WebKit-https.git, commit a8a8e5b689d4dd4baa9b808cb3b74355aace1af1: Source/JavaScriptCore/ChangeLog
1 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
2
3         REGRESSION: 2 test262/test/language/statements/async-function failures
4         https://bugs.webkit.org/show_bug.cgi?id=175334
5
6         Reviewed by Yusuke Suzuki.
7
8         Switch off useAsyncIterator by default
9
10         * runtime/Options.h:
11
12 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
13
14         ICs should do caging
15         https://bugs.webkit.org/show_bug.cgi?id=175295
16
17         Reviewed by Saam Barati.
18         
19         Adds the appropriate cage() calls in our inline caches.
20
21         * bytecode/AccessCase.cpp:
22         (JSC::AccessCase::generateImpl):
23         * bytecode/InlineAccess.cpp:
24         (JSC::InlineAccess::dumpCacheSizesAndCrash):
25         (JSC::InlineAccess::generateSelfPropertyAccess):
26         (JSC::InlineAccess::generateSelfPropertyReplace):
27         (JSC::InlineAccess::generateArrayLength):
28
29 2017-08-08  Devin Rousso  <drousso@apple.com>
30
31         Web Inspector: Canvas: support editing WebGL shaders
32         https://bugs.webkit.org/show_bug.cgi?id=124211
33         <rdar://problem/15448958>
34
35         Reviewed by Matt Baker.
36
37         * inspector/protocol/Canvas.json:
38         Add `updateShader` command that will change the given shader's source to the provided string,
39         recompile, and relink it to its associated program.
40         Drive-by: add description to `requestShaderSource` command.
41
42 2017-08-08  Robin Morisset  <rmorisset@apple.com>
43
44         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
45         https://bugs.webkit.org/show_bug.cgi?id=175347
46
47         Reviewed by Saam Barati.
48
49         This is done by making finishCreation explicitly check for exceptions after setConstantRegisters and setConstantIdentifierSetRegisters.
50         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
51         negligible considering how much more finishCreation does.
52         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
53         FunctionCodeBlock::create() and friends, which are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
54
55         * bytecode/CodeBlock.cpp:
56         (JSC::CodeBlock::finishCreation):
57         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
58         (JSC::CodeBlock::setConstantRegisters):
59         * bytecode/CodeBlock.h:
60         * runtime/ScriptExecutable.cpp:
61         (JSC::ScriptExecutable::newCodeBlockFor):
62
63 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
64
65         Unreviewed, fix Ubuntu LTS build
66         https://bugs.webkit.org/show_bug.cgi?id=174490
67
68         * inspector/remote/glib/RemoteInspectorGlib.cpp:
69         * inspector/remote/glib/RemoteInspectorServer.cpp:
70
71 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
72
73         Baseline JIT should do caging
74         https://bugs.webkit.org/show_bug.cgi?id=175037
75
76         Reviewed by Mark Lam.
77         
78         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
79         
80         Also modifies FTL caging to be more defensive when caging is disabled.
81         
82         Relanded with fixed AssemblyHelpers::cageConditionally().
83
84         * bytecode/AccessCase.cpp:
85         (JSC::AccessCase::generateImpl):
86         * bytecode/InlineAccess.cpp:
87         (JSC::InlineAccess::dumpCacheSizesAndCrash):
88         (JSC::InlineAccess::generateSelfPropertyAccess):
89         (JSC::InlineAccess::generateSelfPropertyReplace):
90         (JSC::InlineAccess::generateArrayLength):
91         * ftl/FTLLowerDFGToB3.cpp:
92         (JSC::FTL::DFG::LowerDFGToB3::caged):
93         * jit/AssemblyHelpers.h:
94         (JSC::AssemblyHelpers::cage):
95         (JSC::AssemblyHelpers::cageConditionally):
96         * jit/JITPropertyAccess.cpp:
97         (JSC::JIT::emitDoubleLoad):
98         (JSC::JIT::emitContiguousLoad):
99         (JSC::JIT::emitArrayStorageLoad):
100         (JSC::JIT::emitGenericContiguousPutByVal):
101         (JSC::JIT::emitArrayStoragePutByVal):
102         (JSC::JIT::emit_op_get_from_scope):
103         (JSC::JIT::emit_op_put_to_scope):
104         (JSC::JIT::emitIntTypedArrayGetByVal):
105         (JSC::JIT::emitFloatTypedArrayGetByVal):
106         (JSC::JIT::emitIntTypedArrayPutByVal):
107         (JSC::JIT::emitFloatTypedArrayPutByVal):
108         * jsc.cpp:
109         (jscmain):
110         (primitiveGigacageDisabled): Deleted.
111
112 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
113
114         Unreviewed, rolling out r220368.
115
116         This change caused WK1 tests to exit early with crashes.
117
118         Reverted changeset:
119
120         "Baseline JIT should do caging"
121         https://bugs.webkit.org/show_bug.cgi?id=175037
122         http://trac.webkit.org/changeset/220368
123
124 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
125
126         [CMake] Properly test if compiler supports compiler flags
127         https://bugs.webkit.org/show_bug.cgi?id=174490
128
129         Reviewed by Konstantin Tokarev.
130
131         * API/tests/PingPongStackOverflowTest.cpp:
132         (testPingPongStackOverflow):
133         * API/tests/testapi.c:
134         * b3/testb3.cpp:
135         (JSC::B3::testPatchpointLotsOfLateAnys):
136
137 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
138
139         [Linux] Clear WasmMemory with madvise instead of memset
140         https://bugs.webkit.org/show_bug.cgi?id=175150
141
142         Reviewed by Filip Pizlo.
143
144         On Linux, zeroing pages with memset populates the backing store.
145         Instead, we should use madvise with MADV_DONTNEED. It discards the
146         pages, and if you access these pages again, on-demand zero pages will
147         be shown.
148
149         We also commit grown pages in all OSes.
150
151         * wasm/WasmMemory.cpp:
152         (JSC::Wasm::commitZeroPages):
153         (JSC::Wasm::Memory::create):
154         (JSC::Wasm::Memory::grow):
155
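The entry above contrasts two ways of returning a Wasm memory to all-zero: memset, which writes every page and therefore forces the kernel to back each one, and madvise(MADV_DONTNEED), which drops the pages so that the next touch maps a fresh zero page. The C++ below is an added illustration of that commit/discard flow and is not WebKit's WasmMemory code: the reservation layout, the mincore-based residency check, and names such as WasmMemoryModel::discardAndZero, commitZeroPages and demo are assumptions made for the example. The guard on __linux__ matters: MADV_DONTNEED only guarantees zero-fill for private anonymous mappings on Linux (file-backed or MAP_SHARED pages are reloaded, not zeroed), and other systems treat it as a hint, so the example falls back to memset there.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

namespace WasmMemoryModel {

// Drop the contents of [start, start+length) so that the next touch of each page
// maps a fresh zero page. On Linux MADV_DONTNEED has exactly that guarantee for
// private anonymous mappings. Elsewhere it is only a hint with no zeroing
// promise, so fall back to memset, which populates every page it writes.
int discardAndZero(void* start, std::size_t length) {
#if defined(__linux__)
    return madvise(start, length, MADV_DONTNEED);
#else
    std::memset(start, 0, length);
    return 0;
#endif
}

// Model (assumed, not JSC's) of commitZeroPages: make reserved pages accessible
// and make sure they read back as zero without populating them up front.
int commitZeroPages(void* start, std::size_t length) {
    if (mprotect(start, length, PROT_READ | PROT_WRITE) != 0)
        return -1;
    return discardAndZero(start, length);
}

// Number of pages in the range currently backed by physical memory, via mincore.
// The vector element type differs between Linux and the BSD-derived systems.
std::size_t residentPages(void* start, std::size_t length) {
    std::size_t pageSize = static_cast<std::size_t>(sysconf(_SC_PAGESIZE));
    std::size_t pages = (length + pageSize - 1) / pageSize;
#if defined(__linux__)
    std::vector<unsigned char> vec(pages);
#else
    std::vector<char> vec(pages);
#endif
    if (mincore(start, length, vec.data()) != 0)
        return pages;                       // unknown: assume everything is resident
    std::size_t resident = 0;
    for (auto v : vec)
        if (v & 1) ++resident;
    return resident;
}

static bool allZero(const void* p, std::size_t length) {
    const unsigned char* b = static_cast<const unsigned char*>(p);
    for (std::size_t i = 0; i < length; ++i)
        if (b[i]) return false;
    return true;
}

struct Result {
    bool ok = false;                // mapping, discard and grow all behaved as expected
    std::size_t residentBefore = 0; // pages backed after the memory had been dirtied
    std::size_t residentAfter = 0;  // pages backed right after discarding, before any touch
};

// Reserve 2*pages as PROT_NONE, commit the first half (initial memory), dirty it,
// zero it the cheap way, then "grow" by committing the second half.
Result demo(std::size_t pages) {
    Result r;
    std::size_t pageSize = static_cast<std::size_t>(sysconf(_SC_PAGESIZE));
    std::size_t half = pages * pageSize;
    void* base = mmap(nullptr, 2 * half, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return r;
    unsigned char* mem = static_cast<unsigned char*>(base);
    bool ok = commitZeroPages(mem, half) == 0;
    std::memset(mem, 0xAB, half);                   // the module has used its memory
    r.residentBefore = residentPages(mem, half);
    ok = ok && discardAndZero(mem, half) == 0;
    r.residentAfter = residentPages(mem, half);     // measured before anything touches it
    ok = ok && allZero(mem, half);                  // touching now maps zero pages
    ok = ok && commitZeroPages(mem + half, half) == 0 && allZero(mem + half, half);
    mem[half] = 1;                                  // grown pages must be writable
    ok = ok && mem[half] == 1;
    munmap(base, 2 * half);
    r.ok = ok;
    return r;
}

} // namespace WasmMemoryModel

int main() {
    WasmMemoryModel::Result r = WasmMemoryModel::demo(16);
    std::printf("ok=%d resident before=%zu after=%zu\n", r.ok, r.residentBefore, r.residentAfter);
    return r.ok ? 0 : 1;
}
```

On Linux the run reports all pages resident after the memset and none after the discard; on a system that took the memset fallback the two counts are equal, which is the population cost the entry is avoiding.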
156 2017-08-07  Robin Morisset  <rmorisset@apple.com>
157
158         GetOwnProperty of TypedArray indexed fields is wrongly configurable
159         https://bugs.webkit.org/show_bug.cgi?id=175307
160
161         Reviewed by Saam Barati.
162
163         ```
164         let a = new Uint8Array(10);
165         let b = Object.getOwnPropertyDescriptor(a, 0);
166         assert(b.configurable === false);
167         ```
168         should not fail, by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p),
169         which applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances),
170         which says that typed arrays are integer indexed exotic objects.
171
172         * runtime/JSGenericTypedArrayViewInlines.h:
173         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
174
175 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
176
177         Baseline JIT should do caging
178         https://bugs.webkit.org/show_bug.cgi?id=175037
179
180         Reviewed by Mark Lam.
181         
182         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
183         
184         Also modifies FTL caging to be more defensive when caging is disabled.
185
186         * ftl/FTLLowerDFGToB3.cpp:
187         (JSC::FTL::DFG::LowerDFGToB3::caged):
188         * jit/AssemblyHelpers.h:
189         (JSC::AssemblyHelpers::cage):
190         (JSC::AssemblyHelpers::cageConditionally):
191         * jit/JITPropertyAccess.cpp:
192         (JSC::JIT::emitDoubleLoad):
193         (JSC::JIT::emitContiguousLoad):
194         (JSC::JIT::emitArrayStorageLoad):
195         (JSC::JIT::emitGenericContiguousPutByVal):
196         (JSC::JIT::emitArrayStoragePutByVal):
197         (JSC::JIT::emit_op_get_from_scope):
198         (JSC::JIT::emit_op_put_to_scope):
199         (JSC::JIT::emitIntTypedArrayGetByVal):
200         (JSC::JIT::emitFloatTypedArrayGetByVal):
201         (JSC::JIT::emitIntTypedArrayPutByVal):
202         (JSC::JIT::emitFloatTypedArrayPutByVal):
203         * jsc.cpp:
204         (jscmain):
205         (primitiveGigacageDisabled): Deleted.
206
207 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
208
209         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
210         https://bugs.webkit.org/show_bug.cgi?id=174919
211
212         Reviewed by Keith Miller.
213         
214         This adapts JSC to there being two gigacages.
215         
216         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
217         singletons. I don't think we were gaining anything by making them singletons.
218         
219         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
220         gigacages. We'll have one of those allocators per cage.
221         
222         From there, this change teaches everyone who previously knew about cages that there are two cages.
223         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
224         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
225         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
226         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
227         
228         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
229         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
230
231         * JavaScriptCore.xcodeproj/project.pbxproj:
232         * bytecode/AccessCase.cpp:
233         (JSC::AccessCase::generateImpl):
234         * dfg/DFGSpeculativeJIT.cpp:
235         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
236         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
237         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
238         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
239         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
240         * ftl/FTLLowerDFGToB3.cpp:
241         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
242         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
243         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
244         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
245         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
246         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
247         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
248         (JSC::FTL::DFG::LowerDFGToB3::caged):
249         * heap/FastMallocAlignedMemoryAllocator.cpp:
250         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
251         * heap/FastMallocAlignedMemoryAllocator.h:
252         * heap/GigacageAlignedMemoryAllocator.cpp:
253         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
254         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
255         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
256         (JSC::GigacageAlignedMemoryAllocator::dump const):
257         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
258         * heap/GigacageAlignedMemoryAllocator.h:
259         * jsc.cpp:
260         (primitiveGigacageDisabled):
261         (jscmain):
262         (gigacageDisabled): Deleted.
263         * llint/LowLevelInterpreter64.asm:
264         * runtime/ArrayBuffer.cpp:
265         (JSC::ArrayBufferContents::tryAllocate):
266         (JSC::ArrayBuffer::createAdopted):
267         (JSC::ArrayBuffer::createFromBytes):
268         * runtime/AuxiliaryBarrier.h:
269         * runtime/ButterflyInlines.h:
270         (JSC::Butterfly::createUninitialized):
271         (JSC::Butterfly::tryCreate):
272         (JSC::Butterfly::growArrayRight):
273         * runtime/CagedBarrierPtr.h: Added.
274         (JSC::CagedBarrierPtr::CagedBarrierPtr):
275         (JSC::CagedBarrierPtr::clear):
276         (JSC::CagedBarrierPtr::set):
277         (JSC::CagedBarrierPtr::get const):
278         (JSC::CagedBarrierPtr::getMayBeNull const):
279         (JSC::CagedBarrierPtr::operator== const):
280         (JSC::CagedBarrierPtr::operator!= const):
281         (JSC::CagedBarrierPtr::operator bool const):
282         (JSC::CagedBarrierPtr::setWithoutBarrier):
283         (JSC::CagedBarrierPtr::operator* const):
284         (JSC::CagedBarrierPtr::operator-> const):
285         (JSC::CagedBarrierPtr::operator[] const):
286         * runtime/DirectArguments.cpp:
287         (JSC::DirectArguments::overrideThings):
288         (JSC::DirectArguments::unmapArgument):
289         * runtime/DirectArguments.h:
290         (JSC::DirectArguments::isMappedArgument const):
291         * runtime/GenericArguments.h:
292         * runtime/GenericArgumentsInlines.h:
293         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
294         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
295         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
296         * runtime/HashMapImpl.cpp:
297         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
298         * runtime/HashMapImpl.h:
299         (JSC::HashMapBuffer::create):
300         (JSC::HashMapImpl::buffer const):
301         (JSC::HashMapImpl::rehash):
302         * runtime/JSArray.cpp:
303         (JSC::JSArray::tryCreateUninitializedRestricted):
304         (JSC::JSArray::unshiftCountSlowCase):
305         (JSC::JSArray::setLength):
306         (JSC::JSArray::pop):
307         (JSC::JSArray::push):
308         (JSC::JSArray::fastSlice):
309         (JSC::JSArray::shiftCountWithArrayStorage):
310         (JSC::JSArray::shiftCountWithAnyIndexingType):
311         (JSC::JSArray::unshiftCountWithAnyIndexingType):
312         (JSC::JSArray::fillArgList):
313         (JSC::JSArray::copyToArguments):
314         * runtime/JSArray.h:
315         (JSC::JSArray::tryCreate):
316         * runtime/JSArrayBufferView.cpp:
317         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
318         (JSC::JSArrayBufferView::finalize):
319         * runtime/JSLock.cpp:
320         (JSC::JSLock::didAcquireLock):
321         * runtime/JSObject.cpp:
322         (JSC::JSObject::heapSnapshot):
323         (JSC::JSObject::getOwnPropertySlotByIndex):
324         (JSC::JSObject::putByIndex):
325         (JSC::JSObject::enterDictionaryIndexingMode):
326         (JSC::JSObject::createInitialIndexedStorage):
327         (JSC::JSObject::createArrayStorage):
328         (JSC::JSObject::convertUndecidedToInt32):
329         (JSC::JSObject::convertUndecidedToDouble):
330         (JSC::JSObject::convertUndecidedToContiguous):
331         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
332         (JSC::JSObject::convertUndecidedToArrayStorage):
333         (JSC::JSObject::convertInt32ToDouble):
334         (JSC::JSObject::convertInt32ToContiguous):
335         (JSC::JSObject::convertInt32ToArrayStorage):
336         (JSC::JSObject::convertDoubleToContiguous):
337         (JSC::JSObject::convertDoubleToArrayStorage):
338         (JSC::JSObject::convertContiguousToArrayStorage):
339         (JSC::JSObject::setIndexQuicklyToUndecided):
340         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
341         (JSC::JSObject::deletePropertyByIndex):
342         (JSC::JSObject::getOwnPropertyNames):
343         (JSC::JSObject::putIndexedDescriptor):
344         (JSC::JSObject::defineOwnIndexedProperty):
345         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
346         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
347         (JSC::JSObject::getNewVectorLength):
348         (JSC::JSObject::ensureLengthSlow):
349         (JSC::JSObject::reallocateAndShrinkButterfly):
350         (JSC::JSObject::allocateMoreOutOfLineStorage):
351         (JSC::JSObject::getEnumerableLength):
352         * runtime/JSObject.h:
353         (JSC::JSObject::getArrayLength const):
354         (JSC::JSObject::getVectorLength):
355         (JSC::JSObject::putDirectIndex):
356         (JSC::JSObject::canGetIndexQuickly):
357         (JSC::JSObject::getIndexQuickly):
358         (JSC::JSObject::tryGetIndexQuickly const):
359         (JSC::JSObject::canSetIndexQuickly):
360         (JSC::JSObject::setIndexQuickly):
361         (JSC::JSObject::initializeIndex):
362         (JSC::JSObject::initializeIndexWithoutBarrier):
363         (JSC::JSObject::hasSparseMap):
364         (JSC::JSObject::inSparseIndexingMode):
365         (JSC::JSObject::butterfly const):
366         (JSC::JSObject::butterfly):
367         (JSC::JSObject::outOfLineStorage const):
368         (JSC::JSObject::outOfLineStorage):
369         (JSC::JSObject::ensureInt32):
370         (JSC::JSObject::ensureDouble):
371         (JSC::JSObject::ensureContiguous):
372         (JSC::JSObject::ensureArrayStorage):
373         (JSC::JSObject::arrayStorage):
374         (JSC::JSObject::arrayStorageOrNull):
375         (JSC::JSObject::ensureLength):
376         * runtime/RegExpMatchesArray.h:
377         (JSC::tryCreateUninitializedRegExpMatchesArray):
378         * runtime/VM.cpp:
379         (JSC::VM::VM):
380         (JSC::VM::~VM):
381         (JSC::VM::primitiveGigacageDisabledCallback):
382         (JSC::VM::primitiveGigacageDisabled):
383         (JSC::VM::gigacageDisabledCallback): Deleted.
384         (JSC::VM::gigacageDisabled): Deleted.
385         * runtime/VM.h:
386         (JSC::VM::gigacageAuxiliarySpace):
387         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
388         (JSC::VM::primitiveGigacageEnabled):
389         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
390         (JSC::VM::gigacageEnabled): Deleted.
391         * wasm/WasmMemory.cpp:
392         (JSC::Wasm::Memory::create):
393         (JSC::Wasm::Memory::~Memory):
394         (JSC::Wasm::Memory::grow):
395
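The caging entries above ("ICs should do caging", "Baseline JIT should do caging", and the split into Gigacage::Primitive and Gigacage::JSValue) all rely on one operation: before JIT-emitted code loads or stores through a pointer that itself lives in the heap (a typed array's vector, a butterfly), the pointer is masked and re-based so that it cannot escape its cage even if an attacker has overwritten it. The C++ below is an added illustration of that operation and is not WebKit or bmalloc code: the cage size, the posix_memalign-backed regions, and names such as CageModel::cage, cageConditionally and isInCage are assumptions made for the example. It checks the three properties a reviewer would want to see: a corrupted pointer still lands inside the cage of its kind, a pointer into the JSValue cage cannot be used as Primitive storage, and cageConditionally is a no-op when the cage's base pointer is null, which is what "caging disabled" means in this model.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>

namespace CageModel {

// Two cages, mirroring Gigacage::Primitive (typed-array backing stores) and
// Gigacage::JSValue (butterflies and other JSValue storage).
enum class Kind { Primitive = 0, JSValue = 1 };

// Assumed toy size. A cage is a power-of-two region aligned to its own size, so
// "mask the low bits, then add the base" is all that caging costs. Real cages
// are gigabytes of reserved address space; 1 MiB keeps this runnable.
constexpr std::size_t kCageSize = 1u << 20;
constexpr std::uintptr_t kCageMask = kCageSize - 1;

static void* g_base[2] = { nullptr, nullptr };

void* basePtr(Kind kind) { return g_base[static_cast<int>(kind)]; }

bool enableCage(Kind kind) {
    void*& base = g_base[static_cast<int>(kind)];
    if (base)
        return true;
    if (posix_memalign(&base, kCageSize, kCageSize) != 0) {
        base = nullptr;
        return false;
    }
    std::memset(base, 0, kCageSize);
    return true;
}

void disableCage(Kind kind) {
    void*& base = g_base[static_cast<int>(kind)];
    std::free(base);
    base = nullptr;
}

// Unconditional caging: whatever the input, the result is inside the cage for `kind`.
template<typename T>
T* cage(Kind kind, T* ptr) {
    auto base = reinterpret_cast<std::uintptr_t>(basePtr(kind));
    auto offset = reinterpret_cast<std::uintptr_t>(ptr) & kCageMask;
    return reinterpret_cast<T*>(base + offset);
}

// Conditional caging: a null base means the cage is disabled, so pass the
// pointer through untouched instead of re-basing it onto address zero.
template<typename T>
T* cageConditionally(Kind kind, T* ptr) {
    if (!basePtr(kind))
        return ptr;
    return cage(kind, ptr);
}

bool isInCage(Kind kind, const void* p) {
    auto base = reinterpret_cast<std::uintptr_t>(basePtr(kind));
    auto addr = reinterpret_cast<std::uintptr_t>(p);
    return base != 0 && addr >= base && addr < base + kCageSize;
}

// Constructed scenario: a typed array's vector pointer has been overwritten by a
// memory-corruption bug to point at a secret that lives outside every cage.
static char g_secret[32] = "outside-the-cage secret";

// The JIT emits cage() right before the load, so the read lands in the Primitive
// cage (zero-filled here) instead of on the secret.
char readByteThroughCagedPointer() {
    enableCage(Kind::Primitive);
    char* corrupted = g_secret;
    char* safe = cage(Kind::Primitive, corrupted);
    return *safe;
}

bool corruptedPointerStaysInCage() {
    enableCage(Kind::Primitive);
    return isInCage(Kind::Primitive, cage(Kind::Primitive, g_secret))
        && !isInCage(Kind::Primitive, g_secret);
}

// A slot that is legitimately inside the JSValue cage is still redirected into
// the Primitive cage when accessed as primitive storage: the two kinds never alias,
// so a JSValue/raw-bytes confusion cannot cross from one cage into the other.
bool kindsDoNotAlias() {
    enableCage(Kind::Primitive);
    enableCage(Kind::JSValue);
    char* jsValueSlot = static_cast<char*>(basePtr(Kind::JSValue)) + 0x1234;
    char* asPrimitive = cage(Kind::Primitive, jsValueSlot);
    return isInCage(Kind::Primitive, asPrimitive) && !isInCage(Kind::JSValue, asPrimitive);
}

bool disabledCagePassesThrough() {
    disableCage(Kind::JSValue);
    return cageConditionally(Kind::JSValue, g_secret) == g_secret;
}

} // namespace CageModel

int main() {
    using namespace CageModel;
    std::printf("corrupted pointer stays in cage: %d\n", corruptedPointerStaysInCage());
    std::printf("byte read through caged pointer: %d\n", readByteThroughCagedPointer());
    std::printf("kinds do not alias: %d\n", kindsDoNotAlias());
    std::printf("disabled cage passes through: %d\n", disabledCagePassesThrough());
    return 0;
}
```

The example keeps the base pointers in globals so that the disabled case (a null base) can be exercised; the unconditional cage() is only meaningful while its cage is enabled, which is why the conditional form exists and why the entry above makes the FTL path "more defensive when caging is disabled".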
396 2017-08-07  Commit Queue  <commit-queue@webkit.org>
397
398         Unreviewed, rolling out r220144.
399         https://bugs.webkit.org/show_bug.cgi?id=175276
400
401         "It did not actually speed things up in the way I expected"
402         (Requested by saamyjoon on #webkit).
403
404         Reverted changeset:
405
406         "On memory-constrained iOS devices, reduce the rate at which
407         the JS heap grows before a GC to try to keep more memory
408         available for the system"
409         https://bugs.webkit.org/show_bug.cgi?id=175041
410         http://trac.webkit.org/changeset/220144
411
412 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
413
414         Unreviewed, rolling out r220299.
415
416         This change caused LayoutTest inspector/dom-debugger/dom-breakpoints.html
417         to fail.
418
419         Reverted changeset:
420
421         "Web Inspector: capture async stack trace when workers/main
422         context posts a message"
423         https://bugs.webkit.org/show_bug.cgi?id=167084
424         http://trac.webkit.org/changeset/220299
425
426 2017-08-07  Brian Burg  <bburg@apple.com>
427
428         Remove CANVAS_PATH compilation guard
429         https://bugs.webkit.org/show_bug.cgi?id=175207
430
431         Reviewed by Sam Weinig.
432
433         * Configurations/FeatureDefines.xcconfig:
434
435 2017-08-07  Keith Miller  <keith_miller@apple.com>
436
437         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
438         https://bugs.webkit.org/show_bug.cgi?id=175256
439
440         Reviewed by Saam Barati.
441
442         The check in createFromBytes just needed to check that the buffer was not null before
443         calling isCaged.
444
445         * runtime/ArrayBuffer.cpp:
446         (JSC::ArrayBuffer::createFromBytes):
447
448 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
449
450         [GTK][WPE] Add API to provide browser information required by automation
451         https://bugs.webkit.org/show_bug.cgi?id=175130
452
453         Reviewed by Brian Burg.
454
455         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
456         get them.
457
458         * inspector/remote/RemoteInspector.cpp:
459         (Inspector::RemoteInspector::updateClientCapabilities): Also update browserName and browserVersion.
460         * inspector/remote/RemoteInspector.h:
461         * inspector/remote/glib/RemoteInspectorGlib.cpp:
462         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
463         requested to ensure they are updated before the StartAutomationSession reply is sent.
464         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
465         StartAutomationSession message.
466
467 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
468
469         Promise resolve and reject function should have length = 1
470         https://bugs.webkit.org/show_bug.cgi?id=175242
471
472         Reviewed by Saam Barati.
473
474         Previously we had a separate system for "length" and "name" for builtin functions.
475         The builtin functions did not use the lazy reifying system. Instead, they had direct
476         properties set when instantiated. While the functions created for properties (like
477         Array.prototype.filter) are created by JSFunction::createBuiltin(), functions inside
478         these builtin functions are just created by JSFunction::create(). Since it does
479         not set any values for "length", these functions do not have a "length" property.
480         So, the resolve and reject functions passed to Promise's executor do not have a
481         "length" property.
482
483         This patch makes builtin functions use the standard lazy reifying system for "length".
484         So, the "length" property of a builtin function just works as it does for normal
485         functions.
486
487         * runtime/JSFunction.cpp:
488         (JSC::JSFunction::createBuiltinFunction):
489         (JSC::JSFunction::getOwnPropertySlot):
490         (JSC::JSFunction::getOwnNonIndexPropertyNames):
491         (JSC::JSFunction::put):
492         (JSC::JSFunction::deleteProperty):
493         (JSC::JSFunction::defineOwnProperty):
494         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
495         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
496         (JSC::JSFunction::reifyLazyLengthIfNeeded):
497         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
498         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
499         * runtime/JSFunction.h:
500
501 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
502
503         [ESNext] Async iteration - Implement Async Generator - parser
504         https://bugs.webkit.org/show_bug.cgi?id=175210
505
506         Reviewed by Yusuke Suzuki.
507
508         The current implementation is a draft version of Async Iteration.
509         Link to spec: https://tc39.github.io/proposal-async-iteration/
510
511         The current patch implements only the parser part of the Async generator.
512         The runtime part will be in the next patches.
513
514         * parser/ASTBuilder.h:
515         (JSC::ASTBuilder::createFunctionMetadata):
516         * parser/Parser.cpp:
517         (JSC::getAsynFunctionBodyParseMode):
518         (JSC::Parser<LexerType>::parseInner):
519         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
520         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
521         (JSC::stringArticleForFunctionMode):
522         (JSC::stringForFunctionMode):
523         (JSC::Parser<LexerType>::parseFunctionInfo):
524         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
525         (JSC::Parser<LexerType>::parseClass):
526         (JSC::Parser<LexerType>::parseProperty):
527         (JSC::Parser<LexerType>::parsePropertyMethod):
528         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
529         * parser/Parser.h:
530         (JSC::Scope::setSourceParseMode):
531         * parser/ParserModes.h:
532         (JSC::isFunctionParseMode):
533         (JSC::isAsyncFunctionParseMode):
534         (JSC::isAsyncArrowFunctionParseMode):
535         (JSC::isAsyncGeneratorFunctionParseMode):
536         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
537         (JSC::isAsyncFunctionWrapperParseMode):
538         (JSC::isAsyncFunctionBodyParseMode):
539         (JSC::isGeneratorMethodParseMode):
540         (JSC::isAsyncMethodParseMode):
541         (JSC::isAsyncGeneratorMethodParseMode):
542         (JSC::isMethodParseMode):
543         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
544         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
545
546 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
547
548         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
549         https://bugs.webkit.org/show_bug.cgi?id=175083
550
551         Reviewed by Oliver Hunt.
552         
553         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
554         even if we are using the pop path.
555         
556         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
557         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
558         the world just because we changed it.
559         
560         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
561         easier to debug leaks.
562
563         * bytecode/AccessCase.cpp:
564         * bytecode/PolymorphicAccess.cpp:
565         * heap/HeapCell.cpp:
566         (JSC::HeapCell::isLive):
567         * heap/HeapCellInlines.h:
568         (JSC::HeapCell::isLive): Deleted.
569         * heap/MarkedAllocator.cpp:
570         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
571         (JSC::MarkedAllocator::endMarking):
572         * heap/MarkedBlockInlines.h:
573         (JSC::MarkedBlock::Handle::specializedSweep):
574         * jit/AssemblyHelpers.cpp:
575         * jit/Repatch.cpp:
576         * runtime/TestRunnerUtils.h:
577         * runtime/VM.cpp:
578         (JSC::waitForVMDestruction):
579         (JSC::VM::~VM):
580
581 2017-08-05  Mark Lam  <mark.lam@apple.com>
582
583         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
584         https://bugs.webkit.org/show_bug.cgi?id=175228
585         <rdar://problem/33735737>
586
587         Reviewed by Saam Barati.
588
589         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
590         delete OSRExit32_64.cpp.
591
592         * CMakeLists.txt:
593         * JavaScriptCore.xcodeproj/project.pbxproj:
594         * dfg/DFGOSRExit.cpp:
595         (JSC::DFG::OSRExit::compileExit):
596         * dfg/DFGOSRExit32_64.cpp: Removed.
597         * jit/GPRInfo.h:
598         (JSC::JSValueSource::payloadGPR const):
599
600 2017-08-04  Youenn Fablet  <youenn@apple.com>
601
602         [Cache API] Add Cache and CacheStorage IDL definitions
603         https://bugs.webkit.org/show_bug.cgi?id=175201
604
605         Reviewed by Brady Eidson.
606
607         * runtime/CommonIdentifiers.h:
608
609 2017-08-04  Mark Lam  <mark.lam@apple.com>
610
611         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
612         https://bugs.webkit.org/show_bug.cgi?id=175230
613         <rdar://problem/33735857>
614
615         Reviewed by Saam Barati.
616
617         * assembler/testmasm.cpp:
618         (JSC::testProbeReadsArgumentRegisters):
619         (JSC::testProbeWritesArgumentRegisters):
620
621 2017-08-04  Mark Lam  <mark.lam@apple.com>
622
623         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
624         https://bugs.webkit.org/show_bug.cgi?id=175214
625         <rdar://problem/33733308>
626
627         Rubber-stamped by Michael Saboff.
628
629         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
630         DFGOSRExitCompiler files.
631
632         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
633
634         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
635         used by compileOSRExit(), and will be changed to not be a DFG operation function
636         when we use JIT probes for DFG OSR exits later in
637         https://bugs.webkit.org/show_bug.cgi?id=175144.
638
639         * CMakeLists.txt:
640         * JavaScriptCore.xcodeproj/project.pbxproj:
641         * dfg/DFGJITCompiler.cpp:
642         * dfg/DFGOSRExit.cpp:
643         (JSC::DFG::OSRExit::emitRestoreArguments):
644         (JSC::DFG::OSRExit::compileOSRExit):
645         (JSC::DFG::OSRExit::compileExit):
646         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
647         * dfg/DFGOSRExit.h:
648         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
649         * dfg/DFGOSRExitCompiler.cpp: Removed.
650         * dfg/DFGOSRExitCompiler.h: Removed.
651         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
652         * dfg/DFGOSRExitCompiler64.cpp: Removed.
653         * dfg/DFGOperations.cpp:
654         * dfg/DFGOperations.h:
655         * dfg/DFGThunks.cpp:
656
657 2017-08-04  Matt Baker  <mattbaker@apple.com>
658
659         Web Inspector: capture async stack trace when workers/main context posts a message
660         https://bugs.webkit.org/show_bug.cgi?id=167084
661         <rdar://problem/30033673>
662
663         Reviewed by Brian Burg.
664
665         * inspector/agents/InspectorDebuggerAgent.h:
666         Add `PostMessage` async call type.
667
668 2017-08-04  Mark Lam  <mark.lam@apple.com>
669
670         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
671         https://bugs.webkit.org/show_bug.cgi?id=175208
672         <rdar://problem/33732402>
673
674         Reviewed by Saam Barati.
675
676         This will minimize the code diff and make it easier to review the patch for
677         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
678         steps:
679
680         1. Do the code changes to move methods into OSRExit.
681         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
682         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
683
684         Splitting this refactoring into these 3 steps also makes it easier to review this
685         patch and understand what is being changed.
686
687         * dfg/DFGOSRExit.h:
688         * dfg/DFGOSRExitCompiler.cpp:
689         (JSC::DFG::OSRExit::emitRestoreArguments):
690         (JSC::DFG::OSRExit::compileOSRExit):
691         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
692         (): Deleted.
693         * dfg/DFGOSRExitCompiler.h:
694         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
695         (): Deleted.
696         * dfg/DFGOSRExitCompiler32_64.cpp:
697         (JSC::DFG::OSRExit::compileExit):
698         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
699         * dfg/DFGOSRExitCompiler64.cpp:
700         (JSC::DFG::OSRExit::compileExit):
701         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
702         * dfg/DFGThunks.cpp:
703         (JSC::DFG::osrExitGenerationThunkGenerator):
704
705 2017-08-04  Devin Rousso  <drousso@apple.com>
706
707         Web Inspector: add source view for WebGL shader programs
708         https://bugs.webkit.org/show_bug.cgi?id=138593
709         <rdar://problem/18936194>
710
711         Reviewed by Matt Baker.
712
713         * inspector/protocol/Canvas.json:
714          - Add `ShaderType` enum that contains "vertex" and "fragment".
715          - Add `requestShaderSource` command that will return the original source code for a given
716            shader program and shader type.
717
718 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
719
720         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
721         https://bugs.webkit.org/show_bug.cgi?id=175141
722
723         Reviewed by Mark Lam.
724         
725         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
726         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
727         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
728         determined by the AlignedMemoryAllocator object.
729         
730         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
731         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
732         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
733         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
734         they use the same AlignedMemoryAllocator.
735
736         * CMakeLists.txt:
737         * JavaScriptCore.xcodeproj/project.pbxproj:
738         * heap/AlignedMemoryAllocator.cpp: Added.
739         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
740         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
741         * heap/AlignedMemoryAllocator.h: Added.
742         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
743         (JSC::FastMallocAlignedMemoryAllocator::singleton):
744         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
745         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
746         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
747         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
748         (JSC::FastMallocAlignedMemoryAllocator::dump const):
749         * heap/FastMallocAlignedMemoryAllocator.h: Added.
750         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
751         (JSC::GigacageAlignedMemoryAllocator::singleton):
752         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
753         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
754         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
755         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
756         (JSC::GigacageAlignedMemoryAllocator::dump const):
757         * heap/GigacageAlignedMemoryAllocator.h: Added.
758         * heap/GigacageSubspace.cpp: Removed.
759         * heap/GigacageSubspace.h: Removed.
760         * heap/LargeAllocation.cpp:
761         (JSC::LargeAllocation::tryCreate):
762         (JSC::LargeAllocation::destroy):
763         * heap/MarkedAllocator.cpp:
764         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
765         * heap/MarkedBlock.cpp:
766         (JSC::MarkedBlock::tryCreate):
767         (JSC::MarkedBlock::Handle::Handle):
768         (JSC::MarkedBlock::Handle::~Handle):
769         (JSC::MarkedBlock::Handle::didAddToAllocator):
770         (JSC::MarkedBlock::Handle::subspace const):
771         * heap/MarkedBlock.h:
772         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
773         (JSC::MarkedBlock::Handle::subspace const): Deleted.
774         * heap/Subspace.cpp:
775         (JSC::Subspace::Subspace):
776         (JSC::Subspace::findEmptyBlockToSteal):
777         (JSC::Subspace::canTradeBlocksWith): Deleted.
778         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
779         (JSC::Subspace::freeAlignedMemory): Deleted.
780         * heap/Subspace.h:
781         (JSC::Subspace::name const):
782         (JSC::Subspace::alignedMemoryAllocator const):
783         * runtime/JSDestructibleObjectSubspace.cpp:
784         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
785         * runtime/JSDestructibleObjectSubspace.h:
786         * runtime/JSSegmentedVariableObjectSubspace.cpp:
787         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
788         * runtime/JSSegmentedVariableObjectSubspace.h:
789         * runtime/JSStringSubspace.cpp:
790         (JSC::JSStringSubspace::JSStringSubspace):
791         * runtime/JSStringSubspace.h:
792         * runtime/VM.cpp:
793         (JSC::VM::VM):
794         * runtime/VM.h:
795         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
796         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
797         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
798
799 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
800
801         [ESNext] Async iteration - update feature.json
802         https://bugs.webkit.org/show_bug.cgi?id=175197
803
804         Reviewed by Yusuke Suzuki.
805
806         Update feature.json to add the status of Async Iteration
807
808         * features.json:
809
810 2017-08-04  Matt Lewis  <jlewis3@apple.com>
811
812         Unreviewed, rolling out r220271.
813
814         Rolling out due to Layout Test failing on iOS Simulator.
815
816         Reverted changeset:
817
818         "Remove STREAMS_API compilation guard"
819         https://bugs.webkit.org/show_bug.cgi?id=175165
820         http://trac.webkit.org/changeset/220271
821
822 2017-08-04  Youenn Fablet  <youenn@apple.com>
823
824         Remove STREAMS_API compilation guard
825         https://bugs.webkit.org/show_bug.cgi?id=175165
826
827         Reviewed by Darin Adler.
828
829         * Configurations/FeatureDefines.xcconfig:
830
831 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
832
833         [EsNext] Async iteration - Add feature flag
834         https://bugs.webkit.org/show_bug.cgi?id=166694
835
836         Reviewed by Yusuke Suzuki.
837
838         Add a feature flag to JSC to switch Async Iterator on/off
839
840         * runtime/Options.h:
841
842 2017-08-03  Brian Burg  <bburg@apple.com>
843
844         Remove ENABLE(WEB_SOCKET) guards
845         https://bugs.webkit.org/show_bug.cgi?id=167044
846
847         Reviewed by Joseph Pecoraro.
848
849         * Configurations/FeatureDefines.xcconfig:
850
851 2017-08-03  Youenn Fablet  <youenn@apple.com>
852
853         Remove FETCH_API compilation guard
854         https://bugs.webkit.org/show_bug.cgi?id=175154
855
856         Reviewed by Chris Dumez.
857
858         * Configurations/FeatureDefines.xcconfig:
859
860 2017-08-03  Matt Baker  <mattbaker@apple.com>
861
862         Web Inspector: Instrument WebGLProgram created/deleted
863         https://bugs.webkit.org/show_bug.cgi?id=175059
864
865         Reviewed by Devin Rousso.
866
867         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
868
869         * inspector/protocol/Canvas.json:
870
871 2017-08-03  Brady Eidson  <beidson@apple.com>
872
873         Add SW IDLs and stub out basic functionality.
874         https://bugs.webkit.org/show_bug.cgi?id=175115
875
876         Reviewed by Chris Dumez.
877
878         * Configurations/FeatureDefines.xcconfig:
879
880         * runtime/CommonIdentifiers.h:
881
882 2017-08-03  Mark Lam  <mark.lam@apple.com>
883
884         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
885         https://bugs.webkit.org/show_bug.cgi?id=175142
886         <rdar://problem/33704528>
887
888         Reviewed by Filip Pizlo.
889
890         The convention in the rest of JSC for such methods which return the address of
891         a field is to name them "addressOf<field name>".  We'll rename
892         ScratchBuffer::activeLengthPtr to be consistent with this convention.
893
894         * dfg/DFGSpeculativeJIT.cpp:
895         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
896         * dfg/DFGSpeculativeJIT32_64.cpp:
897         (JSC::DFG::SpeculativeJIT::compile):
898         * dfg/DFGSpeculativeJIT64.cpp:
899         (JSC::DFG::SpeculativeJIT::compile):
900         * dfg/DFGThunks.cpp:
901         (JSC::DFG::osrExitGenerationThunkGenerator):
902         * ftl/FTLLowerDFGToB3.cpp:
903         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
904         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
905         * ftl/FTLThunks.cpp:
906         (JSC::FTL::genericGenerationThunkGenerator):
907         * jit/AssemblyHelpers.cpp:
908         (JSC::AssemblyHelpers::debugCall):
909         * jit/ScratchRegisterAllocator.cpp:
910         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
911         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
912         * runtime/VM.h:
913         (JSC::ScratchBuffer::addressOfActiveLength):
914         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
915         * wasm/WasmBinding.cpp:
916         (JSC::Wasm::wasmToJs):
917
918 2017-08-02  Devin Rousso  <drousso@apple.com>
919
920         Web Inspector: add stack trace information for each RecordingAction
921         https://bugs.webkit.org/show_bug.cgi?id=174663
922
923         Reviewed by Joseph Pecoraro.
924
925         * inspector/ScriptCallFrame.h:
926         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
927         with an existing value doesn't require a functor and can use existing code.
928
929         * interpreter/StackVisitor.h:
930         * interpreter/StackVisitor.cpp:
931         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
932
933 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
934
935         Merge WTFThreadData to Thread::current
936         https://bugs.webkit.org/show_bug.cgi?id=174716
937
938         Reviewed by Mark Lam.
939
940         Use Thread::current() instead.
941
942         * API/JSContext.mm:
943         (+[JSContext currentContext]):
944         (+[JSContext currentThis]):
945         (+[JSContext currentCallee]):
946         (+[JSContext currentArguments]):
947         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
948         (-[JSContext endCallbackWithData:]):
949         * heap/Heap.cpp:
950         (JSC::Heap::requestCollection):
951         * runtime/Completion.cpp:
952         (JSC::checkSyntax):
953         (JSC::checkModuleSyntax):
954         (JSC::evaluate):
955         (JSC::loadAndEvaluateModule):
956         (JSC::loadModule):
957         (JSC::linkAndEvaluateModule):
958         (JSC::importModule):
959         * runtime/Identifier.cpp:
960         (JSC::Identifier::checkCurrentAtomicStringTable):
961         * runtime/InitializeThreading.cpp:
962         (JSC::initializeThreading):
963         * runtime/JSLock.cpp:
964         (JSC::JSLock::didAcquireLock):
965         (JSC::JSLock::willReleaseLock):
966         (JSC::JSLock::dropAllLocks):
967         (JSC::JSLock::grabAllLocks):
968         * runtime/JSLock.h:
969         * runtime/VM.cpp:
970         (JSC::VM::VM):
971         (JSC::VM::updateStackLimits):
972         (JSC::VM::committedStackByteCount):
973         * runtime/VM.h:
974         (JSC::VM::isSafeToRecurse const):
975         * runtime/VMEntryScope.cpp:
976         (JSC::VMEntryScope::VMEntryScope):
977         * runtime/VMInlines.h:
978         (JSC::VM::ensureStackCapacityFor):
979         * yarr/YarrPattern.cpp:
980         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
981
982 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
983
984         LLInt should do pointer caging
985         https://bugs.webkit.org/show_bug.cgi?id=175036
986
987         Reviewed by Keith Miller.
988
989         Implementing this in the LLInt was challenging because offlineasm did not previously know
990         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
991         to be where the Gigacage is enabled right now.
992
993         * llint/LLIntOfflineAsmConfig.h:
994         * llint/LowLevelInterpreter64.asm:
995         * offlineasm/ast.rb:
996         * offlineasm/x86.rb:
997
998 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
999
1000         Sweeping should only scribble when sweeping to free list
1001         https://bugs.webkit.org/show_bug.cgi?id=175105
1002
1003         Reviewed by Saam Barati.
1004         
1005         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
1006         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
1007         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
1008         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
1009         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
1010         when it doesn't matter anyway because we're building a free list.
1011         
1012         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
1013         zap.
1014
1015         * heap/MarkedBlockInlines.h:
1016         (JSC::MarkedBlock::Handle::specializedSweep):
1017
1018 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1019
1020         All C++ accesses to JSObject::m_butterfly should do caging
1021         https://bugs.webkit.org/show_bug.cgi?id=175039
1022
1023         Reviewed by Keith Miller.
1024         
1025         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
1026         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
1027         outside the gigacage.
1028
1029         * runtime/JSArray.cpp:
1030         (JSC::JSArray::setLength):
1031         (JSC::JSArray::pop):
1032         (JSC::JSArray::push):
1033         (JSC::JSArray::shiftCountWithAnyIndexingType):
1034         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1035         (JSC::JSArray::fillArgList):
1036         (JSC::JSArray::copyToArguments):
1037         * runtime/JSObject.cpp:
1038         (JSC::JSObject::heapSnapshot):
1039         (JSC::JSObject::createInitialIndexedStorage):
1040         (JSC::JSObject::createArrayStorage):
1041         (JSC::JSObject::convertUndecidedToInt32):
1042         (JSC::JSObject::convertUndecidedToDouble):
1043         (JSC::JSObject::convertUndecidedToContiguous):
1044         (JSC::JSObject::convertInt32ToDouble):
1045         (JSC::JSObject::convertInt32ToArrayStorage):
1046         (JSC::JSObject::convertDoubleToContiguous):
1047         (JSC::JSObject::convertDoubleToArrayStorage):
1048         (JSC::JSObject::convertContiguousToArrayStorage):
1049         (JSC::JSObject::defineOwnIndexedProperty):
1050         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1051         (JSC::JSObject::ensureLengthSlow):
1052         (JSC::JSObject::allocateMoreOutOfLineStorage):
1053         * runtime/JSObject.h:
1054         (JSC::JSObject::canGetIndexQuickly):
1055         (JSC::JSObject::getIndexQuickly):
1056         (JSC::JSObject::tryGetIndexQuickly const):
1057         (JSC::JSObject::canSetIndexQuickly):
1058         (JSC::JSObject::setIndexQuickly):
1059         (JSC::JSObject::initializeIndex):
1060         (JSC::JSObject::initializeIndexWithoutBarrier):
1061         (JSC::JSObject::butterfly const):
1062         (JSC::JSObject::butterfly):
1063
1064 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1065
1066         We should be OK with the gigacage being disabled on gmalloc
1067         https://bugs.webkit.org/show_bug.cgi?id=175082
1068
1069         Reviewed by Michael Saboff.
1070
1071         * jsc.cpp:
1072         (jscmain):
1073
1074 2017-08-02  Saam Barati  <sbarati@apple.com>
1075
1076         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
1077         https://bugs.webkit.org/show_bug.cgi?id=175041
1078         <rdar://problem/33659370>
1079
1080         Reviewed by Filip Pizlo.
1081
1082         The testing I have done shows that this new function is a ~10%
1083         progression running JetStream on 1GB iOS devices. I've also tried
1084         this on a few > 1GB iOS devices, and the testing shows this is either neutral
1085         or a regression. Right now, we'll just enable this for <= 1GB devices
1086         since it's a win. In the future, we might want to either look into
1087         tweaking these parameters or coming up with a new function for > 1GB
1088         devices.
1089
1090         * heap/Heap.cpp:
1091         * runtime/Options.h:
1092
1093 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
1094
1095         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
1096         https://bugs.webkit.org/show_bug.cgi?id=174727
1097
1098         Reviewed by Mark Lam.
1099         
1100         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
1101         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
1102         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
1103         
1104         This is neutral on JetStream.
1105
1106         * CMakeLists.txt:
1107         * JavaScriptCore.xcodeproj/project.pbxproj:
1108         * b3/B3InsertionSet.cpp:
1109         (JSC::B3::InsertionSet::execute):
1110         * dfg/DFGAbstractInterpreterInlines.h:
1111         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1112         * dfg/DFGArgumentsEliminationPhase.cpp:
1113         * dfg/DFGClobberize.cpp:
1114         (JSC::DFG::readsOverlap):
1115         * dfg/DFGClobberize.h:
1116         (JSC::DFG::clobberize):
1117         * dfg/DFGDoesGC.cpp:
1118         (JSC::DFG::doesGC):
1119         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
1120         (JSC::DFG::performFixedButterflyAccessUncaging):
1121         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
1122         * dfg/DFGFixupPhase.cpp:
1123         (JSC::DFG::FixupPhase::fixupNode):
1124         * dfg/DFGHeapLocation.cpp:
1125         (WTF::printInternal):
1126         * dfg/DFGHeapLocation.h:
1127         * dfg/DFGNodeType.h:
1128         * dfg/DFGPlan.cpp:
1129         (JSC::DFG::Plan::compileInThreadImpl):
1130         * dfg/DFGPredictionPropagationPhase.cpp:
1131         * dfg/DFGSafeToExecute.h:
1132         (JSC::DFG::safeToExecute):
1133         * dfg/DFGSpeculativeJIT.cpp:
1134         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1135         * dfg/DFGSpeculativeJIT32_64.cpp:
1136         (JSC::DFG::SpeculativeJIT::compile):
1137         * dfg/DFGSpeculativeJIT64.cpp:
1138         (JSC::DFG::SpeculativeJIT::compile):
1139         * dfg/DFGTypeCheckHoistingPhase.cpp:
1140         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1141         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1142         * ftl/FTLCapabilities.cpp:
1143         (JSC::FTL::canCompile):
1144         * ftl/FTLLowerDFGToB3.cpp:
1145         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1146         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1147         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1148         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1149         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1150         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1151         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1152         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1153         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
1154         (JSC::FTL::DFG::LowerDFGToB3::caged):
1155         * heap/GigacageSubspace.cpp: Added.
1156         (JSC::GigacageSubspace::GigacageSubspace):
1157         (JSC::GigacageSubspace::~GigacageSubspace):
1158         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
1159         (JSC::GigacageSubspace::freeAlignedMemory):
1160         (JSC::GigacageSubspace::canTradeBlocksWith):
1161         * heap/GigacageSubspace.h: Added.
1162         * heap/Heap.cpp:
1163         (JSC::Heap::Heap):
1164         (JSC::Heap::lastChanceToFinalize):
1165         (JSC::Heap::finalize):
1166         (JSC::Heap::sweepInFinalize):
1167         (JSC::Heap::updateAllocationLimits):
1168         (JSC::Heap::shouldDoFullCollection):
1169         (JSC::Heap::collectIfNecessaryOrDefer):
1170         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
1171         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
1172         (JSC::Heap::sweepLargeAllocations): Deleted.
1173         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
1174         * heap/Heap.h:
1175         * heap/LargeAllocation.cpp:
1176         (JSC::LargeAllocation::tryCreate):
1177         (JSC::LargeAllocation::destroy):
1178         * heap/MarkedAllocator.cpp:
1179         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1180         (JSC::MarkedAllocator::tryAllocateBlock):
1181         * heap/MarkedBlock.cpp:
1182         (JSC::MarkedBlock::tryCreate):
1183         (JSC::MarkedBlock::Handle::Handle):
1184         (JSC::MarkedBlock::Handle::~Handle):
1185         (JSC::MarkedBlock::Handle::didAddToAllocator):
1186         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1187         * heap/MarkedBlock.h:
1188         (JSC::MarkedBlock::Handle::subspace const):
1189         * heap/MarkedSpace.cpp:
1190         (JSC::MarkedSpace::~MarkedSpace):
1191         (JSC::MarkedSpace::freeMemory):
1192         (JSC::MarkedSpace::prepareForAllocation):
1193         (JSC::MarkedSpace::addMarkedAllocator):
1194         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
1195         * heap/MarkedSpace.h:
1196         (JSC::MarkedSpace::firstAllocator const):
1197         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
1198         * heap/Subspace.cpp:
1199         (JSC::Subspace::Subspace):
1200         (JSC::Subspace::canTradeBlocksWith):
1201         (JSC::Subspace::tryAllocateAlignedMemory):
1202         (JSC::Subspace::freeAlignedMemory):
1203         (JSC::Subspace::prepareForAllocation):
1204         (JSC::Subspace::findEmptyBlockToSteal):
1205         * heap/Subspace.h:
1206         (JSC::Subspace::didCreateFirstAllocator):
1207         * heap/SubspaceInlines.h:
1208         (JSC::Subspace::forEachAllocator):
1209         (JSC::Subspace::forEachMarkedBlock):
1210         (JSC::Subspace::forEachNotEmptyMarkedBlock):
1211         * jit/JITPropertyAccess.cpp:
1212         (JSC::JIT::emitDoubleLoad):
1213         (JSC::JIT::emitContiguousLoad):
1214         (JSC::JIT::emitArrayStorageLoad):
1215         (JSC::JIT::emitGenericContiguousPutByVal):
1216         (JSC::JIT::emitArrayStoragePutByVal):
1217         (JSC::JIT::emit_op_get_from_scope):
1218         (JSC::JIT::emit_op_put_to_scope):
1219         (JSC::JIT::emitIntTypedArrayGetByVal):
1220         (JSC::JIT::emitFloatTypedArrayGetByVal):
1221         (JSC::JIT::emitIntTypedArrayPutByVal):
1222         (JSC::JIT::emitFloatTypedArrayPutByVal):
1223         * jsc.cpp:
1224         (fillBufferWithContentsOfFile):
1225         (functionReadFile):
1226         (gigacageDisabled):
1227         (jscmain):
1228         * llint/LowLevelInterpreter64.asm:
1229         * runtime/ArrayBuffer.cpp:
1230         (JSC::ArrayBufferContents::tryAllocate):
1231         (JSC::ArrayBuffer::createAdopted):
1232         (JSC::ArrayBuffer::createFromBytes):
1233         (JSC::ArrayBuffer::tryCreate):
1234         * runtime/IndexingHeader.h:
1235         * runtime/InitializeThreading.cpp:
1236         (JSC::initializeThreading):
1237         * runtime/JSArrayBuffer.cpp:
1238         * runtime/JSArrayBufferView.cpp:
1239         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1240         (JSC::JSArrayBufferView::finalize):
1241         * runtime/JSLock.cpp:
1242         (JSC::JSLock::didAcquireLock):
1243         * runtime/JSObject.h:
1244         * runtime/Options.cpp:
1245         (JSC::recomputeDependentOptions):
1246         * runtime/Options.h:
1247         * runtime/ScopedArgumentsTable.h:
1248         * runtime/VM.cpp:
1249         (JSC::VM::VM):
1250         (JSC::VM::~VM):
1251         (JSC::VM::gigacageDisabledCallback):
1252         (JSC::VM::gigacageDisabled):
1253         * runtime/VM.h:
1254         (JSC::VM::fireGigacageEnabledIfNecessary):
1255         (JSC::VM::gigacageEnabled):
1256         * wasm/WasmB3IRGenerator.cpp:
1257         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1258         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1259         * wasm/WasmCodeBlock.cpp:
1260         (JSC::Wasm::CodeBlock::isSafeToRun):
1261         * wasm/WasmMemory.cpp:
1262         (JSC::Wasm::makeString):
1263         (JSC::Wasm::Memory::create):
1264         (JSC::Wasm::Memory::~Memory):
1265         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
1266         (JSC::Wasm::Memory::grow):
1267         (JSC::Wasm::Memory::initializePreallocations): Deleted.
1268         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
1269         * wasm/WasmMemory.h:
1270         * wasm/js/JSWebAssemblyInstance.cpp:
1271         (JSC::JSWebAssemblyInstance::create):
1272         * wasm/js/JSWebAssemblyMemory.cpp:
1273         (JSC::JSWebAssemblyMemory::grow):
1274         (JSC::JSWebAssemblyMemory::finishCreation):
1275         * wasm/js/JSWebAssemblyMemory.h:
1276         (JSC::JSWebAssemblyMemory::subspaceFor):
1277
1278 2017-07-31  Mark Lam  <mark.lam@apple.com>
1279
1280         Added some UNLIKELYs to operationOptimize().
1281         https://bugs.webkit.org/show_bug.cgi?id=174976
1282
1283         Reviewed by JF Bastien.
1284
1285         * jit/JITOperations.cpp:
1286
1287 2017-07-31  Keith Miller  <keith_miller@apple.com>
1288
1289         Make more things LLInt constexprs
1290         https://bugs.webkit.org/show_bug.cgi?id=174994
1291
1292         Reviewed by Saam Barati.
1293
1294         This patch makes more of the const values in the LLInt constexprs.
1295         It also deletes all of the no longer necessary static_asserts in
1296         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
1297
1298         * interpreter/ShadowChicken.h:
1299         (JSC::ShadowChicken::Packet::tailMarker):
1300         * llint/LLIntData.cpp:
1301         (JSC::LLInt::Data::performAssertions):
1302         * llint/LowLevelInterpreter.asm:
1303         * offlineasm/generate_offset_extractor.rb:
1304         * offlineasm/parser.rb:
1305
1306 2017-07-31  Matt Lewis  <jlewis3@apple.com>
1307
1308         Unreviewed, rolling out r220060.
1309
1310         This broke our internal builds. Contact the reviewer of the patch for
1311         more information.
1312
1313         Reverted changeset:
1314
1315         "Merge WTFThreadData to Thread::current"
1316         https://bugs.webkit.org/show_bug.cgi?id=174716
1317         http://trac.webkit.org/changeset/220060
1318
1319 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1320
1321         [JSC] Support optional catch binding
1322         https://bugs.webkit.org/show_bug.cgi?id=174981
1323
1324         Reviewed by Saam Barati.
1325
1326         This patch implements the optional catch binding proposal [1], which is now stage 3.
1327         This proposal adds a new `catch` brace with no error value binding.
1328
1329             ```
1330                 try {
1331                     ...
1332                 } catch {
1333                     ...
1334                 }
1335             ```
1336
1337         Sometimes we do not actually need the error value. For example, a function may return a
1338         boolean which indicates whether the function succeeded.
1339
1340             ```
1341             function parse(result) // -> bool
1342             {
1343                  try {
1344                      parseInner(result);
1345                  } catch {
1346                      return false;
1347                  }
1348                  return true;
1349             }
1350             ```
1351
1352         In the above case, we are not interested in the actual error value. Without this syntax,
1353         we always need to introduce a binding for an error value that is just ignored.
1354
1355         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
1356
1357         * bytecompiler/NodesCodegen.cpp:
1358         (JSC::TryNode::emitBytecode):
1359         * parser/Parser.cpp:
1360         (JSC::Parser<LexerType>::parseTryStatement):
1361
1362 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1363
1364         Merge WTFThreadData to Thread::current
1365         https://bugs.webkit.org/show_bug.cgi?id=174716
1366
1367         Reviewed by Sam Weinig.
1368
1369         Use Thread::current() instead.
1370
1371         * API/JSContext.mm:
1372         (+[JSContext currentContext]):
1373         (+[JSContext currentThis]):
1374         (+[JSContext currentCallee]):
1375         (+[JSContext currentArguments]):
1376         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1377         (-[JSContext endCallbackWithData:]):
1378         * heap/Heap.cpp:
1379         (JSC::Heap::requestCollection):
1380         * runtime/Completion.cpp:
1381         (JSC::checkSyntax):
1382         (JSC::checkModuleSyntax):
1383         (JSC::evaluate):
1384         (JSC::loadAndEvaluateModule):
1385         (JSC::loadModule):
1386         (JSC::linkAndEvaluateModule):
1387         (JSC::importModule):
1388         * runtime/Identifier.cpp:
1389         (JSC::Identifier::checkCurrentAtomicStringTable):
1390         * runtime/InitializeThreading.cpp:
1391         (JSC::initializeThreading):
1392         * runtime/JSLock.cpp:
1393         (JSC::JSLock::didAcquireLock):
1394         (JSC::JSLock::willReleaseLock):
1395         (JSC::JSLock::dropAllLocks):
1396         (JSC::JSLock::grabAllLocks):
1397         * runtime/JSLock.h:
1398         * runtime/VM.cpp:
1399         (JSC::VM::VM):
1400         (JSC::VM::updateStackLimits):
1401         (JSC::VM::committedStackByteCount):
1402         * runtime/VM.h:
1403         (JSC::VM::isSafeToRecurse const):
1404         * runtime/VMEntryScope.cpp:
1405         (JSC::VMEntryScope::VMEntryScope):
1406         * runtime/VMInlines.h:
1407         (JSC::VM::ensureStackCapacityFor):
1408         * yarr/YarrPattern.cpp:
1409         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1410
1411 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1412
1413         [WTF] Introduce Private Symbols
1414         https://bugs.webkit.org/show_bug.cgi?id=174935
1415
1416         Reviewed by Darin Adler.
1417
1418         Use SymbolImpl::isPrivate().
1419
1420         * builtins/BuiltinNames.cpp:
1421         * builtins/BuiltinNames.h:
1422         (JSC::BuiltinNames::isPrivateName): Deleted.
1423         * builtins/BuiltinUtils.h:
1424         * bytecode/BytecodeIntrinsicRegistry.cpp:
1425         (JSC::BytecodeIntrinsicRegistry::lookup):
1426         * runtime/CommonIdentifiers.cpp:
1427         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1428         * runtime/CommonIdentifiers.h:
1429         * runtime/ExceptionHelpers.cpp:
1430         (JSC::createUndefinedVariableError):
1431         * runtime/Identifier.h:
1432         (JSC::Identifier::isPrivateName):
1433         * runtime/IdentifierInlines.h:
1434         (JSC::identifierToSafePublicJSValue):
1435         * runtime/ObjectConstructor.cpp:
1436         (JSC::objectConstructorAssign):
1437         (JSC::defineProperties):
1438         (JSC::setIntegrityLevel):
1439         (JSC::testIntegrityLevel):
1440         (JSC::ownPropertyKeys):
1441         * runtime/PrivateName.h:
1442         (JSC::PrivateName::PrivateName):
1443         * runtime/PropertyName.h:
1444         (JSC::PropertyName::isPrivateName):
1445         * runtime/ProxyObject.cpp:
1446         (JSC::performProxyGet):
1447         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1448         (JSC::ProxyObject::performHasProperty):
1449         (JSC::ProxyObject::performPut):
1450         (JSC::ProxyObject::performDelete):
1451         (JSC::ProxyObject::performDefineOwnProperty):
1452
1453 2017-07-29  Keith Miller  <keith_miller@apple.com>
1454
1455         LLInt offsets extractor should be able to handle C++ constexprs
1456         https://bugs.webkit.org/show_bug.cgi?id=174964
1457
1458         Reviewed by Saam Barati.
1459
1460         This patch adds new syntax to the offline asm language. The new keyword,
1461         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1462         expression. Additionally, if the value is not an identifier you can wrap it in
1463         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1464         which will get converted into:
1465         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1466
1467         This patch also changes the data format the LLIntOffsetsExtractor
1468         binary produces.  Previously, it would produce unsigned values;
1469         after this patch every value is an int64_t.  Using an int64_t is
1470         useful because it means that we can represent any constant needed.
1471         int32_t masks are sign extended, then passed and converted to a
1472         negative literal string in the assembler so it will be the constant
1473         expected.
1474
1475         * llint/LLIntOffsetsExtractor.cpp:
1476         (JSC::LLIntOffsetsExtractor::dummy):
1477         * llint/LowLevelInterpreter.asm:
1478         * llint/LowLevelInterpreter64.asm:
1479         * offlineasm/asm.rb:
1480         * offlineasm/ast.rb:
1481         * offlineasm/generate_offset_extractor.rb:
1482         * offlineasm/offsets.rb:
1483         * offlineasm/parser.rb:
1484         * offlineasm/transform.rb:
1485
1486 2017-07-28  Matt Baker  <mattbaker@apple.com>
1487
1488         Web Inspector: capture an async stack trace when web content calls addEventListener
1489         https://bugs.webkit.org/show_bug.cgi?id=174739
1490         <rdar://problem/33468197>
1491
1492         Reviewed by Brian Burg.
1493
1494         Allow debugger agents to perform custom logic when asynchronous stack
1495         trace data is cleared. For example, the PageDebuggerAgent would clear
1496         its list of registered listeners for which call stacks have been recorded.
1497
1498         * inspector/agents/InspectorDebuggerAgent.cpp:
1499         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1500         * inspector/agents/InspectorDebuggerAgent.h:
1501
1502 2017-07-28  Mark Lam  <mark.lam@apple.com>
1503
1504         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
1505         https://bugs.webkit.org/show_bug.cgi?id=174948
1506         <rdar://problem/33495680>
1507
1508         Reviewed by Filip Pizlo.
1509
1510         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
1511         owner StructureRareData is already known to be dead (in terms of GC liveness) but
1512         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
1513         requests to fire this watchpoint.
1514
1515         If the GC had the chance to sweep the StructureRareData, thereby destructing the
1516         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
1517         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
1518
1519         But since the watchpoint hasn't been destructed yet, it still remains on the
1520         WatchpointSet and needs to guard against being fired in this state.  The fix is
1521         to simply return early if its owner StructureRareData is not live.  This has the
1522         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
1523         not firing as we would expect.
1524
1525         This patch also removes some cargo cult copying of watchpoint code which
1526         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
1527         used.  This patch removes these unnecessary instantiations.
1528
1529         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1530         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1531         * runtime/StructureRareData.cpp:
1532         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1533         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1534
1535 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1536
1537         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
1538         https://bugs.webkit.org/show_bug.cgi?id=174900
1539
1540         Reviewed by Saam Barati.
1541
1542         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
1543         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
1544         The problem is that the transforming phase also checks these pseudo terminals.
1545
1546             BB1
1547             1: ForceOSRExit
1548             2: CreateDirectArguments
1549
1550             BB2
1551             3: GetButterfly(@2)
1552             4: ForceOSRExit
1553
1554         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
1555
1556         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
1557
1558         * dfg/DFGArgumentsEliminationPhase.cpp:
1559
1560 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
1561
1562         [ES] Add support finally to Promise
1563         https://bugs.webkit.org/show_bug.cgi?id=174503
1564
1565         Reviewed by Yusuke Suzuki.
1566
1567         Add support for the `finally` method to Promise according
1568         to https://bugs.webkit.org/show_bug.cgi?id=174503.
1569         Current spec (stage 3):
1570         https://github.com/tc39/proposal-promise-finally
1571
1572         * builtins/PromisePrototype.js:
1573         (finally):
1574         (const.valueThunk):
1575         (globalPrivate.getThenFinally):
1576         (const.thrower):
1577         (globalPrivate.getCatchFinally):
1578         * runtime/JSPromisePrototype.cpp:
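
The `finally` semantics this entry implements, as an added plain-JavaScript model that is not JSC's `builtins/PromisePrototype.js`: the helper names `getThenFinally`, `getCatchFinally`, `valueThunk` and `thrower` follow the entry, while `promiseFinally`, `settlementOf` and `demo` are names chosen for this example, and the spec's species-constructor lookup is simplified to `Promise.resolve`.

```javascript
// Added example: a plain-JavaScript model of Promise.prototype.finally as specified by
// the stage-3 proposal cited in the entry. It is not JSC's builtin implementation; the
// helper names mirror the entry (getThenFinally, getCatchFinally, valueThunk, thrower),
// and the species-constructor lookup of the spec is simplified to Promise.resolve.

function getThenFinally(onFinally) {
    // Fulfillment reaction: run onFinally, wait for whatever it returns, then replay
    // the original value. A rejection coming out of onFinally replaces that value.
    return function thenFinally(value) {
        const result = onFinally();
        const valueThunk = () => value;
        return Promise.resolve(result).then(valueThunk);
    };
}

function getCatchFinally(onFinally) {
    // Rejection reaction: run onFinally, wait for whatever it returns, then re-throw
    // the original reason. A rejection coming out of onFinally replaces that reason.
    return function catchFinally(reason) {
        const result = onFinally();
        const thrower = () => { throw reason; };
        return Promise.resolve(result).then(thrower);
    };
}

// promiseFinally(promise, onFinally) behaves like promise.finally(onFinally).
function promiseFinally(promise, onFinally) {
    // Per spec, a non-callable onFinally is handed to then() unchanged, so the result
    // simply mirrors the original promise's settlement.
    if (typeof onFinally !== "function")
        return promise.then(onFinally, onFinally);
    return promise.then(getThenFinally(onFinally), getCatchFinally(onFinally));
}

// Records how a promise settles without letting a rejection escape.
function settlementOf(promise) {
    return promise.then(
        value => ({ status: "fulfilled", value }),
        reason => ({ status: "rejected", reason }));
}

// demo() exercises the observable rules of finally and resolves to the settlements
// plus the order in which the onFinally callbacks ran.
function demo() {
    const log = [];
    return Promise.all([
        // 1. The fulfilled value passes through even though onFinally returns 99.
        settlementOf(promiseFinally(Promise.resolve(42), () => { log.push("a"); return 99; })),
        // 2. The rejection reason passes through; onFinally is called with no argument.
        settlementOf(promiseFinally(Promise.reject("boom"), () => { log.push("b"); })),
        // 3. A promise returned from onFinally is awaited before the value is restored.
        settlementOf(promiseFinally(Promise.resolve("v"),
            () => new Promise(resolve => setTimeout(() => { log.push("c"); resolve(); }, 5)))),
        // 4. A throw inside onFinally replaces the original settlement with a rejection.
        settlementOf(promiseFinally(Promise.resolve("lost"), () => { throw "replaced"; })),
        // 5. A non-callable onFinally leaves the settlement untouched.
        settlementOf(promiseFinally(Promise.resolve("same"), null)),
    ]).then(results => ({ results, log }));
}

demo().then(outcome => console.log(JSON.stringify(outcome, null, 2)));
```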
1579
1580 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1581
1582         Unreviewed, build fix for CLoop
1583         https://bugs.webkit.org/show_bug.cgi?id=171637
1584
1585         * domjit/DOMJITGetterSetter.h:
1586
1587 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1588
1589         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
1590         https://bugs.webkit.org/show_bug.cgi?id=171637
1591
1592         Reviewed by Darin Adler.
1593
1594         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
1595         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
1596
1597         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
1598         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
1599
1600         In IC, we drop CheckSubClass completely since the IC's Structure check subsumes it. We do not enable this optimization for
1601         the op_get_by_id_with_this case yet.
1602         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
1603
1604         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
1605         ClassInfo check.
1606
1607         * CMakeLists.txt:
1608         * JavaScriptCore.xcodeproj/project.pbxproj:
1609         * bytecode/AccessCase.cpp:
1610         (JSC::AccessCase::generateImpl):
1611         * bytecode/GetByIdStatus.cpp:
1612         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1613         * bytecode/GetByIdVariant.cpp:
1614         (JSC::GetByIdVariant::GetByIdVariant):
1615         (JSC::GetByIdVariant::operator=):
1616         (JSC::GetByIdVariant::attemptToMerge):
1617         (JSC::GetByIdVariant::dumpInContext):
1618         * bytecode/GetByIdVariant.h:
1619         (JSC::GetByIdVariant::customAccessorGetter):
1620         (JSC::GetByIdVariant::domAttribute):
1621         (JSC::GetByIdVariant::domJIT): Deleted.
1622         * bytecode/GetterSetterAccessCase.cpp:
1623         (JSC::GetterSetterAccessCase::create):
1624         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1625         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1626         * bytecode/GetterSetterAccessCase.h:
1627         (JSC::GetterSetterAccessCase::domAttribute):
1628         (JSC::GetterSetterAccessCase::customAccessor):
1629         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1630         * bytecompiler/BytecodeGenerator.cpp:
1631         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1632         * create_hash_table:
1633         * dfg/DFGAbstractInterpreterInlines.h:
1634         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1635         * dfg/DFGByteCodeParser.cpp:
1636         (JSC::DFG::blessCallDOMGetter):
1637         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1638         (JSC::DFG::ByteCodeParser::handleGetById):
1639         * dfg/DFGClobberize.h:
1640         (JSC::DFG::clobberize):
1641         * dfg/DFGFixupPhase.cpp:
1642         (JSC::DFG::FixupPhase::fixupNode):
1643         * dfg/DFGNode.h:
1644         * dfg/DFGSpeculativeJIT.cpp:
1645         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1646         * dfg/DFGSpeculativeJIT.h:
1647         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1648         * domjit/DOMJITGetterSetter.h:
1649         (JSC::DOMJIT::GetterSetter::GetterSetter):
1650         (JSC::DOMJIT::GetterSetter::getter):
1651         (JSC::DOMJIT::GetterSetter::compiler):
1652         (JSC::DOMJIT::GetterSetter::resultType):
1653         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1654         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1655         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1656         * ftl/FTLLowerDFGToB3.cpp:
1657         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1658         * jit/Repatch.cpp:
1659         (JSC::tryCacheGetByID):
1660         * jsc.cpp:
1661         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1662         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1663         (WTF::DOMJITGetter::customGetter):
1664         (WTF::DOMJITGetter::finishCreation):
1665         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1666         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1667         (WTF::DOMJITGetterComplex::customGetter):
1668         (WTF::DOMJITGetterComplex::finishCreation):
1669         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1670         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1671         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1672         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1673         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1674         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1675         * runtime/CustomGetterSetter.h:
1676         (JSC::CustomGetterSetter::create):
1677         (JSC::CustomGetterSetter::setter):
1678         (JSC::CustomGetterSetter::CustomGetterSetter):
1679         (): Deleted.
1680         * runtime/DOMAnnotation.h: Added.
1681         (JSC::operator==):
1682         (JSC::operator!=):
1683         * runtime/DOMAttributeGetterSetter.cpp: Added.
1684         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1685         (JSC::isDOMAttributeGetterSetter):
1686         * runtime/Error.cpp:
1687         (JSC::throwDOMAttributeGetterTypeError):
1688         * runtime/Error.h:
1689         (JSC::throwVMDOMAttributeGetterTypeError):
1690         * runtime/JSCustomGetterSetterFunction.cpp:
1691         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1692         * runtime/JSObject.cpp:
1693         (JSC::JSObject::putInlineSlow):
1694         (JSC::JSObject::deleteProperty):
1695         (JSC::JSObject::getOwnStaticPropertySlot):
1696         (JSC::JSObject::reifyAllStaticProperties):
1697         (JSC::JSObject::fillGetterPropertySlot):
1698         (JSC::JSObject::findPropertyHashEntry): Deleted.
1699         * runtime/JSObject.h:
1700         (JSC::JSObject::getOwnNonIndexPropertySlot):
1701         (JSC::JSObject::fillCustomGetterPropertySlot):
1702         * runtime/Lookup.cpp:
1703         (JSC::setUpStaticFunctionSlot):
1704         * runtime/Lookup.h:
1705         (JSC::HashTableValue::domJIT):
1706         (JSC::getStaticPropertySlotFromTable):
1707         (JSC::putEntry):
1708         (JSC::lookupPut):
1709         (JSC::reifyStaticProperty):
1710         (JSC::reifyStaticProperties):
1711         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
1712         this static property table require.
1713
1714         * runtime/ProgramExecutable.cpp:
1715         (JSC::ProgramExecutable::initializeGlobalProperties):
1716         * runtime/PropertyName.h:
1717         * runtime/PropertySlot.cpp:
1718         (JSC::PropertySlot::customGetter):
1719         (JSC::PropertySlot::customAccessorGetter):
1720         * runtime/PropertySlot.h:
1721         (JSC::PropertySlot::domAttribute):
1722         (JSC::PropertySlot::setCustom):
1723         (JSC::PropertySlot::setCacheableCustom):
1724         (JSC::PropertySlot::getValue):
1725         (JSC::PropertySlot::domJIT): Deleted.
1726         * runtime/VM.cpp:
1727         (JSC::VM::VM):
1728         * runtime/VM.h:
1729
1730 2017-07-26  Devin Rousso  <drousso@apple.com>
1731
1732         Web Inspector: create protocol for recording Canvas contexts
1733         https://bugs.webkit.org/show_bug.cgi?id=174481
1734
1735         Reviewed by Joseph Pecoraro.
1736
1737         * inspector/protocol/Canvas.json:
1738          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1739          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1740          - Add `recordingFinished` event that is fired once a recording is finished.
1741
1742         * CMakeLists.txt:
1743         * DerivedSources.make:
1744         * inspector/protocol/Recording.json: Added.
1745          - Add `Type` enum that lists the types of recordings
1746          - Add `InitialState` type that contains information about the canvas context at the
1747            beginning of the recording.
1748          - Add `Frame` type that holds a list of actions that were recorded.
1749          - Add `Recording` type as the container object of recording data.
1750
1751         * inspector/scripts/codegen/generate_js_backend_commands.py:
1752         (JSBackendCommandsGenerator.generate_domain):
1753         Create an agent for domains with no events or commands.
1754
1755         * inspector/InspectorValues.h:
1756         Make Array `get` public so that values can be retrieved if needed.
1757
1758 2017-07-26  Brian Burg  <bburg@apple.com>
1759
1760         Remove WEB_TIMING feature flag
1761         https://bugs.webkit.org/show_bug.cgi?id=174795
1762
1763         Reviewed by Alex Christensen.
1764
1765         * Configurations/FeatureDefines.xcconfig:
1766
1767 2017-07-26  Mark Lam  <mark.lam@apple.com>
1768
1769         Add the ability to change sp and pc to the ARM64 JIT probe.
1770         https://bugs.webkit.org/show_bug.cgi?id=174697
1771         <rdar://problem/33436965>
1772
1773         Reviewed by JF Bastien.
1774
1775         This patch implements the following:
1776
1777         1. The ARM64 probe now supports modifying the pc and sp.
1778
1779            However, lr is not preserved when modifying the pc because it is used as the
1780            scratch register for the indirect jump. Hence, the probe handler function
1781            may not modify both lr and pc in the same probe invocation.
1782
1783         2. Fix probe tests to use bitwise comparison when comparing double register
1784            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1785
1786         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1787            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1788            instructions which require 16 byte alignment for their memory access.
1789
1790         * assembler/MacroAssemblerARM64.cpp:
1791         (JSC::arm64ProbeError):
1792         (JSC::MacroAssembler::probe):
1793         (JSC::arm64ProbeTrampoline): Deleted.
1794         * assembler/testmasm.cpp:
1795         (JSC::isSpecialGPR):
1796         (JSC::testProbeReadsArgumentRegisters):
1797         (JSC::testProbeWritesArgumentRegisters):
1798         (JSC::testProbePreservesGPRS):
1799         (JSC::testProbeModifiesStackPointer):
1800         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1801         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1802
1803 2017-07-25  JF Bastien  <jfbastien@apple.com>
1804
1805         WebAssembly: generate smaller binaries
1806         https://bugs.webkit.org/show_bug.cgi?id=174818
1807
1808         Reviewed by Filip Pizlo.
1809
1810         This patch reduces generated code size for WebAssembly in 2 ways:
1811
1812         1. Use the ZR register when storing zero on ARM64.
1813         2. Synthesize wasm context lazily.
1814
1815         This leads to a modest size reduction on both x86-64 and ARM64 for
1816         large WebAssembly games, without any performance loss on WasmBench
1817         and TitzerBench.
1818
1819         The reason this works is that these games, using Emscripten,
1820         generate 100k+ tiny functions, and our JIT allocation granule
1821         rounds all allocations up to 32 bytes. There are plenty of other
1822         simple gains to be had, I've filed a follow-up bug at
1823         webkit.org/b/174819
1824
1825         We should further avoid the per-function cost of tiering, which
1826         represents the bulk of code generated for small functions.
1827
1828         * assembler/MacroAssemblerARM64.h:
1829         (JSC::MacroAssemblerARM64::storeZero64):
1830         * assembler/MacroAssemblerX86_64.h:
1831         (JSC::MacroAssemblerX86_64::storeZero64):
1832         * b3/B3LowerToAir.cpp:
1833         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1834         for x86 because it constrains register reuse and codegen in a way
1835         that doesn't affect ARM64 because it has a dedicated zero
1836         register.
1837         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1838         * wasm/WasmB3IRGenerator.cpp:
1839         (JSC::Wasm::B3IRGenerator::instanceValue):
1840         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1841         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1842         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1843
1844 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1845
1846         B3 should do LICM
1847         https://bugs.webkit.org/show_bug.cgi?id=174750
1848
1849         Reviewed by Keith Miller and Saam Barati.
1850         
1851         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1852         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1853         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1854         change templatizes DFG::NaturalLoops so that we can just use it.
1855         
1856         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1857         the relationship between control dependence and side exits.
1858         
1859         Also added a bunch of tests.
1860         
1861         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1862         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1863         so it doesn't hurt to have it.
1864         
1865         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1866         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1867         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1868         eventually.
1869
1870         * CMakeLists.txt:
1871         * JavaScriptCore.xcodeproj/project.pbxproj:
1872         * b3/B3BackwardsCFG.h: Added.
1873         (JSC::B3::BackwardsCFG::BackwardsCFG):
1874         * b3/B3BackwardsDominators.h: Added.
1875         (JSC::B3::BackwardsDominators::BackwardsDominators):
1876         * b3/B3BasicBlock.cpp:
1877         (JSC::B3::BasicBlock::appendNonTerminal):
1878         * b3/B3Effects.h:
1879         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1880         (JSC::B3::ensureLoopPreHeaders):
1881         * b3/B3EnsureLoopPreHeaders.h: Added.
1882         * b3/B3Generate.cpp:
1883         (JSC::B3::generateToAir):
1884         * b3/B3HoistLoopInvariantValues.cpp: Added.
1885         (JSC::B3::hoistLoopInvariantValues):
1886         * b3/B3HoistLoopInvariantValues.h: Added.
1887         * b3/B3NaturalLoops.h: Added.
1888         (JSC::B3::NaturalLoops::NaturalLoops):
1889         * b3/B3Procedure.cpp:
1890         (JSC::B3::Procedure::invalidateCFG):
1891         (JSC::B3::Procedure::naturalLoops):
1892         (JSC::B3::Procedure::backwardsCFG):
1893         (JSC::B3::Procedure::backwardsDominators):
1894         * b3/B3Procedure.h:
1895         * b3/testb3.cpp:
1896         (JSC::B3::generateLoop):
1897         (JSC::B3::makeArrayForLoops):
1898         (JSC::B3::generateLoopNotBackwardsDominant):
1899         (JSC::B3::oneFunction):
1900         (JSC::B3::noOpFunction):
1901         (JSC::B3::testLICMPure):
1902         (JSC::B3::testLICMPureSideExits):
1903         (JSC::B3::testLICMPureWritesPinned):
1904         (JSC::B3::testLICMPureWrites):
1905         (JSC::B3::testLICMReadsLocalState):
1906         (JSC::B3::testLICMReadsPinned):
1907         (JSC::B3::testLICMReads):
1908         (JSC::B3::testLICMPureNotBackwardsDominant):
1909         (JSC::B3::testLICMPureFoiledByChild):
1910         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1911         (JSC::B3::testLICMExitsSideways):
1912         (JSC::B3::testLICMWritesLocalState):
1913         (JSC::B3::testLICMWrites):
1914         (JSC::B3::testLICMFence):
1915         (JSC::B3::testLICMWritesPinned):
1916         (JSC::B3::testLICMControlDependent):
1917         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1918         (JSC::B3::testLICMControlDependentSideExits):
1919         (JSC::B3::testLICMReadsPinnedWritesPinned):
1920         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1921         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1922         (JSC::B3::testLICMDefaultCall):
1923         (JSC::B3::run):
1924         * dfg/DFGBasicBlock.h:
1925         * dfg/DFGCFG.h:
1926         * dfg/DFGNaturalLoops.cpp: Removed.
1927         * dfg/DFGNaturalLoops.h:
1928         (JSC::DFG::NaturalLoops::NaturalLoops):
1929         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1930         (JSC::DFG::NaturalLoop::header): Deleted.
1931         (JSC::DFG::NaturalLoop::size): Deleted.
1932         (JSC::DFG::NaturalLoop::at): Deleted.
1933         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1934         (JSC::DFG::NaturalLoop::contains): Deleted.
1935         (JSC::DFG::NaturalLoop::index): Deleted.
1936         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1937         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1938         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1939         (JSC::DFG::NaturalLoops::loop): Deleted.
1940         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1941         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1942         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1943         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1944         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1945
1946 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1947
1948         GC should be fine with trading blocks between destructor and non-destructor blocks
1949         https://bugs.webkit.org/show_bug.cgi?id=174811
1950
1951         Reviewed by Mark Lam.
1952         
1953         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1954         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1955         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1956         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1957         set.
1958         
1959         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1960         is empty if:
1961         
1962         A) It has no live objects and it's a non-destructor block, or
1963         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1964         C) We just stole it from another allocator (so it also has no destructors), or
1965         D) We just swept the block and ran all destructors.
1966         
1967         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1968         block that could be stolen.
1969
1970         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1971         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1972         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1973         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1974         
1975         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1976         
1977         If we tried to enable trading of blocks between allocators without making any changes to how
1978         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1979         live objects in order for those bits to be candidates for trading. But if we do that, then our
1980         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1981         our destructors won't run and we'll leak memory.
1982         
1983         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1984         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1985         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1986         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1987         are (empty & ~destructible).
1988         
1989         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1990         remove destructor-oriented special-casing of block trading.
1991
1992         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1993         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1994         pathological cases.
1995         
1996         * heap/MarkedAllocator.cpp:
1997         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1998         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1999         (JSC::MarkedAllocator::endMarking):
2000         (JSC::MarkedAllocator::shrink):
2001         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
2002         * heap/MarkedAllocator.h:
2003         * heap/MarkedBlock.cpp:
2004         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2005         (JSC::MarkedBlock::Handle::sweep):
2006         * heap/MarkedBlockInlines.h:
2007         (JSC::MarkedBlock::Handle::specializedSweep):
2008         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
2009         (JSC::MarkedBlock::Handle::emptyMode):
2010
2011 2017-07-25  Keith Miller  <keith_miller@apple.com>
2012
2013         Remove Broken CompareEq constant folding phase.
2014         https://bugs.webkit.org/show_bug.cgi?id=174846
2015         <rdar://problem/32978808>
2016
2017         Reviewed by Saam Barati.
2018
2019         This bug happened when we would get code like the following:
2020
2021         a: JSConst(Undefined)
2022         b: GetLocal(SomeObjectOrUndefined)
2023         ...
2024         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
2025
2026         constant folding will turn this into:
2027
2028         a: JSConst(Undefined)
2029         b: GetLocal(SomeObjectOrUndefined)
2030         ...
2031         c: CompareEq(Check:ObjectOrOther:b, Other:a)
2032
2033         But the SpeculativeJIT/FTL lowering will fail to check b
2034         properly which leads to an assertion failure in the AI.
2035
2036         I'll follow up with a more robust fix later. For now, I'll remove the
2037         case that generates the code. Removing the code appears to be perf
2038         neutral.
2039
2040         * dfg/DFGConstantFoldingPhase.cpp:
2041         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2042
2043 2017-07-25  Matt Baker  <mattbaker@apple.com>
2044
2045         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
2046         https://bugs.webkit.org/show_bug.cgi?id=174738
2047
2048         Reviewed by Brian Burg.
2049
2050         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
2051         stack traces. This preserves the call type in JSC, makes the range of
2052         possible call types explicit, and is safer than passing ints.
2053
2054         * inspector/agents/InspectorDebuggerAgent.cpp:
2055         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
2056         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2057         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2058         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2059         * inspector/agents/InspectorDebuggerAgent.h:
2060
2061 2017-07-25  Mark Lam  <mark.lam@apple.com>
2062
2063         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
2064         https://bugs.webkit.org/show_bug.cgi?id=174809
2065         <rdar://problem/33504759>
2066
2067         Reviewed by Filip Pizlo.
2068
2069         1. When the probe handler function changes the sp register to point to the
2070            region of stack in the middle of the ProbeContext on the stack, there is a
2071            bug where the ProbeContext's register values to be restored can be overwritten
2072            before they can be restored.  This is now fixed.
2073
2074         2. Added more robust probe tests for changing the sp register.
2075
2076         3. Made existing probe tests ensure that probe handlers were actually called.
2077
2078         4. Added some verification to testProbePreservesGPRS().
2079
2080         5. Change all the probe tests to fail early on discovering an error instead of
2081            batching until the end of the test.  This helps point a finger at the failing
2082            issue earlier.
2083
2084         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
2085         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
2086
2087         * assembler/MacroAssemblerARM.cpp:
2088         * assembler/MacroAssemblerARMv7.cpp:
2089         * assembler/MacroAssemblerX86Common.cpp:
2090         * assembler/testmasm.cpp:
2091         (JSC::testProbeReadsArgumentRegisters):
2092         (JSC::testProbeWritesArgumentRegisters):
2093         (JSC::testProbePreservesGPRS):
2094         (JSC::testProbeModifiesStackPointer):
2095         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2096         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2097         (JSC::testProbeModifiesProgramCounter):
2098         (JSC::run):
2099
2100 2017-07-25  Brian Burg  <bburg@apple.com>
2101
2102         Web Automation: add support for uploading files
2103         https://bugs.webkit.org/show_bug.cgi?id=174797
2104         <rdar://problem/28485063>
2105
2106         Reviewed by Joseph Pecoraro.
2107
2108         * inspector/scripts/generate-inspector-protocol-bindings.py:
2109         (generate_from_specification):
2110         Start generating frontend dispatcher code if the target framework is 'WebKit'.
2111
2112         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2113         (CppFrontendDispatcherImplementationGenerator.generate_output):
2114         Use a framework include for InspectorFrontendRouter.h since this generated code
2115         will be compiled outside of WebCore.framework.
2116
2117         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2118         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2119         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2120         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2121         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2122         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2123         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2124         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2125         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2126         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2127         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2128         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2129         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2130         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2131         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2132         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2133         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2134         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2135         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2136         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2137         Rebaseline code generator tests.
2138
2139 2017-07-24  Mark Lam  <mark.lam@apple.com>
2140
2141         Gardening: fixed C Loop build after r219790.
2142         https://bugs.webkit.org/show_bug.cgi?id=174696
2143
2144         Not reviewed.
2145
2146         * assembler/testmasm.cpp:
2147
2148 2017-07-23  Mark Lam  <mark.lam@apple.com>
2149
2150         Create regression tests for the JIT probe.
2151         https://bugs.webkit.org/show_bug.cgi?id=174696
2152         <rdar://problem/33436922>
2153
2154         Reviewed by Saam Barati.
2155
2156         The new testmasm will test the following:
2157         1. the probe is able to read the value of CPU registers.
2158         2. the probe is able to write the value of CPU registers.
2159         3. the probe is able to preserve all CPU registers.
2160         4. special case of (2): the probe is able to change the value of the stack pointer.
2161         5. special case of (2): the probe is able to change the value of the program counter
2162            i.e. the probe can change where the code continues executing upon returning from
2163            the probe.
2164
2165         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
2166         because it does not support changing the sp and pc yet.  The ARM64 probe
2167         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
2168         later.
2169
2170         * Configurations/ToolExecutable.xcconfig:
2171         * JavaScriptCore.xcodeproj/project.pbxproj:
2172         * assembler/MacroAssembler.h:
2173         (JSC::MacroAssembler::CPUState::pc):
2174         (JSC::MacroAssembler::CPUState::fp):
2175         (JSC::MacroAssembler::CPUState::sp):
2176         (JSC::ProbeContext::pc):
2177         (JSC::ProbeContext::fp):
2178         (JSC::ProbeContext::sp):
2179         * assembler/MacroAssemblerARM64.cpp:
2180         (JSC::arm64ProbeTrampoline):
2181         * assembler/MacroAssemblerPrinter.cpp:
2182         (JSC::Printer::printPCRegister):
2183         * assembler/testmasm.cpp: Added.
2184         (hiddenTruthBecauseNoReturnIsStupid):
2185         (usage):
2186         (JSC::nextID):
2187         (JSC::isPC):
2188         (JSC::isSP):
2189         (JSC::isFP):
2190         (JSC::compile):
2191         (JSC::invoke):
2192         (JSC::compileAndRun):
2193         (JSC::testSimple):
2194         (JSC::testProbeReadsArgumentRegisters):
2195         (JSC::testProbeWritesArgumentRegisters):
2196         (JSC::testFunctionToTrashRegisters):
2197         (JSC::testProbePreservesGPRS):
2198         (JSC::testProbeModifiesStackPointer):
2199         (JSC::testProbeModifiesProgramCounter):
2200         (JSC::run):
2201         (run):
2202         (main):
2203         * b3/air/testair.cpp:
2204         (usage):
2205         * shell/CMakeLists.txt:
2206
2207 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
2208
2209         It should be easy to decide how WebKit yields
2210         https://bugs.webkit.org/show_bug.cgi?id=174298
2211
2212         Reviewed by Saam Barati.
2213         
2214         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
2215
2216         * heap/Heap.cpp:
2217         (JSC::Heap::resumeThePeriphery):
2218         * heap/VisitingTimeout.h:
2219         * runtime/JSCell.cpp:
2220         (JSC::JSCell::lockSlow):
2221         (JSC::JSCell::unlockSlow):
2222         * runtime/JSCell.h:
2223         * runtime/JSCellInlines.h:
2224         (JSC::JSCell::lock):
2225         (JSC::JSCell::unlock):
2226         * runtime/JSLock.cpp:
2227         (JSC::JSLock::grabAllLocks):
2228         * runtime/SamplingProfiler.cpp:
2229
2230 2017-07-21  Mark Lam  <mark.lam@apple.com>
2231
2232         Refactor MASM probe CPUState to use arrays for register storage.
2233         https://bugs.webkit.org/show_bug.cgi?id=174694
2234
2235         Reviewed by Keith Miller.
2236
2237         Using arrays for register storage in CPUState allows us to do away with the
2238         huge switch statements to decode each register id.  We can now simply index into
2239         the arrays.
2240
2241         With this patch, we now:
2242
2243         1. Remove the need for macros for defining the list of CPU registers.
2244            We can go back to simple enums.  This makes the code easier to read.
2245
2246         2. Make the assembler the authority on register names.
2247            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
2248            GPRInfo and FPRInfo now forward to the assembler.
2249
2250         3. Make the assembler the authority on the number of registers of each type.
2251
2252         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
2253            This is inconsistent with how every other CPU architecture implements
2254            lastRegister().  This patch fixes it to return the true last GPR, i.e. pc, but
2255            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
2256
2257         * assembler/ARM64Assembler.h:
2258         (JSC::ARM64Assembler::numberOfRegisters):
2259         (JSC::ARM64Assembler::firstSPRegister):
2260         (JSC::ARM64Assembler::lastSPRegister):
2261         (JSC::ARM64Assembler::numberOfSPRegisters):
2262         (JSC::ARM64Assembler::numberOfFPRegisters):
2263         (JSC::ARM64Assembler::gprName):
2264         (JSC::ARM64Assembler::sprName):
2265         (JSC::ARM64Assembler::fprName):
2266         * assembler/ARMAssembler.h:
2267         (JSC::ARMAssembler::numberOfRegisters):
2268         (JSC::ARMAssembler::firstSPRegister):
2269         (JSC::ARMAssembler::lastSPRegister):
2270         (JSC::ARMAssembler::numberOfSPRegisters):
2271         (JSC::ARMAssembler::numberOfFPRegisters):
2272         (JSC::ARMAssembler::gprName):
2273         (JSC::ARMAssembler::sprName):
2274         (JSC::ARMAssembler::fprName):
2275         * assembler/ARMv7Assembler.h:
2276         (JSC::ARMv7Assembler::lastRegister):
2277         (JSC::ARMv7Assembler::numberOfRegisters):
2278         (JSC::ARMv7Assembler::firstSPRegister):
2279         (JSC::ARMv7Assembler::lastSPRegister):
2280         (JSC::ARMv7Assembler::numberOfSPRegisters):
2281         (JSC::ARMv7Assembler::numberOfFPRegisters):
2282         (JSC::ARMv7Assembler::gprName):
2283         (JSC::ARMv7Assembler::sprName):
2284         (JSC::ARMv7Assembler::fprName):
2285         * assembler/AbstractMacroAssembler.h:
2286         (JSC::AbstractMacroAssembler::numberOfRegisters):
2287         (JSC::AbstractMacroAssembler::gprName):
2288         (JSC::AbstractMacroAssembler::firstSPRegister):
2289         (JSC::AbstractMacroAssembler::lastSPRegister):
2290         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
2291         (JSC::AbstractMacroAssembler::sprName):
2292         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
2293         (JSC::AbstractMacroAssembler::fprName):
2294         * assembler/MIPSAssembler.h:
2295         (JSC::MIPSAssembler::numberOfRegisters):
2296         (JSC::MIPSAssembler::firstSPRegister):
2297         (JSC::MIPSAssembler::lastSPRegister):
2298         (JSC::MIPSAssembler::numberOfSPRegisters):
2299         (JSC::MIPSAssembler::numberOfFPRegisters):
2300         (JSC::MIPSAssembler::gprName):
2301         (JSC::MIPSAssembler::sprName):
2302         (JSC::MIPSAssembler::fprName):
2303         * assembler/MacroAssembler.h:
2304         (JSC::MacroAssembler::CPUState::gprName):
2305         (JSC::MacroAssembler::CPUState::sprName):
2306         (JSC::MacroAssembler::CPUState::fprName):
2307         (JSC::MacroAssembler::CPUState::gpr):
2308         (JSC::MacroAssembler::CPUState::spr):
2309         (JSC::MacroAssembler::CPUState::fpr):
2310         (JSC::MacroAssembler::CPUState::pc):
2311         (JSC::MacroAssembler::CPUState::fp):
2312         (JSC::MacroAssembler::CPUState::sp):
2313         (JSC::ProbeContext::gpr):
2314         (JSC::ProbeContext::spr):
2315         (JSC::ProbeContext::fpr):
2316         (JSC::ProbeContext::gprName):
2317         (JSC::ProbeContext::sprName):
2318         (JSC::ProbeContext::fprName):
2319         (JSC::MacroAssembler::numberOfRegisters): Deleted.
2320         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
2321         * assembler/MacroAssemblerARM.cpp:
2322         * assembler/MacroAssemblerARM64.cpp:
2323         (JSC::arm64ProbeTrampoline):
2324         * assembler/MacroAssemblerARMv7.cpp:
2325         * assembler/MacroAssemblerPrinter.cpp:
2326         (JSC::Printer::nextID):
2327         (JSC::Printer::printAllRegisters):
2328         (JSC::Printer::printPCRegister):
2329         (JSC::Printer::printRegisterID):
2330         (JSC::Printer::printAddress):
2331         * assembler/MacroAssemblerX86Common.cpp:
2332         * assembler/X86Assembler.h:
2333         (JSC::X86Assembler::numberOfRegisters):
2334         (JSC::X86Assembler::firstSPRegister):
2335         (JSC::X86Assembler::lastSPRegister):
2336         (JSC::X86Assembler::numberOfSPRegisters):
2337         (JSC::X86Assembler::numberOfFPRegisters):
2338         (JSC::X86Assembler::gprName):
2339         (JSC::X86Assembler::sprName):
2340         (JSC::X86Assembler::fprName):
2341         * jit/FPRInfo.h:
2342         (JSC::FPRInfo::debugName):
2343         * jit/GPRInfo.h:
2344         (JSC::GPRInfo::debugName):
2345         * jit/RegisterSet.cpp:
2346         (JSC::RegisterSet::reservedHardwareRegisters):
2347
2348 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2349
2350         [JSC] Introduce static symbols
2351         https://bugs.webkit.org/show_bug.cgi?id=158863
2352
2353         Reviewed by Darin Adler.
2354
2355         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
2356         As a result, we can share the same Symbol values between VMs and threads.
2357         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
2358
2359         * CMakeLists.txt:
2360         * JavaScriptCore.xcodeproj/project.pbxproj:
2361         * builtins/BuiltinNames.cpp: Added.
2362         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
2363
2364         * builtins/BuiltinNames.h:
2365         (JSC::BuiltinNames::BuiltinNames):
2366         * builtins/BuiltinUtils.h:
2367
2368 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2369
2370         [FTL] Arguments elimination is suppressed by unreachable blocks
2371         https://bugs.webkit.org/show_bug.cgi?id=174352
2372
2373         Reviewed by Filip Pizlo.
2374
2375         If we do not execute `op_get_by_id`, our value profiling tells us it is unpredictable and DFG emits ForceOSRExit.
2376         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
2377         Since GetById without information can escape arguments if it is specified, non-executed code including
2378         op_get_by_id with arguments can escape arguments.
2379
2380         For example,
2381
2382             function test(flag)
2383             {
2384                 if (flag) {
2385                     // This is not executed, but emits GetById with arguments.
2386                     // It prevents us from eliminating materialization.
2387                     return arguments.length;
2388                 }
2389                 return arguments.length;
2390             }
2391             noInline(test);
2392             while (true)
2393                 test(false);
2394
2395         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
2396         So this GetById exists and escapes arguments.
2397
2398         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
2399         If one is found, the following GetById does not escape arguments. Compared to performing AI, it is
2400         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
2401
2402         * dfg/DFGArgumentsEliminationPhase.cpp:
2403         * dfg/DFGNode.h:
2404         (JSC::DFG::Node::isPseudoTerminal):
2405         * dfg/DFGValidate.cpp:
2406
2407 2017-07-20  Chris Dumez  <cdumez@apple.com>
2408
2409         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
2410         https://bugs.webkit.org/show_bug.cgi?id=174660
2411
2412         Reviewed by Geoffrey Garen.
2413
2414         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2415         This essentially replaces a branch to figure out if the new size is less than or greater than the
2416         current size with an assertion.
2417
2418         * b3/B3BasicBlockUtils.h:
2419         (JSC::B3::clearPredecessors):
2420         * b3/B3InferSwitches.cpp:
2421         * b3/B3LowerToAir.cpp:
2422         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2423         * b3/B3ReduceStrength.cpp:
2424         * b3/B3SparseCollection.h:
2425         (JSC::B3::SparseCollection::packIndices):
2426         * b3/B3UseCounts.cpp:
2427         (JSC::B3::UseCounts::UseCounts):
2428         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2429         * b3/air/AirEmitShuffle.cpp:
2430         (JSC::B3::Air::emitShuffle):
2431         * b3/air/AirLowerAfterRegAlloc.cpp:
2432         (JSC::B3::Air::lowerAfterRegAlloc):
2433         * b3/air/AirOptimizeBlockOrder.cpp:
2434         (JSC::B3::Air::optimizeBlockOrder):
2435         * bytecode/Operands.h:
2436         (JSC::Operands::ensureLocals):
2437         * bytecode/PreciseJumpTargets.cpp:
2438         (JSC::computePreciseJumpTargetsInternal):
2439         * dfg/DFGBlockInsertionSet.cpp:
2440         (JSC::DFG::BlockInsertionSet::execute):
2441         * dfg/DFGBlockMapInlines.h:
2442         (JSC::DFG::BlockMap<T>::BlockMap):
2443         * dfg/DFGByteCodeParser.cpp:
2444         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2445         (JSC::DFG::ByteCodeParser::clearCaches):
2446         * dfg/DFGDisassembler.cpp:
2447         (JSC::DFG::Disassembler::Disassembler):
2448         * dfg/DFGFlowIndexing.cpp:
2449         (JSC::DFG::FlowIndexing::recompute):
2450         * dfg/DFGGraph.cpp:
2451         (JSC::DFG::Graph::registerFrozenValues):
2452         * dfg/DFGInPlaceAbstractState.cpp:
2453         (JSC::DFG::setLiveValues):
2454         * dfg/DFGLICMPhase.cpp:
2455         (JSC::DFG::LICMPhase::run):
2456         * dfg/DFGLivenessAnalysisPhase.cpp:
2457         * dfg/DFGNaturalLoops.cpp:
2458         (JSC::DFG::NaturalLoops::NaturalLoops):
2459         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2460         * ftl/FTLLowerDFGToB3.cpp:
2461         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2462         * heap/CodeBlockSet.cpp:
2463         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2464         * heap/MarkedSpace.cpp:
2465         (JSC::MarkedSpace::sweepLargeAllocations):
2466         * inspector/ContentSearchUtilities.cpp:
2467         (Inspector::ContentSearchUtilities::findMagicComment):
2468         * interpreter/ShadowChicken.cpp:
2469         (JSC::ShadowChicken::update):
2470         * parser/ASTBuilder.h:
2471         (JSC::ASTBuilder::shrinkOperandStackBy):
2472         * parser/Lexer.h:
2473         (JSC::Lexer::setOffset):
2474         * runtime/RegExpInlines.h:
2475         (JSC::RegExp::matchInline):
2476         * runtime/RegExpPrototype.cpp:
2477         (JSC::genericSplit):
2478         * yarr/RegularExpression.cpp:
2479         (JSC::Yarr::RegularExpression::match):
2480
2481 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2482
2483         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
2484         https://bugs.webkit.org/show_bug.cgi?id=174678
2485
2486         Reviewed by Mark Lam.
2487
2488         Use Thread& instead.
2489
2490         * runtime/JSLock.cpp:
2491         (JSC::JSLock::didAcquireLock):
2492
2493 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2494
2495         [WTF] Implement WTF::ThreadGroup
2496         https://bugs.webkit.org/show_bug.cgi?id=174081
2497
2498         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2499
2500         Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup.
2501         And SamplingProfiler and others interact with WTF::Thread directly.
2502
2503         * API/tests/ExecutionTimeLimitTest.cpp:
2504         * heap/MachineStackMarker.cpp:
2505         (JSC::MachineThreads::MachineThreads):
2506         (JSC::captureStack):
2507         (JSC::MachineThreads::tryCopyOtherThreadStack):
2508         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2509         (JSC::MachineThreads::gatherConservativeRoots):
2510         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2511         (JSC::ActiveMachineThreadsManager::add): Deleted.
2512         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2513         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2514         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2515         (JSC::activeMachineThreadsManager): Deleted.
2516         (JSC::MachineThreads::~MachineThreads): Deleted.
2517         (JSC::MachineThreads::addCurrentThread): Deleted.
2518         (): Deleted.
2519         (JSC::MachineThreads::removeThread): Deleted.
2520         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2521         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2522         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2523         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2524         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2525         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2526         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2527         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2528         * heap/MachineStackMarker.h:
2529         (JSC::MachineThreads::addCurrentThread):
2530         (JSC::MachineThreads::getLock):
2531         (JSC::MachineThreads::threads):
2532         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2533         (JSC::MachineThreads::MachineThread::resume): Deleted.
2534         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2535         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2536         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2537         (JSC::MachineThreads::threadsListHead): Deleted.
2538         * runtime/SamplingProfiler.cpp:
2539         (JSC::FrameWalker::isValidFramePointer):
2540         (JSC::SamplingProfiler::SamplingProfiler):
2541         (JSC::SamplingProfiler::takeSample):
2542         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2543         * runtime/SamplingProfiler.h:
2544         * wasm/WasmMachineThreads.cpp:
2545         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2546
2547 2017-07-18  Andy Estes  <aestes@apple.com>
2548
2549         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
2550         https://bugs.webkit.org/show_bug.cgi?id=174631
2551
2552         Reviewed by Tim Horton.
2553
2554         * Configurations/Base.xcconfig:
2555         * b3/B3FoldPathConstants.cpp:
2556         * b3/B3LowerMacros.cpp:
2557         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2558         * dfg/DFGByteCodeParser.cpp:
2559         (JSC::DFG::ByteCodeParser::check):
2560         (JSC::DFG::ByteCodeParser::planLoad):
2561
2562 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2563
2564         WTF::Thread should have the threads stack bounds.
2565         https://bugs.webkit.org/show_bug.cgi?id=173975
2566
2567         Reviewed by Mark Lam.
2568
2569         There is a site in JSC that tries to walk another thread's stack.
2570         Currently, stack bounds are stored in WTFThreadData which is located
2571         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2572         We work around this situation by holding StackBounds in MachineThread in JSC,
2573         but StackBounds should be put in WTF::Thread instead.
2574
2575         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
2576         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
2577
2578         * heap/MachineStackMarker.cpp:
2579         (JSC::MachineThreads::MachineThread::MachineThread):
2580         (JSC::MachineThreads::MachineThread::captureStack):
2581         * heap/MachineStackMarker.h:
2582         (JSC::MachineThreads::MachineThread::stackBase):
2583         (JSC::MachineThreads::MachineThread::stackEnd):
2584         * runtime/VMTraps.cpp:
2585
2586 2017-07-18  Andy Estes  <aestes@apple.com>
2587
2588         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
2589         https://bugs.webkit.org/show_bug.cgi?id=174631
2590
2591         Reviewed by Sam Weinig.
2592
2593         * Configurations/Base.xcconfig:
2594
2595 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2596
2597         Web Inspector: Modernize InjectedScriptSource
2598         https://bugs.webkit.org/show_bug.cgi?id=173890
2599
2600         Reviewed by Brian Burg.
2601
2602         * inspector/InjectedScript.h:
2603         Reorder functions to be slightly better.
2604
2605         * inspector/InjectedScriptSource.js:
2606         - Convert to classes named InjectedScript and RemoteObject
2607         - Align InjectedScript's API with the wrapper C++ interfaces
2608         - Move some code to RemoteObject where appropriate (subtype, describe)
2609         - Move some code to helper functions (isPrimitiveValue, isDefined)
2610         - Refactor for readability and modern features
2611         - Remove some unused / unnecessary code
2612
2613 2017-07-18  Mark Lam  <mark.lam@apple.com>
2614
2615         Butterfly storage need not be initialized for indexing type Undecided.
2616         https://bugs.webkit.org/show_bug.cgi?id=174516
2617
2618         Reviewed by Saam Barati.
2619
2620         While it's not incorrect to initialize the butterfly storage when the
2621         indexingType is Undecided, it is inefficient as we'll end up initializing
2622         it again later when we convert the storage to a different indexingType.
2623         Some of our code already skips initializing Undecided butterflies.
2624         This patch makes it the consistent behavior everywhere.
2625
2626         * dfg/DFGSpeculativeJIT.cpp:
2627         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2628         * runtime/JSArray.cpp:
2629         (JSC::JSArray::tryCreateUninitializedRestricted):
2630         * runtime/JSArray.h:
2631         (JSC::JSArray::tryCreate):
2632         * runtime/JSObject.cpp:
2633         (JSC::JSObject::ensureLengthSlow):
2634
2635 2017-07-18  Saam Barati  <sbarati@apple.com>
2636
2637         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2638         https://bugs.webkit.org/show_bug.cgi?id=174515
2639         <rdar://problem/33358092>
2640
2641         Reviewed by Filip Pizlo.
2642
2643         AirLowerAfterRegAlloc was computing the set of available scratch
2644         registers incorrectly. It was always excluding callee save registers
2645         from the set of live registers. It did not guarantee that live callee save
2646         registers were not in the set of scratch registers that could
2647         get clobbered. That's incorrect as the shuffling code is free
2648         to overwrite whatever is in the scratch register it gets passed.
2649
2650         * b3/air/AirLowerAfterRegAlloc.cpp:
2651         (JSC::B3::Air::lowerAfterRegAlloc):
2652         * b3/testb3.cpp:
2653         (JSC::B3::functionNineArgs):
2654         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2655         (JSC::B3::run):
2656         * jit/RegisterSet.h:
2657
2658 2017-07-18  Andy Estes  <aestes@apple.com>
2659
2660         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2661         https://bugs.webkit.org/show_bug.cgi?id=174631
2662
2663         Reviewed by Dan Bernstein.
2664
2665         * Configurations/Base.xcconfig:
2666
2667 2017-07-18  Devin Rousso  <drousso@apple.com>
2668
2669         Web Inspector: Add memoryCost to Inspector Protocol objects
2670         https://bugs.webkit.org/show_bug.cgi?id=174478
2671
2672         Reviewed by Joseph Pecoraro.
2673
2674         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
2675         plus the memoryCost of the data if it is a string.
2676
2677         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2678
2679         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2680         key plus the memoryCost of the InspectorValue for each entry.
2681
2682         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2683
2684         * inspector/InspectorValues.h:
2685         * inspector/InspectorValues.cpp:
2686         (Inspector::InspectorValue::memoryCost):
2687         (Inspector::InspectorObjectBase::memoryCost):
2688         (Inspector::InspectorArrayBase::memoryCost):
2689
2690 2017-07-18  Andy Estes  <aestes@apple.com>
2691
2692         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2693         https://bugs.webkit.org/show_bug.cgi?id=174631
2694
2695         Reviewed by Darin Adler.
2696
2697         * Configurations/Base.xcconfig:
2698
2699 2017-07-18  Michael Saboff  <msaboff@apple.com>
2700
2701         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2702         https://bugs.webkit.org/show_bug.cgi?id=174601
2703
2704         Reviewed by Alex Christensen.
2705
2706         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2707         objects after a regular expression has been compiled.
2708
2709         * runtime/Options.h:
2710         * yarr/YarrPattern.cpp:
2711         (JSC::Yarr::YarrPattern::compile):
2712         (JSC::Yarr::indentForNestingLevel):
2713         (JSC::Yarr::dumpUChar32):
2714         (JSC::Yarr::PatternAlternative::dump):
2715         (JSC::Yarr::PatternTerm::dumpQuantifier):
2716         (JSC::Yarr::PatternTerm::dump):
2717         (JSC::Yarr::PatternDisjunction::dump):
2718         (JSC::Yarr::YarrPattern::dumpPattern):
2719         * yarr/YarrPattern.h:
2720         (JSC::Yarr::YarrPattern::global):
2721
2722 2017-07-17  Darin Adler  <darin@apple.com>
2723
2724         Improve use of NeverDestroyed
2725         https://bugs.webkit.org/show_bug.cgi?id=174348
2726
2727         Reviewed by Sam Weinig.
2728
2729         * heap/MachineStackMarker.cpp:
2730         * wasm/WasmMemory.cpp:
2731         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2732         of NeverDestroyed.
2733
2734 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2735
2736         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2737         https://bugs.webkit.org/show_bug.cgi?id=174547
2738
2739         Reviewed by Alex Christensen.
2740
2741         * CMakeLists.txt:
2742         * shell/CMakeLists.txt:
2743
2744 2017-07-17  Saam Barati  <sbarati@apple.com>
2745
2746         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2747         https://bugs.webkit.org/show_bug.cgi?id=174584
2748
2749         Rubber stamped by Keith Miller.
2750
2751         I used it to diagnose a bug. The bug is now fixed. This custom
2752         RELEASE_ASSERT is no longer needed.
2753
2754         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2755
2756 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2757
2758         -Wformat-truncation warning in ConfigFile.cpp
2759         https://bugs.webkit.org/show_bug.cgi?id=174506
2760
2761         Reviewed by Darin Adler.
2762
2763         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2764         return ParseError.
2765
2766         * runtime/ConfigFile.cpp:
2767         (JSC::ConfigFile::parse):
2768
2769 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2770
2771         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2772         https://bugs.webkit.org/show_bug.cgi?id=174557
2773
2774         Reviewed by Michael Catanzaro.
2775
2776         * CMakeLists.txt:
2777
2778 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2779
2780         [WTF] Use std::unique_ptr for StackTrace
2781         https://bugs.webkit.org/show_bug.cgi?id=174495
2782
2783         Reviewed by Alex Christensen.
2784
2785         * runtime/ExceptionScope.cpp:
2786         (JSC::ExceptionScope::unexpectedExceptionMessage):
2787         * runtime/VM.cpp:
2788         (JSC::VM::throwException):
2789
2790 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2791
2792         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2793         https://bugs.webkit.org/show_bug.cgi?id=174423
2794
2795         Reviewed by Saam Barati.
2796
2797         * dfg/DFGAvailabilityMap.cpp:
2798         (JSC::DFG::AvailabilityMap::pruneHeap):
2799         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2800
2801 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2802
2803         Fix compiler warnings when building with GCC 7
2804         https://bugs.webkit.org/show_bug.cgi?id=174463
2805
2806         Reviewed by Darin Adler.
2807
2808         * disassembler/udis86/udis86_decode.c:
2809         (decode_operand):
2810
2811 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2812
2813         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2814         https://bugs.webkit.org/show_bug.cgi?id=174467
2815
2816         Reviewed by Saam Barati.
2817
2818         * bytecode/CallLinkInfo.cpp:
2819         (JSC::CallLinkInfo::callTypeFor):
2820
2821 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2822
2823         Web Inspector: Remove unused and untested Page domain commands
2824         https://bugs.webkit.org/show_bug.cgi?id=174429
2825
2826         Reviewed by Timothy Hatcher.
2827
2828         * inspector/protocol/Page.json:
2829
2830 2017-07-13  Saam Barati  <sbarati@apple.com>
2831
2832         Missing exception check in JSObject::hasInstance
2833         https://bugs.webkit.org/show_bug.cgi?id=174455
2834         <rdar://problem/31384608>
2835
2836         Reviewed by Mark Lam.
2837
2838         * runtime/JSObject.cpp:
2839         (JSC::JSObject::hasInstance):
2840
2841 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2842
2843         [ESnext] Implement Object Spread
2844         https://bugs.webkit.org/show_bug.cgi?id=167963
2845
2846         Reviewed by Saam Barati.
2847
2848         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
2849         It's implemented using CopyDataPropertiesNoExclusions to copy
2850         all enumerable keys from the object being spread. The implementation of
2851         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2852         implementation; however, we don't receive excludedNames as a parameter.
2853
2854         [1] - https://github.com/tc39/proposal-object-rest-spread
2855
2856         * builtins/GlobalOperations.js:
2857         (globalPrivate.copyDataPropertiesNoExclusions):
2858         * bytecompiler/BytecodeGenerator.cpp:
2859         (JSC::BytecodeGenerator::emitLoad):
2860         * bytecompiler/NodesCodegen.cpp:
2861         (JSC::PropertyListNode::emitBytecode):
2862         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2863         * parser/ASTBuilder.h:
2864         (JSC::ASTBuilder::createObjectSpreadExpression):
2865         (JSC::ASTBuilder::createProperty):
2866         * parser/NodeConstructors.h:
2867         (JSC::PropertyNode::PropertyNode):
2868         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2869         * parser/Nodes.h:
2870         (JSC::ObjectSpreadExpressionNode::expression):
2871         * parser/Parser.cpp:
2872         (JSC::Parser<LexerType>::parseProperty):
2873         * parser/SyntaxChecker.h:
2874         (JSC::SyntaxChecker::createObjectSpreadExpression):
2875         (JSC::SyntaxChecker::createProperty):
2876
2877 2017-07-12  Mark Lam  <mark.lam@apple.com>
2878
2879         Gardening: build fix after r219434.
2880         https://bugs.webkit.org/show_bug.cgi?id=174441
2881
2882         Not reviewed.
2883
2884         Make public some MacroAssembler functions that are needed by the probe implementation.
2885
2886         * assembler/MacroAssemblerARM.h:
2887         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2888         * assembler/MacroAssemblerARMv7.h:
2889         (JSC::MacroAssemblerARMv7::linkCall):
2890
2891 2017-07-12  Mark Lam  <mark.lam@apple.com>
2892
2893         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2894         https://bugs.webkit.org/show_bug.cgi?id=174441
2895
2896         Reviewed by Saam Barati.
2897
2898         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2899         to MacroAssembler.  There is no code behavior change.
2900
2901         * assembler/AbstractMacroAssembler.h:
2902         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2903         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2904         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2905         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2906         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2907         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2908         * assembler/MacroAssembler.h:
2909         (JSC::MacroAssembler::CPUState::gprName):
2910         (JSC::MacroAssembler::CPUState::fprName):
2911         (JSC::MacroAssembler::CPUState::gpr):
2912         (JSC::MacroAssembler::CPUState::fpr):
2913         * assembler/MacroAssemblerARM.cpp:
2914         (JSC::MacroAssembler::probe):
2915         (JSC::MacroAssemblerARM::probe): Deleted.
2916         * assembler/MacroAssemblerARM.h:
2917         * assembler/MacroAssemblerARM64.cpp:
2918         (JSC::MacroAssembler::probe):
2919         (JSC::MacroAssemblerARM64::probe): Deleted.
2920         * assembler/MacroAssemblerARM64.h:
2921         * assembler/MacroAssemblerARMv7.cpp:
2922         (JSC::MacroAssembler::probe):
2923         (JSC::MacroAssemblerARMv7::probe): Deleted.
2924         * assembler/MacroAssemblerARMv7.h:
2925         * assembler/MacroAssemblerMIPS.h:
2926         * assembler/MacroAssemblerX86Common.cpp:
2927         (JSC::MacroAssembler::probe):
2928         (JSC::MacroAssemblerX86Common::probe): Deleted.
2929         * assembler/MacroAssemblerX86Common.h:
2930
2931 2017-07-12  Saam Barati  <sbarati@apple.com>
2932
2933         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2934         https://bugs.webkit.org/show_bug.cgi?id=174411
2935         <rdar://problem/31696186>
2936
2937         Reviewed by Mark Lam.
2938
2939         The code for deleting an argument was incorrectly referencing state
2940         when it decided if it should unmap or mark a property as having its
2941         descriptor modified. This patch fixes the bug where if we delete a
2942         property, we would sometimes not unmap an argument when deleting it.
2943
2944         * runtime/GenericArgumentsInlines.h:
2945         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2946         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2947         (JSC::GenericArguments<Type>::deleteProperty):
2948         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2949
2950 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2951
2952         Unreviewed, rolling out r219176.
2953         https://bugs.webkit.org/show_bug.cgi?id=174436
2954
2955         "Can cause infinite recursion on iOS" (Requested by mlam on
2956         #webkit).
2957
2958         Reverted changeset:
2959
2960         "WTF::Thread should have the threads stack bounds."
2961         https://bugs.webkit.org/show_bug.cgi?id=173975
2962         http://trac.webkit.org/changeset/219176
2963
2964 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2965
2966         Unreviewed, rolling out r219401.
2967
2968         This revision rolled out the previous patch, but after talking
2969         with reviewer, a rebaseline is what was needed. Rolling back in
2970         before rebaseline.
2971
2972         Reverted changeset:
2973
2974         "Unreviewed, rolling out r219379."
2975         https://bugs.webkit.org/show_bug.cgi?id=174400
2976         http://trac.webkit.org/changeset/219401
2977
2978 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2979
2980         Unreviewed, rolling out r219379.
2981
2982         This revision caused a consistent failure in the test
2983         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
2985
2986         Reverted changeset:
2987
2988         "Remove NAVIGATOR_HWCONCURRENCY"
2989         https://bugs.webkit.org/show_bug.cgi?id=174400
2990         http://trac.webkit.org/changeset/219379
2991
2992 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2993
2994         Wrong radix used in Unicode Escape in invalid character error message
2995         https://bugs.webkit.org/show_bug.cgi?id=174419
2996
2997         Reviewed by Alex Christensen.
2998
2999         * parser/Lexer.cpp:
3000         (JSC::Lexer<T>::invalidCharacterMessage):
3001
3002 2017-07-11  Dean Jackson  <dino@apple.com>
3003
3004         Remove NAVIGATOR_HWCONCURRENCY
3005         https://bugs.webkit.org/show_bug.cgi?id=174400
3006
3007         Reviewed by Sam Weinig.
3008
3009         * Configurations/FeatureDefines.xcconfig:
3010
3011 2017-07-11  Dean Jackson  <dino@apple.com>
3012
3013         Rolling out r219372.
3014
3015         * Configurations/FeatureDefines.xcconfig:
3016
3017 2017-07-11  Dean Jackson  <dino@apple.com>
3018
3019         Remove NAVIGATOR_HWCONCURRENCY
3020         https://bugs.webkit.org/show_bug.cgi?id=174400
3021
3022         Reviewed by Sam Weinig.
3023
3024         * Configurations/FeatureDefines.xcconfig:
3025
3026 2017-07-11  Saam Barati  <sbarati@apple.com>
3027
3028         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
3029         https://bugs.webkit.org/show_bug.cgi?id=174397
3030
3031         Rubber stamped by David Kilzer.
3032
3033         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
3034         * wasm/js/WebAssemblyFunctionCell.h: Removed.
3035
3036 2017-07-10  Saam Barati  <sbarati@apple.com>
3037
3038         Allocation sinking phase should consider a CheckStructure that would fail as an escape
3039         https://bugs.webkit.org/show_bug.cgi?id=174321
3040         <rdar://problem/32604963>
3041
3042         Reviewed by Filip Pizlo.
3043
3044         When the allocation sinking phase was generating stores to materialize
3045         objects in a cycle with each other, it would assume that each materialized
3046         object had a valid, non-empty, set of structures. This is an OK assumption for
3047         the phase to make because how do you materialize an object with no structure?
3048         
3049         The abstract interpretation part of the phase will model what's in the heap.
3050         However, it would sometimes model that a CheckStructure would fail. The phase
3051         did nothing special for this; it just stored the empty set of structures for
3052         its representation of a particular allocation. However, what the phase proved
3053         in such a scenario is that, had the CheckStructure executed, it would have exited.
3054         
3055         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
3056         This will cause the allocation in question to be materialized just before
3057         the CheckStructure, and then at execution time, the CheckStructure will exit.
3058         
3059         I wasn't able to write a test case for this. However, I was able to reproduce
3060         this crash by manually editing the IR. I've opened a separate bug to help us
3061         create a testing framework for writing tests for hard to reproduce bugs like this:
3062         https://bugs.webkit.org/show_bug.cgi?id=174322
3063
3064         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3065
3066 2017-07-10  Devin Rousso  <drousso@apple.com>
3067
3068         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
3069         https://bugs.webkit.org/show_bug.cgi?id=174279
3070
3071         Reviewed by Matt Baker.
3072
3073         * inspector/protocol/DOM.json:
3074         Add `highlightNodeList` command that will highlight each node in the given list.
3075
3076 2017-07-03  Brian Burg  <bburg@apple.com>
3077
3078         Web Replay: remove some unused code
3079         https://bugs.webkit.org/show_bug.cgi?id=173903
3080
3081         Rubber-stamped by Joseph Pecoraro.
3082
3083         * CMakeLists.txt:
3084         * Configurations/FeatureDefines.xcconfig:
3085         * DerivedSources.make:
3086         * JavaScriptCore.xcodeproj/project.pbxproj:
3087         * inspector/protocol/Replay.json: Removed.
3088         * replay/EmptyInputCursor.h: Removed.
3089         * replay/EncodedValue.cpp: Removed.
3090         * replay/EncodedValue.h: Removed.
3091         * replay/InputCursor.h: Removed.
3092         * replay/JSInputs.json: Removed.
3093         * replay/NondeterministicInput.h: Removed.
3094         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
3095         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
3096         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
3097         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
3098         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
3099         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
3100         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
3101         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
3102         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
3103         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
3104         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
3105         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
3106         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
3107         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
3108         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
3109         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
3110         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
3111         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
3112         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
3113         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
3114         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
3115         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
3116         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
3117         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
3118         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
3119         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
3120         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
3121         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
3122         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
3123         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
3124         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
3125         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
3126         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
3127         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
3128         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
3129         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
3130         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
3131         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
3132         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
3133         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
3134         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
3135         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
3136         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
3137         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
3138         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
3139         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
3140         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
3141         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
3142         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
3143         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
3144         * replay/scripts/tests/generate-input-with-guard.json: Removed.
3145         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
3146         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
3147         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
3148         * runtime/DateConstructor.cpp:
3149         (JSC::constructDate):
3150         (JSC::dateNow):
3151         (JSC::deterministicCurrentTime): Deleted.
3152         * runtime/JSGlobalObject.cpp:
3153         (JSC::JSGlobalObject::JSGlobalObject):
3154         (JSC::JSGlobalObject::setInputCursor): Deleted.
3155         * runtime/JSGlobalObject.h:
3156         (JSC::JSGlobalObject::inputCursor): Deleted.
3157
3158 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
3159
3160         Move make-js-file-arrays.py from WebCore to JavaScriptCore
3161         https://bugs.webkit.org/show_bug.cgi?id=174024
3162
3163         Reviewed by Michael Catanzaro.
3164
3165         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
3166         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
3167         Added command line option to pass the namespace to use instead of using WebCore.
3168
3169         * JavaScriptCore.xcodeproj/project.pbxproj:
3170         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
3171         (main):
3172
3173 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3174
3175         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
3176         https://bugs.webkit.org/show_bug.cgi?id=174296
3177
3178         Reviewed by Mark Lam.
3179
3180         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
3181         It caused a problem in scanning template literals. While template literals normalize
3182         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
3183         To handle it correctly, LineNumberAdder was introduced.
3184
3185         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
3186         LineNumberAdder. Let's just use shiftLineTerminator() instead.
3187
3188         * parser/Lexer.cpp:
3189         (JSC::Lexer<T>::parseTemplateLiteral):
3190         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
3191         (JSC::LineNumberAdder::clear): Deleted.
3192         (JSC::LineNumberAdder::add): Deleted.
3193
3194 2017-07-09  Dan Bernstein  <mitz@apple.com>
3195
3196         [Xcode] ICU headers aren’t treated as system headers after r219155
3197         https://bugs.webkit.org/show_bug.cgi?id=174299
3198
3199         Reviewed by Sam Weinig.
3200
3201         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
3202           C++ compilers.
3203
3204         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
3205         * runtime/IntlDateTimeFormat.cpp: Ditto.
3206         * runtime/JSGlobalObject.cpp: Ditto.
3207         * runtime/StringPrototype.cpp: Ditto.
3208
3209 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3210
3211         [JSC] Use fastMalloc / fastFree for STL containers
3212         https://bugs.webkit.org/show_bug.cgi?id=174297
3213
3214         Reviewed by Sam Weinig.
3215
3216         In some places, we intentionally use STL containers over WTF containers.
3217         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
3218         because we do not have effective empty / deleted representations in the space of the key's values.
3219         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
3220
3221         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
3222         We specify this allocator as the STL containers' template parameter to allocate memory from fastMalloc.
3223
3224         This WTF::FastAllocator gives us a chance to use STL containers when necessary
3225         without compromising memory allocation throughput.
3226
3227         * dfg/DFGGraph.h:
3228         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3229         * ftl/FTLLowerDFGToB3.cpp:
3230         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3231         * runtime/FunctionHasExecutedCache.h:
3232         * runtime/TypeLocationCache.h:
3233
3234 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3235
3236         Drop NOSNIFF compile flag
3237         https://bugs.webkit.org/show_bug.cgi?id=174289
3238
3239         Reviewed by Michael Catanzaro.
3240
3241         * Configurations/FeatureDefines.xcconfig:
3242
3243 2017-07-07  AJ Ringer  <aringer@apple.com>
3244
3245         Lower the max_protection for the separated heap
3246         https://bugs.webkit.org/show_bug.cgi?id=174281
3247
3248         Reviewed by Oliver Hunt.
3249
3250         Switch to vm_protect so we can set maximum page protection.
3251
3252         * jit/ExecutableAllocator.cpp:
3253         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3254         (JSC::ExecutableAllocator::allocate):
3255
3256 2017-07-07  Devin Rousso  <drousso@apple.com>
3257
3258         Web Inspector: Show all elements currently using a given CSS Canvas
3259         https://bugs.webkit.org/show_bug.cgi?id=173965
3260
3261         Reviewed by Joseph Pecoraro.
3262
3263         * inspector/protocol/Canvas.json:
3264          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
3265            canvas via -webkit-canvas.
3266          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
3267            added/removed from the list of -webkit-canvas clients.
3268
3269 2017-07-07  Mark Lam  <mark.lam@apple.com>
3270
3271         \n\r is not the same as \r\n.
3272         https://bugs.webkit.org/show_bug.cgi?id=173053
3273
3274         Reviewed by Keith Miller.
3275
3276         * parser/Lexer.cpp:
3277         (JSC::Lexer<T>::shiftLineTerminator):
3278         (JSC::LineNumberAdder::add):
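
        The two Lexer entries above (the r219263 fix that counts <LF><CR> as two line terminators,
        and the follow-up that drops LineNumberAdder) both rest on the same rule: <CR><LF> is a single
        LineTerminatorSequence, but <LF><CR> is an <LF> followed by a lone <CR>, i.e. two terminators.
        The following is an added, self-contained illustration of that rule and of why template literal
        normalization then needs no special-casing; it is not code from JavaScriptCore or WebKit, and the
        function names `countLineTerminators` and `normalizeTemplateLineTerminators` are this example's own.
        Only ASCII <CR> and <LF> are handled; <LS> and <PS> are left out.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Count line terminator sequences in `src` the way the ECMAScript grammar defines
// them: "\r\n" is ONE sequence, while "\n\r" is TWO (an LF followed by a lone CR).
// This is the counting rule the entries above adopt; the old behaviour that treated
// "\n\r" as a single terminator is what LineNumberAdder had to compensate for.
std::size_t countLineTerminators(const std::string& src)
{
    std::size_t lines = 0;
    for (std::size_t i = 0; i < src.size(); ++i) {
        char c = src[i];
        if (c == '\n') {
            ++lines;
        } else if (c == '\r') {
            ++lines;
            // A CR immediately followed by LF forms one sequence: swallow the LF.
            if (i + 1 < src.size() && src[i + 1] == '\n')
                ++i;
        }
    }
    return lines;
}

// Template literal line terminator normalization (the TV/TRV rule): "\r\n" and a
// lone "\r" both become "\n". A consequence is that "\n\r" becomes "\n\n", which is
// two terminators, so a lexer that already counts "\n\r" as two lines needs no
// extra bookkeeping while scanning a template literal.
std::string normalizeTemplateLineTerminators(const std::string& src)
{
    std::string out;
    out.reserve(src.size());
    for (std::size_t i = 0; i < src.size(); ++i) {
        char c = src[i];
        if (c == '\r') {
            out.push_back('\n');
            if (i + 1 < src.size() && src[i + 1] == '\n')
                ++i; // "\r\n" collapses to a single "\n"
        } else {
            out.push_back(c);
        }
    }
    return out;
}

int main()
{
    // Constructed sample inputs, not taken from any WebKit test.
    const std::string crlf = "a\r\nb";
    const std::string lfcr = "a\n\rb";
    std::cout << "\"a\\r\\nb\" has " << countLineTerminators(crlf) << " terminator(s)\n";
    std::cout << "\"a\\n\\rb\" has " << countLineTerminators(lfcr) << " terminator(s)\n";
    std::cout << "line count is preserved by template normalization: "
              << (countLineTerminators(normalizeTemplateLineTerminators(lfcr)) == countLineTerminators(lfcr))
              << "\n";
    return 0;
}
```

        The invariant worth keeping in a lexer is the last one printed: the number of terminators in a
        template literal's normalized text equals the number in its raw source, so line numbers reported
        in error messages and source maps stay consistent between the two.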
3279
3280 2017-07-07  Commit Queue  <commit-queue@webkit.org>
3281
3282         Unreviewed, rolling out r219238, r219239, and r219241.
3283         https://bugs.webkit.org/show_bug.cgi?id=174265
3284
3285         "fast/workers/dedicated-worker-lifecycle.html is flaky"
3286         (Requested by yusukesuzuki on #webkit).
3287
3288         Reverted changesets:
3289
3290         "[WTF] Implement WTF::ThreadGroup"
3291         https://bugs.webkit.org/show_bug.cgi?id=174081
3292         http://trac.webkit.org/changeset/219238
3293
3294         "Unreviewed, build fix after r219238"
3295         https://bugs.webkit.org/show_bug.cgi?id=174081
3296         http://trac.webkit.org/changeset/219239
3297
3298         "Unreviewed, CLoop build fix after r219238"
3299         https://bugs.webkit.org/show_bug.cgi?id=174081
3300         http://trac.webkit.org/changeset/219241
3301
3302 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3303
3304         Unreviewed, CLoop build fix after r219238
3305         https://bugs.webkit.org/show_bug.cgi?id=174081
3306
3307         * heap/MachineStackMarker.cpp:
3308
3309 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3310
3311         [WTF] Implement WTF::ThreadGroup
3312         https://bugs.webkit.org/show_bug.cgi?id=174081
3313
3314         Reviewed by Mark Lam.
3315
3316         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
3317         and SamplingProfiler and others interact with WTF::Thread directly.
3318
3319         * API/tests/ExecutionTimeLimitTest.cpp:
3320         * heap/MachineStackMarker.cpp:
3321         (JSC::MachineThreads::MachineThreads):
3322         (JSC::captureStack):
3323         (JSC::MachineThreads::tryCopyOtherThreadStack):
3324         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3325         (JSC::MachineThreads::gatherConservativeRoots):
3326         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3327         (JSC::ActiveMachineThreadsManager::add): Deleted.
3328         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3329         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3330         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3331         (JSC::activeMachineThreadsManager): Deleted.
3332         (JSC::MachineThreads::~MachineThreads): Deleted.
3333         (JSC::MachineThreads::addCurrentThread): Deleted.
3334         (): Deleted.
3335         (JSC::MachineThreads::removeThread): Deleted.
3336         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3337         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3338         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3339         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3340         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3341         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3342         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3343         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3344         * heap/MachineStackMarker.h:
3345         (JSC::MachineThreads::addCurrentThread):
3346         (JSC::MachineThreads::getLock):
3347         (JSC::MachineThreads::threads):
3348         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3349         (JSC::MachineThreads::MachineThread::resume): Deleted.
3350         (JSC::MachineThreads::MachineThread::threadID): Deleted.
3351         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
3352         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
3353         (JSC::MachineThreads::threadsListHead): Deleted.
3354         * runtime/SamplingProfiler.cpp:
3355         (JSC::FrameWalker::isValidFramePointer):
3356         (JSC::SamplingProfiler::SamplingProfiler):
3357         (JSC::SamplingProfiler::takeSample):
3358         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
3359         * runtime/SamplingProfiler.h:
3360         * wasm/WasmMachineThreads.cpp:
3361         (JSC::Wasm::resetInstructionCacheOnAllThreads):
3362
3363 2017-07-06  Saam Barati  <sbarati@apple.com>
3364
3365         We are missing places where we invalidate the for-in context
3366         https://bugs.webkit.org/show_bug.cgi?id=174184
3367
3368         Reviewed by Geoffrey Garen.
3369
3370         * bytecompiler/BytecodeGenerator.cpp:
3371         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
3372         * bytecompiler/NodesCodegen.cpp:
3373         (JSC::EmptyLetExpression::emitBytecode):
3374         (JSC::ForInNode::emitLoopHeader):
3375         (JSC::ForOfNode::emitBytecode):
3376         (JSC::BindingNode::bindValue):
3377
3378 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3379
3380         Unreviewed, suppress warnings in GCC environment
3381
3382         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3383         * runtime/IntlCollator.cpp:
3384         * runtime/IntlDateTimeFormat.cpp:
3385         * runtime/JSGlobalObject.cpp:
3386         * runtime/StringPrototype.cpp:
3387
3388 2017-07-05  Saam Barati  <sbarati@apple.com>
3389
3390         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
3391         https://bugs.webkit.org/show_bug.cgi?id=174188
3392         <rdar://problem/30581423>
3393
3394         Reviewed by Mark Lam.
3395
3396         We were calling lowJSValue(edge) when we were speculating the
3397         edge as double. This isn't allowed. We should have been using
3398         lowDouble.
3399         
3400         This patch also adds a new option, called useArrayAllocationProfiling,
3401         which defaults to true. When false, it will make the array allocation
3402         profile not actually sample seen arrays. It'll force the allocation
3403         profile's predicted indexing type to be ArrayWithUndecided. Adding
3404         this option made it trivial to write a test for this bug.
3405
3406         * bytecode/ArrayAllocationProfile.cpp:
3407         (JSC::ArrayAllocationProfile::updateIndexingType):
3408         * ftl/FTLLowerDFGToB3.cpp:
3409         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3410         * runtime/Options.h:
3411
3412 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3413
3414         WTF::Thread should have the threads stack bounds.
3415         https://bugs.webkit.org/show_bug.cgi?id=173975
3416
3417         Reviewed by Keith Miller.
3418
3419         There is a site in JSC that try to walk another thread's stack.
3420         Currently, stack bounds are stored in WTFThreadData which is located
3421         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3422         We work around this situation by holding StackBounds in MachineThread in JSC,
3423         but StackBounds should be put in WTF::Thread instead.
3424
3425         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3426         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3427         is a natural choice.
3428
3429         * heap/MachineStackMarker.cpp:
3430         (JSC::MachineThreads::MachineThread::MachineThread):
3431         (JSC::MachineThreads::MachineThread::captureStack):
3432         * heap/MachineStackMarker.h:
3433         (JSC::MachineThreads::MachineThread::stackBase):
3434         (JSC::MachineThreads::MachineThread::stackEnd):
3435         * runtime/InitializeThreading.cpp:
3436         (JSC::initializeThreading):
3437         * runtime/VM.cpp:
3438         (JSC::VM::VM):
3439         (JSC::VM::updateStackLimits):
3440         (JSC::VM::committedStackByteCount):
3441         * runtime/VM.h:
3442         (JSC::VM::isSafeToRecurse):
3443         * runtime/VMEntryScope.cpp:
3444         (JSC::VMEntryScope::VMEntryScope):
3445         * runtime/VMInlines.h:
3446         (JSC::VM::ensureStackCapacityFor):
3447         * runtime/VMTraps.cpp:
3448         * yarr/YarrPattern.cpp:
3449         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3450
3451 2017-07-05  Keith Miller  <keith_miller@apple.com>
3452
3453         Crashing with information should have an abort reason
3454         https://bugs.webkit.org/show_bug.cgi?id=174185
3455
3456         Reviewed by Saam Barati.
3457
3458         Add crash information for the abstract interpreter and add an enum
3459         value for object allocation sinking.
3460
3461         * assembler/AbortReason.h:
3462         * dfg/DFGAbstractInterpreterInlines.h:
3463         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3464         * dfg/DFGGraph.cpp:
3465         (JSC::DFG::logDFGAssertionFailure):
3466         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3467
3468 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3469
3470         Remove copy of ICU headers from WebKit
3471         https://bugs.webkit.org/show_bug.cgi?id=116407
3472
3473         Reviewed by Alex Christensen.
3474
3475         Use WTF's copy of ICU headers.
3476
3477         * Configurations/Base.xcconfig:
3478         * icu/unicode/localpointer.h: Removed.
3479         * icu/unicode/parseerr.h: Removed.
3480         * icu/unicode/platform.h: Removed.
3481         * icu/unicode/ptypes.h: Removed.
3482         * icu/unicode/putil.h: Removed.
3483         * icu/unicode/uchar.h: Removed.
3484         * icu/unicode/ucnv.h: Removed.
3485         * icu/unicode/ucnv_err.h: Removed.
3486         * icu/unicode/ucol.h: Removed.
3487         * icu/unicode/uconfig.h: Removed.
3488         * icu/unicode/ucurr.h: Removed.
3489         * icu/unicode/uenum.h: Removed.
3490         * icu/unicode/uiter.h: Removed.
3491         * icu/unicode/uloc.h: Removed.
3492         * icu/unicode/umachine.h: Removed.
3493         * icu/unicode/unorm.h: Removed.
3494         * icu/unicode/unorm2.h: Removed.
3495         * icu/unicode/urename.h: Removed.
3496         * icu/unicode/uscript.h: Removed.
3497         * icu/unicode/uset.h: Removed.
3498         * icu/unicode/ustring.h: Removed.
3499         * icu/unicode/utf.h: Removed.
3500         * icu/unicode/utf16.h: Removed.
3501         * icu/unicode/utf8.h: Removed.
3502         * icu/unicode/utf_old.h: Removed.
3503         * icu/unicode/utypes.h: Removed.
3504         * icu/unicode/uvernum.h: Removed.
3505         * icu/unicode/uversion.h: Removed.
3506         * runtime/IntlCollator.cpp:
3507         * runtime/IntlDateTimeFormat.cpp:
3508         (JSC::IntlDateTimeFormat::partTypeString):
3509         * runtime/JSGlobalObject.cpp:
3510         * runtime/StringPrototype.cpp:
3511         (JSC::normalize):
3512         (JSC::stringProtoFuncNormalize):
3513
3514 2017-07-05  Devin Rousso  <drousso@apple.com>
3515
3516         Web Inspector: Allow users to log any tracked canvas context
3517         https://bugs.webkit.org/show_bug.cgi?id=173397
3518         <rdar://problem/33111581>
3519
3520         Reviewed by Joseph Pecoraro.
3521
3522         * inspector/protocol/Canvas.json:
3523         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
3524
3525 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
3526
3527         Add WebKitPrivateFrameworkStubs for iOS 11
3528         https://bugs.webkit.org/show_bug.cgi?id=173988
3529
3530         Reviewed by David Kilzer.
3531
3532         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
3533         same directory for private framework stubs.
3534
3535 2017-07-05  JF Bastien  <jfbastien@apple.com>
3536
3537         WebAssembly: implement name section's module name, skip unknown sections
3538         https://bugs.webkit.org/show_bug.cgi?id=172008
3539
3540         Reviewed by Keith Miller.
3541
3542         Parse the WebAssembly module name properly, and skip unknown
3543         sections. This is useful because as toolchains support new types
3544         of names we want to keep displaying the information we know about
3545         and simply ignore new information. That capability was designed
3546         into WebAssembly's name section.
3547
3548         Failure to commit this patch would mean that WebKit won't display
3549         stack trace information, which would make developers sad.
3550
3551         Module names were added here: https://github.com/WebAssembly/design/pull/1055
3552
3553         Note that this patch doesn't do anything with the parsed name! Two
3554         reasons for this: module names aren't supported in binaryen yet,
3555         so I can't write a simple binary test; and using the name is a
3556         slightly riskier change because it requires changing StackVisitor
3557         + StackFrame (where they print "[wasm code]") which requires
3558         figuring out the frame's Module. The latter bit isn't trivial
3559         because we only know wasm frames from their tag bits, and
3560         CodeBlocks are always nullptr.
3561
3562         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
3563
3564         I filed #174098 to use the module name.
3565
3566         * wasm/WasmFormat.h:
3567         (JSC::Wasm::isValidNameType):
3568         * wasm/WasmNameSectionParser.cpp:
3569
3570 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
3571
3572         Cleanup some StringBuilder use
3573         https://bugs.webkit.org/show_bug.cgi?id=174118
3574
3575         Reviewed by Andreas Kling.
3576
3577         * runtime/FunctionConstructor.cpp:
3578         (JSC::constructFunctionSkippingEvalEnabledCheck):
3579         * tools/FunctionOverrides.cpp:
3580         (JSC::parseClause):
3581         * wasm/WasmOMGPlan.cpp:
3582         * wasm/WasmPlan.cpp:
3583         * wasm/WasmValidate.cpp:
3584
3585 2017-07-03  Saam Barati  <sbarati@apple.com>
3586
3587         LayoutTest workers/bomb.html is a Crash
3588         https://bugs.webkit.org/show_bug.cgi?id=167757
3589         <rdar://problem/33086462>
3590
3591         Reviewed by Keith Miller.
3592
3593         VMTraps::SignalSender was accessing VM fields even after
3594         the VM was destroyed. This happened when the SignalSender
3595         thread was in the middle of its work() function while VMTraps
3596         was notified that the VM was shutting down. The VM would proceed
3597         to run its destructor even after the SignalSender thread finished
3598         doing its work. This means that the SignalSender thread was accessing
3599         VM fields even after the VM was destructed (including itself, since it is
3600         transitively owned by the VM). The VM must wait for the SignalSender
3601         thread to shut down before it can continue to destruct itself.
3602
3603         * runtime/VMTraps.cpp:
3604         (JSC::VMTraps::willDestroyVM):
3605
3606 2017-07-03  Saam Barati  <sbarati@apple.com>
3607
3608         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
3609         https://bugs.webkit.org/show_bug.cgi?id=174110
3610
3611         Reviewed by Michael Saboff.
3612
3613         * dfg/DFGByteCodeParser.cpp:
3614         (JSC::DFG::ByteCodeParser::parseBlock):
3615
3616 2017-07-03  Saam Barati  <sbarati@apple.com>
3617
3618         Add a new assertion to object allocation sinking phase
3619         https://bugs.webkit.org/show_bug.cgi?id=174107
3620
3621         Rubber stamped by Filip Pizlo.
3622
3623         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3624
3625 2017-07-03  Commit Queue  <commit-queue@webkit.org>
3626
3627         Unreviewed, rolling out r219060.
3628         https://bugs.webkit.org/show_bug.cgi?id=174108
3629
3630         crashing constantly when initializing UIWebView (Requested by
3631         thorton on #webkit).
3632
3633         Reverted changeset:
3634
3635         "WTF::Thread should have the threads stack bounds."
3636         https://bugs.webkit.org/show_bug.cgi?id=173975
3637         http://trac.webkit.org/changeset/219060
3638
3639 2017-07-03  Matt Lewis  <jlewis3@apple.com>
3640
3641         Unreviewed, rolling out r219103.
3642
3643         Caused multiple build failures.
3644
3645         Reverted changeset:
3646
3647         "Remove copy of ICU headers from WebKit"
3648         https://bugs.webkit.org/show_bug.cgi?id=116407
3649         http://trac.webkit.org/changeset/219103
3650
3651 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3652
3653         Remove copy of ICU headers from WebKit
3654         https://bugs.webkit.org/show_bug.cgi?id=116407
3655
3656         Reviewed by Alex Christensen.
3657
3658         Use WTF's copy of ICU headers.
3659
3660         * Configurations/Base.xcconfig:
3661         * icu/unicode/localpointer.h: Removed.
3662         * icu/unicode/parseerr.h: Removed.
3663         * icu/unicode/platform.h: Removed.
3664         * icu/unicode/ptypes.h: Removed.
3665         * icu/unicode/putil.h: Removed.
3666         * icu/unicode/uchar.h: Removed.
3667         * icu/unicode/ucnv.h: Removed.
3668         * icu/unicode/ucnv_err.h: Removed.
3669         * icu/unicode/ucol.h: Removed.
3670         * icu/unicode/uconfig.h: Removed.
3671         * icu/unicode/ucurr.h: Removed.
3672         * icu/unicode/uenum.h: Removed.
3673         * icu/unicode/uiter.h: Removed.
3674         * icu/unicode/uloc.h: Removed.
3675         * icu/unicode/umachine.h: Removed.
3676         * icu/unicode/unorm.h: Removed.
3677         * icu/unicode/unorm2.h: Removed.
3678         * icu/unicode/urename.h: Removed.
3679         * icu/unicode/uscript.h: Removed.
3680         * icu/unicode/uset.h: Removed.
3681         * icu/unicode/ustring.h: Removed.
3682         * icu/unicode/utf.h: Removed.
3683         * icu/unicode/utf16.h: Removed.
3684         * icu/unicode/utf8.h: Removed.
3685         * icu/unicode/utf_old.h: Removed.
3686         * icu/unicode/utypes.h: Removed.
3687         * icu/unicode/uvernum.h: Removed.
3688         * icu/unicode/uversion.h: Removed.
3689         * runtime/IntlCollator.cpp:
3690         * runtime/IntlDateTimeFormat.cpp:
3691         * runtime/JSGlobalObject.cpp:
3692         * runtime/StringPrototype.cpp:
3693
3694 2017-07-03  Saam Barati  <sbarati@apple.com>
3695
3696         Add better crash logging for allocation sinking phase
3697         https://bugs.webkit.org/show_bug.cgi?id=174102
3698         <rdar://problem/33112092>
3699
3700         Rubber stamped by Filip Pizlo.
3701
3702         I'm trying to gather better information from crashlogs about why
3703         we're crashing in the allocation sinking phase. I'm adding an allocation
3704         sinking specific RELEASE_ASSERT as well as marking a few functions as
3705         NEVER_INLINE to have the stack traces in the crash trace contain more
3706         actionable information.
3707
3708         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3709
3710 2017-07-03  Sam Weinig  <sam@webkit.org>
3711
3712         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
3713         https://bugs.webkit.org/show_bug.cgi?id=174083
3714
3715         Reviewed by Alex Christensen.
3716
3717         * Configurations/FeatureDefines.xcconfig:
3718         Add ENABLE_NAVIGATOR_STANDALONE.
3719
3720 2017-07-03  Andy Estes  <aestes@apple.com>
3721
3722         [Xcode] Add an experimental setting to build with ccache
3723         https://bugs.webkit.org/show_bug.cgi?id=173875
3724
3725         Reviewed by Tim Horton.
3726
3727         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
3728
3729 2017-07-03  Devin Rousso  <drousso@apple.com>
3730
3731         Web Inspector: Support listing WebGL2 and WebGPU contexts
3732         https://bugs.webkit.org/show_bug.cgi?id=173396
3733
3734         Reviewed by Joseph Pecoraro.
3735
3736         * inspector/protocol/Canvas.json:
3737         * inspector/scripts/codegen/generator.py:
3738         (Generator.stylized_name_for_enum_value):
3739         Add cases for handling new Canvas.ContextType protocol enumerations:
3740          - "webgl2" maps to `WebGL2`
3741          - "webgpu" maps to `WebGPU`
3742
3743 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3744
3745         WTF::Thread should have the threads stack bounds.
3746         https://bugs.webkit.org/show_bug.cgi?id=173975
3747
3748         Reviewed by Mark Lam.
3749
3750         There is a site in JSC that tries to walk another thread's stack.
3751         Currently, stack bounds are stored in WTFThreadData which is located
3752         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3753         We work around this situation by holding StackBounds in MachineThread in JSC,
3754         but StackBounds should be put in WTF::Thread instead.
3755
3756         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3757         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3758         is a natural choice.
3759
3760         * heap/MachineStackMarker.cpp:
3761         (JSC::MachineThreads::MachineThread::MachineThread):
3762         (JSC::MachineThreads::MachineThread::captureStack):
3763         * heap/MachineStackMarker.h:
3764         (JSC::MachineThreads::MachineThread::stackBase):
3765         (JSC::MachineThreads::MachineThread::stackEnd):
3766         * runtime/InitializeThreading.cpp:
3767         (JSC::initializeThreading):
3768         * runtime/VM.cpp:
3769         (JSC::VM::VM):
3770         (JSC::VM::updateStackLimits):
3771         (JSC::VM::committedStackByteCount):
3772         * runtime/VM.h:
3773         (JSC::VM::isSafeToRecurse):
3774         * runtime/VMEntryScope.cpp:
3775         (JSC::VMEntryScope::VMEntryScope):
3776         * runtime/VMInlines.h:
3777         (JSC::VM::ensureStackCapacityFor):
3778         * runtime/VMTraps.cpp:
3779         * yarr/YarrPattern.cpp:
3780         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3781
3782 2017-07-01  Dan Bernstein  <mitz@apple.com>
3783
3784         [iOS] Remove code only needed when building for iOS 9.x
3785         https://bugs.webkit.org/show_bug.cgi?id=174068
3786
3787         Reviewed by Tim Horton.
3788
3789         * Configurations/FeatureDefines.xcconfig:
3790         * jit/ExecutableAllocator.cpp:
3791         * runtime/Options.cpp:
3792         (JSC::recomputeDependentOptions):
3793
3794 2017-07-01  Dan Bernstein  <mitz@apple.com>
3795
3796         [macOS] Remove code only needed when building for OS X Yosemite
3797         https://bugs.webkit.org/show_bug.cgi?id=174067
3798
3799         Reviewed by Tim Horton.
3800
3801         * API/WebKitAvailability.h:
3802         * Configurations/Base.xcconfig:
3803         * Configurations/DebugRelease.xcconfig:
3804         * Configurations/FeatureDefines.xcconfig:
3805         * Configurations/Version.xcconfig:
3806
3807 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3808
3809         Unreviewed, build fix for GCC
3810         https://bugs.webkit.org/show_bug.cgi?id=174034
3811
3812         * b3/testb3.cpp:
3813         (JSC::B3::testDoubleLiteralComparison):
3814
3815 2017-06-30  Keith Miller  <keith_miller@apple.com>
3816
3817         Force crashWithInfo to be out of line.
3818         https://bugs.webkit.org/show_bug.cgi?id=174028
3819
3820         Reviewed by Filip Pizlo.
3821
3822         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
3823
3824         * dfg/DFGGraph.cpp:
3825         (JSC::DFG::logDFGAssertionFailure):
3826         (JSC::DFG::Graph::logAssertionFailure):
3827         (JSC::DFG::crash): Deleted.
3828         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3829         * dfg/DFGGraph.h:
3830
3831 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3832
3833         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
3834         https://bugs.webkit.org/show_bug.cgi?id=174053
3835
3836         Reviewed by Geoffrey Garen.
3837
3838         We already have AbstractMacroAssembler::random() function. Use it instead.
3839
3840         * jit/JIT.cpp:
3841         (JSC::JIT::JIT):
3842         (JSC::JIT::compileWithoutLinking):
3843         * jit/JIT.h:
3844
3845 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3846
3847         [WTF] Drop SymbolRegistry::keyForSymbol
3848         https://bugs.webkit.org/show_bug.cgi?id=174052
3849
3850         Reviewed by Sam Weinig.
3851
3852         * runtime/SymbolConstructor.cpp:
3853         (JSC::symbolConstructorKeyFor):
3854
3855 2017-06-30  Saam Barati  <sbarati@apple.com>
3856
3857         B3ReduceStrength should reduce EqualOrUnordered over const float input
3858         https://bugs.webkit.org/show_bug.cgi?id=174039
3859
3860         Reviewed by Michael Saboff.
3861
3862         We perform this folding for ConstDoubleValue. It is simply
3863         an oversight that we didn't do it for ConstFloatValue.
3864
3865         * b3/B3ConstFloatValue.cpp:
3866         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
3867         * b3/B3ConstFloatValue.h:
3868         * b3/testb3.cpp:
3869         (JSC::B3::testFloatEqualOrUnorderedFolding):
3870         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3871         (JSC::B3::testFloatEqualOrUnorderedDontFold):
3872         (JSC::B3::run):
3873
3874 2017-06-30  Matt Baker  <mattbaker@apple.com>
3875
3876         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
3877         https://bugs.webkit.org/show_bug.cgi?id=173840
3878         <rdar://problem/30840820>
3879
3880         Reviewed by Joseph Pecoraro.
3881
3882         When truncating an asynchronous stack trace, the parent chain is traversed
3883         until a locked node is found. The path from this node to the root is shared
3884         by more than one stack trace, and cannot be safely modified. Starting at
3885         the first locked node, the path is cloned and becomes a new stack trace tree.
3886
3887         However, the clone operation initialized each new AsyncStackTrace node with
3888         the original node's parent. This would increment the child count of the original
3889         node. When cloning nodes, new nodes should not have their parent set until the
3890         next node up the parent chain is cloned.
3891
3892         * inspector/AsyncStackTrace.cpp:
3893         (Inspector::AsyncStackTrace::truncate):
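
A model of the clone step described in this entry, as an added example (not Inspector's AsyncStackTrace code): node, childCount and locking are simplified to a plain parent chain, and `buggy` toggles between constructing each clone with the original node's parent (the defect) and constructing it without a parent until the next node up the chain has been cloned (the fix). The scenario it builds is constructed for the example.

```cpp
#include <memory>

// Minimal model of a parent chain of async stack trace nodes; not Inspector's real class.
// A node's childCount is the number of nodes that use it as their parent. A locked node
// lies on a path shared by more than one trace and must not be edited in place.
struct Node {
    std::shared_ptr<Node> parent;
    int childCount = 0;
    bool locked = false;
    int id = 0;
};

// As in the original constructor, creating a node with a parent bumps that parent's childCount.
static std::shared_ptr<Node> makeNode(std::shared_ptr<Node> parent, int id, bool locked) {
    auto node = std::make_shared<Node>();
    node->id = id;
    node->locked = locked;
    if (parent) {
        node->parent = parent;
        parent->childCount++;
    }
    return node;
}

// Build root(0) <- 1 <- ... <- (length - 1); nodes with id <= lockedUpTo are shared. Returns the leaf.
static std::shared_ptr<Node> buildChain(int length, int lockedUpTo) {
    std::shared_ptr<Node> node;
    for (int id = 0; id < length; ++id)
        node = makeNode(node, id, id <= lockedUpTo);
    return node;
}

static std::shared_ptr<Node> firstLocked(std::shared_ptr<Node> node) {
    while (node && !node->locked)
        node = node->parent;
    return node;
}

// Sum of childCount along the chain from `node` to the root. For a chain nobody else
// hangs off, this equals the number of edges on the chain.
static int sumChildCounts(std::shared_ptr<Node> node) {
    int sum = 0;
    for (; node; node = node->parent)
        sum += node->childCount;
    return sum;
}

// Clone the path from `first` to the root and return the clone of `first`.
// buggy == true reproduces the defect: each clone is constructed with the ORIGINAL node's
// parent, which bumps the original parent's childCount and is never undone when the clone
// is re-pointed at its cloned parent. The fix creates the clone without a parent and links
// it only once the next node up the chain has been cloned.
static std::shared_ptr<Node> clonePathToRoot(std::shared_ptr<Node> first, bool buggy) {
    std::shared_ptr<Node> result, previousClone;
    for (auto cur = first; cur; cur = cur->parent) {
        auto clone = makeNode(buggy ? cur->parent : std::shared_ptr<Node>(), cur->id, false);
        if (previousClone) {
            previousClone->parent = clone;
            clone->childCount++;
        } else
            result = clone;
        previousClone = clone;
    }
    return result;
}

// Give the trace ending at `leaf` a private copy of its shared prefix: clone from the first
// locked ancestor to the root and re-parent the private part of the trace onto the copy.
static void detachSharedPrefix(std::shared_ptr<Node> leaf, bool buggy) {
    std::shared_ptr<Node> child, cur = leaf;
    while (cur && !cur->locked) {
        child = cur;
        cur = cur->parent;
    }
    if (!cur || !child)
        return; // nothing shared, or nothing private to move
    auto clone = clonePathToRoot(cur, buggy);
    cur->childCount--; // `child` no longer hangs off the shared node
    child->parent = clone;
    clone->childCount++;
}

// Constructed scenario: trace A = 0 <- 1 <- 2 <- 3, with nodes 0 and 1 also shared by
// trace B = 0 <- 1 <- 9. After detaching A's prefix, B's chain still has two edges, so
// its childCount sum should be 2. Returns the over-count (0 when the clone is correct).
static int sharedChainOvercount(bool buggy) {
    auto leafA = buildChain(4, 1);
    auto leafB = makeNode(firstLocked(leafA), 9, false);
    detachSharedPrefix(leafA, buggy);
    return sumChildCounts(leafB) - 2;
}
```

With `buggy == true` the root's childCount ends up one too high even though no node points at it any more, which is the corruption the entry describes: a count that never returns to zero keeps the shared node alive and misreports how many traces depend on it.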
3894
3895 2017-06-30  Michael Saboff  <msaboff@apple.com>
3896
3897         RegExps anchored with .* with g flag can return wrong match start for strings with multiple matches
3898         https://bugs.webkit.org/show_bug.cgi?id=174044
3899
3900         Reviewed by Oliver Hunt.
3901
3902         The .* enclosure optimization didn't respect that we can start matching from a non-zero
3903         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
3904         then finding the extent of the match by going back to the beginning of the line and going
3905         forward to the end of the line.  The code that went back to the beginning of the line
3906         checked for an index of 0 instead of comparing the index to the start position.  This start
3907         position is passed as the initial index.
3908
3909         Added another temporary register to the YARR JIT to contain the start position for
3910         platforms that have spare registers.
3911
3912         * yarr/Yarr.h:
3913         * yarr/YarrInterpreter.cpp:
3914         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3915         (JSC::Yarr::Interpreter::Interpreter):
3916         * yarr/YarrJIT.cpp:
3917         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3918         (JSC::Yarr::YarrGenerator::compile):
3919         * yarr/YarrPattern.cpp:
3920         (JSC::Yarr::YarrPattern::YarrPattern):
3921         * yarr/YarrPattern.h:
3922         (JSC::Yarr::YarrPattern::reset):
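
A model of the .* enclosure fast path described above, as an added example (not YARR's interpreter or JIT code): a match attempt begins at a start index, as lastIndex does under the g flag, and the backward walk to the beginning of the line must stop at that index rather than at 0. `respectStartIndex == false` reproduces the original check. The set of line terminators, the g-flag loop and the inputs are assumptions of this model, not JSC's implementation.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// JS '.' does not cross a line terminator. This model recognises only '\n' and '\r'
// (assumption: U+2028 and U+2029 are omitted to keep the example byte-based).
static bool isLineTerminator(char c) {
    return c == '\n' || c == '\r';
}

struct Match {
    bool found;
    size_t start;
    size_t end; // one past the last matched character
};

// /.*<term>.*/ on one line: locate <term> at or after startIndex, then widen the match
// backwards to the start of the line and forwards to its end. With respectStartIndex
// == false the backward walk stops only at index 0, so text before startIndex, which
// the regexp was not allowed to look at, is pulled into the match.
static Match dotStarEnclosure(const std::string& subject, const std::string& term,
                              size_t startIndex, bool respectStartIndex) {
    size_t pos = subject.find(term, startIndex);
    if (pos == std::string::npos)
        return {false, 0, 0};
    size_t lowerBound = respectStartIndex ? startIndex : 0;
    size_t start = pos;
    while (start > lowerBound && !isLineTerminator(subject[start - 1]))
        --start;
    size_t end = pos + term.size();
    while (end < subject.size() && !isLineTerminator(subject[end]))
        ++end;
    return {true, start, end};
}

// exec() loop under the g flag: each attempt starts where the previous match ended.
static std::vector<std::pair<size_t, size_t>> globalMatches(const std::string& subject,
                                                            const std::string& term,
                                                            bool respectStartIndex) {
    std::vector<std::pair<size_t, size_t>> out;
    size_t lastIndex = 0;
    while (lastIndex <= subject.size()) {
        Match m = dotStarEnclosure(subject, term, lastIndex, respectStartIndex);
        if (!m.found)
            break;
        out.emplace_back(m.start, m.end);
        lastIndex = m.end > lastIndex ? m.end : lastIndex + 1; // never stall on an empty advance
    }
    return out;
}
```

Against the constructed subject "abfoo" with the attempt starting at index 2, the correct walk reports the match at [2, 5) while the unguarded walk reports [0, 5), i.e. the wrong match start.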
3923
3924 2017-06-30  Saam Barati  <sbarati@apple.com>
3925
3926         B3MoveConstants floatZero() returns the wrong ValueKey
3927         https://bugs.webkit.org/show_bug.cgi?id=174040
3928
3929         Reviewed by Filip Pizlo.
3930
3931         It had a typo where the ValueKey for floatZero() produces a Double
3932         instead of a Float.
3933
3934         * b3/B3MoveConstants.cpp:
3935
3936 2017-06-30  Saam Barati  <sbarati@apple.com>
3937
3938         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
3939         https://bugs.webkit.org/show_bug.cgi?id=174034
3940         <rdar://problem/30793007>
3941
3942         Reviewed by Filip Pizlo.
3943
3944         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
3945         reduce binary operations over double constants into the same binary
3946         operation over the double constants cast to floats. This is clearly
3947         incorrect as these two things will produce different values. For example:
3948         
3949         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
3950         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
3951         c = EqualOrUnordered(@a, @b) // produces 0
3952         
3953         into:
3954         
3955         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
3956         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
3957         c = EqualOrUnordered(@a, @b) // produces 1
3958         
3959         Which produces a different value for @c.
3960
3961         * b3/B3ReduceDoubleToFloat.cpp:
3962         * b3/testb3.cpp:
3963         (JSC::B3::doubleEq):
3964         (JSC::B3::doubleNeq):
3965         (JSC::B3::doubleGt):
3966         (JSC::B3::doubleGte):
3967         (JSC::B3::doubleLt):
3968         (JSC::B3::doubleLte):
3969         (JSC::B3::testDoubleLiteralComparison):
3970         (JSC::B3::run):
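
The narrowing described above, carried out in a small added example (not JSC's B3 code): it compares the two constants as doubles, as floats after the faulty narrowing, and under a guard that only narrows a constant when it round-trips through float exactly. The bit patterns are the ones quoted in the entry; the guard is an assumption of this example and is sufficient for comparisons only, since float arithmetic also rounds differently from double arithmetic.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret a 64-bit pattern as a double (memcpy is the portable bitwise_cast).
static double doubleFromBits(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// B3's EqualOrUnordered: true when a == b or either operand is NaN.
static bool equalOrUnorderedDouble(double a, double b) {
    return a == b || std::isnan(a) || std::isnan(b);
}
static bool equalOrUnorderedFloat(float a, float b) {
    return a == b || std::isnan(a) || std::isnan(b);
}

// Unreduced comparison: both constants stay doubles.
static bool compareAsDoubles(uint64_t aBits, uint64_t bBits) {
    return equalOrUnorderedDouble(doubleFromBits(aBits), doubleFromBits(bBits));
}

// The faulty reduction: narrow each DoubleConst to a FloatConst, then compare the floats.
// Narrowing collapses distinct doubles onto one float, so the result can change.
static bool compareNarrowedToFloat(uint64_t aBits, uint64_t bBits) {
    float a = static_cast<float>(doubleFromBits(aBits));
    float b = static_cast<float>(doubleFromBits(bBits));
    return equalOrUnorderedFloat(a, b);
}

// Narrowing a double constant cannot change a comparison's result when the constant
// round-trips double -> float -> double exactly (NaN stays NaN). Callers must keep the
// value within float range, since an out-of-range conversion is undefined in C++.
static bool roundTripsThroughFloat(double d) {
    if (std::isnan(d))
        return true;
    return static_cast<double>(static_cast<float>(d)) == d;
}

// Guarded reduction: narrow only when both constants round-trip, otherwise keep doubles.
static bool compareWithGuard(uint64_t aBits, uint64_t bBits) {
    double a = doubleFromBits(aBits);
    double b = doubleFromBits(bBits);
    if (roundTripsThroughFloat(a) && roundTripsThroughFloat(b))
        return equalOrUnorderedFloat(static_cast<float>(a), static_cast<float>(b));
    return equalOrUnorderedDouble(a, b);
}

int main() {
    const uint64_t tinyNegative = 0x8000000000000001ull; // smallest negative subnormal double
    const uint64_t zero = 0x0000000000000000ull;
    std::printf("as doubles: %d, narrowed to float: %d, guarded: %d\n",
                compareAsDoubles(tinyNegative, zero),
                compareNarrowedToFloat(tinyNegative, zero),
                compareWithGuard(tinyNegative, zero));
    return 0;
}
```

0x8000000000000001 is the smallest negative subnormal double; static_cast<float> rounds it to -0.0f, which compares equal to 0.0f, so the narrowed comparison flips from 0 to 1 exactly as the entry shows. The same happens for 1.0 and 1.0 + 2^-52, which are distinct doubles but the same float.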
3971
3972 2017-06-29  Jer Noble  <jer.noble@apple.com>
3973
3974         Make Legacy EME API controlled by RuntimeEnabled setting.
3975         https://bugs.webkit.org/show_bug.cgi?id=173994
3976
3977         Reviewed by Sam Weinig.
3978
3979         * Configurations/FeatureDefines.xcconfig:
3980         * runtime/CommonIdentifiers.h:
3981
3982 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>