Only cage double butterfly accesses
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-11-07  Saam Barati  <sbarati@apple.com>
2
3         Only cage double butterfly accesses
4         https://bugs.webkit.org/show_bug.cgi?id=179202
5
6         Reviewed by Mark Lam.
7
8         This patch removes caging from all butterfly accesses except double loads/stores.
9         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
10         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
11         by caging. The other load/stores we are no longer caging to get back performance on
12         various benchmarks.
13
14         * bytecode/AccessCase.cpp:
15         (JSC::AccessCase::generateImpl):
16         * bytecode/InlineAccess.cpp:
17         (JSC::InlineAccess::dumpCacheSizesAndCrash):
18         (JSC::InlineAccess::generateSelfPropertyAccess):
19         (JSC::InlineAccess::generateSelfPropertyReplace):
20         (JSC::InlineAccess::generateArrayLength):
21         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
22         * dfg/DFGSpeculativeJIT.cpp:
23         (JSC::DFG::SpeculativeJIT::compileCreateRest):
24         (JSC::DFG::SpeculativeJIT::compileSpread):
25         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
26         * dfg/DFGSpeculativeJIT64.cpp:
27         (JSC::DFG::SpeculativeJIT::compile):
28         * ftl/FTLLowerDFGToB3.cpp:
29         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
30         * jit/JITPropertyAccess.cpp:
31         (JSC::JIT::emitContiguousLoad):
32         (JSC::JIT::emitArrayStorageLoad):
33         (JSC::JIT::emitGenericContiguousPutByVal):
34         (JSC::JIT::emitArrayStoragePutByVal):
35         (JSC::JIT::emit_op_get_from_scope):
36         (JSC::JIT::emit_op_put_to_scope):
37         * llint/LowLevelInterpreter64.asm:
38         * runtime/AuxiliaryBarrier.h:
39         (JSC::AuxiliaryBarrier::operator-> const):
40         * runtime/Butterfly.h:
41         (JSC::Butterfly::caged):
42         (JSC::Butterfly::contiguousDouble):
43         * runtime/JSArray.cpp:
44         (JSC::JSArray::setLength):
45         (JSC::JSArray::pop):
46         (JSC::JSArray::shiftCountWithAnyIndexingType):
47         (JSC::JSArray::unshiftCountWithAnyIndexingType):
48         (JSC::JSArray::fillArgList):
49         (JSC::JSArray::copyToArguments):
50         * runtime/JSArrayInlines.h:
51         (JSC::JSArray::pushInline):
52         * runtime/JSObject.cpp:
53         (JSC::JSObject::heapSnapshot):
54         (JSC::JSObject::createInitialIndexedStorage):
55         (JSC::JSObject::createArrayStorage):
56         (JSC::JSObject::convertUndecidedToInt32):
57         (JSC::JSObject::ensureLengthSlow):
58         (JSC::JSObject::reallocateAndShrinkButterfly):
59         (JSC::JSObject::allocateMoreOutOfLineStorage):
60         * runtime/JSObject.h:
61         (JSC::JSObject::canGetIndexQuickly):
62         (JSC::JSObject::getIndexQuickly):
63         (JSC::JSObject::tryGetIndexQuickly const):
64         (JSC::JSObject::canSetIndexQuickly):
65         (JSC::JSObject::butterfly const):
66         (JSC::JSObject::butterfly):
67
68 2017-11-07  Mark Lam  <mark.lam@apple.com>
69
70         Introduce a default RegisterSet constructor so that we can use { } notation.
71         https://bugs.webkit.org/show_bug.cgi?id=179389
72
73         Reviewed by Saam Barati.
74
75         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
76         does not add any code documentation value.
77
78         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
79         * b3/air/AirCode.cpp:
80         (JSC::B3::Air::Code::setRegsInPriorityOrder):
81         * b3/air/AirPrintSpecial.cpp:
82         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
83         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
84         * b3/air/testair.cpp:
85         * bytecode/PolymorphicAccess.h:
86         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
87         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
88         * dfg/DFGJITCode.cpp:
89         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
90         * ftl/FTLJITCode.cpp:
91         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
92         * jit/JITCode.cpp:
93         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
94         * jit/RegisterSet.cpp:
95         (JSC::RegisterSet::reservedHardwareRegisters):
96         (JSC::RegisterSet::runtimeRegisters):
97         (JSC::RegisterSet::macroScratchRegisters):
98         * jit/RegisterSet.h:
99         (JSC::RegisterSet::RegisterSet):
100         * wasm/WasmB3IRGenerator.cpp:
101         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
102
103 2017-11-07  Mark Lam  <mark.lam@apple.com>
104
105         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
106         https://bugs.webkit.org/show_bug.cgi?id=179355
107         <rdar://problem/35263053>
108
109         Reviewed by Saam Barati.
110
111         In the Transition case in AccessCase::generateImpl(), we were restoring registers
112         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
113         where we previously stashed the reallocated butterfly.  If the generated code is
114         under heavy register pressure, scratchGPR could have been from the set of preserved
115         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
116         As a result, the restoration would trash the butterfly result we stored there.
117         This patch fixes the issue by excluding the scratchGPR in the restoration.
118
119         * bytecode/AccessCase.cpp:
120         (JSC::AccessCase::generateImpl):
121
122 2017-11-06  Robin Morisset  <rmorisset@apple.com>
123
124         CodeBlock::usesOpcode() is dead code
125         https://bugs.webkit.org/show_bug.cgi?id=179316
126
127         Reviewed by Yusuke Suzuki.
128
129         Remove CodeBlock::usesOpcode which is dead code
130
131         * bytecode/CodeBlock.cpp:
132         * bytecode/CodeBlock.h:
133
134 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
135
136         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
137         https://bugs.webkit.org/show_bug.cgi?id=144458
138
139         Reviewed by Saam Barati.
140
141         Previously only JSFunction is handled by CallLinkInfo's caching mechanism. This means that
142         InternalFunction calls are not cached and they always go to the slow path. This is not good because
143
144         1. We need to query getCallData/getConstructData every time in the slow path.
145         2. CallLinkInfo tells nothing in the higher tier JITs.
146
147         This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
148         to hold pointers to the functions for call and construct. We have new stubs that can call/construct
149         InternalFunction. And we return this code pointer as a result of setup call to use CallLinkInfo mechanism.
150
151         This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
152         for InternalFunction. Previously we did not record any information to CallLinkInfo. Except for the
153         case that DFGByteCodeParser figures out InternalFunction constant, we cannot attempt to emit DFG
154         nodes for these InternalFunctions since CallLinkInfo tells us nothing.
155
156         Attached microbenchmarks show performance improvement.
157
158                                                            baseline                  patched
159
160         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
161         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
162         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
163         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
164
165         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
166
167         * API/JSCallbackFunction.cpp:
168         (JSC::JSCallbackFunction::JSCallbackFunction):
169         (JSC::JSCallbackFunction::getCallData): Deleted.
170         * API/JSCallbackFunction.h:
171         (JSC::JSCallbackFunction::createStructure):
172         * API/ObjCCallbackFunction.h:
173         (JSC::ObjCCallbackFunction::createStructure):
174         * API/ObjCCallbackFunction.mm:
175         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
176         (JSC::ObjCCallbackFunction::getCallData): Deleted.
177         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
178         * bytecode/BytecodeDumper.cpp:
179         (JSC::BytecodeDumper<Block>::printCallOp):
180         * bytecode/BytecodeList.json:
181         * bytecode/CallLinkInfo.cpp:
182         (JSC::CallLinkInfo::setCallee):
183         (JSC::CallLinkInfo::callee):
184         (JSC::CallLinkInfo::setLastSeenCallee):
185         (JSC::CallLinkInfo::lastSeenCallee):
186         (JSC::CallLinkInfo::visitWeak):
187         * bytecode/CallLinkInfo.h:
188         * bytecode/CallLinkStatus.cpp:
189         (JSC::CallLinkStatus::computeFromCallLinkInfo):
190         * bytecode/LLIntCallLinkInfo.h:
191         * jit/JITOperations.cpp:
192         * jit/JITThunks.cpp:
193         (JSC::JITThunks::ctiInternalFunctionCall):
194         (JSC::JITThunks::ctiInternalFunctionConstruct):
195         * jit/JITThunks.h:
196         * jit/Repatch.cpp:
197         (JSC::linkFor):
198         (JSC::linkPolymorphicCall):
199         * jit/Repatch.h:
200         * jit/ThunkGenerators.cpp:
201         (JSC::virtualThunkFor):
202         (JSC::nativeForGenerator):
203         (JSC::nativeCallGenerator):
204         (JSC::nativeTailCallGenerator):
205         (JSC::nativeTailCallWithoutSavedTagsGenerator):
206         (JSC::nativeConstructGenerator):
207         (JSC::internalFunctionCallGenerator):
208         (JSC::internalFunctionConstructGenerator):
209         * jit/ThunkGenerators.h:
210         * llint/LLIntSlowPaths.cpp:
211         (JSC::LLInt::setUpCall):
212         * llint/LowLevelInterpreter.asm:
213         * llint/LowLevelInterpreter32_64.asm:
214         * llint/LowLevelInterpreter64.asm:
215         * runtime/ArrayConstructor.cpp:
216         (JSC::ArrayConstructor::ArrayConstructor):
217         (JSC::ArrayConstructor::getConstructData): Deleted.
218         (JSC::ArrayConstructor::getCallData): Deleted.
219         * runtime/ArrayConstructor.h:
220         (JSC::ArrayConstructor::createStructure):
221         * runtime/AsyncFunctionConstructor.cpp:
222         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
223         (JSC::AsyncFunctionConstructor::finishCreation):
224         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
225         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
226         * runtime/AsyncFunctionConstructor.h:
227         (JSC::AsyncFunctionConstructor::createStructure):
228         * runtime/AsyncGeneratorFunctionConstructor.cpp:
229         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
230         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
231         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
232         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
233         * runtime/AsyncGeneratorFunctionConstructor.h:
234         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
235         * runtime/BooleanConstructor.cpp:
236         (JSC::callBooleanConstructor):
237         (JSC::BooleanConstructor::BooleanConstructor):
238         (JSC::BooleanConstructor::finishCreation):
239         (JSC::BooleanConstructor::getConstructData): Deleted.
240         (JSC::BooleanConstructor::getCallData): Deleted.
241         * runtime/BooleanConstructor.h:
242         (JSC::BooleanConstructor::createStructure):
243         * runtime/DateConstructor.cpp:
244         (JSC::DateConstructor::DateConstructor):
245         (JSC::DateConstructor::getConstructData): Deleted.
246         (JSC::DateConstructor::getCallData): Deleted.
247         * runtime/DateConstructor.h:
248         (JSC::DateConstructor::createStructure):
249         * runtime/Error.h:
250         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
251         (JSC::StrictModeTypeErrorFunction::createStructure):
252         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
253         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
254         * runtime/ErrorConstructor.cpp:
255         (JSC::ErrorConstructor::ErrorConstructor):
256         (JSC::ErrorConstructor::getConstructData): Deleted.
257         (JSC::ErrorConstructor::getCallData): Deleted.
258         * runtime/ErrorConstructor.h:
259         (JSC::ErrorConstructor::createStructure):
260         * runtime/FunctionConstructor.cpp:
261         (JSC::FunctionConstructor::FunctionConstructor):
262         (JSC::FunctionConstructor::finishCreation):
263         (JSC::FunctionConstructor::getConstructData): Deleted.
264         (JSC::FunctionConstructor::getCallData): Deleted.
265         * runtime/FunctionConstructor.h:
266         (JSC::FunctionConstructor::createStructure):
267         * runtime/FunctionPrototype.cpp:
268         (JSC::callFunctionPrototype):
269         (JSC::FunctionPrototype::FunctionPrototype):
270         (JSC::FunctionPrototype::getCallData): Deleted.
271         * runtime/FunctionPrototype.h:
272         (JSC::FunctionPrototype::createStructure):
273         * runtime/GeneratorFunctionConstructor.cpp:
274         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
275         (JSC::GeneratorFunctionConstructor::finishCreation):
276         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
277         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
278         * runtime/GeneratorFunctionConstructor.h:
279         (JSC::GeneratorFunctionConstructor::createStructure):
280         * runtime/InternalFunction.cpp:
281         (JSC::InternalFunction::InternalFunction):
282         (JSC::InternalFunction::finishCreation):
283         (JSC::InternalFunction::getCallData):
284         (JSC::InternalFunction::getConstructData):
285         * runtime/InternalFunction.h:
286         (JSC::InternalFunction::createStructure):
287         (JSC::InternalFunction::nativeFunctionFor):
288         (JSC::InternalFunction::offsetOfNativeFunctionFor):
289         * runtime/IntlCollatorConstructor.cpp:
290         (JSC::IntlCollatorConstructor::createStructure):
291         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
292         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
293         (JSC::IntlCollatorConstructor::getCallData): Deleted.
294         * runtime/IntlCollatorConstructor.h:
295         * runtime/IntlDateTimeFormatConstructor.cpp:
296         (JSC::IntlDateTimeFormatConstructor::createStructure):
297         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
298         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
299         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
300         * runtime/IntlDateTimeFormatConstructor.h:
301         * runtime/IntlNumberFormatConstructor.cpp:
302         (JSC::IntlNumberFormatConstructor::createStructure):
303         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
304         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
305         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
306         * runtime/IntlNumberFormatConstructor.h:
307         * runtime/JSArrayBufferConstructor.cpp:
308         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
309         (JSC::JSArrayBufferConstructor::createStructure):
310         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
311         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
312         * runtime/JSArrayBufferConstructor.h:
313         * runtime/JSGenericTypedArrayViewConstructor.h:
314         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
315         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
316         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
317         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
318         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
319         * runtime/JSInternalPromiseConstructor.cpp:
320         (JSC::JSInternalPromiseConstructor::createStructure):
321         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
322         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
323         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
324         * runtime/JSInternalPromiseConstructor.h:
325         * runtime/JSPromiseConstructor.cpp:
326         (JSC::JSPromiseConstructor::createStructure):
327         (JSC::JSPromiseConstructor::JSPromiseConstructor):
328         (JSC::JSPromiseConstructor::getConstructData): Deleted.
329         (JSC::JSPromiseConstructor::getCallData): Deleted.
330         * runtime/JSPromiseConstructor.h:
331         * runtime/JSType.h:
332         * runtime/JSTypedArrayViewConstructor.cpp:
333         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
334         (JSC::JSTypedArrayViewConstructor::createStructure):
335         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
336         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
337         * runtime/JSTypedArrayViewConstructor.h:
338         * runtime/MapConstructor.cpp:
339         (JSC::MapConstructor::MapConstructor):
340         (JSC::MapConstructor::getConstructData): Deleted.
341         (JSC::MapConstructor::getCallData): Deleted.
342         * runtime/MapConstructor.h:
343         (JSC::MapConstructor::createStructure):
344         (JSC::MapConstructor::MapConstructor): Deleted.
345         * runtime/NativeErrorConstructor.cpp:
346         (JSC::NativeErrorConstructor::NativeErrorConstructor):
347         (JSC::NativeErrorConstructor::getConstructData): Deleted.
348         (JSC::NativeErrorConstructor::getCallData): Deleted.
349         * runtime/NativeErrorConstructor.h:
350         (JSC::NativeErrorConstructor::createStructure):
351         * runtime/NullGetterFunction.cpp:
352         (JSC::NullGetterFunction::NullGetterFunction):
353         (JSC::NullGetterFunction::getCallData): Deleted.
354         (JSC::NullGetterFunction::getConstructData): Deleted.
355         * runtime/NullGetterFunction.h:
356         (JSC::NullGetterFunction::createStructure):
357         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
358         * runtime/NullSetterFunction.cpp:
359         (JSC::NullSetterFunction::NullSetterFunction):
360         (JSC::NullSetterFunction::getCallData): Deleted.
361         (JSC::NullSetterFunction::getConstructData): Deleted.
362         * runtime/NullSetterFunction.h:
363         (JSC::NullSetterFunction::createStructure):
364         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
365         * runtime/NumberConstructor.cpp:
366         (JSC::NumberConstructor::NumberConstructor):
367         (JSC::constructNumberConstructor):
368         (JSC::constructWithNumberConstructor): Deleted.
369         (JSC::NumberConstructor::getConstructData): Deleted.
370         (JSC::NumberConstructor::getCallData): Deleted.
371         * runtime/NumberConstructor.h:
372         (JSC::NumberConstructor::createStructure):
373         * runtime/ObjectConstructor.cpp:
374         (JSC::ObjectConstructor::ObjectConstructor):
375         (JSC::ObjectConstructor::getConstructData): Deleted.
376         (JSC::ObjectConstructor::getCallData): Deleted.
377         * runtime/ObjectConstructor.h:
378         (JSC::ObjectConstructor::createStructure):
379         * runtime/ProxyConstructor.cpp:
380         (JSC::ProxyConstructor::ProxyConstructor):
381         (JSC::ProxyConstructor::getConstructData): Deleted.
382         (JSC::ProxyConstructor::getCallData): Deleted.
383         * runtime/ProxyConstructor.h:
384         (JSC::ProxyConstructor::createStructure):
385         * runtime/ProxyRevoke.cpp:
386         (JSC::ProxyRevoke::ProxyRevoke):
387         (JSC::ProxyRevoke::getCallData): Deleted.
388         * runtime/ProxyRevoke.h:
389         (JSC::ProxyRevoke::createStructure):
390         * runtime/RegExpConstructor.cpp:
391         (JSC::RegExpConstructor::RegExpConstructor):
392         (JSC::RegExpConstructor::getConstructData): Deleted.
393         (JSC::RegExpConstructor::getCallData): Deleted.
394         * runtime/RegExpConstructor.h:
395         (JSC::RegExpConstructor::createStructure):
396         * runtime/SetConstructor.cpp:
397         (JSC::SetConstructor::SetConstructor):
398         (JSC::SetConstructor::getConstructData): Deleted.
399         (JSC::SetConstructor::getCallData): Deleted.
400         * runtime/SetConstructor.h:
401         (JSC::SetConstructor::createStructure):
402         (JSC::SetConstructor::SetConstructor): Deleted.
403         * runtime/StringConstructor.cpp:
404         (JSC::StringConstructor::StringConstructor):
405         (JSC::StringConstructor::getConstructData): Deleted.
406         (JSC::StringConstructor::getCallData): Deleted.
407         * runtime/StringConstructor.h:
408         (JSC::StringConstructor::createStructure):
409         * runtime/SymbolConstructor.cpp:
410         (JSC::SymbolConstructor::SymbolConstructor):
411         (JSC::SymbolConstructor::getConstructData): Deleted.
412         (JSC::SymbolConstructor::getCallData): Deleted.
413         * runtime/SymbolConstructor.h:
414         (JSC::SymbolConstructor::createStructure):
415         * runtime/VM.cpp:
416         (JSC::VM::VM):
417         (JSC::VM::getCTIInternalFunctionTrampolineFor):
418         * runtime/VM.h:
419         * runtime/WeakMapConstructor.cpp:
420         (JSC::WeakMapConstructor::WeakMapConstructor):
421         (JSC::WeakMapConstructor::getConstructData): Deleted.
422         (JSC::WeakMapConstructor::getCallData): Deleted.
423         * runtime/WeakMapConstructor.h:
424         (JSC::WeakMapConstructor::createStructure):
425         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
426         * runtime/WeakSetConstructor.cpp:
427         (JSC::WeakSetConstructor::WeakSetConstructor):
428         (JSC::WeakSetConstructor::getConstructData): Deleted.
429         (JSC::WeakSetConstructor::getCallData): Deleted.
430         * runtime/WeakSetConstructor.h:
431         (JSC::WeakSetConstructor::createStructure):
432         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
433         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
434         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
435         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
436         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
437         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
438         * wasm/js/WebAssemblyCompileErrorConstructor.h:
439         * wasm/js/WebAssemblyInstanceConstructor.cpp:
440         (JSC::WebAssemblyInstanceConstructor::createStructure):
441         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
442         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
443         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
444         * wasm/js/WebAssemblyInstanceConstructor.h:
445         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
446         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
447         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
448         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
449         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
450         * wasm/js/WebAssemblyLinkErrorConstructor.h:
451         * wasm/js/WebAssemblyMemoryConstructor.cpp:
452         (JSC::WebAssemblyMemoryConstructor::createStructure):
453         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
454         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
455         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
456         * wasm/js/WebAssemblyMemoryConstructor.h:
457         * wasm/js/WebAssemblyModuleConstructor.cpp:
458         (JSC::WebAssemblyModuleConstructor::createStructure):
459         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
460         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
461         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
462         * wasm/js/WebAssemblyModuleConstructor.h:
463         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
464         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
465         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
466         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
467         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
468         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
469         * wasm/js/WebAssemblyTableConstructor.cpp:
470         (JSC::WebAssemblyTableConstructor::createStructure):
471         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
472         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
473         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
474         * wasm/js/WebAssemblyTableConstructor.h:
475
476 2017-11-03  Michael Saboff  <msaboff@apple.com>
477
478         The Abstract Interpreter needs to change similar to clobberize() in r224366
479         https://bugs.webkit.org/show_bug.cgi?id=179267
480
481         Reviewed by Saam Barati.
482
483         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
484         cases in the abstract interpreter to match what was done for r224366.
485
486         * dfg/DFGAbstractInterpreterInlines.h:
487         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
488
489 2017-11-03  Keith Miller  <keith_miller@apple.com>
490
491         PutProperytSlot should inform the IC about the property before effects.
492         https://bugs.webkit.org/show_bug.cgi?id=179262
493
494         Reviewed by Mark Lam.
495
496         This patch fixes an issue where we choose to cache setters based on
497         incorrect information. If we did so we might end up OSR exiting
498         more than we would otherwise need to. The new model is that the
499         PutPropertySlot should inform the IC of what the property looked
500         like before any potential side effects might have occurred.
501
502         * runtime/JSObject.cpp:
503         (JSC::JSObject::putInlineSlow):
504         * runtime/Lookup.h:
505         (JSC::putEntry):
506
507 2017-11-03  Mark Lam  <mark.lam@apple.com>
508
509         CachedCall (and its clients) needs overflow checks.
510         https://bugs.webkit.org/show_bug.cgi?id=179185
511
512         Reviewed by JF Bastien.
513
514         * interpreter/CachedCall.h:
515         (JSC::CachedCall::CachedCall):
516         (JSC::CachedCall::hasOverflowedArguments):
517         * runtime/ArgList.h:
518         (JSC::MarkedArgumentBuffer::clear):
519         * runtime/StringPrototype.cpp:
520         (JSC::replaceUsingRegExpSearch):
521
522 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
523
524         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
525         https://bugs.webkit.org/show_bug.cgi?id=178302
526         <rdar://problem/33158849>
527
528         Reviewed by Brian Burg.
529
530         * inspector/protocol/Recording.json:
531         Add `duration` to each Frame that represents the total time of all the recorded actions.
532
533 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
534
535         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
536         https://bugs.webkit.org/show_bug.cgi?id=179070
537         <rdar://problem/35278276>
538
539         Reviewed by Brian Burg.
540
541         * inspector/protocol/Canvas.json:
542         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
543         different string on a WebGL context.
544
545 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
546
547         Make ServiceWorker a Remote Inspector debuggable target
548         https://bugs.webkit.org/show_bug.cgi?id=179043
549         <rdar://problem/34126008>
550
551         Reviewed by Brian Burg.
552
553         * inspector/remote/RemoteControllableTarget.h:
554         * inspector/remote/RemoteInspectionTarget.h:
555         * inspector/remote/RemoteInspectorConstants.h:
556         Include a new ServiceWorker remote inspector target type.
557
558         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
559         (Inspector::RemoteInspector::listingForInspectionTarget const):
560         Implement listing for a ServiceWorker to include a URL like a page.
561
562         * inspector/remote/glib/RemoteInspectorGlib.cpp:
563         (Inspector::RemoteInspector::listingForInspectionTarget const):
564         Bail for ServiceWorker support in glib. They will need to implement their support.
565
566 2017-11-02  Michael Saboff  <msaboff@apple.com>
567
568         DFG needs to handle code motion of code in for..in loop bodies
569         https://bugs.webkit.org/show_bug.cgi?id=179212
570
571         Reviewed by Keith Miller.
572
573         The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
574         make calls with side effects.  Updated clobberize() for those nodes to take that into account.
575
576         * dfg/DFGClobberize.h:
577         (JSC::DFG::clobberize):
578
579 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
580
581         Inspector should display service worker served responses properly
582         https://bugs.webkit.org/show_bug.cgi?id=178597
583         <rdar://problem/35186111>
584
585         Reviewed by Brian Burg.
586
587         * inspector/protocol/Network.json:
588         Expose a new "service-worker" response source.
589
590 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
591
592         AI does not correctly model the clobber case of ArithClz32
593         https://bugs.webkit.org/show_bug.cgi?id=179188
594
595         Reviewed by Michael Saboff.
596
597         The non-Int32 case clobbers the world because it may call valueOf.
598
599         * dfg/DFGAbstractInterpreterInlines.h:
600         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
601
602 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
603
604         Unreviewed, release throw scope
605         https://bugs.webkit.org/show_bug.cgi?id=178726
606
607         * dfg/DFGOperations.cpp:
608
609 2017-11-02  Frederic Wang  <fwang@igalia.com>
610
611         Add references to bug 179167 in FIXME comments
612         https://bugs.webkit.org/show_bug.cgi?id=179168
613
614         Reviewed by Daniel Bates.
615
616         * Configurations/FeatureDefines.xcconfig:
617
618 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
619
620         Implement WKFullscreenWindowController for iOS.
621         https://bugs.webkit.org/show_bug.cgi?id=178924
622         rdar://problem/34697120
623
624         Reviewed by Simon Fraser.
625
626         Enable ENABLE_FULLSCREEN_API for iOS.
627
628         * Configurations/FeatureDefines.xcconfig:
629
630 2017-11-01  Mark Lam  <mark.lam@apple.com>
631
632         Add support to throw OOM if MarkedArgumentBuffer may overflow.
633         https://bugs.webkit.org/show_bug.cgi?id=179092
634         <rdar://problem/35116160>
635
636         Reviewed by Saam Barati.
637
638         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
639         time, which renders it unsuitable for automated tests.  Instead, I've run a
640         test manually to verify that an OutOfMemoryError will be thrown when an overflow
641         occurs.
642
643         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
644         checked for an overflow after invoking methods that may result in an overflow i.e.
645         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
646         This is only done on debug builds.
647
648         * API/JSObjectRef.cpp:
649         (JSObjectMakeFunction):
650         (JSObjectMakeArray):
651         (JSObjectMakeDate):
652         (JSObjectMakeRegExp):
653         (JSObjectCallAsFunction):
654         (JSObjectCallAsConstructor):
655         * dfg/DFGOperations.cpp:
656         * inspector/InjectedScriptManager.cpp:
657         (Inspector::InjectedScriptManager::createInjectedScript):
658         * inspector/JSJavaScriptCallFrame.cpp:
659         (Inspector::JSJavaScriptCallFrame::scopeChain const):
660         * interpreter/Interpreter.cpp:
661         (JSC::Interpreter::executeProgram):
662         * jsc.cpp:
663         (functionDollarAgentReceiveBroadcast):
664         * runtime/ArgList.cpp:
665         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
666         (JSC::MarkedArgumentBuffer::expandCapacity):
667         (JSC::MarkedArgumentBuffer::slowAppend):
668         * runtime/ArgList.h:
669         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
670         (JSC::MarkedArgumentBuffer::appendWithAction):
671         (JSC::MarkedArgumentBuffer::append):
672         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
673         (JSC::MarkedArgumentBuffer::hasOverflowed):
674         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
675         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
676         * runtime/ArrayPrototype.cpp:
677         * runtime/CommonSlowPaths.cpp:
678         (JSC::SLOW_PATH_DECL):
679         * runtime/GetterSetter.cpp:
680         (JSC::callSetter):
681         * runtime/IteratorOperations.cpp:
682         (JSC::iteratorNext):
683         (JSC::iteratorClose):
684         * runtime/JSBoundFunction.cpp:
685         (JSC::boundThisNoArgsFunctionCall):
686         (JSC::boundFunctionCall):
687         (JSC::boundThisNoArgsFunctionConstruct):
688         (JSC::boundFunctionConstruct):
689         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
690         (JSC::constructGenericTypedArrayViewFromIterator):
691         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
692         (JSC::genericTypedArrayViewProtoFuncSlice):
693         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
694         * runtime/JSGlobalObject.cpp:
695         (JSC::JSGlobalObject::haveABadTime):
696         * runtime/JSInternalPromise.cpp:
697         (JSC::JSInternalPromise::then):
698         * runtime/JSJob.cpp:
699         (JSC::JSJobMicrotask::run):
700         * runtime/JSMapIterator.cpp:
701         (JSC::JSMapIterator::createPair):
702         * runtime/JSModuleLoader.cpp:
703         (JSC::JSModuleLoader::provideFetch):
704         (JSC::JSModuleLoader::loadAndEvaluateModule):
705         (JSC::JSModuleLoader::loadModule):
706         (JSC::JSModuleLoader::linkAndEvaluateModule):
707         (JSC::JSModuleLoader::requestImportModule):
708         * runtime/JSONObject.cpp:
709         (JSC::Stringifier::toJSONImpl):
710         (JSC::Stringifier::appendStringifiedValue):
711         (JSC::Walker::callReviver):
712         * runtime/JSObject.cpp:
713         (JSC::ordinarySetSlow):
714         (JSC::callToPrimitiveFunction):
715         (JSC::JSObject::hasInstance):
716         * runtime/JSPromise.cpp:
717         (JSC::JSPromise::initialize):
718         (JSC::JSPromise::resolve):
719         * runtime/JSPromiseDeferred.cpp:
720         (JSC::newPromiseCapability):
721         (JSC::callFunction):
722         * runtime/JSSetIterator.cpp:
723         (JSC::JSSetIterator::createPair):
724         * runtime/LiteralParser.cpp:
725         (JSC::LiteralParser<CharType>::parse):
726         * runtime/MapConstructor.cpp:
727         (JSC::constructMap):
728         * runtime/ObjectConstructor.cpp:
729         (JSC::defineProperties):
730         * runtime/ProxyObject.cpp:
731         (JSC::performProxyGet):
732         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
733         (JSC::ProxyObject::performHasProperty):
734         (JSC::ProxyObject::performPut):
735         (JSC::performProxyCall):
736         (JSC::performProxyConstruct):
737         (JSC::ProxyObject::performDelete):
738         (JSC::ProxyObject::performPreventExtensions):
739         (JSC::ProxyObject::performIsExtensible):
740         (JSC::ProxyObject::performDefineOwnProperty):
741         (JSC::ProxyObject::performGetOwnPropertyNames):
742         (JSC::ProxyObject::performSetPrototype):
743         (JSC::ProxyObject::performGetPrototype):
744         * runtime/ReflectObject.cpp:
745         (JSC::reflectObjectConstruct):
746         * runtime/SetConstructor.cpp:
747         (JSC::constructSet):
748         * runtime/StringPrototype.cpp:
749         (JSC::replaceUsingRegExpSearch):
750         (JSC::replaceUsingStringSearch):
751         * runtime/WeakMapConstructor.cpp:
752         (JSC::constructWeakMap):
753         * runtime/WeakSetConstructor.cpp:
754         (JSC::constructWeakSet):
755         * wasm/js/WasmToJS.cpp:
756         (JSC::Wasm::wasmToJS):
757
758 2017-11-01  Michael Saboff  <msaboff@apple.com>
759
760         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
761         https://bugs.webkit.org/show_bug.cgi?id=179140
762
763         Reviewed by Saam Barati.
764
765         Added overflow checks to computation of arg count plus this.
766
767         * dfg/DFGSpeculativeJIT32_64.cpp:
768         (JSC::DFG::SpeculativeJIT::compile):
769         * dfg/DFGSpeculativeJIT64.cpp:
770         (JSC::DFG::SpeculativeJIT::compile):
771         * ftl/FTLLowerDFGToB3.cpp:
772         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
773
774 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
775
776         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
777         https://bugs.webkit.org/show_bug.cgi?id=178934
778
779         * ftl/FTLLowerDFGToB3.cpp:
780         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
781
782 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
783
784         [JSC] Introduce @toObject
785         https://bugs.webkit.org/show_bug.cgi?id=178726
786
787         Reviewed by Saam Barati.
788
789         This patch introduces @toObject intrinsic. And we introduce op_to_object bytecode and DFG ToObject node.
790         Previously we emulated @toObject behavior in builtin JS. But it consumes much bytecode size while @toObject
791         is frequently seen and defined clearly in the spec. Furthermore, the emulated @toObject always calls
792         ObjectConstructor in LLInt and Baseline.
793
794         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
795         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
796
797             if (this === @undefined || this === null)
798                 @throwTypeError("error message");
799             var object = @Object(this);
800
801         with
802
803             var object = @toObject(this, "error message");
804
805         And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
806         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
807         In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
808
809         It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.
810
811         * builtins/ArrayConstructor.js:
812         (from):
813         * builtins/ArrayPrototype.js:
814         (values):
815         (keys):
816         (entries):
817         (reduce):
818         (reduceRight):
819         (every):
820         (forEach):
821         (filter):
822         (map):
823         (some):
824         (fill):
825         (find):
826         (findIndex):
827         (includes):
828         (sort):
829         (globalPrivate.concatSlowPath):
830         (copyWithin):
831         * builtins/DatePrototype.js:
832         (toLocaleString.toDateTimeOptionsAnyAll):
833         (toLocaleString):
834         (toLocaleDateString.toDateTimeOptionsDateDate):
835         (toLocaleDateString):
836         (toLocaleTimeString.toDateTimeOptionsTimeTime):
837         (toLocaleTimeString):
838         * builtins/GlobalOperations.js:
839         (globalPrivate.copyDataProperties):
840         (globalPrivate.copyDataPropertiesNoExclusions):
841         * builtins/ObjectConstructor.js:
842         (entries):
843         * builtins/StringConstructor.js:
844         (raw):
845         * builtins/TypedArrayConstructor.js:
846         (from):
847         * builtins/TypedArrayPrototype.js:
848         (map):
849         (filter):
850         * bytecode/BytecodeDumper.cpp:
851         (JSC::BytecodeDumper<Block>::dumpBytecode):
852         * bytecode/BytecodeIntrinsicRegistry.h:
853         * bytecode/BytecodeList.json:
854         * bytecode/BytecodeUseDef.h:
855         (JSC::computeUsesForBytecodeOffset):
856         (JSC::computeDefsForBytecodeOffset):
857         * bytecode/CodeBlock.cpp:
858         (JSC::CodeBlock::finishCreation):
859         * bytecompiler/BytecodeGenerator.cpp:
860         (JSC::BytecodeGenerator::emitToObject):
861         * bytecompiler/BytecodeGenerator.h:
862         * bytecompiler/NodesCodegen.cpp:
863         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
864         * dfg/DFGAbstractInterpreterInlines.h:
865         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
866         * dfg/DFGByteCodeParser.cpp:
867         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
868         (JSC::DFG::ByteCodeParser::parseBlock):
869         * dfg/DFGCapabilities.cpp:
870         (JSC::DFG::capabilityLevel):
871         * dfg/DFGClobberize.h:
872         (JSC::DFG::clobberize):
873         * dfg/DFGDoesGC.cpp:
874         (JSC::DFG::doesGC):
875         * dfg/DFGFixupPhase.cpp:
876         (JSC::DFG::FixupPhase::fixupNode):
877         (JSC::DFG::FixupPhase::fixupToObject):
878         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
879         * dfg/DFGNode.h:
880         (JSC::DFG::Node::convertToCallObjectConstructor):
881         (JSC::DFG::Node::convertToNewStringObject):
882         (JSC::DFG::Node::convertToNewObject):
883         (JSC::DFG::Node::hasIdentifier):
884         (JSC::DFG::Node::hasHeapPrediction):
885         (JSC::DFG::Node::hasCellOperand):
886         * dfg/DFGNodeType.h:
887         * dfg/DFGOperations.cpp:
888         * dfg/DFGOperations.h:
889         * dfg/DFGPredictionPropagationPhase.cpp:
890         * dfg/DFGSafeToExecute.h:
891         (JSC::DFG::safeToExecute):
892         * dfg/DFGSpeculativeJIT.cpp:
893         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
894         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
895         * dfg/DFGSpeculativeJIT.h:
896         (JSC::DFG::SpeculativeJIT::callOperation):
897         * dfg/DFGSpeculativeJIT32_64.cpp:
898         (JSC::DFG::SpeculativeJIT::compile):
899         * dfg/DFGSpeculativeJIT64.cpp:
900         (JSC::DFG::SpeculativeJIT::compile):
901         * ftl/FTLCapabilities.cpp:
902         (JSC::FTL::canCompile):
903         * ftl/FTLLowerDFGToB3.cpp:
904         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
905         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
906         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
907         * jit/JIT.cpp:
908         (JSC::JIT::privateCompileMainPass):
909         (JSC::JIT::privateCompileSlowCases):
910         * jit/JIT.h:
911         * jit/JITOpcodes.cpp:
912         (JSC::JIT::emit_op_to_object):
913         (JSC::JIT::emitSlow_op_to_object):
914         * jit/JITOpcodes32_64.cpp:
915         (JSC::JIT::emit_op_to_object):
916         (JSC::JIT::emitSlow_op_to_object):
917         * jit/JITOperations.cpp:
918         * jit/JITOperations.h:
919         * llint/LowLevelInterpreter32_64.asm:
920         * llint/LowLevelInterpreter64.asm:
921         * runtime/CommonSlowPaths.cpp:
922         (JSC::SLOW_PATH_DECL):
923         * runtime/CommonSlowPaths.h:
924
925 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
926
927         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
928         https://bugs.webkit.org/show_bug.cgi?id=174979
929
930         Reviewed by Yusuke Suzuki.
931
932         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
933
934 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
935
936         [DFG][FTL] Introduce StringSlice
937         https://bugs.webkit.org/show_bug.cgi?id=178934
938
939         Reviewed by Saam Barati.
940
941         String.prototype.slice is one of the most frequently called function in ARES-6/Babylon.
942         This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
943
944         This patch's StringSlice node optimizes the following things.
945
946         1. Empty string generation is accelerated. It is fully executed inline.
947         2. One char string generation is accelerated. `< 0x100` character is supported right now.
948         It is the same to charAt acceleration.
949         3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
950         operation.
951
952         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
953         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
954         in subsequent changes.
955
956         This patch improves ARES-6/Babylon performance by 3% in steady state.
957
958         Baseline:
959             Running... Babylon ( 1  to go)
960             firstIteration:     50.05 +- 13.68 ms
961             averageWorstCase:   16.80 +- 1.27 ms
962             steadyState:        7.53 +- 0.22 ms
963
964         Patched:
965             Running... Babylon ( 1  to go)
966             firstIteration:     50.91 +- 13.41 ms
967             averageWorstCase:   16.12 +- 0.99 ms
968             steadyState:        7.30 +- 0.29 ms
969
970         * dfg/DFGAbstractInterpreterInlines.h:
971         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
972         * dfg/DFGBackwardsPropagationPhase.cpp:
973         (JSC::DFG::BackwardsPropagationPhase::propagate):
974         * dfg/DFGByteCodeParser.cpp:
975         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
976         * dfg/DFGClobberize.h:
977         (JSC::DFG::clobberize):
978         * dfg/DFGDoesGC.cpp:
979         (JSC::DFG::doesGC):
980         * dfg/DFGFixupPhase.cpp:
981         (JSC::DFG::FixupPhase::fixupNode):
982         * dfg/DFGNodeType.h:
983         * dfg/DFGOperations.cpp:
984         * dfg/DFGOperations.h:
985         * dfg/DFGPredictionPropagationPhase.cpp:
986         * dfg/DFGSafeToExecute.h:
987         (JSC::DFG::safeToExecute):
988         * dfg/DFGSpeculativeJIT.cpp:
989         (JSC::DFG::SpeculativeJIT::compileStringSlice):
990         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
991         (JSC::DFG::SpeculativeJIT::compileArraySlice):
992         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
993         * dfg/DFGSpeculativeJIT.h:
994         (JSC::DFG::SpeculativeJIT::callOperation):
995         * dfg/DFGSpeculativeJIT32_64.cpp:
996         (JSC::DFG::SpeculativeJIT::compile):
997         * dfg/DFGSpeculativeJIT64.cpp:
998         (JSC::DFG::SpeculativeJIT::compile):
999         * ftl/FTLCapabilities.cpp:
1000         (JSC::FTL::canCompile):
1001         * ftl/FTLLowerDFGToB3.cpp:
1002         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1003         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
1004         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
1005         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
1006         * jit/JITOperations.h:
1007         * runtime/Intrinsic.cpp:
1008         (JSC::intrinsicName):
1009         * runtime/Intrinsic.h:
1010         * runtime/StringPrototype.cpp:
1011         (JSC::StringPrototype::finishCreation):
1012
1013 2017-10-31  JF Bastien  <jfbastien@apple.com>
1014
1015         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
1016         https://bugs.webkit.org/show_bug.cgi?id=176644
1017
1018         Reviewed by Michael Saboff.
1019
1020         IndexOrName now keeps a RefPtr to its original NameSection, which
1021         holds the Name (or references nullptr if Index). Holding onto the
1022         entire section seems like the better thing to do, since backtraces
1023         probably contain multiple names from the same Module.
1024
1025         * JavaScriptCore.xcodeproj/project.pbxproj:
1026         * interpreter/Interpreter.cpp:
1027         (JSC::GetStackTraceFunctor::operator() const):
1028         * interpreter/StackVisitor.h: Frame is no longer POD because of the
1029         RefPtr.
1030         * runtime/StackFrame.cpp:
1031         (JSC::StackFrame::StackFrame):
1032         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
1033         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
1034         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
1035         * wasm/WasmBBQPlanInlines.h:
1036         (JSC::Wasm::BBQPlan::initializeCallees):
1037         * wasm/WasmCallee.cpp:
1038         (JSC::Wasm::Callee::Callee):
1039         * wasm/WasmCallee.h:
1040         (JSC::Wasm::Callee::create):
1041         * wasm/WasmFormat.h: Move NameSection to its own header.
1042         (JSC::Wasm::isValidNameType):
1043         (JSC::Wasm::NameSection::get): Deleted.
1044         * wasm/WasmIndexOrName.cpp:
1045         (JSC::Wasm::IndexOrName::IndexOrName):
1046         (JSC::Wasm::makeString):
1047         * wasm/WasmIndexOrName.h:
1048         (JSC::Wasm::IndexOrName::IndexOrName):
1049         (JSC::Wasm::IndexOrName::isEmpty const):
1050         (JSC::Wasm::IndexOrName::isIndex const):
1051         * wasm/WasmModuleInformation.cpp:
1052         (JSC::Wasm::ModuleInformation::ModuleInformation):
1053         * wasm/WasmModuleInformation.h:
1054         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
1055         * wasm/WasmNameSection.h:
1056         (JSC::Wasm::NameSection::get):
1057         (JSC::Wasm::NameSection::create): Deleted.
1058         * wasm/WasmNameSectionParser.cpp:
1059         (JSC::Wasm::NameSectionParser::parse):
1060         * wasm/WasmNameSectionParser.h:
1061         * wasm/WasmOMGPlan.cpp:
1062         (JSC::Wasm::OMGPlan::work):
1063
1064 2017-10-31  Tim Horton  <timothy_horton@apple.com>
1065
1066         Clean up some drag and drop feature flags
1067         https://bugs.webkit.org/show_bug.cgi?id=179082
1068
1069         Reviewed by Simon Fraser.
1070
1071         * Configurations/FeatureDefines.xcconfig:
1072
1073 2017-10-31  Commit Queue  <commit-queue@webkit.org>
1074
1075         Unreviewed, rolling out r224243, r224246, and r224248.
1076         https://bugs.webkit.org/show_bug.cgi?id=179083
1077
1078         The patch and fix broke the Windows build. (Requested by
1079         mlewis13 on #webkit).
1080
1081         Reverted changesets:
1082
1083         "StructureStubInfo should have GPRReg members not int8_ts"
1084         https://bugs.webkit.org/show_bug.cgi?id=179071
1085         https://trac.webkit.org/changeset/224243
1086
1087         "Make all register enums be backed by uint8_t."
1088         https://bugs.webkit.org/show_bug.cgi?id=179074
1089         https://trac.webkit.org/changeset/224246
1090
1091         "Unreviewed, windows build fix."
1092         https://trac.webkit.org/changeset/224248
1093
1094 2017-10-31  Tim Horton  <timothy_horton@apple.com>
1095
1096         Fix up some content filtering feature flags
1097         https://bugs.webkit.org/show_bug.cgi?id=179079
1098
1099         Reviewed by Simon Fraser.
1100
1101         * Configurations/FeatureDefines.xcconfig:
1102
1103 2017-10-31  Keith Miller  <keith_miller@apple.com>
1104
1105         Unreviewed, windows build fix.
1106
1107         * assembler/X86Assembler.h:
1108         (JSC::X86Assembler::numberOfRegisters):
1109         (JSC::X86Assembler::numberOfSPRegisters):
1110         (JSC::X86Assembler::numberOfFPRegisters):
1111
1112 2017-10-31  Keith Miller  <keith_miller@apple.com>
1113
1114         Make all register enums be backed by uint8_t.
1115         https://bugs.webkit.org/show_bug.cgi?id=179074
1116
1117         Reviewed by Mark Lam.
1118
1119         * assembler/ARM64Assembler.h:
1120         * assembler/ARMAssembler.h:
1121         * assembler/ARMv7Assembler.h:
1122         * assembler/MIPSAssembler.h:
1123         * assembler/MacroAssembler.h:
1124         * assembler/X86Assembler.h:
1125
1126 2017-10-31  Keith Miller  <keith_miller@apple.com>
1127
1128         StructureStubInfo should have GPRReg members not int8_ts
1129         https://bugs.webkit.org/show_bug.cgi?id=179071
1130
1131         Reviewed by Michael Saboff.
1132
1133         This patch makes the various RegisterID enums be backed by
1134         uint8_t. This means that we can remove the old int8_t members in
1135         StructureStubInfo and replace them with the correct enum types.
1136
1137         Also, this fixes an indentation issue in ARMv7Assembler.h.
1138
1139         * assembler/ARM64Assembler.h:
1140         * assembler/ARMAssembler.h:
1141         * assembler/ARMv7Assembler.h:
1142         (JSC::ARMRegisters::asSingle):
1143         (JSC::ARMRegisters::asDouble):
1144         * assembler/MIPSAssembler.h:
1145         * assembler/X86Assembler.h:
1146         * bytecode/InlineAccess.cpp:
1147         (JSC::InlineAccess::generateSelfPropertyAccess):
1148         (JSC::getScratchRegister):
1149         * bytecode/PolymorphicAccess.cpp:
1150         (JSC::PolymorphicAccess::regenerate):
1151         * bytecode/StructureStubInfo.h:
1152         (JSC::StructureStubInfo::valueRegs const):
1153         * dfg/DFGSpeculativeJIT.cpp:
1154         (JSC::DFG::SpeculativeJIT::compileIn):
1155         * ftl/FTLLowerDFGToB3.cpp:
1156         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
1157         * jit/JITInlineCacheGenerator.cpp:
1158         (JSC::JITByIdGenerator::JITByIdGenerator):
1159         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
1160
1161 2017-10-31  Devin Rousso  <webkit@devinrousso.com>
1162
1163         Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
1164         https://bugs.webkit.org/show_bug.cgi?id=179048
1165
1166         Reviewed by Mark Lam.
1167
1168         * inspector/ScriptCallStackFactory.h:
1169         * inspector/ScriptCallStackFactory.cpp:
1170         (createScriptCallStack):
1171         (createScriptCallStackForConsole):
1172         (createScriptCallStackFromException):
1173
1174         * inspector/ConsoleMessage.cpp:
1175         (Inspector::ConsoleMessage::autogenerateMetadata):
1176         * inspector/JSGlobalObjectInspectorController.cpp:
1177         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
1178         * inspector/agents/InspectorConsoleAgent.cpp:
1179         (Inspector::InspectorConsoleAgent::count):
1180         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
1181         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
1182
1183 2017-10-31  Carlos Garcia Campos  <cgarcia@igalia.com>
1184
1185         Unreviewed. Fix GTK+ make distcheck.
1186
1187         Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
1188
1189         * CMakeLists.txt:
1190
1191 2017-10-30  Saam Barati  <sbarati@apple.com>
1192
1193         We need a storeStoreFence before storing to the instruction stream's live variable catch data
1194         https://bugs.webkit.org/show_bug.cgi?id=178649
1195
1196         Reviewed by Keith Miller.
1197
1198         * bytecode/CodeBlock.cpp:
1199         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1200
1201 2017-10-30  Michael Catanzaro  <mcatanzaro@igalia.com>
1202
1203         [WPE] Fix build warnings
1204         https://bugs.webkit.org/show_bug.cgi?id=178899
1205
1206         Reviewed by Carlos Alberto Lopez Perez.
1207
1208         * PlatformWPE.cmake:
1209
1210 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
1211
1212         [ARMv7] Fix initial start register support in YarrJIT
1213         https://bugs.webkit.org/show_bug.cgi?id=178641
1214
1215         Reviewed by Saam Barati.
1216
1217         * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
1218         YarrGenerator class. r6 should be avoided since it's already used inside
1219         MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
1220         can be used as the frame pointer register when targetting ARM Thumb2.
1221
1222 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
1223
1224         [ARM64][Linux] Re-enable Gigacage
1225         https://bugs.webkit.org/show_bug.cgi?id=178130
1226
1227         Reviewed by Michael Catanzaro.
1228
1229         Guard the current globaladdr opcode implementation for ARM64 with
1230         OS(DARWIN) as it's only usable for Mach-O.
1231
1232         For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
1233         have to be used. The .loh directive can't be used as it's not supported
1234         in GCC or the ld linker.
1235
1236         On every other OS target, a compilation error is thrown.
1237
1238         * offlineasm/arm64.rb:
1239
1240 2017-10-27  Devin Rousso  <webkit@devinrousso.com>
1241
1242         Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
1243         https://bugs.webkit.org/show_bug.cgi?id=178799
1244         <rdar://problem/35175805>
1245
1246         Reviewed by Brian Burg.
1247
1248         * inspector/protocol/Canvas.json:
1249         Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
1250
1251 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1252
1253         [JSC] Tweak ES6 generator function to allow inlining
1254         https://bugs.webkit.org/show_bug.cgi?id=178935
1255
1256         Reviewed by Saam Barati.
1257
1258         We optimize builtins' generator helper functions to allow them inlined in the caller side.
1259         This patch adjust the layer between @generatorResume, next(), throw(), and return() to allow
1260         them inlined in DFG.
1261
1262                                        baseline                  patched
1263
1264         spread-generator.es6      301.2637+-11.1011    ^    260.5905+-14.2258       ^ definitely 1.1561x faster
1265         generator.es6             269.6030+-13.2435    ^    148.8840+-6.7614        ^ definitely 1.8108x faster
1266
1267         * builtins/GeneratorPrototype.js:
1268         (globalPrivate.generatorResume):
1269         (next):
1270         (return):
1271         (throw):
1272
1273 2017-10-27  Saam Barati  <sbarati@apple.com>
1274
1275         Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
1276         https://bugs.webkit.org/show_bug.cgi?id=178949
1277
1278         Reviewed by Keith Miller.
1279
1280         This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
1281         so that we don't need to recompute liveness for the same UnlinkedCodeBlock
1282         more than once. To do this, this patch solidifies the invariant that CodeBlock
1283         linking can't do anything that would change the result of liveness. For example,
1284         it can't introduce new locals. This invariant was met my JSC before, because we
1285         didn't do anything in bytecode linking that would change liveness. However, it is
1286         now a correctness requirement that we don't do anything that would change the
1287         result of running liveness. To support this change, I've refactored BytecodeGraph
1288         to not be tied to a CodeBlockType*. Things that perform liveness will pass in
1289         CodeBlockType* and the instruction stream as needed. This means that we may
1290         compute liveness with one CodeBlock*'s instruction stream, and then perform
1291         queries on that analysis with a different CodeBlock*'s instruction stream.
1292
1293         This seems to be a 2% JSBench progression.
1294
1295         * bytecode/BytecodeGeneratorification.cpp:
1296         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
1297         (JSC::BytecodeGeneratorification::graph):
1298         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
1299         (JSC::GeneratorLivenessAnalysis::run):
1300         (JSC::BytecodeGeneratorification::run):
1301         * bytecode/BytecodeGraph.h:
1302         (JSC::BytecodeGraph::BytecodeGraph):
1303         (JSC::BytecodeGraph::codeBlock const): Deleted.
1304         (JSC::BytecodeGraph::instructions): Deleted.
1305         (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
1306         * bytecode/BytecodeLivenessAnalysis.cpp:
1307         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
1308         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
1309         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
1310         (JSC::BytecodeLivenessAnalysis::computeKills):
1311         (JSC::BytecodeLivenessAnalysis::dumpResults):
1312         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
1313         (JSC::BytecodeLivenessAnalysis::compute): Deleted.
1314         * bytecode/BytecodeLivenessAnalysis.h:
1315         * bytecode/BytecodeLivenessAnalysisInlines.h:
1316         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
1317         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
1318         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
1319         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
1320         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
1321         * bytecode/BytecodeRewriter.cpp:
1322         (JSC::BytecodeRewriter::applyModification):
1323         (JSC::BytecodeRewriter::execute):
1324         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
1325         * bytecode/BytecodeRewriter.h:
1326         (JSC::BytecodeRewriter::BytecodeRewriter):
1327         (JSC::BytecodeRewriter::removeBytecode):
1328         (JSC::BytecodeRewriter::graph):
1329         * bytecode/CodeBlock.cpp:
1330         (JSC::CodeBlock::finishCreation):
1331         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
1332         (JSC::CodeBlock::validate):
1333         (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
1334         * bytecode/CodeBlock.h:
1335         (JSC::CodeBlock::livenessAnalysis):
1336         * bytecode/UnlinkedCodeBlock.cpp:
1337         (JSC::UnlinkedCodeBlock::applyModification):
1338         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
1339         * bytecode/UnlinkedCodeBlock.h:
1340         (JSC::UnlinkedCodeBlock::livenessAnalysis):
1341         * dfg/DFGGraph.cpp:
1342         (JSC::DFG::Graph::livenessFor):
1343         (JSC::DFG::Graph::killsFor):
1344         * dfg/DFGPlan.cpp:
1345         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
1346         * jit/JIT.cpp:
1347         (JSC::JIT::privateCompileMainPass):
1348
1349 2017-10-27  Keith Miller  <keith_miller@apple.com>
1350
1351         Add unified source list files and build scripts to Xcode project navigator
1352         https://bugs.webkit.org/show_bug.cgi?id=178959
1353
1354         Reviewed by Andy Estes.
1355
1356         Also, Add some extra source files for so new .cpp/.mm files don't cause the build
1357         to fail right away. We already do this in WebCore.
1358
1359         * JavaScriptCore.xcodeproj/project.pbxproj:
1360         * PlatformMac.cmake:
1361         * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
1362
1363 2017-10-27  JF Bastien  <jfbastien@apple.com>
1364
1365         WebAssembly: update arbitrary limits to what browsers use
1366         https://bugs.webkit.org/show_bug.cgi?id=178946
1367         <rdar://problem/34257412>
1368         <rdar://problem/34501154>
1369
1370         Reviewed by Saam Barati.
1371
1372         https://github.com/WebAssembly/design/issues/1138 discusses the
1373         arbitrary function size limit, which it turns out Chrome and
1374         Firefox didn't enforce. We didn't use it because it was
1375         ridiculously low and actual programs ran into that limit (bummer
1376         for Edge which just shipped it...). Now that we agree on a high
1377         arbitrary program limit, let's update it! While I'm doing this
1378         there are a few other spots that I polished to use Checked or
1379         better check limits overall.
1380
1381         * wasm/WasmB3IRGenerator.cpp:
1382         (JSC::Wasm::B3IRGenerator::addLocal):
1383         * wasm/WasmFormat.cpp:
1384         (JSC::Wasm::Segment::create):
1385         * wasm/WasmFunctionParser.h:
1386         (JSC::Wasm::FunctionParser<Context>::parse):
1387         * wasm/WasmInstance.cpp:
1388         * wasm/WasmLimits.h:
1389         * wasm/WasmModuleParser.cpp:
1390         (JSC::Wasm::ModuleParser::parseGlobal):
1391         (JSC::Wasm::ModuleParser::parseCode):
1392         (JSC::Wasm::ModuleParser::parseData):
1393         * wasm/WasmSignature.h:
1394         (JSC::Wasm::Signature::allocatedSize):
1395         * wasm/WasmTable.cpp:
1396         (JSC::Wasm::Table::Table):
1397         * wasm/js/JSWebAssemblyTable.cpp:
1398         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1399         (JSC::JSWebAssemblyTable::grow):
1400
1401 2017-10-26  Michael Saboff  <msaboff@apple.com>
1402
1403         REGRESSION(r222601): We fail to properly backtrack into a sub pattern of a parenthesis with non-zero minimum
1404         https://bugs.webkit.org/show_bug.cgi?id=178890
1405
1406         Reviewed by Keith Miller.
1407
1408         We need to let a contained subpattern backtrack before declaring that the containing
1409         parenthesis doesn't match.  If the subpattern fails to match backtracking, then we
1410         can check to see if we trying to backtrack below the minimum match count.
1411         
1412         * yarr/YarrInterpreter.cpp:
1413         (JSC::Yarr::Interpreter::backtrackParentheses):
1414
1415 2017-10-26  Mark Lam  <mark.lam@apple.com>
1416
1417         JSRopeString::RopeBuilder::append() should check for overflows.
1418         https://bugs.webkit.org/show_bug.cgi?id=178385
1419         <rdar://problem/35027468>
1420
1421         Reviewed by Saam Barati.
1422
1423         1. Made RopeString check for overflow like the Checked class does.
1424         2. Added a missing overflow check in objectProtoFuncToString().
1425
1426         * runtime/JSString.cpp:
1427         (JSC::JSRopeString::RopeBuilder<RecordOverflow>::expand):
1428         (JSC::JSRopeString::RopeBuilder::expand): Deleted.
1429         * runtime/JSString.h:
1430         * runtime/ObjectPrototype.cpp:
1431         (JSC::objectProtoFuncToString):
1432         * runtime/Operations.h:
1433         (JSC::jsStringFromRegisterArray):
1434         (JSC::jsStringFromArguments):
1435
1436 2017-10-26  JF Bastien  <jfbastien@apple.com>
1437
1438         WebAssembly: no VM / JS version of our implementation
1439         https://bugs.webkit.org/show_bug.cgi?id=177472
1440
1441         Reviewed by Michael Saboff.
1442
1443         This patch removes all appearances of "JS" and "VM" in the wasm
1444         directory. These now only appear in the wasm/js directory, which
1445         is only used in a JS embedding of wasm. It should therefore now be
1446         possible to create non-JS embeddings of wasm through JSC, though
1447         it'll still require:
1448
1449           - Mild codegen for wasm<->embedder calls;
1450           - A strategy for trap handling (no need for full unwind! Could kill).
1451           - Creation of the Wasm::* objects.
1452           - Calling convention handling to call the embedder.
1453           - Handling of multiple embedders (see #177475, this is optional).
1454
1455         Most of the patch consists in renaming JSWebAssemblyInstance to
1456         Instance, and removing temporary copies which I'd added to make
1457         this specific patch very simple.
1458
1459         * interpreter/CallFrame.cpp:
1460         (JSC::CallFrame::wasmAwareLexicalGlobalObject): this one place
1461         which needs to know about who "owns" the Wasm::Instance. In a JS
1462         embedding it's the JSWebAssemblyInstance.
1463         * wasm/WasmB3IRGenerator.cpp:
1464         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1465         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
1466         (JSC::Wasm::B3IRGenerator::addGrowMemory):
1467         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
1468         (JSC::Wasm::B3IRGenerator::getGlobal):
1469         (JSC::Wasm::B3IRGenerator::setGlobal):
1470         (JSC::Wasm::B3IRGenerator::addCall):
1471         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1472         * wasm/WasmBinding.cpp:
1473         (JSC::Wasm::wasmToWasm):
1474         * wasm/WasmContext.cpp:
1475         (JSC::Wasm::Context::load const):
1476         (JSC::Wasm::Context::store):
1477         * wasm/WasmContext.h:
1478         * wasm/WasmEmbedder.h:
1479         * wasm/WasmInstance.cpp:
1480         (JSC::Wasm::Instance::Instance):
1481         (JSC::Wasm::Instance::create):
1482         (JSC::Wasm::Instance::extraMemoryAllocated const):
1483         * wasm/WasmInstance.h: add an "owner", the Wasm::Context, move the
1484         "tail" import information from JSWebAssemblyInstance over to here.
1485         (JSC::Wasm::Instance::finalizeCreation):
1486         (JSC::Wasm::Instance::owner const):
1487         (JSC::Wasm::Instance::offsetOfOwner):
1488         (JSC::Wasm::Instance::context const):
1489         (JSC::Wasm::Instance::setMemory):
1490         (JSC::Wasm::Instance::setTable):
1491         (JSC::Wasm::Instance::offsetOfMemory):
1492         (JSC::Wasm::Instance::offsetOfGlobals):
1493         (JSC::Wasm::Instance::offsetOfTable):
1494         (JSC::Wasm::Instance::offsetOfTail):
1495         (JSC::Wasm::Instance::numImportFunctions const):
1496         (JSC::Wasm::Instance::importFunctionInfo):
1497         (JSC::Wasm::Instance::offsetOfTargetInstance):
1498         (JSC::Wasm::Instance::offsetOfWasmEntrypoint):
1499         (JSC::Wasm::Instance::offsetOfWasmToEmbedderStubExecutableAddress):
1500         (JSC::Wasm::Instance::offsetOfImportFunction):
1501         (JSC::Wasm::Instance::importFunction):
1502         (JSC::Wasm::Instance::allocationSize):
1503         (JSC::Wasm::Instance::create): Deleted.
1504         * wasm/WasmOMGPlan.cpp:
1505         (JSC::Wasm::OMGPlan::runForIndex):
1506         * wasm/WasmOMGPlan.h:
1507         * wasm/WasmTable.cpp:
1508         (JSC::Wasm::Table::Table):
1509         (JSC::Wasm::Table::setFunction):
1510         * wasm/WasmTable.h:
1511         * wasm/WasmThunks.cpp:
1512         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1513         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
1514         * wasm/js/JSToWasm.cpp:
1515         (JSC::Wasm::createJSToWasmWrapper):
1516         * wasm/js/JSWebAssemblyInstance.cpp: delete code that is now on Wasm::Instance
1517         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance): The embedder
1518         decides what the import function is. Here we must properly
1519         placement-new it to what we've elected (and initialize it later).
1520         (JSC::JSWebAssemblyInstance::visitChildren):
1521         (JSC::JSWebAssemblyInstance::finalizeCreation):
1522         (JSC::JSWebAssemblyInstance::create):
1523         * wasm/js/JSWebAssemblyInstance.h: delete code that is now on Wasm::Instance
1524         (JSC::JSWebAssemblyInstance::instance):
1525         (JSC::JSWebAssemblyInstance::moduleNamespaceObject):
1526         (JSC::JSWebAssemblyInstance::setMemory):
1527         (JSC::JSWebAssemblyInstance::table):
1528         (JSC::JSWebAssemblyInstance::setTable):
1529         (JSC::JSWebAssemblyInstance::offsetOfInstance):
1530         (JSC::JSWebAssemblyInstance::offsetOfCallee):
1531         (JSC::JSWebAssemblyInstance::context const): Deleted.
1532         (JSC::JSWebAssemblyInstance::offsetOfTail): Deleted.
1533         (): Deleted.
1534         (JSC::JSWebAssemblyInstance::importFunctionInfo): Deleted.
1535         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance): Deleted.
1536         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint): Deleted.
1537         (JSC::JSWebAssemblyInstance::offsetOfWasmToEmbedderStubExecutableAddress): Deleted.
1538         (JSC::JSWebAssemblyInstance::offsetOfImportFunction): Deleted.
1539         (JSC::JSWebAssemblyInstance::importFunction): Deleted.
1540         (JSC::JSWebAssemblyInstance::internalMemory): Deleted.
1541         (JSC::JSWebAssemblyInstance::wasmCodeBlock const): Deleted.
1542         (JSC::JSWebAssemblyInstance::offsetOfWasmTable): Deleted.
1543         (JSC::JSWebAssemblyInstance::offsetOfGlobals): Deleted.
1544         (JSC::JSWebAssemblyInstance::offsetOfCodeBlock): Deleted.
1545         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock): Deleted.
1546         (JSC::JSWebAssemblyInstance::offsetOfCachedStackLimit): Deleted.
1547         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory): Deleted.
1548         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer): Deleted.
1549         (JSC::JSWebAssemblyInstance::cachedStackLimit const): Deleted.
1550         (JSC::JSWebAssemblyInstance::setCachedStackLimit): Deleted.
1551         (JSC::JSWebAssemblyInstance::wasmMemory): Deleted.
1552         (JSC::JSWebAssemblyInstance::wasmModule): Deleted.
1553         (JSC::JSWebAssemblyInstance::allocationSize): Deleted.
1554         * wasm/js/JSWebAssemblyTable.cpp:
1555         (JSC::JSWebAssemblyTable::setFunction):
1556         * wasm/js/WasmToJS.cpp: One extra indirection to find the JSWebAssemblyInstance.
1557         (JSC::Wasm::materializeImportJSCell):
1558         (JSC::Wasm::handleBadI64Use):
1559         (JSC::Wasm::wasmToJS):
1560         (JSC::Wasm::wasmToJSException):
1561         * wasm/js/WasmToJS.h:
1562         * wasm/js/WebAssemblyFunction.cpp:
1563         (JSC::callWebAssemblyFunction):
1564         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1565         (JSC::constructJSWebAssemblyInstance):
1566         * wasm/js/WebAssemblyModuleRecord.cpp:
1567         (JSC::WebAssemblyModuleRecord::link):
1568         (JSC::WebAssemblyModuleRecord::evaluate):
1569         * wasm/js/WebAssemblyPrototype.cpp:
1570         (JSC::instantiate):
1571         * wasm/js/WebAssemblyWrapperFunction.cpp:
1572         (JSC::WebAssemblyWrapperFunction::create):
1573
1574 2017-10-25  Devin Rousso  <webkit@devinrousso.com>
1575
1576         Web Inspector: provide a way to enable/disable event listeners
1577         https://bugs.webkit.org/show_bug.cgi?id=177451
1578         <rdar://problem/34994925>
1579
1580         Reviewed by Joseph Pecoraro.
1581
1582         * inspector/protocol/DOM.json:
1583         Add `setEventListenerDisabled` command that enables/disables a specific event listener
1584         during event dispatch. When a disabled event listener is fired, the listener's callback will
1585         not be called.
1586
1587 2017-10-25  Commit Queue  <commit-queue@webkit.org>
1588
1589         Unreviewed, rolling out r223691 and r223729.
1590         https://bugs.webkit.org/show_bug.cgi?id=178834
1591
1592         Broke Speedometer 2 React-Redux-TodoMVC test case (Requested
1593         by rniwa on #webkit).
1594
1595         Reverted changesets:
1596
1597         "Turn recursive tail calls into loops"
1598         https://bugs.webkit.org/show_bug.cgi?id=176601
1599         https://trac.webkit.org/changeset/223691
1600
1601         "REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning:
1602         comparison is always false due to limited range of data type
1603         [-Wtype-limits]"
1604         https://bugs.webkit.org/show_bug.cgi?id=178543
1605         https://trac.webkit.org/changeset/223729
1606
1607 2017-10-25  Michael Saboff  <msaboff@apple.com>
1608
1609         REGRESSION(r223937): Use of -fobjc-weak causes build failures with older compilers
1610         https://bugs.webkit.org/show_bug.cgi?id=178825
1611
1612         Reviewed by Mark Lam.
1613
1614         Enable ARC for ARM64_32.  This eliminate the need for setting CLANG_ENABLE_OBJC_WEAK.
1615
1616         * Configurations/ToolExecutable.xcconfig:
1617
1618 2017-10-25  Keith Miller  <keith_miller@apple.com>
1619
1620         Fix implicit cast of enum, which seems to break the windows build of unified sources.
1621         https://bugs.webkit.org/show_bug.cgi?id=178822
1622
1623         Reviewed by Saam Barati.
1624
1625         * bytecode/DFGExitProfile.h:
1626         (JSC::DFG::FrequentExitSite::hash const):
1627
1628 2017-10-24  Michael Saboff  <msaboff@apple.com>
1629
1630         Allow OjbC Weak References when building TestAPI
1631         https://bugs.webkit.org/show_bug.cgi?id=178748
1632
1633         Reviewed by Dan Bernstein.
1634
1635         Set TestAPI build flag Weak References in Manual Retain Release to true.
1636
1637         * JavaScriptCore.xcodeproj/project.pbxproj: Reverted.
1638         * Configurations/ToolExecutable.xcconfig: Changed the flag here instead.
1639
1640 2017-10-24  Eric Carlson  <eric.carlson@apple.com>
1641
1642         Web Inspector: Enable WebKit logging configuration and display
1643         https://bugs.webkit.org/show_bug.cgi?id=177027
1644         <rdar://problem/33964767>
1645
1646         Reviewed by Joseph Pecoraro.
1647
1648         * inspector/ConsoleMessage.cpp:
1649         (Inspector::messageSourceValue): Inspector::Protocol::Console::ConsoleMessage -> 
1650             Inspector::Protocol::Console::ChannelSource.
1651         * inspector/agents/JSGlobalObjectConsoleAgent.cpp:
1652         (Inspector::JSGlobalObjectConsoleAgent::getLoggingChannels): There are no logging channels
1653             specific to a JSContext yet, so return an empty channel array.
1654         (Inspector::JSGlobalObjectConsoleAgent::setLoggingChannelLevel): No channels, return an error.
1655         * inspector/agents/JSGlobalObjectConsoleAgent.h:
1656
1657         * inspector/protocol/Console.json: Add ChannelSource, ChannelLevel, and Channel. Add getLoggingChannels
1658             and setLoggingChannelLevel.
1659
1660         * inspector/scripts/codegen/generator.py: Special case "webrtc"-> "WebRTC".
1661         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1662         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1663         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1664         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1665         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1666
1667         * runtime/ConsoleTypes.h: Add Media and WebRTC.
1668
1669 2017-10-24  Michael Saboff  <msaboff@apple.com>
1670
1671         Allow OjbC Weak References when building TestAPI
1672         https://bugs.webkit.org/show_bug.cgi?id=178748
1673
1674         Reviewed by Saam Barati.
1675
1676         Set TestAPI build flag Weak References in Manual Retain Release to true.
1677
1678         * JavaScriptCore.xcodeproj/project.pbxproj:
1679
1680 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1681
1682         [FTL] Support NewStringObject
1683         https://bugs.webkit.org/show_bug.cgi?id=178737
1684
1685         Reviewed by Saam Barati.
1686
1687         FTL should support NewStringObject and encourage use of NewStringObject in DFG pipeline.
1688         After this change, we can convert `CallObjectConstructor(String)` to `NewStringObject(String)`.
1689
1690         * ftl/FTLAbstractHeapRepository.h:
1691         * ftl/FTLCapabilities.cpp:
1692         (JSC::FTL::canCompile):
1693         * ftl/FTLLowerDFGToB3.cpp:
1694         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1695         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1696
1697 2017-10-24  Guillaume Emont  <guijemont@igalia.com>
1698
1699         [mips] fix offsets of branches that have to go over a jump
1700         https://bugs.webkit.org/show_bug.cgi?id=153464
1701
1702         The jump() function creates 8 instructions, but the offsets of branches
1703         meant to go over them only account for 6. In most cases, this is not an
1704         issue as the last two instructions of jump() would be nops, but in the
1705         rarer case where the jump destination is in a different 256 MB segment,
1706         MIPSAssembler::linkWithOffset() will rewrite the code in a way in which
1707         the last 4 instructions would be a 2 instruction load (lui/ori) into
1708         $t9, a "j $t9" and then a nop. The wrong offset will mean that the
1709         previous branches meant to go over the whole jump will branch to the
1710         "j $t9" instruction, which would jump to whatever is currently in $t9
1711         (since lui/ori would not be executed).
1712
1713         Reviewed by Michael Catanzaro.
1714
1715         * assembler/MacroAssemblerMIPS.h:
1716         (JSC::MacroAssemblerMIPS::branchAdd32):
1717         (JSC::MacroAssemblerMIPS::branchMul32):
1718         (JSC::MacroAssemblerMIPS::branchSub32):
1719         Fix the offsets of branches meant to go over code generated by jump().
1720
1721 2017-10-24  JF Bastien  <jfbastien@apple.com>
1722
1723         WebAssembly: NFC renames of things that aren't JS-specific
1724         https://bugs.webkit.org/show_bug.cgi?id=178738
1725
1726         Reviewed by Saam Barati.
1727
1728         * wasm/WasmB3IRGenerator.cpp:
1729         (JSC::Wasm::parseAndCompile):
1730         * wasm/WasmB3IRGenerator.h:
1731         * wasm/WasmBBQPlan.cpp:
1732         (JSC::Wasm::BBQPlan::complete):
1733         * wasm/WasmCodeBlock.cpp:
1734         (JSC::Wasm::CodeBlock::CodeBlock):
1735         * wasm/WasmCodeBlock.h:
1736         (JSC::Wasm::CodeBlock::embedderEntrypointCalleeFromFunctionIndexSpace):
1737         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
1738         * wasm/WasmFormat.h:
1739         * wasm/js/JSToWasm.cpp:
1740         (JSC::Wasm::createJSToWasmWrapper):
1741         * wasm/js/WebAssemblyModuleRecord.cpp:
1742         (JSC::WebAssemblyModuleRecord::link):
1743         (JSC::WebAssemblyModuleRecord::evaluate):
1744
1745 2017-10-24  Stephan Szabo  <stephan.szabo@sony.com>
1746
1747         [Win][JSCOnly] Make jsconly build testapi and dlls and copy dlls when running tests
1748         https://bugs.webkit.org/show_bug.cgi?id=177279
1749
1750         Reviewed by Yusuke Suzuki.
1751
1752         * shell/PlatformJSCOnly.cmake: Added.
1753
1754 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
1755
1756         [JSC] modules can be visited more than once when resolving bindings through "star" exports as long as the exportName is different each time
1757         https://bugs.webkit.org/show_bug.cgi?id=178308
1758
1759         Reviewed by Mark Lam.
1760
1761         With the change of the spec[1], we now do not need to remember star resolution modules.
1762         We reflect this change to our implementation. Since this change is covered by test262,
1763         this patch improves the score of test262.
1764
1765         We also add logging to ResolveExport to debug it easily.
1766
1767         [1]: https://github.com/tc39/ecma262/commit/a865e778ff0fc60e26e3e1c589635103710766a1
1768
1769         * runtime/AbstractModuleRecord.cpp:
1770         (JSC::AbstractModuleRecord::ResolveQuery::dump const):
1771         (JSC::AbstractModuleRecord::resolveExportImpl):
1772
1773 2017-10-24  Yusuke Suzuki  <utatane.tea@gmail.com>
1774
1775         [JSC] Use emitDumbVirtualCall in 32bit JIT
1776         https://bugs.webkit.org/show_bug.cgi?id=178644
1777
1778         Reviewed by Mark Lam.
1779
1780         This patch aligns 32bit JIT op_call_eval slow case to 64bit version by using emitDumbVirtualCall.
1781
1782         * jit/JITCall32_64.cpp:
1783         (JSC::JIT::compileCallEvalSlowCase):
1784
1785 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1786
1787         [JSC] Drop ArityCheckData
1788         https://bugs.webkit.org/show_bug.cgi?id=178648
1789
1790         Reviewed by Mark Lam.
1791
1792         ArityCheckData is used to return a pair of `slotsToAdd` and `thunkToCall`.
1793         However, use of `thunkToCall` is removed in 64bit environment at r189575.
1794
1795         We remove `thunkToCall` and align 32bit implementation to 64bit implementation.
1796         Since we no longer need to have the above pair, we can remove ArityCheckData too.
1797
1798         * llint/LowLevelInterpreter32_64.asm:
1799         * llint/LowLevelInterpreter64.asm:
1800         * runtime/CommonSlowPaths.cpp:
1801         (JSC::SLOW_PATH_DECL):
1802         (JSC::setupArityCheckData): Deleted.
1803         * runtime/CommonSlowPaths.h:
1804         * runtime/VM.cpp:
1805         (JSC::VM::VM):
1806         * runtime/VM.h:
1807
1808 2017-10-23  Keith Miller  <keith_miller@apple.com>
1809
1810         Unreviewed, reland r223866
1811
1812         Didn't break the windows build...
1813
1814         Restored changeset:
1815
1816         "WebAssembly: topEntryFrame on Wasm::Instance"
1817         https://bugs.webkit.org/show_bug.cgi?id=178690
1818         https://trac.webkit.org/changeset/223866
1819
1820
1821 2017-10-23  Commit Queue  <commit-queue@webkit.org>
1822
1823         Unreviewed, rolling out r223866.
1824         https://bugs.webkit.org/show_bug.cgi?id=178699
1825
1826         Probably broke the windows build (Requested by keith_miller on
1827         #webkit).
1828
1829         Reverted changeset:
1830
1831         "WebAssembly: topEntryFrame on Wasm::Instance"
1832         https://bugs.webkit.org/show_bug.cgi?id=178690
1833         https://trac.webkit.org/changeset/223866
1834
1835 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
1836
1837         Web Inspector: Remove unused Console.setMonitoringXHREnabled
1838         https://bugs.webkit.org/show_bug.cgi?id=178617
1839
1840         Reviewed by Sam Weinig.
1841
1842         * JavaScriptCore.xcodeproj/project.pbxproj:
1843         * Sources.txt:
1844         * inspector/agents/InspectorConsoleAgent.h:
1845         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
1846         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
1847         * inspector/protocol/Console.json:
1848         Removed files and method.
1849
1850         * inspector/JSGlobalObjectInspectorController.cpp:
1851         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
1852         This can use the base ConsoleAgent now.
1853
1854 2017-10-23  JF Bastien  <jfbastien@apple.com>
1855
1856         WebAssembly: topEntryFrame on Wasm::Instance
1857         https://bugs.webkit.org/show_bug.cgi?id=178690
1858
1859         Reviewed by Saam Barati.
1860
1861         topEntryFrame is usually on VM, but for a no-VM WebAssembly we
1862         need to hold topEntryFrame elsewhere, and generated code cannot
1863         hard-code where topEntryFrame live. Do this at creation time of
1864         Wasm::Instance, and then generated code will just load from
1865         wherever Wasm::Instance was told topEntryFrame is. In a JavaScript
1866         embedding this is still from VM, so all of the unwinding machinery
1867         stays the same.
1868
1869         * dfg/DFGOSREntry.cpp:
1870         (JSC::DFG::prepareOSREntry):
1871         * dfg/DFGOSRExit.cpp:
1872         (JSC::DFG::restoreCalleeSavesFromVMEntryFrameCalleeSavesBuffer):
1873         (JSC::DFG::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
1874         * ftl/FTLOSRExitCompiler.cpp:
1875         (JSC::FTL::compileStub):
1876         * interpreter/Interpreter.cpp:
1877         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
1878         * jit/AssemblyHelpers.cpp:
1879         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
1880         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
1881         * jit/AssemblyHelpers.h:
1882         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
1883         The default parameter was never non-defaulted from any of the
1884         callers. The new version calls the impl directly because it
1885         doesn't have VM and doesn't hard-code the address of
1886         topEntryFrame.
1887         * jit/RegisterSet.cpp:
1888         (JSC::RegisterSet::vmCalleeSaveRegisterOffsets): This was weird on
1889         VM because it's not really VM-specific.
1890         * jit/RegisterSet.h:
1891         * runtime/VM.cpp:
1892         (JSC::VM::getAllCalleeSaveRegisterOffsets): Deleted.
1893         * runtime/VM.h:
1894         (JSC::VM::getCTIStub):
1895         * wasm/WasmB3IRGenerator.cpp:
1896         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1897         (JSC::Wasm::B3IRGenerator::addCall):
1898         (JSC::Wasm::B3IRGenerator::addCallIndirect):
1899         * wasm/WasmInstance.cpp:
1900         (JSC::Wasm::Instance::Instance):
1901         * wasm/WasmInstance.h: topEntryFramePointer will eventually live
1902         here for real. Right now it's mirrored in JSWebAssemblyInstance
1903         because that's the acting Context.
1904         (JSC::Wasm::Instance::create):
1905         (JSC::Wasm::Instance::offsetOfTopEntryFramePointer):
1906         * wasm/WasmThunks.cpp:
1907         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
1908         * wasm/js/JSWebAssemblyInstance.cpp:
1909         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
1910         * wasm/js/JSWebAssemblyInstance.h: Mirror Wasm::Instance temporarily.
1911         (JSC::JSWebAssemblyInstance::offsetOfCallee):
1912         (JSC::JSWebAssemblyInstance::offsetOfTopEntryFramePointer):
1913         (JSC::JSWebAssemblyInstance::offsetOfVM): Deleted.
1914         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1915         (JSC::constructJSWebAssemblyInstance):
1916         * wasm/js/WebAssemblyPrototype.cpp:
1917         (JSC::instantiate):
1918
1919 2017-10-23  Joseph Pecoraro  <pecoraro@apple.com>
1920
1921         Web Inspector: Please support HAR Export for network traffic
1922         https://bugs.webkit.org/show_bug.cgi?id=146692
1923         <rdar://problem/7463672>
1924
1925         Reviewed by Brian Burg.
1926
1927         * inspector/protocol/Network.json:
1928         Add a walltime to each send request.
1929
1930 2017-10-23  Matt Lewis  <jlewis3@apple.com>
1931
1932         Unreviewed, rolling out r223820.
1933
1934         This caused a build break on Windows.
1935
1936         Reverted changeset:
1937
1938         "Web Inspector: Remove unused Console.setMonitoringXHREnabled"
1939         https://bugs.webkit.org/show_bug.cgi?id=178617
1940         https://trac.webkit.org/changeset/223820
1941
1942 2017-10-23  Yusuke Suzuki  <utatane.tea@gmail.com>
1943
1944         [JSC] Use fastJoin in Array#toString
1945         https://bugs.webkit.org/show_bug.cgi?id=178062
1946
1947         Reviewed by Darin Adler.
1948
1949         Array#toString()'s fast path uses original join operation.
1950         But this should use fastJoin if possible.
1951         This patch adds a fast path using fastJoin in Array#toString.
1952         And we also extend fastJoin to perform fast joining for int32
1953         arrays.
1954
1955                                              baseline                  patched
1956
1957         double-array-to-string          126.6157+-5.8625     ^    103.7343+-4.4968        ^ definitely 1.2206x faster
1958         int32-array-to-string            64.7792+-2.6524           61.2390+-2.1749          might be 1.0578x faster
1959         contiguous-array-to-string       62.6224+-2.6388     ^     56.9899+-2.0852        ^ definitely 1.0988x faster
1960
1961
1962         * runtime/ArrayPrototype.cpp:
1963         (JSC::fastJoin):
1964         (JSC::arrayProtoFuncToString):
1965         (JSC::arrayProtoFuncToLocaleString):
1966         * runtime/JSStringJoiner.h:
1967         (JSC::JSStringJoiner::appendWithoutSideEffects):
1968         (JSC::JSStringJoiner::appendInt32):
1969         (JSC::JSStringJoiner::appendDouble):
1970
1971 2017-10-22  Zan Dobersek  <zdobersek@igalia.com>
1972
1973         [JSC] Remove !(OS(LINUX) && CPU(ARM64)) guards in RegisterState.h
1974         https://bugs.webkit.org/show_bug.cgi?id=178452
1975
1976         Reviewed by Yusuke Suzuki.
1977
1978         * heap/RegisterState.h: Re-enable the custom RegisterState and
1979         ALLOCATE_AND_GET_REGISTER_STATE definitions on ARM64 Linux. These don't
1980         cause any crashes nowadays.
1981
1982 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
1983
1984         [JSC][Baseline] Use linkAllSlowCasesForBytecodeOffset as much as possible to simplify slow cases handling
1985         https://bugs.webkit.org/show_bug.cgi?id=178647
1986
1987         Reviewed by Saam Barati.
1988
1989         There is much code counting slow cases in fast paths to call `linkSlowCase` carefully. This is really error-prone
1990         since the number of slow cases depends on values of instruction's metadata. We have linkAllSlowCasesForBytecodeOffset,
1991         which drains all slow cases for a specified bytecode offset. In typical cases like just calling a slow path function,
1992         this is enough. We use linkAllSlowCasesForBytecodeOffset as much as possible. It significantly simplifies the code.
1993
1994         * jit/JIT.h:
1995         (JSC::JIT::linkAllSlowCases):
1996         * jit/JITArithmetic.cpp:
1997         (JSC::JIT::emitSlow_op_unsigned):
1998         (JSC::JIT::emit_compareAndJump):
1999         (JSC::JIT::emit_compareAndJumpSlow):
2000         (JSC::JIT::emitSlow_op_inc):
2001         (JSC::JIT::emitSlow_op_dec):
2002         (JSC::JIT::emitSlow_op_mod):
2003         (JSC::JIT::emitSlow_op_negate):
2004         (JSC::JIT::emitSlow_op_bitand):
2005         (JSC::JIT::emitSlow_op_bitor):
2006         (JSC::JIT::emitSlow_op_bitxor):
2007         (JSC::JIT::emitSlow_op_lshift):
2008         (JSC::JIT::emitSlow_op_rshift):
2009         (JSC::JIT::emitSlow_op_urshift):
2010         (JSC::JIT::emitSlow_op_add):
2011         (JSC::JIT::emitSlow_op_div):
2012         (JSC::JIT::emitSlow_op_mul):
2013         (JSC::JIT::emitSlow_op_sub):
2014         * jit/JITArithmetic32_64.cpp:
2015         (JSC::JIT::emit_compareAndJumpSlow):
2016         (JSC::JIT::emitSlow_op_unsigned):
2017         (JSC::JIT::emitSlow_op_inc):
2018         (JSC::JIT::emitSlow_op_dec):
2019         (JSC::JIT::emitSlow_op_mod):
2020         * jit/JITCall.cpp:
2021         (JSC::JIT::compileCallEvalSlowCase):
2022         (JSC::JIT::compileOpCallSlowCase):
2023         * jit/JITCall32_64.cpp:
2024         (JSC::JIT::compileCallEvalSlowCase):
2025         (JSC::JIT::compileOpCallSlowCase):
2026         * jit/JITInlines.h:
2027         (JSC::JIT::linkAllSlowCasesForBytecodeOffset):
2028         * jit/JITOpcodes.cpp:
2029         (JSC::JIT::emitSlow_op_new_object):
2030         (JSC::JIT::emitSlow_op_create_this):
2031         (JSC::JIT::emitSlow_op_check_tdz):
2032         (JSC::JIT::emitSlow_op_to_this):
2033         (JSC::JIT::emitSlow_op_to_primitive):
2034         (JSC::JIT::emitSlow_op_not):
2035         (JSC::JIT::emitSlow_op_eq):
2036         (JSC::JIT::emitSlow_op_neq):
2037         (JSC::JIT::emitSlow_op_stricteq):
2038         (JSC::JIT::emitSlow_op_nstricteq):
2039         (JSC::JIT::emitSlow_op_instanceof):
2040         (JSC::JIT::emitSlow_op_instanceof_custom):
2041         (JSC::JIT::emitSlow_op_to_number):
2042         (JSC::JIT::emitSlow_op_to_string):
2043         (JSC::JIT::emitSlow_op_loop_hint):
2044         (JSC::JIT::emitSlow_op_check_traps):
2045         (JSC::JIT::emitSlow_op_has_indexed_property):
2046         (JSC::JIT::emitSlow_op_get_direct_pname):
2047         (JSC::JIT::emitSlow_op_has_structure_property):
2048         * jit/JITOpcodes32_64.cpp:
2049         (JSC::JIT::emitSlow_op_new_object):
2050         (JSC::JIT::emitSlow_op_instanceof):
2051         (JSC::JIT::emitSlow_op_instanceof_custom):
2052         (JSC::JIT::emitSlow_op_to_primitive):
2053         (JSC::JIT::emitSlow_op_not):
2054         (JSC::JIT::emitSlow_op_stricteq):
2055         (JSC::JIT::emitSlow_op_nstricteq):
2056         (JSC::JIT::emitSlow_op_to_number):
2057         (JSC::JIT::emitSlow_op_to_string):
2058         (JSC::JIT::emitSlow_op_create_this):
2059         (JSC::JIT::emitSlow_op_to_this):
2060         (JSC::JIT::emitSlow_op_check_tdz):
2061         (JSC::JIT::emitSlow_op_has_indexed_property):
2062         (JSC::JIT::emitSlow_op_get_direct_pname):
2063         * jit/JITPropertyAccess.cpp:
2064         (JSC::JIT::emitSlow_op_try_get_by_id):
2065         (JSC::JIT::emitSlow_op_get_by_id):
2066         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2067         (JSC::JIT::emitSlow_op_put_by_id):
2068         (JSC::JIT::emitSlow_op_resolve_scope):
2069         (JSC::JIT::emitSlow_op_get_from_scope):
2070         (JSC::JIT::emitSlow_op_put_to_scope):
2071         * jit/JITPropertyAccess32_64.cpp:
2072         (JSC::JIT::emitSlow_op_try_get_by_id):
2073         (JSC::JIT::emitSlow_op_get_by_id):
2074         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2075         (JSC::JIT::emitSlow_op_put_by_id):
2076         (JSC::JIT::emitSlow_op_resolve_scope):
2077         (JSC::JIT::emitSlow_op_get_from_scope):
2078         (JSC::JIT::emitSlow_op_put_to_scope):
2079
2080 2017-10-22  Yusuke Suzuki  <utatane.tea@gmail.com>
2081
2082         [JSC] Clean up baseline slow path
2083         https://bugs.webkit.org/show_bug.cgi?id=178646
2084
2085         Reviewed by Saam Barati.
2086
2087         If the given op is just calling a slow path function, we should use DEFINE_SLOW_OP instead.
2088         It is good since (1) we can reduce the manual emitting code and (2) it can clarify which
2089         function is implemented as a slow path call. This patch is an attempt to reduce 32bit specific
2090         code in baseline JIT.
2091
2092         * jit/JIT.cpp:
2093         (JSC::JIT::privateCompileMainPass):
2094         * jit/JIT.h:
2095         * jit/JITArithmetic.cpp:
2096         (JSC::JIT::emit_op_pow): Deleted.
2097         * jit/JITArithmetic32_64.cpp:
2098         (JSC::JIT::emitSlow_op_mod):
2099         * jit/JITOpcodes.cpp:
2100         (JSC::JIT::emit_op_strcat): Deleted.
2101         (JSC::JIT::emit_op_push_with_scope): Deleted.
2102         (JSC::JIT::emit_op_assert): Deleted.
2103         (JSC::JIT::emit_op_create_lexical_environment): Deleted.
2104         (JSC::JIT::emit_op_throw_static_error): Deleted.
2105         (JSC::JIT::emit_op_new_array_with_spread): Deleted.
2106         (JSC::JIT::emit_op_spread): Deleted.
2107         (JSC::JIT::emit_op_get_enumerable_length): Deleted.
2108         (JSC::JIT::emit_op_has_generic_property): Deleted.
2109         (JSC::JIT::emit_op_get_property_enumerator): Deleted.
2110         (JSC::JIT::emit_op_to_index_string): Deleted.
2111         (JSC::JIT::emit_op_create_direct_arguments): Deleted.
2112         (JSC::JIT::emit_op_create_scoped_arguments): Deleted.
2113         (JSC::JIT::emit_op_create_cloned_arguments): Deleted.
2114         (JSC::JIT::emit_op_create_rest): Deleted.
2115         (JSC::JIT::emit_op_unreachable): Deleted.
2116         * jit/JITOpcodes32_64.cpp:
2117         (JSC::JIT::emit_op_strcat): Deleted.
2118         (JSC::JIT::emit_op_push_with_scope): Deleted.
2119         (JSC::JIT::emit_op_assert): Deleted.
2120         (JSC::JIT::emit_op_create_lexical_environment): Deleted.
2121         * jit/JITPropertyAccess.cpp:
2122         (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
2123         (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
2124         (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
2125         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
2126         (JSC::JIT::emit_op_define_data_property): Deleted.
2127         (JSC::JIT::emit_op_define_accessor_property): Deleted.
2128         * jit/JITPropertyAccess32_64.cpp:
2129         (JSC::JIT::emit_op_resolve_scope_for_hoisting_func_decl_in_eval): Deleted.
2130         (JSC::JIT::emit_op_get_by_val_with_this): Deleted.
2131         (JSC::JIT::emit_op_put_by_id_with_this): Deleted.
2132         (JSC::JIT::emit_op_put_by_val_with_this): Deleted.
2133
2134 2017-10-21  Joseph Pecoraro  <pecoraro@apple.com>
2135
2136         Web Inspector: Remove unused Console.setMonitoringXHREnabled
2137         https://bugs.webkit.org/show_bug.cgi?id=178617
2138
2139         Reviewed by Sam Weinig.
2140
2141         * JavaScriptCore.xcodeproj/project.pbxproj:
2142         * Sources.txt:
2143         * inspector/agents/InspectorConsoleAgent.h:
2144         * inspector/agents/JSGlobalObjectConsoleAgent.cpp: Removed.
2145         * inspector/agents/JSGlobalObjectConsoleAgent.h: Removed.
2146         * inspector/protocol/Console.json:
2147         Removed files and method.
2148
2149         * inspector/JSGlobalObjectInspectorController.cpp:
2150         (Inspector::JSGlobalObjectInspectorController::JSGlobalObjectInspectorController):
2151         This can use the base ConsoleAgent now.
2152
2153 2017-10-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2154
2155         [JSC] Remove per-host-function CTI stub in 32bit environment
2156         https://bugs.webkit.org/show_bug.cgi?id=178581
2157
2158         Reviewed by Saam Barati.
2159
2160         JIT::privateCompileCTINativeCall only exists in 32bit environment and it is almost the same to native call CTI stub.
2161         The only difference is that it embed the address of the host function directly in the generated stub. This means
2162         that we have per-host-function CTI stub only in 32bit environment.
2163
2164         This patch just removes it and use one CTI stub instead. This design is the same to the current 64bit implementation.
2165
2166         * jit/JIT.cpp:
2167         (JSC::JIT::compileCTINativeCall): Deleted.
2168         * jit/JIT.h:
2169         * jit/JITOpcodes.cpp:
2170         (JSC::JIT::privateCompileCTINativeCall): Deleted.
2171         * jit/JITOpcodes32_64.cpp:
2172         (JSC::JIT::privateCompileCTINativeCall): Deleted.
2173         * jit/JITThunks.cpp:
2174         (JSC::JITThunks::hostFunctionStub):
2175
2176 2017-10-20  Antoine Quint  <graouts@apple.com>
2177
2178         [Web Animations] Provide basic timeline and animation interfaces
2179         https://bugs.webkit.org/show_bug.cgi?id=178526
2180
2181         Reviewed by Dean Jackson.
2182
2183         Remove the WEB_ANIMATIONS compile-time flag.
2184
2185         * Configurations/FeatureDefines.xcconfig:
2186
2187 2017-10-20  Commit Queue  <commit-queue@webkit.org>
2188
2189         Unreviewed, rolling out r223744, r223750, and r223751.
2190         https://bugs.webkit.org/show_bug.cgi?id=178594
2191
2192         These caused consistent failures in test that existed and were
2193         added in the patches. (Requested by mlewis13 on #webkit).
2194
2195         Reverted changesets:
2196
2197         "[JSC] ScriptFetcher should be notified directly from module
2198         pipeline"
2199         https://bugs.webkit.org/show_bug.cgi?id=178340
2200         https://trac.webkit.org/changeset/223744
2201
2202         "Unreviewed, fix changed line number in test expect files"
2203         https://bugs.webkit.org/show_bug.cgi?id=178340
2204         https://trac.webkit.org/changeset/223750
2205
2206         "Unreviewed, follow up to reflect comments"
2207         https://bugs.webkit.org/show_bug.cgi?id=178340
2208         https://trac.webkit.org/changeset/223751
2209
2210 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2211
2212         Unreviewed, follow up to reflect comments
2213         https://bugs.webkit.org/show_bug.cgi?id=178340
2214
2215         * runtime/JSModuleLoader.cpp:
2216         (JSC::JSModuleLoader::notifyCompleted):
2217
2218 2017-10-20  Saam Barati  <sbarati@apple.com>
2219
2220         Optimize accesses to how we get the direct prototype
2221         https://bugs.webkit.org/show_bug.cgi?id=178548
2222
2223         Reviewed by Yusuke Suzuki.
2224
2225         This patch makes JSObject::getPrototypeDirect take VM& as a parameter
2226         so it can use the faster version of the structure accessor function.
2227         The reason for making this change is that JSObjet::getPrototypeDirect
2228         is called on the hot path in property lookup.
2229
2230         * API/JSObjectRef.cpp:
2231         (JSObjectGetPrototype):
2232         * jsc.cpp:
2233         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
2234         (WTF::DOMJITGetterBaseJSObject::customGetter):
2235         (functionCreateProxy):
2236         * runtime/ArrayPrototype.cpp:
2237         (JSC::speciesWatchpointIsValid):
2238         * runtime/ErrorInstance.cpp:
2239         (JSC::ErrorInstance::sanitizedToString):
2240         * runtime/JSArray.cpp:
2241         (JSC::JSArray::isIteratorProtocolFastAndNonObservable):
2242         * runtime/JSGlobalObject.cpp:
2243         (JSC::JSGlobalObject::init):
2244         (JSC::lastInPrototypeChain):
2245         (JSC::JSGlobalObject::resetPrototype):
2246         (JSC::JSGlobalObject::finishCreation):
2247         * runtime/JSGlobalObjectInlines.h:
2248         (JSC::JSGlobalObject::objectPrototypeIsSane):
2249         (JSC::JSGlobalObject::arrayPrototypeChainIsSane):
2250         (JSC::JSGlobalObject::stringPrototypeChainIsSane):
2251         * runtime/JSLexicalEnvironment.cpp:
2252         (JSC::JSLexicalEnvironment::getOwnPropertySlot):
2253         * runtime/JSMap.cpp:
2254         (JSC::JSMap::isIteratorProtocolFastAndNonObservable):
2255         * runtime/JSObject.cpp:
2256         (JSC::JSObject::calculatedClassName):
2257         (JSC::JSObject::setPrototypeWithCycleCheck):
2258         (JSC::JSObject::getPrototype):
2259         (JSC::JSObject::attemptToInterceptPutByIndexOnHoleForPrototype):
2260         (JSC::JSObject::attemptToInterceptPutByIndexOnHole):
2261         (JSC::JSObject::anyObjectInChainMayInterceptIndexedAccesses const):
2262         (JSC::JSObject::prototypeChainMayInterceptStoreTo):
2263         * runtime/JSObject.h:
2264         (JSC::JSObject::finishCreation):
2265         (JSC::JSObject::getPrototypeDirect const):
2266         (JSC::JSObject::getPrototype):
2267         * runtime/JSObjectInlines.h:
2268         (JSC::JSObject::canPerformFastPutInline):
2269         (JSC::JSObject::getPropertySlot):
2270         (JSC::JSObject::getNonIndexPropertySlot):
2271         * runtime/JSProxy.cpp:
2272         (JSC::JSProxy::setTarget):
2273         * runtime/JSSet.cpp:
2274         (JSC::JSSet::isIteratorProtocolFastAndNonObservable):
2275         * runtime/ProgramExecutable.cpp:
2276         (JSC::ProgramExecutable::initializeGlobalProperties):
2277         * runtime/StructureInlines.h:
2278         (JSC::Structure::isValid const):
2279
2280 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2281
2282         [ARM64] static_cast<int32_t>() in BinaryOpNode::emitBytecode() prevents op_unsigned emission
2283         https://bugs.webkit.org/show_bug.cgi?id=178379
2284
2285         Reviewed by Saam Barati.
2286
2287         We reuse jsNumber's checking mechanism here to precisely check the generated number is within uint32_t
2288         in bytecode compiler. This is reasonable since the NumberNode will generate the exact this JSValue.
2289
2290         * bytecompiler/NodesCodegen.cpp:
2291         (JSC::BinaryOpNode::emitBytecode):
2292
2293 2017-10-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2294
2295         [JSC] ScriptFetcher should be notified directly from module pipeline
2296         https://bugs.webkit.org/show_bug.cgi?id=178340
2297
2298         Reviewed by Sam Weinig.
2299
2300         Previously, we use JSStdFunction to let WebCore inform the module pipeline results.
2301         We setup JSStdFunction to the resulted promise of the module pipeline. It is super
2302         ad-hoc since JSStdFunction's lambda need extra-careful to make it non-cyclic-referenced.
2303         JSStdFunction's lambda can capture variables, but they are not able to be marked by GC.
2304
2305         But now, we have ScriptFetcher. It is introduced after we implemented the module pipeline
2306         notification mechanism by using JSStdFunction. But it is appropriate one to receive notification
2307         from the module pipeline by observer style.
2308
2309         This patch removes the above ad-hoc JSStdFunction use. And now ScriptFetcher receives
2310         completion/failure notifications from the module pipeline.
2311
2312         * builtins/ModuleLoaderPrototype.js:
2313         (loadModule):
2314         (loadAndEvaluateModule):
2315         * runtime/Completion.cpp:
2316         (JSC::loadModule):
2317         * runtime/Completion.h:
2318         * runtime/JSModuleLoader.cpp:
2319         (JSC::jsValueToModuleKey):
2320         (JSC::JSModuleLoader::notifyCompleted):
2321         (JSC::JSModuleLoader::notifyFailed):
2322         * runtime/JSModuleLoader.h:
2323         * runtime/ModuleLoaderPrototype.cpp:
2324         (JSC::moduleLoaderPrototypeNotifyCompleted):
2325         (JSC::moduleLoaderPrototypeNotifyFailed):
2326         * runtime/ScriptFetcher.h:
2327         (JSC::ScriptFetcher::notifyLoadCompleted):
2328         (JSC::ScriptFetcher::notifyLoadFailed):
2329
2330 2017-10-19  JF Bastien  <jfbastien@apple.com>
2331
2332         WebAssembly: no VM / JS version of everything but Instance
2333         https://bugs.webkit.org/show_bug.cgi?id=177473
2334
2335         Reviewed by Filip Pizlo, Saam Barati.
2336
2337         This change entails cleaning up and splitting a bunch of code which we had
2338         intertwined between C++ classes which represent JS objects, and pure C++
2339         implementation objects. This specific change goes most of the way towards
2340         allowing JSC's WebAssembly to work without VM / JS, up to but excluding
2341         JSWebAssemblyInstance (there's Wasm::Instance, but it's not *the* thing
2342         yet). Because of this we still have a few FIXME identifying places that need to
2343         change. A follow-up change will go the rest of the way.
2344
2345         I went about this change in the simplest way possible: grep the
2346         JavaScriptCore/wasm directory for "JS[^C_]" as well as "VM" and exclude the /js/
2347         sub-directory (which contains the JS implementation of WebAssembly).
2348
2349         None of this change removes the need for a JIT entitlement to be able to use
2350         WebAssembly. We don't have an interpreter, the process therefore still needs to
2351         be allowed to JIT to use these pure-C++ APIs.
2352
2353         Interesting things to note:
2354
2355           - Remove VM from Plan and associated places. It can just live as a capture in
2356             the callback lambda if it's needed.
2357           - Wasm::Memory shouldn't require a VM. It was only used to ask the GC to
2358             collect. We now instead pass two lambdas at construction time for this
2359             purpose: one to notify of memory pressure, and the other to ask for
2360             syncrhonous memory reclamation. This allows whoever creates the memory to
2361             dictate how to react to both these cases, and for a JS embedding that's to
2362             call the GC (async or sync, respectively).
2363           - Move grow logic from JSWebAssemblyMemory to Wasm::Memory::grow. Use Expected
2364             there, with an enum class for failure types.
2365           - Exceeding max on memory growth now returns a range error as per spec. This
2366             is a (very minor) breaking change: it used to throw OOM error. Update the
2367             corresponding test.
2368           - When generating the grow_memory opcode, no need to get the VM. Instead,
2369             reach directly for Wasm::Memory and grow it.
2370           - JSWebAssemblyMemory::grow can now always throw on failure, because it's only
2371             ever called from JS (not from grow_memory as before).
2372           - Wasm::Memory now takes a callback for successful growth. This allows JS
2373             wrappers to register themselves when growth succeeds without Wasm::Memory
2374             knowning anything about JS. It'll also allow creating a list of callbacks
2375             for when we add thread support (we'll want to notify many wrappers, all
2376             under a lock).
2377           - Wasm::Memory is now back to being the source of truth about address / size,
2378             used directly by generated code instead of JSWebAssemblyMemory.
2379           - Move wasmToJS from the general WasmBinding header to its own header under
2380             wasm/js. It's only used by wasm/js/JSWebAssemblyCodeBlock.cpp, and uses VM,
2381             and therefore isn't general WebAssembly.
2382           - Make Wasm::Context an actual type (just a struct holding a
2383             JSWebAssemlyInstance for now) instead of an alias for that. Notably this
2384             doesn't add anything to the Context and doesn't change what actually gets
2385             passed around in JIT code (fast TLS or registers) because these changes
2386             potentially impact performance. The entire purpose of this change is to
2387             allow passing Wasm::Context around without having to know about VM. Since VM
2388             contains a Wasm::Context the JS embedding is effectively the same, but with
2389             this setup a non-JS embedding is much better off.
2390           - Move JSWebAssembly into the JS folder.
2391           - OMGPlan: use Wasm::CodeBlock directly instead of JSWebAssemblyCodeBlock.
2392           - wasm->JS stubs are now on the instance's tail as raw pointers, instead of
2393             being on JSWebAssemblyCodeBlock, and are now called wasm->Embedder
2394             stubs. The owned reference is still on JSWebAssemblyCodeBlock, and is still
2395             called wasm->JS stub. This move means that the embedder must, after creating
2396             a Wasm::CodeBlock, somehow create the stubs to call back into the
2397             embedder. This removes an indirection in the generated code because
2398             the B3 IR generator now reaches into the instance instead of
2399             JSWebAssemblyCodeBlock.
2400           - Move more CodeBlock things. Compilation completion is now marked by its own
2401             atomic<bool> flag instead of a nullptr plan: that required using a lock, and
2402             was causing a deadlock in stack-trace.js because before my changes
2403             JSWebAssemblyCodeBlock did its own completion checking separately from
2404             Wasm::CodeBlock, without getting the lock. Now that everything points to
2405             Wasm::CodeBlock and there's no cached completion marker, the lock was being
2406             acquired in a sanity-check assertion.
2407           - Embedder -> Wasm wrappers are now generated through a function that's passed
2408             in at compilation time, instead of being hard-coded as a JS -> Wasm wrapper.
2409           - WasmMemory doens't need to know about fault handling thunks. Only the IR
2410             generator should know, and should make sure that the exception throwing
2411             thunk is generated if any memory is present (note: with signal handling not
2412             all of them generate an exception check).
2413           - Make exception throwing pluggable: instead of having a hard-coded
2414             JS-specific lambda we now have a regular C++ function being called from JIT
2415             code when a WebAssembly exception is thrown. This allows any embedder to get
2416             called as they wish. For now a process can only have a single of these
2417             functions (i.e. only one embedder per process) because the trap handler is a
2418             singleton. That can be fixed in in #177475.
2419           - Create WasmEmbedder.h where all embedder plugging will live.
2420           - Split up JSWebAssemblyTable into Wasm::Table which is
2421             refcounted. JSWebAssemblyTable now only contains the JS functions in the
2422             table, and Wasm::Table is what's used by the JIT code to lookup where to
2423             call and do the instance check (for context switch). Note that this creates
2424             an extra allocation for all the instances in Wasm::Table, and in exchange
2425             removes an indirection in JIT code because the instance used to be obtained
2426             off of the JS function. Also note that it's the embedder than keeps the
2427             instances alive, not Wasm::Table (which holds a dumb pointer to the
2428             instance), because doing otherwise would cause reference cycles.
2429            - Add WasmInstance. It doesn't do much for now, owns globals.
2430            - JSWebAssembly instance now doesn't just contain the imported functions as
2431              JSObjects, it also has the corresponding import's instance and wasm
2432              entrypoint. This triples the space allocated per instance's imported
2433              function, but there shouldn't be that many imports. This has two upsides: it
2434              creates smaller and faster code, and makes is easier to disassociate
2435              embedder-specific things from embedder-neutral things. The small / faster
2436              win is in two places: B3 IR generator only needs offsetOfImportFunction for
2437              the call opcode (when the called index is an import) to know whether the
2438              import is wasm->wasm or wasm->embedder (this isn't known at compile-time
2439              because it's dependent on the import object), this is now done by seeing if
2440              that import function has an associated target instance (only wasm->wasm
2441              does); the other place is wasmBinding which uses offsetOfImportFunction to
2442              figure out the wasm->wasm target instance, and then gets
2443              WebAssemblyFunction::offsetOfWasmEntrypointLoadLocation to do a tail
2444              call. The disassociation comes because the target instance can be
2445              Wasm::Instance once we change what the Context is, and
2446              WasmEntrypointLoadLocation is already embedder-independent. As a next step I
2447              can move this tail allocation from JSWebAssemblyInstance to Wasm::Instance,
2448              and leave importFunction in as an opaque pointer which is embedder-specific,
2449              and in JS will remain WriteBarrier<JSObject>.
2450            - Rename VMEntryFrame to EntryFrame, and in many places pass a pointer to it
2451              around instead of VM. This is a first step in allowing entry frames which
2452              aren't stored on VM, but which are instead stored in an embedder-specific
2453              location. That change won't really affect JS except through code churn, but
2454              will allow WebAssembly to use some machinery in a generic manner without
2455              having a VM.
2456
2457         * JavaScriptCore.xcodeproj/project.pbxproj:
2458         * Sources.txt:
2459         * bytecode/PolymorphicAccess.cpp:
2460         (JSC::AccessGenerationState::emitExplicitExceptionHandler):
2461         * debugger/Debugger.cpp:
2462         (JSC::Debugger::stepOutOfFunction):
2463         (JSC::Debugger::returnEvent):
2464         (JSC::Debugger::unwindEvent):
2465         (JSC::Debugger::didExecuteProgram):
2466         * dfg/DFGJITCompiler.cpp:
2467         (JSC::DFG::JITCompiler::compileExceptionHandlers):
2468         * dfg/DFGOSREntry.cpp:
2469         (JSC::DFG::prepareOSREntry):
2470         * dfg/DFGOSRExit.cpp:
2471         (JSC::DFG::OSRExit::compileOSRExit):
2472         (JSC::DFG::OSRExit::compileExit):
2473         * dfg/DFGThunks.cpp:
2474         (JSC::DFG::osrEntryThunkGenerator):
2475         * ftl/FTLCompile.cpp:
2476         (JSC::FTL::compile):
2477         * ftl/FTLLink.cpp:
2478         (JSC::FTL::link):
2479         * ftl/FTLLowerDFGToB3.cpp:
2480         (JSC::FTL::DFG::LowerDFGToB3::lower):
2481         * ftl/FTLOSRExitCompiler.cpp:
2482         (JSC::FTL::compileStub):
2483         * interpreter/CallFrame.cpp:
2484         (JSC::CallFrame::wasmAwareLexicalGlobalObject):
2485         (JSC::CallFrame::callerFrame):
2486         (JSC::CallFrame::unsafeCallerFrame):
2487         * interpreter/CallFrame.h:
2488         (JSC::ExecState::callerFrame const):
2489         (JSC::ExecState::callerFrameOrEntryFrame const):
2490         (JSC::ExecState::unsafeCallerFrameOrEntryFrame const):
2491         * interpreter/FrameTracers.h:
2492         (JSC::NativeCallFrameTracer::NativeCallFrameTracer):
2493         (JSC::NativeCallFrameTracerWithRestore::NativeCallFrameTracerWithRestore):
2494         (JSC::NativeCallFrameTracerWithRestore::~NativeCallFrameTracerWithRestore):
2495         * interpreter/Interpreter.cpp:
2496         (JSC::UnwindFunctor::operator() const):
2497         (JSC::UnwindFunctor::copyCalleeSavesToEntryFrameCalleeSavesBuffer const):
2498         (JSC::Interpreter::unwind):
2499         * interpreter/StackVisitor.cpp:
2500         (JSC::StackVisitor::StackVisitor):
2501         (JSC::StackVisitor::gotoNextFrame):
2502         (JSC::StackVisitor::readNonInlinedFrame):
2503         (JSC::StackVisitor::Frame::dump const):
2504         * interpreter/StackVisitor.h:
2505         (JSC::StackVisitor::Frame::callerIsEntryFrame const):
2506         * interpreter/VMEntryRecord.h:
2507         (JSC::VMEntryRecord::prevTopEntryFrame):
2508         (JSC::VMEntryRecord::unsafePrevTopEntryFrame):
2509         (JSC::EntryFrame::vmEntryRecordOffset):
2510         * jit/AssemblyHelpers.cpp:
2511         (JSC::AssemblyHelpers::restoreCalleeSavesFromEntryFrameCalleeSavesBuffer):
2512         (JSC::AssemblyHelpers::loadWasmContextInstance):
2513         (JSC::AssemblyHelpers::storeWasmContextInstance):
2514         (JSC::AssemblyHelpers::loadWasmContextInstanceNeedsMacroScratchRegister):
2515         (JSC::AssemblyHelpers::storeWasmContextInstanceNeedsMacroScratchRegister):
2516         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBufferImpl):
2517         * jit/AssemblyHelpers.h:
2518         (JSC::AssemblyHelpers::copyCalleeSavesToVMEntryFrameCalleeSavesBuffer):
2519         (JSC::AssemblyHelpers::copyCalleeSavesToEntryFrameCalleeSavesBuffer):
2520         (JSC::AssemblyHelpers::copyCalleeSavesFromFrameOrRegisterToEntryFrameCalleeSavesBuffer):
2521         * jit/JIT.cpp:
2522         (JSC::JIT::emitEnterOptimizationCheck):
2523         (JSC::JIT::privateCompileExceptionHandlers):
2524         * jit/JITExceptions.cpp:
2525         (JSC::genericUnwind):
2526         * jit/JITOpcodes.cpp:
2527         (JSC::JIT::emit_op_throw):
2528         (JSC::JIT::emit_op_catch):
2529         (JSC::JIT::emitSlow_op_loop_hint):
2530         * jit/JITOpcodes32_64.cpp:
2531         (JSC::JIT::emit_op_throw):
2532         (JSC::JIT::emit_op_catch):
2533         * jit/JITOperations.cpp:
2534         * jit/ThunkGenerators.cpp:
2535         (JSC::throwExceptionFromCallSlowPathGenerator):
2536         (JSC::nativeForGenerator):
2537         * jsc.cpp:
2538         (functionDumpCallFrame):
2539         * llint/LLIntSlowPaths.cpp:
2540         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2541         * llint/LLIntThunks.cpp:
2542         (JSC::vmEntryRecord):
2543         * llint/LowLevelInterpreter.asm:
2544         * llint/LowLevelInterpreter32_64.asm:
2545         * llint/LowLevelInterpreter64.asm:
2546         * runtime/Options.cpp:
2547         (JSC::recomputeDependentOptions):
2548         * runtime/Options.h:
2549         * runtime/SamplingProfiler.cpp:
2550         (JSC::FrameWalker::FrameWalker):
2551         (JSC::FrameWalker::advanceToParentFrame):
2552         (JSC::SamplingProfiler::processUnverifiedStackTraces):
2553         * runtime/ThrowScope.cpp:
2554         (JSC::ThrowScope::~ThrowScope):
2555         * runtime/VM.cpp:
2556         (JSC::VM::VM):
2557         (JSC::VM::~VM):
2558         * runtime/VM.h:
2559         (JSC::VM::topEntryFrameOffset):
2560         * runtime/VMTraps.cpp:
2561         (JSC::isSaneFrame):
2562         (JSC::VMTraps::tryInstallTrapBreakpoints):
2563         (JSC::VMTraps::invalidateCodeBlocksOnStack):
2564         * wasm/WasmB3IRGenerator.cpp:
2565         (JSC::Wasm::B3IRGenerator::restoreWasmContextInstance):
2566         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2567         (JSC::Wasm::B3IRGenerator::restoreWebAssemblyGlobalState):
2568         (JSC::Wasm::B3IRGenerator::addGrowMemory):
2569         (JSC::Wasm::B3IRGenerator::addCurrentMemory):
2570         (JSC::Wasm::B3IRGenerator::addCall):
2571         (JSC::Wasm::B3IRGenerator::addCallIndirect):
2572         (JSC::Wasm::parseAndCompile):
2573         * wasm/WasmB3IRGenerator.h:
2574         * wasm/WasmBBQPlan.cpp:
2575         (JSC::Wasm::BBQPlan::BBQPlan):
2576         (JSC::Wasm::BBQPlan::compileFunctions):
2577         (JSC::Wasm::BBQPlan::complete):
2578         * wasm/WasmBBQPlan.h:
2579         * wasm/WasmBBQPlanInlines.h:
2580         (JSC::Wasm::BBQPlan::initializeCallees):
2581         * wasm/WasmBinding.cpp:
2582         (JSC::Wasm::wasmToWasm):
2583         * wasm/WasmBinding.h:
2584         * wasm/WasmCodeBlock.cpp:
2585         (JSC::Wasm::CodeBlock::create):
2586         (JSC::Wasm::CodeBlock::CodeBlock):
2587         (JSC::Wasm::CodeBlock::compileAsync):
2588         (JSC::Wasm::CodeBlock::setCompilationFinished):
2589         * wasm/WasmCodeBlock.h:
2590         (JSC::Wasm::CodeBlock::offsetOfImportStubs):
2591         (JSC::Wasm::CodeBlock::allocationSize):
2592         (JSC::Wasm::CodeBlock::importWasmToEmbedderStub):
2593         (JSC::Wasm::CodeBlock::offsetOfImportWasmToEmbedderStub):
2594         (JSC::Wasm::CodeBlock::wasmToJSCallStubForImport):
2595         (JSC::Wasm::CodeBlock::compilationFinished):
2596         (JSC::Wasm::CodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
2597         (JSC::Wasm::CodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
2598         * wasm/WasmContext.cpp:
2599         (JSC::Wasm::Context::useFastTLS):
2600         (JSC::Wasm::Context::load const):
2601         (JSC::Wasm::Context::store):
2602         * wasm/WasmContext.h:
2603         * wasm/WasmEmbedder.h: Copied from Source/JavaScriptCore/wasm/WasmContext.h.
2604         * wasm/WasmFaultSignalHandler.cpp:
2605         * wasm/WasmFaultSignalHandler.h:
2606         * wasm/WasmFormat.h:
2607         * wasm/WasmInstance.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2608         (JSC::Wasm::Instance::Instance):
2609         (JSC::Wasm::Instance::~Instance):
2610         (JSC::Wasm::Instance::extraMemoryAllocated const):
2611         * wasm/WasmInstance.h: Added.
2612         (JSC::Wasm::Instance::create):
2613         (JSC::Wasm::Instance::finalizeCreation):
2614         (JSC::Wasm::Instance::module):
2615         (JSC::Wasm::Instance::codeBlock):
2616         (JSC::Wasm::Instance::memory):
2617         (JSC::Wasm::Instance::table):
2618         (JSC::Wasm::Instance::loadI32Global const):
2619         (JSC::Wasm::Instance::loadI64Global const):
2620         (JSC::Wasm::Instance::loadF32Global const):
2621         (JSC::Wasm::Instance::loadF64Global const):
2622         (JSC::Wasm::Instance::setGlobal):
2623         (JSC::Wasm::Instance::offsetOfCachedStackLimit):
2624         (JSC::Wasm::Instance::cachedStackLimit const):
2625         (JSC::Wasm::Instance::setCachedStackLimit):
2626         * wasm/WasmMemory.cpp:
2627         (JSC::Wasm::Memory::Memory):
2628         (JSC::Wasm::Memory::create):
2629         (JSC::Wasm::Memory::~Memory):
2630         (JSC::Wasm::Memory::grow):
2631         * wasm/WasmMemory.h:
2632         (JSC::Wasm::Memory::offsetOfMemory):
2633         (JSC::Wasm::Memory::offsetOfSize):
2634         * wasm/WasmMemoryInformation.cpp:
2635         (JSC::Wasm::PinnedRegisterInfo::get):
2636         (JSC::Wasm::PinnedRegisterInfo::PinnedRegisterInfo):
2637         * wasm/WasmMemoryInformation.h:
2638         (JSC::Wasm::PinnedRegisterInfo::toSave const):
2639         * wasm/WasmMemoryMode.cpp: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2640         (JSC::Wasm::makeString):
2641         * wasm/WasmMemoryMode.h: Copied from Source/JavaScriptCore/wasm/WasmFaultSignalHandler.h.
2642         * wasm/WasmModule.cpp:
2643         (JSC::Wasm::makeValidationCallback):
2644         (JSC::Wasm::Module::validateSync):
2645         (JSC::Wasm::Module::validateAsync):
2646         (JSC::Wasm::Module::getOrCreateCodeBlock):
2647         (JSC::Wasm::Module::compileSync):
2648         (JSC::Wasm::Module::compileAsync):
2649         * wasm/WasmModule.h:
2650         * wasm/WasmModuleParser.cpp:
2651         (JSC::Wasm::ModuleParser::parseTableHelper):
2652         * wasm/WasmOMGPlan.cpp:
2653         (JSC::Wasm::OMGPlan::OMGPlan):
2654         (JSC::Wasm::OMGPlan::runForIndex):
2655         * wasm/WasmOMGPlan.h:
2656         * wasm/WasmPageCount.h:
2657         (JSC::Wasm::PageCount::isValid const):
2658         * wasm/WasmPlan.cpp:
2659         (JSC::Wasm::Plan::Plan):
2660         (JSC::Wasm::Plan::runCompletionTasks):
2661         (JSC::Wasm::Plan::addCompletionTask):
2662         (JSC::Wasm::Plan::tryRemoveContextAndCancelIfLast):
2663         * wasm/WasmPlan.h:
2664         (JSC::Wasm::Plan::dontFinalize):
2665         * wasm/WasmSignature.cpp:
2666         * wasm/WasmSignature.h:
2667         * wasm/WasmTable.cpp: Added.
2668         (JSC::Wasm::Table::create):
2669         (JSC::Wasm::Table::~Table):
2670         (JSC::Wasm::Table::Table):
2671         (JSC::Wasm::Table::grow):
2672         (JSC::Wasm::Table::clearFunction):
2673         (JSC::Wasm::Table::setFunction):
2674         * wasm/WasmTable.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyTable.h.
2675         (JSC::Wasm::Table::maximum const):
2676         (JSC::Wasm::Table::size const):
2677         (JSC::Wasm::Table::offsetOfSize):
2678         (JSC::Wasm::Table::offsetOfFunctions):
2679         (JSC::Wasm::Table::offsetOfInstances):
2680         (JSC::Wasm::Table::isValidSize):
2681         * wasm/WasmThunks.cpp:
2682         (JSC::Wasm::throwExceptionFromWasmThunkGenerator):
2683         (JSC::Wasm::triggerOMGTierUpThunkGenerator):
2684         (JSC::Wasm::Thunks::setThrowWasmException):
2685         (JSC::Wasm::Thunks::throwWasmException):
2686         * wasm/WasmThunks.h:
2687         * wasm/WasmWorklist.cpp:
2688         (JSC::Wasm::Worklist::stopAllPlansForContext):
2689         * wasm/WasmWorklist.h:
2690         * wasm/js/JSToWasm.cpp: Added.
2691         (JSC::Wasm::createJSToWasmWrapper):
2692         * wasm/js/JSToWasm.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
2693         * wasm/js/JSWebAssembly.cpp: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.cpp.
2694         * wasm/js/JSWebAssembly.h: Renamed from Source/JavaScriptCore/wasm/JSWebAssembly.h.
2695         * wasm/js/JSWebAssemblyCodeBlock.cpp:
2696         (JSC::JSWebAssemblyCodeBlock::create):
2697         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
2698         * wasm/js/JSWebAssemblyCodeBlock.h:
2699         * wasm/js/JSWebAssemblyInstance.cpp:
2700         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
2701         (JSC::JSWebAssemblyInstance::finishCreation):
2702         (JSC::JSWebAssemblyInstance::visitChildren):
2703         (JSC::JSWebAssemblyInstance::finalizeCreation):
2704         (JSC::JSWebAssemblyInstance::create):
2705         * wasm/js/JSWebAssemblyInstance.h:
2706         (JSC::JSWebAssemblyInstance::instance):
2707         (JSC::JSWebAssemblyInstance::context const):
2708         (JSC::JSWebAssemblyInstance::table):
2709         (JSC::JSWebAssemblyInstance::webAssemblyToJSCallee):
2710         (JSC::JSWebAssemblyInstance::setMemory):
2711         (JSC::JSWebAssemblyInstance::offsetOfTail):
2712         (JSC::JSWebAssemblyInstance::importFunctionInfo):
2713         (JSC::JSWebAssemblyInstance::offsetOfTargetInstance):
2714         (JSC::JSWebAssemblyInstance::offsetOfWasmEntrypoint):
2715         (JSC::JSWebAssemblyInstance::offsetOfImportFunction):
2716         (JSC::JSWebAssemblyInstance::importFunction):
2717         (JSC::JSWebAssemblyInstance::internalMemory):
2718         (JSC::JSWebAssemblyInstance::wasmCodeBlock const):
2719         (JSC::JSWebAssemblyInstance::offsetOfWasmTable):
2720         (JSC::JSWebAssemblyInstance::offsetOfCallee):
2721         (JSC::JSWebAssemblyInstance::offsetOfGlobals):
2722         (JSC::JSWebAssemblyInstance::offsetOfWasmCodeBlock):
2723         (JSC::JSWebAssemblyInstance::offsetOfWasmMemory):
2724         (JSC::JSWebAssemblyInstance::cachedStackLimit const):
2725         (JSC::JSWebAssemblyInstance::setCachedStackLimit):
2726         (JSC::JSWebAssemblyInstance::wasmMemory):
2727         (JSC::JSWebAssemblyInstance::wasmModule):
2728         (JSC::JSWebAssemblyInstance::allocationSize):
2729         (JSC::JSWebAssemblyInstance::module const):
2730         * wasm/js/JSWebAssemblyMemory.cpp:
2731         (JSC::JSWebAssemblyMemory::create):
2732         (JSC::JSWebAssemblyMemory::adopt):
2733         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
2734         (JSC::JSWebAssemblyMemory::grow):
2735         (JSC::JSWebAssemblyMemory::growSuccessCallback):
2736         * wasm/js/JSWebAssemblyMemory.h:
2737         * wasm/js/JSWebAssemblyModule.cpp:
2738         (JSC::JSWebAssemblyModule::moduleInformation const):
2739         (JSC::JSWebAssemblyModule::exportSymbolTable const):
2740         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace const):
2741         (JSC::JSWebAssemblyModule::callee const):
2742         (JSC::JSWebAssemblyModule::codeBlock):
2743         (JSC::JSWebAssemblyModule::module):
2744         * wasm/js/JSWebAssemblyModule.h:
2745         * wasm/js/JSWebAssemblyTable.cpp:
2746         (JSC::JSWebAssemblyTable::create):
2747         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
2748         (JSC::JSWebAssemblyTable::visitChildren):
2749         (JSC::JSWebAssemblyTable::grow):
2750         (JSC::JSWebAssemblyTable::getFunction):
2751         (JSC::JSWebAssemblyTable::clearFunction):
2752         (JSC::JSWebAssemblyTable::setFunction):
2753         * wasm/js/JSWebAssemblyTable.h:
2754         (JSC::JSWebAssemblyTable::isValidSize):
2755         (JSC::JSWebAssemblyTable::maximum const):
2756         (JSC::JSWebAssemblyTable::size const):
2757         (JSC::JSWebAssemblyTable::table):
2758         * wasm/js/WasmToJS.cpp: Copied from Source/JavaScriptCore/wasm/WasmBinding.cpp.
2759         (JSC::Wasm::materializeImportJSCell):
2760         (JSC::Wasm::wasmToJS):
2761         (JSC::Wasm::wasmToJSException):
2762         * wasm/js/WasmToJS.h: Copied from Source/JavaScriptCore/wasm/WasmBinding.h.
2763         * wasm/js/WebAssemblyFunction.cpp:
2764         (JSC::callWebAssemblyFunction):
2765         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2766         (JSC::constructJSWebAssemblyInstance):
2767         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2768         (JSC::constructJSWebAssemblyMemory):
2769         * wasm/js/WebAssemblyMemoryPrototype.cpp:
2770         (JSC::webAssemblyMemoryProtoFuncGrow):
2771         * wasm/js/WebAssemblyModuleConstructor.cpp:
2772         (JSC::constructJSWebAssemblyModule):
2773         (JSC::WebAssemblyModuleConstructor::createModule):
2774         * wasm/js/WebAssemblyModuleConstructor.h:
2775         * wasm/js/WebAssemblyModuleRecord.cpp:
2776         (JSC::WebAssemblyModuleRecord::link):
2777         (JSC::WebAssemblyModuleRecord::evaluate):
2778         * wasm/js/WebAssemblyPrototype.cpp:
2779         (JSC::webAssemblyCompileFunc):
2780         (JSC::instantiate):
2781         (JSC::compileAndInstantiate):
2782         (JSC::webAssemblyValidateFunc):
2783         * wasm/js/WebAssemblyTableConstructor.cpp:
2784         (JSC::constructJSWebAssemblyTable):
2785         * wasm/js/WebAssemblyWrapperFunction.cpp:
2786         (JSC::WebAssemblyWrapperFunction::create):
2787
2788 2017-10-19  Mark Lam  <mark.lam@apple.com>
2789
2790         Stringifier::appendStringifiedValue() is missing an exception check.
2791         https://bugs.webkit.org/show_bug.cgi?id=178386
2792         <rdar://problem/35027610>
2793
2794         Reviewed by Saam Barati.
2795
2796         * runtime/JSONObject.cpp:
2797         (JSC::Stringifier::appendStringifiedValue):
2798
2799 2017-10-19  Saam Barati  <sbarati@apple.com>
2800
2801         REGRESSION(r223691): DFGByteCodeParser.cpp:1483:83: warning: comparison is always false due to limited range of data type [-Wtype-limits]
2802         https://bugs.webkit.org/show_bug.cgi?id=178543
2803
2804         Reviewed by Filip Pizlo.
2805
2806         * dfg/DFGByteCodeParser.cpp:
2807         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2808
2809 2017-10-19  Saam Barati  <sbarati@apple.com>
2810
2811         re-inline ObjectAllocationProfile::initializeProfile
2812         https://bugs.webkit.org/show_bug.cgi?id=178532
2813
2814         Rubber stamped by Michael Saboff.
2815
2816         I un-inlined this function when implementing poly proto.
2817         This patch re-inlines it. In my testing, it looks like it
2818         might be a 0.5% speedometer progression to inline it.
2819
2820         * JavaScriptCore.xcodeproj/project.pbxproj:
2821         * Sources.txt:
2822         * bytecode/CodeBlock.cpp:
2823         * bytecode/ObjectAllocationProfile.cpp: Removed.
2824         * bytecode/ObjectAllocationProfileInlines.h: Copied from Source/JavaScriptCore/bytecode/ObjectAllocationProfile.cpp.
2825         (JSC::ObjectAllocationProfile::initializeProfile):
2826         (JSC::ObjectAllocationProfile::possibleDefaultPropertyCount):
2827         * runtime/FunctionRareData.cpp:
2828
2829 2017-10-19  Michael Saboff  <msaboff@apple.com>
2830
2831         Test262: RegExp/property-escapes/generated/Emoji_Component.js fails with current RegExp Unicode Properties implementation
2832         https://bugs.webkit.org/show_bug.cgi?id=178521
2833
2834         Reviewed by JF Bastien.
2835
2836         * ucd/emoji-data.txt: Replaced with the Unicode Emoji 5.0 version of the file as that is the most recent
2837         standard version.  The prior version was the draft 6.0 version.
2838
2839 2017-10-19  Saam Barati  <sbarati@apple.com>
2840
2841         We should hard code the poly proto offset
2842         https://bugs.webkit.org/show_bug.cgi?id=178531
2843
2844         Reviewed by Filip Pizlo.
2845
2846         This patch embraces that the poly proto offset is always zero. It's already
2847         the case that we would always get the inline offset zero for poly proto just
2848         by construction. This just hardcodes this assumption throughout the codebase.
2849         This appears to be a 1% speedometer progression in my testing.
2850         
2851         The downside of this patch is that it may require changing how we do
2852         things when we implement poly proto when inheriting from builtin
2853         types. I think we can face this problem when we decide to implement
2854         that.
2855
2856         * bytecode/AccessCase.cpp:
2857         (JSC::AccessCase::generateWithGuard):
2858         * dfg/DFGOperations.cpp:
2859         * dfg/DFGSpeculativeJIT.cpp:
2860         (JSC::DFG::SpeculativeJIT::compileInstanceOfForObject):
2861         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
2862         * ftl/FTLLowerDFGToB3.cpp:
2863         (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
2864         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
2865         * jit/JITOpcodes.cpp:
2866         (JSC::JIT::emit_op_instanceof):
2867         * jit/JITOpcodes32_64.cpp:
2868         (JSC::JIT::emit_op_instanceof):
2869         * runtime/CommonSlowPaths.cpp:
2870         (JSC::SLOW_PATH_DECL):
2871         * runtime/JSObject.cpp:
2872         (JSC::JSObject::setPrototypeDirect):
2873         * runtime/JSObject.h:
2874         (JSC::JSObject::locationForOffset const):
2875         (JSC::JSObject::locationForOffset):
2876         (JSC::JSObject::getDirect const):
2877         * runtime/PropertyOffset.h:
2878         * runtime/Structure.cpp:
2879         (JSC::Structure::create):
2880         (JSC::Structure::dump const):
2881         * runtime/Structure.h:
2882         * runtime/StructureInlines.h:
2883         (JSC::Structure::storedPrototype const):
2884         (JSC::Structure::storedPrototypeObject const):
2885
2886 2017-10-19  Saam Barati  <sbarati@apple.com>
2887
2888         Turn various poly proto RELEASE_ASSERTs into ASSERTs because they're on the hot path in speedometer
2889         https://bugs.webkit.org/show_bug.cgi?id=178529
2890
2891         Reviewed by Mark Lam.
2892
2893         * runtime/Structure.h:
2894         * runtime/StructureInlines.h:
2895         (JSC::Structure::storedPrototypeObject const):
2896         (JSC::Structure::storedPrototypeStructure const):
2897         (JSC::Structure::storedPrototype const):
2898         (JSC::Structure::prototypeForLookup const):
2899         (JSC::Structure::prototypeChain const):
2900
2901 2017-10-19  Saam Barati  <sbarati@apple.com>
2902
2903         Turn poly proto back on by default and remove the option
2904         https://bugs.webkit.org/show_bug.cgi?id=178525
2905
2906         Reviewed by Mark Lam.
2907
2908         I added this option because I thought it'd speed speedometer up because the
2909         original poly proto patch slowed speedometer down. It turns out that
2910         allocating poly proto objects is not what slows speedometer down. It's
2911         other code I added in the runtime that needs to be poly proto aware. I'll
2912         be addressing these in follow up patches.
2913
2914         * runtime/Options.h:
2915         * runtime/StructureInlines.h:
2916         (JSC::Structure::shouldConvertToPolyProto):
2917
2918 2017-10-19  Robin Morisset  <rmorisset@apple.com>
2919
2920         Turn recursive tail calls into loops
2921         https://bugs.webkit.org/show_bug.cgi?id=176601
2922
2923         Reviewed by Saam Barati.
2924
2925         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
2926         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
2927         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
2928         We do this part through modifying the computation of the jump targets.
2929         Importantly, we only do this splitting for functions that have tail calls.
2930         It is the only case where the optimisation is sound, and doing the splitting unconditionnaly destroys performance on Octane/raytrace.
2931
2932         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
2933         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
2934
2935         * bytecode/CodeBlock.h:
2936         (JSC::CodeBlock::hasTailCalls const):
2937         * bytecode/PreciseJumpTargets.cpp:
2938         (JSC::getJumpTargetsForBytecodeOffset):
2939         (JSC::computePreciseJumpTargetsInternal):
2940         * bytecode/UnlinkedCodeBlock.cpp:
2941         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
2942         * bytecode/UnlinkedCodeBlock.h:
2943         (JSC::UnlinkedCodeBlock::hasTailCalls const):
2944         (JSC::UnlinkedCodeBlock::setHasTailCalls):
2945         * bytecompiler/BytecodeGenerator.cpp:
2946         (JSC::BytecodeGenerator::emitEnter):
2947         (JSC::BytecodeGenerator::emitCallInTailPosition):
2948         * dfg/DFGByteCodeParser.cpp:
2949         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
2950         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
2951         (JSC::DFG::ByteCodeParser::handleCall):
2952         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
2953         (JSC::DFG::ByteCodeParser::parseBlock):
2954         (JSC::DFG::ByteCodeParser::parse):
2955
2956 2017-10-18  Mark Lam  <mark.lam@apple.com>
2957
2958         RegExpObject::defineOwnProperty() does not need to compare values if no descriptor value is specified.
2959         https://bugs.webkit.org/show_bug.cgi?id=177600
2960         <rdar://problem/34710985>
2961
2962         Reviewed by Saam Barati.
2963
2964         According to http://www.ecma-international.org/ecma-262/8.0/#sec-validateandapplypropertydescriptor,
2965         section 9.1.6.3-7.a.ii, we should only check if the value is the same if the
2966         descriptor value is present.
2967
2968         * runtime/RegExpObject.cpp:
2969         (JSC::RegExpObject::defineOwnProperty):
2970
2971 2017-10-18  Keith Miller  <keith_miller@apple.com>
2972
2973         Setup WebCore build to start using unified sources.
2974         https://bugs.webkit.org/show_bug.cgi?id=178362
2975
2976         Reviewed by Tim Horton.
2977
2978         Change comments in source list files. Also, pass explicit names for build files.
2979
2980         * CMakeLists.txt:
2981         * PlatformGTK.cmake:
2982         * PlatformMac.cmake:
2983         * Sources.txt:
2984         * SourcesGTK.txt:
2985         * SourcesMac.txt:
2986
2987 2017-10-18  Commit Queue  <commit-queue@webkit.org>
2988
2989         Unreviewed, rolling out r223321.
2990         https://bugs.webkit.org/show_bug.cgi?id=178476
2991
2992         This protocol change broke some internal builds (Requested by
2993         brrian__ on #webkit).
2994
2995         Reverted changeset:
2996
2997         "Web Inspector: provide a way to enable/disable event
2998         listeners"
2999         https://bugs.webkit.org/show_bug.cgi?id=177451
3000         https://trac.webkit.org/changeset/223321
3001
3002 2017-10-18  Mark Lam  <mark.lam@apple.com>
3003
3004         The compiler should always register a structure when it adds its transitionWatchPointSet.
3005         https://bugs.webkit.org/show_bug.cgi?id=178420
3006         <rdar://problem/34814024>
3007
3008         Reviewed by Saam Barati and Filip Pizlo.
3009
3010         Instead of invoking addLazily() to add a structure's transitionWatchpointSet, we
3011         now invoke Graph::registerAndWatchStructureTransition() on the structure.
3012         registerAndWatchStructureTransition() both registers the structure and add its
3013         transitionWatchpointSet to the plan desired watchpoints.
3014
3015         Graph::registerAndWatchStructureTransition() is based on Graph::registerStructure()
3016         except registerAndWatchStructureTransition() adds the structure's
3017         transitionWatchpointSet unconditionally.
3018
3019         * dfg/DFGArgumentsEliminationPhase.cpp:
3020         * dfg/DFGArrayMode.cpp:
3021         (JSC::DFG::ArrayMode::refine const):
3022         * dfg/DFGByteCodeParser.cpp:
3023         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3024         * dfg/DFGFixupPhase.cpp:
3025         (JSC::DFG::FixupPhase::fixupNode):
3026
3027         * dfg/DFGGraph.cpp:
3028         (JSC::DFG::Graph::registerAndWatchStructureTransition):
3029         * dfg/DFGGraph.h:
3030
3031         * dfg/DFGSpeculativeJIT.cpp:
3032         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
3033         - The second set of addLazily()s is redundant.  This set is executed only when
3034           prototypeChainIsSane is true, and prototypeChainIsSane can only be true if and
3035           only if we've executed the if statement above it.  That preceding if statement
3036           already registerAndWatchStructureTransition() the same 2 structures.  Hence,
3037           this second set can be deleted.
3038
3039         * dfg/DFGWatchpointCollectionPhase.cpp:
3040         (JSC::DFG::WatchpointCollectionPhase::addLazily):
3041         - Deleted an unused function.
3042
3043         * ftl/FTLLowerDFGToB3.cpp:
3044         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
3045
3046 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3047
3048         [JSC] Remove unused private name structure
3049         https://bugs.webkit.org/show_bug.cgi?id=178436
3050
3051         Reviewed by Sam Weinig.
3052
3053         It is no longer used. This patch just removes it.
3054
3055         * runtime/JSGlobalObject.h:
3056         (JSC::JSGlobalObject::numberObjectStructure const):
3057         (JSC::JSGlobalObject::privateNameStructure const): Deleted.
3058
3059 2017-10-18  Ryosuke Niwa  <rniwa@webkit.org>
3060
3061         Fix macOS and iOS builds after r223594.
3062
3063         * JavaScriptCore.xcodeproj/project.pbxproj:
3064
3065 2017-10-18  Yusuke Suzuki  <utatane.tea@gmail.com>
3066
3067         [JSC] __proto__ getter should be fast
3068         https://bugs.webkit.org/show_bug.cgi?id=178067
3069
3070         Reviewed by Saam Barati.
3071
3072         In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
3073         Currently, it is handled as an usual getter call to a generic function. And DFG just emits
3074         Call node for this. It is inefficient since typically we know the `prototype` of the given
3075         object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
3076         If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
3077         we can still change this to efficient access to poly proto slot.
3078
3079         This patch implements GetPrototypeOf DFG node. This node efficiently accesses to prototype of
3080         the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
3081         ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
3082         constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
3083         This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
3084         for ARES-6 ML.
3085
3086         And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.
3087
3088         Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
3089         poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
3090         Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.
3091
3092         This patch improves SixSpeed super.es6 by 3.42x.
3093
3094                                  baseline                  patched
3095
3096         super.es6           123.6666+-3.9917     ^     36.1684+-1.0351        ^ definitely 3.4192x faster
3097
3098         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3099
3100         * dfg/DFGAbstractInterpreterInlines.h:
3101         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3102         * dfg/DFGByteCodeParser.cpp:
3103         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3104         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3105         (JSC::DFG::ByteCodeParser::handleGetById):
3106         * dfg/DFGClobberize.h:
3107         (JSC::DFG::clobberize):
3108         * dfg/DFGDoesGC.cpp:
3109         (JSC::DFG::doesGC):
3110         * dfg/DFGFixupPhase.cpp:
3111         (JSC::DFG::FixupPhase::fixupNode):
3112         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
3113         * dfg/DFGHeapLocation.cpp:
3114         (WTF::printInternal):
3115         * dfg/DFGHeapLocation.h:
3116         * dfg/DFGNode.h:
3117         (JSC::DFG::Node::hasHeapPrediction):
3118         (JSC::DFG::Node::shouldSpeculateFunction):
3119         * dfg/DFGNodeType.h:
3120         * dfg/DFGOperations.cpp:
3121         * dfg/DFGOperations.h:
3122         * dfg/DFGPredictionPropagationPhase.cpp:
3123         * dfg/DFGSafeToExecute.h:
3124         (JSC::DFG::safeToExecute):
3125         * dfg/DFGSpeculativeJIT.cpp:
3126         (JSC::DFG::SpeculativeJIT::speculateFunction):
3127         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3128         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
3129         * dfg/DFGSpeculativeJIT.h:
3130         (JSC::DFG::SpeculativeJIT::callOperation):
3131         * dfg/DFGSpeculativeJIT32_64.cpp:
3132         (JSC::DFG::SpeculativeJIT::compile):
3133         * dfg/DFGSpeculativeJIT64.cpp:
3134         (JSC::DFG::SpeculativeJIT::compile):
3135         * ftl/FTLCapabilities.cpp:
3136         (JSC::FTL::canCompile):
3137         * ftl/FTLLowerDFGToB3.cpp:
3138         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3139         (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
3140         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3141         * jit/IntrinsicEmitter.cpp:
3142         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
3143         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3144         * jit/JITOperations.h:
3145         * runtime/Intrinsic.cpp:
3146         (JSC::intrinsicName):
3147         * runtime/Intrinsic.h:
3148         * runtime/JSGlobalObject.cpp:
3149         (JSC::JSGlobalObject::init):
3150         * runtime/JSGlobalObject.h:
3151         (JSC::JSGlobalObject::booleanPrototype const):
3152         (JSC::JSGlobalObject::numberPrototype const):
3153         (JSC::JSGlobalObject::booleanObjectStructure const):
3154         * runtime/JSGlobalObjectFunctions.cpp:
3155         (JSC::globalFuncProtoGetter):
3156         * runtime/JSGlobalObjectFunctions.h:
3157         * runtime/ObjectConstructor.cpp:
3158         * runtime/ReflectObject.cpp:
3159
3160 2017-10-17  Ryan Haddad  <ryanhaddad@apple.com>
3161
3162         Unreviewed, rolling out r223523.
3163
3164         A test for this change is failing on debug JSC bots.
3165
3166         Reverted changeset:
3167
3168         "[JSC] __proto__ getter should be fast"
3169         https://bugs.webkit.org/show_bug.cgi?id=178067
3170         https://trac.webkit.org/changeset/223523
3171
3172 2017-10-17  Youenn Fablet  <youenn@apple.com>
3173
3174         Add preliminary support for fetch event
3175         https://bugs.webkit.org/show_bug.cgi?id=178171
3176
3177         Reviewed by Chris Dumez.
3178
3179         Adding events
3180
3181         * runtime/JSPromise.h:
3182
3183 2017-10-10  Yusuke Suzuki  <utatane.tea@gmail.com>
3184
3185         [JSC] __proto__ getter should be fast
3186         https://bugs.webkit.org/show_bug.cgi?id=178067
3187
3188         Reviewed by Saam Barati.
3189
3190         In our ES6 class implementation, we access __proto__ field to retrieve super constructor.
3191         Currently, it is handled as an usual getter call to a generic function. And DFG just emits
3192         Call node for this. It is inefficient since typically we know the `prototype` of the given
3193         object when accessing `object.__proto__` since we emit CheckStructure for this `object`.
3194         If Structure has mono proto, we can immediately fold it to constant value. If it is poly proto,
3195         we can still change this to efficient access to poly proto slot.
3196
3197         This patch implements GetPrototypeOf DFG node. This node efficiently accesses to prototype of
3198         the given object. And in AI and ByteCodeParser phase, we attempt to fold it to constant.
3199         ByteCodeParser's folding is a bit important since we have `callee.__proto__` code to get super
3200         constructor. If we can change this to constant, we can reify CallLinkInfo with this constant.
3201         This paves the way to optimizing ArrayConstructor super calls[1], which is particularly important
3202         for ARES-6 ML.
3203
3204         And we also optimize Reflect.getPrototypeOf and Object.getPrototypeOf with this GetPrototypeOf node.
3205
3206         Currently, __proto__ access for poly proto object is not handled well in IC. But we add code handling
3207         poly proto in GetPrototypeOf since Reflect.getPrototypeOf and Object.getPrototypeOf can use it.
3208         Once IC starts handling poly proto & intrinsic getter well, this code will be used for that too.
3209
3210         This patch improves SixSpeed super.es6 by 3.42x.
3211
3212                                  baseline                  patched
3213
3214         super.es6           123.6666+-3.9917     ^     36.1684+-1.0351        ^ definitely 3.4192x faster
3215
3216         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
3217
3218         * dfg/DFGAbstractInterpreterInlines.h:
3219         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3220         * dfg/DFGByteCodeParser.cpp:
3221         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
3222         (JSC::DFG::ByteCodeParser::handleIntrinsicGetter):
3223         (JSC::DFG::ByteCodeParser::handleGetById):
3224         * dfg/DFGClobberize.h:
3225         (JSC::DFG::clobberize):
3226         * dfg/DFGDoesGC.cpp:
3227         (JSC::DFG::doesGC):
3228         * dfg/DFGFixupPhase.cpp:
3229         (JSC::DFG::FixupPhase::fixupNode):
3230         (JSC::DFG::FixupPhase::fixupGetPrototypeOf):
3231         * dfg/DFGHeapLocation.cpp:
3232         (WTF::printInternal):
3233         * dfg/DFGHeapLocation.h:
3234         * dfg/DFGNode.h:
3235         (JSC::DFG::Node::hasHeapPrediction):
3236         (JSC::DFG::Node::shouldSpeculateFunction):
3237         * dfg/DFGNodeType.h:
3238         * dfg/DFGOperations.cpp:
3239         * dfg/DFGOperations.h:
3240         * dfg/DFGPredictionPropagationPhase.cpp:
3241         * dfg/DFGSafeToExecute.h:
3242         (JSC::DFG::safeToExecute):
3243         * dfg/DFGSpeculativeJIT.cpp:
3244         (JSC::DFG::SpeculativeJIT::speculateFunction):
3245         (JSC::DFG::SpeculativeJIT::speculateFinalObject):
3246         (JSC::DFG::SpeculativeJIT::compileGetPrototypeOf):
3247         * dfg/DFGSpeculativeJIT.h:
3248         * dfg/DFGSpeculativeJIT32_64.cpp:
3249         (JSC::DFG::SpeculativeJIT::compile):
3250         * dfg/DFGSpeculativeJIT64.cpp:
3251         (JSC::DFG::SpeculativeJIT::compile):
3252         * ftl/FTLCapabilities.cpp:
3253         (JSC::FTL::canCompile):
3254         * ftl/FTLLowerDFGToB3.cpp:
3255         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3256         (JSC::FTL::DFG::LowerDFGToB3::compileGetPrototypeOf):
3257         (JSC::FTL::DFG::LowerDFGToB3::compileInstanceOf):
3258         * jit/IntrinsicEmitter.cpp:
3259         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
3260         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
3261         * runtime/Intrinsic.cpp:
3262         (JSC::intrinsicName):
3263         * runtime/Intrinsic.h:
3264         * runtime/JSGlobalObject.cpp:
3265         (JSC::JSGlobalObject::init):
3266         * runtime/JSGlobalObjectFunctions.cpp:
3267         (JSC::globalFuncProtoGetter):
3268         * runtime/JSGlobalObjectFunctions.h:
3269         * runtime/ObjectConstructor.cpp:
3270         * runtime/ReflectObject.cpp:
3271
3272 2017-10-17  Keith Miller  <keith_miller@apple.com>
3273
3274         Change WebCore sources to work with unified source builds
3275         https://bugs.webkit.org/show_bug.cgi?id=178229
3276
3277         Rubber stamped by Tim Horton.
3278
3279         * Configurations/FeatureDefines.xcconfig:
3280
3281 2017-10-15  Filip Pizlo  <fpizlo@apple.com>
3282
3283         Make some asserts into release asserts
3284         https://bugs.webkit.org/show_bug.cgi?id=178324
3285
3286         Reviewed by Saam Barati.
3287         
3288         These asserts are not on perf critical paths, so they might as well be release asserts.
3289
3290         * runtime/DataView.h:
3291         (JSC::DataView::get):
3292         (JSC::DataView::set):
3293
3294 2017-10-16  JF Bastien  <jfbastien@apple.com>
3295
3296         JSRunLoopTimer: reduce likely race when used improperly
3297         https://bugs.webkit.org/show_bug.cgi?id=178298
3298         <rdar://problem/32899816>
3299
3300         Reviewed by Saam Barati.
3301
3302         If an API user sets a timer on JSRunLoopTimer, and then racily
3303         destroys the JSRunLoopTimer while the timer is firing then it's
3304         possible for timerDidFire to cause a use-after-free and / or crash
3305         because e.g. m_apiLock becomes a nullptr while timerDidFire is
3306         executing. That results from an invalid use of JSRunLoopTimer, but
3307         we should try to be more resilient for that type of misuse because
3308         it's not necessarily easy to catch by inspection.
3309
3310         With this change the only remaining race is if the timer fires,
3311         and then only timerDidFire's prologue executes, but not the load
3312         of the m_apiLock pointer from `this`. It's a much smaller race.
3313
3314         Separately, I'll reach out to API users who are seemingly misusing
3315         the API.
3316
3317         * runtime/JSRunLoopTimer.cpp:
3318         (JSC::JSRunLoopTimer::timerDidFire): put m_apiLock on the stack,
3319         and checks for nullptr. This prevents loading it twice off of
3320         `this` and turns a nullptr deref into "just" a use-after-free.
3321         (JSC::JSRunLoopTimer::~JSRunLoopTimer): acquire m_apiLock before
3322         calling m_vm->unregisterRunLoopTimer(this), which in turn does
3323         CFRunLoopRemoveTimer / CFRunLoopTimerInvalidate. This prevents
3324         timerDidFire from doing much while the timers are un-registered.
3325         ~JSRunLoopTimer also needs to set m_apiLock to nullptr before
3326         releasing the lock, so it needs its own local copy.
3327
3328 2017-10-15  Yusuke Suzuki  <utatane.tea@gmail.com>
3329
3330         [JSC] Perform module specifier validation at parsing time
3331         https://bugs.webkit.org/show_bug.cgi?id=178256
3332
3333         Reviewed by Darin Adler.
3334
3335         This patch make module loader's `resolve` operation synchronous. And we validate
3336         module's requested module names when instantiating the module instead of satisfying
3337         module's dependencies. This change is not observable to users. But this is precise
3338         to the spec and this optimizes & simplifies the current module loader a bit by
3339         reducing object allocations.
3340
3341         Previously, we have an object called pair in the module loader. This is pair of