[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
2017-08-21  Mark Lam  <mark.lam@apple.com>

        Change probe code to use static_assert instead of COMPILE_ASSERT.
        https://bugs.webkit.org/show_bug.cgi?id=175762

        Reviewed by JF Bastien.

        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Make generate_offset_extractor.rb architectures argument more robust
        https://bugs.webkit.org/show_bug.cgi?id=175809

        Reviewed by Joseph Pecoraro.

        It turns out that some of our builders pass their architectures as
        space-separated lists.  I decided to just make the splitting of
        our list robust to any reasonable combination of spaces and
        commas.

        * offlineasm/generate_offset_extractor.rb:

2017-08-21  Keith Miller  <keith_miller@apple.com>

        Only generate offline asm for the ARCHS (xcodebuild) or the current system (CMake)
        https://bugs.webkit.org/show_bug.cgi?id=175690

        Reviewed by Michael Saboff.

        This should reduce some of the time we spend building offline asm
        in our builds (except for linux since they already did this).

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * offlineasm/backends.rb:
        * offlineasm/generate_offset_extractor.rb:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Gardening: fix CLoop build.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Not reviewed.

        Make these files dependent on ENABLE(MASM_PROBE).

        * assembler/ProbeContext.cpp:
        * assembler/ProbeContext.h:
        * assembler/ProbeStack.cpp:
        * assembler/ProbeStack.h:

2017-08-20  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to allow the probe function to resize the stack frame and alter stack data in one pass.
        https://bugs.webkit.org/show_bug.cgi?id=175688
        <rdar://problem/33436870>

        Reviewed by JF Bastien.

        With this patch, the clients of the MacroAssembler::probe() can now change
        stack values without having to worry about whether there is enough room in the
        current stack frame for it or not.  This is done using the Probe::Context's stack
        member like so:

            jit.probe([] (Probe::Context& context) {
                auto& cpu = context.cpu;
                auto& stack = context.stack();
                uintptr_t* currentSP = cpu.sp<uintptr_t*>();

                // Get a value at the current stack pointer location.
                auto value = stack.get<uintptr_t>(currentSP);

                // Set a value above the current stack pointer (within current frame).
                stack.set<uintptr_t>(currentSP + 10, value);

                // Set a value below the current stack pointer (out of current frame).
                stack.set<uintptr_t>(currentSP - 10, value);

                // Set the new stack pointer.
                cpu.sp() = currentSP - 20;
            });

        What happens behind the scenes:

        1. the generated JIT probe code will now call Probe::executeProbe(), and
           Probe::executeProbe() will in turn call the client's probe function.

           Probe::executeProbe() receives the Probe::State on the machine stack passed
           to it by the probe trampoline.  Probe::executeProbe() will instantiate a
           Probe::Context to be passed to the client's probe function.  The client will
           no longer see the Probe::State directly.

        2. The Probe::Context comes with a Probe::Stack which serves as a manager of
           stack pages.  Currently, each page is 1K in size.
           Probe::Context::stack() returns a reference to an instance of Probe::Stack.

        3. Invoking get() or set() on Probe::Stack with an address will lead to the
           following:

           a. the address will be decoded to a baseAddress that points to the 1K page
              that contains that address.

           b. the Probe::Stack will check if it already has a cached 1K page for that baseAddress.
              If so, go to step (f).  Else, continue with step (c).

           c. the Probe::Stack will malloc a 1K mirror page, and memcpy the 1K stack page
              for that specified baseAddress to this mirror page.

           d. the mirror page will be added to the ProbeStack's m_pages HashMap,
              keyed on the baseAddress.

           e. the ProbeStack will also cache the last baseAddress and its corresponding
              mirror page in use.  With memory accesses tending to be localized, this
              will save us from having to look up the page in the HashMap.

           f. get() will map the requested address to a physical address in the mirror
              page, and return the value at that location.

           g. set() will map the requested address to a physical address in the mirror
              page, and set the value at that location in the mirror page.

              set() will also set a dirty bit corresponding to the "cache line" that
              was modified in the mirror page.

        4. When the client's probe function returns, Probe::executeProbe() will check if
           there are stack changes that need to be applied.  If stack changes are needed:

           a. Probe::executeProbe() will adjust the stack pointer to ensure enough stack
              space is available to flush the dirty stack pages.  It will also register a
              flushStackDirtyPages callback function in the Probe::State.  Thereafter,
              Probe::executeProbe() returns to the probe trampoline.

           b. the probe trampoline adjusts the stack pointer, moves the Probe::State to
              a safe place if needed, and then calls the flushStackDirtyPages callback
              if needed.

           c. the flushStackDirtyPages() callback iterates the Probe::Stack's m_pages
              HashMap and flushes all dirty "cache lines" to the machine stack.
              Thereafter, flushStackDirtyPages() returns to the probe trampoline.

           d. lastly, the probe trampoline will restore all register values and return
              to the pc set in the Probe::State.

        To make this patch work, I also had to do the following work:

        5. Refactor MacroAssembler::CPUState into Probe::CPUState.
           Mainly, this means moving the code over to ProbeContext.h.
           I also added some convenience accessor methods for spr registers.

           Moved Probe::Context over to its own file ProbeContext.h/cpp.

        6. Fix all probe trampolines to pass the address of Probe::executeProbe in
           addition to the client's probe function and arg.

           I also took this opportunity to optimize the generated JIT probe code to
           minimize the amount of memory stores needed.

        7. Simplified the ARM64 probe trampoline.  The ARM64 probe only supports changing
           either lr or pc (or neither), but not both in the same probe invocation.
           The ARM64 probe trampoline used to have to check for this invariant in the
           assembly trampoline code.  With the introduction of Probe::executeProbe(),
           we can now do it there and simplify the trampoline.

        8. Fix a bug in the old ARM64 probe trampoline for the case where the client
           changes lr.  That code path never worked before, but has now been fixed.

        9. Removed trustedImm32FromPtr() helper functions in MacroAssemblerARM and
           MacroAssemblerARMv7.

           We can now use move() with TrustedImmPtr, and it does the same thing but in a
           more generic way.

       10. ARMv7's move() emitter may encode a T1 move instruction, which happens to have
           the same semantics as movs (according to the Thumb spec).  This means these
           instructions may trash the APSR flags before we have a chance to preserve them.

           This patch changes MacroAssemblerARMv7's probe() to preserve the APSR register
           early on.  This entails adding support for the mrs instruction in the
           ARMv7Assembler.

       11. Change testmasm's testProbeModifiesStackValues() to now modify stack values
           the easy way.

           Also fixed testmasm tests which check flag registers to only compare the
           portions that are modifiable by the client i.e. some masking is applied.

        This patch has passed the testmasm tests on x86, x86_64, arm64, and armv7.

        * CMakeLists.txt:
        * JavaScriptCore.xcodeproj/project.pbxproj:
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::mrs):
        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::MacroAssembler::CPUState::gprName): Deleted.
        (JSC::MacroAssembler::CPUState::sprName): Deleted.
        (JSC::MacroAssembler::CPUState::fprName): Deleted.
        (JSC::MacroAssembler::CPUState::gpr): Deleted.
        (JSC::MacroAssembler::CPUState::spr): Deleted.
        (JSC::MacroAssembler::CPUState::fpr): Deleted.
        (JSC:: const): Deleted.
        (JSC::MacroAssembler::CPUState::fpr const): Deleted.
        (JSC::MacroAssembler::CPUState::pc): Deleted.
        (JSC::MacroAssembler::CPUState::fp): Deleted.
        (JSC::MacroAssembler::CPUState::sp): Deleted.
        (JSC::MacroAssembler::CPUState::pc const): Deleted.
        (JSC::MacroAssembler::CPUState::fp const): Deleted.
        (JSC::MacroAssembler::CPUState::sp const): Deleted.
        (JSC::Probe::State::gpr): Deleted.
        (JSC::Probe::State::spr): Deleted.
        (JSC::Probe::State::fpr): Deleted.
        (JSC::Probe::State::gprName): Deleted.
        (JSC::Probe::State::sprName): Deleted.
        (JSC::Probe::State::fprName): Deleted.
        (JSC::Probe::State::pc): Deleted.
        (JSC::Probe::State::fp): Deleted.
        (JSC::Probe::State::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::MacroAssembler::probe):
        (JSC::arm64ProbeError): Deleted.
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::armV7Condition):
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr): Deleted.
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::ctiMasmProbeTrampoline):
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/ProbeContext.cpp: Added.
        (JSC::Probe::executeProbe):
        (JSC::Probe::handleProbeStackInitialization):
        (JSC::Probe::probeStateForContext):
        * assembler/ProbeContext.h: Added.
        (JSC::Probe::CPUState::gprName):
        (JSC::Probe::CPUState::sprName):
        (JSC::Probe::CPUState::fprName):
        (JSC::Probe::CPUState::gpr):
        (JSC::Probe::CPUState::spr):
        (JSC::Probe::CPUState::fpr):
        (JSC::Probe:: const):
        (JSC::Probe::CPUState::fpr const):
        (JSC::Probe::CPUState::pc):
        (JSC::Probe::CPUState::fp):
        (JSC::Probe::CPUState::sp):
        (JSC::Probe::CPUState::pc const):
        (JSC::Probe::CPUState::fp const):
        (JSC::Probe::CPUState::sp const):
        (JSC::Probe::Context::Context):
        (JSC::Probe::Context::gpr):
        (JSC::Probe::Context::spr):
        (JSC::Probe::Context::fpr):
        (JSC::Probe::Context::gprName):
        (JSC::Probe::Context::sprName):
        (JSC::Probe::Context::fprName):
        (JSC::Probe::Context::pc):
        (JSC::Probe::Context::fp):
        (JSC::Probe::Context::sp):
        (JSC::Probe::Context::stack):
        (JSC::Probe::Context::hasWritesToFlush):
        (JSC::Probe::Context::releaseStack):
        * assembler/ProbeStack.cpp: Added.
        (JSC::Probe::Page::Page):
        (JSC::Probe::Page::flushWrites):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::hasWritesToFlush):
        (JSC::Probe::Stack::flushWrites):
        (JSC::Probe::Stack::ensurePageFor):
        * assembler/ProbeStack.h: Added.
        (JSC::Probe::Page::baseAddressFor):
        (JSC::Probe::Page::chunkAddressFor):
        (JSC::Probe::Page::baseAddress):
        (JSC::Probe::Page::get):
        (JSC::Probe::Page::set):
        (JSC::Probe::Page::hasWritesToFlush const):
        (JSC::Probe::Page::flushWritesIfNeeded):
        (JSC::Probe::Page::dirtyBitFor):
        (JSC::Probe::Page::physicalAddressFor):
        (JSC::Probe::Stack::Stack):
        (JSC::Probe::Stack::lowWatermark):
        (JSC::Probe::Stack::get):
        (JSC::Probe::Stack::set):
        (JSC::Probe::Stack::newStackPointer const):
        (JSC::Probe::Stack::setNewStackPointer):
        (JSC::Probe::Stack::isValid):
        (JSC::Probe::Stack::pageFor):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::testProbeModifiesStackValues):
        (JSC::run):
        (): Deleted.
        (JSC::fillStack): Deleted.
        (JSC::testProbeModifiesStackWithCallback): Deleted.

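The following is an added worked model of the mirror-page scheme that the entry above describes in steps 3 and 4 (address decode to a page base, lazy copy of the real stack page, a one-entry cache for locality, per-chunk dirty bits, and a flush that copies back only dirty chunks). It is not JavaScriptCore's ProbeStack code: the class and method names echo the ChangeLog, but every body here is the example's own. It assumes one dirty bit per machine word (the entry does not state the "cache line" granularity), naturally aligned accesses so a value never straddles two pages, and a constructed in-process buffer standing in for the machine stack, so the probe body quoted above can be replayed and checked offline.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <unordered_map>
#include <vector>

// Illustrative re-implementation of the mirror-page idea (not JSC's code).
namespace ProbeDemo {

constexpr std::size_t pageSize = 1024;                     // 1K pages, as in the ChangeLog
constexpr std::size_t chunkSize = sizeof(std::uintptr_t);  // ASSUMPTION: one dirty bit per word
constexpr std::size_t chunksPerPage = pageSize / chunkSize;

class Page {
public:
    // Step (c): snapshot the real stack page into a heap-allocated mirror.
    explicit Page(std::uintptr_t base)
        : m_base(base), m_mirror(pageSize), m_dirty(chunksPerPage, false)
    {
        std::memcpy(m_mirror.data(), reinterpret_cast<const void*>(base), pageSize);
    }

    // Step (a): decode an address to the base of the 1K page containing it.
    static std::uintptr_t baseAddressFor(std::uintptr_t addr)
    {
        return addr & ~static_cast<std::uintptr_t>(pageSize - 1);
    }

    // Step (f): reads are served from the mirror, so they observe earlier set() calls.
    template<typename T> T get(std::uintptr_t addr) const
    {
        T value;
        std::memcpy(&value, m_mirror.data() + (addr - m_base), sizeof(T));
        return value;
    }

    // Step (g): write the mirror and mark the containing chunk dirty.
    template<typename T> void set(std::uintptr_t addr, T value)
    {
        std::memcpy(m_mirror.data() + (addr - m_base), &value, sizeof(T));
        m_dirty[(addr - m_base) / chunkSize] = true;
    }

    // Step 4(c): copy only dirty chunks back to the machine stack; returns how many.
    std::size_t flushWrites()
    {
        std::size_t flushed = 0;
        for (std::size_t i = 0; i < chunksPerPage; ++i) {
            if (!m_dirty[i])
                continue;
            std::memcpy(reinterpret_cast<void*>(m_base + i * chunkSize), m_mirror.data() + i * chunkSize, chunkSize);
            m_dirty[i] = false;
            ++flushed;
        }
        return flushed;
    }

private:
    std::uintptr_t m_base;
    std::vector<std::uint8_t> m_mirror;
    std::vector<bool> m_dirty;
};

class Stack {
public:
    template<typename T> T get(const void* p)
    {
        auto addr = reinterpret_cast<std::uintptr_t>(p);
        return pageFor(addr, sizeof(T)).get<T>(addr);
    }
    template<typename T> void set(void* p, T value)
    {
        auto addr = reinterpret_cast<std::uintptr_t>(p);
        pageFor(addr, sizeof(T)).set<T>(addr, value);
    }
    std::size_t pageCount() const { return m_pages.size(); }
    std::size_t flushWrites()
    {
        std::size_t flushed = 0;
        for (auto& entry : m_pages)
            flushed += entry.second->flushWrites();
        return flushed;
    }

private:
    Page& pageFor(std::uintptr_t addr, std::size_t size)
    {
        assert(addr % size == 0 && pageSize % size == 0);  // ASSUMPTION: aligned, so no page straddling
        std::uintptr_t base = Page::baseAddressFor(addr);
        if (m_lastPage && base == m_lastBase)  // step (e): last-page cache for locality
            return *m_lastPage;
        auto it = m_pages.find(base);          // step (b)
        if (it == m_pages.end())               // steps (c) and (d)
            it = m_pages.emplace(base, std::make_unique<Page>(base)).first;
        m_lastBase = base;
        m_lastPage = it->second.get();
        return *m_lastPage;
    }

    std::unordered_map<std::uintptr_t, std::unique_ptr<Page>> m_pages;
    std::uintptr_t m_lastBase = 0;
    Page* m_lastPage = nullptr;
};

// Constructed stand-in for the machine stack: a buffer big enough for four page-aligned 1K pages.
static std::uint8_t g_buffer[5 * pageSize];

struct DemoResult {
    std::uintptr_t readBack, rawBeforeFlush, rawAfterFlush;
    std::size_t pagesTouched, chunksFlushed;
};

// Replays the probe body quoted in the ChangeLog against the fake stack.
DemoResult runDemo()
{
    std::memset(g_buffer, 0, sizeof g_buffer);
    std::uintptr_t firstPage = Page::baseAddressFor(reinterpret_cast<std::uintptr_t>(g_buffer) + pageSize - 1);
    auto* currentSP = reinterpret_cast<std::uintptr_t*>(firstPage + 2 * pageSize);
    *currentSP = 0x1234;  // the value sitting at sp on the "real" stack

    Stack stack;
    auto value = stack.get<std::uintptr_t>(currentSP);
    stack.set<std::uintptr_t>(currentSP + 10, value);  // above sp: same page as sp
    stack.set<std::uintptr_t>(currentSP - 10, value);  // below sp: lands in a second page

    DemoResult r;
    r.readBack = stack.get<std::uintptr_t>(currentSP - 10);  // served from the mirror, sees the write
    r.rawBeforeFlush = *(currentSP - 10);                     // machine stack still untouched (0)
    r.pagesTouched = stack.pageCount();                       // two mirror pages were created
    r.chunksFlushed = stack.flushWrites();                    // only the two dirty chunks are copied
    r.rawAfterFlush = *(currentSP - 10);                      // now visible on the machine stack
    return r;
}

} // namespace ProbeDemo
```

The point the demo makes concrete is the ordering the entry relies on: the probe body's writes never touch the machine stack while the probe function runs (rawBeforeFlush stays 0), which is why Probe::executeProbe() can first move sp and relocate Probe::State, and only then let flushStackDirtyPages() copy the dirty chunks (and nothing else) back.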
2017-08-19  Andy Estes  <aestes@apple.com>

        [Payment Request] Add interface stubs
        https://bugs.webkit.org/show_bug.cgi?id=175730

        Reviewed by Youenn Fablet.

        * runtime/CommonIdentifiers.h:

2017-08-18  Per Arne Vollan  <pvollan@apple.com>

        Implement 32-bit MacroAssembler::probe support for Windows.
        https://bugs.webkit.org/show_bug.cgi?id=175449

        Reviewed by Mark Lam.

        This is needed to enable the DFG.

        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        (dllLauncherEntryPoint):
        * shell/CMakeLists.txt:
        * shell/PlatformWin.cmake:

2017-08-18  Mark Lam  <mark.lam@apple.com>

        Rename ProbeContext and ProbeFunction to Probe::State and Probe::Function.
        https://bugs.webkit.org/show_bug.cgi?id=175725
        <rdar://problem/33965477>

        Rubber-stamped by JF Bastien.

        This is purely a refactoring patch (in preparation for the introduction of a
        Probe::Context data structure in https://bugs.webkit.org/show_bug.cgi?id=175688
        later).  This patch does not change any semantics / behavior.

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        (JSC::stdFunctionCallback):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssembler.h:
        (JSC::ProbeContext::gpr): Deleted.
        (JSC::ProbeContext::spr): Deleted.
        (JSC::ProbeContext::fpr): Deleted.
        (JSC::ProbeContext::gprName): Deleted.
        (JSC::ProbeContext::sprName): Deleted.
        (JSC::ProbeContext::fprName): Deleted.
        (JSC::ProbeContext::pc): Deleted.
        (JSC::ProbeContext::fp): Deleted.
        (JSC::ProbeContext::sp): Deleted.
        * assembler/MacroAssemblerARM.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARM.h:
        (JSC::MacroAssemblerARM::trustedImm32FromPtr):
        * assembler/MacroAssemblerARM64.cpp:
        (JSC::arm64ProbeError):
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/MacroAssemblerARMv7.h:
        (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
        * assembler/MacroAssemblerPrinter.cpp:
        (JSC::Printer::printCallback):
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        (JSC::MacroAssembler::probe):
        * assembler/Printer.h:
        (JSC::Printer::Context::Context):
        * assembler/testmasm.cpp:
        (JSC::testProbeReadsArgumentRegisters):
        (JSC::testProbeWritesArgumentRegisters):
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::testProbeModifiesStackPointerToInsideProbeStateOnStack):
        (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
        (JSC::testProbeModifiesProgramCounter):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):
        (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack): Deleted.

2017-08-17  JF Bastien  <jfbastien@apple.com>

        WebAssembly: const in unreachable code decoded incorrectly, erroneously rejects binary as invalid
        https://bugs.webkit.org/show_bug.cgi?id=175693
        <rdar://problem/33952443>

        Reviewed by Saam Barati.

        64-bit constants in an unreachable context were being decoded as
        32-bit constants. This is pretty benign because unreachable code
        shouldn't occur often. The effect is that 64-bit constants which
        can't be encoded as 32-bit constants would cause the binary to be
        rejected.

        At the same time, 32-bit integer constants should be decoded as signed.

        * wasm/WasmFunctionParser.h:
        (JSC::Wasm::FunctionParser<Context>::parseUnreachableExpression):

2017-08-17  Robin Morisset  <rmorisset@apple.com>

        Teach DFGFixupPhase.cpp that the current scope is always a cell
        https://bugs.webkit.org/show_bug.cgi?id=175610

        Reviewed by Keith Miller.

        Also teach it that the argument to with can usually be speculated to be an object,
        since toObject() is called on it.

        * dfg/DFGFixupPhase.cpp:
        (JSC::DFG::FixupPhase::fixupNode):
        * dfg/DFGSpeculativeJIT.cpp:
        (JSC::DFG::SpeculativeJIT::compilePushWithScope):
        * dfg/DFGSpeculativeJIT.h:
        (JSC::DFG::SpeculativeJIT::callOperation):
        * ftl/FTLLowerDFGToB3.cpp:
        (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
        * jit/JITOperations.cpp:
        * jit/JITOperations.h:

2017-08-17  Matt Baker  <mattbaker@apple.com>

        Web Inspector: remove unused private struct from InspectorScriptProfilerAgent
        https://bugs.webkit.org/show_bug.cgi?id=175644

        Reviewed by Brian Burg.

        * inspector/agents/InspectorScriptProfilerAgent.h:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Only use 16 VFP registers if !CPU(ARM_NEON).
        https://bugs.webkit.org/show_bug.cgi?id=175514

        Reviewed by JF Bastien.

        Deleted q16-q31 FPQuadRegisterID enums in ARMv7Assembler.h.  The NEON spec
        says that there are only 16 128-bit NEON registers.  This change is merely to
        correct the code documentation of these registers.  The FPQuadRegisterID are
        currently unused.

        * assembler/ARMAssembler.h:
        (JSC::ARMAssembler::lastFPRegister):
        (JSC::ARMAssembler::fprName):
        * assembler/ARMv7Assembler.h:
        (JSC::ARMv7Assembler::lastFPRegister):
        (JSC::ARMv7Assembler::fprName):
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARMv7.cpp:

2017-08-17  Andreas Kling  <akling@apple.com>

        Disable CSS regions at compile time
        https://bugs.webkit.org/show_bug.cgi?id=175630

        Reviewed by Antti Koivisto.

        * Configurations/FeatureDefines.xcconfig:

2017-08-17  Jacobo Aragunde Pérez  <jaragunde@igalia.com>

        [WPE][GTK] Ensure proper casting of data in gvariants
        https://bugs.webkit.org/show_bug.cgi?id=175667

        Reviewed by Michael Catanzaro.

        g_variant_new requires data to have the correct width for their types, using
        casting if necessary. Some data of type `unsigned` were being saved to `guint64`
        types without explicit casting, leading to undefined behavior in some platforms.

        * inspector/remote/glib/RemoteInspectorGlib.cpp:
        (Inspector::RemoteInspector::listingForInspectionTarget const):
        (Inspector::RemoteInspector::listingForAutomationTarget const):
        (Inspector::RemoteInspector::sendMessageToRemote):

2017-08-17  Yusuke Suzuki  <utatane.tea@gmail.com>

        [JSC] Avoid code bloating for iteration if block does not have "break"
        https://bugs.webkit.org/show_bug.cgi?id=173228

        Reviewed by Keith Miller.

        Currently, we always emit code for the break path when emitting for-of iteration.
        But we can know, when emitting the bytecode, whether this break path can be used.

        This patch adds LabelScope::breakTargetMayBeBound(), which returns true if
        the break label may be bound. We emit a break path only when it returns
        true. This reduces bytecode bloating when using for-of iteration.

        * bytecompiler/BytecodeGenerator.cpp:
        (JSC::Label::setLocation):
        (JSC::BytecodeGenerator::newLabel):
        (JSC::BytecodeGenerator::emitLabel):
        (JSC::BytecodeGenerator::pushFinallyControlFlowScope):
        (JSC::BytecodeGenerator::breakTarget):
        (JSC::BytecodeGenerator::continueTarget):
        (JSC::BytecodeGenerator::emitEnumeration):
        * bytecompiler/BytecodeGenerator.h:
        * bytecompiler/Label.h:
        (JSC::Label::bind const):
        (JSC::Label::hasOneRef const):
        (JSC::Label::isBound const):
        (JSC::Label::Label): Deleted.
        * bytecompiler/LabelScope.h:
        (JSC::LabelScope::hasOneRef const):
        (JSC::LabelScope::breakTargetMayBeBound const):
        * bytecompiler/NodesCodegen.cpp:
        (JSC::ContinueNode::trivialTarget):
        (JSC::ContinueNode::emitBytecode):
        (JSC::BreakNode::trivialTarget):
        (JSC::BreakNode::emitBytecode):

2017-08-17  Csaba Osztrogonác  <ossy@webkit.org>

        ARM build fix after r220807 and r220834.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Unreviewed typo fix.

        * assembler/MacroAssemblerARM.cpp:

2017-08-17  Mark Lam  <mark.lam@apple.com>

        Gardening: build fix for ARM_TRADITIONAL after r220807.
        https://bugs.webkit.org/show_bug.cgi?id=175617

        Not reviewed.

        * assembler/MacroAssemblerARM.cpp:

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Add back the ability to disable MASM_PROBE from the build.
        https://bugs.webkit.org/show_bug.cgi?id=175656
        <rdar://problem/33933720>

        Reviewed by Yusuke Suzuki.

        This is needed for ports that the existing MASM_PROBE implementation doesn't work
        well with e.g. GTK with ARM_THUMB2.  Note that the DFG_JIT will be disabled by
        default if !ENABLE(MASM_PROBE).

        * assembler/AbstractMacroAssembler.h:
        * assembler/MacroAssembler.cpp:
        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerPrinter.cpp:
        * assembler/MacroAssemblerPrinter.h:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::run):
        * b3/B3LowerToAir.cpp:
        * b3/air/AirPrintSpecial.cpp:
        * b3/air/AirPrintSpecial.h:

2017-08-16  Dan Bernstein  <mitz@apple.com>

        [Cocoa] Older-iOS install name symbols are being exported on other platforms
        https://bugs.webkit.org/show_bug.cgi?id=175654

        Reviewed by Tim Horton.

        * API/JSBase.cpp: Define the symbols only when targeting iOS.

2017-08-16  Matt Baker  <mattbaker@apple.com>

        Web Inspector: capture async stack trace when workers/main context posts a message
        https://bugs.webkit.org/show_bug.cgi?id=167084
        <rdar://problem/30033673>

        Reviewed by Brian Burg.

        * inspector/agents/InspectorDebuggerAgent.h:
        Add `PostMessage` async call type.

2017-08-16  Mark Lam  <mark.lam@apple.com>

        Enhance MacroAssembler::probe() to support an initializeStackFunction callback.
        https://bugs.webkit.org/show_bug.cgi?id=175617
        <rdar://problem/33912104>

        Reviewed by JF Bastien.

        This patch adds a new feature to MacroAssembler::probe() where the probe function
        can provide a ProbeFunction callback to fill in stack values after the stack
        pointer has been adjusted.  The probe function can use this feature as follows:

        1. Set the new sp value in the ProbeContext's CPUState.

        2. Set the ProbeContext's initializeStackFunction to a ProbeFunction callback
           which will do the work of filling in the stack values after the probe
           trampoline has adjusted the machine stack pointer.

        3. Set the ProbeContext's initializeStackArgs to any value that the client wants
           to pass to the initializeStackFunction callback.

        4. Return from the probe function.

        Upon returning from the probe function, the probe trampoline will adjust the
        stack pointer based on the sp value in CPUState.  If initializeStackFunction
        is not set, the probe trampoline will restore registers and return to its caller.

        If initializeStackFunction is set, the trampoline will move the ProbeContext
        beyond the range of the stack pointer i.e. it will place the new ProbeContext at
        an address lower than where CPUState.sp() points.  This ensures that the
        ProbeContext will not be trashed by the initializeStackFunction when it writes to
        the stack.  Then, the trampoline will call back to the initializeStackFunction
        ProbeFunction to let it fill in the stack values as desired.  The
        initializeStackFunction ProbeFunction will be passed the moved ProbeContext at
        the new location.

        initializeStackFunction may now write to the stack at addresses greater or
        equal to CPUState.sp(), but not below that.  initializeStackFunction is also
        not allowed to change CPUState.sp().  If the initializeStackFunction does not
        abide by these rules, then behavior is undefined, and bad things may happen.

        For future reference, some implementation details that this patch needed to
        be mindful of:

        1. When the probe trampoline allocates stack space for the ProbeContext, it
           should include OUT_SIZE as well.  This ensures that it doesn't have to move
           the ProbeContext on exit if the probe function didn't change the sp.

        2. If the trampoline has to move the ProbeContext, it needs to point the machine
           sp to the new ProbeContext first before copying over the ProbeContext data.  This
           protects the new ProbeContext from possibly being trashed by interrupts.

        3. When computing the new address of ProbeContext to move to, we need to make
           sure that it is properly aligned in accordance with stack ABI requirements
           (just like we did when we allocated the ProbeContext on entry to the
           probe trampoline).

        4. When copying the ProbeContext to its new location, the trampoline should
           always copy words from low addresses to high addresses.  This is because if
           we're moving the ProbeContext, we'll always be moving it to a lower address.

        * assembler/MacroAssembler.h:
        * assembler/MacroAssemblerARM.cpp:
        * assembler/MacroAssemblerARM64.cpp:
        * assembler/MacroAssemblerARMv7.cpp:
        * assembler/MacroAssemblerX86Common.cpp:
        * assembler/testmasm.cpp:
        (JSC::testProbePreservesGPRS):
        (JSC::testProbeModifiesStackPointer):
        (JSC::fillStack):
        (JSC::testProbeModifiesStackWithCallback):
        (JSC::run):

670 2017-08-16  Csaba Osztrogonác  <ossy@webkit.org>
671
672         Fix JSCOnly ARM buildbots after r220047 and r220184
673         https://bugs.webkit.org/show_bug.cgi?id=174993
674
675         Reviewed by Carlos Alberto Lopez Perez.
676
677         * CMakeLists.txt: Generate only one backend on Linux to save build time.
678
679 2017-08-16  Andy Estes  <aestes@apple.com>
680
681         [Payment Request] Add an ENABLE flag and an experimental feature preference
682         https://bugs.webkit.org/show_bug.cgi?id=175622
683
684         Reviewed by Tim Horton.
685
686         * Configurations/FeatureDefines.xcconfig:
687
688 2017-08-15  Robin Morisset  <rmorisset@apple.com>
689
690         We are too conservative about the effects of PushWithScope
691         https://bugs.webkit.org/show_bug.cgi?id=175584
692
693         Reviewed by Saam Barati.
694
695         PushWithScope converts its argument to an object (this can throw a type error,
696         but has no other observable effect), and allocates a new scope, that it then
697         makes the new current scope. We were a bit too
698         conservative in saying that it clobbers the world.
699
700         * dfg/DFGAbstractInterpreterInlines.h:
701         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
702         * dfg/DFGClobberize.h:
703         (JSC::DFG::clobberize):
704         * dfg/DFGDoesGC.cpp:
705         (JSC::DFG::doesGC):
706
707 2017-08-15  Ryosuke Niwa  <rniwa@webkit.org>
708
709         Make DataTransferItemList work with plain text entries
710         https://bugs.webkit.org/show_bug.cgi?id=175596
711
712         Reviewed by Wenson Hsieh.
713
714         Added DataTransferItem as a common identifier since it's a runtime enabled feature.
715
716         * runtime/CommonIdentifiers.h:
717
718 2017-08-15  Robin Morisset  <rmorisset@apple.com>
719
720         Support the 'with' keyword in FTL
721         https://bugs.webkit.org/show_bug.cgi?id=175585
722
723         Reviewed by Saam Barati.
724
725         Also makes sure that the order of arguments of PushWithScope, op_push_with_scope, JSWithScope::create()
726         and so on is consistent (always parentScope first, the new scopeObject second). We used to go from one
727         to the other at different steps, which was quite confusing. I picked this order for consistency with CreateActivation
728         that takes its parentScope argument first.
729
730         * bytecompiler/BytecodeGenerator.cpp:
731         (JSC::BytecodeGenerator::emitPushWithScope):
732         * debugger/DebuggerCallFrame.cpp:
733         (JSC::DebuggerCallFrame::evaluateWithScopeExtension):
734         * dfg/DFGByteCodeParser.cpp:
735         (JSC::DFG::ByteCodeParser::parseBlock):
736         * dfg/DFGFixupPhase.cpp:
737         (JSC::DFG::FixupPhase::fixupNode):
738         * dfg/DFGSpeculativeJIT.cpp:
739         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
740         * ftl/FTLCapabilities.cpp:
741         (JSC::FTL::canCompile):
742         * ftl/FTLLowerDFGToB3.cpp:
743         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
744         (JSC::FTL::DFG::LowerDFGToB3::compilePushWithScope):
745         * jit/JITOperations.cpp:
746         * runtime/CommonSlowPaths.cpp:
747         (JSC::SLOW_PATH_DECL):
748         * runtime/Completion.cpp:
749         (JSC::evaluateWithScopeExtension):
750         * runtime/JSWithScope.cpp:
751         (JSC::JSWithScope::create):
752         * runtime/JSWithScope.h:
753
754 2017-08-15  Saam Barati  <sbarati@apple.com>
755
756         Make VM::scratchBufferForSize thread safe
757         https://bugs.webkit.org/show_bug.cgi?id=175604
758
759         Reviewed by Geoffrey Garen and Mark Lam.
760
761         I want to use the VM::scratchBufferForSize in another patch I'm writing.
762         The use case for my other patch is to call it from the compiler thread.
763         When reading the code, I saw that this API was not thread safe. This patch
764         makes it thread safe. It actually turns out we were calling this API from
765         the compiler thread already when we created FTL::State for an FTL OSR entry
766         compilation, and from FTLLowerDFGToB3. That code was racy and wrong, but
767         is now correct with this patch.
768
769         * runtime/VM.cpp:
770         (JSC::VM::VM):
771         (JSC::VM::~VM):
772         (JSC::VM::gatherConservativeRoots):
773         (JSC::VM::scratchBufferForSize):
774         * runtime/VM.h:
775         (JSC::VM::scratchBufferForSize): Deleted.
776
777 2017-08-15  Keith Miller  <keith_miller@apple.com>
778
779         JSC named bytecode offsets should use references rather than pointers
780         https://bugs.webkit.org/show_bug.cgi?id=175601
781
782         Reviewed by Saam Barati.
783
784         * dfg/DFGByteCodeParser.cpp:
785         (JSC::DFG::ByteCodeParser::parseBlock):
786         * jit/JITOpcodes.cpp:
787         (JSC::JIT::emit_op_overrides_has_instance):
788         (JSC::JIT::emit_op_instanceof):
789         (JSC::JIT::emitSlow_op_instanceof):
790         (JSC::JIT::emitSlow_op_instanceof_custom):
791         * jit/JITOpcodes32_64.cpp:
792         (JSC::JIT::emit_op_overrides_has_instance):
793         (JSC::JIT::emit_op_instanceof):
794         (JSC::JIT::emitSlow_op_instanceof):
795         (JSC::JIT::emitSlow_op_instanceof_custom):
796
797 2017-08-15  Keith Miller  <keith_miller@apple.com>
798
799         Enable named offsets into JSC bytecodes
800         https://bugs.webkit.org/show_bug.cgi?id=175561
801
802         Reviewed by Mark Lam.
803
804         This patch adds the ability to add named offsets into JSC's
805         bytecodes.  In the bytecode json file, instead of listing a
806         length, you can now list a set of names and their types. Each
807         opcode with an offsets property will have a struct named after the
808         opcode in our C++ naming style. For example,
809         op_overrides_has_instance would become OpOverridesHasInstance. The
810         struct has the same memory layout as the instruction list has but
811         comes with handy named accessors.
812
813         As a first cut I converted the various instanceof bytecodes to use
814         named offsets.
815
816         As an example op_overrides_has_instance produces the following struct:
817
818         struct OpOverridesHasInstance {
819         public:
820             Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
821             const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
822             int& dst() { return *reinterpret_cast<int*>(&m_dst); }
823             const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
824             int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
825             const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
826             int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
827             const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }
828
829         private:
830             friend class LLIntOffsetsExtractor;
831             std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
832             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
833             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
834             std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
835         };
836
837         * CMakeLists.txt:
838         * DerivedSources.make:
839         * JavaScriptCore.xcodeproj/project.pbxproj:
840         * bytecode/BytecodeList.json:
841         * dfg/DFGByteCodeParser.cpp:
842         (JSC::DFG::ByteCodeParser::parseBlock):
843         * generate-bytecode-files:
844         * jit/JITOpcodes.cpp:
845         (JSC::JIT::emit_op_overrides_has_instance):
846         (JSC::JIT::emit_op_instanceof):
847         (JSC::JIT::emitSlow_op_instanceof):
848         (JSC::JIT::emitSlow_op_instanceof_custom):
849         * jit/JITOpcodes32_64.cpp:
850         (JSC::JIT::emit_op_overrides_has_instance):
851         (JSC::JIT::emit_op_instanceof):
852         (JSC::JIT::emitSlow_op_instanceof):
853         (JSC::JIT::emitSlow_op_instanceof_custom):
854         * llint/LLIntOffsetsExtractor.cpp:
855         * llint/LowLevelInterpreter.asm:
856         * llint/LowLevelInterpreter32_64.asm:
857         * llint/LowLevelInterpreter64.asm:
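
        Added example, not code from this entry or from JavaScriptCore's generator: a
        self-contained model of the named-offsets pattern described above. The struct
        mirrors the one in the entry; the Instruction slot type (one machine word on a
        little-endian host), the opcode constants, the bounds-checked overlay helper and
        the sample stream are assumptions made for the example. It checks the property
        the pattern depends on, that the struct is layout-identical to the instruction
        list, and that the accessors and raw slot indexing agree.

```cpp
// Added example (not JavaScriptCore code): named offsets into a bytecode stream.
// A stream is an array of Instruction slots; a struct with one aligned_storage
// member per slot is overlaid on it so operands get typed accessors instead of
// magic indices. Instruction/Opcode as plain words, the constants, the helper
// functions and the sample stream are assumptions for this example.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <type_traits>

using Instruction = uintptr_t;  // assumed: one machine word per slot, little-endian
using Opcode = Instruction;     // assumed: the opcode is stored as a plain word
constexpr Opcode op_nop = 0;
constexpr Opcode op_overrides_has_instance = 1;

struct OpOverridesHasInstance {
public:
    static constexpr size_t length = 4;  // slots this opcode occupies

    Opcode& opcode() { return *reinterpret_cast<Opcode*>(&m_opcode); }
    const Opcode& opcode() const { return *reinterpret_cast<const Opcode*>(&m_opcode); }
    int& dst() { return *reinterpret_cast<int*>(&m_dst); }
    const int& dst() const { return *reinterpret_cast<const int*>(&m_dst); }
    int& constructor() { return *reinterpret_cast<int*>(&m_constructor); }
    const int& constructor() const { return *reinterpret_cast<const int*>(&m_constructor); }
    int& hasInstanceValue() { return *reinterpret_cast<int*>(&m_hasInstanceValue); }
    const int& hasInstanceValue() const { return *reinterpret_cast<const int*>(&m_hasInstanceValue); }

private:
    std::aligned_storage<sizeof(Opcode), sizeof(Instruction)>::type m_opcode;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_dst;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_constructor;
    std::aligned_storage<sizeof(int), sizeof(Instruction)>::type m_hasInstanceValue;
};

// The property the overlay relies on: the struct is exactly `length` slots,
// needs no more alignment than a slot, and is a trivially copyable view.
static_assert(sizeof(OpOverridesHasInstance) == OpOverridesHasInstance::length * sizeof(Instruction),
    "named-offset struct must match the instruction list layout");
static_assert(alignof(OpOverridesHasInstance) == alignof(Instruction),
    "named-offset struct must not demand more alignment than a slot");
static_assert(std::is_trivially_copyable<OpOverridesHasInstance>::value,
    "named-offset struct must be a plain overlay");

// Overlay the struct at `offset`, refusing if the instruction would run past
// the end of the stream or if the opcode there is not the expected one.
static OpOverridesHasInstance* viewOverridesHasInstance(Instruction* stream, size_t streamLength, size_t offset)
{
    if (offset > streamLength || streamLength - offset < OpOverridesHasInstance::length)
        return nullptr;
    if (stream[offset] != op_overrides_has_instance)
        return nullptr;
    return reinterpret_cast<OpOverridesHasInstance*>(stream + offset);
}

// Write one op_overrides_has_instance through the accessors. Returns the offset
// of the next instruction, or 0 if the instruction does not fit.
static size_t emitOverridesHasInstance(Instruction* stream, size_t streamLength, size_t offset,
    int dst, int constructor, int hasInstanceValue)
{
    if (offset > streamLength || streamLength - offset < OpOverridesHasInstance::length)
        return 0;
    stream[offset] = op_overrides_has_instance;
    OpOverridesHasInstance* op = viewOverridesHasInstance(stream, streamLength, offset);
    op->dst() = dst;
    op->constructor() = constructor;
    op->hasInstanceValue() = hasInstanceValue;
    return offset + OpOverridesHasInstance::length;
}

// Read a slot as raw bytes so the comparison does not depend on which type
// last wrote it (the int accessors write only the low 4 bytes of the slot).
static Instruction rawSlot(const Instruction* stream, size_t index)
{
    Instruction word;
    std::memcpy(&word, stream + index, sizeof word);
    return word;
}

// Constructed stream: named accessors and raw slot indexing must agree.
static bool namedOffsetsMatchRawSlots()
{
    Instruction stream[8] = {};
    if (emitOverridesHasInstance(stream, 8, 0, 3, 7, 9) != OpOverridesHasInstance::length)
        return false;
    const OpOverridesHasInstance* op = viewOverridesHasInstance(stream, 8, 0);
    return op && op->opcode() == op_overrides_has_instance
        && op->dst() == 3 && op->constructor() == 7 && op->hasInstanceValue() == 9
        && rawSlot(stream, 0) == op_overrides_has_instance
        && rawSlot(stream, 1) == 3 && rawSlot(stream, 2) == 7 && rawSlot(stream, 3) == 9;
}

// The view refuses to overrun the stream or to reinterpret a different opcode.
static bool viewRejectsBadOffsets()
{
    Instruction stream[8] = {};
    emitOverridesHasInstance(stream, 8, 0, 1, 2, 3);
    return !viewOverridesHasInstance(stream, 8, 6)   // only 2 slots left
        && !viewOverridesHasInstance(stream, 8, 4)   // op_nop there
        && emitOverridesHasInstance(stream, 8, 6, 1, 2, 3) == 0;
}

int main()
{
    bool ok = namedOffsetsMatchRawSlots() && viewRejectsBadOffsets();
    std::printf("named offsets: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

        The static_asserts are the part worth keeping in real code: an accessor is
        only as safe as the layout guarantee behind it, and the bounds check in the
        overlay helper is what stops a malformed offset from reading past the block.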
858
859 2017-08-15  Mark Lam  <mark.lam@apple.com>
860
861         Update testmasm to use new CPUState APIs.
862         https://bugs.webkit.org/show_bug.cgi?id=175573
863
864         Reviewed by Keith Miller.
865
866         1. Applied convenience CPUState accessors to minimize casting.
867         2. Converted the CHECK macro to CHECK_EQ to get more friendly failure debugging
868            messages.
869         3. Removed the CHECK_DOUBLE_BITWISE_EQ macro.  We can just use CHECK_EQ now since
870            casting is (mostly) no longer an issue.
871         4. Replaced the use of testDoubleWord(id) with bitwise_cast<double>(testWord64(id))
872            to make it clear that we're comparing against the bit values of testWord64(id).
873         5. Added a "Completed N tests" message at the end of running all tests.
874            This makes it easy to tell at a glance that testmasm completed successfully
875            versus when it crashed midway in a test.  The number of tests also serves as
876            a quick checksum to confirm that we ran the number of tests we expected.
877
878         * assembler/testmasm.cpp:
879         (WTF::printInternal):
880         (JSC::testSimple):
881         (JSC::testProbeReadsArgumentRegisters):
882         (JSC::testProbeWritesArgumentRegisters):
883         (JSC::testProbePreservesGPRS):
884         (JSC::testProbeModifiesStackPointer):
885         (JSC::testProbeModifiesProgramCounter):
886         (JSC::run):
887
888 2017-08-14  Keith Miller  <keith_miller@apple.com>
889
890         Add testing tool to lie to the DFG about profiles
891         https://bugs.webkit.org/show_bug.cgi?id=175487
892
893         Reviewed by Saam Barati.
894
895         This patch adds a new bytecode identity_with_profile that lets
896         us lie to the DFG about what profiles it has seen as the input to
897         another bytecode. Previously, there was no reliable way to force
898         a given profile when we tier up.
899
900         * bytecode/BytecodeDumper.cpp:
901         (JSC::BytecodeDumper<Block>::dumpBytecode):
902         * bytecode/BytecodeIntrinsicRegistry.h:
903         * bytecode/BytecodeList.json:
904         * bytecode/BytecodeUseDef.h:
905         (JSC::computeUsesForBytecodeOffset):
906         (JSC::computeDefsForBytecodeOffset):
907         * bytecode/SpeculatedType.cpp:
908         (JSC::speculationFromString):
909         * bytecode/SpeculatedType.h:
910         * bytecompiler/BytecodeGenerator.cpp:
911         (JSC::BytecodeGenerator::emitIdWithProfile):
912         * bytecompiler/BytecodeGenerator.h:
913         * bytecompiler/NodesCodegen.cpp:
914         (JSC::BytecodeIntrinsicNode::emit_intrinsic_idWithProfile):
915         * dfg/DFGAbstractInterpreterInlines.h:
916         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
917         * dfg/DFGByteCodeParser.cpp:
918         (JSC::DFG::ByteCodeParser::parseBlock):
919         * dfg/DFGCapabilities.cpp:
920         (JSC::DFG::capabilityLevel):
921         * dfg/DFGClobberize.h:
922         (JSC::DFG::clobberize):
923         * dfg/DFGDoesGC.cpp:
924         (JSC::DFG::doesGC):
925         * dfg/DFGFixupPhase.cpp:
926         (JSC::DFG::FixupPhase::fixupNode):
927         * dfg/DFGMayExit.cpp:
928         * dfg/DFGNode.h:
929         (JSC::DFG::Node::getForcedPrediction):
930         * dfg/DFGNodeType.h:
931         * dfg/DFGPredictionPropagationPhase.cpp:
932         * dfg/DFGSafeToExecute.h:
933         (JSC::DFG::safeToExecute):
934         * dfg/DFGSpeculativeJIT32_64.cpp:
935         (JSC::DFG::SpeculativeJIT::compile):
936         * dfg/DFGSpeculativeJIT64.cpp:
937         (JSC::DFG::SpeculativeJIT::compile):
938         * dfg/DFGValidate.cpp:
939         * jit/JIT.cpp:
940         (JSC::JIT::privateCompileMainPass):
941         * jit/JIT.h:
942         * jit/JITOpcodes.cpp:
943         (JSC::JIT::emit_op_identity_with_profile):
944         * jit/JITOpcodes32_64.cpp:
945         (JSC::JIT::emit_op_identity_with_profile):
946         * llint/LowLevelInterpreter.asm:
947
948 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
949
950         Remove Proximity Events and related code
951         https://bugs.webkit.org/show_bug.cgi?id=175545
952
953         Reviewed by Daniel Bates.
954
955         No platform enables Proximity Events, so remove code inside ENABLE(PROXIMITY_EVENTS)
956         and other related code.
957
958         * Configurations/FeatureDefines.xcconfig:
959
960 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
961
962         Remove ENABLE(REQUEST_AUTOCOMPLETE) code, which was disabled everywhere
963         https://bugs.webkit.org/show_bug.cgi?id=175504
964
965         Reviewed by Sam Weinig.
966
967         * Configurations/FeatureDefines.xcconfig:
968
969 2017-08-14  Simon Fraser  <simon.fraser@apple.com>
970
971         Remove ENABLE_VIEW_MODE_CSS_MEDIA and related code
972         https://bugs.webkit.org/show_bug.cgi?id=175557
973
974         Reviewed by Jon Lee.
975
976         No port cares about the ENABLE(VIEW_MODE_CSS_MEDIA) feature, so remove it.
977
978         * Configurations/FeatureDefines.xcconfig:
979
980 2017-08-14  Robin Morisset  <rmorisset@apple.com>
981
982         Support the 'with' keyword in DFG
983         https://bugs.webkit.org/show_bug.cgi?id=175470
984
985         Reviewed by Saam Barati.
986
987         Not particularly optimized at the moment, the goal is just to avoid
988         the DFG bailing out of any function with this keyword.
989
990         * dfg/DFGAbstractInterpreterInlines.h:
991         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
992         * dfg/DFGByteCodeParser.cpp:
993         (JSC::DFG::ByteCodeParser::parseBlock):
994         * dfg/DFGCapabilities.cpp:
995         (JSC::DFG::capabilityLevel):
996         * dfg/DFGClobberize.h:
997         (JSC::DFG::clobberize):
998         * dfg/DFGDoesGC.cpp:
999         (JSC::DFG::doesGC):
1000         * dfg/DFGFixupPhase.cpp:
1001         (JSC::DFG::FixupPhase::fixupNode):
1002         * dfg/DFGNodeType.h:
1003         * dfg/DFGPredictionPropagationPhase.cpp:
1004         * dfg/DFGSafeToExecute.h:
1005         (JSC::DFG::safeToExecute):
1006         * dfg/DFGSpeculativeJIT.cpp:
1007         (JSC::DFG::SpeculativeJIT::compilePushWithScope):
1008         * dfg/DFGSpeculativeJIT.h:
1009         (JSC::DFG::SpeculativeJIT::callOperation):
1010         * dfg/DFGSpeculativeJIT32_64.cpp:
1011         (JSC::DFG::SpeculativeJIT::compile):
1012         * dfg/DFGSpeculativeJIT64.cpp:
1013         (JSC::DFG::SpeculativeJIT::compile):
1014         * jit/JITOperations.cpp:
1015         * jit/JITOperations.h:
1016
1017 2017-08-14  Mark Lam  <mark.lam@apple.com>
1018
1019         Add some convenience utility accessor methods to MacroAssembler::CPUState.
1020         https://bugs.webkit.org/show_bug.cgi?id=175549
1021         <rdar://problem/33884868>
1022
1023         Reviewed by Saam Barati.
1024
1025         Previously, in order to read ProbeContext CPUState registers, we used to need to
1026         do it this way:
1027
1028             ExecState* exec = reinterpret_cast<ExecState*>(cpu.fp());
1029             uint32_t i32 = static_cast<uint32_t>(cpu.gpr(GPRInfo::regT0));
1030             void* p = reinterpret_cast<void*>(cpu.gpr(GPRInfo::regT1));
1031             uint64_t u64 = bitwise_cast<uint64_t>(cpu.fpr(FPRInfo::fpRegT0));
1032
1033         With this patch, we can now read them this way instead:
1034         
1035             ExecState* exec = cpu.fp<ExecState*>();
1036             uint32_t i32 = cpu.gpr<uint32_t>(GPRInfo::regT0);
1037             void* p = cpu.gpr<void*>(GPRInfo::regT1);
1038             uint64_t u64 = cpu.fpr<uint64_t>(FPRInfo::fpRegT0);
1039
1040         * assembler/MacroAssembler.h:
1041         (JSC:: const):
1042         (JSC::MacroAssembler::CPUState::fpr const):
1043         (JSC::MacroAssembler::CPUState::pc const):
1044         (JSC::MacroAssembler::CPUState::fp const):
1045         (JSC::MacroAssembler::CPUState::sp const):
1046         (JSC::ProbeContext::pc):
1047         (JSC::ProbeContext::fp):
1048         (JSC::ProbeContext::sp):
1049
1050 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1051
1052         Put the ScopedArgumentsTable's ScopeOffset array in some gigacage
1053         https://bugs.webkit.org/show_bug.cgi?id=174921
1054
1055         Reviewed by Mark Lam.
1056         
1057         Uses CagedUniquePtr<> to cage the ScopeOffset array.
1058
1059         * dfg/DFGSpeculativeJIT.cpp:
1060         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1061         * ftl/FTLLowerDFGToB3.cpp:
1062         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1063         * jit/JITPropertyAccess.cpp:
1064         (JSC::JIT::emitScopedArgumentsGetByVal):
1065         * runtime/ScopedArgumentsTable.cpp:
1066         (JSC::ScopedArgumentsTable::create):
1067         (JSC::ScopedArgumentsTable::setLength):
1068         * runtime/ScopedArgumentsTable.h:
1069
1070 2017-08-14  Mark Lam  <mark.lam@apple.com>
1071
1072         Gardening: fix Windows build.
1073         https://bugs.webkit.org/show_bug.cgi?id=175446
1074
1075         Not reviewed.
1076
1077         * assembler/MacroAssemblerX86Common.cpp:
1078         (JSC::booleanTrueForAvoidingNoReturnDeclaration):
1079         (JSC::ctiMasmProbeTrampoline):
1080
1081 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1082
1083         [ARM64] Use x29 and x30 instead of fp and lr to make GCC happy
1084         https://bugs.webkit.org/show_bug.cgi?id=175512
1085         <rdar://problem/33863584>
1086
1087         Reviewed by Mark Lam.
1088
1089         * CMakeLists.txt: Added MacroAssemblerARM64.cpp.
1090         * assembler/MacroAssemblerARM64.cpp: Use x29 and x30 instead of fp and lr to make GCC happy.
1091
1092 2017-08-12  Csaba Osztrogonác  <ossy@webkit.org>
1093
1094         ARM_TRADITIONAL: static assertion failed: ProbeContext_size_matches_ctiMasmProbeTrampoline
1095         https://bugs.webkit.org/show_bug.cgi?id=175513
1096
1097         Reviewed by Mark Lam.
1098
1099         * assembler/MacroAssemblerARM.cpp: Added d16-d31 FP registers too.
1100
1101 2017-08-12  Filip Pizlo  <fpizlo@apple.com>
1102
1103         FTL's compileGetTypedArrayByteOffset needs to do caging
1104         https://bugs.webkit.org/show_bug.cgi?id=175366
1105
1106         Reviewed by Saam Barati.
1107         
1108         While implementing boxing in the DFG, I noticed that there was some missing boxing in the FTL. This
1109         fixes the case in GetTypedArrayByteOffset, and files FIXMEs for more such cases.
1110
1111         * dfg/DFGSpeculativeJIT.cpp:
1112         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1113         * ftl/FTLLowerDFGToB3.cpp:
1114         (JSC::FTL::DFG::LowerDFGToB3::compileGetTypedArrayByteOffset):
1115         (JSC::FTL::DFG::LowerDFGToB3::cagedMayBeNull):
1116         * runtime/ArrayBuffer.h:
1117         * runtime/ArrayBufferView.h:
1118         * runtime/JSArrayBufferView.h:
1119
1120 2017-08-11  Ryosuke Niwa  <rniwa@webkit.org>
1121
1122         Replace DATA_TRANSFER_ITEMS by a runtime flag and add a stub implementation
1123         https://bugs.webkit.org/show_bug.cgi?id=175474
1124         <rdar://problem/33844628>
1125
1126         Reviewed by Wenson Hsieh.
1127
1128         * Configurations/FeatureDefines.xcconfig:
1129         * runtime/CommonIdentifiers.h:
1130
1131 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1132
1133         Caging shouldn't have to use a patchpoint for adding
1134         https://bugs.webkit.org/show_bug.cgi?id=175483
1135
1136         Reviewed by Mark Lam.
1137
1138         Caging involves doing a Add(ptr, largeConstant). All of B3's heuristics for how to deal with
1139         constants and associative operations dictate that you always want to sink constants. For example,
1140         Add(Add(a, constant), b) always becomes Add(Add(a, b), constant). This is profitable because in
1141         typical code, it reveals downstream optimizations. But it's terrible in the case of caging, because
1142         we want the large constant (which is shared by all caging operations) to be hoisted. Reassociating to
1143         sink constants obscures the constant in this case. Currently, moveConstants is not smart enough to
1144         reassociate, so instead of sinking largeConstant, it tries (and often fails) to sink some other
1145         constants instead. Without some hacks, this is a 5% Kraken regression and a 1.6% Octane regression.
1146         It's not clear that moveConstants could ever be smart enough to rematerialize that constant and then
1147         hoist it - that would require quite a bit of algebraic reasoning. But the only case we know of where
1148         our current constant reassociation heuristics are wrong is caging. So, we can get away with some
1149         hacks for just stopping B3's reassociation only in this specific case.
1150         
1151         Previously, we achieved this by concealing the Add(ptr, largeConstant) inside a patchpoint. That's
1152         OK, but patchpoints are expensive. They require a SharedTask instance. They require callbacks from
1153         the backend, including during register allocation. And they cannot be CSE'd. We do want B3 to know
1154         that if we cage the same pointer in two places, both places will compute the same value.
1155         
1156         This patch improves the situation by introducing the Opaque opcode. This is handled by LowerToAir as
1157         if it was Identity, but all prior phases treat it as an unknown pure unary idempotent operation. I.e.
1158         they know that Opaque(x) == Opaque(x) and that Opaque(Opaque(x)) == Opaque(x). But they don't know
1159         that Opaque(x) == x until LowerToAir. So, you can use Opaque exactly when you know that B3 will mess
1160         up your code but Air won't. (Currently we know of no cases where Air messes things up on a large
1161         enough scale to warrant new opcodes.)
1162         
1163         This change is perf-neutral, but may start to help as I add more uses of caged() in the FTL. It also
1164         makes the code a bit less ugly.
1165
1166         * b3/B3LowerToAir.cpp:
1167         (JSC::B3::Air::LowerToAir::shouldCopyPropagate):
1168         (JSC::B3::Air::LowerToAir::lower):
1169         * b3/B3Opcode.cpp:
1170         (WTF::printInternal):
1171         * b3/B3Opcode.h:
1172         * b3/B3ReduceStrength.cpp:
1173         * b3/B3Validate.cpp:
1174         * b3/B3Value.cpp:
1175         (JSC::B3::Value::effects const):
1176         (JSC::B3::Value::key const):
1177         (JSC::B3::Value::isFree const):
1178         (JSC::B3::Value::typeFor):
1179         * b3/B3Value.h:
1180         * b3/B3ValueKey.cpp:
1181         (JSC::B3::ValueKey::materialize const):
1182         * ftl/FTLLowerDFGToB3.cpp:
1183         (JSC::FTL::DFG::LowerDFGToB3::caged):
1184         * ftl/FTLOutput.cpp:
1185         (JSC::FTL::Output::opaque):
1186         * ftl/FTLOutput.h:
1187
1188 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1189
1190         ScopedArguments overflow storage needs to be in the JSValue gigacage
1191         https://bugs.webkit.org/show_bug.cgi?id=174923
1192
1193         Reviewed by Saam Barati.
1194         
1195         ScopedArguments overflow storage sits at the end of the ScopedArguments object, so we put that
1196         object into the JSValue gigacage.
1197
1198         * dfg/DFGSpeculativeJIT.cpp:
1199         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1200         * ftl/FTLLowerDFGToB3.cpp:
1201         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1202         * jit/JITPropertyAccess.cpp:
1203         (JSC::JIT::emitScopedArgumentsGetByVal):
1204         * runtime/ScopedArguments.h:
1205         (JSC::ScopedArguments::subspaceFor):
1206         (JSC::ScopedArguments::overflowStorage const):
1207
1208 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1209
1210         JSLexicalEnvironment needs to be in the JSValue gigacage
1211         https://bugs.webkit.org/show_bug.cgi?id=174922
1212
1213         Reviewed by Michael Saboff.
1214         
1215         We can sorta random access the JSLexicalEnvironment. So, we put it in the JSValue gigacage and make
1216         the only random accesses use pointer caging.
1217         
1218         We don't need to do anything to normal lexical environment accesses.
1219
1220         * dfg/DFGSpeculativeJIT.cpp:
1221         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1222         * ftl/FTLLowerDFGToB3.cpp:
1223         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1224         * runtime/JSEnvironmentRecord.h:
1225         (JSC::JSEnvironmentRecord::subspaceFor):
1226         (JSC::JSEnvironmentRecord::variables):
1227
1228 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1229
1230         DirectArguments should be in the JSValue gigacage
1231         https://bugs.webkit.org/show_bug.cgi?id=174920
1232
1233         Reviewed by Michael Saboff.
1234         
1235         This puts DirectArguments in a new subspace for cells that want to be in the JSValue gigacage. All
1236         indexed accesses to DirectArguments now do caging. get_from_arguments/put_to_arguments are exempted
1237         because they always operate on a DirectArguments that is pointed to directly from the stack, they are
1238         required to use fixed offsets, and you can only store JSValues.
1239
1240         * dfg/DFGSpeculativeJIT.cpp:
1241         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1242         * ftl/FTLLowerDFGToB3.cpp:
1243         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1244         * jit/JITPropertyAccess.cpp:
1245         (JSC::JIT::emitDirectArgumentsGetByVal):
1246         * runtime/DirectArguments.h:
1247         (JSC::DirectArguments::subspaceFor):
1248         (JSC::DirectArguments::storage):
1249         * runtime/VM.cpp:
1250         (JSC::VM::VM):
1251         * runtime/VM.h:
1252
1253 2017-08-11  Filip Pizlo  <fpizlo@apple.com>
1254
1255         Unreviewed, add a FIXME.
1256
1257         * ftl/FTLLowerDFGToB3.cpp:
1258         (JSC::FTL::DFG::LowerDFGToB3::caged):
1259
1260 2017-08-10  Sam Weinig  <sam@webkit.org>
1261
1262         WTF::Function does not allow for reference / non-default constructible return types
1263         https://bugs.webkit.org/show_bug.cgi?id=175244
1264
1265         Reviewed by Chris Dumez.
1266
1267         * runtime/ArrayBuffer.cpp:
1268         (JSC::ArrayBufferContents::transferTo):
1269         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1270         destroy call needed to be a no-op anyway, since the data is being moved.
1271
1272 2017-08-11  Mark Lam  <mark.lam@apple.com>
1273
1274         Gardening: fix CLoop build.
1275         https://bugs.webkit.org/show_bug.cgi?id=175446
1276         <rdar://problem/33836545>
1277
1278         Not reviewed.
1279
1280         * assembler/MacroAssemblerPrinter.cpp:
1281
1282 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1283
1284         DFG should do caging
1285         https://bugs.webkit.org/show_bug.cgi?id=174918
1286
1287         Reviewed by Saam Barati.
1288         
1289         Adds the appropriate cage() calls to the DFG, including a cageTypedArrayStorage() helper that does
1290         the conditional caging with a watchpoint.
1291         
1292         This might be a 1% SunSpider slow-down, but it's not clear.
1293
1294         * dfg/DFGSpeculativeJIT.cpp:
1295         (JSC::DFG::SpeculativeJIT::cageTypedArrayStorage):
1296         (JSC::DFG::SpeculativeJIT::compileGetIndexedPropertyStorage):
1297         (JSC::DFG::SpeculativeJIT::compileGetTypedArrayByteOffset):
1298         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1299         (JSC::DFG::SpeculativeJIT::compileSpread):
1300         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1301         (JSC::DFG::SpeculativeJIT::compileArraySlice):
1302         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
1303         * dfg/DFGSpeculativeJIT.h:
1304         * dfg/DFGSpeculativeJIT64.cpp:
1305         (JSC::DFG::SpeculativeJIT::compile):
1306
1307 2017-08-11  Yusuke Suzuki  <utatane.tea@gmail.com>
1308
1309         Unreviewed, build fix for x86 GTK port
1310         https://bugs.webkit.org/show_bug.cgi?id=175446
1311
1312         Use pushfl/popfl instead of pushfd/popfd.
1313
1314         * assembler/MacroAssemblerX86Common.cpp:
1315
1316 2017-08-10  Mark Lam  <mark.lam@apple.com>
1317
1318         Make the MASM_PROBE mechanism mandatory for DFG and FTL builds.
1319         https://bugs.webkit.org/show_bug.cgi?id=175446
1320         <rdar://problem/33836545>
1321
1322         Reviewed by Saam Barati.
1323
1324         * assembler/AbstractMacroAssembler.h:
1325         * assembler/MacroAssembler.cpp:
1326         (JSC::MacroAssembler::probe):
1327         * assembler/MacroAssembler.h:
1328         * assembler/MacroAssemblerARM.cpp:
1329         (JSC::MacroAssembler::probe):
1330         * assembler/MacroAssemblerARM.h:
1331         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
1332         * assembler/MacroAssemblerARM64.cpp:
1333         (JSC::MacroAssembler::probe):
1334         * assembler/MacroAssemblerARMv7.cpp:
1335         (JSC::MacroAssembler::probe):
1336         * assembler/MacroAssemblerARMv7.h:
1337         (JSC::MacroAssemblerARMv7::trustedImm32FromPtr):
1338         * assembler/MacroAssemblerPrinter.cpp:
1339         * assembler/MacroAssemblerPrinter.h:
1340         * assembler/MacroAssemblerX86Common.cpp:
1341         * assembler/testmasm.cpp:
1342         (JSC::isSpecialGPR):
1343         (JSC::testProbeModifiesProgramCounter):
1344         (JSC::run):
1345         * b3/B3LowerToAir.cpp:
1346         (JSC::B3::Air::LowerToAir::print):
1347         * b3/air/AirPrintSpecial.cpp:
1348         * b3/air/AirPrintSpecial.h:
1349
1350 2017-08-10  Mark Lam  <mark.lam@apple.com>
1351
1352         Apply the UNLIKELY macro to some unlikely things.
1353         https://bugs.webkit.org/show_bug.cgi?id=175440
1354         <rdar://problem/33834767>
1355
1356         Reviewed by Yusuke Suzuki.
1357
1358         * bytecode/CodeBlock.cpp:
1359         (JSC::CodeBlock::~CodeBlock):
1360         (JSC::CodeBlock::jettison):
1361         * dfg/DFGByteCodeParser.cpp:
1362         (JSC::DFG::ByteCodeParser::handleCall):
1363         (JSC::DFG::ByteCodeParser::handleVarargsCall):
1364         (JSC::DFG::ByteCodeParser::handleGetById):
1365         (JSC::DFG::ByteCodeParser::handlePutById):
1366         (JSC::DFG::ByteCodeParser::parseBlock):
1367         (JSC::DFG::ByteCodeParser::parseCodeBlock):
1368         * dfg/DFGJITCompiler.cpp:
1369         (JSC::DFG::JITCompiler::JITCompiler):
1370         (JSC::DFG::JITCompiler::linkOSRExits):
1371         (JSC::DFG::JITCompiler::link):
1372         (JSC::DFG::JITCompiler::disassemble):
1373         * dfg/DFGJITFinalizer.cpp:
1374         (JSC::DFG::JITFinalizer::finalizeCommon):
1375         * dfg/DFGOSRExit.cpp:
1376         (JSC::DFG::OSRExit::compileOSRExit):
1377         * dfg/DFGPlan.cpp:
1378         (JSC::DFG::Plan::Plan):
1379         * ftl/FTLJITFinalizer.cpp:
1380         (JSC::FTL::JITFinalizer::finalizeCommon):
1381         * ftl/FTLLink.cpp:
1382         (JSC::FTL::link):
1383         * ftl/FTLOSRExitCompiler.cpp:
1384         (JSC::FTL::compileStub):
1385         * jit/JIT.cpp:
1386         (JSC::JIT::privateCompileMainPass):
1387         (JSC::JIT::compileWithoutLinking):
1388         (JSC::JIT::link):
1389         * runtime/ScriptExecutable.cpp:
1390         (JSC::ScriptExecutable::installCode):
1391         * runtime/VM.cpp:
1392         (JSC::VM::VM):
1393
1394 2017-08-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1395
1396         [WTF] ThreadSpecific should not introduce additional indirection
1397         https://bugs.webkit.org/show_bug.cgi?id=175187
1398
1399         Reviewed by Mark Lam.
1400
1401         * runtime/Identifier.cpp:
1402
1403 2017-08-10  Tim Horton  <timothy_horton@apple.com>
1404
1405         Remove some unused lambda captures so that WebKit builds with -Wunused-lambda-capture
1406         https://bugs.webkit.org/show_bug.cgi?id=175436
1407         <rdar://problem/33667497>
1408
1409         Reviewed by Simon Fraser.
1410
1411         * interpreter/Interpreter.cpp:
1412         (JSC::Interpreter::Interpreter):
1413
1414 2017-08-10  Michael Catanzaro  <mcatanzaro@igalia.com>
1415
1416         Remove ENABLE_GAMEPAD_DEPRECATED
1417         https://bugs.webkit.org/show_bug.cgi?id=175361
1418
1419         Reviewed by Carlos Garcia Campos.
1420
1421         * Configurations/FeatureDefines.xcconfig:
1422
1423 2017-08-09  Caio Lima  <ticaiolima@gmail.com>
1424
1425         [JSC] Create JSSet constructor that accepts its size as a parameter
1426         https://bugs.webkit.org/show_bug.cgi?id=173297
1427
1428         Reviewed by Saam Barati.
1429
1430         This patch is adding a new constructor to JSSet that gives its
1431         expected initial size. It is important to avoid re-hashing and multiple
1432         allocations when we know the final size of JSSet, such as in
1433         CodeBlock::setConstantIdentifierSetRegisters.
1434
1435         * bytecode/CodeBlock.cpp:
1436         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1437         * runtime/HashMapImpl.h:
1438         (JSC::HashMapImpl::HashMapImpl):
1439         * runtime/JSSet.h:
1440
1441 2017-08-09  Commit Queue  <commit-queue@webkit.org>
1442
1443         Unreviewed, rolling out r220466, r220477, and r220487.
1444         https://bugs.webkit.org/show_bug.cgi?id=175411
1445
1446         This change broke existing API tests and follow up fixes did
1447         not resolve all the issues. (Requested by ryanhaddad on
1448         #webkit).
1449
1450         Reverted changesets:
1451
1452         https://bugs.webkit.org/show_bug.cgi?id=175244
1453         http://trac.webkit.org/changeset/220466
1454
1455         "WTF::Function does not allow for reference / non-default
1456         constructible return types"
1457         https://bugs.webkit.org/show_bug.cgi?id=175244
1458         http://trac.webkit.org/changeset/220477
1459
1460         https://bugs.webkit.org/show_bug.cgi?id=175244
1461         http://trac.webkit.org/changeset/220487
1462
1463 2017-08-09  Caitlin Potter  <caitp@igalia.com>
1464
1465         Early error on ANY operator before new.target
1466         https://bugs.webkit.org/show_bug.cgi?id=157970
1467
1468         Reviewed by Saam Barati.
1469
1470         Instead of throwing if any unary operator precedes new.target, only
1471         throw if the unary operator updates the reference.
1472
1473         The following become legal in JSC:
1474
1475         ```
1476         !new.target
1477         ~new.target
1478         typeof new.target
1479         delete new.target
1480         void new.target
1481         ```
1482
1483         All of which are legal in v8 and SpiderMonkey in strict and sloppy mode
1484
1485         * parser/Parser.cpp:
1486         (JSC::Parser<LexerType>::parseUnaryExpression):
1487
1488 2017-08-09  Sam Weinig  <sam@webkit.org>
1489
1490         WTF::Function does not allow for reference / non-default constructible return types
1491         https://bugs.webkit.org/show_bug.cgi?id=175244
1492
1493         Reviewed by Chris Dumez.
1494
1495         * runtime/ArrayBuffer.cpp:
1496         (JSC::ArrayBufferContents::transferTo):
1497         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1498         destroy call needed to be a no-op anyway, since the data is being moved.
1499
1500 2017-08-09  Wenson Hsieh  <wenson_hsieh@apple.com>
1501
1502         [iOS DnD] ENABLE_DRAG_SUPPORT should be turned off for iOS 10 and enabled by default
1503         https://bugs.webkit.org/show_bug.cgi?id=175392
1504         <rdar://problem/33783207>
1505
1506         Reviewed by Tim Horton and Megan Gardner.
1507
1508         Tweak FeatureDefines to enable drag and drop by default, and disable only on unsupported platforms (i.e. iOS 10).
1509
1510         * Configurations/FeatureDefines.xcconfig:
1511
1512 2017-08-09  Robin Morisset  <rmorisset@apple.com>
1513
1514         Make JSC_validateExceptionChecks=1 succeed on JSTests/stress/v8-deltablue-strict.js.
1515         https://bugs.webkit.org/show_bug.cgi?id=175358
1516
1517         Reviewed by Mark Lam.
1518
1519         * jit/JITOperations.cpp:
1520         * runtime/JSObjectInlines.h:
1521         (JSC::JSObject::putInlineForJSObject):
1522
1523 2017-08-09  Ryan Haddad  <ryanhaddad@apple.com>
1524
1525         Unreviewed, rolling out r220457.
1526
1527         This change introduced API test failures.
1528
1529         Reverted changeset:
1530
1531         "WTF::Function does not allow for reference / non-default
1532         constructible return types"
1533         https://bugs.webkit.org/show_bug.cgi?id=175244
1534         http://trac.webkit.org/changeset/220457
1535
1536 2017-08-09  Sam Weinig  <sam@webkit.org>
1537
1538         WTF::Function does not allow for reference / non-default constructible return types
1539         https://bugs.webkit.org/show_bug.cgi?id=175244
1540
1541         Reviewed by Chris Dumez.
1542
1543         * runtime/ArrayBuffer.cpp:
1544         (JSC::ArrayBufferContents::transferTo):
1545         Call reset(), rather than clear() to avoid the call to destroy() in clear(). The
1546         destroy call needed to be a no-op anyway, since the data is being moved.
1547
1548 2017-08-09  Oleksandr Skachkov  <gskachkov@gmail.com>
1549
1550         REGRESSION: 2 test262/test/language/statements/async-function failures
1551         https://bugs.webkit.org/show_bug.cgi?id=175334
1552
1553         Reviewed by Yusuke Suzuki.
1554
1555         Switch off useAsyncIterator by default
1556
1557         * runtime/Options.h:
1558
1559 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1560
1561         ICs should do caging
1562         https://bugs.webkit.org/show_bug.cgi?id=175295
1563
1564         Reviewed by Saam Barati.
1565         
1566         Adds the appropriate cage() calls in our inline caches.
1567
1568         * bytecode/AccessCase.cpp:
1569         (JSC::AccessCase::generateImpl):
1570         * bytecode/InlineAccess.cpp:
1571         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1572         (JSC::InlineAccess::generateSelfPropertyAccess):
1573         (JSC::InlineAccess::generateSelfPropertyReplace):
1574         (JSC::InlineAccess::generateArrayLength):
1575
1576 2017-08-08  Devin Rousso  <drousso@apple.com>
1577
1578         Web Inspector: Canvas: support editing WebGL shaders
1579         https://bugs.webkit.org/show_bug.cgi?id=124211
1580         <rdar://problem/15448958>
1581
1582         Reviewed by Matt Baker.
1583
1584         * inspector/protocol/Canvas.json:
1585         Add `updateShader` command that will change the given shader's source to the provided string,
1586         recompile, and relink it to its associated program.
1587         Drive-by: add description to `requestShaderSource` command.
1588
1589 2017-08-08  Robin Morisset  <rmorisset@apple.com>
1590
1591         Make JSC_validateExceptionChecks=1 succeed on JSTests/slowMicrobenchmarks/spread-small-array.js.
1592         https://bugs.webkit.org/show_bug.cgi?id=175347
1593
1594         Reviewed by Saam Barati.
1595
1596         This is done by making finishCreation explicitly check for exceptions after setConstantRegister and setConstantIdentifiersSetRegisters.
1597         I chose to have this check replace the boolean returned previously by these functions for readability. The performance impact should be
1598         negligible considering how much more finishCreation does.
1599         This fix then caused another issue to appear as it was now clear that finishCreation can throw. And since it is called by ProgramCodeBlock::create(),
1600         FunctionCodeBlock::create() and friends, that are in turn called by ScriptExecutable::newCodeBlockFor, this last function also required a few tweaks.
1601
1602         * bytecode/CodeBlock.cpp:
1603         (JSC::CodeBlock::finishCreation):
1604         (JSC::CodeBlock::setConstantIdentifierSetRegisters):
1605         (JSC::CodeBlock::setConstantRegisters):
1606         * bytecode/CodeBlock.h:
1607         * runtime/ScriptExecutable.cpp:
1608         (JSC::ScriptExecutable::newCodeBlockFor):
1609
1610 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1611
1612         Unreviewed, fix Ubuntu LTS build
1613         https://bugs.webkit.org/show_bug.cgi?id=174490
1614
1615         * inspector/remote/glib/RemoteInspectorGlib.cpp:
1616         * inspector/remote/glib/RemoteInspectorServer.cpp:
1617
1618 2017-08-08  Filip Pizlo  <fpizlo@apple.com>
1619
1620         Baseline JIT should do caging
1621         https://bugs.webkit.org/show_bug.cgi?id=175037
1622
1623         Reviewed by Mark Lam.
1624         
1625         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
1626         
1627         Also modifies FTL caging to be more defensive when caging is disabled.
1628         
1629         Relanded with fixed AssemblyHelpers::cageConditionally().
1630
1631         * bytecode/AccessCase.cpp:
1632         (JSC::AccessCase::generateImpl):
1633         * bytecode/InlineAccess.cpp:
1634         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1635         (JSC::InlineAccess::generateSelfPropertyAccess):
1636         (JSC::InlineAccess::generateSelfPropertyReplace):
1637         (JSC::InlineAccess::generateArrayLength):
1638         * ftl/FTLLowerDFGToB3.cpp:
1639         (JSC::FTL::DFG::LowerDFGToB3::caged):
1640         * jit/AssemblyHelpers.h:
1641         (JSC::AssemblyHelpers::cage):
1642         (JSC::AssemblyHelpers::cageConditionally):
1643         * jit/JITPropertyAccess.cpp:
1644         (JSC::JIT::emitDoubleLoad):
1645         (JSC::JIT::emitContiguousLoad):
1646         (JSC::JIT::emitArrayStorageLoad):
1647         (JSC::JIT::emitGenericContiguousPutByVal):
1648         (JSC::JIT::emitArrayStoragePutByVal):
1649         (JSC::JIT::emit_op_get_from_scope):
1650         (JSC::JIT::emit_op_put_to_scope):
1651         (JSC::JIT::emitIntTypedArrayGetByVal):
1652         (JSC::JIT::emitFloatTypedArrayGetByVal):
1653         (JSC::JIT::emitIntTypedArrayPutByVal):
1654         (JSC::JIT::emitFloatTypedArrayPutByVal):
1655         * jsc.cpp:
1656         (jscmain):
1657         (primitiveGigacageDisabled): Deleted.
1658
1659 2017-08-08  Ryan Haddad  <ryanhaddad@apple.com>
1660
1661         Unreviewed, rolling out r220368.
1662
1663         This change caused WK1 tests to exit early with crashes.
1664
1665         Reverted changeset:
1666
1667         "Baseline JIT should do caging"
1668         https://bugs.webkit.org/show_bug.cgi?id=175037
1669         http://trac.webkit.org/changeset/220368
1670
1671 2017-08-08  Michael Catanzaro  <mcatanzaro@igalia.com>
1672
1673         [CMake] Properly test if compiler supports compiler flags
1674         https://bugs.webkit.org/show_bug.cgi?id=174490
1675
1676         Reviewed by Konstantin Tokarev.
1677
1678         * API/tests/PingPongStackOverflowTest.cpp:
1679         (testPingPongStackOverflow):
1680         * API/tests/testapi.c:
1681         * b3/testb3.cpp:
1682         (JSC::B3::testPatchpointLotsOfLateAnys):
1683
1684 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
1685
1686         [Linux] Clear WasmMemory with madvise instead of memset
1687         https://bugs.webkit.org/show_bug.cgi?id=175150
1688
1689         Reviewed by Filip Pizlo.
1690
1691         On Linux, zeroing pages with memset populates the backing store.
1692         Instead, we should use madvise with MADV_DONTNEED. It discards the
1693         pages, and if you access these pages again, zero pages will be
1694         provided on demand.
1695
1696         We also commit grown pages in all OSes.
1697
1698         * wasm/WasmMemory.cpp:
1699         (JSC::Wasm::commitZeroPages):
1700         (JSC::Wasm::Memory::create):
1701         (JSC::Wasm::Memory::grow):
1702
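The zeroing strategy described in the entry above, as an added C example that is not part of WebKit's WasmMemory code: it reserves a range with PROT_NONE, commits part of it with mprotect (the "commit grown pages" step), dirties it, and then zeroes it with madvise(MADV_DONTNEED) on Linux, falling back to memset elsewhere. The function and variable names are the example's own. The guard encodes the caveat a practitioner needs: zero-fill on next access is what Linux promises for private anonymous mappings; shared or file-backed mappings are repopulated from their backing object instead, and other systems make no zeroing promise for MADV_DONTNEED, so the memset fallback stays in place.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Zero a page-aligned range of a private anonymous mapping.
 * On Linux, madvise(MADV_DONTNEED) discards the pages instead of writing them:
 * the next access faults in fresh zero-filled pages on demand, so no backing
 * store is populated. Elsewhere (or if madvise fails) fall back to memset.
 * Returns 0 when the madvise path was taken and 1 when it fell back to memset. */
static int zero_pages(void* base, size_t len)
{
#if defined(__linux__)
    if (madvise(base, len, MADV_DONTNEED) == 0)
        return 0;
#endif
    memset(base, 0, len);
    return 1;
}

/* Returns 1 if every byte in [p, p + len) is zero. */
static int all_bytes_zero(const unsigned char* p, size_t len)
{
    for (size_t i = 0; i < len; ++i) {
        if (p[i])
            return 0;
    }
    return 1;
}

/* Models Memory::create()/grow() as the entry describes them: reserve address
 * space with PROT_NONE, commit the grown range by making it accessible (done on
 * every OS), dirty it, then zero it. Returns 1 when the committed range reads
 * back as all zeroes. */
int grow_and_zero_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0)
        return 0;
    size_t reserved = (size_t)page * 8;   /* whole reservation */
    size_t committed = (size_t)page * 3;  /* the part "grown" into */

    unsigned char* base = mmap(NULL, reserved, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return 0;

    int ok = 0;
    if (mprotect(base, committed, PROT_READ | PROT_WRITE) == 0) {
        memset(base, 0xAB, committed);    /* constructed dirty contents */
        zero_pages(base, committed);
        ok = all_bytes_zero(base, committed);
    }
    munmap(base, reserved);
    return ok;
}
```

Because madvise works on whole pages, both the address and the length handed to zero_pages must be page-aligned; the demo guarantees this by sizing everything in multiples of sysconf(_SC_PAGESIZE).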
1703 2017-08-07  Robin Morisset  <rmorisset@apple.com>
1704
1705         GetOwnProperty of TypedArray indexed fields is wrongly configurable
1706         https://bugs.webkit.org/show_bug.cgi?id=175307
1707
1708         Reviewed by Saam Barati.
1709
1710         ```
1711         let a = new Uint8Array(10);
1712         let b = Object.getOwnPropertyDescriptor(a, 0);
1713         assert(b.configurable === false);
1714         ```
1715         should not fail, per section 9.4.5.1 (https://tc39.github.io/ecma262/#sec-integer-indexed-exotic-objects-getownproperty-p),
1716         which applies to integer indexed exotic objects, and section 22.2.7 (https://tc39.github.io/ecma262/#sec-properties-of-typedarray-instances),
1717         which says that typed arrays are integer indexed exotic objects.
1718
1719         * runtime/JSGenericTypedArrayViewInlines.h:
1720         (JSC::JSGenericTypedArrayView<Adaptor>::getOwnPropertySlotByIndex):
1721
1722 2017-08-07  Filip Pizlo  <fpizlo@apple.com>
1723
1724         Baseline JIT should do caging
1725         https://bugs.webkit.org/show_bug.cgi?id=175037
1726
1727         Reviewed by Mark Lam.
1728         
1729         Adds an AssemblyHelpers::cage and cageConditionally. Uses them in the baseline JIT.
1730         
1731         Also modifies FTL caging to be more defensive when caging is disabled.
1732
1733         * ftl/FTLLowerDFGToB3.cpp:
1734         (JSC::FTL::DFG::LowerDFGToB3::caged):
1735         * jit/AssemblyHelpers.h:
1736         (JSC::AssemblyHelpers::cage):
1737         (JSC::AssemblyHelpers::cageConditionally):
1738         * jit/JITPropertyAccess.cpp:
1739         (JSC::JIT::emitDoubleLoad):
1740         (JSC::JIT::emitContiguousLoad):
1741         (JSC::JIT::emitArrayStorageLoad):
1742         (JSC::JIT::emitGenericContiguousPutByVal):
1743         (JSC::JIT::emitArrayStoragePutByVal):
1744         (JSC::JIT::emit_op_get_from_scope):
1745         (JSC::JIT::emit_op_put_to_scope):
1746         (JSC::JIT::emitIntTypedArrayGetByVal):
1747         (JSC::JIT::emitFloatTypedArrayGetByVal):
1748         (JSC::JIT::emitIntTypedArrayPutByVal):
1749         (JSC::JIT::emitFloatTypedArrayPutByVal):
1750         * jsc.cpp:
1751         (jscmain):
1752         (primitiveGigacageDisabled): Deleted.
1753
1754 2017-08-06  Filip Pizlo  <fpizlo@apple.com>
1755
1756         Primitive auxiliaries and JSValue auxiliaries should have separate gigacages
1757         https://bugs.webkit.org/show_bug.cgi?id=174919
1758
1759         Reviewed by Keith Miller.
1760         
1761         This adapts JSC to there being two gigacages.
1762         
1763         To make matters simpler, this turns AlignedMemoryAllocators into per-VM instances rather than
1764         singletons. I don't think we were gaining anything by making them be singletons.
1765         
1766         This makes it easy to teach GigacageAlignedMemoryAllocator that there are multiple kinds of
1767         gigacages. We'll have one of those allocators per cage.
1768         
1769         From there, this change teaches everyone who previously knew about cages that there are two cages.
1770         This means having to specify either Gigacage::Primitive or Gigacage::JSValue. In most places, this is
1771         easy: typed arrays are Primitive and butterflies are JSValue. But there are a few places where it's
1772         not so obvious, so this change introduces some helpers to make it easy to define what cage you want
1773         to use in one place and refer to it abstractly. We do this in DirectArguments and GenericArguments.h
1774         
1775         A lot of the magic of this change is due to CagedBarrierPtr, which combines AuxiliaryBarrier and
1776         CagedPtr. This removes one layer of "get()" calls from a bunch of places.
1777
1778         * JavaScriptCore.xcodeproj/project.pbxproj:
1779         * bytecode/AccessCase.cpp:
1780         (JSC::AccessCase::generateImpl):
1781         * dfg/DFGSpeculativeJIT.cpp:
1782         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
1783         (JSC::DFG::SpeculativeJIT::compileAllocatePropertyStorage):
1784         (JSC::DFG::SpeculativeJIT::compileReallocatePropertyStorage):
1785         (JSC::DFG::SpeculativeJIT::compileNewTypedArray):
1786         (JSC::DFG::SpeculativeJIT::emitAllocateButterfly):
1787         * ftl/FTLLowerDFGToB3.cpp:
1788         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
1789         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
1790         (JSC::FTL::DFG::LowerDFGToB3::compileNewTypedArray):
1791         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1792         (JSC::FTL::DFG::LowerDFGToB3::compileMaterializeNewObject):
1793         (JSC::FTL::DFG::LowerDFGToB3::allocatePropertyStorageWithSizeImpl):
1794         (JSC::FTL::DFG::LowerDFGToB3::allocateJSArray):
1795         (JSC::FTL::DFG::LowerDFGToB3::caged):
1796         * heap/FastMallocAlignedMemoryAllocator.cpp:
1797         (JSC::FastMallocAlignedMemoryAllocator::instance): Deleted.
1798         * heap/FastMallocAlignedMemoryAllocator.h:
1799         * heap/GigacageAlignedMemoryAllocator.cpp:
1800         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
1801         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
1802         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
1803         (JSC::GigacageAlignedMemoryAllocator::dump const):
1804         (JSC::GigacageAlignedMemoryAllocator::instance): Deleted.
1805         * heap/GigacageAlignedMemoryAllocator.h:
1806         * jsc.cpp:
1807         (primitiveGigacageDisabled):
1808         (jscmain):
1809         (gigacageDisabled): Deleted.
1810         * llint/LowLevelInterpreter64.asm:
1811         * runtime/ArrayBuffer.cpp:
1812         (JSC::ArrayBufferContents::tryAllocate):
1813         (JSC::ArrayBuffer::createAdopted):
1814         (JSC::ArrayBuffer::createFromBytes):
1815         * runtime/AuxiliaryBarrier.h:
1816         * runtime/ButterflyInlines.h:
1817         (JSC::Butterfly::createUninitialized):
1818         (JSC::Butterfly::tryCreate):
1819         (JSC::Butterfly::growArrayRight):
1820         * runtime/CagedBarrierPtr.h: Added.
1821         (JSC::CagedBarrierPtr::CagedBarrierPtr):
1822         (JSC::CagedBarrierPtr::clear):
1823         (JSC::CagedBarrierPtr::set):
1824         (JSC::CagedBarrierPtr::get const):
1825         (JSC::CagedBarrierPtr::getMayBeNull const):
1826         (JSC::CagedBarrierPtr::operator== const):
1827         (JSC::CagedBarrierPtr::operator!= const):
1828         (JSC::CagedBarrierPtr::operator bool const):
1829         (JSC::CagedBarrierPtr::setWithoutBarrier):
1830         (JSC::CagedBarrierPtr::operator* const):
1831         (JSC::CagedBarrierPtr::operator-> const):
1832         (JSC::CagedBarrierPtr::operator[] const):
1833         * runtime/DirectArguments.cpp:
1834         (JSC::DirectArguments::overrideThings):
1835         (JSC::DirectArguments::unmapArgument):
1836         * runtime/DirectArguments.h:
1837         (JSC::DirectArguments::isMappedArgument const):
1838         * runtime/GenericArguments.h:
1839         * runtime/GenericArgumentsInlines.h:
1840         (JSC::GenericArguments<Type>::initModifiedArgumentsDescriptor):
1841         (JSC::GenericArguments<Type>::setModifiedArgumentDescriptor):
1842         (JSC::GenericArguments<Type>::isModifiedArgumentDescriptor):
1843         * runtime/HashMapImpl.cpp:
1844         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1845         * runtime/HashMapImpl.h:
1846         (JSC::HashMapBuffer::create):
1847         (JSC::HashMapImpl::buffer const):
1848         (JSC::HashMapImpl::rehash):
1849         * runtime/JSArray.cpp:
1850         (JSC::JSArray::tryCreateUninitializedRestricted):
1851         (JSC::JSArray::unshiftCountSlowCase):
1852         (JSC::JSArray::setLength):
1853         (JSC::JSArray::pop):
1854         (JSC::JSArray::push):
1855         (JSC::JSArray::fastSlice):
1856         (JSC::JSArray::shiftCountWithArrayStorage):
1857         (JSC::JSArray::shiftCountWithAnyIndexingType):
1858         (JSC::JSArray::unshiftCountWithAnyIndexingType):
1859         (JSC::JSArray::fillArgList):
1860         (JSC::JSArray::copyToArguments):
1861         * runtime/JSArray.h:
1862         (JSC::JSArray::tryCreate):
1863         * runtime/JSArrayBufferView.cpp:
1864         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
1865         (JSC::JSArrayBufferView::finalize):
1866         * runtime/JSLock.cpp:
1867         (JSC::JSLock::didAcquireLock):
1868         * runtime/JSObject.cpp:
1869         (JSC::JSObject::heapSnapshot):
1870         (JSC::JSObject::getOwnPropertySlotByIndex):
1871         (JSC::JSObject::putByIndex):
1872         (JSC::JSObject::enterDictionaryIndexingMode):
1873         (JSC::JSObject::createInitialIndexedStorage):
1874         (JSC::JSObject::createArrayStorage):
1875         (JSC::JSObject::convertUndecidedToInt32):
1876         (JSC::JSObject::convertUndecidedToDouble):
1877         (JSC::JSObject::convertUndecidedToContiguous):
1878         (JSC::JSObject::constructConvertedArrayStorageWithoutCopyingElements):
1879         (JSC::JSObject::convertUndecidedToArrayStorage):
1880         (JSC::JSObject::convertInt32ToDouble):
1881         (JSC::JSObject::convertInt32ToContiguous):
1882         (JSC::JSObject::convertInt32ToArrayStorage):
1883         (JSC::JSObject::convertDoubleToContiguous):
1884         (JSC::JSObject::convertDoubleToArrayStorage):
1885         (JSC::JSObject::convertContiguousToArrayStorage):
1886         (JSC::JSObject::setIndexQuicklyToUndecided):
1887         (JSC::JSObject::ensureArrayStorageExistsAndEnterDictionaryIndexingMode):
1888         (JSC::JSObject::deletePropertyByIndex):
1889         (JSC::JSObject::getOwnPropertyNames):
1890         (JSC::JSObject::putIndexedDescriptor):
1891         (JSC::JSObject::defineOwnIndexedProperty):
1892         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
1893         (JSC::JSObject::putDirectIndexSlowOrBeyondVectorLength):
1894         (JSC::JSObject::getNewVectorLength):
1895         (JSC::JSObject::ensureLengthSlow):
1896         (JSC::JSObject::reallocateAndShrinkButterfly):
1897         (JSC::JSObject::allocateMoreOutOfLineStorage):
1898         (JSC::JSObject::getEnumerableLength):
1899         * runtime/JSObject.h:
1900         (JSC::JSObject::getArrayLength const):
1901         (JSC::JSObject::getVectorLength):
1902         (JSC::JSObject::putDirectIndex):
1903         (JSC::JSObject::canGetIndexQuickly):
1904         (JSC::JSObject::getIndexQuickly):
1905         (JSC::JSObject::tryGetIndexQuickly const):
1906         (JSC::JSObject::canSetIndexQuickly):
1907         (JSC::JSObject::setIndexQuickly):
1908         (JSC::JSObject::initializeIndex):
1909         (JSC::JSObject::initializeIndexWithoutBarrier):
1910         (JSC::JSObject::hasSparseMap):
1911         (JSC::JSObject::inSparseIndexingMode):
1912         (JSC::JSObject::butterfly const):
1913         (JSC::JSObject::butterfly):
1914         (JSC::JSObject::outOfLineStorage const):
1915         (JSC::JSObject::outOfLineStorage):
1916         (JSC::JSObject::ensureInt32):
1917         (JSC::JSObject::ensureDouble):
1918         (JSC::JSObject::ensureContiguous):
1919         (JSC::JSObject::ensureArrayStorage):
1920         (JSC::JSObject::arrayStorage):
1921         (JSC::JSObject::arrayStorageOrNull):
1922         (JSC::JSObject::ensureLength):
1923         * runtime/RegExpMatchesArray.h:
1924         (JSC::tryCreateUninitializedRegExpMatchesArray):
1925         * runtime/VM.cpp:
1926         (JSC::VM::VM):
1927         (JSC::VM::~VM):
1928         (JSC::VM::primitiveGigacageDisabledCallback):
1929         (JSC::VM::primitiveGigacageDisabled):
1930         (JSC::VM::gigacageDisabledCallback): Deleted.
1931         (JSC::VM::gigacageDisabled): Deleted.
1932         * runtime/VM.h:
1933         (JSC::VM::gigacageAuxiliarySpace):
1934         (JSC::VM::firePrimitiveGigacageEnabledIfNecessary):
1935         (JSC::VM::primitiveGigacageEnabled):
1936         (JSC::VM::fireGigacageEnabledIfNecessary): Deleted.
1937         (JSC::VM::gigacageEnabled): Deleted.
1938         * wasm/WasmMemory.cpp:
1939         (JSC::Wasm::Memory::create):
1940         (JSC::Wasm::Memory::~Memory):
1941         (JSC::Wasm::Memory::grow):
1942
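A simplified model of what the cage() and cageConditionally() calls added in the "ICs should do caging", "Baseline JIT should do caging" and two-gigacage entries above are for, written as an added C example. It is not JSC's Gigacage or AssemblyHelpers code, and the cage layout it assumes (a power-of-two-sized region whose base is aligned to its size, so caging keeps a pointer's offset bits and replaces the high bits with the cage base) is the example's own assumption, as are all names in it. It keeps two cages, Primitive and JSValue, as the entry describes, and shows why the conditional form matters when a cage is disabled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cage model (not JSC's): a size-aligned, power-of-two region. */
typedef enum { CageKindPrimitive = 0, CageKindJSValue = 1, CageKindCount = 2 } CageKind;

typedef struct {
    uintptr_t base; /* aligned region start; 0 means this cage is disabled */
    uintptr_t mask; /* region size - 1 */
} Cage;

static Cage g_cages[CageKindCount];

/* Core arithmetic: keep the offset bits of ptr, replace the high bits with base.
 * A pointer already inside the region maps to itself; any other pointer is
 * folded back into [base, base + mask]. */
static uintptr_t cage_into(uintptr_t base, uintptr_t mask, uintptr_t ptr)
{
    return base + (ptr & mask);
}

/* Unconditional cage(): assumes the cage for `kind` is enabled. */
static uintptr_t cage_pointer(CageKind kind, uintptr_t ptr)
{
    return cage_into(g_cages[kind].base, g_cages[kind].mask, ptr);
}

/* cageConditionally(): a no-op once the cage has been disabled, so code that
 * runs with caging off does not turn valid pointers into garbage. */
static uintptr_t cage_pointer_conditionally(CageKind kind, uintptr_t ptr)
{
    if (!g_cages[kind].base)
        return ptr;
    return cage_pointer(kind, ptr);
}

static int within_cage(CageKind kind, uintptr_t ptr)
{
    const Cage* c = &g_cages[kind];
    return ptr >= c->base && ptr <= c->base + c->mask;
}

/* Demo: a butterfly pointer (JSValue cage) is overwritten to point at a buffer
 * outside the cage; after caging, the load lands inside the cage again.
 * Returns 1 when every property below holds. */
int caging_demo(void)
{
    const size_t cageSize = 4096; /* power of two; allocation aligned to it */
    unsigned char* region = aligned_alloc(cageSize, cageSize);
    unsigned char outside[16]; /* constructed stand-in for memory outside the cage */
    if (!region)
        return 0;
    memset(region, 0x11, cageSize);
    memset(outside, 0x42, sizeof outside);

    g_cages[CageKindJSValue].base = (uintptr_t)region;
    g_cages[CageKindJSValue].mask = cageSize - 1;
    g_cages[CageKindPrimitive].base = 0; /* primitive cage disabled in this demo */
    g_cages[CageKindPrimitive].mask = 0;

    uintptr_t butterfly = (uintptr_t)(region + 0x100); /* legitimate, in-cage */
    uintptr_t corrupted = (uintptr_t)outside;          /* points outside */

    int ok = 1;
    /* Valid in-cage pointers are unchanged. */
    ok &= cage_pointer(CageKindJSValue, butterfly) == butterfly;
    /* A pointer outside the cage is folded back inside it... */
    uintptr_t caged = cage_pointer(CageKindJSValue, corrupted);
    ok &= within_cage(CageKindJSValue, caged);
    /* ...so the load reads cage memory, never the outside buffer. */
    ok &= *(unsigned char*)caged == 0x11;
    /* With the cage disabled, the conditional form passes pointers through. */
    ok &= cage_pointer_conditionally(CageKindPrimitive, corrupted) == corrupted;

    free(region);
    return ok;
}
```

The property worth keeping in mind is that caging bounds where a corrupted pointer can point, not what it points at: the folded pointer still reads attacker-influenced data, just data that lives inside the same cage, which is why the entry separates Primitive (typed arrays) from JSValue (butterflies) cages rather than sharing one.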
1943 2017-08-07  Commit Queue  <commit-queue@webkit.org>
1944
1945         Unreviewed, rolling out r220144.
1946         https://bugs.webkit.org/show_bug.cgi?id=175276
1947
1948         "It did not actually speed things up in the way I expected"
1949         (Requested by saamyjoon on #webkit).
1950
1951         Reverted changeset:
1952
1953         "On memory-constrained iOS devices, reduce the rate at which
1954         the JS heap grows before a GC to try to keep more memory
1955         available for the system"
1956         https://bugs.webkit.org/show_bug.cgi?id=175041
1957         http://trac.webkit.org/changeset/220144
1958
1959 2017-08-07  Ryan Haddad  <ryanhaddad@apple.com>
1960
1961         Unreviewed, rolling out r220299.
1962
1963         This change caused LayoutTest inspector/dom-debugger/dom-
1964         breakpoints.html to fail.
1965
1966         Reverted changeset:
1967
1968         "Web Inspector: capture async stack trace when workers/main
1969         context posts a message"
1970         https://bugs.webkit.org/show_bug.cgi?id=167084
1971         http://trac.webkit.org/changeset/220299
1972
1973 2017-08-07  Brian Burg  <bburg@apple.com>
1974
1975         Remove CANVAS_PATH compilation guard
1976         https://bugs.webkit.org/show_bug.cgi?id=175207
1977
1978         Reviewed by Sam Weinig.
1979
1980         * Configurations/FeatureDefines.xcconfig:
1981
1982 2017-08-07  Keith Miller  <keith_miller@apple.com>
1983
1984         REGRESSION: wasm.yaml/wasm/js-api/dont-mmap-zero-byte-memory.js failing on JSC Debug bots
1985         https://bugs.webkit.org/show_bug.cgi?id=175256
1986
1987         Reviewed by Saam Barati.
1988
1989         The check in createFromBytes just needed to check that the buffer was not null before
1990         calling isCaged.
1991
1992         * runtime/ArrayBuffer.cpp:
1993         (JSC::ArrayBuffer::createFromBytes):
1994
1995 2017-08-05  Carlos Garcia Campos  <cgarcia@igalia.com>
1996
1997         [GTK][WPE] Add API to provide browser information required by automation
1998         https://bugs.webkit.org/show_bug.cgi?id=175130
1999
2000         Reviewed by Brian Burg.
2001
2002         Add browserName and browserVersion to RemoteInspector::Client::Capabilities and virtual methods to the Client to
2003         get them.
2004
2005         * inspector/remote/RemoteInspector.cpp:
2006         (Inspector::RemoteInspector::updateClientCapabilities): Also update browserName and browserVersion.
2007         * inspector/remote/RemoteInspector.h:
2008         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2009         (Inspector::RemoteInspector::requestAutomationSession): Call updateClientCapabilities() after the session is
2010         requested to ensure they are updated before the StartAutomationSession reply is sent.
2011         * inspector/remote/glib/RemoteInspectorServer.cpp: Add browserName and browserVersion as return values of the
2012         StartAutomationSession message.
2013
2014 2017-08-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2015
2016         Promise resolve and reject function should have length = 1
2017         https://bugs.webkit.org/show_bug.cgi?id=175242
2018
2019         Reviewed by Saam Barati.
2020
2021         Previously we had a separate system for "length" and "name" for builtin functions.
2022         The builtin functions do not use the lazy reifying system. Instead, they have direct
2023         properties set when instantiated. While the function created for properties (like
2024         Array.prototype.filter) is created by JSFunction::createBuiltin(), functions inside
2025         these builtin functions are just created by JSFunction::create(). Since it does
2026         not set any values for "length", these functions do not have a "length" property.
2027         So, the resolve and reject functions passed to Promise's executor do not have a
2028         "length" property.
2029
2030         This patch makes builtin functions use the standard lazy reifying system for "length".
2031         So, the "length" property of a builtin function just works as it does for normal
2032         functions.
2033
2034         * runtime/JSFunction.cpp:
2035         (JSC::JSFunction::createBuiltinFunction):
2036         (JSC::JSFunction::getOwnPropertySlot):
2037         (JSC::JSFunction::getOwnNonIndexPropertyNames):
2038         (JSC::JSFunction::put):
2039         (JSC::JSFunction::deleteProperty):
2040         (JSC::JSFunction::defineOwnProperty):
2041         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
2042         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
2043         (JSC::JSFunction::reifyLazyLengthIfNeeded):
2044         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
2045         (JSC::JSFunction::reifyBoundNameIfNeeded): Deleted.
2046         * runtime/JSFunction.h:
2047
2048 2017-08-06  Oleksandr Skachkov  <gskachkov@gmail.com>
2049
2050         [ESNext] Async iteration - Implement Async Generator - parser
2051         https://bugs.webkit.org/show_bug.cgi?id=175210
2052
2053         Reviewed by Yusuke Suzuki.
2054
2055         The current implementation is a draft version of Async Iteration.
2056         Link to spec: https://tc39.github.io/proposal-async-iteration/
2057
2058         The current patch implements only the parser part of the async generator.
2059         The runtime part will be in the next patches.
2060
2061         * parser/ASTBuilder.h:
2062         (JSC::ASTBuilder::createFunctionMetadata):
2063         * parser/Parser.cpp:
2064         (JSC::getAsynFunctionBodyParseMode):
2065         (JSC::Parser<LexerType>::parseInner):
2066         (JSC::Parser<LexerType>::parseAsyncFunctionSourceElements):
2067         (JSC::Parser<LexerType>::parseAsyncGeneratorFunctionSourceElements):
2068         (JSC::stringArticleForFunctionMode):
2069         (JSC::stringForFunctionMode):
2070         (JSC::Parser<LexerType>::parseFunctionInfo):
2071         (JSC::Parser<LexerType>::parseAsyncFunctionDeclaration):
2072         (JSC::Parser<LexerType>::parseClass):
2073         (JSC::Parser<LexerType>::parseProperty):
2074         (JSC::Parser<LexerType>::parsePropertyMethod):
2075         (JSC::Parser<LexerType>::parseAsyncFunctionExpression):
2076         * parser/Parser.h:
2077         (JSC::Scope::setSourceParseMode):
2078         * parser/ParserModes.h:
2079         (JSC::isFunctionParseMode):
2080         (JSC::isAsyncFunctionParseMode):
2081         (JSC::isAsyncArrowFunctionParseMode):
2082         (JSC::isAsyncGeneratorFunctionParseMode):
2083         (JSC::isAsyncFunctionOrAsyncGeneratorWrapperParseMode):
2084         (JSC::isAsyncFunctionWrapperParseMode):
2085         (JSC::isAsyncFunctionBodyParseMode):
2086         (JSC::isGeneratorMethodParseMode):
2087         (JSC::isAsyncMethodParseMode):
2088         (JSC::isAsyncGeneratorMethodParseMode):
2089         (JSC::isMethodParseMode):
2090         (JSC::isGeneratorOrAsyncFunctionBodyParseMode):
2091         (JSC::isGeneratorOrAsyncFunctionWrapperParseMode):
2092
2093 2017-08-05  Filip Pizlo  <fpizlo@apple.com>
2094
2095         REGRESSION (r219895-219897): Number of leaks on Open Source went from 9240 to 235983 and is now at 302372
2096         https://bugs.webkit.org/show_bug.cgi?id=175083
2097
2098         Reviewed by Oliver Hunt.
2099         
2100         This fixes the leak by making MarkedBlock::specializedSweep call destructors when the block is empty,
2101         even if we are using the pop path.
2102         
2103         Also, this fixes HeapCellInlines.h to no longer include MarkedBlockInlines.h. That's pretty
2104         important, since MarkedBlockInlines.h is the GC's internal guts - we don't want to have to recompile
2105         the world just because we changed it.
2106         
2107         Finally, this adds a new testing SPI for waiting for all VMs to finish destructing. This makes it
2108         easier to debug leaks.
2109
2110         * bytecode/AccessCase.cpp:
2111         * bytecode/PolymorphicAccess.cpp:
2112         * heap/HeapCell.cpp:
2113         (JSC::HeapCell::isLive):
2114         * heap/HeapCellInlines.h:
2115         (JSC::HeapCell::isLive): Deleted.
2116         * heap/MarkedAllocator.cpp:
2117         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2118         (JSC::MarkedAllocator::endMarking):
2119         * heap/MarkedBlockInlines.h:
2120         (JSC::MarkedBlock::Handle::specializedSweep):
2121         * jit/AssemblyHelpers.cpp:
2122         * jit/Repatch.cpp:
2123         * runtime/TestRunnerUtils.h:
2124         * runtime/VM.cpp:
2125         (JSC::waitForVMDestruction):
2126         (JSC::VM::~VM):
2127
2128 2017-08-05  Mark Lam  <mark.lam@apple.com>
2129
2130         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
2131         https://bugs.webkit.org/show_bug.cgi?id=175228
2132         <rdar://problem/33735737>
2133
2134         Reviewed by Saam Barati.
2135
2136         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
2137         delete OSRExit32_64.cpp.
2138
2139         * CMakeLists.txt:
2140         * JavaScriptCore.xcodeproj/project.pbxproj:
2141         * dfg/DFGOSRExit.cpp:
2142         (JSC::DFG::OSRExit::compileExit):
2143         * dfg/DFGOSRExit32_64.cpp: Removed.
2144         * jit/GPRInfo.h:
2145         (JSC::JSValueSource::payloadGPR const):
2146
2147 2017-08-04  Youenn Fablet  <youenn@apple.com>
2148
2149         [Cache API] Add Cache and CacheStorage IDL definitions
2150         https://bugs.webkit.org/show_bug.cgi?id=175201
2151
2152         Reviewed by Brady Eidson.
2153
2154         * runtime/CommonIdentifiers.h:
2155
2156 2017-08-04  Mark Lam  <mark.lam@apple.com>
2157
2158         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
2159         https://bugs.webkit.org/show_bug.cgi?id=175230
2160         <rdar://problem/33735857>
2161
2162         Reviewed by Saam Barati.
2163
2164         * assembler/testmasm.cpp:
2165         (JSC::testProbeReadsArgumentRegisters):
2166         (JSC::testProbeWritesArgumentRegisters):
2167
2168 2017-08-04  Mark Lam  <mark.lam@apple.com>
2169
2170         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
2171         https://bugs.webkit.org/show_bug.cgi?id=175214
2172         <rdar://problem/33733308>
2173
2174         Rubber-stamped by Michael Saboff.
2175
2176         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
2177         DFGOSRExitCompiler files.
2178
2179         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
2180
2181         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
2182         used by compileOSRExit(), and will be changed to not be a DFG operation function
2183         when we use JIT probes for DFG OSR exits later in
2184         https://bugs.webkit.org/show_bug.cgi?id=175144.
2185
2186         * CMakeLists.txt:
2187         * JavaScriptCore.xcodeproj/project.pbxproj:
2188         * dfg/DFGJITCompiler.cpp:
2189         * dfg/DFGOSRExit.cpp:
2190         (JSC::DFG::OSRExit::emitRestoreArguments):
2191         (JSC::DFG::OSRExit::compileOSRExit):
2192         (JSC::DFG::OSRExit::compileExit):
2193         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
2194         * dfg/DFGOSRExit.h:
2195         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
2196         * dfg/DFGOSRExitCompiler.cpp: Removed.
2197         * dfg/DFGOSRExitCompiler.h: Removed.
2198         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
2199         * dfg/DFGOSRExitCompiler64.cpp: Removed.
2200         * dfg/DFGOperations.cpp:
2201         * dfg/DFGOperations.h:
2202         * dfg/DFGThunks.cpp:
2203
2204 2017-08-04  Matt Baker  <mattbaker@apple.com>
2205
2206         Web Inspector: capture async stack trace when workers/main context posts a message
2207         https://bugs.webkit.org/show_bug.cgi?id=167084
2208         <rdar://problem/30033673>
2209
2210         Reviewed by Brian Burg.
2211
2212         * inspector/agents/InspectorDebuggerAgent.h:
2213         Add `PostMessage` async call type.
2214
2215 2017-08-04  Mark Lam  <mark.lam@apple.com>
2216
2217         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
2218         https://bugs.webkit.org/show_bug.cgi?id=175208
2219         <rdar://problem/33732402>
2220
2221         Reviewed by Saam Barati.
2222
2223         This will minimize the code diff and make it easier to review the patch for
2224         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
2225         steps:
2226
2227         1. Do the code changes to move methods into OSRExit.
2228         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
2229         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
2230
2231         Splitting this refactoring into these 3 steps also makes it easier to review this
2232         patch and understand what is being changed.
2233
2234         * dfg/DFGOSRExit.h:
2235         * dfg/DFGOSRExitCompiler.cpp:
2236         (JSC::DFG::OSRExit::emitRestoreArguments):
2237         (JSC::DFG::OSRExit::compileOSRExit):
2238         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
2239         (): Deleted.
2240         * dfg/DFGOSRExitCompiler.h:
2241         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
2242         (): Deleted.
2243         * dfg/DFGOSRExitCompiler32_64.cpp:
2244         (JSC::DFG::OSRExit::compileExit):
2245         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2246         * dfg/DFGOSRExitCompiler64.cpp:
2247         (JSC::DFG::OSRExit::compileExit):
2248         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
2249         * dfg/DFGThunks.cpp:
2250         (JSC::DFG::osrExitGenerationThunkGenerator):
2251
2252 2017-08-04  Devin Rousso  <drousso@apple.com>
2253
2254         Web Inspector: add source view for WebGL shader programs
2255         https://bugs.webkit.org/show_bug.cgi?id=138593
2256         <rdar://problem/18936194>
2257
2258         Reviewed by Matt Baker.
2259
2260         * inspector/protocol/Canvas.json:
2261          - Add `ShaderType` enum that contains "vertex" and "fragment".
2262          - Add `requestShaderSource` command that will return the original source code for a given
2263            shader program and shader type.
2264
2265 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
2266
2267         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
2268         https://bugs.webkit.org/show_bug.cgi?id=175141
2269
2270         Reviewed by Mark Lam.
2271         
2272         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
2273         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
2274         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
2275         determined by the AlignedMemoryAllocator object.
2276         
2277         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
2278         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
2279         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
2280         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
2281         they use the same AlignedMemoryAllocator.
2282
2283         * CMakeLists.txt:
2284         * JavaScriptCore.xcodeproj/project.pbxproj:
2285         * heap/AlignedMemoryAllocator.cpp: Added.
2286         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
2287         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
2288         * heap/AlignedMemoryAllocator.h: Added.
2289         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
2290         (JSC::FastMallocAlignedMemoryAllocator::singleton):
2291         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
2292         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
2293         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
2294         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
2295         (JSC::FastMallocAlignedMemoryAllocator::dump const):
2296         * heap/FastMallocAlignedMemoryAllocator.h: Added.
2297         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
2298         (JSC::GigacageAlignedMemoryAllocator::singleton):
2299         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
2300         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
2301         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
2302         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
2303         (JSC::GigacageAlignedMemoryAllocator::dump const):
2304         * heap/GigacageAlignedMemoryAllocator.h: Added.
2305         * heap/GigacageSubspace.cpp: Removed.
2306         * heap/GigacageSubspace.h: Removed.
2307         * heap/LargeAllocation.cpp:
2308         (JSC::LargeAllocation::tryCreate):
2309         (JSC::LargeAllocation::destroy):
2310         * heap/MarkedAllocator.cpp:
2311         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2312         * heap/MarkedBlock.cpp:
2313         (JSC::MarkedBlock::tryCreate):
2314         (JSC::MarkedBlock::Handle::Handle):
2315         (JSC::MarkedBlock::Handle::~Handle):
2316         (JSC::MarkedBlock::Handle::didAddToAllocator):
2317         (JSC::MarkedBlock::Handle::subspace const):
2318         * heap/MarkedBlock.h:
2319         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
2320         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2321         * heap/Subspace.cpp:
2322         (JSC::Subspace::Subspace):
2323         (JSC::Subspace::findEmptyBlockToSteal):
2324         (JSC::Subspace::canTradeBlocksWith): Deleted.
2325         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
2326         (JSC::Subspace::freeAlignedMemory): Deleted.
2327         * heap/Subspace.h:
2328         (JSC::Subspace::name const):
2329         (JSC::Subspace::alignedMemoryAllocator const):
2330         * runtime/JSDestructibleObjectSubspace.cpp:
2331         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
2332         * runtime/JSDestructibleObjectSubspace.h:
2333         * runtime/JSSegmentedVariableObjectSubspace.cpp:
2334         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
2335         * runtime/JSSegmentedVariableObjectSubspace.h:
2336         * runtime/JSStringSubspace.cpp:
2337         (JSC::JSStringSubspace::JSStringSubspace):
2338         * runtime/JSStringSubspace.h:
2339         * runtime/VM.cpp:
2340         (JSC::VM::VM):
2341         * runtime/VM.h:
2342         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
2343         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
2344         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
2345
2346 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2347
2348         [ESNext] Async iteration - update feature.json
2349         https://bugs.webkit.org/show_bug.cgi?id=175197
2350
2351         Reviewed by Yusuke Suzuki.
2352
2353         Update feature.json to add the status of Async Iteration.
2354
2355         * features.json:
2356
2357 2017-08-04  Matt Lewis  <jlewis3@apple.com>
2358
2359         Unreviewed, rolling out r220271.
2360
2361         Rolling out due to Layout Test failing on iOS Simulator.
2362
2363         Reverted changeset:
2364
2365         "Remove STREAMS_API compilation guard"
2366         https://bugs.webkit.org/show_bug.cgi?id=175165
2367         http://trac.webkit.org/changeset/220271
2368
2369 2017-08-04  Youenn Fablet  <youenn@apple.com>
2370
2371         Remove STREAMS_API compilation guard
2372         https://bugs.webkit.org/show_bug.cgi?id=175165
2373
2374         Reviewed by Darin Adler.
2375
2376         * Configurations/FeatureDefines.xcconfig:
2377
2378 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
2379
2380         [EsNext] Async iteration - Add feature flag
2381         https://bugs.webkit.org/show_bug.cgi?id=166694
2382
2383         Reviewed by Yusuke Suzuki.
2384
2385         Add a feature flag to JSC to switch Async Iterator on/off.
2386
2387         * runtime/Options.h:
2388
2389 2017-08-03  Brian Burg  <bburg@apple.com>
2390
2391         Remove ENABLE(WEB_SOCKET) guards
2392         https://bugs.webkit.org/show_bug.cgi?id=167044
2393
2394         Reviewed by Joseph Pecoraro.
2395
2396         * Configurations/FeatureDefines.xcconfig:
2397
2398 2017-08-03  Youenn Fablet  <youenn@apple.com>
2399
2400         Remove FETCH_API compilation guard
2401         https://bugs.webkit.org/show_bug.cgi?id=175154
2402
2403         Reviewed by Chris Dumez.
2404
2405         * Configurations/FeatureDefines.xcconfig:
2406
2407 2017-08-03  Matt Baker  <mattbaker@apple.com>
2408
2409         Web Inspector: Instrument WebGLProgram created/deleted
2410         https://bugs.webkit.org/show_bug.cgi?id=175059
2411
2412         Reviewed by Devin Rousso.
2413
2414         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
2415
2416         * inspector/protocol/Canvas.json:
2417
2418 2017-08-03  Brady Eidson  <beidson@apple.com>
2419
2420         Add SW IDLs and stub out basic functionality.
2421         https://bugs.webkit.org/show_bug.cgi?id=175115
2422
2423         Reviewed by Chris Dumez.
2424
2425         * Configurations/FeatureDefines.xcconfig:
2426
2427         * runtime/CommonIdentifiers.h:
2428
2429 2017-08-03  Mark Lam  <mark.lam@apple.com>
2430
2431         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
2432         https://bugs.webkit.org/show_bug.cgi?id=175142
2433         <rdar://problem/33704528>
2434
2435         Reviewed by Filip Pizlo.
2436
2437         The convention in the rest of JSC for such methods which return the address of
2438         a field is to name them "addressOf<field name>".  We'll rename
2439         ScratchBuffer::activeLengthPtr to be consistent with this convention.
2440
2441         * dfg/DFGSpeculativeJIT.cpp:
2442         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
2443         * dfg/DFGSpeculativeJIT32_64.cpp:
2444         (JSC::DFG::SpeculativeJIT::compile):
2445         * dfg/DFGSpeculativeJIT64.cpp:
2446         (JSC::DFG::SpeculativeJIT::compile):
2447         * dfg/DFGThunks.cpp:
2448         (JSC::DFG::osrExitGenerationThunkGenerator):
2449         * ftl/FTLLowerDFGToB3.cpp:
2450         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2451         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
2452         * ftl/FTLThunks.cpp:
2453         (JSC::FTL::genericGenerationThunkGenerator):
2454         * jit/AssemblyHelpers.cpp:
2455         (JSC::AssemblyHelpers::debugCall):
2456         * jit/ScratchRegisterAllocator.cpp:
2457         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
2458         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
2459         * runtime/VM.h:
2460         (JSC::ScratchBuffer::addressOfActiveLength):
2461         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
2462         * wasm/WasmBinding.cpp:
2463         (JSC::Wasm::wasmToJs):
2464
2465 2017-08-02  Devin Rousso  <drousso@apple.com>
2466
2467         Web Inspector: add stack trace information for each RecordingAction
2468         https://bugs.webkit.org/show_bug.cgi?id=174663
2469
2470         Reviewed by Joseph Pecoraro.
2471
2472         * inspector/ScriptCallFrame.h:
2473         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
2474         with an existing value doesn't require a functor and can use existing code.
2475
2476         * interpreter/StackVisitor.h:
2477         * interpreter/StackVisitor.cpp:
2478         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
2479
2480 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2481
2482         Merge WTFThreadData to Thread::current
2483         https://bugs.webkit.org/show_bug.cgi?id=174716
2484
2485         Reviewed by Mark Lam.
2486
2487         Use Thread::current() instead.
2488
2489         * API/JSContext.mm:
2490         (+[JSContext currentContext]):
2491         (+[JSContext currentThis]):
2492         (+[JSContext currentCallee]):
2493         (+[JSContext currentArguments]):
2494         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2495         (-[JSContext endCallbackWithData:]):
2496         * heap/Heap.cpp:
2497         (JSC::Heap::requestCollection):
2498         * runtime/Completion.cpp:
2499         (JSC::checkSyntax):
2500         (JSC::checkModuleSyntax):
2501         (JSC::evaluate):
2502         (JSC::loadAndEvaluateModule):
2503         (JSC::loadModule):
2504         (JSC::linkAndEvaluateModule):
2505         (JSC::importModule):
2506         * runtime/Identifier.cpp:
2507         (JSC::Identifier::checkCurrentAtomicStringTable):
2508         * runtime/InitializeThreading.cpp:
2509         (JSC::initializeThreading):
2510         * runtime/JSLock.cpp:
2511         (JSC::JSLock::didAcquireLock):
2512         (JSC::JSLock::willReleaseLock):
2513         (JSC::JSLock::dropAllLocks):
2514         (JSC::JSLock::grabAllLocks):
2515         * runtime/JSLock.h:
2516         * runtime/VM.cpp:
2517         (JSC::VM::VM):
2518         (JSC::VM::updateStackLimits):
2519         (JSC::VM::committedStackByteCount):
2520         * runtime/VM.h:
2521         (JSC::VM::isSafeToRecurse const):
2522         * runtime/VMEntryScope.cpp:
2523         (JSC::VMEntryScope::VMEntryScope):
2524         * runtime/VMInlines.h:
2525         (JSC::VM::ensureStackCapacityFor):
2526         * yarr/YarrPattern.cpp:
2527         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2528
2529 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2530
2531         LLInt should do pointer caging
2532         https://bugs.webkit.org/show_bug.cgi?id=175036
2533
2534         Reviewed by Keith Miller.
2535
2536         Implementing this in the LLInt was challenging because offlineasm did not previously know
2537         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
2538         to be where the Gigacage is enabled right now.
2539
2540         * llint/LLIntOfflineAsmConfig.h:
2541         * llint/LowLevelInterpreter64.asm:
2542         * offlineasm/ast.rb:
2543         * offlineasm/x86.rb:
2544
2545 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2546
2547         Sweeping should only scribble when sweeping to free list
2548         https://bugs.webkit.org/show_bug.cgi?id=175105
2549
2550         Reviewed by Saam Barati.
2551         
2552         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
2553         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
2554         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
2555         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
2556         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
2557         when it doesn't matter anyway because we're building a free list.
2558         
2559         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
2560         zap.
2561
2562         * heap/MarkedBlockInlines.h:
2563         (JSC::MarkedBlock::Handle::specializedSweep):
2564
2565 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2566
2567         All C++ accesses to JSObject::m_butterfly should do caging
2568         https://bugs.webkit.org/show_bug.cgi?id=175039
2569
2570         Reviewed by Keith Miller.
2571         
2572         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
2573         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
2574         outside the gigacage.
2575
2576         * runtime/JSArray.cpp:
2577         (JSC::JSArray::setLength):
2578         (JSC::JSArray::pop):
2579         (JSC::JSArray::push):
2580         (JSC::JSArray::shiftCountWithAnyIndexingType):
2581         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2582         (JSC::JSArray::fillArgList):
2583         (JSC::JSArray::copyToArguments):
2584         * runtime/JSObject.cpp:
2585         (JSC::JSObject::heapSnapshot):
2586         (JSC::JSObject::createInitialIndexedStorage):
2587         (JSC::JSObject::createArrayStorage):
2588         (JSC::JSObject::convertUndecidedToInt32):
2589         (JSC::JSObject::convertUndecidedToDouble):
2590         (JSC::JSObject::convertUndecidedToContiguous):
2591         (JSC::JSObject::convertInt32ToDouble):
2592         (JSC::JSObject::convertInt32ToArrayStorage):
2593         (JSC::JSObject::convertDoubleToContiguous):
2594         (JSC::JSObject::convertDoubleToArrayStorage):
2595         (JSC::JSObject::convertContiguousToArrayStorage):
2596         (JSC::JSObject::defineOwnIndexedProperty):
2597         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
2598         (JSC::JSObject::ensureLengthSlow):
2599         (JSC::JSObject::allocateMoreOutOfLineStorage):
2600         * runtime/JSObject.h:
2601         (JSC::JSObject::canGetIndexQuickly):
2602         (JSC::JSObject::getIndexQuickly):
2603         (JSC::JSObject::tryGetIndexQuickly const):
2604         (JSC::JSObject::canSetIndexQuickly):
2605         (JSC::JSObject::setIndexQuickly):
2606         (JSC::JSObject::initializeIndex):
2607         (JSC::JSObject::initializeIndexWithoutBarrier):
2608         (JSC::JSObject::butterfly const):
2609         (JSC::JSObject::butterfly):
2610
2611 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
2612
2613         We should be OK with the gigacage being disabled on gmalloc
2614         https://bugs.webkit.org/show_bug.cgi?id=175082
2615
2616         Reviewed by Michael Saboff.
2617
2618         * jsc.cpp:
2619         (jscmain):
2620
2621 2017-08-02  Saam Barati  <sbarati@apple.com>
2622
2623         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
2624         https://bugs.webkit.org/show_bug.cgi?id=175041
2625         <rdar://problem/33659370>
2626
2627         Reviewed by Filip Pizlo.
2628
2629         The testing I have done shows that this new function is a ~10%
2630         progression running JetStream on 1GB iOS devices. I've also tried
2631         this on a few > 1GB iOS devices, and the testing shows this is either neutral
2632         or a regression. Right now, we'll just enable this for <= 1GB devices
2633         since it's a win. In the future, we might want to either look into
2634         tweaking these parameters or coming up with a new function for > 1GB
2635         devices.
2636
2637         * heap/Heap.cpp:
2638         * runtime/Options.h:
2639
2640 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
2641
2642         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
2643         https://bugs.webkit.org/show_bug.cgi?id=174727
2644
2645         Reviewed by Mark Lam.
2646         
2647         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
2648         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
2649         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
2650         
2651         This is neutral on JetStream.
2652
2653         * CMakeLists.txt:
2654         * JavaScriptCore.xcodeproj/project.pbxproj:
2655         * b3/B3InsertionSet.cpp:
2656         (JSC::B3::InsertionSet::execute):
2657         * dfg/DFGAbstractInterpreterInlines.h:
2658         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2659         * dfg/DFGArgumentsEliminationPhase.cpp:
2660         * dfg/DFGClobberize.cpp:
2661         (JSC::DFG::readsOverlap):
2662         * dfg/DFGClobberize.h:
2663         (JSC::DFG::clobberize):
2664         * dfg/DFGDoesGC.cpp:
2665         (JSC::DFG::doesGC):
2666         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
2667         (JSC::DFG::performFixedButterflyAccessUncaging):
2668         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
2669         * dfg/DFGFixupPhase.cpp:
2670         (JSC::DFG::FixupPhase::fixupNode):
2671         * dfg/DFGHeapLocation.cpp:
2672         (WTF::printInternal):
2673         * dfg/DFGHeapLocation.h:
2674         * dfg/DFGNodeType.h:
2675         * dfg/DFGPlan.cpp:
2676         (JSC::DFG::Plan::compileInThreadImpl):
2677         * dfg/DFGPredictionPropagationPhase.cpp:
2678         * dfg/DFGSafeToExecute.h:
2679         (JSC::DFG::safeToExecute):
2680         * dfg/DFGSpeculativeJIT.cpp:
2681         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
2682         * dfg/DFGSpeculativeJIT32_64.cpp:
2683         (JSC::DFG::SpeculativeJIT::compile):
2684         * dfg/DFGSpeculativeJIT64.cpp:
2685         (JSC::DFG::SpeculativeJIT::compile):
2686         * dfg/DFGTypeCheckHoistingPhase.cpp:
2687         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
2688         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
2689         * ftl/FTLCapabilities.cpp:
2690         (JSC::FTL::canCompile):
2691         * ftl/FTLLowerDFGToB3.cpp:
2692         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2693         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
2694         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
2695         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
2696         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
2697         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
2698         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
2699         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
2700         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
2701         (JSC::FTL::DFG::LowerDFGToB3::caged):
2702         * heap/GigacageSubspace.cpp: Added.
2703         (JSC::GigacageSubspace::GigacageSubspace):
2704         (JSC::GigacageSubspace::~GigacageSubspace):
2705         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
2706         (JSC::GigacageSubspace::freeAlignedMemory):
2707         (JSC::GigacageSubspace::canTradeBlocksWith):
2708         * heap/GigacageSubspace.h: Added.
2709         * heap/Heap.cpp:
2710         (JSC::Heap::Heap):
2711         (JSC::Heap::lastChanceToFinalize):
2712         (JSC::Heap::finalize):
2713         (JSC::Heap::sweepInFinalize):
2714         (JSC::Heap::updateAllocationLimits):
2715         (JSC::Heap::shouldDoFullCollection):
2716         (JSC::Heap::collectIfNecessaryOrDefer):
2717         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
2718         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
2719         (JSC::Heap::sweepLargeAllocations): Deleted.
2720         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
2721         * heap/Heap.h:
2722         * heap/LargeAllocation.cpp:
2723         (JSC::LargeAllocation::tryCreate):
2724         (JSC::LargeAllocation::destroy):
2725         * heap/MarkedAllocator.cpp:
2726         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
2727         (JSC::MarkedAllocator::tryAllocateBlock):
2728         * heap/MarkedBlock.cpp:
2729         (JSC::MarkedBlock::tryCreate):
2730         (JSC::MarkedBlock::Handle::Handle):
2731         (JSC::MarkedBlock::Handle::~Handle):
2732         (JSC::MarkedBlock::Handle::didAddToAllocator):
2733         (JSC::MarkedBlock::Handle::subspace const): Deleted.
2734         * heap/MarkedBlock.h:
2735         (JSC::MarkedBlock::Handle::subspace const):
2736         * heap/MarkedSpace.cpp:
2737         (JSC::MarkedSpace::~MarkedSpace):
2738         (JSC::MarkedSpace::freeMemory):
2739         (JSC::MarkedSpace::prepareForAllocation):
2740         (JSC::MarkedSpace::addMarkedAllocator):
2741         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
2742         * heap/MarkedSpace.h:
2743         (JSC::MarkedSpace::firstAllocator const):
2744         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
2745         * heap/Subspace.cpp:
2746         (JSC::Subspace::Subspace):
2747         (JSC::Subspace::canTradeBlocksWith):
2748         (JSC::Subspace::tryAllocateAlignedMemory):
2749         (JSC::Subspace::freeAlignedMemory):
2750         (JSC::Subspace::prepareForAllocation):
2751         (JSC::Subspace::findEmptyBlockToSteal):
2752         * heap/Subspace.h:
2753         (JSC::Subspace::didCreateFirstAllocator):
2754         * heap/SubspaceInlines.h:
2755         (JSC::Subspace::forEachAllocator):
2756         (JSC::Subspace::forEachMarkedBlock):
2757         (JSC::Subspace::forEachNotEmptyMarkedBlock):
2758         * jit/JITPropertyAccess.cpp:
2759         (JSC::JIT::emitDoubleLoad):
2760         (JSC::JIT::emitContiguousLoad):
2761         (JSC::JIT::emitArrayStorageLoad):
2762         (JSC::JIT::emitGenericContiguousPutByVal):
2763         (JSC::JIT::emitArrayStoragePutByVal):
2764         (JSC::JIT::emit_op_get_from_scope):
2765         (JSC::JIT::emit_op_put_to_scope):
2766         (JSC::JIT::emitIntTypedArrayGetByVal):
2767         (JSC::JIT::emitFloatTypedArrayGetByVal):
2768         (JSC::JIT::emitIntTypedArrayPutByVal):
2769         (JSC::JIT::emitFloatTypedArrayPutByVal):
2770         * jsc.cpp:
2771         (fillBufferWithContentsOfFile):
2772         (functionReadFile):
2773         (gigacageDisabled):
2774         (jscmain):
2775         * llint/LowLevelInterpreter64.asm:
2776         * runtime/ArrayBuffer.cpp:
2777         (JSC::ArrayBufferContents::tryAllocate):
2778         (JSC::ArrayBuffer::createAdopted):
2779         (JSC::ArrayBuffer::createFromBytes):
2780         (JSC::ArrayBuffer::tryCreate):
2781         * runtime/IndexingHeader.h:
2782         * runtime/InitializeThreading.cpp:
2783         (JSC::initializeThreading):
2784         * runtime/JSArrayBuffer.cpp:
2785         * runtime/JSArrayBufferView.cpp:
2786         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
2787         (JSC::JSArrayBufferView::finalize):
2788         * runtime/JSLock.cpp:
2789         (JSC::JSLock::didAcquireLock):
2790         * runtime/JSObject.h:
2791         * runtime/Options.cpp:
2792         (JSC::recomputeDependentOptions):
2793         * runtime/Options.h:
2794         * runtime/ScopedArgumentsTable.h:
2795         * runtime/VM.cpp:
2796         (JSC::VM::VM):
2797         (JSC::VM::~VM):
2798         (JSC::VM::gigacageDisabledCallback):
2799         (JSC::VM::gigacageDisabled):
2800         * runtime/VM.h:
2801         (JSC::VM::fireGigacageEnabledIfNecessary):
2802         (JSC::VM::gigacageEnabled):
2803         * wasm/WasmB3IRGenerator.cpp:
2804         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
2805         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
2806         * wasm/WasmCodeBlock.cpp:
2807         (JSC::Wasm::CodeBlock::isSafeToRun):
2808         * wasm/WasmMemory.cpp:
2809         (JSC::Wasm::makeString):
2810         (JSC::Wasm::Memory::create):
2811         (JSC::Wasm::Memory::~Memory):
2812         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
2813         (JSC::Wasm::Memory::grow):
2814         (JSC::Wasm::Memory::initializePreallocations): Deleted.
2815         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
2816         * wasm/WasmMemory.h:
2817         * wasm/js/JSWebAssemblyInstance.cpp:
2818         (JSC::JSWebAssemblyInstance::create):
2819         * wasm/js/JSWebAssemblyMemory.cpp:
2820         (JSC::JSWebAssemblyMemory::grow):
2821         (JSC::JSWebAssemblyMemory::finishCreation):
2822         * wasm/js/JSWebAssemblyMemory.h:
2823         (JSC::JSWebAssemblyMemory::subspaceFor):
2824
2825 2017-07-31  Mark Lam  <mark.lam@apple.com>
2826
2827         Added some UNLIKELYs to operationOptimize().
2828         https://bugs.webkit.org/show_bug.cgi?id=174976
2829
2830         Reviewed by JF Bastien.
2831
2832         * jit/JITOperations.cpp:
2833
2834 2017-07-31  Keith Miller  <keith_miller@apple.com>
2835
2836         Make more things LLInt constexprs
2837         https://bugs.webkit.org/show_bug.cgi?id=174994
2838
2839         Reviewed by Saam Barati.
2840
2841         This patch makes more const values in the LLInt constexprs.
2842         It also deletes all of the no longer necessary static_asserts in
2843         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
2844
2845         * interpreter/ShadowChicken.h:
2846         (JSC::ShadowChicken::Packet::tailMarker):
2847         * llint/LLIntData.cpp:
2848         (JSC::LLInt::Data::performAssertions):
2849         * llint/LowLevelInterpreter.asm:
2850         * offlineasm/generate_offset_extractor.rb:
2851         * offlineasm/parser.rb:
2852
2853 2017-07-31  Matt Lewis  <jlewis3@apple.com>
2854
2855         Unreviewed, rolling out r220060.
2856
2857         This broke our internal builds. Contact reviewer of patch for
2858         more information.
2859
2860         Reverted changeset:
2861
2862         "Merge WTFThreadData to Thread::current"
2863         https://bugs.webkit.org/show_bug.cgi?id=174716
2864         http://trac.webkit.org/changeset/220060
2865
2866 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2867
2868         [JSC] Support optional catch binding
2869         https://bugs.webkit.org/show_bug.cgi?id=174981
2870
2871         Reviewed by Saam Barati.
2872
2873         This patch implements optional catch binding proposal[1], which is now stage 3.
2874         This proposal adds a new `catch` brace with no error value binding.
2875
2876             ```
2877                 try {
2878                     ...
2879                 } catch {
2880                     ...
2881                 }
2882             ```
2883
2884         Sometimes we do not actually need the error value. For example, a function may return
2885         a boolean indicating whether it succeeded.
2886
2887             ```
2888             function parse(result) // -> bool
2889             {
2890                  try {
2891                      parseInner(result);
2892                  } catch {
2893                      return false;
2894                  }
2895                  return true;
2896             }
2897             ```
2898
2899         In the above case, we are not interested in the actual error value. Without this syntax,
2900         we always need to introduce a binding for an error value that is just ignored.
2901
2902         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
2903
2904         * bytecompiler/NodesCodegen.cpp:
2905         (JSC::TryNode::emitBytecode):
2906         * parser/Parser.cpp:
2907         (JSC::Parser<LexerType>::parseTryStatement):
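
        As an added illustration of the feature this entry describes (example code, not part of
        the WebKit patch): the unbound catch form used where the error value is irrelevant, next to
        the bound form used where only some failures should be swallowed. The input strings and the
        throwing object are constructed for the demonstration.

```javascript
'use strict';

// Added example, not from the WebKit patch: optional catch binding in use.

// Returns whether `text` is well-formed JSON. The parse error itself is
// irrelevant to the caller, so the catch clause declares no binding.
function isValidJSON(text) {
  try {
    JSON.parse(text);
  } catch {
    return false;
  }
  return true;
}

// The unbound form is still a catch-all: it swallows every thrown value,
// including non-Error primitives, and `finally` still runs afterwards.
function runSwallowing(fn) {
  const outcome = { threw: false, finalized: false };
  try {
    fn();
  } catch {
    outcome.threw = true;
  } finally {
    outcome.finalized = true;
  }
  return outcome;
}

// When only some failures should be swallowed, keep the binding so the rest
// can be rethrown. JSON.parse converts its argument with ToString first, so
// an object whose toString throws surfaces that error, not a SyntaxError.
function parseConfig(text) {
  try {
    return JSON.parse(text);
  } catch (e) {
    if (e instanceof SyntaxError) {
      return null;           // malformed input: an expected failure
    }
    throw e;                 // anything else is a bug; propagate it
  }
}

// Constructed inputs for the demonstration below.
const wellFormed = '{"retries": 3}';
const malformed = '{"retries": 3';
const poisoned = { toString() { throw new RangeError('refusing to stringify'); } };

console.log(isValidJSON(wellFormed), isValidJSON(malformed));   // true false
console.log(runSwallowing(() => { throw 42; }));                  // { threw: true, finalized: true }
console.log(parseConfig(malformed));                               // null
try {
  parseConfig(poisoned);
} catch (e) {
  console.log(e instanceof RangeError);                            // true
}
```

        The point of parseConfig is the caveat the syntax invites: dropping the binding also drops
        the ability to distinguish expected failures from unexpected ones, so reserve `catch {}`
        for the cases where every failure genuinely maps to the same outcome.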
2908
2909 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
2910
2911         Merge WTFThreadData to Thread::current
2912         https://bugs.webkit.org/show_bug.cgi?id=174716
2913
2914         Reviewed by Sam Weinig.
2915
2916         Use Thread::current() instead.
2917
2918         * API/JSContext.mm:
2919         (+[JSContext currentContext]):
2920         (+[JSContext currentThis]):
2921         (+[JSContext currentCallee]):
2922         (+[JSContext currentArguments]):
2923         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
2924         (-[JSContext endCallbackWithData:]):
2925         * heap/Heap.cpp:
2926         (JSC::Heap::requestCollection):
2927         * runtime/Completion.cpp:
2928         (JSC::checkSyntax):
2929         (JSC::checkModuleSyntax):
2930         (JSC::evaluate):
2931         (JSC::loadAndEvaluateModule):
2932         (JSC::loadModule):
2933         (JSC::linkAndEvaluateModule):
2934         (JSC::importModule):
2935         * runtime/Identifier.cpp:
2936         (JSC::Identifier::checkCurrentAtomicStringTable):
2937         * runtime/InitializeThreading.cpp:
2938         (JSC::initializeThreading):
2939         * runtime/JSLock.cpp:
2940         (JSC::JSLock::didAcquireLock):
2941         (JSC::JSLock::willReleaseLock):
2942         (JSC::JSLock::dropAllLocks):
2943         (JSC::JSLock::grabAllLocks):
2944         * runtime/JSLock.h:
2945         * runtime/VM.cpp:
2946         (JSC::VM::VM):
2947         (JSC::VM::updateStackLimits):
2948         (JSC::VM::committedStackByteCount):
2949         * runtime/VM.h:
2950         (JSC::VM::isSafeToRecurse const):
2951         * runtime/VMEntryScope.cpp:
2952         (JSC::VMEntryScope::VMEntryScope):
2953         * runtime/VMInlines.h:
2954         (JSC::VM::ensureStackCapacityFor):
2955         * yarr/YarrPattern.cpp:
2956         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
2957
2958 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
2959
2960         [WTF] Introduce Private Symbols
2961         https://bugs.webkit.org/show_bug.cgi?id=174935
2962
2963         Reviewed by Darin Adler.
2964
2965         Use SymbolImpl::isPrivate().
2966
2967         * builtins/BuiltinNames.cpp:
2968         * builtins/BuiltinNames.h:
2969         (JSC::BuiltinNames::isPrivateName): Deleted.
2970         * builtins/BuiltinUtils.h:
2971         * bytecode/BytecodeIntrinsicRegistry.cpp:
2972         (JSC::BytecodeIntrinsicRegistry::lookup):
2973         * runtime/CommonIdentifiers.cpp:
2974         (JSC::CommonIdentifiers::isPrivateName): Deleted.
2975         * runtime/CommonIdentifiers.h:
2976         * runtime/ExceptionHelpers.cpp:
2977         (JSC::createUndefinedVariableError):
2978         * runtime/Identifier.h:
2979         (JSC::Identifier::isPrivateName):
2980         * runtime/IdentifierInlines.h:
2981         (JSC::identifierToSafePublicJSValue):
2982         * runtime/ObjectConstructor.cpp:
2983         (JSC::objectConstructorAssign):
2984         (JSC::defineProperties):
2985         (JSC::setIntegrityLevel):
2986         (JSC::testIntegrityLevel):
2987         (JSC::ownPropertyKeys):
2988         * runtime/PrivateName.h:
2989         (JSC::PrivateName::PrivateName):
2990         * runtime/PropertyName.h:
2991         (JSC::PropertyName::isPrivateName):
2992         * runtime/ProxyObject.cpp:
2993         (JSC::performProxyGet):
2994         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2995         (JSC::ProxyObject::performHasProperty):
2996         (JSC::ProxyObject::performPut):
2997         (JSC::ProxyObject::performDelete):
2998         (JSC::ProxyObject::performDefineOwnProperty):
2999
3000 2017-07-29  Keith Miller  <keith_miller@apple.com>
3001
3002         LLInt offsets extractor should be able to handle C++ constexprs
3003         https://bugs.webkit.org/show_bug.cgi?id=174964
3004
3005         Reviewed by Saam Barati.
3006
3007         This patch adds new syntax to the offline asm language. The new keyword,
3008         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
3009         expression. Additionally, if the value is not an identifier, you can wrap it in
3010         parentheses, e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
3011         which will get converted into:
3012         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
3013
3014         This patch also changes the data format the LLIntOffsetsExtractor
3015         binary produces.  Previously, it would produce unsigned values,
3016         after this patch every value is an int64_t.  Using an int64_t is
3017         useful because it means that we can represent any constant needed.
3018         int32_t masks are sign extended, then passed along and converted to a
3019         negative literal string in the assembler, so the result is the constant
3020         expected.
3021
3022         * llint/LLIntOffsetsExtractor.cpp:
3023         (JSC::LLIntOffsetsExtractor::dummy):
3024         * llint/LowLevelInterpreter.asm:
3025         * llint/LowLevelInterpreter64.asm:
3026         * offlineasm/asm.rb:
3027         * offlineasm/ast.rb:
3028         * offlineasm/generate_offset_extractor.rb:
3029         * offlineasm/offsets.rb:
3030         * offlineasm/parser.rb:
3031         * offlineasm/transform.rb:
3032
3033 2017-07-28  Matt Baker  <mattbaker@apple.com>
3034
3035         Web Inspector: capture an async stack trace when web content calls addEventListener
3036         https://bugs.webkit.org/show_bug.cgi?id=174739
3037         <rdar://problem/33468197>
3038
3039         Reviewed by Brian Burg.
3040
3041         Allow debugger agents to perform custom logic when asynchronous stack
3042         trace data is cleared. For example, the PageDebuggerAgent would clear
3043         its list of registered listeners for which call stacks have been recorded.
3044
3045         * inspector/agents/InspectorDebuggerAgent.cpp:
3046         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
3047         * inspector/agents/InspectorDebuggerAgent.h:
3048
3049 2017-07-28  Mark Lam  <mark.lam@apple.com>
3050
3051         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
3052         https://bugs.webkit.org/show_bug.cgi?id=174948
3053         <rdar://problem/33495680>
3054
3055         Reviewed by Filip Pizlo.
3056
3057         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
3058         owner StructureRareData is already known to be dead (in terms of GC liveness) but
3059         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
3060         requests to fire this watchpoint.
3061
3062         If the GC had the chance to sweep the StructureRareData, thereby destructing the
3063         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
3064         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
3065
3066         But since the watchpoint hasn't been destructed yet, it still remains on the
3067         WatchpointSet and needs to guard against being fired in this state.  The fix is
3068         to simply return early if its owner StructureRareData is not live.  This has the
3069         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
3070         not firing as we would expect.
3071
3072         This patch also removes some cargo cult copying of watchpoint code which
3073         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
3074         used.  This patch removes these unnecessary instantiations.
3075
3076         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
3077         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
3078         * runtime/StructureRareData.cpp:
3079         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
3080         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
3081
3082 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
3083
3084         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
3085         https://bugs.webkit.org/show_bug.cgi?id=174900
3086
3087         Reviewed by Saam Barati.
3088
3089         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
3090         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
3091         The problem is that even the transforming phase also checks these pseudo terminals.
3092
3093             BB1
3094             1: ForceOSRExit
3095             2: CreateDirectArguments
3096
3097             BB2
3098             3: GetButterfly(@2)
3099             4: ForceOSRExit
3100
3101         In the above case, @2 is not converted to PhantomDirectArguments, but @3 is processed, and the assertion fires.
3102
3103         In this patch, we do not list up candidates after seeing pseudo terminals in basic blocks.
3104
3105         * dfg/DFGArgumentsEliminationPhase.cpp:
3106
3107 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
3108
3109         [ES] Add support finally to Promise
3110         https://bugs.webkit.org/show_bug.cgi?id=174503
3111
3112         Reviewed by Yusuke Suzuki.
3113
3114         Add support for the `finally` method on Promise according
3115         to https://bugs.webkit.org/show_bug.cgi?id=174503
3116         The current spec is at STAGE 3:
3117         https://github.com/tc39/proposal-promise-finally
3118
3119         * builtins/PromisePrototype.js:
3120         (finally):
3121         (const.valueThunk):
3122         (globalPrivate.getThenFinally):
3123         (const.thrower):
3124         (globalPrivate.getCatchFinally):
3125         * runtime/JSPromisePrototype.cpp:
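
        An added example, not the JSC builtin source in builtins/PromisePrototype.js: a spec-shaped
        Promise.prototype.finally written in plain JavaScript with the same helper structure this
        entry lists (valueThunk, thrower, getThenFinally, getCatchFinally), installed on a Promise
        subclass so the host engine's own implementation is left untouched. The SpecPromise class,
        the simplified speciesConstructor and the demonstrate() driver are assumptions of this
        example.

```javascript
'use strict';

// Added example, not the JSC builtin: Promise.prototype.finally in public
// JavaScript, following the shape of the stage 3 proposal.

// Handler that drops its argument and yields the original fulfillment value.
function valueThunk(value) {
  return () => value;
}

// Handler that drops its argument and rethrows the original rejection reason.
function thrower(reason) {
  return () => { throw reason; };
}

// Simplified SpeciesConstructor(promise, %Promise%): lets subclasses control
// the constructor used for the promises that finally() creates.
function speciesConstructor(promise) {
  const C = promise.constructor;
  if (C === undefined) return Promise;
  if (C === null || (typeof C !== 'object' && typeof C !== 'function')) {
    throw new TypeError('promise.constructor is not an object');
  }
  const S = C[Symbol.species];
  if (S === undefined || S === null) return Promise;
  if (typeof S !== 'function') throw new TypeError('Symbol.species is not a constructor');
  return S;
}

// Fulfillment path: run onFinally with no arguments, wait for whatever it
// returns, then pass the original value through. A rejection from onFinally
// replaces the value.
function getThenFinally(onFinally, C) {
  return function thenFinally(value) {
    const result = onFinally();
    return C.resolve(result).then(valueThunk(value));   // PromiseResolve(C, result)
  };
}

// Rejection path: same, but the original reason is rethrown afterwards.
function getCatchFinally(onFinally, C) {
  return function catchFinally(reason) {
    const result = onFinally();
    return C.resolve(result).then(thrower(reason));
  };
}

function promiseFinally(onFinally) {
  const promise = this;
  if (promise === null || (typeof promise !== 'object' && typeof promise !== 'function')) {
    throw new TypeError('Promise.prototype.finally called on a non-object');
  }
  const C = speciesConstructor(promise);
  let thenFinally = onFinally;
  let catchFinally = onFinally;
  if (typeof onFinally === 'function') {   // non-callables fall through to then()
    thenFinally = getThenFinally(onFinally, C);
    catchFinally = getCatchFinally(onFinally, C);
  }
  return promise.then(thenFinally, catchFinally);
}

// Install on a subclass (an assumption of this example) so the host's own
// Promise.prototype.finally is not replaced.
class SpecPromise extends Promise {}
Object.defineProperty(SpecPromise.prototype, 'finally', {
  value: promiseFinally, writable: true, configurable: true, enumerable: false,
});

// Exercises what distinguishes finally() from then(): the callback gets no
// arguments, its return value is ignored, a throw or rejection from it wins,
// and a returned promise is awaited before the chain continues.
async function demonstrate() {
  const log = [];
  log.push(await SpecPromise.resolve(1).finally((...args) => { log.push(args.length); return 99; }));
  await SpecPromise.reject(new Error('orig')).finally(() => {}).catch((e) => log.push(e.message));
  await SpecPromise.resolve(1).finally(() => { throw new Error('cleanup'); }).catch((e) => log.push(e.message));
  await SpecPromise.resolve(1).finally(() => SpecPromise.reject(new Error('async cleanup'))).catch((e) => log.push(e.message));
  return log;   // [0, 1, 'orig', 'cleanup', 'async cleanup']
}

demonstrate().then((log) => console.log(log));
```

        Note that a throwing or rejecting onFinally overrides both the fulfillment value and the
        original rejection reason, so cleanup code that can fail will mask the error it was
        cleaning up after unless it catches its own failures.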
3126
3127 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3128
3129         Unreviewed, build fix for CLoop
3130         https://bugs.webkit.org/show_bug.cgi?id=171637
3131
3132         * domjit/DOMJITGetterSetter.h:
3133
3134 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3135
3136         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
3137         https://bugs.webkit.org/show_bug.cgi?id=171637
3138
3139         Reviewed by Darin Adler.
3140
3141         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
3142         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
3143
3144         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
3145         DOMJIT::GetterSetter becomes nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
3146
3147         In IC, we drop CheckSubClass completely since the IC's Structure check subsumes it. We do not enable this optimization for
3148         the op_get_by_id_with_this case yet.
3149         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
3150
3151         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds the DOMAnnotation and performs the
3152         ClassInfo check.
3153
3154         * CMakeLists.txt:
3155         * JavaScriptCore.xcodeproj/project.pbxproj:
3156         * bytecode/AccessCase.cpp:
3157         (JSC::AccessCase::generateImpl):
3158         * bytecode/GetByIdStatus.cpp:
3159         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
3160         * bytecode/GetByIdVariant.cpp:
3161         (JSC::GetByIdVariant::GetByIdVariant):
3162         (JSC::GetByIdVariant::operator=):
3163         (JSC::GetByIdVariant::attemptToMerge):
3164         (JSC::GetByIdVariant::dumpInContext):
3165         * bytecode/GetByIdVariant.h:
3166         (JSC::GetByIdVariant::customAccessorGetter):
3167         (JSC::GetByIdVariant::domAttribute):
3168         (JSC::GetByIdVariant::domJIT): Deleted.
3169         * bytecode/GetterSetterAccessCase.cpp:
3170         (JSC::GetterSetterAccessCase::create):
3171         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
3172         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
3173         * bytecode/GetterSetterAccessCase.h:
3174         (JSC::GetterSetterAccessCase::domAttribute):
3175         (JSC::GetterSetterAccessCase::customAccessor):
3176         (JSC::GetterSetterAccessCase::domJIT): Deleted.
3177         * bytecompiler/BytecodeGenerator.cpp:
3178         (JSC::BytecodeGenerator::instantiateLexicalVariables):
3179         * create_hash_table:
3180         * dfg/DFGAbstractInterpreterInlines.h:
3181         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
3182         * dfg/DFGByteCodeParser.cpp:
3183         (JSC::DFG::blessCallDOMGetter):
3184         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
3185         (JSC::DFG::ByteCodeParser::handleGetById):
3186         * dfg/DFGClobberize.h:
3187         (JSC::DFG::clobberize):
3188         * dfg/DFGFixupPhase.cpp:
3189         (JSC::DFG::FixupPhase::fixupNode):
3190         * dfg/DFGNode.h:
3191         * dfg/DFGSpeculativeJIT.cpp:
3192         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
3193         * dfg/DFGSpeculativeJIT.h:
3194         (JSC::DFG::SpeculativeJIT::callCustomGetter):
3195         * domjit/DOMJITGetterSetter.h:
3196         (JSC::DOMJIT::GetterSetter::GetterSetter):
3197         (JSC::DOMJIT::GetterSetter::getter):
3198         (JSC::DOMJIT::GetterSetter::compiler):
3199         (JSC::DOMJIT::GetterSetter::resultType):
3200         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
3201         (JSC::DOMJIT::GetterSetter::setter): Deleted.
3202         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
3203         * ftl/FTLLowerDFGToB3.cpp:
3204         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
3205         * jit/Repatch.cpp:
3206         (JSC::tryCacheGetByID):
3207         * jsc.cpp:
3208         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
3209         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
3210         (WTF::DOMJITGetter::customGetter):
3211         (WTF::DOMJITGetter::finishCreation):
3212         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
3213         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
3214         (WTF::DOMJITGetterComplex::customGetter):
3215         (WTF::DOMJITGetterComplex::finishCreation):
3216         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3217         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
3218         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
3219         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
3220         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
3221         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
3222         * runtime/CustomGetterSetter.h:
3223         (JSC::CustomGetterSetter::create):
3224         (JSC::CustomGetterSetter::setter):
3225         (JSC::CustomGetterSetter::CustomGetterSetter):
3226         (): Deleted.
3227         * runtime/DOMAnnotation.h: Added.
3228         (JSC::operator==):
3229         (JSC::operator!=):
3230         * runtime/DOMAttributeGetterSetter.cpp: Added.
3231         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
3232         (JSC::isDOMAttributeGetterSetter):
3233         * runtime/Error.cpp:
3234         (JSC::throwDOMAttributeGetterTypeError):
3235         * runtime/Error.h:
3236         (JSC::throwVMDOMAttributeGetterTypeError):
3237         * runtime/JSCustomGetterSetterFunction.cpp:
3238         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
3239         * runtime/JSObject.cpp:
3240         (JSC::JSObject::putInlineSlow):
3241         (JSC::JSObject::deleteProperty):
3242         (JSC::JSObject::getOwnStaticPropertySlot):
3243         (JSC::JSObject::reifyAllStaticProperties):
3244         (JSC::JSObject::fillGetterPropertySlot):
3245         (JSC::JSObject::findPropertyHashEntry): Deleted.
3246         * runtime/JSObject.h:
3247         (JSC::JSObject::getOwnNonIndexPropertySlot):
3248         (JSC::JSObject::fillCustomGetterPropertySlot):
3249         * runtime/Lookup.cpp:
3250         (JSC::setUpStaticFunctionSlot):
3251         * runtime/Lookup.h:
3252         (JSC::HashTableValue::domJIT):
3253         (JSC::getStaticPropertySlotFromTable):
3254         (JSC::putEntry):
3255         (JSC::lookupPut):
3256         (JSC::reifyStaticProperty):
3257         (JSC::reifyStaticProperties):
3258         Each static property table has a new field, ClassInfo*. It indicates which ClassInfo check the DOMAttributes registered in
3259         this static property table require.
3260
3261         * runtime/ProgramExecutable.cpp:
3262         (JSC::ProgramExecutable::initializeGlobalProperties):
3263         * runtime/PropertyName.h:
3264         * runtime/PropertySlot.cpp:
3265         (JSC::PropertySlot::customGetter):
3266         (JSC::PropertySlot::customAccessorGetter):
3267         * runtime/PropertySlot.h:
3268         (JSC::PropertySlot::domAttribute):
3269         (JSC::PropertySlot::setCustom):
3270         (JSC::PropertySlot::setCacheableCustom):
3271         (JSC::PropertySlot::getValue):
3272         (JSC::PropertySlot::domJIT): Deleted.
3273         * runtime/VM.cpp:
3274         (JSC::VM::VM):
3275         * runtime/VM.h:
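
        An added example, not JSC or WebCore code: a JavaScript-level model of the ClassInfo check
        this entry centralizes. JSC brands the object cell itself with a ClassInfo*; here a
        per-class WeakMap plays that role, which is enough to show why a prototype-chain check is
        not sufficient and what throwDOMAttributeGetterTypeError protects against. The Node and
        Element classes, the brand maps and the probeGetter helper are assumptions of this example.

```javascript
'use strict';

// Added example, not JSC or WebCore code: modelling the per-getter ClassInfo
// check with a WeakMap brand that only the constructor can populate.

const nodeBrand = new WeakMap();     // Node wrapper -> native node state
const elementBrand = new WeakMap();  // Element wrapper -> native element state

class Node {
  constructor(nodeType) {
    nodeBrand.set(this, { nodeType });
  }
}

class Element extends Node {
  constructor(tagName) {
    super(1);                         // ELEMENT_NODE
    elementBrand.set(this, { tagName: tagName.toUpperCase() });
  }
}

// Shared getter prologue, the JavaScript-level analogue of the ClassInfo check
// and throwDOMAttributeGetterTypeError: a receiver that is not branded for this
// class is rejected before any native state is read.
function defineDOMAttribute(Klass, brand, name, readNative) {
  Object.defineProperty(Klass.prototype, name, {
    get() {
      const native = brand.get(this);
      if (native === undefined) {
        throw new TypeError(
          `The ${Klass.name}.${name} getter can only be used on instances of ${Klass.name}`);
      }
      return readNative(native);
    },
    enumerable: true,
    configurable: true,
  });
}

defineDOMAttribute(Node, nodeBrand, 'nodeType', (n) => n.nodeType);
defineDOMAttribute(Element, elementBrand, 'tagName', (e) => e.tagName);

// Applies a prototype getter to an arbitrary receiver, as script can do with a
// detached property descriptor or Reflect.get, and reports the outcome.
function probeGetter(Klass, name, receiver) {
  const getter = Object.getOwnPropertyDescriptor(Klass.prototype, name).get;
  try {
    return { ok: true, value: getter.call(receiver) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

const div = new Element('div');
console.log(probeGetter(Element, 'tagName', div));                               // { ok: true, value: 'DIV' }
console.log(probeGetter(Node, 'nodeType', div));                                 // { ok: true, value: 1 }
console.log(probeGetter(Element, 'tagName', new Node(9)));                       // TypeError: a Node is not an Element
console.log(probeGetter(Element, 'tagName', Object.create(Element.prototype)));  // TypeError, although instanceof is true
console.log(probeGetter(Element, 'tagName', { tagName: 'FAKE' }));               // TypeError: plain object
```

        The Object.create(Element.prototype) case is the one that matters: it passes instanceof
        and every prototype-based check, yet has no native backing, so a getter that skipped the
        brand check would read native state through an object that was never a real wrapper.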
3276
3277 2017-07-26  Devin Rousso  <drousso@apple.com>
3278
3279         Web Inspector: create protocol for recording Canvas contexts
3280         https://bugs.webkit.org/show_bug.cgi?id=174481
3281
3282         Reviewed by Joseph Pecoraro.
3283
3284         * inspector/protocol/Canvas.json:
3285          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
3286          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
3287          - Add `recordingFinished` event that is fired once a recording is finished.
3288
3289         * CMakeLists.txt:
3290         * DerivedSources.make:
3291         * inspector/protocol/Recording.json: Added.
3292          - Add `Type` enum that lists the types of recordings
3293          - Add `InitialState` type that contains information about the canvas context at the
3294            beginning of the recording.
3295          - Add `Frame` type that holds a list of actions that were recorded.
3296          - Add `Recording` type as the container object of recording data.
3297
3298         * inspector/scripts/codegen/generate_js_backend_commands.py:
3299         (JSBackendCommandsGenerator.generate_domain):
3300         Create an agent for domains with no events or commands.
3301
3302         * inspector/InspectorValues.h:
3303         Make Array `get` public so that values can be retrieved if needed.
3304
3305 2017-07-26  Brian Burg  <bburg@apple.com>
3306
3307         Remove WEB_TIMING feature flag
3308         https://bugs.webkit.org/show_bug.cgi?id=174795
3309
3310         Reviewed by Alex Christensen.
3311
3312         * Configurations/FeatureDefines.xcconfig:
3313
3314 2017-07-26  Mark Lam  <mark.lam@apple.com>
3315
3316         Add the ability to change sp and pc to the ARM64 JIT probe.
3317         https://bugs.webkit.org/show_bug.cgi?id=174697
3318         <rdar://problem/33436965>
3319
3320         Reviewed by JF Bastien.
3321
3322         This patch implements the following:
3323
3324         1. The ARM64 probe now supports modifying the pc and sp.
3325
3326            However, lr is not preserved when modifying the pc because it is used as the
3327            scratch register for the indirect jump. Hence, the probe handler function
3328            may not modify both lr and pc in the same probe invocation.
3329
3330         2. Fix probe tests to use bitwise comparison when comparing double register
3331            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
3332
3333         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
3334            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
3335            instructions which require 16 byte alignment for their memory access.
3336
3337         * assembler/MacroAssemblerARM64.cpp:
3338         (JSC::arm64ProbeError):
3339         (JSC::MacroAssembler::probe):
3340         (JSC::arm64ProbeTrampoline): Deleted.
3341         * assembler/testmasm.cpp:
3342         (JSC::isSpecialGPR):
3343         (JSC::testProbeReadsArgumentRegisters):
3344         (JSC::testProbeWritesArgumentRegisters):
3345         (JSC::testProbePreservesGPRS):
3346         (JSC::testProbeModifiesStackPointer):
3347         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
3348         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
3349
3350 2017-07-25  JF Bastien  <jfbastien@apple.com>
3351
3352         WebAssembly: generate smaller binaries
3353         https://bugs.webkit.org/show_bug.cgi?id=174818
3354
3355         Reviewed by Filip Pizlo.
3356
3357         This patch reduces generated code size for WebAssembly in 2 ways:
3358
3359         1. Use the ZR register when storing zero on ARM64.
3360         2. Synthesize wasm context lazily.
3361
3362         This leads to a modest size reduction on both x86-64 and ARM64 for
3363         large WebAssembly games, without any performance loss on WasmBench
3364         and TitzerBench.
3365
3366         The reason this works is that these games, using Emscripten,
3367         generate 100k+ tiny functions, and our JIT allocation granule
3368         rounds all allocations up to 32 bytes. There are plenty of other
3369         simple gains to be had; I've filed a follow-up bug at
3370         webkit.org/b/174819
3371
3372         We should further avoid the per-function cost of tiering, which
3373         represents the bulk of code generated for small functions.
3374
3375         * assembler/MacroAssemblerARM64.h:
3376         (JSC::MacroAssemblerARM64::storeZero64):
3377         * assembler/MacroAssemblerX86_64.h:
3378         (JSC::MacroAssemblerX86_64::storeZero64):
3379         * b3/B3LowerToAir.cpp:
3380         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
3381         for x86 because it constrains register reuse and codegen in a way
3382         that doesn't affect ARM64 because it has a dedicated zero
3383         register.
3384         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
3385         * wasm/WasmB3IRGenerator.cpp:
3386         (JSC::Wasm::B3IRGenerator::instanceValue):
3387         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
3388         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
3389         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
3390
3391 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
3392
3393         B3 should do LICM
3394         https://bugs.webkit.org/show_bug.cgi?id=174750
3395
3396         Reviewed by Keith Miller and Saam Barati.
3397         
3398         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
3399         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
3400 &nb