c7e158df3b4ac3a8d8bd9f10696715a87702c50e
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>

        Unreviewed, rolling out r220299.

        This change caused LayoutTest inspector/dom-debugger/dom-breakpoints.html to fail.

        Reverted changeset:

        "Web Inspector: capture async stack trace when workers/main
        context posts a message"
        https://bugs.webkit.org/show_bug.cgi?id=167084
        http://trac.webkit.org/changeset/220299

2017-08-07  Brian Burg  <bburg@apple.com>

        Remove CANVAS_PATH compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175207

        Reviewed by Sam Weinig.

        * Configurations/FeatureDefines.xcconfig:

2017-08-07  Keith Miller  <keith_miller@apple.com>

        REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
        https://bugs.webkit.org/show_bug.cgi?id=175256

        Reviewed by Saam Barati.

        The check in createFromBytes just needed to check that the buffer was not null before
        calling isCaged.

        * runtime/ArrayBuffer.cpp:
        (JSC::ArrayBuffer::createFromBytes):

2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>

        [GTK][WPE] Add API to provide browser information required by automation
        https://bugs.webkit.org/show_bug.cgi?id=175130

        Reviewed by Brian Burg.

        Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
        get them.

        * inspector/remote/RemoteInspector.cpp:
        (Inspector::RemoteInspector::updateClientCapabilities): Also update browserName and browserVersion.
        * inspector/remote/RemoteInspector.h:
        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
        requested to ensure they are updated before the StartAutomationSession reply is sent.
        * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of
        the StartAutomationSession message.

2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>

        Promise resolve and reject function should have length = 1
        https://bugs.webkit.org/show_bug.cgi?id=175242

        Reviewed by Saam Barati.

        Previously we had a separate system for "length" and "name" for builtin functions.
        The builtin functions do not use the lazy reifying system. Instead, they have direct
        properties when instantiated. While the function created for properties (like
        Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
        these builtin functions are just created by JSFunction::create(). Since it does
        not set any values for "length", these functions do not have a "length" property.
        So, the resolve and reject functions passed to Promise's executor do not have a
        "length" property.

        This patch makes builtin functions use the standard lazy reifying system for "length".
        So, the "length" property of a builtin function just works as it does for normal
        functions.

        * runtime/JSFunction.cpp:
        (JSC::JSFunction::createBuiltinFunction):
        (JSC::JSFunction::getOwnPropertySlot):
        (JSC::JSFunction::getOwnNonIndexPropertyNames):
        (JSC::JSFunction::put):
        (JSC::JSFunction::deleteProperty):
        (JSC::JSFunction::defineOwnProperty):
        (JSC::JSFunction::reifyLazyPropertyIfNeeded):
        (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
        (JSC::JSFunction::reifyLazyLengthIfNeeded):
        (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
        (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
        * runtime/JSFunction.h:

2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - Implement Async Generator - parser
        https://bugs.webkit.org/show_bug.cgi?id=175210

        Reviewed by Yusuke Suzuki.

        The current implementation is a draft version of Async Iteration.
        Link to spec: https://tc39.github.io/proposal-async-iteration/

        The current patch implements only the parser part of the Async generator.
        The runtime part will be in the next patches.

        * parser/ASTBuilder.h:
        (JSC::ASTBuilder::createFunctionMetadata):
        * parser/Parser.cpp:
        (JSC::getAsynFunctionBodyParseMode):
        (JSC::Parser<LexerType>::parseInner):
        (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
        (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
        (JSC::stringArticleForFunctionMode):
        (JSC::stringForFunctionMode):
        (JSC::Parser<LexerType>::parseFunctionInfo):
        (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
        (JSC::Parser<LexerType>::parseClass):
        (JSC::Parser<LexerType>::parseProperty):
        (JSC::Parser<LexerType>::parsePropertyMethod):
        (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
        * parser/Parser.h:
        (JSC::Scope::setSourceParseMode):
        * parser/ParserModes.h:
        (JSC::isFunctionParseMode):
        (JSC::isAsyncFunctionParseMode):
        (JSC::isAsyncArrowFunctionParseMode):
        (JSC::isAsyncGeneratorFunctionParseMode):
        (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
        (JSC::isAsyncFunctionWrapperParseMode):
        (JSC::isAsyncFunctionBodyParseMode):
        (JSC::isGeneratorMethodParseMode):
        (JSC::isAsyncMethodParseMode):
        (JSC::isAsyncGeneratorMethodParseMode):
        (JSC::isMethodParseMode):
        (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
        (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):

2017-08-05  Filip Pizlo  <fpizlo@apple.com>

        REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
        https://bugs.webkit.org/show_bug.cgi?id=175083

        Reviewed by Oliver Hunt.

        This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
        even if we are using the pop path.

        Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
        important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
        the world just because we changed it.

        Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
        easier to debug leaks.

        * bytecode/AccessCase.cpp:
        * bytecode/PolymorphicAccess.cpp:
        * heap/HeapCell.cpp:
        (JSC::HeapCell::isLive):
        * heap/HeapCellInlines.h:
        (JSC::HeapCell::isLive): Deleted.
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        (JSC::MarkedAllocator::endMarking):
        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
        * jit/AssemblyHelpers.cpp:
        * jit/Repatch.cpp:
        * runtime/TestRunnerUtils.h:
        * runtime/VM.cpp:
        (JSC::waitForVMDestruction):
        (JSC::VM::~VM):

2017-08-05  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
        https://bugs.webkit.org/show_bug.cgi?id=175228
        <rdar://problem/33735737>

        Reviewed by Saam Barati.

        Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
        delete OSRExit32_64.cpp.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::compileExit):
        * dfg/DFGOSRExit32_64.cpp: Removed.
        * jit/GPRInfo.h:
        (JSC::JSValueSource::payloadGPR const):

2017-08-04  Youenn Fablet  <youenn@apple.com>

        [Cache API] Add Cache and CacheStorage IDL definitions
        https://bugs.webkit.org/show_bug.cgi?id=175201

        Reviewed by Brady Eidson.

        * runtime/CommonIdentifiers.h:

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
        https://bugs.webkit.org/show_bug.cgi?id=175230
        <rdar://problem/33735857>

        Reviewed by Saam Barati.

        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
        https://bugs.webkit.org/show_bug.cgi?id=175214
        <rdar://problem/33733308>

        Rubber-stamped by Michael Saboff.

        Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
        DFGOSRExitCompiler files.

        Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.

        Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
        used by compileOSRExit(), and will be changed to not be a DFG operation function
        when we use JIT probes for DFG OSR exits later in
        https://bugs.webkit.org/show_bug.cgi?id=175144.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * dfg/DFGJITCompiler.cpp:
        * dfg/DFGOSRExit.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
        * dfg/DFGOSRExitCompiler.cpp: Removed.
        * dfg/DFGOSRExitCompiler.h: Removed.
        * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
        * dfg/DFGOSRExitCompiler64.cpp: Removed.
        * dfg/DFGOperations.cpp:
        * dfg/DFGOperations.h:
        * dfg/DFGThunks.cpp:

2017-08-04  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-04  Mark Lam  <mark.lam@apple.com>

        Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
        https://bugs.webkit.org/show_bug.cgi?id=175208
        <rdar://problem/33732402>

        Reviewed by Saam Barati.

        This will minimize the code diff and make it easier to review the patch for
        https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
        steps:

        1. Do the code changes to move methods into OSRExit.
        2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
        3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.

        Splitting this refactoring into these 3 steps also makes it easier to review this
        patch and understand what is being changed.

        * dfg/DFGOSRExit.h:
        * dfg/DFGOSRExitCompiler.cpp:
        (JSC::DFG::OSRExit::emitRestoreArguments):
        (JSC::DFG::OSRExit::compileOSRExit):
        (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
        (): Deleted.
        * dfg/DFGOSRExitCompiler.h:
        (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
        (): Deleted.
        * dfg/DFGOSRExitCompiler32_64.cpp:
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
        * dfg/DFGOSRExitCompiler64.cpp:
        (JSC::DFG::OSRExit::compileExit):
        (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):

2017-08-04  Devin Rousso  <drousso@apple.com>

        Web Inspector: add source view for WebGL shader programs
        https://bugs.webkit.org/show_bug.cgi?id=138593
        <rdar://problem/18936194>

        Reviewed by Matt Baker.

        * inspector/protocol/Canvas.json:
         - Add `ShaderType` enum that contains "vertex" and "fragment".
         - Add `requestShaderSource` command that will return the original source code for a given
           shader program and shader type.

2017-08-03  Filip Pizlo  <fpizlo@apple.com>

        The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
        https://bugs.webkit.org/show_bug.cgi?id=175141

        Reviewed by Mark Lam.

        To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
        decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
        to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
        determined by the AlignedMemoryAllocator object.

        This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
        trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
        Subspaces that both use the same underlying allocator to realize that they can trade blocks with
        each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
        they use the same AlignedMemoryAllocator.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * heap/AlignedMemoryAllocator.cpp: Added.
        (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
        (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
        * heap/AlignedMemoryAllocator.h: Added.
        * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
        (JSC::FastMallocAlignedMemoryAllocator::singleton):
        (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
        (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
        (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::FastMallocAlignedMemoryAllocator::dump const):
        * heap/FastMallocAlignedMemoryAllocator.h: Added.
        * heap/GigacageAlignedMemoryAllocator.cpp: Added.
        (JSC::GigacageAlignedMemoryAllocator::singleton):
        (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
        (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
        (JSC::GigacageAlignedMemoryAllocator::dump const):
        * heap/GigacageAlignedMemoryAllocator.h: Added.
        * heap/GigacageSubspace.cpp: Removed.
        * heap/GigacageSubspace.h: Removed.
        * heap/LargeAllocation.cpp:
        (JSC::LargeAllocation::tryCreate):
        (JSC::LargeAllocation::destroy):
        * heap/MarkedAllocator.cpp:
        (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
        * heap/MarkedBlock.cpp:
        (JSC::MarkedBlock::tryCreate):
        (JSC::MarkedBlock::Handle::Handle):
        (JSC::MarkedBlock::Handle::~Handle):
        (JSC::MarkedBlock::Handle::didAddToAllocator):
        (JSC::MarkedBlock::Handle::subspace const):
        * heap/MarkedBlock.h:
        (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
        (JSC::MarkedBlock::Handle::subspace const): Deleted.
        * heap/Subspace.cpp:
        (JSC::Subspace::Subspace):
        (JSC::Subspace::findEmptyBlockToSteal):
        (JSC::Subspace::canTradeBlocksWith): Deleted.
        (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
        (JSC::Subspace::freeAlignedMemory): Deleted.
        * heap/Subspace.h:
        (JSC::Subspace::name const):
        (JSC::Subspace::alignedMemoryAllocator const):
        * runtime/JSDestructibleObjectSubspace.cpp:
        (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
        * runtime/JSDestructibleObjectSubspace.h:
        * runtime/JSSegmentedVariableObjectSubspace.cpp:
        (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
        * runtime/JSSegmentedVariableObjectSubspace.h:
        * runtime/JSStringSubspace.cpp:
        (JSC::JSStringSubspace::JSStringSubspace):
        * runtime/JSStringSubspace.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        * runtime/VM.h:
        * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
        (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
        * wasm/js/JSWebAssemblyCodeBlockSubspace.h:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [ESNext] Async iteration - update feature.json
        https://bugs.webkit.org/show_bug.cgi?id=175197

        Reviewed by Yusuke Suzuki.

        Update feature.json to add the status of Async Iteration.

        * features.json:

2017-08-04  Matt Lewis  <jlewis3@apple.com>

        Unreviewed, rolling out r220271.

        Rolling out due to Layout Test failing on iOS Simulator.

        Reverted changeset:

        "Remove STREAMS_API compilation guard"
        https://bugs.webkit.org/show_bug.cgi?id=175165
        http://trac.webkit.org/changeset/220271

2017-08-04  Youenn Fablet  <youenn@apple.com>

        Remove STREAMS_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175165

        Reviewed by Darin Adler.

        * Configurations/FeatureDefines.xcconfig:

2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>

        [EsNext] Async iteration - Add feature flag
        https://bugs.webkit.org/show_bug.cgi?id=166694

        Reviewed by Yusuke Suzuki.

        Add a feature flag to JSC to switch Async Iterator on/off.

        * runtime/Options.h:

2017-08-03  Brian Burg  <bburg@apple.com>

        Remove ENABLE(WEB_SOCKET) guards
        https://bugs.webkit.org/show_bug.cgi?id=167044

        Reviewed by Joseph Pecoraro.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Youenn Fablet  <youenn@apple.com>

        Remove FETCH_API compilation guard
        https://bugs.webkit.org/show_bug.cgi?id=175154

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

2017-08-03  Matt Baker  <mattbaker@apple.com>

        Web Inspector: Instrument WebGLProgram created/deleted
        https://bugs.webkit.org/show_bug.cgi?id=175059

        Reviewed by Devin Rousso.

        Extend the Canvas protocol with types/events for tracking WebGLPrograms.

        * inspector/protocol/Canvas.json:

2017-08-03  Brady Eidson  <beidson@apple.com>

        Add SW IDLs and stub out basic functionality.
        https://bugs.webkit.org/show_bug.cgi?id=175115

        Reviewed by Chris Dumez.

        * Configurations/FeatureDefines.xcconfig:

        * runtime/CommonIdentifiers.h:

2017-08-03  Mark Lam  <mark.lam@apple.com>

        Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
        https://bugs.webkit.org/show_bug.cgi?id=175142
        <rdar://problem/33704528>

        Reviewed by Filip Pizlo.

        The convention in the rest of JSC for such methods which return the address of
        a field is to name them "addressOf<field name>".  We'll rename
        ScratchBuffer::activeLengthPtr to be consistent with this convention.

        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGThunks.cpp:
        (JSC::DFG::osrExitGenerationThunkGenerator):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
        (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
        * ftl/FTLThunks.cpp:
        (JSC::FTL::genericGenerationThunkGenerator):
        * jit/AssemblyHelpers.cpp:
        (JSC::AssemblyHelpers::debugCall):
        * jit/ScratchRegisterAllocator.cpp:
        (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
        (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
        * runtime/VM.h:
        (JSC::ScratchBuffer::addressOfActiveLength):
        (JSC::ScratchBuffer::activeLengthPtr): Deleted.
        * wasm/WasmBinding.cpp:
        (JSC::Wasm::wasmToJs):

2017-08-02  Devin Rousso  <drousso@apple.com>

        Web Inspector: add stack trace information for each RecordingAction
        https://bugs.webkit.org/show_bug.cgi?id=174663

        Reviewed by Joseph Pecoraro.

        * inspector/ScriptCallFrame.h:
        Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
        with an existing value doesn't require a functor and can use existing code.

        * interpreter/StackVisitor.h:
        * interpreter/StackVisitor.cpp:
        (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.

2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>

        Merge WTFThreadData to Thread::current
        https://bugs.webkit.org/show_bug.cgi?id=174716

        Reviewed by Mark Lam.

        Use Thread::current() instead.

        * API/JSContext.mm:
        (+[JSContext currentContext]):
        (+[JSContext currentThis]):
        (+[JSContext currentCallee]):
        (+[JSContext currentArguments]):
        (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
        (-[JSContext endCallbackWithData:]):
        * heap/Heap.cpp:
        (JSC::Heap::requestCollection):
        * runtime/Completion.cpp:
        (JSC::checkSyntax):
        (JSC::checkModuleSyntax):
        (JSC::evaluate):
        (JSC::loadAndEvaluateModule):
        (JSC::loadModule):
        (JSC::linkAndEvaluateModule):
        (JSC::importModule):
        * runtime/Identifier.cpp:
        (JSC::Identifier::checkCurrentAtomicStringTable):
        * runtime/InitializeThreading.cpp:
        (JSC::initializeThreading):
        * runtime/JSLock.cpp:
        (JSC::JSLock::didAcquireLock):
        (JSC::JSLock::willReleaseLock):
        (JSC::JSLock::dropAllLocks):
        (JSC::JSLock::grabAllLocks):
        * runtime/JSLock.h:
        * runtime/VM.cpp:
        (JSC::VM::VM):
        (JSC::VM::updateStackLimits):
        (JSC::VM::committedStackByteCount):
        * runtime/VM.h:
        (JSC::VM::isSafeToRecurse const):
        * runtime/VMEntryScope.cpp:
        (JSC::VMEntryScope::VMEntryScope):
        * runtime/VMInlines.h:
        (JSC::VM::ensureStackCapacityFor):
        * yarr/YarrPattern.cpp:
        (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        LLInt should do pointer caging
        https://bugs.webkit.org/show_bug.cgi?id=175036

        Reviewed by Keith Miller.

        Implementing this in the LLInt was challenging because offlineasm did not previously know
        how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
        to be where the Gigacage is enabled right now.

        * llint/LLIntOfflineAsmConfig.h:
        * llint/LowLevelInterpreter64.asm:
        * offlineasm/ast.rb:
        * offlineasm/x86.rb:

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        Sweeping should only scribble when sweeping to free list
        https://bugs.webkit.org/show_bug.cgi?id=175105

        Reviewed by Saam Barati.

        I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
        can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
        zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
        didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
        path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
        when it doesn't matter anyway because we're building a free list.

        This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
        zap.

        * heap/MarkedBlockInlines.h:
        (JSC::MarkedBlock::Handle::specializedSweep):
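The entry above describes a memory-safety regression that is easy to model: a dead cell's header is zapped to 0 so later passes can recognise it as already destructed, and scribbling the cell with 0xbadbeef0 in SweepOnly mode destroys that signal. The block below is an added toy model written for this ChangeLog page, not JavaScriptCore's MarkedBlock code; the cell layout, the Block/SweepMode/destructRemaining names and the sample block contents are constructed assumptions. The `scribbleInSweepOnly` flag reproduces the regression so the two behaviours can be compared; `doubleDestructions` returns how many already-dead cells a later destructor pass would touch again (0 is the fixed behaviour).

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption (from the entry): dead cells are zapped with 0; the scribble
// pattern is 0xbadbeef0. Everything else here is a simplified model.
constexpr uintptr_t zapWord = 0;
constexpr uintptr_t scribbleWord = 0xbadbeef0;

enum class SweepMode { SweepOnly, SweepToFreeList };

struct Cell {
    uintptr_t header;  // zapWord once the cell has been destructed
    uintptr_t payload; // what a destructor would dereference
};

struct Block {
    std::vector<Cell> cells;
    std::vector<bool> marked;     // true == still live after marking
    std::vector<size_t> freeList; // cells handed back for reuse
};

// Destructs a cell at most once; a zapped header means "already dead".
// Returns 1 if a destructor ran, 0 if the cell was recognised as dead.
static unsigned destructCell(Cell& cell)
{
    if (cell.header == zapWord)
        return 0;
    cell.header = zapWord;
    return 1;
}

// Sweep: every unmarked cell is destructed and zapped. Scribbling is only
// legitimate when the cell goes onto a free list; `scribbleInSweepOnly`
// models the regression, where the bump path scribbled in SweepOnly as well.
static unsigned sweep(Block& block, SweepMode mode, bool scribbleInSweepOnly)
{
    unsigned destructed = 0;
    bool buildingFreeList = mode == SweepMode::SweepToFreeList;
    for (size_t i = 0; i < block.cells.size(); ++i) {
        if (block.marked[i])
            continue;
        Cell& cell = block.cells[i];
        destructed += destructCell(cell);
        if (buildingFreeList)
            block.freeList.push_back(i);
        if (buildingFreeList || scribbleInSweepOnly) {
            cell.header = scribbleWord;  // overwrites the zap word
            cell.payload = scribbleWord;
        }
    }
    return destructed;
}

// A later pass (e.g. tearing the block down) that destructs every cell not on
// the free list, trusting the zap word to skip cells that are already dead.
static unsigned destructRemaining(Block& block)
{
    std::vector<bool> onFreeList(block.cells.size(), false);
    for (size_t i : block.freeList)
        onFreeList[i] = true;
    unsigned calls = 0;
    for (size_t i = 0; i < block.cells.size(); ++i) {
        if (!onFreeList[i])
            calls += destructCell(block.cells[i]);
    }
    return calls;
}

// Constructed sample block: six cells, of which 1, 3 and 4 are dead.
static Block makeSampleBlock()
{
    Block block;
    for (size_t i = 0; i < 6; ++i)
        block.cells.push_back({ 0x1000 + i, 0x2000 + i });
    block.marked = { true, false, true, false, false, true };
    return block;
}

// Number of dead cells the second pass wrongly re-destructs (reads through a
// scribbled header). 0 == zap word preserved; >0 == the bot crash scenario.
unsigned doubleDestructions(SweepMode mode, bool scribbleInSweepOnly)
{
    Block block = makeSampleBlock();
    unsigned live = 0;
    for (bool m : block.marked)
        live += m ? 1 : 0;
    sweep(block, mode, scribbleInSweepOnly);
    unsigned secondPass = destructRemaining(block); // live cells + any un-zapped dead ones
    return secondPass - live;
}

int main()
{
    std::printf("SweepOnly, fixed:      %u\n", doubleDestructions(SweepMode::SweepOnly, false));
    std::printf("SweepOnly, regression: %u\n", doubleDestructions(SweepMode::SweepOnly, true));
    std::printf("SweepToFreeList:       %u\n", doubleDestructions(SweepMode::SweepToFreeList, false));
    return 0;
}
```

With the fixed behaviour every dead cell keeps its zap word through a SweepOnly sweep, so the later pass skips it; with the regression flag set, the three dead cells come back with 0xbadbeef0 in their header and get "destructed" a second time. In the free-list case the scribble is harmless because those cells are never revisited, which is the point the entry makes.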

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        All C++ accesses to JSObject::m_butterfly should do caging
        https://bugs.webkit.org/show_bug.cgi?id=175039

        Reviewed by Keith Miller.

        Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
        This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
        outside the gigacage.

        * runtime/JSArray.cpp:
        (JSC::JSArray::setLength):
        (JSC::JSArray::pop):
        (JSC::JSArray::push):
        (JSC::JSArray::shiftCountWithAnyIndexingType):
        (JSC::JSArray::unshiftCountWithAnyIndexingType):
        (JSC::JSArray::fillArgList):
        (JSC::JSArray::copyToArguments):
        * runtime/JSObject.cpp:
        (JSC::JSObject::heapSnapshot):
        (JSC::JSObject::createInitialIndexedStorage):
        (JSC::JSObject::createArrayStorage):
        (JSC::JSObject::convertUndecidedToInt32):
        (JSC::JSObject::convertUndecidedToDouble):
        (JSC::JSObject::convertUndecidedToContiguous):
        (JSC::JSObject::convertInt32ToDouble):
        (JSC::JSObject::convertInt32ToArrayStorage):
        (JSC::JSObject::convertDoubleToContiguous):
        (JSC::JSObject::convertDoubleToArrayStorage):
        (JSC::JSObject::convertContiguousToArrayStorage):
        (JSC::JSObject::defineOwnIndexedProperty):
        (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
        (JSC::JSObject::ensureLengthSlow):
        (JSC::JSObject::allocateMoreOutOfLineStorage):
        * runtime/JSObject.h:
        (JSC::JSObject::canGetIndexQuickly):
        (JSC::JSObject::getIndexQuickly):
        (JSC::JSObject::tryGetIndexQuickly const):
        (JSC::JSObject::canSetIndexQuickly):
        (JSC::JSObject::setIndexQuickly):
        (JSC::JSObject::initializeIndex):
        (JSC::JSObject::initializeIndexWithoutBarrier):
        (JSC::JSObject::butterfly const):
        (JSC::JSObject::butterfly):

2017-08-02  Filip Pizlo  <fpizlo@apple.com>

        We should be OK with the gigacage being disabled on gmalloc
        https://bugs.webkit.org/show_bug.cgi?id=175082

        Reviewed by Michael Saboff.

        * jsc.cpp:
        (jscmain):

2017-08-02  Saam Barati  <sbarati@apple.com>

        On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
        https://bugs.webkit.org/show_bug.cgi?id=175041
        <rdar://problem/33659370>

        Reviewed by Filip Pizlo.

        The testing I have done shows that this new function is a ~10%
        progression running JetStream on 1GB iOS devices. I've also tried
        this on a few > 1GB iOS devices, and the testing shows this is either neutral
        or a regression. Right now, we'll just enable this for <= 1GB devices
        since it's a win. In the future, we might want to either look into
        tweaking these parameters or coming up with a new function for > 1GB
        devices.

        * heap/Heap.cpp:
        * runtime/Options.h:

2017-08-01  Filip Pizlo  <fpizlo@apple.com>

        Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
        https://bugs.webkit.org/show_bug.cgi?id=174727

        Reviewed by Mark Lam.

        This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
        one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
        themselves. Basically, we do masking to ensure that the pointer points into the gigacage.

        This is neutral on JetStream.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * b3/B3InsertionSet.cpp:
        (JSC::B3::InsertionSet::execute):
        * dfg/DFGAbstractInterpreterInlines.h:
        (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
        * dfg/DFGArgumentsEliminationPhase.cpp:
        * dfg/DFGClobberize.cpp:
        (JSC::DFG::readsOverlap):
        * dfg/DFGClobberize.h:
        (JSC::DFG::clobberize):
        * dfg/DFGDoesGC.cpp:
        (JSC::DFG::doesGC):
        * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
        (JSC::DFG::performFixedButterflyAccessUncaging):
        * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGHeapLocation.cpp:
        (WTF::printInternal):
        * dfg/DFGHeapLocation.h:
        * dfg/DFGNodeType.h:
        * dfg/DFGPlan.cpp:
        (JSC::DFG::Plan::compileInThreadImpl):
        * dfg/DFGPredictionPropagationPhase.cpp:
        * dfg/DFGSafeToExecute.h:
        (JSC::DFG::safeToExecute):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compileGetButterfly):
        * dfg/DFGSpeculativeJIT32_64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGSpeculativeJIT64.cpp:
        (JSC::DFG::SpeculativeJIT::compile):
        * dfg/DFGTypeCheckHoistingPhase.cpp:
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
        (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
        * ftl/FTLCapabilities.cpp:
        (JSC::FTL::canCompile):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compileNode):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
        (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
        (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
        (JSC::FTL::DFG::LowerDFGToB3::caged):
        * heap/GigacageSubspace.cpp: Added.
        (JSC::GigacageSubspace::GigacageSubspace):
        (JSC::GigacageSubspace::~GigacageSubspace):
        (JSC::GigacageSubspace::tryAllocateAlignedMemory):
        (JSC::GigacageSubspace::freeAlignedMemory):
        (JSC::GigacageSubspace::canTradeBlocksWith):
        * heap/GigacageSubspace.h: Added.
        * heap/Heap.cpp:
        (JSC::Heap::Heap):
        (JSC::Heap::lastChanceToFinalize):
        (JSC::Heap::finalize):
        (JSC::Heap::sweepInFinalize):
        (JSC::Heap::updateAllocationLimits):
        (JSC::Heap::shouldDoFullCollection):
        (JSC::Heap::collectIfNecessaryOrDefer):
        (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
        (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
761         (JSC::Heap::sweepLargeAllocations): Deleted.
762         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
763         * heap/Heap.h:
764         * heap/LargeAllocation.cpp:
765         (JSC::LargeAllocation::tryCreate):
766         (JSC::LargeAllocation::destroy):
767         * heap/MarkedAllocator.cpp:
768         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
769         (JSC::MarkedAllocator::tryAllocateBlock):
770         * heap/MarkedBlock.cpp:
771         (JSC::MarkedBlock::tryCreate):
772         (JSC::MarkedBlock::Handle::Handle):
773         (JSC::MarkedBlock::Handle::~Handle):
774         (JSC::MarkedBlock::Handle::didAddToAllocator):
775         (JSC::MarkedBlock::Handle::subspace const): Deleted.
776         * heap/MarkedBlock.h:
777         (JSC::MarkedBlock::Handle::subspace const):
778         * heap/MarkedSpace.cpp:
779         (JSC::MarkedSpace::~MarkedSpace):
780         (JSC::MarkedSpace::freeMemory):
781         (JSC::MarkedSpace::prepareForAllocation):
782         (JSC::MarkedSpace::addMarkedAllocator):
783         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
784         * heap/MarkedSpace.h:
785         (JSC::MarkedSpace::firstAllocator const):
786         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
787         * heap/Subspace.cpp:
788         (JSC::Subspace::Subspace):
789         (JSC::Subspace::canTradeBlocksWith):
790         (JSC::Subspace::tryAllocateAlignedMemory):
791         (JSC::Subspace::freeAlignedMemory):
792         (JSC::Subspace::prepareForAllocation):
793         (JSC::Subspace::findEmptyBlockToSteal):
794         * heap/Subspace.h:
795         (JSC::Subspace::didCreateFirstAllocator):
796         * heap/SubspaceInlines.h:
797         (JSC::Subspace::forEachAllocator):
798         (JSC::Subspace::forEachMarkedBlock):
799         (JSC::Subspace::forEachNotEmptyMarkedBlock):
800         * jit/JITPropertyAccess.cpp:
801         (JSC::JIT::emitDoubleLoad):
802         (JSC::JIT::emitContiguousLoad):
803         (JSC::JIT::emitArrayStorageLoad):
804         (JSC::JIT::emitGenericContiguousPutByVal):
805         (JSC::JIT::emitArrayStoragePutByVal):
806         (JSC::JIT::emit_op_get_from_scope):
807         (JSC::JIT::emit_op_put_to_scope):
808         (JSC::JIT::emitIntTypedArrayGetByVal):
809         (JSC::JIT::emitFloatTypedArrayGetByVal):
810         (JSC::JIT::emitIntTypedArrayPutByVal):
811         (JSC::JIT::emitFloatTypedArrayPutByVal):
812         * jsc.cpp:
813         (fillBufferWithContentsOfFile):
814         (functionReadFile):
815         (gigacageDisabled):
816         (jscmain):
817         * llint/LowLevelInterpreter64.asm:
818         * runtime/ArrayBuffer.cpp:
819         (JSC::ArrayBufferContents::tryAllocate):
820         (JSC::ArrayBuffer::createAdopted):
821         (JSC::ArrayBuffer::createFromBytes):
822         (JSC::ArrayBuffer::tryCreate):
823         * runtime/IndexingHeader.h:
824         * runtime/InitializeThreading.cpp:
825         (JSC::initializeThreading):
826         * runtime/JSArrayBuffer.cpp:
827         * runtime/JSArrayBufferView.cpp:
828         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
829         (JSC::JSArrayBufferView::finalize):
830         * runtime/JSLock.cpp:
831         (JSC::JSLock::didAcquireLock):
832         * runtime/JSObject.h:
833         * runtime/Options.cpp:
834         (JSC::recomputeDependentOptions):
835         * runtime/Options.h:
836         * runtime/ScopedArgumentsTable.h:
837         * runtime/VM.cpp:
838         (JSC::VM::VM):
839         (JSC::VM::~VM):
840         (JSC::VM::gigacageDisabledCallback):
841         (JSC::VM::gigacageDisabled):
842         * runtime/VM.h:
843         (JSC::VM::fireGigacageEnabledIfNecessary):
844         (JSC::VM::gigacageEnabled):
845         * wasm/WasmB3IRGenerator.cpp:
846         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
847         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
848         * wasm/WasmCodeBlock.cpp:
849         (JSC::Wasm::CodeBlock::isSafeToRun):
850         * wasm/WasmMemory.cpp:
851         (JSC::Wasm::makeString):
852         (JSC::Wasm::Memory::create):
853         (JSC::Wasm::Memory::~Memory):
854         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
855         (JSC::Wasm::Memory::grow):
856         (JSC::Wasm::Memory::initializePreallocations): Deleted.
857         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
858         * wasm/WasmMemory.h:
859         * wasm/js/JSWebAssemblyInstance.cpp:
860         (JSC::JSWebAssemblyInstance::create):
861         * wasm/js/JSWebAssemblyMemory.cpp:
862         (JSC::JSWebAssemblyMemory::grow):
863         (JSC::JSWebAssemblyMemory::finishCreation):
864         * wasm/js/JSWebAssemblyMemory.h:
865         (JSC::JSWebAssemblyMemory::subspaceFor):
866
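The "masking" the entry mentions for FTL butterfly and typed array access can be illustrated in a few lines. The block below is an added example, not JSC's or bmalloc's code: the cage is a constructed 4 KiB aligned buffer standing in for the multi-GB gigacage, and the names Cage, cageAddress, caged and demonstrateCaging are this example's own.

```cpp
// Added illustration of pointer "caging" by masking. Not JSC/bmalloc code:
// the cage is a constructed 4 KiB aligned buffer standing in for a gigacage.
#include <cstddef>
#include <cstdint>

// A cage is a power-of-two-sized region whose base is aligned to its size,
// so the low bits of any address select an offset within the region.
struct Cage {
    uintptr_t base;
    uintptr_t size;
};

// Force an address into the cage: keep the offset bits, replace the rest with
// the cage base. Pointers already inside are unchanged; others are confined.
uintptr_t cageAddress(uintptr_t base, uintptr_t size, uintptr_t address)
{
    uintptr_t mask = size - 1;
    return base + (address & mask);
}

static void* caged(const Cage& cage, void* ptr)
{
    uintptr_t p = reinterpret_cast<uintptr_t>(ptr);
    return reinterpret_cast<void*>(cageAddress(cage.base, cage.size, p));
}

static bool inCage(const Cage& cage, void* ptr)
{
    uintptr_t p = reinterpret_cast<uintptr_t>(ptr);
    return p >= cage.base && p < cage.base + cage.size;
}

// Constructed stand-in cage: 4 KiB of storage aligned to 4 KiB.
constexpr std::size_t kCageSize = 4096;
struct alignas(kCageSize) CageMemory { unsigned char bytes[kCageSize]; };
static CageMemory cageMemory;

// Shows the two properties that matter for this kind of mitigation:
// 1. a pointer already inside the cage comes back unchanged, so correct code
//    pays only for the mask and add;
// 2. a pointer that escaped the cage (say, a corrupted butterfly pointer) is
//    forced back inside, so it cannot address arbitrary process memory.
// Masking is confinement, not a bounds check: the forged pointer still lands
// somewhere in the cage, so it limits reach rather than detecting corruption.
bool demonstrateCaging()
{
    Cage cage{reinterpret_cast<uintptr_t>(cageMemory.bytes), kCageSize};
    void* inside = cageMemory.bytes + 100;
    void* forged = reinterpret_cast<void*>(cage.base + 5 * cage.size + 100);
    bool unchanged = caged(cage, inside) == inside;
    bool confined = !inCage(cage, forged) && inCage(cage, caged(cage, forged));
    return unchanged && confined;
}
```

cageAddress is the pure arithmetic, so it can be checked against a hypothetical gigabyte-scale cage without allocating one; demonstrateCaging exercises the same arithmetic on real memory.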
867 2017-07-31  Mark Lam  <mark.lam@apple.com>
868
869         Added some UNLIKELYs to operationOptimize().
870         https://bugs.webkit.org/show_bug.cgi?id=174976
871
872         Reviewed by JF Bastien.
873
874         * jit/JITOperations.cpp:
875
876 2017-07-31  Keith Miller  <keith_miller@apple.com>
877
878         Make more things LLInt constexprs
879         https://bugs.webkit.org/show_bug.cgi?id=174994
880
881         Reviewed by Saam Barati.
882
883         This patch makes more of the const values in the LLInt constexprs.
884         It also deletes all of the no longer necessary static_asserts in
885         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
886
887         * interpreter/ShadowChicken.h:
888         (JSC::ShadowChicken::Packet::tailMarker):
889         * llint/LLIntData.cpp:
890         (JSC::LLInt::Data::performAssertions):
891         * llint/LowLevelInterpreter.asm:
892         * offlineasm/generate_offset_extractor.rb:
893         * offlineasm/parser.rb:
894
895 2017-07-31  Matt Lewis  <jlewis3@apple.com>
896
897         Unreviewed, rolling out r220060.
898
899         This broke our internal builds. Contact reviewer of patch for
900         more information.
901
902         Reverted changeset:
903
904         "Merge WTFThreadData to Thread::current"
905         https://bugs.webkit.org/show_bug.cgi?id=174716
906         http://trac.webkit.org/changeset/220060
907
908 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
909
910         [JSC] Support optional catch binding
911         https://bugs.webkit.org/show_bug.cgi?id=174981
912
913         Reviewed by Saam Barati.
914
915         This patch implements the optional catch binding proposal [1], which is now stage 3.
916         This proposal adds a new `catch` brace with no error value binding.
917
918             ```
919                 try {
920                     ...
921                 } catch {
922                     ...
923                 }
924             ```
925
926         Sometimes we do not actually need the error value. For example, a function may return a
927         boolean which indicates whether it succeeded.
928
929             ```
930             function parse(result) // -> bool
931             {
932                  try {
933                      parseInner(result);
934                  } catch {
935                      return false;
936                  }
937                  return true;
938             }
939             ```
940
941         In the above case, we are not interested in the actual error value. Without this syntax,
942         we always need to introduce a binding for an error value that is just ignored.
943
944         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
945
946         * bytecompiler/NodesCodegen.cpp:
947         (JSC::TryNode::emitBytecode):
948         * parser/Parser.cpp:
949         (JSC::Parser<LexerType>::parseTryStatement):
950
951 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
952
953         Merge WTFThreadData to Thread::current
954         https://bugs.webkit.org/show_bug.cgi?id=174716
955
956         Reviewed by Sam Weinig.
957
958         Use Thread::current() instead.
959
960         * API/JSContext.mm:
961         (+[JSContext currentContext]):
962         (+[JSContext currentThis]):
963         (+[JSContext currentCallee]):
964         (+[JSContext currentArguments]):
965         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
966         (-[JSContext endCallbackWithData:]):
967         * heap/Heap.cpp:
968         (JSC::Heap::requestCollection):
969         * runtime/Completion.cpp:
970         (JSC::checkSyntax):
971         (JSC::checkModuleSyntax):
972         (JSC::evaluate):
973         (JSC::loadAndEvaluateModule):
974         (JSC::loadModule):
975         (JSC::linkAndEvaluateModule):
976         (JSC::importModule):
977         * runtime/Identifier.cpp:
978         (JSC::Identifier::checkCurrentAtomicStringTable):
979         * runtime/InitializeThreading.cpp:
980         (JSC::initializeThreading):
981         * runtime/JSLock.cpp:
982         (JSC::JSLock::didAcquireLock):
983         (JSC::JSLock::willReleaseLock):
984         (JSC::JSLock::dropAllLocks):
985         (JSC::JSLock::grabAllLocks):
986         * runtime/JSLock.h:
987         * runtime/VM.cpp:
988         (JSC::VM::VM):
989         (JSC::VM::updateStackLimits):
990         (JSC::VM::committedStackByteCount):
991         * runtime/VM.h:
992         (JSC::VM::isSafeToRecurse const):
993         * runtime/VMEntryScope.cpp:
994         (JSC::VMEntryScope::VMEntryScope):
995         * runtime/VMInlines.h:
996         (JSC::VM::ensureStackCapacityFor):
997         * yarr/YarrPattern.cpp:
998         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
999
1000 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1001
1002         [WTF] Introduce Private Symbols
1003         https://bugs.webkit.org/show_bug.cgi?id=174935
1004
1005         Reviewed by Darin Adler.
1006
1007         Use SymbolImpl::isPrivate().
1008
1009         * builtins/BuiltinNames.cpp:
1010         * builtins/BuiltinNames.h:
1011         (JSC::BuiltinNames::isPrivateName): Deleted.
1012         * builtins/BuiltinUtils.h:
1013         * bytecode/BytecodeIntrinsicRegistry.cpp:
1014         (JSC::BytecodeIntrinsicRegistry::lookup):
1015         * runtime/CommonIdentifiers.cpp:
1016         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1017         * runtime/CommonIdentifiers.h:
1018         * runtime/ExceptionHelpers.cpp:
1019         (JSC::createUndefinedVariableError):
1020         * runtime/Identifier.h:
1021         (JSC::Identifier::isPrivateName):
1022         * runtime/IdentifierInlines.h:
1023         (JSC::identifierToSafePublicJSValue):
1024         * runtime/ObjectConstructor.cpp:
1025         (JSC::objectConstructorAssign):
1026         (JSC::defineProperties):
1027         (JSC::setIntegrityLevel):
1028         (JSC::testIntegrityLevel):
1029         (JSC::ownPropertyKeys):
1030         * runtime/PrivateName.h:
1031         (JSC::PrivateName::PrivateName):
1032         * runtime/PropertyName.h:
1033         (JSC::PropertyName::isPrivateName):
1034         * runtime/ProxyObject.cpp:
1035         (JSC::performProxyGet):
1036         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1037         (JSC::ProxyObject::performHasProperty):
1038         (JSC::ProxyObject::performPut):
1039         (JSC::ProxyObject::performDelete):
1040         (JSC::ProxyObject::performDefineOwnProperty):
1041
1042 2017-07-29  Keith Miller  <keith_miller@apple.com>
1043
1044         LLInt offsets extractor should be able to handle C++ constexprs
1045         https://bugs.webkit.org/show_bug.cgi?id=174964
1046
1047         Reviewed by Saam Barati.
1048
1049         This patch adds new syntax to the offline asm language. The new keyword,
1050         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1051         expression. Additionally, if the value is not an identifier you can wrap it in
1052         parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1053         which will get converted into:
1054         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1055
1056         This patch also changes the data format the LLIntOffsetsExtractor
1057         binary produces.  Previously, it would produce unsigned values;
1058         after this patch every value is an int64_t.  Using an int64_t is
1059         useful because it means that we can represent any constant needed.
1060         int32_t masks are sign extended, then passed to the assembler and
1061         converted into a negative literal string, so the result will be the
1062         constant expected.
1063
1064         * llint/LLIntOffsetsExtractor.cpp:
1065         (JSC::LLIntOffsetsExtractor::dummy):
1066         * llint/LowLevelInterpreter.asm:
1067         * llint/LowLevelInterpreter64.asm:
1068         * offlineasm/asm.rb:
1069         * offlineasm/ast.rb:
1070         * offlineasm/generate_offset_extractor.rb:
1071         * offlineasm/offsets.rb:
1072         * offlineasm/parser.rb:
1073         * offlineasm/transform.rb:
1074
1075 2017-07-28  Matt Baker  <mattbaker@apple.com>
1076
1077         Web Inspector: capture an async stack trace when web content calls addEventListener
1078         https://bugs.webkit.org/show_bug.cgi?id=174739
1079         <rdar://problem/33468197>
1080
1081         Reviewed by Brian Burg.
1082
1083         Allow debugger agents to perform custom logic when asynchronous stack
1084         trace data is cleared. For example, the PageDebuggerAgent would clear
1085         its list of registered listeners for which call stacks have been recorded.
1086
1087         * inspector/agents/InspectorDebuggerAgent.cpp:
1088         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1089         * inspector/agents/InspectorDebuggerAgent.h:
1090
1091 2017-07-28  Mark Lam  <mark.lam@apple.com>
1092
1093         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
1094         https://bugs.webkit.org/show_bug.cgi?id=174948
1095         <rdar://problem/33495680>
1096
1097         Reviewed by Filip Pizlo.
1098
1099         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
1100         owner StructureRareData is already known to be dead (in terms of GC liveness) but
1101         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
1102         requests to fire this watchpoint.
1103
1104         If the GC had the chance to sweep the StructureRareData, thereby destructing the
1105         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
1106         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
1107
1108         But since the watchpoint hasn't been destructed yet, it still remains on the
1109         WatchpointSet and needs to guard against being fired in this state.  The fix is
1110         to simply return early if its owner StructureRareData is not live.  This has the
1111         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
1112         not firing as we would expect.
1113
1114         This patch also removes some cargo cult copying of watchpoint code which
1115         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
1116         used.  This patch removes these unnecessary instantiations.
1117
1118         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1119         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1120         * runtime/StructureRareData.cpp:
1121         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1122         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1123
1124 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1125
1126         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
1127         https://bugs.webkit.org/show_bug.cgi?id=174900
1128
1129         Reviewed by Saam Barati.
1130
1131         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
1132         Instead, we use ForceOSRExit etc. (pseudo terminals) to avoid looking into unreachable nodes.
1133         The problem is that even the transforming phase checks these pseudo terminals.
1134
1135             BB1
1136             1: ForceOSRExit
1137             2: CreateDirectArguments
1138
1139             BB2
1140             3: GetButterfly(@2)
1141             4: ForceOSRExit
1142
1143         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
1144
1145         In this patch, we do not list candidates after seeing pseudo terminals in basic blocks.
1146
1147         * dfg/DFGArgumentsEliminationPhase.cpp:
1148
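The BB1/BB2 case above can be replayed with a small model of the two passes. This is an added example, not JSC's DFGArgumentsEliminationPhase: the Op enum, Node, collectCandidates, runTransform and assertionHolds are constructed for illustration, and the graph is the entry's BB1/BB2.

```cpp
// Added model of the candidate scan and transform described above.
// Not JSC code: opcodes and node layout are simplified.
#include <set>
#include <vector>

enum class Op { ForceOSRExit, CreateDirectArguments, GetButterfly, PhantomDirectArguments };

struct Node {
    int id;
    Op op;
    int child; // id of the node a GetButterfly reads from, or -1
};

using Block = std::vector<Node>;

// ForceOSRExit is a "pseudo terminal": nothing after it in the block runs.
static bool isPseudoTerminal(Op op) { return op == Op::ForceOSRExit; }

// Candidate collection. With stopAtPseudoTerminal == false this is the pre-fix
// behaviour: the scan walks past @1 ForceOSRExit and lists @2 as a candidate.
static std::set<int> collectCandidates(const std::vector<Block>& blocks, bool stopAtPseudoTerminal)
{
    std::set<int> candidates;
    for (const Block& block : blocks) {
        for (const Node& node : block) {
            if (stopAtPseudoTerminal && isPseudoTerminal(node.op))
                break;
            if (node.op == Op::CreateDirectArguments)
                candidates.insert(node.id);
        }
    }
    return candidates;
}

// Transform phase: it always respects pseudo terminals. It converts reachable
// candidates to PhantomDirectArguments and, for every GetButterfly it reaches,
// checks the assertion from the bug title: a candidate child must already be a
// Phantom. Returns false where that assertion would fire.
static bool runTransform(std::vector<Block> blocks, const std::set<int>& candidates)
{
    std::set<int> converted;
    for (Block& block : blocks) {
        for (Node& node : block) {
            if (isPseudoTerminal(node.op))
                break; // unreachable tail skipped, so @2 is never converted
            if (node.op == Op::CreateDirectArguments && candidates.count(node.id)) {
                node.op = Op::PhantomDirectArguments;
                converted.insert(node.id);
            }
            if (node.op == Op::GetButterfly && candidates.count(node.child) && !converted.count(node.child))
                return false; // ASSERTION FAILED: candidate->op() == Phantom...
        }
    }
    return true;
}

// Constructed graph from the entry:
//   BB1: @1 ForceOSRExit, @2 CreateDirectArguments
//   BB2: @3 GetButterfly(@2), @4 ForceOSRExit
static std::vector<Block> exampleGraph()
{
    return {
        { {1, Op::ForceOSRExit, -1}, {2, Op::CreateDirectArguments, -1} },
        { {3, Op::GetButterfly, 2}, {4, Op::ForceOSRExit, -1} },
    };
}

// withFix == false reproduces the assertion failure; withFix == true shows the
// patched candidate scan leaving @2 out, so @3 has nothing to assert on.
bool assertionHolds(bool withFix)
{
    std::vector<Block> graph = exampleGraph();
    return runTransform(graph, collectCandidates(graph, withFix));
}
```

The mismatch comes from two passes agreeing on reachability differently; making the candidate scan respect the same pseudo terminals as the transform removes it.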
1149 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
1150
1151         [ES] Add support finally to Promise
1152         https://bugs.webkit.org/show_bug.cgi?id=174503
1153
1154         Reviewed by Yusuke Suzuki.
1155
1156         Add support for the `finally` method to Promise according
1157         to https://bugs.webkit.org/show_bug.cgi?id=174503.
1158         The current spec is at stage 3:
1159         https://github.com/tc39/proposal-promise-finally
1160
1161         * builtins/PromisePrototype.js:
1162         (finally):
1163         (const.valueThunk):
1164         (globalPrivate.getThenFinally):
1165         (const.thrower):
1166         (globalPrivate.getCatchFinally):
1167         * runtime/JSPromisePrototype.cpp:
1168
1169 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1170
1171         Unreviewed, build fix for CLoop
1172         https://bugs.webkit.org/show_bug.cgi?id=171637
1173
1174         * domjit/DOMJITGetterSetter.h:
1175
1176 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1177
1178         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
1179         https://bugs.webkit.org/show_bug.cgi?id=171637
1180
1181         Reviewed by Darin Adler.
1182
1183         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
1184         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
1185
1186         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
1187         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
1188
1189         In IC, we drop CheckSubClass completely since the IC's Structure check subsumes it. We do not enable this optimization for
1190         the op_get_by_id_with_this case yet.
1191         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
1192
1193         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
1194         ClassInfo check.
1195
1196         * CMakeLists.txt:
1197         * JavaScriptCore.xcodeproj/project.pbxproj:
1198         * bytecode/AccessCase.cpp:
1199         (JSC::AccessCase::generateImpl):
1200         * bytecode/GetByIdStatus.cpp:
1201         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1202         * bytecode/GetByIdVariant.cpp:
1203         (JSC::GetByIdVariant::GetByIdVariant):
1204         (JSC::GetByIdVariant::operator=):
1205         (JSC::GetByIdVariant::attemptToMerge):
1206         (JSC::GetByIdVariant::dumpInContext):
1207         * bytecode/GetByIdVariant.h:
1208         (JSC::GetByIdVariant::customAccessorGetter):
1209         (JSC::GetByIdVariant::domAttribute):
1210         (JSC::GetByIdVariant::domJIT): Deleted.
1211         * bytecode/GetterSetterAccessCase.cpp:
1212         (JSC::GetterSetterAccessCase::create):
1213         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1214         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1215         * bytecode/GetterSetterAccessCase.h:
1216         (JSC::GetterSetterAccessCase::domAttribute):
1217         (JSC::GetterSetterAccessCase::customAccessor):
1218         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1219         * bytecompiler/BytecodeGenerator.cpp:
1220         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1221         * create_hash_table:
1222         * dfg/DFGAbstractInterpreterInlines.h:
1223         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1224         * dfg/DFGByteCodeParser.cpp:
1225         (JSC::DFG::blessCallDOMGetter):
1226         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1227         (JSC::DFG::ByteCodeParser::handleGetById):
1228         * dfg/DFGClobberize.h:
1229         (JSC::DFG::clobberize):
1230         * dfg/DFGFixupPhase.cpp:
1231         (JSC::DFG::FixupPhase::fixupNode):
1232         * dfg/DFGNode.h:
1233         * dfg/DFGSpeculativeJIT.cpp:
1234         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1235         * dfg/DFGSpeculativeJIT.h:
1236         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1237         * domjit/DOMJITGetterSetter.h:
1238         (JSC::DOMJIT::GetterSetter::GetterSetter):
1239         (JSC::DOMJIT::GetterSetter::getter):
1240         (JSC::DOMJIT::GetterSetter::compiler):
1241         (JSC::DOMJIT::GetterSetter::resultType):
1242         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1243         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1244         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1245         * ftl/FTLLowerDFGToB3.cpp:
1246         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1247         * jit/Repatch.cpp:
1248         (JSC::tryCacheGetByID):
1249         * jsc.cpp:
1250         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1251         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1252         (WTF::DOMJITGetter::customGetter):
1253         (WTF::DOMJITGetter::finishCreation):
1254         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1255         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1256         (WTF::DOMJITGetterComplex::customGetter):
1257         (WTF::DOMJITGetterComplex::finishCreation):
1258         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1259         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1260         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1261         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1262         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1263         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1264         * runtime/CustomGetterSetter.h:
1265         (JSC::CustomGetterSetter::create):
1266         (JSC::CustomGetterSetter::setter):
1267         (JSC::CustomGetterSetter::CustomGetterSetter):
1268         (): Deleted.
1269         * runtime/DOMAnnotation.h: Added.
1270         (JSC::operator==):
1271         (JSC::operator!=):
1272         * runtime/DOMAttributeGetterSetter.cpp: Added.
1273         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1274         (JSC::isDOMAttributeGetterSetter):
1275         * runtime/Error.cpp:
1276         (JSC::throwDOMAttributeGetterTypeError):
1277         * runtime/Error.h:
1278         (JSC::throwVMDOMAttributeGetterTypeError):
1279         * runtime/JSCustomGetterSetterFunction.cpp:
1280         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1281         * runtime/JSObject.cpp:
1282         (JSC::JSObject::putInlineSlow):
1283         (JSC::JSObject::deleteProperty):
1284         (JSC::JSObject::getOwnStaticPropertySlot):
1285         (JSC::JSObject::reifyAllStaticProperties):
1286         (JSC::JSObject::fillGetterPropertySlot):
1287         (JSC::JSObject::findPropertyHashEntry): Deleted.
1288         * runtime/JSObject.h:
1289         (JSC::JSObject::getOwnNonIndexPropertySlot):
1290         (JSC::JSObject::fillCustomGetterPropertySlot):
1291         * runtime/Lookup.cpp:
1292         (JSC::setUpStaticFunctionSlot):
1293         * runtime/Lookup.h:
1294         (JSC::HashTableValue::domJIT):
1295         (JSC::getStaticPropertySlotFromTable):
1296         (JSC::putEntry):
1297         (JSC::lookupPut):
1298         (JSC::reifyStaticProperty):
1299         (JSC::reifyStaticProperties):
1300         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
1301         this static property table require.
1302
1303         * runtime/ProgramExecutable.cpp:
1304         (JSC::ProgramExecutable::initializeGlobalProperties):
1305         * runtime/PropertyName.h:
1306         * runtime/PropertySlot.cpp:
1307         (JSC::PropertySlot::customGetter):
1308         (JSC::PropertySlot::customAccessorGetter):
1309         * runtime/PropertySlot.h:
1310         (JSC::PropertySlot::domAttribute):
1311         (JSC::PropertySlot::setCustom):
1312         (JSC::PropertySlot::setCacheableCustom):
1313         (JSC::PropertySlot::getValue):
1314         (JSC::PropertySlot::domJIT): Deleted.
1315         * runtime/VM.cpp:
1316         (JSC::VM::VM):
1317         * runtime/VM.h:
1318
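The centralised ClassInfo check this entry describes is easy to model. The block below is an added example and not JSC's or WebCore's code: the names ClassInfo, DOMAnnotation, DOMAttributeGetterSetter and isSubClassOf follow the entry, while JSObject's layout, CustomGetter, callDOMAttributeGetter, GetResult and the Node/Element/Foo hierarchy are constructed for illustration.

```cpp
// Added model of the shared ClassInfo check for DOM attribute getters.
// Not JSC/WebCore code: types are simplified, the hierarchy is constructed.

struct ClassInfo {
    const char* className;
    const ClassInfo* parentClass;

    // Walk the parent chain, as a CheckSubClass must accept subclasses.
    bool isSubClassOf(const ClassInfo* other) const
    {
        for (const ClassInfo* c = this; c; c = c->parentClass) {
            if (c == other)
                return true;
        }
        return false;
    }
};

struct JSObject {
    const ClassInfo* classInfo;
    int value;
};

using CustomGetter = int (*)(const JSObject&);

// Mirrors the entry's DOMAnnotation: the ClassInfo the getter requires.
// (The DOMJIT::GetterSetter* part is omitted here.)
struct DOMAnnotation {
    const ClassInfo* classInfo;
};

struct DOMAttributeGetterSetter {
    CustomGetter getter;
    DOMAnnotation domAttribute;
};

enum class GetResult { Ok, TypeError };

// The shared prologue: refuse to run the native getter on a receiver of the
// wrong class. Before this change every generated getter repeated this check;
// doing it once here means an attribute cannot be wired up without it, which
// is what stops a native getter from reading fields of an unrelated object.
GetResult callDOMAttributeGetter(const DOMAttributeGetterSetter& attr, const JSObject& thisObject, int& out)
{
    if (!thisObject.classInfo->isSubClassOf(attr.domAttribute.classInfo))
        return GetResult::TypeError; // throwDOMAttributeGetterTypeError in the entry
    out = attr.getter(thisObject);
    return GetResult::Ok;
}

// Constructed hierarchy: Node -> Element, plus an unrelated Foo.
static const ClassInfo nodeInfo{"Node", nullptr};
static const ClassInfo elementInfo{"Element", &nodeInfo};
static const ClassInfo fooInfo{"Foo", nullptr};

static int nodeTypeGetter(const JSObject& o) { return o.value; }

// An attribute declared on Node: an Element receiver passes, a Foo does not.
static const DOMAttributeGetterSetter nodeTypeAttribute{nodeTypeGetter, {&nodeInfo}};

bool elementReceiverPasses()
{
    JSObject element{&elementInfo, 1};
    int out = 0;
    return callDOMAttributeGetter(nodeTypeAttribute, element, out) == GetResult::Ok && out == 1;
}

bool fooReceiverIsRejected()
{
    JSObject foo{&fooInfo, 9};
    int out = 0;
    return callDOMAttributeGetter(nodeTypeAttribute, foo, out) == GetResult::TypeError && out == 0;
}
```

The getter body never sees a receiver of the wrong class, so the type check cannot be forgotten in one of the many generated getters.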
1319 2017-07-26  Devin Rousso  <drousso@apple.com>
1320
1321         Web Inspector: create protocol for recording Canvas contexts
1322         https://bugs.webkit.org/show_bug.cgi?id=174481
1323
1324         Reviewed by Joseph Pecoraro.
1325
1326         * inspector/protocol/Canvas.json:
1327          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1328          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1329          - Add `recordingFinished` event that is fired once a recording is finished.
1330
1331         * CMakeLists.txt:
1332         * DerivedSources.make:
1333         * inspector/protocol/Recording.json: Added.
1334          - Add `Type` enum that lists the types of recordings
1335          - Add `InitialState` type that contains information about the canvas context at the
1336            beginning of the recording.
1337          - Add `Frame` type that holds a list of actions that were recorded.
1338          - Add `Recording` type as the container object of recording data.
1339
1340         * inspector/scripts/codegen/generate_js_backend_commands.py:
1341         (JSBackendCommandsGenerator.generate_domain):
1342         Create an agent for domains with no events or commands.
1343
1344         * inspector/InspectorValues.h:
1345         Make Array `get` public so that values can be retrieved if needed.
1346
1347 2017-07-26  Brian Burg  <bburg@apple.com>
1348
1349         Remove WEB_TIMING feature flag
1350         https://bugs.webkit.org/show_bug.cgi?id=174795
1351
1352         Reviewed by Alex Christensen.
1353
1354         * Configurations/FeatureDefines.xcconfig:
1355
1356 2017-07-26  Mark Lam  <mark.lam@apple.com>
1357
1358         Add the ability to change sp and pc to the ARM64 JIT probe.
1359         https://bugs.webkit.org/show_bug.cgi?id=174697
1360         <rdar://problem/33436965>
1361
1362         Reviewed by JF Bastien.
1363
1364         This patch implements the following:
1365
1366         1. The ARM64 probe now supports modifying the pc and sp.
1367
1368            However, lr is not preserved when modifying the pc because it is used as the
1369            scratch register for the indirect jump. Hence, the probe handler function
1370            may not modify both lr and pc in the same probe invocation.
1371
1372         2. Fix probe tests to use bitwise comparison when comparing double register
1373            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1374
1375         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1376            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1377            instructions which require 16 byte alignment for their memory access.
1378
1379         * assembler/MacroAssemblerARM64.cpp:
1380         (JSC::arm64ProbeError):
1381         (JSC::MacroAssembler::probe):
1382         (JSC::arm64ProbeTrampoline): Deleted.
1383         * assembler/testmasm.cpp:
1384         (JSC::isSpecialGPR):
1385         (JSC::testProbeReadsArgumentRegisters):
1386         (JSC::testProbeWritesArgumentRegisters):
1387         (JSC::testProbePreservesGPRS):
1388         (JSC::testProbeModifiesStackPointer):
1389         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1390         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1391
1392 2017-07-25  JF Bastien  <jfbastien@apple.com>
1393
1394         WebAssembly: generate smaller binaries
1395         https://bugs.webkit.org/show_bug.cgi?id=174818
1396
1397         Reviewed by Filip Pizlo.
1398
1399         This patch reduces generated code size for WebAssembly in 2 ways:
1400
1401         1. Use the ZR register when storing zero on ARM64.
1402         2. Synthesize wasm context lazily.
1403
1404         This leads to a modest size reduction on both x86-64 and ARM64 for
1405         large WebAssembly games, without any performance loss on WasmBench
1406         and TitzerBench.
1407
1408         The reason this works is that these games, using Emscripten,
1409         generate 100k+ tiny functions, and our JIT allocation granule
1410         rounds all allocations up to 32 bytes. There are plenty of other
1411         simple gains to be had; I've filed a follow-up bug at
1412         webkit.org/b/174819
1413
1414         We should further avoid the per-function cost of tiering, which
1415         represents the bulk of code generated for small functions.
1416
1417         * assembler/MacroAssemblerARM64.h:
1418         (JSC::MacroAssemblerARM64::storeZero64):
1419         * assembler/MacroAssemblerX86_64.h:
1420         (JSC::MacroAssemblerX86_64::storeZero64):
1421         * b3/B3LowerToAir.cpp:
1422         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1423         for x86 because it constrains register reuse and codegen in a way
1424         that doesn't affect ARM64 because it has a dedicated zero
1425         register.
1426         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1427         * wasm/WasmB3IRGenerator.cpp:
1428         (JSC::Wasm::B3IRGenerator::instanceValue):
1429         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1430         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1431         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1432
1433 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1434
1435         B3 should do LICM
1436         https://bugs.webkit.org/show_bug.cgi?id=174750
1437
1438         Reviewed by Keith Miller and Saam Barati.
1439         
1440         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1441         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1442         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1443         change templatizes DFG::NaturalLoops so that we can just use it.
1444         
1445         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1446         the relationship between control dependence and side exits.
1447         
1448         Also added a bunch of tests.
1449         
1450         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1451         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1452         so it doesn't hurt to have it.
1453         
1454         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1455         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1456         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1457         eventually.
1458
1459         * CMakeLists.txt:
1460         * JavaScriptCore.xcodeproj/project.pbxproj:
1461         * b3/B3BackwardsCFG.h: Added.
1462         (JSC::B3::BackwardsCFG::BackwardsCFG):
1463         * b3/B3BackwardsDominators.h: Added.
1464         (JSC::B3::BackwardsDominators::BackwardsDominators):
1465         * b3/B3BasicBlock.cpp:
1466         (JSC::B3::BasicBlock::appendNonTerminal):
1467         * b3/B3Effects.h:
1468         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1469         (JSC::B3::ensureLoopPreHeaders):
1470         * b3/B3EnsureLoopPreHeaders.h: Added.
1471         * b3/B3Generate.cpp:
1472         (JSC::B3::generateToAir):
1473         * b3/B3HoistLoopInvariantValues.cpp: Added.
1474         (JSC::B3::hoistLoopInvariantValues):
1475         * b3/B3HoistLoopInvariantValues.h: Added.
1476         * b3/B3NaturalLoops.h: Added.
1477         (JSC::B3::NaturalLoops::NaturalLoops):
1478         * b3/B3Procedure.cpp:
1479         (JSC::B3::Procedure::invalidateCFG):
1480         (JSC::B3::Procedure::naturalLoops):
1481         (JSC::B3::Procedure::backwardsCFG):
1482         (JSC::B3::Procedure::backwardsDominators):
1483         * b3/B3Procedure.h:
1484         * b3/testb3.cpp:
1485         (JSC::B3::generateLoop):
1486         (JSC::B3::makeArrayForLoops):
1487         (JSC::B3::generateLoopNotBackwardsDominant):
1488         (JSC::B3::oneFunction):
1489         (JSC::B3::noOpFunction):
1490         (JSC::B3::testLICMPure):
1491         (JSC::B3::testLICMPureSideExits):
1492         (JSC::B3::testLICMPureWritesPinned):
1493         (JSC::B3::testLICMPureWrites):
1494         (JSC::B3::testLICMReadsLocalState):
1495         (JSC::B3::testLICMReadsPinned):
1496         (JSC::B3::testLICMReads):
1497         (JSC::B3::testLICMPureNotBackwardsDominant):
1498         (JSC::B3::testLICMPureFoiledByChild):
1499         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1500         (JSC::B3::testLICMExitsSideways):
1501         (JSC::B3::testLICMWritesLocalState):
1502         (JSC::B3::testLICMWrites):
1503         (JSC::B3::testLICMFence):
1504         (JSC::B3::testLICMWritesPinned):
1505         (JSC::B3::testLICMControlDependent):
1506         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1507         (JSC::B3::testLICMControlDependentSideExits):
1508         (JSC::B3::testLICMReadsPinnedWritesPinned):
1509         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1510         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1511         (JSC::B3::testLICMDefaultCall):
1512         (JSC::B3::run):
1513         * dfg/DFGBasicBlock.h:
1514         * dfg/DFGCFG.h:
1515         * dfg/DFGNaturalLoops.cpp: Removed.
1516         * dfg/DFGNaturalLoops.h:
1517         (JSC::DFG::NaturalLoops::NaturalLoops):
1518         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1519         (JSC::DFG::NaturalLoop::header): Deleted.
1520         (JSC::DFG::NaturalLoop::size): Deleted.
1521         (JSC::DFG::NaturalLoop::at): Deleted.
1522         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1523         (JSC::DFG::NaturalLoop::contains): Deleted.
1524         (JSC::DFG::NaturalLoop::index): Deleted.
1525         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1526         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1527         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1528         (JSC::DFG::NaturalLoops::loop): Deleted.
1529         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1530         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1531         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1532         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1533         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1534
1535 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1536
1537         GC should be fine with trading blocks between destructor and non-destructor blocks
1538         https://bugs.webkit.org/show_bug.cgi?id=174811
1539
1540         Reviewed by Mark Lam.
1541         
1542         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1543         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1544         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1545         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1546         set.
1547         
1548         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1549         is empty if:
1550         
1551         A) It has no live objects and it's a non-destructor block, or
1552         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1553         C) We just stole it from another allocator (so it also has no destructors), or
1554         D) We just swept the block and ran all destructors.
1555         
1556         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1557         block that could be stolen.
1558
1559         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1560         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1561         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1562         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1563         
1564         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1565         
1566         If we tried to enable trading of blocks between allocators without making any changes to how
1567         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1568         live objects in order for those bits to be candidates for trading. But if we do that, then our
1569         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1570         our destructors won't run and we'll leak memory.
1571         
1572         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1573         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1574         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1575         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1576         are (empty & ~destructible).
1577         
1578         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1579         remove destructor-oriented special-casing of block trading.
1580
1581         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1582         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1583         pathological cases.
1584         
1585         * heap/MarkedAllocator.cpp:
1586         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1587         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1588         (JSC::MarkedAllocator::endMarking):
1589         (JSC::MarkedAllocator::shrink):
1590         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1591         * heap/MarkedAllocator.h:
1592         * heap/MarkedBlock.cpp:
1593         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1594         (JSC::MarkedBlock::Handle::sweep):
1595         * heap/MarkedBlockInlines.h:
1596         (JSC::MarkedBlock::Handle::specializedSweep):
1597         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1598         (JSC::MarkedBlock::Handle::emptyMode):
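
        The following is an added example, not JavaScriptCore code: a toy C++ model of the two-bit scheme the
        entry above describes, run side by side with the old single-bit rule so the leak it would cause is
        visible. Block, Allocator, runScenario and the counters are the model's own names; JSC keeps `empty`
        and `destructible` in per-allocator bitvectors, and using (empty & ~destructible) as the trading
        condition (the entry states that mask for shrink) is the model's assumption.

```cpp
// Toy model of the `empty` / `destructible` bookkeeping described above (added example, not JSC code).
// Cells are counters, not memory; what matters is which bit gates destructor runs, trading and shrink.
#include <cstddef>
#include <vector>

struct Block {
    unsigned live = 0;              // live cells after marking
    unsigned deadUndestructed = 0;  // dead cells whose destructors have not run yet
    bool garbageBits = true;        // cases B/C: memory never laid out as this allocator's cells
    bool empty = true;              // "no live objects" (trading candidate); a bitvector in JSC
    bool destructible = false;      // "may hold cells that still need destruction"; a bitvector in JSC
};

class Allocator {
public:
    // EmptyBitOnly: the old single-bit rule, with "no live objects => empty" applied to destructor
    // blocks too, as enabling trading would require. Decoupled: the rule introduced by the change.
    enum class Scheme { EmptyBitOnly, Decoupled };
    Allocator(Scheme scheme, bool needsDestruction) : m_scheme(scheme), m_needsDestruction(needsDestruction) {}
    std::size_t addFreshBlock() { return adopt(); }                 // case B
    std::size_t adoptStolenBlock(const Block&) { return adopt(); }  // case C: its bytes are garbage to us
    void allocateCells(std::size_t i, unsigned n) {
        Block& b = m_blocks[i];
        b.live += n; b.garbageBits = false; b.empty = false;
    }
    void killCells(std::size_t i, unsigned n) { m_blocks[i].live -= n; m_blocks[i].deadUndestructed += n; }

    // End of marking: `empty` answers "any live objects?"; `destructible` answers "might anything
    // here need destruction?" and is set for every block that really holds cells, live or not.
    void endMarking() {
        for (Block& b : m_blocks) {
            b.empty = b.live == 0;
            if (!b.garbageBits)
                b.destructible = true;
        }
    }

    // Sweep one block, returning how many destructors ran. Case D: the destructible bit is cleared.
    unsigned sweep(std::size_t i) {
        Block& b = m_blocks[i];
        bool runDestructors = m_needsDestruction && (m_scheme == Scheme::Decoupled ? b.destructible : !b.empty);
        unsigned ran = 0;
        if (runDestructors && b.garbageBits)
            ++m_crashes;                          // isZapped() cannot tell garbage from a cell
        else if (runDestructors) { ran = b.deadUndestructed; b.deadUndestructed = 0; }
        b.destructible = false;
        b.empty = b.live == 0;
        return ran;
    }

    // Candidate for trading (case A) or shrink: empty & ~destructible. The entry gives that mask for
    // shrink; applying it to trading as well is this model's assumption. Old scheme: `empty` alone.
    int findEmptyBlockToSteal() const {
        for (std::size_t i = 0; i < m_blocks.size(); ++i)
            if (m_blocks[i].empty && (m_scheme == Scheme::EmptyBitOnly || !m_blocks[i].destructible))
                return static_cast<int>(i);
        return -1;
    }

    // Hand block i away. Destructors it still owed will never run: that memory is leaked.
    Block release(std::size_t i) {
        Block b = m_blocks[i];
        if (m_needsDestruction) m_leaked += b.deadUndestructed;
        m_blocks.erase(m_blocks.begin() + static_cast<std::ptrdiff_t>(i));
        return b;
    }
    unsigned leaked() const { return m_leaked; }
    unsigned crashes() const { return m_crashes; }

private:
    std::size_t adopt() { m_blocks.push_back(Block{}); return m_blocks.size() - 1; }  // empty, not destructible
    Scheme m_scheme;
    bool m_needsDestruction;
    std::vector<Block> m_blocks;
    unsigned m_leaked = 0, m_crashes = 0;
};

struct Outcome { unsigned destructorsRun, leaked, crashes; bool traded; };

// The case the entry worries about: a destructor block whose cells all die in one cycle, plus a fresh
// block never allocated out of; one GC cycle; then the emptied block is traded to another destructor
// allocator (think: a different size class), which marks and sweeps it too.
Outcome runScenario(Allocator::Scheme scheme) {
    Allocator source(scheme, /* needsDestruction */ true), target(scheme, /* needsDestruction */ true);
    std::size_t d = source.addFreshBlock();
    source.allocateCells(d, 8);
    source.killCells(d, 8);
    std::size_t f = source.addFreshBlock();   // case B, garbage bits throughout
    source.endMarking();
    Outcome o{};
    o.destructorsRun = source.sweep(d) + source.sweep(f);
    int victim = source.findEmptyBlockToSteal();
    if (victim >= 0) {
        std::size_t t = target.adoptStolenBlock(source.release(static_cast<std::size_t>(victim)));
        target.endMarking();
        target.sweep(t);                      // case C: must not "destruct" garbage bits
        o.traded = true;
    }
    o.leaked = source.leaked();
    o.crashes = source.crashes() + target.crashes();
    return o;
}
```

        With Scheme::Decoupled the eight dead cells are destructed before the block is traded; with
        Scheme::EmptyBitOnly the block is traded just the same, but its eight destructors never run.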
1599
1600 2017-07-25  Keith Miller  <keith_miller@apple.com>
1601
1602         Remove Broken CompareEq constant folding phase.
1603         https://bugs.webkit.org/show_bug.cgi?id=174846
1604         <rdar://problem/32978808>
1605
1606         Reviewed by Saam Barati.
1607
1608         This bug happened when we would get code like the following:
1609
1610         a: JSConst(Undefined)
1611         b: GetLocal(SomeObjectOrUndefined)
1612         ...
1613         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1614
1615         constant folding will turn this into:
1616
1617         a: JSConst(Undefined)
1618         b: GetLocal(SomeObjectOrUndefined)
1619         ...
1620         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1621
1622         But the SpeculativeJIT/FTL lowering will fail to check b
1623         properly which leads to an assertion failure in the AI.
1624
1625         I'll follow up with a more robust fix later. For now, I'll remove the
1626         case that generates the code. Removing the code appears to be perf
1627         neutral.
1628
1629         * dfg/DFGConstantFoldingPhase.cpp:
1630         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1631
1632 2017-07-25  Matt Baker  <mattbaker@apple.com>
1633
1634         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1635         https://bugs.webkit.org/show_bug.cgi?id=174738
1636
1637         Reviewed by Brian Burg.
1638
1639         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1640         stack traces. This preserves the call type in JSC, makes the range of
1641         possible call types explicit, and is safer than passing ints.
1642
1643         * inspector/agents/InspectorDebuggerAgent.cpp:
1644         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1645         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1646         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1647         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1648         * inspector/agents/InspectorDebuggerAgent.h:
1649
1650 2017-07-25  Mark Lam  <mark.lam@apple.com>
1651
1652         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1653         https://bugs.webkit.org/show_bug.cgi?id=174809
1654         <rdar://problem/33504759>
1655
1656         Reviewed by Filip Pizlo.
1657
1658         1. When the probe handler function changes the sp register to point to the
1659            region of stack in the middle of the ProbeContext on the stack, there is a
1660            bug where the ProbeContext's register values to be restored can be overwritten
1661            before they can be restored.  This is now fixed.
1662
1663         2. Added more robust probe tests for changing the sp register.
1664
1665         3. Made existing probe tests ensure that probe handlers were actually called.
1666
1667         4. Added some verification to testProbePreservesGPRS().
1668
1669         5. Change all the probe tests to fail early on discovering an error instead of
1670            batching till the end of the test.  This helps point a finger to the failing
1671            issue earlier.
1672
1673         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1674         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1675
1676         * assembler/MacroAssemblerARM.cpp:
1677         * assembler/MacroAssemblerARMv7.cpp:
1678         * assembler/MacroAssemblerX86Common.cpp:
1679         * assembler/testmasm.cpp:
1680         (JSC::testProbeReadsArgumentRegisters):
1681         (JSC::testProbeWritesArgumentRegisters):
1682         (JSC::testProbePreservesGPRS):
1683         (JSC::testProbeModifiesStackPointer):
1684         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1685         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1686         (JSC::testProbeModifiesProgramCounter):
1687         (JSC::run):
1688
1689 2017-07-25  Brian Burg  <bburg@apple.com>
1690
1691         Web Automation: add support for uploading files
1692         https://bugs.webkit.org/show_bug.cgi?id=174797
1693         <rdar://problem/28485063>
1694
1695         Reviewed by Joseph Pecoraro.
1696
1697         * inspector/scripts/generate-inspector-protocol-bindings.py:
1698         (generate_from_specification):
1699         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1700
1701         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1702         (CppFrontendDispatcherImplementationGenerator.generate_output):
1703         Use a framework include for InspectorFrontendRouter.h since this generated code
1704         will be compiled outside of WebCore.framework.
1705
1706         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1707         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1708         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1709         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1710         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1711         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1712         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1713         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1714         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1715         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1716         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1717         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1718         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1719         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1720         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1721         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1722         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1723         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1724         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1725         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1726         Rebaseline code generator tests.
1727
1728 2017-07-24  Mark Lam  <mark.lam@apple.com>
1729
1730         Gardening: fixed C Loop build after r219790.
1731         https://bugs.webkit.org/show_bug.cgi?id=174696
1732
1733         Not reviewed.
1734
1735         * assembler/testmasm.cpp:
1736
1737 2017-07-23  Mark Lam  <mark.lam@apple.com>
1738
1739         Create regression tests for the JIT probe.
1740         https://bugs.webkit.org/show_bug.cgi?id=174696
1741         <rdar://problem/33436922>
1742
1743         Reviewed by Saam Barati.
1744
1745         The new testmasm will test the following:
1746         1. the probe is able to read the value of CPU registers.
1747         2. the probe is able to write the value of CPU registers.
1748         3. the probe is able to preserve all CPU registers.
1749         4. special case of (2): the probe is able to change the value of the stack pointer.
1750         5. special case of (2): the probe is able to change the value of the program counter
1751            i.e. the probe can change where the code continues executing upon returning from
1752            the probe.
1753
1754         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
1755         because it does not support changing the sp and pc yet.  The ARM64 probe
1756         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
1757         later.
1758
1759         * Configurations/ToolExecutable.xcconfig:
1760         * JavaScriptCore.xcodeproj/project.pbxproj:
1761         * assembler/MacroAssembler.h:
1762         (JSC::MacroAssembler::CPUState::pc):
1763         (JSC::MacroAssembler::CPUState::fp):
1764         (JSC::MacroAssembler::CPUState::sp):
1765         (JSC::ProbeContext::pc):
1766         (JSC::ProbeContext::fp):
1767         (JSC::ProbeContext::sp):
1768         * assembler/MacroAssemblerARM64.cpp:
1769         (JSC::arm64ProbeTrampoline):
1770         * assembler/MacroAssemblerPrinter.cpp:
1771         (JSC::Printer::printPCRegister):
1772         * assembler/testmasm.cpp: Added.
1773         (hiddenTruthBecauseNoReturnIsStupid):
1774         (usage):
1775         (JSC::nextID):
1776         (JSC::isPC):
1777         (JSC::isSP):
1778         (JSC::isFP):
1779         (JSC::compile):
1780         (JSC::invoke):
1781         (JSC::compileAndRun):
1782         (JSC::testSimple):
1783         (JSC::testProbeReadsArgumentRegisters):
1784         (JSC::testProbeWritesArgumentRegisters):
1785         (JSC::testFunctionToTrashRegisters):
1786         (JSC::testProbePreservesGPRS):
1787         (JSC::testProbeModifiesStackPointer):
1788         (JSC::testProbeModifiesProgramCounter):
1789         (JSC::run):
1790         (run):
1791         (main):
1792         * b3/air/testair.cpp:
1793         (usage):
1794         * shell/CMakeLists.txt:
1795
1796 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
1797
1798         It should be easy to decide how WebKit yields
1799         https://bugs.webkit.org/show_bug.cgi?id=174298
1800
1801         Reviewed by Saam Barati.
1802         
1803         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
1804
1805         * heap/Heap.cpp:
1806         (JSC::Heap::resumeThePeriphery):
1807         * heap/VisitingTimeout.h:
1808         * runtime/JSCell.cpp:
1809         (JSC::JSCell::lockSlow):
1810         (JSC::JSCell::unlockSlow):
1811         * runtime/JSCell.h:
1812         * runtime/JSCellInlines.h:
1813         (JSC::JSCell::lock):
1814         (JSC::JSCell::unlock):
1815         * runtime/JSLock.cpp:
1816         (JSC::JSLock::grabAllLocks):
1817         * runtime/SamplingProfiler.cpp:
1818
1819 2017-07-21  Mark Lam  <mark.lam@apple.com>
1820
1821         Refactor MASM probe CPUState to use arrays for register storage.
1822         https://bugs.webkit.org/show_bug.cgi?id=174694
1823
1824         Reviewed by Keith Miller.
1825
1826         Using arrays for register storage in CPUState allows us to do away with the
1827         huge switch statements to decode each register id.  We can now simply index into
1828         the arrays.
1829
1830         With this patch, we now:
1831
1832         1. Remove the need for macros for defining the list of CPU registers.
1833            We can go back to simple enums.  This makes the code easier to read.
1834
1835         2. Make the assembler the authority on register names.
1836            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
1837            GPRInfo and FPRInfo now forward to the assembler.
1838
1839         3. Make the assembler the authority on the number of registers of each type.
1840
1841         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
1842            This is inconsistent with how every other CPU architecture implements
1843            lastRegister().  This patch fixes it to return the true last GPR, i.e. pc, but
1844            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
1845
1846         * assembler/ARM64Assembler.h:
1847         (JSC::ARM64Assembler::numberOfRegisters):
1848         (JSC::ARM64Assembler::firstSPRegister):
1849         (JSC::ARM64Assembler::lastSPRegister):
1850         (JSC::ARM64Assembler::numberOfSPRegisters):
1851         (JSC::ARM64Assembler::numberOfFPRegisters):
1852         (JSC::ARM64Assembler::gprName):
1853         (JSC::ARM64Assembler::sprName):
1854         (JSC::ARM64Assembler::fprName):
1855         * assembler/ARMAssembler.h:
1856         (JSC::ARMAssembler::numberOfRegisters):
1857         (JSC::ARMAssembler::firstSPRegister):
1858         (JSC::ARMAssembler::lastSPRegister):
1859         (JSC::ARMAssembler::numberOfSPRegisters):
1860         (JSC::ARMAssembler::numberOfFPRegisters):
1861         (JSC::ARMAssembler::gprName):
1862         (JSC::ARMAssembler::sprName):
1863         (JSC::ARMAssembler::fprName):
1864         * assembler/ARMv7Assembler.h:
1865         (JSC::ARMv7Assembler::lastRegister):
1866         (JSC::ARMv7Assembler::numberOfRegisters):
1867         (JSC::ARMv7Assembler::firstSPRegister):
1868         (JSC::ARMv7Assembler::lastSPRegister):
1869         (JSC::ARMv7Assembler::numberOfSPRegisters):
1870         (JSC::ARMv7Assembler::numberOfFPRegisters):
1871         (JSC::ARMv7Assembler::gprName):
1872         (JSC::ARMv7Assembler::sprName):
1873         (JSC::ARMv7Assembler::fprName):
1874         * assembler/AbstractMacroAssembler.h:
1875         (JSC::AbstractMacroAssembler::numberOfRegisters):
1876         (JSC::AbstractMacroAssembler::gprName):
1877         (JSC::AbstractMacroAssembler::firstSPRegister):
1878         (JSC::AbstractMacroAssembler::lastSPRegister):
1879         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
1880         (JSC::AbstractMacroAssembler::sprName):
1881         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
1882         (JSC::AbstractMacroAssembler::fprName):
1883         * assembler/MIPSAssembler.h:
1884         (JSC::MIPSAssembler::numberOfRegisters):
1885         (JSC::MIPSAssembler::firstSPRegister):
1886         (JSC::MIPSAssembler::lastSPRegister):
1887         (JSC::MIPSAssembler::numberOfSPRegisters):
1888         (JSC::MIPSAssembler::numberOfFPRegisters):
1889         (JSC::MIPSAssembler::gprName):
1890         (JSC::MIPSAssembler::sprName):
1891         (JSC::MIPSAssembler::fprName):
1892         * assembler/MacroAssembler.h:
1893         (JSC::MacroAssembler::CPUState::gprName):
1894         (JSC::MacroAssembler::CPUState::sprName):
1895         (JSC::MacroAssembler::CPUState::fprName):
1896         (JSC::MacroAssembler::CPUState::gpr):
1897         (JSC::MacroAssembler::CPUState::spr):
1898         (JSC::MacroAssembler::CPUState::fpr):
1899         (JSC::MacroAssembler::CPUState::pc):
1900         (JSC::MacroAssembler::CPUState::fp):
1901         (JSC::MacroAssembler::CPUState::sp):
1902         (JSC::ProbeContext::gpr):
1903         (JSC::ProbeContext::spr):
1904         (JSC::ProbeContext::fpr):
1905         (JSC::ProbeContext::gprName):
1906         (JSC::ProbeContext::sprName):
1907         (JSC::ProbeContext::fprName):
1908         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1909         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1910         * assembler/MacroAssemblerARM.cpp:
1911         * assembler/MacroAssemblerARM64.cpp:
1912         (JSC::arm64ProbeTrampoline):
1913         * assembler/MacroAssemblerARMv7.cpp:
1914         * assembler/MacroAssemblerPrinter.cpp:
1915         (JSC::Printer::nextID):
1916         (JSC::Printer::printAllRegisters):
1917         (JSC::Printer::printPCRegister):
1918         (JSC::Printer::printRegisterID):
1919         (JSC::Printer::printAddress):
1920         * assembler/MacroAssemblerX86Common.cpp:
1921         * assembler/X86Assembler.h:
1922         (JSC::X86Assembler::numberOfRegisters):
1923         (JSC::X86Assembler::firstSPRegister):
1924         (JSC::X86Assembler::lastSPRegister):
1925         (JSC::X86Assembler::numberOfSPRegisters):
1926         (JSC::X86Assembler::numberOfFPRegisters):
1927         (JSC::X86Assembler::gprName):
1928         (JSC::X86Assembler::sprName):
1929         (JSC::X86Assembler::fprName):
1930         * jit/FPRInfo.h:
1931         (JSC::FPRInfo::debugName):
1932         * jit/GPRInfo.h:
1933         (JSC::GPRInfo::debugName):
1934         * jit/RegisterSet.cpp:
1935         (JSC::RegisterSet::reservedHardwareRegisters):
1936
1937 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1938
1939         [JSC] Introduce static symbols
1940         https://bugs.webkit.org/show_bug.cgi?id=158863
1941
1942         Reviewed by Darin Adler.
1943
1944         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1945         As a result, we can share the same Symbol values between VMs and threads.
1946         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1947
1948         * CMakeLists.txt:
1949         * JavaScriptCore.xcodeproj/project.pbxproj:
1950         * builtins/BuiltinNames.cpp: Added.
1951         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1952
1953         * builtins/BuiltinNames.h:
1954         (JSC::BuiltinNames::BuiltinNames):
1955         * builtins/BuiltinUtils.h:
1956
1957 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1958
1959         [FTL] Arguments elimination is suppressed by unreachable blocks
1960         https://bugs.webkit.org/show_bug.cgi?id=174352
1961
1962         Reviewed by Filip Pizlo.
1963
1964         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
1965         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
1966         Since GetById without information can escape arguments if it is specified, non-executed code including
1967         op_get_by_id with arguments can escape arguments.
1968
1969         For example,
1970
1971             function test(flag)
1972             {
1973                 if (flag) {
1974                     // This is not executed, but emits GetById with arguments.
1975                     // It prevents us from eliminating materialization.
1976                     return arguments.length;
1977                 }
1978                 return arguments.length;
1979             }
1980             noInline(test);
1981             while (true)
1982                 test(false);
1983
1984         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
1985         So this GetById exists and escapes arguments.
1986
1987         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
1988         If one is found, the following GetById does not escape arguments. Compared to performing AI, it is
1989         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
1990
1991         * dfg/DFGArgumentsEliminationPhase.cpp:
1992         * dfg/DFGNode.h:
1993         (JSC::DFG::Node::isPseudoTerminal):
1994         * dfg/DFGValidate.cpp:
1995
1996 2017-07-20  Chris Dumez  <cdumez@apple.com>
1997
1998         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
1999         https://bugs.webkit.org/show_bug.cgi?id=174660
2000
2001         Reviewed by Geoffrey Garen.
2002
2003         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2004         This essentially replaces a branch to figure out if the new size is less or greater than the
2005         current size by an assertion.
2006
2007         * b3/B3BasicBlockUtils.h:
2008         (JSC::B3::clearPredecessors):
2009         * b3/B3InferSwitches.cpp:
2010         * b3/B3LowerToAir.cpp:
2011         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2012         * b3/B3ReduceStrength.cpp:
2013         * b3/B3SparseCollection.h:
2014         (JSC::B3::SparseCollection::packIndices):
2015         * b3/B3UseCounts.cpp:
2016         (JSC::B3::UseCounts::UseCounts):
2017         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2018         * b3/air/AirEmitShuffle.cpp:
2019         (JSC::B3::Air::emitShuffle):
2020         * b3/air/AirLowerAfterRegAlloc.cpp:
2021         (JSC::B3::Air::lowerAfterRegAlloc):
2022         * b3/air/AirOptimizeBlockOrder.cpp:
2023         (JSC::B3::Air::optimizeBlockOrder):
2024         * bytecode/Operands.h:
2025         (JSC::Operands::ensureLocals):
2026         * bytecode/PreciseJumpTargets.cpp:
2027         (JSC::computePreciseJumpTargetsInternal):
2028         * dfg/DFGBlockInsertionSet.cpp:
2029         (JSC::DFG::BlockInsertionSet::execute):
2030         * dfg/DFGBlockMapInlines.h:
2031         (JSC::DFG::BlockMap<T>::BlockMap):
2032         * dfg/DFGByteCodeParser.cpp:
2033         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2034         (JSC::DFG::ByteCodeParser::clearCaches):
2035         * dfg/DFGDisassembler.cpp:
2036         (JSC::DFG::Disassembler::Disassembler):
2037         * dfg/DFGFlowIndexing.cpp:
2038         (JSC::DFG::FlowIndexing::recompute):
2039         * dfg/DFGGraph.cpp:
2040         (JSC::DFG::Graph::registerFrozenValues):
2041         * dfg/DFGInPlaceAbstractState.cpp:
2042         (JSC::DFG::setLiveValues):
2043         * dfg/DFGLICMPhase.cpp:
2044         (JSC::DFG::LICMPhase::run):
2045         * dfg/DFGLivenessAnalysisPhase.cpp:
2046         * dfg/DFGNaturalLoops.cpp:
2047         (JSC::DFG::NaturalLoops::NaturalLoops):
2048         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2049         * ftl/FTLLowerDFGToB3.cpp:
2050         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2051         * heap/CodeBlockSet.cpp:
2052         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2053         * heap/MarkedSpace.cpp:
2054         (JSC::MarkedSpace::sweepLargeAllocations):
2055         * inspector/ContentSearchUtilities.cpp:
2056         (Inspector::ContentSearchUtilities::findMagicComment):
2057         * interpreter/ShadowChicken.cpp:
2058         (JSC::ShadowChicken::update):
2059         * parser/ASTBuilder.h:
2060         (JSC::ASTBuilder::shrinkOperandStackBy):
2061         * parser/Lexer.h:
2062         (JSC::Lexer::setOffset):
2063         * runtime/RegExpInlines.h:
2064         (JSC::RegExp::matchInline):
2065         * runtime/RegExpPrototype.cpp:
2066         (JSC::genericSplit):
2067         * yarr/RegularExpression.cpp:
2068         (JSC::Yarr::RegularExpression::match):
2069
2070 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2071
2072         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
2073         https://bugs.webkit.org/show_bug.cgi?id=174678
2074
2075         Reviewed by Mark Lam.
2076
2077         Use Thread& instead.
2078
2079         * runtime/JSLock.cpp:
2080         (JSC::JSLock::didAcquireLock):
2081
2082 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2083
2084         [WTF] Implement WTF::ThreadGroup
2085         https://bugs.webkit.org/show_bug.cgi?id=174081
2086
2087         Reviewed by Mark Lam.
2088
2089         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2090         SamplingProfiler and others interact with WTF::Thread directly.
2091
2092         * API/tests/ExecutionTimeLimitTest.cpp:
2093         * heap/MachineStackMarker.cpp:
2094         (JSC::MachineThreads::MachineThreads):
2095         (JSC::captureStack):
2096         (JSC::MachineThreads::tryCopyOtherThreadStack):
2097         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2098         (JSC::MachineThreads::gatherConservativeRoots):
2099         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2100         (JSC::ActiveMachineThreadsManager::add): Deleted.
2101         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2102         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2103         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2104         (JSC::activeMachineThreadsManager): Deleted.
2105         (JSC::MachineThreads::~MachineThreads): Deleted.
2106         (JSC::MachineThreads::addCurrentThread): Deleted.
2107         (): Deleted.
2108         (JSC::MachineThreads::removeThread): Deleted.
2109         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2110         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2111         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2112         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2113         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2114         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2115         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2116         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2117         * heap/MachineStackMarker.h:
2118         (JSC::MachineThreads::addCurrentThread):
2119         (JSC::MachineThreads::getLock):
2120         (JSC::MachineThreads::threads):
2121         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2122         (JSC::MachineThreads::MachineThread::resume): Deleted.
2123         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2124         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2125         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2126         (JSC::MachineThreads::threadsListHead): Deleted.
2127         * runtime/SamplingProfiler.cpp:
2128         (JSC::FrameWalker::isValidFramePointer):
2129         (JSC::SamplingProfiler::SamplingProfiler):
2130         (JSC::SamplingProfiler::takeSample):
2131         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2132         * runtime/SamplingProfiler.h:
2133         * wasm/WasmMachineThreads.cpp:
2134         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2135
2136 2017-07-18  Andy Estes  <aestes@apple.com>
2137
2138         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
2139         https://bugs.webkit.org/show_bug.cgi?id=174631
2140
2141         Reviewed by Tim Horton.
2142
2143         * Configurations/Base.xcconfig:
2144         * b3/B3FoldPathConstants.cpp:
2145         * b3/B3LowerMacros.cpp:
2146         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2147         * dfg/DFGByteCodeParser.cpp:
2148         (JSC::DFG::ByteCodeParser::check):
2149         (JSC::DFG::ByteCodeParser::planLoad):
2150
2151 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2152
2153         WTF::Thread should have the threads stack bounds.
2154         https://bugs.webkit.org/show_bug.cgi?id=173975
2155
2156         Reviewed by Mark Lam.
2157
2158         There is a site in JSC that tries to walk another thread's stack.
2159         Currently, stack bounds are stored in WTFThreadData, which is located
2160         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2161         We work around this situation by holding StackBounds in MachineThread in JSC,
2162         but StackBounds should be put in WTF::Thread instead.
2163
2164         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
2165         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
2166
2167         * heap/MachineStackMarker.cpp:
2168         (JSC::MachineThreads::MachineThread::MachineThread):
2169         (JSC::MachineThreads::MachineThread::captureStack):
2170         * heap/MachineStackMarker.h:
2171         (JSC::MachineThreads::MachineThread::stackBase):
2172         (JSC::MachineThreads::MachineThread::stackEnd):
2173         * runtime/VMTraps.cpp:
2174
2175 2017-07-18  Andy Estes  <aestes@apple.com>
2176
2177         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
2178         https://bugs.webkit.org/show_bug.cgi?id=174631
2179
2180         Reviewed by Sam Weinig.
2181
2182         * Configurations/Base.xcconfig:
2183
2184 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2185
2186         Web Inspector: Modernize InjectedScriptSource
2187         https://bugs.webkit.org/show_bug.cgi?id=173890
2188
2189         Reviewed by Brian Burg.
2190
2191         * inspector/InjectedScript.h:
2192         Reorder functions to be slightly better.
2193
2194         * inspector/InjectedScriptSource.js:
2195         - Convert to classes named InjectedScript and RemoteObject
2196         - Align InjectedScript's API with the wrapper C++ interfaces
2197         - Move some code to RemoteObject where appropriate (subtype, describe)
2198         - Move some code to helper functions (isPrimitiveValue, isDefined)
2199         - Refactor for readability and modern features
2200         - Remove some unused / unnecessary code
2201
2202 2017-07-18  Mark Lam  <mark.lam@apple.com>
2203
2204         Butterfly storage need not be initialized for indexing type Undecided.
2205         https://bugs.webkit.org/show_bug.cgi?id=174516
2206
2207         Reviewed by Saam Barati.
2208
2209         While it's not incorrect to initialize the butterfly storage when the
2210         indexingType is Undecided, it is inefficient as we'll end up initializing
2211         it again later when we convert the storage to a different indexingType.
2212         Some of our code already skips initializing Undecided butterflies.
2213         This patch makes it the consistent behavior everywhere.
2214
2215         * dfg/DFGSpeculativeJIT.cpp:
2216         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2217         * runtime/JSArray.cpp:
2218         (JSC::JSArray::tryCreateUninitializedRestricted):
2219         * runtime/JSArray.h:
2220         (JSC::JSArray::tryCreate):
2221         * runtime/JSObject.cpp:
2222         (JSC::JSObject::ensureLengthSlow):
2223
2224 2017-07-18  Saam Barati  <sbarati@apple.com>
2225
2226         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2227         https://bugs.webkit.org/show_bug.cgi?id=174515
2228         <rdar://problem/33358092>
2229
2230         Reviewed by Filip Pizlo.
2231
2232         AirLowerAfterRegAlloc was computing the set of available scratch
2233         registers incorrectly. It was always excluding callee save registers
2234         from the set of live registers. It did not guarantee that live callee save
2235         registers were not in the set of scratch registers that could
2236         get clobbered. That's incorrect as the shuffling code is free
2237         to overwrite whatever is in the scratch register it gets passed.
2238
2239         * b3/air/AirLowerAfterRegAlloc.cpp:
2240         (JSC::B3::Air::lowerAfterRegAlloc):
2241         * b3/testb3.cpp:
2242         (JSC::B3::functionNineArgs):
2243         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2244         (JSC::B3::run):
2245         * jit/RegisterSet.h:
2246
2247 2017-07-18  Andy Estes  <aestes@apple.com>
2248
2249         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2250         https://bugs.webkit.org/show_bug.cgi?id=174631
2251
2252         Reviewed by Dan Bernstein.
2253
2254         * Configurations/Base.xcconfig:
2255
2256 2017-07-18  Devin Rousso  <drousso@apple.com>
2257
2258         Web Inspector: Add memoryCost to Inspector Protocol objects
2259         https://bugs.webkit.org/show_bug.cgi?id=174478
2260
2261         Reviewed by Joseph Pecoraro.
2262
2263         For a non-array and non-object InspectorValue, calculate memoryCost as the size of the object,
2264         plus the memoryCost of the data if it is a string.
2265
2266         For an array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2267
2268         For an object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2269         key plus the memoryCost of the InspectorValue for each entry.
2270
2271         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2272
2273         * inspector/InspectorValues.h:
2274         * inspector/InspectorValues.cpp:
2275         (Inspector::InspectorValue::memoryCost):
2276         (Inspector::InspectorObjectBase::memoryCost):
2277         (Inspector::InspectorArrayBase::memoryCost):
2278
2279 2017-07-18  Andy Estes  <aestes@apple.com>
2280
2281         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2282         https://bugs.webkit.org/show_bug.cgi?id=174631
2283
2284         Reviewed by Darin Adler.
2285
2286         * Configurations/Base.xcconfig:
2287
2288 2017-07-18  Michael Saboff  <msaboff@apple.com>
2289
2290         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2291         https://bugs.webkit.org/show_bug.cgi?id=174601
2292
2293         Reviewed by Alex Christensen.
2294
2295         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2296         objects after a regular expression has been compiled.
2297
2298         * runtime/Options.h:
2299         * yarr/YarrPattern.cpp:
2300         (JSC::Yarr::YarrPattern::compile):
2301         (JSC::Yarr::indentForNestingLevel):
2302         (JSC::Yarr::dumpUChar32):
2303         (JSC::Yarr::PatternAlternative::dump):
2304         (JSC::Yarr::PatternTerm::dumpQuantifier):
2305         (JSC::Yarr::PatternTerm::dump):
2306         (JSC::Yarr::PatternDisjunction::dump):
2307         (JSC::Yarr::YarrPattern::dumpPattern):
2308         * yarr/YarrPattern.h:
2309         (JSC::Yarr::YarrPattern::global):
2310
2311 2017-07-17  Darin Adler  <darin@apple.com>
2312
2313         Improve use of NeverDestroyed
2314         https://bugs.webkit.org/show_bug.cgi?id=174348
2315
2316         Reviewed by Sam Weinig.
2317
2318         * heap/MachineStackMarker.cpp:
2319         * wasm/WasmMemory.cpp:
2320         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2321         of NeverDestroyed.
2322
2323 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2324
2325         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2326         https://bugs.webkit.org/show_bug.cgi?id=174547
2327
2328         Reviewed by Alex Christensen.
2329
2330         * CMakeLists.txt:
2331         * shell/CMakeLists.txt:
2332
2333 2017-07-17  Saam Barati  <sbarati@apple.com>
2334
2335         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2336         https://bugs.webkit.org/show_bug.cgi?id=174584
2337
2338         Rubber stamped by Keith Miller.
2339
2340         I used it to diagnose a bug. The bug is now fixed. This custom
2341         RELEASE_ASSERT is no longer needed.
2342
2343         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2344
2345 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2346
2347         -Wformat-truncation warning in ConfigFile.cpp
2348         https://bugs.webkit.org/show_bug.cgi?id=174506
2349
2350         Reviewed by Darin Adler.
2351
2352         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2353         return ParseError.
2354
2355         * runtime/ConfigFile.cpp:
2356         (JSC::ConfigFile::parse):
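The truncation check described above, as an added example that is not JavaScriptCore's own code: it joins a directory and filename with snprintf and treats a would-be-truncated path as an error instead of using the cut-off string. The names, the buffer size and the ParseResult enum are assumptions for illustration.

```cpp
// Added example (not JavaScriptCore's own code): build a config file path into a
// fixed-size buffer and reject the result if snprintf would have truncated it,
// which is the condition the ConfigFile.cpp change checks for before parsing.
#include <cstddef>
#include <cstdio>
#include <string>

namespace ConfigPathExample {

// Hypothetical result type; JSC's ConfigFile uses its own ParseError value.
enum class ParseResult { Ok, TruncatedPath };

// Maximum path length for this example; a real implementation would use PATH_MAX.
constexpr size_t kMaxPathLength = 64;

// Joins directory and filename into `out`. Returns TruncatedPath when the
// joined path does not fit, instead of silently using a cut-off path
// that could name a different file than the one the configuration intended.
ParseResult buildConfigPath(const char* directory, const char* filename,
                            char (&out)[kMaxPathLength]) {
    // snprintf returns the length the full string would have had, not the
    // number of bytes written, so a value >= sizeof(out) means truncation.
    int needed = std::snprintf(out, sizeof(out), "%s/%s", directory, filename);
    if (needed < 0 || static_cast<size_t>(needed) >= sizeof(out)) {
        out[0] = '\0'; // do not leave a partial path behind
        return ParseResult::TruncatedPath;
    }
    return ParseResult::Ok;
}

// Convenience wrapper returning the joined path, or an empty string on truncation.
std::string joinedConfigPath(const char* directory, const char* filename) {
    char buffer[kMaxPathLength];
    if (buildConfigPath(directory, filename, buffer) != ParseResult::Ok)
        return std::string();
    return std::string(buffer);
}

} // namespace ConfigPathExample
```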
2357
2358 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2359
2360         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2361         https://bugs.webkit.org/show_bug.cgi?id=174557
2362
2363         Reviewed by Michael Catanzaro.
2364
2365         * CMakeLists.txt:
2366
2367 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2368
2369         [WTF] Use std::unique_ptr for StackTrace
2370         https://bugs.webkit.org/show_bug.cgi?id=174495
2371
2372         Reviewed by Alex Christensen.
2373
2374         * runtime/ExceptionScope.cpp:
2375         (JSC::ExceptionScope::unexpectedExceptionMessage):
2376         * runtime/VM.cpp:
2377         (JSC::VM::throwException):
2378
2379 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2380
2381         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2382         https://bugs.webkit.org/show_bug.cgi?id=174423
2383
2384         Reviewed by Saam Barati.
2385
2386         * dfg/DFGAvailabilityMap.cpp:
2387         (JSC::DFG::AvailabilityMap::pruneHeap):
2388         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2389
2390 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2391
2392         Fix compiler warnings when building with GCC 7
2393         https://bugs.webkit.org/show_bug.cgi?id=174463
2394
2395         Reviewed by Darin Adler.
2396
2397         * disassembler/udis86/udis86_decode.c:
2398         (decode_operand):
2399
2400 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2401
2402         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2403         https://bugs.webkit.org/show_bug.cgi?id=174467
2404
2405         Reviewed by Saam Barati.
2406
2407         * bytecode/CallLinkInfo.cpp:
2408         (JSC::CallLinkInfo::callTypeFor):
2409
2410 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2411
2412         Web Inspector: Remove unused and untested Page domain commands
2413         https://bugs.webkit.org/show_bug.cgi?id=174429
2414
2415         Reviewed by Timothy Hatcher.
2416
2417         * inspector/protocol/Page.json:
2418
2419 2017-07-13  Saam Barati  <sbarati@apple.com>
2420
2421         Missing exception check in JSObject::hasInstance
2422         https://bugs.webkit.org/show_bug.cgi?id=174455
2423         <rdar://problem/31384608>
2424
2425         Reviewed by Mark Lam.
2426
2427         * runtime/JSObject.cpp:
2428         (JSC::JSObject::hasInstance):
2429
2430 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2431
2432         [ESnext] Implement Object Spread
2433         https://bugs.webkit.org/show_bug.cgi?id=167963
2434
2435         Reviewed by Saam Barati.
2436
2437         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
2438         It's implemented using CopyDataPropertiesNoExclusions to copy
2439         all enumerable keys from the object being spread. The implementation of
2440         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2441         implementation; however, we don't receive excludedNames as a parameter.
2442
2443         [1] - https://github.com/tc39/proposal-object-rest-spread
2444
2445         * builtins/GlobalOperations.js:
2446         (globalPrivate.copyDataPropertiesNoExclusions):
2447         * bytecompiler/BytecodeGenerator.cpp:
2448         (JSC::BytecodeGenerator::emitLoad):
2449         * bytecompiler/NodesCodegen.cpp:
2450         (JSC::PropertyListNode::emitBytecode):
2451         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2452         * parser/ASTBuilder.h:
2453         (JSC::ASTBuilder::createObjectSpreadExpression):
2454         (JSC::ASTBuilder::createProperty):
2455         * parser/NodeConstructors.h:
2456         (JSC::PropertyNode::PropertyNode):
2457         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2458         * parser/Nodes.h:
2459         (JSC::ObjectSpreadExpressionNode::expression):
2460         * parser/Parser.cpp:
2461         (JSC::Parser<LexerType>::parseProperty):
2462         * parser/SyntaxChecker.h:
2463         (JSC::SyntaxChecker::createObjectSpreadExpression):
2464         (JSC::SyntaxChecker::createProperty):
2465
2466 2017-07-12  Mark Lam  <mark.lam@apple.com>
2467
2468         Gardening: build fix after r219434.
2469         https://bugs.webkit.org/show_bug.cgi?id=174441
2470
2471         Not reviewed.
2472
2473         Make public some MacroAssembler functions that are needed by the probe implementation.
2474
2475         * assembler/MacroAssemblerARM.h:
2476         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2477         * assembler/MacroAssemblerARMv7.h:
2478         (JSC::MacroAssemblerARMv7::linkCall):
2479
2480 2017-07-12  Mark Lam  <mark.lam@apple.com>
2481
2482         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2483         https://bugs.webkit.org/show_bug.cgi?id=174441
2484
2485         Reviewed by Saam Barati.
2486
2487         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2488         to MacroAssembler.  There is no code behavior change.
2489
2490         * assembler/AbstractMacroAssembler.h:
2491         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2492         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2493         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2494         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2495         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2496         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2497         * assembler/MacroAssembler.h:
2498         (JSC::MacroAssembler::CPUState::gprName):
2499         (JSC::MacroAssembler::CPUState::fprName):
2500         (JSC::MacroAssembler::CPUState::gpr):
2501         (JSC::MacroAssembler::CPUState::fpr):
2502         * assembler/MacroAssemblerARM.cpp:
2503         (JSC::MacroAssembler::probe):
2504         (JSC::MacroAssemblerARM::probe): Deleted.
2505         * assembler/MacroAssemblerARM.h:
2506         * assembler/MacroAssemblerARM64.cpp:
2507         (JSC::MacroAssembler::probe):
2508         (JSC::MacroAssemblerARM64::probe): Deleted.
2509         * assembler/MacroAssemblerARM64.h:
2510         * assembler/MacroAssemblerARMv7.cpp:
2511         (JSC::MacroAssembler::probe):
2512         (JSC::MacroAssemblerARMv7::probe): Deleted.
2513         * assembler/MacroAssemblerARMv7.h:
2514         * assembler/MacroAssemblerMIPS.h:
2515         * assembler/MacroAssemblerX86Common.cpp:
2516         (JSC::MacroAssembler::probe):
2517         (JSC::MacroAssemblerX86Common::probe): Deleted.
2518         * assembler/MacroAssemblerX86Common.h:
2519
2520 2017-07-12  Saam Barati  <sbarati@apple.com>
2521
2522         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2523         https://bugs.webkit.org/show_bug.cgi?id=174411
2524         <rdar://problem/31696186>
2525
2526         Reviewed by Mark Lam.
2527
2528         The code for deleting an argument was incorrectly referencing state
2529         when it decided if it should unmap or mark a property as having its
2530         descriptor modified. This patch fixes the bug where if we delete a
2531         property, we would sometimes not unmap an argument when deleting it.
2532
2533         * runtime/GenericArgumentsInlines.h:
2534         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2535         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2536         (JSC::GenericArguments<Type>::deleteProperty):
2537         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2538
2539 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2540
2541         Unreviewed, rolling out r219176.
2542         https://bugs.webkit.org/show_bug.cgi?id=174436
2543
2544         "Can cause infinite recursion on iOS" (Requested by mlam on
2545         #webkit).
2546
2547         Reverted changeset:
2548
2549         "WTF::Thread should have the threads stack bounds."
2550         https://bugs.webkit.org/show_bug.cgi?id=173975
2551         http://trac.webkit.org/changeset/219176
2552
2553 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2554
2555         Unreviewed, rolling out r219401.
2556
2557         This revision rolled out the previous patch, but after talking
2558         with the reviewer, a rebaseline is what was needed. Rolling back in
2559         before rebaseline.
2560
2561         Reverted changeset:
2562
2563         "Unreviewed, rolling out r219379."
2564         https://bugs.webkit.org/show_bug.cgi?id=174400
2565         http://trac.webkit.org/changeset/219401
2566
2567 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2568
2569         Unreviewed, rolling out r219379.
2570
2571         This revision caused a consistent failure in the test
2572         fast/dom/Window/property-access-on-cached-window-after-frame-
2573         removed.html.
2574
2575         Reverted changeset:
2576
2577         "Remove NAVIGATOR_HWCONCURRENCY"
2578         https://bugs.webkit.org/show_bug.cgi?id=174400
2579         http://trac.webkit.org/changeset/219379
2580
2581 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2582
2583         Wrong radix used in Unicode Escape in invalid character error message
2584         https://bugs.webkit.org/show_bug.cgi?id=174419
2585
2586         Reviewed by Alex Christensen.
2587
2588         * parser/Lexer.cpp:
2589         (JSC::Lexer<T>::invalidCharacterMessage):
2590
2591 2017-07-11  Dean Jackson  <dino@apple.com>
2592
2593         Remove NAVIGATOR_HWCONCURRENCY
2594         https://bugs.webkit.org/show_bug.cgi?id=174400
2595
2596         Reviewed by Sam Weinig.
2597
2598         * Configurations/FeatureDefines.xcconfig:
2599
2600 2017-07-11  Dean Jackson  <dino@apple.com>
2601
2602         Rolling out r219372.
2603
2604         * Configurations/FeatureDefines.xcconfig:
2605
2606 2017-07-11  Dean Jackson  <dino@apple.com>
2607
2608         Remove NAVIGATOR_HWCONCURRENCY
2609         https://bugs.webkit.org/show_bug.cgi?id=174400
2610
2611         Reviewed by Sam Weinig.
2612
2613         * Configurations/FeatureDefines.xcconfig:
2614
2615 2017-07-11  Saam Barati  <sbarati@apple.com>
2616
2617         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2618         https://bugs.webkit.org/show_bug.cgi?id=174397
2619
2620         Rubber stamped by David Kilzer.
2621
2622         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2623         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2624
2625 2017-07-10  Saam Barati  <sbarati@apple.com>
2626
2627         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2628         https://bugs.webkit.org/show_bug.cgi?id=174321
2629         <rdar://problem/32604963>
2630
2631         Reviewed by Filip Pizlo.
2632
2633         When the allocation sinking phase was generating stores to materialize
2634         objects in a cycle with each other, it would assume that each materialized
2635         object had a valid, non-empty set of structures. This is an OK assumption for
2636         the phase to make because how do you materialize an object with no structure?
2637         
2638         The abstract interpretation part of the phase will model what's in the heap.
2639         However, it would sometimes model that a CheckStructure would fail. The phase
2640         did nothing special for this; it just stored the empty set of structures for
2641         its representation of a particular allocation. However, what the phase proved
2642         in such a scenario is that, had the CheckStructure executed, it would have exited.
2643         
2644         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2645         This will cause the allocation in question to be materialized just before
2646         the CheckStructure, and then at execution time, the CheckStructure will exit.
2647         
2648         I wasn't able to write a test case for this. However, I was able to reproduce
2649         this crash by manually editing the IR. I've opened a separate bug to help us
2650         create a testing framework for writing tests for hard to reproduce bugs like this:
2651         https://bugs.webkit.org/show_bug.cgi?id=174322
2652
2653         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2654
2655 2017-07-10  Devin Rousso  <drousso@apple.com>
2656
2657         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2658         https://bugs.webkit.org/show_bug.cgi?id=174279
2659
2660         Reviewed by Matt Baker.
2661
2662         * inspector/protocol/DOM.json:
2663         Add `highlightNodeList` command that will highlight each node in the given list.
2664
2665 2017-07-03  Brian Burg  <bburg@apple.com>
2666
2667         Web Replay: remove some unused code
2668         https://bugs.webkit.org/show_bug.cgi?id=173903
2669
2670         Rubber-stamped by Joseph Pecoraro.
2671
2672         * CMakeLists.txt:
2673         * Configurations/FeatureDefines.xcconfig:
2674         * DerivedSources.make:
2675         * JavaScriptCore.xcodeproj/project.pbxproj:
2676         * inspector/protocol/Replay.json: Removed.
2677         * replay/EmptyInputCursor.h: Removed.
2678         * replay/EncodedValue.cpp: Removed.
2679         * replay/EncodedValue.h: Removed.
2680         * replay/InputCursor.h: Removed.
2681         * replay/JSInputs.json: Removed.
2682         * replay/NondeterministicInput.h: Removed.
2683         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2684         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2685         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2686         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2687         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2688         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2689         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2690         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2691         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2692         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2693         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2694         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2695         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2696         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2697         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2698         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2699         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2700         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2701         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2702         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2703         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2704         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2705         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2706         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2707         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2708         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2709         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2710         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2711         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
2712         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
2713         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
2714         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
2715         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
2716         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
2717         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
2718         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
2719         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
2720         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
2721         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
2722         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
2723         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
2724         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
2725         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
2726         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
2727         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
2728         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
2729         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
2730         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
2731         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
2732         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
2733         * replay/scripts/tests/generate-input-with-guard.json: Removed.
2734         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
2735         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
2736         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
2737         * runtime/DateConstructor.cpp:
2738         (JSC::constructDate):
2739         (JSC::dateNow):
2740         (JSC::deterministicCurrentTime): Deleted.
2741         * runtime/JSGlobalObject.cpp:
2742         (JSC::JSGlobalObject::JSGlobalObject):
2743         (JSC::JSGlobalObject::setInputCursor): Deleted.
2744         * runtime/JSGlobalObject.h:
2745         (JSC::JSGlobalObject::inputCursor): Deleted.
2746
2747 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2748
2749         Move make-js-file-arrays.py from WebCore to JavaScriptCore
2750         https://bugs.webkit.org/show_bug.cgi?id=174024
2751
2752         Reviewed by Michael Catanzaro.
2753
2754         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
2755         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
2756         Added a command line option to pass the namespace to use instead of WebCore.
2757
2758         * JavaScriptCore.xcodeproj/project.pbxproj:
2759         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
2760         (main):
2761
2762 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2763
2764         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
2765         https://bugs.webkit.org/show_bug.cgi?id=174296
2766
2767         Reviewed by Mark Lam.
2768
2769         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
2770         This caused a problem in scanning template literals: while template literals normalize
2771         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
2772         To handle it correctly, LineNumberAdder was introduced.
2773
2774         As of r219263, <LF><CR> is counted as two line terminators, so we no longer need
2775         LineNumberAdder. Let's just use shiftLineTerminator() instead.
2776
2777         * parser/Lexer.cpp:
2778         (JSC::Lexer<T>::parseTemplateLiteral):
2779         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
2780         (JSC::LineNumberAdder::clear): Deleted.
2781         (JSC::LineNumberAdder::add): Deleted.
2782
2783 2017-07-09  Dan Bernstein  <mitz@apple.com>
2784
2785         [Xcode] ICU headers aren’t treated as system headers after r219155
2786         https://bugs.webkit.org/show_bug.cgi?id=174299
2787
2788         Reviewed by Sam Weinig.
2789
2790         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
2791           C++ compilers.
2792
2793         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
2794         * runtime/IntlDateTimeFormat.cpp: Ditto.
2795         * runtime/JSGlobalObject.cpp: Ditto.
2796         * runtime/StringPrototype.cpp: Ditto.
2797
2798 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2799
2800         [JSC] Use fastMalloc / fastFree for STL containers
2801         https://bugs.webkit.org/show_bug.cgi?id=174297
2802
2803         Reviewed by Sam Weinig.
2804
2805         In some places, we intentionally use STL containers over WTF containers.
2806         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
2807         because we do not have effective empty / deleted representations in the key's value space.
2808         But just using STL containers means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
2809
2810         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
2811         We pass this allocator as the STL containers' allocator template parameter so they allocate memory from fastMalloc.
2812
2813         This WTF::FastAllocator gives us a chance to use STL containers when necessary
2814         without compromising memory allocation throughput.
2815
2816         * dfg/DFGGraph.h:
2817         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2818         * ftl/FTLLowerDFGToB3.cpp:
2819         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2820         * runtime/FunctionHasExecutedCache.h:
2821         * runtime/TypeLocationCache.h:
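
Added example, not WTF's FastAllocator or any WebKit code: a minimal C++ allocator that routes every STL container allocation through a malloc/free pair, with a constructed counting shim (fakeFastMalloc/fakeFastFree) standing in for fastMalloc/fastFree so the test can prove the container storage went through it.

```cpp
#include <cstddef>
#include <cstdlib>
#include <new>
#include <unordered_map>
#include <unordered_set>
#include <utility>

// Constructed stand-ins for fastMalloc/fastFree (not the real bmalloc entry points).
// They count calls so we can verify that container nodes and buckets came from here.
static std::size_t g_fastMallocCalls = 0;
static std::size_t g_fastFreeCalls = 0;

static void* fakeFastMalloc(std::size_t size) {
    ++g_fastMallocCalls;
    void* p = std::malloc(size);
    if (!p) throw std::bad_alloc();
    return p;
}

static void fakeFastFree(void* p) {
    if (p) ++g_fastFreeCalls;
    std::free(p);
}

// Minimal C++11 allocator: the only required members are value_type, allocate,
// deallocate, a converting constructor and equality. std::allocator_traits fills in the rest.
template <typename T>
struct FastAllocator {
    using value_type = T;

    FastAllocator() = default;
    template <typename U> FastAllocator(const FastAllocator<U>&) noexcept {}

    T* allocate(std::size_t n) {
        // Guard the byte-count multiplication against overflow before calling malloc.
        if (n > static_cast<std::size_t>(-1) / sizeof(T)) throw std::bad_alloc();
        return static_cast<T*>(fakeFastMalloc(n * sizeof(T)));
    }
    void deallocate(T* p, std::size_t) noexcept { fakeFastFree(p); }
};

template <typename T, typename U>
bool operator==(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return true; }
template <typename T, typename U>
bool operator!=(const FastAllocator<T>&, const FastAllocator<U>&) noexcept { return false; }

// Aliases in the spirit of the patch: STL hash containers whose storage comes from the
// fast allocator. Chosen over WTF::Hash{Set,Map} when the key type has no spare value
// to serve as the empty/deleted sentinel.
template <typename Key>
using FastUnorderedSet = std::unordered_set<Key, std::hash<Key>, std::equal_to<Key>, FastAllocator<Key>>;

template <typename Key, typename Value>
using FastUnorderedMap = std::unordered_map<Key, Value, std::hash<Key>, std::equal_to<Key>,
                                            FastAllocator<std::pair<const Key, Value>>>;

struct AllocStats { std::size_t mallocs; std::size_t frees; };

// Builds a set and a map inside a scope and reports how many calls reached the shim.
// Every node and bucket array is allocated and later released through FastAllocator,
// so the counts must be nonzero and balanced once the containers are destroyed.
AllocStats exerciseFastContainers() {
    g_fastMallocCalls = 0;
    g_fastFreeCalls = 0;
    {
        FastUnorderedSet<int> set;
        for (int i = 0; i < 64; ++i) set.insert(i);

        FastUnorderedMap<int, int> map;
        for (int i = 0; i < 64; ++i) map[i] = i * i;
    }
    return { g_fastMallocCalls, g_fastFreeCalls };
}

// True when the containers allocated through the shim and released everything they took.
bool fastContainersBalanced() {
    AllocStats stats = exerciseFastContainers();
    return stats.mallocs > 0 && stats.mallocs == stats.frees;
}
```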
2822
2823 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2824
2825         Drop NOSNIFF compile flag
2826         https://bugs.webkit.org/show_bug.cgi?id=174289
2827
2828         Reviewed by Michael Catanzaro.
2829
2830         * Configurations/FeatureDefines.xcconfig:
2831
2832 2017-07-07  AJ Ringer  <aringer@apple.com>
2833
2834         Lower the max_protection for the separated heap
2835         https://bugs.webkit.org/show_bug.cgi?id=174281
2836
2837         Reviewed by Oliver Hunt.
2838
2839         Switch to vm_protect so we can set maximum page protection.
2840
2841         * jit/ExecutableAllocator.cpp:
2842         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2843         (JSC::ExecutableAllocator::allocate):
2844
2845 2017-07-07  Devin Rousso  <drousso@apple.com>
2846
2847         Web Inspector: Show all elements currently using a given CSS Canvas
2848         https://bugs.webkit.org/show_bug.cgi?id=173965
2849
2850         Reviewed by Joseph Pecoraro.
2851
2852         * inspector/protocol/Canvas.json:
2853          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
2854            canvas via -webkit-canvas.
2855          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
2856            added to or removed from the list of -webkit-canvas clients.
2857
2858 2017-07-07  Mark Lam  <mark.lam@apple.com>
2859
2860         \n\r is not the same as \r\n.
2861         https://bugs.webkit.org/show_bug.cgi?id=173053
2862
2863         Reviewed by Keith Miller.
2864
2865         * parser/Lexer.cpp:
2866         (JSC::Lexer<T>::shiftLineTerminator):
2867         (JSC::LineNumberAdder::add):
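
Added example for this entry and for the LineNumberAdder removal above (r219263); it is not JSC's Lexer code. It counts line terminators the way those entries describe: <CR><LF> is one terminator, <LF><CR> is two, and template-literal normalization of <LF><CR> to <LF><LF> then agrees with the raw count without a LineNumberAdder. Only ASCII terminators are handled; the function names are constructed for this example.

```cpp
#include <cstddef>
#include <string>

// Returns the index just past the line terminator starting at `i`; the caller
// guarantees src[i] is '\n' or '\r'. Mirrors the shape of a shiftLineTerminator():
// only the <CR><LF> pair is consumed as a unit, so <LF><CR> is two separate terminators.
static std::size_t shiftLineTerminator(const std::string& src, std::size_t i) {
    if (src[i] == '\r' && i + 1 < src.size() && src[i + 1] == '\n')
        return i + 2;   // <CR><LF>: one terminator
    return i + 1;       // lone <LF>, lone <CR>, or the first half of <LF><CR>
}

// Number of line terminators in `src`, i.e. the line-number increment a lexer
// applies after scanning it.
int countLineTerminators(const std::string& src) {
    int count = 0;
    std::size_t i = 0;
    while (i < src.size()) {
        if (src[i] == '\n' || src[i] == '\r') {
            ++count;
            i = shiftLineTerminator(src, i);
        } else {
            ++i;
        }
    }
    return count;
}

// Template-literal style normalization: <CR><LF> and lone <CR> become <LF>.
// <LF><CR> therefore becomes <LF><LF>, matching its count of two terminators.
std::string normalizeLineTerminators(const std::string& src) {
    std::string out;
    out.reserve(src.size());
    std::size_t i = 0;
    while (i < src.size()) {
        if (src[i] == '\n' || src[i] == '\r') {
            out.push_back('\n');
            i = shiftLineTerminator(src, i);
        } else {
            out.push_back(src[i++]);
        }
    }
    return out;
}

// Consistency check: the raw text and its normalized form must report the same
// number of lines. Under the old "<LF><CR> is one terminator" rule this failed
// for template literals, which is what LineNumberAdder existed to patch up.
bool lineCountsAgree(const std::string& src) {
    return countLineTerminators(src) == countLineTerminators(normalizeLineTerminators(src));
}
```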
2868
2869 2017-07-07  Commit Queue  <commit-queue@webkit.org>
2870
2871         Unreviewed, rolling out r219238, r219239, and r219241.
2872         https://bugs.webkit.org/show_bug.cgi?id=174265
2873
2874         "fast/workers/dedicated-worker-lifecycle.html is flaky"
2875         (Requested by yusukesuzuki on #webkit).
2876
2877         Reverted changesets:
2878
2879         "[WTF] Implement WTF::ThreadGroup"
2880         https://bugs.webkit.org/show_bug.cgi?id=174081
2881         http://trac.webkit.org/changeset/219238
2882
2883         "Unreviewed, build fix after r219238"
2884         https://bugs.webkit.org/show_bug.cgi?id=174081
2885         http://trac.webkit.org/changeset/219239
2886
2887         "Unreviewed, CLoop build fix after r219238"
2888         https://bugs.webkit.org/show_bug.cgi?id=174081
2889         http://trac.webkit.org/changeset/219241
2890
2891 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2892
2893         Unreviewed, CLoop build fix after r219238
2894         https://bugs.webkit.org/show_bug.cgi?id=174081
2895
2896         * heap/MachineStackMarker.cpp:
2897
2898 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2899
2900         [WTF] Implement WTF::ThreadGroup
2901         https://bugs.webkit.org/show_bug.cgi?id=174081
2902
2903         Reviewed by Mark Lam.
2904
2905         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup,
2906         and SamplingProfiler and others interact with WTF::Thread directly.
2907
2908         * API/tests/ExecutionTimeLimitTest.cpp:
2909         * heap/MachineStackMarker.cpp:
2910         (JSC::MachineThreads::MachineThreads):
2911         (JSC::captureStack):
2912         (JSC::MachineThreads::tryCopyOtherThreadStack):
2913         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2914         (JSC::MachineThreads::gatherConservativeRoots):
2915         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2916         (JSC::ActiveMachineThreadsManager::add): Deleted.
2917         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2918         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2919         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2920         (JSC::activeMachineThreadsManager): Deleted.
2921         (JSC::MachineThreads::~MachineThreads): Deleted.
2922         (JSC::MachineThreads::addCurrentThread): Deleted.
2923         (): Deleted.
2924         (JSC::MachineThreads::removeThread): Deleted.
2925         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2926         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2927         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2928         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2929         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2930         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2931         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2932         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2933         * heap/MachineStackMarker.h:
2934         (JSC::MachineThreads::addCurrentThread):
2935         (JSC::MachineThreads::getLock):
2936         (JSC::MachineThreads::threads):
2937         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2938         (JSC::MachineThreads::MachineThread::resume): Deleted.
2939         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2940         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2941         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2942         (JSC::MachineThreads::threadsListHead): Deleted.
2943         * runtime/SamplingProfiler.cpp:
2944         (JSC::FrameWalker::isValidFramePointer):
2945         (JSC::SamplingProfiler::SamplingProfiler):
2946         (JSC::SamplingProfiler::takeSample):
2947         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2948         * runtime/SamplingProfiler.h:
2949         * wasm/WasmMachineThreads.cpp:
2950         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2951
2952 2017-07-06  Saam Barati  <sbarati@apple.com>
2953
2954         We are missing places where we invalidate the for-in context
2955         https://bugs.webkit.org/show_bug.cgi?id=174184
2956
2957         Reviewed by Geoffrey Garen.
2958
2959         * bytecompiler/BytecodeGenerator.cpp:
2960         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2961         * bytecompiler/NodesCodegen.cpp:
2962         (JSC::EmptyLetExpression::emitBytecode):
2963         (JSC::ForInNode::emitLoopHeader):
2964         (JSC::ForOfNode::emitBytecode):
2965         (JSC::BindingNode::bindValue):
2966
2967 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2968
2969         Unreviewed, suppress warnings in GCC environment
2970
2971         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2972         * runtime/IntlCollator.cpp:
2973         * runtime/IntlDateTimeFormat.cpp:
2974         * runtime/JSGlobalObject.cpp:
2975         * runtime/StringPrototype.cpp:
2976
2977 2017-07-05  Saam Barati  <sbarati@apple.com>
2978
2979         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2980         https://bugs.webkit.org/show_bug.cgi?id=174188
2981         <rdar://problem/30581423>
2982
2983         Reviewed by Mark Lam.
2984
2985         We were calling lowJSValue(edge) when we were speculating the
2986         edge as double. This isn't allowed. We should have been using
2987         lowDouble.
2988         
2989         This patch also adds a new option, called useArrayAllocationProfiling,
2990         which defaults to true. When false, it will make the array allocation
2991         profile not actually sample seen arrays. It'll force the allocation
2992         profile's predicted indexing type to be ArrayWithUndecided. Adding
2993         this option made it trivial to write a test for this bug.
2994
2995         * bytecode/ArrayAllocationProfile.cpp:
2996         (JSC::ArrayAllocationProfile::updateIndexingType):
2997         * ftl/FTLLowerDFGToB3.cpp:
2998         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2999         * runtime/Options.h:
3000
3001 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3002
3003         WTF::Thread should have the thread's stack bounds.
3004         https://bugs.webkit.org/show_bug.cgi?id=173975
3005
3006         Reviewed by Keith Miller.
3007
3008         There is a site in JSC that tries to walk another thread's stack.
3009         Currently, stack bounds are stored in WTFThreadData, which is located
3010         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3011         We work around this situation by holding StackBounds in MachineThread in JSC,
3012         but StackBounds should be put in WTF::Thread instead.
3013
3014         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3015         information is tightly coupled with Thread, so putting it in WTF::Thread
3016         is a natural choice.
3017
3018         * heap/MachineStackMarker.cpp:
3019         (JSC::MachineThreads::MachineThread::MachineThread):
3020         (JSC::MachineThreads::MachineThread::captureStack):
3021         * heap/MachineStackMarker.h:
3022         (JSC::MachineThreads::MachineThread::stackBase):
3023         (JSC::MachineThreads::MachineThread::stackEnd):
3024         * runtime/InitializeThreading.cpp:
3025         (JSC::initializeThreading):
3026         * runtime/VM.cpp:
3027         (JSC::VM::VM):
3028         (JSC::VM::updateStackLimits):
3029         (JSC::VM::committedStackByteCount):
3030         * runtime/VM.h:
3031         (JSC::VM::isSafeToRecurse):
3032         * runtime/VMEntryScope.cpp:
3033         (JSC::VMEntryScope::VMEntryScope):
3034         * runtime/VMInlines.h:
3035         (JSC::VM::ensureStackCapacityFor):
3036         * runtime/VMTraps.cpp:
3037         * yarr/YarrPattern.cpp:
3038         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3039
3040 2017-07-05  Keith Miller  <keith_miller@apple.com>
3041
3042         Crashing with information should have an abort reason
3043         https://bugs.webkit.org/show_bug.cgi?id=174185
3044
3045         Reviewed by Saam Barati.
3046
3047         Add crash information for the abstract interpreter and add an enum
3048         value for object allocation sinking.
3049
3050         * assembler/AbortReason.h:
3051         * dfg/DFGAbstractInterpreterInlines.h:
3052         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3053         * dfg/DFGGraph.cpp:
3054         (JSC::DFG::logDFGAssertionFailure):
3055         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3056
3057 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3058
3059         Remove copy of ICU headers from WebKit
3060         https://bugs.webkit.org/show_bug.cgi?id=116407
3061
3062         Reviewed by Alex Christensen.
3063
3064         Use WTF's copy of ICU headers.
3065
3066         * Configurations/Base.xcconfig:
3067         * icu/unicode/localpointer.h: Removed.
3068         * icu/unicode/parseerr.h: Removed.
3069         * icu/unicode/platform.h: Removed.
3070         * icu/unicode/ptypes.h: Removed.
3071         * icu/unicode/putil.h: Removed.
3072         * icu/unicode/uchar.h: Removed.
3073         * icu/unicode/ucnv.h: Removed.
3074         * icu/unicode/ucnv_err.h: Removed.
3075         * icu/unicode/ucol.h: Removed.
3076         * icu/unicode/uconfig.h: Removed.
3077         * icu/unicode/ucurr.h: Removed.
3078         * icu/unicode/uenum.h: Removed.
3079         * icu/unicode/uiter.h: Removed.
3080         * icu/unicode/uloc.h: Removed.
3081         * icu/unicode/umachine.h: Removed.
3082         * icu/unicode/unorm.h: Removed.
3083         * icu/unicode/unorm2.h: Removed.
3084         * icu/unicode/urename.h: Removed.
3085         * icu/unicode/uscript.h: Removed.
3086         * icu/unicode/uset.h: Removed.
3087         * icu/unicode/ustring.h: Removed.
3088         * icu/unicode/utf.h: Removed.
3089         * icu/unicode/utf16.h: Removed.
3090         * icu/unicode/utf8.h: Removed.
3091         * icu/unicode/utf_old.h: Removed.
3092         * icu/unicode/utypes.h: Removed.
3093         * icu/unicode/uvernum.h: Removed.
3094         * icu/unicode/uversion.h: Removed.
3095         * runtime/IntlCollator.cpp:
3096         * runtime/IntlDateTimeFormat.cpp:
3097         (JSC::IntlDateTimeFormat::partTypeString):
3098         * runtime/JSGlobalObject.cpp:
3099         * runtime/StringPrototype.cpp:
3100         (JSC::normalize):
3101         (JSC::stringProtoFuncNormalize):
3102
3103 2017-07-05  Devin Rousso  <drousso@apple.com>
3104
3105         Web Inspector: Allow users to log any tracked canvas context
3106         https://bugs.webkit.org/show_bug.cgi?id=173397
3107         <rdar://problem/33111581>
3108
3109         Reviewed by Joseph Pecoraro.
3110
3111         * inspector/protocol/Canvas.json:
3112         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
3113
3114 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
3115
3116         Add WebKitPrivateFrameworkStubs for iOS 11
3117         https://bugs.webkit.org/show_bug.cgi?id=173988
3118
3119         Reviewed by David Kilzer.
3120
3121         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
3122         same directory for private framework stubs.
3123
3124 2017-07-05  JF Bastien  <jfbastien@apple.com>
3125
3126         WebAssembly: implement name section's module name, skip unknown sections
3127         https://bugs.webkit.org/show_bug.cgi?id=172008
3128
3129         Reviewed by Keith Miller.
3130
3131         Parse the WebAssembly module name properly, and skip unknown
3132         sections. This is useful because as toolchains support new types
3133         of names we want to keep displaying the information we know about
3134         and simply ignore new information. That capability was designed
3135         into WebAssembly's name section.
3136
3137         Failure to commit this patch would mean that WebKit won't display
3138         stack trace information, which would make developers sad.
3139
3140         Module names were added here: https://github.com/WebAssembly/design/pull/1055
3141
3142         Note that this patch doesn't do anything with the parsed name! Two
3143         reasons for this: module names aren't supported in binaryen yet,
3144         so I can't write a simple binary test; and using the name is a
3145         slightly riskier change because it requires changing StackVisitor
3146         + StackFrame (where they print "[wasm code]") which requires
3147         figuring out the frame's Module. The latter bit isn't trivial
3148         because we only know wasm frames from their tag bits, and
3149         CodeBlocks are always nullptr.
3150
3151         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
3152
3153         I filed #174098 to use the module name.
3154
3155         * wasm/WasmFormat.h:
3156         (JSC::Wasm::isValidNameType):
3157         * wasm/WasmNameSectionParser.cpp:
3158
3159 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
3160
3161         Cleanup some StringBuilder use
3162         https://bugs.webkit.org/show_bug.cgi?id=174118
3163
3164         Reviewed by Andreas Kling.
3165
3166         * runtime/FunctionConstructor.cpp:
3167         (JSC::constructFunctionSkippingEvalEnabledCheck):
3168         * tools/FunctionOverrides.cpp:
3169         (JSC::parseClause):
3170         * wasm/WasmOMGPlan.cpp:
3171         * wasm/WasmPlan.cpp:
3172         * wasm/WasmValidate.cpp:
3173
3174 2017-07-03  Saam Barati  <sbarati@apple.com>
3175
3176         LayoutTest workers/bomb.html is a Crash
3177         https://bugs.webkit.org/show_bug.cgi?id=167757
3178         <rdar://problem/33086462>
3179
3180         Reviewed by Keith Miller.
3181
3182         VMTraps::SignalSender was accessing VM fields even after
3183         the VM was destroyed. This happened when the SignalSender
3184         thread was in the middle of its work() function while VMTraps
3185         was notified that the VM was shutting down. The VM would proceed
3186         to run its destructor even after the SignalSender thread finished
3187         doing its work. This means that the SignalSender thread was accessing
3188         VM fields even after the VM was destructed (including itself, since it is
3189         transitively owned by the VM). The VM must wait for the SignalSender
3190         thread to shut down before it can continue to destruct itself.
3191
3192         * runtime/VMTraps.cpp:
3193         (JSC::VMTraps::willDestroyVM):
3194
3195 2017-07-03  Saam Barati  <sbarati@apple.com>
3196
3197         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
3198         https://bugs.webkit.org/show_bug.cgi?id=174110
3199
3200         Reviewed by Michael Saboff.
3201
3202         * dfg/DFGByteCodeParser.cpp:
3203         (JSC::DFG::ByteCodeParser::parseBlock):
3204
3205 2017-07-03  Saam Barati  <sbarati@apple.com>
3206
3207         Add a new assertion to object allocation sinking phase
3208         https://bugs.webkit.org/show_bug.cgi?id=174107
3209
3210         Rubber stamped by Filip Pizlo.
3211
3212         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3213
3214 2017-07-03  Commit Queue  <commit-queue@webkit.org>
3215
3216         Unreviewed, rolling out r219060.
3217         https://bugs.webkit.org/show_bug.cgi?id=174108
3218
3219         crashing constantly when initializing UIWebView (Requested by
3220         thorton on #webkit).
3221
3222         Reverted changeset:
3223
3224         "WTF::Thread should have the thread's stack bounds."
3225         https://bugs.webkit.org/show_bug.cgi?id=173975
3226         http://trac.webkit.org/changeset/219060
3227
3228 2017-07-03  Matt Lewis  <jlewis3@apple.com>
3229
3230         Unreviewed, rolling out r219103.
3231
3232         Caused multiple build failures.
3233
3234         Reverted changeset:
3235
3236         "Remove copy of ICU headers from WebKit"
3237         https://bugs.webkit.org/show_bug.cgi?id=116407
3238         http://trac.webkit.org/changeset/219103
3239
3240 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3241
3242         Remove copy of ICU headers from WebKit
3243         https://bugs.webkit.org/show_bug.cgi?id=116407
3244
3245         Reviewed by Alex Christensen.
3246
3247         Use WTF's copy of ICU headers.
3248
3249         * Configurations/Base.xcconfig:
3250         * icu/unicode/localpointer.h: Removed.
3251         * icu/unicode/parseerr.h: Removed.
3252         * icu/unicode/platform.h: Removed.
3253         * icu/unicode/ptypes.h: Removed.
3254         * icu/unicode/putil.h: Removed.
3255         * icu/unicode/uchar.h: Removed.
3256         * icu/unicode/ucnv.h: Removed.
3257         * icu/unicode/ucnv_err.h: Removed.
3258         * icu/unicode/ucol.h: Removed.
3259         * icu/unicode/uconfig.h: Removed.
3260         * icu/unicode/ucurr.h: Removed.
3261         * icu/unicode/uenum.h: Removed.
3262         * icu/unicode/uiter.h: Removed.
3263         * icu/unicode/uloc.h: Removed.
3264         * icu/unicode/umachine.h: Removed.
3265         * icu/unicode/unorm.h: Removed.
3266         * icu/unicode/unorm2.h: Removed.
3267         * icu/unicode/urename.h: Removed.
3268         * icu/unicode/uscript.h: Removed.
3269         * icu/unicode/uset.h: Removed.
3270         * icu/unicode/ustring.h: Removed.
3271         * icu/unicode/utf.h: Removed.
3272         * icu/unicode/utf16.h: Removed.
3273         * icu/unicode/utf8.h: Removed.
3274         * icu/unicode/utf_old.h: Removed.
3275         * icu/unicode/utypes.h: Removed.
3276         * icu/unicode/uvernum.h: Removed.
3277         * icu/unicode/uversion.h: Removed.
3278         * runtime/IntlCollator.cpp:
3279         * runtime/IntlDateTimeFormat.cpp:
3280         * runtime/JSGlobalObject.cpp:
3281         * runtime/StringPrototype.cpp:
3282
3283 2017-07-03  Saam Barati  <sbarati@apple.com>
3284
3285         Add better crash logging for allocation sinking phase
3286         https://bugs.webkit.org/show_bug.cgi?id=174102
3287         <rdar://problem/33112092>
3288
3289         Rubber stamped by Filip Pizlo.
3290
3291         I'm trying to gather better information from crash logs about why
3292         we're crashing in the allocation sinking phase. I'm adding an allocation-
3293         sinking-specific RELEASE_ASSERT as well as marking a few functions as
3294         NEVER_INLINE so that the stack traces in the crash log contain more
3295         actionable information.
3296
3297         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3298
3299 2017-07-03  Sam Weinig  <sam@webkit.org>
3300
3301         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
3302         https://bugs.webkit.org/show_bug.cgi?id=174083
3303
3304         Reviewed by Alex Christensen.
3305
3306         * Configurations/FeatureDefines.xcconfig:
3307         Add ENABLE_NAVIGATOR_STANDALONE.
3308
3309 2017-07-03  Andy Estes  <aestes@apple.com>
3310
3311         [Xcode] Add an experimental setting to build with ccache
3312         https://bugs.webkit.org/show_bug.cgi?id=173875
3313
3314         Reviewed by Tim Horton.
3315
3316         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
3317
3318 2017-07-03  Devin Rousso  <drousso@apple.com>
3319
3320         Web Inspector: Support listing WebGL2 and WebGPU contexts
3321         https://bugs.webkit.org/show_bug.cgi?id=173396
3322
3323         Reviewed by Joseph Pecoraro.
3324
3325         * inspector/protocol/Canvas.json:
3326         * inspector/scripts/codegen/generator.py:
3327         (Generator.stylized_name_for_enum_value):
3328         Add cases for handling new Canvas.ContextType protocol enumerations:
3329          - "webgl2" maps to `WebGL2`
3330          - "webgpu" maps to `WebGPU`
3331
3332 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3333
3334         WTF::Thread should have the thread's stack bounds.
3335         https://bugs.webkit.org/show_bug.cgi?id=173975
3336
3337         Reviewed by Mark Lam.
3338
3339         There is a site in JSC that tries to walk another thread's stack.
3340         Currently, stack bounds are stored in WTFThreadData, which is located
3341         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3342         We work around this situation by holding StackBounds in MachineThread in JSC,
3343         but StackBounds should be put in WTF::Thread instead.
3344
3345         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3346         information is tightly coupled with Thread, so putting it in WTF::Thread
3347         is a natural choice.
3348
3349         * heap/MachineStackMarker.cpp:
3350         (JSC::MachineThreads::MachineThread::MachineThread):
3351         (JSC::MachineThreads::MachineThread::captureStack):
3352         * heap/MachineStackMarker.h:
3353         (JSC::MachineThreads::MachineThread::stackBase):
3354         (JSC::MachineThreads::MachineThread::stackEnd):
3355         * runtime/InitializeThreading.cpp:
3356         (JSC::initializeThreading):
3357         * runtime/VM.cpp:
3358         (JSC::VM::VM):
3359         (JSC::VM::updateStackLimits):
3360         (JSC::VM::committedStackByteCount):
3361         * runtime/VM.h:
3362         (JSC::VM::isSafeToRecurse):
3363         * runtime/VMEntryScope.cpp:
3364         (JSC::VMEntryScope::VMEntryScope):
3365         * runtime/VMInlines.h:
3366         (JSC::VM::ensureStackCapacityFor):
3367         * runtime/VMTraps.cpp:
3368         * yarr/YarrPattern.cpp:
3369         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3370
3371 2017-07-01  Dan Bernstein  <mitz@apple.com>
3372
3373         [iOS] Remove code only needed when building for iOS 9.x
3374         https://bugs.webkit.org/show_bug.cgi?id=174068
3375
3376         Reviewed by Tim Horton.
3377
3378         * Configurations/FeatureDefines.xcconfig:
3379         * jit/ExecutableAllocator.cpp:
3380         * runtime/Options.cpp:
3381         (JSC::recomputeDependentOptions):
3382
3383 2017-07-01  Dan Bernstein  <mitz@apple.com>
3384
3385         [macOS] Remove code only needed when building for OS X Yosemite
3386         https://bugs.webkit.org/show_bug.cgi?id=174067
3387
3388         Reviewed by Tim Horton.
3389
3390         * API/WebKitAvailability.h:
3391         * Configurations/Base.xcconfig:
3392         * Configurations/DebugRelease.xcconfig:
3393         * Configurations/FeatureDefines.xcconfig:
3394         * Configurations/Version.xcconfig:
3395
3396 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3397
3398         Unreviewed, build fix for GCC
3399         https://bugs.webkit.org/show_bug.cgi?id=174034
3400
3401         * b3/testb3.cpp:
3402         (JSC::B3::testDoubleLiteralComparison):
3403
3404 2017-06-30  Keith Miller  <keith_miller@apple.com>
3405
3406         Force crashWithInfo to be out of line.
3407         https://bugs.webkit.org/show_bug.cgi?id=174028
3408
3409         Reviewed by Filip Pizlo.
3410
3411         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
3412
3413         * dfg/DFGGraph.cpp:
3414         (JSC::DFG::logDFGAssertionFailure):
3415         (JSC::DFG::Graph::logAssertionFailure):
3416         (JSC::DFG::crash): Deleted.
3417         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3418         * dfg/DFGGraph.h:
3419
3420 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3421
3422         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
3423         https://bugs.webkit.org/show_bug.cgi?id=174053
3424
3425         Reviewed by Geoffrey Garen.
3426
3427         We already have AbstractMacroAssembler::random() function. Use it instead.
3428
3429         * jit/JIT.cpp:
3430         (JSC::JIT::JIT):
3431         (JSC::JIT::compileWithoutLinking):
3432         * jit/JIT.h:
3433
3434 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3435
3436         [WTF] Drop SymbolRegistry::keyForSymbol
3437         https://bugs.webkit.org/show_bug.cgi?id=174052
3438
3439         Reviewed by Sam Weinig.
3440
3441         * runtime/SymbolConstructor.cpp:
3442         (JSC::symbolConstructorKeyFor):
3443
3444 2017-06-30  Saam Barati  <sbarati@apple.com>
3445
3446         B3ReduceStrength should reduce EqualOrUnordered over const float input
3447         https://bugs.webkit.org/show_bug.cgi?id=174039
3448
3449         Reviewed by Michael Saboff.
3450
3451         We perform this folding for ConstDoubleValue. It is simply
3452         an oversight that we didn't do it for ConstFloatValue.
3453
3454         * b3/B3ConstFloatValue.cpp:
3455         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
3456         * b3/B3ConstFloatValue.h:
3457         * b3/testb3.cpp:
3458         (JSC::B3::testFloatEqualOrUnorderedFolding):
3459         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3460         (JSC::B3::testFloatEqualOrUnorderedDontFold):
3461         (JSC::B3::run):
3462
3463 2017-06-30  Matt Baker  <mattbaker@apple.com>
3464
3465         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
3466         https://bugs.webkit.org/show_bug.cgi?id=173840
3467         <rdar://problem/30840820>
3468
3469         Reviewed by Joseph Pecoraro.
3470
3471         When truncating an asynchronous stack trace, the parent chain is traversed
3472         until a locked node is found. The path from this node to the root is shared
3473         by more than one stack trace, and cannot be safely modified. Starting at
3474         the first locked node, the path is cloned and becomes a new stack trace tree.
3475
3476         However, the clone operation initialized each new AsyncStackTrace node with
3477         the original node's parent. This would increment the child count of the original
3478         node. When cloning nodes, new nodes should not have their parent set until the
3479         next node up the parent chain is cloned.
3480
3481         * inspector/AsyncStackTrace.cpp:
3482         (Inspector::AsyncStackTrace::truncate):
3483
3484 2017-06-30  Michael Saboff  <msaboff@apple.com>
3485
3486         RegExps anchored with .* with \g flag can return wrong match start for strings with multiple matches
3487         https://bugs.webkit.org/show_bug.cgi?id=174044
3488
3489         Reviewed by Oliver Hunt.
3490
3491         The .* enclosure optimization didn't respect that we can start matching from a non-zero
3492         index.  This optimization treats /.*<some-terms>.*/ by first matching the <some-terms> and
3493         then finding the extent of the match by going back to the beginning of the line and going
3494         forward to the end of the line.  The code that went back to the beginning of the line
3495         checked for an index of 0 instead of comparing the index to the start position.  This start
3496         position is passed as the initial index.
3497
3498         Added another temporary register to the YARR JIT to contain the start position for
3499         platforms that have spare registers.
3500
3501         * yarr/Yarr.h:
3502         * yarr/YarrInterpreter.cpp:
3503         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3504         (JSC::Yarr::Interpreter::Interpreter):
3505         * yarr/YarrJIT.cpp:
3506         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3507         (JSC::Yarr::YarrGenerator::compile):
3508         * yarr/YarrPattern.cpp:
3509         (JSC::Yarr::YarrPattern::YarrPattern):
3510         * yarr/YarrPattern.h:
3511         (JSC::Yarr::YarrPattern::reset):
3512
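The extent computation described in the entry above, as an added illustration that is not WebKit's Yarr code: the inner term is located first, then the match is widened backwards to the start of the line and forwards to its end. The backward walk is the one that must stop at the position where matching began (for a /g regexp, lastIndex; that scenario is an assumption here), not at index 0. Names such as dotStarEnclosure and matchDotStarTermDotStar are hypothetical.

```cpp
#include <cstddef>
#include <string>

// [start, end) of the whole /.*<terms>.*/ match.
struct Extent {
    size_t start;
    size_t end;
};

static bool isLineTerminator(char c) { return c == '\n' || c == '\r'; }

// Widen the inner term match [termStart, termEnd) to the enclosing line.
// `startIndex` is where matching began. The fixed version stops the backward
// walk at startIndex; the pre-fix version only stopped at index 0, which is the
// defect the entry describes.
static Extent dotStarEnclosure(const std::string& input, size_t termStart, size_t termEnd,
                               size_t startIndex, bool fixed)
{
    size_t lowerBound = fixed ? startIndex : 0;
    size_t start = termStart;
    while (start > lowerBound && !isLineTerminator(input[start - 1]))
        --start;
    size_t end = termEnd;
    while (end < input.size() && !isLineTerminator(input[end]))
        ++end;
    return { start, end };
}

// Model of the optimization: find `term` at or after startIndex, then widen it.
// Returns false when there is no match at all.
static bool matchDotStarTermDotStar(const std::string& input, const std::string& term,
                                    size_t startIndex, bool fixed, Extent& out)
{
    size_t pos = input.find(term, startIndex);
    if (pos == std::string::npos)
        return false;
    out = dotStarEnclosure(input, pos, pos + term.size(), startIndex, fixed);
    return true;
}
```

With the constructed input "foo foo" and matching started at index 2, the pre-fix walk reports the match as [0, 7) while the fixed one reports [2, 7); a line terminator before startIndex makes no difference because both walks stop there anyway.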
3513 2017-06-30  Saam Barati  <sbarati@apple.com>
3514
3515         B3MoveConstants floatZero() returns the wrong ValueKey
3516         https://bugs.webkit.org/show_bug.cgi?id=174040
3517
3518         Reviewed by Filip Pizlo.
3519
3520         It had a typo where the ValueKey for floatZero() produces a Double
3521         instead of a Float.
3522
3523         * b3/B3MoveConstants.cpp:
3524
3525 2017-06-30  Saam Barati  <sbarati@apple.com>
3526
3527         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
3528         https://bugs.webkit.org/show_bug.cgi?id=174034
3529         <rdar://problem/30793007>
3530
3531         Reviewed by Filip Pizlo.
3532
3533         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
3534         reduce binary operations over double constants into the same binary
3535         operation over the double constants cast to floats. This is clearly
3536         incorrect as these two things will produce different values. For example:
3537         
3538         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
3539         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
3540         c = EqualOrUnordered(@a, @b) // produces 0
3541         
3542         into:
3543         
3544         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
3545         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
3546         c = EqualOrUnordered(@a, @b) // produces 1
3547         
3548         Which produces a different value for @c.
3549
3550         * b3/B3ReduceDoubleToFloat.cpp:
3551         * b3/testb3.cpp:
3552         (JSC::B3::doubleEq):
3553         (JSC::B3::doubleNeq):
3554         (JSC::B3::doubleGt):
3555         (JSC::B3::doubleGte):
3556         (JSC::B3::doubleLt):
3557         (JSC::B3::doubleLte):
3558         (JSC::B3::testDoubleLiteralComparison):
3559         (JSC::B3::run):
3560
3561 2017-06-29  Jer Noble  <jer.noble@apple.com>
3562
3563         Make Legacy EME API controlled by RuntimeEnabled setting.
3564         https://bugs.webkit.org/show_bug.cgi?id=173994
3565
3566         Reviewed by Sam Weinig.
3567
3568         * Configurations/FeatureDefines.xcconfig:
3569         * runtime/CommonIdentifiers.h:
3570
3571 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
3572
3573         Ran sort-Xcode-project-file.
3574
3575         * JavaScriptCore.xcodeproj/project.pbxproj:
3576
3577 2017-06-30  Matt Lewis  <jlewis3@apple.com>
3578
3579         Unreviewed, rolling out r218992.
3580
3581         The patch broke the iOS device builds.
3582
3583         Reverted changeset:
3584
3585         "DFG_ASSERT should allow stuffing registers before trapping."
3586         https://bugs.webkit.org/show_bug.cgi?id=174005
3587         http://trac.webkit.org/changeset/218992
3588
3589 2017-06-30  Filip Pizlo  <fpizlo@apple.com>
3590
3591         RegExpCachedResult::setInput should reify left and right contexts
3592         https://bugs.webkit.org/show_bug.cgi?id=173818
3593
3594         Reviewed by Keith Miller.
3595         
3596         If you don't reify them in setInput, then when you later try to reify them, you'll end up
3597         using indices into an old input string to create a substring of a new input string. That
3598         never goes well.
3599
3600         * runtime/RegExpCachedResult.cpp:
3601         (JSC::RegExpCachedResult::setInput):
3602
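A small model of the ordering problem in the entry above, added here and not taken from JSC's RegExpCachedResult: a cached match stores its input and [matchStart, matchEnd), and builds the left and right contexts lazily from those indices. Replacing the input before reifying means a later reification slices the new string with indices that belonged to the old one. Class and function names (CachedMatchModel, leftContextAfterSwap) are hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <utility>

class CachedMatchModel {
public:
    CachedMatchModel(std::string input, size_t matchStart, size_t matchEnd)
        : m_input(std::move(input)), m_matchStart(matchStart), m_matchEnd(matchEnd) { }

    // Materialise both contexts from the indices. Only correct while the
    // indices still refer to m_input.
    void reifyContexts()
    {
        if (m_reified)
            return;
        m_leftContext = m_input.substr(0, m_matchStart);
        m_rightContext = m_input.substr(m_matchEnd);
        m_reified = true;
    }

    // Pre-fix ordering: swap the input and leave reification for later.
    void setInputWithoutReifying(std::string newInput) { m_input = std::move(newInput); }

    // Fixed ordering: reify against the old input first, then swap.
    void setInput(std::string newInput)
    {
        reifyContexts();
        m_input = std::move(newInput);
    }

    std::string leftContext() { reifyContexts(); return m_leftContext; }
    std::string rightContext() { reifyContexts(); return m_rightContext; }

private:
    std::string m_input;
    size_t m_matchStart;
    size_t m_matchEnd;
    bool m_reified = false;
    std::string m_leftContext;
    std::string m_rightContext;
};

// Constructed sample: "world" matched at [6, 11) in "hello world", then the
// input is replaced by a longer string. Returns {left, right} contexts as seen
// after the swap.
static std::pair<std::string, std::string> contextsAfterSwap(bool reifyFirst)
{
    CachedMatchModel cached("hello world", 6, 11);
    const std::string newInput = "abcdefghijklmnop";
    if (reifyFirst)
        cached.setInput(newInput);
    else
        cached.setInputWithoutReifying(newInput);
    return { cached.leftContext(), cached.rightContext() };
}
```

With reification first the contexts are "hello " and ""; without it they are "abcdef" and "lmnop", substrings of a string the match never came from. In the model the new input is long enough that substr does not throw; with a shorter replacement the stale end index would be out of range, which is the other way this "never goes well".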
3603 2017-06-30  Keith Miller  <keith_miller@apple.com>
3604
3605         DFG_ASSERT should allow stuffing registers before trapping.
3606         https://bugs.webkit.org/show_bug.cgi?id=174005
3607
3608         Reviewed by Mark Lam.
3609
3610         DFG_ASSERT currently prints error data to stderr before crashing,
3611         which is nice for local development. In the wild, however, we
3612         can't see this information in crash logs. This patch enables
3613         stuffing some of the most useful information from DFG_ASSERTS into
3614         up to five registers right before crashing. The values stuffed
3615         should not impact any logging during local development.
3616
3617         * assembler/AbortReason.h:
3618         * dfg/DFGAbstractInterpreterInlines.h:
3619         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
3620         * dfg/DFGGraph.cpp:
3621         (JSC::DFG::logForCrash):
3622         (JSC::DFG::Graph::logAssertionFailure):
3623         (JSC::DFG::crash): Deleted.
3624         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3625         * dfg/DFGGraph.h:
3626
3627 2017-06-29  Saam Barati  <sbarati@apple.com>
3628
3629         Calculating postCapacity in unshiftCountSlowCase is wrong
3630         https://bugs.webkit.org/show_bug.cgi?id=173992
3631         <rdar://problem/32283199>
3632
3633         Reviewed by Keith Miller.
3634
3635         This patch fixes a bug inside unshiftCountSlowCase where we would use
3636         more memory than we allocated. The bug was when deciding how much extra
3637         space we have after the vector we've allocated. This area is called the
3638         postCapacity. The largest legal postCapacity value we could use is the
3639         space we allocated minus the space we need:
3640         largestPossiblePostCapacity = newStorageCapacity - requiredVectorLength;
3641         However, the code was calculating the postCapacity as:
3642         postCapacity = max(newStorageCapacity - requiredVectorLength, count);
3643         
3644         where count is how many elements we're appending. Depending on the inputs,
3645         count could be larger than (newStorageCapacity - requiredVectorLength). This
3646         would cause us to use more memory than we actually allocated.
3647
3648         * runtime/JSArray.cpp:
3649         (JSC::JSArray::unshiftCountSlowCase):
3650
3651 2017-06-29  Commit Queue  <commit-queue@webkit.org>
3652
3653         Unreviewed, rolling out r218512.
3654         https://bugs.webkit.org/show_bug.cgi?id=173981
3655
3656         "It changes the behavior of the JS API's JSEvaluateScript
3657         which breaks TurboTax" (Requested by saamyjoon on #webkit).
3658
3659         Reverted changeset:
3660
3661         "test262: Completion values for control flow do not match the
3662         spec"
3663         https://bugs.webkit.org/show_bug.cgi?id=171265
3664         http://trac.webkit.org/changeset/218512
3665
3666 2017-06-29  JF Bastien  <jfbastien@apple.com>
3667
3668         WebAssembly: disable some APIs under CSP
3669         https://bugs.webkit.org/show_bug.cgi?id=173892
3670         <rdar://problem/32914613>
3671
3672         Reviewed by Daniel Bates.
3673
3674         We should disable parts of WebAssembly under Content Security
3675         Policy as discussed here:
3676
3677         https://github.com/WebAssembly/design/issues/1092
3678
3679         Exactly what should be disabled isn't super clear, so we may as
3680         well be conservative and disable many things if developers already
3681         opted into CSP. It's easy to loosen what we disable later.
3682
3683         This patch disables:
3684         - WebAssembly.Instance
3685         - WebAssembly.instantiate
3686         - WebAssembly.Memory
3687         - WebAssembly.Table
3688
3689         And leaves:
3690         - WebAssembly on the global object
3691         - WebAssembly.Module
3692         - WebAssembly.compile
3693         - WebAssembly.CompileError
3694         - WebAssembly.LinkError
3695
3696         Nothing, because currently unimplemented:
3697         - WebAssembly.compileStreaming
3698         - WebAssembly.instantiateStreaming
3699
3700         That way it won't be possible to call WebAssembly-compiled code,
3701         or create memories (which use fancy 4GiB allocations
3702         sometimes). Table isn't really useful on its own, and eventually
3703         we may make them shareable so without more details it seems benign
3704         to disable them (and useless if we don't).
3705
3706         I haven't done anything with postMessage, so you can still
3707         postMessage a WebAssembly.Module cross-CSP, but you can't
3708         instantiate it so it's useless. Because of this I elected to leave
3709         WebAssembly.Module and friends available.
3710
3711         I haven't added any new directives. It's still unsafe-eval. We can
3712         add something else later, but it seems odd to add WebAssembly as
3713         a new capability and tell developers "you should have been using
3714         this directive which we just implemented if you wanted to disable
3715         WebAssembly which didn't exist when you adopted CSP". So IMO we
3716         should keep unsafe-eval as it currently is, add WebAssembly to
3717         what it disables, and later consider having two new directives
3718         which do each individually or something.
3719
3720         In all cases I throw an EvalError *before* other WebAssembly
3721         errors would be produced.
3722
3723         Note that, as for eval, reporting doesn't work and is tracked by
3724         https://webkit.org/b/111869
3725
3726         * runtime/JSGlobalObject.cpp:
3727         (JSC::JSGlobalObject::JSGlobalObject):
3728         * runtime/JSGlobalObject.h:
3729         (JSC::JSGlobalObject::webAssemblyEnabled):
3730         (JSC::JSGlobalObject::webAssemblyDisabledErrorMessage):
3731         (JSC::JSGlobalObject::setWebAssemblyEnabled):
3732         * wasm/js/JSWebAssemblyInstance.cpp:
3733         (JSC::JSWebAssemblyInstance::create):
3734         * wasm/js/JSWebAssemblyMemory.cpp:
3735         (JSC::JSWebAssemblyMemory::create):
3736         * wasm/js/JSWebAssemblyMemory.h:
3737         * wasm/js/JSWebAssemblyTable.cpp:
3738         (JSC::JSWebAssemblyTable::create):
3739         * wasm/js/WebAssemblyMemoryConstructor.cpp:
3740         (JSC::constructJSWebAssemblyMemory):
3741
3742 2017-06-28  Keith Miller  <keith_miller@apple.com>
3743
3744         VMTraps has some races
3745         https://bugs.webkit.org/show_bug.cgi?id=173941
3746
3747         Reviewed by Michael Saboff.
3748
3749         This patch refactors much of the VMTraps API.
3750
3751         On the message sending side:
3752
3753         1) No longer uses the Yarr JIT check to determine if we are in
3754         RegExp code. That was unsound because RegExp JIT code can be run
3755         on compilation threads.  Instead it looks at the current frame's
3756         code block slot and checks if it is valid, which is the same as
3757         what it did for JIT code previously.
3758
3759         2) Only have one signal sender thread. Previously, there could be
3760         many at once, which caused some data races. Additionally, the
3761         signal sender thread is an automatic thread so it will deallocate
3762         itself when not in use.
3763
3764         On the VMTraps breakpoint side:
3765
3766         1) We now have a true mapping of whether we hit a breakpoint instead of
3767         a JIT assertion. So the exception handler won't eat JIT assertions
3768         anymore.
3769
3770         2) It jettisons all CodeBlocks that have VMTraps breakpoints on
3771         them instead of every CodeBlock on the stack. This both prevents
3772         us from hitting stale VMTraps breakpoints and also doesn't OSR
3773         codeblocks that otherwise don't need to be jettisoned.
3774
3775         3) The old exception handler could theoretically fail for a couple
3776         of reasons then resume execution with a clobbered instruction
3777         set. This patch will kill the program if the exception handler
3778         would fail.
3779
3780         This patch also refactors some of the jsc.cpp functions to take the
3781         CommandLine options object instead of individual options. Also, there
3782         is a new command line option that makes exceptions due to watchdog
3783         timeouts an acceptable result.
3784
3785         * API/tests/testapi.c:
3786         (main):
3787         * bytecode/CodeBlock.cpp:
3788         (JSC::CodeBlock::installVMTrapBreakpoints):
3789         * dfg/DFGCommonData.cpp:
3790         (JSC::DFG::pcCodeBlockMap):
3791         (JSC::DFG::CommonData::invalidate):
3792         (JSC::DFG::CommonData::~CommonData):
3793         (JSC::DFG::CommonData::installVMTrapBreakpoints):
3794         (JSC::DFG::codeBlockForVMTrapPC):
3795         * dfg/DFGCommonData.h:
3796         * jsc.cpp:
3797         (functionDollarAgentStart):
3798         (checkUncaughtException):
3799         (checkException):
3800         (runWithOptions):
3801         (printUsageStatement):
3802         (CommandLine::parseArguments):
3803         (jscmain):
3804         (runWithScripts): Deleted.
3805         * runtime/JSLock.cpp:
3806         (JSC::JSLock::didAcquireLock):
3807         * runtime/VMTraps.cpp:
3808         (JSC::sanitizedTopCallFrame):
3809         (JSC::VMTraps::tryInstallTrapBreakpoints):
3810         (JSC::VMTraps::willDestroyVM):
3811         (JSC::VMTraps::fireTrap):
3812         (JSC::VMTraps::handleTraps):
3813         (JSC::VMTraps::VMTraps):
3814         (JSC::VMTraps::~VMTraps):
3815         (JSC::findActiveVMAndStackBounds): Deleted.
3816         (JSC::installSignalHandler): Deleted.
3817         (JSC::VMTraps::addSignalSender): Deleted.
3818         (JSC::VMTraps::removeSignalSender): Deleted.
3819         (JSC::VMTraps::SignalSender::willDestroyVM): Deleted.
3820         (JSC::VMTraps::SignalSender::send): Deleted.
3821         * runtime/VMTraps.h:
3822         (JSC::VMTraps::~VMTraps): Deleted.
3823         (JSC::VMTraps::SignalSender::SignalSender): Deleted.
3824
3825 2017-06-28  Devin Rousso  <drousso@apple.com>
3826
3827         Web Inspector: Instrument active pixel memory used by canvases
3828         https://bugs.webkit.org/show_bug.cgi?id=173087
3829         <rdar://problem/32719261>
3830
3831         Reviewed by Joseph Pecoraro.
3832
3833         * inspector/protocol/Canvas.json:
3834          - Add optional `memoryCost` attribute to the `Canvas` type.
3835          - Add `canvasMemoryChanged` event that is dispatched when the `memoryCost` of a canvas changes.
3836
3837 2017-06-28  Joseph Pecoraro  <pecoraro@apple.com>
3838
3839         Web Inspector: Cleanup Protocol JSON files
3840         https://bugs.webkit.org/show_bug.cgi?id=173934
3841
3842         Reviewed by Matt Baker.
3843
3844         * inspector/protocol/ApplicationCache.json:
3845         * inspector/protocol/CSS.json:
3846         * inspector/protocol/Console.json:
3847         * inspector/protocol/DOM.json:
3848         * inspector/protocol/DOMDebugger.json:
3849         * inspector/protocol/Debugger.json:
3850         * inspector/protocol/LayerTree.json:
3851         * inspector/protocol/Network.json:
3852         * inspector/protocol/Page.json:
3853         * inspector/protocol/Runtime.json:
3854         Be more consistent about placement of `description` property.
3855
3856 2017-06-27  Joseph Pecoraro  <pecoraro@apple.com>
3857
3858         Web Inspector: Remove unused Inspector domain events
3859         https://bugs.webkit.org/show_bug.cgi?id=173905
3860
3861         Reviewed by Matt Baker.
3862
3863         * inspector/protocol/Inspector.json:
3864
3865 2017-06-28  JF Bastien  <jfbastien@apple.com>
3866
3867         Ensure that computed new stack pointer values do not underflow.
3868         https://bugs.webkit.org/show_bug.cgi?id=173700
3869         <rdar://problem/32926032>
3870
3871         Reviewed by Filip Pizlo and Saam Barati, update reviewed by Mark Lam.
3872
3873         Patch by Mark Lam, with the following fix:
3874
3875         Re-apply this patch, it originally broke the ARM build because the llint code
3876         generated `subs xzr, x3, sp` which isn't valid ARM64: the third operand cannot
3877         be SP (that encoding would be ZR instead, subtracting zero). Flip the comparison
3878         and operands to emit valid code (because the second operand can be SP).
3879
3880         1. Added a RELEASE_ASSERT to BytecodeGenerator::generate() to ensure that
3881            m_numCalleeLocals is sane.
3882
3883         2. Added underflow checks in LLInt code and VarargsFrame code.
3884
3885         3. Introduce minimumReservedZoneSize, which is hardcoded to 16K.
3886            Ensure that Options::reservedZoneSize() is at least minimumReservedZoneSize.
3887            Ensure that Options::softReservedZoneSize() is greater than
3888            Options::reservedZoneSize() by at least minimumReservedZoneSize.
3889
3890         4. Ensure that stack checks emitted by JIT tiers include an underflow check if
3891            and only if the max size of the frame is greater than Options::reservedZoneSize().
3892
3893            By design, we are guaranteed to have at least Options::reservedZoneSize() bytes
3894            of memory at the bottom (end) of the stack.  This means that, at any time, the
3895            frame pointer must be at least Options::reservedZoneSize() bytes away from the
3896            end of the stack.  Hence, if the max frame size is less than
3897            Options::reservedZoneSize(), there's no way that frame pointer - max
3898            frame size can underflow, and we can elide the underflow check.
3899
3900            Note that we use Options::reservedZoneSize() instead of
3901            Options::softReservedZoneSize() to determine whether we need an underflow check.
3902            This is because the softStackLimit that is used for stack checks can be set
3903            based on Options::reservedZoneSize() during error handling (e.g. when creating
3904            strings for instantiating the Error object).  Hence, the guaranteed minimum
3905            distance between the frame pointer and the end of the stack is
3906            Options::reservedZoneSize() and not Options::softReservedZoneSize().
3907
3908            Note also that we ensure that Options::reservedZoneSize() is at least
3909            minimumReservedZoneSize (i.e. 16K).  In typical deployments,
3910            Options::reservedZoneSize() may be larger.  Using Options::reservedZoneSize()
3911            instead of minimumReservedZoneSize gives us more chances to elide underflow
3912            checks.
3913
3914         * JavaScriptCore.xcodeproj/project.pbxproj:
3915         * bytecompiler/BytecodeGenerator.cpp:
3916         (JSC::BytecodeGenerator::generate):
3917         * dfg/DFGGraph.cpp:
3918         (JSC::DFG::Graph::requiredRegisterCountForExecutionAndExit):
3919         * dfg/DFGJITCompiler.cpp:
3920         (JSC::DFG::emitStackOverflowCheck):
3921         (JSC::DFG::JITCompiler::compile):
3922         (JSC::DFG::JITCompiler::compileFunction):
3923         * ftl/FTLLowerDFGToB3.cpp:
3924         (JSC::FTL::DFG::LowerDFGToB3::lower):
3925         * jit/JIT.cpp:
3926         (JSC::JIT::compileWithoutLinking):
3927         * jit/SetupVarargsFrame.cpp:
3928         (JSC::emitSetupVarargsFrameFastCase):
3929         * llint/LLIntSlowPaths.cpp:
3930         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3931         * llint/LowLevelInterpreter.asm:
3932         * llint/LowLevelInterpreter32_64.asm:
3933         * llint/LowLevelInterpreter64.asm:
3934         * runtime/MinimumReservedZoneSize.h: Added.
3935         * runtime/Options.cpp:
3936         (JSC::recomputeDependentOptions):
3937         * runtime/VM.cpp:
3938         (JSC::VM::updateStackLimits):
3939         * wasm/WasmB3IRGenerator.cpp:
3940         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3941         * wasm/js/WebAssemblyFunction.cpp:
3942         (JSC::callWebAssemblyFunction):
3943
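The option clamping and the elision rule from points 3 and 4 above, as an added example that is not JSC's code: the two reserved-zone constraints are applied, and a stack check is evaluated with and without the underflow guard to show why a naive unsigned subtraction passes when it should fail. The 16K floor and the "underflow check iff max frame size > reservedZoneSize" rule come from the entry; the addresses, the function names (clampZoneSizes, needsUnderflowCheck, guardedStackCheckPasses) and the downward-growing stack layout are assumptions for the illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>

// Hardcoded floor from the entry.
constexpr size_t minimumReservedZoneSize = 16 * 1024;

struct ZoneSizes {
    size_t reservedZoneSize;
    size_t softReservedZoneSize;
};

// Apply the two constraints on the dependent options: reservedZoneSize is at
// least the minimum, and softReservedZoneSize exceeds it by at least the minimum.
static ZoneSizes clampZoneSizes(size_t reservedZoneSize, size_t softReservedZoneSize)
{
    reservedZoneSize = std::max(reservedZoneSize, minimumReservedZoneSize);
    softReservedZoneSize = std::max(softReservedZoneSize, reservedZoneSize + minimumReservedZoneSize);
    return { reservedZoneSize, softReservedZoneSize };
}

// Elision rule: the frame pointer is always at least reservedZoneSize bytes
// above the end of the stack, so a frame no larger than that cannot make
// framePointer - maxFrameSize wrap.
static bool needsUnderflowCheck(size_t maxFrameSize, size_t reservedZoneSize)
{
    return maxFrameSize > reservedZoneSize;
}

// Stack check without an underflow guard: unsigned subtraction wraps to a
// huge address that satisfies the limit comparison.
static bool naiveStackCheckPasses(uintptr_t framePointer, size_t maxFrameSize, uintptr_t softStackLimit)
{
    return framePointer - maxFrameSize >= softStackLimit;
}

// Guarded check: the underflow test is evaluated (in the JIT, emitted) only
// when the elision rule says it is needed.
static bool guardedStackCheckPasses(uintptr_t framePointer, size_t maxFrameSize,
                                    uintptr_t softStackLimit, size_t reservedZoneSize)
{
    if (needsUnderflowCheck(maxFrameSize, reservedZoneSize) && maxFrameSize > framePointer)
        return false; // framePointer - maxFrameSize would underflow
    return framePointer - maxFrameSize >= softStackLimit;
}
```

With a constructed frame pointer of 0x20000 and soft limit of 0x10000, a 0x30000-byte frame wraps in the naive check and passes, while the guarded check rejects it; a 4K frame needs no guard at all and passes on the plain comparison.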
3944 2017-06-28  Chris Dumez  <cdumez@apple.com>
3945
3946         Unreviewed, rolling out r218869.
3947
3948         Broke the iOS build
3949
3950         Reverted changeset:
3951
3952         "Ensure that computed new stack pointer values do not
3953         underflow."
3954         https://bugs.webkit.org/show_bug.cgi?id=173700
3955         http://trac.webkit.org/changeset/218869
3956
3957 2017-06-28  Chris Dumez  <cdumez@apple.com>
3958
3959         Unreviewed, rolling out r218873.
3960
3961         Broke the iOS build
3962
3963         Reverted changeset:
3964
3965         "Gardening: CLoop build fix."
3966         https://bugs.webkit.org/show_bug.cgi?id=173700
3967         http://trac.webkit.org/changeset/218873
3968
3969 2017-06-28  Mark Lam  <mark.lam@apple.com>
3970
3971         Gardening: CLoop build fix.
3972         https://bugs.webkit.org/show_bug.cgi?id=173700
3973         <rdar://problem/32926032>
3974
3975         Not reviewed.
3976
3977         * llint/LLIntSlowPaths.cpp:
3978         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
3979