
3155         than 95% of the time generating pause information. In the common case, only one of
3156         these (the top frame) will ever be seen by users. This change avoids eagerly
3157         generating object previews up front and lets the frontend request previews if they
3158         are needed.
3159
3160         This introduces the `Runtime.getPreview` protocol command. This can be used to:
3161
3162             - Get a preview for a RemoteObject that did not have a preview but could.
3163             - Update a preview for a RemoteObject that had a preview.
3164
3165         This patch only uses it for the first case, but the second is valid and may be
3166         something we want to do in the future.
3167
3168         * inspector/protocol/Runtime.json:
3169         A new command to get an up to date preview for an object.
3170
3171         * inspector/InjectedScript.h:
3172         * inspector/InjectedScript.cpp:
3173         (Inspector::InjectedScript::getPreview):
3174         * inspector/agents/InspectorRuntimeAgent.cpp:
3175         (Inspector::InspectorRuntimeAgent::getPreview):
3176         * inspector/agents/InspectorRuntimeAgent.h:
3177         Plumbing for the new command.
3178
3179         * inspector/InjectedScriptSource.js:
3180         (InjectedScript.prototype.getPreview):
3181         Implementation just uses the existing helper.
3182
3183         (InjectedScript.CallFrameProxy):
3184         Do not generate a preview for the `this` object as it may not be shown.
3185         Let the frontend request a preview if it wants or needs one.
3186
3187 2017-06-22  Joseph Pecoraro  <pecoraro@apple.com>
3188
3189         Web Inspector: Remove stale "rawScopes" concept that was never available in JSC
3190         https://bugs.webkit.org/show_bug.cgi?id=173686
3191
3192         Reviewed by Mark Lam.
3193
3194         * inspector/InjectedScript.cpp:
3195         (Inspector::InjectedScript::functionDetails):
3196         * inspector/InjectedScriptSource.js:
3197         (InjectedScript.prototype.functionDetails):
3198         * inspector/JSInjectedScriptHost.cpp:
3199         (Inspector::JSInjectedScriptHost::functionDetails):
3200
3201 2017-06-22  Yusuke Suzuki  <utatane.tea@gmail.com>
3202
3203         [JSC] Object.values should be implemented in C++
3204         https://bugs.webkit.org/show_bug.cgi?id=173703
3205
3206         Reviewed by Sam Weinig.
3207
3208         As with Object.assign, Object.values() is also inherently polymorphic.
3209         And allocating JSString / Symbol for Identifier and JSArray for Object.keys()
3210         result is costly.
3211
3212         In this patch, we implement Object.values() in C++. It can avoid the above allocations.
3213         Furthermore, by using `slot.isTaintedByOpaqueObject()` information, we can skip
3214         non-observable JSObject::get() calls.
3215
3216         This improves performance by 2.49x. And also now Object.values() beats
3217         Object.keys(object).map(key => object[key]) implementation.
3218
3219                                              baseline                  patched
3220
3221             object-values               132.1551+-3.7209     ^     53.1254+-1.6139        ^ definitely 2.4876x faster
3222             object-keys-map-values       78.2008+-2.1378     ?     78.9078+-2.2121        ?
3223
3224         * builtins/ObjectConstructor.js:
3225         (values): Deleted.
3226         * runtime/ObjectConstructor.cpp:
3227         (JSC::objectConstructorValues):
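
        The following is an added example, not code from this WebKit change: a spec-shaped reference for EnumerableOwnProperties(O, "value"), the algorithm Object.values implements, plus two probes showing which of its steps a script can observe. The ownKeys / getOwnPropertyDescriptor / get sequence on a Proxy and an accessor's getter are observable and cannot be skipped, while reads of plain data properties are not, which is what makes the "non-observable get" shortcut safe. The helper names (enumerableOwnValues, traceValues, countAccessorHits) are chosen here and the inputs are constructed.

```javascript
"use strict";
// Added example, not code from the WebKit change. Helper names are chosen
// here; the objects passed in are constructed sample inputs.

// Reference algorithm for EnumerableOwnProperties(O, "value"):
// [[OwnPropertyKeys]] once, then for every string key [[GetOwnProperty]]
// and, if the property is enumerable, [[Get]].
function enumerableOwnValues(target) {
  const values = [];
  for (const key of Reflect.ownKeys(target)) {
    if (typeof key !== "string") continue; // symbol keys are not enumerated
    const desc = Reflect.getOwnPropertyDescriptor(target, key);
    if (desc !== undefined && desc.enumerable) {
      values.push(Reflect.get(target, key));
    }
  }
  return values;
}

// Run `valuesFn` over a logging Proxy around `obj`. Every internal-method
// call that reaches the Proxy is recorded, so the log is exactly the set of
// operations an implementation may not skip (it is "tainted by an opaque
// object" in the change's terms).
function traceValues(valuesFn, obj) {
  const log = [];
  const proxy = new Proxy(obj, {
    ownKeys(t) {
      log.push("ownKeys");
      return Reflect.ownKeys(t);
    },
    getOwnPropertyDescriptor(t, k) {
      log.push("gOPD:" + String(k));
      return Reflect.getOwnPropertyDescriptor(t, k);
    },
    get(t, k, receiver) {
      log.push("get:" + String(k));
      return Reflect.get(t, k, receiver);
    },
  });
  return { result: valuesFn(proxy), log };
}

// Plain object: reading a data property has no observable side effect, so an
// engine may read the slot directly; an accessor's getter must still run
// exactly once, and a non-enumerable property must be left out entirely.
function countAccessorHits(valuesFn) {
  let hits = 0;
  const obj = { a: 1, get b() { hits += 1; return 2; } };
  Object.defineProperty(obj, "hidden", { value: 3, enumerable: false });
  return { result: valuesFn(obj), hits };
}

// Sample run over constructed inputs: the native builtin and the reference
// must produce the same values and the same observable operations.
console.log(traceValues(Object.values, { a: 1, b: 2 }).log);
console.log(traceValues(enumerableOwnValues, { a: 1, b: 2 }).log);
console.log(countAccessorHits(Object.values));
```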
3228
3229 2017-06-21  Saam Barati  <sbarati@apple.com>
3230
3231         ArrayPrototype.map builtin declares a var it does not use
3232         https://bugs.webkit.org/show_bug.cgi?id=173685
3233
3234         Reviewed by Keith Miller.
3235
3236         * builtins/ArrayPrototype.js:
3237         (map):
3238
3239 2017-06-21  Saam Barati  <sbarati@apple.com>
3240
3241         eval virtual call is incorrect in the baseline JIT
3242         https://bugs.webkit.org/show_bug.cgi?id=173587
3243         <rdar://problem/32867897>
3244
3245         Reviewed by Michael Saboff.
3246
3247         When making a virtual call for call_eval, e.g., when the thing
3248         we're calling isn't actually eval, we end up calling the caller
3249         instead of the callee. This is clearly wrong. The code ends up
3250         issuing a load for the Callee in the callers frame instead of
3251         the callee we're calling. The fix is simple: we just need to
3252         load the real callee. Only the 32-bit baseline JIT had this bug.
3253
3254         * jit/JITCall32_64.cpp:
3255         (JSC::JIT::compileCallEvalSlowCase):
3256
3257 2017-06-21  Joseph Pecoraro  <pecoraro@apple.com>
3258
3259         Web Inspector: Using "break on all exceptions" when throwing stack overflow hangs inspector
3260         https://bugs.webkit.org/show_bug.cgi?id=172432
3261         <rdar://problem/29870873>
3262
3263         Reviewed by Saam Barati.
3264
3265         Avoid pausing on StackOverflow and OutOfMemory errors to avoid a hang.
3266         We will proceed to improve debugging of these cases in the follow-up bugs.
3267
3268         * debugger/Debugger.cpp:
3269         (JSC::Debugger::exception):
3270         Ignore pausing on these errors.
3271
3272         * runtime/ErrorInstance.h:
3273         (JSC::ErrorInstance::setStackOverflowError):
3274         (JSC::ErrorInstance::isStackOverflowError):
3275         (JSC::ErrorInstance::setOutOfMemoryError):
3276         (JSC::ErrorInstance::isOutOfMemoryError):
3277         * runtime/ExceptionHelpers.cpp:
3278         (JSC::createStackOverflowError):
3279         * runtime/Error.cpp:
3280         (JSC::createOutOfMemoryError):
3281         Mark these kinds of errors.
3282
3283 2017-06-21  Saam Barati  <sbarati@apple.com>
3284
3285         Make it clear that regenerating ICs are holding the CodeBlock's lock by passing the locker as a parameter
3286         https://bugs.webkit.org/show_bug.cgi?id=173609
3287
3288         Reviewed by Keith Miller.
3289
3290         This patch makes many of the IC generating functions require a locker as
3291         a parameter. We do this in other places in JSC to indicate that
3292         a particular API is only valid while a particular lock is held.
3293         This is the case when generating ICs. This patch just makes it
3294         explicit in the IC generating interface.
3295
3296         * bytecode/PolymorphicAccess.cpp:
3297         (JSC::PolymorphicAccess::addCases):
3298         (JSC::PolymorphicAccess::addCase):
3299         (JSC::PolymorphicAccess::commit):
3300         (JSC::PolymorphicAccess::regenerate):
3301         * bytecode/PolymorphicAccess.h:
3302         * bytecode/StructureStubInfo.cpp:
3303         (JSC::StructureStubInfo::addAccessCase):
3304         (JSC::StructureStubInfo::initStub): Deleted.
3305         * bytecode/StructureStubInfo.h:
3306         * jit/Repatch.cpp:
3307         (JSC::tryCacheGetByID):
3308         (JSC::repatchGetByID):
3309         (JSC::tryCachePutByID):
3310         (JSC::repatchPutByID):
3311         (JSC::tryRepatchIn):
3312         (JSC::repatchIn):
3313
3314 2017-06-20  Myles C. Maxfield  <mmaxfield@apple.com>
3315
3316         Disable font variations on macOS Sierra and iOS 10
3317         https://bugs.webkit.org/show_bug.cgi?id=173618
3318         <rdar://problem/32879164>
3319
3320         Reviewed by Jon Lee.
3321
3322         * Configurations/FeatureDefines.xcconfig:
3323
3324 2017-06-20  Keith Miller  <keith_miller@apple.com>
3325
3326         Fix leak of ModuleInformations in BBQPlan constructors.
3327         https://bugs.webkit.org/show_bug.cgi?id=173577
3328
3329         Reviewed by Saam Barati.
3330
3331         This patch fixes a leak in the BBQPlan constructors. Previously,
3332         the plans were calling makeRef on the newly constructed objects.
3333         This patch fixes the issue and uses adoptRef instead. Additionally,
3334         an old, incorrect, attempt to fix the leak is removed.
3335
3336         * inspector/remote/cocoa/RemoteInspectorXPCConnection.mm:
3337         (Inspector::RemoteInspectorXPCConnection::RemoteInspectorXPCConnection):
3338         * jit/JITWorklist.cpp:
3339         (JSC::JITWorklist::Thread::Thread):
3340         * runtime/PromiseDeferredTimer.cpp:
3341         (JSC::PromiseDeferredTimer::addPendingPromise):
3342         * runtime/VM.cpp:
3343         (JSC::VM::VM):
3344         * wasm/WasmBBQPlan.cpp:
3345         (JSC::Wasm::BBQPlan::BBQPlan):
3346         * wasm/WasmPlan.cpp:
3347         (JSC::Wasm::Plan::Plan):
3348
3349 2017-06-20  Devin Rousso  <drousso@apple.com>
3350
3351         Web Inspector: Send context attributes for tracked canvases
3352         https://bugs.webkit.org/show_bug.cgi?id=173327
3353
3354         Reviewed by Joseph Pecoraro.
3355
3356         * inspector/protocol/Canvas.json:
3357         Add ContextAttributes object type that is optionally used for WebGL canvases.
3358
3359 2017-06-20  Konstantin Tokarev  <annulen@yandex.ru>
3360
3361         Remove excessive include directives from WTF
3362         https://bugs.webkit.org/show_bug.cgi?id=173553
3363
3364         Reviewed by Saam Barati.
3365
3366         * profiler/ProfilerDatabase.cpp: Added missing include directive.
3367         * runtime/SamplingProfiler.cpp: Ditto.
3368
3369 2017-06-20  Oleksandr Skachkov  <gskachkov@gmail.com>
3370
3371         Revert changes in bug#160417 about extending `null` not being a derived class
3372         https://bugs.webkit.org/show_bug.cgi?id=169293
3373
3374         Reviewed by Saam Barati.
3375
3376         Reverted changes in bug#160417 about extending `null` not being a derived class 
3377         according to changes in spec:
3378         https://github.com/tc39/ecma262/commit/c57ef95c45a371f9c9485bb1c3881dbdc04524a2
3379
3380         * builtins/BuiltinNames.h:
3381         * bytecompiler/BytecodeGenerator.cpp:
3382         (JSC::BytecodeGenerator::BytecodeGenerator):
3383         (JSC::BytecodeGenerator::emitReturn):
3384         * bytecompiler/NodesCodegen.cpp:
3385         (JSC::ClassExprNode::emitBytecode):
3386
3387 2017-06-20  Saam Barati  <sbarati@apple.com>
3388
3389         repatchIn needs to lock the CodeBlock's lock
3390         https://bugs.webkit.org/show_bug.cgi?id=173573
3391
3392         Reviewed by Yusuke Suzuki.
3393
3394         CodeBlock::propagateTransitions and CodeBlock::visitWeakly grab the CodeBlock's
3395         lock before modifying the StructureStubInfo/PolymorphicAccess. When regenerating
3396         an IC, we must hold the CodeBlock's lock to prevent the executing thread from racing
3397         with the marking thread. repatchIn was not grabbing the lock. I haven't been
3398         able to get it to crash, but this is needed for the same reasons that get and put IC
3399         regeneration grab the lock.
3400
3401         * jit/Repatch.cpp:
3402         (JSC::repatchIn):
3403
3404 2017-06-19  Devin Rousso  <drousso@apple.com>
3405
3406         Web Inspector: create canvas content view and details sidebar panel
3407         https://bugs.webkit.org/show_bug.cgi?id=138941
3408         <rdar://problem/19051672>
3409
3410         Reviewed by Joseph Pecoraro.
3411
3412         * inspector/protocol/Canvas.json:
3413          - Add an optional `nodeId` attribute to the `Canvas` type.