a0aba9c7dbdd5a6d075f978e36bd783726e01fd0
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-12-15  Ryan Haddad  <ryanhaddad@apple.com>
2
3         Unreviewed, rolling out r225941.
4
5         This change introduced LayoutTest crashes and assertion
6         failures.
7
8         Reverted changeset:
9
10         "Web Inspector: replace HTMLCanvasElement with
11         CanvasRenderingContext for instrumentation logic"
12         https://bugs.webkit.org/show_bug.cgi?id=180770
13         https://trac.webkit.org/changeset/225941
14
15 2017-12-15  Yusuke Suzuki  <utatane.tea@gmail.com>
16
17         Unreviewed, 32bit JSEmpty is not nullptr + CellTag
18         https://bugs.webkit.org/show_bug.cgi?id=180804
19
20         Add 32bit path for WeakMapGet.
21
22         * dfg/DFGSpeculativeJIT.cpp:
23         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
24
25 2017-12-14  Saam Barati  <sbarati@apple.com>
26
27         The CleanUp after LICM is erroneously removing a Check
28         https://bugs.webkit.org/show_bug.cgi?id=180852
29         <rdar://problem/36063494>
30
31         Reviewed by Filip Pizlo.
32
33         There was a bug where the CleanUp phase relied on isProved() bits and LICM
34         changed them in an invalid way. The bug is as follows:
35         
36         We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested
37         inside of L1. We have a Check inside a node inside L1, say in basic block BB,
38         and that Check dominates all of L2. This is also a hoisting candidate, so we
39         hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at
40         the preheader for each loop inside L1, so P1 and P2. When considering P2,
41         we execute the Check. Inside P2, before any hoisting is done, this Check
42         is dead code, because BB dominates P2. When we use AI to "execute" the
43         Check, it'll set its proof status to proved. This is because inside P2,
44         in the program before LICM runs, the Check is indeed proven at P2. But
45         it is not proven inside P1. This "execute" call will set our proof status
46         for the node inside *P1*, hence, we crash.
47         
48         The fix here is to make LICM precise when updating the ProofStatus of an edge.
49         It can trust the AI state at the preheader it hoists the node to, but it can't
50         trust the state when executing effects inside inner loops' preheaders.
51
52         * dfg/DFGPlan.cpp:
53         (JSC::DFG::Plan::compileInThreadImpl):
54
55 2017-12-14  David Kilzer  <ddkilzer@apple.com>
56
57         Enable -Wstrict-prototypes for WebKit
58         <https://webkit.org/b/180757>
59         <rdar://problem/36024132>
60
61         Rubber-stamped by Joseph Pecoraro.
62
63         * API/tests/CompareAndSwapTest.h:
64         (testCompareAndSwap): Add 'void' to C function declaration.
65         * API/tests/ExecutionTimeLimitTest.h:
66         (testExecutionTimeLimit): Ditto.
67         * API/tests/FunctionOverridesTest.h:
68         (testFunctionOverrides): Ditto.
69         * API/tests/GlobalContextWithFinalizerTest.h:
70         (testGlobalContextWithFinalizer): Ditto.
71         * API/tests/JSONParseTest.h:
72         (testJSONParse): Ditto.
73         * API/tests/MultithreadedMultiVMExecutionTest.h:
74         (startMultithreadedMultiVMExecutionTest): Ditto.
75         (finalizeMultithreadedMultiVMExecutionTest): Ditto.
76         * API/tests/PingPongStackOverflowTest.h:
77         (testPingPongStackOverflow): Ditto.
78         * Configurations/Base.xcconfig:
79         (CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES.
80
81 2017-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
82
83         [DFG] Reduce register pressure of WeakMapGet to be used for 32bit
84         https://bugs.webkit.org/show_bug.cgi?id=180804
85
86         Reviewed by Saam Barati.
87
88         This fixes 32bit failures of JSC by reducing register pressure of WeakMapGet.
89
90         * dfg/DFGRegisterBank.h:
91         (JSC::DFG::RegisterBank::lockedCount const):
92         * dfg/DFGSpeculativeJIT.cpp:
93         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
94
95 2017-12-14  Keith Miller  <keith_miller@apple.com>
96
97         Unreviewed, forgot to add { }
98
99         * runtime/JSObject.h:
100         (JSC::JSObject::setButterfly):
101         (JSC::JSObject::nukeStructureAndSetButterfly):
102
103 2017-12-14  Devin Rousso  <webkit@devinrousso.com>
104
105         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
106         https://bugs.webkit.org/show_bug.cgi?id=180770
107
108         Reviewed by Joseph Pecoraro.
109
110         * inspector/protocol/Canvas.json:
111
112 2017-12-14  Keith Miller  <keith_miller@apple.com>
113
114         Fix assertion in JSObject's structure setting methods
115         https://bugs.webkit.org/show_bug.cgi?id=180840
116
117         Reviewed by Mark Lam.
118
119         I forgot that when Typed Arrays have non-indexed properties
120         added to them, they call the generic code. The generic code
121         in turn calls the regular structure setting methods. Thus,
122         these assertions were invalid and we should just avoid setting
123         the indexing mask if we have a Typed Array.
124
125         * runtime/JSObject.h:
126         (JSC::JSObject::setButterfly):
127         (JSC::JSObject::nukeStructureAndSetButterfly):
128
129 2017-12-14  Michael Saboff  <msaboff@apple.com>
130
131         REGRESSION (r225695): Repro crash on yahoo login page
132         https://bugs.webkit.org/show_bug.cgi?id=180761
133
134         Reviewed by JF Bastien.
135
136         Relanding r225695 with a fix.
137
138         The fix is that we need to save the return address for parentheses in
139         the ParenContext because it is actually used by any immediately contained
140         alternatives.
141
142         Also did a little refactoring, changing occurrences of PatternContext to
143         ParenContext since that is the name of the structure.
144
145         * runtime/RegExp.cpp:
146         (JSC::byteCodeCompilePattern):
147         (JSC::RegExp::byteCodeCompileIfNecessary):
148         (JSC::RegExp::compile):
149         (JSC::RegExp::compileMatchOnly):
150         * runtime/RegExp.h:
151         * runtime/RegExpInlines.h:
152         (JSC::RegExp::matchInline):
153         * testRegExp.cpp:
154         (parseRegExpLine):
155         (runFromFiles):
156         * yarr/Yarr.h:
157         * yarr/YarrInterpreter.cpp:
158         (JSC::Yarr::ByteCompiler::compile):
159         (JSC::Yarr::ByteCompiler::dumpDisjunction):
160         * yarr/YarrJIT.cpp:
161         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
162         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
163         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
164         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
165         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
166         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
167         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
168         (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
169         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
170         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
171         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
172         (JSC::Yarr::YarrGenerator::allocateParenContext):
173         (JSC::Yarr::YarrGenerator::freeParenContext):
174         (JSC::Yarr::YarrGenerator::saveParenContext):
175         (JSC::Yarr::YarrGenerator::restoreParenContext):
176         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
177         (JSC::Yarr::YarrGenerator::storeToFrame):
178         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
179         (JSC::Yarr::YarrGenerator::clearMatches):
180         (JSC::Yarr::YarrGenerator::generate):
181         (JSC::Yarr::YarrGenerator::backtrack):
182         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
183         (JSC::Yarr::YarrGenerator::generateEnter):
184         (JSC::Yarr::YarrGenerator::generateReturn):
185         (JSC::Yarr::YarrGenerator::YarrGenerator):
186         (JSC::Yarr::YarrGenerator::compile):
187         * yarr/YarrJIT.h:
188         (JSC::Yarr::YarrCodeBlock::execute):
189         * yarr/YarrPattern.cpp:
190         (JSC::Yarr::indentForNestingLevel):
191         (JSC::Yarr::dumpUChar32):
192         (JSC::Yarr::dumpCharacterClass):
193         (JSC::Yarr::PatternTerm::dump):
194         (JSC::Yarr::YarrPattern::dumpPattern):
195         * yarr/YarrPattern.h:
196         (JSC::Yarr::PatternTerm::containsAnyCaptures):
197         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
198         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
199         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
200         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
201         (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
202         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
203
204 2017-12-13  Keith Miller  <keith_miller@apple.com>
205
206         JSObjects should have a mask for loading indexed properties
207         https://bugs.webkit.org/show_bug.cgi?id=180768
208
209         Reviewed by Mark Lam.
210
211         This patch adds a new member to JSObject that holds an indexing
212         mask.  The indexing mask is bitwise anded with the index used to
213         load a property.  If for whatever reason an attacker is able to
214         clobber the vectorLength of our butterfly they still won't be able
215         to read substantially past the end of the butterfly. For
216         performance reasons we don't use the indexing masking for
217         TypedArrays. Since TypedArrays are already gigacaged the risk of
218         wild reads is still restricted.
219
220         This patch is a <1% regression on Speedometer and ~3% regression
221         on JetStream in my testing.
222
223         * assembler/MacroAssembler.h:
224         (JSC::MacroAssembler::urshiftPtr):
225         * bytecode/AccessCase.cpp:
226         (JSC::AccessCase::generateImpl):
227         * dfg/DFGAbstractHeap.h:
228         * dfg/DFGClobberize.h:
229         (JSC::DFG::clobberize):
230         * dfg/DFGSpeculativeJIT.cpp:
231         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
232         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
233         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
234         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
235         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
236         (JSC::DFG::SpeculativeJIT::compileArraySlice):
237         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
238         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
239         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
240         * dfg/DFGSpeculativeJIT.h:
241         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
242         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
243         * dfg/DFGSpeculativeJIT32_64.cpp:
244         (JSC::DFG::SpeculativeJIT::compile):
245         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
246         * dfg/DFGSpeculativeJIT64.cpp:
247         (JSC::DFG::SpeculativeJIT::compile):
248         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
249         * ftl/FTLAbstractHeap.cpp:
250         (JSC::FTL::IndexedAbstractHeap::baseIndex):
251         * ftl/FTLAbstractHeap.h:
252         * ftl/FTLAbstractHeapRepository.h:
253         * ftl/FTLLowerDFGToB3.cpp:
254         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
255         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
256         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
257         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
258         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
259         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
260         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
261         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
262         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
263         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
264         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
265         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
266         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
267         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
268         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
269         * ftl/FTLOutput.h:
270         (JSC::FTL::Output::baseIndex):
271         * jit/AssemblyHelpers.h:
272         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
273         (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
274         (JSC::AssemblyHelpers::emitAllocateJSObject):
275         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
276         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
277         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
278         (JSC::AssemblyHelpers::storeButterfly): Deleted.
279         * jit/JITOpcodes.cpp:
280         (JSC::JIT::emit_op_new_object):
281         (JSC::JIT::emit_op_create_this):
282         * jit/JITOpcodes32_64.cpp:
283         (JSC::JIT::emit_op_new_object):
284         (JSC::JIT::emit_op_create_this):
285         * jit/JITPropertyAccess.cpp:
286         (JSC::JIT::emitDoubleLoad):
287         (JSC::JIT::emitContiguousLoad):
288         (JSC::JIT::emitArrayStorageLoad):
289         * llint/LowLevelInterpreter32_64.asm:
290         * llint/LowLevelInterpreter64.asm:
291         * runtime/ArrayStorage.h:
292         (JSC::ArrayStorage::availableVectorLength):
293         * runtime/Butterfly.h:
294         (JSC::ContiguousData::ContiguousData):
295         (JSC::ContiguousData::at const):
296         (JSC::ContiguousData::at):
297         (JSC::Butterfly::publicLength const):
298         (JSC::Butterfly::vectorLength const):
299         (JSC::Butterfly::computeIndexingMaskForVectorLength):
300         (JSC::Butterfly::computeIndexingMask):
301         (JSC::Butterfly::contiguousInt32):
302         (JSC::ContiguousData::operator[] const): Deleted.
303         (JSC::ContiguousData::operator[]): Deleted.
304         (JSC::Butterfly::publicLength): Deleted.
305         (JSC::Butterfly::vectorLength): Deleted.
306         * runtime/ButterflyInlines.h:
307         (JSC::ContiguousData<T>::at const):
308         (JSC::ContiguousData<T>::at):
309         * runtime/ClonedArguments.cpp:
310         (JSC::ClonedArguments::createEmpty):
311         * runtime/JSArray.cpp:
312         (JSC::JSArray::tryCreateUninitializedRestricted):
313         (JSC::JSArray::appendMemcpy):
314         (JSC::JSArray::setLength):
315         (JSC::JSArray::pop):
316         (JSC::JSArray::fastSlice):
317         (JSC::JSArray::shiftCountWithArrayStorage):
318         (JSC::JSArray::shiftCountWithAnyIndexingType):
319         (JSC::JSArray::unshiftCountWithAnyIndexingType):
320         (JSC::JSArray::fillArgList):
321         (JSC::JSArray::copyToArguments):
322         * runtime/JSArrayBufferView.cpp:
323         (JSC::JSArrayBufferView::JSArrayBufferView):
324         * runtime/JSArrayInlines.h:
325         (JSC::JSArray::pushInline):
326         * runtime/JSFixedArray.h:
327         (JSC::JSFixedArray::createFromArray):
328         * runtime/JSGenericTypedArrayViewInlines.h:
329         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
330         * runtime/JSObject.cpp:
331         (JSC::JSObject::getOwnPropertySlotByIndex):
332         (JSC::JSObject::putByIndex):
333         (JSC::JSObject::createInitialInt32):
334         (JSC::JSObject::createInitialDouble):
335         (JSC::JSObject::createInitialContiguous):
336         (JSC::JSObject::convertUndecidedToInt32):
337         (JSC::JSObject::convertUndecidedToDouble):
338         (JSC::JSObject::convertUndecidedToContiguous):
339         (JSC::JSObject::convertInt32ToDouble):
340         (JSC::JSObject::convertInt32ToArrayStorage):
341         (JSC::JSObject::convertDoubleToContiguous):
342         (JSC::JSObject::convertDoubleToArrayStorage):
343         (JSC::JSObject::convertContiguousToArrayStorage):
344         (JSC::JSObject::createInitialForValueAndSet):
345         (JSC::JSObject::deletePropertyByIndex):
346         (JSC::JSObject::getOwnPropertyNames):
347         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
348         (JSC::JSObject::countElements):
349         (JSC::JSObject::ensureLengthSlow):
350         (JSC::JSObject::reallocateAndShrinkButterfly):
351         (JSC::JSObject::getEnumerableLength):
352         * runtime/JSObject.h:
353         (JSC::JSObject::canGetIndexQuickly):
354         (JSC::JSObject::getIndexQuickly):
355         (JSC::JSObject::tryGetIndexQuickly const):
356         (JSC::JSObject::setIndexQuickly):
357         (JSC::JSObject::initializeIndex):
358         (JSC::JSObject::initializeIndexWithoutBarrier):
359         (JSC::JSObject::butterflyIndexingMaskOffset):
360         (JSC::JSObject::butterflyIndexingMask const):
361         (JSC::JSObject::setButterflyWithIndexingMask):
362         (JSC::JSObject::setButterfly):
363         (JSC::JSObject::nukeStructureAndSetButterfly):
364         (JSC::JSObject::JSObject):
365         * runtime/RegExpMatchesArray.h:
366         (JSC::tryCreateUninitializedRegExpMatchesArray):
367         * runtime/Structure.cpp:
368         (JSC::Structure::flattenDictionaryStructure):
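
The mask described in the entry above, as an added example that is not WebKit's own code: a toy of the contiguous-load fast path in C++. The entry does not reproduce Butterfly::computeIndexingMaskForVectorLength, so the mask rule used here (next power of two above vectorLength - 1, minus one) is an assumption, as are all names in the block (ToyObject, indexedLoadOffset, loadFromClobberedObject, the 4096-slot toy heap). It shows why a clobbered vectorLength no longer buys an arbitrary read, and the caveat behind the entry's wording "substantially past": the mask bounds the read to the power-of-two round-up of the honest length, it does not stop a read one or two slots past it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Assumed mask rule (not copied from Butterfly.h): the smallest all-ones value
// that covers every valid index, i.e. the next power of two above
// (vectorLength - 1), minus one. A vectorLength of 0 or 1 yields mask 0.
uint32_t computeIndexingMask(uint32_t vectorLength)
{
    if (vectorLength <= 1)
        return 0;
    uint32_t mask = vectorLength - 1;
    mask |= mask >> 1;   // smear the highest set bit downwards
    mask |= mask >> 2;
    mask |= mask >> 4;
    mask |= mask >> 8;
    mask |= mask >> 16;
    return mask;
}

// Toy model of an object whose butterfly lives inside a larger heap buffer.
// Field names are hypothetical; JSC's JSObject and Butterfly differ.
struct ToyObject {
    uint32_t vectorLength;  // bound checked by the fast path; attacker-controlled in the scenario below
    uint32_t indexingMask;  // cached when the butterfly was installed, from the honest length
    size_t butterflyBase;   // offset of slot 0 inside the toy heap
};

constexpr size_t kHeapCells = 4096;  // size of the toy heap, in slots
constexpr long kRejected = -1;

// Emulates the contiguous-load fast path: bounds check against vectorLength,
// then (if useMask) AND the index with the object's mask before the load.
// Returns the heap slot that would be read, or kRejected.
long indexedLoadOffset(const ToyObject& obj, uint32_t index, bool useMask)
{
    if (index >= obj.vectorLength)
        return kRejected;  // the normal check; useless once vectorLength is clobbered
    uint32_t effective = useMask ? (index & obj.indexingMask) : index;
    size_t offset = obj.butterflyBase + effective;
    if (offset >= kHeapCells)
        return kRejected;  // the toy heap ends here; real memory would fault or leak
    return static_cast<long>(offset);
}

// Honest object: mask and vectorLength agree.
long loadFromHonestObject(uint32_t vectorLength, size_t base, uint32_t index)
{
    ToyObject obj{vectorLength, computeIndexingMask(vectorLength), base};
    return indexedLoadOffset(obj, index, true);
}

// Same object after an attacker overwrote vectorLength with 0xFFFFFFFF.
// The mask was computed from the honest length and is left untouched.
long loadFromClobberedObject(uint32_t honestVectorLength, size_t base, uint32_t index, bool useMask)
{
    ToyObject obj{honestVectorLength, computeIndexingMask(honestVectorLength), base};
    obj.vectorLength = 0xFFFFFFFFu;  // clobbered
    return indexedLoadOffset(obj, index, useMask);
}

// Worst-case distance, in slots, that a masked load can stray from slot 0.
uint32_t maxMaskedReach(uint32_t honestVectorLength)
{
    return computeIndexingMask(honestVectorLength);
}

int main()
{
    // A 5-slot butterfly at slot 1000 of the toy heap; the attacker asks for index 900.
    std::printf("unmasked, clobbered length: slot %ld\n", loadFromClobberedObject(5, 1000, 900, false));  // 1900
    std::printf("masked, clobbered length:   slot %ld\n", loadFromClobberedObject(5, 1000, 900, true));   // 1004
    std::printf("masked, index 6 (past 5):   slot %ld\n", loadFromClobberedObject(5, 1000, 6, true));     // 1006
    std::printf("honest, index 5:            %ld (rejected)\n", loadFromHonestObject(5, 1000, 5));        // -1
    return 0;
}
```

The mask has to be cached when the butterfly is installed (the entry's setButterflyWithIndexingMask) and never recomputed from vectorLength at load time; otherwise the same write that clobbers the length would also widen the mask.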
369
370 2017-12-14  David Kilzer  <ddkilzer@apple.com>
371
372         REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project
373
374         Fixes the following warning during builds:
375
376             Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h
377
378         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
379         entries for JSCPoisonedPtr.h.
380
381 2017-12-14  David Kilzer  <ddkilzer@apple.com>
382
383         REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
384         <https://bugs.webkit.org/show_bug.cgi?id=180738>
385
386         * runtime/InferredValue.h: Attempt to fix build by adding
387         missing #include statements.
388
389 2017-12-13  Filip Pizlo  <fpizlo@apple.com>
390
391         Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
392         https://bugs.webkit.org/show_bug.cgi?id=180783
393
394         Reviewed by Saam Barati.
395         
396         This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:
397         
398             BB#1:
399                 a: Load(@x)
400                 b: Load(@x)
401                 c: Load(@b)
402             BB#2:
403                 d: Load(@b)
404             BB#3:
405                 e: Load(@b)
406         
407         Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
408         with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
409         this:
410
411             BB#1:
412                 a: Load(@x)
413                 b: Load(@x)
414                 c: Load(@a)
415                 memoryAtTail: {@x=>@a, @a=>@c}
416             BB#2:
417                 d: Load(@a) [sic]
418                 memoryAtTail: {@b=>@d}
419             BB#3:
420                 e: Load(@b)
421                 memoryAtTail: {@b=>@e} [sic]
422         
423         Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
424         But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
425         map, we don't find it and leave the redundancy.
426         
427         I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
428         this. It fixes the richards regression, since richards is super dependent on B3 CSE.
429
430         * b3/B3EliminateCommonSubexpressions.cpp: Logging.
431         * b3/B3Generate.cpp:
432         (JSC::B3::generateToAir): Fix the bug.
433         * b3/air/AirReportUsedRegisters.cpp:
434         (JSC::B3::Air::reportUsedRegisters): Logging.
435         * dfg/DFGByteCodeParser.cpp:
436         * dfg/DFGSSAConversionPhase.cpp:
437         (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
438         * ftl/FTLLowerDFGToB3.cpp:
439         (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
440
441 2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>
442
443         REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
444         https://bugs.webkit.org/show_bug.cgi?id=180787
445         <rdar://problem/35934838>
446
447         Reviewed by Brian Burg.
448
449         * inspector/ContentSearchUtilities.cpp:
450         (Inspector::ContentSearchUtilities::findMagicComment):
451         For empty / null strings just return. There is no use
452         trying to search them for a long common syntax.
453
454 2017-12-13  Saam Barati  <sbarati@apple.com>
455
456         Arrow functions need their own structure because they have different properties than sloppy functions
457         https://bugs.webkit.org/show_bug.cgi?id=180779
458         <rdar://problem/35814591>
459
460         Reviewed by Mark Lam.
461
462         We were using the same structure for sloppy functions and
463         arrow functions. This broke our IC caching machinery because
464         these two types of functions actually have different properties.
465         This patch gives them different structures.
466
467         * dfg/DFGAbstractInterpreterInlines.h:
468         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
469         * dfg/DFGSpeculativeJIT.cpp:
470         (JSC::DFG::SpeculativeJIT::compileNewFunction):
471         * ftl/FTLLowerDFGToB3.cpp:
472         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
473         * runtime/FunctionConstructor.cpp:
474         (JSC::constructFunctionSkippingEvalEnabledCheck):
475         * runtime/JSFunction.cpp:
476         (JSC::JSFunction::selectStructureForNewFuncExp):
477         (JSC::JSFunction::create):
478         * runtime/JSFunction.h:
479         * runtime/JSFunctionInlines.h:
480         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
481         * runtime/JSGlobalObject.cpp:
482         (JSC::JSGlobalObject::init):
483         (JSC::JSGlobalObject::visitChildren):
484         * runtime/JSGlobalObject.h:
485         (JSC::JSGlobalObject::arrowFunctionStructure const):
486
487 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
488
489         InferredValue should use IsoSubspace
490         https://bugs.webkit.org/show_bug.cgi?id=180738
491
492         Reviewed by Keith Miller.
493         
494         This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
495         its UnconditionalFinalizer.
496
497         * JavaScriptCore.xcodeproj/project.pbxproj:
498         * heap/Heap.cpp:
499         (JSC::Heap::finalizeUnconditionalFinalizers):
500         * runtime/InferredValue.cpp:
501         (JSC::InferredValue::visitChildren):
502         (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
503         (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
504         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
505         * runtime/InferredValue.h:
506         (JSC::InferredValue::subspaceFor):
507         * runtime/InferredValueInlines.h: Added.
508         (JSC::InferredValue::finalizeUnconditionally):
509         * runtime/VM.cpp:
510         (JSC::VM::VM):
511         * runtime/VM.h:
512
513 2017-12-13  Devin Rousso  <webkit@devinrousso.com>
514
515         Web Inspector: add instrumentation for ImageBitmapRenderingContext
516         https://bugs.webkit.org/show_bug.cgi?id=180736
517
518         Reviewed by Joseph Pecoraro.
519
520         * inspector/protocol/Canvas.json:
521         * inspector/scripts/codegen/generator.py:
522
523 2017-12-13  Saam Barati  <sbarati@apple.com>
524
525         Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
526         https://bugs.webkit.org/show_bug.cgi?id=180771
527
528         Reviewed by JF Bastien.
529
530         * dfg/DFGTypeCheckHoistingPhase.cpp:
531         (JSC::DFG::TypeCheckHoistingPhase::run):
532
533 2017-12-13  Saam Barati  <sbarati@apple.com>
534
535         REGRESSION(r225844): Around 850 new JSC failures on 32-bit
536         https://bugs.webkit.org/show_bug.cgi?id=180764
537
538         Unreviewed. We should only emit CheckStructureOrEmpty on 64-bit platforms.
539
540         * dfg/DFGTypeCheckHoistingPhase.cpp:
541         (JSC::DFG::TypeCheckHoistingPhase::run):
542
543 2017-12-13  Michael Saboff  <msaboff@apple.com>
544
545         Unreviewed rollout of r225695. Caused a crash on yahoo login page.
546
547         That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.
548
549         * runtime/RegExp.cpp:
550         (JSC::RegExp::compile):
551         (JSC::RegExp::compileMatchOnly):
552         (JSC::byteCodeCompilePattern): Deleted.
553         (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
554         * runtime/RegExp.h:
555         * runtime/RegExpInlines.h:
556         (JSC::RegExp::matchInline):
557         * testRegExp.cpp:
558         (parseRegExpLine):
559         (runFromFiles):
560         * yarr/Yarr.h:
561         * yarr/YarrInterpreter.cpp:
562         (JSC::Yarr::ByteCompiler::compile):
563         (JSC::Yarr::ByteCompiler::dumpDisjunction):
564         (JSC::Yarr::ByteCompiler::emitDisjunction):
565         * yarr/YarrJIT.cpp:
566         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
567         (JSC::Yarr::YarrGenerator::generate):
568         (JSC::Yarr::YarrGenerator::backtrack):
569         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
570         (JSC::Yarr::YarrGenerator::generateEnter):
571         (JSC::Yarr::YarrGenerator::generateReturn):
572         (JSC::Yarr::YarrGenerator::YarrGenerator):
573         (JSC::Yarr::YarrGenerator::compile):
574         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
575         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
576         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
577         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
578         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
579         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
580         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
581         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
582         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
583         (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
584         (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
585         (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
586         (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
587         (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
588         (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
589         (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
590         * yarr/YarrJIT.h:
591         (JSC::Yarr::YarrCodeBlock::execute):
592         * yarr/YarrPattern.cpp:
593         (JSC::Yarr::indentForNestingLevel):
594         (JSC::Yarr::dumpUChar32):
595         (JSC::Yarr::PatternTerm::dump):
596         (JSC::Yarr::YarrPattern::dumpPattern):
597         (JSC::Yarr::dumpCharacterClass): Deleted.
598         * yarr/YarrPattern.h:
599         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
600         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
601         (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
602         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
603         (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
604         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
605         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
606         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
607
608 2017-12-13  Mark Lam  <mark.lam@apple.com>
609
610         Fill out some Poisoned APIs, fix some bugs, and add some tests.
611         https://bugs.webkit.org/show_bug.cgi?id=180724
612         <rdar://problem/36006884>
613
614         Reviewed by JF Bastien.
615
616         * runtime/StructureTransitionTable.h:
617
618 2017-12-13  Caio Lima  <ticaiolima@gmail.com>
619
620         [ESNext][BigInt] Breaking tests on Debug build and 32-bit due to missing Exception check
621         https://bugs.webkit.org/show_bug.cgi?id=180746
622
623         Reviewed by Saam Barati.
624
625         We have some uncaught exceptions that could happen due to OOM in
626         JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch
627         catches such exceptions properly.
628
629         * runtime/JSBigInt.cpp:
630         (JSC::JSBigInt::allocateFor):
631         (JSC::JSBigInt::parseInt):
632         * runtime/JSCJSValue.cpp:
633         (JSC::JSValue::toStringSlowCase const):
634
635 2017-12-13  Saam Barati  <sbarati@apple.com>
636
637         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
638         https://bugs.webkit.org/show_bug.cgi?id=163579
639         <rdar://problem/35455798>
640
641         Reviewed by Mark Lam.
642
643         Some functions in JavaScript do not have the "caller" and "arguments" properties.
644         For example, strict functions do not. When reading our code that dealt with these
645         types of functions, it was simply all wrong. We were doing weird things depending
646         on the method table hook. This patch fixes this by doing what we should've been
647         doing all along: when the JSFunction does not own the "caller"/"arguments" property,
648         it should defer to its base class implementation for the various method table hooks.
649
650         * runtime/JSFunction.cpp:
651         (JSC::JSFunction::put):
652         (JSC::JSFunction::deleteProperty):
653         (JSC::JSFunction::defineOwnProperty):
654
655 2017-12-13  Saam Barati  <sbarati@apple.com>
656
657         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
658         https://bugs.webkit.org/show_bug.cgi?id=180734
659         <rdar://problem/35640547>
660
661         Reviewed by Yusuke Suzuki.
662
663         The |this| value may be TDZ. If type check hoisting phase
664         hoists a CheckStructure to it, it will crash. This patch
665         makes it so we emit CheckStructureOrEmpty for |this|.
666
667         * dfg/DFGTypeCheckHoistingPhase.cpp:
668         (JSC::DFG::TypeCheckHoistingPhase::run):
669
670 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
671
672         [JSC] Optimize Object.assign by single transition acceleration
673         https://bugs.webkit.org/show_bug.cgi?id=180644
674
675         Reviewed by Saam Barati.
676
677         Handling the single transition case is critical. Since this get() function is only used
678         by two functions in Structure.cpp and is quite small, we can annotate it `inline`
679         to accelerate it.
680
681         This improves SixSpeed/object-assign.es6 by 2.8%.
682
683                                     baseline                  patched
684
685         object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster
686
687         * runtime/Structure.cpp:
688         (JSC::StructureTransitionTable::get const):
689
690 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
691
692         Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
693         https://bugs.webkit.org/show_bug.cgi?id=180732
694
695         Rubber stamped by Mark Lam.
696         
697         We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
698         scalable enough to support that, so we should do it carefully.
699
700         * heap/MarkedSpace.cpp:
701         * runtime/PropertyMapHashTable.h:
702         * runtime/Structure.h:
703         * runtime/StructureRareData.h:
704         * runtime/VM.cpp:
705         (JSC::VM::VM):
706         * runtime/VM.h:
707
708 2017-12-12  Saam Barati  <sbarati@apple.com>
709
710         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
711         https://bugs.webkit.org/show_bug.cgi?id=180725
712         <rdar://problem/35970511>
713
714         Reviewed by Michael Saboff.
715
716         * dfg/DFGClobberize.h:
717         (JSC::DFG::clobberize):
718         * dfg/DFGPreciseLocalClobberize.h:
719         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
720
721 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
722
723         [JSC] Implement optimized WeakMap and WeakSet
724         https://bugs.webkit.org/show_bug.cgi?id=179929
725
726         Reviewed by Saam Barati.
727
728         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
729         This is similar to HashMapImpl. But,
730
731         1. WeakMapImpl's bucket is not allocated in GC heap since WeakMap
732         does not need to have iterators.
733
734         2. WeakMapImpl's buffer is allocated in JSValue Gigacage instead
735         of auxiliary buffer. This is because we would like to allocate buffer
736         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
737         shrinks it if necessary. However, allocating from the GC heap during
738         finalization is not allowed.
739
740         In particular, (2) is important since it ensures any WeakMap operations
741         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
742         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
743         do not cause GC makes our implementation simple. To ensure this, we place
744         DisallowGC for each WeakMap's interface.
745
746         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
747         WeakMapGet looks up an entry in WeakMapImpl and returns a value. If it is a
748         WeakMap, it returns the value, and if it is a WeakSet it returns the key. If it
749         does not find a corresponding entry, it returns JSEmpty.
750         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
751
752         This patch improves WeakMap and WeakSet operations.
753
754                                      baseline                  patched
755
756             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
757             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
758
759         * JavaScriptCore.xcodeproj/project.pbxproj:
760         * Sources.txt:
761         * dfg/DFGAbstractHeap.h:
762         * dfg/DFGAbstractInterpreterInlines.h:
763         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
764         * dfg/DFGByteCodeParser.cpp:
765         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
766         * dfg/DFGClobberize.h:
767         (JSC::DFG::clobberize):
768         * dfg/DFGDoesGC.cpp:
769         (JSC::DFG::doesGC):
770         * dfg/DFGFixupPhase.cpp:
771         (JSC::DFG::FixupPhase::fixupNode):
772         * dfg/DFGNode.h:
773         (JSC::DFG::Node::hasHeapPrediction):
774         * dfg/DFGNodeType.h:
775         * dfg/DFGOperations.cpp:
776         * dfg/DFGOperations.h:
777         * dfg/DFGPredictionPropagationPhase.cpp:
778         * dfg/DFGSafeToExecute.h:
779         (JSC::DFG::safeToExecute):
780         * dfg/DFGSpeculativeJIT.cpp:
781         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
782         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
783         * dfg/DFGSpeculativeJIT.h:
784         * dfg/DFGSpeculativeJIT32_64.cpp:
785         (JSC::DFG::SpeculativeJIT::compile):
786         * dfg/DFGSpeculativeJIT64.cpp:
787         (JSC::DFG::SpeculativeJIT::compile):
788         * ftl/FTLAbstractHeapRepository.h:
789         * ftl/FTLCapabilities.cpp:
790         (JSC::FTL::canCompile):
791         * ftl/FTLLowerDFGToB3.cpp:
792         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
793         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
794         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
795         * inspector/JSInjectedScriptHost.cpp:
796         (Inspector::JSInjectedScriptHost::weakMapEntries):
797         (Inspector::JSInjectedScriptHost::weakSetEntries):
798         The existing code is incorrect: it can run GC and break WeakMap's iterator.
799         We introduce takeSnapshot function to WeakMapImpl, which retrieves live
800         entries without causing any GC.
801
802         * runtime/HashMapImpl.h:
803         (JSC::shouldShrink):
804         (JSC::shouldRehashAfterAdd):
805         (JSC::nextCapacity):
806         (JSC::HashMapImpl::shouldRehashAfterAdd const):
807         (JSC::HashMapImpl::shouldShrink const):
808         (JSC::HashMapImpl::rehash):
809         (JSC::WeakMapHash::hash): Deleted.
810         (JSC::WeakMapHash::equal): Deleted.
811         * runtime/Intrinsic.cpp:
812         (JSC::intrinsicName):
813         * runtime/Intrinsic.h:
814         * runtime/JSWeakMap.cpp:
815         * runtime/JSWeakMap.h:
816         * runtime/JSWeakSet.cpp:
817         * runtime/JSWeakSet.h:
818         * runtime/VM.cpp:
819         * runtime/WeakGCMap.h:
820         (JSC::WeakGCMap::forEach): Deleted.
821         * runtime/WeakMapBase.cpp: Removed.
822         * runtime/WeakMapBase.h: Removed.
823         * runtime/WeakMapConstructor.cpp:
824         (JSC::constructWeakMap):
825         * runtime/WeakMapImpl.cpp: Added.
826         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
827         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
828         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
829         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
830         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
831         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
832         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
833         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
834         * runtime/WeakMapImpl.h: Added.
835         (JSC::jsWeakMapHash):
836         (JSC::nextCapacityAfterRemoveBatching):
837         (JSC::WeakMapBucket::setKey):
838         (JSC::WeakMapBucket::setValue):
839         (JSC::WeakMapBucket::key const):
840         (JSC::WeakMapBucket::value const):
841         (JSC::WeakMapBucket::copyFrom):
842         (JSC::WeakMapBucket::offsetOfKey):
843         (JSC::WeakMapBucket::offsetOfValue):
844         (JSC::WeakMapBucket::extractValue):
845         (JSC::WeakMapBucket::isEmpty):
846         (JSC::WeakMapBucket::deletedKey):
847         (JSC::WeakMapBucket::isDeleted):
848         (JSC::WeakMapBucket::makeDeleted):
849         (JSC::WeakMapBucket::visitAggregate):
850         (JSC::WeakMapBucket::clearValue):
851         (JSC::WeakMapBuffer::allocationSize):
852         (JSC::WeakMapBuffer::buffer const):
853         (JSC::WeakMapBuffer::create):
854         (JSC::WeakMapBuffer::reset):
855         (JSC::WeakMapImpl::WeakMapImpl):
856         (JSC::WeakMapImpl::finishCreation):
857         (JSC::WeakMapImpl::get):
858         (JSC::WeakMapImpl::has):
859         (JSC::WeakMapImpl::add):
860         (JSC::WeakMapImpl::remove):
861         (JSC::WeakMapImpl::size const):
862         (JSC::WeakMapImpl::offsetOfBuffer):
863         (JSC::WeakMapImpl::offsetOfCapacity):
864         (JSC::WeakMapImpl::findBucket):
865         (JSC::WeakMapImpl::buffer const):
866         (JSC::WeakMapImpl::forEach):
867         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
868         (JSC::WeakMapImpl::shouldShrink const):
869         (JSC::WeakMapImpl::canUseBucket):
870         (JSC::WeakMapImpl::addInternal):
871         (JSC::WeakMapImpl::findBucketAlreadyHashed):
872         (JSC::WeakMapImpl::rehash):
873         (JSC::WeakMapImpl::checkConsistency const):
874         (JSC::WeakMapImpl::makeAndSetNewBuffer):
875         (JSC::WeakMapImpl::assertBufferIsEmpty const):
876         (JSC::WeakMapImpl::DeadKeyCleaner::target):
877         * runtime/WeakMapPrototype.cpp:
878         (JSC::WeakMapPrototype::finishCreation):
879         (JSC::protoFuncWeakMapGet):
880         (JSC::protoFuncWeakMapHas):
881         * runtime/WeakSetConstructor.cpp:
882         (JSC::constructWeakSet):
883         * runtime/WeakSetPrototype.cpp:
884         (JSC::WeakSetPrototype::finishCreation):
885         (JSC::protoFuncWeakSetHas):
886         (JSC::protoFuncWeakSetAdd):
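
The entry above describes an open-addressing table whose buckets live outside the GC heap, whose dead keys are pruned and the table shrunk during finalization without allocating, whose lookups return a JSEmpty sentinel that ExtractValueFromWeakMapGet turns into undefined, and whose inspector path copies live entries out with takeSnapshot. The following is an added illustration of that shape written for this page; it is not JSC's WeakMapImpl, and Cell, Value, WeakTable and the 'marked' flag are stand-ins for JSCell, JSValue, the real class and GC mark bits:

```cpp
#include <cstddef>
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

// Stand-in for a GC cell: 'marked' models whether it survived the last collection.
struct Cell { bool marked = true; };

// Tri-state result: Empty (no entry; never visible to script), Undefined, or a payload.
struct Value {
    enum Kind { Empty, Undefined, Payload };
    Kind kind;
    int64_t payload;
    Value(Kind k = Undefined, int64_t p = 0) : kind(k), payload(p) {}
    static Value empty() { return Value(Empty); }
    static Value of(int64_t v) { return Value(Payload, v); }
    bool isEmpty() const { return kind == Empty; }
};

// Models ExtractValueFromWeakMapGet: the sentinel becomes undefined at the script boundary.
inline Value extractValueFromWeakMapGet(Value v) { return v.isEmpty() ? Value() : v; }

class WeakTable {
public:
    explicit WeakTable(size_t capacity = 4) { reset(capacity); }

    Value get(Cell* key) const { const Bucket* b = findBucket(key); return b ? b->value : Value::empty(); }
    bool has(Cell* key) const { return findBucket(key) != nullptr; }

    void add(Cell* key, Value value) {
        if (Bucket* b = findBucket(key)) { b->value = value; return; }
        if (shouldRehashAfterAdd()) rehash(m_capacity * 2);   // grow before probing for a free slot
        addInternal(key, value);
    }

    bool remove(Cell* key) {
        Bucket* b = findBucket(key);
        if (!b) return false;
        makeDeleted(*b);
        return true;
    }

    // Finalization step: drop entries whose key died, then shrink if the table is sparse.
    // Nothing here allocates from the GC heap, which is the constraint the entry describes.
    void pruneDeadKeys() {
        for (Bucket& b : m_buffer)
            if (isLive(b) && !b.key->marked) makeDeleted(b);
        if (shouldShrink()) rehash(m_capacity / 2);
    }

    // Copies live entries out for an inspector without touching GC state.
    std::vector<std::pair<Cell*, Value>> takeSnapshot() const {
        std::vector<std::pair<Cell*, Value>> out;
        for (const Bucket& b : m_buffer) if (isLive(b)) out.emplace_back(b.key, b.value);
        return out;
    }

    size_t size() const { return m_keyCount; }
    size_t capacity() const { return m_capacity; }

private:
    struct Bucket { Cell* key = nullptr; Value value = Value::empty(); };

    static Cell* deletedKey() { return reinterpret_cast<Cell*>(uintptr_t(-1)); }   // tombstone marker
    static bool isLive(const Bucket& b) { return b.key != nullptr && b.key != deletedKey(); }
    static size_t hashKey(Cell* key) { return std::hash<Cell*>()(key); }

    // Keep load (live + tombstones) at or below half so a linear probe always finds an empty slot.
    bool shouldRehashAfterAdd() const { return (m_keyCount + m_deleteCount + 1) * 2 > m_capacity; }
    bool shouldShrink() const { return m_capacity > 4 && m_keyCount * 6 < m_capacity; }

    void makeDeleted(Bucket& b) { b.key = deletedKey(); b.value = Value::empty(); ++m_deleteCount; --m_keyCount; }

    const Bucket* findBucket(Cell* key) const {
        size_t mask = m_capacity - 1;
        for (size_t i = hashKey(key) & mask;; i = (i + 1) & mask) {
            const Bucket& b = m_buffer[i];
            if (b.key == nullptr) return nullptr;   // empty slot ends the probe chain; tombstones are skipped
            if (b.key == key) return &b;
        }
    }
    Bucket* findBucket(Cell* key) { return const_cast<Bucket*>(static_cast<const WeakTable&>(*this).findBucket(key)); }

    void addInternal(Cell* key, Value value) {
        size_t mask = m_capacity - 1;
        for (size_t i = hashKey(key) & mask;; i = (i + 1) & mask) {
            Bucket& b = m_buffer[i];
            if (isLive(b)) continue;
            if (b.key == deletedKey()) --m_deleteCount;      // reusing a tombstone
            b.key = key; b.value = value; ++m_keyCount;
            return;
        }
    }

    void rehash(size_t newCapacity) {
        std::vector<Bucket> old = std::move(m_buffer);
        reset(newCapacity);                                   // capacity stays a power of two
        for (const Bucket& b : old) if (isLive(b)) addInternal(b.key, b.value);
    }
    void reset(size_t capacity) { m_capacity = capacity; m_buffer.assign(capacity, Bucket()); m_keyCount = m_deleteCount = 0; }

    std::vector<Bucket> m_buffer;
    size_t m_capacity = 0, m_keyCount = 0, m_deleteCount = 0;
};
```

The load bound in shouldRehashAfterAdd counts tombstones as well as live keys, which is what guarantees the unbounded probe loops in findBucket and addInternal always hit an empty slot; pruneDeadKeys only shrinks by one step per pass, so a burst of dead keys cannot trigger repeated reallocation inside a single finalization.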
887
888 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
889
890         It should be possible to flag a cell for unconditional finalization
891         https://bugs.webkit.org/show_bug.cgi?id=180636
892
893         Reviewed by Saam Barati.
894         
895         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
896         global linked list - but they had some nice properties:
897         
898         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
899           survived and needed it.
900             -> Just needing it wasn't enough.
901             -> Just surviving wasn't enough.
902         
903         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
904         finalizer logic to be invoked. I think that's not great. InferredType got around this by
905         making InferredStructure a cell, but this was a gross hack. For one, it meant that
906         InferredStructure would survive during the GC in which its finalizer obviated the need for its
907         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
908         thing that turns out to be subtly broken.
909         
910         We really need to have a way of indicating when you have entered into the state that requires
911         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
912         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
913         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
914         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
915         another level to say which atoms within a MarkedBlock have unconditional finalizers.
916         
917         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
918         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
919         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
920         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
921         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
922         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
923         it makes sense to have a handful per subspace max. This change only needs one per subspace,
924         but you could imagine more if we do this for WeakReferenceHarvester.
925         
926         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
927         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
928         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
929         both survive and need it for the hardest work to take place. The work of adding does involve
930         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
931         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
932         However, it's perfect for running in parallel since the only write operations are to widely
933         dispersed cache lines that contain the bits underlying the set.
934         
935         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
936         that need unconditional finalizers, and only touches the memory of marked objects that have
937         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
938         previously found that this speeds up walking over a lot of objects when I made similar changes
939         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
940         HashSet).
941         
942         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
943         
944         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
945         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
946         IsoSubspace in more places.
947
948         * JavaScriptCore.xcodeproj/project.pbxproj:
949         * Sources.txt:
950         * heap/AtomIndices.h: Added.
951         (JSC::AtomIndices::AtomIndices):
952         * heap/Heap.cpp:
953         (JSC::Heap::finalizeUnconditionalFinalizers):
954         * heap/Heap.h:
955         * heap/IsoCellSet.cpp: Added.
956         (JSC::IsoCellSet::IsoCellSet):
957         (JSC::IsoCellSet::~IsoCellSet):
958         (JSC::IsoCellSet::addSlow):
959         (JSC::IsoCellSet::didResizeBits):
960         (JSC::IsoCellSet::didRemoveBlock):
961         (JSC::IsoCellSet::sweepToFreeList):
962         * heap/IsoCellSet.h: Added.
963         * heap/IsoCellSetInlines.h: Added.
964         (JSC::IsoCellSet::add):
965         (JSC::IsoCellSet::remove):
966         (JSC::IsoCellSet::contains const):
967         (JSC::IsoCellSet::forEachMarkedCell):
968         * heap/IsoSubspace.cpp:
969         (JSC::IsoSubspace::didResizeBits):
970         (JSC::IsoSubspace::didRemoveBlock):
971         (JSC::IsoSubspace::didBeginSweepingToFreeList):
972         * heap/IsoSubspace.h:
973         * heap/MarkedAllocator.cpp:
974         (JSC::MarkedAllocator::addBlock):
975         (JSC::MarkedAllocator::removeBlock):
976         * heap/MarkedAllocator.h:
977         * heap/MarkedAllocatorInlines.h:
978         * heap/MarkedBlock.cpp:
979         (JSC::MarkedBlock::Handle::sweep):
980         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
981         * heap/MarkedBlock.h:
982         (JSC::MarkedBlock::marks const):
983         (JSC::MarkedBlock::Handle::newlyAllocated const):
984         * heap/MarkedBlockInlines.h:
985         (JSC::MarkedBlock::Handle::isAllocated):
986         (JSC::MarkedBlock::Handle::isEmpty):
987         (JSC::MarkedBlock::Handle::emptyMode):
988         (JSC::MarkedBlock::Handle::forEachMarkedCell):
989         * heap/Subspace.cpp:
990         (JSC::Subspace::didResizeBits):
991         (JSC::Subspace::didRemoveBlock):
992         (JSC::Subspace::didBeginSweepingToFreeList):
993         * heap/Subspace.h:
994         * heap/SubspaceInlines.h:
995         (JSC::Subspace::forEachMarkedCell):
996         * runtime/InferredStructure.cpp:
997         (JSC::InferredStructure::InferredStructure):
998         (JSC::InferredStructure::create): Deleted.
999         (JSC::InferredStructure::destroy): Deleted.
1000         (JSC::InferredStructure::createStructure): Deleted.
1001         (JSC::InferredStructure::visitChildren): Deleted.
1002         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
1003         (JSC::InferredStructure::finishCreation): Deleted.
1004         * runtime/InferredStructure.h:
1005         * runtime/InferredStructureWatchpoint.cpp:
1006         (JSC::InferredStructureWatchpoint::fireInternal):
1007         * runtime/InferredType.cpp:
1008         (JSC::InferredType::visitChildren):
1009         (JSC::InferredType::willStoreValueSlow):
1010         (JSC::InferredType::makeTopSlow):
1011         (JSC::InferredType::set):
1012         (JSC::InferredType::removeStructure):
1013         (JSC::InferredType::finalizeUnconditionally):
1014         * runtime/InferredType.h:
1015         * runtime/VM.cpp:
1016         (JSC::VM::VM):
1017         * runtime/VM.h:
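
The entry above explains the IsoCellSet idea: a two-level bitvector (one bit per block saying whether the block holds any members, one bit per atom within the block), add/remove/contains usable from any thread as a load chain ending in an atomic RMW, and a forEachMarkedCell that skips blocks with no members and touches only marked cells. The block below is an added illustration of that structure for this page, not JSC's IsoCellSet; Block, CellSet, the 64-atom block size and the sweep hook are simplified stand-ins for MarkedBlock, the allocator-coupled set and sweepToFreeList:

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <utility>
#include <vector>

constexpr size_t atomsPerBlock = 64;   // one 64-bit word of atom bits per block

// Stand-in for a MarkedBlock: the collector sets mark bits for live cells.
struct Block {
    std::atomic<uint64_t> marks{0};
    void mark(size_t atom) { marks.fetch_or(uint64_t(1) << atom); }
};

// Two-level membership set: level 1 says which blocks may hold members,
// level 2 says which atoms within each block are members.
class CellSet {
public:
    explicit CellSet(size_t blockCount)
        : m_blockBits((blockCount + 63) / 64), m_atomBits(blockCount) {}

    // Safe from any thread while no forEachMarkedCell is running: load the atom word
    // and only if the bit is clear perform the atomic read-modify-write.
    void add(size_t block, size_t atom) {
        uint64_t bit = uint64_t(1) << atom;
        if (m_atomBits[block].load(std::memory_order_relaxed) & bit) return;
        m_atomBits[block].fetch_or(bit);
        uint64_t blockBit = uint64_t(1) << (block % 64);
        if (!(m_blockBits[block / 64].load(std::memory_order_relaxed) & blockBit))
            m_blockBits[block / 64].fetch_or(blockBit);
    }
    void remove(size_t block, size_t atom) { m_atomBits[block].fetch_and(~(uint64_t(1) << atom)); }
    bool contains(size_t block, size_t atom) const { return m_atomBits[block].load() & (uint64_t(1) << atom); }

    // Sweep hook: cells that did not survive leave the set, so the set never refers to freed memory.
    void sweep(size_t block, const Block& b) { m_atomBits[block].fetch_and(b.marks.load()); }

    // Visits marked members in address order, skipping blocks with no members and never
    // touching cells that are unmarked. Returns the number of cells visited.
    size_t forEachMarkedCell(const std::vector<Block>& blocks,
                             const std::function<void(size_t, size_t)>& func) {
        size_t visited = 0;
        for (size_t w = 0; w < m_blockBits.size(); ++w) {
            uint64_t blockWord = m_blockBits[w].load();
            for (size_t i = 0; i < 64 && blockWord; ++i) {
                if (!(blockWord & (uint64_t(1) << i))) continue;
                size_t block = w * 64 + i;
                uint64_t members = m_atomBits[block].load();
                if (!members) {                       // stale level-1 bit: clear it and move on
                    m_blockBits[w].fetch_and(~(uint64_t(1) << i));
                    continue;
                }
                uint64_t live = members & blocks[block].marks.load();
                for (size_t atom = 0; atom < atomsPerBlock; ++atom)
                    if (live & (uint64_t(1) << atom)) { func(block, atom); ++visited; }
            }
        }
        return visited;
    }

private:
    std::vector<std::atomic<uint64_t>> m_blockBits;   // level 1: one bit per block
    std::vector<std::atomic<uint64_t>> m_atomBits;    // level 2: one word per block
};
```

Because remove only clears the atom bit, the level-1 bit can go stale; forEachMarkedCell repairs it lazily when it finds an empty word, which keeps remove a single atomic operation. The sweep hook is what makes the set safe to consult after a collection: anything unmarked is dropped before its memory can be reused.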
1018
1019 2017-12-12  Saam Barati  <sbarati@apple.com>
1020
1021         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1022         https://bugs.webkit.org/show_bug.cgi?id=180723
1023         <rdar://problem/35859726>
1024
1025         Reviewed by JF Bastien.
1026
1027         * dfg/DFGConstantFoldingPhase.cpp:
1028         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1029
1030 2017-12-04  Brian Burg  <bburg@apple.com>
1031
1032         Web Inspector: modernize InjectedScript a bit
1033         https://bugs.webkit.org/show_bug.cgi?id=180367
1034
1035         Reviewed by Timothy Hatcher.
1036
1037         Stop using out parameters passed by pointer, use references instead.
1038         Stop using OptOutput<T> in favor of std::optional where possible.
1039         If there is only one out-parameter and a void return type, then return the value.
1040
1041         * inspector/InjectedScript.h:
1042         * inspector/InjectedScript.cpp:
1043         (Inspector::InjectedScript::evaluate):
1044         (Inspector::InjectedScript::callFunctionOn):
1045         (Inspector::InjectedScript::evaluateOnCallFrame):
1046         (Inspector::InjectedScript::getFunctionDetails):
1047         (Inspector::InjectedScript::functionDetails):
1048         (Inspector::InjectedScript::getPreview):
1049         (Inspector::InjectedScript::getProperties):
1050         (Inspector::InjectedScript::getDisplayableProperties):
1051         (Inspector::InjectedScript::getInternalProperties):
1052         (Inspector::InjectedScript::getCollectionEntries):
1053         (Inspector::InjectedScript::saveResult):
1054         (Inspector::InjectedScript::setExceptionValue):
1055         (Inspector::InjectedScript::clearExceptionValue):
1056         (Inspector::InjectedScript::inspectObject):
1057         (Inspector::InjectedScript::releaseObject):
1058
1059         * inspector/InjectedScriptBase.h:
1060         * inspector/InjectedScriptBase.cpp:
1061         (Inspector::InjectedScriptBase::InjectedScriptBase):
1062         Declare m_environment with a default initializer.
1063
1064         (Inspector::InjectedScriptBase::makeCall):
1065         (Inspector::InjectedScriptBase::makeEvalCall):
1066         Just return the result, no need for an out-parameter.
1067         Rearrange some code paths now that we can just return a result.
1068         Return a Ref<JSON::Value> since it is either a result value or error value.
1069         Use out_ prefixes in a few places to improve readability.
1070
1071         * inspector/agents/InspectorDebuggerAgent.cpp:
1072         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1073         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1074         * inspector/agents/InspectorHeapAgent.cpp:
1075         (Inspector::InspectorHeapAgent::getPreview):
1076         * inspector/agents/InspectorRuntimeAgent.cpp:
1077         (Inspector::InspectorRuntimeAgent::evaluate):
1078         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1079         (Inspector::InspectorRuntimeAgent::getPreview):
1080         (Inspector::InspectorRuntimeAgent::getProperties):
1081         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1082         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1083         (Inspector::InspectorRuntimeAgent::saveResult):
1084         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
1085         and std::optional until the former is removed from generated method signatures.
1086
1087 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1088
1089         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1090         https://bugs.webkit.org/show_bug.cgi?id=179000
1091
1092         Reviewed by Darin Adler and Yusuke Suzuki.
1093
1094         This patch starts the implementation of the BigInt primitive in
1095         JavaScriptCore. We are introducing the BigInt primitive and
1096         implementing it in JSBigInt, a subclass of JSCell, with the [[BigIntData]]
1097         field implemented contiguously in memory as inline storage of JSBigInt to
1098         take advantage of cache locality for performance. The
1099         implementation allows 64-bit or 32-bit arithmetic operations.
1100         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1101         m_length that keeps track of the BigInt length.
1102         The implementation follows the V8 one. [[BigIntData]] is manipulated
1103         by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1104         We also have some operations to support arithmetic over digits.
1105
1106         It is important to notice that in our representation,
1107         JSBigInt::dataStorage()[0] represents the least significant digit and
1108         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1109
1110         We are also introducing in this patch the BigInt literals lexer and
1111         syntax parsing support. The Strict Equals operation on BigInts is also being
1112         implemented to enable tests.
1113         These features are being implemented behind a runtime flag "--useBigInt" and
1114         are disabled by default.
1115
1116         * JavaScriptCore.xcodeproj/project.pbxproj:
1117         * Sources.txt:
1118         * bytecode/CodeBlock.cpp:
1119         * bytecompiler/BytecodeGenerator.cpp:
1120         (JSC::BytecodeGenerator::emitEqualityOp):
1121         (JSC::BytecodeGenerator::addBigIntConstant):
1122         * bytecompiler/BytecodeGenerator.h:
1123         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1124         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1125         * bytecompiler/NodesCodegen.cpp:
1126         (JSC::BigIntNode::jsValue const):
1127         * dfg/DFGAbstractInterpreterInlines.h:
1128         (JSC::DFG::isToThisAnIdentity):
1129         * interpreter/Interpreter.cpp:
1130         (JSC::sizeOfVarargs):
1131         * llint/LLIntData.cpp:
1132         (JSC::LLInt::Data::performAssertions):
1133         * llint/LowLevelInterpreter.asm:
1134         * parser/ASTBuilder.h:
1135         (JSC::ASTBuilder::createBigInt):
1136         * parser/Lexer.cpp:
1137         (JSC::Lexer<T>::parseBinary):
1138         (JSC::Lexer<T>::parseOctal):
1139         (JSC::Lexer<T>::parseDecimal):
1140         (JSC::Lexer<T>::lex):
1141         (JSC::Lexer<T>::parseHex): Deleted.
1142         * parser/Lexer.h:
1143         * parser/NodeConstructors.h:
1144         (JSC::BigIntNode::BigIntNode):
1145         * parser/Nodes.h:
1146         (JSC::ExpressionNode::isBigInt const):
1147         (JSC::BigIntNode::value):
1148         * parser/Parser.cpp:
1149         (JSC::Parser<LexerType>::parsePrimaryExpression):
1150         * parser/ParserTokens.h:
1151         * parser/ResultType.h:
1152         (JSC::ResultType::definitelyIsBigInt const):
1153         (JSC::ResultType::mightBeBigInt const):
1154         (JSC::ResultType::isNotBigInt const):
1155         (JSC::ResultType::addResultType):
1156         (JSC::ResultType::bigIntType):
1157         (JSC::ResultType::forAdd):
1158         (JSC::ResultType::forLogicalOp):
1159         * parser/SyntaxChecker.h:
1160         (JSC::SyntaxChecker::createBigInt):
1161         * runtime/CommonIdentifiers.h:
1162         * runtime/JSBigInt.cpp: Added.
1163         (JSC::JSBigInt::visitChildren):
1164         (JSC::JSBigInt::JSBigInt):
1165         (JSC::JSBigInt::initialize):
1166         (JSC::JSBigInt::createStructure):
1167         (JSC::JSBigInt::createZero):
1168         (JSC::JSBigInt::allocationSize):
1169         (JSC::JSBigInt::createWithLength):
1170         (JSC::JSBigInt::finishCreation):
1171         (JSC::JSBigInt::toPrimitive const):
1172         (JSC::JSBigInt::singleDigitValueForString):
1173         (JSC::JSBigInt::parseInt):
1174         (JSC::JSBigInt::toString):
1175         (JSC::JSBigInt::isZero):
1176         (JSC::JSBigInt::inplaceMultiplyAdd):
1177         (JSC::JSBigInt::digitAdd):
1178         (JSC::JSBigInt::digitSub):
1179         (JSC::JSBigInt::digitMul):
1180         (JSC::JSBigInt::digitPow):
1181         (JSC::JSBigInt::digitDiv):
1182         (JSC::JSBigInt::internalMultiplyAdd):
1183         (JSC::JSBigInt::equalToBigInt):
1184         (JSC::JSBigInt::absoluteDivSmall):
1185         (JSC::JSBigInt::calculateMaximumCharactersRequired):
1186         (JSC::JSBigInt::toStringGeneric):
1187         (JSC::JSBigInt::rightTrim):
1188         (JSC::JSBigInt::allocateFor):
1189         (JSC::JSBigInt::estimatedSize):
1190         (JSC::JSBigInt::toNumber const):
1191         (JSC::JSBigInt::getPrimitiveNumber const):
1192         * runtime/JSBigInt.h: Added.
1193         (JSC::JSBigInt::setSign):
1194         (JSC::JSBigInt::sign const):
1195         (JSC::JSBigInt::setLength):
1196         (JSC::JSBigInt::length const):
1197         (JSC::JSBigInt::parseInt):
1198         (JSC::JSBigInt::offsetOfData):
1199         (JSC::JSBigInt::dataStorage):
1200         (JSC::JSBigInt::digit):
1201         (JSC::JSBigInt::setDigit):
1202         (JSC::asBigInt):
1203         * runtime/JSCJSValue.cpp:
1204         (JSC::JSValue::synthesizePrototype const):
1205         (JSC::JSValue::toStringSlowCase const):
1206         * runtime/JSCJSValue.h:
1207         * runtime/JSCJSValueInlines.h:
1208         (JSC::JSValue::isBigInt const):
1209         (JSC::JSValue::strictEqualSlowCaseInline):
1210         * runtime/JSCell.cpp:
1211         (JSC::JSCell::put):
1212         (JSC::JSCell::putByIndex):
1213         (JSC::JSCell::toPrimitive const):
1214         (JSC::JSCell::getPrimitiveNumber const):
1215         (JSC::JSCell::toNumber const):
1216         (JSC::JSCell::toObjectSlow const):
1217         * runtime/JSCell.h:
1218         * runtime/JSCellInlines.h:
1219         (JSC::JSCell::isBigInt const):
1220         * runtime/JSType.h:
1221         * runtime/MathCommon.h:
1222         (JSC::clz64):
1223         * runtime/NumberPrototype.cpp:
1224         * runtime/Operations.cpp:
1225         (JSC::jsTypeStringForValue):
1226         (JSC::jsIsObjectTypeOrNull):
1227         * runtime/Options.h:
1228         * runtime/ParseInt.h:
1229         * runtime/SmallStrings.h:
1230         (JSC::SmallStrings::typeString const):
1231         * runtime/StructureInlines.h:
1232         (JSC::prototypeForLookupPrimitiveImpl):
1233         * runtime/TypeofType.cpp:
1234         (WTF::printInternal):
1235         * runtime/TypeofType.h:
1236         * runtime/VM.cpp:
1237         (JSC::VM::VM):
1238         * runtime/VM.h:
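
The entry above describes a digit array where index 0 is the least significant digit, manipulated through digit-level operations (digitAdd, digitMul, digitDiv, inplaceMultiplyAdd, absoluteDivSmall, rightTrim) with toString built on top. The following is an added, self-contained illustration of that layout written for this page; it is not JSBigInt, it uses 32-bit limbs so that a limb product fits in a uint64_t, and it keeps only the magnitude (the sign flag the entry mentions as m_sign would sit beside it):

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

using Digit = uint32_t;          // 32-bit limbs: a limb product fits in a uint64_t
using DoubleDigit = uint64_t;
constexpr unsigned digitBits = 32;

// Magnitude only; digits[0] is the least significant limb.
struct BigUInt {
    std::vector<Digit> digits;
};

// a + b + carry; the carry-out replaces carry.
inline Digit digitAdd(Digit a, Digit b, Digit& carry) {
    DoubleDigit r = DoubleDigit(a) + b + carry;
    carry = Digit(r >> digitBits);
    return Digit(r);
}

// Low limb of a * b + c; the high limb replaces carry.
inline Digit digitMulAdd(Digit a, Digit b, Digit c, Digit& carry) {
    DoubleDigit r = DoubleDigit(a) * b + c;
    carry = Digit(r >> digitBits);
    return Digit(r);
}

// Drop leading zero limbs so that the length reflects the value.
inline void rightTrim(BigUInt& x) {
    while (!x.digits.empty() && x.digits.back() == 0) x.digits.pop_back();
}

// x = x * factor + summand, in place; parsing a decimal literal is repeated (x * 10 + d).
inline void inplaceMultiplyAdd(BigUInt& x, Digit factor, Digit summand) {
    Digit carry = summand;
    for (Digit& d : x.digits) d = digitMulAdd(d, factor, carry, carry);
    if (carry) x.digits.push_back(carry);
}

// x /= divisor in place, returning the remainder; runs from the most significant limb down.
inline Digit absoluteDivSmall(BigUInt& x, Digit divisor) {
    DoubleDigit rem = 0;
    for (size_t i = x.digits.size(); i-- > 0;) {
        DoubleDigit cur = (rem << digitBits) | x.digits[i];
        x.digits[i] = Digit(cur / divisor);
        rem = cur % divisor;
    }
    rightTrim(x);
    return Digit(rem);
}

inline BigUInt parseDecimal(const std::string& s) {
    BigUInt x;
    for (char c : s) inplaceMultiplyAdd(x, 10, Digit(c - '0'));
    return x;
}

// Repeated division by 10 yields the decimal digits least significant first.
inline std::string toDecimalString(BigUInt x) {
    if (x.digits.empty()) return "0";
    std::string out;
    while (!x.digits.empty()) out.push_back(char('0' + absoluteDivSmall(x, 10)));
    std::reverse(out.begin(), out.end());
    return out;
}

inline BigUInt add(const BigUInt& a, const BigUInt& b) {
    BigUInt r;
    Digit carry = 0;
    size_t n = std::max(a.digits.size(), b.digits.size());
    for (size_t i = 0; i < n; ++i) {
        Digit da = i < a.digits.size() ? a.digits[i] : 0;
        Digit db = i < b.digits.size() ? b.digits[i] : 0;
        r.digits.push_back(digitAdd(da, db, carry));
    }
    if (carry) r.digits.push_back(carry);
    return r;
}
```

The least-significant-first layout is what makes inplaceMultiplyAdd a single forward pass and absoluteDivSmall a single backward pass; every intermediate is computed in the double-width type so no limb operation can overflow, and rightTrim keeps equality comparisons (such as the strict-equals the entry adds) a simple limb-by-limb check.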
1239
1240 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
1241
1242         LLInt: reserve 16 bytes of stack on MIPS for native calls
1243         https://bugs.webkit.org/show_bug.cgi?id=180653
1244
1245         Reviewed by Carlos Alberto Lopez Perez.
1246
1247         * llint/LowLevelInterpreter32_64.asm:
1248         On MIPS, subtract 24 from the stack pointer (16 for calling
1249         convention + 8 to be 16-aligned) instead of the 8 on other platforms
1250         (for alignment).
1251
1252 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1253
1254         [WTF] Thread::create should have Thread::tryCreate
1255         https://bugs.webkit.org/show_bug.cgi?id=180333
1256
1257         Reviewed by Darin Adler.
1258
1259         * assembler/testmasm.cpp:
1260         (JSC::run):
1261         * b3/air/testair.cpp:
1262         * b3/testb3.cpp:
1263         (JSC::B3::run):
1264         * jsc.cpp:
1265         (functionDollarAgentStart):
1266
1267 2017-12-11  Michael Saboff  <msaboff@apple.com>
1268
1269         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
1270         https://bugs.webkit.org/show_bug.cgi?id=180685
1271
1272         Reviewed by Saam Barati.
1273
1274         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
1275         the character class check to return true without reading the character.  Given that
1276         the character could be a surrogate pair, we need to read the character even if we
1277         don't have to check it.
1278
1279         * yarr/YarrInterpreter.cpp:
1280         (JSC::Yarr::Interpreter::testCharacterClass):
1281         (JSC::Yarr::Interpreter::checkCharacterClass):
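
The defect described above is a cursor-advance bug: an any-character shortcut that answers "match" without reading the character leaves the input position on a single code unit, so on a surrogate pair the matcher resumes between the two halves. The block below is an added illustration for this page, not Yarr's code; readCharacter, CharacterClass and the two check variants are simplified stand-ins, and matchAnyThenB stands in for the interpreter running the equivalent of /.b/u:

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

const size_t noMatch = size_t(-1);

inline bool isHighSurrogate(uint16_t u) { return (u & 0xFC00) == 0xD800; }
inline bool isLowSurrogate(uint16_t u) { return (u & 0xFC00) == 0xDC00; }

// Reads one character in Unicode mode: a valid surrogate pair is consumed as a
// single code point (two units); anything else, including a lone surrogate, is one unit.
inline uint32_t readCharacter(const std::vector<uint16_t>& s, size_t& pos) {
    uint16_t u = s[pos++];
    if (isHighSurrogate(u) && pos < s.size() && isLowSurrogate(s[pos])) {
        uint16_t lo = s[pos++];
        return 0x10000 + ((uint32_t(u) - 0xD800) << 10) + (uint32_t(lo) - 0xDC00);
    }
    return u;
}

struct CharacterClass {
    bool anyCharacter;         // the "." case: matches everything
    uint32_t lo, hi;           // otherwise an inclusive code point range
    bool matches(uint32_t ch) const { return anyCharacter || (ch >= lo && ch <= hi); }
};

// Shape of the defect: the any-character shortcut answers without reading, so the
// cursor moves by one unit and can stop between the halves of a surrogate pair.
inline bool checkCharacterClassShortcut(const CharacterClass& cc, const std::vector<uint16_t>& s, size_t& pos) {
    if (cc.anyCharacter) { ++pos; return true; }
    return cc.matches(readCharacter(s, pos));
}

// Fixed shape: always read the character, then decide.
inline bool checkCharacterClassFixed(const CharacterClass& cc, const std::vector<uint16_t>& s, size_t& pos) {
    uint32_t ch = readCharacter(s, pos);
    return cc.matches(ch);
}

// Matches the equivalent of /.b/u at the start of s; returns the end position or noMatch.
inline size_t matchAnyThenB(const std::vector<uint16_t>& s, bool fixed) {
    CharacterClass any{true, 0, 0}, letterB{false, 'b', 'b'};
    size_t pos = 0;
    auto check = fixed ? checkCharacterClassFixed : checkCharacterClassShortcut;
    if (pos >= s.size() || !check(any, s, pos)) return noMatch;
    if (pos >= s.size() || !check(letterB, s, pos)) return noMatch;
    return pos;
}
```

On BMP-only input both variants agree, which is why the defect surfaced only in the Unicode-mode regex tests; with a supplementary character the shortcut variant leaves the cursor on the low surrogate and the following 'b' test fails.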
1282
1283 2017-12-11  Saam Barati  <sbarati@apple.com>
1284
1285         We need to disableCaching() in ErrorInstance when we materialize properties
1286         https://bugs.webkit.org/show_bug.cgi?id=180343
1287         <rdar://problem/35833002>
1288
1289         Reviewed by Mark Lam.
1290
1291         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
1292         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
1293         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
1294         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
1295         existing property only found on Structure B. This is obviously wrong as it would lead to an
1296         OOB store if we didn't already crash when generating the IC.
1297
1298         * jit/Repatch.cpp:
1299         (JSC::tryCachePutByID):
1300         * runtime/ErrorInstance.cpp:
1301         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
1302         (JSC::ErrorInstance::put):
1303         * runtime/ErrorInstance.h:
1304         * runtime/Structure.cpp:
1305         (JSC::Structure::didCachePropertyReplacement):
1306
1307 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
1308
1309         [WinCairo] DLLLauncherMain should use SetDllDirectory
1310         https://bugs.webkit.org/show_bug.cgi?id=180642
1311
1312         Reviewed by Alex Christensen.
1313
1314         Windows has icuuc.dll in the system directory. WebKit should find
1315         one in WebKitLibraries directory, not one in the system directory.
1316
1317         * shell/DLLLauncherMain.cpp:
1318         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
1319
1320 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
1321
1322         Web Inspector: Optionally log WebKit log parameters as JSON
1323         https://bugs.webkit.org/show_bug.cgi?id=180529
1324         <rdar://problem/35909462>
1325
1326         Reviewed by Joseph Pecoraro.
1327
1328         * inspector/ConsoleMessage.cpp:
1329         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
1330         values. Concatenate all adjacent strings to make logging cleaner.
1331         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
1332         (Inspector::ConsoleMessage::scriptState const):
1333         * inspector/ConsoleMessage.h:
1334
1335         * inspector/InjectedScript.cpp:
1336         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
1337         * inspector/InjectedScript.h:
1338         * inspector/InjectedScriptSource.js:
1339         (let.InjectedScript.prototype.wrapJSONString):
1340
1341 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
1342
1343         Remove unused builtin names
1344         https://bugs.webkit.org/show_bug.cgi?id=180673
1345
1346         Reviewed by Keith Miller.
1347
1348         * builtins/BuiltinNames.h:
1349
1350 2017-12-11  David Quesada  <david_quesada@apple.com>
1351
1352         Turn on ENABLE_APPLICATION_MANIFEST
1353         https://bugs.webkit.org/show_bug.cgi?id=180562
1354         rdar://problem/35924737
1355
1356         Reviewed by Geoffrey Garen.
1357
1358         * Configurations/FeatureDefines.xcconfig:
1359
1360 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
1361
1362         Harden a few assertions in GC sweep
1363         https://bugs.webkit.org/show_bug.cgi?id=180634
1364
1365         Reviewed by Saam Barati.
1366         
1367         This turns one dynamic check into a release assertion and upgrades another assertion to a release
1368         assertion.
1369
1370         * heap/MarkedBlock.cpp:
1371         (JSC::MarkedBlock::Handle::sweep):
1372
1373 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
1374
1375         [python] Modernize "except" usage for python3 compatibility
1376         https://bugs.webkit.org/show_bug.cgi?id=180612
1377
1378         Reviewed by Michael Catanzaro.
1379
1380         * inspector/scripts/generate-inspector-protocol-bindings.py:
1381
1382 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1383
1384         InferredType should not use UnconditionalFinalizer
1385         https://bugs.webkit.org/show_bug.cgi?id=180456
1386
1387         Reviewed by Saam Barati.
1388         
1389         This turns InferredStructure into a cell so that we can unconditionally finalize them without
1390         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
1391         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
1392         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
1393         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
1394
1395         * JavaScriptCore.xcodeproj/project.pbxproj:
1396         * Sources.txt:
1397         * heap/Heap.cpp:
1398         (JSC::Heap::finalizeUnconditionalFinalizers):
1399         * heap/Heap.h:
1400         * runtime/InferredStructure.cpp: Added.
1401         (JSC::InferredStructure::create):
1402         (JSC::InferredStructure::destroy):
1403         (JSC::InferredStructure::createStructure):
1404         (JSC::InferredStructure::visitChildren):
1405         (JSC::InferredStructure::finalizeUnconditionally):
1406         (JSC::InferredStructure::InferredStructure):
1407         (JSC::InferredStructure::finishCreation):
1408         * runtime/InferredStructure.h: Added.
1409         * runtime/InferredStructureWatchpoint.cpp: Added.
1410         (JSC::InferredStructureWatchpoint::fireInternal):
1411         * runtime/InferredStructureWatchpoint.h: Added.
1412         * runtime/InferredType.cpp:
1413         (JSC::InferredType::visitChildren):
1414         (JSC::InferredType::willStoreValueSlow):
1415         (JSC::InferredType::makeTopSlow):
1416         (JSC::InferredType::set):
1417         (JSC::InferredType::removeStructure):
1418         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
1419         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
1420         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
1421         * runtime/InferredType.h:
1422         * runtime/VM.cpp:
1423         (JSC::VM::VM):
1424         * runtime/VM.h:
1425
1426 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
1427
1428         [python] Replace print >> operator with print() function for python3 compatibility
1429         https://bugs.webkit.org/show_bug.cgi?id=180611
1430
1431         Reviewed by Michael Catanzaro.
1432
1433         * Scripts/make-js-file-arrays.py:
1434         (main):
1435
1436 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1437
1438         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
1439         https://bugs.webkit.org/show_bug.cgi?id=180520
1440         <rdar://problem/35900764>
1441
1442         Reviewed by Brian Burg.
1443
1444         * inspector/protocol/ServiceWorker.json:
1445         Include content script content in the initialization info.
1446
1447 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
1448
1449         [python] Replace print operator with print() function for python3 compatibility
1450         https://bugs.webkit.org/show_bug.cgi?id=180592
1451
1452         Reviewed by Michael Catanzaro.
1453
1454         * Scripts/generateYarrUnicodePropertyTables.py:
1455         (openOrExit):
1456         (verifyUCDFilesExist):
1457         (Aliases.parsePropertyAliasesFile):
1458         (Aliases.parsePropertyValueAliasesFile):
1459         * Scripts/make-js-file-arrays.py:
1460         (main):
1461         * generate-bytecode-files:
1462
1463 2017-12-08  Mark Lam  <mark.lam@apple.com>
1464
1465         Need to unpoison native function pointers for CLoop.
1466         https://bugs.webkit.org/show_bug.cgi?id=180601
1467         <rdar://problem/35942028>
1468
1469         Reviewed by JF Bastien.
1470
1471         * llint/LowLevelInterpreter64.asm:
1472
1473 2017-12-08  Michael Saboff  <msaboff@apple.com>
1474
1475         YARR: JIT RegExps with greedy parenthesized sub patterns
1476         https://bugs.webkit.org/show_bug.cgi?id=180538
1477
1478         Reviewed by JF Bastien.
1479
1480         This patch adds JIT support for regular expressions containing greedy counted
1481         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
1482
1483         Just like in the interpreter, expressions with nested parenthetical subpatterns
1484         require saving the results of previous matches of the parentheses contents along
1485         with any associated state.  This saved state is needed in the case that we need
1486         to backtrack.  This state is called ParenContext within the code.  The space allocated
1487         for this ParenContext is managed using a simple block allocator within the JIT'ed
1488         code.  The raw space managed by this allocator is passed into the JIT'ed function.
1489
1490         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
1491         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
1492         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
1493         expression.
1494
1495         Due to increased register usage by the parenthesis handling code, the use of
1496         registers by the JIT engine was restructured, with registers used for Unicode
1497         pattern matching replaced with constants.
1498
1499         Reworked some of the context structures that are used across the interpreter
1500         and JIT implementations to make them a little more uniform and to handle the
1501         needs of JIT'ing the new parentheses forms.
1502
1503         To help with development and debugging of this code, compiled patterns dumping
1504         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
1505
1506         * runtime/RegExp.cpp:
1507         (JSC::byteCodeCompilePattern):
1508         (JSC::RegExp::byteCodeCompileIfNecessary):
1509         (JSC::RegExp::compile):
1510         (JSC::RegExp::compileMatchOnly):
1511         * runtime/RegExp.h:
1512         * runtime/RegExpInlines.h:
1513         (JSC::RegExp::matchInline):
1514         * testRegExp.cpp:
1515         (parseRegExpLine):
1516         (runFromFiles):
1517         * yarr/Yarr.h:
1518         * yarr/YarrInterpreter.cpp:
1519         (JSC::Yarr::ByteCompiler::compile):
1520         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1521         * yarr/YarrJIT.cpp:
1522         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
1523         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
1524         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
1525         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
1526         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
1527         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
1528         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
1529         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
1530         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
1531         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
1532         (JSC::Yarr::YarrGenerator::allocatePatternContext):
1533         (JSC::Yarr::YarrGenerator::freePatternContext):
1534         (JSC::Yarr::YarrGenerator::savePatternContext):
1535         (JSC::Yarr::YarrGenerator::restorePatternContext):
1536         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1537         (JSC::Yarr::YarrGenerator::storeToFrame):
1538         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
1539         (JSC::Yarr::YarrGenerator::clearMatches):
1540         (JSC::Yarr::YarrGenerator::generate):
1541         (JSC::Yarr::YarrGenerator::backtrack):
1542         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1543         (JSC::Yarr::YarrGenerator::generateEnter):
1544         (JSC::Yarr::YarrGenerator::generateReturn):
1545         (JSC::Yarr::YarrGenerator::YarrGenerator):
1546         (JSC::Yarr::YarrGenerator::compile):
1547         * yarr/YarrJIT.h:
1548         (JSC::Yarr::YarrCodeBlock::execute):
1549         * yarr/YarrPattern.cpp:
1550         (JSC::Yarr::indentForNestingLevel):
1551         (JSC::Yarr::dumpUChar32):
1552         (JSC::Yarr::dumpCharacterClass):
1553         (JSC::Yarr::PatternTerm::dump):
1554         (JSC::Yarr::YarrPattern::dumpPattern):
1555         * yarr/YarrPattern.h:
1556         (JSC::Yarr::PatternTerm::containsAnyCaptures):
1557         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1558         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1559         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1560         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1561         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
1562         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
1563
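The fixed-size ParenContext block allocator and the JSRegExpJITCodeFailure fallback described in the entry above, as an added example that is not code from the entry or from JavaScriptCore. ParenContext's layout, ParenContextAllocator, MatchOutcome and the greedy matcher for the entry's /q(a|b)*q/ are this example's own simplifications: the matcher only tries offset 0, the enumerator is spelled JITCodeFailure, and std::regex stands in for the bytecode interpreter on the fallback path.

```cpp
#include <cstddef>
#include <regex>
#include <string>
#include <vector>

// Added example modelled on the entry above; ParenContext, ParenContextAllocator, MatchOutcome and
// the matcher below are this example's own names and layout, not YarrJIT.cpp's.
enum class MatchResult { Matched, NoMatch, JITCodeFailure };   // JITCodeFailure: context space exhausted

struct ParenContext {
    ParenContext* next;    // free-list link while unused; link to the previous iteration while live
    size_t begin;          // input position at which this iteration of the group started
    size_t matchAmount;    // iterations matched so far, including this one
    // The real ParenContext also saves the group's subpattern captures and frame slots here.
};

// A free-list allocator over raw space handed in by the caller; the space is fixed, so it can run out.
class ParenContextAllocator {
public:
    ParenContextAllocator(void* space, size_t bytes)
    {
        char* base = static_cast<char*>(space);
        for (size_t i = 0; i < bytes / sizeof(ParenContext); ++i) {
            ParenContext* ctx = reinterpret_cast<ParenContext*>(base + i * sizeof(ParenContext));
            ctx->next = m_freeList;
            m_freeList = ctx;
        }
    }
    ParenContext* allocate()
    {
        if (!m_freeList) return nullptr;     // exhausted: the JIT'ed code must give up here
        ParenContext* ctx = m_freeList;
        m_freeList = ctx->next;
        ++m_live;
        return ctx;
    }
    void deallocate(ParenContext* ctx) { ctx->next = m_freeList; m_freeList = ctx; --m_live; }
    size_t live() const { return m_live; }
private:
    ParenContext* m_freeList = nullptr;
    size_t m_live = 0;
};

static void releaseChain(ParenContextAllocator& allocator, ParenContext*& head)
{
    while (head) { ParenContext* next = head->next; allocator.deallocate(head); head = next; }
}

// Greedy matcher for /q(a|b)*q/ at offset 0, written the way the JIT'ed code works: each iteration
// of the group takes a ParenContext so backtracking can give iterations back one at a time.
// Running out of contexts is reported, never turned into a wrong answer.
static MatchResult jitStyleMatch(const std::string& input, ParenContextAllocator& allocator, size_t& end)
{
    if (input.empty() || input[0] != 'q') return MatchResult::NoMatch;
    size_t pos = 1;
    ParenContext* head = nullptr;
    while (pos < input.size() && (input[pos] == 'a' || input[pos] == 'b')) {
        ParenContext* ctx = allocator.allocate();
        if (!ctx) { releaseChain(allocator, head); return MatchResult::JITCodeFailure; }
        ctx->begin = pos;
        ctx->matchAmount = head ? head->matchAmount + 1 : 1;
        ctx->next = head;
        head = ctx;
        ++pos;
    }
    for (;;) {
        if (pos < input.size() && input[pos] == 'q') {
            releaseChain(allocator, head);
            end = pos + 1;
            return MatchResult::Matched;
        }
        if (!head) return MatchResult::NoMatch;
        pos = head->begin;                   // backtrack: undo the most recent iteration
        ParenContext* next = head->next;
        allocator.deallocate(head);
        head = next;
    }
}

struct MatchOutcome {
    MatchResult result = MatchResult::NoMatch;
    size_t end = 0;                // one past the last matched character
    bool usedInterpreter = false;  // true when the JIT path bailed out
    size_t liveContexts = 0;       // contexts still allocated after the JIT path returned; must be 0
};

// The caller's side of the fallback: try the JIT'ed code with a fixed context area and, on
// JITCodeFailure, run the slower engine (std::regex stands in for the bytecode interpreter).
MatchOutcome matchWithFallback(const std::string& input, size_t contextSlots)
{
    std::vector<ParenContext> space(contextSlots);   // the raw space passed into the JIT'ed function
    ParenContextAllocator allocator(space.data(), space.size() * sizeof(ParenContext));
    MatchOutcome out;
    out.result = jitStyleMatch(input, allocator, out.end);
    out.liveContexts = allocator.live();
    if (out.result == MatchResult::JITCodeFailure) {
        out.usedInterpreter = true;
        static const std::regex pattern("^q(a|b)*q");
        std::smatch m;
        out.result = std::regex_search(input, m, pattern) ? MatchResult::Matched : MatchResult::NoMatch;
        out.end = out.result == MatchResult::Matched ? static_cast<size_t>(m.length(0)) : 0;
    }
    return out;
}
```

The property worth checking is that exhaustion is reported rather than mis-answered: with four context slots and ten group iterations the JIT-style path returns JITCodeFailure with nothing still allocated, and the caller gets the same match from the slower engine. The fixed-size area bounds the memory the generated code can consume; the fallback is what keeps that bound from becoming a correctness bug.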
1564 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
1565
1566         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
1567         https://bugs.webkit.org/show_bug.cgi?id=180590
1568         <rdar://problem/35882767>
1569
1570         Reviewed by Mark Lam.
1571
1572         * inspector/agents/InspectorConsoleAgent.cpp:
1573         (Inspector::InspectorConsoleAgent::enable):
1574         Swap the messages to a Vector that won't change during iteration.
1575
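The swap-before-iterate fix described in the entry above, as an added example that is not InspectorConsoleAgent's code: BufferedConsoleAgent, ConsoleMessage, FlushReport and the constructed scenario are this example's own names. The frontend callback re-enters the agent while enable() is still iterating, which is the shape of the crash the entry fixes.

```cpp
#include <cstddef>
#include <functional>
#include <string>
#include <utility>
#include <vector>

// Added example of the pattern in the fix above, not InspectorConsoleAgent's code; the names
// BufferedConsoleAgent, ConsoleMessage, FlushReport and runReentrantScenario are this example's own.
struct ConsoleMessage { std::string text; };

class BufferedConsoleAgent {
public:
    using Frontend = std::function<void(const ConsoleMessage&)>;
    explicit BufferedConsoleAgent(Frontend frontend) : m_frontend(std::move(frontend)) {}

    // Every message is retained in the buffer; once enabled it is also sent to the frontend.
    // This may be called re-entrantly from the frontend while enable() is iterating.
    void addMessage(ConsoleMessage message)
    {
        if (m_enabled)
            m_frontend(message);
        m_buffered.push_back(std::move(message));
    }

    // Deliver everything buffered so far. The unsafe version iterated m_buffered directly:
    //     for (const ConsoleMessage& m : m_buffered) m_frontend(m);
    // and a push_back() from inside m_frontend reallocated the vector under the loop.
    // Swapping the buffer into a local first means nothing else can touch the list we iterate.
    size_t enable()
    {
        if (m_enabled)
            return 0;
        m_enabled = true;
        std::vector<ConsoleMessage> messages;
        messages.swap(m_buffered);
        for (const ConsoleMessage& m : messages)
            m_frontend(m);                     // may re-enter addMessage(); that appends to m_buffered
        return messages.size();
    }

    size_t bufferedCount() const { return m_buffered.size(); }

private:
    Frontend m_frontend;
    std::vector<ConsoleMessage> m_buffered;
    bool m_enabled = false;
};

struct FlushReport {
    std::vector<std::string> delivered;   // everything the frontend saw, in order
    size_t flushedFromBuffer = 0;
    size_t leftInBuffer = 0;
};

// Constructed scenario: three buffered messages, and a frontend that logs a new message in
// response to one of them while enable() is still iterating.
FlushReport runReentrantScenario()
{
    FlushReport report;
    BufferedConsoleAgent* agentPtr = nullptr;
    BufferedConsoleAgent agent([&](const ConsoleMessage& m) {
        report.delivered.push_back(m.text);
        if (m.text == "worker started")
            agentPtr->addMessage({"note: worker started was delivered"});
    });
    agentPtr = &agent;
    agent.addMessage({"page loaded"});
    agent.addMessage({"worker started"});
    agent.addMessage({"fetch ok"});

    report.flushedFromBuffer = agent.enable();
    report.leftInBuffer = agent.bufferedCount();
    return report;
}
```

Run under AddressSanitizer, the commented-out loop over the member would report a heap-use-after-free on the first re-entrant push_back that reallocates; the swapped version delivers the three buffered messages, the re-entrant one is delivered in between them and lands in the now-empty member buffer, and no iterator ever points into storage that can move.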
1576 2017-12-08  Michael Saboff  <msaboff@apple.com>
1577
1578         YARR: Coalesce constructed character classes
1579         https://bugs.webkit.org/show_bug.cgi?id=180537
1580
1581         Reviewed by JF Bastien.
1582
1583         When adding characters or character ranges to a character class being constructed,
1584         we now coalesce adjacent characters and character ranges.  When we create a
1585         character class after construction is complete, we do a final coalescing pass
1586         across the character list and ranges to catch any remaining coalescing
1587         opportunities.
1588
1589         Added an optimization for character classes that will match any character.
1590         This is somewhat common in code created before the /s (dotAll) flag was added
1591         to the engine.
1592
1593         * yarr/YarrInterpreter.cpp:
1594         (JSC::Yarr::Interpreter::checkCharacterClass):
1595         * yarr/YarrJIT.cpp:
1596         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
1597         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
1598         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
1599         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
1600         * yarr/YarrPattern.cpp:
1601         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
1602         (JSC::Yarr::CharacterClassConstructor::reset):
1603         (JSC::Yarr::CharacterClassConstructor::charClass):
1604         (JSC::Yarr::CharacterClassConstructor::addSorted):
1605         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
1606         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
1607         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
1608         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
1609         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
1610         (JSC::Yarr::PatternTerm::dump):
1611         (JSC::Yarr::anycharCreate):
1612         * yarr/YarrPattern.h:
1613         (JSC::Yarr::CharacterClass::CharacterClass):
1614
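The coalescing rules described in the entry above, as an added example that is not JavaScriptCore's CharacterClassConstructor: CharRange, CharacterClass, CharacterClassBuilder, coalesce() and buildClass() are this example's own names and simplifications. Single code points and ranges are kept in two sorted lists, merged on insert and again in a final pass, and a class whose one range covers 0 to 0x10FFFF takes the "any character" path.

```cpp
#include <algorithm>
#include <cstdint>
#include <initializer_list>
#include <vector>

// Added example modelled on the entry above; CharRange, CharacterClass, CharacterClassBuilder,
// coalesce() and buildClass() are this example's own names, not YarrPattern's.
struct CharRange { uint32_t lo; uint32_t hi; };   // inclusive

struct CharacterClass {
    std::vector<uint32_t> matches;   // single code points, sorted
    std::vector<CharRange> ranges;   // sorted, non-overlapping, never touching
    bool matchesAny = false;         // set when the class covers every code point

    bool contains(uint32_t ch) const
    {
        if (matchesAny) return true;  // the "any character" fast path: no table at all
        if (std::binary_search(matches.begin(), matches.end(), ch)) return true;
        for (const CharRange& r : ranges)
            if (ch >= r.lo && ch <= r.hi) return true;
        return false;
    }
};

// Merge a lo-sorted list in place: ranges that overlap or touch (hi + 1 == next.lo) become one.
static void coalesce(std::vector<CharRange>& ranges)
{
    std::vector<CharRange> out;
    for (const CharRange& r : ranges) {
        if (!out.empty() && r.lo <= out.back().hi + 1)
            out.back().hi = std::max(out.back().hi, r.hi);
        else
            out.push_back(r);
    }
    ranges.swap(out);
}

class CharacterClassBuilder {
public:
    static constexpr uint32_t kMaxCodePoint = 0x10FFFF;

    // Sorted insert of one code point; a touching range or single is coalesced immediately.
    void addSorted(uint32_t ch)
    {
        for (const CharRange& r : m_ranges)
            if (ch + 1 >= r.lo && ch <= r.hi + 1) { addSortedRange(ch, ch); return; }
        auto it = std::lower_bound(m_matches.begin(), m_matches.end(), ch);
        if (it != m_matches.end() && *it == ch) return;          // duplicate
        if (it != m_matches.end() && *it == ch + 1) {           // touches the next single
            uint32_t hi = *it;
            m_matches.erase(it);
            addSortedRange(ch, hi);
        } else if (it != m_matches.begin() && *(it - 1) + 1 == ch) {   // touches the previous one
            uint32_t lo = *(it - 1);
            m_matches.erase(it - 1);
            addSortedRange(lo, ch);
        } else
            m_matches.insert(it, ch);
    }

    // Sorted insert of an inclusive range, then merge whatever it now overlaps or touches.
    void addSortedRange(uint32_t lo, uint32_t hi)
    {
        auto it = std::lower_bound(m_ranges.begin(), m_ranges.end(), lo,
                                   [](const CharRange& r, uint32_t v) { return r.lo < v; });
        m_ranges.insert(it, CharRange{lo, hi});
        coalesce(m_ranges);
    }

    // Construction complete: the final pass folds singles into touching ranges and spots "any".
    CharacterClass finish() const
    {
        std::vector<CharRange> all = m_ranges;
        for (uint32_t ch : m_matches) all.push_back(CharRange{ch, ch});
        std::sort(all.begin(), all.end(),
                  [](const CharRange& a, const CharRange& b) { return a.lo < b.lo; });
        coalesce(all);
        CharacterClass cc;
        cc.matchesAny = all.size() == 1 && all[0].lo == 0 && all[0].hi == kMaxCodePoint;
        for (const CharRange& r : all) {
            if (r.lo == r.hi) cc.matches.push_back(r.lo);
            else cc.ranges.push_back(r);
        }
        return cc;
    }

private:
    std::vector<uint32_t> m_matches;
    std::vector<CharRange> m_ranges;
};

// Convenience: ranges first, then singles, then finish(). [a-ce-gd] is buildClass({{'a','c'},{'e','g'}}, {'d'}).
CharacterClass buildClass(std::initializer_list<CharRange> ranges, std::initializer_list<uint32_t> singles)
{
    CharacterClassBuilder b;
    for (const CharRange& r : ranges) b.addSortedRange(r.lo, r.hi);
    for (uint32_t ch : singles) b.addSorted(ch);
    return b.finish();
}
```

[a-ce-gd] ends up as the single range a-g, [abc] as a-c, and two touching halves that together cover 0 to 0x10FFFF (the shape of the pre-/s idiom the entry mentions) collapse to one range and flip matchesAny, so contains() never scans a table for them.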
1615 2017-12-07  Saam Barati  <sbarati@apple.com>
1616
1617         Modify our dollar VM clflush intrinsic to aid in some perf testing
1618         https://bugs.webkit.org/show_bug.cgi?id=180559
1619
1620         Reviewed by Mark Lam.
1621
1622         * tools/JSDollarVM.cpp:
1623         (JSC::functionCpuClflush):
1624         (JSC::functionDeltaBetweenButterflies):
1625         (JSC::JSDollarVM::finishCreation):
1626
1627 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
1628
1629         Simplify log channel configuration UI
1630         https://bugs.webkit.org/show_bug.cgi?id=180527
1631         <rdar://problem/35908382>
1632
1633         Reviewed by Joseph Pecoraro.
1634
1635         * inspector/protocol/Console.json:
1636
1637 2017-12-07  Mark Lam  <mark.lam@apple.com>
1638
1639         Apply poisoning to some native code pointers.
1640         https://bugs.webkit.org/show_bug.cgi?id=180541
1641         <rdar://problem/35916875>
1642
1643         Reviewed by Filip Pizlo.
1644
1645         Renamed g_classInfoPoison to g_globalDataPoison.
1646         Renamed g_masmPoison to g_jitCodePoison.
1647         Introduced g_nativeCodePoison.
1648         Applied g_nativeCodePoison to poisoning some native code pointers.
1649
1650         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
1651         to malloc-allocated data structures (where needed).
1652
1653         * API/JSCallbackFunction.h:
1654         (JSC::JSCallbackFunction::functionCallback):
1655         * JavaScriptCore.xcodeproj/project.pbxproj:
1656         * jit/ThunkGenerators.cpp:
1657         (JSC::nativeForGenerator):
1658         * llint/LowLevelInterpreter64.asm:
1659         * runtime/CustomGetterSetter.h:
1660         (JSC::CustomGetterSetter::getter const):
1661         (JSC::CustomGetterSetter::setter const):
1662         * runtime/InternalFunction.cpp:
1663         (JSC::InternalFunction::getCallData):
1664         (JSC::InternalFunction::getConstructData):
1665         * runtime/InternalFunction.h:
1666         (JSC::InternalFunction::nativeFunctionFor):
1667         * runtime/JSCPoison.h: Added.
1668         * runtime/JSCPoisonedPtr.cpp:
1669         (JSC::initializePoison):
1670         * runtime/JSCPoisonedPtr.h:
1671         * runtime/Lookup.h:
1672         * runtime/NativeExecutable.cpp:
1673         (JSC::NativeExecutable::hashFor const):
1674         * runtime/NativeExecutable.h:
1675         * runtime/Structure.cpp:
1676         (JSC::StructureTransitionTable::setSingleTransition):
1677         * runtime/StructureTransitionTable.h:
1678         (JSC::StructureTransitionTable::StructureTransitionTable):
1679         (JSC::StructureTransitionTable::isUsingSingleSlot const):
1680         (JSC::StructureTransitionTable::map const):
1681         (JSC::StructureTransitionTable::weakImpl const):
1682         (JSC::StructureTransitionTable::setMap):
1683
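Pointer poisoning of the kind the entry above applies, as an added example that is not JSCPoison.h or JSCPoisonedPtr.h: PoisonedPtr, NativeCodePoison, Int32Poison, makeRandomPoison and the addNative callback are this example's own names, the Int32 poison value is a constructed placeholder, and a 64-bit address space is assumed. In this example the random poison has its top bit forced on, so the stored bits are never a canonical address and a path that forgets to unpoison (the class of omission the 2017-12-08 CLoop entry above corrects) faults instead of landing somewhere plausible.

```cpp
#include <cstdint>
#include <random>

// Added example (not JSC's JSCPoison.h / JSCPoisonedPtr.h); PoisonedPtr, NativeCodePoison,
// Int32Poison, makeRandomPoison and addNative are this example's own names.
static_assert(sizeof(uintptr_t) == 8, "example assumes a 64-bit address space");

// A random process-wide poison, chosen once. Forcing the top bit on guarantees the stored bits
// are never a canonical user-space address, so using them without unpoisoning faults at once.
static uintptr_t makeRandomPoison()
{
    std::random_device rd;
    uintptr_t poison = (static_cast<uintptr_t>(rd()) << 32) | rd();
    return poison | (static_cast<uintptr_t>(1) << 63);
}

struct NativeCodePoison {           // for native code pointers: random, pointer-sized
    static uintptr_t value() { static const uintptr_t poison = makeRandomPoison(); return poison; }
};
struct Int32Poison {                // for malloc'd structures: fixed, fits a 32-bit immediate
    static uintptr_t value() { return 0x5A5A1234u; }   // constructed placeholder value
};

// The pointer is stored XORed with the poison; only unpoisoned() reconstructs the real address.
// A memory-disclosure bug reading the slot sees noise; a corruption bug overwriting it has to
// know the poison to steer the call anywhere useful.
template<typename T, typename Poison>
class PoisonedPtr {
public:
    PoisonedPtr() = default;
    explicit PoisonedPtr(T* ptr) { set(ptr); }
    void set(T* ptr) { m_bits = ptr ? (reinterpret_cast<uintptr_t>(ptr) ^ Poison::value()) : 0; }
    T* unpoisoned() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ Poison::value()) : nullptr; }
    uintptr_t bits() const { return m_bits; }   // what sits in memory
private:
    uintptr_t m_bits = 0;
};

using NativeFunction = int (*)(int, int);
static int addNative(int a, int b) { return a + b; }
using PoisonedNative = PoisonedPtr<int(int, int), NativeCodePoison>;

// The one place the raw code address exists: immediately before the call.
int callThroughPoisonedSlot(int a, int b)
{
    PoisonedNative slot(addNative);
    NativeFunction fn = slot.unpoisoned();
    return fn(a, b);
}

// Properties a defender wants, checked on the stored bits rather than by dereferencing them.
bool storedBitsHideRawAddress()
{
    PoisonedNative slot(addNative);
    return slot.bits() != reinterpret_cast<uintptr_t>(&addNative);
}
bool storedBitsAreNonCanonical() { return (PoisonedNative(addNative).bits() >> 63) == 1; }
bool nullStaysNull() { PoisonedNative empty; return empty.bits() == 0 && empty.unpoisoned() == nullptr; }

// The fixed 32-bit poison, applied to a pointer into heap-allocated data.
struct MallocBacked { int length; };
int readThroughInt32Poisoned()
{
    MallocBacked object{42};
    PoisonedPtr<MallocBacked, Int32Poison> slot(&object);
    return slot.unpoisoned()->length;
}
```

Two poison families matter because they trade off differently: the random pointer-sized one costs a load of the secret before every unpoison but cannot be predicted from a binary, while the fixed Int32 one can be encoded as an immediate in generated code and still stops a stray raw pointer from being accepted where a poisoned one is expected.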
1684 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
1685
1686         Web Inspector: Fix style in remote inspector classes
1687         https://bugs.webkit.org/show_bug.cgi?id=180545
1688
1689         Reviewed by Youenn Fablet.
1690
1691         * inspector/remote/RemoteControllableTarget.h:
1692         * inspector/remote/RemoteInspectionTarget.h:
1693         * runtime/JSGlobalObjectDebuggable.h:
1694
1695 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
1696
1697         Use fastAlignedFree to free aligned memory.
1698         https://bugs.webkit.org/show_bug.cgi?id=180540
1699
1700         Reviewed by Saam Barati.
1701
1702         * heap/IsoAlignedMemoryAllocator.cpp:
1703         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1704
1705 2017-12-07  Matt Lewis  <jlewis3@apple.com>
1706
1707         Unreviewed, rolling out r225634.
1708
1709         This caused layout tests to time out.
1710
1711         Reverted changeset:
1712
1713         "Simplify log channel configuration UI"
1714         https://bugs.webkit.org/show_bug.cgi?id=180527
1715         https://trac.webkit.org/changeset/225634
1716
1717 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
1718
1719         Simplify log channel configuration UI
1720         https://bugs.webkit.org/show_bug.cgi?id=180527
1721         <rdar://problem/35908382>
1722
1723         Reviewed by Joseph Pecoraro.
1724
1725         * inspector/protocol/Console.json:
1726
1727 2017-12-07  Mark Lam  <mark.lam@apple.com>
1728
1729         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
1730         https://bugs.webkit.org/show_bug.cgi?id=180514
1731
1732         Reviewed by Saam Barati and JF Bastien.
1733
1734         Re-landing r225620 with speculative build fix for GCC 7.
1735
1736         * API/JSCallbackObject.h:
1737         * API/JSObjectRef.cpp:
1738         (classInfoPrivate):
1739         * JavaScriptCore.xcodeproj/project.pbxproj:
1740         * Sources.txt:
1741         * assembler/MacroAssemblerCodeRef.h:
1742         (JSC::FunctionPtr::FunctionPtr):
1743         (JSC::FunctionPtr::value const):
1744         (JSC::FunctionPtr::executableAddress const):
1745         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1746         (JSC::ReturnAddressPtr::value const):
1747         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1748         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1749         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1750         (JSC::MacroAssemblerCodePtr:: const):
1751         (JSC::MacroAssemblerCodePtr::operator! const):
1752         (JSC::MacroAssemblerCodePtr::operator== const):
1753         (JSC::MacroAssemblerCodePtr::emptyValue):
1754         (JSC::MacroAssemblerCodePtr::deletedValue):
1755         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1756         * b3/B3LowerMacros.cpp:
1757         * b3/testb3.cpp:
1758         (JSC::B3::testInterpreter):
1759         * dfg/DFGSpeculativeJIT.cpp:
1760         (JSC::DFG::SpeculativeJIT::checkArray):
1761         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1762         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1763         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1764         * ftl/FTLLowerDFGToB3.cpp:
1765         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1766         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1767         * jit/AssemblyHelpers.h:
1768         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1769         * jit/SpecializedThunkJIT.h:
1770         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1771         * jit/ThunkGenerators.cpp:
1772         (JSC::virtualThunkFor):
1773         (JSC::boundThisNoArgsFunctionCallGenerator):
1774         * llint/LLIntSlowPaths.cpp:
1775         (JSC::LLInt::handleHostCall):
1776         (JSC::LLInt::setUpCall):
1777         * llint/LowLevelInterpreter64.asm:
1778         * runtime/InitializeThreading.cpp:
1779         (JSC::initializeThreading):
1780         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1781         (JSC::initializePoison):
1782         (JSC::initializeScrambledPtrKeys): Deleted.
1783         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1784         * runtime/JSCScrambledPtr.cpp: Removed.
1785         * runtime/JSCScrambledPtr.h: Removed.
1786         * runtime/JSDestructibleObject.h:
1787         (JSC::JSDestructibleObject::classInfo const):
1788         * runtime/JSSegmentedVariableObject.h:
1789         (JSC::JSSegmentedVariableObject::classInfo const):
1790         * runtime/Structure.h:
1791         * runtime/VM.h:
1792
1793 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
1794
1795         Unreviewed, rolling out r225620
1796         https://bugs.webkit.org/show_bug.cgi?id=180514
1797         <rdar://problem/35901694>
1798
1799         It broke the build with GCC 7, and I don't know how to fix it.
1800
1801         * API/JSCallbackObject.h:
1802         * API/JSObjectRef.cpp:
1803         (classInfoPrivate):
1804         * JavaScriptCore.xcodeproj/project.pbxproj:
1805         * Sources.txt:
1806         * assembler/MacroAssemblerCodeRef.h:
1807         (JSC::FunctionPtr::FunctionPtr):
1808         (JSC::FunctionPtr::value const):
1809         (JSC::FunctionPtr::executableAddress const):
1810         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1811         (JSC::ReturnAddressPtr::value const):
1812         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1813         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1814         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
1815         (JSC::MacroAssemblerCodePtr:: const):
1816         (JSC::MacroAssemblerCodePtr::operator! const):
1817         (JSC::MacroAssemblerCodePtr::operator== const):
1818         (JSC::MacroAssemblerCodePtr::emptyValue):
1819         (JSC::MacroAssemblerCodePtr::deletedValue):
1820         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
1821         * b3/B3LowerMacros.cpp:
1822         * b3/testb3.cpp:
1823         (JSC::B3::testInterpreter):
1824         * dfg/DFGSpeculativeJIT.cpp:
1825         (JSC::DFG::SpeculativeJIT::checkArray):
1826         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1827         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1828         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1829         * ftl/FTLLowerDFGToB3.cpp:
1830         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1831         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1832         * jit/AssemblyHelpers.h:
1833         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1834         * jit/SpecializedThunkJIT.h:
1835         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1836         * jit/ThunkGenerators.cpp:
1837         (JSC::virtualThunkFor):
1838         (JSC::boundThisNoArgsFunctionCallGenerator):
1839         * llint/LLIntSlowPaths.cpp:
1840         (JSC::LLInt::handleHostCall):
1841         (JSC::LLInt::setUpCall):
1842         * llint/LowLevelInterpreter64.asm:
1843         * runtime/InitializeThreading.cpp:
1844         (JSC::initializeThreading):
1845         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
1846         (JSC::initializeScrambledPtrKeys):
1847         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
1848         * runtime/JSDestructibleObject.h:
1849         (JSC::JSDestructibleObject::classInfo const):
1850         * runtime/JSSegmentedVariableObject.h:
1851         (JSC::JSSegmentedVariableObject::classInfo const):
1852         * runtime/Structure.h:
1853         * runtime/VM.h:
1854
1855 2017-12-06  Mark Lam  <mark.lam@apple.com>
1856
1857         Refactoring: Rename ScrambledPtr to Poisoned.
1858         https://bugs.webkit.org/show_bug.cgi?id=180514
1859
1860         Reviewed by Saam Barati.
1861
1862         * API/JSCallbackObject.h:
1863         * API/JSObjectRef.cpp:
1864         (classInfoPrivate):
1865         * JavaScriptCore.xcodeproj/project.pbxproj:
1866         * Sources.txt:
1867         * assembler/MacroAssemblerCodeRef.h:
1868         (JSC::FunctionPtr::FunctionPtr):
1869         (JSC::FunctionPtr::value const):
1870         (JSC::FunctionPtr::executableAddress const):
1871         (JSC::ReturnAddressPtr::ReturnAddressPtr):
1872         (JSC::ReturnAddressPtr::value const):
1873         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
1874         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
1875         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
1876         (JSC::MacroAssemblerCodePtr:: const):
1877         (JSC::MacroAssemblerCodePtr::operator! const):
1878         (JSC::MacroAssemblerCodePtr::operator== const):
1879         (JSC::MacroAssemblerCodePtr::emptyValue):
1880         (JSC::MacroAssemblerCodePtr::deletedValue):
1881         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
1882         * b3/B3LowerMacros.cpp:
1883         * b3/testb3.cpp:
1884         (JSC::B3::testInterpreter):
1885         * dfg/DFGSpeculativeJIT.cpp:
1886         (JSC::DFG::SpeculativeJIT::checkArray):
1887         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
1888         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1889         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
1890         * ftl/FTLLowerDFGToB3.cpp:
1891         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1892         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
1893         * jit/AssemblyHelpers.h:
1894         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1895         * jit/SpecializedThunkJIT.h:
1896         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
1897         * jit/ThunkGenerators.cpp:
1898         (JSC::virtualThunkFor):
1899         (JSC::boundThisNoArgsFunctionCallGenerator):
1900         * llint/LLIntSlowPaths.cpp:
1901         (JSC::LLInt::handleHostCall):
1902         (JSC::LLInt::setUpCall):
1903         * llint/LowLevelInterpreter64.asm:
1904         * runtime/InitializeThreading.cpp:
1905         (JSC::initializeThreading):
1906         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
1907         (JSC::initializePoison):
1908         (JSC::initializeScrambledPtrKeys): Deleted.
1909         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
1910         * runtime/JSCScrambledPtr.cpp: Removed.
1911         * runtime/JSCScrambledPtr.h: Removed.
1912         * runtime/JSDestructibleObject.h:
1913         (JSC::JSDestructibleObject::classInfo const):
1914         * runtime/JSSegmentedVariableObject.h:
1915         (JSC::JSSegmentedVariableObject::classInfo const):
1916         * runtime/Structure.h:
1917         * runtime/VM.h:
1918
1919 2017-12-02  Darin Adler  <darin@apple.com>
1920
1921         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
1922         https://bugs.webkit.org/show_bug.cgi?id=180009
1923
1924         Reviewed by Alex Christensen.
1925
1926         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
1927         * bytecode/CodeBlock.cpp: Ditto.
1928         * bytecode/ExecutionCounter.cpp: Ditto.
1929         * runtime/ConfigFile.cpp: Ditto.
1930         * runtime/DatePrototype.cpp: Ditto.
1931         * runtime/IndexingType.cpp: Ditto.
1932         * runtime/JSCJSValue.cpp: Ditto.
1933         * runtime/JSDateMath.cpp: Ditto.
1934         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
1935         * runtime/Options.cpp: Ditto.
1936         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
1937
1938 2017-12-06  Saam Barati  <sbarati@apple.com>
1939
1940         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
1941         https://bugs.webkit.org/show_bug.cgi?id=180438
1942         <rdar://problem/35862342>
1943
1944         Reviewed by Yusuke Suzuki.
1945
1946         A couple of inspector methods that take stacktraces need
1947         to grab the JSLock.
1948
1949         * inspector/ScriptCallStackFactory.cpp:
1950         (Inspector::createScriptCallStack):
1951         (Inspector::createScriptCallStackForConsole):
1952
1953 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
1954
1955         Switch windows build to Visual Studio 2017
1956         https://bugs.webkit.org/show_bug.cgi?id=172412
1957
1958         Reviewed by Per Arne Vollan.
1959
1960         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
1961
1962 2017-12-05  JF Bastien  <jfbastien@apple.com>
1963
1964         WebAssembly: don't eagerly checksum
1965         https://bugs.webkit.org/show_bug.cgi?id=180441
1966         <rdar://problem/35156628>
1967
1968         Reviewed by Saam Barati.
1969
1970         Make checksumming of the module optional for now. The bots think the
1971         checksum hurt compile-time. I'd measured it and couldn't see a
1972         difference, and still can't at this point in time, but we'll see
1973         if disabling it fixes the bots. If so then I can make it lazy upon
1974         first backtrace construction, or I can try out MD5 instead of
1975         SHA1.
1976
1977         * runtime/Options.h:
1978         * wasm/WasmModuleInformation.cpp:
1979         (JSC::Wasm::ModuleInformation::ModuleInformation):
1980         * wasm/WasmModuleInformation.h:
1981         * wasm/WasmNameSection.h:
1982         (JSC::Wasm::NameSection::NameSection):
1983
1984 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
1985
1986         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
1987         https://bugs.webkit.org/show_bug.cgi?id=180425
1988
1989         Reviewed by Saam Barati.
1990         
1991         Failure to do so causes leaks after starting workers.
1992
1993         * heap/IsoAlignedMemoryAllocator.cpp:
1994         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
1995         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
1996
1997 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
1998
1999         [Win64] Compile error in testmasm.cpp.
2000         https://bugs.webkit.org/show_bug.cgi?id=180436
2001
2002         Reviewed by Mark Lam.
2003
2004         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
2005         
2006         * assembler/testmasm.cpp:
2007         (JSC::testGetEffectiveAddress):
2008
2017-12-01  Filip Pizlo  <fpizlo@apple.com>

        GC constraint solving should be parallel
        https://bugs.webkit.org/show_bug.cgi?id=179934

        Reviewed by JF Bastien.

        This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
        speed-up. It's more than 1% on trunk-Speedometer.

        The constraint solver supports running constraints in parallel in two different ways:

        - Run multiple constraints in parallel to each other. This only works for constraints that can
          tolerate other constraints running concurrently to them (constraint.concurrency() ==
          ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
          constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
          could probably make them concurrent, but I'm playing it safe for now.

        - A constraint can create parallel work for itself, which the constraint solver will interleave
          with other stuff. A constraint can report that it has parallel work by returning
          ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
          constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
          for as long as that function wants to run.

        It's not possible to have a non-concurrent constraint that creates parallel work.

        The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
        most natural for two reasons:

        - No need to start any other threads.

        - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
          access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
          create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
          thread, that thread will have work it can start doing immediately. Before this change, we had to
          contribute the work found by the constraint solver to the global worklist so that it could be
          distributed to the marker threads by load balancing. This change probably helps to avoid that
          load balancing step.

        A lot of this change is about making it easy to iterate GC data structures in parallel. This
        change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
        the parallel work API. That constraint iterates the marked cells in two subspaces. This change
        makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
        The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
        iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
        RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
        when it returns a falsish version of ... (in the current code, that's always a pointer type, so
        done is indicated by null).

        * API/JSMarkingConstraintPrivate.cpp:
        (JSContextGroupAddMarkingConstraint):
        * API/JSVirtualMachine.mm:
        (scanExternalObjectGraph):
        (scanExternalRememberedSet):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * bytecode/AccessCase.cpp:
        (JSC::AccessCase::propagateTransitions const):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::visitWeakly):
        (JSC::CodeBlock::shouldJettisonDueToOldAge):
        (JSC::shouldMarkTransition):
        (JSC::CodeBlock::propagateTransitions):
        (JSC::CodeBlock::determineLiveness):
        * dfg/DFGWorklist.cpp:
        * ftl/FTLCompile.cpp:
        (JSC::FTL::compile):
        * heap/ConstraintParallelism.h: Added.
        (WTF::printInternal):
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::addToRememberedSet):
        (JSC::Heap::runFixpointPhase):
        (JSC::Heap::stopThePeriphery):
        (JSC::Heap::resumeThePeriphery):
        (JSC::Heap::addCoreConstraints):
        (JSC::Heap::setBonusVisitorTask):
        (JSC::Heap::runTaskInParallel):
        (JSC::Heap::forEachSlotVisitor): Deleted.
        * heap/Heap.h:
        (JSC::Heap::worldIsRunning const):
        (JSC::Heap::runFunctionInParallel):
        * heap/HeapInlines.h:
        (JSC::Heap::worldIsStopped const):
        (JSC::Heap::isMarked):
        (JSC::Heap::incrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepth):
        (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
        (JSC::Heap::forEachSlotVisitor):
        (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
        (JSC::Heap::isMarkedConcurrently): Deleted.
        * heap/HeapSnapshotBuilder.cpp:
        (JSC::HeapSnapshotBuilder::appendNode):
        * heap/LargeAllocation.h:
        (JSC::LargeAllocation::isMarked):
        (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
        * heap/LockDuringMarking.h:
        (JSC::lockDuringMarking):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
        * heap/MarkedAllocator.h:
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::aboutToMark):
        (JSC::MarkedBlock::isMarked):
        (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
        (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
        * heap/MarkedSpace.h:
        (JSC::MarkedSpace::activeWeakSetsBegin):
        (JSC::MarkedSpace::activeWeakSetsEnd):
        (JSC::MarkedSpace::newActiveWeakSetsBegin):
        (JSC::MarkedSpace::newActiveWeakSetsEnd):
        * heap/MarkingConstraint.cpp:
        (JSC::MarkingConstraint::MarkingConstraint):
        (JSC::MarkingConstraint::execute):
        (JSC::MarkingConstraint::quickWorkEstimate):
        (JSC::MarkingConstraint::workEstimate):
        (JSC::MarkingConstraint::doParallelWork):
        (JSC::MarkingConstraint::finishParallelWork):
        (JSC::MarkingConstraint::doParallelWorkImpl):
        (JSC::MarkingConstraint::finishParallelWorkImpl):
        * heap/MarkingConstraint.h:
        (JSC::MarkingConstraint::lastExecuteParallelism const):
        (JSC::MarkingConstraint::parallelism const):
        (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
        (JSC::MarkingConstraint::workEstimate): Deleted.
        * heap/MarkingConstraintSet.cpp:
        (JSC::MarkingConstraintSet::MarkingConstraintSet):
        (JSC::MarkingConstraintSet::add):
        (JSC::MarkingConstraintSet::executeConvergence):
        (JSC::MarkingConstraintSet::executeConvergenceImpl):
        (JSC::MarkingConstraintSet::executeAll):
        (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
        (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
        (): Deleted.
        * heap/MarkingConstraintSet.h:
        * heap/MarkingConstraintSolver.cpp: Added.
        (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
        (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
        (JSC::MarkingConstraintSolver::didVisitSomething const):
        (JSC::MarkingConstraintSolver::execute):
        (JSC::MarkingConstraintSolver::drain):
        (JSC::MarkingConstraintSolver::converge):
        (JSC::MarkingConstraintSolver::runExecutionThread):
        (JSC::MarkingConstraintSolver::didExecute):
        * heap/MarkingConstraintSolver.h: Added.
        * heap/OpaqueRootSet.h: Removed.
        * heap/ParallelSourceAdapter.h: Added.
        (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
        (JSC::createParallelSourceAdapter):
        * heap/SimpleMarkingConstraint.cpp: Added.
        (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
        (JSC::SimpleMarkingConstraint::quickWorkEstimate):
        (JSC::SimpleMarkingConstraint::executeImpl):
        * heap/SimpleMarkingConstraint.h: Added.
        * heap/SlotVisitor.cpp:
        (JSC::SlotVisitor::didStartMarking):
        (JSC::SlotVisitor::reset):
        (JSC::SlotVisitor::appendToMarkStack):
        (JSC::SlotVisitor::visitChildren):
        (JSC::SlotVisitor::updateMutatorIsStopped):
        (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
        (JSC::SlotVisitor::drain):
        (JSC::SlotVisitor::performIncrementOfDraining):
        (JSC::SlotVisitor::didReachTermination):
        (JSC::SlotVisitor::hasWork):
        (JSC::SlotVisitor::drainFromShared):
        (JSC::SlotVisitor::drainInParallelPassively):
        (JSC::SlotVisitor::waitForTermination):
        (JSC::SlotVisitor::addOpaqueRoot): Deleted.
        (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
        (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
        (JSC::SlotVisitor::mergeIfNecessary): Deleted.
        (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
        (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
        * heap/SlotVisitor.h:
        * heap/SlotVisitorInlines.h:
        (JSC::SlotVisitor::addOpaqueRoot):
        (JSC::SlotVisitor::containsOpaqueRoot const):
        (JSC::SlotVisitor::vm):
        (JSC::SlotVisitor::vm const):
        * heap/Subspace.cpp:
        (JSC::Subspace::parallelAllocatorSource):
        (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
        * heap/Subspace.h:
        * heap/SubspaceInlines.h:
        (JSC::Subspace::forEachMarkedCellInParallel):
        * heap/VisitCounter.h: Added.
        (JSC::VisitCounter::VisitCounter):
        (JSC::VisitCounter::visitCount const):
        * heap/VisitingTimeout.h: Removed.
        * heap/WeakBlock.cpp:
        (JSC::WeakBlock::specializedVisit):
        * runtime/Structure.cpp:
        (JSC::Structure::isCheapDuringGC):
        (JSC::Structure::markIfCheap):

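The parallel-iterator scheme the entry above describes (a shared source whose next() is atomic and returns null once drained, composed from the block level up to the marked-cell level, and drained by whichever worker threads are available) as an added illustration written for this ChangeLog; it is not JavaScriptCore's ParallelSourceAdapter or Subspace code. Cell, Block, ParallelSource, parallelBlockSource, parallelMarkedCellSource, drainInParallel and visitMarkedCells are names chosen here, the heap contents are constructed, and std::thread workers stand in for the GC marker threads.

```cpp
#include <atomic>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Constructed toy heap: blocks own cells, a cell carries a mark bit.
// Stand-ins for MarkedBlock and its cells, not JavaScriptCore's real types.
struct Cell { bool marked; int payload; };
struct Block { std::vector<Cell> cells; };

// A parallel source: a shared callable whose next() may be called from many
// threads at once and returns null once drained (the entry's SharedTask<T*()>).
template<typename T>
using ParallelSource = std::shared_ptr<std::function<T*()>>;

// Source over blocks: one shared atomic cursor is all that next() needs.
inline ParallelSource<Block> parallelBlockSource(std::vector<Block>& blocks)
{
    auto cursor = std::make_shared<std::atomic<size_t>>(0);
    return std::make_shared<std::function<Block*()>>([&blocks, cursor]() -> Block* {
        size_t i = cursor->fetch_add(1, std::memory_order_relaxed);
        return i < blocks.size() ? &blocks[i] : nullptr;
    });
}

// Source over marked cells, composed from the block source. Its cursor spans
// two fields (current block, index into it), so a mutex guards it; the lock is
// held only while choosing the next cell, never while the caller visits it.
inline ParallelSource<Cell> parallelMarkedCellSource(ParallelSource<Block> blocks)
{
    struct State { std::mutex lock; Block* current = nullptr; size_t index = 0; };
    auto state = std::make_shared<State>();
    return std::make_shared<std::function<Cell*()>>([blocks, state]() -> Cell* {
        std::lock_guard<std::mutex> guard(state->lock);
        for (;;) {
            if (!state->current) {
                state->current = (*blocks)();
                state->index = 0;
                if (!state->current)
                    return nullptr; // every block has been handed out: drained
            }
            while (state->index < state->current->cells.size()) {
                Cell* cell = &state->current->cells[state->index++];
                if (cell->marked)
                    return cell;
            }
            state->current = nullptr; // block exhausted, fetch the next one
        }
    });
}

// Drain a source on threadCount workers; each loops on next() until null.
template<typename T, typename Visitor>
void drainInParallel(ParallelSource<T> source, unsigned threadCount, Visitor& visit)
{
    std::vector<std::thread> workers;
    for (unsigned i = 0; i < threadCount; ++i) {
        workers.emplace_back([source, &visit] {
            while (T* item = (*source)())
                visit(item);
        });
    }
    for (auto& worker : workers)
        worker.join();
}

// Constructed sample heap: five marked cells whose payloads sum to 25.
inline std::vector<Block> makeSampleHeap()
{
    return {
        { { { true, 1 }, { false, 2 }, { true, 3 } } },
        { { { false, 4 }, { false, 5 } } },
        { { { true, 6 }, { true, 7 }, { true, 8 } } },
        { {} }, // an empty block must not stall the composed cell source
    };
}

struct VisitSummary { long count; long sum; };

// Visit every marked cell on threadCount workers. If next() is really atomic
// the summary is the same for any thread count.
inline VisitSummary visitMarkedCells(unsigned threadCount)
{
    std::vector<Block> heap = makeSampleHeap();
    std::atomic<long> count(0), sum(0);
    auto visit = [&](Cell* cell) {
        count.fetch_add(1, std::memory_order_relaxed);
        sum.fetch_add(cell->payload, std::memory_order_relaxed);
    };
    drainInParallel(parallelMarkedCellSource(parallelBlockSource(heap)), threadCount, visit);
    return { count.load(), sum.load() };
}

int main()
{
    VisitSummary one = visitMarkedCells(1), four = visitMarkedCells(4);
    return (one.count == 5 && one.sum == 25 && four.count == 5 && four.sum == 25) ? 0 : 1;
}
```

The design point the composition makes is that only the innermost cursor needs synchronisation: the block source is a single atomic, the cell source locks around its two-field cursor, and the visitor runs unlocked, so adding levels (subspace, allocator) means adding one more source that pulls from the one below it.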
2017-12-04  JF Bastien  <jfbastien@apple.com>

        Math: don't redundantly check for exceptions, just release scope
        https://bugs.webkit.org/show_bug.cgi?id=180395

        Rubber stamped by Mark Lam.

        Two of the exceptions checks could just have been exception scope
        releases before the return, which is ever-so-slightly more
        efficient. The same technically applies where we have loops over
        parameters, but doing the scope release there isn't really more
        efficient and is way harder to read.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncPow):

2017-12-04  David Quesada  <david_quesada@apple.com>

        Add a class for parsing application manifests
        https://bugs.webkit.org/show_bug.cgi?id=177973
        rdar://problem/34747949

        Reviewed by Geoffrey Garen.

        * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.

2017-12-04  JF Bastien  <jfbastien@apple.com>

        Update std::expected to match libc++ coding style
        https://bugs.webkit.org/show_bug.cgi?id=180264

        Reviewed by Alex Christensen.

        Update various uses of Expected.

        * wasm/WasmModule.h:
        * wasm/WasmModuleParser.cpp:
        (JSC::Wasm::ModuleParser::parseImport):
        (JSC::Wasm::ModuleParser::parseTableHelper):
        (JSC::Wasm::ModuleParser::parseTable):
        (JSC::Wasm::ModuleParser::parseMemoryHelper):
        * wasm/WasmParser.h:
        * wasm/generateWasmValidateInlinesHeader.py:
        (loadMacro):
        (storeMacro):
        * wasm/js/JSWebAssemblyModule.cpp:
        (JSC::JSWebAssemblyModule::createStub):
        * wasm/js/JSWebAssemblyModule.h:

2017-12-04  Saam Barati  <sbarati@apple.com>

        We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
        https://bugs.webkit.org/show_bug.cgi?id=180366
        <rdar://problem/35685877>

        Reviewed by Michael Saboff.

        On the TailCall slow path, the CallFrameShuffler will build the frame with
        respect to SP instead of FP. However, this may overwrite slots on the stack
        that are needed if the slow path C call does a stack walk. The slow path
        C call does a stack walk when it throws an exception. This patch fixes
        this bug by ensuring that the top of the stack in the FTL always has enough
        space to allow CallFrameShuffler to build a frame without overwriting any
        items on the stack that are needed when doing a stack walk.

        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):

2017-12-04  Devin Rousso  <webkit@devinrousso.com>

        Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
        https://bugs.webkit.org/show_bug.cgi?id=175166
        <rdar://problem/34040740>

        Reviewed by Joseph Pecoraro.

        * inspector/protocol/Recording.json:
        Add optional `name` that will be used by the frontend for uniquely identifying the Recording.

        * inspector/JSGlobalObjectConsoleClient.h:
        * inspector/JSGlobalObjectConsoleClient.cpp:
        (Inspector::JSGlobalObjectConsoleClient::record):
        (Inspector::JSGlobalObjectConsoleClient::recordEnd):

        * runtime/ConsoleClient.h:
        * runtime/ConsoleObject.cpp:
        (JSC::ConsoleObject::finishCreation):
        (JSC::consoleProtoFuncRecord):
        (JSC::consoleProtoFuncRecordEnd):

2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>

        WTF shouldn't have both Thread and ThreadIdentifier
        https://bugs.webkit.org/show_bug.cgi?id=180308

        Reviewed by Darin Adler.

        * heap/MachineStackMarker.cpp:
        (JSC::MachineThreads::tryCopyOtherThreadStacks):
        * llint/LLIntSlowPaths.cpp:
        (JSC::LLInt::llint_trace_operand):
        (JSC::LLInt::llint_trace_value):
        (JSC::LLInt::LLINT_SLOW_PATH_DECL):
        (JSC::LLInt::traceFunctionPrologue):
        * runtime/ExceptionScope.cpp:
        (JSC::ExceptionScope::unexpectedExceptionMessage):
        * runtime/JSLock.h:
        (JSC::JSLock::currentThreadIsHoldingLock):
        * runtime/VM.cpp:
        (JSC::VM::throwException):
        * runtime/VM.h:
        (JSC::VM::throwingThread const):
        (JSC::VM::clearException):
        * tools/HeapVerifier.cpp:
        (JSC::HeapVerifier::printVerificationHeader):

2017-12-03  Caio Lima  <ticaiolima@gmail.com>

        Rename DestroyFunc to avoid redefinition on unified build
        https://bugs.webkit.org/show_bug.cgi?id=180335

        Reviewed by Filip Pizlo.

        Changing DestroyFunc structures to more specific names to avoid
        conflicts on unified builds.

        * heap/HeapCellType.cpp:
        (JSC::HeapCellType::finishSweep):
        (JSC::HeapCellType::destroy):
        * runtime/JSDestructibleObjectHeapCellType.cpp:
        (JSC::JSDestructibleObjectHeapCellType::finishSweep):
        (JSC::JSDestructibleObjectHeapCellType::destroy):
        * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
        (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
        (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
        * runtime/JSStringHeapCellType.cpp:
        (JSC::JSStringHeapCellType::finishSweep):
        (JSC::JSStringHeapCellType::destroy):
        * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
        (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
        (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        JavaScriptCore: missing exception checks in Math functions that take more than one argument
        https://bugs.webkit.org/show_bug.cgi?id=180297
        <rdar://problem/35745556>

        Reviewed by Mark Lam.

        * runtime/MathObject.cpp:
        (JSC::mathProtoFuncATan2):
        (JSC::mathProtoFuncMax):
        (JSC::mathProtoFuncMin):
        (JSC::mathProtoFuncPow):

2017-12-01  Mark Lam  <mark.lam@apple.com>

        Let's scramble ClassInfo pointers in cells.
        https://bugs.webkit.org/show_bug.cgi?id=180291
        <rdar://problem/35807620>

        Reviewed by JF Bastien.

        * API/JSCallbackObject.h:
        * API/JSObjectRef.cpp:
        (classInfoPrivate):
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * Sources.txt:
        * assembler/MacroAssemblerCodeRef.cpp:
        (JSC::MacroAssemblerCodePtr::initialize): Deleted.
        * assembler/MacroAssemblerCodeRef.h:
        (JSC::MacroAssemblerCodePtr:: const):
        (JSC::MacroAssemblerCodePtr::hash const):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::checkArray):
        (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
        (JSC::DFG::SpeculativeJIT::compileNewStringObject):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
        (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
        * jit/AssemblyHelpers.h:
        (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
        * jit/SpecializedThunkJIT.h:
        (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSCScrambledPtr.cpp: Added.
        (JSC::initializeScrambledPtrKeys):
        * runtime/JSCScrambledPtr.h: Added.
        * runtime/JSDestructibleObject.h:
        (JSC::JSDestructibleObject::classInfo const):
        * runtime/JSSegmentedVariableObject.h:
        (JSC::JSSegmentedVariableObject::classInfo const):
        * runtime/Structure.h:
        * runtime/VM.h:

2017-12-01  Brian Burg  <bburg@apple.com>

        Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
        https://bugs.webkit.org/show_bug.cgi?id=173662

        Reviewed by Joseph Pecoraro.

        Adopt new type names. Fix protocol generator to use correct type names.

        * inspector/ConsoleMessage.cpp:
        (Inspector::ConsoleMessage::addToFrontend):
        Improve namings and use 'auto' when the type is obvious and repeated.

        * inspector/ContentSearchUtilities.cpp:
        (Inspector::ContentSearchUtilities::searchInTextByLines):
        * inspector/ContentSearchUtilities.h:
        * inspector/InjectedScript.cpp:
        (Inspector::InjectedScript::getProperties):
        (Inspector::InjectedScript::getDisplayableProperties):
        (Inspector::InjectedScript::getInternalProperties):
        (Inspector::InjectedScript::getCollectionEntries):
        (Inspector::InjectedScript::wrapCallFrames const):
        * inspector/InjectedScript.h:
        * inspector/InspectorProtocolTypes.h:
        (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
        (Inspector::Protocol::Array::Array): Deleted.
        (Inspector::Protocol::Array::openAccessors): Deleted.
        (Inspector::Protocol::Array::addItem): Deleted.
        (Inspector::Protocol::Array::create): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
        (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
        Move the implementation out of this file.

        * inspector/ScriptCallStack.cpp:
        (Inspector::ScriptCallStack::buildInspectorArray const):
        * inspector/ScriptCallStack.h:
        * inspector/agents/InspectorAgent.cpp:
        (Inspector::InspectorAgent::activateExtraDomain):
        (Inspector::InspectorAgent::activateExtraDomains):
        * inspector/agents/InspectorAgent.h:
        * inspector/agents/InspectorConsoleAgent.cpp:
        (Inspector::InspectorConsoleAgent::getLoggingChannels):
        * inspector/agents/InspectorConsoleAgent.h:
        * inspector/agents/InspectorDebuggerAgent.cpp:
        (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
        (Inspector::InspectorDebuggerAgent::searchInContent):
        (Inspector::InspectorDebuggerAgent::currentCallFrames):
        * inspector/agents/InspectorDebuggerAgent.h:
        * inspector/agents/InspectorRuntimeAgent.cpp:
        (Inspector::InspectorRuntimeAgent::getProperties):
        (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
        (Inspector::InspectorRuntimeAgent::getCollectionEntries):
        (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
        (Inspector::InspectorRuntimeAgent::getBasicBlocks):
        * inspector/agents/InspectorRuntimeAgent.h:
        * inspector/agents/InspectorScriptProfilerAgent.cpp:
        (Inspector::buildSamples):
        Use more 'auto' and rename a variable.

        * inspector/scripts/codegen/cpp_generator.py:
        (CppGenerator.cpp_protocol_type_for_type):
        Adopt new type names. This exposed a latent bug where we should have been
        unwrapping an AliasedType prior to generating a C++ type for it. The aliased
        type may be an array, in which case we would have generated the wrong type.

        * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
        (_generate_typedefs_for_domain.JSON):
        (_generate_typedefs_for_domain.Inspector): Deleted.
        * inspector/scripts/codegen/objc_generator.py:
        (ObjCGenerator.protocol_type_for_type):
        (ObjCGenerator.objc_protocol_export_expression_for_variable):
        * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
        * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
        * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
        * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
        * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
        Rebaseline.

        * runtime/TypeSet.cpp:
        (JSC::TypeSet::allStructureRepresentations const):
        (JSC::StructureShape::inspectorRepresentation):
        * runtime/TypeSet.h:

2017-12-01  Saam Barati  <sbarati@apple.com>

        Having a bad time needs to handle ArrayClass indexing type as well
        https://bugs.webkit.org/show_bug.cgi?id=180274
        <rdar://problem/35667869>

        Reviewed by Keith Miller and Mark Lam.

        We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
        Otherwise, we'll end up with the wrong Structure, which will lead us to not
        adhere to the spec. The bug was that we were not considering ArrayClass inside
        hasBrokenIndexing. This patch rewrites that function to automatically opt
        in non-empty indexing types as broken, instead of having to opt out all
        non-empty indexing types besides SlowPutArrayStorage.

        * runtime/IndexingType.h:
        (JSC::hasSlowPutArrayStorage):
        (JSC::shouldUseSlowPut):
        * runtime/JSGlobalObject.cpp:
        * runtime/JSObject.cpp:
        (JSC::JSObject::switchToSlowPutArrayStorage):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: stack trace improvement follow-ups
        https://bugs.webkit.org/show_bug.cgi?id=180273

        Reviewed by Saam Barati.

        * wasm/WasmIndexOrName.cpp:
        (JSC::Wasm::makeString):
        * wasm/WasmIndexOrName.h:
        (JSC::Wasm::IndexOrName::nameSection const):
        * wasm/WasmNameSection.h:
        (JSC::Wasm::NameSection::NameSection):
        (JSC::Wasm::NameSection::get):

2017-12-01  JF Bastien  <jfbastien@apple.com>

        WebAssembly: restore cached stack limit after out-call
        https://bugs.webkit.org/show_bug.cgi?id=179106
        <rdar://problem/35337525>

        Reviewed by Saam Barati.

        We cache the stack limit on the Instance so that we can do fast
        stack checks where required. In regular usage the stack limit
        never changes because we always run on the same thread, but in
        rare cases an API user can totally migrate which thread (and
        therefore stack) is used for execution between WebAssembly
        traces. For that reason we set the cached stack limit to
        UINTPTR_MAX on the outgoing Instance when transitioning back into
        a different Instance. We usually restore the cached stack limit in
        Context::store, but this wasn't called on all code paths. We had a
        bug where an Instance calling into itself indirectly would
        therefore fail to restore its cached stack limit properly.

        This patch therefore restores the cached stack limit after direct
        calls which could be to imports (both wasm->wasm and
        wasm->embedder). We have to do all of them because we have no way
        of knowing what imports will do (they're known at instantiation
        time, not compilation time, and different instances can have
        different imports). To make this efficient we also add a pointer
        to the canonical location of the stack limit (i.e. the extra
        indirection we're trying to save by caching the stack limit on the
        Instance in the first place). This is potentially a small perf hit
        on imported direct calls.

        It's hard to say what the performance cost will be because we
        haven't seen much code in the wild which does this. We're adding
        two dependent loads and a store of the loaded value, which is
        unlikely to get used soon after. It's more code, but on an
        out-of-order processor it doesn't contribute to the critical path.

        * wasm/WasmB3IRGenerator.cpp:
        (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
        (JSC::Wasm::B3IRGenerator::addGrowMemory):
        (JSC::Wasm::B3IRGenerator::addCall):
        (JSC::Wasm::B3IRGenerator::addCallIndirect):
        * wasm/WasmInstance.cpp:
        (JSC::Wasm::Instance::Instance):
        (JSC::Wasm::Instance::create):
        * wasm/WasmInstance.h:
        (JSC::Wasm::Instance::offsetOfPointerToActualStackLimit):
        (JSC::Wasm::Instance::cachedStackLimit const):
        (JSC::Wasm::Instance::setCachedStackLimit):
        * wasm/js/JSWebAssemblyInstance.cpp:
        (JSC::JSWebAssemblyInstance::create):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

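How the cached-limit protocol in the entry above fits together, as an added model written for this ChangeLog rather than JavaScriptCore's WasmInstance or B3IRGenerator code: the instance keeps a fast-path copy of the stack limit, sets that copy to UINTPTR_MAX when control leaves it for an import, and afterwards refills it through a pointer to the canonical location. Context, Instance, callImport, callImportWithoutRestore and observe are names chosen here, the 0x1000 limit and 0x2000 stack pointer are constructed values, and callImportWithoutRestore is a stand-in for the pre-fix path the entry describes (a restore that some code paths never reached), not a reproduction of the actual old code.

```cpp
#include <cstdint>
#include <functional>

// Canonical home of the stack limit, owned by the thread/VM rather than the
// instance. Constructed stand-in for the real context, not its layout.
struct Context {
    uintptr_t actualStackLimit;
};

struct Instance {
    // Fast-path copy that generated stack checks read with a single load.
    uintptr_t cachedStackLimit;
    // The extra indirection the cache exists to avoid on the hot path; it is
    // followed only when the cache has to be refilled.
    uintptr_t* pointerToActualStackLimit;

    explicit Instance(Context& context)
        : cachedStackLimit(context.actualStackLimit)
        , pointerToActualStackLimit(&context.actualStackLimit)
    {
    }
};

// The check generated code would emit: one load, one compare. Stacks grow
// down, so a frame whose sp is below the limit is out of stack.
inline bool fastStackCheckPasses(const Instance& instance, uintptr_t sp)
{
    return sp >= instance.cachedStackLimit;
}

// Leaving the instance: whatever runs next may be on another thread or stack,
// so the copy is no longer trustworthy. UINTPTR_MAX makes every fast check
// fail closed instead of trusting a stale value.
inline void leaveInstance(Instance& instance)
{
    instance.cachedStackLimit = UINTPTR_MAX;
}

// Coming back: refill the copy from its canonical location (two dependent
// loads and a store, as the entry notes).
inline void restoreCachedStackLimit(Instance& instance)
{
    instance.cachedStackLimit = *instance.pointerToActualStackLimit;
}

using Import = std::function<void(Instance& caller)>;

// Post-fix direct call to an import: restore unconditionally afterwards,
// because at compile time nothing is known about what the import will do.
inline void callImport(Instance& caller, const Import& import)
{
    leaveInstance(caller);
    import(caller);
    restoreCachedStackLimit(caller);
}

// Stand-in for the pre-fix path: the restore lived elsewhere and an instance
// calling back into itself never reached it, so the sentinel lingers.
inline void callImportWithoutRestore(Instance& caller, const Import& import)
{
    leaveInstance(caller);
    import(caller);
}

struct Observation {
    uintptr_t limitDuringImport;
    bool checkDuringImport;
    uintptr_t limitAfterImport;
    bool checkAfterImport;
};

// Run one import call and record what the fast check sees during and after it.
inline Observation observe(bool withFix)
{
    Context context { 0x1000 };  // constructed: the stack may not go below 0x1000
    Instance instance(context);
    const uintptr_t sp = 0x2000; // constructed: a frame well above the limit
    Observation observation {};
    Import import = [&](Instance& caller) {
        // While control is outside the instance the copy reads as the sentinel.
        observation.limitDuringImport = caller.cachedStackLimit;
        observation.checkDuringImport = fastStackCheckPasses(caller, sp);
    };
    if (withFix)
        callImport(instance, import);
    else
        callImportWithoutRestore(instance, import);
    observation.limitAfterImport = instance.cachedStackLimit;
    observation.checkAfterImport = fastStackCheckPasses(instance, sp);
    return observation;
}

int main()
{
    // Fixed: the sentinel is gone after the call and a sane frame passes again.
    // Without the restore it lingers and even a sane frame fails the fast check.
    return (observe(true).checkAfterImport && !observe(false).checkAfterImport) ? 0 : 1;
}
```

The sentinel direction matters for the failure mode: a stale copy that is too large only makes the fast path refuse frames it should accept, which is the safe side to err on, whereas a stale copy that is too small would let the fast check pass for a frame that is actually out of stack.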
2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Use JSFixedArray for op_new_array_buffer
        https://bugs.webkit.org/show_bug.cgi?id=180084

        Reviewed by Saam Barati.

        For op_new_array_buffer, we have a special constant buffer in CodeBlock.
        But using JSFixedArray is better because,

        1. In DFG, we have special hashing mechanism to avoid duplicating constant buffer from the same CodeBlock.
           If we use JSFixedArray, this is unnecessary since JSFixedArray is handled just as JS constant.

        2. In a subsequent patch[1], we would like to support Spread(PhantomNewArrayBuffer). If NewArrayBuffer
           has JSFixedArray, we can just emit a held JSFixedArray.

        3. We can reduce length of op_new_array_buffer since JSFixedArray holds this.

        4. We can fold NewArrayBufferData into uint64_t. No need to maintain a bag of NewArrayBufferData in DFG.

        5. We do not need to look up constant buffer from CodeBlock if buffer data is necessary. Our NewArrayBuffer
           DFG node has JSFixedArray as its cellOperand. This makes materializing PhantomNewArrayBuffer easy, which
           will be introduced in [1].

        [1]: https://bugs.webkit.org/show_bug.cgi?id=179762

        * bytecode/BytecodeDumper.cpp:
        (JSC::BytecodeDumper<Block>::dumpBytecode):
        * bytecode/BytecodeList.json:
        * bytecode/BytecodeUseDef.h:
        (JSC::computeUsesForBytecodeOffset):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfConstantBuffers const): Deleted.
        (JSC::CodeBlock::addConstantBuffer): Deleted.
        (JSC::CodeBlock::constantBufferAsVector): Deleted.
        (JSC::CodeBlock::constantBuffer): Deleted.
        * bytecode/UnlinkedCodeBlock.cpp:
        (JSC::UnlinkedCodeBlock::shrinkToFit):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::constantBufferCount): Deleted.
        (JSC::UnlinkedCodeBlock::addConstantBuffer): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer const): Deleted.
        (JSC::UnlinkedCodeBlock::constantBuffer): Deleted.
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitNewArray):
        (JSC::BytecodeGenerator::addConstantBuffer): Deleted.
        * bytecompiler/BytecodeGenerator.h:
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::parseBlock):
        (JSC::DFG::ByteCodeParser::InlineStackEntry::InlineStackEntry):
        (JSC::DFG::ConstantBufferKey::ConstantBufferKey): Deleted.
        (JSC::DFG::ConstantBufferKey::operator== const): Deleted.
        (JSC::DFG::ConstantBufferKey::hash const): Deleted.
        (JSC::DFG::ConstantBufferKey::isHashTableDeletedValue const): Deleted.
        (JSC::DFG::ConstantBufferKey::codeBlock const): Deleted.
        (JSC::DFG::ConstantBufferKey::index const): Deleted.
        (JSC::DFG::ConstantBufferKeyHash::hash): Deleted.
        (JSC::DFG::ConstantBufferKeyHash::equal): Deleted.
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGGraph.cpp:
        (JSC::DFG::Graph::dump):
        * dfg/DFGGraph.h:
        * dfg/DFGNode.h:
        (JSC::DFG::Node::hasNewArrayBufferData):
        (JSC::DFG::Node::newArrayBufferData):
        (JSC::DFG::Node::hasVectorLengthHint):
        (JSC::DFG::Node::vectorLengthHint):
        (JSC::DFG::Node::indexingType):
        (JSC::DFG::Node::hasCellOperand):
        (JSC::DFG::Node::OpInfoWrapper::operator=):
        (JSC::DFG::Node::OpInfoWrapper::asNewArrayBufferData const):
        (JSC::DFG::Node::hasConstantBuffer): Deleted.
        (JSC::DFG::Node::startConstant): Deleted.
        (JSC::DFG::Node::numConstants): Deleted.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayBuffer):
        * jit/JIT.cpp:
        (JSC::JIT::privateCompileMainPass):
        * jit/JIT.h:
        * jit/JITOpcodes.cpp:
        (JSC::JIT::emit_op_new_array_buffer): Deleted.
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:
        * llint/LLIntSlowPaths.cpp:
        * llint/LLIntSlowPaths.h:
        * llint/LowLevelInterpreter.asm:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/CommonSlowPaths.h:
        * runtime/JSFixedArray.cpp:
        (JSC::JSFixedArray::dumpToStream):
        * runtime/JSFixedArray.h:
        (JSC::JSFixedArray::create):
        (JSC::JSFixedArray::get const):
        (JSC::JSFixedArray::set):
        (JSC::JSFixedArray::buffer const):
        (JSC::JSFixedArray::values const):
        (JSC::JSFixedArray::length const):
2690         (JSC::JSFixedArray::values const):
2691         (JSC::JSFixedArray::length const):
2692         (JSC::JSFixedArray::get): Deleted.
2693
2694 2017-11-30  JF Bastien  <jfbastien@apple.com>
2695
2696         WebAssembly: improve stack trace
2697         https://bugs.webkit.org/show_bug.cgi?id=179343
2698
2699         Reviewed by Saam Barati.
2700
2701         Stack traces now include:
2702
2703           - Module name, if provided by the name section.
2704           - Module SHA1 hash, if no name was provided.
2705           - Stub identification, to differentiate from user code.
2706           - Slightly different naming to match the design from:
2707               https://github.com/WebAssembly/design/blob/master/Web.md#developer-facing-display-conventions
2708
2709         * interpreter/StackVisitor.cpp:
2710         (JSC::StackVisitor::Frame::functionName const):
2711         * runtime/StackFrame.cpp:
2712         (JSC::StackFrame::functionName const):
2713         (JSC::StackFrame::visitChildren):
2714         * wasm/WasmIndexOrName.cpp:
2715         (JSC::Wasm::IndexOrName::IndexOrName):
2716         (JSC::Wasm::makeString):
2717         * wasm/WasmIndexOrName.h:
2718         (JSC::Wasm::IndexOrName::nameSection const):
2719         * wasm/WasmModuleInformation.cpp:
2720         (JSC::Wasm::ModuleInformation::ModuleInformation):
2721         * wasm/WasmModuleInformation.h:
2722         * wasm/WasmNameSection.h:
2723         (JSC::Wasm::NameSection::NameSection):
2724         (JSC::Wasm::NameSection::get):
2725         * wasm/WasmNameSectionParser.cpp:
2726         (JSC::Wasm::NameSectionParser::parse):
2727
2728 2017-11-30  Stephan Szabo  <stephan.szabo@sony.com>
2729
2730         Make LegacyCustomProtocolManager optional for network process
2731         https://bugs.webkit.org/show_bug.cgi?id=176230
2732
2733         Reviewed by Alex Christensen.
2734
2735         * Configurations/FeatureDefines.xcconfig:
2736
2737 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2738
2739         [JSC] Remove easy toRemove & map.remove() use in OAS phase
2740         https://bugs.webkit.org/show_bug.cgi?id=180208
2741
2742         Reviewed by Mark Lam.
2743
2744         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
2745         to optimize this common pattern. This patch only modifies apparent ones.
2746         But we can apply this refactoring further to the OAS phase in the future.
2747
2748         One thing we should take care of is that the predicate of removeIf should not touch the
2749         set being removed from. In this patch, we apply this change to (1) apparently
2750         correct ones and (2) things in the DFG OAS phase since it is very slow.
2751
2752         * b3/B3MoveConstants.cpp:
2753         * dfg/DFGObjectAllocationSinkingPhase.cpp:
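
An added example, not part of this ChangeLog or of WebKit, showing the toRemove-then-remove pattern the entry replaces with removeIf, and why the removeIf predicate must not touch the set it is pruning. std::map stands in for WTF::HashMap, the local removeIf() for HashMap::removeIf, and the owner data is constructed; the "touching" predicate is one plausible shape of the mistake the rollback entry describes, not the actual DFG code.

```cpp
// Added example (not WebKit code): the "toRemove Vector + remove loop" pattern
// this entry replaces with removeIf, and why the removeIf predicate must not
// touch the set it is pruning. std::map stands in for WTF::HashMap and a local
// removeIf() for HashMap::removeIf; the owner data is constructed.
#include <cstddef>
#include <map>
#include <set>
#include <vector>

namespace RemoveIfExample {

// node id -> id of the node that keeps it alive.
using OwnerMap = std::map<int, int>;

OwnerMap sampleOwners()
{
    // Nodes 1 and 4 are owned by nodes (0 and 9) that are not in the map.
    return { { 1, 0 }, { 2, 1 }, { 3, 2 }, { 4, 9 } };
}

// Minimal removeIf: erase every entry the predicate accepts, in one pass.
template<typename Map, typename Predicate>
std::size_t removeIf(Map& map, Predicate predicate)
{
    std::size_t removed = 0;
    for (auto it = map.begin(); it != map.end();) {
        if (predicate(*it)) {
            it = map.erase(it);
            ++removed;
        } else
            ++it;
    }
    return removed;
}

// Old pattern: decide against the unmodified map, then remove in a second
// loop. Drops exactly the entries whose owner was absent before the pass.
std::size_t pruneWithToRemove(OwnerMap& map)
{
    std::vector<int> toRemove;
    for (const auto& entry : map) {
        if (!map.count(entry.second))
            toRemove.push_back(entry.first);
    }
    for (int id : toRemove)
        map.erase(id);
    return toRemove.size();
}

// Wrong refactoring (one shape of the mistake the rollback describes): the
// predicate looks up 'map' while removeIf is erasing from it, so removing
// node 1 makes node 2 look orphaned, and the cascade depends on iteration order.
std::size_t pruneRemoveIfTouchingMap(OwnerMap& map)
{
    return removeIf(map, [&map](const OwnerMap::value_type& entry) {
        return !map.count(entry.second);
    });
}

// Correct refactoring: snapshot what the predicate needs before the pass, so
// the predicate reads only its own entry and an immutable snapshot.
std::size_t pruneRemoveIfSafely(OwnerMap& map)
{
    std::set<int> liveBefore;
    for (const auto& entry : map)
        liveBefore.insert(entry.first);
    return removeIf(map, [&liveBefore](const OwnerMap::value_type& entry) {
        return !liveBefore.count(entry.second);
    });
}

struct PruneResult {
    std::size_t removed;
    std::size_t remaining;
};

PruneResult runOldPattern()
{
    OwnerMap map = sampleOwners();
    std::size_t removed = pruneWithToRemove(map);
    return { removed, map.size() };
}

PruneResult runTouchingMap()
{
    OwnerMap map = sampleOwners();
    std::size_t removed = pruneRemoveIfTouchingMap(map);
    return { removed, map.size() };
}

PruneResult runSafely()
{
    OwnerMap map = sampleOwners();
    std::size_t removed = pruneRemoveIfSafely(map);
    return { removed, map.size() };
}

} // namespace RemoveIfExample
```

With the constructed data the old pattern and the safe removeIf both drop nodes 1 and 4, while the predicate that consults the map mid-pass drops all four.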
2754
2755 2017-11-30  Commit Queue  <commit-queue@webkit.org>
2756
2757         Unreviewed, rolling out r225362.
2758         https://bugs.webkit.org/show_bug.cgi?id=180225
2759
2760         removeIf predicate function can touch remove target set
2761         (Requested by yusukesuzuki on #webkit).
2762
2763         Reverted changeset:
2764
2765         "[JSC] Remove easy toRemove & map.remove() use"
2766         https://bugs.webkit.org/show_bug.cgi?id=180208
2767         https://trac.webkit.org/changeset/225362
2768
2769 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2770
2771         [JSC] Use AllocatorIfExists for MaterializeNewObject
2772         https://bugs.webkit.org/show_bug.cgi?id=180189
2773
2774         Reviewed by Filip Pizlo.
2775
2776         I don't think anyone guarantees this allocator exists at this phase.
2777         And a nullptr allocator just works here. We change AllocatorForMode
2778         to AllocatorIfExists to accept nullptr for the allocator.
2779
2780         * ftl/FTLLowerDFGToB3.cpp:
2781         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
2782
2783 2017-11-30  Mark Lam  <mark.lam@apple.com>
2784
2785         Let's scramble MacroAssemblerCodePtr values.
2786         https://bugs.webkit.org/show_bug.cgi?id=180169
2787         <rdar://problem/35758340>
2788
2789         Reviewed by Filip Pizlo, Saam Barati, and JF Bastien.
2790
2791         1. MacroAssemblerCodePtr now stores a ScrambledPtr instead of a void*.
2792
2793         2. MacroAssemblerCodePtr's executableAddress() and dataLocation() now take a
2794            template argument type that will be used to cast the result.  This makes the
2795            client code that uses these functions a little less verbose.
2796
2797         3. Change the code base in general to minimize passing void* code pointers around.
2798            We now pass MacroAssemblerCodePtr as much as possible, and descramble it only
2799            at the last moment when we need the underlying code pointer.
2800
2801         4. Added some MasmScrambledPtr paranoid asserts that are disabled (not built) by
2802            default.  I'm leaving them in because they are instrumental in finding bugs
2803            where not all MacroAssemblerCodePtr values were scrambled as expected.
2804            I expect them to be useful in the near future as we add more scrambling.
2805
2806         5. Also disable the casting operator on MacroAssemblerCodePtr (except for
2807            explicit casts to a boolean).  This ensures that clients will always explicitly
2808            use scrambledBits() or executableAddress() to get a value based on which value
2809            they actually need.
2810
2811         6. Added currentThread() id to the logging in LLIntSlowPath trace functions.
2812            This was helpful when debugging tests that ran multiple VMs concurrently on
2813            different threads.
2814
2815         MacroAssemblerCodePtr is currently supported on 64-bit builds (including the
2816         CLoop).  It is not yet supported in 32-bit and Windows because we don't
2817         currently have a way to read a global variable from their LLInt code.
2818
2819         * assembler/AbstractMacroAssembler.h:
2820         (JSC::AbstractMacroAssembler::differenceBetweenCodePtr):
2821         (JSC::AbstractMacroAssembler::linkPointer):
2822         * assembler/CodeLocation.h:
2823         (JSC::CodeLocationCommon::instructionAtOffset):
2824         (JSC::CodeLocationCommon::labelAtOffset):
2825         (JSC::CodeLocationCommon::jumpAtOffset):
2826         (JSC::CodeLocationCommon::callAtOffset):
2827         (JSC::CodeLocationCommon::nearCallAtOffset):
2828         (JSC::CodeLocationCommon::dataLabelPtrAtOffset):
2829         (JSC::CodeLocationCommon::dataLabel32AtOffset):
2830         (JSC::CodeLocationCommon::dataLabelCompactAtOffset):
2831         (JSC::CodeLocationCommon::convertibleLoadAtOffset):
2832         * assembler/LinkBuffer.cpp:
2833         (JSC::LinkBuffer::finalizeCodeWithDisassembly):
2834         * assembler/LinkBuffer.h:
2835         (JSC::LinkBuffer::link):
2836         (JSC::LinkBuffer::patch):
2837         * assembler/MacroAssemblerCodeRef.cpp:
2838         (JSC::MacroAssemblerCodePtr::initialize):
2839         * assembler/MacroAssemblerCodeRef.h:
2840         (JSC::FunctionPtr::FunctionPtr):
2841         (JSC::FunctionPtr::value const):
2842         (JSC::FunctionPtr::executableAddress const):
2843         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2844         (JSC::ReturnAddressPtr::value const):
2845         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2846         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2847         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2848         (JSC::MacroAssemblerCodePtr:: const):
2849         (JSC::MacroAssemblerCodePtr::operator! const):
2850         (JSC::MacroAssemblerCodePtr::operator bool const):
2851         (JSC::MacroAssemblerCodePtr::operator== const):
2852         (JSC::MacroAssemblerCodePtr::hash const):
2853         (JSC::MacroAssemblerCodePtr::emptyValue):
2854         (JSC::MacroAssemblerCodePtr::deletedValue):
2855         (JSC::MacroAssemblerCodePtr::executableAddress const): Deleted.
2856         (JSC::MacroAssemblerCodePtr::dataLocation const): Deleted.
2857         * b3/B3LowerMacros.cpp:
2858         * b3/testb3.cpp:
2859         (JSC::B3::testInterpreter):
2860         * dfg/DFGDisassembler.cpp:
2861         (JSC::DFG::Disassembler::dumpDisassembly):
2862         * dfg/DFGJITCompiler.cpp:
2863         (JSC::DFG::JITCompiler::link):
2864         (JSC::DFG::JITCompiler::compileFunction):
2865         * dfg/DFGOperations.cpp:
2866         * dfg/DFGSpeculativeJIT.cpp:
2867         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2868         (JSC::DFG::SpeculativeJIT::emitSwitchImm):
2869         (JSC::DFG::SpeculativeJIT::emitSwitchCharStringJump):
2870         (JSC::DFG::SpeculativeJIT::emitSwitchChar):
2871         * dfg/DFGSpeculativeJIT.h:
2872         * disassembler/Disassembler.cpp:
2873         (JSC::disassemble):
2874         * disassembler/UDis86Disassembler.cpp:
2875         (JSC::tryToDisassembleWithUDis86):
2876         * ftl/FTLCompile.cpp:
2877         (JSC::FTL::compile):
2878         * ftl/FTLJITCode.cpp:
2879         (JSC::FTL::JITCode::executableAddressAtOffset):
2880         * ftl/FTLLink.cpp:
2881         (JSC::FTL::link):
2882         * ftl/FTLLowerDFGToB3.cpp:
2883         (JSC::FTL::DFG::LowerDFGToB3::compileMathIC):
2884         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstruct):
2885         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
2886         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2887         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2888         * interpreter/InterpreterInlines.h:
2889         (JSC::Interpreter::getOpcodeID):
2890         * jit/JITArithmetic.cpp:
2891         (JSC::JIT::emitMathICFast):
2892         (JSC::JIT::emitMathICSlow):
2893         * jit/JITCode.cpp:
2894         (JSC::JITCodeWithCodeRef::executableAddressAtOffset):
2895         (JSC::JITCodeWithCodeRef::dataAddressAtOffset):
2896         (JSC::JITCodeWithCodeRef::offsetOf):
2897         * jit/JITDisassembler.cpp:
2898         (JSC::JITDisassembler::dumpDisassembly):
2899         * jit/PCToCodeOriginMap.cpp:
2900         (JSC::PCToCodeOriginMap::PCToCodeOriginMap):
2901         * jit/Repatch.cpp:
2902         (JSC::ftlThunkAwareRepatchCall):
2903         * jit/ThunkGenerators.cpp:
2904         (JSC::virtualThunkFor):
2905         (JSC::boundThisNoArgsFunctionCallGenerator):
2906         * llint/LLIntSlowPaths.cpp:
2907         (JSC::LLInt::llint_trace_operand):
2908         (JSC::LLInt::llint_trace_value):
2909         (JSC::LLInt::handleHostCall):
2910         (JSC::LLInt::setUpCall):
2911         * llint/LowLevelInterpreter64.asm:
2912         * offlineasm/cloop.rb:
2913         * runtime/InitializeThreading.cpp:
2914         (JSC::initializeThreading):
2915         * wasm/WasmBBQPlan.cpp:
2916         (JSC::Wasm::BBQPlan::complete):
2917         * wasm/WasmCallee.h:
2918         (JSC::Wasm::Callee::entrypoint const):
2919         * wasm/WasmCodeBlock.cpp:
2920         (JSC::Wasm::CodeBlock::CodeBlock):
2921         * wasm/WasmOMGPlan.cpp:
2922         (JSC::Wasm::OMGPlan::work):
2923         * wasm/js/WasmToJS.cpp:
2924         (JSC::Wasm::wasmToJS):
2925         * wasm/js/WebAssemblyFunction.cpp:
2926         (JSC::callWebAssemblyFunction):
2927         * wasm/js/WebAssemblyFunction.h:
2928         * wasm/js/WebAssemblyWrapperFunction.cpp:
2929         (JSC::WebAssemblyWrapperFunction::create):
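
An added example, not part of this ChangeLog or of WebKit, illustrating points 1, 2 and 5 above with a minimal scrambled code-pointer wrapper: the stored bits are masked with a process-wide key, the raw address is recovered only through an explicit templated accessor, and there is no implicit conversion operator. The CodePtr class, the key setup and the fake code region are constructed for the example and are not JSC's MacroAssemblerCodePtr or MasmScrambledPtr.

```cpp
// Added example (not WebKit code): a minimal ScrambledPtr-style code-pointer
// wrapper illustrating points 1, 2 and 5 of this entry. The class, the key
// setup and the fake code buffer are constructed for the example; they are
// not JSC's MacroAssemblerCodePtr/MasmScrambledPtr.
#include <cstddef>
#include <cstdint>

namespace ScrambleExample {

// Process-wide secret key. JSC picks its key once at startup; here a fixed
// constant stands in so the example runs deterministically (assumption).
static uintptr_t g_codePtrKey = 0;

void ensureCodePtrKey()
{
    if (!g_codePtrKey)
        g_codePtrKey = static_cast<uintptr_t>(0x5a17c0de0ff5e7edull);
}

class CodePtr {
public:
    CodePtr() = default;

    static CodePtr createFromExecutableAddress(const void* address)
    {
        CodePtr result;
        // Null is stored as 0 so operator bool stays cheap; everything else
        // is XOR-masked with the key and only unmasked on demand.
        uintptr_t raw = reinterpret_cast<uintptr_t>(address);
        result.m_scrambled = raw ? (raw ^ g_codePtrKey) : 0;
        return result;
    }

    // The masked bits are what gets stored, compared and hashed, so the raw
    // address never sits in plain form inside long-lived data structures.
    uintptr_t scrambledBits() const { return m_scrambled; }

    // Descramble only at the last moment, casting to the type the caller
    // needs (mirrors the template-argument change in point 2).
    template<typename T = void*>
    T executableAddress() const { return reinterpret_cast<T>(descramble()); }

    // No implicit conversion operator exists: clients must choose
    // scrambledBits() or executableAddress<T>() explicitly (point 5).
    explicit operator bool() const { return m_scrambled != 0; }
    bool operator!() const { return !m_scrambled; }
    bool operator==(const CodePtr& other) const { return m_scrambled == other.m_scrambled; }

    unsigned hash() const
    {
        // Hash the scrambled representation directly; no descramble needed.
        uint64_t bits = m_scrambled;
        bits ^= bits >> 33;
        bits *= 0xff51afd7ed558ccdull;
        bits ^= bits >> 33;
        return static_cast<unsigned>(bits);
    }

private:
    uintptr_t descramble() const { return m_scrambled ? (m_scrambled ^ g_codePtrKey) : 0; }
    uintptr_t m_scrambled { 0 };
};

// Constructed stand-in for a JIT code region: a plain byte buffer.
static unsigned char g_fakeCodeRegion[64];

bool roundTripsThroughScrambling()
{
    ensureCodePtrKey();
    const void* entry = g_fakeCodeRegion + 8;
    CodePtr ptr = CodePtr::createFromExecutableAddress(entry);
    // Stored bits are masked, yet the unmasked value is the original address.
    return ptr.scrambledBits() != reinterpret_cast<uintptr_t>(entry)
        && ptr.executableAddress<const void*>() == entry
        && ptr.executableAddress<const unsigned char*>() == g_fakeCodeRegion + 8;
}

bool nullAndEqualityBehave()
{
    ensureCodePtrKey();
    CodePtr null = CodePtr::createFromExecutableAddress(nullptr);
    CodePtr a = CodePtr::createFromExecutableAddress(g_fakeCodeRegion + 16);
    CodePtr b = CodePtr::createFromExecutableAddress(g_fakeCodeRegion + 16);
    return !null && static_cast<bool>(a) && a == b && !(null == a) && a.hash() == b.hash();
}

// Mirrors differenceBetweenCodePtr: arithmetic happens on descrambled values only.
std::ptrdiff_t differenceBetweenCodePtrs()
{
    ensureCodePtrKey();
    CodePtr a = CodePtr::createFromExecutableAddress(g_fakeCodeRegion + 24);
    CodePtr b = CodePtr::createFromExecutableAddress(g_fakeCodeRegion + 8);
    return a.executableAddress<const char*>() - b.executableAddress<const char*>();
}

} // namespace ScrambleExample
```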
2930
2931 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2932
2933         [JSC] Remove easy toRemove & map.remove() use
2934         https://bugs.webkit.org/show_bug.cgi?id=180208
2935
2936         Reviewed by Mark Lam.
2937
2938         In this patch, we replace the Vector<> toRemove & map.remove loop with removeIf,
2939         to optimize this common pattern. This patch only modifies apparent ones.
2940         But we can apply this refactoring further to the OAS phase in the future.
2941
2942         * b3/B3MoveConstants.cpp:
2943         * dfg/DFGArgumentsEliminationPhase.cpp:
2944         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2945         * wasm/WasmSignature.cpp:
2946         (JSC::Wasm::SignatureInformation::tryCleanup):
2947
2948 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
2949
2950         [JSC] Use getEffectiveAddress more in JSC
2951         https://bugs.webkit.org/show_bug.cgi?id=180154
2952
2953         Reviewed by Mark Lam.
2954
2955         We can use MacroAssembler::getEffectiveAddress for stack height calculation.
2956         And we also add MacroAssembler::negPtr(src, dest) variation.
2957
2958         * assembler/MacroAssembler.h:
2959         (JSC::MacroAssembler::negPtr):
2960         * assembler/MacroAssemblerARM.h:
2961         (JSC::MacroAssemblerARM::neg32):
2962         * assembler/MacroAssemblerARM64.h:
2963         (JSC::MacroAssemblerARM64::neg32):
2964         (JSC::MacroAssemblerARM64::neg64):
2965         * assembler/MacroAssemblerARMv7.h:
2966         (JSC::MacroAssemblerARMv7::neg32):
2967         * assembler/MacroAssemblerMIPS.h:
2968         (JSC::MacroAssemblerMIPS::neg32):
2969         * assembler/MacroAssemblerX86Common.h:
2970         (JSC::MacroAssemblerX86Common::neg32):
2971         * assembler/MacroAssemblerX86_64.h:
2972         (JSC::MacroAssemblerX86_64::neg64):
2973         * dfg/DFGThunks.cpp:
2974         (JSC::DFG::osrEntryThunkGenerator):
2975         * ftl/FTLLowerDFGToB3.cpp:
2976         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2977         * jit/SetupVarargsFrame.cpp:
2978         (JSC::emitSetVarargsFrame):
2979
2980 2017-11-30  Mark Lam  <mark.lam@apple.com>
2981
2982         jsc shell's flashHeapAccess() should not do JS work after releasing access to the heap.
2983         https://bugs.webkit.org/show_bug.cgi?id=180219
2984         <rdar://problem/35696536>
2985
2986         Reviewed by Filip Pizlo.
2987
2988         * jsc.cpp:
2989         (functionFlashHeapAccess):
2990
2991 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2992
2993         [DFG][FTL] operationHasIndexedProperty does not consider negative int32_t
2994         https://bugs.webkit.org/show_bug.cgi?id=180190
2995
2996         Reviewed by Mark Lam.
2997
2998         If the DFG HasIndexedProperty node observes a negative index, it goes to a slow
2999         path by calling operationHasIndexedProperty. The problem is that
3000         operationHasIndexedProperty does not account for a negative index. The negative
3001         index was used as a uint32 array index.
3002
3003         In this patch we add a path for negative indices in operationHasIndexedProperty,
3004         and rename it to operationHasIndexedPropertyByInt to make the intention clear.
3005         We also move operationHasIndexedPropertyByInt from JITOperations to DFGOperations
3006         since it is only used in DFG and FTL.
3007
3008         While fixing this bug, we found that our op_in does not record OutOfBound feedback.
3009         This causes repeated OSR exits and significantly regresses performance. We opened
3010         a bug to track this issue [1].
3011
3012         [1]: https://bugs.webkit.org/show_bug.cgi?id=180192
3013
3014         * dfg/DFGOperations.cpp:
3015         * dfg/DFGOperations.h:
3016         * dfg/DFGSpeculativeJIT32_64.cpp:
3017         (JSC::DFG::SpeculativeJIT::compile):
3018         * dfg/DFGSpeculativeJIT64.cpp:
3019         (JSC::DFG::SpeculativeJIT::compile):
3020         * ftl/FTLLowerDFGToB3.cpp:
3021         (JSC::FTL::DFG::LowerDFGToB3::compileHasIndexedProperty):
3022         * jit/JITOperations.cpp:
3023         * jit/JITOperations.h:
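
An added example, not part of this ChangeLog or of WebKit, modelling the negative-index bug this entry fixes: a negative int32 cast to uint32 becomes a huge array index, whereas in JavaScript a negative number is not an array index at all and `obj[-1]` means the string-keyed property "-1". ToyObject, the operation names and the sample object are constructed stand-ins; only the control flow mirrors what the entry describes.

```cpp
// Added example (not WebKit code): a toy model of the negative-index bug this
// entry fixes. ToyObject, the operation names and the sample object are
// constructed stand-ins for JSC's object model; only the control flow mirrors
// what the entry describes.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

namespace IndexedPropertyExample {

struct ToyObject {
    std::vector<int> indexedStorage;            // dense array elements
    std::map<std::string, int> namedProperties; // string-keyed properties
};

// Fast path for non-negative indices: a bounds check against dense storage.
bool hasIndexedPropertyByUInt(const ToyObject& object, uint32_t index)
{
    return index < object.indexedStorage.size();
}

// Old slow path: took the index as uint32_t, so a negative int32 coming from
// the DFG node was reinterpreted as a huge array index and always missed.
bool oldOperationHasIndexedProperty(const ToyObject& object, int32_t index)
{
    return hasIndexedPropertyByUInt(object, static_cast<uint32_t>(index));
}

// Fixed slow path: a negative number is not an array index in JavaScript, so
// "obj[-1]" must be resolved as the string-keyed property "-1".
bool operationHasIndexedPropertyByInt(const ToyObject& object, int32_t index)
{
    if (index < 0)
        return object.namedProperties.count(std::to_string(index)) != 0;
    return hasIndexedPropertyByUInt(object, static_cast<uint32_t>(index));
}

ToyObject sampleObject()
{
    ToyObject object;
    object.indexedStorage = { 10, 20, 30 };    // constructed: obj = [10, 20, 30]
    object.namedProperties["-1"] = 99;         // constructed: obj["-1"] = 99
    return object;
}

// "-1 in obj" is true in JavaScript because "-1" is a named property.
bool oldPathAnswerForMinusOne() { return oldOperationHasIndexedProperty(sampleObject(), -1); }
bool fixedPathAnswerForMinusOne() { return operationHasIndexedPropertyByInt(sampleObject(), -1); }
// Non-negative indices still take the bounds-check path.
bool fixedPathAnswerForTwo() { return operationHasIndexedPropertyByInt(sampleObject(), 2); }
bool fixedPathAnswerForThree() { return operationHasIndexedPropertyByInt(sampleObject(), 3); }

} // namespace IndexedPropertyExample
```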
3024
3025 2017-11-30  Michael Saboff  <msaboff@apple.com>
3026
3027         Allow JSC command line tool to accept UTF8
3028         https://bugs.webkit.org/show_bug.cgi?id=180205
3029
3030         Reviewed by Keith Miller.
3031
3032         This unifies the UTF8 handling of interactive mode with that of source files.
3033
3034         * jsc.cpp:
3035         (runInteractive):
3036
3037 2017-11-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3038
3039         REGRESSION(r225314): [Linux] More than 2000 jsc tests are failing after r225314
3040         https://bugs.webkit.org/show_bug.cgi?id=180185
3041
3042         Reviewed by Carlos Garcia Campos.
3043
3044         After r225314, we started using AllocatorForMode::MustAlreadyHaveAllocator for JSRopeString's allocatorFor.
3045         But it is different from the original code used before r225314. Since DFGSpeculativeJIT::emitAllocateJSCell
3046         can accept a nullptr allocator, the behavior of the original code is AllocatorForMode::AllocatorIfExists.
3047         And JSRopeString's allocator may not exist at this point if no JSRopeString has been allocated. But a MakeRope
3048         DFG node can be emitted if we see that an untaken path includes String + String code.
3049
3050         This patch fixes the Linux JSC crashes by changing JSRopeString's AllocatorForMode to AllocatorIfExists.
3051         As a result, the only user of AllocatorForMode::MustAlreadyHaveAllocator is MaterializeNewObject in FTL.
3052         I'm not sure why this condition (MustAlreadyHaveAllocator) is ensured. But this code is the same as the
3053         original code used before r225314.
3054
3055         * dfg/DFGSpeculativeJIT.cpp:
3056         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3057         * ftl/FTLLowerDFGToB3.cpp:
3058         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3059
3060 2017-11-28  Filip Pizlo  <fpizlo@apple.com>
3061
3062         CodeBlockSet::deleteUnmarkedAndUnreferenced can be a little more efficient
3063         https://bugs.webkit.org/show_bug.cgi?id=180108
3064
3065         Reviewed by Saam Barati.
3066         
3067         This was creating a vector of things to remove and then removing them. I think I remember writing
3068         this code, and I did that because at the time we did not have removeAllMatching, which is
3069         definitely better. This is a minuscule optimization for Speedometer. I wanted to land this
3070         obvious improvement before I did more fundamental things to this code.
3071
3072         * heap/CodeBlockSet.cpp:
3073         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
3074
3075 2017-11-29  Filip Pizlo  <fpizlo@apple.com>
3076
3077         GC should support isoheaps
3078         https://bugs.webkit.org/show_bug.cgi?id=179288
3079
3080         Reviewed by Saam Barati.
3081         
3082         This expands the power of the Subspace API in JSC:
3083         
3084         - Everything associated with describing the types of objects is now part of the HeapCellType class.
3085           We have different HeapCellTypes for different destruction strategies. Any Subspace can use any
3086           HeapCellType; these are orthogonal things.
3087         
3088         - There are now two variants of Subspace: CompleteSubspace, which can allocate any size objects using
3089           any AlignedMemoryAllocator; and IsoSubspace, which can allocate just one size of object and uses a
3090           special virtual memory pool for that purpose. Like bmalloc's IsoHeap, IsoSubspace hoards virtual
3091           pages but releases the physical pages as part of the respective allocator's scavenging policy
3092           (the Scavenger in bmalloc for IsoHeap and the incremental sweep and full sweep in Riptide for
3093           IsoSubspace).
3094         
3095         So far, this patch just puts subtypes of ExecutableBase in IsoSubspaces. If it works, we can use it
3096         for more things.
3097         
3098         This does not have any effect on JetStream (0.18% faster with p = 0.69).
3099
3100         * JavaScriptCore.xcodeproj/project.pbxproj:
3101         * Sources.txt:
3102         * bytecode/AccessCase.cpp:
3103         (JSC::AccessCase::generateImpl):
3104         * bytecode/ObjectAllocationProfileInlines.h:
3105         (JSC::ObjectAllocationProfile::initializeProfile):
3106         * dfg/DFGSpeculativeJIT.cpp:
3107         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
3108         (JSC::DFG::SpeculativeJIT::compileMakeRope):
3109         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
3110         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
3111         * dfg/DFGSpeculativeJIT64.cpp:
3112         (JSC::DFG::SpeculativeJIT::compile):
3113         * ftl/FTLAbstractHeapRepository.h:
3114         * ftl/FTLLowerDFGToB3.cpp:
3115         (JSC::FTL::DFG::LowerDFGToB3::compileMakeRope):
3116         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
3117         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
3118         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
3119         (JSC::FTL::DFG::LowerDFGToB3::allocatorForSize):
3120         * heap/AlignedMemoryAllocator.cpp:
3121         (JSC::AlignedMemoryAllocator::registerAllocator):
3122         (JSC::AlignedMemoryAllocator::registerSubspace):
3123         * heap/AlignedMemoryAllocator.h:
3124         (JSC::AlignedMemoryAllocator::firstAllocator const):
3125         * heap/AllocationFailureMode.h: Added.
3126         * heap/CompleteSubspace.cpp: Added.
3127         (JSC::CompleteSubspace::CompleteSubspace):
3128         (JSC::CompleteSubspace::~CompleteSubspace):
3129         (JSC::CompleteSubspace::allocatorFor):
3130         (JSC::CompleteSubspace::allocate):
3131         (JSC::CompleteSubspace::allocateNonVirtual):
3132         (JSC::CompleteSubspace::allocatorForSlow):
3133         (JSC::CompleteSubspace::allocateSlow):
3134         (JSC::CompleteSubspace::tryAllocateSlow):
3135         * heap/CompleteSubspace.h: Added.
3136         (JSC::CompleteSubspace::offsetOfAllocatorForSizeStep):
3137         (JSC::CompleteSubspace::allocatorForSizeStep):
3138         (JSC::CompleteSubspace::allocatorForNonVirtual):
3139         * heap/HeapCellType.cpp: Added.
3140         (JSC::HeapCellType::HeapCellType):
3141         (JSC::HeapCellType::~HeapCellType):
3142         (JSC::HeapCellType::finishSweep):
3143         (JSC::HeapCellType::destroy):
3144         * heap/HeapCellType.h: Added.
3145         (JSC::HeapCellType::attributes const):
3146         * heap/IsoAlignedMemoryAllocator.cpp: Added.
3147         (JSC::IsoAlignedMemoryAllocator::IsoAlignedMemoryAllocator):
3148         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
3149         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
3150         (JSC::IsoAlignedMemoryAllocator::freeAlignedMemory):
3151         (JSC::IsoAlignedMemoryAllocator::dump const):
3152         * heap/IsoAlignedMemoryAllocator.h: Added.
3153         * heap/IsoSubspace.cpp: Added.
3154         (JSC::IsoSubspace::IsoSubspace):
3155         (JSC::IsoSubspace::~IsoSubspace):
3156         (JSC::IsoSubspace::allocatorFor):
3157         (JSC::IsoSubspace::allocatorForNonVirtual):
3158         (JSC::IsoSubspace::allocate):
3159         (JSC::IsoSubspace::allocateNonVirtual):
3160         * heap/IsoSubspace.h: Added.
3161         (JSC::IsoSubspace::size const):
3162         * heap/MarkedAllocator.cpp:
3163         (JSC::MarkedAllocator::MarkedAllocator):
3164         (JSC::MarkedAllocator::setSubspace):
3165         (JSC::MarkedAllocator::allocateSlowCase):
3166         (JSC::MarkedAllocator::tryAllocateSlowCase): Deleted.
3167         (JSC::MarkedAllocator::allocateSlowCaseImpl): Deleted.
3168         * heap/MarkedAllocator.h:
3169         (JSC::MarkedAllocator::nextAllocatorInAlignedMemoryAllocator const):
3170         (JSC::MarkedAllocator::setNextAllocatorInAlignedMemoryAllocator):
3171         * heap/MarkedAllocatorInlines.h:
3172         (JSC::MarkedAllocator::allocate):
3173         (JSC::MarkedAllocator::tryAllocate): Deleted.
3174         * heap/MarkedBlock.h:
3175         * heap/MarkedBlockInlines.h:
3176         (JSC::MarkedBlock::Handle::finishSweepKnowingHeapCellType):
3177         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace): Deleted.
3178         * heap/MarkedSpace.cpp:
3179         (JSC::MarkedSpace::addMarkedAllocator):
3180         * heap/MarkedSpace.h:
3181         * heap/Subspace.cpp:
3182         (JSC::Subspace::Subspace):
3183         (JSC::Subspace::initialize):
3184         (JSC::Subspace::finishSweep):
3185         (JSC::Subspace::destroy):
3186         (JSC::Subspace::prepareForAllocation):
3187         (JSC::Subspace::findEmptyBlockToSteal):
3188         (): Deleted.
3189         (JSC::Subspace::allocate): Deleted.
3190         (JSC::Subspace::tryAllocate): Deleted.
3191         (JSC::Subspace::allocatorForSlow): Deleted.
3192         (JSC::Subspace::allocateSlow): Deleted.
3193         (JSC::Subspace::tryAllocateSlow): Deleted.
3194         (JSC::Subspace::didAllocate): Deleted.
3195         * heap/Subspace.h:
3196         (JSC::Subspace::heapCellType const):
3197         (JSC::Subspace::nextSubspaceInAlignedMemoryAllocator const):
3198         (JSC::Subspace::setNextSubspaceInAlignedMemoryAllocator):
3199         (JSC::Subspace::offsetOfAllocatorForSizeStep): Deleted.
3200         (JSC::Subspace::allocatorForSizeStep): Deleted.
3201         (JSC::Subspace::tryAllocatorFor): Deleted.
3202         (JSC::Subspace::allocatorFor): Deleted.
3203         * jit/AssemblyHelpers.h:
3204         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
3205         (JSC::AssemblyHelpers::emitAllocateVariableSized):
3206         (JSC::AssemblyHelpers::emitAllocateVariableSizedCell):
3207         * jit/JITOpcodes.cpp:
3208         (JSC::JIT::emit_op_new_object):
3209         * runtime/ButterflyInlines.h:
3210         (JSC::Butterfly::createUninitialized):
3211         (JSC::Butterfly::tryCreate):
3212         (JSC::Butterfly::growArrayRight):
3213         * runtime/DirectArguments.cpp:
3214         (JSC::DirectArguments::overrideThings):
3215         * runtime/DirectArguments.h:
3216         (JSC::DirectArguments::subspaceFor):
3217         * runtime/DirectEvalExecutable.h:
3218         * runtime/EvalExecutable.h:
3219         * runtime/ExecutableBase.h:
3220         (JSC::ExecutableBase::subspaceFor):
3221         * runtime/FunctionExecutable.h:
3222         * runtime/GenericArgumentsInlines.h:
3223         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
3224         * runtime/HashMapImpl.h:
3225         (JSC::HashMapBuffer::create):
3226         * runtime/IndirectEvalExecutable.h:
3227         * runtime/JSArray.cpp:
3228         (JSC::JSArray::tryCreateUninitializedRestricted):
3229         (JSC::JSArray::unshiftCountSlowCase):
3230         * runtime/JSArray.h:
3231         (JSC::JSArray::tryCreate):
3232         * runtime/JSArrayBufferView.cpp:
3233         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
3234         * runtime/JSCell.h:
3235         (JSC::subspaceFor):
3236         * runtime/JSCellInlines.h:
3237         (JSC::JSCell::subspaceFor):
3238         (JSC::tryAllocateCellHelper):
3239         (JSC::allocateCell):
3240         (JSC::tryAllocateCell):
3241         * runtime/JSDestructibleObject.h:
3242         (JSC::JSDestructibleObject::subspaceFor):
3243         * runtime/JSDestructibleObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.cpp.
3244         (JSC::JSDestructibleObjectHeapCellType::JSDestructibleObjectHeapCellType):
3245         (JSC::JSDestructibleObjectHeapCellType::~JSDestructibleObjectHeapCellType):
3246         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3247         (JSC::JSDestructibleObjectHeapCellType::destroy):
3248         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace): Deleted.
3249         (JSC::JSDestructibleObjectSubspace::~JSDestructibleObjectSubspace): Deleted.
3250         (JSC::JSDestructibleObjectSubspace::finishSweep): Deleted.
3251         (JSC::JSDestructibleObjectSubspace::destroy): Deleted.
3252         * runtime/JSDestructibleObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSDestructibleObjectSubspace.h.
3253         * runtime/JSDestructibleObjectSubspace.cpp: Removed.
3254         * runtime/JSDestructibleObjectSubspace.h: Removed.
3255         * runtime/JSLexicalEnvironment.h:
3256         (JSC::JSLexicalEnvironment::subspaceFor):
3257         * runtime/JSSegmentedVariableObject.h:
3258         (JSC::JSSegmentedVariableObject::subspaceFor):
3259         * runtime/JSSegmentedVariableObjectHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.cpp.
3260         (JSC::JSSegmentedVariableObjectHeapCellType::JSSegmentedVariableObjectHeapCellType):
3261         (JSC::JSSegmentedVariableObjectHeapCellType::~JSSegmentedVariableObjectHeapCellType):
3262         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3263         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3264         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace): Deleted.
3265         (JSC::JSSegmentedVariableObjectSubspace::~JSSegmentedVariableObjectSubspace): Deleted.
3266         (JSC::JSSegmentedVariableObjectSubspace::finishSweep): Deleted.
3267         (JSC::JSSegmentedVariableObjectSubspace::destroy): Deleted.
3268         * runtime/JSSegmentedVariableObjectHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSSegmentedVariableObjectSubspace.h.
3269         * runtime/JSSegmentedVariableObjectSubspace.cpp: Removed.
3270         * runtime/JSSegmentedVariableObjectSubspace.h: Removed.
3271         * runtime/JSString.h:
3272         (JSC::JSString::subspaceFor):
3273         * runtime/JSStringHeapCellType.cpp: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.cpp.
3274         (JSC::JSStringHeapCellType::JSStringHeapCellType):
3275         (JSC::JSStringHeapCellType::~JSStringHeapCellType):
3276         (JSC::JSStringHeapCellType::finishSweep):
3277         (JSC::JSStringHeapCellType::destroy):
3278         (JSC::JSStringSubspace::JSStringSubspace): Deleted.
3279         (JSC::JSStringSubspace::~JSStringSubspace): Deleted.
3280         (JSC::JSStringSubspace::finishSweep): Deleted.
3281         (JSC::JSStringSubspace::destroy): Deleted.
3282         * runtime/JSStringHeapCellType.h: Copied from Source/JavaScriptCore/runtime/JSStringSubspace.h.
3283         * runtime/JSStringSubspace.cpp: Removed.
3284         * runtime/JSStringSubspace.h: Removed.
3285         * runtime/ModuleProgramExecutable.h:
3286         * runtime/NativeExecutable.h:
3287         * runtime/ProgramExecutable.h:
3288         * runtime/RegExpMatchesArray.h:
3289         (JSC::tryCreateUninitializedRegExpMatchesArray):
3290         * runtime/ScopedArguments.h:
3291         (JSC::ScopedArguments::subspaceFor):
3292         * runtime/VM.cpp:
3293         (JSC::VM::VM):
3294         * runtime/VM.h:
3295         (JSC::VM::gigacageAuxiliarySpace):
3296         * wasm/js/JSWebAssemblyCodeBlock.h:
3297         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.cpp.
3298         (JSC::JSWebAssemblyCodeBlockHeapCellType::JSWebAssemblyCodeBlockHeapCellType):
3299         (JSC::JSWebAssemblyCodeBlockHeapCellType::~JSWebAssemblyCodeBlockHeapCellType):
3300         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3301         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3302         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace): Deleted.
3303         (JSC::JSWebAssemblyCodeBlockSubspace::~JSWebAssemblyCodeBlockSubspace): Deleted.
3304         (JSC::JSWebAssemblyCodeBlockSubspace::finishSweep): Deleted.
3305         (JSC::JSWebAssemblyCodeBlockSubspace::destroy): Deleted.
3306         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCodeBlockSubspace.h.
3307         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp: Removed.
3308         * wasm/js/JSWebAssemblyCodeBlockSubspace.h: Removed.
3309         * wasm/js/JSWebAssemblyMemory.h:
3310         (JSC::JSWebAssemblyMemory::subspaceFor):
3311
3312 2017-11-29  Saam Barati  <sbarati@apple.com>
3313
3314         Remove pointer caging for double arrays
3315         https://bugs.webkit.org/show_bug.cgi?id=180163
3316
3317         Reviewed by Mark Lam.
3318
3319         This patch removes pointer caging from double arrays. Like
3320         my previous removals of pointer caging, this is a security vs
3321         performance tradeoff. We believe that butterflies being allocated
3322         in the cage and with a 32GB runway gives us enough security that
3323         pointer caging the butterfly just for double arrays does not add
3324         enough security benefit for the performance hit it incurs.
3325         
3326         This patch also removes the GetButterflyWithoutCaging node and
3327         the FixedButterflyAccessUncaging phase. The node is no longer needed
3328         because now all GetButterfly nodes are not caged. The phase is removed
3329         since we no longer have two nodes.
3330
3331         * dfg/DFGAbstractInterpreterInlines.h:
3332         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3333         * dfg/DFGArgumentsEliminationPhase.cpp:
3334         * dfg/DFGClobberize.h:
3335         (JSC::DFG::clobberize):
3336         * dfg/DFGDoesGC.cpp:
3337         (JSC::DFG::doesGC):
3338         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Removed.
3339         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Removed.
3340         * dfg/DFGFixupPhase.cpp:
3341         (JSC::DFG::FixupPhase::fixupNode):
3342         * dfg/DFGHeapLocation.cpp:
3343         (WTF::printInternal):
3344         * dfg/DFGHeapLocation.h:
3345         * dfg/DFGNodeType.h:
3346         * dfg/DFGPlan.cpp:
3347         (JSC::DFG::Plan::compileInThreadImpl):
3348         * dfg/DFGPredictionPropagationPhase.cpp:
3349         * dfg/DFGSafeToExecute.h:
3350         (JSC::DFG::safeToExecute):
3351         * dfg/DFGSpeculativeJIT.cpp:
3352         (JSC::DFG::SpeculativeJIT::compileSpread):
3353         (JSC::DFG::SpeculativeJIT::compileArraySlice):
3354         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
3355         * dfg/DFGSpeculativeJIT32_64.cpp:
3356         (JSC::DFG::SpeculativeJIT::compile):
3357         * dfg/DFGSpeculativeJIT64.cpp:
3358         (JSC::DFG::SpeculativeJIT::compile):
3359         * dfg/DFGTypeCheckHoistingPhase.cpp:
3360         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
3361         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
3362         * ftl/FTLCapabilities.cpp:
3363         (JSC::FTL::canCompile):
3364         * ftl/FTLLowerDFGToB3.cpp:
3365         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3366         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
3367         * jit/JITPropertyAccess.cpp:
3368         (JSC::JIT::emitDoubleLoad):
3369         (JSC::JIT::emitGenericContiguousPutByVal):
3370         * runtime/Butterfly.h:
3371         (JSC::Butterfly::pointer):
3372         (JSC::Butterfly::contiguousDouble):
3373         (JSC::Butterfly::caged): Deleted.
3374         * runtime/ButterflyInlines.h:
3375         (JSC::Butterfly::createOrGrowPropertyStorage):
3376         * runtime/JSObject.cpp:
3377         (JSC::JSObject::ensureLengthSlow):
3378         (JSC::JSObject::reallocateAndShrinkButterfly):
3379
3380 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3381
3382         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3383         https://bugs.webkit.org/show_bug.cgi?id=175447
3384
3385         Reviewed by Carlos Alberto Lopez Perez.
3386
3387         This patch allows DFG JIT to be enabled on MIPS platforms.
3388
3389         * Sources.txt:
3390         * assembler/MIPSAssembler.h:
3391         (JSC::MIPSAssembler::lastSPRegister):
3392         (JSC::MIPSAssembler::numberOfSPRegisters):
3393         (JSC::MIPSAssembler::sprName):
3394         * assembler/MacroAssemblerMIPS.cpp: Added.
3395         (JSC::MacroAssembler::probe):
3396         * assembler/ProbeContext.cpp:
3397         (JSC::Probe::executeProbe):
3398         * assembler/ProbeContext.h:
3399         (JSC::Probe::CPUState::pc):
3400         * assembler/testmasm.cpp:
3401         (JSC::isSpecialGPR):
3402         (JSC::testProbePreservesGPRS):
3403         (JSC::testProbeModifiesStackPointer):
3404         (JSC::testProbeModifiesStackValues):
3405
3406 2017-11-29  Matt Lewis  <jlewis3@apple.com>
3407
3408         Unreviewed, rolling out r225286.
3409
3410         The source files within this patch have been marked as
3411         executable.
3412
3413         Reverted changeset:
3414
3415         "[MIPS][JSC] Implement MacroAssembler::probe support on MIPS"
3416         https://bugs.webkit.org/show_bug.cgi?id=175447
3417         https://trac.webkit.org/changeset/225286
3418
3419 2017-11-29  Alex Christensen  <achristensen@webkit.org>
3420
3421         Fix Mac CMake build.
3422
3423         * PlatformMac.cmake:
3424
3425 2017-11-29  Stanislav Ocovaj  <stanislav.ocovaj@rt-rk.com>
3426
3427         [MIPS][JSC] Implement MacroAssembler::probe support on MIPS
3428         https://bugs.webkit.org/show_bug.cgi?id=175447
3429
3430         Reviewed by Carlos Alberto Lopez Perez.
3431
3432         This patch allows DFG JIT to be enabled on MIPS platforms.
3433
3434         * Sources.txt:
3435         * assembler/MIPSAssembler.h:
3436         (JSC::MIPSAssembler::lastSPRegister):
3437         (JSC::MIPSAssembler::numberOfSPRegisters):
3438         (JSC::MIPSAssembler::sprName):
3439         * assembler/MacroAssemblerMIPS.cpp: Added.
3440         (JSC::MacroAssembler::probe):
3441         * assembler/ProbeContext.cpp:
3442         (JSC::Probe::executeProbe):
3443         * assembler/ProbeContext.h:
3444         (JSC::Probe::CPUState::pc):
3445         * assembler/testmasm.cpp:
3446         (JSC::isSpecialGPR):
3447         (JSC::testProbePreservesGPRS):
3448         (JSC::testProbeModifiesStackPointer):
3449         (JSC::testProbeModifiesStackValues):
3450
3451 2017-11-28  JF Bastien  <jfbastien@apple.com>
3452
3453         Strict and sloppy functions shouldn't share structure
3454         https://bugs.webkit.org/show_bug.cgi?id=180103
3455         <rdar://problem/35667847>
3456
3457         Reviewed by Saam Barati.
3458
3459         Sloppy and strict functions don't act the same when it comes to
3460         arguments, caller, and callee. Sharing a structure means that
3461         anything that is cached gets shared, and that's incorrect.
3462
3463         * dfg/DFGAbstractInterpreterInlines.h:
3464         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3465         * dfg/DFGSpeculativeJIT.cpp:
3466         (JSC::DFG::SpeculativeJIT::compileNewFunction):
3467         * ftl/FTLLowerDFGToB3.cpp:
3468         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
3469         * runtime/FunctionConstructor.cpp:
3470         (JSC::constructFunctionSkippingEvalEnabledCheck):
3471         * runtime/JSFunction.cpp:
3472         (JSC::JSFunction::create): the second ::create is always strict
3473         because it applies to native functions.
3474         * runtime/JSFunctionInlines.h:
3475         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
3476         * runtime/JSGlobalObject.cpp:
3477         (JSC::JSGlobalObject::init):
3478         (JSC::JSGlobalObject::visitChildren):
3479         * runtime/JSGlobalObject.h:
3480         (JSC::JSGlobalObject::strictFunctionStructure const):
3481         (JSC::JSGlobalObject::sloppyFunctionStructure const):
3482         (JSC::JSGlobalObject::nativeStdFunctionStructure const):
3483         (JSC::JSGlobalObject::functionStructure const): Deleted. Renamed.
3484         (JSC::JSGlobalObject::namedFunctionStructure const): Deleted. Drive-by, unused.
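        Added illustration (not code from this patch or from JSC's test suite) of why a strict and a sloppy function cannot share one Structure: the observable behaviour of `arguments`, `caller` and `callee` differs, so any property lookup cached against a shared Structure would be wrong for one of the two kinds. Both functions are built with the Function constructor so that their mode depends only on the 'use strict' directive in the body, not on this file's own mode.

```javascript
// Sloppy function: the arguments object aliases the named parameter, and
// arguments.callee returns the function itself.
const sloppyFn = new Function('a', `
  arguments[0] = 'changed';          // writes through to parameter a
  return { a: a, callee: arguments.callee };`);

// Strict function: no aliasing, and arguments.callee is a throwing accessor.
const strictFn = new Function('a', `
  'use strict';
  arguments[0] = 'changed';          // a keeps its original value
  let calleeThrows = false;
  try { void arguments.callee; }
  catch (e) { calleeThrows = e instanceof TypeError; }
  return { a: a, calleeThrows: calleeThrows };`);

// Reading .caller on a strict function reaches Function.prototype's
// %ThrowTypeError% accessor, while a sloppy function carries its own
// caller/arguments properties: the same lookup resolves differently
// depending on which kind of function is probed.
function callerAccessThrows(fn) {
  try {
    void fn.caller;
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Runs both functions on the same input and collects the differences.
function compareFunctionKinds() {
  const sloppy = sloppyFn('original');
  const strict = strictFn('original');
  return {
    sloppyAliased: sloppy.a === 'changed',            // true
    sloppyCalleeIsSelf: sloppy.callee === sloppyFn,   // true
    strictAliased: strict.a === 'changed',            // false
    strictCalleeThrows: strict.calleeThrows,          // true
    sloppyCallerThrows: callerAccessThrows(sloppyFn), // false
    strictCallerThrows: callerAccessThrows(strictFn), // true
  };
}
```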
3485
3486 2017-11-29  Yusuke Suzuki  <utatane.tea@gmail.com>
3487
3488         [JSC] Add MacroAssembler::getEffectiveAddress in all platforms
3489         https://bugs.webkit.org/show_bug.cgi?id=180070
3490
3491         Reviewed by Saam Barati.
3492
3493         This patch adds getEffectiveAddress in all JIT platforms.
3494         This is an abstracted version of x86 lea.
3495
3496         We also fix a bug in Yarr that uses branch32 instead of branchPtr for addresses.
3497
3498         * assembler/MacroAssemblerARM.h:
3499         (JSC::MacroAssemblerARM::getEffectiveAddress):
3500         * assembler/MacroAssemblerARM64.h:
3501         (JSC::MacroAssemblerARM64::getEffectiveAddress):
3502         (JSC::MacroAssemblerARM64::getEffectiveAddress64): Deleted.
3503         * assembler/MacroAssemblerARMv7.h:
3504         (JSC::MacroAssemblerARMv7::getEffectiveAddress):
3505         * assembler/MacroAssemblerMIPS.h:
3506         (JSC::MacroAssemblerMIPS::getEffectiveAddress):
3507         * assembler/MacroAssemblerX86.h:
3508         (JSC::MacroAssemblerX86::getEffectiveAddress):
3509         * assembler/MacroAssemblerX86_64.h:
3510         (JSC::MacroAssemblerX86_64::getEffectiveAddress):
3511         (JSC::MacroAssemblerX86_64::getEffectiveAddress64): Deleted.
3512         * assembler/testmasm.cpp:
3513         (JSC::testGetEffectiveAddress):
3514         (JSC::run):
3515         * dfg/DFGSpeculativeJIT.cpp:
3516         (JSC::DFG::SpeculativeJIT::compileArrayPush):
3517         * yarr/YarrJIT.cpp:
3518         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
3519         (JSC::Yarr::YarrGenerator::tryReadUnicodeChar):
3520
3521 2017-11-29  Robin Morisset  <rmorisset@apple.com>
3522
3523         The recursive tail call optimisation is wrong on closures
3524         https://bugs.webkit.org/show_bug.cgi?id=179835
3525
3526         Reviewed by Saam Barati.
3527
3528         The problem is that we only check the executable of the callee, not whatever variables might have been captured.
3529         As a stopgap measure this patch just does not do the optimisation for closures.
3530
3531         * dfg/DFGByteCodeParser.cpp:
3532         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
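        Added illustration (not a JSC test case) of the closure problem described above: two closures produced by one factory share the same executable but capture different values, so a tail call from one to the other must not be treated as a jump back to the caller's own entry. The `makeStep`, `env` and `closureCheckComparison` names are this example's own.

```javascript
// Two closures of `step` share one executable (same source, same bytecode)
// but each captures its own `k`.
function makeStep(k, env) {
  return function step(n) {
    if (n === 0) return k;
    return env.other(n - 1); // tail call into a different closure of `step`
  };
}

// Starts the chain in the k=1 closure and finishes it in the k=2 closure.
function runClosureTailCalls() {
  const env = { other: null };
  const first = makeStep(1, env);
  env.other = makeStep(2, env);
  // first(3) -> other(2) -> other(1) -> other(0) -> 2.
  // An optimisation that only compared executables would treat the tail call
  // as self-recursion, loop inside `first` with k=1 still captured, and
  // return 1.
  return first(3);
}

// Models the two checks. "Same executable" is approximated by identical
// source text, which is exactly what closures from one factory share;
// "same closure" is identity, which also covers the captured scope.
function closureCheckComparison() {
  const env = { other: null };
  const first = makeStep(1, env);
  env.other = makeStep(2, env);
  const src = (f) => Function.prototype.toString.call(f);
  return {
    sameExecutable: src(first) === src(env.other), // true
    sameClosure: first === env.other,              // false
  };
}

// A genuinely self-recursive tail call, where caller and callee are the same
// closure, is the case the optimisation is meant for.
function sumTo(n, acc = 0) {
  return n === 0 ? acc : sumTo(n - 1, acc + n);
}
```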
3533
3534 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
3535
3536         Web Inspector: Cleanup Inspector classes to be more consistent about using fast malloc / noncopyable
3537         https://bugs.webkit.org/show_bug.cgi?id=180119
3538
3539         Reviewed by Devin Rousso.
3540
3541         * inspector/InjectedScriptManager.h:
3542         * inspector/JSGlobalObjectScriptDebugServer.h:
3543         * inspector/agents/InspectorHeapAgent.h:
3544         * inspector/agents/InspectorRuntimeAgent.h:
3545         * inspector/agents/InspectorScriptProfilerAgent.h:
3546         * inspector/agents/JSGlobalObjectRuntimeAgent.h:
3547
3548 2017-11-28  Joseph Pecoraro  <pecoraro@apple.com>
3549
3550         ServiceWorker Inspector: Frontend changes to support Network tab and sub resources
3551         https://bugs.webkit.org/show_bug.cgi?id=179642
3552         <rdar://problem/35517704>
3553
3554         Reviewed by Brian Burg.
3555
3556         * inspector/protocol/Network.json:
3557         Expose the NetworkAgent for a Service Worker inspector.
3558
3559 2017-11-28  Brian Burg  <bburg@apple.com>
3560
3561         [Cocoa] Clean up names of conversion methods after renaming InspectorValue to JSON::Value
3562         https://bugs.webkit.org/show_bug.cgi?id=179696
3563
3564         Reviewed by Timothy Hatcher.
3565
3566         * inspector/scripts/codegen/generate_objc_header.py:
3567         (ObjCHeaderGenerator._generate_type_interface):
3568         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3569         (ObjCProtocolTypesImplementationGenerator.generate_type_implementation):
3570         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_protocol_object):
3571         (ObjCProtocolTypesImplementationGenerator._generate_init_method_for_json_object): Deleted.
3572         * inspector/scripts/codegen/objc_generator.py:
3573         (ObjCGenerator.protocol_type_for_raw_name):
3574         (ObjCGenerator.objc_protocol_export_expression_for_variable):
3575         (ObjCGenerator.objc_protocol_export_expression_for_variable.is):
3576         (ObjCGenerator.objc_protocol_import_expression_for_variable):
3577         (ObjCGenerator.objc_protocol_import_expression_for_variable.is):
3578         (ObjCGenerator.objc_to_protocol_expression_for_member.is):
3579         (ObjCGenerator.objc_to_protocol_expression_for_member):
3580         (ObjCGenerator.protocol_to_objc_expression_for_member.is):
3581         (ObjCGenerator.protocol_to_objc_expression_for_member):
3582         (ObjCGenerator.protocol_to_objc_code_block_for_object_member):
3583         (ObjCGenerator.objc_setter_method_for_member_internal):
3584         (ObjCGenerator.objc_getter_method_for_member_internal):
3585         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3586         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3587         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3588         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3589         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3590         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3591         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3592         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3593         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3594         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3595
3596 2017-11-27  JF Bastien  <jfbastien@apple.com>
3597
3598         JavaScript rest function parameter with negative index leads to bad DFG abstract interpretation
3599         https://bugs.webkit.org/show_bug.cgi?id=180051
3600         <rdar://problem/35614371>
3601
3602         Reviewed by Saam Barati.
3603
3604         Checking for int32 isn't sufficient when uint32 is expected
3605         afterwards. While we're here, also use Checked<>.
3606
3607         * dfg/DFGAbstractInterpreterInlines.h:
3608         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3609
3610 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
3611
3612         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
3613         https://bugs.webkit.org/show_bug.cgi?id=173793
3614
3615         Reviewed by Joseph Pecoraro.
3616
3617         Based on patch by Brian Burg.
3618
3619         * JavaScriptCore.xcodeproj/project.pbxproj:
3620         * Sources.txt:
3621         * bindings/ScriptValue.cpp:
3622         (Inspector::jsToInspectorValue):
3623         (Inspector::toInspectorValue):
3624         (Deprecated::ScriptValue::toInspectorValue const):
3625         * bindings/ScriptValue.h:
3626         * inspector/AsyncStackTrace.cpp:
3627         * inspector/ConsoleMessage.cpp:
3628         * inspector/ContentSearchUtilities.cpp:
3629         * inspector/DeprecatedInspectorValues.cpp: Added.
3630         * inspector/DeprecatedInspectorValues.h: Added.
3631         Keep the old symbols around in JavaScriptCore so that builds with the
3632         public iOS SDK continue to work. These older SDKs include a version of
3633         WebInspector.framework that expects to find InspectorArray and other
3634         symbols in JavaScriptCore.framework.
3635
3636         * inspector/InjectedScript.cpp:
3637         (Inspector::InjectedScript::getFunctionDetails):
3638         (Inspector::InjectedScript::functionDetails):
3639         (Inspector::InjectedScript::getPreview):
3640         (Inspector::InjectedScript::getProperties):
3641         (Inspector::InjectedScript::getDisplayableProperties):
3642         (Inspector::InjectedScript::getInternalProperties):
3643         (Inspector::InjectedScript::getCollectionEntries):
3644         (Inspector::InjectedScript::saveResult):
3645         (Inspector::InjectedScript::wrapCallFrames const):
3646         (Inspector::InjectedScript::wrapObject const):
3647         (Inspector::InjectedScript::wrapTable const):
3648         (Inspector::InjectedScript::previewValue const):
3649         (Inspector::InjectedScript::setExceptionValue):
3650         (Inspector::InjectedScript::clearExceptionValue):
3651         (Inspector::InjectedScript::inspectObject):
3652         (Inspector::InjectedScript::releaseObject):
3653         * inspector/InjectedScriptBase.cpp:
3654         (Inspector::InjectedScriptBase::makeCall):
3655         (Inspector::InjectedScriptBase::makeEvalCall):
3656         * inspector/InjectedScriptBase.h:
3657         * inspector/InjectedScriptManager.cpp:
3658         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
3659         * inspector/InspectorBackendDispatcher.cpp:
3660         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
3661         (Inspector::BackendDispatcher::dispatch):
3662         (Inspector::BackendDispatcher::sendResponse):
3663         (Inspector::BackendDispatcher::sendPendingErrors):
3664         (Inspector::BackendDispatcher::getPropertyValue):
3665         (Inspector::castToInteger):
3666         (Inspector::castToNumber):
3667         (Inspector::BackendDispatcher::getInteger):
3668         (Inspector::BackendDispatcher::getDouble):
3669         (Inspector::BackendDispatcher::getString):
3670         (Inspector::BackendDispatcher::getBoolean):
3671         (Inspector::BackendDispatcher::getObject):
3672         (Inspector::BackendDispatcher::getArray):
3673         (Inspector::BackendDispatcher::getValue):
3674         * inspector/InspectorBackendDispatcher.h:
3675         We need to keep around the sendResponse() variant with a parameter that
3676         has the InspectorObject type, as older WebInspector.framework versions
3677         expect this symbol to exist. Introduce a variant with arity 3 that can
3678         be used in TOT so as to avoid having two methods with the same name, arity, and
3679         different parameter types.
3680
3681         When system WebInspector.framework is updated, we can remove the legacy
3682         method variant that uses the InspectorObject type. At that point, we can
3683         transition TOT to use the 2-arity variant, and delete the 3-arity variant
3684         when system WebInspector.framework is updated once more to use the 2-arity one.
3685
3686         * inspector/InspectorProtocolTypes.h:
3687         (Inspector::Protocol::Array::openAccessors):
3688         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
3689         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
3690         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
3691         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
3692         * inspector/ScriptCallFrame.cpp:
3693         * inspector/ScriptCallStack.cpp:
3694         * inspector/agents/InspectorAgent.cpp:
3695         (Inspector::InspectorAgent::inspect):
3696         * inspector/agents/InspectorAgent.h:
3697         * inspector/agents/InspectorDebuggerAgent.cpp:
3698         (Inspector::buildAssertPauseReason):
3699         (Inspector::buildCSPViolationPauseReason):
3700         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
3701         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
3702         (Inspector::buildObjectForBreakpointCookie):
3703         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
3704         (Inspector::parseLocation):
3705         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3706         (Inspector::InspectorDebuggerAgent::setBreakpoint):
3707         (Inspector::InspectorDebuggerAgent::continueToLocation):
3708         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
3709         (Inspector::InspectorDebuggerAgent::didParseSource):
3710         (Inspector::InspectorDebuggerAgent::breakProgram):
3711         * inspector/agents/InspectorDebuggerAgent.h:
3712         * inspector/agents/InspectorRuntimeAgent.cpp:
3713         (Inspector::InspectorRuntimeAgent::callFunctionOn):
3714         (Inspector::InspectorRuntimeAgent::saveResult):
3715         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3716         * inspector/agents/InspectorRuntimeAgent.h:
3717         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
3718         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
3719         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
3720         (CppBackendDispatcherImplementationGenerator.generate_output):
3721         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
3722         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
3723         (CppFrontendDispatcherHeaderGenerator.generate_output):
3724         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
3725         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
3726         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3727         (_generate_unchecked_setter_for_member):
3728         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
3729         (CppProtocolTypesImplementationGenerator):
3730         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
3731         (ObjCBackendDispatcherImplementationGenerator.generate_output):
3732         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
3733         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
3734         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
3735         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
3736         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
3737         * inspector/scripts/codegen/generate_objc_internal_header.py:
3738         (ObjCInternalHeaderGenerator.generate_output):
3739         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
3740         (ObjCProtocolTypesImplementationGenerator.generate_output):
3741         * inspector/scripts/codegen/generator.py:
3742         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
3743         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3744         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3745         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
3746         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
3747         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
3748         * inspector/scripts/tests/generic/expected/enum-values.json-result:
3749         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3750         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
3751         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
3752         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3753         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
3754         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3755         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
3756         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3757         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
3758         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
3759         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
3760         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
3761         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
3762
3763 2017-11-28  Robin Morisset  <rmorisset@apple.com>
3764
3765         Support recursive tail call optimization for polymorphic calls
3766         https://bugs.webkit.org/show_bug.cgi?id=178390
3767
3768         Reviewed by Saam Barati.
3769
3770         Comes with a large but fairly simple refactoring: the inlining paths for varargs and non-varargs calls now converge a lot later,
3771         eliminating some redundant checks, and simplifying a few parts of the inlining pipeline.
3772
3773         Also removes some dead code from inlineCall(): there was a special path for when m_continuationBlock is null, but it should never be (now checked with RELEASE_ASSERT).
3774
3775         * dfg/DFGByteCodeParser.cpp:
3776         (JSC::DFG::ByteCodeParser::handleCall):
3777         (JSC::DFG::ByteCodeParser::handleVarargsCall):
3778         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
3779         (JSC::DFG::ByteCodeParser::inlineCall):
3780         (JSC::DFG::ByteCodeParser::handleCallVariant):
3781         (JSC::DFG::ByteCodeParser::handleVarargsInlining):
3782         (JSC::DFG::ByteCodeParser::getInliningBalance):
3783         (JSC::DFG::ByteCodeParser::handleInlining):
3784         (JSC::DFG::ByteCodeParser::attemptToInlineCall): Deleted.
3785
3786 2017-11-27  Saam Barati  <sbarati@apple.com>
3787
3788         Spread can escape when CreateRest does not
3789         https://bugs.webkit.org/show_bug.cgi?id=180057
3790         <rdar://problem/35676119>
3791
3792         Reviewed by JF Bastien.
3793
3794         We previously did not handle Spread(PhantomCreateRest) only because I did not
3795         think it was possible to generate this IR. I was wrong. We can generate
3796         such IR when we have a PutStack(Spread) but nothing escapes the CreateRest.
3797         This IR is rare to generate since we normally don't PutStack(Spread) because
3798         the SetLocal almost always gets eliminated because of how our bytecode generates
3799         op_spread. However, there exists a test case showing it is possible. Supporting
3800         this IR pattern in FTLLower is trivial. This patch implements it and rewrites
3801         the Validation rule for Spread.
3802
3803         * dfg/DFGOperations.cpp:
3804         * dfg/DFGOperations.h:
3805         * dfg/DFGValidate.cpp:
3806         * ftl/FTLLowerDFGToB3.cpp:
3807         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
3808         * runtime/JSFixedArray.h:
3809         (JSC::JSFixedArray::tryCreate):
3810
3811 2017-11-27  Don Olmstead  <don.olmstead@sony.com>
3812
3813         [CMake][Win] Conditionally select DLL CRT or static CRT
3814         https://bugs.webkit.org/show_bug.cgi?id=170594
3815
3816         Reviewed by Alex Christensen.
3817
3818         * shell/PlatformWin.cmake:
3819
3820 2017-11-27  Saam Barati  <sbarati@apple.com>
3821
3822         Having a bad time watchpoint firing during compilation revealed a racy assertion
3823         https://bugs.webkit.org/show_bug.cgi?id=180048
3824         <rdar://problem/35700009>
3825
3826         Reviewed by Mark Lam.
3827
3828         While a DFG compilation is watching the having a bad time watchpoint, it was
3829         asserting that the rest parameter structure has indexing type ArrayWithContiguous.
3830         However, if the having a bad time watchpoint fires during the compilation,
3831         this particular structure will no longer have ArrayWithContiguous indexing type.
3832         This patch fixes this racy assertion to be aware that the watchpoint may fire
3833         during compilation.
3834
3835         * dfg/DFGSpeculativeJIT.cpp:
3836         (JSC::DFG::SpeculativeJIT::compileCreateRest):
3837         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
3838
3839 2017-11-27  Tim Horton  <timothy_horton@apple.com>
3840
3841         One too many zeroes in macOS version number in FeatureDefines
3842         https://bugs.webkit.org/show_bug.cgi?id=180011
3843
3844         Reviewed by Dan Bernstein.
3845
3846         * Configurations/FeatureDefines.xcconfig:
3847
3848 2017-11-27  Robin Morisset  <rmorisset@apple.com>
3849
3850         Update DFGSafeToExecute to be aware that ArrayPush is now a varargs node
3851         https://bugs.webkit.org/show_bug.cgi?id=179821
3852
3853         Reviewed by Saam Barati.
3854
3855         * dfg/DFGSafeToExecute.h:
3856         (JSC::DFG::safeToExecute):
3857
3858 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
3859
3860         [DFG] Add NormalizeMapKey DFG IR
3861         https://bugs.webkit.org/show_bug.cgi?id=179912
3862
3863         Reviewed by Saam Barati.
3864
3865         This patch introduces NormalizeMapKey DFG node. It executes what normalizeMapKey does in an inlined manner.
3866         By separating this from MapHash and Map/Set related operations, we can perform CSE onto that, and we
3867         do not need to call normalizeMapKey conservatively in DFG operations.
3868         This can reduce the slow path cases in Untyped GetMapBucket, since we can normalize keys in DFG/FTL.
3869
3870         * dfg/DFGAbstractInterpreterInlines.h:
3871         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3872         * dfg/DFGByteCodeParser.cpp:
3873         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3874         * dfg/DFGClobberize.h:
3875         (JSC::DFG::clobberize):
3876         * dfg/DFGDoesGC.cpp:
3877         (JSC::DFG::doesGC):
3878         * dfg/DFGFixupPhase.cpp:
3879         (JSC::DFG::FixupPhase::fixupNode):
3880         (JSC::DFG::FixupPhase::fixupNormalizeMapKey):
3881         * dfg/DFGNodeType.h:
3882         * dfg/DFGOperations.cpp:
3883         * dfg/DFGPredictionPropagationPhase.cpp:
3884         * dfg/DFGSafeToExecute.h:
3885         (JSC::DFG::safeToExecute):
3886         * dfg/DFGSpeculativeJIT.cpp:
3887         (JSC::DFG::SpeculativeJIT::compileNormalizeMapKey):
3888         * dfg/DFGSpeculativeJIT.h:
3889         * dfg/DFGSpeculativeJIT32_64.cpp:
3890         (JSC::DFG::SpeculativeJIT::compile):
3891         * dfg/DFGSpeculativeJIT64.cpp:
3892         (JSC::DFG::SpeculativeJIT::compile):
3893         * ftl/FTLCapabilities.cpp:
3894         (JSC::FTL::canCompile):
3895         * ftl/FTLLowerDFGToB3.cpp:
3896         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3897         (JSC::FTL::DFG::LowerDFGToB3::compileMapHash):
3898         (JSC::FTL::DFG::LowerDFGToB3::compileNormalizeMapKey):
3899         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
3900         * runtime/HashMapImpl.h:
3901
3902 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
3903
3904         [FTL] Support DeleteById and DeleteByVal
3905         https://bugs.webkit.org/show_bug.cgi?id=180022
3906