Unreviewed, rolling out r220144.
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-08-07  Commit Queue  <commit-queue@webkit.org>
2
3         Unreviewed, rolling out r220144.
4         https://bugs.webkit.org/show_bug.cgi?id=175276
5
6         "It did not actually speed things up in the way I expected"
7         (Requested by saamyjoon on #webkit).
8
9         Reverted changeset:
10
11         "On memory-constrained iOS devices, reduce the rate at which
12         the JS heap grows before a GC to try to keep more memory
13         available for the system"
14         https://bugs.webkit.org/show_bug.cgi?id=175041
15         http://trac.webkit.org/changeset/220144
16
17 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
18
19         Unreviewed, rolling out r220299.
20
21         This change caused LayoutTest inspector/dom-debugger/dom-breakpoints.html
22         to fail.
23
24         Reverted changeset:
25
26         "Web Inspector: capture async stack trace when workers/main
27         context posts a message"
28         https://bugs.webkit.org/show_bug.cgi?id=167084
29         http://trac.webkit.org/changeset/220299
30
31 2017-08-07  Brian Burg  <bburg@apple.com>
32
33         Remove CANVAS_PATH compilation guard
34         https://bugs.webkit.org/show_bug.cgi?id=175207
35
36         Reviewed by Sam Weinig.
37
38         * Configurations/FeatureDefines.xcconfig:
39
40 2017-08-07  Keith Miller  <keith_miller@apple.com>
41
42         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
43         https://bugs.webkit.org/show_bug.cgi?id=175256
44
45         Reviewed by Saam Barati.
46
47         The check in createFromBytes just needed to check that the buffer was not null before
48         calling isCaged.
49
50         * runtime/ArrayBuffer.cpp:
51         (JSC::ArrayBuffer::createFromBytes):
52
53 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
54
55         [GTK][WPE] Add API to provide browser information required by automation
56         https://bugs.webkit.org/show_bug.cgi?id=175130
57
58         Reviewed by Brian Burg.
59
60         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
61         get them.
62
63         * inspector/remote/RemoteInspector.cpp:
64         (Inspector::RemoteInspector::updateClientCapabilities): Update also browserName and browserVersion.
65         * inspector/remote/RemoteInspector.h:
66         * inspector/remote/glib/RemoteInspectorGlib.cpp:
67         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
68         requested to ensure they are updated before the StartAutomationSession reply is sent.
69         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
70         StartAutomationSession message.
71
72 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
73
74         Promise resolve and reject function should have length = 1
75         https://bugs.webkit.org/show_bug.cgi?id=175242
76
77         Reviewed by Saam Barati.
78
79         Previously we had a separate system for "length" and "name" for builtin functions.
80         The builtin functions do not use the lazy reifying system. Instead, they have direct
81         properties set when instantiated. While the function created for properties (like
82         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
83         these builtin functions are just created by JSFunction::create(). Since it does
84         not set any value for "length", these functions do not have a "length" property.
85         So, the resolve and reject functions passed to Promise's executor do not have a
86         "length" property.
87
88         This patch makes builtin functions use the standard lazy reifying system for "length".
89         So, the "length" property of a builtin function just works as it does for normal
90         functions.
91
92         * runtime/JSFunction.cpp:
93         (JSC::JSFunction::createBuiltinFunction):
94         (JSC::JSFunction::getOwnPropertySlot):
95         (JSC::JSFunction::getOwnNonIndexPropertyNames):
96         (JSC::JSFunction::put):
97         (JSC::JSFunction::deleteProperty):
98         (JSC::JSFunction::defineOwnProperty):
99         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
100         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
101         (JSC::JSFunction::reifyLazyLengthIfNeeded):
102         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
103         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
104         * runtime/JSFunction.h:
105
106 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
107
108         [ESNext] Async iteration - Implement Async Generator - parser
109         https://bugs.webkit.org/show_bug.cgi?id=175210
110
111         Reviewed by Yusuke Suzuki.
112
113         The current implementation is a draft version of Async Iteration.
114         Link to spec: https://tc39.github.io/proposal-async-iteration/
115
116         The current patch implements only the parser part of the Async generator.
117         The runtime part will be in the next patches.
118
119         * parser/ASTBuilder.h:
120         (JSC::ASTBuilder::createFunctionMetadata):
121         * parser/Parser.cpp:
122         (JSC::getAsynFunctionBodyParseMode):
123         (JSC::Parser<LexerType>::parseInner):
124         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
125         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
126         (JSC::stringArticleForFunctionMode):
127         (JSC::stringForFunctionMode):
128         (JSC::Parser<LexerType>::parseFunctionInfo):
129         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
130         (JSC::Parser<LexerType>::parseClass):
131         (JSC::Parser<LexerType>::parseProperty):
132         (JSC::Parser<LexerType>::parsePropertyMethod):
133         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
134         * parser/Parser.h:
135         (JSC::Scope::setSourceParseMode):
136         * parser/ParserModes.h:
137         (JSC::isFunctionParseMode):
138         (JSC::isAsyncFunctionParseMode):
139         (JSC::isAsyncArrowFunctionParseMode):
140         (JSC::isAsyncGeneratorFunctionParseMode):
141         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
142         (JSC::isAsyncFunctionWrapperParseMode):
143         (JSC::isAsyncFunctionBodyParseMode):
144         (JSC::isGeneratorMethodParseMode):
145         (JSC::isAsyncMethodParseMode):
146         (JSC::isAsyncGeneratorMethodParseMode):
147         (JSC::isMethodParseMode):
148         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
149         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
150
151 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
152
153         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
154         https://bugs.webkit.org/show_bug.cgi?id=175083
155
156         Reviewed by Oliver Hunt.
157         
158         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
159         even if we are using the pop path.
160         
161         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
162         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
163         the world just because we changed it.
164         
165         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
166         easier to debug leaks.
167
168         * bytecode/AccessCase.cpp:
169         * bytecode/PolymorphicAccess.cpp:
170         * heap/HeapCell.cpp:
171         (JSC::HeapCell::isLive):
172         * heap/HeapCellInlines.h:
173         (JSC::HeapCell::isLive): Deleted.
174         * heap/MarkedAllocator.cpp:
175         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
176         (JSC::MarkedAllocator::endMarking):
177         * heap/MarkedBlockInlines.h:
178         (JSC::MarkedBlock::Handle::specializedSweep):
179         * jit/AssemblyHelpers.cpp:
180         * jit/Repatch.cpp:
181         * runtime/TestRunnerUtils.h:
182         * runtime/VM.cpp:
183         (JSC::waitForVMDestruction):
184         (JSC::VM::~VM):
185
186 2017-08-05  Mark Lam  <mark.lam@apple.com>
187
188         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
189         https://bugs.webkit.org/show_bug.cgi?id=175228
190         <rdar://problem/33735737>
191
192         Reviewed by Saam Barati.
193
194         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
195         delete OSRExit32_64.cpp.
196
197         * CMakeLists.txt:
198         * JavaScriptCore.xcodeproj/project.pbxproj:
199         * dfg/DFGOSRExit.cpp:
200         (JSC::DFG::OSRExit::compileExit):
201         * dfg/DFGOSRExit32_64.cpp: Removed.
202         * jit/GPRInfo.h:
203         (JSC::JSValueSource::payloadGPR const):
204
205 2017-08-04  Youenn Fablet  <youenn@apple.com>
206
207         [Cache API] Add Cache and CacheStorage IDL definitions
208         https://bugs.webkit.org/show_bug.cgi?id=175201
209
210         Reviewed by Brady Eidson.
211
212         * runtime/CommonIdentifiers.h:
213
214 2017-08-04  Mark Lam  <mark.lam@apple.com>
215
216         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
217         https://bugs.webkit.org/show_bug.cgi?id=175230
218         <rdar://problem/33735857>
219
220         Reviewed by Saam Barati.
221
222         * assembler/testmasm.cpp:
223         (JSC::testProbeReadsArgumentRegisters):
224         (JSC::testProbeWritesArgumentRegisters):
225
226 2017-08-04  Mark Lam  <mark.lam@apple.com>
227
228         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
229         https://bugs.webkit.org/show_bug.cgi?id=175214
230         <rdar://problem/33733308>
231
232         Rubber-stamped by Michael Saboff.
233
234         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
235         DFGOSRExitCompiler files.
236
237         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
238
239         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
240         used by compileOSRExit(), and will be changed to not be a DFG operation function
241         when we use JIT probes for DFG OSR exits later in
242         https://bugs.webkit.org/show_bug.cgi?id=175144.
243
244         * CMakeLists.txt:
245         * JavaScriptCore.xcodeproj/project.pbxproj:
246         * dfg/DFGJITCompiler.cpp:
247         * dfg/DFGOSRExit.cpp:
248         (JSC::DFG::OSRExit::emitRestoreArguments):
249         (JSC::DFG::OSRExit::compileOSRExit):
250         (JSC::DFG::OSRExit::compileExit):
251         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
252         * dfg/DFGOSRExit.h:
253         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
254         * dfg/DFGOSRExitCompiler.cpp: Removed.
255         * dfg/DFGOSRExitCompiler.h: Removed.
256         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
257         * dfg/DFGOSRExitCompiler64.cpp: Removed.
258         * dfg/DFGOperations.cpp:
259         * dfg/DFGOperations.h:
260         * dfg/DFGThunks.cpp:
261
262 2017-08-04  Matt Baker  <mattbaker@apple.com>
263
264         Web Inspector: capture async stack trace when workers/main context posts a message
265         https://bugs.webkit.org/show_bug.cgi?id=167084
266         <rdar://problem/30033673>
267
268         Reviewed by Brian Burg.
269
270         * inspector/agents/InspectorDebuggerAgent.h:
271         Add `PostMessage` async call type.
272
273 2017-08-04  Mark Lam  <mark.lam@apple.com>
274
275         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
276         https://bugs.webkit.org/show_bug.cgi?id=175208
277         <rdar://problem/33732402>
278
279         Reviewed by Saam Barati.
280
281         This will minimize the code diff and make it easier to review the patch for
282         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
283         steps:
284
285         1. Do the code changes to move methods into OSRExit.
286         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
287         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
288
289         Splitting this refactoring into these 3 steps also makes it easier to review this
290         patch and understand what is being changed.
291
292         * dfg/DFGOSRExit.h:
293         * dfg/DFGOSRExitCompiler.cpp:
294         (JSC::DFG::OSRExit::emitRestoreArguments):
295         (JSC::DFG::OSRExit::compileOSRExit):
296         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
297         (): Deleted.
298         * dfg/DFGOSRExitCompiler.h:
299         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
300         (): Deleted.
301         * dfg/DFGOSRExitCompiler32_64.cpp:
302         (JSC::DFG::OSRExit::compileExit):
303         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
304         * dfg/DFGOSRExitCompiler64.cpp:
305         (JSC::DFG::OSRExit::compileExit):
306         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
307         * dfg/DFGThunks.cpp:
308         (JSC::DFG::osrExitGenerationThunkGenerator):
309
310 2017-08-04  Devin Rousso  <drousso@apple.com>
311
312         Web Inspector: add source view for WebGL shader programs
313         https://bugs.webkit.org/show_bug.cgi?id=138593
314         <rdar://problem/18936194>
315
316         Reviewed by Matt Baker.
317
318         * inspector/protocol/Canvas.json:
319          - Add `ShaderType` enum that contains "vertex" and "fragment".
320          - Add `requestShaderSource` command that will return the original source code for a given
321            shader program and shader type.
322
323 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
324
325         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
326         https://bugs.webkit.org/show_bug.cgi?id=175141
327
328         Reviewed by Mark Lam.
329         
330         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
331         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
332         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
333         determined by the AlignedMemoryAllocator object.
334         
335         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
336         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
337         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
338         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
339         they use the same AlignedMemoryAllocator.
340
341         * CMakeLists.txt:
342         * JavaScriptCore.xcodeproj/project.pbxproj:
343         * heap/AlignedMemoryAllocator.cpp: Added.
344         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
345         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
346         * heap/AlignedMemoryAllocator.h: Added.
347         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
348         (JSC::FastMallocAlignedMemoryAllocator::singleton):
349         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
350         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
351         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
352         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
353         (JSC::FastMallocAlignedMemoryAllocator::dump const):
354         * heap/FastMallocAlignedMemoryAllocator.h: Added.
355         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
356         (JSC::GigacageAlignedMemoryAllocator::singleton):
357         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
358         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
359         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
360         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
361         (JSC::GigacageAlignedMemoryAllocator::dump const):
362         * heap/GigacageAlignedMemoryAllocator.h: Added.
363         * heap/GigacageSubspace.cpp: Removed.
364         * heap/GigacageSubspace.h: Removed.
365         * heap/LargeAllocation.cpp:
366         (JSC::LargeAllocation::tryCreate):
367         (JSC::LargeAllocation::destroy):
368         * heap/MarkedAllocator.cpp:
369         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
370         * heap/MarkedBlock.cpp:
371         (JSC::MarkedBlock::tryCreate):
372         (JSC::MarkedBlock::Handle::Handle):
373         (JSC::MarkedBlock::Handle::~Handle):
374         (JSC::MarkedBlock::Handle::didAddToAllocator):
375         (JSC::MarkedBlock::Handle::subspace const):
376         * heap/MarkedBlock.h:
377         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
378         (JSC::MarkedBlock::Handle::subspace const): Deleted.
379         * heap/Subspace.cpp:
380         (JSC::Subspace::Subspace):
381         (JSC::Subspace::findEmptyBlockToSteal):
382         (JSC::Subspace::canTradeBlocksWith): Deleted.
383         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
384         (JSC::Subspace::freeAlignedMemory): Deleted.
385         * heap/Subspace.h:
386         (JSC::Subspace::name const):
387         (JSC::Subspace::alignedMemoryAllocator const):
388         * runtime/JSDestructibleObjectSubspace.cpp:
389         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
390         * runtime/JSDestructibleObjectSubspace.h:
391         * runtime/JSSegmentedVariableObjectSubspace.cpp:
392         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
393         * runtime/JSSegmentedVariableObjectSubspace.h:
394         * runtime/JSStringSubspace.cpp:
395         (JSC::JSStringSubspace::JSStringSubspace):
396         * runtime/JSStringSubspace.h:
397         * runtime/VM.cpp:
398         (JSC::VM::VM):
399         * runtime/VM.h:
400         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
401         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
402         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
403
404 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
405
406         [ESNext] Async iteration - update feature.json
407         https://bugs.webkit.org/show_bug.cgi?id=175197
408
409         Reviewed by Yusuke Suzuki.
410
411         Update feature.json to add the status of Async Iteration.
412
413         * features.json:
414
415 2017-08-04  Matt Lewis  <jlewis3@apple.com>
416
417         Unreviewed, rolling out r220271.
418
419         Rolling out due to Layout Test failing on iOS Simulator.
420
421         Reverted changeset:
422
423         "Remove STREAMS_API compilation guard"
424         https://bugs.webkit.org/show_bug.cgi?id=175165
425         http://trac.webkit.org/changeset/220271
426
427 2017-08-04  Youenn Fablet  <youenn@apple.com>
428
429         Remove STREAMS_API compilation guard
430         https://bugs.webkit.org/show_bug.cgi?id=175165
431
432         Reviewed by Darin Adler.
433
434         * Configurations/FeatureDefines.xcconfig:
435
436 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
437
438         [EsNext] Async iteration - Add feature flag
439         https://bugs.webkit.org/show_bug.cgi?id=166694
440
441         Reviewed by Yusuke Suzuki.
442
443         Add a feature flag to JSC to switch Async Iterator on/off.
444
445         * runtime/Options.h:
446
447 2017-08-03  Brian Burg  <bburg@apple.com>
448
449         Remove ENABLE(WEB_SOCKET) guards
450         https://bugs.webkit.org/show_bug.cgi?id=167044
451
452         Reviewed by Joseph Pecoraro.
453
454         * Configurations/FeatureDefines.xcconfig:
455
456 2017-08-03  Youenn Fablet  <youenn@apple.com>
457
458         Remove FETCH_API compilation guard
459         https://bugs.webkit.org/show_bug.cgi?id=175154
460
461         Reviewed by Chris Dumez.
462
463         * Configurations/FeatureDefines.xcconfig:
464
465 2017-08-03  Matt Baker  <mattbaker@apple.com>
466
467         Web Inspector: Instrument WebGLProgram created/deleted
468         https://bugs.webkit.org/show_bug.cgi?id=175059
469
470         Reviewed by Devin Rousso.
471
472         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
473
474         * inspector/protocol/Canvas.json:
475
476 2017-08-03  Brady Eidson  <beidson@apple.com>
477
478         Add SW IDLs and stub out basic functionality.
479         https://bugs.webkit.org/show_bug.cgi?id=175115
480
481         Reviewed by Chris Dumez.
482
483         * Configurations/FeatureDefines.xcconfig:
484
485         * runtime/CommonIdentifiers.h:
486
487 2017-08-03  Mark Lam  <mark.lam@apple.com>
488
489         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
490         https://bugs.webkit.org/show_bug.cgi?id=175142
491         <rdar://problem/33704528>
492
493         Reviewed by Filip Pizlo.
494
495         The convention in the rest of JSC for such methods which return the address of
496         a field is to name them "addressOf<field name>".  We'll rename
497         ScratchBuffer::activeLengthPtr to be consistent with this convention.
498
499         * dfg/DFGSpeculativeJIT.cpp:
500         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
501         * dfg/DFGSpeculativeJIT32_64.cpp:
502         (JSC::DFG::SpeculativeJIT::compile):
503         * dfg/DFGSpeculativeJIT64.cpp:
504         (JSC::DFG::SpeculativeJIT::compile):
505         * dfg/DFGThunks.cpp:
506         (JSC::DFG::osrExitGenerationThunkGenerator):
507         * ftl/FTLLowerDFGToB3.cpp:
508         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
509         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
510         * ftl/FTLThunks.cpp:
511         (JSC::FTL::genericGenerationThunkGenerator):
512         * jit/AssemblyHelpers.cpp:
513         (JSC::AssemblyHelpers::debugCall):
514         * jit/ScratchRegisterAllocator.cpp:
515         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
516         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
517         * runtime/VM.h:
518         (JSC::ScratchBuffer::addressOfActiveLength):
519         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
520         * wasm/WasmBinding.cpp:
521         (JSC::Wasm::wasmToJs):
522
523 2017-08-02  Devin Rousso  <drousso@apple.com>
524
525         Web Inspector: add stack trace information for each RecordingAction
526         https://bugs.webkit.org/show_bug.cgi?id=174663
527
528         Reviewed by Joseph Pecoraro.
529
530         * inspector/ScriptCallFrame.h:
531         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
532         with an existing value doesn't require a functor and can use existing code.
533
534         * interpreter/StackVisitor.h:
535         * interpreter/StackVisitor.cpp:
536         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
537
538 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
539
540         Merge WTFThreadData to Thread::current
541         https://bugs.webkit.org/show_bug.cgi?id=174716
542
543         Reviewed by Mark Lam.
544
545         Use Thread::current() instead.
546
547         * API/JSContext.mm:
548         (+[JSContext currentContext]):
549         (+[JSContext currentThis]):
550         (+[JSContext currentCallee]):
551         (+[JSContext currentArguments]):
552         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
553         (-[JSContext endCallbackWithData:]):
554         * heap/Heap.cpp:
555         (JSC::Heap::requestCollection):
556         * runtime/Completion.cpp:
557         (JSC::checkSyntax):
558         (JSC::checkModuleSyntax):
559         (JSC::evaluate):
560         (JSC::loadAndEvaluateModule):
561         (JSC::loadModule):
562         (JSC::linkAndEvaluateModule):
563         (JSC::importModule):
564         * runtime/Identifier.cpp:
565         (JSC::Identifier::checkCurrentAtomicStringTable):
566         * runtime/InitializeThreading.cpp:
567         (JSC::initializeThreading):
568         * runtime/JSLock.cpp:
569         (JSC::JSLock::didAcquireLock):
570         (JSC::JSLock::willReleaseLock):
571         (JSC::JSLock::dropAllLocks):
572         (JSC::JSLock::grabAllLocks):
573         * runtime/JSLock.h:
574         * runtime/VM.cpp:
575         (JSC::VM::VM):
576         (JSC::VM::updateStackLimits):
577         (JSC::VM::committedStackByteCount):
578         * runtime/VM.h:
579         (JSC::VM::isSafeToRecurse const):
580         * runtime/VMEntryScope.cpp:
581         (JSC::VMEntryScope::VMEntryScope):
582         * runtime/VMInlines.h:
583         (JSC::VM::ensureStackCapacityFor):
584         * yarr/YarrPattern.cpp:
585         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
586
587 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
588
589         LLInt should do pointer caging
590         https://bugs.webkit.org/show_bug.cgi?id=175036
591
592         Reviewed by Keith Miller.
593
594         Implementing this in the LLInt was challenging because offlineasm did not previously know
595         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
596         to be where the Gigacage is enabled right now.
597
598         * llint/LLIntOfflineAsmConfig.h:
599         * llint/LowLevelInterpreter64.asm:
600         * offlineasm/ast.rb:
601         * offlineasm/x86.rb:
602
603 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
604
605         Sweeping should only scribble when sweeping to free list
606         https://bugs.webkit.org/show_bug.cgi?id=175105
607
608         Reviewed by Saam Barati.
609         
610         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
611         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
612         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
613         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
614         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
615         when it doesn't matter anyway because we're building a free list.
616         
617         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
618         zap.
619
620         * heap/MarkedBlockInlines.h:
621         (JSC::MarkedBlock::Handle::specializedSweep):
622
623 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
624
625         All C++ accesses to JSObject::m_butterfly should do caging
626         https://bugs.webkit.org/show_bug.cgi?id=175039
627
628         Reviewed by Keith Miller.
629         
630         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
631         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
632         outside the gigacage.
633
634         * runtime/JSArray.cpp:
635         (JSC::JSArray::setLength):
636         (JSC::JSArray::pop):
637         (JSC::JSArray::push):
638         (JSC::JSArray::shiftCountWithAnyIndexingType):
639         (JSC::JSArray::unshiftCountWithAnyIndexingType):
640         (JSC::JSArray::fillArgList):
641         (JSC::JSArray::copyToArguments):
642         * runtime/JSObject.cpp:
643         (JSC::JSObject::heapSnapshot):
644         (JSC::JSObject::createInitialIndexedStorage):
645         (JSC::JSObject::createArrayStorage):
646         (JSC::JSObject::convertUndecidedToInt32):
647         (JSC::JSObject::convertUndecidedToDouble):
648         (JSC::JSObject::convertUndecidedToContiguous):
649         (JSC::JSObject::convertInt32ToDouble):
650         (JSC::JSObject::convertInt32ToArrayStorage):
651         (JSC::JSObject::convertDoubleToContiguous):
652         (JSC::JSObject::convertDoubleToArrayStorage):
653         (JSC::JSObject::convertContiguousToArrayStorage):
654         (JSC::JSObject::defineOwnIndexedProperty):
655         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
656         (JSC::JSObject::ensureLengthSlow):
657         (JSC::JSObject::allocateMoreOutOfLineStorage):
658         * runtime/JSObject.h:
659         (JSC::JSObject::canGetIndexQuickly):
660         (JSC::JSObject::getIndexQuickly):
661         (JSC::JSObject::tryGetIndexQuickly const):
662         (JSC::JSObject::canSetIndexQuickly):
663         (JSC::JSObject::setIndexQuickly):
664         (JSC::JSObject::initializeIndex):
665         (JSC::JSObject::initializeIndexWithoutBarrier):
666         (JSC::JSObject::butterfly const):
667         (JSC::JSObject::butterfly):
668
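Added illustration (not WebKit code) of the pointer caging described in the two Filip Pizlo entries on this page, bugs 175039 and 174727: a toy cage whose base is aligned to its own size, a caged() that keeps only a pointer's in-cage offset bits and ORs in the base so an access can never leave the region, and the null-pointer caveat from the createFromBytes fix (bug 175256). The cage size, the bump allocator and every name below are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy cage: 1 MiB, base aligned to CAGE_SIZE so its low bits are zero.
 * Constructed for this illustration; the real Gigacage is a multi-GB VM region. */
#define CAGE_SIZE ((size_t)1 << 20)
#define CAGE_MASK ((uintptr_t)(CAGE_SIZE - 1))

static void *cage_raw;        /* malloc'd backing so we need no platform-specific API */
static uintptr_t cage_base;   /* 0 = cage disabled; pointers then pass through uncaged */
static size_t cage_used;

/* Reserve the cage region and align its base. Returns false on allocation failure. */
bool cage_init(void)
{
    cage_raw = malloc(2 * CAGE_SIZE);  /* over-allocate so we can round the base up */
    if (!cage_raw)
        return false;
    cage_base = ((uintptr_t)cage_raw + CAGE_MASK) & ~CAGE_MASK;
    cage_used = 0;
    return true;
}

/* Bump-allocate inside the cage (stands in for the auxiliary/butterfly allocator). */
void *cage_alloc(size_t bytes)
{
    bytes = (bytes + 15) & ~(size_t)15;  /* keep 16-byte alignment */
    if (!cage_base || cage_used + bytes > CAGE_SIZE)
        return NULL;
    void *p = (void *)(cage_base + cage_used);
    cage_used += bytes;
    return p;
}

/* True if p lies inside the cage. Callers must reject NULL before calling this;
 * forgetting that check is the bug the createFromBytes entry above fixed. */
bool is_caged(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    return cage_base != 0 && a >= cage_base && a < cage_base + CAGE_SIZE;
}

/* Force a pointer into the cage: mask to the in-cage offset, then OR in the base.
 * A pointer that was corrupted to point elsewhere is redirected to some address
 * inside the cage instead of reaching arbitrary memory. */
void *caged(void *p)
{
    if (!cage_base)
        return p;  /* cage disabled (the gmalloc case on this page): no masking */
    return (void *)(((uintptr_t)p & CAGE_MASK) | cage_base);
}

/* Model of an object whose backing store (butterfly) lives in the cage. */
typedef struct {
    int32_t *butterfly;  /* the field a bug might corrupt; accesses always go via caged() */
    size_t length;
} toy_object;

/* Hardened read: dereferences the caged address, never the raw field value. */
int32_t toy_get(const toy_object *obj, size_t i)
{
    int32_t *store = caged(obj->butterfly);
    return store[i];
}

int main(void)
{
    if (!cage_init())
        return 1;
    toy_object obj = { cage_alloc(4 * sizeof(int32_t)), 4 };
    for (size_t i = 0; i < obj.length; i++)
        obj.butterfly[i] = (int32_t)(i * 10);
    printf("butterfly in cage: %d, element[2] = %d\n", is_caged(obj.butterfly), toy_get(&obj, 2));
    int32_t elsewhere[4] = { 0, 0, 0, 0 };
    printf("stack pointer in cage: %d, after caged(): %d\n",
           is_caged(elsewhere), is_caged(caged(elsewhere)));
    return 0;
}
```
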
669 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
670
671         We should be OK with the gigacage being disabled on gmalloc
672         https://bugs.webkit.org/show_bug.cgi?id=175082
673
674         Reviewed by Michael Saboff.
675
676         * jsc.cpp:
677         (jscmain):
678
679 2017-08-02  Saam Barati  <sbarati@apple.com>
680
681         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
682         https://bugs.webkit.org/show_bug.cgi?id=175041
683         <rdar://problem/33659370>
684
685         Reviewed by Filip Pizlo.
686
687         The testing I have done shows that this new function is a ~10%
688         progression running JetStream on 1GB iOS devices. I've also tried
689         this on a few > 1GB iOS devices, and the testing shows this is either neutral
690         or a regression. Right now, we'll just enable this for <= 1GB devices
691         since it's a win. In the future, we might want to either look into
692         tweaking these parameters or coming up with a new function for > 1GB
693         devices.
694
695         * heap/Heap.cpp:
696         * runtime/Options.h:
697
698 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
699
700         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
701         https://bugs.webkit.org/show_bug.cgi?id=174727
702
703         Reviewed by Mark Lam.
704         
705         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
706         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
707         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
708         
709         This is neutral on JetStream.
710
711         * CMakeLists.txt:
712         * JavaScriptCore.xcodeproj/project.pbxproj:
713         * b3/B3InsertionSet.cpp:
714         (JSC::B3::InsertionSet::execute):
715         * dfg/DFGAbstractInterpreterInlines.h:
716         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
717         * dfg/DFGArgumentsEliminationPhase.cpp:
718         * dfg/DFGClobberize.cpp:
719         (JSC::DFG::readsOverlap):
720         * dfg/DFGClobberize.h:
721         (JSC::DFG::clobberize):
722         * dfg/DFGDoesGC.cpp:
723         (JSC::DFG::doesGC):
724         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
725         (JSC::DFG::performFixedButterflyAccessUncaging):
726         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
727         * dfg/DFGFixupPhase.cpp:
728         (JSC::DFG::FixupPhase::fixupNode):
729         * dfg/DFGHeapLocation.cpp:
730         (WTF::printInternal):
731         * dfg/DFGHeapLocation.h:
732         * dfg/DFGNodeType.h:
733         * dfg/DFGPlan.cpp:
734         (JSC::DFG::Plan::compileInThreadImpl):
735         * dfg/DFGPredictionPropagationPhase.cpp:
736         * dfg/DFGSafeToExecute.h:
737         (JSC::DFG::safeToExecute):
738         * dfg/DFGSpeculativeJIT.cpp:
739         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
740         * dfg/DFGSpeculativeJIT32_64.cpp:
741         (JSC::DFG::SpeculativeJIT::compile):
742         * dfg/DFGSpeculativeJIT64.cpp:
743         (JSC::DFG::SpeculativeJIT::compile):
744         * dfg/DFGTypeCheckHoistingPhase.cpp:
745         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
746         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
747         * ftl/FTLCapabilities.cpp:
748         (JSC::FTL::canCompile):
749         * ftl/FTLLowerDFGToB3.cpp:
750         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
751         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
752         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
753         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
754         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
755         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
756         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
757         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
758         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
759         (JSC::FTL::DFG::LowerDFGToB3::caged):
760         * heap/GigacageSubspace.cpp: Added.
761         (JSC::GigacageSubspace::GigacageSubspace):
762         (JSC::GigacageSubspace::~GigacageSubspace):
763         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
764         (JSC::GigacageSubspace::freeAlignedMemory):
765         (JSC::GigacageSubspace::canTradeBlocksWith):
766         * heap/GigacageSubspace.h: Added.
767         * heap/Heap.cpp:
768         (JSC::Heap::Heap):
769         (JSC::Heap::lastChanceToFinalize):
770         (JSC::Heap::finalize):
771         (JSC::Heap::sweepInFinalize):
772         (JSC::Heap::updateAllocationLimits):
773         (JSC::Heap::shouldDoFullCollection):
774         (JSC::Heap::collectIfNecessaryOrDefer):
775         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
776         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
777         (JSC::Heap::sweepLargeAllocations): Deleted.
778         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
779         * heap/Heap.h:
780         * heap/LargeAllocation.cpp:
781         (JSC::LargeAllocation::tryCreate):
782         (JSC::LargeAllocation::destroy):
783         * heap/MarkedAllocator.cpp:
784         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
785         (JSC::MarkedAllocator::tryAllocateBlock):
786         * heap/MarkedBlock.cpp:
787         (JSC::MarkedBlock::tryCreate):
788         (JSC::MarkedBlock::Handle::Handle):
789         (JSC::MarkedBlock::Handle::~Handle):
790         (JSC::MarkedBlock::Handle::didAddToAllocator):
791         (JSC::MarkedBlock::Handle::subspace const): Deleted.
792         * heap/MarkedBlock.h:
793         (JSC::MarkedBlock::Handle::subspace const):
794         * heap/MarkedSpace.cpp:
795         (JSC::MarkedSpace::~MarkedSpace):
796         (JSC::MarkedSpace::freeMemory):
797         (JSC::MarkedSpace::prepareForAllocation):
798         (JSC::MarkedSpace::addMarkedAllocator):
799         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
800         * heap/MarkedSpace.h:
801         (JSC::MarkedSpace::firstAllocator const):
802         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
803         * heap/Subspace.cpp:
804         (JSC::Subspace::Subspace):
805         (JSC::Subspace::canTradeBlocksWith):
806         (JSC::Subspace::tryAllocateAlignedMemory):
807         (JSC::Subspace::freeAlignedMemory):
808         (JSC::Subspace::prepareForAllocation):
809         (JSC::Subspace::findEmptyBlockToSteal):
810         * heap/Subspace.h:
811         (JSC::Subspace::didCreateFirstAllocator):
812         * heap/SubspaceInlines.h:
813         (JSC::Subspace::forEachAllocator):
814         (JSC::Subspace::forEachMarkedBlock):
815         (JSC::Subspace::forEachNotEmptyMarkedBlock):
816         * jit/JITPropertyAccess.cpp:
817         (JSC::JIT::emitDoubleLoad):
818         (JSC::JIT::emitContiguousLoad):
819         (JSC::JIT::emitArrayStorageLoad):
820         (JSC::JIT::emitGenericContiguousPutByVal):
821         (JSC::JIT::emitArrayStoragePutByVal):
822         (JSC::JIT::emit_op_get_from_scope):
823         (JSC::JIT::emit_op_put_to_scope):
824         (JSC::JIT::emitIntTypedArrayGetByVal):
825         (JSC::JIT::emitFloatTypedArrayGetByVal):
826         (JSC::JIT::emitIntTypedArrayPutByVal):
827         (JSC::JIT::emitFloatTypedArrayPutByVal):
828         * jsc.cpp:
829         (fillBufferWithContentsOfFile):
830         (functionReadFile):
831         (gigacageDisabled):
832         (jscmain):
833         * llint/LowLevelInterpreter64.asm:
834         * runtime/ArrayBuffer.cpp:
835         (JSC::ArrayBufferContents::tryAllocate):
836         (JSC::ArrayBuffer::createAdopted):
837         (JSC::ArrayBuffer::createFromBytes):
838         (JSC::ArrayBuffer::tryCreate):
839         * runtime/IndexingHeader.h:
840         * runtime/InitializeThreading.cpp:
841         (JSC::initializeThreading):
842         * runtime/JSArrayBuffer.cpp:
843         * runtime/JSArrayBufferView.cpp:
844         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
845         (JSC::JSArrayBufferView::finalize):
846         * runtime/JSLock.cpp:
847         (JSC::JSLock::didAcquireLock):
848         * runtime/JSObject.h:
849         * runtime/Options.cpp:
850         (JSC::recomputeDependentOptions):
851         * runtime/Options.h:
852         * runtime/ScopedArgumentsTable.h:
853         * runtime/VM.cpp:
854         (JSC::VM::VM):
855         (JSC::VM::~VM):
856         (JSC::VM::gigacageDisabledCallback):
857         (JSC::VM::gigacageDisabled):
858         * runtime/VM.h:
859         (JSC::VM::fireGigacageEnabledIfNecessary):
860         (JSC::VM::gigacageEnabled):
861         * wasm/WasmB3IRGenerator.cpp:
862         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
863         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
864         * wasm/WasmCodeBlock.cpp:
865         (JSC::Wasm::CodeBlock::isSafeToRun):
866         * wasm/WasmMemory.cpp:
867         (JSC::Wasm::makeString):
868         (JSC::Wasm::Memory::create):
869         (JSC::Wasm::Memory::~Memory):
870         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
871         (JSC::Wasm::Memory::grow):
872         (JSC::Wasm::Memory::initializePreallocations): Deleted.
873         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
874         * wasm/WasmMemory.h:
875         * wasm/js/JSWebAssemblyInstance.cpp:
876         (JSC::JSWebAssemblyInstance::create):
877         * wasm/js/JSWebAssemblyMemory.cpp:
878         (JSC::JSWebAssemblyMemory::grow):
879         (JSC::JSWebAssemblyMemory::finishCreation):
880         * wasm/js/JSWebAssemblyMemory.h:
881         (JSC::JSWebAssemblyMemory::subspaceFor):
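
The entry above says that the FTL "cages" butterfly and typed array accesses by masking the pointer so that it can only point into the gigacage. The following C++ is an added illustration of that masking, not code from WebKit or from this changeset; the cage base, cage size and the corrupted pointer value are constructed for the example, and `caged`, `inCage`, `uncagedElementAddress` and `cagedElementAddress` are hypothetical names. Only address arithmetic is performed; nothing is dereferenced.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Constructed cage geometry for illustration (not WebKit's real values):
// a 4 GiB region starting at an arbitrary base.  Only address arithmetic is
// done here; nothing is ever dereferenced.
constexpr uintptr_t kCageBase = uintptr_t(1) << 44;   // 0x1000'0000'0000
constexpr uintptr_t kCageSize = uintptr_t(1) << 32;   // must be a power of two
constexpr uintptr_t kCageMask = kCageSize - 1;
static_assert((kCageSize & kCageMask) == 0, "cage size must be a power of two");

// "Cage" a pointer: keep only the low bits (its offset inside the cage) and
// rebase them onto the cage base.  A pointer that already points into the
// cage is unchanged; any other value is folded back inside the region.
constexpr uintptr_t caged(uintptr_t ptr) {
    return kCageBase + (ptr & kCageMask);
}

constexpr bool inCage(uintptr_t ptr) {
    return ptr >= kCageBase && ptr - kCageBase < kCageSize;
}

// Toy butterfly/typed-array element access.  `backingStore` is the pointer an
// object stores to its out-of-line storage.  If that field is corrupted, the
// uncaged form computes an address anywhere in memory, while the caged form
// can only ever produce an address inside the cage.
uintptr_t uncagedElementAddress(uintptr_t backingStore, size_t index) {
    return backingStore + index * sizeof(uint64_t);
}

uintptr_t cagedElementAddress(uintptr_t backingStore, size_t index) {
    return caged(backingStore) + index * sizeof(uint64_t);
}

int main() {
    const uintptr_t corrupted = 0x41414141414141ULL;  // constructed bogus pointer
    std::printf("uncaged: %#llx (in cage: %d)\n",
                (unsigned long long)uncagedElementAddress(corrupted, 0),
                inCage(uncagedElementAddress(corrupted, 0)));
    std::printf("caged:   %#llx (in cage: %d)\n",
                (unsigned long long)cagedElementAddress(corrupted, 0),
                inCage(cagedElementAddress(corrupted, 0)));
    return 0;
}
```

The mask only bounds the base pointer, not the element index: the index still needs its own bounds check, and a sufficiently large index can step past the end of the cage, which is why a cage of this kind wants an unmapped guard region beyond its end. The masking also only helps if the cage size is a power of two and the base is aligned to it, which the `static_assert` above guards.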
882
883 2017-07-31  Mark Lam  <mark.lam@apple.com>
884
885         Added some UNLIKELYs to operationOptimize().
886         https://bugs.webkit.org/show_bug.cgi?id=174976
887
888         Reviewed by JF Bastien.
889
890         * jit/JITOperations.cpp:
891
892 2017-07-31  Keith Miller  <keith_miller@apple.com>
893
894         Make more things LLInt constexprs
895         https://bugs.webkit.org/show_bug.cgi?id=174994
896
897         Reviewed by Saam Barati.
898
899         This patch makes more of the const values in the LLInt constexprs.
900         It also deletes all of the no longer necessary static_asserts in
901         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
902
903         * interpreter/ShadowChicken.h:
904         (JSC::ShadowChicken::Packet::tailMarker):
905         * llint/LLIntData.cpp:
906         (JSC::LLInt::Data::performAssertions):
907         * llint/LowLevelInterpreter.asm:
908         * offlineasm/generate_offset_extractor.rb:
909         * offlineasm/parser.rb:
910
911 2017-07-31  Matt Lewis  <jlewis3@apple.com>
912
913         Unreviewed, rolling out r220060.
914
915         This broke our internal builds. Contact reviewer of patch for
916         more information.
917
918         Reverted changeset:
919
920         "Merge WTFThreadData to Thread::current"
921         https://bugs.webkit.org/show_bug.cgi?id=174716
922         http://trac.webkit.org/changeset/220060
923
924 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
925
926         [JSC] Support optional catch binding
927         https://bugs.webkit.org/show_bug.cgi?id=174981
928
929         Reviewed by Saam Barati.
930
931         This patch implements the optional catch binding proposal [1], which is now stage 3.
932         This proposal adds a new `catch` brace with no error value binding.
933
934             ```
935                 try {
936                     ...
937                 } catch {
938                     ...
939                 }
940             ```
941
942         Sometimes we do not actually need the error value. For example, a function may return a
943         boolean that indicates whether it succeeded.
944
945             ```
946             function parse(result) // -> bool
947             {
948                  try {
949                      parseInner(result);
950                  } catch {
951                      return false;
952                  }
953                  return true;
954             }
955             ```
956
957         In the above case, we are not interested in the actual error value. Without this syntax,
958         we always need to introduce a binding for an error value that is just ignored.
959
960         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
961
962         * bytecompiler/NodesCodegen.cpp:
963         (JSC::TryNode::emitBytecode):
964         * parser/Parser.cpp:
965         (JSC::Parser<LexerType>::parseTryStatement):
966
967 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
968
969         Merge WTFThreadData to Thread::current
970         https://bugs.webkit.org/show_bug.cgi?id=174716
971
972         Reviewed by Sam Weinig.
973
974         Use Thread::current() instead.
975
976         * API/JSContext.mm:
977         (+[JSContext currentContext]):
978         (+[JSContext currentThis]):
979         (+[JSContext currentCallee]):
980         (+[JSContext currentArguments]):
981         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
982         (-[JSContext endCallbackWithData:]):
983         * heap/Heap.cpp:
984         (JSC::Heap::requestCollection):
985         * runtime/Completion.cpp:
986         (JSC::checkSyntax):
987         (JSC::checkModuleSyntax):
988         (JSC::evaluate):
989         (JSC::loadAndEvaluateModule):
990         (JSC::loadModule):
991         (JSC::linkAndEvaluateModule):
992         (JSC::importModule):
993         * runtime/Identifier.cpp:
994         (JSC::Identifier::checkCurrentAtomicStringTable):
995         * runtime/InitializeThreading.cpp:
996         (JSC::initializeThreading):
997         * runtime/JSLock.cpp:
998         (JSC::JSLock::didAcquireLock):
999         (JSC::JSLock::willReleaseLock):
1000         (JSC::JSLock::dropAllLocks):
1001         (JSC::JSLock::grabAllLocks):
1002         * runtime/JSLock.h:
1003         * runtime/VM.cpp:
1004         (JSC::VM::VM):
1005         (JSC::VM::updateStackLimits):
1006         (JSC::VM::committedStackByteCount):
1007         * runtime/VM.h:
1008         (JSC::VM::isSafeToRecurse const):
1009         * runtime/VMEntryScope.cpp:
1010         (JSC::VMEntryScope::VMEntryScope):
1011         * runtime/VMInlines.h:
1012         (JSC::VM::ensureStackCapacityFor):
1013         * yarr/YarrPattern.cpp:
1014         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1015
1016 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1017
1018         [WTF] Introduce Private Symbols
1019         https://bugs.webkit.org/show_bug.cgi?id=174935
1020
1021         Reviewed by Darin Adler.
1022
1023         Use SymbolImpl::isPrivate().
1024
1025         * builtins/BuiltinNames.cpp:
1026         * builtins/BuiltinNames.h:
1027         (JSC::BuiltinNames::isPrivateName): Deleted.
1028         * builtins/BuiltinUtils.h:
1029         * bytecode/BytecodeIntrinsicRegistry.cpp:
1030         (JSC::BytecodeIntrinsicRegistry::lookup):
1031         * runtime/CommonIdentifiers.cpp:
1032         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1033         * runtime/CommonIdentifiers.h:
1034         * runtime/ExceptionHelpers.cpp:
1035         (JSC::createUndefinedVariableError):
1036         * runtime/Identifier.h:
1037         (JSC::Identifier::isPrivateName):
1038         * runtime/IdentifierInlines.h:
1039         (JSC::identifierToSafePublicJSValue):
1040         * runtime/ObjectConstructor.cpp:
1041         (JSC::objectConstructorAssign):
1042         (JSC::defineProperties):
1043         (JSC::setIntegrityLevel):
1044         (JSC::testIntegrityLevel):
1045         (JSC::ownPropertyKeys):
1046         * runtime/PrivateName.h:
1047         (JSC::PrivateName::PrivateName):
1048         * runtime/PropertyName.h:
1049         (JSC::PropertyName::isPrivateName):
1050         * runtime/ProxyObject.cpp:
1051         (JSC::performProxyGet):
1052         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1053         (JSC::ProxyObject::performHasProperty):
1054         (JSC::ProxyObject::performPut):
1055         (JSC::ProxyObject::performDelete):
1056         (JSC::ProxyObject::performDefineOwnProperty):
1057
1058 2017-07-29  Keith Miller  <keith_miller@apple.com>
1059
1060         LLInt offsets extractor should be able to handle C++ constexprs
1061         https://bugs.webkit.org/show_bug.cgi?id=174964
1062
1063         Reviewed by Saam Barati.
1064
1065         This patch adds new syntax to the offline asm language. The new keyword,
1066         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1067         expression. Additionally, if the value is not an identifier, you can wrap it in
1068         parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1069         which will get converted into:
1070         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1071
1072         This patch also changes the data format the LLIntOffsetsExtractor
1073         binary produces.  Previously, it would produce unsigned values;
1074         after this patch every value is an int64_t.  Using an int64_t is
1075         useful because it means that we can represent any constant needed.
1076         int32_t masks are sign extended, then converted to a negative literal
1077         string in the assembler, so the result will be the constant expected.
1079
1080         * llint/LLIntOffsetsExtractor.cpp:
1081         (JSC::LLIntOffsetsExtractor::dummy):
1082         * llint/LowLevelInterpreter.asm:
1083         * llint/LowLevelInterpreter64.asm:
1084         * offlineasm/asm.rb:
1085         * offlineasm/ast.rb:
1086         * offlineasm/generate_offset_extractor.rb:
1087         * offlineasm/offsets.rb:
1088         * offlineasm/parser.rb:
1089         * offlineasm/transform.rb:
1090
1091 2017-07-28  Matt Baker  <mattbaker@apple.com>
1092
1093         Web Inspector: capture an async stack trace when web content calls addEventListener
1094         https://bugs.webkit.org/show_bug.cgi?id=174739
1095         <rdar://problem/33468197>
1096
1097         Reviewed by Brian Burg.
1098
1099         Allow debugger agents to perform custom logic when asynchronous stack
1100         trace data is cleared. For example, the PageDebuggerAgent would clear
1101         its list of registered listeners for which call stacks have been recorded.
1102
1103         * inspector/agents/InspectorDebuggerAgent.cpp:
1104         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1105         * inspector/agents/InspectorDebuggerAgent.h:
1106
1107 2017-07-28  Mark Lam  <mark.lam@apple.com>
1108
1109         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
1110         https://bugs.webkit.org/show_bug.cgi?id=174948
1111         <rdar://problem/33495680>
1112
1113         Reviewed by Filip Pizlo.
1114
1115         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
1116         owner StructureRareData is already known to be dead (in terms of GC liveness) but
1117         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
1118         requests to fire this watchpoint.
1119
1120         If the GC had the chance to sweep the StructureRareData, thereby destructing the
1121         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
1122         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
1123
1124         But since the watchpoint hasn't been destructed yet, it still remains on the
1125         WatchpointSet and needs to guard against being fired in this state.  The fix is
1126         to simply return early if its owner StructureRareData is not live.  This has the
1127         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
1128         not firing as we would expect.
1129
1130         This patch also removes some cargo cult copying of watchpoint code which
1131         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
1132         used.  This patch removes these unnecessary instantiations.
1133
1134         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1135         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1136         * runtime/StructureRareData.cpp:
1137         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1138         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1139
1140 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1141
1142         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
1143         https://bugs.webkit.org/show_bug.cgi?id=174900
1144
1145         Reviewed by Saam Barati.
1146
1147         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
1148         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
1149         The problem is that even the transforming phase also checks these pseudo terminals.
1150
1151             BB1
1152             1: ForceOSRExit
1153             2: CreateDirectArguments
1154
1155             BB2
1156             3: GetButterfly(@2)
1157             4: ForceOSRExit
1158
1159         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
1160
1161         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
1162
1163         * dfg/DFGArgumentsEliminationPhase.cpp:
1164
1165 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
1166
1167         [ES] Add support finally to Promise
1168         https://bugs.webkit.org/show_bug.cgi?id=174503
1169
1170         Reviewed by Yusuke Suzuki.
1171
1172         Add support for the `finally` method to Promise according to
1173         https://bugs.webkit.org/show_bug.cgi?id=174503
1174         The current spec is at stage 3:
1175         https://github.com/tc39/proposal-promise-finally
1176
1177         * builtins/PromisePrototype.js:
1178         (finally):
1179         (const.valueThunk):
1180         (globalPrivate.getThenFinally):
1181         (const.thrower):
1182         (globalPrivate.getCatchFinally):
1183         * runtime/JSPromisePrototype.cpp:
1184
1185 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1186
1187         Unreviewed, build fix for CLoop
1188         https://bugs.webkit.org/show_bug.cgi?id=171637
1189
1190         * domjit/DOMJITGetterSetter.h:
1191
1192 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1193
1194         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
1195         https://bugs.webkit.org/show_bug.cgi?id=171637
1196
1197         Reviewed by Darin Adler.
1198
1199         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
1200         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
1201
1202         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
1203         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
1204
1205         In IC, we drop CheckSubClass completely since the IC's Structure check subsumes it. We do not enable this optimization for
1206         the op_get_by_id_with_this case yet.
1207         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by the CheckStructure that precedes the CheckSubClass.
1208
1209         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs
1210         the ClassInfo check.
1211
1212         * CMakeLists.txt:
1213         * JavaScriptCore.xcodeproj/project.pbxproj:
1214         * bytecode/AccessCase.cpp:
1215         (JSC::AccessCase::generateImpl):
1216         * bytecode/GetByIdStatus.cpp:
1217         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1218         * bytecode/GetByIdVariant.cpp:
1219         (JSC::GetByIdVariant::GetByIdVariant):
1220         (JSC::GetByIdVariant::operator=):
1221         (JSC::GetByIdVariant::attemptToMerge):
1222         (JSC::GetByIdVariant::dumpInContext):
1223         * bytecode/GetByIdVariant.h:
1224         (JSC::GetByIdVariant::customAccessorGetter):
1225         (JSC::GetByIdVariant::domAttribute):
1226         (JSC::GetByIdVariant::domJIT): Deleted.
1227         * bytecode/GetterSetterAccessCase.cpp:
1228         (JSC::GetterSetterAccessCase::create):
1229         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1230         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1231         * bytecode/GetterSetterAccessCase.h:
1232         (JSC::GetterSetterAccessCase::domAttribute):
1233         (JSC::GetterSetterAccessCase::customAccessor):
1234         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1235         * bytecompiler/BytecodeGenerator.cpp:
1236         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1237         * create_hash_table:
1238         * dfg/DFGAbstractInterpreterInlines.h:
1239         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1240         * dfg/DFGByteCodeParser.cpp:
1241         (JSC::DFG::blessCallDOMGetter):
1242         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1243         (JSC::DFG::ByteCodeParser::handleGetById):
1244         * dfg/DFGClobberize.h:
1245         (JSC::DFG::clobberize):
1246         * dfg/DFGFixupPhase.cpp:
1247         (JSC::DFG::FixupPhase::fixupNode):
1248         * dfg/DFGNode.h:
1249         * dfg/DFGSpeculativeJIT.cpp:
1250         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1251         * dfg/DFGSpeculativeJIT.h:
1252         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1253         * domjit/DOMJITGetterSetter.h:
1254         (JSC::DOMJIT::GetterSetter::GetterSetter):
1255         (JSC::DOMJIT::GetterSetter::getter):
1256         (JSC::DOMJIT::GetterSetter::compiler):
1257         (JSC::DOMJIT::GetterSetter::resultType):
1258         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1259         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1260         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1261         * ftl/FTLLowerDFGToB3.cpp:
1262         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1263         * jit/Repatch.cpp:
1264         (JSC::tryCacheGetByID):
1265         * jsc.cpp:
1266         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1267         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1268         (WTF::DOMJITGetter::customGetter):
1269         (WTF::DOMJITGetter::finishCreation):
1270         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1271         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1272         (WTF::DOMJITGetterComplex::customGetter):
1273         (WTF::DOMJITGetterComplex::finishCreation):
1274         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1275         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1276         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1277         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1278         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1279         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1280         * runtime/CustomGetterSetter.h:
1281         (JSC::CustomGetterSetter::create):
1282         (JSC::CustomGetterSetter::setter):
1283         (JSC::CustomGetterSetter::CustomGetterSetter):
1284         (): Deleted.
1285         * runtime/DOMAnnotation.h: Added.
1286         (JSC::operator==):
1287         (JSC::operator!=):
1288         * runtime/DOMAttributeGetterSetter.cpp: Added.
1289         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1290         (JSC::isDOMAttributeGetterSetter):
1291         * runtime/Error.cpp:
1292         (JSC::throwDOMAttributeGetterTypeError):
1293         * runtime/Error.h:
1294         (JSC::throwVMDOMAttributeGetterTypeError):
1295         * runtime/JSCustomGetterSetterFunction.cpp:
1296         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1297         * runtime/JSObject.cpp:
1298         (JSC::JSObject::putInlineSlow):
1299         (JSC::JSObject::deleteProperty):
1300         (JSC::JSObject::getOwnStaticPropertySlot):
1301         (JSC::JSObject::reifyAllStaticProperties):
1302         (JSC::JSObject::fillGetterPropertySlot):
1303         (JSC::JSObject::findPropertyHashEntry): Deleted.
1304         * runtime/JSObject.h:
1305         (JSC::JSObject::getOwnNonIndexPropertySlot):
1306         (JSC::JSObject::fillCustomGetterPropertySlot):
1307         * runtime/Lookup.cpp:
1308         (JSC::setUpStaticFunctionSlot):
1309         * runtime/Lookup.h:
1310         (JSC::HashTableValue::domJIT):
1311         (JSC::getStaticPropertySlotFromTable):
1312         (JSC::putEntry):
1313         (JSC::lookupPut):
1314         (JSC::reifyStaticProperty):
1315         (JSC::reifyStaticProperties):
1316         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
1317         this static property table require.
1318
1319         * runtime/ProgramExecutable.cpp:
1320         (JSC::ProgramExecutable::initializeGlobalProperties):
1321         * runtime/PropertyName.h:
1322         * runtime/PropertySlot.cpp:
1323         (JSC::PropertySlot::customGetter):
1324         (JSC::PropertySlot::customAccessorGetter):
1325         * runtime/PropertySlot.h:
1326         (JSC::PropertySlot::domAttribute):
1327         (JSC::PropertySlot::setCustom):
1328         (JSC::PropertySlot::setCacheableCustom):
1329         (JSC::PropertySlot::getValue):
1330         (JSC::PropertySlot::domJIT): Deleted.
1331         * runtime/VM.cpp:
1332         (JSC::VM::VM):
1333         * runtime/VM.h:
1334
1335 2017-07-26  Devin Rousso  <drousso@apple.com>
1336
1337         Web Inspector: create protocol for recording Canvas contexts
1338         https://bugs.webkit.org/show_bug.cgi?id=174481
1339
1340         Reviewed by Joseph Pecoraro.
1341
1342         * inspector/protocol/Canvas.json:
1343          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1344          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1345          - Add `recordingFinished` event that is fired once a recording is finished.
1346
1347         * CMakeLists.txt:
1348         * DerivedSources.make:
1349         * inspector/protocol/Recording.json: Added.
1350          - Add `Type` enum that lists the types of recordings
1351          - Add `InitialState` type that contains information about the canvas context at the
1352            beginning of the recording.
1353          - Add `Frame` type that holds a list of actions that were recorded.
1354          - Add `Recording` type as the container object of recording data.
1355
1356         * inspector/scripts/codegen/generate_js_backend_commands.py:
1357         (JSBackendCommandsGenerator.generate_domain):
1358         Create an agent for domains with no events or commands.
1359
1360         * inspector/InspectorValues.h:
1361         Make Array `get` public so that values can be retrieved if needed.
1362
1363 2017-07-26  Brian Burg  <bburg@apple.com>
1364
1365         Remove WEB_TIMING feature flag
1366         https://bugs.webkit.org/show_bug.cgi?id=174795
1367
1368         Reviewed by Alex Christensen.
1369
1370         * Configurations/FeatureDefines.xcconfig:
1371
1372 2017-07-26  Mark Lam  <mark.lam@apple.com>
1373
1374         Add the ability to change sp and pc to the ARM64 JIT probe.
1375         https://bugs.webkit.org/show_bug.cgi?id=174697
1376         <rdar://problem/33436965>
1377
1378         Reviewed by JF Bastien.
1379
1380         This patch implements the following:
1381
1382         1. The ARM64 probe now supports modifying the pc and sp.
1383
1384            However, lr is not preserved when modifying the pc because it is used as the
1385            scratch register for the indirect jump. Hence, the probe handler function
1386            may not modify both lr and pc in the same probe invocation.
1387
1388         2. Fix probe tests to use bitwise comparison when comparing double register
1389            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1390
1391         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1392            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1393            instructions which require 16 byte alignment for their memory access.
1394
1395         * assembler/MacroAssemblerARM64.cpp:
1396         (JSC::arm64ProbeError):
1397         (JSC::MacroAssembler::probe):
1398         (JSC::arm64ProbeTrampoline): Deleted.
1399         * assembler/testmasm.cpp:
1400         (JSC::isSpecialGPR):
1401         (JSC::testProbeReadsArgumentRegisters):
1402         (JSC::testProbeWritesArgumentRegisters):
1403         (JSC::testProbePreservesGPRS):
1404         (JSC::testProbeModifiesStackPointer):
1405         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1406         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
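
Item 2 of the entry above changes the probe tests to compare double registers bitwise, because `==` reports a NaN as unequal to itself and would flag a correctly preserved NaN register as corrupted. The following C++ is an added illustration of that point, not code from WebKit's testmasm.cpp; `doubleToBits`, `bitwiseEqual` and the two round-trip helpers are hypothetical names, and the spill-and-reload through memory stands in for what a probe trampoline does with each FP register.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Reinterpret a double's IEEE-754 bits without violating aliasing rules.
uint64_t doubleToBits(double d) {
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    return bits;
}

double bitsToDouble(uint64_t bits) {
    double d;
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// Bitwise equality: the right notion of "preserved" for a saved/restored
// register.  Unlike operator==, it treats a NaN as equal to itself (and
// only to a NaN with the same payload) and distinguishes +0.0 from -0.0.
bool bitwiseEqual(double a, double b) {
    return doubleToBits(a) == doubleToBits(b);
}

// Simulated probe round trip: the value is spilled to memory and reloaded,
// as a probe would do for every FP register.  Returns whether the reloaded
// value is bit-identical to the original.
bool probeRoundTripPreserves(double original) {
    uint64_t spilled = doubleToBits(original);   // store into the probe context
    double restored = bitsToDouble(spilled);     // reload from the probe context
    return bitwiseEqual(original, restored);
}

// The naive check the entry moves away from: it reports a NaN register as
// "not preserved" even though the round trip kept every bit.
bool naiveRoundTripPreserves(double original) {
    uint64_t spilled = doubleToBits(original);
    double restored = bitsToDouble(spilled);
    return original == restored;
}

int main() {
    double nan = std::nan("");
    std::printf("naive:   %d\n", naiveRoundTripPreserves(nan));   // 0
    std::printf("bitwise: %d\n", probeRoundTripPreserves(nan));   // 1
    return 0;
}
```

Comparing through `memcpy` rather than a pointer cast keeps the code free of strict-aliasing problems, and it also makes the test sensitive to NaN payload and sign-of-zero changes, which a register save/restore path must not introduce.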
1407
1408 2017-07-25  JF Bastien  <jfbastien@apple.com>
1409
1410         WebAssembly: generate smaller binaries
1411         https://bugs.webkit.org/show_bug.cgi?id=174818
1412
1413         Reviewed by Filip Pizlo.
1414
1415         This patch reduces generated code size for WebAssembly in 2 ways:
1416
1417         1. Use the ZR register when storing zero on ARM64.
1418         2. Synthesize wasm context lazily.
1419
1420         This leads to a modest size reduction on both x86-64 and ARM64 for
1421         large WebAssembly games, without any performance loss on WasmBench
1422         and TitzerBench.
1423
1424         The reason this works is that these games, using Emscripten,
1425         generate 100k+ tiny functions, and our JIT allocation granule
1426         rounds all allocations up to 32 bytes. There are plenty of other
1427         simple gains to be had, I've filed a follow-up bug at
1428         webkit.org/b/174819
1429
1430         We should further avoid the per-function cost of tiering, which
1431         represents the bulk of code generated for small functions.
1432
1433         * assembler/MacroAssemblerARM64.h:
1434         (JSC::MacroAssemblerARM64::storeZero64):
1435         * assembler/MacroAssemblerX86_64.h:
1436         (JSC::MacroAssemblerX86_64::storeZero64):
1437         * b3/B3LowerToAir.cpp:
1438         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1439         for x86 because it constrains register reuse and codegen in a way
1440         that doesn't affect ARM64 because it has a dedicated zero
1441         register.
1442         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1443         * wasm/WasmB3IRGenerator.cpp:
1444         (JSC::Wasm::B3IRGenerator::instanceValue):
1445         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1446         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1447         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1448
1449 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1450
1451         B3 should do LICM
1452         https://bugs.webkit.org/show_bug.cgi?id=174750
1453
1454         Reviewed by Keith Miller and Saam Barati.
1455         
1456         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1457         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1458         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1459         change templatizes DFG::NaturalLoops so that we can just use it.
1460         
1461         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1462         the relationship between control dependence and side exits.
1463         
1464         Also added a bunch of tests.
1465         
1466         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1467         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1468         so it doesn't hurt to have it.
1469         
1470         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1471         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1472         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1473         eventually.
1474
1475         * CMakeLists.txt:
1476         * JavaScriptCore.xcodeproj/project.pbxproj:
1477         * b3/B3BackwardsCFG.h: Added.
1478         (JSC::B3::BackwardsCFG::BackwardsCFG):
1479         * b3/B3BackwardsDominators.h: Added.
1480         (JSC::B3::BackwardsDominators::BackwardsDominators):
1481         * b3/B3BasicBlock.cpp:
1482         (JSC::B3::BasicBlock::appendNonTerminal):
1483         * b3/B3Effects.h:
1484         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1485         (JSC::B3::ensureLoopPreHeaders):
1486         * b3/B3EnsureLoopPreHeaders.h: Added.
1487         * b3/B3Generate.cpp:
1488         (JSC::B3::generateToAir):
1489         * b3/B3HoistLoopInvariantValues.cpp: Added.
1490         (JSC::B3::hoistLoopInvariantValues):
1491         * b3/B3HoistLoopInvariantValues.h: Added.
1492         * b3/B3NaturalLoops.h: Added.
1493         (JSC::B3::NaturalLoops::NaturalLoops):
1494         * b3/B3Procedure.cpp:
1495         (JSC::B3::Procedure::invalidateCFG):
1496         (JSC::B3::Procedure::naturalLoops):
1497         (JSC::B3::Procedure::backwardsCFG):
1498         (JSC::B3::Procedure::backwardsDominators):
1499         * b3/B3Procedure.h:
1500         * b3/testb3.cpp:
1501         (JSC::B3::generateLoop):
1502         (JSC::B3::makeArrayForLoops):
1503         (JSC::B3::generateLoopNotBackwardsDominant):
1504         (JSC::B3::oneFunction):
1505         (JSC::B3::noOpFunction):
1506         (JSC::B3::testLICMPure):
1507         (JSC::B3::testLICMPureSideExits):
1508         (JSC::B3::testLICMPureWritesPinned):
1509         (JSC::B3::testLICMPureWrites):
1510         (JSC::B3::testLICMReadsLocalState):
1511         (JSC::B3::testLICMReadsPinned):
1512         (JSC::B3::testLICMReads):
1513         (JSC::B3::testLICMPureNotBackwardsDominant):
1514         (JSC::B3::testLICMPureFoiledByChild):
1515         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1516         (JSC::B3::testLICMExitsSideways):
1517         (JSC::B3::testLICMWritesLocalState):
1518         (JSC::B3::testLICMWrites):
1519         (JSC::B3::testLICMFence):
1520         (JSC::B3::testLICMWritesPinned):
1521         (JSC::B3::testLICMControlDependent):
1522         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1523         (JSC::B3::testLICMControlDependentSideExits):
1524         (JSC::B3::testLICMReadsPinnedWritesPinned):
1525         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1526         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1527         (JSC::B3::testLICMDefaultCall):
1528         (JSC::B3::run):
1529         * dfg/DFGBasicBlock.h:
1530         * dfg/DFGCFG.h:
1531         * dfg/DFGNaturalLoops.cpp: Removed.
1532         * dfg/DFGNaturalLoops.h:
1533         (JSC::DFG::NaturalLoops::NaturalLoops):
1534         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1535         (JSC::DFG::NaturalLoop::header): Deleted.
1536         (JSC::DFG::NaturalLoop::size): Deleted.
1537         (JSC::DFG::NaturalLoop::at): Deleted.
1538         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1539         (JSC::DFG::NaturalLoop::contains): Deleted.
1540         (JSC::DFG::NaturalLoop::index): Deleted.
1541         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1542         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1543         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1544         (JSC::DFG::NaturalLoops::loop): Deleted.
1545         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1546         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1547         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1548         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1549         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1550
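To make the hoisting decision described above tangible, here is an added toy model in Python. It is not B3's hoistLoopInvariantValues and not part of this ChangeLog: it models a loop body as SSA values tagged with the effects that matter to LICM (heap reads, heap writes, sideways exits, control dependence, fences) and hoists a value only when its operands are invariant and its effects permit it. The `always_executed` set stands in for "backwards-dominates the loop header", and every value name, heap name and op name in the sample loop is a constructed assumption; the sample is chosen to exercise the cases the testb3 LICM test names above allude to (pure, reads pinned, foiled by child, not backwards dominant, writes, exits sideways).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Value:
    """One SSA value in the loop body (hypothetical toy IR, not B3's Value)."""
    name: str
    op: str
    args: tuple = ()
    reads: frozenset = frozenset()       # abstract heaps this value reads
    writes: frozenset = frozenset()      # abstract heaps this value writes
    exits_sideways: bool = False         # may trap, throw or OSR-exit
    control_dependent: bool = False      # result only meaningful on some paths
    fence: bool = False                  # ordering barrier, never moved


@dataclass
class Loop:
    inputs: frozenset           # values defined before the loop (invariant by construction)
    body: list                  # loop-body values, in program order
    always_executed: frozenset  # body values on every path from header to back edge
                                # (stand-in for "backwards-dominates the header")


def can_hoist(value, invariant, written_in_loop, always_executed):
    # A child that stayed in the loop keeps its parents in the loop.
    if not all(arg in invariant for arg in value.args):
        return False
    # Writes and fences are never moved out of the loop.
    if value.writes or value.fence:
        return False
    # A read is invariant only if nothing in the loop writes that heap.
    if value.reads & written_in_loop:
        return False
    # Exiting or control-dependent values may only move if the loop
    # would have executed them on every iteration anyway.
    if (value.exits_sideways or value.control_dependent) \
            and value.name not in always_executed:
        return False
    return True


def hoist_loop_invariant_values(loop):
    """Return (hoisted, remaining), each in program order."""
    written_in_loop = frozenset().union(*(v.writes for v in loop.body))
    invariant = set(loop.inputs)
    hoisted, remaining = [], []
    for value in loop.body:  # program order: children are decided before parents
        if can_hoist(value, invariant, written_in_loop, loop.always_executed):
            hoisted.append(value)
            invariant.add(value.name)
        else:
            remaining.append(value)
    return hoisted, remaining


def sample_loop():
    """Constructed loop exercising the cases the testb3 LICM tests are named for."""
    heap, pinned = frozenset({"heap"}), frozenset({"pinned"})
    body = [
        Value("v1", "Add", ("a", "b")),                          # pure
        Value("v2", "Load", ("p",), reads=heap),                 # reads a heap the loop writes
        Value("v3", "Div", ("a", "b"), exits_sideways=True),     # exits, but always executed
        Value("v4", "Div", ("v2", "b"), exits_sideways=True),    # foiled by child v2
        Value("v5", "Store", ("v1", "p"), writes=heap),          # writes
        Value("v6", "Check", ("a",), control_dependent=True),    # not backwards dominant
        Value("v7", "Load", ("b",), reads=pinned),               # reads a pinned heap
        Value("v8", "Mul", ("v7", "v1")),                        # pure, children hoisted
    ]
    return Loop(inputs=frozenset({"a", "b", "p"}), body=body,
                always_executed=frozenset({"v1", "v2", "v3", "v4", "v5", "v7", "v8"}))


def hoisted_names(loop):
    hoisted, _ = hoist_loop_invariant_values(loop)
    return [v.name for v in hoisted]


def remaining_names(loop):
    _, remaining = hoist_loop_invariant_values(loop)
    return [v.name for v in remaining]


if __name__ == "__main__":
    loop = sample_loop()
    print("hoisted  :", hoisted_names(loop))
    print("remaining:", remaining_names(loop))
```

On the sample loop, v1, v3, v7 and v8 move to the pre-header while v2, v4, v5 and v6 stay. The single program-order pass is enough because in SSA a value's operands precede it, so each child's fate is known when its parent is examined; the coarse "always executed" flag is where this toy, like the phase described above, is least precise about control dependence and side exits.
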
1551 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1552
1553         GC should be fine with trading blocks between destructor and non-destructor blocks
1554         https://bugs.webkit.org/show_bug.cgi?id=174811
1555
1556         Reviewed by Mark Lam.
1557         
1558         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1559         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1560         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1561         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1562         set.
1563         
1564         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1565         is empty if:
1566         
1567         A) It has no live objects and it's a non-destructor block, or
1568         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1569         C) We just stole it from another allocator (so it also has no destructors), or
1570         D) We just swept the block and ran all destructors.
1571         
1572         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1573         block that could be stolen.
1574
1575         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1576         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1577         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1578         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1579         
1580         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1581         
1582         If we tried to enable trading of blocks between allocators without making any changes to how
1583         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1584         live objects in order for those bits to be candidates for trading. But if we do that, then our
1585         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1586         our destructors won't run and we'll leak memory.
1587         
1588         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1589         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1590         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1591         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1592         are (empty & ~destructible).
1593         
1594         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1595         remove destructor-oriented special-casing of block trading.
1596
1597         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1598         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1599         pathological cases.
1600         
1601         * heap/MarkedAllocator.cpp:
1602         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1603         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1604         (JSC::MarkedAllocator::endMarking):
1605         (JSC::MarkedAllocator::shrink):
1606         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1607         * heap/MarkedAllocator.h:
1608         * heap/MarkedBlock.cpp:
1609         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1610         (JSC::MarkedBlock::Handle::sweep):
1611         * heap/MarkedBlockInlines.h:
1612         (JSC::MarkedBlock::Handle::specializedSweep):
1613         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1614         (JSC::MarkedBlock::Handle::emptyMode):
1615
1616 2017-07-25  Keith Miller  <keith_miller@apple.com>
1617
1618         Remove Broken CompareEq constant folding phase.
1619         https://bugs.webkit.org/show_bug.cgi?id=174846
1620         <rdar://problem/32978808>
1621
1622         Reviewed by Saam Barati.
1623
1624         This bug happened when we would get code like the following:
1625
1626         a: JSConst(Undefined)
1627         b: GetLocal(SomeObjectOrUndefined)
1628         ...
1629         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1630
1631         constant folding will turn this into:
1632
1633         a: JSConst(Undefined)
1634         b: GetLocal(SomeObjectOrUndefined)
1635         ...
1636         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1637
1638         But the SpeculativeJIT/FTL lowering will fail to check b
1639         properly which leads to an assertion failure in the AI.
1640
1641         I'll follow up with a more robust fix later. For now, I'll remove the
1642         case that generates the code. Removing the code appears to be perf
1643         neutral.
1644
1645         * dfg/DFGConstantFoldingPhase.cpp:
1646         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1647
1648 2017-07-25  Matt Baker  <mattbaker@apple.com>
1649
1650         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1651         https://bugs.webkit.org/show_bug.cgi?id=174738
1652
1653         Reviewed by Brian Burg.
1654
1655         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1656         stack traces. This preserves the call type in JSC, makes the range of
1657         possible call types explicit, and is safer than passing ints.
1658
1659         * inspector/agents/InspectorDebuggerAgent.cpp:
1660         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1661         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1662         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1663         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1664         * inspector/agents/InspectorDebuggerAgent.h:
1665
1666 2017-07-25  Mark Lam  <mark.lam@apple.com>
1667
1668         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1669         https://bugs.webkit.org/show_bug.cgi?id=174809
1670         <rdar://problem/33504759>
1671
1672         Reviewed by Filip Pizlo.
1673
1674         1. When the probe handler function changes the sp register to point to the
1675            region of stack in the middle of the ProbeContext on the stack, there is a
1676            bug where the ProbeContext's register values to be restored can be over-written
1677            before they can be restored.  This is now fixed.
1678
1679         2. Added more robust probe tests for changing the sp register.
1680
1681         3. Made existing probe tests ensure that probe handlers were actually called.
1682
1683         4. Added some verification to testProbePreservesGPRS().
1684
1685         5. Change all the probe tests to fail early on discovering an error instead of
1686            batching till the end of the test.  This helps point a finger to the failing
1687            issue earlier.
1688
1689         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1690         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1691
1692         * assembler/MacroAssemblerARM.cpp:
1693         * assembler/MacroAssemblerARMv7.cpp:
1694         * assembler/MacroAssemblerX86Common.cpp:
1695         * assembler/testmasm.cpp:
1696         (JSC::testProbeReadsArgumentRegisters):
1697         (JSC::testProbeWritesArgumentRegisters):
1698         (JSC::testProbePreservesGPRS):
1699         (JSC::testProbeModifiesStackPointer):
1700         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1701         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1702         (JSC::testProbeModifiesProgramCounter):
1703         (JSC::run):
1704
1705 2017-07-25  Brian Burg  <bburg@apple.com>
1706
1707         Web Automation: add support for uploading files
1708         https://bugs.webkit.org/show_bug.cgi?id=174797
1709         <rdar://problem/28485063>
1710
1711         Reviewed by Joseph Pecoraro.
1712
1713         * inspector/scripts/generate-inspector-protocol-bindings.py:
1714         (generate_from_specification):
1715         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1716
1717         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1718         (CppFrontendDispatcherImplementationGenerator.generate_output):
1719         Use a framework include for InspectorFrontendRouter.h since this generated code
1720         will be compiled outside of WebCore.framework.
1721
1722         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1723         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1724         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1725         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1726         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1727         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1728         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1729         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1730         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1731         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1732         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1733         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1734         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1735         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1736         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1737         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1738         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1739         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1740         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1741         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1742         Rebaseline code generator tests.
1743
1744 2017-07-24  Mark Lam  <mark.lam@apple.com>
1745
1746         Gardening: fixed C Loop build after r219790.
1747         https://bugs.webkit.org/show_bug.cgi?id=174696
1748
1749         Not reviewed.
1750
1751         * assembler/testmasm.cpp:
1752
1753 2017-07-23  Mark Lam  <mark.lam@apple.com>
1754
1755         Create regression tests for the JIT probe.
1756         https://bugs.webkit.org/show_bug.cgi?id=174696
1757         <rdar://problem/33436922>
1758
1759         Reviewed by Saam Barati.
1760
1761         The new testmasm will test the following:
1762         1. the probe is able to read the value of CPU registers.
1763         2. the probe is able to write the value of CPU registers.
1764         3. the probe is able to preserve all CPU registers.
1765         4. special case of (2): the probe is able to change the value of the stack pointer.
1766         5. special case of (2): the probe is able to change the value of the program counter
1767            i.e. the probe can change where the code continues executing upon returning from
1768            the probe.
1769
1770         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
1771         because it does not support changing the sp and pc yet.  The ARM64 probe
1772         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
1773         later.
1774
1775         * Configurations/ToolExecutable.xcconfig:
1776         * JavaScriptCore.xcodeproj/project.pbxproj:
1777         * assembler/MacroAssembler.h:
1778         (JSC::MacroAssembler::CPUState::pc):
1779         (JSC::MacroAssembler::CPUState::fp):
1780         (JSC::MacroAssembler::CPUState::sp):
1781         (JSC::ProbeContext::pc):
1782         (JSC::ProbeContext::fp):
1783         (JSC::ProbeContext::sp):
1784         * assembler/MacroAssemblerARM64.cpp:
1785         (JSC::arm64ProbeTrampoline):
1786         * assembler/MacroAssemblerPrinter.cpp:
1787         (JSC::Printer::printPCRegister):
1788         * assembler/testmasm.cpp: Added.
1789         (hiddenTruthBecauseNoReturnIsStupid):
1790         (usage):
1791         (JSC::nextID):
1792         (JSC::isPC):
1793         (JSC::isSP):
1794         (JSC::isFP):
1795         (JSC::compile):
1796         (JSC::invoke):
1797         (JSC::compileAndRun):
1798         (JSC::testSimple):
1799         (JSC::testProbeReadsArgumentRegisters):
1800         (JSC::testProbeWritesArgumentRegisters):
1801         (JSC::testFunctionToTrashRegisters):
1802         (JSC::testProbePreservesGPRS):
1803         (JSC::testProbeModifiesStackPointer):
1804         (JSC::testProbeModifiesProgramCounter):
1805         (JSC::run):
1806         (run):
1807         (main):
1808         * b3/air/testair.cpp:
1809         (usage):
1810         * shell/CMakeLists.txt:
1811
1812 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
1813
1814         It should be easy to decide how WebKit yields
1815         https://bugs.webkit.org/show_bug.cgi?id=174298
1816
1817         Reviewed by Saam Barati.
1818         
1819         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
1820
1821         * heap/Heap.cpp:
1822         (JSC::Heap::resumeThePeriphery):
1823         * heap/VisitingTimeout.h:
1824         * runtime/JSCell.cpp:
1825         (JSC::JSCell::lockSlow):
1826         (JSC::JSCell::unlockSlow):
1827         * runtime/JSCell.h:
1828         * runtime/JSCellInlines.h:
1829         (JSC::JSCell::lock):
1830         (JSC::JSCell::unlock):
1831         * runtime/JSLock.cpp:
1832         (JSC::JSLock::grabAllLocks):
1833         * runtime/SamplingProfiler.cpp:
1834
1835 2017-07-21  Mark Lam  <mark.lam@apple.com>
1836
1837         Refactor MASM probe CPUState to use arrays for register storage.
1838         https://bugs.webkit.org/show_bug.cgi?id=174694
1839
1840         Reviewed by Keith Miller.
1841
1842         Using arrays for register storage in CPUState allows us to do away with the
1843         huge switch statements to decode each register id.  We can now simply index into
1844         the arrays.
1845
1846         With this patch, we now:
1847
1848         1. Remove the need for macros for defining the list of CPU registers.
1849            We can go back to simple enums.  This makes the code easier to read.
1850
1851         2. Make the assembler the authority on register names.
1852            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
1853         GPRInfo and FPRInfo now forward to the assembler.
1854
1855         3. Make the assembler the authority on the number of registers of each type.
1856
1857         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
1858            This is inconsistent with how every other CPU architecture implements
1859            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
1860            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
1861
1862         * assembler/ARM64Assembler.h:
1863         (JSC::ARM64Assembler::numberOfRegisters):
1864         (JSC::ARM64Assembler::firstSPRegister):
1865         (JSC::ARM64Assembler::lastSPRegister):
1866         (JSC::ARM64Assembler::numberOfSPRegisters):
1867         (JSC::ARM64Assembler::numberOfFPRegisters):
1868         (JSC::ARM64Assembler::gprName):
1869         (JSC::ARM64Assembler::sprName):
1870         (JSC::ARM64Assembler::fprName):
1871         * assembler/ARMAssembler.h:
1872         (JSC::ARMAssembler::numberOfRegisters):
1873         (JSC::ARMAssembler::firstSPRegister):
1874         (JSC::ARMAssembler::lastSPRegister):
1875         (JSC::ARMAssembler::numberOfSPRegisters):
1876         (JSC::ARMAssembler::numberOfFPRegisters):
1877         (JSC::ARMAssembler::gprName):
1878         (JSC::ARMAssembler::sprName):
1879         (JSC::ARMAssembler::fprName):
1880         * assembler/ARMv7Assembler.h:
1881         (JSC::ARMv7Assembler::lastRegister):
1882         (JSC::ARMv7Assembler::numberOfRegisters):
1883         (JSC::ARMv7Assembler::firstSPRegister):
1884         (JSC::ARMv7Assembler::lastSPRegister):
1885         (JSC::ARMv7Assembler::numberOfSPRegisters):
1886         (JSC::ARMv7Assembler::numberOfFPRegisters):
1887         (JSC::ARMv7Assembler::gprName):
1888         (JSC::ARMv7Assembler::sprName):
1889         (JSC::ARMv7Assembler::fprName):
1890         * assembler/AbstractMacroAssembler.h:
1891         (JSC::AbstractMacroAssembler::numberOfRegisters):
1892         (JSC::AbstractMacroAssembler::gprName):
1893         (JSC::AbstractMacroAssembler::firstSPRegister):
1894         (JSC::AbstractMacroAssembler::lastSPRegister):
1895         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
1896         (JSC::AbstractMacroAssembler::sprName):
1897         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
1898         (JSC::AbstractMacroAssembler::fprName):
1899         * assembler/MIPSAssembler.h:
1900         (JSC::MIPSAssembler::numberOfRegisters):
1901         (JSC::MIPSAssembler::firstSPRegister):
1902         (JSC::MIPSAssembler::lastSPRegister):
1903         (JSC::MIPSAssembler::numberOfSPRegisters):
1904         (JSC::MIPSAssembler::numberOfFPRegisters):
1905         (JSC::MIPSAssembler::gprName):
1906         (JSC::MIPSAssembler::sprName):
1907         (JSC::MIPSAssembler::fprName):
1908         * assembler/MacroAssembler.h:
1909         (JSC::MacroAssembler::CPUState::gprName):
1910         (JSC::MacroAssembler::CPUState::sprName):
1911         (JSC::MacroAssembler::CPUState::fprName):
1912         (JSC::MacroAssembler::CPUState::gpr):
1913         (JSC::MacroAssembler::CPUState::spr):
1914         (JSC::MacroAssembler::CPUState::fpr):
1915         (JSC::MacroAssembler::CPUState::pc):
1916         (JSC::MacroAssembler::CPUState::fp):
1917         (JSC::MacroAssembler::CPUState::sp):
1918         (JSC::ProbeContext::gpr):
1919         (JSC::ProbeContext::spr):
1920         (JSC::ProbeContext::fpr):
1921         (JSC::ProbeContext::gprName):
1922         (JSC::ProbeContext::sprName):
1923         (JSC::ProbeContext::fprName):
1924         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1925         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1926         * assembler/MacroAssemblerARM.cpp:
1927         * assembler/MacroAssemblerARM64.cpp:
1928         (JSC::arm64ProbeTrampoline):
1929         * assembler/MacroAssemblerARMv7.cpp:
1930         * assembler/MacroAssemblerPrinter.cpp:
1931         (JSC::Printer::nextID):
1932         (JSC::Printer::printAllRegisters):
1933         (JSC::Printer::printPCRegister):
1934         (JSC::Printer::printRegisterID):
1935         (JSC::Printer::printAddress):
1936         * assembler/MacroAssemblerX86Common.cpp:
1937         * assembler/X86Assembler.h:
1938         (JSC::X86Assembler::numberOfRegisters):
1939         (JSC::X86Assembler::firstSPRegister):
1940         (JSC::X86Assembler::lastSPRegister):
1941         (JSC::X86Assembler::numberOfSPRegisters):
1942         (JSC::X86Assembler::numberOfFPRegisters):
1943         (JSC::X86Assembler::gprName):
1944         (JSC::X86Assembler::sprName):
1945         (JSC::X86Assembler::fprName):
1946         * jit/FPRInfo.h:
1947         (JSC::FPRInfo::debugName):
1948         * jit/GPRInfo.h:
1949         (JSC::GPRInfo::debugName):
1950         * jit/RegisterSet.cpp:
1951         (JSC::RegisterSet::reservedHardwareRegisters):
1952
1953 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1954
1955         [JSC] Introduce static symbols
1956         https://bugs.webkit.org/show_bug.cgi?id=158863
1957
1958         Reviewed by Darin Adler.
1959
1960         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1961         As a result, we can share the same Symbol values between VMs and threads.
1962         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1963
1964         * CMakeLists.txt:
1965         * JavaScriptCore.xcodeproj/project.pbxproj:
1966         * builtins/BuiltinNames.cpp: Added.
1967         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1968
1969         * builtins/BuiltinNames.h:
1970         (JSC::BuiltinNames::BuiltinNames):
1971         * builtins/BuiltinUtils.h:
1972
1973 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1974
1975         [FTL] Arguments elimination is suppressed by unreachable blocks
1976         https://bugs.webkit.org/show_bug.cgi?id=174352
1977
1978         Reviewed by Filip Pizlo.
1979
1980         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
1981         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
1982         Since GetById without information can escape arguments if it is specified, non-executed code including
1983         op_get_by_id with arguments can escape arguments.
1984
1985         For example,
1986
1987             function test(flag)
1988             {
1989                 if (flag) {
1990                     // This is not executed, but emits GetById with arguments.
1991                     // It prevents us from eliminating materialization.
1992                     return arguments.length;
1993                 }
1994                 return arguments.length;
1995             }
1996             noInline(test);
1997             while (true)
1998                 test(false);
1999
2000         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
2001         So this GetById exists and escapes arguments.
2002
2003         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
2004         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
2005         lightweight. But it catches much of typical cases we failed to perform arguments elimination.
2006
2007         * dfg/DFGArgumentsEliminationPhase.cpp:
2008         * dfg/DFGNode.h:
2009         (JSC::DFG::Node::isPseudoTerminal):
2010         * dfg/DFGValidate.cpp:
2011
2012 2017-07-20  Chris Dumez  <cdumez@apple.com>
2013
2014         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
2015         https://bugs.webkit.org/show_bug.cgi?id=174660
2016
2017         Reviewed by Geoffrey Garen.
2018
2019         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2020         This essentially replaces a branch to figure out if the new size is less or greater than the
2021         current size by an assertion.
2022
2023         * b3/B3BasicBlockUtils.h:
2024         (JSC::B3::clearPredecessors):
2025         * b3/B3InferSwitches.cpp:
2026         * b3/B3LowerToAir.cpp:
2027         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2028         * b3/B3ReduceStrength.cpp:
2029         * b3/B3SparseCollection.h:
2030         (JSC::B3::SparseCollection::packIndices):
2031         * b3/B3UseCounts.cpp:
2032         (JSC::B3::UseCounts::UseCounts):
2033         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2034         * b3/air/AirEmitShuffle.cpp:
2035         (JSC::B3::Air::emitShuffle):
2036         * b3/air/AirLowerAfterRegAlloc.cpp:
2037         (JSC::B3::Air::lowerAfterRegAlloc):
2038         * b3/air/AirOptimizeBlockOrder.cpp:
2039         (JSC::B3::Air::optimizeBlockOrder):
2040         * bytecode/Operands.h:
2041         (JSC::Operands::ensureLocals):
2042         * bytecode/PreciseJumpTargets.cpp:
2043         (JSC::computePreciseJumpTargetsInternal):
2044         * dfg/DFGBlockInsertionSet.cpp:
2045         (JSC::DFG::BlockInsertionSet::execute):
2046         * dfg/DFGBlockMapInlines.h:
2047         (JSC::DFG::BlockMap<T>::BlockMap):
2048         * dfg/DFGByteCodeParser.cpp:
2049         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2050         (JSC::DFG::ByteCodeParser::clearCaches):
2051         * dfg/DFGDisassembler.cpp:
2052         (JSC::DFG::Disassembler::Disassembler):
2053         * dfg/DFGFlowIndexing.cpp:
2054         (JSC::DFG::FlowIndexing::recompute):
2055         * dfg/DFGGraph.cpp:
2056         (JSC::DFG::Graph::registerFrozenValues):
2057         * dfg/DFGInPlaceAbstractState.cpp:
2058         (JSC::DFG::setLiveValues):
2059         * dfg/DFGLICMPhase.cpp:
2060         (JSC::DFG::LICMPhase::run):
2061         * dfg/DFGLivenessAnalysisPhase.cpp:
2062         * dfg/DFGNaturalLoops.cpp:
2063         (JSC::DFG::NaturalLoops::NaturalLoops):
2064         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2065         * ftl/FTLLowerDFGToB3.cpp:
2066         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2067         * heap/CodeBlockSet.cpp:
2068         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2069         * heap/MarkedSpace.cpp:
2070         (JSC::MarkedSpace::sweepLargeAllocations):
2071         * inspector/ContentSearchUtilities.cpp:
2072         (Inspector::ContentSearchUtilities::findMagicComment):
2073         * interpreter/ShadowChicken.cpp:
2074         (JSC::ShadowChicken::update):
2075         * parser/ASTBuilder.h:
2076         (JSC::ASTBuilder::shrinkOperandStackBy):
2077         * parser/Lexer.h:
2078         (JSC::Lexer::setOffset):
2079         * runtime/RegExpInlines.h:
2080         (JSC::RegExp::matchInline):
2081         * runtime/RegExpPrototype.cpp:
2082         (JSC::genericSplit):
2083         * yarr/RegularExpression.cpp:
2084         (JSC::Yarr::RegularExpression::match):
2085
2086 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2087
2088         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
2089         https://bugs.webkit.org/show_bug.cgi?id=174678
2090
2091         Reviewed by Mark Lam.
2092
2093         Use Thread& instead.
2094
2095         * runtime/JSLock.cpp:
2096         (JSC::JSLock::didAcquireLock):
2097
2098 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2099
2100         [WTF] Implement WTF::ThreadGroup
2101         https://bugs.webkit.org/show_bug.cgi?id=174081
2102
2103         Reviewed by Mark Lam.
2104
2105         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2106         And SamplingProfiler and others interact with WTF::Thread directly.
2107
2108         * API/tests/ExecutionTimeLimitTest.cpp:
2109         * heap/MachineStackMarker.cpp:
2110         (JSC::MachineThreads::MachineThreads):
2111         (JSC::captureStack):
2112         (JSC::MachineThreads::tryCopyOtherThreadStack):
2113         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2114         (JSC::MachineThreads::gatherConservativeRoots):
2115         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2116         (JSC::ActiveMachineThreadsManager::add): Deleted.
2117         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2118         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2119         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2120         (JSC::activeMachineThreadsManager): Deleted.
2121         (JSC::MachineThreads::~MachineThreads): Deleted.
2122         (JSC::MachineThreads::addCurrentThread): Deleted.
2123         (): Deleted.
2124         (JSC::MachineThreads::removeThread): Deleted.
2125         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2126         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2127         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2128         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2129         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2130         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2131         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2132         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2133         * heap/MachineStackMarker.h:
2134         (JSC::MachineThreads::addCurrentThread):
2135         (JSC::MachineThreads::getLock):
2136         (JSC::MachineThreads::threads):
2137         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2138         (JSC::MachineThreads::MachineThread::resume): Deleted.
2139         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2140         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2141         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2142         (JSC::MachineThreads::threadsListHead): Deleted.
2143         * runtime/SamplingProfiler.cpp:
2144         (JSC::FrameWalker::isValidFramePointer):
2145         (JSC::SamplingProfiler::SamplingProfiler):
2146         (JSC::SamplingProfiler::takeSample):
2147         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2148         * runtime/SamplingProfiler.h:
2149         * wasm/WasmMachineThreads.cpp:
2150         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2151
2152 2017-07-18  Andy Estes  <aestes@apple.com>
2153
2154         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
2155         https://bugs.webkit.org/show_bug.cgi?id=174631
2156
2157         Reviewed by Tim Horton.
2158
2159         * Configurations/Base.xcconfig:
2160         * b3/B3FoldPathConstants.cpp:
2161         * b3/B3LowerMacros.cpp:
2162         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2163         * dfg/DFGByteCodeParser.cpp:
2164         (JSC::DFG::ByteCodeParser::check):
2165         (JSC::DFG::ByteCodeParser::planLoad):
2166
2167 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2168
2169         WTF::Thread should have the threads stack bounds.
2170         https://bugs.webkit.org/show_bug.cgi?id=173975
2171
2172         Reviewed by Mark Lam.
2173
2174         There is a site in JSC that tries to walk another thread's stack.
2175         Currently, stack bounds are stored in WTFThreadData which is located
2176         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2177         We workaround this situation by holding StackBounds in MachineThread in JSC,
2178         but StackBounds should be put in WTF::Thread instead.
2179
2180         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
2181         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
2182
2183         * heap/MachineStackMarker.cpp:
2184         (JSC::MachineThreads::MachineThread::MachineThread):
2185         (JSC::MachineThreads::MachineThread::captureStack):
2186         * heap/MachineStackMarker.h:
2187         (JSC::MachineThreads::MachineThread::stackBase):
2188         (JSC::MachineThreads::MachineThread::stackEnd):
2189         * runtime/VMTraps.cpp:
2190
2191 2017-07-18  Andy Estes  <aestes@apple.com>
2192
2193         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
2194         https://bugs.webkit.org/show_bug.cgi?id=174631
2195
2196         Reviewed by Sam Weinig.
2197
2198         * Configurations/Base.xcconfig:
2199
2200 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2201
2202         Web Inspector: Modernize InjectedScriptSource
2203         https://bugs.webkit.org/show_bug.cgi?id=173890
2204
2205         Reviewed by Brian Burg.
2206
2207         * inspector/InjectedScript.h:
2208         Reorder functions to be slightly better.
2209
2210         * inspector/InjectedScriptSource.js:
2211         - Convert to classes named InjectedScript and RemoteObject
2212         - Align InjectedScript's API with the wrapper C++ interfaces
2213         - Move some code to RemoteObject where appropriate (subtype, describe)
2214         - Move some code to helper functions (isPrimitiveValue, isDefined)
2215         - Refactor for readability and modern features
2216         - Remove some unused / unnecessary code
2217
2218 2017-07-18  Mark Lam  <mark.lam@apple.com>
2219
2220         Butterfly storage need not be initialized for indexing type Undecided.
2221         https://bugs.webkit.org/show_bug.cgi?id=174516
2222
2223         Reviewed by Saam Barati.
2224
2225         While it's not incorrect to initialize the butterfly storage when the
2226         indexingType is Undecided, it is inefficient as we'll end up initializing
2227         it again later when we convert the storage to a different indexingType.
2228         Some of our code already skips initializing Undecided butterflies.
2229         This patch makes it the consistent behavior everywhere.
2230
2231         * dfg/DFGSpeculativeJIT.cpp:
2232         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2233         * runtime/JSArray.cpp:
2234         (JSC::JSArray::tryCreateUninitializedRestricted):
2235         * runtime/JSArray.h:
2236         (JSC::JSArray::tryCreate):
2237         * runtime/JSObject.cpp:
2238         (JSC::JSObject::ensureLengthSlow):
2239
2240 2017-07-18  Saam Barati  <sbarati@apple.com>
2241
2242         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2243         https://bugs.webkit.org/show_bug.cgi?id=174515
2244         <rdar://problem/33358092>
2245
2246         Reviewed by Filip Pizlo.
2247
2248         AirLowerAfterRegAlloc was computing the set of available scratch
2249         registers incorrectly. It was always excluding callee save registers
2250         from the set of live registers. It did not guarantee that live callee save
2251         registers were not in the set of scratch registers that could
2252         get clobbered. That's incorrect as the shuffling code is free
2253         to overwrite whatever is in the scratch register it gets passed.
2254
2255         * b3/air/AirLowerAfterRegAlloc.cpp:
2256         (JSC::B3::Air::lowerAfterRegAlloc):
2257         * b3/testb3.cpp:
2258         (JSC::B3::functionNineArgs):
2259         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2260         (JSC::B3::run):
2261         * jit/RegisterSet.h:
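
The set arithmetic behind the bug above, as an added example that is not part of this ChangeLog or of Air's code. The register file, the numbering, and the callee-save split (R4..R7) are assumptions made for the example; the point shown is that dropping callee saves from the live set before computing the scratch set hands a live register to the shuffle, and that computing scratch directly from the full live set does not.

```cpp
#include <bitset>
#include <cstdio>
#include <initializer_list>

// Toy register file; the numbering and the callee-save split are assumptions
// for this example, not Air's real register conventions.
enum Reg { R0, R1, R2, R3, R4, R5, R6, R7, NumRegs };
using RegisterSet = std::bitset<NumRegs>;

RegisterSet makeSet(std::initializer_list<Reg> regs)
{
    RegisterSet set;
    for (Reg reg : regs)
        set.set(reg);
    return set;
}

// Assumed convention: R4..R7 are preserved across calls by the callee.
const RegisterSet calleeSaves = makeSet({ R4, R5, R6, R7 });
const RegisterSet allRegisters = ~RegisterSet();

// The pattern the entry describes: callee saves were always excluded from the
// live set before computing what may be clobbered, so a live callee save
// could be offered as scratch.
RegisterSet buggyScratchRegisters(const RegisterSet& liveAtPoint)
{
    RegisterSet liveWithoutCalleeSaves = liveAtPoint & ~calleeSaves;
    return allRegisters & ~liveWithoutCalleeSaves;
}

// Corrected computation: a register is scratch only if nothing live is in it,
// whether or not the calling convention preserves it.
RegisterSet fixedScratchRegisters(const RegisterSet& liveAtPoint)
{
    return allRegisters & ~liveAtPoint;
}

// The invariant a shuffle relies on: it is free to overwrite any scratch
// register, so no scratch register may also hold a live value.
bool scratchSetIsSafe(const RegisterSet& scratch, const RegisterSet& live)
{
    return (scratch & live).none();
}

int main()
{
    // Constructed scenario: R1 (caller-save) and R5 (callee-save) are live.
    RegisterSet live = makeSet({ R1, R5 });
    std::printf("buggy scratch set safe: %d\n", scratchSetIsSafe(buggyScratchRegisters(live), live));
    std::printf("fixed scratch set safe: %d\n", scratchSetIsSafe(fixedScratchRegisters(live), live));
    return 0;
}
```

With R5 live, the buggy computation still reports R5 as scratch, which is exactly the state the new testShuffleDoesntTrashCalleeSaves test guards against; the fixed computation yields the six registers that hold nothing live.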
2262
2263 2017-07-18  Andy Estes  <aestes@apple.com>
2264
2265         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2266         https://bugs.webkit.org/show_bug.cgi?id=174631
2267
2268         Reviewed by Dan Bernstein.
2269
2270         * Configurations/Base.xcconfig:
2271
2272 2017-07-18  Devin Rousso  <drousso@apple.com>
2273
2274         Web Inspector: Add memoryCost to Inspector Protocol objects
2275         https://bugs.webkit.org/show_bug.cgi?id=174478
2276
2277         Reviewed by Joseph Pecoraro.
2278
2279         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
2280         plus the memoryCost of the data if it is a string.
2281
2282         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2283
2284         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2285         key plus the memoryCost of the InspectorValue for each entry.
2286
2287         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2288
2289         * inspector/InspectorValues.h:
2290         * inspector/InspectorValues.cpp:
2291         (Inspector::InspectorValue::memoryCost):
2292         (Inspector::InspectorObjectBase::memoryCost):
2293         (Inspector::InspectorArrayBase::memoryCost):
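
The three cost rules stated in the entry, carried through on a small JSON-like tree, as an added example that is not the Inspector code itself. The Value struct, the builder helpers, the sample document and the one-byte-per-character string cost are assumptions made for the example (WTF::String can hold 8-bit or 16-bit characters, which the real implementation has to account for).

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Minimal JSON-like value tree used to illustrate the cost rules above.
// It is a constructed stand-in, not Inspector::InspectorValue.
struct Value {
    enum class Type { Null, Boolean, Number, String, Array, Object };
    Type type = Type::Null;
    bool boolean = false;
    double number = 0;
    std::string string;
    std::vector<std::unique_ptr<Value>> array;
    std::vector<std::pair<std::string, std::unique_ptr<Value>>> object;

    size_t memoryCost() const;
};

// Assumption: one byte per character.
static size_t stringMemoryCost(const std::string& s)
{
    return s.size();
}

size_t Value::memoryCost() const
{
    switch (type) {
    case Type::Array: {
        // Array: the sum of the memoryCost of all items.
        size_t cost = 0;
        for (const auto& item : array)
            cost += item->memoryCost();
        return cost;
    }
    case Type::Object: {
        // Object: per entry, cost of the key string plus cost of the value.
        size_t cost = 0;
        for (const auto& entry : object)
            cost += stringMemoryCost(entry.first) + entry.second->memoryCost();
        return cost;
    }
    case Type::String:
        // Scalar holding a string: sizeof the object plus the string data.
        return sizeof(Value) + stringMemoryCost(string);
    default:
        // Null, Boolean, Number: sizeof the object only.
        return sizeof(Value);
    }
}

std::unique_ptr<Value> makeString(std::string s)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::String;
    v->string = std::move(s);
    return v;
}

std::unique_ptr<Value> makeNumber(double n)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Number;
    v->number = n;
    return v;
}

std::unique_ptr<Value> makeArray(std::vector<std::unique_ptr<Value>> items)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Array;
    v->array = std::move(items);
    return v;
}

std::unique_ptr<Value> makeObject(std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Object;
    v->object = std::move(entries);
    return v;
}

// Constructed sample document: {"name": "jsc", "tags": ["a", "b"], "count": 2}
// Expected cost: 4 + (sizeof(Value) + 3) + 4 + 2 * (sizeof(Value) + 1) + 5 + sizeof(Value)
//              = 4 * sizeof(Value) + 18
std::unique_ptr<Value> buildSampleDocument()
{
    std::vector<std::unique_ptr<Value>> tags;
    tags.push_back(makeString("a"));
    tags.push_back(makeString("b"));

    std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries;
    entries.emplace_back("name", makeString("jsc"));
    entries.emplace_back("tags", makeArray(std::move(tags)));
    entries.emplace_back("count", makeNumber(2));
    return makeObject(std::move(entries));
}

int main()
{
    std::printf("sample document memoryCost: %zu bytes\n", buildSampleDocument()->memoryCost());
    return 0;
}
```

Note that, read literally, the rules give an empty array or object a cost of zero: containers contribute only what their items and keys contribute.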
2294
2295 2017-07-18  Andy Estes  <aestes@apple.com>
2296
2297         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2298         https://bugs.webkit.org/show_bug.cgi?id=174631
2299
2300         Reviewed by Darin Adler.
2301
2302         * Configurations/Base.xcconfig:
2303
2304 2017-07-18  Michael Saboff  <msaboff@apple.com>
2305
2306         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2307         https://bugs.webkit.org/show_bug.cgi?id=174601
2308
2309         Reviewed by Alex Christensen.
2310
2311         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2312         objects after a regular expression has been compiled.
2313
2314         * runtime/Options.h:
2315         * yarr/YarrPattern.cpp:
2316         (JSC::Yarr::YarrPattern::compile):
2317         (JSC::Yarr::indentForNestingLevel):
2318         (JSC::Yarr::dumpUChar32):
2319         (JSC::Yarr::PatternAlternative::dump):
2320         (JSC::Yarr::PatternTerm::dumpQuantifier):
2321         (JSC::Yarr::PatternTerm::dump):
2322         (JSC::Yarr::PatternDisjunction::dump):
2323         (JSC::Yarr::YarrPattern::dumpPattern):
2324         * yarr/YarrPattern.h:
2325         (JSC::Yarr::YarrPattern::global):
2326
2327 2017-07-17  Darin Adler  <darin@apple.com>
2328
2329         Improve use of NeverDestroyed
2330         https://bugs.webkit.org/show_bug.cgi?id=174348
2331
2332         Reviewed by Sam Weinig.
2333
2334         * heap/MachineStackMarker.cpp:
2335         * wasm/WasmMemory.cpp:
2336         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2337         of NeverDestroyed.
2338
2339 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2340
2341         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2342         https://bugs.webkit.org/show_bug.cgi?id=174547
2343
2344         Reviewed by Alex Christensen.
2345
2346         * CMakeLists.txt:
2347         * shell/CMakeLists.txt:
2348
2349 2017-07-17  Saam Barati  <sbarati@apple.com>
2350
2351         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2352         https://bugs.webkit.org/show_bug.cgi?id=174584
2353
2354         Rubber stamped by Keith Miller.
2355
2356         I used it to diagnose a bug. The bug is now fixed. This custom
2357         RELEASE_ASSERT is no longer needed.
2358
2359         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2360
2361 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2362
2363         -Wformat-truncation warning in ConfigFile.cpp
2364         https://bugs.webkit.org/show_bug.cgi?id=174506
2365
2366         Reviewed by Darin Adler.
2367
2368         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2369         return ParseError.
2370
2371         * runtime/ConfigFile.cpp:
2372         (JSC::ConfigFile::parse):
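
The truncation check described in the entry, as an added example that is not ConfigFile.cpp's own code. The buffer size (32, so the truncated case is easy to hit), the path-joining format and the helper names are assumptions for the example; the technique is the one the entry describes: snprintf() reports how many characters the full result needed, and a result that does not fit is treated as a parse error instead of being used as a shortened path.

```cpp
#include <cstdio>
#include <string>

// Illustrative limit; a real build would use PATH_MAX or the platform's
// equivalent. Kept small so the truncation case is easy to trigger.
constexpr size_t kMaxPathLength = 32;

enum class ParseResult { Success, ParseError };

// Joins directory and file name into a fixed-size buffer. snprintf() returns
// the number of characters the full result would have needed (excluding the
// terminator), so a value >= the buffer size means the path was cut short.
ParseResult buildConfigPath(const char* directory, const char* fileName, char (&out)[kMaxPathLength])
{
    int needed = std::snprintf(out, sizeof(out), "%s/%s", directory, fileName);
    if (needed < 0)
        return ParseResult::ParseError; // encoding error from snprintf
    if (static_cast<size_t>(needed) >= sizeof(out)) {
        // Truncated: refuse rather than open whatever shortened path resulted.
        out[0] = '\0';
        return ParseResult::ParseError;
    }
    return ParseResult::Success;
}

// Convenience wrapper: returns the joined path, or an empty string on error.
std::string configPathOrEmpty(const char* directory, const char* fileName)
{
    char buffer[kMaxPathLength];
    if (buildConfigPath(directory, fileName, buffer) != ParseResult::Success)
        return std::string();
    return std::string(buffer);
}

int main()
{
    // Constructed inputs: one that fits, one that would be truncated.
    std::printf("[%s]\n", configPathOrEmpty("/etc/jsc", "config.txt").c_str());
    std::printf("[%s]\n", configPathOrEmpty("/a/very/long/directory/name/here", "config.txt").c_str());
    return 0;
}
```

The boundary matters: a 31-character path fits in a 32-byte buffer with its terminator, while a 32-character path is silently cut to 31 characters, which is why the comparison is >= and not >.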
2373
2374 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2375
2376         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2377         https://bugs.webkit.org/show_bug.cgi?id=174557
2378
2379         Reviewed by Michael Catanzaro.
2380
2381         * CMakeLists.txt:
2382
2383 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2384
2385         [WTF] Use std::unique_ptr for StackTrace
2386         https://bugs.webkit.org/show_bug.cgi?id=174495
2387
2388         Reviewed by Alex Christensen.
2389
2390         * runtime/ExceptionScope.cpp:
2391         (JSC::ExceptionScope::unexpectedExceptionMessage):
2392         * runtime/VM.cpp:
2393         (JSC::VM::throwException):
2394
2395 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2396
2397         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2398         https://bugs.webkit.org/show_bug.cgi?id=174423
2399
2400         Reviewed by Saam Barati.
2401
2402         * dfg/DFGAvailabilityMap.cpp:
2403         (JSC::DFG::AvailabilityMap::pruneHeap):
2404         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2405
2406 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2407
2408         Fix compiler warnings when building with GCC 7
2409         https://bugs.webkit.org/show_bug.cgi?id=174463
2410
2411         Reviewed by Darin Adler.
2412
2413         * disassembler/udis86/udis86_decode.c:
2414         (decode_operand):
2415
2416 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2417
2418         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2419         https://bugs.webkit.org/show_bug.cgi?id=174467
2420
2421         Reviewed by Saam Barati.
2422
2423         * bytecode/CallLinkInfo.cpp:
2424         (JSC::CallLinkInfo::callTypeFor):
2425
2426 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2427
2428         Web Inspector: Remove unused and untested Page domain commands
2429         https://bugs.webkit.org/show_bug.cgi?id=174429
2430
2431         Reviewed by Timothy Hatcher.
2432
2433         * inspector/protocol/Page.json:
2434
2435 2017-07-13  Saam Barati  <sbarati@apple.com>
2436
2437         Missing exception check in JSObject::hasInstance
2438         https://bugs.webkit.org/show_bug.cgi?id=174455
2439         <rdar://problem/31384608>
2440
2441         Reviewed by Mark Lam.
2442
2443         * runtime/JSObject.cpp:
2444         (JSC::JSObject::hasInstance):
2445
2446 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2447
2448         [ESnext] Implement Object Spread
2449         https://bugs.webkit.org/show_bug.cgi?id=167963
2450
2451         Reviewed by Saam Barati.
2452
2453         This patch implements ECMA262 stage 3 Object Spread proposal [1].
2454         It's implemented using CopyDataPropertiesNoExclusions to copy
2455         all enumerable keys from the object being spread. The implementation of
2456         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2457         implementation, however we don't receive excludedNames as parameter.
2458
2459         [1] - https://github.com/tc39/proposal-object-rest-spread
2460
2461         * builtins/GlobalOperations.js:
2462         (globalPrivate.copyDataPropertiesNoExclusions):
2463         * bytecompiler/BytecodeGenerator.cpp:
2464         (JSC::BytecodeGenerator::emitLoad):
2465         * bytecompiler/NodesCodegen.cpp:
2466         (JSC::PropertyListNode::emitBytecode):
2467         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2468         * parser/ASTBuilder.h:
2469         (JSC::ASTBuilder::createObjectSpreadExpression):
2470         (JSC::ASTBuilder::createProperty):
2471         * parser/NodeConstructors.h:
2472         (JSC::PropertyNode::PropertyNode):
2473         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2474         * parser/Nodes.h:
2475         (JSC::ObjectSpreadExpressionNode::expression):
2476         * parser/Parser.cpp:
2477         (JSC::Parser<LexerType>::parseProperty):
2478         * parser/SyntaxChecker.h:
2479         (JSC::SyntaxChecker::createObjectSpreadExpression):
2480         (JSC::SyntaxChecker::createProperty):
2481
2482 2017-07-12  Mark Lam  <mark.lam@apple.com>
2483
2484         Gardening: build fix after r219434.
2485         https://bugs.webkit.org/show_bug.cgi?id=174441
2486
2487         Not reviewed.
2488
2489         Make public some MacroAssembler functions that are needed by the probe implementation.
2490
2491         * assembler/MacroAssemblerARM.h:
2492         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2493         * assembler/MacroAssemblerARMv7.h:
2494         (JSC::MacroAssemblerARMv7::linkCall):
2495
2496 2017-07-12  Mark Lam  <mark.lam@apple.com>
2497
2498         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2499         https://bugs.webkit.org/show_bug.cgi?id=174441
2500
2501         Reviewed by Saam Barati.
2502
2503         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2504         to MacroAssembler.  There is no code behavior change.
2505
2506         * assembler/AbstractMacroAssembler.h:
2507         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2508         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2509         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2510         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2511         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2512         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2513         * assembler/MacroAssembler.h:
2514         (JSC::MacroAssembler::CPUState::gprName):
2515         (JSC::MacroAssembler::CPUState::fprName):
2516         (JSC::MacroAssembler::CPUState::gpr):
2517         (JSC::MacroAssembler::CPUState::fpr):
2518         * assembler/MacroAssemblerARM.cpp:
2519         (JSC::MacroAssembler::probe):
2520         (JSC::MacroAssemblerARM::probe): Deleted.
2521         * assembler/MacroAssemblerARM.h:
2522         * assembler/MacroAssemblerARM64.cpp:
2523         (JSC::MacroAssembler::probe):
2524         (JSC::MacroAssemblerARM64::probe): Deleted.
2525         * assembler/MacroAssemblerARM64.h:
2526         * assembler/MacroAssemblerARMv7.cpp:
2527         (JSC::MacroAssembler::probe):
2528         (JSC::MacroAssemblerARMv7::probe): Deleted.
2529         * assembler/MacroAssemblerARMv7.h:
2530         * assembler/MacroAssemblerMIPS.h:
2531         * assembler/MacroAssemblerX86Common.cpp:
2532         (JSC::MacroAssembler::probe):
2533         (JSC::MacroAssemblerX86Common::probe): Deleted.
2534         * assembler/MacroAssemblerX86Common.h:
2535
2536 2017-07-12  Saam Barati  <sbarati@apple.com>
2537
2538         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2539         https://bugs.webkit.org/show_bug.cgi?id=174411
2540         <rdar://problem/31696186>
2541
2542         Reviewed by Mark Lam.
2543
2544         The code for deleting an argument was incorrectly referencing state
2545         when it decided if it should unmap or mark a property as having its
2546         descriptor modified. This patch fixes the bug where if we delete a
2547         property, we would sometimes not unmap an argument when deleting it.
2548
2549         * runtime/GenericArgumentsInlines.h:
2550         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2551         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2552         (JSC::GenericArguments<Type>::deleteProperty):
2553         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2554
2555 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2556
2557         Unreviewed, rolling out r219176.
2558         https://bugs.webkit.org/show_bug.cgi?id=174436
2559
2560         "Can cause infinite recursion on iOS" (Requested by mlam on
2561         #webkit).
2562
2563         Reverted changeset:
2564
2565         "WTF::Thread should have the threads stack bounds."
2566         https://bugs.webkit.org/show_bug.cgi?id=173975
2567         http://trac.webkit.org/changeset/219176
2568
2569 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2570
2571         Unreviewed, rolling out r219401.
2572
2573         This revision rolled out the previous patch, but after talking
2574         with the reviewer, a rebaseline is what was needed. Rolling back in
2575         before rebaseline.
2576
2577         Reverted changeset:
2578
2579         "Unreviewed, rolling out r219379."
2580         https://bugs.webkit.org/show_bug.cgi?id=174400
2581         http://trac.webkit.org/changeset/219401
2582
2583 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2584
2585         Unreviewed, rolling out r219379.
2586
2587         This revision caused a consistent failure in the test
2588         fast/dom/Window/property-access-on-cached-window-after-frame-
2589         removed.html.
2590
2591         Reverted changeset:
2592
2593         "Remove NAVIGATOR_HWCONCURRENCY"
2594         https://bugs.webkit.org/show_bug.cgi?id=174400
2595         http://trac.webkit.org/changeset/219379
2596
2597 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2598
2599         Wrong radix used in Unicode Escape in invalid character error message
2600         https://bugs.webkit.org/show_bug.cgi?id=174419
2601
2602         Reviewed by Alex Christensen.
2603
2604         * parser/Lexer.cpp:
2605         (JSC::Lexer<T>::invalidCharacterMessage):
2606
2607 2017-07-11  Dean Jackson  <dino@apple.com>
2608
2609         Remove NAVIGATOR_HWCONCURRENCY
2610         https://bugs.webkit.org/show_bug.cgi?id=174400
2611
2612         Reviewed by Sam Weinig.
2613
2614         * Configurations/FeatureDefines.xcconfig:
2615
2616 2017-07-11  Dean Jackson  <dino@apple.com>
2617
2618         Rolling out r219372.
2619
2620         * Configurations/FeatureDefines.xcconfig:
2621
2622 2017-07-11  Dean Jackson  <dino@apple.com>
2623
2624         Remove NAVIGATOR_HWCONCURRENCY
2625         https://bugs.webkit.org/show_bug.cgi?id=174400
2626
2627         Reviewed by Sam Weinig.
2628
2629         * Configurations/FeatureDefines.xcconfig:
2630
2631 2017-07-11  Saam Barati  <sbarati@apple.com>
2632
2633         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2634         https://bugs.webkit.org/show_bug.cgi?id=174397
2635
2636         Rubber stamped by David Kilzer.
2637
2638         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2639         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2640
2641 2017-07-10  Saam Barati  <sbarati@apple.com>
2642
2643         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2644         https://bugs.webkit.org/show_bug.cgi?id=174321
2645         <rdar://problem/32604963>
2646
2647         Reviewed by Filip Pizlo.
2648
2649         When the allocation sinking phase was generating stores to materialize
2650         objects in a cycle with each other, it would assume that each materialized
2651         object had a valid, non empty, set of structures. This is an OK assumption for
2652         the phase to make because how do you materialize an object with no structure?
2653         
2654         The abstract interpretation part of the phase will model what's in the heap.
2655         However, it would sometimes model that a CheckStructure would fail. The phase
2656         did nothing special for this; it just stored the empty set of structures for
2657         its representation of a particular allocation. However, what the phase proved
2658         in such a scenario is that, had the CheckStructure executed, it would have exited.
2659         
2660         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2661         This will cause the allocation in question to be materialized just before
2662         the CheckStructure, and then at execution time, the CheckStructure will exit.
2663         
2664         I wasn't able to write a test case for this. However, I was able to reproduce
2665         this crash by manually editing the IR. I've opened a separate bug to help us
2666         create a testing framework for writing tests for hard to reproduce bugs like this:
2667         https://bugs.webkit.org/show_bug.cgi?id=174322
2668
2669         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2670
2671 2017-07-10  Devin Rousso  <drousso@apple.com>
2672
2673         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2674         https://bugs.webkit.org/show_bug.cgi?id=174279
2675
2676         Reviewed by Matt Baker.
2677
2678         * inspector/protocol/DOM.json:
2679         Add `highlightNodeList` command that will highlight each node in the given list.
2680
2681 2017-07-03  Brian Burg  <bburg@apple.com>
2682
2683         Web Replay: remove some unused code
2684         https://bugs.webkit.org/show_bug.cgi?id=173903
2685
2686         Rubber-stamped by Joseph Pecoraro.
2687
2688         * CMakeLists.txt:
2689         * Configurations/FeatureDefines.xcconfig:
2690         * DerivedSources.make:
2691         * JavaScriptCore.xcodeproj/project.pbxproj:
2692         * inspector/protocol/Replay.json: Removed.
2693         * replay/EmptyInputCursor.h: Removed.
2694         * replay/EncodedValue.cpp: Removed.
2695         * replay/EncodedValue.h: Removed.
2696         * replay/InputCursor.h: Removed.
2697         * replay/JSInputs.json: Removed.
2698         * replay/NondeterministicInput.h: Removed.
2699         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2700         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2701         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2702         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2703         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2704         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2705         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2706         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2707         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2708         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2709         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2710         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2711         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2712         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2713         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2714         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2715         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2716         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2717         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2718         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2719         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2720         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2721         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2722         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2723         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2724         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2725         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2726         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2727         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
2728         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
2729         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
2730         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
2731         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
2732         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
2733         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
2734         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
2735         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
2736         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
2737         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
2738         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
2739         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
2740         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
2741         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
2742         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
2743         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
2744         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
2745         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
2746         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
2747         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
2748         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
2749         * replay/scripts/tests/generate-input-with-guard.json: Removed.
2750         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
2751         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
2752         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
2753         * runtime/DateConstructor.cpp:
2754         (JSC::constructDate):
2755         (JSC::dateNow):
2756         (JSC::deterministicCurrentTime): Deleted.
2757         * runtime/JSGlobalObject.cpp:
2758         (JSC::JSGlobalObject::JSGlobalObject):
2759         (JSC::JSGlobalObject::setInputCursor): Deleted.
2760         * runtime/JSGlobalObject.h:
2761         (JSC::JSGlobalObject::inputCursor): Deleted.
2762
2763 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2764
2765         Move make-js-file-arrays.py from WebCore to JavaScriptCore
2766         https://bugs.webkit.org/show_bug.cgi?id=174024
2767
2768         Reviewed by Michael Catanzaro.
2769
2770         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
2771         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
2772         Added command line option to pass the namespace to use instead of using WebCore.
2773
2774         * JavaScriptCore.xcodeproj/project.pbxproj:
2775         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
2776         (main):
2777
2778 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2779
2780         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
2781         https://bugs.webkit.org/show_bug.cgi?id=174296
2782
2783         Reviewed by Mark Lam.
2784
2785         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
2786         It caused a problem in scanning template literals. While template literals normalize
2787         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
2788         To handle it correctly, LineNumberAdder was introduced.
2789
2790         As of r219263, <LF><CR> is counted as two line terminators, so we no longer need
2791         LineNumberAdder. Let's just use shiftLineTerminator() instead.
2792
2793         * parser/Lexer.cpp:
2794         (JSC::Lexer<T>::parseTemplateLiteral):
2795         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
2796         (JSC::LineNumberAdder::clear): Deleted.
2797         (JSC::LineNumberAdder::add): Deleted.
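As an added illustration of the line-terminator rule this entry relies on (example code, not JSC's Lexer; the byte-level helpers are this example's own and only handle LF and CR), the following counts terminators the post-r219263 way, with <CR><LF> as one and <LF><CR> as two, and checks that this count matches the <LF> bytes left after template-literal normalization, which is why LineNumberAdder became unnecessary:

```cpp
#include <cstddef>
#include <string>

// LF and CR only; the Unicode LS/PS terminators are out of scope for this example.
static bool isLineTerminatorByte(char c) { return c == '\n' || c == '\r'; }

// Mirrors the post-r219263 rule: <CR><LF> is one line terminator, every other
// terminator byte (including each half of <LF><CR>) counts on its own.
size_t countLineTerminators(const std::string& source)
{
    size_t lines = 0;
    for (size_t i = 0; i < source.size(); ++i) {
        if (!isLineTerminatorByte(source[i]))
            continue;
        ++lines;
        // Only CR followed by LF is a single terminator.
        if (source[i] == '\r' && i + 1 < source.size() && source[i + 1] == '\n')
            ++i;
    }
    return lines;
}

// Template-literal value normalization as ECMAScript requires: <CR><LF> and a
// lone <CR> both become <LF>. Also reports how many terminators were consumed.
struct NormalizedTemplate {
    std::string text;
    size_t lineTerminators;
};

NormalizedTemplate normalizeTemplateLiteral(const std::string& raw)
{
    NormalizedTemplate result { std::string(), 0 };
    for (size_t i = 0; i < raw.size(); ++i) {
        char c = raw[i];
        if (c == '\r') {
            if (i + 1 < raw.size() && raw[i + 1] == '\n')
                ++i; // <CR><LF> collapses to a single <LF>
            result.text += '\n';
            ++result.lineTerminators;
        } else if (c == '\n') {
            result.text += '\n';
            ++result.lineTerminators;
        } else
            result.text += c;
    }
    return result;
}

// The invariant: the lexer's terminator count for a template literal equals the
// number of <LF> bytes in its normalized value. <LF><CR> normalizes to <LF><LF>
// and counts as two; <CR><LF> normalizes to <LF> and counts as one, so no
// separate line-number bookkeeping is needed.
bool lineCountMatchesNormalizedText(const std::string& raw)
{
    NormalizedTemplate normalized = normalizeTemplateLiteral(raw);
    size_t lfCount = 0;
    for (char c : normalized.text) {
        if (c == '\n')
            ++lfCount;
    }
    return countLineTerminators(raw) == lfCount && normalized.lineTerminators == lfCount;
}
```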
2798
2799 2017-07-09  Dan Bernstein  <mitz@apple.com>
2800
2801         [Xcode] ICU headers aren’t treated as system headers after r219155
2802         https://bugs.webkit.org/show_bug.cgi?id=174299
2803
2804         Reviewed by Sam Weinig.
2805
2806         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
2807           C++ compilers.
2808
2809         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
2810         * runtime/IntlDateTimeFormat.cpp: Ditto.
2811         * runtime/JSGlobalObject.cpp: Ditto.
2812         * runtime/StringPrototype.cpp: Ditto.
2813
2814 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2815
2816         [JSC] Use fastMalloc / fastFree for STL containers
2817         https://bugs.webkit.org/show_bug.cgi?id=174297
2818
2819         Reviewed by Sam Weinig.
2820
2821         In some places, we intentionally use STL containers over WTF containers.
2822         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
2823         because we do not have effective empty / deleted representations in the space of the key's values.
2824         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
2825
2826         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
2827         We pass this allocator as the STL containers' allocator template parameter so they allocate memory from fastMalloc.
2828
2829         This WTF::FastAllocator gives us a chance to use STL containers when necessary
2830         without compromising memory allocation throughput.
2831
2832         * dfg/DFGGraph.h:
2833         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2834         * ftl/FTLLowerDFGToB3.cpp:
2835         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2836         * runtime/FunctionHasExecutedCache.h:
2837         * runtime/TypeLocationCache.h:
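As an added illustration of the allocator pattern this entry describes (example code, not WebKit's WTF::FastAllocator; exampleFastMalloc and exampleFastFree are stand-ins for fastMalloc and fastFree that count calls so the routing can be verified):

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <string>
#include <unordered_map>
#include <unordered_set>

// Stand-ins for fastMalloc / fastFree (hypothetical names for this example):
// plain malloc/free plus counters proving the containers really allocate here
// rather than through the default std::allocator.
static size_t g_fastMallocCalls = 0;
static size_t g_fastFreeCalls = 0;

static void* exampleFastMalloc(size_t size)
{
    void* p = std::malloc(size ? size : 1);
    if (!p)
        throw std::bad_alloc();
    ++g_fastMallocCalls;
    return p;
}

static void exampleFastFree(void* p)
{
    if (!p)
        return;
    ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++ allocator in the shape of WTF::FastAllocator: value_type,
// allocate, deallocate, a converting constructor (for node rebinding) and
// equality (all instances share one heap, so they are interchangeable).
template<typename T>
struct ExampleFastAllocator {
    using value_type = T;

    ExampleFastAllocator() = default;
    template<typename U> ExampleFastAllocator(const ExampleFastAllocator<U>&) { }

    T* allocate(size_t n)
    {
        // Overflow check before computing the byte count.
        if (n > static_cast<size_t>(-1) / sizeof(T))
            throw std::bad_array_new_length();
        return static_cast<T*>(exampleFastMalloc(n * sizeof(T)));
    }

    void deallocate(T* p, size_t) { exampleFastFree(p); }
};

template<typename T, typename U>
bool operator==(const ExampleFastAllocator<T>&, const ExampleFastAllocator<U>&) { return true; }
template<typename T, typename U>
bool operator!=(const ExampleFastAllocator<T>&, const ExampleFastAllocator<U>&) { return false; }

// The pattern from the ChangeLog: keep std::unordered_{set,map}, but hand it
// the fast allocator as the last template parameter.
using FastIntSet = std::unordered_set<int, std::hash<int>, std::equal_to<int>, ExampleFastAllocator<int>>;
using FastStringIntMap = std::unordered_map<std::string, int, std::hash<std::string>, std::equal_to<std::string>,
    ExampleFastAllocator<std::pair<const std::string, int>>>;

struct AllocationStats {
    size_t mallocCalls;
    size_t freeCalls;
    bool balanced; // every fast allocation was released through the fast free
};

// Fills a set and a map, destroys them, and reports what the allocator saw.
AllocationStats exerciseFastAllocatedContainers()
{
    size_t mallocBefore = g_fastMallocCalls;
    size_t freeBefore = g_fastFreeCalls;
    {
        FastIntSet set;
        for (int i = 0; i < 100; ++i)
            set.insert(i * 7);
        // 0 and -1 are fine as keys here; a WTF hash table would need them as
        // its empty/deleted sentinel values, which is the motivation above.
        set.insert(0);
        set.insert(-1);
        FastStringIntMap map;
        map["alpha"] = 1;
        map["beta"] = 2;
        map["gamma"] = 3;
    }
    size_t mallocs = g_fastMallocCalls - mallocBefore;
    size_t frees = g_fastFreeCalls - freeBefore;
    return { mallocs, frees, mallocs == frees && mallocs > 0 };
}
```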
2838
2839 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2840
2841         Drop NOSNIFF compile flag
2842         https://bugs.webkit.org/show_bug.cgi?id=174289
2843
2844         Reviewed by Michael Catanzaro.
2845
2846         * Configurations/FeatureDefines.xcconfig:
2847
2848 2017-07-07  AJ Ringer  <aringer@apple.com>
2849
2850         Lower the max_protection for the separated heap
2851         https://bugs.webkit.org/show_bug.cgi?id=174281
2852
2853         Reviewed by Oliver Hunt.
2854
2855         Switch to vm_protect so we can set maximum page protection.
2856
2857         * jit/ExecutableAllocator.cpp:
2858         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2859         (JSC::ExecutableAllocator::allocate):
2860
2861 2017-07-07  Devin Rousso  <drousso@apple.com>
2862
2863         Web Inspector: Show all elements currently using a given CSS Canvas
2864         https://bugs.webkit.org/show_bug.cgi?id=173965
2865
2866         Reviewed by Joseph Pecoraro.
2867
2868         * inspector/protocol/Canvas.json:
2869          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
2870            canvas via -webkit-canvas.
2871          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
2872            added to or removed from the list of -webkit-canvas clients.
2873
2874 2017-07-07  Mark Lam  <mark.lam@apple.com>
2875
2876         \n\r is not the same as \r\n.
2877         https://bugs.webkit.org/show_bug.cgi?id=173053
2878
2879         Reviewed by Keith Miller.
2880
2881         * parser/Lexer.cpp:
2882         (JSC::Lexer<T>::shiftLineTerminator):
2883         (JSC::LineNumberAdder::add):
2884
2885 2017-07-07  Commit Queue  <commit-queue@webkit.org>
2886
2887         Unreviewed, rolling out r219238, r219239, and r219241.
2888         https://bugs.webkit.org/show_bug.cgi?id=174265
2889
2890         "fast/workers/dedicated-worker-lifecycle.html is flaky"
2891         (Requested by yusukesuzuki on #webkit).
2892
2893         Reverted changesets:
2894
2895         "[WTF] Implement WTF::ThreadGroup"
2896         https://bugs.webkit.org/show_bug.cgi?id=174081
2897         http://trac.webkit.org/changeset/219238
2898
2899         "Unreviewed, build fix after r219238"
2900         https://bugs.webkit.org/show_bug.cgi?id=174081
2901         http://trac.webkit.org/changeset/219239
2902
2903         "Unreviewed, CLoop build fix after r219238"
2904         https://bugs.webkit.org/show_bug.cgi?id=174081
2905         http://trac.webkit.org/changeset/219241
2906
2907 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2908
2909         Unreviewed, CLoop build fix after r219238
2910         https://bugs.webkit.org/show_bug.cgi?id=174081
2911
2912         * heap/MachineStackMarker.cpp:
2913
2914 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2915
2916         [WTF] Implement WTF::ThreadGroup
2917         https://bugs.webkit.org/show_bug.cgi?id=174081
2918
2919         Reviewed by Mark Lam.
2920
2921         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
2922         and SamplingProfiler and others interact with WTF::Thread directly.
2923
2924         * API/tests/ExecutionTimeLimitTest.cpp:
2925         * heap/MachineStackMarker.cpp:
2926         (JSC::MachineThreads::MachineThreads):
2927         (JSC::captureStack):
2928         (JSC::MachineThreads::tryCopyOtherThreadStack):
2929         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2930         (JSC::MachineThreads::gatherConservativeRoots):
2931         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2932         (JSC::ActiveMachineThreadsManager::add): Deleted.
2933         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2934         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2935         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2936         (JSC::activeMachineThreadsManager): Deleted.
2937         (JSC::MachineThreads::~MachineThreads): Deleted.
2938         (JSC::MachineThreads::addCurrentThread): Deleted.
2939         (): Deleted.
2940         (JSC::MachineThreads::removeThread): Deleted.
2941         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2942         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2943         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2944         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2945         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2946         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2947         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2948         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2949         * heap/MachineStackMarker.h:
2950         (JSC::MachineThreads::addCurrentThread):
2951         (JSC::MachineThreads::getLock):
2952         (JSC::MachineThreads::threads):
2953         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2954         (JSC::MachineThreads::MachineThread::resume): Deleted.
2955         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2956         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2957         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2958         (JSC::MachineThreads::threadsListHead): Deleted.
2959         * runtime/SamplingProfiler.cpp:
2960         (JSC::FrameWalker::isValidFramePointer):
2961         (JSC::SamplingProfiler::SamplingProfiler):
2962         (JSC::SamplingProfiler::takeSample):
2963         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2964         * runtime/SamplingProfiler.h:
2965         * wasm/WasmMachineThreads.cpp:
2966         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2967
2968 2017-07-06  Saam Barati  <sbarati@apple.com>
2969
2970         We are missing places where we invalidate the for-in context
2971         https://bugs.webkit.org/show_bug.cgi?id=174184
2972
2973         Reviewed by Geoffrey Garen.
2974
2975         * bytecompiler/BytecodeGenerator.cpp:
2976         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2977         * bytecompiler/NodesCodegen.cpp:
2978         (JSC::EmptyLetExpression::emitBytecode):
2979         (JSC::ForInNode::emitLoopHeader):
2980         (JSC::ForOfNode::emitBytecode):
2981         (JSC::BindingNode::bindValue):
2982
2983 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2984
2985         Unreviewed, suppress warnings in GCC environment
2986
2987         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2988         * runtime/IntlCollator.cpp:
2989         * runtime/IntlDateTimeFormat.cpp:
2990         * runtime/JSGlobalObject.cpp:
2991         * runtime/StringPrototype.cpp:
2992
2993 2017-07-05  Saam Barati  <sbarati@apple.com>
2994
2995         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2996         https://bugs.webkit.org/show_bug.cgi?id=174188
2997         <rdar://problem/30581423>
2998
2999         Reviewed by Mark Lam.
3000
3001         We were calling lowJSValue(edge) when we were speculating the
3002         edge as double. This isn't allowed. We should have been using
3003         lowDouble.
3004         
3005         This patch also adds a new option, called useArrayAllocationProfiling,
3006         which defaults to true. When false, it will make the array allocation
3007         profile not actually sample seen arrays. It'll force the allocation
3008         profile's predicted indexing type to be ArrayWithUndecided. Adding
3009         this option made it trivial to write a test for this bug.
3010
3011         * bytecode/ArrayAllocationProfile.cpp:
3012         (JSC::ArrayAllocationProfile::updateIndexingType):
3013         * ftl/FTLLowerDFGToB3.cpp:
3014         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
3015         * runtime/Options.h:
3016
3017 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3018
3019         WTF::Thread should have the threads stack bounds.
3020         https://bugs.webkit.org/show_bug.cgi?id=173975
3021
3022         Reviewed by Keith Miller.
3023
3024         There is a site in JSC that tries to walk another thread's stack.
3025         Currently, stack bounds are stored in WTFThreadData which is located
3026         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3027         We work around this situation by holding StackBounds in MachineThread in JSC,
3028         but StackBounds should be put in WTF::Thread instead.
3029
3030         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3031         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3032         is a natural choice.
3033
3034         * heap/MachineStackMarker.cpp:
3035         (JSC::MachineThreads::MachineThread::MachineThread):
3036         (JSC::MachineThreads::MachineThread::captureStack):
3037         * heap/MachineStackMarker.h:
3038         (JSC::MachineThreads::MachineThread::stackBase):
3039         (JSC::MachineThreads::MachineThread::stackEnd):
3040         * runtime/InitializeThreading.cpp:
3041         (JSC::initializeThreading):
3042         * runtime/VM.cpp:
3043         (JSC::VM::VM):
3044         (JSC::VM::updateStackLimits):
3045         (JSC::VM::committedStackByteCount):
3046         * runtime/VM.h:
3047         (JSC::VM::isSafeToRecurse):
3048         * runtime/VMEntryScope.cpp:
3049         (JSC::VMEntryScope::VMEntryScope):
3050         * runtime/VMInlines.h:
3051         (JSC::VM::ensureStackCapacityFor):
3052         * runtime/VMTraps.cpp:
3053         * yarr/YarrPattern.cpp:
3054         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3055
3056 2017-07-05  Keith Miller  <keith_miller@apple.com>
3057
3058         Crashing with information should have an abort reason
3059         https://bugs.webkit.org/show_bug.cgi?id=174185
3060
3061         Reviewed by Saam Barati.
3062
3063         Add crash information for the abstract interpreter and add an enum
3064         value for object allocation sinking.
3065
3066         * assembler/AbortReason.h:
3067         * dfg/DFGAbstractInterpreterInlines.h:
3068         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3069         * dfg/DFGGraph.cpp:
3070         (JSC::DFG::logDFGAssertionFailure):
3071         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3072
3073 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3074
3075         Remove copy of ICU headers from WebKit
3076         https://bugs.webkit.org/show_bug.cgi?id=116407
3077
3078         Reviewed by Alex Christensen.
3079
3080         Use WTF's copy of ICU headers.
3081
3082         * Configurations/Base.xcconfig:
3083         * icu/unicode/localpointer.h: Removed.
3084         * icu/unicode/parseerr.h: Removed.
3085         * icu/unicode/platform.h: Removed.
3086         * icu/unicode/ptypes.h: Removed.
3087         * icu/unicode/putil.h: Removed.
3088         * icu/unicode/uchar.h: Removed.
3089         * icu/unicode/ucnv.h: Removed.
3090         * icu/unicode/ucnv_err.h: Removed.
3091         * icu/unicode/ucol.h: Removed.
3092         * icu/unicode/uconfig.h: Removed.
3093         * icu/unicode/ucurr.h: Removed.
3094         * icu/unicode/uenum.h: Removed.
3095         * icu/unicode/uiter.h: Removed.
3096         * icu/unicode/uloc.h: Removed.
3097         * icu/unicode/umachine.h: Removed.
3098         * icu/unicode/unorm.h: Removed.
3099         * icu/unicode/unorm2.h: Removed.
3100         * icu/unicode/urename.h: Removed.
3101         * icu/unicode/uscript.h: Removed.
3102         * icu/unicode/uset.h: Removed.
3103         * icu/unicode/ustring.h: Removed.
3104         * icu/unicode/utf.h: Removed.
3105         * icu/unicode/utf16.h: Removed.
3106         * icu/unicode/utf8.h: Removed.
3107         * icu/unicode/utf_old.h: Removed.
3108         * icu/unicode/utypes.h: Removed.
3109         * icu/unicode/uvernum.h: Removed.
3110         * icu/unicode/uversion.h: Removed.
3111         * runtime/IntlCollator.cpp:
3112         * runtime/IntlDateTimeFormat.cpp:
3113         (JSC::IntlDateTimeFormat::partTypeString):
3114         * runtime/JSGlobalObject.cpp:
3115         * runtime/StringPrototype.cpp:
3116         (JSC::normalize):
3117         (JSC::stringProtoFuncNormalize):
3118
3119 2017-07-05  Devin Rousso  <drousso@apple.com>
3120
3121         Web Inspector: Allow users to log any tracked canvas context
3122         https://bugs.webkit.org/show_bug.cgi?id=173397
3123         <rdar://problem/33111581>
3124
3125         Reviewed by Joseph Pecoraro.
3126
3127         * inspector/protocol/Canvas.json:
3128         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
3129
3130 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
3131
3132         Add WebKitPrivateFrameworkStubs for iOS 11
3133         https://bugs.webkit.org/show_bug.cgi?id=173988
3134
3135         Reviewed by David Kilzer.
3136
3137         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
3138         same directory for private framework stubs.
3139
3140 2017-07-05  JF Bastien  <jfbastien@apple.com>
3141
3142         WebAssembly: implement name section's module name, skip unknown sections
3143         https://bugs.webkit.org/show_bug.cgi?id=172008
3144
3145         Reviewed by Keith Miller.
3146
3147         Parse the WebAssembly module name properly, and skip unknown
3148         sections. This is useful because as toolchains support new types
3149         of names we want to keep displaying the information we know about
3150         and simply ignore new information. That capability was designed
3151         into WebAssembly's name section.
3152
3153         Failure to commit this patch would mean that WebKit won't display
3154         stack trace information, which would make developers sad.
3155
3156         Module names were added here: https://github.com/WebAssembly/design/pull/1055
3157
3158         Note that this patch doesn't do anything with the parsed name! Two
3159         reasons for this: module names aren't supported in binaryen yet,
3160         so I can't write a simple binary test; and using the name is a
3161         slightly riskier change because it requires changing StackVisitor
3162         + StackFrame (where they print "[wasm code]") which requires
3163         figuring out the frame's Module. The latter bit isn't trivial
3164         because we only know wasm frames from their tag bits, and
3165         CodeBlocks are always nullptr.
3166
3167         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
3168
3169         I filed #174098 to use the module name.
3170
3171         * wasm/WasmFormat.h:
3172         (JSC::Wasm::isValidNameType):
3173         * wasm/WasmNameSectionParser.cpp:
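As an added illustration of the parsing behaviour this entry describes (example code, not JSC's WasmNameSectionParser), the following reads the subsections of a "name" custom section, extracts the module name from subsection type 0, skips subsection types it does not know, and rejects lengths that run past the input; it assumes the input is the section payload after the custom section's own header, and the sample bytes are constructed for the example:

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Input: a sequence of name subsections, each
//   name_type: varuint7, name_payload_len: varuint32, name_payload_data.
struct NameSectionResult {
    bool ok = false;               // false on malformed input
    bool hasModuleName = false;
    std::string moduleName;
    size_t skippedSubsections = 0; // unknown name_types stepped over
};

enum NameType : uint8_t { ModuleName = 0, FunctionNames = 1, LocalNames = 2 };

// Bounds-checked unsigned LEB128 decode, at most 5 bytes for a 32-bit value.
static bool parseVarUInt32(const std::vector<uint8_t>& bytes, size_t& offset, uint32_t& out)
{
    uint32_t result = 0;
    for (unsigned shift = 0; shift < 35; shift += 7) {
        if (offset >= bytes.size())
            return false;
        uint8_t byte = bytes[offset++];
        result |= static_cast<uint32_t>(byte & 0x7f) << shift;
        if (!(byte & 0x80)) {
            out = result;
            return true;
        }
    }
    return false; // continuation bit set on the 5th byte: malformed
}

NameSectionResult parseNameSection(const std::vector<uint8_t>& bytes)
{
    NameSectionResult result;
    size_t offset = 0;
    while (offset < bytes.size()) {
        uint32_t nameType = 0;
        uint32_t payloadLength = 0;
        if (!parseVarUInt32(bytes, offset, nameType) || !parseVarUInt32(bytes, offset, payloadLength))
            return result;
        // The declared length must fit in what remains before it is used.
        if (payloadLength > bytes.size() - offset)
            return result;
        size_t payloadEnd = offset + payloadLength;

        if (nameType == ModuleName) {
            uint32_t nameLength = 0;
            if (!parseVarUInt32(bytes, offset, nameLength) || offset > payloadEnd
                || nameLength > payloadEnd - offset)
                return result;
            result.moduleName.assign(bytes.begin() + offset, bytes.begin() + offset + nameLength);
            result.hasModuleName = true;
        } else if (nameType == FunctionNames || nameType == LocalNames) {
            // Known subsection kinds whose bodies this example does not decode.
        } else
            ++result.skippedSubsections;

        offset = payloadEnd; // advance to the next subsection whatever its type
    }
    result.ok = true;
    return result;
}

// Constructed sample: module name "demo", a function-names subsection with an
// opaque body, and an unknown subsection (type 9) that must be skipped.
std::vector<uint8_t> sampleNameSectionBytes()
{
    return {
        0x00, 0x05, 0x04, 'd', 'e', 'm', 'o', // type 0, len 5: name_len 4, "demo"
        0x01, 0x03, 0x01, 0x00, 0x00,         // type 1, len 3: opaque body
        0x09, 0x02, 0xAA, 0xBB,               // type 9 (unknown), len 2: skipped
    };
}
```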
3174
3175 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
3176
3177         Cleanup some StringBuilder use
3178         https://bugs.webkit.org/show_bug.cgi?id=174118
3179
3180         Reviewed by Andreas Kling.
3181
3182         * runtime/FunctionConstructor.cpp:
3183         (JSC::constructFunctionSkippingEvalEnabledCheck):
3184         * tools/FunctionOverrides.cpp:
3185         (JSC::parseClause):
3186         * wasm/WasmOMGPlan.cpp:
3187         * wasm/WasmPlan.cpp:
3188         * wasm/WasmValidate.cpp:
3189
3190 2017-07-03  Saam Barati  <sbarati@apple.com>
3191
3192         LayoutTest workers/bomb.html is a Crash
3193         https://bugs.webkit.org/show_bug.cgi?id=167757
3194         <rdar://problem/33086462>
3195
3196         Reviewed by Keith Miller.
3197
3198         VMTraps::SignalSender was accessing VM fields even after
3199         the VM was destroyed. This happened when the SignalSender
3200         thread was in the middle of its work() function while VMTraps
3201         was notified that the VM was shutting down. The VM would proceed
3202         to run its destructor even after the SignalSender thread finished
3203         doing its work. This means that the SignalSender thread was accessing
3204         VM fields even after the VM was destructed (including itself, since it is
3205         transitively owned by the VM). The VM must wait for the SignalSender
3206         thread to shut down before it can continue to destruct itself.
3207
3208         * runtime/VMTraps.cpp:
3209         (JSC::VMTraps::willDestroyVM):
3210
3211 2017-07-03  Saam Barati  <sbarati@apple.com>
3212
3213         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
3214         https://bugs.webkit.org/show_bug.cgi?id=174110
3215
3216         Reviewed by Michael Saboff.
3217
3218         * dfg/DFGByteCodeParser.cpp:
3219         (JSC::DFG::ByteCodeParser::parseBlock):
3220
3221 2017-07-03  Saam Barati  <sbarati@apple.com>
3222
3223         Add a new assertion to object allocation sinking phase
3224         https://bugs.webkit.org/show_bug.cgi?id=174107
3225
3226         Rubber stamped by Filip Pizlo.
3227
3228         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3229
3230 2017-07-03  Commit Queue  <commit-queue@webkit.org>
3231
3232         Unreviewed, rolling out r219060.
3233         https://bugs.webkit.org/show_bug.cgi?id=174108
3234
3235         crashing constantly when initializing UIWebView (Requested by
3236         thorton on #webkit).
3237
3238         Reverted changeset:
3239
3240         "WTF::Thread should have the threads stack bounds."
3241         https://bugs.webkit.org/show_bug.cgi?id=173975
3242         http://trac.webkit.org/changeset/219060
3243
3244 2017-07-03  Matt Lewis  <jlewis3@apple.com>
3245
3246         Unreviewed, rolling out r219103.
3247
3248         Caused multiple build failures.
3249
3250         Reverted changeset:
3251
3252         "Remove copy of ICU headers from WebKit"
3253         https://bugs.webkit.org/show_bug.cgi?id=116407
3254         http://trac.webkit.org/changeset/219103
3255
3256 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3257
3258         Remove copy of ICU headers from WebKit
3259         https://bugs.webkit.org/show_bug.cgi?id=116407
3260
3261         Reviewed by Alex Christensen.
3262
3263         Use WTF's copy of ICU headers.
3264
3265         * Configurations/Base.xcconfig:
3266         * icu/unicode/localpointer.h: Removed.
3267         * icu/unicode/parseerr.h: Removed.
3268         * icu/unicode/platform.h: Removed.
3269         * icu/unicode/ptypes.h: Removed.
3270         * icu/unicode/putil.h: Removed.
3271         * icu/unicode/uchar.h: Removed.
3272         * icu/unicode/ucnv.h: Removed.
3273         * icu/unicode/ucnv_err.h: Removed.
3274         * icu/unicode/ucol.h: Removed.
3275         * icu/unicode/uconfig.h: Removed.
3276         * icu/unicode/ucurr.h: Removed.
3277         * icu/unicode/uenum.h: Removed.
3278         * icu/unicode/uiter.h: Removed.
3279         * icu/unicode/uloc.h: Removed.
3280         * icu/unicode/umachine.h: Removed.
3281         * icu/unicode/unorm.h: Removed.
3282         * icu/unicode/unorm2.h: Removed.
3283         * icu/unicode/urename.h: Removed.
3284         * icu/unicode/uscript.h: Removed.
3285         * icu/unicode/uset.h: Removed.
3286         * icu/unicode/ustring.h: Removed.
3287         * icu/unicode/utf.h: Removed.
3288         * icu/unicode/utf16.h: Removed.
3289         * icu/unicode/utf8.h: Removed.
3290         * icu/unicode/utf_old.h: Removed.
3291         * icu/unicode/utypes.h: Removed.
3292         * icu/unicode/uvernum.h: Removed.
3293         * icu/unicode/uversion.h: Removed.
3294         * runtime/IntlCollator.cpp:
3295         * runtime/IntlDateTimeFormat.cpp:
3296         * runtime/JSGlobalObject.cpp:
3297         * runtime/StringPrototype.cpp:
3298
3299 2017-07-03  Saam Barati  <sbarati@apple.com>
3300
3301         Add better crash logging for allocation sinking phase
3302         https://bugs.webkit.org/show_bug.cgi?id=174102
3303         <rdar://problem/33112092>
3304
3305         Rubber stamped by Filip Pizlo.
3306
3307         I'm trying to gather better information from crashlogs about why
3308         we're crashing in the allocation sinking phase. I'm adding an allocation-
3309         sinking specific RELEASE_ASSERT as well as marking a few functions as
3310         NEVER_INLINE to have the stack traces in the crash trace contain more
3311         actionable information.
3312
3313         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3314
3315 2017-07-03  Sam Weinig  <sam@webkit.org>
3316
3317         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
3318         https://bugs.webkit.org/show_bug.cgi?id=174083
3319
3320         Reviewed by Alex Christensen.
3321
3322         * Configurations/FeatureDefines.xcconfig:
3323         Add ENABLE_NAVIGATOR_STANDALONE.
3324
3325 2017-07-03  Andy Estes  <aestes@apple.com>
3326
3327         [Xcode] Add an experimental setting to build with ccache
3328         https://bugs.webkit.org/show_bug.cgi?id=173875
3329
3330         Reviewed by Tim Horton.
3331
3332         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
3333
3334 2017-07-03  Devin Rousso  <drousso@apple.com>
3335
3336         Web Inspector: Support listing WebGL2 and WebGPU contexts
3337         https://bugs.webkit.org/show_bug.cgi?id=173396
3338
3339         Reviewed by Joseph Pecoraro.
3340
3341         * inspector/protocol/Canvas.json:
3342         * inspector/scripts/codegen/generator.py:
3343         (Generator.stylized_name_for_enum_value):
3344         Add cases for handling new Canvas.ContextType protocol enumerations:
3345          - "webgl2" maps to `WebGL2`
3346          - "webgpu" maps to `WebGPU`
3347
3348 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3349
3350         WTF::Thread should have the threads stack bounds.
3351         https://bugs.webkit.org/show_bug.cgi?id=173975
3352
3353         Reviewed by Mark Lam.
3354
3355         There is a site in JSC that tries to walk another thread's stack.
3356         Currently, stack bounds are stored in WTFThreadData which is located
3357         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3358         We work around this situation by holding StackBounds in MachineThread in JSC,
3359         but StackBounds should be put in WTF::Thread instead.
3360
3361         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3362         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3363         is a natural choice.
3364
3365         * heap/MachineStackMarker.cpp:
3366         (JSC::MachineThreads::MachineThread::MachineThread):
3367         (JSC::MachineThreads::MachineThread::captureStack):
3368         * heap/MachineStackMarker.h:
3369         (JSC::MachineThreads::MachineThread::stackBase):
3370         (JSC::MachineThreads::MachineThread::stackEnd):
3371         * runtime/InitializeThreading.cpp:
3372         (JSC::initializeThreading):
3373         * runtime/VM.cpp:
3374         (JSC::VM::VM):
3375         (JSC::VM::updateStackLimits):
3376         (JSC::VM::committedStackByteCount):
3377         * runtime/VM.h:
3378         (JSC::VM::isSafeToRecurse):
3379         * runtime/VMEntryScope.cpp:
3380         (JSC::VMEntryScope::VMEntryScope):
3381         * runtime/VMInlines.h:
3382         (JSC::VM::ensureStackCapacityFor):
3383         * runtime/VMTraps.cpp:
3384         * yarr/YarrPattern.cpp:
3385         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3386
3387 2017-07-01  Dan Bernstein  <mitz@apple.com>
3388
3389         [iOS] Remove code only needed when building for iOS 9.x
3390         https://bugs.webkit.org/show_bug.cgi?id=174068
3391
3392         Reviewed by Tim Horton.
3393
3394         * Configurations/FeatureDefines.xcconfig:
3395         * jit/ExecutableAllocator.cpp:
3396         * runtime/Options.cpp:
3397         (JSC::recomputeDependentOptions):
3398
3399 2017-07-01  Dan Bernstein  <mitz@apple.com>
3400
3401         [macOS] Remove code only needed when building for OS X Yosemite
3402         https://bugs.webkit.org/show_bug.cgi?id=174067
3403
3404         Reviewed by Tim Horton.