Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-08-05  Mark Lam  <mark.lam@apple.com>
2
3         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 3].
4         https://bugs.webkit.org/show_bug.cgi?id=175228
5         <rdar://problem/33735737>
6
7         Reviewed by Saam Barati.
8
9         Merge the 32-bit OSRExit::compileExit() method into the 64-bit version, and
10         delete OSRExit32_64.cpp.
11
12         * CMakeLists.txt:
13         * JavaScriptCore.xcodeproj/project.pbxproj:
14         * dfg/DFGOSRExit.cpp:
15         (JSC::DFG::OSRExit::compileExit):
16         * dfg/DFGOSRExit32_64.cpp: Removed.
17         * jit/GPRInfo.h:
18         (JSC::JSValueSource::payloadGPR const):
19
20 2017-08-04  Youenn Fablet  <youenn@apple.com>
21
22         [Cache API] Add Cache and CacheStorage IDL definitions
23         https://bugs.webkit.org/show_bug.cgi?id=175201
24
25         Reviewed by Brady Eidson.
26
27         * runtime/CommonIdentifiers.h:
28
29 2017-08-04  Mark Lam  <mark.lam@apple.com>
30
31         Fix typo in testmasm.cpp: ENABLE(JSVALUE64) should be USE(JSVALUE64).
32         https://bugs.webkit.org/show_bug.cgi?id=175230
33         <rdar://problem/33735857>
34
35         Reviewed by Saam Barati.
36
37         * assembler/testmasm.cpp:
38         (JSC::testProbeReadsArgumentRegisters):
39         (JSC::testProbeWritesArgumentRegisters):
40
41 2017-08-04  Mark Lam  <mark.lam@apple.com>
42
43         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 2].
44         https://bugs.webkit.org/show_bug.cgi?id=175214
45         <rdar://problem/33733308>
46
47         Rubber-stamped by Michael Saboff.
48
49         Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused
50         DFGOSRExitCompiler files.
51
52         Also renamed DFGOSRExitCompiler32_64.cpp to DFGOSRExit32_64.cpp.
53
54         Also move debugOperationPrintSpeculationFailure() into DFGOSRExit.cpp.  It's only
55         used by compileOSRExit(), and will be changed to not be a DFG operation function
56         when we use JIT probes for DFG OSR exits later in
57         https://bugs.webkit.org/show_bug.cgi?id=175144.
58
59         * CMakeLists.txt:
60         * JavaScriptCore.xcodeproj/project.pbxproj:
61         * dfg/DFGJITCompiler.cpp:
62         * dfg/DFGOSRExit.cpp:
63         (JSC::DFG::OSRExit::emitRestoreArguments):
64         (JSC::DFG::OSRExit::compileOSRExit):
65         (JSC::DFG::OSRExit::compileExit):
66         (JSC::DFG::OSRExit::debugOperationPrintSpeculationFailure):
67         * dfg/DFGOSRExit.h:
68         * dfg/DFGOSRExit32_64.cpp: Copied from Source/JavaScriptCore/dfg/DFGOSRExitCompiler32_64.cpp.
69         * dfg/DFGOSRExitCompiler.cpp: Removed.
70         * dfg/DFGOSRExitCompiler.h: Removed.
71         * dfg/DFGOSRExitCompiler32_64.cpp: Removed.
72         * dfg/DFGOSRExitCompiler64.cpp: Removed.
73         * dfg/DFGOperations.cpp:
74         * dfg/DFGOperations.h:
75         * dfg/DFGThunks.cpp:
76
77 2017-08-04  Matt Baker  <mattbaker@apple.com>
78
79         Web Inspector: capture async stack trace when workers/main context posts a message
80         https://bugs.webkit.org/show_bug.cgi?id=167084
81         <rdar://problem/30033673>
82
83         Reviewed by Brian Burg.
84
85         * inspector/agents/InspectorDebuggerAgent.h:
86         Add `PostMessage` async call type.
87
88 2017-08-04  Mark Lam  <mark.lam@apple.com>
89
90         Move DFG::OSRExitCompiler methods into DFG::OSRExit [step 1].
91         https://bugs.webkit.org/show_bug.cgi?id=175208
92         <rdar://problem/33732402>
93
94         Reviewed by Saam Barati.
95
96         This will minimize the code diff and make it easier to review the patch for
97         https://bugs.webkit.org/show_bug.cgi?id=175144 later.  We'll do this patch in 3
98         steps:
99
100         1. Do the code changes to move methods into OSRExit.
101         2. Copy the 64-bit and common methods into DFGOSRExit.cpp, and delete the unused DFGOSRExitCompiler files.
102         3. Merge the 32-bit OSRExitCompiler methods into the 64-bit version, and delete DFGOSRExitCompiler32_64.cpp.
103
104         Splitting this refactoring into these 3 steps also makes it easier to review this
105         patch and understand what is being changed.
106
107         * dfg/DFGOSRExit.h:
108         * dfg/DFGOSRExitCompiler.cpp:
109         (JSC::DFG::OSRExit::emitRestoreArguments):
110         (JSC::DFG::OSRExit::compileOSRExit):
111         (JSC::DFG::OSRExitCompiler::emitRestoreArguments): Deleted.
112         (): Deleted.
113         * dfg/DFGOSRExitCompiler.h:
114         (JSC::DFG::OSRExitCompiler::OSRExitCompiler): Deleted.
115         (): Deleted.
116         * dfg/DFGOSRExitCompiler32_64.cpp:
117         (JSC::DFG::OSRExit::compileExit):
118         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
119         * dfg/DFGOSRExitCompiler64.cpp:
120         (JSC::DFG::OSRExit::compileExit):
121         (JSC::DFG::OSRExitCompiler::compileExit): Deleted.
122         * dfg/DFGThunks.cpp:
123         (JSC::DFG::osrExitGenerationThunkGenerator):
124
125 2017-08-04  Devin Rousso  <drousso@apple.com>
126
127         Web Inspector: add source view for WebGL shader programs
128         https://bugs.webkit.org/show_bug.cgi?id=138593
129         <rdar://problem/18936194>
130
131         Reviewed by Matt Baker.
132
133         * inspector/protocol/Canvas.json:
134          - Add `ShaderType` enum that contains "vertex" and "fragment".
135          - Add `requestShaderSource` command that will return the original source code for a given
136            shader program and shader type.
137
138 2017-08-03  Filip Pizlo  <fpizlo@apple.com>
139
140         The allocator used to allocate memory for MarkedBlocks and LargeAllocations should not be the Subspace itself
141         https://bugs.webkit.org/show_bug.cgi?id=175141
142
143         Reviewed by Mark Lam.
144         
145         To make it easier to have multiple gigacages and maybe even fancier methods of allocating, this
146         decouples the allocator used to allocate memory from the GC Subspace. This means we no longer have
147         to create a new Subspace subclass to allocate memory a different way. Instead, the allocator is now
148         determined by the AlignedMemoryAllocator object.
149         
150         This also simplifies trading of blocks. Before, Subspaces had to determine if other Subspaces could
151         trade blocks with them using canTradeBlocksWith(). This makes it difficult for two different
152         Subspaces that both use the same underlying allocator to realize that they can trade blocks with
153         each other. Now, you just need to ask the block being stolen and the subspace doing the stealing if
154         they use the same AlignedMemoryAllocator.
155
156         * CMakeLists.txt:
157         * JavaScriptCore.xcodeproj/project.pbxproj:
158         * heap/AlignedMemoryAllocator.cpp: Added.
159         (JSC::AlignedMemoryAllocator::AlignedMemoryAllocator):
160         (JSC::AlignedMemoryAllocator::~AlignedMemoryAllocator):
161         * heap/AlignedMemoryAllocator.h: Added.
162         * heap/FastMallocAlignedMemoryAllocator.cpp: Added.
163         (JSC::FastMallocAlignedMemoryAllocator::singleton):
164         (JSC::FastMallocAlignedMemoryAllocator::FastMallocAlignedMemoryAllocator):
165         (JSC::FastMallocAlignedMemoryAllocator::~FastMallocAlignedMemoryAllocator):
166         (JSC::FastMallocAlignedMemoryAllocator::tryAllocateAlignedMemory):
167         (JSC::FastMallocAlignedMemoryAllocator::freeAlignedMemory):
168         (JSC::FastMallocAlignedMemoryAllocator::dump const):
169         * heap/FastMallocAlignedMemoryAllocator.h: Added.
170         * heap/GigacageAlignedMemoryAllocator.cpp: Added.
171         (JSC::GigacageAlignedMemoryAllocator::singleton):
172         (JSC::GigacageAlignedMemoryAllocator::GigacageAlignedMemoryAllocator):
173         (JSC::GigacageAlignedMemoryAllocator::~GigacageAlignedMemoryAllocator):
174         (JSC::GigacageAlignedMemoryAllocator::tryAllocateAlignedMemory):
175         (JSC::GigacageAlignedMemoryAllocator::freeAlignedMemory):
176         (JSC::GigacageAlignedMemoryAllocator::dump const):
177         * heap/GigacageAlignedMemoryAllocator.h: Added.
178         * heap/GigacageSubspace.cpp: Removed.
179         * heap/GigacageSubspace.h: Removed.
180         * heap/LargeAllocation.cpp:
181         (JSC::LargeAllocation::tryCreate):
182         (JSC::LargeAllocation::destroy):
183         * heap/MarkedAllocator.cpp:
184         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
185         * heap/MarkedBlock.cpp:
186         (JSC::MarkedBlock::tryCreate):
187         (JSC::MarkedBlock::Handle::Handle):
188         (JSC::MarkedBlock::Handle::~Handle):
189         (JSC::MarkedBlock::Handle::didAddToAllocator):
190         (JSC::MarkedBlock::Handle::subspace const):
191         * heap/MarkedBlock.h:
192         (JSC::MarkedBlock::Handle::alignedMemoryAllocator const):
193         (JSC::MarkedBlock::Handle::subspace const): Deleted.
194         * heap/Subspace.cpp:
195         (JSC::Subspace::Subspace):
196         (JSC::Subspace::findEmptyBlockToSteal):
197         (JSC::Subspace::canTradeBlocksWith): Deleted.
198         (JSC::Subspace::tryAllocateAlignedMemory): Deleted.
199         (JSC::Subspace::freeAlignedMemory): Deleted.
200         * heap/Subspace.h:
201         (JSC::Subspace::name const):
202         (JSC::Subspace::alignedMemoryAllocator const):
203         * runtime/JSDestructibleObjectSubspace.cpp:
204         (JSC::JSDestructibleObjectSubspace::JSDestructibleObjectSubspace):
205         * runtime/JSDestructibleObjectSubspace.h:
206         * runtime/JSSegmentedVariableObjectSubspace.cpp:
207         (JSC::JSSegmentedVariableObjectSubspace::JSSegmentedVariableObjectSubspace):
208         * runtime/JSSegmentedVariableObjectSubspace.h:
209         * runtime/JSStringSubspace.cpp:
210         (JSC::JSStringSubspace::JSStringSubspace):
211         * runtime/JSStringSubspace.h:
212         * runtime/VM.cpp:
213         (JSC::VM::VM):
214         * runtime/VM.h:
215         * wasm/js/JSWebAssemblyCodeBlockSubspace.cpp:
216         (JSC::JSWebAssemblyCodeBlockSubspace::JSWebAssemblyCodeBlockSubspace):
217         * wasm/js/JSWebAssemblyCodeBlockSubspace.h:
218
219 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
220
221         [ESNext] Async iteration - update feature.json
222         https://bugs.webkit.org/show_bug.cgi?id=175197
223
224         Reviewed by Yusuke Suzuki.
225
226         Update feature.json to add the status of Async Iteration
227
228         * features.json:
229
230 2017-08-04  Matt Lewis  <jlewis3@apple.com>
231
232         Unreviewed, rolling out r220271.
233
234         Rolling out due to Layout Test failing on iOS Simulator.
235
236         Reverted changeset:
237
238         "Remove STREAMS_API compilation guard"
239         https://bugs.webkit.org/show_bug.cgi?id=175165
240         http://trac.webkit.org/changeset/220271
241
242 2017-08-04  Youenn Fablet  <youenn@apple.com>
243
244         Remove STREAMS_API compilation guard
245         https://bugs.webkit.org/show_bug.cgi?id=175165
246
247         Reviewed by Darin Adler.
248
249         * Configurations/FeatureDefines.xcconfig:
250
251 2017-08-04  Oleksandr Skachkov  <gskachkov@gmail.com>
252
253         [EsNext] Async iteration - Add feature flag
254         https://bugs.webkit.org/show_bug.cgi?id=166694
255
256         Reviewed by Yusuke Suzuki.
257
258         Add feature flag to JSC to switch on/off Async Iterator
259
260         * runtime/Options.h:
261
262 2017-08-03  Brian Burg  <bburg@apple.com>
263
264         Remove ENABLE(WEB_SOCKET) guards
265         https://bugs.webkit.org/show_bug.cgi?id=167044
266
267         Reviewed by Joseph Pecoraro.
268
269         * Configurations/FeatureDefines.xcconfig:
270
271 2017-08-03  Youenn Fablet  <youenn@apple.com>
272
273         Remove FETCH_API compilation guard
274         https://bugs.webkit.org/show_bug.cgi?id=175154
275
276         Reviewed by Chris Dumez.
277
278         * Configurations/FeatureDefines.xcconfig:
279
280 2017-08-03  Matt Baker  <mattbaker@apple.com>
281
282         Web Inspector: Instrument WebGLProgram created/deleted
283         https://bugs.webkit.org/show_bug.cgi?id=175059
284
285         Reviewed by Devin Rousso.
286
287         Extend the Canvas protocol with types/events for tracking WebGLPrograms.
288
289         * inspector/protocol/Canvas.json:
290
291 2017-08-03  Brady Eidson  <beidson@apple.com>
292
293         Add SW IDLs and stub out basic functionality.
294         https://bugs.webkit.org/show_bug.cgi?id=175115
295
296         Reviewed by Chris Dumez.
297
298         * Configurations/FeatureDefines.xcconfig:
299
300         * runtime/CommonIdentifiers.h:
301
302 2017-08-03  Mark Lam  <mark.lam@apple.com>
303
304         Rename ScratchBuffer::activeLengthPtr to addressOfActiveLength.
305         https://bugs.webkit.org/show_bug.cgi?id=175142
306         <rdar://problem/33704528>
307
308         Reviewed by Filip Pizlo.
309
310         The convention in the rest of JSC for such methods which return the address of
311         a field is to name them "addressOf<field name>".  We'll rename
312         ScratchBuffer::activeLengthPtr to be consistent with this convention.
313
314         * dfg/DFGSpeculativeJIT.cpp:
315         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
316         * dfg/DFGSpeculativeJIT32_64.cpp:
317         (JSC::DFG::SpeculativeJIT::compile):
318         * dfg/DFGSpeculativeJIT64.cpp:
319         (JSC::DFG::SpeculativeJIT::compile):
320         * dfg/DFGThunks.cpp:
321         (JSC::DFG::osrExitGenerationThunkGenerator):
322         * ftl/FTLLowerDFGToB3.cpp:
323         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
324         (JSC::FTL::DFG::LowerDFGToB3::compileNewArrayWithSpread):
325         * ftl/FTLThunks.cpp:
326         (JSC::FTL::genericGenerationThunkGenerator):
327         * jit/AssemblyHelpers.cpp:
328         (JSC::AssemblyHelpers::debugCall):
329         * jit/ScratchRegisterAllocator.cpp:
330         (JSC::ScratchRegisterAllocator::preserveUsedRegistersToScratchBufferForCall):
331         (JSC::ScratchRegisterAllocator::restoreUsedRegistersFromScratchBufferForCall):
332         * runtime/VM.h:
333         (JSC::ScratchBuffer::addressOfActiveLength):
334         (JSC::ScratchBuffer::activeLengthPtr): Deleted.
335         * wasm/WasmBinding.cpp:
336         (JSC::Wasm::wasmToJs):
337
338 2017-08-02  Devin Rousso  <drousso@apple.com>
339
340         Web Inspector: add stack trace information for each RecordingAction
341         https://bugs.webkit.org/show_bug.cgi?id=174663
342
343         Reviewed by Joseph Pecoraro.
344
345         * inspector/ScriptCallFrame.h:
346         Add `operator==` so that when a ScriptCallFrame object is held in a Vector, calling `find`
347         with an existing value doesn't require a functor and can use existing code.
348
349         * interpreter/StackVisitor.h:
350         * interpreter/StackVisitor.cpp:
351         (JSC::StackVisitor::Frame::isWasmFrame const): Inlined in header.
352
353 2017-08-02  Yusuke Suzuki  <utatane.tea@gmail.com>
354
355         Merge WTFThreadData to Thread::current
356         https://bugs.webkit.org/show_bug.cgi?id=174716
357
358         Reviewed by Mark Lam.
359
360         Use Thread::current() instead.
361
362         * API/JSContext.mm:
363         (+[JSContext currentContext]):
364         (+[JSContext currentThis]):
365         (+[JSContext currentCallee]):
366         (+[JSContext currentArguments]):
367         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
368         (-[JSContext endCallbackWithData:]):
369         * heap/Heap.cpp:
370         (JSC::Heap::requestCollection):
371         * runtime/Completion.cpp:
372         (JSC::checkSyntax):
373         (JSC::checkModuleSyntax):
374         (JSC::evaluate):
375         (JSC::loadAndEvaluateModule):
376         (JSC::loadModule):
377         (JSC::linkAndEvaluateModule):
378         (JSC::importModule):
379         * runtime/Identifier.cpp:
380         (JSC::Identifier::checkCurrentAtomicStringTable):
381         * runtime/InitializeThreading.cpp:
382         (JSC::initializeThreading):
383         * runtime/JSLock.cpp:
384         (JSC::JSLock::didAcquireLock):
385         (JSC::JSLock::willReleaseLock):
386         (JSC::JSLock::dropAllLocks):
387         (JSC::JSLock::grabAllLocks):
388         * runtime/JSLock.h:
389         * runtime/VM.cpp:
390         (JSC::VM::VM):
391         (JSC::VM::updateStackLimits):
392         (JSC::VM::committedStackByteCount):
393         * runtime/VM.h:
394         (JSC::VM::isSafeToRecurse const):
395         * runtime/VMEntryScope.cpp:
396         (JSC::VMEntryScope::VMEntryScope):
397         * runtime/VMInlines.h:
398         (JSC::VM::ensureStackCapacityFor):
399         * yarr/YarrPattern.cpp:
400         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
401
402 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
403
404         LLInt should do pointer caging
405         https://bugs.webkit.org/show_bug.cgi?id=175036
406
407         Reviewed by Keith Miller.
408
409         Implementing this in the LLInt was challenging because offlineasm did not previously know
410         how to load from globals. This teaches it how to do that on Darwin/x86_64, which happens
411         to be where the Gigacage is enabled right now.
412
413         * llint/LLIntOfflineAsmConfig.h:
414         * llint/LowLevelInterpreter64.asm:
415         * offlineasm/ast.rb:
416         * offlineasm/x86.rb:
417
418 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
419
420         Sweeping should only scribble when sweeping to free list
421         https://bugs.webkit.org/show_bug.cgi?id=175105
422
423         Reviewed by Saam Barati.
424         
425         I just saw a crash on the bots where a destructor call attempt dereferenced scribbled memory. This
426         can happen because the bump path of specializedSweep will scribble in SweepOnly, which replaces the
427         zap word (i.e. 0) with the scribble word (i.e. 0xbadbeef0). This is a recent regression, since we
428         didn't use to do destruction on the bump path. No destruction, no zapping. Looking at the pop
429         path, we only scribble when we SweepToFreeList. This ensures that we only overwrite the zap word
430         when it doesn't matter anyway because we're building a free list.
431         
432         This is a fix for those crashes on the bots because it means that we'll no longer scribble over the
433         zap.
434
435         * heap/MarkedBlockInlines.h:
436         (JSC::MarkedBlock::Handle::specializedSweep):
437
438 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
439
440         All C++ accesses to JSObject::m_butterfly should do caging
441         https://bugs.webkit.org/show_bug.cgi?id=175039
442
443         Reviewed by Keith Miller.
444         
445         Makes JSObject::m_butterfly an AuxiliaryBarrier<CagedPtr<Butterfly>> and adopts the CagedPtr<> API.
446         This ensures that you can't cause C++ code to access a butterfly that has been rewired to point
447         outside the gigacage.
448
449         * runtime/JSArray.cpp:
450         (JSC::JSArray::setLength):
451         (JSC::JSArray::pop):
452         (JSC::JSArray::push):
453         (JSC::JSArray::shiftCountWithAnyIndexingType):
454         (JSC::JSArray::unshiftCountWithAnyIndexingType):
455         (JSC::JSArray::fillArgList):
456         (JSC::JSArray::copyToArguments):
457         * runtime/JSObject.cpp:
458         (JSC::JSObject::heapSnapshot):
459         (JSC::JSObject::createInitialIndexedStorage):
460         (JSC::JSObject::createArrayStorage):
461         (JSC::JSObject::convertUndecidedToInt32):
462         (JSC::JSObject::convertUndecidedToDouble):
463         (JSC::JSObject::convertUndecidedToContiguous):
464         (JSC::JSObject::convertInt32ToDouble):
465         (JSC::JSObject::convertInt32ToArrayStorage):
466         (JSC::JSObject::convertDoubleToContiguous):
467         (JSC::JSObject::convertDoubleToArrayStorage):
468         (JSC::JSObject::convertContiguousToArrayStorage):
469         (JSC::JSObject::defineOwnIndexedProperty):
470         (JSC::JSObject::putByIndexBeyondVectorLengthWithoutAttributes):
471         (JSC::JSObject::ensureLengthSlow):
472         (JSC::JSObject::allocateMoreOutOfLineStorage):
473         * runtime/JSObject.h:
474         (JSC::JSObject::canGetIndexQuickly):
475         (JSC::JSObject::getIndexQuickly):
476         (JSC::JSObject::tryGetIndexQuickly const):
477         (JSC::JSObject::canSetIndexQuickly):
478         (JSC::JSObject::setIndexQuickly):
479         (JSC::JSObject::initializeIndex):
480         (JSC::JSObject::initializeIndexWithoutBarrier):
481         (JSC::JSObject::butterfly const):
482         (JSC::JSObject::butterfly):
483
484 2017-08-02  Filip Pizlo  <fpizlo@apple.com>
485
486         We should be OK with the gigacage being disabled on gmalloc
487         https://bugs.webkit.org/show_bug.cgi?id=175082
488
489         Reviewed by Michael Saboff.
490
491         * jsc.cpp:
492         (jscmain):
493
494 2017-08-02  Saam Barati  <sbarati@apple.com>
495
496         On memory-constrained iOS devices, reduce the rate at which the JS heap grows before a GC to try to keep more memory available for the system
497         https://bugs.webkit.org/show_bug.cgi?id=175041
498         <rdar://problem/33659370>
499
500         Reviewed by Filip Pizlo.
501
502         The testing I have done shows that this new function is a ~10%
503         progression running JetStream on 1GB iOS devices. I've also tried
504         this on a few > 1GB iOS devices, and the testing shows this is either neutral
505         or a regression. Right now, we'll just enable this for <= 1GB devices
506         since it's a win. In the future, we might want to either look into
507         tweaking these parameters or coming up with a new function for > 1GB
508         devices.
509
510         * heap/Heap.cpp:
511         * runtime/Options.h:
512
513 2017-08-01  Filip Pizlo  <fpizlo@apple.com>
514
515         Bmalloc and GC should put auxiliaries (butterflies, typed array backing stores) in a gigacage (separate multi-GB VM region)
516         https://bugs.webkit.org/show_bug.cgi?id=174727
517
518         Reviewed by Mark Lam.
519         
520         This adopts the Gigacage for the GigacageSubspace, which we use for Auxiliary allocations. Also, in
521         one place in the code - the FTL codegen for butterfly and typed array access - we "cage" the accesses
522         themselves. Basically, we do masking to ensure that the pointer points into the gigacage.
523         
524         This is neutral on JetStream.
525
526         * CMakeLists.txt:
527         * JavaScriptCore.xcodeproj/project.pbxproj:
528         * b3/B3InsertionSet.cpp:
529         (JSC::B3::InsertionSet::execute):
530         * dfg/DFGAbstractInterpreterInlines.h:
531         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
532         * dfg/DFGArgumentsEliminationPhase.cpp:
533         * dfg/DFGClobberize.cpp:
534         (JSC::DFG::readsOverlap):
535         * dfg/DFGClobberize.h:
536         (JSC::DFG::clobberize):
537         * dfg/DFGDoesGC.cpp:
538         (JSC::DFG::doesGC):
539         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp: Added.
540         (JSC::DFG::performFixedButterflyAccessUncaging):
541         * dfg/DFGFixedButterflyAccessUncagingPhase.h: Added.
542         * dfg/DFGFixupPhase.cpp:
543         (JSC::DFG::FixupPhase::fixupNode):
544         * dfg/DFGHeapLocation.cpp:
545         (WTF::printInternal):
546         * dfg/DFGHeapLocation.h:
547         * dfg/DFGNodeType.h:
548         * dfg/DFGPlan.cpp:
549         (JSC::DFG::Plan::compileInThreadImpl):
550         * dfg/DFGPredictionPropagationPhase.cpp:
551         * dfg/DFGSafeToExecute.h:
552         (JSC::DFG::safeToExecute):
553         * dfg/DFGSpeculativeJIT.cpp:
554         (JSC::DFG::SpeculativeJIT::compileGetButterfly):
555         * dfg/DFGSpeculativeJIT32_64.cpp:
556         (JSC::DFG::SpeculativeJIT::compile):
557         * dfg/DFGSpeculativeJIT64.cpp:
558         (JSC::DFG::SpeculativeJIT::compile):
559         * dfg/DFGTypeCheckHoistingPhase.cpp:
560         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantStructureChecks):
561         (JSC::DFG::TypeCheckHoistingPhase::identifyRedundantArrayChecks):
562         * ftl/FTLCapabilities.cpp:
563         (JSC::FTL::canCompile):
564         * ftl/FTLLowerDFGToB3.cpp:
565         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
566         (JSC::FTL::DFG::LowerDFGToB3::compileGetButterfly):
567         (JSC::FTL::DFG::LowerDFGToB3::compileGetIndexedPropertyStorage):
568         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
569         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharAt):
570         (JSC::FTL::DFG::LowerDFGToB3::compileStringCharCodeAt):
571         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucket):
572         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
573         (JSC::FTL::DFG::LowerDFGToB3::compileToLowerCase):
574         (JSC::FTL::DFG::LowerDFGToB3::caged):
575         * heap/GigacageSubspace.cpp: Added.
576         (JSC::GigacageSubspace::GigacageSubspace):
577         (JSC::GigacageSubspace::~GigacageSubspace):
578         (JSC::GigacageSubspace::tryAllocateAlignedMemory):
579         (JSC::GigacageSubspace::freeAlignedMemory):
580         (JSC::GigacageSubspace::canTradeBlocksWith):
581         * heap/GigacageSubspace.h: Added.
582         * heap/Heap.cpp:
583         (JSC::Heap::Heap):
584         (JSC::Heap::lastChanceToFinalize):
585         (JSC::Heap::finalize):
586         (JSC::Heap::sweepInFinalize):
587         (JSC::Heap::updateAllocationLimits):
588         (JSC::Heap::shouldDoFullCollection):
589         (JSC::Heap::collectIfNecessaryOrDefer):
590         (JSC::Heap::reportWebAssemblyFastMemoriesAllocated): Deleted.
591         (JSC::Heap::webAssemblyFastMemoriesThisCycleAtThreshold const): Deleted.
592         (JSC::Heap::sweepLargeAllocations): Deleted.
593         (JSC::Heap::didAllocateWebAssemblyFastMemories): Deleted.
594         * heap/Heap.h:
595         * heap/LargeAllocation.cpp:
596         (JSC::LargeAllocation::tryCreate):
597         (JSC::LargeAllocation::destroy):
598         * heap/MarkedAllocator.cpp:
599         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
600         (JSC::MarkedAllocator::tryAllocateBlock):
601         * heap/MarkedBlock.cpp:
602         (JSC::MarkedBlock::tryCreate):
603         (JSC::MarkedBlock::Handle::Handle):
604         (JSC::MarkedBlock::Handle::~Handle):
605         (JSC::MarkedBlock::Handle::didAddToAllocator):
606         (JSC::MarkedBlock::Handle::subspace const): Deleted.
607         * heap/MarkedBlock.h:
608         (JSC::MarkedBlock::Handle::subspace const):
609         * heap/MarkedSpace.cpp:
610         (JSC::MarkedSpace::~MarkedSpace):
611         (JSC::MarkedSpace::freeMemory):
612         (JSC::MarkedSpace::prepareForAllocation):
613         (JSC::MarkedSpace::addMarkedAllocator):
614         (JSC::MarkedSpace::findEmptyBlockToSteal): Deleted.
615         * heap/MarkedSpace.h:
616         (JSC::MarkedSpace::firstAllocator const):
617         (JSC::MarkedSpace::allocatorForEmptyAllocation const): Deleted.
618         * heap/Subspace.cpp:
619         (JSC::Subspace::Subspace):
620         (JSC::Subspace::canTradeBlocksWith):
621         (JSC::Subspace::tryAllocateAlignedMemory):
622         (JSC::Subspace::freeAlignedMemory):
623         (JSC::Subspace::prepareForAllocation):
624         (JSC::Subspace::findEmptyBlockToSteal):
625         * heap/Subspace.h:
626         (JSC::Subspace::didCreateFirstAllocator):
627         * heap/SubspaceInlines.h:
628         (JSC::Subspace::forEachAllocator):
629         (JSC::Subspace::forEachMarkedBlock):
630         (JSC::Subspace::forEachNotEmptyMarkedBlock):
631         * jit/JITPropertyAccess.cpp:
632         (JSC::JIT::emitDoubleLoad):
633         (JSC::JIT::emitContiguousLoad):
634         (JSC::JIT::emitArrayStorageLoad):
635         (JSC::JIT::emitGenericContiguousPutByVal):
636         (JSC::JIT::emitArrayStoragePutByVal):
637         (JSC::JIT::emit_op_get_from_scope):
638         (JSC::JIT::emit_op_put_to_scope):
639         (JSC::JIT::emitIntTypedArrayGetByVal):
640         (JSC::JIT::emitFloatTypedArrayGetByVal):
641         (JSC::JIT::emitIntTypedArrayPutByVal):
642         (JSC::JIT::emitFloatTypedArrayPutByVal):
643         * jsc.cpp:
644         (fillBufferWithContentsOfFile):
645         (functionReadFile):
646         (gigacageDisabled):
647         (jscmain):
648         * llint/LowLevelInterpreter64.asm:
649         * runtime/ArrayBuffer.cpp:
650         (JSC::ArrayBufferContents::tryAllocate):
651         (JSC::ArrayBuffer::createAdopted):
652         (JSC::ArrayBuffer::createFromBytes):
653         (JSC::ArrayBuffer::tryCreate):
654         * runtime/IndexingHeader.h:
655         * runtime/InitializeThreading.cpp:
656         (JSC::initializeThreading):
657         * runtime/JSArrayBuffer.cpp:
658         * runtime/JSArrayBufferView.cpp:
659         (JSC::JSArrayBufferView::ConstructionContext::ConstructionContext):
660         (JSC::JSArrayBufferView::finalize):
661         * runtime/JSLock.cpp:
662         (JSC::JSLock::didAcquireLock):
663         * runtime/JSObject.h:
664         * runtime/Options.cpp:
665         (JSC::recomputeDependentOptions):
666         * runtime/Options.h:
667         * runtime/ScopedArgumentsTable.h:
668         * runtime/VM.cpp:
669         (JSC::VM::VM):
670         (JSC::VM::~VM):
671         (JSC::VM::gigacageDisabledCallback):
672         (JSC::VM::gigacageDisabled):
673         * runtime/VM.h:
674         (JSC::VM::fireGigacageEnabledIfNecessary):
675         (JSC::VM::gigacageEnabled):
676         * wasm/WasmB3IRGenerator.cpp:
677         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
678         (JSC::Wasm::B3IRGenerator::emitCheckAndPreparePointer):
679         * wasm/WasmCodeBlock.cpp:
680         (JSC::Wasm::CodeBlock::isSafeToRun):
681         * wasm/WasmMemory.cpp:
682         (JSC::Wasm::makeString):
683         (JSC::Wasm::Memory::create):
684         (JSC::Wasm::Memory::~Memory):
685         (JSC::Wasm::Memory::addressIsInActiveFastMemory):
686         (JSC::Wasm::Memory::grow):
687         (JSC::Wasm::Memory::initializePreallocations): Deleted.
688         (JSC::Wasm::Memory::maxFastMemoryCount): Deleted.
689         * wasm/WasmMemory.h:
690         * wasm/js/JSWebAssemblyInstance.cpp:
691         (JSC::JSWebAssemblyInstance::create):
692         * wasm/js/JSWebAssemblyMemory.cpp:
693         (JSC::JSWebAssemblyMemory::grow):
694         (JSC::JSWebAssemblyMemory::finishCreation):
695         * wasm/js/JSWebAssemblyMemory.h:
696         (JSC::JSWebAssemblyMemory::subspaceFor):
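
        The caging idea described in the two Gigacage entries above (mask a pointer so that it can only land
        inside the cage, and wrap JSObject::m_butterfly in a CagedPtr<> so that C++ accesses go through that
        mask), as an added C++ example that is not WebKit's code. The 1 MiB heap-backed cage, the Butterfly
        and Object layouts, the bump-style placement at a fixed offset, and the CagedPtr interface shown here
        are assumptions for illustration; WebKit's Gigacage is a multi-GB VM reservation managed by bmalloc
        and its CagedPtr<> has its own implementation.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <new>
#include <vector>

namespace cage {

// Hypothetical cage for the demo: a 1 MiB power-of-two region carved out of an
// ordinary heap allocation. WebKit's Gigacage is a multi-GB VM reservation made
// by bmalloc; only the masking idea is the same.
constexpr size_t kCageSize = size_t(1) << 20;
constexpr uintptr_t kCageMask = kCageSize - 1;

struct Cage {
    std::vector<uint8_t> storage;
    uintptr_t base;

    Cage() : storage(kCageSize * 2) {
        // Round the base up to a multiple of kCageSize so that
        // (pointer & kCageMask) is exactly the offset from base.
        uintptr_t raw = reinterpret_cast<uintptr_t>(storage.data());
        base = (raw + kCageMask) & ~kCageMask;
    }
    bool contains(const void* p) const {
        uintptr_t v = reinterpret_cast<uintptr_t>(p);
        return v >= base && v < base + kCageSize;
    }
};

inline Cage& theCage() { static Cage c; return c; }

// The caging step: keep only the in-cage offset bits of whatever value we were
// handed and rebase them on the cage. A legitimate in-cage pointer is unchanged;
// a pointer that has been rewired to point elsewhere lands back inside the cage.
template <typename T>
inline T* cagePointer(T* candidate) {
    uintptr_t v = reinterpret_cast<uintptr_t>(candidate);
    return reinterpret_cast<T*>(theCage().base + (v & kCageMask));
}

// Smart pointer that applies the mask on every dereference, so C++ code cannot
// reach memory outside the cage through it even if the stored bits are corrupted.
template <typename T>
class CagedPtr {
public:
    CagedPtr() = default;
    explicit CagedPtr(T* p) : m_ptr(p) {}
    T* get() const { return m_ptr ? cagePointer(m_ptr) : nullptr; }
    T* operator->() const { return get(); }
    T& operator*() const { return *get(); }
    T* rawBits() const { return m_ptr; } // the stored value, without caging
private:
    T* m_ptr { nullptr };
};

} // namespace cage

// Stand-in for a butterfly header (assumption: two length fields).
struct Butterfly {
    uint32_t publicLength;
    uint32_t vectorLength;
};

// Stand-in for an object whose butterfly pointer is caged, in the spirit of the
// JSObject::m_butterfly change in the entry for bug 175039 above.
struct Object {
    cage::CagedPtr<Butterfly> butterfly;
};

// Place a Butterfly at `offset` bytes into the cage and point an Object at it
// (fixed-offset placement is an assumption for the demo, not a real allocator).
inline Object makeObject(size_t offset, uint32_t length) {
    assert(offset + sizeof(Butterfly) <= cage::kCageSize);
    void* slot = reinterpret_cast<void*>(cage::theCage().base + offset);
    Butterfly* b = new (slot) Butterfly { length, length };
    return Object { cage::CagedPtr<Butterfly>(b) };
}

inline uint32_t readLength(const Object& o) { return o.butterfly->publicLength; }

// Memory outside the cage that a corrupted butterfly pointer will be aimed at.
static int g_outsideTarget = 0;

// Simulate heap corruption that rewires the stored pointer to g_outsideTarget,
// then show that every access through the CagedPtr still lands inside the cage.
inline bool rewiredButterflyStaysInCage() {
    Object o = makeObject(8192, 3);
    void* outside = &g_outsideTarget;
    std::memcpy(&o.butterfly, &outside, sizeof(void*)); // overwrite the raw bits
    const cage::Cage& c = cage::theCage();
    bool rawEscapes = !c.contains(o.butterfly.rawBits());
    bool cagedInside = c.contains(o.butterfly.get());
    return rawEscapes && cagedInside;
}

int main() {
    Object o = makeObject(4096, 7);
    assert(readLength(o) == 7);
    assert(rewiredButterflyStaysInCage());
    return 0;
}
```

        Build with any C++11 or later compiler and run. The point is the last function: after the stored
        pointer is overwritten with the address of a global outside the cage, get() still yields an in-cage
        address, so a rewired butterfly can at worst alias other caged data rather than arbitrary memory.
        That is the same property the FTL's caged() lowering and the LLInt pointer caging entries above
        aim for in generated code.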
697
698 2017-07-31  Mark Lam  <mark.lam@apple.com>
699
700         Added some UNLIKELYs to operationOptimize().
701         https://bugs.webkit.org/show_bug.cgi?id=174976
702
703         Reviewed by JF Bastien.
704
705         * jit/JITOperations.cpp:
706
707 2017-07-31  Keith Miller  <keith_miller@apple.com>
708
709         Make more things LLInt constexprs
710         https://bugs.webkit.org/show_bug.cgi?id=174994
711
712         Reviewed by Saam Barati.
713
714         This patch makes more of the LLInt's const values constexprs.
715         It also deletes all of the no longer necessary static_asserts in
716         LLIntData.cpp. Finally, it fixes a typo in parser.rb.
717
718         * interpreter/ShadowChicken.h:
719         (JSC::ShadowChicken::Packet::tailMarker):
720         * llint/LLIntData.cpp:
721         (JSC::LLInt::Data::performAssertions):
722         * llint/LowLevelInterpreter.asm:
723         * offlineasm/generate_offset_extractor.rb:
724         * offlineasm/parser.rb:
725
726 2017-07-31  Matt Lewis  <jlewis3@apple.com>
727
728         Unreviewed, rolling out r220060.
729
730         This broke our internal builds. Contact reviewer of patch for
731         more information.
732
733         Reverted changeset:
734
735         "Merge WTFThreadData to Thread::current"
736         https://bugs.webkit.org/show_bug.cgi?id=174716
737         http://trac.webkit.org/changeset/220060
738
739 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
740
741         [JSC] Support optional catch binding
742         https://bugs.webkit.org/show_bug.cgi?id=174981
743
744         Reviewed by Saam Barati.
745
746         This patch implements the optional catch binding proposal[1], which is now at stage 3.
747         This proposal adds a new `catch` brace with no error value binding.
748
749             ```
750                 try {
751                     ...
752                 } catch {
753                     ...
754                 }
755             ```
756
757         Sometimes we actually do not need to get the error value. For example, the function returns
758         a boolean which indicates whether the function succeeds.
759
760             ```
761             function parse(result) // -> bool
762             {
763                  try {
764                      parseInner(result);
765                  } catch {
766                      return false;
767                  }
768                  return true;
769             }
770             ```
771
772         In the above case, we are not interested in the actual error value. Without this syntax,
773         we always need to introduce a binding for an error value that is just ignored.
774
775         [1]: https://michaelficarra.github.io/optional-catch-binding-proposal/
776
777         * bytecompiler/NodesCodegen.cpp:
778         (JSC::TryNode::emitBytecode):
779         * parser/Parser.cpp:
780         (JSC::Parser<LexerType>::parseTryStatement):
781
782 2017-07-31  Yusuke Suzuki  <utatane.tea@gmail.com>
783
784         Merge WTFThreadData to Thread::current
785         https://bugs.webkit.org/show_bug.cgi?id=174716
786
787         Reviewed by Sam Weinig.
788
789         Use Thread::current() instead.
790
791         * API/JSContext.mm:
792         (+[JSContext currentContext]):
793         (+[JSContext currentThis]):
794         (+[JSContext currentCallee]):
795         (+[JSContext currentArguments]):
796         (-[JSContext beginCallbackWithData:calleeValue:thisValue:argumentCount:arguments:]):
797         (-[JSContext endCallbackWithData:]):
798         * heap/Heap.cpp:
799         (JSC::Heap::requestCollection):
800         * runtime/Completion.cpp:
801         (JSC::checkSyntax):
802         (JSC::checkModuleSyntax):
803         (JSC::evaluate):
804         (JSC::loadAndEvaluateModule):
805         (JSC::loadModule):
806         (JSC::linkAndEvaluateModule):
807         (JSC::importModule):
808         * runtime/Identifier.cpp:
809         (JSC::Identifier::checkCurrentAtomicStringTable):
810         * runtime/InitializeThreading.cpp:
811         (JSC::initializeThreading):
812         * runtime/JSLock.cpp:
813         (JSC::JSLock::didAcquireLock):
814         (JSC::JSLock::willReleaseLock):
815         (JSC::JSLock::dropAllLocks):
816         (JSC::JSLock::grabAllLocks):
817         * runtime/JSLock.h:
818         * runtime/VM.cpp:
819         (JSC::VM::VM):
820         (JSC::VM::updateStackLimits):
821         (JSC::VM::committedStackByteCount):
822         * runtime/VM.h:
823         (JSC::VM::isSafeToRecurse const):
824         * runtime/VMEntryScope.cpp:
825         (JSC::VMEntryScope::VMEntryScope):
826         * runtime/VMInlines.h:
827         (JSC::VM::ensureStackCapacityFor):
828         * yarr/YarrPattern.cpp:
829         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse const):
830
831 2017-07-30  Yusuke Suzuki  <utatane.tea@gmail.com>
832
833         [WTF] Introduce Private Symbols
834         https://bugs.webkit.org/show_bug.cgi?id=174935
835
836         Reviewed by Darin Adler.
837
838         Use SymbolImpl::isPrivate().
839
840         * builtins/BuiltinNames.cpp:
841         * builtins/BuiltinNames.h:
842         (JSC::BuiltinNames::isPrivateName): Deleted.
843         * builtins/BuiltinUtils.h:
844         * bytecode/BytecodeIntrinsicRegistry.cpp:
845         (JSC::BytecodeIntrinsicRegistry::lookup):
846         * runtime/CommonIdentifiers.cpp:
847         (JSC::CommonIdentifiers::isPrivateName): Deleted.
848         * runtime/CommonIdentifiers.h:
849         * runtime/ExceptionHelpers.cpp:
850         (JSC::createUndefinedVariableError):
851         * runtime/Identifier.h:
852         (JSC::Identifier::isPrivateName):
853         * runtime/IdentifierInlines.h:
854         (JSC::identifierToSafePublicJSValue):
855         * runtime/ObjectConstructor.cpp:
856         (JSC::objectConstructorAssign):
857         (JSC::defineProperties):
858         (JSC::setIntegrityLevel):
859         (JSC::testIntegrityLevel):
860         (JSC::ownPropertyKeys):
861         * runtime/PrivateName.h:
862         (JSC::PrivateName::PrivateName):
863         * runtime/PropertyName.h:
864         (JSC::PropertyName::isPrivateName):
865         * runtime/ProxyObject.cpp:
866         (JSC::performProxyGet):
867         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
868         (JSC::ProxyObject::performHasProperty):
869         (JSC::ProxyObject::performPut):
870         (JSC::ProxyObject::performDelete):
871         (JSC::ProxyObject::performDefineOwnProperty):
872
873 2017-07-29  Keith Miller  <keith_miller@apple.com>
874
875         LLInt offsets extractor should be able to handle C++ constexprs
876         https://bugs.webkit.org/show_bug.cgi?id=174964
877
878         Reviewed by Saam Barati.
879
880         This patch adds new syntax to the offline asm language. The new keyword,
881         constexpr, takes the subsequent identifier and maps it to a C++ constexpr
882         expression. Additionally, if the value is not an identifier you can wrap it in
883         parentheses. e.g. constexpr (myConstexprFunction() + OBJECT_OFFSET(Foo, bar)),
884         which will get converted into:
885         static_cast<int64_t>(myConstexprFunction() + OBJECT_OFFSET(Foo, bar));
886
887         This patch also changes the data format the LLIntOffsetsExtractor
888         binary produces.  Previously, it would produce unsigned values;
889         after this patch every value is an int64_t.  Using an int64_t is
890         useful because it means that we can represent any constant needed.
891         int32_t masks are sign extended, then passed and converted to a
892         negative literal string in the assembler so it will be the constant
893         expected.
894
895         * llint/LLIntOffsetsExtractor.cpp:
896         (JSC::LLIntOffsetsExtractor::dummy):
897         * llint/LowLevelInterpreter.asm:
898         * llint/LowLevelInterpreter64.asm:
899         * offlineasm/asm.rb:
900         * offlineasm/ast.rb:
901         * offlineasm/generate_offset_extractor.rb:
902         * offlineasm/offsets.rb:
903         * offlineasm/parser.rb:
904         * offlineasm/transform.rb:
905
906 2017-07-28  Matt Baker  <mattbaker@apple.com>
907
908         Web Inspector: capture an async stack trace when web content calls addEventListener
909         https://bugs.webkit.org/show_bug.cgi?id=174739
910         <rdar://problem/33468197>
911
912         Reviewed by Brian Burg.
913
914         Allow debugger agents to perform custom logic when asynchronous stack
915         trace data is cleared. For example, the PageDebuggerAgent would clear
916         its list of registered listeners for which call stacks have been recorded.
917
918         * inspector/agents/InspectorDebuggerAgent.cpp:
919         (Inspector::InspectorDebuggerAgent::clearAsyncStackTraceData):
920         * inspector/agents/InspectorDebuggerAgent.h:
921
922 2017-07-28  Mark Lam  <mark.lam@apple.com>
923
924         ObjectToStringAdaptiveStructureWatchpoint should not fire if it's dying imminently.
925         https://bugs.webkit.org/show_bug.cgi?id=174948
926         <rdar://problem/33495680>
927
928         Reviewed by Filip Pizlo.
929
930         ObjectToStringAdaptiveStructureWatchpoint is owned by StructureRareData.  If its
931         owner StructureRareData is already known to be dead (in terms of GC liveness) but
932         hasn't been destructed yet (i.e. not swept by the GC yet), we should ignore all
933         requests to fire this watchpoint.
934
935         If the GC had the chance to sweep the StructureRareData, thereby destructing the
936         ObjectToStringAdaptiveStructureWatchpoint, it (the watchpoint) would have removed
937         itself from the WatchpointSet it was on.  Hence, it would not have been fired.
938
939         But since the watchpoint hasn't been destructed yet, it still remains on the
940         WatchpointSet and needs to guard against being fired in this state.  The fix is
941         to simply return early if its owner StructureRareData is not live.  This has the
942         effect of the watchpoint fire being a no-op, which is equivalent to the watchpoint
943         not firing as we would expect.
944
945         This patch also removes some cargo cult copying of watchpoint code which
946         instantiates a StringFireDetail.  In a few cases, that StringFireDetail is never
947         used.  This patch removes these unnecessary instantiations.
948
949         * bytecode/LLIntPrototypeLoadAdaptiveStructureWatchpoint.cpp:
950         (JSC::LLIntPrototypeLoadAdaptiveStructureWatchpoint::fireInternal):
951         * runtime/StructureRareData.cpp:
952         (JSC::ObjectToStringAdaptiveStructureWatchpoint::fireInternal):
953         (JSC::ObjectToStringAdaptiveInferredPropertyValueWatchpoint::handleFire):
954
955 2017-07-28  Yusuke Suzuki  <utatane.tea@gmail.com>
956
957         ASSERTION FAILED: candidate->op() == PhantomCreateRest || candidate->op() == PhantomDirectArguments || candidate->op() == PhantomClonedArguments || candidate->op() == PhantomSpread || candidate->op() == PhantomNewArrayWithSpread
958         https://bugs.webkit.org/show_bug.cgi?id=174900
959
960         Reviewed by Saam Barati.
961
962         In the arguments elimination phase, due to the high cost of AI, we intentionally do not run AI.
963         Instead, we use ForceOSRExit etc. (pseudo terminals) so as not to look into unreachable nodes.
964         The problem is that even the transforming phase also checks these pseudo terminals.
965
966             BB1
967             1: ForceOSRExit
968             2: CreateDirectArguments
969
970             BB2
971             3: GetButterfly(@2)
972             4: ForceOSRExit
973
974         In the above case, @2 is not converted to PhantomDirectArguments. But @3 is processed. And the assertion fires.
975
976         In this patch, we do not list candidates after seeing pseudo terminals in basic blocks.
977
978         * dfg/DFGArgumentsEliminationPhase.cpp:
979
980 2017-07-27  Oleksandr Skachkov  <gskachkov@gmail.com>
981
982         [ES] Add support finally to Promise
983         https://bugs.webkit.org/show_bug.cgi?id=174503
984
985         Reviewed by Yusuke Suzuki.
986
987         Add support for the `finally` method to Promise according
988         to https://bugs.webkit.org/show_bug.cgi?id=174503
989         The current spec is at STAGE 3:
990         https://github.com/tc39/proposal-promise-finally
991
992         * builtins/PromisePrototype.js:
993         (finally):
994         (const.valueThunk):
995         (globalPrivate.getThenFinally):
996         (const.thrower):
997         (globalPrivate.getCatchFinally):
998         * runtime/JSPromisePrototype.cpp:
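
A spec-shaped Promise.prototype.finally in plain JavaScript, added here as an example and not JSC's builtin source; the helper names (getThenFinally, getCatchFinally, valueThunk, thrower, withFinally, runFinallySemanticsChecks) mirror the entry above but are hypothetical, and the check function exercises the observable semantics (value pass-through, throw override, waiting on a pending result, non-callable handler).

```javascript
// Added example: spec-shaped Promise.prototype.finally. Hypothetical helper
// names mirror the ChangeLog entry; this is not JSC's builtin implementation.

// PromiseResolve(C, x): reuse x if it is already a promise of constructor C.
function promiseResolve(C, x) {
  if (x instanceof Promise && x.constructor === C) return x;
  return new C((resolve) => resolve(x));
}

// SpeciesConstructor(promise, Promise): honour subclasses via Symbol.species.
function speciesConstructor(promise, defaultCtor) {
  const C = promise.constructor;
  if (C === undefined) return defaultCtor;
  const S = C[Symbol.species];
  return (S === undefined || S === null) ? defaultCtor : S;
}

function getThenFinally(onFinally, C) {
  return function thenFinally(value) {
    const result = onFinally();            // called with no arguments
    const p = promiseResolve(C, result);   // waits if onFinally returned a promise
    const valueThunk = () => value;        // original value wins over onFinally's result
    return p.then(valueThunk);
  };
}

function getCatchFinally(onFinally, C) {
  return function catchFinally(reason) {
    const result = onFinally();
    const p = promiseResolve(C, result);
    const thrower = () => { throw reason; };  // re-raise the original rejection
    return p.then(thrower);
  };
}

function promiseFinally(onFinally) {
  const promise = this;
  if (promise === null || typeof promise !== 'object')
    throw new TypeError('Promise.prototype.finally requires an object receiver');
  const C = speciesConstructor(promise, Promise);
  let thenFinally, catchFinally;
  if (typeof onFinally !== 'function') {
    thenFinally = onFinally;    // non-callable: handed to then(), which ignores it
    catchFinally = onFinally;
  } else {
    thenFinally = getThenFinally(onFinally, C);
    catchFinally = getCatchFinally(onFinally, C);
  }
  return promise.then(thenFinally, catchFinally);
}

// Convenience wrapper so the prototype is not patched.
function withFinally(promise, onFinally) {
  return promiseFinally.call(promise, onFinally);
}

// Capture a promise's settled outcome as a plain object.
function settle(p) {
  return p.then((v) => ({ state: 'fulfilled', value: v }),
                (e) => ({ state: 'rejected', reason: e }));
}

// Exercise the observable semantics on constructed inputs.
async function runFinallySemanticsChecks() {
  const calls = [];
  const out = {};
  out.passValue = await settle(withFinally(Promise.resolve(42),
    (...args) => { calls.push(args.length); return 'ignored'; }));
  out.passReason = await settle(withFinally(Promise.reject(new Error('boom')),
    () => 'ignored'));
  out.throwOverrides = await settle(withFinally(Promise.resolve(42),
    () => { throw new Error('override'); }));
  out.rejectedOverrides = await settle(withFinally(Promise.resolve(42),
    () => Promise.reject(new Error('async override'))));
  out.waitsForPending = await settle(withFinally(Promise.resolve(7),
    () => new Promise((r) => setTimeout(r, 10, 'late'))));
  out.nonCallable = await settle(withFinally(Promise.resolve('x'), 123));
  out.argCount = calls[0];  // onFinally receives no arguments
  out.nativeAgrees = typeof Promise.prototype.finally === 'function'
    ? (await settle(Promise.resolve(42).finally(() => 'ignored'))).value === 42
    : null;
  return out;
}
```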
999
1000 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1001
1002         Unreviewed, build fix for CLoop
1003         https://bugs.webkit.org/show_bug.cgi?id=171637
1004
1005         * domjit/DOMJITGetterSetter.h:
1006
1007 2017-07-27  Yusuke Suzuki  <utatane.tea@gmail.com>
1008
1009         Hoist DOM binding attribute getter prologue into JavaScriptCore taking advantage of DOMJIT / CheckSubClass
1010         https://bugs.webkit.org/show_bug.cgi?id=171637
1011
1012         Reviewed by Darin Adler.
1013
1014         Each DOM attribute getter has code to perform a ClassInfo check. But it is largely duplicated and causes code bloat.
1015         In this patch, we move the ClassInfo check from WebCore to JSC and reduce code size.
1016
1017         We introduce DOMAnnotation, which has a ClassInfo* and a DOMJIT::GetterSetter*. If the getter is not a DOMJIT getter, this
1018         DOMJIT::GetterSetter is nullptr. We support such a CustomAccessorGetter in all the JIT tiers.
1019
1020         In IC, we drop CheckSubClass completely since IC's Structure check subsumes it. We do not enable this optimization for
1021         the op_get_by_id_with_this case yet.
1022         In DFG and FTL, we emit a CheckSubClass node, which is typically removed by a CheckStructure leading to the CheckSubClass.
1023
1024         And we add DOMAttributeGetterSetter, which is a derived class of CustomGetterSetter. It holds a DOMAnnotation and performs the
1025         ClassInfo check.
1026
1027         * CMakeLists.txt:
1028         * JavaScriptCore.xcodeproj/project.pbxproj:
1029         * bytecode/AccessCase.cpp:
1030         (JSC::AccessCase::generateImpl):
1031         * bytecode/GetByIdStatus.cpp:
1032         (JSC::GetByIdStatus::computeForStubInfoWithoutExitSiteFeedback):
1033         * bytecode/GetByIdVariant.cpp:
1034         (JSC::GetByIdVariant::GetByIdVariant):
1035         (JSC::GetByIdVariant::operator=):
1036         (JSC::GetByIdVariant::attemptToMerge):
1037         (JSC::GetByIdVariant::dumpInContext):
1038         * bytecode/GetByIdVariant.h:
1039         (JSC::GetByIdVariant::customAccessorGetter):
1040         (JSC::GetByIdVariant::domAttribute):
1041         (JSC::GetByIdVariant::domJIT): Deleted.
1042         * bytecode/GetterSetterAccessCase.cpp:
1043         (JSC::GetterSetterAccessCase::create):
1044         (JSC::GetterSetterAccessCase::GetterSetterAccessCase):
1045         (JSC::GetterSetterAccessCase::emitDOMJITGetter):
1046         * bytecode/GetterSetterAccessCase.h:
1047         (JSC::GetterSetterAccessCase::domAttribute):
1048         (JSC::GetterSetterAccessCase::customAccessor):
1049         (JSC::GetterSetterAccessCase::domJIT): Deleted.
1050         * bytecompiler/BytecodeGenerator.cpp:
1051         (JSC::BytecodeGenerator::instantiateLexicalVariables):
1052         * create_hash_table:
1053         * dfg/DFGAbstractInterpreterInlines.h:
1054         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1055         * dfg/DFGByteCodeParser.cpp:
1056         (JSC::DFG::blessCallDOMGetter):
1057         (JSC::DFG::ByteCodeParser::handleDOMJITGetter):
1058         (JSC::DFG::ByteCodeParser::handleGetById):
1059         * dfg/DFGClobberize.h:
1060         (JSC::DFG::clobberize):
1061         * dfg/DFGFixupPhase.cpp:
1062         (JSC::DFG::FixupPhase::fixupNode):
1063         * dfg/DFGNode.h:
1064         * dfg/DFGSpeculativeJIT.cpp:
1065         (JSC::DFG::SpeculativeJIT::compileCallDOMGetter):
1066         * dfg/DFGSpeculativeJIT.h:
1067         (JSC::DFG::SpeculativeJIT::callCustomGetter):
1068         * domjit/DOMJITGetterSetter.h:
1069         (JSC::DOMJIT::GetterSetter::GetterSetter):
1070         (JSC::DOMJIT::GetterSetter::getter):
1071         (JSC::DOMJIT::GetterSetter::compiler):
1072         (JSC::DOMJIT::GetterSetter::resultType):
1073         (JSC::DOMJIT::GetterSetter::~GetterSetter): Deleted.
1074         (JSC::DOMJIT::GetterSetter::setter): Deleted.
1075         (JSC::DOMJIT::GetterSetter::thisClassInfo): Deleted.
1076         * ftl/FTLLowerDFGToB3.cpp:
1077         (JSC::FTL::DFG::LowerDFGToB3::compileCallDOMGetter):
1078         * jit/Repatch.cpp:
1079         (JSC::tryCacheGetByID):
1080         * jsc.cpp:
1081         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
1082         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
1083         (WTF::DOMJITGetter::customGetter):
1084         (WTF::DOMJITGetter::finishCreation):
1085         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
1086         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
1087         (WTF::DOMJITGetterComplex::customGetter):
1088         (WTF::DOMJITGetterComplex::finishCreation):
1089         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1090         (WTF::DOMJITGetter::DOMJITNodeDOMJIT::slowCall): Deleted.
1091         (WTF::DOMJITGetter::domJITNodeGetterSetter): Deleted.
1092         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::DOMJITNodeDOMJIT): Deleted.
1093         (WTF::DOMJITGetterComplex::DOMJITNodeDOMJIT::slowCall): Deleted.
1094         (WTF::DOMJITGetterComplex::domJITNodeGetterSetter): Deleted.
1095         * runtime/CustomGetterSetter.h:
1096         (JSC::CustomGetterSetter::create):
1097         (JSC::CustomGetterSetter::setter):
1098         (JSC::CustomGetterSetter::CustomGetterSetter):
1099         (): Deleted.
1100         * runtime/DOMAnnotation.h: Added.
1101         (JSC::operator==):
1102         (JSC::operator!=):
1103         * runtime/DOMAttributeGetterSetter.cpp: Added.
1104         * runtime/DOMAttributeGetterSetter.h: Copied from Source/JavaScriptCore/runtime/CustomGetterSetter.h.
1105         (JSC::isDOMAttributeGetterSetter):
1106         * runtime/Error.cpp:
1107         (JSC::throwDOMAttributeGetterTypeError):
1108         * runtime/Error.h:
1109         (JSC::throwVMDOMAttributeGetterTypeError):
1110         * runtime/JSCustomGetterSetterFunction.cpp:
1111         (JSC::JSCustomGetterSetterFunction::customGetterSetterFunctionCall):
1112         * runtime/JSObject.cpp:
1113         (JSC::JSObject::putInlineSlow):
1114         (JSC::JSObject::deleteProperty):
1115         (JSC::JSObject::getOwnStaticPropertySlot):
1116         (JSC::JSObject::reifyAllStaticProperties):
1117         (JSC::JSObject::fillGetterPropertySlot):
1118         (JSC::JSObject::findPropertyHashEntry): Deleted.
1119         * runtime/JSObject.h:
1120         (JSC::JSObject::getOwnNonIndexPropertySlot):
1121         (JSC::JSObject::fillCustomGetterPropertySlot):
1122         * runtime/Lookup.cpp:
1123         (JSC::setUpStaticFunctionSlot):
1124         * runtime/Lookup.h:
1125         (JSC::HashTableValue::domJIT):
1126         (JSC::getStaticPropertySlotFromTable):
1127         (JSC::putEntry):
1128         (JSC::lookupPut):
1129         (JSC::reifyStaticProperty):
1130         (JSC::reifyStaticProperties):
1131         Each static property table has a new ClassInfo* field. It indicates which ClassInfo check the DOMAttributes registered in
1132         this static property table require.
1133
1134         * runtime/ProgramExecutable.cpp:
1135         (JSC::ProgramExecutable::initializeGlobalProperties):
1136         * runtime/PropertyName.h:
1137         * runtime/PropertySlot.cpp:
1138         (JSC::PropertySlot::customGetter):
1139         (JSC::PropertySlot::customAccessorGetter):
1140         * runtime/PropertySlot.h:
1141         (JSC::PropertySlot::domAttribute):
1142         (JSC::PropertySlot::setCustom):
1143         (JSC::PropertySlot::setCacheableCustom):
1144         (JSC::PropertySlot::getValue):
1145         (JSC::PropertySlot::domJIT): Deleted.
1146         * runtime/VM.cpp:
1147         (JSC::VM::VM):
1148         * runtime/VM.h:
1149
1150 2017-07-26  Devin Rousso  <drousso@apple.com>
1151
1152         Web Inspector: create protocol for recording Canvas contexts
1153         https://bugs.webkit.org/show_bug.cgi?id=174481
1154
1155         Reviewed by Joseph Pecoraro.
1156
1157         * inspector/protocol/Canvas.json:
1158          - Add `requestRecording` command to mark the provided canvas as having requested a recording.
1159          - Add `cancelRecording` command to clear a previously marked canvas and flush any recorded data.
1160          - Add `recordingFinished` event that is fired once a recording is finished.
1161
1162         * CMakeLists.txt:
1163         * DerivedSources.make:
1164         * inspector/protocol/Recording.json: Added.
1165          - Add `Type` enum that lists the types of recordings
1166          - Add `InitialState` type that contains information about the canvas context at the
1167            beginning of the recording.
1168          - Add `Frame` type that holds a list of actions that were recorded.
1169          - Add `Recording` type as the container object of recording data.
1170
1171         * inspector/scripts/codegen/generate_js_backend_commands.py:
1172         (JSBackendCommandsGenerator.generate_domain):
1173         Create an agent for domains with no events or commands.
1174
1175         * inspector/InspectorValues.h:
1176         Make Array `get` public so that values can be retrieved if needed.
1177
1178 2017-07-26  Brian Burg  <bburg@apple.com>
1179
1180         Remove WEB_TIMING feature flag
1181         https://bugs.webkit.org/show_bug.cgi?id=174795
1182
1183         Reviewed by Alex Christensen.
1184
1185         * Configurations/FeatureDefines.xcconfig:
1186
1187 2017-07-26  Mark Lam  <mark.lam@apple.com>
1188
1189         Add the ability to change sp and pc to the ARM64 JIT probe.
1190         https://bugs.webkit.org/show_bug.cgi?id=174697
1191         <rdar://problem/33436965>
1192
1193         Reviewed by JF Bastien.
1194
1195         This patch implements the following:
1196
1197         1. The ARM64 probe now supports modifying the pc and sp.
1198
1199            However, lr is not preserved when modifying the pc because it is used as the
1200            scratch register for the indirect jump. Hence, the probe handler function
1201            may not modify both lr and pc in the same probe invocation.
1202
1203         2. Fix probe tests to use bitwise comparison when comparing double register
1204            values. Otherwise, equivalent nan values will be interpreted as not equivalent.
1205
1206         3. Change the minimum offset increment in testProbeModifiesStackPointer to be
1207            16 bytes for ARM64.  This is because the ARM64 probe now uses the ldp and stp
1208            instructions which require 16 byte alignment for their memory access.
1209
1210         * assembler/MacroAssemblerARM64.cpp:
1211         (JSC::arm64ProbeError):
1212         (JSC::MacroAssembler::probe):
1213         (JSC::arm64ProbeTrampoline): Deleted.
1214         * assembler/testmasm.cpp:
1215         (JSC::isSpecialGPR):
1216         (JSC::testProbeReadsArgumentRegisters):
1217         (JSC::testProbeWritesArgumentRegisters):
1218         (JSC::testProbePreservesGPRS):
1219         (JSC::testProbeModifiesStackPointer):
1220         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1221         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1222
1223 2017-07-25  JF Bastien  <jfbastien@apple.com>
1224
1225         WebAssembly: generate smaller binaries
1226         https://bugs.webkit.org/show_bug.cgi?id=174818
1227
1228         Reviewed by Filip Pizlo.
1229
1230         This patch reduces generated code size for WebAssembly in 2 ways:
1231
1232         1. Use the ZR register when storing zero on ARM64.
1233         2. Synthesize wasm context lazily.
1234
1235         This leads to a modest size reduction on both x86-64 and ARM64 for
1236         large WebAssembly games, without any performance loss on WasmBench
1237         and TitzerBench.
1238
1239         The reason this works is that these games, using Emscripten,
1240         generate 100k+ tiny functions, and our JIT allocation granule
1241         rounds all allocations up to 32 bytes. There are plenty of other
1242         simple gains to be had, I've filed a follow-up bug at
1243         webkit.org/b/174819
1244
1245         We should further avoid the per-function cost of tiering, which
1246         represents the bulk of code generated for small functions.
1247
1248         * assembler/MacroAssemblerARM64.h:
1249         (JSC::MacroAssemblerARM64::storeZero64):
1250         * assembler/MacroAssemblerX86_64.h:
1251         (JSC::MacroAssemblerX86_64::storeZero64):
1252         * b3/B3LowerToAir.cpp:
1253         (JSC::B3::Air::LowerToAir::createStore): this doesn't make sense
1254         for x86 because it constrains register reuse and codegen in a way
1255         that doesn't affect ARM64 because it has a dedicated zero
1256         register.
1257         * b3/air/AirOpcode.opcodes: add the storeZero64 opcode.
1258         * wasm/WasmB3IRGenerator.cpp:
1259         (JSC::Wasm::B3IRGenerator::instanceValue):
1260         (JSC::Wasm::B3IRGenerator::restoreWasmContext):
1261         (JSC::Wasm::B3IRGenerator::B3IRGenerator):
1262         (JSC::Wasm::B3IRGenerator::materializeWasmContext): Deleted.
1263
1264 2017-07-23  Filip Pizlo  <fpizlo@apple.com>
1265
1266         B3 should do LICM
1267         https://bugs.webkit.org/show_bug.cgi?id=174750
1268
1269         Reviewed by Keith Miller and Saam Barati.
1270         
1271         Added a LICM phase to B3. This phase is called hoistLoopInvariantValues, to conform to the B3 naming
1272         convention for phases (it has to be an imperative). The phase uses NaturalLoops and BackwardsDominators,
1273         so this adds those analyses to B3. BackwardsDominators was already available in templatized form. This
1274         change templatizes DFG::NaturalLoops so that we can just use it.
1275         
1276         The LICM phase itself is really simple. We are decently precise with our handling of everything except
1277         the relationship between control dependence and side exits.
1278         
1279         Also added a bunch of tests.
1280         
1281         This isn't super important. It's perf-neutral on JS benchmarks. FTL already does LICM on DFG SSA IR, and
1282         probably all current WebAssembly content has had LICM done to it. That being said, this is a cheap phase
1283         so it doesn't hurt to have it.
1284         
1285         I wrote it because I thought I needed it for bug 174727. It turns out that there's a better way to
1286         handle the problem I had, so I ended up not needing it - but by then I had already written it. I think
1287         it's good to have it because LICM is one of those core compiler phases; every compiler has it
1288         eventually.
1289
1290         * CMakeLists.txt:
1291         * JavaScriptCore.xcodeproj/project.pbxproj:
1292         * b3/B3BackwardsCFG.h: Added.
1293         (JSC::B3::BackwardsCFG::BackwardsCFG):
1294         * b3/B3BackwardsDominators.h: Added.
1295         (JSC::B3::BackwardsDominators::BackwardsDominators):
1296         * b3/B3BasicBlock.cpp:
1297         (JSC::B3::BasicBlock::appendNonTerminal):
1298         * b3/B3Effects.h:
1299         * b3/B3EnsureLoopPreHeaders.cpp: Added.
1300         (JSC::B3::ensureLoopPreHeaders):
1301         * b3/B3EnsureLoopPreHeaders.h: Added.
1302         * b3/B3Generate.cpp:
1303         (JSC::B3::generateToAir):
1304         * b3/B3HoistLoopInvariantValues.cpp: Added.
1305         (JSC::B3::hoistLoopInvariantValues):
1306         * b3/B3HoistLoopInvariantValues.h: Added.
1307         * b3/B3NaturalLoops.h: Added.
1308         (JSC::B3::NaturalLoops::NaturalLoops):
1309         * b3/B3Procedure.cpp:
1310         (JSC::B3::Procedure::invalidateCFG):
1311         (JSC::B3::Procedure::naturalLoops):
1312         (JSC::B3::Procedure::backwardsCFG):
1313         (JSC::B3::Procedure::backwardsDominators):
1314         * b3/B3Procedure.h:
1315         * b3/testb3.cpp:
1316         (JSC::B3::generateLoop):
1317         (JSC::B3::makeArrayForLoops):
1318         (JSC::B3::generateLoopNotBackwardsDominant):
1319         (JSC::B3::oneFunction):
1320         (JSC::B3::noOpFunction):
1321         (JSC::B3::testLICMPure):
1322         (JSC::B3::testLICMPureSideExits):
1323         (JSC::B3::testLICMPureWritesPinned):
1324         (JSC::B3::testLICMPureWrites):
1325         (JSC::B3::testLICMReadsLocalState):
1326         (JSC::B3::testLICMReadsPinned):
1327         (JSC::B3::testLICMReads):
1328         (JSC::B3::testLICMPureNotBackwardsDominant):
1329         (JSC::B3::testLICMPureFoiledByChild):
1330         (JSC::B3::testLICMPureNotBackwardsDominantFoiledByChild):
1331         (JSC::B3::testLICMExitsSideways):
1332         (JSC::B3::testLICMWritesLocalState):
1333         (JSC::B3::testLICMWrites):
1334         (JSC::B3::testLICMFence):
1335         (JSC::B3::testLICMWritesPinned):
1336         (JSC::B3::testLICMControlDependent):
1337         (JSC::B3::testLICMControlDependentNotBackwardsDominant):
1338         (JSC::B3::testLICMControlDependentSideExits):
1339         (JSC::B3::testLICMReadsPinnedWritesPinned):
1340         (JSC::B3::testLICMReadsWritesDifferentHeaps):
1341         (JSC::B3::testLICMReadsWritesOverlappingHeaps):
1342         (JSC::B3::testLICMDefaultCall):
1343         (JSC::B3::run):
1344         * dfg/DFGBasicBlock.h:
1345         * dfg/DFGCFG.h:
1346         * dfg/DFGNaturalLoops.cpp: Removed.
1347         * dfg/DFGNaturalLoops.h:
1348         (JSC::DFG::NaturalLoops::NaturalLoops):
1349         (JSC::DFG::NaturalLoop::NaturalLoop): Deleted.
1350         (JSC::DFG::NaturalLoop::header): Deleted.
1351         (JSC::DFG::NaturalLoop::size): Deleted.
1352         (JSC::DFG::NaturalLoop::at): Deleted.
1353         (JSC::DFG::NaturalLoop::operator[]): Deleted.
1354         (JSC::DFG::NaturalLoop::contains): Deleted.
1355         (JSC::DFG::NaturalLoop::index): Deleted.
1356         (JSC::DFG::NaturalLoop::isOuterMostLoop): Deleted.
1357         (JSC::DFG::NaturalLoop::addBlock): Deleted.
1358         (JSC::DFG::NaturalLoops::numLoops): Deleted.
1359         (JSC::DFG::NaturalLoops::loop): Deleted.
1360         (JSC::DFG::NaturalLoops::headerOf): Deleted.
1361         (JSC::DFG::NaturalLoops::innerMostLoopOf): Deleted.
1362         (JSC::DFG::NaturalLoops::innerMostOuterLoop): Deleted.
1363         (JSC::DFG::NaturalLoops::belongsTo): Deleted.
1364         (JSC::DFG::NaturalLoops::loopDepth): Deleted.
1365
1366 2017-07-24  Filip Pizlo  <fpizlo@apple.com>
1367
1368         GC should be fine with trading blocks between destructor and non-destructor blocks
1369         https://bugs.webkit.org/show_bug.cgi?id=174811
1370
1371         Reviewed by Mark Lam.
1372         
1373         Our GC has the ability to trade blocks between MarkedAllocators. A MarkedAllocator is a
1374         size-class-within-a-Subspace. The ability to trade helps reduce memory wastage due to
1375         fragmentation. Prior to this change, this only worked between blocks that did not have destructors.
1376         This was partly a policy decision. But mostly, it was fallout from the way we use the `empty` block
1377         set.
1378         
1379         Here's how `empty` used to work. If a block is empty, we don't run destructors. We say that a block
1380         is empty if:
1381         
1382         A) It has no live objects and it's a non-destructor block, or
1383         B) We just allocated it (so it has no destructors even if it's a destructor block), or
1384         C) We just stole it from another allocator (so it also has no destructors), or
1385         D) We just swept the block and ran all destructors.
1386         
1387         Case (A) is for trading blocks. That's how a different MarkedAllocator would know that this is a
1388         block that could be stolen.
1389
1390         Cases (B) and (C) need to be detected for correctness, since otherwise we might try to run
1391         destructors in blocks that have garbage bits. In that case, the isZapped check won't detect that
1392         cells don't need destruction, so without having the `empty` bit we would try to destruct garbage
1393         and crash. Currently, we know that we have cases (B) and (C) when the block is empty.
1394         
1395         Case (D) is necessary for detecting which blocks can be removed when we `shrink` the heap.
1396         
1397         If we tried to enable trading of blocks between allocators without making any changes to how
1398         `empty` works, then it just would not work. We have to set the `empty` bits of blocks that have no
1399         live objects in order for those bits to be candidates for trading. But if we do that, then our
1400         logic for cases (B-D) will think that the block has no destructible objects. That's bad, since then
1401         our destructors won't run and we'll leak memory.
1402         
1403         This change fixes this issue by decoupling the "do I have destructors" question from the "do I have
1404         live objects" question by introducing a new `destructible` bitvector. The GC flags all live blocks
1405         as being destructible at the end. We clear the destructible bit in cases (B-D). Cases (B-C) are
1406         handled entirely by the new destructible bit, while case (D) is detected by looking for blocks that
1407         are (empty & ~destructible).
1408         
1409         Then we can simply remove all destructor-oriented special-casing of the `empty` bit. And we can
1410         remove destructor-oriented special-casing of block trading.
1411
1412         This is a perf-neutral change. We expect most free memory to be in non-destructor blocks anyway,
1413         so this change is more about clean-up than perf. But, this could reduce memory usage in some
1414         pathological cases.
1415         
1416         * heap/MarkedAllocator.cpp:
1417         (JSC::MarkedAllocator::findEmptyBlockToSteal):
1418         (JSC::MarkedAllocator::tryAllocateWithoutCollecting):
1419         (JSC::MarkedAllocator::endMarking):
1420         (JSC::MarkedAllocator::shrink):
1421         (JSC::MarkedAllocator::shouldStealEmptyBlocksFromOtherAllocators): Deleted.
1422         * heap/MarkedAllocator.h:
1423         * heap/MarkedBlock.cpp:
1424         (JSC::MarkedBlock::Handle::lastChanceToFinalize):
1425         (JSC::MarkedBlock::Handle::sweep):
1426         * heap/MarkedBlockInlines.h:
1427         (JSC::MarkedBlock::Handle::specializedSweep):
1428         (JSC::MarkedBlock::Handle::finishSweepKnowingSubspace):
1429         (JSC::MarkedBlock::Handle::emptyMode):
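
        The following is an added illustrative model of the `empty` / `destructible` block bits
        described in the entry above; it is not JSC's own code. The Block struct, its counters
        (`allocated`, `live`, `markBitsValid`) and the function names are assumptions made for the
        illustration. It shows why a single `empty` bit cannot serve both as "tradeable" and "nothing
        to destruct": under the old rule, marking a dead-but-destructible block `empty` skips its
        destructors (a leak), while the separate `destructible` bit lets sweep run them and still never
        consult garbage mark bits in freshly allocated or stolen blocks (cases B and C).

```cpp
#include <cassert>
#include <cstddef>

// Simplified model (added example, not JSC code) of the MarkedBlock `empty` and
// `destructible` bits. Names and counters are assumptions for illustration.
namespace BlockModel {

struct Block {
    bool hasDestructors = false;   // block belongs to a destructor Subspace
    size_t allocated = 0;          // cells allocated into the block
    size_t live = 0;               // cells marked live by the last GC
    bool markBitsValid = false;    // false in cases (B) and (C): mark bits are garbage
    bool empty = false;            // no live objects: candidate for trading / shrinking
    bool destructible = false;     // may still hold cells whose destructors have not run
};

// Case (B): a freshly allocated block. Its mark bits are uninitialized, so the
// sweeper must not trust them; `destructible` starts cleared.
inline Block newBlock(bool hasDestructors)
{
    Block b;
    b.hasDestructors = hasDestructors;
    b.empty = true;
    return b;
}

inline void allocate(Block& b, size_t cells)
{
    b.allocated += cells;
    b.empty = false;
}

// End of marking: `empty` reflects liveness only. Every visited block of a
// destructor Subspace is flagged `destructible`, whether or not anything survived.
inline void endMarking(Block& b, size_t survivors)
{
    assert(survivors <= b.allocated);
    b.live = survivors;
    b.markBitsValid = true;
    b.empty = (survivors == 0);
    b.destructible = b.hasDestructors && b.allocated > 0;
}

// Old rule: "if a block is empty, we don't run destructors". Once `empty` is also
// set for trading (case A), dead destructible cells are silently leaked.
// Returns the number of destructors run.
inline size_t sweepOldRule(Block& b)
{
    if (b.empty)
        return 0;
    size_t dead = b.allocated - b.live;
    b.allocated = b.live;
    return b.hasDestructors ? dead : 0;
}

// New rule: destructors run iff `destructible` is set, which never holds for
// garbage-bit blocks (B, C). Running them clears the bit (case D).
inline size_t sweepNewRule(Block& b)
{
    if (!b.destructible)
        return 0;
    assert(b.markBitsValid);   // never destruct based on garbage mark bits
    size_t dead = b.allocated - b.live;
    b.allocated = b.live;
    b.destructible = false;
    return dead;
}

// Case (C): trade an empty, already-swept block to another allocator. The new
// owner sees garbage mark bits and no pending destructors.
inline Block steal(const Block& victim)
{
    assert(victim.empty && !victim.destructible);
    Block stolen = victim;
    stolen.markBitsValid = false;
    return stolen;
}

// Case (D) detection used when shrinking the heap.
inline bool canBeShrunk(const Block& b) { return b.empty && !b.destructible; }

} // namespace BlockModel

int main()
{
    using namespace BlockModel;
    Block b = newBlock(true);
    allocate(b, 4);
    endMarking(b, 0);              // everything died; block is empty but destructible
    Block leaky = b;
    assert(sweepOldRule(leaky) == 0);   // old rule: 4 destructors skipped
    assert(sweepNewRule(b) == 4);       // new rule: all 4 run, bit cleared
    assert(canBeShrunk(b));
    Block stolen = steal(b);
    assert(sweepNewRule(stolen) == 0);  // garbage bits are never consulted
    return 0;
}
```

        The `markBitsValid` assertion inside `sweepNewRule` is the property the entry is after: with
        `destructible` cleared in cases (B) and (C), the sweeper can only reach the destructor path for
        blocks whose mark bits were actually produced by the GC.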
1430
1431 2017-07-25  Keith Miller  <keith_miller@apple.com>
1432
1433         Remove Broken CompareEq constant folding phase.
1434         https://bugs.webkit.org/show_bug.cgi?id=174846
1435         <rdar://problem/32978808>
1436
1437         Reviewed by Saam Barati.
1438
1439         This bug happened when we would get code like the following:
1440
1441         a: JSConst(Undefined)
1442         b: GetLocal(SomeObjectOrUndefined)
1443         ...
1444         c: CompareEq(Check:ObjectOrOther:b, Check:ObjectOrOther:a)
1445
1446         constant folding will turn this into:
1447
1448         a: JSConst(Undefined)
1449         b: GetLocal(SomeObjectOrUndefined)
1450         ...
1451         c: CompareEq(Check:ObjectOrOther:b, Other:a)
1452
1453         But the SpeculativeJIT/FTL lowering will fail to check b
1454         properly which leads to an assertion failure in the AI.
1455
1456         I'll follow up with a more robust fix later. For now, I'll remove the
1457         case that generates the code. Removing the code appears to be perf
1458         neutral.
1459
1460         * dfg/DFGConstantFoldingPhase.cpp:
1461         (JSC::DFG::ConstantFoldingPhase::foldConstants):
1462
1463 2017-07-25  Matt Baker  <mattbaker@apple.com>
1464
1465         Web Inspector: Refactoring: extract async stack trace logic from InspectorInstrumentation
1466         https://bugs.webkit.org/show_bug.cgi?id=174738
1467
1468         Reviewed by Brian Burg.
1469
1470         Move AsyncCallType enum to InspectorDebuggerAgent, which manages async
1471         stack traces. This preserves the call type in JSC, makes the range of
1472         possible call types explicit, and is safer than passing ints.
1473
1474         * inspector/agents/InspectorDebuggerAgent.cpp:
1475         (Inspector::InspectorDebuggerAgent::asyncCallIdentifier):
1476         (Inspector::InspectorDebuggerAgent::didScheduleAsyncCall):
1477         (Inspector::InspectorDebuggerAgent::didCancelAsyncCall):
1478         (Inspector::InspectorDebuggerAgent::willDispatchAsyncCall):
1479         * inspector/agents/InspectorDebuggerAgent.h:
1480
1481 2017-07-25  Mark Lam  <mark.lam@apple.com>
1482
1483         Fix bugs in probe code to change sp on x86, x86_64 and 32-bit ARM.
1484         https://bugs.webkit.org/show_bug.cgi?id=174809
1485         <rdar://problem/33504759>
1486
1487         Reviewed by Filip Pizlo.
1488
1489         1. When the probe handler function changes the sp register to point to the
1490            region of stack in the middle of the ProbeContext on the stack, there is a
1491            bug where the ProbeContext's register values to be restored can be over-written
1492            before they can be restored.  This is now fixed.
1493
1494         2. Added more robust probe tests for changing the sp register.
1495
1496         3. Made existing probe tests ensure that probe handlers were actually called.
1497
1498         4. Added some verification to testProbePreservesGPRS().
1499
1500         5. Changed all the probe tests to fail early on discovering an error instead of
1501            batching till the end of the test.  This helps point a finger to the failing
1502            issue earlier.
1503
1504         This patch was tested on x86, x86_64, and ARMv7.  ARM64 probe code will be fixed
1505         next in https://bugs.webkit.org/show_bug.cgi?id=174697.
1506
1507         * assembler/MacroAssemblerARM.cpp:
1508         * assembler/MacroAssemblerARMv7.cpp:
1509         * assembler/MacroAssemblerX86Common.cpp:
1510         * assembler/testmasm.cpp:
1511         (JSC::testProbeReadsArgumentRegisters):
1512         (JSC::testProbeWritesArgumentRegisters):
1513         (JSC::testProbePreservesGPRS):
1514         (JSC::testProbeModifiesStackPointer):
1515         (JSC::testProbeModifiesStackPointerToInsideProbeContextOnStack):
1516         (JSC::testProbeModifiesStackPointerToNBytesBelowSP):
1517         (JSC::testProbeModifiesProgramCounter):
1518         (JSC::run):
1519
1520 2017-07-25  Brian Burg  <bburg@apple.com>
1521
1522         Web Automation: add support for uploading files
1523         https://bugs.webkit.org/show_bug.cgi?id=174797
1524         <rdar://problem/28485063>
1525
1526         Reviewed by Joseph Pecoraro.
1527
1528         * inspector/scripts/generate-inspector-protocol-bindings.py:
1529         (generate_from_specification):
1530         Start generating frontend dispatcher code if the target framework is 'WebKit'.
1531
1532         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1533         (CppFrontendDispatcherImplementationGenerator.generate_output):
1534         Use a framework include for InspectorFrontendRouter.h since this generated code
1535         will be compiled outside of WebCore.framework.
1536
1537         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1538         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1539         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1540         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1541         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1542         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1543         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1544         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1545         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1546         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1547         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1548         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1549         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1550         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1551         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1552         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1553         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1554         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1555         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1556         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1557         Rebaseline code generator tests.
1558
1559 2017-07-24  Mark Lam  <mark.lam@apple.com>
1560
1561         Gardening: fixed C Loop build after r219790.
1562         https://bugs.webkit.org/show_bug.cgi?id=174696
1563
1564         Not reviewed.
1565
1566         * assembler/testmasm.cpp:
1567
1568 2017-07-23  Mark Lam  <mark.lam@apple.com>
1569
1570         Create regression tests for the JIT probe.
1571         https://bugs.webkit.org/show_bug.cgi?id=174696
1572         <rdar://problem/33436922>
1573
1574         Reviewed by Saam Barati.
1575
1576         The new testmasm will test the following:
1577         1. the probe is able to read the value of CPU registers.
1578         2. the probe is able to write the value of CPU registers.
1579         3. the probe is able to preserve all CPU registers.
1580         4. special case of (2): the probe is able to change the value of the stack pointer.
1581         5. special case of (2): the probe is able to change the value of the program counter
1582            i.e. the probe can change where the code continues executing upon returning from
1583            the probe.
1584
1585         Currently, the x86, x86_64, and ARMv7 ports pass the test.  ARM64 does not
1586         because it does not support changing the sp and pc yet.  The ARM64 probe
1587         implementation will be fixed in https://bugs.webkit.org/show_bug.cgi?id=174697
1588         later.
1589
1590         * Configurations/ToolExecutable.xcconfig:
1591         * JavaScriptCore.xcodeproj/project.pbxproj:
1592         * assembler/MacroAssembler.h:
1593         (JSC::MacroAssembler::CPUState::pc):
1594         (JSC::MacroAssembler::CPUState::fp):
1595         (JSC::MacroAssembler::CPUState::sp):
1596         (JSC::ProbeContext::pc):
1597         (JSC::ProbeContext::fp):
1598         (JSC::ProbeContext::sp):
1599         * assembler/MacroAssemblerARM64.cpp:
1600         (JSC::arm64ProbeTrampoline):
1601         * assembler/MacroAssemblerPrinter.cpp:
1602         (JSC::Printer::printPCRegister):
1603         * assembler/testmasm.cpp: Added.
1604         (hiddenTruthBecauseNoReturnIsStupid):
1605         (usage):
1606         (JSC::nextID):
1607         (JSC::isPC):
1608         (JSC::isSP):
1609         (JSC::isFP):
1610         (JSC::compile):
1611         (JSC::invoke):
1612         (JSC::compileAndRun):
1613         (JSC::testSimple):
1614         (JSC::testProbeReadsArgumentRegisters):
1615         (JSC::testProbeWritesArgumentRegisters):
1616         (JSC::testFunctionToTrashRegisters):
1617         (JSC::testProbePreservesGPRS):
1618         (JSC::testProbeModifiesStackPointer):
1619         (JSC::testProbeModifiesProgramCounter):
1620         (JSC::run):
1621         (run):
1622         (main):
1623         * b3/air/testair.cpp:
1624         (usage):
1625         * shell/CMakeLists.txt:
1626
1627 2017-07-14  Filip Pizlo  <fpizlo@apple.com>
1628
1629         It should be easy to decide how WebKit yields
1630         https://bugs.webkit.org/show_bug.cgi?id=174298
1631
1632         Reviewed by Saam Barati.
1633         
1634         Use the new WTF::Thread::yield() function for yielding instead of the C++ function.
1635
1636         * heap/Heap.cpp:
1637         (JSC::Heap::resumeThePeriphery):
1638         * heap/VisitingTimeout.h:
1639         * runtime/JSCell.cpp:
1640         (JSC::JSCell::lockSlow):
1641         (JSC::JSCell::unlockSlow):
1642         * runtime/JSCell.h:
1643         * runtime/JSCellInlines.h:
1644         (JSC::JSCell::lock):
1645         (JSC::JSCell::unlock):
1646         * runtime/JSLock.cpp:
1647         (JSC::JSLock::grabAllLocks):
1648         * runtime/SamplingProfiler.cpp:
1649
1650 2017-07-21  Mark Lam  <mark.lam@apple.com>
1651
1652         Refactor MASM probe CPUState to use arrays for register storage.
1653         https://bugs.webkit.org/show_bug.cgi?id=174694
1654
1655         Reviewed by Keith Miller.
1656
1657         Using arrays for register storage in CPUState allows us to do away with the
1658         huge switch statements to decode each register id.  We can now simply index into
1659         the arrays.
1660
1661         With this patch, we now:
1662
1663         1. Remove the need for macros for defining the list of CPU registers.
1664            We can go back to simple enums.  This makes the code easier to read.
1665
1666         2. Make the assembler the authority on register names.
1667            Most of this code is moved into the assembler from GPRInfo and FPRInfo.
1668            GPRInfo and FPRInfo now forward to the assembler.
1669
1670         3. Make the assembler the authority on the number of registers of each type.
1671
1672         4. Fix a "bug" in ARMv7's lastRegister().  It was previously omitting lr and pc.
1673            This is inconsistent with how every other CPU architecture implements
1674            lastRegister().  This patch fixes it to return the true last GPR i.e. pc, but
1675            updates RegisterSet::reservedHardwareRegisters() to exclude those registers.
1676
1677         * assembler/ARM64Assembler.h:
1678         (JSC::ARM64Assembler::numberOfRegisters):
1679         (JSC::ARM64Assembler::firstSPRegister):
1680         (JSC::ARM64Assembler::lastSPRegister):
1681         (JSC::ARM64Assembler::numberOfSPRegisters):
1682         (JSC::ARM64Assembler::numberOfFPRegisters):
1683         (JSC::ARM64Assembler::gprName):
1684         (JSC::ARM64Assembler::sprName):
1685         (JSC::ARM64Assembler::fprName):
1686         * assembler/ARMAssembler.h:
1687         (JSC::ARMAssembler::numberOfRegisters):
1688         (JSC::ARMAssembler::firstSPRegister):
1689         (JSC::ARMAssembler::lastSPRegister):
1690         (JSC::ARMAssembler::numberOfSPRegisters):
1691         (JSC::ARMAssembler::numberOfFPRegisters):
1692         (JSC::ARMAssembler::gprName):
1693         (JSC::ARMAssembler::sprName):
1694         (JSC::ARMAssembler::fprName):
1695         * assembler/ARMv7Assembler.h:
1696         (JSC::ARMv7Assembler::lastRegister):
1697         (JSC::ARMv7Assembler::numberOfRegisters):
1698         (JSC::ARMv7Assembler::firstSPRegister):
1699         (JSC::ARMv7Assembler::lastSPRegister):
1700         (JSC::ARMv7Assembler::numberOfSPRegisters):
1701         (JSC::ARMv7Assembler::numberOfFPRegisters):
1702         (JSC::ARMv7Assembler::gprName):
1703         (JSC::ARMv7Assembler::sprName):
1704         (JSC::ARMv7Assembler::fprName):
1705         * assembler/AbstractMacroAssembler.h:
1706         (JSC::AbstractMacroAssembler::numberOfRegisters):
1707         (JSC::AbstractMacroAssembler::gprName):
1708         (JSC::AbstractMacroAssembler::firstSPRegister):
1709         (JSC::AbstractMacroAssembler::lastSPRegister):
1710         (JSC::AbstractMacroAssembler::numberOfSPRegisters):
1711         (JSC::AbstractMacroAssembler::sprName):
1712         (JSC::AbstractMacroAssembler::numberOfFPRegisters):
1713         (JSC::AbstractMacroAssembler::fprName):
1714         * assembler/MIPSAssembler.h:
1715         (JSC::MIPSAssembler::numberOfRegisters):
1716         (JSC::MIPSAssembler::firstSPRegister):
1717         (JSC::MIPSAssembler::lastSPRegister):
1718         (JSC::MIPSAssembler::numberOfSPRegisters):
1719         (JSC::MIPSAssembler::numberOfFPRegisters):
1720         (JSC::MIPSAssembler::gprName):
1721         (JSC::MIPSAssembler::sprName):
1722         (JSC::MIPSAssembler::fprName):
1723         * assembler/MacroAssembler.h:
1724         (JSC::MacroAssembler::CPUState::gprName):
1725         (JSC::MacroAssembler::CPUState::sprName):
1726         (JSC::MacroAssembler::CPUState::fprName):
1727         (JSC::MacroAssembler::CPUState::gpr):
1728         (JSC::MacroAssembler::CPUState::spr):
1729         (JSC::MacroAssembler::CPUState::fpr):
1730         (JSC::MacroAssembler::CPUState::pc):
1731         (JSC::MacroAssembler::CPUState::fp):
1732         (JSC::MacroAssembler::CPUState::sp):
1733         (JSC::ProbeContext::gpr):
1734         (JSC::ProbeContext::spr):
1735         (JSC::ProbeContext::fpr):
1736         (JSC::ProbeContext::gprName):
1737         (JSC::ProbeContext::sprName):
1738         (JSC::ProbeContext::fprName):
1739         (JSC::MacroAssembler::numberOfRegisters): Deleted.
1740         (JSC::MacroAssembler::numberOfFPRegisters): Deleted.
1741         * assembler/MacroAssemblerARM.cpp:
1742         * assembler/MacroAssemblerARM64.cpp:
1743         (JSC::arm64ProbeTrampoline):
1744         * assembler/MacroAssemblerARMv7.cpp:
1745         * assembler/MacroAssemblerPrinter.cpp:
1746         (JSC::Printer::nextID):
1747         (JSC::Printer::printAllRegisters):
1748         (JSC::Printer::printPCRegister):
1749         (JSC::Printer::printRegisterID):
1750         (JSC::Printer::printAddress):
1751         * assembler/MacroAssemblerX86Common.cpp:
1752         * assembler/X86Assembler.h:
1753         (JSC::X86Assembler::numberOfRegisters):
1754         (JSC::X86Assembler::firstSPRegister):
1755         (JSC::X86Assembler::lastSPRegister):
1756         (JSC::X86Assembler::numberOfSPRegisters):
1757         (JSC::X86Assembler::numberOfFPRegisters):
1758         (JSC::X86Assembler::gprName):
1759         (JSC::X86Assembler::sprName):
1760         (JSC::X86Assembler::fprName):
1761         * jit/FPRInfo.h:
1762         (JSC::FPRInfo::debugName):
1763         * jit/GPRInfo.h:
1764         (JSC::GPRInfo::debugName):
1765         * jit/RegisterSet.cpp:
1766         (JSC::RegisterSet::reservedHardwareRegisters):
1767
1768 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1769
1770         [JSC] Introduce static symbols
1771         https://bugs.webkit.org/show_bug.cgi?id=158863
1772
1773         Reviewed by Darin Adler.
1774
1775         We use StaticSymbolImpl to initialize PrivateNames and builtin Symbols.
1776         As a result, we can share the same Symbol values between VMs and threads.
1777         And we do not need to allocate Ref<SymbolImpl> for these symbols at runtime.
1778
1779         * CMakeLists.txt:
1780         * JavaScriptCore.xcodeproj/project.pbxproj:
1781         * builtins/BuiltinNames.cpp: Added.
1782         Suppress warning C4307, integral constant overflow. It is intentional in constexpr hash value calculation.
1783
1784         * builtins/BuiltinNames.h:
1785         (JSC::BuiltinNames::BuiltinNames):
1786         * builtins/BuiltinUtils.h:
1787
1788 2017-07-21  Yusuke Suzuki  <utatane.tea@gmail.com>
1789
1790         [FTL] Arguments elimination is suppressed by unreachable blocks
1791         https://bugs.webkit.org/show_bug.cgi?id=174352
1792
1793         Reviewed by Filip Pizlo.
1794
1795         If we do not execute `op_get_by_id`, our value profiling tells us unpredictable and DFG emits ForceOSRExit.
1796         The problem is that the arguments elimination phase checks escaping even when ForceOSRExit precedes.
1797         Since GetById without information can escape arguments if it is specified, non-executed code including
1798         op_get_by_id with arguments can escape arguments.
1799
1800         For example,
1801
1802             function test(flag)
1803             {
1804                 if (flag) {
1805                     // This is not executed, but emits GetById with arguments.
1806                     // It prevents us from eliminating materialization.
1807                     return arguments.length;
1808                 }
1809                 return arguments.length;
1810             }
1811             noInline(test);
1812             while (true)
1813                 test(false);
1814
1815         We do not perform CFA and dead-node clipping yet when performing arguments elimination phase.
1816         So this GetById exists and escapes arguments.
1817
1818         To solve this problem, our arguments elimination phase checks preceding pseudo-terminal nodes.
1819         If it is shown, following GetById does not escape arguments. Compared to performing AI, it is
1820         lightweight. But it catches much of typical cases we failed to perform arguments elimination.
1821
1822         * dfg/DFGArgumentsEliminationPhase.cpp:
1823         * dfg/DFGNode.h:
1824         (JSC::DFG::Node::isPseudoTerminal):
1825         * dfg/DFGValidate.cpp:
1826
1827 2017-07-20  Chris Dumez  <cdumez@apple.com>
1828
1829         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable
1830         https://bugs.webkit.org/show_bug.cgi?id=174660
1831
1832         Reviewed by Geoffrey Garen.
1833
1834         Replace calls to Vector::resize() with calls to more efficient shrink() / grow() when applicable.
1835         This essentially replaces a branch to figure out if the new size is less or greater than the
1836         current size by an assertion.
1837
1838         * b3/B3BasicBlockUtils.h:
1839         (JSC::B3::clearPredecessors):
1840         * b3/B3InferSwitches.cpp:
1841         * b3/B3LowerToAir.cpp:
1842         (JSC::B3::Air::LowerToAir::finishAppendingInstructions):
1843         * b3/B3ReduceStrength.cpp:
1844         * b3/B3SparseCollection.h:
1845         (JSC::B3::SparseCollection::packIndices):
1846         * b3/B3UseCounts.cpp:
1847         (JSC::B3::UseCounts::UseCounts):
1848         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
1849         * b3/air/AirEmitShuffle.cpp:
1850         (JSC::B3::Air::emitShuffle):
1851         * b3/air/AirLowerAfterRegAlloc.cpp:
1852         (JSC::B3::Air::lowerAfterRegAlloc):
1853         * b3/air/AirOptimizeBlockOrder.cpp:
1854         (JSC::B3::Air::optimizeBlockOrder):
1855         * bytecode/Operands.h:
1856         (JSC::Operands::ensureLocals):
1857         * bytecode/PreciseJumpTargets.cpp:
1858         (JSC::computePreciseJumpTargetsInternal):
1859         * dfg/DFGBlockInsertionSet.cpp:
1860         (JSC::DFG::BlockInsertionSet::execute):
1861         * dfg/DFGBlockMapInlines.h:
1862         (JSC::DFG::BlockMap<T>::BlockMap):
1863         * dfg/DFGByteCodeParser.cpp:
1864         (JSC::DFG::ByteCodeParser::processSetLocalQueue):
1865         (JSC::DFG::ByteCodeParser::clearCaches):
1866         * dfg/DFGDisassembler.cpp:
1867         (JSC::DFG::Disassembler::Disassembler):
1868         * dfg/DFGFlowIndexing.cpp:
1869         (JSC::DFG::FlowIndexing::recompute):
1870         * dfg/DFGGraph.cpp:
1871         (JSC::DFG::Graph::registerFrozenValues):
1872         * dfg/DFGInPlaceAbstractState.cpp:
1873         (JSC::DFG::setLiveValues):
1874         * dfg/DFGLICMPhase.cpp:
1875         (JSC::DFG::LICMPhase::run):
1876         * dfg/DFGLivenessAnalysisPhase.cpp:
1877         * dfg/DFGNaturalLoops.cpp:
1878         (JSC::DFG::NaturalLoops::NaturalLoops):
1879         * dfg/DFGStoreBarrierClusteringPhase.cpp:
1880         * ftl/FTLLowerDFGToB3.cpp:
1881         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1882         * heap/CodeBlockSet.cpp:
1883         (JSC::CodeBlockSet::deleteUnmarkedAndUnreferenced):
1884         * heap/MarkedSpace.cpp:
1885         (JSC::MarkedSpace::sweepLargeAllocations):
1886         * inspector/ContentSearchUtilities.cpp:
1887         (Inspector::ContentSearchUtilities::findMagicComment):
1888         * interpreter/ShadowChicken.cpp:
1889         (JSC::ShadowChicken::update):
1890         * parser/ASTBuilder.h:
1891         (JSC::ASTBuilder::shrinkOperandStackBy):
1892         * parser/Lexer.h:
1893         (JSC::Lexer::setOffset):
1894         * runtime/RegExpInlines.h:
1895         (JSC::RegExp::matchInline):
1896         * runtime/RegExpPrototype.cpp:
1897         (JSC::genericSplit):
1898         * yarr/RegularExpression.cpp:
1899         (JSC::Yarr::RegularExpression::match):
1900
1901 2017-07-20  Yusuke Suzuki  <utatane.tea@gmail.com>
1902
1903         [WTF] Use ThreadGroup to bookkeep active threads for Mach exception
1904         https://bugs.webkit.org/show_bug.cgi?id=174678
1905
1906         Reviewed by Mark Lam.
1907
1908         Use Thread& instead.
1909
1910         * runtime/JSLock.cpp:
1911         (JSC::JSLock::didAcquireLock):
1912
1913 2017-07-19  Yusuke Suzuki  <utatane.tea@gmail.com>
1914
1915         [WTF] Implement WTF::ThreadGroup
1916         https://bugs.webkit.org/show_bug.cgi?id=174081
1917
1918         Reviewed by Mark Lam.
1919
1920         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
1921         And SamplingProfiler and others interact with WTF::Thread directly.
1922
1923         * API/tests/ExecutionTimeLimitTest.cpp:
1924         * heap/MachineStackMarker.cpp:
1925         (JSC::MachineThreads::MachineThreads):
1926         (JSC::captureStack):
1927         (JSC::MachineThreads::tryCopyOtherThreadStack):
1928         (JSC::MachineThreads::tryCopyOtherThreadStacks):
1929         (JSC::MachineThreads::gatherConservativeRoots):
1930         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
1931         (JSC::ActiveMachineThreadsManager::add): Deleted.
1932         (JSC::ActiveMachineThreadsManager::remove): Deleted.
1933         (JSC::ActiveMachineThreadsManager::contains): Deleted.
1934         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
1935         (JSC::activeMachineThreadsManager): Deleted.
1936         (JSC::MachineThreads::~MachineThreads): Deleted.
1937         (JSC::MachineThreads::addCurrentThread): Deleted.
1938         (): Deleted.
1939         (JSC::MachineThreads::removeThread): Deleted.
1940         (JSC::MachineThreads::removeThreadIfFound): Deleted.
1941         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
1942         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
1943         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
1944         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
1945         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
1946         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
1947         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
1948         * heap/MachineStackMarker.h:
1949         (JSC::MachineThreads::addCurrentThread):
1950         (JSC::MachineThreads::getLock):
1951         (JSC::MachineThreads::threads):
1952         (JSC::MachineThreads::MachineThread::suspend): Deleted.
1953         (JSC::MachineThreads::MachineThread::resume): Deleted.
1954         (JSC::MachineThreads::MachineThread::threadID): Deleted.
1955         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
1956         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
1957         (JSC::MachineThreads::threadsListHead): Deleted.
1958         * runtime/SamplingProfiler.cpp:
1959         (JSC::FrameWalker::isValidFramePointer):
1960         (JSC::SamplingProfiler::SamplingProfiler):
1961         (JSC::SamplingProfiler::takeSample):
1962         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
1963         * runtime/SamplingProfiler.h:
1964         * wasm/WasmMachineThreads.cpp:
1965         (JSC::Wasm::resetInstructionCacheOnAllThreads):
1966
1967 2017-07-18  Andy Estes  <aestes@apple.com>
1968
1969         [Xcode] Enable CLANG_WARN_RANGE_LOOP_ANALYSIS
1970         https://bugs.webkit.org/show_bug.cgi?id=174631
1971
1972         Reviewed by Tim Horton.
1973
1974         * Configurations/Base.xcconfig:
1975         * b3/B3FoldPathConstants.cpp:
1976         * b3/B3LowerMacros.cpp:
1977         * b3/air/AirAllocateRegistersByGraphColoring.cpp:
1978         * dfg/DFGByteCodeParser.cpp:
1979         (JSC::DFG::ByteCodeParser::check):
1980         (JSC::DFG::ByteCodeParser::planLoad):
1981
1982 2017-07-18  Yusuke Suzuki  <utatane.tea@gmail.com>
1983
1984         WTF::Thread should have the threads stack bounds.
1985         https://bugs.webkit.org/show_bug.cgi?id=173975
1986
1987         Reviewed by Mark Lam.
1988
1989         There is a site in JSC that tries to walk another thread's stack.
1990         Currently, stack bounds are stored in WTFThreadData which is located
1991         in TLS. Thus, only the thread itself can access its own WTFThreadData.
1992         We workaround this situation by holding StackBounds in MachineThread in JSC,
1993         but StackBounds should be put in WTF::Thread instead.
1994
1995         This patch adds StackBounds to WTF::Thread. StackBounds information is tightly
1996         coupled with Thread. Thus putting it in WTF::Thread is a natural choice.
1997
1998         * heap/MachineStackMarker.cpp:
1999         (JSC::MachineThreads::MachineThread::MachineThread):
2000         (JSC::MachineThreads::MachineThread::captureStack):
2001         * heap/MachineStackMarker.h:
2002         (JSC::MachineThreads::MachineThread::stackBase):
2003         (JSC::MachineThreads::MachineThread::stackEnd):
2004         * runtime/VMTraps.cpp:
2005
2006 2017-07-18  Andy Estes  <aestes@apple.com>
2007
2008         [Xcode] Enable CLANG_WARN_OBJC_LITERAL_CONVERSION
2009         https://bugs.webkit.org/show_bug.cgi?id=174631
2010
2011         Reviewed by Sam Weinig.
2012
2013         * Configurations/Base.xcconfig:
2014
2015 2017-07-18  Joseph Pecoraro  <pecoraro@apple.com>
2016
2017         Web Inspector: Modernize InjectedScriptSource
2018         https://bugs.webkit.org/show_bug.cgi?id=173890
2019
2020         Reviewed by Brian Burg.
2021
2022         * inspector/InjectedScript.h:
2023         Reorder functions to be slightly better.
2024
2025         * inspector/InjectedScriptSource.js:
2026         - Convert to classes named InjectedScript and RemoteObject
2027         - Align InjectedScript's API with the wrapper C++ interfaces
2028         - Move some code to RemoteObject where appropriate (subtype, describe)
2029         - Move some code to helper functions (isPrimitiveValue, isDefined)
2030         - Refactor for readability and modern features
2031         - Remove some unused / unnecessary code
2032
2033 2017-07-18  Mark Lam  <mark.lam@apple.com>
2034
2035         Butterfly storage need not be initialized for indexing type Undecided.
2036         https://bugs.webkit.org/show_bug.cgi?id=174516
2037
2038         Reviewed by Saam Barati.
2039
2040         While it's not incorrect to initialize the butterfly storage when the
2041         indexingType is Undecided, it is inefficient as we'll end up initializing
2042         it again later when we convert the storage to a different indexingType.
2043         Some of our code already skips initializing Undecided butterflies.
2044         This patch makes it the consistent behavior everywhere.
2045
2046         * dfg/DFGSpeculativeJIT.cpp:
2047         (JSC::DFG::SpeculativeJIT::emitAllocateRawObject):
2048         * runtime/JSArray.cpp:
2049         (JSC::JSArray::tryCreateUninitializedRestricted):
2050         * runtime/JSArray.h:
2051         (JSC::JSArray::tryCreate):
2052         * runtime/JSObject.cpp:
2053         (JSC::JSObject::ensureLengthSlow):
2054
2055 2017-07-18  Saam Barati  <sbarati@apple.com>
2056
2057         AirLowerAfterRegAlloc may incorrectly use a callee save that's live as a scratch register
2058         https://bugs.webkit.org/show_bug.cgi?id=174515
2059         <rdar://problem/33358092>
2060
2061         Reviewed by Filip Pizlo.
2062
2063         AirLowerAfterRegAlloc was computing the set of available scratch
2064         registers incorrectly. It was always excluding callee save registers
2065         from the set of live registers. It did not guarantee that live callee save
2066         registers were not in the set of scratch registers that could
2067         get clobbered. That's incorrect as the shuffling code is free
2068         to overwrite whatever is in the scratch register it gets passed.
2069
2070         * b3/air/AirLowerAfterRegAlloc.cpp:
2071         (JSC::B3::Air::lowerAfterRegAlloc):
2072         * b3/testb3.cpp:
2073         (JSC::B3::functionNineArgs):
2074         (JSC::B3::testShuffleDoesntTrashCalleeSaves):
2075         (JSC::B3::run):
2076         * jit/RegisterSet.h:
2077
2078 2017-07-18  Andy Estes  <aestes@apple.com>
2079
2080         [Xcode] Enable CLANG_WARN_NON_LITERAL_NULL_CONVERSION
2081         https://bugs.webkit.org/show_bug.cgi?id=174631
2082
2083         Reviewed by Dan Bernstein.
2084
2085         * Configurations/Base.xcconfig:
2086
2087 2017-07-18  Devin Rousso  <drousso@apple.com>
2088
2089         Web Inspector: Add memoryCost to Inspector Protocol objects
2090         https://bugs.webkit.org/show_bug.cgi?id=174478
2091
2092         Reviewed by Joseph Pecoraro.
2093
2094         For non-array and non-object InspectorValue, calculate memoryCost as the sizeof the object,
2095         plus the memoryCost of the data if it is a string.
2096
2097         For array InspectorValue, calculate memoryCost as the sum of the memoryCost of all items.
2098
2099         For object InspectorValue, calculate memoryCost as the sum of the memoryCost of the string
2100         key plus the memoryCost of the InspectorValue for each entry.
2101
2102         Test: TestWebKitAPI/Tests/JavaScriptCore/InspectorValue.cpp
2103
2104         * inspector/InspectorValues.h:
2105         * inspector/InspectorValues.cpp:
2106         (Inspector::InspectorValue::memoryCost):
2107         (Inspector::InspectorObjectBase::memoryCost):
2108         (Inspector::InspectorArrayBase::memoryCost):
2109
2110 2017-07-18  Andy Estes  <aestes@apple.com>
2111
2112         [Xcode] Enable CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING
2113         https://bugs.webkit.org/show_bug.cgi?id=174631
2114
2115         Reviewed by Darin Adler.
2116
2117         * Configurations/Base.xcconfig:
2118
2119 2017-07-18  Michael Saboff  <msaboff@apple.com>
2120
2121         [JSC] There should be a debug option to dump a compiled RegExp Pattern
2122         https://bugs.webkit.org/show_bug.cgi?id=174601
2123
2124         Reviewed by Alex Christensen.
2125
2126         Added the debug option dumpCompiledRegExpPatterns which will dump the YarrPattern and related
2127         objects after a regular expression has been compiled.
2128
2129         * runtime/Options.h:
2130         * yarr/YarrPattern.cpp:
2131         (JSC::Yarr::YarrPattern::compile):
2132         (JSC::Yarr::indentForNestingLevel):
2133         (JSC::Yarr::dumpUChar32):
2134         (JSC::Yarr::PatternAlternative::dump):
2135         (JSC::Yarr::PatternTerm::dumpQuantifier):
2136         (JSC::Yarr::PatternTerm::dump):
2137         (JSC::Yarr::PatternDisjunction::dump):
2138         (JSC::Yarr::YarrPattern::dumpPattern):
2139         * yarr/YarrPattern.h:
2140         (JSC::Yarr::YarrPattern::global):
2141
2142 2017-07-17  Darin Adler  <darin@apple.com>
2143
2144         Improve use of NeverDestroyed
2145         https://bugs.webkit.org/show_bug.cgi?id=174348
2146
2147         Reviewed by Sam Weinig.
2148
2149         * heap/MachineStackMarker.cpp:
2150         * wasm/WasmMemory.cpp:
2151         Removed unneeded includes of NeverDestroyed.h in files that do not make use
2152         of NeverDestroyed.
2153
2154 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2155
2156         [CMake] Macros in WebKitMacros.cmake should be prefixed with WEBKIT_ namespace
2157         https://bugs.webkit.org/show_bug.cgi?id=174547
2158
2159         Reviewed by Alex Christensen.
2160
2161         * CMakeLists.txt:
2162         * shell/CMakeLists.txt:
2163
2164 2017-07-17  Saam Barati  <sbarati@apple.com>
2165
2166         Remove custom defined RELEASE_ASSERT in DFGObjectAllocationSinkingPhase
2167         https://bugs.webkit.org/show_bug.cgi?id=174584
2168
2169         Rubber stamped by Keith Miller.
2170
2171         I used it to diagnose a bug. The bug is now fixed. This custom
2172         RELEASE_ASSERT is no longer needed.
2173
2174         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2175
2176 2017-07-17  Michael Catanzaro  <mcatanzaro@igalia.com>
2177
2178         -Wformat-truncation warning in ConfigFile.cpp
2179         https://bugs.webkit.org/show_bug.cgi?id=174506
2180
2181         Reviewed by Darin Adler.
2182
2183         Check if the JSC config filename would be truncated due to exceeding max path length. If so,
2184         return ParseError.
2185
2186         * runtime/ConfigFile.cpp:
2187         (JSC::ConfigFile::parse):
2188
2189 2017-07-17  Konstantin Tokarev  <annulen@yandex.ru>
2190
2191         [CMake] Create targets before WEBKIT_INCLUDE_CONFIG_FILES_IF_EXISTS is called
2192         https://bugs.webkit.org/show_bug.cgi?id=174557
2193
2194         Reviewed by Michael Catanzaro.
2195
2196         * CMakeLists.txt:
2197
2198 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2199
2200         [WTF] Use std::unique_ptr for StackTrace
2201         https://bugs.webkit.org/show_bug.cgi?id=174495
2202
2203         Reviewed by Alex Christensen.
2204
2205         * runtime/ExceptionScope.cpp:
2206         (JSC::ExceptionScope::unexpectedExceptionMessage):
2207         * runtime/VM.cpp:
2208         (JSC::VM::throwException):
2209
2210 2017-07-14  Yusuke Suzuki  <utatane.tea@gmail.com>
2211
2212         [JSC] Use WTFMove to prune liveness in DFGAvailabilityMap
2213         https://bugs.webkit.org/show_bug.cgi?id=174423
2214
2215         Reviewed by Saam Barati.
2216
2217         * dfg/DFGAvailabilityMap.cpp:
2218         (JSC::DFG::AvailabilityMap::pruneHeap):
2219         (JSC::DFG::AvailabilityMap::pruneByLiveness):
2220
2221 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2222
2223         Fix compiler warnings when building with GCC 7
2224         https://bugs.webkit.org/show_bug.cgi?id=174463
2225
2226         Reviewed by Darin Adler.
2227
2228         * disassembler/udis86/udis86_decode.c:
2229         (decode_operand):
2230
2231 2017-07-13  Michael Catanzaro  <mcatanzaro@igalia.com>
2232
2233         Incorrect assertion in JSC::CallLinkInfo::callTypeFor
2234         https://bugs.webkit.org/show_bug.cgi?id=174467
2235
2236         Reviewed by Saam Barati.
2237
2238         * bytecode/CallLinkInfo.cpp:
2239         (JSC::CallLinkInfo::callTypeFor):
2240
2241 2017-07-13  Joseph Pecoraro  <pecoraro@apple.com>
2242
2243         Web Inspector: Remove unused and untested Page domain commands
2244         https://bugs.webkit.org/show_bug.cgi?id=174429
2245
2246         Reviewed by Timothy Hatcher.
2247
2248         * inspector/protocol/Page.json:
2249
2250 2017-07-13  Saam Barati  <sbarati@apple.com>
2251
2252         Missing exception check in JSObject::hasInstance
2253         https://bugs.webkit.org/show_bug.cgi?id=174455
2254         <rdar://problem/31384608>
2255
2256         Reviewed by Mark Lam.
2257
2258         * runtime/JSObject.cpp:
2259         (JSC::JSObject::hasInstance):
2260
2261 2017-07-13  Caio Lima  <ticaiolima@gmail.com>
2262
2263         [ESnext] Implement Object Spread
2264         https://bugs.webkit.org/show_bug.cgi?id=167963
2265
2266         Reviewed by Saam Barati.
2267
2268         This patch implements ECMA262 stage 3 Object Spread proposal [1].
2269         It's implemented using CopyDataPropertiesNoExclusions to copy
2270         all enumerable keys from the object being spread. The implementation of
2271         CopyDataPropertiesNoExclusions follows the CopyDataProperties
2272         implementation, however we don't receive excludedNames as a parameter.
2273
2274         [1] - https://github.com/tc39/proposal-object-rest-spread
2275
2276         * builtins/GlobalOperations.js:
2277         (globalPrivate.copyDataPropertiesNoExclusions):
2278         * bytecompiler/BytecodeGenerator.cpp:
2279         (JSC::BytecodeGenerator::emitLoad):
2280         * bytecompiler/NodesCodegen.cpp:
2281         (JSC::PropertyListNode::emitBytecode):
2282         (JSC::ObjectSpreadExpressionNode::emitBytecode):
2283         * parser/ASTBuilder.h:
2284         (JSC::ASTBuilder::createObjectSpreadExpression):
2285         (JSC::ASTBuilder::createProperty):
2286         * parser/NodeConstructors.h:
2287         (JSC::PropertyNode::PropertyNode):
2288         (JSC::ObjectSpreadExpressionNode::ObjectSpreadExpressionNode):
2289         * parser/Nodes.h:
2290         (JSC::ObjectSpreadExpressionNode::expression):
2291         * parser/Parser.cpp:
2292         (JSC::Parser<LexerType>::parseProperty):
2293         * parser/SyntaxChecker.h:
2294         (JSC::SyntaxChecker::createObjectSpreadExpression):
2295         (JSC::SyntaxChecker::createProperty):
2296
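Added example, not part of the WebKit ChangeLog nor of the JavaScriptCore sources: what "copy all enumerable keys from the object being spread" has to mean for the entry above, written as a plain JavaScript helper and checked against native `{...obj}`. The names `copyDataPropertiesNoExclusions`, `makeSource`, `spreadSummary` and the constructed sample object are this example's own (the helper is not the builtin in builtins/GlobalOperations.js). It covers the cases a correct implementation must agree on: symbol keys are copied, non-enumerable own properties and inherited properties are not, getters run exactly once and land as plain data properties, and null/undefined sources copy nothing.

```javascript
"use strict";

// Spec-style CopyDataProperties with no excluded names, the operation behind
// object spread: copy every *own* property of `source` that is enumerable
// (string and symbol keys alike), reading each value through [[Get]] so a
// getter runs exactly once. Inherited properties and non-enumerable own
// properties are skipped; null/undefined sources copy nothing.
function copyDataPropertiesNoExclusions(target, source) {
  if (source === null || source === undefined) return target;
  const from = Object(source);
  for (const key of Reflect.ownKeys(from)) {
    const desc = Object.getOwnPropertyDescriptor(from, key);
    if (desc && desc.enumerable) {
      // CreateDataProperty: a plain writable/enumerable/configurable data
      // property, even when the source property was an accessor.
      Object.defineProperty(target, key, {
        value: from[key], writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// Constructed sample source exercising each rule (example data, not from
// the page): an inherited key, a non-enumerable own key, a symbol key and
// an enumerable getter that records how often it was called.
function makeSource(log) {
  const sym = Symbol("tag");
  const proto = { inherited: 1 };
  const src = Object.create(proto, {
    hidden: { value: "nope", enumerable: false },
    own: { value: 42, enumerable: true },
    [sym]: { value: "s", enumerable: true },
    computed: { get() { log.push("get"); return "g"; }, enumerable: true },
  });
  return { src, sym };
}

// Summarize the result of a spread so native and helper can be compared.
function spreadSummary(spreadFn) {
  const log = [];
  const { src, sym } = makeSource(log);
  const out = spreadFn(src);
  return {
    keys: Reflect.ownKeys(out).map(String).sort(),
    own: out.own,
    sym: out[sym],
    computed: out.computed,
    getterCalls: log.length,
    computedIsData: "value" in Object.getOwnPropertyDescriptor(out, "computed"),
  };
}

const viaNative = (src) => ({ ...src });
const viaHelper = (src) => copyDataPropertiesNoExclusions({}, src);
```

Run under node: `spreadSummary(viaNative)` and `spreadSummary(viaHelper)` must be identical, with `hidden` and `inherited` absent and `getterCalls` equal to 1.
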
2297 2017-07-12  Mark Lam  <mark.lam@apple.com>
2298
2299         Gardening: build fix after r219434.
2300         https://bugs.webkit.org/show_bug.cgi?id=174441
2301
2302         Not reviewed.
2303
2304         Make public some MacroAssembler functions that are needed by the probe implementation.
2305
2306         * assembler/MacroAssemblerARM.h:
2307         (JSC::MacroAssemblerARM::trustedImm32FromPtr):
2308         * assembler/MacroAssemblerARMv7.h:
2309         (JSC::MacroAssemblerARMv7::linkCall):
2310
2311 2017-07-12  Mark Lam  <mark.lam@apple.com>
2312
2313         Move Probe code from AbstractMacroAssembler to MacroAssembler.
2314         https://bugs.webkit.org/show_bug.cgi?id=174441
2315
2316         Reviewed by Saam Barati.
2317
2318         This is a pure refactoring patch for moving probe code from the AbstractMacroAssembler
2319         to MacroAssembler.  There is no code behavior change.
2320
2321         * assembler/AbstractMacroAssembler.h:
2322         (JSC::AbstractMacroAssembler<AssemblerType>::Address::indexedBy):
2323         (JSC::AbstractMacroAssembler::CPUState::gprName): Deleted.
2324         (JSC::AbstractMacroAssembler::CPUState::fprName): Deleted.
2325         (JSC::AbstractMacroAssembler::CPUState::gpr): Deleted.
2326         (JSC::AbstractMacroAssembler::CPUState::fpr): Deleted.
2327         (JSC::MacroAssemblerType>::Address::indexedBy): Deleted.
2328         * assembler/MacroAssembler.h:
2329         (JSC::MacroAssembler::CPUState::gprName):
2330         (JSC::MacroAssembler::CPUState::fprName):
2331         (JSC::MacroAssembler::CPUState::gpr):
2332         (JSC::MacroAssembler::CPUState::fpr):
2333         * assembler/MacroAssemblerARM.cpp:
2334         (JSC::MacroAssembler::probe):
2335         (JSC::MacroAssemblerARM::probe): Deleted.
2336         * assembler/MacroAssemblerARM.h:
2337         * assembler/MacroAssemblerARM64.cpp:
2338         (JSC::MacroAssembler::probe):
2339         (JSC::MacroAssemblerARM64::probe): Deleted.
2340         * assembler/MacroAssemblerARM64.h:
2341         * assembler/MacroAssemblerARMv7.cpp:
2342         (JSC::MacroAssembler::probe):
2343         (JSC::MacroAssemblerARMv7::probe): Deleted.
2344         * assembler/MacroAssemblerARMv7.h:
2345         * assembler/MacroAssemblerMIPS.h:
2346         * assembler/MacroAssemblerX86Common.cpp:
2347         (JSC::MacroAssembler::probe):
2348         (JSC::MacroAssemblerX86Common::probe): Deleted.
2349         * assembler/MacroAssemblerX86Common.h:
2350
2351 2017-07-12  Saam Barati  <sbarati@apple.com>
2352
2353         GenericArguments consults the wrong state when tracking modified argument descriptors and mapped arguments
2354         https://bugs.webkit.org/show_bug.cgi?id=174411
2355         <rdar://problem/31696186>
2356
2357         Reviewed by Mark Lam.
2358
2359         The code for deleting an argument was incorrectly referencing state
2360         when it decided if it should unmap or mark a property as having its
2361         descriptor modified. This patch fixes the bug where if we delete a
2362         property, we would sometimes not unmap an argument when deleting it.
2363
2364         * runtime/GenericArgumentsInlines.h:
2365         (JSC::GenericArguments<Type>::getOwnPropertySlot):
2366         (JSC::GenericArguments<Type>::getOwnPropertySlotByIndex):
2367         (JSC::GenericArguments<Type>::deleteProperty):
2368         (JSC::GenericArguments<Type>::deletePropertyByIndex):
2369
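Added example, not part of the WebKit ChangeLog nor of the JavaScriptCore sources: the observable arguments-object behaviour the fix above restores, as JavaScript probes (the probe names and the string values are this example's own). In a sloppy-mode function with a simple parameter list, `arguments[i]` is mapped to parameter i; a `delete` of a mapped index must remove the mapping, not just the property, so a later write to `arguments[0]` no longer reaches the parameter. The third probe covers the other path the entry mentions, a descriptor change: redefining a mapped index as non-writable writes the new value through once and then severs the mapping.

```javascript
// Built with the Function constructor so that it is a sloppy-mode function
// even if this file is loaded as strict code (e.g. as a module): only
// sloppy-mode functions with simple parameter lists get a mapped arguments
// object, and that mapping is what the probe exercises.
const mappedArgumentsProbe = new Function("a", `
  const seenWhileMapped = [];
  arguments[0] = "via-arguments";
  seenWhileMapped.push(a);            // mapping live: the parameter follows
  a = "via-param";
  seenWhileMapped.push(arguments[0]); // and the other direction too

  // [[Delete]] on a mapped index must remove the mapping as well as the
  // property, so the following write creates an ordinary own property and
  // no longer reaches the parameter.
  const deleted = delete arguments[0];
  arguments[0] = "after-delete";
  return {
    deleted,
    seenWhileMapped,
    paramAfterDelete: a,              // must still be "via-param"
    argAfterDelete: arguments[0],
    hasIndex0: Object.prototype.hasOwnProperty.call(arguments, "0"),
  };
`);

// Strict-mode functions never get a mapped arguments object, so neither the
// write nor the delete can touch the parameter.
function strictArgumentsProbe(a) {
  "use strict";
  arguments[0] = "via-arguments";
  const paramAfterWrite = a;
  delete arguments[0];
  arguments[0] = "after-delete";
  return { paramAfterWrite, paramAfterDelete: a, argAfterDelete: arguments[0] };
}

// The descriptor-modified path: defining a mapped index as non-writable
// still writes the new value through to the parameter once, and from then
// on the index and the parameter are independent.
const definePropertyProbe = new Function("a", `
  Object.defineProperty(arguments, "0", { value: "pinned", writable: false });
  const paramAfterDefine = a;         // "pinned": the define wrote through
  a = "changed-later";                // must not show up in arguments[0]
  return { paramAfterDefine, argAfterParamWrite: arguments[0] };
`);
```

Each probe is called with an initial argument, e.g. `mappedArgumentsProbe("initial")`; the interesting fields are `paramAfterDelete` (the parameter must keep the value it had before the delete) and `argAfterParamWrite` (the pinned index must not follow the parameter).
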
2370 2017-07-12  Commit Queue  <commit-queue@webkit.org>
2371
2372         Unreviewed, rolling out r219176.
2373         https://bugs.webkit.org/show_bug.cgi?id=174436
2374
2375         "Can cause infinite recursion on iOS" (Requested by mlam on
2376         #webkit).
2377
2378         Reverted changeset:
2379
2380         "WTF::Thread should have the threads stack bounds."
2381         https://bugs.webkit.org/show_bug.cgi?id=173975
2382         http://trac.webkit.org/changeset/219176
2383
2384 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2385
2386         Unreviewed, rolling out r219401.
2387
2388         This revision rolled out the previous patch, but after talking
2389         with reviewer, a rebaseline is what was needed. Rolling back in
2390         before rebaseline.
2391
2392         Reverted changeset:
2393
2394         "Unreviewed, rolling out r219379."
2395         https://bugs.webkit.org/show_bug.cgi?id=174400
2396         http://trac.webkit.org/changeset/219401
2397
2398 2017-07-12  Matt Lewis  <jlewis3@apple.com>
2399
2400         Unreviewed, rolling out r219379.
2401
2402         This revision caused a consistent failure in the test
2403         fast/dom/Window/property-access-on-cached-window-after-frame-removed.html.
2405
2406         Reverted changeset:
2407
2408         "Remove NAVIGATOR_HWCONCURRENCY"
2409         https://bugs.webkit.org/show_bug.cgi?id=174400
2410         http://trac.webkit.org/changeset/219379
2411
2412 2017-07-12  Tooru Fujisawa [:arai]  <arai.unmht@gmail.com>
2413
2414         Wrong radix used in Unicode Escape in invalid character error message
2415         https://bugs.webkit.org/show_bug.cgi?id=174419
2416
2417         Reviewed by Alex Christensen.
2418
2419         * parser/Lexer.cpp:
2420         (JSC::Lexer<T>::invalidCharacterMessage):
2421
2422 2017-07-11  Dean Jackson  <dino@apple.com>
2423
2424         Remove NAVIGATOR_HWCONCURRENCY
2425         https://bugs.webkit.org/show_bug.cgi?id=174400
2426
2427         Reviewed by Sam Weinig.
2428
2429         * Configurations/FeatureDefines.xcconfig:
2430
2431 2017-07-11  Dean Jackson  <dino@apple.com>
2432
2433         Rolling out r219372.
2434
2435         * Configurations/FeatureDefines.xcconfig:
2436
2437 2017-07-11  Dean Jackson  <dino@apple.com>
2438
2439         Remove NAVIGATOR_HWCONCURRENCY
2440         https://bugs.webkit.org/show_bug.cgi?id=174400
2441
2442         Reviewed by Sam Weinig.
2443
2444         * Configurations/FeatureDefines.xcconfig:
2445
2446 2017-07-11  Saam Barati  <sbarati@apple.com>
2447
2448         remove the empty JavaScriptCore/wasm/js/WebAssemblyFunctionCell.* files
2449         https://bugs.webkit.org/show_bug.cgi?id=174397
2450
2451         Rubber stamped by David Kilzer.
2452
2453         * wasm/js/WebAssemblyFunctionCell.cpp: Removed.
2454         * wasm/js/WebAssemblyFunctionCell.h: Removed.
2455
2456 2017-07-10  Saam Barati  <sbarati@apple.com>
2457
2458         Allocation sinking phase should consider a CheckStructure that would fail as an escape
2459         https://bugs.webkit.org/show_bug.cgi?id=174321
2460         <rdar://problem/32604963>
2461
2462         Reviewed by Filip Pizlo.
2463
2464         When the allocation sinking phase was generating stores to materialize
2465         objects in a cycle with each other, it would assume that each materialized
2466         object had a valid, non empty, set of structures. This is an OK assumption for
2467         the phase to make because how do you materialize an object with no structure?
2468         
2469         The abstract interpretation part of the phase will model what's in the heap.
2470         However, it would sometimes model that a CheckStructure would fail. The phase
2471         did nothing special for this; it just stored the empty set of structures for
2472         its representation of a particular allocation. However, what the phase proved
2473         in such a scenario is that, had the CheckStructure executed, it would have exited.
2474         
2475         This patch treats such CheckStructures and MultiGetByOffsets as escape points.
2476         This will cause the allocation in question to be materialized just before
2477         the CheckStructure, and then at execution time, the CheckStructure will exit.
2478         
2479         I wasn't able to write a test case for this. However, I was able to reproduce
2480         this crash by manually editing the IR. I've opened a separate bug to help us
2481         create a testing framework for writing tests for hard to reproduce bugs like this:
2482         https://bugs.webkit.org/show_bug.cgi?id=174322
2483
2484         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2485
2486 2017-07-10  Devin Rousso  <drousso@apple.com>
2487
2488         Web Inspector: Highlight matching CSS canvas clients when hovering contexts in the Resources tab
2489         https://bugs.webkit.org/show_bug.cgi?id=174279
2490
2491         Reviewed by Matt Baker.
2492
2493         * inspector/protocol/DOM.json:
2494         Add `highlightNodeList` command that will highlight each node in the given list.
2495
2496 2017-07-03  Brian Burg  <bburg@apple.com>
2497
2498         Web Replay: remove some unused code
2499         https://bugs.webkit.org/show_bug.cgi?id=173903
2500
2501         Rubber-stamped by Joseph Pecoraro.
2502
2503         * CMakeLists.txt:
2504         * Configurations/FeatureDefines.xcconfig:
2505         * DerivedSources.make:
2506         * JavaScriptCore.xcodeproj/project.pbxproj:
2507         * inspector/protocol/Replay.json: Removed.
2508         * replay/EmptyInputCursor.h: Removed.
2509         * replay/EncodedValue.cpp: Removed.
2510         * replay/EncodedValue.h: Removed.
2511         * replay/InputCursor.h: Removed.
2512         * replay/JSInputs.json: Removed.
2513         * replay/NondeterministicInput.h: Removed.
2514         * replay/scripts/CodeGeneratorReplayInputs.py: Removed.
2515         * replay/scripts/CodeGeneratorReplayInputsTemplates.py: Removed.
2516         * replay/scripts/tests/expected/fail-on-c-style-enum-no-storage.json-error: Removed.
2517         * replay/scripts/tests/expected/fail-on-duplicate-enum-type.json-error: Removed.
2518         * replay/scripts/tests/expected/fail-on-duplicate-input-names.json-error: Removed.
2519         * replay/scripts/tests/expected/fail-on-duplicate-type-names.json-error: Removed.
2520         * replay/scripts/tests/expected/fail-on-enum-type-missing-values.json-error: Removed.
2521         * replay/scripts/tests/expected/fail-on-missing-input-member-name.json-error: Removed.
2522         * replay/scripts/tests/expected/fail-on-missing-input-name.json-error: Removed.
2523         * replay/scripts/tests/expected/fail-on-missing-input-queue.json-error: Removed.
2524         * replay/scripts/tests/expected/fail-on-missing-type-mode.json-error: Removed.
2525         * replay/scripts/tests/expected/fail-on-missing-type-name.json-error: Removed.
2526         * replay/scripts/tests/expected/fail-on-unknown-input-queue.json-error: Removed.
2527         * replay/scripts/tests/expected/fail-on-unknown-member-type.json-error: Removed.
2528         * replay/scripts/tests/expected/fail-on-unknown-type-mode.json-error: Removed.
2529         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.cpp: Removed.
2530         * replay/scripts/tests/expected/generate-enum-encoding-helpers-with-guarded-values.json-TestReplayInputs.h: Removed.
2531         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.cpp: Removed.
2532         * replay/scripts/tests/expected/generate-enum-encoding-helpers.json-TestReplayInputs.h: Removed.
2533         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.cpp: Removed.
2534         * replay/scripts/tests/expected/generate-enum-with-guard.json-TestReplayInputs.h: Removed.
2535         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.cpp: Removed.
2536         * replay/scripts/tests/expected/generate-enums-with-same-base-name.json-TestReplayInputs.h: Removed.
2537         * replay/scripts/tests/expected/generate-event-loop-shape-types.json-error: Removed.
2538         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.cpp: Removed.
2539         * replay/scripts/tests/expected/generate-input-with-guard.json-TestReplayInputs.h: Removed.
2540         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.cpp: Removed.
2541         * replay/scripts/tests/expected/generate-input-with-vector-members.json-TestReplayInputs.h: Removed.
2542         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.cpp: Removed.
2543         * replay/scripts/tests/expected/generate-inputs-with-flags.json-TestReplayInputs.h: Removed.
2544         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.cpp: Removed.
2545         * replay/scripts/tests/expected/generate-memoized-type-modes.json-TestReplayInputs.h: Removed.
2546         * replay/scripts/tests/fail-on-c-style-enum-no-storage.json: Removed.
2547         * replay/scripts/tests/fail-on-duplicate-enum-type.json: Removed.
2548         * replay/scripts/tests/fail-on-duplicate-input-names.json: Removed.
2549         * replay/scripts/tests/fail-on-duplicate-type-names.json: Removed.
2550         * replay/scripts/tests/fail-on-enum-type-missing-values.json: Removed.
2551         * replay/scripts/tests/fail-on-missing-input-member-name.json: Removed.
2552         * replay/scripts/tests/fail-on-missing-input-name.json: Removed.
2553         * replay/scripts/tests/fail-on-missing-input-queue.json: Removed.
2554         * replay/scripts/tests/fail-on-missing-type-mode.json: Removed.
2555         * replay/scripts/tests/fail-on-missing-type-name.json: Removed.
2556         * replay/scripts/tests/fail-on-unknown-input-queue.json: Removed.
2557         * replay/scripts/tests/fail-on-unknown-member-type.json: Removed.
2558         * replay/scripts/tests/fail-on-unknown-type-mode.json: Removed.
2559         * replay/scripts/tests/generate-enum-encoding-helpers-with-guarded-values.json: Removed.
2560         * replay/scripts/tests/generate-enum-encoding-helpers.json: Removed.
2561         * replay/scripts/tests/generate-enum-with-guard.json: Removed.
2562         * replay/scripts/tests/generate-enums-with-same-base-name.json: Removed.
2563         * replay/scripts/tests/generate-event-loop-shape-types.json: Removed.
2564         * replay/scripts/tests/generate-input-with-guard.json: Removed.
2565         * replay/scripts/tests/generate-input-with-vector-members.json: Removed.
2566         * replay/scripts/tests/generate-inputs-with-flags.json: Removed.
2567         * replay/scripts/tests/generate-memoized-type-modes.json: Removed.
2568         * runtime/DateConstructor.cpp:
2569         (JSC::constructDate):
2570         (JSC::dateNow):
2571         (JSC::deterministicCurrentTime): Deleted.
2572         * runtime/JSGlobalObject.cpp:
2573         (JSC::JSGlobalObject::JSGlobalObject):
2574         (JSC::JSGlobalObject::setInputCursor): Deleted.
2575         * runtime/JSGlobalObject.h:
2576         (JSC::JSGlobalObject::inputCursor): Deleted.
2577
2578 2017-07-10  Carlos Garcia Campos  <cgarcia@igalia.com>
2579
2580         Move make-js-file-arrays.py from WebCore to JavaScriptCore
2581         https://bugs.webkit.org/show_bug.cgi?id=174024
2582
2583         Reviewed by Michael Catanzaro.
2584
2585         It's currently used only by WebCore, but it depends on other JavaScriptCore scripts and it's not WebCore
2586         specific at all. I plan to use it to compile the JavaScript atoms used by the WebDriver implementation.
2587         Added a command line option to pass the namespace to use instead of using WebCore.
2588
2589         * JavaScriptCore.xcodeproj/project.pbxproj:
2590         * Scripts/make-js-file-arrays.py: Renamed from Source/WebCore/Scripts/make-js-file-arrays.py.
2591         (main):
2592
2593 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2594
2595         [JSC] Drop LineNumberAdder since we no longer treat <LF><CR> (not <CR><LF>) as one line terminator
2596         https://bugs.webkit.org/show_bug.cgi?id=174296
2597
2598         Reviewed by Mark Lam.
2599
2600         Previously, we treated <LF><CR> as one line terminator, so we increased the line number by one.
2601         It caused a problem in scanning template literals. While template literals normalize
2602         <LF><CR> to <LF><LF>, we still needed to increase the line number by only one.
2603         To handle it correctly, LineNumberAdder was introduced.
2604
2605         As of r219263, <LF><CR> is counted as two line terminators. So we do not need to have
2606         LineNumberAdder. Let's just use shiftLineTerminator() instead.
2607
2608         * parser/Lexer.cpp:
2609         (JSC::Lexer<T>::parseTemplateLiteral):
2610         (JSC::LineNumberAdder::LineNumberAdder): Deleted.
2611         (JSC::LineNumberAdder::clear): Deleted.
2612         (JSC::LineNumberAdder::add): Deleted.
2613
2614 2017-07-09  Dan Bernstein  <mitz@apple.com>
2615
2616         [Xcode] ICU headers aren’t treated as system headers after r219155
2617         https://bugs.webkit.org/show_bug.cgi?id=174299
2618
2619         Reviewed by Sam Weinig.
2620
2621         * Configurations/JavaScriptCore.xcconfig: Pass --system-header-prefix=unicode/ to the C and
2622           C++ compilers.
2623
2624         * runtime/IntlCollator.cpp: Removed documentation warning suppression.
2625         * runtime/IntlDateTimeFormat.cpp: Ditto.
2626         * runtime/JSGlobalObject.cpp: Ditto.
2627         * runtime/StringPrototype.cpp: Ditto.
2628
2629 2017-07-09  Yusuke Suzuki  <utatane.tea@gmail.com>
2630
2631         [JSC] Use fastMalloc / fastFree for STL containers
2632         https://bugs.webkit.org/show_bug.cgi?id=174297
2633
2634         Reviewed by Sam Weinig.
2635
2636         In some places, we intentionally use STL containers over WTF containers.
2637         For example, we sometimes use std::unordered_{set,map} instead of WTF::Hash{Set,Map}
2638         because we do not have effective empty / deleted representations in the space of the key's values.
2639         But just using an STL container means using libc's malloc instead of our fast malloc (bmalloc if it is enabled).
2640
2641         We introduce WTF::FastAllocator. This is C++ allocator implementation using fastMalloc and fastFree.
2642         We specify this allocator to STL containers' template parameter to allocate memory from fastMalloc.
2643
2644         This WTF::FastAllocator gives us a chance to use STL containers if it is necessary
2645         without compromising memory allocation throughput.
2646
2647         * dfg/DFGGraph.h:
2648         * dfg/DFGIntegerCheckCombiningPhase.cpp:
2649         * ftl/FTLLowerDFGToB3.cpp:
2650         (JSC::FTL::DFG::LowerDFGToB3::switchStringSlow):
2651         * runtime/FunctionHasExecutedCache.h:
2652         * runtime/TypeLocationCache.h:
2653
2654 2017-07-08  Yusuke Suzuki  <utatane.tea@gmail.com>
2655
2656         Drop NOSNIFF compile flag
2657         https://bugs.webkit.org/show_bug.cgi?id=174289
2658
2659         Reviewed by Michael Catanzaro.
2660
2661         * Configurations/FeatureDefines.xcconfig:
2662
2663 2017-07-07  AJ Ringer  <aringer@apple.com>
2664
2665         Lower the max_protection for the separated heap
2666         https://bugs.webkit.org/show_bug.cgi?id=174281
2667
2668         Reviewed by Oliver Hunt.
2669
2670         Switch to vm_protect so we can set maximum page protection.
2671
2672         * jit/ExecutableAllocator.cpp:
2673         (JSC::FixedVMPoolExecutableAllocator::initializeSeparatedWXHeaps):
2674         (JSC::ExecutableAllocator::allocate):
2675
2676 2017-07-07  Devin Rousso  <drousso@apple.com>
2677
2678         Web Inspector: Show all elements currently using a given CSS Canvas
2679         https://bugs.webkit.org/show_bug.cgi?id=173965
2680
2681         Reviewed by Joseph Pecoraro.
2682
2683         * inspector/protocol/Canvas.json:
2684          - Add `requestCSSCanvasClientNodes` command for getting the node IDs of all nodes using this
2685            canvas via -webkit-canvas.
2686          - Add `cssCanvasClientNodesChanged` event that is dispatched whenever a node is
2687            added/removed from the list of -webkit-canvas clients.
2688
2689 2017-07-07  Mark Lam  <mark.lam@apple.com>
2690
2691         \n\r is not the same as \r\n.
2692         https://bugs.webkit.org/show_bug.cgi?id=173053
2693
2694         Reviewed by Keith Miller.
2695
2696         * parser/Lexer.cpp:
2697         (JSC::Lexer<T>::shiftLineTerminator):
2698         (JSC::LineNumberAdder::add):
2699
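Added example, not part of the WebKit ChangeLog nor of the JavaScriptCore sources: the line-terminator rule behind this entry and the r219263 follow-up above that dropped LineNumberAdder, as a small JavaScript model of a lexer's line counting. `shiftLineTerminator`, `countLines` and `normalizeTemplateLineTerminators` are this example's own functions, not the JSC::Lexer methods, and the inputs are constructed. Only <CR><LF> is a single LineTerminatorSequence; <LF><CR> is two terminators, and since template literals normalize a lone <CR> to <LF> it becomes <LF><LF>, so the line number advances by two either way and no separate adder is needed.

```javascript
"use strict";

// ECMA-262 LineTerminator code units.
const LF = 0x0a, CR = 0x0d, LS = 0x2028, PS = 0x2029;

function isLineTerminator(c) {
  return c === LF || c === CR || c === LS || c === PS;
}

// Consume one LineTerminatorSequence starting at index `i` and return the
// index just past it. <CR><LF> is the only two-code-unit sequence; <LF><CR>
// is two separate terminators, so this advances past the <LF> only and the
// caller sees the <CR> on its next call (and counts it as a second line).
function shiftLineTerminator(src, i) {
  const c = src.charCodeAt(i);
  if (c === CR && src.charCodeAt(i + 1) === LF) return i + 2;
  return i + 1;
}

// Count lines the way a lexer advances its line number: one per
// LineTerminatorSequence, so "a\r\nb" is two lines but "a\n\rb" is three.
function countLines(src) {
  let line = 1;
  for (let i = 0; i < src.length;) {
    if (isLineTerminator(src.charCodeAt(i))) {
      line++;
      i = shiftLineTerminator(src, i);
    } else {
      i++;
    }
  }
  return line;
}

// Template literal normalization (the TV/TRV rules): <CR><LF> and a lone
// <CR> both become <LF>. Hence <LF><CR> becomes <LF><LF>, which is still two
// terminators, matching countLines() on the unnormalized source.
function normalizeTemplateLineTerminators(src) {
  return src.replace(/\r\n?/g, "\n");
}
```

The useful invariant is `countLines(normalizeTemplateLineTerminators(s)) === countLines(s)` for every `s`; with the old "<LF><CR> is one terminator" rule it did not hold, which is what the extra adder compensated for.
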
2700 2017-07-07  Commit Queue  <commit-queue@webkit.org>
2701
2702         Unreviewed, rolling out r219238, r219239, and r219241.
2703         https://bugs.webkit.org/show_bug.cgi?id=174265
2704
2705         "fast/workers/dedicated-worker-lifecycle.html is flaky"
2706         (Requested by yusukesuzuki on #webkit).
2707
2708         Reverted changesets:
2709
2710         "[WTF] Implement WTF::ThreadGroup"
2711         https://bugs.webkit.org/show_bug.cgi?id=174081
2712         http://trac.webkit.org/changeset/219238
2713
2714         "Unreviewed, build fix after r219238"
2715         https://bugs.webkit.org/show_bug.cgi?id=174081
2716         http://trac.webkit.org/changeset/219239
2717
2718         "Unreviewed, CLoop build fix after r219238"
2719         https://bugs.webkit.org/show_bug.cgi?id=174081
2720         http://trac.webkit.org/changeset/219241
2721
2722 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2723
2724         Unreviewed, CLoop build fix after r219238
2725         https://bugs.webkit.org/show_bug.cgi?id=174081
2726
2727         * heap/MachineStackMarker.cpp:
2728
2729 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2730
2731         [WTF] Implement WTF::ThreadGroup
2732         https://bugs.webkit.org/show_bug.cgi?id=174081
2733
2734         Reviewed by Mark Lam.
2735
2736         A large part of MachineThreads is now removed and replaced with WTF::ThreadGroup.
2737         And SamplingProfiler and others interact with WTF::Thread directly.
2738
2739         * API/tests/ExecutionTimeLimitTest.cpp:
2740         * heap/MachineStackMarker.cpp:
2741         (JSC::MachineThreads::MachineThreads):
2742         (JSC::captureStack):
2743         (JSC::MachineThreads::tryCopyOtherThreadStack):
2744         (JSC::MachineThreads::tryCopyOtherThreadStacks):
2745         (JSC::MachineThreads::gatherConservativeRoots):
2746         (JSC::ActiveMachineThreadsManager::Locker::Locker): Deleted.
2747         (JSC::ActiveMachineThreadsManager::add): Deleted.
2748         (JSC::ActiveMachineThreadsManager::remove): Deleted.
2749         (JSC::ActiveMachineThreadsManager::contains): Deleted.
2750         (JSC::ActiveMachineThreadsManager::ActiveMachineThreadsManager): Deleted.
2751         (JSC::activeMachineThreadsManager): Deleted.
2752         (JSC::MachineThreads::~MachineThreads): Deleted.
2753         (JSC::MachineThreads::addCurrentThread): Deleted.
2754         (): Deleted.
2755         (JSC::MachineThreads::removeThread): Deleted.
2756         (JSC::MachineThreads::removeThreadIfFound): Deleted.
2757         (JSC::MachineThreads::MachineThread::MachineThread): Deleted.
2758         (JSC::MachineThreads::MachineThread::getRegisters): Deleted.
2759         (JSC::MachineThreads::MachineThread::Registers::stackPointer): Deleted.
2760         (JSC::MachineThreads::MachineThread::Registers::framePointer): Deleted.
2761         (JSC::MachineThreads::MachineThread::Registers::instructionPointer): Deleted.
2762         (JSC::MachineThreads::MachineThread::Registers::llintPC): Deleted.
2763         (JSC::MachineThreads::MachineThread::captureStack): Deleted.
2764         * heap/MachineStackMarker.h:
2765         (JSC::MachineThreads::addCurrentThread):
2766         (JSC::MachineThreads::getLock):
2767         (JSC::MachineThreads::threads):
2768         (JSC::MachineThreads::MachineThread::suspend): Deleted.
2769         (JSC::MachineThreads::MachineThread::resume): Deleted.
2770         (JSC::MachineThreads::MachineThread::threadID): Deleted.
2771         (JSC::MachineThreads::MachineThread::stackBase): Deleted.
2772         (JSC::MachineThreads::MachineThread::stackEnd): Deleted.
2773         (JSC::MachineThreads::threadsListHead): Deleted.
2774         * runtime/SamplingProfiler.cpp:
2775         (JSC::FrameWalker::isValidFramePointer):
2776         (JSC::SamplingProfiler::SamplingProfiler):
2777         (JSC::SamplingProfiler::takeSample):
2778         (JSC::SamplingProfiler::noticeCurrentThreadAsJSCExecutionThread):
2779         * runtime/SamplingProfiler.h:
2780         * wasm/WasmMachineThreads.cpp:
2781         (JSC::Wasm::resetInstructionCacheOnAllThreads):
2782
2783 2017-07-06  Saam Barati  <sbarati@apple.com>
2784
2785         We are missing places where we invalidate the for-in context
2786         https://bugs.webkit.org/show_bug.cgi?id=174184
2787
2788         Reviewed by Geoffrey Garen.
2789
2790         * bytecompiler/BytecodeGenerator.cpp:
2791         (JSC::BytecodeGenerator::invalidateForInContextForLocal):
2792         * bytecompiler/NodesCodegen.cpp:
2793         (JSC::EmptyLetExpression::emitBytecode):
2794         (JSC::ForInNode::emitLoopHeader):
2795         (JSC::ForOfNode::emitBytecode):
2796         (JSC::BindingNode::bindValue):
2797
2798 2017-07-06  Yusuke Suzuki  <utatane.tea@gmail.com>
2799
2800         Unreviewed, suppress warnings in GCC environment
2801
2802         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2803         * runtime/IntlCollator.cpp:
2804         * runtime/IntlDateTimeFormat.cpp:
2805         * runtime/JSGlobalObject.cpp:
2806         * runtime/StringPrototype.cpp:
2807
2808 2017-07-05  Saam Barati  <sbarati@apple.com>
2809
2810         NewArray in FTLLowerDFGToB3 does not handle speculating on doubles when having a bad time
2811         https://bugs.webkit.org/show_bug.cgi?id=174188
2812         <rdar://problem/30581423>
2813
2814         Reviewed by Mark Lam.
2815
2816         We were calling lowJSValue(edge) when we were speculating the
2817         edge as double. This isn't allowed. We should have been using
2818         lowDouble.
2819         
2820         This patch also adds a new option, called useArrayAllocationProfiling,
2821         which defaults to true. When false, it will make the array allocation
2822         profile not actually sample seen arrays. It'll force the allocation
2823         profile's predicted indexing type to be ArrayWithUndecided. Adding
2824         this option made it trivial to write a test for this bug.
2825
2826         * bytecode/ArrayAllocationProfile.cpp:
2827         (JSC::ArrayAllocationProfile::updateIndexingType):
2828         * ftl/FTLLowerDFGToB3.cpp:
2829         (JSC::FTL::DFG::LowerDFGToB3::compileNewArray):
2830         * runtime/Options.h:
2831
2832 2017-07-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2833
2834         WTF::Thread should have the threads stack bounds.
2835         https://bugs.webkit.org/show_bug.cgi?id=173975
2836
2837         Reviewed by Keith Miller.
2838
2839         There is a site in JSC that tries to walk another thread's stack.
2840         Currently, stack bounds are stored in WTFThreadData which is located
2841         in TLS. Thus, only the thread itself can access its own WTFThreadData.
2842         We work around this situation by holding StackBounds in MachineThread in JSC,
2843         but StackBounds should be put in WTF::Thread instead.
2844
2845         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
2846         information is tightly coupled with Thread. Thus putting it in WTF::Thread
2847         is the natural choice.
2848
2849         * heap/MachineStackMarker.cpp:
2850         (JSC::MachineThreads::MachineThread::MachineThread):
2851         (JSC::MachineThreads::MachineThread::captureStack):
2852         * heap/MachineStackMarker.h:
2853         (JSC::MachineThreads::MachineThread::stackBase):
2854         (JSC::MachineThreads::MachineThread::stackEnd):
2855         * runtime/InitializeThreading.cpp:
2856         (JSC::initializeThreading):
2857         * runtime/VM.cpp:
2858         (JSC::VM::VM):
2859         (JSC::VM::updateStackLimits):
2860         (JSC::VM::committedStackByteCount):
2861         * runtime/VM.h:
2862         (JSC::VM::isSafeToRecurse):
2863         * runtime/VMEntryScope.cpp:
2864         (JSC::VMEntryScope::VMEntryScope):
2865         * runtime/VMInlines.h:
2866         (JSC::VM::ensureStackCapacityFor):
2867         * runtime/VMTraps.cpp:
2868         * yarr/YarrPattern.cpp:
2869         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
2870
2871 2017-07-05  Keith Miller  <keith_miller@apple.com>
2872
2873         Crashing with information should have an abort reason
2874         https://bugs.webkit.org/show_bug.cgi?id=174185
2875
2876         Reviewed by Saam Barati.
2877
2878         Add crash information for the abstract interpreter and add an enum
2879         value for object allocation sinking.
2880
2881         * assembler/AbortReason.h:
2882         * dfg/DFGAbstractInterpreterInlines.h:
2883         (JSC::DFG::AbstractInterpreter<AbstractStateType>::verifyEdge):
2884         * dfg/DFGGraph.cpp:
2885         (JSC::DFG::logDFGAssertionFailure):
2886         * dfg/DFGObjectAllocationSinkingPhase.cpp:
2887
2888 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
2889
2890         Remove copy of ICU headers from WebKit
2891         https://bugs.webkit.org/show_bug.cgi?id=116407
2892
2893         Reviewed by Alex Christensen.
2894
2895         Use WTF's copy of ICU headers.
2896
2897         * Configurations/Base.xcconfig:
2898         * icu/unicode/localpointer.h: Removed.
2899         * icu/unicode/parseerr.h: Removed.
2900         * icu/unicode/platform.h: Removed.
2901         * icu/unicode/ptypes.h: Removed.
2902         * icu/unicode/putil.h: Removed.
2903         * icu/unicode/uchar.h: Removed.
2904         * icu/unicode/ucnv.h: Removed.
2905         * icu/unicode/ucnv_err.h: Removed.
2906         * icu/unicode/ucol.h: Removed.
2907         * icu/unicode/uconfig.h: Removed.
2908         * icu/unicode/ucurr.h: Removed.
2909         * icu/unicode/uenum.h: Removed.
2910         * icu/unicode/uiter.h: Removed.
2911         * icu/unicode/uloc.h: Removed.
2912         * icu/unicode/umachine.h: Removed.
2913         * icu/unicode/unorm.h: Removed.
2914         * icu/unicode/unorm2.h: Removed.
2915         * icu/unicode/urename.h: Removed.
2916         * icu/unicode/uscript.h: Removed.
2917         * icu/unicode/uset.h: Removed.
2918         * icu/unicode/ustring.h: Removed.
2919         * icu/unicode/utf.h: Removed.
2920         * icu/unicode/utf16.h: Removed.
2921         * icu/unicode/utf8.h: Removed.
2922         * icu/unicode/utf_old.h: Removed.
2923         * icu/unicode/utypes.h: Removed.
2924         * icu/unicode/uvernum.h: Removed.
2925         * icu/unicode/uversion.h: Removed.
2926         * runtime/IntlCollator.cpp:
2927         * runtime/IntlDateTimeFormat.cpp:
2928         (JSC::IntlDateTimeFormat::partTypeString):
2929         * runtime/JSGlobalObject.cpp:
2930         * runtime/StringPrototype.cpp:
2931         (JSC::normalize):
2932         (JSC::stringProtoFuncNormalize):
2933
2934 2017-07-05  Devin Rousso  <drousso@apple.com>
2935
2936         Web Inspector: Allow users to log any tracked canvas context
2937         https://bugs.webkit.org/show_bug.cgi?id=173397
2938         <rdar://problem/33111581>
2939
2940         Reviewed by Joseph Pecoraro.
2941
2942         * inspector/protocol/Canvas.json:
2943         Add `resolveCanvasContext` command that returns a RemoteObject for the given canvas context.
2944
2945 2017-07-05  Jonathan Bedard  <jbedard@apple.com>
2946
2947         Add WebKitPrivateFrameworkStubs for iOS 11
2948         https://bugs.webkit.org/show_bug.cgi?id=173988
2949
2950         Reviewed by David Kilzer.
2951
2952         * Configurations/Base.xcconfig: iphoneos and iphonesimulator should use the
2953         same directory for private framework stubs.
2954
2955 2017-07-05  JF Bastien  <jfbastien@apple.com>
2956
2957         WebAssembly: implement name section's module name, skip unknown sections
2958         https://bugs.webkit.org/show_bug.cgi?id=172008
2959
2960         Reviewed by Keith Miller.
2961
2962         Parse the WebAssembly module name properly, and skip unknown
2963         sections. This is useful because as toolchains support new types
2964         of names we want to keep displaying the information we know about
2965         and simply ignore new information. That capability was designed
2966         into WebAssembly's name section.
2967
2968         Failure to commit this patch would mean that WebKit won't display
2969         stack trace information, which would make developers sad.
2970
2971         Module names were added here: https://github.com/WebAssembly/design/pull/1055
2972
2973         Note that this patch doesn't do anything with the parsed name! Two
2974         reasons for this: module names aren't supported in binaryen yet,
2975         so I can't write a simple binary test; and using the name is a
2976         slightly riskier change because it requires changing StackVisitor
2977         + StackFrame (where they print "[wasm code]") which requires
2978         figuring out the frame's Module. The latter bit isn't trivial
2979         because we only know wasm frames from their tag bits, and
2980         CodeBlocks are always nullptr.
2981
2982         Binaryen bug: https://github.com/WebAssembly/binaryen/issues/1010
2983
2984         I filed #174098 to use the module name.
2985
2986         * wasm/WasmFormat.h:
2987         (JSC::Wasm::isValidNameType):
2988         * wasm/WasmNameSectionParser.cpp:
2989
2990 2017-07-04  Joseph Pecoraro  <pecoraro@apple.com>
2991
2992         Cleanup some StringBuilder use
2993         https://bugs.webkit.org/show_bug.cgi?id=174118
2994
2995         Reviewed by Andreas Kling.
2996
2997         * runtime/FunctionConstructor.cpp:
2998         (JSC::constructFunctionSkippingEvalEnabledCheck):
2999         * tools/FunctionOverrides.cpp:
3000         (JSC::parseClause):
3001         * wasm/WasmOMGPlan.cpp:
3002         * wasm/WasmPlan.cpp:
3003         * wasm/WasmValidate.cpp:
3004
3005 2017-07-03  Saam Barati  <sbarati@apple.com>
3006
3007         LayoutTest workers/bomb.html is a Crash
3008         https://bugs.webkit.org/show_bug.cgi?id=167757
3009         <rdar://problem/33086462>
3010
3011         Reviewed by Keith Miller.
3012
3013         VMTraps::SignalSender was accessing VM fields even after
3014         the VM was destroyed. This happened when the SignalSender
3015         thread was in the middle of its work() function while VMTraps
3016         was notified that the VM was shutting down. The VM would proceed
3017         to run its destructor even after the SignalSender thread finished
3018         doing its work. This means that the SignalSender thread was accessing
3019         VM fields even after the VM was destructed (including itself, since it is
3020         transitively owned by the VM). The VM must wait for the SignalSender
3021         thread to shut down before it can continue to destruct itself.
3022
3023         * runtime/VMTraps.cpp:
3024         (JSC::VMTraps::willDestroyVM):
3025
3026 2017-07-03  Saam Barati  <sbarati@apple.com>
3027
3028         DFGBytecodeParser op_to_this does not access the correct instruction offset for to this status
3029         https://bugs.webkit.org/show_bug.cgi?id=174110
3030
3031         Reviewed by Michael Saboff.
3032
3033         * dfg/DFGByteCodeParser.cpp:
3034         (JSC::DFG::ByteCodeParser::parseBlock):
3035
3036 2017-07-03  Saam Barati  <sbarati@apple.com>
3037
3038         Add a new assertion to object allocation sinking phase
3039         https://bugs.webkit.org/show_bug.cgi?id=174107
3040
3041         Rubber stamped by Filip Pizlo.
3042
3043         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3044
3045 2017-07-03  Commit Queue  <commit-queue@webkit.org>
3046
3047         Unreviewed, rolling out r219060.
3048         https://bugs.webkit.org/show_bug.cgi?id=174108
3049
3050         crashing constantly when initializing UIWebView (Requested by
3051         thorton on #webkit).
3052
3053         Reverted changeset:
3054
3055         "WTF::Thread should have the threads stack bounds."
3056         https://bugs.webkit.org/show_bug.cgi?id=173975
3057         http://trac.webkit.org/changeset/219060
3058
3059 2017-07-03  Matt Lewis  <jlewis3@apple.com>
3060
3061         Unreviewed, rolling out r219103.
3062
3063         Caused multiple build failures.
3064
3065         Reverted changeset:
3066
3067         "Remove copy of ICU headers from WebKit"
3068         https://bugs.webkit.org/show_bug.cgi?id=116407
3069         http://trac.webkit.org/changeset/219103
3070
3071 2017-07-03  Myles C. Maxfield  <mmaxfield@apple.com>
3072
3073         Remove copy of ICU headers from WebKit
3074         https://bugs.webkit.org/show_bug.cgi?id=116407
3075
3076         Reviewed by Alex Christensen.
3077
3078         Use WTF's copy of ICU headers.
3079
3080         * Configurations/Base.xcconfig:
3081         * icu/unicode/localpointer.h: Removed.
3082         * icu/unicode/parseerr.h: Removed.
3083         * icu/unicode/platform.h: Removed.
3084         * icu/unicode/ptypes.h: Removed.
3085         * icu/unicode/putil.h: Removed.
3086         * icu/unicode/uchar.h: Removed.
3087         * icu/unicode/ucnv.h: Removed.
3088         * icu/unicode/ucnv_err.h: Removed.
3089         * icu/unicode/ucol.h: Removed.
3090         * icu/unicode/uconfig.h: Removed.
3091         * icu/unicode/ucurr.h: Removed.
3092         * icu/unicode/uenum.h: Removed.
3093         * icu/unicode/uiter.h: Removed.
3094         * icu/unicode/uloc.h: Removed.
3095         * icu/unicode/umachine.h: Removed.
3096         * icu/unicode/unorm.h: Removed.
3097         * icu/unicode/unorm2.h: Removed.
3098         * icu/unicode/urename.h: Removed.
3099         * icu/unicode/uscript.h: Removed.
3100         * icu/unicode/uset.h: Removed.
3101         * icu/unicode/ustring.h: Removed.
3102         * icu/unicode/utf.h: Removed.
3103         * icu/unicode/utf16.h: Removed.
3104         * icu/unicode/utf8.h: Removed.
3105         * icu/unicode/utf_old.h: Removed.
3106         * icu/unicode/utypes.h: Removed.
3107         * icu/unicode/uvernum.h: Removed.
3108         * icu/unicode/uversion.h: Removed.
3109         * runtime/IntlCollator.cpp:
3110         * runtime/IntlDateTimeFormat.cpp:
3111         * runtime/JSGlobalObject.cpp:
3112         * runtime/StringPrototype.cpp:
3113
3114 2017-07-03  Saam Barati  <sbarati@apple.com>
3115
3116         Add better crash logging for allocation sinking phase
3117         https://bugs.webkit.org/show_bug.cgi?id=174102
3118         <rdar://problem/33112092>
3119
3120         Rubber stamped by Filip Pizlo.
3121
3122         I'm trying to gather better information from crashlogs about why
3123         we're crashing in the allocation sinking phase. I'm adding an allocation
3124         sinking specific RELEASE_ASSERT as well as marking a few functions as
3125         NEVER_INLINE to have the stack traces in the crash trace contain more
3126         actionable information.
3127
3128         * dfg/DFGObjectAllocationSinkingPhase.cpp:
3129
3130 2017-07-03  Sam Weinig  <sam@webkit.org>
3131
3132         [WebIDL] Remove more unnecessary uses of the preprocessor in idl files
3133         https://bugs.webkit.org/show_bug.cgi?id=174083
3134
3135         Reviewed by Alex Christensen.
3136
3137         * Configurations/FeatureDefines.xcconfig:
3138         Add ENABLE_NAVIGATOR_STANDALONE.
3139
3140 2017-07-03  Andy Estes  <aestes@apple.com>
3141
3142         [Xcode] Add an experimental setting to build with ccache
3143         https://bugs.webkit.org/show_bug.cgi?id=173875
3144
3145         Reviewed by Tim Horton.
3146
3147         * Configurations/DebugRelease.xcconfig: Included ccache.xcconfig.
3148
3149 2017-07-03  Devin Rousso  <drousso@apple.com>
3150
3151         Web Inspector: Support listing WebGL2 and WebGPU contexts
3152         https://bugs.webkit.org/show_bug.cgi?id=173396
3153
3154         Reviewed by Joseph Pecoraro.
3155
3156         * inspector/protocol/Canvas.json:
3157         * inspector/scripts/codegen/generator.py:
3158         (Generator.stylized_name_for_enum_value):
3159         Add cases for handling new Canvas.ContextType protocol enumerations:
3160          - "webgl2" maps to `WebGL2`
3161          - "webgpu" maps to `WebGPU`
3162
3163 2017-07-02  Yusuke Suzuki  <utatane.tea@gmail.com>
3164
3165         WTF::Thread should have the threads stack bounds.
3166         https://bugs.webkit.org/show_bug.cgi?id=173975
3167
3168         Reviewed by Mark Lam.
3169
3170         There is a site in JSC that tries to walk another thread's stack.
3171         Currently, stack bounds are stored in WTFThreadData which is located
3172         in TLS. Thus, only the thread itself can access its own WTFThreadData.
3173         We work around this situation by holding StackBounds in MachineThread in JSC,
3174         but StackBounds should be put in WTF::Thread instead.
3175
3176         This patch moves StackBounds from WTFThreadData to WTF::Thread. StackBounds
3177         information is tightly coupled with Thread. Thus putting it in WTF::Thread
3178         is the natural choice.
3179
3180         * heap/MachineStackMarker.cpp:
3181         (JSC::MachineThreads::MachineThread::MachineThread):
3182         (JSC::MachineThreads::MachineThread::captureStack):
3183         * heap/MachineStackMarker.h:
3184         (JSC::MachineThreads::MachineThread::stackBase):
3185         (JSC::MachineThreads::MachineThread::stackEnd):
3186         * runtime/InitializeThreading.cpp:
3187         (JSC::initializeThreading):
3188         * runtime/VM.cpp:
3189         (JSC::VM::VM):
3190         (JSC::VM::updateStackLimits):
3191         (JSC::VM::committedStackByteCount):
3192         * runtime/VM.h:
3193         (JSC::VM::isSafeToRecurse):
3194         * runtime/VMEntryScope.cpp:
3195         (JSC::VMEntryScope::VMEntryScope):
3196         * runtime/VMInlines.h:
3197         (JSC::VM::ensureStackCapacityFor):
3198         * runtime/VMTraps.cpp:
3199         * yarr/YarrPattern.cpp:
3200         (JSC::Yarr::YarrPatternConstructor::isSafeToRecurse):
3201
3202 2017-07-01  Dan Bernstein  <mitz@apple.com>
3203
3204         [iOS] Remove code only needed when building for iOS 9.x
3205         https://bugs.webkit.org/show_bug.cgi?id=174068
3206
3207         Reviewed by Tim Horton.
3208
3209         * Configurations/FeatureDefines.xcconfig:
3210         * jit/ExecutableAllocator.cpp:
3211         * runtime/Options.cpp:
3212         (JSC::recomputeDependentOptions):
3213
3214 2017-07-01  Dan Bernstein  <mitz@apple.com>
3215
3216         [macOS] Remove code only needed when building for OS X Yosemite
3217         https://bugs.webkit.org/show_bug.cgi?id=174067
3218
3219         Reviewed by Tim Horton.
3220
3221         * API/WebKitAvailability.h:
3222         * Configurations/Base.xcconfig:
3223         * Configurations/DebugRelease.xcconfig:
3224         * Configurations/FeatureDefines.xcconfig:
3225         * Configurations/Version.xcconfig:
3226
3227 2017-07-01  Yusuke Suzuki  <utatane.tea@gmail.com>
3228
3229         Unreviewed, build fix for GCC
3230         https://bugs.webkit.org/show_bug.cgi?id=174034
3231
3232         * b3/testb3.cpp:
3233         (JSC::B3::testDoubleLiteralComparison):
3234
3235 2017-06-30  Keith Miller  <keith_miller@apple.com>
3236
3237         Force crashWithInfo to be out of line.
3238         https://bugs.webkit.org/show_bug.cgi?id=174028
3239
3240         Reviewed by Filip Pizlo.
3241
3242         Update DFG_ASSERT macro to call CRASH_WITH_SECURITY_IMPLICATION_AND_INFO.
3243
3244         * dfg/DFGGraph.cpp:
3245         (JSC::DFG::logDFGAssertionFailure):
3246         (JSC::DFG::Graph::logAssertionFailure):
3247         (JSC::DFG::crash): Deleted.
3248         (JSC::DFG::Graph::handleAssertionFailure): Deleted.
3249         * dfg/DFGGraph.h:
3250
3251 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3252
3253         [JSC] Use AbstractMacroAssembler::random instead of holding WeakRandom in JIT
3254         https://bugs.webkit.org/show_bug.cgi?id=174053
3255
3256         Reviewed by Geoffrey Garen.
3257
3258         We already have AbstractMacroAssembler::random() function. Use it instead.
3259
3260         * jit/JIT.cpp:
3261         (JSC::JIT::JIT):
3262         (JSC::JIT::compileWithoutLinking):
3263         * jit/JIT.h:
3264
3265 2017-06-30  Yusuke Suzuki  <utatane.tea@gmail.com>
3266
3267         [WTF] Drop SymbolRegistry::keyForSymbol
3268         https://bugs.webkit.org/show_bug.cgi?id=174052
3269
3270         Reviewed by Sam Weinig.
3271
3272         * runtime/SymbolConstructor.cpp:
3273         (JSC::symbolConstructorKeyFor):
3274
3275 2017-06-30  Saam Barati  <sbarati@apple.com>
3276
3277         B3ReduceStrength should reduce EqualOrUnordered over const float input
3278         https://bugs.webkit.org/show_bug.cgi?id=174039
3279
3280         Reviewed by Michael Saboff.
3281
3282         We perform this folding for ConstDoubleValue. It is simply
3283         an oversight that we didn't do it for ConstFloatValue.
3284
3285         * b3/B3ConstFloatValue.cpp:
3286         (JSC::B3::ConstFloatValue::equalOrUnorderedConstant):
3287         * b3/B3ConstFloatValue.h:
3288         * b3/testb3.cpp:
3289         (JSC::B3::testFloatEqualOrUnorderedFolding):
3290         (JSC::B3::testFloatEqualOrUnorderedFoldingNaN):
3291         (JSC::B3::testFloatEqualOrUnorderedDontFold):
3292         (JSC::B3::run):
3293
3294 2017-06-30  Matt Baker  <mattbaker@apple.com>
3295
3296         Web Inspector: AsyncStackTrace nodes can be corrupted when truncating
3297         https://bugs.webkit.org/show_bug.cgi?id=173840
3298         <rdar://problem/30840820>
3299
3300         Reviewed by Joseph Pecoraro.
3301
3302         When truncating an asynchronous stack trace, the parent chain is traversed
3303         until a locked node is found. The path from this node to the root is shared
3304         by more than one stack trace, and cannot be safely modified. Starting at
3305         the first locked node, the path is cloned and becomes a new stack trace tree.
3306
3307         However, the clone operation initialized each new AsyncStackTrace node with
3308         the original node's parent. This would increment the child count of the original
3309         node. When cloning nodes, new nodes should not have their parent set until the
3310         next node up the parent chain is cloned.
3311
3312         * inspector/AsyncStackTrace.cpp:
3313         (Inspector::AsyncStackTrace::truncate):
3314
3315 2017-06-30  Michael Saboff  <msaboff@apple.com>
3316
3317         RegExps anchored with .* with the g flag can return wrong match start for strings with multiple matches
3318         https://bugs.webkit.org/show_bug.cgi?id=174044
3319
3320         Reviewed by Oliver Hunt.
3321
3322         The .* enclosure optimization didn't respect that we can start matching from a non-zero
3323         index.  This optimization handles /.*<some-terms>.*/ by first matching the <some-terms> and
3324         then finding the extent of the match by going back to the beginning of the line and going
3325         forward to the end of the line.  The code that went back to the beginning of the line
3326         checked for an index of 0 instead of comparing the index to the start position.  This start
3327         position is passed as the initial index.
3328
3329         Added another temporary register to the YARR JIT to contain the start position for
3330         platforms that have spare registers.
3331
3332         * yarr/Yarr.h:
3333         * yarr/YarrInterpreter.cpp:
3334         (JSC::Yarr::Interpreter::matchDotStarEnclosure):
3335         (JSC::Yarr::Interpreter::Interpreter):
3336         * yarr/YarrJIT.cpp:
3337         (JSC::Yarr::YarrGenerator::generateDotStarEnclosure):
3338         (JSC::Yarr::YarrGenerator::compile):
3339         * yarr/YarrPattern.cpp:
3340         (JSC::Yarr::YarrPattern::YarrPattern):
3341         * yarr/YarrPattern.h:
3342         (JSC::Yarr::YarrPattern::reset):
3343
3344 2017-06-30  Saam Barati  <sbarati@apple.com>
3345
3346         B3MoveConstants floatZero() returns the wrong ValueKey
3347         https://bugs.webkit.org/show_bug.cgi?id=174040
3348
3349         Reviewed by Filip Pizlo.
3350
3351         It had a typo where the ValueKey for floatZero() produces a Double
3352         instead of a Float.
3353
3354         * b3/B3MoveConstants.cpp:
3355
3356 2017-06-30  Saam Barati  <sbarati@apple.com>
3357
3358         B3ReduceDoubleToFloat incorrectly reduces operations over two double constants
3359         https://bugs.webkit.org/show_bug.cgi?id=174034
3360         <rdar://problem/30793007>
3361
3362         Reviewed by Filip Pizlo.
3363
3364         B3ReduceDoubleToFloat had a bug in it where it would incorrectly
3365         reduce binary operations over double constants into the same binary
3366         operation over the double constants cast to floats. This is clearly
3367         incorrect as these two things will produce different values. For example:
3368         
3369         a = DoubleConst(bitwise_cast<double>(0x8000000000000001ull))
3370         b = DoubleConst(bitwise_cast<double>(0x0000000000000000ull))
3371         c = EqualOrUnordered(@a, @b) // produces 0
3372         
3373         into:
3374         
3375         a = FloatConst(static_cast<float>(bitwise_cast<double>(0x8000000000000001ull)))
3376         b = FloatConst(static_cast<float>(bitwise_cast<double>(0x0000000000000000ull)))
3377         c = EqualOrUnordered(@a, @b) // produces 1
3378         
3379         Which produces a different value for @c.
3380
3381         * b3/B3ReduceDoubleToFloat.cpp:
3382         * b3/testb3.cpp:
3383         (JSC::B3::doubleEq):
3384         (JSC::B3::doubleNeq):
3385         (JSC::B3::doubleGt):
3386         (JSC::B3::doubleGte):
3387         (JSC::B3::doubleLt):
3388         (JSC::B3::doubleLte):
3389         (JSC::B3::testDoubleLiteralComparison):
3390         (JSC::B3::run):
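
        The flip described in the entry above, reproduced as an added example in plain
        C++ (this is not JavaScriptCore or B3 code). EqualOrUnordered is modeled here as
        "equal, or either operand is NaN", which is what that B3 opcode computes; the
        helper names, the isExactlyRepresentableAsFloat() check and the extra 1.0/2.0
        constants are this example's own. The bit patterns are the two from the entry:
        0x8000000000000001 is the smallest negative subnormal double, which rounds to
        -0.0f when narrowed, so the narrowed comparison against +0.0 becomes true.

```cpp
#include <cmath>
#include <cstdint>
#include <cstring>

// Added example, not JavaScriptCore/B3 code: shows why a reduction pass must
// not fold a comparison of two double constants into the same comparison
// over the constants narrowed to float.

double doubleFromBits(uint64_t bits) {
    double d;
    static_assert(sizeof d == sizeof bits, "double must be 64 bits wide");
    std::memcpy(&d, &bits, sizeof d);
    return d;
}

// Model of B3's EqualOrUnordered: true if a == b or either operand is NaN.
bool equalOrUnorderedDouble(double a, double b) {
    return a == b || std::isnan(a) || std::isnan(b);
}

bool equalOrUnorderedFloat(float a, float b) {
    return a == b || std::isnan(a) || std::isnan(b);
}

// The comparison as originally emitted, over the double constants.
bool compareAsDouble(uint64_t aBits, uint64_t bBits) {
    return equalOrUnorderedDouble(doubleFromBits(aBits), doubleFromBits(bBits));
}

// The comparison after the incorrect reduction: each constant is narrowed to
// float first. Narrowing is lossy, so two distinct doubles can collapse onto
// the same float and the result of the comparison can change.
bool compareAsNarrowedFloat(uint64_t aBits, uint64_t bBits) {
    return equalOrUnorderedFloat(static_cast<float>(doubleFromBits(aBits)),
                                 static_cast<float>(doubleFromBits(bBits)));
}

// True when the narrowed fold changes the observable result.
bool foldChangesResult(uint64_t aBits, uint64_t bBits) {
    return compareAsDouble(aBits, bBits) != compareAsNarrowedFloat(aBits, bBits);
}

// Example-only guard: a double constant may be narrowed to float without
// changing comparisons only if the round trip double->float->double is exact
// (NaN is treated as representable, since any NaN compares unordered).
bool isExactlyRepresentableAsFloat(double d) {
    if (std::isnan(d))
        return true;
    return static_cast<double>(static_cast<float>(d)) == d;
}

// Constants from the ChangeLog entry (constructed inputs for this example).
const uint64_t kTinyNegative = 0x8000000000000001ull; // about -4.9e-324, not NaN
const uint64_t kPositiveZero = 0x0000000000000000ull; // +0.0
const uint64_t kOne          = 0x3FF0000000000000ull; // 1.0, exact as float
const uint64_t kTwo          = 0x4000000000000000ull; // 2.0, exact as float
```

        The last function is the condition a reduction pass would need before
        narrowing a constant operand: the fold is only behaviour-preserving when
        every constant it touches survives the double->float->double round trip.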
3391
3392 2017-06-29  Jer Noble  <jer.noble@apple.com>
3393
3394         Make Legacy EME API controlled by RuntimeEnabled setting.
3395         https://bugs.webkit.org/show_bug.cgi?id=173994
3396
3397         Reviewed by Sam Weinig.
3398
3399         * Configurations/FeatureDefines.xcconfig:
3400         * runtime/CommonIdentifiers.h:
3401
3402 2017-06-30  Ryosuke Niwa  <rniwa@webkit.org>
3403
3404         Ran sort-Xcode-project-file.
3405
3406         * JavaScriptCore.xcodeproj/project.pbxproj:
3407
3408 2017-06-30  Matt Lewis  <jlewis3@apple.com>
3409