[iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
2
3         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
4         https://bugs.webkit.org/show_bug.cgi?id=175392
5         <rdar://problem/33783207>
6
7         Reviewed by Tim Horton and Megan Gardner.
8
9         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
10
11         * Configurations/FeatureDefines.xcconfig:
12
13 2017-08-09  Robin Morisset  <rmorisset@apple.com>
14
15         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
16         https://bugs.webkit.org/show_bug.cgi?id=175358
17
18         Reviewed by Mark Lam.
19
20         * jit/JITOperations.cpp:
21         * runtime/JSObjectInlines.h:
22         (JSC::JSObject::putInlineForJSObject):
23
24 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
25
26         Unreviewed, rolling out r220457.
27
28         This change introduced API test failures.
29
30         Reverted changeset:
31
32         "WTF::Function does not allow for reference / non-default
33         constructible return types"
34         https://bugs.webkit.org/show_bug.cgi?id=175244
35         http://trac.webkit.org/changeset/220457
36
37 2017-08-09  Sam Weinig  <sam@webkit.org>
38
39         WTF::Function does not allow for reference / non-default constructible return types
40         https://bugs.webkit.org/show_bug.cgi?id=175244
41
42         Reviewed by Chris Dumez.
43
44         * runtime/ArrayBuffer.cpp:
45         (JSC::ArrayBufferContents::transferTo):
46         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
47         destroy call needed to be a no-op anyway, since the data is being moved.
48
49 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
50
51         REGRESSION: 2 test262/test/language/statements/async-function failures
52         https://bugs.webkit.org/show_bug.cgi?id=175334
53
54         Reviewed by Yusuke Suzuki.
55
56         Switch off useAsyncIterator by default
57
58         * runtime/Options.h:
59
60 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
61
62         ICs should do caging
63         https://bugs.webkit.org/show_bug.cgi?id=175295
64
65         Reviewed by Saam Barati.
66         
67         Adds the appropriate cage() calls in our inline caches.
68
69         * bytecode/AccessCase.cpp:
70         (JSC::AccessCase::generateImpl):
71         * bytecode/InlineAccess.cpp:
72         (JSC::InlineAccess::dumpCacheSizesAndCrash):
73         (JSC::InlineAccess::generateSelfPropertyAccess):
74         (JSC::InlineAccess::generateSelfPropertyReplace):
75         (JSC::InlineAccess::generateArrayLength):
76
77 2017-08-08  Devin Rousso  <drousso@apple.com>
78
79         Web Inspector: Canvas: support editing WebGL shaders
80         https://bugs.webkit.org/show_bug.cgi?id=124211
81         <rdar://problem/15448958>
82
83         Reviewed by Matt Baker.
84
85         * inspector/protocol/Canvas.json:
86         Add `updateShader` command that will change the given shader's source to the provided string,
87         recompile, and relink it to its associated program.
88         Drive-by: add description to `requestShaderSource` command.
89
90 2017-08-08  Robin Morisset  <rmorisset@apple.com>
91
92         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
93         https://bugs.webkit.org/show_bug.cgi?id=175347
94
95         Reviewed by Saam Barati.
96
97         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
98         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
99         negligible considering how much more finishCreation does.
100         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
101         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
102
103         * bytecode/CodeBlock.cpp:
104         (JSC::CodeBlock::finishCreation):
105         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
106         (JSC::CodeBlock::setConstantRegisters):
107         * bytecode/CodeBlock.h:
108         * runtime/ScriptExecutable.cpp:
109         (JSC::ScriptExecutable::newCodeBlockFor):
110
111 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
112
113         Unreviewed, fix Ubuntu LTS build
114         https://bugs.webkit.org/show_bug.cgi?id=174490
115
116         * inspector/remote/glib/RemoteInspectorGlib.cpp:
117         * inspector/remote/glib/RemoteInspectorServer.cpp:
118
119 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
120
121         Baseline JIT should do caging
122         https://bugs.webkit.org/show_bug.cgi?id=175037
123
124         Reviewed by Mark Lam.
125         
126         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
127         
128         Also modifies FTL caging to be more defensive when caging is disabled.
129         
130         Relanded with fixed AssemblyHelpers::cageConditionally().
131
132         * bytecode/AccessCase.cpp:
133         (JSC::AccessCase::generateImpl):
134         * bytecode/InlineAccess.cpp:
135         (JSC::InlineAccess::dumpCacheSizesAndCrash):
136         (JSC::InlineAccess::generateSelfPropertyAccess):
137         (JSC::InlineAccess::generateSelfPropertyReplace):
138         (JSC::InlineAccess::generateArrayLength):
139         * ftl/FTLLowerDFGToB3.cpp:
140         (JSC::FTL::DFG::LowerDFGToB3::caged):
141         * jit/AssemblyHelpers.h:
142         (JSC::AssemblyHelpers::cage):
143         (JSC::AssemblyHelpers::cageConditionally):
144         * jit/JITPropertyAccess.cpp:
145         (JSC::JIT::emitDoubleLoad):
146         (JSC::JIT::emitContiguousLoad):
147         (JSC::JIT::emitArrayStorageLoad):
148         (JSC::JIT::emitGenericContiguousPutByVal):
149         (JSC::JIT::emitArrayStoragePutByVal):
150         (JSC::JIT::emit_op_get_from_scope):
151         (JSC::JIT::emit_op_put_to_scope):
152         (JSC::JIT::emitIntTypedArrayGetByVal):
153         (JSC::JIT::emitFloatTypedArrayGetByVal):
154         (JSC::JIT::emitIntTypedArrayPutByVal):
155         (JSC::JIT::emitFloatTypedArrayPutByVal):
156         * jsc.cpp:
157         (jscmain):
158         (primitiveGigacageDisabled): Deleted.
159
160 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
161
162         Unreviewed, rolling out r220368.
163
164         This change caused WK1 tests to exit early with crashes.
165
166         Reverted changeset:
167
168         "Baseline JIT should do caging"
169         https://bugs.webkit.org/show_bug.cgi?id=175037
170         http://trac.webkit.org/changeset/220368
171
172 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
173
174         [CMake] Properly test if compiler supports compiler flags
175         https://bugs.webkit.org/show_bug.cgi?id=174490
176
177         Reviewed by Konstantin Tokarev.
178
179         * API/tests/PingPongStackOverflowTest.cpp:
180         (testPingPongStackOverflow):
181         * API/tests/testapi.c:
182         * b3/testb3.cpp:
183         (JSC::B3::testPatchpointLotsOfLateAnys):
184
185 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
186
187         [Linux] Clear WasmMemory with madvise instead of memset
188         https://bugs.webkit.org/show_bug.cgi?id=175150
189
190         Reviewed by Filip Pizlo.
191
192         On Linux, zeroing pages with memset populates the backing store.
193         Instead, we should use madvise with MADV_DONTNEED, which discards
194         the pages. If you then access these pages, on-demand zero pages
195         will be shown.
196
197         We also commit grown pages in all OSes.
198
199         * wasm/WasmMemory.cpp:
200         (JSC::Wasm::commitZeroPages):
201         (JSC::Wasm::Memory::create):
202         (JSC::Wasm::Memory::grow):
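
The madvise-versus-memset point above, as an added C example (my own code, not WebKit's WasmMemory.cpp): it dirties a private anonymous mapping, discards it with MADV_DONTNEED on Linux (falling back to memset on other systems, in the spirit of the note about committing grown pages on all OSes), and verifies that every page reads back as zero. The function names are assumptions.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Zero a page-aligned range. On Linux, MADV_DONTNEED drops the pages from the
 * process; the next touch faults in fresh zero pages on demand, so the zeroing
 * itself populates no backing store. Elsewhere fall back to memset, which does
 * touch (and therefore commit) every page. Hypothetical helper name. */
static void zero_pages(void *base, size_t bytes)
{
#if defined(__linux__)
    if (madvise(base, bytes, MADV_DONTNEED) == 0)
        return;
#endif
    memset(base, 0, bytes);
}

/* Hypothetical check: returns 0 if every byte reads back as zero after the
 * discard, 1 if a stale byte survived, -1 if the mapping could not be set up. */
int check_discard_zeroes(size_t page_count)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || page_count == 0)
        return -1;
    size_t bytes = (size_t)page * page_count;

    /* mmap returns a page-aligned region, which madvise requires. */
    uint8_t *mem = mmap(NULL, bytes, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;

    /* Dirty every page so the kernel has actually backed them with memory. */
    memset(mem, 0xA5, bytes);

    zero_pages(mem, bytes);

    /* After MADV_DONTNEED (or memset), a private anonymous mapping must read as zero. */
    int stale = 0;
    for (size_t i = 0; i < bytes; i++) {
        if (mem[i] != 0) {
            stale = 1;
            break;
        }
    }
    munmap(mem, bytes);
    return stale;
}
```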
203
204 2017-08-07  Robin Morisset  <rmorisset@apple.com>
205
206         GetOwnProperty of TypedArray indexed fields is wrongly configurable
207         https://bugs.webkit.org/show_bug.cgi?id=175307
208
209         Reviewed by Saam Barati.
210
211         ```
212         let a = new Uint8Array(10);
213         let b = Object.getOwnPropertyDescriptor(a, 0);
214         if (b.configurable !== false) throw new Error("typed array element must be non-configurable");
215         ```
216         should not fail: by section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p) 
217         that applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances)
218         that says that typed arrays are integer indexed exotic objects.
219
220         * runtime/JSGenericTypedArrayViewInlines.h:
221         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
222
223 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
224
225         Baseline JIT should do caging
226         https://bugs.webkit.org/show_bug.cgi?id=175037
227
228         Reviewed by Mark Lam.
229         
230         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
231         
232         Also modifies FTL caging to be more defensive when caging is disabled.
233
234         * ftl/FTLLowerDFGToB3.cpp:
235         (JSC::FTL::DFG::LowerDFGToB3::caged):
236         * jit/AssemblyHelpers.h:
237         (JSC::AssemblyHelpers::cage):
238         (JSC::AssemblyHelpers::cageConditionally):
239         * jit/JITPropertyAccess.cpp:
240         (JSC::JIT::emitDoubleLoad):
241         (JSC::JIT::emitContiguousLoad):
242         (JSC::JIT::emitArrayStorageLoad):
243         (JSC::JIT::emitGenericContiguousPutByVal):
244         (JSC::JIT::emitArrayStoragePutByVal):
245         (JSC::JIT::emit_op_get_from_scope):
246         (JSC::JIT::emit_op_put_to_scope):
247         (JSC::JIT::emitIntTypedArrayGetByVal):
248         (JSC::JIT::emitFloatTypedArrayGetByVal):
249         (JSC::JIT::emitIntTypedArrayPutByVal):
250         (JSC::JIT::emitFloatTypedArrayPutByVal):
251         * jsc.cpp:
252         (jscmain):
253         (primitiveGigacageDisabled): Deleted.
254
255 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
256
257         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
258         https://bugs.webkit.org/show_bug.cgi?id=174919
259
260         Reviewed by Keith Miller.
261         
262         This adapts JSC to there being two gigacages.
263         
264         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
265         singletons. I don't think we were gaining anything by making them be singletons.
266         
267         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
268         gigacages. We'll have one of those allocators per cage.
269         
270         From there, this change teaches everyone who previously knew about cages that there are two cages.
271         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
272         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
273         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
274         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
275         
276         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
277         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
278
279         * JavaScriptCore.xcodeproj/project.pbxproj:
280         * bytecode/AccessCase.cpp:
281         (JSC::AccessCase::generateImpl):
282         * dfg/DFGSpeculativeJIT.cpp:
283         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
284         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
285         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
286         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
287         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
288         * ftl/FTLLowerDFGToB3.cpp:
289         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
290         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
291         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
292         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
293         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
294         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
295         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
296         (JSC::FTL::DFG::LowerDFGToB3::caged):
297         * heap/FastMallocAlignedMemoryAllocator.cpp:
298         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
299         * heap/FastMallocAlignedMemoryAllocator.h:
300         * heap/GigacageAlignedMemoryAllocator.cpp:
301         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
302         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
303         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
304         (JSC::GigacageAlignedMemoryAllocator::dump const):
305         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
306         * heap/GigacageAlignedMemoryAllocator.h:
307         * jsc.cpp:
308         (primitiveGigacageDisabled):
309         (jscmain):
310         (gigacageDisabled): Deleted.
311         * llint/LowLevelInterpreter64.asm:
312         * runtime/ArrayBuffer.cpp:
313         (JSC::ArrayBufferContents::tryAllocate):
314         (JSC::ArrayBuffer::createAdopted):
315         (JSC::ArrayBuffer::createFromBytes):
316         * runtime/AuxiliaryBarrier.h:
317         * runtime/ButterflyInlines.h:
318         (JSC::Butterfly::createUninitialized):
319         (JSC::Butterfly::tryCreate):
320         (JSC::Butterfly::growArrayRight):
321         * runtime/CagedBarrierPtr.h: Added.
322         (JSC::CagedBarrierPtr::CagedBarrierPtr):
323         (JSC::CagedBarrierPtr::clear):
324         (JSC::CagedBarrierPtr::set):
325         (JSC::CagedBarrierPtr::get const):
326         (JSC::CagedBarrierPtr::getMayBeNull const):
327         (JSC::CagedBarrierPtr::operator== const):
328         (JSC::CagedBarrierPtr::operator!= const):
329         (JSC::CagedBarrierPtr::operator bool const):
330         (JSC::CagedBarrierPtr::setWithoutBarrier):
331         (JSC::CagedBarrierPtr::operator* const):
332         (JSC::CagedBarrierPtr::operator-> const):
333         (JSC::CagedBarrierPtr::operator[] const):
334         * runtime/DirectArguments.cpp:
335         (JSC::DirectArguments::overrideThings):
336         (JSC::DirectArguments::unmapArgument):
337         * runtime/DirectArguments.h:
338         (JSC::DirectArguments::isMappedArgument const):
339         * runtime/GenericArguments.h:
340         * runtime/GenericArgumentsInlines.h:
341         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
342         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
343         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
344         * runtime/HashMapImpl.cpp:
345         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
346         * runtime/HashMapImpl.h:
347         (JSC::HashMapBuffer::create):
348         (JSC::HashMapImpl::buffer const):
349         (JSC::HashMapImpl::rehash):
350         * runtime/JSArray.cpp:
351         (JSC::JSArray::tryCreateUninitializedRestricted):
352         (JSC::JSArray::unshiftCountSlowCase):
353         (JSC::JSArray::setLength):
354         (JSC::JSArray::pop):
355         (JSC::JSArray::push):
356         (JSC::JSArray::fastSlice):
357         (JSC::JSArray::shiftCountWithArrayStorage):
358         (JSC::JSArray::shiftCountWithAnyIndexingType):
359         (JSC::JSArray::unshiftCountWithAnyIndexingType):
360         (JSC::JSArray::fillArgList):
361         (JSC::JSArray::copyToArguments):
362         * runtime/JSArray.h:
363         (JSC::JSArray::tryCreate):
364         * runtime/JSArrayBufferView.cpp:
365         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
366         (JSC::JSArrayBufferView::finalize):
367         * runtime/JSLock.cpp:
368         (JSC::JSLock::didAcquireLock):
369         * runtime/JSObject.cpp:
370         (JSC::JSObject::heapSnapshot):
371         (JSC::JSObject::getOwnPropertySlotByIndex):
372         (JSC::JSObject::putByIndex):
373         (JSC::JSObject::enterDictionaryIndexingMode):
374         (JSC::JSObject::createInitialIndexedStorage):
375         (JSC::JSObject::createArrayStorage):
376         (JSC::JSObject::convertUndecidedToInt32):
377         (JSC::JSObject::convertUndecidedToDouble):
378         (JSC::JSObject::convertUndecidedToContiguous):
379         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
380         (JSC::JSObject::convertUndecidedToArrayStorage):
381         (JSC::JSObject::convertInt32ToDouble):
382         (JSC::JSObject::convertInt32ToContiguous):
383         (JSC::JSObject::convertInt32ToArrayStorage):
384         (JSC::JSObject::convertDoubleToContiguous):
385         (JSC::JSObject::convertDoubleToArrayStorage):
386         (JSC::JSObject::convertContiguousToArrayStorage):
387         (JSC::JSObject::setIndexQuicklyToUndecided):
388         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
389         (JSC::JSObject::deletePropertyByIndex):
390         (JSC::JSObject::getOwnPropertyNames):
391         (JSC::JSObject::putIndexedDescriptor):
392         (JSC::JSObject::defineOwnIndexedProperty):
393         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
394         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
395         (JSC::JSObject::getNewVectorLength):
396         (JSC::JSObject::ensureLengthSlow):
397         (JSC::JSObject::reallocateAndShrinkButterfly):
398         (JSC::JSObject::allocateMoreOutOfLineStorage):
399         (JSC::JSObject::getEnumerableLength):
400         * runtime/JSObject.h:
401         (JSC::JSObject::getArrayLength const):
402         (JSC::JSObject::getVectorLength):
403         (JSC::JSObject::putDirectIndex):
404         (JSC::JSObject::canGetIndexQuickly):
405         (JSC::JSObject::getIndexQuickly):
406         (JSC::JSObject::tryGetIndexQuickly const):
407         (JSC::JSObject::canSetIndexQuickly):
408         (JSC::JSObject::setIndexQuickly):
409         (JSC::JSObject::initializeIndex):
410         (JSC::JSObject::initializeIndexWithoutBarrier):
411         (JSC::JSObject::hasSparseMap):
412         (JSC::JSObject::inSparseIndexingMode):
413         (JSC::JSObject::butterfly const):
414         (JSC::JSObject::butterfly):
415         (JSC::JSObject::outOfLineStorage const):
416         (JSC::JSObject::outOfLineStorage):
417         (JSC::JSObject::ensureInt32):
418         (JSC::JSObject::ensureDouble):
419         (JSC::JSObject::ensureContiguous):
420         (JSC::JSObject::ensureArrayStorage):
421         (JSC::JSObject::arrayStorage):
422         (JSC::JSObject::arrayStorageOrNull):
423         (JSC::JSObject::ensureLength):
424         * runtime/RegExpMatchesArray.h:
425         (JSC::tryCreateUninitializedRegExpMatchesArray):
426         * runtime/VM.cpp:
427         (JSC::VM::VM):
428         (JSC::VM::~VM):
429         (JSC::VM::primitiveGigacageDisabledCallback):
430         (JSC::VM::primitiveGigacageDisabled):
431         (JSC::VM::gigacageDisabledCallback): Deleted.
432         (JSC::VM::gigacageDisabled): Deleted.
433         * runtime/VM.h:
434         (JSC::VM::gigacageAuxiliarySpace):
435         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
436         (JSC::VM::primitiveGigacageEnabled):
437         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
438         (JSC::VM::gigacageEnabled): Deleted.
439         * wasm/WasmMemory.cpp:
440         (JSC::Wasm::Memory::create):
441         (JSC::Wasm::Memory::~Memory):
442         (JSC::Wasm::Memory::grow):
443
444 2017-08-07  Commit Queue  <commit-queue@webkit.org>
445
446         Unreviewed, rolling out r220144.
447         https://bugs.webkit.org/show_bug.cgi?id=175276
448
449         "It did not actually speed things up in the way I expected"
450         (Requested by saamyjoon on #webkit).
451
452         Reverted changeset:
453
454         "On memory-constrained iOS devices, reduce the rate at which
455         the JS heap grows before a GC to try to keep more memory
456         available for the system"
457         https://bugs.webkit.org/show_bug.cgi?id=175041
458         http://trac.webkit.org/changeset/220144
459
460 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
461
462         Unreviewed, rolling out r220299.
463
464         This change caused LayoutTest inspector/dom-debugger/dom-
465         breakpoints.html to fail.
466
467         Reverted changeset:
468
469         "Web Inspector: capture async stack trace when workers/main
470         context posts a message"
471         https://bugs.webkit.org/show_bug.cgi?id=167084
472         http://trac.webkit.org/changeset/220299
473
474 2017-08-07  Brian Burg  <bburg@apple.com>
475
476         Remove CANVAS_PATH compilation guard
477         https://bugs.webkit.org/show_bug.cgi?id=175207
478
479         Reviewed by Sam Weinig.
480
481         * Configurations/FeatureDefines.xcconfig:
482
483 2017-08-07  Keith Miller  <keith_miller@apple.com>
484
485         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
486         https://bugs.webkit.org/show_bug.cgi?id=175256
487
488         Reviewed by Saam Barati.
489
490         The check in createFromBytes just needed to check that the buffer was not null before
491         calling isCaged.
492
493         * runtime/ArrayBuffer.cpp:
494         (JSC::ArrayBuffer::createFromBytes):
495
496 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
497
498         [GTK][WPE] Add API to provide browser information required by automation
499         https://bugs.webkit.org/show_bug.cgi?id=175130
500
501         Reviewed by Brian Burg.
502
503         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
504         get them.
505
506         * inspector/remote/RemoteInspector.cpp:
507         (Inspector::RemoteInspector::updateClientCapabilities): Also update browserName and browserVersion.
508         * inspector/remote/RemoteInspector.h:
509         * inspector/remote/glib/RemoteInspectorGlib.cpp:
510         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
511         requested to ensure they are updated before the StartAutomationSession reply is sent.
512         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
513         StartAutomationSession message.
514
515 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
516
517         Promise resolve and reject function should have length = 1
518         https://bugs.webkit.org/show_bug.cgi?id=175242
519
520         Reviewed by Saam Barati.
521
522         Previously we had a separate system for "length" and "name" for builtin functions.
523         The builtin functions did not use the lazy reifying system. Instead, they were given direct
524         properties when instantiated. While a function created for a property (like
525         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
526         these builtin functions are just created by JSFunction::create(). Since that does
527         not set any value for "length", these functions do not have a "length" property.
528         So the resolve and reject functions passed to Promise's executor do not have a
529         "length" property.
530
531         This patch makes builtin functions use the standard lazy reifying system for "length".
532         So the "length" property of a builtin function just works as it does for
533         normal functions.
534
535         * runtime/JSFunction.cpp:
536         (JSC::JSFunction::createBuiltinFunction):
537         (JSC::JSFunction::getOwnPropertySlot):
538         (JSC::JSFunction::getOwnNonIndexPropertyNames):
539         (JSC::JSFunction::put):
540         (JSC::JSFunction::deleteProperty):
541         (JSC::JSFunction::defineOwnProperty):
542         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
543         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
544         (JSC::JSFunction::reifyLazyLengthIfNeeded):
545         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
546         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
547         * runtime/JSFunction.h:
548
549 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
550
551         [ESNext] Async iteration - Implement Async Generator - parser
552         https://bugs.webkit.org/show_bug.cgi?id=175210
553
554         Reviewed by Yusuke Suzuki.
555
556         The current implementation is a draft version of Async Iteration.
557         Link to spec: https://tc39.github.io/proposal-async-iteration/
558
559         The current patch implements only the parser part of the async generator.
560         The runtime part will be in the next patches.
561
562         * parser/ASTBuilder.h:
563         (JSC::ASTBuilder::createFunctionMetadata):
564         * parser/Parser.cpp:
565         (JSC::getAsynFunctionBodyParseMode):
566         (JSC::Parser<LexerType>::parseInner):
567         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
568         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
569         (JSC::stringArticleForFunctionMode):
570         (JSC::stringForFunctionMode):
571         (JSC::Parser<LexerType>::parseFunctionInfo):
572         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
573         (JSC::Parser<LexerType>::parseClass):
574         (JSC::Parser<LexerType>::parseProperty):
575         (JSC::Parser<LexerType>::parsePropertyMethod):
576         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
577         * parser/Parser.h:
578         (JSC::Scope::setSourceParseMode):
579         * parser/ParserModes.h:
580         (JSC::isFunctionParseMode):
581         (JSC::isAsyncFunctionParseMode):
582         (JSC::isAsyncArrowFunctionParseMode):
583         (JSC::isAsyncGeneratorFunctionParseMode):
584         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
585         (JSC::isAsyncFunctionWrapperParseMode):
586         (JSC::isAsyncFunctionBodyParseMode):
587         (JSC::isGeneratorMethodParseMode):
588         (JSC::isAsyncMethodParseMode):
589         (JSC::isAsyncGeneratorMethodParseMode):
590         (JSC::isMethodParseMode):
591         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
592         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
593
594 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
595
596         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
597         https://bugs.webkit.org/show_bug.cgi?id=175083
598
599         Reviewed by Oliver Hunt.
600         
601         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
602         even if we are using the pop path.
603         
604         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
605         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
606         the world just because we changed it.
607         
608         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
609         easier to debug leaks.
610
611         * bytecode/AccessCase.cpp:
612         * bytecode/PolymorphicAccess.cpp:
613         * heap/HeapCell.cpp:
614         (JSC::HeapCell::isLive):
615         * heap/HeapCellInlines.h:
616         (JSC::HeapCell::isLive): Deleted.
617         * heap/MarkedAllocator.cpp:
618         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
619         (JSC::MarkedAllocator::endMarking):
620         * heap/MarkedBlockInlines.h:
621         (JSC::MarkedBlock::Handle::specializedSweep):
622         * jit/AssemblyHelpers.cpp:
623         * jit/Repatch.cpp:
624         * runtime/TestRunnerUtils.h:
625         * runtime/VM.cpp:
626         (JSC::waitForVMDestruction):
627         (JSC::VM::~VM):
628
629 2017-08-05  Mark Lam  <mark.lam@apple.com>
630
631         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
632         https://bugs.webkit.org/show_bug.cgi?id=175228
633         <rdar://problem/33735737>
634
635         Reviewed by Saam Barati.
636
637         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
638         delete OSRExit32_64.cpp.
639
640         * CMakeLists.txt:
641         * JavaScriptCore.xcodeproj/project.pbxproj:
642         * dfg/DFGOSRExit.cpp:
643         (JSC::DFG::OSRExit::compileExit):
644         * dfg/DFGOSRExit32_64.cpp: Removed.
645         * jit/GPRInfo.h:
646         (JSC::JSValueSource::payloadGPR const):
647
648 2017-08-04  Youenn Fablet  <youenn@apple.com>
649
650         [Cache API] Add Cache and CacheStorage IDL definitions
651         https://bugs.webkit.org/show_bug.cgi?id=175201
652
653         Reviewed by Brady Eidson.
654
655         * runtime/CommonIdentifiers.h:
656
657 2017-08-04  Mark Lam  <mark.lam@apple.com>
658
659         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
660         https://bugs.webkit.org/show_bug.cgi?id=175230
661         <rdar://problem/33735857>
662
663         Reviewed by Saam Barati.
664
665         * assembler/testmasm.cpp:
666         (JSC::testProbeReadsArgumentRegisters):
667         (JSC::testProbeWritesArgumentRegisters):
668
669 2017-08-04  Mark Lam  <mark.lam@apple.com>
670
671         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
672         https://bugs.webkit.org/show_bug.cgi?id=175214
673         <rdar://problem/33733308>
674
675         Rubber-stamped by Michael Saboff.
676
677         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
678         DFGOSRExitCompiler files.
679
680         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
681
682         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
683         used by compileOSRExit(), and will be changed to not be a DFG operation function
684         when we use JIT probes for DFG OSR exits later in
685         https://bugs.webkit.org/show_bug.cgi?id=175144.
686
687         * CMakeLists.txt:
688         * JavaScriptCore.xcodeproj/project.pbxproj:
689         * dfg/DFGJITCompiler.cpp:
690         * dfg/DFGOSRExit.cpp:
691         (JSC::DFG::OSRExit::emitRestoreArguments):
692         (JSC::DFG::OSRExit::compileOSRExit):
693         (JSC::DFG::OSRExit::compileExit):
694         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
695         * dfg/DFGOSRExit.h:
696         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
697         * dfg/DFGOSRExitCompiler.cpp: Removed.
698         * dfg/DFGOSRExitCompiler.h: Removed.
699         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
700         * dfg/DFGOSRExitCompiler64.cpp: Removed.
701         * dfg/DFGOperations.cpp:
702         * dfg/DFGOperations.h:
703         * dfg/DFGThunks.cpp:
704
705 2017-08-04  Matt Baker  <mattbaker@apple.com>
706
707         Web Inspector: capture async stack trace when workers/main context posts a message
708         https://bugs.webkit.org/show_bug.cgi?id=167084
709         <rdar://problem/30033673>
710
711         Reviewed by Brian Burg.
712
713         * inspector/agents/InspectorDebuggerAgent.h:
714         Add `PostMessage` async call type.
715
716 2017-08-04  Mark Lam  <mark.lam@apple.com>
717
718         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
719         https://bugs.webkit.org/show_bug.cgi?id=175208
720         <rdar://problem/33732402>
721
722         Reviewed by Saam Barati.
723
724         This will minimize the code diff and make it easier to review the patch for
725         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
726         steps:
727
728         1. Do the code changes to move methods into OSRExit.
729         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
730         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
731
732         Splitting this refactoring into these 3 steps also makes it easier to review this
733         patch and understand what is being changed.
734
735         * dfg/DFGOSRExit.h:
736         * dfg/DFGOSRExitCompiler.cpp:
737         (JSC::DFG::OSRExit::emitRestoreArguments):
738         (JSC::DFG::OSRExit::compileOSRExit):
739         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
740         (): Deleted.
741         * dfg/DFGOSRExitCompiler.h:
742         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
743         (): Deleted.
744         * dfg/DFGOSRExitCompiler32_64.cpp:
745         (JSC::DFG::OSRExit::compileExit):
746         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
747         * dfg/DFGOSRExitCompiler64.cpp:
748         (JSC::DFG::OSRExit::compileExit):
749         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
750         * dfg/DFGThunks.cpp:
751         (JSC::DFG::osrExitGenerationThunkGenerator):
752
753 2017-08-04  Devin Rousso  <drousso@apple.com>
754
755         Web Inspector: add source view for WebGL shader programs
756         https://bugs.webkit.org/show_bug.cgi?id=138593
757         <rdar://problem/18936194>
758
759         Reviewed by Matt Baker.
760
761         * inspector/protocol/Canvas.json:
762          - Add `ShaderType` enum that contains "vertex" and "fragment".
763          - Add `requestShaderSource` command that will return the original source code for a given
764            shader program and shader type.
765
766 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
767
768         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
769         https://bugs.webkit.org/show_bug.cgi?id=175141
770
771         Reviewed by Mark Lam.
772         
773         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
774         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
775         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
776         determined by the AlignedMemoryAllocator object.
777         
778         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
779         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
780         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
781         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
782         they use the same AlignedMemoryAllocator.
783
784         * CMakeLists.txt:
785         * JavaScriptCore.xcodeproj/project.pbxproj:
786         * heap/AlignedMemoryAllocator.cpp: Added.
787         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
788         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
789         * heap/AlignedMemoryAllocator.h: Added.
790         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
791         (JSC::FastMallocAlignedMemoryAllocator::singleton):
792         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
793         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
794         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
795         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
796         (JSC::FastMallocAlignedMemoryAllocator::dump const):
797         * heap/FastMallocAlignedMemoryAllocator.h: Added.
798         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
799         (JSC::GigacageAlignedMemoryAllocator::singleton):
800         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
801         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
802         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
803         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
804         (JSC::GigacageAlignedMemoryAllocator::dump const):
805         * heap/GigacageAlignedMemoryAllocator.h: Added.
806         * heap/GigacageSubspace.cpp: Removed.
807         * heap/GigacageSubspace.h: Removed.
808         * heap/LargeAllocation.cpp:
809         (JSC::LargeAllocation::tryCreate):
810         (JSC::LargeAllocation::destroy):
811         * heap/MarkedAllocator.cpp:
812         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
813         * heap/MarkedBlock.cpp:
814         (JSC::MarkedBlock::tryCreate):
815         (JSC::MarkedBlock::Handle::Handle):
816         (JSC::MarkedBlock::Handle::~Handle):
817         (JSC::MarkedBlock::Handle::didAddToAllocator):
818         (JSC::MarkedBlock::Handle::subspace const):
819         * heap/MarkedBlock.h:
820         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
821         (JSC::MarkedBlock::Handle::subspace const): Deleted.
822         * heap/Subspace.cpp:
823         (JSC::Subspace::Subspace):
824         (JSC::Subspace::findEmptyBlockToSteal):
825         (JSC::Subspace::canTradeBlocksWith): Deleted.
826         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
827         (JSC::Subspace::freeAlignedMemory): Deleted.
828         * heap/Subspace.h:
829         (JSC::Subspace::name const):
830         (JSC::Subspace::alignedMemoryAllocator const):
831         * runtime/JSDestructibleObjectSubspace.cpp:
832         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
833         * runtime/JSDestructibleObjectSubspace.h:
834         * runtime/JSSegmentedVariableObjectSubspace.cpp:
835         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
836         * runtime/JSSegmentedVariableObjectSubspace.h:
837         * runtime/JSStringSubspace.cpp:
838         (JSC::JSStringSubspace::JSStringSubspace):
839         * runtime/JSStringSubspace.h:
840         * runtime/VM.cpp:
841         (JSC::VM::VM):
842         * runtime/VM.h:
843         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
844         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
845         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
846
847 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
848
849         [ESNext] Async iteration - update feature.json
850         https://bugs.webkit.org/show_bug.cgi?id=175197
851
852         Reviewed by Yusuke Suzuki.
853
854         Update feature.json to add the status of Async Iteration
855
856         * features.json:
857
858 2017-08-04  Matt Lewis  <jlewis3@apple.com>
859
860         Unreviewed, rolling out r220271.
861
862         Rolling out due to Layout Test failing on iOS Simulator.
863
864         Reverted changeset:
865
866         "Remove STREAMS_API compilation guard"
867         https://bugs.webkit.org/show_bug.cgi?id=175165
868         http://trac.webkit.org/changeset/220271
869
870 2017-08-04  Youenn Fablet  <youenn@apple.com>
871
872         Remove STREAMS_API compilation guard
873         https://bugs.webkit.org/show_bug.cgi?id=175165
874
875         Reviewed by Darin Adler.
876
877         * Configurations/FeatureDefines.xcconfig:
878
879 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
880
881         [EsNext] Async iteration - Add feature flag
882         https://bugs.webkit.org/show_bug.cgi?id=166694
883
884         Reviewed by Yusuke Suzuki.
885
886         Add a feature flag to JSC to switch Async Iterator on/off
887
888         * runtime/Options.h:
889
890 2017-08-03  Brian Burg  <bburg@apple.com>
891
892         Remove ENABLE(WEB_SOCKET) guards
893         https://bugs.webkit.org/show_bug.cgi?id=167044
894
895         Reviewed by Joseph Pecoraro.
896
897         * Configurations/FeatureDefines.xcconfig:
898
899 2017-08-03  Youenn Fablet  <youenn@apple.com>
900
901         Remove FETCH_API compilation guard
902         https://bugs.webkit.org/show_bug.cgi?id=175154
903
904         Reviewed by Chris Dumez.
905
906         * Configurations/FeatureDefines.xcconfig:
907
908 2017-08-03  Matt Baker  <mattbaker@apple.com>
909
910         Web Inspector: Instrument WebGLProgram created/deleted
911         https://bugs.webkit.org/show_bug.cgi?id=175059
912
913         Reviewed by Devin Rousso.
914
915         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
916
917         * inspector/protocol/Canvas.json:
918
919 2017-08-03  Brady Eidson  <beidson@apple.com>
920
921         Add SW IDLs and stub out basic functionality.
922         https://bugs.webkit.org/show_bug.cgi?id=175115
923
924         Reviewed by Chris Dumez.
925
926         * Configurations/FeatureDefines.xcconfig:
927
928         * runtime/CommonIdentifiers.h:
929
930 2017-08-03  Mark Lam  <mark.lam@apple.com>
931
932         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
933         https://bugs.webkit.org/show_bug.cgi?id=175142
934         <rdar://problem/33704528>
935
936         Reviewed by Filip Pizlo.
937
938         The convention in the rest of JSC for such methods which return the address of
939         a field is to name them "addressOf<field name>".  We'll rename
940         ScratchBuffer::activeLengthPtr to be consistent with this convention.
941
942         * dfg/DFGSpeculativeJIT.cpp:
943         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
944         * dfg/DFGSpeculativeJIT32_64.cpp:
945         (JSC::DFG::SpeculativeJIT::compile):
946         * dfg/DFGSpeculativeJIT64.cpp:
947         (JSC::DFG::SpeculativeJIT::compile):
948         * dfg/DFGThunks.cpp:
949         (JSC::DFG::osrExitGenerationThunkGenerator):
950         * ftl/FTLLowerDFGToB3.cpp:
951         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
952         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
953         * ftl/FTLThunks.cpp:
954         (JSC::FTL::genericGenerationThunkGenerator):
955         * jit/AssemblyHelpers.cpp:
956         (JSC::AssemblyHelpers::debugCall):
957         * jit/ScratchRegisterAllocator.cpp:
958         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
959         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
960         * runtime/VM.h:
961         (JSC::ScratchBuffer::addressOfActiveLength):
962         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
963         * wasm/WasmBinding.cpp:
964         (JSC::Wasm::wasmToJs):
965
966 2017-08-02  Devin Rousso  <drousso@apple.com>
967
968         Web Inspector: add stack trace information for each RecordingAction
969         https://bugs.webkit.org/show_bug.cgi?id=174663
970
971         Reviewed by Joseph Pecoraro.
972
973         * inspector/ScriptCallFrame.h:
974         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
975         with an existing value doesn't require a functor and can use existing code.
976
977         * interpreter/StackVisitor.h:
978         * interpreter/StackVisitor.cpp:
979         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
980
981 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
982
983         Merge WTFThreadData to Thread::current
984         https://bugs.webkit.org/show_bug.cgi?id=174716
985
986         Reviewed by Mark Lam.
987
988         Use Thread::current() instead.
989
990         * API/JSContext.mm:
991         (+[JSContext currentContext]):
992         (+[JSContext currentThis]):
993         (+[JSContext currentCallee]):
994         (+[JSContext currentArguments]):
995         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
996         (-[JSContext endCallbackWithData:]):
997         * heap/Heap.cpp:
998         (JSC::Heap::requestCollection):
999         * runtime/Completion.cpp:
1000         (JSC::checkSyntax):
1001         (JSC::checkModuleSyntax):
1002         (JSC::evaluate):
1003         (JSC::loadAndEvaluateModule):
1004         (JSC::loadModule):
1005         (JSC::linkAndEvaluateModule):
1006         (JSC::importModule):
1007         * runtime/Identifier.cpp:
1008         (JSC::Identifier::checkCurrentAtomicStringTable):
1009         * runtime/InitializeThreading.cpp:
1010         (JSC::initializeThreading):
1011         * runtime/JSLock.cpp:
1012         (JSC::JSLock::didAcquireLock):
1013         (JSC::JSLock::willReleaseLock):
1014         (JSC::JSLock::dropAllLocks):
1015         (JSC::JSLock::grabAllLocks):
1016         * runtime/JSLock.h:
1017         * runtime/VM.cpp:
1018         (JSC::VM::VM):
1019         (JSC::VM::updateStackLimits):
1020         (JSC::VM::committedStackByteCount):
1021         * runtime/VM.h:
1022         (JSC::VM::isSafeToRecurse const):
1023         * runtime/VMEntryScope.cpp:
1024         (JSC::VMEntryScope::VMEntryScope):
1025         * runtime/VMInlines.h:
1026         (JSC::VM::ensureStackCapacityFor):
1027         * yarr/YarrPattern.cpp:
1028         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1029
1030 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1031
1032         LLInt should do pointer caging
1033         https://bugs.webkit.org/show_bug.cgi?id=175036
1034
1035         Reviewed by Keith Miller.
1036
1037         Implementing this in the LLInt was challenging because offlineasm did not previously know
1038         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
1039         to be where the Gigacage is enabled right now.
1040
1041         * llint/LLIntOfflineAsmConfig.h:
1042         * llint/LowLevelInterpreter64.asm:
1043         * offlineasm/ast.rb:
1044         * offlineasm/x86.rb:
1045
1046 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1047
1048         Sweeping should only scribble when sweeping to free list
1049         https://bugs.webkit.org/show_bug.cgi?id=175105
1050
1051         Reviewed by Saam Barati.
1052         
1053         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
1054         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
1055         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
1056         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
1057         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
1058         when it doesn't matter anyway because we're building a free list.
1059         
1060         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
1061         zap.
1062
1063         * heap/MarkedBlockInlines.h:
1064         (JSC::MarkedBlock::Handle::specializedSweep):
1065
1066 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1067
1068         All C++ accesses to JSObject::m_butterfly should do caging
1069         https://bugs.webkit.org/show_bug.cgi?id=175039
1070
1071         Reviewed by Keith Miller.
1072         
1073         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
1074         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
1075         outside the gigacage.
1076
1077         * runtime/JSArray.cpp:
1078         (JSC::JSArray::setLength):
1079         (JSC::JSArray::pop):
1080         (JSC::JSArray::push):
1081         (JSC::JSArray::shiftCountWithAnyIndexingType):
1082         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1083         (JSC::JSArray::fillArgList):
1084         (JSC::JSArray::copyToArguments):
1085         * runtime/JSObject.cpp:
1086         (JSC::JSObject::heapSnapshot):
1087         (JSC::JSObject::createInitialIndexedStorage):
1088         (JSC::JSObject::createArrayStorage):
1089         (JSC::JSObject::convertUndecidedToInt32):
1090         (JSC::JSObject::convertUndecidedToDouble):
1091         (JSC::JSObject::convertUndecidedToContiguous):
1092         (JSC::JSObject::convertInt32ToDouble):
1093         (JSC::JSObject::convertInt32ToArrayStorage):
1094         (JSC::JSObject::convertDoubleToContiguous):
1095         (JSC::JSObject::convertDoubleToArrayStorage):
1096         (JSC::JSObject::convertContiguousToArrayStorage):
1097         (JSC::JSObject::defineOwnIndexedProperty):
1098         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1099         (JSC::JSObject::ensureLengthSlow):
1100         (JSC::JSObject::allocateMoreOutOfLineStorage):
1101         * runtime/JSObject.h:
1102         (JSC::JSObject::canGetIndexQuickly):
1103         (JSC::JSObject::getIndexQuickly):
1104         (JSC::JSObject::tryGetIndexQuickly const):
1105         (JSC::JSObject::canSetIndexQuickly):
1106         (JSC::JSObject::setIndexQuickly):
1107         (JSC::JSObject::initializeIndex):
1108         (JSC::JSObject::initializeIndexWithoutBarrier):
1109         (JSC::JSObject::butterfly const):
1110         (JSC::JSObject::butterfly):
1111
1112 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
1113
1114         We should be OK with the gigacage being disabled on gmalloc
1115         https://bugs.webkit.org/show_bug.cgi?id=175082
1116
1117         Reviewed by Michael Saboff.
1118
1119         * jsc.cpp:
1120         (jscmain):
1121
1122 2017-08-02  Saam Barati  <sbarati@apple.com>
1123
1124         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
1125         https://bugs.webkit.org/show_bug.cgi?id=175041
1126         <rdar://problem/33659370>
1127
1128         Reviewed by Filip Pizlo.
1129
1130         The testing I have done shows that this new function is a ~10%
1131         progression running JetStream on 1GB iOS devices. I've also tried
1132         this on a few > 1GB iOS devices, and the testing shows this is either neutral
1133         or a regression. Right now, we'll just enable this for <= 1GB devices
1134         since it's a win. In the future, we might want to either look into
1135         tweaking these parameters or coming up with a new function for > 1GB
1136         devices.
1137
1138         * heap/Heap.cpp:
1139         * runtime/Options.h:
1140
1141 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
1142
1143         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
1144         https://bugs.webkit.org/show_bug.cgi?id=174727
1145
1146         Reviewed by Mark Lam.
1147         
1148         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
1149         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
1150         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
1151         
1152         This is neutral on JetStream.
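The masking step described above, as an added illustration that is not JSC's code and does not reproduce its Gigacage or CagedPtr internals: a toy `Cage` with an assumed 1 MiB power-of-two region and a `CagedPtr<T>` wrapper whose every dereference folds the raw pointer bits back into the cage. The same idea is what the earlier "All C++ accesses to JSObject::m_butterfly should do caging" entry relies on. The class names, the bump allocator, the 1 MiB size and the constructed `outside` target are all assumptions made for this example.

```cpp
// Added illustration of pointer caging (not JSC's code): a toy 1 MiB "cage" and a
// CagedPtr<T> wrapper whose every dereference masks the raw pointer back into the cage.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

class Cage {
public:
    // Assumption for this toy: a 1 MiB power-of-two cage. The real Gigacage is multi-GB.
    static constexpr uintptr_t kSize = uintptr_t(1) << 20;
    static constexpr uintptr_t kMask = kSize - 1;

    Cage()
        : m_backing(2 * kSize / sizeof(uint32_t))  // over-allocate so the base can be aligned
    {
        uintptr_t raw = reinterpret_cast<uintptr_t>(m_backing.data());
        // Base aligned to kSize: masking is then the identity for pointers already inside.
        m_base = (raw + kMask) & ~kMask;
    }

    bool contains(const void* p) const
    {
        uintptr_t u = reinterpret_cast<uintptr_t>(p);
        return u >= m_base && u < m_base + kSize;
    }

    // Trivial bump allocator for objects that live in the cage (assumption, not JSC's allocator).
    uint32_t* allocateWords(size_t words)
    {
        if (m_used + words > kSize / sizeof(uint32_t))
            return nullptr;
        uint32_t* p = reinterpret_cast<uint32_t*>(m_base) + m_used;
        m_used += words;
        return p;
    }

    // The caging step: keep only the low bits of the pointer and rebase them onto the cage.
    // A pointer that already points into the cage maps to itself; a pointer rewired anywhere
    // else is folded back inside, so the access cannot leave the region.
    template<typename T>
    T* caged(T* p) const
    {
        if (!p)
            return nullptr;  // this toy leaves null alone
        uintptr_t u = reinterpret_cast<uintptr_t>(p);
        return reinterpret_cast<T*>(m_base + (u & kMask));
    }

private:
    std::vector<uint32_t> m_backing;
    uintptr_t m_base = 0;
    size_t m_used = 0;
};

// Every access goes through caged(); the raw bits are what a heap corruption could
// overwrite, and they are never dereferenced directly.
template<typename T>
class CagedPtr {
public:
    CagedPtr(const Cage& cage, T* p) : m_cage(&cage), m_raw(p) { }
    T* get() const { return m_cage->caged(m_raw); }
    T* rawBits() const { return m_raw; }
    void overwrite(T* p) { m_raw = p; }  // simulates the butterfly pointer being corrupted
    T& operator[](size_t i) const { return get()[i]; }
private:
    const Cage* m_cage;
    T* m_raw;
};

struct CagingResult {
    bool honestPointerUnchanged;  // caging an in-cage pointer returns it unchanged
    bool rawPointsOutsideCage;    // after the rewire, the raw bits point outside the cage
    bool accessStaysInsideCage;   // ...but the pointer actually dereferenced is inside it
};

CagingResult demonstrateCaging()
{
    Cage cage;
    uint32_t* butterfly = cage.allocateWords(16);  // stand-in for a JSObject butterfly
    for (uint32_t i = 0; i < 16; ++i)
        butterfly[i] = 0x1000 + i;
    CagedPtr<uint32_t> ptr(cage, butterfly);

    CagingResult r {};
    r.honestPointerUnchanged = (ptr.get() == butterfly);

    // Constructed target outside the cage that an attacker would like to reach by
    // corrupting the butterfly pointer.
    static uint32_t outside[16] = { 0xDEAD0000 };
    ptr.overwrite(outside);

    r.rawPointsOutsideCage = !cage.contains(ptr.rawBits());
    r.accessStaysInsideCage = cage.contains(ptr.get()) && cage.contains(&ptr[0]);
    return r;
}

int main()
{
    CagingResult r = demonstrateCaging();
    std::printf("honest pointer unchanged: %d\nraw bits outside cage: %d\naccess stays inside cage: %d\n",
        r.honestPointerUnchanged, r.rawPointsOutsideCage, r.accessStaysInsideCage);
    return (r.honestPointerUnchanged && r.rawPointsOutsideCage && r.accessStaysInsideCage) ? 0 : 1;
}
```

Build with a C++17 compiler (for example `c++ -std=c++17 caging.cpp`; the file name is assumed). Two caveats a reviewer would want stated: the identity property for honest pointers holds only because the base is aligned to the power-of-two cage size, and the mask bounds the access to the region, not to the object, so a corrupted butterfly pointer can still reach other allocations inside the cage.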
1153
1154         * CMakeLists.txt:
1155         * JavaScriptCore.xcodeproj/project.pbxproj:
1156         * b3/B3InsertionSet.cpp:
1157         (JSC::B3::InsertionSet::execute):
1158         * dfg/DFGAbstractInterpreterInlines.h:
1159         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1160         * dfg/DFGArgumentsEliminationPhase.cpp:
1161         * dfg/DFGClobberize.cpp:
1162         (JSC::DFG::readsOverlap):
1163         * dfg/DFGClobberize.h:
1164         (JSC::DFG::clobberize):
1165         * dfg/DFGDoesGC.cpp:
1166         (JSC::DFG::doesGC):
1167         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
1168         (JSC::DFG::performFixedButterflyAccessUncaging):
1169         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
1170         * dfg/DFGFixupPhase.cpp:
1171         (JSC::DFG::FixupPhase::fixupNode):
1172         * dfg/DFGHeapLocation.cpp:
1173         (WTF::printInternal):
1174         * dfg/DFGHeapLocation.h:
1175         * dfg/DFGNodeType.h:
1176         * dfg/DFGPlan.cpp:
1177         (JSC::DFG::Plan::compileInThreadImpl):
1178         * dfg/DFGPredictionPropagationPhase.cpp:
1179         * dfg/DFGSafeToExecute.h:
1180         (JSC::DFG::safeToExecute):
1181         * dfg/DFGSpeculativeJIT.cpp:
1182         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1183         * dfg/DFGSpeculativeJIT32_64.cpp:
1184         (JSC::DFG::SpeculativeJIT::compile):
1185         * dfg/DFGSpeculativeJIT64.cpp:
1186         (JSC::DFG::SpeculativeJIT::compile):
1187         * dfg/DFGTypeCheckHoistingPhase.cpp:
1188         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
1189         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
1190         * ftl/FTLCapabilities.cpp:
1191         (JSC::FTL::canCompile):
1192         * ftl/FTLLowerDFGToB3.cpp:
1193         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1194         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1195         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1196         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1197         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
1198         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
1199         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
1200         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1201         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
1202         (JSC::FTL::DFG::LowerDFGToB3::caged):
1203         * heap/GigacageSubspace.cpp: Added.
1204         (JSC::GigacageSubspace::GigacageSubspace):
1205         (JSC::GigacageSubspace::~GigacageSubspace):
1206         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
1207         (JSC::GigacageSubspace::freeAlignedMemory):
1208         (JSC::GigacageSubspace::canTradeBlocksWith):
1209         * heap/GigacageSubspace.h: Added.
1210         * heap/Heap.cpp:
1211         (JSC::Heap::Heap):
1212         (JSC::Heap::lastChanceToFinalize):
1213         (JSC::Heap::finalize):
1214         (JSC::Heap::sweepInFinalize):
1215         (JSC::Heap::updateAllocationLimits):
1216         (JSC::Heap::shouldDoFullCollection):
1217         (JSC::Heap::collectIfNecessaryOrDefer):
1218         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
1219         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
1220         (JSC::Heap::sweepLargeAllocations): Deleted.
1221         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
1222         * heap/Heap.h:
1223         * heap/LargeAllocation.cpp:
1224         (JSC::LargeAllocation::tryCreate):
1225         (JSC::LargeAllocation::destroy):
1226         * heap/MarkedAllocator.cpp:
1227         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1228         (JSC::MarkedAllocator::tryAllocateBlock):
1229         * heap/MarkedBlock.cpp:
1230         (JSC::MarkedBlock::tryCreate):
1231         (JSC::MarkedBlock::Handle::Handle):
1232         (JSC::MarkedBlock::Handle::~Handle):
1233         (JSC::MarkedBlock::Handle::didAddToAllocator):
1234         (JSC::MarkedBlock::Handle::subspace const): Deleted.
1235         * heap/MarkedBlock.h:
1236         (JSC::MarkedBlock::Handle::subspace const):
1237         * heap/MarkedSpace.cpp:
1238         (JSC::MarkedSpace::~MarkedSpace):
1239         (JSC::MarkedSpace::freeMemory):
1240         (JSC::MarkedSpace::prepareForAllocation):
1241         (JSC::MarkedSpace::addMarkedAllocator):
1242         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
1243         * heap/MarkedSpace.h:
1244         (JSC::MarkedSpace::firstAllocator const):
1245         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
1246         * heap/Subspace.cpp:
1247         (JSC::Subspace::Subspace):
1248         (JSC::Subspace::canTradeBlocksWith):
1249         (JSC::Subspace::tryAllocateAlignedMemory):
1250         (JSC::Subspace::freeAlignedMemory):
1251         (JSC::Subspace::prepareForAllocation):
1252         (JSC::Subspace::findEmptyBlockToSteal):
1253         * heap/Subspace.h:
1254         (JSC::Subspace::didCreateFirstAllocator):
1255         * heap/SubspaceInlines.h:
1256         (JSC::Subspace::forEachAllocator):
1257         (JSC::Subspace::forEachMarkedBlock):
1258         (JSC::Subspace::forEachNotEmptyMarkedBlock):
1259         * jit/JITPropertyAccess.cpp:
1260         (JSC::JIT::emitDoubleLoad):
1261         (JSC::JIT::emitContiguousLoad):
1262         (JSC::JIT::emitArrayStorageLoad):
1263         (JSC::JIT::emitGenericContiguousPutByVal):
1264         (JSC::JIT::emitArrayStoragePutByVal):
1265         (JSC::JIT::emit_op_get_from_scope):
1266         (JSC::JIT::emit_op_put_to_scope):
1267         (JSC::JIT::emitIntTypedArrayGetByVal):
1268         (JSC::JIT::emitFloatTypedArrayGetByVal):
1269         (JSC::JIT::emitIntTypedArrayPutByVal):
1270         (JSC::JIT::emitFloatTypedArrayPutByVal):
1271         * jsc.cpp:
1272         (fillBufferWithContentsOfFile):
1273         (functionReadFile):
1274         (gigacageDisabled):
1275         (jscmain):
1276         * llint/LowLevelInterpreter64.asm:
1277         * runtime/ArrayBuffer.cpp:
1278         (JSC::ArrayBufferContents::tryAllocate):
1279         (JSC::ArrayBuffer::createAdopted):
1280         (JSC::ArrayBuffer::createFromBytes):
1281         (JSC::ArrayBuffer::tryCreate):
1282         * runtime/IndexingHeader.h:
1283         * runtime/InitializeThreading.cpp:
1284         (JSC::initializeThreading):
1285         * runtime/JSArrayBuffer.cpp:
1286         * runtime/JSArrayBufferView.cpp:
1287         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1288         (JSC::JSArrayBufferView::finalize):
1289         * runtime/JSLock.cpp:
1290         (JSC::JSLock::didAcquireLock):
1291         * runtime/JSObject.h:
1292         * runtime/Options.cpp:
1293         (JSC::recomputeDependentOptions):
1294         * runtime/Options.h:
1295         * runtime/ScopedArgumentsTable.h:
1296         * runtime/VM.cpp:
1297         (JSC::VM::VM):
1298         (JSC::VM::~VM):
1299         (JSC::VM::gigacageDisabledCallback):
1300         (JSC::VM::gigacageDisabled):
1301         * runtime/VM.h:
1302         (JSC::VM::fireGigacageEnabledIfNecessary):
1303         (JSC::VM::gigacageEnabled):
1304         * wasm/WasmB3IRGenerator.cpp:
1305         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1306         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
1307         * wasm/WasmCodeBlock.cpp:
1308         (JSC::Wasm::CodeBlock::isSafeToRun):
1309         * wasm/WasmMemory.cpp:
1310         (JSC::Wasm::makeString):
1311         (JSC::Wasm::Memory::create):
1312         (JSC::Wasm::Memory::~Memory):
1313         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
1314         (JSC::Wasm::Memory::grow):
1315         (JSC::Wasm::Memory::initializePreallocations): Deleted.
1316         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
1317         * wasm/WasmMemory.h:
1318         * wasm/js/JSWebAssemblyInstance.cpp:
1319         (JSC::JSWebAssemblyInstance::create):
1320         * wasm/js/JSWebAssemblyMemory.cpp:
1321         (JSC::JSWebAssemblyMemory::grow):
1322         (JSC::JSWebAssemblyMemory::finishCreation):
1323         * wasm/js/JSWebAssemblyMemory.h:
1324         (JSC::JSWebAssemblyMemory::subspaceFor):
1325
1326 2017-07-31  Mark Lam  <mark.lam@apple.com>
1327
1328         Added some UNLIKELYs to operationOptimize().
1329         https://bugs.webkit.org/show_bug.cgi?id=174976
1330
1331         Reviewed by JF Bastien.
1332
1333         * jit/JITOperations.cpp:
1334
1335 2017-07-31  Keith Miller  <keith_miller@apple.com>
1336
1337         Make more things LLInt constexprs
1338         https://bugs.webkit.org/show_bug.cgi?id=174994
1339
1340         Reviewed by Saam Barati.
1341
1342         This patch makes more of the const values in the LLInt constexprs.
1343         It also deletes all of the no longer necessary static_asserts in
1344         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
1345
1346         * interpreter/ShadowChicken.h:
1347         (JSC::ShadowChicken::Packet::tailMarker):
1348         * llint/LLIntData.cpp:
1349         (JSC::LLInt::Data::performAssertions):
1350         * llint/LowLevelInterpreter.asm:
1351         * offlineasm/generate_offset_extractor.rb:
1352         * offlineasm/parser.rb:
1353
1354 2017-07-31  Matt Lewis  <jlewis3@apple.com>
1355
1356         Unreviewed, rolling out r220060.
1357
1358         This broke our internal builds. Contact reviewer of patch for
1359         more information.
1360
1361         Reverted changeset:
1362
1363         "Merge WTFThreadData to Thread::current"
1364         https://bugs.webkit.org/show_bug.cgi?id=174716
1365         http://trac.webkit.org/changeset/220060
1366
1367 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1368
1369         [JSC] Support optional catch binding
1370         https://bugs.webkit.org/show_bug.cgi?id=174981
1371
1372         Reviewed by Saam Barati.
1373
1374         This patch implements the optional catch binding proposal [1], which is now stage 3.
1375         This proposal adds a new `catch` brace with no error value binding.
1376
1377             ```
1378                 try {
1379                     ...
1380                 } catch {
1381                     ...
1382                 }
1383             ```
1384
1385         Sometimes we do not actually need the error value. For example, a function that returns a
1386         boolean indicating whether it succeeded.
1387
1388             ```
1389             function parse(result) // -> bool
1390             {
1391                  try {
1392                      parseInner(result);
1393                  } catch {
1394                      return false;
1395                  }
1396                  return true;
1397             }
1398             ```
1399
1400         In the above case, we are not interested in the actual error value. Without this syntax,
1401         we always need to introduce a binding for an error value that is just ignored.
1402
1403         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
1404
1405         * bytecompiler/NodesCodegen.cpp:
1406         (JSC::TryNode::emitBytecode):
1407         * parser/Parser.cpp:
1408         (JSC::Parser<LexerType>::parseTryStatement):
1409
1410 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
1411
1412         Merge WTFThreadData to Thread::current
1413         https://bugs.webkit.org/show_bug.cgi?id=174716
1414
1415         Reviewed by Sam Weinig.
1416
1417         Use Thread::current() instead.
1418
1419         * API/JSContext.mm:
1420         (+[JSContext currentContext]):
1421         (+[JSContext currentThis]):
1422         (+[JSContext currentCallee]):
1423         (+[JSContext currentArguments]):
1424         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
1425         (-[JSContext endCallbackWithData:]):
1426         * heap/Heap.cpp:
1427         (JSC::Heap::requestCollection):
1428         * runtime/Completion.cpp:
1429         (JSC::checkSyntax):
1430         (JSC::checkModuleSyntax):
1431         (JSC::evaluate):
1432         (JSC::loadAndEvaluateModule):
1433         (JSC::loadModule):
1434         (JSC::linkAndEvaluateModule):
1435         (JSC::importModule):
1436         * runtime/Identifier.cpp:
1437         (JSC::Identifier::checkCurrentAtomicStringTable):
1438         * runtime/InitializeThreading.cpp:
1439         (JSC::initializeThreading):
1440         * runtime/JSLock.cpp:
1441         (JSC::JSLock::didAcquireLock):
1442         (JSC::JSLock::willReleaseLock):
1443         (JSC::JSLock::dropAllLocks):
1444         (JSC::JSLock::grabAllLocks):
1445         * runtime/JSLock.h:
1446         * runtime/VM.cpp:
1447         (JSC::VM::VM):
1448         (JSC::VM::updateStackLimits):
1449         (JSC::VM::committedStackByteCount):
1450         * runtime/VM.h:
1451         (JSC::VM::isSafeToRecurse const):
1452         * runtime/VMEntryScope.cpp:
1453         (JSC::VMEntryScope::VMEntryScope):
1454         * runtime/VMInlines.h:
1455         (JSC::VM::ensureStackCapacityFor):
1456         * yarr/YarrPattern.cpp:
1457         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
1458
1459 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
1460
1461         [WTF] Introduce Private Symbols
1462         https://bugs.webkit.org/show_bug.cgi?id=174935
1463
1464         Reviewed by Darin Adler.
1465
1466         Use SymbolImpl::isPrivate().
1467
1468         * builtins/BuiltinNames.cpp:
1469         * builtins/BuiltinNames.h:
1470         (JSC::BuiltinNames::isPrivateName): Deleted.
1471         * builtins/BuiltinUtils.h:
1472         * bytecode/BytecodeIntrinsicRegistry.cpp:
1473         (JSC::BytecodeIntrinsicRegistry::lookup):
1474         * runtime/CommonIdentifiers.cpp:
1475         (JSC::CommonIdentifiers::isPrivateName): Deleted.
1476         * runtime/CommonIdentifiers.h:
1477         * runtime/ExceptionHelpers.cpp:
1478         (JSC::createUndefinedVariableError):
1479         * runtime/Identifier.h:
1480         (JSC::Identifier::isPrivateName):
1481         * runtime/IdentifierInlines.h:
1482         (JSC::identifierToSafePublicJSValue):
1483         * runtime/ObjectConstructor.cpp:
1484         (JSC::objectConstructorAssign):
1485         (JSC::defineProperties):
1486         (JSC::setIntegrityLevel):
1487         (JSC::testIntegrityLevel):
1488         (JSC::ownPropertyKeys):
1489         * runtime/PrivateName.h:
1490         (JSC::PrivateName::PrivateName):
1491         * runtime/PropertyName.h:
1492         (JSC::PropertyName::isPrivateName):
1493         * runtime/ProxyObject.cpp:
1494         (JSC::performProxyGet):
1495         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
1496         (JSC::ProxyObject::performHasProperty):
1497         (JSC::ProxyObject::performPut):
1498         (JSC::ProxyObject::performDelete):
1499         (JSC::ProxyObject::performDefineOwnProperty):
1500
1501 2017-07-29  Keith Miller  <keith_miller@apple.com>
1502
1503         LLInt offsets extractor should be able to handle C++ constexprs
1504         https://bugs.webkit.org/show_bug.cgi?id=174964
1505
1506         Reviewed by Saam Barati.
1507
1508         This patch adds new syntax to the offline asm language. The new keyword,
1509         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
1510         expression. Additionally, if the value is not an identifier you can wrap it in
1511         parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
1512         which will get converted into:
1513         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
1514
1515         This patch also changes the data format the LLIntOffsetsExtractor
1516         binary produces.  Previously, it would produce unsigned values;
1517         after this patch every value is an int64_t.  Using an int64_t is
1518         useful because it means that we can represent any constant needed.
1519         int32_t masks are sign extended, then passed and converted to a
1520         negative literal string in the assembler so it will be the constant
1521         expected.
1522
1523         * llint/LLIntOffsetsExtractor.cpp:
1524         (JSC::LLIntOffsetsExtractor::dummy):
1525         * llint/LowLevelInterpreter.asm:
1526         * llint/LowLevelInterpreter64.asm:
1527         * offlineasm/asm.rb:
1528         * offlineasm/ast.rb:
1529         * offlineasm/generate_offset_extractor.rb:
1530         * offlineasm/offsets.rb:
1531         * offlineasm/parser.rb:
1532         * offlineasm/transform.rb:
1533
1534 2017-07-28  Matt Baker  <mattbaker@apple.com>
1535
1536         Web Inspector: capture an async stack trace when web content calls addEventListener
1537         https://bugs.webkit.org/show_bug.cgi?id=174739
1538         <rdar://problem/33468197>
1539
1540         Reviewed by Brian Burg.
1541
1542         Allow debugger agents to perform custom logic when asynchronous stack
1543         trace data is cleared. For example, the PageDebuggerAgent would clear
1544         its list of registered listeners for which call stacks have been recorded.
1545
1546         * inspector/agents/InspectorDebuggerAgent.cpp:
1547         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
1548         * inspector/agents/InspectorDebuggerAgent.h:
1549
1550 2017-07-28  Mark Lam  <mark.lam@apple.com>
1551
1552         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
1553         https://bugs.webkit.org/show_bug.cgi?id=174948
1554         <rdar://problem/33495680>
1555
1556         Reviewed by Filip Pizlo.
1557
1558         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
1559         owner StructureRareData is already known to be dead (in terms of GC liveness) but
1560         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
1561         requests to fire this watchpoint.
1562
1563         If the GC had the chance to sweep the StructureRareData, thereby destructing the
1564         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
1565         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
1566
1567         But since the watchpoint hasn't been destructed yet, it still remains on the
1568         WatchpointSet and needs to guard against being fired in this state.  The fix is
1569         to simply return early if its owner StructureRareData is not live.  This has the
1570         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
1571         not firing as we would expect.
1572
1573         This patch also removes some cargo cult copying of watchpoint code which
1574         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
1575         used.  This patch removes these unnecessary instantiations.
1576
1577         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
1578         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
1579         * runtime/StructureRareData.cpp:
1580         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
1581         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
1582
1583 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
1584
1585         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
1586         https://bugs.webkit.org/show_bug.cgi?id=174900
1587
1588         Reviewed by Saam Barati.
1589
1590         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
1591         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
1592         The problem is that the transforming phase also checks these pseudo terminals.
1593
1594             BB1
1595             1: ForceOSRExit
1596             2: CreateDirectArguments
1597
1598             BB2
1599             3: GetButterfly(@2)
1600             4: ForceOSRExit
1601
1602         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
1603
1604         In this patch, we stop listing candidates after seeing pseudo terminals in basic blocks.
1605
1606         * dfg/DFGArgumentsEliminationPhase.cpp:
1607
1608 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
1609
1610         [ES] Add support finally to Promise
1611         https://bugs.webkit.org/show_bug.cgi?id=174503
1612
1613         Reviewed by Yusuke Suzuki.
1614
1615         Add support for the `finally` method to Promise according
1616         to https://bugs.webkit.org/show_bug.cgi?id=174503
1617         The current spec is at STAGE 3:
1618         https://github.com/tc39/proposal-promise-finally
1619
1620         * builtins/PromisePrototype.js:
1621         (finally):
1622         (const.valueThunk):
1623         (globalPrivate.getThenFinally):
1624         (const.thrower):
1625         (globalPrivate.getCatchFinally):
1626         * runtime/JSPromisePrototype.cpp:
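
Added example, not the JSC builtin in builtins/PromisePrototype.js: a plain-JS model of Promise.prototype.finally that follows the TC39 proposal cited in the entry (Then Finally / Catch Finally functions with a valueThunk and a thrower). It deliberately omits the proposal's SpeciesConstructor lookup and always uses %Promise%. The names promiseFinally, describeOutcome and runScenarios are hypothetical; the scenarios are constructed inputs.

```javascript
// Added example, not the JSC builtin: a model of Promise.prototype.finally per the
// TC39 proposal. promiseFinally/describeOutcome/runScenarios are hypothetical names.
function promiseFinally(promise, onFinally) {
  // Spec step: a non-callable onFinally is handed to then() unchanged.
  if (typeof onFinally !== "function") {
    return promise.then(onFinally, onFinally);
  }
  // Then Finally: call onFinally, wait for whatever it returns, then re-deliver
  // the original value. onFinally's own return value is discarded.
  const thenFinally = (value) => {
    const valueThunk = () => value;
    return Promise.resolve(onFinally()).then(valueThunk);
  };
  // Catch Finally: same, but re-throw the original reason afterwards.
  const catchFinally = (reason) => {
    const thrower = () => { throw reason; };
    return Promise.resolve(onFinally()).then(thrower);
  };
  return promise.then(thenFinally, catchFinally);
}

// Collapse a promise's settlement into a string so outcomes can be compared.
function describeOutcome(promise) {
  return promise.then(
    (value) => `fulfilled:${value}`,
    (reason) => `rejected:${reason.message}`
  );
}

// Four behaviours worth knowing before relying on finally() for cleanup.
// `finallyImpl` defaults to the model above; pass (p, f) => p.finally(f) to run
// the same scenarios against the engine's native implementation.
// Returns a promise of { results, log } rather than printing, so it can be asserted on.
function runScenarios(finallyImpl = promiseFinally) {
  const log = [];
  const scenarios = [
    // 1. onFinally's return value is ignored; the original value passes through.
    finallyImpl(Promise.resolve(1), () => 99),
    // 2. A rejection passes through untouched when cleanup succeeds.
    finallyImpl(Promise.reject(new Error("boom")), () => { log.push("cleanup"); }),
    // 3. A throw inside onFinally replaces the original outcome.
    finallyImpl(Promise.resolve(1), () => { throw new Error("cleanup failed"); }),
    // 4. A promise returned from onFinally is awaited before the result settles.
    finallyImpl(Promise.resolve("done"), () =>
      new Promise((resolve) => setTimeout(() => { log.push("async cleanup"); resolve(); }, 5))),
  ];
  return Promise.all(scenarios.map(describeOutcome)).then((results) => ({ results, log }));
}
```

Scenario 3 is the one to remember when using finally() for resource cleanup: an exception (or rejected promise) coming out of the cleanup callback replaces the original fulfillment or rejection, so the caller never sees the value the operation produced.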
1627
1628 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1629
1630         Unreviewed, build fix for CLoop
1631         https://bugs.webkit.org/show_bug.cgi?id=171637
1632
1633         * domjit/DOMJITGetterSetter.h:
1634
1635 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1636
1637         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
1638         https://bugs.webkit.org/show_bug.cgi?id=171637
1639
1640         Reviewed by Darin Adler.
1641
1642         Each DOM attribute getter has code to perform the ClassInfo check. But it is largely duplicated and causes code bloat.
1643         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
1644
1645         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
1646         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
1647
1648         In IC, we drop CheckSubClass completely since the IC's Structure check subsumes it. We do not enable this optimization for
1649         the op_get_by_id_with_this case yet.
1650         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by the CheckStructure leading to CheckSubClass.
1651
1652         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs
1653         the ClassInfo check.
1654
1655         * CMakeLists.txt:
1656         * JavaScriptCore.xcodeproj/project.pbxproj:
1657         * bytecode/AccessCase.cpp:
1658         (JSC::AccessCase::generateImpl):
1659         * bytecode/GetByIdStatus.cpp:
1660         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1661         * bytecode/GetByIdVariant.cpp:
1662         (JSC::GetByIdVariant::GetByIdVariant):
1663         (JSC::GetByIdVariant::operator=):
1664         (JSC::GetByIdVariant::attemptToMerge):
1665         (JSC::GetByIdVariant::dumpInContext):
1666         * bytecode/GetByIdVariant.h:
1667         (JSC::GetByIdVariant::customAccessorGetter):
1668         (JSC::GetByIdVariant::domAttribute):
1669         (JSC::GetByIdVariant::domJIT): Deleted.
1670         * bytecode/GetterSetterAccessCase.cpp:
1671         (JSC::GetterSetterAccessCase::create):
1672         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1673         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1674         * bytecode/GetterSetterAccessCase.h:
1675         (JSC::GetterSetterAccessCase::domAttribute):
1676         (JSC::GetterSetterAccessCase::customAccessor):
1677         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1678         * bytecompiler/BytecodeGenerator.cpp:
1679         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1680         * create_hash_table:
1681         * dfg/DFGAbstractInterpreterInlines.h:
1682         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1683         * dfg/DFGByteCodeParser.cpp:
1684         (JSC::DFG::blessCallDOMGetter):
1685         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1686         (JSC::DFG::ByteCodeParser::handleGetById):
1687         * dfg/DFGClobberize.h:
1688         (JSC::DFG::clobberize):
1689         * dfg/DFGFixupPhase.cpp:
1690         (JSC::DFG::FixupPhase::fixupNode):
1691         * dfg/DFGNode.h:
1692         * dfg/DFGSpeculativeJIT.cpp:
1693         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1694         * dfg/DFGSpeculativeJIT.h:
1695         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1696         * domjit/DOMJITGetterSetter.h:
1697         (JSC::DOMJIT::GetterSetter::GetterSetter):
1698         (JSC::DOMJIT::GetterSetter::getter):
1699         (JSC::DOMJIT::GetterSetter::compiler):
1700         (JSC::DOMJIT::GetterSetter::resultType):
1701         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1702         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1703         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1704         * ftl/FTLLowerDFGToB3.cpp:
1705         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1706         * jit/Repatch.cpp:
1707         (JSC::tryCacheGetByID):
1708         * jsc.cpp:
1709         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1710         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1711         (WTF::DOMJITGetter::customGetter):
1712         (WTF::DOMJITGetter::finishCreation):
1713         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1714         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1715         (WTF::DOMJITGetterComplex::customGetter):
1716         (WTF::DOMJITGetterComplex::finishCreation):
1717         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1718         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1719         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1720         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1721         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1722         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1723         * runtime/CustomGetterSetter.h:
1724         (JSC::CustomGetterSetter::create):
1725         (JSC::CustomGetterSetter::setter):
1726         (JSC::CustomGetterSetter::CustomGetterSetter):
1727         (): Deleted.
1728         * runtime/DOMAnnotation.h: Added.
1729         (JSC::operator==):
1730         (JSC::operator!=):
1731         * runtime/DOMAttributeGetterSetter.cpp: Added.
1732         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1733         (JSC::isDOMAttributeGetterSetter):
1734         * runtime/Error.cpp:
1735         (JSC::throwDOMAttributeGetterTypeError):
1736         * runtime/Error.h:
1737         (JSC::throwVMDOMAttributeGetterTypeError):
1738         * runtime/JSCustomGetterSetterFunction.cpp:
1739         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1740         * runtime/JSObject.cpp:
1741         (JSC::JSObject::putInlineSlow):
1742         (JSC::JSObject::deleteProperty):
1743         (JSC::JSObject::getOwnStaticPropertySlot):
1744         (JSC::JSObject::reifyAllStaticProperties):
1745         (JSC::JSObject::fillGetterPropertySlot):
1746         (JSC::JSObject::findPropertyHashEntry): Deleted.
1747         * runtime/JSObject.h:
1748         (JSC::JSObject::getOwnNonIndexPropertySlot):
1749         (JSC::JSObject::fillCustomGetterPropertySlot):
1750         * runtime/Lookup.cpp:
1751         (JSC::setUpStaticFunctionSlot):
1752         * runtime/Lookup.h:
1753         (JSC::HashTableValue::domJIT):
1754         (JSC::getStaticPropertySlotFromTable):
1755         (JSC::putEntry):
1756         (JSC::lookupPut):
1757         (JSC::reifyStaticProperty):
1758         (JSC::reifyStaticProperties):
1759         Each static property table has a new ClassInfo* field. It indicates which ClassInfo check the DOMAttributes registered in
1760         this static property table require.
1761
1762         * runtime/ProgramExecutable.cpp:
1763         (JSC::ProgramExecutable::initializeGlobalProperties):
1764         * runtime/PropertyName.h:
1765         * runtime/PropertySlot.cpp:
1766         (JSC::PropertySlot::customGetter):
1767         (JSC::PropertySlot::customAccessorGetter):
1768         * runtime/PropertySlot.h:
1769         (JSC::PropertySlot::domAttribute):
1770         (JSC::PropertySlot::setCustom):
1771         (JSC::PropertySlot::setCacheableCustom):
1772         (JSC::PropertySlot::getValue):
1773         (JSC::PropertySlot::domJIT): Deleted.
1774         * runtime/VM.cpp:
1775         (JSC::VM::VM):
1776         * runtime/VM.h:
1777
1778 2017-07-26  Devin Rousso  <drousso@apple.com>
1779
1780         Web Inspector: create protocol for recording Canvas contexts
1781         https://bugs.webkit.org/show_bug.cgi?id=174481
1782
1783         Reviewed by Joseph Pecoraro.
1784
1785         * inspector/protocol/Canvas.json:
1786          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1787          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1788          - Add `recordingFinished` event that is fired once a recording is finished.
1789
1790         * CMakeLists.txt:
1791         * DerivedSources.make:
1792         * inspector/protocol/Recording.json: Added.
1793          - Add `Type` enum that lists the types of recordings.
1794          - Add `InitialState` type that contains information about the canvas context at the
1795            beginning of the recording.
1796          - Add `Frame` type that holds a list of actions that were recorded.
1797          - Add `Recording` type as the container object of recording data.
1798
1799         * inspector/scripts/codegen/generate_js_backend_commands.py:
1800         (JSBackendCommandsGenerator.generate_domain):
1801         Create an agent for domains with no events or commands.
1802
1803         * inspector/InspectorValues.h:
1804         Make Array `get` public so that values can be retrieved if needed.
1805
1806 2017-07-26  Brian Burg  <bburg@apple.com>
1807
1808         Remove WEB_TIMING feature flag
1809         https://bugs.webkit.org/show_bug.cgi?id=174795
1810
1811         Reviewed by Alex Christensen.
1812
1813         * Configurations/FeatureDefines.xcconfig:
1814
1815 2017-07-26  Mark Lam  <mark.lam@apple.com>
1816
1817         Add the ability to change sp and pc to the ARM64 JIT probe.
1818         https://bugs.webkit.org/show_bug.cgi?id=174697
1819         <rdar://problem/33436965>
1820
1821         Reviewed by JF Bastien.
1822
1823         This patch implements the following:
1824
1825         1. The ARM64 probe now supports modifying the pc and sp.
1826
1827            However, lr is not preserved when modifying the pc because it is used as the
1828            scratch register for the indirect jump. Hence, the probe handler function
1829            may not modify both lr and pc in the same probe invocation.
1830
1831         2. Fix probe tests to use bitwise comparison when comparing double register
1832            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1833
1834         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1835            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1836            instructions which require 16 byte alignment for their memory access.
1837
1838         * assembler/MacroAssemblerARM64.cpp:
1839         (JSC::arm64ProbeError):
1840         (JSC::MacroAssembler::probe):
1841         (JSC::arm64ProbeTrampoline): Deleted.
1842         * assembler/testmasm.cpp:
1843         (JSC::isSpecialGPR):
1844         (JSC::testProbeReadsArgumentRegisters):
1845         (JSC::testProbeWritesArgumentRegisters):
1846         (JSC::testProbePreservesGPRS):
1847         (JSC::testProbeModifiesStackPointer):
1848         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1849         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1850
1851 2017-07-25  JF Bastien  <jfbastien@apple.com>
1852
1853         WebAssembly: generate smaller binaries
1854         https://bugs.webkit.org/show_bug.cgi?id=174818
1855
1856         Reviewed by Filip Pizlo.
1857
1858         This patch reduces generated code size for WebAssembly in 2 ways:
1859
1860         1. Use the ZR register when storing zero on ARM64.
1861         2. Synthesize wasm context lazily.
1862
1863         This leads to a modest size reduction on both x86-64 and ARM64 for
1864         large WebAssembly games, without any performance loss on WasmBench
1865         and TitzerBench.
1866
1867         The reason this works is that these games, using Emscripten,
1868         generate 100k+ tiny functions, and our JIT allocation granule
1869         rounds all allocations up to 32 bytes. There are plenty of other
1870         simple gains to be had, I've filed a follow-up bug at
1871         webkit.org/b/174819
1872
1873         We should further avoid the per-function cost of tiering, which
1874         represents the bulk of code generated for small functions.
1875
1876         * assembler/MacroAssemblerARM64.h:
1877         (JSC::MacroAssemblerARM64::storeZero64):
1878         * assembler/MacroAssemblerX86_64.h:
1879         (JSC::MacroAssemblerX86_64::storeZero64):
1880         * b3/B3LowerToAir.cpp:
1881         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1882         for x86 because it constrains register reuse and codegen in a way
1883         that doesn't affect ARM64 because it has a dedicated zero
1884         register.
1885         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1886         * wasm/WasmB3IRGenerator.cpp:
1887         (JSC::Wasm::B3IRGenerator::instanceValue):
1888         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1889         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1890         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1891
1892 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1893
1894         B3 should do LICM
1895         https://bugs.webkit.org/show_bug.cgi?id=174750
1896
1897         Reviewed by Keith Miller and Saam Barati.
1898         
1899         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1900         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1901         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1902         change templatizes DFG::NaturalLoops so that we can just use it.
1903         
1904         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1905         the relationship between control dependence and side exits.
1906         
1907         Also added a bunch of tests.
1908         
1909         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1910         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1911         so it doesn't hurt to have it.
1912         
1913         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1914         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1915         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1916         eventually.
1917
1918         * CMakeLists.txt:
1919         * JavaScriptCore.xcodeproj/project.pbxproj:
1920         * b3/B3BackwardsCFG.h: Added.
1921         (JSC::B3::BackwardsCFG::BackwardsCFG):
1922         * b3/B3BackwardsDominators.h: Added.
1923         (JSC::B3::BackwardsDominators::BackwardsDominators):
1924         * b3/B3BasicBlock.cpp:
1925         (JSC::B3::BasicBlock::appendNonTerminal):
1926         * b3/B3Effects.h:
1927         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1928         (JSC::B3::ensureLoopPreHeaders):
1929         * b3/B3EnsureLoopPreHeaders.h: Added.
1930         * b3/B3Generate.cpp:
1931         (JSC::B3::generateToAir):
1932         * b3/B3HoistLoopInvariantValues.cpp: Added.
1933         (JSC::B3::hoistLoopInvariantValues):
1934         * b3/B3HoistLoopInvariantValues.h: Added.
1935         * b3/B3NaturalLoops.h: Added.
1936         (JSC::B3::NaturalLoops::NaturalLoops):
1937         * b3/B3Procedure.cpp:
1938         (JSC::B3::Procedure::invalidateCFG):
1939         (JSC::B3::Procedure::naturalLoops):
1940         (JSC::B3::Procedure::backwardsCFG):
1941         (JSC::B3::Procedure::backwardsDominators):
1942         * b3/B3Procedure.h:
1943         * b3/testb3.cpp:
1944         (JSC::B3::generateLoop):
1945         (JSC::B3::makeArrayForLoops):
1946         (JSC::B3::generateLoopNotBackwardsDominant):
1947         (JSC::B3::oneFunction):
1948         (JSC::B3::noOpFunction):
1949         (JSC::B3::testLICMPure):
1950         (JSC::B3::testLICMPureSideExits):
1951         (JSC::B3::testLICMPureWritesPinned):
1952         (JSC::B3::testLICMPureWrites):
1953         (JSC::B3::testLICMReadsLocalState):
1954         (JSC::B3::testLICMReadsPinned):
1955         (JSC::B3::testLICMReads):
1956         (JSC::B3::testLICMPureNotBackwardsDominant):
1957         (JSC::B3::testLICMPureFoiledByChild):
1958         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1959         (JSC::B3::testLICMExitsSideways):
1960         (JSC::B3::testLICMWritesLocalState):
1961         (JSC::B3::testLICMWrites):
1962         (JSC::B3::testLICMFence):
1963         (JSC::B3::testLICMWritesPinned):
1964         (JSC::B3::testLICMControlDependent):
1965         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1966         (JSC::B3::testLICMControlDependentSideExits):
1967         (JSC::B3::testLICMReadsPinnedWritesPinned):
1968         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1969         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1970         (JSC::B3::testLICMDefaultCall):
1971         (JSC::B3::run):
1972         * dfg/DFGBasicBlock.h:
1973         * dfg/DFGCFG.h:
1974         * dfg/DFGNaturalLoops.cpp: Removed.
1975         * dfg/DFGNaturalLoops.h:
1976         (JSC::DFG::NaturalLoops::NaturalLoops):
1977         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1978         (JSC::DFG::NaturalLoop::header): Deleted.
1979         (JSC::DFG::NaturalLoop::size): Deleted.
1980         (JSC::DFG::NaturalLoop::at): Deleted.
1981         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1982         (JSC::DFG::NaturalLoop::contains): Deleted.
1983         (JSC::DFG::NaturalLoop::index): Deleted.
1984         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1985         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1986         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1987         (JSC::DFG::NaturalLoops::loop): Deleted.
1988         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1989         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1990         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1991         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1992         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1993
1994 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1995
1996         GC should be fine with trading blocks between destructor and non-destructor blocks
1997         https://bugs.webkit.org/show_bug.cgi?id=174811
1998
1999         Reviewed by Mark Lam.
2000         
2001         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
2002         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
2003         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
2004         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
2005         set.
2006         
2007         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
2008         is empty if:
2009         
2010         A) It has no live objects and it's a non-destructor block, or
2011         B) We just allocated it (so it has no destructors even if it's a destructor block), or
2012         C) We just stole it from another allocator (so it also has no destructors), or
2013         D) We just swept the block and ran all destructors.
2014         
2015         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
2016         block that could be stolen.
2017
2018         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
2019         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
2020         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
2021         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
2022         
2023         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
2024         
2025         If we tried to enable trading of blocks between allocators without making any changes to how
2026         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
2027         live objects in order for those bits to be candidates for trading. But if we do that, then our
2028         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
2029         our destructors won't run and we'll leak memory.
2030         
2031         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
2032         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
2033         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
2034         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
2035         are (empty & ~destructible).
2036         
2037         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
2038         remove destructor-oriented special-casing of block trading.
2039
2040         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
2041         so this change is more about clean-up than perf. But, this could reduce memory usage in some
2042         pathological cases.
2043         
2044         * heap/MarkedAllocator.cpp:
2045         (JSC::MarkedAllocator::findEmptyBlockToSteal):
2046         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2047         (JSC::MarkedAllocator::endMarking):
2048         (JSC::MarkedAllocator::shrink):
2049         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
2050         * heap/MarkedAllocator.h:
2051         * heap/MarkedBlock.cpp:
2052         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
2053         (JSC::MarkedBlock::Handle::sweep):
2054         * heap/MarkedBlockInlines.h:
2055         (JSC::MarkedBlock::Handle::specializedSweep):
2056         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
2057         (JSC::MarkedBlock::Handle::emptyMode):
2058
2059 2017-07-25  Keith Miller  <keith_miller@apple.com>
2060
2061         Remove Broken CompareEq constant folding phase.
2062         https://bugs.webkit.org/show_bug.cgi?id=174846
2063         <rdar://problem/32978808>
2064
2065         Reviewed by Saam Barati.
2066
2067         This bug happened when we would get code like the following:
2068
2069         a: JSConst(Undefined)
2070         b: GetLocal(SomeObjectOrUndefined)
2071         ...
2072         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
2073
2074         constant folding will turn this into:
2075
2076         a: JSConst(Undefined)
2077         b: GetLocal(SomeObjectOrUndefined)
2078         ...
2079         c: CompareEq(Check:ObjectOrOther:b, Other:a)
2080
2081         But the SpeculativeJIT/FTL lowering will fail to check b
2082         properly which leads to an assertion failure in the AI.
2083
2084         I'll follow up with a more robust fix later. For now, I'll remove the
2085         case that generates the code. Removing the code appears to be perf
2086         neutral.
2087
2088         * dfg/DFGConstantFoldingPhase.cpp:
2089         (JSC::DFG::ConstantFoldingPhase::foldConstants):
2090
2091 2017-07-25  Matt Baker  <mattbaker@apple.com>
2092
2093         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
2094         https://bugs.webkit.org/show_bug.cgi?id=174738
2095
2096         Reviewed by Brian Burg.
2097
2098         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
2099         stack traces. This preserves the call type in JSC, makes the range of
2100         possible call types explicit, and is safer than passing ints.
2101
2102         * inspector/agents/InspectorDebuggerAgent.cpp:
2103         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
2104         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
2105         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
2106         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
2107         * inspector/agents/InspectorDebuggerAgent.h:
2108
2109 2017-07-25  Mark Lam  <mark.lam@apple.com>
2110
2111         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
2112         https://bugs.webkit.org/show_bug.cgi?id=174809
2113         <rdar://problem/33504759>
2114
2115         Reviewed by Filip Pizlo.
2116
2117         1. When the probe handler function changes the sp register to point to the
2118            region of stack in the middle of the ProbeContext on the stack, there is a
2119            bug where the ProbeContext's register values to be restored can be over-written
2120            before they can be restored.  This is now fixed.
2121
2122         2. Added more robust probe tests for changing the sp register.
2123
2124         3. Made existing probe tests ensure that probe handlers were actually called.
2125
2126         4. Added some verification to testProbePreservesGPRS().
2127
2128         5. Changed all the probe tests to fail early on discovering an error instead of
2129            batching till the end of the test.  This helps point a finger to the failing
2130            issue earlier.
2131
2132         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
2133         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
2134
2135         * assembler/MacroAssemblerARM.cpp:
2136         * assembler/MacroAssemblerARMv7.cpp:
2137         * assembler/MacroAssemblerX86Common.cpp:
2138         * assembler/testmasm.cpp:
2139         (JSC::testProbeReadsArgumentRegisters):
2140         (JSC::testProbeWritesArgumentRegisters):
2141         (JSC::testProbePreservesGPRS):
2142         (JSC::testProbeModifiesStackPointer):
2143         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
2144         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
2145         (JSC::testProbeModifiesProgramCounter):
2146         (JSC::run):
2147
2148 2017-07-25  Brian Burg  <bburg@apple.com>
2149
2150         Web Automation: add support for uploading files
2151         https://bugs.webkit.org/show_bug.cgi?id=174797
2152         <rdar://problem/28485063>
2153
2154         Reviewed by Joseph Pecoraro.
2155
2156         * inspector/scripts/generate-inspector-protocol-bindings.py:
2157         (generate_from_specification):
2158         Start generating frontend dispatcher code if the target framework is 'WebKit'.
2159
2160         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
2161         (CppFrontendDispatcherImplementationGenerator.generate_output):
2162         Use a framework include for InspectorFrontendRouter.h since this generated code
2163         will be compiled outside of WebCore.framework.
2164
2165         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
2166         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
2167         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
2168         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
2169         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
2170         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
2171         * inspector/scripts/tests/generic/expected/enum-values.json-result:
2172         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
2173         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
2174         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
2175         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
2176         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
2177         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
2178         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
2179         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
2180         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
2181         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
2182         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
2183         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
2184         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
2185         Rebaseline code generator tests.
2186
2187 2017-07-24  Mark Lam  <mark.lam@apple.com>
2188
2189         Gardening: fixed C Loop build after r219790.
2190         https://bugs.webkit.org/show_bug.cgi?id=174696
2191
2192         Not reviewed.
2193
2194         * assembler/testmasm.cpp:
2195
2196 2017-07-23  Mark Lam  <mark.lam@apple.com>
2197
2198         Create regression tests for the JIT probe.
2199         https://bugs.webkit.org/show_bug.cgi?id=174696
2200         <rdar://problem/33436922>
2201
2202         Reviewed by Saam Barati.
2203
2204         The new testmasm will test the following:
2205         1. the probe is able to read the value of CPU registers.
2206         2. the probe is able to write the value of CPU registers.
2207         3. the probe is able to preserve all CPU registers.
2208         4. special case of (2): the probe is able to change the value of the stack pointer.
2209         5. special case of (2): the probe is able to change the value of the program counter
2210            i.e. the probe can change where the code continues executing upon returning from
2211            the probe.
2212
2213         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
2214         because it does not support changing the sp and pc yet.  The ARM64 probe
2215         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
2216         later.
2217
2218         * Configurations/ToolExecutable.xcconfig:
2219         * JavaScriptCore.xcodeproj/project.pbxproj:
2220         * assembler/MacroAssembler.h:
2221         (JSC::MacroAssembler::CPUState::pc):
2222         (JSC::MacroAssembler::CPUState::fp):
2223         (JSC::MacroAssembler::CPUState::sp):
2224         (JSC::ProbeContext::pc):
2225         (JSC::ProbeContext::fp):
2226         (JSC::ProbeContext::sp):
2227         * assembler/MacroAssemblerARM64.cpp:
2228         (JSC::arm64ProbeTrampoline):
2229         * assembler/MacroAssemblerPrinter.cpp:
2230         (JSC::Printer::printPCRegister):
2231         * assembler/testmasm.cpp: Added.
2232         (hiddenTruthBecauseNoReturnIsStupid):
2233         (usage):
2234         (JSC::nextID):
2235         (JSC::isPC):
2236         (JSC::isSP):
2237         (JSC::isFP):
2238         (JSC::compile):
2239         (JSC::invoke):
2240         (JSC::compileAndRun):
2241         (JSC::testSimple):
2242         (JSC::testProbeReadsArgumentRegisters):
2243         (JSC::testProbeWritesArgumentRegisters):
2244         (JSC::testFunctionToTrashRegisters):
2245         (JSC::testProbePreservesGPRS):
2246         (JSC::testProbeModifiesStackPointer):
2247         (JSC::testProbeModifiesProgramCounter):
2248         (JSC::run):
2249         (run):
2250         (main):
2251         * b3/air/testair.cpp:
2252         (usage):
2253         * shell/CMakeLists.txt:
2254
2255 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
2256
2257         It should be easy to decide how WebKit yields
2258         https://bugs.webkit.org/show_bug.cgi?id=174298
2259
2260         Reviewed by Saam Barati.
2261         
2262         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
2263
2264         * heap/Heap.cpp:
2265         (JSC::Heap::resumeThePeriphery):
2266         * heap/VisitingTimeout.h:
2267         * runtime/JSCell.cpp:
2268         (JSC::JSCell::lockSlow):
2269         (JSC::JSCell::unlockSlow):
2270         * runtime/JSCell.h:
2271         * runtime/JSCellInlines.h:
2272         (JSC::JSCell::lock):
2273         (JSC::JSCell::unlock):
2274         * runtime/JSLock.cpp:
2275         (JSC::JSLock::grabAllLocks):
2276         * runtime/SamplingProfiler.cpp:
2277
2278 2017-07-21  Mark Lam  <mark.lam@apple.com>
2279
2280         Refactor MASM probe CPUState to use arrays for register storage.
2281         https://bugs.webkit.org/show_bug.cgi?id=174694
2282
2283         Reviewed by Keith Miller.
2284
2285         Using arrays for register storage in CPUState allows us to do away with the
2286         huge switch statements to decode each register id.  We can now simply index into
2287         the arrays.
2288
2289         With this patch, we now:
2290
2291         1. Remove the need for macros for defining the list of CPU registers.
2292            We can go back to simple enums.  This makes the code easier to read.
2293
2294         2. Make the assembler the authority on register names.
2295            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
2296            GPRInfo and FPRInfo now forward to the assembler.
2297
2298         3. Make the assembler the authority on the number of registers of each type.
2299
2300         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
2301            This is inconsistent with how every other CPU architecture implements
2302            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
2303            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
2304
2305         * assembler/ARM64Assembler.h:
2306         (JSC::ARM64Assembler::numberOfRegisters):
2307         (JSC::ARM64Assembler::firstSPRegister):
2308         (JSC::ARM64Assembler::lastSPRegister):
2309         (JSC::ARM64Assembler::numberOfSPRegisters):
2310         (JSC::ARM64Assembler::numberOfFPRegisters):
2311         (JSC::ARM64Assembler::gprName):
2312         (JSC::ARM64Assembler::sprName):
2313         (JSC::ARM64Assembler::fprName):
2314         * assembler/ARMAssembler.h:
2315         (JSC::ARMAssembler::numberOfRegisters):
2316         (JSC::ARMAssembler::firstSPRegister):
2317         (JSC::ARMAssembler::lastSPRegister):
2318         (JSC::ARMAssembler::numberOfSPRegisters):
2319         (JSC::ARMAssembler::numberOfFPRegisters):
2320         (JSC::ARMAssembler::gprName):
2321         (JSC::ARMAssembler::sprName):
2322         (JSC::ARMAssembler::fprName):
2323         * assembler/ARMv7Assembler.h:
2324         (JSC::ARMv7Assembler::lastRegister):
2325         (JSC::ARMv7Assembler::numberOfRegisters):
2326         (JSC::ARMv7Assembler::firstSPRegister):
2327         (JSC::ARMv7Assembler::lastSPRegister):
2328         (JSC::ARMv7Assembler::numberOfSPRegisters):
2329         (JSC::ARMv7Assembler::numberOfFPRegisters):
2330         (JSC::ARMv7Assembler::gprName):
2331         (JSC::ARMv7Assembler::sprName):
2332         (JSC::ARMv7Assembler::fprName):
2333         * assembler/AbstractMacroAssembler.h:
2334         (JSC::AbstractMacroAssembler::numberOfRegisters):
2335         (JSC::AbstractMacroAssembler::gprName):
2336         (JSC::AbstractMacroAssembler::firstSPRegister):
2337         (JSC::AbstractMacroAssembler::lastSPRegister):
2338         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
2339         (JSC::AbstractMacroAssembler::sprName):
2340         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
2341         (JSC::AbstractMacroAssembler::fprName):
2342         * assembler/MIPSAssembler.h:
2343         (JSC::MIPSAssembler::numberOfRegisters):
2344         (JSC::MIPSAssembler::firstSPRegister):
2345         (JSC::MIPSAssembler::lastSPRegister):
2346         (JSC::MIPSAssembler::numberOfSPRegisters):
2347         (JSC::MIPSAssembler::numberOfFPRegisters):
2348         (JSC::MIPSAssembler::gprName):
2349         (JSC::MIPSAssembler::sprName):
2350         (JSC::MIPSAssembler::fprName):
2351         * assembler/MacroAssembler.h:
2352         (JSC::MacroAssembler::CPUState::gprName):
2353         (JSC::MacroAssembler::CPUState::sprName):
2354         (JSC::MacroAssembler::CPUState::fprName):
2355         (JSC::MacroAssembler::CPUState::gpr):
2356         (JSC::MacroAssembler::CPUState::spr):
2357         (JSC::MacroAssembler::CPUState::fpr):
2358         (JSC::MacroAssembler::CPUState::pc):
2359         (JSC::MacroAssembler::CPUState::fp):
2360         (JSC::MacroAssembler::CPUState::sp):
2361         (JSC::ProbeContext::gpr):
2362         (JSC::ProbeContext::spr):
2363         (JSC::ProbeContext::fpr):
2364         (JSC::ProbeContext::gprName):
2365         (JSC::ProbeContext::sprName):
2366         (JSC::ProbeContext::fprName):
2367         (JSC::MacroAssembler::numberOfRegisters): Deleted.
2368         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
2369         * assembler/MacroAssemblerARM.cpp:
2370         * assembler/MacroAssemblerARM64.cpp:
2371         (JSC::arm64ProbeTrampoline):
2372         * assembler/MacroAssemblerARMv7.cpp:
2373         * assembler/MacroAssemblerPrinter.cpp:
2374         (JSC::Printer::nextID):
2375         (JSC::Printer::printAllRegisters):
2376         (JSC::Printer::printPCRegister):
2377         (JSC::Printer::printRegisterID):
2378         (JSC::Printer::printAddress):
2379         * assembler/MacroAssemblerX86Common.cpp:
2380         * assembler/X86Assembler.h:
2381         (JSC::X86Assembler::numberOfRegisters):
2382         (JSC::X86Assembler::firstSPRegister):
2383         (JSC::X86Assembler::lastSPRegister):
2384         (JSC::X86Assembler::numberOfSPRegisters):
2385         (JSC::X86Assembler::numberOfFPRegisters):
2386         (JSC::X86Assembler::gprName):
2387         (JSC::X86Assembler::sprName):
2388         (JSC::X86Assembler::fprName):
2389         * jit/FPRInfo.h:
2390         (JSC::FPRInfo::debugName):
2391         * jit/GPRInfo.h:
2392         (JSC::GPRInfo::debugName):
2393         * jit/RegisterSet.cpp:
2394         (JSC::RegisterSet::reservedHardwareRegisters):
2395
2396 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2397
2398         [JSC] Introduce static symbols
2399         https://bugs.webkit.org/show_bug.cgi?id=158863
2400
2401         Reviewed by Darin Adler.
2402
2403         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
2404         As a result, we can share the same Symbol values between VMs and threads.
2405         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
2406
2407         * CMakeLists.txt:
2408         * JavaScriptCore.xcodeproj/project.pbxproj:
2409         * builtins/BuiltinNames.cpp: Added.
2410         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
2411
2412         * builtins/BuiltinNames.h:
2413         (JSC::BuiltinNames::BuiltinNames):
2414         * builtins/BuiltinUtils.h:
2415
2416 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
2417
2418         [FTL] Arguments elimination is suppressed by unreachable blocks
2419         https://bugs.webkit.org/show_bug.cgi?id=174352
2420
2421         Reviewed by Filip Pizlo.
2422
2423         If we do not execute `op_get_by_id`, our value profiling tells us it is unpredictable and DFG emits ForceOSRExit.
2424         The problem is that arguments elimination phase checks escaping even when ForceOSRExit precedes.
2425         Since GetById without information can escape arguments if it is specified, non-executed code including
2426         op_get_by_id with arguments can escape arguments.
2427
2428         For example,
2429
2430             function test(flag)
2431             {
2432                 if (flag) {
2433                     // This is not executed, but emits GetById with arguments.
2434                     // It prevents us from eliminating materialization.
2435                     return arguments.length;
2436                 }
2437                 return arguments.length;
2438             }
2439             noInline(test);
2440             while (true)
2441                 test(false);
2442
2443         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
2444         So this GetById exists and escapes arguments.
2445
2446         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
2447         If one is found, the following GetById does not escape arguments. Compared to performing AI, it is
2448         lightweight. But it catches many of the typical cases where we failed to perform arguments elimination.
2449
2450         * dfg/DFGArgumentsEliminationPhase.cpp:
2451         * dfg/DFGNode.h:
2452         (JSC::DFG::Node::isPseudoTerminal):
2453         * dfg/DFGValidate.cpp:
2454
2455 2017-07-20  Chris Dumez  <cdumez@apple.com>
2456
2457         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
2458         https://bugs.webkit.org/show_bug.cgi?id=174660
2459
2460         Reviewed by Geoffrey Garen.
2461
2462         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
2463         This essentially replaces a branch to figure out if the new size is less or greater than the
2464         current size by an assertion.
2465
2466         * b3/B3BasicBlockUtils.h:
2467         (JSC::B3::clearPredecessors):
2468         * b3/B3InferSwitches.cpp:
2469         * b3/B3LowerToAir.cpp:
2470         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
2471         * b3/B3ReduceStrength.cpp:
2472         * b3/B3SparseCollection.h:
2473         (JSC::B3::SparseCollection::packIndices):
2474         * b3/B3UseCounts.cpp:
2475         (JSC::B3::UseCounts::UseCounts):
2476         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2477         * b3/air/AirEmitShuffle.cpp:
2478         (JSC::B3::Air::emitShuffle):
2479         * b3/air/AirLowerAfterRegAlloc.cpp:
2480         (JSC::B3::Air::lowerAfterRegAlloc):
2481         * b3/air/AirOptimizeBlockOrder.cpp:
2482         (JSC::B3::Air::optimizeBlockOrder):
2483         * bytecode/Operands.h:
2484         (JSC::Operands::ensureLocals):
2485         * bytecode/PreciseJumpTargets.cpp:
2486         (JSC::computePreciseJumpTargetsInternal):
2487         * dfg/DFGBlockInsertionSet.cpp:
2488         (JSC::DFG::BlockInsertionSet::execute):
2489         * dfg/DFGBlockMapInlines.h:
2490         (JSC::DFG::BlockMap<T>::BlockMap):
2491         * dfg/DFGByteCodeParser.cpp:
2492         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
2493         (JSC::DFG::ByteCodeParser::clearCaches):
2494         * dfg/DFGDisassembler.cpp:
2495         (JSC::DFG::Disassembler::Disassembler):
2496         * dfg/DFGFlowIndexing.cpp:
2497         (JSC::DFG::FlowIndexing::recompute):
2498         * dfg/DFGGraph.cpp:
2499         (JSC::DFG::Graph::registerFrozenValues):
2500         * dfg/DFGInPlaceAbstractState.cpp:
2501         (JSC::DFG::setLiveValues):
2502         * dfg/DFGLICMPhase.cpp:
2503         (JSC::DFG::LICMPhase::run):
2504         * dfg/DFGLivenessAnalysisPhase.cpp:
2505         * dfg/DFGNaturalLoops.cpp:
2506         (JSC::DFG::NaturalLoops::NaturalLoops):
2507         * dfg/DFGStoreBarrierClusteringPhase.cpp:
2508         * ftl/FTLLowerDFGToB3.cpp:
2509         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2510         * heap/CodeBlockSet.cpp:
2511         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
2512         * heap/MarkedSpace.cpp:
2513         (JSC::MarkedSpace::sweepLargeAllocations):
2514         * inspector/ContentSearchUtilities.cpp:
2515         (Inspector::ContentSearchUtilities::findMagicComment):
2516         * interpreter/ShadowChicken.cpp:
2517         (JSC::ShadowChicken::update):
2518         * parser/ASTBuilder.h:
2519         (JSC::ASTBuilder::shrinkOperandStackBy):
2520         * parser/Lexer.h:
2521         (JSC::Lexer::setOffset):
2522         * runtime/RegExpInlines.h:
2523         (JSC::RegExp::matchInline):
2524         * runtime/RegExpPrototype.cpp:
2525         (JSC::genericSplit):
2526         * yarr/RegularExpression.cpp:
2527         (JSC::Yarr::RegularExpression::match):
2528
2529 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
2530
2531         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
2532         https://bugs.webkit.org/show_bug.cgi?id=174678
2533
2534         Reviewed by Mark Lam.
2535
2536         Use Thread& instead.
2537
2538         * runtime/JSLock.cpp:
2539         (JSC::JSLock::didAcquireLock):
2540
2541 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
2542
2543         [WTF] Implement WTF::ThreadGroup
2544         https://bugs.webkit.org/show_bug.cgi?id=174081
2545
2546         Reviewed by Mark Lam.
2547
2548         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2549         And SamplingProfiler and others interact with WTF::Thread directly.
2550
2551         * API/tests/ExecutionTimeLimitTest.cpp:
2552         * heap/MachineStackMarker.cpp:
2553         (JSC::MachineThreads::MachineThreads):
2554         (JSC::captureStack):
2555         (JSC::MachineThreads::tryCopyOtherThreadStack):
2556         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2557         (JSC::MachineThreads::gatherConservativeRoots):
2558         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2559         (JSC::ActiveMachineThreadsManager::add): Deleted.
2560         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2561         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2562         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2563         (JSC::activeMachineThreadsManager): Deleted.
2564         (JSC::MachineThreads::~MachineThreads): Deleted.
2565         (JSC::MachineThreads::addCurrentThread): Deleted.
2566         (): Deleted.
2567         (JSC::MachineThreads::removeThread): Deleted.
2568         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2569         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2570         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2571         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2572         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2573         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2574         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2575         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2576         * heap/MachineStackMarker.h:
2577         (JSC::MachineThreads::addCurrentThread):
2578         (JSC::MachineThreads::getLock):
2579         (JSC::MachineThreads::threads):
2580         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2581         (JSC::MachineThreads::MachineThread::resume): Deleted.
2582         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2583         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2584         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2585         (JSC::MachineThreads::threadsListHead): Deleted.
2586         * runtime/SamplingProfiler.cpp:
2587         (JSC::FrameWalker::isValidFramePointer):
2588         (JSC::SamplingProfiler::SamplingProfiler):
2589         (JSC::SamplingProfiler::takeSample):
2590         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2591         * runtime/SamplingProfiler.h:
2592         * wasm/WasmMachineThreads.cpp:
2593         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2594
2595 2017-07-18  Andy Estes  <aestes@apple.com>
2596
2597         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
2598         https://bugs.webkit.org/show_bug.cgi?id=174631
2599
2600         Reviewed by Tim Horton.
2601
2602         * Configurations/Base.xcconfig:
2603         * b3/B3FoldPathConstants.cpp:
2604         * b3/B3LowerMacros.cpp:
2605         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
2606         * dfg/DFGByteCodeParser.cpp:
2607         (JSC::DFG::ByteCodeParser::check):
2608         (JSC::DFG::ByteCodeParser::planLoad):
2609
2610 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
2611
2612         WTF::Thread should have the thread's stack bounds.
2613         https://bugs.webkit.org/show_bug.cgi?id=173975
2614
2615         Reviewed by Mark Lam.
2616
2617         There is a site in JSC that tries to walk another thread's stack.
2618         Currently, stack bounds are stored in WTFThreadData which is located
2619         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2620         We work around this situation by holding StackBounds in MachineThread in JSC,
2621         but StackBounds should be put in WTF::Thread instead.
2622
2623         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
2624         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
2625
2626         * heap/MachineStackMarker.cpp:
2627         (JSC::MachineThreads::MachineThread::MachineThread):
2628         (JSC::MachineThreads::MachineThread::captureStack):
2629         * heap/MachineStackMarker.h:
2630         (JSC::MachineThreads::MachineThread::stackBase):
2631         (JSC::MachineThreads::MachineThread::stackEnd):
2632         * runtime/VMTraps.cpp:
2633
2634 2017-07-18  Andy Estes  <aestes@apple.com>
2635
2636         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
2637         https://bugs.webkit.org/show_bug.cgi?id=174631
2638
2639         Reviewed by Sam Weinig.
2640
2641         * Configurations/Base.xcconfig:
2642
2643 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2644
2645         Web Inspector: Modernize InjectedScriptSource
2646         https://bugs.webkit.org/show_bug.cgi?id=173890
2647
2648         Reviewed by Brian Burg.
2649
2650         * inspector/InjectedScript.h:
2651         Reorder functions to be slightly better.
2652
2653         * inspector/InjectedScriptSource.js:
2654         - Convert to classes named InjectedScript and RemoteObject
2655         - Align InjectedScript's API with the wrapper C++ interfaces
2656         - Move some code to RemoteObject where appropriate (subtype, describe)
2657         - Move some code to helper functions (isPrimitiveValue, isDefined)
2658         - Refactor for readability and modern features
2659         - Remove some unused / unnecessary code
2660
2661 2017-07-18  Mark Lam  <mark.lam@apple.com>
2662
2663         Butterfly storage need not be initialized for indexing type Undecided.
2664         https://bugs.webkit.org/show_bug.cgi?id=174516
2665
2666         Reviewed by Saam Barati.
2667
2668         While it's not incorrect to initialize the butterfly storage when the
2669         indexingType is Undecided, it is inefficient as we'll end up initializing
2670         it again later when we convert the storage to a different indexingType.
2671         Some of our code already skips initializing Undecided butterflies.
2672         This patch makes it the consistent behavior everywhere.
2673
2674         * dfg/DFGSpeculativeJIT.cpp:
2675         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2676         * runtime/JSArray.cpp:
2677         (JSC::JSArray::tryCreateUninitializedRestricted):
2678         * runtime/JSArray.h:
2679         (JSC::JSArray::tryCreate):
2680         * runtime/JSObject.cpp:
2681         (JSC::JSObject::ensureLengthSlow):
2682
2683 2017-07-18  Saam Barati  <sbarati@apple.com>
2684
2685         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2686         https://bugs.webkit.org/show_bug.cgi?id=174515
2687         <rdar://problem/33358092>
2688
2689         Reviewed by Filip Pizlo.
2690
2691         AirLowerAfterRegAlloc was computing the set of available scratch
2692         registers incorrectly. It was always excluding callee save registers
2693         from the set of live registers. It did not guarantee that live callee save
2694         registers were not in the set of scratch registers that could
2695         get clobbered. That's incorrect as the shuffling code is free
2696         to overwrite whatever is in the scratch register it gets passed.
2697
2698         * b3/air/AirLowerAfterRegAlloc.cpp:
2699         (JSC::B3::Air::lowerAfterRegAlloc):
2700         * b3/testb3.cpp:
2701         (JSC::B3::functionNineArgs):
2702         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2703         (JSC::B3::run):
2704         * jit/RegisterSet.h:
2705
2706 2017-07-18  Andy Estes  <aestes@apple.com>
2707
2708         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2709         https://bugs.webkit.org/show_bug.cgi?id=174631
2710
2711         Reviewed by Dan Bernstein.
2712
2713         * Configurations/Base.xcconfig:
2714
2715 2017-07-18  Devin Rousso  <drousso@apple.com>
2716
2717         Web Inspector: Add memoryCost to Inspector Protocol objects
2718         https://bugs.webkit.org/show_bug.cgi?id=174478
2719
2720         Reviewed by Joseph Pecoraro.
2721
2722         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
2723         plus the memoryCost of the data if it is a string.
2724
2725         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2726
2727         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2728         key plus the memoryCost of the InspectorValue for each entry.
2729
2730         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2731
2732         * inspector/InspectorValues.h:
2733         * inspector/InspectorValues.cpp:
2734         (Inspector::InspectorValue::memoryCost):
2735         (Inspector::InspectorObjectBase::memoryCost):
2736         (Inspector::InspectorArrayBase::memoryCost):
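
The three memoryCost rules in the entry above, carried out on a small JSON-like value tree so the accounting can be checked. This is an added example, not JSC's InspectorValue implementation: the `Value` struct, the builder helpers, `stringDataCost` (assumed to be one byte per character) and the `withinBudget` check are all constructed here for illustration.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// A small JSON-like value tree standing in for Inspector protocol values.
// Constructed for this example; it is not JSC's InspectorValue.
struct Value {
    enum class Type { Null, Number, String, Array, Object };
    Type type = Type::Null;
    double number = 0;
    std::string string;
    std::vector<std::unique_ptr<Value>> array;
    std::vector<std::pair<std::string, std::unique_ptr<Value>>> object;
};

static std::unique_ptr<Value> makeNumber(double n)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Number;
    v->number = n;
    return v;
}

static std::unique_ptr<Value> makeString(std::string s)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::String;
    v->string = std::move(s);
    return v;
}

static std::unique_ptr<Value> makeArray(std::vector<std::unique_ptr<Value>> items)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Array;
    v->array = std::move(items);
    return v;
}

static std::unique_ptr<Value> makeObject(std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries)
{
    auto v = std::make_unique<Value>();
    v->type = Value::Type::Object;
    v->object = std::move(entries);
    return v;
}

// Assumption for this example: string data costs one byte per character, on
// top of the sizeof() of the node that owns it.
static size_t stringDataCost(const std::string& s) { return s.size(); }

// memoryCost following the three rules stated in the entry:
//   primitives: sizeof the node, plus the string data if it is a string
//   arrays:     sum of the memoryCost of all items
//   objects:    sum over entries of (key string cost + value memoryCost)
size_t memoryCost(const Value& v)
{
    switch (v.type) {
    case Value::Type::Array: {
        size_t total = 0;
        for (const auto& item : v.array)
            total += memoryCost(*item);
        return total;
    }
    case Value::Type::Object: {
        size_t total = 0;
        for (const auto& entry : v.object)
            total += stringDataCost(entry.first) + memoryCost(*entry.second);
        return total;
    }
    case Value::Type::String:
        return sizeof(Value) + stringDataCost(v.string);
    default:
        return sizeof(Value);
    }
}

// Constructed sample message: {"id": 42, "name": "probe", "tags": ["a", "bc"]}
std::unique_ptr<Value> sampleMessage()
{
    std::vector<std::unique_ptr<Value>> tags;
    tags.push_back(makeString("a"));
    tags.push_back(makeString("bc"));
    std::vector<std::pair<std::string, std::unique_ptr<Value>>> entries;
    entries.emplace_back("id", makeNumber(42));
    entries.emplace_back("name", makeString("probe"));
    entries.emplace_back("tags", makeArray(std::move(tags)));
    return makeObject(std::move(entries));
}

// Hand-computed cost of sampleMessage(): four leaf nodes, 10 bytes of keys
// ("id" + "name" + "tags") and 8 bytes of string data ("probe" + "a" + "bc").
size_t expectedSampleCost() { return 4 * sizeof(Value) + 18; }

// A caller that wants to bound what a protocol message may retain can compare
// the computed cost against a budget before keeping the value around.
bool withinBudget(const Value& v, size_t budgetBytes) { return memoryCost(v) <= budgetBytes; }
```

Under the rules as stated, an empty array or object contributes nothing, since only its items and entries are counted; the containing node's own size is only charged for non-container values.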
2737
2738 2017-07-18  Andy Estes  <aestes@apple.com>
2739
2740         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2741         https://bugs.webkit.org/show_bug.cgi?id=174631
2742
2743         Reviewed by Darin Adler.
2744
2745         * Configurations/Base.xcconfig:
2746
2747 2017-07-18  Michael Saboff  <msaboff@apple.com>
2748
2749         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2750         https://bugs.webkit.org/show_bug.cgi?id=174601
2751
2752         Reviewed by Alex Christensen.
2753
2754         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2755         objects after a regular expression has been compiled.
2756
2757         * runtime/Options.h:
2758         * yarr/YarrPattern.cpp:
2759         (JSC::Yarr::YarrPattern::compile):
2760         (JSC::Yarr::indentForNestingLevel):
2761         (JSC::Yarr::dumpUChar32):
2762         (JSC::Yarr::PatternAlternative::dump):
2763         (JSC::Yarr::PatternTerm::dumpQuantifier):
2764         (JSC::Yarr::PatternTerm::dump):
2765         (JSC::Yarr::PatternDisjunction::dump):
2766         (JSC::Yarr::YarrPattern::dumpPattern):
2767         * yarr/YarrPattern.h:
2768         (JSC::Yarr::YarrPattern::global):
2769
2770 2017-07-17  Darin Adler  <darin@apple.com>
2771
2772         Improve use of NeverDestroyed
2773         https://bugs.webkit.org/show_bug.cgi?id=174348
2774
2775         Reviewed by Sam Weinig.
2776
2777         * heap/MachineStackMarker.cpp:
2778         * wasm/WasmMemory.cpp:
2779         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2780         of NeverDestroyed.
2781
2782 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2783
2784         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2785         https://bugs.webkit.org/show_bug.cgi?id=174547
2786
2787         Reviewed by Alex Christensen.
2788
2789         * CMakeLists.txt:
2790         * shell/CMakeLists.txt:
2791
2792 2017-07-17  Saam Barati  <sbarati@apple.com>
2793
2794         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2795         https://bugs.webkit.org/show_bug.cgi?id=174584
2796
2797         Rubber stamped by Keith Miller.
2798
2799         I used it to diagnose a bug. The bug is now fixed. This custom
2800         RELEASE_ASSERT is no longer needed.
2801
2802         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2803
2804 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2805
2806         -Wformat-truncation warning in ConfigFile.cpp
2807         https://bugs.webkit.org/show_bug.cgi?id=174506
2808
2809         Reviewed by Darin Adler.
2810
2811         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2812         return ParseError.
2813
2814         * runtime/ConfigFile.cpp:
2815         (JSC::ConfigFile::parse):
2816
2817 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2818
2819         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2820         https://bugs.webkit.org/show_bug.cgi?id=174557
2821
2822         Reviewed by Michael Catanzaro.
2823
2824         * CMakeLists.txt:
2825
2826 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2827
2828         [WTF] Use std::unique_ptr for StackTrace
2829         https://bugs.webkit.org/show_bug.cgi?id=174495
2830
2831         Reviewed by Alex Christensen.
2832
2833         * runtime/ExceptionScope.cpp:
2834         (JSC::ExceptionScope::unexpectedExceptionMessage):
2835         * runtime/VM.cpp:
2836         (JSC::VM::throwException):
2837
2838 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2839
2840         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2841         https://bugs.webkit.org/show_bug.cgi?id=174423
2842
2843         Reviewed by Saam Barati.
2844
2845         * dfg/DFGAvailabilityMap.cpp:
2846         (JSC::DFG::AvailabilityMap::pruneHeap):
2847         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2848
2849 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2850
2851         Fix compiler warnings when building with GCC 7
2852         https://bugs.webkit.org/show_bug.cgi?id=174463
2853
2854         Reviewed by Darin Adler.
2855
2856         * disassembler/udis86/udis86_decode.c:
2857         (decode_operand):
2858
2859 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2860
2861         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2862         https://bugs.webkit.org/show_bug.cgi?id=174467
2863
2864         Reviewed by Saam Barati.
2865
2866         * bytecode/CallLinkInfo.cpp:
2867         (JSC::CallLinkInfo::callTypeFor):
2868
2869 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2870
2871         Web Inspector: Remove unused and untested Page domain commands
2872         https://bugs.webkit.org/show_bug.cgi?id=174429
2873
2874         Reviewed by Timothy Hatcher.
2875
2876         * inspector/protocol/Page.json:
2877
2878 2017-07-13  Saam Barati  <sbarati@apple.com>
2879
2880         Missing exception check in JSObject::hasInstance
2881         https://bugs.webkit.org/show_bug.cgi?id=174455
2882         <rdar://problem/31384608>
2883
2884         Reviewed by Mark Lam.
2885
2886         * runtime/JSObject.cpp:
2887         (JSC::JSObject::hasInstance):
2888
2889 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2890
2891         [ESnext] Implement Object Spread
2892         https://bugs.webkit.org/show_bug.cgi?id=167963
2893
2894         Reviewed by Saam Barati.
2895
2896         This patch implements the ECMA262 stage 3 Object Spread proposal [1].
2897         It's implemented using CopyDataPropertiesNoExclusions to copy
2898         all enumerable keys from the object being spread. The implementation of
2899         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2900         implementation, however we don't receive excludedNames as a parameter.
2901
2902         [1] - https://github.com/tc39/proposal-object-rest-spread
2903
2904         * builtins/GlobalOperations.js:
2905         (globalPrivate.copyDataPropertiesNoExclusions):
2906         * bytecompiler/BytecodeGenerator.cpp:
2907         (JSC::BytecodeGenerator::emitLoad):
2908         * bytecompiler/NodesCodegen.cpp:
2909         (JSC::PropertyListNode::emitBytecode):
2910         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2911         * parser/ASTBuilder.h:
2912         (JSC::ASTBuilder::createObjectSpreadExpression):
2913         (JSC::ASTBuilder::createProperty):
2914         * parser/NodeConstructors.h:
2915         (JSC::PropertyNode::PropertyNode):
2916         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2917         * parser/Nodes.h:
2918         (JSC::ObjectSpreadExpressionNode::expression):
2919         * parser/Parser.cpp:
2920         (JSC::Parser<LexerType>::parseProperty):
2921         * parser/SyntaxChecker.h:
2922         (JSC::SyntaxChecker::createObjectSpreadExpression):
2923         (JSC::SyntaxChecker::createProperty):
2924
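        The semantics the entry above describes, as an added example that is not part of this ChangeLog or of
        JavaScriptCore's builtins: a plain-JavaScript model of the CopyDataProperties abstract operation that
        object spread (and object rest, which is the variant with excludedNames) relies on. The function names
        `copyDataProperties`, `spreadModel` and `sample` are illustrative, and the sample object is constructed
        here to exercise the edge cases a spread must respect: only own enumerable keys (strings and symbols)
        are copied, inherited and non-enumerable properties are skipped, accessors are read once and stored as
        data properties, and null/undefined sources contribute nothing.

```javascript
// Added example, not JavaScriptCore code. Models the CopyDataProperties
// (target, source, excludedNames) abstract operation that object spread and
// object rest are specified in terms of. Names are illustrative.
function copyDataProperties(target, source, excludedNames = []) {
  // {...null} and {...undefined} contribute nothing.
  if (source === null || source === undefined) return target;
  const from = Object(source);
  // Own keys only (string keys first, then symbols), in spec order.
  // The prototype chain is never consulted.
  for (const key of Reflect.ownKeys(from)) {
    if (excludedNames.includes(key)) continue; // object rest uses this; spread passes none
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (!desc || !desc.enumerable) continue;   // non-enumerable own properties are skipped
    // [[Get]] runs here, so an accessor is evaluated exactly once and its
    // result lands on the target as an ordinary writable data property
    // (CreateDataProperty), never as a copied getter.
    Object.defineProperty(target, key, {
      value: from[key], writable: true, enumerable: true, configurable: true,
    });
  }
  return target;
}

// Equivalent of `{...a, ...b, ...}` built on the model above.
function spreadModel(...sources) {
  const result = {};
  for (const source of sources) copyDataProperties(result, source);
  return result;
}

// Constructed sample input: inherited, non-enumerable, accessor, plain and symbol keys.
function sample() {
  const sym = Symbol('s');
  const proto = { inherited: 1 };
  const src = Object.create(proto, {
    hidden: { value: 'no', enumerable: false },
  });
  let getterCalls = 0;
  Object.defineProperty(src, 'computed', {
    enumerable: true,
    get() { getterCalls += 1; return 'value'; },
  });
  src.plain = 'p';
  src[sym] = 'symbol';
  return { src, sym, getterCalls: () => getterCalls };
}
```

        Running `spreadModel(src)` next to the engine's own `{ ...src }` yields the same own keys in the same
        order, and `copyDataProperties({}, obj, ['a'])` shows the only difference between the two operations
        the entry names: the excluded-names list that object rest supplies and object spread omits.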
2925 2017-07-12  Mark Lam  <mark.lam@apple.com>
2926
2927         Gardening: build fix after r219434.
2928         https://bugs.webkit.org/show_bug.cgi?id=174441
2929
2930         Not reviewed.
2931
2932         Make public some MacroAssembler functions that are needed by the probe implementation.
2933
2934         * assembler/MacroAssemblerARM.h:
2935         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2936         * assembler/MacroAssemblerARMv7.h:
2937         (JSC::MacroAssemblerARMv7::linkCall):
2938
2939 2017-07-12  Mark Lam  <mark.lam@apple.com>
2940
2941         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2942         https://bugs.webkit.org/show_bug.cgi?id=174441
2943
2944         Reviewed by Saam Barati.
2945
2946         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2947         to MacroAssembler.  There is no code behavior change.
2948
2949         * assembler/AbstractMacroAssembler.h:
2950         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2951         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2952         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2953         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2954         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2955         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2956         * assembler/MacroAssembler.h:
2957         (JSC::MacroAssembler::CPUState::gprName):
2958         (JSC::MacroAssembler::CPUState::fprName):
2959         (JSC::MacroAssembler::CPUState::gpr):
2960         (JSC::MacroAssembler::CPUState::fpr):
2961         * assembler/MacroAssemblerARM.cpp:
2962         (JSC::MacroAssembler::probe):
2963         (JSC::MacroAssemblerARM::probe): Deleted.
2964         * assembler/MacroAssemblerARM.h:
2965         * assembler/MacroAssemblerARM64.cpp:
2966         (JSC::MacroAssembler::probe):
2967         (JSC::MacroAssemblerARM64::probe): Deleted.
2968         * assembler/MacroAssemblerARM64.h:
2969         * assembler/MacroAssemblerARMv7.cpp:
2970         (JSC::MacroAssembler::probe):
2971         (JSC::MacroAssemblerARMv7::probe): Deleted.
2972         * assembler/MacroAssemblerARMv7.h:
2973         * assembler/MacroAssemblerMIPS.h:
2974         * assembler/MacroAssemblerX86Common.cpp:
2975         (JSC::MacroAssembler::probe):
2976         (JSC::MacroAssemblerX86Common::probe): Deleted.
2977         * assembler/MacroAssemblerX86Common.h:
2978
2979 2017-07-12  Saam Barati  <sbarati@apple.com>
2980
2981         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2982         https://bugs.webkit.org/show_bug.cgi?id=174411
2983         <rdar://problem/31696186>
2984
2985         Reviewed by Mark Lam.
2986
2987         The code for deleting an argument was incorrectly referencing state
2988         when it decided if it should unmap or mark a property as having its
2989         descriptor modified. This patch fixes the bug where if we delete a
2990         property, we would sometimes not unmap an argument when deleting it.
2991
2992         * runtime/GenericArgumentsInlines.h:
2993         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2994         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2995         (JSC::GenericArguments<Type>::deleteProperty):
2996         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2997
2998 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2999
3000         Unreviewed, rolling out r219176.
3001         https://bugs.webkit.org/show_bug.cgi?id=174436
3002
3003         "Can cause infinite recursion on iOS" (Requested by mlam on
3004         #webkit).
3005
3006         Reverted changeset:
3007
3008         "WTF::Thread should have the threads stack bounds."
3009         https://bugs.webkit.org/show_bug.cgi?id=173975
3010         http://trac.webkit.org/changeset/219176
3011
3012 2017-07-12  Matt Lewis  <jlewis3@apple.com>
3013
3014         Unreviewed, rolling out r219401.
3015
3016         This revision rolled out the previous patch, but after talking
3017         with the reviewer, a rebaseline is what was needed. Rolling back in
3018         before rebaseline.
3019
3020         Reverted changeset:
3021
3022         "Unreviewed, rolling out r219379."
3023         https://bugs.webkit.org/show_bug.cgi?id=174400
3024         http://trac.webkit.org/changeset/219401
3025
3026 2017-07-12  Matt Lewis  <jlewis3@apple.com>
3027
3028         Unreviewed, rolling out r219379.
3029
3030         This revision caused a consistent failure in the test
3031         fast/dom/Window/property-access-on-cached-window-after-frame-
3032         removed.html.
3033
3034         Reverted changeset:
3035
3036         "Remove NAVIGATOR_HWCONCURRENCY"
3037         https://bugs.webkit.org/show_bug.cgi?id=174400
3038         http://trac.webkit.org/changeset/219379
3039
3040 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
3041
3042         Wrong radix used in Unicode Escape in invalid character error message
3043         https://bugs.webkit.org/show_bug.cgi?id=174419
3044
3045         Reviewed by Alex Christensen.
3046
3047         * parser/Lexer.cpp:
3048         (JSC::Lexer<T>::invalidCharacterMessage):
3049
3050 2017-07-11  Dean Jackson  <dino@apple.com>
3051
3052         Remove NAVIGATOR_HWCONCURRENCY
3053         https://bugs.webkit.org/show_bug.cgi?id=174400
3054
3055         Reviewed by Sam Weinig.
3056
3057         * Configurations/FeatureDefines.xcconfig:
3058
3059 2017-07-11  Dean Jackson  <dino@apple.com>
3060
3061         Rolling out r219372.
3062
3063         * Configurations/FeatureDefines.xcconfig:
3064
3065 2017-07-11  Dean Jackson  <dino@apple.com>
3066
3067         Remove NAVIGATOR_HWCONCURRENCY
3068         https://bugs.webkit.org/show_bug.cgi?id=174400
3069
3070         Reviewed by Sam Weinig.
3071
3072         * Configurations/FeatureDefines.xcconfig:
3073
3074 2017-07-11  Saam Barati  <sbarati@apple.com>
3075
3076         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
3077         https://bugs.webkit.org/show_bug.cgi?id=174397
3078
3079         Rubber stamped by David Kilzer.
3080
3081         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
3082         * wasm/js/WebAssemblyFunctionCell.h: Removed.
3083
3084 2017-07-10  Saam Barati  <sbarati@apple.com>
3085
3086         Allocation sinking phase should consider a CheckStructure that would fail as an escape
3087         https://bugs.webkit.org/show_bug.cgi?id=174321
3088         <rdar://problem/32604963>
3089
3090         Reviewed by Filip Pizlo.
3091
3092         When the allocation sinking phase was generating stores to materialize
3093         objects in a cycle with each other, it would assume that each materialized
3094         object had a valid, non-empty, set of structures. This is an OK assumption for
3095         the phase to make because how do you materialize an object with no structure?
3096         
3097         The abstract interpretation part of the phase will model what's in the heap.
3098         However, it would sometimes model that a CheckStructure would fail. The phase
3099         did nothing special for this; it just stored the empty set of structures for
3100         its representation of a particular allocation. However, what the phase proved
3101         in such a scenario is that, had the CheckStructure executed, it would have exited.
3102         
3103         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
3104         This will cause the allocation in question to be materialized just before
3105         the CheckStructure, and then at execution time, the CheckStructure will exit.
3106         
3107         I wasn't able to write a test case for this. However, I was able to reproduce
3108         this crash by manually editing the IR. I've opened a separate bug to help us
3109         create a testing framework for writing tests for hard to reproduce bugs like this:
3110         https://bugs.webkit.org/show_bug.cgi?id=174322
3111
3112         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3113
3114 2017-07-10  Devin Rousso  <drousso@apple.com>
3115
3116         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
3117         https://bugs.webkit.org/show_bug.cgi?id=174279
3118
3119         Reviewed by Matt Baker.
3120
3121         * inspector/protocol/DOM.json:
3122         Add `highlightNodeList` command that will highlight each node in the given list.
3123
3124 2017-07-03  Brian Burg  <bburg@apple.com>
3125
3126         Web Replay: remove some unused code
3127         https://bugs.webkit.org/show_bug.cgi?id=173903
3128
3129         Rubber-stamped by Joseph Pecoraro.
3130
3131         * CMakeLists.txt:
3132         * Configurations/FeatureDefines.xcconfig:
3133         * DerivedSources.make:
3134         * JavaScriptCore.xcodeproj/project.pbxproj:
3135         * inspector/protocol/Replay.json: Removed.
3136         * replay/EmptyInputCursor.h: Removed.
3137         * replay/EncodedValue.cpp: Removed.
3138         * replay/EncodedValue.h: Removed.
3139         * replay/InputCursor.h: Removed.
3140         * replay/JSInputs.json: Removed.
3141         * replay/NondeterministicInput.h: Removed.
3142         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
3143         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
3144         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
3145         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
3146         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
3147         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
3148         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
3149         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
3150         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
3151         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
3152         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
3153         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
3154         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
3155         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
3156         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
3157         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
3158         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
3159         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
3160         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
3161         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
3162         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
3163         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
3164         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
3165         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
3166         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
3167         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
3168         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
3169         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
3170         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
3171         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
3172         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
3173         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
3174         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
3175         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
3176         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
3177         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
3178         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
3179         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
3180         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
3181         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
3182         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
3183         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
3184         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
3185         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
3186         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
3187         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
3188         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
3189         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
3190         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
3191         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
3192         * replay/scripts/tests/generate-input-with-guard.json: Removed.
3193         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
3194         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
3195         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
3196         * runtime/DateConstructor.cpp:
3197         (JSC::constructDate):
3198         (JSC::dateNow):
3199         (JSC::deterministicCurrentTime): Deleted.
3200         * runtime/JSGlobalObject.cpp:
3201         (JSC::JSGlobalObject::JSGlobalObject):
3202         (JSC::JSGlobalObject::setInputCursor): Deleted.
3203         * runtime/JSGlobalObject.h:
3204         (JSC::JSGlobalObject::inputCursor): Deleted.
3205
3206 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
3207
3208         Move make-js-file-arrays.py from WebCore to JavaScriptCore
3209         https://bugs.webkit.org/show_bug.cgi?id=174024
3210
3211         Reviewed by Michael Catanzaro.
3212
3213         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
3214         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
3215         Added command line option to pass the namespace to use instead of using WebCore.
3216
3217         * JavaScriptCore.xcodeproj/project.pbxproj:
3218         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
3219         (main):
3220
3221 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3222
3223         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
3224         https://bugs.webkit.org/show_bug.cgi?id=174296
3225
3226         Reviewed by Mark Lam.
3227
3228         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
3229         It caused a problem in scanning template literals. While template literals normalize
3230         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
3231         To handle it correctly, LineNumberAdder was introduced.
3232
3233         As of r219263, <LF><CR> is counted as two line terminators, so we do not need to have
3234         LineNumberAdder. Let's just use shiftLineTerminator() instead.
3235
3236         * parser/Lexer.cpp:
3237         (JSC::Lexer<T>::parseTemplateLiteral):
3238         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
3239         (JSC::LineNumberAdder::clear): Deleted.
3240         (JSC::LineNumberAdder::add): Deleted.
3241
3242 2017-07-09  Dan Bernstein  <mitz@apple.com>
3243
3244         [Xcode] ICU headers aren’t treated as system headers after r219155
3245         https://bugs.webkit.org/show_bug.cgi?id=174299
3246
3247         Reviewed by Sam Weinig.
3248
3249         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
3250           C++ compilers.
3251
3252         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
3253         * runtime/IntlDateTimeFormat.cpp: Ditto.
3254         * runtime/JSGlobalObject.cpp: Ditto.
3255         * runtime/StringPrototype.cpp: Ditto.
3256
3257 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
3258
3259         [JSC] Use fastMalloc / fastFree for STL containers
3260         https://bugs.webkit.org/show_bug.cgi?id=174297
3261
3262         Reviewed by Sam Weinig.
3263
3264         In some places, we intentionally use STL containers over WTF containers.
3265         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
3266         because we do not have effective empty / deleted representations in the space of the key's values.
3267         But just using STL containers means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
3268
3269         We introduce WTF::FastAllocator. This is a C++ allocator implementation using fastMalloc and fastFree.
3270         We specify this allocator as the STL containers' allocator template parameter so they allocate memory from fastMalloc.
3271
3272         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
3273         without compromising memory allocation throughput.
3274
3275         * dfg/DFGGraph.h:
3276         * dfg/DFGIntegerCheckCombiningPhase.cpp:
3277         * ftl/FTLLowerDFGToB3.cpp:
3278         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
3279         * runtime/FunctionHasExecutedCache.h:
3280         * runtime/TypeLocationCache.h:
3281
3282 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
3283
3284         Drop NOSNIFF compile flag
3285         https://bugs.webkit.org/show_bug.cgi?id=174289
3286
3287         Reviewed by Michael Catanzaro.
3288
3289         * Configurations/FeatureDefines.xcconfig:
3290
3291 2017-07-07  AJ Ringer  <aringer@apple.com>
3292
3293         Lower the max_protection for the separated heap
3294         https://bugs.webkit.org/show_bug.cgi?id=174281
3295
3296         Reviewed by Oliver Hunt.
3297
3298         Switch to vm_protect so we can set maximum page protection.
3299
3300         * jit/ExecutableAllocator.cpp:
3301         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
3302         (JSC::ExecutableAllocator::allocate):
3303
3304 2017-07-07  Devin Rousso  <drousso@apple.com>
3305
3306         Web Inspector: Show all elements currently using a given CSS Canvas
3307         https://bugs.webkit.org/show_bug.cgi?id=173965
3308
3309         Reviewed by Joseph Pecoraro.
3310
3311         * inspector/protocol/Canvas.json:
3312          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
3313            canvas via -webkit-canvas.
3314          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
3315            added/removed from the list of -webkit-canvas clients.
3316
3317 2017-07-07  Mark Lam  <mark.lam@apple.com>
3318
3319         \n\r is not the same as \r\n.
3320         https://bugs.webkit.org/show_bug.cgi?id=173053
3321
3322         Reviewed by Keith Miller.
3323
3324         * parser/Lexer.cpp:
3325         (JSC::Lexer<T>::shiftLineTerminator):
3326         (JSC::LineNumberAdder::add):
3327
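        The line-terminator rule behind the entry above and the r219263 follow-up (the LineNumberAdder removal
        dated 2017-07-09), as an added example that is not JavaScriptCore's lexer: ECMA-262 defines
        LineTerminatorSequence as <LF>, <CR> not followed by <LF>, <LS>, <PS>, or <CR><LF>, so <CR><LF> is
        one terminator while <LF><CR> is two. Template literals additionally cook <CR><LF> and lone <CR> to
        <LF>, which is the normalization the 2017-07-09 entry refers to. The helper names `splitLines`,
        `lineOf` and `cookTemplateText` are illustrative, and the sample strings are constructed here.

```javascript
// Added example, not JavaScriptCore's Lexer. Implements the ECMA-262
// LineTerminatorSequence rule and template-literal cooking of line
// terminators. Function names are illustrative.
const LF = 0x0a, CR = 0x0d, LS = 0x2028, PS = 0x2029;

function isLineTerminator(code) {
  return code === LF || code === CR || code === LS || code === PS;
}

// Length (1 or 2) of the LineTerminatorSequence starting at index i, or 0
// when the character there is not a line terminator.
function lineTerminatorLength(source, i) {
  const c = source.charCodeAt(i);
  if (!isLineTerminator(c)) return 0;
  // <CR><LF> is a single sequence. <LF><CR> is not special-cased, so the
  // caller sees <LF> now and a separate <CR> on the next iteration.
  if (c === CR && source.charCodeAt(i + 1) === LF) return 2;
  return 1;
}

// Splits source into lines exactly as a lexer would count them:
// "a\r\nb" is 2 lines, "a\n\rb" is 3 lines (the middle one empty).
function splitLines(source) {
  const lines = [];
  let start = 0;
  for (let i = 0; i < source.length; ) {
    const n = lineTerminatorLength(source, i);
    if (n === 0) { i += 1; continue; }
    lines.push(source.slice(start, i));
    i += n;
    start = i;
  }
  lines.push(source.slice(start));
  return lines;
}

// 1-based line number of the character at `offset`, the value an error
// message or source map would report for it.
function lineOf(source, offset) {
  return splitLines(source.slice(0, offset)).length;
}

// Template Value cooking of line terminators: <CR><LF> and a lone <CR>
// become <LF>; <LF>, <LS> and <PS> pass through. Note that "\n\r" cooks
// to "\n\n" (two terminators), whereas "\r\n" cooks to a single "\n".
function cookTemplateText(raw) {
  let out = '';
  for (let i = 0; i < raw.length; ) {
    const n = lineTerminatorLength(raw, i);
    if (n && raw.charCodeAt(i) === CR) { out += '\n'; i += n; continue; }
    out += raw[i];
    i += 1;
  }
  return out;
}
```

        `cookTemplateText` agrees with what the engine itself produces for a template literal containing raw
        line terminators, and `lineOf` shows the count that must stay in step with it: after "a\n\r" the next
        character is on line 3, after "a\r\n" it is on line 2, which is why a lexer that merged <LF><CR> into
        one terminator needed a separate correction.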
3328 2017-07-07  Commit Queue  <commit-queue@webkit.org>
3329
3330         Unreviewed, rolling out r219238, r219239, and r219241.
3331         https://bugs.webkit.org/show_bug.cgi?id=174265
3332
3333         "fast/workers/dedicated-worker-lifecycle.html is flaky"
3334         (Requested by yusukesuzuki on #webkit).
3335
3336         Reverted changesets:
3337
3338         "[WTF] Implement WTF::ThreadGroup"
3339         https://bugs.webkit.org/show_bug.cgi?id=174081
3340         http://trac.webkit.org/changeset/219238
3341
3342         "Unreviewed, build fix after r219238"
3343         https://bugs.webkit.org/show_bug.cgi?id=174081
3344         http://trac.webkit.org/changeset/219239
3345
3346         "Unreviewed, CLoop build fix after r219238"
3347         https://bugs.webkit.org/show_bug.cgi?id=174081
3348         http://trac.webkit.org/changeset/219241
3349
3350 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
3351
3352         Unreviewed, CLoop build fix after r219238
3353         https://bugs.webkit.org/show_bug.cgi?id=174081
3354
3355         * heap/MachineStackMarker.cpp:
3356
3357 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
3358
3359         [WTF] Implement WTF::ThreadGroup
3360         https://bugs.webkit.org/show_bug.cgi?id=174081
3361
3362         Reviewed by Mark Lam.
3363
3364         Large part of MachineThreads are now removed and replaced with WTF::ThreadGroup.
3365         And SamplingProfiler and others interact with WTF::Thread directly.
3366
3367         * API/tests/ExecutionTimeLimitTest.cpp:
3368         * heap/MachineStackMarker.cpp:
3369         (JSC::MachineThreads::MachineThreads):
3370         (JSC::captureStack):
3371         (JSC::MachineThreads::tryCopyOtherThreadStack):
3372         (JSC::MachineThreads::tryCopyOtherThreadStacks):
3373         (JSC::MachineThreads::gatherConservativeRoots):
3374         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
3375         (JSC::ActiveMachineThreadsManager::add): Deleted.
3376         (JSC::ActiveMachineThreadsManager::remove): Deleted.
3377         (JSC::ActiveMachineThreadsManager::contains): Deleted.
3378         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
3379         (JSC::activeMachineThreadsManager): Deleted.
3380         (JSC::MachineThreads::~MachineThreads): Deleted.
3381         (JSC::MachineThreads::addCurrentThread): Deleted.
3382         (): Deleted.
3383         (JSC::MachineThreads::removeThread): Deleted.
3384         (JSC::MachineThreads::removeThreadIfFound): Deleted.
3385         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
3386         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
3387         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
3388         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
3389         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
3390         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
3391         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
3392         * heap/MachineStackMarker.h:
3393         (JSC::MachineThreads::addCurrentThread):
3394         (JSC::MachineThreads::getLock):
3395         (JSC::MachineThreads::threads):
3396         (JSC::MachineThreads::MachineThread::suspend): Deleted.
3397         (JSC::MachineThreads::MachineThread::resume): Deleted.