WebAssembly: name ExecState consistently
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-03-22  JF Bastien  <jfbastien@apple.com>

        WebAssembly: name ExecState consistently
        https://bugs.webkit.org/show_bug.cgi?id=169954

        Reviewed by Saam Barati.

        No functional change.

        * wasm/js/JSWebAssemblyCompileError.cpp:
        (JSC::JSWebAssemblyCompileError::create):
        (JSC::createJSWebAssemblyCompileError):
        * wasm/js/JSWebAssemblyCompileError.h:
        (JSC::JSWebAssemblyCompileError::create):
        * wasm/js/JSWebAssemblyLinkError.cpp:
        (JSC::JSWebAssemblyLinkError::create):
        (JSC::createJSWebAssemblyLinkError):
        * wasm/js/JSWebAssemblyLinkError.h:
        (JSC::JSWebAssemblyLinkError::create):
        * wasm/js/JSWebAssemblyRuntimeError.cpp:
        (JSC::JSWebAssemblyRuntimeError::create):
        * wasm/js/JSWebAssemblyRuntimeError.h:
        (JSC::JSWebAssemblyRuntimeError::create):
        * wasm/js/WebAssemblyInstanceConstructor.cpp:
        (JSC::callJSWebAssemblyInstance):
        * wasm/js/WebAssemblyMemoryConstructor.cpp:
        (JSC::callJSWebAssemblyMemory):
        * wasm/js/WebAssemblyModuleConstructor.cpp:
        (JSC::callJSWebAssemblyModule):
        (JSC::WebAssemblyModuleConstructor::createModule):
        * wasm/js/WebAssemblyModuleRecord.cpp:
        (JSC::WebAssemblyModuleRecord::link):
        (JSC::dataSegmentFail):
        (JSC::WebAssemblyModuleRecord::evaluate):
        * wasm/js/WebAssemblyPrototype.cpp:
        (JSC::webAssemblyFunctionValidate):
        (JSC::webAssemblyFunctionCompile):
        * wasm/js/WebAssemblyTableConstructor.cpp:
        (JSC::callJSWebAssemblyTable):

2017-03-22  JF Bastien  <jfbastien@apple.com>

        WebAssembly: constructors without new don't throw
        https://bugs.webkit.org/show_bug.cgi?id=165995

        Reviewed by Saam Barati.

        * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyCompileError):
        (JSC::callJSWebAssemblyCompileError):
        * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyLinkError):
        (JSC::callJSWebAssemblyLinkError):
        * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
        (JSC::constructJSWebAssemblyRuntimeError):
        (JSC::callJSWebAssemblyRuntimeError):

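As an added example (not code from this patch or from WebKit), the following JavaScript probes each WebAssembly JS-API constructor with and without `new`. It assumes a JavaScript engine with WebAssembly enabled, such as Node.js; the helper names (`probe`, `probeAll`, `deviations`) and the constructed empty-module bytes are ours. The expected outcomes come from the WebAssembly JS API rather than from the ChangeLog: CompileError, LinkError and RuntimeError have NativeError structure, so calling them without `new` still returns an error object, while Module, Instance, Memory and Table are WebIDL constructors and throw a TypeError without `new`.

```javascript
// Added example, not code from the WebKit patch: probe how each WebAssembly
// JS-API constructor behaves when called with and without `new`.
// Assumes a JavaScript engine with WebAssembly enabled (Node.js or a
// browser); nothing here touches JavaScriptCore internals.

// Smallest valid module (magic + version, no sections), constructed inline.
const EMPTY_MODULE = new Uint8Array([0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00]);

// Call `ctor` with `args`, with or without `new`, and report what happened.
function probe(ctor, args, useNew) {
  try {
    const value = useNew ? new ctor(...args) : ctor(...args);
    return { outcome: 'returned', value };
  } catch (error) {
    return { outcome: 'threw', error };
  }
}

// Classify a probe result: an instance of the constructor, a TypeError, or other.
function classify(ctor, result) {
  if (result.outcome === 'returned') {
    return result.value instanceof ctor ? 'instance' : 'other';
  }
  return result.error instanceof TypeError ? 'TypeError' : 'other';
}

// Constructors the entries above touch; arguments chosen so the `new` form works.
function cases() {
  return [
    ['CompileError', WebAssembly.CompileError, ['bad bytes']],
    ['LinkError',    WebAssembly.LinkError,    ['unresolved import']],
    ['RuntimeError', WebAssembly.RuntimeError, ['trap']],
    ['Module',       WebAssembly.Module,       [EMPTY_MODULE]],
    ['Instance',     WebAssembly.Instance,     [new WebAssembly.Module(EMPTY_MODULE)]],
    ['Memory',       WebAssembly.Memory,       [{ initial: 1 }]],
    ['Table',        WebAssembly.Table,        [{ element: 'anyfunc', initial: 0 }]],
  ];
}

// name -> { withNew, withoutNew }, each 'instance' | 'TypeError' | 'other'.
function probeAll() {
  const report = {};
  for (const [name, ctor, args] of cases()) {
    report[name] = {
      withNew: classify(ctor, probe(ctor, args, true)),
      withoutNew: classify(ctor, probe(ctor, args, false)),
    };
  }
  return report;
}

// Per the WebAssembly JS API: the three error types have NativeError
// structure, so calling them without `new` returns an error object;
// Module, Instance, Memory and Table are WebIDL constructors and throw
// TypeError without `new`. Returns the names whose behaviour deviates.
function deviations() {
  const report = probeAll();
  const callableWithoutNew = new Set(['CompileError', 'LinkError', 'RuntimeError']);
  return Object.keys(report).filter((name) => {
    const expectedWithoutNew = callableWithoutNew.has(name) ? 'instance' : 'TypeError';
    return report[name].withNew !== 'instance' || report[name].withoutNew !== expectedWithoutNew;
  });
}

console.log(probeAll());
console.log('deviations from the JS API:', deviations());
```

`deviations()` returns an empty array on a conforming engine; a non-empty array names the constructor whose call-without-`new` path is wrong, which is the kind of check a conformance test for this fix would make.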
2017-03-22  Guillaume Emont  <guijemont@igalia.com>

        [DFG] Don't use ArraySlice intrinsic on MIPS
        https://bugs.webkit.org/show_bug.cgi?id=169721

        Reviewed by Yusuke Suzuki.

        Like on x86, we don't have enough registers available for this.

        * assembler/CPU.h:
        (JSC::isMIPS): Added.
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        Don't use the ArraySlice intrinsic on MIPS.

2017-03-21  Mark Lam  <mark.lam@apple.com>

        The DFG Integer Check Combining phase should force an OSR exit for CheckInBounds on a negative constant min bound.
        https://bugs.webkit.org/show_bug.cgi?id=169933
        <rdar://problem/31105125>

        Reviewed by Filip Pizlo and Geoffrey Garen.

        Also fixed the bit-rotted RangeKey::dump() function.

        * dfg/DFGIntegerCheckCombiningPhase.cpp:
        (JSC::DFG::IntegerCheckCombiningPhase::handleBlock):

2017-03-21  Csaba Osztrogonác  <ossy@webkit.org>

        [ARM] Add missing MacroAssembler functions after r214187
        https://bugs.webkit.org/show_bug.cgi?id=169912

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::loadFloat):
        (JSC::MacroAssemblerARM::storeFloat):

2017-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Optimize Number.prototype.toString on Int32 / Int52 / Double
        https://bugs.webkit.org/show_bug.cgi?id=167454

        Reviewed by Saam Barati.

        This patch improves Number.toString(radix) performance
        by introducing NumberToStringWithRadix DFG node. It directly
        calls the operation and it always returns String.

                                                       baseline                  patched

            stanford-crypto-sha256-iterative        45.130+-0.928             44.032+-1.184           might be 1.0250x faster

2017-03-21  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Add JSPromiseDeferred::reject(ExecState*, Exception*) interface
        https://bugs.webkit.org/show_bug.cgi?id=169908

        Reviewed by Sam Weinig.

        To avoid calling reject(ExecState*, JSValue) with Exception* accidentally,
        we add a new interface reject(ExecState*, Exception*).
        Such an interface is already added in DOMPromise in WebCore.

        * runtime/JSInternalPromiseDeferred.cpp:
        (JSC::JSInternalPromiseDeferred::reject):
        * runtime/JSInternalPromiseDeferred.h:
        * runtime/JSPromiseDeferred.cpp:
        (JSC::JSPromiseDeferred::reject):
        * runtime/JSPromiseDeferred.h:

2017-03-21  Zan Dobersek  <zdobersek@igalia.com>

        [jsc] MacroAssemblerMIPS: implement the branchPtr(RelationalCondition, BaseIndex, RegisterID) overload.
        https://bugs.webkit.org/show_bug.cgi?id=169717

        Reviewed by Yusuke Suzuki.

        * assembler/MacroAssembler.h: Expose branchPtr() on MIPS as well.
        * assembler/MacroAssemblerMIPS.h:
        (JSC::MacroAssemblerMIPS::branchPtr): Added.

        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGByteCodeParser.cpp:
        (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
        * dfg/DFGNodeType.h:
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructor):
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnNumber):
        (JSC::DFG::SpeculativeJIT::compileNumberToStringWithRadix):
        (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell): Deleted.
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGStrengthReductionPhase.cpp:
        (JSC::DFG::StrengthReductionPhase::handleNode):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
        (JSC::FTL::DFG::LowerDFGToB3::compileNumberToStringWithRadix):
        * jit/CCallHelpers.h:
        (JSC::CCallHelpers::setupArgumentsWithExecState):
        * jit/JITOperations.h:
        * runtime/Intrinsic.h:
        * runtime/NumberPrototype.cpp:
        (JSC::int52ToStringWithRadix):
        (JSC::int32ToStringInternal):
        (JSC::numberToStringInternal):
        (JSC::int32ToString):
        (JSC::int52ToString):
        (JSC::numberToString):
        (JSC::numberProtoFuncToString):
        (JSC::integerValueToString): Deleted.
        * runtime/NumberPrototype.h:
        * runtime/StringPrototype.cpp:
        (JSC::StringPrototype::finishCreation):

2017-03-20  Filip Pizlo  <fpizlo@apple.com>

        Graph coloring should use coalescable moves when spilling
        https://bugs.webkit.org/show_bug.cgi?id=169820

        Reviewed by Michael Saboff.

        This makes our graph coloring register allocator use a new family of move instructions when
        spilling both operands of the move. It's a three-operand move:

            Move (src), (dst), %scratch

        Previously, if both operands got spilled, we would emit a new instruction to load or store that
        spill slot. But this made it hard for allocateStack to see that the two spill locations are
        coalescable. This new kind of instruction makes it obvious that it's a coalescable move.

        This change implements the coalescing of spill slots inside allocateStack.

        This is an outrageous speed-up on the tsf_ir_speed benchmark from http://filpizlo.com/tsf/. This
        is an interesting benchmark because it has a super ugly interpreter loop with ~20 live variables
        carried around the loop back edge. This change makes that interpreter run 5x faster.

        This isn't a speed-up on any other benchmarks. It also doesn't regress anything. Compile time is
        neither progressed nor regressed, since the coalescing is super cheap, and this does not add any
        significant new machinery to the register allocator (it's just a small change to spill codegen).
        Overall on our wasm benchmarks, this is a 16% throughput progression.

        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::move):
        (JSC::MacroAssembler::move32):
        (JSC::MacroAssembler::moveFloat):
        (JSC::MacroAssembler::moveDouble):
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        (JSC::B3::Air::allocateRegistersByGraphColoring):
        * b3/air/AirAllocateStack.cpp:
        (JSC::B3::Air::allocateStack):
        * b3/air/AirInst.cpp:
        (JSC::B3::Air::Inst::hasEarlyDef):
        (JSC::B3::Air::Inst::hasLateUseOrDef):
        (JSC::B3::Air::Inst::needsPadding):
        * b3/air/AirInst.h:
        * b3/air/AirOpcode.opcodes:
        * b3/air/AirPadInterference.cpp:
        (JSC::B3::Air::padInterference):
        * runtime/Options.h:

2017-03-19  Chris Dumez  <cdumez@apple.com>

        `const location = "foo"` throws in a worker
        https://bugs.webkit.org/show_bug.cgi?id=169839

        Reviewed by Mark Lam.

        Our HasRestrictedGlobalProperty check in JSC was slightly wrong, causing us
        to sometimes throw a Syntax exception when we shouldn't when declaring a
        const/let variable and sometimes not throw an exception when we should have.

        This aligns our behavior with ES6, Firefox and Chrome.

        * runtime/ProgramExecutable.cpp:
        (JSC::hasRestrictedGlobalProperty):
        (JSC::ProgramExecutable::initializeGlobalProperties):
        Rewrite hasRestrictedGlobalProperty logic as per the EcmaScript spec:
        - http://www.ecma-international.org/ecma-262/6.0/index.html#sec-hasproperty
        In particular, there were 2 issues:
        - We should throw a SyntaxError if hasProperty() returned true but getOwnProperty()
          would fail to return a descriptor. This would happen for properties that are
          not OWN properties, but defined somewhere in the prototype chain. The spec does
          not say to use hasProperty(), only getOwnProperty() and says we should return
          false if getOwnProperty() does not return a descriptor. This is what we do now.
        - We would fail to throw when declaring a let/const variable that shadows an own
          property whose value is undefined. This is because the previous code was
          explicitly checking for this case. I believe this was a misinterpretation of
          ES6 which says:
          """
          Let desc be O.[[GetOwnProperty]](P).
          If desc is undefined, return false.
          """
          We should check that desc is undefined, not desc.value. This is now fixed.

2017-03-19  Yusuke Suzuki  <utatane.tea@gmail.com>

        import(arg) crashes when ToString(arg) throws
        https://bugs.webkit.org/show_bug.cgi?id=169778

        Reviewed by Saam Barati.

        JSPromiseDeferred should not be rejected with Exception*.

        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::globalFuncImportModule):

2017-03-18  Oleksandr Skachkov  <gskachkov@gmail.com>

        [JSC] Remove unnecessary condition from needsDerivedConstructorInArrowFunctionLexicalEnvironment in BytecodeGenerator.cpp
        https://bugs.webkit.org/show_bug.cgi?id=169832

        Reviewed by Mark Lam.

        Remove already covered condition in needsDerivedConstructorInArrowFunctionLexicalEnvironment
        function. Condition isConstructor() && constructorKind() == ConstructorKind::Extends is already
        isClassContext.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::needsDerivedConstructorInArrowFunctionLexicalEnvironment):

2017-03-18  Chris Dumez  <cdumez@apple.com>

        Allow setting the prototype of cross-origin objects, as long as they don't change
        https://bugs.webkit.org/show_bug.cgi?id=169787

        Reviewed by Mark Lam.

        * runtime/JSGlobalObject.h:
        Mark JS global object as an immutable prototype exotic object to match Window.

        * runtime/JSObject.cpp:
        (JSC::JSObject::setPrototypeWithCycleCheck):
        Update setPrototypeWithCycleCheck() for immutable prototype exotic objects in order
        to align with:
        - https://tc39.github.io/ecma262/#sec-set-immutable-prototype

        In particular, we need to call [[GetPrototypeOf]] and return true if it returns the same
        value as the new prototype. We really need to call [[GetPrototypeOf]] and not merely
        getting the prototype slot via getPrototypeDirect() since Location and Window override
        [[GetPrototypeOf]] to return null in the cross-origin case.

        * runtime/JSProxy.cpp:
        (JSC::JSProxy::setPrototype):
        Update JSProxy::setPrototype() to forward such calls to its target. This is needed so
        we end up calling JSObject::setPrototypeWithCycleCheck() for the Window object.
        Handling immutable prototype exotic objects in that method does the right thing for
        Window.

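Added example, not code from this patch or from WebKit: SetImmutablePrototype(O, V) as ECMAScript defines it, a small model of the cross-origin case the entry describes (hypothetical model objects, not WebKit's Window or Location), and a live check against Object.prototype, which the specification makes an immutable prototype exotic object. Function names are ours; it runs in any modern JavaScript engine.

```javascript
// Added example, not code from the WebKit patch: SetImmutablePrototype(O, V)
// as the spec defines it, a model of the cross-origin case, and a live check
// against Object.prototype. Model objects and names are our own.

// SetImmutablePrototype(O, V):
//   1. Let current be ? O.[[GetPrototypeOf]]().
//   2. If SameValue(V, current) is true, return true.
//   3. Return false.
// `getPrototypeOf` is the object's observable [[GetPrototypeOf]], not a raw slot read.
function setImmutablePrototype(getPrototypeOf, newProto) {
  const current = getPrototypeOf();
  return Object.is(newProto, current);
}

// Model of a cross-origin-aware object: the internal slot holds the real
// prototype, but [[GetPrototypeOf]] reports null to a cross-origin caller.
function makeModel(realProto, callerIsCrossOrigin) {
  return {
    slot: realProto,
    getPrototypeOf() { return callerIsCrossOrigin ? null : this.slot; },
  };
}

// Correct: compare against what [[GetPrototypeOf]] returns (the entry's point).
function setPrototypeViaGetPrototypeOf(model, newProto) {
  return setImmutablePrototype(() => model.getPrototypeOf(), newProto);
}

// Wrong: compare against the raw slot (what a direct slot read would see).
function setPrototypeViaSlot(model, newProto) {
  return Object.is(newProto, model.slot);
}

// Both strategies for a cross-origin caller setting null or the real prototype.
function crossOriginOutcomes() {
  const realProto = { tag: 'real prototype' };
  const model = makeModel(realProto, true);
  return {
    setNull: {
      viaGetPrototypeOf: setPrototypeViaGetPrototypeOf(model, null),
      viaSlot: setPrototypeViaSlot(model, null),
    },
    setReal: {
      viaGetPrototypeOf: setPrototypeViaGetPrototypeOf(model, realProto),
      viaSlot: setPrototypeViaSlot(model, realProto),
    },
  };
}

// Live check on Object.prototype: Reflect.setPrototypeOf returns the
// [[SetPrototypeOf]] result; Object.setPrototypeOf throws TypeError on false.
function objectPrototypeOutcomes() {
  let threw = false;
  try {
    Object.setPrototypeOf(Object.prototype, {});
  } catch (e) {
    threw = e instanceof TypeError;
  }
  return {
    sameValueNull: Reflect.setPrototypeOf(Object.prototype, null),   // unchanged: true
    otherObject: Reflect.setPrototypeOf(Object.prototype, {}),       // would change: false
    setPrototypeOfThrows: threw,
  };
}

console.log(crossOriginOutcomes());
console.log(objectPrototypeOutcomes());
```

For the cross-origin caller, the [[GetPrototypeOf]]-based comparison accepts `null` (the only value that caller can observe) and rejects the real prototype, while the slot-based comparison answers the other way round on both, which is inconsistent with what the caller can see. The Object.prototype check shows the same rule in an engine: setting the prototype to its current value succeeds, anything else is refused.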
2017-03-17  Michael Saboff  <msaboff@apple.com>

        Use USE_INTERNAL_SDK to compute ENABLE_FAST_JIT_PERMISSIONS instead of HAVE_INTERNAL_SDK
        https://bugs.webkit.org/show_bug.cgi?id=169817

        Reviewed by Filip Pizlo.

        * Configurations/FeatureDefines.xcconfig:

2017-03-11  Filip Pizlo  <fpizlo@apple.com>

        Air should be powerful enough to support Tmp-splitting
        https://bugs.webkit.org/show_bug.cgi?id=169515

        Reviewed by Saam Barati.

        In the process of implementing the Tmp-splitting optimization, I made some small
        clean-ups. They don't affect anything - it's basically moving code around and adding
        utility functions.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/LinkBuffer.cpp:
        (JSC::LinkBuffer::allocate): testb3 was sometimes failing its checkDoesNotUseInstruction check because of uninitialized memory. This initializes the internal fragmentation slop of every JIT allocation.
        * b3/air/AirAllocateRegistersByGraphColoring.cpp:
        * b3/air/AirAllocateRegistersByGraphColoring.h:
        (JSC::B3::Air::useIRC): It's useful to be able to query which register allocator we're using.
        * b3/air/AirArg.cpp:
        (WTF::printInternal):
        * b3/air/AirArg.h:
        (JSC::B3::Air::Arg::temperature): The temperature of a role is a useful concept to have factored out.
        * b3/air/AirBreakCriticalEdges.cpp: Added.
        (JSC::B3::Air::breakCriticalEdges): I was surprised that we didn't have this already. It's a pretty fundamental CFG utility.
        * b3/air/AirBreakCriticalEdges.h: Added.
        * b3/air/AirGenerate.cpp:
        * b3/air/AirInsertionSet.h: You can't use & if you want copy-constructibility, which seems to be a prerequisite to IndexMap<BasicBlock, InsertionSet>.
        (JSC::B3::Air::InsertionSet::InsertionSet):
        (JSC::B3::Air::InsertionSet::code):
        * b3/air/AirLiveness.h: Teach Liveness to track only warm liveness.
        (JSC::B3::Air::TmpLivenessAdapter::acceptsRole):
        (JSC::B3::Air::StackSlotLivenessAdapter::acceptsRole):
        (JSC::B3::Air::RegLivenessAdapter::acceptsRole):
        (JSC::B3::Air::AbstractLiveness::AbstractLiveness):
        (JSC::B3::Air::AbstractLiveness::LocalCalc::execute):

2017-03-16  Mark Lam  <mark.lam@apple.com>

        Fix exception scope verification failures in GenericArgumentsInlines.h.
        https://bugs.webkit.org/show_bug.cgi?id=165012

        Reviewed by Saam Barati.

        * runtime/GenericArgumentsInlines.h:
        (JSC::GenericArguments<Type>::defineOwnProperty):

2017-03-16  Simon Fraser  <simon.fraser@apple.com>

        Improve the system tracing points
        https://bugs.webkit.org/show_bug.cgi?id=169790

        Reviewed by Zalan Bujtas.

        Use a more cohesive set of system trace points that give a good overview of what
        WebKit is doing. Added points for resource loading, render tree building, sync messages
        to the web process, async image decode, WASM and fetching cookies.

        * wasm/WasmPlan.cpp:
        (JSC::Wasm::Plan::run):
        * wasm/js/WebAssemblyFunction.cpp:
        (JSC::callWebAssemblyFunction):

2017-03-16  Mark Lam  <mark.lam@apple.com>

        Array concat operation should check for length overflows.
        https://bugs.webkit.org/show_bug.cgi?id=169796
        <rdar://problem/31095276>

        Reviewed by Keith Miller.

        * runtime/ArrayPrototype.cpp:
        (JSC::concatAppendOne):
        (JSC::arrayProtoPrivateFuncConcatMemcpy):

2017-03-16  Mark Lam  <mark.lam@apple.com>

        The new array with spread operation needs to check for length overflows.
        https://bugs.webkit.org/show_bug.cgi?id=169780
        <rdar://problem/31072182>

        Reviewed by Filip Pizlo.

        * dfg/DFGOperations.cpp:
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):
        * llint/LLIntSlowPaths.cpp:
        * runtime/CommonSlowPaths.cpp:
        (JSC::SLOW_PATH_DECL):
        * runtime/JSGlobalObject.cpp:

2017-03-16  Filip Pizlo  <fpizlo@apple.com>

        FTL should support global and eval code
        https://bugs.webkit.org/show_bug.cgi?id=169656

        Reviewed by Geoffrey Garen and Saam Barati.

        Turned off the restriction against global and eval code running in the FTL, and then fixed all of
        the things that didn't work.

        This is a big speed-up on microbenchmarks that I wrote for this patch. One of the reasons why we
        hadn't done this earlier is that we've never seen a benchmark that needed it. Global and eval
        code rarely gets FTL-hot. Still, this seems like possibly a small JetStream speed-up.

        * dfg/DFGJITCode.cpp:
        (JSC::DFG::JITCode::setOSREntryBlock): I outlined this for better debugging.
        * dfg/DFGJITCode.h:
        (JSC::DFG::JITCode::setOSREntryBlock): Deleted.
        * dfg/DFGNode.h:
        (JSC::DFG::Node::isSemanticallySkippable): It turns out that global code often has InvalidationPoints before LoopHints. They are also skippable from the standpoint of OSR entrypoint analysis.
        * dfg/DFGOperations.cpp: Don't do any normal compiles of global code - just do OSR compiles.
        * ftl/FTLCapabilities.cpp: Enable FTL for global and eval code.
        (JSC::FTL::canCompile):
        * ftl/FTLCompile.cpp: Just debugging clean-ups.
        (JSC::FTL::compile):
        * ftl/FTLJITFinalizer.cpp: Implement finalize() and ensure that we only do things with the entrypoint buffer if we have one. We won't have one for eval code that we aren't OSR entering into.
        (JSC::FTL::JITFinalizer::finalize):
        (JSC::FTL::JITFinalizer::finalizeFunction):
        (JSC::FTL::JITFinalizer::finalizeCommon):
        * ftl/FTLJITFinalizer.h:
        * ftl/FTLLink.cpp: When entering a function normally, we need the "entrypoint" to put the arity check code. Global and eval code don't need this.
        (JSC::FTL::link):
        * ftl/FTLOSREntry.cpp: Fix a dataLog statement.
        (JSC::FTL::prepareOSREntry):
        * ftl/FTLOSRExitCompiler.cpp: Remove dead code that happened to assert that we're exiting from a function.
        (JSC::FTL::compileStub):

2017-03-16  Michael Saboff  <msaboff@apple.com>

        WebAssembly: function-tests/load-offset.js fails on ARM64
        https://bugs.webkit.org/show_bug.cgi?id=169724

        Reviewed by Keith Miller.

        We need to use the two source version of Add64 to create a Wasm address with the
        other source the first child.

        * b3/B3LowerToAir.cpp:
        (JSC::B3::Air::LowerToAir::lower):

2017-03-16  Jon Lee  <jonlee@apple.com>

        Add FIXMEs to update WebRTC
        https://bugs.webkit.org/show_bug.cgi?id=169735

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h: Add RTCIceTransport.

2017-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, copy m_numberOfArgumentsToSkip
        https://bugs.webkit.org/show_bug.cgi?id=164582

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::CodeBlock):

2017-03-16  Yusuke Suzuki  <utatane.tea@gmail.com>

        Unreviewed, fix numParameter() - 1 OSRExit materialization
        https://bugs.webkit.org/show_bug.cgi?id=164582

        When materializing rest parameters, we rely on numParameter() - 1 being equal to
        the numberOfArgumentsToSkip. But this assumption is broken in r214029.

        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::finishCreation):
        * bytecode/CodeBlock.h:
        (JSC::CodeBlock::numberOfArgumentsToSkip):
        * ftl/FTLOperations.cpp:
        (JSC::FTL::operationMaterializeObjectInOSR):

2017-03-16  Caio Lima  <ticaiolima@gmail.com>

        [ESnext] Implement Object Spread
        https://bugs.webkit.org/show_bug.cgi?id=167963

        Reviewed by Yusuke Suzuki.

        This patch implements ECMA262 stage 3 Object Spread proposal [1].
        It's implemented using CopyDataProperties to copy all enumerable keys
        from the object being spread.

        It's also fixing CopyDataProperties that was using
        Object.getOwnPropertyNames to list all keys to be copied, and now is
        using Reflect.ownKeys.

        [1] - https://github.com/sebmarkbage/ecmascript-rest-spread

        * builtins/GlobalOperations.js:
        (globalPrivate.copyDataProperties):
        * bytecode/CodeBlock.cpp:
        (JSC::CodeBlock::setConstantIdentifierSetRegisters):
        * bytecode/UnlinkedCodeBlock.h:
        (JSC::UnlinkedCodeBlock::addSetConstant):
        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::BytecodeGenerator::emitLoad):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/NodesCodegen.cpp:
        (JSC::PropertyListNode::emitBytecode):
        (JSC::ObjectPatternNode::bindValue):
        (JSC::ObjectSpreadExpressionNode::emitBytecode):
        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createObjectSpreadExpression):
        (JSC::ASTBuilder::createProperty):
        * parser/NodeConstructors.h:
        (JSC::PropertyNode::PropertyNode):
        (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
        * parser/Nodes.h:
        (JSC::ObjectSpreadExpressionNode::expression):
        * parser/Parser.cpp:
        (JSC::Parser<LexerType>::parseProperty):
        * parser/SyntaxChecker.h:
        (JSC::SyntaxChecker::createObjectSpreadExpression):
        (JSC::SyntaxChecker::createProperty):
        * runtime/JSGlobalObject.cpp:
        (JSC::JSGlobalObject::init):
        * runtime/JSGlobalObjectFunctions.cpp:
        (JSC::privateToObject): Deleted.
        * runtime/JSGlobalObjectFunctions.h:

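Added example, not code from this patch or from WebKit: CopyDataProperties as ECMAScript defines it, using Reflect.ownKeys, beside the Object.getOwnPropertyNames variant the entry says was replaced, and a comparison with the engine's native object spread and object rest. The fixture object and helper names are ours; it runs in any engine with object spread (Node.js 8.3 or later).

```javascript
// Added example, not code from the WebKit patch: CopyDataProperties(target,
// source, excludedItems) per spec, the string-keys-only variant it replaced,
// and a check that native `{ ...src }` / object rest agree with the spec
// routine. Fixture and helper names are our own.

// Spec: for each own key of ToObject(source) not in excludedItems, if the
// property is enumerable, [[Get]] it (getters run) and CreateDataProperty
// on target (a plain data property; setters on target are not invoked).
function copyDataProperties(target, source, excludedItems = []) {
  if (source === undefined || source === null) return target;   // spec: nothing to copy
  const from = Object(source);                                   // ToObject(source)
  for (const key of Reflect.ownKeys(from)) {                     // string keys, then symbols
    if (excludedItems.includes(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc !== undefined && desc.enumerable) {
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// The variant the entry says was replaced: Object.getOwnPropertyNames
// never reports symbol-keyed properties, so they are silently dropped.
function copyDataPropertiesNamesOnly(target, source, excludedItems = []) {
  if (source === undefined || source === null) return target;
  const from = Object(source);
  for (const key of Object.getOwnPropertyNames(from)) {
    if (excludedItems.includes(key)) continue;
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc !== undefined && desc.enumerable) {
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

const SECRET = Symbol('secret');

// Constructed source object exercising each rule.
function makeSource() {
  const src = Object.create({ inherited: 'not copied' });          // inherited, not own
  src.a = 1;
  src[SECRET] = 'symbol-keyed, copied';
  Object.defineProperty(src, 'hidden', { value: 'non-enumerable, skipped', enumerable: false });
  Object.defineProperty(src, 'computed', { get() { return 'getter ran'; }, enumerable: true });
  return src;
}

// Own keys as printable strings, in Reflect.ownKeys order (strings, then symbols).
function ownKeyNames(obj) {
  return Reflect.ownKeys(obj).map((k) => (typeof k === 'symbol' ? k.toString() : k));
}

// True when native spread yields the same own keys and values as the spec routine.
function spreadMatchesSpec() {
  const viaSpec = copyDataProperties({}, makeSource());
  const viaSpread = { ...makeSource() };
  return ownKeyNames(viaSpec).join() === ownKeyNames(viaSpread).join() &&
    Reflect.ownKeys(viaSpec).every((k) => viaSpec[k] === viaSpread[k]);
}

// Object rest is CopyDataProperties with the destructured names excluded.
function restMatchesSpec() {
  const { a, ...rest } = makeSource();
  const viaSpec = copyDataProperties({}, makeSource(), ['a']);
  return a === 1 && ownKeyNames(rest).join() === ownKeyNames(viaSpec).join();
}

console.log(ownKeyNames(copyDataProperties({}, makeSource())));          // [ 'a', 'computed', 'Symbol(secret)' ]
console.log(ownKeyNames(copyDataPropertiesNamesOnly({}, makeSource()))); // [ 'a', 'computed' ]
console.log(spreadMatchesSpec(), restMatchesSpec());                     // true true
```

The difference between the two routines is exactly the symbol-keyed property: with Reflect.ownKeys it is copied, with Object.getOwnPropertyNames it is lost. Both skip the inherited and non-enumerable properties, and both invoke the getter once, since the copy is value-based.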
562 2017-03-15  Yusuke Suzuki  <utatane.tea@gmail.com>
563
564         [JSC] Default parameter part should be retrieved by op_get_argument opcode instead of changing arity
565         https://bugs.webkit.org/show_bug.cgi?id=164582
566
567         Reviewed by Saam Barati.
568
569         Previously we implement the default parameters as follows.
570
571             1. We count the default parameters as the usual parameters.
572             2. We just get the argument register.
573             3. Check it with op_is_undefined.
574             4. And fill the binding with either the argument register or default value.
575
576         The above is simple. However, it has the side effect that it always increase the arity of the function.
577         While `function.length` does not increase, internally, the number of parameters of CodeBlock increases.
578         This effectively prevent our DFG / FTL to perform inlining: currently we only allows DFG to inline
579         the function with the arity less than or equal the number of passing arguments. It is OK. But when using
580         default parameters, we frequently do not pass the argument for the parameter with the default value.
581         Thus, in our current implementation, we frequently need to fixup the arity. And we frequently fail
582         to inline the function.
583
584         This patch fixes the above problem by not increasing the arity of the function. When we encounter the
585         parameter with the default value, we use `op_argument` to get the argument instead of using the argument
586         registers.
587
588         This improves six-speed defaults.es6 performance by 4.45x.
589
590             defaults.es6        968.4126+-101.2350   ^    217.6602+-14.8831       ^ definitely 4.4492x faster
591
592         * bytecode/UnlinkedFunctionExecutable.cpp:
593         (JSC::UnlinkedFunctionExecutable::UnlinkedFunctionExecutable):
594         * bytecode/UnlinkedFunctionExecutable.h:
595         * bytecompiler/BytecodeGenerator.cpp:
596         (JSC::BytecodeGenerator::BytecodeGenerator):
597         (JSC::BytecodeGenerator::initializeDefaultParameterValuesAndSetupFunctionScopeStack):
598         (JSC::BytecodeGenerator::initializeNextParameter):
599         (JSC::BytecodeGenerator::initializeParameters):
600         * bytecompiler/BytecodeGenerator.h:
601         * bytecompiler/NodesCodegen.cpp:
602         (JSC::FunctionNode::emitBytecode):
603         * dfg/DFGByteCodeParser.cpp:
604         (JSC::DFG::ByteCodeParser::inliningCost):
605         * parser/ASTBuilder.h:
606         (JSC::ASTBuilder::createFunctionMetadata):
607         * parser/Nodes.cpp:
608         (JSC::FunctionMetadataNode::FunctionMetadataNode):
609         * parser/Nodes.h:
610         (JSC::FunctionParameters::size):
611         (JSC::FunctionParameters::at):
612         (JSC::FunctionParameters::append):
613         (JSC::FunctionParameters::isSimpleParameterList):
614         * parser/Parser.cpp:
615         (JSC::Parser<LexerType>::isArrowFunctionParameters):
616         (JSC::Parser<LexerType>::parseGeneratorFunctionSourceElements):
617         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
618         (JSC::Parser<LexerType>::parseFormalParameters):
619         (JSC::Parser<LexerType>::parseFunctionBody):
620         (JSC::Parser<LexerType>::parseFunctionParameters):
621         (JSC::Parser<LexerType>::parseFunctionInfo):
622         * parser/Parser.h:
623         * parser/SyntaxChecker.h:
624         (JSC::SyntaxChecker::createFunctionMetadata):
625         * runtime/FunctionExecutable.h:
626         * runtime/JSFunction.cpp:
627         (JSC::JSFunction::createBuiltinFunction):
628         (JSC::JSFunction::reifyLength):
629
630 2017-03-15  Yusuke Suzuki  <utatane.tea@gmail.com>
631
632         [DFG] ToString operation should have fixup for primitives to say this node does not have side effects
633         https://bugs.webkit.org/show_bug.cgi?id=169544
634
635         Reviewed by Saam Barati.
636
637         Our DFG ToString only considers well about String operands. While ToString(non cell operand) does not have
638         any side effect, it is not modeled well in DFG.
639
640         This patch introduces a fixup for ToString with NonCellUse edge. If this edge is set, ToString does not
641         clobber things (like ToLowerCase, producing String). And ToString(NonCellUse) allows us to perform CSE!
642
643         Our microbenchmark shows 32.9% improvement due to dropped GetButterfly and CSE for ToString().
644
645                                             baseline                  patched
646
647             template-string-array       12.6284+-0.2766     ^      9.4998+-0.2295        ^ definitely 1.3293x faster
648
649         And SixSpeed template_string.es6 shows 16.68x performance improvement due to LICM onto this non-side-effectful ToString().
650
651                                           baseline                  patched
652
653             template_string.es6     3229.7343+-40.5705    ^    193.6077+-36.3349       ^ definitely 16.6818x faster
654
655         * dfg/DFGAbstractInterpreterInlines.h:
656         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
657         * dfg/DFGClobberize.h:
658         (JSC::DFG::clobberize):
659         * dfg/DFGFixupPhase.cpp:
660         (JSC::DFG::FixupPhase::fixupToStringOrCallStringConstructor):
661         * dfg/DFGSpeculativeJIT.cpp:
662         (JSC::DFG::SpeculativeJIT::compileToStringOrCallStringConstructorOnCell):
663         (JSC::DFG::SpeculativeJIT::speculateNotCell):
664         * dfg/DFGSpeculativeJIT.h:
665         * dfg/DFGSpeculativeJIT32_64.cpp:
666         (JSC::DFG::SpeculativeJIT::compile):
667         * dfg/DFGSpeculativeJIT64.cpp:
668         (JSC::DFG::SpeculativeJIT::compile):
669         * ftl/FTLLowerDFGToB3.cpp:
670         (JSC::FTL::DFG::LowerDFGToB3::compileToStringOrCallStringConstructor):
671         (JSC::FTL::DFG::LowerDFGToB3::lowNotCell):
672         (JSC::FTL::DFG::LowerDFGToB3::speculateNotCell):
673
674 2017-03-15  Ryan Haddad  <ryanhaddad@apple.com>
675
676         Revert part of r213978 to see if it resolves LayoutTest crashes.
677         https://bugs.webkit.org/show_bug.cgi?id=169729
678
679         Reviewed by Alexey Proskuryakov.
680
681         * JavaScriptCore.xcodeproj/project.pbxproj:
682
683 2017-03-15  Guillaume Emont  <guijemont@igalia.com>
684
685         [jsc][mips] Fix compilation error introduced in r213652
686         https://bugs.webkit.org/show_bug.cgi?id=169723
687
688         Reviewed by Mark Lam.
689
690         The new replaceWithBkpt() contains a lapsus in it
691         (s/code/instructionStart) and won't compile.
692
693         * assembler/MIPSAssembler.h:
694         (JSC::MIPSAssembler::replaceWithBkpt):
695
696 2017-03-15  Daniel Ehrenberg  <littledan@chromium.org>
697
698         Switch back to ISO 4217 for Intl CurrencyDigits data
699         https://bugs.webkit.org/show_bug.cgi?id=169182
700     
701         Previously, a patch switched Intl.NumberFormat to use CLDR data through
702         ICU to get the default number of decimal digits for a currency.
703         However, that change actually violated the ECMA 402 specification,
704         which references ISO 4217 as the data source. This patch reverts to
705         an in-line implementation of that data.
706
707         Reviewed by Saam Barati.
708
709         * runtime/IntlNumberFormat.cpp:
710         (JSC::computeCurrencySortKey):
711         (JSC::extractCurrencySortKey):
712         (JSC::computeCurrencyDigits):
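        As an added illustration (not JavaScriptCore's IntlNumberFormat.cpp), here is the shape of the approach the entry above describes: ISO 4217 minor-unit data kept in-line, keyed by a packed sort key and searched with a binary search. The names computeCurrencySortKey and computeCurrencyDigits are borrowed from the function list above; the table contents are a constructed subset of ISO 4217, and currencyDigitsTableIsSorted is a hypothetical helper that guards the binary search's precondition.

```cpp
// Illustration added for this ChangeLog entry; it is not JavaScriptCore's
// IntlNumberFormat.cpp. The table below is a constructed subset of ISO 4217.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <iterator>
#include <string>

// Pack an upper-case three-letter code into one integer so the table can be
// stored sorted and searched numerically (the "sort key" named in the entry).
constexpr uint32_t computeCurrencySortKey(const char* code)
{
    return (uint32_t(uint8_t(code[0])) << 16)
        | (uint32_t(uint8_t(code[1])) << 8)
        | uint32_t(uint8_t(code[2]));
}

struct CurrencyDigitsEntry {
    uint32_t sortKey;
    int digits; // ISO 4217 minor unit
};

// Constructed subset of ISO 4217 minor units, sorted by code. Codes whose minor
// unit is the default of 2 are omitted on purpose; the fallback covers them.
static const CurrencyDigitsEntry currencyDigitsTable[] = {
    { computeCurrencySortKey("BHD"), 3 },
    { computeCurrencySortKey("BIF"), 0 },
    { computeCurrencySortKey("CLP"), 0 },
    { computeCurrencySortKey("IQD"), 3 },
    { computeCurrencySortKey("ISK"), 0 },
    { computeCurrencySortKey("JOD"), 3 },
    { computeCurrencySortKey("JPY"), 0 },
    { computeCurrencySortKey("KRW"), 0 },
    { computeCurrencySortKey("KWD"), 3 },
    { computeCurrencySortKey("LYD"), 3 },
    { computeCurrencySortKey("OMR"), 3 },
    { computeCurrencySortKey("TND"), 3 },
    { computeCurrencySortKey("VND"), 0 },
    { computeCurrencySortKey("XAF"), 0 },
};

// A binary search is only correct over a sorted table; check that invariant once
// (for example from a unit test) rather than trusting hand-maintained data.
bool currencyDigitsTableIsSorted()
{
    return std::is_sorted(std::begin(currencyDigitsTable), std::end(currencyDigitsTable),
        [](const CurrencyDigitsEntry& a, const CurrencyDigitsEntry& b) { return a.sortKey < b.sortKey; });
}

// ECMA-402 CurrencyDigits: the ISO 4217 minor unit when the code is listed,
// otherwise 2. Malformed input also falls back to 2 instead of indexing blindly.
int computeCurrencyDigits(const std::string& currency)
{
    if (currency.size() != 3)
        return 2;
    char upper[3];
    for (int i = 0; i < 3; ++i)
        upper[i] = char(std::toupper(uint8_t(currency[i])));
    const uint32_t key = computeCurrencySortKey(upper);
    const CurrencyDigitsEntry* end = std::end(currencyDigitsTable);
    const CurrencyDigitsEntry* it = std::lower_bound(std::begin(currencyDigitsTable), end, key,
        [](const CurrencyDigitsEntry& entry, uint32_t k) { return entry.sortKey < k; });
    return (it != end && it->sortKey == key) ? it->digits : 2;
}
```

        The lookup never dereferences outside the table: a short or unknown code takes the default path, and the sorted-order check is what makes lower_bound's result trustworthy.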
713
714 2017-03-15  Saam Barati  <sbarati@apple.com>
715
716         WebAssembly: When we GC to try to get a fast memory, we should call collectAllGarbage(), not collectSync()
717         https://bugs.webkit.org/show_bug.cgi?id=169704
718
719         Reviewed by Mark Lam.
720
721         We weren't always sweeping the memory needed to free
722         the WasmMemory we wanted to use. collectAllGarbage()
723         will do this if the JS objects wrapping WasmMemory
724         are dead.
725
726         This patch also moves the increment of the allocatedFastMemories
727         integer to be thread safe.
728
729         * wasm/WasmMemory.cpp:
730         (JSC::Wasm::tryGetFastMemory):
731
732 2017-03-15  Mark Lam  <mark.lam@apple.com>
733
734         Fix exception scope verification failures in jsc.cpp.
735         https://bugs.webkit.org/show_bug.cgi?id=164968
736
737         Reviewed by Saam Barati.
738
739         * jsc.cpp:
740         (WTF::CustomGetter::customGetter):
741
742         (GlobalObject::moduleLoaderResolve):
743         (GlobalObject::moduleLoaderFetch):
744         - The only way modules would throw an exception is if we encounter an OutOfMemory
745           error.  This should be extremely rare.  At this point, I don't think it's worth
746           doing the dance to propagate the exception when this happens.  Instead, we'll
747           simply do a RELEASE_ASSERT that we don't see any exceptions here.
748
749         (functionRun):
750         (functionRunString):
751         (functionLoadModule):
752         (functionCheckModuleSyntax):
753         (box):
754         (dumpException):
755         (runWithScripts):
756
757 2017-03-15  Mark Lam  <mark.lam@apple.com>
758
759         Fix missing exception checks in Interpreter.cpp.
760         https://bugs.webkit.org/show_bug.cgi?id=164964
761
762         Reviewed by Saam Barati.
763
764         * interpreter/Interpreter.cpp:
765         (JSC::eval):
766         (JSC::sizeOfVarargs):
767         (JSC::sizeFrameForVarargs):
768         (JSC::Interpreter::executeProgram):
769         (JSC::Interpreter::executeCall):
770         (JSC::Interpreter::executeConstruct):
771         (JSC::Interpreter::prepareForRepeatCall):
772         (JSC::Interpreter::execute):
773
774 2017-03-15  Dean Jackson  <dino@apple.com>
775
776         Sort Xcode project files
777         https://bugs.webkit.org/show_bug.cgi?id=169669
778
779         Reviewed by Antoine Quint.
780
781         * JavaScriptCore.xcodeproj/project.pbxproj:
782
783 2017-03-14  Tomas Popela  <tpopela@redhat.com>
784
785         Wrong condition in offlineasm/risc.rb
786         https://bugs.webkit.org/show_bug.cgi?id=169597
787
788         Reviewed by Mark Lam.
789
790         It's missing the 'and' operator between the conditions.
791
792         * offlineasm/risc.rb:
793
794 2017-03-14  Mark Lam  <mark.lam@apple.com>
795
796         BytecodeGenerator should use the same function to determine if it needs to store the DerivedConstructor in an ArrowFunction lexical environment.
797         https://bugs.webkit.org/show_bug.cgi?id=169647
798         <rdar://problem/31051832>
799
800         Reviewed by Michael Saboff.
801
802         * bytecompiler/BytecodeGenerator.cpp:
803         (JSC::BytecodeGenerator::usesDerivedConstructorInArrowFunctionLexicalEnvironment):
804         (JSC::BytecodeGenerator::initializeArrowFunctionContextScopeIfNeeded):
805         (JSC::BytecodeGenerator::emitPutDerivedConstructorToArrowFunctionContextScope):
806         * bytecompiler/BytecodeGenerator.h:
807
808 2017-03-14  Brian Burg  <bburg@apple.com>
809
810         [Cocoa] Web Inspector: generated code for parsing an array of primitive-type enums from payload does not work
811         https://bugs.webkit.org/show_bug.cgi?id=169629
812
813         Reviewed by Joseph Pecoraro.
814
815         This was encountered while trying to compile new protocol definitions that support the Actions API.
816
817         * inspector/scripts/codegen/models.py:
818         (EnumType.__repr__): Improve debug logging so fields match the class member names.
819
820         * inspector/scripts/codegen/objc_generator.py:
821         (ObjCGenerator.payload_to_objc_expression_for_member):
822         If the array elements are actually a primitive type, then there's no need to do any
823         conversion from a payload. This happens for free since the payload is a tree of
824         NSDictionary, NSString, NSNumber, etc. 
825
826         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
827         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
828         Rebaseline.
829
830         * inspector/scripts/tests/generic/type-declaration-object-type.json:
831         Add new cases for properties that contain an array with enum type references and an array of anonymous enums.
832
833 2017-03-14  Filip Pizlo  <fpizlo@apple.com>
834
835         Record the HashSet/HashMap operations in DFG/FTL/B3 and replay them in a benchmark
836         https://bugs.webkit.org/show_bug.cgi?id=169590
837
838         Reviewed by Saam Barati.
839         
840         Adds code to support logging some hashtable stuff in the DFG.
841
842         * dfg/DFGAvailabilityMap.cpp:
843         (JSC::DFG::AvailabilityMap::pruneHeap):
844         * dfg/DFGCombinedLiveness.cpp:
845         (JSC::DFG::liveNodesAtHead):
846         (JSC::DFG::CombinedLiveness::CombinedLiveness):
847         * dfg/DFGCombinedLiveness.h:
848         * dfg/DFGLivenessAnalysisPhase.cpp:
849         (JSC::DFG::LivenessAnalysisPhase::run):
850         (JSC::DFG::LivenessAnalysisPhase::processBlock):
851         * dfg/DFGNode.cpp:
852         * dfg/DFGNode.h:
853         * dfg/DFGObjectAllocationSinkingPhase.cpp:
854
855 2017-03-14  Joseph Pecoraro  <pecoraro@apple.com>
856
857         Web Inspector: Remove unused Network protocol event
858         https://bugs.webkit.org/show_bug.cgi?id=169619
859
860         Reviewed by Mark Lam.
861
862         * inspector/protocol/Network.json:
863         This became unused in r213621 and should have been removed
864         from the protocol file then.
865
866 2017-03-14  Mark Lam  <mark.lam@apple.com>
867
868         Add a null check in VMTraps::willDestroyVM() to handle a race condition.
869         https://bugs.webkit.org/show_bug.cgi?id=169620
870
871         Reviewed by Filip Pizlo.
872
873         There exists a race between VMTraps::willDestroyVM() (which removes SignalSenders
874         from its m_signalSenders list) and SignalSender::send() (which removes itself
875         from the list).  In the event that SignalSender::send() removes itself between
876         the time that VMTraps::willDestroyVM() checks if m_signalSenders is empty and the
877         time it takes a sender from m_signalSenders, VMTraps::willDestroyVM() may end up
878         with a NULL sender pointer.  The fix is to add the missing null check before using
879         the sender pointer.
880
881         * runtime/VMTraps.cpp:
882         (JSC::VMTraps::willDestroyVM):
883         (JSC::VMTraps::fireTrap):
884         * runtime/VMTraps.h:
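        The race described above, reproduced in a standalone model (an added example, not WebKit's VMTraps code; Traps, SignalSender and the betweenCheckAndTake hook are hypothetical stand-ins): the destroyer checks whether the list is empty, a sender finishes send() and removes itself inside that window, and the take then comes back null. The hook forces that interleaving deterministically instead of relying on thread timing, which is how one would pin such a race down in a regression test.

```cpp
// Standalone model added for this entry; it is not WebKit's VMTraps code. Traps,
// SignalSender and the betweenCheckAndTake hook are hypothetical stand-ins.
#include <cassert>
#include <functional>
#include <list>
#include <mutex>

struct SignalSender;

struct Traps {
    std::mutex lock;
    std::list<SignalSender*> signalSenders;
    // Test hook that runs between the emptiness check and the take: exactly the
    // window in which a sender can finish send() and remove itself.
    std::function<void()> betweenCheckAndTake;

    bool isEmpty()
    {
        std::lock_guard<std::mutex> guard(lock);
        return signalSenders.empty();
    }
    void add(SignalSender* sender)
    {
        std::lock_guard<std::mutex> guard(lock);
        signalSenders.push_back(sender);
    }
    void remove(SignalSender* sender)
    {
        std::lock_guard<std::mutex> guard(lock);
        signalSenders.remove(sender);
    }
    // Returns nullptr when the list drained between the caller's check and this take.
    SignalSender* takeFirst()
    {
        std::lock_guard<std::mutex> guard(lock);
        if (signalSenders.empty())
            return nullptr;
        SignalSender* sender = signalSenders.front();
        signalSenders.pop_front();
        return sender;
    }
    int willDestroyVM(); // drains the list; returns how many senders it cancelled
};

struct SignalSender {
    Traps* traps;
    bool cancelled = false;
    explicit SignalSender(Traps* t) : traps(t) { traps->add(this); }
    // Once its signal is delivered, a sender takes itself off the VM's list.
    void send() { traps->remove(this); }
};

int Traps::willDestroyVM()
{
    int cancelledCount = 0;
    while (!isEmpty()) {
        if (betweenCheckAndTake)
            betweenCheckAndTake();
        SignalSender* sender = takeFirst();
        if (!sender) // the null check the entry adds; without it this is a null dereference
            continue;
        sender->cancelled = true;
        ++cancelledCount;
    }
    return cancelledCount;
}

// Scenario 1: no concurrent activity; the destroyer cancels every sender.
int drainWithoutRace()
{
    Traps traps;
    SignalSender a(&traps), b(&traps), c(&traps);
    return traps.willDestroyVM(); // 3
}

// Scenario 2: both senders complete send() inside the race window, so the list is
// empty by the time the destroyer takes, and the null path is exercised.
int drainWithRace()
{
    Traps traps;
    SignalSender a(&traps), b(&traps);
    bool fired = false;
    traps.betweenCheckAndTake = [&] {
        if (fired)
            return;
        fired = true;
        a.send();
        b.send();
    };
    int n = traps.willDestroyVM(); // 0: nothing left to cancel, and no crash
    assert(!a.cancelled && !b.cancelled);
    return n;
}
```

        Removing the `if (!sender)` line reproduces the crash the entry fixes in scenario 2, while scenario 1 keeps passing, which is why the race was easy to miss.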
885
886 2017-03-14  Mark Lam  <mark.lam@apple.com>
887
888         Gardening: Speculative build fix for CLoop after r213886.
889         https://bugs.webkit.org/show_bug.cgi?id=169436
890
891         Not reviewed.
892
893         * runtime/MachineContext.h:
894
895 2017-03-14  Yusuke Suzuki  <utatane.tea@gmail.com>
896
897         [JSC] Drop unnecessary pthread_attr_t for JIT enabled Linux / FreeBSD environment
898         https://bugs.webkit.org/show_bug.cgi?id=169592
899
900         Reviewed by Carlos Garcia Campos.
901
902         Since suspended mcontext_t has all the necessary information, we can drop
903         pthread_attr_t allocation and destroy for JIT enabled Linux / FreeBSD environment.
904
905         * heap/MachineStackMarker.cpp:
906         (JSC::MachineThreads::Thread::getRegisters):
907         (JSC::MachineThreads::Thread::Registers::stackPointer):
908         (JSC::MachineThreads::Thread::Registers::framePointer):
909         (JSC::MachineThreads::Thread::Registers::instructionPointer):
910         (JSC::MachineThreads::Thread::Registers::llintPC):
911         (JSC::MachineThreads::Thread::freeRegisters):
912         * heap/MachineStackMarker.h:
913
914 2017-03-14  Zan Dobersek  <zdobersek@igalia.com>
915
916         [GLib] Use USE(GLIB) guards in JavaScriptCore/inspector/EventLoop.cpp
917         https://bugs.webkit.org/show_bug.cgi?id=169594
918
919         Reviewed by Carlos Garcia Campos.
920
921         Instead of PLATFORM(GTK) guards, utilize the USE(GLIB) build guards
922         to guard the GLib-specific includes and invocations in the JSC
923         inspector's EventLoop class implementation.
924
925         * inspector/EventLoop.cpp:
926         (Inspector::EventLoop::cycle):
927
928 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
929
930         [JSC][Linux] Implement VMTrap in Linux ports
931         https://bugs.webkit.org/show_bug.cgi?id=169436
932
933         Reviewed by Mark Lam.
934
935         This patch ports VMTrap to Linux ports.
936         We extract MachineContext accessors from various places (wasm/, heap/ and tools/)
937         and use them in all the JSC code.
938
939         * JavaScriptCore.xcodeproj/project.pbxproj:
940         * heap/MachineStackMarker.cpp:
941         (JSC::MachineThreads::Thread::Registers::stackPointer):
942         (JSC::MachineThreads::Thread::Registers::framePointer):
943         (JSC::MachineThreads::Thread::Registers::instructionPointer):
944         (JSC::MachineThreads::Thread::Registers::llintPC):
945         * heap/MachineStackMarker.h:
946         * runtime/MachineContext.h: Added.
947         (JSC::MachineContext::stackPointer):
948         (JSC::MachineContext::framePointer):
949         (JSC::MachineContext::instructionPointer):
950         (JSC::MachineContext::argumentPointer<1>):
951         (JSC::MachineContext::argumentPointer):
952         (JSC::MachineContext::llintInstructionPointer):
953         * runtime/PlatformThread.h:
954         (JSC::platformThreadSignal):
955         * runtime/VMTraps.cpp:
956         (JSC::SignalContext::SignalContext):
957         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
958         * tools/CodeProfiling.cpp:
959         (JSC::profilingTimer):
960         * tools/SigillCrashAnalyzer.cpp:
961         (JSC::SignalContext::SignalContext):
962         (JSC::SignalContext::dump):
963         * tools/VMInspector.cpp:
964         * wasm/WasmFaultSignalHandler.cpp:
965         (JSC::Wasm::trapHandler):
966
967 2017-03-13  Mark Lam  <mark.lam@apple.com>
968
969         Make the HeapVerifier useful again.
970         https://bugs.webkit.org/show_bug.cgi?id=161752
971
972         Reviewed by Filip Pizlo.
973
974         Resurrect the HeapVerifier.  Here's what the verifier now offers:
975
976         1. It captures the list of cells before and after GCs up to N GC cycles.
977            N is set by JSC_numberOfGCCyclesToRecordForVerification.
978            Currently, N defaults to 3.
979
980            This is useful if we're debugging in lldb and want to check if a candidate
981            cell pointer was observed by the GC during the last N GC cycles.  We can do
982            this check by calling HeapVerifier::checkIfRecorded() with the cell address.
983
984            HeapVerifier::checkIfRecorded() is robust and can be used on bogus addresses.
985            If the candidate cell was previously recorded by the HeapVerifier during a
986            GC cycle, checkIfRecorded() will dump any useful info it has on that cell.
987
988         2. The HeapVerifier will verify that cells in its captured list after a GC are
989            sane.  Some examples of cell insanity are:
990            - the cell claims to belong to a different VM.
991            - the cell has a NULL structureID.
992            - the cell has a NULL structure.
993            - the cell's structure has a NULL structureID.
994            - the cell's structure has a NULL structure.
995            - the cell's structure's structure has a NULL structureID.
996            - the cell's structure's structure has a NULL structure.
997
998            These are all signs of corruption or a GC bug.  The verifier will report any
999            insanity it finds, and then crash with a RELEASE_ASSERT.
1000
1001         3. Since the HeapVerifier captures lists of cells in the heap before and after GCs
1002            for the last N GCs, it will also automatically "trim" dead cells from those lists
1003            after the most recent GC.
1004
1005            "trim" here means that the CellProfile in the HeapVerifier's lists will be
1006            updated to reflect that the cell is now dead.  It still keeps a record of the
1007            dead cell pointer and the meta data collected about it back when it was alive.
1008            As a result, checkIfRecorded() will also report if the candidate cell passed
1009            to it is a dead object from a previous GC cycle. 
1010
1011         4. Each CellProfile captured by the HeapVerifier now tracks the following info:
1012            - the cell's HeapCell::Kind.
1013            - the cell's liveness.
1014            - if it is a JSCell, the cell's classInfo()->className.
1015            - an associated timestamp.
1016            - an associated stack trace.
1017
1018            Currently, the timestamp is only used for the time when the cell was recorded
1019            by the HeapVerifier during GC.  The stack trace is currently unused.
1020
1021            However, these fields are kept there so that we can instrument the VM (during
1022            a debugging session, which requires rebuilding the VM) and record interesting
1023            stack traces like that of the time of allocation of the cell.  Since
1024            capturing the stack traces for each cell is a very heavyweight operation,
1025            the HeapVerifier code does not do this by default.  Instead, we just leave
1026            the building blocks for doing so in place to ease future debugging efforts.
1027
1028         * heap/Heap.cpp:
1029         (JSC::Heap::runBeginPhase):
1030         (JSC::Heap::runEndPhase):
1031         (JSC::Heap::didFinishCollection):
1032         * heap/Heap.h:
1033         (JSC::Heap::verifier):
1034         * heap/MarkedAllocator.h:
1035         (JSC::MarkedAllocator::takeLastActiveBlock): Deleted.
1036         * heap/MarkedSpace.h:
1037         * heap/MarkedSpaceInlines.h:
1038         (JSC::MarkedSpace::forEachLiveCell):
1039         * tools/CellList.cpp:
1040         (JSC::CellList::find):
1041         (JSC::CellList::reset):
1042         (JSC::CellList::findCell): Deleted.
1043         * tools/CellList.h:
1044         (JSC::CellList::CellList):
1045         (JSC::CellList::name):
1046         (JSC::CellList::size):
1047         (JSC::CellList::cells):
1048         (JSC::CellList::add):
1049         (JSC::CellList::reset): Deleted.
1050         * tools/CellProfile.h:
1051         (JSC::CellProfile::CellProfile):
1052         (JSC::CellProfile::cell):
1053         (JSC::CellProfile::jsCell):
1054         (JSC::CellProfile::isJSCell):
1055         (JSC::CellProfile::kind):
1056         (JSC::CellProfile::isLive):
1057         (JSC::CellProfile::isDead):
1058         (JSC::CellProfile::setIsLive):
1059         (JSC::CellProfile::setIsDead):
1060         (JSC::CellProfile::timestamp):
1061         (JSC::CellProfile::className):
1062         (JSC::CellProfile::stackTrace):
1063         (JSC::CellProfile::setStackTrace):
1064         * tools/HeapVerifier.cpp:
1065         (JSC::HeapVerifier::startGC):
1066         (JSC::HeapVerifier::endGC):
1067         (JSC::HeapVerifier::gatherLiveCells):
1068         (JSC::trimDeadCellsFromList):
1069         (JSC::HeapVerifier::trimDeadCells):
1070         (JSC::HeapVerifier::printVerificationHeader):
1071         (JSC::HeapVerifier::verifyCellList):
1072         (JSC::HeapVerifier::validateCell):
1073         (JSC::HeapVerifier::validateJSCell):
1074         (JSC::HeapVerifier::verify):
1075         (JSC::HeapVerifier::reportCell):
1076         (JSC::HeapVerifier::checkIfRecorded):
1077         (JSC::HeapVerifier::initializeGCCycle): Deleted.
1078         (JSC::GatherCellFunctor::GatherCellFunctor): Deleted.
1079         (JSC::GatherCellFunctor::visit): Deleted.
1080         (JSC::GatherCellFunctor::operator()): Deleted.
1081         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace): Deleted.
1082         * tools/HeapVerifier.h:
1083         (JSC::HeapVerifier::GCCycle::reset):
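        A toy model of points 1 to 4 above, added here as an illustration (it is not WebKit's HeapVerifier, CellList or CellProfile): the cell sanity checks as a function that returns its findings instead of crashing, profiles that keep their record after the cell dies, the last-N-cycles cap, and an address check that never dereferences its argument. Cell, Structure, VM and Verifier are simplified stand-ins for the real types.

```cpp
// Toy model added for this entry; it is not WebKit's HeapVerifier. Cell, Structure,
// VM and Verifier are simplified stand-ins for JSC's types.
#include <cstddef>
#include <cstdint>
#include <deque>
#include <set>
#include <string>
#include <utility>
#include <vector>

struct VM { int id; };
struct Structure;

struct Cell {
    VM* vm = nullptr;
    uint32_t structureID = 0;          // 0 stands in for a NULL structureID
    Structure* structure = nullptr;
    const char* className = "Object";
};
// A Structure is itself a cell, which is why the checks look one level deeper.
struct Structure : Cell {};

// Returns every sign of insanity found; an empty result means the cell looks sane.
// Each dereference is guarded by the check before it, so a corrupt cell is reported
// rather than crashing the verifier itself.
std::vector<std::string> validateCell(const VM* vm, const Cell* cell)
{
    std::vector<std::string> findings;
    if (cell->vm != vm)
        findings.push_back("cell claims to belong to a different VM");
    if (!cell->structureID)
        findings.push_back("cell has a NULL structureID");
    const Structure* s = cell->structure;
    if (!s) {
        findings.push_back("cell has a NULL structure");
        return findings;
    }
    if (!s->structureID)
        findings.push_back("cell's structure has a NULL structureID");
    const Structure* ss = s->structure;
    if (!ss) {
        findings.push_back("cell's structure has a NULL structure");
        return findings;
    }
    if (!ss->structureID)
        findings.push_back("cell's structure's structure has a NULL structureID");
    if (!ss->structure)
        findings.push_back("cell's structure's structure has a NULL structure");
    return findings;
}

struct CellProfile {
    const Cell* cell;      // kept after the cell dies, but never dereferenced again
    bool isLive;
    std::string className; // captured while the cell was alive
    double timestamp;      // when the verifier recorded the cell
};

struct Verifier {
    size_t numberOfGCCyclesToRecord = 3;         // cf. JSC_numberOfGCCyclesToRecordForVerification
    std::deque<std::vector<CellProfile>> cycles; // oldest cycle first

    // Snapshot the cells observed in one GC cycle, keeping only the last N snapshots.
    void recordCycle(const std::vector<const Cell*>& cells, double now)
    {
        std::vector<CellProfile> list;
        for (const Cell* c : cells)
            list.push_back({ c, true, c->className, now });
        cycles.push_back(std::move(list));
        while (cycles.size() > numberOfGCCyclesToRecord)
            cycles.pop_front();
    }

    // "Trim": after a GC, profiles whose cell did not survive are marked dead, not dropped.
    void trimDeadCells(const std::set<const Cell*>& stillLive)
    {
        for (auto& list : cycles)
            for (auto& profile : list)
                if (profile.isLive && !stillLive.count(profile.cell))
                    profile.isLive = false;
    }

    // Safe on bogus addresses: compares pointer values only, never dereferences them.
    // Returns the most recent record for the candidate, or nullptr if never recorded.
    const CellProfile* checkIfRecorded(const void* candidate) const
    {
        const CellProfile* found = nullptr;
        for (const auto& list : cycles)
            for (const auto& profile : list)
                if (profile.cell == candidate)
                    found = &profile;
        return found;
    }
};
```

        Because checkIfRecorded only compares addresses, it can be handed any pointer from a debugger session; the profile it returns carries the className and timestamp captured while the cell was still alive, which is what makes a dead cell's record useful after the fact.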
1084
1085 2017-03-13  SKumarMetro  <s.kumar@metrological.com>
1086
1087         JSC: fix compilation errors for MIPS
1088         https://bugs.webkit.org/show_bug.cgi?id=168402
1089
1090         Reviewed by Mark Lam.
1091
1092         * assembler/MIPSAssembler.h:
1093         (JSC::MIPSAssembler::fillNops):
1094         Added.
1095         * assembler/MacroAssemblerMIPS.h:
1096         Added MacroAssemblerMIPS::numGPRs and MacroAssemblerMIPS::numFPRs.
1097         * bytecode/InlineAccess.h:
1098         (JSC::InlineAccess::sizeForPropertyAccess):
1099         (JSC::InlineAccess::sizeForPropertyReplace):
1100         (JSC::InlineAccess::sizeForLengthAccess):
1101         Added MIPS cases.
1102
1103 2017-03-13  Filip Pizlo  <fpizlo@apple.com>
1104
1105         FTL should not flush strict arguments unless it really needs to
1106         https://bugs.webkit.org/show_bug.cgi?id=169519
1107
1108         Reviewed by Mark Lam.
1109         
1110         This is a refinement that we should have done ages ago. This kills some pointless PutStacks
1111         in DFG SSA IR. It can sometimes unlock other optimizations.
1112         
1113         Relanding after I fixed the special cases for CreateArguments-style nodes. 
1114
1115         * dfg/DFGPreciseLocalClobberize.h:
1116         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1117
1118 2017-03-13  Devin Rousso  <webkit@devinrousso.com>
1119
1120         Web Inspector: Event Listeners section is missing 'once', 'passive' event listener flags
1121         https://bugs.webkit.org/show_bug.cgi?id=167080
1122
1123         Reviewed by Joseph Pecoraro.
1124
1125         * inspector/protocol/DOM.json:
1126         Add "passive" and "once" items to the EventListener type.
1127
1128 2017-03-13  Mark Lam  <mark.lam@apple.com>
1129
1130         Remove obsolete experimental ObjC SPI.
1131         https://bugs.webkit.org/show_bug.cgi?id=169569
1132
1133         Reviewed by Saam Barati.
1134
1135         * API/JSVirtualMachine.mm:
1136         (-[JSVirtualMachine enableSigillCrashAnalyzer]): Deleted.
1137         * API/JSVirtualMachinePrivate.h: Removed.
1138         * JavaScriptCore.xcodeproj/project.pbxproj:
1139
1140 2017-03-13  Commit Queue  <commit-queue@webkit.org>
1141
1142         Unreviewed, rolling out r213856.
1143         https://bugs.webkit.org/show_bug.cgi?id=169562
1144
1145         Breaks JSC stress test stress/super-property-access.js.ftl-eager
1146         failing (Requested by mlam|g on #webkit).
1147
1148         Reverted changeset:
1149
1150         "FTL should not flush strict arguments unless it really needs
1151         to"
1152         https://bugs.webkit.org/show_bug.cgi?id=169519
1153         http://trac.webkit.org/changeset/213856
1154
1155 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1156
1157         [JSC][Linux] Allow profilers to demangle C++ names
1158         https://bugs.webkit.org/show_bug.cgi?id=169559
1159
1160         Reviewed by Michael Catanzaro.
1161
1162         Linux also offers dladdr & demangling feature.
1163         Thus, we can use it to show the names in profilers.
1164         For example, SamplingProfiler tells us the C function names.
1165
1166         * runtime/SamplingProfiler.cpp:
1167         (JSC::SamplingProfiler::StackFrame::displayName):
1168         * tools/CodeProfile.cpp:
1169         (JSC::symbolName):
1170
1171 2017-03-13  Yusuke Suzuki  <utatane.tea@gmail.com>
1172
1173         [WTF] Clean up RunLoop and WorkQueue with Seconds and Function
1174         https://bugs.webkit.org/show_bug.cgi?id=169537
1175
1176         Reviewed by Sam Weinig.
1177
1178         * runtime/Watchdog.cpp:
1179         (JSC::Watchdog::startTimer):
1180
1181 2017-03-11  Filip Pizlo  <fpizlo@apple.com>
1182
1183         FTL should not flush strict arguments unless it really needs to
1184         https://bugs.webkit.org/show_bug.cgi?id=169519
1185
1186         Reviewed by Mark Lam.
1187         
1188         This is a refinement that we should have done ages ago. This kills some pointless PutStacks
1189         in DFG SSA IR. It can sometimes unlock other optimizations.
1190
1191         * dfg/DFGPreciseLocalClobberize.h:
1192         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1193
1194 2017-03-13  Caio Lima  <ticaiolima@gmail.com>
1195
1196         [JSC] It should be possible to create a label named let when parsing Statement in non-strict mode
1197         https://bugs.webkit.org/show_bug.cgi?id=168684
1198
1199         Reviewed by Saam Barati.
1200
1201         This patch fixes a Parser bug to allow defining a label named
1202         `let` in sloppy mode when parsing a Statement.
1203
1204         * parser/Parser.cpp:
1205         (JSC::Parser<LexerType>::parseStatement):
1206
1207 2017-03-11  Filip Pizlo  <fpizlo@apple.com>
1208
1209         Structure::willStoreValueSlow needs to keep the property table alive until the end
1210         https://bugs.webkit.org/show_bug.cgi?id=169520
1211
1212         Reviewed by Michael Saboff.
1213
1214         We use pointers logically interior to `propertyTable` after doing a GC. We need to prevent the
1215         compiler from optimizing away pointers to `propertyTable`.
1216         
1217         * heap/HeapCell.cpp:
1218         (JSC::HeapCell::use):
1219         * heap/HeapCell.h:
1220         (JSC::HeapCell::use): Introduce API for keeping a pointer alive until some point in execution.
1221         * runtime/Structure.cpp:
1222         (JSC::Structure::willStoreValueSlow): Use HeapCell::use() to keep the pointer alive.
1223
1224 2017-03-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1225
1226         Unreviewed, suppress warnings in JSC B3
1227
1228         * b3/B3Opcode.cpp:
1229
1230 2017-03-11  Michael Saboff  <msaboff@apple.com>
1231
1232         Allow regular expressions to be used when selecting a process name in JSC config file
1233         https://bugs.webkit.org/show_bug.cgi?id=169495
1234
1235         Reviewed by Saam Barati.
1236
1237         Only added regular expression selectors for Unix-like platforms.
1238
1239         * runtime/ConfigFile.cpp:
1240         (JSC::ConfigFileScanner::tryConsumeRegExPattern):
1241         (JSC::ConfigFile::parse):
1242
1243 2017-03-11  Jon Lee  <jonlee@apple.com>
1244
1245         WebGPU prototype - Front-End
1246         https://bugs.webkit.org/show_bug.cgi?id=167952
1247
1248         Reviewed by Dean Jackson.
1249
1250         * runtime/CommonIdentifiers.h: Add WebGPU objects.
1251
1252 2017-03-10  Filip Pizlo  <fpizlo@apple.com>
1253
1254         The JITs should be able to emit fast TLS loads
1255         https://bugs.webkit.org/show_bug.cgi?id=169483
1256
1257         Reviewed by Keith Miller.
1258         
1259         Added loadFromTLS32/64/Ptr to the MacroAssembler and added a B3 test for this.
1260
1261         * assembler/ARM64Assembler.h:
1262         (JSC::ARM64Assembler::mrs_TPIDRRO_EL0):
1263         * assembler/MacroAssembler.h:
1264         (JSC::MacroAssembler::loadFromTLSPtr):
1265         * assembler/MacroAssemblerARM64.h:
1266         (JSC::MacroAssemblerARM64::loadFromTLS32):
1267         (JSC::MacroAssemblerARM64::loadFromTLS64):
1268         * assembler/MacroAssemblerX86Common.h:
1269         (JSC::MacroAssemblerX86Common::loadFromTLS32):
1270         * assembler/MacroAssemblerX86_64.h:
1271         (JSC::MacroAssemblerX86_64::loadFromTLS64):
1272         * assembler/X86Assembler.h:
1273         (JSC::X86Assembler::adcl_im):
1274         (JSC::X86Assembler::addl_mr):
1275         (JSC::X86Assembler::addl_im):
1276         (JSC::X86Assembler::andl_im):
1277         (JSC::X86Assembler::orl_im):
1278         (JSC::X86Assembler::orl_rm):
1279         (JSC::X86Assembler::subl_im):
1280         (JSC::X86Assembler::cmpb_im):
1281         (JSC::X86Assembler::cmpl_rm):
1282         (JSC::X86Assembler::cmpl_im):
1283         (JSC::X86Assembler::testb_im):
1284         (JSC::X86Assembler::movb_i8m):
1285         (JSC::X86Assembler::movb_rm):
1286         (JSC::X86Assembler::movl_mr):
1287         (JSC::X86Assembler::movq_mr):
1288         (JSC::X86Assembler::movsxd_rr):
1289         (JSC::X86Assembler::gs):
1290         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1291         * b3/testb3.cpp:
1292         (JSC::B3::testFastTLS):
1293         (JSC::B3::run):
1294
1295 2017-03-10  Alex Christensen  <achristensen@webkit.org>
1296
1297         Fix watch and tv builds after r213294
1298         https://bugs.webkit.org/show_bug.cgi?id=169508
1299
1300         Reviewed by Dan Bernstein.
1301
1302         * Configurations/FeatureDefines.xcconfig:
1303
1304 2017-03-10  Saam Barati  <sbarati@apple.com>
1305
1306         WebAssembly: Make more demos run
1307         https://bugs.webkit.org/show_bug.cgi?id=165510
1308         <rdar://problem/29760310>
1309
1310         Reviewed by Keith Miller.
1311
1312         This patch makes another Wasm demo run:
1313         https://kripken.github.io/BananaBread/cube2/bb.html
1314         
1315         This patch fixes two bugs:
1316         1. When WebAssemblyFunctionType was added, we did not properly
1317         update the last JS type value.
1318         2. Our code for our JS -> Wasm entrypoint was wrong. It led to bad
1319         code generation where we would emit B3 that would write over r12
1320         and rbx (on x86) which is invalid since those are our pinned registers.
1321         This patch just rewrites the entrypoint to use hand written assembler
1322         code. I was planning on doing this anyways because it's a compile
1323         time speed boost.
1324         
1325         Also, this patch adds support for some new API features:
1326         We can now export an import, either via a direct export, or via a Table and the
1327         Element section. I've added a new class called WebAssemblyWrapperFunction that
1328         just wraps over a JSObject that is a function. Wrapper functions have types
1329         associated with them, so if they're re-imported, or called via call_indirect,
1330         they can be type checked.
1331
1332         * CMakeLists.txt:
1333         * JavaScriptCore.xcodeproj/project.pbxproj:
1334         * runtime/JSGlobalObject.cpp:
1335         (JSC::JSGlobalObject::init):
1336         (JSC::JSGlobalObject::visitChildren):
1337         * runtime/JSGlobalObject.h:
1338         (JSC::JSGlobalObject::webAssemblyWrapperFunctionStructure):
1339         * runtime/JSType.h:
1340         * wasm/JSWebAssemblyCodeBlock.h:
1341         (JSC::JSWebAssemblyCodeBlock::wasmToJsCallStubForImport):
1342         * wasm/WasmB3IRGenerator.cpp:
1343         (JSC::Wasm::createJSToWasmWrapper):
1344         * wasm/WasmCallingConvention.h:
1345         (JSC::Wasm::CallingConvention::headerSizeInBytes):
1346         * wasm/js/JSWebAssemblyHelpers.h:
1347         (JSC::isWebAssemblyHostFunction):
1348         * wasm/js/JSWebAssemblyInstance.cpp:
1349         (JSC::JSWebAssemblyInstance::JSWebAssemblyInstance):
1350         * wasm/js/JSWebAssemblyInstance.h:
1351         (JSC::JSWebAssemblyInstance::importFunction):
1352         (JSC::JSWebAssemblyInstance::importFunctions):
1353         (JSC::JSWebAssemblyInstance::setImportFunction):
1354         * wasm/js/JSWebAssemblyTable.cpp:
1355         (JSC::JSWebAssemblyTable::JSWebAssemblyTable):
1356         (JSC::JSWebAssemblyTable::grow):
1357         (JSC::JSWebAssemblyTable::clearFunction):
1358         (JSC::JSWebAssemblyTable::setFunction):
1359         * wasm/js/JSWebAssemblyTable.h:
1360         (JSC::JSWebAssemblyTable::getFunction):
1361         * wasm/js/WebAssemblyFunction.cpp:
1362         (JSC::callWebAssemblyFunction):
1363         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1364         (JSC::WebAssemblyInstanceConstructor::createInstance):
1365         * wasm/js/WebAssemblyModuleRecord.cpp:
1366         (JSC::WebAssemblyModuleRecord::link):
1367         (JSC::WebAssemblyModuleRecord::evaluate):
1368         * wasm/js/WebAssemblyModuleRecord.h:
1369         * wasm/js/WebAssemblyTablePrototype.cpp:
1370         (JSC::webAssemblyTableProtoFuncGet):
1371         (JSC::webAssemblyTableProtoFuncSet):
1372         * wasm/js/WebAssemblyWrapperFunction.cpp: Added.
1373         (JSC::callWebAssemblyWrapperFunction):
1374         (JSC::WebAssemblyWrapperFunction::WebAssemblyWrapperFunction):
1375         (JSC::WebAssemblyWrapperFunction::create):
1376         (JSC::WebAssemblyWrapperFunction::finishCreation):
1377         (JSC::WebAssemblyWrapperFunction::createStructure):
1378         (JSC::WebAssemblyWrapperFunction::visitChildren):
1379         * wasm/js/WebAssemblyWrapperFunction.h: Added.
1380         (JSC::WebAssemblyWrapperFunction::signatureIndex):
1381         (JSC::WebAssemblyWrapperFunction::wasmEntrypoint):
1382         (JSC::WebAssemblyWrapperFunction::function):
1383
1384 2017-03-10  Mark Lam  <mark.lam@apple.com>
1385
1386         JSC: BindingNode::bindValue doesn't increase the scope's reference count.
1387         https://bugs.webkit.org/show_bug.cgi?id=168546
1388         <rdar://problem/30589551>
1389
1390         Reviewed by Saam Barati.
1391
1392         We should protect the scope RegisterID with a RefPtr while it is still needed.
1393
1394         * bytecompiler/NodesCodegen.cpp:
1395         (JSC::ForInNode::emitLoopHeader):
1396         (JSC::ForOfNode::emitBytecode):
1397         (JSC::BindingNode::bindValue):
1398
1399 2017-03-10  Alex Christensen  <achristensen@webkit.org>
1400
1401         Fix CMake build.
1402
1403         * CMakeLists.txt:
1404         Make more forwarding headers so we can find WasmFaultSignalHandler.h from WebProcess.cpp.
1405
1406 2017-03-10  Mark Lam  <mark.lam@apple.com>
1407
1408         [Re-landing] Implement a StackTrace utility object that can capture stack traces for debugging.
1409         https://bugs.webkit.org/show_bug.cgi?id=169454
1410
1411         Reviewed by Michael Saboff.
1412
1413         The underlying implementation is hoisted right out of Assertions.cpp from the
1414         implementations of WTFPrintBacktrace().
1415
1416         The reason we need this StackTrace object is because during heap debugging, we
1417         sometimes want to capture the stack trace that allocated the objects of interest.
1418         Dumping the stack trace directly to stdout (using WTFReportBacktrace()) may
1419         perturb the execution profile sufficiently that an issue may not reproduce,
1420         while alternatively, just capturing the stack trace and deferring printing it
1421         till we actually need it later perturbs the execution profile less.
1422
1423         In addition, just capturing the stack traces (instead of printing them
1424         immediately at each capture site) allows us to avoid polluting stdout with tons
1425         of stack traces that may be irrelevant.
1426
1427         For now, we only capture the native stack trace.  We'll leave capturing and
1428         integrating the JS stack trace as an exercise for the future if we need it then.
1429
1430         Here's an example of how to use this StackTrace utility:
1431
1432             // Capture a stack trace of the top 10 frames.
1433             std::unique_ptr<StackTrace> trace(StackTrace::captureStackTrace(10));
1434             // Print the trace.
1435             dataLog(*trace);
1436
1437         * CMakeLists.txt:
1438         * JavaScriptCore.xcodeproj/project.pbxproj:
1439         * tools/StackTrace.cpp: Added.
1440         (JSC::StackTrace::instanceSize):
1441         (JSC::StackTrace::captureStackTrace):
1442         (JSC::StackTrace::dump):
1443         * tools/StackTrace.h: Added.
1444         (JSC::StackTrace::size):
1445         (JSC::StackTrace::StackTrace):
1446
1447 2017-03-04  Filip Pizlo  <fpizlo@apple.com>
1448
1449         B3 should have comprehensive support for atomic operations
1450         https://bugs.webkit.org/show_bug.cgi?id=162349
1451
1452         Reviewed by Keith Miller.
1453         
1454         This adds the following capabilities to B3:
1455         
1456         - Atomic weak/strong unfenced/fenced compare-and-swap
1457         - Atomic add/sub/or/and/xor/xchg
1458         - Acquire/release fencing on loads/stores
1459         - Fenceless load-load dependencies
1460         
1461         This adds lowering to the following instructions on x86:
1462         
1463         - lock cmpxchg
1464         - lock xadd
1465         - lock add/sub/or/and/xor/xchg
1466         
1467         This adds lowering to the following instructions on ARM64:
1468         
1469         - ldar and friends
1470         - stlr and friends
1471         - ldxr and friends (unfenced LL)
1472         - stxr and friends (unfenced SC)
1473         - ldaxr and friends (fenced LL)
1474         - stlxr and friends (fenced SC)
1475         - eor as a fenceless load-load dependency
1476         
1477         This does instruction selection pattern matching to ensure that weak/strong CAS and all of the
1478         variants of fences and atomic math ops get lowered to the best possible instruction sequence.
1479         For example, we support the Equal(AtomicStrongCAS(expected, ...), expected) pattern and a bunch
1480         of its friends. You can say Branch(Equal(AtomicStrongCAS(expected, ...), expected)) and it will
1481         generate the best possible branch sequence on x86 and ARM64.
1482         
1483         B3 now knows how to model all of the kinds of fencing. It knows that acq loads are ordered with
1484         respect to each other and with respect to rel stores, creating sequential consistency that
1485         transcends just the acq/rel fences themselves (see Effects::fence). It knows that the phantom
1486         fence effects may only target some abstract heaps but not others, so that load elimination and
1487         store sinking can still operate across fences if you just tell B3 that the fence does not alias
1488         those accesses. This makes it super easy to teach B3 that some of your heap is thread-local.
1489         Even better, it lets you express fine-grained dependencies where the atomics that affect one
1490         property in shared memory do not clobber non-atomics that affect some other property in shared
1491         memory.
1492         
1493         One of my favorite features is Depend, which allows you to express load-load dependencies. On
1494         x86 it lowers to nothing, while on ARM64 it lowers to eor.
1495         
1496         This also exposes a common atomicWeakCAS API to the x86_64/ARM64 MacroAssemblers. Same for
1497         acq/rel. JSC's 64-bit JITs are now a happy concurrency playground.
1498         
1499         This doesn't yet expose the functionality to JS or wasm. SAB still uses the non-intrinsic
1500         implementations of the Atomics object, for now.
1501         
1502         * CMakeLists.txt:
1503         * JavaScriptCore.xcodeproj/project.pbxproj:
1504         * assembler/ARM64Assembler.h:
1505         (JSC::ARM64Assembler::ldar):
1506         (JSC::ARM64Assembler::ldxr):
1507         (JSC::ARM64Assembler::ldaxr):
1508         (JSC::ARM64Assembler::stxr):
1509         (JSC::ARM64Assembler::stlr):
1510         (JSC::ARM64Assembler::stlxr):
1511         (JSC::ARM64Assembler::excepnGenerationImmMask):
1512         (JSC::ARM64Assembler::exoticLoad):
1513         (JSC::ARM64Assembler::storeRelease):
1514         (JSC::ARM64Assembler::exoticStore):
1515         * assembler/AbstractMacroAssembler.cpp: Added.
1516         (WTF::printInternal):
1517         * assembler/AbstractMacroAssembler.h:
1518         (JSC::AbstractMacroAssemblerBase::invert):
1519         * assembler/MacroAssembler.h:
1520         * assembler/MacroAssemblerARM64.h:
1521         (JSC::MacroAssemblerARM64::loadAcq8SignedExtendTo32):
1522         (JSC::MacroAssemblerARM64::loadAcq8):
1523         (JSC::MacroAssemblerARM64::storeRel8):
1524         (JSC::MacroAssemblerARM64::loadAcq16SignedExtendTo32):
1525         (JSC::MacroAssemblerARM64::loadAcq16):
1526         (JSC::MacroAssemblerARM64::storeRel16):
1527         (JSC::MacroAssemblerARM64::loadAcq32):
1528         (JSC::MacroAssemblerARM64::loadAcq64):
1529         (JSC::MacroAssemblerARM64::storeRel32):
1530         (JSC::MacroAssemblerARM64::storeRel64):
1531         (JSC::MacroAssemblerARM64::loadLink8):
1532         (JSC::MacroAssemblerARM64::loadLinkAcq8):
1533         (JSC::MacroAssemblerARM64::storeCond8):
1534         (JSC::MacroAssemblerARM64::storeCondRel8):
1535         (JSC::MacroAssemblerARM64::loadLink16):
1536         (JSC::MacroAssemblerARM64::loadLinkAcq16):
1537         (JSC::MacroAssemblerARM64::storeCond16):
1538         (JSC::MacroAssemblerARM64::storeCondRel16):
1539         (JSC::MacroAssemblerARM64::loadLink32):
1540         (JSC::MacroAssemblerARM64::loadLinkAcq32):
1541         (JSC::MacroAssemblerARM64::storeCond32):
1542         (JSC::MacroAssemblerARM64::storeCondRel32):
1543         (JSC::MacroAssemblerARM64::loadLink64):
1544         (JSC::MacroAssemblerARM64::loadLinkAcq64):
1545         (JSC::MacroAssemblerARM64::storeCond64):
1546         (JSC::MacroAssemblerARM64::storeCondRel64):
1547         (JSC::MacroAssemblerARM64::atomicStrongCAS8):
1548         (JSC::MacroAssemblerARM64::atomicStrongCAS16):
1549         (JSC::MacroAssemblerARM64::atomicStrongCAS32):
1550         (JSC::MacroAssemblerARM64::atomicStrongCAS64):
1551         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS8):
1552         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS16):
1553         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS32):
1554         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS64):
1555         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS8):
1556         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS16):
1557         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS32):
1558         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS64):
1559         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS8):
1560         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS16):
1561         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS32):
1562         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS64):
1563         (JSC::MacroAssemblerARM64::depend32):
1564         (JSC::MacroAssemblerARM64::depend64):
1565         (JSC::MacroAssemblerARM64::loadLink):
1566         (JSC::MacroAssemblerARM64::loadLinkAcq):
1567         (JSC::MacroAssemblerARM64::storeCond):
1568         (JSC::MacroAssemblerARM64::storeCondRel):
1569         (JSC::MacroAssemblerARM64::signExtend):
1570         (JSC::MacroAssemblerARM64::branch):
1571         (JSC::MacroAssemblerARM64::atomicStrongCAS):
1572         (JSC::MacroAssemblerARM64::atomicRelaxedStrongCAS):
1573         (JSC::MacroAssemblerARM64::branchAtomicWeakCAS):
1574         (JSC::MacroAssemblerARM64::branchAtomicRelaxedWeakCAS):
1575         (JSC::MacroAssemblerARM64::extractSimpleAddress):
1576         (JSC::MacroAssemblerARM64::signExtend<8>):
1577         (JSC::MacroAssemblerARM64::signExtend<16>):
1578         (JSC::MacroAssemblerARM64::branch<64>):
1579         * assembler/MacroAssemblerX86Common.h:
1580         (JSC::MacroAssemblerX86Common::add32):
1581         (JSC::MacroAssemblerX86Common::and32):
1582         (JSC::MacroAssemblerX86Common::and16):
1583         (JSC::MacroAssemblerX86Common::and8):
1584         (JSC::MacroAssemblerX86Common::neg32):
1585         (JSC::MacroAssemblerX86Common::neg16):
1586         (JSC::MacroAssemblerX86Common::neg8):
1587         (JSC::MacroAssemblerX86Common::or32):
1588         (JSC::MacroAssemblerX86Common::or16):
1589         (JSC::MacroAssemblerX86Common::or8):
1590         (JSC::MacroAssemblerX86Common::sub16):
1591         (JSC::MacroAssemblerX86Common::sub8):
1592         (JSC::MacroAssemblerX86Common::sub32):
1593         (JSC::MacroAssemblerX86Common::xor32):
1594         (JSC::MacroAssemblerX86Common::xor16):
1595         (JSC::MacroAssemblerX86Common::xor8):
1596         (JSC::MacroAssemblerX86Common::not32):
1597         (JSC::MacroAssemblerX86Common::not16):
1598         (JSC::MacroAssemblerX86Common::not8):
1599         (JSC::MacroAssemblerX86Common::store16):
1600         (JSC::MacroAssemblerX86Common::atomicStrongCAS8):
1601         (JSC::MacroAssemblerX86Common::atomicStrongCAS16):
1602         (JSC::MacroAssemblerX86Common::atomicStrongCAS32):
1603         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS8):
1604         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS16):
1605         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS32):
1606         (JSC::MacroAssemblerX86Common::atomicWeakCAS8):
1607         (JSC::MacroAssemblerX86Common::atomicWeakCAS16):
1608         (JSC::MacroAssemblerX86Common::atomicWeakCAS32):
1609         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS8):
1610         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS16):
1611         (JSC::MacroAssemblerX86Common::branchAtomicWeakCAS32):
1612         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS8):
1613         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS16):
1614         (JSC::MacroAssemblerX86Common::atomicRelaxedWeakCAS32):
1615         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS8):
1616         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS16):
1617         (JSC::MacroAssemblerX86Common::branchAtomicRelaxedWeakCAS32):
1618         (JSC::MacroAssemblerX86Common::atomicAdd8):
1619         (JSC::MacroAssemblerX86Common::atomicAdd16):
1620         (JSC::MacroAssemblerX86Common::atomicAdd32):
1621         (JSC::MacroAssemblerX86Common::atomicSub8):
1622         (JSC::MacroAssemblerX86Common::atomicSub16):
1623         (JSC::MacroAssemblerX86Common::atomicSub32):
1624         (JSC::MacroAssemblerX86Common::atomicAnd8):
1625         (JSC::MacroAssemblerX86Common::atomicAnd16):
1626         (JSC::MacroAssemblerX86Common::atomicAnd32):
1627         (JSC::MacroAssemblerX86Common::atomicOr8):
1628         (JSC::MacroAssemblerX86Common::atomicOr16):
1629         (JSC::MacroAssemblerX86Common::atomicOr32):
1630         (JSC::MacroAssemblerX86Common::atomicXor8):
1631         (JSC::MacroAssemblerX86Common::atomicXor16):
1632         (JSC::MacroAssemblerX86Common::atomicXor32):
1633         (JSC::MacroAssemblerX86Common::atomicNeg8):
1634         (JSC::MacroAssemblerX86Common::atomicNeg16):
1635         (JSC::MacroAssemblerX86Common::atomicNeg32):
1636         (JSC::MacroAssemblerX86Common::atomicNot8):
1637         (JSC::MacroAssemblerX86Common::atomicNot16):
1638         (JSC::MacroAssemblerX86Common::atomicNot32):
1639         (JSC::MacroAssemblerX86Common::atomicXchgAdd8):
1640         (JSC::MacroAssemblerX86Common::atomicXchgAdd16):
1641         (JSC::MacroAssemblerX86Common::atomicXchgAdd32):
1642         (JSC::MacroAssemblerX86Common::atomicXchg8):
1643         (JSC::MacroAssemblerX86Common::atomicXchg16):
1644         (JSC::MacroAssemblerX86Common::atomicXchg32):
1645         (JSC::MacroAssemblerX86Common::loadAcq8):
1646         (JSC::MacroAssemblerX86Common::loadAcq8SignedExtendTo32):
1647         (JSC::MacroAssemblerX86Common::loadAcq16):
1648         (JSC::MacroAssemblerX86Common::loadAcq16SignedExtendTo32):
1649         (JSC::MacroAssemblerX86Common::loadAcq32):
1650         (JSC::MacroAssemblerX86Common::storeRel8):
1651         (JSC::MacroAssemblerX86Common::storeRel16):
1652         (JSC::MacroAssemblerX86Common::storeRel32):
1653         (JSC::MacroAssemblerX86Common::storeFence):
1654         (JSC::MacroAssemblerX86Common::loadFence):
1655         (JSC::MacroAssemblerX86Common::replaceWithJump):
1656         (JSC::MacroAssemblerX86Common::maxJumpReplacementSize):
1657         (JSC::MacroAssemblerX86Common::patchableJumpSize):
1658         (JSC::MacroAssemblerX86Common::supportsFloatingPointRounding):
1659         (JSC::MacroAssemblerX86Common::supportsAVX):
1660         (JSC::MacroAssemblerX86Common::updateEax1EcxFlags):
1661         (JSC::MacroAssemblerX86Common::x86Condition):
1662         (JSC::MacroAssemblerX86Common::atomicStrongCAS):
1663         (JSC::MacroAssemblerX86Common::branchAtomicStrongCAS):
1664         * assembler/MacroAssemblerX86_64.h:
1665         (JSC::MacroAssemblerX86_64::add64):
1666         (JSC::MacroAssemblerX86_64::and64):
1667         (JSC::MacroAssemblerX86_64::neg64):
1668         (JSC::MacroAssemblerX86_64::or64):
1669         (JSC::MacroAssemblerX86_64::sub64):
1670         (JSC::MacroAssemblerX86_64::xor64):
1671         (JSC::MacroAssemblerX86_64::not64):
1672         (JSC::MacroAssemblerX86_64::store64):
1673         (JSC::MacroAssemblerX86_64::atomicStrongCAS64):
1674         (JSC::MacroAssemblerX86_64::branchAtomicStrongCAS64):
1675         (JSC::MacroAssemblerX86_64::atomicWeakCAS64):
1676         (JSC::MacroAssemblerX86_64::branchAtomicWeakCAS64):
1677         (JSC::MacroAssemblerX86_64::atomicRelaxedWeakCAS64):
1678         (JSC::MacroAssemblerX86_64::branchAtomicRelaxedWeakCAS64):
1679         (JSC::MacroAssemblerX86_64::atomicAdd64):
1680         (JSC::MacroAssemblerX86_64::atomicSub64):
1681         (JSC::MacroAssemblerX86_64::atomicAnd64):
1682         (JSC::MacroAssemblerX86_64::atomicOr64):
1683         (JSC::MacroAssemblerX86_64::atomicXor64):
1684         (JSC::MacroAssemblerX86_64::atomicNeg64):
1685         (JSC::MacroAssemblerX86_64::atomicNot64):
1686         (JSC::MacroAssemblerX86_64::atomicXchgAdd64):
1687         (JSC::MacroAssemblerX86_64::atomicXchg64):
1688         (JSC::MacroAssemblerX86_64::loadAcq64):
1689         (JSC::MacroAssemblerX86_64::storeRel64):
1690         * assembler/X86Assembler.h:
1691         (JSC::X86Assembler::addl_mr):
1692         (JSC::X86Assembler::addq_mr):
1693         (JSC::X86Assembler::addq_rm):
1694         (JSC::X86Assembler::addq_im):
1695         (JSC::X86Assembler::andl_mr):
1696         (JSC::X86Assembler::andl_rm):
1697         (JSC::X86Assembler::andw_rm):
1698         (JSC::X86Assembler::andb_rm):
1699         (JSC::X86Assembler::andl_im):
1700         (JSC::X86Assembler::andw_im):
1701         (JSC::X86Assembler::andb_im):
1702         (JSC::X86Assembler::andq_mr):
1703         (JSC::X86Assembler::andq_rm):
1704         (JSC::X86Assembler::andq_im):
1705         (JSC::X86Assembler::incq_m):
1706         (JSC::X86Assembler::negq_m):
1707         (JSC::X86Assembler::negl_m):
1708         (JSC::X86Assembler::negw_m):
1709         (JSC::X86Assembler::negb_m):
1710         (JSC::X86Assembler::notl_m):
1711         (JSC::X86Assembler::notw_m):
1712         (JSC::X86Assembler::notb_m):
1713         (JSC::X86Assembler::notq_m):
1714         (JSC::X86Assembler::orl_mr):
1715         (JSC::X86Assembler::orl_rm):
1716         (JSC::X86Assembler::orw_rm):
1717         (JSC::X86Assembler::orb_rm):
1718         (JSC::X86Assembler::orl_im):
1719         (JSC::X86Assembler::orw_im):
1720         (JSC::X86Assembler::orb_im):
1721         (JSC::X86Assembler::orq_mr):
1722         (JSC::X86Assembler::orq_rm):
1723         (JSC::X86Assembler::orq_im):
1724         (JSC::X86Assembler::subl_mr):
1725         (JSC::X86Assembler::subl_rm):
1726         (JSC::X86Assembler::subw_rm):
1727         (JSC::X86Assembler::subb_rm):
1728         (JSC::X86Assembler::subl_im):
1729         (JSC::X86Assembler::subw_im):
1730         (JSC::X86Assembler::subb_im):
1731         (JSC::X86Assembler::subq_mr):
1732         (JSC::X86Assembler::subq_rm):
1733         (JSC::X86Assembler::subq_im):
1734         (JSC::X86Assembler::xorl_mr):
1735         (JSC::X86Assembler::xorl_rm):
1736         (JSC::X86Assembler::xorl_im):
1737         (JSC::X86Assembler::xorw_rm):
1738         (JSC::X86Assembler::xorw_im):
1739         (JSC::X86Assembler::xorb_rm):
1740         (JSC::X86Assembler::xorb_im):
1741         (JSC::X86Assembler::xorq_im):
1742         (JSC::X86Assembler::xorq_rm):
1743         (JSC::X86Assembler::xorq_mr):
1744         (JSC::X86Assembler::xchgb_rm):
1745         (JSC::X86Assembler::xchgw_rm):
1746         (JSC::X86Assembler::xchgl_rm):
1747         (JSC::X86Assembler::xchgq_rm):
1748         (JSC::X86Assembler::movw_im):
1749         (JSC::X86Assembler::movq_i32m):
1750         (JSC::X86Assembler::cmpxchgb_rm):
1751         (JSC::X86Assembler::cmpxchgw_rm):
1752         (JSC::X86Assembler::cmpxchgl_rm):
1753         (JSC::X86Assembler::cmpxchgq_rm):
1754         (JSC::X86Assembler::xaddb_rm):
1755         (JSC::X86Assembler::xaddw_rm):
1756         (JSC::X86Assembler::xaddl_rm):
1757         (JSC::X86Assembler::xaddq_rm):
1758         (JSC::X86Assembler::X86InstructionFormatter::SingleInstructionBufferWriter::memoryModRM):
1759         * b3/B3AtomicValue.cpp: Added.
1760         (JSC::B3::AtomicValue::~AtomicValue):
1761         (JSC::B3::AtomicValue::dumpMeta):
1762         (JSC::B3::AtomicValue::cloneImpl):
1763         (JSC::B3::AtomicValue::AtomicValue):
1764         * b3/B3AtomicValue.h: Added.
1765         * b3/B3BasicBlock.h:
1766         * b3/B3BlockInsertionSet.cpp:
1767         (JSC::B3::BlockInsertionSet::BlockInsertionSet):
1768         (JSC::B3::BlockInsertionSet::insert): Deleted.
1769         (JSC::B3::BlockInsertionSet::insertBefore): Deleted.
1770         (JSC::B3::BlockInsertionSet::insertAfter): Deleted.
1771         (JSC::B3::BlockInsertionSet::execute): Deleted.
1772         * b3/B3BlockInsertionSet.h:
1773         * b3/B3Effects.cpp:
1774         (JSC::B3::Effects::interferes):
1775         (JSC::B3::Effects::operator==):
1776         (JSC::B3::Effects::dump):
1777         * b3/B3Effects.h:
1778         (JSC::B3::Effects::forCall):
1779         (JSC::B3::Effects::mustExecute):
1780         * b3/B3EliminateCommonSubexpressions.cpp:
1781         * b3/B3Generate.cpp:
1782         (JSC::B3::generateToAir):
1783         * b3/B3GenericBlockInsertionSet.h: Added.
1784         (JSC::B3::GenericBlockInsertionSet::GenericBlockInsertionSet):
1785         (JSC::B3::GenericBlockInsertionSet::insert):
1786         (JSC::B3::GenericBlockInsertionSet::insertBefore):
1787         (JSC::B3::GenericBlockInsertionSet::insertAfter):
1788         (JSC::B3::GenericBlockInsertionSet::execute):
1789         * b3/B3HeapRange.h:
1790         (JSC::B3::HeapRange::operator|):
1791         * b3/B3InsertionSet.cpp:
1792         (JSC::B3::InsertionSet::insertClone):
1793         * b3/B3InsertionSet.h:
1794         * b3/B3LegalizeMemoryOffsets.cpp:
1795         * b3/B3LowerMacros.cpp:
1796         (JSC::B3::lowerMacros):
1797         * b3/B3LowerMacrosAfterOptimizations.cpp:
1798         * b3/B3LowerToAir.cpp:
1799         (JSC::B3::Air::LowerToAir::LowerToAir):
1800         (JSC::B3::Air::LowerToAir::run):
1801         (JSC::B3::Air::LowerToAir::effectiveAddr):
1802         (JSC::B3::Air::LowerToAir::addr):
1803         (JSC::B3::Air::LowerToAir::loadPromiseAnyOpcode):
1804         (JSC::B3::Air::LowerToAir::appendShift):
1805         (JSC::B3::Air::LowerToAir::tryAppendStoreBinOp):
1806         (JSC::B3::Air::LowerToAir::storeOpcode):
1807         (JSC::B3::Air::LowerToAir::createStore):
1808         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1809         (JSC::B3::Air::LowerToAir::newBlock):
1810         (JSC::B3::Air::LowerToAir::splitBlock):
1811         (JSC::B3::Air::LowerToAir::fillStackmap):
1812         (JSC::B3::Air::LowerToAir::appendX86Div):
1813         (JSC::B3::Air::LowerToAir::appendX86UDiv):
1814         (JSC::B3::Air::LowerToAir::loadLinkOpcode):
1815         (JSC::B3::Air::LowerToAir::storeCondOpcode):
1816         (JSC::B3::Air::LowerToAir::appendCAS):
1817         (JSC::B3::Air::LowerToAir::appendVoidAtomic):
1818         (JSC::B3::Air::LowerToAir::appendGeneralAtomic):
1819         (JSC::B3::Air::LowerToAir::lower):
1820         (JSC::B3::Air::LowerToAir::lowerX86Div): Deleted.
1821         (JSC::B3::Air::LowerToAir::lowerX86UDiv): Deleted.
1822         * b3/B3LowerToAir.h:
1823         * b3/B3MemoryValue.cpp:
1824         (JSC::B3::MemoryValue::isLegalOffset):
1825         (JSC::B3::MemoryValue::accessType):
1826         (JSC::B3::MemoryValue::accessBank):
1827         (JSC::B3::MemoryValue::accessByteSize):
1828         (JSC::B3::MemoryValue::dumpMeta):
1829         (JSC::B3::MemoryValue::MemoryValue):
1830         (JSC::B3::MemoryValue::accessWidth): Deleted.
1831         * b3/B3MemoryValue.h:
1832         * b3/B3MemoryValueInlines.h: Added.
1833         (JSC::B3::MemoryValue::isLegalOffset):
1834         (JSC::B3::MemoryValue::requiresSimpleAddr):
1835         (JSC::B3::MemoryValue::accessWidth):
1836         * b3/B3MoveConstants.cpp:
1837         * b3/B3NativeTraits.h: Added.
1838         * b3/B3Opcode.cpp:
1839         (JSC::B3::storeOpcode):
1840         (WTF::printInternal):
1841         * b3/B3Opcode.h:
1842         (JSC::B3::isLoad):
1843         (JSC::B3::isStore):
1844         (JSC::B3::isLoadStore):
1845         (JSC::B3::isAtomic):
1846         (JSC::B3::isAtomicCAS):
1847         (JSC::B3::isAtomicXchg):
1848         (JSC::B3::isMemoryAccess):
1849         (JSC::B3::signExtendOpcode):
1850         * b3/B3Procedure.cpp:
1851         (JSC::B3::Procedure::dump):
1852         * b3/B3Procedure.h:
1853         (JSC::B3::Procedure::hasQuirks):
1854         (JSC::B3::Procedure::setHasQuirks):
1855         * b3/B3PureCSE.cpp:
1856         (JSC::B3::pureCSE):
1857         * b3/B3PureCSE.h:
1858         * b3/B3ReduceStrength.cpp:
1859         * b3/B3Validate.cpp:
1860         * b3/B3Value.cpp:
1861         (JSC::B3::Value::returnsBool):
1862         (JSC::B3::Value::effects):
1863         (JSC::B3::Value::key):
1864         (JSC::B3::Value::performSubstitution):
1865         (JSC::B3::Value::typeFor):
1866         * b3/B3Value.h:
1867         * b3/B3Width.cpp:
1868         (JSC::B3::bestType):
1869         * b3/B3Width.h:
1870         (JSC::B3::canonicalWidth):
1871         (JSC::B3::isCanonicalWidth):
1872         (JSC::B3::mask):
1873         * b3/air/AirArg.cpp:
1874         (JSC::B3::Air::Arg::jsHash):
1875         (JSC::B3::Air::Arg::dump):
1876         (WTF::printInternal):
1877         * b3/air/AirArg.h:
1878         (JSC::B3::Air::Arg::isAnyUse):
1879         (JSC::B3::Air::Arg::isColdUse):
1880         (JSC::B3::Air::Arg::cooled):
1881         (JSC::B3::Air::Arg::isEarlyUse):
1882         (JSC::B3::Air::Arg::isLateUse):
1883         (JSC::B3::Air::Arg::isAnyDef):
1884         (JSC::B3::Air::Arg::isEarlyDef):
1885         (JSC::B3::Air::Arg::isLateDef):
1886         (JSC::B3::Air::Arg::isZDef):
1887         (JSC::B3::Air::Arg::simpleAddr):
1888         (JSC::B3::Air::Arg::statusCond):
1889         (JSC::B3::Air::Arg::isSimpleAddr):
1890         (JSC::B3::Air::Arg::isMemory):
1891         (JSC::B3::Air::Arg::isStatusCond):
1892         (JSC::B3::Air::Arg::isCondition):
1893         (JSC::B3::Air::Arg::ptr):
1894         (JSC::B3::Air::Arg::base):
1895         (JSC::B3::Air::Arg::isGP):
1896         (JSC::B3::Air::Arg::isFP):
1897         (JSC::B3::Air::Arg::isValidForm):
1898         (JSC::B3::Air::Arg::forEachTmpFast):
1899         (JSC::B3::Air::Arg::forEachTmp):
1900         (JSC::B3::Air::Arg::asAddress):
1901         (JSC::B3::Air::Arg::asStatusCondition):
1902         (JSC::B3::Air::Arg::isInvertible):
1903         (JSC::B3::Air::Arg::inverted):
1904         * b3/air/AirBasicBlock.cpp:
1905         (JSC::B3::Air::BasicBlock::setSuccessors):
1906         * b3/air/AirBasicBlock.h:
1907         * b3/air/AirBlockInsertionSet.cpp: Added.
1908         (JSC::B3::Air::BlockInsertionSet::BlockInsertionSet):
1909         (JSC::B3::Air::BlockInsertionSet::~BlockInsertionSet):
1910         * b3/air/AirBlockInsertionSet.h: Added.
1911         * b3/air/AirDumpAsJS.cpp: Removed.
1912         * b3/air/AirDumpAsJS.h: Removed.
1913         * b3/air/AirEliminateDeadCode.cpp:
1914         (JSC::B3::Air::eliminateDeadCode):
1915         * b3/air/AirGenerate.cpp:
1916         (JSC::B3::Air::prepareForGeneration):
1917         * b3/air/AirInstInlines.h:
1918         (JSC::B3::Air::isAtomicStrongCASValid):
1919         (JSC::B3::Air::isBranchAtomicStrongCASValid):
1920         (JSC::B3::Air::isAtomicStrongCAS8Valid):
1921         (JSC::B3::Air::isAtomicStrongCAS16Valid):
1922         (JSC::B3::Air::isAtomicStrongCAS32Valid):
1923         (JSC::B3::Air::isAtomicStrongCAS64Valid):
1924         (JSC::B3::Air::isBranchAtomicStrongCAS8Valid):
1925         (JSC::B3::Air::isBranchAtomicStrongCAS16Valid):
1926         (JSC::B3::Air::isBranchAtomicStrongCAS32Valid):
1927         (JSC::B3::Air::isBranchAtomicStrongCAS64Valid):
1928         * b3/air/AirOpcode.opcodes:
1929         * b3/air/AirOptimizeBlockOrder.cpp:
1930         (JSC::B3::Air::optimizeBlockOrder):
1931         * b3/air/AirPadInterference.cpp:
1932         (JSC::B3::Air::padInterference):
1933         * b3/air/AirSpillEverything.cpp:
1934         (JSC::B3::Air::spillEverything):
1935         * b3/air/opcode_generator.rb:
1936         * b3/testb3.cpp:
1937         (JSC::B3::testLoadAcq42):
1938         (JSC::B3::testStoreRelAddLoadAcq32):
1939         (JSC::B3::testStoreRelAddLoadAcq8):
1940         (JSC::B3::testStoreRelAddFenceLoadAcq8):
1941         (JSC::B3::testStoreRelAddLoadAcq16):
1942         (JSC::B3::testStoreRelAddLoadAcq64):
1943         (JSC::B3::testTrappingStoreElimination):
1944         (JSC::B3::testX86LeaAddAdd):
1945         (JSC::B3::testX86LeaAddShlLeftScale1):
1946         (JSC::B3::testAtomicWeakCAS):
1947         (JSC::B3::testAtomicStrongCAS):
1948         (JSC::B3::testAtomicXchg):
1949         (JSC::B3::testDepend32):
1950         (JSC::B3::testDepend64):
1951         (JSC::B3::run):
1952         * runtime/Options.h:
1953
1954 2017-03-10  Csaba Osztrogonác  <ossy@webkit.org>
1955
1956         Unreviewed typo fixes after r213652.
1957         https://bugs.webkit.org/show_bug.cgi?id=168920
1958
1959         * assembler/MacroAssemblerARM.h:
1960         (JSC::MacroAssemblerARM::replaceWithBreakpoint):
1961         * assembler/MacroAssemblerMIPS.h:
1962         (JSC::MacroAssemblerMIPS::replaceWithBreakpoint):
1963
1964 2017-03-10  Csaba Osztrogonác  <ossy@webkit.org>
1965
1966         Unreviewed ARM buildfix after r213652.
1967         https://bugs.webkit.org/show_bug.cgi?id=168920
1968
1969         r213652 used replaceWithBrk and replaceWithBkpt names for the same
1970         function, which was inconsistent and caused a build error in ARMAssembler.
1971
1972         * assembler/ARM64Assembler.h:
1973         (JSC::ARM64Assembler::replaceWithBkpt): Renamed replaceWithBrk to replaceWithBkpt.
1974         (JSC::ARM64Assembler::replaceWithBrk): Deleted.
1975         * assembler/ARMAssembler.h:
1976         (JSC::ARMAssembler::replaceWithBkpt): Renamed replaceWithBrk to replaceWithBkpt.
1977         (JSC::ARMAssembler::replaceWithBrk): Deleted.
1978         * assembler/MacroAssemblerARM64.h:
1979         (JSC::MacroAssemblerARM64::replaceWithBreakpoint):
1980
1981 2017-03-10  Alex Christensen  <achristensen@webkit.org>
1982
1983         Win64 build fix.
1984
1985         * b3/B3FenceValue.h:
1986         * b3/B3Value.h:
1987         Putting JS_EXPORT_PRIVATE on member functions in classes that are declared with JS_EXPORT_PRIVATE
1988         doesn't accomplish anything except making Visual Studio mad.
1989         * b3/air/opcode_generator.rb:
1990         winnt.h has naming collisions with enum values from AirOpcode.h.
1991         For example, MemoryFence is #defined to be _mm_mfence, which is declared to be a function in emmintrin.h.
1992         RotateLeft32 is #defined to be _rotl, which is declared to be a function in <stdlib.h>.
1993         A clean solution is just to put Opcode:: before the references to the opcode names to tell Visual Studio
1994         that it is referring to the enum value in AirOpcode.h and not the function declaration elsewhere.
1995
1996 2017-03-09  Ryan Haddad  <ryanhaddad@apple.com>
1997
1998         Unreviewed, rolling out r213695.
1999
2000         This change broke the Windows build.
2001
2002         Reverted changeset:
2003
2004         "Implement a StackTrace utility object that can capture stack
2005         traces for debugging."
2006         https://bugs.webkit.org/show_bug.cgi?id=169454
2007         http://trac.webkit.org/changeset/213695
2008
2009 2017-03-09  Caio Lima  <ticaiolima@gmail.com>
2010
2011         [ESnext] Implement Object Rest - Implementing Object Rest Destructuring
2012         https://bugs.webkit.org/show_bug.cgi?id=167962
2013
2014         Reviewed by Keith Miller.
2015
2016         The Object Rest/Spread Destructuring proposal is in stage 3[1] and this
2017         patch is a prototype implementation of it. A simple change over the
2018         parser was necessary to support the new '...' token on the Object Pattern
2019         destructuring rule. On the bytecode generator side, we changed the
2020         bytecode generated in ObjectPatternNode::bindValue to store in an
2021         array the identifiers of already destructured properties, following spec draft
2022         section [2], and then pass it as excludedNames to CopyDataProperties.
2023         The rest destructuring then calls copyDataProperties to perform the
2024         copy of the rest properties from the rhs.
2025
2026         We also implemented CopyDataProperties as a private JS global operation
2027         in builtins/GlobalOperations.js following its specification in [3].
2028         It is implemented using a Set object to verify if a property is in
2029         excludedNames, to keep this algorithm at O(n + m) complexity, where n
2030         = number of source's own properties and m = excludedNames.length.
2031
2032         As a requirement to use JSSets as constants, a change in the
2033         CodeBlock::create API was necessary, because JSSet creation can throw an OOM
2034         exception. Now, CodeBlock::finishCreation returns false if an
2035         exception is thrown by
2036         CodeBlock::setConstantIdentifierSetRegisters, and then we return
2037         nullptr to ScriptExecutable::newCodeBlockFor. It is responsible for
2038         checking whether the CodeBlock was constructed properly and then throwing an OOM
2039         exception to the correct scope.
2040
2041         [1] - https://github.com/sebmarkbage/ecmascript-rest-spread
2042         [2] - http://sebmarkbage.github.io/ecmascript-rest-spread/#Rest-RuntimeSemantics-PropertyDestructuringAssignmentEvaluation
2043         [3] - http://sebmarkbage.github.io/ecmascript-rest-spread/#AbstractOperations-CopyDataProperties
2044
2045         * builtins/BuiltinNames.h:
2046         * builtins/GlobalOperations.js:
2047         (globalPrivate.copyDataProperties):
2048         * bytecode/CodeBlock.cpp:
2049         (JSC::CodeBlock::finishCreation):
2050         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
2051         * bytecode/CodeBlock.h:
2052         * bytecode/EvalCodeBlock.h:
2053         (JSC::EvalCodeBlock::create):
2054         * bytecode/FunctionCodeBlock.h:
2055         (JSC::FunctionCodeBlock::create):
2056         * bytecode/ModuleProgramCodeBlock.h:
2057         (JSC::ModuleProgramCodeBlock::create):
2058         * bytecode/ProgramCodeBlock.h:
2059         (JSC::ProgramCodeBlock::create):
2060         * bytecode/UnlinkedCodeBlock.h:
2061         (JSC::UnlinkedCodeBlock::addSetConstant):
2062         (JSC::UnlinkedCodeBlock::constantIdentifierSets):
2063         * bytecompiler/BytecodeGenerator.cpp:
2064         (JSC::BytecodeGenerator::emitLoad):
2065         * bytecompiler/BytecodeGenerator.h:
2066         * bytecompiler/NodesCodegen.cpp:
2067         (JSC::ObjectPatternNode::bindValue):
2068         * parser/ASTBuilder.h:
2069         (JSC::ASTBuilder::appendObjectPatternEntry):
2070         (JSC::ASTBuilder::appendObjectPatternRestEntry):
2071         (JSC::ASTBuilder::setContainsObjectRestElement):
2072         * parser/Nodes.h:
2073         (JSC::ObjectPatternNode::appendEntry):
2074         (JSC::ObjectPatternNode::setContainsRestElement):
2075         * parser/Parser.cpp:
2076         (JSC::Parser<LexerType>::parseDestructuringPattern):
2077         (JSC::Parser<LexerType>::parseProperty):
2078         * parser/SyntaxChecker.h:
2079         (JSC::SyntaxChecker::operatorStackPop):
2080         * runtime/JSGlobalObject.cpp:
2081         (JSC::JSGlobalObject::init):
2082         * runtime/JSGlobalObjectFunctions.cpp:
2083         (JSC::privateToObject):
2084         * runtime/JSGlobalObjectFunctions.h:
2085         * runtime/ScriptExecutable.cpp:
2086         (JSC::ScriptExecutable::newCodeBlockFor):
2087
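The CopyDataProperties operation the entry above describes, written out as an added example in C++ rather than as the JS builtin the change adds (this is not JavaScriptCore code). Objects are modelled as an ordered list of own properties, and `Property`, `Object`, `copyDataProperties`, `objectRest` and `restOfSample` are names assumed for the example; the point shown is the excludedNames Set that keeps the copy at O(n + m).

```cpp
// Added example, not JavaScriptCore code: a model of the CopyDataProperties
// abstract operation with excludedNames, as used by object rest destructuring.
#include <string>
#include <unordered_set>
#include <utility>
#include <vector>

// Stand-in for a JS object's own enumerable properties in insertion order.
// Own property keys are unique, so no overwrite handling is needed (assumption:
// the target is the fresh object that rest destructuring creates).
using Property = std::pair<std::string, int>;
using Object = std::vector<Property>;

// CopyDataProperties(target, source, excludedNames): copy every own property of
// source whose key is not in excludedNames onto target. excludedNames is loaded
// into a hash set once, so the whole copy is O(n + m) for n source properties
// and m excluded names, instead of O(n * m) for a list scan per property.
Object& copyDataProperties(Object& target, const Object& source,
                           const std::vector<std::string>& excludedNames)
{
    std::unordered_set<std::string> excluded(excludedNames.begin(), excludedNames.end());
    for (const Property& property : source) {
        if (excluded.count(property.first))
            continue; // already bound by an earlier entry of the pattern
        target.push_back(property);
    }
    return target;
}

// Models `const { k1, k2, ...rest } = source;`: the identifiers bound before the
// rest element are the excludedNames, and the rest object is a fresh object
// filled by CopyDataProperties.
Object objectRest(const Object& source, const std::vector<std::string>& alreadyBound)
{
    Object rest;
    copyDataProperties(rest, source, alreadyBound);
    return rest;
}

// Constructed sample: `const { a, b, ...rest } = { a: 1, b: 2, c: 3, d: 4 };`
// An excluded name that the source lacks ("missing") is simply ignored.
Object restOfSample()
{
    Object source { { "a", 1 }, { "b", 2 }, { "c", 3 }, { "d", 4 } };
    return objectRest(source, { "a", "b", "missing" });
}
```

`restOfSample()` returns the two remaining properties, `c` and `d`, in source order.
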
2088 2017-03-09  Mark Lam  <mark.lam@apple.com>
2089
2090         Implement a StackTrace utility object that can capture stack traces for debugging.
2091         https://bugs.webkit.org/show_bug.cgi?id=169454
2092
2093         Reviewed by Michael Saboff.
2094
2095         The underlying implementation is hoisted right out of Assertions.cpp from the
2096         implementations of WTFPrintBacktrace().
2097
2098         The reason we need this StackTrace object is because during heap debugging, we
2099         sometimes want to capture the stack trace that allocated the objects of interest.
2100         Dumping the stack trace directly to stdout (using WTFReportBacktrace()) may
2101         perturb the execution profile sufficiently that an issue may not reproduce,
2102         while alternatively, just capturing the stack trace and deferring printing it
2103         till we actually need it later perturbs the execution profile less.
2104
2105         In addition, just capturing the stack traces (instead of printing them
2106         immediately at each capture site) allows us to avoid polluting stdout with tons
2107         of stack traces that may be irrelevant.
2108
2109         For now, we only capture the native stack trace.  We'll leave capturing and
2110         integrating the JS stack trace as an exercise for the future if we need it then.
2111
2112         Here's an example of how to use this StackTrace utility:
2113
2114             // Capture a stack trace of the top 10 frames.
2115             std::unique_ptr<StackTrace> trace(StackTrace::captureStackTrace(10));
2116             // Print the trace.
2117             dataLog(*trace);
2118
2119         * CMakeLists.txt:
2120         * JavaScriptCore.xcodeproj/project.pbxproj:
2121         * tools/StackTrace.cpp: Added.
2122         (JSC::StackTrace::instanceSize):
2123         (JSC::StackTrace::captureStackTrace):
2124         (JSC::StackTrace::dump):
2125         * tools/StackTrace.h: Added.
2126         (JSC::StackTrace::StackTrace):
2127         (JSC::StackTrace::size):
2128
2129 2017-03-09  Keith Miller  <keith_miller@apple.com>
2130
2131         WebAssembly: Enable fast memory for WK2
2132         https://bugs.webkit.org/show_bug.cgi?id=169437
2133
2134         Reviewed by Tim Horton.
2135
2136         * JavaScriptCore.xcodeproj/project.pbxproj:
2137
2138 2017-03-09  Matt Baker  <mattbaker@apple.com>
2139
2140         Web Inspector: Add XHR breakpoints UI
2141         https://bugs.webkit.org/show_bug.cgi?id=168763
2142         <rdar://problem/30952439>
2143
2144         Reviewed by Joseph Pecoraro.
2145
2146         * inspector/protocol/DOMDebugger.json:
2147         Added clarifying comments to command descriptions.
2148
2149 2017-03-09  Michael Saboff  <msaboff@apple.com>
2150
2151         Add plumbing to WebProcess to enable JavaScriptCore configuration and logging
2152         https://bugs.webkit.org/show_bug.cgi?id=169387
2153
2154         Reviewed by Filip Pizlo.
2155
2156         Added a helper function, processConfigFile(), to process the configuration file.
2157         Changed jsc.cpp to use that function in lieu of processing the config file
2158         manually.
2159
2160         * JavaScriptCore.xcodeproj/project.pbxproj: Made ConfigFile.h a private header file.
2161         * jsc.cpp:
2162         (jscmain):
2163         * runtime/ConfigFile.cpp:
2164         (JSC::processConfigFile):
2165         * runtime/ConfigFile.h:
2166
2167 2017-03-09  Joseph Pecoraro  <pecoraro@apple.com>
2168
2169         Web Inspector: Show HTTP protocol version and other Network Load Metrics (IP Address, Priority, Connection ID)
2170         https://bugs.webkit.org/show_bug.cgi?id=29687
2171         <rdar://problem/19281586>
2172
2173         Reviewed by Matt Baker and Brian Burg.
2174
2175         * inspector/protocol/Network.json:
2176         Add metrics object with optional properties to loadingFinished event.
2177
2178 2017-03-09  Youenn Fablet  <youenn@apple.com>
2179
2180         Minimal build is broken
2181         https://bugs.webkit.org/show_bug.cgi?id=169416
2182
2183         Reviewed by Chris Dumez.
2184
2185         Since we now have some JS built-ins that are not tied to a compilation flag, we can remove compilation guards around m_vm.
2186         We could probably remove m_vm by ensuring m_jsDOMBindingInternals appears first but this might break very easily.
2187
2188         * Scripts/builtins/builtins_generate_internals_wrapper_header.py:
2189         (generate_members):
2190         * Scripts/builtins/builtins_generate_internals_wrapper_implementation.py:
2191         (BuiltinsInternalsWrapperImplementationGenerator.generate_constructor):
2192         * Scripts/tests/builtins/expected/WebCoreJSBuiltins.h-result:
2193
2194 2017-03-09  Daniel Bates  <dabates@apple.com>
2195
2196         Guard Credential Management implementation behind a runtime enabled feature flag
2197         https://bugs.webkit.org/show_bug.cgi?id=169364
2198         <rdar://problem/30957425>
2199
2200         Reviewed by Brent Fulgham.
2201
2202         Add common identifiers for Credential, PasswordCredential, and SiteBoundCredential that are
2203         needed to guard these interfaces behind a runtime enabled feature flag.
2204
2205         * runtime/CommonIdentifiers.h:
2206
2207 2017-03-09  Mark Lam  <mark.lam@apple.com>
2208
2209         Refactoring some HeapVerifier code.
2210         https://bugs.webkit.org/show_bug.cgi?id=169443
2211
2212         Reviewed by Filip Pizlo.
2213
2214         Renamed LiveObjectData to CellProfile.
2215         Renamed LiveObjectList to CellList.
2216         Moved CellProfile.*, CellList.*, and HeapVerifier.* from the heap folder to the tools folder.
2217         Updated the HeapVerifier to handle JSCells instead of just JSObjects.
2218
2219         This is in preparation for subsequent patches to fix up the HeapVerifier for service again.
2220
2221         * CMakeLists.txt:
2222         * JavaScriptCore.xcodeproj/project.pbxproj:
2223         * heap/Heap.cpp:
2224         (JSC::Heap::runBeginPhase):
2225         (JSC::Heap::runEndPhase):
2226         * heap/HeapVerifier.cpp: Removed.
2227         * heap/HeapVerifier.h: Removed.
2228         * heap/LiveObjectData.h: Removed.
2229         * heap/LiveObjectList.cpp: Removed.
2230         * heap/LiveObjectList.h: Removed.
2231         * tools/CellList.cpp: Copied from Source/JavaScriptCore/heap/LiveObjectList.cpp.
2232         (JSC::CellList::findCell):
2233         (JSC::LiveObjectList::findObject): Deleted.
2234         * tools/CellList.h: Copied from Source/JavaScriptCore/heap/LiveObjectList.h.
2235         (JSC::CellList::CellList):
2236         (JSC::CellList::reset):
2237         (JSC::LiveObjectList::LiveObjectList): Deleted.
2238         (JSC::LiveObjectList::reset): Deleted.
2239         * tools/CellProfile.h: Copied from Source/JavaScriptCore/heap/LiveObjectData.h.
2240         (JSC::CellProfile::CellProfile):
2241         (JSC::LiveObjectData::LiveObjectData): Deleted.
2242         * tools/HeapVerifier.cpp: Copied from Source/JavaScriptCore/heap/HeapVerifier.cpp.
2243         (JSC::GatherCellFunctor::GatherCellFunctor):
2244         (JSC::GatherCellFunctor::visit):
2245         (JSC::GatherCellFunctor::operator()):
2246         (JSC::HeapVerifier::gatherLiveCells):
2247         (JSC::HeapVerifier::cellListForGathering):
2248         (JSC::trimDeadCellsFromList):
2249         (JSC::HeapVerifier::trimDeadCells):
2250         (JSC::HeapVerifier::verifyButterflyIsInStorageSpace):
2251         (JSC::HeapVerifier::reportCell):
2252         (JSC::HeapVerifier::checkIfRecorded):
2253         (JSC::GatherLiveObjFunctor::GatherLiveObjFunctor): Deleted.
2254         (JSC::GatherLiveObjFunctor::visit): Deleted.
2255         (JSC::GatherLiveObjFunctor::operator()): Deleted.
2256         (JSC::HeapVerifier::gatherLiveObjects): Deleted.
2257         (JSC::HeapVerifier::liveObjectListForGathering): Deleted.
2258         (JSC::trimDeadObjectsFromList): Deleted.
2259         (JSC::HeapVerifier::trimDeadObjects): Deleted.
2260         (JSC::HeapVerifier::reportObject): Deleted.
2261         * tools/HeapVerifier.h: Copied from Source/JavaScriptCore/heap/HeapVerifier.h.
2262
2263 2017-03-09  Anders Carlsson  <andersca@apple.com>
2264
2265         Add delegate support to WebCore
2266         https://bugs.webkit.org/show_bug.cgi?id=169427
2267         Part of rdar://problem/28880714.
2268
2269         Reviewed by Geoffrey Garen.
2270
2271         * Configurations/FeatureDefines.xcconfig:
2272         Add feature define.
2273
2274 2017-03-09  Nikita Vasilyev  <nvasilyev@apple.com>
2275
2276         Web Inspector: Show individual messages in the content pane for a WebSocket
2277         https://bugs.webkit.org/show_bug.cgi?id=169011
2278
2279         Reviewed by Joseph Pecoraro.
2280
2281         Add walltime parameter and correct the description of Timestamp type.
2282
2283         * inspector/protocol/Network.json:
2284
2285 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2286
2287         Unreviewed, fix weak external symbol error.
2288
2289         * heap/SlotVisitor.h:
2290
2291 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2292
2293         std::isnan/isinf should work with WTF time classes
2294         https://bugs.webkit.org/show_bug.cgi?id=164991
2295
2296         Reviewed by Darin Adler.
2297         
2298         Changes AtomicsObject to use std::isnan() instead of operator== to detect NaN.
2299
2300         * runtime/AtomicsObject.cpp:
2301         (JSC::atomicsFuncWait):
2302
2303 2017-03-09  Mark Lam  <mark.lam@apple.com>
2304
2305         Use const AbstractLocker& (instead of const LockHolder&) in more places.
2306         https://bugs.webkit.org/show_bug.cgi?id=169424
2307
2308         Reviewed by Filip Pizlo.
2309
2310         * heap/CodeBlockSet.cpp:
2311         (JSC::CodeBlockSet::promoteYoungCodeBlocks):
2312         * heap/CodeBlockSet.h:
2313         * heap/CodeBlockSetInlines.h:
2314         (JSC::CodeBlockSet::mark):
2315         * heap/ConservativeRoots.cpp:
2316         (JSC::CompositeMarkHook::CompositeMarkHook):
2317         * heap/MachineStackMarker.cpp:
2318         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2319         * heap/MachineStackMarker.h:
2320         * profiler/ProfilerDatabase.cpp:
2321         (JSC::Profiler::Database::ensureBytecodesFor):
2322         * profiler/ProfilerDatabase.h:
2323         * runtime/SamplingProfiler.cpp:
2324         (JSC::FrameWalker::FrameWalker):
2325         (JSC::CFrameWalker::CFrameWalker):
2326         (JSC::SamplingProfiler::createThreadIfNecessary):
2327         (JSC::SamplingProfiler::takeSample):
2328         (JSC::SamplingProfiler::start):
2329         (JSC::SamplingProfiler::pause):
2330         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2331         (JSC::SamplingProfiler::clearData):
2332         (JSC::SamplingProfiler::releaseStackTraces):
2333         * runtime/SamplingProfiler.h:
2334         (JSC::SamplingProfiler::setStopWatch):
2335         * wasm/WasmMemory.cpp:
2336         (JSC::Wasm::availableFastMemories):
2337         (JSC::Wasm::activeFastMemories):
2338         (JSC::Wasm::viewActiveFastMemories):
2339         * wasm/WasmMemory.h:
2340
2341 2017-03-09  Saam Barati  <sbarati@apple.com>
2342
2343         WebAssembly: Make the Unity AngryBots demo run
2344         https://bugs.webkit.org/show_bug.cgi?id=169268
2345
2346         Reviewed by Keith Miller.
2347
2348         This patch fixes three bugs:
2349         1. The WasmBinding code for making a JS call was off
2350         by 1 in its stack layout code.
2351         2. The WasmBinding code had a "<" comparison instead
2352         of a ">=" comparison. This would cause us to calculate
2353         the wrong frame pointer offset.
2354         3. The code to reload wasm state inside B3IRGenerator didn't
2355         properly represent its effects.
2356
2357         * wasm/WasmB3IRGenerator.cpp:
2358         (JSC::Wasm::restoreWebAssemblyGlobalState):
2359         (JSC::Wasm::parseAndCompile):
2360         * wasm/WasmBinding.cpp:
2361         (JSC::Wasm::wasmToJs):
2362         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2363         (JSC::WebAssemblyInstanceConstructor::createInstance):
2364
2365 2017-03-09  Mark Lam  <mark.lam@apple.com>
2366
2367         Make the VM Traps mechanism non-polling for the DFG and FTL.
2368         https://bugs.webkit.org/show_bug.cgi?id=168920
2369         <rdar://problem/30738588>
2370
2371         Reviewed by Filip Pizlo.
2372
2373         1. Added a ENABLE(SIGNAL_BASED_VM_TRAPS) configuration in Platform.h.
2374            This is currently only enabled for OS(DARWIN) and ENABLE(JIT). 
2375         2. Added assembler functions for overwriting an instruction with a breakpoint.
2376         3. Added a new JettisonDueToVMTraps jettison reason.
2377         4. Added CodeBlock and DFG::CommonData utility functions for over-writing
2378            invalidation points with breakpoint instructions.
2379         5. The BytecodeGenerator now emits the op_check_traps bytecode unconditionally.
2380         6. Remove the JSC_alwaysCheckTraps option because of (4) above.
2381            For ports that don't ENABLE(SIGNAL_BASED_VM_TRAPS), we'll force
2382            Options::usePollingTraps() to always be true.  This makes the VMTraps
2383            implementation fall back to using polling based traps only.
2384
2385         7. Make VMTraps support signal based traps.
2386
2387         Some design and implementation details of signal based VM traps:
2388
2389         - The implementation makes use of 2 signal handlers for SIGUSR1 and SIGTRAP.
2390
2391         - VMTraps::fireTrap() will set the flag for the requested trap and instantiate
2392           a SignalSender.  The SignalSender will send SIGUSR1 to the mutator thread that
2393           we want to trap, and check for the occurrence of one of the following events:
2394
2395           a. VMTraps::handleTraps() has been called for the requested trap, or
2396
2397           b. the VM is inactive and is no longer executing any JS code.  We determine
2398              this to be the case if the thread no longer owns the JSLock and the VM's
2399              entryScope is null.
2400
2401              Note: the thread can relinquish the JSLock while the VM's entryScope is not
2402              null.  This happens when the thread calls JSLock::dropAllLocks() before
2403              calling a host function that may block on IO (or whatever).  For our purpose,
2404              this counts as the VM still running JS code, and VM::fireTrap() will still
2405              be waiting.
2406
2407           If the SignalSender does not see either of these events, it will sleep for a
2408           while and then re-send SIGUSR1 and check for the events again.  When it sees
2409           one of these events, it will consider the mutator to have received the trap
2410           request.
2411
2412         - The SIGUSR1 handler will try to insert breakpoints at the invalidation points
2413           in the DFG/FTL codeBlock at the top of the stack.  This allows the mutator
2414           thread to break (with a SIGTRAP) exactly at an invalidation point, where it's
2415           safe to jettison the codeBlock.
2416
2417           Note: we cannot have the requester thread (that called VMTraps::fireTrap())
2418           insert the breakpoint instructions itself.  This is because we need the
2419           register state of the mutator thread (that we want to trap in) in order to
2420           find the codeBlocks that we wish to insert the breakpoints in.  Currently,
2421           we don't have a generic way for the requester thread to get the register state
2422           of another thread.
2423
2424         - The SIGTRAP handler will check to see if it is trapping on a breakpoint at an
2425           invalidation point.  If so, it will jettison the codeBlock and adjust the PC
2426           to re-execute the invalidation OSR exit off-ramp.  After the OSR exit, the
2427           baseline JIT code will eventually reach an op_check_traps and call
2428           VMTraps::handleTraps().
2429
2430           If the handler is not trapping at an invalidation point, then it must be
2431           observing an assertion failure (which also uses the breakpoint instruction).
2432           In this case, the handler will defer to the default SIGTRAP handler and crash.
2433
2434         - The reason we need the SignalSender is because SignalSender::send() is called
2435           from another thread in a loop, so that VMTraps::fireTrap() can return sooner.
2436           send() needs to make use of the VM pointer, and it is not guaranteed that the
2437           VM will outlive the thread.  SignalSender provides the mechanism by which we
2438           can nullify the VM pointer when the VM dies so that the thread does not
2439           continue to use it.
2440
2441         * assembler/ARM64Assembler.h:
2442         (JSC::ARM64Assembler::replaceWithBrk):
2443         * assembler/ARMAssembler.h:
2444         (JSC::ARMAssembler::replaceWithBrk):
2445         * assembler/ARMv7Assembler.h:
2446         (JSC::ARMv7Assembler::replaceWithBkpt):
2447         * assembler/MIPSAssembler.h:
2448         (JSC::MIPSAssembler::replaceWithBkpt):
2449         * assembler/MacroAssemblerARM.h:
2450         (JSC::MacroAssemblerARM::replaceWithJump):
2451         * assembler/MacroAssemblerARM64.h:
2452         (JSC::MacroAssemblerARM64::replaceWithBreakpoint):
2453         * assembler/MacroAssemblerARMv7.h:
2454         (JSC::MacroAssemblerARMv7::replaceWithBreakpoint):
2455         * assembler/MacroAssemblerMIPS.h:
2456         (JSC::MacroAssemblerMIPS::replaceWithJump):
2457         * assembler/MacroAssemblerX86Common.h:
2458         (JSC::MacroAssemblerX86Common::replaceWithBreakpoint):
2459         * assembler/X86Assembler.h:
2460         (JSC::X86Assembler::replaceWithInt3):
2461         * bytecode/CodeBlock.cpp:
2462         (JSC::CodeBlock::jettison):
2463         (JSC::CodeBlock::hasInstalledVMTrapBreakpoints):
2464         (JSC::CodeBlock::installVMTrapBreakpoints):
2465         * bytecode/CodeBlock.h:
2466         * bytecompiler/BytecodeGenerator.cpp:
2467         (JSC::BytecodeGenerator::emitCheckTraps):
2468         * dfg/DFGCommonData.cpp:
2469         (JSC::DFG::CommonData::installVMTrapBreakpoints):
2470         (JSC::DFG::CommonData::isVMTrapBreakpoint):
2471         * dfg/DFGCommonData.h:
2472         (JSC::DFG::CommonData::hasInstalledVMTrapsBreakpoints):
2473         * dfg/DFGJumpReplacement.cpp:
2474         (JSC::DFG::JumpReplacement::installVMTrapBreakpoint):
2475         * dfg/DFGJumpReplacement.h:
2476         (JSC::DFG::JumpReplacement::dataLocation):
2477         * dfg/DFGNodeType.h:
2478         * heap/CodeBlockSet.cpp:
2479         (JSC::CodeBlockSet::contains):
2480         * heap/CodeBlockSet.h:
2481         * heap/CodeBlockSetInlines.h:
2482         (JSC::CodeBlockSet::iterate):
2483         * heap/Heap.cpp:
2484         (JSC::Heap::forEachCodeBlockIgnoringJITPlansImpl):
2485         * heap/Heap.h:
2486         * heap/HeapInlines.h:
2487         (JSC::Heap::forEachCodeBlockIgnoringJITPlans):
2488         * heap/MachineStackMarker.h:
2489         (JSC::MachineThreads::threadsListHead):
2490         * jit/ExecutableAllocator.cpp:
2491         (JSC::ExecutableAllocator::isValidExecutableMemory):
2492         * jit/ExecutableAllocator.h:
2493         * profiler/ProfilerJettisonReason.cpp:
2494         (WTF::printInternal):
2495         * profiler/ProfilerJettisonReason.h:
2496         * runtime/JSLock.cpp:
2497         (JSC::JSLock::didAcquireLock):
2498         * runtime/Options.cpp:
2499         (JSC::overrideDefaults):
2500         * runtime/Options.h:
2501         * runtime/PlatformThread.h:
2502         (JSC::platformThreadSignal):
2503         * runtime/VM.cpp:
2504         (JSC::VM::~VM):
2505         (JSC::VM::ensureWatchdog):
2506         (JSC::VM::handleTraps): Deleted.
2507         (JSC::VM::setNeedAsynchronousTerminationSupport): Deleted.
2508         * runtime/VM.h:
2509         (JSC::VM::ownerThread):
2510         (JSC::VM::traps):
2511         (JSC::VM::handleTraps):
2512         (JSC::VM::needTrapHandling):
2513         (JSC::VM::needAsynchronousTerminationSupport): Deleted.
2514         * runtime/VMTraps.cpp:
2515         (JSC::VMTraps::vm):
2516         (JSC::SignalContext::SignalContext):
2517         (JSC::SignalContext::adjustPCToPointToTrappingInstruction):
2518         (JSC::vmIsInactive):
2519         (JSC::findActiveVMAndStackBounds):
2520         (JSC::handleSigusr1):
2521         (JSC::handleSigtrap):
2522         (JSC::installSignalHandlers):
2523         (JSC::sanitizedTopCallFrame):
2524         (JSC::isSaneFrame):
2525         (JSC::VMTraps::tryInstallTrapBreakpoints):
2526         (JSC::VMTraps::invalidateCodeBlocksOnStack):
2527         (JSC::VMTraps::VMTraps):
2528         (JSC::VMTraps::willDestroyVM):
2529         (JSC::VMTraps::addSignalSender):
2530         (JSC::VMTraps::removeSignalSender):
2531         (JSC::VMTraps::SignalSender::willDestroyVM):
2532         (JSC::VMTraps::SignalSender::send):
2533         (JSC::VMTraps::fireTrap):
2534         (JSC::VMTraps::handleTraps):
2535         * runtime/VMTraps.h:
2536         (JSC::VMTraps::~VMTraps):
2537         (JSC::VMTraps::needTrapHandling):
2538         (JSC::VMTraps::notifyGrabAllLocks):
2539         (JSC::VMTraps::SignalSender::SignalSender):
2540         (JSC::VMTraps::invalidateCodeBlocksOnStack):
2541         * tools/VMInspector.cpp:
2542         * tools/VMInspector.h:
2543         (JSC::VMInspector::getLock):
2544         (JSC::VMInspector::iterate):
2545
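The SignalSender lifetime pattern from the entry above, as an added example that is not JavaScriptCore code: a sender thread loops until the mutator has handled the trap, the VM has gone inactive (JSLock dropped and entryScope null), or the VM has died, and the VM's death nulls the pointer under a lock so the thread never dereferences a freed VM. `VM`, `SignalSender`, `fireTrap` and the scenario functions are reduced stand-ins for the example, and sending SIGUSR1 is replaced by a counter.

```cpp
// Added example, not JavaScriptCore code: a reduced model of the SignalSender
// lifetime pattern. VM, SignalSender and fireTrap are stand-ins; signalling
// SIGUSR1 is replaced by a counter.
#include <atomic>
#include <chrono>
#include <memory>
#include <mutex>
#include <thread>

// Just enough VM state to decide whether the mutator has seen the trap.
struct VM {
    std::atomic<bool> trapHandled { false };  // set once handleTraps() runs (modelled)
    std::atomic<bool> ownsJSLock { true };    // the mutator thread holds the JSLock
    std::atomic<bool> hasEntryScope { true }; // the VM's entryScope is non-null

    // Inactive means the lock is dropped AND there is no entry scope. Dropping the
    // lock alone (dropAllLocks() around a blocking host call) still counts as running JS.
    bool isInactive() const { return !ownsJSLock.load() && !hasEntryScope.load(); }
};

class SignalSender {
public:
    explicit SignalSender(VM* vm) : m_vm(vm) { }

    // Called when the VM dies, so the sender thread never touches a dead VM.
    void willDestroyVM()
    {
        std::lock_guard<std::mutex> locker(m_lock);
        m_vm = nullptr;
    }

    // One round of the sender loop: true while the sender should keep signalling,
    // false once the trap was handled, the VM went inactive, or the VM died.
    bool send()
    {
        std::lock_guard<std::mutex> locker(m_lock);
        if (!m_vm)
            return false; // VM is gone: stop without dereferencing it
        ++m_signalsSent;  // stands in for delivering SIGUSR1 to the mutator thread
        return !m_vm->trapHandled.load() && !m_vm->isInactive();
    }

    unsigned signalsSent()
    {
        std::lock_guard<std::mutex> locker(m_lock);
        return m_signalsSent;
    }

private:
    std::mutex m_lock;
    VM* m_vm;
    unsigned m_signalsSent { 0 };
};

// fireTrap returns as soon as the sender thread is started; the retry loop runs there.
std::shared_ptr<SignalSender> fireTrap(VM& vm, std::thread& senderThread)
{
    auto sender = std::make_shared<SignalSender>(&vm);
    senderThread = std::thread([sender] {
        while (sender->send())
            std::this_thread::sleep_for(std::chrono::milliseconds(1));
    });
    return sender;
}

// Scenario 1 (run synchronously): the mutator handles the trap after the second signal.
unsigned signalsUntilHandled()
{
    VM vm;
    SignalSender sender(&vm);
    unsigned rounds = 0;
    while (sender.send()) {
        if (++rounds == 2)
            vm.trapHandled = true; // mutator reached op_check_traps and handleTraps()
    }
    return sender.signalsSent(); // two unanswered signals plus the one that sees the flag
}

// Scenario 2 (run synchronously): the VM dies while the trap is still pending.
// After willDestroyVM() the sender must stop without using the freed VM.
bool senderStopsAfterVMDies()
{
    std::unique_ptr<VM> vm(new VM);
    SignalSender sender(vm.get());
    bool keptGoing = sender.send(); // VM alive, trap pending
    sender.willDestroyVM();         // what the VM's destructor would do
    vm.reset();                     // VM memory is gone
    bool stopped = !sender.send();  // must not touch *vm
    return keptGoing && stopped;
}

// Scenario 3 (run synchronously): a dropped JSLock alone is not inactivity.
bool droppedLockAloneKeepsWaiting()
{
    VM vm;
    SignalSender sender(&vm);
    vm.ownsJSLock = false;             // dropAllLocks() before a blocking host call
    bool stillWaiting = sender.send(); // entryScope is non-null: still running JS
    vm.hasEntryScope = false;          // the VM really left JS
    return stillWaiting && !sender.send();
}
```

The lock in `SignalSender` is what makes the pattern safe: `willDestroyVM()` and `send()` serialize on it, so the sender thread either sees the live VM for the whole round or sees null and stops. A stand-alone run would call `fireTrap`, set `trapHandled` from the main thread, and join the sender thread.
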
2546 2017-03-09  Filip Pizlo  <fpizlo@apple.com>
2547
2548         WebKit: JSC: JSObject::ensureLength doesn't check if ensureLengthSlow failed
2549         https://bugs.webkit.org/show_bug.cgi?id=169215
2550
2551         Reviewed by Mark Lam.
2552         
2553         This doesn't have a test because it would be a very complicated test.
2554
2555         * runtime/JSObject.h:
2556         (JSC::JSObject::ensureLength): If ensureLengthSlow returns false, we need to return false.
2557
2558 2017-03-07  Filip Pizlo  <fpizlo@apple.com>
2559
2560         WTF should make it super easy to do ARM concurrency tricks
2561         https://bugs.webkit.org/show_bug.cgi?id=169300
2562
2563         Reviewed by Mark Lam.
2564         
2565         This changes a bunch of GC hot paths to use new concurrency APIs that lead to optimal
2566         code on both x86 (fully leverage TSO, transactions become CAS loops) and ARM (use
2567         dependency chains for fencing, transactions become LL/SC loops). While inspecting the
2568         machine code, I found other opportunities for improvement, like inlining the "am I
2569         marked" part of the marking functions.
2570
2571         * heap/Heap.cpp:
2572         (JSC::Heap::setGCDidJIT):
2573         * heap/HeapInlines.h:
2574         (JSC::Heap::testAndSetMarked):
2575         * heap/LargeAllocation.h:
2576         (JSC::LargeAllocation::isMarked):
2577         (JSC::LargeAllocation::isMarkedConcurrently):
2578         (JSC::LargeAllocation::aboutToMark):
2579         (JSC::LargeAllocation::testAndSetMarked):
2580         * heap/MarkedBlock.h:
2581         (JSC::MarkedBlock::areMarksStaleWithDependency):
2582         (JSC::MarkedBlock::aboutToMark):
2583         (JSC::MarkedBlock::isMarkedConcurrently):
2584         (JSC::MarkedBlock::isMarked):
2585         (JSC::MarkedBlock::testAndSetMarked):
2586         * heap/SlotVisitor.cpp:
2587         (JSC::SlotVisitor::appendSlow):
2588         (JSC::SlotVisitor::appendHiddenSlow):
2589         (JSC::SlotVisitor::appendHiddenSlowImpl):
2590         (JSC::SlotVisitor::setMarkedAndAppendToMarkStack):
2591         (JSC::SlotVisitor::appendUnbarriered): Deleted.
2592         (JSC::SlotVisitor::appendHidden): Deleted.
2593         * heap/SlotVisitor.h:
2594         * heap/SlotVisitorInlines.h:
2595         (JSC::SlotVisitor::appendUnbarriered):
2596         (JSC::SlotVisitor::appendHidden):
2597         (JSC::SlotVisitor::append):
2598         (JSC::SlotVisitor::appendValues):
2599         (JSC::SlotVisitor::appendValuesHidden):
2600         * runtime/CustomGetterSetter.cpp:
2601         * runtime/JSObject.cpp:
2602         (JSC::JSObject::visitButterflyImpl):
2603         * runtime/JSObject.h:
2604
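The "test and set marked" shape the entry above describes, as an added example that is not JavaScriptCore code: a mark bitmap whose `testAndSetMarked` first reads the bit (the inlined "am I marked" check) and only then enters a compare-and-swap loop, which compiles to a CAS loop on x86 and an LL/SC loop on ARM. `MarkBitmap` and the demo functions are names assumed for the example.

```cpp
// Added example, not JavaScriptCore code: a mark bitmap with a CAS-loop
// testAndSetMarked. One bit per cell, packed into 32-bit atomic words.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <thread>
#include <vector>

class MarkBitmap {
public:
    explicit MarkBitmap(size_t cellCount) : m_words((cellCount + 31) / 32) { }

    bool isMarked(size_t cell) const
    {
        return (m_words[cell / 32].load(std::memory_order_relaxed) >> (cell % 32)) & 1u;
    }

    // Returns true if the cell was already marked (another visitor got there first),
    // false if this call marked it. Of any number of concurrent callers, exactly one gets false.
    bool testAndSetMarked(size_t cell)
    {
        std::atomic<uint32_t>& word = m_words[cell / 32];
        const uint32_t mask = 1u << (cell % 32);
        uint32_t oldValue = word.load(std::memory_order_relaxed);
        do {
            if (oldValue & mask)
                return true; // fast path: already marked, no write needed
            // compare_exchange_weak reloads oldValue on failure, so a concurrent mark
            // of another bit in the same word just makes this iteration retry.
        } while (!word.compare_exchange_weak(oldValue, oldValue | mask,
                                             std::memory_order_acq_rel,
                                             std::memory_order_relaxed));
        return false;
    }

    size_t markedCount() const
    {
        size_t count = 0;
        for (const auto& word : m_words) {
            for (uint32_t value = word.load(std::memory_order_relaxed); value; value &= value - 1)
                ++count;
        }
        return count;
    }

private:
    std::vector<std::atomic<uint32_t>> m_words;
};

// Sequential semantics: first caller marks, second sees it marked, neighbours untouched.
bool sequentialMarkSemantics()
{
    MarkBitmap bitmap(100);
    bool firstWasMarked = bitmap.testAndSetMarked(37);  // false: this call marked it
    bool secondWasMarked = bitmap.testAndSetMarked(37); // true: already marked
    return !firstWasMarked && secondWasMarked && bitmap.isMarked(37)
        && !bitmap.isMarked(36) && !bitmap.isMarked(38) && bitmap.markedCount() == 1;
}

// Marks cells [first, last) and returns how many were newly marked, or 0 if the
// bitmap's own count disagrees (the range is chosen to cross word boundaries).
size_t markRange(size_t cellCount, size_t first, size_t last)
{
    MarkBitmap bitmap(cellCount);
    size_t newlyMarked = 0;
    for (size_t cell = first; cell < last; ++cell) {
        if (!bitmap.testAndSetMarked(cell))
            ++newlyMarked;
    }
    return newlyMarked == bitmap.markedCount() ? newlyMarked : 0;
}

// Stand-alone demo: threads race to mark the same cell; returns the number of winners.
unsigned raceToMark(size_t cell, unsigned threadCount)
{
    MarkBitmap bitmap(64);
    std::atomic<unsigned> winners { 0 };
    std::vector<std::thread> threads;
    for (unsigned i = 0; i < threadCount; ++i) {
        threads.emplace_back([&] {
            if (!bitmap.testAndSetMarked(cell))
                ++winners;
        });
    }
    for (auto& thread : threads)
        thread.join();
    return winners.load();
}

int main()
{
    return raceToMark(7, 8) == 1 ? 0 : 1; // exactly one thread wins the mark
}
```

The early `return true` before the CAS is the point of the rewrite: a cell that is already marked costs one relaxed load and no store, so repeated visits of shared objects do not contend on the cache line.
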
2605 2017-03-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2606
2607         [GTK] JSC test stress/arity-check-ftl-throw.js.ftl-no-cjit-validate-sampling-profiler crashing on GTK bot
2608         https://bugs.webkit.org/show_bug.cgi?id=160124
2609
2610         Reviewed by Mark Lam.
2611
2612         When performing CallVarargs, we will copy values to the stack.
2613         Before actually copying values, we need to adjust the stackPointerRegister
2614         to ensure copied values are in the allocated stack area.
2615         If we do not do that, the OS can break the values that are stored beyond the stack
2616         pointer. For example, a signal stack can be constructed in this area and
2617         break the values.
2618
2619         This patch fixes the crash in stress/spread-forward-call-varargs-stack-overflow.js
2620         in the Linux port. Since Linux ports use signals to suspend and resume threads,
2621         the signal handler is frequently called when the sampling profiler is enabled. Thus this
2622         crash occurs.
2623
2624         * dfg/DFGSpeculativeJIT32_64.cpp:
2625         (JSC::DFG::SpeculativeJIT::emitCall):
2626         * dfg/DFGSpeculativeJIT64.cpp:
2627         (JSC::DFG::SpeculativeJIT::emitCall):
2628         * ftl/FTLLowerDFGToB3.cpp:
2629         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
2630         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
2631         * jit/SetupVarargsFrame.cpp:
2632         (JSC::emitSetupVarargsFrameFastCase):
2633         * jit/SetupVarargsFrame.h:
2634
2635 2017-03-08  Joseph Pecoraro  <pecoraro@apple.com>
2636
2637         Web Inspector: Should be able to see where Resources came from (Memory Cache, Disk Cache)
2638         https://bugs.webkit.org/show_bug.cgi?id=164892
2639         <rdar://problem/29320562>
2640
2641         Reviewed by Brian Burg.
2642
2643         * inspector/protocol/Network.json:
2644         Replace "fromDiskCache" property with "source" property which includes
2645         more complete information about the source of this response (network,
2646         memory cache, disk cache, or unknown).
2647
2648         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
2649         (_generate_class_for_object_declaration):
2650         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
2651         (CppProtocolTypesImplementationGenerator._generate_open_field_names):
2652         * inspector/scripts/codegen/generator.py:
2653         (Generator):
2654         (Generator.open_fields):
2655         To avoid conflicts between the Inspector::Protocol::Network::Response::Source
2656         enum and open accessor string symbol that would have the same name, only generate
2657         a specific list of open accessor strings. This reduces the list of exported
2658         symbols from all properties to just the ones that are needed. This can be
2659         cleaned up later if needed.
2660
2661         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result: Added.
2662         * inspector/scripts/tests/generic/type-with-open-parameters.json: Added.
2663         Test for open accessors generation.
2664
2665 2017-03-08  Keith Miller  <keith_miller@apple.com>
2666
2667         WebAssembly: Make OOB for fast memory do an extra safety check by ensuring the faulting address is in the range we allocated for fast memory
2668         https://bugs.webkit.org/show_bug.cgi?id=169290
2669
2670         Reviewed by Saam Barati.
2671
2672         This patch adds an extra sanity check by ensuring that the memory address we are faulting on while trying to load is in range
2673         of some wasm fast memory.
2674
2675         * wasm/WasmFaultSignalHandler.cpp:
2676         (JSC::Wasm::trapHandler):
2677         (JSC::Wasm::enableFastMemory):
2678         * wasm/WasmMemory.cpp:
2679         (JSC::Wasm::activeFastMemories):
2680         (JSC::Wasm::viewActiveFastMemories):
2681         (JSC::Wasm::tryGetFastMemory):
2682         (JSC::Wasm::releaseFastMemory):
2683         * wasm/WasmMemory.h:
2684
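The range check the entry above adds, as an added example that is not JavaScriptCore code: a registry of active fast memories and a fault handler decision that only treats a fault as a wasm out-of-bounds trap when the faulting address lies inside one of them. The example goes a step beyond the entry by also distinguishing the mapped bytes from the guard region that follows them, since a fault inside the accessible bytes cannot be a bounds-check trap either. `FastMemory`, `FastMemoryRegistry`, `FaultKind`, the sample constants and the sample base address are assumptions for the example, and the check runs from ordinary code here rather than from a signal handler.

```cpp
// Added example, not JavaScriptCore code: a registry of active wasm fast memories
// and the range check a fault handler can make before treating a fault as a wasm
// out-of-bounds access. Names and the accessible/guard split are assumptions.
#include <cstddef>
#include <cstdint>
#include <mutex>
#include <vector>

struct FastMemory {
    uintptr_t base;        // start of the reservation
    size_t accessibleSize; // bytes currently mapped for the wasm memory
    size_t reservedSize;   // accessible bytes plus the inaccessible guard region after them
};

enum class FaultKind {
    NotFastMemory,    // no active fast memory contains the address: not ours, let the default handler crash
    InsideAccessible, // inside mapped wasm bytes: cannot be a bounds-check trap
    OutOfBounds       // inside a guard region: a genuine wasm OOB access, raise the trap
};

class FastMemoryRegistry {
public:
    void activate(const FastMemory& memory)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        m_active.push_back(memory);
    }

    void release(uintptr_t base)
    {
        std::lock_guard<std::mutex> locker(m_lock);
        for (size_t i = 0; i < m_active.size(); ++i) {
            if (m_active[i].base == base) {
                m_active.erase(m_active.begin() + i);
                return;
            }
        }
    }

    // Offsets are computed by subtraction so that base + reservedSize can never overflow.
    FaultKind classify(uintptr_t faultingAddress) const
    {
        std::lock_guard<std::mutex> locker(m_lock);
        for (const FastMemory& memory : m_active) {
            if (faultingAddress < memory.base)
                continue;
            uintptr_t offset = faultingAddress - memory.base;
            if (offset >= memory.reservedSize)
                continue;
            return offset < memory.accessibleSize ? FaultKind::InsideAccessible : FaultKind::OutOfBounds;
        }
        return FaultKind::NotFastMemory;
    }

private:
    mutable std::mutex m_lock;
    std::vector<FastMemory> m_active;
};

// The decision a trap handler makes: only a fault in a guard region is a wasm OOB
// trap; everything else is left to the default handler.
bool shouldHandleAsWasmTrap(const FastMemoryRegistry& registry, uintptr_t faultingAddress)
{
    return registry.classify(faultingAddress) == FaultKind::OutOfBounds;
}

// Constructed sample: one fast memory at a made-up base (never dereferenced) with
// 64 KiB accessible inside a 1 MiB reservation; tiny numbers chosen for the demo.
const uintptr_t kSampleBase = 0x10000000;
const size_t kSampleAccessible = 64 * 1024;
const size_t kSampleReserved = 1024 * 1024;

FaultKind classifySample(uintptr_t faultingAddress)
{
    FastMemoryRegistry registry;
    registry.activate({ kSampleBase, kSampleAccessible, kSampleReserved });
    return registry.classify(faultingAddress);
}

bool sampleShouldTrap(uintptr_t faultingAddress)
{
    FastMemoryRegistry registry;
    registry.activate({ kSampleBase, kSampleAccessible, kSampleReserved });
    return shouldHandleAsWasmTrap(registry, faultingAddress);
}

// Once a fast memory is released, a fault in its old range must no longer be swallowed.
bool releasedRangeIsNotTrapped()
{
    FastMemoryRegistry registry;
    registry.activate({ kSampleBase, kSampleAccessible, kSampleReserved });
    registry.release(kSampleBase);
    return registry.classify(kSampleBase + kSampleAccessible) == FaultKind::NotFastMemory;
}
```

Without the registry check, any fault at all would be reported as a wasm trap and a real memory-safety bug elsewhere in the process would be turned into a catchable JS exception; with it, only faults inside a live reservation's guard region are handled and everything else still crashes.
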
2685 2017-03-07  Dean Jackson  <dino@apple.com>
2686
2687         Some platforms won't be able to create a GPUDevice
2688         https://bugs.webkit.org/show_bug.cgi?id=169314
2689         <rdar://problems/30907521>
2690
2691         Reviewed by Jon Lee.
2692
2693         Disable WEB_GPU on the iOS Simulator.
2694
2695         * Configurations/FeatureDefines.xcconfig:
2696
2697 2017-03-06  Saam Barati  <sbarati@apple.com>
2698
2699         WebAssembly: Implement the WebAssembly.instantiate API
2700         https://bugs.webkit.org/show_bug.cgi?id=165982
2701         <rdar://problem/29760110>
2702
2703         Reviewed by Keith Miller.
2704
2705         This patch is a straight forward implementation of the WebAssembly.instantiate
2706         API: https://github.com/WebAssembly/design/blob/master/JS.md#webassemblyinstantiate
2707         
2708         I implemented the API in a synchronous manner. We should make it
2709         asynchronous: https://bugs.webkit.org/show_bug.cgi?id=169187
2710
2711         * wasm/JSWebAssembly.cpp:
2712         (JSC::webAssemblyCompileFunc):
2713         (JSC::webAssemblyInstantiateFunc):
2714         (JSC::JSWebAssembly::finishCreation):
2715         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2716         (JSC::constructJSWebAssemblyInstance):
2717         (JSC::WebAssemblyInstanceConstructor::createInstance):
2718         * wasm/js/WebAssemblyInstanceConstructor.h:
2719         * wasm/js/WebAssemblyModuleConstructor.cpp:
2720         (JSC::constructJSWebAssemblyModule):
2721         (JSC::WebAssemblyModuleConstructor::createModule):
2722         * wasm/js/WebAssemblyModuleConstructor.h:
2723
2724 2017-03-06  Michael Saboff  <msaboff@apple.com>
2725
2726         Take advantage of fast permissions switching of JIT memory for devices that support it
2727         https://bugs.webkit.org/show_bug.cgi?id=169155
2728
2729         Reviewed by Saam Barati.
2730
2731         Start using the os_thread_self_restrict_rwx_to_XX() SPIs when available to
2732         control access to JIT memory.
2733
2734         Had to update the Xcode config files to handle various build variations of
2735         public and internal SDKs.
2736
2737         * Configurations/Base.xcconfig:
2738         * Configurations/FeatureDefines.xcconfig:
2739         * jit/ExecutableAllocator.cpp:
2740         (JSC::FixedVMPoolExecutableAllocator::FixedVMPoolExecutableAllocator):
2741         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2742         * jit/ExecutableAllocator.h:
2743         (JSC::performJITMemcpy):
2744
2745 2017-03-06  Csaba Osztrogonác  <ossy@webkit.org>
2746
2747         REGRESSION(r212778): It made 400 tests crash on AArch64 Linux
2748         https://bugs.webkit.org/show_bug.cgi?id=168502
2749
2750         Reviewed by Filip Pizlo.
2751
2752         * heap/RegisterState.h: Use setjmp code path on AArch64 Linux too to fix crashes.
2753
2754 2017-03-06  Caio Lima  <ticaiolima@gmail.com>
2755
2756         op_get_by_id_with_this should use inline caching
2757         https://bugs.webkit.org/show_bug.cgi?id=162124
2758
2759         Reviewed by Saam Barati.
2760
2761         This patch is enabling inline cache for op_get_by_id_with_this in all
2762         tiers. It means that operations using ```super.member``` are going to
2763         be able to be optimized by PIC. To enable it, we introduced a new
2764         member of StructureStubInfo.patch named thisGPR, created a new class
2765         to manage the IC named JITGetByIdWithThisGenerator and changed
2766         PolymorphicAccess.regenerate to use StructureStubInfo.patch.thisGPR
2767         to decide the correct this value on inline caches.
2768         With inline caches enabled, ```super.member``` is ~4.5x faster,
2769         according to microbenchmarks.
2770
2771         * bytecode/AccessCase.cpp:
2772         (JSC::AccessCase::generateImpl):
2773         * bytecode/PolymorphicAccess.cpp:
2774         (JSC::PolymorphicAccess::regenerate):
2775         * bytecode/PolymorphicAccess.h:
2776         * bytecode/StructureStubInfo.cpp:
2777         (JSC::StructureStubInfo::reset):
2778         * bytecode/StructureStubInfo.h:
2779         * dfg/DFGFixupPhase.cpp:
2780         (JSC::DFG::FixupPhase::fixupNode):
2781         * dfg/DFGJITCompiler.cpp:
2782         (JSC::DFG::JITCompiler::link):
2783         * dfg/DFGJITCompiler.h:
2784         (JSC::DFG::JITCompiler::addGetByIdWithThis):
2785         * dfg/DFGSpeculativeJIT.cpp:
2786         (JSC::DFG::SpeculativeJIT::compileIn):
2787         * dfg/DFGSpeculativeJIT.h:
2788         (JSC::DFG::SpeculativeJIT::callOperation):
2789         * dfg/DFGSpeculativeJIT32_64.cpp:
2790         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2791         (JSC::DFG::SpeculativeJIT::compile):
2792         * dfg/DFGSpeculativeJIT64.cpp:
2793         (JSC::DFG::SpeculativeJIT::cachedGetByIdWithThis):
2794         (JSC::DFG::SpeculativeJIT::compile):
2795         * ftl/FTLLowerDFGToB3.cpp:
2796         (JSC::FTL::DFG::LowerDFGToB3::compileGetByIdWithThis):
2797         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
2798         (JSC::FTL::DFG::LowerDFGToB3::getByIdWithThis):
2799         * jit/CCallHelpers.h:
2800         (JSC::CCallHelpers::setupArgumentsWithExecState):
2801         * jit/ICStats.h:
2802         * jit/JIT.cpp:
2803         (JSC::JIT::JIT):
2804         (JSC::JIT::privateCompileSlowCases):
2805         (JSC::JIT::link):
2806         * jit/JIT.h:
2807         * jit/JITInlineCacheGenerator.cpp:
2808         (JSC::JITByIdGenerator::JITByIdGenerator):
2809         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
2810         (JSC::JITGetByIdWithThisGenerator::generateFastPath):
2811         * jit/JITInlineCacheGenerator.h:
2812         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
2813         * jit/JITInlines.h:
2814         (JSC::JIT::callOperation):
2815         * jit/JITOperations.cpp:
2816         * jit/JITOperations.h:
2817         * jit/JITPropertyAccess.cpp:
2818         (JSC::JIT::emit_op_get_by_id_with_this):
2819         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2820         * jit/JITPropertyAccess32_64.cpp:
2821         (JSC::JIT::emit_op_get_by_id_with_this):
2822         (JSC::JIT::emitSlow_op_get_by_id_with_this):
2823         * jit/Repatch.cpp:
2824         (JSC::appropriateOptimizingGetByIdFunction):
2825         (JSC::appropriateGenericGetByIdFunction):
2826         (JSC::tryCacheGetByID):
2827         * jit/Repatch.h:
2828         * jsc.cpp:
2829         (WTF::CustomGetter::getOwnPropertySlot):
2830         (WTF::CustomGetter::customGetterAcessor):
2831
2832 2017-03-06  Saam Barati  <sbarati@apple.com>
2833
2834         WebAssembly: implement init_expr for Element
2835         https://bugs.webkit.org/show_bug.cgi?id=165888
2836         <rdar://problem/29760199>
2837
2838         Reviewed by Keith Miller.
2839
2840         This patch fixes a few bugs. The main change is allowing init_expr
2841         for the Element's offset. To do this, I had to fix a couple of
2842         other bugs:
2843         
2844         - I removed our invalid early module-parse-time invalidation
2845         of out of bound Element sections. This is not in the spec because
2846         it can't be validated in the general case when the offset is a
2847         get_global.
2848         
2849         - Our get_global validation inside our init_expr parsing code was simply wrong.
2850         It thought that the index operand to get_global went into the pool of imports,
2851         but it does not. It indexes into the pool of globals. I changed the code to
2852         refer to the global pool instead.
2853
2854         * wasm/WasmFormat.h:
2855         (JSC::Wasm::Element::Element):
2856         * wasm/WasmModuleParser.cpp:
2857         * wasm/js/WebAssemblyModuleRecord.cpp:
2858         (JSC::WebAssemblyModuleRecord::evaluate):
2859
2860 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2861
2862         [JSC] Allow indexed module namespace object fields
2863         https://bugs.webkit.org/show_bug.cgi?id=168870
2864
2865         Reviewed by Saam Barati.
2866
2867         While JS modules cannot expose any indexed bindings,
2868         Wasm modules can expose them. However, module namespace
2869         object currently does not support indexed properties.
2870         This patch allows module namespace objects to offer
2871         indexed binding accesses.
2872
2873         * runtime/JSModuleNamespaceObject.cpp:
2874         (JSC::JSModuleNamespaceObject::getOwnPropertySlotCommon):
2875         (JSC::JSModuleNamespaceObject::getOwnPropertySlot):
2876         (JSC::JSModuleNamespaceObject::getOwnPropertySlotByIndex):
2877         * runtime/JSModuleNamespaceObject.h:
2878
2879 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2880
2881         Null pointer crash when loading module with unresolved import also as a script file
2882         https://bugs.webkit.org/show_bug.cgi?id=168971
2883
2884         Reviewed by Saam Barati.
2885
2886         If linking throws an error, this error should be re-thrown
2887         when requesting the same module.
2888
2889         * builtins/ModuleLoaderPrototype.js:
2890         (globalPrivate.newRegistryEntry):
2891         * runtime/JSModuleRecord.cpp:
2892         (JSC::JSModuleRecord::link):
2893
2894 2017-03-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2895
2896         [GTK][JSCOnly] Enable WebAssembly on Linux environment
2897         https://bugs.webkit.org/show_bug.cgi?id=164032
2898
2899         Reviewed by Michael Catanzaro.
2900
2901         This patch enables WebAssembly on JSCOnly and GTK ports.
2902         Basically, almost all the WASM code is portable to Linux.
2903         One platform-dependent part is the faster memory load using a SIGBUS
2904         signal handler. This patch ports this part to Linux.
2905
2906         * CMakeLists.txt:
2907         * llint/LLIntSlowPaths.cpp:
2908         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
2909         * wasm/WasmFaultSignalHandler.cpp:
2910         (JSC::Wasm::trapHandler):
2911         (JSC::Wasm::enableFastMemory):
2912
2913 2017-03-06  Daniel Ehrenberg  <littledan@igalia.com>
2914
2915         Currency digits calculation in Intl.NumberFormat should call out to ICU
2916         https://bugs.webkit.org/show_bug.cgi?id=169182
2917
2918         Reviewed by Yusuke Suzuki.
2919
2920         * runtime/IntlNumberFormat.cpp:
2921         (JSC::computeCurrencyDigits):
2922         (JSC::computeCurrencySortKey): Deleted.
2923         (JSC::extractCurrencySortKey): Deleted.
2924
2925 2017-03-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2926
2927         [JSCOnly][GTK] Suppress warnings on return type in B3 and WASM
2928         https://bugs.webkit.org/show_bug.cgi?id=168869
2929
2930         Reviewed by Keith Miller.
2931
2932         * b3/B3Width.h:
2933         * wasm/WasmSections.h:
2934
2935 2017-03-04  Csaba Osztrogonác  <ossy@webkit.org>
2936
2937         [ARM] Unreviewed buildfix after r213376.
2938
2939         * assembler/ARMAssembler.h:
2940         (JSC::ARMAssembler::isBkpt): Typo fixed.
2941
2942 2017-03-03  Carlos Alberto Lopez Perez  <clopez@igalia.com>
2943
2944         [JSC] build fix after r213399
2945         https://bugs.webkit.org/show_bug.cgi?id=169154
2946
2947         Unreviewed.
2948
2949         * runtime/ConfigFile.cpp: Include unistd.h since it's where getcwd() is defined.
2950
2951 2017-03-03  Dean Jackson  <dino@apple.com>
2952
2953         Add WebGPU compile flag and experimental feature flag
2954         https://bugs.webkit.org/show_bug.cgi?id=169161
2955         <rdar://problem/30846689>
2956
2957         Reviewed by Tim Horton.
2958
2959         Add ENABLE_WEBGPU, an experimental feature flag, a RuntimeEnabledFeature,
2960         and an InternalSetting.
2961
2962         * Configurations/FeatureDefines.xcconfig:
2963
2964 2017-03-03  Michael Saboff  <msaboff@apple.com>
2965
2966         Add support for relative pathnames to JSC config files
2967         https://bugs.webkit.org/show_bug.cgi?id=169154
2968
2969         Reviewed by Saam Barati.
2970
2971         If the config file is a relative path, prepend the current working directory.
2972         After canonicalizing the config file path, we extract its directory path and
2973         use that for the directory for a relative log pathname.
2974
2975         * runtime/ConfigFile.cpp:
2976         (JSC::ConfigFile::ConfigFile):
2977         (JSC::ConfigFile::parse):
2978         (JSC::ConfigFile::canonicalizePaths):
2979         * runtime/ConfigFile.h:
2980
2981 2017-03-03  Michael Saboff  <msaboff@apple.com>
2982
2983         Add load / store exclusive instruction group to ARM64 disassembler
2984         https://bugs.webkit.org/show_bug.cgi?id=169152
2985
2986         Reviewed by Filip Pizlo.
2987
2988         * disassembler/ARM64/A64DOpcode.cpp:
2989         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::format):
2990         * disassembler/ARM64/A64DOpcode.h:
2991         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::opName):
2992         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::rs):
2993         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::rt2):
2994         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o0):
2995         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o1):
2996         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::o2):
2997         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::loadBit):
2998         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::opNumber):
2999         (JSC::ARM64Disassembler::A64DOpcodeLoadStoreExclusive::isPairOp):
3000
3001 2017-03-03  Keith Miller  <keith_miller@apple.com>
3002
3003         WASM should support faster loads.
3004         https://bugs.webkit.org/show_bug.cgi?id=162693
3005
3006         Reviewed by Saam Barati.
3007
3008         This patch adds support for WebAssembly using a 32-bit address
3009         space for memory (along with some extra space for offset
3010         overflow). With a 32-bit address space (we call them
3011         Signaling/fast memories), we reserve the virtual address space for
3012         2^32 + offset bytes of memory and only mark the usable section as
3013         read/write. If wasm code would read/write out of bounds we use a
3014         custom signal handler to catch the SIGBUS. The signal handler then
3015         checks if the faulting instruction is wasm code and tells the
3016         thread to resume executing from the wasm exception
3017         handler. Otherwise, the signal handler crashes the process, as
3018         usual.
3019
3020         All of the allocations of these memories are managed by the
3021         Wasm::Memory class. In order to avoid TLB churn in the OS we cache
3022         old Signaling memories that are no longer in use. Since getting
3023         the wrong memory can cause recompiles, we try to reserve a memory
3024         for modules that do not import a memory. If a module does import a
3025         memory, we try to guess the type of memory we are going to get
3026         based on the last one allocated.
3027
3028         This patch also changes how the wasm JS-api manages objects. Since
3029         we can compile different versions of code, this patch adds a new
3030         JSWebAssemblyCodeBlock class that holds all the information
3031         specific to running a module in a particular bounds checking
3032         mode. Additionally, the Wasm::Memory object is now a reference
3033         counted class that is shared between the JSWebAssemblyMemory
3034         object and the ArrayBuffer that also views it.
3035
3036         * JavaScriptCore.xcodeproj/project.pbxproj:
3037         * jit/JITThunks.cpp:
3038         (JSC::JITThunks::existingCTIStub):
3039         * jit/JITThunks.h:
3040         * jsc.cpp:
3041         (jscmain):
3042         * runtime/Options.h:
3043         * runtime/VM.cpp:
3044         (JSC::VM::VM):
3045         * runtime/VM.h:
3046         * wasm/JSWebAssemblyCodeBlock.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyModule.h.
3047         (JSC::JSWebAssemblyCodeBlock::create):
3048         (JSC::JSWebAssemblyCodeBlock::createStructure):
3049         (JSC::JSWebAssemblyCodeBlock::functionImportCount):
3050         (JSC::JSWebAssemblyCodeBlock::mode):
3051         (JSC::JSWebAssemblyCodeBlock::module):
3052         (JSC::JSWebAssemblyCodeBlock::jsEntrypointCalleeFromFunctionIndexSpace):
3053         (JSC::JSWebAssemblyCodeBlock::wasmEntrypointCalleeFromFunctionIndexSpace):
3054         (JSC::JSWebAssemblyCodeBlock::setJSEntrypointCallee):
3055         (JSC::JSWebAssemblyCodeBlock::setWasmEntrypointCallee):
3056         (JSC::JSWebAssemblyCodeBlock::callees):
3057         (JSC::JSWebAssemblyCodeBlock::offsetOfCallees):
3058         (JSC::JSWebAssemblyCodeBlock::allocationSize):
3059         * wasm/WasmB3IRGenerator.cpp:
3060         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3061         (JSC::Wasm::getMemoryBaseAndSize):
3062         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
3063         (JSC::Wasm::B3IRGenerator::emitLoadOp):
3064         (JSC::Wasm::B3IRGenerator::emitStoreOp):
3065         * wasm/WasmCallingConvention.h:
3066         * wasm/WasmFaultSignalHandler.cpp: Added.
3067         (JSC::Wasm::trapHandler):
3068         (JSC::Wasm::registerCode):
3069         (JSC::Wasm::unregisterCode):
3070         (JSC::Wasm::fastMemoryEnabled):
3071         (JSC::Wasm::enableFastMemory):
3072         * wasm/WasmFaultSignalHandler.h: Copied from Source/JavaScriptCore/wasm/js/JSWebAssemblyCallee.cpp.
3073         * wasm/WasmFormat.h:
3074         (JSC::Wasm::ModuleInformation::importFunctionCount):
3075         (JSC::Wasm::ModuleInformation::hasMemory): Deleted.
3076         * wasm/WasmMemory.cpp:
3077         (JSC::Wasm::mmapBytes):
3078         (JSC::Wasm::Memory::lastAllocatedMode):
3079         (JSC::Wasm::availableFastMemories):
3080         (JSC::Wasm::tryGetFastMemory):
3081         (JSC::Wasm::releaseFastMemory):
3082         (JSC::Wasm::Memory::Memory):
3083         (JSC::Wasm::Memory::createImpl):
3084         (JSC::Wasm::Memory::create):
3085         (JSC::Wasm::Memory::~Memory):
3086         (JSC::Wasm::Memory::grow):
3087         (JSC::Wasm::Memory::dump):
3088         (JSC::Wasm::Memory::makeString):
3089         * wasm/WasmMemory.h:
3090         (JSC::Wasm::Memory::operator bool):
3091         (JSC::Wasm::Memory::size):
3092         (JSC::Wasm::Memory::check):
3093         (JSC::Wasm::Memory::Memory): Deleted.
3094         (JSC::Wasm::Memory::offsetOfMemory): Deleted.
3095         (JSC::Wasm::Memory::offsetOfSize): Deleted.
3096         * wasm/WasmMemoryInformation.cpp:
3097         (JSC::Wasm::MemoryInformation::MemoryInformation):
3098         * wasm/WasmMemoryInformation.h:
3099         (JSC::Wasm::MemoryInformation::hasReservedMemory):
3100         (JSC::Wasm::MemoryInformation::takeReservedMemory):
3101         (JSC::Wasm::MemoryInformation::mode):
3102         * wasm/WasmModuleParser.cpp:
3103         * wasm/WasmModuleParser.h:
3104         (JSC::Wasm::ModuleParser::ModuleParser):
3105         * wasm/WasmPlan.cpp:
3106         (JSC::Wasm::Plan::parseAndValidateModule):
3107         (JSC::Wasm::Plan::run):
3108         * wasm/WasmPlan.h:
3109         (JSC::Wasm::Plan::mode):
3110         * wasm/js/JSWebAssemblyCallee.cpp:
3111         (JSC::JSWebAssemblyCallee::finishCreation):
3112         (JSC::JSWebAssemblyCallee::destroy):
3113         * wasm/js/JSWebAssemblyCodeBlock.cpp: Added.
3114         (JSC::JSWebAssemblyCodeBlock::JSWebAssemblyCodeBlock):
3115         (JSC::JSWebAssemblyCodeBlock::destroy):
3116         (JSC::JSWebAssemblyCodeBlock::isSafeToRun):
3117         (JSC::JSWebAssemblyCodeBlock::visitChildren):
3118         (JSC::JSWebAssemblyCodeBlock::UnconditionalFinalizer::finalizeUnconditionally):
3119         * wasm/js/JSWebAssemblyInstance.cpp:
3120         (JSC::JSWebAssemblyInstance::setMemory):
3121         (JSC::JSWebAssemblyInstance::finishCreation):
3122         (JSC::JSWebAssemblyInstance::visitChildren):
3123         * wasm/js/JSWebAssemblyInstance.h:
3124         (JSC::JSWebAssemblyInstance::module):
3125         (JSC::JSWebAssemblyInstance::codeBlock):
3126         (JSC::JSWebAssemblyInstance::memoryMode):
3127         (JSC::JSWebAssemblyInstance::setMemory): Deleted.
3128         * wasm/js/JSWebAssemblyMemory.cpp:
3129         (JSC::JSWebAssemblyMemory::create):
3130         (JSC::JSWebAssemblyMemory::JSWebAssemblyMemory):
3131         (JSC::JSWebAssemblyMemory::buffer):
3132         (JSC::JSWebAssemblyMemory::grow):
3133         (JSC::JSWebAssemblyMemory::destroy):
3134         * wasm/js/JSWebAssemblyMemory.h:
3135         (JSC::JSWebAssemblyMemory::memory):
3136         (JSC::JSWebAssemblyMemory::offsetOfMemory):
3137         (JSC::JSWebAssemblyMemory::offsetOfSize):
3138         * wasm/js/JSWebAssemblyModule.cpp:
3139         (JSC::JSWebAssemblyModule::buildCodeBlock):
3140         (JSC::JSWebAssemblyModule::create):
3141         (JSC::JSWebAssemblyModule::JSWebAssemblyModule):
3142         (JSC::JSWebAssemblyModule::codeBlock):
3143         (JSC::JSWebAssemblyModule::finishCreation):
3144         (JSC::JSWebAssemblyModule::visitChildren):
3145         (JSC::JSWebAssemblyModule::UnconditionalFinalizer::finalizeUnconditionally): Deleted.
3146         * wasm/js/JSWebAssemblyModule.h:
3147         (JSC::JSWebAssemblyModule::takeReservedMemory):
3148         (JSC::JSWebAssemblyModule::signatureIndexFromFunctionIndexSpace):
3149         (JSC::JSWebAssemblyModule::codeBlock):
3150         (JSC::JSWebAssemblyModule::functionImportCount): Deleted.
3151         (JSC::JSWebAssemblyModule::jsEntrypointCalleeFromFunctionIndexSpace): Deleted.
3152         (JSC::JSWebAssemblyModule::wasmEntrypointCalleeFromFunctionIndexSpace): Deleted.
3153         (JSC::JSWebAssemblyModule::setJSEntrypointCallee): Deleted.
3154         (JSC::JSWebAssemblyModule::setWasmEntrypointCallee): Deleted.
3155         (JSC::JSWebAssemblyModule::callees): Deleted.
3156         (JSC::JSWebAssemblyModule::offsetOfCallees): Deleted.
3157         (JSC::JSWebAssemblyModule::allocationSize): Deleted.
3158         * wasm/js/WebAssemblyFunction.cpp:
3159         (JSC::callWebAssemblyFunction):
3160         * wasm/js/WebAssemblyInstanceConstructor.cpp:
3161         (JSC::constructJSWebAssemblyInstance):
3162         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3163         (JSC::constructJSWebAssemblyMemory):
3164         * wasm/js/WebAssemblyModuleConstructor.cpp:
3165         (JSC::WebAssemblyModuleConstructor::createModule):
3166         * wasm/js/WebAssemblyModuleRecord.cpp:
3167         (JSC::WebAssemblyModuleRecord::link):
3168         (JSC::WebAssemblyModuleRecord::evaluate):
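
Added example (not JavaScriptCore code) modelling the fast-memory scheme described in this entry together with the extra faulting-address check from the 2017-03-08 entry above: a PROT_NONE reservation of 2^32 bytes plus a hypothetical redzone, a registry of active fast memories, and a SIGSEGV/SIGBUS handler that resumes at a wasm exception handler only when the fault address lies inside one of them, and otherwise lets the process crash as usual. All names, the sizes, and the g_inWasm flag standing in for the "faulting PC is in wasm code" check are assumptions of this example, not JSC's implementation.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>

#define MAX_FAST_MEMORIES 4
#define WASM_FULL_RESERVE (((size_t)1 << 32) + ((size_t)1 << 31)) /* 2^32 + hypothetical redzone */
typedef struct {
    uint8_t *base;          /* start of the reservation, NULL when the slot is free */
    size_t   usableBytes;   /* prefix currently mapped read/write */
    size_t   reservedBytes; /* whole PROT_NONE reservation */
} FastMemory;

static FastMemory g_active[MAX_FAST_MEMORIES]; /* analogue of activeFastMemories() */
/* Stand-in for "the faulting PC is inside registered wasm code": a C demo cannot map the signal-context PC to its own function bounds. */
static volatile sig_atomic_t g_inWasm = 0;
static sigjmp_buf g_wasmExceptionHandler;

/* The 2017-03-08 entry's extra check: index of the active fast memory containing addr, or -1. */
int fastMemoryContaining(const void *addr) {
    const uint8_t *p = (const uint8_t *)addr;
    for (int i = 0; i < MAX_FAST_MEMORIES; i++) {
        const FastMemory *m = &g_active[i];
        if (m->base && p >= m->base && p < m->base + m->reservedBytes)
            return i;
    }
    return -1;
}

static void trapHandler(int sig, siginfo_t *info, void *ctx) {
    /* Only a fault raised while running wasm, inside a fast memory, is a wasm trap. */
    if (g_inWasm && fastMemoryContaining(info->si_addr) >= 0)
        siglongjmp(g_wasmExceptionHandler, 1); /* resume at the wasm exception handler */
    signal(sig, SIG_DFL); /* anything else: the re-executed access crashes the process as usual */
}

/* Reserve the whole range with no permissions, then open only the usable prefix. */
int tryGetFastMemory(size_t reserveBytes, size_t usableBytes) {
    int slot = 0;
    while (slot < MAX_FAST_MEMORIES && g_active[slot].base)
        slot++;
    if (slot == MAX_FAST_MEMORIES || usableBytes > reserveBytes) return -1;
    void *p = mmap(NULL, reserveBytes, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS | MAP_NORESERVE, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (mprotect(p, usableBytes, PROT_READ | PROT_WRITE) != 0) {
        munmap(p, reserveBytes);
        return -1;
    }
    g_active[slot] = (FastMemory){ (uint8_t *)p, usableBytes, reserveBytes };
    return slot;
}

void releaseFastMemory(int slot) {
    if (slot < 0 || slot >= MAX_FAST_MEMORIES || !g_active[slot].base)
        return;
    munmap(g_active[slot].base, g_active[slot].reservedBytes);
    memset(&g_active[slot], 0, sizeof g_active[slot]);
}

/* Simulated wasm byte load at a 32-bit index (no software bounds check, the MMU does it); 0 on success, 1 on trap. */
int wasmLoad(int slot, uint32_t index, uint8_t *out) {
    if (sigsetjmp(g_wasmExceptionHandler, 1) != 0) {
        g_inWasm = 0;
        return 1; /* arrived here from trapHandler: the wasm trap */
    }
    g_inWasm = 1;
    volatile uint8_t *mem = g_active[slot].base;
    *out = mem[index];
    g_inWasm = 0;
    return 0;
}

/* Returns 0 when an in-bounds load succeeds and an out-of-bounds load traps, else a step code. */
int runFastMemoryDemo(void) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = trapHandler;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, NULL) != 0 || sigaction(SIGBUS, &sa, NULL) != 0)
        return 10;
    size_t usable = 64 * 1024; /* one wasm page */
    int slot = tryGetFastMemory(WASM_FULL_RESERVE, usable);
    if (slot < 0) /* fallback so the demo still runs under a tight address-space ulimit */
        slot = tryGetFastMemory((size_t)64 << 20, usable);
    if (slot < 0) return 11;
    g_active[slot].base[100] = 0x2a; /* constructed sample byte */
    uint8_t v = 0; int rc = 0;
    if (wasmLoad(slot, 100, &v) != 0 || v != 0x2a)
        rc = 12; /* in bounds: must succeed */
    else if (wasmLoad(slot, (uint32_t)usable, &v) != 1)
        rc = 13; /* first byte past the usable prefix: must trap */
    releaseFastMemory(slot);
    return rc;
}
```

On Linux a read of the PROT_NONE part arrives as SIGSEGV rather than the SIGBUS mentioned above, which is why the handler is installed for both.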
3169
3170 2017-03-03  Mark Lam  <mark.lam@apple.com>
3171
3172         Gardening: fix broken ARM64 build.
3173         https://bugs.webkit.org/show_bug.cgi?id=169139
3174
3175         Not reviewed.
3176
3177         * assembler/ARM64Assembler.h:
3178         (JSC::ARM64Assembler::excepnGenerationImmMask):
3179
3180 2017-03-03  Mark Lam  <mark.lam@apple.com>
3181
3182         Add MacroAssembler::isBreakpoint() query function.
3183         https://bugs.webkit.org/show_bug.cgi?id=169139
3184
3185         Reviewed by Michael Saboff.
3186
3187         This will be needed soon when we use breakpoint instructions to implement
3188         non-polling VM traps, and need to discern between a VM trap signal and a genuine
3189         assertion breakpoint.
3190
3191         * assembler/ARM64Assembler.h:
3192         (JSC::ARM64Assembler::isBrk):
3193         (JSC::ARM64Assembler::excepnGenerationImmMask):
3194         * assembler/ARMAssembler.h:
3195         (JSC::ARMAssembler::isBkpt):
3196         * assembler/ARMv7Assembler.h:
3197         (JSC::ARMv7Assembler::isBkpt):
3198         * assembler/MIPSAssembler.h:
3199         (JSC::MIPSAssembler::isBkpt):
3200         * assembler/MacroAssemblerARM.h:
3201         (JSC::MacroAssemblerARM::isBreakpoint):
3202         * assembler/MacroAssemblerARM64.h:
3203         (JSC::MacroAssemblerARM64::isBreakpoint):
3204         * assembler/MacroAssemblerARMv7.h:
3205         (JSC::MacroAssemblerARMv7::isBreakpoint):
3206         * assembler/MacroAssemblerMIPS.h:
3207         (JSC::MacroAssemblerMIPS::isBreakpoint):
3208         * assembler/MacroAssemblerX86Common.h:
3209         (JSC::MacroAssemblerX86Common::isBreakpoint):
3210         * assembler/X86Assembler.h:
3211         (JSC::X86Assembler::isInt3):
3212
3213 2017-03-03  Mark Lam  <mark.lam@apple.com>
3214
3215         We should only check for traps that we're able to handle.
3216         https://bugs.webkit.org/show_bug.cgi?id=169136
3217
3218         Reviewed by Michael Saboff.
3219
3220         The execute methods in the interpreter were checking for the existence of any traps
3221         (without masking) and only handling a subset of those via a mask.  This can
3222         result in a failed assertion on debug builds.
3223
3224         This patch fixes this by applying the same mask for both the needTrapHandling()
3225         check and the handleTraps() call.  Also added a few assertions.
3226
3227         * interpreter/Interpreter.cpp:
3228         (JSC::Interpreter::executeProgram):
3229         (JSC::Interpreter::executeCall):
3230         (JSC::Interpreter::executeConstruct):
3231         (JSC::Interpreter::execute):
3232         * jit/JITOperations.cpp:
3233         * llint/LLIntSlowPaths.cpp:
3234         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3235
3236 2017-03-02  Carlos Garcia Campos  <cgarcia@igalia.com>
3237
3238         Remote Inspector: Move updateTargetListing() methods to RemoteInspector.cpp
3239         https://bugs.webkit.org/show_bug.cgi?id=169074
3240
3241         Reviewed by Joseph Pecoraro.
3242
3243         They are not actually Cocoa-specific.
3244
3245         * inspector/remote/RemoteInspector.cpp:
3246         (Inspector::RemoteInspector::updateTargetListing):
3247         * inspector/remote/RemoteInspector.h:
3248         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
3249
3250 2017-03-02  Mark Lam  <mark.lam@apple.com>
3251
3252         Add WebKit2 hooks to notify the VM that the user has requested a debugger break.
3253         https://bugs.webkit.org/show_bug.cgi?id=169089
3254
3255         Reviewed by Tim Horton and Joseph Pecoraro.
3256
3257         * runtime/VM.cpp:
3258         (JSC::VM::handleTraps):
3259         * runtime/VM.h:
3260         (JSC::VM::notifyNeedDebuggerBreak):
3261
3262 2017-03-02  Michael Saboff  <msaboff@apple.com>
3263
3264         Add JSC identity when code signing to allow debugging on iOS
3265         https://bugs.webkit.org/show_bug.cgi?id=169099
3266
3267         Reviewed by Filip Pizlo.
3268
3269         * Configurations/JSC.xcconfig:
3270         * Configurations/ToolExecutable.xcconfig:
3271
3272 2017-03-02  Keith Miller  <keith_miller@apple.com>
3273
3274         WebAssemblyFunction should have Function.prototype as its prototype
3275         https://bugs.webkit.org/show_bug.cgi?id=169101
3276
3277         Reviewed by Filip Pizlo.
3278
3279         Per https://github.com/WebAssembly/design/blob/master/JS.md#exported-function-exotic-objects our JSWebAssemblyFunction
3280         objects should have Function.prototype as their prototype.
3281
3282         * runtime/JSGlobalObject.cpp:
3283         (JSC::JSGlobalObject::init):
3284
3285 2017-03-02  Mark Lam  <mark.lam@apple.com>
3286
3287         Add Options::alwaysCheckTraps() and Options::usePollingTraps() options.
3288         https://bugs.webkit.org/show_bug.cgi?id=169088
3289
3290         Reviewed by Keith Miller.
3291
3292         Options::alwaysCheckTraps() forces the op_check_traps bytecode to always be
3293         generated.  This is useful for testing purposes until we have signal based
3294         traps, at which point, we will always emit the op_check_traps bytecode and remove
3295         this option.
3296
3297         Options::usePollingTraps() enables the use of polling VM traps all the time.
3298         This will be useful for benchmark comparisons, (between polling and non-polling
3299         traps), as well as for forcing polling traps later for ports that don't support
3300         signal based traps.
3301
3302         Note: signal based traps are not fully implemented yet.  As a result, if the VM
3303         watchdog is in use, we will force Options::usePollingTraps() to be true.
3304
3305         * bytecompiler/BytecodeGenerator.cpp:
3306         (JSC::BytecodeGenerator::emitCheckTraps):
3307         * dfg/DFGClobberize.h:
3308         (JSC::DFG::clobberize):
3309         * dfg/DFGSpeculativeJIT.cpp:
3310         (JSC::DFG::SpeculativeJIT::compileCheckTraps):
3311         * dfg/DFGSpeculativeJIT32_64.cpp:
3312         (JSC::DFG::SpeculativeJIT::compile):
3313         * dfg/DFGSpeculativeJIT64.cpp:
3314         (JSC::DFG::SpeculativeJIT::compile):
3315         * ftl/FTLLowerDFGToB3.cpp:
3316         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
3317         (JSC::FTL::DFG::LowerDFGToB3::compileCheckTraps):
3318         * runtime/Options.cpp:
3319         (JSC::recomputeDependentOptions):
3320         * runtime/Options.h:
3321
3322 2017-03-02  Keith Miller  <keith_miller@apple.com>
3323
3324         Fix addressing mode for B3WasmAddress
3325         https://bugs.webkit.org/show_bug.cgi?id=169092
3326
3327         Reviewed by Filip Pizlo.
3328
3329         Fix the potential addressing modes for B3WasmAddress. ARM does not
3330         support a base + index*1 + offset addressing mode. I think when I
3331         read it the first time I assumed it would always work on both ARM
3332         and X86. While true for X86 it's not true for ARM.
3333
3334         * b3/B3LowerToAir.cpp:
3335         (JSC::B3::Air::LowerToAir::effectiveAddr):
3336
3337 2017-03-02  Mark Lam  <mark.lam@apple.com>
3338
3339         Add support for selective handling of VM traps.
3340         https://bugs.webkit.org/show_bug.cgi?id=169087
3341
3342         Reviewed by Keith Miller.
3343
3344         This is needed because there are some places in the VM where it's appropriate to
3345         handle some types of VM traps but not others.
3346
3347         We implement this selection by using a VMTraps::Mask that allows the user to
3348         specify which traps should be serviced.
3349
3350         * interpreter/Interpreter.cpp:
3351         (JSC::Interpreter::executeProgram):
3352         (JSC::Interpreter::executeCall):
3353         (JSC::Interpreter::executeConstruct):
3354         (JSC::Interpreter::execute):
3355         * runtime/VM.cpp:
3356         (JSC::VM::handleTraps):
3357         * runtime/VM.h:
3358         * runtime/VMTraps.cpp:
3359         (JSC::VMTraps::takeTrap): Deleted.
3360         * runtime/VMTraps.h:
3361         (JSC::VMTraps::Mask::Mask):
3362         (JSC::VMTraps::Mask::allEventTypes):
3363         (JSC::VMTraps::Mask::bits):
3364         (JSC::VMTraps::Mask::init):
3365         (JSC::VMTraps::needTrapHandling):
3366         (JSC::VMTraps::hasTrapForEvent):
3367
3368 2017-03-02  Alex Christensen  <achristensen@webkit.org>
3369
3370         Continue enabling WebRTC
3371         https://bugs.webkit.org/show_bug.cgi?id=169056
3372
3373         Reviewed by Jon Lee.
3374
3375         * Configurations/FeatureDefines.xcconfig:
3376
3377 2017-03-02  Tomas Popela  <tpopela@redhat.com>
3378
3379         Incorrect RELEASE_ASSERT in JSGlobalObject::addStaticGlobals()