[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-12-28  Saam Barati  <sbarati@apple.com>
2
3         Assertion used to determine if something is an async generator is wrong
4         https://bugs.webkit.org/show_bug.cgi?id=181168
5         <rdar://problem/35640560>
6
7         Reviewed by Yusuke Suzuki.
8
9         Previous assertions were doing a get on the base value for @@asyncIterator.
10         This symbol is defined on AsyncGeneratorPrototype. The base value may change
11         its prototype, but it's still an async generator as far as our system is
12         concerned. This patch updates the assertion to check for a private property
13         on the base value.
14
15         * builtins/AsyncGeneratorPrototype.js:
16         (globalPrivate.asyncGeneratorReject):
17         (globalPrivate.asyncGeneratorResolve):
18         (globalPrivate.asyncGeneratorResumeNext):
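
Added example (JavaScript, not code from WebKit's builtins) for the point the entry above makes: a [[Get]] of @@asyncIterator really tests the prototype chain, because that symbol lives on AsyncGeneratorPrototype, so it misclassifies an async generator whose prototype was changed and accepts any object that merely defines the symbol. The block contrasts that lookup with a brand check keyed on the object's internal async-generator state (the intrinsic %AsyncGeneratorPrototype%.next is the closest script-level analogue to the private property the patch switches to). Names `gen`, `makeDetachedGenerator`, `fakeAsyncIterable`, `hasAsyncIteratorViaGet`, `isAsyncGeneratorByBrand` and `classify` are assumptions of this example.

```javascript
// Added example (not WebKit code): prototype-chain lookup vs. brand check
// for the question "is this value an async generator?".

async function* gen() {
  yield 1;
  yield 2;
}

// %AsyncGeneratorPrototype% reached through the intrinsic chain:
// AsyncGeneratorFunction.prototype.prototype === %AsyncGeneratorPrototype%.
const AsyncGeneratorPrototype = Object.getPrototypeOf(async function* () {}).prototype;
const intrinsicNext = AsyncGeneratorPrototype.next;

// An async generator object whose prototype has been replaced. The engine
// still treats it as an async generator (its internal state is untouched),
// but nothing in its prototype chain defines @@asyncIterator any more.
function makeDetachedGenerator() {
  const g = gen();
  Object.setPrototypeOf(g, null);
  return g;
}

// Constructed plain object that merely defines @@asyncIterator: it is an
// async iterable, not an async generator.
const fakeAsyncIterable = {
  [Symbol.asyncIterator]() { return this; },
  async next() { return { value: undefined, done: true }; },
};

// The old-style test: a [[Get]] of @@asyncIterator on the value. Because the
// symbol is defined on AsyncGeneratorPrototype, this answers a question about
// the prototype chain, not about what the object actually is.
function hasAsyncIteratorViaGet(value) {
  return value !== null && value !== undefined
    && typeof value[Symbol.asyncIterator] === 'function';
}

// Brand check: the intrinsic next() consults the [[AsyncGeneratorState]]
// internal slot and yields a rejected promise (TypeError) for any receiver
// that lacks it. Changing the prototype cannot remove that slot.
// Note: this advances a real generator by one step, so it is a demonstration,
// not something to call on a generator you still intend to iterate.
async function isAsyncGeneratorByBrand(value) {
  try {
    await intrinsicNext.call(value);
    return true;
  } catch (e) {
    // A TypeError thrown by the generator body itself would be misread here;
    // acceptable for the demonstration.
    if (e instanceof TypeError) return false;
    throw e;
  }
}

// Runs both checks over both inputs and returns the outcomes.
async function classify() {
  const detached = makeDetachedGenerator();
  return {
    detachedViaGet: hasAsyncIteratorViaGet(detached),              // false: wrong answer
    detachedByBrand: await isAsyncGeneratorByBrand(detached),      // true: still an async generator
    fakeViaGet: hasAsyncIteratorViaGet(fakeAsyncIterable),         // true: wrong answer
    fakeByBrand: await isAsyncGeneratorByBrand(fakeAsyncIterable), // false: not an async generator
  };
}

classify().then((result) => console.log(result));
```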
19
20 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
21
22         Build fix after r226299 (3)
23         https://bugs.webkit.org/show_bug.cgi?id=181160
24
25         Unreviewed build fix.
26
27         * API/tests/TypedArrayCTest.cpp: fix typo in header name.
28
29 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
30
31         Build fix after r226299 (2)
32         https://bugs.webkit.org/show_bug.cgi?id=181160
33
34         Unreviewed build fix.
35
36         * API/tests/TypedArrayCTest.cpp: Add missing header include.
37
38 2017-12-27  Carlos Alberto Lopez Perez  <clopez@igalia.com>
39
40         Build fix after r226299
41         https://bugs.webkit.org/show_bug.cgi?id=181160
42
43         Unreviewed build fix.
44
45         * API/tests/TypedArrayCTest.cpp:
46         (assertEqualsAsNumber): Disambiguate usage of isnan.
47
48 2017-12-26  Carlos Alberto Lopez Perez  <clopez@igalia.com>
49
50         REGRESSION(r225769): Build error with constexpr std::max // std::min in libdstdc++4
51         https://bugs.webkit.org/show_bug.cgi?id=181160
52
53         Reviewed by Myles C. Maxfield.
54
55         Disambiguate usage of min and max (Use the version from stdlib).
56
57         * runtime/JSArray.cpp:
58         (JSC::JSArray::unshiftCountSlowCase):
59         (JSC::JSArray::setLengthWithArrayStorage):
60         (JSC::JSArray::shiftCountWithArrayStorage):
61         (JSC::JSArray::fillArgList):
62         (JSC::JSArray::copyToArguments):
63
64 2017-12-27  Zan Dobersek  <zdobersek@igalia.com>
65
66         REGRESSION(r225913): about 30 JSC test failures on ARMv7
67         https://bugs.webkit.org/show_bug.cgi?id=181162
68
69         Reviewed by Michael Catanzaro.
70
71         Fast case in DFG::SpeculativeJIT::compileArraySlice() was enabled in
72         r225913 on all but the 32-bit x86 platform. Other 32-bit platforms have the
73         same lack of GP registers, so the conditional is changed here to only
74         enable this optimization explicitly on ARM64 and x86-64.
75
76         * dfg/DFGSpeculativeJIT.cpp:
77         (JSC::DFG::SpeculativeJIT::compileArraySlice):
78
79 2017-12-26  Yusuke Suzuki  <utatane.tea@gmail.com>
80
81         [JSC] Remove std::chrono completely
82         https://bugs.webkit.org/show_bug.cgi?id=181165
83
84         Reviewed by Konstantin Tokarev.
85
86         This patch removes std::chrono use completely from JSC.
87
88         * API/JSContextRef.cpp:
89         (JSContextGroupSetExecutionTimeLimit):
90         * API/tests/ExecutionTimeLimitTest.cpp:
91         (currentCPUTimeAsJSFunctionCallback):
92         (testExecutionTimeLimit):
93         * bytecode/CodeBlock.cpp:
94         (JSC::CodeBlock::CodeBlock):
95         (JSC::timeToLive):
96         * bytecode/CodeBlock.h:
97         (JSC::CodeBlock::timeSinceCreation):
98         * runtime/SamplingProfiler.cpp:
99         (JSC::SamplingProfiler::SamplingProfiler):
100         (JSC::SamplingProfiler::timerLoop):
101         (JSC::SamplingProfiler::takeSample):
102         (JSC::SamplingProfiler::reportTopFunctions):
103         (JSC::SamplingProfiler::reportTopBytecodes):
104         * runtime/SamplingProfiler.h:
105         (JSC::SamplingProfiler::setTimingInterval):
106         * runtime/VM.cpp:
107         (JSC::VM::VM):
108         * runtime/Watchdog.cpp:
109         (JSC::Watchdog::Watchdog):
110         (JSC::Watchdog::setTimeLimit):
111         (JSC::Watchdog::shouldTerminate):
112         (JSC::Watchdog::startTimer):
113         (JSC::currentWallClockTime): Deleted.
114         * runtime/Watchdog.h:
115
116 2017-12-26  Zan Dobersek  <zdobersek@igalia.com>
117
118         REGRESSION(r226269): 60 JSC test failures on ARMv7
119         https://bugs.webkit.org/show_bug.cgi?id=181163
120
121         Reviewed by Yusuke Suzuki.
122
123         In r226269, DFG::SpeculativeJIT::compile() changed behavior for the
124         GetDirectPname operation on non-x86 platforms, switching to using
125         GPRFlushedCallResult registers for the payload and tag pair of the
126         return value (through the JSValueRegsFlushedCallResult struct). This
127         tripped about 60 test cases on ARMv7.
128
129         As before this change, GPRTemporary registers should be used, but this
130         can now be done through a JSValueRegsTemporary object.
131
132         * dfg/DFGSpeculativeJIT32_64.cpp:
133         (JSC::DFG::SpeculativeJIT::compile):
134
135 2017-12-22  Caio Lima  <ticaiolima@gmail.com>
136
137         [JSC] IntlCollator and IntlNumberFormat have static fields with the same name
138         https://bugs.webkit.org/show_bug.cgi?id=181128
139
140         Reviewed by Yusuke Suzuki.
141
142         Minor fixes to IntlNumberFormat::initializeNumberFormat and
143         IntlCollator::initializeCollator that make JSC unified sources
144         compile. These files were generating a compilation error when placed in
145         the same UnifiedSource.cpp, because they had static variables with the same name.
146
147         * runtime/IntlCollator.cpp:
148         (JSC::IntlCollator::initializeCollator):
149         * runtime/IntlNumberFormat.cpp:
150         (JSC::IntlNumberFormat::initializeNumberFormat):
151
152 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
153
154         generate_offset_extractor.rb should not print to stderr by default
155         https://bugs.webkit.org/show_bug.cgi?id=181133
156
157         Reviewed by Mark Lam.
158
159         Remove unneeded print output.
160
161         * offlineasm/generate_offset_extractor.rb:
162
163 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
164
165         [DFG] Cleaning up and unifying 32bit code more
166         https://bugs.webkit.org/show_bug.cgi?id=181124
167
168         Reviewed by Mark Lam.
169
170         This patch unifies DFG 32bit code into 64bit code more. In this patch, we move RegExp DFG nodes
171         from 32bit / 64bit code to the common code. We change some RegExp operations to return JSCell*
172         instead of EncodedJSValue. This simplifies the DFG implementation.
173
174         And we also move HasGenericProperty since we now have JSValueRegsFlushedCallResult. ToPrimitive,
175         LogShadowChickenPrologue, and LogShadowChickenTail are almost the same in 32bit and 64bit.
176         Thus, they are unified easily.
177
178         And we also move some GPRFlushedCallResult from the original places to the places just after
179         `flushRegisters()` not to spill unnecessary registers.
180
181         * dfg/DFGOperations.cpp:
182         * dfg/DFGOperations.h:
183         * dfg/DFGSpeculativeJIT.cpp:
184         (JSC::DFG::SpeculativeJIT::compileRegExpExec):
185         (JSC::DFG::SpeculativeJIT::compileRegExpTest):
186         (JSC::DFG::SpeculativeJIT::compileStringReplace):
187         (JSC::DFG::SpeculativeJIT::compileHasGenericProperty):
188         (JSC::DFG::SpeculativeJIT::compileToPrimitive):
189         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenPrologue):
190         (JSC::DFG::SpeculativeJIT::compileLogShadowChickenTail):
191         * dfg/DFGSpeculativeJIT.h:
192         (JSC::DFG::SpeculativeJIT::callOperation):
193         * dfg/DFGSpeculativeJIT32_64.cpp:
194         (JSC::DFG::SpeculativeJIT::emitCall):
195         (JSC::DFG::SpeculativeJIT::compile):
196         * dfg/DFGSpeculativeJIT64.cpp:
197         (JSC::DFG::SpeculativeJIT::compile):
198         (JSC::DFG::SpeculativeJIT::speculateDoubleRepAnyInt):
199         * ftl/FTLLowerDFGToB3.cpp:
200         (JSC::FTL::DFG::LowerDFGToB3::compileStringReplace):
201         * jit/JITOperations.cpp:
202         * jit/JITOperations.h:
203         * runtime/StringPrototype.cpp:
204         (JSC::jsSpliceSubstrings):
205         (JSC::jsSpliceSubstringsWithSeparators):
206         (JSC::removeUsingRegExpSearch):
207         (JSC::replaceUsingRegExpSearch):
208         (JSC::operationStringProtoFuncReplaceRegExpEmptyStr):
209         (JSC::operationStringProtoFuncReplaceRegExpString):
210         (JSC::replaceUsingStringSearch):
211         (JSC::replace):
212         (JSC::stringProtoFuncReplaceUsingRegExp):
213         (JSC::stringProtoFuncReplaceUsingStringSearch):
214         (JSC::operationStringProtoFuncReplaceGeneric):
215         * runtime/StringPrototype.h:
216
217 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
218
219         [GTK] Duplicated symbols in libjavascriptcoregtk and libwebkit2gtk can cause crashes in production builds
220         https://bugs.webkit.org/show_bug.cgi?id=179914
221         <rdar://problem/36196039>
222
223         Unreviewed.
224
225         * PlatformGTK.cmake:
226
227 2017-12-22  Michael Catanzaro  <mcatanzaro@igalia.com>
228
229         [GTK] Duplicated symbols in libjavascriptcoregtk and libwebkit2gtk can cause crashes in production builds
230         https://bugs.webkit.org/show_bug.cgi?id=179914
231
232         Reviewed by Carlos Garcia Campos.
233
234         Add a new JavaScriptCoreGTK build target, to build JSC as a shared library. Link the
235         original JavaScriptCore build target, which is now a static library, to it. Use
236         --whole-archive to prevent all the JavaScriptCore symbols from being dropped, since none are
237         used directly by JavaScriptCoreGTK.
238
239         The installed libjavascriptcoregtk-4.0 now corresponds to the JavaScriptCoreGTK target,
240         instead of the JavaScriptCore target. There is almost no difference on the installed system,
241         except that we now use a version script when linking, to hide private symbols, since they're
242         no longer needed by libwebkit2gtk-4.0.so.
243
244         Also, move the symbols map here.
245
246         * PlatformGTK.cmake:
247         * javascriptcoregtk-symbols.map: Added.
248
249 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
250
251         [DFG] Unify bunch of DFG 32bit code into 64bit code
252         https://bugs.webkit.org/show_bug.cgi?id=181083
253
254         Reviewed by Mark Lam.
255
256         There is a bunch of code that is completely the same in the 32bit and 64bit DFG.
257         This is largely because of the old DFG code. At that time, we did not
258         have enough abstraction to describe it in one place. But now, we have
259         JSValueRegs, JSValueRegsTemporary etc. They allow the DFG to write 32bit and
260         64bit handling in one piece of code.
261
262         This patch unifies the easy ones. This is nice since basically 32bit code is
263         a bit old and not maintained so much compared to 64bit. If we can drop
264         32bit specific code as much as possible, it would be nice. Furthermore,
265         we can find various mistakes in 32bit: For example, NewObject does not have
266         mutatorFence in 32bit while 64bit has it. This unification is a chance
267         to fix miscellaneous bugs in 32bit while reducing maintenance burden.
268
269         * dfg/DFGSpeculativeJIT.cpp:
270         (JSC::DFG::SpeculativeJIT::compileNewTypedArrayWithSize):
271         (JSC::DFG::SpeculativeJIT::compileGetEnumerableLength):
272         (JSC::DFG::SpeculativeJIT::compileToIndexString):
273         (JSC::DFG::SpeculativeJIT::compilePutByIdWithThis):
274         (JSC::DFG::SpeculativeJIT::compileHasStructureProperty):
275         (JSC::DFG::SpeculativeJIT::compileGetPropertyEnumerator):
276         (JSC::DFG::SpeculativeJIT::compileGetEnumeratorPname):
277         (JSC::DFG::SpeculativeJIT::compileGetGetter):
278         (JSC::DFG::SpeculativeJIT::compileGetSetter):
279         (JSC::DFG::SpeculativeJIT::compileGetCallee):
280         (JSC::DFG::SpeculativeJIT::compileGetArgumentCountIncludingThis):
281         (JSC::DFG::SpeculativeJIT::compileStrCat):
282         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSize):
283         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
284         (JSC::DFG::SpeculativeJIT::compileCreateThis):
285         (JSC::DFG::SpeculativeJIT::compileNewObject):
286         * dfg/DFGSpeculativeJIT.h:
287         (JSC::DFG::SpeculativeJIT::callOperation):
288         * dfg/DFGSpeculativeJIT32_64.cpp:
289         (JSC::DFG::SpeculativeJIT::compile):
290         * dfg/DFGSpeculativeJIT64.cpp:
291         (JSC::DFG::SpeculativeJIT::compile):
292
293 2017-12-22  Yusuke Suzuki  <utatane.tea@gmail.com>
294
295         [DFG] Add JSValueRegsFlushedCallResult
296         https://bugs.webkit.org/show_bug.cgi?id=181075
297
298         Reviewed by Mark Lam.
299
300         Add JSValueRegsFlushedCallResult, which is appropriate for the JSValueRegs result
301         of the function call after flushing. We can remove a bunch of `#if USE(JSVALUE32_64)`
302         code and simplify it.
303
304         * dfg/DFGSpeculativeJIT.cpp:
305         (JSC::DFG::SpeculativeJIT::compileFromCharCode):
306         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithString):
307         (JSC::DFG::SpeculativeJIT::compileGetByValForObjectWithSymbol):
308         (JSC::DFG::SpeculativeJIT::compileParseInt):
309         (JSC::DFG::SpeculativeJIT::emitUntypedBitOp):
310         (JSC::DFG::SpeculativeJIT::emitUntypedRightShiftBitOp):
311         (JSC::DFG::SpeculativeJIT::compileValueAdd):
312         (JSC::DFG::SpeculativeJIT::compileArithMul):
313         (JSC::DFG::SpeculativeJIT::compileArithDiv):
314         (JSC::DFG::SpeculativeJIT::compileArithRounding):
315         (JSC::DFG::SpeculativeJIT::compileResolveScopeForHoistingFuncDeclInEval):
316         (JSC::DFG::SpeculativeJIT::compileGetDynamicVar):
317         * dfg/DFGSpeculativeJIT.h:
318         (JSC::DFG::SpeculativeJIT::callOperation):
319         (JSC::DFG::JSValueRegsFlushedCallResult::JSValueRegsFlushedCallResult):
320         (JSC::DFG::JSValueRegsFlushedCallResult::regs):
321
322 2017-12-21  Saam Barati  <sbarati@apple.com>
323
324         lowering get_by_val to GetById inside bytecode parser should check for BadType exit kind
325         https://bugs.webkit.org/show_bug.cgi?id=181112
326
327         Reviewed by Mark Lam.
328
329         The React subtest in Speedometer has a get_by_val it always converts
330         into a GetById in the DFG. This GetById always exits because the incoming
331         identifier is a rope. This patch fixes this infinite exit loop
332         by only doing this transformation if we haven't exited due to BadType.
333
334         * dfg/DFGByteCodeParser.cpp:
335         (JSC::DFG::ByteCodeParser::parseBlock):
336
337 2017-12-21  Mark Lam  <mark.lam@apple.com>
338
339         Add WTF::PoisonedUniquePtr to replace std::unique_ptr when poisoning is desired.
340         https://bugs.webkit.org/show_bug.cgi?id=181062
341         <rdar://problem/36167040>
342
343         Reviewed by Chris Dumez.
344
345         * runtime/JSCPoisonedPtr.cpp:
346         - Added a needed #include.
347
348 2017-12-21  Jeremy Jones  <jeremyj@apple.com>
349
350         Update FULLSCREEN_API feature defines.
351         https://bugs.webkit.org/show_bug.cgi?id=181015
352
353         Reviewed by Tim Horton.
354
355         Change enabled iphone sdk for FULLSCREEN_API.
356
357         * Configurations/FeatureDefines.xcconfig:
358
359 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
360
361         [JSC] Do not check isValid() in op_new_regexp
362         https://bugs.webkit.org/show_bug.cgi?id=180970
363
364         Reviewed by Saam Barati.
365
366         We should not check `isValid()` inside op_new_regexp.
367         This simplifies the semantics of NewRegexp node in DFG.
368
369         * bytecompiler/NodesCodegen.cpp:
370         (JSC::RegExpNode::emitBytecode):
371         * dfg/DFGMayExit.cpp:
372         * dfg/DFGSpeculativeJIT.cpp:
373         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
374         * ftl/FTLLowerDFGToB3.cpp:
375         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
376         * jit/JITOperations.cpp:
377         * llint/LLIntSlowPaths.cpp:
378         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
379
380 2017-12-20  Saam Barati  <sbarati@apple.com>
381
382         GetPropertyEnumerator in DFG/FTL should not unconditionally speculate cell
383         https://bugs.webkit.org/show_bug.cgi?id=181054
384
385         Reviewed by Mark Lam.
386
387         Speedometer's react subtest has a function that is in an OSR exit loop because
388         we used to unconditionally speculate cell for the operand to GetPropertyEnumerator.
389         This fix doesn't seem to speed up Speedometer at all, but it's good hygiene 
390         for our compiler to not have this pathology. This patch adds a generic
391         GetPropertyEnumerator to prevent the exit loop.
392
393         * dfg/DFGFixupPhase.cpp:
394         (JSC::DFG::FixupPhase::fixupNode):
395         * dfg/DFGSpeculativeJIT32_64.cpp:
396         (JSC::DFG::SpeculativeJIT::compile):
397         * dfg/DFGSpeculativeJIT64.cpp:
398         (JSC::DFG::SpeculativeJIT::compile):
399         * ftl/FTLLowerDFGToB3.cpp:
400         (JSC::FTL::DFG::LowerDFGToB3::compileGetPropertyEnumerator):
401         * jit/JITOperations.cpp:
402         * jit/JITOperations.h:
403
404 2017-12-20  Daniel Bates  <dabates@apple.com>
405
406         Remove Alternative Presentation Button
407         https://bugs.webkit.org/show_bug.cgi?id=180500
408         <rdar://problem/35891047>
409
410         Reviewed by Simon Fraser.
411
412         We no longer need the alternative presentation button.
413
414         * Configurations/FeatureDefines.xcconfig:
415
416 2017-12-19  Saam Barati  <sbarati@apple.com>
417
418         We forgot to do index masking for in bounds int32 arrays in the FTL
419         https://bugs.webkit.org/show_bug.cgi?id=180987
420
421         Reviewed by Keith Miller.
422
423         * ftl/FTLLowerDFGToB3.cpp:
424         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
425
426 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
427
428         [DFG][FTL] NewRegexp should be fast
429         https://bugs.webkit.org/show_bug.cgi?id=180960
430
431         Reviewed by Michael Saboff.
432
433         When we encounter a RegExp literal like /AAA/g, we need to create a RegExp object.
434         Typical idiom like `string.match(/regexp/)` requires RegExp object creation
435         every time.
436
437         As a first step, this patch accelerates RegExp object creation by handling it
438         in DFG and FTL. In a subsequent patch, we would like to introduce PhantomNewRegexp
439         to remove unnecessary RegExp object creations.
440
441         This patch improves SixSpeed/regex-u.{es5,es6}.
442
443                                      baseline                  patched
444
445             regex-u.es5          69.6759+-3.1951     ^     53.1425+-2.0292        ^ definitely 1.3111x faster
446             regex-u.es6         129.5413+-5.4437     ^    107.2105+-7.7775        ^ definitely 1.2083x faster
447
448         * dfg/DFGSpeculativeJIT.cpp:
449         (JSC::DFG::SpeculativeJIT::compileNewRegexp):
450         * dfg/DFGSpeculativeJIT.h:
451         * dfg/DFGSpeculativeJIT32_64.cpp:
452         (JSC::DFG::SpeculativeJIT::compile):
453         * dfg/DFGSpeculativeJIT64.cpp:
454         (JSC::DFG::SpeculativeJIT::compile):
455         * ftl/FTLAbstractHeapRepository.h:
456         * ftl/FTLLowerDFGToB3.cpp:
457         (JSC::FTL::DFG::LowerDFGToB3::compileNewRegexp):
458         * jit/JIT.h:
459         * jit/JITInlines.h:
460         (JSC::JIT::callOperation):
461         * jit/JITOpcodes.cpp:
462         (JSC::JIT::emit_op_new_regexp):
463         * jit/JITOperations.cpp:
464         * jit/JITOperations.h:
465         * llint/LLIntSlowPaths.cpp:
466         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
467         * runtime/RegExpObject.h:
468         (JSC::RegExpObject::offsetOfRegExp):
469         (JSC::RegExpObject::allocationSize):
470
471 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
472
473         Unreviewed, include YarrErrorCode.h in Yarr.h
474         https://bugs.webkit.org/show_bug.cgi?id=180966
475
476         * yarr/Yarr.h:
477
478 2017-12-19  Yusuke Suzuki  <utatane.tea@gmail.com>
479
480         [YARR] Yarr should return ErrorCode instead of error messages (const char*)
481         https://bugs.webkit.org/show_bug.cgi?id=180966
482
483         Reviewed by Mark Lam.
484
485         Currently, Yarr returns `const char*` for an error message when needed.
486         But it is easier to handle error status if Yarr returns an error code
487         instead of `const char*`.
488
489         In this patch, we introduce Yarr::ErrorCode. Yarr returns it instead of
490         `const char*`. `std::expected<void, Yarr::ErrorCode>` would be appropriate
491         for the Yarr API interface. But it requires substantial changes removing
492         ErrorCode::NoError, so this patch just uses the current Yarr::ErrorCode as
493         a first step.
494
495         * JavaScriptCore.xcodeproj/project.pbxproj:
496         * Sources.txt:
497         * inspector/ContentSearchUtilities.cpp:
498         (Inspector::ContentSearchUtilities::findMagicComment):
499         * parser/ASTBuilder.h:
500         (JSC::ASTBuilder::createRegExp):
501         * parser/Parser.cpp:
502         (JSC::Parser<LexerType>::parsePrimaryExpression):
503         * parser/SyntaxChecker.h:
504         (JSC::SyntaxChecker::createRegExp):
505         * runtime/RegExp.cpp:
506         (JSC::RegExp::RegExp):
507         (JSC::RegExp::byteCodeCompileIfNecessary):
508         (JSC::RegExp::compile):
509         (JSC::RegExp::compileMatchOnly):
510         * runtime/RegExp.h:
511         * yarr/RegularExpression.cpp:
512         (JSC::Yarr::RegularExpression::Private::Private):
513         (JSC::Yarr::RegularExpression::Private::compile):
514         * yarr/YarrErrorCode.cpp: Added.
515         (JSC::Yarr::errorMessage):
516         * yarr/YarrErrorCode.h: Copied from Source/JavaScriptCore/yarr/YarrSyntaxChecker.h.
517         (JSC::Yarr::hasError):
518         * yarr/YarrParser.h:
519         (JSC::Yarr::Parser::CharacterClassParserDelegate::CharacterClassParserDelegate):
520         (JSC::Yarr::Parser::CharacterClassParserDelegate::atomPatternCharacter):
521         (JSC::Yarr::Parser::Parser):
522         (JSC::Yarr::Parser::isIdentityEscapeAnError):
523         (JSC::Yarr::Parser::parseEscape):
524         (JSC::Yarr::Parser::parseCharacterClass):
525         (JSC::Yarr::Parser::parseParenthesesBegin):
526         (JSC::Yarr::Parser::parseParenthesesEnd):
527         (JSC::Yarr::Parser::parseQuantifier):
528         (JSC::Yarr::Parser::parseTokens):
529         (JSC::Yarr::Parser::parse):
530         (JSC::Yarr::Parser::tryConsumeUnicodeEscape):
531         (JSC::Yarr::Parser::tryConsumeUnicodePropertyExpression):
532         (JSC::Yarr::parse):
533         * yarr/YarrPattern.cpp:
534         (JSC::Yarr::YarrPatternConstructor::YarrPatternConstructor):
535         (JSC::Yarr::YarrPatternConstructor::setupDisjunctionOffsets):
536         (JSC::Yarr::YarrPatternConstructor::setupOffsets):
537         (JSC::Yarr::YarrPattern::compile):
538         (JSC::Yarr::YarrPattern::YarrPattern):
539         (JSC::Yarr::YarrPattern::errorMessage): Deleted.
540         * yarr/YarrPattern.h:
541         (JSC::Yarr::YarrPattern::reset):
542         * yarr/YarrSyntaxChecker.cpp:
543         (JSC::Yarr::checkSyntax):
544         * yarr/YarrSyntaxChecker.h:
545
546 2017-12-18  Saam Barati  <sbarati@apple.com>
547
548         Follow up to bug#179762. Fix PreciseLocalClobberize to handle Spread/PhantomSpread(PhantomNewArrayBuffer)
549
550         * dfg/DFGPreciseLocalClobberize.h:
551         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
552
553 2017-12-16  Filip Pizlo  <fpizlo@apple.com>
554
555         Vector index masking
556         https://bugs.webkit.org/show_bug.cgi?id=180909
557
558         Reviewed by Keith Miller.
559         
560         Adopt index masking for strings.
561
562         * dfg/DFGSpeculativeJIT.cpp:
563         (JSC::DFG::SpeculativeJIT::compileGetCharCodeAt):
564         (JSC::DFG::SpeculativeJIT::compileGetByValOnString):
565         * ftl/FTLAbstractHeapRepository.h:
566         * ftl/FTLLowerDFGToB3.cpp:
567         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
568         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
569         * jit/ThunkGenerators.cpp:
570         (JSC::stringCharLoad):
571
572 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
573
574         [FTL] NewArrayBuffer should be sinked if it is only used for spreading
575         https://bugs.webkit.org/show_bug.cgi?id=179762
576
577         Reviewed by Saam Barati.
578
579         This patch extends arguments elimination phase to accept NewArrayBuffer.
580         We can convert NewArrayBuffer to PhantomNewArrayBuffer if it is only
581         used by spreading nodes.
582
583         This improves SixSpeed spread.es6 by 3.5x.
584
585             spread.es6           79.1496+-3.5665     ^     23.6204+-1.8526        ^ definitely 3.3509x faster
586
587         * dfg/DFGAbstractInterpreterInlines.h:
588         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
589         * dfg/DFGArgumentsEliminationPhase.cpp:
590         * dfg/DFGClobberize.h:
591         (JSC::DFG::clobberize):
592         * dfg/DFGDoesGC.cpp:
593         (JSC::DFG::doesGC):
594         * dfg/DFGFixupPhase.cpp:
595         (JSC::DFG::FixupPhase::fixupNode):
596         * dfg/DFGNode.h:
597         (JSC::DFG::Node::hasNewArrayBufferData):
598         (JSC::DFG::Node::hasVectorLengthHint):
599         (JSC::DFG::Node::hasIndexingType):
600         (JSC::DFG::Node::indexingType):
601         (JSC::DFG::Node::hasCellOperand):
602         (JSC::DFG::Node::isPhantomAllocation):
603         * dfg/DFGNodeType.h:
604         * dfg/DFGOSRAvailabilityAnalysisPhase.cpp:
605         (JSC::DFG::LocalOSRAvailabilityCalculator::executeNode):
606         * dfg/DFGPredictionPropagationPhase.cpp:
607         * dfg/DFGPromotedHeapLocation.cpp:
608         (WTF::printInternal):
609         * dfg/DFGPromotedHeapLocation.h:
610         * dfg/DFGSafeToExecute.h:
611         (JSC::DFG::safeToExecute):
612         * dfg/DFGSpeculativeJIT32_64.cpp:
613         (JSC::DFG::SpeculativeJIT::compile):
614         * dfg/DFGSpeculativeJIT64.cpp:
615         (JSC::DFG::SpeculativeJIT::compile):
616         * dfg/DFGValidate.cpp:
617         * ftl/FTLCapabilities.cpp:
618         (JSC::FTL::canCompile):
619         * ftl/FTLLowerDFGToB3.cpp:
620         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
621         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
622         (JSC::FTL::DFG::LowerDFGToB3::compileSpread):
623         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargsSpread):
624         (JSC::FTL::DFG::LowerDFGToB3::compileCallOrConstructVarargs):
625         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargs):
626         (JSC::FTL::DFG::LowerDFGToB3::compileForwardVarargsWithSpread):
627         * ftl/FTLOperations.cpp:
628         (JSC::FTL::operationPopulateObjectInOSR):
629         (JSC::FTL::operationMaterializeObjectInOSR):
630
631 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
632
633         [JSC] Use IsoSpace for JSWeakMap and JSWeakSet to use finalizeUnconditionally
634         https://bugs.webkit.org/show_bug.cgi?id=180916
635
636         Reviewed by Darin Adler.
637
638         This patch drops UnconditionalFinalizer for JSWeakMap and JSWeakSet by using IsoSpace.
639         Since these cells always require calling finalizeUnconditionally, we do not need to
640         track cells by using IsoCellSet.
641
642         Currently we still have WeakReferenceHarvester in JSWeakMap and JSWeakSet. We should
643         avoid using a global linked-list for this in the future.
644
645         * JavaScriptCore.xcodeproj/project.pbxproj:
646         * heap/Heap.cpp:
647         (JSC::Heap::finalizeUnconditionalFinalizersInIsoSubspace):
648         (JSC::Heap::finalizeUnconditionalFinalizers):
649         * heap/Heap.h:
650         * runtime/VM.cpp:
651         (JSC::VM::VM):
652         * runtime/VM.h:
653         * runtime/WeakMapImpl.cpp:
654         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
655         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally): Deleted.
656         * runtime/WeakMapImpl.h:
657         (JSC::WeakMapImpl::isWeakMap):
658         (JSC::WeakMapImpl::isWeakSet):
659         (JSC::WeakMapImpl::subspaceFor):
660         * runtime/WeakMapImplInlines.h: Added.
661         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
662
663 2017-12-17  Mark Lam  <mark.lam@apple.com>
664
665         Hollow out stub implementation of InspectorBackendDispatcher::sendResponse().
666         https://bugs.webkit.org/show_bug.cgi?id=180901
667         <rdar://problem/36087649>
668
669         Reviewed by Darin Adler.
670
671         We only need to keep a deprecated implementation of InspectorValues,
672         InspectorObjects, and InspectorBackendDispatcher::sendResponse() around so that
673         older versions of Safari can link against and run with a build of the latest code
674         in WebKit trunk. Older versions of System Safari used InspectorValues (via
675         WebInspector.framework) for two things:
676
677         1. Augmented JSContexts SPIs (via WebInspector.framework).
678         2. maybe WebDriver.
679
680         Neither of these is used when running SafariForWebKitDevelopment. Since neither
681         are used, we can stub out the symbols (InspectorValues, InspectorObjects,
682         InspectorBackendDispatcher::sendResponse) to do nothing, and
683         SafariForWebKitDevelopment will still continue to launch with trunk WebKit, and
684         run without any observable bad behavior.
685
686         * JavaScriptCore.xcodeproj/project.pbxproj:
687         * SourcesCocoa.txt:
688         * inspector/InspectorBackendDispatcher.cpp:
689         * inspector/InspectorBackendDispatcher.h:
690         * inspector/cocoa/DeprecatedInspectorValues.cpp:
691         (Inspector::InspectorValue::null):
692         (Inspector::InspectorValue::create):
693         (Inspector::InspectorValue::asValue):
694         (Inspector::InspectorValue::asObject):
695         (Inspector::InspectorValue::asArray):
696         (Inspector::InspectorValue::parseJSON):
697         (Inspector::InspectorValue::toJSONString const):
698         (Inspector::InspectorValue::asBoolean const):
699         (Inspector::InspectorValue::asDouble const):
700         (Inspector::InspectorValue::asInteger const):
701         (Inspector::InspectorValue::asString const):
702         (Inspector::InspectorValue::writeJSON const):
703         (Inspector::InspectorValue::memoryCost const):
704         (Inspector::InspectorObjectBase::openAccessors):
705         (Inspector::InspectorObjectBase::memoryCost const):
706         (Inspector::InspectorObjectBase::getBoolean const):
707         (Inspector::InspectorObjectBase::getString const):
708         (Inspector::InspectorObjectBase::getObject const):
709         (Inspector::InspectorObjectBase::getArray const):
710         (Inspector::InspectorObjectBase::getValue const):
711         (Inspector::InspectorObjectBase::remove):
712         (Inspector::InspectorObject::create):
713         (Inspector::InspectorArrayBase::get const):
714         (Inspector::InspectorArrayBase::memoryCost const):
715         (Inspector::InspectorArray::create):
716         (Inspector::BackendDispatcher::sendResponse):
717         (Inspector::InspectorObjectBase::~InspectorObjectBase): Deleted.
718         (Inspector::InspectorObjectBase::asObject): Deleted.
719         (Inspector::InspectorObjectBase::writeJSON const): Deleted.
720         (Inspector::InspectorObjectBase::InspectorObjectBase): Deleted.
721         (Inspector::InspectorArrayBase::~InspectorArrayBase): Deleted.
722         (Inspector::InspectorArrayBase::asArray): Deleted.
723         (Inspector::InspectorArrayBase::writeJSON const): Deleted.
724         (Inspector::InspectorArrayBase::InspectorArrayBase): Deleted.
725         * inspector/cocoa/DeprecatedInspectorValues.h: Removed.
726
727 2017-12-17  Yusuke Suzuki  <utatane.tea@gmail.com>
728
729         [JSC][WebCore][CSSJIT] Remove VM reference in CSSJIT
730         https://bugs.webkit.org/show_bug.cgi?id=180917
731
732         Reviewed by Sam Weinig.
733
734         We do not need to hold JIT flags in VM. We add
735         static VM::{canUseJIT,canUseAssembler,canUseRegExpJIT} functions.
736
737         * interpreter/AbstractPC.cpp:
738         (JSC::AbstractPC::AbstractPC):
739         * jit/JITThunks.cpp:
740         (JSC::JITThunks::ctiNativeCall):
741         (JSC::JITThunks::ctiNativeConstruct):
742         (JSC::JITThunks::ctiNativeTailCall):
743         (JSC::JITThunks::ctiNativeTailCallWithoutSavedTags):
744         (JSC::JITThunks::ctiInternalFunctionCall):
745         (JSC::JITThunks::ctiInternalFunctionConstruct):
746         (JSC::JITThunks::hostFunctionStub):
747         * llint/LLIntEntrypoint.cpp:
748         (JSC::LLInt::setFunctionEntrypoint):
749         (JSC::LLInt::setEvalEntrypoint):
750         (JSC::LLInt::setProgramEntrypoint):
751         (JSC::LLInt::setModuleProgramEntrypoint):
752         * llint/LLIntSlowPaths.cpp:
753         (JSC::LLInt::shouldJIT):
754         (JSC::LLInt::entryOSR):
755         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
756         * runtime/RegExp.cpp:
757         (JSC::RegExp::compile):
758         (JSC::RegExp::compileMatchOnly):
759         * runtime/VM.cpp:
760         (JSC::VM::canUseAssembler):
761         (JSC::VM::canUseJIT):
762         (JSC::VM::canUseRegExpJIT):
763         (JSC::VM::VM):
764         * runtime/VM.h:
765         (JSC::VM::canUseJIT): Deleted.
766         (JSC::VM::canUseRegExpJIT): Deleted.
767
768 2017-12-16  Yusuke Suzuki  <utatane.tea@gmail.com>
769
770         [JSC] Number of SlotVisitors can increase after setting up m_visitCounters
771         https://bugs.webkit.org/show_bug.cgi?id=180906
772
773         Reviewed by Filip Pizlo.
774
775         The number of SlotVisitors can increase after setting up m_visitCounters.
776         If it happens, our m_visitCounters misses the visit count of newly added
777         SlotVisitors. It accidentally decides that constraints are converged.
778         This leads to random assertion hits in a Linux environment.
779
780         In this patch, we compare the number of SlotVisitors in didVisitSomething().
781         If the number of SlotVisitors is changed, we conservatively say we did
782         visit something.
783
784         * heap/Heap.h:
785         * heap/HeapInlines.h:
786         (JSC::Heap::numberOfSlotVisitors):
787         * heap/MarkingConstraintSet.h:
788         * heap/MarkingConstraintSolver.cpp:
789         (JSC::MarkingConstraintSolver::didVisitSomething const):
790
791 2017-12-16  Keith Miller  <keith_miller@apple.com>
792
793         Indexing should only be computed when the new structure has an indexing header.
794         https://bugs.webkit.org/show_bug.cgi?id=180895
795
796         Reviewed by Saam Barati.
797
798         If we don't have an indexing header then we point the butterfly
799         sizeof(IndexingHeader) past the end of the butterfly. This makes
800         the computation of the offset simpler since it doesn't depend on
801         the indexing headeriness of the butterfly.
802
803         * jit/JITOperations.cpp:
804         * runtime/JSObject.cpp:
805         (JSC::JSObject::createInitialUndecided):
806         (JSC::JSObject::createInitialInt32):
807         (JSC::JSObject::createInitialDouble):
808         (JSC::JSObject::createInitialContiguous):
809         (JSC::JSObject::createArrayStorage):
810         (JSC::JSObject::convertUndecidedToArrayStorage):
811         (JSC::JSObject::convertInt32ToArrayStorage):
812         (JSC::JSObject::convertDoubleToArrayStorage):
813         * runtime/JSObject.h:
814         (JSC::JSObject::setButterfly):
815         (JSC::JSObject::nukeStructureAndSetButterfly):
816         * runtime/JSObjectInlines.h:
817         (JSC::JSObject::prepareToPutDirectWithoutTransition):
818         (JSC::JSObject::putDirectInternal):
819
820 2017-12-15  Ryan Haddad  <ryanhaddad@apple.com>
821
822         Unreviewed, rolling out r225941.
823
824         This change introduced LayoutTest crashes and assertion
825         failures.
826
827         Reverted changeset:
828
829         "Web Inspector: replace HTMLCanvasElement with
830         CanvasRenderingContext for instrumentation logic"
831         https://bugs.webkit.org/show_bug.cgi?id=180770
832         https://trac.webkit.org/changeset/225941
833
834 2017-12-15  Yusuke Suzuki  <utatane.tea@gmail.com>
835
836         Unreviewed, 32bit JSEmpty is not nullptr + CellTag
837         https://bugs.webkit.org/show_bug.cgi?id=180804
838
839         Add 32bit path for WeakMapGet.
840
841         * dfg/DFGSpeculativeJIT.cpp:
842         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
843
844 2017-12-14  Saam Barati  <sbarati@apple.com>
845
846         The CleanUp after LICM is erroneously removing a Check
847         https://bugs.webkit.org/show_bug.cgi?id=180852
848         <rdar://problem/36063494>
849
850         Reviewed by Filip Pizlo.
851
852         There was a bug where CleanUp phase relied on isProved() bits and LICM
853         changed them in an invalid way. The bug is as follows:
854         
855         We have two loops, L1 and L2, and two preheaders, P1 and P2. L2 is nested
856         inside of L1. We have a Check inside a node inside L1, say in basic block BB,
857         and that Check dominates all of L2. This is also a hoisting candidate, so we
858         hoist it outside of L1 and put it inside P1. Then, when we run AI, we look at
859         the preheader for each loop inside L1, so P1 and P2. When considering P2,
860         we execute the Check. Inside P2, before any hoisting is done, this Check
861         is dead code, because BB dominates P2. When we use AI to "execute" the
862         Check, it'll set its proof status to proved. This is because inside P2,
863         in the program before LICM runs, the Check is indeed proven at P2. But
864         it is not proven inside P1. This "execute" call will set our proof status
865         for the node inside *P1*, hence, we crash.
866         
867         The fix here is to make LICM precise when updating the ProofStatus of an edge.
868         It can trust the AI state at the preheader it hoists the node to, but it can't
869         trust the state when executing effects inside inner loops' preheaders.
870
871         * dfg/DFGPlan.cpp:
872         (JSC::DFG::Plan::compileInThreadImpl):
873
874 2017-12-14  David Kilzer  <ddkilzer@apple.com>
875
876         Enable -Wstrict-prototypes for WebKit
877         <https://webkit.org/b/180757>
878         <rdar://problem/36024132>
879
880         Rubber-stamped by Joseph Pecoraro.
881
882         * API/tests/CompareAndSwapTest.h:
883         (testCompareAndSwap): Add 'void' to C function declaration.
884         * API/tests/ExecutionTimeLimitTest.h:
885         (testExecutionTimeLimit): Ditto.
886         * API/tests/FunctionOverridesTest.h:
887         (testFunctionOverrides): Ditto.
888         * API/tests/GlobalContextWithFinalizerTest.h:
889         (testGlobalContextWithFinalizer): Ditto.
890         * API/tests/JSONParseTest.h:
891         (testJSONParse): Ditto.
892         * API/tests/MultithreadedMultiVMExecutionTest.h:
893         (startMultithreadedMultiVMExecutionTest): Ditto.
894         (finalizeMultithreadedMultiVMExecutionTest): Ditto.
895         * API/tests/PingPongStackOverflowTest.h:
896         (testPingPongStackOverflow): Ditto.
897         * Configurations/Base.xcconfig:
898         (CLANG_WARN_STRICT_PROTOTYPES): Add. Set to YES.
899
900 2017-12-14  Yusuke Suzuki  <utatane.tea@gmail.com>
901
902         [DFG] Reduce register pressure of WeakMapGet to be used for 32bit
903         https://bugs.webkit.org/show_bug.cgi?id=180804
904
905         Reviewed by Saam Barati.
906
907         This fixes 32bit failures of JSC by reducing register pressure of WeakMapGet.
908
909         * dfg/DFGRegisterBank.h:
910         (JSC::DFG::RegisterBank::lockedCount const):
911         * dfg/DFGSpeculativeJIT.cpp:
912         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
913
914 2017-12-14  Keith Miller  <keith_miller@apple.com>
915
916         Unreviewed, forgot to add { }
917
918         * runtime/JSObject.h:
919         (JSC::JSObject::setButterfly):
920         (JSC::JSObject::nukeStructureAndSetButterfly):
921
922 2017-12-14  Devin Rousso  <webkit@devinrousso.com>
923
924         Web Inspector: replace HTMLCanvasElement with CanvasRenderingContext for instrumentation logic
925         https://bugs.webkit.org/show_bug.cgi?id=180770
926
927         Reviewed by Joseph Pecoraro.
928
929         * inspector/protocol/Canvas.json:
930
931 2017-12-14  Keith Miller  <keith_miller@apple.com>
932
933         Fix assertion in JSObject's structure setting methods
934         https://bugs.webkit.org/show_bug.cgi?id=180840
935
936         Reviewed by Mark Lam.
937
938         I forgot that when Typed Arrays have non-indexed properties
939         added to them, they call the generic code. The generic code
940         in turn calls the regular structure setting methods. Thus,
941         these assertions were invalid and we should just avoid setting
942         the indexing mask if we have a Typed Array.
943
944         * runtime/JSObject.h:
945         (JSC::JSObject::setButterfly):
946         (JSC::JSObject::nukeStructureAndSetButterfly):
947
948 2017-12-14  Michael Saboff  <msaboff@apple.com>
949
950         REGRESSION (r225695): Repro crash on yahoo login page
951         https://bugs.webkit.org/show_bug.cgi?id=180761
952
953         Reviewed by JF Bastien.
954
955         Relanding r225695 with a fix.
956
957         The fix is that we need to save the return address for a parentheses in
958         the ParenContext because it is actually used by any immediately contained
959         alternatives.
960
961         Also did a little refactoring, changing occurrences of PatternContext to
962         ParenContext since that is the name of the structure.
963
964         * runtime/RegExp.cpp:
965         (JSC::byteCodeCompilePattern):
966         (JSC::RegExp::byteCodeCompileIfNecessary):
967         (JSC::RegExp::compile):
968         (JSC::RegExp::compileMatchOnly):
969         * runtime/RegExp.h:
970         * runtime/RegExpInlines.h:
971         (JSC::RegExp::matchInline):
972         * testRegExp.cpp:
973         (parseRegExpLine):
974         (runFromFiles):
975         * yarr/Yarr.h:
976         * yarr/YarrInterpreter.cpp:
977         (JSC::Yarr::ByteCompiler::compile):
978         (JSC::Yarr::ByteCompiler::dumpDisjunction):
979         * yarr/YarrJIT.cpp:
980         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
981         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
982         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
983         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
984         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
985         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
986         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
987         (JSC::Yarr::YarrGenerator::ParenContext::returnAddressOffset):
988         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
989         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
990         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
991         (JSC::Yarr::YarrGenerator::allocateParenContext):
992         (JSC::Yarr::YarrGenerator::freeParenContext):
993         (JSC::Yarr::YarrGenerator::saveParenContext):
994         (JSC::Yarr::YarrGenerator::restoreParenContext):
995         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
996         (JSC::Yarr::YarrGenerator::storeToFrame):
997         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
998         (JSC::Yarr::YarrGenerator::clearMatches):
999         (JSC::Yarr::YarrGenerator::generate):
1000         (JSC::Yarr::YarrGenerator::backtrack):
1001         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1002         (JSC::Yarr::YarrGenerator::generateEnter):
1003         (JSC::Yarr::YarrGenerator::generateReturn):
1004         (JSC::Yarr::YarrGenerator::YarrGenerator):
1005         (JSC::Yarr::YarrGenerator::compile):
1006         * yarr/YarrJIT.h:
1007         (JSC::Yarr::YarrCodeBlock::execute):
1008         * yarr/YarrPattern.cpp:
1009         (JSC::Yarr::indentForNestingLevel):
1010         (JSC::Yarr::dumpUChar32):
1011         (JSC::Yarr::dumpCharacterClass):
1012         (JSC::Yarr::PatternTerm::dump):
1013         (JSC::Yarr::YarrPattern::dumpPattern):
1014         * yarr/YarrPattern.h:
1015         (JSC::Yarr::PatternTerm::containsAnyCaptures):
1016         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
1017         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
1018         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
1019         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
1020         (JSC::Yarr::BackTrackInfoParentheses::parenContextHeadIndex):
1021         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
1022
1023 2017-12-13  Keith Miller  <keith_miller@apple.com>
1024
1025         JSObjects should have a mask for loading indexed properties
1026         https://bugs.webkit.org/show_bug.cgi?id=180768
1027
1028         Reviewed by Mark Lam.
1029
1030         This patch adds a new member to JSObject that holds an indexing
1031         mask.  The indexing mask is bitwise ANDed with the index used to
1032         load a property.  If for whatever reason an attacker is able to
1033         clobber the vectorLength of our butterfly they still won't be able
1034         to read substantially past the end of the butterfly. For
1035         performance reasons we don't use the indexing masking for
1036         TypedArrays. Since TypedArrays are already gigacaged the risk of
1037         wild reads is still restricted.
1038
1039         This patch is a <1% regression on Speedometer and ~3% regression
1040         on JetStream in my testing.
1041
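As an added illustration (a constructed C model, not JSC's own code) of the mitigation this entry describes: the mask is derived from vectorLength when the butterfly is installed and ANDed into every fast indexed load, so a later corruption of the header length cannot turn one load into a read far outside the butterfly. The 2^k - 1 mask shape, the struct layout and every function name here are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the indexing-mask mitigation (not JSC's own code):
 * an object carries a per-object mask next to its butterfly pointer, and
 * every fast indexed load ANDs the index with that mask before dereferencing. */

typedef struct {
    uint32_t publicLength;  /* length visible to script */
    uint32_t vectorLength;  /* element slots the butterfly was allocated with */
} IndexingHeader;

typedef struct {
    IndexingHeader header;
    int32_t *elements;      /* element storage */
} Butterfly;

typedef struct {
    Butterfly *butterfly;
    uint32_t butterflyIndexingMask;  /* recomputed whenever the butterfly is installed */
} ObjectModel;

/* Assumed mask shape: the smallest 2^k - 1 that is >= vectorLength - 1.
 * Every valid index i < vectorLength satisfies (i & mask) == i, so correct
 * code is unaffected; an out-of-range index is folded back into [0, mask]. */
uint32_t compute_indexing_mask(uint32_t vectorLength)
{
    if (vectorLength <= 1)
        return 0;
    uint32_t mask = vectorLength - 1;
    mask |= mask >> 1;
    mask |= mask >> 2;
    mask |= mask >> 4;
    mask |= mask >> 8;
    mask |= mask >> 16;
    return mask;
}

/* Like setButterflyWithIndexingMask: the mask is derived from vectorLength when
 * the butterfly is installed, so a later overwrite of the header does not
 * widen it. */
void set_butterfly(ObjectModel *obj, Butterfly *butterfly)
{
    obj->butterfly = butterfly;
    obj->butterflyIndexingMask = compute_indexing_mask(butterfly->header.vectorLength);
}

/* The slot a fast path actually dereferences after masking. */
uint32_t masked_index(const ObjectModel *obj, uint32_t index)
{
    return index & obj->butterflyIndexingMask;
}

/* Fast indexed load: bounds check against the header, then a masked access.
 * Returns 0 when the index is out of range (the slow path would take over). */
int get_index_quickly(const ObjectModel *obj, uint32_t index, int32_t *out)
{
    if (index >= obj->butterfly->header.vectorLength)
        return 0;
    *out = obj->butterfly->elements[masked_index(obj, index)];
    return 1;
}

/* How far past vectorLength a masked access can land at most: mask + 1 is the
 * next power of two, so the slack is always smaller than vectorLength itself. */
uint32_t worst_case_slack(uint32_t vectorLength)
{
    return compute_indexing_mask(vectorLength) + 1 - vectorLength;
}

/* Builds a butterfly whose slot i holds i * 10. Storage is rounded up to
 * mask + 1 slots so the model itself stays memory-safe for any masked index. */
Butterfly *make_butterfly(uint32_t vectorLength)
{
    Butterfly *b = malloc(sizeof *b);
    b->header.publicLength = vectorLength;
    b->header.vectorLength = vectorLength;
    b->elements = calloc(compute_indexing_mask(vectorLength) + 1, sizeof(int32_t));
    for (uint32_t i = 0; i < vectorLength; i++)
        b->elements[i] = (int32_t)(i * 10);
    return b;
}

int main(void)
{
    ObjectModel obj;
    set_butterfly(&obj, make_butterfly(5));   /* mask becomes 7 */
    int32_t v = -1;
    printf("get 3 -> ok=%d v=%d\n", get_index_quickly(&obj, 3, &v), v);   /* ok=1 v=30 */
    printf("get 5 -> ok=%d\n", get_index_quickly(&obj, 5, &v));          /* ok=0 */
    /* Model the threat the entry describes: the header's length is corrupted. */
    obj.butterfly->header.vectorLength = UINT32_MAX;
    printf("masked 1000000 -> %u\n", masked_index(&obj, 1000000));       /* 0, not 1000000 */
    return 0;
}
```
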
1042         * assembler/MacroAssembler.h:
1043         (JSC::MacroAssembler::urshiftPtr):
1044         * bytecode/AccessCase.cpp:
1045         (JSC::AccessCase::generateImpl):
1046         * dfg/DFGAbstractHeap.h:
1047         * dfg/DFGClobberize.h:
1048         (JSC::DFG::clobberize):
1049         * dfg/DFGSpeculativeJIT.cpp:
1050         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1051         (JSC::DFG::SpeculativeJIT::compileDoublePutByVal):
1052         (JSC::DFG::SpeculativeJIT::compileNewFunctionCommon):
1053         (JSC::DFG::SpeculativeJIT::compileCreateActivation):
1054         (JSC::DFG::SpeculativeJIT::compileCreateDirectArguments):
1055         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1056         (JSC::DFG::SpeculativeJIT::compileNukeStructureAndSetButterfly):
1057         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
1058         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1059         * dfg/DFGSpeculativeJIT.h:
1060         (JSC::DFG::SpeculativeJIT::emitAllocateJSObject):
1061         (JSC::DFG::SpeculativeJIT::emitAllocateJSObjectWithKnownSize):
1062         * dfg/DFGSpeculativeJIT32_64.cpp:
1063         (JSC::DFG::SpeculativeJIT::compile):
1064         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1065         * dfg/DFGSpeculativeJIT64.cpp:
1066         (JSC::DFG::SpeculativeJIT::compile):
1067         (JSC::DFG::SpeculativeJIT::compileAllocateNewArrayWithSize):
1068         * ftl/FTLAbstractHeap.cpp:
1069         (JSC::FTL::IndexedAbstractHeap::baseIndex):
1070         * ftl/FTLAbstractHeap.h:
1071         * ftl/FTLAbstractHeapRepository.h:
1072         * ftl/FTLLowerDFGToB3.cpp:
1073         (JSC::FTL::DFG::LowerDFGToB3::compileAtomicsReadModifyWrite):
1074         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1075         (JSC::FTL::DFG::LowerDFGToB3::compileCreateActivation):
1076         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1077         (JSC::FTL::DFG::LowerDFGToB3::compileCreateDirectArguments):
1078         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
1079         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1080         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1081         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeCreateActivation):
1082         (JSC::FTL::DFG::LowerDFGToB3::maskedIndex):
1083         (JSC::FTL::DFG::LowerDFGToB3::computeButterflyIndexingMask):
1084         (JSC::FTL::DFG::LowerDFGToB3::allocateObject):
1085         (JSC::FTL::DFG::LowerDFGToB3::allocateVariableSizedObject):
1086         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1087         (JSC::FTL::DFG::LowerDFGToB3::pointerIntoTypedArray):
1088         * ftl/FTLOutput.h:
1089         (JSC::FTL::Output::baseIndex):
1090         * jit/AssemblyHelpers.h:
1091         (JSC::AssemblyHelpers::emitComputeButterflyIndexingMask):
1092         (JSC::AssemblyHelpers::nukeStructureAndStoreButterfly):
1093         (JSC::AssemblyHelpers::emitAllocateJSObject):
1094         (JSC::AssemblyHelpers::emitAllocateJSObjectWithKnownSize):
1095         (JSC::AssemblyHelpers::emitAllocateVariableSizedJSObject):
1096         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
1097         (JSC::AssemblyHelpers::storeButterfly): Deleted.
1098         * jit/JITOpcodes.cpp:
1099         (JSC::JIT::emit_op_new_object):
1100         (JSC::JIT::emit_op_create_this):
1101         * jit/JITOpcodes32_64.cpp:
1102         (JSC::JIT::emit_op_new_object):
1103         (JSC::JIT::emit_op_create_this):
1104         * jit/JITPropertyAccess.cpp:
1105         (JSC::JIT::emitDoubleLoad):
1106         (JSC::JIT::emitContiguousLoad):
1107         (JSC::JIT::emitArrayStorageLoad):
1108         * llint/LowLevelInterpreter32_64.asm:
1109         * llint/LowLevelInterpreter64.asm:
1110         * runtime/ArrayStorage.h:
1111         (JSC::ArrayStorage::availableVectorLength):
1112         * runtime/Butterfly.h:
1113         (JSC::ContiguousData::ContiguousData):
1114         (JSC::ContiguousData::at const):
1115         (JSC::ContiguousData::at):
1116         (JSC::Butterfly::publicLength const):
1117         (JSC::Butterfly::vectorLength const):
1118         (JSC::Butterfly::computeIndexingMaskForVectorLength):
1119         (JSC::Butterfly::computeIndexingMask):
1120         (JSC::Butterfly::contiguousInt32):
1121         (JSC::ContiguousData::operator[] const): Deleted.
1122         (JSC::ContiguousData::operator[]): Deleted.
1123         (JSC::Butterfly::publicLength): Deleted.
1124         (JSC::Butterfly::vectorLength): Deleted.
1125         * runtime/ButterflyInlines.h:
1126         (JSC::ContiguousData<T>::at const):
1127         (JSC::ContiguousData<T>::at):
1128         * runtime/ClonedArguments.cpp:
1129         (JSC::ClonedArguments::createEmpty):
1130         * runtime/JSArray.cpp:
1131         (JSC::JSArray::tryCreateUninitializedRestricted):
1132         (JSC::JSArray::appendMemcpy):
1133         (JSC::JSArray::setLength):
1134         (JSC::JSArray::pop):
1135         (JSC::JSArray::fastSlice):
1136         (JSC::JSArray::shiftCountWithArrayStorage):
1137         (JSC::JSArray::shiftCountWithAnyIndexingType):
1138         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1139         (JSC::JSArray::fillArgList):
1140         (JSC::JSArray::copyToArguments):
1141         * runtime/JSArrayBufferView.cpp:
1142         (JSC::JSArrayBufferView::JSArrayBufferView):
1143         * runtime/JSArrayInlines.h:
1144         (JSC::JSArray::pushInline):
1145         * runtime/JSFixedArray.h:
1146         (JSC::JSFixedArray::createFromArray):
1147         * runtime/JSGenericTypedArrayViewInlines.h:
1148         (JSC::JSGenericTypedArrayView<Adaptor>::slowDownAndWasteMemory):
1149         * runtime/JSObject.cpp:
1150         (JSC::JSObject::getOwnPropertySlotByIndex):
1151         (JSC::JSObject::putByIndex):
1152         (JSC::JSObject::createInitialInt32):
1153         (JSC::JSObject::createInitialDouble):
1154         (JSC::JSObject::createInitialContiguous):
1155         (JSC::JSObject::convertUndecidedToInt32):
1156         (JSC::JSObject::convertUndecidedToDouble):
1157         (JSC::JSObject::convertUndecidedToContiguous):
1158         (JSC::JSObject::convertInt32ToDouble):
1159         (JSC::JSObject::convertInt32ToArrayStorage):
1160         (JSC::JSObject::convertDoubleToContiguous):
1161         (JSC::JSObject::convertDoubleToArrayStorage):
1162         (JSC::JSObject::convertContiguousToArrayStorage):
1163         (JSC::JSObject::createInitialForValueAndSet):
1164         (JSC::JSObject::deletePropertyByIndex):
1165         (JSC::JSObject::getOwnPropertyNames):
1166         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1167         (JSC::JSObject::countElements):
1168         (JSC::JSObject::ensureLengthSlow):
1169         (JSC::JSObject::reallocateAndShrinkButterfly):
1170         (JSC::JSObject::getEnumerableLength):
1171         * runtime/JSObject.h:
1172         (JSC::JSObject::canGetIndexQuickly):
1173         (JSC::JSObject::getIndexQuickly):
1174         (JSC::JSObject::tryGetIndexQuickly const):
1175         (JSC::JSObject::setIndexQuickly):
1176         (JSC::JSObject::initializeIndex):
1177         (JSC::JSObject::initializeIndexWithoutBarrier):
1178         (JSC::JSObject::butterflyIndexingMaskOffset):
1179         (JSC::JSObject::butterflyIndexingMask const):
1180         (JSC::JSObject::setButterflyWithIndexingMask):
1181         (JSC::JSObject::setButterfly):
1182         (JSC::JSObject::nukeStructureAndSetButterfly):
1183         (JSC::JSObject::JSObject):
1184         * runtime/RegExpMatchesArray.h:
1185         (JSC::tryCreateUninitializedRegExpMatchesArray):
1186         * runtime/Structure.cpp:
1187         (JSC::Structure::flattenDictionaryStructure):
1188
1189 2017-12-14  David Kilzer  <ddkilzer@apple.com>
1190
1191         REGRESSION (r225799/r225887): Remove duplicate entries for JSCPoisonedPtr.h in Xcode project
1192
1193         Fixes the following warning during builds:
1194
1195             Warning: Multiple build commands for output file WebKitBuild/Release/JavaScriptCore.framework/Versions/A/PrivateHeaders/JSCPoisonedPtr.h
1196
1197         * JavaScriptCore.xcodeproj/project.pbxproj: Remove duplicate
1198         entries for JSCPoisonedPtr.h.
1199
1200 2017-12-14  David Kilzer  <ddkilzer@apple.com>
1201
1202         REGRESSION (r225887): Build broke due to missing includes in InferredValue.h
1203         <https://bugs.webkit.org/show_bug.cgi?id=180738>
1204
1205         * runtime/InferredValue.h: Attempt to fix build by adding
1206         missing #include statements.
1207
1208 2017-12-13  Filip Pizlo  <fpizlo@apple.com>
1209
1210         Octane/richards regressed by a whopping 20% because eliminateCommonSubexpressions has a weird fixpoint requirement
1211         https://bugs.webkit.org/show_bug.cgi?id=180783
1212
1213         Reviewed by Saam Barati.
1214         
1215         This fixes the regression by fixpointing CSE. We need to fixpoint CSE because of this case:
1216         
1217             BB#1:
1218                 a: Load(@x)
1219                 b: Load(@x)
1220                 c: Load(@b)
1221             BB#2:
1222                 d: Load(@b)
1223             BB#3:
1224                 e: Load(@b)
1225         
1226         Let's assume that #3 loops around to #2, so to eliminate @d, we need to prove that it's redundant
1227         with both @c and @e. The problem is that by the time we get to @d, the CSE state will look like
1228         this:
1229
1230             BB#1:
1231                 a: Load(@x)
1232                 b: Load(@x)
1233                 c: Load(@a)
1234                 memoryAtTail: {@x=>@a, @a=>@c}
1235             BB#2:
1236                 d: Load(@a) [sic]
1237                 memoryAtTail: {@b=>@d}
1238             BB#3:
1239                 e: Load(@b)
1240                 memoryAtTail: {@b=>@e} [sic]
1241         
1242         Note that #3's atTail map is keyed on @b, which was the old (no longer canonical) version of @a.
1243         But @d's children were already substituted, so it refers to @a. Since @a is not in #3's atTail
1244         map, we don't find it and leave the redundancy.
1245         
1246         I think that the cleanest solution is to fixpoint. CSE is pretty cheap, so hopefully we can afford
1247         this. It fixes the richards regression, since richards is super dependent on B3 CSE.
1248
1249         * b3/B3EliminateCommonSubexpressions.cpp: Logging.
1250         * b3/B3Generate.cpp:
1251         (JSC::B3::generateToAir): Fix the bug.
1252         * b3/air/AirReportUsedRegisters.cpp:
1253         (JSC::B3::Air::reportUsedRegisters): Logging.
1254         * dfg/DFGByteCodeParser.cpp:
1255         * dfg/DFGSSAConversionPhase.cpp:
1256         (JSC::DFG::SSAConversionPhase::run): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
1257         * ftl/FTLLowerDFGToB3.cpp:
1258         (JSC::FTL::DFG::LowerDFGToB3::lower): Don't generate EntrySwitch if we don't need it (makes IR easier to read).
1259
1260 2017-12-13  Joseph Pecoraro  <pecoraro@apple.com>
1261
1262         REGRESSION: Web Inspector: Opening inspector crashes page if there are empty resources
1263         https://bugs.webkit.org/show_bug.cgi?id=180787
1264         <rdar://problem/35934838>
1265
1266         Reviewed by Brian Burg.
1267
1268         * inspector/ContentSearchUtilities.cpp:
1269         (Inspector::ContentSearchUtilities::findMagicComment):
1270         For empty / null strings just return. There is no use
1271         trying to search them for a long common syntax.
1272
1273 2017-12-13  Saam Barati  <sbarati@apple.com>
1274
1275         Arrow functions need their own structure because they have different properties than sloppy functions
1276         https://bugs.webkit.org/show_bug.cgi?id=180779
1277         <rdar://problem/35814591>
1278
1279         Reviewed by Mark Lam.
1280
1281         We were using the same structure for sloppy functions and
1282         arrow functions. This broke our IC caching machinery because
1283         these two types of functions actually have different properties.
1284         This patch gives them different structures.
1285
1286         * dfg/DFGAbstractInterpreterInlines.h:
1287         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1288         * dfg/DFGSpeculativeJIT.cpp:
1289         (JSC::DFG::SpeculativeJIT::compileNewFunction):
1290         * ftl/FTLLowerDFGToB3.cpp:
1291         (JSC::FTL::DFG::LowerDFGToB3::compileNewFunction):
1292         * runtime/FunctionConstructor.cpp:
1293         (JSC::constructFunctionSkippingEvalEnabledCheck):
1294         * runtime/JSFunction.cpp:
1295         (JSC::JSFunction::selectStructureForNewFuncExp):
1296         (JSC::JSFunction::create):
1297         * runtime/JSFunction.h:
1298         * runtime/JSFunctionInlines.h:
1299         (JSC::JSFunction::createWithInvalidatedReallocationWatchpoint):
1300         * runtime/JSGlobalObject.cpp:
1301         (JSC::JSGlobalObject::init):
1302         (JSC::JSGlobalObject::visitChildren):
1303         * runtime/JSGlobalObject.h:
1304         (JSC::JSGlobalObject::arrowFunctionStructure const):
1305
1306 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
1307
1308         InferredValue should use IsoSubspace
1309         https://bugs.webkit.org/show_bug.cgi?id=180738
1310
1311         Reviewed by Keith Miller.
1312         
1313         This moves InferredValue into an IsoSubspace and then takes advantage of this to get rid of
1314         its UnconditionalFinalizer.
1315
1316         * JavaScriptCore.xcodeproj/project.pbxproj:
1317         * heap/Heap.cpp:
1318         (JSC::Heap::finalizeUnconditionalFinalizers):
1319         * runtime/InferredValue.cpp:
1320         (JSC::InferredValue::visitChildren):
1321         (JSC::InferredValue::ValueCleanup::ValueCleanup): Deleted.
1322         (JSC::InferredValue::ValueCleanup::~ValueCleanup): Deleted.
1323         (JSC::InferredValue::ValueCleanup::finalizeUnconditionally): Deleted.
1324         * runtime/InferredValue.h:
1325         (JSC::InferredValue::subspaceFor):
1326         * runtime/InferredValueInlines.h: Added.
1327         (JSC::InferredValue::finalizeUnconditionally):
1328         * runtime/VM.cpp:
1329         (JSC::VM::VM):
1330         * runtime/VM.h:
1331
1332 2017-12-13  Devin Rousso  <webkit@devinrousso.com>
1333
1334         Web Inspector: add instrumentation for ImageBitmapRenderingContext
1335         https://bugs.webkit.org/show_bug.cgi?id=180736
1336
1337         Reviewed by Joseph Pecoraro.
1338
1339         * inspector/protocol/Canvas.json:
1340         * inspector/scripts/codegen/generator.py:
1341
1342 2017-12-13  Saam Barati  <sbarati@apple.com>
1343
1344         Take a value driven approach to how we emit structure checks in TypeCheckHoistingPhase to obviate the need for static_assert guards
1345         https://bugs.webkit.org/show_bug.cgi?id=180771
1346
1347         Reviewed by JF Bastien.
1348
1349         * dfg/DFGTypeCheckHoistingPhase.cpp:
1350         (JSC::DFG::TypeCheckHoistingPhase::run):
1351
1352 2017-12-13  Saam Barati  <sbarati@apple.com>
1353
1354         REGRESSION(r225844): Around 850 new JSC failures on 32-bit
1355         https://bugs.webkit.org/show_bug.cgi?id=180764
1356
1357         Unreviewed. We should only emit CheckStructureOrEmpty on 64 bit platforms.
1358
1359         * dfg/DFGTypeCheckHoistingPhase.cpp:
1360         (JSC::DFG::TypeCheckHoistingPhase::run):
1361
1362 2017-12-13  Michael Saboff  <msaboff@apple.com>
1363
1364         Unreviewed rollout of r225695. Caused a crash on yahoo login page.
1365
1366         That bug tracked in https://bugs.webkit.org/show_bug.cgi?id=180761.
1367
1368         * runtime/RegExp.cpp:
1369         (JSC::RegExp::compile):
1370         (JSC::RegExp::compileMatchOnly):
1371         (JSC::byteCodeCompilePattern): Deleted.
1372         (JSC::RegExp::byteCodeCompileIfNecessary): Deleted.
1373         * runtime/RegExp.h:
1374         * runtime/RegExpInlines.h:
1375         (JSC::RegExp::matchInline):
1376         * testRegExp.cpp:
1377         (parseRegExpLine):
1378         (runFromFiles):
1379         * yarr/Yarr.h:
1380         * yarr/YarrInterpreter.cpp:
1381         (JSC::Yarr::ByteCompiler::compile):
1382         (JSC::Yarr::ByteCompiler::dumpDisjunction):
1383         (JSC::Yarr::ByteCompiler::emitDisjunction):
1384         * yarr/YarrJIT.cpp:
1385         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
1386         (JSC::Yarr::YarrGenerator::generate):
1387         (JSC::Yarr::YarrGenerator::backtrack):
1388         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
1389         (JSC::Yarr::YarrGenerator::generateEnter):
1390         (JSC::Yarr::YarrGenerator::generateReturn):
1391         (JSC::Yarr::YarrGenerator::YarrGenerator):
1392         (JSC::Yarr::YarrGenerator::compile):
1393         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes): Deleted.
1394         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns): Deleted.
1395         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots): Deleted.
1396         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor): Deleted.
1397         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset): Deleted.
1398         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset): Deleted.
1399         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset): Deleted.
1400         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset): Deleted.
1401         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset): Deleted.
1402         (JSC::Yarr::YarrGenerator::initParenContextFreeList): Deleted.
1403         (JSC::Yarr::YarrGenerator::allocatePatternContext): Deleted.
1404         (JSC::Yarr::YarrGenerator::freePatternContext): Deleted.
1405         (JSC::Yarr::YarrGenerator::savePatternContext): Deleted.
1406         (JSC::Yarr::YarrGenerator::restorePatternContext): Deleted.
1407         (JSC::Yarr::YarrGenerator::generateJITFailReturn): Deleted.
1408         (JSC::Yarr::YarrGenerator::clearMatches): Deleted.
1409         * yarr/YarrJIT.h:
1410         (JSC::Yarr::YarrCodeBlock::execute):
1411         * yarr/YarrPattern.cpp:
1412         (JSC::Yarr::indentForNestingLevel):
1413         (JSC::Yarr::dumpUChar32):
1414         (JSC::Yarr::PatternTerm::dump):
1415         (JSC::Yarr::YarrPattern::dumpPattern):
1416         (JSC::Yarr::dumpCharacterClass): Deleted.
1417         * yarr/YarrPattern.h:
1418         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex):
1419         (JSC::Yarr::BackTrackInfoParenthesesOnce::beginIndex):
1420         (JSC::Yarr::PatternTerm::containsAnyCaptures): Deleted.
1421         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex): Deleted.
1422         (JSC::Yarr::BackTrackInfoParentheses::beginIndex): Deleted.
1423         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex): Deleted.
1424         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex): Deleted.
1425         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex): Deleted.
1426
1427 2017-12-13  Mark Lam  <mark.lam@apple.com>
1428
1429         Fill out some Poisoned APIs, fix some bugs, and add some tests.
1430         https://bugs.webkit.org/show_bug.cgi?id=180724
1431         <rdar://problem/36006884>
1432
1433         Reviewed by JF Bastien.
1434
1435         * runtime/StructureTransitionTable.h:
1436
1437 2017-12-13  Caio Lima  <ticaiolima@gmail.com>
1438
1439         [ESNext][BigInt] Breaking tests on Debug build and 32-bits due to missing Exception check
1440         https://bugs.webkit.org/show_bug.cgi?id=180746
1441
1442         Reviewed by Saam Barati.
1443
1444         We have some uncaught exceptions that could happen due to OOM in
1445         JSBigInt::allocateFor and JSBigInt::toStringGeneric. This patch
1446         catches such exceptions properly.
1447
1448         * runtime/JSBigInt.cpp:
1449         (JSC::JSBigInt::allocateFor):
1450         (JSC::JSBigInt::parseInt):
1451         * runtime/JSCJSValue.cpp:
1452         (JSC::JSValue::toStringSlowCase const):
1453
1454 2017-12-13  Saam Barati  <sbarati@apple.com>
1455
1456         Fix how JSFunction handles "caller" and "arguments" for functions that don't have those properties
1457         https://bugs.webkit.org/show_bug.cgi?id=163579
1458         <rdar://problem/35455798>
1459
1460         Reviewed by Mark Lam.
1461
1462         Some functions in JavaScript do not have the "caller" and "arguments" properties.
1463         For example, strict functions do not. When reading our code that dealt with these
1464         types of functions, it was simply all wrong. We were doing weird things depending
1465         on the method table hook. This patch fixes this by doing what we should've been
1466         doing all along: when the JSFunction does not own the "caller"/"arguments" property,
1467         it should defer to its base class implementation for the various method table hooks.
1468
1469         * runtime/JSFunction.cpp:
1470         (JSC::JSFunction::put):
1471         (JSC::JSFunction::deleteProperty):
1472         (JSC::JSFunction::defineOwnProperty):
1473
1474 2017-12-13  Saam Barati  <sbarati@apple.com>
1475
1476         TypeCheckHoistingPhase needs to emit a CheckStructureOrEmpty if it's doing it for |this|
1477         https://bugs.webkit.org/show_bug.cgi?id=180734
1478         <rdar://problem/35640547>
1479
1480         Reviewed by Yusuke Suzuki.
1481
1482         The |this| value may be TDZ. If type check hoisting phase
1483         hoists a CheckStructure to it, it will crash. This patch
1484         makes it so we emit CheckStructureOrEmpty for |this|.
1485
1486         * dfg/DFGTypeCheckHoistingPhase.cpp:
1487         (JSC::DFG::TypeCheckHoistingPhase::run):
1488
1489 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1490
1491         [JSC] Optimize Object.assign by single transition acceleration
1492         https://bugs.webkit.org/show_bug.cgi?id=180644
1493
1494         Reviewed by Saam Barati.
1495
1496         Handling single transition is critical. Since this get() function is only used
1497         in Structure.cpp's 2 functions and it is quite small, we can annotate `inline`
1498         to accelerate it.
1499
1500         This improves SixSpeed/object-assign.es6 by 2.8%.
1501
1502                                     baseline                  patched
1503
1504         object-assign.es6      382.3548+-8.0461          371.6496+-5.7439          might be 1.0288x faster
1505
1506         * runtime/Structure.cpp:
1507         (JSC::StructureTransitionTable::get const):
1508
1509 2017-12-12  Filip Pizlo  <fpizlo@apple.com>
1510
1511         Structure, StructureRareData, and PropertyTable should be in IsoSubspaces
1512         https://bugs.webkit.org/show_bug.cgi?id=180732
1513
1514         Rubber stamped by Mark Lam.
1515         
1516         We should eventually move all fixed-size cells into IsoSubspaces. I don't know if they are
1517         scalable enough to support that, so we should do it carefully.
1518
1519         * heap/MarkedSpace.cpp:
1520         * runtime/PropertyMapHashTable.h:
1521         * runtime/Structure.h:
1522         * runtime/StructureRareData.h:
1523         * runtime/VM.cpp:
1524         (JSC::VM::VM):
1525         * runtime/VM.h:
1526
1527 2017-12-12  Saam Barati  <sbarati@apple.com>
1528
1529         We need to model effects of Spread(@PhantomCreateRest) in Clobberize/PreciseLocalClobberize
1530         https://bugs.webkit.org/show_bug.cgi?id=180725
1531         <rdar://problem/35970511>
1532
1533         Reviewed by Michael Saboff.
1534
1535         * dfg/DFGClobberize.h:
1536         (JSC::DFG::clobberize):
1537         * dfg/DFGPreciseLocalClobberize.h:
1538         (JSC::DFG::PreciseLocalClobberizeAdaptor::readTop):
1539
1540 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
1541
1542         [JSC] Implement optimized WeakMap and WeakSet
1543         https://bugs.webkit.org/show_bug.cgi?id=179929
1544
1545         Reviewed by Saam Barati.
1546
1547         This patch introduces WeakMapImpl to optimize WeakMap and WeakSet.
1548         This is similar to HashMapImpl. But,
1549
1550         1. WeakMapImpl's bucket is not allocated in the GC heap since WeakMap
1551         does not need to have iterators.
1552
1553         2. WeakMapImpl's buffer is allocated in the JSValue Gigacage instead
1554         of the auxiliary buffer. This is because we would like to allocate the buffer
1555         when finalizing GC. At that time, WeakMapImpl prunes dead entries and
1556         shrinks it if necessary. However, allocating from the GC heap during
1557         finalization is not allowed.
1558
1559         In particular, (2) is important since it ensures any WeakMap operations
1560         do not cause GC. Since GC may collect dead keys in WeakMap, rehash WeakMap,
1561         and reallocate/change WeakMap's buffer, ensuring that any WeakMap operations
1562         do not cause GC makes our implementation simple. To ensure this, we place
1563         DisallowGC for each WeakMap's interface.
1564
1565         In DFG, we introduce WeakMapGet and ExtractValueFromWeakMapGet nodes.
1566         WeakMapGet looks up the entry in WeakMapImpl and returns the value if it
1567         is a WeakMap, and the key if it is a WeakSet. If it
1568         does not find a corresponding entry, it returns JSEmpty.
1569         ExtractValueFromWeakMapGet converts JSEmpty to JSUndefined.
1570
1571         This patch improves WeakMap and WeakSet operations.
1572
1573                                      baseline                  patched
1574
1575             weak-set-key        240.6932+-10.4923    ^    148.7606+-6.1784        ^ definitely 1.6180x faster
1576             weak-map-key        174.3176+-8.2680     ^    151.7053+-6.8723        ^ definitely 1.1491x faster
1577
1578         * JavaScriptCore.xcodeproj/project.pbxproj:
1579         * Sources.txt:
1580         * dfg/DFGAbstractHeap.h:
1581         * dfg/DFGAbstractInterpreterInlines.h:
1582         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1583         * dfg/DFGByteCodeParser.cpp:
1584         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
1585         * dfg/DFGClobberize.h:
1586         (JSC::DFG::clobberize):
1587         * dfg/DFGDoesGC.cpp:
1588         (JSC::DFG::doesGC):
1589         * dfg/DFGFixupPhase.cpp:
1590         (JSC::DFG::FixupPhase::fixupNode):
1591         * dfg/DFGNode.h:
1592         (JSC::DFG::Node::hasHeapPrediction):
1593         * dfg/DFGNodeType.h:
1594         * dfg/DFGOperations.cpp:
1595         * dfg/DFGOperations.h:
1596         * dfg/DFGPredictionPropagationPhase.cpp:
1597         * dfg/DFGSafeToExecute.h:
1598         (JSC::DFG::safeToExecute):
1599         * dfg/DFGSpeculativeJIT.cpp:
1600         (JSC::DFG::SpeculativeJIT::compileExtractValueFromWeakMapGet):
1601         (JSC::DFG::SpeculativeJIT::compileWeakMapGet):
1602         * dfg/DFGSpeculativeJIT.h:
1603         * dfg/DFGSpeculativeJIT32_64.cpp:
1604         (JSC::DFG::SpeculativeJIT::compile):
1605         * dfg/DFGSpeculativeJIT64.cpp:
1606         (JSC::DFG::SpeculativeJIT::compile):
1607         * ftl/FTLAbstractHeapRepository.h:
1608         * ftl/FTLCapabilities.cpp:
1609         (JSC::FTL::canCompile):
1610         * ftl/FTLLowerDFGToB3.cpp:
1611         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1612         (JSC::FTL::DFG::LowerDFGToB3::compileExtractValueFromWeakMapGet):
1613         (JSC::FTL::DFG::LowerDFGToB3::compileWeakMapGet):
1614         * inspector/JSInjectedScriptHost.cpp:
1615         (Inspector::JSInjectedScriptHost::weakMapEntries):
1616         (Inspector::JSInjectedScriptHost::weakSetEntries):
1617         The existing code is incorrect. It can run GC and break WeakMap's iterator.
1618         We introduce takeSnapshot function to WeakMapImpl, which retrieves live
1619         entries without causing any GC.
1620
1621         * runtime/HashMapImpl.h:
1622         (JSC::shouldShrink):
1623         (JSC::shouldRehashAfterAdd):
1624         (JSC::nextCapacity):
1625         (JSC::HashMapImpl::shouldRehashAfterAdd const):
1626         (JSC::HashMapImpl::shouldShrink const):
1627         (JSC::HashMapImpl::rehash):
1628         (JSC::WeakMapHash::hash): Deleted.
1629         (JSC::WeakMapHash::equal): Deleted.
1630         * runtime/Intrinsic.cpp:
1631         (JSC::intrinsicName):
1632         * runtime/Intrinsic.h:
1633         * runtime/JSWeakMap.cpp:
1634         * runtime/JSWeakMap.h:
1635         * runtime/JSWeakSet.cpp:
1636         * runtime/JSWeakSet.h:
1637         * runtime/VM.cpp:
1638         * runtime/WeakGCMap.h:
1639         (JSC::WeakGCMap::forEach): Deleted.
1640         * runtime/WeakMapBase.cpp: Removed.
1641         * runtime/WeakMapBase.h: Removed.
1642         * runtime/WeakMapConstructor.cpp:
1643         (JSC::constructWeakMap):
1644         * runtime/WeakMapImpl.cpp: Added.
1645         (JSC::WeakMapImpl<WeakMapBucket>::destroy):
1646         (JSC::WeakMapImpl<WeakMapBucket>::visitChildren):
1647         (JSC::WeakMapImpl<WeakMapBucket>::estimatedSize):
1648         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::visitWeakReferences):
1649         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::visitWeakReferences):
1650         (JSC::WeakMapImpl<WeakMapBucket>::finalizeUnconditionally):
1651         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKey>>::takeSnapshot):
1652         (JSC::WeakMapImpl<WeakMapBucket<WeakMapBucketDataKeyValue>>::takeSnapshot):
1653         * runtime/WeakMapImpl.h: Added.
1654         (JSC::jsWeakMapHash):
1655         (JSC::nextCapacityAfterRemoveBatching):
1656         (JSC::WeakMapBucket::setKey):
1657         (JSC::WeakMapBucket::setValue):
1658         (JSC::WeakMapBucket::key const):
1659         (JSC::WeakMapBucket::value const):
1660         (JSC::WeakMapBucket::copyFrom):
1661         (JSC::WeakMapBucket::offsetOfKey):
1662         (JSC::WeakMapBucket::offsetOfValue):
1663         (JSC::WeakMapBucket::extractValue):
1664         (JSC::WeakMapBucket::isEmpty):
1665         (JSC::WeakMapBucket::deletedKey):
1666         (JSC::WeakMapBucket::isDeleted):
1667         (JSC::WeakMapBucket::makeDeleted):
1668         (JSC::WeakMapBucket::visitAggregate):
1669         (JSC::WeakMapBucket::clearValue):
1670         (JSC::WeakMapBuffer::allocationSize):
1671         (JSC::WeakMapBuffer::buffer const):
1672         (JSC::WeakMapBuffer::create):
1673         (JSC::WeakMapBuffer::reset):
1674         (JSC::WeakMapImpl::WeakMapImpl):
1675         (JSC::WeakMapImpl::finishCreation):
1676         (JSC::WeakMapImpl::get):
1677         (JSC::WeakMapImpl::has):
1678         (JSC::WeakMapImpl::add):
1679         (JSC::WeakMapImpl::remove):
1680         (JSC::WeakMapImpl::size const):
1681         (JSC::WeakMapImpl::offsetOfBuffer):
1682         (JSC::WeakMapImpl::offsetOfCapacity):
1683         (JSC::WeakMapImpl::findBucket):
1684         (JSC::WeakMapImpl::buffer const):
1685         (JSC::WeakMapImpl::forEach):
1686         (JSC::WeakMapImpl::shouldRehashAfterAdd const):
1687         (JSC::WeakMapImpl::shouldShrink const):
1688         (JSC::WeakMapImpl::canUseBucket):
1689         (JSC::WeakMapImpl::addInternal):
1690         (JSC::WeakMapImpl::findBucketAlreadyHashed):
1691         (JSC::WeakMapImpl::rehash):
1692         (JSC::WeakMapImpl::checkConsistency const):
1693         (JSC::WeakMapImpl::makeAndSetNewBuffer):
1694         (JSC::WeakMapImpl::assertBufferIsEmpty const):
1695         (JSC::WeakMapImpl::DeadKeyCleaner::target):
1696         * runtime/WeakMapPrototype.cpp:
1697         (JSC::WeakMapPrototype::finishCreation):
1698         (JSC::protoFuncWeakMapGet):
1699         (JSC::protoFuncWeakMapHas):
1700         * runtime/WeakSetConstructor.cpp:
1701         (JSC::constructWeakSet):
1702         * runtime/WeakSetPrototype.cpp:
1703         (JSC::WeakSetPrototype::finishCreation):
1704         (JSC::protoFuncWeakSetHas):
1705         (JSC::protoFuncWeakSetAdd):
1706
1707 2017-12-11  Filip Pizlo  <fpizlo@apple.com>
1708
1709         It should be possible to flag a cell for unconditional finalization
1710         https://bugs.webkit.org/show_bug.cgi?id=180636
1711
1712         Reviewed by Saam Barati.
1713         
1714         UnconditionalFinalizers were annoying - you had to allocate them and you had to manage a
1715         global linked list - but they had some nice properties:
1716         
1717         - You only did the hardest work (creating the UnconditionalFinalizer) on first GC where you
1718           survived and needed it.
1719             -> Just needing it wasn't enough.
1720             -> Just surviving wasn't enough.
1721         
1722         The new API based on IsoSubspaces meant that just surviving was enough to cause unconditional
1723         finalizer logic to be invoked. I think that's not great. InferredType got around this by
1724         making InferredStructure a cell, but this was a gross hack. For one, it meant that
1725         InferredStructure would survive during the GC in which its finalizer obviated the need for its
1726         existence. It's not really an idiom I want us to repeat because it sounds like the sort of
1727         thing that turns out to be subtly broken.
1728         
1729         We really need to have a way of indicating when you have entered into the state that requires
1730         your unconditional finalizer to be invoked. Basically, we want to be able to track the set of
1731         objects that need unconditional finalizers. Only the subset of that set that overlaps with the
1732         set of marked objects needs to be accurate. The easiest way to do this is a hierarchy of
1733         bitvectors: one to say which MarkedBlocks have objects that have unconditional finalizers, and
1734         another level to say which atoms within a MarkedBlock have unconditional finalizers.
1735         
1736         This change introduces IsoCellSet, which couples itself to the MarkedAllocator of some
1737         IsoSubspace to allow maintaining a set of objects (well, cells - you could do this with
1738         auxiliaries) that belong to that IsoSubspace. It'll have undefined behavior if you try to
1739         add/remove/contains an object that isn't in that IsoSubspace. For objects in that subspace,
1740         you can add/remove/contains and forEachMarkedCell. The cost of each IsoCellSet is at worst
1741         about 0.8% increase in size to every object in the subspace that the set is attached to. So,
1742         it makes sense to have a handful per subspace max. This change only needs one per subspace,
1743         but you could imagine more if we do this for WeakReferenceHarvester.
1744         
1745         To absolutely minimize the possibility that this incurs costs, the add/remove/contains
1746         functions can be used from any thread so long as forEachMarkedCell isn't running. This means
1747         that InferredType only needs to add itself to the set during visitChildren. Thus, it needs to
1748         both survive and need it for the hardest work to take place. The work of adding does involve
1749         a gnarly load chain that ends in a CAS: load block handle from block, load index, load
1750         segment, load bitvector, load bit -> if not set, then CAS. That's five dependent loads!
1751         However, it's perfect for running in parallel since the only write operations are to widely
1752         dispersed cache lines that contain the bits underlying the set.
1753         
1754         The best part is how forEachMarkedCell works. That skips blocks that don't have any objects
1755         that need unconditional finalizers, and only touches the memory of marked objects that have
1756         the unconditional finalizer bit set. It will walk those objects in roughly address order. I
1757         previously found that this speeds up walking over a lot of objects when I made similar changes
1758         for DOM GC (calling visitAdditionalChildren via forEachMarkedCell rather than by walking a
1759         HashSet).
1760         
1761         This change makes InferredStructure be a malloc object again, but now it's in an IsoHeap.
1762         
1763         My expectation for this change is that it's perf-neutral. Long-term, it gives us a path
1764         forward for eliminating UnconditionalFinalizer and WeakReferenceHarvester while using
1765         IsoSubspace in more places.
1766
1767         * JavaScriptCore.xcodeproj/project.pbxproj:
1768         * Sources.txt:
1769         * heap/AtomIndices.h: Added.
1770         (JSC::AtomIndices::AtomIndices):
1771         * heap/Heap.cpp:
1772         (JSC::Heap::finalizeUnconditionalFinalizers):
1773         * heap/Heap.h:
1774         * heap/IsoCellSet.cpp: Added.
1775         (JSC::IsoCellSet::IsoCellSet):
1776         (JSC::IsoCellSet::~IsoCellSet):
1777         (JSC::IsoCellSet::addSlow):
1778         (JSC::IsoCellSet::didResizeBits):
1779         (JSC::IsoCellSet::didRemoveBlock):
1780         (JSC::IsoCellSet::sweepToFreeList):
1781         * heap/IsoCellSet.h: Added.
1782         * heap/IsoCellSetInlines.h: Added.
1783         (JSC::IsoCellSet::add):
1784         (JSC::IsoCellSet::remove):
1785         (JSC::IsoCellSet::contains const):
1786         (JSC::IsoCellSet::forEachMarkedCell):
1787         * heap/IsoSubspace.cpp:
1788         (JSC::IsoSubspace::didResizeBits):
1789         (JSC::IsoSubspace::didRemoveBlock):
1790         (JSC::IsoSubspace::didBeginSweepingToFreeList):
1791         * heap/IsoSubspace.h:
1792         * heap/MarkedAllocator.cpp:
1793         (JSC::MarkedAllocator::addBlock):
1794         (JSC::MarkedAllocator::removeBlock):
1795         * heap/MarkedAllocator.h:
1796         * heap/MarkedAllocatorInlines.h:
1797         * heap/MarkedBlock.cpp:
1798         (JSC::MarkedBlock::Handle::sweep):
1799         (JSC::MarkedBlock::Handle::isEmpty): Deleted.
1800         * heap/MarkedBlock.h:
1801         (JSC::MarkedBlock::marks const):
1802         (JSC::MarkedBlock::Handle::newlyAllocated const):
1803         * heap/MarkedBlockInlines.h:
1804         (JSC::MarkedBlock::Handle::isAllocated):
1805         (JSC::MarkedBlock::Handle::isEmpty):
1806         (JSC::MarkedBlock::Handle::emptyMode):
1807         (JSC::MarkedBlock::Handle::forEachMarkedCell):
1808         * heap/Subspace.cpp:
1809         (JSC::Subspace::didResizeBits):
1810         (JSC::Subspace::didRemoveBlock):
1811         (JSC::Subspace::didBeginSweepingToFreeList):
1812         * heap/Subspace.h:
1813         * heap/SubspaceInlines.h:
1814         (JSC::Subspace::forEachMarkedCell):
1815         * runtime/InferredStructure.cpp:
1816         (JSC::InferredStructure::InferredStructure):
1817         (JSC::InferredStructure::create): Deleted.
1818         (JSC::InferredStructure::destroy): Deleted.
1819         (JSC::InferredStructure::createStructure): Deleted.
1820         (JSC::InferredStructure::visitChildren): Deleted.
1821         (JSC::InferredStructure::finalizeUnconditionally): Deleted.
1822         (JSC::InferredStructure::finishCreation): Deleted.
1823         * runtime/InferredStructure.h:
1824         * runtime/InferredStructureWatchpoint.cpp:
1825         (JSC::InferredStructureWatchpoint::fireInternal):
1826         * runtime/InferredType.cpp:
1827         (JSC::InferredType::visitChildren):
1828         (JSC::InferredType::willStoreValueSlow):
1829         (JSC::InferredType::makeTopSlow):
1830         (JSC::InferredType::set):
1831         (JSC::InferredType::removeStructure):
1832         (JSC::InferredType::finalizeUnconditionally):
1833         * runtime/InferredType.h:
1834         * runtime/VM.cpp:
1835         (JSC::VM::VM):
1836         * runtime/VM.h:
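
        The two-level bitvector scheme this entry describes, as an added example written for this page
        (it is not JSC's IsoCellSet; the names ToyCellSet, Block, kAtomsPerBlock, simulateFinalization
        and exerciseMembership are all assumed here): one bit per block says whether the block has any
        members, and a lazily allocated per-block bitvector says which atoms are members. Marks are
        modelled as a separate per-block bitvector, and forEachMarkedCell visits, in address order, only
        cells that are both marked and in the set, skipping blocks that have no members at all.

```cpp
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <memory>
#include <mutex>
#include <vector>

// Added example (not JSC's code). A "block" holds kAtomsPerBlock fixed-size cells.
constexpr size_t kAtomsPerBlock = 128;
constexpr size_t kWordsPerBlock = kAtomsPerBlock / 64;

struct Block {
    uint64_t marks[kWordsPerBlock] = {};   // set by the (simulated) marking phase
};

class ToyCellSet {
public:
    explicit ToyCellSet(size_t blockCount)
        : m_blockHasMembers(blockCount, 0), m_bits(blockCount) {}

    // add/remove/contains may run from any thread as long as forEachMarkedCell is not
    // running: per-atom words are atomics, and the per-block vector is allocated once.
    bool add(size_t block, size_t atom) {
        std::atomic<uint64_t>* words = m_bits[block].get();
        if (!words) words = addSlow(block);              // first member in this block
        uint64_t mask = uint64_t(1) << (atom % 64);
        std::atomic<uint64_t>& word = words[atom / 64];
        if (word.load(std::memory_order_relaxed) & mask) return false;   // cheap load first
        return !(word.fetch_or(mask, std::memory_order_relaxed) & mask); // then the RMW
    }

    bool remove(size_t block, size_t atom) {
        std::atomic<uint64_t>* words = m_bits[block].get();
        if (!words) return false;
        uint64_t mask = uint64_t(1) << (atom % 64);
        return words[atom / 64].fetch_and(~mask, std::memory_order_relaxed) & mask;
    }

    bool contains(size_t block, size_t atom) const {
        const std::atomic<uint64_t>* words = m_bits[block].get();
        if (!words) return false;
        return words[atom / 64].load(std::memory_order_relaxed) & (uint64_t(1) << (atom % 64));
    }

    // Visit only cells that are both marked and members, in address order, skipping
    // whole blocks whose top-level bit is clear.
    void forEachMarkedCell(const std::vector<Block>& blocks,
                           const std::function<void(size_t, size_t)>& visitor) const {
        for (size_t b = 0; b < blocks.size(); ++b) {
            if (!m_blockHasMembers[b]) continue;         // top level: skip empty blocks
            const std::atomic<uint64_t>* words = m_bits[b].get();
            for (size_t w = 0; w < kWordsPerBlock; ++w) {
                uint64_t live = blocks[b].marks[w] & words[w].load(std::memory_order_relaxed);
                while (live) {                           // second level: only set bits
                    size_t bit = size_t(__builtin_ctzll(live));
                    visitor(b, w * 64 + bit);
                    live &= live - 1;
                }
            }
        }
    }

private:
    std::atomic<uint64_t>* addSlow(size_t block) {
        std::lock_guard<std::mutex> lock(m_slowLock);
        if (!m_bits[block]) {
            m_bits[block].reset(new std::atomic<uint64_t>[kWordsPerBlock]());  // zeroed
            m_blockHasMembers[block] = 1;
        }
        return m_bits[block].get();
    }

    std::vector<uint8_t> m_blockHasMembers;                          // one flag per block
    std::vector<std::unique_ptr<std::atomic<uint64_t>[]>> m_bits;    // per-block atom bits
    std::mutex m_slowLock;
};

// Constructed scenario: block 0 has members at atoms 3 and 70, block 2 at atom 5; only
// atom 70 of block 0 and atom 5 of block 2 are marked, and block 1 has a marked cell
// that was never added. Returns visited cells encoded as block * kAtomsPerBlock + atom.
std::vector<size_t> simulateFinalization() {
    std::vector<Block> blocks(3);
    ToyCellSet set(blocks.size());
    set.add(0, 3);
    set.add(0, 70);
    set.add(2, 5);
    blocks[0].marks[1] |= uint64_t(1) << (70 - 64);
    blocks[2].marks[0] |= uint64_t(1) << 5;
    blocks[1].marks[0] |= uint64_t(1) << 9;
    std::vector<size_t> visited;
    set.forEachMarkedCell(blocks, [&](size_t b, size_t a) { visited.push_back(b * kAtomsPerBlock + a); });
    return visited;
}

// Exercises add/contains/remove on one block; true when every step behaves as expected.
bool exerciseMembership() {
    ToyCellSet set(1);
    return set.add(0, 7) && !set.add(0, 7) && set.contains(0, 7) && !set.contains(0, 8)
        && set.remove(0, 7) && !set.contains(0, 7) && !set.remove(0, 7);
}
```

        The per-block membership flag is only ever set, never cleared, so a block that once had members is
        still scanned later; that matches the "only the subset overlapping marked objects needs to be
        accurate" relaxation the entry describes, and keeps add cheap.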
1837
1838 2017-12-12  Saam Barati  <sbarati@apple.com>
1839
1840         ConstantFoldingPhase rule for GetMyArgumentByVal must check for negative indices
1841         https://bugs.webkit.org/show_bug.cgi?id=180723
1842         <rdar://problem/35859726>
1843
1844         Reviewed by JF Bastien.
1845
1846         * dfg/DFGConstantFoldingPhase.cpp:
1847         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1848
1849 2017-12-04  Brian Burg  <bburg@apple.com>
1850
1851         Web Inspector: modernize InjectedScript a bit
1852         https://bugs.webkit.org/show_bug.cgi?id=180367
1853
1854         Reviewed by Timothy Hatcher.
1855
1856         Stop using out parameters passed by pointer, use references instead.
1857         Stop using OptOutput<T> in favor of std::optional where possible.
1858         If there is only one out-parameter and a void return type, then return the value.
1859
1860         * inspector/InjectedScript.h:
1861         * inspector/InjectedScript.cpp:
1862         (Inspector::InjectedScript::evaluate):
1863         (Inspector::InjectedScript::callFunctionOn):
1864         (Inspector::InjectedScript::evaluateOnCallFrame):
1865         (Inspector::InjectedScript::getFunctionDetails):
1866         (Inspector::InjectedScript::functionDetails):
1867         (Inspector::InjectedScript::getPreview):
1868         (Inspector::InjectedScript::getProperties):
1869         (Inspector::InjectedScript::getDisplayableProperties):
1870         (Inspector::InjectedScript::getInternalProperties):
1871         (Inspector::InjectedScript::getCollectionEntries):
1872         (Inspector::InjectedScript::saveResult):
1873         (Inspector::InjectedScript::setExceptionValue):
1874         (Inspector::InjectedScript::clearExceptionValue):
1875         (Inspector::InjectedScript::inspectObject):
1876         (Inspector::InjectedScript::releaseObject):
1877
1878         * inspector/InjectedScriptBase.h:
1879         * inspector/InjectedScriptBase.cpp:
1880         (Inspector::InjectedScriptBase::InjectedScriptBase):
1881         Declare m_environment with a default initializer.
1882
1883         (Inspector::InjectedScriptBase::makeCall):
1884         (Inspector::InjectedScriptBase::makeEvalCall):
1885         Just return the result, no need for an out-parameter.
1886         Rearrange some code paths now that we can just return a result.
1887         Return a Ref<JSON::Value> since it is either a result value or error value.
1888         Use out_ prefixes in a few places to improve readability.
1889
1890         * inspector/agents/InspectorDebuggerAgent.cpp:
1891         (Inspector::InspectorDebuggerAgent::getFunctionDetails):
1892         (Inspector::InspectorDebuggerAgent::evaluateOnCallFrame):
1893         * inspector/agents/InspectorHeapAgent.cpp:
1894         (Inspector::InspectorHeapAgent::getPreview):
1895         * inspector/agents/InspectorRuntimeAgent.cpp:
1896         (Inspector::InspectorRuntimeAgent::evaluate):
1897         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1898         (Inspector::InspectorRuntimeAgent::getPreview):
1899         (Inspector::InspectorRuntimeAgent::getProperties):
1900         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
1901         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
1902         (Inspector::InspectorRuntimeAgent::saveResult):
1903         Adapt to InjectedScript changes. In some cases we need to bridge OptOutput<T>
1904         and std::optional until the former is removed from generated method signatures.
1905
1906 2017-12-12  Caio Lima  <ticaiolima@gmail.com>
1907
1908         [ESNext][BigInt] Implement BigInt literals and JSBigInt
1909         https://bugs.webkit.org/show_bug.cgi?id=179000
1910
1911         Reviewed by Darin Adler and Yusuke Suzuki.
1912
1913         This patch starts the implementation of the BigInt primitive in
1914         JavaScriptCore. We are introducing the BigInt primitive and
1915         implementing it in JSBigInt as a subclass of JSCell with the [[BigIntData]]
1916         field implemented contiguously in memory as inline storage of JSBigInt to
1917         take advantage of the performance gains from cache locality. The
1918         implementation allows 64- or 32-bit arithmetic operations.
1919         JSBigInt also has m_sign to store the sign of [[BigIntData]] and
1920         m_length that keeps track of the BigInt length.
1921         The implementation follows the V8 one. [[BigIntData]] is manipulated
1922         by JSBigInt::setDigit(index, value) and JSBigInt::digit(index) operations.
1923         We also have some operations to support arithmetic over digits.
1924
1925         It is important to notice that in our representation,
1926         JSBigInt::dataStorage()[0] represents the least significant digit and
1927         JSBigInt::dataStorage()[m_length - 1] represents the most significant digit.
1928
1929         We are also introducing in this patch the BigInt literals lexer and
1930         syntax parsing support. The Strict Equals operation on BigInts is also being
1931         implemented to enable tests.
1932         These features are being implemented behind a runtime flag "--useBigInt" and
1933         are disabled by default.
1934
1935         * JavaScriptCore.xcodeproj/project.pbxproj:
1936         * Sources.txt:
1937         * bytecode/CodeBlock.cpp:
1938         * bytecompiler/BytecodeGenerator.cpp:
1939         (JSC::BytecodeGenerator::emitEqualityOp):
1940         (JSC::BytecodeGenerator::addBigIntConstant):
1941         * bytecompiler/BytecodeGenerator.h:
1942         (JSC::BytecodeGenerator::BigIntEntryHash::hash):
1943         (JSC::BytecodeGenerator::BigIntEntryHash::equal):
1944         * bytecompiler/NodesCodegen.cpp:
1945         (JSC::BigIntNode::jsValue const):
1946         * dfg/DFGAbstractInterpreterInlines.h:
1947         (JSC::DFG::isToThisAnIdentity):
1948         * interpreter/Interpreter.cpp:
1949         (JSC::sizeOfVarargs):
1950         * llint/LLIntData.cpp:
1951         (JSC::LLInt::Data::performAssertions):
1952         * llint/LowLevelInterpreter.asm:
1953         * parser/ASTBuilder.h:
1954         (JSC::ASTBuilder::createBigInt):
1955         * parser/Lexer.cpp:
1956         (JSC::Lexer<T>::parseBinary):
1957         (JSC::Lexer<T>::parseOctal):
1958         (JSC::Lexer<T>::parseDecimal):
1959         (JSC::Lexer<T>::lex):
1960         (JSC::Lexer<T>::parseHex): Deleted.
1961         * parser/Lexer.h:
1962         * parser/NodeConstructors.h:
1963         (JSC::BigIntNode::BigIntNode):
1964         * parser/Nodes.h:
1965         (JSC::ExpressionNode::isBigInt const):
1966         (JSC::BigIntNode::value):
1967         * parser/Parser.cpp:
1968         (JSC::Parser<LexerType>::parsePrimaryExpression):
1969         * parser/ParserTokens.h:
1970         * parser/ResultType.h:
1971         (JSC::ResultType::definitelyIsBigInt const):
1972         (JSC::ResultType::mightBeBigInt const):
1973         (JSC::ResultType::isNotBigInt const):
1974         (JSC::ResultType::addResultType):
1975         (JSC::ResultType::bigIntType):
1976         (JSC::ResultType::forAdd):
1977         (JSC::ResultType::forLogicalOp):
1978         * parser/SyntaxChecker.h:
1979         (JSC::SyntaxChecker::createBigInt):
1980         * runtime/CommonIdentifiers.h:
1981         * runtime/JSBigInt.cpp: Added.
1982         (JSC::JSBigInt::visitChildren):
1983         (JSC::JSBigInt::JSBigInt):
1984         (JSC::JSBigInt::initialize):
1985         (JSC::JSBigInt::createStructure):
1986         (JSC::JSBigInt::createZero):
1987         (JSC::JSBigInt::allocationSize):
1988         (JSC::JSBigInt::createWithLength):
1989         (JSC::JSBigInt::finishCreation):
1990         (JSC::JSBigInt::toPrimitive const):
1991         (JSC::JSBigInt::singleDigitValueForString):
1992         (JSC::JSBigInt::parseInt):
1993         (JSC::JSBigInt::toString):
1994         (JSC::JSBigInt::isZero):
1995         (JSC::JSBigInt::inplaceMultiplyAdd):
1996         (JSC::JSBigInt::digitAdd):
1997         (JSC::JSBigInt::digitSub):
1998         (JSC::JSBigInt::digitMul):
1999         (JSC::JSBigInt::digitPow):
2000         (JSC::JSBigInt::digitDiv):
2001         (JSC::JSBigInt::internalMultiplyAdd):
2002         (JSC::JSBigInt::equalToBigInt):
2003         (JSC::JSBigInt::absoluteDivSmall):
2004         (JSC::JSBigInt::calculateMaximumCharactersRequired):
2005         (JSC::JSBigInt::toStringGeneric):
2006         (JSC::JSBigInt::rightTrim):
2007         (JSC::JSBigInt::allocateFor):
2008         (JSC::JSBigInt::estimatedSize):
2009         (JSC::JSBigInt::toNumber const):
2010         (JSC::JSBigInt::getPrimitiveNumber const):
2011         * runtime/JSBigInt.h: Added.
2012         (JSC::JSBigInt::setSign):
2013         (JSC::JSBigInt::sign const):
2014         (JSC::JSBigInt::setLength):
2015         (JSC::JSBigInt::length const):
2016         (JSC::JSBigInt::parseInt):
2017         (JSC::JSBigInt::offsetOfData):
2018         (JSC::JSBigInt::dataStorage):
2019         (JSC::JSBigInt::digit):
2020         (JSC::JSBigInt::setDigit):
2021         (JSC::asBigInt):
2022         * runtime/JSCJSValue.cpp:
2023         (JSC::JSValue::synthesizePrototype const):
2024         (JSC::JSValue::toStringSlowCase const):
2025         * runtime/JSCJSValue.h:
2026         * runtime/JSCJSValueInlines.h:
2027         (JSC::JSValue::isBigInt const):
2028         (JSC::JSValue::strictEqualSlowCaseInline):
2029         * runtime/JSCell.cpp:
2030         (JSC::JSCell::put):
2031         (JSC::JSCell::putByIndex):
2032         (JSC::JSCell::toPrimitive const):
2033         (JSC::JSCell::getPrimitiveNumber const):
2034         (JSC::JSCell::toNumber const):
2035         (JSC::JSCell::toObjectSlow const):
2036         * runtime/JSCell.h:
2037         * runtime/JSCellInlines.h:
2038         (JSC::JSCell::isBigInt const):
2039         * runtime/JSType.h:
2040         * runtime/MathCommon.h:
2041         (JSC::clz64):
2042         * runtime/NumberPrototype.cpp:
2043         * runtime/Operations.cpp:
2044         (JSC::jsTypeStringForValue):
2045         (JSC::jsIsObjectTypeOrNull):
2046         * runtime/Options.h:
2047         * runtime/ParseInt.h:
2048         * runtime/SmallStrings.h:
2049         (JSC::SmallStrings::typeString const):
2050         * runtime/StructureInlines.h:
2051         (JSC::prototypeForLookupPrimitiveImpl):
2052         * runtime/TypeofType.cpp:
2053         (WTF::printInternal):
2054         * runtime/TypeofType.h:
2055         * runtime/VM.cpp:
2056         (JSC::VM::VM):
2057         * runtime/VM.h:
2058
2059 2017-12-12  Guillaume Emont  <guijemont@igalia.com>
2060
2061         LLInt: reserve 16 bytes of stack on MIPS for native calls
2062         https://bugs.webkit.org/show_bug.cgi?id=180653
2063
2064         Reviewed by Carlos Alberto Lopez Perez.
2065
2066         * llint/LowLevelInterpreter32_64.asm:
2067         On MIPS, subtract 24 from the stack pointer (16 for calling
2068         convention + 8 to be 16-aligned) instead of the 8 on other platforms
2069         (for alignment).
2070
2071 2017-12-12  Yusuke Suzuki  <utatane.tea@gmail.com>
2072
2073         [WTF] Thread::create should have Thread::tryCreate
2074         https://bugs.webkit.org/show_bug.cgi?id=180333
2075
2076         Reviewed by Darin Adler.
2077
2078         * assembler/testmasm.cpp:
2079         (JSC::run):
2080         * b3/air/testair.cpp:
2081         * b3/testb3.cpp:
2082         (JSC::B3::run):
2083         * jsc.cpp:
2084         (functionDollarAgentStart):
2085
2086 2017-12-11  Michael Saboff  <msaboff@apple.com>
2087
2088         REGRESSION(r225683): Chakra test failure in es6/regex-unicode.js for 32bit builds
2089         https://bugs.webkit.org/show_bug.cgi?id=180685
2090
2091         Reviewed by Saam Barati.
2092
2093         The characterClass->m_anyCharacter check at the top of checkCharacterClass() caused
2094         the character class check to return true without reading the character.  Given that
2095         the character could be a surrogate pair, we need to read the character even if we
2096         don't have to check it.
2097
2098         * yarr/YarrInterpreter.cpp:
2099         (JSC::Yarr::Interpreter::testCharacterClass):
2100         (JSC::Yarr::Interpreter::checkCharacterClass):
2101
2102 2017-12-11  Saam Barati  <sbarati@apple.com>
2103
2104         We need to disableCaching() in ErrorInstance when we materialize properties
2105         https://bugs.webkit.org/show_bug.cgi?id=180343
2106         <rdar://problem/35833002>
2107
2108         Reviewed by Mark Lam.
2109
2110         This patch fixes a bug in ErrorInstance where we forgot to call PutPropertySlot::disableCaching
2111         on puts() to a property that we lazily materialized. Forgetting to do this goes against the
2112         PutPropertySlot's caching API. This lazy materialization caused the ErrorInstance to transition
2113         from a Structure A to a Structure B. However, we were telling the IC that we were caching an
2114         existing property only found on Structure B. This is obviously wrong as it would lead to an
2115         OOB store if we didn't already crash when generating the IC.
2116
2117         * jit/Repatch.cpp:
2118         (JSC::tryCachePutByID):
2119         * runtime/ErrorInstance.cpp:
2120         (JSC::ErrorInstance::materializeErrorInfoIfNeeded):
2121         (JSC::ErrorInstance::put):
2122         * runtime/ErrorInstance.h:
2123         * runtime/Structure.cpp:
2124         (JSC::Structure::didCachePropertyReplacement):
2125
2126 2017-12-11  Fujii Hironori  <Hironori.Fujii@sony.com>
2127
2128         [WinCairo] DLLLauncherMain should use SetDllDirectory
2129         https://bugs.webkit.org/show_bug.cgi?id=180642
2130
2131         Reviewed by Alex Christensen.
2132
2133         Windows has icuuc.dll in the system directory. WebKit should find
2134         one in WebKitLibraries directory, not one in the system directory.
2135
2136         * shell/DLLLauncherMain.cpp:
2137         (modifyPath): Use SetDllDirectory for WebKitLibraries directory instead of modifying path.
2138
2139 2017-12-11  Eric Carlson  <eric.carlson@apple.com>
2140
2141         Web Inspector: Optionally log WebKit log parameters as JSON
2142         https://bugs.webkit.org/show_bug.cgi?id=180529
2143         <rdar://problem/35909462>
2144
2145         Reviewed by Joseph Pecoraro.
2146
2147         * inspector/ConsoleMessage.cpp:
2148         (Inspector::ConsoleMessage::ConsoleMessage): New constructor that takes a vector of JSON log
2149         values. Concatenate all adjacent strings to make logging cleaner.
2150         (Inspector::ConsoleMessage::addToFrontend): Process WebKit logging arguments.
2151         (Inspector::ConsoleMessage::scriptState const):
2152         * inspector/ConsoleMessage.h:
2153
2154         * inspector/InjectedScript.cpp:
2155         (Inspector::InjectedScript::wrapJSONString const): Wrap JSON string log arguments.
2156         * inspector/InjectedScript.h:
2157         * inspector/InjectedScriptSource.js:
2158         (let.InjectedScript.prototype.wrapJSONString):
2159
2160 2017-12-11  Joseph Pecoraro  <pecoraro@apple.com>
2161
2162         Remove unused builtin names
2163         https://bugs.webkit.org/show_bug.cgi?id=180673
2164
2165         Reviewed by Keith Miller.
2166
2167         * builtins/BuiltinNames.h:
2168
2169 2017-12-11  David Quesada  <david_quesada@apple.com>
2170
2171         Turn on ENABLE_APPLICATION_MANIFEST
2172         https://bugs.webkit.org/show_bug.cgi?id=180562
2173         rdar://problem/35924737
2174
2175         Reviewed by Geoffrey Garen.
2176
2177         * Configurations/FeatureDefines.xcconfig:
2178
2179 2017-12-10  Filip Pizlo  <fpizlo@apple.com>
2180
2181         Harden a few assertions in GC sweep
2182         https://bugs.webkit.org/show_bug.cgi?id=180634
2183
2184         Reviewed by Saam Barati.
2185         
2186         This turns one dynamic check into a release assertion and upgrades another assertion to a release
2187         assertion.
2188
2189         * heap/MarkedBlock.cpp:
2190         (JSC::MarkedBlock::Handle::sweep):
2191
2192 2017-12-10  Konstantin Tokarev  <annulen@yandex.ru>
2193
2194         [python] Modernize "except" usage for python3 compatibility
2195         https://bugs.webkit.org/show_bug.cgi?id=180612
2196
2197         Reviewed by Michael Catanzaro.
2198
2199         * inspector/scripts/generate-inspector-protocol-bindings.py:
2200
2201 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2202
2203         InferredType should not use UnconditionalFinalizer
2204         https://bugs.webkit.org/show_bug.cgi?id=180456
2205
2206         Reviewed by Saam Barati.
2207         
2208         This turns InferredStructure into a cell so that we can unconditionally finalize them without
2209         having to add things to the UnconditionalFinalizer list. I'm removing all uses of
2210         UnconditionalFinalizers and WeakReferenceHarvesters because the data structures used to manage
2211         them are a top cause of lock contention in the parallel GC. Also, we don't need those data
2212         structures if we use IsoSubspaces, subspace iteration, and marking constraints.
2213
2214         * JavaScriptCore.xcodeproj/project.pbxproj:
2215         * Sources.txt:
2216         * heap/Heap.cpp:
2217         (JSC::Heap::finalizeUnconditionalFinalizers):
2218         * heap/Heap.h:
2219         * runtime/InferredStructure.cpp: Added.
2220         (JSC::InferredStructure::create):
2221         (JSC::InferredStructure::destroy):
2222         (JSC::InferredStructure::createStructure):
2223         (JSC::InferredStructure::visitChildren):
2224         (JSC::InferredStructure::finalizeUnconditionally):
2225         (JSC::InferredStructure::InferredStructure):
2226         (JSC::InferredStructure::finishCreation):
2227         * runtime/InferredStructure.h: Added.
2228         * runtime/InferredStructureWatchpoint.cpp: Added.
2229         (JSC::InferredStructureWatchpoint::fireInternal):
2230         * runtime/InferredStructureWatchpoint.h: Added.
2231         * runtime/InferredType.cpp:
2232         (JSC::InferredType::visitChildren):
2233         (JSC::InferredType::willStoreValueSlow):
2234         (JSC::InferredType::makeTopSlow):
2235         (JSC::InferredType::set):
2236         (JSC::InferredType::removeStructure):
2237         (JSC::InferredType::InferredStructureWatchpoint::fireInternal): Deleted.
2238         (JSC::InferredType::InferredStructureFinalizer::finalizeUnconditionally): Deleted.
2239         (JSC::InferredType::InferredStructure::InferredStructure): Deleted.
2240         * runtime/InferredType.h:
2241         * runtime/VM.cpp:
2242         (JSC::VM::VM):
2243         * runtime/VM.h:
2244
2245 2017-12-09  Konstantin Tokarev  <annulen@yandex.ru>
2246
2247         [python] Replace print >> operator with print() function for python3 compatibility
2248         https://bugs.webkit.org/show_bug.cgi?id=180611
2249
2250         Reviewed by Michael Catanzaro.
2251
2252         * Scripts/make-js-file-arrays.py:
2253         (main):
2254
2255 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2256
2257         ServiceWorker Inspector: Various issues inspecting service worker on mobile.twitter.com
2258         https://bugs.webkit.org/show_bug.cgi?id=180520
2259         <rdar://problem/35900764>
2260
2261         Reviewed by Brian Burg.
2262
2263         * inspector/protocol/ServiceWorker.json:
2264         Include content script content in the initialization info.
2265
2266 2017-12-08  Konstantin Tokarev  <annulen@yandex.ru>
2267
2268         [python] Replace print operator with print() function for python3 compatibility
2269         https://bugs.webkit.org/show_bug.cgi?id=180592
2270
2271         Reviewed by Michael Catanzaro.
2272
2273         * Scripts/generateYarrUnicodePropertyTables.py:
2274         (openOrExit):
2275         (verifyUCDFilesExist):
2276         (Aliases.parsePropertyAliasesFile):
2277         (Aliases.parsePropertyValueAliasesFile):
2278         * Scripts/make-js-file-arrays.py:
2279         (main):
2280         * generate-bytecode-files:
2281
2282 2017-12-08  Mark Lam  <mark.lam@apple.com>
2283
2284         Need to unpoison native function pointers for CLoop.
2285         https://bugs.webkit.org/show_bug.cgi?id=180601
2286         <rdar://problem/35942028>
2287
2288         Reviewed by JF Bastien.
2289
2290         * llint/LowLevelInterpreter64.asm:
2291
2292 2017-12-08  Michael Saboff  <msaboff@apple.com>
2293
2294         YARR: JIT RegExps with greedy parenthesized sub patterns
2295         https://bugs.webkit.org/show_bug.cgi?id=180538
2296
2297         Reviewed by JF Bastien.
2298
2299         This patch adds JIT support for regular expressions containing greedy counted
2300         parentheses.  An example expression that couldn't be JIT'ed before is /q(a|b)*q/.
2301
2302         Just like in the interpreter, expressions with nested parenthetical subpatterns
2303         require saving the results of previous matches of the parentheses contents along
2304         with any associated state.  This saved state is needed in the case that we need
2305         to backtrack.  This state is called ParenContext within the code.  Space allocated
2306         for this ParenContext is managed using a simple block allocator within the JIT'ed
2307         code.  The raw space managed by this allocator is passed into the JIT'ed function.
2308
2309         Since this fixed sized space may be exceeded, this patch adds a fallback mechanism.
2310         If the JIT'ed code exhausts all its ParenContext space, it returns a new error
2311         JSRegExpJITCodeFailure.  The caller will then bytecompile and interpret the
2312         expression.
2313
2314         Due to increased register usage by the parenthesis handling code, the use of
2315         registers by the JIT engine was restructured, with registers used for Unicode
2316         pattern matching replaced with constants.
2317
2318         Reworked some of the context structures that are used across the interpreter
2319         and JIT implementations to make them a little more uniform and to handle the
2320         needs of JIT'ing the new parentheses forms.
2321
2322         To help with development and debugging of this code, compiled patterns dumping
2323         code was enhanced.  Also added the ability to dump interpreter ByteCodes.
2324
2325         * runtime/RegExp.cpp:
2326         (JSC::byteCodeCompilePattern):
2327         (JSC::RegExp::byteCodeCompileIfNecessary):
2328         (JSC::RegExp::compile):
2329         (JSC::RegExp::compileMatchOnly):
2330         * runtime/RegExp.h:
2331         * runtime/RegExpInlines.h:
2332         (JSC::RegExp::matchInline):
2333         * testRegExp.cpp:
2334         (parseRegExpLine):
2335         (runFromFiles):
2336         * yarr/Yarr.h:
2337         * yarr/YarrInterpreter.cpp:
2338         (JSC::Yarr::ByteCompiler::compile):
2339         (JSC::Yarr::ByteCompiler::dumpDisjunction):
2340         * yarr/YarrJIT.cpp:
2341         (JSC::Yarr::YarrGenerator::ParenContextSizes::ParenContextSizes):
2342         (JSC::Yarr::YarrGenerator::ParenContextSizes::numSubpatterns):
2343         (JSC::Yarr::YarrGenerator::ParenContextSizes::frameSlots):
2344         (JSC::Yarr::YarrGenerator::ParenContext::sizeFor):
2345         (JSC::Yarr::YarrGenerator::ParenContext::nextOffset):
2346         (JSC::Yarr::YarrGenerator::ParenContext::beginOffset):
2347         (JSC::Yarr::YarrGenerator::ParenContext::matchAmountOffset):
2348         (JSC::Yarr::YarrGenerator::ParenContext::subpatternOffset):
2349         (JSC::Yarr::YarrGenerator::ParenContext::savedFrameOffset):
2350         (JSC::Yarr::YarrGenerator::initParenContextFreeList):
2351         (JSC::Yarr::YarrGenerator::allocatePatternContext):
2352         (JSC::Yarr::YarrGenerator::freePatternContext):
2353         (JSC::Yarr::YarrGenerator::savePatternContext):
2354         (JSC::Yarr::YarrGenerator::restorePatternContext):
2355         (JSC::Yarr::YarrGenerator::tryReadUnicodeCharImpl):
2356         (JSC::Yarr::YarrGenerator::storeToFrame):
2357         (JSC::Yarr::YarrGenerator::generateJITFailReturn):
2358         (JSC::Yarr::YarrGenerator::clearMatches):
2359         (JSC::Yarr::YarrGenerator::generate):
2360         (JSC::Yarr::YarrGenerator::backtrack):
2361         (JSC::Yarr::YarrGenerator::opCompileParenthesesSubpattern):
2362         (JSC::Yarr::YarrGenerator::generateEnter):
2363         (JSC::Yarr::YarrGenerator::generateReturn):
2364         (JSC::Yarr::YarrGenerator::YarrGenerator):
2365         (JSC::Yarr::YarrGenerator::compile):
2366         * yarr/YarrJIT.h:
2367         (JSC::Yarr::YarrCodeBlock::execute):
2368         * yarr/YarrPattern.cpp:
2369         (JSC::Yarr::indentForNestingLevel):
2370         (JSC::Yarr::dumpUChar32):
2371         (JSC::Yarr::dumpCharacterClass):
2372         (JSC::Yarr::PatternTerm::dump):
2373         (JSC::Yarr::YarrPattern::dumpPattern):
2374         * yarr/YarrPattern.h:
2375         (JSC::Yarr::PatternTerm::containsAnyCaptures):
2376         (JSC::Yarr::BackTrackInfoParenthesesOnce::returnAddressIndex):
2377         (JSC::Yarr::BackTrackInfoParentheses::beginIndex):
2378         (JSC::Yarr::BackTrackInfoParentheses::returnAddressIndex):
2379         (JSC::Yarr::BackTrackInfoParentheses::matchAmountIndex):
2380         (JSC::Yarr::BackTrackInfoParentheses::patternContextHeadIndex):
2381         (JSC::Yarr::BackTrackInfoAlternative::offsetIndex): Deleted.
2382
2383 2017-12-08  Joseph Pecoraro  <pecoraro@apple.com>
2384
2385         Web Inspector: CRASH at InspectorConsoleAgent::enable when iterating mutable list of buffered console messages
2386         https://bugs.webkit.org/show_bug.cgi?id=180590
2387         <rdar://problem/35882767>
2388
2389         Reviewed by Mark Lam.
2390
2391         * inspector/agents/InspectorConsoleAgent.cpp:
2392         (Inspector::InspectorConsoleAgent::enable):
2393         Swap the messages to a Vector that won't change during iteration.
2394
2395 2017-12-08  Michael Saboff  <msaboff@apple.com>
2396
2397         YARR: Coalesce constructed character classes
2398         https://bugs.webkit.org/show_bug.cgi?id=180537
2399
2400         Reviewed by JF Bastien.
2401
2402         When adding characters or character ranges to a character class being constructed,
2403         we now coalesce adjacent characters and character ranges.  When we create a
2404         character class after construction is complete, we do a final coalescing pass
2405         across the character list and ranges to catch any remaining coalescing
2406         opportunities.
2407
2408         Added an optimization for character classes that will match any character.
2409         This is somewhat common in code created before the /s (dotAll) flag was added
2410         to the engine.
2411
2412         * yarr/YarrInterpreter.cpp:
2413         (JSC::Yarr::Interpreter::checkCharacterClass):
2414         * yarr/YarrJIT.cpp:
2415         (JSC::Yarr::YarrGenerator::generateCharacterClassOnce):
2416         (JSC::Yarr::YarrGenerator::generateCharacterClassFixed):
2417         (JSC::Yarr::YarrGenerator::generateCharacterClassGreedy):
2418         (JSC::Yarr::YarrGenerator::backtrackCharacterClassNonGreedy):
2419         * yarr/YarrPattern.cpp:
2420         (JSC::Yarr::CharacterClassConstructor::CharacterClassConstructor):
2421         (JSC::Yarr::CharacterClassConstructor::reset):
2422         (JSC::Yarr::CharacterClassConstructor::charClass):
2423         (JSC::Yarr::CharacterClassConstructor::addSorted):
2424         (JSC::Yarr::CharacterClassConstructor::addSortedRange):
2425         (JSC::Yarr::CharacterClassConstructor::mergeRangesFrom):
2426         (JSC::Yarr::CharacterClassConstructor::coalesceTables):
2427         (JSC::Yarr::CharacterClassConstructor::anyCharacter):
2428         (JSC::Yarr::YarrPatternConstructor::atomCharacterClassEnd):
2429         (JSC::Yarr::PatternTerm::dump):
2430         (JSC::Yarr::anycharCreate):
2431         * yarr/YarrPattern.h:
2432         (JSC::Yarr::CharacterClass::CharacterClass):
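
An added illustration of the coalescing idea in the entry above; this is example code, not JavaScriptCore's CharacterClassConstructor. Characters and ranges are inserted in sorted order, anything adjacent or overlapping is merged on the spot, and a final check detects a class that covers every code point. The class name, its API, and keeping a single merged range list (JSC keeps separate character and range tables) are assumptions of this example.

```cpp
// Added example, not JavaScriptCore code: a character-class builder that
// coalesces adjacent and overlapping members as they are added, plus the
// "matches any character" detection described above. Names are assumed.
#include <algorithm>
#include <cstdint>
#include <utility>
#include <vector>

struct CharRange {
    uint32_t begin;
    uint32_t end; // inclusive
};

class CharacterClassBuilder {
public:
    static constexpr uint32_t maxCodePoint = 0x10FFFF; // last Unicode code point

    void addChar(uint32_t c) { addRange(c, c); }

    // Insert [begin, end] keeping m_ranges sorted and disjoint. Every stored
    // range that overlaps or directly touches the new one is folded into it,
    // so 'a', 'b', 'c' collapse to a single a-c range, and a later 'd' glues
    // a-c and e-g together into a-g.
    void addRange(uint32_t begin, uint32_t end)
    {
        if (begin > end)
            std::swap(begin, end);
        if (end > maxCodePoint)
            end = maxCodePoint;

        // First stored range that could touch the new one: its end + 1 >= begin.
        // The list is sorted and disjoint, so it is partitioned for lower_bound.
        auto first = std::lower_bound(m_ranges.begin(), m_ranges.end(), begin,
            [](const CharRange& r, uint32_t b) { return r.end + 1 < b; });

        CharRange merged { begin, end };
        auto last = first;
        while (last != m_ranges.end() && last->begin <= merged.end + 1) {
            merged.begin = std::min(merged.begin, last->begin);
            merged.end = std::max(merged.end, last->end);
            ++last;
        }
        auto pos = m_ranges.erase(first, last);
        m_ranges.insert(pos, merged);
    }

    // The optimisation from the entry: a class whose ranges cover every code
    // point needs no table lookup at all.
    bool matchesAnyCharacter() const
    {
        return m_ranges.size() == 1 && m_ranges[0].begin == 0 && m_ranges[0].end == maxCodePoint;
    }

    // Membership test by binary search over the coalesced ranges.
    bool contains(uint32_t c) const
    {
        if (matchesAnyCharacter())
            return true;
        auto it = std::lower_bound(m_ranges.begin(), m_ranges.end(), c,
            [](const CharRange& r, uint32_t ch) { return r.end < ch; });
        return it != m_ranges.end() && it->begin <= c;
    }

    const std::vector<CharRange>& ranges() const { return m_ranges; }

private:
    std::vector<CharRange> m_ranges;
};

// Build a class from input in any order and return the coalesced, sorted ranges.
inline std::vector<CharRange> coalesceRanges(const std::vector<CharRange>& input)
{
    CharacterClassBuilder builder;
    for (const CharRange& r : input)
        builder.addRange(r.begin, r.end);
    return builder.ranges();
}

// True when the input, once coalesced, is the single range 0..0x10FFFF.
inline bool coversAllCodePoints(const std::vector<CharRange>& input)
{
    CharacterClassBuilder builder;
    for (const CharRange& r : input)
        builder.addRange(r.begin, r.end);
    return builder.matchesAnyCharacter();
}
```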
2433
2434 2017-12-07  Saam Barati  <sbarati@apple.com>
2435
2436         Modify our dollar VM clflush intrinsic to aid in some perf testing
2437         https://bugs.webkit.org/show_bug.cgi?id=180559
2438
2439         Reviewed by Mark Lam.
2440
2441         * tools/JSDollarVM.cpp:
2442         (JSC::functionCpuClflush):
2443         (JSC::functionDeltaBetweenButterflies):
2444         (JSC::JSDollarVM::finishCreation):
2445
2446 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2447
2448         Simplify log channel configuration UI
2449         https://bugs.webkit.org/show_bug.cgi?id=180527
2450         <rdar://problem/35908382>
2451
2452         Reviewed by Joseph Pecoraro.
2453
2454         * inspector/protocol/Console.json:
2455
2456 2017-12-07  Mark Lam  <mark.lam@apple.com>
2457
2458         Apply poisoning to some native code pointers.
2459         https://bugs.webkit.org/show_bug.cgi?id=180541
2460         <rdar://problem/35916875>
2461
2462         Reviewed by Filip Pizlo.
2463
2464         Renamed g_classInfoPoison to g_globalDataPoison.
2465         Renamed g_masmPoison to g_jitCodePoison.
2466         Introduced g_nativeCodePoison.
2467         Applied g_nativeCodePoison to poisoning some native code pointers.
2468
2469         Introduced non-random Int32 poison values (in JSCPoison.h) for use with pointers
2470         to malloc allocated data structures (where needed).
2471
2472         * API/JSCallbackFunction.h:
2473         (JSC::JSCallbackFunction::functionCallback):
2474         * JavaScriptCore.xcodeproj/project.pbxproj:
2475         * jit/ThunkGenerators.cpp:
2476         (JSC::nativeForGenerator):
2477         * llint/LowLevelInterpreter64.asm:
2478         * runtime/CustomGetterSetter.h:
2479         (JSC::CustomGetterSetter::getter const):
2480         (JSC::CustomGetterSetter::setter const):
2481         * runtime/InternalFunction.cpp:
2482         (JSC::InternalFunction::getCallData):
2483         (JSC::InternalFunction::getConstructData):
2484         * runtime/InternalFunction.h:
2485         (JSC::InternalFunction::nativeFunctionFor):
2486         * runtime/JSCPoison.h: Added.
2487         * runtime/JSCPoisonedPtr.cpp:
2488         (JSC::initializePoison):
2489         * runtime/JSCPoisonedPtr.h:
2490         * runtime/Lookup.h:
2491         * runtime/NativeExecutable.cpp:
2492         (JSC::NativeExecutable::hashFor const):
2493         * runtime/NativeExecutable.h:
2494         * runtime/Structure.cpp:
2495         (JSC::StructureTransitionTable::setSingleTransition):
2496         * runtime/StructureTransitionTable.h:
2497         (JSC::StructureTransitionTable::StructureTransitionTable):
2498         (JSC::StructureTransitionTable::isUsingSingleSlot const):
2499         (JSC::StructureTransitionTable::map const):
2500         (JSC::StructureTransitionTable::weakImpl const):
2501         (JSC::StructureTransitionTable::setMap):
2502
2503 2017-12-07  Joseph Pecoraro  <pecoraro@apple.com>
2504
2505         Web Inspector: Fix style in remote inspector classes
2506         https://bugs.webkit.org/show_bug.cgi?id=180545
2507
2508         Reviewed by Youenn Fablet.
2509
2510         * inspector/remote/RemoteControllableTarget.h:
2511         * inspector/remote/RemoteInspectionTarget.h:
2512         * runtime/JSGlobalObjectDebuggable.h:
2513
2514 2017-12-07  Per Arne Vollan  <pvollan@apple.com>
2515
2516         Use fastAlignedFree to free aligned memory.
2517         https://bugs.webkit.org/show_bug.cgi?id=180540
2518
2519         Reviewed by Saam Barati.
2520
2521         * heap/IsoAlignedMemoryAllocator.cpp:
2522         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2523
2524 2017-12-07  Matt Lewis  <jlewis3@apple.com>
2525
2526         Unreviewed, rolling out r225634.
2527
2528         This caused layout tests to time out.
2529
2530         Reverted changeset:
2531
2532         "Simplify log channel configuration UI"
2533         https://bugs.webkit.org/show_bug.cgi?id=180527
2534         https://trac.webkit.org/changeset/225634
2535
2536 2017-12-07  Eric Carlson  <eric.carlson@apple.com>
2537
2538         Simplify log channel configuration UI
2539         https://bugs.webkit.org/show_bug.cgi?id=180527
2540         <rdar://problem/35908382>
2541
2542         Reviewed by Joseph Pecoraro.
2543
2544         * inspector/protocol/Console.json:
2545
2546 2017-12-07  Mark Lam  <mark.lam@apple.com>
2547
2548         [Re-landing r225620] Refactoring: Rename ScrambledPtr to Poisoned.
2549         https://bugs.webkit.org/show_bug.cgi?id=180514
2550
2551         Reviewed by Saam Barati and JF Bastien.
2552
2553         Re-landing r225620 with speculative build fix for GCC 7.
2554
2555         * API/JSCallbackObject.h:
2556         * API/JSObjectRef.cpp:
2557         (classInfoPrivate):
2558         * JavaScriptCore.xcodeproj/project.pbxproj:
2559         * Sources.txt:
2560         * assembler/MacroAssemblerCodeRef.h:
2561         (JSC::FunctionPtr::FunctionPtr):
2562         (JSC::FunctionPtr::value const):
2563         (JSC::FunctionPtr::executableAddress const):
2564         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2565         (JSC::ReturnAddressPtr::value const):
2566         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2567         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2568         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2569         (JSC::MacroAssemblerCodePtr:: const):
2570         (JSC::MacroAssemblerCodePtr::operator! const):
2571         (JSC::MacroAssemblerCodePtr::operator== const):
2572         (JSC::MacroAssemblerCodePtr::emptyValue):
2573         (JSC::MacroAssemblerCodePtr::deletedValue):
2574         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2575         * b3/B3LowerMacros.cpp:
2576         * b3/testb3.cpp:
2577         (JSC::B3::testInterpreter):
2578         * dfg/DFGSpeculativeJIT.cpp:
2579         (JSC::DFG::SpeculativeJIT::checkArray):
2580         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2581         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2582         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2583         * ftl/FTLLowerDFGToB3.cpp:
2584         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2585         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2586         * jit/AssemblyHelpers.h:
2587         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2588         * jit/SpecializedThunkJIT.h:
2589         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2590         * jit/ThunkGenerators.cpp:
2591         (JSC::virtualThunkFor):
2592         (JSC::boundThisNoArgsFunctionCallGenerator):
2593         * llint/LLIntSlowPaths.cpp:
2594         (JSC::LLInt::handleHostCall):
2595         (JSC::LLInt::setUpCall):
2596         * llint/LowLevelInterpreter64.asm:
2597         * runtime/InitializeThreading.cpp:
2598         (JSC::initializeThreading):
2599         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2600         (JSC::initializePoison):
2601         (JSC::initializeScrambledPtrKeys): Deleted.
2602         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2603         * runtime/JSCScrambledPtr.cpp: Removed.
2604         * runtime/JSCScrambledPtr.h: Removed.
2605         * runtime/JSDestructibleObject.h:
2606         (JSC::JSDestructibleObject::classInfo const):
2607         * runtime/JSSegmentedVariableObject.h:
2608         (JSC::JSSegmentedVariableObject::classInfo const):
2609         * runtime/Structure.h:
2610         * runtime/VM.h:
2611
2612 2017-12-07  Michael Catanzaro  <mcatanzaro@igalia.com>
2613
2614         Unreviewed, rolling out r225620
2615         https://bugs.webkit.org/show_bug.cgi?id=180514
2616         <rdar://problem/35901694>
2617
2618         It broke the build with GCC 7, and I don't know how to fix it.
2619
2620         * API/JSCallbackObject.h:
2621         * API/JSObjectRef.cpp:
2622         (classInfoPrivate):
2623         * JavaScriptCore.xcodeproj/project.pbxproj:
2624         * Sources.txt:
2625         * assembler/MacroAssemblerCodeRef.h:
2626         (JSC::FunctionPtr::FunctionPtr):
2627         (JSC::FunctionPtr::value const):
2628         (JSC::FunctionPtr::executableAddress const):
2629         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2630         (JSC::ReturnAddressPtr::value const):
2631         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2632         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2633         (JSC::MacroAssemblerCodePtr::scrambledPtr const):
2634         (JSC::MacroAssemblerCodePtr:: const):
2635         (JSC::MacroAssemblerCodePtr::operator! const):
2636         (JSC::MacroAssemblerCodePtr::operator== const):
2637         (JSC::MacroAssemblerCodePtr::emptyValue):
2638         (JSC::MacroAssemblerCodePtr::deletedValue):
2639         (JSC::MacroAssemblerCodePtr::poisonedPtr const): Deleted.
2640         * b3/B3LowerMacros.cpp:
2641         * b3/testb3.cpp:
2642         (JSC::B3::testInterpreter):
2643         * dfg/DFGSpeculativeJIT.cpp:
2644         (JSC::DFG::SpeculativeJIT::checkArray):
2645         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2646         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2647         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2648         * ftl/FTLLowerDFGToB3.cpp:
2649         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2650         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2651         * jit/AssemblyHelpers.h:
2652         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2653         * jit/SpecializedThunkJIT.h:
2654         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2655         * jit/ThunkGenerators.cpp:
2656         (JSC::virtualThunkFor):
2657         (JSC::boundThisNoArgsFunctionCallGenerator):
2658         * llint/LLIntSlowPaths.cpp:
2659         (JSC::LLInt::handleHostCall):
2660         (JSC::LLInt::setUpCall):
2661         * llint/LowLevelInterpreter64.asm:
2662         * runtime/InitializeThreading.cpp:
2663         (JSC::initializeThreading):
2664         * runtime/JSCScrambledPtr.cpp: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.cpp.
2665         (JSC::initializeScrambledPtrKeys):
2666         * runtime/JSCScrambledPtr.h: Renamed from Source/JavaScriptCore/runtime/JSCPoisonedPtr.h.
2667         * runtime/JSDestructibleObject.h:
2668         (JSC::JSDestructibleObject::classInfo const):
2669         * runtime/JSSegmentedVariableObject.h:
2670         (JSC::JSSegmentedVariableObject::classInfo const):
2671         * runtime/Structure.h:
2672         * runtime/VM.h:
2673
2674 2017-12-06  Mark Lam  <mark.lam@apple.com>
2675
2676         Refactoring: Rename ScrambledPtr to Poisoned.
2677         https://bugs.webkit.org/show_bug.cgi?id=180514
2678
2679         Reviewed by Saam Barati.
2680
2681         * API/JSCallbackObject.h:
2682         * API/JSObjectRef.cpp:
2683         (classInfoPrivate):
2684         * JavaScriptCore.xcodeproj/project.pbxproj:
2685         * Sources.txt:
2686         * assembler/MacroAssemblerCodeRef.h:
2687         (JSC::FunctionPtr::FunctionPtr):
2688         (JSC::FunctionPtr::value const):
2689         (JSC::FunctionPtr::executableAddress const):
2690         (JSC::ReturnAddressPtr::ReturnAddressPtr):
2691         (JSC::ReturnAddressPtr::value const):
2692         (JSC::MacroAssemblerCodePtr::MacroAssemblerCodePtr):
2693         (JSC::MacroAssemblerCodePtr::createFromExecutableAddress):
2694         (JSC::MacroAssemblerCodePtr::poisonedPtr const):
2695         (JSC::MacroAssemblerCodePtr:: const):
2696         (JSC::MacroAssemblerCodePtr::operator! const):
2697         (JSC::MacroAssemblerCodePtr::operator== const):
2698         (JSC::MacroAssemblerCodePtr::emptyValue):
2699         (JSC::MacroAssemblerCodePtr::deletedValue):
2700         (JSC::MacroAssemblerCodePtr::scrambledPtr const): Deleted.
2701         * b3/B3LowerMacros.cpp:
2702         * b3/testb3.cpp:
2703         (JSC::B3::testInterpreter):
2704         * dfg/DFGSpeculativeJIT.cpp:
2705         (JSC::DFG::SpeculativeJIT::checkArray):
2706         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
2707         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
2708         (JSC::DFG::SpeculativeJIT::emitSwitchIntJump):
2709         * ftl/FTLLowerDFGToB3.cpp:
2710         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
2711         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
2712         * jit/AssemblyHelpers.h:
2713         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
2714         * jit/SpecializedThunkJIT.h:
2715         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
2716         * jit/ThunkGenerators.cpp:
2717         (JSC::virtualThunkFor):
2718         (JSC::boundThisNoArgsFunctionCallGenerator):
2719         * llint/LLIntSlowPaths.cpp:
2720         (JSC::LLInt::handleHostCall):
2721         (JSC::LLInt::setUpCall):
2722         * llint/LowLevelInterpreter64.asm:
2723         * runtime/InitializeThreading.cpp:
2724         (JSC::initializeThreading):
2725         * runtime/JSCPoisonedPtr.cpp: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.cpp.
2726         (JSC::initializePoison):
2727         (JSC::initializeScrambledPtrKeys): Deleted.
2728         * runtime/JSCPoisonedPtr.h: Copied from Source/JavaScriptCore/runtime/JSCScrambledPtr.h.
2729         * runtime/JSCScrambledPtr.cpp: Removed.
2730         * runtime/JSCScrambledPtr.h: Removed.
2731         * runtime/JSDestructibleObject.h:
2732         (JSC::JSDestructibleObject::classInfo const):
2733         * runtime/JSSegmentedVariableObject.h:
2734         (JSC::JSSegmentedVariableObject::classInfo const):
2735         * runtime/Structure.h:
2736         * runtime/VM.h:
2737
2738 2017-12-02  Darin Adler  <darin@apple.com>
2739
2740         Modernize some aspects of text codecs, eliminate WebKit use of strcasecmp
2741         https://bugs.webkit.org/show_bug.cgi?id=180009
2742
2743         Reviewed by Alex Christensen.
2744
2745         * bytecode/ArrayProfile.cpp: Removed include of StringExtras.h.
2746         * bytecode/CodeBlock.cpp: Ditto.
2747         * bytecode/ExecutionCounter.cpp: Ditto.
2748         * runtime/ConfigFile.cpp: Ditto.
2749         * runtime/DatePrototype.cpp: Ditto.
2750         * runtime/IndexingType.cpp: Ditto.
2751         * runtime/JSCJSValue.cpp: Ditto.
2752         * runtime/JSDateMath.cpp: Ditto.
2753         * runtime/JSGlobalObjectFunctions.cpp: Ditto.
2754         * runtime/Options.cpp: Ditto.
2755         (JSC::parse): Use equalLettersIgnoringASCIICase instead of strcasecmp.
2756
2757 2017-12-06  Saam Barati  <sbarati@apple.com>
2758
2759         ASSERTION FAILED: vm->currentThreadIsHoldingAPILock() in void JSC::sanitizeStackForVM(JSC::VM *)
2760         https://bugs.webkit.org/show_bug.cgi?id=180438
2761         <rdar://problem/35862342>
2762
2763         Reviewed by Yusuke Suzuki.
2764
2765         A couple of inspector methods that take stack traces need
2766         to grab the JSLock.
2767
2768         * inspector/ScriptCallStackFactory.cpp:
2769         (Inspector::createScriptCallStack):
2770         (Inspector::createScriptCallStackForConsole):
2771
2772 2017-12-05  Stephan Szabo  <stephan.szabo@sony.com>
2773
2774         Switch windows build to Visual Studio 2017
2775         https://bugs.webkit.org/show_bug.cgi?id=172412
2776
2777         Reviewed by Per Arne Vollan.
2778
2779         * JavaScriptCore.vcxproj/JavaScriptCore.proj:
2780
2781 2017-12-05  JF Bastien  <jfbastien@apple.com>
2782
2783         WebAssembly: don't eagerly checksum
2784         https://bugs.webkit.org/show_bug.cgi?id=180441
2785         <rdar://problem/35156628>
2786
2787         Reviewed by Saam Barati.
2788
2789         Make checksumming of module optional for now. The bots think the
2790         checksum hurt compile-time. I'd measured it and couldn't see a
2791         difference, and still can't at this point in time, but we'll see
2792         if disabling it fixes the bots. If so then I can make it lazy upon
2793         first backtrace construction, or I can try out MD5 instead of
2794         SHA1.
2795
2796         * runtime/Options.h:
2797         * wasm/WasmModuleInformation.cpp:
2798         (JSC::Wasm::ModuleInformation::ModuleInformation):
2799         * wasm/WasmModuleInformation.h:
2800         * wasm/WasmNameSection.h:
2801         (JSC::Wasm::NameSection::NameSection):
2802
2803 2017-12-05  Filip Pizlo  <fpizlo@apple.com>
2804
2805         IsoAlignedMemoryAllocator needs to free all of its memory when the VM destructs
2806         https://bugs.webkit.org/show_bug.cgi?id=180425
2807
2808         Reviewed by Saam Barati.
2809         
2810         Failure to do so causes leaks after starting workers.
2811
2812         * heap/IsoAlignedMemoryAllocator.cpp:
2813         (JSC::IsoAlignedMemoryAllocator::~IsoAlignedMemoryAllocator):
2814         (JSC::IsoAlignedMemoryAllocator::tryAllocateAlignedMemory):
2815
2816 2017-12-05  Per Arne Vollan  <pvollan@apple.com>
2817
2818         [Win64] Compile error in testmasm.cpp.
2819         https://bugs.webkit.org/show_bug.cgi?id=180436
2820
2821         Reviewed by Mark Lam.
2822
2823         Fix MSVC warning (32-bit shift implicitly converted to 64 bits).
2824         
2825         * assembler/testmasm.cpp:
2826         (JSC::testGetEffectiveAddress):
2827
2828 2017-12-01  Filip Pizlo  <fpizlo@apple.com>
2829
2830         GC constraint solving should be parallel
2831         https://bugs.webkit.org/show_bug.cgi?id=179934
2832
2833         Reviewed by JF Bastien.
2834         
2835         This makes it possible to do constraint solving in parallel. This looks like a 1% Speedometer
2836         speed-up. It's more than 1% on trunk-Speedometer.
2837         
2838         The constraint solver supports running constraints in parallel in two different ways:
2839         
2840         - Run multiple constraints in parallel to each other. This only works for constraints that can
2841           tolerate other constraints running concurrently to them (constraint.concurrency() ==
2842           ConstraintConcurrency::Concurrent). This is the most basic kind of parallelism that the
2843           constraint solver supports. All constraints except the JSC SPI constraints are concurrent. We
2844           could probably make them concurrent, but I'm playing it safe for now.
2845         
2846         - A constraint can create parallel work for itself, which the constraint solver will interleave
2847           with other stuff. A constraint can report that it has parallel work by returning
2848           ConstraintParallelism::Parallel from its executeImpl() function. Then the solver will allow that
2849           constraint's doParallelWorkImpl() function to run on as many GC marker threads as are available,
2850           for as long as that function wants to run.
2851         
2852         It's not possible to have a non-concurrent constraint that creates parallel work.
2853         
2854         The parallelism is implemented in terms of the existing GC marker threads. This turns out to be
2855         most natural for two reasons:
2856         
2857         - No need to start any other threads.
2858         
2859         - The constraints all want to be passed a SlotVisitor. Running on the marker threads means having
2860           access to those threads' SlotVisitors. Also, it means less load balancing. The solver will
2861           create work on each marking thread's SlotVisitor. When the solver is done "stealing" a marker
2862           thread, that thread will have work it can start doing immediately. Before this change, we had to
2863           contribute the work found by the constraint solver to the global worklist so that it could be
2864           distributed to the marker threads by load balancing. This change probably helps to avoid that
2865           load balancing step.
2866         
2867         A lot of this change is about making it easy to iterate GC data structures in parallel. This
2868         change makes almost all constraints parallel-enabled, but only the DOM's output constraint uses
2869         the parallel work API. That constraint iterates the marked cells in two subspaces. This change
2870         makes it very easy to compose parallel iterators over subspaces, allocators, blocks, and cells.
2871         The marked cell parallel iterator is composed out of parallel iterators for the others. A parallel
2872         iterator is just an iterator that can do an atomic next() very quickly. We abstract them using
2873         RefPtr<SharedTask<...()>>, where ... is the type returned from the iterator. We know it's done
2874         when it returns a falsish version of ... (in the current code, that's always a pointer type, so
2875         done is indicated by null).
2876         
2877         * API/JSMarkingConstraintPrivate.cpp:
2878         (JSContextGroupAddMarkingConstraint):
2879         * API/JSVirtualMachine.mm:
2880         (scanExternalObjectGraph):
2881         (scanExternalRememberedSet):
2882         * JavaScriptCore.xcodeproj/project.pbxproj:
2883         * Sources.txt:
2884         * bytecode/AccessCase.cpp:
2885         (JSC::AccessCase::propagateTransitions const):
2886         * bytecode/CodeBlock.cpp:
2887         (JSC::CodeBlock::visitWeakly):
2888         (JSC::CodeBlock::shouldJettisonDueToOldAge):
2889         (JSC::shouldMarkTransition):
2890         (JSC::CodeBlock::propagateTransitions):
2891         (JSC::CodeBlock::determineLiveness):
2892         * dfg/DFGWorklist.cpp:
2893         * ftl/FTLCompile.cpp:
2894         (JSC::FTL::compile):
2895         * heap/ConstraintParallelism.h: Added.
2896         (WTF::printInternal):
2897         * heap/Heap.cpp:
2898         (JSC::Heap::Heap):
2899         (JSC::Heap::addToRememberedSet):
2900         (JSC::Heap::runFixpointPhase):
2901         (JSC::Heap::stopThePeriphery):
2902         (JSC::Heap::resumeThePeriphery):
2903         (JSC::Heap::addCoreConstraints):
2904         (JSC::Heap::setBonusVisitorTask):
2905         (JSC::Heap::runTaskInParallel):
2906         (JSC::Heap::forEachSlotVisitor): Deleted.
2907         * heap/Heap.h:
2908         (JSC::Heap::worldIsRunning const):
2909         (JSC::Heap::runFunctionInParallel):
2910         * heap/HeapInlines.h:
2911         (JSC::Heap::worldIsStopped const):
2912         (JSC::Heap::isMarked):
2913         (JSC::Heap::incrementDeferralDepth):
2914         (JSC::Heap::decrementDeferralDepth):
2915         (JSC::Heap::decrementDeferralDepthAndGCIfNeeded):
2916         (JSC::Heap::forEachSlotVisitor):
2917         (JSC::Heap::collectorBelievesThatTheWorldIsStopped const): Deleted.
2918         (JSC::Heap::isMarkedConcurrently): Deleted.
2919         * heap/HeapSnapshotBuilder.cpp:
2920         (JSC::HeapSnapshotBuilder::appendNode):
2921         * heap/LargeAllocation.h:
2922         (JSC::LargeAllocation::isMarked):
2923         (JSC::LargeAllocation::isMarkedConcurrently): Deleted.
2924         * heap/LockDuringMarking.h:
2925         (JSC::lockDuringMarking):
2926         * heap/MarkedAllocator.cpp:
2927         (JSC::MarkedAllocator::parallelNotEmptyBlockSource):
2928         * heap/MarkedAllocator.h:
2929         * heap/MarkedBlock.h:
2930         (JSC::MarkedBlock::aboutToMark):
2931         (JSC::MarkedBlock::isMarked):
2932         (JSC::MarkedBlock::areMarksStaleWithDependency): Deleted.
2933         (JSC::MarkedBlock::isMarkedConcurrently): Deleted.
2934         * heap/MarkedSpace.h:
2935         (JSC::MarkedSpace::activeWeakSetsBegin):
2936         (JSC::MarkedSpace::activeWeakSetsEnd):
2937         (JSC::MarkedSpace::newActiveWeakSetsBegin):
2938         (JSC::MarkedSpace::newActiveWeakSetsEnd):
2939         * heap/MarkingConstraint.cpp:
2940         (JSC::MarkingConstraint::MarkingConstraint):
2941         (JSC::MarkingConstraint::execute):
2942         (JSC::MarkingConstraint::quickWorkEstimate):
2943         (JSC::MarkingConstraint::workEstimate):
2944         (JSC::MarkingConstraint::doParallelWork):
2945         (JSC::MarkingConstraint::finishParallelWork):
2946         (JSC::MarkingConstraint::doParallelWorkImpl):
2947         (JSC::MarkingConstraint::finishParallelWorkImpl):
2948         * heap/MarkingConstraint.h:
2949         (JSC::MarkingConstraint::lastExecuteParallelism const):
2950         (JSC::MarkingConstraint::parallelism const):
2951         (JSC::MarkingConstraint::quickWorkEstimate): Deleted.
2952         (JSC::MarkingConstraint::workEstimate): Deleted.
2953         * heap/MarkingConstraintSet.cpp:
2954         (JSC::MarkingConstraintSet::MarkingConstraintSet):
2955         (JSC::MarkingConstraintSet::add):
2956         (JSC::MarkingConstraintSet::executeConvergence):
2957         (JSC::MarkingConstraintSet::executeConvergenceImpl):
2958         (JSC::MarkingConstraintSet::executeAll):
2959         (JSC::MarkingConstraintSet::ExecutionContext::ExecutionContext): Deleted.
2960         (JSC::MarkingConstraintSet::ExecutionContext::didVisitSomething const): Deleted.
2961         (JSC::MarkingConstraintSet::ExecutionContext::shouldTimeOut const): Deleted.
2962         (JSC::MarkingConstraintSet::ExecutionContext::drain): Deleted.
2963         (JSC::MarkingConstraintSet::ExecutionContext::didExecute const): Deleted.
2964         (JSC::MarkingConstraintSet::ExecutionContext::execute): Deleted.
2965         (): Deleted.
2966         * heap/MarkingConstraintSet.h:
2967         * heap/MarkingConstraintSolver.cpp: Added.
2968         (JSC::MarkingConstraintSolver::MarkingConstraintSolver):
2969         (JSC::MarkingConstraintSolver::~MarkingConstraintSolver):
2970         (JSC::MarkingConstraintSolver::didVisitSomething const):
2971         (JSC::MarkingConstraintSolver::execute):
2972         (JSC::MarkingConstraintSolver::drain):
2973         (JSC::MarkingConstraintSolver::converge):
2974         (JSC::MarkingConstraintSolver::runExecutionThread):
2975         (JSC::MarkingConstraintSolver::didExecute):
2976         * heap/MarkingConstraintSolver.h: Added.
2977         * heap/OpaqueRootSet.h: Removed.
2978         * heap/ParallelSourceAdapter.h: Added.
2979         (JSC::ParallelSourceAdapter::ParallelSourceAdapter):
2980         (JSC::createParallelSourceAdapter):
2981         * heap/SimpleMarkingConstraint.cpp: Added.
2982         (JSC::SimpleMarkingConstraint::SimpleMarkingConstraint):
2983         (JSC::SimpleMarkingConstraint::~SimpleMarkingConstraint):
2984         (JSC::SimpleMarkingConstraint::quickWorkEstimate):
2985         (JSC::SimpleMarkingConstraint::executeImpl):
2986         * heap/SimpleMarkingConstraint.h: Added.
2987         * heap/SlotVisitor.cpp:
2988         (JSC::SlotVisitor::didStartMarking):
2989         (JSC::SlotVisitor::reset):
2990         (JSC::SlotVisitor::appendToMarkStack):
2991         (JSC::SlotVisitor::visitChildren):
2992         (JSC::SlotVisitor::updateMutatorIsStopped):
2993         (JSC::SlotVisitor::mutatorIsStoppedIsUpToDate const):
2994         (JSC::SlotVisitor::drain):
2995         (JSC::SlotVisitor::performIncrementOfDraining):
2996         (JSC::SlotVisitor::didReachTermination):
2997         (JSC::SlotVisitor::hasWork):
2998         (JSC::SlotVisitor::drainFromShared):
2999         (JSC::SlotVisitor::drainInParallelPassively):
3000         (JSC::SlotVisitor::waitForTermination):
3001         (JSC::SlotVisitor::addOpaqueRoot): Deleted.
3002         (JSC::SlotVisitor::containsOpaqueRoot const): Deleted.
3003         (JSC::SlotVisitor::containsOpaqueRootTriState const): Deleted.
3004         (JSC::SlotVisitor::mergeIfNecessary): Deleted.
3005         (JSC::SlotVisitor::mergeOpaqueRootsIfProfitable): Deleted.
3006         (JSC::SlotVisitor::mergeOpaqueRoots): Deleted.
3007         * heap/SlotVisitor.h:
3008         * heap/SlotVisitorInlines.h:
3009         (JSC::SlotVisitor::addOpaqueRoot):
3010         (JSC::SlotVisitor::containsOpaqueRoot const):
3011         (JSC::SlotVisitor::vm):
3012         (JSC::SlotVisitor::vm const):
3013         * heap/Subspace.cpp:
3014         (JSC::Subspace::parallelAllocatorSource):
3015         (JSC::Subspace::parallelNotEmptyMarkedBlockSource):
3016         * heap/Subspace.h:
3017         * heap/SubspaceInlines.h:
3018         (JSC::Subspace::forEachMarkedCellInParallel):
3019         * heap/VisitCounter.h: Added.
3020         (JSC::VisitCounter::VisitCounter):
3021         (JSC::VisitCounter::visitCount const):
3022         * heap/VisitingTimeout.h: Removed.
3023         * heap/WeakBlock.cpp:
3024         (JSC::WeakBlock::specializedVisit):
3025         * runtime/Structure.cpp:
3026         (JSC::Structure::isCheapDuringGC):
3027         (JSC::Structure::markIfCheap):
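
The parallel-iterator composition this entry describes (each source does an atomic next(), sources over blocks and cells compose, and null means done), as an added illustration written for this page; it is not JSC's SharedTask or ParallelSourceAdapter code. It stands in std::shared_ptr<std::function<T*()>> for RefPtr<SharedTask<T*()>>, and the heap shape (Block, Cell, the marked flag), the constructed sample heap and every function name are assumptions made for the example.

```cpp
#include <atomic>
#include <functional>
#include <memory>
#include <mutex>
#include <thread>
#include <vector>

// Stand-in for RefPtr<SharedTask<T*()>>: a shared callable any thread may invoke.
// It hands out every item exactly once and returns nullptr once drained.
template<typename T>
using ParallelSource = std::shared_ptr<std::function<T*()>>;

// Leaf source over a vector: next() is one atomic fetch_add on a shared cursor.
template<typename T>
ParallelSource<T> parallelVectorSource(std::vector<T>& items)
{
    auto cursor = std::make_shared<std::atomic<size_t>>(0);
    return std::make_shared<std::function<T*()>>([&items, cursor]() -> T* {
        size_t i = cursor->fetch_add(1, std::memory_order_relaxed);
        return i < items.size() ? &items[i] : nullptr;
    });
}

// Composes an outer source with a factory for inner sources. Threads drain the
// current inner source lock-free; only advancing the outer source takes the lock,
// and a thread holding a stale snapshot re-reads rather than advancing again.
template<typename Outer, typename Inner>
ParallelSource<Inner> composeParallelSources(
    ParallelSource<Outer> outer, std::function<ParallelSource<Inner>(Outer*)> makeInner)
{
    struct State {
        std::mutex lock;
        ParallelSource<Inner> inner; // null until the first advance
        bool done { false };
    };
    auto state = std::make_shared<State>();
    return std::make_shared<std::function<Inner*()>>([outer, makeInner, state]() -> Inner* {
        for (;;) {
            ParallelSource<Inner> current;
            {
                std::lock_guard<std::mutex> guard(state->lock);
                if (state->done)
                    return nullptr;
                current = state->inner;
            }
            if (current)
                if (Inner* item = (*current)())
                    return item;
            std::lock_guard<std::mutex> guard(state->lock);
            if (state->inner != current)
                continue; // another thread advanced first; retry on the new inner source
            Outer* next = (*outer)();
            if (!next) {
                state->done = true;
                return nullptr;
            }
            state->inner = makeInner(next);
        }
    });
}

// Constructed heap shape for the example (not JSC's MarkedBlock layout).
struct Cell { bool marked; int payload; };
struct Block { std::vector<Cell> cells; };

// nBlocks blocks of nCells cells each; cells whose id % 3 == 0 are marked.
std::vector<Block> makeSampleHeap(size_t nBlocks, size_t nCells)
{
    std::vector<Block> blocks(nBlocks);
    for (size_t b = 0; b < nBlocks; ++b)
        for (size_t c = 0; c < nCells; ++c)
            blocks[b].cells.push_back(Cell { (b * nCells + c) % 3 == 0, static_cast<int>(b * nCells + c) });
    return blocks;
}

// Cell source composed from the block source and a per-block cell source.
ParallelSource<Cell> parallelCellSource(std::vector<Block>& blocks)
{
    return composeParallelSources<Block, Cell>(
        parallelVectorSource(blocks), [](Block* block) { return parallelVectorSource(block->cells); });
}

// nThreads workers drain the cell source and sum the payloads of marked cells.
// Takes the heap by value so the workers' references stay valid until join().
long sumMarkedPayloadsInParallel(std::vector<Block> blocks, unsigned nThreads)
{
    ParallelSource<Cell> source = parallelCellSource(blocks);
    std::atomic<long> total { 0 };
    std::vector<std::thread> workers;
    for (unsigned t = 0; t < nThreads; ++t) {
        workers.emplace_back([source, &total] {
            long local = 0;
            while (Cell* cell = (*source)())
                local += cell->marked ? cell->payload : 0;
            total.fetch_add(local, std::memory_order_relaxed);
        });
    }
    for (std::thread& worker : workers)
        worker.join();
    return total.load();
}
```

Drive it from a main that calls sumMarkedPayloadsInParallel(makeSampleHeap(8, 50), 4): the result is the same for one worker or many, because the only shared mutable state is the leaf cursors (one fetch_add per item) and the composed source's current-inner pointer, which is only replaced under the lock by the thread whose snapshot is still current. An empty outer source, or blocks with no cells, drain cleanly without a special case.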
3028
3029 2017-12-04  JF Bastien  <jfbastien@apple.com>
3030
3031         Math: don't redundantly check for exceptions, just release scope
3032         https://bugs.webkit.org/show_bug.cgi?id=180395
3033
3034         Rubber stamped by Mark Lam.
3035
3036         Two of the exceptions checks could just have been exception scope
3037         releases before the return, which is ever-so-slightly more
3038         efficient. The same technically applies where we have loops over
3039         parameters, but doing the scope release there isn't really more
3040         efficient and is way harder to read.
3041
3042         * runtime/MathObject.cpp:
3043         (JSC::mathProtoFuncATan2):
3044         (JSC::mathProtoFuncPow):
3045
3046 2017-12-04  David Quesada  <david_quesada@apple.com>
3047
3048         Add a class for parsing application manifests
3049         https://bugs.webkit.org/show_bug.cgi?id=177973
3050         <rdar://problem/34747949>
3051
3052         Reviewed by Geoffrey Garen.
3053
3054         * Configurations/FeatureDefines.xcconfig: Add ENABLE_APPLICATION_MANIFEST feature flag.
3055
3056 2017-12-04  JF Bastien  <jfbastien@apple.com>
3057
3058         Update std::expected to match libc++ coding style
3059         https://bugs.webkit.org/show_bug.cgi?id=180264
3060
3061         Reviewed by Alex Christensen.
3062
3063         Update various uses of Expected.
3064
3065         * wasm/WasmModule.h:
3066         * wasm/WasmModuleParser.cpp:
3067         (JSC::Wasm::ModuleParser::parseImport):
3068         (JSC::Wasm::ModuleParser::parseTableHelper):
3069         (JSC::Wasm::ModuleParser::parseTable):
3070         (JSC::Wasm::ModuleParser::parseMemoryHelper):
3071         * wasm/WasmParser.h:
3072         * wasm/generateWasmValidateInlinesHeader.py:
3073         (loadMacro):
3074         (storeMacro):
3075         * wasm/js/JSWebAssemblyModule.cpp:
3076         (JSC::JSWebAssemblyModule::createStub):
3077         * wasm/js/JSWebAssemblyModule.h:
3078
3079 2017-12-04  Saam Barati  <sbarati@apple.com>
3080
3081         We need to leave room on the top of the stack for the FTL TailCall slow path so it doesn't overwrite things we want to retrieve when doing a stack walk when throwing an exception
3082         https://bugs.webkit.org/show_bug.cgi?id=180366
3083         <rdar://problem/35685877>
3084
3085         Reviewed by Michael Saboff.
3086
3087         On the TailCall slow path, the CallFrameShuffler will build the frame with
3088         respect to SP instead of FP. However, this may overwrite slots on the stack
3089         that are needed if the slow path C call does a stack walk. The slow path
3090         C call does a stack walk when it throws an exception. This patch fixes
3091         this bug by ensuring that the top of the stack in the FTL always has enough
3092         space to allow CallFrameShuffler to build a frame without overwriting any
3093         items on the stack that are needed when doing a stack walk.
3094
3095         * ftl/FTLLowerDFGToB3.cpp:
3096         (JSC::FTL::DFG::LowerDFGToB3::compileTailCall):
3097
3098 2017-12-04  Devin Rousso  <webkit@devinrousso.com>
3099
3100         Web Inspector: provide method for recording CanvasRenderingContext2D from JavaScript
3101         https://bugs.webkit.org/show_bug.cgi?id=175166
3102         <rdar://problem/34040740>
3103
3104         Reviewed by Joseph Pecoraro.
3105
3106         * inspector/protocol/Recording.json:
3107         Add optional `name` that will be used by the frontend for uniquely identifying the Recording.
3108
3109         * inspector/JSGlobalObjectConsoleClient.h:
3110         * inspector/JSGlobalObjectConsoleClient.cpp:
3111         (Inspector::JSGlobalObjectConsoleClient::record):
3112         (Inspector::JSGlobalObjectConsoleClient::recordEnd):
3113
3114         * runtime/ConsoleClient.h:
3115         * runtime/ConsoleObject.cpp:
3116         (JSC::ConsoleObject::finishCreation):
3117         (JSC::consoleProtoFuncRecord):
3118         (JSC::consoleProtoFuncRecordEnd):
3119
3120 2017-12-03  Yusuke Suzuki  <utatane.tea@gmail.com>
3121
3122         WTF shouldn't have both Thread and ThreadIdentifier
3123         https://bugs.webkit.org/show_bug.cgi?id=180308
3124
3125         Reviewed by Darin Adler.
3126
3127         * heap/MachineStackMarker.cpp:
3128         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3129         * llint/LLIntSlowPaths.cpp:
3130         (JSC::LLInt::llint_trace_operand):
3131         (JSC::LLInt::llint_trace_value):
3132         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3133         (JSC::LLInt::traceFunctionPrologue):
3134         * runtime/ExceptionScope.cpp:
3135         (JSC::ExceptionScope::unexpectedExceptionMessage):
3136         * runtime/JSLock.h:
3137         (JSC::JSLock::currentThreadIsHoldingLock):
3138         * runtime/VM.cpp:
3139         (JSC::VM::throwException):
3140         * runtime/VM.h:
3141         (JSC::VM::throwingThread const):
3142         (JSC::VM::clearException):
3143         * tools/HeapVerifier.cpp:
3144         (JSC::HeapVerifier::printVerificationHeader):
3145
3146 2017-12-03  Caio Lima  <ticaiolima@gmail.com>
3147
3148         Rename DestroyFunc to avoid redefinition on unified build
3149         https://bugs.webkit.org/show_bug.cgi?id=180335
3150
3151         Reviewed by Filip Pizlo.
3152
3153         Changing DestroyFunc structures to more specific names to avoid
3154         conflicts on unified builds.
3155
3156         * heap/HeapCellType.cpp:
3157         (JSC::HeapCellType::finishSweep):
3158         (JSC::HeapCellType::destroy):
3159         * runtime/JSDestructibleObjectHeapCellType.cpp:
3160         (JSC::JSDestructibleObjectHeapCellType::finishSweep):
3161         (JSC::JSDestructibleObjectHeapCellType::destroy):
3162         * runtime/JSSegmentedVariableObjectHeapCellType.cpp:
3163         (JSC::JSSegmentedVariableObjectHeapCellType::finishSweep):
3164         (JSC::JSSegmentedVariableObjectHeapCellType::destroy):
3165         * runtime/JSStringHeapCellType.cpp:
3166         (JSC::JSStringHeapCellType::finishSweep):
3167         (JSC::JSStringHeapCellType::destroy):
3168         * wasm/js/JSWebAssemblyCodeBlockHeapCellType.cpp:
3169         (JSC::JSWebAssemblyCodeBlockHeapCellType::finishSweep):
3170         (JSC::JSWebAssemblyCodeBlockHeapCellType::destroy):
3171
3172 2017-12-01  JF Bastien  <jfbastien@apple.com>
3173
3174         JavaScriptCore: missing exception checks in Math functions that take more than one argument
3175         https://bugs.webkit.org/show_bug.cgi?id=180297
3176         <rdar://problem/35745556>
3177
3178         Reviewed by Mark Lam.
3179
3180         * runtime/MathObject.cpp:
3181         (JSC::mathProtoFuncATan2):
3182         (JSC::mathProtoFuncMax):
3183         (JSC::mathProtoFuncMin):
3184         (JSC::mathProtoFuncPow):
3185
3186 2017-12-01  Mark Lam  <mark.lam@apple.com>
3187
3188         Let's scramble ClassInfo pointers in cells.
3189         https://bugs.webkit.org/show_bug.cgi?id=180291
3190         <rdar://problem/35807620>
3191
3192         Reviewed by JF Bastien.
3193
3194         * API/JSCallbackObject.h:
3195         * API/JSObjectRef.cpp:
3196         (classInfoPrivate):
3197         * JavaScriptCore.xcodeproj/project.pbxproj:
3198         * Sources.txt:
3199         * assembler/MacroAssemblerCodeRef.cpp:
3200         (JSC::MacroAssemblerCodePtr::initialize): Deleted.
3201         * assembler/MacroAssemblerCodeRef.h:
3202         (JSC::MacroAssemblerCodePtr:: const):
3203         (JSC::MacroAssemblerCodePtr::hash const):
3204         * dfg/DFGSpeculativeJIT.cpp:
3205         (JSC::DFG::SpeculativeJIT::checkArray):
3206         (JSC::DFG::SpeculativeJIT::compileCheckSubClass):
3207         (JSC::DFG::SpeculativeJIT::compileNewStringObject):
3208         * ftl/FTLLowerDFGToB3.cpp:
3209         (JSC::FTL::DFG::LowerDFGToB3::compileNewStringObject):
3210         (JSC::FTL::DFG::LowerDFGToB3::compileCheckSubClass):
3211         * jit/AssemblyHelpers.h:
3212         (JSC::AssemblyHelpers::emitAllocateDestructibleObject):
3213         * jit/SpecializedThunkJIT.h:
3214         (JSC::SpecializedThunkJIT::loadArgumentWithSpecificClass):
3215         * runtime/InitializeThreading.cpp:
3216         (JSC::initializeThreading):
3217         * runtime/JSCScrambledPtr.cpp: Added.
3218         (JSC::initializeScrambledPtrKeys):
3219         * runtime/JSCScrambledPtr.h: Added.
3220         * runtime/JSDestructibleObject.h:
3221         (JSC::JSDestructibleObject::classInfo const):
3222         * runtime/JSSegmentedVariableObject.h:
3223         (JSC::JSSegmentedVariableObject::classInfo const):
3224         * runtime/Structure.h:
3225         * runtime/VM.h:
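
The technique behind this entry and the earlier "Rename ScrambledPtr to Poisoned" entry above (the ClassInfo pointer is stored in the cell scrambled against a secret rather than in the clear), as an added illustration written for this page; it is not JSC's ScrambledPtr or Poisoned implementation. The key construction (process-random, top 16 bits forced on), the Poisoned<T> class, the ClassInfo and Cell stand-ins and every function name are assumptions made for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <random>

static_assert(sizeof(void*) == 8, "this illustration assumes a 64-bit address space");

// Assumed key construction (not JSC's): a per-process random value whose top
// 16 bits are forced to 1. User-space pointers on common 64-bit ABIs have those
// bits clear, so ptr ^ key is never a user-space address: code that reads the
// raw field and dereferences it without unpoisoning faults instead of landing
// on attacker-chosen memory.
inline uintptr_t makePoisonKey()
{
    std::random_device rd;
    uint64_t key = (static_cast<uint64_t>(rd()) << 32) | rd();
    key |= 0xffffull << 48;
    return static_cast<uintptr_t>(key);
}

inline uintptr_t poisonKey()
{
    static const uintptr_t key = makePoisonKey(); // fixed for the process lifetime
    return key;
}

// Hypothetical Poisoned<T>: stores ptr ^ key instead of ptr. Every read goes
// through unpoisoned(), so the plain pointer never sits in the heap cell.
template<typename T>
class Poisoned {
public:
    Poisoned() = default;
    explicit Poisoned(T* ptr)
        : m_bits(ptr ? reinterpret_cast<uintptr_t>(ptr) ^ poisonKey() : 0)
    {
    }

    T* unpoisoned() const { return m_bits ? reinterpret_cast<T*>(m_bits ^ poisonKey()) : nullptr; }
    T* operator->() const { return unpoisoned(); }
    uintptr_t bits() const { return m_bits; } // the raw, scrambled representation
    explicit operator bool() const { return m_bits != 0; }

private:
    uintptr_t m_bits { 0 };
};

// Stand-ins for the real ClassInfo and cell layout (constructed for this example).
struct ClassInfo {
    const char* className;
};

struct Cell {
    Poisoned<const ClassInfo> classInfo;
    const ClassInfo* realClassInfo() const { return classInfo.unpoisoned(); }
};

const ClassInfo kTestClassInfo { "TestObject" };

// Unpoisoning recovers the original pointer, and the stored bits differ from it.
bool poisonRoundTrips(const ClassInfo* info)
{
    Cell cell { Poisoned<const ClassInfo>(info) };
    return cell.classInfo.bits() != reinterpret_cast<uintptr_t>(info)
        && cell.realClassInfo() == info;
}

// The property the mitigation relies on: the scrambled bits lie outside the
// user-space range, so they are useless as a forged pointer without the key.
bool poisonedBitsAreOutsideUserSpace(const ClassInfo* info)
{
    Poisoned<const ClassInfo> poisoned(info);
    return (poisoned.bits() >> 48) == 0xffff;
}

int main()
{
    std::printf("round trip: %d, outside user space: %d\n",
        poisonRoundTrips(&kTestClassInfo), poisonedBitsAreOutsideUserSpace(&kTestClassInfo));
    return 0;
}
```

The point of the scheme is that a corrupted cell cannot simply be given a pointer to an attacker-controlled fake ClassInfo: whatever is written into the field is XORed with the key on every read, so without the key the attacker cannot choose where the unpoisoned value points, and a read path that forgets to unpoison sees a value that is never a valid user-space address. The same XOR is what JIT-emitted class checks would compare against, so the mitigation costs one extra operation per type check rather than a table lookup.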
3226
3227 2017-12-01  Brian Burg  <bburg@apple.com>
3228
3229         Web Inspector: move Inspector::Protocol::Array<T> to JSON namespace
3230         https://bugs.webkit.org/show_bug.cgi?id=173662
3231
3232         Reviewed by Joseph Pecoraro.
3233
3234         Adopt new type names. Fix protocol generator to use correct type names.
3235
3236         * inspector/ConsoleMessage.cpp:
3237         (Inspector::ConsoleMessage::addToFrontend):
3238         Improve namings and use 'auto' when the type is obvious and repeated.
3239
3240         * inspector/ContentSearchUtilities.cpp:
3241         (Inspector::ContentSearchUtilities::searchInTextByLines):
3242         * inspector/ContentSearchUtilities.h:
3243         * inspector/InjectedScript.cpp:
3244         (Inspector::InjectedScript::getProperties):
3245         (Inspector::InjectedScript::getDisplayableProperties):
3246         (Inspector::InjectedScript::getInternalProperties):
3247         (Inspector::InjectedScript::getCollectionEntries):
3248         (Inspector::InjectedScript::wrapCallFrames const):
3249         * inspector/InjectedScript.h:
3250         * inspector/InspectorProtocolTypes.h:
3251         (Inspector::Protocol::BindingTraits<JSON::ArrayOf<T>>::runtimeCast):
3252         (Inspector::Protocol::Array::Array): Deleted.
3253         (Inspector::Protocol::Array::openAccessors): Deleted.
3254         (Inspector::Protocol::Array::addItem): Deleted.
3255         (Inspector::Protocol::Array::create): Deleted.
3256         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast): Deleted.
3257         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType): Deleted.
3258         Move the implementation out of this file.
3259
3260         * inspector/ScriptCallStack.cpp:
3261         (Inspector::ScriptCallStack::buildInspectorArray const):
3262         * inspector/ScriptCallStack.h:
3263         * inspector/agents/InspectorAgent.cpp:
3264         (Inspector::InspectorAgent::activateExtraDomain):
3265         (Inspector::InspectorAgent::activateExtraDomains):
3266         * inspector/agents/InspectorAgent.h:
3267         * inspector/agents/InspectorConsoleAgent.cpp:
3268         (Inspector::InspectorConsoleAgent::getLoggingChannels):
3269         * inspector/agents/InspectorConsoleAgent.h:
3270         * inspector/agents/InspectorDebuggerAgent.cpp:
3271         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
3272         (Inspector::InspectorDebuggerAgent::searchInContent):
3273         (Inspector::InspectorDebuggerAgent::currentCallFrames):
3274         * inspector/agents/InspectorDebuggerAgent.h:
3275         * inspector/agents/InspectorRuntimeAgent.cpp:
3276         (Inspector::InspectorRuntimeAgent::getProperties):
3277         (Inspector::InspectorRuntimeAgent::getDisplayableProperties):
3278         (Inspector::InspectorRuntimeAgent::getCollectionEntries):
3279         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
3280         (Inspector::InspectorRuntimeAgent::getBasicBlocks):
3281         * inspector/agents/InspectorRuntimeAgent.h:
3282         * inspector/agents/InspectorScriptProfilerAgent.cpp:
3283         (Inspector::buildSamples):
3284         Use more 'auto' and rename a variable.
3285
3286         * inspector/scripts/codegen/cpp_generator.py:
3287         (CppGenerator.cpp_protocol_type_for_type):
3288         Adopt new type names. This exposed a latent bug where we should have been
3289         unwrapping an AliasedType prior to generating a C++ type for it. The aliased
3290         type may be an array, in which case we would have generated the wrong type.
3291
3292         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
3293         (_generate_typedefs_for_domain.JSON):
3294         (_generate_typedefs_for_domain.Inspector): Deleted.
3295         * inspector/scripts/codegen/objc_generator.py:
3296         (ObjCGenerator.protocol_type_for_type):
3297         (ObjCGenerator.objc_protocol_export_expression_for_variable):
3298         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
3299         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
3300         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
3301         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
3302         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
3303         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
3304         Rebaseline.
3305
3306         * runtime/TypeSet.cpp:
3307         (JSC::TypeSet::allStructureRepresentations const):
3308         (JSC::StructureShape::inspectorRepresentation):
3309         * runtime/TypeSet.h:
3310
3311 2017-12-01  Saam Barati  <sbarati@apple.com>
3312
3313         Having a bad time needs to handle ArrayClass indexing type as well
3314         https://bugs.webkit.org/show_bug.cgi?id=180274
3315         <rdar://problem/35667869>
3316
3317         Reviewed by Keith Miller and Mark Lam.
3318
3319         We need to make sure to transition ArrayClass to SlowPutArrayStorage as well.
3320         Otherwise, we'll end up with the wrong Structure, which will lead us to not
3321         adhere to the spec. The bug was that we were not considering ArrayClass inside 
3322         hasBrokenIndexing. This patch rewrites that function to automatically opt
3323         in non-empty indexing types as broken, instead of having to opt out all
3324         non-empty indexing types besides SlowPutArrayStorage.
3325
3326         * runtime/IndexingType.h:
3327         (JSC::hasSlowPutArrayStorage):
3328         (JSC::shouldUseSlowPut):
3329         * runtime/JSGlobalObject.cpp:
3330         * runtime/JSObject.cpp:
3331         (JSC::JSObject::switchToSlowPutArrayStorage):
3332
3333 2017-12-01  JF Bastien  <jfbastien@apple.com>
3334
3335         WebAssembly: stack trace improvement follow-ups
3336         https://bugs.webkit.org/show_bug.cgi?id=180273
3337
3338         Reviewed by Saam Barati.
3339
3340         * wasm/WasmIndexOrName.cpp:
3341         (JSC::Wasm::makeString):
3342         * wasm/WasmIndexOrName.h:
3343         (JSC::Wasm::IndexOrName::nameSection const):
3344         * wasm/WasmNameSection.h:
3345         (JSC::Wasm::NameSection::NameSection):
3346         (JSC::Wasm::NameSection::get):
3347
3348 2017-12-01  JF Bastien  <jfbastien@apple.com>
3349
3350         WebAssembly: restore cached stack limit after out-call
3351         https://bugs.webkit.org/show_bug.cgi?id=179106
3352         <rdar://problem/35337525>
3353
3354         Reviewed by Saam Barati.
3355
3356         We cache the stack limit on the Instance so that we can do fast
3357         stack checks where required. In regular usage the stack limit
3358         never changes because we always run on the same thread, but in
3359         rare cases an API user can totally migrate which thread (and
3360         therefore stack) is used for execution between WebAssembly
3361         traces. For that reason we set the cached stack limit to
3362         UINTPTR_MAX on the outgoing Instance when transitioning back into
3363         a different Instance. We usually restore the cached stack limit in
3364         Context::store, but this wasn't called on all code paths. We had a
3365         bug where an Instance calling into itself indirectly would
3366         therefore fail to restore its cached stack limit properly.
3367
3368         This patch therefore restores the cached stack limit after direct
3369         calls which could be to imports (both wasm->wasm and
3370         wasm->embedder). We have to do all of them because we have no way
3371         of knowing what imports will do (they're known at instantiation
3372         time, not compilation time, and different instances can have
3373         different imports). To make this efficient we also add a pointer
3374         to the canonical location of the stack limit (i.e. the extra
3375         indirection we're trying to save by caching the stack limit on the