[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-07-25  JF Bastien  <jfbastien@apple.com>

        WebAssembly: generate smaller binaries
        https://bugs.webkit.org/show_bug.cgi?id=174818

        Reviewed by Filip Pizlo.

        This patch reduces generated code size for WebAssembly in 2 ways:

        1. Use the ZR register when storing zero on ARM64.
        2. Synthesize wasm context lazily.

        This leads to a modest size reduction on both x86-64 and ARM64 for
        large WebAssembly games, without any performance loss on WasmBench
        and TitzerBench.

        The reason this works is that these games, using Emscripten,
        generate 100k+ tiny functions, and our JIT allocation granule
        rounds all allocations up to 32 bytes. There are plenty of other
        simple gains to be had; I've filed a follow-up bug at
        webkit.org/b/174819

        We should further avoid the per-function cost of tiering, which
        represents the bulk of code generated for small functions.

        * assembler/MacroAssemblerARM64.h:
        (JSC::MacroAssemblerARM64::storeZero64):
        * assembler/MacroAssemblerX86_64.h:
        (JSC::MacroAssemblerX86_64::storeZero64):
        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
        for x86 because it constrains register reuse and codegen in a way
        that doesn't affect ARM64 because it has a dedicated zero
        register.
        * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::instanceValue):
        (JSC::Wasm::B3IRGenerator::restoreWasmContext):
        (JSC::Wasm::B3IRGenerator::B3IRGenerator):
        (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.

2017-07-23  Filip Pizlo  <fpizlo@apple.com>

        B3 should do LICM
        https://bugs.webkit.org/show_bug.cgi?id=174750

        Reviewed by Keith Miller and Saam Barati.

        Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
        convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
        so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
        change templatizes DFG::NaturalLoops so that we can just use it.

        The LICM phase itself is really simple. We are decently precise with our handling of everything except
        the relationship between control dependence and side exits.

        Also added a bunch of tests.

        This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
        probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
        so it doesn't hurt to have it.

        I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
        handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
        it's good to have it because LICM is one of those core compiler phases; every compiler has it
        eventually.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3BackwardsCFG.h: Added.
        (JSC::B3::BackwardsCFG::BackwardsCFG):
        * b3/B3BackwardsDominators.h: Added.
        (JSC::B3::BackwardsDominators::BackwardsDominators):
        * b3/B3BasicBlock.cpp:
        (JSC::B3::BasicBlock::appendNonTerminal):
        * b3/B3Effects.h:
        * b3/B3EnsureLoopPreHeaders.cpp: Added.
        (JSC::B3::ensureLoopPreHeaders):
        * b3/B3EnsureLoopPreHeaders.h: Added.
        * b3/B3Generate.cpp:
        (JSC::B3::generateToAir):
        * b3/B3HoistLoopInvariantValues.cpp: Added.
        (JSC::B3::hoistLoopInvariantValues):
        * b3/B3HoistLoopInvariantValues.h: Added.
        * b3/B3NaturalLoops.h: Added.
        (JSC::B3::NaturalLoops::NaturalLoops):
        * b3/B3Procedure.cpp:
        (JSC::B3::Procedure::invalidateCFG):
        (JSC::B3::Procedure::naturalLoops):
        (JSC::B3::Procedure::backwardsCFG):
        (JSC::B3::Procedure::backwardsDominators):
        * b3/B3Procedure.h:
        * b3/testb3.cpp:
        (JSC::B3::generateLoop):
        (JSC::B3::makeArrayForLoops):
        (JSC::B3::generateLoopNotBackwardsDominant):
        (JSC::B3::oneFunction):
        (JSC::B3::noOpFunction):
        (JSC::B3::testLICMPure):
        (JSC::B3::testLICMPureSideExits):
        (JSC::B3::testLICMPureWritesPinned):
        (JSC::B3::testLICMPureWrites):
        (JSC::B3::testLICMReadsLocalState):
        (JSC::B3::testLICMReadsPinned):
        (JSC::B3::testLICMReads):
        (JSC::B3::testLICMPureNotBackwardsDominant):
        (JSC::B3::testLICMPureFoiledByChild):
        (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
        (JSC::B3::testLICMExitsSideways):
        (JSC::B3::testLICMWritesLocalState):
        (JSC::B3::testLICMWrites):
        (JSC::B3::testLICMFence):
        (JSC::B3::testLICMWritesPinned):
        (JSC::B3::testLICMControlDependent):
        (JSC::B3::testLICMControlDependentNotBackwardsDominant):
        (JSC::B3::testLICMControlDependentSideExits):
        (JSC::B3::testLICMReadsPinnedWritesPinned):
        (JSC::B3::testLICMReadsWritesDifferentHeaps):
        (JSC::B3::testLICMReadsWritesOverlappingHeaps):
        (JSC::B3::testLICMDefaultCall):
        (JSC::B3::run):
        * dfg/DFGBasicBlock.h:
        * dfg/DFGCFG.h:
        * dfg/DFGNaturalLoops.cpp: Removed.
        * dfg/DFGNaturalLoops.h:
        (JSC::DFG::NaturalLoops::NaturalLoops):
        (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
        (JSC::DFG::NaturalLoop::header): Deleted.
        (JSC::DFG::NaturalLoop::size): Deleted.
        (JSC::DFG::NaturalLoop::at): Deleted.
        (JSC::DFG::NaturalLoop::operator[]): Deleted.
        (JSC::DFG::NaturalLoop::contains): Deleted.
        (JSC::DFG::NaturalLoop::index): Deleted.
        (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
        (JSC::DFG::NaturalLoop::addBlock): Deleted.
        (JSC::DFG::NaturalLoops::numLoops): Deleted.
        (JSC::DFG::NaturalLoops::loop): Deleted.
        (JSC::DFG::NaturalLoops::headerOf): Deleted.
        (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
        (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
        (JSC::DFG::NaturalLoops::belongsTo): Deleted.
        (JSC::DFG::NaturalLoops::loopDepth): Deleted.

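A toy model of the hoisting decision the entry above describes, added here as an illustration: it is not B3's hoistLoopInvariantValues, and its effect flags, heap names and the small CFG it constructs are assumptions made for the example. A value moves to the pre-header only when every operand is defined outside the loop, nothing in the loop writes a heap it reads, and, if it can exit sideways or is control dependent, its block backwards-dominates the loop header, so that hoisting does not introduce a trap the original loop might never have reached. Backwards dominators are computed here as ordinary dominators of the reversed CFG rooted at a single exit block, which is another simplification of the example.

```python
"""Toy loop-invariant code motion; added illustration, not B3's phase. Flags, heaps and CFG are assumed."""
from dataclasses import dataclass, field

@dataclass
class Value:
    name: str
    op: str
    operands: tuple = ()                # names of the values this one uses
    reads: frozenset = frozenset()      # abstract heaps read
    writes: frozenset = frozenset()     # abstract heaps written
    exits_sideways: bool = False        # may trap or OSR-exit (e.g. a Check)
    control_dependent: bool = False     # must only execute when its block does

@dataclass
class Block:
    name: str
    values: list = field(default_factory=list)
    succs: list = field(default_factory=list)

def dominators(cfg, root):
    """Iterative dominator computation; cfg maps block name -> Block."""
    preds = {b: [] for b in cfg}
    for b in cfg:
        for s in cfg[b].succs:
            preds[s].append(b)
    dom = {b: set(cfg) for b in cfg}
    dom[root] = {root}
    changed = True
    while changed:
        changed = False
        for b in (n for n in cfg if n != root):
            new = {b} | set.intersection(*(dom[p] for p in preds[b]))
            if new != dom[b]:
                dom[b], changed = new, True
    return dom, preds

def natural_loop(preds, dom, header):
    """Blocks of the natural loop with this header: header plus everything reaching a back edge."""
    body, work = {header}, [b for b in preds[header] if header in dom[b]]
    while work:
        b = work.pop()
        if b not in body:
            body.add(b)
            work.extend(preds[b])
    return body

def heaps_overlap(a, b):
    """'*' is the top heap: a fence or call touches everything."""
    return bool(a) and bool(b) and ("*" in a or "*" in b or bool(a & b))

def hoist_loop_invariant_values(cfg, entry, header):
    """Move invariant values into the loop's pre-header; returns their names in hoist order."""
    dom, preds = dominators(cfg, entry)
    body = natural_loop(preds, dom, header)
    (preheader,) = [b for b in preds[header] if b not in body]   # as left by ensureLoopPreHeaders
    (sink,) = [n for n in cfg if not cfg[n].succs]                # assumed: a single exit block
    bdom, _ = dominators({n: Block(n, succs=preds[n]) for n in cfg}, sink)   # backwards dominators
    defined_in_loop = {v.name for b in body for v in cfg[b].values}
    loop_writes = set().union(*(v.writes for b in body for v in cfg[b].values))
    hoisted, changed = [], True
    while changed:                          # hoisting x can make Add(x, a) invariant, so iterate
        changed = False
        for b in [n for n in cfg if n in body]:
            for v in list(cfg[b].values):
                if (v.writes                                              # writes never move
                        or any(o in defined_in_loop for o in v.operands)  # loop-variant operand
                        or heaps_overlap(v.reads, loop_writes)):          # loop clobbers its input
                    continue
                # A side exit or control-dependent value may only move if its block is
                # reached on every path out of the header, i.e. backwards-dominates it.
                if (v.exits_sideways or v.control_dependent) and b not in bdom[header]:
                    continue
                cfg[b].values.remove(v)
                cfg[preheader].values.append(v)
                defined_in_loop.discard(v.name)
                hoisted.append(v.name)
                changed = True
    return hoisted

def example_cfg():
    """Constructed loop: the header branches to then/else, which merge in a latch."""
    cfg = {n: Block(n) for n in ("entry", "preheader", "header", "then", "else", "latch", "exit")}
    cfg["entry"].values = [Value(n, "Const") for n in ("a", "one", "p", "q")]
    cfg["header"].values = [
        Value("i", "Phi", ("one", "inc")),                          # induction variable
        Value("x", "Add", ("a", "a")),                              # pure and invariant
        Value("chk", "Check", ("p",), exits_sideways=True),         # runs on every iteration
        Value("ld", "Load", ("p",), reads=frozenset({"H1"})),       # H1 is never written in the loop
        Value("cond", "LessThan", ("i", "a"))]
    cfg["then"].values = [
        Value("t", "Div", ("a", "one"), control_dependent=True),    # skipped on some iterations
        Value("st", "Store", ("q", "x"), writes=frozenset({"H2"}))]
    cfg["else"].values = [Value("ld2", "Load", ("q",), reads=frozenset({"H2"}))]   # H2 is written
    cfg["latch"].values = [Value("inc", "Add", ("i", "one")), Value("k", "Add", ("x", "a"))]
    for n, s in (("entry", ["preheader"]), ("preheader", ["header"]), ("header", ["then", "else"]),
                 ("then", ["latch"]), ("else", ["latch"]), ("latch", ["header", "exit"])):
        cfg[n].succs = s
    return cfg
```

Calling hoist_loop_invariant_values(example_cfg(), "entry", "header") returns ['x', 'chk', 'ld', 'k']: the Check in the header moves because the header runs on every iteration, the Div in the then block stays because the loop can skip it, and the load from H2 stays because the Store in the loop writes H2. The heap model is deliberately coarse (one top heap, no ranges), which is where the real phase has to be more careful.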
144 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
145
146         GC should be fine with trading blocks between destructor and non-destructor blocks
147         https://bugs.webkit.org/show_bug.cgi?id=174811
148
149         Reviewed by Mark Lam.
150         
151         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
152         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
153         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
154         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
155         set.
156         
157         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
158         is empty if:
159         
160         A) It has no live objects and its a non-destructor block, or
161         B) We just allocated it (so it has no destructors even if it's a destructor block), or
162         C) We just stole it from another allocator (so it also has no destructors), or
163         D) We just swept the block and ran all destructors.
164         
165         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
166         block that could be stolen.
167
168         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
169         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
170         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
171         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
172         
173         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
174         
175         If we tried to enable trading of blocks between allocators without making any changes to how
176         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
177         live objects in order for those bits to be candidates for trading. But if we do that, then our
178         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
179         our destructors won't run and we'll leak memory.
180         
181         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
182         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
183         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
184         handled entirely by the new destrictible bit, while case (D) is detected by looking for blocks that
185         are (empty & ~destructible).
186         
187         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
188         remove destructor-oriented special-casing of block trading.
189
190         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
191         so this change is more about clean-up than perf. But, this could reduce memory usage in some
192         pathological cases.
193         
194         * heap/MarkedAllocator.cpp:
195         (JSC::MarkedAllocator::findEmptyBlockToSteal):
196         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
197         (JSC::MarkedAllocator::endMarking):
198         (JSC::MarkedAllocator::shrink):
199         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
200         * heap/MarkedAllocator.h:
201         * heap/MarkedBlock.cpp:
202         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
203         (JSC::MarkedBlock::Handle::sweep):
204         * heap/MarkedBlockInlines.h:
205         (JSC::MarkedBlock::Handle::specializedSweep):
206         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
207         (JSC::MarkedBlock::Handle::emptyMode):
208
209 2017-07-25  Keith Miller  <keith_miller@apple.com>
210
211         Remove Broken CompareEq constant folding phase.
212         https://bugs.webkit.org/show_bug.cgi?id=174846
213         <rdar://problem/32978808>
214
215         Reviewed by Saam Barati.
216
217         This bug happened when we would get code like the following:
218
219         a: JSConst(Undefined)
220         b: GetLocal(SomeObjectOrUndefined)
221         ...
222         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
223
224         constant folding will turn this into:
225
226         a: JSConst(Undefined)
227         b: GetLocal(SomeObjectOrUndefined)
228         ...
229         c: CompareEq(Check:ObjectOrOther:b, Other:a)
230
231         But the SpeculativeJIT/FTL lowering will fail to check b
232         properly which leads to an assertion failure in the AI.
233
234         I'll follow up with a more robust fix later. For now, I'll remove the
235         case that generates the code. Removing the code appears to be perf
236         neutral.
237
238         * dfg/DFGConstantFoldingPhase.cpp:
239         (JSC::DFG::ConstantFoldingPhase::foldConstants):
240
241 2017-07-25  Matt Baker  <mattbaker@apple.com>
242
243         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
244         https://bugs.webkit.org/show_bug.cgi?id=174738
245
246         Reviewed by Brian Burg.
247
248         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
249         stack traces. This preserves the call type in JSC, makes the range of
250         possible call types explicit, and is safer than passing ints.
251
252         * inspector/agents/InspectorDebuggerAgent.cpp:
253         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
254         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
255         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
256         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
257         * inspector/agents/InspectorDebuggerAgent.h:
258
259 2017-07-25  Mark Lam  <mark.lam@apple.com>
260
261         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
262         https://bugs.webkit.org/show_bug.cgi?id=174809
263         <rdar://problem/33504759>
264
265         Reviewed by Filip Pizlo.
266
267         1. When the probe handler function changes the sp register to point to the
268            region of stack in the middle of the ProbeContext on the stack, there is a
269            bug where the ProbeContext's register values to be restored can be over-written
270            before they can be restored.  This is now fixed.
271
272         2. Added more robust probe tests for changing the sp register.
273
274         3. Made existing probe tests to ensure that probe handlers were actually called.
275
276         4. Added some verification to testProbePreservesGPRS().
277
278         5. Change all the probe tests to fail early on discovering an error instead of
279            batching till the end of the test.  This helps point a finger to the failing
280            issue earlier.
281
282         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
283         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
284
285         * assembler/MacroAssemblerARM.cpp:
286         * assembler/MacroAssemblerARMv7.cpp:
287         * assembler/MacroAssemblerX86Common.cpp:
288         * assembler/testmasm.cpp:
289         (JSC::testProbeReadsArgumentRegisters):
290         (JSC::testProbeWritesArgumentRegisters):
291         (JSC::testProbePreservesGPRS):
292         (JSC::testProbeModifiesStackPointer):
293         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
294         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
295         (JSC::testProbeModifiesProgramCounter):
296         (JSC::run):
297
298 2017-07-25  Brian Burg  <bburg@apple.com>
299
300         Web Automation: add support for uploading files
301         https://bugs.webkit.org/show_bug.cgi?id=174797
302         <rdar://problem/28485063>
303
304         Reviewed by Joseph Pecoraro.
305
306         * inspector/scripts/generate-inspector-protocol-bindings.py:
307         (generate_from_specification):
308         Start generating frontend dispatcher code if the target framework is 'WebKit'.
309
310         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
311         (CppFrontendDispatcherImplementationGenerator.generate_output):
312         Use a framework include for InspectorFrontendRouter.h since this generated code
313         will be compiled outside of WebCore.framework.
314
315         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
316         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
317         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
318         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
319         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
320         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
321         * inspector/scripts/tests/generic/expected/enum-values.json-result:
322         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
323         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
324         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
325         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
326         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
327         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
328         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
329         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
330         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
331         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
332         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
333         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
334         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
335         Rebaseline code generator tests.
336
337 2017-07-24  Mark Lam  <mark.lam@apple.com>
338
339         Gardening: fixed C Loop build after r219790.
340         https://bugs.webkit.org/show_bug.cgi?id=174696
341
342         Not reviewed.
343
344         * assembler/testmasm.cpp:
345
346 2017-07-23  Mark Lam  <mark.lam@apple.com>
347
348         Create regression tests for the JIT probe.
349         https://bugs.webkit.org/show_bug.cgi?id=174696
350         <rdar://problem/33436922>
351
352         Reviewed by Saam Barati.
353
354         The new testmasm will test the following:
355         1. the probe is able to read the value of CPU registers.
356         2. the probe is able to write the value of CPU registers.
357         3. the probe is able to preserve all CPU registers.
358         4. special case of (2): the probe is able to change the value of the stack pointer.
359         5. special case of (2): the probe is able to change the value of the program counter
360            i.e. the probe can change where the code continues executing upon returning from
361            the probe.
362
363         Currently, the x86, x86_64, and ARMv7 ports passes the test.  ARM64 does not
364         because it does not support changing the sp and pc yet.  The ARM64 probe
365         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
366         later.
367
368         * Configurations/ToolExecutable.xcconfig:
369         * JavaScriptCore.xcodeproj/project.pbxproj:
370         * assembler/MacroAssembler.h:
371         (JSC::MacroAssembler::CPUState::pc):
372         (JSC::MacroAssembler::CPUState::fp):
373         (JSC::MacroAssembler::CPUState::sp):
374         (JSC::ProbeContext::pc):
375         (JSC::ProbeContext::fp):
376         (JSC::ProbeContext::sp):
377         * assembler/MacroAssemblerARM64.cpp:
378         (JSC::arm64ProbeTrampoline):
379         * assembler/MacroAssemblerPrinter.cpp:
380         (JSC::Printer::printPCRegister):
381         * assembler/testmasm.cpp: Added.
382         (hiddenTruthBecauseNoReturnIsStupid):
383         (usage):
384         (JSC::nextID):
385         (JSC::isPC):
386         (JSC::isSP):
387         (JSC::isFP):
388         (JSC::compile):
389         (JSC::invoke):
390         (JSC::compileAndRun):
391         (JSC::testSimple):
392         (JSC::testProbeReadsArgumentRegisters):
393         (JSC::testProbeWritesArgumentRegisters):
394         (JSC::testFunctionToTrashRegisters):
395         (JSC::testProbePreservesGPRS):
396         (JSC::testProbeModifiesStackPointer):
397         (JSC::testProbeModifiesProgramCounter):
398         (JSC::run):
399         (run):
400         (main):
401         * b3/air/testair.cpp:
402         (usage):
403         * shell/CMakeLists.txt:
404
405 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
406
407         It should be easy to decide how WebKit yields
408         https://bugs.webkit.org/show_bug.cgi?id=174298
409
410         Reviewed by Saam Barati.
411         
412         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
413
414         * heap/Heap.cpp:
415         (JSC::Heap::resumeThePeriphery):
416         * heap/VisitingTimeout.h:
417         * runtime/JSCell.cpp:
418         (JSC::JSCell::lockSlow):
419         (JSC::JSCell::unlockSlow):
420         * runtime/JSCell.h:
421         * runtime/JSCellInlines.h:
422         (JSC::JSCell::lock):
423         (JSC::JSCell::unlock):
424         * runtime/JSLock.cpp:
425         (JSC::JSLock::grabAllLocks):
426         * runtime/SamplingProfiler.cpp:
427
428 2017-07-21  Mark Lam  <mark.lam@apple.com>
429
430         Refactor MASM probe CPUState to use arrays for register storage.
431         https://bugs.webkit.org/show_bug.cgi?id=174694
432
433         Reviewed by Keith Miller.
434
435         Using arrays for register storage in CPUState allows us to do away with the
436         huge switch statements to decode each register id.  We can now simply index into
437         the arrays.
438
439         With this patch, we now:
440
441         1. Remove the need for macros for defining the list of CPU registers.
442            We can go back to simple enums.  This makes the code easier to read.
443
444         2. Make the assembler the authority on register names.
445            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
446            GPRInfo and FPRInfo now forwards to the assembler.
447
448         3. Make the assembler the authority on the number of registers of each type.
449
450         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
451            This is inconsistent with how every other CPU architecture implements
452            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
453            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
454
455         * assembler/ARM64Assembler.h:
456         (JSC::ARM64Assembler::numberOfRegisters):
457         (JSC::ARM64Assembler::firstSPRegister):
458         (JSC::ARM64Assembler::lastSPRegister):
459         (JSC::ARM64Assembler::numberOfSPRegisters):
460         (JSC::ARM64Assembler::numberOfFPRegisters):
461         (JSC::ARM64Assembler::gprName):
462         (JSC::ARM64Assembler::sprName):
463         (JSC::ARM64Assembler::fprName):
464         * assembler/ARMAssembler.h:
465         (JSC::ARMAssembler::numberOfRegisters):
466         (JSC::ARMAssembler::firstSPRegister):
467         (JSC::ARMAssembler::lastSPRegister):
468         (JSC::ARMAssembler::numberOfSPRegisters):
469         (JSC::ARMAssembler::numberOfFPRegisters):
470         (JSC::ARMAssembler::gprName):
471         (JSC::ARMAssembler::sprName):
472         (JSC::ARMAssembler::fprName):
473         * assembler/ARMv7Assembler.h:
474         (JSC::ARMv7Assembler::lastRegister):
475         (JSC::ARMv7Assembler::numberOfRegisters):
476         (JSC::ARMv7Assembler::firstSPRegister):
477         (JSC::ARMv7Assembler::lastSPRegister):
478         (JSC::ARMv7Assembler::numberOfSPRegisters):
479         (JSC::ARMv7Assembler::numberOfFPRegisters):
480         (JSC::ARMv7Assembler::gprName):
481         (JSC::ARMv7Assembler::sprName):
482         (JSC::ARMv7Assembler::fprName):
483         * assembler/AbstractMacroAssembler.h:
484         (JSC::AbstractMacroAssembler::numberOfRegisters):
485         (JSC::AbstractMacroAssembler::gprName):
486         (JSC::AbstractMacroAssembler::firstSPRegister):
487         (JSC::AbstractMacroAssembler::lastSPRegister):
488         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
489         (JSC::AbstractMacroAssembler::sprName):
490         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
491         (JSC::AbstractMacroAssembler::fprName):
492         * assembler/MIPSAssembler.h:
493         (JSC::MIPSAssembler::numberOfRegisters):
494         (JSC::MIPSAssembler::firstSPRegister):
495         (JSC::MIPSAssembler::lastSPRegister):
496         (JSC::MIPSAssembler::numberOfSPRegisters):
497         (JSC::MIPSAssembler::numberOfFPRegisters):
498         (JSC::MIPSAssembler::gprName):
499         (JSC::MIPSAssembler::sprName):
500         (JSC::MIPSAssembler::fprName):
501         * assembler/MacroAssembler.h:
502         (JSC::MacroAssembler::CPUState::gprName):
503         (JSC::MacroAssembler::CPUState::sprName):
504         (JSC::MacroAssembler::CPUState::fprName):
505         (JSC::MacroAssembler::CPUState::gpr):
506         (JSC::MacroAssembler::CPUState::spr):
507         (JSC::MacroAssembler::CPUState::fpr):
508         (JSC::MacroAssembler::CPUState::pc):
509         (JSC::MacroAssembler::CPUState::fp):
510         (JSC::MacroAssembler::CPUState::sp):
511         (JSC::ProbeContext::gpr):
512         (JSC::ProbeContext::spr):
513         (JSC::ProbeContext::fpr):
514         (JSC::ProbeContext::gprName):
515         (JSC::ProbeContext::sprName):
516         (JSC::ProbeContext::fprName):
517         (JSC::MacroAssembler::numberOfRegisters): Deleted.
518         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
519         * assembler/MacroAssemblerARM.cpp:
520         * assembler/MacroAssemblerARM64.cpp:
521         (JSC::arm64ProbeTrampoline):
522         * assembler/MacroAssemblerARMv7.cpp:
523         * assembler/MacroAssemblerPrinter.cpp:
524         (JSC::Printer::nextID):
525         (JSC::Printer::printAllRegisters):
526         (JSC::Printer::printPCRegister):
527         (JSC::Printer::printRegisterID):
528         (JSC::Printer::printAddress):
529         * assembler/MacroAssemblerX86Common.cpp:
530         * assembler/X86Assembler.h:
531         (JSC::X86Assembler::numberOfRegisters):
532         (JSC::X86Assembler::firstSPRegister):
533         (JSC::X86Assembler::lastSPRegister):
534         (JSC::X86Assembler::numberOfSPRegisters):
535         (JSC::X86Assembler::numberOfFPRegisters):
536         (JSC::X86Assembler::gprName):
537         (JSC::X86Assembler::sprName):
538         (JSC::X86Assembler::fprName):
539         * jit/FPRInfo.h:
540         (JSC::FPRInfo::debugName):
541         * jit/GPRInfo.h:
542         (JSC::GPRInfo::debugName):
543         * jit/RegisterSet.cpp:
544         (JSC::RegisterSet::reservedHardwareRegisters):
545
546 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
547
548         [JSC] Introduce static symbols
549         https://bugs.webkit.org/show_bug.cgi?id=158863
550
551         Reviewed by Darin Adler.
552
553         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
554         As a result, we can share the same Symbol values between VMs and threads.
555         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
556
557         * CMakeLists.txt:
558         * JavaScriptCore.xcodeproj/project.pbxproj:
559         * builtins/BuiltinNames.cpp: Added.
560         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
561
562         * builtins/BuiltinNames.h:
563         (JSC::BuiltinNames::BuiltinNames):
564         * builtins/BuiltinUtils.h:
565
566 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
567
568         [FTL] Arguments elimination is suppressed by unreachable blocks
569         https://bugs.webkit.org/show_bug.cgi?id=174352
570
571         Reviewed by Filip Pizlo.
572
573         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
574         The problem is that arguments elimination phase checks escaping even when ForceOSRExit preceeds.
575         Since GetById without information can escape arguments if it is specified, non-executed code including
576         op_get_by_id with arguments can escape arguments.
577
578         For example,
579
580             function test(flag)
581             {
582                 if (flag) {
583                     // This is not executed, but emits GetById with arguments.
584                     // It prevents us from eliminating materialization.
585                     return arguments.length;
586                 }
587                 return arguments.length;
588             }
589             noInline(test);
590             while (true)
591                 test(false);
592
593         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
594         So this GetById exists and escapes arguments.
595
596         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
597         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
598         lightweight. But it catches much of typical cases we failed to perform arguments elimination.
599
600         * dfg/DFGArgumentsEliminationPhase.cpp:
601         * dfg/DFGNode.h:
602         (JSC::DFG::Node::isPseudoTerminal):
603         * dfg/DFGValidate.cpp:
604
605 2017-07-20  Chris Dumez  <cdumez@apple.com>
606
607         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
608         https://bugs.webkit.org/show_bug.cgi?id=174660
609
610         Reviewed by Geoffrey Garen.
611
612         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
613         This essentially replaces a branch to figure out if the new size is less or greater than the
614         current size by an assertion.
615
616         * b3/B3BasicBlockUtils.h:
617         (JSC::B3::clearPredecessors):
618         * b3/B3InferSwitches.cpp:
619         * b3/B3LowerToAir.cpp:
620         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
621         * b3/B3ReduceStrength.cpp:
622         * b3/B3SparseCollection.h:
623         (JSC::B3::SparseCollection::packIndices):
624         * b3/B3UseCounts.cpp:
625         (JSC::B3::UseCounts::UseCounts):
626         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
627         * b3/air/AirEmitShuffle.cpp:
628         (JSC::B3::Air::emitShuffle):
629         * b3/air/AirLowerAfterRegAlloc.cpp:
630         (JSC::B3::Air::lowerAfterRegAlloc):
631         * b3/air/AirOptimizeBlockOrder.cpp:
632         (JSC::B3::Air::optimizeBlockOrder):
633         * bytecode/Operands.h:
634         (JSC::Operands::ensureLocals):
635         * bytecode/PreciseJumpTargets.cpp:
636         (JSC::computePreciseJumpTargetsInternal):
637         * dfg/DFGBlockInsertionSet.cpp:
638         (JSC::DFG::BlockInsertionSet::execute):
639         * dfg/DFGBlockMapInlines.h:
640         (JSC::DFG::BlockMap<T>::BlockMap):
641         * dfg/DFGByteCodeParser.cpp:
642         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
643         (JSC::DFG::ByteCodeParser::clearCaches):
644         * dfg/DFGDisassembler.cpp:
645         (JSC::DFG::Disassembler::Disassembler):
646         * dfg/DFGFlowIndexing.cpp:
647         (JSC::DFG::FlowIndexing::recompute):
648         * dfg/DFGGraph.cpp:
649         (JSC::DFG::Graph::registerFrozenValues):
650         * dfg/DFGInPlaceAbstractState.cpp:
651         (JSC::DFG::setLiveValues):
652         * dfg/DFGLICMPhase.cpp:
653         (JSC::DFG::LICMPhase::run):
654         * dfg/DFGLivenessAnalysisPhase.cpp:
655         * dfg/DFGNaturalLoops.cpp:
656         (JSC::DFG::NaturalLoops::NaturalLoops):
657         * dfg/DFGStoreBarrierClusteringPhase.cpp:
658         * ftl/FTLLowerDFGToB3.cpp:
659         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
660         * heap/CodeBlockSet.cpp:
661         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
662         * heap/MarkedSpace.cpp:
663         (JSC::MarkedSpace::sweepLargeAllocations):
664         * inspector/ContentSearchUtilities.cpp:
665         (Inspector::ContentSearchUtilities::findMagicComment):
666         * interpreter/ShadowChicken.cpp:
667         (JSC::ShadowChicken::update):
668         * parser/ASTBuilder.h:
669         (JSC::ASTBuilder::shrinkOperandStackBy):
670         * parser/Lexer.h:
671         (JSC::Lexer::setOffset):
672         * runtime/RegExpInlines.h:
673         (JSC::RegExp::matchInline):
674         * runtime/RegExpPrototype.cpp:
675         (JSC::genericSplit):
676         * yarr/RegularExpression.cpp:
677         (JSC::Yarr::RegularExpression::match):
678
679 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
680
681         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
682         https://bugs.webkit.org/show_bug.cgi?id=174678
683
684         Reviewed by Mark Lam.
685
686         Use Thread& instead.
687
688         * runtime/JSLock.cpp:
689         (JSC::JSLock::didAcquireLock):
690
691 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
692
693         [WTF] Implement WTF::ThreadGroup
694         https://bugs.webkit.org/show_bug.cgi?id=174081
695
696         Reviewed by Mark Lam.
697
698         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
699         SamplingProfiler and others interact with WTF::Thread directly.
700
701         * API/tests/ExecutionTimeLimitTest.cpp:
702         * heap/MachineStackMarker.cpp:
703         (JSC::MachineThreads::MachineThreads):
704         (JSC::captureStack):
705         (JSC::MachineThreads::tryCopyOtherThreadStack):
706         (JSC::MachineThreads::tryCopyOtherThreadStacks):
707         (JSC::MachineThreads::gatherConservativeRoots):
708         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
709         (JSC::ActiveMachineThreadsManager::add): Deleted.
710         (JSC::ActiveMachineThreadsManager::remove): Deleted.
711         (JSC::ActiveMachineThreadsManager::contains): Deleted.
712         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
713         (JSC::activeMachineThreadsManager): Deleted.
714         (JSC::MachineThreads::~MachineThreads): Deleted.
715         (JSC::MachineThreads::addCurrentThread): Deleted.
716         (): Deleted.
717         (JSC::MachineThreads::removeThread): Deleted.
718         (JSC::MachineThreads::removeThreadIfFound): Deleted.
719         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
720         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
721         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
722         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
723         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
724         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
725         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
726         * heap/MachineStackMarker.h:
727         (JSC::MachineThreads::addCurrentThread):
728         (JSC::MachineThreads::getLock):
729         (JSC::MachineThreads::threads):
730         (JSC::MachineThreads::MachineThread::suspend): Deleted.
731         (JSC::MachineThreads::MachineThread::resume): Deleted.
732         (JSC::MachineThreads::MachineThread::threadID): Deleted.
733         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
734         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
735         (JSC::MachineThreads::threadsListHead): Deleted.
736         * runtime/SamplingProfiler.cpp:
737         (JSC::FrameWalker::isValidFramePointer):
738         (JSC::SamplingProfiler::SamplingProfiler):
739         (JSC::SamplingProfiler::takeSample):
740         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
741         * runtime/SamplingProfiler.h:
742         * wasm/WasmMachineThreads.cpp:
743         (JSC::Wasm::resetInstructionCacheOnAllThreads):
744
745 2017-07-18  Andy Estes  <aestes@apple.com>
746
747         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
748         https://bugs.webkit.org/show_bug.cgi?id=174631
749
750         Reviewed by Tim Horton.
751
752         * Configurations/Base.xcconfig:
753         * b3/B3FoldPathConstants.cpp:
754         * b3/B3LowerMacros.cpp:
755         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
756         * dfg/DFGByteCodeParser.cpp:
757         (JSC::DFG::ByteCodeParser::check):
758         (JSC::DFG::ByteCodeParser::planLoad):
759
760 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
761
762         WTF::Thread should have the threads stack bounds.
763         https://bugs.webkit.org/show_bug.cgi?id=173975
764
765         Reviewed by Mark Lam.
766
767         There is a site in JSC that tries to walk another thread's stack.
768         Currently, stack bounds are stored in WTFThreadData which is located
769         in TLS. Thus, only the thread itself can access its own WTFThreadData.
770         We work around this situation by holding StackBounds in MachineThread in JSC,
771         but StackBounds should be put in WTF::Thread instead.
772
773         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
774         coupled with Thread. Thus, putting it in WTF::Thread is a natural choice.
775
776         * heap/MachineStackMarker.cpp:
777         (JSC::MachineThreads::MachineThread::MachineThread):
778         (JSC::MachineThreads::MachineThread::captureStack):
779         * heap/MachineStackMarker.h:
780         (JSC::MachineThreads::MachineThread::stackBase):
781         (JSC::MachineThreads::MachineThread::stackEnd):
782         * runtime/VMTraps.cpp:
783
784 2017-07-18  Andy Estes  <aestes@apple.com>
785
786         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
787         https://bugs.webkit.org/show_bug.cgi?id=174631
788
789         Reviewed by Sam Weinig.
790
791         * Configurations/Base.xcconfig:
792
793 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
794
795         Web Inspector: Modernize InjectedScriptSource
796         https://bugs.webkit.org/show_bug.cgi?id=173890
797
798         Reviewed by Brian Burg.
799
800         * inspector/InjectedScript.h:
801         Reorder functions to be slightly better.
802
803         * inspector/InjectedScriptSource.js:
804         - Convert to classes named InjectedScript and RemoteObject
805         - Align InjectedScript's API with the wrapper C++ interfaces
806         - Move some code to RemoteObject where appropriate (subtype, describe)
807         - Move some code to helper functions (isPrimitiveValue, isDefined)
808         - Refactor for readability and modern features
809         - Remove some unused / unnecessary code
810
811 2017-07-18  Mark Lam  <mark.lam@apple.com>
812
813         Butterfly storage need not be initialized for indexing type Undecided.
814         https://bugs.webkit.org/show_bug.cgi?id=174516
815
816         Reviewed by Saam Barati.
817
818         While it's not incorrect to initialize the butterfly storage when the
819         indexingType is Undecided, it is inefficient as we'll end up initializing
820         it again later when we convert the storage to a different indexingType.
821         Some of our code already skips initializing Undecided butterflies.
822         This patch makes it the consistent behavior everywhere.
823
824         * dfg/DFGSpeculativeJIT.cpp:
825         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
826         * runtime/JSArray.cpp:
827         (JSC::JSArray::tryCreateUninitializedRestricted):
828         * runtime/JSArray.h:
829         (JSC::JSArray::tryCreate):
830         * runtime/JSObject.cpp:
831         (JSC::JSObject::ensureLengthSlow):
832
833 2017-07-18  Saam Barati  <sbarati@apple.com>
834
835         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
836         https://bugs.webkit.org/show_bug.cgi?id=174515
837         <rdar://problem/33358092>
838
839         Reviewed by Filip Pizlo.
840
841         AirLowerAfterRegAlloc was computing the set of available scratch
842         registers incorrectly. It was always excluding callee save registers
843         from the set of live registers. It did not guarantee that live callee save
844         registers were not in the set of scratch registers that could
845         get clobbered. That's incorrect as the shuffling code is free
846         to overwrite whatever is in the scratch register it gets passed.
847
848         * b3/air/AirLowerAfterRegAlloc.cpp:
849         (JSC::B3::Air::lowerAfterRegAlloc):
850         * b3/testb3.cpp:
851         (JSC::B3::functionNineArgs):
852         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
853         (JSC::B3::run):
854         * jit/RegisterSet.h:
855
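The entry above describes a set computation that let a live callee-save register be handed to the shuffle as scratch. As an added example (not JavaScriptCore's AirLowerAfterRegAlloc code), here is a bitmask model of that computation with the faulty form next to the corrected one; the register count and which registers are callee-save are assumptions for illustration.

```cpp
// Added example, not JavaScriptCore's code: a bitmask model of choosing scratch
// registers for a shuffle, with the buggy and the fixed computation side by side.
#include <cstdint>
#include <cstdio>

using RegisterSet = uint32_t;                  // bit i set => register i is in the set
constexpr int kNumRegisters = 8;               // assumed machine with r0..r7
constexpr RegisterSet kAllRegisters = (1u << kNumRegisters) - 1;
constexpr RegisterSet kCalleeSaves = 0b11110000; // assume r4..r7 are callee-save

constexpr RegisterSet reg(int i) { return 1u << i; }

// Buggy: callee saves are dropped from the live set before the complement is
// taken, so a callee save that is live can still be offered as scratch.
constexpr RegisterSet scratchRegistersBuggy(RegisterSet live) {
    RegisterSet liveWithoutCalleeSaves = live & ~kCalleeSaves;
    return kAllRegisters & ~liveWithoutCalleeSaves;
}

// Fixed: every live register is unavailable as scratch, callee save or not.
constexpr RegisterSet scratchRegistersFixed(RegisterSet live) {
    return kAllRegisters & ~live;
}

// The invariant the shuffle relies on: it may overwrite any scratch register,
// so no scratch register may hold a live value.
constexpr bool scratchClobbersLive(RegisterSet scratch, RegisterSet live) {
    return (scratch & live) != 0;
}

int main() {
    RegisterSet live = reg(1) | reg(5); // r5 is a live callee save
    std::printf("buggy scratch set clobbers live: %d\n",
                scratchClobbersLive(scratchRegistersBuggy(live), live));
    std::printf("fixed scratch set clobbers live: %d\n",
                scratchClobbersLive(scratchRegistersFixed(live), live));
    return 0;
}
```

With r1 and the callee-save r5 live, the buggy form returns r5 in the scratch set and the invariant check fails; the fixed form excludes both.
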
856 2017-07-18  Andy Estes  <aestes@apple.com>
857
858         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
859         https://bugs.webkit.org/show_bug.cgi?id=174631
860
861         Reviewed by Dan Bernstein.
862
863         * Configurations/Base.xcconfig:
864
865 2017-07-18  Devin Rousso  <drousso@apple.com>
866
867         Web Inspector: Add memoryCost to Inspector Protocol objects
868         https://bugs.webkit.org/show_bug.cgi?id=174478
869
870         Reviewed by Joseph Pecoraro.
871
872         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
873         plus the memoryCost of the data if it is a string.
874
875         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
876
877         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
878         key plus the memoryCost of the InspectorValue for each entry.
879
880         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
881
882         * inspector/InspectorValues.h:
883         * inspector/InspectorValues.cpp:
884         (Inspector::InspectorValue::memoryCost):
885         (Inspector::InspectorObjectBase::memoryCost):
886         (Inspector::InspectorArrayBase::memoryCost):
887
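The three rules above are easy to get wrong in a recursive walk (double-counting the container, forgetting the key). As an added example that is not JavaScriptCore's InspectorValue, here is a simplified JSON-like value type whose memoryCost() applies exactly those rules; the Value type, its helpers and the cost model for string data (one unit per character) are assumptions of this example.

```cpp
// Added example, not JavaScriptCore's InspectorValue: a JSON-like value whose
// memoryCost() follows the rules in the entry above.
#include <cstddef>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <variant>
#include <vector>

struct Value;
using ValuePtr = std::shared_ptr<Value>;
using Array = std::vector<ValuePtr>;
using Object = std::map<std::string, ValuePtr>;

struct Value {
    // null, boolean, number, string, array or object
    std::variant<std::nullptr_t, bool, double, std::string, Array, Object> data;

    // Assumed cost of the character data a string owns (one unit per character);
    // the container itself is already counted by sizeof(Value).
    static size_t stringDataCost(const std::string& s) { return s.size(); }

    size_t memoryCost() const {
        // Rule 1: every value costs sizeof(Value), plus its character data if it is a string.
        size_t cost = sizeof(Value);
        if (auto* s = std::get_if<std::string>(&data))
            return cost + stringDataCost(*s);
        // Rule 2: an array adds the memoryCost of every item.
        if (auto* a = std::get_if<Array>(&data)) {
            for (const auto& item : *a)
                cost += item->memoryCost();
            return cost;
        }
        // Rule 3: an object adds, per entry, the key's character data plus the value's cost.
        if (auto* o = std::get_if<Object>(&data)) {
            for (const auto& [key, value] : *o)
                cost += stringDataCost(key) + value->memoryCost();
            return cost;
        }
        return cost; // null, bool and number carry no extra data
    }
};

ValuePtr makeNull()                { return std::make_shared<Value>(Value{nullptr}); }
ValuePtr makeBool(bool b)          { return std::make_shared<Value>(Value{b}); }
ValuePtr makeNumber(double d)      { return std::make_shared<Value>(Value{d}); }
ValuePtr makeString(std::string s) { return std::make_shared<Value>(Value{std::move(s)}); }
ValuePtr makeArray(Array a)        { return std::make_shared<Value>(Value{std::move(a)}); }
ValuePtr makeObject(Object o)      { return std::make_shared<Value>(Value{std::move(o)}); }

// Constructed sample document: {"name": "wk", "tags": ["a", "bc"], "ok": true}
ValuePtr sampleDocument() {
    Object root;
    root["name"] = makeString("wk");
    root["tags"] = makeArray({makeString("a"), makeString("bc")});
    root["ok"] = makeBool(true);
    return makeObject(std::move(root));
}

// Six Value nodes plus 15 characters of string and key data.
size_t sampleDocumentCost() { return sampleDocument()->memoryCost(); }

int main() {
    std::printf("sample document cost: %zu bytes\n", sampleDocumentCost());
    return 0;
}
```

For the sample document the result is 6 * sizeof(Value) + 15: one node for the root object, three for the entry values, two for the array items, and 4 + 2 + 4 + 1 + 2 + 2 characters of key and string data.
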
888 2017-07-18  Andy Estes  <aestes@apple.com>
889
890         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
891         https://bugs.webkit.org/show_bug.cgi?id=174631
892
893         Reviewed by Darin Adler.
894
895         * Configurations/Base.xcconfig:
896
897 2017-07-18  Michael Saboff  <msaboff@apple.com>
898
899         [JSC] There should be a debug option to dump a compiled RegExp Pattern
900         https://bugs.webkit.org/show_bug.cgi?id=174601
901
902         Reviewed by Alex Christensen.
903
904         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
905         objects after a regular expression has been compiled.
906
907         * runtime/Options.h:
908         * yarr/YarrPattern.cpp:
909         (JSC::Yarr::YarrPattern::compile):
910         (JSC::Yarr::indentForNestingLevel):
911         (JSC::Yarr::dumpUChar32):
912         (JSC::Yarr::PatternAlternative::dump):
913         (JSC::Yarr::PatternTerm::dumpQuantifier):
914         (JSC::Yarr::PatternTerm::dump):
915         (JSC::Yarr::PatternDisjunction::dump):
916         (JSC::Yarr::YarrPattern::dumpPattern):
917         * yarr/YarrPattern.h:
918         (JSC::Yarr::YarrPattern::global):
919
920 2017-07-17  Darin Adler  <darin@apple.com>
921
922         Improve use of NeverDestroyed
923         https://bugs.webkit.org/show_bug.cgi?id=174348
924
925         Reviewed by Sam Weinig.
926
927         * heap/MachineStackMarker.cpp:
928         * wasm/WasmMemory.cpp:
929         Removed unneeded includes of NeverDestroyed.h in files that do not make use
930         of NeverDestroyed.
931
932 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
933
934         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
935         https://bugs.webkit.org/show_bug.cgi?id=174547
936
937         Reviewed by Alex Christensen.
938
939         * CMakeLists.txt:
940         * shell/CMakeLists.txt:
941
942 2017-07-17  Saam Barati  <sbarati@apple.com>
943
944         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
945         https://bugs.webkit.org/show_bug.cgi?id=174584
946
947         Rubber stamped by Keith Miller.
948
949         I used it to diagnose a bug. The bug is now fixed. This custom
950         RELEASE_ASSERT is no longer needed.
951
952         * dfg/DFGObjectAllocationSinkingPhase.cpp:
953
954 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
955
956         -Wformat-truncation warning in ConfigFile.cpp
957         https://bugs.webkit.org/show_bug.cgi?id=174506
958
959         Reviewed by Darin Adler.
960
961         Check if the JSC config filename would be truncated due to exceeding the max path length. If so,
962         return ParseError.
963
964         * runtime/ConfigFile.cpp:
965         (JSC::ConfigFile::parse):
966
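The check described above rests on one property of snprintf: it returns the length the complete string would have had, so a return value of at least the buffer size means the path was cut short. As an added example, not JavaScriptCore's ConfigFile::parse, here is that check in isolation; the buffer size, the ParseResult type and the path layout are assumptions of the example.

```cpp
// Added example, not JavaScriptCore's ConfigFile code: build a path into a
// fixed-size buffer and report ParseError instead of using a truncated path.
#include <cstdio>
#include <string>

enum class ParseResult { Success, ParseError };

struct PathResult {
    ParseResult status;
    std::string path; // empty on ParseError, never a partial path
};

// Assumed limit for this example; a real implementation uses the platform's own.
constexpr size_t kMaxPathLength = 32;

PathResult buildConfigPath(const char* directory, const char* filename) {
    char buffer[kMaxPathLength];
    // snprintf always NUL-terminates within the buffer, but reports the length
    // the full string needed; >= sizeof(buffer) means the output was truncated.
    int needed = std::snprintf(buffer, sizeof(buffer), "%s/%s", directory, filename);
    if (needed < 0 || static_cast<size_t>(needed) >= sizeof(buffer))
        return { ParseResult::ParseError, std::string() };
    return { ParseResult::Success, std::string(buffer) };
}

int main() {
    PathResult ok = buildConfigPath("/etc/jsc", "config.txt");
    std::printf("status %d path '%s'\n", static_cast<int>(ok.status), ok.path.c_str());
    PathResult bad = buildConfigPath("/a/very/long/directory/name/elsewhere", "config.txt");
    std::printf("status %d path '%s'\n", static_cast<int>(bad.status), bad.path.c_str());
    return 0;
}
```

The boundary matters: a 31-character path fits in a 32-byte buffer with its terminator, a 32-character one does not, and without the check the caller would silently open a different file than the one named.
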
967 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
968
969         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
970         https://bugs.webkit.org/show_bug.cgi?id=174557
971
972         Reviewed by Michael Catanzaro.
973
974         * CMakeLists.txt:
975
976 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
977
978         [WTF] Use std::unique_ptr for StackTrace
979         https://bugs.webkit.org/show_bug.cgi?id=174495
980
981         Reviewed by Alex Christensen.
982
983         * runtime/ExceptionScope.cpp:
984         (JSC::ExceptionScope::unexpectedExceptionMessage):
985         * runtime/VM.cpp:
986         (JSC::VM::throwException):
987
988 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
989
990         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
991         https://bugs.webkit.org/show_bug.cgi?id=174423
992
993         Reviewed by Saam Barati.
994
995         * dfg/DFGAvailabilityMap.cpp:
996         (JSC::DFG::AvailabilityMap::pruneHeap):
997         (JSC::DFG::AvailabilityMap::pruneByLiveness):
998
999 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1000
1001         Fix compiler warnings when building with GCC 7
1002         https://bugs.webkit.org/show_bug.cgi?id=174463
1003
1004         Reviewed by Darin Adler.
1005
1006         * disassembler/udis86/udis86_decode.c:
1007         (decode_operand):
1008
1009 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
1010
1011         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
1012         https://bugs.webkit.org/show_bug.cgi?id=174467
1013
1014         Reviewed by Saam Barati.
1015
1016         * bytecode/CallLinkInfo.cpp:
1017         (JSC::CallLinkInfo::callTypeFor):
1018
1019 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
1020
1021         Web Inspector: Remove unused and untested Page domain commands
1022         https://bugs.webkit.org/show_bug.cgi?id=174429
1023
1024         Reviewed by Timothy Hatcher.
1025
1026         * inspector/protocol/Page.json:
1027
1028 2017-07-13  Saam Barati  <sbarati@apple.com>
1029
1030         Missing exception check in JSObject::hasInstance
1031         https://bugs.webkit.org/show_bug.cgi?id=174455
1032         <rdar://problem/31384608>
1033
1034         Reviewed by Mark Lam.
1035
1036         * runtime/JSObject.cpp:
1037         (JSC::JSObject::hasInstance):
1038
1039 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
1040
1041         [ESnext] Implement Object Spread
1042         https://bugs.webkit.org/show_bug.cgi?id=167963
1043
1044         Reviewed by Saam Barati.
1045
1046         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
1047         It's implemented using CopyDataPropertiesNoExclusions to copy
1048         all enumerable keys from the object being spread. The implementation of
1049         CopyDataPropertiesNoExclusions follows the CopyDataProperties
1050         implementation; however, we don't receive excludedNames as a parameter.
1051
1052         [1] - https://github.com/tc39/proposal-object-rest-spread
1053
1054         * builtins/GlobalOperations.js:
1055         (globalPrivate.copyDataPropertiesNoExclusions):
1056         * bytecompiler/BytecodeGenerator.cpp:
1057         (JSC::BytecodeGenerator::emitLoad):
1058         * bytecompiler/NodesCodegen.cpp:
1059         (JSC::PropertyListNode::emitBytecode):
1060         (JSC::ObjectSpreadExpressionNode::emitBytecode):
1061         * parser/ASTBuilder.h:
1062         (JSC::ASTBuilder::createObjectSpreadExpression):
1063         (JSC::ASTBuilder::createProperty):
1064         * parser/NodeConstructors.h:
1065         (JSC::PropertyNode::PropertyNode):
1066         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
1067         * parser/Nodes.h:
1068         (JSC::ObjectSpreadExpressionNode::expression):
1069         * parser/Parser.cpp:
1070         (JSC::Parser<LexerType>::parseProperty):
1071         * parser/SyntaxChecker.h:
1072         (JSC::SyntaxChecker::createObjectSpreadExpression):
1073         (JSC::SyntaxChecker::createProperty):
1074
1075 2017-07-12  Mark Lam  <mark.lam@apple.com>
1076
1077         Gardening: build fix after r219434.
1078         https://bugs.webkit.org/show_bug.cgi?id=174441
1079
1080         Not reviewed.
1081
1082         Make public some MacroAssembler functions that are needed by the probe implementation.
1083
1084         * assembler/MacroAssemblerARM.h:
1085         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1086         * assembler/MacroAssemblerARMv7.h:
1087         (JSC::MacroAssemblerARMv7::linkCall):
1088
1089 2017-07-12  Mark Lam  <mark.lam@apple.com>
1090
1091         Move Probe code from AbstractMacroAssembler to MacroAssembler.
1092         https://bugs.webkit.org/show_bug.cgi?id=174441
1093
1094         Reviewed by Saam Barati.
1095
1096         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
1097         to MacroAssembler.  There is no code behavior change.
1098
1099         * assembler/AbstractMacroAssembler.h:
1100         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
1101         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
1102         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
1103         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
1104         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
1105         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
1106         * assembler/MacroAssembler.h:
1107         (JSC::MacroAssembler::CPUState::gprName):
1108         (JSC::MacroAssembler::CPUState::fprName):
1109         (JSC::MacroAssembler::CPUState::gpr):
1110         (JSC::MacroAssembler::CPUState::fpr):
1111         * assembler/MacroAssemblerARM.cpp:
1112         (JSC::MacroAssembler::probe):
1113         (JSC::MacroAssemblerARM::probe): Deleted.
1114         * assembler/MacroAssemblerARM.h:
1115         * assembler/MacroAssemblerARM64.cpp:
1116         (JSC::MacroAssembler::probe):
1117         (JSC::MacroAssemblerARM64::probe): Deleted.
1118         * assembler/MacroAssemblerARM64.h:
1119         * assembler/MacroAssemblerARMv7.cpp:
1120         (JSC::MacroAssembler::probe):
1121         (JSC::MacroAssemblerARMv7::probe): Deleted.
1122         * assembler/MacroAssemblerARMv7.h:
1123         * assembler/MacroAssemblerMIPS.h:
1124         * assembler/MacroAssemblerX86Common.cpp:
1125         (JSC::MacroAssembler::probe):
1126         (JSC::MacroAssemblerX86Common::probe): Deleted.
1127         * assembler/MacroAssemblerX86Common.h:
1128
1129 2017-07-12  Saam Barati  <sbarati@apple.com>
1130
1131         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
1132         https://bugs.webkit.org/show_bug.cgi?id=174411
1133         <rdar://problem/31696186>
1134
1135         Reviewed by Mark Lam.
1136
1137         The code for deleting an argument was incorrectly referencing state
1138         when it decided if it should unmap or mark a property as having its
1139         descriptor modified. This patch fixes the bug where if we delete a
1140         property, we would sometimes not unmap an argument when deleting it.
1141
1142         * runtime/GenericArgumentsInlines.h:
1143         (JSC::GenericArguments<Type>::getOwnPropertySlot):
1144         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
1145         (JSC::GenericArguments<Type>::deleteProperty):
1146         (JSC::GenericArguments<Type>::deletePropertyByIndex):
1147
1148 2017-07-12  Commit Queue  <commit-queue@webkit.org>
1149
1150         Unreviewed, rolling out r219176.
1151         https://bugs.webkit.org/show_bug.cgi?id=174436
1152
1153         "Can cause infinite recursion on iOS" (Requested by mlam on
1154         #webkit).
1155
1156         Reverted changeset:
1157
1158         "WTF::Thread should have the threads stack bounds."
1159         https://bugs.webkit.org/show_bug.cgi?id=173975
1160         http://trac.webkit.org/changeset/219176
1161
1162 2017-07-12  Matt Lewis  <jlewis3@apple.com>
1163
1164         Unreviewed, rolling out r219401.
1165
1166         This revision rolled out the previous patch, but after talking
1167         with the reviewer, a rebaseline is what was needed. Rolling back in
1168         before rebaseline.
1169
1170         Reverted changeset:
1171
1172         "Unreviewed, rolling out r219379."
1173         https://bugs.webkit.org/show_bug.cgi?id=174400
1174         http://trac.webkit.org/changeset/219401
1175
1176 2017-07-12  Matt Lewis  <jlewis3@apple.com>
1177
1178         Unreviewed, rolling out r219379.
1179
1180         This revision caused a consistent failure in the test
1181         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
1183
1184         Reverted changeset:
1185
1186         "Remove NAVIGATOR_HWCONCURRENCY"
1187         https://bugs.webkit.org/show_bug.cgi?id=174400
1188         http://trac.webkit.org/changeset/219379
1189
1190 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
1191
1192         Wrong radix used in Unicode Escape in invalid character error message
1193         https://bugs.webkit.org/show_bug.cgi?id=174419
1194
1195         Reviewed by Alex Christensen.
1196
1197         * parser/Lexer.cpp:
1198         (JSC::Lexer<T>::invalidCharacterMessage):
1199
1200 2017-07-11  Dean Jackson  <dino@apple.com>
1201
1202         Remove NAVIGATOR_HWCONCURRENCY
1203         https://bugs.webkit.org/show_bug.cgi?id=174400
1204
1205         Reviewed by Sam Weinig.
1206
1207         * Configurations/FeatureDefines.xcconfig:
1208
1209 2017-07-11  Dean Jackson  <dino@apple.com>
1210
1211         Rolling out r219372.
1212
1213         * Configurations/FeatureDefines.xcconfig:
1214
1215 2017-07-11  Dean Jackson  <dino@apple.com>
1216
1217         Remove NAVIGATOR_HWCONCURRENCY
1218         https://bugs.webkit.org/show_bug.cgi?id=174400
1219
1220         Reviewed by Sam Weinig.
1221
1222         * Configurations/FeatureDefines.xcconfig:
1223
1224 2017-07-11  Saam Barati  <sbarati@apple.com>
1225
1226         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
1227         https://bugs.webkit.org/show_bug.cgi?id=174397
1228
1229         Rubber stamped by David Kilzer.
1230
1231         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
1232         * wasm/js/WebAssemblyFunctionCell.h: Removed.
1233
1234 2017-07-10  Saam Barati  <sbarati@apple.com>
1235
1236         Allocation sinking phase should consider a CheckStructure that would fail as an escape
1237         https://bugs.webkit.org/show_bug.cgi?id=174321
1238         <rdar://problem/32604963>
1239
1240         Reviewed by Filip Pizlo.
1241
1242         When the allocation sinking phase was generating stores to materialize
1243         objects in a cycle with each other, it would assume that each materialized
1244         object had a valid, non-empty set of structures. This is an OK assumption for
1245         the phase to make because how do you materialize an object with no structure?
1246         
1247         The abstract interpretation part of the phase will model what's in the heap.
1248         However, it would sometimes model that a CheckStructure would fail. The phase
1249         did nothing special for this; it just stored the empty set of structures for
1250         its representation of a particular allocation. However, what the phase proved
1251         in such a scenario is that, had the CheckStructure executed, it would have exited.
1252         
1253         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
1254         This will cause the allocation in question to be materialized just before
1255         the CheckStructure, and then at execution time, the CheckStructure will exit.
1256         
1257         I wasn't able to write a test case for this. However, I was able to reproduce
1258         this crash by manually editing the IR. I've opened a separate bug to help us
1259         create a testing framework for writing tests for hard to reproduce bugs like this:
1260         https://bugs.webkit.org/show_bug.cgi?id=174322
1261
1262         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1263
1264 2017-07-10  Devin Rousso  <drousso@apple.com>
1265
1266         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
1267         https://bugs.webkit.org/show_bug.cgi?id=174279
1268
1269         Reviewed by Matt Baker.
1270
1271         * inspector/protocol/DOM.json:
1272         Add `highlightNodeList` command that will highlight each node in the given list.
1273
1274 2017-07-03  Brian Burg  <bburg@apple.com>
1275
1276         Web Replay: remove some unused code
1277         https://bugs.webkit.org/show_bug.cgi?id=173903
1278
1279         Rubber-stamped by Joseph Pecoraro.
1280
1281         * CMakeLists.txt:
1282         * Configurations/FeatureDefines.xcconfig:
1283         * DerivedSources.make:
1284         * JavaScriptCore.xcodeproj/project.pbxproj:
1285         * inspector/protocol/Replay.json: Removed.
1286         * replay/EmptyInputCursor.h: Removed.
1287         * replay/EncodedValue.cpp: Removed.
1288         * replay/EncodedValue.h: Removed.
1289         * replay/InputCursor.h: Removed.
1290         * replay/JSInputs.json: Removed.
1291         * replay/NondeterministicInput.h: Removed.
1292         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
1293         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
1294         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
1295         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
1296         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
1297         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
1298         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
1299         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
1300         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
1301         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
1302         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
1303         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
1304         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
1305         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
1306         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
1307         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
1308         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
1309         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
1310         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
1311         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
1312         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
1313         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
1314         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
1315         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
1316         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
1317         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
1318         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
1319         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
1320         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
1321         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
1322         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
1323         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
1324         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
1325         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
1326         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
1327         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
1328         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
1329         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
1330         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
1331         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
1332         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
1333         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
1334         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
1335         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
1336         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
1337         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
1338         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
1339         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
1340         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
1341         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
1342         * replay/scripts/tests/generate-input-with-guard.json: Removed.
1343         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
1344         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
1345         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
1346         * runtime/DateConstructor.cpp:
1347         (JSC::constructDate):
1348         (JSC::dateNow):
1349         (JSC::deterministicCurrentTime): Deleted.
1350         * runtime/JSGlobalObject.cpp:
1351         (JSC::JSGlobalObject::JSGlobalObject):
1352         (JSC::JSGlobalObject::setInputCursor): Deleted.
1353         * runtime/JSGlobalObject.h:
1354         (JSC::JSGlobalObject::inputCursor): Deleted.
1355
1356 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
1357
1358         Move make-js-file-arrays.py from WebCore to JavaScriptCore
1359         https://bugs.webkit.org/show_bug.cgi?id=174024
1360
1361         Reviewed by Michael Catanzaro.
1362
        It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
        specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
        Added a command line option to pass the namespace to use instead of using WebCore.
1366
1367         * JavaScriptCore.xcodeproj/project.pbxproj:
1368         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
1369         (main):
1370
1371 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1372
1373         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
1374         https://bugs.webkit.org/show_bug.cgi?id=174296
1375
1376         Reviewed by Mark Lam.
1377
        Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
        This caused a problem when scanning template literals. While template literals normalize
        <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
        To handle it correctly, LineNumberAdder was introduced.

        As of r219263, <LF><CR> is counted as two line terminators, so we no longer need
        LineNumberAdder. Let's just use shiftLineTerminator() instead.
1385
1386         * parser/Lexer.cpp:
1387         (JSC::Lexer<T>::parseTemplateLiteral):
1388         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
1389         (JSC::LineNumberAdder::clear): Deleted.
1390         (JSC::LineNumberAdder::add): Deleted.
1391
1392 2017-07-09  Dan Bernstein  <mitz@apple.com>
1393
1394         [Xcode] ICU headers aren’t treated as system headers after r219155
1395         https://bugs.webkit.org/show_bug.cgi?id=174299
1396
1397         Reviewed by Sam Weinig.
1398
1399         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
1400           C++ compilers.
1401
        * runtime/IntlCollator.cpp: Removed documentation warning suppression.
1403         * runtime/IntlDateTimeFormat.cpp: Ditto.
1404         * runtime/JSGlobalObject.cpp: Ditto.
1405         * runtime/StringPrototype.cpp: Ditto.
1406
1407 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1408
1409         [JSC] Use fastMalloc / fastFree for STL containers
1410         https://bugs.webkit.org/show_bug.cgi?id=174297
1411
1412         Reviewed by Sam Weinig.
1413
        In some places, we intentionally use STL containers over WTF containers.
        For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
        because we do not have effective empty / deleted representations in the space of the key's values.
        But just using STL containers means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).

        We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
        We specify this allocator as the STL containers' allocator template parameter to allocate memory from fastMalloc.

        This WTF::FastAllocator gives us a chance to use STL containers when necessary
        without compromising memory allocation throughput.
1424
1425         * dfg/DFGGraph.h:
1426         * dfg/DFGIntegerCheckCombiningPhase.cpp:
1427         * ftl/FTLLowerDFGToB3.cpp:
1428         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
1429         * runtime/FunctionHasExecutedCache.h:
1430         * runtime/TypeLocationCache.h:
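
        The following is an added example, not WTF's FastAllocator: a minimal C++ allocator that
        routes every allocation an STL container makes through a project-specific malloc/free pair.
        The pair used here (exampleFastMalloc / exampleFastFree) is a stand-in that wraps std::malloc
        and counts calls so the routing is observable; the real fastMalloc is not used.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>
#include <string>
#include <unordered_map>
#include <unordered_set>

namespace example {

// Stand-ins for fastMalloc/fastFree (assumed, not the WTF functions). The
// counters make it visible that container memory really came through here.
inline std::atomic<size_t> g_liveAllocations { 0 };
inline std::atomic<size_t> g_totalAllocations { 0 };

inline void* exampleFastMalloc(size_t bytes)
{
    void* p = std::malloc(bytes);
    if (!p)
        throw std::bad_alloc();
    ++g_liveAllocations;
    ++g_totalAllocations;
    return p;
}

inline void exampleFastFree(void* p)
{
    if (!p)
        return;
    --g_liveAllocations;
    std::free(p);
}

// Minimal C++ allocator: value_type, a converting constructor (so the
// container can rebind it to its node type), allocate/deallocate, and
// equality. Everything else comes from std::allocator_traits.
template<typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() = default;
    template<typename U> FastAllocator(const FastAllocator<U>&) noexcept { }

    T* allocate(size_t n)
    {
        if (n > SIZE_MAX / sizeof(T)) // guard the size multiplication
            throw std::bad_array_new_length();
        return static_cast<T*>(exampleFastMalloc(n * sizeof(T)));
    }
    void deallocate(T* p, size_t) noexcept { exampleFastFree(p); }
};

template<typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) { return true; }
template<typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) { return false; }

// "STL container, our heap": only the allocator parameter changes. Note that
// a std::string stored as a value still uses its own (default) allocator;
// the container's nodes and bucket arrays are what go through FastAllocator.
template<typename K, typename V>
using FastUnorderedMap = std::unordered_map<K, V, std::hash<K>, std::equal_to<K>,
                                            FastAllocator<std::pair<const K, V>>>;
template<typename K>
using FastUnorderedSet = std::unordered_set<K, std::hash<K>, std::equal_to<K>, FastAllocator<K>>;

struct AllocationReport {
    size_t allocationsDuringUse; // calls that reached exampleFastMalloc
    size_t liveAfterScope;       // should be 0: everything was returned
    size_t distinctKeys;
};

// Exercises both containers inside a scope and reports what went through
// the custom allocation path.
inline AllocationReport exerciseContainers()
{
    size_t before = g_totalAllocations.load();
    size_t distinct = 0;
    {
        FastUnorderedSet<int> seen;
        FastUnorderedMap<int, std::string> names;
        for (int i = 0; i < 64; ++i) {
            seen.insert(i % 16); // duplicates are absorbed
            names[i % 16] = "v" + std::to_string(i);
        }
        distinct = seen.size();
    }
    return { g_totalAllocations.load() - before, g_liveAllocations.load(), distinct };
}

} // namespace example
```

        The allocator is stateless, so all instances compare equal and memory from one instance may be
        freed through another; that is what lets the container rebind it freely to its node type.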
1431
1432 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
1433
1434         Drop NOSNIFF compile flag
1435         https://bugs.webkit.org/show_bug.cgi?id=174289
1436
1437         Reviewed by Michael Catanzaro.
1438
1439         * Configurations/FeatureDefines.xcconfig:
1440
1441 2017-07-07  AJ Ringer  <aringer@apple.com>
1442
1443         Lower the max_protection for the separated heap
1444         https://bugs.webkit.org/show_bug.cgi?id=174281
1445
1446         Reviewed by Oliver Hunt.
1447
1448         Switch to vm_protect so we can set maximum page protection.
1449
1450         * jit/ExecutableAllocator.cpp:
1451         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
1452         (JSC::ExecutableAllocator::allocate):
1453
1454 2017-07-07  Devin Rousso  <drousso@apple.com>
1455
1456         Web Inspector: Show all elements currently using a given CSS Canvas
1457         https://bugs.webkit.org/show_bug.cgi?id=173965
1458
1459         Reviewed by Joseph Pecoraro.
1460
1461         * inspector/protocol/Canvas.json:
         - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
           canvas via -webkit-canvas.
1464          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
1465            added/removed from the list of -webkit-canvas clients.
1466
1467 2017-07-07  Mark Lam  <mark.lam@apple.com>
1468
1469         \n\r is not the same as \r\n.
1470         https://bugs.webkit.org/show_bug.cgi?id=173053
1471
1472         Reviewed by Keith Miller.
1473
1474         * parser/Lexer.cpp:
1475         (JSC::Lexer<T>::shiftLineTerminator):
1476         (JSC::LineNumberAdder::add):
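
        The following is an added example, not JSC's lexer: it implements the ECMAScript line-terminator
        rule both of the entries above depend on (<CR><LF> is one LineTerminatorSequence, <LF><CR> is
        two) together with template-literal text normalization, and checks the invariant that made
        LineNumberAdder unnecessary: once <LF><CR> counts as two, the raw and the cooked template text
        always have the same number of line terminators. The names and the UTF-16 input type are this
        example's own choices.

```cpp
#include <cstddef>
#include <string>
#include <string_view>

namespace example {

constexpr char16_t LF = u'\n';
constexpr char16_t CR = u'\r';
constexpr char16_t LS = u'\u2028';
constexpr char16_t PS = u'\u2029';

inline bool isLineTerminator(char16_t c)
{
    return c == LF || c == CR || c == LS || c == PS;
}

// Counts LineTerminatorSequence occurrences (ECMA-262 "Line Terminators"):
// <CR><LF> is a single sequence; <LF><CR> is two separate ones. This is the
// bookkeeping a lexer's shiftLineTerminator() does when it bumps the line number.
inline size_t countLineTerminators(std::u16string_view src)
{
    size_t lines = 0;
    for (size_t i = 0; i < src.size(); ++i) {
        if (!isLineTerminator(src[i]))
            continue;
        ++lines;
        if (src[i] == CR && i + 1 < src.size() && src[i + 1] == LF)
            ++i; // <CR><LF>: consume the LF as part of the same terminator
    }
    return lines;
}

// Template Value normalization: <CR><LF> and a lone <CR> both become <LF>;
// every other code unit (including <LF> and <LS>/<PS>) is copied unchanged.
// Hence raw <LF><CR> cooks to <LF><LF>.
inline std::u16string cookTemplateText(std::u16string_view raw)
{
    std::u16string out;
    out.reserve(raw.size());
    for (size_t i = 0; i < raw.size(); ++i) {
        if (raw[i] == CR) {
            out.push_back(LF);
            if (i + 1 < raw.size() && raw[i + 1] == LF)
                ++i;
            continue;
        }
        out.push_back(raw[i]);
    }
    return out;
}

// The invariant: line count of the raw template text equals the line count
// of its cooked form. With the old rule (<LF><CR> counted once) this failed
// for "a\n\rb" (raw 1, cooked 2), which is what LineNumberAdder patched over.
inline bool lineCountsAgree(std::u16string_view raw)
{
    return countLineTerminators(raw) == countLineTerminators(cookTemplateText(raw));
}

} // namespace example
```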
1477
1478 2017-07-07  Commit Queue  <commit-queue@webkit.org>
1479
1480         Unreviewed, rolling out r219238, r219239, and r219241.
1481         https://bugs.webkit.org/show_bug.cgi?id=174265
1482
1483         "fast/workers/dedicated-worker-lifecycle.html is flaky"
1484         (Requested by yusukesuzuki on #webkit).
1485
1486         Reverted changesets:
1487
1488         "[WTF] Implement WTF::ThreadGroup"
1489         https://bugs.webkit.org/show_bug.cgi?id=174081
1490         http://trac.webkit.org/changeset/219238
1491
1492         "Unreviewed, build fix after r219238"
1493         https://bugs.webkit.org/show_bug.cgi?id=174081
1494         http://trac.webkit.org/changeset/219239
1495
1496         "Unreviewed, CLoop build fix after r219238"
1497         https://bugs.webkit.org/show_bug.cgi?id=174081
1498         http://trac.webkit.org/changeset/219241
1499
1500 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1501
1502         Unreviewed, CLoop build fix after r219238
1503         https://bugs.webkit.org/show_bug.cgi?id=174081
1504
1505         * heap/MachineStackMarker.cpp:
1506
1507 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1508
1509         [WTF] Implement WTF::ThreadGroup
1510         https://bugs.webkit.org/show_bug.cgi?id=174081
1511
1512         Reviewed by Mark Lam.
1513
        A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
        and SamplingProfiler and others interact with WTF::Thread directly.
1516
1517         * API/tests/ExecutionTimeLimitTest.cpp:
1518         * heap/MachineStackMarker.cpp:
1519         (JSC::MachineThreads::MachineThreads):
1520         (JSC::captureStack):
1521         (JSC::MachineThreads::tryCopyOtherThreadStack):
1522         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1523         (JSC::MachineThreads::gatherConservativeRoots):
1524         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1525         (JSC::ActiveMachineThreadsManager::add): Deleted.
1526         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1527         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1528         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1529         (JSC::activeMachineThreadsManager): Deleted.
1530         (JSC::MachineThreads::~MachineThreads): Deleted.
1531         (JSC::MachineThreads::addCurrentThread): Deleted.
1532         (): Deleted.
1533         (JSC::MachineThreads::removeThread): Deleted.
1534         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1535         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1536         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1537         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1538         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1539         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1540         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1541         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1542         * heap/MachineStackMarker.h:
1543         (JSC::MachineThreads::addCurrentThread):
1544         (JSC::MachineThreads::getLock):
1545         (JSC::MachineThreads::threads):
1546         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1547         (JSC::MachineThreads::MachineThread::resume): Deleted.
1548         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1549         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1550         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1551         (JSC::MachineThreads::threadsListHead): Deleted.
1552         * runtime/SamplingProfiler.cpp:
1553         (JSC::FrameWalker::isValidFramePointer):
1554         (JSC::SamplingProfiler::SamplingProfiler):
1555         (JSC::SamplingProfiler::takeSample):
1556         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1557         * runtime/SamplingProfiler.h:
1558         * wasm/WasmMachineThreads.cpp:
1559         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1560
1561 2017-07-06  Saam Barati  <sbarati@apple.com>
1562
1563         We are missing places where we invalidate the for-in context
1564         https://bugs.webkit.org/show_bug.cgi?id=174184
1565
1566         Reviewed by Geoffrey Garen.
1567
1568         * bytecompiler/BytecodeGenerator.cpp:
1569         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
1570         * bytecompiler/NodesCodegen.cpp:
1571         (JSC::EmptyLetExpression::emitBytecode):
1572         (JSC::ForInNode::emitLoopHeader):
1573         (JSC::ForOfNode::emitBytecode):
1574         (JSC::BindingNode::bindValue):
1575
1576 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1577
1578         Unreviewed, suppress warnings in GCC environment
1579
1580         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1581         * runtime/IntlCollator.cpp:
1582         * runtime/IntlDateTimeFormat.cpp:
1583         * runtime/JSGlobalObject.cpp:
1584         * runtime/StringPrototype.cpp:
1585
1586 2017-07-05  Saam Barati  <sbarati@apple.com>
1587
1588         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
1589         https://bugs.webkit.org/show_bug.cgi?id=174188
1590         <rdar://problem/30581423>
1591
1592         Reviewed by Mark Lam.
1593
1594         We were calling lowJSValue(edge) when we were speculating the
1595         edge as double. This isn't allowed. We should have been using
1596         lowDouble.
1597         
1598         This patch also adds a new option, called useArrayAllocationProfiling,
1599         which defaults to true. When false, it will make the array allocation
1600         profile not actually sample seen arrays. It'll force the allocation
1601         profile's predicted indexing type to be ArrayWithUndecided. Adding
1602         this option made it trivial to write a test for this bug.
1603
1604         * bytecode/ArrayAllocationProfile.cpp:
1605         (JSC::ArrayAllocationProfile::updateIndexingType):
1606         * ftl/FTLLowerDFGToB3.cpp:
1607         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
1608         * runtime/Options.h:
1609
1610 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
1611
1612         WTF::Thread should have the threads stack bounds.
1613         https://bugs.webkit.org/show_bug.cgi?id=173975
1614
1615         Reviewed by Keith Miller.
1616
        There is a site in JSC that tries to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData, which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We work around this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
        information is tightly coupled with Thread, so putting it in WTF::Thread
        is the natural choice.
1626
1627         * heap/MachineStackMarker.cpp:
1628         (JSC::MachineThreads::MachineThread::MachineThread):
1629         (JSC::MachineThreads::MachineThread::captureStack):
1630         * heap/MachineStackMarker.h:
1631         (JSC::MachineThreads::MachineThread::stackBase):
1632         (JSC::MachineThreads::MachineThread::stackEnd):
1633         * runtime/InitializeThreading.cpp:
1634         (JSC::initializeThreading):
1635         * runtime/VM.cpp:
1636         (JSC::VM::VM):
1637         (JSC::VM::updateStackLimits):
1638         (JSC::VM::committedStackByteCount):
1639         * runtime/VM.h:
1640         (JSC::VM::isSafeToRecurse):
1641         * runtime/VMEntryScope.cpp:
1642         (JSC::VMEntryScope::VMEntryScope):
1643         * runtime/VMInlines.h:
1644         (JSC::VM::ensureStackCapacityFor):
1645         * runtime/VMTraps.cpp:
1646         * yarr/YarrPattern.cpp:
1647         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1648
1649 2017-07-05  Keith Miller  <keith_miller@apple.com>
1650
1651         Crashing with information should have an abort reason
1652         https://bugs.webkit.org/show_bug.cgi?id=174185
1653
1654         Reviewed by Saam Barati.
1655
1656         Add crash information for the abstract interpreter and add an enum
1657         value for object allocation sinking.
1658
1659         * assembler/AbortReason.h:
1660         * dfg/DFGAbstractInterpreterInlines.h:
1661         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
1662         * dfg/DFGGraph.cpp:
1663         (JSC::DFG::logDFGAssertionFailure):
1664         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1665
1666 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1667
1668         Remove copy of ICU headers from WebKit
1669         https://bugs.webkit.org/show_bug.cgi?id=116407
1670
1671         Reviewed by Alex Christensen.
1672
1673         Use WTF's copy of ICU headers.
1674
1675         * Configurations/Base.xcconfig:
1676         * icu/unicode/localpointer.h: Removed.
1677         * icu/unicode/parseerr.h: Removed.
1678         * icu/unicode/platform.h: Removed.
1679         * icu/unicode/ptypes.h: Removed.
1680         * icu/unicode/putil.h: Removed.
1681         * icu/unicode/uchar.h: Removed.
1682         * icu/unicode/ucnv.h: Removed.
1683         * icu/unicode/ucnv_err.h: Removed.
1684         * icu/unicode/ucol.h: Removed.
1685         * icu/unicode/uconfig.h: Removed.
1686         * icu/unicode/ucurr.h: Removed.
1687         * icu/unicode/uenum.h: Removed.
1688         * icu/unicode/uiter.h: Removed.
1689         * icu/unicode/uloc.h: Removed.
1690         * icu/unicode/umachine.h: Removed.
1691         * icu/unicode/unorm.h: Removed.
1692         * icu/unicode/unorm2.h: Removed.
1693         * icu/unicode/urename.h: Removed.
1694         * icu/unicode/uscript.h: Removed.
1695         * icu/unicode/uset.h: Removed.
1696         * icu/unicode/ustring.h: Removed.
1697         * icu/unicode/utf.h: Removed.
1698         * icu/unicode/utf16.h: Removed.
1699         * icu/unicode/utf8.h: Removed.
1700         * icu/unicode/utf_old.h: Removed.
1701         * icu/unicode/utypes.h: Removed.
1702         * icu/unicode/uvernum.h: Removed.
1703         * icu/unicode/uversion.h: Removed.
1704         * runtime/IntlCollator.cpp:
1705         * runtime/IntlDateTimeFormat.cpp:
1706         (JSC::IntlDateTimeFormat::partTypeString):
1707         * runtime/JSGlobalObject.cpp:
1708         * runtime/StringPrototype.cpp:
1709         (JSC::normalize):
1710         (JSC::stringProtoFuncNormalize):
1711
1712 2017-07-05  Devin Rousso  <drousso@apple.com>
1713
1714         Web Inspector: Allow users to log any tracked canvas context
1715         https://bugs.webkit.org/show_bug.cgi?id=173397
1716         <rdar://problem/33111581>
1717
1718         Reviewed by Joseph Pecoraro.
1719
1720         * inspector/protocol/Canvas.json:
1721         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
1722
1723 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
1724
1725         Add WebKitPrivateFrameworkStubs for iOS 11
1726         https://bugs.webkit.org/show_bug.cgi?id=173988
1727
1728         Reviewed by David Kilzer.
1729
1730         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
1731         same directory for private framework stubs.
1732
1733 2017-07-05  JF Bastien  <jfbastien@apple.com>
1734
1735         WebAssembly: implement name section's module name, skip unknown sections
1736         https://bugs.webkit.org/show_bug.cgi?id=172008
1737
1738         Reviewed by Keith Miller.
1739
1740         Parse the WebAssembly module name properly, and skip unknown
1741         sections. This is useful because as toolchains support new types
1742         of names we want to keep displaying the information we know about
1743         and simply ignore new information. That capability was designed
1744         into WebAssembly's name section.
1745
1746         Failure to commit this patch would mean that WebKit won't display
1747         stack trace information, which would make developers sad.
1748
1749         Module names were added here: https://github.com/WebAssembly/design/pull/1055
1750
1751         Note that this patch doesn't do anything with the parsed name! Two
1752         reasons for this: module names aren't supported in binaryen yet,
1753         so I can't write a simple binary test; and using the name is a
1754         slightly riskier change because it requires changing StackVisitor
1755         + StackFrame (where they print "[wasm code]") which requires
1756         figuring out the frame's Module. The latter bit isn't trivial
1757         because we only know wasm frames from their tag bits, and
1758         CodeBlocks are always nullptr.
1759
1760         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
1761
1762         I filed #174098 to use the module name.
1763
1764         * wasm/WasmFormat.h:
1765         (JSC::Wasm::isValidNameType):
1766         * wasm/WasmNameSectionParser.cpp:
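
        The following is an added example, not JSC's WasmNameSectionParser: a bounds-checked parser for
        the payload of a WebAssembly "name" custom section that records the module name (subsection
        id 0) and function names (id 1) and skips any subsection id it does not understand instead of
        failing. The bytes come from an untrusted module, so every LEB128 and every length field is
        validated against the remaining buffer before it is used. The Reader class and the sample
        payload are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <string>
#include <utility>
#include <vector>

namespace example {

struct NameSection {
    std::optional<std::string> moduleName;
    std::vector<std::pair<uint32_t, std::string>> functionNames;
    size_t skippedSubsections = 0;
};

// Cursor over an untrusted byte buffer; every read checks the remaining size.
class Reader {
public:
    Reader(const uint8_t* data, size_t size) : m_data(data), m_size(size) { }

    bool atEnd() const { return m_offset == m_size; }
    size_t remaining() const { return m_size - m_offset; }
    size_t offset() const { return m_offset; }

    bool readU8(uint8_t& out)
    {
        if (remaining() < 1) return false;
        out = m_data[m_offset++];
        return true;
    }

    // Unsigned LEB128: at most 5 bytes, and the 5th may only carry 4 bits,
    // otherwise the value does not fit a u32 and the input is malformed.
    bool readVarU32(uint32_t& out)
    {
        uint32_t result = 0;
        for (unsigned shift = 0; shift < 35; shift += 7) {
            uint8_t byte;
            if (!readU8(byte)) return false;
            uint32_t payload = byte & 0x7f;
            if (shift == 28 && (payload >> 4) != 0) return false;
            result |= payload << shift;
            if (!(byte & 0x80)) { out = result; return true; }
        }
        return false;
    }

    bool readBytes(size_t count, std::string& out)
    {
        if (remaining() < count) return false;
        out.assign(reinterpret_cast<const char*>(m_data + m_offset), count);
        m_offset += count;
        return true;
    }

    bool skip(size_t count)
    {
        if (remaining() < count) return false;
        m_offset += count;
        return true;
    }

private:
    const uint8_t* m_data;
    size_t m_size;
    size_t m_offset = 0;
};

inline bool readName(Reader& reader, std::string& out)
{
    uint32_t length;
    return reader.readVarU32(length) && reader.readBytes(length, out);
}

// Subsection layout: id (one byte here), payload length (varuint32), payload.
// Returns nullopt on any malformed input rather than trusting a length field.
inline std::optional<NameSection> parseNameSection(const std::vector<uint8_t>& payload)
{
    Reader reader(payload.data(), payload.size());
    NameSection result;
    while (!reader.atEnd()) {
        uint8_t id;
        uint32_t length;
        if (!reader.readU8(id) || !reader.readVarU32(length)) return std::nullopt;
        if (reader.remaining() < length) return std::nullopt;
        size_t subsectionEnd = reader.offset() + length;

        if (id == 0) {
            std::string name;
            if (!readName(reader, name)) return std::nullopt;
            result.moduleName = std::move(name);
        } else if (id == 1) {
            uint32_t count; // not trusted: each entry is bounds-checked as it is read
            if (!reader.readVarU32(count)) return std::nullopt;
            for (uint32_t i = 0; i < count; ++i) {
                uint32_t index;
                std::string name;
                if (!reader.readVarU32(index) || !readName(reader, name)) return std::nullopt;
                result.functionNames.emplace_back(index, std::move(name));
            }
        } else {
            if (!reader.skip(length)) return std::nullopt; // unknown id: ignore, don't fail
            ++result.skippedSubsections;
        }
        if (reader.offset() != subsectionEnd) return std::nullopt; // declared length must match
    }
    return result;
}

// Constructed sample payload: module name "demo", an unknown subsection
// (id 7) that must be skipped, then function names for indices 0 and 3.
inline std::vector<uint8_t> sampleNameSectionPayload()
{
    return {
        0x00, 0x05, 0x04, 'd', 'e', 'm', 'o', // id 0, len 5, name "demo"
        0x07, 0x03, 0xaa, 0xbb, 0xcc,         // id 7 (unknown), len 3, opaque bytes
        0x01, 0x0a, 0x02,                     // id 1, len 10, count 2
              0x00, 0x03, 'r', 'u', 'n',      //   index 0 -> "run"
              0x03, 0x02, 'g', 'o',           //   index 3 -> "go"
    };
}

} // namespace example
```

        Skipping rather than rejecting unknown subsection ids is what lets older engines keep showing
        the names they do understand when a toolchain starts emitting new name types.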
1767
1768 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
1769
1770         Cleanup some StringBuilder use
1771         https://bugs.webkit.org/show_bug.cgi?id=174118
1772
1773         Reviewed by Andreas Kling.
1774
1775         * runtime/FunctionConstructor.cpp:
1776         (JSC::constructFunctionSkippingEvalEnabledCheck):
1777         * tools/FunctionOverrides.cpp:
1778         (JSC::parseClause):
1779         * wasm/WasmOMGPlan.cpp:
1780         * wasm/WasmPlan.cpp:
1781         * wasm/WasmValidate.cpp:
1782
1783 2017-07-03  Saam Barati  <sbarati@apple.com>
1784
1785         LayoutTest workers/bomb.html is a Crash
1786         https://bugs.webkit.org/show_bug.cgi?id=167757
1787         <rdar://problem/33086462>
1788
1789         Reviewed by Keith Miller.
1790
        VMTraps::SignalSender was accessing VM fields even after
        the VM was destroyed. This happened when the SignalSender
        thread was in the middle of its work() function while VMTraps
        was notified that the VM was shutting down. The VM would proceed
        to run its destructor even after the SignalSender thread finished
        doing its work. This means that the SignalSender thread was accessing
        VM fields even after the VM was destructed (including itself, since it is
        transitively owned by the VM). The VM must wait for the SignalSender
        thread to shut down before it can continue to destruct itself.
1800
1801         * runtime/VMTraps.cpp:
1802         (JSC::VMTraps::willDestroyVM):
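
        The following is an added example, not JSC's VMTraps: it models the shutdown-ordering rule the
        entry above describes. A helper thread that reads VM fields is stopped and joined inside the
        VM destructor's body, before the VM's members (the helper included) are destroyed; the report
        it returns records that the join happened before teardown. The broken ordering is described in
        comments only, since actually running it is a use-after-free. Class and member names are this
        example's own.

```cpp
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <cstddef>
#include <mutex>
#include <thread>

namespace example {

struct ShutdownReport {
    size_t workIterations = 0;             // how often the sender touched the VM
    bool senderJoinedBeforeTeardown = false;
    bool senderObservedStop = false;
};

class VM;

// Stand-in for VMTraps::SignalSender: a thread that periodically reads a
// field of the VM that owns it.
class SignalSender {
public:
    explicit SignalSender(VM& vm) : m_vm(vm) { }

    void start() { m_thread = std::thread([this] { work(); }); }

    // Called from the VM destructor body: request stop, then block until the
    // thread has exited. After this returns, no VM field can be touched by it.
    void willDestroyVM()
    {
        {
            std::lock_guard<std::mutex> lock(m_lock);
            m_stopRequested = true;
        }
        m_condition.notify_all();
        if (m_thread.joinable())
            m_thread.join();
    }

    bool joined() const { return !m_thread.joinable(); }
    size_t iterations() const { return m_iterations.load(); }
    bool observedStop() const { return m_observedStop.load(); }

private:
    void work();

    VM& m_vm;
    std::thread m_thread; // its destructor calls std::terminate if still joinable:
                          // a hard backstop against forgetting willDestroyVM()
    std::mutex m_lock;
    std::condition_variable m_condition;
    bool m_stopRequested = false;
    std::atomic<size_t> m_iterations { 0 };
    std::atomic<bool> m_observedStop { false };
};

class VM {
public:
    VM() : m_sender(*this) { m_sender.start(); }

    ~VM()
    {
        // Broken ordering: return from this body (or skip this call) while the
        // sender still runs; members are then destroyed under the sender's feet
        // and its next m_vm.m_trapFlags access reads freed memory.
        m_sender.willDestroyVM();
        m_report.senderJoinedBeforeTeardown = m_sender.joined();
        m_report.workIterations = m_sender.iterations();
        m_report.senderObservedStop = m_sender.observedStop();
        if (m_reportSink)
            *m_reportSink = m_report;
        // Only after the body returns are m_sender and m_trapFlags destroyed.
    }

    void setReportSink(ShutdownReport* sink) { m_reportSink = sink; }

    std::atomic<unsigned> m_trapFlags { 0 }; // the "VM field" the sender reads

private:
    ShutdownReport m_report;
    ShutdownReport* m_reportSink = nullptr;
    SignalSender m_sender; // transitively owned by the VM, destroyed first
};

inline void SignalSender::work()
{
    std::unique_lock<std::mutex> lock(m_lock);
    while (!m_stopRequested) {
        m_vm.m_trapFlags.fetch_add(1); // the access that must not outlive the VM
        ++m_iterations;
        m_condition.wait_for(lock, std::chrono::microseconds(50));
    }
    m_observedStop = true;
}

// Creates a VM, waits until the sender has run at least once, destroys the VM.
inline ShutdownReport runShutdownScenario()
{
    ShutdownReport report;
    {
        VM vm;
        vm.setReportSink(&report);
        while (vm.m_trapFlags.load() == 0)
            std::this_thread::yield();
        std::this_thread::sleep_for(std::chrono::milliseconds(2));
    }
    return report;
}

} // namespace example
```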
1803
1804 2017-07-03  Saam Barati  <sbarati@apple.com>
1805
1806         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
1807         https://bugs.webkit.org/show_bug.cgi?id=174110
1808
1809         Reviewed by Michael Saboff.
1810
1811         * dfg/DFGByteCodeParser.cpp:
1812         (JSC::DFG::ByteCodeParser::parseBlock):
1813
1814 2017-07-03  Saam Barati  <sbarati@apple.com>
1815
1816         Add a new assertion to object allocation sinking phase
1817         https://bugs.webkit.org/show_bug.cgi?id=174107
1818
1819         Rubber stamped by Filip Pizlo.
1820
1821         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1822
1823 2017-07-03  Commit Queue  <commit-queue@webkit.org>
1824
1825         Unreviewed, rolling out r219060.
1826         https://bugs.webkit.org/show_bug.cgi?id=174108
1827
1828         crashing constantly when initializing UIWebView (Requested by
1829         thorton on #webkit).
1830
1831         Reverted changeset:
1832
1833         "WTF::Thread should have the threads stack bounds."
1834         https://bugs.webkit.org/show_bug.cgi?id=173975
1835         http://trac.webkit.org/changeset/219060
1836
1837 2017-07-03  Matt Lewis  <jlewis3@apple.com>
1838
1839         Unreviewed, rolling out r219103.
1840
1841         Caused multiple build failures.
1842
1843         Reverted changeset:
1844
1845         "Remove copy of ICU headers from WebKit"
1846         https://bugs.webkit.org/show_bug.cgi?id=116407
1847         http://trac.webkit.org/changeset/219103
1848
1849 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
1850
1851         Remove copy of ICU headers from WebKit
1852         https://bugs.webkit.org/show_bug.cgi?id=116407
1853
1854         Reviewed by Alex Christensen.
1855
1856         Use WTF's copy of ICU headers.
1857
1858         * Configurations/Base.xcconfig:
1859         * icu/unicode/localpointer.h: Removed.
1860         * icu/unicode/parseerr.h: Removed.
1861         * icu/unicode/platform.h: Removed.
1862         * icu/unicode/ptypes.h: Removed.
1863         * icu/unicode/putil.h: Removed.
1864         * icu/unicode/uchar.h: Removed.
1865         * icu/unicode/ucnv.h: Removed.
1866         * icu/unicode/ucnv_err.h: Removed.
1867         * icu/unicode/ucol.h: Removed.
1868         * icu/unicode/uconfig.h: Removed.
1869         * icu/unicode/ucurr.h: Removed.
1870         * icu/unicode/uenum.h: Removed.
1871         * icu/unicode/uiter.h: Removed.
1872         * icu/unicode/uloc.h: Removed.
1873         * icu/unicode/umachine.h: Removed.
1874         * icu/unicode/unorm.h: Removed.
1875         * icu/unicode/unorm2.h: Removed.
1876         * icu/unicode/urename.h: Removed.
1877         * icu/unicode/uscript.h: Removed.
1878         * icu/unicode/uset.h: Removed.
1879         * icu/unicode/ustring.h: Removed.
1880         * icu/unicode/utf.h: Removed.
1881         * icu/unicode/utf16.h: Removed.
1882         * icu/unicode/utf8.h: Removed.
1883         * icu/unicode/utf_old.h: Removed.
1884         * icu/unicode/utypes.h: Removed.
1885         * icu/unicode/uvernum.h: Removed.
1886         * icu/unicode/uversion.h: Removed.
1887         * runtime/IntlCollator.cpp:
1888         * runtime/IntlDateTimeFormat.cpp:
1889         * runtime/JSGlobalObject.cpp:
1890         * runtime/StringPrototype.cpp:
1891
1892 2017-07-03  Saam Barati  <sbarati@apple.com>
1893
1894         Add better crash logging for allocation sinking phase
1895         https://bugs.webkit.org/show_bug.cgi?id=174102
1896         <rdar://problem/33112092>
1897
1898         Rubber stamped by Filip Pizlo.
1899
        I'm trying to gather better information from crash logs about why
        we're crashing in the allocation sinking phase. I'm adding an allocation
        sinking specific RELEASE_ASSERT as well as marking a few functions as
        NEVER_INLINE to have the stack traces in the crash trace contain more
        actionable information.
1905
1906         * dfg/DFGObjectAllocationSinkingPhase.cpp:
1907
1908 2017-07-03  Sam Weinig  <sam@webkit.org>
1909
1910         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
1911         https://bugs.webkit.org/show_bug.cgi?id=174083
1912
1913         Reviewed by Alex Christensen.
1914
1915         * Configurations/FeatureDefines.xcconfig:
1916         Add ENABLE_NAVIGATOR_STANDALONE.
1917
1918 2017-07-03  Andy Estes  <aestes@apple.com>
1919
1920         [Xcode] Add an experimental setting to build with ccache
1921         https://bugs.webkit.org/show_bug.cgi?id=173875
1922
1923         Reviewed by Tim Horton.
1924
1925         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
1926
1927 2017-07-03  Devin Rousso  <drousso@apple.com>
1928
1929         Web Inspector: Support listing WebGL2 and WebGPU contexts
1930         https://bugs.webkit.org/show_bug.cgi?id=173396
1931
1932         Reviewed by Joseph Pecoraro.
1933
1934         * inspector/protocol/Canvas.json:
1935         * inspector/scripts/codegen/generator.py:
1936         (Generator.stylized_name_for_enum_value):
1937         Add cases for handling new Canvas.ContextType protocol enumerations:
1938          - "webgl2" maps to `WebGL2`
1939          - "webgpu" maps to `WebGPU`
1940
1941 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
1942
1943         WTF::Thread should have the threads stack bounds.
1944         https://bugs.webkit.org/show_bug.cgi?id=173975
1945
1946         Reviewed by Mark Lam.
1947
        There is a site in JSC that tries to walk another thread's stack.
        Currently, stack bounds are stored in WTFThreadData, which is located
        in TLS. Thus, only the thread itself can access its own WTFThreadData.
        We work around this situation by holding StackBounds in MachineThread in JSC,
        but StackBounds should be put in WTF::Thread instead.

        This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
        information is tightly coupled with Thread, so putting it in WTF::Thread
        is the natural choice.
1957
1958         * heap/MachineStackMarker.cpp:
1959         (JSC::MachineThreads::MachineThread::MachineThread):
1960         (JSC::MachineThreads::MachineThread::captureStack):
1961         * heap/MachineStackMarker.h:
1962         (JSC::MachineThreads::MachineThread::stackBase):
1963         (JSC::MachineThreads::MachineThread::stackEnd):
1964         * runtime/InitializeThreading.cpp:
1965         (JSC::initializeThreading):
1966         * runtime/VM.cpp:
1967         (JSC::VM::VM):
1968         (JSC::VM::updateStackLimits):
1969         (JSC::VM::committedStackByteCount):
1970         * runtime/VM.h:
1971         (JSC::VM::isSafeToRecurse):
1972         * runtime/VMEntryScope.cpp:
1973         (JSC::VMEntryScope::VMEntryScope):
1974         * runtime/VMInlines.h:
1975         (JSC::VM::ensureStackCapacityFor):
1976         * runtime/VMTraps.cpp:
1977         * yarr/YarrPattern.cpp:
1978         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
1979
1980 2017-07-01  Dan Bernstein  <mitz@apple.com>
1981
1982         [iOS] Remove code only needed when building for iOS 9.x
1983         https://bugs.webkit.org/show_bug.cgi?id=174068
1984
1985         Reviewed by Tim Horton.
1986
1987         * Configurations/FeatureDefines.xcconfig:
1988         * jit/ExecutableAllocator.cpp:
1989         * runtime/Options.cpp:
1990         (JSC::recomputeDependentOptions):
1991
1992 2017-07-01  Dan Bernstein  <mitz@apple.com>
1993
1994         [macOS] Remove code only needed when building for OS X Yosemite
1995         https://bugs.webkit.org/show_bug.cgi?id=174067
1996
1997         Reviewed by Tim Horton.
1998
1999         * API/WebKitAvailability.h:
2000         * Configurations/Base.xcconfig:
2001         * Configurations/DebugRelease.xcconfig:
2002         * Configurations/FeatureDefines.xcconfig:
2003         * Configurations/Version.xcconfig:
2004
2005 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2006
2007         Unreviewed, build fix for GCC
2008         https://bugs.webkit.org/show_bug.cgi?id=174034
2009
2010         * b3/testb3.cpp:
2011         (JSC::B3::testDoubleLiteralComparison):
2012
2013 2017-06-30  Keith Miller  <keith_miller@apple.com>
2014
2015         Force crashWithInfo to be out of line.
2016         https://bugs.webkit.org/show_bug.cgi?id=174028
2017
2018         Reviewed by Filip Pizlo.
2019
2020         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
2021
2022         * dfg/DFGGraph.cpp:
2023         (JSC::DFG::logDFGAssertionFailure):
2024         (JSC::DFG::Graph::logAssertionFailure):
2025         (JSC::DFG::crash): Deleted.
2026         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
2027         * dfg/DFGGraph.h:
2028
2029 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2030
2031         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
2032         https://bugs.webkit.org/show_bug.cgi?id=174053
2033
2034         Reviewed by Geoffrey Garen.
2035
2036         We already have AbstractMacroAssembler::random() function. Use it instead.
2037
2038         * jit/JIT.cpp:
2039         (JSC::JIT::JIT):
2040         (JSC::JIT::compileWithoutLinking):
2041         * jit/JIT.h:
2042
2043 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2044
2045         [WTF] Drop SymbolRegistry::keyForSymbol
2046         https://bugs.webkit.org/show_bug.cgi?id=174052
2047
2048         Reviewed by Sam Weinig.
2049
2050         * runtime/SymbolConstructor.cpp:
2051         (JSC::symbolConstructorKeyFor):
2052
2053 2017-06-30  Saam Barati  <sbarati@apple.com>
2054
2055         B3ReduceStrength should reduce EqualOrUnordered over const float input
2056         https://bugs.webkit.org/show_bug.cgi?id=174039
2057
2058         Reviewed by Michael Saboff.
2059
2060         We perform this folding for ConstDoubleValue. It is simply
2061         an oversight that we didn't do it for ConstFloatValue.
2062
2063         * b3/B3ConstFloatValue.cpp:
2064         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
2065         * b3/B3ConstFloatValue.h:
2066         * b3/testb3.cpp:
2067         (JSC::B3::testFloatEqualOrUnorderedFolding):
2068         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
2069         (JSC::B3::testFloatEqualOrUnorderedDontFold):
2070         (JSC::B3::run):
2071
2072 2017-06-30  Matt Baker  <mattbaker@apple.com>
2073
2074         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
2075         https://bugs.webkit.org/show_bug.cgi?id=173840
2076         <rdar://problem/30840820>
2077
2078         Reviewed by Joseph Pecoraro.
2079
2080         When truncating an asynchronous stack trace, the parent chain is traversed
2081         until a locked node is found. The path from this node to the root is shared
2082         by more than one stack trace, and cannot be safely modified. Starting at
2083         the first locked node, the path is cloned and becomes a new stack trace tree.
2084
2085         However, the clone operation initialized each new AsyncStackTrace node with
2086         the original node's parent. This would increment the child count of the original
2087         node. When cloning nodes, new nodes should not have their parent set until the
2088         next node up the parent chain is cloned.
2089
2090         * inspector/AsyncStackTrace.cpp:
2091         (Inspector::AsyncStackTrace::truncate):
2092
2093 2017-06-30  Michael Saboff  <msaboff@apple.com>
2094
2095         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
2096         https://bugs.webkit.org/show_bug.cgi?id=174044
2097
2098         Reviewed by Oliver Hunt.
2099
2100         The .* enclosure optimization didn't respect that we can start matching from a non-zero
2101         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
2102         then finding the extent of the match by going back to the beginning of the line and going
2103         forward to the end of the line.  The code that went back to the beginning of the line
2104         checked for an index of 0 instead of comparing the index to the start position.  This start
2105         position is passed as the initial index.
2106
2107         Added another temporary register to the YARR JIT to contain the start position for
2108         platforms that have spare registers.
2109
2110         * yarr/Yarr.h:
2111         * yarr/YarrInterpreter.cpp:
2112         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
2113         (JSC::Yarr::Interpreter::Interpreter):
2114         * yarr/YarrJIT.cpp:
2115         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
2116         (JSC::Yarr::YarrGenerator::compile):
2117         * yarr/YarrPattern.cpp:
2118         (JSC::Yarr::YarrPattern::YarrPattern):
2119         * yarr/YarrPattern.h:
2120         (JSC::Yarr::YarrPattern::reset):
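
Toy model of the .* enclosure optimization described above, as an added example (hypothetical code, not YARR's): the backward walk to the line start is bounded by the start position handed in (for a \g regexp, its lastIndex) instead of by index 0, and the flag lets you compare the fixed and the pre-fix behaviour.

```cpp
#include <cstddef>
#include <string>

// Result of a toy /.*<term>.*/ match: [start, end) within the input.
struct EnclosureMatch {
    bool matched;
    size_t start;
    size_t end;
};

// Hypothetical model of the ".* enclosure" optimization (added example, not YARR code).
// It first locates <term> at or after startIndex, then extends the match backwards
// and forwards to the line boundaries. respectStartIndex selects the fixed behaviour:
// the backward walk must stop at startIndex, not at index 0.
EnclosureMatch matchDotStarEnclosure(const std::string& input, size_t startIndex,
                                     const std::string& term, bool respectStartIndex)
{
    size_t termPos = input.find(term, startIndex);
    if (termPos == std::string::npos)
        return { false, 0, 0 };

    // Walk back to the start of the line. The pre-fix code compared against 0,
    // so a match that began at a non-zero startIndex could report an earlier start.
    size_t lowerBound = respectStartIndex ? startIndex : 0;
    size_t start = termPos;
    while (start > lowerBound && input[start - 1] != '\n')
        --start;

    // Walk forward to the end of the line (. does not match a line terminator).
    size_t end = termPos + term.size();
    while (end < input.size() && input[end] != '\n')
        ++end;

    return { true, start, end };
}
```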
2121
2122 2017-06-30  Saam Barati  <sbarati@apple.com>
2123
2124         B3MoveConstants floatZero() returns the wrong ValueKey
2125         https://bugs.webkit.org/show_bug.cgi?id=174040
2126
2127         Reviewed by Filip Pizlo.
2128
2129         It had a typo where the ValueKey for floatZero() produces a Double
2130         instead of a Float.
2131
2132         * b3/B3MoveConstants.cpp:
2133
2134 2017-06-30  Saam Barati  <sbarati@apple.com>
2135
2136         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
2137         https://bugs.webkit.org/show_bug.cgi?id=174034
2138         <rdar://problem/30793007>
2139
2140         Reviewed by Filip Pizlo.
2141
2142         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
2143         reduce binary operations over double constants into the same binary
2144         operation over the double constants casted to floats. This is clearly
2145         incorrect as these two things will produce different values. For example:
2146         
2147         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
2148         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
2149         c = EqualOrUnordered(@a, @b) // produces 0
2150         
2151         into:
2152         
2153         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
2154         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
2155         c = EqualOrUnordered(@a, @b) // produces 1
2156         
2157         Which produces a different value for @c.
2158
2159         * b3/B3ReduceDoubleToFloat.cpp:
2160         * b3/testb3.cpp:
2161         (JSC::B3::doubleEq):
2162         (JSC::B3::doubleNeq):
2163         (JSC::B3::doubleGt):
2164         (JSC::B3::doubleGte):
2165         (JSC::B3::doubleLt):
2166         (JSC::B3::doubleLte):
2167         (JSC::B3::testDoubleLiteralComparison):
2168         (JSC::B3::run):
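
The comparison above carried out in plain C++, as an added example that is not part of JSC: foldAsDouble is the correct folding, foldAfterNarrowingToFloat reproduces the incorrect reduction, and reductionIsSafe is a hypothetical guard (an assumption, not the fix the patch applies) that only admits constants which round-trip through float exactly.

```cpp
#include <cfloat>
#include <cmath>
#include <cstdint>
#include <cstring>

// bitwise_cast helpers, following the ChangeLog's notation.
static double doubleFromBits(uint64_t bits) { double d; std::memcpy(&d, &bits, sizeof d); return d; }
static uint64_t bitsFromDouble(double d) { uint64_t bits; std::memcpy(&bits, &d, sizeof bits); return bits; }

// B3's EqualOrUnordered: true when the operands compare equal or either is NaN.
static bool equalOrUnorderedDouble(double a, double b) { return a == b || std::isnan(a) || std::isnan(b); }
static bool equalOrUnorderedFloat(float a, float b) { return a == b || std::isnan(a) || std::isnan(b); }

// Correct folding: compare the double constants as doubles.
bool foldAsDouble(uint64_t aBits, uint64_t bBits)
{
    return equalOrUnorderedDouble(doubleFromBits(aBits), doubleFromBits(bBits));
}

// The incorrect reduction: narrow each constant to float first, then compare.
// Narrowing can merge distinct doubles (a negative subnormal and zero both become
// a float zero), so the result can differ from foldAsDouble.
bool foldAfterNarrowingToFloat(uint64_t aBits, uint64_t bBits)
{
    float a = static_cast<float>(doubleFromBits(aBits));
    float b = static_cast<float>(doubleFromBits(bBits));
    return equalOrUnorderedFloat(a, b);
}

// Hypothetical guard: a double constant may be narrowed without changing any
// comparison only if it round-trips through float exactly. NaN and infinities
// survive narrowing; finite values beyond float's range are rejected up front
// so the conversion itself stays well defined.
bool narrowsExactly(double d)
{
    if (std::isnan(d) || std::isinf(d))
        return true;
    if (std::fabs(d) > static_cast<double>(FLT_MAX))
        return false;
    float f = static_cast<float>(d);
    return static_cast<double>(f) == d;
}

bool reductionIsSafe(uint64_t aBits, uint64_t bBits)
{
    return narrowsExactly(doubleFromBits(aBits)) && narrowsExactly(doubleFromBits(bBits));
}
```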
2169
2170 2017-06-29  Jer Noble  <jer.noble@apple.com>
2171
2172         Make Legacy EME API controlled by RuntimeEnabled setting.
2173         https://bugs.webkit.org/show_bug.cgi?id=173994
2174
2175         Reviewed by Sam Weinig.
2176
2177         * Configurations/FeatureDefines.xcconfig:
2178         * runtime/CommonIdentifiers.h:
2179
2180 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
2181
2182         Ran sort-Xcode-project-file.
2183
2184         * JavaScriptCore.xcodeproj/project.pbxproj:
2185
2186 2017-06-30  Matt Lewis  <jlewis3@apple.com>
2187
2188         Unreviewed, rolling out r218992.
2189
2190         The patch broke the iOS device builds.
2191
2192         Reverted changeset:
2193
2194         "DFG_ASSERT should allow stuffing registers before trapping."
2195         https://bugs.webkit.org/show_bug.cgi?id=174005
2196         http://trac.webkit.org/changeset/218992
2197
2198 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
2199
2200         RegExpCachedResult::setInput should reify left and right contexts
2201         https://bugs.webkit.org/show_bug.cgi?id=173818
2202
2203         Reviewed by Keith Miller.
2204         
2205         If you don't reify them in setInput, then when you later try to reify them, you'll end up
2206         using indices into an old input string to create a substring of a new input string. That
2207         never goes well.
2208
2209         * runtime/RegExpCachedResult.cpp:
2210         (JSC::RegExpCachedResult::setInput):
2211
2212 2017-06-30  Keith Miller  <keith_miller@apple.com>
2213
2214         DFG_ASSERT should allow stuffing registers before trapping.
2215         https://bugs.webkit.org/show_bug.cgi?id=174005
2216
2217         Reviewed by Mark Lam.
2218
2219         DFG_ASSERT currently prints error data to stderr before crashing,
2220         which is nice for local development. In the wild, however, we
2221         can't see this information in crash logs. This patch enables
2222         stuffing some of the most useful information from DFG_ASSERTS into
2223         up to five registers right before crashing. The values stuffed
2224         should not impact any logging during local development.
2225
2226         * assembler/AbortReason.h:
2227         * dfg/DFGAbstractInterpreterInlines.h:
2228         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2229         * dfg/DFGGraph.cpp:
2230         (JSC::DFG::logForCrash):
2231         (JSC::DFG::Graph::logAssertionFailure):
2232         (JSC::DFG::crash): Deleted.
2233         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
2234         * dfg/DFGGraph.h:
2235
2236 2017-06-29  Saam Barati  <sbarati@apple.com>
2237
2238         Calculating postCapacity in unshiftCountSlowCase is wrong
2239         https://bugs.webkit.org/show_bug.cgi?id=173992
2240         <rdar://problem/32283199>
2241
2242         Reviewed by Keith Miller.
2243
2244         This patch fixes a bug inside unshiftCountSlowCase where we would use
2245         more memory than we allocated. The bug was when deciding how much extra
2246         space we have after the vector we've allocated. This area is called the
2247         postCapacity. The largest legal postCapacity value we could use is the
2248         space we allocated minus the space we need:
2249         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
2250         However, the code was calculating the postCapacity as:
2251         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
2252         
2253         where count is how many elements we're appending. Depending on the inputs,
2254         count could be larger than (newStorageCapacity - requiredVectorLength). This
2255         would cause us to use more memory than we actually allocated.
2256
2257         * runtime/JSArray.cpp:
2258         (JSC::JSArray::unshiftCountSlowCase):
2259
2260 2017-06-29  Commit Queue  <commit-queue@webkit.org>
2261
2262         Unreviewed, rolling out r218512.
2263         https://bugs.webkit.org/show_bug.cgi?id=173981
2264
2265         "It changes the behavior of the JS API's JSEvaluateScript
2266         which breaks TurboTax" (Requested by saamyjoon on #webkit).
2267
2268         Reverted changeset:
2269
2270         "test262: Completion values for control flow do not match the
2271         spec"
2272         https://bugs.webkit.org/show_bug.cgi?id=171265
2273         http://trac.webkit.org/changeset/218512
2274
2275 2017-06-29  JF Bastien  <jfbastien@apple.com>
2276
2277         WebAssembly: disable some APIs under CSP
2278         https://bugs.webkit.org/show_bug.cgi?id=173892
2279         <rdar://problem/32914613>
2280
2281         Reviewed by Daniel Bates.
2282
2283         We should disable parts of WebAssembly under Content Security
2284         Policy as discussed here:
2285
2286         https://github.com/WebAssembly/design/issues/1092
2287
2288         Exactly what should be disabled isn't super clear, so we may as
2289         well be conservative and disable many things if developers already
2290         opted into CSP. It's easy to loosen what we disable later.
2291
2292         This patch disables:
2293         - WebAssembly.Instance
2294         - WebAssembly.instantiate
2295         - WebAssembly.Memory
2296         - WebAssembly.Table
2297
2298         And leaves:
2299         - WebAssembly on the global object
2300         - WebAssembly.Module
2301         - WebAssembly.compile
2302         - WebAssembly.CompileError
2303         - WebAssembly.LinkError
2304
2305         Nothing, because currently unimplemented:
2306         - WebAssembly.compileStreaming
2307         - WebAssembly.instantiateStreaming
2308
2309         That way it won't be possible to call WebAssembly-compiled code,
2310         or create memories (which use fancy 4GiB allocations
2311         sometimes). Table isn't really useful on its own, and eventually
2312         we may make them shareable so without more details it seems benign
2313         to disable them (and useless if we don't).
2314
2315         I haven't done anything with postMessage, so you can still
2316         postMessage a WebAssembly.Module cross-CSP, but you can't
2317         instantiate it so it's useless. Because of this I elected to leave
2318         WebAssembly.Module and friends available.
2319
2320         I haven't added any new directives. It's still unsafe-eval. We can
2321         add something else later, but it seems odd to add a WebAssembly as
2322         a new capability and tell developers "you should have been using
2323         this directive which we just implemented if you wanted to disable
2324         WebAssembly which didn't exist when you adopted CSP". So IMO we
2325         should keep unsafe-eval as it currently is, add WebAssembly to
2326         what it disables, and later consider having two new directives
2327         which do each individually or something.
2328
2329         In all cases I throw an EvalError *before* other WebAssembly
2330         errors would be produced.
2331
2332         Note that, as for eval, reporting doesn't work and is tracked by
2333         https://webkit.org/b/111869
2334
2335         * runtime/JSGlobalObject.cpp:
2336         (JSC::JSGlobalObject::JSGlobalObject):
2337         * runtime/JSGlobalObject.h:
2338         (JSC::JSGlobalObject::webAssemblyEnabled):
2339         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
2340         (JSC::JSGlobalObject::setWebAssemblyEnabled):
2341         * wasm/js/JSWebAssemblyInstance.cpp:
2342         (JSC::JSWebAssemblyInstance::create):
2343         * wasm/js/JSWebAssemblyMemory.cpp:
2344         (JSC::JSWebAssemblyMemory::create):
2345         * wasm/js/JSWebAssemblyMemory.h:
2346         * wasm/js/JSWebAssemblyTable.cpp:
2347         (JSC::JSWebAssemblyTable::create):
2348         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2349         (JSC::constructJSWebAssemblyMemory):
2350
2351 2017-06-28  Keith Miller  <keith_miller@apple.com>
2352
2353         VMTraps has some races
2354         https://bugs.webkit.org/show_bug.cgi?id=173941
2355
2356         Reviewed by Michael Saboff.
2357
2358         This patch refactors much of the VMTraps API.
2359
2360         On the message sending side:
2361
2362         1) No longer uses the Yarr JIT check to determine if we are in
2363         RegExp code. That was unsound because RegExp JIT code can be run
2364         on compilation threads.  Instead it looks at the current frame's
2365         code block slot and checks if it is valid, which is the same as
2366         what it did for JIT code previously.
2367
2368         2) Only have one signal sender thread. Previously, there could be
2369         many at once, which caused some data races. Additionally, the
2370         signal sender thread is an automatic thread so it will deallocate
2371         itself when not in use.
2372
2373         On the VMTraps breakpoint side:
2374
2375         1) We now have a true mapping of whether we hit a breakpoint instead of
2376         a JIT assertion. So the exception handler won't eat JIT assertions
2377         anymore.
2378
2379         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
2380         them instead of every CodeBlock on the stack. This both prevents
2381         us from hitting stale VMTraps breakpoints and also doesn't OSR
2382         codeblocks that otherwise don't need to be jettisoned.
2383
2384         3) The old exception handler could theoretically fail for a couple
2385         of reasons then resume execution with a clobbered instruction
2386         set. This patch will kill the program if the exception handler
2387         would fail.
2388
2389         This patch also refactors some of the jsc.cpp functions to take the
2390         CommandLine options object instead of individual options. Also, there
2391         is a new command line option that makes exceptions due to watchdog
2392         timeouts an acceptable result.
2393
2394         * API/tests/testapi.c:
2395         (main):
2396         * bytecode/CodeBlock.cpp:
2397         (JSC::CodeBlock::installVMTrapBreakpoints):
2398         * dfg/DFGCommonData.cpp:
2399         (JSC::DFG::pcCodeBlockMap):
2400         (JSC::DFG::CommonData::invalidate):
2401         (JSC::DFG::CommonData::~CommonData):
2402         (JSC::DFG::CommonData::installVMTrapBreakpoints):
2403         (JSC::DFG::codeBlockForVMTrapPC):
2404         * dfg/DFGCommonData.h:
2405         * jsc.cpp:
2406         (functionDollarAgentStart):
2407         (checkUncaughtException):
2408         (checkException):
2409         (runWithOptions):
2410         (printUsageStatement):
2411         (CommandLine::parseArguments):
2412         (jscmain):
2413         (runWithScripts): Deleted.
2414         * runtime/JSLock.cpp:
2415         (JSC::JSLock::didAcquireLock):
2416         * runtime/VMTraps.cpp:
2417         (JSC::sanitizedTopCallFrame):
2418         (JSC::VMTraps::tryInstallTrapBreakpoints):
2419         (JSC::VMTraps::willDestroyVM):
2420         (JSC::VMTraps::fireTrap):
2421         (JSC::VMTraps::handleTraps):
2422         (JSC::VMTraps::VMTraps):
2423         (JSC::VMTraps::~VMTraps):
2424         (JSC::findActiveVMAndStackBounds): Deleted.
2425         (JSC::installSignalHandler): Deleted.
2426         (JSC::VMTraps::addSignalSender): Deleted.
2427         (JSC::VMTraps::removeSignalSender): Deleted.
2428         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
2429         (JSC::VMTraps::SignalSender::send): Deleted.
2430         * runtime/VMTraps.h:
2431         (JSC::VMTraps::~VMTraps): Deleted.
2432         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
2433
2434 2017-06-28  Devin Rousso  <drousso@apple.com>
2435
2436         Web Inspector: Instrument active pixel memory used by canvases
2437         https://bugs.webkit.org/show_bug.cgi?id=173087
2438         <rdar://problem/32719261>
2439
2440         Reviewed by Joseph Pecoraro.
2441
2442         * inspector/protocol/Canvas.json:
2443          - Add optional `memoryCost` attribute to the `Canvas` type.
2444          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
2445
2446 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
2447
2448         Web Inspector: Cleanup Protocol JSON files
2449         https://bugs.webkit.org/show_bug.cgi?id=173934
2450
2451         Reviewed by Matt Baker.
2452
2453         * inspector/protocol/ApplicationCache.json:
2454         * inspector/protocol/CSS.json:
2455         * inspector/protocol/Console.json:
2456         * inspector/protocol/DOM.json:
2457         * inspector/protocol/DOMDebugger.json:
2458         * inspector/protocol/Debugger.json:
2459         * inspector/protocol/LayerTree.json:
2460         * inspector/protocol/Network.json:
2461         * inspector/protocol/Page.json:
2462         * inspector/protocol/Runtime.json:
2463         Be more consistent about placement of `description` property.
2464
2465 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2466
2467         Web Inspector: Remove unused Inspector domain events
2468         https://bugs.webkit.org/show_bug.cgi?id=173905
2469
2470         Reviewed by Matt Baker.
2471
2472         * inspector/protocol/Inspector.json:
2473
2474 2017-06-28  JF Bastien  <jfbastien@apple.com>
2475
2476         Ensure that computed new stack pointer values do not underflow.
2477         https://bugs.webkit.org/show_bug.cgi?id=173700
2478         <rdar://problem/32926032>
2479
2480         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
2481
2482         Patch by Mark Lam, with the following fix:
2483
2484         Re-apply this patch, it originally broke the ARM build because the llint code
2485         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
2486         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
2487         and operands to emit valid code (because the second operand can be SP).
2488
2489         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2490            m_numCalleeLocals is sane.
2491
2492         2. Added underflow checks in LLInt code and VarargsFrame code.
2493
2494         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2495            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2496            Ensure that Options::softReservedZoneSize() is at least greater than
2497            Options::reservedZoneSize() by minimumReservedZoneSize.
2498
2499         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2500            and only if the max size of the frame is greater than Options::reservedZoneSize().
2501
2502            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2503            of memory at the bottom (end) of the stack.  This means that, at any time, the
2504            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2505            end of the stack.  Hence, if the max frame size is less than
2506            Options::reservedZoneSize(), there's no way that frame pointer - max
2507            frame size can underflow, and we can elide the underflow check.
2508
2509            Note that we use Options::reservedZoneSize() instead of
2510            Options::softReservedZoneSize() for determining if we need an underflow check.
2511            This is because the softStackLimit that is used for stack checks can be set
2512            based on Options::reservedZoneSize() during error handling (e.g. when creating
2513            strings for instantiating the Error object).  Hence, the guaranteed minimum
2514            distance between the frame pointer and the end of the stack is
2515            Options::reservedZoneSize() and not Options::softReservedZoneSize().
2516
2517            Note also that we ensure that Options::reservedZoneSize() is at least
2518            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
2519            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
2520            instead of minimumReservedZoneSize gives us more chances to elide underflow
2521            checks.
2522
2523         * JavaScriptCore.xcodeproj/project.pbxproj:
2524         * bytecompiler/BytecodeGenerator.cpp:
2525         (JSC::BytecodeGenerator::generate):
2526         * dfg/DFGGraph.cpp:
2527         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
2528         * dfg/DFGJITCompiler.cpp:
2529         (JSC::DFG::emitStackOverflowCheck):
2530         (JSC::DFG::JITCompiler::compile):
2531         (JSC::DFG::JITCompiler::compileFunction):
2532         * ftl/FTLLowerDFGToB3.cpp:
2533         (JSC::FTL::DFG::LowerDFGToB3::lower):
2534         * jit/JIT.cpp:
2535         (JSC::JIT::compileWithoutLinking):
2536         * jit/SetupVarargsFrame.cpp:
2537         (JSC::emitSetupVarargsFrameFastCase):
2538         * llint/LLIntSlowPaths.cpp:
2539         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2540         * llint/LowLevelInterpreter.asm:
2541         * llint/LowLevelInterpreter32_64.asm:
2542         * llint/LowLevelInterpreter64.asm:
2543         * runtime/MinimumReservedZoneSize.h: Added.
2544         * runtime/Options.cpp:
2545         (JSC::recomputeDependentOptions):
2546         * runtime/VM.cpp:
2547         (JSC::VM::updateStackLimits):
2548         * wasm/WasmB3IRGenerator.cpp:
2549         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2550         * wasm/js/WebAssemblyFunction.cpp:
2551         (JSC::callWebAssemblyFunction):
2552
2553 2017-06-28  Chris Dumez  <cdumez@apple.com>
2554
2555         Unreviewed, rolling out r218869.
2556
2557         Broke the iOS build
2558
2559         Reverted changeset:
2560
2561         "Ensure that computed new stack pointer values do not
2562         underflow."
2563         https://bugs.webkit.org/show_bug.cgi?id=173700
2564         http://trac.webkit.org/changeset/218869
2565
2566 2017-06-28  Chris Dumez  <cdumez@apple.com>
2567
2568         Unreviewed, rolling out r218873.
2569
2570         Broke the iOS build
2571
2572         Reverted changeset:
2573
2574         "Gardening: CLoop build fix."
2575         https://bugs.webkit.org/show_bug.cgi?id=173700
2576         http://trac.webkit.org/changeset/218873
2577
2578 2017-06-28  Mark Lam  <mark.lam@apple.com>
2579
2580         Gardening: CLoop build fix.
2581         https://bugs.webkit.org/show_bug.cgi?id=173700
2582         <rdar://problem/32926032>
2583
2584         Not reviewed.
2585
2586         * llint/LLIntSlowPaths.cpp:
2587         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2588
2589 2017-06-28  Mark Lam  <mark.lam@apple.com>
2590
2591         Ensure that computed new stack pointer values do not underflow.
2592         https://bugs.webkit.org/show_bug.cgi?id=173700
2593         <rdar://problem/32926032>
2594
2595         Reviewed by Filip Pizlo and Saam Barati.
2596
2597         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
2598            m_numCalleeLocals is sane.
2599
2600         2. Added underflow checks in LLInt code and VarargsFrame code.
2601
2602         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
2603            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
2604            Ensure that Options::softReservedZoneSize() is at least greater than
2605            Options::reservedZoneSize() by minimumReservedZoneSize.
2606
2607         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
2608            and only if the max size of the frame is greater than Options::reservedZoneSize().
2609
2610            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
2611            of memory at the bottom (end) of the stack.  This means that, at any time, the
2612            frame pointer must be at least Options::reservedZoneSize() bytes away from the
2613            end of the stack.  Hence, if the max frame size is less than
2614            Options::reservedZoneSize(), there's no way that frame pointer - max
2615            frame size can underflow, and we can elide the underflow check.
2616
2617            Note that we use Options::reservedZoneSize() instead of
2618            Options::softReservedZoneSize() for determining if we need an underflow check.
2619            This is because the softStackLimit that is used for stack checks can be set
2620            based on Options::reservedZoneSize() during error handling (e.g. when creating
2621            strings for instantiating the Error object).  Hence, the guaranteed minimum
2622            distance between the frame pointer and the end of the stack is
2623            Options::reservedZoneSize() and not Options::softReservedZoneSize().
2624
2625            Note also that we ensure that Options::reservedZoneSize() is at least
2626            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
2627            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
2628            instead of minimumReservedZoneSize gives us more chances to elide underflow
2629            checks.
2630
2631         * JavaScriptCore.xcodeproj/project.pbxproj:
2632         * bytecompiler/BytecodeGenerator.cpp:
2633         (JSC::BytecodeGenerator::generate):
2634         * dfg/DFGGraph.cpp:
2635         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
2636         * dfg/DFGJITCompiler.cpp:
2637         (JSC::DFG::JITCompiler::compile):
2638         (JSC::DFG::JITCompiler::compileFunction):
2639         * ftl/FTLLowerDFGToB3.cpp:
2640         (JSC::FTL::DFG::LowerDFGToB3::lower):
2641         * jit/JIT.cpp:
2642         (JSC::JIT::compileWithoutLinking):
2643         * jit/SetupVarargsFrame.cpp:
2644         (JSC::emitSetupVarargsFrameFastCase):
2645         * llint/LLIntSlowPaths.cpp:
2646         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2647         * llint/LowLevelInterpreter.asm:
2648         * llint/LowLevelInterpreter32_64.asm:
2649         * llint/LowLevelInterpreter64.asm:
2650         * runtime/MinimumReservedZoneSize.h: Added.
2651         * runtime/Options.cpp:
2652         (JSC::recomputeDependentOptions):
2653         * runtime/VM.cpp:
2654         (JSC::VM::updateStackLimits):
2655         * wasm/WasmB3IRGenerator.cpp:
2656         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2657         * wasm/js/WebAssemblyFunction.cpp:
2658         (JSC::callWebAssemblyFunction):
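
Items 3 and 4 of the two entries above (the option clamping and the conditional underflow check) as a hypothetical model in plain C++, an added example rather than JSC code: addresses are plain integers, the stack grows downward from some top address to stackEnd, and the names mirror the ChangeLog's (minimumReservedZoneSize, reservedZoneSize, softReservedZoneSize, softStackLimit) without being the real Options API.

```cpp
#include <cstdint>

// The 16K floor from item 3 (a constant of this model, mirroring the ChangeLog).
constexpr uintptr_t minimumReservedZoneSize = 16 * 1024;

struct ReservedZones {
    uintptr_t reservedZoneSize;      // stands in for Options::reservedZoneSize()
    uintptr_t softReservedZoneSize;  // stands in for Options::softReservedZoneSize()
};

// Item 3: the reserved zone is at least 16K, and the soft reserved zone exceeds
// it by at least another 16K.
ReservedZones clampReservedZones(ReservedZones zones)
{
    if (zones.reservedZoneSize < minimumReservedZoneSize)
        zones.reservedZoneSize = minimumReservedZoneSize;
    if (zones.softReservedZoneSize < zones.reservedZoneSize + minimumReservedZoneSize)
        zones.softReservedZoneSize = zones.reservedZoneSize + minimumReservedZoneSize;
    return zones;
}

// Item 4: the frame pointer is always at least reservedZoneSize bytes above the
// end of the stack, so only a frame that could reach past that zone needs an
// explicit underflow check; smaller frames can elide it.
constexpr bool needsUnderflowCheck(uintptr_t maxFrameSize, uintptr_t reservedZoneSize)
{
    return maxFrameSize > reservedZoneSize;
}

enum class StackCheck { Ok, Overflow, Underflow };

// The entry check a tier would emit: an optional underflow guard, then the usual
// comparison of the new stack pointer against softStackLimit.
StackCheck checkFrame(uintptr_t framePointer, uintptr_t maxFrameSize,
                      uintptr_t softStackLimit, uintptr_t reservedZoneSize)
{
    if (needsUnderflowCheck(maxFrameSize, reservedZoneSize) && framePointer < maxFrameSize)
        return StackCheck::Underflow;  // framePointer - maxFrameSize would wrap around
    uintptr_t newStackPointer = framePointer - maxFrameSize;
    return newStackPointer < softStackLimit ? StackCheck::Overflow : StackCheck::Ok;
}

// The pre-fix check, kept for comparison: with a large frame and a small frame
// pointer the subtraction wraps to a huge value and the overflow test passes.
StackCheck checkFrameWithoutUnderflowGuard(uintptr_t framePointer, uintptr_t maxFrameSize,
                                           uintptr_t softStackLimit)
{
    uintptr_t newStackPointer = framePointer - maxFrameSize;
    return newStackPointer < softStackLimit ? StackCheck::Overflow : StackCheck::Ok;
}
```

In the model below the stack ends at 0x1000 with a 16K reserved zone, so the lowest frame pointer the invariant permits is 0x5000; a 0x6000-byte frame from there must be caught by the guard, while a 0x3000-byte frame needs no guard and is still rejected by the ordinary soft-limit comparison.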
2659
2660 2017-06-27  JF Bastien  <jfbastien@apple.com>
2661
2662         WebAssembly: running out of executable memory should throw OoM
2663         https://bugs.webkit.org/show_bug.cgi?id=171537
2664         <rdar://problem/32963338>
2665
2666         Reviewed by Saam Barati.
2667
2668         Both on first compile with BBQ as well as on tier-up with OMG,
2669         running out of X memory shouldn't cause the entire program to
2670         terminate. An exception will do when compiling initial code (since
2671         we don't have any other fallback at the moment), and refusal to
2672         tier up will do as well (it'll just be slower).
2673
2674         This is useful because programs which generate huge amounts of
2675         code simply look like crashes, which developers report to
2676         us. Getting a JavaScript exception instead is much clearer.
2677
2678         * jit/ExecutableAllocator.cpp:
2679         (JSC::ExecutableAllocator::allocate):
2680         * llint/LLIntSlowPaths.cpp:
2681         (JSC::LLInt::shouldJIT):
2682         * runtime/Options.h:
2683         * wasm/WasmBBQPlan.cpp:
2684         (JSC::Wasm::BBQPlan::prepare):
2685         (JSC::Wasm::BBQPlan::complete):
2686         * wasm/WasmBinding.cpp:
2687         (JSC::Wasm::wasmToJs):
2688         (JSC::Wasm::wasmToWasm):
2689         * wasm/WasmBinding.h:
2690         * wasm/WasmOMGPlan.cpp:
2691         (JSC::Wasm::OMGPlan::work):
2692         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2693         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2694         * wasm/js/JSWebAssemblyCodeBlock.h:
2695         * wasm/js/JSWebAssemblyInstance.cpp:
2696         (JSC::JSWebAssemblyInstance::finalizeCreation):
2697
2698 2017-06-27  Saam Barati  <sbarati@apple.com>
2699
2700         JITStubRoutine::passesFilter should use isJITPC
2701         https://bugs.webkit.org/show_bug.cgi?id=173906
2702
2703         Reviewed by JF Bastien.
2704
2705         This patch makes JITStubRoutine use the isJITPC abstraction defined
2706         inside ExecutableAllocator.h. Before, JITStubRoutine was using a
2707         hardcoded platform size constant. This means it'd do the wrong thing
2708         if Options::jitMemoryReservationSize() was larger than the defined
2709         constant for that platform. This patch also removes a bunch of
2710         dead code in that file.
2711
2712         * jit/ExecutableAllocator.cpp:
2713         * jit/ExecutableAllocator.h:
2714         * jit/JITStubRoutine.h:
2715         (JSC::JITStubRoutine::passesFilter):
2716         (JSC::JITStubRoutine::canPerformRangeFilter): Deleted.
2717         (JSC::JITStubRoutine::filteringStartAddress): Deleted.
2718         (JSC::JITStubRoutine::filteringExtentSize): Deleted.
2719
2720 2017-06-27  Saam Barati  <sbarati@apple.com>
2721
2722         Fix some stale comments in Wasm code base
2723         https://bugs.webkit.org/show_bug.cgi?id=173814
2724
2725         Reviewed by Mark Lam.
2726
2727         * wasm/WasmBinding.cpp:
2728         (JSC::Wasm::wasmToJs):
2729         * wasm/WasmOMGPlan.cpp:
2730         (JSC::Wasm::runOMGPlanForIndex):
2731
2732 2017-06-27  Caio Lima  <ticaiolima@gmail.com>
2733
2734         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
2735         https://bugs.webkit.org/show_bug.cgi?id=167962
2736
2737         Reviewed by Saam Barati.
2738
2739         Object Rest/Spread Destructuring proposal is in stage 3[1] and this
2740         patch is a prototype implementation of it. A simple change over the
2741         parser was necessary to support the new '...' token on Object Pattern
2742         destructuring rule. In the bytecode generator side, we changed the
2743         bytecode generated on ObjectPatternNode::bindValue to store in a
2744         set the identifiers of already destructured properties, following spec draft
2745         section[2], and then pass it as excludedNames to CopyDataProperties.
2746         The rest destructuring calls copyDataProperties to perform the
2747         copy of rest properties in rhs.
2748
2749         We also implemented CopyDataProperties as private JS global operation
2750         on builtins/GlobalOperations.js following its specification on [3].
2751         It is implemented using Set object to verify if a property is on
2752         excludedNames to keep this algorithm with O(n + m) complexity, where n
2753         = number of source's own properties and m = excludedNames.length.
2754
2755         In this implementation we aren't using excludeList as a constant if the
2756         destructuring pattern contains a computed property, i.e. we can
2757         just determine the key to be excluded at runtime. If we can define all
2758         identifiers in the pattern at compile time, we then create a
2759         constant JSSet. This approach gives a good performance improvement,
2760         since we allocate the excludeSet just once, reducing GC pressure.
2761
2762         [1] - https://github.com/tc39/proposal-object-rest-spread
2763         [2] - https://tc39.github.io/proposal-object-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
2764         [3] - https://tc39.github.io/proposal-object-rest-spread/#AbstractOperations-CopyDataProperties
2765
2766         * builtins/BuiltinNames.h:
2767         * builtins/GlobalOperations.js:
2768         (globalPrivate.copyDataProperties):
2769         * bytecode/CodeBlock.cpp:
2770         (JSC::CodeBlock::finishCreation):
2771         * bytecompiler/NodesCodegen.cpp:
2772         (JSC::ObjectPatternNode::bindValue):
2773         * parser/ASTBuilder.h:
2774         (JSC::ASTBuilder::appendObjectPatternEntry):
2775         (JSC::ASTBuilder::appendObjectPatternRestEntry):
2776         (JSC::ASTBuilder::setContainsObjectRestElement):
2777         * parser/Nodes.h:
2778         (JSC::ObjectPatternNode::appendEntry):
2779         (JSC::ObjectPatternNode::setContainsRestElement):
2780         * parser/Parser.cpp:
2781         (JSC::Parser<LexerType>::parseDestructuringPattern):
2782         (JSC::Parser<LexerType>::parseProperty):
2783         * parser/SyntaxChecker.h:
2784         (JSC::SyntaxChecker::operatorStackPop):
2785         * runtime/JSGlobalObject.cpp:
2786         (JSC::JSGlobalObject::init):
2787         * runtime/JSGlobalObject.h:
2788         (JSC::JSGlobalObject::asyncFunctionStructure):
2789         (JSC::JSGlobalObject::setStructure): Deleted.
2790         * runtime/JSGlobalObjectFunctions.cpp:
2791         (JSC::privateToObject):
2792         * runtime/JSGlobalObjectFunctions.h:
2793         * runtime/ObjectConstructor.cpp:
2794         (JSC::ObjectConstructor::finishCreation):
2795         * runtime/SetPrototype.cpp:
2796         (JSC::SetPrototype::finishCreation):
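
The CopyDataProperties operation and the constant-versus-runtime excluded set this entry describes, as an added example in plain JavaScript; it is not JavaScriptCore's builtins/GlobalOperations.js, and the helper names (toPropertyKey, makeStaticRestExtractor, restWithComputedKey) are this example's own.

```javascript
// Added example, not JavaScriptCore's builtins/GlobalOperations.js: the
// CopyDataProperties abstract operation from the object-rest-spread proposal,
// written in plain JS so the exclusion check and its cost are visible.
function toPropertyKey(k) {
  return typeof k === "symbol" ? k : String(k);
}

// copyDataProperties(target, source, excludedKeys): excludedKeys is a Set, so
// each "is this key excluded?" test is O(1) and the copy is O(n + m) with
// n = number of source's own keys, m = excludedKeys.size.
function copyDataProperties(target, source, excludedKeys) {
  if (source === undefined || source === null) return target;
  const from = Object(source);            // ToObject(source)
  const keys = Reflect.ownKeys(from);     // [[OwnPropertyKeys]]: strings, then symbols
  for (let i = 0; i < keys.length; i++) { // index loop: no user-observable iterator
    const key = keys[i];
    if (excludedKeys.has(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc === undefined || !desc.enumerable) continue;
    // Get(from, key) runs accessors on the source; CreateDataProperty defines
    // a fresh own data property instead of triggering setters on the target.
    Object.defineProperty(target, key, {
      value: from[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// Pattern with only static identifiers, e.g. `({ a, b, ...rest } = rhs)`:
// the excluded set is known at compile time, so it is built once and shared
// by every evaluation, like the constant JSSet described in the entry.
function makeStaticRestExtractor(staticNames) {
  const constantSet = new Set(staticNames.map(toPropertyKey));
  return (rhs) => copyDataProperties({}, rhs, constantSet);
}

// Pattern with a computed property, e.g. `({ a, [k]: v, ...rest } = rhs)`:
// the excluded set depends on the runtime value of k, so it is rebuilt on
// each evaluation.
function restWithComputedKey(rhs, staticNames, computedKey) {
  const names = staticNames.map(toPropertyKey);
  names.push(toPropertyKey(computedKey));
  return copyDataProperties({}, rhs, new Set(names));
}
```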
2797
2798 2017-06-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2799
2800         [JSC] Do not touch VM after notifying Ready in DFG::Worklist
2801         https://bugs.webkit.org/show_bug.cgi?id=173888
2802
2803         Reviewed by Saam Barati.
2804
2805         After notifying Plan::Ready and releasing Worklist lock, VM can be destroyed.
2806         Thus, Plan::vm() can return a destroyed VM. Do not touch it.
2807         This causes occasional SEGV / assertion failures in workers/bomb test.
2808
2809         * dfg/DFGWorklist.cpp:
2810
2811 2017-06-27  Saam Barati  <sbarati@apple.com>
2812
2813         Remove an inaccurate comment inside DFGClobberize.h
2814         https://bugs.webkit.org/show_bug.cgi?id=163874
2815
2816         Reviewed by Filip Pizlo.
2817
2818         The comment said that Clobberize may or may not be sound if run prior to
2819         doing type inference. This is not correct, though. Clobberize *must* be sound
2820         prior to doing type inference since we use it inside the BytecodeParser, which
2821         is the very first thing the DFG does.
2822
2823         * dfg/DFGClobberize.h:
2824         (JSC::DFG::clobberize):
2825
2826 2017-06-27  Saam Barati  <sbarati@apple.com>
2827
2828         Function constructor needs to follow the spec and validate parameters and body independently
2829         https://bugs.webkit.org/show_bug.cgi?id=173303
2830         <rdar://problem/32732526>
2831
2832         Reviewed by Keith Miller.
2833
2834         The Function constructor must check the arguments and body strings
2835         independently for syntax errors. People rely on this specified behavior
2836         to verify that a particular string is a valid function body. We used
2837         to check these strings concatenated together, instead of
2838         independently. For example, this used to be valid: `Function("/*", "*/){")`.
2839         However, we should throw a syntax error here since "(/*)" is not a valid
2840         parameter list, and "*/){" is not a valid body.
2841         
2842         To implement the specified behavior, we check the syntax independently of
2843         both the body and the parameter list. To check that the parameter list has
2844         valid syntax, we check that it is valid if in a function with an empty body.
2845         To check that the body has valid syntax, we check it is valid in a function
2846         with an empty parameter list.
2847
2848         * runtime/FunctionConstructor.cpp:
2849         (JSC::constructFunctionSkippingEvalEnabledCheck):
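
The independent parameter-list and body check this entry describes, as an added JavaScript example that is not JavaScriptCore's FunctionConstructor.cpp; validateDynamicFunctionParts and concatenationParses are names chosen for this example, and the wrapper text in concatenationParses is an assumption about how the source is assembled.

```javascript
// Added example, not JavaScriptCore's FunctionConstructor.cpp: check the
// parameter string and the body string of a dynamic function separately,
// as CreateDynamicFunction requires, rather than only checking that their
// concatenation parses.
function validateDynamicFunctionParts(paramList, body) {
  const result = { paramsValid: true, bodyValid: true };
  // The parameter list must be valid on its own, inside a function with an
  // empty body.
  try {
    new Function(paramList, "");
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    result.paramsValid = false;
  }
  // The body must be valid on its own, inside a function with an empty
  // parameter list.
  try {
    new Function("", body);
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    result.bodyValid = false;
  }
  return result;
}

// The concatenation-only check: assemble the source text the way the
// Function constructor is assumed to, and see whether that single string
// parses. A parameter string that opens a comment and a body string that
// closes it pass this check together even though neither is valid alone,
// which is why a caller validating a body string cannot rely on it.
function concatenationParses(paramList, body) {
  const source = `(function anonymous(${paramList}\n) {\n${body}\n})`;
  try {
    new Function(source); // parses `source` as a function body
    return true;
  } catch (e) {
    if (!(e instanceof SyntaxError)) throw e;
    return false;
  }
}
```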
2850
2851 2017-06-27  Ting-Wei Lan  <lantw44@gmail.com>
2852
2853         Add missing includes to fix compilation error on FreeBSD
2854         https://bugs.webkit.org/show_bug.cgi?id=172919
2855
2856         Reviewed by Mark Lam.
2857
2858         * API/JSRemoteInspector.h:
2859         * API/tests/GlobalContextWithFinalizerTest.cpp:
2860         * API/tests/TypedArrayCTest.cpp:
2861
2862 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
2863
2864         Web Inspector: Crash generating object preview for ArrayIterator
2865         https://bugs.webkit.org/show_bug.cgi?id=173754
2866         <rdar://problem/32859012>
2867
2868         Reviewed by Saam Barati.
2869
2870         When Inspector generates an object preview for an ArrayIterator instance it made
2871         a "clone" of the original ArrayIterator instance by constructing a new object with
2872         the instance's structure. However, user code could have modified that instance's
2873         structure, such as adding / removing properties. The `return` property had special
2874         meaning, and our clone did not fill that slot. This approach is brittle in that
2875         we weren't satisfying the expectations of an object with a particular Structure,
2876         and the original goal of having Web Inspector peek values of built-in Iterators
2877         was to avoid observable behavior.
2878
2879         This tightens Web Inspector's Iterator preview to only peek values if the
2880         Iterators would actually be non-observable. It also builds an ArrayIterator
2881         clone like a regular object construction.
2882
2883         * inspector/JSInjectedScriptHost.cpp:
2884         (Inspector::cloneArrayIteratorObject):
2885         Build up the Object from scratch with a new ArrayIterator prototype.
2886
2887         (Inspector::JSInjectedScriptHost::iteratorEntries):
2888         Only clone and peek iterators if it would not be observable.
2889         Also update iteration to be more in line with IterationOperations, such as when
2890         we call iteratorClose.
2891
2892         * runtime/JSGlobalObject.cpp:
2893         (JSC::JSGlobalObject::JSGlobalObject):
2894         (JSC::JSGlobalObject::init):
2895         * runtime/JSGlobalObject.h:
2896         (JSC::JSGlobalObject::stringIteratorProtocolWatchpoint):
2897         * runtime/JSGlobalObjectInlines.h:
2898         (JSC::JSGlobalObject::isStringPrototypeIteratorProtocolFastAndNonObservable):
2899         Add a StringIterator WatchPoint in line with the Array/Map/Set iterator watchpoints.
2900
2901         * runtime/JSMap.cpp:
2902         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2903         (JSC::JSMap::canCloneFastAndNonObservable):
2904         * runtime/JSMap.h:
2905         * runtime/JSSet.cpp:
2906         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2907         (JSC::JSSet::canCloneFastAndNonObservable):
2908         * runtime/JSSet.h:
2909         Promote isIteratorProtocolFastAndNonObservable to a method.
2910
2911         * runtime/JSObject.cpp:
2912         (JSC::canDoFastPutDirectIndex):
2913         * runtime/JSTypeInfo.h:
2914         (JSC::TypeInfo::isArgumentsType):
2915         Helper to detect if an Object is an Arguments type.
2916
2917 2017-06-26  Saam Barati  <sbarati@apple.com>
2918
2919         RegExpPrototype.js builtin uses for-of iteration which is almost certainly incorrect
2920         https://bugs.webkit.org/show_bug.cgi?id=173740
2921
2922         Reviewed by Mark Lam.
2923
2924         The builtin was using for-of iteration to iterate over an internal
2925         list in its algorithm. For-of iteration is observable via user code
2926         in the global object, so this approach was wrong as it would break if
2927         a user changed the Array iteration protocol in some way.
2928
2929         * builtins/RegExpPrototype.js:
2930         (replace):
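
Why for-of over an internal list is observable, and the "is the protocol untouched?" check that both this entry and the Web Inspector iterator-preview entry above rely on, as an added JavaScript example that is not JavaScriptCore's RegExpPrototype.js or Inspector code; the function names and the replacement iterator are constructed for this example, and the pristine check compares against references captured at load time rather than an engine watchpoint.

```javascript
// Added example, not JavaScriptCore's RegExpPrototype.js or Inspector code.
// A helper walking an internal list with for-of consults
// Array.prototype[Symbol.iterator], which page code can replace, so the
// helper's result becomes observable and controllable from outside.
function joinWithForOf(list) {
  let out = "";
  for (const item of list) out += item; // goes through the iteration protocol
  return out;
}

// An index loop reads own properties directly and consults no replaceable hook.
function joinWithIndex(list) {
  let out = "";
  for (let i = 0; i < list.length; i++) out += list[i];
  return out;
}

// Runs fn while the Array iteration protocol is replaced, restoring it after.
function underReplacedArrayIterator(fn) {
  const original = Array.prototype[Symbol.iterator];
  Array.prototype[Symbol.iterator] = function* () { yield "X"; }; // constructed replacement
  try {
    return fn();
  } finally {
    Array.prototype[Symbol.iterator] = original;
  }
}

// Approximation of the engine's "fast and non-observable" check: the Inspector
// only peeks iterator values when the protocol is untouched. Here the native
// functions are captured at load time; the engine uses watchpoints instead.
const pristineArrayIterator = Array.prototype[Symbol.iterator];
const arrayIteratorPrototype = Object.getPrototypeOf([][Symbol.iterator]());
const pristineNext = arrayIteratorPrototype.next;
function arrayIterationProtocolIsPristine() {
  return Array.prototype[Symbol.iterator] === pristineArrayIterator
    && arrayIteratorPrototype.next === pristineNext;
}
```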
2931
2932 2017-06-26  Mark Lam  <mark.lam@apple.com>
2933
2934         Renamed DumpRegisterFunctor to DumpReturnVirtualPCFunctor.
2935         https://bugs.webkit.org/show_bug.cgi?id=173848
2936
2937         Reviewed by JF Bastien.
2938
2939         This functor only dumps the return VirtualPC.
2940
2941         * interpreter/Interpreter.cpp:
2942         (JSC::DumpReturnVirtualPCFunctor::DumpReturnVirtualPCFunctor):
2943         (JSC::Interpreter::dumpRegisters):
2944         (JSC::DumpRegisterFunctor::DumpRegisterFunctor): Deleted.
2945         (JSC::DumpRegisterFunctor::operator()): Deleted.
2946
2947 2017-06-26  Saam Barati  <sbarati@apple.com>
2948
2949         Crash in JSC::Lexer<unsigned char>::setCode
2950         https://bugs.webkit.org/show_bug.cgi?id=172754
2951
2952         Reviewed by Mark Lam.
2953
2954         The lexer was asking one of its buffers to reserve initial space that
2955         was O(text size in bytes). For large sources, this would end up causing
2956         the vector to overflow and crash. This patch changes this code to be like
2957         the Lexer's other buffers and to only reserve a small starting buffer.
2958
2959         * parser/Lexer.cpp:
2960         (JSC::Lexer<T>::setCode):
2961
2962 2017-06-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2963
2964         [WTF] Drop Thread::create(obsolete things) API since we can use lambda
2965         https://bugs.webkit.org/show_bug.cgi?id=173825
2966
2967         Reviewed by Saam Barati.
2968
2969         * jsc.cpp:
2970         (startTimeoutThreadIfNeeded):
2971         (timeoutThreadMain): Deleted.
2972
2973 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2974
2975         Unreviewed, add missing header for CLoop
2976
2977         * runtime/SymbolTable.cpp:
2978
2979 2017-06-26  Konstantin Tokarev  <annulen@yandex.ru>
2980
2981         Unreviewed, add missing header includes
2982
2983         * parser/Lexer.h:
2984
2985 2017-06-25  Konstantin Tokarev  <annulen@yandex.ru>
2986
2987         Remove excessive headers from JavaScriptCore
2988         https://bugs.webkit.org/show_bug.cgi?id=173812
2989
2990         Reviewed by Darin Adler.
2991
2992         * API/APIUtils.h:
2993         * assembler/LinkBuffer.cpp:
2994         * assembler/MacroAssemblerCodeRef.cpp:
2995         * b3/air/AirLiveness.h:
2996         * b3/air/AirLowerAfterRegAlloc.cpp:
2997         * bindings/ScriptValue.cpp:
2998         * bindings/ScriptValue.h:
2999         * bytecode/AccessCase.cpp:
3000         * bytecode/AccessCase.h:
3001         * bytecode/ArrayProfile.h:
3002         * bytecode/BytecodeDumper.h:
3003         * bytecode/BytecodeIntrinsicRegistry.cpp:
3004         * bytecode/BytecodeKills.h:
3005         * bytecode/BytecodeLivenessAnalysis.h:
3006         * bytecode/BytecodeUseDef.h:
3007         * bytecode/CallLinkStatus.h:
3008         * bytecode/CodeBlock.h:
3009         * bytecode/CodeOrigin.h:
3010         * bytecode/ComplexGetStatus.h:
3011         * bytecode/GetByIdStatus.h:
3012         * bytecode/GetByIdVariant.h:
3013         * bytecode/InlineCallFrame.h:
3014         * bytecode/InlineCallFrameSet.h:
3015         * bytecode/Instruction.h:
3016         * bytecode/InternalFunctionAllocationProfile.h:
3017         * bytecode/JumpTable.h:
3018         * bytecode/MethodOfGettingAValueProfile.h:
3019         * bytecode/ObjectPropertyConditionSet.h:
3020         * bytecode/Operands.h:
3021         * bytecode/PolymorphicAccess.h:
3022         * bytecode/PutByIdStatus.h:
3023         * bytecode/SpeculatedType.cpp:
3024         * bytecode/StructureSet.h:
3025         * bytecode/StructureStubInfo.h:
3026         * bytecode/UnlinkedCodeBlock.h:
3027         * bytecode/UnlinkedFunctionExecutable.h:
3028         * bytecode/ValueProfile.h:
3029         * bytecompiler/BytecodeGenerator.cpp:
3030         * bytecompiler/BytecodeGenerator.h:
3031         * bytecompiler/Label.h:
3032         * bytecompiler/StaticPropertyAnalysis.h:
3033         * debugger/DebuggerCallFrame.cpp:
3034         * dfg/DFGAbstractInterpreter.h:
3035         * dfg/DFGAdjacencyList.h:
3036         * dfg/DFGArgumentsUtilities.h:
3037         * dfg/DFGArrayMode.h:
3038         * dfg/DFGArrayifySlowPathGenerator.h:
3039         * dfg/DFGBackwardsPropagationPhase.h:
3040         * dfg/DFGBasicBlock.h:
3041         * dfg/DFGCallArrayAllocatorSlowPathGenerator.h:
3042         * dfg/DFGCallCreateDirectArgumentsSlowPathGenerator.h:
3043         * dfg/DFGCapabilities.h:
3044         * dfg/DFGCommon.h:
3045         * dfg/DFGCommonData.h:
3046         * dfg/DFGDesiredIdentifiers.h:
3047         * dfg/DFGDesiredWatchpoints.h:
3048         * dfg/DFGDisassembler.cpp:
3049         * dfg/DFGDominators.h:
3050         * dfg/DFGDriver.cpp:
3051         * dfg/DFGDriver.h:
3052         * dfg/DFGEdgeDominates.h:
3053         * dfg/DFGFinalizer.h:
3054         * dfg/DFGGenerationInfo.h:
3055         * dfg/DFGJITCompiler.cpp:
3056         * dfg/DFGJITCompiler.h:
3057         * dfg/DFGJITFinalizer.h:
3058         * dfg/DFGLivenessAnalysisPhase.h:
3059         * dfg/DFGMinifiedNode.h:
3060         * dfg/DFGMultiGetByOffsetData.h:
3061         * dfg/DFGNaturalLoops.cpp:
3062         * dfg/DFGNaturalLoops.h:
3063         * dfg/DFGNode.h:
3064         * dfg/DFGOSRAvailabilityAnalysisPhase.h:
3065         * dfg/DFGOSRExit.h:
3066         * dfg/DFGOSRExitCompilationInfo.h:
3067         * dfg/DFGOSRExitCompiler.cpp:
3068         * dfg/DFGOSRExitCompiler.h:
3069         * dfg/DFGOSRExitJumpPlaceholder.h:
3070         * dfg/DFGOperations.cpp:
3071         * dfg/DFGOperations.h:
3072         * dfg/DFGPlan.h:
3073         * dfg/DFGPreciseLocalClobberize.h:
3074         * dfg/DFGPromotedHeapLocation.h:
3075         * dfg/DFGRegisteredStructure.h:
3076         * dfg/DFGRegisteredStructureSet.h:
3077         * dfg/DFGSaneStringGetByValSlowPathGenerator.h:
3078         * dfg/DFGSlowPathGenerator.h:
3079         * dfg/DFGSnippetParams.h:
3080         * dfg/DFGSpeculativeJIT.h:
3081         * dfg/DFGToFTLDeferredCompilationCallback.h:
3082         * dfg/DFGToFTLForOSREntryDeferredCompilationCallback.h:
3083         * dfg/DFGValidate.h:
3084         * dfg/DFGValueSource.h:
3085         * dfg/DFGVariableEvent.h:
3086         * dfg/DFGVariableEventStream.h:
3087         * dfg/DFGWorklist.h:
3088         * domjit/DOMJITCallDOMGetterSnippet.h:
3089         * domjit/DOMJITEffect.h:
3090         * ftl/FTLLink.cpp:
3091         * ftl/FTLLowerDFGToB3.cpp:
3092         * ftl/FTLPatchpointExceptionHandle.h:
3093         * heap/AllocatorAttributes.h:
3094         * heap/CodeBlockSet.h:
3095         * heap/DeferGC.h:
3096         * heap/GCSegmentedArray.h:
3097         * heap/Heap.cpp:
3098         * heap/Heap.h:
3099         * heap/IncrementalSweeper.h:
3100         * heap/ListableHandler.h:
3101         * heap/MachineStackMarker.h:
3102         * heap/MarkedAllocator.h:
3103         * heap/MarkedBlock.cpp:
3104         * heap/MarkedBlock.h:
3105         * heap/MarkingConstraint.h:
3106         * heap/SlotVisitor.cpp:
3107         * heap/SlotVisitor.h:
3108         * inspector/ConsoleMessage.cpp:
3109         * inspector/ConsoleMessage.h:
3110         * inspector/InjectedScript.h:
3111         * inspector/InjectedScriptHost.h:
3112         * inspector/InjectedScriptManager.cpp:
3113         * inspector/JSGlobalObjectInspectorController.cpp:
3114         * inspector/JavaScriptCallFrame.h:
3115         * inspector/ScriptCallStack.h:
3116         * inspector/ScriptCallStackFactory.cpp:
3117         * inspector/ScriptDebugServer.h:
3118         * inspector/agents/InspectorConsoleAgent.h:
3119         * inspector/agents/InspectorDebuggerAgent.cpp:
3120         * inspector/agents/InspectorDebuggerAgent.h:
3121         * inspector/agents/InspectorHeapAgent.cpp:
3122         * inspector/agents/InspectorHeapAgent.h:
3123         * inspector/agents/InspectorRuntimeAgent.h:
3124         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3125         * inspector/agents/InspectorScriptProfilerAgent.h:
3126         * inspector/agents/JSGlobalObjectConsoleAgent.h:
3127         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3128         * inspector/agents/JSGlobalObjectDebuggerAgent.h:
3129         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3130         * inspector/augmentable/AlternateDispatchableAgent.h:
3131         * interpreter/CLoopStack.h:
3132         * interpreter/CachedCall.h:
3133         * interpreter/CallFrame.h:
3134         * interpreter/Interpreter.cpp:
3135         * interpreter/Interpreter.h:
3136         * jit/AssemblyHelpers.cpp:
3137         * jit/AssemblyHelpers.h:
3138         * jit/CCallHelpers.h:
3139         * jit/CallFrameShuffler.h:
3140         * jit/ExecutableAllocator.h:
3141         * jit/GCAwareJITStubRoutine.h:
3142         * jit/HostCallReturnValue.h:
3143         * jit/ICStats.h:
3144         * jit/JIT.cpp:
3145         * jit/JIT.h:
3146         * jit/JITAddGenerator.h:
3147         * jit/JITCall32_64.cpp:
3148         * jit/JITCode.h:
3149         * jit/JITDisassembler.cpp:
3150         * jit/JITExceptions.cpp:
3151         * jit/JITMathIC.h:
3152         * jit/JITOpcodes.cpp:
3153         * jit/JITOperations.cpp:
3154         * jit/JITOperations.h:
3155         * jit/JITThunks.cpp:
3156         * jit/JITThunks.h:
3157         * jit/JSInterfaceJIT.h:
3158         * jit/PCToCodeOriginMap.h:
3159         * jit/PolymorphicCallStubRoutine.h:
3160         * jit/RegisterSet.h:
3161         * jit/Repatch.h:
3162         * jit/SetupVarargsFrame.h:
3163         * jit/Snippet.h:
3164         * jit/SnippetParams.h:
3165         * jit/ThunkGenerators.h:
3166         * jsc.cpp:
3167         * llint/LLIntCLoop.h:
3168         * llint/LLIntEntrypoint.h:
3169         * llint/LLIntExceptions.h:
3170         * llint/LLIntOfflineAsmConfig.h:
3171         * llint/LLIntSlowPaths.cpp:
3172         * parser/NodeConstructors.h:
3173         * parser/Nodes.cpp:
3174         * parser/Nodes.h:
3175         * parser/Parser.cpp:
3176         * parser/Parser.h:
3177         * parser/ParserTokens.h:
3178         * parser/SourceProviderCacheItem.h:
3179         * profiler/ProfilerBytecodeSequence.h:
3180         * profiler/ProfilerDatabase.cpp:
3181         * profiler/ProfilerDatabase.h:
3182         * profiler/ProfilerOrigin.h:
3183         * profiler/ProfilerOriginStack.h:
3184         * profiler/ProfilerProfiledBytecodes.h:
3185         * profiler/ProfilerUID.h:
3186         * runtime/AbstractModuleRecord.h:
3187         * runtime/ArrayConstructor.h:
3188         * runtime/ArrayConventions.h:
3189         * runtime/ArrayIteratorPrototype.h:
3190         * runtime/ArrayPrototype.h:
3191         * runtime/BasicBlockLocation.h:
3192         * runtime/Butterfly.h:
3193         * runtime/CallData.cpp:
3194         * runtime/CodeCache.h:
3195         * runtime/CommonSlowPaths.cpp:
3196         * runtime/CommonSlowPaths.h:
3197         * runtime/CommonSlowPathsExceptions.cpp:
3198         * runtime/Completion.cpp:
3199         * runtime/ControlFlowProfiler.h:
3200         * runtime/DateInstanceCache.h:
3201         * runtime/ErrorConstructor.h:
3202         * runtime/ErrorInstance.h:
3203         * runtime/ExceptionHelpers.cpp:
3204         * runtime/ExceptionHelpers.h:
3205         * runtime/ExecutableBase.h:
3206         * runtime/FunctionExecutable.h:
3207         * runtime/HasOwnPropertyCache.h:
3208         * runtime/Identifier.h:
3209         * runtime/InternalFunction.h:
3210         * runtime/IntlCollator.cpp:
3211         * runtime/IntlCollatorPrototype.h:
3212         * runtime/IntlDateTimeFormatPrototype.h:
3213         * runtime/IntlNumberFormat.cpp:
3214         * runtime/IntlNumberFormatPrototype.h:
3215         * runtime/IteratorOperations.cpp:
3216         * runtime/JSArray.h:
3217         * runtime/JSArrayBufferPrototype.h:
3218         * runtime/JSCJSValue.h:
3219         * runtime/JSCJSValueInlines.h:
3220         * runtime/JSCell.h:
3221         * runtime/JSFunction.cpp:
3222         * runtime/JSFunction.h:
3223         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
3224         * runtime/JSGlobalObject.cpp:
3225         * runtime/JSGlobalObject.h:
3226         * runtime/JSGlobalObjectDebuggable.cpp:
3227         * runtime/JSGlobalObjectDebuggable.h:
3228         * runtime/JSGlobalObjectFunctions.cpp:
3229         * runtime/JSGlobalObjectFunctions.h:
3230         * runtime/JSJob.cpp:
3231         * runtime/JSLock.h:
3232         * runtime/JSModuleLoader.cpp:
3233         * runtime/JSModuleNamespaceObject.h:
3234         * runtime/JSModuleRecord.h:
3235         * runtime/JSObject.cpp:
3236         * runtime/JSObject.h:
3237         * runtime/JSRunLoopTimer.h:
3238         * runtime/JSTemplateRegistryKey.h:
3239         * runtime/JSTypedArrayPrototypes.cpp:
3240         * runtime/JSTypedArrayPrototypes.h:
3241         * runtime/JSTypedArrays.h:
3242         * runtime/LiteralParser.h:
3243         * runtime/MatchResult.h:
3244         * runtime/MemoryStatistics.h:
3245         * runtime/PrivateName.h:
3246         * runtime/PromiseDeferredTimer.h:
3247         * runtime/ProxyObject.h:
3248         * runtime/RegExp.h:
3249         * runtime/SamplingProfiler.cpp:
3250         * runtime/SmallStrings.h:
3251         * runtime/StringPrototype.cpp:
3252         * runtime/StringRecursionChecker.h:
3253         * runtime/Structure.h:
3254         * runtime/SymbolConstructor.h:
3255         * runtime/SymbolPrototype.cpp:
3256         * runtime/SymbolPrototype.h:
3257         * runtime/TypeProfiler.h:
3258         * runtime/TypeProfilerLog.h:
3259         * runtime/TypedArrayType.h:
3260         * runtime/VM.cpp:
3261         * runtime/VM.h:
3262         * runtime/VMEntryScope.h:
3263         * runtime/WeakMapData.h:
3264         * runtime/WriteBarrier.h:
3265         * tools/FunctionOverrides.cpp:
3266         * tools/FunctionOverrides.h:
3267         * wasm/WasmBinding.cpp:
3268         * wasm/js/JSWebAssemblyCodeBlock.h:
3269         * wasm/js/WebAssemblyPrototype.cpp:
3270         * yarr/Yarr.h:
3271         * yarr/YarrJIT.cpp:
3272         * yarr/YarrJIT.h:
3273         * yarr/YarrParser.h:
3274
3275 2017-06-24  Yusuke Suzuki  <utatane.tea@gmail.com>
3276
3277         [JSC] Clean up Object.entries implementation
3278         https://bugs.webkit.org/show_bug.cgi?id=173759
3279
3280         Reviewed by Sam Weinig.
3281
3282         This patch cleans up Object.entries implementation.
3283         We drop unused private functions. And we merge the
3284         implementation into Object.entries.
3285
3286         It slightly speeds up Object.entries speed.
3287
3288                                      baseline                  patched
3289
3290             object-entries      148.0101+-5.6627          142.1877+-4.8661          might be 1.0409x faster
3291
3292
3293         * builtins/BuiltinNames.h:
3294         * builtins/ObjectConstructor.js:
3295         (entries):
3296         (globalPrivate.enumerableOwnProperties): Deleted.
3297         * runtime/JSGlobalObject.cpp:
3298         (JSC::JSGlobalObject::init):
3299         * runtime/ObjectConstructor.cpp:
3300         (JSC::ownEnumerablePropertyKeys): Deleted.
3301         * runtime/ObjectConstructor.h:
3302
3303 2017-06-24  Joseph Pecoraro  <pecoraro@apple.com>
3304
3305         Remove Reflect.enumerate
3306         https://bugs.webkit.org/show_bug.cgi?id=173806
3307
3308         Reviewed by Yusuke Suzuki.
3309
3310         * CMakeLists.txt:
3311         * JavaScriptCore.xcodeproj/project.pbxproj:
3312         * inspector/JSInjectedScriptHost.cpp:
3313         (Inspector::JSInjectedScriptHost::subtype):
3314         (Inspector::JSInjectedScriptHost::getInternalProperties):
3315         (Inspector::JSInjectedScriptHost::iteratorEntries):
3316         * runtime/JSGlobalObject.cpp:
3317         (JSC::JSGlobalObject::init):
3318         (JSC::JSGlobalObject::visitChildren):
3319         * runtime/JSPropertyNameIterator.cpp: Removed.
3320         * runtime/JSPropertyNameIterator.h: Removed.
3321         * runtime/ReflectObject.cpp:
3322         (JSC::reflectObjectEnumerate): Deleted.
3323
3324 2017-06-23  Keith Miller  <keith_miller@apple.com>
3325
3326         Switch VMTraps to use halt instructions rather than breakpoint instructions
3327         https://bugs.webkit.org/show_bug.cgi?id=173677
3328         <rdar://problem/32178892>
3329
3330         Reviewed by JF Bastien.
3331
3332         Using the breakpoint instruction for VMTraps caused issues with lldb.
3333         Since we only need some way to stop execution we can, in theory, use
3334         any exceptioning instruction we want. I went with the halt instruction
3335         on X86 since that is the only one-byte instruction that does not
3336         breakpoint (in my tests both 0xf1 and 0xd6 produced EXC_BREAKPOINT).
3337         On ARM we use the data cache clearing instruction with the zero register,
3338         which triggers a segmentation fault.
3339
3340         Also, update the platform code to only use signaling VMTraps
3341         on platforms where we have an appropriate instruction (x86 and ARM64).
3342
3343         * API/tests/ExecutionTimeLimitTest.cpp:
3344         (testExecutionTimeLimit):
3345         * assembler/ARM64Assembler.h:
3346         (JSC::ARM64Assembler::replaceWithVMHalt):
3347         (JSC::ARM64Assembler::dataCacheZeroVirtualAddress):
3348         (JSC::ARM64Assembler::replaceWithBkpt): Deleted.
3349         * assembler/ARMAssembler.h:
3350         (JSC::ARMAssembler::replaceWithBkpt): Deleted.
3351         * assembler/ARMv7Assembler.h:
3352         (JSC::ARMv7Assembler::replaceWithBkpt): Deleted.
3353         * assembler/MIPSAssembler.h:
3354         (JSC::MIPSAssembler::replaceWithBkpt): Deleted.
3355         * assembler/MacroAssemblerARM.h:
3356         (JSC::MacroAssemblerARM::replaceWithBreakpoint): Deleted.
3357         * assembler/MacroAssemblerARM64.h:
3358         (JSC::MacroAssemblerARM64::replaceWithVMHalt):
3359         (JSC::MacroAssemblerARM64::replaceWithBreakpoint): Deleted.
3360         * assembler/MacroAssemblerARMv7.h:
3361         (JSC::MacroAssemblerARMv7::storeFence):
3362         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint): Deleted.
3363         * assembler/MacroAssemblerMIPS.h:
3364         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint): Deleted.
3365         * assembler/MacroAssemblerX86Common.h:
3366         (JSC::MacroAssemblerX86Common::replaceWithVMHalt):
3367         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint): Deleted.
3368         * assembler/X86Assembler.h:
3369         (JSC::X86Assembler::replaceWithHlt):
3370         (JSC::X86Assembler::replaceWithInt3): Deleted.
3371         * dfg/DFGJumpReplacement.cpp:
3372         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
3373         * runtime/VMTraps.cpp:
3374         (JSC::SignalContext::SignalContext):
3375         (JSC::installSignalHandler):
3376         (JSC::SignalContext::adjustPCToPointToTrappingInstruction): Deleted.
3377         * wasm/WasmFaultSignalHandler.cpp:
3378         (JSC::Wasm::enableFastMemory):
3379
3380 2017-06-22  Saam Barati  <sbarati@apple.com>
3381
3382         The lowering of Identity in the DFG backend needs to use ManualOperandSpeculation
3383         https://bugs.webkit.org/show_bug.cgi?id=173743
3384         <rdar://problem/32932536>
3385
3386         Reviewed by Mark Lam.
3387
3388         The code always manually speculates, however, we weren't specifying
3389         ManualOperandSpeculation when creating a JSValueOperand. This would
3390         fire an assertion in JSValueOperand construction for a node like:
3391         Identity(String:@otherNode)
3392         
3393         I spent about 45 minutes trying to craft a test and came up
3394         empty. However, this fixes a debug assertion on an internal
3395         Apple website.
3396
3397         * dfg/DFGSpeculativeJIT32_64.cpp:
3398         (JSC::DFG::SpeculativeJI