[FTL] Support DeleteById and DeleteByVal
[WebKit-https.git] / Source / JavaScriptCore / ChangeLog
1 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
2
3         [FTL] Support DeleteById and DeleteByVal
4         https://bugs.webkit.org/show_bug.cgi?id=180022
5
6         Reviewed by Saam Barati.
7
8         We should increase the coverage of FTL. Even if the code includes DeleteById,
9         it does not mean that remaining part of the code should not be optimized in FTL.
10         Right now, even CallEval and `with` scope are handled in FTL.
11
12         This patch just adds DeleteById and DeleteByVal handling to FTL to allow optimizing
13         code including them.
14
15         * ftl/FTLCapabilities.cpp:
16         (JSC::FTL::canCompile):
17         * ftl/FTLLowerDFGToB3.cpp:
18         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
19         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteById):
20         (JSC::FTL::DFG::LowerDFGToB3::compileDeleteByVal):
21
22 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
23
24         [DFG] Introduce {Set,Map,WeakMap}Fields
25         https://bugs.webkit.org/show_bug.cgi?id=179925
26
27         Reviewed by Saam Barati.
28
29         SetAdd and MapSet use `write(MiscFields)`, but it is not correct. It accidentally
30         writes readonly MiscFields, which is used by various nodes, and makes optimization
31         conservative.
32
33         We introduce JSSetFields, JSMapFields, and JSWeakMapFields to precisely model clobberizing of Map, Set, and WeakMap.
34
35         * dfg/DFGAbstractHeap.h:
36         * dfg/DFGByteCodeParser.cpp:
37         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
38         * dfg/DFGClobberize.h:
39         (JSC::DFG::clobberize):
40         * dfg/DFGHeapLocation.cpp:
41         (WTF::printInternal):
42         * dfg/DFGHeapLocation.h:
43         * dfg/DFGNode.h:
44         (JSC::DFG::Node::hasBucketOwnerType):
45
46 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
47
48         [JSC] Remove JSStringBuilder
49         https://bugs.webkit.org/show_bug.cgi?id=180016
50
51         Reviewed by Saam Barati.
52
53         JSStringBuilder is replaced with WTF::StringBuilder.
54         This patch removes remaining uses and drops JSStringBuilder.
55
56         * JavaScriptCore.xcodeproj/project.pbxproj:
57         * runtime/ArrayPrototype.cpp:
58         * runtime/AsyncFunctionPrototype.cpp:
59         * runtime/AsyncGeneratorFunctionPrototype.cpp:
60         * runtime/ErrorPrototype.cpp:
61         * runtime/FunctionPrototype.cpp:
62         * runtime/GeneratorFunctionPrototype.cpp:
63         * runtime/JSGlobalObjectFunctions.cpp:
64         (JSC::decode):
65         (JSC::globalFuncEscape):
66         * runtime/JSStringBuilder.h: Removed.
67         * runtime/JSStringInlines.h:
68         (JSC::jsMakeNontrivialString):
69         * runtime/RegExpPrototype.cpp:
70         * runtime/StringPrototype.cpp:
71
72 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
73
74         [DFG] Remove GetLocalUnlinked
75         https://bugs.webkit.org/show_bug.cgi?id=180017
76
77         Reviewed by Saam Barati.
78
79         Since DFGArgumentsSimplificationPhase was removed 2 years ago, GetLocalUnlinked is no longer used in DFG.
80         This patch just removes it.
81
82         * dfg/DFGAbstractInterpreterInlines.h:
83         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
84         * dfg/DFGClobberize.h:
85         (JSC::DFG::clobberize):
86         * dfg/DFGCommon.h:
87         * dfg/DFGDoesGC.cpp:
88         (JSC::DFG::doesGC):
89         * dfg/DFGFixupPhase.cpp:
90         (JSC::DFG::FixupPhase::fixupNode):
91         * dfg/DFGGraph.cpp:
92         (JSC::DFG::Graph::dump):
93         * dfg/DFGNode.h:
94         (JSC::DFG::Node::hasUnlinkedLocal):
95         (JSC::DFG::Node::convertToGetLocalUnlinked): Deleted.
96         (JSC::DFG::Node::convertToGetLocal): Deleted.
97         (JSC::DFG::Node::hasUnlinkedMachineLocal): Deleted.
98         (JSC::DFG::Node::setUnlinkedMachineLocal): Deleted.
99         (JSC::DFG::Node::unlinkedMachineLocal): Deleted.
100         * dfg/DFGNodeType.h:
101         * dfg/DFGPredictionPropagationPhase.cpp:
102         * dfg/DFGSafeToExecute.h:
103         (JSC::DFG::safeToExecute):
104         * dfg/DFGSpeculativeJIT32_64.cpp:
105         (JSC::DFG::SpeculativeJIT::compile):
106         * dfg/DFGSpeculativeJIT64.cpp:
107         (JSC::DFG::SpeculativeJIT::compile):
108         * dfg/DFGStackLayoutPhase.cpp:
109         (JSC::DFG::StackLayoutPhase::run):
110         * dfg/DFGValidate.cpp:
111
112 2017-11-26  Yusuke Suzuki  <utatane.tea@gmail.com>
113
114         Make ArgList::data() private again when we can remove callWasmFunction().
115         https://bugs.webkit.org/show_bug.cgi?id=168582
116
117         Reviewed by JF Bastien.
118
119         Make ArgList::data() private since we already removed callWasmFunction.
120
121         * runtime/ArgList.h:
122
123 2016-08-05  Darin Adler  <darin@apple.com>
124
125         Fix some minor problems in the StringImpl header
126         https://bugs.webkit.org/show_bug.cgi?id=160630
127
128         Reviewed by Brent Fulgham.
129
130         * inspector/ContentSearchUtilities.cpp: Removed a lot of unneeded explicit
131         Yarr namespacing since we use "using namespace" in this file.
132
133 2017-11-24  Mark Lam  <mark.lam@apple.com>
134
135         Fix CLoop::sanitizeStack() bug where it was clearing part of the JS stack in use.
136         https://bugs.webkit.org/show_bug.cgi?id=179936
137         <rdar://problem/35623998>
138
139         Reviewed by Saam Barati.
140
141         This issue was uncovered when we enabled --useDollarVM=true on the JSC tests.
142         See https://bugs.webkit.org/show_bug.cgi?id=179684.
143
144         Basically, in the case of the failing test we observed, op_tail_call_forward_arguments
145         was allocating stack space to stash arguments (to be forwarded) and new frame
146         info.  The location of this new stash space happens to lie beyond the top of frame
147         of the tail call caller frame.  After stashing the arguments, the code proceeded
148         to load the callee codeBlock.  This triggered an allocation, which in turn,
149         triggered stack sanitization.  The CLoop stack sanitizer was relying on
150         frame->topOfFrame() to tell it where the top of the used stack is.  In this case,
151         that turned out to be inadequate.  As a result, part of the stashed data was
152         zeroed out, and subsequently led to a crash.
153
154         This bug does not affect JIT builds (i.e. the ASM LLint) for 2 reasons:
155         1. JIT builds do stack sanitization in the LLInt code itself (different from the
156            CLoop implementation), and the sanitizer there is aware of the true top of
157            stack value (i.e. the stack pointer).
158         2. JIT builds don't use a parallel stack like the CLoop.  The presence of the
159            parallel stack is one condition necessary for reproducing this issue.
160
161         The fix is to make the CLoop record the stack pointer in CLoopStack::m_currentStackPointer
162         every time before it calls out to native C++ code.  This also brings the CLoop's
163         behavior closer to hardware behavior where we can know where the stack pointer
164         is after calling from JS back into native C++ code, which makes it easier to
165         reason about correctness.
166
167         Also simplified the various stack boundary calculations (removed the +1 and -1
168         adjustments).  The CLoopStack bounds are now:
169
170             reservationTop(): the lowest reserved address that can be within stack bounds.
171             m_commitTop: the lowest address within stack bounds that has been committed.
172             lowAddress() aka m_end: the lowest stack address that JS code can use.
173             m_lastStackPointer: cache of the last m_currentStackPointer value.
174             m_currentStackPointer: the CLoopStack stack pointer value when calling from JS into C++ code.
175             highAddress(): the highest address just beyond the bounds of the stack.
176
177         Also deleted some unneeded code.
178
179         * interpreter/CLoopStack.cpp:
180         (JSC::CLoopStack::CLoopStack):
181         (JSC::CLoopStack::gatherConservativeRoots):
182         (JSC::CLoopStack::sanitizeStack):
183         (JSC::CLoopStack::setSoftReservedZoneSize):
184         * interpreter/CLoopStack.h:
185         (JSC::CLoopStack::setCurrentStackPointer):
186         (JSC::CLoopStack::lowAddress const):
187
188         (JSC::CLoopStack::baseOfStack const): Deleted.
189         - Not needed after we simplified the code and removed all the +1/-1 adjustments.
190           Now, it has the exact same value as highAddress() and can be removed.
191
192         * interpreter/CLoopStackInlines.h:
193         (JSC::CLoopStack::ensureCapacityFor):
194         (JSC::CLoopStack::currentStackPointer):
195         (JSC::CLoopStack::setCLoopStackLimit):
196
197         (JSC::CLoopStack::topOfFrameFor): Deleted.
198         - Not needed.
199
200         (JSC::CLoopStack::topOfStack): Deleted.
201         - Supplanted by currentStackPointer().
202
203         (JSC::CLoopStack::shrink): Deleted.
204         - This is unused.
205
206         * llint/LowLevelInterpreter.cpp:
207         (JSC::CLoop::execute):
208         - Introduce a StackPointerScope to restore the original CLoopStack::m_currentStackPointer
209           upon exiting the interpreter loop.
210
211         * offlineasm/cloop.rb:
212         - Added setting of CLoopStack::m_currentStackPointer at boundary points where we
213           call from JS into C++ code.
214
215         * tools/VMInspector.h:
216         - Added some default argument values. These were being used while debugging this
217           issue.
218
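The scenario in the entry above, as an added example that is not WebKit code: a simplified model of the CLoop parallel stack in which the sanitizer is bounded either by the caller's top of frame (pre-fix) or by the stack pointer recorded at the JS to C++ boundary (the fix). All names, slot counts and marker values are constructed for the illustration.

```cpp
// Added example (not WebKit code): a simplified model of the CLoop parallel stack
// and the two sanitizer bounds discussed in the ChangeLog entry above.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

namespace cloopmodel {

using Register = uint64_t;

// Constructed marker values so we can tell which slots were touched.
constexpr Register kStale = 0xDEAD;   // leftover data below the live stack (what sanitization should clear)
constexpr Register kFrame = 0x11;     // registers of the live caller frame
constexpr Register kStash = 0x22;     // arguments stashed by op_tail_call_forward_arguments

// The parallel stack grows downward: index 0 is lowAddress(), kSlots is highAddress().
constexpr size_t kSlots = 64;

struct CLoopStack {
    std::vector<Register> slots = std::vector<Register>(kSlots, kStale);
    size_t currentStackPointer = kSlots;   // models m_currentStackPointer (recorded before calls into C++)

    size_t lowAddress() const { return 0; }
    size_t highAddress() const { return kSlots; }
};

struct Frame {
    size_t topOfFrame;   // lowest slot this frame's registers occupy (what frame->topOfFrame() reports)
};

// Pre-fix behaviour: the sanitizer trusts frame->topOfFrame() as the top of the used stack.
void sanitizeByTopOfFrame(CLoopStack& stack, const Frame& frame) {
    std::fill(stack.slots.begin() + stack.lowAddress(), stack.slots.begin() + frame.topOfFrame, Register(0));
}

// Fixed behaviour: the sanitizer trusts the stack pointer recorded before calling out to C++.
void sanitizeByStackPointer(CLoopStack& stack) {
    std::fill(stack.slots.begin() + stack.lowAddress(), stack.slots.begin() + stack.currentStackPointer, Register(0));
}

struct Outcome {
    bool stashIntact;        // the forwarded arguments survived sanitization
    bool belowStashZeroed;   // the genuinely unused region was still cleared
};

// Replays the failing scenario: stash forwarded arguments beyond the caller's top of frame,
// then call into C++ (loading the callee CodeBlock), which allocates and triggers sanitization.
Outcome simulateTailCallForward(bool useStackPointerBound) {
    CLoopStack stack;

    // The caller frame occupies the top 8 slots.
    Frame caller{ stack.highAddress() - 8 };
    std::fill(stack.slots.begin() + caller.topOfFrame, stack.slots.end(), kFrame);

    // op_tail_call_forward_arguments stashes 4 arguments just beyond the top of frame.
    const size_t stashLow = caller.topOfFrame - 4;
    std::fill(stack.slots.begin() + stashLow, stack.slots.begin() + caller.topOfFrame, kStash);

    // The fix: record the real stack pointer at the JS -> C++ boundary.
    stack.currentStackPointer = stashLow;

    // The native call allocates, and allocation sanitizes the stack.
    if (useStackPointerBound)
        sanitizeByStackPointer(stack);
    else
        sanitizeByTopOfFrame(stack, caller);

    Outcome out;
    out.stashIntact = std::all_of(stack.slots.begin() + stashLow, stack.slots.begin() + caller.topOfFrame,
                                  [](Register r) { return r == kStash; });
    out.belowStashZeroed = std::all_of(stack.slots.begin(), stack.slots.begin() + stashLow,
                                       [](Register r) { return r == 0; });
    return out;
}

}  // namespace cloopmodel
```

With the top-of-frame bound the stash is zeroed (the crash described above); with the recorded stack pointer the stash survives while the stale region below it is still cleared.
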
219 2017-11-24  Yusuke Suzuki  <utatane.tea@gmail.com>
220
221         [JSC] Make empty key as deleted mark in HashMapBucket and drop m_deleted field
222         https://bugs.webkit.org/show_bug.cgi?id=179923
223
224         Reviewed by Darin Adler.
225
226         We do not set empty as a key in HashMapBucket since JSMap / JSSet can expose it to users.
227         So we can use it as a marker of deleted bucket.
228
229         This patch uses the empty key as a deleted flag, and drops the m_deleted field of HashMapBucket.
230         It shrinks the size of HashMapBucket much.
231
232         * dfg/DFGSpeculativeJIT.cpp:
233         (JSC::DFG::SpeculativeJIT::compileGetMapBucketNext):
234         * ftl/FTLAbstractHeapRepository.h:
235         * ftl/FTLLowerDFGToB3.cpp:
236         (JSC::FTL::DFG::LowerDFGToB3::compileGetMapBucketNext):
237         * runtime/HashMapImpl.h:
238         (JSC::HashMapBucket::createSentinel):
239         We make the sentinel bucket (undefined, undefined) since DFG/FTL can load a value from sentinels.
240         While the sentinel's deleted flag becomes false since the key is set, it is not a problem since the deleted
241         flag of the sentinel bucket is not used.
242
243         (JSC::HashMapBucket::HashMapBucket):
244         (JSC::HashMapBucket::deleted const):
245         (JSC::HashMapBucket::makeDeleted):
246         (JSC::HashMapImpl::remove):
247         (JSC::HashMapImpl::clear):
248         (JSC::HashMapImpl::setUpHeadAndTail):
249         (JSC::HashMapImpl::addNormalizedInternal):
250         (JSC::HashMapBucket::setDeleted): Deleted.
251         (JSC::HashMapBucket::offsetOfDeleted): Deleted.
252         (): Deleted.
253
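The bucket representation described in the entry above, as an added example that is not JSC code: a simplified bucket chain in which the engine-internal empty key doubles as the deleted marker and the head/tail sentinels hold (undefined, undefined) so they can be loaded without being mistaken for deleted buckets. The `Value` stand-in for JSValue and all names are constructed for the illustration.

```cpp
// Added example (not JSC code): a simplified model of HashMapBucket after this change,
// where the never-user-visible "empty" key doubles as the deleted marker.
#include <cstddef>
#include <cstdint>
#include <memory>
#include <vector>

namespace bucketmodel {

// Stand-in for JSValue. Empty is an engine-internal value that JS code can never observe,
// which is exactly why it is safe to reuse as the deleted marker.
enum class Tag : uint8_t { Empty, Undefined, Int };

struct Value {
    Tag tag = Tag::Empty;
    int32_t payload = 0;

    static Value empty() { return Value(); }
    static Value undefined() { Value v; v.tag = Tag::Undefined; return v; }
    static Value number(int32_t n) { Value v; v.tag = Tag::Int; v.payload = n; return v; }
    bool isEmpty() const { return tag == Tag::Empty; }
};

struct Bucket {
    Value key;
    Value value;
    Bucket* prev = nullptr;
    Bucket* next = nullptr;

    // No m_deleted field: a bucket is deleted iff its key is the empty value.
    bool deleted() const { return key.isEmpty(); }
    void makeDeleted() { key = Value::empty(); value = Value::empty(); }
};

// Insertion-ordered bucket chain with sentinels at both ends, as JSMap/JSSet iterate it.
class BucketChain {
public:
    BucketChain() {
        // Sentinels are (undefined, undefined): DFG/FTL may load from them, and undefined is a
        // real value, so deleted() reports false for them; that flag is never consulted on sentinels.
        head_.key = head_.value = Value::undefined();
        tail_.key = tail_.value = Value::undefined();
        head_.next = &tail_;
        tail_.prev = &head_;
    }

    Bucket* add(Value key, Value value) {
        std::unique_ptr<Bucket> owned(new Bucket());
        Bucket* b = owned.get();
        b->key = key;
        b->value = value;
        b->prev = tail_.prev;
        b->next = &tail_;
        b->prev->next = b;
        tail_.prev = b;
        storage_.push_back(std::move(owned));
        return b;
    }

    // Removal keeps the bucket in the chain (live iterators may point at it) and just marks it.
    void remove(Bucket* b) { b->makeDeleted(); }

    // Mirrors GetMapBucketNext: skip deleted buckets, stopping at the tail sentinel.
    Bucket* next(Bucket* b) {
        Bucket* n = b->next;
        while (n != &tail_ && n->deleted())
            n = n->next;
        return n;
    }

    Bucket* begin() { return next(&head_); }
    Bucket* end() { return &tail_; }
    const Bucket* headSentinel() const { return &head_; }

private:
    Bucket head_;
    Bucket tail_;
    std::vector<std::unique_ptr<Bucket>> storage_;
};

// Collect live keys in insertion order, as a for-of loop over a Map would see them.
std::vector<int32_t> liveKeys(BucketChain& chain) {
    std::vector<int32_t> keys;
    for (Bucket* b = chain.begin(); b != chain.end(); b = chain.next(b))
        keys.push_back(b->key.payload);
    return keys;
}

}  // namespace bucketmodel
```
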
254 2017-11-24  Mark Lam  <mark.lam@apple.com>
255
256         Move unsafe jsc shell test functions to the $vm object.
257         https://bugs.webkit.org/show_bug.cgi?id=179980
258
259         Reviewed by Yusuke Suzuki.
260
261         Also removed setElementRoot() which was not used.
262
263         * jsc.cpp:
264         (GlobalObject::finishCreation):
265         (WTF::Element::Element): Deleted.
266         (WTF::Element::root const): Deleted.
267         (WTF::Element::setRoot): Deleted.
268         (WTF::Element::create): Deleted.
269         (WTF::Element::visitChildren): Deleted.
270         (WTF::Element::createStructure): Deleted.
271         (WTF::Root::Root): Deleted.
272         (WTF::Root::element): Deleted.
273         (WTF::Root::setElement): Deleted.
274         (WTF::Root::create): Deleted.
275         (WTF::Root::createStructure): Deleted.
276         (WTF::Root::visitChildren): Deleted.
277         (WTF::ImpureGetter::ImpureGetter): Deleted.
278         (WTF::ImpureGetter::createStructure): Deleted.
279         (WTF::ImpureGetter::create): Deleted.
280         (WTF::ImpureGetter::finishCreation): Deleted.
281         (WTF::ImpureGetter::getOwnPropertySlot): Deleted.
282         (WTF::ImpureGetter::visitChildren): Deleted.
283         (WTF::ImpureGetter::setDelegate): Deleted.
284         (WTF::CustomGetter::CustomGetter): Deleted.
285         (WTF::CustomGetter::createStructure): Deleted.
286         (WTF::CustomGetter::create): Deleted.
287         (WTF::CustomGetter::getOwnPropertySlot): Deleted.
288         (WTF::CustomGetter::customGetter): Deleted.
289         (WTF::CustomGetter::customGetterAcessor): Deleted.
290         (WTF::RuntimeArray::create): Deleted.
291         (WTF::RuntimeArray::~RuntimeArray): Deleted.
292         (WTF::RuntimeArray::destroy): Deleted.
293         (WTF::RuntimeArray::getOwnPropertySlot): Deleted.
294         (WTF::RuntimeArray::getOwnPropertySlotByIndex): Deleted.
295         (WTF::RuntimeArray::put): Deleted.
296         (WTF::RuntimeArray::deleteProperty): Deleted.
297         (WTF::RuntimeArray::getLength const): Deleted.
298         (WTF::RuntimeArray::createPrototype): Deleted.
299         (WTF::RuntimeArray::createStructure): Deleted.
300         (WTF::RuntimeArray::finishCreation): Deleted.
301         (WTF::RuntimeArray::RuntimeArray): Deleted.
302         (WTF::RuntimeArray::lengthGetter): Deleted.
303         (WTF::SimpleObject::SimpleObject): Deleted.
304         (WTF::SimpleObject::create): Deleted.
305         (WTF::SimpleObject::visitChildren): Deleted.
306         (WTF::SimpleObject::createStructure): Deleted.
307         (WTF::SimpleObject::hiddenValue): Deleted.
308         (WTF::SimpleObject::setHiddenValue): Deleted.
309         (WTF::DOMJITNode::DOMJITNode): Deleted.
310         (WTF::DOMJITNode::createStructure): Deleted.
311         (WTF::DOMJITNode::checkSubClassSnippet): Deleted.
312         (WTF::DOMJITNode::create): Deleted.
313         (WTF::DOMJITNode::value const): Deleted.
314         (WTF::DOMJITNode::offsetOfValue): Deleted.
315         (WTF::DOMJITGetter::DOMJITGetter): Deleted.
316         (WTF::DOMJITGetter::createStructure): Deleted.
317         (WTF::DOMJITGetter::create): Deleted.
318         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute): Deleted.
319         (WTF::DOMJITGetter::DOMJITAttribute::slowCall): Deleted.
320         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter): Deleted.
321         (WTF::DOMJITGetter::customGetter): Deleted.
322         (WTF::DOMJITGetter::finishCreation): Deleted.
323         (WTF::DOMJITGetterComplex::DOMJITGetterComplex): Deleted.
324         (WTF::DOMJITGetterComplex::createStructure): Deleted.
325         (WTF::DOMJITGetterComplex::create): Deleted.
326         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute): Deleted.
327         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall): Deleted.
328         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter): Deleted.
329         (WTF::DOMJITGetterComplex::functionEnableException): Deleted.
330         (WTF::DOMJITGetterComplex::customGetter): Deleted.
331         (WTF::DOMJITGetterComplex::finishCreation): Deleted.
332         (WTF::DOMJITFunctionObject::DOMJITFunctionObject): Deleted.
333         (WTF::DOMJITFunctionObject::createStructure): Deleted.
334         (WTF::DOMJITFunctionObject::create): Deleted.
335         (WTF::DOMJITFunctionObject::safeFunction): Deleted.
336         (WTF::DOMJITFunctionObject::unsafeFunction): Deleted.
337         (WTF::DOMJITFunctionObject::checkSubClassSnippet): Deleted.
338         (WTF::DOMJITFunctionObject::finishCreation): Deleted.
339         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject): Deleted.
340         (WTF::DOMJITCheckSubClassObject::createStructure): Deleted.
341         (WTF::DOMJITCheckSubClassObject::create): Deleted.
342         (WTF::DOMJITCheckSubClassObject::safeFunction): Deleted.
343         (WTF::DOMJITCheckSubClassObject::unsafeFunction): Deleted.
344         (WTF::DOMJITCheckSubClassObject::finishCreation): Deleted.
345         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject): Deleted.
346         (WTF::DOMJITGetterBaseJSObject::createStructure): Deleted.
347         (WTF::DOMJITGetterBaseJSObject::create): Deleted.
348         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute): Deleted.
349         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall): Deleted.
350         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter): Deleted.
351         (WTF::DOMJITGetterBaseJSObject::customGetter): Deleted.
352         (WTF::DOMJITGetterBaseJSObject::finishCreation): Deleted.
353         (WTF::Element::handleOwner): Deleted.
354         (WTF::Element::finishCreation): Deleted.
355         (JSTestCustomGetterSetter::JSTestCustomGetterSetter): Deleted.
356         (JSTestCustomGetterSetter::create): Deleted.
357         (JSTestCustomGetterSetter::createStructure): Deleted.
358         (customGetAccessor): Deleted.
359         (customGetValue): Deleted.
360         (customSetAccessor): Deleted.
361         (customSetValue): Deleted.
362         (JSTestCustomGetterSetter::finishCreation): Deleted.
363         (GlobalObject::addConstructableFunction): Deleted.
364         (functionCreateRoot): Deleted.
365         (functionCreateElement): Deleted.
366         (functionGetElement): Deleted.
367         (functionSetElementRoot): Deleted.
368         (functionCreateSimpleObject): Deleted.
369         (functionGetHiddenValue): Deleted.
370         (functionSetHiddenValue): Deleted.
371         (functionCreateProxy): Deleted.
372         (functionCreateRuntimeArray): Deleted.
373         (functionCreateImpureGetter): Deleted.
374         (functionCreateCustomGetterObject): Deleted.
375         (functionCreateDOMJITNodeObject): Deleted.
376         (functionCreateDOMJITGetterObject): Deleted.
377         (functionCreateDOMJITGetterComplexObject): Deleted.
378         (functionCreateDOMJITFunctionObject): Deleted.
379         (functionCreateDOMJITCheckSubClassObject): Deleted.
380         (functionCreateDOMJITGetterBaseJSObject): Deleted.
381         (functionSetImpureGetterDelegate): Deleted.
382         (functionGetGetterSetter): Deleted.
383         (functionShadowChickenFunctionsOnStack): Deleted.
384         (functionSetGlobalConstRedeclarationShouldNotThrow): Deleted.
385         (functionGlobalObjectForObject): Deleted.
386         (functionLoadGetterFromGetterSetter): Deleted.
387         (functionCreateCustomTestGetterSetter): Deleted.
388         (functionAbort): Deleted.
389         (functionFindTypeForExpression): Deleted.
390         (functionReturnTypeFor): Deleted.
391         (functionDumpBasicBlockExecutionRanges): Deleted.
392         (functionHasBasicBlockExecuted): Deleted.
393         (functionBasicBlockExecutionCount): Deleted.
394         (functionEnableExceptionFuzz): Deleted.
395         (functionCreateBuiltin): Deleted.
396         * runtime/JSGlobalObject.cpp:
397         (JSC::JSGlobalObject::init):
398         * tools/JSDollarVM.cpp:
399         (WTF::Element::Element):
400         (WTF::Element::root const):
401         (WTF::Element::setRoot):
402         (WTF::Element::create):
403         (WTF::Element::visitChildren):
404         (WTF::Element::createStructure):
405         (WTF::Root::Root):
406         (WTF::Root::element):
407         (WTF::Root::setElement):
408         (WTF::Root::create):
409         (WTF::Root::createStructure):
410         (WTF::Root::visitChildren):
411         (WTF::SimpleObject::SimpleObject):
412         (WTF::SimpleObject::create):
413         (WTF::SimpleObject::visitChildren):
414         (WTF::SimpleObject::createStructure):
415         (WTF::SimpleObject::hiddenValue):
416         (WTF::SimpleObject::setHiddenValue):
417         (WTF::ImpureGetter::ImpureGetter):
418         (WTF::ImpureGetter::createStructure):
419         (WTF::ImpureGetter::create):
420         (WTF::ImpureGetter::finishCreation):
421         (WTF::ImpureGetter::getOwnPropertySlot):
422         (WTF::ImpureGetter::visitChildren):
423         (WTF::ImpureGetter::setDelegate):
424         (WTF::CustomGetter::CustomGetter):
425         (WTF::CustomGetter::createStructure):
426         (WTF::CustomGetter::create):
427         (WTF::CustomGetter::getOwnPropertySlot):
428         (WTF::CustomGetter::customGetter):
429         (WTF::CustomGetter::customGetterAcessor):
430         (WTF::RuntimeArray::create):
431         (WTF::RuntimeArray::~RuntimeArray):
432         (WTF::RuntimeArray::destroy):
433         (WTF::RuntimeArray::getOwnPropertySlot):
434         (WTF::RuntimeArray::getOwnPropertySlotByIndex):
435         (WTF::RuntimeArray::put):
436         (WTF::RuntimeArray::deleteProperty):
437         (WTF::RuntimeArray::getLength const):
438         (WTF::RuntimeArray::createPrototype):
439         (WTF::RuntimeArray::createStructure):
440         (WTF::RuntimeArray::finishCreation):
441         (WTF::RuntimeArray::RuntimeArray):
442         (WTF::RuntimeArray::lengthGetter):
443         (WTF::DOMJITNode::DOMJITNode):
444         (WTF::DOMJITNode::createStructure):
445         (WTF::DOMJITNode::checkSubClassSnippet):
446         (WTF::DOMJITNode::create):
447         (WTF::DOMJITNode::value const):
448         (WTF::DOMJITNode::offsetOfValue):
449         (WTF::DOMJITGetter::DOMJITGetter):
450         (WTF::DOMJITGetter::createStructure):
451         (WTF::DOMJITGetter::create):
452         (WTF::DOMJITGetter::DOMJITAttribute::DOMJITAttribute):
453         (WTF::DOMJITGetter::DOMJITAttribute::slowCall):
454         (WTF::DOMJITGetter::DOMJITAttribute::callDOMGetter):
455         (WTF::DOMJITGetter::customGetter):
456         (WTF::DOMJITGetter::finishCreation):
457         (WTF::DOMJITGetterComplex::DOMJITGetterComplex):
458         (WTF::DOMJITGetterComplex::createStructure):
459         (WTF::DOMJITGetterComplex::create):
460         (WTF::DOMJITGetterComplex::DOMJITAttribute::DOMJITAttribute):
461         (WTF::DOMJITGetterComplex::DOMJITAttribute::slowCall):
462         (WTF::DOMJITGetterComplex::DOMJITAttribute::callDOMGetter):
463         (WTF::DOMJITGetterComplex::functionEnableException):
464         (WTF::DOMJITGetterComplex::customGetter):
465         (WTF::DOMJITGetterComplex::finishCreation):
466         (WTF::DOMJITFunctionObject::DOMJITFunctionObject):
467         (WTF::DOMJITFunctionObject::createStructure):
468         (WTF::DOMJITFunctionObject::create):
469         (WTF::DOMJITFunctionObject::safeFunction):
470         (WTF::DOMJITFunctionObject::unsafeFunction):
471         (WTF::DOMJITFunctionObject::checkSubClassSnippet):
472         (WTF::DOMJITFunctionObject::finishCreation):
473         (WTF::DOMJITCheckSubClassObject::DOMJITCheckSubClassObject):
474         (WTF::DOMJITCheckSubClassObject::createStructure):
475         (WTF::DOMJITCheckSubClassObject::create):
476         (WTF::DOMJITCheckSubClassObject::safeFunction):
477         (WTF::DOMJITCheckSubClassObject::unsafeFunction):
478         (WTF::DOMJITCheckSubClassObject::finishCreation):
479         (WTF::DOMJITGetterBaseJSObject::DOMJITGetterBaseJSObject):
480         (WTF::DOMJITGetterBaseJSObject::createStructure):
481         (WTF::DOMJITGetterBaseJSObject::create):
482         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::DOMJITAttribute):
483         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::slowCall):
484         (WTF::DOMJITGetterBaseJSObject::DOMJITAttribute::callDOMGetter):
485         (WTF::DOMJITGetterBaseJSObject::customGetter):
486         (WTF::DOMJITGetterBaseJSObject::finishCreation):
487         (WTF::Message::releaseContents):
488         (WTF::Message::index const):
489         (WTF::JSTestCustomGetterSetter::JSTestCustomGetterSetter):
490         (WTF::JSTestCustomGetterSetter::create):
491         (WTF::JSTestCustomGetterSetter::createStructure):
492         (WTF::customGetAccessor):
493         (WTF::customGetValue):
494         (WTF::customSetAccessor):
495         (WTF::customSetValue):
496         (WTF::JSTestCustomGetterSetter::finishCreation):
497         (WTF::Element::handleOwner):
498         (WTF::Element::finishCreation):
499         (JSC::functionCrash):
500         (JSC::functionCreateProxy):
501         (JSC::functionCreateRuntimeArray):
502         (JSC::functionCreateImpureGetter):
503         (JSC::functionCreateCustomGetterObject):
504         (JSC::functionCreateDOMJITNodeObject):
505         (JSC::functionCreateDOMJITGetterObject):
506         (JSC::functionCreateDOMJITGetterComplexObject):
507         (JSC::functionCreateDOMJITFunctionObject):
508         (JSC::functionCreateDOMJITCheckSubClassObject):
509         (JSC::functionCreateDOMJITGetterBaseJSObject):
510         (JSC::functionSetImpureGetterDelegate):
511         (JSC::functionCreateBuiltin):
512         (JSC::functionCreateRoot):
513         (JSC::functionCreateElement):
514         (JSC::functionGetElement):
515         (JSC::functionCreateSimpleObject):
516         (JSC::functionGetHiddenValue):
517         (JSC::functionSetHiddenValue):
518         (JSC::functionShadowChickenFunctionsOnStack):
519         (JSC::functionSetGlobalConstRedeclarationShouldNotThrow):
520         (JSC::functionFindTypeForExpression):
521         (JSC::functionReturnTypeFor):
522         (JSC::functionDumpBasicBlockExecutionRanges):
523         (JSC::functionHasBasicBlockExecuted):
524         (JSC::functionBasicBlockExecutionCount):
525         (JSC::functionEnableExceptionFuzz):
526         (JSC::functionGlobalObjectForObject):
527         (JSC::functionGetGetterSetter):
528         (JSC::functionLoadGetterFromGetterSetter):
529         (JSC::functionCreateCustomTestGetterSetter):
530         (JSC::JSDollarVM::finishCreation):
531         (JSC::JSDollarVM::addFunction):
532         (JSC::JSDollarVM::addConstructibleFunction):
533         * tools/JSDollarVM.h:
534         (JSC::JSDollarVM::create):
535
536 2017-11-23  Simon Fraser  <simon.fraser@apple.com>
537
538         Minor ArrayBufferView cleanup
539         https://bugs.webkit.org/show_bug.cgi?id=179966
540
541         Reviewed by Darin Adler.
542
543         Use void* for data pointers when we don't need to do offset math. Use const for
544         source pointers.
545
546         Prefer uint8_t* to char*.
547
548         Add comments noting that the assertions should not be made release assertions
549         as recommended by the style checker, since the point is to avoid the virtual byteLength()
550         call in release.
551
552         * runtime/ArrayBufferView.h:
553         (JSC::ArrayBufferView::setImpl):
554         (JSC::ArrayBufferView::setRangeImpl):
555         (JSC::ArrayBufferView::getRangeImpl):
556         (JSC::ArrayBufferView::zeroRangeImpl):
557
558 2017-11-23  Darin Adler  <darin@apple.com>
559
560         Reduce WTF::String operations that do unnecessary Unicode operations instead of ASCII
561         https://bugs.webkit.org/show_bug.cgi?id=179907
562
563         Reviewed by Sam Weinig.
564
565         * inspector/agents/InspectorDebuggerAgent.cpp:
566         (Inspector::matches): Removed explicit TextCaseSensitive because RegularExpression now
567         defaults to that.
568
569         * runtime/StringPrototype.cpp:
570         (JSC::stringIncludesImpl): Use String::find since there is no overload of
571         String::contains that takes a start offset now that we removed the one that took a
572         caseSensitive boolean. We can add one later if we like, but this should do for now.
573
574         * yarr/RegularExpression.h: Moved the TextCaseSensitivity enumeration here from
575         the StringImpl.h header because it is only used here.
576
577 2017-11-22  Simon Fraser  <simon.fraser@apple.com>
578
579         Followup after r225084: if anyone called GenericTypedArrayView() it didn't compile,
580         because of a getRangeUnchecked/getRangeImpl name mismatch; fixed to use getRangeImpl().
581
582         Also name the argument to zeroRange() to 'count' since it's an item count.
583
584         * runtime/GenericTypedArrayView.h:
585         (JSC::GenericTypedArrayView::zeroRange):
586         (JSC::GenericTypedArrayView::getRange):
587
588 2017-11-21  Simon Fraser  <simon.fraser@apple.com>
589
590         Allow for more efficient use of GenericTypedArrayView
591         https://bugs.webkit.org/show_bug.cgi?id=179899
592
593         Reviewed by Sam Weinig.
594
595         Fix ArrayBufferView::setRange() to not make two virtual function calls to byteLength()
596         under setRangeImpl(). There is only one caller in GenericTypedArrayView, and it can pass
597         in a length.
598
599         Add GenericTypedArrayView::getRange() to fetch a range of elements, also without virtual
600         byteLength() calls.
601
602         Renamed 'dataLength' to 'count' in setRange() to be clearer.
603
604         Added setNative() for callers who don't need clamping of doubles.
605
606         * runtime/ArrayBufferView.h:
607         (JSC::ArrayBufferView::setRangeImpl):
608         (JSC::ArrayBufferView::getRangeImpl):
609         * runtime/GenericTypedArrayView.h:
610         (JSC::GenericTypedArrayView::setRange):
611         (JSC::GenericTypedArrayView::setNative const):
612         (JSC::GenericTypedArrayView::getRange):
613         (JSC::GenericTypedArrayView::checkInboundData const):
614         (JSC::GenericTypedArrayView::internalByteLength const):
615
616 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
617
618         [DFG][FTL] Support MapSet / SetAdd intrinsics
619         https://bugs.webkit.org/show_bug.cgi?id=179858
620
621         Reviewed by Saam Barati.
622
623         Map.prototype.set and Set.prototype.add use the MapHash value anyway.
624         By handling them as MapSet and SetAdd DFG nodes and decoupling
625         MapSet and SetAdd nodes from MapHash DFG node, we have a chance to
626         remove duplicate MapHash calculation for the same key.
627
628         One story is *set-if-not-exists*.
629
630             if (!map.has(key))
631                 map.set(key, value);
632
633         In the above code, both `has` and `set` require hash value for `key`.
634         If we can change `set` to the series of DFG nodes:
635
636             1: MapHash(key)
637             2: MapSet(MapObjectUse:map, Untyped:key, Untyped:value, Int32Use:@1)
638
639         we can remove duplicate @1 produced by `has` operation.
640
641         This patch improves SixSpeed map-set.es6 and map-set-object.es6 by 20.5% and 20.4% respectively:
642
643                                          baseline                  patched
644
645             map-set.es6             246.2413+-15.2084    ^    204.3679+-11.2408       ^ definitely 1.2049x faster
646             map-set-object.es6      266.5075+-17.2289    ^    221.2792+-12.2948       ^ definitely 1.2044x faster
647
648         Microbenchmarks
649
650             map-has-and-set         148.1522+-7.6665     ^    131.4552+-7.8846        ^ definitely 1.1270x faster
651
652         * dfg/DFGAbstractInterpreterInlines.h:
653         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
654         * dfg/DFGByteCodeParser.cpp:
655         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
656         * dfg/DFGClobberize.h:
657         (JSC::DFG::clobberize):
658         * dfg/DFGDoesGC.cpp:
659         (JSC::DFG::doesGC):
660         * dfg/DFGFixupPhase.cpp:
661         (JSC::DFG::FixupPhase::fixupNode):
662         * dfg/DFGNodeType.h:
663         * dfg/DFGOperations.cpp:
664         * dfg/DFGOperations.h:
665         * dfg/DFGPredictionPropagationPhase.cpp:
666         * dfg/DFGSafeToExecute.h:
667         (JSC::DFG::safeToExecute):
668         * dfg/DFGSpeculativeJIT.cpp:
669         (JSC::DFG::SpeculativeJIT::compileSetAdd):
670         (JSC::DFG::SpeculativeJIT::compileMapSet):
671         * dfg/DFGSpeculativeJIT.h:
672         (JSC::DFG::SpeculativeJIT::callOperation):
673         * dfg/DFGSpeculativeJIT32_64.cpp:
674         (JSC::DFG::SpeculativeJIT::compile):
675         * dfg/DFGSpeculativeJIT64.cpp:
676         (JSC::DFG::SpeculativeJIT::compile):
677         * ftl/FTLCapabilities.cpp:
678         (JSC::FTL::canCompile):
679         * ftl/FTLLowerDFGToB3.cpp:
680         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
681         (JSC::FTL::DFG::LowerDFGToB3::compileSetAdd):
682         (JSC::FTL::DFG::LowerDFGToB3::compileMapSet):
683         * jit/JITOperations.h:
684         * runtime/HashMapImpl.h:
685         (JSC::HashMapImpl::addNormalized):
686         (JSC::HashMapImpl::addNormalizedInternal):
687         * runtime/Intrinsic.cpp:
688         (JSC::intrinsicName):
689         * runtime/Intrinsic.h:
690         * runtime/MapPrototype.cpp:
691         (JSC::MapPrototype::finishCreation):
692         * runtime/SetPrototype.cpp:
693         (JSC::SetPrototype::finishCreation):
694
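        The set-if-not-exists story above, as an added example that is not part of this ChangeLog or of
        JSC's own code: a simplified model of the DFG node sequence for `if (!map.has(key)) map.set(key, value)`
        and a local CSE pass that removes the second MapHash once MapSet takes the hash as an explicit operand.
        Node ids, op names and the flat node list are assumptions of the model; the real DFG works on a CFG with
        dominance-aware CSE.

```javascript
// Added example (not JSC code): model of the DFG node sequence for
//     if (!map.has(key)) map.set(key, value);
// and a local CSE pass over it. Node ids, op names and the flat list are
// assumptions of this model, not the real DFG IR.

function lowerHasAndSet() {
  // Before the patch, `set` was an opaque call that recomputed the hash
  // internally, so CSE could not see it. After the patch MapSet takes the
  // MapHash result as an Int32Use operand, so both hashes are visible.
  return [
    { id: '@1', op: 'MapHash', args: ['key'] },
    { id: '@2', op: 'MapHas',  args: ['map', 'key', '@1'] },
    { id: '@3', op: 'MapHash', args: ['key'] },                     // duplicate of @1
    { id: '@4', op: 'MapSet',  args: ['map', 'key', 'value', '@3'] },
  ];
}

// Pure nodes (no side effects, result depends only on operands) may be CSE'd.
const PURE_OPS = new Set(['MapHash']);

function localCSE(nodes) {
  const seen = new Map();   // "op(args)" -> id of the first occurrence
  const alias = new Map();  // eliminated node id -> surviving node id
  const out = [];
  for (const node of nodes) {
    // Rewrite operands that refer to nodes already eliminated.
    const args = node.args.map(a => (alias.has(a) ? alias.get(a) : a));
    const key = `${node.op}(${args.join(',')})`;
    if (PURE_OPS.has(node.op)) {
      if (seen.has(key)) {
        alias.set(node.id, seen.get(key)); // reuse the earlier result
        continue;
      }
      seen.set(key, node.id);
    }
    out.push({ id: node.id, op: node.op, args });
  }
  return out;
}

function hashCount(nodes) {
  return nodes.filter(n => n.op === 'MapHash').length;
}

// In the model, the hash used by `set` becomes the same node as the one used by `has`.
// The real `set` sits in the block guarded by `has`, which @1 dominates, so the same
// elimination applies there.
const optimized = localCSE(lowerHasAndSet());
console.log(hashCount(lowerHasAndSet()), '->', hashCount(optimized)); // 2 -> 1
```
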
695 2017-11-21  Yusuke Suzuki  <utatane.tea@gmail.com>
696
697         [JSC] Allow poly proto for intrinsic getters
698         https://bugs.webkit.org/show_bug.cgi?id=179550
699
700         Reviewed by Saam Barati.
701
702         This patch allows intrinsic getters to accept poly proto.
703         We propagate PolyProtoAccessChain in IntrinsicGetterAccessCase to perform
704         poly proto checks. And we extend UnderscoreProtoIntrinsic to emit
705         code for poly proto case.
706
707         * bytecode/IntrinsicGetterAccessCase.cpp:
708         (JSC::IntrinsicGetterAccessCase::IntrinsicGetterAccessCase):
709         (JSC::IntrinsicGetterAccessCase::create):
710         * bytecode/IntrinsicGetterAccessCase.h:
711         * jit/IntrinsicEmitter.cpp:
712         (JSC::IntrinsicGetterAccessCase::canEmitIntrinsicGetter):
713         (JSC::IntrinsicGetterAccessCase::emitIntrinsicGetter):
714         * jit/Repatch.cpp:
715         (JSC::tryCacheGetByID):
716
717 2017-11-20  Don Olmstead  <don.olmstead@sony.com>
718
719         Detect __declspec within JSBase.h
720         https://bugs.webkit.org/show_bug.cgi?id=179892
721
722         Reviewed by Darin Adler.
723
724         * API/JSBase.h:
725
726 2017-11-19  Tim Horton  <timothy_horton@apple.com>
727
728         Remove unused TOUCH_ICON_LOADING feature flag
729         https://bugs.webkit.org/show_bug.cgi?id=179873
730
731         Reviewed by Simon Fraser.
732
733         * Configurations/FeatureDefines.xcconfig:
734
735 2017-11-19  Yusuke Suzuki  <utatane.tea@gmail.com>
736
737         Add CPU(UNKNOWN) to cover all the unknown CPU types
738         https://bugs.webkit.org/show_bug.cgi?id=179243
739
740         Reviewed by JF Bastien.
741
742         * CMakeLists.txt:
743
744 2017-11-19  Tim Horton  <timothy_horton@apple.com>
745
746         Remove unused LEGACY_VENDOR_PREFIXES feature flag
747         https://bugs.webkit.org/show_bug.cgi?id=179872
748
749         Reviewed by Darin Adler.
750
751         * Configurations/FeatureDefines.xcconfig:
752
753 2017-11-18  Tim Horton  <timothy_horton@apple.com>
754
755         Fix typos in closing ENABLE() comments
756         https://bugs.webkit.org/show_bug.cgi?id=179869
757
758         Unreviewed.
759
760         * wasm/WasmMemory.h:
761         * wasm/WasmMemoryMode.h:
762
763 2017-11-17  JF Bastien  <jfbastien@apple.com>
764
765         NFC update ClassInfo to C++14
766         https://bugs.webkit.org/show_bug.cgi?id=179783
767
768         Reviewed by Mark Lam.
769
770         Forked from #179734, use `using` instead of `typedef`. It's easier
771         to read.
772
773         * runtime/ClassInfo.h:
774
775 2017-11-17  JF Bastien  <jfbastien@apple.com>
776
777         WebAssembly JS API: throw when a promise can't be created
778         https://bugs.webkit.org/show_bug.cgi?id=179826
779         <rdar://problem/35455813>
780
781         Reviewed by Mark Lam.
782
783         Failure *in* a promise causes rejection, but failure to create a
784         promise (because of stack overflow) isn't really spec'd (as all
785         stack things JS). This applies to WebAssembly.compile and
786         WebAssembly.instantiate.
787
788         Dan's current proposal says:
789
790             https://littledan.github.io/spec/document/js-api/index.html#stack-overflow
791
792             Whenever a stack overflow occurs in WebAssembly code, the same
793             class of exception is thrown as for a stack overflow in
794             JavaScript. The particular exception here is
795             implementation-defined in both cases.
796
797             Note: ECMAScript doesn’t specify any sort of behavior on stack
798             overflow; implementations have been observed to throw RangeError,
799             InternalError or Error. Any is valid here.
800
801         This is for general stack overflow within WebAssembly, not
802         specifically for promise creation within JavaScript, but it seems
803         like a stack overflow in promise creation should follow the same
804         rule instead of, say, swallowing the overflow and returning
805         undefined.
806
807         * wasm/js/WebAssemblyPrototype.cpp:
808         (JSC::webAssemblyCompileFunc):
809         (JSC::webAssemblyInstantiateFunc):
810
811 2017-11-16  Daniel Bates  <dabates@apple.com>
812
813         Add feature define for alternative presentation button element
814         https://bugs.webkit.org/show_bug.cgi?id=179692
815         Part of <rdar://problem/34917108>
816
817         Reviewed by Andy Estes.
818
819         Only enabled on Cocoa platforms by default.
820
821         * Configurations/FeatureDefines.xcconfig:
822
823 2017-11-16  Saam Barati  <sbarati@apple.com>
824
825         Fix a bug with cpuid in the FTL.
826
827         Rubber stamped by Mark Lam.
828
829         Before uploading the previous patch, I tried to condense the code. I
830         accidentally removed a crucial line saying that CPUID clobbers various
831         registers.
832
833         * ftl/FTLLowerDFGToB3.cpp:
834         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
835
836 2017-11-16  Saam Barati  <sbarati@apple.com>
837
838         Add some X86 intrinsics to $vm to help with some perf testing
839         https://bugs.webkit.org/show_bug.cgi?id=179693
840
841         Reviewed by Mark Lam.
842
843         I've been doing some local perf testing of various ideas and have
844         had these come in handy. I'm going to land them to dollarVM to prevent
845         having to add them to my local build every time I do perf testing.
846
847         * assembler/MacroAssemblerX86Common.h:
848         (JSC::MacroAssemblerX86Common::mfence):
849         (JSC::MacroAssemblerX86Common::rdtsc):
850         (JSC::MacroAssemblerX86Common::pause):
851         (JSC::MacroAssemblerX86Common::cpuid):
852         * assembler/X86Assembler.h:
853         (JSC::X86Assembler::rdtsc):
854         (JSC::X86Assembler::pause):
855         (JSC::X86Assembler::cpuid):
856         * dfg/DFGAbstractInterpreterInlines.h:
857         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
858         * dfg/DFGByteCodeParser.cpp:
859         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
860         * dfg/DFGClobberize.h:
861         (JSC::DFG::clobberize):
862         * dfg/DFGDoesGC.cpp:
863         (JSC::DFG::doesGC):
864         * dfg/DFGFixupPhase.cpp:
865         (JSC::DFG::FixupPhase::fixupNode):
866         * dfg/DFGGraph.cpp:
867         (JSC::DFG::Graph::dump):
868         * dfg/DFGNode.h:
869         (JSC::DFG::Node::intrinsic):
870         * dfg/DFGNodeType.h:
871         * dfg/DFGPredictionPropagationPhase.cpp:
872         * dfg/DFGSafeToExecute.h:
873         (JSC::DFG::safeToExecute):
874         * dfg/DFGSpeculativeJIT32_64.cpp:
875         (JSC::DFG::SpeculativeJIT::compile):
876         * dfg/DFGSpeculativeJIT64.cpp:
877         (JSC::DFG::SpeculativeJIT::compile):
878         * dfg/DFGValidate.cpp:
879         * ftl/FTLCapabilities.cpp:
880         (JSC::FTL::canCompile):
881         * ftl/FTLLowerDFGToB3.cpp:
882         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
883         (JSC::FTL::DFG::LowerDFGToB3::compileCPUIntrinsic):
884         * runtime/Intrinsic.cpp:
885         (JSC::intrinsicName):
886         * runtime/Intrinsic.h:
887         * tools/JSDollarVM.cpp:
888         (JSC::functionCpuMfence):
889         (JSC::functionCpuRdtsc):
890         (JSC::functionCpuCpuid):
891         (JSC::functionCpuPause):
892         (JSC::functionCpuClflush):
893         (JSC::JSDollarVM::finishCreation):
894
895 2017-11-16  JF Bastien  <jfbastien@apple.com>
896
897         It should be easier to reify lazy property names
898         https://bugs.webkit.org/show_bug.cgi?id=179734
899         <rdar://problem/35492521>
900
901         Reviewed by Keith Miller.
902
903         We reify lazy property names in a few different ways, each
904         specific to the JSCell implementation, in put() instead of having
905         a special function to do reification. Let's make that simpler.
906
907         This patch makes it easier to reify property names in a uniform
908         manner, and does so in JSFunction. As a follow up I'll use the
909         same mechanics for:
910
911         ClonedArguments   callee, iteratorSymbol (Symbol.iterator)
912         ErrorConstructor  stackTraceLimit
913         ErrorInstance     line, column, sourceURL, stack
914         GenericArguments  length, callee, iteratorSymbol (Symbol.iterator)
915         GetterSetter      RELEASE_ASSERT_NOT_REACHED()
916         JSArray           length
917         RegExpObject      lastIndex
918         StringObject      length
919
920         * runtime/ClassInfo.h: Add reifyPropertyNameIfNeeded to method table.
921         * runtime/JSCell.cpp:
922         (JSC::JSCell::reifyPropertyNameIfNeeded): by default, don't reify.
923         * runtime/JSCell.h:
924         * runtime/JSFunction.cpp: `name` and `length` can be reified.
925         (JSC::JSFunction::reifyPropertyNameIfNeeded):
926         (JSC::JSFunction::put):
927         (JSC::JSFunction::reifyLength):
928         (JSC::JSFunction::reifyName):
929         (JSC::JSFunction::reifyLazyPropertyIfNeeded):
930         (JSC::JSFunction::reifyLazyPropertyForHostOrBuiltinIfNeeded):
931         (JSC::JSFunction::reifyLazyLengthIfNeeded):
932         (JSC::JSFunction::reifyLazyNameIfNeeded):
933         (JSC::JSFunction::reifyLazyBoundNameIfNeeded):
934         * runtime/JSFunction.h:
935         (JSC::JSFunction::isLazy):
936         (JSC::JSFunction::isReified):
937         * runtime/JSObjectInlines.h:
938         (JSC::JSObject::putDirectInternal): do the reification here.
939
940 2017-11-16  Robin Morisset  <rmorisset@apple.com>
941
942         Provide a runtime option for disabling the optimization of recursive tail calls
943         https://bugs.webkit.org/show_bug.cgi?id=179765
944
945         Reviewed by Mark Lam.
946
947         * bytecode/PreciseJumpTargets.cpp:
948         (JSC::getJumpTargetsForBytecodeOffset):
949         * bytecompiler/BytecodeGenerator.cpp:
950         (JSC::BytecodeGenerator::emitEnter):
951         * dfg/DFGByteCodeParser.cpp:
952         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
953         * runtime/Options.h:
954
955 2017-11-16  Robin Morisset  <rmorisset@apple.com>
956
957         Fix null pointer dereference in bytecodeDumper
958         https://bugs.webkit.org/show_bug.cgi?id=179764
959
960         Reviewed by Mark Lam.
961
962         The problem was just a call to lastSeenCallee() that was unguarded by haveLastSeenCallee().
963
964         * bytecode/BytecodeDumper.cpp:
965         (JSC::BytecodeDumper<Block>::printCallOp):
966
967 2017-11-16  Robin Morisset  <rmorisset@apple.com>
968
969         REGRESSION (r224592): oss-fuzz: jsc: Null-dereference READ in JSC::JSCell::isObject (4216)
970         https://bugs.webkit.org/show_bug.cgi?id=179763
971         <rdar://problem/35550513>
972
973         Reviewed by Keith Miller.
974
975         Fix null pointer dereference caused by an eliminated tdz_check
976
977         The problem was when doing an OSR entry in DFG while |this| was null
978         (because super() had not yet been called in the constructor of this
979         subclass), it would be marked as non-null, and the tdz_check eliminated.
980
981         * dfg/DFGInPlaceAbstractState.cpp:
982         (JSC::DFG::InPlaceAbstractState::initialize):
983
984 2017-11-15  Ryan Haddad  <ryanhaddad@apple.com>
985
986         Unreviewed, rolling out r224863.
987
988         Introduced LayoutTest crashes on iOS Simulator.
989
990         Reverted changeset:
991
992         "Move JSONValues to WTF and convert uses of InspectorValues.h
993         to JSONValues.h"
994         https://bugs.webkit.org/show_bug.cgi?id=173793
995         https://trac.webkit.org/changeset/224863
996
997 2017-11-14  Mark Lam  <mark.lam@apple.com>
998
999         Gardening: CLoop build fix after r224862.
1000         https://bugs.webkit.org/show_bug.cgi?id=179699
1001
1002         Not reviewed.
1003
1004         * bytecode/CodeBlock.h:
1005         (JSC::CodeBlock::calleeSaveSpaceAsVirtualRegisters):
1006
1007 2017-11-14  Carlos Garcia Campos  <cgarcia@igalia.com>
1008
1009         Move JSONValues to WTF and convert uses of InspectorValues.h to JSONValues.h
1010         https://bugs.webkit.org/show_bug.cgi?id=173793
1011
1012         Reviewed by Brian Burg.
1013
1014         Based on a patch by Brian Burg.
1015
1016         * JavaScriptCore.xcodeproj/project.pbxproj:
1017         * Sources.txt:
1018         * bindings/ScriptValue.cpp:
1019         (Inspector::jsToInspectorValue):
1020         (Inspector::toInspectorValue):
1021         (Deprecated::ScriptValue::toInspectorValue const):
1022         * bindings/ScriptValue.h:
1023         * inspector/AsyncStackTrace.cpp:
1024         * inspector/ConsoleMessage.cpp:
1025         * inspector/ContentSearchUtilities.cpp:
1026         * inspector/InjectedScript.cpp:
1027         (Inspector::InjectedScript::getFunctionDetails):
1028         (Inspector::InjectedScript::functionDetails):
1029         (Inspector::InjectedScript::getPreview):
1030         (Inspector::InjectedScript::getProperties):
1031         (Inspector::InjectedScript::getDisplayableProperties):
1032         (Inspector::InjectedScript::getInternalProperties):
1033         (Inspector::InjectedScript::getCollectionEntries):
1034         (Inspector::InjectedScript::saveResult):
1035         (Inspector::InjectedScript::wrapCallFrames const):
1036         (Inspector::InjectedScript::wrapObject const):
1037         (Inspector::InjectedScript::wrapTable const):
1038         (Inspector::InjectedScript::previewValue const):
1039         (Inspector::InjectedScript::setExceptionValue):
1040         (Inspector::InjectedScript::clearExceptionValue):
1041         (Inspector::InjectedScript::inspectObject):
1042         (Inspector::InjectedScript::releaseObject):
1043         * inspector/InjectedScriptBase.cpp:
1044         (Inspector::InjectedScriptBase::makeCall):
1045         (Inspector::InjectedScriptBase::makeEvalCall):
1046         * inspector/InjectedScriptBase.h:
1047         * inspector/InjectedScriptManager.cpp:
1048         (Inspector::InjectedScriptManager::injectedScriptForObjectId):
1049         * inspector/InspectorBackendDispatcher.cpp:
1050         (Inspector::BackendDispatcher::CallbackBase::sendSuccess):
1051         (Inspector::BackendDispatcher::dispatch):
1052         (Inspector::BackendDispatcher::sendResponse):
1053         (Inspector::BackendDispatcher::sendPendingErrors):
1054         (Inspector::BackendDispatcher::getPropertyValue):
1055         (Inspector::castToInteger):
1056         (Inspector::castToNumber):
1057         (Inspector::BackendDispatcher::getInteger):
1058         (Inspector::BackendDispatcher::getDouble):
1059         (Inspector::BackendDispatcher::getString):
1060         (Inspector::BackendDispatcher::getBoolean):
1061         (Inspector::BackendDispatcher::getObject):
1062         (Inspector::BackendDispatcher::getArray):
1063         (Inspector::BackendDispatcher::getValue):
1064         * inspector/InspectorBackendDispatcher.h:
1065         * inspector/InspectorProtocolTypes.h:
1066         (Inspector::Protocol::Array::openAccessors):
1067         (Inspector::Protocol::PrimitiveBindingTraits::assertValueHasExpectedType):
1068         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::runtimeCast):
1069         (Inspector::Protocol::BindingTraits<Protocol::Array<T>>::assertValueHasExpectedType):
1070         (Inspector::Protocol::BindingTraits<JSON::Value>::assertValueHasExpectedType):
1071         * inspector/ScriptCallFrame.cpp:
1072         * inspector/ScriptCallStack.cpp:
1073         * inspector/agents/InspectorAgent.cpp:
1074         (Inspector::InspectorAgent::inspect):
1075         * inspector/agents/InspectorAgent.h:
1076         * inspector/agents/InspectorDebuggerAgent.cpp:
1077         (Inspector::buildAssertPauseReason):
1078         (Inspector::buildCSPViolationPauseReason):
1079         (Inspector::InspectorDebuggerAgent::buildBreakpointPauseReason):
1080         (Inspector::InspectorDebuggerAgent::buildExceptionPauseReason):
1081         (Inspector::buildObjectForBreakpointCookie):
1082         (Inspector::InspectorDebuggerAgent::breakpointActionsFromProtocol):
1083         (Inspector::parseLocation):
1084         (Inspector::InspectorDebuggerAgent::setBreakpointByUrl):
1085         (Inspector::InspectorDebuggerAgent::setBreakpoint):
1086         (Inspector::InspectorDebuggerAgent::continueToLocation):
1087         (Inspector::InspectorDebuggerAgent::schedulePauseOnNextStatement):
1088         (Inspector::InspectorDebuggerAgent::didParseSource):
1089         (Inspector::InspectorDebuggerAgent::breakProgram):
1090         * inspector/agents/InspectorDebuggerAgent.h:
1091         * inspector/agents/InspectorRuntimeAgent.cpp:
1092         (Inspector::InspectorRuntimeAgent::callFunctionOn):
1093         (Inspector::InspectorRuntimeAgent::saveResult):
1094         (Inspector::InspectorRuntimeAgent::getRuntimeTypesForVariablesAtOffsets):
1095         * inspector/agents/InspectorRuntimeAgent.h:
1096         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_header.py:
1097         (CppBackendDispatcherHeaderGenerator._generate_dispatcher_declaration_for_command):
1098         * inspector/scripts/codegen/generate_cpp_backend_dispatcher_implementation.py:
1099         (CppBackendDispatcherImplementationGenerator.generate_output):
1100         (CppBackendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_command):
1101         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_header.py:
1102         (CppFrontendDispatcherHeaderGenerator.generate_output):
1103         * inspector/scripts/codegen/generate_cpp_frontend_dispatcher_implementation.py:
1104         (CppFrontendDispatcherImplementationGenerator._generate_dispatcher_implementation_for_event):
1105         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1106         (_generate_unchecked_setter_for_member):
1107         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1108         (CppProtocolTypesImplementationGenerator):
1109         * inspector/scripts/codegen/generate_objc_backend_dispatcher_implementation.py:
1110         (ObjCBackendDispatcherImplementationGenerator.generate_output):
1111         (ObjCBackendDispatcherImplementationGenerator._generate_success_block_for_command):
1112         * inspector/scripts/codegen/generate_objc_frontend_dispatcher_implementation.py:
1113         (ObjCFrontendDispatcherImplementationGenerator.generate_output):
1114         (ObjCFrontendDispatcherImplementationGenerator._generate_event):
1115         (ObjCFrontendDispatcherImplementationGenerator._generate_event_out_parameters):
1116         * inspector/scripts/codegen/generate_objc_internal_header.py:
1117         (ObjCInternalHeaderGenerator.generate_output):
1118         * inspector/scripts/codegen/generate_objc_protocol_types_implementation.py:
1119         (ObjCProtocolTypesImplementationGenerator.generate_output):
1120         * inspector/scripts/codegen/generator.py:
1121         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1122         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1123         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1124         * inspector/scripts/tests/generic/expected/definitions-with-mac-platform.json-result:
1125         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1126         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1127         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1128         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1129         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1130         * inspector/scripts/tests/generic/expected/same-type-id-different-domain.json-result:
1131         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1132         * inspector/scripts/tests/generic/expected/type-declaration-aliased-primitive-type.json-result:
1133         * inspector/scripts/tests/generic/expected/type-declaration-array-type.json-result:
1134         * inspector/scripts/tests/generic/expected/type-declaration-enum-type.json-result:
1135         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1136         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1137         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1138         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1139         * inspector/scripts/tests/ios/expected/definitions-with-mac-platform.json-result:
1140         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1141
1142 2017-11-14  Mark Lam  <mark.lam@apple.com>
1143
1144         Fix a bit-rotted Interpreter::dumpRegisters() and make it more robust.
1145         https://bugs.webkit.org/show_bug.cgi?id=179699
1146         <rdar://problem/35462346>
1147
1148         Reviewed by Michael Saboff.
1149
1150         * interpreter/Interpreter.cpp:
1151         (JSC::Interpreter::dumpRegisters):
1152         - Need to skip the callee saved registers
1153
1154 2017-11-14  Guillaume Emont  <guijemont@igalia.com>
1155
1156         REGRESSION(r224623) [MIPS] branchTruncateDoubleToInt32() doesn't set return register when branching
1157         https://bugs.webkit.org/show_bug.cgi?id=179563
1158
1159         Reviewed by Carlos Alberto Lopez Perez.
1160
1161         When run with BranchIfTruncateSuccessful,
1162         branchTruncateDoubleToInt32() should set the destination register
1163         before branching.
1164         This change also removes branchTruncateDoubleToUInt32() as it is
1165         deprecated (see r160205), merges branchOnTruncateResult() into
1166         branchTruncateDoubleToInt32() and adds test cases in testmasm.
1167
1168         * assembler/MacroAssemblerMIPS.h:
1169         (JSC::MacroAssemblerMIPS::branchOnTruncateResult): Deleted.
1170         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
1171         Properly set dest before branching.
1172         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUInt32): Deleted.
1173         * assembler/testmasm.cpp:
1174         (JSC::testBranchTruncateDoubleToInt32):
1175         (JSC::run):
1176         Add tests for branchTruncateDoubleToInt32().
1177
1178 2017-11-14  Daniel Bates  <dabates@apple.com>
1179
1180         Update comment in FeatureDefines.xcconfig to reflect location of Visual Studio property files
1181         for feature defines
1182
1183         Following r195498 and r201917 the Visual Studio property files for feature defines have
1184         moved from directory WebKitLibraries/win/tools/vsprops to directory Source/cmake/tools/vsprops.
1185         Update the comment in FeatureDefines.xcconfig to reflect the new location and names of these
1186         files.
1187
1188         * Configurations/FeatureDefines.xcconfig:
1189
1190 2017-11-14  Mark Lam  <mark.lam@apple.com>
1191
1192         Remove JSDollarVMPrototype.
1193         https://bugs.webkit.org/show_bug.cgi?id=179685
1194
1195         Reviewed by Saam Barati.
1196
1197         1. Move the JSDollarVMPrototype C++ utility functions into VMInspector.cpp.
1198
1199            This allows us to call these functions during lldb debugging sessions using
1200            VMInspector::foo() instead of JSDollarVMPrototype::foo().  It makes sense that
1201            VMInspector provides VM debugging utility methods.  It doesn't make sense to
1202            have a JSDollarVMPrototype object provide these methods.
1203
1204            Plus, it's shorter to type VMInspector than JSDollarVMPrototype.
1205
1206         2. Move the JSDollarVMPrototype JS functions into JSDollarVM.cpp.
1207
1208            JSDollarVM is a special object used only for debugging purposes.  There's no
1209            gain in requiring its methods to be stored in a prototype object other than to
1210            conform to typical JS convention.  We can remove this complexity.
1211
1212         * JavaScriptCore.xcodeproj/project.pbxproj:
1213         * Sources.txt:
1214         * runtime/JSGlobalObject.cpp:
1215         (JSC::JSGlobalObject::init):
1216         * tools/JSDollarVM.cpp:
1217         (JSC::JSDollarVM::addFunction):
1218         (JSC::functionCrash):
1219         (JSC::functionDFGTrue):
1220         (JSC::CallerFrameJITTypeFunctor::CallerFrameJITTypeFunctor):
1221         (JSC::CallerFrameJITTypeFunctor::operator() const):
1222         (JSC::CallerFrameJITTypeFunctor::jitType):
1223         (JSC::functionLLintTrue):
1224         (JSC::functionJITTrue):
1225         (JSC::functionGC):
1226         (JSC::functionEdenGC):
1227         (JSC::functionCodeBlockForFrame):
1228         (JSC::codeBlockFromArg):
1229         (JSC::functionCodeBlockFor):
1230         (JSC::functionPrintSourceFor):
1231         (JSC::functionPrintBytecodeFor):
1232         (JSC::functionPrint):
1233         (JSC::functionPrintCallFrame):
1234         (JSC::functionPrintStack):
1235         (JSC::functionValue):
1236         (JSC::functionGetPID):
1237         (JSC::JSDollarVM::finishCreation):
1238         * tools/JSDollarVM.h:
1239         (JSC::JSDollarVM::create):
1240         * tools/JSDollarVMPrototype.cpp: Removed.
1241         * tools/JSDollarVMPrototype.h: Removed.
1242         * tools/VMInspector.cpp:
1243         (JSC::VMInspector::currentThreadOwnsJSLock):
1244         (JSC::ensureCurrentThreadOwnsJSLock):
1245         (JSC::VMInspector::gc):
1246         (JSC::VMInspector::edenGC):
1247         (JSC::VMInspector::isInHeap):
1248         (JSC::CellAddressCheckFunctor::CellAddressCheckFunctor):
1249         (JSC::CellAddressCheckFunctor::operator() const):
1250         (JSC::VMInspector::isValidCell):
1251         (JSC::VMInspector::isValidCodeBlock):
1252         (JSC::VMInspector::codeBlockForFrame):
1253         (JSC::PrintFrameFunctor::PrintFrameFunctor):
1254         (JSC::PrintFrameFunctor::operator() const):
1255         (JSC::VMInspector::printCallFrame):
1256         (JSC::VMInspector::printStack):
1257         (JSC::VMInspector::printValue):
1258         * tools/VMInspector.h:
1259
1260 2017-11-14  Joseph Pecoraro  <pecoraro@apple.com>
1261
1262         Web Inspector: Add a ServiceWorker domain to get information about an inspected ServiceWorker
1263         https://bugs.webkit.org/show_bug.cgi?id=179640
1264         <rdar://problem/35517361>
1265
1266         Reviewed by Devin Rousso.
1267
1268         * CMakeLists.txt:
1269         * DerivedSources.make:
1270         Gate the ServiceWorker domain on the ENABLE feature flag.
1271
1272         * inspector/protocol/ServiceWorker.json: Added.
1273         New domain to be made available inside of a ServiceWorker target.
1274
1275 2017-11-14  Yusuke Suzuki  <utatane.tea@gmail.com>
1276
1277         [DFG][FTL] Support Array::DirectArguments with OutOfBounds
1278         https://bugs.webkit.org/show_bug.cgi?id=179594
1279
1280         Reviewed by Saam Barati.
1281
1282         Currently we handle OOB access to DirectArguments as GetByVal(Array::Generic).
1283         If we can handle it as GetByVal(Array::DirectArguments+OutOfBounds), we can (1) optimize
1284         `arguments[i]` accesses if i is in bounds, and (2) encourage arguments elimination phase
1285         to convert CreateDirectArguments and GetByVal(Array::DirectArguments+OutOfBounds) to
1286         PhantomDirectArguments and GetMyArgumentOutOfBounds respectively.
1287
1288         This patch introduces Array::DirectArguments+OutOfBounds array mode. GetByVal can
1289         accept this type, and emit optimized code compared to Array::Generic case.
1290
1291         We make OOB check failures in GetByVal(Array::DirectArguments+InBounds) as OutOfBounds
1292         exit instead of ExoticObjectMode.
1293
1294         This change significantly improves SixSpeed rest.es5 since it uses OOB access.
1295         Our arguments elimination phase can change CreateDirectArguments to PhantomDirectArguments.
1296
1297             rest.es5                       59.6719+-2.2440     ^      3.1634+-0.5507        ^ definitely 18.8635x faster
1298
1299         * dfg/DFGArgumentsEliminationPhase.cpp:
1300         * dfg/DFGArrayMode.cpp:
1301         (JSC::DFG::ArrayMode::refine const):
1302         * dfg/DFGClobberize.h:
1303         (JSC::DFG::clobberize):
1304         * dfg/DFGSpeculativeJIT.cpp:
1305         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1306         * ftl/FTLLowerDFGToB3.cpp:
1307         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1308         (JSC::FTL::DFG::LowerDFGToB3::compileGetMyArgumentByVal):
1309
1310 2017-11-14  Saam Barati  <sbarati@apple.com>
1311
1312         We need to set topCallFrame when calling Wasm::Memory::grow from the JIT
1313         https://bugs.webkit.org/show_bug.cgi?id=179639
1314         <rdar://problem/35513018>
1315
1316         Reviewed by JF Bastien.
1317
1318         Calling Wasm::Memory::grow from the JIT may cause us to GC. When we GC, we will
1319         walk the stack for ShadowChicken (and maybe other things). We weren't updating
1320         topCallFrame when calling grow from the Wasm JIT. This would cause the GC to
1321         use stale topCallFrame bits in VM, often leading to crashes. This patch fixes
1322         this bug by giving Wasm::Instance a lambda that is called when we need to store
1323         the topCallFrame. Users of Wasm::Instance can provide a function to do this action.
1324         Currently, JSWebAssemblyInstance passes in a lambda that stores to
1325         VM.topCallFrame.
1326
1327         * wasm/WasmB3IRGenerator.cpp:
1328         (JSC::Wasm::B3IRGenerator::addGrowMemory):
1329         * wasm/WasmInstance.cpp:
1330         (JSC::Wasm::Instance::Instance):
1331         (JSC::Wasm::Instance::create):
1332         * wasm/WasmInstance.h:
1333         (JSC::Wasm::Instance::storeTopCallFrame):
1334         * wasm/js/JSWebAssemblyInstance.cpp:
1335         (JSC::JSWebAssemblyInstance::create):
1336         * wasm/js/JSWebAssemblyInstance.h:
1337         * wasm/js/WasmToJS.cpp:
1338         (JSC::Wasm::wasmToJSException):
1339         * wasm/js/WebAssemblyInstanceConstructor.cpp:
1340         (JSC::constructJSWebAssemblyInstance):
1341         * wasm/js/WebAssemblyPrototype.cpp:
1342         (JSC::instantiate):
1343
1344 2017-11-13  Saam Barati  <sbarati@apple.com>
1345
1346         Remove pointer caging for HashMapImpl, JSLexicalEnvironment, DirectArguments, ScopedArguments, and ScopedArgumentsTable
1347         https://bugs.webkit.org/show_bug.cgi?id=179203
1348
1349         Reviewed by Yusuke Suzuki.
1350
        This patch only removes the pointer caging for the described types in the title.
        These types still allocate out of the gigacage. This is just a cost vs benefit
        tradeoff of performance vs security.
1354
1355         * dfg/DFGSpeculativeJIT.cpp:
1356         (JSC::DFG::SpeculativeJIT::compileGetByValOnDirectArguments):
1357         (JSC::DFG::SpeculativeJIT::compileGetByValOnScopedArguments):
1358         * ftl/FTLLowerDFGToB3.cpp:
1359         (JSC::FTL::DFG::LowerDFGToB3::compileGetByVal):
1360         * jit/JITPropertyAccess.cpp:
1361         (JSC::JIT::emitDirectArgumentsGetByVal):
1362         (JSC::JIT::emitScopedArgumentsGetByVal):
1363         * runtime/DirectArguments.h:
1364         (JSC::DirectArguments::storage):
1365         * runtime/HashMapImpl.cpp:
1366         (JSC::HashMapImpl<HashMapBucket>::visitChildren):
1367         * runtime/HashMapImpl.h:
1368         * runtime/JSLexicalEnvironment.h:
1369         (JSC::JSLexicalEnvironment::variables):
1370         * runtime/ScopedArguments.h:
1371         (JSC::ScopedArguments::overflowStorage const):
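
        As an added illustration (not WebKit code) of what the pointer caging removed in this entry, and in the
        later "Only cage double butterfly accesses" entry, actually buys: the cage below is a hypothetical 64 KiB
        region allocated with posix_memalign, and Cage::caged models the base-plus-masked-offset operation. A
        double store through a corrupted pointer is redirected into the cage instead of reaching its target. The
        cage size, the namespace and the function names are this example's own.

```cpp
// Added example: a simplified model of pointer caging, not WebKit's Gigacage.
// A cage is a power-of-two-sized region whose base is aligned to its size.
// Caging a pointer keeps only its low bits (the offset within the cage) and
// re-bases them onto the cage, so even a corrupted pointer can address memory
// only inside the cage, never outside it.
#include <cstdint>
#include <cstdlib>
#include <cstring>

namespace cage_model {

// Hypothetical cage size for the demo; the real Gigacage is gigabytes.
constexpr std::size_t kCageSize = std::size_t(1) << 16;   // 64 KiB
constexpr std::uintptr_t kCageMask = kCageSize - 1;

struct Cage {
    char* base = nullptr;   // aligned to kCageSize, so its low 16 bits are zero

    Cage() {
        void* p = nullptr;
        if (posix_memalign(&p, kCageSize, kCageSize) != 0)
            std::abort();
        base = static_cast<char*>(p);
        std::memset(base, 0, kCageSize);
    }
    ~Cage() { std::free(base); }
    Cage(const Cage&) = delete;
    Cage& operator=(const Cage&) = delete;

    bool contains(const void* p) const {
        auto u = reinterpret_cast<std::uintptr_t>(p);
        auto b = reinterpret_cast<std::uintptr_t>(base);
        return u >= b && u < b + kCageSize;
    }

    // The caging operation itself: base + (ptr & mask). The high bits of ptr,
    // which is where a corrupted pointer would have to differ to escape the
    // region, are discarded.
    template<typename T>
    T* caged(T* ptr) const {
        std::uintptr_t offset = reinterpret_cast<std::uintptr_t>(ptr) & kCageMask;
        return reinterpret_cast<T*>(base + offset);
    }
};

// A butterfly-style double store. The uncaged form writes wherever the
// pointer says; the caged form cannot write outside the cage.
inline void storeDoubleUncaged(double* slot, double v) { *slot = v; }
inline void storeDoubleCaged(const Cage& cage, double* slot, double v) {
    *cage.caged(slot) = v;
}

// Pretend an attacker swapped the butterfly pointer for the address of
// `victim`, which lives on the stack, outside the cage. The caged store must
// leave `victim` untouched and land inside the cage instead.
inline bool cagedStoreCannotEscape() {
    Cage cage;
    double victim = 1.0;
    double* corrupted = &victim;
    storeDoubleCaged(cage, corrupted, 2.0);
    double* landed = cage.caged(corrupted);
    return victim == 1.0 && !cage.contains(&victim)
        && cage.contains(landed) && *landed == 2.0;
}

// A pointer already inside the cage is unchanged by caging, which is why
// legitimate in-bounds accesses keep working once the mask is applied.
inline bool cagingIsIdentityInsideCage() {
    Cage cage;
    double* inside = reinterpret_cast<double*>(cage.base + 4096);
    return cage.caged(inside) == inside;
}

} // namespace cage_model
```

        The mask-and-add on every load/store path is the cost these two entries trade away for the
        listed types and for non-double butterfly accesses; the double store is the case kept caged
        because its payload is an arbitrary attacker-chosen 64-bit pattern.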
1372
1373 2017-11-08  Keith Miller  <keith_miller@apple.com>
1374
1375         Async iteration should only fetch the next method once and add feature flag
1376         https://bugs.webkit.org/show_bug.cgi?id=179451
1377
1378         Reviewed by Geoffrey Garen.
1379
1380         Add feature flag for Async iteration. Also, change async iteration to match
1381         the expected behavior of the proposal.
1382
1383         * Configurations/FeatureDefines.xcconfig:
1384         * builtins/AsyncFromSyncIteratorPrototype.js:
1385         (globalPrivate.createAsyncFromSyncIterator):
1386         (globalPrivate.AsyncFromSyncIteratorConstructor):
1387         * builtins/BuiltinNames.h:
1388         * bytecompiler/BytecodeGenerator.cpp:
1389         (JSC::BytecodeGenerator::emitGetAsyncIterator):
1390         * runtime/Options.h:
1391
1392 2017-11-13  Mark Lam  <mark.lam@apple.com>
1393
1394         Add more overflow check book-keeping for MarkedArgumentBuffer.
1395         https://bugs.webkit.org/show_bug.cgi?id=179634
1396         <rdar://problem/35492517>
1397
1398         Reviewed by Saam Barati.
1399
1400         * runtime/ArgList.h:
1401         (JSC::MarkedArgumentBuffer::overflowCheckNotNeeded):
1402         * runtime/JSJob.cpp:
1403         (JSC::JSJobMicrotask::run):
1404         * runtime/ObjectConstructor.cpp:
1405         (JSC::defineProperties):
1406         * runtime/ReflectObject.cpp:
1407         (JSC::reflectObjectConstruct):
1408
1409 2017-11-13  Guillaume Emont  <guijemont@igalia.com>
1410
1411         [JSC] Remove ARM implementation of branchTruncateDoubleToUInt32
1412         https://bugs.webkit.org/show_bug.cgi?id=179542
1413
1414         Reviewed by Alex Christensen.
1415
1416         * assembler/MacroAssemblerARM.h:
1417         (JSC::MacroAssemblerARM::branchTruncateDoubleToUint32): Removed.
1418
1419 2017-11-13  Mark Lam  <mark.lam@apple.com>
1420
1421         Make the jsc shell loadGetterFromGetterSetter() function more robust.
1422         https://bugs.webkit.org/show_bug.cgi?id=179619
1423         <rdar://problem/35492518>
1424
1425         Reviewed by Saam Barati.
1426
1427         * jsc.cpp:
1428         (functionLoadGetterFromGetterSetter):
1429
1430 2017-11-12  Darin Adler  <darin@apple.com>
1431
1432         More is<> and downcast<>, less static_cast<>
1433         https://bugs.webkit.org/show_bug.cgi?id=179600
1434
1435         Reviewed by Chris Dumez.
1436
1437         * runtime/JSString.h:
1438         (JSC::jsSubstring): Removed unneeded static_cast; length already returns unsigned.
1439         (JSC::jsSubstringOfResolved): Ditto.
1440
1441 2017-11-12  Mark Lam  <mark.lam@apple.com>
1442
1443         We should ensure that operationStrCat2 and operationStrCat3 are never passed Symbols as arguments.
1444         https://bugs.webkit.org/show_bug.cgi?id=179562
1445         <rdar://problem/35467022>
1446
1447         Reviewed by Saam Barati.
1448
1449         * dfg/DFGFixupPhase.cpp:
1450         (JSC::DFG::FixupPhase::fixupNode):
1451         * dfg/DFGOperations.cpp:
1452         * dfg/DFGSafeToExecute.h:
1453         (JSC::DFG::SafeToExecuteEdge::operator()):
1454         * dfg/DFGSpeculativeJIT.cpp:
1455         (JSC::DFG::SpeculativeJIT::speculateNotSymbol):
1456         (JSC::DFG::SpeculativeJIT::speculate):
1457         * dfg/DFGSpeculativeJIT.h:
1458         * dfg/DFGUseKind.cpp:
1459         (WTF::printInternal):
1460         * dfg/DFGUseKind.h:
1461         (JSC::DFG::typeFilterFor):
1462         * ftl/FTLCapabilities.cpp:
1463         (JSC::FTL::canCompile):
1464         * ftl/FTLLowerDFGToB3.cpp:
1465         (JSC::FTL::DFG::LowerDFGToB3::speculate):
1466         (JSC::FTL::DFG::LowerDFGToB3::speculateNotSymbol):
1467
1468 2017-11-11  Devin Rousso  <webkit@devinrousso.com>
1469
1470         Web Inspector: Canvas tab: show detailed status during canvas recording
1471         https://bugs.webkit.org/show_bug.cgi?id=178185
1472         <rdar://problem/34939862>
1473
1474         Reviewed by Brian Burg.
1475
1476         * inspector/protocol/Canvas.json:
1477         Add a `recordingProgress` event that is sent to the frontend that contains all the frame
1478         payloads since the last Canvas.recordingProgress event and the current buffer usage.
1479
1480         * inspector/protocol/Recording.json:
1481         Remove the required `frames` parameter from the Recording protocol object, as they will be
1482         sent in batches via the Canvas.recordingProgress event.
1483
1484 2017-11-10  Joseph Pecoraro  <pecoraro@apple.com>
1485
1486         Web Inspector: Make http status codes be "integer" instead of "number" in protocol
1487         https://bugs.webkit.org/show_bug.cgi?id=179543
1488
1489         Reviewed by Antoine Quint.
1490
1491         * inspector/protocol/Network.json:
1492         Use a better type for the status code.
1493
1494 2017-11-10  Robin Morisset  <rmorisset@apple.com>
1495
1496         The memory consumption of DFG::BasicBlock can be easily reduced a bit
1497         https://bugs.webkit.org/show_bug.cgi?id=179528
1498
1499         Reviewed by Saam Barati.
1500
1501         A few changes here:
1502         - Reordering some fields of DFG::BasicBlock to reduce padding
1503         - Making the enum fields that are glorified booleans fit into a u8
1504         - Make each Operands object have a single vector that holds all arguments followed by all locals, instead of two vectors.
1505           This change works because we never increase the number of arguments after allocating an Operands object.
1506           It lets us avoid one extra capacity field and one extra pointer field per Operands,
1507           and more importantly one allocation per Operands whenever both vectors would have overflowed their inlined buffer.
1508           Additionally, if a single vector would have overflowed its inline buffer, while the other would have had some free space,
1509           we have a chance to avoid an allocation.
1510         - Finally, the three methods argumentForIndex, variableForIndex and indexForOperand were deleted since they were dead code.
1511
1512         * bytecode/Operands.h:
1513         (JSC::Operands::Operands):
1514         (JSC::Operands::numberOfArguments const):
1515         (JSC::Operands::numberOfLocals const):
1516         (JSC::Operands::argument):
1517         (JSC::Operands::argument const):
1518         (JSC::Operands::local):
1519         (JSC::Operands::local const):
1520         (JSC::Operands::ensureLocals):
1521         (JSC::Operands::setLocal):
1522         (JSC::Operands::getLocal):
1523         (JSC::Operands::setArgumentFirstTime):
1524         (JSC::Operands::setLocalFirstTime):
1525         (JSC::Operands::operand):
1526         (JSC::Operands::setOperand):
1527         (JSC::Operands::size const):
1528         (JSC::Operands::at const):
1529         (JSC::Operands::at):
1530         (JSC::Operands::isArgument const):
1531         (JSC::Operands::isVariable const):
1532         (JSC::Operands::virtualRegisterForIndex const):
1533         (JSC::Operands::fill):
1534         (JSC::Operands::operator== const):
1535         (JSC::Operands::argumentForIndex const): Deleted.
1536         (JSC::Operands::variableForIndex const): Deleted.
1537         (JSC::Operands::indexForOperand const): Deleted.
1538         * dfg/DFGBasicBlock.cpp:
1539         (JSC::DFG::BasicBlock::BasicBlock):
1540         * dfg/DFGBasicBlock.h:
1541         * dfg/DFGBranchDirection.h:
1542         * dfg/DFGStructureClobberState.h:
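
        A minimal re-creation of the single-vector Operands layout described above, as an added example rather
        than JSC's Operands<T>: arguments sit at the front, locals follow them, and ensureLocals can only grow the
        tail, which is why fixing the argument count at construction keeps every index stable. The class and
        helper names are this example's own.

```cpp
// Added example: a toy Operands<T> with one vector holding arguments followed
// by locals, mirroring the layout the entry describes (not JSC's class).
// Indices [0, numArguments) are arguments; [numArguments, size()) are locals.
#include <cstddef>
#include <vector>

template<typename T>
class Operands {
public:
    Operands(std::size_t numArguments, std::size_t numLocals, const T& fill = T())
        : m_numArguments(numArguments), m_values(numArguments + numLocals, fill) {}

    std::size_t numberOfArguments() const { return m_numArguments; }
    std::size_t numberOfLocals() const { return m_values.size() - m_numArguments; }
    std::size_t size() const { return m_values.size(); }

    // at() bounds-checks, so a bad index throws instead of reading past the end.
    T& argument(std::size_t i) { return m_values.at(i); }
    const T& argument(std::size_t i) const { return m_values.at(i); }
    T& local(std::size_t i) { return m_values.at(m_numArguments + i); }
    const T& local(std::size_t i) const { return m_values.at(m_numArguments + i); }

    // Only the locals may grow. Arguments are fixed at construction, which is
    // the invariant that makes a single backing vector sound.
    void ensureLocals(std::size_t numLocals, const T& fill = T()) {
        if (numLocals > numberOfLocals())
            m_values.resize(m_numArguments + numLocals, fill);
    }

    bool isArgument(std::size_t index) const { return index < m_numArguments; }
    bool isLocal(std::size_t index) const {
        return index >= m_numArguments && index < m_values.size();
    }

    // Flat access over the combined vector.
    T& at(std::size_t index) { return m_values.at(index); }
    const T& at(std::size_t index) const { return m_values.at(index); }

    bool operator==(const Operands& other) const {
        return m_numArguments == other.m_numArguments && m_values == other.m_values;
    }

private:
    std::size_t m_numArguments;
    std::vector<T> m_values;   // arguments first, then locals
};

// Worked check: after growing the locals, the arguments are still where they
// were, the old local keeps its value, and the new locals carry the fill value.
inline bool operandsLayoutHolds() {
    Operands<int> ops(2, 1, 0);
    ops.argument(0) = 10;
    ops.argument(1) = 11;
    ops.local(0) = 20;
    ops.ensureLocals(3, -1);
    return ops.size() == 5
        && ops.argument(0) == 10 && ops.argument(1) == 11
        && ops.local(0) == 20 && ops.local(1) == -1 && ops.local(2) == -1
        && ops.isArgument(1) && ops.isLocal(2) && !ops.isLocal(5)
        && ops.at(3) == -1;
}

inline std::size_t operandsSize(std::size_t args, std::size_t locals) {
    return Operands<int>(args, locals).size();
}
```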
1543
1544 2017-11-09  Yusuke Suzuki  <utatane.tea@gmail.com>
1545
1546         [JSC] Retry module fetching if previous request fails
1547         https://bugs.webkit.org/show_bug.cgi?id=178168
1548
1549         Reviewed by Saam Barati.
1550
1551         According to the latest spec, the failed fetching operation can be retried if it is requested again.
1552         For example,
1553
1554             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
1555             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
1556
        When performing the first module fetch, the integrity check fails, and the load of this module fails.
        But when loading the second module, we do not use the cached failure result from the first module load.
        We retry fetching for "./A.js". In this case, we have a correct integrity and module fetching succeeds.
1560         This is specified in whatwg/HTML[1]. If the fetching fails, we do not cache it.
1561
        Interestingly, the fetching result and instantiation result will be cached if they succeed. This is because we would
        like to cache modules based on their URLs. As a result,
1564
1565             <script type="module" integrity="shaXXX-correct" src="./A.js"></script>
1566             <script type="module" integrity="shaXXX-bad" src="./A.js"></script>
1567
1568         In the above case, the first loading succeeds. And the second loading also succeeds since the succeeded fetching and
1569         instantiation are cached in the module pipeline.
1570
        This patch implements the above semantics. Previously, our module pipeline always cached the result. If the fetching
        failed, all the subsequent fetching for the same URL failed even if we had different integrity values. We retry fetching
        if the previous one fails. As an overview of our change,
1574
        1. Fetching result should be cached only if it succeeds. Two or more on-the-fly fetching requests to the same URLs should
           be unified. But if the currently executing one fails, other attempts should retry fetching.
1577
1578         2. Instantiation should be cached if fetching succeeds.
1579
1580         3. Satisfying should be cached if it succeeds.
1581
1582         [1]: https://html.spec.whatwg.org/#fetch-a-single-module-script
1583
1584         * builtins/ModuleLoaderPrototype.js:
1585         (requestFetch):
1586         (requestInstantiate):
1587         (requestSatisfy):
1588         (link):
1589         (loadModule):
1590         * runtime/JSGlobalObject.cpp:
1591         (JSC::JSGlobalObject::init):
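
        The caching rule in points 1 to 3 above, as an added synchronous model that is not ModuleLoaderPrototype.js:
        only a successful fetch, integrity check included, is recorded per URL; a failure leaves no entry, so the
        next <script type="module"> for the same URL refetches. The integrityOf checksum is a toy FNV-1a stand-in
        for an SRI digest, the module source, URL and class names are constructed for the example, and in-flight
        request unification is omitted because the model has no concurrency.

```cpp
// Added example: a synchronous model of "cache only on success" for module
// fetching, not JSC's module loader. The integrity value plays the role of the
// <script integrity="..."> attribute; integrityOf is NOT a cryptographic hash.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <vector>

namespace module_model {

// Toy stand-in for an SRI digest string such as "sha256-...": 64-bit FNV-1a.
inline std::string integrityOf(const std::string& source) {
    std::uint64_t h = 14695981039346656037ull;
    for (unsigned char c : source) { h ^= c; h *= 1099511628211ull; }
    char buf[32];
    std::snprintf(buf, sizeof buf, "fnv1a-%016llx", static_cast<unsigned long long>(h));
    return buf;
}

struct FetchResult {
    bool ok;
    std::string source;   // empty on failure
    std::string error;    // empty on success
};

class ModulePipeline {
public:
    // fetcher(url, out) fills `out` with the raw source and returns false on a network error.
    using Fetcher = std::function<bool(const std::string&, std::string&)>;
    explicit ModulePipeline(Fetcher fetcher) : m_fetcher(std::move(fetcher)) {}

    FetchResult requestFetch(const std::string& url, const std::string& integrity) {
        // A cached success is reused whatever integrity value this request
        // carries: the cache key is the URL alone (the entry's second scenario).
        auto it = m_fetched.find(url);
        if (it != m_fetched.end())
            return { true, it->second, "" };

        ++m_fetchCount[url];
        std::string source;
        if (!m_fetcher(url, source))
            return { false, "", "network error for " + url };     // not cached: next request retries
        if (integrityOf(source) != integrity)
            return { false, "", "integrity mismatch for " + url }; // not cached either
        m_fetched[url] = source;                                   // only successes are cached
        return { true, source, "" };
    }

    unsigned fetchCount(const std::string& url) const {
        auto it = m_fetchCount.find(url);
        return it == m_fetchCount.end() ? 0 : it->second;
    }

private:
    Fetcher m_fetcher;
    std::map<std::string, std::string> m_fetched;   // url -> source, successes only
    std::map<std::string, unsigned> m_fetchCount;   // how many real fetches per url
};

// Replays a sequence of <script type="module" src="./A.js"> tags, each with
// either a "good" or a "bad" integrity value, against one pipeline. Returns the
// per-tag outcomes ("ok"/"fail", comma separated) and the number of real fetches.
struct Replay { std::string outcomes; unsigned fetches; };

inline Replay replay(const std::vector<std::string>& order) {
    const std::string url = "./A.js";
    const std::string source = "export const a = 1;";   // constructed sample module
    ModulePipeline pipeline([&](const std::string& u, std::string& out) {
        if (u != url) return false;
        out = source;
        return true;
    });
    const std::string good = integrityOf(source);
    const std::string bad = "fnv1a-0000000000000000";
    std::string outcomes;
    for (std::size_t i = 0; i < order.size(); ++i) {
        FetchResult r = pipeline.requestFetch(url, order[i] == "good" ? good : bad);
        if (i) outcomes += ",";
        outcomes += r.ok ? "ok" : "fail";
    }
    return { outcomes, pipeline.fetchCount(url) };
}

} // namespace module_model
```

        Note the asymmetry the entry points out: once ./A.js is cached, a later tag with a wrong integrity
        value still succeeds, because the cache key is the URL alone. The integrity attribute therefore only
        guards the fetch that populates the cache; a mismatch on that first fetch is what triggers the retry.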
1592
1593 2017-11-09  Devin Rousso  <webkit@devinrousso.com>
1594
1595         Web Inspector: support undo/redo of insertAdjacentHTML
1596         https://bugs.webkit.org/show_bug.cgi?id=179283
1597
1598         Reviewed by Joseph Pecoraro.
1599
1600         * inspector/protocol/DOM.json:
1601         Add `insertAdjacentHTML` command that executes an undoable version of `insertAdjacentHTML`
1602         on the given node.
1603
1604 2017-11-09  Joseph Pecoraro  <pecoraro@apple.com>
1605
1606         Web Inspector: Make domain availability a list of types instead of a single type
1607         https://bugs.webkit.org/show_bug.cgi?id=179457
1608
1609         Reviewed by Brian Burg.
1610
1611         * inspector/scripts/codegen/generate_js_backend_commands.py:
1612         (JSBackendCommandsGenerator.generate_domain):
1613         Update output of `InspectorBackend.activateDomain` to include the list.
1614
1615         * inspector/scripts/codegen/models.py:
1616         (Protocol.parse_domain):
1617         Parse `availability` as a list and include a new supported value of "service-worker".
1618
1619         * inspector/protocol/ApplicationCache.json:
1620         * inspector/protocol/CSS.json:
1621         * inspector/protocol/Canvas.json:
1622         * inspector/protocol/DOM.json:
1623         * inspector/protocol/DOMDebugger.json:
1624         * inspector/protocol/DOMStorage.json:
1625         * inspector/protocol/Database.json:
1626         * inspector/protocol/IndexedDB.json:
1627         * inspector/protocol/LayerTree.json:
1628         * inspector/protocol/Memory.json:
1629         * inspector/protocol/Network.json:
1630         * inspector/protocol/Page.json:
1631         * inspector/protocol/Timeline.json:
1632         * inspector/protocol/Worker.json:
1633         Update `availability` to be a list.
1634
1635         * inspector/scripts/tests/generic/domain-availability.json:
1636         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1637         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-type.json-error: Added.
1638         * inspector/scripts/tests/generic/expected/fail-on-domain-availability-value.json-error: Added.
1639         * inspector/scripts/tests/generic/expected/fail-on-domain-availability.json-error:
1640         * inspector/scripts/tests/generic/fail-on-domain-availability-type.json: Copied from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1641         * inspector/scripts/tests/generic/fail-on-domain-availability-value.json: Renamed from Source/JavaScriptCore/inspector/scripts/tests/generic/fail-on-domain-availability.json.
1642         Update tests to include a test for the type and an invalid value.
1643
1644 2017-11-03  Yusuke Suzuki  <utatane.tea@gmail.com>
1645
1646         [JSC][JIT] Clean up SlowPathCall stubs
1647         https://bugs.webkit.org/show_bug.cgi?id=179247
1648
1649         Reviewed by Saam Barati.
1650
        We have a bunch of duplicate functions that just call a slow path function.
1652         This patch cleans up the above duplication.
1653
1654         * jit/JIT.cpp:
1655         (JSC::JIT::emitSlowCaseCall):
1656         (JSC::JIT::privateCompileSlowCases):
1657         * jit/JIT.h:
1658         * jit/JITArithmetic.cpp:
1659         (JSC::JIT::emitSlow_op_unsigned): Deleted.
1660         (JSC::JIT::emitSlow_op_inc): Deleted.
1661         (JSC::JIT::emitSlow_op_dec): Deleted.
1662         (JSC::JIT::emitSlow_op_bitand): Deleted.
1663         (JSC::JIT::emitSlow_op_bitor): Deleted.
1664         (JSC::JIT::emitSlow_op_bitxor): Deleted.
1665         (JSC::JIT::emitSlow_op_lshift): Deleted.
1666         (JSC::JIT::emitSlow_op_rshift): Deleted.
1667         (JSC::JIT::emitSlow_op_urshift): Deleted.
1668         (JSC::JIT::emitSlow_op_div): Deleted.
1669         * jit/JITArithmetic32_64.cpp:
1670         (JSC::JIT::emitSlow_op_unsigned): Deleted.
1671         (JSC::JIT::emitSlow_op_inc): Deleted.
1672         (JSC::JIT::emitSlow_op_dec): Deleted.
1673         * jit/JITOpcodes.cpp:
1674         (JSC::JIT::emitSlow_op_create_this): Deleted.
1675         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1676         (JSC::JIT::emitSlow_op_to_this): Deleted.
1677         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1678         (JSC::JIT::emitSlow_op_not): Deleted.
1679         (JSC::JIT::emitSlow_op_stricteq): Deleted.
1680         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1681         (JSC::JIT::emitSlow_op_to_number): Deleted.
1682         (JSC::JIT::emitSlow_op_to_string): Deleted.
1683         (JSC::JIT::emitSlow_op_to_object): Deleted.
1684         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1685         (JSC::JIT::emitSlow_op_has_structure_property): Deleted.
1686         * jit/JITOpcodes32_64.cpp:
1687         (JSC::JIT::emitSlow_op_to_primitive): Deleted.
1688         (JSC::JIT::emitSlow_op_not): Deleted.
1689         (JSC::JIT::emitSlow_op_stricteq): Deleted.
1690         (JSC::JIT::emitSlow_op_nstricteq): Deleted.
1691         (JSC::JIT::emitSlow_op_to_number): Deleted.
1692         (JSC::JIT::emitSlow_op_to_string): Deleted.
1693         (JSC::JIT::emitSlow_op_to_object): Deleted.
1694         (JSC::JIT::emitSlow_op_create_this): Deleted.
1695         (JSC::JIT::emitSlow_op_to_this): Deleted.
1696         (JSC::JIT::emitSlow_op_check_tdz): Deleted.
1697         (JSC::JIT::emitSlow_op_get_direct_pname): Deleted.
1698         * jit/JITPropertyAccess.cpp:
1699         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1700         * jit/JITPropertyAccess32_64.cpp:
1701         (JSC::JIT::emit_op_resolve_scope):
1702         (JSC::JIT::emitSlow_op_resolve_scope): Deleted.
1703         * jit/SlowPathCall.h:
1704         (JSC::JITSlowPathCall::JITSlowPathCall):
1705         * runtime/CommonSlowPaths.cpp:
1706         (JSC::SLOW_PATH_DECL):
1707         * runtime/CommonSlowPaths.h:
1708
1709 2017-11-09  Guillaume Emont  <guijemont@igalia.com>
1710
1711         [JSC][MIPS] Use fcsr to check the validity of the result of trunc.w.d
1712         https://bugs.webkit.org/show_bug.cgi?id=179446
1713
1714         Reviewed by Žan Doberšek.
1715
1716         The trunc.w.d mips instruction should give a 0x7fffffff result when
1717         the source value is Infinity, NaN, or rounds to an integer outside the
1718         range -2^31 to 2^31 -1. This is what branchTruncateDoubleToInt32() and
1719         branchTruncateDoubleToUInt32() have been relying on. It turns out that
1720         this assumption is not true on some CPUs, including on the ci20 on
        which we run the testbot (we get 0x80000000 instead). We should use the
        invalid operation cause bit instead to check whether the source value
1723         could be properly truncated. This requires the addition of the cfc1
1724         instruction, as well as the special registers that can be used with it
1725         (control registers of CP1).
1726
1727         * assembler/MIPSAssembler.h:
1728         (JSC::MIPSAssembler::firstSPRegister):
1729         (JSC::MIPSAssembler::lastSPRegister):
1730         (JSC::MIPSAssembler::numberOfSPRegisters):
1731         (JSC::MIPSAssembler::sprName):
1732         Added control registers of CP1.
1733         (JSC::MIPSAssembler::cfc1):
1734         Added.
1735         * assembler/MacroAssemblerMIPS.h:
1736         (JSC::MacroAssemblerMIPS::branchOnTruncateResult):
1737         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToInt32):
1738         (JSC::MacroAssemblerMIPS::branchTruncateDoubleToUint32):
1739         Use fcsr to check if the value could be properly truncated.
1740
1741 2017-11-08  Jeremy Jones  <jeremyj@apple.com>
1742
1743         HTMLMediaElement should not use element fullscreen on iOS
1744         https://bugs.webkit.org/show_bug.cgi?id=179418
1745         rdar://problem/35409277
1746
1747         Reviewed by Eric Carlson.
1748
1749         Add ENABLE_VIDEO_USES_ELEMENT_FULLSCREEN to determine if HTMLMediaElement should use element full screen or not.
1750
1751         * Configurations/FeatureDefines.xcconfig:
1752
1753 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1754
1755         Web Inspector: Show Internal properties of PaymentRequest in Web Inspector Console
1756         https://bugs.webkit.org/show_bug.cgi?id=179276
1757
1758         Reviewed by Andy Estes.
1759
1760         * inspector/InjectedScriptHost.h:
1761         * inspector/JSInjectedScriptHost.cpp:
1762         (Inspector::JSInjectedScriptHost::getInternalProperties):
1763         Call through to virtual implementation so that WebCore can provide custom
1764         internal properties for Web / DOM objects.
1765
1766 2017-11-08  Saam Barati  <sbarati@apple.com>
1767
1768         A JSFunction's ObjectAllocationProfile should watch the poly prototype watchpoint so it can clear its object allocation profile
1769         https://bugs.webkit.org/show_bug.cgi?id=177792
1770
1771         Reviewed by Yusuke Suzuki.
1772
1773         Before this patch, if a JSFunction's rare data initialized its allocation profile
1774         before its backing Executable's poly proto watchpoint was invalidated, that
1775         JSFunction would continue to allocate non-poly proto objects until its allocation
1776         profile was cleared (which essentially never happens in practice). This patch
1777         improves on this pathology. A JSFunction's rare data will now watch the poly
1778         proto watchpoint if it's still valid and clear its allocation profile when we
1779         detect that we should go poly proto.
1780
1781         * bytecode/ObjectAllocationProfile.h:
1782         * bytecode/ObjectAllocationProfileInlines.h:
1783         (JSC::ObjectAllocationProfile::initializeProfile):
1784         * runtime/FunctionRareData.cpp:
1785         (JSC::FunctionRareData::initializeObjectAllocationProfile):
1786         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::fireInternal):
1787         * runtime/FunctionRareData.h:
1788         (JSC::FunctionRareData::hasAllocationProfileClearingWatchpoint const):
1789         (JSC::FunctionRareData::createAllocationProfileClearingWatchpoint):
1790         (JSC::FunctionRareData::AllocationProfileClearingWatchpoint::AllocationProfileClearingWatchpoint):
1791
1792 2017-11-08  Keith Miller  <keith_miller@apple.com>
1793
1794         Add super sampler begin and end bytecodes.
1795         https://bugs.webkit.org/show_bug.cgi?id=179376
1796
1797         Reviewed by Filip Pizlo.
1798
1799         This patch adds a way to measure a narrow range of bytecodes for
1800         performance. This is done using the same infrastructure as the
1801         super sampler. I also added a class that helps do the bytecode
1802         checking with RAII. One problem with the current way this is done
1803         is that we don't handle decrementing early exits, either from
1804         branches or exceptions. So, when using this API users need to
1805         ensure that there are no early exits or that those exits don't
        occur in the measured code.
1807
1808         * JavaScriptCore.xcodeproj/project.pbxproj:
1809         * bytecode/BytecodeDumper.cpp:
1810         (JSC::BytecodeDumper<Block>::dumpBytecode):
1811         * bytecode/BytecodeList.json:
1812         * bytecode/BytecodeUseDef.h:
1813         (JSC::computeUsesForBytecodeOffset):
1814         (JSC::computeDefsForBytecodeOffset):
1815         * bytecompiler/BytecodeGenerator.cpp:
1816         (JSC::BytecodeGenerator::emitSuperSamplerBegin):
1817         (JSC::BytecodeGenerator::emitSuperSamplerEnd):
1818         * bytecompiler/BytecodeGenerator.h:
1819         * bytecompiler/SuperSamplerBytecodeScope.h: Added.
1820         (JSC::SuperSamplerBytecodeScope::SuperSamplerBytecodeScope):
1821         (JSC::SuperSamplerBytecodeScope::~SuperSamplerBytecodeScope):
1822         * dfg/DFGAbstractInterpreterInlines.h:
1823         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
1824         * dfg/DFGByteCodeParser.cpp:
1825         (JSC::DFG::ByteCodeParser::parseBlock):
1826         * dfg/DFGClobberize.h:
1827         (JSC::DFG::clobberize):
1828         * dfg/DFGClobbersExitState.cpp:
1829         (JSC::DFG::clobbersExitState):
1830         * dfg/DFGDoesGC.cpp:
1831         (JSC::DFG::doesGC):
1832         * dfg/DFGFixupPhase.cpp:
1833         (JSC::DFG::FixupPhase::fixupNode):
1834         * dfg/DFGMayExit.cpp:
1835         * dfg/DFGNodeType.h:
1836         * dfg/DFGPredictionPropagationPhase.cpp:
1837         * dfg/DFGSafeToExecute.h:
1838         (JSC::DFG::safeToExecute):
1839         * dfg/DFGSpeculativeJIT.cpp:
1840         * dfg/DFGSpeculativeJIT32_64.cpp:
1841         (JSC::DFG::SpeculativeJIT::compile):
1842         * dfg/DFGSpeculativeJIT64.cpp:
1843         (JSC::DFG::SpeculativeJIT::compile):
1844         * ftl/FTLCapabilities.cpp:
1845         (JSC::FTL::canCompile):
1846         * ftl/FTLLowerDFGToB3.cpp:
1847         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
1848         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerBegin):
1849         (JSC::FTL::DFG::LowerDFGToB3::compileSuperSamplerEnd):
1850         * jit/JIT.cpp:
1851         (JSC::JIT::privateCompileMainPass):
1852         * jit/JIT.h:
1853         * jit/JITOpcodes.cpp:
1854         (JSC::JIT::emit_op_super_sampler_begin):
1855         (JSC::JIT::emit_op_super_sampler_end):
1856         * llint/LLIntSlowPaths.cpp:
1857         (JSC::LLInt::LLINT_SLOW_PATH_DECL):
1858         * llint/LLIntSlowPaths.h:
1859         * llint/LowLevelInterpreter.asm:
1860
1861 2017-11-08  Robin Morisset  <rmorisset@apple.com>
1862
1863         Turn recursive tail calls into loops
1864         https://bugs.webkit.org/show_bug.cgi?id=176601
1865
1866         Reviewed by Saam Barati.
1867
1868         Relanding after https://bugs.webkit.org/show_bug.cgi?id=178834.
1869
1870         We want to turn recursive tail calls into loops early in the pipeline, so that the loops can then be optimized.
1871         One difficulty is that we need to split the entry block of the function we are jumping to in order to have somewhere to jump to.
1872         Worse: it is not necessarily the first block of the codeBlock, because of inlining! So we must do the splitting in the DFGByteCodeParser, at the same time as inlining.
1873         We do this part through modifying the computation of the jump targets.
1874         Importantly, we only do this splitting for functions that have tail calls.
        It is the only case where the optimisation is sound, and doing the splitting unconditionally destroys performance on Octane/raytrace.
1876
1877         We must then do the actual transformation also in DFGByteCodeParser, to avoid code motion moving code out of the body of what will become a loop.
1878         The transformation is entirely contained in handleRecursiveTailCall, which is hooked to the inlining machinery.
1879
1880         * bytecode/CodeBlock.h:
1881         (JSC::CodeBlock::hasTailCalls const):
1882         * bytecode/PreciseJumpTargets.cpp:
1883         (JSC::getJumpTargetsForBytecodeOffset):
1884         (JSC::computePreciseJumpTargetsInternal):
1885         * bytecode/UnlinkedCodeBlock.cpp:
1886         (JSC::UnlinkedCodeBlock::UnlinkedCodeBlock):
1887         * bytecode/UnlinkedCodeBlock.h:
1888         (JSC::UnlinkedCodeBlock::hasTailCalls const):
1889         (JSC::UnlinkedCodeBlock::setHasTailCalls):
1890         * bytecompiler/BytecodeGenerator.cpp:
1891         (JSC::BytecodeGenerator::emitEnter):
1892         (JSC::BytecodeGenerator::emitCallInTailPosition):
1893         * dfg/DFGByteCodeParser.cpp:
1894         (JSC::DFG::ByteCodeParser::allocateTargetableBlock):
1895         (JSC::DFG::ByteCodeParser::makeBlockTargetable):
1896         (JSC::DFG::ByteCodeParser::handleCall):
1897         (JSC::DFG::ByteCodeParser::handleRecursiveTailCall):
1898         (JSC::DFG::ByteCodeParser::parseBlock):
1899         (JSC::DFG::ByteCodeParser::parse):
1900
1901 2017-11-08  Joseph Pecoraro  <pecoraro@apple.com>
1902
1903         Web Inspector: Remove unused Page.ScriptIdentifier protocol type
1904         https://bugs.webkit.org/show_bug.cgi?id=179407
1905
1906         Reviewed by Matt Baker.
1907
1908         * inspector/protocol/Page.json:
1909         Remove unused protocol type.
1910
1911 2017-11-08  Carlos Garcia Campos  <cgarcia@igalia.com>
1912
1913         Web Inspector: use JSON::{Array,Object,Value} instead of Inspector{Array,Object,Value}
1914         https://bugs.webkit.org/show_bug.cgi?id=173619
1915
1916         Reviewed by Alex Christensen and Brian Burg.
1917
1918         Eventually all classes used for our JSON-RPC message passing should be outside
1919         of the Inspector namespace since the protocol is used outside of Inspector code.
        This will also allow us to unify the primitive JSON types with parametric types
1921         like Inspector::Protocol::Array<T> and other protocol-related types which don't
1922         need to be in the Inspector namespace.
1923
1924         Start this refactoring off by making JSON::Value a typedef for InspectorValue. In following
1925         patches, other clients will move to use JSON::Value and friends. When all uses are
1926         changed, the actual implementation will be renamed. This patch just focuses on the typedef
1927         and making changes in generated protocol code.
1928
1929         Original patch by Brian Burg, rebased and updated by me.
1930
1931         * inspector/InspectorValues.cpp:
1932         * inspector/InspectorValues.h:
1933         * inspector/scripts/codegen/cpp_generator.py:
1934         (CppGenerator.cpp_protocol_type_for_type):
1935         (CppGenerator.cpp_type_for_unchecked_formal_in_parameter):
1936         (CppGenerator.cpp_type_for_type_with_name):
1937         (CppGenerator.cpp_type_for_stack_in_parameter):
1938         * inspector/scripts/codegen/cpp_generator_templates.py:
1939         (void):
1940         * inspector/scripts/codegen/generate_cpp_protocol_types_header.py:
1941         (_generate_class_for_object_declaration):
1942         (_generate_forward_declarations_for_binding_traits):
1943         * inspector/scripts/codegen/generate_cpp_protocol_types_implementation.py:
1944         (CppProtocolTypesImplementationGenerator._generate_assertion_for_object_declaration):
1945         (CppProtocolTypesImplementationGenerator._generate_assertion_for_enum):
1946         * inspector/scripts/tests/all/expected/definitions-with-mac-platform.json-result:
1947         * inspector/scripts/tests/generic/expected/commands-with-async-attribute.json-result:
1948         * inspector/scripts/tests/generic/expected/commands-with-optional-call-return-parameters.json-result:
1949         * inspector/scripts/tests/generic/expected/domain-availability.json-result:
1950         * inspector/scripts/tests/generic/expected/domains-with-varying-command-sizes.json-result:
1951         * inspector/scripts/tests/generic/expected/enum-values.json-result:
1952         * inspector/scripts/tests/generic/expected/events-with-optional-parameters.json-result:
1953         * inspector/scripts/tests/generic/expected/generate-domains-with-feature-guards.json-result:
1954         * inspector/scripts/tests/generic/expected/shadowed-optional-type-setters.json-result:
1955         * inspector/scripts/tests/generic/expected/type-declaration-object-type.json-result:
1956         * inspector/scripts/tests/generic/expected/type-requiring-runtime-casts.json-result:
1957         * inspector/scripts/tests/generic/expected/type-with-open-parameters.json-result:
1958         * inspector/scripts/tests/generic/expected/worker-supported-domains.json-result:
1959         * inspector/scripts/tests/mac/expected/definitions-with-mac-platform.json-result:
1960
1961 2017-11-07  Maciej Stachowiak  <mjs@apple.com>
1962
1963         Get rid of unsightly hex numbers from unified build object files
1964         https://bugs.webkit.org/show_bug.cgi?id=179410
1965
1966         Reviewed by Saam Barati.
1967
1968         * JavaScriptCore.xcodeproj/project.pbxproj: Rename UnifiedSource*.mm to UnifiedSource*-mm.mm for more readable build output.
1969
1970 2017-11-07  Saam Barati  <sbarati@apple.com>
1971
1972         Only cage double butterfly accesses
1973         https://bugs.webkit.org/show_bug.cgi?id=179202
1974
1975         Reviewed by Mark Lam.
1976
1977         This patch removes caging from all butterfly accesses except double loads/stores.
1978         This is a performance vs security tradeoff. Double loads/stores are the only butterfly
1979         loads/stores that can write arbitrary bit patterns, so we choose to keep them safe
1980         by caging. The other load/stores we are no longer caging to get back performance on
1981         various benchmarks.
1982
1983         * bytecode/AccessCase.cpp:
1984         (JSC::AccessCase::generateImpl):
1985         * bytecode/InlineAccess.cpp:
1986         (JSC::InlineAccess::dumpCacheSizesAndCrash):
1987         (JSC::InlineAccess::generateSelfPropertyAccess):
1988         (JSC::InlineAccess::generateSelfPropertyReplace):
1989         (JSC::InlineAccess::generateArrayLength):
1990         * dfg/DFGFixedButterflyAccessUncagingPhase.cpp:
1991         * dfg/DFGSpeculativeJIT.cpp:
1992         (JSC::DFG::SpeculativeJIT::compileCreateRest):
1993         (JSC::DFG::SpeculativeJIT::compileSpread):
1994         (JSC::DFG::SpeculativeJIT::compileNewArrayWithSpread):
1995         * dfg/DFGSpeculativeJIT64.cpp:
1996         (JSC::DFG::SpeculativeJIT::compile):
1997         * ftl/FTLLowerDFGToB3.cpp:
1998         (JSC::FTL::DFG::LowerDFGToB3::compileGetDirectPname):
1999         * jit/JITPropertyAccess.cpp:
2000         (JSC::JIT::emitContiguousLoad):
2001         (JSC::JIT::emitArrayStorageLoad):
2002         (JSC::JIT::emitGenericContiguousPutByVal):
2003         (JSC::JIT::emitArrayStoragePutByVal):
2004         (JSC::JIT::emit_op_get_from_scope):
2005         (JSC::JIT::emit_op_put_to_scope):
2006         * llint/LowLevelInterpreter64.asm:
2007         * runtime/AuxiliaryBarrier.h:
2008         (JSC::AuxiliaryBarrier::operator-> const):
2009         * runtime/Butterfly.h:
2010         (JSC::Butterfly::caged):
2011         (JSC::Butterfly::contiguousDouble):
2012         * runtime/JSArray.cpp:
2013         (JSC::JSArray::setLength):
2014         (JSC::JSArray::pop):
2015         (JSC::JSArray::shiftCountWithAnyIndexingType):
2016         (JSC::JSArray::unshiftCountWithAnyIndexingType):
2017         (JSC::JSArray::fillArgList):
2018         (JSC::JSArray::copyToArguments):
2019         * runtime/JSArrayInlines.h:
2020         (JSC::JSArray::pushInline):
2021         * runtime/JSObject.cpp:
2022         (JSC::JSObject::heapSnapshot):
2023         (JSC::JSObject::createInitialIndexedStorage):
2024         (JSC::JSObject::createArrayStorage):
2025         (JSC::JSObject::convertUndecidedToInt32):
2026         (JSC::JSObject::ensureLengthSlow):
2027         (JSC::JSObject::reallocateAndShrinkButterfly):
2028         (JSC::JSObject::allocateMoreOutOfLineStorage):
2029         * runtime/JSObject.h:
2030         (JSC::JSObject::canGetIndexQuickly):
2031         (JSC::JSObject::getIndexQuickly):
2032         (JSC::JSObject::tryGetIndexQuickly const):
2033         (JSC::JSObject::canSetIndexQuickly):
2034         (JSC::JSObject::butterfly const):
2035         (JSC::JSObject::butterfly):
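
        As an added illustration of what "caging" buys for the double case described in this
        entry (this is example code written for this page, not code from the patch or from
        JavaScriptCore): a caged access masks the butterfly pointer down to an offset and
        re-anchors it on a fixed cage base, so even an attacker-corrupted pointer can only
        address memory inside the cage. A double store is the dangerous access kind because
        the value written is an arbitrary 64-bit pattern. The cage geometry (64 KiB plus a
        runway), the `Cage` struct and every function name below are assumptions for the demo.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

namespace cage_demo {

// Assumed geometry for this demo (not JSC's real Gigacage constants).
// kCageSize is a power of two, so (ptr & kCageMask) is always < kCageSize.
// The runway lets an 8-byte access at the top offset stay inside the allocation;
// a real design relies on a guard region for the same purpose.
constexpr std::size_t kCageSize = 64 * 1024;
constexpr std::size_t kRunway = 4096;
constexpr std::uintptr_t kCageMask = kCageSize - 1;

struct Cage {
    std::vector<std::uint8_t> storage;
    Cage() : storage(kCageSize + kRunway, 0) {}
    std::uint8_t* base() { return storage.data(); }
    bool contains(const void* p) const {
        const std::uint8_t* q = static_cast<const std::uint8_t*>(p);
        return q >= storage.data() && q < storage.data() + storage.size();
    }
};

// The caging step: keep only the low bits of any pointer (valid or forged) and
// re-anchor that offset on the cage base. The result can never point outside
// the cage, so a store through a corrupted pointer cannot reach other memory.
inline std::uint8_t* caged(Cage& cage, std::uintptr_t ptr)
{
    return cage.base() + (ptr & kCageMask);
}

// Caged double store into indexed storage: the stored value is an arbitrary
// 64-bit pattern, which is exactly why this access kind is kept caged.
inline void storeDoubleCaged(Cage& cage, std::uintptr_t butterfly, std::size_t index, double value)
{
    std::uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    std::uint8_t* slot = caged(cage, butterfly + index * sizeof bits);
    std::memcpy(slot, &bits, sizeof bits);
}

// Uncaged variant for comparison: trusts the pointer as-is.
inline void storeDoubleUncaged(std::uintptr_t butterfly, std::size_t index, double value)
{
    std::uint64_t bits;
    std::memcpy(&bits, &value, sizeof bits);
    std::memcpy(reinterpret_cast<void*>(butterfly + index * sizeof bits), &bits, sizeof bits);
}

// Constructed scenario: a victim word lives outside the cage and the attacker
// has forged a butterfly pointer aimed at it. Returns true when the caged store
// leaves the victim untouched and the write lands inside the cage instead.
inline bool cagedStoreCannotEscape()
{
    Cage cage;
    std::uint64_t victim = 0x1111111111111111ull;
    std::uintptr_t forged = reinterpret_cast<std::uintptr_t>(&victim);

    // Attacker-chosen bit pattern smuggled in as a double.
    std::uint64_t payloadBits = 0x4141414141414141ull;
    double payload;
    std::memcpy(&payload, &payloadBits, sizeof payload);

    storeDoubleCaged(cage, forged, 0, payload);

    std::uint8_t* landed = caged(cage, forged);
    std::uint64_t inCage;
    std::memcpy(&inCage, landed, sizeof inCage);
    return victim == 0x1111111111111111ull && cage.contains(landed) && inCage == payloadBits;
}

// Same forged pointer through the uncaged path: the victim is overwritten.
inline bool uncagedStoreEscapes()
{
    std::uint64_t victim = 0x1111111111111111ull;
    std::uint64_t payloadBits = 0x4141414141414141ull;
    double payload;
    std::memcpy(&payload, &payloadBits, sizeof payload);
    storeDoubleUncaged(reinterpret_cast<std::uintptr_t>(&victim), 0, payload);
    return victim == payloadBits;
}

} // namespace cage_demo
```

        The tradeoff the entry describes follows directly from this: the mask-and-rebase costs an
        extra instruction or two on every access, so it is paid only where the written value can
        be attacker-controlled bits (doubles), not on pointer-typed loads and stores.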
2036
2037 2017-11-07  Mark Lam  <mark.lam@apple.com>
2038
2039         Introduce a default RegisterSet constructor so that we can use { } notation.
2040         https://bugs.webkit.org/show_bug.cgi?id=179389
2041
2042         Reviewed by Saam Barati.
2043
2044         I also replaced uses of "RegisterSet()" with "{ }" where the use of "RegisterSet()"
2045         does not add any code documentation value.
2046
2047         * b3/air/AirAllocateRegistersAndStackByLinearScan.cpp:
2048         * b3/air/AirCode.cpp:
2049         (JSC::B3::Air::Code::setRegsInPriorityOrder):
2050         * b3/air/AirPrintSpecial.cpp:
2051         (JSC::B3::Air::PrintSpecial::extraEarlyClobberedRegs):
2052         (JSC::B3::Air::PrintSpecial::extraClobberedRegs):
2053         * b3/air/testair.cpp:
2054         * bytecode/PolymorphicAccess.h:
2055         (JSC::AccessGenerationState::preserveLiveRegistersToStackForCall):
2056         (JSC::AccessGenerationState::restoreLiveRegistersFromStackForCall):
2057         * dfg/DFGJITCode.cpp:
2058         (JSC::DFG::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2059         * ftl/FTLJITCode.cpp:
2060         (JSC::FTL::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2061         * jit/JITCode.cpp:
2062         (JSC::JITCode::liveRegistersToPreserveAtExceptionHandlingCallSite):
2063         * jit/RegisterSet.cpp:
2064         (JSC::RegisterSet::reservedHardwareRegisters):
2065         (JSC::RegisterSet::runtimeRegisters):
2066         (JSC::RegisterSet::macroScratchRegisters):
2067         * jit/RegisterSet.h:
2068         (JSC::RegisterSet::RegisterSet):
2069         * wasm/WasmB3IRGenerator.cpp:
2070         (JSC::Wasm::B3IRGenerator::emitTierUpCheck):
2071
2072 2017-11-07  Mark Lam  <mark.lam@apple.com>
2073
2074         AccessCase::generateImpl() should exclude the result register when restoring registers after a call.
2075         https://bugs.webkit.org/show_bug.cgi?id=179355
2076         <rdar://problem/35263053>
2077
2078         Reviewed by Saam Barati.
2079
2080         In the Transition case in AccessCase::generateImpl(), we were restoring registers
2081         using restoreLiveRegistersFromStackForCall() without excluding the scratchGPR
2082         where we previously stashed the reallocated butterfly.  If the generated code is
2083         under heavy register pressure, scratchGPR could have been from the set of preserved
2084         registers, and hence, would be restored by restoreLiveRegistersFromStackForCall().
2085         As a result, the restoration would trash the butterfly result we stored there.
2086         This patch fixes the issue by excluding the scratchGPR in the restoration.
2087
2088         * bytecode/AccessCase.cpp:
2089         (JSC::AccessCase::generateImpl):
2090
2091 2017-11-06  Robin Morisset  <rmorisset@apple.com>
2092
2093         CodeBlock::usesOpcode() is dead code
2094         https://bugs.webkit.org/show_bug.cgi?id=179316
2095
2096         Reviewed by Yusuke Suzuki.
2097
2098         Remove CodeBlock::usesOpcode which is dead code
2099
2100         * bytecode/CodeBlock.cpp:
2101         * bytecode/CodeBlock.h:
2102
2103 2017-11-05  Yusuke Suzuki  <utatane.tea@gmail.com>
2104
2105         JIT call inline caches should cache calls to objects with getCallData/getConstructData traps
2106         https://bugs.webkit.org/show_bug.cgi?id=144458
2107
2108         Reviewed by Saam Barati.
2109
        Previously only JSFunction was handled by CallLinkInfo's caching mechanism. This means that
        InternalFunction calls are not cached and they always go to the slow path. This is not good because
2112
2113         1. We need to query getCallData/getConstructData every time in the slow path.
2114         2. CallLinkInfo tells nothing in the higher tier JITs.
2115
        This patch starts handling InternalFunction in CallLinkInfo's caching mechanism. We change InternalFunction
        to hold pointers to the functions for call and construct. We have new stubs that can call/construct
        InternalFunction. And we return this code pointer as the result of the setup call to use the CallLinkInfo mechanism.
2119
        This patch is critical to optimizing derived Array construction[1] since it starts using CallLinkInfo
        for InternalFunction. Previously we did not record any information in CallLinkInfo. Except for the
        case where DFGByteCodeParser figures out an InternalFunction constant, we cannot attempt to emit DFG
        nodes for these InternalFunctions since CallLinkInfo tells us nothing.
2124
2125         Attached microbenchmarks show performance improvement.
2126
2127                                                            baseline                  patched
2128
2129         dfg-internal-function-construct                 1.6439+-0.0826     ^      1.2829+-0.0727        ^ definitely 1.2813x faster
2130         dfg-internal-function-not-handled-construct     2.1862+-0.1361            2.0696+-0.1201          might be 1.0564x faster
2131         dfg-internal-function-not-handled-call         20.7592+-0.9085           19.7369+-0.7921          might be 1.0518x faster
2132         dfg-internal-function-call                      1.6856+-0.0967     ^      1.2771+-0.0744        ^ definitely 1.3198x faster
2133
2134         [1]: https://bugs.webkit.org/show_bug.cgi?id=178064
2135
2136         * API/JSCallbackFunction.cpp:
2137         (JSC::JSCallbackFunction::JSCallbackFunction):
2138         (JSC::JSCallbackFunction::getCallData): Deleted.
2139         * API/JSCallbackFunction.h:
2140         (JSC::JSCallbackFunction::createStructure):
2141         * API/ObjCCallbackFunction.h:
2142         (JSC::ObjCCallbackFunction::createStructure):
2143         * API/ObjCCallbackFunction.mm:
2144         (JSC::ObjCCallbackFunction::ObjCCallbackFunction):
2145         (JSC::ObjCCallbackFunction::getCallData): Deleted.
2146         (JSC::ObjCCallbackFunction::getConstructData): Deleted.
2147         * bytecode/BytecodeDumper.cpp:
2148         (JSC::BytecodeDumper<Block>::printCallOp):
2149         * bytecode/BytecodeList.json:
2150         * bytecode/CallLinkInfo.cpp:
2151         (JSC::CallLinkInfo::setCallee):
2152         (JSC::CallLinkInfo::callee):
2153         (JSC::CallLinkInfo::setLastSeenCallee):
2154         (JSC::CallLinkInfo::lastSeenCallee):
2155         (JSC::CallLinkInfo::visitWeak):
2156         * bytecode/CallLinkInfo.h:
2157         * bytecode/CallLinkStatus.cpp:
2158         (JSC::CallLinkStatus::computeFromCallLinkInfo):
2159         * bytecode/LLIntCallLinkInfo.h:
2160         * jit/JITOperations.cpp:
2161         * jit/JITThunks.cpp:
2162         (JSC::JITThunks::ctiInternalFunctionCall):
2163         (JSC::JITThunks::ctiInternalFunctionConstruct):
2164         * jit/JITThunks.h:
2165         * jit/Repatch.cpp:
2166         (JSC::linkFor):
2167         (JSC::linkPolymorphicCall):
2168         * jit/Repatch.h:
2169         * jit/ThunkGenerators.cpp:
2170         (JSC::virtualThunkFor):
2171         (JSC::nativeForGenerator):
2172         (JSC::nativeCallGenerator):
2173         (JSC::nativeTailCallGenerator):
2174         (JSC::nativeTailCallWithoutSavedTagsGenerator):
2175         (JSC::nativeConstructGenerator):
2176         (JSC::internalFunctionCallGenerator):
2177         (JSC::internalFunctionConstructGenerator):
2178         * jit/ThunkGenerators.h:
2179         * llint/LLIntSlowPaths.cpp:
2180         (JSC::LLInt::setUpCall):
2181         * llint/LowLevelInterpreter.asm:
2182         * llint/LowLevelInterpreter32_64.asm:
2183         * llint/LowLevelInterpreter64.asm:
2184         * runtime/ArrayConstructor.cpp:
2185         (JSC::ArrayConstructor::ArrayConstructor):
2186         (JSC::ArrayConstructor::getConstructData): Deleted.
2187         (JSC::ArrayConstructor::getCallData): Deleted.
2188         * runtime/ArrayConstructor.h:
2189         (JSC::ArrayConstructor::createStructure):
2190         * runtime/AsyncFunctionConstructor.cpp:
2191         (JSC::AsyncFunctionConstructor::AsyncFunctionConstructor):
2192         (JSC::AsyncFunctionConstructor::finishCreation):
2193         (JSC::AsyncFunctionConstructor::getCallData): Deleted.
2194         (JSC::AsyncFunctionConstructor::getConstructData): Deleted.
2195         * runtime/AsyncFunctionConstructor.h:
2196         (JSC::AsyncFunctionConstructor::createStructure):
2197         * runtime/AsyncGeneratorFunctionConstructor.cpp:
2198         (JSC::AsyncGeneratorFunctionConstructor::AsyncGeneratorFunctionConstructor):
2199         (JSC::AsyncGeneratorFunctionConstructor::finishCreation):
2200         (JSC::AsyncGeneratorFunctionConstructor::getCallData): Deleted.
2201         (JSC::AsyncGeneratorFunctionConstructor::getConstructData): Deleted.
2202         * runtime/AsyncGeneratorFunctionConstructor.h:
2203         (JSC::AsyncGeneratorFunctionConstructor::createStructure):
2204         * runtime/BooleanConstructor.cpp:
2205         (JSC::callBooleanConstructor):
2206         (JSC::BooleanConstructor::BooleanConstructor):
2207         (JSC::BooleanConstructor::finishCreation):
2208         (JSC::BooleanConstructor::getConstructData): Deleted.
2209         (JSC::BooleanConstructor::getCallData): Deleted.
2210         * runtime/BooleanConstructor.h:
2211         (JSC::BooleanConstructor::createStructure):
2212         * runtime/DateConstructor.cpp:
2213         (JSC::DateConstructor::DateConstructor):
2214         (JSC::DateConstructor::getConstructData): Deleted.
2215         (JSC::DateConstructor::getCallData): Deleted.
2216         * runtime/DateConstructor.h:
2217         (JSC::DateConstructor::createStructure):
2218         * runtime/Error.h:
2219         (JSC::StrictModeTypeErrorFunction::StrictModeTypeErrorFunction):
2220         (JSC::StrictModeTypeErrorFunction::createStructure):
2221         (JSC::StrictModeTypeErrorFunction::getConstructData): Deleted.
2222         (JSC::StrictModeTypeErrorFunction::getCallData): Deleted.
2223         * runtime/ErrorConstructor.cpp:
2224         (JSC::ErrorConstructor::ErrorConstructor):
2225         (JSC::ErrorConstructor::getConstructData): Deleted.
2226         (JSC::ErrorConstructor::getCallData): Deleted.
2227         * runtime/ErrorConstructor.h:
2228         (JSC::ErrorConstructor::createStructure):
2229         * runtime/FunctionConstructor.cpp:
2230         (JSC::FunctionConstructor::FunctionConstructor):
2231         (JSC::FunctionConstructor::finishCreation):
2232         (JSC::FunctionConstructor::getConstructData): Deleted.
2233         (JSC::FunctionConstructor::getCallData): Deleted.
2234         * runtime/FunctionConstructor.h:
2235         (JSC::FunctionConstructor::createStructure):
2236         * runtime/FunctionPrototype.cpp:
2237         (JSC::callFunctionPrototype):
2238         (JSC::FunctionPrototype::FunctionPrototype):
2239         (JSC::FunctionPrototype::getCallData): Deleted.
2240         * runtime/FunctionPrototype.h:
2241         (JSC::FunctionPrototype::createStructure):
2242         * runtime/GeneratorFunctionConstructor.cpp:
2243         (JSC::GeneratorFunctionConstructor::GeneratorFunctionConstructor):
2244         (JSC::GeneratorFunctionConstructor::finishCreation):
2245         (JSC::GeneratorFunctionConstructor::getCallData): Deleted.
2246         (JSC::GeneratorFunctionConstructor::getConstructData): Deleted.
2247         * runtime/GeneratorFunctionConstructor.h:
2248         (JSC::GeneratorFunctionConstructor::createStructure):
2249         * runtime/InternalFunction.cpp:
2250         (JSC::InternalFunction::InternalFunction):
2251         (JSC::InternalFunction::finishCreation):
2252         (JSC::InternalFunction::getCallData):
2253         (JSC::InternalFunction::getConstructData):
2254         * runtime/InternalFunction.h:
2255         (JSC::InternalFunction::createStructure):
2256         (JSC::InternalFunction::nativeFunctionFor):
2257         (JSC::InternalFunction::offsetOfNativeFunctionFor):
2258         * runtime/IntlCollatorConstructor.cpp:
2259         (JSC::IntlCollatorConstructor::createStructure):
2260         (JSC::IntlCollatorConstructor::IntlCollatorConstructor):
2261         (JSC::IntlCollatorConstructor::getConstructData): Deleted.
2262         (JSC::IntlCollatorConstructor::getCallData): Deleted.
2263         * runtime/IntlCollatorConstructor.h:
2264         * runtime/IntlDateTimeFormatConstructor.cpp:
2265         (JSC::IntlDateTimeFormatConstructor::createStructure):
2266         (JSC::IntlDateTimeFormatConstructor::IntlDateTimeFormatConstructor):
2267         (JSC::IntlDateTimeFormatConstructor::getConstructData): Deleted.
2268         (JSC::IntlDateTimeFormatConstructor::getCallData): Deleted.
2269         * runtime/IntlDateTimeFormatConstructor.h:
2270         * runtime/IntlNumberFormatConstructor.cpp:
2271         (JSC::IntlNumberFormatConstructor::createStructure):
2272         (JSC::IntlNumberFormatConstructor::IntlNumberFormatConstructor):
2273         (JSC::IntlNumberFormatConstructor::getConstructData): Deleted.
2274         (JSC::IntlNumberFormatConstructor::getCallData): Deleted.
2275         * runtime/IntlNumberFormatConstructor.h:
2276         * runtime/JSArrayBufferConstructor.cpp:
2277         (JSC::JSArrayBufferConstructor::JSArrayBufferConstructor):
2278         (JSC::JSArrayBufferConstructor::createStructure):
2279         (JSC::JSArrayBufferConstructor::getConstructData): Deleted.
2280         (JSC::JSArrayBufferConstructor::getCallData): Deleted.
2281         * runtime/JSArrayBufferConstructor.h:
2282         * runtime/JSGenericTypedArrayViewConstructor.h:
2283         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2284         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::JSGenericTypedArrayViewConstructor):
2285         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::createStructure):
2286         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getConstructData): Deleted.
2287         (JSC::JSGenericTypedArrayViewConstructor<ViewClass>::getCallData): Deleted.
2288         * runtime/JSInternalPromiseConstructor.cpp:
2289         (JSC::JSInternalPromiseConstructor::createStructure):
2290         (JSC::JSInternalPromiseConstructor::JSInternalPromiseConstructor):
2291         (JSC::JSInternalPromiseConstructor::getConstructData): Deleted.
2292         (JSC::JSInternalPromiseConstructor::getCallData): Deleted.
2293         * runtime/JSInternalPromiseConstructor.h:
2294         * runtime/JSPromiseConstructor.cpp:
2295         (JSC::JSPromiseConstructor::createStructure):
2296         (JSC::JSPromiseConstructor::JSPromiseConstructor):
2297         (JSC::JSPromiseConstructor::getConstructData): Deleted.
2298         (JSC::JSPromiseConstructor::getCallData): Deleted.
2299         * runtime/JSPromiseConstructor.h:
2300         * runtime/JSType.h:
2301         * runtime/JSTypedArrayViewConstructor.cpp:
2302         (JSC::JSTypedArrayViewConstructor::JSTypedArrayViewConstructor):
2303         (JSC::JSTypedArrayViewConstructor::createStructure):
2304         (JSC::JSTypedArrayViewConstructor::getConstructData): Deleted.
2305         (JSC::JSTypedArrayViewConstructor::getCallData): Deleted.
2306         * runtime/JSTypedArrayViewConstructor.h:
2307         * runtime/MapConstructor.cpp:
2308         (JSC::MapConstructor::MapConstructor):
2309         (JSC::MapConstructor::getConstructData): Deleted.
2310         (JSC::MapConstructor::getCallData): Deleted.
2311         * runtime/MapConstructor.h:
2312         (JSC::MapConstructor::createStructure):
2313         (JSC::MapConstructor::MapConstructor): Deleted.
2314         * runtime/NativeErrorConstructor.cpp:
2315         (JSC::NativeErrorConstructor::NativeErrorConstructor):
2316         (JSC::NativeErrorConstructor::getConstructData): Deleted.
2317         (JSC::NativeErrorConstructor::getCallData): Deleted.
2318         * runtime/NativeErrorConstructor.h:
2319         (JSC::NativeErrorConstructor::createStructure):
2320         * runtime/NullGetterFunction.cpp:
2321         (JSC::NullGetterFunction::NullGetterFunction):
2322         (JSC::NullGetterFunction::getCallData): Deleted.
2323         (JSC::NullGetterFunction::getConstructData): Deleted.
2324         * runtime/NullGetterFunction.h:
2325         (JSC::NullGetterFunction::createStructure):
2326         (JSC::NullGetterFunction::NullGetterFunction): Deleted.
2327         * runtime/NullSetterFunction.cpp:
2328         (JSC::NullSetterFunction::NullSetterFunction):
2329         (JSC::NullSetterFunction::getCallData): Deleted.
2330         (JSC::NullSetterFunction::getConstructData): Deleted.
2331         * runtime/NullSetterFunction.h:
2332         (JSC::NullSetterFunction::createStructure):
2333         (JSC::NullSetterFunction::NullSetterFunction): Deleted.
2334         * runtime/NumberConstructor.cpp:
2335         (JSC::NumberConstructor::NumberConstructor):
2336         (JSC::constructNumberConstructor):
2337         (JSC::constructWithNumberConstructor): Deleted.
2338         (JSC::NumberConstructor::getConstructData): Deleted.
2339         (JSC::NumberConstructor::getCallData): Deleted.
2340         * runtime/NumberConstructor.h:
2341         (JSC::NumberConstructor::createStructure):
2342         * runtime/ObjectConstructor.cpp:
2343         (JSC::ObjectConstructor::ObjectConstructor):
2344         (JSC::ObjectConstructor::getConstructData): Deleted.
2345         (JSC::ObjectConstructor::getCallData): Deleted.
2346         * runtime/ObjectConstructor.h:
2347         (JSC::ObjectConstructor::createStructure):
2348         * runtime/ProxyConstructor.cpp:
2349         (JSC::ProxyConstructor::ProxyConstructor):
2350         (JSC::ProxyConstructor::getConstructData): Deleted.
2351         (JSC::ProxyConstructor::getCallData): Deleted.
2352         * runtime/ProxyConstructor.h:
2353         (JSC::ProxyConstructor::createStructure):
2354         * runtime/ProxyRevoke.cpp:
2355         (JSC::ProxyRevoke::ProxyRevoke):
2356         (JSC::ProxyRevoke::getCallData): Deleted.
2357         * runtime/ProxyRevoke.h:
2358         (JSC::ProxyRevoke::createStructure):
2359         * runtime/RegExpConstructor.cpp:
2360         (JSC::RegExpConstructor::RegExpConstructor):
2361         (JSC::RegExpConstructor::getConstructData): Deleted.
2362         (JSC::RegExpConstructor::getCallData): Deleted.
2363         * runtime/RegExpConstructor.h:
2364         (JSC::RegExpConstructor::createStructure):
2365         * runtime/SetConstructor.cpp:
2366         (JSC::SetConstructor::SetConstructor):
2367         (JSC::SetConstructor::getConstructData): Deleted.
2368         (JSC::SetConstructor::getCallData): Deleted.
2369         * runtime/SetConstructor.h:
2370         (JSC::SetConstructor::createStructure):
2371         (JSC::SetConstructor::SetConstructor): Deleted.
2372         * runtime/StringConstructor.cpp:
2373         (JSC::StringConstructor::StringConstructor):
2374         (JSC::StringConstructor::getConstructData): Deleted.
2375         (JSC::StringConstructor::getCallData): Deleted.
2376         * runtime/StringConstructor.h:
2377         (JSC::StringConstructor::createStructure):
2378         * runtime/SymbolConstructor.cpp:
2379         (JSC::SymbolConstructor::SymbolConstructor):
2380         (JSC::SymbolConstructor::getConstructData): Deleted.
2381         (JSC::SymbolConstructor::getCallData): Deleted.
2382         * runtime/SymbolConstructor.h:
2383         (JSC::SymbolConstructor::createStructure):
2384         * runtime/VM.cpp:
2385         (JSC::VM::VM):
2386         (JSC::VM::getCTIInternalFunctionTrampolineFor):
2387         * runtime/VM.h:
2388         * runtime/WeakMapConstructor.cpp:
2389         (JSC::WeakMapConstructor::WeakMapConstructor):
2390         (JSC::WeakMapConstructor::getConstructData): Deleted.
2391         (JSC::WeakMapConstructor::getCallData): Deleted.
2392         * runtime/WeakMapConstructor.h:
2393         (JSC::WeakMapConstructor::createStructure):
2394         (JSC::WeakMapConstructor::WeakMapConstructor): Deleted.
2395         * runtime/WeakSetConstructor.cpp:
2396         (JSC::WeakSetConstructor::WeakSetConstructor):
2397         (JSC::WeakSetConstructor::getConstructData): Deleted.
2398         (JSC::WeakSetConstructor::getCallData): Deleted.
2399         * runtime/WeakSetConstructor.h:
2400         (JSC::WeakSetConstructor::createStructure):
2401         (JSC::WeakSetConstructor::WeakSetConstructor): Deleted.
2402         * wasm/js/WebAssemblyCompileErrorConstructor.cpp:
2403         (JSC::WebAssemblyCompileErrorConstructor::createStructure):
2404         (JSC::WebAssemblyCompileErrorConstructor::WebAssemblyCompileErrorConstructor):
2405         (JSC::WebAssemblyCompileErrorConstructor::getConstructData): Deleted.
2406         (JSC::WebAssemblyCompileErrorConstructor::getCallData): Deleted.
2407         * wasm/js/WebAssemblyCompileErrorConstructor.h:
2408         * wasm/js/WebAssemblyInstanceConstructor.cpp:
2409         (JSC::WebAssemblyInstanceConstructor::createStructure):
2410         (JSC::WebAssemblyInstanceConstructor::WebAssemblyInstanceConstructor):
2411         (JSC::WebAssemblyInstanceConstructor::getConstructData): Deleted.
2412         (JSC::WebAssemblyInstanceConstructor::getCallData): Deleted.
2413         * wasm/js/WebAssemblyInstanceConstructor.h:
2414         * wasm/js/WebAssemblyLinkErrorConstructor.cpp:
2415         (JSC::WebAssemblyLinkErrorConstructor::createStructure):
2416         (JSC::WebAssemblyLinkErrorConstructor::WebAssemblyLinkErrorConstructor):
2417         (JSC::WebAssemblyLinkErrorConstructor::getConstructData): Deleted.
2418         (JSC::WebAssemblyLinkErrorConstructor::getCallData): Deleted.
2419         * wasm/js/WebAssemblyLinkErrorConstructor.h:
2420         * wasm/js/WebAssemblyMemoryConstructor.cpp:
2421         (JSC::WebAssemblyMemoryConstructor::createStructure):
2422         (JSC::WebAssemblyMemoryConstructor::WebAssemblyMemoryConstructor):
2423         (JSC::WebAssemblyMemoryConstructor::getConstructData): Deleted.
2424         (JSC::WebAssemblyMemoryConstructor::getCallData): Deleted.
2425         * wasm/js/WebAssemblyMemoryConstructor.h:
2426         * wasm/js/WebAssemblyModuleConstructor.cpp:
2427         (JSC::WebAssemblyModuleConstructor::createStructure):
2428         (JSC::WebAssemblyModuleConstructor::WebAssemblyModuleConstructor):
2429         (JSC::WebAssemblyModuleConstructor::getConstructData): Deleted.
2430         (JSC::WebAssemblyModuleConstructor::getCallData): Deleted.
2431         * wasm/js/WebAssemblyModuleConstructor.h:
2432         * wasm/js/WebAssemblyRuntimeErrorConstructor.cpp:
2433         (JSC::WebAssemblyRuntimeErrorConstructor::createStructure):
2434         (JSC::WebAssemblyRuntimeErrorConstructor::WebAssemblyRuntimeErrorConstructor):
2435         (JSC::WebAssemblyRuntimeErrorConstructor::getConstructData): Deleted.
2436         (JSC::WebAssemblyRuntimeErrorConstructor::getCallData): Deleted.
2437         * wasm/js/WebAssemblyRuntimeErrorConstructor.h:
2438         * wasm/js/WebAssemblyTableConstructor.cpp:
2439         (JSC::WebAssemblyTableConstructor::createStructure):
2440         (JSC::WebAssemblyTableConstructor::WebAssemblyTableConstructor):
2441         (JSC::WebAssemblyTableConstructor::getConstructData): Deleted.
2442         (JSC::WebAssemblyTableConstructor::getCallData): Deleted.
2443         * wasm/js/WebAssemblyTableConstructor.h:
2444
2445 2017-11-03  Michael Saboff  <msaboff@apple.com>
2446
2447         The Abstract Interpreter needs to change similar to clobberize() in r224366
2448         https://bugs.webkit.org/show_bug.cgi?id=179267
2449
2450         Reviewed by Saam Barati.
2451
2452         Add clobberWorld() to HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
2453         cases in the abstract interpreter to match what was done for r224366.
2454
2455         * dfg/DFGAbstractInterpreterInlines.h:
2456         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2457
2458 2017-11-03  Keith Miller  <keith_miller@apple.com>
2459
        PutPropertySlot should inform the IC about the property before effects.
2461         https://bugs.webkit.org/show_bug.cgi?id=179262
2462
2463         Reviewed by Mark Lam.
2464
2465         This patch fixes an issue where we choose to cache setters based on
2466         incorrect information. If we did so we might end up OSR exiting
2467         more than we would otherwise need to. The new model is that the
2468         PutPropertySlot should inform the IC of what the property looked
2469         like before any potential side effects might have occurred.
2470
2471         * runtime/JSObject.cpp:
2472         (JSC::JSObject::putInlineSlow):
2473         * runtime/Lookup.h:
2474         (JSC::putEntry):
2475
2476 2017-11-03  Mark Lam  <mark.lam@apple.com>
2477
2478         CachedCall (and its clients) needs overflow checks.
2479         https://bugs.webkit.org/show_bug.cgi?id=179185
2480
2481         Reviewed by JF Bastien.
2482
2483         * interpreter/CachedCall.h:
2484         (JSC::CachedCall::CachedCall):
2485         (JSC::CachedCall::hasOverflowedArguments):
2486         * runtime/ArgList.h:
2487         (JSC::MarkedArgumentBuffer::clear):
2488         * runtime/StringPrototype.cpp:
2489         (JSC::replaceUsingRegExpSearch):
2490
2491 2017-11-03  Devin Rousso  <webkit@devinrousso.com>
2492
2493         Web Inspector: Canvas2D Profiling: highlight expensive context commands in the captured command log
2494         https://bugs.webkit.org/show_bug.cgi?id=178302
2495         <rdar://problem/33158849>
2496
2497         Reviewed by Brian Burg.
2498
2499         * inspector/protocol/Recording.json:
2500         Add `duration` to each Frame that represents the total time of all the recorded actions.
2501
2502 2017-11-02  Devin Rousso  <webkit@devinrousso.com>
2503
2504         Web Inspector: Canvas Tab: show supported GL extensions for selected canvas
2505         https://bugs.webkit.org/show_bug.cgi?id=179070
2506         <rdar://problem/35278276>
2507
2508         Reviewed by Brian Burg.
2509
2510         * inspector/protocol/Canvas.json:
2511         Add `extensionEnabled` event that is fired each time `getExtension` is called with a
2512         different string on a WebGL context.
2513
2514 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
2515
2516         Make ServiceWorker a Remote Inspector debuggable target
2517         https://bugs.webkit.org/show_bug.cgi?id=179043
2518         <rdar://problem/34126008>
2519
2520         Reviewed by Brian Burg.
2521
2522         * inspector/remote/RemoteControllableTarget.h:
2523         * inspector/remote/RemoteInspectionTarget.h:
2524         * inspector/remote/RemoteInspectorConstants.h:
2525         Include a new ServiceWorker remote inspector target type.
2526
2527         * inspector/remote/cocoa/RemoteInspectorCocoa.mm:
2528         (Inspector::RemoteInspector::listingForInspectionTarget const):
2529         Implement listing for a ServiceWorker to include a URL like a page.
2530
2531         * inspector/remote/glib/RemoteInspectorGlib.cpp:
2532         (Inspector::RemoteInspector::listingForInspectionTarget const):
2533         Bail for ServiceWorker support in glib. They will need to implement their support.
2534
2535 2017-11-02  Michael Saboff  <msaboff@apple.com>
2536
2537         DFG needs to handle code motion of code in for..in loop bodies
2538         https://bugs.webkit.org/show_bug.cgi?id=179212
2539
2540         Reviewed by Keith Miller.
2541
        The processing of the DFG nodes HasGenericProperty, HasStructureProperty & GetPropertyEnumerator
        makes calls with side effects.  Updated clobberize() for those nodes to take that into account.
2544
2545         * dfg/DFGClobberize.h:
2546         (JSC::DFG::clobberize):
2547
2548 2017-11-02  Joseph Pecoraro  <pecoraro@apple.com>
2549
2550         Inspector should display service worker served responses properly
2551         https://bugs.webkit.org/show_bug.cgi?id=178597
2552         <rdar://problem/35186111>
2553
2554         Reviewed by Brian Burg.
2555
2556         * inspector/protocol/Network.json:
2557         Expose a new "service-worker" response source.
2558
2559 2017-11-02  Filip Pizlo  <fpizlo@apple.com>
2560
2561         AI does not correctly model the clobber case of ArithClz32
2562         https://bugs.webkit.org/show_bug.cgi?id=179188
2563
2564         Reviewed by Michael Saboff.
2565
2566         The non-Int32 case clobbers the world because it may call valueOf.
2567
2568         * dfg/DFGAbstractInterpreterInlines.h:
2569         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2570
2571 2017-11-02  Yusuke Suzuki  <utatane.tea@gmail.com>
2572
2573         Unreviewed, release throw scope
2574         https://bugs.webkit.org/show_bug.cgi?id=178726
2575
2576         * dfg/DFGOperations.cpp:
2577
2578 2017-11-02  Frederic Wang  <fwang@igalia.com>
2579
2580         Add references to bug 179167 in FIXME comments
2581         https://bugs.webkit.org/show_bug.cgi?id=179168
2582
2583         Reviewed by Daniel Bates.
2584
2585         * Configurations/FeatureDefines.xcconfig:
2586
2587 2017-11-01  Jeremy Jones  <jeremyj@apple.com>
2588
2589         Implement WKFullscreenWindowController for iOS.
2590         https://bugs.webkit.org/show_bug.cgi?id=178924
2591         rdar://problem/34697120
2592
2593         Reviewed by Simon Fraser.
2594
2595         Enable ENABLE_FULLSCREEN_API for iOS.
2596
2597         * Configurations/FeatureDefines.xcconfig:
2598
2599 2017-11-01  Mark Lam  <mark.lam@apple.com>
2600
2601         Add support to throw OOM if MarkedArgumentBuffer may overflow.
2602         https://bugs.webkit.org/show_bug.cgi?id=179092
2603         <rdar://problem/35116160>
2604
2605         Reviewed by Saam Barati.
2606
2607         The test for overflowing a MarkedArgumentBuffer will run for a ridiculously long
2608         time, which renders it unsuitable for automated tests.  Instead, I've run a
2609         test manually to verify that an OutOfMemoryError will be thrown when an overflow
2610         occurs.
2611
2612         The MarkedArgumentBuffer's destructor will now assert that the client has indeed
2613         checked for an overflow after invoking methods that may result in an overflow, i.e.
2614         the destructor checks that MarkedArgumentBuffer::hasOverflowed() has been called.
2615         This is only done on debug builds.
2616
2617         * API/JSObjectRef.cpp:
2618         (JSObjectMakeFunction):
2619         (JSObjectMakeArray):
2620         (JSObjectMakeDate):
2621         (JSObjectMakeRegExp):
2622         (JSObjectCallAsFunction):
2623         (JSObjectCallAsConstructor):
2624         * dfg/DFGOperations.cpp:
2625         * inspector/InjectedScriptManager.cpp:
2626         (Inspector::InjectedScriptManager::createInjectedScript):
2627         * inspector/JSJavaScriptCallFrame.cpp:
2628         (Inspector::JSJavaScriptCallFrame::scopeChain const):
2629         * interpreter/Interpreter.cpp:
2630         (JSC::Interpreter::executeProgram):
2631         * jsc.cpp:
2632         (functionDollarAgentReceiveBroadcast):
2633         * runtime/ArgList.cpp:
2634         (JSC::MarkedArgumentBuffer::slowEnsureCapacity):
2635         (JSC::MarkedArgumentBuffer::expandCapacity):
2636         (JSC::MarkedArgumentBuffer::slowAppend):
2637         * runtime/ArgList.h:
2638         (JSC::MarkedArgumentBuffer::~MarkedArgumentBuffer):
2639         (JSC::MarkedArgumentBuffer::appendWithAction):
2640         (JSC::MarkedArgumentBuffer::append):
2641         (JSC::MarkedArgumentBuffer::appendWithCrashOnOverflow):
2642         (JSC::MarkedArgumentBuffer::hasOverflowed):
2643         (JSC::MarkedArgumentBuffer::setNeedsOverflowCheck):
2644         (JSC::MarkedArgumentBuffer::clearNeedsOverflowCheck):
2645         * runtime/ArrayPrototype.cpp:
2646         * runtime/CommonSlowPaths.cpp:
2647         (JSC::SLOW_PATH_DECL):
2648         * runtime/GetterSetter.cpp:
2649         (JSC::callSetter):
2650         * runtime/IteratorOperations.cpp:
2651         (JSC::iteratorNext):
2652         (JSC::iteratorClose):
2653         * runtime/JSBoundFunction.cpp:
2654         (JSC::boundThisNoArgsFunctionCall):
2655         (JSC::boundFunctionCall):
2656         (JSC::boundThisNoArgsFunctionConstruct):
2657         (JSC::boundFunctionConstruct):
2658         * runtime/JSGenericTypedArrayViewConstructorInlines.h:
2659         (JSC::constructGenericTypedArrayViewFromIterator):
2660         * runtime/JSGenericTypedArrayViewPrototypeFunctions.h:
2661         (JSC::genericTypedArrayViewProtoFuncSlice):
2662         (JSC::genericTypedArrayViewPrivateFuncSubarrayCreate):
2663         * runtime/JSGlobalObject.cpp:
2664         (JSC::JSGlobalObject::haveABadTime):
2665         * runtime/JSInternalPromise.cpp:
2666         (JSC::JSInternalPromise::then):
2667         * runtime/JSJob.cpp:
2668         (JSC::JSJobMicrotask::run):
2669         * runtime/JSMapIterator.cpp:
2670         (JSC::JSMapIterator::createPair):
2671         * runtime/JSModuleLoader.cpp:
2672         (JSC::JSModuleLoader::provideFetch):
2673         (JSC::JSModuleLoader::loadAndEvaluateModule):
2674         (JSC::JSModuleLoader::loadModule):
2675         (JSC::JSModuleLoader::linkAndEvaluateModule):
2676         (JSC::JSModuleLoader::requestImportModule):
2677         * runtime/JSONObject.cpp:
2678         (JSC::Stringifier::toJSONImpl):
2679         (JSC::Stringifier::appendStringifiedValue):
2680         (JSC::Walker::callReviver):
2681         * runtime/JSObject.cpp:
2682         (JSC::ordinarySetSlow):
2683         (JSC::callToPrimitiveFunction):
2684         (JSC::JSObject::hasInstance):
2685         * runtime/JSPromise.cpp:
2686         (JSC::JSPromise::initialize):
2687         (JSC::JSPromise::resolve):
2688         * runtime/JSPromiseDeferred.cpp:
2689         (JSC::newPromiseCapability):
2690         (JSC::callFunction):
2691         * runtime/JSSetIterator.cpp:
2692         (JSC::JSSetIterator::createPair):
2693         * runtime/LiteralParser.cpp:
2694         (JSC::LiteralParser<CharType>::parse):
2695         * runtime/MapConstructor.cpp:
2696         (JSC::constructMap):
2697         * runtime/ObjectConstructor.cpp:
2698         (JSC::defineProperties):
2699         * runtime/ProxyObject.cpp:
2700         (JSC::performProxyGet):
2701         (JSC::ProxyObject::performInternalMethodGetOwnProperty):
2702         (JSC::ProxyObject::performHasProperty):
2703         (JSC::ProxyObject::performPut):
2704         (JSC::performProxyCall):
2705         (JSC::performProxyConstruct):
2706         (JSC::ProxyObject::performDelete):
2707         (JSC::ProxyObject::performPreventExtensions):
2708         (JSC::ProxyObject::performIsExtensible):
2709         (JSC::ProxyObject::performDefineOwnProperty):
2710         (JSC::ProxyObject::performGetOwnPropertyNames):
2711         (JSC::ProxyObject::performSetPrototype):
2712         (JSC::ProxyObject::performGetPrototype):
2713         * runtime/ReflectObject.cpp:
2714         (JSC::reflectObjectConstruct):
2715         * runtime/SetConstructor.cpp:
2716         (JSC::constructSet):
2717         * runtime/StringPrototype.cpp:
2718         (JSC::replaceUsingRegExpSearch):
2719         (JSC::replaceUsingStringSearch):
2720         * runtime/WeakMapConstructor.cpp:
2721         (JSC::constructWeakMap):
2722         * runtime/WeakSetConstructor.cpp:
2723         (JSC::constructWeakSet):
2724         * wasm/js/WasmToJS.cpp:
2725         (JSC::Wasm::wasmToJS):
2726
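The overflow contract described in the entry above, as an added C++ illustration that is not part of this ChangeLog and shares no code with JSC's MarkedArgumentBuffer: a hypothetical CheckedArgumentBuffer whose append path stops growing at a constructed limit and records the overflow, and whose destructor asserts (debug builds only) that the client called hasOverflowed(). buildArgumentsOrFail shows the call-site shape, bailing where the engine would throw an OutOfMemoryError instead of calling with a truncated argument list. All names and the capacity limit are assumptions.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical CheckedArgumentBuffer (not JSC's MarkedArgumentBuffer):
// a growable argument list that refuses to grow past a limit, flags the
// overflow, and forces the caller to look at that flag.
class CheckedArgumentBuffer {
public:
    // The limit is a constructed parameter for this example; a real engine
    // derives it from the largest argument count it can address safely.
    explicit CheckedArgumentBuffer(size_t capacityLimit)
        : m_limit(capacityLimit) { }

    ~CheckedArgumentBuffer()
    {
        // Debug-only contract: any client that appended must have asked
        // hasOverflowed() before the buffer goes away, so an overflow can
        // never be silently ignored. Compiled out under NDEBUG.
        assert(!m_needsOverflowCheck && "hasOverflowed() was never called");
    }

    void append(uint64_t value)
    {
        m_needsOverflowCheck = true;
        if (m_overflowed)
            return; // once overflowed, further appends are dropped
        if (m_values.size() >= m_limit) {
            m_overflowed = true; // do not grow past the limit
            return;
        }
        m_values.push_back(value);
    }

    bool hasOverflowed()
    {
        m_needsOverflowCheck = false; // the client has now checked
        return m_overflowed;
    }

    size_t size() const { return m_values.size(); }

private:
    std::vector<uint64_t> m_values;
    size_t m_limit;
    bool m_overflowed = false;
    bool m_needsOverflowCheck = false;
};

// A call site in the style the entry describes: build the argument list,
// then check for overflow before using it. Returns the number of arguments
// that would be passed, or -1 on overflow (where the engine would throw an
// OutOfMemoryError rather than proceed with a partial list).
long buildArgumentsOrFail(size_t wanted, size_t limit)
{
    CheckedArgumentBuffer args(limit);
    for (size_t i = 0; i < wanted; ++i)
        args.append(static_cast<uint64_t>(i));
    if (args.hasOverflowed()) // the mandatory check
        return -1;
    return static_cast<long>(args.size());
}
```

The destructor assertion is what turns a forgotten check into a debug-build failure instead of a silent truncation; release builds keep only the overflow flag and the caller's check.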
2727 2017-11-01  Michael Saboff  <msaboff@apple.com>
2728
2729         Integer overflow in code generated by LoadVarargs processing in DFG and FTL.
2730         https://bugs.webkit.org/show_bug.cgi?id=179140
2731
2732         Reviewed by Saam Barati.
2733
2734         Added overflow checks to computation of arg count plus this.
2735
2736         * dfg/DFGSpeculativeJIT32_64.cpp:
2737         (JSC::DFG::SpeculativeJIT::compile):
2738         * dfg/DFGSpeculativeJIT64.cpp:
2739         (JSC::DFG::SpeculativeJIT::compile):
2740         * ftl/FTLLowerDFGToB3.cpp:
2741         (JSC::FTL::DFG::LowerDFGToB3::compileLoadVarargs):
2742
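The overflow check the entry above adds, as an added C++ illustration that is not JSC code: checked 32-bit add and multiply helpers, and varargsFrameBytes, which computes the argument count plus `this` and the byte size those slots occupy, failing rather than wrapping. Function names and the 8-byte slot size are assumptions.

```cpp
#include <cstdint>
#include <limits>

// Sum of two unsigned 32-bit values, or false if the sum would wrap.
bool checkedAddU32(uint32_t a, uint32_t b, uint32_t& out)
{
    if (a > std::numeric_limits<uint32_t>::max() - b)
        return false;
    out = a + b;
    return true;
}

// Product of two unsigned 32-bit values, or false if it would wrap.
bool checkedMulU32(uint32_t a, uint32_t b, uint32_t& out)
{
    if (a != 0 && b > std::numeric_limits<uint32_t>::max() / a)
        return false;
    out = a * b;
    return true;
}

// Given the length of a spread/varargs array, compute the number of call
// slots (arguments plus `this`) and their size in bytes. Returns the byte
// size, or -1 when either step would wrap a uint32_t; an unchecked version
// of this arithmetic would hand the JIT a tiny frame size for a huge count.
int64_t varargsFrameBytes(uint32_t argumentCount)
{
    constexpr uint32_t slotSize = 8; // constructed slot size for the example
    uint32_t slots = 0;
    uint32_t bytes = 0;
    if (!checkedAddU32(argumentCount, 1, slots))
        return -1;
    if (!checkedMulU32(slots, slotSize, bytes))
        return -1;
    return bytes;
}
```

Both checks are performed before any of the results is used as a size or loop bound; the point of the entry is that the addition alone can wrap, so the check has to sit on the "plus this" step and not only on the later multiply.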
2743 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2744
2745         Unreviewed, use weakPointer instead of FTLOutput::weakPointer
2746         https://bugs.webkit.org/show_bug.cgi?id=178934
2747
2748         * ftl/FTLLowerDFGToB3.cpp:
2749         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2750
2751 2017-11-01  Yusuke Suzuki  <utatane.tea@gmail.com>
2752
2753         [JSC] Introduce @toObject
2754         https://bugs.webkit.org/show_bug.cgi?id=178726
2755
2756         Reviewed by Saam Barati.
2757
2758         This patch introduces the @toObject intrinsic, and we introduce the op_to_object bytecode and the DFG ToObject node.
2759         Previously we emulated @toObject behavior in builtin JS, but it consumes much bytecode size while @toObject
2760         is frequently seen and clearly defined in the spec. Furthermore, the emulated @toObject always calls
2761         ObjectConstructor in LLInt and Baseline.
2762
2763         We add a new intrinsic `@toObject(target, "error message")`. It takes an error message string constant to
2764         offer understandable messages in builtin JS. We can change the frequently seen "emulated ToObject" operation
2765
2766             if (this === @undefined || this === null)
2767                 @throwTypeError("error message");
2768             var object = @Object(this);
2769
2770         with
2771
2772             var object = @toObject(this, "error message");
2773
2774         And we handle op_to_object in DFG as ToObject node. While CallObjectConstructor does not throw an error for null/undefined,
2775         ToObject needs to throw an error for null/undefined. So it is marked as MustGenerate and it clobbers the world.
2776         In fixup phase, we attempt to convert ToObject to CallObjectConstructor with edge filters to relax its side effect.
2777
2778         It also fixes a bug that CallObjectConstructor DFG node uses Node's semantic GlobalObject instead of function's one.
2779
2780         * builtins/ArrayConstructor.js:
2781         (from):
2782         * builtins/ArrayPrototype.js:
2783         (values):
2784         (keys):
2785         (entries):
2786         (reduce):
2787         (reduceRight):
2788         (every):
2789         (forEach):
2790         (filter):
2791         (map):
2792         (some):
2793         (fill):
2794         (find):
2795         (findIndex):
2796         (includes):
2797         (sort):
2798         (globalPrivate.concatSlowPath):
2799         (copyWithin):
2800         * builtins/DatePrototype.js:
2801         (toLocaleString.toDateTimeOptionsAnyAll):
2802         (toLocaleString):
2803         (toLocaleDateString.toDateTimeOptionsDateDate):
2804         (toLocaleDateString):
2805         (toLocaleTimeString.toDateTimeOptionsTimeTime):
2806         (toLocaleTimeString):
2807         * builtins/GlobalOperations.js:
2808         (globalPrivate.copyDataProperties):
2809         (globalPrivate.copyDataPropertiesNoExclusions):
2810         * builtins/ObjectConstructor.js:
2811         (entries):
2812         * builtins/StringConstructor.js:
2813         (raw):
2814         * builtins/TypedArrayConstructor.js:
2815         (from):
2816         * builtins/TypedArrayPrototype.js:
2817         (map):
2818         (filter):
2819         * bytecode/BytecodeDumper.cpp:
2820         (JSC::BytecodeDumper<Block>::dumpBytecode):
2821         * bytecode/BytecodeIntrinsicRegistry.h:
2822         * bytecode/BytecodeList.json:
2823         * bytecode/BytecodeUseDef.h:
2824         (JSC::computeUsesForBytecodeOffset):
2825         (JSC::computeDefsForBytecodeOffset):
2826         * bytecode/CodeBlock.cpp:
2827         (JSC::CodeBlock::finishCreation):
2828         * bytecompiler/BytecodeGenerator.cpp:
2829         (JSC::BytecodeGenerator::emitToObject):
2830         * bytecompiler/BytecodeGenerator.h:
2831         * bytecompiler/NodesCodegen.cpp:
2832         (JSC::BytecodeIntrinsicNode::emit_intrinsic_toObject):
2833         * dfg/DFGAbstractInterpreterInlines.h:
2834         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2835         * dfg/DFGByteCodeParser.cpp:
2836         (JSC::DFG::ByteCodeParser::handleConstantInternalFunction):
2837         (JSC::DFG::ByteCodeParser::parseBlock):
2838         * dfg/DFGCapabilities.cpp:
2839         (JSC::DFG::capabilityLevel):
2840         * dfg/DFGClobberize.h:
2841         (JSC::DFG::clobberize):
2842         * dfg/DFGDoesGC.cpp:
2843         (JSC::DFG::doesGC):
2844         * dfg/DFGFixupPhase.cpp:
2845         (JSC::DFG::FixupPhase::fixupNode):
2846         (JSC::DFG::FixupPhase::fixupToObject):
2847         (JSC::DFG::FixupPhase::fixupCallObjectConstructor):
2848         * dfg/DFGNode.h:
2849         (JSC::DFG::Node::convertToCallObjectConstructor):
2850         (JSC::DFG::Node::convertToNewStringObject):
2851         (JSC::DFG::Node::convertToNewObject):
2852         (JSC::DFG::Node::hasIdentifier):
2853         (JSC::DFG::Node::hasHeapPrediction):
2854         (JSC::DFG::Node::hasCellOperand):
2855         * dfg/DFGNodeType.h:
2856         * dfg/DFGOperations.cpp:
2857         * dfg/DFGOperations.h:
2858         * dfg/DFGPredictionPropagationPhase.cpp:
2859         * dfg/DFGSafeToExecute.h:
2860         (JSC::DFG::safeToExecute):
2861         * dfg/DFGSpeculativeJIT.cpp:
2862         (JSC::DFG::SpeculativeJIT::compileToObjectOrCallObjectConstructor):
2863         (JSC::DFG::SpeculativeJIT::compileCallObjectConstructor): Deleted.
2864         * dfg/DFGSpeculativeJIT.h:
2865         (JSC::DFG::SpeculativeJIT::callOperation):
2866         * dfg/DFGSpeculativeJIT32_64.cpp:
2867         (JSC::DFG::SpeculativeJIT::compile):
2868         * dfg/DFGSpeculativeJIT64.cpp:
2869         (JSC::DFG::SpeculativeJIT::compile):
2870         * ftl/FTLCapabilities.cpp:
2871         (JSC::FTL::canCompile):
2872         * ftl/FTLLowerDFGToB3.cpp:
2873         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2874         (JSC::FTL::DFG::LowerDFGToB3::compileToObjectOrCallObjectConstructor):
2875         (JSC::FTL::DFG::LowerDFGToB3::compileCallObjectConstructor): Deleted.
2876         * jit/JIT.cpp:
2877         (JSC::JIT::privateCompileMainPass):
2878         (JSC::JIT::privateCompileSlowCases):
2879         * jit/JIT.h:
2880         * jit/JITOpcodes.cpp:
2881         (JSC::JIT::emit_op_to_object):
2882         (JSC::JIT::emitSlow_op_to_object):
2883         * jit/JITOpcodes32_64.cpp:
2884         (JSC::JIT::emit_op_to_object):
2885         (JSC::JIT::emitSlow_op_to_object):
2886         * jit/JITOperations.cpp:
2887         * jit/JITOperations.h:
2888         * llint/LowLevelInterpreter32_64.asm:
2889         * llint/LowLevelInterpreter64.asm:
2890         * runtime/CommonSlowPaths.cpp:
2891         (JSC::SLOW_PATH_DECL):
2892         * runtime/CommonSlowPaths.h:
2893
2894 2017-11-01  Fujii Hironori  <Hironori.Fujii@sony.com>
2895
2896         Use LazyNeverDestroyed instead of DEFINE_GLOBAL
2897         https://bugs.webkit.org/show_bug.cgi?id=174979
2898
2899         Reviewed by Yusuke Suzuki.
2900
2901         * config.h: Removed definitions of SKIP_STATIC_CONSTRUCTORS_ON_MSVC and SKIP_STATIC_CONSTRUCTORS_ON_GCC.
2902
2903 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
2904
2905         [DFG][FTL] Introduce StringSlice
2906         https://bugs.webkit.org/show_bug.cgi?id=178934
2907
2908         Reviewed by Saam Barati.
2909
2910         String.prototype.slice is one of the most frequently called functions in ARES-6/Babylon.
2911         This patch introduces StringSlice DFG node to optimize it in DFG and FTL.
2912
2913         This patch's StringSlice node optimizes the following things.
2914
2915         1. Empty string generation is accelerated. It is fully executed inline.
2916         2. One char string generation is accelerated. `< 0x100` character is supported right now.
2917         It is the same as the charAt acceleration.
2918         3. We calculate start and end index in DFG/FTL with Int32Use information and call optimized
2919         operation.
2920
2921         We do not inline (3)'s operation right now since we do not have a way to call bmalloc allocation from DFG / FTL.
2922         And we do not optimize String.prototype.{substring,substr} right now. But they can be optimized based on this change
2923         in subsequent changes.
2924
2925         This patch improves ARES-6/Babylon performance by 3% in steady state.
2926
2927         Baseline:
2928             Running... Babylon ( 1  to go)
2929             firstIteration:     50.05 +- 13.68 ms
2930             averageWorstCase:   16.80 +- 1.27 ms
2931             steadyState:        7.53 +- 0.22 ms
2932
2933         Patched:
2934             Running... Babylon ( 1  to go)
2935             firstIteration:     50.91 +- 13.41 ms
2936             averageWorstCase:   16.12 +- 0.99 ms
2937             steadyState:        7.30 +- 0.29 ms
2938
2939         * dfg/DFGAbstractInterpreterInlines.h:
2940         (JSC::DFG::AbstractInterpreter<AbstractStateType>::executeEffects):
2941         * dfg/DFGBackwardsPropagationPhase.cpp:
2942         (JSC::DFG::BackwardsPropagationPhase::propagate):
2943         * dfg/DFGByteCodeParser.cpp:
2944         (JSC::DFG::ByteCodeParser::handleIntrinsicCall):
2945         * dfg/DFGClobberize.h:
2946         (JSC::DFG::clobberize):
2947         * dfg/DFGDoesGC.cpp:
2948         (JSC::DFG::doesGC):
2949         * dfg/DFGFixupPhase.cpp:
2950         (JSC::DFG::FixupPhase::fixupNode):
2951         * dfg/DFGNodeType.h:
2952         * dfg/DFGOperations.cpp:
2953         * dfg/DFGOperations.h:
2954         * dfg/DFGPredictionPropagationPhase.cpp:
2955         * dfg/DFGSafeToExecute.h:
2956         (JSC::DFG::safeToExecute):
2957         * dfg/DFGSpeculativeJIT.cpp:
2958         (JSC::DFG::SpeculativeJIT::compileStringSlice):
2959         (JSC::DFG::SpeculativeJIT::emitPopulateSliceIndex):
2960         (JSC::DFG::SpeculativeJIT::compileArraySlice):
2961         (JSC::DFG::SpeculativeJIT::compileArrayIndexOf):
2962         * dfg/DFGSpeculativeJIT.h:
2963         (JSC::DFG::SpeculativeJIT::callOperation):
2964         * dfg/DFGSpeculativeJIT32_64.cpp:
2965         (JSC::DFG::SpeculativeJIT::compile):
2966         * dfg/DFGSpeculativeJIT64.cpp:
2967         (JSC::DFG::SpeculativeJIT::compile):
2968         * ftl/FTLCapabilities.cpp:
2969         (JSC::FTL::canCompile):
2970         * ftl/FTLLowerDFGToB3.cpp:
2971         (JSC::FTL::DFG::LowerDFGToB3::compileNode):
2972         (JSC::FTL::DFG::LowerDFGToB3::populateSliceRange):
2973         (JSC::FTL::DFG::LowerDFGToB3::compileArraySlice):
2974         (JSC::FTL::DFG::LowerDFGToB3::compileStringSlice):
2975         * jit/JITOperations.h:
2976         * runtime/Intrinsic.cpp:
2977         (JSC::intrinsicName):
2978         * runtime/Intrinsic.h:
2979         * runtime/StringPrototype.cpp:
2980         (JSC::StringPrototype::finishCreation):
2981
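The start/end index computation the entry above mentions (item 3), as an added C++ illustration that is not JSC's StringSlice node: sliceRange applies String.prototype.slice's clamping of negative and out-of-range indices in 64-bit arithmetic and reports which of the three result shapes the entry lists (empty, single character, general substring) applies; sliceString runs it over an ASCII std::string. Names are assumptions, and it also handles the edge cases the entry does not spell out (start past end, indices beyond the length, absent end argument).

```cpp
#include <cstdint>
#include <string>

enum class SliceShape { Empty, SingleChar, General };

// Clamp one relative index: negative values count from the end, and both
// directions clamp to [0, length]. 64-bit arithmetic keeps length + index
// from wrapping for any 32-bit index.
static int64_t clampSliceIndex(int64_t index, int64_t length)
{
    if (index < 0) {
        int64_t fromEnd = length + index;
        return fromEnd < 0 ? 0 : fromEnd;
    }
    return index > length ? length : index;
}

// Compute the [from, to) range for `str.slice(start, end)`; `endGiven`
// is false when the end argument is absent (end defaults to length).
// Returns which fast path a JIT would take for the result.
SliceShape sliceRange(int64_t length, int64_t start, int64_t end, bool endGiven,
                      int64_t& from, int64_t& to)
{
    from = clampSliceIndex(start, length);
    to = endGiven ? clampSliceIndex(end, length) : length;
    if (from >= to) {
        from = to = 0;          // start at or past end: empty string
        return SliceShape::Empty;
    }
    if (to - from == 1)
        return SliceShape::SingleChar;
    return SliceShape::General;
}

// End-to-end wrapper over an ASCII std::string so the range logic can be
// exercised without an engine.
std::string sliceString(const std::string& s, int64_t start, int64_t end, bool endGiven)
{
    int64_t from = 0;
    int64_t to = 0;
    SliceShape shape = sliceRange(static_cast<int64_t>(s.size()), start, end, endGiven, from, to);
    if (shape == SliceShape::Empty)
        return std::string();
    return s.substr(static_cast<size_t>(from), static_cast<size_t>(to - from));
}
```

The clamping happens before any memory is touched, which is the property that lets a fast path skip the general operation call for the empty and single-character shapes without ever reading outside the source string.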
2982 2017-10-31  JF Bastien  <jfbastien@apple.com>
2983
2984         WebAssembly: Wasm::IndexOrName has a raw pointer to Name
2985         https://bugs.webkit.org/show_bug.cgi?id=176644
2986
2987         Reviewed by Michael Saboff.
2988
2989         IndexOrName now keeps a RefPtr to its original NameSection, which
2990         holds the Name (or references nullptr if Index). Holding onto the
2991         entire section seems like the better thing to do, since backtraces
2992         probably contain multiple names from the same Module.
2993
2994         * JavaScriptCore.xcodeproj/project.pbxproj:
2995         * interpreter/Interpreter.cpp:
2996         (JSC::GetStackTraceFunctor::operator() const):
2997         * interpreter/StackVisitor.h: Frame is no longer POD because of the
2998         RefPtr.
2999         * runtime/StackFrame.cpp:
3000         (JSC::StackFrame::StackFrame):
3001         * runtime/StackFrame.h: Drop the union, size is now 40 bytes.
3002         (JSC::StackFrame::StackFrame): Deleted. Initialized in class instead.
3003         (JSC::StackFrame::wasm): Deleted. Make it a ctor instead.
3004         * wasm/WasmBBQPlanInlines.h:
3005         (JSC::Wasm::BBQPlan::initializeCallees):
3006         * wasm/WasmCallee.cpp:
3007         (JSC::Wasm::Callee::Callee):
3008         * wasm/WasmCallee.h:
3009         (JSC::Wasm::Callee::create):
3010         * wasm/WasmFormat.h: Move NameSection to its own header.
3011         (JSC::Wasm::isValidNameType):
3012         (JSC::Wasm::NameSection::get): Deleted.
3013         * wasm/WasmIndexOrName.cpp:
3014         (JSC::Wasm::IndexOrName::IndexOrName):
3015         (JSC::Wasm::makeString):
3016         * wasm/WasmIndexOrName.h:
3017         (JSC::Wasm::IndexOrName::IndexOrName):
3018         (JSC::Wasm::IndexOrName::isEmpty const):
3019         (JSC::Wasm::IndexOrName::isIndex const):
3020         * wasm/WasmModuleInformation.cpp:
3021         (JSC::Wasm::ModuleInformation::ModuleInformation):
3022         * wasm/WasmModuleInformation.h:
3023         (JSC::Wasm::ModuleInformation::ModuleInformation): Deleted.
3024         * wasm/WasmNameSection.h:
3025         (JSC::Wasm::NameSection::get):
3026         (JSC::Wasm::NameSection::create): Deleted.
3027         * wasm/WasmNameSectionParser.cpp:
3028         (JSC::Wasm::NameSectionParser::parse):
3029         * wasm/WasmNameSectionParser.h:
3030         * wasm/WasmOMGPlan.cpp:
3031         (JSC::Wasm::OMGPlan::work):
3032
3033 2017-10-31  Tim Horton  <timothy_horton@apple.com>
3034
3035         Clean up some drag and drop feature flags
3036         https://bugs.webkit.org/show_bug.cgi?id=179082
3037
3038         Reviewed by Simon Fraser.
3039
3040         * Configurations/FeatureDefines.xcconfig:
3041
3042 2017-10-31  Commit Queue  <commit-queue@webkit.org>
3043
3044         Unreviewed, rolling out r224243, r224246, and r224248.
3045         https://bugs.webkit.org/show_bug.cgi?id=179083
3046
3047         The patch and fix broke the Windows build. (Requested by
3048         mlewis13 on #webkit).
3049
3050         Reverted changesets:
3051
3052         "StructureStubInfo should have GPRReg members not int8_ts"
3053         https://bugs.webkit.org/show_bug.cgi?id=179071
3054         https://trac.webkit.org/changeset/224243
3055
3056         "Make all register enums be backed by uint8_t."
3057         https://bugs.webkit.org/show_bug.cgi?id=179074
3058         https://trac.webkit.org/changeset/224246
3059
3060         "Unreviewed, windows build fix."
3061         https://trac.webkit.org/changeset/224248
3062
3063 2017-10-31  Tim Horton  <timothy_horton@apple.com>
3064
3065         Fix up some content filtering feature flags
3066         https://bugs.webkit.org/show_bug.cgi?id=179079
3067
3068         Reviewed by Simon Fraser.
3069
3070         * Configurations/FeatureDefines.xcconfig:
3071
3072 2017-10-31  Keith Miller  <keith_miller@apple.com>
3073
3074         Unreviewed, windows build fix.
3075
3076         * assembler/X86Assembler.h:
3077         (JSC::X86Assembler::numberOfRegisters):
3078         (JSC::X86Assembler::numberOfSPRegisters):
3079         (JSC::X86Assembler::numberOfFPRegisters):
3080
3081 2017-10-31  Keith Miller  <keith_miller@apple.com>
3082
3083         Make all register enums be backed by uint8_t.
3084         https://bugs.webkit.org/show_bug.cgi?id=179074
3085
3086         Reviewed by Mark Lam.
3087
3088         * assembler/ARM64Assembler.h:
3089         * assembler/ARMAssembler.h:
3090         * assembler/ARMv7Assembler.h:
3091         * assembler/MIPSAssembler.h:
3092         * assembler/MacroAssembler.h:
3093         * assembler/X86Assembler.h:
3094
3095 2017-10-31  Keith Miller  <keith_miller@apple.com>
3096
3097         StructureStubInfo should have GPRReg members not int8_ts
3098         https://bugs.webkit.org/show_bug.cgi?id=179071
3099
3100         Reviewed by Michael Saboff.
3101
3102         This patch makes the various RegisterID enums be backed by
3103         uint8_t. This means that we can remove the old int8_t members in
3104         StructureStubInfo and replace them with the correct enum types.
3105
3106         Also, this fixes an indentation issue in ARMv7Assembler.h.
3107
3108         * assembler/ARM64Assembler.h:
3109         * assembler/ARMAssembler.h:
3110         * assembler/ARMv7Assembler.h:
3111         (JSC::ARMRegisters::asSingle):
3112         (JSC::ARMRegisters::asDouble):
3113         * assembler/MIPSAssembler.h:
3114         * assembler/X86Assembler.h:
3115         * bytecode/InlineAccess.cpp:
3116         (JSC::InlineAccess::generateSelfPropertyAccess):
3117         (JSC::getScratchRegister):
3118         * bytecode/PolymorphicAccess.cpp:
3119         (JSC::PolymorphicAccess::regenerate):
3120         * bytecode/StructureStubInfo.h:
3121         (JSC::StructureStubInfo::valueRegs const):
3122         * dfg/DFGSpeculativeJIT.cpp:
3123         (JSC::DFG::SpeculativeJIT::compileIn):
3124         * ftl/FTLLowerDFGToB3.cpp:
3125         (JSC::FTL::DFG::LowerDFGToB3::compileIn):
3126         * jit/JITInlineCacheGenerator.cpp:
3127         (JSC::JITByIdGenerator::JITByIdGenerator):
3128         (JSC::JITGetByIdWithThisGenerator::JITGetByIdWithThisGenerator):
3129
3130 2017-10-31  Devin Rousso  <webkit@devinrousso.com>
3131
3132         Web Inspector: make ScriptCallStack::maxCallStackSizeToCapture the default value when capturing backtraces
3133         https://bugs.webkit.org/show_bug.cgi?id=179048
3134
3135         Reviewed by Mark Lam.
3136
3137         * inspector/ScriptCallStackFactory.h:
3138         * inspector/ScriptCallStackFactory.cpp:
3139         (createScriptCallStack):
3140         (createScriptCallStackForConsole):
3141         (createScriptCallStackFromException):
3142
3143         * inspector/ConsoleMessage.cpp:
3144         (Inspector::ConsoleMessage::autogenerateMetadata):
3145         * inspector/JSGlobalObjectInspectorController.cpp:
3146         (Inspector::JSGlobalObjectInspectorController::reportAPIException):
3147         * inspector/agents/InspectorConsoleAgent.cpp:
3148         (Inspector::InspectorConsoleAgent::count):
3149         * inspector/agents/JSGlobalObjectDebuggerAgent.cpp:
3150         (Inspector::JSGlobalObjectDebuggerAgent::breakpointActionLog):
3151
3152 2017-10-31  Carlos Garcia Campos  <cgarcia@igalia.com>
3153
3154         Unreviewed. Fix GTK+ make distcheck.
3155
3156         Ensure DERIVED_SOURCES_JAVASCRIPTCORE_DIR/yarr is created before scripts generating files there are run.
3157
3158         * CMakeLists.txt:
3159
3160 2017-10-30  Saam Barati  <sbarati@apple.com>
3161
3162         We need a storeStoreFence before storing to the instruction stream's live variable catch data
3163         https://bugs.webkit.org/show_bug.cgi?id=178649
3164
3165         Reviewed by Keith Miller.
3166
3167         * bytecode/CodeBlock.cpp:
3168         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3169
3170 2017-10-30  Michael Catanzaro  <mcatanzaro@igalia.com>
3171
3172         [WPE] Fix build warnings
3173         https://bugs.webkit.org/show_bug.cgi?id=178899
3174
3175         Reviewed by Carlos Alberto Lopez Perez.
3176
3177         * PlatformWPE.cmake:
3178
3179 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
3180
3181         [ARMv7] Fix initial start register support in YarrJIT
3182         https://bugs.webkit.org/show_bug.cgi?id=178641
3183
3184         Reviewed by Saam Barati.
3185
3186         * yarr/YarrJIT.cpp: On ARMv7, use r8 as the initialStart register in the
3187         YarrGenerator class. r6 should be avoided since it's already used inside
3188         MacroAssemblerARMv7 as addressTempRegister. r7 isn't picked because it
3189         can be used as the frame pointer register when targeting ARM Thumb2.
3190
3191 2017-10-30  Zan Dobersek  <zdobersek@igalia.com>
3192
3193         [ARM64][Linux] Re-enable Gigacage
3194         https://bugs.webkit.org/show_bug.cgi?id=178130
3195
3196         Reviewed by Michael Catanzaro.
3197
3198         Guard the current globaladdr opcode implementation for ARM64 with
3199         OS(DARWIN) as it's only usable for Mach-O.
3200
3201         For OS(LINUX), ELF-supported :got: and :got_lo12: relocation specifiers
3202         have to be used. The .loh directive can't be used as it's not supported
3203         in GCC or the ld linker.
3204
3205         On every other OS target, a compilation error is thrown.
3206
3207         * offlineasm/arm64.rb:
3208
3209 2017-10-27  Devin Rousso  <webkit@devinrousso.com>
3210
3211         Web Inspector: Canvas Tab: no way to see backtrace of where a canvas context was created
3212         https://bugs.webkit.org/show_bug.cgi?id=178799
3213         <rdar://problem/35175805>
3214
3215         Reviewed by Brian Burg.
3216
3217         * inspector/protocol/Canvas.json:
3218         Add optional `backtrace` to Canvas type that is an array of Console.CallFrame.
3219
3220 2017-10-27  Yusuke Suzuki  <utatane.tea@gmail.com>
3221
3222         [JSC] Tweak ES6 generator function to allow inlining
3223         https://bugs.webkit.org/show_bug.cgi?id=178935
3224
3225         Reviewed by Saam Barati.
3226
3227         We optimize builtins' generator helper functions to allow them to be inlined on the caller side.
3228         This patch adjusts the layer between @generatorResume, next(), throw(), and return() to allow
3229         them to be inlined in DFG.
3230
3231                                        baseline                  patched
3232
3233         spread-generator.es6      301.2637+-11.1011    ^    260.5905+-14.2258       ^ definitely 1.1561x faster
3234         generator.es6             269.6030+-13.2435    ^    148.8840+-6.7614        ^ definitely 1.8108x faster
3235
3236         * builtins/GeneratorPrototype.js:
3237         (globalPrivate.generatorResume):
3238         (next):
3239         (return):
3240         (throw):
3241
3242 2017-10-27  Saam Barati  <sbarati@apple.com>
3243
3244         Bytecode liveness should live on UnlinkedCodeBlock so it can be shared amongst CodeBlocks
3245         https://bugs.webkit.org/show_bug.cgi?id=178949
3246
3247         Reviewed by Keith Miller.
3248
3249         This patch stores BytecodeLiveness on UnlinkedCodeBlock instead of CodeBlock
3250         so that we don't need to recompute liveness for the same UnlinkedCodeBlock
3251         more than once. To do this, this patch solidifies the invariant that CodeBlock
3252         linking can't do anything that would change the result of liveness. For example,
3253         it can't introduce new locals. This invariant was met by JSC before, because we
3254         didn't do anything in bytecode linking that would change liveness. However, it is
3255         now a correctness requirement that we don't do anything that would change the
3256         result of running liveness. To support this change, I've refactored BytecodeGraph
3257         to not be tied to a CodeBlockType*. Things that perform liveness will pass in
3258         CodeBlockType* and the instruction stream as needed. This means that we may
3259         compute liveness with one CodeBlock*'s instruction stream, and then perform
3260         queries on that analysis with a different CodeBlock*'s instruction stream.
3261
3262         This seems to be a 2% JSBench progression.
3263
3264         * bytecode/BytecodeGeneratorification.cpp:
3265         (JSC::BytecodeGeneratorification::BytecodeGeneratorification):
3266         (JSC::BytecodeGeneratorification::graph):
3267         (JSC::BytecodeGeneratorification::storageForGeneratorLocal):
3268         (JSC::GeneratorLivenessAnalysis::run):
3269         (JSC::BytecodeGeneratorification::run):
3270         * bytecode/BytecodeGraph.h:
3271         (JSC::BytecodeGraph::BytecodeGraph):
3272         (JSC::BytecodeGraph::codeBlock const): Deleted.
3273         (JSC::BytecodeGraph::instructions): Deleted.
3274         (JSC::BytecodeGraph<Block>::BytecodeGraph): Deleted.
3275         * bytecode/BytecodeLivenessAnalysis.cpp:
3276         (JSC::BytecodeLivenessAnalysis::BytecodeLivenessAnalysis):
3277         (JSC::BytecodeLivenessAnalysis::getLivenessInfoAtBytecodeOffset):
3278         (JSC::BytecodeLivenessAnalysis::computeFullLiveness):
3279         (JSC::BytecodeLivenessAnalysis::computeKills):
3280         (JSC::BytecodeLivenessAnalysis::dumpResults):
3281         (JSC::BytecodeLivenessAnalysis::operandIsLiveAtBytecodeOffset): Deleted.
3282         (JSC::BytecodeLivenessAnalysis::compute): Deleted.
3283         * bytecode/BytecodeLivenessAnalysis.h:
3284         * bytecode/BytecodeLivenessAnalysisInlines.h:
3285         (JSC::BytecodeLivenessPropagation::stepOverInstruction):
3286         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBytecodeOffset):
3287         (JSC::BytecodeLivenessPropagation::computeLocalLivenessForBlock):
3288         (JSC::BytecodeLivenessPropagation::getLivenessInfoAtBytecodeOffset):
3289         (JSC::BytecodeLivenessPropagation::runLivenessFixpoint):
3290         * bytecode/BytecodeRewriter.cpp:
3291         (JSC::BytecodeRewriter::applyModification):
3292         (JSC::BytecodeRewriter::execute):
3293         (JSC::BytecodeRewriter::adjustJumpTargetsInFragment):
3294         * bytecode/BytecodeRewriter.h:
3295         (JSC::BytecodeRewriter::BytecodeRewriter):
3296         (JSC::BytecodeRewriter::removeBytecode):
3297         (JSC::BytecodeRewriter::graph):
3298         * bytecode/CodeBlock.cpp:
3299         (JSC::CodeBlock::finishCreation):
3300         (JSC::CodeBlock::ensureCatchLivenessIsComputedForBytecodeOffsetSlow):
3301         (JSC::CodeBlock::validate):
3302         (JSC::CodeBlock::livenessAnalysisSlow): Deleted.
3303         * bytecode/CodeBlock.h:
3304         (JSC::CodeBlock::livenessAnalysis):
3305         * bytecode/UnlinkedCodeBlock.cpp:
3306         (JSC::UnlinkedCodeBlock::applyModification):
3307         (JSC::UnlinkedCodeBlock::livenessAnalysisSlow):
3308         * bytecode/UnlinkedCodeBlock.h:
3309         (JSC::UnlinkedCodeBlock::livenessAnalysis):
3310         * dfg/DFGGraph.cpp:
3311         (JSC::DFG::Graph::livenessFor):
3312         (JSC::DFG::Graph::killsFor):
3313         * dfg/DFGPlan.cpp:
3314         (JSC::DFG::Plan::cleanMustHandleValuesIfNecessary):
3315         * jit/JIT.cpp:
3316         (JSC::JIT::privateCompileMainPass):
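
        The invariant the entry above relies on (liveness is a function of the instruction stream alone, so one result can be shared by every CodeBlock linked from the same UnlinkedCodeBlock) is easiest to see in a minimal backward liveness fixpoint. The following is an added illustration written for this page, not JSC's BytecodeLivenessAnalysis; the toy instruction format, `computeLiveness`, `isLiveAt` and the constructed sample program are all assumptions of this example.

```cpp
#include <cstdio>
#include <vector>

// Constructed toy bytecode (not JSC's format): each instruction may write one
// local, read several locals, branch to another offset, or return.
struct Insn {
    int def;                // local written by this instruction, or -1
    std::vector<int> uses;  // locals read by this instruction
    int jumpTarget;         // extra successor offset for branches, or -1
    bool isReturn;          // true if control does not fall through
};

using LiveSet = std::vector<bool>;

// Backward liveness fixpoint over the instruction stream only:
//   liveOut[i] = union of liveIn[s] over the successors s of i
//   liveIn[i]  = uses[i] ∪ (liveOut[i] \ {def[i]})
// Nothing here consults per-CodeBlock state, which is exactly what allows the
// result to be cached once per UnlinkedCodeBlock and queried from any CodeBlock.
std::vector<LiveSet> computeLiveness(const std::vector<Insn>& code, int numLocals)
{
    const size_t n = code.size();
    std::vector<LiveSet> liveIn(n, LiveSet(numLocals, false));
    bool changed = true;
    while (changed) {
        changed = false;
        for (size_t i = n; i-- > 0;) {
            LiveSet set(numLocals, false);
            // Merge the live-in sets of all successors (fall-through and branch).
            if (!code[i].isReturn && i + 1 < n)
                for (int l = 0; l < numLocals; ++l)
                    set[l] = set[l] || liveIn[i + 1][l];
            if (code[i].jumpTarget >= 0)
                for (int l = 0; l < numLocals; ++l)
                    set[l] = set[l] || liveIn[code[i].jumpTarget][l];
            // Step backwards over the instruction: kill the def, then add the uses.
            if (code[i].def >= 0)
                set[code[i].def] = false;
            for (int u : code[i].uses)
                set[u] = true;
            if (set != liveIn[i]) {
                liveIn[i] = set;
                changed = true;
            }
        }
    }
    return liveIn;
}

// Query helper: is `local` live on entry to the instruction at `offset`?
bool isLiveAt(const std::vector<LiveSet>& liveness, size_t offset, int local)
{
    return liveness[offset][local];
}

// Constructed sample program; the write to loc3 at offset 4 is a dead store.
std::vector<Insn> sampleProgram()
{
    return {
        { 0, {}, -1, false },      // 0: loc0 = const
        { 1, {}, -1, false },      // 1: loc1 = const
        { 2, {0, 1}, -1, false },  // 2: loc2 = loc0 + loc1
        { -1, {2}, 5, false },     // 3: jtrue loc2 -> 5
        { 3, {1}, -1, false },     // 4: loc3 = loc1   (never read afterwards)
        { -1, {2}, -1, true },     // 5: ret loc2
    };
}

int main()
{
    auto code = sampleProgram();
    auto liveness = computeLiveness(code, 4);
    for (size_t i = 0; i < code.size(); ++i) {
        std::printf("offset %zu live-in:", i);
        for (int l = 0; l < 4; ++l)
            if (liveness[i][l])
                std::printf(" loc%d", l);
        std::printf("\n");
    }
    return 0;
}
```

        Running it shows loc1 and loc2 live into the branch at offset 3 and loc3 live nowhere; a linking step that introduced a new local or reordered instructions would change these sets, which is why the entry makes "linking does not change liveness" a correctness requirement rather than a coincidence.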
3317
3318 2017-10-27  Keith Miller  <keith_miller@apple.com>
3319
3320         Add unified source list files and build scripts to Xcode project navigator
3321         https://bugs.webkit.org/show_bug.cgi?id=178959
3322
3323         Reviewed by Andy Estes.
3324
3325         Also, add some extra source files so new .cpp/.mm files don't cause the build
3326         to fail right away. We already do this in WebCore.
3327
3328         * JavaScriptCore.xcodeproj/project.pbxproj:
3329         * PlatformMac.cmake:
3330         * SourcesCocoa.txt: Renamed from Source/JavaScriptCore/SourcesMac.txt.
3331
3332 2017-10-27  JF Bastien  <jfbastien@apple.com>
3333
3334         WebAssembly: update arbitrary limits to what browsers use
3335         https://bugs.webkit.org/show_bug.cgi?id=178946
3336         <rdar://problem/34257412>
3337         <rdar://problem/34501154>
3338
3339         Reviewed by Saam Barati.
3340
3341         https://github.com/WebAssembly/design/issues/1138 discusses the
3342         arbitrary function size limit, which it turns out Chrome and
3343         Firefox didn't enforce. We didn't use it because it was
3344         ridiculously low and actual programs ran into that limit (bummer
3345         for Edge which just shipped it...). Now that we agree on a high
3346         arbitrary program limit, let's update it! While I'm doing this
3347         there are a few other spots that I polished to use Checked or
3348         better check limits overall.
3349
3350         * wasm/WasmB3IRGenerator.cpp:
3351         (JSC::Wasm::B3IRGenerator::addLocal):
3352         * wasm/WasmFormat.cpp:
3353         (JSC::Wasm::Segment::create):
3354         * wasm/WasmFunctionParser.h:
3355         (JSC::Wasm::FunctionParser<Context>::parse):
3356         * wasm/WasmInstance.cpp:
3357         * wasm/WasmLimits.h:
3358         * wasm/WasmModuleParser.cpp:
3359         (JSC::Wasm::ModuleParser::parseGlobal):
3360         (JSC::Wasm::ModuleParser::parseCode):
3361         (JSC::Wasm::ModuleParser::parseData):
3362         * wasm/WasmSignature.h:
3363         (JSC::Wasm::Signature::allocatedSize):
3364         * wasm/WasmTable.cpp:
3365         (JSC::Wasm::Table::Table):
3366         *